Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/crypto/external/bsd/openssl/dist merge conflicts between 3.0...
details: https://anonhg.NetBSD.org/src/rev/25619f30f593
branches: trunk
changeset: 376088:25619f30f593
user: christos <christos%NetBSD.org@localhost>
date: Wed May 31 19:30:28 2023 +0000
description:
merge conflicts between 3.0.8 and 3.0.9
diffstat:
crypto/external/bsd/openssl/dist/Configure | 2 +-
crypto/external/bsd/openssl/dist/apps/cmp.c | 144 +-
crypto/external/bsd/openssl/dist/apps/lib/apps.c | 10 +-
crypto/external/bsd/openssl/dist/apps/openssl.cnf | 4 +-
crypto/external/bsd/openssl/dist/apps/s_server.c | 3 +-
crypto/external/bsd/openssl/dist/crypto/asn1/asn_pack.c | 4 +-
crypto/external/bsd/openssl/dist/crypto/bio/bio_lib.c | 4 +-
crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c | 24 +-
crypto/external/bsd/openssl/dist/crypto/bn/bn_nist.c | 87 +-
crypto/external/bsd/openssl/dist/crypto/bn/rsa_sup_mul.c | 604 -----------
crypto/external/bsd/openssl/dist/crypto/conf/conf_def.c | 19 +-
crypto/external/bsd/openssl/dist/crypto/engine/eng_lib.c | 7 +-
crypto/external/bsd/openssl/dist/crypto/ui/ui_lib.c | 6 +-
crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c | 16 +-
crypto/external/bsd/openssl/dist/engines/e_padlock.c | 17 +-
crypto/external/bsd/openssl/dist/include/internal/refcount.h | 4 +-
crypto/external/bsd/openssl/dist/ssl/ssl_sess.c | 5 +-
crypto/external/bsd/openssl/dist/ssl/t1_lib.c | 3 +-
crypto/external/bsd/openssl/dist/test/destest.c | 26 +-
crypto/external/bsd/openssl/dist/test/dsatest.c | 217 +++-
crypto/external/bsd/openssl/dist/test/ecdsatest.c | 19 +-
crypto/external/bsd/openssl/dist/test/evp_extra_test.c | 24 +-
crypto/external/bsd/openssl/dist/test/testutil/provider.c | 4 +-
23 files changed, 485 insertions(+), 768 deletions(-)
diffs (truncated from 1925 to 300 lines):
diff -r fbea016e26b2 -r 25619f30f593 crypto/external/bsd/openssl/dist/Configure
--- a/crypto/external/bsd/openssl/dist/Configure Wed May 31 19:25:17 2023 +0000
+++ b/crypto/external/bsd/openssl/dist/Configure Wed May 31 19:30:28 2023 +0000
@@ -1423,7 +1423,7 @@ if ($target =~ /^mingw/ && `$config{CC}
}
if ($target =~ /linux.*-mips/ && !$disabled{asm}
- && !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
+ && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
# minimally required architecture flags for assembly modules
my $value;
$value = '-mips2' if ($target =~ /mips32/);
diff -r fbea016e26b2 -r 25619f30f593 crypto/external/bsd/openssl/dist/apps/cmp.c
--- a/crypto/external/bsd/openssl/dist/apps/cmp.c Wed May 31 19:25:17 2023 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/cmp.c Wed May 31 19:30:28 2023 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
@@ -158,6 +158,7 @@ static char *opt_reqin = NULL;
static int opt_reqin_new_tid = 0;
static char *opt_reqout = NULL;
static char *opt_rspin = NULL;
+static int rspin_in_use = 0;
static char *opt_rspout = NULL;
static int opt_use_mock_srv = 0;
@@ -371,7 +372,7 @@ const OPTIONS cmp_options[] = {
OPT_SECTION("Server authentication"),
{"trusted", OPT_TRUSTED, 's',
- "Certificates to trust as chain roots when verifying signed CMP responses"},
+ "Certificates to use as trust anchors when verifying signed CMP responses"},
{OPT_MORE_STR, 0, 0, "unless -srvcert is given"},
{"untrusted", OPT_UNTRUSTED, 's',
"Intermediate CA certs for chain construction for CMP/TLS/enrolled certs"},
@@ -417,7 +418,7 @@ const OPTIONS cmp_options[] = {
{OPT_MORE_STR, 0, 0,
"This can be used as the default CMP signer cert chain to include"},
{"unprotected_requests", OPT_UNPROTECTED_REQUESTS, '-',
- "Send messages without CMP-level protection"},
+ "Send request messages without CMP-level protection"},
OPT_SECTION("Credentials format"),
{"certform", OPT_CERTFORM, 's',
@@ -462,13 +463,16 @@ const OPTIONS cmp_options[] = {
"Do not interactively prompt for input when a password is required etc."},
{"repeat", OPT_REPEAT, 'p',
"Invoke the transaction the given positive number of times. Default 1"},
- {"reqin", OPT_REQIN, 's', "Take sequence of CMP requests from file(s)"},
+ {"reqin", OPT_REQIN, 's',
+ "Take sequence of CMP requests to send to server from file(s)"},
{"reqin_new_tid", OPT_REQIN_NEW_TID, '-',
"Use fresh transactionID for CMP requests read from -reqin"},
- {"reqout", OPT_REQOUT, 's', "Save sequence of CMP requests to file(s)"},
+ {"reqout", OPT_REQOUT, 's',
+ "Save sequence of CMP requests created by the client to file(s)"},
{"rspin", OPT_RSPIN, 's',
"Process sequence of CMP responses provided in file(s), skipping server"},
- {"rspout", OPT_RSPOUT, 's', "Save sequence of CMP responses to file(s)"},
+ {"rspout", OPT_RSPOUT, 's',
+ "Save sequence of actually used CMP responses to file(s)"},
{"use_mock_srv", OPT_USE_MOCK_SRV, '-',
"Use internal mock server at API level, bypassing socket-based HTTP"},
@@ -754,12 +758,12 @@ static int write_PKIMESSAGE(const OSSL_C
}
/* read DER-encoded OSSL_CMP_MSG from the specified file name item */
-static OSSL_CMP_MSG *read_PKIMESSAGE(char **filenames)
+static OSSL_CMP_MSG *read_PKIMESSAGE(const char *desc, char **filenames)
{
char *file;
OSSL_CMP_MSG *ret;
- if (filenames == NULL) {
+ if (filenames == NULL || desc == NULL) {
CMP_err("NULL arg to read_PKIMESSAGE");
return NULL;
}
@@ -774,6 +778,8 @@ static OSSL_CMP_MSG *read_PKIMESSAGE(cha
ret = OSSL_CMP_MSG_read(file, app_get0_libctx(), app_get0_propq());
if (ret == NULL)
CMP_err1("cannot read PKIMessage from file '%s'", file);
+ else
+ CMP_info2("%s %s", desc, file);
return ret;
}
@@ -795,7 +801,7 @@ static OSSL_CMP_MSG *read_write_req_resp
&& !write_PKIMESSAGE(req, &opt_reqout))
goto err;
if (opt_reqin != NULL && opt_rspin == NULL) {
- if ((req_new = read_PKIMESSAGE(&opt_reqin)) == NULL)
+ if ((req_new = read_PKIMESSAGE("actually sending", &opt_reqin)) == NULL)
goto err;
/*-
* The transaction ID in req_new read from opt_reqin may not be fresh.
@@ -805,22 +811,44 @@ static OSSL_CMP_MSG *read_write_req_resp
if (opt_reqin_new_tid
&& !OSSL_CMP_MSG_update_transactionID(ctx, req_new))
goto err;
+
+ /*
+ * Except for first request, need to satisfy recipNonce check by server.
+ * Unfortunately requires re-protection if protection is required.
+ */
+ if (!OSSL_CMP_MSG_update_recipNonce(ctx, req_new))
+ goto err;
}
if (opt_rspin != NULL) {
- res = read_PKIMESSAGE(&opt_rspin);
+ res = read_PKIMESSAGE("actually using", &opt_rspin);
} else {
- const OSSL_CMP_MSG *actual_req = opt_reqin != NULL ? req_new : req;
+ const OSSL_CMP_MSG *actual_req = req_new != NULL ? req_new : req;
- res = opt_use_mock_srv
- ? OSSL_CMP_CTX_server_perform(ctx, actual_req)
- : OSSL_CMP_MSG_http_perform(ctx, actual_req);
+ if (opt_use_mock_srv) {
+ if (rspin_in_use)
+ CMP_warn("too few -rspin filename arguments; resorting to using mock server");
+ res = OSSL_CMP_CTX_server_perform(ctx, actual_req);
+ } else {
+#ifndef OPENSSL_NO_SOCK
+ if (opt_server == NULL) {
+ CMP_err("missing -server or -use_mock_srv option, or too few -rspin filename arguments");
+ goto err;
+ }
+ if (rspin_in_use)
+ CMP_warn("too few -rspin filename arguments; resorting to contacting server");
+ res = OSSL_CMP_MSG_http_perform(ctx, actual_req);
+#else
+ CMP_err("-server not supported on no-sock build; missing -use_mock_srv option or too few -rspin filename arguments");
+#endif
+ }
+ rspin_in_use = 0;
}
if (res == NULL)
goto err;
- if (opt_reqin != NULL || prev_opt_rspin != NULL) {
- /* need to satisfy nonce and transactionID checks */
+ if (req_new != NULL || prev_opt_rspin != NULL) {
+ /* need to satisfy nonce and transactionID checks by client */
ASN1_OCTET_STRING *nonce;
ASN1_OCTET_STRING *tid;
@@ -1024,10 +1052,10 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(E
goto err;
}
} else if (opt_srv_cert == NULL) {
- CMP_err("mock server credentials must be given if -use_mock_srv or -port is used");
+ CMP_err("server credentials (-srv_secret or -srv_cert) must be given if -use_mock_srv or -port is used");
goto err;
} else {
- CMP_warn("mock server will not be able to handle PBM-protected requests since -srv_secret is not given");
+ CMP_warn("server will not be able to handle PBM-protected requests since -srv_secret is not given");
}
if (opt_srv_secret == NULL
@@ -1121,7 +1149,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(E
goto err;
if (opt_send_error)
- (void)ossl_cmp_mock_srv_set_send_error(srv_ctx, 1);
+ (void)ossl_cmp_mock_srv_set_sendError(srv_ctx, 1);
if (opt_send_unprotected)
(void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_SEND, 1);
@@ -1283,7 +1311,9 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_C
/* disable any cert status/revocation checking etc. */
X509_VERIFY_PARAM_clear_flags(tls_vpm,
~(X509_V_FLAG_USE_CHECK_TIME
- | X509_V_FLAG_NO_CHECK_TIME));
+ | X509_V_FLAG_NO_CHECK_TIME
+ | X509_V_FLAG_PARTIAL_CHAIN
+ | X509_V_FLAG_POLICY_CHECK));
}
CMP_debug("trying to build cert chain for own TLS cert");
if (SSL_CTX_build_cert_chain(ssl_ctx,
@@ -1498,10 +1528,25 @@ static int setup_request_ctx(OSSL_CMP_CT
CMP_warn("no -subject given; no -csr or -oldcert or -cert available for fallback");
if (opt_cmd == CMP_IR || opt_cmd == CMP_CR || opt_cmd == CMP_KUR) {
- if (opt_newkey == NULL && opt_key == NULL && opt_csr == NULL) {
- CMP_err("missing -newkey (or -key) to be certified and no -csr given");
+ if (opt_newkey == NULL
+ && opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL) {
+ CMP_err("missing -newkey (or -key) to be certified and no -csr, -oldcert, or -cert given for fallback public key");
return 0;
}
+ if (opt_newkey == NULL
+ && opt_popo != OSSL_CRMF_POPO_NONE
+ && opt_popo != OSSL_CRMF_POPO_RAVERIFIED) {
+ if (opt_csr != NULL) {
+ CMP_err1("no -newkey option given with private key for POPO, -csr option only provides public key%s",
+ opt_key == NULL ? "" :
+ ", and -key option superseded by by -csr");
+ return 0;
+ }
+ if (opt_key == NULL) {
+ CMP_err("missing -newkey (or -key) option for POPO");
+ return 0;
+ }
+ }
if (opt_certout == NULL) {
CMP_err("-certout not given, nowhere to save newly enrolled certificate");
return 0;
@@ -1897,8 +1942,11 @@ static int setup_client_ctx(OSSL_CMP_CTX
(void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_TOTAL_TIMEOUT,
opt_total_timeout);
- if (opt_reqin != NULL && opt_rspin != NULL)
- CMP_warn("-reqin is ignored since -rspin is present");
+ if (opt_rspin != NULL) {
+ rspin_in_use = 1;
+ if (opt_reqin != NULL)
+ CMP_warn("-reqin is ignored since -rspin is present");
+ }
if (opt_reqin_new_tid && opt_reqin == NULL)
CMP_warn("-reqin_new_tid is ignored since -reqin is not present");
if (opt_reqin != NULL || opt_reqout != NULL
@@ -1923,12 +1971,14 @@ static int setup_client_ctx(OSSL_CMP_CTX
if ((info = OPENSSL_zalloc(sizeof(*info))) == NULL)
goto err;
(void)OSSL_CMP_CTX_set_http_cb_arg(ctx, info);
- info->server = opt_server;
- info->port = server_port;
+ info->ssl_ctx = setup_ssl_ctx(ctx, host, engine);
+ info->server = host;
+ host = NULL; /* prevent deallocation */
+ if ((info->port = OPENSSL_strdup(server_port)) == NULL)
+ goto err;
/* workaround for callback design flaw, see #17088: */
info->use_proxy = proxy_host != NULL;
info->timeout = OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_MSG_TIMEOUT);
- info->ssl_ctx = setup_ssl_ctx(ctx, host, engine);
if (info->ssl_ctx == NULL)
goto err;
@@ -1952,7 +2002,9 @@ static int setup_client_ctx(OSSL_CMP_CTX
/* not printing earlier, to minimize confusion in case setup fails before */
if (opt_rspin != NULL)
- CMP_info("will not contact any server since -rspin is given");
+ CMP_info2("will contact %s%s "
+ "only if -rspin argument gives too few filenames",
+ server_buf, proxy_buf);
else
CMP_info2("will contact %s%s", server_buf, proxy_buf);
@@ -2847,8 +2899,16 @@ int cmp_main(int argc, char **argv)
CMP_err("-tls_used option not supported with -port option");
goto err;
}
- if (opt_use_mock_srv || opt_server != NULL || opt_rspin != NULL) {
- CMP_err("cannot use -port with -use_mock_srv, -server, or -rspin options");
+ if (opt_server != NULL || opt_use_mock_srv) {
+ CMP_err("The -port option excludes -server and -use_mock_srv");
+ goto err;
+ }
+ if (opt_reqin != NULL || opt_reqout != NULL) {
+ CMP_err("The -port option does not support -reqin and -reqout");
+ goto err;
+ }
+ if (opt_rspin != NULL || opt_rspout != NULL) {
+ CMP_err("The -port option does not support -rspin and -rspout");
goto err;
}
}
@@ -2857,10 +2917,6 @@ int cmp_main(int argc, char **argv)
goto err;
}
#endif
- if (opt_rspin != NULL && opt_use_mock_srv) {
- CMP_err("cannot use both -rspin and -use_mock_srv options");
- goto err;
- }
if (opt_use_mock_srv
#ifndef OPENSSL_NO_SOCK
@@ -2881,8 +2937,8 @@ int cmp_main(int argc, char **argv)
}
#ifndef OPENSSL_NO_SOCK
- if (opt_tls_used && (opt_use_mock_srv || opt_rspin != NULL)) {
- CMP_warn("ignoring -tls_used option since -use_mock_srv or -rspin is given");
+ if (opt_tls_used && (opt_use_mock_srv || opt_server == NULL)) {
+ CMP_warn("ignoring -tls_used option since -use_mock_srv is given or -server is not given");
opt_tls_used = 0;
}
@@ -2893,11 +2949,11 @@ int cmp_main(int argc, char **argv)
Home |
Main Index |
Thread Index |
Old Index