mirror of
https://github.com/freebsd/freebsd-src
synced 2024-10-02 22:54:52 +00:00
openssl: Vendor import of OpenSSL 3.0.11
Major changes between OpenSSL 3.0.10 and OpenSSL 3.0.11: * Fix POLY1305 MAC implementation corrupting XMM registers on Windows ([CVE-2023-4807]) Release notes can otherwise be found at https://www.openssl.org/news/openssl-3.0-notes.html. Obtained from: https://www.openssl.org/source/openssl-3.0.11.tar.gz Sponsored by: The FreeBSD Foundation Test Plan: ``` $ git status On branch vendor/openssl-3.0 Your branch is up to date with 'origin/vendor/openssl-3.0'. nothing to commit, working tree clean $ OSSLVER=3.0.11 $ XLIST=FREEBSD-Xlist $ (cd ..; fetch https://www.openssl.org/source/openssl-${OSSLVER}.tar.gz https://www.openssl.org/source/openssl-${OSSLVER}.tar.gz.asc) openssl-3.0.11.tar.gz 14 MB 17 MBps 01s openssl-3.0.11.tar.gz.asc 833 B 8301 kBps 00s $ gpg --list-keys /home/khorben/.gnupg/pubring.kbx -------------------------------- pub rsa4096 2011-03-01 [SCA] DC34EE5DB2417BCC151E5100E5F8F8212F77A498 uid [ unknown] Willem Toorop <willem@nlnetlabs.nl> sub rsa4096 2011-03-01 [E] pub rsa4096 2014-10-04 [SC] [expires: 2024-01-30] EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5 uid [ unknown] OpenSSL security team <openssl-security@openssl.org> uid [ unknown] OpenSSL OMC <openssl-omc@openssl.org> uid [ unknown] OpenSSL Security <openssl-security@openssl.org> sub rsa4096 2014-10-04 [E] [expires: 2024-01-30] $ gpg --verify ../openssl-${OSSLVER}.tar.gz.asc ../openssl-${OSSLVER}.tar.gz gpg: Signature made Tue Sep 19 15:02:51 2023 CEST gpg: using RSA key EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5 gpg: Good signature from "OpenSSL security team <openssl-security@openssl.org>" [unknown] gpg: aka "OpenSSL OMC <openssl-omc@openssl.org>" [unknown] gpg: aka "OpenSSL Security <openssl-security@openssl.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5 $ tar -x -X $XLIST -f ../openssl-${OSSLVER}.tar.gz -C .. 
$ rsync --exclude FREEBSD.* --delete -av ../openssl-${OSSLVER}/* . [...] $ diff -arq ../openssl-${OSSLVER} . Only in .: .git Only in .: FREEBSD-Xlist Only in .: FREEBSD-upgrade Only in .: appveyor.yml $ git status FREEBSD* On branch vendor/openssl-3.0 Your branch is up to date with 'origin/vendor/openssl-3.0'. nothing to commit, working tree clean ```
parent
cf2fc1b0f5
commit
315108b816
25
CHANGES.md
25
CHANGES.md
|
@ -28,6 +28,30 @@ breaking changes, and mappings for the large list of deprecated functions.
|
|||
|
||||
[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
|
||||
|
||||
### Changes between 3.0.10 and 3.0.11 [19 Sep 2023]
|
||||
|
||||
* Fix POLY1305 MAC implementation corrupting XMM registers on Windows.
|
||||
|
||||
The POLY1305 MAC (message authentication code) implementation in OpenSSL
|
||||
does not save the contents of non-volatile XMM registers on Windows 64
|
||||
platform when calculating the MAC of data larger than 64 bytes. Before
|
||||
returning to the caller all the XMM registers are set to zero rather than
|
||||
restoring their previous content. The vulnerable code is used only on newer
|
||||
x86_64 processors supporting the AVX512-IFMA instructions.
|
||||
|
||||
The consequences of this kind of internal application state corruption can
|
||||
be various - from no consequences, if the calling application does not
|
||||
depend on the contents of non-volatile XMM registers at all, to the worst
|
||||
consequences, where the attacker could get complete control of the
|
||||
application process. However given the contents of the registers are just
|
||||
zeroized so the attacker cannot put arbitrary values inside, the most likely
|
||||
consequence, if any, would be an incorrect result of some application
|
||||
dependent calculations or a crash leading to a denial of service.
|
||||
|
||||
([CVE-2023-4807])
|
||||
|
||||
*Bernd Edlinger*
|
||||
|
||||
### Changes between 3.0.9 and 3.0.10 [1 Aug 2023]
|
||||
|
||||
* Fix excessive time spent checking DH q parameter value.
|
||||
|
@ -19708,6 +19732,7 @@ ndif
|
|||
|
||||
<!-- Links -->
|
||||
|
||||
[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
|
||||
[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
|
||||
[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
|
||||
[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
|
||||
|
|
6
NEWS.md
6
NEWS.md
|
@ -18,6 +18,11 @@ OpenSSL Releases
|
|||
OpenSSL 3.0
|
||||
-----------
|
||||
|
||||
### Major changes between OpenSSL 3.0.10 and OpenSSL 3.0.11 [19 Sep 2023]
|
||||
|
||||
* Fix POLY1305 MAC implementation corrupting XMM registers on Windows
|
||||
([CVE-2023-4807])
|
||||
|
||||
### Major changes between OpenSSL 3.0.9 and OpenSSL 3.0.10 [1 Aug 2023]
|
||||
|
||||
* Fix excessive time spent checking DH q parameter value ([CVE-2023-3817])
|
||||
|
@ -1448,6 +1453,7 @@ OpenSSL 0.9.x
|
|||
|
||||
<!-- Links -->
|
||||
|
||||
[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
|
||||
[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
|
||||
[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
|
||||
[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
|
||||
|
|
|
@ -166,7 +166,7 @@ attempting to develop or distribute cryptographic code.
|
|||
Copyright
|
||||
=========
|
||||
|
||||
Copyright (c) 1998-2022 The OpenSSL Project
|
||||
Copyright (c) 1998-2023 The OpenSSL Project
|
||||
|
||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
MAJOR=3
|
||||
MINOR=0
|
||||
PATCH=10
|
||||
PATCH=11
|
||||
PRE_RELEASE_TAG=
|
||||
BUILD_METADATA=
|
||||
RELEASE_DATE="1 Aug 2023"
|
||||
RELEASE_DATE="19 Sep 2023"
|
||||
SHLIB_VERSION=3
|
||||
|
|
|
@ -2512,7 +2512,7 @@ static int get_opts(int argc, char **argv)
|
|||
}
|
||||
break;
|
||||
case OPT_CSR:
|
||||
opt_csr = opt_arg();
|
||||
opt_csr = opt_str();
|
||||
break;
|
||||
case OPT_OUT_TRUSTED:
|
||||
opt_out_trusted = opt_str();
|
||||
|
|
|
@ -944,7 +944,7 @@ int load_key_certs_crls_suppress(const char *uri, int format, int maybe_stdin,
|
|||
BIO *bio;
|
||||
|
||||
if (!maybe_stdin) {
|
||||
BIO_printf(bio_err, "No filename or uri specified for loading");
|
||||
BIO_printf(bio_err, "No filename or uri specified for loading\n");
|
||||
goto end;
|
||||
}
|
||||
uri = "<stdin>";
|
||||
|
@ -960,10 +960,8 @@ int load_key_certs_crls_suppress(const char *uri, int format, int maybe_stdin,
|
|||
ctx = OSSL_STORE_open_ex(uri, libctx, propq, get_ui_method(), &uidata,
|
||||
params, NULL, NULL);
|
||||
}
|
||||
if (ctx == NULL) {
|
||||
BIO_printf(bio_err, "Could not open file or uri for loading");
|
||||
if (ctx == NULL)
|
||||
goto end;
|
||||
}
|
||||
if (expect > 0 && !OSSL_STORE_expect(ctx, expect))
|
||||
goto end;
|
||||
|
||||
|
@ -1948,16 +1946,17 @@ X509_NAME *parse_name(const char *cp, int chtype, int canmulti,
|
|||
nid = OBJ_txt2nid(typestr);
|
||||
if (nid == NID_undef) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Skipping unknown %s name attribute \"%s\"\n",
|
||||
"%s warning: Skipping unknown %s name attribute \"%s\"\n",
|
||||
opt_getprog(), desc, typestr);
|
||||
if (ismulti)
|
||||
BIO_printf(bio_err,
|
||||
"Hint: a '+' in a value string needs be escaped using '\\' else a new member of a multi-valued RDN is expected\n");
|
||||
"%s hint: a '+' in a value string needs be escaped using '\\' else a new member of a multi-valued RDN is expected\n",
|
||||
opt_getprog());
|
||||
continue;
|
||||
}
|
||||
if (*valstr == '\0') {
|
||||
BIO_printf(bio_err,
|
||||
"%s: No value provided for %s name attribute \"%s\", skipped\n",
|
||||
"%s warning: No value provided for %s name attribute \"%s\", skipped\n",
|
||||
opt_getprog(), desc, typestr);
|
||||
continue;
|
||||
}
|
||||
|
|
|
@ -990,10 +990,10 @@ int req_main(int argc, char **argv)
|
|||
else
|
||||
tpubkey = X509_REQ_get0_pubkey(req);
|
||||
if (tpubkey == NULL) {
|
||||
fprintf(stdout, "Modulus is unavailable\n");
|
||||
BIO_puts(bio_err, "Modulus is unavailable\n");
|
||||
goto end;
|
||||
}
|
||||
fprintf(stdout, "Modulus=");
|
||||
BIO_puts(out, "Modulus=");
|
||||
if (EVP_PKEY_is_a(tpubkey, "RSA") || EVP_PKEY_is_a(tpubkey, "RSA-PSS")) {
|
||||
BIGNUM *n = NULL;
|
||||
|
||||
|
@ -1002,9 +1002,9 @@ int req_main(int argc, char **argv)
|
|||
BN_print(out, n);
|
||||
BN_free(n);
|
||||
} else {
|
||||
fprintf(stdout, "Wrong Algorithm type");
|
||||
BIO_puts(out, "Wrong Algorithm type");
|
||||
}
|
||||
fprintf(stdout, "\n");
|
||||
BIO_puts(out, "\n");
|
||||
}
|
||||
|
||||
if (!noout && !gen_x509) {
|
||||
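Review bot: In req_main's modulus branch the `Wrong Algorithm type` text is still written to `out`, the same BIO that carries the `Modulus=` value, while the neighbouring `Modulus is unavailable` message now goes to `bio_err` and jumps to `end`. A consumer that parses the output therefore reads `Modulus=Wrong Algorithm type`, and no error path is taken in the visible lines. Consider `BIO_puts(bio_err, "Wrong Algorithm type\n");` followed by `goto end;` so both failure cases behave alike, after checking that no caller depends on the old text. req_main starts and ends outside the hunk.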
|
|
|
@ -789,7 +789,7 @@ const OPTIONS s_server_options[] = {
|
|||
"second server certificate chain file in PEM format"},
|
||||
{"dkey", OPT_DKEY, '<',
|
||||
"Second private key file to use (usually for DSA)"},
|
||||
{"dkeyform", OPT_DKEYFORM, 'F',
|
||||
{"dkeyform", OPT_DKEYFORM, 'f',
|
||||
"Second key file format (ENGINE, other values ignored)"},
|
||||
{"dpass", OPT_DPASS, 's',
|
||||
"Second private key and cert file pass phrase source"},
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -129,8 +129,10 @@ ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid)
|
|||
int idx;
|
||||
ASN1_STRING_TABLE fnd;
|
||||
|
||||
#ifndef OPENSSL_NO_AUTOLOAD_CONFIG
|
||||
/* "stable" can be impacted by config, so load the config file first */
|
||||
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
|
||||
#endif
|
||||
|
||||
fnd.nid = nid;
|
||||
if (stable) {
|
||||
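Review bot: The new `OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)` call in ASN1_STRING_TABLE_get discards its return value, so a configuration file that fails to load leaves the lookup running against whatever `stable` holds, with no signal to the caller. It also makes a table lookup a place where the configuration file is read, which matters to applications that deliberately control when configuration is loaded. Either check the result or say so in the comment, e.g. `/* Best effort: the lookup continues even if the config fails to load */`. The same unchecked call is added in ossl_engine_table_select further down the page.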
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -698,9 +698,12 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
|
|||
atmp->value.asn1_string->data = rdata;
|
||||
atmp->value.asn1_string->length = rdlen;
|
||||
atmp->value.asn1_string->type = utype;
|
||||
} else if (format == ASN1_GEN_FORMAT_ASCII)
|
||||
ASN1_STRING_set(atmp->value.asn1_string, str, -1);
|
||||
else if ((format == ASN1_GEN_FORMAT_BITLIST)
|
||||
} else if (format == ASN1_GEN_FORMAT_ASCII) {
|
||||
if (!ASN1_STRING_set(atmp->value.asn1_string, str, -1)) {
|
||||
ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
|
||||
goto bad_str;
|
||||
}
|
||||
} else if ((format == ASN1_GEN_FORMAT_BITLIST)
|
||||
&& (utype == V_ASN1_BIT_STRING)) {
|
||||
if (!CONF_parse_list
|
||||
(str, ',', 1, bitstr_cb, atmp->value.bit_string)) {
|
||||
|
|
|
@ -46,6 +46,8 @@ ChaCha20_ctr32:
|
|||
ADDP @k[11]=4,$key
|
||||
.save ar.lc,r3
|
||||
mov r3=ar.lc }
|
||||
{ .mmi; ADDP $out=0,$out
|
||||
ADDP $inp=0,$inp }
|
||||
{ .mmi; ADDP $key=0,$key
|
||||
ADDP $counter=0,$counter
|
||||
.save pr,r14
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright Nokia 2007-2019
|
||||
* Copyright Siemens AG 2015-2019
|
||||
*
|
||||
|
@ -188,22 +188,22 @@ int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
|
|||
return 0;
|
||||
}
|
||||
|
||||
/* get ASN.1 encoded integer, return -1 on error */
|
||||
/* get ASN.1 encoded integer, return -2 on error; -1 is valid for certReqId */
|
||||
int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a)
|
||||
{
|
||||
int64_t res;
|
||||
|
||||
if (!ASN1_INTEGER_get_int64(&res, a)) {
|
||||
ERR_raise(ERR_LIB_CMP, ASN1_R_INVALID_NUMBER);
|
||||
return -1;
|
||||
return -2;
|
||||
}
|
||||
if (res < INT_MIN) {
|
||||
ERR_raise(ERR_LIB_CMP, ASN1_R_TOO_SMALL);
|
||||
return -1;
|
||||
return -2;
|
||||
}
|
||||
if (res > INT_MAX) {
|
||||
ERR_raise(ERR_LIB_CMP, ASN1_R_TOO_LARGE);
|
||||
return -1;
|
||||
return -2;
|
||||
}
|
||||
return (int)res;
|
||||
}
|
||||
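Review bot: The error return of ossl_cmp_asn1_get_int is now the bare literal `-2`, which is still an in-band value: an ASN1_INTEGER that encodes -2 passes both range checks and comes back as `(int)res`, indistinguishable from failure and with nothing on the error queue. The literal is repeated in ossl_cmp_pkisi_get_status (`res == -2 ? -1 : res`) further down the page, so a peer-supplied status of -2 is reported there as -1 without an error being raised. A named constant shared by the callers would keep the sentinel in one place. The header comment could also state the collision, e.g. `/* get ASN.1 encoded integer; returns -2 on error, so an encoded -2 is also treated as an error */`.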
|
|
|
@ -584,7 +584,7 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
|
|||
return 0;
|
||||
if (rid == OSSL_CMP_CERTREQID_NONE) { /* used for OSSL_CMP_PKIBODY_P10CR */
|
||||
rid = ossl_cmp_asn1_get_int(crep->certReqId);
|
||||
if (rid != OSSL_CMP_CERTREQID_NONE) {
|
||||
if (rid < OSSL_CMP_CERTREQID_NONE) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
|
||||
return 0;
|
||||
}
|
||||
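Review bot: The check in cert_response changed from `rid != OSSL_CMP_CERTREQID_NONE` to `rid < OSSL_CMP_CERTREQID_NONE`, so every certReqId from the peer that is at or above that constant is now accepted, where before exactly one value was. If that widening is intended for the P10CR case, a comment on the comparison would make it reviewable, e.g. `/* any certReqId >= OSSL_CMP_CERTREQID_NONE is tolerated; smaller values include the helper's error return */`. cert_response continues outside the hunk, so what is later done with `rid` cannot be checked from here.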
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright Nokia 2007-2019
|
||||
* Copyright Siemens AG 2015-2019
|
||||
*
|
||||
|
@ -30,9 +30,12 @@
|
|||
|
||||
int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si)
|
||||
{
|
||||
int res ;
|
||||
|
||||
if (!ossl_assert(si != NULL && si->status != NULL))
|
||||
return -1;
|
||||
return ossl_cmp_asn1_get_int(si->status);
|
||||
res = ossl_cmp_asn1_get_int(si->status);
|
||||
return res == -2 ? -1 : res;
|
||||
}
|
||||
|
||||
const char *ossl_cmp_PKIStatus_to_string(int status)
|
||||
|
|
|
@ -26,7 +26,7 @@ static void cms_env_set_version(CMS_EnvelopedData *env);
|
|||
#define CMS_ENVELOPED_STANDARD 1
|
||||
#define CMS_ENVELOPED_AUTH 2
|
||||
|
||||
static int cms_get_enveloped_type(const CMS_ContentInfo *cms)
|
||||
static int cms_get_enveloped_type_simple(const CMS_ContentInfo *cms)
|
||||
{
|
||||
int nid = OBJ_obj2nid(cms->contentType);
|
||||
|
||||
|
@ -38,11 +38,28 @@ static int cms_get_enveloped_type(const CMS_ContentInfo *cms)
|
|||
return CMS_ENVELOPED_AUTH;
|
||||
|
||||
default:
|
||||
ERR_raise(ERR_LIB_CMS, CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
static int cms_get_enveloped_type(const CMS_ContentInfo *cms)
|
||||
{
|
||||
int ret = cms_get_enveloped_type_simple(cms);
|
||||
|
||||
if (ret == 0)
|
||||
ERR_raise(ERR_LIB_CMS, CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA);
|
||||
return ret;
|
||||
}
|
||||
|
||||
void ossl_cms_env_enc_content_free(const CMS_ContentInfo *cinf)
|
||||
{
|
||||
if (cms_get_enveloped_type_simple(cinf) != 0) {
|
||||
CMS_EncryptedContentInfo *ec = ossl_cms_get0_env_enc_content(cinf);
|
||||
if (ec != NULL)
|
||||
OPENSSL_clear_free(ec->key, ec->keylen);
|
||||
}
|
||||
}
|
||||
|
||||
CMS_EnvelopedData *ossl_cms_get0_enveloped(CMS_ContentInfo *cms)
|
||||
{
|
||||
if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_enveloped) {
|
||||
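Review bot: ossl_cms_env_enc_content_free releases `ec->key` with OPENSSL_clear_free but leaves the pointer and `ec->keylen` in place, so now that the cleanup is a separately callable helper, a second call on the same object would free the key twice. Resetting the fields after the free closes that: `ec->key = NULL;` and `ec->keylen = 0;`, with braces around the `if (ec != NULL)` body. The only caller visible on the page, CMS_ContentInfo_free, frees the whole structure right afterwards, so this is defensive rather than a demonstrated fault. The parameter is declared `const CMS_ContentInfo *` although the function releases state reachable from it, which deserves a line in a header comment.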
|
|
|
@ -76,10 +76,7 @@ CMS_ContentInfo *CMS_ContentInfo_new(void)
|
|||
void CMS_ContentInfo_free(CMS_ContentInfo *cms)
|
||||
{
|
||||
if (cms != NULL) {
|
||||
CMS_EncryptedContentInfo *ec = ossl_cms_get0_env_enc_content(cms);
|
||||
|
||||
if (ec != NULL)
|
||||
OPENSSL_clear_free(ec->key, ec->keylen);
|
||||
ossl_cms_env_enc_content_free(cms);
|
||||
OPENSSL_free(cms->ctx.propq);
|
||||
ASN1_item_free((ASN1_VALUE *)cms, ASN1_ITEM_rptr(CMS_ContentInfo));
|
||||
}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -444,6 +444,7 @@ BIO *ossl_cms_EnvelopedData_init_bio(CMS_ContentInfo *cms);
|
|||
int ossl_cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain);
|
||||
BIO *ossl_cms_AuthEnvelopedData_init_bio(CMS_ContentInfo *cms);
|
||||
int ossl_cms_AuthEnvelopedData_final(CMS_ContentInfo *cms, BIO *cmsbio);
|
||||
void ossl_cms_env_enc_content_free(const CMS_ContentInfo *cinf);
|
||||
CMS_EnvelopedData *ossl_cms_get0_enveloped(CMS_ContentInfo *cms);
|
||||
CMS_AuthEnvelopedData *ossl_cms_get0_auth_enveloped(CMS_ContentInfo *cms);
|
||||
CMS_EncryptedContentInfo *ossl_cms_get0_env_enc_content(const CMS_ContentInfo *cms);
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -233,9 +233,9 @@ static int cms_sd_asn1_ctrl(CMS_SignerInfo *si, int cmd)
|
|||
int i;
|
||||
|
||||
if (EVP_PKEY_is_a(pkey, "DSA") || EVP_PKEY_is_a(pkey, "EC"))
|
||||
return ossl_cms_ecdsa_dsa_sign(si, cmd);
|
||||
return ossl_cms_ecdsa_dsa_sign(si, cmd) > 0;
|
||||
else if (EVP_PKEY_is_a(pkey, "RSA") || EVP_PKEY_is_a(pkey, "RSA-PSS"))
|
||||
return ossl_cms_rsa_sign(si, cmd);
|
||||
return ossl_cms_rsa_sign(si, cmd) > 0;
|
||||
|
||||
/* Something else? We'll give engines etc a chance to handle this */
|
||||
if (pkey->ameth == NULL || pkey->ameth->pkey_ctrl == NULL)
|
||||
|
|
|
@ -65,7 +65,8 @@ int ossl_config_int(const OPENSSL_INIT_SETTINGS *settings)
|
|||
#endif
|
||||
|
||||
#ifndef OPENSSL_SYS_UEFI
|
||||
ret = CONF_modules_load_file(filename, appname, flags);
|
||||
ret = CONF_modules_load_file_ex(OSSL_LIB_CTX_get0_global_default(),
|
||||
filename, appname, flags);
|
||||
#else
|
||||
ret = 1;
|
||||
#endif
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -743,10 +743,11 @@ static int decoder_process(const OSSL_PARAM params[], void *arg)
|
|||
(void *)new_data.ctx, LEVEL, rv);
|
||||
} OSSL_TRACE_END(DECODER);
|
||||
|
||||
data->flag_construct_called = 1;
|
||||
ok = (rv > 0);
|
||||
if (ok)
|
||||
if (ok) {
|
||||
data->flag_construct_called = 1;
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
/* The constructor didn't return success */
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -150,7 +150,11 @@ static int decoder_construct_pkey(OSSL_DECODER_INSTANCE *decoder_inst,
|
|||
|
||||
import_data.keymgmt = keymgmt;
|
||||
import_data.keydata = NULL;
|
||||
import_data.selection = data->selection;
|
||||
if (data->selection == 0)
|
||||
/* import/export functions do not tolerate 0 selection */
|
||||
import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
|
||||
else
|
||||
import_data.selection = data->selection;
|
||||
|
||||
/*
|
||||
* No need to check for errors here, the value of
|
||||
|
|
|
@ -133,28 +133,34 @@ static ENGINE_CLEANUP_ITEM *int_cleanup_item(ENGINE_CLEANUP_CB *cb)
|
|||
return item;
|
||||
}
|
||||
|
||||
void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb)
|
||||
int engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb)
|
||||
{
|
||||
ENGINE_CLEANUP_ITEM *item;
|
||||
|
||||
if (!int_cleanup_check(1))
|
||||
return;
|
||||
item = int_cleanup_item(cb);
|
||||
if (item != NULL)
|
||||
if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0) <= 0)
|
||||
OPENSSL_free(item);
|
||||
}
|
||||
|
||||
void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb)
|
||||
{
|
||||
ENGINE_CLEANUP_ITEM *item;
|
||||
if (!int_cleanup_check(1))
|
||||
return;
|
||||
return 0;
|
||||
item = int_cleanup_item(cb);
|
||||
if (item != NULL) {
|
||||
if (sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item) <= 0)
|
||||
OPENSSL_free(item);
|
||||
if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0))
|
||||
return 1;
|
||||
OPENSSL_free(item);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb)
|
||||
{
|
||||
ENGINE_CLEANUP_ITEM *item;
|
||||
|
||||
if (!int_cleanup_check(1))
|
||||
return 0;
|
||||
item = int_cleanup_item(cb);
|
||||
if (item != NULL) {
|
||||
if (sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item) > 0)
|
||||
return 1;
|
||||
OPENSSL_free(item);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* The API function that performs all cleanup */
|
||||
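Review bot: The two helpers test the stack call differently: engine_cleanup_add_first treats any non-zero result of `sk_ENGINE_CLEANUP_ITEM_insert` as success, while engine_cleanup_add_last requires `sk_ENGINE_CLEANUP_ITEM_push(...) > 0`, and the replaced code used `<= 0` as the failure test in both. Writing the first as `if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0) > 0)` keeps the pair consistent and keeps a negative return, should one ever occur, on the path that frees `item`. The rendered section interleaves old and new lines, so which lines are new is inferred from the changed `int` return type.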
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
|
@ -78,12 +78,15 @@ static int engine_list_add(ENGINE *e)
|
|||
ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INTERNAL_LIST_ERROR);
|
||||
return 0;
|
||||
}
|
||||
engine_list_head = e;
|
||||
e->prev = NULL;
|
||||
/*
|
||||
* The first time the list allocates, we should register the cleanup.
|
||||
*/
|
||||
engine_cleanup_add_last(engine_list_cleanup);
|
||||
if (!engine_cleanup_add_last(engine_list_cleanup)) {
|
||||
ERR_raise(ERR_LIB_ENGINE, ENGINE_R_INTERNAL_LIST_ERROR);
|
||||
return 0;
|
||||
}
|
||||
engine_list_head = e;
|
||||
e->prev = NULL;
|
||||
} else {
|
||||
/* We are adding to the tail of an existing list. */
|
||||
if ((engine_list_tail == NULL) || (engine_list_tail->next != NULL)) {
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
|
@ -46,8 +46,8 @@ typedef struct st_engine_cleanup_item {
|
|||
ENGINE_CLEANUP_CB *cb;
|
||||
} ENGINE_CLEANUP_ITEM;
|
||||
DEFINE_STACK_OF(ENGINE_CLEANUP_ITEM)
|
||||
void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb);
|
||||
void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb);
|
||||
int engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb);
|
||||
int engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb);
|
||||
|
||||
/* We need stacks of ENGINEs for use in eng_table.c */
|
||||
DEFINE_STACK_OF(ENGINE)
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -93,9 +93,11 @@ int engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup,
|
|||
added = 1;
|
||||
if (!int_table_check(table, 1))
|
||||
goto end;
|
||||
if (added)
|
||||
/* The cleanup callback needs to be added */
|
||||
engine_cleanup_add_first(cleanup);
|
||||
/* The cleanup callback needs to be added */
|
||||
if (added && !engine_cleanup_add_first(cleanup)) {
|
||||
lh_ENGINE_PILE_free(&(*table)->piles);
|
||||
*table = NULL;
|
||||
}
|
||||
while (num_nids--) {
|
||||
tmplate.nid = *nids;
|
||||
fnd = lh_ENGINE_PILE_retrieve(&(*table)->piles, &tmplate);
|
||||
|
@ -201,8 +203,10 @@ ENGINE *ossl_engine_table_select(ENGINE_TABLE **table, int nid,
|
|||
ENGINE_PILE tmplate, *fnd = NULL;
|
||||
int initres, loop = 0;
|
||||
|
||||
#ifndef OPENSSL_NO_AUTOLOAD_CONFIG
|
||||
/* Load the config before trying to check if engines are available */
|
||||
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
|
||||
#endif
|
||||
|
||||
if (!(*table)) {
|
||||
OSSL_TRACE3(ENGINE_TABLE,
|
||||
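Review bot: In engine_table_register the new failure branch frees the pile table and sets `*table = NULL`, but nothing leaves the function there, and the `while (num_nids--)` loop that follows immediately evaluates `&(*table)->piles` on the pointer that was just cleared. When engine_cleanup_add_first returns 0, the function therefore carries on with a null table instead of reporting the failure. Add `goto end;` as the last statement of that branch, after `*table = NULL;`; the `end` label is already the target of the `int_table_check` failure just above. The function's start and the `end` label are outside the hunk, so confirm that the value returned on that path is the failure value.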
|
|
|
@ -1786,7 +1786,8 @@ static int get_rsa_payload_n(enum state state,
|
|||
{
|
||||
const BIGNUM *bn = NULL;
|
||||
|
||||
if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA)
|
||||
if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA
|
||||
&& EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA_PSS)
|
||||
return 0;
|
||||
bn = RSA_get0_n(EVP_PKEY_get0_RSA(ctx->p2));
|
||||
|
||||
|
@ -1799,7 +1800,8 @@ static int get_rsa_payload_e(enum state state,
|
|||
{
|
||||
const BIGNUM *bn = NULL;
|
||||
|
||||
if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA)
|
||||
if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA
|
||||
&& EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA_PSS)
|
||||
return 0;
|
||||
bn = RSA_get0_e(EVP_PKEY_get0_RSA(ctx->p2));
|
||||
|
||||
|
@ -1812,7 +1814,8 @@ static int get_rsa_payload_d(enum state state,
|
|||
{
|
||||
const BIGNUM *bn = NULL;
|
||||
|
||||
if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA)
|
||||
if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA
|
||||
&& EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA_PSS)
|
||||
return 0;
|
||||
bn = RSA_get0_d(EVP_PKEY_get0_RSA(ctx->p2));
|
||||
|
||||
|
@ -1912,7 +1915,8 @@ static int get_rsa_payload_coefficient(enum state state,
|
|||
const struct translation_st *translation, \
|
||||
struct translation_ctx_st *ctx) \
|
||||
{ \
|
||||
if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA) \
|
||||
if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA \
|
||||
&& EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA_PSS) \
|
||||
return 0; \
|
||||
return get_rsa_payload_factor(state, translation, ctx, n - 1); \
|
||||
}
|
||||
|
@ -1923,7 +1927,8 @@ static int get_rsa_payload_coefficient(enum state state,
|
|||
const struct translation_st *translation, \
|
||||
struct translation_ctx_st *ctx) \
|
||||
{ \
|
||||
if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA) \
|
||||
if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA \
|
||||
&& EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA_PSS) \
|
||||
return 0; \
|
||||
return get_rsa_payload_exponent(state, translation, ctx, \
|
||||
n - 1); \
|
||||
|
@ -1935,7 +1940,8 @@ static int get_rsa_payload_coefficient(enum state state,
|
|||
const struct translation_st *translation, \
|
||||
struct translation_ctx_st *ctx) \
|
||||
{ \
|
||||
if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA) \
|
||||
if (EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA \
|
||||
&& EVP_PKEY_get_base_id(ctx->p2) != EVP_PKEY_RSA_PSS) \
|
||||
return 0; \
|
||||
return get_rsa_payload_coefficient(state, translation, ctx, \
|
||||
n - 1); \
|
||||
|
@ -2271,10 +2277,10 @@ static const struct translation_st evp_pkey_ctx_translations[] = {
|
|||
{ SET, EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
|
||||
EVP_PKEY_CTRL_RSA_KEYGEN_BITS, "rsa_keygen_bits", NULL,
|
||||
OSSL_PKEY_PARAM_RSA_BITS, OSSL_PARAM_UNSIGNED_INTEGER, NULL },
|
||||
{ SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_KEYGEN,
|
||||
{ SET, EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
|
||||
EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, "rsa_keygen_pubexp", NULL,
|
||||
OSSL_PKEY_PARAM_RSA_E, OSSL_PARAM_UNSIGNED_INTEGER, NULL },
|
||||
{ SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_KEYGEN,
|
||||
{ SET, EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN,
|
||||
EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES, "rsa_keygen_primes", NULL,
|
||||
OSSL_PKEY_PARAM_RSA_PRIMES, OSSL_PARAM_UNSIGNED_INTEGER, NULL },
|
||||
|
||||
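Review bot: The RSA / RSA-PSS type test is now spelled out six times (get_rsa_payload_n, _e, _d and the three macro-generated getters), each calling EVP_PKEY_get_base_id twice on `ctx->p2`. A small static helper defined before get_rsa_payload_n would keep the accepted key types in one place, so that a later addition cannot miss one copy; the helper name below is only a suggestion. Separately, the visible lines pass the result of `EVP_PKEY_get0_RSA(ctx->p2)` straight to `RSA_get0_n`, `RSA_get0_e` and `RSA_get0_d`. Whether that call can return NULL for a key that passes the type test cannot be settled from these hunks and should be confirmed.

```c
/* Returns 1 when |pkey| has base id EVP_PKEY_RSA or EVP_PKEY_RSA_PSS */
static int is_rsa_or_rsa_pss(const EVP_PKEY *pkey)
{
    int id = EVP_PKEY_get_base_id(pkey);

    return id == EVP_PKEY_RSA || id == EVP_PKEY_RSA_PSS;
}

/* ... unchanged: signature and locals of get_rsa_payload_n ... */
    if (!is_rsa_or_rsa_pss(ctx->p2))
        return 0;
/* ... unchanged: RSA_get0_n call; same replacement in the other five getters ... */
```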
|
|
|
@ -717,6 +717,7 @@ static void detect_foreign_key(EVP_PKEY *pkey)
|
|||
{
|
||||
switch (pkey->type) {
|
||||
case EVP_PKEY_RSA:
|
||||
case EVP_PKEY_RSA_PSS:
|
||||
pkey->foreign = pkey->pkey.rsa != NULL
|
||||
&& ossl_rsa_is_foreign(pkey->pkey.rsa);
|
||||
break;
|
||||
|
@ -1075,6 +1076,7 @@ int EVP_PKEY_can_sign(const EVP_PKEY *pkey)
|
|||
if (pkey->keymgmt == NULL) {
|
||||
switch (EVP_PKEY_get_base_id(pkey)) {
|
||||
case EVP_PKEY_RSA:
|
||||
case EVP_PKEY_RSA_PSS:
|
||||
return 1;
|
||||
# ifndef OPENSSL_NO_DSA
|
||||
case EVP_PKEY_DSA:
|
||||
|
|
|
@ -164,7 +164,8 @@ void OSSL_HTTP_REQ_CTX_set_max_response_length(OSSL_HTTP_REQ_CTX *rctx,
|
|||
|
||||
/*
|
||||
* Create request line using |rctx| and |path| (or "/" in case |path| is NULL).
|
||||
* Server name (and port) must be given if and only if plain HTTP proxy is used.
|
||||
* Server name (and optional port) must be given if and only if
|
||||
* a plain HTTP proxy is used and |path| does not begin with 'http://'.
|
||||
*/
|
||||
int OSSL_HTTP_REQ_CTX_set_request_line(OSSL_HTTP_REQ_CTX *rctx, int method_POST,
|
||||
const char *server, const char *port,
|
||||
|
@ -193,11 +194,17 @@ int OSSL_HTTP_REQ_CTX_set_request_line(OSSL_HTTP_REQ_CTX *rctx, int method_POST,
|
|||
return 0;
|
||||
}
|
||||
|
||||
/* Make sure path includes a forward slash */
|
||||
if (path == NULL)
|
||||
/* Make sure path includes a forward slash (abs_path) */
|
||||
if (path == NULL) {
|
||||
path = "/";
|
||||
if (path[0] != '/' && BIO_printf(rctx->mem, "/") <= 0)
|
||||
} else if (HAS_PREFIX(path, "http://")) { /* absoluteURI for proxy use */
|
||||
if (server != NULL) {
|
||||
ERR_raise(ERR_LIB_HTTP, ERR_R_PASSED_INVALID_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
} else if (path[0] != '/' && BIO_printf(rctx->mem, "/") <= 0) {
|
||||
return 0;
|
||||
}
|
||||
/*
|
||||
* Add (the rest of) the path and the HTTP version,
|
||||
* which is fixed to 1.0 for straightforward implementation of keep-alive
|
||||
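Review bot: The new absoluteURI branch in OSSL_HTTP_REQ_CTX_set_request_line recognises only the literal prefix `http://`; a path beginning with `https://`, or with `HTTP://` if HAS_PREFIX compares case-sensitively (its definition is not on this page), falls through to the `path[0] != '/'` case and gets a `/` written in front of it. URI schemes are case-insensitive, so the header comment should at least say that only lower-case `http://` is treated as an absolute URI. The function continues outside the hunk, so whether `path` is checked for CR/LF or other control characters before it is written into the request line cannot be seen here and is worth confirming.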
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -195,7 +195,6 @@ void *CRYPTO_zalloc(size_t num, const char *file, int line)
|
|||
void *ret;
|
||||
|
||||
ret = CRYPTO_malloc(num, file, line);
|
||||
FAILTEST();
|
||||
if (ret != NULL)
|
||||
memset(ret, 0, num);
|
||||
|
||||
|
@ -208,7 +207,6 @@ void *CRYPTO_realloc(void *str, size_t num, const char *file, int line)
|
|||
if (realloc_impl != CRYPTO_realloc)
|
||||
return realloc_impl(str, num, file, line);
|
||||
|
||||
FAILTEST();
|
||||
if (str == NULL)
|
||||
return CRYPTO_malloc(num, file, line);
|
||||
|
||||
|
@ -217,6 +215,7 @@ void *CRYPTO_realloc(void *str, size_t num, const char *file, int line)
|
|||
return NULL;
|
||||
}
|
||||
|
||||
FAILTEST();
|
||||
return realloc(str, num);
|
||||
}
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -366,10 +366,19 @@ int PEM_write_bio_PrivateKey_traditional(BIO *bp, const EVP_PKEY *x,
|
|||
return ret;
|
||||
}
|
||||
|
||||
static int no_password_cb(char *buf, int num, int rwflag, void *userdata)
|
||||
{
|
||||
return -1;
|
||||
}
|
||||
|
||||
EVP_PKEY *PEM_read_bio_Parameters_ex(BIO *bp, EVP_PKEY **x,
|
||||
OSSL_LIB_CTX *libctx, const char *propq)
|
||||
{
|
||||
return pem_read_bio_key(bp, x, NULL, NULL, libctx, propq,
|
||||
/*
|
||||
* PEM_read_bio_Parameters(_ex) should never ask for a password. Any attempt
|
||||
* to get a password just fails.
|
||||
*/
|
||||
return pem_read_bio_key(bp, x, no_password_cb, NULL, libctx, propq,
|
||||
EVP_PKEY_KEY_PARAMETERS);
|
||||
}
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
#! /usr/bin/env perl
|
||||
# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -159,9 +159,8 @@ while(my $line=<>) {
|
|||
}
|
||||
|
||||
{
|
||||
$line =~ s|(^[\.\w]+)\:\s*||;
|
||||
my $label = $1;
|
||||
if ($label) {
|
||||
if ($line =~ s|(^[\.\w]+)\:\s*||) {
|
||||
my $label = $1;
|
||||
printf "%s:",($GLOBALS{$label} or $label);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -14,6 +14,12 @@
|
|||
|
||||
static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags,
|
||||
PKCS12_SAFEBAG *bag);
|
||||
static PKCS12_SAFEBAG *pkcs12_add_cert_bag(STACK_OF(PKCS12_SAFEBAG) **pbags,
|
||||
X509 *cert,
|
||||
const char *name,
|
||||
int namelen,
|
||||
unsigned char *keyid,
|
||||
int keyidlen);
|
||||
|
||||
static int copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid)
|
||||
{
|
||||
|
@ -40,6 +46,9 @@ PKCS12 *PKCS12_create_ex(const char *pass, const char *name, EVP_PKEY *pkey,
|
|||
int i;
|
||||
unsigned char keyid[EVP_MAX_MD_SIZE];
|
||||
unsigned int keyidlen = 0;
|
||||
int namelen = -1;
|
||||
unsigned char *pkeyid = NULL;
|
||||
int pkeyidlen = -1;
|
||||
|
||||
/* Set defaults */
|
||||
if (nid_cert == NID_undef)
|
||||
|
@ -64,11 +73,16 @@ PKCS12 *PKCS12_create_ex(const char *pass, const char *name, EVP_PKEY *pkey,
|
|||
}
|
||||
|
||||
if (cert) {
|
||||
bag = PKCS12_add_cert(&bags, cert);
|
||||
if (name && !PKCS12_add_friendlyname(bag, name, -1))
|
||||
goto err;
|
||||
if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
|
||||
goto err;
|
||||
if (name == NULL)
|
||||
name = (char *)X509_alias_get0(cert, &namelen);
|
||||
if (keyidlen > 0) {
|
||||
pkeyid = keyid;
|
||||
pkeyidlen = keyidlen;
|
||||
} else {
|
||||
pkeyid = X509_keyid_get0(cert, &pkeyidlen);
|
||||
}
|
||||
|
||||
bag = pkcs12_add_cert_bag(&bags, cert, name, namelen, pkeyid, pkeyidlen);
|
||||
}
|
||||
|
||||
/* Add all other certificates */
|
||||
|
@ -139,30 +153,23 @@ PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 *
|
|||
iter, mac_iter, keytype, NULL, NULL);
|
||||
}
|
||||
|
||||
PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
|
||||
static PKCS12_SAFEBAG *pkcs12_add_cert_bag(STACK_OF(PKCS12_SAFEBAG) **pbags,
|
||||
X509 *cert,
|
||||
const char *name,
|
||||
int namelen,
|
||||
unsigned char *keyid,
|
||||
int keyidlen)
|
||||
{
|
||||
PKCS12_SAFEBAG *bag = NULL;
|
||||
char *name;
|
||||
int namelen = -1;
|
||||
unsigned char *keyid;
|
||||
int keyidlen = -1;
|
||||
|
||||
/* Add user certificate */
|
||||
if ((bag = PKCS12_SAFEBAG_create_cert(cert)) == NULL)
|
||||
goto err;
|
||||
|
||||
/*
|
||||
* Use friendlyName and localKeyID in certificate. (if present)
|
||||
*/
|
||||
|
||||
name = (char *)X509_alias_get0(cert, &namelen);
|
||||
|
||||
if (name && !PKCS12_add_friendlyname(bag, name, namelen))
|
||||
if (name != NULL && !PKCS12_add_friendlyname(bag, name, namelen))
|
||||
goto err;
|
||||
|
||||
keyid = X509_keyid_get0(cert, &keyidlen);
|
||||
|
||||
if (keyid && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
|
||||
if (keyid != NULL && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
|
||||
goto err;
|
||||
|
||||
if (!pkcs12_add_bag(pbags, bag))
|
||||
|
@ -173,7 +180,22 @@ PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
|
|||
err:
|
||||
PKCS12_SAFEBAG_free(bag);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
|
||||
{
|
||||
char *name = NULL;
|
||||
int namelen = -1;
|
||||
unsigned char *keyid = NULL;
|
||||
int keyidlen = -1;
|
||||
|
||||
/*
|
||||
* Use friendlyName and localKeyID in certificate. (if present)
|
||||
*/
|
||||
name = (char *)X509_alias_get0(cert, &namelen);
|
||||
keyid = X509_keyid_get0(cert, &keyidlen);
|
||||
|
||||
return pkcs12_add_cert_bag(pbags, cert, name, namelen, keyid, keyidlen);
|
||||
}
|
||||
|
||||
PKCS12_SAFEBAG *PKCS12_add_key_ex(STACK_OF(PKCS12_SAFEBAG) **pbags,
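Review bot: In the `PKCS12_create_ex` hunk, the result of `pkcs12_add_cert_bag(&bags, cert, name, namelen, pkeyid, pkeyidlen)` is stored in `bag`, and the visible lines continue to "Add all other certificates" without testing it. The old code jumped to `err` when adding the friendly name or the local key ID failed. Those failures now happen inside the helper, which returns NULL, so unless a check follows outside the hunk the PKCS#12 structure could be created without the user certificate's bag and without an error. I would add `if (bag == NULL) goto err;` directly after the call. Separately, `pkeyidlen = keyidlen` narrows `unsigned int` to `int`; the value is bounded by `EVP_MAX_MD_SIZE`, but an explicit cast would show the narrowing is intended.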
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
#! /usr/bin/env perl
|
||||
# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -195,7 +195,7 @@ $code.=<<___ if ($avx>1);
|
|||
bt \$`5+32`,%r9 # AVX2?
|
||||
cmovc %rax,%r10
|
||||
___
|
||||
$code.=<<___ if ($avx>3);
|
||||
$code.=<<___ if ($avx>3 && !$win64);
|
||||
mov \$`(1<<31|1<<21|1<<16)`,%rax
|
||||
shr \$32,%r9
|
||||
and %rax,%r9
|
||||
|
@ -2724,7 +2724,7 @@ $code.=<<___;
|
|||
.cfi_endproc
|
||||
.size poly1305_blocks_avx512,.-poly1305_blocks_avx512
|
||||
___
|
||||
if ($avx>3) {
|
||||
if ($avx>3 && !$win64) {
|
||||
########################################################################
|
||||
# VPMADD52 version using 2^44 radix.
|
||||
#
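Review bot: The two `!$win64` conditions are added without a comment saying why the `$avx>3` code is left out on Win64; the reason is only in the commit message (POLY1305 corrupting XMM registers on Windows, CVE-2023-4807). A comment at the first site, for example `# Not enabled on Win64: this code path corrupts XMM registers there (CVE-2023-4807)`, would make it less likely that someone drops the test later. The first condition appears to gate the CPU capability check and the second the code that is emitted, so the two must stay in step. A single variable such as `my $avx512ifma = ($avx>3 && !$win64);` used at both places would enforce that. Both blocks continue outside the hunks.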
|
||||
|
|
|
@ -129,11 +129,11 @@ static const OSSL_LIB_CTX_METHOD ossl_ctx_global_properties_method = {
|
|||
};
|
||||
|
||||
OSSL_PROPERTY_LIST **ossl_ctx_global_properties(OSSL_LIB_CTX *libctx,
|
||||
int loadconfig)
|
||||
ossl_unused int loadconfig)
|
||||
{
|
||||
OSSL_GLOBAL_PROPERTIES *globp;
|
||||
|
||||
#ifndef FIPS_MODULE
|
||||
#if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_AUTOLOAD_CONFIG)
|
||||
if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
|
||||
return NULL;
|
||||
#endif
|
||||
|
@ -513,7 +513,7 @@ int ossl_method_store_fetch(OSSL_METHOD_STORE *store,
|
|||
if (nid <= 0 || method == NULL || store == NULL)
|
||||
return 0;
|
||||
|
||||
#ifndef FIPS_MODULE
|
||||
#if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_AUTOLOAD_CONFIG)
|
||||
if (ossl_lib_ctx_is_default(store->ctx)
|
||||
&& !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
|
||||
return 0;
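Review bot: The guard `#if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_AUTOLOAD_CONFIG)` is written out at every call site: twice in this file, and again in the `ossl_provider_find` and `ossl_provider_doall_activated` hunks of the next file. The option therefore only holds if every automatic `OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)` call is covered. Call sites outside these hunks cannot be checked from this page, so a search for remaining `#ifndef FIPS_MODULE` guards around that call is worth doing before relying on the option to keep the configuration file from being loaded implicitly. A single internal macro for the combined condition would make a missed site easier to spot in review.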
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -408,7 +408,7 @@ int ossl_provider_info_add_to_store(OSSL_LIB_CTX *libctx,
|
|||
}
|
||||
|
||||
OSSL_PROVIDER *ossl_provider_find(OSSL_LIB_CTX *libctx, const char *name,
|
||||
int noconfig)
|
||||
ossl_unused int noconfig)
|
||||
{
|
||||
struct provider_store_st *store = NULL;
|
||||
OSSL_PROVIDER *prov = NULL;
|
||||
|
@ -417,7 +417,7 @@ OSSL_PROVIDER *ossl_provider_find(OSSL_LIB_CTX *libctx, const char *name,
|
|||
OSSL_PROVIDER tmpl = { 0, };
|
||||
int i;
|
||||
|
||||
#ifndef FIPS_MODULE
|
||||
#if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_AUTOLOAD_CONFIG)
|
||||
/*
|
||||
* Make sure any providers are loaded from config before we try to find
|
||||
* them.
|
||||
|
@ -1356,7 +1356,7 @@ int ossl_provider_doall_activated(OSSL_LIB_CTX *ctx,
|
|||
struct provider_store_st *store = get_provider_store(ctx);
|
||||
STACK_OF(OSSL_PROVIDER) *provs = NULL;
|
||||
|
||||
#ifndef FIPS_MODULE
|
||||
#if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_AUTOLOAD_CONFIG)
|
||||
/*
|
||||
* Make sure any providers are loaded from config before we try to use
|
||||
* them.
|
||||
|
|
|
@ -60,13 +60,16 @@ static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
|
|||
if (!rsa_param_encode(pkey, &str, &strtype))
|
||||
return 0;
|
||||
penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
|
||||
if (penclen <= 0)
|
||||
if (penclen <= 0) {
|
||||
ASN1_STRING_free(str);
|
||||
return 0;
|
||||
}
|
||||
if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),
|
||||
strtype, str, penc, penclen))
|
||||
return 1;
|
||||
|
||||
OPENSSL_free(penc);
|
||||
ASN1_STRING_free(str);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2004, EdelKey Project. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
|
@ -283,6 +283,7 @@ SRP_VBASE *SRP_VBASE_new(char *seed_key)
|
|||
return NULL;
|
||||
if ((vb->users_pwd = sk_SRP_user_pwd_new_null()) == NULL
|
||||
|| (vb->gN_cache = sk_SRP_gN_cache_new_null()) == NULL) {
|
||||
sk_SRP_user_pwd_free(vb->users_pwd);
|
||||
OPENSSL_free(vb);
|
||||
return NULL;
|
||||
}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -424,14 +424,14 @@ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx)
|
|||
|
||||
load_data.v = NULL;
|
||||
load_data.ctx = ctx;
|
||||
ctx->error_flag = 0;
|
||||
|
||||
if (!ctx->fetched_loader->p_load(ctx->loader_ctx,
|
||||
ossl_store_handle_load_result,
|
||||
&load_data,
|
||||
ossl_pw_passphrase_callback_dec,
|
||||
&ctx->pwdata)) {
|
||||
if (!OSSL_STORE_eof(ctx))
|
||||
ctx->error_flag = 1;
|
||||
ctx->error_flag = 1;
|
||||
return NULL;
|
||||
}
|
||||
v = load_data.v;
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -72,8 +72,6 @@ CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void)
|
|||
# if !defined (__TANDEM) && !defined (_SPT_MODEL_)
|
||||
# if !defined(NDEBUG) && !defined(OPENSSL_NO_MUTEX_ERRORCHECK)
|
||||
pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
|
||||
# else
|
||||
pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_NORMAL);
|
||||
# endif
|
||||
# else
|
||||
/* The SPT Thread Library does not define MUTEX attributes. */
|
||||
|
|
|
@ -51,25 +51,25 @@ static ISSUER_SIGN_TOOL *v2i_issuer_sign_tool(X509V3_EXT_METHOD *method, X509V3_
|
|||
if (strcmp(cnf->name, "signTool") == 0) {
|
||||
ist->signTool = ASN1_UTF8STRING_new();
|
||||
if (ist->signTool == NULL || !ASN1_STRING_set(ist->signTool, cnf->value, strlen(cnf->value))) {
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
} else if (strcmp(cnf->name, "cATool") == 0) {
|
||||
ist->cATool = ASN1_UTF8STRING_new();
|
||||
if (ist->cATool == NULL || !ASN1_STRING_set(ist->cATool, cnf->value, strlen(cnf->value))) {
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
} else if (strcmp(cnf->name, "signToolCert") == 0) {
|
||||
ist->signToolCert = ASN1_UTF8STRING_new();
|
||||
if (ist->signToolCert == NULL || !ASN1_STRING_set(ist->signToolCert, cnf->value, strlen(cnf->value))) {
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
} else if (strcmp(cnf->name, "cAToolCert") == 0) {
|
||||
ist->cAToolCert = ASN1_UTF8STRING_new();
|
||||
if (ist->cAToolCert == NULL || !ASN1_STRING_set(ist->cAToolCert, cnf->value, strlen(cnf->value))) {
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
} else {
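Review bot: Each branch calls `strlen(cnf->value)`, and nothing in the hunk shows `cnf->value` being tested for NULL first. The loop head and any earlier checks are outside the hunk, so this needs confirming against the full function. If a configuration entry can arrive with a name and no value, a guard before the `strcmp` chain would turn a NULL dereference into a reported error: `if (cnf->value == NULL) { ERR_raise(ERR_LIB_X509V3, X509V3_R_MISSING_VALUE); goto err; }`. The four branches differ only in the field they assign, so a small static helper taking `ASN1_UTF8STRING **` and the value would keep the allocation, the copy and the error code in one place.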
|
||||
|
|
|
@ -292,12 +292,13 @@ unsigned long X509_NAME_hash_ex(const X509_NAME *x, OSSL_LIB_CTX *libctx,
|
|||
unsigned long ret = 0;
|
||||
unsigned char md[SHA_DIGEST_LENGTH];
|
||||
EVP_MD *sha1 = EVP_MD_fetch(libctx, "SHA1", propq);
|
||||
int i2d_ret;
|
||||
|
||||
/* Make sure X509_NAME structure contains valid cached encoding */
|
||||
i2d_X509_NAME(x, NULL);
|
||||
i2d_ret = i2d_X509_NAME(x, NULL);
|
||||
if (ok != NULL)
|
||||
*ok = 0;
|
||||
if (sha1 != NULL
|
||||
if (i2d_ret >= 0 && sha1 != NULL
|
||||
&& EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, sha1, NULL)) {
|
||||
ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) |
|
||||
((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
|
||||
|
@ -325,7 +326,9 @@ unsigned long X509_NAME_hash_old(const X509_NAME *x)
|
|||
goto end;
|
||||
|
||||
/* Make sure X509_NAME structure contains valid cached encoding */
|
||||
i2d_X509_NAME(x, NULL);
|
||||
if (i2d_X509_NAME(x, NULL) < 0)
|
||||
goto end;
|
||||
|
||||
if (EVP_DigestInit_ex(md_ctx, md5, NULL)
|
||||
&& EVP_DigestUpdate(md_ctx, x->bytes->data, x->bytes->length)
|
||||
&& EVP_DigestFinal_ex(md_ctx, md, NULL))
|
||||
|
|
|
@ -659,11 +659,12 @@ is typically used when authenticating with pre-shared key (password-based MAC).
|
|||
|
||||
=item B<-secret> I<arg>
|
||||
|
||||
Prefer PBM-based message protection with given source of a secret value.
|
||||
The secret is used for creating PBM-based protection of outgoing messages
|
||||
and (as far as needed) for validating PBM-based protection of incoming messages.
|
||||
PBM stands for Password-Based Message Authentication Code.
|
||||
Provides the source of a secret value to use with MAC-based message protection.
|
||||
This takes precedence over the B<-cert> and B<-key> options.
|
||||
The secret is used for creating MAC-based protection of outgoing messages
|
||||
and for validating incoming messages that have MAC-based protection.
|
||||
The algorithm used by default is Password-Based Message Authentication Code (PBM)
|
||||
as defined in RFC 4210 section 5.1.3.1.
|
||||
|
||||
For more information about the format of I<arg> see
|
||||
L<openssl-passphrase-options(1)>.
|
||||
|
@ -682,7 +683,8 @@ while the subject of B<-oldcert> or B<-subjectName> may provide fallback values.
|
|||
The issuer of this certificate is used as one of the recipient fallback values
|
||||
and as fallback issuer entry in the certificate template of IR/CR/KUR messages.
|
||||
|
||||
When using signature-based message protection, this "protection certificate"
|
||||
When performing signature-based message protection,
|
||||
this "protection certificate", also called "signer certificate",
|
||||
will be included first in the extraCerts field of outgoing messages
|
||||
and the signature is done with the corresponding key.
|
||||
In Initialization Request (IR) messages this can be used for authenticating
|
||||
|
@ -713,8 +715,8 @@ have no effect on the certificate verification enabled via this option.
|
|||
|
||||
The corresponding private key file for the client's current certificate given in
|
||||
the B<-cert> option.
|
||||
This will be used for signature-based message protection unless
|
||||
the B<-secret> option indicating PBM or B<-unprotected_requests> is given.
|
||||
This will be used for signature-based message protection unless the B<-secret>
|
||||
option indicating MAC-based protection or B<-unprotected_requests> is given.
|
||||
|
||||
It is also used as a fallback for the B<-newkey> option with IR/CR/KUR messages.
|
||||
|
||||
|
@ -730,7 +732,7 @@ L<openssl-passphrase-options(1)>.
|
|||
=item B<-digest> I<name>
|
||||
|
||||
Specifies name of supported digest to use in RFC 4210's MSG_SIG_ALG
|
||||
and as the one-way function (OWF) in MSG_MAC_ALG.
|
||||
and as the one-way function (OWF) in C<MSG_MAC_ALG>.
|
||||
If applicable, this is used for message protection and
|
||||
proof-of-possession (POPO) signatures.
|
||||
To see the list of supported digests, use C<openssl list -digest-commands>.
|
||||
|
@ -738,7 +740,7 @@ Defaults to C<sha256>.
|
|||
|
||||
=item B<-mac> I<name>
|
||||
|
||||
Specifies the name of the MAC algorithm in MSG_MAC_ALG.
|
||||
Specifies the name of the MAC algorithm in C<MSG_MAC_ALG>.
|
||||
To get the names of supported MAC algorithms use C<openssl list -mac-algorithms>
|
||||
and possibly combine such a name with the name of a supported digest algorithm,
|
||||
e.g., hmacWithSHA256.
|
||||
|
@ -1097,6 +1099,13 @@ only affect the certificate verification enabled via the B<-out_trusted> option.
|
|||
|
||||
=head1 NOTES
|
||||
|
||||
When a client obtains from a CMP server CA certificates that it is going to
|
||||
trust, for instance via the C<caPubs> field of a certificate response,
|
||||
authentication of the CMP server is particularly critical.
|
||||
So special care must be taken setting up server authentication
|
||||
using B<-trusted> and related options for certificate-based authentication
|
||||
or B<-secret> for MAC-based protection.
|
||||
|
||||
When setting up CMP configurations and experimenting with enrollment options
|
||||
typically various errors occur until the configuration is correct and complete.
|
||||
When the CMP server reports an error the client will by default
|
||||
|
@ -1166,7 +1175,7 @@ In order to update the enrolled certificate one may call
|
|||
|
||||
openssl cmp -section insta,kur
|
||||
|
||||
using with PBM-based protection or
|
||||
using MAC-based protection with PBM or
|
||||
|
||||
openssl cmp -section insta,kur,signature
|
||||
|
||||
|
@ -1225,7 +1234,7 @@ Then it can start using the new cert and key.
|
|||
-newkey cl_key_new.pem -certout cl_cert.pem
|
||||
cp cl_key_new.pem cl_key.pem
|
||||
|
||||
This command sequence can be repated as often as needed.
|
||||
This command sequence can be repeated as often as needed.
|
||||
|
||||
=head2 Requesting information from CMP server
|
||||
|
||||
|
|
|
@ -391,7 +391,7 @@ option.
|
|||
=item I<recipient-cert> ...
|
||||
|
||||
This is an alternative to using the B<-recip> option when encrypting a message.
|
||||
One or more certificate filennames may be given.
|
||||
One or more certificate filenames may be given.
|
||||
|
||||
=item B<-I<cipher>>
|
||||
|
||||
|
@ -902,7 +902,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -490,7 +490,7 @@ Default is no. (Optional)
|
|||
=item B<ess_cert_id_alg>
|
||||
|
||||
This option specifies the hash function to be used to calculate the TSA's
|
||||
public key certificate identifier. Default is sha256. (Optional)
|
||||
public key certificate identifier. Default is sha1. (Optional)
|
||||
|
||||
=back
|
||||
|
||||
|
@ -652,7 +652,7 @@ L<ossl_store-file(7)>
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -59,6 +59,8 @@ positive return value B<v> should be set to a negative value, typically -1.
|
|||
|
||||
BIO_get_mem_data() sets *B<pp> to a pointer to the start of the memory BIOs data
|
||||
and returns the total amount of data available. It is implemented as a macro.
|
||||
Note the pointer returned by this call is informative, no transfer of ownership
|
||||
of this memory is implied. See notes on BIO_set_close().
|
||||
|
||||
BIO_set_mem_buf() sets the internal BUF_MEM structure to B<bm> and sets the
|
||||
close flag to B<c>, that is B<c> should be either BIO_CLOSE or BIO_NOCLOSE.
|
||||
|
@ -114,6 +116,10 @@ preceding that write operation cannot be undone.
|
|||
Calling BIO_get_mem_ptr() prior to a BIO_reset() call with
|
||||
BIO_FLAGS_NONCLEAR_RST set has the same effect as a write operation.
|
||||
|
||||
Calling BIO_set_close() with BIO_NOCLOSE orphans the BUF_MEM internal to the
|
||||
BIO, _not_ its actual data buffer. See the examples section for the proper
|
||||
method for claiming ownership of the data pointer for a deferred free operation.
|
||||
|
||||
=head1 BUGS
|
||||
|
||||
There should be an option to set the maximum size of a memory BIO.
|
||||
|
@ -151,10 +157,24 @@ Extract the BUF_MEM structure from a memory BIO and then free up the BIO:
|
|||
BIO_set_close(mem, BIO_NOCLOSE); /* So BIO_free() leaves BUF_MEM alone */
|
||||
BIO_free(mem);
|
||||
|
||||
Extract the BUF_MEM ptr, claim ownership of the internal data and free the BIO
|
||||
and BUF_MEM structure:
|
||||
|
||||
BUF_MEM *bptr;
|
||||
char *data;
|
||||
|
||||
BIO_get_mem_data(bio, &data);
|
||||
BIO_get_mem_ptr(bio, &bptr);
|
||||
BIO_set_close(mem, BIO_NOCLOSE); /* So BIO_free orphans BUF_MEM */
|
||||
BIO_free(bio);
|
||||
bptr->data = NULL; /* Tell BUF_MEM to orphan data */
|
||||
BUF_MEM_free(bptr);
|
||||
...
|
||||
free(data);
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -105,7 +105,7 @@ The function CMS_sign() is a basic CMS signing function whose output will be
|
|||
suitable for many purposes. For finer control of the output format the
|
||||
B<certs>, B<signcert> and B<pkey> parameters can all be B<NULL> and the
|
||||
B<CMS_PARTIAL> flag set. Then one or more signers can be added using the
|
||||
function CMS_sign_add1_signer(), non default digests can be used and custom
|
||||
function CMS_add1_signer(), non default digests can be used and custom
|
||||
attributes added. CMS_final() must then be called to finalize the
|
||||
structure if streaming is not enabled.
|
||||
|
||||
|
@ -132,7 +132,7 @@ The CMS_sign_ex() method was added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -181,7 +181,7 @@ EVP_MAC_CTX_set_params() passes chosen parameters to the underlying
|
|||
context, given a context I<ctx>.
|
||||
The set of parameters given with I<params> determine exactly what
|
||||
parameters are passed down.
|
||||
If I<params> are NULL, the unterlying context should do nothing and return 1.
|
||||
If I<params> are NULL, the underlying context should do nothing and return 1.
|
||||
Note that a parameter that is unknown in the underlying context is
|
||||
simply ignored.
|
||||
Also, what happens when a needed parameter isn't passed down is
|
||||
|
@ -481,7 +481,7 @@ These functions were added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -61,7 +61,7 @@ EVP_SIGNATURE_get0_provider() returns the provider that I<signature> was
|
|||
fetched from.
|
||||
|
||||
EVP_SIGNATURE_do_all_provided() traverses all SIGNATURE implemented by all
|
||||
activated roviders in the given library context I<libctx>, and for each of the
|
||||
activated providers in the given library context I<libctx>, and for each of the
|
||||
implementations, calls the given function I<fn> with the implementation method
|
||||
and the given I<arg> as argument.
|
||||
|
||||
|
@ -106,7 +106,7 @@ The functions described here were added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -182,7 +182,7 @@ clearing the internal CMP transaction (aka session) status, PKIStatusInfo,
|
|||
and any previous results (newCert, newChain, caPubs, and extraCertsIn)
|
||||
from the last executed transaction.
|
||||
It also clears any ITAVs that were added by OSSL_CMP_CTX_push0_genm_ITAV().
|
||||
All other field values (i.e., CMP options) are retained for potential re-use.
|
||||
All other field values (i.e., CMP options) are retained for potential reuse.
|
||||
|
||||
OSSL_CMP_CTX_set_option() sets the given value for the given option
|
||||
(e.g., OSSL_CMP_OPT_IMPLICIT_CONFIRM) in the given OSSL_CMP_CTX structure.
|
||||
|
@ -260,12 +260,12 @@ The following options can be set:
|
|||
|
||||
=item B<OSSL_CMP_OPT_OWF_ALGNID>
|
||||
The NID of the digest algorithm to be used as one-way function (OWF)
|
||||
in RFC 4210's MSG_MAC_ALG for PBM-based message protection.
|
||||
for MAC-based message protection with password-based MAC (PBM).
|
||||
See RFC 4210 section 5.1.3.1 for details.
|
||||
Default is SHA256.
|
||||
|
||||
=item B<OSSL_CMP_OPT_MAC_ALGNID>
|
||||
The NID of the MAC algorithm to be used in RFC 4210's MSG_MAC_ALG
|
||||
for PBM-based message protection.
|
||||
The NID of the MAC algorithm to be used for message protection with PBM.
|
||||
Default is HMAC-SHA1 as per RFC 4210.
|
||||
|
||||
=item B<OSSL_CMP_OPT_REVOCATION_REASON>
|
||||
|
@ -450,8 +450,8 @@ The reference counts of those certificates handled successfully are increased.
|
|||
OSSL_CMP_CTX_get0_untrusted(OSSL_CMP_CTX *ctx) returns a pointer to the
|
||||
list of untrusted certs, which may be empty if unset.
|
||||
|
||||
OSSL_CMP_CTX_set1_cert() sets the CMP signer certificate
|
||||
related to the private key used for CMP message protection.
|
||||
OSSL_CMP_CTX_set1_cert() sets the CMP signer certificate, also called protection
|
||||
certificate, related to the private key for signature-based message protection.
|
||||
Therefore the public key of this I<cert> must correspond to
|
||||
the private key set before or thereafter via OSSL_CMP_CTX_set1_pkey().
|
||||
When using signature-based protection of CMP request messages
|
||||
|
@ -481,15 +481,15 @@ OSSL_CMP_CTX_set1_pkey() sets the client's private key corresponding to the
|
|||
CMP signer certificate set via OSSL_CMP_CTX_set1_cert().
|
||||
This key is used create signature-based protection (protectionAlg = MSG_SIG_ALG)
|
||||
of outgoing messages
|
||||
unless a PBM secret has been set via OSSL_CMP_CTX_set1_secretValue().
|
||||
unless a symmetric secret has been set via OSSL_CMP_CTX_set1_secretValue().
|
||||
The I<pkey> argument may be NULL to clear the entry.
|
||||
|
||||
OSSL_CMP_CTX_set1_secretValue() sets the byte string I<sec> with length I<len>
|
||||
as PBM secret in the given I<ctx> or clears it if the I<sec> argument is NULL.
|
||||
If present, this secret is used to create PBM-based protection of outgoing
|
||||
messages and to verify any PBM-based protection of incoming messages
|
||||
(protectionAlg = MSG_MAC_ALG). PBM stands for Password-Based MAC.
|
||||
PBM-based protection takes precedence over signature-based protection.
|
||||
OSSL_CMP_CTX_set1_secretValue() sets in I<ctx> the byte string I<sec> of length
|
||||
I<len> to use as pre-shared secret, or clears it if the I<sec> argument is NULL.
|
||||
If present, this secret is used to create MAC-based authentication and integrity
|
||||
protection (rather than applying signature-based protection)
|
||||
of outgoing messages and to verify authenticity and integrity of incoming
|
||||
messages that have MAC-based protection (protectionAlg = C<MSG_MAC_ALG>).
|
||||
|
||||
OSSL_CMP_CTX_set1_referenceValue() sets the given referenceValue I<ref> with
|
||||
length I<len> in the given I<ctx> or clears it if the I<ref> argument is NULL.
|
||||
|
@ -500,7 +500,7 @@ then the sender field will contain the NULL-DN
|
|||
and the senderKID field of the CMP message header must be set.
|
||||
When signature-based protection is used the senderKID will be set to
|
||||
the subjectKeyIdentifier of the CMP signer certificate as far as present.
|
||||
If not present or when PBM-based protection is used
|
||||
If not present or when MAC-based protection is used
|
||||
the I<ref> value is taken as the fallback value for the senderKID.
|
||||
|
||||
OSSL_CMP_CTX_set1_recipient() sets the recipient name that will be used in the
|
||||
|
@ -731,7 +731,7 @@ Set up a CMP client context for sending requests and verifying responses:
|
|||
OSSL_CMP_CTX_set1_serverPath(cmp_ctx, path_or_alias);
|
||||
OSSL_CMP_CTX_set0_trustedStore(cmp_ctx, ts);
|
||||
|
||||
Set up client credentials for password-based protection (PBM):
|
||||
Set up symmetric credentials for MAC-based message protection such as PBM:
|
||||
|
||||
OSSL_CMP_CTX_set1_referenceValue(cmp_ctx, ref, ref_len);
|
||||
OSSL_CMP_CTX_set1_secretValue(cmp_ctx, sec, sec_len);
|
||||
|
|
|
@ -42,7 +42,7 @@ client-server transactions, i.e., sequences of CMP requests and responses.
|
|||
|
||||
All functions take a populated OSSL_CMP_CTX structure as their first argument.
|
||||
Usually the server name, port, and path ("CMP alias") need to be set, as well as
|
||||
credentials the client can use for authenticating itself to the client.
|
||||
credentials the client can use for authenticating itself to the server.
|
||||
In order to authenticate the server the client typically needs a trust store.
|
||||
The functions return their respective main results directly, while there are
|
||||
also accessor functions for retrieving various results and status information
|
||||
|
@ -72,7 +72,7 @@ and need to be filled in using L<OSSL_CMP_CTX_set1_subjectName(3)>,
|
|||
L<OSSL_CMP_CTX_set0_newPkey(3)>, L<OSSL_CMP_CTX_set1_oldCert(3)>, etc.
|
||||
For P10CR, L<OSSL_CMP_CTX_set1_p10CSR(3)> needs to be used instead.
|
||||
The enrollment session may be blocked by sleeping until the addressed
|
||||
CA (or an intermedate PKI component) can fully process and answer the request.
|
||||
CA (or an intermediate PKI component) can fully process and answer the request.
|
||||
|
||||
OSSL_CMP_try_certreq() is an alternative to the above functions that is
|
||||
more flexible regarding what to do after receiving a checkAfter value.
|
||||
|
@ -119,9 +119,17 @@ See RFC 4210 section 5.3.19 and appendix E.5 for details.
|
|||
|
||||
CMP is defined in RFC 4210 (and CRMF in RFC 4211).
|
||||
|
||||
So far the CMP client implementation is limited to one request per CMP message
|
||||
The CMP client implementation is limited to one request per CMP message
|
||||
(and consequently to at most one response component per CMP message).
|
||||
|
||||
When a client obtains from a CMP server CA certificates that it is going to
|
||||
trust, for instance via the caPubs field of a certificate response,
|
||||
authentication of the CMP server is particularly critical.
|
||||
So special care must be taken setting up server authentication in I<ctx>
|
||||
using functions such as
|
||||
L<OSSL_CMP_CTX_set0_trustedStore(3)> (for certificate-based authentication) or
|
||||
L<OSSL_CMP_CTX_set1_secretValue(3)> (for MAC-based protection).
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
OSSL_CMP_exec_certreq(), OSSL_CMP_exec_IR_ses(), OSSL_CMP_exec_CR_ses(),
|
||||
|
@ -163,7 +171,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -72,12 +72,16 @@ which collects the HTTP request header lines.
|
|||
OSSL_HTTP_REQ_CTX_free() frees up the HTTP request context I<rctx>.
|
||||
The I<rbio> is not free'd, I<wbio> will be free'd if I<free_wbio> is set.
|
||||
|
||||
OSSL_HTTP_REQ_CTX_set_request_line() adds the HTTP request line to the context.
|
||||
OSSL_HTTP_REQ_CTX_set_request_line() adds the 1st HTTP request line to I<rctx>.
|
||||
The HTTP method is determined by I<method_POST>,
|
||||
which should be 1 to indicate C<POST> or 0 to indicate C<GET>.
|
||||
I<server> and I<port> may be set to indicate a proxy server and port
|
||||
that the request should go through, otherwise they should be left NULL.
|
||||
I<path> is the HTTP request path; if left NULL, C</> is used.
|
||||
I<server> and I<port> may be set to give the server and the optional port that
|
||||
an HTTP proxy shall forward the request to, otherwise they must be left NULL.
|
||||
I<path> provides the HTTP request path; if left NULL, C</> is used.
|
||||
For backward compatibility, I<path> may begin with C<http://> and thus convey
|
||||
an absoluteURI. In this case it indicates HTTP proxy use and provides also the
|
||||
server (and optionally the port) that the proxy shall forward the request to.
|
||||
In this case the I<server> and I<port> arguments must be NULL.
|
||||
|
||||
OSSL_HTTP_REQ_CTX_add1_header() adds header I<name> with value I<value> to the
|
||||
context I<rctx>. It can be called more than once to add multiple header lines.
|
||||
|
|
|
@ -161,8 +161,11 @@ NULL) to print additional diagnostic information in a user-oriented way.
|
|||
|
||||
OSSL_HTTP_set1_request() sets up in I<rctx> the request header and content data
|
||||
and expectations on the response using the following parameters.
|
||||
If <rctx> indicates using a proxy for HTTP (but not HTTPS), the server hostname
|
||||
(and optionally port) needs to be placed in the header and thus must be present.
|
||||
If <rctx> indicates using a proxy for HTTP (but not HTTPS), the server host
|
||||
(and optionally port) needs to be placed in the header; thus it must be present
|
||||
in I<rctx>.
|
||||
For backward compatibility, the server (and optional port) may also be given in
|
||||
the I<path> argument beginning with C<http://> (thus giving an absoluteURI).
|
||||
If I<path> is NULL it defaults to "/".
|
||||
If I<req> is NULL the HTTP GET method will be used to send the request
|
||||
else HTTP POST with the contents of I<req> and optional I<content_type>, where
|
||||
|
@ -274,7 +277,7 @@ All the functions described here were added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -42,7 +42,8 @@ can all be set to zero and sensible defaults will be used.
|
|||
These defaults are: AES password based encryption (PBES2 with PBKDF2 and
|
||||
AES-256-CBC) for private keys and certificates, the PBKDF2 and MAC key
|
||||
derivation iteration count of B<PKCS12_DEFAULT_ITER> (currently 2048), and
|
||||
MAC algorithm HMAC with SHA2-256.
|
||||
MAC algorithm HMAC with SHA2-256. The MAC key derivation algorithm used
|
||||
for the outer PKCS#12 structure is PKCS12KDF.
|
||||
|
||||
The default MAC iteration count is 1 in order to retain compatibility with
|
||||
old software which did not interpret MAC iteration counts. If such compatibility
|
||||
|
@ -68,6 +69,8 @@ I<nid_key> or I<nid_cert> can be set to -1 indicating that no encryption
|
|||
should be used.
|
||||
|
||||
I<mac_iter> can be set to -1 and the MAC will then be omitted entirely.
|
||||
This can be useful when running with the FIPS provider as the PKCS12KDF
|
||||
is not a FIPS approvable algorithm.
|
||||
|
||||
PKCS12_create() makes assumptions regarding the encoding of the given pass
|
||||
phrase.
|
||||
|
@ -83,7 +86,9 @@ IETF RFC 7292 (L<https://tools.ietf.org/html/rfc7292>)
|
|||
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<EVP_KDF-PKCS12KDF(7)>,
|
||||
L<d2i_PKCS12(3)>,
|
||||
L<OSSL_PROVIDER-FIPS(7)>,
|
||||
L<passphrase-encoding(7)>
|
||||
|
||||
=head1 HISTORY
|
||||
|
@ -96,7 +101,7 @@ standards.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -22,6 +22,7 @@ PKCS12_verify_mac - Functions to create and manipulate a PKCS#12 structure
|
|||
|
||||
PKCS12_gen_mac() generates an HMAC over the entire PKCS#12 object using the
|
||||
supplied password along with a set of already configured parameters.
|
||||
The default key generation mechanism used is PKCS12KDF.
|
||||
|
||||
PKCS12_verify_mac() verifies the PKCS#12 object's HMAC using the supplied
|
||||
password.
|
||||
|
@ -57,6 +58,7 @@ IETF RFC 7292 (L<https://tools.ietf.org/html/rfc7292>)
|
|||
=head1 SEE ALSO
|
||||
|
||||
L<d2i_PKCS12(3)>,
|
||||
L<EVP_KDF-PKCS12KDF(7)>,
|
||||
L<PKCS12_create(3)>,
|
||||
L<passphrase-encoding(7)>
|
||||
|
||||
|
|
|
@ -35,7 +35,7 @@ MUST NOT have yet started the SSL handshake. For connections that are not in
|
|||
their initial state SSL_dup() just increments an internal
|
||||
reference count and returns the I<same> handle. It may be possible to
|
||||
use L<SSL_clear(3)> to recycle an SSL handle that is not in its initial
|
||||
state for re-use, but this is best avoided. Instead, save and restore
|
||||
state for reuse, but this is best avoided. Instead, save and restore
|
||||
the session, if desired, and construct a fresh handle for each connection.
|
||||
|
||||
The subset of settings in I<s> that are duplicated are:
|
||||
|
@ -124,7 +124,7 @@ L<ssl(7)>
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -28,7 +28,6 @@ d2i_RSA_PUBKEY_fp,
|
|||
d2i_DHparams,
|
||||
d2i_DHparams_bio,
|
||||
d2i_DHparams_fp,
|
||||
d2i_ECPKParameters,
|
||||
d2i_ECParameters,
|
||||
d2i_ECPrivateKey,
|
||||
d2i_ECPrivateKey_bio,
|
||||
|
@ -56,7 +55,6 @@ i2d_DSA_PUBKEY,
|
|||
i2d_DSA_PUBKEY_bio,
|
||||
i2d_DSA_PUBKEY_fp,
|
||||
i2d_DSAparams,
|
||||
i2d_ECPKParameters,
|
||||
i2d_ECParameters,
|
||||
i2d_ECPrivateKey,
|
||||
i2d_ECPrivateKey_bio,
|
||||
|
@ -205,7 +203,7 @@ I<selection> and I<structure> as follows:
|
|||
|
||||
=item B<i2d_I<TYPE>PrivateKey>() translates into:
|
||||
|
||||
int selection = EVP_PKEY_PRIVATE_KEY;
|
||||
int selection = EVP_PKEY_KEYPAIR;
|
||||
const char *structure = "type-specific";
|
||||
|
||||
=item B<i2d_I<TYPE>PublicKey>() translates into:
|
||||
|
@ -309,7 +307,7 @@ L<i2d_PUBKEY(3)>
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -53,6 +53,7 @@ d2i_DIST_POINT,
|
|||
d2i_DIST_POINT_NAME,
|
||||
d2i_DSA_SIG,
|
||||
d2i_ECDSA_SIG,
|
||||
d2i_ECPKParameters,
|
||||
d2i_EDIPARTYNAME,
|
||||
d2i_ESS_CERT_ID,
|
||||
d2i_ESS_CERT_ID_V2,
|
||||
|
@ -223,6 +224,7 @@ i2d_DIST_POINT,
|
|||
i2d_DIST_POINT_NAME,
|
||||
i2d_DSA_SIG,
|
||||
i2d_ECDSA_SIG,
|
||||
i2d_ECPKParameters,
|
||||
i2d_EDIPARTYNAME,
|
||||
i2d_ESS_CERT_ID,
|
||||
i2d_ESS_CERT_ID_V2,
|
||||
|
|
|
@ -93,7 +93,7 @@ numeric identifier, as shown here:
|
|||
email.2 = steve@example.org
|
||||
|
||||
The syntax of raw extensions is defined by the source code that parses
|
||||
the extension but should be documened.
|
||||
the extension but should be documented.
|
||||
See L</Certificate Policies> for an example of a raw extension.
|
||||
|
||||
If an extension type is unsupported, then the I<arbitrary> extension syntax
|
||||
|
@ -590,7 +590,7 @@ L<ASN1_generate_nconf(3)>
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -46,6 +46,9 @@ RFC 7292 section B.3.
|
|||
|
||||
=head1 NOTES
|
||||
|
||||
This algorithm is not available in the FIPS provider as it is not FIPS
|
||||
approvable.
|
||||
|
||||
A typical application of this algorithm is to derive keying material for an
|
||||
encryption algorithm from a password in the "pass", a salt in "salt",
|
||||
and an iteration count.
|
||||
|
@ -68,7 +71,8 @@ L<EVP_KDF_CTX_new(3)>,
|
|||
L<EVP_KDF_CTX_free(3)>,
|
||||
L<EVP_KDF_CTX_set_params(3)>,
|
||||
L<EVP_KDF_derive(3)>,
|
||||
L<EVP_KDF(3)/PARAMETERS>
|
||||
L<EVP_KDF(3)/PARAMETERS>,
|
||||
L<OSSL_PROVIDER-FIPS(7)>
|
||||
|
||||
=head1 HISTORY
|
||||
|
||||
|
@ -76,7 +80,7 @@ This functionality was added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -306,6 +306,15 @@ context and property query and will call an extended version of the key/IV
|
|||
derivation function which supports these parameters. This includes
|
||||
L<EVP_PBE_CipherInit_ex(3)>, L<EVP_PBE_find_ex(3)> and L<EVP_PBE_scrypt_ex(3)>.
|
||||
|
||||
=head4 PKCS#12 KDF versus FIPS
|
||||
|
||||
Unlike in 1.x.y, the PKCS12KDF algorithm used when a PKCS#12 structure
|
||||
is created with a MAC that does not work with the FIPS provider as the PKCS12KDF
|
||||
is not a FIPS approvable mechanism.
|
||||
|
||||
See L<EVP_KDF-PKCS12KDF(7)>, L<PKCS12_create(3)>, L<openssl-pkcs12(1)>,
|
||||
L<OSSL_PROVIDER-FIPS(7)>.
|
||||
|
||||
=head4 Windows thread synchronization changes
|
||||
|
||||
Windows thread synchronization uses read/write primitives (SRWLock) when
|
||||
|
|
|
@ -259,12 +259,12 @@ a0097ff2da8955fe15ba204cb54f3fd48a06f846e2b9826f507b26acf65715c3 crypto/params_
|
|||
97cb7414dc2f165d5849ee3b46cdfff0afb067729435d9c01a747e0ca41e230c crypto/ppccap.c
|
||||
3ca43596a7528dec8ff9d1a3cd0d68b62640f84b1d6a8b5e4842cfd0be1133ad crypto/ppccpuid.pl
|
||||
b4d34272a0bd1fbe6562022bf7ea6259b6a5a021a48222d415be47ef5ef2a905 crypto/property/defn_cache.c
|
||||
7da6ae864beb1a4daa4be31eb41d48141a3a7eb7a263a4937a6889e05656a595 crypto/property/property.c
|
||||
3c4ade2fed4605e374d85ec1134a98da34e7124f89f44b81a754e8cfe81f14ba crypto/property/property.c
|
||||
66da4f28d408133fb544b14aeb9ad4913e7c5c67e2826e53f0dc5bf4d8fada26 crypto/property/property_local.h
|
||||
921305e62749aec22da4843738bee3448b61e7e30d5309beddc7141ad07a8004 crypto/property/property_parse.c
|
||||
a7cefda6a117550e2c76e0f307565ce1e11640b11ba10c80e469a837fd1212a3 crypto/property/property_query.c
|
||||
065698c8d88a5facc0cbc02a3bd0c642c94687a8c5dd79901c942138b406067d crypto/property/property_string.c
|
||||
9653ec9c1476350a94b9cc7f8be3d99961fd803870c9ac03315298d2909a6a8e crypto/provider_core.c
|
||||
0ba5d0297837940c972224c97cbbf3ea4a723c1eed9ce1112538c9bb26208639 crypto/provider_core.c
|
||||
d0af10d4091b2032aac1b7db80f8c2e14fa7176592716b25b9437ab6b53c0a89 crypto/provider_local.h
|
||||
5ba2e1c74ddcd0453d02e32612299d1eef18eff8493a7606c15d0dc3738ad1d9 crypto/provider_predefined.c
|
||||
a5a4472636b8b0095ad8d4acd37e275ad79da1a67ecff7b7b5c3e46c9ebc65b7 crypto/rand/rand_lib.c
|
||||
|
@ -344,7 +344,7 @@ c50c584c55e56347bb43aca4b796b5344d70daece3061f586b79c871c21f5d1a crypto/sparse_
|
|||
8da78169fa8c09dc3c29c9bf1602b22e88c5eac4815e274ba1864c166e31584b crypto/stack/stack.c
|
||||
7b4efa594d8d1f3ecbf4605cf54f72fb296a3b1d951bdc69e415aaa08f34e5c8 crypto/threads_lib.c
|
||||
a41ae93a755e2ec89b3cb5b4932e2b508fdda92ace2e025a2650a6da0e9e972c crypto/threads_none.c
|
||||
2637a8727dee790812b000f2e02b336f7907949df633dda72938bbaafdb204fe crypto/threads_pthread.c
|
||||
3729e2bd36f945808b578e0d89fac0fcb3114e4fc9381614bcbd8a9869991716 crypto/threads_pthread.c
|
||||
88423960f0414f6fd41fba4f4c67f9f7260c2741e4788adcd52493e895ec8027 crypto/threads_win.c
|
||||
fd6c27cf7c6b5449b17f2b725f4203c4c10207f1973db09fd41571efe5de08fd crypto/x86_64cpuid.pl
|
||||
bbec287bb9bf35379885f8f8998b7fd9e8fc22efee9e1b299109af0f33a7ee16 crypto/x86cpuid.pl
|
||||
|
@ -567,13 +567,13 @@ abe2b0f3711eaa34846e155cffc9242e4051c45de896f747afd5ac9d87f637dc providers/impl
|
|||
589f6133799da80760e8bc3ab0191a341ab6d4d2706e92e6eb4a24b0250fefa6 providers/implementations/kdfs/tls1_prf.c
|
||||
4d4a6d9a562d2dcfec941d3f113a544663b5ac2fbe4accd89ec70c1cc11751d0 providers/implementations/kdfs/x942kdf.c
|
||||
6b6c776b12664164f3cb54c21df61e1c4477c7855d89431a16fb338cdae58d43 providers/implementations/kem/rsa_kem.c
|
||||
37120f8a420de0e44b7dc1f31b50d59520e5318cf546e83684e0c3de5c7b76c5 providers/implementations/keymgmt/dh_kmgmt.c
|
||||
2a4493c9e68f41d37d7ec69c272005c6df7b1a34db2d49663f52e836e4fd888c providers/implementations/keymgmt/dsa_kmgmt.c
|
||||
9d5eb7e056e790b1b4292ec7af03fbf0b26e34625c70eb36643451965bcfc696 providers/implementations/keymgmt/dh_kmgmt.c
|
||||
a329f57cb041cd03907e9d996fbc2f378ee116c7f8d7fbf1ea08b7a5df7e0304 providers/implementations/keymgmt/dsa_kmgmt.c
|
||||
9bc88451d3ae110c7a108ee73d3b3b6bda801ec3494d2dfb9c9970b85c2d34fe providers/implementations/keymgmt/ec_kmgmt.c
|
||||
258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251 providers/implementations/keymgmt/ec_kmgmt_imexport.inc
|
||||
d77ece2494e6b12a6201a2806ee5fb24a6dc2fa3e1891a46012a870e0b781ab1 providers/implementations/keymgmt/ecx_kmgmt.c
|
||||
011c36aad6834729043f23eacab417732541ee23916d9afa5bb9164862be00bb providers/implementations/keymgmt/ecx_kmgmt.c
|
||||
053a2be39a87f50b877ebdbbf799cf5faf8b2de33b04311d819d212ee1ea329b providers/implementations/keymgmt/kdf_legacy_kmgmt.c
|
||||
e30357311e4a3e1c78266af6315fd1fc99584bfb09f4a7cd0ddc7261cf1e17e1 providers/implementations/keymgmt/mac_legacy_kmgmt.c
|
||||
1646b477fa231dd0f6c22444c99098f9b447cab0d39ff69b811262469d4dbe09 providers/implementations/keymgmt/mac_legacy_kmgmt.c
|
||||
19f22fc70a6321441e56d5bd4aab3d01d52d17069d4e4b5cefce0f411ecece75 providers/implementations/keymgmt/rsa_kmgmt.c
|
||||
aeb42590728ca87b916b8a3d337351b1c82ee0747213e5ce740c2350b3db7185 providers/implementations/macs/cmac_prov.c
|
||||
e69aa06f8f3c6f5a26702b9f44a844b8589b99dc0ee590953a29e8b9ef10acbe providers/implementations/macs/gmac_prov.c
|
||||
|
|
|
@ -1 +1 @@
|
|||
f07990ec634ec6ea3c8c42a664768debcf92a1b0c39bde7041c24df33dd7f052 providers/fips-sources.checksums
|
||||
8d97c837eeb1288f74788f0e48cb0cbc8498d4cf7ddc25c89344df7d5309ffc8 providers/fips-sources.checksums
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -21,6 +21,7 @@
|
|||
|
||||
static OSSL_FUNC_cipher_newctx_fn chacha20_newctx;
|
||||
static OSSL_FUNC_cipher_freectx_fn chacha20_freectx;
|
||||
static OSSL_FUNC_cipher_dupctx_fn chacha20_dupctx;
|
||||
static OSSL_FUNC_cipher_get_params_fn chacha20_get_params;
|
||||
static OSSL_FUNC_cipher_get_ctx_params_fn chacha20_get_ctx_params;
|
||||
static OSSL_FUNC_cipher_set_ctx_params_fn chacha20_set_ctx_params;
|
||||
|
@ -64,6 +65,25 @@ static void chacha20_freectx(void *vctx)
|
|||
}
|
||||
}
|
||||
|
||||
static void *chacha20_dupctx(void *vctx)
|
||||
{
|
||||
PROV_CHACHA20_CTX *ctx = (PROV_CHACHA20_CTX *)vctx;
|
||||
PROV_CHACHA20_CTX *dupctx = NULL;
|
||||
|
||||
if (ctx != NULL) {
|
||||
dupctx = OPENSSL_memdup(ctx, sizeof(*dupctx));
|
||||
if (dupctx != NULL && dupctx->base.tlsmac != NULL && dupctx->base.alloced) {
|
||||
dupctx->base.tlsmac = OPENSSL_memdup(dupctx->base.tlsmac,
|
||||
dupctx->base.tlsmacsize);
|
||||
if (dupctx->base.tlsmac == NULL) {
|
||||
OPENSSL_free(dupctx);
|
||||
dupctx = NULL;
|
||||
}
|
||||
}
|
||||
}
|
||||
return dupctx;
|
||||
}
|
||||
|
||||
static int chacha20_get_params(OSSL_PARAM params[])
|
||||
{
|
||||
return ossl_cipher_generic_get_params(params, 0, CHACHA20_FLAGS,
|
||||
|
@ -187,6 +207,7 @@ int ossl_chacha20_dinit(void *vctx, const unsigned char *key, size_t keylen,
|
|||
const OSSL_DISPATCH ossl_chacha20_functions[] = {
|
||||
{ OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))chacha20_newctx },
|
||||
{ OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))chacha20_freectx },
|
||||
{ OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))chacha20_dupctx },
|
||||
{ OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))ossl_chacha20_einit },
|
||||
{ OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))ossl_chacha20_dinit },
|
||||
{ OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))chacha20_update },
|
||||
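Review bot: The failure path in chacha20_dupctx releases the copy with `OPENSSL_free(dupctx)`, but by then `OPENSSL_memdup` has already copied the whole PROV_CHACHA20_CTX into it, which presumably includes the cipher key state. Using `OPENSSL_clear_free(dupctx, sizeof(*dupctx));` instead would scrub that copy before the memory goes back to the allocator. The function also has no comment; a line above the tlsmac branch such as `/* memdup copied only the pointer; give the duplicate its own MAC buffer */` would explain why the second memdup is needed.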
|
|
|
@ -316,10 +316,14 @@ static int der2key_export_object(void *vctx,
|
|||
void *keydata;
|
||||
|
||||
if (reference_sz == sizeof(keydata) && export != NULL) {
|
||||
int selection = ctx->selection;
|
||||
|
||||
if (selection == 0)
|
||||
selection = OSSL_KEYMGMT_SELECT_ALL;
|
||||
/* The contents of the reference is the address to our object */
|
||||
keydata = *(void **)reference;
|
||||
|
||||
return export(keydata, ctx->selection, export_cb, export_cbarg);
|
||||
return export(keydata, selection, export_cb, export_cbarg);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
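Review bot: The defaulting of `selection == 0` to `OSSL_KEYMGMT_SELECT_ALL` in der2key_export_object has no comment, and the same lines are repeated in msblob2key_export_object and pvk2key_export_object further down the page. A reader cannot tell from the hunk why a zero selection should export everything rather than nothing. A comment such as `/* No selection was recorded at decode time, so export all parts of the key */` would record the intent, with the wording to be confirmed by the author. The function begins outside the hunk, so how `ctx->selection` gets set is not visible here.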
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -79,6 +79,18 @@ static void msblob2key_freectx(void *vctx)
|
|||
OPENSSL_free(ctx);
|
||||
}
|
||||
|
||||
static int msblob2key_does_selection(void *provctx, int selection)
|
||||
{
|
||||
if (selection == 0)
|
||||
return 1;
|
||||
|
||||
if ((selection & (OSSL_KEYMGMT_SELECT_PRIVATE_KEY
|
||||
| OSSL_KEYMGMT_SELECT_PUBLIC_KEY)) != 0)
|
||||
return 1;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int msblob2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection,
|
||||
OSSL_CALLBACK *data_cb, void *data_cbarg,
|
||||
OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
|
||||
|
@ -211,10 +223,14 @@ msblob2key_export_object(void *vctx,
|
|||
void *keydata;
|
||||
|
||||
if (reference_sz == sizeof(keydata) && export != NULL) {
|
||||
int selection = ctx->selection;
|
||||
|
||||
if (selection == 0)
|
||||
selection = OSSL_KEYMGMT_SELECT_ALL;
|
||||
/* The contents of the reference is the address to our object */
|
||||
keydata = *(void **)reference;
|
||||
|
||||
return export(keydata, ctx->selection, export_cb, export_cbarg);
|
||||
return export(keydata, selection, export_cb, export_cbarg);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
@ -260,6 +276,8 @@ static void rsa_adjust(void *key, struct msblob2key_ctx_st *ctx)
|
|||
(void (*)(void))msblob2##keytype##_newctx }, \
|
||||
{ OSSL_FUNC_DECODER_FREECTX, \
|
||||
(void (*)(void))msblob2key_freectx }, \
|
||||
{ OSSL_FUNC_DECODER_DOES_SELECTION, \
|
||||
(void (*)(void))msblob2key_does_selection }, \
|
||||
{ OSSL_FUNC_DECODER_DECODE, \
|
||||
(void (*)(void))msblob2key_decode }, \
|
||||
{ OSSL_FUNC_DECODER_EXPORT_OBJECT, \
|
||||
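Review bot: msblob2key_does_selection never uses its `provctx` parameter and does not say what a zero `selection` means, so the `return 1` for it reads as arbitrary. A one-line header such as `/* A zero selection places no restriction on the decoder, so it is always accepted */` would help, assuming that is the intended meaning. The same applies to pvk2key_does_selection in the next file, which accepts only `OSSL_KEYMGMT_SELECT_PRIVATE_KEY` and would benefit from a note saying why the public-key bit is not accepted there.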
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -79,6 +79,17 @@ static void pvk2key_freectx(void *vctx)
|
|||
OPENSSL_free(ctx);
|
||||
}
|
||||
|
||||
static int pvk2key_does_selection(void *provctx, int selection)
|
||||
{
|
||||
if (selection == 0)
|
||||
return 1;
|
||||
|
||||
if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
|
||||
return 1;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int pvk2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection,
|
||||
OSSL_CALLBACK *data_cb, void *data_cbarg,
|
||||
OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
|
||||
|
@ -179,10 +190,14 @@ static int pvk2key_export_object(void *vctx,
|
|||
void *keydata;
|
||||
|
||||
if (reference_sz == sizeof(keydata) && export != NULL) {
|
||||
int selection = ctx->selection;
|
||||
|
||||
if (selection == 0)
|
||||
selection = OSSL_KEYMGMT_SELECT_ALL;
|
||||
/* The contents of the reference is the address to our object */
|
||||
keydata = *(void **)reference;
|
||||
|
||||
return export(keydata, ctx->selection, export_cb, export_cbarg);
|
||||
return export(keydata, selection, export_cb, export_cbarg);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
@ -226,6 +241,8 @@ static void rsa_adjust(void *key, struct pvk2key_ctx_st *ctx)
|
|||
(void (*)(void))pvk2##keytype##_newctx }, \
|
||||
{ OSSL_FUNC_DECODER_FREECTX, \
|
||||
(void (*)(void))pvk2key_freectx }, \
|
||||
{ OSSL_FUNC_DECODER_DOES_SELECTION, \
|
||||
(void (*)(void))pvk2key_does_selection }, \
|
||||
{ OSSL_FUNC_DECODER_DECODE, \
|
||||
(void (*)(void))pvk2key_decode }, \
|
||||
{ OSSL_FUNC_DECODER_EXPORT_OBJECT, \
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -858,14 +858,17 @@ static int prepare_rsa_params(const void *rsa, int nid, int save,
|
|||
case 1:
|
||||
if ((str = OPENSSL_malloc(str_sz)) == NULL
|
||||
|| !WPACKET_init_der(&pkt, str, str_sz)) {
|
||||
WPACKET_cleanup(&pkt);
|
||||
goto err;
|
||||
}
|
||||
break;
|
||||
}
|
||||
if (!ossl_DER_w_RSASSA_PSS_params(&pkt, -1, pss)
|
||||
|| !WPACKET_finish(&pkt)
|
||||
|| !WPACKET_get_total_written(&pkt, &str_sz))
|
||||
|| !WPACKET_get_total_written(&pkt, &str_sz)) {
|
||||
WPACKET_cleanup(&pkt);
|
||||
goto err;
|
||||
}
|
||||
WPACKET_cleanup(&pkt);
|
||||
|
||||
/*
|
||||
|
|
|
@ -222,6 +222,9 @@ static int dh_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
|
|||
if (!ossl_prov_is_running() || dh == NULL)
|
||||
return 0;
|
||||
|
||||
if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
|
||||
return 0;
|
||||
|
||||
tmpl = OSSL_PARAM_BLD_new();
|
||||
if (tmpl == NULL)
|
||||
return 0;
|
||||
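Review bot: The new early `return 0` in dh_export, taken when the selection has none of the `DH_POSSIBLE_SELECTIONS` bits, looks the same to the caller as the allocation failure just below it. Nothing explains why an empty selection is refused. A comment such as `/* Refuse a selection that names nothing this key type can export */` would do. The same guard is added without comment in dsa_export, ecx_export and mac_export in the following sections. All four functions start and end outside their hunks, so whether an error is raised elsewhere cannot be seen here.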
|
|
|
@ -223,6 +223,9 @@ static int dsa_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
|
|||
if (!ossl_prov_is_running() || dsa == NULL)
|
||||
return 0;
|
||||
|
||||
if ((selection & DSA_POSSIBLE_SELECTIONS) == 0)
|
||||
return 0;
|
||||
|
||||
tmpl = OSSL_PARAM_BLD_new();
|
||||
if (tmpl == NULL)
|
||||
return 0;
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -238,6 +238,9 @@ static int ecx_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
|
|||
if (!ossl_prov_is_running() || key == NULL)
|
||||
return 0;
|
||||
|
||||
if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)
|
||||
return 0;
|
||||
|
||||
tmpl = OSSL_PARAM_BLD_new();
|
||||
if (tmpl == NULL)
|
||||
return 0;
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -281,6 +281,9 @@ static int mac_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
|
|||
if (!ossl_prov_is_running() || key == NULL)
|
||||
return 0;
|
||||
|
||||
if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) == 0)
|
||||
return 0;
|
||||
|
||||
tmpl = OSSL_PARAM_BLD_new();
|
||||
if (tmpl == NULL)
|
||||
return 0;
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
* Copyright 2005 Nokia. All rights reserved.
|
||||
*
|
||||
|
@ -582,7 +582,7 @@ int SSL_clear(SSL *s)
|
|||
OPENSSL_free(s->psksession_id);
|
||||
s->psksession_id = NULL;
|
||||
s->psksession_id_len = 0;
|
||||
s->hello_retry_request = 0;
|
||||
s->hello_retry_request = SSL_HRR_NONE;
|
||||
s->sent_tickets = 0;
|
||||
|
||||
s->error = 0;
|
||||
|
@ -2809,14 +2809,14 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size)
|
|||
if (sk_SSL_CIPHER_find(srvrsk, c) < 0)
|
||||
continue;
|
||||
|
||||
n = strlen(c->name);
|
||||
if (n + 1 > size) {
|
||||
n = OPENSSL_strnlen(c->name, size);
|
||||
if (n >= size) {
|
||||
if (p != buf)
|
||||
--p;
|
||||
*p = '\0';
|
||||
return buf;
|
||||
}
|
||||
strcpy(p, c->name);
|
||||
memcpy(p, c->name, n);
|
||||
p += n;
|
||||
*(p++) = ':';
|
||||
size -= n + 1;
|
||||
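Review bot: In SSL_get_shared_ciphers the new `OPENSSL_strnlen(c->name, size)` passes the int `size` as the length bound and then tests `n >= size`, so the code depends on `size` being positive at this point. The guard that would ensure this is not in the hunk. If it exists earlier in the function, a comment like `/* size >= 1 here, so the strnlen bound and the n >= size test are safe */` would make the dependency explicit. A second comment should say that the list is silently cut off at the last cipher name that fits, since the caller gets no indication of truncation.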
|
|
|
@ -198,8 +198,11 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
|
|||
dest->references = 1;
|
||||
|
||||
dest->lock = CRYPTO_THREAD_lock_new();
|
||||
if (dest->lock == NULL)
|
||||
if (dest->lock == NULL) {
|
||||
OPENSSL_free(dest);
|
||||
dest = NULL;
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, dest, &dest->ex_data))
|
||||
goto err;
|
||||
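Review bot: The new failure branch in ssl_session_dup frees the half-built copy with `OPENSSL_free(dest)`. If `dest` was filled from `src` earlier in the function (outside this hunk), it holds a copy of the session secrets, and `OPENSSL_clear_free(dest, sizeof(*dest));` would be the safer call. A short comment such as `/* no lock was created, so the err path must not see dest */` would also help. The reason for setting `dest = NULL` before `goto err` depends on what the err label does, which is not visible here.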
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -883,7 +883,7 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
|||
}
|
||||
|
||||
/* Act as if this ClientHello came after a HelloRetryRequest */
|
||||
s->hello_retry_request = 1;
|
||||
s->hello_retry_request = SSL_HRR_PENDING;
|
||||
|
||||
s->ext.cookieok = 1;
|
||||
#endif
|
||||
|
|