diff options
Diffstat (limited to 'crypto/openssl')
220 files changed, 5215 insertions, 2902 deletions
diff --git a/crypto/openssl/.ctags.d/add-dir.ctags b/crypto/openssl/.ctags.d/add-dir.ctags new file mode 100644 index 000000000000..ec20b51bd4ca --- /dev/null +++ b/crypto/openssl/.ctags.d/add-dir.ctags @@ -0,0 +1,11 @@ +# +# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html +# + +# Allow ctags to load configuration file under the sub directories. +--optlib-dir=+./.ctags.d diff --git a/crypto/openssl/.ctags.d/exclude.ctags b/crypto/openssl/.ctags.d/exclude.ctags new file mode 100644 index 000000000000..c932464e6dbd --- /dev/null +++ b/crypto/openssl/.ctags.d/exclude.ctags @@ -0,0 +1,13 @@ +# +# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html +# + +# List file names or patterns you want ctags to ignore. +--exclude=.ctags.d +--exclude=test +--exclude=check-format-test-positives.c diff --git a/crypto/openssl/.ctags.d/openssl-stage1/10extrac-macrodefs.ctags b/crypto/openssl/.ctags.d/openssl-stage1/10extrac-macrodefs.ctags new file mode 100644 index 000000000000..ddd4fd54bd04 --- /dev/null +++ b/crypto/openssl/.ctags.d/openssl-stage1/10extrac-macrodefs.ctags @@ -0,0 +1,18 @@ +# +# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html +# + +# This file is only for extracting macro definitions. +--langmap=C:+.h +-o - +--sort=no +--languages=C +-R + +--fields-C=+{macrodef} +--fields=+{signature} diff --git a/crypto/openssl/.ctags.d/openssl-stage2/10expand-macros.ctags b/crypto/openssl/.ctags.d/openssl-stage2/10expand-macros.ctags new file mode 100644 index 000000000000..5cf5000df3af --- /dev/null +++ b/crypto/openssl/.ctags.d/openssl-stage2/10expand-macros.ctags @@ -0,0 +1,9 @@ +# +# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html +# +--param-CPreProcessor._expand=1 diff --git a/crypto/openssl/BSDmakefile b/crypto/openssl/BSDmakefile new file mode 100644 index 000000000000..d260808ffac3 --- /dev/null +++ b/crypto/openssl/BSDmakefile @@ -0,0 +1,121 @@ +# This BSD makefile helps provide a deterministic means of doing a "clean" +# vendor import of OpenSSL. +# +# Recommended use: +# +# % make clean +# % make all + +NO_OBJ= + +LCRYPTO_SRC= ${SRCTOP}/crypto/openssl +LCRYPTO_DOC= ${LCRYPTO_SRC}/doc + +CAT?= /bin/cat +CC?= cc +GMAKE?= gmake +LD?= ld +MV?= /bin/mv +PERL?= perl +SETENVI= /usr/bin/env -i + +BN_CONF_H= include/crypto/bn_conf.h +BN_CONF_H_ORIG= ${BN_CONF_H}.orig +CONFIGURATION_H= include/openssl/configuration.h +CONFIGURATION_H_ORIG= ${CONFIGURATION_H}.orig + +.PHONY: configure patch all +.ORDER: configure patch all + +LOCALBASE= /usr/local +WRK_ENV= CC=${CC} \ + LD=${LD} \ + PATH=${LOCALBASE}/bin:/bin:/usr/bin + +configure: + @(cd ${.CURDIR} && ${SETENVI} \ + ${WRK_ENV} \ + ${PERL} ./Configure \ + disable-aria \ + disable-egd \ + disable-idea \ + disable-mdc2 \ + disable-sm2 \ + disable-sm3 \ + disable-sm4 \ + enable-ec_nistp_64_gcc_128 \ + enable-ktls \ + enable-sctp \ + --openssldir=etc \ + --prefix=/usr) + @echo "Building configdata.pm for later use." + @(cd ${.CURDIR} && \ + ${SETENVI} ${WRK_ENV} ${GMAKE} -j ${.MAKE.JOBS} configdata.pm) + + @echo "Populating Makefile.version with release information" + @(cd ${LCRYPTO_SRC} && ${SETENVI} ${WRK_ENV} ${PERL} \ + ${LCRYPTO_SRC}/freebsd/dump_version_from_configdata.pl > \ + ${SRCTOP}/secure/lib/libcrypto/Makefile.version) + +all: patch + @echo "==> Building generated files (headers, manpages, etc)" + @(cd ${.CURDIR} && \ + ${SETENVI} ${WRK_ENV} ${GMAKE} -j ${.MAKE.JOBS} build_all_generated) + + # 1. Fix --prefix. + # a. Not sure why --prefix isn't honored properly, even though it's + # passed to Configure; the files might be getting rebuilt + # post-Configure, somehow. + # 2. Remove duplicate path in CFLAGS. + # 3. Remove duplicate path in includedir(s). + @echo "==> Fixing pkgconfig files" + @find . -name \*.pc -print -exec sed -i '' -E \ + -e 's,^prefix=.+,prefix=/usr,' \ + -e 's,[[:space:]]+(\-I)?\$\{prefix\}/\./include[[:space:]]*,,g' \ + {} + + + @echo "==> Cleaning / rebuilding ASM" + @(cd ${SRCTOP}/secure/lib/libcrypto && \ + ${SETENVI} ${WRK_ENV} ${MAKE} cleanasm && \ + ${SETENVI} ${WRK_ENV} ${MAKE} buildasm) + + @echo "==> Syncing manpages (section 1)" + @rsync -a --delete \ + --exclude 'Makefile*' --exclude '*.1' \ + ${LCRYPTO_DOC}/man/ \ + ${SRCTOP}/secure/lib/libcrypto/man + + @echo "==> Syncing manpages (sections {3,5,7})" + @rsync -a --delete \ + --exclude 'Makefile*' --exclude '*.[357]' \ + ${LCRYPTO_DOC}/man/man1/ \ + ${SRCTOP}/secure/usr.bin/openssl/man + + +# This doesn't use standard patching since the generated files can vary +# depending on the host architecture. +patch: configure + # Spam arch-specific overrides to config files. + @echo "==> Patching headers" + @(cd ${.CURDIR} && ${SETENVI} ${WRK_ENV} ${GMAKE} ${BN_CONF_H} && \ + ${MV} ${BN_CONF_H} ${BN_CONF_H_ORIG} && \ + ${CAT} ${BN_CONF_H}.orig \ + ${LCRYPTO_SRC}/freebsd/${BN_CONF_H} >> \ + ${BN_CONF_H}) + + @(cd ${.CURDIR} && \ + ${MV} ${CONFIGURATION_H} ${CONFIGURATION_H_ORIG} && \ + ${CAT} ${CONFIGURATION_H_ORIG} \ + ${LCRYPTO_SRC}/freebsd/${CONFIGURATION_H} >> \ + ${CONFIGURATION_H}) + + +clean: .PHONY + @(cd ${.CURDIR} && rm -f ${BN_CONF_H_ORIG} ${CONFIGURATION_H_ORIG}) + + @(cd ${SRCTOP}/secure/lib/libcrypto && \ + ${SETENVI} ${WRK_ENV} ${MAKE} cleanasm) + + -@(cd ${.CURDIR} && ${GMAKE} ${.TARGET}) + +.include <sys.mk> diff --git a/crypto/openssl/CHANGES.md b/crypto/openssl/CHANGES.md index 2978ebfa2d10..b991285aedb2 100644 --- a/crypto/openssl/CHANGES.md +++ b/crypto/openssl/CHANGES.md @@ -28,6 +28,129 @@ OpenSSL Releases OpenSSL 3.5 ----------- +### Changes between 3.5.3 and 3.5.4 [30 Sep 2025] + + * Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap + + Issue summary: An application trying to decrypt CMS messages encrypted using + password based encryption can trigger an out-of-bounds read and write. + + Impact summary: This out-of-bounds read may trigger a crash which leads to + Denial of Service for an application. The out-of-bounds write can cause + a memory corruption which can have various consequences including + a Denial of Service or Execution of attacker-supplied code. + + The issue was reported by Stanislav Fort (Aisle Research). + + ([CVE-2025-9230]) + + *Viktor Dukhovni* + + * Fix Timing side-channel in SM2 algorithm on 64 bit ARM + + Issue summary: A timing side-channel which could potentially allow remote + recovery of the private key exists in the SM2 algorithm implementation on + 64 bit ARM platforms. + + Impact summary: A timing side-channel in SM2 signature computations on + 64 bit ARM platforms could allow recovering the private key by an attacker. + + The issue was reported by Stanislav Fort (Aisle Research). + + ([CVE-2025-9231]) + + *Stanislav Fort and Tomáš Mráz* + + * Fix Out-of-bounds read in HTTP client no_proxy handling + + Issue summary: An application using the OpenSSL HTTP client API functions + may trigger an out-of-bounds read if the "no_proxy" environment variable is + set and the host portion of the authority component of the HTTP URL is an + IPv6 address. + + Impact summary: An out-of-bounds read can trigger a crash which leads to + Denial of Service for an application. + + The issue was reported by Stanislav Fort (Aisle Research). + + ([CVE-2025-9232]) + + *Stanislav Fort* + + * The FIPS provider no longer performs a PCT on key import for ECX keys + (that was introduced in 3.5.2), following the latest update + on that requirement in FIPS 140-3 IG 10.3.A additional comment 1. + + *Eugene Syromiatnikov* + + * Fixed the length of the ASN.1 sequence for the SM3 digests of RSA-encrypted + signatures. + + *Xiao Lou Dong Feng* + + * Reverted the synthesised `OPENSSL_VERSION_NUMBER` change for the release + builds, as it broke some exiting applications that relied on the previous + 3.x semantics, as documented in `OpenSSL_version(3)`. + + *Richard Levitte* + +### Changes between 3.5.2 and 3.5.3 [16 Sep 2025] + + * Avoided a potential race condition introduced in 3.5.1, where + `OSSL_STORE_CTX` kept open during lookup while potentially being used + by multiple threads simultaneously, that could lead to potential crashes + when multiple concurrent TLS connections are served. + + *Matt Caswell* + + * The FIPS provider no longer performs a PCT on key import for RSA, DH, + and EC keys (that was introduced in 3.5.2), following the latest update + on that requirement in FIPS 140-3 IG 10.3.A additional comment 1. + + *Dr Paul Dale* + + * Secure memory allocation calls are no longer used for HMAC keys. + + *Dr Paul Dale* + + * `openssl req` no longer generates certificates with an empty extension list + when SKID/AKID are set to `none` during generation. + + *David Benjamin* + + * The man page date is now derived from the release date provided + in `VERSION.dat` and not the current date for the released builds. + + *Enji Cooper* + + * Hardened the provider implementation of the RSA public key "encrypt" + operation to add a missing check that the caller-indicated output buffer + size is at least as large as the byte count of the RSA modulus. The issue + was reported by Arash Ale Ebrahim from SYSPWN. + + This operation is typically invoked via `EVP_PKEY_encrypt(3)`. Callers that + in fact provide a sufficiently large buffer, but fail to correctly indicate + its size may now encounter unexpected errors. In applications that attempt + RSA public encryption into a buffer that is too small, an out-of-bounds + write is now avoided and an error is reported instead. + + *Viktor Dukhovni* + + * Added FIPS 140-3 PCT on DH key generation. + + *Nikola Pajkovsky* + + * Fixed the synthesised `OPENSSL_VERSION_NUMBER`. + + *Richard Levitte* + +### Changes between 3.5.1 and 3.5.2 [5 Aug 2025] + + * The FIPS provider now performs a PCT on key import for RSA, EC and ECX. + This is mandated by FIPS 140-3 IG 10.3.A additional comment 1. + + *Dr Paul Dale* + ### Changes between 3.5.0 and 3.5.1 [1 Jul 2025] * Fix x509 application adds trusted use instead of rejected use. @@ -21227,6 +21350,9 @@ ndif <!-- Links --> +[CVE-2025-9232]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9232 +[CVE-2025-9231]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9231 +[CVE-2025-9230]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9230 [CVE-2025-4575]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-4575 [CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176 [CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143 diff --git a/crypto/openssl/Configurations/unix-Makefile.tmpl b/crypto/openssl/Configurations/unix-Makefile.tmpl index a6f666957ec0..81f49926ce92 100644 --- a/crypto/openssl/Configurations/unix-Makefile.tmpl +++ b/crypto/openssl/Configurations/unix-Makefile.tmpl @@ -3,6 +3,8 @@ ## ## {- join("\n## ", @autowarntext) -} {- + use Time::Piece; + use OpenSSL::Util; our $makedep_scheme = $config{makedep_scheme}; @@ -74,6 +76,15 @@ FIPSKEY={- $config{FIPSKEY} -} VERSION={- "$config{full_version}" -} VERSION_NUMBER={- "$config{version}" -} +RELEASE_DATE={- my $t = localtime; + if ($config{"release_date"}) { + # Provide the user with a more meaningful error message + # than the default internal parsing error from + # `Time::Piece->strptime(..)`. + eval { $t = Time::Piece->strptime($config{"release_date"}, "%d %b %Y"); } || + die "Parsing \$config{release_date} ('$config{release_date}') failed: $@"; + } + $t->strftime("%Y-%m-%d") -} MAJOR={- $config{major} -} MINOR={- $config{minor} -} SHLIB_VERSION_NUMBER={- $config{shlib_version} -} @@ -1565,7 +1576,8 @@ EOF return <<"EOF"; $args{src}: $pod pod2man --name=$name --section=$section\$(MANSUFFIX) --center=OpenSSL \\ - --release=\$(VERSION) $pod >\$\@ + --date=\$(RELEASE_DATE) --release=\$(VERSION) \\ + $pod >\$\@ EOF } elsif (platform->isdef($args{src})) { # diff --git a/crypto/openssl/NEWS.md b/crypto/openssl/NEWS.md index e5fe94779035..b194dfb7cb06 100644 --- a/crypto/openssl/NEWS.md +++ b/crypto/openssl/NEWS.md @@ -23,6 +23,47 @@ OpenSSL Releases OpenSSL 3.5 ----------- +### Major changes between OpenSSL 3.5.3 and OpenSSL 3.5.4 [30 Sep 2025] + +OpenSSL 3.5.4 is a security patch release. The most severe CVE fixed in this +release is Moderate. + +This release incorporates the following bug fixes and mitigations: + + * Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap. + ([CVE-2025-9230]) + + * Fix Timing side-channel in SM2 algorithm on 64 bit ARM. + ([CVE-2025-9231]) + + * Fix Out-of-bounds read in HTTP client no_proxy handling. + ([CVE-2025-9232]) + + * Reverted the synthesised `OPENSSL_VERSION_NUMBER` change for the release + builds, as it broke some exiting applications that relied on the previous + 3.x semantics, as documented in `OpenSSL_version(3)`. + +### Major changes between OpenSSL 3.5.2 and OpenSSL 3.5.3 [16 Sep 2025] + +OpenSSL 3.5.3 is a bug fix release. + +This release incorporates the following bug fixes and mitigations: + + * Added FIPS 140-3 PCT on DH key generation. + + * Fixed the synthesised `OPENSSL_VERSION_NUMBER`. + + * Removed PCT on key import in the FIPS provider as it is not required by + the standard. + +### Major changes between OpenSSL 3.5.1 and OpenSSL 3.5.2 [5 Aug 2025] + +OpenSSL 3.5.2 is a bug fix release. + +This release incorporates the following bug fixes and mitigations: + + * The FIPS provider now performs a PCT on key import for RSA, EC and ECX. + ### Major changes between OpenSSL 3.5.0 and OpenSSL 3.5.1 [1 Jul 2025] OpenSSL 3.5.1 is a security patch release. The most severe CVE fixed in this @@ -31,7 +72,7 @@ release is Low. This release incorporates the following bug fixes and mitigations: * Fix x509 application adds trusted use instead of rejected use. - ([CVE-2025-4575]) + ([CVE-2025-4575]) ### Major changes between OpenSSL 3.4 and OpenSSL 3.5.0 [8 Apr 2025] @@ -1899,6 +1940,9 @@ OpenSSL 0.9.x * Support for various new platforms <!-- Links --> +[CVE-2025-9232]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9232 +[CVE-2025-9231]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9231 +[CVE-2025-9230]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9230 [CVE-2025-4575]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-4575 [CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176 [CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143 diff --git a/crypto/openssl/NOTES-WINDOWS.md b/crypto/openssl/NOTES-WINDOWS.md index e903376db530..5d6287a8e8fd 100644 --- a/crypto/openssl/NOTES-WINDOWS.md +++ b/crypto/openssl/NOTES-WINDOWS.md @@ -125,7 +125,7 @@ format: `\\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\OpenSSL-<version>-<ctx>` Where `<version>` is the major.minor version of the library being -built, and `<ctx>` is the value specified by `-DOPENSSL_WINCTX`. This allows +built, and `<ctx>` is the value specified by `-DOSSL_WINCTX`. This allows for multiple openssl builds to be created and installed on a single system, in which each library can use its own set of registry keys. diff --git a/crypto/openssl/VERSION.dat b/crypto/openssl/VERSION.dat index f931934a1972..a8eb3ac9c421 100644 --- a/crypto/openssl/VERSION.dat +++ b/crypto/openssl/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=5 -PATCH=1 +PATCH=4 PRE_RELEASE_TAG= BUILD_METADATA= -RELEASE_DATE="1 Jul 2025" +RELEASE_DATE="30 Sep 2025" SHLIB_VERSION=3 diff --git a/crypto/openssl/apps/CA.pl b/crypto/openssl/apps/CA.pl index 70ad231fff04..0861fd7a4da7 100755 --- a/crypto/openssl/apps/CA.pl +++ b/crypto/openssl/apps/CA.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/crypto/openssl/apps/asn1parse.c b/crypto/openssl/apps/asn1parse.c index 4f882396d03d..4540d5f5fb6e 100644 --- a/crypto/openssl/apps/asn1parse.c +++ b/crypto/openssl/apps/asn1parse.c @@ -40,8 +40,8 @@ const OPTIONS asn1parse_options[] = { {"length", OPT_LENGTH, 'p', "length of section in file"}, {"strparse", OPT_STRPARSE, 'p', "offset; a series of these can be used to 'dig'"}, - {"genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from"}, {OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings"}, + {"genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from"}, {"genconf", OPT_GENCONF, 's', "file to generate ASN1 structure from"}, {"strictpem", OPT_STRICTPEM, 0, "equivalent to '-inform pem' (obsolete)"}, diff --git a/crypto/openssl/apps/cms.c b/crypto/openssl/apps/cms.c index 919d306ff687..6f19414880c9 100644 --- a/crypto/openssl/apps/cms.c +++ b/crypto/openssl/apps/cms.c @@ -1280,6 +1280,7 @@ int cms_main(int argc, char **argv) goto end; } if (ret <= 0) { + BIO_printf(bio_err, "Error writing CMS output\n"); ret = 6; goto end; } diff --git a/crypto/openssl/apps/enc.c b/crypto/openssl/apps/enc.c index 3f45ba15e576..33949d402dd7 100644 --- a/crypto/openssl/apps/enc.c +++ b/crypto/openssl/apps/enc.c @@ -260,6 +260,8 @@ int enc_main(int argc, char **argv) goto opthelp; if (k) n *= 1024; + if (n > INT_MAX) + goto opthelp; bsize = (int)n; break; case OPT_K: diff --git a/crypto/openssl/apps/include/apps.h b/crypto/openssl/apps/include/apps.h index ceebfde72786..11381ea7da8c 100644 --- a/crypto/openssl/apps/include/apps.h +++ b/crypto/openssl/apps/include/apps.h @@ -103,7 +103,6 @@ int wrap_password_callback(char *buf, int bufsiz, int verify, void *cb_data); /* progress callback for dsaparam, dhparam, req, genpkey, etc. */ int progress_cb(EVP_PKEY_CTX *ctx); -int chopup_args(ARGS *arg, char *buf); void dump_cert_text(BIO *out, X509 *x); void print_name(BIO *out, const char *title, const X509_NAME *nm); void print_bignum_var(BIO *, const BIGNUM *, const char *, diff --git a/crypto/openssl/apps/lib/apps.c b/crypto/openssl/apps/lib/apps.c index d4e72307de58..1b9c9e3e9a19 100644 --- a/crypto/openssl/apps/lib/apps.c +++ b/crypto/openssl/apps/lib/apps.c @@ -83,55 +83,6 @@ static int set_multi_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL *in_tbl); int app_init(long mesgwin); -int chopup_args(ARGS *arg, char *buf) -{ - int quoted; - char c = '\0', *p = NULL; - - arg->argc = 0; - if (arg->size == 0) { - arg->size = 20; - arg->argv = app_malloc(sizeof(*arg->argv) * arg->size, "argv space"); - } - - for (p = buf;;) { - /* Skip whitespace. */ - while (*p && isspace(_UC(*p))) - p++; - if (*p == '\0') - break; - - /* The start of something good :-) */ - if (arg->argc >= arg->size) { - char **tmp; - - arg->size += 20; - tmp = OPENSSL_realloc(arg->argv, sizeof(*arg->argv) * arg->size); - if (tmp == NULL) - return 0; - arg->argv = tmp; - } - quoted = *p == '\'' || *p == '"'; - if (quoted) - c = *p++; - arg->argv[arg->argc++] = p; - - /* now look for the end of this */ - if (quoted) { - while (*p && *p != c) - p++; - *p++ = '\0'; - } else { - while (*p && !isspace(_UC(*p))) - p++; - if (*p) - *p++ = '\0'; - } - } - arg->argv[arg->argc] = NULL; - return 1; -} - #ifndef APP_INIT int app_init(long mesgwin) { diff --git a/crypto/openssl/apps/ocsp.c b/crypto/openssl/apps/ocsp.c index 79b76a2ca747..95a95f56cb99 100644 --- a/crypto/openssl/apps/ocsp.c +++ b/crypto/openssl/apps/ocsp.c @@ -662,7 +662,8 @@ redo_accept: resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL); - send_ocsp_response(cbio, resp); + if (resp != NULL) + send_ocsp_response(cbio, resp); } goto done_resp; } @@ -764,16 +765,18 @@ redo_accept: BIO_free(derbio); } - i = OCSP_response_status(resp); - if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) { - BIO_printf(out, "Responder Error: %s (%d)\n", - OCSP_response_status_str(i), i); - if (!ignore_err) + if (resp != NULL) { + i = OCSP_response_status(resp); + if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) { + BIO_printf(out, "Responder Error: %s (%d)\n", + OCSP_response_status_str(i), i); + if (!ignore_err) goto end; - } + } - if (resp_text) - OCSP_RESPONSE_print(out, resp, 0); + if (resp_text) + OCSP_RESPONSE_print(out, resp, 0); + } /* If running as responder don't verify our own response */ if (cbio != NULL) { diff --git a/crypto/openssl/apps/progs.c b/crypto/openssl/apps/progs.c index 2646a1a35bf3..acc204a3e6e7 100644 --- a/crypto/openssl/apps/progs.c +++ b/crypto/openssl/apps/progs.c @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by apps/progs.pl * - * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -89,6 +89,7 @@ FUNCTION functions[] = { {FT_general, "s_time", s_time_main, s_time_options, NULL, NULL}, #endif {FT_general, "sess_id", sess_id_main, sess_id_options, NULL, NULL}, + {FT_general, "skeyutl", skeyutl_main, skeyutl_options, NULL, NULL}, {FT_general, "smime", smime_main, smime_options, NULL, NULL}, {FT_general, "speed", speed_main, speed_options, NULL, NULL}, {FT_general, "spkac", spkac_main, spkac_options, NULL, NULL}, @@ -225,9 +226,15 @@ FUNCTION functions[] = { {FT_cipher, "camellia-256-ecb", enc_main, enc_options, NULL}, #endif {FT_cipher, "base64", enc_main, enc_options, NULL}, -#ifdef ZLIB +#ifndef OPENSSL_NO_ZLIB {FT_cipher, "zlib", enc_main, enc_options, NULL}, #endif +#ifndef OPENSSL_NO_BROTLI + {FT_cipher, "brotli", enc_main, enc_options, NULL}, +#endif +#ifndef OPENSSL_NO_ZSTD + {FT_cipher, "zstd", enc_main, enc_options, NULL}, +#endif #ifndef OPENSSL_NO_DES {FT_cipher, "des", enc_main, enc_options, NULL}, #endif diff --git a/crypto/openssl/apps/progs.h b/crypto/openssl/apps/progs.h index 83c829a721bf..1b62ec37dec1 100644 --- a/crypto/openssl/apps/progs.h +++ b/crypto/openssl/apps/progs.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by apps/progs.pl * - * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -56,6 +56,7 @@ extern int s_client_main(int argc, char *argv[]); extern int s_server_main(int argc, char *argv[]); extern int s_time_main(int argc, char *argv[]); extern int sess_id_main(int argc, char *argv[]); +extern int skeyutl_main(int argc, char *argv[]); extern int smime_main(int argc, char *argv[]); extern int speed_main(int argc, char *argv[]); extern int spkac_main(int argc, char *argv[]); @@ -110,6 +111,7 @@ extern const OPTIONS s_client_options[]; extern const OPTIONS s_server_options[]; extern const OPTIONS s_time_options[]; extern const OPTIONS sess_id_options[]; +extern const OPTIONS skeyutl_options[]; extern const OPTIONS smime_options[]; extern const OPTIONS speed_options[]; extern const OPTIONS spkac_options[]; diff --git a/crypto/openssl/apps/rand.c b/crypto/openssl/apps/rand.c index b123a151ea74..da747c1783e4 100644 --- a/crypto/openssl/apps/rand.c +++ b/crypto/openssl/apps/rand.c @@ -1,5 +1,5 @@ /* - * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -199,7 +199,7 @@ int rand_main(int argc, char **argv) int chunk; chunk = scaled_num > buflen ? (int)buflen : (int)scaled_num; - r = RAND_bytes(buf, chunk); + r = RAND_bytes_ex(app_get0_libctx(), buf, chunk, 0); if (r <= 0) goto end; if (format != FORMAT_TEXT) { diff --git a/crypto/openssl/apps/storeutl.c b/crypto/openssl/apps/storeutl.c index 62f0e6135640..f8ebde44481c 100644 --- a/crypto/openssl/apps/storeutl.c +++ b/crypto/openssl/apps/storeutl.c @@ -331,14 +331,22 @@ int storeutl_main(int argc, char *argv[]) static int indent_printf(int indent, BIO *bio, const char *format, ...) { va_list args; - int ret; + int ret, vret; + + ret = BIO_printf(bio, "%*s", indent, ""); + if (ret < 0) + return ret; va_start(args, format); + vret = BIO_vprintf(bio, format, args); + va_end(args); - ret = BIO_printf(bio, "%*s", indent, "") + BIO_vprintf(bio, format, args); + if (vret < 0) + return vret; + if (vret > INT_MAX - ret) + return INT_MAX; - va_end(args); - return ret; + return ret + vret; } static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata, diff --git a/crypto/openssl/configdata.pm b/crypto/openssl/configdata.pm index b2ea8dcd87ca..4a2c9307aa86 100755 --- a/crypto/openssl/configdata.pm +++ b/crypto/openssl/configdata.pm @@ -1,4 +1,4 @@ -#! /usr/local/bin/perl +#! /usr/bin/env perl # -*- mode: perl -*- package configdata; @@ -21,24 +21,17 @@ our %config = ( "ASFLAGS" => [], "CC" => "cc", "CFLAGS" => [ - "-O2 -pipe -fstack-protector-strong -fno-strict-aliasing " + "-Wall -O3" ], - "CPP" => "cpp", "CPPDEFINES" => [], - "CPPFLAGS" => [ - "" - ], + "CPPFLAGS" => [], "CPPINCLUDES" => [], - "CXX" => "c++", - "CXXFLAGS" => [ - "-O2 -pipe -fstack-protector-strong -fno-strict-aliasing " - ], + "CXXFLAGS" => [], "FIPSKEY" => "f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813", - "FIPS_VENDOR" => "OpenSSL FIPS Provider", - "HASHBANGPERL" => "/usr/local/bin/perl", - "LDFLAGS" => [ - " " - ], + "FIPS_VENDOR" => "OpenSSL non-compliant FIPS Provider", + "HASHBANGPERL" => "/usr/bin/env perl", + "LD" => "ld", + "LDFLAGS" => [], "LDLIBS" => [], "OBJCOPY" => "objcopy", "PERL" => "/usr/local/bin/perl", @@ -139,7 +132,6 @@ our %config = ( "apps/lib/build.info", "providers/common/build.info", "providers/implementations/build.info", - "providers/fips/build.info", "doc/man1/build.info", "ssl/record/methods/build.info", "providers/common/der/build.info", @@ -176,8 +168,9 @@ our %config = ( ], "dynamic_engines" => "1", "ex_libs" => [], - "full_version" => "3.5.1", + "full_version" => "3.5.4", "includes" => [], + "ktls" => "", "lflags" => [], "lib_defines" => [ "OPENSSL_PIC" @@ -192,6 +185,7 @@ our %config = ( "openssl_feature_defines" => [ "OPENSSL_RAND_SEED_OS", "OPENSSL_THREADS", + "OPENSSL_NO_ACVP_TESTS", "OPENSSL_NO_AFALGENG", "OPENSSL_NO_ARIA", "OPENSSL_NO_ASAN", @@ -203,13 +197,14 @@ our %config = ( "OPENSSL_NO_EGD", "OPENSSL_NO_EXTERNAL_TESTS", "OPENSSL_NO_FIPS_JITTER", + "OPENSSL_NO_FIPS_POST", + "OPENSSL_NO_FIPS_SECURITYCHECKS", "OPENSSL_NO_FUZZ_AFL", "OPENSSL_NO_FUZZ_LIBFUZZER", "OPENSSL_NO_H3DEMO", "OPENSSL_NO_HQINTEROP", "OPENSSL_NO_IDEA", "OPENSSL_NO_JITTER", - "OPENSSL_NO_KTLS", "OPENSSL_NO_MD2", "OPENSSL_NO_MDC2", "OPENSSL_NO_MSAN", @@ -222,7 +217,6 @@ our %config = ( "OPENSSL_NO_SSL3_METHOD", "OPENSSL_NO_SSLKEYLOG", "OPENSSL_NO_TFO", - "OPENSSL_NO_TLS_DEPRECATED_EC", "OPENSSL_NO_TRACE", "OPENSSL_NO_UBSAN", "OPENSSL_NO_UNIT_TEST", @@ -235,30 +229,26 @@ our %config = ( "OPENSSL_NO_ZSTD_DYNAMIC", "OPENSSL_NO_STATIC_ENGINE" ], - "openssl_other_defines" => [ - "OPENSSL_NO_KTLS" - ], "openssl_sys_defines" => [], - "openssldir" => "/usr/local/openssl", - "options" => "--openssldir=/usr/local/openssl --prefix=/usr/local enable-ec_nistp_64_gcc_128 enable-fips enable-sctp no-afalgeng no-aria no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-idea no-jitter no-ktls no-legacy no-md2 no-mdc2 no-msan no-pie no-rc5 no-sm2 no-sm3 no-sm4 no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-tls-deprecated-ec no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic", - "patch" => "1", + "openssldir" => "etc", + "options" => "enable-ec_nistp_64_gcc_128 enable-ktls enable-sctp --openssldir=etc --prefix=/usr no-acvp-tests no-afalgeng no-aria no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-egd no-external-tests no-fips no-fips-jitter no-fips-post no-fips-securitychecks no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-idea no-jitter no-md2 no-mdc2 no-msan no-pie no-rc5 no-sm2 no-sm3 no-sm4 no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic", + "patch" => "4", "perl_archname" => "amd64-freebsd-thread-multi", "perl_cmd" => "/usr/local/bin/perl", - "perl_version" => "5.40.2", + "perl_version" => "5.40.3", "perlargv" => [ - "--openssldir=/usr/local/openssl", - "--prefix=/usr/local", - "no-aria", + "disable-aria", + "disable-egd", + "disable-idea", + "disable-mdc2", + "disable-sm2", + "disable-sm3", + "disable-sm4", "enable-ec_nistp_64_gcc_128", - "enable-fips", - "no-idea", - "no-legacy", - "no-mdc2", + "enable-ktls", "enable-sctp", - "no-sm2", - "no-sm3", - "no-sm4", - "no-tls-deprecated-ec" + "--openssldir=etc", + "--prefix=/usr" ], "perlenv" => { "AR" => undef, @@ -267,23 +257,23 @@ our %config = ( "ASFLAGS" => undef, "BUILDFILE" => undef, "CC" => "cc", - "CFLAGS" => "-O2 -pipe -fstack-protector-strong -fno-strict-aliasing ", - "CPP" => "cpp", + "CFLAGS" => undef, + "CPP" => undef, "CPPDEFINES" => undef, - "CPPFLAGS" => "", + "CPPFLAGS" => undef, "CPPINCLUDES" => undef, "CROSS_COMPILE" => undef, - "CXX" => "c++", - "CXXFLAGS" => "-O2 -pipe -fstack-protector-strong -fno-strict-aliasing ", + "CXX" => undef, + "CXXFLAGS" => undef, "HASHBANGPERL" => undef, - "LD" => undef, - "LDFLAGS" => " ", + "LD" => "ld", + "LDFLAGS" => undef, "LDLIBS" => undef, "MT" => undef, "MTFLAGS" => undef, "OBJCOPY" => undef, "OPENSSL_LOCAL_CONFIG_DIR" => undef, - "PERL" => "/usr/local/bin/perl", + "PERL" => undef, "RANLIB" => undef, "RC" => undef, "RCFLAGS" => undef, @@ -297,15 +287,15 @@ our %config = ( "__CNF_LDFLAGS" => undef, "__CNF_LDLIBS" => undef }, - "prefix" => "/usr/local", + "prefix" => "/usr", "prerelease" => "", "processor" => "", "rc4_int" => "unsigned int", - "release_date" => "1 Jul 2025", - "shlib_version" => "17", + "release_date" => "30 Sep 2025", + "shlib_version" => "3", "sourcedir" => ".", "target" => "BSD-x86_64", - "version" => "3.5.1" + "version" => "3.5.4" ); our %target = ( "AR" => "ar", @@ -521,6 +511,7 @@ our @disablables_int = ( "crmf" ); our %disabled = ( + "acvp-tests" => "cascade", "afalgeng" => "not-linux", "aria" => "option", "asan" => "default", @@ -530,17 +521,18 @@ our %disabled = ( "crypto-mdebug" => "default", "crypto-mdebug-backtrace" => "default", "demos" => "default", - "egd" => "default", + "egd" => "option", "external-tests" => "default", + "fips" => "default", "fips-jitter" => "default", + "fips-post" => "cascade", + "fips-securitychecks" => "cascade", "fuzz-afl" => "default", "fuzz-libfuzzer" => "default", "h3demo" => "default", "hqinterop" => "default", "idea" => "option", "jitter" => "default", - "ktls" => "default", - "legacy" => "option", "md2" => "default", "mdc2" => "option", "msan" => "default", @@ -553,7 +545,6 @@ our %disabled = ( "ssl3-method" => "default", "sslkeylog" => "default", "tfo" => "default", - "tls-deprecated-ec" => "option", "trace" => "default", "ubsan" => "default", "unit-test" => "default", @@ -880,7 +871,7 @@ our %unified_info = ( "providers/libdefault.a" => { "noinst" => "1" }, - "providers/libfips.a" => { + "providers/liblegacy.a" => { "noinst" => "1" }, "providers/libtemplate.a" => { @@ -912,9 +903,6 @@ our %unified_info = ( "engines/padlock" => { "engine" => "1" }, - "providers/fips" => { - "fips" => "1" - }, "test/p_minimal" => { "noinst" => "1" }, @@ -1016,9 +1004,6 @@ our %unified_info = ( "test/aborttest" => { "noinst" => "1" }, - "test/acvp_test" => { - "noinst" => "1" - }, "test/aesgcmtest" => { "noinst" => "1" }, @@ -1112,9 +1097,18 @@ our %unified_info = ( "test/buildtest_c_aes" => { "noinst" => "1" }, + "test/buildtest_c_asn1" => { + "noinst" => "1" + }, + "test/buildtest_c_asn1t" => { + "noinst" => "1" + }, "test/buildtest_c_async" => { "noinst" => "1" }, + "test/buildtest_c_bio" => { + "noinst" => "1" + }, "test/buildtest_c_blowfish" => { "noinst" => "1" }, @@ -1136,12 +1130,27 @@ our %unified_info = ( "test/buildtest_c_cmac" => { "noinst" => "1" }, + "test/buildtest_c_cmp" => { + "noinst" => "1" + }, "test/buildtest_c_cmp_util" => { "noinst" => "1" }, + "test/buildtest_c_cms" => { + "noinst" => "1" + }, + "test/buildtest_c_comp" => { + "noinst" => "1" + }, + "test/buildtest_c_conf" => { + "noinst" => "1" + }, "test/buildtest_c_conf_api" => { "noinst" => "1" }, + "test/buildtest_c_configuration" => { + "noinst" => "1" + }, "test/buildtest_c_conftypes" => { "noinst" => "1" }, @@ -1151,12 +1160,24 @@ our %unified_info = ( "test/buildtest_c_core_dispatch" => { "noinst" => "1" }, + "test/buildtest_c_core_names" => { + "noinst" => "1" + }, "test/buildtest_c_core_object" => { "noinst" => "1" }, + "test/buildtest_c_crmf" => { + "noinst" => "1" + }, + "test/buildtest_c_crypto" => { + "noinst" => "1" + }, "test/buildtest_c_cryptoerr_legacy" => { "noinst" => "1" }, + "test/buildtest_c_ct" => { + "noinst" => "1" + }, "test/buildtest_c_decoder" => { "noinst" => "1" }, @@ -1196,12 +1217,18 @@ our %unified_info = ( "test/buildtest_c_engine" => { "noinst" => "1" }, + "test/buildtest_c_ess" => { + "noinst" => "1" + }, "test/buildtest_c_evp" => { "noinst" => "1" }, "test/buildtest_c_fips_names" => { "noinst" => "1" }, + "test/buildtest_c_fipskey" => { + "noinst" => "1" + }, "test/buildtest_c_hmac" => { "noinst" => "1" }, @@ -1217,6 +1244,9 @@ our %unified_info = ( "test/buildtest_c_kdf" => { "noinst" => "1" }, + "test/buildtest_c_lhash" => { + "noinst" => "1" + }, "test/buildtest_c_macros" => { "noinst" => "1" }, @@ -1238,6 +1268,12 @@ our %unified_info = ( "test/buildtest_c_objects" => { "noinst" => "1" }, + "test/buildtest_c_ocsp" => { + "noinst" => "1" + }, + "test/buildtest_c_opensslv" => { + "noinst" => "1" + }, "test/buildtest_c_ossl_typ" => { "noinst" => "1" }, @@ -1253,6 +1289,12 @@ our %unified_info = ( "test/buildtest_c_pem2" => { "noinst" => "1" }, + "test/buildtest_c_pkcs12" => { + "noinst" => "1" + }, + "test/buildtest_c_pkcs7" => { + "noinst" => "1" + }, "test/buildtest_c_prov_ssl" => { "noinst" => "1" }, @@ -1277,6 +1319,9 @@ our %unified_info = ( "test/buildtest_c_rsa" => { "noinst" => "1" }, + "test/buildtest_c_safestack" => { + "noinst" => "1" + }, "test/buildtest_c_seed" => { "noinst" => "1" }, @@ -1286,9 +1331,15 @@ our %unified_info = ( "test/buildtest_c_sha" => { "noinst" => "1" }, + "test/buildtest_c_srp" => { + "noinst" => "1" + }, "test/buildtest_c_srtp" => { "noinst" => "1" }, + "test/buildtest_c_ssl" => { + "noinst" => "1" + }, "test/buildtest_c_ssl2" => { "noinst" => "1" }, @@ -1319,9 +1370,24 @@ our %unified_info = ( "test/buildtest_c_types" => { "noinst" => "1" }, + "test/buildtest_c_ui" => { + "noinst" => "1" + }, "test/buildtest_c_whrlpool" => { "noinst" => "1" }, + "test/buildtest_c_x509" => { + "noinst" => "1" + }, + "test/buildtest_c_x509_acert" => { + "noinst" => "1" + }, + "test/buildtest_c_x509_vfy" => { + "noinst" => "1" + }, + "test/buildtest_c_x509v3" => { + "noinst" => "1" + }, "test/byteorder_test" => { "noinst" => "1" }, @@ -1996,9 +2062,6 @@ our %unified_info = ( "libssl" => [ "AES_ASM" ], - "providers/fips" => [ - "FIPS_MODULE" - ], "providers/legacy" => [ "OPENSSL_CPUID_OBJ" ], @@ -2053,8 +2116,11 @@ our %unified_info = ( "VPAES_ASM", "X25519_ASM" ], - "test/evp_test" => [ - "NO_LEGACY_MODULE" + "test/endecode_test" => [ + "STATIC_LEGACY" + ], + "test/evp_extra_test" => [ + "STATIC_LEGACY" ], "test/provider_internal_test" => [ "PROVIDER_INIT_FUNCTION_NAME=p_test_init" @@ -2296,9 +2362,6 @@ our %unified_info = ( "apps/progs.h" => [ "apps/progs.c" ], - "build_modules_nodep" => [ - "providers/fipsmodule.cnf" - ], "crypto/aes/aes-586.S" => [ "crypto/perlasm/x86asm.pl" ], @@ -8214,10 +8277,6 @@ our %unified_info = ( "providers/common/include/prov/der_digests.h", "providers/common/include/prov/der_rsa.h" ], - "providers/common/der/libfips-lib-der_rsa_sig.o" => [ - "providers/common/include/prov/der_digests.h", - "providers/common/include/prov/der_rsa.h" - ], "providers/common/include/prov/der_digests.h" => [ "providers/common/der/DIGESTS.asn1", "providers/common/der/NIST.asn1", @@ -8252,21 +8311,12 @@ our %unified_info = ( "providers/common/der/oids_to_c.pm", "providers/common/der/wrap.asn1" ], - "providers/fips" => [ - "providers/libfips.a" - ], - "providers/fipsmodule.cnf" => [ - "providers/fips" - ], "providers/implementations/encode_decode/libdefault-lib-encode_key2any.o" => [ "providers/common/include/prov/der_rsa.h" ], "providers/implementations/kdfs/libdefault-lib-x942kdf.o" => [ "providers/common/include/prov/der_wrap.h" ], - "providers/implementations/kdfs/libfips-lib-x942kdf.o" => [ - "providers/common/include/prov/der_wrap.h" - ], "providers/implementations/signature/libdefault-lib-dsa_sig.o" => [ "providers/common/include/prov/der_dsa.h" ], @@ -8285,27 +8335,13 @@ our %unified_info = ( "providers/implementations/signature/libdefault-lib-slh_dsa_sig.o" => [ "providers/common/include/prov/der_slh_dsa.h" ], - "providers/implementations/signature/libfips-lib-dsa_sig.o" => [ - "providers/common/include/prov/der_dsa.h" - ], - "providers/implementations/signature/libfips-lib-ecdsa_sig.o" => [ - "providers/common/include/prov/der_ec.h" - ], - "providers/implementations/signature/libfips-lib-eddsa_sig.o" => [ - "providers/common/include/prov/der_ecx.h" - ], - "providers/implementations/signature/libfips-lib-ml_dsa_sig.o" => [ - "providers/common/include/prov/der_ml_dsa.h" - ], - "providers/implementations/signature/libfips-lib-rsa_sig.o" => [ - "providers/common/include/prov/der_rsa.h" - ], - "providers/implementations/signature/libfips-lib-slh_dsa_sig.o" => [ - "providers/common/include/prov/der_slh_dsa.h" - ], "providers/implementations/signature/sm2_sig.o" => [ "providers/common/include/prov/der_sm2.h" ], + "providers/legacy" => [ + "libcrypto", + "providers/liblegacy.a" + ], "providers/libcommon.a" => [ "libcrypto" ], @@ -8318,10 +8354,6 @@ our %unified_info = ( "test/aborttest" => [ "libcrypto" ], - "test/acvp_test" => [ - "libcrypto.a", - "test/libtestutil.a" - ], "test/aesgcmtest" => [ "libcrypto", "test/libtestutil.a" @@ -8447,10 +8479,22 @@ our %unified_info = ( "libcrypto", "libssl" ], + "test/buildtest_c_asn1" => [ + "libcrypto", + "libssl" + ], + "test/buildtest_c_asn1t" => [ + "libcrypto", + "libssl" + ], "test/buildtest_c_async" => [ "libcrypto", "libssl" ], + "test/buildtest_c_bio" => [ + "libcrypto", + "libssl" + ], "test/buildtest_c_blowfish" => [ "libcrypto", "libssl" @@ -8479,14 +8523,34 @@ our %unified_info = ( "libcrypto", "libssl" ], + "test/buildtest_c_cmp" => [ + "libcrypto", + "libssl" + ], "test/buildtest_c_cmp_util" => [ "libcrypto", "libssl" ], + "test/buildtest_c_cms" => [ + "libcrypto", + "libssl" + ], + "test/buildtest_c_comp" => [ + "libcrypto", + "libssl" + ], + "test/buildtest_c_conf" => [ + "libcrypto", + "libssl" + ], "test/buildtest_c_conf_api" => [ "libcrypto", "libssl" ], + "test/buildtest_c_configuration" => [ + "libcrypto", + "libssl" + ], "test/buildtest_c_conftypes" => [ "libcrypto", "libssl" @@ -8499,14 +8563,30 @@ our %unified_info = ( "libcrypto", "libssl" ], + "test/buildtest_c_core_names" => [ + "libcrypto", + "libssl" + ], "test/buildtest_c_core_object" => [ "libcrypto", "libssl" ], + "test/buildtest_c_crmf" => [ + "libcrypto", + "libssl" + ], + "test/buildtest_c_crypto" => [ + "libcrypto", + "libssl" + ], "test/buildtest_c_cryptoerr_legacy" => [ "libcrypto", "libssl" ], + "test/buildtest_c_ct" => [ + "libcrypto", + "libssl" + ], "test/buildtest_c_decoder" => [ "libcrypto", "libssl" @@ -8559,6 +8639,10 @@ our %unified_info = ( "libcrypto", "libssl" ], + "test/buildtest_c_ess" => [ + "libcrypto", + "libssl" + ], "test/buildtest_c_evp" => [ "libcrypto", "libssl" @@ -8567,6 +8651,10 @@ our %unified_info = ( "libcrypto", "libssl" ], + "test/buildtest_c_fipskey" => [ + "libcrypto", + "libssl" + ], "test/buildtest_c_hmac" => [ "libcrypto", "libssl" @@ -8587,6 +8675,10 @@ our %unified_info = ( "libcrypto", "libssl" ], + "test/buildtest_c_lhash" => [ + "libcrypto", + "libssl" + ], "test/buildtest_c_macros" => [ "libcrypto", "libssl" @@ -8615,6 +8707,14 @@ our %unified_info = ( "libcrypto", "libssl" ], + "test/buildtest_c_ocsp" => [ + "libcrypto", + "libssl" + ], + "test/buildtest_c_opensslv" => [ + "libcrypto", + "libssl" + ], "test/buildtest_c_ossl_typ" => [ "libcrypto", "libssl" @@ -8635,6 +8735,14 @@ our %unified_info = ( "libcrypto", "libssl" ], + "test/buildtest_c_pkcs12" => [ + "libcrypto", + "libssl" + ], + "test/buildtest_c_pkcs7" => [ + "libcrypto", + "libssl" + ], "test/buildtest_c_prov_ssl" => [ "libcrypto", "libssl" @@ -8667,6 +8775,10 @@ our %unified_info = ( "libcrypto", "libssl" ], + "test/buildtest_c_safestack" => [ + "libcrypto", + "libssl" + ], "test/buildtest_c_seed" => [ "libcrypto", "libssl" @@ -8679,10 +8791,18 @@ our %unified_info = ( "libcrypto", "libssl" ], + "test/buildtest_c_srp" => [ + "libcrypto", + "libssl" + ], "test/buildtest_c_srtp" => [ "libcrypto", "libssl" ], + "test/buildtest_c_ssl" => [ + "libcrypto", + "libssl" + ], "test/buildtest_c_ssl2" => [ "libcrypto", "libssl" @@ -8723,10 +8843,30 @@ our %unified_info = ( "libcrypto", "libssl" ], + "test/buildtest_c_ui" => [ + "libcrypto", + "libssl" + ], "test/buildtest_c_whrlpool" => [ "libcrypto", "libssl" ], + "test/buildtest_c_x509" => [ + "libcrypto", + "libssl" + ], + "test/buildtest_c_x509_acert" => [ + "libcrypto", + "libssl" + ], + "test/buildtest_c_x509_vfy" => [ + "libcrypto", + "libssl" + ], + "test/buildtest_c_x509v3" => [ + "libcrypto", + "libssl" + ], "test/byteorder_test" => [ "libcrypto.a", "test/libtestutil.a" @@ -8917,6 +9057,8 @@ our %unified_info = ( ], "test/endecode_test" => [ "libcrypto.a", + "providers/libcommon.a", + "providers/liblegacy.a", "test/libtestutil.a" ], "test/endecoder_legacy_test" => [ @@ -8937,6 +9079,8 @@ our %unified_info = ( ], "test/evp_extra_test" => [ "libcrypto.a", + "providers/libcommon.a", + "providers/liblegacy.a", "test/libtestutil.a" ], "test/evp_extra_test2" => [ @@ -9676,6 +9820,9 @@ our %unified_info = ( "crypto/packettest-bin-quic_vlint.o", "crypto/tls13secretstest-bin-packet.o", "crypto/tls13secretstest-bin-quic_vlint.o", + "crypto/legacy-dso-cpuid.o", + "crypto/legacy-dso-ctype.o", + "crypto/legacy-dso-x86_64cpuid.o", "crypto/libcrypto-lib-asn1_dsa.o", "crypto/libcrypto-lib-bsearch.o", "crypto/libcrypto-lib-comp_methods.o", @@ -9792,37 +9939,7 @@ our %unified_info = ( "crypto/libssl-shlib-getenv.o", "crypto/libssl-shlib-packet.o", "crypto/libssl-shlib-quic_vlint.o", - "crypto/libssl-shlib-time.o", - "crypto/libfips-lib-asn1_dsa.o", - "crypto/libfips-lib-bsearch.o", - "crypto/libfips-lib-context.o", - "crypto/libfips-lib-core_algorithm.o", - "crypto/libfips-lib-core_fetch.o", - "crypto/libfips-lib-core_namemap.o", - "crypto/libfips-lib-cpuid.o", - "crypto/libfips-lib-cryptlib.o", - "crypto/libfips-lib-ctype.o", - "crypto/libfips-lib-der_writer.o", - "crypto/libfips-lib-ex_data.o", - "crypto/libfips-lib-initthread.o", - "crypto/libfips-lib-o_str.o", - "crypto/libfips-lib-packet.o", - "crypto/libfips-lib-param_build.o", - "crypto/libfips-lib-param_build_set.o", - "crypto/libfips-lib-params.o", - "crypto/libfips-lib-params_dup.o", - "crypto/libfips-lib-params_from_text.o", - "crypto/libfips-lib-params_idx.o", - "crypto/libfips-lib-provider_core.o", - "crypto/libfips-lib-provider_predefined.o", - "crypto/libfips-lib-self_test_core.o", - "crypto/libfips-lib-sparse_array.o", - "crypto/libfips-lib-threads_lib.o", - "crypto/libfips-lib-threads_none.o", - "crypto/libfips-lib-threads_pthread.o", - "crypto/libfips-lib-threads_win.o", - "crypto/libfips-lib-time.o", - "crypto/libfips-lib-x86_64cpuid.o" + "crypto/libssl-shlib-time.o" ], "products" => { "bin" => [ @@ -9831,10 +9948,12 @@ our %unified_info = ( "test/packettest", "test/tls13secretstest" ], + "dso" => [ + "providers/legacy" + ], "lib" => [ "libcrypto", - "libssl", - "providers/libfips.a" + "libssl" ] } }, @@ -9867,22 +9986,11 @@ our %unified_info = ( "crypto/aes/libcrypto-shlib-aesni-x86_64.o", "crypto/aes/libcrypto-shlib-aesni-xts-avx512.o", "crypto/aes/libcrypto-shlib-bsaes-x86_64.o", - "crypto/aes/libcrypto-shlib-vpaes-x86_64.o", - "crypto/aes/libfips-lib-aes-x86_64.o", - "crypto/aes/libfips-lib-aes_ecb.o", - "crypto/aes/libfips-lib-aes_misc.o", - "crypto/aes/libfips-lib-aesni-mb-x86_64.o", - "crypto/aes/libfips-lib-aesni-sha1-x86_64.o", - "crypto/aes/libfips-lib-aesni-sha256-x86_64.o", - "crypto/aes/libfips-lib-aesni-x86_64.o", - "crypto/aes/libfips-lib-aesni-xts-avx512.o", - "crypto/aes/libfips-lib-bsaes-x86_64.o", - "crypto/aes/libfips-lib-vpaes-x86_64.o" + "crypto/aes/libcrypto-shlib-vpaes-x86_64.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, @@ -10234,65 +10342,22 @@ our %unified_info = ( "crypto/bn/libcrypto-shlib-rsaz_exp_x2.o", "crypto/bn/libcrypto-shlib-x86_64-gf2m.o", "crypto/bn/libcrypto-shlib-x86_64-mont.o", - "crypto/bn/libcrypto-shlib-x86_64-mont5.o", - "crypto/bn/libfips-lib-bn_add.o", - "crypto/bn/libfips-lib-bn_blind.o", - "crypto/bn/libfips-lib-bn_const.o", - "crypto/bn/libfips-lib-bn_conv.o", - "crypto/bn/libfips-lib-bn_ctx.o", - "crypto/bn/libfips-lib-bn_dh.o", - "crypto/bn/libfips-lib-bn_div.o", - "crypto/bn/libfips-lib-bn_exp.o", - "crypto/bn/libfips-lib-bn_exp2.o", - "crypto/bn/libfips-lib-bn_gcd.o", - "crypto/bn/libfips-lib-bn_gf2m.o", - "crypto/bn/libfips-lib-bn_intern.o", - "crypto/bn/libfips-lib-bn_kron.o", - "crypto/bn/libfips-lib-bn_lib.o", - "crypto/bn/libfips-lib-bn_mod.o", - "crypto/bn/libfips-lib-bn_mont.o", - "crypto/bn/libfips-lib-bn_mpi.o", - "crypto/bn/libfips-lib-bn_mul.o", - "crypto/bn/libfips-lib-bn_nist.o", - "crypto/bn/libfips-lib-bn_prime.o", - "crypto/bn/libfips-lib-bn_rand.o", - "crypto/bn/libfips-lib-bn_recp.o", - "crypto/bn/libfips-lib-bn_rsa_fips186_4.o", - "crypto/bn/libfips-lib-bn_shift.o", - "crypto/bn/libfips-lib-bn_sqr.o", - "crypto/bn/libfips-lib-bn_sqrt.o", - "crypto/bn/libfips-lib-bn_word.o", - "crypto/bn/libfips-lib-rsaz-2k-avx512.o", - "crypto/bn/libfips-lib-rsaz-2k-avxifma.o", - "crypto/bn/libfips-lib-rsaz-3k-avx512.o", - "crypto/bn/libfips-lib-rsaz-3k-avxifma.o", - "crypto/bn/libfips-lib-rsaz-4k-avx512.o", - "crypto/bn/libfips-lib-rsaz-4k-avxifma.o", - "crypto/bn/libfips-lib-rsaz-avx2.o", - "crypto/bn/libfips-lib-rsaz-x86_64.o", - "crypto/bn/libfips-lib-rsaz_exp.o", - "crypto/bn/libfips-lib-rsaz_exp_x2.o", - "crypto/bn/libfips-lib-x86_64-gf2m.o", - "crypto/bn/libfips-lib-x86_64-mont.o", - "crypto/bn/libfips-lib-x86_64-mont5.o" + "crypto/bn/libcrypto-shlib-x86_64-mont5.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, "crypto/bn/asm" => { "deps" => [ "crypto/bn/asm/libcrypto-lib-x86_64-gcc.o", - "crypto/bn/asm/libcrypto-shlib-x86_64-gcc.o", - "crypto/bn/asm/libfips-lib-x86_64-gcc.o" + "crypto/bn/asm/libcrypto-shlib-x86_64-gcc.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, @@ -10301,13 +10366,11 @@ our %unified_info = ( "crypto/buffer/libcrypto-lib-buf_err.o", "crypto/buffer/libcrypto-lib-buffer.o", "crypto/buffer/libcrypto-shlib-buf_err.o", - "crypto/buffer/libcrypto-shlib-buffer.o", - "crypto/buffer/libfips-lib-buffer.o" + "crypto/buffer/libcrypto-shlib-buffer.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, @@ -10365,13 +10428,11 @@ our %unified_info = ( "crypto/cmac" => { "deps" => [ "crypto/cmac/libcrypto-lib-cmac.o", - "crypto/cmac/libcrypto-shlib-cmac.o", - "crypto/cmac/libfips-lib-cmac.o" + "crypto/cmac/libcrypto-shlib-cmac.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, @@ -10583,15 +10644,13 @@ our %unified_info = ( "crypto/des/libcrypto-shlib-set_key.o", "crypto/des/libcrypto-shlib-str2key.o", "crypto/des/libcrypto-shlib-xcbc_enc.o", - "crypto/des/libfips-lib-des_enc.o", - "crypto/des/libfips-lib-ecb3_enc.o", - "crypto/des/libfips-lib-fcrypt_b.o", - "crypto/des/libfips-lib-set_key.o" + "crypto/des/liblegacy-lib-des_enc.o", + "crypto/des/liblegacy-lib-fcrypt_b.o" ], "products" => { "lib" => [ "libcrypto", - "providers/libfips.a" + "providers/liblegacy.a" ] } }, @@ -10626,19 +10685,11 @@ our %unified_info = ( "crypto/dh/libcrypto-shlib-dh_meth.o", "crypto/dh/libcrypto-shlib-dh_pmeth.o", "crypto/dh/libcrypto-shlib-dh_prn.o", - "crypto/dh/libcrypto-shlib-dh_rfc5114.o", - "crypto/dh/libfips-lib-dh_backend.o", - "crypto/dh/libfips-lib-dh_check.o", - "crypto/dh/libfips-lib-dh_gen.o", - "crypto/dh/libfips-lib-dh_group_params.o", - "crypto/dh/libfips-lib-dh_kdf.o", - "crypto/dh/libfips-lib-dh_key.o", - "crypto/dh/libfips-lib-dh_lib.o" + "crypto/dh/libcrypto-shlib-dh_rfc5114.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, @@ -10673,20 +10724,11 @@ our %unified_info = ( "crypto/dsa/libcrypto-shlib-dsa_pmeth.o", "crypto/dsa/libcrypto-shlib-dsa_prn.o", "crypto/dsa/libcrypto-shlib-dsa_sign.o", - "crypto/dsa/libcrypto-shlib-dsa_vrf.o", - "crypto/dsa/libfips-lib-dsa_backend.o", - "crypto/dsa/libfips-lib-dsa_check.o", - "crypto/dsa/libfips-lib-dsa_gen.o", - "crypto/dsa/libfips-lib-dsa_key.o", - "crypto/dsa/libfips-lib-dsa_lib.o", - "crypto/dsa/libfips-lib-dsa_ossl.o", - "crypto/dsa/libfips-lib-dsa_sign.o", - "crypto/dsa/libfips-lib-dsa_vrf.o" + "crypto/dsa/libcrypto-shlib-dsa_vrf.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, @@ -10792,44 +10834,11 @@ our %unified_info = ( "crypto/ec/libcrypto-shlib-ecx_backend.o", "crypto/ec/libcrypto-shlib-ecx_key.o", "crypto/ec/libcrypto-shlib-ecx_meth.o", - "crypto/ec/libcrypto-shlib-x25519-x86_64.o", - "crypto/ec/libfips-lib-curve25519.o", - "crypto/ec/libfips-lib-ec2_oct.o", - "crypto/ec/libfips-lib-ec2_smpl.o", - "crypto/ec/libfips-lib-ec_asn1.o", - "crypto/ec/libfips-lib-ec_backend.o", - "crypto/ec/libfips-lib-ec_check.o", - "crypto/ec/libfips-lib-ec_curve.o", - "crypto/ec/libfips-lib-ec_cvt.o", - "crypto/ec/libfips-lib-ec_key.o", - "crypto/ec/libfips-lib-ec_kmeth.o", - "crypto/ec/libfips-lib-ec_lib.o", - "crypto/ec/libfips-lib-ec_mult.o", - "crypto/ec/libfips-lib-ec_oct.o", - "crypto/ec/libfips-lib-ecdh_kdf.o", - "crypto/ec/libfips-lib-ecdh_ossl.o", - "crypto/ec/libfips-lib-ecdsa_ossl.o", - "crypto/ec/libfips-lib-ecdsa_sign.o", - "crypto/ec/libfips-lib-ecdsa_vrf.o", - "crypto/ec/libfips-lib-ecp_mont.o", - "crypto/ec/libfips-lib-ecp_nist.o", - "crypto/ec/libfips-lib-ecp_nistp224.o", - "crypto/ec/libfips-lib-ecp_nistp256.o", - "crypto/ec/libfips-lib-ecp_nistp384.o", - "crypto/ec/libfips-lib-ecp_nistp521.o", - "crypto/ec/libfips-lib-ecp_nistputil.o", - "crypto/ec/libfips-lib-ecp_nistz256-x86_64.o", - "crypto/ec/libfips-lib-ecp_nistz256.o", - "crypto/ec/libfips-lib-ecp_oct.o", - "crypto/ec/libfips-lib-ecp_smpl.o", - "crypto/ec/libfips-lib-ecx_backend.o", - "crypto/ec/libfips-lib-ecx_key.o", - "crypto/ec/libfips-lib-x25519-x86_64.o" + "crypto/ec/libcrypto-shlib-x25519-x86_64.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, @@ -10844,43 +10853,33 @@ our %unified_info = ( "crypto/ec/curve448/libcrypto-shlib-curve448_tables.o", "crypto/ec/curve448/libcrypto-shlib-eddsa.o", "crypto/ec/curve448/libcrypto-shlib-f_generic.o", - "crypto/ec/curve448/libcrypto-shlib-scalar.o", - "crypto/ec/curve448/libfips-lib-curve448.o", - "crypto/ec/curve448/libfips-lib-curve448_tables.o", - "crypto/ec/curve448/libfips-lib-eddsa.o", - "crypto/ec/curve448/libfips-lib-f_generic.o", - "crypto/ec/curve448/libfips-lib-scalar.o" + "crypto/ec/curve448/libcrypto-shlib-scalar.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, "crypto/ec/curve448/arch_32" => { "deps" => [ "crypto/ec/curve448/arch_32/libcrypto-lib-f_impl32.o", - "crypto/ec/curve448/arch_32/libcrypto-shlib-f_impl32.o", - "crypto/ec/curve448/arch_32/libfips-lib-f_impl32.o" + "crypto/ec/curve448/arch_32/libcrypto-shlib-f_impl32.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, "crypto/ec/curve448/arch_64" => { "deps" => [ "crypto/ec/curve448/arch_64/libcrypto-lib-f_impl64.o", - "crypto/ec/curve448/arch_64/libcrypto-shlib-f_impl64.o", - "crypto/ec/curve448/arch_64/libfips-lib-f_impl64.o" + "crypto/ec/curve448/arch_64/libcrypto-shlib-f_impl64.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, @@ -11163,36 +11162,11 @@ our %unified_info = ( "crypto/evp/libcrypto-shlib-pmeth_lib.o", "crypto/evp/libcrypto-shlib-s_lib.o", "crypto/evp/libcrypto-shlib-signature.o", - "crypto/evp/libcrypto-shlib-skeymgmt_meth.o", - "crypto/evp/libfips-lib-asymcipher.o", - "crypto/evp/libfips-lib-dh_support.o", - "crypto/evp/libfips-lib-digest.o", - "crypto/evp/libfips-lib-ec_support.o", - "crypto/evp/libfips-lib-evp_enc.o", - "crypto/evp/libfips-lib-evp_fetch.o", - "crypto/evp/libfips-lib-evp_lib.o", - "crypto/evp/libfips-lib-evp_rand.o", - "crypto/evp/libfips-lib-evp_utils.o", - "crypto/evp/libfips-lib-exchange.o", - "crypto/evp/libfips-lib-kdf_lib.o", - "crypto/evp/libfips-lib-kdf_meth.o", - "crypto/evp/libfips-lib-kem.o", - "crypto/evp/libfips-lib-keymgmt_lib.o", - "crypto/evp/libfips-lib-keymgmt_meth.o", - "crypto/evp/libfips-lib-mac_lib.o", - "crypto/evp/libfips-lib-mac_meth.o", - "crypto/evp/libfips-lib-p_lib.o", - "crypto/evp/libfips-lib-pmeth_check.o", - "crypto/evp/libfips-lib-pmeth_gn.o", - "crypto/evp/libfips-lib-pmeth_lib.o", - "crypto/evp/libfips-lib-s_lib.o", - "crypto/evp/libfips-lib-signature.o", - "crypto/evp/libfips-lib-skeymgmt_meth.o" + "crypto/evp/libcrypto-shlib-skeymgmt_meth.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, @@ -11211,19 +11185,11 @@ our %unified_info = ( "crypto/ffc/libcrypto-shlib-ffc_key_validate.o", "crypto/ffc/libcrypto-shlib-ffc_params.o", "crypto/ffc/libcrypto-shlib-ffc_params_generate.o", - "crypto/ffc/libcrypto-shlib-ffc_params_validate.o", - "crypto/ffc/libfips-lib-ffc_backend.o", - "crypto/ffc/libfips-lib-ffc_dh.o", - "crypto/ffc/libfips-lib-ffc_key_generate.o", - "crypto/ffc/libfips-lib-ffc_key_validate.o", - "crypto/ffc/libfips-lib-ffc_params.o", - "crypto/ffc/libfips-lib-ffc_params_generate.o", - "crypto/ffc/libfips-lib-ffc_params_validate.o" + "crypto/ffc/libcrypto-shlib-ffc_params_validate.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, @@ -11233,28 +11199,23 @@ our %unified_info = ( "crypto/hashtable/libcrypto-lib-hashtable.o", "crypto/hashtable/libcrypto-shlib-hashfunc.o", "crypto/hashtable/libcrypto-shlib-hashtable.o", - "crypto/hashtable/libssl-shlib-hashfunc.o", - "crypto/hashtable/libfips-lib-hashfunc.o", - "crypto/hashtable/libfips-lib-hashtable.o" + "crypto/hashtable/libssl-shlib-hashfunc.o" ], "products" => { "lib" => [ "libcrypto", - "libssl", - "providers/libfips.a" + "libssl" ] } }, "crypto/hmac" => { "deps" => [ "crypto/hmac/libcrypto-lib-hmac.o", - "crypto/hmac/libcrypto-shlib-hmac.o", - "crypto/hmac/libfips-lib-hmac.o" + "crypto/hmac/libcrypto-shlib-hmac.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, @@ -11302,13 +11263,11 @@ our %unified_info = ( "crypto/lhash/libcrypto-lib-lh_stats.o", "crypto/lhash/libcrypto-lib-lhash.o", "crypto/lhash/libcrypto-shlib-lh_stats.o", - "crypto/lhash/libcrypto-shlib-lhash.o", - "crypto/lhash/libfips-lib-lhash.o" + "crypto/lhash/libcrypto-shlib-lhash.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, @@ -11334,11 +11293,16 @@ our %unified_info = ( "crypto/md5/libcrypto-shlib-md5-x86_64.o", "crypto/md5/libcrypto-shlib-md5_dgst.o", "crypto/md5/libcrypto-shlib-md5_one.o", - "crypto/md5/libcrypto-shlib-md5_sha1.o" + "crypto/md5/libcrypto-shlib-md5_sha1.o", + "crypto/md5/liblegacy-lib-md5-x86_64.o", + "crypto/md5/liblegacy-lib-md5_dgst.o", + "crypto/md5/liblegacy-lib-md5_one.o", + "crypto/md5/liblegacy-lib-md5_sha1.o" ], "products" => { "lib" => [ - "libcrypto" + "libcrypto", + "providers/liblegacy.a" ] } }, @@ -11359,33 +11323,22 @@ our %unified_info = ( "crypto/ml_dsa/libcrypto-shlib-ml_dsa_ntt.o", "crypto/ml_dsa/libcrypto-shlib-ml_dsa_params.o", "crypto/ml_dsa/libcrypto-shlib-ml_dsa_sample.o", - "crypto/ml_dsa/libcrypto-shlib-ml_dsa_sign.o", - "crypto/ml_dsa/libfips-lib-ml_dsa_encoders.o", - "crypto/ml_dsa/libfips-lib-ml_dsa_key.o", - "crypto/ml_dsa/libfips-lib-ml_dsa_key_compress.o", - "crypto/ml_dsa/libfips-lib-ml_dsa_matrix.o", - "crypto/ml_dsa/libfips-lib-ml_dsa_ntt.o", - "crypto/ml_dsa/libfips-lib-ml_dsa_params.o", - "crypto/ml_dsa/libfips-lib-ml_dsa_sample.o", - "crypto/ml_dsa/libfips-lib-ml_dsa_sign.o" + "crypto/ml_dsa/libcrypto-shlib-ml_dsa_sign.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, "crypto/ml_kem" => { "deps" => [ "crypto/ml_kem/libcrypto-lib-ml_kem.o", - "crypto/ml_kem/libcrypto-shlib-ml_kem.o", - "crypto/ml_kem/libfips-lib-ml_kem.o" + "crypto/ml_kem/libcrypto-shlib-ml_kem.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, @@ -11420,24 +11373,11 @@ our %unified_info = ( "crypto/modes/libcrypto-shlib-siv128.o", "crypto/modes/libcrypto-shlib-wrap128.o", "crypto/modes/libcrypto-shlib-xts128.o", - "crypto/modes/libcrypto-shlib-xts128gb.o", - "crypto/modes/libfips-lib-aes-gcm-avx512.o", - "crypto/modes/libfips-lib-aesni-gcm-x86_64.o", - "crypto/modes/libfips-lib-cbc128.o", - "crypto/modes/libfips-lib-ccm128.o", - "crypto/modes/libfips-lib-cfb128.o", - "crypto/modes/libfips-lib-ctr128.o", - "crypto/modes/libfips-lib-gcm128.o", - "crypto/modes/libfips-lib-ghash-x86_64.o", - "crypto/modes/libfips-lib-ofb128.o", - "crypto/modes/libfips-lib-wrap128.o", - "crypto/modes/libfips-lib-xts128.o", - "crypto/modes/libfips-lib-xts128gb.o" + "crypto/modes/libcrypto-shlib-xts128gb.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, @@ -11616,17 +11556,11 @@ our %unified_info = ( "crypto/property/libcrypto-shlib-property_err.o", "crypto/property/libcrypto-shlib-property_parse.o", "crypto/property/libcrypto-shlib-property_query.o", - "crypto/property/libcrypto-shlib-property_string.o", - "crypto/property/libfips-lib-defn_cache.o", - "crypto/property/libfips-lib-property.o", - "crypto/property/libfips-lib-property_parse.o", - "crypto/property/libfips-lib-property_query.o", - "crypto/property/libfips-lib-property_string.o" + "crypto/property/libcrypto-shlib-property_string.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, @@ -11647,13 +11581,11 @@ our %unified_info = ( "crypto/rand/libcrypto-shlib-rand_meth.o", "crypto/rand/libcrypto-shlib-rand_pool.o", "crypto/rand/libcrypto-shlib-rand_uniform.o", - "crypto/rand/libcrypto-shlib-randfile.o", - "crypto/rand/libfips-lib-rand_lib.o" + "crypto/rand/libcrypto-shlib-randfile.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, @@ -11681,11 +11613,14 @@ our %unified_info = ( "crypto/rc4/libcrypto-lib-rc4-md5-x86_64.o", "crypto/rc4/libcrypto-lib-rc4-x86_64.o", "crypto/rc4/libcrypto-shlib-rc4-md5-x86_64.o", - "crypto/rc4/libcrypto-shlib-rc4-x86_64.o" + "crypto/rc4/libcrypto-shlib-rc4-x86_64.o", + "crypto/rc4/liblegacy-lib-rc4-md5-x86_64.o", + "crypto/rc4/liblegacy-lib-rc4-x86_64.o" ], "products" => { "lib" => [ - "libcrypto" + "libcrypto", + "providers/liblegacy.a" ] } }, @@ -11755,29 +11690,11 @@ our %unified_info = ( "crypto/rsa/libcrypto-shlib-rsa_sp800_56b_check.o", "crypto/rsa/libcrypto-shlib-rsa_sp800_56b_gen.o", "crypto/rsa/libcrypto-shlib-rsa_x931.o", - "crypto/rsa/libcrypto-shlib-rsa_x931g.o", - "crypto/rsa/libfips-lib-rsa_acvp_test_params.o", - "crypto/rsa/libfips-lib-rsa_backend.o", - "crypto/rsa/libfips-lib-rsa_chk.o", - "crypto/rsa/libfips-lib-rsa_crpt.o", - "crypto/rsa/libfips-lib-rsa_gen.o", - "crypto/rsa/libfips-lib-rsa_lib.o", - "crypto/rsa/libfips-lib-rsa_mp_names.o", - "crypto/rsa/libfips-lib-rsa_none.o", - "crypto/rsa/libfips-lib-rsa_oaep.o", - "crypto/rsa/libfips-lib-rsa_ossl.o", - "crypto/rsa/libfips-lib-rsa_pk1.o", - "crypto/rsa/libfips-lib-rsa_pss.o", - "crypto/rsa/libfips-lib-rsa_schemes.o", - "crypto/rsa/libfips-lib-rsa_sign.o", - "crypto/rsa/libfips-lib-rsa_sp800_56b_check.o", - "crypto/rsa/libfips-lib-rsa_sp800_56b_gen.o", - "crypto/rsa/libfips-lib-rsa_x931.o" + "crypto/rsa/libcrypto-shlib-rsa_x931g.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, @@ -11823,22 +11740,11 @@ our %unified_info = ( "crypto/sha/libcrypto-shlib-sha256.o", "crypto/sha/libcrypto-shlib-sha3.o", "crypto/sha/libcrypto-shlib-sha512-x86_64.o", - "crypto/sha/libcrypto-shlib-sha512.o", - "crypto/sha/libfips-lib-keccak1600-x86_64.o", - "crypto/sha/libfips-lib-sha1-mb-x86_64.o", - "crypto/sha/libfips-lib-sha1-x86_64.o", - "crypto/sha/libfips-lib-sha1dgst.o", - "crypto/sha/libfips-lib-sha256-mb-x86_64.o", - "crypto/sha/libfips-lib-sha256-x86_64.o", - "crypto/sha/libfips-lib-sha256.o", - "crypto/sha/libfips-lib-sha3.o", - "crypto/sha/libfips-lib-sha512-x86_64.o", - "crypto/sha/libfips-lib-sha512.o" + "crypto/sha/libcrypto-shlib-sha512.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, @@ -11876,22 +11782,11 @@ our %unified_info = ( "crypto/slh_dsa/libcrypto-shlib-slh_hypertree.o", "crypto/slh_dsa/libcrypto-shlib-slh_params.o", "crypto/slh_dsa/libcrypto-shlib-slh_wots.o", - "crypto/slh_dsa/libcrypto-shlib-slh_xmss.o", - "crypto/slh_dsa/libfips-lib-slh_adrs.o", - "crypto/slh_dsa/libfips-lib-slh_dsa.o", - "crypto/slh_dsa/libfips-lib-slh_dsa_hash_ctx.o", - "crypto/slh_dsa/libfips-lib-slh_dsa_key.o", - "crypto/slh_dsa/libfips-lib-slh_fors.o", - "crypto/slh_dsa/libfips-lib-slh_hash.o", - "crypto/slh_dsa/libfips-lib-slh_hypertree.o", - "crypto/slh_dsa/libfips-lib-slh_params.o", - "crypto/slh_dsa/libfips-lib-slh_wots.o", - "crypto/slh_dsa/libfips-lib-slh_xmss.o" + "crypto/slh_dsa/libcrypto-shlib-slh_xmss.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, @@ -11911,13 +11806,11 @@ our %unified_info = ( "crypto/stack" => { "deps" => [ "crypto/stack/libcrypto-lib-stack.o", - "crypto/stack/libcrypto-shlib-stack.o", - "crypto/stack/libfips-lib-stack.o" + "crypto/stack/libcrypto-shlib-stack.o" ], "products" => { "lib" => [ - "libcrypto", - "providers/libfips.a" + "libcrypto" ] } }, @@ -11952,16 +11845,12 @@ our %unified_info = ( "crypto/thread/libcrypto-shlib-api.o", "crypto/thread/libcrypto-shlib-arch.o", "crypto/thread/libcrypto-shlib-internal.o", - "crypto/thread/libssl-shlib-arch.o", - "crypto/thread/libfips-lib-api.o", - "crypto/thread/libfips-lib-arch.o", - "crypto/thread/libfips-lib-internal.o" + "crypto/thread/libssl-shlib-arch.o" ], "products" => { "lib" => [ "libcrypto", - "libssl", - "providers/libfips.a" + "libssl" ] } }, @@ -11975,16 +11864,12 @@ our %unified_info = ( "crypto/thread/arch/libcrypto-shlib-thread_win.o", "crypto/thread/arch/libssl-shlib-thread_none.o", "crypto/thread/arch/libssl-shlib-thread_posix.o", - "crypto/thread/arch/libssl-shlib-thread_win.o", - "crypto/thread/arch/libfips-lib-thread_none.o", - "crypto/thread/arch/libfips-lib-thread_posix.o", - "crypto/thread/arch/libfips-lib-thread_win.o" + "crypto/thread/arch/libssl-shlib-thread_win.o" ], "products" => { "lib" => [ "libcrypto", - "libssl", - "providers/libfips.a" + "libssl" ] } }, @@ -12317,6 +12202,8 @@ our %unified_info = ( }, "providers" => { "deps" => [ + "providers/endecode_test-bin-legacyprov.o", + "providers/evp_extra_test-bin-legacyprov.o", "providers/libcrypto-lib-baseprov.o", "providers/libcrypto-lib-defltprov.o", "providers/libcrypto-lib-nullprov.o", @@ -12329,12 +12216,16 @@ our %unified_info = ( "providers/libdefault.a" ], "products" => { + "bin" => [ + "test/endecode_test", + "test/evp_extra_test" + ], "dso" => [ - "providers/fips" + "providers/legacy" ], "lib" => [ "libcrypto", - "providers/libfips.a" + "providers/liblegacy.a" ] } }, @@ -12349,19 +12240,13 @@ our %unified_info = ( "providers/common/libdefault-lib-provider_util.o", "providers/common/libdefault-lib-securitycheck.o", "providers/common/libdefault-lib-securitycheck_default.o", - "providers/common/libfips-lib-bio_prov.o", - "providers/common/libfips-lib-capabilities.o", - "providers/common/libfips-lib-digest_to_nid.o", - "providers/common/libfips-lib-provider_seeding.o", - "providers/common/libfips-lib-provider_util.o", - "providers/common/libfips-lib-securitycheck.o", - "providers/common/libfips-lib-securitycheck_fips.o" + "providers/common/liblegacy-lib-provider_util.o" ], "products" => { "lib" => [ "providers/libcommon.a", "providers/libdefault.a", - "providers/libfips.a" + "providers/liblegacy.a" ] } }, @@ -12383,43 +12268,22 @@ our %unified_info = ( "providers/common/der/libcommon-lib-der_slh_dsa_gen.o", "providers/common/der/libcommon-lib-der_slh_dsa_key.o", "providers/common/der/libcommon-lib-der_wrap_gen.o", - "providers/common/der/libdefault-lib-der_rsa_sig.o", - "providers/common/der/libfips-lib-der_rsa_sig.o" + "providers/common/der/libdefault-lib-der_rsa_sig.o" ], "products" => { "lib" => [ "providers/libcommon.a", - "providers/libdefault.a", - "providers/libfips.a" - ] - } - }, - "providers/fips" => { - "deps" => [ - "providers/fips/fips-dso-fips_entry.o", - "providers/fips/libfips-lib-fipsindicator.o", - "providers/fips/libfips-lib-fipsprov.o", - "providers/fips/libfips-lib-self_test.o", - "providers/fips/libfips-lib-self_test_kats.o" - ], - "products" => { - "dso" => [ - "providers/fips" - ], - "lib" => [ - "providers/libfips.a" + "providers/libdefault.a" ] } }, "providers/implementations/asymciphers" => { "deps" => [ - "providers/implementations/asymciphers/libdefault-lib-rsa_enc.o", - "providers/implementations/asymciphers/libfips-lib-rsa_enc.o" + "providers/implementations/asymciphers/libdefault-lib-rsa_enc.o" ], "products" => { "lib" => [ - "providers/libdefault.a", - "providers/libfips.a" + "providers/libdefault.a" ] } }, @@ -12467,31 +12331,29 @@ our %unified_info = ( "providers/implementations/ciphers/libdefault-lib-cipher_tdes_hw.o", "providers/implementations/ciphers/libdefault-lib-cipher_tdes_wrap.o", "providers/implementations/ciphers/libdefault-lib-cipher_tdes_wrap_hw.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_cbc_hmac_sha.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_cbc_hmac_sha1_hw.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_cbc_hmac_sha256_hw.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_ccm.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_ccm_hw.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_gcm.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_gcm_hw.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_hw.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_ocb.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_ocb_hw.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_wrp.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_xts.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_xts_fips.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_xts_hw.o", - "providers/implementations/ciphers/libfips-lib-cipher_cts.o", - "providers/implementations/ciphers/libfips-lib-cipher_tdes.o", - "providers/implementations/ciphers/libfips-lib-cipher_tdes_common.o", - "providers/implementations/ciphers/libfips-lib-cipher_tdes_hw.o" + "providers/implementations/ciphers/liblegacy-lib-cipher_blowfish.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_blowfish_hw.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_cast5.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_cast5_hw.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_des.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_des_hw.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_desx.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_desx_hw.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_rc2.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_rc2_hw.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_rc4.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hmac_md5.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hmac_md5_hw.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hw.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_seed.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_seed_hw.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_tdes_common.o" ], "products" => { "lib" => [ "providers/libcommon.a", "providers/libdefault.a", - "providers/libfips.a" + "providers/liblegacy.a" ] } }, @@ -12507,14 +12369,15 @@ our %unified_info = ( "providers/implementations/digests/libdefault-lib-ripemd_prov.o", "providers/implementations/digests/libdefault-lib-sha2_prov.o", "providers/implementations/digests/libdefault-lib-sha3_prov.o", - "providers/implementations/digests/libfips-lib-sha2_prov.o", - "providers/implementations/digests/libfips-lib-sha3_prov.o" + "providers/implementations/digests/liblegacy-lib-md4_prov.o", + "providers/implementations/digests/liblegacy-lib-ripemd_prov.o", + "providers/implementations/digests/liblegacy-lib-wp_prov.o" ], "products" => { "lib" => [ "providers/libcommon.a", "providers/libdefault.a", - "providers/libfips.a" + "providers/liblegacy.a" ] } }, @@ -12546,16 +12409,11 @@ our %unified_info = ( "providers/implementations/exchange/libdefault-lib-dh_exch.o", "providers/implementations/exchange/libdefault-lib-ecdh_exch.o", "providers/implementations/exchange/libdefault-lib-ecx_exch.o", - "providers/implementations/exchange/libdefault-lib-kdf_exch.o", - "providers/implementations/exchange/libfips-lib-dh_exch.o", - "providers/implementations/exchange/libfips-lib-ecdh_exch.o", - "providers/implementations/exchange/libfips-lib-ecx_exch.o", - "providers/implementations/exchange/libfips-lib-kdf_exch.o" + "providers/implementations/exchange/libdefault-lib-kdf_exch.o" ], "products" => { "lib" => [ - "providers/libdefault.a", - "providers/libfips.a" + "providers/libdefault.a" ] } }, @@ -12574,19 +12432,13 @@ our %unified_info = ( "providers/implementations/kdfs/libdefault-lib-sskdf.o", "providers/implementations/kdfs/libdefault-lib-tls1_prf.o", "providers/implementations/kdfs/libdefault-lib-x942kdf.o", - "providers/implementations/kdfs/libfips-lib-hkdf.o", - "providers/implementations/kdfs/libfips-lib-kbkdf.o", - "providers/implementations/kdfs/libfips-lib-pbkdf2.o", - "providers/implementations/kdfs/libfips-lib-pbkdf2_fips.o", - "providers/implementations/kdfs/libfips-lib-sshkdf.o", - "providers/implementations/kdfs/libfips-lib-sskdf.o", - "providers/implementations/kdfs/libfips-lib-tls1_prf.o", - "providers/implementations/kdfs/libfips-lib-x942kdf.o" + "providers/implementations/kdfs/liblegacy-lib-pbkdf1.o", + "providers/implementations/kdfs/liblegacy-lib-pvkkdf.o" ], "products" => { "lib" => [ "providers/libdefault.a", - "providers/libfips.a" + "providers/liblegacy.a" ] } }, @@ -12598,15 +12450,11 @@ our %unified_info = ( "providers/implementations/kem/libdefault-lib-ml_kem_kem.o", "providers/implementations/kem/libdefault-lib-mlx_kem.o", "providers/implementations/kem/libdefault-lib-rsa_kem.o", - "providers/implementations/kem/libfips-lib-ml_kem_kem.o", - "providers/implementations/kem/libfips-lib-mlx_kem.o", - "providers/implementations/kem/libfips-lib-rsa_kem.o", "providers/implementations/kem/libtemplate-lib-template_kem.o" ], "products" => { "lib" => [ "providers/libdefault.a", - "providers/libfips.a", "providers/libtemplate.a" ] } @@ -12624,23 +12472,11 @@ our %unified_info = ( "providers/implementations/keymgmt/libdefault-lib-mlx_kmgmt.o", "providers/implementations/keymgmt/libdefault-lib-rsa_kmgmt.o", "providers/implementations/keymgmt/libdefault-lib-slh_dsa_kmgmt.o", - "providers/implementations/keymgmt/libfips-lib-dh_kmgmt.o", - "providers/implementations/keymgmt/libfips-lib-dsa_kmgmt.o", - "providers/implementations/keymgmt/libfips-lib-ec_kmgmt.o", - "providers/implementations/keymgmt/libfips-lib-ecx_kmgmt.o", - "providers/implementations/keymgmt/libfips-lib-kdf_legacy_kmgmt.o", - "providers/implementations/keymgmt/libfips-lib-mac_legacy_kmgmt.o", - "providers/implementations/keymgmt/libfips-lib-ml_dsa_kmgmt.o", - "providers/implementations/keymgmt/libfips-lib-ml_kem_kmgmt.o", - "providers/implementations/keymgmt/libfips-lib-mlx_kmgmt.o", - "providers/implementations/keymgmt/libfips-lib-rsa_kmgmt.o", - "providers/implementations/keymgmt/libfips-lib-slh_dsa_kmgmt.o", "providers/implementations/keymgmt/libtemplate-lib-template_kmgmt.o" ], "products" => { "lib" => [ "providers/libdefault.a", - "providers/libfips.a", "providers/libtemplate.a" ] } @@ -12654,16 +12490,11 @@ our %unified_info = ( "providers/implementations/macs/libdefault-lib-hmac_prov.o", "providers/implementations/macs/libdefault-lib-kmac_prov.o", "providers/implementations/macs/libdefault-lib-poly1305_prov.o", - "providers/implementations/macs/libdefault-lib-siphash_prov.o", - "providers/implementations/macs/libfips-lib-cmac_prov.o", - "providers/implementations/macs/libfips-lib-gmac_prov.o", - "providers/implementations/macs/libfips-lib-hmac_prov.o", - "providers/implementations/macs/libfips-lib-kmac_prov.o" + "providers/implementations/macs/libdefault-lib-siphash_prov.o" ], "products" => { "lib" => [ - "providers/libdefault.a", - "providers/libfips.a" + "providers/libdefault.a" ] } }, @@ -12675,18 +12506,11 @@ our %unified_info = ( "providers/implementations/rands/libdefault-lib-drbg_hmac.o", "providers/implementations/rands/libdefault-lib-seed_src.o", "providers/implementations/rands/libdefault-lib-seed_src_jitter.o", - "providers/implementations/rands/libdefault-lib-test_rng.o", - "providers/implementations/rands/libfips-lib-drbg.o", - "providers/implementations/rands/libfips-lib-drbg_ctr.o", - "providers/implementations/rands/libfips-lib-drbg_hash.o", - "providers/implementations/rands/libfips-lib-drbg_hmac.o", - "providers/implementations/rands/libfips-lib-fips_crng_test.o", - "providers/implementations/rands/libfips-lib-test_rng.o" + "providers/implementations/rands/libdefault-lib-test_rng.o" ], "products" => { "lib" => [ - "providers/libdefault.a", - "providers/libfips.a" + "providers/libdefault.a" ] } }, @@ -12711,33 +12535,22 @@ our %unified_info = ( "providers/implementations/signature/libdefault-lib-mac_legacy_sig.o", "providers/implementations/signature/libdefault-lib-ml_dsa_sig.o", "providers/implementations/signature/libdefault-lib-rsa_sig.o", - "providers/implementations/signature/libdefault-lib-slh_dsa_sig.o", - "providers/implementations/signature/libfips-lib-dsa_sig.o", - "providers/implementations/signature/libfips-lib-ecdsa_sig.o", - "providers/implementations/signature/libfips-lib-eddsa_sig.o", - "providers/implementations/signature/libfips-lib-mac_legacy_sig.o", - "providers/implementations/signature/libfips-lib-ml_dsa_sig.o", - "providers/implementations/signature/libfips-lib-rsa_sig.o", - "providers/implementations/signature/libfips-lib-slh_dsa_sig.o" + "providers/implementations/signature/libdefault-lib-slh_dsa_sig.o" ], "products" => { "lib" => [ - "providers/libdefault.a", - "providers/libfips.a" + "providers/libdefault.a" ] } }, "providers/implementations/skeymgmt" => { "deps" => [ "providers/implementations/skeymgmt/libdefault-lib-aes_skmgmt.o", - "providers/implementations/skeymgmt/libdefault-lib-generic.o", - "providers/implementations/skeymgmt/libfips-lib-aes_skmgmt.o", - "providers/implementations/skeymgmt/libfips-lib-generic.o" + "providers/implementations/skeymgmt/libdefault-lib-generic.o" ], "products" => { "lib" => [ - "providers/libdefault.a", - "providers/libfips.a" + "providers/libdefault.a" ] } }, @@ -12936,6 +12749,7 @@ our %unified_info = ( "ssl/record/methods" => { "deps" => [ "ssl/record/methods/libssl-lib-dtls_meth.o", + "ssl/record/methods/libssl-lib-ktls_meth.o", "ssl/record/methods/libssl-lib-ssl3_meth.o", "ssl/record/methods/libssl-lib-tls13_meth.o", "ssl/record/methods/libssl-lib-tls1_meth.o", @@ -12943,6 +12757,7 @@ our %unified_info = ( "ssl/record/methods/libssl-lib-tls_multib.o", "ssl/record/methods/libssl-lib-tlsany_meth.o", "ssl/record/methods/libssl-shlib-dtls_meth.o", + "ssl/record/methods/libssl-shlib-ktls_meth.o", "ssl/record/methods/libssl-shlib-ssl3_cbc.o", "ssl/record/methods/libssl-shlib-ssl3_meth.o", "ssl/record/methods/libssl-shlib-tls13_meth.o", @@ -12952,15 +12767,13 @@ our %unified_info = ( "ssl/record/methods/libssl-shlib-tls_pad.o", "ssl/record/methods/libssl-shlib-tlsany_meth.o", "ssl/record/methods/libcommon-lib-tls_pad.o", - "ssl/record/methods/libdefault-lib-ssl3_cbc.o", - "ssl/record/methods/libfips-lib-ssl3_cbc.o" + "ssl/record/methods/libdefault-lib-ssl3_cbc.o" ], "products" => { "lib" => [ "libssl", "providers/libcommon.a", - "providers/libdefault.a", - "providers/libfips.a" + "providers/libdefault.a" ] } }, @@ -13122,6 +12935,7 @@ our %unified_info = ( "test/testutil/libtestutil-lib-apps_shims.o", "test/testutil/libtestutil-lib-basic_output.o", "test/testutil/libtestutil-lib-cb.o", + "test/testutil/libtestutil-lib-compare.o", "test/testutil/libtestutil-lib-driver.o", "test/testutil/libtestutil-lib-fake_random.o", "test/testutil/libtestutil-lib-format_output.o", @@ -19584,26 +19398,29 @@ our %unified_info = ( "providers/common/include/prov/der_wrap.h" => [ "providers/common/include/prov/der_wrap.h.in" ], - "providers/fips.ld" => [ + "providers/legacy.ld" => [ "util/providers.num" ], - "providers/fipsmodule.cnf" => [ - "util/mk-fipsmodule-cnf.pl", - "-module", - "\$(FIPSMODULE)", - "-section_name", - "fips_sect", - "-key", - "\$(FIPSKEY)" - ], "test/buildtest_aes.c" => [ "test/generate_buildtest.pl", "aes" ], + "test/buildtest_asn1.c" => [ + "test/generate_buildtest.pl", + "asn1" + ], + "test/buildtest_asn1t.c" => [ + "test/generate_buildtest.pl", + "asn1t" + ], "test/buildtest_async.c" => [ "test/generate_buildtest.pl", "async" ], + "test/buildtest_bio.c" => [ + "test/generate_buildtest.pl", + "bio" + ], "test/buildtest_blowfish.c" => [ "test/generate_buildtest.pl", "blowfish" @@ -19632,14 +19449,34 @@ our %unified_info = ( "test/generate_buildtest.pl", "cmac" ], + "test/buildtest_cmp.c" => [ + "test/generate_buildtest.pl", + "cmp" + ], "test/buildtest_cmp_util.c" => [ "test/generate_buildtest.pl", "cmp_util" ], + "test/buildtest_cms.c" => [ + "test/generate_buildtest.pl", + "cms" + ], + "test/buildtest_comp.c" => [ + "test/generate_buildtest.pl", + "comp" + ], + "test/buildtest_conf.c" => [ + "test/generate_buildtest.pl", + "conf" + ], "test/buildtest_conf_api.c" => [ "test/generate_buildtest.pl", "conf_api" ], + "test/buildtest_configuration.c" => [ + "test/generate_buildtest.pl", + "configuration" + ], "test/buildtest_conftypes.c" => [ "test/generate_buildtest.pl", "conftypes" @@ -19652,14 +19489,30 @@ our %unified_info = ( "test/generate_buildtest.pl", "core_dispatch" ], + "test/buildtest_core_names.c" => [ + "test/generate_buildtest.pl", + "core_names" + ], "test/buildtest_core_object.c" => [ "test/generate_buildtest.pl", "core_object" ], + "test/buildtest_crmf.c" => [ + "test/generate_buildtest.pl", + "crmf" + ], + "test/buildtest_crypto.c" => [ + "test/generate_buildtest.pl", + "crypto" + ], "test/buildtest_cryptoerr_legacy.c" => [ "test/generate_buildtest.pl", "cryptoerr_legacy" ], + "test/buildtest_ct.c" => [ + "test/generate_buildtest.pl", + "ct" + ], "test/buildtest_decoder.c" => [ "test/generate_buildtest.pl", "decoder" @@ -19712,6 +19565,10 @@ our %unified_info = ( "test/generate_buildtest.pl", "engine" ], + "test/buildtest_ess.c" => [ + "test/generate_buildtest.pl", + "ess" + ], "test/buildtest_evp.c" => [ "test/generate_buildtest.pl", "evp" @@ -19720,6 +19577,10 @@ our %unified_info = ( "test/generate_buildtest.pl", "fips_names" ], + "test/buildtest_fipskey.c" => [ + "test/generate_buildtest.pl", + "fipskey" + ], "test/buildtest_hmac.c" => [ "test/generate_buildtest.pl", "hmac" @@ -19740,6 +19601,10 @@ our %unified_info = ( "test/generate_buildtest.pl", "kdf" ], + "test/buildtest_lhash.c" => [ + "test/generate_buildtest.pl", + "lhash" + ], "test/buildtest_macros.c" => [ "test/generate_buildtest.pl", "macros" @@ -19768,6 +19633,14 @@ our %unified_info = ( "test/generate_buildtest.pl", "objects" ], + "test/buildtest_ocsp.c" => [ + "test/generate_buildtest.pl", + "ocsp" + ], + "test/buildtest_opensslv.c" => [ + "test/generate_buildtest.pl", + "opensslv" + ], "test/buildtest_ossl_typ.c" => [ "test/generate_buildtest.pl", "ossl_typ" @@ -19788,6 +19661,14 @@ our %unified_info = ( "test/generate_buildtest.pl", "pem2" ], + "test/buildtest_pkcs12.c" => [ + "test/generate_buildtest.pl", + "pkcs12" + ], + "test/buildtest_pkcs7.c" => [ + "test/generate_buildtest.pl", + "pkcs7" + ], "test/buildtest_prov_ssl.c" => [ "test/generate_buildtest.pl", "prov_ssl" @@ -19820,6 +19701,10 @@ our %unified_info = ( "test/generate_buildtest.pl", "rsa" ], + "test/buildtest_safestack.c" => [ + "test/generate_buildtest.pl", + "safestack" + ], "test/buildtest_seed.c" => [ "test/generate_buildtest.pl", "seed" @@ -19832,10 +19717,18 @@ our %unified_info = ( "test/generate_buildtest.pl", "sha" ], + "test/buildtest_srp.c" => [ + "test/generate_buildtest.pl", + "srp" + ], "test/buildtest_srtp.c" => [ "test/generate_buildtest.pl", "srtp" ], + "test/buildtest_ssl.c" => [ + "test/generate_buildtest.pl", + "ssl" + ], "test/buildtest_ssl2.c" => [ "test/generate_buildtest.pl", "ssl2" @@ -19876,10 +19769,30 @@ our %unified_info = ( "test/generate_buildtest.pl", "types" ], + "test/buildtest_ui.c" => [ + "test/generate_buildtest.pl", + "ui" + ], "test/buildtest_whrlpool.c" => [ "test/generate_buildtest.pl", "whrlpool" ], + "test/buildtest_x509.c" => [ + "test/generate_buildtest.pl", + "x509" + ], + "test/buildtest_x509_acert.c" => [ + "test/generate_buildtest.pl", + "x509_acert" + ], + "test/buildtest_x509_vfy.c" => [ + "test/generate_buildtest.pl", + "x509_vfy" + ], + "test/buildtest_x509v3.c" => [ + "test/generate_buildtest.pl", + "x509v3" + ], "test/p_minimal.ld" => [ "util/providers.num" ], @@ -21222,9 +21135,6 @@ our %unified_info = ( "crypto/bn/libcrypto-shlib-bn_exp.o" => [ "crypto" ], - "crypto/bn/libfips-lib-bn_exp.o" => [ - "crypto" - ], "crypto/bn/mips-mont.o" => [ "crypto" ], @@ -21321,15 +21231,6 @@ our %unified_info = ( "crypto/ec/libcrypto-shlib-ecx_meth.o" => [ "crypto" ], - "crypto/ec/libfips-lib-ecp_nistp384.o" => [ - "crypto" - ], - "crypto/ec/libfips-lib-ecp_nistp521.o" => [ - "crypto" - ], - "crypto/ec/libfips-lib-ecx_key.o" => [ - "crypto" - ], "crypto/evp/e_aes.o" => [ "crypto", "crypto/modes" @@ -21417,6 +21318,9 @@ our %unified_info = ( "crypto/info.o" => [ "crypto" ], + "crypto/legacy-dso-cpuid.o" => [ + "." + ], "crypto/libcrypto-lib-cpuid.o" => [ "." ], @@ -21435,9 +21339,6 @@ our %unified_info = ( "crypto/libcrypto-shlib-info.o" => [ "crypto" ], - "crypto/libfips-lib-cpuid.o" => [ - "." - ], "crypto/md5/md5-aarch64.o" => [ "crypto" ], @@ -21474,9 +21375,6 @@ our %unified_info = ( "crypto/modes/libcrypto-shlib-gcm128.o" => [ "crypto" ], - "crypto/modes/libfips-lib-gcm128.o" => [ - "crypto" - ], "crypto/params_idx.c" => [ "util/perl" ], @@ -21993,9 +21891,6 @@ our %unified_info = ( "providers/common/der/libdefault-lib-der_rsa_sig.o" => [ "providers/common/include/prov" ], - "providers/common/der/libfips-lib-der_rsa_sig.o" => [ - "providers/common/include/prov" - ], "providers/common/include/prov/der_digests.h" => [ "providers/common/der" ], @@ -22020,9 +21915,6 @@ our %unified_info = ( "providers/common/include/prov/der_wrap.h" => [ "providers/common/der" ], - "providers/fips" => [ - "include" - ], "providers/implementations/encode_decode/encode_key2any.o" => [ "providers/common/include/prov" ], @@ -22032,9 +21924,6 @@ our %unified_info = ( "providers/implementations/kdfs/libdefault-lib-x942kdf.o" => [ "providers/common/include/prov" ], - "providers/implementations/kdfs/libfips-lib-x942kdf.o" => [ - "providers/common/include/prov" - ], "providers/implementations/kdfs/x942kdf.o" => [ "providers/common/include/prov" ], @@ -22065,24 +21954,6 @@ our %unified_info = ( "providers/implementations/signature/libdefault-lib-slh_dsa_sig.o" => [ "providers/common/include/prov" ], - "providers/implementations/signature/libfips-lib-dsa_sig.o" => [ - "providers/common/include/prov" - ], - "providers/implementations/signature/libfips-lib-ecdsa_sig.o" => [ - "providers/common/include/prov" - ], - "providers/implementations/signature/libfips-lib-eddsa_sig.o" => [ - "providers/common/include/prov" - ], - "providers/implementations/signature/libfips-lib-ml_dsa_sig.o" => [ - "providers/common/include/prov" - ], - "providers/implementations/signature/libfips-lib-rsa_sig.o" => [ - "providers/common/include/prov" - ], - "providers/implementations/signature/libfips-lib-slh_dsa_sig.o" => [ - "providers/common/include/prov" - ], "providers/implementations/signature/ml_dsa_sig.o" => [ "providers/common/include/prov" ], @@ -22095,6 +21966,11 @@ our %unified_info = ( "providers/implementations/signature/sm2_sig.o" => [ "providers/common/include/prov" ], + "providers/legacy" => [ + "include", + "providers/implementations/include", + "providers/common/include" + ], "providers/libcommon.a" => [ "crypto", "include", @@ -22137,10 +22013,6 @@ our %unified_info = ( "include", "apps/include" ], - "test/acvp_test" => [ - "include", - "apps/include" - ], "test/aesgcmtest" => [ "include", "apps/include", @@ -22271,9 +22143,18 @@ our %unified_info = ( "test/buildtest_c_aes" => [ "include" ], + "test/buildtest_c_asn1" => [ + "include" + ], + "test/buildtest_c_asn1t" => [ + "include" + ], "test/buildtest_c_async" => [ "include" ], + "test/buildtest_c_bio" => [ + "include" + ], "test/buildtest_c_blowfish" => [ "include" ], @@ -22295,12 +22176,27 @@ our %unified_info = ( "test/buildtest_c_cmac" => [ "include" ], + "test/buildtest_c_cmp" => [ + "include" + ], "test/buildtest_c_cmp_util" => [ "include" ], + "test/buildtest_c_cms" => [ + "include" + ], + "test/buildtest_c_comp" => [ + "include" + ], + "test/buildtest_c_conf" => [ + "include" + ], "test/buildtest_c_conf_api" => [ "include" ], + "test/buildtest_c_configuration" => [ + "include" + ], "test/buildtest_c_conftypes" => [ "include" ], @@ -22310,12 +22206,24 @@ our %unified_info = ( "test/buildtest_c_core_dispatch" => [ "include" ], + "test/buildtest_c_core_names" => [ + "include" + ], "test/buildtest_c_core_object" => [ "include" ], + "test/buildtest_c_crmf" => [ + "include" + ], + "test/buildtest_c_crypto" => [ + "include" + ], "test/buildtest_c_cryptoerr_legacy" => [ "include" ], + "test/buildtest_c_ct" => [ + "include" + ], "test/buildtest_c_decoder" => [ "include" ], @@ -22355,12 +22263,18 @@ our %unified_info = ( "test/buildtest_c_engine" => [ "include" ], + "test/buildtest_c_ess" => [ + "include" + ], "test/buildtest_c_evp" => [ "include" ], "test/buildtest_c_fips_names" => [ "include" ], + "test/buildtest_c_fipskey" => [ + "include" + ], "test/buildtest_c_hmac" => [ "include" ], @@ -22376,6 +22290,9 @@ our %unified_info = ( "test/buildtest_c_kdf" => [ "include" ], + "test/buildtest_c_lhash" => [ + "include" + ], "test/buildtest_c_macros" => [ "include" ], @@ -22397,6 +22314,12 @@ our %unified_info = ( "test/buildtest_c_objects" => [ "include" ], + "test/buildtest_c_ocsp" => [ + "include" + ], + "test/buildtest_c_opensslv" => [ + "include" + ], "test/buildtest_c_ossl_typ" => [ "include" ], @@ -22412,6 +22335,12 @@ our %unified_info = ( "test/buildtest_c_pem2" => [ "include" ], + "test/buildtest_c_pkcs12" => [ + "include" + ], + "test/buildtest_c_pkcs7" => [ + "include" + ], "test/buildtest_c_prov_ssl" => [ "include" ], @@ -22436,6 +22365,9 @@ our %unified_info = ( "test/buildtest_c_rsa" => [ "include" ], + "test/buildtest_c_safestack" => [ + "include" + ], "test/buildtest_c_seed" => [ "include" ], @@ -22445,9 +22377,15 @@ our %unified_info = ( "test/buildtest_c_sha" => [ "include" ], + "test/buildtest_c_srp" => [ + "include" + ], "test/buildtest_c_srtp" => [ "include" ], + "test/buildtest_c_ssl" => [ + "include" + ], "test/buildtest_c_ssl2" => [ "include" ], @@ -22478,9 +22416,24 @@ our %unified_info = ( "test/buildtest_c_types" => [ "include" ], + "test/buildtest_c_ui" => [ + "include" + ], "test/buildtest_c_whrlpool" => [ "include" ], + "test/buildtest_c_x509" => [ + "include" + ], + "test/buildtest_c_x509_acert" => [ + "include" + ], + "test/buildtest_c_x509_vfy" => [ + "include" + ], + "test/buildtest_c_x509v3" => [ + "include" + ], "test/byteorder_test" => [ "include", "apps/include" @@ -22686,7 +22639,9 @@ our %unified_info = ( "test/endecode_test" => [ ".", "include", - "apps/include" + "apps/include", + "providers/common/include", + "providers/implementations/include" ], "test/endecoder_legacy_test" => [ ".", @@ -23564,7 +23519,7 @@ our %unified_info = ( "libssl", "providers/libcommon.a", "providers/libdefault.a", - "providers/libfips.a", + "providers/liblegacy.a", "providers/libtemplate.a", "test/libtestutil.a" ], @@ -24478,7 +24433,7 @@ our %unified_info = ( "engines/loader_attic", "engines/ossltest", "engines/padlock", - "providers/fips", + "providers/legacy", "test/p_minimal", "test/p_test" ], @@ -24515,7 +24470,6 @@ our %unified_info = ( "fuzz/v3name-test", "fuzz/x509-test", "test/aborttest", - "test/acvp_test", "test/aesgcmtest", "test/afalgtest", "test/algorithmid_test", @@ -24547,7 +24501,10 @@ our %unified_info = ( "test/bntest", "test/build_wincrypt_test", "test/buildtest_c_aes", + "test/buildtest_c_asn1", + "test/buildtest_c_asn1t", "test/buildtest_c_async", + "test/buildtest_c_bio", "test/buildtest_c_blowfish", "test/buildtest_c_bn", "test/buildtest_c_buffer", @@ -24555,13 +24512,22 @@ our %unified_info = ( "test/buildtest_c_camellia", "test/buildtest_c_cast", "test/buildtest_c_cmac", + "test/buildtest_c_cmp", "test/buildtest_c_cmp_util", + "test/buildtest_c_cms", + "test/buildtest_c_comp", + "test/buildtest_c_conf", "test/buildtest_c_conf_api", + "test/buildtest_c_configuration", "test/buildtest_c_conftypes", "test/buildtest_c_core", "test/buildtest_c_core_dispatch", + "test/buildtest_c_core_names", "test/buildtest_c_core_object", + "test/buildtest_c_crmf", + "test/buildtest_c_crypto", "test/buildtest_c_cryptoerr_legacy", + "test/buildtest_c_ct", "test/buildtest_c_decoder", "test/buildtest_c_des", "test/buildtest_c_dh", @@ -24575,13 +24541,16 @@ our %unified_info = ( "test/buildtest_c_ecdsa", "test/buildtest_c_encoder", "test/buildtest_c_engine", + "test/buildtest_c_ess", "test/buildtest_c_evp", "test/buildtest_c_fips_names", + "test/buildtest_c_fipskey", "test/buildtest_c_hmac", "test/buildtest_c_hpke", "test/buildtest_c_http", "test/buildtest_c_indicator", "test/buildtest_c_kdf", + "test/buildtest_c_lhash", "test/buildtest_c_macros", "test/buildtest_c_md4", "test/buildtest_c_md5", @@ -24589,11 +24558,15 @@ our %unified_info = ( "test/buildtest_c_modes", "test/buildtest_c_obj_mac", "test/buildtest_c_objects", + "test/buildtest_c_ocsp", + "test/buildtest_c_opensslv", "test/buildtest_c_ossl_typ", "test/buildtest_c_param_build", "test/buildtest_c_params", "test/buildtest_c_pem", "test/buildtest_c_pem2", + "test/buildtest_c_pkcs12", + "test/buildtest_c_pkcs7", "test/buildtest_c_prov_ssl", "test/buildtest_c_provider", "test/buildtest_c_quic", @@ -24602,10 +24575,13 @@ our %unified_info = ( "test/buildtest_c_rc4", "test/buildtest_c_ripemd", "test/buildtest_c_rsa", + "test/buildtest_c_safestack", "test/buildtest_c_seed", "test/buildtest_c_self_test", "test/buildtest_c_sha", + "test/buildtest_c_srp", "test/buildtest_c_srtp", + "test/buildtest_c_ssl", "test/buildtest_c_ssl2", "test/buildtest_c_sslerr_legacy", "test/buildtest_c_stack", @@ -24616,7 +24592,12 @@ our %unified_info = ( "test/buildtest_c_ts", "test/buildtest_c_txt_db", "test/buildtest_c_types", + "test/buildtest_c_ui", "test/buildtest_c_whrlpool", + "test/buildtest_c_x509", + "test/buildtest_c_x509_acert", + "test/buildtest_c_x509_vfy", + "test/buildtest_c_x509v3", "test/byteorder_test", "test/ca_internals_test", "test/casttest", @@ -25750,6 +25731,7 @@ our %unified_info = ( "ssl/record/libssl-shlib-rec_layer_d1.o", "ssl/record/libssl-shlib-rec_layer_s3.o", "ssl/record/methods/libssl-shlib-dtls_meth.o", + "ssl/record/methods/libssl-shlib-ktls_meth.o", "ssl/record/methods/libssl-shlib-ssl3_cbc.o", "ssl/record/methods/libssl-shlib-ssl3_meth.o", "ssl/record/methods/libssl-shlib-tls13_meth.o", @@ -26203,36 +26185,6 @@ our %unified_info = ( "crypto/aes/libcrypto-shlib-vpaes-x86_64.o" => [ "crypto/aes/vpaes-x86_64.s" ], - "crypto/aes/libfips-lib-aes-x86_64.o" => [ - "crypto/aes/aes-x86_64.s" - ], - "crypto/aes/libfips-lib-aes_ecb.o" => [ - "crypto/aes/aes_ecb.c" - ], - "crypto/aes/libfips-lib-aes_misc.o" => [ - "crypto/aes/aes_misc.c" - ], - "crypto/aes/libfips-lib-aesni-mb-x86_64.o" => [ - "crypto/aes/aesni-mb-x86_64.s" - ], - "crypto/aes/libfips-lib-aesni-sha1-x86_64.o" => [ - "crypto/aes/aesni-sha1-x86_64.s" - ], - "crypto/aes/libfips-lib-aesni-sha256-x86_64.o" => [ - "crypto/aes/aesni-sha256-x86_64.s" - ], - "crypto/aes/libfips-lib-aesni-x86_64.o" => [ - "crypto/aes/aesni-x86_64.s" - ], - "crypto/aes/libfips-lib-aesni-xts-avx512.o" => [ - "crypto/aes/aesni-xts-avx512.s" - ], - "crypto/aes/libfips-lib-bsaes-x86_64.o" => [ - "crypto/aes/bsaes-x86_64.s" - ], - "crypto/aes/libfips-lib-vpaes-x86_64.o" => [ - "crypto/aes/vpaes-x86_64.s" - ], "crypto/asn1/asn1_time_test-bin-a_time.o" => [ "crypto/asn1/a_time.c" ], @@ -26866,9 +26818,6 @@ our %unified_info = ( "crypto/bn/asm/libcrypto-shlib-x86_64-gcc.o" => [ "crypto/bn/asm/x86_64-gcc.c" ], - "crypto/bn/asm/libfips-lib-x86_64-gcc.o" => [ - "crypto/bn/asm/x86_64-gcc.c" - ], "crypto/bn/libcrypto-lib-bn_add.o" => [ "crypto/bn/bn_add.c" ], @@ -27139,126 +27088,6 @@ our %unified_info = ( "crypto/bn/libcrypto-shlib-x86_64-mont5.o" => [ "crypto/bn/x86_64-mont5.s" ], - "crypto/bn/libfips-lib-bn_add.o" => [ - "crypto/bn/bn_add.c" - ], - "crypto/bn/libfips-lib-bn_blind.o" => [ - "crypto/bn/bn_blind.c" - ], - "crypto/bn/libfips-lib-bn_const.o" => [ - "crypto/bn/bn_const.c" - ], - "crypto/bn/libfips-lib-bn_conv.o" => [ - "crypto/bn/bn_conv.c" - ], - "crypto/bn/libfips-lib-bn_ctx.o" => [ - "crypto/bn/bn_ctx.c" - ], - "crypto/bn/libfips-lib-bn_dh.o" => [ - "crypto/bn/bn_dh.c" - ], - "crypto/bn/libfips-lib-bn_div.o" => [ - "crypto/bn/bn_div.c" - ], - "crypto/bn/libfips-lib-bn_exp.o" => [ - "crypto/bn/bn_exp.c" - ], - "crypto/bn/libfips-lib-bn_exp2.o" => [ - "crypto/bn/bn_exp2.c" - ], - "crypto/bn/libfips-lib-bn_gcd.o" => [ - "crypto/bn/bn_gcd.c" - ], - "crypto/bn/libfips-lib-bn_gf2m.o" => [ - "crypto/bn/bn_gf2m.c" - ], - "crypto/bn/libfips-lib-bn_intern.o" => [ - "crypto/bn/bn_intern.c" - ], - "crypto/bn/libfips-lib-bn_kron.o" => [ - "crypto/bn/bn_kron.c" - ], - "crypto/bn/libfips-lib-bn_lib.o" => [ - "crypto/bn/bn_lib.c" - ], - "crypto/bn/libfips-lib-bn_mod.o" => [ - "crypto/bn/bn_mod.c" - ], - "crypto/bn/libfips-lib-bn_mont.o" => [ - "crypto/bn/bn_mont.c" - ], - "crypto/bn/libfips-lib-bn_mpi.o" => [ - "crypto/bn/bn_mpi.c" - ], - "crypto/bn/libfips-lib-bn_mul.o" => [ - "crypto/bn/bn_mul.c" - ], - "crypto/bn/libfips-lib-bn_nist.o" => [ - "crypto/bn/bn_nist.c" - ], - "crypto/bn/libfips-lib-bn_prime.o" => [ - "crypto/bn/bn_prime.c" - ], - "crypto/bn/libfips-lib-bn_rand.o" => [ - "crypto/bn/bn_rand.c" - ], - "crypto/bn/libfips-lib-bn_recp.o" => [ - "crypto/bn/bn_recp.c" - ], - "crypto/bn/libfips-lib-bn_rsa_fips186_4.o" => [ - "crypto/bn/bn_rsa_fips186_4.c" - ], - "crypto/bn/libfips-lib-bn_shift.o" => [ - "crypto/bn/bn_shift.c" - ], - "crypto/bn/libfips-lib-bn_sqr.o" => [ - "crypto/bn/bn_sqr.c" - ], - "crypto/bn/libfips-lib-bn_sqrt.o" => [ - "crypto/bn/bn_sqrt.c" - ], - "crypto/bn/libfips-lib-bn_word.o" => [ - "crypto/bn/bn_word.c" - ], - "crypto/bn/libfips-lib-rsaz-2k-avx512.o" => [ - "crypto/bn/rsaz-2k-avx512.s" - ], - "crypto/bn/libfips-lib-rsaz-2k-avxifma.o" => [ - "crypto/bn/rsaz-2k-avxifma.s" - ], - "crypto/bn/libfips-lib-rsaz-3k-avx512.o" => [ - "crypto/bn/rsaz-3k-avx512.s" - ], - "crypto/bn/libfips-lib-rsaz-3k-avxifma.o" => [ - "crypto/bn/rsaz-3k-avxifma.s" - ], - "crypto/bn/libfips-lib-rsaz-4k-avx512.o" => [ - "crypto/bn/rsaz-4k-avx512.s" - ], - "crypto/bn/libfips-lib-rsaz-4k-avxifma.o" => [ - "crypto/bn/rsaz-4k-avxifma.s" - ], - "crypto/bn/libfips-lib-rsaz-avx2.o" => [ - "crypto/bn/rsaz-avx2.s" - ], - "crypto/bn/libfips-lib-rsaz-x86_64.o" => [ - "crypto/bn/rsaz-x86_64.s" - ], - "crypto/bn/libfips-lib-rsaz_exp.o" => [ - "crypto/bn/rsaz_exp.c" - ], - "crypto/bn/libfips-lib-rsaz_exp_x2.o" => [ - "crypto/bn/rsaz_exp_x2.c" - ], - "crypto/bn/libfips-lib-x86_64-gf2m.o" => [ - "crypto/bn/x86_64-gf2m.s" - ], - "crypto/bn/libfips-lib-x86_64-mont.o" => [ - "crypto/bn/x86_64-mont.s" - ], - "crypto/bn/libfips-lib-x86_64-mont5.o" => [ - "crypto/bn/x86_64-mont5.s" - ], "crypto/buffer/libcrypto-lib-buf_err.o" => [ "crypto/buffer/buf_err.c" ], @@ -27271,9 +27100,6 @@ our %unified_info = ( "crypto/buffer/libcrypto-shlib-buffer.o" => [ "crypto/buffer/buffer.c" ], - "crypto/buffer/libfips-lib-buffer.o" => [ - "crypto/buffer/buffer.c" - ], "crypto/ca_internals_test-bin-ctype.o" => [ "crypto/ctype.c" ], @@ -27355,9 +27181,6 @@ our %unified_info = ( "crypto/cmac/libcrypto-shlib-cmac.o" => [ "crypto/cmac/cmac.c" ], - "crypto/cmac/libfips-lib-cmac.o" => [ - "crypto/cmac/cmac.c" - ], "crypto/cmp/libcrypto-lib-cmp_asn.o" => [ "crypto/cmp/cmp_asn.c" ], @@ -27814,18 +27637,12 @@ our %unified_info = ( "crypto/des/libcrypto-shlib-xcbc_enc.o" => [ "crypto/des/xcbc_enc.c" ], - "crypto/des/libfips-lib-des_enc.o" => [ + "crypto/des/liblegacy-lib-des_enc.o" => [ "crypto/des/des_enc.c" ], - "crypto/des/libfips-lib-ecb3_enc.o" => [ - "crypto/des/ecb3_enc.c" - ], - "crypto/des/libfips-lib-fcrypt_b.o" => [ + "crypto/des/liblegacy-lib-fcrypt_b.o" => [ "crypto/des/fcrypt_b.c" ], - "crypto/des/libfips-lib-set_key.o" => [ - "crypto/des/set_key.c" - ], "crypto/dh/libcrypto-lib-dh_ameth.o" => [ "crypto/dh/dh_ameth.c" ], @@ -27916,27 +27733,6 @@ our %unified_info = ( "crypto/dh/libcrypto-shlib-dh_rfc5114.o" => [ "crypto/dh/dh_rfc5114.c" ], - "crypto/dh/libfips-lib-dh_backend.o" => [ - "crypto/dh/dh_backend.c" - ], - "crypto/dh/libfips-lib-dh_check.o" => [ - "crypto/dh/dh_check.c" - ], - "crypto/dh/libfips-lib-dh_gen.o" => [ - "crypto/dh/dh_gen.c" - ], - "crypto/dh/libfips-lib-dh_group_params.o" => [ - "crypto/dh/dh_group_params.c" - ], - "crypto/dh/libfips-lib-dh_kdf.o" => [ - "crypto/dh/dh_kdf.c" - ], - "crypto/dh/libfips-lib-dh_key.o" => [ - "crypto/dh/dh_key.c" - ], - "crypto/dh/libfips-lib-dh_lib.o" => [ - "crypto/dh/dh_lib.c" - ], "crypto/dsa/libcrypto-lib-dsa_ameth.o" => [ "crypto/dsa/dsa_ameth.c" ], @@ -28027,30 +27823,6 @@ our %unified_info = ( "crypto/dsa/libcrypto-shlib-dsa_vrf.o" => [ "crypto/dsa/dsa_vrf.c" ], - "crypto/dsa/libfips-lib-dsa_backend.o" => [ - "crypto/dsa/dsa_backend.c" - ], - "crypto/dsa/libfips-lib-dsa_check.o" => [ - "crypto/dsa/dsa_check.c" - ], - "crypto/dsa/libfips-lib-dsa_gen.o" => [ - "crypto/dsa/dsa_gen.c" - ], - "crypto/dsa/libfips-lib-dsa_key.o" => [ - "crypto/dsa/dsa_key.c" - ], - "crypto/dsa/libfips-lib-dsa_lib.o" => [ - "crypto/dsa/dsa_lib.c" - ], - "crypto/dsa/libfips-lib-dsa_ossl.o" => [ - "crypto/dsa/dsa_ossl.c" - ], - "crypto/dsa/libfips-lib-dsa_sign.o" => [ - "crypto/dsa/dsa_sign.c" - ], - "crypto/dsa/libfips-lib-dsa_vrf.o" => [ - "crypto/dsa/dsa_vrf.c" - ], "crypto/dso/libcrypto-lib-dso_dl.o" => [ "crypto/dso/dso_dl.c" ], @@ -28099,18 +27871,12 @@ our %unified_info = ( "crypto/ec/curve448/arch_32/libcrypto-shlib-f_impl32.o" => [ "crypto/ec/curve448/arch_32/f_impl32.c" ], - "crypto/ec/curve448/arch_32/libfips-lib-f_impl32.o" => [ - "crypto/ec/curve448/arch_32/f_impl32.c" - ], "crypto/ec/curve448/arch_64/libcrypto-lib-f_impl64.o" => [ "crypto/ec/curve448/arch_64/f_impl64.c" ], "crypto/ec/curve448/arch_64/libcrypto-shlib-f_impl64.o" => [ "crypto/ec/curve448/arch_64/f_impl64.c" ], - "crypto/ec/curve448/arch_64/libfips-lib-f_impl64.o" => [ - "crypto/ec/curve448/arch_64/f_impl64.c" - ], "crypto/ec/curve448/libcrypto-lib-curve448.o" => [ "crypto/ec/curve448/curve448.c" ], @@ -28141,21 +27907,6 @@ our %unified_info = ( "crypto/ec/curve448/libcrypto-shlib-scalar.o" => [ "crypto/ec/curve448/scalar.c" ], - "crypto/ec/curve448/libfips-lib-curve448.o" => [ - "crypto/ec/curve448/curve448.c" - ], - "crypto/ec/curve448/libfips-lib-curve448_tables.o" => [ - "crypto/ec/curve448/curve448_tables.c" - ], - "crypto/ec/curve448/libfips-lib-eddsa.o" => [ - "crypto/ec/curve448/eddsa.c" - ], - "crypto/ec/curve448/libfips-lib-f_generic.o" => [ - "crypto/ec/curve448/f_generic.c" - ], - "crypto/ec/curve448/libfips-lib-scalar.o" => [ - "crypto/ec/curve448/scalar.c" - ], "crypto/ec/libcrypto-lib-curve25519.o" => [ "crypto/ec/curve25519.c" ], @@ -28390,102 +28141,6 @@ our %unified_info = ( "crypto/ec/libcrypto-shlib-x25519-x86_64.o" => [ "crypto/ec/x25519-x86_64.s" ], - "crypto/ec/libfips-lib-curve25519.o" => [ - "crypto/ec/curve25519.c" - ], - "crypto/ec/libfips-lib-ec2_oct.o" => [ - "crypto/ec/ec2_oct.c" - ], - "crypto/ec/libfips-lib-ec2_smpl.o" => [ - "crypto/ec/ec2_smpl.c" - ], - "crypto/ec/libfips-lib-ec_asn1.o" => [ - "crypto/ec/ec_asn1.c" - ], - "crypto/ec/libfips-lib-ec_backend.o" => [ - "crypto/ec/ec_backend.c" - ], - "crypto/ec/libfips-lib-ec_check.o" => [ - "crypto/ec/ec_check.c" - ], - "crypto/ec/libfips-lib-ec_curve.o" => [ - "crypto/ec/ec_curve.c" - ], - "crypto/ec/libfips-lib-ec_cvt.o" => [ - "crypto/ec/ec_cvt.c" - ], - "crypto/ec/libfips-lib-ec_key.o" => [ - "crypto/ec/ec_key.c" - ], - "crypto/ec/libfips-lib-ec_kmeth.o" => [ - "crypto/ec/ec_kmeth.c" - ], - "crypto/ec/libfips-lib-ec_lib.o" => [ - "crypto/ec/ec_lib.c" - ], - "crypto/ec/libfips-lib-ec_mult.o" => [ - "crypto/ec/ec_mult.c" - ], - "crypto/ec/libfips-lib-ec_oct.o" => [ - "crypto/ec/ec_oct.c" - ], - "crypto/ec/libfips-lib-ecdh_kdf.o" => [ - "crypto/ec/ecdh_kdf.c" - ], - "crypto/ec/libfips-lib-ecdh_ossl.o" => [ - "crypto/ec/ecdh_ossl.c" - ], - "crypto/ec/libfips-lib-ecdsa_ossl.o" => [ - "crypto/ec/ecdsa_ossl.c" - ], - "crypto/ec/libfips-lib-ecdsa_sign.o" => [ - "crypto/ec/ecdsa_sign.c" - ], - "crypto/ec/libfips-lib-ecdsa_vrf.o" => [ - "crypto/ec/ecdsa_vrf.c" - ], - "crypto/ec/libfips-lib-ecp_mont.o" => [ - "crypto/ec/ecp_mont.c" - ], - "crypto/ec/libfips-lib-ecp_nist.o" => [ - "crypto/ec/ecp_nist.c" - ], - "crypto/ec/libfips-lib-ecp_nistp224.o" => [ - "crypto/ec/ecp_nistp224.c" - ], - "crypto/ec/libfips-lib-ecp_nistp256.o" => [ - "crypto/ec/ecp_nistp256.c" - ], - "crypto/ec/libfips-lib-ecp_nistp384.o" => [ - "crypto/ec/ecp_nistp384.c" - ], - "crypto/ec/libfips-lib-ecp_nistp521.o" => [ - "crypto/ec/ecp_nistp521.c" - ], - "crypto/ec/libfips-lib-ecp_nistputil.o" => [ - "crypto/ec/ecp_nistputil.c" - ], - "crypto/ec/libfips-lib-ecp_nistz256-x86_64.o" => [ - "crypto/ec/ecp_nistz256-x86_64.s" - ], - "crypto/ec/libfips-lib-ecp_nistz256.o" => [ - "crypto/ec/ecp_nistz256.c" - ], - "crypto/ec/libfips-lib-ecp_oct.o" => [ - "crypto/ec/ecp_oct.c" - ], - "crypto/ec/libfips-lib-ecp_smpl.o" => [ - "crypto/ec/ecp_smpl.c" - ], - "crypto/ec/libfips-lib-ecx_backend.o" => [ - "crypto/ec/ecx_backend.c" - ], - "crypto/ec/libfips-lib-ecx_key.o" => [ - "crypto/ec/ecx_key.c" - ], - "crypto/ec/libfips-lib-x25519-x86_64.o" => [ - "crypto/ec/x25519-x86_64.s" - ], "crypto/encode_decode/libcrypto-lib-decoder_err.o" => [ "crypto/encode_decode/decoder_err.c" ], @@ -29212,78 +28867,6 @@ our %unified_info = ( "crypto/evp/libcrypto-shlib-skeymgmt_meth.o" => [ "crypto/evp/skeymgmt_meth.c" ], - "crypto/evp/libfips-lib-asymcipher.o" => [ - "crypto/evp/asymcipher.c" - ], - "crypto/evp/libfips-lib-dh_support.o" => [ - "crypto/evp/dh_support.c" - ], - "crypto/evp/libfips-lib-digest.o" => [ - "crypto/evp/digest.c" - ], - "crypto/evp/libfips-lib-ec_support.o" => [ - "crypto/evp/ec_support.c" - ], - "crypto/evp/libfips-lib-evp_enc.o" => [ - "crypto/evp/evp_enc.c" - ], - "crypto/evp/libfips-lib-evp_fetch.o" => [ - "crypto/evp/evp_fetch.c" - ], - "crypto/evp/libfips-lib-evp_lib.o" => [ - "crypto/evp/evp_lib.c" - ], - "crypto/evp/libfips-lib-evp_rand.o" => [ - "crypto/evp/evp_rand.c" - ], - "crypto/evp/libfips-lib-evp_utils.o" => [ - "crypto/evp/evp_utils.c" - ], - "crypto/evp/libfips-lib-exchange.o" => [ - "crypto/evp/exchange.c" - ], - "crypto/evp/libfips-lib-kdf_lib.o" => [ - "crypto/evp/kdf_lib.c" - ], - "crypto/evp/libfips-lib-kdf_meth.o" => [ - "crypto/evp/kdf_meth.c" - ], - "crypto/evp/libfips-lib-kem.o" => [ - "crypto/evp/kem.c" - ], - "crypto/evp/libfips-lib-keymgmt_lib.o" => [ - "crypto/evp/keymgmt_lib.c" - ], - "crypto/evp/libfips-lib-keymgmt_meth.o" => [ - "crypto/evp/keymgmt_meth.c" - ], - "crypto/evp/libfips-lib-mac_lib.o" => [ - "crypto/evp/mac_lib.c" - ], - "crypto/evp/libfips-lib-mac_meth.o" => [ - "crypto/evp/mac_meth.c" - ], - "crypto/evp/libfips-lib-p_lib.o" => [ - "crypto/evp/p_lib.c" - ], - "crypto/evp/libfips-lib-pmeth_check.o" => [ - "crypto/evp/pmeth_check.c" - ], - "crypto/evp/libfips-lib-pmeth_gn.o" => [ - "crypto/evp/pmeth_gn.c" - ], - "crypto/evp/libfips-lib-pmeth_lib.o" => [ - "crypto/evp/pmeth_lib.c" - ], - "crypto/evp/libfips-lib-s_lib.o" => [ - "crypto/evp/s_lib.c" - ], - "crypto/evp/libfips-lib-signature.o" => [ - "crypto/evp/signature.c" - ], - "crypto/evp/libfips-lib-skeymgmt_meth.o" => [ - "crypto/evp/skeymgmt_meth.c" - ], "crypto/ffc/libcrypto-lib-ffc_backend.o" => [ "crypto/ffc/ffc_backend.c" ], @@ -29326,27 +28909,6 @@ our %unified_info = ( "crypto/ffc/libcrypto-shlib-ffc_params_validate.o" => [ "crypto/ffc/ffc_params_validate.c" ], - "crypto/ffc/libfips-lib-ffc_backend.o" => [ - "crypto/ffc/ffc_backend.c" - ], - "crypto/ffc/libfips-lib-ffc_dh.o" => [ - "crypto/ffc/ffc_dh.c" - ], - "crypto/ffc/libfips-lib-ffc_key_generate.o" => [ - "crypto/ffc/ffc_key_generate.c" - ], - "crypto/ffc/libfips-lib-ffc_key_validate.o" => [ - "crypto/ffc/ffc_key_validate.c" - ], - "crypto/ffc/libfips-lib-ffc_params.o" => [ - "crypto/ffc/ffc_params.c" - ], - "crypto/ffc/libfips-lib-ffc_params_generate.o" => [ - "crypto/ffc/ffc_params_generate.c" - ], - "crypto/ffc/libfips-lib-ffc_params_validate.o" => [ - "crypto/ffc/ffc_params_validate.c" - ], "crypto/hashtable/libcrypto-lib-hashfunc.o" => [ "crypto/hashtable/hashfunc.c" ], @@ -29359,12 +28921,6 @@ our %unified_info = ( "crypto/hashtable/libcrypto-shlib-hashtable.o" => [ "crypto/hashtable/hashtable.c" ], - "crypto/hashtable/libfips-lib-hashfunc.o" => [ - "crypto/hashtable/hashfunc.c" - ], - "crypto/hashtable/libfips-lib-hashtable.o" => [ - "crypto/hashtable/hashtable.c" - ], "crypto/hashtable/libssl-shlib-hashfunc.o" => [ "crypto/hashtable/hashfunc.c" ], @@ -29374,9 +28930,6 @@ our %unified_info = ( "crypto/hmac/libcrypto-shlib-hmac.o" => [ "crypto/hmac/hmac.c" ], - "crypto/hmac/libfips-lib-hmac.o" => [ - "crypto/hmac/hmac.c" - ], "crypto/hpke/libcrypto-lib-hpke.o" => [ "crypto/hpke/hpke.c" ], @@ -29413,6 +28966,15 @@ our %unified_info = ( "crypto/kdf/libcrypto-shlib-kdf_err.o" => [ "crypto/kdf/kdf_err.c" ], + "crypto/legacy-dso-cpuid.o" => [ + "crypto/cpuid.c" + ], + "crypto/legacy-dso-ctype.o" => [ + "crypto/ctype.c" + ], + "crypto/legacy-dso-x86_64cpuid.o" => [ + "crypto/x86_64cpuid.s" + ], "crypto/lhash/libcrypto-lib-lh_stats.o" => [ "crypto/lhash/lh_stats.c" ], @@ -29425,9 +28987,6 @@ our %unified_info = ( "crypto/lhash/libcrypto-shlib-lhash.o" => [ "crypto/lhash/lhash.c" ], - "crypto/lhash/libfips-lib-lhash.o" => [ - "crypto/lhash/lhash.c" - ], "crypto/libcrypto-lib-asn1_dsa.o" => [ "crypto/asn1_dsa.c" ], @@ -29764,96 +29323,6 @@ our %unified_info = ( "crypto/libcrypto-shlib-x86_64cpuid.o" => [ "crypto/x86_64cpuid.s" ], - "crypto/libfips-lib-asn1_dsa.o" => [ - "crypto/asn1_dsa.c" - ], - "crypto/libfips-lib-bsearch.o" => [ - "crypto/bsearch.c" - ], - "crypto/libfips-lib-context.o" => [ - "crypto/context.c" - ], - "crypto/libfips-lib-core_algorithm.o" => [ - "crypto/core_algorithm.c" - ], - "crypto/libfips-lib-core_fetch.o" => [ - "crypto/core_fetch.c" - ], - "crypto/libfips-lib-core_namemap.o" => [ - "crypto/core_namemap.c" - ], - "crypto/libfips-lib-cpuid.o" => [ - "crypto/cpuid.c" - ], - "crypto/libfips-lib-cryptlib.o" => [ - "crypto/cryptlib.c" - ], - "crypto/libfips-lib-ctype.o" => [ - "crypto/ctype.c" - ], - "crypto/libfips-lib-der_writer.o" => [ - "crypto/der_writer.c" - ], - "crypto/libfips-lib-ex_data.o" => [ - "crypto/ex_data.c" - ], - "crypto/libfips-lib-initthread.o" => [ - "crypto/initthread.c" - ], - "crypto/libfips-lib-o_str.o" => [ - "crypto/o_str.c" - ], - "crypto/libfips-lib-packet.o" => [ - "crypto/packet.c" - ], - "crypto/libfips-lib-param_build.o" => [ - "crypto/param_build.c" - ], - "crypto/libfips-lib-param_build_set.o" => [ - "crypto/param_build_set.c" - ], - "crypto/libfips-lib-params.o" => [ - "crypto/params.c" - ], - "crypto/libfips-lib-params_dup.o" => [ - "crypto/params_dup.c" - ], - "crypto/libfips-lib-params_from_text.o" => [ - "crypto/params_from_text.c" - ], - "crypto/libfips-lib-params_idx.o" => [ - "crypto/params_idx.c" - ], - "crypto/libfips-lib-provider_core.o" => [ - "crypto/provider_core.c" - ], - "crypto/libfips-lib-provider_predefined.o" => [ - "crypto/provider_predefined.c" - ], - "crypto/libfips-lib-self_test_core.o" => [ - "crypto/self_test_core.c" - ], - "crypto/libfips-lib-sparse_array.o" => [ - "crypto/sparse_array.c" - ], - "crypto/libfips-lib-threads_lib.o" => [ - "crypto/threads_lib.c" - ], - "crypto/libfips-lib-threads_none.o" => [ - "crypto/threads_none.c" - ], - "crypto/libfips-lib-threads_pthread.o" => [ - "crypto/threads_pthread.c" - ], - "crypto/libfips-lib-threads_win.o" => [ - "crypto/threads_win.c" - ], - "crypto/libfips-lib-time.o" => [ - "crypto/time.c" - ], - "crypto/libfips-lib-x86_64cpuid.o" => [ - "crypto/x86_64cpuid.s" - ], "crypto/libssl-shlib-ctype.o" => [ "crypto/ctype.c" ], @@ -29905,6 +29374,18 @@ our %unified_info = ( "crypto/md5/libcrypto-shlib-md5_sha1.o" => [ "crypto/md5/md5_sha1.c" ], + "crypto/md5/liblegacy-lib-md5-x86_64.o" => [ + "crypto/md5/md5-x86_64.s" + ], + "crypto/md5/liblegacy-lib-md5_dgst.o" => [ + "crypto/md5/md5_dgst.c" + ], + "crypto/md5/liblegacy-lib-md5_one.o" => [ + "crypto/md5/md5_one.c" + ], + "crypto/md5/liblegacy-lib-md5_sha1.o" => [ + "crypto/md5/md5_sha1.c" + ], "crypto/ml_dsa/libcrypto-lib-ml_dsa_encoders.o" => [ "crypto/ml_dsa/ml_dsa_encoders.c" ], @@ -29953,39 +29434,12 @@ our %unified_info = ( "crypto/ml_dsa/libcrypto-shlib-ml_dsa_sign.o" => [ "crypto/ml_dsa/ml_dsa_sign.c" ], - "crypto/ml_dsa/libfips-lib-ml_dsa_encoders.o" => [ - "crypto/ml_dsa/ml_dsa_encoders.c" - ], - "crypto/ml_dsa/libfips-lib-ml_dsa_key.o" => [ - "crypto/ml_dsa/ml_dsa_key.c" - ], - "crypto/ml_dsa/libfips-lib-ml_dsa_key_compress.o" => [ - "crypto/ml_dsa/ml_dsa_key_compress.c" - ], - "crypto/ml_dsa/libfips-lib-ml_dsa_matrix.o" => [ - "crypto/ml_dsa/ml_dsa_matrix.c" - ], - "crypto/ml_dsa/libfips-lib-ml_dsa_ntt.o" => [ - "crypto/ml_dsa/ml_dsa_ntt.c" - ], - "crypto/ml_dsa/libfips-lib-ml_dsa_params.o" => [ - "crypto/ml_dsa/ml_dsa_params.c" - ], - "crypto/ml_dsa/libfips-lib-ml_dsa_sample.o" => [ - "crypto/ml_dsa/ml_dsa_sample.c" - ], - "crypto/ml_dsa/libfips-lib-ml_dsa_sign.o" => [ - "crypto/ml_dsa/ml_dsa_sign.c" - ], "crypto/ml_kem/libcrypto-lib-ml_kem.o" => [ "crypto/ml_kem/ml_kem.c" ], "crypto/ml_kem/libcrypto-shlib-ml_kem.o" => [ "crypto/ml_kem/ml_kem.c" ], - "crypto/ml_kem/libfips-lib-ml_kem.o" => [ - "crypto/ml_kem/ml_kem.c" - ], "crypto/modes/libcrypto-lib-aes-gcm-avx512.o" => [ "crypto/modes/aes-gcm-avx512.s" ], @@ -30076,42 +29530,6 @@ our %unified_info = ( "crypto/modes/libcrypto-shlib-xts128gb.o" => [ "crypto/modes/xts128gb.c" ], - "crypto/modes/libfips-lib-aes-gcm-avx512.o" => [ - "crypto/modes/aes-gcm-avx512.s" - ], - "crypto/modes/libfips-lib-aesni-gcm-x86_64.o" => [ - "crypto/modes/aesni-gcm-x86_64.s" - ], - "crypto/modes/libfips-lib-cbc128.o" => [ - "crypto/modes/cbc128.c" - ], - "crypto/modes/libfips-lib-ccm128.o" => [ - "crypto/modes/ccm128.c" - ], - "crypto/modes/libfips-lib-cfb128.o" => [ - "crypto/modes/cfb128.c" - ], - "crypto/modes/libfips-lib-ctr128.o" => [ - "crypto/modes/ctr128.c" - ], - "crypto/modes/libfips-lib-gcm128.o" => [ - "crypto/modes/gcm128.c" - ], - "crypto/modes/libfips-lib-ghash-x86_64.o" => [ - "crypto/modes/ghash-x86_64.s" - ], - "crypto/modes/libfips-lib-ofb128.o" => [ - "crypto/modes/ofb128.c" - ], - "crypto/modes/libfips-lib-wrap128.o" => [ - "crypto/modes/wrap128.c" - ], - "crypto/modes/libfips-lib-xts128.o" => [ - "crypto/modes/xts128.c" - ], - "crypto/modes/libfips-lib-xts128gb.o" => [ - "crypto/modes/xts128gb.c" - ], "crypto/objects/libcrypto-lib-o_names.o" => [ "crypto/objects/o_names.c" ], @@ -30466,21 +29884,6 @@ our %unified_info = ( "crypto/property/libcrypto-shlib-property_string.o" => [ "crypto/property/property_string.c" ], - "crypto/property/libfips-lib-defn_cache.o" => [ - "crypto/property/defn_cache.c" - ], - "crypto/property/libfips-lib-property.o" => [ - "crypto/property/property.c" - ], - "crypto/property/libfips-lib-property_parse.o" => [ - "crypto/property/property_parse.c" - ], - "crypto/property/libfips-lib-property_query.o" => [ - "crypto/property/property_query.c" - ], - "crypto/property/libfips-lib-property_string.o" => [ - "crypto/property/property_string.c" - ], "crypto/rand/libcrypto-lib-prov_seed.o" => [ "crypto/rand/prov_seed.c" ], @@ -30529,9 +29932,6 @@ our %unified_info = ( "crypto/rand/libcrypto-shlib-randfile.o" => [ "crypto/rand/randfile.c" ], - "crypto/rand/libfips-lib-rand_lib.o" => [ - "crypto/rand/rand_lib.c" - ], "crypto/rc2/libcrypto-lib-rc2_cbc.o" => [ "crypto/rc2/rc2_cbc.c" ], @@ -30574,6 +29974,12 @@ our %unified_info = ( "crypto/rc4/libcrypto-shlib-rc4-x86_64.o" => [ "crypto/rc4/rc4-x86_64.s" ], + "crypto/rc4/liblegacy-lib-rc4-md5-x86_64.o" => [ + "crypto/rc4/rc4-md5-x86_64.s" + ], + "crypto/rc4/liblegacy-lib-rc4-x86_64.o" => [ + "crypto/rc4/rc4-x86_64.s" + ], "crypto/ripemd/libcrypto-lib-rmd_dgst.o" => [ "crypto/ripemd/rmd_dgst.c" ], @@ -30742,57 +30148,6 @@ our %unified_info = ( "crypto/rsa/libcrypto-shlib-rsa_x931g.o" => [ "crypto/rsa/rsa_x931g.c" ], - "crypto/rsa/libfips-lib-rsa_acvp_test_params.o" => [ - "crypto/rsa/rsa_acvp_test_params.c" - ], - "crypto/rsa/libfips-lib-rsa_backend.o" => [ - "crypto/rsa/rsa_backend.c" - ], - "crypto/rsa/libfips-lib-rsa_chk.o" => [ - "crypto/rsa/rsa_chk.c" - ], - "crypto/rsa/libfips-lib-rsa_crpt.o" => [ - "crypto/rsa/rsa_crpt.c" - ], - "crypto/rsa/libfips-lib-rsa_gen.o" => [ - "crypto/rsa/rsa_gen.c" - ], - "crypto/rsa/libfips-lib-rsa_lib.o" => [ - "crypto/rsa/rsa_lib.c" - ], - "crypto/rsa/libfips-lib-rsa_mp_names.o" => [ - "crypto/rsa/rsa_mp_names.c" - ], - "crypto/rsa/libfips-lib-rsa_none.o" => [ - "crypto/rsa/rsa_none.c" - ], - "crypto/rsa/libfips-lib-rsa_oaep.o" => [ - "crypto/rsa/rsa_oaep.c" - ], - "crypto/rsa/libfips-lib-rsa_ossl.o" => [ - "crypto/rsa/rsa_ossl.c" - ], - "crypto/rsa/libfips-lib-rsa_pk1.o" => [ - "crypto/rsa/rsa_pk1.c" - ], - "crypto/rsa/libfips-lib-rsa_pss.o" => [ - "crypto/rsa/rsa_pss.c" - ], - "crypto/rsa/libfips-lib-rsa_schemes.o" => [ - "crypto/rsa/rsa_schemes.c" - ], - "crypto/rsa/libfips-lib-rsa_sign.o" => [ - "crypto/rsa/rsa_sign.c" - ], - "crypto/rsa/libfips-lib-rsa_sp800_56b_check.o" => [ - "crypto/rsa/rsa_sp800_56b_check.c" - ], - "crypto/rsa/libfips-lib-rsa_sp800_56b_gen.o" => [ - "crypto/rsa/rsa_sp800_56b_gen.c" - ], - "crypto/rsa/libfips-lib-rsa_x931.o" => [ - "crypto/rsa/rsa_x931.c" - ], "crypto/seed/libcrypto-lib-seed.o" => [ "crypto/seed/seed.c" ], @@ -30889,36 +30244,6 @@ our %unified_info = ( "crypto/sha/libcrypto-shlib-sha512.o" => [ "crypto/sha/sha512.c" ], - "crypto/sha/libfips-lib-keccak1600-x86_64.o" => [ - "crypto/sha/keccak1600-x86_64.s" - ], - "crypto/sha/libfips-lib-sha1-mb-x86_64.o" => [ - "crypto/sha/sha1-mb-x86_64.s" - ], - "crypto/sha/libfips-lib-sha1-x86_64.o" => [ - "crypto/sha/sha1-x86_64.s" - ], - "crypto/sha/libfips-lib-sha1dgst.o" => [ - "crypto/sha/sha1dgst.c" - ], - "crypto/sha/libfips-lib-sha256-mb-x86_64.o" => [ - "crypto/sha/sha256-mb-x86_64.s" - ], - "crypto/sha/libfips-lib-sha256-x86_64.o" => [ - "crypto/sha/sha256-x86_64.s" - ], - "crypto/sha/libfips-lib-sha256.o" => [ - "crypto/sha/sha256.c" - ], - "crypto/sha/libfips-lib-sha3.o" => [ - "crypto/sha/sha3.c" - ], - "crypto/sha/libfips-lib-sha512-x86_64.o" => [ - "crypto/sha/sha512-x86_64.s" - ], - "crypto/sha/libfips-lib-sha512.o" => [ - "crypto/sha/sha512.c" - ], "crypto/siphash/libcrypto-lib-siphash.o" => [ "crypto/siphash/siphash.c" ], @@ -30988,36 +30313,6 @@ our %unified_info = ( "crypto/slh_dsa/libcrypto-shlib-slh_xmss.o" => [ "crypto/slh_dsa/slh_xmss.c" ], - "crypto/slh_dsa/libfips-lib-slh_adrs.o" => [ - "crypto/slh_dsa/slh_adrs.c" - ], - "crypto/slh_dsa/libfips-lib-slh_dsa.o" => [ - "crypto/slh_dsa/slh_dsa.c" - ], - "crypto/slh_dsa/libfips-lib-slh_dsa_hash_ctx.o" => [ - "crypto/slh_dsa/slh_dsa_hash_ctx.c" - ], - "crypto/slh_dsa/libfips-lib-slh_dsa_key.o" => [ - "crypto/slh_dsa/slh_dsa_key.c" - ], - "crypto/slh_dsa/libfips-lib-slh_fors.o" => [ - "crypto/slh_dsa/slh_fors.c" - ], - "crypto/slh_dsa/libfips-lib-slh_hash.o" => [ - "crypto/slh_dsa/slh_hash.c" - ], - "crypto/slh_dsa/libfips-lib-slh_hypertree.o" => [ - "crypto/slh_dsa/slh_hypertree.c" - ], - "crypto/slh_dsa/libfips-lib-slh_params.o" => [ - "crypto/slh_dsa/slh_params.c" - ], - "crypto/slh_dsa/libfips-lib-slh_wots.o" => [ - "crypto/slh_dsa/slh_wots.c" - ], - "crypto/slh_dsa/libfips-lib-slh_xmss.o" => [ - "crypto/slh_dsa/slh_xmss.c" - ], "crypto/srp/libcrypto-lib-srp_lib.o" => [ "crypto/srp/srp_lib.c" ], @@ -31036,9 +30331,6 @@ our %unified_info = ( "crypto/stack/libcrypto-shlib-stack.o" => [ "crypto/stack/stack.c" ], - "crypto/stack/libfips-lib-stack.o" => [ - "crypto/stack/stack.c" - ], "crypto/store/libcrypto-lib-store_err.o" => [ "crypto/store/store_err.c" ], @@ -31099,15 +30391,6 @@ our %unified_info = ( "crypto/thread/arch/libcrypto-shlib-thread_win.o" => [ "crypto/thread/arch/thread_win.c" ], - "crypto/thread/arch/libfips-lib-thread_none.o" => [ - "crypto/thread/arch/thread_none.c" - ], - "crypto/thread/arch/libfips-lib-thread_posix.o" => [ - "crypto/thread/arch/thread_posix.c" - ], - "crypto/thread/arch/libfips-lib-thread_win.o" => [ - "crypto/thread/arch/thread_win.c" - ], "crypto/thread/arch/libssl-shlib-thread_none.o" => [ "crypto/thread/arch/thread_none.c" ], @@ -31135,15 +30418,6 @@ our %unified_info = ( "crypto/thread/libcrypto-shlib-internal.o" => [ "crypto/thread/internal.c" ], - "crypto/thread/libfips-lib-api.o" => [ - "crypto/thread/api.c" - ], - "crypto/thread/libfips-lib-arch.o" => [ - "crypto/thread/arch.c" - ], - "crypto/thread/libfips-lib-internal.o" => [ - "crypto/thread/internal.c" - ], "crypto/thread/libssl-shlib-arch.o" => [ "crypto/thread/arch.c" ], @@ -33177,6 +32451,7 @@ our %unified_info = ( "ssl/record/libssl-lib-rec_layer_d1.o", "ssl/record/libssl-lib-rec_layer_s3.o", "ssl/record/methods/libssl-lib-dtls_meth.o", + "ssl/record/methods/libssl-lib-ktls_meth.o", "ssl/record/methods/libssl-lib-ssl3_meth.o", "ssl/record/methods/libssl-lib-tls13_meth.o", "ssl/record/methods/libssl-lib-tls1_meth.o", @@ -33247,9 +32522,6 @@ our %unified_info = ( "providers/common/der/libdefault-lib-der_rsa_sig.o" => [ "providers/common/der/der_rsa_sig.c" ], - "providers/common/der/libfips-lib-der_rsa_sig.o" => [ - "providers/common/der/der_rsa_sig.c" - ], "providers/common/libcommon-lib-provider_ctx.o" => [ "providers/common/provider_ctx.c" ], @@ -33277,52 +32549,18 @@ our %unified_info = ( "providers/common/libdefault-lib-securitycheck_default.o" => [ "providers/common/securitycheck_default.c" ], - "providers/common/libfips-lib-bio_prov.o" => [ - "providers/common/bio_prov.c" - ], - "providers/common/libfips-lib-capabilities.o" => [ - "providers/common/capabilities.c" - ], - "providers/common/libfips-lib-digest_to_nid.o" => [ - "providers/common/digest_to_nid.c" - ], - "providers/common/libfips-lib-provider_seeding.o" => [ - "providers/common/provider_seeding.c" - ], - "providers/common/libfips-lib-provider_util.o" => [ + "providers/common/liblegacy-lib-provider_util.o" => [ "providers/common/provider_util.c" ], - "providers/common/libfips-lib-securitycheck.o" => [ - "providers/common/securitycheck.c" + "providers/endecode_test-bin-legacyprov.o" => [ + "providers/legacyprov.c" ], - "providers/common/libfips-lib-securitycheck_fips.o" => [ - "providers/common/securitycheck_fips.c" - ], - "providers/fips" => [ - "providers/fips.ld", - "providers/fips/fips-dso-fips_entry.o" - ], - "providers/fips/fips-dso-fips_entry.o" => [ - "providers/fips/fips_entry.c" - ], - "providers/fips/libfips-lib-fipsindicator.o" => [ - "providers/fips/fipsindicator.c" - ], - "providers/fips/libfips-lib-fipsprov.o" => [ - "providers/fips/fipsprov.c" - ], - "providers/fips/libfips-lib-self_test.o" => [ - "providers/fips/self_test.c" - ], - "providers/fips/libfips-lib-self_test_kats.o" => [ - "providers/fips/self_test_kats.c" + "providers/evp_extra_test-bin-legacyprov.o" => [ + "providers/legacyprov.c" ], "providers/implementations/asymciphers/libdefault-lib-rsa_enc.o" => [ "providers/implementations/asymciphers/rsa_enc.c" ], - "providers/implementations/asymciphers/libfips-lib-rsa_enc.o" => [ - "providers/implementations/asymciphers/rsa_enc.c" - ], "providers/implementations/ciphers/libcommon-lib-ciphercommon.o" => [ "providers/implementations/ciphers/ciphercommon.c" ], @@ -33449,63 +32687,57 @@ our %unified_info = ( "providers/implementations/ciphers/libdefault-lib-cipher_tdes_wrap_hw.o" => [ "providers/implementations/ciphers/cipher_tdes_wrap_hw.c" ], - "providers/implementations/ciphers/libfips-lib-cipher_aes.o" => [ - "providers/implementations/ciphers/cipher_aes.c" + "providers/implementations/ciphers/liblegacy-lib-cipher_blowfish.o" => [ + "providers/implementations/ciphers/cipher_blowfish.c" ], - "providers/implementations/ciphers/libfips-lib-cipher_aes_cbc_hmac_sha.o" => [ - "providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c" - ], - "providers/implementations/ciphers/libfips-lib-cipher_aes_cbc_hmac_sha1_hw.o" => [ - "providers/implementations/ciphers/cipher_aes_cbc_hmac_sha1_hw.c" + "providers/implementations/ciphers/liblegacy-lib-cipher_blowfish_hw.o" => [ + "providers/implementations/ciphers/cipher_blowfish_hw.c" ], - "providers/implementations/ciphers/libfips-lib-cipher_aes_cbc_hmac_sha256_hw.o" => [ - "providers/implementations/ciphers/cipher_aes_cbc_hmac_sha256_hw.c" + "providers/implementations/ciphers/liblegacy-lib-cipher_cast5.o" => [ + "providers/implementations/ciphers/cipher_cast5.c" ], - "providers/implementations/ciphers/libfips-lib-cipher_aes_ccm.o" => [ - "providers/implementations/ciphers/cipher_aes_ccm.c" + "providers/implementations/ciphers/liblegacy-lib-cipher_cast5_hw.o" => [ + "providers/implementations/ciphers/cipher_cast5_hw.c" ], - "providers/implementations/ciphers/libfips-lib-cipher_aes_ccm_hw.o" => [ - "providers/implementations/ciphers/cipher_aes_ccm_hw.c" + "providers/implementations/ciphers/liblegacy-lib-cipher_des.o" => [ + "providers/implementations/ciphers/cipher_des.c" ], - "providers/implementations/ciphers/libfips-lib-cipher_aes_gcm.o" => [ - "providers/implementations/ciphers/cipher_aes_gcm.c" + "providers/implementations/ciphers/liblegacy-lib-cipher_des_hw.o" => [ + "providers/implementations/ciphers/cipher_des_hw.c" ], - "providers/implementations/ciphers/libfips-lib-cipher_aes_gcm_hw.o" => [ - "providers/implementations/ciphers/cipher_aes_gcm_hw.c" + "providers/implementations/ciphers/liblegacy-lib-cipher_desx.o" => [ + "providers/implementations/ciphers/cipher_desx.c" ], - "providers/implementations/ciphers/libfips-lib-cipher_aes_hw.o" => [ - "providers/implementations/ciphers/cipher_aes_hw.c" + "providers/implementations/ciphers/liblegacy-lib-cipher_desx_hw.o" => [ + "providers/implementations/ciphers/cipher_desx_hw.c" ], - "providers/implementations/ciphers/libfips-lib-cipher_aes_ocb.o" => [ - "providers/implementations/ciphers/cipher_aes_ocb.c" + "providers/implementations/ciphers/liblegacy-lib-cipher_rc2.o" => [ + "providers/implementations/ciphers/cipher_rc2.c" ], - "providers/implementations/ciphers/libfips-lib-cipher_aes_ocb_hw.o" => [ - "providers/implementations/ciphers/cipher_aes_ocb_hw.c" + "providers/implementations/ciphers/liblegacy-lib-cipher_rc2_hw.o" => [ + "providers/implementations/ciphers/cipher_rc2_hw.c" ], - "providers/implementations/ciphers/libfips-lib-cipher_aes_wrp.o" => [ - "providers/implementations/ciphers/cipher_aes_wrp.c" + "providers/implementations/ciphers/liblegacy-lib-cipher_rc4.o" => [ + "providers/implementations/ciphers/cipher_rc4.c" ], - "providers/implementations/ciphers/libfips-lib-cipher_aes_xts.o" => [ - "providers/implementations/ciphers/cipher_aes_xts.c" + "providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hmac_md5.o" => [ + "providers/implementations/ciphers/cipher_rc4_hmac_md5.c" ], - "providers/implementations/ciphers/libfips-lib-cipher_aes_xts_fips.o" => [ - "providers/implementations/ciphers/cipher_aes_xts_fips.c" + "providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hmac_md5_hw.o" => [ + "providers/implementations/ciphers/cipher_rc4_hmac_md5_hw.c" ], - "providers/implementations/ciphers/libfips-lib-cipher_aes_xts_hw.o" => [ - "providers/implementations/ciphers/cipher_aes_xts_hw.c" + "providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hw.o" => [ + "providers/implementations/ciphers/cipher_rc4_hw.c" ], - "providers/implementations/ciphers/libfips-lib-cipher_cts.o" => [ - "providers/implementations/ciphers/cipher_cts.c" + "providers/implementations/ciphers/liblegacy-lib-cipher_seed.o" => [ + "providers/implementations/ciphers/cipher_seed.c" ], - "providers/implementations/ciphers/libfips-lib-cipher_tdes.o" => [ - "providers/implementations/ciphers/cipher_tdes.c" + "providers/implementations/ciphers/liblegacy-lib-cipher_seed_hw.o" => [ + "providers/implementations/ciphers/cipher_seed_hw.c" ], - "providers/implementations/ciphers/libfips-lib-cipher_tdes_common.o" => [ + "providers/implementations/ciphers/liblegacy-lib-cipher_tdes_common.o" => [ "providers/implementations/ciphers/cipher_tdes_common.c" ], - "providers/implementations/ciphers/libfips-lib-cipher_tdes_hw.o" => [ - "providers/implementations/ciphers/cipher_tdes_hw.c" - ], "providers/implementations/digests/libcommon-lib-digestcommon.o" => [ "providers/implementations/digests/digestcommon.c" ], @@ -33536,11 +32768,14 @@ our %unified_info = ( "providers/implementations/digests/libdefault-lib-sha3_prov.o" => [ "providers/implementations/digests/sha3_prov.c" ], - "providers/implementations/digests/libfips-lib-sha2_prov.o" => [ - "providers/implementations/digests/sha2_prov.c" + "providers/implementations/digests/liblegacy-lib-md4_prov.o" => [ + "providers/implementations/digests/md4_prov.c" ], - "providers/implementations/digests/libfips-lib-sha3_prov.o" => [ - "providers/implementations/digests/sha3_prov.c" + "providers/implementations/digests/liblegacy-lib-ripemd_prov.o" => [ + "providers/implementations/digests/ripemd_prov.c" + ], + "providers/implementations/digests/liblegacy-lib-wp_prov.o" => [ + "providers/implementations/digests/wp_prov.c" ], "providers/implementations/encode_decode/libdefault-lib-decode_der2key.o" => [ "providers/implementations/encode_decode/decode_der2key.c" @@ -33596,18 +32831,6 @@ our %unified_info = ( "providers/implementations/exchange/libdefault-lib-kdf_exch.o" => [ "providers/implementations/exchange/kdf_exch.c" ], - "providers/implementations/exchange/libfips-lib-dh_exch.o" => [ - "providers/implementations/exchange/dh_exch.c" - ], - "providers/implementations/exchange/libfips-lib-ecdh_exch.o" => [ - "providers/implementations/exchange/ecdh_exch.c" - ], - "providers/implementations/exchange/libfips-lib-ecx_exch.o" => [ - "providers/implementations/exchange/ecx_exch.c" - ], - "providers/implementations/exchange/libfips-lib-kdf_exch.o" => [ - "providers/implementations/exchange/kdf_exch.c" - ], "providers/implementations/kdfs/libdefault-lib-argon2.o" => [ "providers/implementations/kdfs/argon2.c" ], @@ -33647,29 +32870,11 @@ our %unified_info = ( "providers/implementations/kdfs/libdefault-lib-x942kdf.o" => [ "providers/implementations/kdfs/x942kdf.c" ], - "providers/implementations/kdfs/libfips-lib-hkdf.o" => [ - "providers/implementations/kdfs/hkdf.c" - ], - "providers/implementations/kdfs/libfips-lib-kbkdf.o" => [ - "providers/implementations/kdfs/kbkdf.c" - ], - "providers/implementations/kdfs/libfips-lib-pbkdf2.o" => [ - "providers/implementations/kdfs/pbkdf2.c" - ], - "providers/implementations/kdfs/libfips-lib-pbkdf2_fips.o" => [ - "providers/implementations/kdfs/pbkdf2_fips.c" - ], - "providers/implementations/kdfs/libfips-lib-sshkdf.o" => [ - "providers/implementations/kdfs/sshkdf.c" - ], - "providers/implementations/kdfs/libfips-lib-sskdf.o" => [ - "providers/implementations/kdfs/sskdf.c" - ], - "providers/implementations/kdfs/libfips-lib-tls1_prf.o" => [ - "providers/implementations/kdfs/tls1_prf.c" + "providers/implementations/kdfs/liblegacy-lib-pbkdf1.o" => [ + "providers/implementations/kdfs/pbkdf1.c" ], - "providers/implementations/kdfs/libfips-lib-x942kdf.o" => [ - "providers/implementations/kdfs/x942kdf.c" + "providers/implementations/kdfs/liblegacy-lib-pvkkdf.o" => [ + "providers/implementations/kdfs/pvkkdf.c" ], "providers/implementations/kem/libdefault-lib-ec_kem.o" => [ "providers/implementations/kem/ec_kem.c" @@ -33689,15 +32894,6 @@ our %unified_info = ( "providers/implementations/kem/libdefault-lib-rsa_kem.o" => [ "providers/implementations/kem/rsa_kem.c" ], - "providers/implementations/kem/libfips-lib-ml_kem_kem.o" => [ - "providers/implementations/kem/ml_kem_kem.c" - ], - "providers/implementations/kem/libfips-lib-mlx_kem.o" => [ - "providers/implementations/kem/mlx_kem.c" - ], - "providers/implementations/kem/libfips-lib-rsa_kem.o" => [ - "providers/implementations/kem/rsa_kem.c" - ], "providers/implementations/kem/libtemplate-lib-template_kem.o" => [ "providers/implementations/kem/template_kem.c" ], @@ -33734,39 +32930,6 @@ our %unified_info = ( "providers/implementations/keymgmt/libdefault-lib-slh_dsa_kmgmt.o" => [ "providers/implementations/keymgmt/slh_dsa_kmgmt.c" ], - "providers/implementations/keymgmt/libfips-lib-dh_kmgmt.o" => [ - "providers/implementations/keymgmt/dh_kmgmt.c" - ], - "providers/implementations/keymgmt/libfips-lib-dsa_kmgmt.o" => [ - "providers/implementations/keymgmt/dsa_kmgmt.c" - ], - "providers/implementations/keymgmt/libfips-lib-ec_kmgmt.o" => [ - "providers/implementations/keymgmt/ec_kmgmt.c" - ], - "providers/implementations/keymgmt/libfips-lib-ecx_kmgmt.o" => [ - "providers/implementations/keymgmt/ecx_kmgmt.c" - ], - "providers/implementations/keymgmt/libfips-lib-kdf_legacy_kmgmt.o" => [ - "providers/implementations/keymgmt/kdf_legacy_kmgmt.c" - ], - "providers/implementations/keymgmt/libfips-lib-mac_legacy_kmgmt.o" => [ - "providers/implementations/keymgmt/mac_legacy_kmgmt.c" - ], - "providers/implementations/keymgmt/libfips-lib-ml_dsa_kmgmt.o" => [ - "providers/implementations/keymgmt/ml_dsa_kmgmt.c" - ], - "providers/implementations/keymgmt/libfips-lib-ml_kem_kmgmt.o" => [ - "providers/implementations/keymgmt/ml_kem_kmgmt.c" - ], - "providers/implementations/keymgmt/libfips-lib-mlx_kmgmt.o" => [ - "providers/implementations/keymgmt/mlx_kmgmt.c" - ], - "providers/implementations/keymgmt/libfips-lib-rsa_kmgmt.o" => [ - "providers/implementations/keymgmt/rsa_kmgmt.c" - ], - "providers/implementations/keymgmt/libfips-lib-slh_dsa_kmgmt.o" => [ - "providers/implementations/keymgmt/slh_dsa_kmgmt.c" - ], "providers/implementations/keymgmt/libtemplate-lib-template_kmgmt.o" => [ "providers/implementations/keymgmt/template_kmgmt.c" ], @@ -33794,18 +32957,6 @@ our %unified_info = ( "providers/implementations/macs/libdefault-lib-siphash_prov.o" => [ "providers/implementations/macs/siphash_prov.c" ], - "providers/implementations/macs/libfips-lib-cmac_prov.o" => [ - "providers/implementations/macs/cmac_prov.c" - ], - "providers/implementations/macs/libfips-lib-gmac_prov.o" => [ - "providers/implementations/macs/gmac_prov.c" - ], - "providers/implementations/macs/libfips-lib-hmac_prov.o" => [ - "providers/implementations/macs/hmac_prov.c" - ], - "providers/implementations/macs/libfips-lib-kmac_prov.o" => [ - "providers/implementations/macs/kmac_prov.c" - ], "providers/implementations/rands/libdefault-lib-drbg.o" => [ "providers/implementations/rands/drbg.c" ], @@ -33827,24 +32978,6 @@ our %unified_info = ( "providers/implementations/rands/libdefault-lib-test_rng.o" => [ "providers/implementations/rands/test_rng.c" ], - "providers/implementations/rands/libfips-lib-drbg.o" => [ - "providers/implementations/rands/drbg.c" - ], - "providers/implementations/rands/libfips-lib-drbg_ctr.o" => [ - "providers/implementations/rands/drbg_ctr.c" - ], - "providers/implementations/rands/libfips-lib-drbg_hash.o" => [ - "providers/implementations/rands/drbg_hash.c" - ], - "providers/implementations/rands/libfips-lib-drbg_hmac.o" => [ - "providers/implementations/rands/drbg_hmac.c" - ], - "providers/implementations/rands/libfips-lib-fips_crng_test.o" => [ - "providers/implementations/rands/fips_crng_test.c" - ], - "providers/implementations/rands/libfips-lib-test_rng.o" => [ - "providers/implementations/rands/test_rng.c" - ], "providers/implementations/rands/seeding/libdefault-lib-rand_cpu_x86.o" => [ "providers/implementations/rands/seeding/rand_cpu_x86.c" ], @@ -33878,45 +33011,28 @@ our %unified_info = ( "providers/implementations/signature/libdefault-lib-slh_dsa_sig.o" => [ "providers/implementations/signature/slh_dsa_sig.c" ], - "providers/implementations/signature/libfips-lib-dsa_sig.o" => [ - "providers/implementations/signature/dsa_sig.c" - ], - "providers/implementations/signature/libfips-lib-ecdsa_sig.o" => [ - "providers/implementations/signature/ecdsa_sig.c" - ], - "providers/implementations/signature/libfips-lib-eddsa_sig.o" => [ - "providers/implementations/signature/eddsa_sig.c" - ], - "providers/implementations/signature/libfips-lib-mac_legacy_sig.o" => [ - "providers/implementations/signature/mac_legacy_sig.c" - ], - "providers/implementations/signature/libfips-lib-ml_dsa_sig.o" => [ - "providers/implementations/signature/ml_dsa_sig.c" - ], - "providers/implementations/signature/libfips-lib-rsa_sig.o" => [ - "providers/implementations/signature/rsa_sig.c" - ], - "providers/implementations/signature/libfips-lib-slh_dsa_sig.o" => [ - "providers/implementations/signature/slh_dsa_sig.c" - ], "providers/implementations/skeymgmt/libdefault-lib-aes_skmgmt.o" => [ "providers/implementations/skeymgmt/aes_skmgmt.c" ], "providers/implementations/skeymgmt/libdefault-lib-generic.o" => [ "providers/implementations/skeymgmt/generic.c" ], - "providers/implementations/skeymgmt/libfips-lib-aes_skmgmt.o" => [ - "providers/implementations/skeymgmt/aes_skmgmt.c" - ], - "providers/implementations/skeymgmt/libfips-lib-generic.o" => [ - "providers/implementations/skeymgmt/generic.c" - ], "providers/implementations/storemgmt/libdefault-lib-file_store.o" => [ "providers/implementations/storemgmt/file_store.c" ], "providers/implementations/storemgmt/libdefault-lib-file_store_any2obj.o" => [ "providers/implementations/storemgmt/file_store_any2obj.c" ], + "providers/legacy" => [ + "crypto/legacy-dso-cpuid.o", + "crypto/legacy-dso-ctype.o", + "crypto/legacy-dso-x86_64cpuid.o", + "providers/legacy-dso-legacyprov.o", + "providers/legacy.ld" + ], + "providers/legacy-dso-legacyprov.o" => [ + "providers/legacyprov.c" + ], "providers/libcommon.a" => [ "providers/common/der/libcommon-lib-der_digests_gen.o", "providers/common/der/libcommon-lib-der_dsa_gen.o", @@ -34104,335 +33220,42 @@ our %unified_info = ( "providers/implementations/storemgmt/libdefault-lib-file_store_any2obj.o", "ssl/record/methods/libdefault-lib-ssl3_cbc.o" ], - "providers/libfips.a" => [ - "crypto/aes/libfips-lib-aes-x86_64.o", - "crypto/aes/libfips-lib-aes_ecb.o", - "crypto/aes/libfips-lib-aes_misc.o", - "crypto/aes/libfips-lib-aesni-mb-x86_64.o", - "crypto/aes/libfips-lib-aesni-sha1-x86_64.o", - "crypto/aes/libfips-lib-aesni-sha256-x86_64.o", - "crypto/aes/libfips-lib-aesni-x86_64.o", - "crypto/aes/libfips-lib-aesni-xts-avx512.o", - "crypto/aes/libfips-lib-bsaes-x86_64.o", - "crypto/aes/libfips-lib-vpaes-x86_64.o", - "crypto/bn/asm/libfips-lib-x86_64-gcc.o", - "crypto/bn/libfips-lib-bn_add.o", - "crypto/bn/libfips-lib-bn_blind.o", - "crypto/bn/libfips-lib-bn_const.o", - "crypto/bn/libfips-lib-bn_conv.o", - "crypto/bn/libfips-lib-bn_ctx.o", - "crypto/bn/libfips-lib-bn_dh.o", - "crypto/bn/libfips-lib-bn_div.o", - "crypto/bn/libfips-lib-bn_exp.o", - "crypto/bn/libfips-lib-bn_exp2.o", - "crypto/bn/libfips-lib-bn_gcd.o", - "crypto/bn/libfips-lib-bn_gf2m.o", - "crypto/bn/libfips-lib-bn_intern.o", - "crypto/bn/libfips-lib-bn_kron.o", - "crypto/bn/libfips-lib-bn_lib.o", - "crypto/bn/libfips-lib-bn_mod.o", - "crypto/bn/libfips-lib-bn_mont.o", - "crypto/bn/libfips-lib-bn_mpi.o", - "crypto/bn/libfips-lib-bn_mul.o", - "crypto/bn/libfips-lib-bn_nist.o", - "crypto/bn/libfips-lib-bn_prime.o", - "crypto/bn/libfips-lib-bn_rand.o", - "crypto/bn/libfips-lib-bn_recp.o", - "crypto/bn/libfips-lib-bn_rsa_fips186_4.o", - "crypto/bn/libfips-lib-bn_shift.o", - "crypto/bn/libfips-lib-bn_sqr.o", - "crypto/bn/libfips-lib-bn_sqrt.o", - "crypto/bn/libfips-lib-bn_word.o", - "crypto/bn/libfips-lib-rsaz-2k-avx512.o", - "crypto/bn/libfips-lib-rsaz-2k-avxifma.o", - "crypto/bn/libfips-lib-rsaz-3k-avx512.o", - "crypto/bn/libfips-lib-rsaz-3k-avxifma.o", - "crypto/bn/libfips-lib-rsaz-4k-avx512.o", - "crypto/bn/libfips-lib-rsaz-4k-avxifma.o", - "crypto/bn/libfips-lib-rsaz-avx2.o", - "crypto/bn/libfips-lib-rsaz-x86_64.o", - "crypto/bn/libfips-lib-rsaz_exp.o", - "crypto/bn/libfips-lib-rsaz_exp_x2.o", - "crypto/bn/libfips-lib-x86_64-gf2m.o", - "crypto/bn/libfips-lib-x86_64-mont.o", - "crypto/bn/libfips-lib-x86_64-mont5.o", - "crypto/buffer/libfips-lib-buffer.o", - "crypto/cmac/libfips-lib-cmac.o", - "crypto/des/libfips-lib-des_enc.o", - "crypto/des/libfips-lib-ecb3_enc.o", - "crypto/des/libfips-lib-fcrypt_b.o", - "crypto/des/libfips-lib-set_key.o", - "crypto/dh/libfips-lib-dh_backend.o", - "crypto/dh/libfips-lib-dh_check.o", - "crypto/dh/libfips-lib-dh_gen.o", - "crypto/dh/libfips-lib-dh_group_params.o", - "crypto/dh/libfips-lib-dh_kdf.o", - "crypto/dh/libfips-lib-dh_key.o", - "crypto/dh/libfips-lib-dh_lib.o", - "crypto/dsa/libfips-lib-dsa_backend.o", - "crypto/dsa/libfips-lib-dsa_check.o", - "crypto/dsa/libfips-lib-dsa_gen.o", - "crypto/dsa/libfips-lib-dsa_key.o", - "crypto/dsa/libfips-lib-dsa_lib.o", - "crypto/dsa/libfips-lib-dsa_ossl.o", - "crypto/dsa/libfips-lib-dsa_sign.o", - "crypto/dsa/libfips-lib-dsa_vrf.o", - "crypto/ec/curve448/arch_32/libfips-lib-f_impl32.o", - "crypto/ec/curve448/arch_64/libfips-lib-f_impl64.o", - "crypto/ec/curve448/libfips-lib-curve448.o", - "crypto/ec/curve448/libfips-lib-curve448_tables.o", - "crypto/ec/curve448/libfips-lib-eddsa.o", - "crypto/ec/curve448/libfips-lib-f_generic.o", - "crypto/ec/curve448/libfips-lib-scalar.o", - "crypto/ec/libfips-lib-curve25519.o", - "crypto/ec/libfips-lib-ec2_oct.o", - "crypto/ec/libfips-lib-ec2_smpl.o", - "crypto/ec/libfips-lib-ec_asn1.o", - "crypto/ec/libfips-lib-ec_backend.o", - "crypto/ec/libfips-lib-ec_check.o", - "crypto/ec/libfips-lib-ec_curve.o", - "crypto/ec/libfips-lib-ec_cvt.o", - "crypto/ec/libfips-lib-ec_key.o", - "crypto/ec/libfips-lib-ec_kmeth.o", - "crypto/ec/libfips-lib-ec_lib.o", - "crypto/ec/libfips-lib-ec_mult.o", - "crypto/ec/libfips-lib-ec_oct.o", - "crypto/ec/libfips-lib-ecdh_kdf.o", - "crypto/ec/libfips-lib-ecdh_ossl.o", - "crypto/ec/libfips-lib-ecdsa_ossl.o", - "crypto/ec/libfips-lib-ecdsa_sign.o", - "crypto/ec/libfips-lib-ecdsa_vrf.o", - "crypto/ec/libfips-lib-ecp_mont.o", - "crypto/ec/libfips-lib-ecp_nist.o", - "crypto/ec/libfips-lib-ecp_nistp224.o", - "crypto/ec/libfips-lib-ecp_nistp256.o", - "crypto/ec/libfips-lib-ecp_nistp384.o", - "crypto/ec/libfips-lib-ecp_nistp521.o", - "crypto/ec/libfips-lib-ecp_nistputil.o", - "crypto/ec/libfips-lib-ecp_nistz256-x86_64.o", - "crypto/ec/libfips-lib-ecp_nistz256.o", - "crypto/ec/libfips-lib-ecp_oct.o", - "crypto/ec/libfips-lib-ecp_smpl.o", - "crypto/ec/libfips-lib-ecx_backend.o", - "crypto/ec/libfips-lib-ecx_key.o", - "crypto/ec/libfips-lib-x25519-x86_64.o", - "crypto/evp/libfips-lib-asymcipher.o", - "crypto/evp/libfips-lib-dh_support.o", - "crypto/evp/libfips-lib-digest.o", - "crypto/evp/libfips-lib-ec_support.o", - "crypto/evp/libfips-lib-evp_enc.o", - "crypto/evp/libfips-lib-evp_fetch.o", - "crypto/evp/libfips-lib-evp_lib.o", - "crypto/evp/libfips-lib-evp_rand.o", - "crypto/evp/libfips-lib-evp_utils.o", - "crypto/evp/libfips-lib-exchange.o", - "crypto/evp/libfips-lib-kdf_lib.o", - "crypto/evp/libfips-lib-kdf_meth.o", - "crypto/evp/libfips-lib-kem.o", - "crypto/evp/libfips-lib-keymgmt_lib.o", - "crypto/evp/libfips-lib-keymgmt_meth.o", - "crypto/evp/libfips-lib-mac_lib.o", - "crypto/evp/libfips-lib-mac_meth.o", - "crypto/evp/libfips-lib-p_lib.o", - "crypto/evp/libfips-lib-pmeth_check.o", - "crypto/evp/libfips-lib-pmeth_gn.o", - "crypto/evp/libfips-lib-pmeth_lib.o", - "crypto/evp/libfips-lib-s_lib.o", - "crypto/evp/libfips-lib-signature.o", - "crypto/evp/libfips-lib-skeymgmt_meth.o", - "crypto/ffc/libfips-lib-ffc_backend.o", - "crypto/ffc/libfips-lib-ffc_dh.o", - "crypto/ffc/libfips-lib-ffc_key_generate.o", - "crypto/ffc/libfips-lib-ffc_key_validate.o", - "crypto/ffc/libfips-lib-ffc_params.o", - "crypto/ffc/libfips-lib-ffc_params_generate.o", - "crypto/ffc/libfips-lib-ffc_params_validate.o", - "crypto/hashtable/libfips-lib-hashfunc.o", - "crypto/hashtable/libfips-lib-hashtable.o", - "crypto/hmac/libfips-lib-hmac.o", - "crypto/lhash/libfips-lib-lhash.o", - "crypto/libfips-lib-asn1_dsa.o", - "crypto/libfips-lib-bsearch.o", - "crypto/libfips-lib-context.o", - "crypto/libfips-lib-core_algorithm.o", - "crypto/libfips-lib-core_fetch.o", - "crypto/libfips-lib-core_namemap.o", - "crypto/libfips-lib-cpuid.o", - "crypto/libfips-lib-cryptlib.o", - "crypto/libfips-lib-ctype.o", - "crypto/libfips-lib-der_writer.o", - "crypto/libfips-lib-ex_data.o", - "crypto/libfips-lib-initthread.o", - "crypto/libfips-lib-o_str.o", - "crypto/libfips-lib-packet.o", - "crypto/libfips-lib-param_build.o", - "crypto/libfips-lib-param_build_set.o", - "crypto/libfips-lib-params.o", - "crypto/libfips-lib-params_dup.o", - "crypto/libfips-lib-params_from_text.o", - "crypto/libfips-lib-params_idx.o", - "crypto/libfips-lib-provider_core.o", - "crypto/libfips-lib-provider_predefined.o", - "crypto/libfips-lib-self_test_core.o", - "crypto/libfips-lib-sparse_array.o", - "crypto/libfips-lib-threads_lib.o", - "crypto/libfips-lib-threads_none.o", - "crypto/libfips-lib-threads_pthread.o", - "crypto/libfips-lib-threads_win.o", - "crypto/libfips-lib-time.o", - "crypto/libfips-lib-x86_64cpuid.o", - "crypto/ml_dsa/libfips-lib-ml_dsa_encoders.o", - "crypto/ml_dsa/libfips-lib-ml_dsa_key.o", - "crypto/ml_dsa/libfips-lib-ml_dsa_key_compress.o", - "crypto/ml_dsa/libfips-lib-ml_dsa_matrix.o", - "crypto/ml_dsa/libfips-lib-ml_dsa_ntt.o", - "crypto/ml_dsa/libfips-lib-ml_dsa_params.o", - "crypto/ml_dsa/libfips-lib-ml_dsa_sample.o", - "crypto/ml_dsa/libfips-lib-ml_dsa_sign.o", - "crypto/ml_kem/libfips-lib-ml_kem.o", - "crypto/modes/libfips-lib-aes-gcm-avx512.o", - "crypto/modes/libfips-lib-aesni-gcm-x86_64.o", - "crypto/modes/libfips-lib-cbc128.o", - "crypto/modes/libfips-lib-ccm128.o", - "crypto/modes/libfips-lib-cfb128.o", - "crypto/modes/libfips-lib-ctr128.o", - "crypto/modes/libfips-lib-gcm128.o", - "crypto/modes/libfips-lib-ghash-x86_64.o", - "crypto/modes/libfips-lib-ofb128.o", - "crypto/modes/libfips-lib-wrap128.o", - "crypto/modes/libfips-lib-xts128.o", - "crypto/modes/libfips-lib-xts128gb.o", - "crypto/property/libfips-lib-defn_cache.o", - "crypto/property/libfips-lib-property.o", - "crypto/property/libfips-lib-property_parse.o", - "crypto/property/libfips-lib-property_query.o", - "crypto/property/libfips-lib-property_string.o", - "crypto/rand/libfips-lib-rand_lib.o", - "crypto/rsa/libfips-lib-rsa_acvp_test_params.o", - "crypto/rsa/libfips-lib-rsa_backend.o", - "crypto/rsa/libfips-lib-rsa_chk.o", - "crypto/rsa/libfips-lib-rsa_crpt.o", - "crypto/rsa/libfips-lib-rsa_gen.o", - "crypto/rsa/libfips-lib-rsa_lib.o", - "crypto/rsa/libfips-lib-rsa_mp_names.o", - "crypto/rsa/libfips-lib-rsa_none.o", - "crypto/rsa/libfips-lib-rsa_oaep.o", - "crypto/rsa/libfips-lib-rsa_ossl.o", - "crypto/rsa/libfips-lib-rsa_pk1.o", - "crypto/rsa/libfips-lib-rsa_pss.o", - "crypto/rsa/libfips-lib-rsa_schemes.o", - "crypto/rsa/libfips-lib-rsa_sign.o", - "crypto/rsa/libfips-lib-rsa_sp800_56b_check.o", - "crypto/rsa/libfips-lib-rsa_sp800_56b_gen.o", - "crypto/rsa/libfips-lib-rsa_x931.o", - "crypto/sha/libfips-lib-keccak1600-x86_64.o", - "crypto/sha/libfips-lib-sha1-mb-x86_64.o", - "crypto/sha/libfips-lib-sha1-x86_64.o", - "crypto/sha/libfips-lib-sha1dgst.o", - "crypto/sha/libfips-lib-sha256-mb-x86_64.o", - "crypto/sha/libfips-lib-sha256-x86_64.o", - "crypto/sha/libfips-lib-sha256.o", - "crypto/sha/libfips-lib-sha3.o", - "crypto/sha/libfips-lib-sha512-x86_64.o", - "crypto/sha/libfips-lib-sha512.o", - "crypto/slh_dsa/libfips-lib-slh_adrs.o", - "crypto/slh_dsa/libfips-lib-slh_dsa.o", - "crypto/slh_dsa/libfips-lib-slh_dsa_hash_ctx.o", - "crypto/slh_dsa/libfips-lib-slh_dsa_key.o", - "crypto/slh_dsa/libfips-lib-slh_fors.o", - "crypto/slh_dsa/libfips-lib-slh_hash.o", - "crypto/slh_dsa/libfips-lib-slh_hypertree.o", - "crypto/slh_dsa/libfips-lib-slh_params.o", - "crypto/slh_dsa/libfips-lib-slh_wots.o", - "crypto/slh_dsa/libfips-lib-slh_xmss.o", - "crypto/stack/libfips-lib-stack.o", - "crypto/thread/arch/libfips-lib-thread_none.o", - "crypto/thread/arch/libfips-lib-thread_posix.o", - "crypto/thread/arch/libfips-lib-thread_win.o", - "crypto/thread/libfips-lib-api.o", - "crypto/thread/libfips-lib-arch.o", - "crypto/thread/libfips-lib-internal.o", - "providers/common/der/libfips-lib-der_rsa_sig.o", - "providers/common/libfips-lib-bio_prov.o", - "providers/common/libfips-lib-capabilities.o", - "providers/common/libfips-lib-digest_to_nid.o", - "providers/common/libfips-lib-provider_seeding.o", - "providers/common/libfips-lib-provider_util.o", - "providers/common/libfips-lib-securitycheck.o", - "providers/common/libfips-lib-securitycheck_fips.o", - "providers/fips/libfips-lib-fipsindicator.o", - "providers/fips/libfips-lib-fipsprov.o", - "providers/fips/libfips-lib-self_test.o", - "providers/fips/libfips-lib-self_test_kats.o", - "providers/implementations/asymciphers/libfips-lib-rsa_enc.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_cbc_hmac_sha.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_cbc_hmac_sha1_hw.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_cbc_hmac_sha256_hw.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_ccm.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_ccm_hw.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_gcm.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_gcm_hw.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_hw.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_ocb.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_ocb_hw.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_wrp.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_xts.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_xts_fips.o", - "providers/implementations/ciphers/libfips-lib-cipher_aes_xts_hw.o", - "providers/implementations/ciphers/libfips-lib-cipher_cts.o", - "providers/implementations/ciphers/libfips-lib-cipher_tdes.o", - "providers/implementations/ciphers/libfips-lib-cipher_tdes_common.o", - "providers/implementations/ciphers/libfips-lib-cipher_tdes_hw.o", - "providers/implementations/digests/libfips-lib-sha2_prov.o", - "providers/implementations/digests/libfips-lib-sha3_prov.o", - "providers/implementations/exchange/libfips-lib-dh_exch.o", - "providers/implementations/exchange/libfips-lib-ecdh_exch.o", - "providers/implementations/exchange/libfips-lib-ecx_exch.o", - "providers/implementations/exchange/libfips-lib-kdf_exch.o", - "providers/implementations/kdfs/libfips-lib-hkdf.o", - "providers/implementations/kdfs/libfips-lib-kbkdf.o", - "providers/implementations/kdfs/libfips-lib-pbkdf2.o", - "providers/implementations/kdfs/libfips-lib-pbkdf2_fips.o", - "providers/implementations/kdfs/libfips-lib-sshkdf.o", - "providers/implementations/kdfs/libfips-lib-sskdf.o", - "providers/implementations/kdfs/libfips-lib-tls1_prf.o", - "providers/implementations/kdfs/libfips-lib-x942kdf.o", - "providers/implementations/kem/libfips-lib-ml_kem_kem.o", - "providers/implementations/kem/libfips-lib-mlx_kem.o", - "providers/implementations/kem/libfips-lib-rsa_kem.o", - "providers/implementations/keymgmt/libfips-lib-dh_kmgmt.o", - "providers/implementations/keymgmt/libfips-lib-dsa_kmgmt.o", - "providers/implementations/keymgmt/libfips-lib-ec_kmgmt.o", - "providers/implementations/keymgmt/libfips-lib-ecx_kmgmt.o", - "providers/implementations/keymgmt/libfips-lib-kdf_legacy_kmgmt.o", - "providers/implementations/keymgmt/libfips-lib-mac_legacy_kmgmt.o", - "providers/implementations/keymgmt/libfips-lib-ml_dsa_kmgmt.o", - "providers/implementations/keymgmt/libfips-lib-ml_kem_kmgmt.o", - "providers/implementations/keymgmt/libfips-lib-mlx_kmgmt.o", - "providers/implementations/keymgmt/libfips-lib-rsa_kmgmt.o", - "providers/implementations/keymgmt/libfips-lib-slh_dsa_kmgmt.o", - "providers/implementations/macs/libfips-lib-cmac_prov.o", - "providers/implementations/macs/libfips-lib-gmac_prov.o", - "providers/implementations/macs/libfips-lib-hmac_prov.o", - "providers/implementations/macs/libfips-lib-kmac_prov.o", - "providers/implementations/rands/libfips-lib-drbg.o", - "providers/implementations/rands/libfips-lib-drbg_ctr.o", - "providers/implementations/rands/libfips-lib-drbg_hash.o", - "providers/implementations/rands/libfips-lib-drbg_hmac.o", - "providers/implementations/rands/libfips-lib-fips_crng_test.o", - "providers/implementations/rands/libfips-lib-test_rng.o", - "providers/implementations/signature/libfips-lib-dsa_sig.o", - "providers/implementations/signature/libfips-lib-ecdsa_sig.o", - "providers/implementations/signature/libfips-lib-eddsa_sig.o", - "providers/implementations/signature/libfips-lib-mac_legacy_sig.o", - "providers/implementations/signature/libfips-lib-ml_dsa_sig.o", - "providers/implementations/signature/libfips-lib-rsa_sig.o", - "providers/implementations/signature/libfips-lib-slh_dsa_sig.o", - "providers/implementations/skeymgmt/libfips-lib-aes_skmgmt.o", - "providers/implementations/skeymgmt/libfips-lib-generic.o", - "providers/libcommon.a", - "ssl/record/methods/libfips-lib-ssl3_cbc.o" + "providers/liblegacy-lib-prov_running.o" => [ + "providers/prov_running.c" + ], + "providers/liblegacy.a" => [ + "crypto/des/liblegacy-lib-des_enc.o", + "crypto/des/liblegacy-lib-fcrypt_b.o", + "crypto/md5/liblegacy-lib-md5-x86_64.o", + "crypto/md5/liblegacy-lib-md5_dgst.o", + "crypto/md5/liblegacy-lib-md5_one.o", + "crypto/md5/liblegacy-lib-md5_sha1.o", + "crypto/rc4/liblegacy-lib-rc4-md5-x86_64.o", + "crypto/rc4/liblegacy-lib-rc4-x86_64.o", + "providers/common/liblegacy-lib-provider_util.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_blowfish.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_blowfish_hw.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_cast5.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_cast5_hw.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_des.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_des_hw.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_desx.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_desx_hw.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_rc2.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_rc2_hw.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_rc4.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hmac_md5.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hmac_md5_hw.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hw.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_seed.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_seed_hw.o", + "providers/implementations/ciphers/liblegacy-lib-cipher_tdes_common.o", + "providers/implementations/digests/liblegacy-lib-md4_prov.o", + "providers/implementations/digests/liblegacy-lib-ripemd_prov.o", + "providers/implementations/digests/liblegacy-lib-wp_prov.o", + "providers/implementations/kdfs/liblegacy-lib-pbkdf1.o", + "providers/implementations/kdfs/liblegacy-lib-pvkkdf.o", + "providers/liblegacy-lib-prov_running.o" ], "providers/libtemplate.a" => [ "providers/implementations/kem/libtemplate-lib-template_kem.o", @@ -34894,12 +33717,12 @@ our %unified_info = ( "ssl/record/methods/libdefault-lib-ssl3_cbc.o" => [ "ssl/record/methods/ssl3_cbc.c" ], - "ssl/record/methods/libfips-lib-ssl3_cbc.o" => [ - "ssl/record/methods/ssl3_cbc.c" - ], "ssl/record/methods/libssl-lib-dtls_meth.o" => [ "ssl/record/methods/dtls_meth.c" ], + "ssl/record/methods/libssl-lib-ktls_meth.o" => [ + "ssl/record/methods/ktls_meth.c" + ], "ssl/record/methods/libssl-lib-ssl3_meth.o" => [ "ssl/record/methods/ssl3_meth.c" ], @@ -34921,6 +33744,9 @@ our %unified_info = ( "ssl/record/methods/libssl-shlib-dtls_meth.o" => [ "ssl/record/methods/dtls_meth.c" ], + "ssl/record/methods/libssl-shlib-ktls_meth.o" => [ + "ssl/record/methods/ktls_meth.c" + ], "ssl/record/methods/libssl-shlib-ssl3_cbc.o" => [ "ssl/record/methods/ssl3_cbc.c" ], @@ -35026,12 +33852,6 @@ our %unified_info = ( "test/aborttest-bin-aborttest.o" => [ "test/aborttest.c" ], - "test/acvp_test" => [ - "test/acvp_test-bin-acvp_test.o" - ], - "test/acvp_test-bin-acvp_test.o" => [ - "test/acvp_test.c" - ], "test/aesgcmtest" => [ "test/aesgcmtest-bin-aesgcmtest.o" ], @@ -35221,12 +34041,30 @@ our %unified_info = ( "test/buildtest_c_aes-bin-buildtest_aes.o" => [ "test/buildtest_aes.c" ], + "test/buildtest_c_asn1" => [ + "test/buildtest_c_asn1-bin-buildtest_asn1.o" + ], + "test/buildtest_c_asn1-bin-buildtest_asn1.o" => [ + "test/buildtest_asn1.c" + ], + "test/buildtest_c_asn1t" => [ + "test/buildtest_c_asn1t-bin-buildtest_asn1t.o" + ], + "test/buildtest_c_asn1t-bin-buildtest_asn1t.o" => [ + "test/buildtest_asn1t.c" + ], "test/buildtest_c_async" => [ "test/buildtest_c_async-bin-buildtest_async.o" ], "test/buildtest_c_async-bin-buildtest_async.o" => [ "test/buildtest_async.c" ], + "test/buildtest_c_bio" => [ + "test/buildtest_c_bio-bin-buildtest_bio.o" + ], + "test/buildtest_c_bio-bin-buildtest_bio.o" => [ + "test/buildtest_bio.c" + ], "test/buildtest_c_blowfish" => [ "test/buildtest_c_blowfish-bin-buildtest_blowfish.o" ], @@ -35269,18 +34107,48 @@ our %unified_info = ( "test/buildtest_c_cmac-bin-buildtest_cmac.o" => [ "test/buildtest_cmac.c" ], + "test/buildtest_c_cmp" => [ + "test/buildtest_c_cmp-bin-buildtest_cmp.o" + ], + "test/buildtest_c_cmp-bin-buildtest_cmp.o" => [ + "test/buildtest_cmp.c" + ], "test/buildtest_c_cmp_util" => [ "test/buildtest_c_cmp_util-bin-buildtest_cmp_util.o" ], "test/buildtest_c_cmp_util-bin-buildtest_cmp_util.o" => [ "test/buildtest_cmp_util.c" ], + "test/buildtest_c_cms" => [ + "test/buildtest_c_cms-bin-buildtest_cms.o" + ], + "test/buildtest_c_cms-bin-buildtest_cms.o" => [ + "test/buildtest_cms.c" + ], + "test/buildtest_c_comp" => [ + "test/buildtest_c_comp-bin-buildtest_comp.o" + ], + "test/buildtest_c_comp-bin-buildtest_comp.o" => [ + "test/buildtest_comp.c" + ], + "test/buildtest_c_conf" => [ + "test/buildtest_c_conf-bin-buildtest_conf.o" + ], + "test/buildtest_c_conf-bin-buildtest_conf.o" => [ + "test/buildtest_conf.c" + ], "test/buildtest_c_conf_api" => [ "test/buildtest_c_conf_api-bin-buildtest_conf_api.o" ], "test/buildtest_c_conf_api-bin-buildtest_conf_api.o" => [ "test/buildtest_conf_api.c" ], + "test/buildtest_c_configuration" => [ + "test/buildtest_c_configuration-bin-buildtest_configuration.o" + ], + "test/buildtest_c_configuration-bin-buildtest_configuration.o" => [ + "test/buildtest_configuration.c" + ], "test/buildtest_c_conftypes" => [ "test/buildtest_c_conftypes-bin-buildtest_conftypes.o" ], @@ -35299,18 +34167,42 @@ our %unified_info = ( "test/buildtest_c_core_dispatch-bin-buildtest_core_dispatch.o" => [ "test/buildtest_core_dispatch.c" ], + "test/buildtest_c_core_names" => [ + "test/buildtest_c_core_names-bin-buildtest_core_names.o" + ], + "test/buildtest_c_core_names-bin-buildtest_core_names.o" => [ + "test/buildtest_core_names.c" + ], "test/buildtest_c_core_object" => [ "test/buildtest_c_core_object-bin-buildtest_core_object.o" ], "test/buildtest_c_core_object-bin-buildtest_core_object.o" => [ "test/buildtest_core_object.c" ], + "test/buildtest_c_crmf" => [ + "test/buildtest_c_crmf-bin-buildtest_crmf.o" + ], + "test/buildtest_c_crmf-bin-buildtest_crmf.o" => [ + "test/buildtest_crmf.c" + ], + "test/buildtest_c_crypto" => [ + "test/buildtest_c_crypto-bin-buildtest_crypto.o" + ], + "test/buildtest_c_crypto-bin-buildtest_crypto.o" => [ + "test/buildtest_crypto.c" + ], "test/buildtest_c_cryptoerr_legacy" => [ "test/buildtest_c_cryptoerr_legacy-bin-buildtest_cryptoerr_legacy.o" ], "test/buildtest_c_cryptoerr_legacy-bin-buildtest_cryptoerr_legacy.o" => [ "test/buildtest_cryptoerr_legacy.c" ], + "test/buildtest_c_ct" => [ + "test/buildtest_c_ct-bin-buildtest_ct.o" + ], + "test/buildtest_c_ct-bin-buildtest_ct.o" => [ + "test/buildtest_ct.c" + ], "test/buildtest_c_decoder" => [ "test/buildtest_c_decoder-bin-buildtest_decoder.o" ], @@ -35389,6 +34281,12 @@ our %unified_info = ( "test/buildtest_c_engine-bin-buildtest_engine.o" => [ "test/buildtest_engine.c" ], + "test/buildtest_c_ess" => [ + "test/buildtest_c_ess-bin-buildtest_ess.o" + ], + "test/buildtest_c_ess-bin-buildtest_ess.o" => [ + "test/buildtest_ess.c" + ], "test/buildtest_c_evp" => [ "test/buildtest_c_evp-bin-buildtest_evp.o" ], @@ -35401,6 +34299,12 @@ our %unified_info = ( "test/buildtest_c_fips_names-bin-buildtest_fips_names.o" => [ "test/buildtest_fips_names.c" ], + "test/buildtest_c_fipskey" => [ + "test/buildtest_c_fipskey-bin-buildtest_fipskey.o" + ], + "test/buildtest_c_fipskey-bin-buildtest_fipskey.o" => [ + "test/buildtest_fipskey.c" + ], "test/buildtest_c_hmac" => [ "test/buildtest_c_hmac-bin-buildtest_hmac.o" ], @@ -35431,6 +34335,12 @@ our %unified_info = ( "test/buildtest_c_kdf-bin-buildtest_kdf.o" => [ "test/buildtest_kdf.c" ], + "test/buildtest_c_lhash" => [ + "test/buildtest_c_lhash-bin-buildtest_lhash.o" + ], + "test/buildtest_c_lhash-bin-buildtest_lhash.o" => [ + "test/buildtest_lhash.c" + ], "test/buildtest_c_macros" => [ "test/buildtest_c_macros-bin-buildtest_macros.o" ], @@ -35473,6 +34383,18 @@ our %unified_info = ( "test/buildtest_c_objects-bin-buildtest_objects.o" => [ "test/buildtest_objects.c" ], + "test/buildtest_c_ocsp" => [ + "test/buildtest_c_ocsp-bin-buildtest_ocsp.o" + ], + "test/buildtest_c_ocsp-bin-buildtest_ocsp.o" => [ + "test/buildtest_ocsp.c" + ], + "test/buildtest_c_opensslv" => [ + "test/buildtest_c_opensslv-bin-buildtest_opensslv.o" + ], + "test/buildtest_c_opensslv-bin-buildtest_opensslv.o" => [ + "test/buildtest_opensslv.c" + ], "test/buildtest_c_ossl_typ" => [ "test/buildtest_c_ossl_typ-bin-buildtest_ossl_typ.o" ], @@ -35503,6 +34425,18 @@ our %unified_info = ( "test/buildtest_c_pem2-bin-buildtest_pem2.o" => [ "test/buildtest_pem2.c" ], + "test/buildtest_c_pkcs12" => [ + "test/buildtest_c_pkcs12-bin-buildtest_pkcs12.o" + ], + "test/buildtest_c_pkcs12-bin-buildtest_pkcs12.o" => [ + "test/buildtest_pkcs12.c" + ], + "test/buildtest_c_pkcs7" => [ + "test/buildtest_c_pkcs7-bin-buildtest_pkcs7.o" + ], + "test/buildtest_c_pkcs7-bin-buildtest_pkcs7.o" => [ + "test/buildtest_pkcs7.c" + ], "test/buildtest_c_prov_ssl" => [ "test/buildtest_c_prov_ssl-bin-buildtest_prov_ssl.o" ], @@ -35551,6 +34485,12 @@ our %unified_info = ( "test/buildtest_c_rsa-bin-buildtest_rsa.o" => [ "test/buildtest_rsa.c" ], + "test/buildtest_c_safestack" => [ + "test/buildtest_c_safestack-bin-buildtest_safestack.o" + ], + "test/buildtest_c_safestack-bin-buildtest_safestack.o" => [ + "test/buildtest_safestack.c" + ], "test/buildtest_c_seed" => [ "test/buildtest_c_seed-bin-buildtest_seed.o" ], @@ -35569,12 +34509,24 @@ our %unified_info = ( "test/buildtest_c_sha-bin-buildtest_sha.o" => [ "test/buildtest_sha.c" ], + "test/buildtest_c_srp" => [ + "test/buildtest_c_srp-bin-buildtest_srp.o" + ], + "test/buildtest_c_srp-bin-buildtest_srp.o" => [ + "test/buildtest_srp.c" + ], "test/buildtest_c_srtp" => [ "test/buildtest_c_srtp-bin-buildtest_srtp.o" ], "test/buildtest_c_srtp-bin-buildtest_srtp.o" => [ "test/buildtest_srtp.c" ], + "test/buildtest_c_ssl" => [ + "test/buildtest_c_ssl-bin-buildtest_ssl.o" + ], + "test/buildtest_c_ssl-bin-buildtest_ssl.o" => [ + "test/buildtest_ssl.c" + ], "test/buildtest_c_ssl2" => [ "test/buildtest_c_ssl2-bin-buildtest_ssl2.o" ], @@ -35635,12 +34587,42 @@ our %unified_info = ( "test/buildtest_c_types-bin-buildtest_types.o" => [ "test/buildtest_types.c" ], + "test/buildtest_c_ui" => [ + "test/buildtest_c_ui-bin-buildtest_ui.o" + ], + "test/buildtest_c_ui-bin-buildtest_ui.o" => [ + "test/buildtest_ui.c" + ], "test/buildtest_c_whrlpool" => [ "test/buildtest_c_whrlpool-bin-buildtest_whrlpool.o" ], "test/buildtest_c_whrlpool-bin-buildtest_whrlpool.o" => [ "test/buildtest_whrlpool.c" ], + "test/buildtest_c_x509" => [ + "test/buildtest_c_x509-bin-buildtest_x509.o" + ], + "test/buildtest_c_x509-bin-buildtest_x509.o" => [ + "test/buildtest_x509.c" + ], + "test/buildtest_c_x509_acert" => [ + "test/buildtest_c_x509_acert-bin-buildtest_x509_acert.o" + ], + "test/buildtest_c_x509_acert-bin-buildtest_x509_acert.o" => [ + "test/buildtest_x509_acert.c" + ], + "test/buildtest_c_x509_vfy" => [ + "test/buildtest_c_x509_vfy-bin-buildtest_x509_vfy.o" + ], + "test/buildtest_c_x509_vfy-bin-buildtest_x509_vfy.o" => [ + "test/buildtest_x509_vfy.c" + ], + "test/buildtest_c_x509v3" => [ + "test/buildtest_c_x509v3-bin-buildtest_x509v3.o" + ], + "test/buildtest_c_x509v3-bin-buildtest_x509v3.o" => [ + "test/buildtest_x509v3.c" + ], "test/byteorder_test" => [ "test/byteorder_test-bin-byteorder_test.o" ], @@ -35929,6 +34911,7 @@ our %unified_info = ( "test/ectest.c" ], "test/endecode_test" => [ + "providers/endecode_test-bin-legacyprov.o", "test/endecode_test-bin-endecode_test.o", "test/helpers/endecode_test-bin-predefined_dhparams.o" ], @@ -35960,6 +34943,7 @@ our %unified_info = ( "test/evp_byname_test.c" ], "test/evp_extra_test" => [ + "providers/evp_extra_test-bin-legacyprov.o", "test/evp_extra_test-bin-evp_extra_test.o", "test/evp_extra_test-bin-fake_pipelineprov.o", "test/evp_extra_test-bin-fake_rsaprov.o" @@ -36327,6 +35311,7 @@ our %unified_info = ( "test/testutil/libtestutil-lib-apps_shims.o", "test/testutil/libtestutil-lib-basic_output.o", "test/testutil/libtestutil-lib-cb.o", + "test/testutil/libtestutil-lib-compare.o", "test/testutil/libtestutil-lib-driver.o", "test/testutil/libtestutil-lib-fake_random.o", "test/testutil/libtestutil-lib-format_output.o", @@ -37039,6 +36024,9 @@ our %unified_info = ( "test/testutil/libtestutil-lib-cb.o" => [ "test/testutil/cb.c" ], + "test/testutil/libtestutil-lib-compare.o" => [ + "test/testutil/compare.c" + ], "test/testutil/libtestutil-lib-driver.o" => [ "test/testutil/driver.c" ], @@ -37268,9 +36256,7 @@ our %unified_info = ( "util/wrap.pl.in" ] }, - "targets" => [ - "build_modules_nodep" - ] + "targets" => [] ); # Unexported, only used by OpenSSL::Test::Utils::available_protocols() @@ -37317,6 +36303,9 @@ my @makevars = ( "RM" ); my %disabled_info = ( + "acvp-tests" => { + "macro" => "OPENSSL_NO_ACVP_TESTS" + }, "afalgeng" => { "macro" => "OPENSSL_NO_AFALGENG" }, @@ -37353,6 +36342,12 @@ my %disabled_info = ( "fips-jitter" => { "macro" => "OPENSSL_NO_FIPS_JITTER" }, + "fips-post" => { + "macro" => "OPENSSL_NO_FIPS_POST" + }, + "fips-securitychecks" => { + "macro" => "OPENSSL_NO_FIPS_SECURITYCHECKS" + }, "fuzz-afl" => { "macro" => "OPENSSL_NO_FUZZ_AFL" }, @@ -37374,9 +36369,6 @@ my %disabled_info = ( "jitter" => { "macro" => "OPENSSL_NO_JITTER" }, - "ktls" => { - "macro" => "OPENSSL_NO_KTLS" - }, "md2" => { "macro" => "OPENSSL_NO_MD2", "skipped" => [ @@ -37431,9 +36423,6 @@ my %disabled_info = ( "tfo" => { "macro" => "OPENSSL_NO_TFO" }, - "tls-deprecated-ec" => { - "macro" => "OPENSSL_NO_TLS_DEPRECATED_EC" - }, "trace" => { "macro" => "OPENSSL_NO_TRACE" }, @@ -37476,8 +36465,8 @@ unless (caller) { use File::Copy; use Pod::Usage; - use lib '/home/khorben/Projects/FreeBSD/ports/security/openssl35/work/openssl-3.5.1/util/perl'; - use OpenSSL::fallback '/home/khorben/Projects/FreeBSD/ports/security/openssl35/work/openssl-3.5.1/external/perl/MODULES.txt'; + use lib '/usr/home/ngie/git/freebsd-src/worktree/main/crypto/openssl/util/perl'; + use OpenSSL::fallback '/usr/home/ngie/git/freebsd-src/worktree/main/crypto/openssl/external/perl/MODULES.txt'; my $here = dirname($0); @@ -37504,7 +36493,7 @@ unless (caller) { ); use lib '.'; - use lib '/home/khorben/Projects/FreeBSD/ports/security/openssl35/work/openssl-3.5.1/Configurations'; + use lib '/usr/home/ngie/git/freebsd-src/worktree/main/crypto/openssl/Configurations'; use gentemplate; open my $buildfile_template_fh, ">$buildfile_template" @@ -37521,8 +36510,8 @@ unless (caller) { my $prepend = <<'_____'; use File::Spec::Functions; -use lib '/home/khorben/Projects/FreeBSD/ports/security/openssl35/work/openssl-3.5.1/util/perl'; -use lib '/home/khorben/Projects/FreeBSD/ports/security/openssl35/work/openssl-3.5.1/Configurations'; +use lib '/usr/home/ngie/git/freebsd-src/worktree/main/crypto/openssl/util/perl'; +use lib '/usr/home/ngie/git/freebsd-src/worktree/main/crypto/openssl/Configurations'; use lib '.'; use platform; _____ diff --git a/crypto/openssl/crypto/aes/asm/aes-s390x.pl b/crypto/openssl/crypto/aes/asm/aes-s390x.pl index 5d1283f57690..2345d4574a41 100755 --- a/crypto/openssl/crypto/aes/asm/aes-s390x.pl +++ b/crypto/openssl/crypto/aes/asm/aes-s390x.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -1431,6 +1431,9 @@ $code.=<<___ if (!$softonly); st${g} $s3,0($sp) # backchain la %r1,$stdframe($sp) + xc $stdframe+0(64,$sp),$stdframe+0($sp) # clear reserved/unused + # in parameter block + lmg $s2,$s3,0($key) # copy key stg $s2,$stdframe+80($sp) stg $s3,$stdframe+88($sp) diff --git a/crypto/openssl/crypto/asn1/asn_mime.c b/crypto/openssl/crypto/asn1/asn_mime.c index 806adade7ffc..9afe249965e9 100644 --- a/crypto/openssl/crypto/asn1/asn_mime.c +++ b/crypto/openssl/crypto/asn1/asn_mime.c @@ -168,6 +168,19 @@ static int asn1_write_micalg(BIO *out, STACK_OF(X509_ALGOR) *mdalgs) BIO_write(out, ",", 1); write_comma = 1; md_nid = OBJ_obj2nid(sk_X509_ALGOR_value(mdalgs, i)->algorithm); + + /* RFC 8702 does not define a micalg for SHAKE, assuming "shake-<bitlen>" */ + if (md_nid == NID_shake128) { + if (BIO_puts(out, "shake-128") < 0) + goto err; + continue; + } + if (md_nid == NID_shake256) { + if (BIO_puts(out, "shake-256") < 0) + goto err; + continue; + } + md = EVP_get_digestbynid(md_nid); if (md && md->md_ctrl) { int rv; @@ -204,15 +217,15 @@ static int asn1_write_micalg(BIO *out, STACK_OF(X509_ALGOR) *mdalgs) case NID_id_GostR3411_94: BIO_puts(out, "gostr3411-94"); - goto err; + break; case NID_id_GostR3411_2012_256: BIO_puts(out, "gostr3411-2012-256"); - goto err; + break; case NID_id_GostR3411_2012_512: BIO_puts(out, "gostr3411-2012-512"); - goto err; + break; default: if (have_unknown) { @@ -272,7 +285,8 @@ int SMIME_write_ASN1_ex(BIO *bio, ASN1_VALUE *val, BIO *data, int flags, BIO_printf(bio, "Content-Type: multipart/signed;"); BIO_printf(bio, " protocol=\"%ssignature\";", mime_prefix); BIO_puts(bio, " micalg=\""); - asn1_write_micalg(bio, mdalgs); + if (!asn1_write_micalg(bio, mdalgs)) + return 0; BIO_printf(bio, "\"; boundary=\"----%s\"%s%s", bound, mime_eol, mime_eol); BIO_printf(bio, "This is an S/MIME signed message%s%s", diff --git a/crypto/openssl/crypto/bio/bss_dgram.c b/crypto/openssl/crypto/bio/bss_dgram.c index ea2550859ccd..784a1abb00bb 100644 --- a/crypto/openssl/crypto/bio/bss_dgram.c +++ b/crypto/openssl/crypto/bio/bss_dgram.c @@ -1,5 +1,5 @@ /* - * Copyright 2005-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -464,11 +464,11 @@ static int dgram_write(BIO *b, const char *in, int inl) return ret; } -static long dgram_get_mtu_overhead(bio_dgram_data *data) +static long dgram_get_mtu_overhead(BIO_ADDR *addr) { long ret; - switch (BIO_ADDR_family(&data->peer)) { + switch (BIO_ADDR_family(addr)) { case AF_INET: /* * Assume this is UDP - 20 bytes for IP, 8 bytes for UDP @@ -480,7 +480,8 @@ static long dgram_get_mtu_overhead(bio_dgram_data *data) { # ifdef IN6_IS_ADDR_V4MAPPED struct in6_addr tmp_addr; - if (BIO_ADDR_rawaddress(&data->peer, &tmp_addr, NULL) + + if (BIO_ADDR_rawaddress(addr, &tmp_addr, NULL) && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) /* * Assume this is UDP - 20 bytes for IP, 8 bytes for UDP @@ -666,11 +667,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) &sockopt_len)) < 0 || sockopt_val < 0) { ret = 0; } else { - /* - * we assume that the transport protocol is UDP and no IP - * options are used. - */ - data->mtu = sockopt_val - 8 - 20; + data->mtu = sockopt_val - dgram_get_mtu_overhead(&addr); ret = data->mtu; } break; @@ -682,11 +679,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) || sockopt_val < 0) { ret = 0; } else { - /* - * we assume that the transport protocol is UDP and no IPV6 - * options are used. - */ - data->mtu = sockopt_val - 8 - 40; + data->mtu = sockopt_val - dgram_get_mtu_overhead(&addr); ret = data->mtu; } break; @@ -700,7 +693,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) # endif break; case BIO_CTRL_DGRAM_GET_FALLBACK_MTU: - ret = -dgram_get_mtu_overhead(data); + ret = -dgram_get_mtu_overhead(&data->peer); switch (BIO_ADDR_family(&data->peer)) { case AF_INET: ret += 576; @@ -956,7 +949,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) } break; case BIO_CTRL_DGRAM_GET_MTU_OVERHEAD: - ret = dgram_get_mtu_overhead(data); + ret = dgram_get_mtu_overhead(&data->peer); break; /* diff --git a/crypto/openssl/crypto/bio/bss_file.c b/crypto/openssl/crypto/bio/bss_file.c index 2743a14417cf..ddcb4feb6a58 100644 --- a/crypto/openssl/crypto/bio/bss_file.c +++ b/crypto/openssl/crypto/bio/bss_file.c @@ -287,7 +287,7 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr) if (fp == NULL) { ERR_raise_data(ERR_LIB_SYS, get_last_sys_error(), "calling fopen(%s, %s)", - ptr, p); + (const char *)ptr, p); ERR_raise(ERR_LIB_BIO, ERR_R_SYS_LIB); ret = 0; break; diff --git a/crypto/openssl/crypto/cms/cms_pwri.c b/crypto/openssl/crypto/cms/cms_pwri.c index a7d609f83791..ee1b8aa6ed61 100644 --- a/crypto/openssl/crypto/cms/cms_pwri.c +++ b/crypto/openssl/crypto/cms/cms_pwri.c @@ -242,7 +242,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen, /* Check byte failure */ goto err; } - if (inlen < (size_t)(tmp[0] - 4)) { + if (inlen < 4 + (size_t)tmp[0]) { /* Invalid length value */ goto err; } diff --git a/crypto/openssl/crypto/dh/dh_check.c b/crypto/openssl/crypto/dh/dh_check.c index ae23f61839ea..2d899dc96f67 100644 --- a/crypto/openssl/crypto/dh/dh_check.c +++ b/crypto/openssl/crypto/dh/dh_check.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -16,6 +16,7 @@ #include <stdio.h> #include "internal/cryptlib.h" #include <openssl/bn.h> +#include <openssl/self_test.h> #include "dh_local.h" #include "crypto/dh.h" @@ -329,17 +330,27 @@ end: * FFC pairwise check from SP800-56A R3. * Section 5.6.2.1.4 Owner Assurance of Pair-wise Consistency */ -int ossl_dh_check_pairwise(const DH *dh) +int ossl_dh_check_pairwise(const DH *dh, int return_on_null_numbers) { int ret = 0; BN_CTX *ctx = NULL; BIGNUM *pub_key = NULL; + OSSL_SELF_TEST *st = NULL; + OSSL_CALLBACK *stcb = NULL; + void *stcbarg = NULL; if (dh->params.p == NULL || dh->params.g == NULL || dh->priv_key == NULL || dh->pub_key == NULL) - return 0; + return return_on_null_numbers; + + OSSL_SELF_TEST_get_callback(dh->libctx, &stcb, &stcbarg); + st = OSSL_SELF_TEST_new(stcb, stcbarg); + if (st == NULL) + goto err; + OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT, + OSSL_SELF_TEST_DESC_PCT_DH); ctx = BN_CTX_new_ex(dh->libctx); if (ctx == NULL) @@ -351,10 +362,27 @@ int ossl_dh_check_pairwise(const DH *dh) /* recalculate the public key = (g ^ priv) mod p */ if (!ossl_dh_generate_public_key(ctx, dh, dh->priv_key, pub_key)) goto err; + +#ifdef FIPS_MODULE + { + int len; + unsigned char bytes[1024] = {0}; /* Max key size of 8192 bits */ + + if (BN_num_bytes(pub_key) > (int)sizeof(bytes)) + goto err; + len = BN_bn2bin(pub_key, bytes); + OSSL_SELF_TEST_oncorrupt_byte(st, bytes); + if (BN_bin2bn(bytes, len, pub_key) == NULL) + goto err; + } +#endif /* check it matches the existing public_key */ ret = BN_cmp(pub_key, dh->pub_key) == 0; -err: + err: BN_free(pub_key); BN_CTX_free(ctx); + + OSSL_SELF_TEST_onend(st, ret); + OSSL_SELF_TEST_free(st); return ret; } diff --git a/crypto/openssl/crypto/dh/dh_key.c b/crypto/openssl/crypto/dh/dh_key.c index 7132b9b68e53..052d4d29ed22 100644 --- a/crypto/openssl/crypto/dh/dh_key.c +++ b/crypto/openssl/crypto/dh/dh_key.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -267,7 +267,7 @@ static int generate_key(DH *dh) int ok = 0; int generate_new_key = 0; #ifndef FIPS_MODULE - unsigned l; + int l; #endif BN_CTX *ctx = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL; @@ -327,11 +327,13 @@ static int generate_key(DH *dh) goto err; #else if (dh->params.q == NULL) { - /* secret exponent length, must satisfy 2^(l-1) <= p */ - if (dh->length != 0 - && dh->length >= BN_num_bits(dh->params.p)) + /* secret exponent length, must satisfy 2^l < (p-1)/2 */ + l = BN_num_bits(dh->params.p); + if (dh->length >= l) goto err; - l = dh->length ? dh->length : BN_num_bits(dh->params.p) - 1; + l -= 2; + if (dh->length != 0 && dh->length < l) + l = dh->length; if (!BN_priv_rand_ex(priv_key, l, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY, 0, ctx)) goto err; diff --git a/crypto/openssl/crypto/dh/dh_pmeth.c b/crypto/openssl/crypto/dh/dh_pmeth.c index 3b75a537b3e0..74bef9370d3a 100644 --- a/crypto/openssl/crypto/dh/dh_pmeth.c +++ b/crypto/openssl/crypto/dh/dh_pmeth.c @@ -408,7 +408,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key, } dh = (DH *)EVP_PKEY_get0_DH(ctx->pkey); dhpub = EVP_PKEY_get0_DH(ctx->peerkey); - if (dhpub == NULL) { + if (dhpub == NULL || dh == NULL) { ERR_raise(ERR_LIB_DH, DH_R_KEYS_NOT_SET); return 0; } diff --git a/crypto/openssl/crypto/ec/ecp_sm2p256.c b/crypto/openssl/crypto/ec/ecp_sm2p256.c index 7668b61378b6..4c39be2186fb 100644 --- a/crypto/openssl/crypto/ec/ecp_sm2p256.c +++ b/crypto/openssl/crypto/ec/ecp_sm2p256.c @@ -1,5 +1,5 @@ /* - * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2023-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -56,10 +56,6 @@ ALIGN32 static const BN_ULONG def_p[P256_LIMBS] = { 0xffffffffffffffff, 0xffffffff00000000, 0xffffffffffffffff, 0xfffffffeffffffff }; -ALIGN32 static const BN_ULONG def_ord[P256_LIMBS] = { - 0x53bbf40939d54123, 0x7203df6b21c6052b, - 0xffffffffffffffff, 0xfffffffeffffffff -}; ALIGN32 static const BN_ULONG ONE[P256_LIMBS] = {1, 0, 0, 0}; @@ -177,13 +173,6 @@ static ossl_inline void ecp_sm2p256_mod_inverse(BN_ULONG* out, BN_MOD_INV(out, in, ecp_sm2p256_div_by_2, ecp_sm2p256_sub, def_p); } -/* Modular inverse mod order |out| = |in|^(-1) % |ord|. */ -static ossl_inline void ecp_sm2p256_mod_ord_inverse(BN_ULONG* out, - const BN_ULONG* in) { - BN_MOD_INV(out, in, ecp_sm2p256_div_by_2_mod_ord, ecp_sm2p256_sub_mod_ord, - def_ord); -} - /* Point double: R <- P + P */ static void ecp_sm2p256_point_double(P256_POINT *R, const P256_POINT *P) { @@ -454,52 +443,6 @@ static int ecp_sm2p256_is_affine_G(const EC_POINT *generator) } #endif -/* - * Convert Jacobian coordinate point into affine coordinate (x,y) - */ -static int ecp_sm2p256_get_affine(const EC_GROUP *group, - const EC_POINT *point, - BIGNUM *x, BIGNUM *y, BN_CTX *ctx) -{ - ALIGN32 BN_ULONG z_inv2[P256_LIMBS] = {0}; - ALIGN32 BN_ULONG z_inv3[P256_LIMBS] = {0}; - ALIGN32 BN_ULONG x_aff[P256_LIMBS] = {0}; - ALIGN32 BN_ULONG y_aff[P256_LIMBS] = {0}; - ALIGN32 BN_ULONG point_x[P256_LIMBS] = {0}; - ALIGN32 BN_ULONG point_y[P256_LIMBS] = {0}; - ALIGN32 BN_ULONG point_z[P256_LIMBS] = {0}; - - if (EC_POINT_is_at_infinity(group, point)) { - ECerr(ERR_LIB_EC, EC_R_POINT_AT_INFINITY); - return 0; - } - - if (ecp_sm2p256_bignum_field_elem(point_x, point->X) <= 0 - || ecp_sm2p256_bignum_field_elem(point_y, point->Y) <= 0 - || ecp_sm2p256_bignum_field_elem(point_z, point->Z) <= 0) { - ECerr(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE); - return 0; - } - - ecp_sm2p256_mod_inverse(z_inv3, point_z); - ecp_sm2p256_sqr(z_inv2, z_inv3); - - if (x != NULL) { - ecp_sm2p256_mul(x_aff, point_x, z_inv2); - if (!bn_set_words(x, x_aff, P256_LIMBS)) - return 0; - } - - if (y != NULL) { - ecp_sm2p256_mul(z_inv3, z_inv3, z_inv2); - ecp_sm2p256_mul(y_aff, point_y, z_inv3); - if (!bn_set_words(y, y_aff, P256_LIMBS)) - return 0; - } - - return 1; -} - /* r = sum(scalar[i]*point[i]) */ static int ecp_sm2p256_windowed_mul(const EC_GROUP *group, P256_POINT *r, @@ -689,44 +632,6 @@ static int ecp_sm2p256_field_sqr(const EC_GROUP *group, BIGNUM *r, return 1; } -static int ecp_sm2p256_inv_mod_ord(const EC_GROUP *group, BIGNUM *r, - const BIGNUM *x, BN_CTX *ctx) -{ - int ret = 0; - ALIGN32 BN_ULONG t[P256_LIMBS] = {0}; - ALIGN32 BN_ULONG out[P256_LIMBS] = {0}; - - if (bn_wexpand(r, P256_LIMBS) == NULL) { - ECerr(ERR_LIB_EC, ERR_R_BN_LIB); - goto err; - } - - if ((BN_num_bits(x) > 256) || BN_is_negative(x)) { - BIGNUM *tmp; - - if ((tmp = BN_CTX_get(ctx)) == NULL - || !BN_nnmod(tmp, x, group->order, ctx)) { - ECerr(ERR_LIB_EC, ERR_R_BN_LIB); - goto err; - } - x = tmp; - } - - if (!ecp_sm2p256_bignum_field_elem(t, x)) { - ECerr(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE); - goto err; - } - - ecp_sm2p256_mod_ord_inverse(out, t); - - if (!bn_set_words(r, out, P256_LIMBS)) - goto err; - - ret = 1; -err: - return ret; -} - const EC_METHOD *EC_GFp_sm2p256_method(void) { static const EC_METHOD ret = { @@ -747,7 +652,7 @@ const EC_METHOD *EC_GFp_sm2p256_method(void) ossl_ec_GFp_simple_point_copy, ossl_ec_GFp_simple_point_set_to_infinity, ossl_ec_GFp_simple_point_set_affine_coordinates, - ecp_sm2p256_get_affine, + ossl_ec_GFp_simple_point_get_affine_coordinates, 0, 0, 0, ossl_ec_GFp_simple_add, ossl_ec_GFp_simple_dbl, @@ -763,7 +668,7 @@ const EC_METHOD *EC_GFp_sm2p256_method(void) ecp_sm2p256_field_mul, ecp_sm2p256_field_sqr, 0 /* field_div */, - 0 /* field_inv */, + ossl_ec_GFp_simple_field_inv, 0 /* field_encode */, 0 /* field_decode */, 0 /* field_set_to_one */, @@ -779,7 +684,7 @@ const EC_METHOD *EC_GFp_sm2p256_method(void) ossl_ecdsa_simple_sign_setup, ossl_ecdsa_simple_sign_sig, ossl_ecdsa_simple_verify_sig, - ecp_sm2p256_inv_mod_ord, + 0, /* use constant‑time fallback for inverse mod order */ 0, /* blind_coordinates */ 0, /* ladder_pre */ 0, /* ladder_step */ diff --git a/crypto/openssl/crypto/encode_decode/decoder_lib.c b/crypto/openssl/crypto/encode_decode/decoder_lib.c index ffcf3cde1155..dedfb24e569e 100644 --- a/crypto/openssl/crypto/encode_decode/decoder_lib.c +++ b/crypto/openssl/crypto/encode_decode/decoder_lib.c @@ -537,6 +537,14 @@ static void collect_extra_decoder(OSSL_DECODER *decoder, void *arg) } } +static int decoder_sk_cmp(const OSSL_DECODER_INSTANCE *const *a, + const OSSL_DECODER_INSTANCE *const *b) +{ + if ((*a)->score == (*b)->score) + return (*a)->order - (*b)->order; + return (*a)->score - (*b)->score; +} + int OSSL_DECODER_CTX_add_extra(OSSL_DECODER_CTX *ctx, OSSL_LIB_CTX *libctx, const char *propq) { @@ -595,6 +603,26 @@ int OSSL_DECODER_CTX_add_extra(OSSL_DECODER_CTX *ctx, OSSL_DECODER_do_all_provided(libctx, collect_all_decoders, skdecoders); numdecoders = sk_OSSL_DECODER_num(skdecoders); + /* + * If there are provided or default properties, sort the initial decoder list + * by property matching score so that the highest scored provider is selected + * first. + */ + if (propq != NULL || ossl_ctx_global_properties(libctx, 0) != NULL) { + int num_decoder_insts = sk_OSSL_DECODER_INSTANCE_num(ctx->decoder_insts); + int i; + OSSL_DECODER_INSTANCE *di; + sk_OSSL_DECODER_INSTANCE_compfunc old_cmp = + sk_OSSL_DECODER_INSTANCE_set_cmp_func(ctx->decoder_insts, decoder_sk_cmp); + + for (i = 0; i < num_decoder_insts; i++) { + di = sk_OSSL_DECODER_INSTANCE_value(ctx->decoder_insts, i); + di->order = i; + } + sk_OSSL_DECODER_INSTANCE_sort(ctx->decoder_insts); + sk_OSSL_DECODER_INSTANCE_set_cmp_func(ctx->decoder_insts, old_cmp); + } + memset(&data, 0, sizeof(data)); data.ctx = ctx; data.w_prev_start = 0; diff --git a/crypto/openssl/crypto/encode_decode/decoder_pkey.c b/crypto/openssl/crypto/encode_decode/decoder_pkey.c index f99566bde744..9fc4e2312331 100644 --- a/crypto/openssl/crypto/encode_decode/decoder_pkey.c +++ b/crypto/openssl/crypto/encode_decode/decoder_pkey.c @@ -222,15 +222,21 @@ struct collect_data_st { int total; /* number of matching results */ char error_occurred; char keytype_resolved; + OSSL_PROPERTY_LIST *pq; STACK_OF(EVP_KEYMGMT) *keymgmts; }; -static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder, - void *provctx, struct collect_data_st *data) +/* + * Add decoder instance to the decoder context if it is compatible. Returns 1 + * if a decoder was added, 0 otherwise. + */ +static int collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder, + void *provctx, struct collect_data_st *data) { void *decoderctx = NULL; OSSL_DECODER_INSTANCE *di = NULL; + const OSSL_PROPERTY_LIST *props; /* * We already checked the EVP_KEYMGMT is applicable in check_keymgmt so we @@ -239,17 +245,17 @@ static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder, if (keymgmt->name_id != decoder->base.id) /* Mismatch is not an error, continue. */ - return; + return 0; if ((decoderctx = decoder->newctx(provctx)) == NULL) { data->error_occurred = 1; - return; + return 0; } if ((di = ossl_decoder_instance_new(decoder, decoderctx)) == NULL) { decoder->freectx(decoderctx); data->error_occurred = 1; - return; + return 0; } /* @@ -263,7 +269,7 @@ static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder, || OPENSSL_strcasecmp(data->ctx->start_input_type, "PEM") != 0)) { /* Mismatch is not an error, continue. */ ossl_decoder_instance_free(di); - return; + return 0; } OSSL_TRACE_BEGIN(DECODER) { @@ -275,13 +281,30 @@ static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder, OSSL_DECODER_get0_properties(decoder)); } OSSL_TRACE_END(DECODER); + /* + * Get the property match score so the decoders can be prioritized later. + */ + props = ossl_decoder_parsed_properties(decoder); + if (data->pq != NULL && props != NULL) { + di->score = ossl_property_match_count(data->pq, props); + /* + * Mismatch of mandatory properties is not an error, the decoder is just + * ignored, continue. + */ + if (di->score < 0) { + ossl_decoder_instance_free(di); + return 0; + } + } + if (!ossl_decoder_ctx_add_decoder_inst(data->ctx, di)) { ossl_decoder_instance_free(di); data->error_occurred = 1; - return; + return 0; } ++data->total; + return 1; } static void collect_decoder(OSSL_DECODER *decoder, void *arg) @@ -321,7 +344,9 @@ static void collect_decoder(OSSL_DECODER *decoder, void *arg) for (i = 0; i < end_i; ++i) { keymgmt = sk_EVP_KEYMGMT_value(keymgmts, i); - collect_decoder_keymgmt(keymgmt, decoder, provctx, data); + /* Only add this decoder once */ + if (collect_decoder_keymgmt(keymgmt, decoder, provctx, data)) + break; if (data->error_occurred) return; } @@ -407,6 +432,8 @@ static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, struct decoder_pkey_data_st *process_data = NULL; struct collect_data_st collect_data = { NULL }; STACK_OF(EVP_KEYMGMT) *keymgmts = NULL; + OSSL_PROPERTY_LIST **plp; + OSSL_PROPERTY_LIST *pq = NULL, *p2 = NULL; OSSL_TRACE_BEGIN(DECODER) { const char *input_type = ctx->start_input_type; @@ -443,6 +470,25 @@ static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, process_data->keymgmts = keymgmts; /* + * Collect passed and default properties to prioritize the decoders. + */ + if (propquery != NULL) + p2 = pq = ossl_parse_query(libctx, propquery, 1); + + plp = ossl_ctx_global_properties(libctx, 0); + if (plp != NULL && *plp != NULL) { + if (pq == NULL) { + pq = *plp; + } else { + p2 = ossl_property_merge(pq, *plp); + ossl_property_free(pq); + if (p2 == NULL) + goto err; + pq = p2; + } + } + + /* * Enumerate all keymgmts into a stack. * * We could nest EVP_KEYMGMT_do_all_provided inside @@ -457,10 +503,11 @@ static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, * upfront, as this ensures that the names for all loaded providers have * been registered by the time we try to resolve the keytype string. */ - collect_data.ctx = ctx; - collect_data.libctx = libctx; - collect_data.keymgmts = keymgmts; - collect_data.keytype = keytype; + collect_data.ctx = ctx; + collect_data.libctx = libctx; + collect_data.keymgmts = keymgmts; + collect_data.keytype = keytype; + collect_data.pq = pq; EVP_KEYMGMT_do_all_provided(libctx, collect_keymgmt, &collect_data); if (collect_data.error_occurred) @@ -496,6 +543,7 @@ static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, ok = 1; err: decoder_clean_pkey_construct_arg(process_data); + ossl_property_free(p2); return ok; } diff --git a/crypto/openssl/crypto/encode_decode/encoder_local.h b/crypto/openssl/crypto/encode_decode/encoder_local.h index a2846d309ea8..11e52cfeec75 100644 --- a/crypto/openssl/crypto/encode_decode/encoder_local.h +++ b/crypto/openssl/crypto/encode_decode/encoder_local.h @@ -109,6 +109,8 @@ struct ossl_decoder_instance_st { const char *input_type; /* Never NULL */ const char *input_structure; /* May be NULL */ int input_type_id; + int order; /* For stable ordering of decoders wrt proqs */ + int score; /* For ordering decoders wrt proqs */ unsigned int flag_input_structure_was_set : 1; }; diff --git a/crypto/openssl/crypto/err/openssl.txt b/crypto/openssl/crypto/err/openssl.txt index 355b20d627db..7e4c7570ddb3 100644 --- a/crypto/openssl/crypto/err/openssl.txt +++ b/crypto/openssl/crypto/err/openssl.txt @@ -1076,6 +1076,7 @@ PROV_R_FAILED_TO_SIGN:175:failed to sign PROV_R_FINAL_CALL_OUT_OF_ORDER:237:final call out of order PROV_R_FIPS_MODULE_CONDITIONAL_ERROR:227:fips module conditional error PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE:224:fips module entering error state +PROV_R_FIPS_MODULE_IMPORT_PCT_ERROR:253:fips module import pct error PROV_R_FIPS_MODULE_IN_ERROR_STATE:225:fips module in error state PROV_R_GENERATE_ERROR:191:generate error PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE:165:\ diff --git a/crypto/openssl/crypto/evp/asymcipher.c b/crypto/openssl/crypto/evp/asymcipher.c index 975170c0aa09..c97ce338fdf8 100644 --- a/crypto/openssl/crypto/evp/asymcipher.c +++ b/crypto/openssl/crypto/evp/asymcipher.c @@ -261,10 +261,12 @@ int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx, cipher = ctx->op.ciph.cipher; desc = cipher->description != NULL ? cipher->description : ""; + ERR_set_mark(); ret = cipher->encrypt(ctx->op.ciph.algctx, out, outlen, (out == NULL ? 0 : *outlen), in, inlen); - if (ret <= 0) + if (ret <= 0 && ERR_count_to_mark() == 0) ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_ASYM_CIPHER_FAILURE, "%s encrypt:%s", cipher->type_name, desc); + ERR_clear_last_mark(); return ret; legacy: @@ -309,10 +311,12 @@ int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx, cipher = ctx->op.ciph.cipher; desc = cipher->description != NULL ? cipher->description : ""; + ERR_set_mark(); ret = cipher->decrypt(ctx->op.ciph.algctx, out, outlen, (out == NULL ? 0 : *outlen), in, inlen); - if (ret <= 0) + if (ret <= 0 && ERR_count_to_mark() == 0) ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_ASYM_CIPHER_FAILURE, "%s decrypt:%s", cipher->type_name, desc); + ERR_clear_last_mark(); return ret; diff --git a/crypto/openssl/crypto/evp/bio_ok.c b/crypto/openssl/crypto/evp/bio_ok.c index 20811ffded6f..d7f6c71ee1ad 100644 --- a/crypto/openssl/crypto/evp/bio_ok.c +++ b/crypto/openssl/crypto/evp/bio_ok.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -560,7 +560,7 @@ static int block_in(BIO *b) { BIO_OK_CTX *ctx; EVP_MD_CTX *md; - unsigned long tl = 0; + size_t tl = 0; unsigned char tmp[EVP_MAX_MD_SIZE]; int md_size; @@ -571,15 +571,18 @@ static int block_in(BIO *b) goto berr; assert(sizeof(tl) >= OK_BLOCK_BLOCK); /* always true */ - tl = ctx->buf[0]; - tl <<= 8; - tl |= ctx->buf[1]; - tl <<= 8; - tl |= ctx->buf[2]; - tl <<= 8; - tl |= ctx->buf[3]; - - if (ctx->buf_len < tl + OK_BLOCK_BLOCK + md_size) + tl = ((size_t)ctx->buf[0] << 24) + | ((size_t)ctx->buf[1] << 16) + | ((size_t)ctx->buf[2] << 8) + | ((size_t)ctx->buf[3]); + + if (tl > OK_BLOCK_SIZE) + goto berr; + + if (tl > SIZE_MAX - OK_BLOCK_BLOCK - (size_t)md_size) + goto berr; + + if (ctx->buf_len < tl + OK_BLOCK_BLOCK + (size_t)md_size) return 1; if (!EVP_DigestUpdate(md, @@ -587,7 +590,7 @@ static int block_in(BIO *b) goto berr; if (!EVP_DigestFinal_ex(md, tmp, NULL)) goto berr; - if (memcmp(&(ctx->buf[tl + OK_BLOCK_BLOCK]), tmp, md_size) == 0) { + if (memcmp(&(ctx->buf[tl + OK_BLOCK_BLOCK]), tmp, (size_t)md_size) == 0) { /* there might be parts from next block lurking around ! */ ctx->buf_off_save = tl + OK_BLOCK_BLOCK + md_size; ctx->buf_len_save = ctx->buf_len; diff --git a/crypto/openssl/crypto/evp/ctrl_params_translate.c b/crypto/openssl/crypto/evp/ctrl_params_translate.c index ed73fc0fbb8d..c846353200b2 100644 --- a/crypto/openssl/crypto/evp/ctrl_params_translate.c +++ b/crypto/openssl/crypto/evp/ctrl_params_translate.c @@ -1356,7 +1356,7 @@ static int fix_rsa_padding_mode(enum state state, if (i == OSSL_NELEM(str_value_map)) { ERR_raise_data(ERR_LIB_RSA, RSA_R_UNKNOWN_PADDING_TYPE, "[action:%d, state:%d] padding name %s", - ctx->action_type, state, ctx->p1); + ctx->action_type, state, (const char *)ctx->p2); ctx->p1 = ret = -2; } else if (state == POST_CTRL_TO_PARAMS) { /* EVP_PKEY_CTRL_GET_RSA_PADDING weirdness explained further up */ diff --git a/crypto/openssl/crypto/evp/keymgmt_meth.c b/crypto/openssl/crypto/evp/keymgmt_meth.c index f54684852b7c..f57153b2c1a1 100644 --- a/crypto/openssl/crypto/evp/keymgmt_meth.c +++ b/crypto/openssl/crypto/evp/keymgmt_meth.c @@ -460,10 +460,12 @@ void *evp_keymgmt_gen(const EVP_KEYMGMT *keymgmt, void *genctx, return NULL; } + ERR_set_mark(); ret = keymgmt->gen(genctx, cb, cbarg); - if (ret == NULL) + if (ret == NULL && ERR_count_to_mark() == 0) ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_KEYMGMT_FAILURE, "%s key generation:%s", keymgmt->type_name, desc); + ERR_clear_last_mark(); return ret; } diff --git a/crypto/openssl/crypto/evp/m_sigver.c b/crypto/openssl/crypto/evp/m_sigver.c index d5df497da770..c27ed6dbe9b2 100644 --- a/crypto/openssl/crypto/evp/m_sigver.c +++ b/crypto/openssl/crypto/evp/m_sigver.c @@ -426,10 +426,12 @@ int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) return 0; } + ERR_set_mark(); ret = signature->digest_sign_update(pctx->op.sig.algctx, data, dsize); - if (ret <= 0) + if (ret <= 0 && ERR_count_to_mark() == 0) ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE, "%s digest_sign_update:%s", signature->type_name, desc); + ERR_clear_last_mark(); return ret; legacy: @@ -470,10 +472,12 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) return 0; } + ERR_set_mark(); ret = signature->digest_verify_update(pctx->op.sig.algctx, data, dsize); - if (ret <= 0) + if (ret <= 0 && ERR_count_to_mark() == 0) ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE, "%s digest_verify_update:%s", signature->type_name, desc); + ERR_clear_last_mark(); return ret; legacy: @@ -523,11 +527,13 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, pctx = dctx; } + ERR_set_mark(); r = signature->digest_sign_final(pctx->op.sig.algctx, sigret, siglen, sigret == NULL ? 0 : *siglen); - if (!r) + if (!r && ERR_count_to_mark() == 0) ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE, "%s digest_sign_final:%s", signature->type_name, desc); + ERR_clear_last_mark(); if (dctx == NULL && sigret != NULL) ctx->flags |= EVP_MD_CTX_FLAG_FINALISED; else @@ -634,11 +640,13 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, if (sigret != NULL) ctx->flags |= EVP_MD_CTX_FLAG_FINALISED; + ERR_set_mark(); ret = signature->digest_sign(pctx->op.sig.algctx, sigret, siglen, sigret == NULL ? 0 : *siglen, tbs, tbslen); - if (ret <= 0) + if (ret <= 0 && ERR_count_to_mark() == 0) ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE, "%s digest_sign:%s", signature->type_name, desc); + ERR_clear_last_mark(); return ret; } } else { @@ -689,10 +697,12 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, pctx = dctx; } + ERR_set_mark(); r = signature->digest_verify_final(pctx->op.sig.algctx, sig, siglen); - if (!r) + if (!r && ERR_count_to_mark() == 0) ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE, "%s digest_verify_final:%s", signature->type_name, desc); + ERR_clear_last_mark(); if (dctx == NULL) ctx->flags |= EVP_MD_CTX_FLAG_FINALISED; else @@ -765,10 +775,12 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, int ret; ctx->flags |= EVP_MD_CTX_FLAG_FINALISED; + ERR_set_mark(); ret = signature->digest_verify(pctx->op.sig.algctx, sigret, siglen, tbs, tbslen); - if (ret <= 0) + if (ret <= 0 && ERR_count_to_mark() == 0) ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE, "%s digest_verify:%s", signature->type_name, desc); + ERR_clear_last_mark(); return ret; } } else { diff --git a/crypto/openssl/crypto/evp/p_lib.c b/crypto/openssl/crypto/evp/p_lib.c index 7f4508169dfa..63953a84e1f5 100644 --- a/crypto/openssl/crypto/evp/p_lib.c +++ b/crypto/openssl/crypto/evp/p_lib.c @@ -1146,15 +1146,14 @@ int EVP_PKEY_can_sign(const EVP_PKEY *pkey) } else { const OSSL_PROVIDER *prov = EVP_KEYMGMT_get0_provider(pkey->keymgmt); OSSL_LIB_CTX *libctx = ossl_provider_libctx(prov); - const char *supported_sig = - pkey->keymgmt->query_operation_name != NULL - ? pkey->keymgmt->query_operation_name(OSSL_OP_SIGNATURE) - : EVP_KEYMGMT_get0_name(pkey->keymgmt); - EVP_SIGNATURE *signature = NULL; - - signature = EVP_SIGNATURE_fetch(libctx, supported_sig, NULL); - if (signature != NULL) { - EVP_SIGNATURE_free(signature); + EVP_SIGNATURE *sig; + const char *name; + + name = evp_keymgmt_util_query_operation_name(pkey->keymgmt, + OSSL_OP_SIGNATURE); + sig = EVP_SIGNATURE_fetch(libctx, name, NULL); + if (sig != NULL) { + EVP_SIGNATURE_free(sig); return 1; } } diff --git a/crypto/openssl/crypto/evp/p_seal.c b/crypto/openssl/crypto/evp/p_seal.c index 94c8462ab457..aa77201a6f41 100644 --- a/crypto/openssl/crypto/evp/p_seal.c +++ b/crypto/openssl/crypto/evp/p_seal.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -55,6 +55,7 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, for (i = 0; i < npubk; i++) { size_t keylen = len; + size_t outlen = EVP_PKEY_get_size(pubk[i]); pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pubk[i], NULL); if (pctx == NULL) { @@ -63,9 +64,9 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, } if (EVP_PKEY_encrypt_init(pctx) <= 0 - || EVP_PKEY_encrypt(pctx, ek[i], &keylen, key, keylen) <= 0) + || EVP_PKEY_encrypt(pctx, ek[i], &outlen, key, keylen) <= 0) goto err; - ekl[i] = (int)keylen; + ekl[i] = (int)outlen; EVP_PKEY_CTX_free(pctx); } pctx = NULL; diff --git a/crypto/openssl/crypto/evp/skeymgmt_meth.c b/crypto/openssl/crypto/evp/skeymgmt_meth.c index 10a320e58a60..9ecab50fa046 100644 --- a/crypto/openssl/crypto/evp/skeymgmt_meth.c +++ b/crypto/openssl/crypto/evp/skeymgmt_meth.c @@ -197,7 +197,7 @@ void EVP_SKEYMGMT_do_all_provided(OSSL_LIB_CTX *libctx, void (*fn)(EVP_SKEYMGMT *skeymgmt, void *arg), void *arg) { - evp_generic_do_all(libctx, OSSL_OP_KEYMGMT, + evp_generic_do_all(libctx, OSSL_OP_SKEYMGMT, (void (*)(void *, void *))fn, arg, skeymgmt_from_algorithm, (int (*)(void *))EVP_SKEYMGMT_up_ref, diff --git a/crypto/openssl/crypto/http/http_lib.c b/crypto/openssl/crypto/http/http_lib.c index fcf8a69e07a8..022b8c194cbe 100644 --- a/crypto/openssl/crypto/http/http_lib.c +++ b/crypto/openssl/crypto/http/http_lib.c @@ -263,6 +263,7 @@ static int use_proxy(const char *no_proxy, const char *server) /* strip leading '[' and trailing ']' from escaped IPv6 address */ sl -= 2; strncpy(host, server + 1, sl); + host[sl] = '\0'; server = host; } diff --git a/crypto/openssl/crypto/info.c b/crypto/openssl/crypto/info.c index 4d70471be255..e760ec094027 100644 --- a/crypto/openssl/crypto/info.c +++ b/crypto/openssl/crypto/info.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -23,6 +23,9 @@ #if defined(__arm__) || defined(__arm) || defined(__aarch64__) # include "arm_arch.h" # define CPU_INFO_STR_LEN 128 +#elif defined(__powerpc__) || defined(__POWERPC__) || defined(_ARCH_PPC) +# include "crypto/ppc_arch.h" +# define CPU_INFO_STR_LEN 128 #elif defined(__s390__) || defined(__s390x__) # include "s390x_arch.h" # define CPU_INFO_STR_LEN 2048 @@ -77,6 +80,15 @@ DEFINE_RUN_ONCE_STATIC(init_info_strings) BIO_snprintf(ossl_cpu_info_str + strlen(ossl_cpu_info_str), sizeof(ossl_cpu_info_str) - strlen(ossl_cpu_info_str), " env:%s", env); +# elif defined(__powerpc__) || defined(__POWERPC__) || defined(_ARCH_PPC) + const char *env; + + BIO_snprintf(ossl_cpu_info_str, sizeof(ossl_cpu_info_str), + CPUINFO_PREFIX "OPENSSL_ppccap=0x%x", OPENSSL_ppccap_P); + if ((env = getenv("OPENSSL_ppccap")) != NULL) + BIO_snprintf(ossl_cpu_info_str + strlen(ossl_cpu_info_str), + sizeof(ossl_cpu_info_str) - strlen(ossl_cpu_info_str), + " env:%s", env); # elif defined(__s390__) || defined(__s390x__) const char *env; diff --git a/crypto/openssl/crypto/ml_dsa/ml_dsa_key.c b/crypto/openssl/crypto/ml_dsa/ml_dsa_key.c index 41df1a956fb8..50e3b5433085 100644 --- a/crypto/openssl/crypto/ml_dsa/ml_dsa_key.c +++ b/crypto/openssl/crypto/ml_dsa/ml_dsa_key.c @@ -311,6 +311,7 @@ int ossl_ml_dsa_key_has(const ML_DSA_KEY *key, int selection) static int public_from_private(const ML_DSA_KEY *key, EVP_MD_CTX *md_ctx, VECTOR *t1, VECTOR *t0) { + int ret = 0; const ML_DSA_PARAMS *params = key->params; uint32_t k = params->k, l = params->l; POLY *polys; @@ -343,9 +344,10 @@ static int public_from_private(const ML_DSA_KEY *key, EVP_MD_CTX *md_ctx, /* Zeroize secret */ vector_zero(&s1_ntt); + ret = 1; err: OPENSSL_free(polys); - return 1; + return ret; } int ossl_ml_dsa_key_public_from_private(ML_DSA_KEY *key) diff --git a/crypto/openssl/crypto/ml_kem/ml_kem.c b/crypto/openssl/crypto/ml_kem/ml_kem.c index 4474af0f87cb..716c3bf4275e 100644 --- a/crypto/openssl/crypto/ml_kem/ml_kem.c +++ b/crypto/openssl/crypto/ml_kem/ml_kem.c @@ -2046,5 +2046,5 @@ int ossl_ml_kem_pubkey_cmp(const ML_KEM_KEY *key1, const ML_KEM_KEY *key2) * No match if just one of the public keys is not available, otherwise both * are unavailable, and for now such keys are considered equal. */ - return (ossl_ml_kem_have_pubkey(key1) ^ ossl_ml_kem_have_pubkey(key2)); + return (!(ossl_ml_kem_have_pubkey(key1) ^ ossl_ml_kem_have_pubkey(key2))); } diff --git a/crypto/openssl/crypto/modes/siv128.c b/crypto/openssl/crypto/modes/siv128.c index 72526b849eaf..4e52d8eb8782 100644 --- a/crypto/openssl/crypto/modes/siv128.c +++ b/crypto/openssl/crypto/modes/siv128.c @@ -202,9 +202,12 @@ int ossl_siv128_init(SIV128_CONTEXT *ctx, const unsigned char *key, int klen, || !EVP_MAC_final(mac_ctx, ctx->d.byte, &out_len, sizeof(ctx->d.byte))) { EVP_CIPHER_CTX_free(ctx->cipher_ctx); + ctx->cipher_ctx = NULL; EVP_MAC_CTX_free(ctx->mac_ctx_init); + ctx->mac_ctx_init = NULL; EVP_MAC_CTX_free(mac_ctx); EVP_MAC_free(ctx->mac); + ctx->mac = NULL; return 0; } EVP_MAC_CTX_free(mac_ctx); diff --git a/crypto/openssl/crypto/pkcs7/pk7_doit.c b/crypto/openssl/crypto/pkcs7/pk7_doit.c index 9fa215a62846..6173e4608b8a 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_doit.c +++ b/crypto/openssl/crypto/pkcs7/pk7_doit.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -361,8 +361,11 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) if (xalg->parameter == NULL) goto err; } - if (EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) <= 0) + if (EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) <= 0) { + ASN1_TYPE_free(xalg->parameter); + xalg->parameter = NULL; goto err; + } } /* Lets do the pub key stuff :-) */ diff --git a/crypto/openssl/crypto/property/property_parse.c b/crypto/openssl/crypto/property/property_parse.c index 3a67754224f0..23963c89bc46 100644 --- a/crypto/openssl/crypto/property/property_parse.c +++ b/crypto/openssl/crypto/property/property_parse.c @@ -641,7 +641,7 @@ static void put_str(const char *str, char **buf, size_t *remain, size_t *needed) } quotes = quote != '\0'; - if (*remain == 0) { + if (*remain <= (size_t)quotes) { *needed += 2 * quotes; return; } diff --git a/crypto/openssl/crypto/provider_core.c b/crypto/openssl/crypto/provider_core.c index 0b675946485c..c71c1e74468d 100644 --- a/crypto/openssl/crypto/provider_core.c +++ b/crypto/openssl/crypto/provider_core.c @@ -562,8 +562,10 @@ OSSL_PROVIDER *ossl_provider_new(OSSL_LIB_CTX *libctx, const char *name, template.parameters = sk_INFOPAIR_deep_copy(p->parameters, infopair_copy, infopair_free); - if (template.parameters == NULL) + if (template.parameters == NULL) { + CRYPTO_THREAD_unlock(store->lock); return NULL; + } break; } CRYPTO_THREAD_unlock(store->lock); @@ -2419,6 +2421,11 @@ static int core_pop_error_to_mark(const OSSL_CORE_HANDLE *handle) return ERR_pop_to_mark(); } +static int core_count_to_mark(const OSSL_CORE_HANDLE *handle) +{ + return ERR_count_to_mark(); +} + static void core_indicator_get_callback(OPENSSL_CORE_CTX *libctx, OSSL_INDICATOR_CALLBACK **cb) { @@ -2600,6 +2607,7 @@ static const OSSL_DISPATCH core_dispatch_[] = { { OSSL_FUNC_CORE_CLEAR_LAST_ERROR_MARK, (void (*)(void))core_clear_last_error_mark }, { OSSL_FUNC_CORE_POP_ERROR_TO_MARK, (void (*)(void))core_pop_error_to_mark }, + { OSSL_FUNC_CORE_COUNT_TO_MARK, (void (*)(void))core_count_to_mark }, { OSSL_FUNC_BIO_NEW_FILE, (void (*)(void))ossl_core_bio_new_file }, { OSSL_FUNC_BIO_NEW_MEMBUF, (void (*)(void))ossl_core_bio_new_mem_buf }, { OSSL_FUNC_BIO_READ_EX, (void (*)(void))ossl_core_bio_read_ex }, diff --git a/crypto/openssl/crypto/rand/randfile.c b/crypto/openssl/crypto/rand/randfile.c index 9337b36dc8b9..236c1b0c5420 100644 --- a/crypto/openssl/crypto/rand/randfile.c +++ b/crypto/openssl/crypto/rand/randfile.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -167,6 +167,10 @@ int RAND_load_file(const char *file, long bytes) /* If given a bytecount, and we did it, break. */ if (bytes > 0 && (bytes -= i) <= 0) break; + + /* We can hit a signed integer overflow on the next iteration */ + if (ret > INT_MAX - RAND_LOAD_BUF_SIZE) + break; } OPENSSL_cleanse(buf, sizeof(buf)); diff --git a/crypto/openssl/crypto/riscv32cpuid.pl b/crypto/openssl/crypto/riscv32cpuid.pl index 5ee7df0ea63b..9d42ef6b8950 100644 --- a/crypto/openssl/crypto/riscv32cpuid.pl +++ b/crypto/openssl/crypto/riscv32cpuid.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -94,7 +94,8 @@ $code .= <<___; .globl riscv_vlen_asm .type riscv_vlen_asm,\@function riscv_vlen_asm: - csrr $ret, vlenb + # 0xc22 is CSR vlenb + csrr $ret, 0xc22 slli $ret, $ret, 3 ret .size riscv_vlen_asm,.-riscv_vlen_asm diff --git a/crypto/openssl/crypto/riscv64cpuid.pl b/crypto/openssl/crypto/riscv64cpuid.pl index 5dcdc5c584cd..5c0d3c429a89 100644 --- a/crypto/openssl/crypto/riscv64cpuid.pl +++ b/crypto/openssl/crypto/riscv64cpuid.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -94,7 +94,8 @@ $code .= <<___; .globl riscv_vlen_asm .type riscv_vlen_asm,\@function riscv_vlen_asm: - csrr $ret, vlenb + # 0xc22 is CSR vlenb + csrr $ret, 0xc22 slli $ret, $ret, 3 ret .size riscv_vlen_asm,.-riscv_vlen_asm diff --git a/crypto/openssl/crypto/rsa/rsa_pmeth.c b/crypto/openssl/crypto/rsa/rsa_pmeth.c index 8f89f748e7aa..6a2d0327d5ef 100644 --- a/crypto/openssl/crypto/rsa/rsa_pmeth.c +++ b/crypto/openssl/crypto/rsa/rsa_pmeth.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -228,7 +228,7 @@ static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, return -1; ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa, RSA_X931_PADDING); - if (ret < 1) + if (ret <= 0) return 0; ret--; if (rctx->tbuf[ret] != RSA_X931_hash_id(EVP_MD_get_type(rctx->md))) { @@ -255,7 +255,7 @@ static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, } else { ret = RSA_public_decrypt(siglen, sig, rout, rsa, rctx->pad_mode); } - if (ret < 0) + if (ret <= 0) return ret; *routlen = ret; return 1; @@ -313,7 +313,7 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, return -1; rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa, rctx->pad_mode); - if (rslen == 0) + if (rslen <= 0) return 0; } diff --git a/crypto/openssl/crypto/rsa/rsa_sign.c b/crypto/openssl/crypto/rsa/rsa_sign.c index 78e4bad69e49..bb6e99acf9d3 100644 --- a/crypto/openssl/crypto/rsa/rsa_sign.c +++ b/crypto/openssl/crypto/rsa/rsa_sign.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -129,7 +129,7 @@ static const unsigned char digestinfo_ripemd160_der[] = { # ifndef OPENSSL_NO_SM3 /* SM3 (1 2 156 10197 1 401) */ static const unsigned char digestinfo_sm3_der[] = { - ASN1_SEQUENCE, 0x0f + SM3_DIGEST_LENGTH, + ASN1_SEQUENCE, 0x10 + SM3_DIGEST_LENGTH, ASN1_SEQUENCE, 0x0c, ASN1_OID, 0x08, 1 * 40 + 2, 0x81, 0x1c, 0xcf, 0x55, 1, 0x83, 0x78, ASN1_NULL, 0x00, diff --git a/crypto/openssl/crypto/sleep.c b/crypto/openssl/crypto/sleep.c index dbd0f7802576..08fb064d8331 100644 --- a/crypto/openssl/crypto/sleep.c +++ b/crypto/openssl/crypto/sleep.c @@ -1,5 +1,5 @@ /* - * Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -9,9 +9,10 @@ #include <openssl/crypto.h> #include "internal/e_os.h" +#include "internal/time.h" /* system-specific variants defining OSSL_sleep() */ -#if defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__) +#if (defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__)) && !defined(OPENSSL_USE_SLEEP_BUSYLOOP) # if defined(OPENSSL_USE_USLEEP) \ || defined(__DJGPP__) \ @@ -26,7 +27,7 @@ */ # include <unistd.h> -void OSSL_sleep(uint64_t millis) +static void ossl_sleep_millis(uint64_t millis) { unsigned int s = (unsigned int)(millis / 1000); unsigned int us = (unsigned int)((millis % 1000) * 1000); @@ -45,7 +46,7 @@ void OSSL_sleep(uint64_t millis) # elif defined(__TANDEM) && !defined(_REENTRANT) # include <cextdecs.h(PROCESS_DELAY_)> -void OSSL_sleep(uint64_t millis) +static void ossl_sleep_millis(uint64_t millis) { /* HPNS does not support usleep for non threaded apps */ PROCESS_DELAY_(millis * 1000); @@ -55,7 +56,7 @@ void OSSL_sleep(uint64_t millis) /* nanosleep is defined by POSIX.1-2001 */ # include <time.h> -void OSSL_sleep(uint64_t millis) +static void ossl_sleep_millis(uint64_t millis) { struct timespec ts; @@ -68,7 +69,7 @@ void OSSL_sleep(uint64_t millis) #elif defined(_WIN32) && !defined(OPENSSL_SYS_UEFI) # include <windows.h> -void OSSL_sleep(uint64_t millis) +static void ossl_sleep_millis(uint64_t millis) { /* * Windows' Sleep() takes a DWORD argument, which is smaller than @@ -83,7 +84,7 @@ void OSSL_sleep(uint64_t millis) #else /* Fallback to a busy wait */ -# include "internal/time.h" +# define USE_SLEEP_SECS static void ossl_sleep_secs(uint64_t secs) { @@ -107,10 +108,28 @@ static void ossl_sleep_millis(uint64_t millis) while (ossl_time_compare(ossl_time_now(), finish) < 0) /* busy wait */ ; } +#endif /* defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__) */ void OSSL_sleep(uint64_t millis) { - ossl_sleep_secs(millis / 1000); - ossl_sleep_millis(millis % 1000); + OSSL_TIME now = ossl_time_now(); + OSSL_TIME finish = ossl_time_add(now, ossl_ms2time(millis)); + uint64_t left = millis; + +#if defined(USE_SLEEP_SECS) + do { + ossl_sleep_secs(left / 1000); + now = ossl_time_now(); + left = ossl_time2ms(ossl_time_subtract(finish, now)); + } while (ossl_time_compare(now, finish) < 0 && left > 1000); + + if (ossl_time_compare(now, finish) >= 0) + return; +#endif + + do { + ossl_sleep_millis(left); + now = ossl_time_now(); + left = ossl_time2ms(ossl_time_subtract(finish, now)); + } while (ossl_time_compare(now, finish) < 0); } -#endif /* defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__) */ diff --git a/crypto/openssl/crypto/slh_dsa/slh_dsa_key.c b/crypto/openssl/crypto/slh_dsa/slh_dsa_key.c index d71d55c25829..73c538acca75 100644 --- a/crypto/openssl/crypto/slh_dsa/slh_dsa_key.c +++ b/crypto/openssl/crypto/slh_dsa/slh_dsa_key.c @@ -77,6 +77,17 @@ static void slh_dsa_key_hash_dup(SLH_DSA_KEY *dst, const SLH_DSA_KEY *src) } /** + * @brief Return the libctx associated with a SLH_DSA_KEY object + * + * @param key A SLH_DSA_KEY to extract the libctx from. + * @returns The new OSSL_LIB_CTX object on success, or NULL failure + */ +OSSL_LIB_CTX *ossl_slh_dsa_key_get0_libctx(const SLH_DSA_KEY *key) +{ + return key != NULL ? key->libctx : NULL; +} + +/** * @brief Create a new SLH_DSA_KEY object * * @param libctx A OSSL_LIB_CTX object used for fetching algorithms. @@ -235,6 +246,15 @@ int ossl_slh_dsa_key_pairwise_check(const SLH_DSA_KEY *key) return ret; } +void ossl_slh_dsa_key_reset(SLH_DSA_KEY *key) +{ + key->pub = NULL; + if (key->has_priv) { + key->has_priv = 0; + OPENSSL_cleanse(key->priv, sizeof(key->priv)); + } +} + /** * @brief Load a SLH_DSA key from raw data. * @@ -293,9 +313,7 @@ int ossl_slh_dsa_key_fromdata(SLH_DSA_KEY *key, const OSSL_PARAM params[], key->pub = p; return 1; err: - key->pub = NULL; - key->has_priv = 0; - OPENSSL_cleanse(key->priv, priv_len); + ossl_slh_dsa_key_reset(key); return 0; } diff --git a/crypto/openssl/crypto/slh_dsa/slh_hash.c b/crypto/openssl/crypto/slh_dsa/slh_hash.c index 6a8d6bab03c1..8eb8ab4e8604 100644 --- a/crypto/openssl/crypto/slh_dsa/slh_hash.c +++ b/crypto/openssl/crypto/slh_dsa/slh_hash.c @@ -158,6 +158,9 @@ slh_hmsg_sha2(SLH_DSA_HASH_CTX *hctx, const uint8_t *r, const uint8_t *pk_seed, int sz = EVP_MD_get_size(hctx->key->md_big); size_t seed_len = (size_t)sz + 2 * n; + if (sz <= 0) + return 0; + memcpy(seed, r, n); memcpy(seed + n, pk_seed, n); return digest_4(hctx->md_big_ctx, r, n, pk_seed, n, pk_root, n, msg, msg_len, diff --git a/crypto/openssl/crypto/sm2/sm2_sign.c b/crypto/openssl/crypto/sm2/sm2_sign.c index 28cf95cc48c9..7c49128b47db 100644 --- a/crypto/openssl/crypto/sm2/sm2_sign.c +++ b/crypto/openssl/crypto/sm2/sm2_sign.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2017 Ribose Inc. All Rights Reserved. * Ported from Ribose contributions from Botan. * @@ -220,6 +220,10 @@ static ECDSA_SIG *sm2_sig_gen(const EC_KEY *key, const BIGNUM *e) BIGNUM *tmp = NULL; OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key); + if (dA == NULL) { + ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_PRIVATE_KEY); + goto done; + } kG = EC_POINT_new(group); if (kG == NULL) { ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB); diff --git a/crypto/openssl/crypto/store/store_lib.c b/crypto/openssl/crypto/store/store_lib.c index 505d606f4a9b..ebf170c3e8f1 100644 --- a/crypto/openssl/crypto/store/store_lib.c +++ b/crypto/openssl/crypto/store/store_lib.c @@ -428,12 +428,6 @@ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx) if (ctx->loader != NULL) OSSL_TRACE(STORE, "Loading next object\n"); - if (ctx->cached_info != NULL - && sk_OSSL_STORE_INFO_num(ctx->cached_info) == 0) { - sk_OSSL_STORE_INFO_free(ctx->cached_info); - ctx->cached_info = NULL; - } - if (ctx->cached_info != NULL) { v = sk_OSSL_STORE_INFO_shift(ctx->cached_info); } else { @@ -556,14 +550,23 @@ int OSSL_STORE_error(OSSL_STORE_CTX *ctx) int OSSL_STORE_eof(OSSL_STORE_CTX *ctx) { - int ret = 1; + int ret = 0; - if (ctx->fetched_loader != NULL) - ret = ctx->loader->p_eof(ctx->loader_ctx); + if (ctx->cached_info != NULL + && sk_OSSL_STORE_INFO_num(ctx->cached_info) == 0) { + sk_OSSL_STORE_INFO_free(ctx->cached_info); + ctx->cached_info = NULL; + } + + if (ctx->cached_info == NULL) { + ret = 1; + if (ctx->fetched_loader != NULL) + ret = ctx->loader->p_eof(ctx->loader_ctx); #ifndef OPENSSL_NO_DEPRECATED_3_0 - if (ctx->fetched_loader == NULL) - ret = ctx->loader->eof(ctx->loader_ctx); + if (ctx->fetched_loader == NULL) + ret = ctx->loader->eof(ctx->loader_ctx); #endif + } return ret != 0; } diff --git a/crypto/openssl/crypto/threads_pthread.c b/crypto/openssl/crypto/threads_pthread.c index 44d6ebe09231..ace2dc499061 100644 --- a/crypto/openssl/crypto/threads_pthread.c +++ b/crypto/openssl/crypto/threads_pthread.c @@ -62,8 +62,10 @@ __tsan_mutex_post_lock((x), 0, 0) /* * The Non-Stop KLT thread model currently seems broken in its rwlock * implementation + * Likewise is there a problem with the glibc implementation on riscv. */ -# if defined(PTHREAD_RWLOCK_INITIALIZER) && !defined(_KLT_MODEL_) +# if defined(PTHREAD_RWLOCK_INITIALIZER) && !defined(_KLT_MODEL_) \ + && !defined(__riscv) # define USE_RWLOCK # endif @@ -279,7 +281,7 @@ static struct rcu_qp *get_hold_current_qp(struct rcu_lock_st *lock) /* if the idx hasn't changed, we're good, else try again */ if (qp_idx == ATOMIC_LOAD_N(uint32_t, &lock->reader_idx, - __ATOMIC_RELAXED)) + __ATOMIC_ACQUIRE)) break; ATOMIC_SUB_FETCH(&lock->qp_group[qp_idx].users, (uint64_t)1, @@ -403,8 +405,12 @@ static struct rcu_qp *update_qp(CRYPTO_RCU_LOCK *lock, uint32_t *curr_id) *curr_id = lock->id_ctr; lock->id_ctr++; + /* + * make the current state of everything visible by this release + * when get_hold_current_qp acquires the next qp + */ ATOMIC_STORE_N(uint32_t, &lock->reader_idx, lock->current_alloc_idx, - __ATOMIC_RELAXED); + __ATOMIC_RELEASE); /* * this should make sure that the new value of reader_idx is visible in diff --git a/crypto/openssl/crypto/x509/by_store.c b/crypto/openssl/crypto/x509/by_store.c index def06be1fe8c..0e5627ebc37d 100644 --- a/crypto/openssl/crypto/x509/by_store.c +++ b/crypto/openssl/crypto/x509/by_store.c @@ -17,7 +17,6 @@ typedef struct cached_store_st { char *uri; OSSL_LIB_CTX *libctx; char *propq; - OSSL_STORE_CTX *ctx; } CACHED_STORE; DEFINE_STACK_OF(CACHED_STORE) @@ -27,14 +26,12 @@ static int cache_objects(X509_LOOKUP *lctx, CACHED_STORE *store, const OSSL_STORE_SEARCH *criterion, int depth) { int ok = 0; - OSSL_STORE_CTX *ctx = store->ctx; + OSSL_STORE_CTX *ctx; X509_STORE *xstore = X509_LOOKUP_get_store(lctx); - if (ctx == NULL - && (ctx = OSSL_STORE_open_ex(store->uri, store->libctx, store->propq, - NULL, NULL, NULL, NULL, NULL)) == NULL) + if ((ctx = OSSL_STORE_open_ex(store->uri, store->libctx, store->propq, + NULL, NULL, NULL, NULL, NULL)) == NULL) return 0; - store->ctx = ctx; /* * We try to set the criterion, but don't care if it was valid or not. @@ -79,7 +76,6 @@ static int cache_objects(X509_LOOKUP *lctx, CACHED_STORE *store, substore.uri = (char *)OSSL_STORE_INFO_get0_NAME(info); substore.libctx = store->libctx; substore.propq = store->propq; - substore.ctx = NULL; ok = cache_objects(lctx, &substore, criterion, depth - 1); } } else { @@ -105,7 +101,6 @@ static int cache_objects(X509_LOOKUP *lctx, CACHED_STORE *store, break; } OSSL_STORE_close(ctx); - store->ctx = NULL; return ok; } @@ -114,7 +109,6 @@ static int cache_objects(X509_LOOKUP *lctx, CACHED_STORE *store, static void free_store(CACHED_STORE *store) { if (store != NULL) { - OSSL_STORE_close(store->ctx); OPENSSL_free(store->uri); OPENSSL_free(store->propq); OPENSSL_free(store); @@ -136,6 +130,7 @@ static int by_store_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp, if (argp != NULL) { STACK_OF(CACHED_STORE) *stores = X509_LOOKUP_get_method_data(ctx); CACHED_STORE *store = OPENSSL_zalloc(sizeof(*store)); + OSSL_STORE_CTX *sctx; if (store == NULL) { return 0; @@ -145,14 +140,20 @@ static int by_store_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp, store->libctx = libctx; if (propq != NULL) store->propq = OPENSSL_strdup(propq); - store->ctx = OSSL_STORE_open_ex(argp, libctx, propq, NULL, NULL, - NULL, NULL, NULL); - if (store->ctx == NULL + /* + * We open this to check for errors now - so we can report those + * errors early. + */ + sctx = OSSL_STORE_open_ex(argp, libctx, propq, NULL, NULL, + NULL, NULL, NULL); + if (sctx == NULL || (propq != NULL && store->propq == NULL) || store->uri == NULL) { + OSSL_STORE_close(sctx); free_store(store); return 0; } + OSSL_STORE_close(sctx); if (stores == NULL) { stores = sk_CACHED_STORE_new_null(); @@ -174,7 +175,6 @@ static int by_store_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp, store.uri = (char *)argp; store.libctx = libctx; store.propq = (char *)propq; - store.ctx = NULL; return cache_objects(ctx, &store, NULL, 0); } default: @@ -218,8 +218,14 @@ static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, OSSL_STORE_SEARCH_free(criterion); - if (ok) + if (ok) { + X509_STORE *store = X509_LOOKUP_get_store(ctx); + + if (!ossl_x509_store_read_lock(store)) + return 0; tmp = X509_OBJECT_retrieve_by_subject(store_objects, type, name); + X509_STORE_unlock(store); + } ok = 0; if (tmp != NULL) { diff --git a/crypto/openssl/crypto/x509/t_req.c b/crypto/openssl/crypto/x509/t_req.c index 63626c0d9810..c6b73c1d6208 100644 --- a/crypto/openssl/crypto/x509/t_req.c +++ b/crypto/openssl/crypto/x509/t_req.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -40,7 +40,7 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, long l; int i; EVP_PKEY *pkey; - STACK_OF(X509_EXTENSION) *exts; + STACK_OF(X509_EXTENSION) *exts = NULL; char mlch = ' '; int nmindent = 0, printok = 0; @@ -191,6 +191,7 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, goto err; } sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); + exts = NULL; } } @@ -204,6 +205,7 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, return 1; err: + sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); ERR_raise(ERR_LIB_X509, ERR_R_BUF_LIB); return 0; } diff --git a/crypto/openssl/crypto/x509/t_x509.c b/crypto/openssl/crypto/x509/t_x509.c index 7d693669cd36..d849e642ce8b 100644 --- a/crypto/openssl/crypto/x509/t_x509.c +++ b/crypto/openssl/crypto/x509/t_x509.c @@ -219,7 +219,8 @@ int X509_ocspid_print(BIO *bp, X509 *x) goto err; if ((der = dertmp = OPENSSL_malloc(derlen)) == NULL) goto err; - i2d_X509_NAME(subj, &dertmp); + if (i2d_X509_NAME(subj, &dertmp) < 0) + goto err; md = EVP_MD_fetch(x->libctx, SN_sha1, x->propq); if (md == NULL) diff --git a/crypto/openssl/crypto/x509/v3_attrdesc.c b/crypto/openssl/crypto/x509/v3_attrdesc.c index 45958e9affdc..0745e9acdb60 100644 --- a/crypto/openssl/crypto/x509/v3_attrdesc.c +++ b/crypto/openssl/crypto/x509/v3_attrdesc.c @@ -1,5 +1,5 @@ /* - * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -67,6 +67,8 @@ static int i2r_HASH(X509V3_EXT_METHOD *method, } if (BIO_printf(out, "%*sHash Value: ", indent, "") <= 0) return 0; + if (hash->hashValue == NULL) + return 0; return ossl_bio_print_hex(out, hash->hashValue->data, hash->hashValue->length); } diff --git a/crypto/openssl/crypto/x509/v3_purp.c b/crypto/openssl/crypto/x509/v3_purp.c index 4688aaeea412..1db22047cf0f 100644 --- a/crypto/openssl/crypto/x509/v3_purp.c +++ b/crypto/openssl/crypto/x509/v3_purp.c @@ -186,7 +186,7 @@ int X509_PURPOSE_add(int id, int trust, int flags, return 0; } if (trust < X509_TRUST_DEFAULT || name == NULL || sname == NULL || ck == NULL) { - ERR_raise(ERR_LIB_X509, ERR_R_PASSED_INVALID_ARGUMENT); + ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_INVALID_ARGUMENT); return 0; } diff --git a/crypto/openssl/crypto/x509/x509_ext.c b/crypto/openssl/crypto/x509/x509_ext.c index a7b85857bdad..1d40cb5c3811 100644 --- a/crypto/openssl/crypto/x509/x509_ext.c +++ b/crypto/openssl/crypto/x509/x509_ext.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -42,9 +42,21 @@ X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc) return X509v3_get_ext(x->crl.extensions, loc); } +static X509_EXTENSION *delete_ext(STACK_OF(X509_EXTENSION) **sk, int loc) +{ + X509_EXTENSION *ret = X509v3_delete_ext(*sk, loc); + + /* Empty extension lists are omitted. */ + if (*sk != NULL && sk_X509_EXTENSION_num(*sk) == 0) { + sk_X509_EXTENSION_pop_free(*sk, X509_EXTENSION_free); + *sk = NULL; + } + return ret; +} + X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc) { - return X509v3_delete_ext(x->crl.extensions, loc); + return delete_ext(&x->crl.extensions, loc); } void *X509_CRL_get_ext_d2i(const X509_CRL *x, int nid, int *crit, int *idx) @@ -91,7 +103,7 @@ X509_EXTENSION *X509_get_ext(const X509 *x, int loc) X509_EXTENSION *X509_delete_ext(X509 *x, int loc) { - return X509v3_delete_ext(x->cert_info.extensions, loc); + return delete_ext(&x->cert_info.extensions, loc); } int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc) @@ -139,7 +151,7 @@ X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, int loc) X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc) { - return X509v3_delete_ext(x->extensions, loc); + return delete_ext(&x->extensions, loc); } int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc) diff --git a/crypto/openssl/crypto/x509/x509_local.h b/crypto/openssl/crypto/x509/x509_local.h index 1393da201339..ca56f478874c 100644 --- a/crypto/openssl/crypto/x509/x509_local.h +++ b/crypto/openssl/crypto/x509/x509_local.h @@ -159,3 +159,4 @@ int ossl_x509_likely_issued(X509 *issuer, X509 *subject); int ossl_x509_signing_allowed(const X509 *issuer, const X509 *subject); int ossl_x509_store_ctx_get_by_subject(const X509_STORE_CTX *ctx, X509_LOOKUP_TYPE type, const X509_NAME *name, X509_OBJECT *ret); +int ossl_x509_store_read_lock(X509_STORE *xs); diff --git a/crypto/openssl/crypto/x509/x509_lu.c b/crypto/openssl/crypto/x509/x509_lu.c index 9270a0745fbb..eb2d47955b2e 100644 --- a/crypto/openssl/crypto/x509/x509_lu.c +++ b/crypto/openssl/crypto/x509/x509_lu.c @@ -44,7 +44,7 @@ int X509_STORE_lock(X509_STORE *xs) return CRYPTO_THREAD_write_lock(xs->lock); } -static int x509_store_read_lock(X509_STORE *xs) +int ossl_x509_store_read_lock(X509_STORE *xs) { return CRYPTO_THREAD_read_lock(xs->lock); } @@ -331,7 +331,7 @@ int ossl_x509_store_ctx_get_by_subject(const X509_STORE_CTX *ctx, X509_LOOKUP_TY stmp.type = X509_LU_NONE; stmp.data.x509 = NULL; - if (!x509_store_read_lock(store)) + if (!ossl_x509_store_read_lock(store)) return 0; /* Should already be sorted...but just in case */ if (!sk_X509_OBJECT_is_sorted(store->objs)) { @@ -408,7 +408,6 @@ static int x509_store_add(X509_STORE *store, void *x, int crl) } if (!X509_STORE_lock(store)) { - obj->type = X509_LU_NONE; X509_OBJECT_free(obj); return 0; } @@ -604,7 +603,7 @@ STACK_OF(X509_OBJECT) *X509_STORE_get1_objects(X509_STORE *store) return NULL; } - if (!x509_store_read_lock(store)) + if (!ossl_x509_store_read_lock(store)) return NULL; objs = sk_X509_OBJECT_deep_copy(store->objs, x509_object_dup, diff --git a/crypto/openssl/crypto/x509/x509_vpm.c b/crypto/openssl/crypto/x509/x509_vpm.c index 6f1cfd9320ee..efe08ff68315 100644 --- a/crypto/openssl/crypto/x509/x509_vpm.c +++ b/crypto/openssl/crypto/x509/x509_vpm.c @@ -635,6 +635,11 @@ const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id) { int num = OSSL_NELEM(default_table); + if (id < 0) { + ERR_raise(ERR_LIB_X509, ERR_R_PASSED_INVALID_ARGUMENT); + return NULL; + } + if (id < num) return default_table + id; return sk_X509_VERIFY_PARAM_value(param_table, id - num); diff --git a/crypto/openssl/crypto/x509/x_crl.c b/crypto/openssl/crypto/x509/x_crl.c index 2601a019f87e..7af3e9a7e7f2 100644 --- a/crypto/openssl/crypto/x509/x_crl.c +++ b/crypto/openssl/crypto/x509/x_crl.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -289,6 +289,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp) { int idp_only = 0; + int ret = 0; /* Set various flags according to IDP */ crl->idp_flags |= IDP_PRESENT; @@ -320,7 +321,17 @@ static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp) crl->idp_reasons &= CRLDP_ALL_REASONS; } - return DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl)); + ret = DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl)); + + /* + * RFC5280 specifies that if onlyContainsUserCerts, onlyContainsCACerts, + * indirectCRL, and OnlyContainsAttributeCerts are all FALSE, there must + * be either a distributionPoint field or an onlySomeReasons field present. + */ + if (crl->idp_flags == IDP_PRESENT && idp->distpoint == NULL) + crl->idp_flags |= IDP_INVALID; + + return ret; } ASN1_SEQUENCE_ref(X509_CRL, crl_cb) = { diff --git a/crypto/openssl/demos/bio/saccept.c b/crypto/openssl/demos/bio/saccept.c index 604051cda966..b0c930d6ce00 100644 --- a/crypto/openssl/demos/bio/saccept.c +++ b/crypto/openssl/demos/bio/saccept.c @@ -1,5 +1,5 @@ /* - * Copyright 1998-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -53,7 +53,8 @@ int main(int argc, char *argv[]) { char *port = NULL; BIO *in = NULL; - BIO *ssl_bio, *tmp; + BIO *ssl_bio = NULL; + BIO *tmp; SSL_CTX *ctx; char buf[512]; int ret = EXIT_FAILURE, i; @@ -83,6 +84,7 @@ int main(int argc, char *argv[]) * Basically it means the SSL BIO will be automatically setup */ BIO_set_accept_bios(in, ssl_bio); + ssl_bio = NULL; /* Arrange to leave server loop on interrupt */ sigsetup(); @@ -121,5 +123,6 @@ int main(int argc, char *argv[]) if (ret != EXIT_SUCCESS) ERR_print_errors_fp(stderr); BIO_free(in); + BIO_free_all(ssl_bio); return ret; } diff --git a/crypto/openssl/demos/bio/server-arg.c b/crypto/openssl/demos/bio/server-arg.c index 60a87725a9de..ccf59b14056b 100644 --- a/crypto/openssl/demos/bio/server-arg.c +++ b/crypto/openssl/demos/bio/server-arg.c @@ -1,5 +1,5 @@ /* - * Copyright 2013-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2013-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -23,7 +23,8 @@ int main(int argc, char *argv[]) { char *port = "*:4433"; - BIO *ssl_bio, *tmp; + BIO *ssl_bio = NULL; + BIO *tmp; SSL_CTX *ctx; SSL_CONF_CTX *cctx; char buf[512]; @@ -105,6 +106,7 @@ int main(int argc, char *argv[]) * Basically it means the SSL BIO will be automatically setup */ BIO_set_accept_bios(in, ssl_bio); + ssl_bio = NULL; again: /* @@ -140,5 +142,6 @@ int main(int argc, char *argv[]) if (ret != EXIT_SUCCESS) ERR_print_errors_fp(stderr); BIO_free(in); + BIO_free_all(ssl_bio); return ret; } diff --git a/crypto/openssl/demos/bio/server-cmod.c b/crypto/openssl/demos/bio/server-cmod.c index 3642fbacf6ce..4970a6b6466b 100644 --- a/crypto/openssl/demos/bio/server-cmod.c +++ b/crypto/openssl/demos/bio/server-cmod.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -24,7 +24,8 @@ int main(int argc, char *argv[]) unsigned char buf[512]; char *port = "*:4433"; BIO *in = NULL; - BIO *ssl_bio, *tmp; + BIO *ssl_bio = NULL; + BIO *tmp; SSL_CTX *ctx; int ret = EXIT_FAILURE, i; @@ -52,6 +53,7 @@ int main(int argc, char *argv[]) * Basically it means the SSL BIO will be automatically setup */ BIO_set_accept_bios(in, ssl_bio); + ssl_bio = NULL; again: /* @@ -90,5 +92,6 @@ int main(int argc, char *argv[]) if (ret != EXIT_SUCCESS) ERR_print_errors_fp(stderr); BIO_free(in); + BIO_free_all(ssl_bio); return ret; } diff --git a/crypto/openssl/demos/bio/server-conf.c b/crypto/openssl/demos/bio/server-conf.c index 5e07a15e7bc7..2c03d1d367cc 100644 --- a/crypto/openssl/demos/bio/server-conf.c +++ b/crypto/openssl/demos/bio/server-conf.c @@ -1,5 +1,5 @@ /* - * Copyright 2013-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2013-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -25,7 +25,8 @@ int main(int argc, char *argv[]) { char *port = "*:4433"; BIO *in = NULL; - BIO *ssl_bio, *tmp; + BIO *ssl_bio = NULL; + BIO *tmp; SSL_CTX *ctx; SSL_CONF_CTX *cctx = NULL; CONF *conf = NULL; @@ -97,6 +98,7 @@ int main(int argc, char *argv[]) * Basically it means the SSL BIO will be automatically setup */ BIO_set_accept_bios(in, ssl_bio); + ssl_bio = NULL; again: /* @@ -135,5 +137,6 @@ int main(int argc, char *argv[]) if (ret != EXIT_SUCCESS) ERR_print_errors_fp(stderr); BIO_free(in); + BIO_free_all(ssl_bio); return ret; } diff --git a/crypto/openssl/demos/certs/mkcerts.sh b/crypto/openssl/demos/certs/mkcerts.sh index 1825607fa33c..89300a6c52c5 100644 --- a/crypto/openssl/demos/certs/mkcerts.sh +++ b/crypto/openssl/demos/certs/mkcerts.sh @@ -1,7 +1,7 @@ #!/bin/sh opensslcmd() { - LD_LIBRARY_PATH=../.. ../../apps/openssl $@ + LD_LIBRARY_PATH=../.. ../../apps/openssl "$@" } OPENSSL_CONF=../../apps/openssl.cnf diff --git a/crypto/openssl/demos/certs/ocspquery.sh b/crypto/openssl/demos/certs/ocspquery.sh index 7cb8e76423bb..b38e10ce2ef5 100644 --- a/crypto/openssl/demos/certs/ocspquery.sh +++ b/crypto/openssl/demos/certs/ocspquery.sh @@ -4,7 +4,7 @@ # called. opensslcmd() { - LD_LIBRARY_PATH=../.. ../../apps/openssl $@ + LD_LIBRARY_PATH=../.. ../../apps/openssl "$@" } OPENSSL_CONF=../../apps/openssl.cnf diff --git a/crypto/openssl/demos/certs/ocsprun.sh b/crypto/openssl/demos/certs/ocsprun.sh index 77fd62fcf1bb..b2e927cd84da 100644 --- a/crypto/openssl/demos/certs/ocsprun.sh +++ b/crypto/openssl/demos/certs/ocsprun.sh @@ -1,7 +1,7 @@ #!/bin/sh opensslcmd() { - LD_LIBRARY_PATH=../.. ../../apps/openssl $@ + LD_LIBRARY_PATH=../.. ../../apps/openssl "$@" } # Example of running an querying OpenSSL test OCSP responder. @@ -18,4 +18,4 @@ opensslcmd version PORT=8888 opensslcmd ocsp -port $PORT -index index.txt -CA intca.pem \ - -rsigner resp.pem -rkey respkey.pem -rother intca.pem $* + -rsigner resp.pem -rkey respkey.pem -rother intca.pem "$@" diff --git a/crypto/openssl/demos/cms/cms_ddec.c b/crypto/openssl/demos/cms/cms_ddec.c index d119e9722226..dd8ef90b6e3f 100644 --- a/crypto/openssl/demos/cms/cms_ddec.c +++ b/crypto/openssl/demos/cms/cms_ddec.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -58,7 +58,7 @@ int main(int argc, char **argv) /* Open file containing detached content */ dcont = BIO_new_file("smencr.out", "rb"); - if (!in) + if (dcont == NULL) goto err; out = BIO_new_file("encrout.txt", "w"); diff --git a/crypto/openssl/demos/cms/cms_denc.c b/crypto/openssl/demos/cms/cms_denc.c index 53b680f67484..e451a108fd46 100644 --- a/crypto/openssl/demos/cms/cms_denc.c +++ b/crypto/openssl/demos/cms/cms_denc.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -57,7 +57,7 @@ int main(int argc, char **argv) dout = BIO_new_file("smencr.out", "wb"); - if (!in) + if (in == NULL || dout == NULL) goto err; /* encrypt content */ diff --git a/crypto/openssl/demos/pkey/EVP_PKEY_RSA_keygen.c b/crypto/openssl/demos/pkey/EVP_PKEY_RSA_keygen.c index 62dd8405e77b..a889ab6f77d4 100644 --- a/crypto/openssl/demos/pkey/EVP_PKEY_RSA_keygen.c +++ b/crypto/openssl/demos/pkey/EVP_PKEY_RSA_keygen.c @@ -1,5 +1,5 @@ /*- - * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -254,7 +254,7 @@ int main(int argc, char **argv) if (argc > 1) { bits_i = atoi(argv[1]); - if (bits < 512) { + if (bits_i < 512) { fprintf(stderr, "Invalid RSA key size\n"); return EXIT_FAILURE; } diff --git a/crypto/openssl/doc/internal/man3/ossl_namemap_new.pod b/crypto/openssl/doc/internal/man3/ossl_namemap_new.pod index 7f4940fc9341..8879c592106b 100644 --- a/crypto/openssl/doc/internal/man3/ossl_namemap_new.pod +++ b/crypto/openssl/doc/internal/man3/ossl_namemap_new.pod @@ -4,7 +4,7 @@ ossl_namemap_new, ossl_namemap_free, ossl_namemap_stored, ossl_namemap_empty, ossl_namemap_add_name, ossl_namemap_add_names, -ossl_namemap_name2num, ossl_namemap_name2num_n, +ossl_namemap_name2num, ossl_namemap_name2num_n, ossl_namemap_num2name, ossl_namemap_doall_names - internal number E<lt>-E<gt> name map @@ -23,6 +23,8 @@ ossl_namemap_doall_names int ossl_namemap_name2num(const OSSL_NAMEMAP *namemap, const char *name); int ossl_namemap_name2num_n(const OSSL_NAMEMAP *namemap, const char *name, size_t name_len); + const char *ossl_namemap_num2name(const OSSL_NAMEMAP *namemap, int number, + int idx); int ossl_namemap_doall_names(const OSSL_NAMEMAP *namemap, int number, void (*fn)(const char *name, void *data), void *data); @@ -64,6 +66,9 @@ ossl_namemap_name2num_n() does the same thing as ossl_namemap_name2num(), but takes a string length I<name_len> as well, allowing the caller to use a fragment of a string as a name. +ossl_namemap_num2name() finds the I<idx>th name associated with the +id I<number>. + ossl_namemap_doall_names() walks through all names associated with I<number> in the given I<namemap> and calls the function I<fn> for each of them. @@ -88,9 +93,9 @@ to lock). ossl_namemap_add_name() returns the number associated with the added string, or zero on error. -ossl_namemap_num2names() returns a pointer to a NULL-terminated list of -pointers to the names corresponding to the given number, or NULL if -it's undefined in the given B<OSSL_NAMEMAP>. +ossl_namemap_num2name() returns a pointer to I<idx>th name associated +with id I<number>, or NULL if it's undefined in the given +B<OSSL_NAMEMAP>. ossl_namemap_name2num() and ossl_namemap_name2num_n() return the number corresponding to the given name, or 0 if it's undefined in the given @@ -116,7 +121,7 @@ The functions described here were all added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/doc/man1/openssl-enc.pod.in b/crypto/openssl/doc/man1/openssl-enc.pod.in index 4d7ff3dc77e7..fb4f72ed8a19 100644 --- a/crypto/openssl/doc/man1/openssl-enc.pod.in +++ b/crypto/openssl/doc/man1/openssl-enc.pod.in @@ -193,9 +193,12 @@ Print out the key and IV used. Print out the key and IV used then immediately exit: don't do any encryption or decryption. -=item B<-bufsize> I<number> +=item B<-bufsize> I<number>[B<k>] Set the buffer size for I/O. +The maximum size that can be specified is B<2^31-1> (2147483647) bytes. +The B<k> suffix can be specified to indicate that I<number> is provided +in kibibytes (multiples of 1024 bytes). =item B<-nopad> @@ -279,7 +282,7 @@ Some of the ciphers do not have large keys and others have security implications if not used correctly. A beginner is advised to just use a strong block cipher, such as AES, in CBC mode. -All the block ciphers normally use PKCS#5 padding, also known as standard +All the block ciphers normally use PKCS#7 padding, also known as standard block padding. This allows a rudimentary integrity or password check to be performed. However, since the chance of random data passing the test is better than 1 in 256 it isn't a very good test. diff --git a/crypto/openssl/doc/man1/openssl-fipsinstall.pod.in b/crypto/openssl/doc/man1/openssl-fipsinstall.pod.in index 9dd4f5a49ffe..d44b4a7dac85 100644 --- a/crypto/openssl/doc/man1/openssl-fipsinstall.pod.in +++ b/crypto/openssl/doc/man1/openssl-fipsinstall.pod.in @@ -237,9 +237,7 @@ explicitly permitted by the various standards. =item B<-hkdf_digest_check> -Configure the module to enable a run-time digest check when deriving a key by -HKDF. -See NIST SP 800-56Cr2 for details. +This option is deprecated. =item B<-tls13_kdf_digest_check> @@ -261,9 +259,7 @@ See NIST SP 800-135r1 for details. =item B<-sskdf_digest_check> -Configure the module to enable a run-time digest check when deriving a key by -SSKDF. -See NIST SP 800-56Cr2 for details. +This option is deprecated. =item B<-x963kdf_digest_check> @@ -493,7 +489,7 @@ B<-ecdh_cofactor_check> =head1 COPYRIGHT -Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/doc/man3/BN_generate_prime.pod b/crypto/openssl/doc/man3/BN_generate_prime.pod index accc8a749f0c..6b8d1de19cd8 100644 --- a/crypto/openssl/doc/man3/BN_generate_prime.pod +++ b/crypto/openssl/doc/man3/BN_generate_prime.pod @@ -130,7 +130,7 @@ or all the tests passed. If B<p> passes all these tests, it is considered a probable prime. The test performed on B<p> are trial division by a number of small primes -and rounds of the of the Miller-Rabin probabilistic primality test. +and rounds of the Miller-Rabin probabilistic primality test. The functions do at least 64 rounds of the Miller-Rabin test giving a maximum false positive rate of 2^-128. @@ -148,7 +148,7 @@ and BN_is_prime_fasttest() are deprecated. BN_is_prime_fasttest() and BN_is_prime() behave just like BN_is_prime_fasttest_ex() and BN_is_prime_ex() respectively, but with the old -style call back. +style callback. B<ctx> is a preallocated B<BN_CTX> (to save the overhead of allocating and freeing the structure in a loop), or B<NULL>. @@ -246,7 +246,7 @@ BN_check_prime() was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/doc/man3/DEFINE_STACK_OF.pod b/crypto/openssl/doc/man3/DEFINE_STACK_OF.pod index ff2074820f68..eeb882f291e4 100644 --- a/crypto/openssl/doc/man3/DEFINE_STACK_OF.pod +++ b/crypto/openssl/doc/man3/DEFINE_STACK_OF.pod @@ -170,15 +170,14 @@ B<sk_I<TYPE>_set>() sets element I<idx> of I<sk> to I<ptr> replacing the current element. The new element value is returned or NULL if an error occurred: this will only happen if I<sk> is NULL or I<idx> is out of range. -B<sk_I<TYPE>_find>() searches I<sk> for the element I<ptr>. In the case -where no comparison function has been specified, the function performs -a linear search for a pointer equal to I<ptr>. The index of the first -matching element is returned or B<-1> if there is no match. In the case -where a comparison function has been specified, I<sk> is sorted and -B<sk_I<TYPE>_find>() returns the index of a matching element or B<-1> if there -is no match. Note that, in this case the comparison function will usually -compare the values pointed to rather than the pointers themselves and -the order of elements in I<sk> can change. +B<sk_I<TYPE>_find>() searches I<sk> for the element I<ptr>. In the +case where no comparison function has been specified, the function +performs a linear search for a pointer equal to I<ptr>. In the case +where a comparison function has been specified, the function performs +a search for a element that the comparison function indicates is a +match. If the stack is sorted, a binary search is used, otherwise, a +linear search is used. B<sk_I<TYPE>_find>() returns the index of a +matching element or B<-1> if there is no match. B<sk_I<TYPE>_find_ex>() operates like B<sk_I<TYPE>_find>() except when a comparison function has been specified and no matching element is found. @@ -301,7 +300,7 @@ was changed to return 0 in this condition as for other errors. =head1 COPYRIGHT -Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/doc/man3/EVP_EncryptInit.pod b/crypto/openssl/doc/man3/EVP_EncryptInit.pod index 2c42e3969e03..3c62659319c2 100644 --- a/crypto/openssl/doc/man3/EVP_EncryptInit.pod +++ b/crypto/openssl/doc/man3/EVP_EncryptInit.pod @@ -850,7 +850,7 @@ See also EVP_CIPHER_CTX_get_key_length() and EVP_CIPHER_CTX_set_key_length(). =item "tag" (B<OSSL_CIPHER_PARAM_AEAD_TAG>) <octet string> Gets or sets the AEAD tag for the associated cipher context I<ctx>. -See L<EVP_EncryptInit(3)/AEAD Interface>. +See L<EVP_EncryptInit(3)/AEAD INTERFACE>. =item "pipeline-tag" (B<OSSL_CIPHER_PARAM_PIPELINE_AEAD_TAG>) <octet ptr> diff --git a/crypto/openssl/doc/man3/EVP_PKEY_new.pod b/crypto/openssl/doc/man3/EVP_PKEY_new.pod index 72d129deff24..0a56600c2b60 100644 --- a/crypto/openssl/doc/man3/EVP_PKEY_new.pod +++ b/crypto/openssl/doc/man3/EVP_PKEY_new.pod @@ -219,7 +219,19 @@ general private key without reference to any particular algorithm. The structure returned by EVP_PKEY_new() is empty. To add a private or public key to this empty structure use the appropriate functions described in L<EVP_PKEY_set1_RSA(3)>, L<EVP_PKEY_set1_DSA(3)>, L<EVP_PKEY_set1_DH(3)> or -L<EVP_PKEY_set1_EC_KEY(3)>. +L<EVP_PKEY_set1_EC_KEY(3)> for legacy key types implemented in internal +OpenSSL providers. + +For fully provider-managed key types (see L<provider-keymgmt(7)>), +possibly implemented in external providers, use functions such as +L<EVP_PKEY_set1_encoded_public_key(3)> or L<EVP_PKEY_fromdata(3)> +to populate key data. + +Generally caution is advised for using an B<EVP_PKEY> structure across +different library contexts: In order for an B<EVP_PKEY> to be shared by +multiple library contexts the providers associated with the library contexts +must have key managers that support the key type and implement the +OSSL_FUNC_keymgmt_import() and OSSL_FUNC_keymgmt_export() functions. =head1 RETURN VALUES diff --git a/crypto/openssl/doc/man3/EVP_aes_128_gcm.pod b/crypto/openssl/doc/man3/EVP_aes_128_gcm.pod index 485705ea7889..9bac62b10b32 100644 --- a/crypto/openssl/doc/man3/EVP_aes_128_gcm.pod +++ b/crypto/openssl/doc/man3/EVP_aes_128_gcm.pod @@ -127,7 +127,7 @@ EVP_aes_256_ocb() AES for 128, 192 and 256 bit keys in CBC-MAC Mode (CCM), Galois Counter Mode (GCM) and OCB Mode respectively. These ciphers require additional control -operations to function correctly, see the L<EVP_EncryptInit(3)/AEAD Interface> +operations to function correctly, see the L<EVP_EncryptInit(3)/AEAD INTERFACE> section for details. =item EVP_aes_128_wrap(), @@ -184,7 +184,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/doc/man3/EVP_aria_128_gcm.pod b/crypto/openssl/doc/man3/EVP_aria_128_gcm.pod index 91aa75ec3871..74e21444db8f 100644 --- a/crypto/openssl/doc/man3/EVP_aria_128_gcm.pod +++ b/crypto/openssl/doc/man3/EVP_aria_128_gcm.pod @@ -88,7 +88,7 @@ EVP_aria_256_gcm(), ARIA for 128, 192 and 256 bit keys in CBC-MAC Mode (CCM) and Galois Counter Mode (GCM). These ciphers require additional control operations to function -correctly, see the L<EVP_EncryptInit(3)/AEAD Interface> section for details. +correctly, see the L<EVP_EncryptInit(3)/AEAD INTERFACE> section for details. =back @@ -113,7 +113,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/doc/man3/EVP_chacha20.pod b/crypto/openssl/doc/man3/EVP_chacha20.pod index 7e80c8de40c9..0dfce7389b78 100644 --- a/crypto/openssl/doc/man3/EVP_chacha20.pod +++ b/crypto/openssl/doc/man3/EVP_chacha20.pod @@ -36,7 +36,7 @@ With an initial counter of 42 (2a in hex) would be expressed as: Authenticated encryption with ChaCha20-Poly1305. Like EVP_chacha20(), the key is 256 bits and the IV is 96 bits. This supports additional authenticated data (AAD) and produces a 128-bit authentication tag. See the -L<EVP_EncryptInit(3)/AEAD Interface> section for more information. +L<EVP_EncryptInit(3)/AEAD INTERFACE> section for more information. =back @@ -64,7 +64,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/doc/man3/OPENSSL_secure_malloc.pod b/crypto/openssl/doc/man3/OPENSSL_secure_malloc.pod index 1bddd7737069..dbc7073aac18 100644 --- a/crypto/openssl/doc/man3/OPENSSL_secure_malloc.pod +++ b/crypto/openssl/doc/man3/OPENSSL_secure_malloc.pod @@ -45,7 +45,12 @@ the program's dynamic memory area, where keys and other sensitive information might be stored, OpenSSL supports the concept of a "secure heap." The level and type of security guarantees depend on the operating system. It is a good idea to review the code and see if it addresses your -threat model and concerns. +threat model and concerns. It should be noted that the secure heap +uses a single read/write lock, and therefore any operations +that involve allocation or freeing of secure heap memory are serialised, +blocking other threads. With that in mind, highly concurrent applications +should enable the secure heap with caution and be aware of the performance +implications for multi-threaded code. If a secure heap is used, then private key B<BIGNUM> values are stored there. This protects long-term storage of private keys, but will not necessarily @@ -135,7 +140,7 @@ a B<size_t> in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/doc/man3/OSSL_CALLBACK.pod b/crypto/openssl/doc/man3/OSSL_CALLBACK.pod index 5fa8a8f08916..5550819a94b4 100644 --- a/crypto/openssl/doc/man3/OSSL_CALLBACK.pod +++ b/crypto/openssl/doc/man3/OSSL_CALLBACK.pod @@ -47,15 +47,10 @@ Additional parameters can be passed with the L<OSSL_PARAM(3)> array I<params>, =back -=begin comment RETURN VALUES doesn't make sense for a manual that only -describes a type, but document checkers still want that section, and -to have more than just the section title. - =head1 RETURN VALUES -txt - -=end comment +Functions of type B<OSSL_CALLBACK> and B<OSSL_PASSPHRASE_CALLBACK> +must return 1 on success and 0 on failure. =head1 SEE ALSO @@ -67,7 +62,7 @@ The types described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/doc/man3/OpenSSL_version.pod b/crypto/openssl/doc/man3/OpenSSL_version.pod index e5dff33dcdda..6b899cbe5438 100644 --- a/crypto/openssl/doc/man3/OpenSSL_version.pod +++ b/crypto/openssl/doc/man3/OpenSSL_version.pod @@ -256,9 +256,16 @@ L<crypto(7)> The macros and functions described here were added in OpenSSL 3.0, except for OPENSSL_VERSION_NUMBER and OpenSSL_version_num(). +=head1 BUGS + +There was a discrepancy between this manual and commentary + code +in F<< <openssl/opensslv.h> >>, where the latter suggested that the +four least significant bits of B<OPENSSL_VERSION_NUMBER> could be +C<0x0f> in released OpenSSL versions. + =head1 COPYRIGHT -Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/doc/man3/PEM_read_CMS.pod b/crypto/openssl/doc/man3/PEM_read_CMS.pod index dbccf26cd893..880e31481029 100644 --- a/crypto/openssl/doc/man3/PEM_read_CMS.pod +++ b/crypto/openssl/doc/man3/PEM_read_CMS.pod @@ -84,9 +84,9 @@ see L<openssl_user_macros(7)>: =head1 DESCRIPTION -All of the functions described on this page are deprecated. -Applications should use OSSL_ENCODER_to_bio() and OSSL_DECODER_from_bio() -instead. +To replace the deprecated functions listed above, applications should use the +B<EVP_PKEY> type and OSSL_DECODER_from_bio() and OSSL_ENCODER_to_bio() to +read and write PEM data containing key parameters or private and public keys. In the description below, B<I<TYPE>> is used as a placeholder for any of the OpenSSL datatypes, such as B<X509>. @@ -142,7 +142,7 @@ were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 1998-2023 The OpenSSL Project Authors. All Rights Reserved. +Copyright 1998-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/doc/man3/RAND_load_file.pod b/crypto/openssl/doc/man3/RAND_load_file.pod index baca54cb3c89..45570920ca95 100644 --- a/crypto/openssl/doc/man3/RAND_load_file.pod +++ b/crypto/openssl/doc/man3/RAND_load_file.pod @@ -19,7 +19,11 @@ RAND_load_file, RAND_write_file, RAND_file_name - PRNG seed file RAND_load_file() reads a number of bytes from file B<filename> and adds them to the PRNG. If B<max_bytes> is nonnegative, up to B<max_bytes> are read; -if B<max_bytes> is -1, the complete file is read. +if B<max_bytes> is -1, the complete file is read (unless the file +is not a regular file, in that case a fixed number of bytes, +256 in the current implementation, is attempted to be read). +RAND_load_file() can read less than the complete file or the requested number +of bytes if it doesn't fit in the return value type. Do not load the same file multiple times unless its contents have been updated by RAND_write_file() between reads. Also, note that B<filename> should be adequately protected so that an @@ -77,7 +81,7 @@ L<RAND(7)> =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/doc/man3/SSL_CIPHER_get_name.pod b/crypto/openssl/doc/man3/SSL_CIPHER_get_name.pod index 09b7280bdd58..a10942433aa7 100644 --- a/crypto/openssl/doc/man3/SSL_CIPHER_get_name.pod +++ b/crypto/openssl/doc/man3/SSL_CIPHER_get_name.pod @@ -37,7 +37,7 @@ SSL_CIPHER_get_protocol_id int SSL_CIPHER_is_aead(const SSL_CIPHER *c); const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr); uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c); - uint32_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *c); + uint16_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *c); =head1 DESCRIPTION @@ -203,7 +203,7 @@ The OPENSSL_cipher_name() function was added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/doc/man3/SSL_CTX_set_domain_flags.pod b/crypto/openssl/doc/man3/SSL_CTX_set_domain_flags.pod index 2f0911608435..cc9ad5911498 100644 --- a/crypto/openssl/doc/man3/SSL_CTX_set_domain_flags.pod +++ b/crypto/openssl/doc/man3/SSL_CTX_set_domain_flags.pod @@ -106,7 +106,7 @@ L<SSL_new_domain(3)>, L<openssl-quic-concurrency(7)> =head1 HISTORY -These functions were added in @QUIC_SERVER_VERSION@. +These functions were added in OpenSSL 3.5. =head1 COPYRIGHT diff --git a/crypto/openssl/doc/man3/SSL_CTX_set_tmp_dh_callback.pod b/crypto/openssl/doc/man3/SSL_CTX_set_tmp_dh_callback.pod index a14f334cfca8..902cefdfa366 100644 --- a/crypto/openssl/doc/man3/SSL_CTX_set_tmp_dh_callback.pod +++ b/crypto/openssl/doc/man3/SSL_CTX_set_tmp_dh_callback.pod @@ -58,9 +58,11 @@ the actual key is newly generated during the negotiation. Typically applications should use well known DH parameters that have built-in support in OpenSSL. The macros SSL_CTX_set_dh_auto() and SSL_set_dh_auto() configure OpenSSL to use the default built-in DH parameters for the B<SSL_CTX> -and B<SSL> objects respectively. Passing a value of 1 in the I<onoff> parameter -switches the feature on, and passing a value of 0 switches it off. The default -setting is off. +and B<SSL> objects respectively. Passing a value of 2 or 1 in the I<onoff> +parameter switches it on. If the I<onoff> parameter is set to 2, it will force +the DH key size to 1024 if the B<SSL_CTX> or B<SSL> security level +L<SSL_CTX_set_security_level(3)> is 0 or 1. Passing a value of 0 switches +it off. The default setting is off. If "auto" DH parameters are switched on then the parameters will be selected to be consistent with the size of the key associated with the server's certificate. @@ -112,7 +114,7 @@ L<openssl-ciphers(1)>, L<openssl-dhparam(1)> =head1 COPYRIGHT -Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/doc/man3/SSL_SESSION_get0_hostname.pod b/crypto/openssl/doc/man3/SSL_SESSION_get0_hostname.pod index f7add16d7bdd..0140deee9a5e 100644 --- a/crypto/openssl/doc/man3/SSL_SESSION_get0_hostname.pod +++ b/crypto/openssl/doc/man3/SSL_SESSION_get0_hostname.pod @@ -23,9 +23,10 @@ SSL_SESSION_set1_alpn_selected =head1 DESCRIPTION -SSL_SESSION_get0_hostname() retrieves the SNI value that was sent by the -client when the session was created if it was accepted by the server. Otherwise -NULL is returned. +SSL_SESSION_get0_hostname() retrieves the Server Name Indication (SNI) value +that was sent by the client when the session was created if the server +acknowledged the client's SNI extension by including an empty SNI extension +in response. Otherwise NULL is returned. The value returned is a pointer to memory maintained within B<s> and should not be free'd. @@ -44,8 +45,7 @@ B<alpn>. =head1 RETURN VALUES -SSL_SESSION_get0_hostname() returns either a string or NULL based on if there -is the SNI value sent by client. +SSL_SESSION_get0_hostname() returns the SNI string if available, or NULL if not. SSL_SESSION_set1_hostname() returns 1 on success or 0 on error. diff --git a/crypto/openssl/doc/man3/SSL_poll.pod b/crypto/openssl/doc/man3/SSL_poll.pod index 87a1e42b1720..6047bd6750f8 100644 --- a/crypto/openssl/doc/man3/SSL_poll.pod +++ b/crypto/openssl/doc/man3/SSL_poll.pod @@ -5,12 +5,14 @@ SSL_poll, SSL_POLL_EVENT_NONE, SSL_POLL_EVENT_F, +SSL_POLL_EVENT_EL, SSL_POLL_EVENT_EC, SSL_POLL_EVENT_ECD, SSL_POLL_EVENT_ER, SSL_POLL_EVENT_EW, SSL_POLL_EVENT_R, SSL_POLL_EVENT_W, +SSL_POLL_EVENT_IC, SSL_POLL_EVENT_ISB, SSL_POLL_EVENT_ISU, SSL_POLL_EVENT_OSB, @@ -35,27 +37,29 @@ SSL_POLL_FLAG_NO_HANDLE_EVENTS #define SSL_POLL_EVENT_NONE 0 #define SSL_POLL_EVENT_F /* F (Failure) */ + #define SSL_POLL_EVENT_EL /* EL (Exception on Listener) */ #define SSL_POLL_EVENT_EC /* EC (Exception on Conn) */ #define SSL_POLL_EVENT_ECD /* ECD (Exception on Conn Drained) */ #define SSL_POLL_EVENT_ER /* ER (Exception on Read) */ #define SSL_POLL_EVENT_EW /* EW (Exception on Write) */ #define SSL_POLL_EVENT_R /* R (Readable) */ #define SSL_POLL_EVENT_W /* W (Writable) */ + #define SSL_POLL_EVENT_IC /* IC (Incoming Connection) */ #define SSL_POLL_EVENT_ISB /* ISB (Incoming Stream: Bidi) */ #define SSL_POLL_EVENT_ISU /* ISU (Incoming Stream: Uni) */ #define SSL_POLL_EVENT_OSB /* OSB (Outgoing Stream: Bidi) */ #define SSL_POLL_EVENT_OSU /* OSU (Outgoing Stream: Uni) */ - #define SSL_POLL_EVENT_RW /* R | W */ - #define SSL_POLL_EVENT_RE /* R | ER */ - #define SSL_POLL_EVENT_WE /* W | EW */ - #define SSL_POLL_EVENT_RWE /* RE | WE */ - #define SSL_POLL_EVENT_E /* EC | ER | EW */ - #define SSL_POLL_EVENT_IS /* ISB | ISU */ - #define SSL_POLL_EVENT_ISE /* IS | EC */ - #define SSL_POLL_EVENT_I /* IS */ - #define SSL_POLL_EVENT_OS /* OSB | OSU */ - #define SSL_POLL_EVENT_OSE /* OS | EC */ + #define SSL_POLL_EVENT_RW /* R | W */ + #define SSL_POLL_EVENT_RE /* R | ER */ + #define SSL_POLL_EVENT_WE /* W | EW */ + #define SSL_POLL_EVENT_RWE /* RE | WE */ + #define SSL_POLL_EVENT_E /* EL | EC | ER | EW */ + #define SSL_POLL_EVENT_IS /* ISB | ISU */ + #define SSL_POLL_EVENT_ISE /* IS | EC */ + #define SSL_POLL_EVENT_I /* IS */ + #define SSL_POLL_EVENT_OS /* OSB | OSU */ + #define SSL_POLL_EVENT_OSE /* OS | EC */ typedef struct ssl_poll_item_st { BIO_POLL_DESCRIPTOR desc; diff --git a/crypto/openssl/doc/man3/d2i_X509.pod b/crypto/openssl/doc/man3/d2i_X509.pod index df5ea65e596e..8e04c2286c57 100644 --- a/crypto/openssl/doc/man3/d2i_X509.pod +++ b/crypto/openssl/doc/man3/d2i_X509.pod @@ -588,8 +588,9 @@ freed in the event of error and I<*a> is set to NULL. B<i2d_I<TYPE>>() returns the number of bytes successfully encoded or a negative value if an error occurs. -B<i2d_I<TYPE>_bio>() and B<i2d_I<TYPE>_fp>() return 1 for success and 0 if an -error occurs. +B<i2d_I<TYPE>_bio>() and B<i2d_I<TYPE>_fp>(), +as well as i2d_ASN1_bio_stream(), +return 1 for success and 0 if an error occurs. =head1 EXAMPLES diff --git a/crypto/openssl/doc/man5/fips_config.pod b/crypto/openssl/doc/man5/fips_config.pod index a25ced338393..c3f7b8f3ab6b 100644 --- a/crypto/openssl/doc/man5/fips_config.pod +++ b/crypto/openssl/doc/man5/fips_config.pod @@ -62,17 +62,11 @@ A version number for the fips install process. Should be 1. =item B<install-status> -An indicator that the self-tests were successfully run. -This should only be written after the module has -successfully passed its self tests during installation. -If this field is not present, then the self tests will run when the module -loads. +This field is deprecated and is no longer used. =item B<install-mac> -A MAC of the value of the B<install-status> option, to prevent accidental -changes to that value. -It is written-to at the same time as B<install-status> is updated. +This field is deprecated and is no longer used. =back @@ -112,7 +106,7 @@ See L<openssl-fipsinstall(1)/OPTIONS> B<-signature_digest_check> =item B<hkdf-digest-check> -See L<openssl-fipsinstall(1)/OPTIONS> B<-hkdf_digest_check> +This option is deprecated. =item B<tls13-kdf-digest-check> @@ -128,7 +122,7 @@ See L<openssl-fipsinstall(1)/OPTIONS> B<-sshkdf_digest_check> =item B<sskdf-digest-check> -See L<openssl-fipsinstall(1)/OPTIONS> B<-sskdf_digest_check> +This option is deprecated. =item B<x963kdf-digest-check> @@ -233,7 +227,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/doc/man7/EVP_ASYM_CIPHER-RSA.pod b/crypto/openssl/doc/man7/EVP_ASYM_CIPHER-RSA.pod index 171a3d130ec0..2b8cf1c12fb8 100644 --- a/crypto/openssl/doc/man7/EVP_ASYM_CIPHER-RSA.pod +++ b/crypto/openssl/doc/man7/EVP_ASYM_CIPHER-RSA.pod @@ -27,7 +27,8 @@ The default provider understands these RSA padding modes in string form: This padding mode is no longer supported by the FIPS provider for key agreement and key transport. -(This is a FIPS 140-3 requirement) +(This is a FIPS 140-3 requirement). +See L<openssl-fipsinstall(1)/OPTIONS> B<-rsa_pkcs15_pad_disabled>. =item "x931" (B<OSSL_PKEY_RSA_PAD_MODE_X931>) @@ -109,7 +110,7 @@ L<OSSL_PROVIDER-FIPS(7)> =head1 COPYRIGHT -Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/doc/man7/EVP_PKEY-DSA.pod b/crypto/openssl/doc/man7/EVP_PKEY-DSA.pod index f3bed36f88a4..d386d8868a1c 100644 --- a/crypto/openssl/doc/man7/EVP_PKEY-DSA.pod +++ b/crypto/openssl/doc/man7/EVP_PKEY-DSA.pod @@ -119,7 +119,7 @@ The following sections of FIPS186-4: =head1 SEE ALSO L<EVP_PKEY-FFC(7)>, -L<EVP_SIGNATURE-DSA(7)> +L<EVP_SIGNATURE-DSA(7)>, L<EVP_PKEY(3)>, L<provider-keymgmt(7)>, L<EVP_KEYMGMT(3)>, @@ -133,7 +133,7 @@ OpenSSL 3.4. See L<fips_module(7)/FIPS indicators> for more information. =head1 COPYRIGHT -Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/doc/man7/EVP_PKEY-FFC.pod b/crypto/openssl/doc/man7/EVP_PKEY-FFC.pod index 7c9848676b8c..a28bb84e0a36 100644 --- a/crypto/openssl/doc/man7/EVP_PKEY-FFC.pod +++ b/crypto/openssl/doc/man7/EVP_PKEY-FFC.pod @@ -213,7 +213,7 @@ The following sections of FIPS186-4: L<EVP_PKEY-DSA(7)>, L<EVP_PKEY-DH(7)>, L<EVP_SIGNATURE-DSA(7)>, -L<EVP_KEYEXCH-DH(7)> +L<EVP_KEYEXCH-DH(7)>, L<EVP_KEYMGMT(3)>, L<EVP_PKEY(3)>, L<provider-keymgmt(7)>, @@ -222,7 +222,7 @@ L<OSSL_PROVIDER-FIPS(7)>, =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/doc/man7/EVP_SIGNATURE-ML-DSA.pod b/crypto/openssl/doc/man7/EVP_SIGNATURE-ML-DSA.pod index 3e7cc41b2424..3b6e795f0709 100644 --- a/crypto/openssl/doc/man7/EVP_SIGNATURE-ML-DSA.pod +++ b/crypto/openssl/doc/man7/EVP_SIGNATURE-ML-DSA.pod @@ -113,7 +113,7 @@ To sign a message using an ML-DSA EVP_PKEY structure: EVP_PKEY_sign(sctx, sig, &sig_len, msg, msg_len); ... OPENSSL_free(sig); - EVP_SIGNATURE(sig_alg); + EVP_SIGNATURE_free(sig_alg); EVP_PKEY_CTX_free(sctx); } diff --git a/crypto/openssl/doc/man7/EVP_SIGNATURE-SLH-DSA.pod b/crypto/openssl/doc/man7/EVP_SIGNATURE-SLH-DSA.pod index 9ca1e077484a..de2be646ed64 100644 --- a/crypto/openssl/doc/man7/EVP_SIGNATURE-SLH-DSA.pod +++ b/crypto/openssl/doc/man7/EVP_SIGNATURE-SLH-DSA.pod @@ -109,7 +109,7 @@ To sign a message using an SLH-DSA EVP_PKEY structure: EVP_PKEY_sign(sctx, sig, &sig_len, msg, msg_len); ... OPENSSL_free(sig); - EVP_SIGNATURE(sig_alg); + EVP_SIGNATURE_free(sig_alg); EVP_PKEY_CTX_free(sctx); } diff --git a/crypto/openssl/doc/man7/OSSL_PROVIDER-FIPS.pod b/crypto/openssl/doc/man7/OSSL_PROVIDER-FIPS.pod index 571a1e99e089..d14005a89a1c 100644 --- a/crypto/openssl/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/crypto/openssl/doc/man7/OSSL_PROVIDER-FIPS.pod @@ -14,7 +14,7 @@ accredited testing laboratory. =head2 Properties The implementations in this provider specifically have these properties -defined: +defined for approved algorithms: =over 4 @@ -41,20 +41,17 @@ query. Including C<provider=fips> in your property query guarantees that the OpenSSL FIPS provider is used for cryptographic operations rather than other FIPS capable providers. -=head2 Provider parameters - -See L<provider-base(7)/Provider parameters> for a list of base parameters. -Additionally the OpenSSL FIPS provider also supports the following gettable -parameters: - -=over 4 +=head2 Approved algorithms -=item "security-checks" (B<OSSL_OSSL_PROV_PARAM_SECURITY_CHECKS>) <unsigned integer> +Algorithms that are fetched using "fips=yes" may still be unapproved if certain +conditions are not met. See L<fips_module(7)/FIPS indicators> for additional +information. -For further information refer to the L<openssl-fipsinstall(1)> option -B<-no_security_checks>. +=head2 Provider parameters -=back +See L<provider-base(7)/Provider parameters> for a list of base parameters. +The OpenSSL FIPS provider also handles FIPS indicator related parameters as +specified by L<fips_config(5)/FIPS indicator options>. =head1 OPERATIONS AND ALGORITHMS @@ -84,8 +81,6 @@ The OpenSSL FIPS provider supports these operations and algorithms: =item 3DES, see L<EVP_CIPHER-DES(7)> -This is an unapproved algorithm. - =back =head2 Message Authentication Code (MAC) @@ -212,21 +207,21 @@ for signature generation, but may be used for verification for legacy use cases. =item EC, see L<EVP_KEYMGMT-EC(7)> -=item X25519, see L<EVP_KEYMGMT-X25519(7)> - -This is an unapproved algorithm. - -=item X448, see L<EVP_KEYMGMT-X448(7)> +=item ED25519, see L<EVP_KEYMGMT-ED25519(7)> -This is an unapproved algorithm. +=item ED448, see L<EVP_KEYMGMT-ED448(7)> -=item ED25519, see L<EVP_KEYMGMT-ED25519(7)> +=item X25519, see L<EVP_KEYMGMT-X25519(7)> This is an unapproved algorithm. +The FIPS 140-3 IG states that "Curves that are included in SP 800-186 but not +included in SP 800-56Arev3 are not approved for key agreement". -=item ED448, see L<EVP_KEYMGMT-ED448(7)> +=item X448, see L<EVP_KEYMGMT-X448(7)> This is an unapproved algorithm. +The FIPS 140-3 IG states that "Curves that are included in SP 800-186 but not" +included in SP 800-56Arev3 are not approved for key agreement". =item TLS1-PRF @@ -288,8 +283,11 @@ TEST-RAND is an unapproved algorithm. =head1 SELF TESTING -One of the requirements for the FIPS module is self testing. An optional callback -mechanism is available to return information to the user using +A requirement of FIPS modules is to run cryptographic algorithm self tests. +FIPS 140-3 requires known answer tests to be run on startup as well as +conditional tests that run during cryptographic operations. + +An optional callback mechanism is available to return information to the user using L<OSSL_SELF_TEST_set_callback(3)>. The parameters passed to the callback are described in L<OSSL_SELF_TEST_new(3)> @@ -311,12 +309,10 @@ Uses HMAC SHA256 on the module file to validate that the module has not been modified. The integrity value is compared to a value written to a configuration file during installation. -=item "Install_Integrity" (B<OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY>) +=item "KAT_Integrity" (B<OSSL_SELF_TEST_TYPE_KAT_INTEGRITY>) -Uses HMAC SHA256 on a fixed string to validate that the installation process -has already been performed and the self test KATS have already been tested, -The integrity value is compared to a value written to a configuration -file after successfully running the self tests during installation. +Used during the Module Integrity test to perform a known answer test on +HMAC SHA256 prior to using it. =item "KAT_Cipher" (B<OSSL_SELF_TEST_TYPE_KAT_CIPHER>) @@ -360,24 +356,28 @@ Known answer test for a Deterministic Random Bit Generator. =item "Conditional_PCT" (B<OSSL_SELF_TEST_TYPE_PCT>) -Conditional test that is run during the generation or importing of key pairs. +Conditional test that is run during the generation of key pairs. + +=item "Import_PCT" (B<OSSL_SELF_TEST_TYPE_PCT_IMPORT>) + +Conditional test that is run during the import of key pairs. + +=item "Conditional_KAT" (B<OSSL_SELF_TEST_TYPE_PCT_KAT>) + +Conditional test run during generation that derive the public key from the +private key and checks that the public key matches. This is a SP 800-56A requirement. =item "Continuous_RNG_Test" (B<OSSL_SELF_TEST_TYPE_CRNG>) Continuous random number generator test. -=back - -The "Module_Integrity" self test is always run at startup. -The "Install_Integrity" self test is used to check if the self tests have -already been run at installation time. If they have already run then the -self tests are not run on subsequent startups. -All other self test categories are run once at installation time, except for the -"Pairwise_Consistency_Test". +=item "Install_Integrity" (B<OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY>) -There is only one instance of the "Module_Integrity" and "Install_Integrity" -self tests. All other self tests may have multiple instances. +This is deprecated. The option is no longer used since FIPS 140-3 requires +self tests to always run on startup. Previous FIPS 140-2 validations allowed +the self tests to be run just once. +=back The FIPS module passes the following descriptions(s) to OSSL_SELF_TEST_onbegin(). @@ -385,7 +385,7 @@ The FIPS module passes the following descriptions(s) to OSSL_SELF_TEST_onbegin() =item "HMAC" (B<OSSL_SELF_TEST_DESC_INTEGRITY_HMAC>) -"Module_Integrity" and "Install_Integrity" use this. +"Module_Integrity" uses this. =item "RSA" (B<OSSL_SELF_TEST_DESC_PCT_RSA_PKCS1>) @@ -559,20 +559,6 @@ validated versions alongside F<libcrypto> and F<libssl> compiled from any release within the same major release series. This flexibility enables you to address bug fixes and CVEs that fall outside the FIPS boundary. -The FIPS provider in OpenSSL 3.1 includes some non-FIPS validated algorithms, -consequently the property query C<fips=yes> is mandatory for applications that -want to operate in a FIPS approved manner. The algorithms are: - -=over 4 - -=item Triple DES ECB - -=item Triple DES CBC - -=item EdDSA - -=back - You can load the FIPS provider into multiple library contexts as any other provider. However the following restriction applies. The FIPS provider cannot be used by multiple copies of OpenSSL libcrypto in a single process. diff --git a/crypto/openssl/doc/man7/provider-base.pod b/crypto/openssl/doc/man7/provider-base.pod index 0302900a7314..511195770581 100644 --- a/crypto/openssl/doc/man7/provider-base.pod +++ b/crypto/openssl/doc/man7/provider-base.pod @@ -154,6 +154,10 @@ provider): core_new_error OSSL_FUNC_CORE_NEW_ERROR core_set_error_debug OSSL_FUNC_CORE_SET_ERROR_DEBUG core_vset_error OSSL_FUNC_CORE_VSET_ERROR + core_set_error_mark OSSL_FUNC_CORE_SET_ERROR_MARK + core_clear_last_error_mark OSSL_FUNC_CORE_CLEAR_LAST_ERROR_MARK + core_pop_error_to_mark OSSL_FUNC_CORE_POP_ERROR_TO_MARK + core_count_to_mark OSSL_FUNC_CORE_COUNT_TO_MARK core_obj_add_sigid OSSL_FUNC_CORE_OBJ_ADD_SIGID core_obj_create OSSL_FUNC_CORE_OBJ_CREATE CRYPTO_malloc OSSL_FUNC_CRYPTO_MALLOC @@ -270,6 +274,33 @@ error occurred or was reported. This corresponds to the OpenSSL function L<ERR_vset_error(3)>. +=item core_set_error_mark() + +sets a mark on the current topmost error record if there is one. + +This corresponds to the OpenSSL function L<ERR_set_mark(3)>. + +=item core_clear_last_error_mark() + +removes the last mark added if there is one. + +This corresponds to the OpenSSL function L<ERR_clear_last_mark(3)>. + +=item core_pop_error_to_mark() + +pops the top of the error stack until a mark is found. The mark is then removed. +If there is no mark, the whole stack is removed. + +This corresponds to the OpenSSL function L<ERR_pop_to_mark(3)>. + +=item core_count_to_mark() + +returns the number of entries on the error stack above the most recently +marked entry, not including that entry. If there is no mark in the error stack, +the number of entries in the error stack is returned. + +This corresponds to the OpenSSL function L<ERR_count_to_mark(3)>. + =back The core_obj_create() function registers a new OID and associated short name diff --git a/crypto/openssl/exporters/libcrypto.pc b/crypto/openssl/exporters/libcrypto.pc new file mode 100644 index 000000000000..3ee633d09bee --- /dev/null +++ b/crypto/openssl/exporters/libcrypto.pc @@ -0,0 +1,13 @@ +prefix=/usr +exec_prefix=${prefix} +libdir=${exec_prefix}/lib +includedir=${prefix}/include +enginesdir=${libdir}/engines-3 +modulesdir=${libdir}/ossl-modules + +Name: OpenSSL-libcrypto +Description: OpenSSL cryptography library +Version: 3.5.4 +Libs: -L${libdir} -lcrypto +Libs.private: -pthread +Cflags: -I${includedir} diff --git a/crypto/openssl/exporters/libssl.pc b/crypto/openssl/exporters/libssl.pc new file mode 100644 index 000000000000..a14763f553f9 --- /dev/null +++ b/crypto/openssl/exporters/libssl.pc @@ -0,0 +1,11 @@ +prefix=/usr +exec_prefix=${prefix} +libdir=${exec_prefix}/lib +includedir=${prefix}/include + +Name: OpenSSL-libssl +Description: Secure Sockets Layer and cryptography libraries +Version: 3.5.4 +Requires.private: libcrypto +Libs: -L${libdir} -lssl +Cflags: -I${includedir} diff --git a/crypto/openssl/exporters/openssl.pc b/crypto/openssl/exporters/openssl.pc new file mode 100644 index 000000000000..e964e5e90a34 --- /dev/null +++ b/crypto/openssl/exporters/openssl.pc @@ -0,0 +1,9 @@ +prefix=/usr +exec_prefix=${prefix} +libdir=${exec_prefix}/lib +includedir=${prefix}/include + +Name: OpenSSL +Description: Secure Sockets Layer and cryptography libraries and tools +Version: 3.5.4 +Requires: libssl libcrypto diff --git a/crypto/openssl/freebsd/dump_version_from_configdata.pl b/crypto/openssl/freebsd/dump_version_from_configdata.pl new file mode 100644 index 000000000000..b6137718ba54 --- /dev/null +++ b/crypto/openssl/freebsd/dump_version_from_configdata.pl @@ -0,0 +1,21 @@ +#!/usr/bin/env perl +# +# This dumps out the values needed to generate manpages and other artifacts +# which include the release version/date. +# +# See also: `secure/lib/libcrypto/Makefile.version`. + +use Cwd qw(realpath); +use File::Basename qw(dirname); +use Time::Piece; + +use lib dirname(dirname(realpath($0))); + +use configdata qw(%config); + +$OPENSSL_DATE = Time::Piece->strptime($config{"release_date"}, "%d %b %Y")->strftime("%Y-%m-%d"); + +$OPENSSL_VER = "$config{'major'}.$config{'minor'}.$config{'patch'}"; + +print("OPENSSL_VER=\t${OPENSSL_VER}\n"); +print("OPENSSL_DATE=\t${OPENSSL_DATE}\n"); diff --git a/crypto/openssl/freebsd/include/crypto/bn_conf.h b/crypto/openssl/freebsd/include/crypto/bn_conf.h new file mode 100644 index 000000000000..442931b63339 --- /dev/null +++ b/crypto/openssl/freebsd/include/crypto/bn_conf.h @@ -0,0 +1,27 @@ + +/** + * OpenSSL's Configure script generates these values automatically for the host + * architecture, but FreeBSD provides values which are universal for all + * supported target architectures. + */ + +#ifndef __FREEBSD_BN_CONF_H__ +#define __FREEBSD_BN_CONF_H__ + +# undef SIXTY_FOUR_BIT_LONG +# undef SIXTY_FOUR_BIT +# undef THIRTY_TWO_BIT + +# if __SIZEOF_LONG__ == 8 +# define SIXTY_FOUR_BIT_LONG +# undef SIXTY_FOUR_BIT +# undef THIRTY_TWO_BIT +# elif __SIZEOF_LONG__ == 4 +# undef SIXTY_FOUR_BIT_LONG +# undef SIXTY_FOUR_BIT +# define THIRTY_TWO_BIT +# else +# error Unsupported size of long +# endif + +#endif /* __FREEBSD_BN_CONF_H__ */ diff --git a/crypto/openssl/freebsd/include/openssl/configuration.h b/crypto/openssl/freebsd/include/openssl/configuration.h new file mode 100644 index 000000000000..faea78cb32c8 --- /dev/null +++ b/crypto/openssl/freebsd/include/openssl/configuration.h @@ -0,0 +1,38 @@ + +/** + * OpenSSL's Configure script generates these values automatically for the host + * architecture, but FreeBSD provides values which are universal for all + * supported target architectures. + */ + +#ifndef __FREEBSD_CONFIGURATION_H__ +#define __FREEBSD_CONFIGURATION_H__ + +# undef OPENSSL_NO_EC_NISTP_64_GCC_128 +# if __SIZEOF_LONG__ == 4 || __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__ +# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 +# define OPENSSL_NO_EC_NISTP_64_GCC_128 +# endif +# endif + +# undef BN_LLONG +# undef SIXTY_FOUR_BIT_LONG +# undef SIXTY_FOUR_BIT +# undef THIRTY_TWO_BIT +# if !defined(OPENSSL_SYS_UEFI) +# if __SIZEOF_LONG__ == 8 +# undef BN_LLONG +# define SIXTY_FOUR_BIT_LONG +# undef SIXTY_FOUR_BIT +# undef THIRTY_TWO_BIT +# elif __SIZEOF_LONG__ == 4 +# define BN_LLONG +# undef SIXTY_FOUR_BIT_LONG +# undef SIXTY_FOUR_BIT +# define THIRTY_TWO_BIT +# else +# error Unsupported size of long +# endif +# endif + +#endif /* __FREEBSD_CONFIGURATION_H__ */ diff --git a/crypto/openssl/fuzz/dtlsserver.c b/crypto/openssl/fuzz/dtlsserver.c index 68ddb1e6e683..7ea57ea05336 100644 --- a/crypto/openssl/fuzz/dtlsserver.c +++ b/crypto/openssl/fuzz/dtlsserver.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -590,10 +590,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) SSL *server; BIO *in; BIO *out; -#if !defined(OPENSSL_NO_EC) \ - || (!defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)) BIO *bio_buf; -#endif SSL_CTX *ctx; int ret; #ifndef OPENSSL_NO_DEPRECATED_3_0 diff --git a/crypto/openssl/include/crypto/bn_conf.h b/crypto/openssl/include/crypto/bn_conf.h index 0347a6ddc067..408242f0f8d0 100644 --- a/crypto/openssl/include/crypto/bn_conf.h +++ b/crypto/openssl/include/crypto/bn_conf.h @@ -27,3 +27,30 @@ #undef THIRTY_TWO_BIT #endif + +/** + * OpenSSL's Configure script generates these values automatically for the host + * architecture, but FreeBSD provides values which are universal for all + * supported target architectures. + */ + +#ifndef __FREEBSD_BN_CONF_H__ +#define __FREEBSD_BN_CONF_H__ + +# undef SIXTY_FOUR_BIT_LONG +# undef SIXTY_FOUR_BIT +# undef THIRTY_TWO_BIT + +# if __SIZEOF_LONG__ == 8 +# define SIXTY_FOUR_BIT_LONG +# undef SIXTY_FOUR_BIT +# undef THIRTY_TWO_BIT +# elif __SIZEOF_LONG__ == 4 +# undef SIXTY_FOUR_BIT_LONG +# undef SIXTY_FOUR_BIT +# define THIRTY_TWO_BIT +# else +# error Unsupported size of long +# endif + +#endif /* __FREEBSD_BN_CONF_H__ */ diff --git a/crypto/openssl/include/crypto/dh.h b/crypto/openssl/include/crypto/dh.h index 51232d18c244..b4a4a3c1fae8 100644 --- a/crypto/openssl/include/crypto/dh.h +++ b/crypto/openssl/include/crypto/dh.h @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -42,7 +42,7 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); int ossl_dh_check_pub_key_partial(const DH *dh, const BIGNUM *pub_key, int *ret); int ossl_dh_check_priv_key(const DH *dh, const BIGNUM *priv_key, int *ret); -int ossl_dh_check_pairwise(const DH *dh); +int ossl_dh_check_pairwise(const DH *dh, int return_on_null_numbers); const DH_METHOD *ossl_dh_get_method(const DH *dh); diff --git a/crypto/openssl/include/crypto/rsa.h b/crypto/openssl/include/crypto/rsa.h index dcb465cbcae0..55cc814ce913 100644 --- a/crypto/openssl/include/crypto/rsa.h +++ b/crypto/openssl/include/crypto/rsa.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/include/crypto/slh_dsa.h b/crypto/openssl/include/crypto/slh_dsa.h index cf1e21215f9e..75b928638309 100644 --- a/crypto/openssl/include/crypto/slh_dsa.h +++ b/crypto/openssl/include/crypto/slh_dsa.h @@ -23,9 +23,11 @@ typedef struct slh_dsa_hash_ctx_st SLH_DSA_HASH_CTX; typedef struct slh_dsa_key_st SLH_DSA_KEY; +__owur OSSL_LIB_CTX *ossl_slh_dsa_key_get0_libctx(const SLH_DSA_KEY *key); __owur SLH_DSA_KEY *ossl_slh_dsa_key_new(OSSL_LIB_CTX *libctx, const char *propq, const char *alg); void ossl_slh_dsa_key_free(SLH_DSA_KEY *key); +void ossl_slh_dsa_key_reset(SLH_DSA_KEY *key); __owur SLH_DSA_KEY *ossl_slh_dsa_key_dup(const SLH_DSA_KEY *src, int selection); __owur int ossl_slh_dsa_key_equal(const SLH_DSA_KEY *key1, const SLH_DSA_KEY *key2, int selection); diff --git a/crypto/openssl/include/internal/quic_ackm.h b/crypto/openssl/include/internal/quic_ackm.h index c271dfca2e1d..949d91903bb1 100644 --- a/crypto/openssl/include/internal/quic_ackm.h +++ b/crypto/openssl/include/internal/quic_ackm.h @@ -1,5 +1,5 @@ /* - * Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -23,7 +23,7 @@ OSSL_ACKM *ossl_ackm_new(OSSL_TIME (*now)(void *arg), void *now_arg, OSSL_STATM *statm, const OSSL_CC_METHOD *cc_method, - OSSL_CC_DATA *cc_data); + OSSL_CC_DATA *cc_data, int is_server); void ossl_ackm_free(OSSL_ACKM *ackm); void ossl_ackm_set_loss_detection_deadline_callback(OSSL_ACKM *ackm, diff --git a/crypto/openssl/include/internal/quic_record_rx.h b/crypto/openssl/include/internal/quic_record_rx.h index 8e0cd6a2c927..24143f91f2f3 100644 --- a/crypto/openssl/include/internal/quic_record_rx.h +++ b/crypto/openssl/include/internal/quic_record_rx.h @@ -168,6 +168,17 @@ int ossl_qrx_provide_secret(OSSL_QRX *qrx, size_t secret_len); /* + * Utility function to update the pn space from a src to a dst qrx. + * Occasionally we use a temporary qrx to do packet validation on quic frames + * that are not yet associated with a channel, and in the event a validation is + * successful AND we allocate a new qrx for the newly created channel, we need + * to migrate the largest_pn values recorded in the tmp qrx to the channel qrx. + * If we don't then PN decoding fails in cases where the initial PN is a large value. + * This function does that migration for us + */ +void ossl_qrx_update_pn_space(OSSL_QRX *src, OSSL_QRX *dst); + +/* * Informs the QRX that it can now discard key material for a given EL. The QRX * will no longer be able to process incoming packets received at that * encryption level. This function is idempotent and succeeds if the EL has diff --git a/crypto/openssl/include/openssl/configuration.h b/crypto/openssl/include/openssl/configuration.h index 9fd68f770a1a..b4d8283a8b98 100644 --- a/crypto/openssl/include/openssl/configuration.h +++ b/crypto/openssl/include/openssl/configuration.h @@ -34,6 +34,9 @@ extern "C" { # ifndef OPENSSL_THREADS # define OPENSSL_THREADS # endif +# ifndef OPENSSL_NO_ACVP_TESTS +# define OPENSSL_NO_ACVP_TESTS +# endif # ifndef OPENSSL_NO_AFALGENG # define OPENSSL_NO_AFALGENG # endif @@ -67,6 +70,12 @@ extern "C" { # ifndef OPENSSL_NO_FIPS_JITTER # define OPENSSL_NO_FIPS_JITTER # endif +# ifndef OPENSSL_NO_FIPS_POST +# define OPENSSL_NO_FIPS_POST +# endif +# ifndef OPENSSL_NO_FIPS_SECURITYCHECKS +# define OPENSSL_NO_FIPS_SECURITYCHECKS +# endif # ifndef OPENSSL_NO_FUZZ_AFL # define OPENSSL_NO_FUZZ_AFL # endif @@ -85,9 +94,6 @@ extern "C" { # ifndef OPENSSL_NO_JITTER # define OPENSSL_NO_JITTER # endif -# ifndef OPENSSL_NO_KTLS -# define OPENSSL_NO_KTLS -# endif # ifndef OPENSSL_NO_MD2 # define OPENSSL_NO_MD2 # endif @@ -124,9 +130,6 @@ extern "C" { # ifndef OPENSSL_NO_TFO # define OPENSSL_NO_TFO # endif -# ifndef OPENSSL_NO_TLS_DEPRECATED_EC -# define OPENSSL_NO_TLS_DEPRECATED_EC -# endif # ifndef OPENSSL_NO_TRACE # define OPENSSL_NO_TRACE # endif @@ -189,3 +192,41 @@ extern "C" { # endif #endif /* OPENSSL_CONFIGURATION_H */ + +/** + * OpenSSL's Configure script generates these values automatically for the host + * architecture, but FreeBSD provides values which are universal for all + * supported target architectures. + */ + +#ifndef __FREEBSD_CONFIGURATION_H__ +#define __FREEBSD_CONFIGURATION_H__ + +# undef OPENSSL_NO_EC_NISTP_64_GCC_128 +# if __SIZEOF_LONG__ == 4 || __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__ +# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 +# define OPENSSL_NO_EC_NISTP_64_GCC_128 +# endif +# endif + +# undef BN_LLONG +# undef SIXTY_FOUR_BIT_LONG +# undef SIXTY_FOUR_BIT +# undef THIRTY_TWO_BIT +# if !defined(OPENSSL_SYS_UEFI) +# if __SIZEOF_LONG__ == 8 +# undef BN_LLONG +# define SIXTY_FOUR_BIT_LONG +# undef SIXTY_FOUR_BIT +# undef THIRTY_TWO_BIT +# elif __SIZEOF_LONG__ == 4 +# define BN_LLONG +# undef SIXTY_FOUR_BIT_LONG +# undef SIXTY_FOUR_BIT +# define THIRTY_TWO_BIT +# else +# error Unsupported size of long +# endif +# endif + +#endif /* __FREEBSD_CONFIGURATION_H__ */ diff --git a/crypto/openssl/include/openssl/core_dispatch.h b/crypto/openssl/include/openssl/core_dispatch.h index 690a38206a35..13de04e2622c 100644 --- a/crypto/openssl/include/openssl/core_dispatch.h +++ b/crypto/openssl/include/openssl/core_dispatch.h @@ -253,6 +253,10 @@ OSSL_CORE_MAKE_FUNC(int, provider_up_ref, OSSL_CORE_MAKE_FUNC(int, provider_free, (const OSSL_CORE_HANDLE *prov, int deactivate)) +/* Additional error functions provided by the core */ +# define OSSL_FUNC_CORE_COUNT_TO_MARK 120 +OSSL_CORE_MAKE_FUNC(int, core_count_to_mark, (const OSSL_CORE_HANDLE *prov)) + /* Functions provided by the provider to the Core, reserved numbers 1024-1535 */ # define OSSL_FUNC_PROVIDER_TEARDOWN 1024 OSSL_CORE_MAKE_FUNC(void, provider_teardown, (void *provctx)) diff --git a/crypto/openssl/include/openssl/crypto.h b/crypto/openssl/include/openssl/crypto.h index fd2cfd3e5a9a..87fefd4ab73b 100644 --- a/crypto/openssl/include/openssl/crypto.h +++ b/crypto/openssl/include/openssl/crypto.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by Makefile from include/openssl/crypto.h.in * - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -358,9 +358,9 @@ OSSL_CRYPTO_ALLOC void *CRYPTO_zalloc(size_t num, const char *file, int line); OSSL_CRYPTO_ALLOC void *CRYPTO_aligned_alloc(size_t num, size_t align, void **freeptr, const char *file, int line); -OSSL_CRYPTO_ALLOC void *CRYPTO_memdup(const void *str, size_t siz, const char *file, int line); -OSSL_CRYPTO_ALLOC char *CRYPTO_strdup(const char *str, const char *file, int line); -OSSL_CRYPTO_ALLOC char *CRYPTO_strndup(const char *str, size_t s, const char *file, int line); +void *CRYPTO_memdup(const void *str, size_t siz, const char *file, int line); +char *CRYPTO_strdup(const char *str, const char *file, int line); +char *CRYPTO_strndup(const char *str, size_t s, const char *file, int line); void CRYPTO_free(void *ptr, const char *file, int line); void CRYPTO_clear_free(void *ptr, size_t num, const char *file, int line); void *CRYPTO_realloc(void *addr, size_t num, const char *file, int line); diff --git a/crypto/openssl/include/openssl/crypto.h.in b/crypto/openssl/include/openssl/crypto.h.in index e0ace5e5a064..c98f5215d54b 100644 --- a/crypto/openssl/include/openssl/crypto.h.in +++ b/crypto/openssl/include/openssl/crypto.h.in @@ -1,7 +1,7 @@ /* * {- join("\n * ", @autowarntext) -} * - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -335,9 +335,9 @@ OSSL_CRYPTO_ALLOC void *CRYPTO_zalloc(size_t num, const char *file, int line); OSSL_CRYPTO_ALLOC void *CRYPTO_aligned_alloc(size_t num, size_t align, void **freeptr, const char *file, int line); -OSSL_CRYPTO_ALLOC void *CRYPTO_memdup(const void *str, size_t siz, const char *file, int line); -OSSL_CRYPTO_ALLOC char *CRYPTO_strdup(const char *str, const char *file, int line); -OSSL_CRYPTO_ALLOC char *CRYPTO_strndup(const char *str, size_t s, const char *file, int line); +void *CRYPTO_memdup(const void *str, size_t siz, const char *file, int line); +char *CRYPTO_strdup(const char *str, const char *file, int line); +char *CRYPTO_strndup(const char *str, size_t s, const char *file, int line); void CRYPTO_free(void *ptr, const char *file, int line); void CRYPTO_clear_free(void *ptr, size_t num, const char *file, int line); void *CRYPTO_realloc(void *addr, size_t num, const char *file, int line); diff --git a/crypto/openssl/include/openssl/fipskey.h b/crypto/openssl/include/openssl/fipskey.h index 929db18c6783..620812bf0a5f 100644 --- a/crypto/openssl/include/openssl/fipskey.h +++ b/crypto/openssl/include/openssl/fipskey.h @@ -32,7 +32,7 @@ extern "C" { /* * The FIPS provider vendor name, as a string. */ -#define FIPS_VENDOR "OpenSSL FIPS Provider" +#define FIPS_VENDOR "OpenSSL non-compliant FIPS Provider" # ifdef __cplusplus } diff --git a/crypto/openssl/include/openssl/opensslv.h b/crypto/openssl/include/openssl/opensslv.h index 4660b937298f..05af9abc456b 100644 --- a/crypto/openssl/include/openssl/opensslv.h +++ b/crypto/openssl/include/openssl/opensslv.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by Makefile from include/openssl/opensslv.h.in * - * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -29,7 +29,7 @@ extern "C" { */ # define OPENSSL_VERSION_MAJOR 3 # define OPENSSL_VERSION_MINOR 5 -# define OPENSSL_VERSION_PATCH 1 +# define OPENSSL_VERSION_PATCH 4 /* * Additional version information @@ -57,7 +57,7 @@ extern "C" { * be related to the API version expressed with the macros above. * This is defined in free form. */ -# define OPENSSL_SHLIB_VERSION 17 +# define OPENSSL_SHLIB_VERSION 3 /* * SECTION 2: USEFUL MACROS @@ -74,33 +74,28 @@ extern "C" { * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and * OPENSSL_VERSION_BUILD_METADATA_STR appended. */ -# define OPENSSL_VERSION_STR "3.5.1" -# define OPENSSL_FULL_VERSION_STR "3.5.1" +# define OPENSSL_VERSION_STR "3.5.4" +# define OPENSSL_FULL_VERSION_STR "3.5.4" /* * SECTION 3: ADDITIONAL METADATA * * These strings are defined separately to allow them to be parsable. */ -# define OPENSSL_RELEASE_DATE "1 Jul 2025" +# define OPENSSL_RELEASE_DATE "30 Sep 2025" /* * SECTION 4: BACKWARD COMPATIBILITY */ -# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025" +# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.4 30 Sep 2025" -/* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */ -# ifdef OPENSSL_VERSION_PRE_RELEASE -# define _OPENSSL_VERSION_PRE_RELEASE 0x0L -# else -# define _OPENSSL_VERSION_PRE_RELEASE 0xfL -# endif +/* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PP0L */ # define OPENSSL_VERSION_NUMBER \ ( (OPENSSL_VERSION_MAJOR<<28) \ |(OPENSSL_VERSION_MINOR<<20) \ |(OPENSSL_VERSION_PATCH<<4) \ - |_OPENSSL_VERSION_PRE_RELEASE ) + |0x0L ) # ifdef __cplusplus } diff --git a/crypto/openssl/include/openssl/opensslv.h.in b/crypto/openssl/include/openssl/opensslv.h.in index 3f47a2ac08f0..69b9caacf4dc 100644 --- a/crypto/openssl/include/openssl/opensslv.h.in +++ b/crypto/openssl/include/openssl/opensslv.h.in @@ -1,7 +1,7 @@ /* * {- join("\n * ", @autowarntext) -} * - * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -89,17 +89,12 @@ extern "C" { # define OPENSSL_VERSION_TEXT "OpenSSL {- "$config{full_version} $config{release_date}" -}" -/* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */ -# ifdef OPENSSL_VERSION_PRE_RELEASE -# define _OPENSSL_VERSION_PRE_RELEASE 0x0L -# else -# define _OPENSSL_VERSION_PRE_RELEASE 0xfL -# endif +/* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PP0L */ # define OPENSSL_VERSION_NUMBER \ ( (OPENSSL_VERSION_MAJOR<<28) \ |(OPENSSL_VERSION_MINOR<<20) \ |(OPENSSL_VERSION_PATCH<<4) \ - |_OPENSSL_VERSION_PRE_RELEASE ) + |0x0L ) # ifdef __cplusplus } diff --git a/crypto/openssl/include/openssl/pem.h b/crypto/openssl/include/openssl/pem.h index 94424e6c209e..de1b6581f28f 100644 --- a/crypto/openssl/include/openssl/pem.h +++ b/crypto/openssl/include/openssl/pem.h @@ -57,6 +57,7 @@ extern "C" { # define PEM_STRING_ECPRIVATEKEY "EC PRIVATE KEY" # define PEM_STRING_PARAMETERS "PARAMETERS" # define PEM_STRING_CMS "CMS" +# define PEM_STRING_SM2PRIVATEKEY "SM2 PRIVATE KEY" # define PEM_STRING_SM2PARAMETERS "SM2 PARAMETERS" # define PEM_STRING_ACERT "ATTRIBUTE CERTIFICATE" diff --git a/crypto/openssl/include/openssl/proverr.h b/crypto/openssl/include/openssl/proverr.h index 0d61b733dc59..10bcd427800f 100644 --- a/crypto/openssl/include/openssl/proverr.h +++ b/crypto/openssl/include/openssl/proverr.h @@ -49,6 +49,7 @@ # define PROV_R_FINAL_CALL_OUT_OF_ORDER 237 # define PROV_R_FIPS_MODULE_CONDITIONAL_ERROR 227 # define PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE 224 +# define PROV_R_FIPS_MODULE_IMPORT_PCT_ERROR 253 # define PROV_R_FIPS_MODULE_IN_ERROR_STATE 225 # define PROV_R_GENERATE_ERROR 191 # define PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE 165 diff --git a/crypto/openssl/include/openssl/self_test.h b/crypto/openssl/include/openssl/self_test.h index 2d39e096eeab..6c81cef4c300 100644 --- a/crypto/openssl/include/openssl/self_test.h +++ b/crypto/openssl/include/openssl/self_test.h @@ -31,6 +31,7 @@ extern "C" { # define OSSL_SELF_TEST_TYPE_CRNG "Continuous_RNG_Test" # define OSSL_SELF_TEST_TYPE_PCT "Conditional_PCT" # define OSSL_SELF_TEST_TYPE_PCT_KAT "Conditional_KAT" +# define OSSL_SELF_TEST_TYPE_PCT_IMPORT "Import_PCT" # define OSSL_SELF_TEST_TYPE_KAT_INTEGRITY "KAT_Integrity" # define OSSL_SELF_TEST_TYPE_KAT_CIPHER "KAT_Cipher" # define OSSL_SELF_TEST_TYPE_KAT_ASYM_CIPHER "KAT_AsymmetricCipher" @@ -50,6 +51,7 @@ extern "C" { # define OSSL_SELF_TEST_DESC_PCT_RSA_PKCS1 "RSA" # define OSSL_SELF_TEST_DESC_PCT_ECDSA "ECDSA" # define OSSL_SELF_TEST_DESC_PCT_EDDSA "EDDSA" +# define OSSL_SELF_TEST_DESC_PCT_DH "DH" # define OSSL_SELF_TEST_DESC_PCT_DSA "DSA" # define OSSL_SELF_TEST_DESC_PCT_ML_DSA "ML-DSA" # define OSSL_SELF_TEST_DESC_PCT_ML_KEM "ML-KEM" diff --git a/crypto/openssl/libcrypto.pc b/crypto/openssl/libcrypto.pc new file mode 100644 index 000000000000..05ed0737f0f1 --- /dev/null +++ b/crypto/openssl/libcrypto.pc @@ -0,0 +1,13 @@ +prefix=/usr +exec_prefix=${prefix} +libdir=${exec_prefix} +includedir=${prefix}/include ${prefix}/./include +enginesdir=${libdir}/engines +modulesdir=${libdir}/providers + +Name: OpenSSL-libcrypto +Description: OpenSSL cryptography library +Version: 3.5.4 +Libs: -L${libdir} -lcrypto +Libs.private: -pthread +Cflags: -I${prefix}/include -I${prefix}/./include diff --git a/crypto/openssl/libssl.pc b/crypto/openssl/libssl.pc new file mode 100644 index 000000000000..10b330aaa098 --- /dev/null +++ b/crypto/openssl/libssl.pc @@ -0,0 +1,11 @@ +prefix=/usr +exec_prefix=${prefix} +libdir=${exec_prefix} +includedir=${prefix}/include ${prefix}/./include + +Name: OpenSSL-libssl +Description: Secure Sockets Layer and cryptography libraries +Version: 3.5.4 +Requires.private: libcrypto +Libs: -L${libdir} -lssl +Cflags: -I${prefix}/include -I${prefix}/./include diff --git a/crypto/openssl/openssl.pc b/crypto/openssl/openssl.pc new file mode 100644 index 000000000000..7a9c9fc22d45 --- /dev/null +++ b/crypto/openssl/openssl.pc @@ -0,0 +1,9 @@ +prefix=/usr +exec_prefix=${prefix} +libdir=${exec_prefix} +includedir=${prefix}/include ${prefix}/./include + +Name: OpenSSL +Description: Secure Sockets Layer and cryptography libraries and tools +Version: 3.5.4 +Requires: libssl libcrypto diff --git a/crypto/openssl/providers/common/provider_err.c b/crypto/openssl/providers/common/provider_err.c index ea727e8334d5..967d708b516a 100644 --- a/crypto/openssl/providers/common/provider_err.c +++ b/crypto/openssl/providers/common/provider_err.c @@ -63,6 +63,8 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { "fips module conditional error"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE), "fips module entering error state"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_IMPORT_PCT_ERROR), + "fips module import pct error"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_IN_ERROR_STATE), "fips module in error state"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_GENERATE_ERROR), "generate error"}, diff --git a/crypto/openssl/providers/common/securitycheck_fips.c b/crypto/openssl/providers/common/securitycheck_fips.c index c02fa960c096..ea07ccd42bb8 100644 --- a/crypto/openssl/providers/common/securitycheck_fips.c +++ b/crypto/openssl/providers/common/securitycheck_fips.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -98,18 +98,33 @@ int ossl_fips_ind_digest_exch_check(OSSL_FIPS_IND *ind, int id, int ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND *ind, int id, OSSL_LIB_CTX *libctx, int nid, int sha1_allowed, + int sha512_trunc_allowed, const char *desc, OSSL_FIPS_IND_CHECK_CB *config_check_f) { int approved; + const char *op = "none"; - if (nid == NID_undef) + switch (nid) { + case NID_undef: approved = 0; - else - approved = sha1_allowed || nid != NID_sha1; + break; + case NID_sha512_224: + case NID_sha512_256: + approved = sha512_trunc_allowed; + op = "Digest Truncated SHA512"; + break; + case NID_sha1: + approved = sha1_allowed; + op = "Digest SHA1"; + break; + default: + approved = 1; + break; + } if (!approved) { - if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, "Digest SHA1", + if (!ossl_FIPS_IND_on_unapproved(ind, id, libctx, desc, op, config_check_f)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); return 0; diff --git a/crypto/openssl/providers/fips-sources.checksums b/crypto/openssl/providers/fips-sources.checksums index 9f25bac77f3e..334b4ad6b7f2 100644 --- a/crypto/openssl/providers/fips-sources.checksums +++ b/crypto/openssl/providers/fips-sources.checksums @@ -16,7 +16,7 @@ e1f3805332eb811d9d0c9377b67fe0681063364f1af84d8598f7daa30da65b4d crypto/aes/asm ecd9bdfaf25cdd3d8ec0c50cb4306d98374da1c6056e27e0cf31a057dc5ee150 crypto/aes/asm/aes-riscv64-zvkb-zvkned.pl d372152dac004b96a89f8531256bd05597ca0b614b444bb02aee93238dcf83ab crypto/aes/asm/aes-riscv64-zvkned.pl f0388e17ba4268ed0b562da60e0780072180a824a379b79fafb60e25b8da3b52 crypto/aes/asm/aes-riscv64.pl -ecbfe826f4c514810c3ee20e265f4f621149694c298554b2682e5de4f029f14f crypto/aes/asm/aes-s390x.pl +290ae2a09826d24e83763415a021e328d41a163f41cff8c9e3b882e973677f33 crypto/aes/asm/aes-s390x.pl ee4e8cacef972942d2a89c1a83c984df9cad87c61a54383403c5c4864c403ba1 crypto/aes/asm/aes-sparcv9.pl 391497550eaca253f64b2aba7ba2e53c6bae7dff01583bc6bfc12e930bb7e217 crypto/aes/asm/aes-x86_64.pl c56c324667b67d726e040d70379efba5b270e2937f403c1b5979018b836903c7 crypto/aes/asm/aesfx-sparcv9.pl @@ -136,7 +136,7 @@ eeef5722ad56bf1af2ff71681bcc8b8525bc7077e973c98cee920ce9bcc66c81 crypto/des/ecb 9549901d6f0f96cd17bd76c2b6cb33fb25641707bfdb8ed34aab250c34f7f4f6 crypto/des/set_key.c 8344811b14d151f6cd40a7bc45c8f4a1106252b119c1d5e6a589a023f39b107d crypto/des/spr.h a54b1b60cf48ca89dfb3f71d299794dd6c2e462c576b0fe583d1448f819c80ea crypto/dh/dh_backend.c -24cf9462da6632c52b726041271f8a43dfb3f74414abe460d9cc9c7fd2fd2d7d crypto/dh/dh_check.c +9db32c052fb3cf7c36ab8e642f4852c2fa68a7b6bae0e3b1746522f826827068 crypto/dh/dh_check.c c117ac4fd24369c7813ac9dc9685640700a82bb32b0f7e038e85afd6c8db75c7 crypto/dh/dh_gen.c 6b17861887b2535159b9e6ca4f927767dad3e71b6e8be50055bc784f78e92d64 crypto/dh/dh_group_params.c a539a8930035fee3b723d74a1d13e931ff69a2b523c83d4a2d0d9db6c78ba902 crypto/dh/dh_kdf.c @@ -204,7 +204,7 @@ a47d8541bb2cc180f4c7d3ac0f888657e17621b318ea8a2eacdefb1926efb500 crypto/ec/ecp_ 43f81968983e9a466b7dc9cffe64302418703f7a66adcbac4b7c4d8cb19c9af5 crypto/ec/ecx_backend.c 5ee19c357c318b2948ff5d9118a626a6207af2b2eade7d8536051d4a522668d3 crypto/ec/ecx_backend.h 2be4ca60082891bdc99f8c6ebc5392c1f0a7a53f0bcf18dcf5497a7aee0b9c84 crypto/ec/ecx_key.c -73c956c97fd558b0fd267934657fb829fd8d9ab12dda2d96d3ca1521f0416ca8 crypto/evp/asymcipher.c +c1f04d877f96f2d0852290e34b1994dd48222650ac1121903cee9c259fe3ebf2 crypto/evp/asymcipher.c 80da494704c8fc54fea36e5de7100a6c2fdcc5f8c50f43ac477df5f56fa57e58 crypto/evp/dh_support.c bc9f3b827e3d29ac485fff9fb1c8f71d7e2bcd883ccc44c776de2f620081df58 crypto/evp/digest.c 838277f228cd3025cf95a9cd435e5606ad1fb5d207bbb057aa29892e6a657c55 crypto/evp/ec_support.c @@ -219,7 +219,7 @@ baccbd623a94ba350c07e0811033ad66a2c892ef51ccb051b4a65bf2ba625a85 crypto/evp/evp 90742590db894920ffdb737a450ee591488aa455802e777400b1bf887618fd7a crypto/evp/kdf_meth.c 948f7904e81008588288a1ba7969b9de83546c687230ffe2a3fd0be1651bce8f crypto/evp/kem.c 55d141a74405415ad21789abcace9557f1d1ef54cf207e99993bf0a801f4b81e crypto/evp/keymgmt_lib.c -5cb9ddc6a7434bd7e063bf85455c2025fb34e4eb846d7d113dbcedc25eeac7a3 crypto/evp/keymgmt_meth.c +d57908a9473d2af324f32549649016f7a3c196b5ac8b54d6ca3c82f84cab5d48 crypto/evp/keymgmt_meth.c 9e44d1ffb52fee194b12c50962907c8637e7d92f08339345ec9fd3bd4a248e69 crypto/evp/mac_lib.c cd611921dc773b47207c036b9108ec820ab39d67780ba4adc9ccb9dc8da58627 crypto/evp/mac_meth.c 4f0a9a7baa72c6984edb53c46101b6ff774543603bec1e1d3a6123adf27e41db crypto/evp/p_lib.c @@ -228,7 +228,7 @@ cd611921dc773b47207c036b9108ec820ab39d67780ba4adc9ccb9dc8da58627 crypto/evp/mac c2c8f6d17dc3d85ffcced051047c0b00ce99d119635f4626c5c6db3d59d86fbb crypto/evp/pmeth_lib.c ba4ff38738cbcfd3841d53a2fab92227638ceca176d3ffe50e486c9dcbabb5dd crypto/evp/s_lib.c 3c003fa01341a69c461b75cffd93cf31a1899373d7e95a1ef3754ea1bfbb77fe crypto/evp/signature.c -a3ba57f8181cfbbf017fe1d4fa8d80f4999eea6d2834b0bcda22b60e6a5e31e3 crypto/evp/skeymgmt_meth.c +30af153213f8b008955486000c5a92507dc694c4af9ac6ed6fef3f290efa3e52 crypto/evp/skeymgmt_meth.c 64f7e366e681930ba10267272b87dba223b9744a01c27ba0504a4941802a580d crypto/ex_data.c d986ec74995b05ff65a68df320ab45894ba35d7be4906f8d78ca5fca294a4e6c crypto/ffc/ffc_backend.c a12af33e605315cdddd6d759e70cd9632f0f33682b9aa7103ed1ecd354fc7e55 crypto/ffc/ffc_dh.c @@ -250,7 +250,7 @@ c685813be6ad35b0861ba888670ef54aa2b399d003472698e39426de6e52db59 crypto/initthr f866aafae928db1b439ac950dc90744a2397dfe222672fe68b3798396190c8b0 crypto/mem_clr.c 18127868d868ca5705444c24f7dc385391ba31154fc04ff54949739e8fa7fdfc crypto/ml_dsa/ml_dsa_encoders.c 825105b0a2c4844b2b4229001650ff7e61e1348e52f1072210f70b97cd4adb71 crypto/ml_dsa/ml_dsa_hash.h -c82201cf1a17ff2d4b169dcd4402d3d56f4685e460a1447e021db4abd67f7f0e crypto/ml_dsa/ml_dsa_key.c +c467f4400d399aad6b51746ef2575d1e04d260a1bf901b35ca55624fe62e650e crypto/ml_dsa/ml_dsa_key.c 579c1a12a5c5f014476a6bf695dc271f63074fb187e23ffc3f9ccb5b7ea044f1 crypto/ml_dsa/ml_dsa_key.h 3f98eb0467033d0a40867ef1c1036dcfea5d231eeac2321196f7d7c7243edace crypto/ml_dsa/ml_dsa_key_compress.c 983d164bfa3dbe8d85ad1fdc24d897e79d9246d96d9c1862855c6c538b387ad9 crypto/ml_dsa/ml_dsa_local.h @@ -263,7 +263,7 @@ ff65c82c56e341f47df03d0c74de7fb537de0e68a4fa23fa07a9fdb51c511f1c crypto/ml_dsa/ 1d7f57a41034988a4e7d4c9a998760d2ef802c5e90275d09a3ca31c5f3403d94 crypto/ml_dsa/ml_dsa_sign.c 5217ef237e21872205703b95577290c34898423466a465c7bd609b2eb4627964 crypto/ml_dsa/ml_dsa_sign.h abd934284bcd8061027a69f437fa4410c6b72cd950be1ebe048244d036371208 crypto/ml_dsa/ml_dsa_vector.h -defc2e4e81ff1b78056c795bc0565f4241a259c2957abe84a51bcbc1e4ace3f1 crypto/ml_kem/ml_kem.c +8c4f7238f68f959f2ad1e2529c567364c5a8818898355c82818521e03239ea76 crypto/ml_kem/ml_kem.c 36e24eae5d38cc9666ae40e4e8a2dc12328e1159fea68447cb19dab174d25adf crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl 33357356cd739d4ae89d52f0804b6900e4b94d8829323819c6f64c8908e978df crypto/modes/asm/aes-gcm-armv8_64.pl bcc09bdb474f045d04c983fa09c31a010c5a25513f53a5d3653ade91304f0f96 crypto/modes/asm/aes-gcm-avx512.pl @@ -306,17 +306,17 @@ f50450f7e5f6896fb8e3cde2fdc11cc543124c854ef9d88252a166606ca80081 crypto/params_ 467c416422ecf61e3b713c5eb259fdbcb4aa73ae8dee61804d0b85cfd3fff4f7 crypto/property/defn_cache.c 91c1f1f8eb5588ed9da17386c244ae68a6a81717b1c7ab6c9f1a6a57973a039f crypto/property/property.c 66da4f28d408133fb544b14aeb9ad4913e7c5c67e2826e53f0dc5bf4d8fada26 crypto/property/property_local.h -d32105cb087d708d0504a787f74bc163cc398c299faf2e98d6bb5ae02f5ce9b7 crypto/property/property_parse.c +1e99a3934812f99dad79cbfbb6727ad61b6093711c1a6c74d4b50f9318152611 crypto/property/property_parse.c a7cefda6a117550e2c76e0f307565ce1e11640b11ba10c80e469a837fd1212a3 crypto/property/property_query.c 20e69b9d594dfc443075eddbb0e6bcc0ed36ca51993cd50cc5a4f86eb31127f8 crypto/property/property_string.c -faa002fd33a147494ea93dbd1cef07138c6f61432d6465ceb4a34118e31e0a72 crypto/provider_core.c +10644e9d20214660706de58d34edf635c110d4e4f2628cd5284a08c60ed9aff8 crypto/provider_core.c d0af10d4091b2032aac1b7db80f8c2e14fa7176592716b25b9437ab6b53c0a89 crypto/provider_local.h 5ba2e1c74ddcd0453d02e32612299d1eef18eff8493a7606c15d0dc3738ad1d9 crypto/provider_predefined.c e13cf63765dd538a75eb9d2cb8fcb0243e6bd2988dd420c83806a69984dad558 crypto/rand/rand_lib.c fd03b9bb2c23470fa40880ed3bf9847bb17d50592101a78c0ad7a0f121209788 crypto/rand/rand_local.h 426ba915ca65a770f8264129f8ac47db7aaf06c6ae51517c5d775eacdf91b9f6 crypto/rcu_internal.h -48f6a98e3d7e9ae79f2d2b8ea9965d0c4ec3b1a4473adbceb47fe1e7930dc3c1 crypto/riscv32cpuid.pl -f6c5a1440de995a115dbba5f732b294e2e6d94aa520687afd1e776af1ba48cf8 crypto/riscv64cpuid.pl +0c1d3e0e857e9e4f84752a8ef0b619d8af0d81427b52facbd0174e685dac9a47 crypto/riscv32cpuid.pl +231263dffc16987f5288592ebf4c0738902d5146bfc16bcd8a157e044cb697da crypto/riscv64cpuid.pl 0b0f3c7757447c2374338f2008c6545a1d176dcbdb41f06873f4681dc43fd42e crypto/riscvcap.c f0c8792a99132e0b9c027cfa7370f45594a115934cdc9e8f23bdd64abecaf7fd crypto/rsa/rsa_acvp_test_params.c 1b828f428f0e78b591378f7b780164c4574620c68f9097de041cbd576f811bf6 crypto/rsa/rsa_backend.c @@ -393,11 +393,11 @@ dfd99e02830973ab349409ac6ba0ee901ba7736216030965bd7e5a54356abd7c crypto/slh_dsa 1a2e505ac8ef45ff46f36ab89f5fb1d6a6888b2123a7cb75cf0eae849ee5de70 crypto/slh_dsa/slh_adrs.h 11d3895ea104d1238999f00b2beee4de71f35eea79065ac7b4536ee79d61d2dd crypto/slh_dsa/slh_dsa.c ab7b580b1cba302c5675918b457794a3b3d00aac42297312d9447bc6f6a40b09 crypto/slh_dsa/slh_dsa_hash_ctx.c -c26498960895d435af4ef5f592d98a0c011c00609bbba8bbd0078d4a4f081609 crypto/slh_dsa/slh_dsa_key.c +36007c2d3c7f6a405745a25d1a10b97ce781c7541b1610e51981f549c9852a5b crypto/slh_dsa/slh_dsa_key.c 4c7981f7db69025f52495c549fb3b3a76be62b9e13072c3f3b7f1dedeaf8cc91 crypto/slh_dsa/slh_dsa_key.h 5dcb631891eb6afcd27a6b19d2de4d493c71dab159e53620d86d9b96642e97e8 crypto/slh_dsa/slh_dsa_local.h adb3f4dea52396935b8442df7b36ed99324d3f3e8ce3fdf714d6dfd683e1f9f0 crypto/slh_dsa/slh_fors.c -ff320d5fc65580eb85e4e0530f332af515124a5ec8915b5a7ec04acad524c11d crypto/slh_dsa/slh_hash.c +3891252acdefc4eff77d7a65cc35d77bdca8083c9dd0d44ff91889ceafcccb45 crypto/slh_dsa/slh_hash.c a146cdf01b4b6e20127f0e48b30ed5e8820bec0fca2d9423c7b63eddf0f19af3 crypto/slh_dsa/slh_hash.h 6402664fbb259808a6f7b5a5d6be2b4a3cc8a905399d97b160cdb3e4a97c02c4 crypto/slh_dsa/slh_hypertree.c 98ba100862bb45d13bcddff79bc55e44eadd95f528dd49accb4da3ca85fcc52d crypto/slh_dsa/slh_params.c @@ -416,7 +416,7 @@ a00e16963e1e2a0126c6a8e62da8a14f98de9736027654c925925dadd0ca3cc1 crypto/thread/ 27ec0090f4243c96e4fbe1babfd4320c2a16615ffa368275433217d50a1ef76c crypto/thread/internal.c 67ba8d87fbbb7c9a9e438018e7ecfd1cedd4d00224be05755580d044f5f1317a crypto/threads_lib.c b1a828491d9ce305802662561788facac92dff70cca9ead807f3e28741ff21e0 crypto/threads_none.c -c659f7ce5c4b59d2a1cff78485fa8e89c8d20d5798df4afc1b94ff635ffc0262 crypto/threads_pthread.c +491e9c29d4a7b4dd627ea25c20ce4a33103565b3108b618c41c6816dfc675569 crypto/threads_pthread.c 9c3bf7b4baa302a4017150fbcaa114ee9df935b18d5a3a8c8015003780d4e7de crypto/threads_win.c 7edd638df588b14711a50c98d458c4fc83f223ed03bc6c39c7c8edf7915b7cfa crypto/time.c 88c5f9f4d2611223d283ebd2ae10ae5ecbb9972d00f747d93fcb74b62641e3f9 crypto/x86_64cpuid.pl @@ -433,7 +433,7 @@ e69b2b20fb415e24b970941c84a62b752b5d0175bc68126e467f7cc970495504 include/crypto 6c72cfa9e59d276c1debcfd36a0aff277539b43d2272267147fad4165d72747c include/crypto/ctype.h f69643f16687c5a290b2ce6b846c6d1dddabfaf7e4d26fde8b1181955de32833 include/crypto/decoder.h 89693e0a7528a9574e1d2f80644b29e3b895d3684111dd07c18cc5bed28b45b7 include/crypto/des_platform.h -daf508bb7ed5783f1c8c622f0c230e179244dd3f584e1223a19ab95930fbcb4f include/crypto/dh.h +48d133a1eb8c3b3198cfe1cafda47f9abe8050d53004f3874f258a78f29b9e48 include/crypto/dh.h 679f6e52d9becdf51fde1649478083d18fa4f5a6ece21eeb1decf70f739f49d5 include/crypto/dsa.h c7aafee54cc3ace0c563f15aa5af2cdce13e2cfc4f9a9a133952825fb7c8faf5 include/crypto/ec.h adf369f3c9392e9f2dec5a87f61ac9e48160f4a763dae51d4ad5306c4ca4e226 include/crypto/ecx.h @@ -448,7 +448,7 @@ bbe5e52d84e65449a13e42cd2d6adce59b8ed6e73d6950917aa77dc1f3f5dff6 include/crypto 6f16685ffbc97dc2ac1240bfddf4bbac2dd1ad83fff6da91aee6f3f64c6ee8ff include/crypto/rsa.h 32f0149ab1d82fddbdfbbc44e3078b4a4cc6936d35187e0f8d02cc0bc19f2401 include/crypto/security_bits.h 80338f3865b7c74aab343879432a6399507b834e2f55dd0e9ee7a5eeba11242a include/crypto/sha.h -0814571bff328719cc1e5a73a4daf6f5810b17f9e50fe63287f91f445f053213 include/crypto/slh_dsa.h +dc7808729c3231a08bbe470b3e1b562420030f59f7bc05b14d7b516fa77b4f3a include/crypto/slh_dsa.h 7676b02824b2d68df6bddeb251e9b8a8fa2e35a95dad9a7ebeca53f9ab8d2dad include/crypto/sparse_array.h d6d1cd1ec7581046f5a84359a32ed41caad9e7c1b4d1eb9665ea4763de10e6b3 include/crypto/types.h 27d13538d9303b1c2f0b2ce9b6d376097ce7661354fbefbde24b7ef07206ea45 include/internal/bio.h @@ -511,9 +511,9 @@ bb45de4eafdd89c14096e9af9b0aee12b09adcee43b9313a3a373294dec99142 include/openss 69d98c5230b1c2a1b70c3e6b244fcfd8460a80ebf548542ea43bb1a57fe6cf57 include/openssl/configuration.h.in 6b3810dac6c9d6f5ee36a10ad6d895a5e4553afdfb9641ce9b7dc5db7eef30b7 include/openssl/conftypes.h 28c6f0ede39c821dcf4abeeb4e41972038ebb3e3c9d0a43ffdf28edb559470e1 include/openssl/core.h -940f6276e5bab8a7c59eedba56150902e619823c10dc5e50cf63575be6be9ba0 include/openssl/core_dispatch.h +b59255ddb1ead5531c3f0acf72fa6627d5c7192f3d23e9536eed00f32258c43b include/openssl/core_dispatch.h d37532e62315d733862d0bff8d8de9fe40292a75deacae606f4776e544844316 include/openssl/core_names.h.in -57898905771752f6303e2b1cca1c9a41ea5e9c7bf08ee06531213a65e960e424 include/openssl/crypto.h.in +01ed3af4e25b9be3453a8f13d7dd3b4e9e73889bbed338e0d4b8021f0d17aa82 include/openssl/crypto.h.in 628e2a9e67412e2903ecb75efb27b262db1f266b805c07ece6b85bf7ffa19dac include/openssl/cryptoerr.h bbc82260cbcadd406091f39b9e3b5ea63146d9a4822623ead16fa12c43ab9fc6 include/openssl/cryptoerr_legacy.h 83af275af84cf88c4e420030a9ea07c38d1887009c8f471874ed1458a4b1cda7 include/openssl/decoder.h @@ -546,20 +546,20 @@ a8a45996fd21411cb7ed610bc202dbd06570cdfa0a2d14f7dfc8bfadc820e636 include/openss cb6bca3913c60a57bac39583eee0f789d49c3d29be3ecde9aecc7f3287117aa5 include/openssl/objects.h d25537af264684dff033dd8ae62b0348f868fcfec4aa51fa8f07bcfa4bd807ad include/openssl/objectserr.h fe6acd42c3e90db31aaafc2236a7d30ebfa53c4c07ea4d8265064c7fcb951970 include/openssl/opensslconf.h -1bf52d136e94f727a96651c1f48ad040482f35dae152519ccd585efd410b92f0 include/openssl/opensslv.h.in +6c1a8837bbba633db2a8951ff29ccfe09e7d2a24a37ee2af90f2d897c190da9a include/openssl/opensslv.h.in 767d9d7d5051c937a3ce8a268c702902fda93eeaa210a94dfde1f45c23277d20 include/openssl/param_build.h 1c442aaaa4dda7fbf727a451bc676fb4d855ef617c14dc77ff2a5e958ae33c3e include/openssl/params.h 44f178176293c6ce8142890ff9dc2d466364c734e4e811f56bd62010c5403183 include/openssl/pkcs7.h.in 8394828da6fd7a794777320c955d27069bfef694356c25c62b7a9eb47cd55832 include/openssl/pkcs7err.h ed785c451189aa5f7299f9f32a841e7f25b67c4ee937c8de8491a39240f5bd9d include/openssl/prov_ssl.h -7c0e616ec99ac03d241da8def32cebf2679d9cacc93f58d2c2c4b05faf0011ea include/openssl/proverr.h +d8e2e31fbf88649efaabb6a999d9c464d4462b016c65c6bdf830b2ab4261a792 include/openssl/proverr.h 01ecfa6add534dfe98c23382e0f2faf86f627c21ce16c5b49bf90333fb4cac9f include/openssl/provider.h 765846563fbd69411aff6ce00bcc22f577f6407f5a80d592edb1dc10b580a145 include/openssl/rand.h 1c135b1e5ef06e052f554d52a744a9a807a8c371c848389ad836f9e4a923dd8e include/openssl/randerr.h 2f4f0106e9b2db6636491dbe3ef81b80dbf01aefe6f73d19663423b7fcd54466 include/openssl/rsa.h 2f339ba2f22b8faa406692289a6e51fdbbb04b03f85cf3ca849835e58211ad23 include/openssl/rsaerr.h 6586f2187991731835353de0ffad0b6b57609b495e53d0f32644491ece629eb2 include/openssl/safestack.h.in -b0c9ed3ce37034524623c579e8a2ea0feb6aab39e7489ce66e2b6bf28ec81840 include/openssl/self_test.h +39300fe80a46e0b76e07f10ada73a0ba55887c8cd5f98180b337ef6d5a3344d1 include/openssl/self_test.h a435cb5d87a37c05921afb2d68f581018ec9f62fd9b3194ab651139b24f616d2 include/openssl/sha.h c169a015d7be52b7b99dd41c418a48d97e52ad21687c39c512a83a7c3f3ddb70 include/openssl/stack.h 22d7584ad609e30e818b54dca1dfae8dea38913fffedd25cd540c550372fb9a6 include/openssl/symhacks.h @@ -604,23 +604,23 @@ c02d1fa866192dee1bf6d06338714efad5e7cae6ac0470ba20820599b4f811e8 providers/comm f221ca9b117c9cccb776bb230f71b86553ce6c24196bea120124a4be7b8a712f providers/common/include/prov/providercommon.h 4a6e35be7600e78633324422f019443747a62777eba4987efc50f900c43fda25 providers/common/include/prov/securitycheck.h ba12773ee7d5afbd55e240798a0e36a2b0bdb4472f3aa3984bb8059f68cfba25 providers/common/provider_ctx.c -c67989723273186af8d0fa7019fe5564957a21dd9867645cfab6ba54f8871df4 providers/common/provider_err.c +1f724e74106fa406999d706ec4b88c7185d2d1ceb7cc431a3340f778f533dbda providers/common/provider_err.c c4032b7cb033b588c6eb0585b8dfbed029d5b112a74ddd134dbcb1d78b0f9684 providers/common/provider_seeding.c 976aed982b0091a8f5320ee15e9b3d56c638c2a6b8481ddf9478d07927522f82 providers/common/provider_util.c bde6107744cf6840a4c350a48265ed000c49b0524fa60b0d68d6d7b33df5fce6 providers/common/securitycheck.c -8ea192553b423e881d85118c70bcb26a40fbdee4e110f230c966939c76f4aa7e providers/common/securitycheck_fips.c +c0ba8608dd7719c9a8d9f8668ce60007eaadd6635162d4448815a7b76a9b2439 providers/common/securitycheck_fips.c abd5997bc33b681a4ab275978b92aebca0806a4a3f0c2f41dacf11b3b6f4e101 providers/fips/fips_entry.c d8cb05784ae8533a7d9569d4fbaaea4175b63a7c9f4fb0f254215224069dea6b providers/fips/fipsindicator.c -e9383013a79a8223784a69a66bb610d16d54e61ea978f67a3d31de9f48cd4627 providers/fips/fipsprov.c -7be8349d3b557b6d9d5f87d318253a73d21123628a08f50726502abf0e3d8a44 providers/fips/include/fips/fipsindicator.h +485441c31b5ff7916a12d0b8438d131a58cbc1ff6267cd266ae2dd6128c825cc providers/fips/fipsprov.c +6e024bbebae12014997c105df04c22bd07bbbc0a0b0a9ddd14fb798dbd3f0f26 providers/fips/include/fips/fipsindicator.h ef204adc49776214dbb299265bc4f2c40b48848cbea4c25b8029f2b46a5c9797 providers/fips/include/fips_indicator_params.inc f2581d7b4e105f2bb6d30908f3c2d9959313be08cec6dbeb49030c125a7676d3 providers/fips/include/fips_selftest_params.inc 669f76f742bcaaf28846b057bfab97da7c162d69da244de71b7c743bf16e430f providers/fips/include/fipscommon.h -1af975061d9ea273fd337c74ccaab7b9331ab781d887c4e7164c5ac35e2c2e94 providers/fips/self_test.c +f111fd7e016af8cc6f96cd8059c28227b328dd466ed137ae0c0bc0c3c3eec3ba providers/fips/self_test.c 5c2c6c2f69e2eb01b88fa35630f27948e00dd2c2fd351735c74f34ccb2005cbe providers/fips/self_test.h -9c5c8131ee9a5b2d1056b5548db3269c00445294134cb30b631707f69f8904f1 providers/fips/self_test_data.inc -2e568e2b161131240e97bd77a730c2299f961c2f1409ea8466422fc07f9be23f providers/fips/self_test_kats.c -7a368f6c6a5636593018bf10faecc3be1005e7cb3f0647f25c62b6f0fb7ac974 providers/implementations/asymciphers/rsa_enc.c +df83c901ad13675fbbb4708b6087feba6099870ad3dd0e8d09cfdb6798419770 providers/fips/self_test_data.inc +6779d5afb3f48d82868b247ffb0a6a572f6e3964738296ad47e7ccafdb263c88 providers/fips/self_test_kats.c +dde79dfdedfe0e73006a0cf912fdde1ff109dfbc5ba6ecab319c938bc4275950 providers/implementations/asymciphers/rsa_enc.c c2f1b12c64fc369dfc3b9bc9e76a76de7280e6429adaee55d332eb1971ad1879 providers/implementations/ciphers/cipher_aes.c 6ba7d817081cf0d87ba7bfb38cd9d70e41505480bb8bc796ef896f68d4514ea6 providers/implementations/ciphers/cipher_aes.h c20072ecf42c87f9fad2ea241d358f57ed2a04cf0cc51bdb8cb5086172f6fc8a providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c @@ -692,24 +692,24 @@ abe2b0f3711eaa34846e155cffc9242e4051c45de896f747afd5ac9d87f637dc providers/impl e18ef50cd62647a2cc784c45169d75054dccd58fc106bf623d921de995bb3c34 providers/implementations/kdfs/sskdf.c 6d9767a99a5b46d44ac9e0898ee18d219c04dfb34fda42e71d54adccbed7d57c providers/implementations/kdfs/tls1_prf.c 88d04ff4c93648a4fbfd9ce137cfc64f2c85e1850593c1ab35334b8b3de8ad99 providers/implementations/kdfs/x942kdf.c -3e199221ff78d80a3678e917dbbd232c5cd15f35b7c41bac92b60f766f656af7 providers/implementations/kem/ml_kem_kem.c +b04249bcc64d6f7ec16f494afef252356b2f56424a034ab53def90463de0cb6f providers/implementations/kem/ml_kem_kem.c a2e2b44064ef44b880b89ab6adc83686936acaa906313a37e5ec69d632912034 providers/implementations/kem/mlx_kem.c c764555b9dc9b273c280514a5d2d44156f82f3e99155a77c627f2c773209bcd7 providers/implementations/kem/rsa_kem.c -b9f7fc5c19f637cee55b0a435b838f5de3a5573ca376ba602e90f70855a78852 providers/implementations/keymgmt/dh_kmgmt.c +56e173f4ddb3e91314abd79b18de513c8cbc645669a287942fca4632c3851f6b providers/implementations/keymgmt/dh_kmgmt.c 24cc3cc8e8681c77b7f96c83293bd66045fd8ad69f756e673ca7f8ca9e82b0af providers/implementations/keymgmt/dsa_kmgmt.c -e10086c31aafae0562054e3b07f12409e39b87b5e96ee7668c231c37861aa447 providers/implementations/keymgmt/ec_kmgmt.c +36a9c1c8658ce7918453827cb58ed52787e590e3f148c5510deeb2c16c25a29d providers/implementations/keymgmt/ec_kmgmt.c 258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251 providers/implementations/keymgmt/ec_kmgmt_imexport.inc -d042d687da861d2a39658c6b857a6507a70fa78cecdf883bd1dcdafcf102e084 providers/implementations/keymgmt/ecx_kmgmt.c +11c27cc3c9f38885c484f25d11987e93f197aa90bef2fc1d6e8f508c2d014d4d providers/implementations/keymgmt/ecx_kmgmt.c daf35a7ab961ef70aefca981d80407935904c5da39dca6692432d6e6bc98759d providers/implementations/keymgmt/kdf_legacy_kmgmt.c d97d7c8d3410b3e560ef2becaea2a47948e22205be5162f964c5e51a7eef08cb providers/implementations/keymgmt/mac_legacy_kmgmt.c -24384616fcba4eb5594ccb2ebc199bcee8494ce1b3f4ac7824f17743e39c0279 providers/implementations/keymgmt/ml_dsa_kmgmt.c -830c339dfc7f301ce5267ef9b0dc173b84d9597509c1a61ae038f3c01af78f45 providers/implementations/keymgmt/ml_kem_kmgmt.c +a428de71082fd01e5dcfa030a6fc34f6700b86d037b4e22f015c917862a158ce providers/implementations/keymgmt/ml_dsa_kmgmt.c +ae129b80f400c2d520262a44842fb02898d6986dd1417ac468293dc104337120 providers/implementations/keymgmt/ml_kem_kmgmt.c e15b780a1489bbe4c7d40d6aaa3bccfbf973e3946578f460eeb8373c657eee91 providers/implementations/keymgmt/mlx_kmgmt.c -9376a19735fcc79893cb3c6b0cff17a2cae61db9e9165d9a30f8def7f8e8e7c7 providers/implementations/keymgmt/rsa_kmgmt.c -6f0a786170ba9af860e36411d158ac0bd74bcb4d75c818a0cebadbc764759283 providers/implementations/keymgmt/slh_dsa_kmgmt.c +d37e7a96253cf146e45c9adf9dbf83ab83fccbe41a5e5a6736f9085a60c38167 providers/implementations/keymgmt/rsa_kmgmt.c +6bb62b5417afb24a43b726148862770689f420a310722398f714f396ba07f205 providers/implementations/keymgmt/slh_dsa_kmgmt.c 9d02d481b9c7c0c9e0932267d1a3e1fef00830aaa03093f000b88aa042972b9f providers/implementations/macs/cmac_prov.c 3c558b57fff3588b6832475e0b1c5be590229ad50d95a6ebb089b62bf5fe382d providers/implementations/macs/gmac_prov.c -3b5e591e8f6c6ba721a20d978452c9aae9a8259b3595b158303a49b35f286e53 providers/implementations/macs/hmac_prov.c +b78305d36f248499a97800873a6bd215b2b7ae2e767c04b7ffcbad7add066040 providers/implementations/macs/hmac_prov.c 6f9100c9cdd39f94601d04a6564772686571711ff198cf8469e86444d1ba25f3 providers/implementations/macs/kmac_prov.c 4115f822e2477cd2c92a1c956cca1e4dbc5d86366e2a44a37526756153c0e432 providers/implementations/rands/drbg.c b7e24bb9265501e37253e801028f3fd0af5111a100c0b2005c53d43f02c03389 providers/implementations/rands/drbg_ctr.c @@ -718,12 +718,12 @@ b7e24bb9265501e37253e801028f3fd0af5111a100c0b2005c53d43f02c03389 providers/impl 2c63defffcc681ada17a6cc3eb895634fd8bf86110796a6381cc3dedd26fd47d providers/implementations/rands/drbg_local.h ddae75f1e08416c92802faafba9d524e3bf58c13e9fcb51735733e161006f89e providers/implementations/rands/fips_crng_test.c 04e726d547a00d0254362b0ebd3ddf87f58a53b78d3a070a1620f5fa714330bb providers/implementations/rands/test_rng.c -bd3c3d166be0e171e08e1cd03a943a643b4c181f11d8dde5e508d50163ac0cb8 providers/implementations/signature/dsa_sig.c -848ecf7587757410f98661a22fdf6eece53cc317224a22826d838131a47de8b0 providers/implementations/signature/ecdsa_sig.c +732a4402f2621e2b676f0c0e885fb5ca8bc22d00842d47e7607a875fdff8a980 providers/implementations/signature/dsa_sig.c +72d09f89a9645d365fb357a512fb5687c04a924c34f1bbfc17e17c1ca169d7c6 providers/implementations/signature/ecdsa_sig.c bd48b0fe43f0d0d91eb34bdfd48fbcfd69bceabf0ddc678702fe9ef968064bb6 providers/implementations/signature/eddsa_sig.c e0e67e402ff19b0d2eb5228d7ebd70b9477c12595ac34d6f201373d7c8a516f4 providers/implementations/signature/mac_legacy_sig.c 51251a1ca4c0b6faea059de5d5268167fe47565163317177d09db39978134f78 providers/implementations/signature/ml_dsa_sig.c -6c370ec1d3393fa9ac7125e26700fbc0ea05bfd489ddacd1bb6da9b990da26d1 providers/implementations/signature/rsa_sig.c +bab268ab5ad1d5e8dfdd8c01d25b216c657406ec2ff4e7ce190814ac7b92509f providers/implementations/signature/rsa_sig.c 14e7640b4db5e59e29b0266256d3d821adf871afa9703e18285f2fc957ac5971 providers/implementations/signature/slh_dsa_sig.c 21f537f9083f0341d9d1b0ace090a8d8f0b2b9e9cf76771c359b6ea00667a469 providers/implementations/skeymgmt/aes_skmgmt.c 2dbf9b8e738fad556c3248fb554ff4cc269ade3c86fa3d2786ba9b6d6016bf22 providers/implementations/skeymgmt/generic.c diff --git a/crypto/openssl/providers/fips.checksum b/crypto/openssl/providers/fips.checksum index f9e822a7f9f1..5d1117361d27 100644 --- a/crypto/openssl/providers/fips.checksum +++ b/crypto/openssl/providers/fips.checksum @@ -1 +1 @@ -cffe76b0bc6464c7c864d5e2eaaf528439cb6c9908dc75666d530aa8a65e152e providers/fips-sources.checksums +c342f9dc7075a6ecd0e4b3c9db06e180765278a7bbae233ec1a65095a0e524ec providers/fips-sources.checksums diff --git a/crypto/openssl/providers/fips/fipsprov.c b/crypto/openssl/providers/fips/fipsprov.c index 4b9a0574625d..e260b5b6652e 100644 --- a/crypto/openssl/providers/fips/fipsprov.c +++ b/crypto/openssl/providers/fips/fipsprov.c @@ -65,6 +65,7 @@ static OSSL_FUNC_core_vset_error_fn *c_vset_error; static OSSL_FUNC_core_set_error_mark_fn *c_set_error_mark; static OSSL_FUNC_core_clear_last_error_mark_fn *c_clear_last_error_mark; static OSSL_FUNC_core_pop_error_to_mark_fn *c_pop_error_to_mark; +static OSSL_FUNC_core_count_to_mark_fn *c_count_to_mark; static OSSL_FUNC_CRYPTO_malloc_fn *c_CRYPTO_malloc; static OSSL_FUNC_CRYPTO_zalloc_fn *c_CRYPTO_zalloc; static OSSL_FUNC_CRYPTO_free_fn *c_CRYPTO_free; @@ -797,6 +798,9 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle, case OSSL_FUNC_CORE_POP_ERROR_TO_MARK: set_func(c_pop_error_to_mark, OSSL_FUNC_core_pop_error_to_mark(in)); break; + case OSSL_FUNC_CORE_COUNT_TO_MARK: + set_func(c_count_to_mark, OSSL_FUNC_core_count_to_mark(in)); + break; case OSSL_FUNC_CRYPTO_MALLOC: set_func(c_CRYPTO_malloc, OSSL_FUNC_CRYPTO_malloc(in)); break; @@ -1035,6 +1039,11 @@ int ERR_pop_to_mark(void) return c_pop_error_to_mark(NULL); } +int ERR_count_to_mark(void) +{ + return c_count_to_mark != NULL ? c_count_to_mark(NULL) : 0; +} + /* * This must take a library context, since it's called from the depths * of crypto/initthread.c code, where it's (correctly) assumed that the diff --git a/crypto/openssl/providers/fips/include/fips/fipsindicator.h b/crypto/openssl/providers/fips/include/fips/fipsindicator.h index 045d2108d549..9b2b5b49a7fa 100644 --- a/crypto/openssl/providers/fips/include/fips/fipsindicator.h +++ b/crypto/openssl/providers/fips/include/fips/fipsindicator.h @@ -1,5 +1,5 @@ /* - * Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2023-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -134,6 +134,7 @@ int ossl_fips_ind_digest_exch_check(OSSL_FIPS_IND *ind, int id, OSSL_LIB_CTX *li int ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND *ind, int id, OSSL_LIB_CTX *libctx, int nid, int sha1_allowed, + int sha512_trunc_allowed, const char *desc, OSSL_FIPS_IND_CHECK_CB *config_check_f); diff --git a/crypto/openssl/providers/fips/self_test.c b/crypto/openssl/providers/fips/self_test.c index ef7be26ca722..456efd139e94 100644 --- a/crypto/openssl/providers/fips/self_test.c +++ b/crypto/openssl/providers/fips/self_test.c @@ -424,9 +424,18 @@ void SELF_TEST_disable_conditional_error_state(void) void ossl_set_error_state(const char *type) { - int cond_test = (type != NULL && strcmp(type, OSSL_SELF_TEST_TYPE_PCT) == 0); + int cond_test = 0; + int import_pct = 0; - if (!cond_test || (FIPS_conditional_error_check == 1)) { + if (type != NULL) { + cond_test = strcmp(type, OSSL_SELF_TEST_TYPE_PCT) == 0; + import_pct = strcmp(type, OSSL_SELF_TEST_TYPE_PCT_IMPORT) == 0; + } + + if (import_pct) { + /* Failure to import is transient to avoid a DoS attack */ + ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_IMPORT_PCT_ERROR); + } else if (!cond_test || (FIPS_conditional_error_check == 1)) { set_fips_state(FIPS_STATE_ERROR); ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE); } else { diff --git a/crypto/openssl/providers/fips/self_test_data.inc b/crypto/openssl/providers/fips/self_test_data.inc index 5cbb5352a596..6abab0a7a173 100644 --- a/crypto/openssl/providers/fips/self_test_data.inc +++ b/crypto/openssl/providers/fips/self_test_data.inc @@ -169,6 +169,12 @@ typedef struct st_kat_kem_st { } ST_KAT_KEM; /*- DIGEST SELF TEST DATA */ +static const unsigned char sha1_pt[] = "abc"; +static const unsigned char sha1_digest[] = { + 0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, + 0xBA, 0x3E, 0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, + 0x9C, 0xD0, 0xD8, 0x9D +}; static const unsigned char sha512_pt[] = "abc"; static const unsigned char sha512_digest[] = { 0xDD, 0xAF, 0x35, 0xA1, 0x93, 0x61, 0x7A, 0xBA, 0xCC, 0x41, 0x73, 0x49, @@ -187,12 +193,18 @@ static const unsigned char sha3_256_digest[] = { /* * Note: - * SHA1 and SHA256 are tested by higher level algorithms so a + * SHA256 is tested by higher level algorithms so a * CAST is not needed. */ static const ST_KAT_DIGEST st_kat_digest_tests[] = { { + OSSL_SELF_TEST_DESC_MD_SHA1, + "SHA1", + ITM_STR(sha1_pt), + ITM(sha1_digest), + }, + { OSSL_SELF_TEST_DESC_MD_SHA2, "SHA512", ITM_STR(sha512_pt), @@ -208,28 +220,6 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] = /*- CIPHER TEST DATA */ -/* DES3 test data */ -static const unsigned char des_ede3_cbc_pt[] = { - 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, - 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, - 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, - 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 -}; -static const unsigned char des_ede3_cbc_key[] = { - 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, - 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, - 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23 -}; -static const unsigned char des_ede3_cbc_iv[] = { - 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17 -}; -static const unsigned char des_ede3_cbc_ct[] = { - 0x20, 0x79, 0xC3, 0xD5, 0x3A, 0xA7, 0x63, 0xE1, - 0x93, 0xB7, 0x9E, 0x25, 0x69, 0xAB, 0x52, 0x62, - 0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F, - 0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7 -}; - /* AES-256 GCM test data */ static const unsigned char aes_256_gcm_key[] = { 0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c, @@ -364,7 +354,7 @@ static const ST_KAT_PARAM hkdf_params[] = { ST_KAT_PARAM_END() }; -static const char sskdf_digest[] = "SHA224"; +static const char sskdf_digest[] = "SHA256"; static const unsigned char sskdf_secret[] = { 0x6d, 0xbd, 0xc2, 0x3f, 0x04, 0x54, 0x88, 0xe4, 0x06, 0x27, 0x57, 0xb0, 0x6b, 0x9e, 0xba, 0xe1, @@ -383,8 +373,8 @@ static const unsigned char sskdf_otherinfo[] = { 0x9b, 0x1e, 0xe0, 0xec, 0x3f, 0x8d, 0xbe }; static const unsigned char sskdf_expected[] = { - 0xa4, 0x62, 0xde, 0x16, 0xa8, 0x9d, 0xe8, 0x46, - 0x6e, 0xf5, 0x46, 0x0b, 0x47, 0xb8 + 0x27, 0xce, 0x57, 0xed, 0xb1, 0x7e, 0x1f, 0xf2, + 0xe4, 0x79, 0x2e, 0x84, 0x8b, 0x04, 0xf1, 0xae }; static const ST_KAT_PARAM sskdf_params[] = { ST_KAT_PARAM_UTF8STRING(OSSL_KDF_PARAM_DIGEST, sskdf_digest), @@ -393,7 +383,7 @@ static const ST_KAT_PARAM sskdf_params[] = { ST_KAT_PARAM_END() }; -static const char x942kdf_digest[] = "SHA1"; +static const char x942kdf_digest[] = "SHA256"; static const char x942kdf_cekalg[] = "AES-128-WRAP"; static const unsigned char x942kdf_secret[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, @@ -401,8 +391,8 @@ static const unsigned char x942kdf_secret[] = { 0x10, 0x11, 0x12, 0x13 }; static const unsigned char x942kdf_expected[] = { - 0xd6, 0xd6, 0xb0, 0x94, 0xc1, 0x02, 0x7a, 0x7d, - 0xe6, 0xe3, 0x11, 0x72, 0x94, 0xa3, 0x53, 0x64 + 0x79, 0x66, 0xa0, 0x38, 0x22, 0x28, 0x1e, 0xa3, + 0xeb, 0x08, 0xd9, 0xbc, 0x69, 0x5b, 0xd8, 0xff }; static const ST_KAT_PARAM x942kdf_params[] = { ST_KAT_PARAM_UTF8STRING(OSSL_KDF_PARAM_DIGEST, x942kdf_digest), @@ -809,51 +799,73 @@ static const unsigned char drbg_ctr_aes128_pr_df_expected[] = { /* * HMAC_DRBG.rsp * - * [SHA-1] + * [SHA-256] * [PredictionResistance = True] - * [EntropyInputLen = 128] - * [NonceLen = 64] - * [PersonalizationStringLen = 128] - * [AdditionalInputLen = 128] - * [ReturnedBitsLen = 640] + * [EntropyInputLen = 256] + * [NonceLen = 128] + * [PersonalizationStringLen = 256] + * [AdditionalInputLen = 256] + * [ReturnedBitsLen = 1024] * * COUNT = 0 */ -static const unsigned char drbg_hmac_sha1_pr_entropyin[] = { - 0x68, 0x0f, 0xac, 0xe9, 0x0d, 0x7b, 0xca, 0x21, 0xd4, 0xa0, 0xed, 0xb7, - 0x79, 0x9e, 0xe5, 0xd8 -}; -static const unsigned char drbg_hmac_sha1_pr_nonce[] = { - 0xb7, 0xbe, 0x9e, 0xed, 0xdd, 0x0e, 0x3b, 0x4b -}; -static const unsigned char drbg_hmac_sha1_pr_persstr[] = { - 0xf5, 0x8c, 0x40, 0xae, 0x70, 0xf7, 0xa5, 0x56, 0x48, 0xa9, 0x31, 0xa0, - 0xa9, 0x31, 0x3d, 0xd7 -}; -static const unsigned char drbg_hmac_sha1_pr_entropyinpr0[] = { - 0x7c, 0xaf, 0xe2, 0x31, 0x63, 0x0a, 0xa9, 0x5a, 0x74, 0x2c, 0x4e, 0x5f, - 0x5f, 0x22, 0xc6, 0xa4 -}; -static const unsigned char drbg_hmac_sha1_pr_entropyinpr1[] = { - 0x1c, 0x0d, 0x77, 0x92, 0x89, 0x88, 0x27, 0x94, 0x8a, 0x58, 0x9f, 0x82, - 0x2d, 0x1a, 0xf7, 0xa6 -}; -static const unsigned char drbg_hmac_sha1_pr_addin0[] = { - 0xdc, 0x36, 0x63, 0xf0, 0x62, 0x78, 0x9c, 0xd1, 0x5c, 0xbb, 0x20, 0xc3, - 0xc1, 0x8c, 0xd9, 0xd7 -}; -static const unsigned char drbg_hmac_sha1_pr_addin1[] = { - 0xfe, 0x85, 0xb0, 0xab, 0x14, 0xc6, 0x96, 0xe6, 0x9c, 0x24, 0xe7, 0xb5, - 0xa1, 0x37, 0x12, 0x0c -}; -static const unsigned char drbg_hmac_sha1_pr_expected[] = { - 0x68, 0x00, 0x4b, 0x3a, 0x28, 0xf7, 0xf0, 0x1c, 0xf9, 0xe9, 0xb5, 0x71, - 0x20, 0x79, 0xef, 0x80, 0x87, 0x1b, 0x08, 0xb9, 0xa9, 0x1b, 0xcd, 0x2b, - 0x9f, 0x09, 0x4d, 0xa4, 0x84, 0x80, 0xb3, 0x4c, 0xaf, 0xd5, 0x59, 0x6b, - 0x0c, 0x0a, 0x48, 0xe1, 0x48, 0xda, 0xbc, 0x6f, 0x77, 0xb8, 0xff, 0xaf, - 0x18, 0x70, 0x28, 0xe1, 0x04, 0x13, 0x7a, 0x4f, 0xeb, 0x1c, 0x72, 0xb0, - 0xc4, 0x4f, 0xe8, 0xb1, 0xaf, 0xab, 0xa5, 0xbc, 0xfd, 0x86, 0x67, 0xf2, - 0xf5, 0x5b, 0x46, 0x06, 0x63, 0x2e, 0x3c, 0xbc +static const unsigned char drbg_hmac_sha2_pr_entropyin[] = { + 0xca, 0x85, 0x19, 0x11, 0x34, 0x93, 0x84, 0xbf, + 0xfe, 0x89, 0xde, 0x1c, 0xbd, 0xc4, 0x6e, 0x68, + 0x31, 0xe4, 0x4d, 0x34, 0xa4, 0xfb, 0x93, 0x5e, + 0xe2, 0x85, 0xdd, 0x14, 0xb7, 0x1a, 0x74, 0x88 +}; +static const unsigned char drbg_hmac_sha2_pr_nonce[] = { + 0x65, 0x9b, 0xa9, 0x6c, 0x60, 0x1d, 0xc6, 0x9f, + 0xc9, 0x02, 0x94, 0x08, 0x05, 0xec, 0x0c, 0xa8 +}; +static const unsigned char drbg_hmac_sha2_pr_persstr[] = { + 0xe7, 0x2d, 0xd8, 0x59, 0x0d, 0x4e, 0xd5, 0x29, + 0x55, 0x15, 0xc3, 0x5e, 0xd6, 0x19, 0x9e, 0x9d, + 0x21, 0x1b, 0x8f, 0x06, 0x9b, 0x30, 0x58, 0xca, + 0xa6, 0x67, 0x0b, 0x96, 0xef, 0x12, 0x08, 0xd0 +}; +static const unsigned char drbg_hmac_sha2_pr_entropyinpr0[] = { + 0x5c, 0xac, 0xc6, 0x81, 0x65, 0xa2, 0xe2, 0xee, + 0x20, 0x81, 0x2f, 0x35, 0xec, 0x73, 0xa7, 0x9d, + 0xbf, 0x30, 0xfd, 0x47, 0x54, 0x76, 0xac, 0x0c, + 0x44, 0xfc, 0x61, 0x74, 0xcd, 0xac, 0x2b, 0x55 +}; +static const unsigned char drbg_hmac_sha2_pr_entropyinpr1[] = { + 0x8d, 0xf0, 0x13, 0xb4, 0xd1, 0x03, 0x52, 0x30, + 0x73, 0x91, 0x7d, 0xdf, 0x6a, 0x86, 0x97, 0x93, + 0x05, 0x9e, 0x99, 0x43, 0xfc, 0x86, 0x54, 0x54, + 0x9e, 0x7a, 0xb2, 0x2f, 0x7c, 0x29, 0xf1, 0x22 +}; +static const unsigned char drbg_hmac_sha2_pr_addin0[] = { + 0x79, 0x3a, 0x7e, 0xf8, 0xf6, 0xf0, 0x48, 0x2b, + 0xea, 0xc5, 0x42, 0xbb, 0x78, 0x5c, 0x10, 0xf8, + 0xb7, 0xb4, 0x06, 0xa4, 0xde, 0x92, 0x66, 0x7a, + 0xb1, 0x68, 0xec, 0xc2, 0xcf, 0x75, 0x73, 0xc6 +}; +static const unsigned char drbg_hmac_sha2_pr_addin1[] = { + 0x22, 0x38, 0xcd, 0xb4, 0xe2, 0x3d, 0x62, 0x9f, + 0xe0, 0xc2, 0xa8, 0x3d, 0xd8, 0xd5, 0x14, 0x4c, + 0xe1, 0xa6, 0x22, 0x9e, 0xf4, 0x1d, 0xab, 0xe2, + 0xa9, 0x9f, 0xf7, 0x22, 0xe5, 0x10, 0xb5, 0x30 +}; +static const unsigned char drbg_hmac_sha2_pr_expected[] = { + 0xb1, 0xd1, 0x7c, 0x00, 0x2a, 0x7f, 0xeb, 0xd2, + 0x84, 0x12, 0xd8, 0xe5, 0x8a, 0x7f, 0x32, 0x31, + 0x8e, 0x4e, 0xe3, 0x60, 0x5a, 0x99, 0xb0, 0x5b, + 0x05, 0xd5, 0x93, 0x56, 0xd5, 0xf0, 0xc6, 0xb4, + 0x96, 0x0a, 0x4b, 0x8f, 0x96, 0x3b, 0x7e, 0xfa, + 0x55, 0xbb, 0x68, 0x72, 0xfb, 0xea, 0xc7, 0xb9, + 0x9b, 0x78, 0xde, 0xa8, 0xf3, 0x53, 0x19, 0x73, + 0x63, 0x7c, 0x94, 0x6a, 0x9c, 0xab, 0x33, 0x49, + 0x74, 0x4b, 0x24, 0xa0, 0x85, 0x1d, 0xd4, 0x7f, + 0x2b, 0x3b, 0x46, 0x0c, 0x2c, 0x61, 0x84, 0x6e, + 0x91, 0x18, 0x1d, 0x62, 0xd4, 0x2c, 0x60, 0xa4, + 0xef, 0xda, 0x5e, 0xd5, 0x79, 0x02, 0xbf, 0xd7, + 0x02, 0xb3, 0x49, 0xc5, 0x49, 0x52, 0xc7, 0xf6, + 0x44, 0x76, 0x9d, 0x8e, 0xf4, 0x01, 0x5e, 0xcc, + 0x5f, 0x5b, 0xbd, 0x4a, 0xf0, 0x61, 0x34, 0x68, + 0x8e, 0x30, 0x05, 0x0e, 0x04, 0x97, 0xfb, 0x0a }; static const ST_KAT_DRBG st_kat_drbg_tests[] = @@ -884,15 +896,15 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] = }, { OSSL_SELF_TEST_DESC_DRBG_HMAC, - "HMAC-DRBG", "digest", "SHA1", - ITM(drbg_hmac_sha1_pr_entropyin), - ITM(drbg_hmac_sha1_pr_nonce), - ITM(drbg_hmac_sha1_pr_persstr), - ITM(drbg_hmac_sha1_pr_entropyinpr0), - ITM(drbg_hmac_sha1_pr_entropyinpr1), - ITM(drbg_hmac_sha1_pr_addin0), - ITM(drbg_hmac_sha1_pr_addin1), - ITM(drbg_hmac_sha1_pr_expected) + "HMAC-DRBG", "digest", "SHA256", + ITM(drbg_hmac_sha2_pr_entropyin), + ITM(drbg_hmac_sha2_pr_nonce), + ITM(drbg_hmac_sha2_pr_persstr), + ITM(drbg_hmac_sha2_pr_entropyinpr0), + ITM(drbg_hmac_sha2_pr_entropyinpr1), + ITM(drbg_hmac_sha2_pr_addin0), + ITM(drbg_hmac_sha2_pr_addin1), + ITM(drbg_hmac_sha2_pr_expected) } }; @@ -907,38 +919,39 @@ static const unsigned char dh_priv[] = { 0x40, 0xb8, 0xfc, 0xe6 }; static const unsigned char dh_pub[] = { - 0x95, 0xdd, 0x33, 0x8d, 0x29, 0xe5, 0x71, 0x04, - 0x92, 0xb9, 0x18, 0x31, 0x7b, 0x72, 0xa3, 0x69, - 0x36, 0xe1, 0x95, 0x1a, 0x2e, 0xe5, 0xa5, 0x59, - 0x16, 0x99, 0xc0, 0x48, 0x6d, 0x0d, 0x4f, 0x9b, - 0xdd, 0x6d, 0x5a, 0x3f, 0x6b, 0x98, 0x89, 0x0c, - 0x62, 0xb3, 0x76, 0x52, 0xd3, 0x6e, 0x71, 0x21, - 0x11, 0xe6, 0x8a, 0x73, 0x55, 0x37, 0x25, 0x06, - 0x99, 0xef, 0xe3, 0x30, 0x53, 0x73, 0x91, 0xfb, - 0xc2, 0xc5, 0x48, 0xbc, 0x5a, 0xc3, 0xe5, 0xb2, - 0x33, 0x86, 0xc3, 0xee, 0xf5, 0xeb, 0x43, 0xc0, - 0x99, 0xd7, 0x0a, 0x52, 0x02, 0x68, 0x7e, 0x83, - 0x96, 0x42, 0x48, 0xfc, 0xa9, 0x1f, 0x40, 0x90, - 0x8e, 0x8f, 0xb3, 0x31, 0x93, 0x15, 0xf6, 0xd2, - 0x60, 0x6d, 0x7f, 0x7c, 0xd5, 0x2c, 0xc6, 0xe7, - 0xc5, 0x84, 0x3a, 0xfb, 0x22, 0x51, 0x9c, 0xf0, - 0xf0, 0xf9, 0xd3, 0xa0, 0xa4, 0xe8, 0xc8, 0x88, - 0x99, 0xef, 0xed, 0xe7, 0x36, 0x43, 0x51, 0xfb, - 0x6a, 0x36, 0x3e, 0xe7, 0x17, 0xe5, 0x44, 0x5a, - 0xda, 0xb4, 0xc9, 0x31, 0xa6, 0x48, 0x39, 0x97, - 0xb8, 0x7d, 0xad, 0x83, 0x67, 0x7e, 0x4d, 0x1d, - 0x3a, 0x77, 0x75, 0xe0, 0xf6, 0xd0, 0x0f, 0xdf, - 0x73, 0xc7, 0xad, 0x80, 0x1e, 0x66, 0x5a, 0x0e, - 0x5a, 0x79, 0x6d, 0x0a, 0x03, 0x80, 0xa1, 0x9f, - 0xa1, 0x82, 0xef, 0xc8, 0xa0, 0x4f, 0x5e, 0x4d, - 0xb9, 0x0d, 0x1a, 0x86, 0x37, 0xf9, 0x5d, 0xb1, - 0x64, 0x36, 0xbd, 0xc8, 0xf3, 0xfc, 0x09, 0x6c, - 0x4f, 0xf7, 0xf2, 0x34, 0xbe, 0x8f, 0xef, 0x47, - 0x9a, 0xc4, 0xb0, 0xdc, 0x4b, 0x77, 0x26, 0x3e, - 0x07, 0xd9, 0x95, 0x9d, 0xe0, 0xf1, 0xbf, 0x3f, - 0x0a, 0xe3, 0xd9, 0xd5, 0x0e, 0x4b, 0x89, 0xc9, - 0x9e, 0x3e, 0xa1, 0x21, 0x73, 0x43, 0xdd, 0x8c, - 0x65, 0x81, 0xac, 0xc4, 0x95, 0x9c, 0x91, 0xd3 + 0x00, 0x8f, 0x81, 0x67, 0x68, 0xce, 0x97, 0x99, + 0x7e, 0x11, 0x5c, 0xad, 0x5b, 0xe1, 0x0c, 0xd4, + 0x15, 0x44, 0xdf, 0xc2, 0x47, 0xe7, 0x06, 0x27, + 0x5e, 0xf3, 0x9d, 0x5c, 0x4b, 0x2e, 0x35, 0x05, + 0xfd, 0x3c, 0x8f, 0x35, 0x85, 0x1b, 0x82, 0xdd, + 0x49, 0xc9, 0xa8, 0x7e, 0x3a, 0x5f, 0x33, 0xdc, + 0x8f, 0x5e, 0x32, 0x76, 0xe1, 0x52, 0x1b, 0x88, + 0x85, 0xda, 0xa9, 0x1d, 0x5f, 0x1c, 0x05, 0x3a, + 0xd4, 0x8d, 0xbb, 0xe7, 0x46, 0x46, 0x1e, 0x29, + 0x4b, 0x5a, 0x02, 0x88, 0x46, 0x94, 0xd0, 0x68, + 0x7d, 0xb2, 0x9f, 0x3a, 0x3d, 0x82, 0x05, 0xe5, + 0xa7, 0xbe, 0x6c, 0x7e, 0x24, 0x35, 0x25, 0x14, + 0xf3, 0x45, 0x08, 0x90, 0xfc, 0x55, 0x2e, 0xa8, + 0xb8, 0xb1, 0x89, 0x15, 0x94, 0x51, 0x44, 0xa9, + 0x9f, 0x68, 0xcb, 0x90, 0xbc, 0xd3, 0xae, 0x02, + 0x37, 0x26, 0xe4, 0xe9, 0x1a, 0x90, 0x95, 0x7e, + 0x1d, 0xac, 0x0c, 0x91, 0x97, 0x83, 0x24, 0x83, + 0xb9, 0xa1, 0x40, 0x72, 0xac, 0xf0, 0x55, 0x32, + 0x18, 0xab, 0xb8, 0x90, 0xda, 0x13, 0x4a, 0xc8, + 0x4b, 0x7c, 0x18, 0xbc, 0x33, 0xbf, 0x99, 0x85, + 0x39, 0x3e, 0xc6, 0x95, 0x9b, 0x48, 0x8e, 0xbe, + 0x46, 0x59, 0x48, 0x41, 0x0d, 0x37, 0x25, 0x94, + 0xbe, 0x8d, 0xf5, 0x81, 0x52, 0xf6, 0xdc, 0xeb, + 0x98, 0xd7, 0x3b, 0x44, 0x61, 0x6f, 0xa3, 0xef, + 0x7b, 0xfe, 0xbb, 0xc2, 0x8e, 0x46, 0x63, 0xbc, + 0x52, 0x65, 0xf9, 0xf8, 0x85, 0x41, 0xdf, 0x82, + 0x4a, 0x10, 0x2a, 0xe3, 0x0c, 0xb7, 0xad, 0x84, + 0xa6, 0x6f, 0x4e, 0x8e, 0x96, 0x1e, 0x04, 0xf7, + 0x57, 0x39, 0xca, 0x58, 0xd4, 0xef, 0x5a, 0xf1, + 0xf5, 0x69, 0xc2, 0xb1, 0x5c, 0x0a, 0xce, 0xbe, + 0x38, 0x01, 0xb5, 0x3f, 0x07, 0x8a, 0x72, 0x90, + 0x10, 0xac, 0x51, 0x3a, 0x96, 0x43, 0xdf, 0x6f, + 0xea }; static const unsigned char dh_peer_pub[] = { 0x1f, 0xc1, 0xda, 0x34, 0x1d, 0x1a, 0x84, 0x6a, @@ -1295,6 +1308,18 @@ static const ST_KAT_PARAM rsa_priv_key[] = { ST_KAT_PARAM_END() }; +/*- + * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the + * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient + * HP/UX PA-RISC compilers. + */ +static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE; + +static const ST_KAT_PARAM rsa_enc_params[] = { + ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none), + ST_KAT_PARAM_END() +}; + static const unsigned char rsa_sig_msg[] = "Hello World!"; static const unsigned char rsa_expected_sig[256] = { @@ -3484,3 +3509,33 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = { # endif }; #endif /* !OPENSSL_NO_ML_DSA || !OPENSSL_NO_SLH_DSA */ + +static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = { + { + OSSL_SELF_TEST_DESC_ASYM_RSA_ENC, + "RSA", + 1, + rsa_pub_key, + rsa_enc_params, + ITM(rsa_asym_plaintext_encrypt), + ITM(rsa_asym_expected_encrypt), + }, + { + OSSL_SELF_TEST_DESC_ASYM_RSA_DEC, + "RSA", + 0, + rsa_priv_key, + rsa_enc_params, + ITM(rsa_asym_expected_encrypt), + ITM(rsa_asym_plaintext_encrypt), + }, + { + OSSL_SELF_TEST_DESC_ASYM_RSA_DEC, + "RSA", + 0, + rsa_crt_key, + rsa_enc_params, + ITM(rsa_asym_expected_encrypt), + ITM(rsa_asym_plaintext_encrypt), + }, +}; diff --git a/crypto/openssl/providers/fips/self_test_kats.c b/crypto/openssl/providers/fips/self_test_kats.c index 35ecb43598ee..acb0b85f7343 100644 --- a/crypto/openssl/providers/fips/self_test_kats.c +++ b/crypto/openssl/providers/fips/self_test_kats.c @@ -813,6 +813,93 @@ err: #endif /* + * Test an encrypt or decrypt KAT.. + * + * FIPS 140-2 IG D.9 states that separate KAT tests are needed for encrypt + * and decrypt.. + */ +static int self_test_asym_cipher(const ST_KAT_ASYM_CIPHER *t, OSSL_SELF_TEST *st, + OSSL_LIB_CTX *libctx) +{ + int ret = 0; + OSSL_PARAM *keyparams = NULL, *initparams = NULL; + OSSL_PARAM_BLD *keybld = NULL, *initbld = NULL; + EVP_PKEY_CTX *encctx = NULL, *keyctx = NULL; + EVP_PKEY *key = NULL; + BN_CTX *bnctx = NULL; + unsigned char out[256]; + size_t outlen = sizeof(out); + + OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_ASYM_CIPHER, t->desc); + + bnctx = BN_CTX_new_ex(libctx); + if (bnctx == NULL) + goto err; + + /* Load a public or private key from data */ + keybld = OSSL_PARAM_BLD_new(); + if (keybld == NULL + || !add_params(keybld, t->key, bnctx)) + goto err; + keyparams = OSSL_PARAM_BLD_to_param(keybld); + keyctx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, NULL); + if (keyctx == NULL || keyparams == NULL) + goto err; + if (EVP_PKEY_fromdata_init(keyctx) <= 0 + || EVP_PKEY_fromdata(keyctx, &key, EVP_PKEY_KEYPAIR, keyparams) <= 0) + goto err; + + /* Create a EVP_PKEY_CTX to use for the encrypt or decrypt operation */ + encctx = EVP_PKEY_CTX_new_from_pkey(libctx, key, NULL); + if (encctx == NULL + || (t->encrypt && EVP_PKEY_encrypt_init(encctx) <= 0) + || (!t->encrypt && EVP_PKEY_decrypt_init(encctx) <= 0)) + goto err; + + /* Add any additional parameters such as padding */ + if (t->postinit != NULL) { + initbld = OSSL_PARAM_BLD_new(); + if (initbld == NULL) + goto err; + if (!add_params(initbld, t->postinit, bnctx)) + goto err; + initparams = OSSL_PARAM_BLD_to_param(initbld); + if (initparams == NULL) + goto err; + if (EVP_PKEY_CTX_set_params(encctx, initparams) <= 0) + goto err; + } + + if (t->encrypt) { + if (EVP_PKEY_encrypt(encctx, out, &outlen, + t->in, t->in_len) <= 0) + goto err; + } else { + if (EVP_PKEY_decrypt(encctx, out, &outlen, + t->in, t->in_len) <= 0) + goto err; + } + /* Check the KAT */ + OSSL_SELF_TEST_oncorrupt_byte(st, out); + if (outlen != t->expected_len + || memcmp(out, t->expected, t->expected_len) != 0) + goto err; + + ret = 1; +err: + BN_CTX_free(bnctx); + EVP_PKEY_free(key); + EVP_PKEY_CTX_free(encctx); + EVP_PKEY_CTX_free(keyctx); + OSSL_PARAM_free(keyparams); + OSSL_PARAM_BLD_free(keybld); + OSSL_PARAM_free(initparams); + OSSL_PARAM_BLD_free(initbld); + OSSL_SELF_TEST_onend(st, ret); + return ret; +} + +/* * Test a data driven list of KAT's for digest algorithms. * All tests are run regardless of if they fail or not. * Return 0 if any test fails. @@ -853,6 +940,17 @@ static int self_test_kems(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) return ret; } +static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) +{ + int i, ret = 1; + + for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) { + if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx)) + ret = 0; + } + return ret; +} + static int self_test_kdfs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) { int i, ret = 1; @@ -1092,6 +1190,8 @@ int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) ret = 0; if (!self_test_kems(st, libctx)) ret = 0; + if (!self_test_asym_ciphers(st, libctx)) + ret = 0; RAND_set0_private(libctx, saved_rand); return ret; diff --git a/crypto/openssl/providers/implementations/asymciphers/rsa_enc.c b/crypto/openssl/providers/implementations/asymciphers/rsa_enc.c index 6ee127caff80..e6b676d0f8fa 100644 --- a/crypto/openssl/providers/implementations/asymciphers/rsa_enc.c +++ b/crypto/openssl/providers/implementations/asymciphers/rsa_enc.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -151,6 +151,7 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, size_t outsize, const unsigned char *in, size_t inlen) { PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + size_t len = RSA_size(prsactx->rsa); int ret; if (!ossl_prov_is_running()) @@ -168,17 +169,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, } #endif - if (out == NULL) { - size_t len = RSA_size(prsactx->rsa); + if (len == 0) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY); + return 0; + } - if (len == 0) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY); - return 0; - } + if (out == NULL) { *outlen = len; return 1; } + if (outsize < len) { + ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); + return 0; + } + if (prsactx->pad_mode == RSA_PKCS1_OAEP_PADDING) { int rsasize = RSA_size(prsactx->rsa); unsigned char *tbuf; diff --git a/crypto/openssl/providers/implementations/encode_decode/decode_pem2der.c b/crypto/openssl/providers/implementations/encode_decode/decode_pem2der.c index abea679fe19a..a38c71883dd1 100644 --- a/crypto/openssl/providers/implementations/encode_decode/decode_pem2der.c +++ b/crypto/openssl/providers/implementations/encode_decode/decode_pem2der.c @@ -151,6 +151,7 @@ static int pem2der_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, { PEM_STRING_DSAPARAMS, OSSL_OBJECT_PKEY, "DSA", "type-specific" }, { PEM_STRING_ECPRIVATEKEY, OSSL_OBJECT_PKEY, "EC", "type-specific" }, { PEM_STRING_ECPARAMETERS, OSSL_OBJECT_PKEY, "EC", "type-specific" }, + { PEM_STRING_SM2PRIVATEKEY, OSSL_OBJECT_PKEY, "SM2", "type-specific" }, { PEM_STRING_SM2PARAMETERS, OSSL_OBJECT_PKEY, "SM2", "type-specific" }, { PEM_STRING_RSA, OSSL_OBJECT_PKEY, "RSA", "type-specific" }, { PEM_STRING_RSA_PUBLIC, OSSL_OBJECT_PKEY, "RSA", "type-specific" }, diff --git a/crypto/openssl/providers/implementations/kdfs/krb5kdf.c b/crypto/openssl/providers/implementations/kdfs/krb5kdf.c index 566afa74fece..13623ec7302e 100644 --- a/crypto/openssl/providers/implementations/kdfs/krb5kdf.c +++ b/crypto/openssl/providers/implementations/kdfs/krb5kdf.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -350,7 +350,7 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, { int klen, ret; - ret = EVP_EncryptInit_ex(ctx, cipher, engine, key, NULL); + ret = EVP_EncryptInit_ex(ctx, cipher, engine, NULL, NULL); if (!ret) goto out; /* set the key len for the odd variable key len cipher */ @@ -362,6 +362,9 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, goto out; } } + ret = EVP_EncryptInit_ex(ctx, NULL, NULL, key, NULL); + if (!ret) + goto out; /* we never want padding, either the length requested is a multiple of * the cipher block size or we are passed a cipher that can cope with * partial blocks via techniques like cipher text stealing */ diff --git a/crypto/openssl/providers/implementations/kem/ml_kem_kem.c b/crypto/openssl/providers/implementations/kem/ml_kem_kem.c index ac798cb4b6ba..27aa3b819836 100644 --- a/crypto/openssl/providers/implementations/kem/ml_kem_kem.c +++ b/crypto/openssl/providers/implementations/kem/ml_kem_kem.c @@ -171,7 +171,7 @@ static int ml_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen, return 1; } if (shsec == NULL) { - ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL, + ERR_raise_data(ERR_LIB_PROV, PROV_R_NULL_OUTPUT_BUFFER, "NULL shared-secret buffer"); goto end; } diff --git a/crypto/openssl/providers/implementations/keymgmt/dh_kmgmt.c b/crypto/openssl/providers/implementations/keymgmt/dh_kmgmt.c index c2ee8593557a..0e9e837383f2 100644 --- a/crypto/openssl/providers/implementations/keymgmt/dh_kmgmt.c +++ b/crypto/openssl/providers/implementations/keymgmt/dh_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -19,10 +19,12 @@ #include <openssl/core_names.h> #include <openssl/bn.h> #include <openssl/err.h> +#include <openssl/self_test.h> #include "prov/implementations.h" #include "prov/providercommon.h" #include "prov/provider_ctx.h" #include "crypto/dh.h" +#include "internal/fips.h" #include "internal/sizes.h" static OSSL_FUNC_keymgmt_new_fn dh_newdata; @@ -440,7 +442,7 @@ static int dh_validate(const void *keydata, int selection, int checktype) if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == OSSL_KEYMGMT_SELECT_KEYPAIR) - ok = ok && ossl_dh_check_pairwise(dh); + ok = ok && ossl_dh_check_pairwise(dh, 0); return ok; } @@ -792,6 +794,15 @@ static void *dh_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) gctx->gen_type == DH_PARAMGEN_TYPE_FIPS_186_2); if (DH_generate_key(dh) <= 0) goto end; +#ifdef FIPS_MODULE + if (!ossl_fips_self_testing()) { + ret = ossl_dh_check_pairwise(dh, 0); + if (ret <= 0) { + ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT); + goto end; + } + } +#endif /* FIPS_MODULE */ } DH_clear_flags(dh, DH_FLAG_TYPE_MASK); DH_set_flags(dh, gctx->dh_type); diff --git a/crypto/openssl/providers/implementations/keymgmt/ec_kmgmt.c b/crypto/openssl/providers/implementations/keymgmt/ec_kmgmt.c index 9421aabb1455..a1d04bc3fdd3 100644 --- a/crypto/openssl/providers/implementations/keymgmt/ec_kmgmt.c +++ b/crypto/openssl/providers/implementations/keymgmt/ec_kmgmt.c @@ -20,12 +20,14 @@ #include <openssl/err.h> #include <openssl/objects.h> #include <openssl/proverr.h> +#include <openssl/self_test.h> #include "crypto/bn.h" #include "crypto/ec.h" #include "prov/implementations.h" #include "prov/providercommon.h" #include "prov/provider_ctx.h" #include "prov/securitycheck.h" +#include "internal/fips.h" #include "internal/param_build_set.h" #ifndef FIPS_MODULE @@ -1330,6 +1332,21 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) if (gctx->group_check != NULL) ret = ret && ossl_ec_set_check_group_type_from_name(ec, gctx->group_check); +#ifdef FIPS_MODULE + if (ret > 0 + && !ossl_fips_self_testing() + && EC_KEY_get0_public_key(ec) != NULL + && EC_KEY_get0_private_key(ec) != NULL + && EC_KEY_get0_group(ec) != NULL) { + BN_CTX *bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec)); + + ret = bnctx != NULL && ossl_ec_key_pairwise_check(ec, bnctx); + BN_CTX_free(bnctx); + if (ret <= 0) + ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT); + } +#endif /* FIPS_MODULE */ + if (ret) return ec; err: diff --git a/crypto/openssl/providers/implementations/keymgmt/ecx_kmgmt.c b/crypto/openssl/providers/implementations/keymgmt/ecx_kmgmt.c index c2ac805ad1f6..0ebe8b4d59b1 100644 --- a/crypto/openssl/providers/implementations/keymgmt/ecx_kmgmt.c +++ b/crypto/openssl/providers/implementations/keymgmt/ecx_kmgmt.c @@ -17,6 +17,7 @@ #include <openssl/evp.h> #include <openssl/rand.h> #include <openssl/self_test.h> +#include "internal/fips.h" #include "internal/param_build_set.h" #include <openssl/param_build.h> #include "crypto/ecx.h" @@ -92,6 +93,15 @@ static void *s390x_ecd_keygen25519(struct ecx_gen_ctx *gctx); static void *s390x_ecd_keygen448(struct ecx_gen_ctx *gctx); #endif +#ifdef FIPS_MODULE +static int ecd_fips140_pairwise_test(const ECX_KEY *ecx, int type, int self_test); +#endif /* FIPS_MODULE */ + +static ossl_inline int ecx_key_type_is_ed(ECX_KEY_TYPE type) +{ + return type == ECX_KEY_TYPE_ED25519 || type == ECX_KEY_TYPE_ED448; +} + static void *x25519_new_key(void *provctx) { if (!ossl_prov_is_running()) @@ -703,8 +713,7 @@ static void *ecx_gen(struct ecx_gen_ctx *gctx) } #ifndef FIPS_MODULE if (gctx->dhkem_ikm != NULL && gctx->dhkem_ikmlen != 0) { - if (gctx->type == ECX_KEY_TYPE_ED25519 - || gctx->type == ECX_KEY_TYPE_ED448) + if (ecx_key_type_is_ed(gctx->type)) goto err; if (!ossl_ecx_dhkem_derive_private(key, privkey, gctx->dhkem_ikm, gctx->dhkem_ikmlen)) @@ -968,7 +977,7 @@ static int ecx_validate(const void *keydata, int selection, int type, if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != OSSL_KEYMGMT_SELECT_KEYPAIR) return ok; - if (type == ECX_KEY_TYPE_ED25519 || type == ECX_KEY_TYPE_ED448) + if (ecx_key_type_is_ed(type)) ok = ok && ecd_key_pairwise_check(ecx, type); else ok = ok && ecx_key_pairwise_check(ecx, type); diff --git a/crypto/openssl/providers/implementations/keymgmt/ml_dsa_kmgmt.c b/crypto/openssl/providers/implementations/keymgmt/ml_dsa_kmgmt.c index 53feeba4ac3d..6b99e093c6d5 100644 --- a/crypto/openssl/providers/implementations/keymgmt/ml_dsa_kmgmt.c +++ b/crypto/openssl/providers/implementations/keymgmt/ml_dsa_kmgmt.c @@ -268,6 +268,7 @@ static int ml_dsa_import(void *keydata, int selection, const OSSL_PARAM params[] { ML_DSA_KEY *key = keydata; int include_priv; + int res; if (!ossl_prov_is_running() || key == NULL) return 0; @@ -276,7 +277,17 @@ static int ml_dsa_import(void *keydata, int selection, const OSSL_PARAM params[] return 0; include_priv = ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0); - return ml_dsa_key_fromdata(key, params, include_priv); + res = ml_dsa_key_fromdata(key, params, include_priv); +#ifdef FIPS_MODULE + if (res > 0) { + res = ml_dsa_pairwise_test(key); + if (!res) { + ossl_ml_dsa_key_reset(key); + ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT); + } + } +#endif /* FIPS_MODULE */ + return res; } #define ML_DSA_IMEXPORTABLE_PARAMETERS \ diff --git a/crypto/openssl/providers/implementations/keymgmt/ml_kem_kmgmt.c b/crypto/openssl/providers/implementations/keymgmt/ml_kem_kmgmt.c index 3936b6c3cd40..9b34fe1c0331 100644 --- a/crypto/openssl/providers/implementations/keymgmt/ml_kem_kmgmt.c +++ b/crypto/openssl/providers/implementations/keymgmt/ml_kem_kmgmt.c @@ -475,7 +475,7 @@ static int ml_kem_import(void *vkey, int selection, const OSSL_PARAM params[]) if (res > 0 && include_private && !ml_kem_pairwise_test(key, key->prov_flags)) { #ifdef FIPS_MODULE - ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT); + ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT); #endif ossl_ml_kem_key_reset(key); res = 0; @@ -504,7 +504,7 @@ static const OSSL_PARAM *ml_kem_gettable_params(void *provctx) } #ifndef FIPS_MODULE -void *ml_kem_load(const void *reference, size_t reference_sz) +static void *ml_kem_load(const void *reference, size_t reference_sz) { ML_KEM_KEY *key = NULL; uint8_t *encoded_dk = NULL; diff --git a/crypto/openssl/providers/implementations/keymgmt/rsa_kmgmt.c b/crypto/openssl/providers/implementations/keymgmt/rsa_kmgmt.c index 77d095009421..cd74275d604b 100644 --- a/crypto/openssl/providers/implementations/keymgmt/rsa_kmgmt.c +++ b/crypto/openssl/providers/implementations/keymgmt/rsa_kmgmt.c @@ -25,6 +25,7 @@ #include "prov/provider_ctx.h" #include "crypto/rsa.h" #include "crypto/cryptlib.h" +#include "internal/fips.h" #include "internal/param_build_set.h" static OSSL_FUNC_keymgmt_new_fn rsa_newdata; diff --git a/crypto/openssl/providers/implementations/keymgmt/slh_dsa_kmgmt.c b/crypto/openssl/providers/implementations/keymgmt/slh_dsa_kmgmt.c index cd2ebea72abb..721617229467 100644 --- a/crypto/openssl/providers/implementations/keymgmt/slh_dsa_kmgmt.c +++ b/crypto/openssl/providers/implementations/keymgmt/slh_dsa_kmgmt.c @@ -11,6 +11,7 @@ #include <openssl/core_names.h> #include <openssl/param_build.h> #include <openssl/self_test.h> +#include <openssl/proverr.h> #include "crypto/slh_dsa.h" #include "internal/fips.h" #include "internal/param_build_set.h" @@ -18,6 +19,11 @@ #include "prov/providercommon.h" #include "prov/provider_ctx.h" +#ifdef FIPS_MODULE +static int slh_dsa_fips140_pairwise_test(const SLH_DSA_KEY *key, + SLH_DSA_HASH_CTX *ctx); +#endif /* FIPS_MODULE */ + static OSSL_FUNC_keymgmt_free_fn slh_dsa_free_key; static OSSL_FUNC_keymgmt_has_fn slh_dsa_has; static OSSL_FUNC_keymgmt_match_fn slh_dsa_match; @@ -281,9 +287,8 @@ static void *slh_dsa_gen_init(void *provctx, int selection, * Refer to FIPS 140-3 IG 10.3.A Additional Comment 1 * Perform a pairwise test for SLH_DSA by signing and verifying a signature. */ -static int slh_dsa_fips140_pairwise_test(SLH_DSA_HASH_CTX *ctx, - const SLH_DSA_KEY *key, - OSSL_LIB_CTX *lib_ctx) +static int slh_dsa_fips140_pairwise_test(const SLH_DSA_KEY *key, + SLH_DSA_HASH_CTX *ctx) { int ret = 0; OSSL_SELF_TEST *st = NULL; @@ -293,15 +298,25 @@ static int slh_dsa_fips140_pairwise_test(SLH_DSA_HASH_CTX *ctx, size_t msg_len = sizeof(msg); uint8_t *sig = NULL; size_t sig_len; + OSSL_LIB_CTX *lib_ctx; + int alloc_ctx = 0; /* During self test, it is a waste to do this test */ if (ossl_fips_self_testing()) return 1; + if (ctx == NULL) { + ctx = ossl_slh_dsa_hash_ctx_new(key); + if (ctx == NULL) + return 0; + alloc_ctx = 1; + } + lib_ctx = ossl_slh_dsa_key_get0_libctx(key); + OSSL_SELF_TEST_get_callback(lib_ctx, &cb, &cb_arg); st = OSSL_SELF_TEST_new(cb, cb_arg); if (st == NULL) - return 0; + goto err; OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT, OSSL_SELF_TEST_DESC_PCT_SLH_DSA); @@ -322,6 +337,8 @@ static int slh_dsa_fips140_pairwise_test(SLH_DSA_HASH_CTX *ctx, ret = 1; err: + if (alloc_ctx) + ossl_slh_dsa_hash_ctx_free(ctx); OPENSSL_free(sig); OSSL_SELF_TEST_onend(st, ret); OSSL_SELF_TEST_free(st); @@ -342,12 +359,12 @@ static void *slh_dsa_gen(void *genctx, const char *alg) return NULL; ctx = ossl_slh_dsa_hash_ctx_new(key); if (ctx == NULL) - return NULL; + goto err; if (!ossl_slh_dsa_generate_key(ctx, key, gctx->libctx, gctx->entropy, gctx->entropy_len)) goto err; #ifdef FIPS_MODULE - if (!slh_dsa_fips140_pairwise_test(ctx, key, gctx->libctx)) { + if (!slh_dsa_fips140_pairwise_test(key, ctx)) { ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT); goto err; } diff --git a/crypto/openssl/providers/implementations/macs/hmac_prov.c b/crypto/openssl/providers/implementations/macs/hmac_prov.c index e9c3087027c6..eb5ecaa300ef 100644 --- a/crypto/openssl/providers/implementations/macs/hmac_prov.c +++ b/crypto/openssl/providers/implementations/macs/hmac_prov.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -98,7 +98,7 @@ static void hmac_free(void *vmacctx) if (macctx != NULL) { HMAC_CTX_free(macctx->ctx); ossl_prov_digest_reset(&macctx->digest); - OPENSSL_secure_clear_free(macctx->key, macctx->keylen); + OPENSSL_clear_free(macctx->key, macctx->keylen); OPENSSL_free(macctx); } } @@ -127,13 +127,13 @@ static void *hmac_dup(void *vsrc) return NULL; } if (src->key != NULL) { - /* There is no "secure" OPENSSL_memdup */ - dst->key = OPENSSL_secure_malloc(src->keylen > 0 ? src->keylen : 1); + dst->key = OPENSSL_malloc(src->keylen > 0 ? src->keylen : 1); if (dst->key == NULL) { hmac_free(dst); return 0; } - memcpy(dst->key, src->key, src->keylen); + if (src->keylen > 0) + memcpy(dst->key, src->key, src->keylen); } return dst; } @@ -178,13 +178,14 @@ static int hmac_setkey(struct hmac_data_st *macctx, #endif if (macctx->key != NULL) - OPENSSL_secure_clear_free(macctx->key, macctx->keylen); + OPENSSL_clear_free(macctx->key, macctx->keylen); /* Keep a copy of the key in case we need it for TLS HMAC */ - macctx->key = OPENSSL_secure_malloc(keylen > 0 ? keylen : 1); + macctx->key = OPENSSL_malloc(keylen > 0 ? keylen : 1); if (macctx->key == NULL) return 0; - memcpy(macctx->key, key, keylen); + if (keylen > 0) + memcpy(macctx->key, key, keylen); macctx->keylen = keylen; digest = ossl_prov_digest_md(&macctx->digest); diff --git a/crypto/openssl/providers/implementations/signature/dsa_sig.c b/crypto/openssl/providers/implementations/signature/dsa_sig.c index c5adbf80021b..887f6cbb9018 100644 --- a/crypto/openssl/providers/implementations/signature/dsa_sig.c +++ b/crypto/openssl/providers/implementations/signature/dsa_sig.c @@ -193,7 +193,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx), OSSL_FIPS_IND_SETTABLE1, ctx->libctx, - md_nid, sha1_allowed, desc, + md_nid, sha1_allowed, 0, desc, ossl_fips_config_signature_digest_check)) goto err; } diff --git a/crypto/openssl/providers/implementations/signature/ecdsa_sig.c b/crypto/openssl/providers/implementations/signature/ecdsa_sig.c index 4018a772ff13..73bfbf4aa9c1 100644 --- a/crypto/openssl/providers/implementations/signature/ecdsa_sig.c +++ b/crypto/openssl/providers/implementations/signature/ecdsa_sig.c @@ -219,7 +219,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx), OSSL_FIPS_IND_SETTABLE1, ctx->libctx, - md_nid, sha1_allowed, desc, + md_nid, sha1_allowed, 0, desc, ossl_fips_config_signature_digest_check)) goto err; } diff --git a/crypto/openssl/providers/implementations/signature/rsa_sig.c b/crypto/openssl/providers/implementations/signature/rsa_sig.c index e75b90840b9a..d8357cfe1578 100644 --- a/crypto/openssl/providers/implementations/signature/rsa_sig.c +++ b/crypto/openssl/providers/implementations/signature/rsa_sig.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -411,7 +411,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx), OSSL_FIPS_IND_SETTABLE1, ctx->libctx, - md_nid, sha1_allowed, desc, + md_nid, sha1_allowed, 1, desc, ossl_fips_config_signature_digest_check)) goto err; } @@ -952,7 +952,7 @@ static int rsa_verify_recover(void *vprsactx, return 0; ret = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa, RSA_X931_PADDING); - if (ret < 1) { + if (ret <= 0) { ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); return 0; } @@ -1002,7 +1002,7 @@ static int rsa_verify_recover(void *vprsactx, } else { ret = RSA_public_decrypt(siglen, sig, rout, prsactx->rsa, prsactx->pad_mode); - if (ret < 0) { + if (ret <= 0) { ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); return 0; } diff --git a/crypto/openssl/providers/legacyprov.c b/crypto/openssl/providers/legacyprov.c index 16e3639e76f1..6dbe3a8505d0 100644 --- a/crypto/openssl/providers/legacyprov.c +++ b/crypto/openssl/providers/legacyprov.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -48,6 +48,7 @@ static OSSL_FUNC_core_vset_error_fn *c_vset_error; static OSSL_FUNC_core_set_error_mark_fn *c_set_error_mark; static OSSL_FUNC_core_clear_last_error_mark_fn *c_clear_last_error_mark; static OSSL_FUNC_core_pop_error_to_mark_fn *c_pop_error_to_mark; +static OSSL_FUNC_core_count_to_mark_fn *c_count_to_mark; #endif /* Parameters we provide to the core */ @@ -234,6 +235,9 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, case OSSL_FUNC_CORE_POP_ERROR_TO_MARK: set_func(c_pop_error_to_mark, OSSL_FUNC_core_pop_error_to_mark(tmp)); break; + case OSSL_FUNC_CORE_COUNT_TO_MARK: + set_func(c_count_to_mark, OSSL_FUNC_core_count_to_mark(in)); + break; } } #endif @@ -301,4 +305,9 @@ int ERR_pop_to_mark(void) { return c_pop_error_to_mark(NULL); } + +int ERR_count_to_mark(void) +{ + return c_count_to_mark != NULL ? c_count_to_mark(NULL) : 0; +} #endif diff --git a/crypto/openssl/ssl/d1_lib.c b/crypto/openssl/ssl/d1_lib.c index 9e1fbb0b2945..a5a52a7ee80e 100644 --- a/crypto/openssl/ssl/d1_lib.c +++ b/crypto/openssl/ssl/d1_lib.c @@ -863,7 +863,7 @@ int dtls1_shutdown(SSL *s) BIO *wbio; SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s); - if (s == NULL) + if (sc == NULL) return -1; wbio = SSL_get_wbio(s); diff --git a/crypto/openssl/ssl/quic/quic_ackm.c b/crypto/openssl/ssl/quic/quic_ackm.c index 75a1e5741a03..93c83a36d8fe 100644 --- a/crypto/openssl/ssl/quic/quic_ackm.c +++ b/crypto/openssl/ssl/quic/quic_ackm.c @@ -1,5 +1,5 @@ /* - * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -536,6 +536,9 @@ struct ossl_ackm_st { /* Set to 1 when the handshake is confirmed. */ char handshake_confirmed; + /* Set to 1 when attached to server channel */ + char is_server; + /* Set to 1 when the peer has completed address validation. */ char peer_completed_addr_validation; @@ -855,7 +858,13 @@ static OSSL_TIME ackm_get_pto_time_and_space(OSSL_ACKM *ackm, int *space) } for (i = QUIC_PN_SPACE_INITIAL; i < QUIC_PN_SPACE_NUM; ++i) { - if (ackm->ack_eliciting_bytes_in_flight[i] == 0) + /* + * RFC 9002 section 6.2.2.1 keep probe timeout armed until + * handshake is confirmed (client sees HANDSHAKE_DONE message + * from server). + */ + if (ackm->ack_eliciting_bytes_in_flight[i] == 0 && + (ackm->handshake_confirmed == 1 || ackm->is_server == 1)) continue; if (i == QUIC_PN_SPACE_APP) { @@ -875,10 +884,18 @@ static OSSL_TIME ackm_get_pto_time_and_space(OSSL_ACKM *ackm, int *space) } } - t = ossl_time_add(ackm->time_of_last_ack_eliciting_pkt[i], duration); - if (ossl_time_compare(t, pto_timeout) < 0) { - pto_timeout = t; - pto_space = i; + /* + * Only re-arm timer if stack has sent at least one ACK eliciting frame. + * If stack has sent no ACK eliciting frame at given encryption level then + * particular timer is zero and we must not attempt to set it. Timer keeps + * time since epoch (Jan 1 1970) and we must not set timer to past. + */ + if (!ossl_time_is_zero(ackm->time_of_last_ack_eliciting_pkt[i])) { + t = ossl_time_add(ackm->time_of_last_ack_eliciting_pkt[i], duration); + if (ossl_time_compare(t, pto_timeout) < 0) { + pto_timeout = t; + pto_space = i; + } } } @@ -1021,7 +1038,8 @@ OSSL_ACKM *ossl_ackm_new(OSSL_TIME (*now)(void *arg), void *now_arg, OSSL_STATM *statm, const OSSL_CC_METHOD *cc_method, - OSSL_CC_DATA *cc_data) + OSSL_CC_DATA *cc_data, + int is_server) { OSSL_ACKM *ackm; int i; @@ -1045,6 +1063,7 @@ OSSL_ACKM *ossl_ackm_new(OSSL_TIME (*now)(void *arg), ackm->statm = statm; ackm->cc_method = cc_method; ackm->cc_data = cc_data; + ackm->is_server = (char)is_server; ackm->rx_max_ack_delay = ossl_ms2time(QUIC_DEFAULT_MAX_ACK_DELAY); ackm->tx_max_ack_delay = DEFAULT_TX_MAX_ACK_DELAY; diff --git a/crypto/openssl/ssl/quic/quic_channel.c b/crypto/openssl/ssl/quic/quic_channel.c index 8fb651d9ceb6..652c653b9120 100644 --- a/crypto/openssl/ssl/quic/quic_channel.c +++ b/crypto/openssl/ssl/quic/quic_channel.c @@ -242,7 +242,8 @@ static int ch_init(QUIC_CHANNEL *ch) goto err; if ((ch->ackm = ossl_ackm_new(get_time, ch, &ch->statm, - ch->cc_method, ch->cc_data)) == NULL) + ch->cc_method, ch->cc_data, + ch->is_server)) == NULL) goto err; if (!ossl_quic_stream_map_init(&ch->qsm, get_stream_limit, ch, @@ -1330,8 +1331,20 @@ static int ch_on_transport_params(const unsigned char *params, ossl_unused uint64_t rx_max_idle_timeout = 0; ossl_unused const void *stateless_reset_token_p = NULL; QUIC_PREFERRED_ADDR pfa; + SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(ch->tls); - if (ch->got_remote_transport_params) { + /* + * When HRR happens the client sends the transport params in the new client + * hello again. Reset the transport params here and load them again. + */ + if (ch->is_server && sc->hello_retry_request != SSL_HRR_NONE + && ch->got_remote_transport_params) { + ch->max_local_streams_bidi = 0; + ch->max_local_streams_uni = 0; + ch->got_local_transport_params = 0; + OPENSSL_free(ch->local_transport_params); + ch->local_transport_params = NULL; + } else if (ch->got_remote_transport_params) { reason = "multiple transport parameter extensions"; goto malformed; } @@ -2422,7 +2435,6 @@ static void ch_rx_handle_packet(QUIC_CHANNEL *ch, int channel_only) if (!PACKET_get_net_4(&vpkt, &supported_ver)) return; - supported_ver = ntohl(supported_ver); if (supported_ver == QUIC_VERSION_1) { /* * If the server supports version 1, set it as diff --git a/crypto/openssl/ssl/quic/quic_impl.c b/crypto/openssl/ssl/quic/quic_impl.c index 5ad5a79157f4..cec05d5bd37b 100644 --- a/crypto/openssl/ssl/quic/quic_impl.c +++ b/crypto/openssl/ssl/quic/quic_impl.c @@ -3197,6 +3197,7 @@ int ossl_quic_conn_stream_conclude(SSL *s) QCTX ctx; QUIC_STREAM *qs; int err; + int ret; if (!expect_quic_with_stream_lock(s, /*remote_init=*/0, /*io=*/0, &ctx)) return 0; @@ -3204,13 +3205,15 @@ int ossl_quic_conn_stream_conclude(SSL *s) qs = ctx.xso->stream; if (!quic_mutation_allowed(ctx.qc, /*req_active=*/1)) { + ret = QUIC_RAISE_NON_NORMAL_ERROR(&ctx, SSL_R_PROTOCOL_IS_SHUTDOWN, NULL); qctx_unlock(&ctx); - return QUIC_RAISE_NON_NORMAL_ERROR(&ctx, SSL_R_PROTOCOL_IS_SHUTDOWN, NULL); + return ret; } if (!quic_validate_for_write(ctx.xso, &err)) { + ret = QUIC_RAISE_NON_NORMAL_ERROR(&ctx, err, NULL); qctx_unlock(&ctx); - return QUIC_RAISE_NON_NORMAL_ERROR(&ctx, err, NULL); + return ret; } if (ossl_quic_sstream_get_final_size(qs->sstream, NULL)) { @@ -4769,6 +4772,7 @@ void ossl_quic_free_token_store(SSL_TOKEN_STORE *hdl) ossl_crypto_mutex_free(&hdl->mutex); lh_QUIC_TOKEN_doall(hdl->cache, free_this_token); lh_QUIC_TOKEN_free(hdl->cache); + CRYPTO_FREE_REF(&hdl->references); OPENSSL_free(hdl); return; } diff --git a/crypto/openssl/ssl/quic/quic_port.c b/crypto/openssl/ssl/quic/quic_port.c index 684c088c08c0..d6e6d4d25cb5 100644 --- a/crypto/openssl/ssl/quic/quic_port.c +++ b/crypto/openssl/ssl/quic/quic_port.c @@ -1267,7 +1267,7 @@ static void port_send_version_negotiation(QUIC_PORT *port, BIO_ADDR *peer, * Add the array of supported versions to the end of the packet */ for (i = 0; i < OSSL_NELEM(supported_versions); i++) { - if (!WPACKET_put_bytes_u32(&wpkt, htonl(supported_versions[i]))) + if (!WPACKET_put_bytes_u32(&wpkt, supported_versions[i])) return; } @@ -1691,6 +1691,7 @@ static void port_default_packet_handler(QUIC_URXE *e, void *arg, */ while (ossl_qrx_read_pkt(qrx_src, &qrx_pkt) == 1) ossl_quic_channel_inject_pkt(new_ch, qrx_pkt); + ossl_qrx_update_pn_space(qrx_src, new_ch->qrx); } /* diff --git a/crypto/openssl/ssl/quic/quic_record_rx.c b/crypto/openssl/ssl/quic/quic_record_rx.c index e01cc5253457..1a8194b396d7 100644 --- a/crypto/openssl/ssl/quic/quic_record_rx.c +++ b/crypto/openssl/ssl/quic/quic_record_rx.c @@ -237,6 +237,16 @@ static void qrx_cleanup_urxl(OSSL_QRX *qrx, QUIC_URXE_LIST *l) } } +void ossl_qrx_update_pn_space(OSSL_QRX *src, OSSL_QRX *dst) +{ + size_t i; + + for (i = 0; i < QUIC_PN_SPACE_NUM; i++) + dst->largest_pn[i] = src->largest_pn[i]; + + return; +} + void ossl_qrx_free(OSSL_QRX *qrx) { uint32_t i; diff --git a/crypto/openssl/ssl/quic/quic_record_tx.c b/crypto/openssl/ssl/quic/quic_record_tx.c index ef93a14f94a8..ae37353a9b26 100644 --- a/crypto/openssl/ssl/quic/quic_record_tx.c +++ b/crypto/openssl/ssl/quic/quic_record_tx.c @@ -279,12 +279,12 @@ static TXE *qtx_resize_txe(OSSL_QTX *qtx, TXE_LIST *txl, TXE *txe, size_t n) * data. */ txe2 = OPENSSL_realloc(txe, sizeof(TXE) + n); - if (txe2 == NULL || txe == txe2) { + if (txe2 == NULL) { if (p == NULL) ossl_list_txe_insert_head(txl, txe); else ossl_list_txe_insert_after(txl, p, txe); - return txe2; + return NULL; } if (p == NULL) diff --git a/crypto/openssl/ssl/quic/quic_rx_depack.c b/crypto/openssl/ssl/quic/quic_rx_depack.c index a36b02d5dcb4..f800d8984193 100644 --- a/crypto/openssl/ssl/quic/quic_rx_depack.c +++ b/crypto/openssl/ssl/quic/quic_rx_depack.c @@ -1429,16 +1429,8 @@ int ossl_quic_handle_frames(QUIC_CHANNEL *ch, OSSL_QRX_PKT *qpacket) uint32_t enc_level; size_t dgram_len = qpacket->datagram_len; - /* - * ok has three states: - * -1 error with ackm_data uninitialized - * 0 error with ackm_data initialized - * 1 success (ackm_data initialized) - */ - int ok = -1; /* Assume the worst */ - if (ch == NULL) - goto end; + return 0; ch->did_crypto_frame = 0; @@ -1456,9 +1448,8 @@ int ossl_quic_handle_frames(QUIC_CHANNEL *ch, OSSL_QRX_PKT *qpacket) * Retry and Version Negotiation packets should not be passed to this * function. */ - goto end; + return 0; - ok = 0; /* Still assume the worst */ ackm_data.pkt_space = ossl_quic_enc_level_to_pn_space(enc_level); /* @@ -1480,18 +1471,9 @@ int ossl_quic_handle_frames(QUIC_CHANNEL *ch, OSSL_QRX_PKT *qpacket) enc_level, qpacket->time, &ackm_data)) - goto end; + return 0; - ok = 1; - end: - /* - * ASSUMPTION: If this function is called at all, |qpacket| is - * a legitimate packet, even if its contents aren't. - * Therefore, we call ossl_ackm_on_rx_packet() unconditionally, as long as - * |ackm_data| has at least been initialized. - */ - if (ok >= 0) - ossl_ackm_on_rx_packet(ch->ackm, &ackm_data); + ossl_ackm_on_rx_packet(ch->ackm, &ackm_data); - return ok > 0; + return 1; } diff --git a/crypto/openssl/ssl/record/methods/tls_common.c b/crypto/openssl/ssl/record/methods/tls_common.c index 80d4477bd0c0..b9c79099462d 100644 --- a/crypto/openssl/ssl/record/methods/tls_common.c +++ b/crypto/openssl/ssl/record/methods/tls_common.c @@ -1,5 +1,5 @@ /* - * Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1093,9 +1093,12 @@ int tls13_common_post_process_record(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec) return 0; } - if (rl->msg_callback != NULL) - rl->msg_callback(0, rl->version, SSL3_RT_INNER_CONTENT_TYPE, &rec->type, - 1, rl->cbarg); + if (rl->msg_callback != NULL) { + unsigned char ctype = (unsigned char)rec->type; + + rl->msg_callback(0, rl->version, SSL3_RT_INNER_CONTENT_TYPE, &ctype, + 1, rl->cbarg); + } /* * TLSv1.3 alert and handshake records are required to be non-zero in diff --git a/crypto/openssl/ssl/ssl_rsa.c b/crypto/openssl/ssl/ssl_rsa.c index e833bcdbc377..f4731a87af90 100644 --- a/crypto/openssl/ssl/ssl_rsa.c +++ b/crypto/openssl/ssl/ssl_rsa.c @@ -1056,10 +1056,13 @@ static int ssl_set_cert_and_key(SSL *ssl, SSL_CTX *ctx, X509 *x509, EVP_PKEY *pr } } - if (!X509_up_ref(x509)) + if (!X509_up_ref(x509)) { + OSSL_STACK_OF_X509_free(dup_chain); goto out; + } if (!EVP_PKEY_up_ref(privatekey)) { + OSSL_STACK_OF_X509_free(dup_chain); X509_free(x509); goto out; } diff --git a/crypto/openssl/ssl/statem/extensions_clnt.c b/crypto/openssl/ssl/statem/extensions_clnt.c index baa7c47b3cd9..d958373875a3 100644 --- a/crypto/openssl/ssl/statem/extensions_clnt.c +++ b/crypto/openssl/ssl/statem/extensions_clnt.c @@ -745,6 +745,7 @@ EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt, /* SSLfatal() already called */ return EXT_RETURN_FAIL; } + valid_keyshare++; } else { if (s->ext.supportedgroups == NULL) /* use default */ add_only_one = 1; @@ -766,13 +767,18 @@ EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt, /* SSLfatal() already called */ return EXT_RETURN_FAIL; } + valid_keyshare++; if (add_only_one) break; - - valid_keyshare++; } } + if (valid_keyshare == 0) { + /* No key shares were allowed */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE); + return EXT_RETURN_FAIL; + } + if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; diff --git a/crypto/openssl/ssl/t1_trce.c b/crypto/openssl/ssl/t1_trce.c index 35c60feb4371..73fd4ebaa4b0 100644 --- a/crypto/openssl/ssl/t1_trce.c +++ b/crypto/openssl/ssl/t1_trce.c @@ -549,8 +549,12 @@ static const ssl_trace_tbl ssl_groups_tbl[] = { {258, "ffdhe4096"}, {259, "ffdhe6144"}, {260, "ffdhe8192"}, + {512, "MLKEM512"}, + {513, "MLKEM768"}, + {514, "MLKEM1024"}, {4587, "SecP256r1MLKEM768"}, {4588, "X25519MLKEM768"}, + {4589, "SecP384r1MLKEM1024"}, {25497, "X25519Kyber768Draft00"}, {25498, "SecP256r1Kyber768Draft00"}, {0xFF01, "arbitrary_explicit_prime_curves"}, diff --git a/crypto/openssl/test/build.info b/crypto/openssl/test/build.info index 9d9be6b642e9..3dca6117796b 100644 --- a/crypto/openssl/test/build.info +++ b/crypto/openssl/test/build.info @@ -31,7 +31,8 @@ IF[{- !$disabled{tests} -}] testutil/format_output.c testutil/load.c testutil/fake_random.c \ testutil/test_cleanup.c testutil/main.c testutil/testutil_init.c \ testutil/options.c testutil/test_options.c testutil/provider.c \ - testutil/apps_shims.c testutil/random.c testutil/helper.c $LIBAPPSSRC + testutil/apps_shims.c testutil/random.c testutil/helper.c \ + testutil/compare.c $LIBAPPSSRC INCLUDE[libtestutil.a]=../include ../apps/include .. DEPEND[libtestutil.a]=../libcrypto diff --git a/crypto/openssl/test/crltest.c b/crypto/openssl/test/crltest.c index c18448122024..9cea5b2f072f 100644 --- a/crypto/openssl/test/crltest.c +++ b/crypto/openssl/test/crltest.c @@ -9,6 +9,7 @@ #include "internal/nelem.h" #include <string.h> +#include <time.h> #include <openssl/bio.h> #include <openssl/crypto.h> #include <openssl/err.h> @@ -17,7 +18,16 @@ #include "testutil.h" +/* + * We cannot use old certificates for new tests because the private key + * associated with them is no longer available. Therefore, we add kCRLTestLeaf, + * kCRLTestLeaf2 and PARAM_TIME2, as well as pass the verification time to the + * verify function as a parameter. Certificates and CRL from + * https://github.com/openssl/openssl/issues/27506 are used. + */ + #define PARAM_TIME 1474934400 /* Sep 27th, 2016 */ +#define PARAM_TIME2 1753284700 /* July 23th, 2025 */ static const char *kCRLTestRoot[] = { "-----BEGIN CERTIFICATE-----\n", @@ -70,6 +80,61 @@ static const char *kCRLTestLeaf[] = { NULL }; +static const char *kCRLTestRoot2[] = { + "-----BEGIN CERTIFICATE-----\n", + "MIID4zCCAsugAwIBAgIUGTcyNat9hTOo8nnGdzF7MTzL9WAwDQYJKoZIhvcNAQEL\n", + "BQAweTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM\n", + "DVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk15IENvbXBhbnkxEzARBgNVBAMMCk15\n", + "IFJvb3QgQ0ExEzARBgNVBAsMCk15IFJvb3QgQ0EwHhcNMjUwMzAzMDcxNDA0WhcN\n", + "MzUwMzAxMDcxNDA0WjB5MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5p\n", + "YTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzETMBEGA1UECgwKTXkgQ29tcGFueTET\n", + "MBEGA1UEAwwKTXkgUm9vdCBDQTETMBEGA1UECwwKTXkgUm9vdCBDQTCCASIwDQYJ\n", + "KoZIhvcNAQEBBQADggEPADCCAQoCggEBAN6jjwkmV+pse430MQfyaWv+JtAd2r6K\n", + "qzEquBcoofzuf/yvdEhQPjK3bcotgfEcFq3QMo1MJ7vqRHEIu0hJ+5ZnEQtIRcrg\n", + "Vm7/EoVCBpDc9BDtW40TDp69z9kaKyyKYy6rxmSKgJydGBeGGMwBxgTK/o0xAriC\n", + "C3lLXHT8G8YMamKUpToPL5iCRX+GJPnnizB2ODvpQGMWkbp9+1xEc4dD7Db2wfUb\n", + "gatDYUoGndQKWD49UhURavQZeLpDxlz93YutRRkZTWc4IB7WebiEb39BDjSP3QYm\n", + "2h+rZYyjp3Gxy8pBNTPzE9Dk4yjiqS7o3WGvi/S6zKTLDvWl9t6pMOMCAwEAAaNj\n", + "MGEwHQYDVR0OBBYEFNdhiR+Tlot2VBbp5XfcfLdlG4AkMA4GA1UdDwEB/wQEAwIB\n", + "hjAfBgNVHSMEGDAWgBTXYYkfk5aLdlQW6eV33Hy3ZRuAJDAPBgNVHRMBAf8EBTAD\n", + "AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCvwutY0WMcKoqulifnYfhxGLtXSSvD2GET\n", + "uNRv+S1KI5JKcAdfvnbNDpUwlujMDIpe3ewmv9i6kcitpHwZXdVAw6KWagJ0kDSt\n", + "jbArJxuuuFmSFDS7kj8x7FZok5quAWDSSg+ubV2tCVxmDuTs1WXJXD3l9g+3J9GU\n", + "kyeFMKqwRp8w22vm9ilgXrzeesAmmAg/pEb56ljTPeaONQxVe7KJhv2q8J17sML8\n", + "BE7TdVx7UFQbO/t9XqdT5O9eF8JUx4Vn4QSr+jdjJ/ns4T3/IC9dJq9k7tjD48iA\n", + "TNc+7x+uj8P39VA96HpjujVakj8/qn5SQMPJgDds+MSXrX+6JBWm\n", + "-----END CERTIFICATE-----\n", + NULL +}; + +static const char *kCRLTestLeaf2[] = { + "-----BEGIN CERTIFICATE-----\n", + "MIIECjCCAvKgAwIBAgIUPxuMqMtuN1j3XZVRVrNmaTCIP04wDQYJKoZIhvcNAQEL\n", + "BQAweTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM\n", + "DVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk15IENvbXBhbnkxEzARBgNVBAMMCk15\n", + "IFJvb3QgQ0ExEzARBgNVBAsMCk15IFJvb3QgQ0EwHhcNMjUwNDE3MTAxNjQ5WhcN\n", + "MjYwNDE3MTAxNjQ5WjBoMQswCQYDVQQGEwJDTjEQMA4GA1UECAwHQmVpamluZzEQ\n", + "MA4GA1UEBwwHQmVpamluZzEYMBYGA1UECgwPTXkgT3JnYW5pemF0aW9uMRswGQYD\n", + "VQQDDBJNeSBJbnRlcm1lZGlhdGUgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n", + "ggEKAoIBAQDIxRxZQokflDaLYoD21HT2U4EshqtKpSf9zPS5unBMCfnQkU4IJjBF\n", + "3qQmfgz5ZOpZv3x0w48fDjiysk0eOVCFAo+uixEjMeuln6Wj3taetch2Sk0YNm5J\n", + "SJCNF2olHZXn5R8ngEmho2j1wbwNnpcccZyRNzUSjR9oAgObkP3O7fyQKJRxwNU0\n", + "sN7mfoyEOczKtUaYbqi2gPx6OOqNLjXlLmfZ8PJagKCN/oYkGU5PoRNXp65Znhu6\n", + "s8FuSmvTodu8Qhs9Uizo+SycaBXn5Fbqt32S+9vPfhH9FfELDfQIaBp+iQAxcKPX\n", + "tUglXEjiEVrbNf722PuWIWN9EIBolULVAgMBAAGjgZowgZcwEgYDVR0TAQH/BAgw\n", + "BgEB/wIBATAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vbG9jYWxob3N0OjgwMDAv\n", + "Y2FfY3JsLmRlcjAdBgNVHQ4EFgQUh40vFgoopz5GUggPEEk2+bKgbwQwHwYDVR0j\n", + "BBgwFoAU12GJH5OWi3ZUFunld9x8t2UbgCQwDgYDVR0PAQH/BAQDAgGGMA0GCSqG\n", + "SIb3DQEBCwUAA4IBAQDANfJuTgo0vRaMPYqOeW8R4jLHdVazdGLeQQ/85vXr/Gl1\n", + "aL40tLp4yZbThxuxTzPzfY1OGkG69YQ/8Vo0gCEi5KjBMYPKmZISKy1MwROQ1Jfp\n", + "HkmyZk1TfuzG/4fN/bun2gjpDYcihf4xA4NhSVzQyvqm1N6VkTgK+bEWTOGzqw66\n", + "6IYPN6oVDmLbwU1EvV3rggB7HUJCJP4qW9DbAQRAijUurPUGoU2vEbrSyYkfQXCf\n", + "p4ouOTMl6O7bJ110SKzxbCfWqom+iAwHlU2tOPVmOp1CLDCClMRNHIFMDGAoBomH\n", + "s01wD+IcIi9OkQEbqVb/XDKes8fqzQgTtSM9C9Ot\n", + "-----END CERTIFICATE-----\n", + NULL +}; + static const char *kBasicCRL[] = { "-----BEGIN X509 CRL-----\n", "MIIBpzCBkAIBATANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzETMBEGA1UE\n", @@ -124,6 +189,24 @@ static const char *kBadIssuerCRL[] = { NULL }; +static const char *kEmptyIdpCRL[] = { + "-----BEGIN X509 CRL-----\n", + "MIICOTCCASECAQEwDQYJKoZIhvcNAQELBQAweTELMAkGA1UEBhMCVVMxEzARBgNV\n", + "BAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoM\n", + "Ck15IENvbXBhbnkxEzARBgNVBAMMCk15IFJvb3QgQ0ExEzARBgNVBAsMCk15IFJv\n", + "b3QgQ0EXDTI1MDEwMTAwMDAwMFoXDTI1MTIwMTAwMDAwMFowJzAlAhQcgAIu+B8k\n", + "Be6WphLcth/grHAeXhcNMjUwNDE3MTAxNjUxWqBLMEkwGAYDVR0UBBECDxnP/97a\n", + "dO3y9qRGDM7hQDAfBgNVHSMEGDAWgBTXYYkfk5aLdlQW6eV33Hy3ZRuAJDAMBgNV\n", + "HRwBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAf+mtlDi9IftsYwTcxYYKxE203\n", + "+prttFB00om29jjtkGYRxcs3vZQRTvera21YFn3mrS/lxvhBq6GMx0I61AQ48Pr4\n", + "63bDvZgf+/P6T2+MLgLds23o3TOfy2SBSdnFEcN0bFUgF5U0bFpQqlQWx+FYhrAf\n", + "ZX3RAhURiKKfGKGeVOVKS0u+x666FoDQ7pbhbHM3+jnuzdtv8RQMkj1AZMw0FMl8\n", + "m2dFQhZqT9WdJqZAc8ldc6V3a0rUeOV8BUPACf1k4B0CKhn4draIqltZkWgl3cmU\n", + "SX2V/a51lS12orfNYSEx+vtJ9gpx4LDxyOnai18vueVyljrXuQSrcYuxS2Cd\n", + "-----END X509 CRL-----\n", + NULL +}; + /* * This is kBasicCRL but with a critical issuing distribution point * extension. @@ -189,6 +272,8 @@ static const char **unknown_critical_crls[] = { static X509 *test_root = NULL; static X509 *test_leaf = NULL; +static X509 *test_root2 = NULL; +static X509 *test_leaf2 = NULL; /* * Glue an array of strings together. Return a BIO and put the string @@ -251,7 +336,7 @@ static X509 *X509_from_strings(const char **pem) * Returns a value from X509_V_ERR_xxx or X509_V_OK. */ static int verify(X509 *leaf, X509 *root, STACK_OF(X509_CRL) *crls, - unsigned long flags) + unsigned long flags, time_t verification_time) { X509_STORE_CTX *ctx = X509_STORE_CTX_new(); X509_STORE *store = X509_STORE_new(); @@ -276,8 +361,8 @@ static int verify(X509 *leaf, X509 *root, STACK_OF(X509_CRL) *crls, goto err; X509_STORE_CTX_set0_trusted_stack(ctx, roots); X509_STORE_CTX_set0_crls(ctx, crls); - X509_VERIFY_PARAM_set_time(param, PARAM_TIME); - if (!TEST_long_eq((long)X509_VERIFY_PARAM_get_time(param), PARAM_TIME)) + X509_VERIFY_PARAM_set_time(param, verification_time); + if (!TEST_long_eq((long)X509_VERIFY_PARAM_get_time(param), (long)verification_time)) goto err; X509_VERIFY_PARAM_set_depth(param, 16); if (flags) @@ -341,10 +426,11 @@ static int test_basic_crl(void) && TEST_ptr(revoked_crl) && TEST_int_eq(verify(test_leaf, test_root, make_CRL_stack(basic_crl, NULL), - X509_V_FLAG_CRL_CHECK), X509_V_OK) + X509_V_FLAG_CRL_CHECK, PARAM_TIME), X509_V_OK) && TEST_int_eq(verify(test_leaf, test_root, make_CRL_stack(basic_crl, revoked_crl), - X509_V_FLAG_CRL_CHECK), X509_V_ERR_CERT_REVOKED); + X509_V_FLAG_CRL_CHECK, PARAM_TIME), + X509_V_ERR_CERT_REVOKED); X509_CRL_free(basic_crl); X509_CRL_free(revoked_crl); return r; @@ -353,7 +439,7 @@ static int test_basic_crl(void) static int test_no_crl(void) { return TEST_int_eq(verify(test_leaf, test_root, NULL, - X509_V_FLAG_CRL_CHECK), + X509_V_FLAG_CRL_CHECK, PARAM_TIME), X509_V_ERR_UNABLE_TO_GET_CRL); } @@ -365,12 +451,26 @@ static int test_bad_issuer_crl(void) r = TEST_ptr(bad_issuer_crl) && TEST_int_eq(verify(test_leaf, test_root, make_CRL_stack(bad_issuer_crl, NULL), - X509_V_FLAG_CRL_CHECK), + X509_V_FLAG_CRL_CHECK, PARAM_TIME), X509_V_ERR_UNABLE_TO_GET_CRL); X509_CRL_free(bad_issuer_crl); return r; } +static int test_crl_empty_idp(void) +{ + X509_CRL *empty_idp_crl = CRL_from_strings(kEmptyIdpCRL); + int r; + + r = TEST_ptr(empty_idp_crl) + && TEST_int_eq(verify(test_leaf2, test_root2, + make_CRL_stack(empty_idp_crl, NULL), + X509_V_FLAG_CRL_CHECK, PARAM_TIME2), + X509_V_ERR_UNABLE_TO_GET_CRL); + X509_CRL_free(empty_idp_crl); + return r; +} + static int test_known_critical_crl(void) { X509_CRL *known_critical_crl = CRL_from_strings(kKnownCriticalCRL); @@ -379,7 +479,7 @@ static int test_known_critical_crl(void) r = TEST_ptr(known_critical_crl) && TEST_int_eq(verify(test_leaf, test_root, make_CRL_stack(known_critical_crl, NULL), - X509_V_FLAG_CRL_CHECK), X509_V_OK); + X509_V_FLAG_CRL_CHECK, PARAM_TIME), X509_V_OK); X509_CRL_free(known_critical_crl); return r; } @@ -392,7 +492,7 @@ static int test_unknown_critical_crl(int n) r = TEST_ptr(unknown_critical_crl) && TEST_int_eq(verify(test_leaf, test_root, make_CRL_stack(unknown_critical_crl, NULL), - X509_V_FLAG_CRL_CHECK), + X509_V_FLAG_CRL_CHECK, PARAM_TIME), X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION); X509_CRL_free(unknown_critical_crl); return r; @@ -412,7 +512,7 @@ static int test_reuse_crl(int idx) if (idx & 1) { if (!TEST_true(X509_CRL_up_ref(reused_crl))) goto err; - addref_crl = reused_crl; + addref_crl = reused_crl; } idx >>= 1; @@ -455,12 +555,15 @@ static int test_reuse_crl(int idx) int setup_tests(void) { if (!TEST_ptr(test_root = X509_from_strings(kCRLTestRoot)) - || !TEST_ptr(test_leaf = X509_from_strings(kCRLTestLeaf))) + || !TEST_ptr(test_leaf = X509_from_strings(kCRLTestLeaf)) + || !TEST_ptr(test_root2 = X509_from_strings(kCRLTestRoot2)) + || !TEST_ptr(test_leaf2 = X509_from_strings(kCRLTestLeaf2))) return 0; ADD_TEST(test_no_crl); ADD_TEST(test_basic_crl); ADD_TEST(test_bad_issuer_crl); + ADD_TEST(test_crl_empty_idp); ADD_TEST(test_known_critical_crl); ADD_ALL_TESTS(test_unknown_critical_crl, OSSL_NELEM(unknown_critical_crls)); ADD_ALL_TESTS(test_reuse_crl, 6); @@ -471,4 +574,6 @@ void cleanup_tests(void) { X509_free(test_root); X509_free(test_leaf); + X509_free(test_root2); + X509_free(test_leaf2); } diff --git a/crypto/openssl/test/evp_extra_test.c b/crypto/openssl/test/evp_extra_test.c index 2bcc2797aa69..aebf5c41d715 100644 --- a/crypto/openssl/test/evp_extra_test.c +++ b/crypto/openssl/test/evp_extra_test.c @@ -3938,6 +3938,48 @@ static int test_RSA_OAEP_set_null_label(void) return ret; } +static int test_RSA_encrypt(void) +{ + int ret = 0; + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *pctx = NULL; + unsigned char *cbuf = NULL, *pbuf = NULL; + size_t clen = 0, plen = 0; + + if (!TEST_ptr(pkey = load_example_rsa_key()) + || !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_pkey(testctx, + pkey, testpropq)) + || !TEST_int_gt(EVP_PKEY_encrypt_init(pctx), 0) + || !TEST_int_gt(EVP_PKEY_encrypt(pctx, cbuf, &clen, kMsg, sizeof(kMsg)), 0) + || !TEST_ptr(cbuf = OPENSSL_malloc(clen)) + || !TEST_int_gt(EVP_PKEY_encrypt(pctx, cbuf, &clen, kMsg, sizeof(kMsg)), 0)) + goto done; + + /* Require failure when the output buffer is too small */ + plen = clen - 1; + if (!TEST_int_le(EVP_PKEY_encrypt(pctx, cbuf, &plen, kMsg, sizeof(kMsg)), 0)) + goto done; + /* flush error stack */ + TEST_openssl_errors(); + + /* Check decryption of encrypted result */ + if (!TEST_int_gt(EVP_PKEY_decrypt_init(pctx), 0) + || !TEST_int_gt(EVP_PKEY_decrypt(pctx, pbuf, &plen, cbuf, clen), 0) + || !TEST_ptr(pbuf = OPENSSL_malloc(plen)) + || !TEST_int_gt(EVP_PKEY_decrypt(pctx, pbuf, &plen, cbuf, clen), 0) + || !TEST_mem_eq(pbuf, plen, kMsg, sizeof(kMsg)) + || !TEST_int_gt(EVP_PKEY_encrypt_init(pctx), 0)) + goto done; + + ret = 1; +done: + EVP_PKEY_CTX_free(pctx); + EVP_PKEY_free(pkey); + OPENSSL_free(cbuf); + OPENSSL_free(pbuf); + return ret; +} + #ifndef OPENSSL_NO_DEPRECATED_3_0 static int test_RSA_legacy(void) { @@ -6810,6 +6852,7 @@ int setup_tests(void) ADD_TEST(test_RSA_get_set_params); ADD_TEST(test_RSA_OAEP_set_get_params); ADD_TEST(test_RSA_OAEP_set_null_label); + ADD_TEST(test_RSA_encrypt); #ifndef OPENSSL_NO_DEPRECATED_3_0 ADD_TEST(test_RSA_legacy); #endif diff --git a/crypto/openssl/test/fake_rsaprov.c b/crypto/openssl/test/fake_rsaprov.c index c1b8e2828614..6ed121554336 100644 --- a/crypto/openssl/test/fake_rsaprov.c +++ b/crypto/openssl/test/fake_rsaprov.c @@ -1,5 +1,5 @@ /* - * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -9,12 +9,15 @@ */ #include <string.h> +#include <openssl/asn1.h> +#include <openssl/asn1t.h> #include <openssl/core_names.h> #include <openssl/core_object.h> #include <openssl/rand.h> #include <openssl/provider.h> #include "testutil.h" #include "fake_rsaprov.h" +#include "internal/asn1.h" static OSSL_FUNC_keymgmt_new_fn fake_rsa_keymgmt_new; static OSSL_FUNC_keymgmt_free_fn fake_rsa_keymgmt_free; @@ -32,6 +35,18 @@ static int exptypes_selection; static int query_id; static int key_deleted; +unsigned fake_rsa_query_operation_name = 0; + +typedef struct { + OSSL_LIB_CTX *libctx; +} PROV_FAKE_RSA_CTX; + +#define PROV_FAKE_RSA_LIBCTX_OF(provctx) (((PROV_FAKE_RSA_CTX *)provctx)->libctx) + +#define FAKE_RSA_STATUS_IMPORTED 1 +#define FAKE_RSA_STATUS_GENERATED 2 +#define FAKE_RSA_STATUS_DECODED 3 + struct fake_rsa_keydata { int selection; int status; @@ -77,7 +92,7 @@ static const char *fake_rsa_keymgmt_query(int id) /* record global for checking */ query_id = id; - return "RSA"; + return fake_rsa_query_operation_name ? NULL: "RSA"; } static int fake_rsa_keymgmt_import(void *keydata, int selection, @@ -86,7 +101,7 @@ static int fake_rsa_keymgmt_import(void *keydata, int selection, struct fake_rsa_keydata *fake_rsa_key = keydata; /* key was imported */ - fake_rsa_key->status = 1; + fake_rsa_key->status = FAKE_RSA_STATUS_IMPORTED; return 1; } @@ -219,11 +234,11 @@ static void *fake_rsa_keymgmt_load(const void *reference, size_t reference_sz) { struct fake_rsa_keydata *key = NULL; - if (reference_sz != sizeof(*key)) + if (reference_sz != sizeof(key)) return NULL; key = *(struct fake_rsa_keydata **)reference; - if (key->status != 1) + if (key->status != FAKE_RSA_STATUS_IMPORTED && key->status != FAKE_RSA_STATUS_DECODED) return NULL; /* detach the reference */ @@ -258,7 +273,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) if (!TEST_ptr(keydata = fake_rsa_keymgmt_new(NULL))) return NULL; - keydata->status = 2; + keydata->status = FAKE_RSA_STATUS_GENERATED; return keydata; } @@ -638,7 +653,7 @@ static int fake_rsa_st_load(void *loaderctx, /* The address of the key becomes the octet string */ params[2] = OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_REFERENCE, - &key, sizeof(*key)); + &key, sizeof(key)); params[3] = OSSL_PARAM_construct_end(); rv = object_cb(params, object_cbarg); *storectx = 1; @@ -702,6 +717,502 @@ static const OSSL_ALGORITHM fake_rsa_store_algs[] = { { NULL, NULL, NULL } }; +struct der2key_ctx_st; /* Forward declaration */ +typedef int check_key_fn(void *, struct der2key_ctx_st *ctx); +typedef void adjust_key_fn(void *, struct der2key_ctx_st *ctx); +typedef void free_key_fn(void *); +typedef void *d2i_PKCS8_fn(void **, const unsigned char **, long, + struct der2key_ctx_st *); +struct keytype_desc_st { + const char *keytype_name; + const OSSL_DISPATCH *fns; /* Keymgmt (to pilfer functions from) */ + + /* The input structure name */ + const char *structure_name; + + /* + * The EVP_PKEY_xxx type macro. Should be zero for type specific + * structures, non-zero when the outermost structure is PKCS#8 or + * SubjectPublicKeyInfo. This determines which of the function + * pointers below will be used. + */ + int evp_type; + + /* The selection mask for OSSL_FUNC_decoder_does_selection() */ + int selection_mask; + + /* For type specific decoders, we use the corresponding d2i */ + d2i_of_void *d2i_private_key; /* From type-specific DER */ + d2i_of_void *d2i_public_key; /* From type-specific DER */ + d2i_of_void *d2i_key_params; /* From type-specific DER */ + d2i_PKCS8_fn *d2i_PKCS8; /* Wrapped in a PrivateKeyInfo */ + d2i_of_void *d2i_PUBKEY; /* Wrapped in a SubjectPublicKeyInfo */ + + /* + * For any key, we may need to check that the key meets expectations. + * This is useful when the same functions can decode several variants + * of a key. + */ + check_key_fn *check_key; + + /* + * For any key, we may need to make provider specific adjustments, such + * as ensure the key carries the correct library context. + */ + adjust_key_fn *adjust_key; + /* {type}_free() */ + free_key_fn *free_key; +}; + +/* + * Start blatant code steal. Alternative: Open up d2i_X509_PUBKEY_INTERNAL + * as per https://github.com/openssl/openssl/issues/16697 (TBD) + * Code from openssl/crypto/x509/x_pubkey.c as + * ossl_d2i_X509_PUBKEY_INTERNAL is presently not public + */ +struct X509_pubkey_st { + X509_ALGOR *algor; + ASN1_BIT_STRING *public_key; + + EVP_PKEY *pkey; + + /* extra data for the callback, used by d2i_PUBKEY_ex */ + OSSL_LIB_CTX *libctx; + char *propq; +}; + +ASN1_SEQUENCE(X509_PUBKEY_INTERNAL) = { + ASN1_SIMPLE(X509_PUBKEY, algor, X509_ALGOR), + ASN1_SIMPLE(X509_PUBKEY, public_key, ASN1_BIT_STRING) +} static_ASN1_SEQUENCE_END_name(X509_PUBKEY, X509_PUBKEY_INTERNAL) + +static X509_PUBKEY *fake_rsa_d2i_X509_PUBKEY_INTERNAL(const unsigned char **pp, + long len, OSSL_LIB_CTX *libctx) +{ + X509_PUBKEY *xpub = OPENSSL_zalloc(sizeof(*xpub)); + + if (xpub == NULL) + return NULL; + return (X509_PUBKEY *)ASN1_item_d2i_ex((ASN1_VALUE **)&xpub, pp, len, + ASN1_ITEM_rptr(X509_PUBKEY_INTERNAL), + libctx, NULL); +} +/* end steal https://github.com/openssl/openssl/issues/16697 */ + +/* + * Context used for DER to key decoding. + */ +struct der2key_ctx_st { + PROV_FAKE_RSA_CTX *provctx; + struct keytype_desc_st *desc; + /* The selection that is passed to fake_rsa_der2key_decode() */ + int selection; + /* Flag used to signal that a failure is fatal */ + unsigned int flag_fatal : 1; +}; + +static int fake_rsa_read_der(PROV_FAKE_RSA_CTX *provctx, OSSL_CORE_BIO *cin, + unsigned char **data, long *len) +{ + BUF_MEM *mem = NULL; + BIO *in = BIO_new_from_core_bio(provctx->libctx, cin); + int ok = (asn1_d2i_read_bio(in, &mem) >= 0); + + if (ok) { + *data = (unsigned char *)mem->data; + *len = (long)mem->length; + OPENSSL_free(mem); + } + BIO_free(in); + return ok; +} + +typedef void *key_from_pkcs8_t(const PKCS8_PRIV_KEY_INFO *p8inf, + OSSL_LIB_CTX *libctx, const char *propq); +static void *fake_rsa_der2key_decode_p8(const unsigned char **input_der, + long input_der_len, struct der2key_ctx_st *ctx, + key_from_pkcs8_t *key_from_pkcs8) +{ + PKCS8_PRIV_KEY_INFO *p8inf = NULL; + const X509_ALGOR *alg = NULL; + void *key = NULL; + + if ((p8inf = d2i_PKCS8_PRIV_KEY_INFO(NULL, input_der, input_der_len)) != NULL + && PKCS8_pkey_get0(NULL, NULL, NULL, &alg, p8inf) + && OBJ_obj2nid(alg->algorithm) == ctx->desc->evp_type) + key = key_from_pkcs8(p8inf, PROV_FAKE_RSA_LIBCTX_OF(ctx->provctx), NULL); + PKCS8_PRIV_KEY_INFO_free(p8inf); + + return key; +} + +static struct fake_rsa_keydata *fake_rsa_d2i_PUBKEY(struct fake_rsa_keydata **a, + const unsigned char **pp, long length) +{ + struct fake_rsa_keydata *key = NULL; + X509_PUBKEY *xpk; + + xpk = fake_rsa_d2i_X509_PUBKEY_INTERNAL(pp, length, NULL); + if (xpk == NULL) + goto err_exit; + + key = fake_rsa_keymgmt_new(NULL); + if (key == NULL) + goto err_exit; + + key->status = FAKE_RSA_STATUS_DECODED; + + if (a != NULL) { + fake_rsa_keymgmt_free(*a); + *a = key; + } + +err_exit: + X509_PUBKEY_free(xpk); + return key; +} + +/* ---------------------------------------------------------------------- */ + +static OSSL_FUNC_decoder_freectx_fn der2key_freectx; +static OSSL_FUNC_decoder_decode_fn fake_rsa_der2key_decode; +static OSSL_FUNC_decoder_export_object_fn der2key_export_object; + +static struct der2key_ctx_st * +der2key_newctx(void *provctx, struct keytype_desc_st *desc, const char *tls_name) +{ + struct der2key_ctx_st *ctx = OPENSSL_zalloc(sizeof(*ctx)); + + if (ctx != NULL) { + ctx->provctx = provctx; + ctx->desc = desc; + if (desc->evp_type == 0) + ctx->desc->evp_type = OBJ_sn2nid(tls_name); + } + return ctx; +} + +static void der2key_freectx(void *vctx) +{ + struct der2key_ctx_st *ctx = vctx; + + OPENSSL_free(ctx); +} + +static int der2key_check_selection(int selection, + const struct keytype_desc_st *desc) +{ + /* + * The selections are kinda sorta "levels", i.e. each selection given + * here is assumed to include those following. + */ + int checks[] = { + OSSL_KEYMGMT_SELECT_PRIVATE_KEY, + OSSL_KEYMGMT_SELECT_PUBLIC_KEY, + OSSL_KEYMGMT_SELECT_ALL_PARAMETERS + }; + size_t i; + + /* The decoder implementations made here support guessing */ + if (selection == 0) + return 1; + + for (i = 0; i < OSSL_NELEM(checks); i++) { + int check1 = (selection & checks[i]) != 0; + int check2 = (desc->selection_mask & checks[i]) != 0; + + /* + * If the caller asked for the currently checked bit(s), return + * whether the decoder description says it's supported. + */ + if (check1) + return check2; + } + + /* This should be dead code, but just to be safe... */ + return 0; +} + +static int fake_rsa_der2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, + OSSL_CALLBACK *data_cb, void *data_cbarg, + OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) +{ + struct der2key_ctx_st *ctx = vctx; + unsigned char *der = NULL; + const unsigned char *derp; + long der_len = 0; + void *key = NULL; + int ok = 0; + + ctx->selection = selection; + /* + * The caller is allowed to specify 0 as a selection mark, to have the + * structure and key type guessed. For type-specific structures, this + * is not recommended, as some structures are very similar. + * Note that 0 isn't the same as OSSL_KEYMGMT_SELECT_ALL, as the latter + * signifies a private key structure, where everything else is assumed + * to be present as well. + */ + if (selection == 0) + selection = ctx->desc->selection_mask; + if ((selection & ctx->desc->selection_mask) == 0) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_INVALID_ARGUMENT); + return 0; + } + + ok = fake_rsa_read_der(ctx->provctx, cin, &der, &der_len); + if (!ok) + goto next; + + ok = 0; /* Assume that we fail */ + + if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { + derp = der; + if (ctx->desc->d2i_PKCS8 != NULL) { + key = ctx->desc->d2i_PKCS8(NULL, &derp, der_len, ctx); + if (ctx->flag_fatal) + goto end; + } else if (ctx->desc->d2i_private_key != NULL) { + key = ctx->desc->d2i_private_key(NULL, &derp, der_len); + } + if (key == NULL && ctx->selection != 0) + goto next; + } + if (key == NULL && (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { + derp = der; + if (ctx->desc->d2i_PUBKEY != NULL) + key = ctx->desc->d2i_PUBKEY(NULL, &derp, der_len); + else + key = ctx->desc->d2i_public_key(NULL, &derp, der_len); + if (key == NULL && ctx->selection != 0) + goto next; + } + if (key == NULL && (selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0) { + derp = der; + if (ctx->desc->d2i_key_params != NULL) + key = ctx->desc->d2i_key_params(NULL, &derp, der_len); + if (key == NULL && ctx->selection != 0) + goto next; + } + + /* + * Last minute check to see if this was the correct type of key. This + * should never lead to a fatal error, i.e. the decoding itself was + * correct, it was just an unexpected key type. This is generally for + * classes of key types that have subtle variants, like RSA-PSS keys as + * opposed to plain RSA keys. + */ + if (key != NULL + && ctx->desc->check_key != NULL + && !ctx->desc->check_key(key, ctx)) { + ctx->desc->free_key(key); + key = NULL; + } + + if (key != NULL && ctx->desc->adjust_key != NULL) + ctx->desc->adjust_key(key, ctx); + + next: + /* + * Indicated that we successfully decoded something, or not at all. + * Ending up "empty handed" is not an error. + */ + ok = 1; + + /* + * We free memory here so it's not held up during the callback, because + * we know the process is recursive and the allocated chunks of memory + * add up. + */ + OPENSSL_free(der); + der = NULL; + + if (key != NULL) { + OSSL_PARAM params[4]; + int object_type = OSSL_OBJECT_PKEY; + + params[0] = + OSSL_PARAM_construct_int(OSSL_OBJECT_PARAM_TYPE, &object_type); + params[1] = + OSSL_PARAM_construct_utf8_string(OSSL_OBJECT_PARAM_DATA_TYPE, + (char *)ctx->desc->keytype_name, + 0); + /* The address of the key becomes the octet string */ + params[2] = + OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_REFERENCE, + &key, sizeof(key)); + params[3] = OSSL_PARAM_construct_end(); + + ok = data_cb(params, data_cbarg); + } + + end: + ctx->desc->free_key(key); + OPENSSL_free(der); + + return ok; +} + +static OSSL_FUNC_keymgmt_export_fn * +fake_rsa_prov_get_keymgmt_export(const OSSL_DISPATCH *fns) +{ + /* Pilfer the keymgmt dispatch table */ + for (; fns->function_id != 0; fns++) + if (fns->function_id == OSSL_FUNC_KEYMGMT_EXPORT) + return OSSL_FUNC_keymgmt_export(fns); + + return NULL; +} + +static int der2key_export_object(void *vctx, + const void *reference, size_t reference_sz, + OSSL_CALLBACK *export_cb, void *export_cbarg) +{ + struct der2key_ctx_st *ctx = vctx; + OSSL_FUNC_keymgmt_export_fn *export = fake_rsa_prov_get_keymgmt_export(ctx->desc->fns); + void *keydata; + + if (reference_sz == sizeof(keydata) && export != NULL) { + /* The contents of the reference is the address to our object */ + keydata = *(void **)reference; + + return export(keydata, ctx->selection, export_cb, export_cbarg); + } + return 0; +} + +/* ---------------------------------------------------------------------- */ + +static struct fake_rsa_keydata *fake_rsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf, + OSSL_LIB_CTX *libctx, const char *propq) +{ + struct fake_rsa_keydata *key = fake_rsa_keymgmt_new(NULL); + + if (key) + key->status = FAKE_RSA_STATUS_DECODED; + return key; +} + +#define rsa_evp_type EVP_PKEY_RSA + +static void *fake_rsa_d2i_PKCS8(void **key, const unsigned char **der, long der_len, + struct der2key_ctx_st *ctx) +{ + return fake_rsa_der2key_decode_p8(der, der_len, ctx, + (key_from_pkcs8_t *)fake_rsa_key_from_pkcs8); +} + +static void fake_rsa_key_adjust(void *key, struct der2key_ctx_st *ctx) +{ +} + +/* ---------------------------------------------------------------------- */ + +#define DO_PrivateKeyInfo(keytype) \ + "PrivateKeyInfo", keytype##_evp_type, \ + (OSSL_KEYMGMT_SELECT_PRIVATE_KEY), \ + NULL, \ + NULL, \ + NULL, \ + fake_rsa_d2i_PKCS8, \ + NULL, \ + NULL, \ + fake_rsa_key_adjust, \ + (free_key_fn *)fake_rsa_keymgmt_free + +#define DO_SubjectPublicKeyInfo(keytype) \ + "SubjectPublicKeyInfo", keytype##_evp_type, \ + (OSSL_KEYMGMT_SELECT_PUBLIC_KEY), \ + NULL, \ + NULL, \ + NULL, \ + NULL, \ + (d2i_of_void *)fake_rsa_d2i_PUBKEY, \ + NULL, \ + fake_rsa_key_adjust, \ + (free_key_fn *)fake_rsa_keymgmt_free + +/* + * MAKE_DECODER is the single driver for creating OSSL_DISPATCH tables. + * It takes the following arguments: + * + * keytype_name The implementation key type as a string. + * keytype The implementation key type. This must correspond exactly + * to our existing keymgmt keytype names... in other words, + * there must exist an ossl_##keytype##_keymgmt_functions. + * type The type name for the set of functions that implement the + * decoder for the key type. This isn't necessarily the same + * as keytype. For example, the key types ed25519, ed448, + * x25519 and x448 are all handled by the same functions with + * the common type name ecx. + * kind The kind of support to implement. This translates into + * the DO_##kind macros above, to populate the keytype_desc_st + * structure. + */ +#define MAKE_DECODER(keytype_name, keytype, type, kind) \ + static struct keytype_desc_st kind##_##keytype##_desc = \ + { keytype_name, fake_rsa_keymgmt_funcs, \ + DO_##kind(keytype) }; \ + \ + static OSSL_FUNC_decoder_newctx_fn kind##_der2##keytype##_newctx; \ + \ + static void *kind##_der2##keytype##_newctx(void *provctx) \ + { \ + return der2key_newctx(provctx, &kind##_##keytype##_desc, keytype_name);\ + } \ + static int kind##_der2##keytype##_does_selection(void *provctx, \ + int selection) \ + { \ + return der2key_check_selection(selection, \ + &kind##_##keytype##_desc); \ + } \ + static const OSSL_DISPATCH \ + fake_rsa_##kind##_der_to_##keytype##_decoder_functions[] = { \ + { OSSL_FUNC_DECODER_NEWCTX, \ + (void (*)(void))kind##_der2##keytype##_newctx }, \ + { OSSL_FUNC_DECODER_FREECTX, \ + (void (*)(void))der2key_freectx }, \ + { OSSL_FUNC_DECODER_DOES_SELECTION, \ + (void (*)(void))kind##_der2##keytype##_does_selection }, \ + { OSSL_FUNC_DECODER_DECODE, \ + (void (*)(void))fake_rsa_der2key_decode }, \ + { OSSL_FUNC_DECODER_EXPORT_OBJECT, \ + (void (*)(void))der2key_export_object }, \ + OSSL_DISPATCH_END \ + } + +MAKE_DECODER("RSA", rsa, rsa, PrivateKeyInfo); +MAKE_DECODER("RSA", rsa, rsa, SubjectPublicKeyInfo); + +static const OSSL_ALGORITHM fake_rsa_decoder_algs[] = { +#define DECODER_PROVIDER "fake-rsa" +#define DECODER_STRUCTURE_SubjectPublicKeyInfo "SubjectPublicKeyInfo" +#define DECODER_STRUCTURE_PrivateKeyInfo "PrivateKeyInfo" + +/* Arguments are prefixed with '_' to avoid build breaks on certain platforms */ +/* + * Obviously this is not FIPS approved, but in order to test in conjunction + * with the FIPS provider we pretend that it is. + */ + +#define DECODER(_name, _input, _output) \ + { _name, \ + "provider=" DECODER_PROVIDER ",fips=yes,input=" #_input, \ + (fake_rsa_##_input##_to_##_output##_decoder_functions) \ + } +#define DECODER_w_structure(_name, _input, _structure, _output) \ + { _name, \ + "provider=" DECODER_PROVIDER ",fips=yes,input=" #_input \ + ",structure=" DECODER_STRUCTURE_##_structure, \ + (fake_rsa_##_structure##_##_input##_to_##_output##_decoder_functions) \ + } + +DECODER_w_structure("RSA:rsaEncryption", der, PrivateKeyInfo, rsa), +DECODER_w_structure("RSA:rsaEncryption", der, SubjectPublicKeyInfo, rsa), +#undef DECODER_PROVIDER + { NULL, NULL, NULL } +}; + static const OSSL_ALGORITHM *fake_rsa_query(void *provctx, int operation_id, int *no_cache) @@ -716,13 +1227,24 @@ static const OSSL_ALGORITHM *fake_rsa_query(void *provctx, case OSSL_OP_STORE: return fake_rsa_store_algs; + + case OSSL_OP_DECODER: + return fake_rsa_decoder_algs; } return NULL; } +static void fake_rsa_prov_teardown(void *provctx) +{ + PROV_FAKE_RSA_CTX *pctx = (PROV_FAKE_RSA_CTX *)provctx; + + OSSL_LIB_CTX_free(pctx->libctx); + OPENSSL_free(pctx); +} + /* Functions we provide to the core */ static const OSSL_DISPATCH fake_rsa_method[] = { - { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))OSSL_LIB_CTX_free }, + { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))fake_rsa_prov_teardown }, { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))fake_rsa_query }, OSSL_DISPATCH_END }; @@ -731,8 +1253,20 @@ static int fake_rsa_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in, const OSSL_DISPATCH **out, void **provctx) { - if (!TEST_ptr(*provctx = OSSL_LIB_CTX_new())) + OSSL_LIB_CTX *libctx; + PROV_FAKE_RSA_CTX *prov_ctx; + + if (!TEST_ptr(libctx = OSSL_LIB_CTX_new_from_dispatch(handle, in))) return 0; + + if (!TEST_ptr(prov_ctx = OPENSSL_malloc(sizeof(*prov_ctx)))) { + OSSL_LIB_CTX_free(libctx); + return 0; + } + + prov_ctx->libctx = libctx; + + *provctx = prov_ctx; *out = fake_rsa_method; return 1; } diff --git a/crypto/openssl/test/fake_rsaprov.h b/crypto/openssl/test/fake_rsaprov.h index cb2e66eb68ef..00e7dccb4872 100644 --- a/crypto/openssl/test/fake_rsaprov.h +++ b/crypto/openssl/test/fake_rsaprov.h @@ -1,5 +1,5 @@ /* - * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -14,5 +14,14 @@ /* Fake RSA provider implementation */ OSSL_PROVIDER *fake_rsa_start(OSSL_LIB_CTX *libctx); void fake_rsa_finish(OSSL_PROVIDER *p); + OSSL_PARAM *fake_rsa_key_params(int priv); void fake_rsa_restore_store_state(void); + +/* + * When fake_rsa_query_operation_name is set to a non-zero value, + * query_operation_name() will return NULL. + * + * By default, it is 0, in which case query_operation_name() will return "RSA". + */ +extern unsigned fake_rsa_query_operation_name; diff --git a/crypto/openssl/test/ml_kem_evp_extra_test.c b/crypto/openssl/test/ml_kem_evp_extra_test.c index bfa52c9af2e6..b867b14ad1d4 100644 --- a/crypto/openssl/test/ml_kem_evp_extra_test.c +++ b/crypto/openssl/test/ml_kem_evp_extra_test.c @@ -140,9 +140,19 @@ static int test_ml_kem(void) if (!TEST_int_gt(EVP_PKEY_copy_parameters(bkey, akey), 0)) goto err; + /* Bob's empty key is not equal to Alice's */ + if (!TEST_false(EVP_PKEY_eq(akey, bkey)) + || !TEST_false(EVP_PKEY_eq(bkey, akey))) + goto err; + if (!TEST_true(EVP_PKEY_set1_encoded_public_key(bkey, rawpub, publen))) goto err; + /* Bob's copy of Alice's public key makes the two equal */ + if (!TEST_true(EVP_PKEY_eq(akey, bkey)) + || !TEST_true(EVP_PKEY_eq(bkey, akey))) + goto err; + /* Encapsulate Bob's key */ ctx = EVP_PKEY_CTX_new_from_pkey(testctx, bkey, NULL); if (!TEST_ptr(ctx)) diff --git a/crypto/openssl/test/ml_kem_internal_test.c b/crypto/openssl/test/ml_kem_internal_test.c index bb745a2afc1a..c8c4cdf6f4d0 100644 --- a/crypto/openssl/test/ml_kem_internal_test.c +++ b/crypto/openssl/test/ml_kem_internal_test.c @@ -107,8 +107,10 @@ static int sanity_test(void) return 0; if (!TEST_ptr(privctx = RAND_get0_private(NULL)) - || !TEST_ptr(pubctx = RAND_get0_public(NULL))) - return 0; + || !TEST_ptr(pubctx = RAND_get0_public(NULL))) { + ret = -1; + goto err; + } decap_entropy = ml_kem_public_entropy + ML_KEM_RANDOM_BYTES; @@ -134,8 +136,10 @@ static int sanity_test(void) params[1] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH, &strength); params[2] = OSSL_PARAM_construct_end(); - if (!TEST_true(EVP_RAND_CTX_set_params(privctx, params))) - return 0; + if (!TEST_true(EVP_RAND_CTX_set_params(privctx, params))) { + ret = -1; + goto err; + } public_key = ossl_ml_kem_key_new(NULL, NULL, alg[i]); private_key = ossl_ml_kem_key_new(NULL, NULL, alg[i]); @@ -254,6 +258,8 @@ static int sanity_test(void) OPENSSL_free(encoded_public_key); OPENSSL_free(ciphertext); } + +err: EVP_MD_free(sha256); return ret == 0; } diff --git a/crypto/openssl/test/property_test.c b/crypto/openssl/test/property_test.c index 18f8cc8740e0..e62ff247c42c 100644 --- a/crypto/openssl/test/property_test.c +++ b/crypto/openssl/test/property_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -687,6 +687,22 @@ static int test_property_list_to_string(int i) return ret; } +static int test_property_list_to_string_bounds(void) +{ + OSSL_PROPERTY_LIST *pl = NULL; + char buf[16]; + int ret = 0; + + if (!TEST_ptr(pl = ossl_parse_query(NULL, "provider='$1'", 1))) + goto err; + if (!TEST_size_t_eq(ossl_property_list_to_string(NULL, pl, buf, 10), 14)) + goto err; + ret = 1; + err: + ossl_property_free(pl); + return ret; +} + int setup_tests(void) { ADD_TEST(test_property_string); @@ -701,5 +717,6 @@ int setup_tests(void) ADD_TEST(test_query_cache_stochastic); ADD_TEST(test_fips_mode); ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests)); + ADD_TEST(test_property_list_to_string_bounds); return 1; } diff --git a/crypto/openssl/test/provider_pkey_test.c b/crypto/openssl/test/provider_pkey_test.c index 4abbdd33ec4d..9ffe3581d62a 100644 --- a/crypto/openssl/test/provider_pkey_test.c +++ b/crypto/openssl/test/provider_pkey_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -239,6 +239,77 @@ end: return ret; } +static int test_pkey_can_sign(void) +{ + OSSL_PROVIDER *fake_rsa = NULL; + EVP_PKEY *pkey_fake = NULL; + EVP_PKEY_CTX *ctx = NULL; + OSSL_PARAM *params = NULL; + int ret = 0; + + if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx))) + return 0; + + /* + * Ensure other tests did not forget to reset fake_rsa_query_operation_name + * to its default value: 0 + */ + if (!TEST_int_eq(fake_rsa_query_operation_name, 0)) + goto end; + + if (!TEST_ptr(params = fake_rsa_key_params(0)) + || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", + "provider=fake-rsa")) + || !TEST_true(EVP_PKEY_fromdata_init(ctx)) + || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_fake, EVP_PKEY_PUBLIC_KEY, + params)) + || !TEST_true(EVP_PKEY_can_sign(pkey_fake)) + || !TEST_ptr(pkey_fake)) + goto end; + + EVP_PKEY_CTX_free(ctx); + ctx = NULL; + EVP_PKEY_free(pkey_fake); + pkey_fake = NULL; + OSSL_PARAM_free(params); + params = NULL; + + /* + * Documented behavior for OSSL_FUNC_keymgmt_query_operation_name() + * allows it to return NULL, in which case the fallback should be to use + * EVP_KEYMGMT_get0_name(). That is exactly the thing we are testing here. + */ + fake_rsa_query_operation_name = 1; + + if (!TEST_ptr(params = fake_rsa_key_params(0)) + || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", + "provider=fake-rsa")) + || !TEST_true(EVP_PKEY_fromdata_init(ctx)) + || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_fake, EVP_PKEY_PUBLIC_KEY, + params)) + || !TEST_true(EVP_PKEY_can_sign(pkey_fake)) + || !TEST_ptr(pkey_fake)) + goto end; + + EVP_PKEY_CTX_free(ctx); + ctx = NULL; + EVP_PKEY_free(pkey_fake); + pkey_fake = NULL; + OSSL_PARAM_free(params); + params = NULL; + + ret = 1; +end: + + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey_fake); + OSSL_PARAM_free(params); + fake_rsa_query_operation_name = 0; + + fake_rsa_finish(fake_rsa); + return ret; +} + static int test_pkey_store(int idx) { OSSL_PROVIDER *deflt = NULL; @@ -424,6 +495,292 @@ end: return ret; } +#define DEFAULT_PROVIDER_IDX 0 +#define FAKE_RSA_PROVIDER_IDX 1 + +static int reset_ctx_providers(OSSL_LIB_CTX **ctx, OSSL_PROVIDER *providers[2], const char *prop) +{ + OSSL_PROVIDER_unload(providers[DEFAULT_PROVIDER_IDX]); + providers[DEFAULT_PROVIDER_IDX] = NULL; + fake_rsa_finish(providers[FAKE_RSA_PROVIDER_IDX]); + providers[FAKE_RSA_PROVIDER_IDX] = NULL; + OSSL_LIB_CTX_free(*ctx); + *ctx = NULL; + + if (!TEST_ptr(*ctx = OSSL_LIB_CTX_new()) + || !TEST_ptr(providers[DEFAULT_PROVIDER_IDX] = OSSL_PROVIDER_load(*ctx, "default")) + || !TEST_ptr(providers[FAKE_RSA_PROVIDER_IDX] = fake_rsa_start(*ctx)) + || !TEST_true(EVP_set_default_properties(*ctx, prop))) + return 0; + return 1; +} + +struct test_pkey_decoder_properties_t { + const char *provider_props; + const char *explicit_props; + int curr_provider_idx; +}; + +static int test_pkey_provider_decoder_props(void) +{ + OSSL_LIB_CTX *my_libctx = NULL; + OSSL_PROVIDER *providers[2] = { NULL }; + struct test_pkey_decoder_properties_t properties_test[] = { + { "?provider=fake-rsa", NULL, FAKE_RSA_PROVIDER_IDX }, + { "?provider=default", NULL, DEFAULT_PROVIDER_IDX }, + { NULL, "?provider=fake-rsa", FAKE_RSA_PROVIDER_IDX }, + { NULL, "?provider=default", DEFAULT_PROVIDER_IDX }, + { NULL, "provider=fake-rsa", FAKE_RSA_PROVIDER_IDX }, + { NULL, "provider=default", DEFAULT_PROVIDER_IDX }, + }; + EVP_PKEY *pkey = NULL; + BIO *bio_priv = NULL; + unsigned char *encoded_pub = NULL; + int len_pub; + const unsigned char *p; + PKCS8_PRIV_KEY_INFO *p8 = NULL; + size_t i; + int ret = 0; + const char pem_rsa_priv_key[] = { + 0x2D, 0x2D, 0x2D, 0x2D, 0x2D, 0x42, 0x45, 0x47, 0x49, 0x4E, 0x20, 0x50, + 0x52, 0x49, 0x56, 0x41, 0x54, 0x45, 0x20, 0x4B, 0x45, 0x59, 0x2D, 0x2D, + 0x2D, 0x2D, 0x2D, 0x0A, 0x4D, 0x49, 0x49, 0x45, 0x76, 0x51, 0x49, 0x42, + 0x41, 0x44, 0x41, 0x4E, 0x42, 0x67, 0x6B, 0x71, 0x68, 0x6B, 0x69, 0x47, + 0x39, 0x77, 0x30, 0x42, 0x41, 0x51, 0x45, 0x46, 0x41, 0x41, 0x53, 0x43, + 0x42, 0x4B, 0x63, 0x77, 0x67, 0x67, 0x53, 0x6A, 0x41, 0x67, 0x45, 0x41, + 0x41, 0x6F, 0x49, 0x42, 0x41, 0x51, 0x44, 0x45, 0x6B, 0x43, 0x34, 0x5A, + 0x57, 0x76, 0x33, 0x75, 0x63, 0x46, 0x62, 0x55, 0x0A, 0x46, 0x38, 0x59, + 0x77, 0x6C, 0x55, 0x72, 0x6D, 0x51, 0x6C, 0x4C, 0x43, 0x5A, 0x77, 0x41, + 0x67, 0x72, 0x34, 0x44, 0x50, 0x55, 0x41, 0x46, 0x56, 0x48, 0x6C, 0x2B, + 0x77, 0x46, 0x63, 0x58, 0x79, 0x70, 0x56, 0x67, 0x53, 0x63, 0x56, 0x59, + 0x34, 0x4B, 0x37, 0x51, 0x6D, 0x64, 0x57, 0x4B, 0x73, 0x59, 0x71, 0x62, + 0x38, 0x74, 0x70, 0x4F, 0x78, 0x71, 0x77, 0x30, 0x4E, 0x77, 0x5A, 0x57, + 0x58, 0x0A, 0x4F, 0x2B, 0x74, 0x61, 0x34, 0x2B, 0x79, 0x32, 0x37, 0x43, + 0x4F, 0x75, 0x66, 0x6F, 0x4F, 0x68, 0x52, 0x54, 0x4D, 0x77, 0x4E, 0x79, + 0x4E, 0x32, 0x4C, 0x77, 0x53, 0x4E, 0x54, 0x50, 0x4E, 0x33, 0x65, 0x45, + 0x6B, 0x34, 0x65, 0x65, 0x35, 0x51, 0x6E, 0x70, 0x70, 0x45, 0x79, 0x44, + 0x72, 0x71, 0x6F, 0x43, 0x67, 0x76, 0x54, 0x6C, 0x41, 0x41, 0x64, 0x54, + 0x6F, 0x46, 0x61, 0x58, 0x76, 0x6A, 0x0A, 0x78, 0x31, 0x33, 0x59, 0x62, + 0x6A, 0x37, 0x6A, 0x66, 0x68, 0x77, 0x4E, 0x37, 0x34, 0x71, 0x4B, 0x64, + 0x71, 0x73, 0x53, 0x45, 0x74, 0x50, 0x57, 0x79, 0x67, 0x67, 0x65, 0x6F, + 0x74, 0x69, 0x51, 0x53, 0x50, 0x79, 0x36, 0x4B, 0x79, 0x42, 0x49, 0x75, + 0x57, 0x74, 0x49, 0x78, 0x50, 0x41, 0x41, 0x38, 0x6A, 0x41, 0x76, 0x66, + 0x41, 0x6E, 0x51, 0x6A, 0x31, 0x65, 0x58, 0x68, 0x67, 0x68, 0x46, 0x0A, + 0x4E, 0x32, 0x4E, 0x78, 0x6B, 0x71, 0x67, 0x78, 0x76, 0x42, 0x59, 0x64, + 0x4E, 0x79, 0x31, 0x6D, 0x33, 0x2B, 0x6A, 0x58, 0x41, 0x43, 0x50, 0x4C, + 0x52, 0x7A, 0x63, 0x31, 0x31, 0x5A, 0x62, 0x4E, 0x48, 0x4B, 0x69, 0x77, + 0x68, 0x43, 0x59, 0x31, 0x2F, 0x48, 0x69, 0x53, 0x42, 0x6B, 0x77, 0x48, + 0x6C, 0x49, 0x4B, 0x2B, 0x2F, 0x56, 0x4C, 0x6A, 0x32, 0x73, 0x6D, 0x43, + 0x4B, 0x64, 0x55, 0x51, 0x0A, 0x67, 0x76, 0x4C, 0x58, 0x53, 0x6E, 0x6E, + 0x56, 0x67, 0x51, 0x75, 0x6C, 0x48, 0x69, 0x6F, 0x44, 0x36, 0x55, 0x67, + 0x59, 0x38, 0x78, 0x41, 0x32, 0x61, 0x34, 0x4D, 0x31, 0x72, 0x68, 0x59, + 0x75, 0x54, 0x56, 0x38, 0x42, 0x72, 0x50, 0x52, 0x5A, 0x34, 0x42, 0x46, + 0x78, 0x32, 0x6F, 0x30, 0x6A, 0x59, 0x57, 0x76, 0x47, 0x62, 0x41, 0x2F, + 0x48, 0x6C, 0x70, 0x37, 0x66, 0x54, 0x4F, 0x79, 0x2B, 0x0A, 0x46, 0x35, + 0x4F, 0x6B, 0x69, 0x48, 0x53, 0x37, 0x41, 0x67, 0x4D, 0x42, 0x41, 0x41, + 0x45, 0x43, 0x67, 0x67, 0x45, 0x41, 0x59, 0x67, 0x43, 0x75, 0x38, 0x31, + 0x5A, 0x69, 0x51, 0x42, 0x56, 0x44, 0x76, 0x57, 0x69, 0x44, 0x47, 0x4B, + 0x72, 0x2B, 0x31, 0x70, 0x49, 0x66, 0x32, 0x43, 0x78, 0x70, 0x72, 0x47, + 0x4A, 0x45, 0x6D, 0x31, 0x68, 0x38, 0x36, 0x5A, 0x63, 0x45, 0x78, 0x33, + 0x4C, 0x37, 0x0A, 0x71, 0x46, 0x44, 0x57, 0x2B, 0x67, 0x38, 0x48, 0x47, + 0x57, 0x64, 0x30, 0x34, 0x53, 0x33, 0x71, 0x76, 0x68, 0x39, 0x4C, 0x75, + 0x62, 0x6C, 0x41, 0x4A, 0x7A, 0x65, 0x74, 0x41, 0x50, 0x78, 0x52, 0x58, + 0x4C, 0x39, 0x7A, 0x78, 0x33, 0x50, 0x58, 0x6A, 0x4A, 0x5A, 0x73, 0x37, + 0x65, 0x33, 0x48, 0x4C, 0x45, 0x75, 0x6E, 0x79, 0x33, 0x54, 0x61, 0x57, + 0x65, 0x7A, 0x30, 0x58, 0x49, 0x30, 0x4F, 0x0A, 0x34, 0x4C, 0x53, 0x59, + 0x38, 0x53, 0x38, 0x64, 0x36, 0x70, 0x56, 0x42, 0x50, 0x6D, 0x55, 0x45, + 0x74, 0x77, 0x47, 0x57, 0x4E, 0x34, 0x76, 0x59, 0x71, 0x48, 0x6E, 0x4B, + 0x4C, 0x58, 0x4F, 0x62, 0x34, 0x51, 0x51, 0x41, 0x58, 0x73, 0x34, 0x4D, + 0x7A, 0x66, 0x6B, 0x4D, 0x2F, 0x4D, 0x65, 0x2F, 0x62, 0x2B, 0x7A, 0x64, + 0x75, 0x31, 0x75, 0x6D, 0x77, 0x6A, 0x4D, 0x6C, 0x33, 0x44, 0x75, 0x64, + 0x0A, 0x35, 0x72, 0x56, 0x68, 0x6B, 0x67, 0x76, 0x74, 0x38, 0x75, 0x68, + 0x44, 0x55, 0x47, 0x33, 0x58, 0x53, 0x48, 0x65, 0x6F, 0x4A, 0x59, 0x42, + 0x4D, 0x62, 0x54, 0x39, 0x69, 0x6B, 0x4A, 0x44, 0x56, 0x4D, 0x4A, 0x35, + 0x31, 0x72, 0x72, 0x65, 0x2F, 0x31, 0x52, 0x69, 0x64, 0x64, 0x67, 0x78, + 0x70, 0x38, 0x53, 0x6B, 0x74, 0x56, 0x6B, 0x76, 0x47, 0x6D, 0x4D, 0x6C, + 0x39, 0x6B, 0x51, 0x52, 0x38, 0x0A, 0x38, 0x64, 0x76, 0x33, 0x50, 0x78, + 0x2F, 0x6B, 0x54, 0x4E, 0x39, 0x34, 0x45, 0x75, 0x52, 0x67, 0x30, 0x43, + 0x6B, 0x58, 0x42, 0x68, 0x48, 0x70, 0x6F, 0x47, 0x6F, 0x34, 0x71, 0x6E, + 0x4D, 0x33, 0x51, 0x33, 0x42, 0x35, 0x50, 0x6C, 0x6D, 0x53, 0x4B, 0x35, + 0x67, 0x6B, 0x75, 0x50, 0x76, 0x57, 0x79, 0x39, 0x6C, 0x38, 0x4C, 0x2F, + 0x54, 0x56, 0x74, 0x38, 0x4C, 0x62, 0x36, 0x2F, 0x7A, 0x4C, 0x0A, 0x42, + 0x79, 0x51, 0x57, 0x2B, 0x67, 0x30, 0x32, 0x77, 0x78, 0x65, 0x4E, 0x47, + 0x68, 0x77, 0x31, 0x66, 0x6B, 0x44, 0x2B, 0x58, 0x46, 0x48, 0x37, 0x4B, + 0x6B, 0x53, 0x65, 0x57, 0x6C, 0x2B, 0x51, 0x6E, 0x72, 0x4C, 0x63, 0x65, + 0x50, 0x4D, 0x30, 0x68, 0x51, 0x4B, 0x42, 0x67, 0x51, 0x44, 0x78, 0x6F, + 0x71, 0x55, 0x6B, 0x30, 0x50, 0x4C, 0x4F, 0x59, 0x35, 0x57, 0x67, 0x4F, + 0x6B, 0x67, 0x72, 0x0A, 0x75, 0x6D, 0x67, 0x69, 0x65, 0x2F, 0x4B, 0x31, + 0x57, 0x4B, 0x73, 0x2B, 0x69, 0x7A, 0x54, 0x74, 0x41, 0x70, 0x6A, 0x7A, + 0x63, 0x4D, 0x37, 0x36, 0x73, 0x7A, 0x61, 0x36, 0x33, 0x62, 0x35, 0x52, + 0x39, 0x77, 0x2B, 0x50, 0x2B, 0x4E, 0x73, 0x73, 0x4D, 0x56, 0x34, 0x61, + 0x65, 0x56, 0x39, 0x65, 0x70, 0x45, 0x47, 0x5A, 0x4F, 0x36, 0x38, 0x49, + 0x55, 0x6D, 0x69, 0x30, 0x51, 0x6A, 0x76, 0x51, 0x0A, 0x6E, 0x70, 0x6C, + 0x75, 0x51, 0x6F, 0x61, 0x64, 0x46, 0x59, 0x77, 0x65, 0x46, 0x77, 0x53, + 0x51, 0x31, 0x31, 0x42, 0x58, 0x48, 0x6F, 0x65, 0x51, 0x42, 0x41, 0x34, + 0x6E, 0x4E, 0x70, 0x6B, 0x72, 0x56, 0x35, 0x38, 0x68, 0x67, 0x7A, 0x5A, + 0x4E, 0x33, 0x6D, 0x39, 0x4A, 0x4C, 0x52, 0x37, 0x4A, 0x78, 0x79, 0x72, + 0x49, 0x71, 0x58, 0x73, 0x52, 0x6E, 0x55, 0x7A, 0x6C, 0x31, 0x33, 0x4B, + 0x6A, 0x0A, 0x47, 0x7A, 0x5A, 0x42, 0x43, 0x4A, 0x78, 0x43, 0x70, 0x4A, + 0x6A, 0x66, 0x54, 0x7A, 0x65, 0x2F, 0x79, 0x6D, 0x65, 0x38, 0x64, 0x33, + 0x70, 0x61, 0x35, 0x51, 0x4B, 0x42, 0x67, 0x51, 0x44, 0x51, 0x50, 0x35, + 0x6D, 0x42, 0x34, 0x6A, 0x49, 0x2B, 0x67, 0x33, 0x58, 0x48, 0x33, 0x4D, + 0x75, 0x4C, 0x79, 0x42, 0x6A, 0x4D, 0x6F, 0x54, 0x49, 0x76, 0x6F, 0x79, + 0x37, 0x43, 0x59, 0x4D, 0x68, 0x5A, 0x0A, 0x36, 0x2F, 0x2B, 0x4B, 0x6B, + 0x70, 0x77, 0x31, 0x33, 0x32, 0x4A, 0x31, 0x36, 0x6D, 0x71, 0x6B, 0x4C, + 0x72, 0x77, 0x55, 0x4F, 0x5A, 0x66, 0x54, 0x30, 0x65, 0x31, 0x72, 0x4A, + 0x42, 0x73, 0x43, 0x55, 0x6B, 0x45, 0x6F, 0x42, 0x6D, 0x67, 0x4B, 0x4E, + 0x74, 0x52, 0x6B, 0x48, 0x6F, 0x33, 0x2F, 0x53, 0x6A, 0x55, 0x49, 0x2F, + 0x39, 0x66, 0x48, 0x6A, 0x33, 0x75, 0x53, 0x74, 0x50, 0x48, 0x56, 0x0A, + 0x6F, 0x50, 0x63, 0x66, 0x58, 0x6A, 0x2F, 0x67, 0x46, 0x52, 0x55, 0x6B, + 0x44, 0x44, 0x7A, 0x59, 0x2B, 0x61, 0x75, 0x42, 0x33, 0x64, 0x48, 0x4F, + 0x4E, 0x46, 0x31, 0x55, 0x31, 0x7A, 0x30, 0x36, 0x45, 0x41, 0x4E, 0x6B, + 0x6B, 0x50, 0x43, 0x43, 0x33, 0x61, 0x35, 0x33, 0x38, 0x55, 0x41, 0x4E, + 0x42, 0x49, 0x61, 0x50, 0x6A, 0x77, 0x70, 0x52, 0x64, 0x42, 0x7A, 0x4E, + 0x77, 0x31, 0x78, 0x6C, 0x0A, 0x62, 0x76, 0x6E, 0x35, 0x61, 0x43, 0x74, + 0x33, 0x48, 0x77, 0x4B, 0x42, 0x67, 0x42, 0x66, 0x4F, 0x6C, 0x34, 0x6A, + 0x47, 0x45, 0x58, 0x59, 0x6D, 0x4E, 0x36, 0x4B, 0x2B, 0x75, 0x30, 0x65, + 0x62, 0x71, 0x52, 0x44, 0x6B, 0x74, 0x32, 0x67, 0x49, 0x6F, 0x57, 0x36, + 0x62, 0x46, 0x6F, 0x37, 0x58, 0x64, 0x36, 0x78, 0x63, 0x69, 0x2F, 0x67, + 0x46, 0x57, 0x6A, 0x6F, 0x56, 0x43, 0x4F, 0x42, 0x59, 0x0A, 0x67, 0x43, + 0x38, 0x47, 0x4C, 0x4D, 0x6E, 0x77, 0x33, 0x7A, 0x32, 0x71, 0x67, 0x61, + 0x76, 0x34, 0x63, 0x51, 0x49, 0x67, 0x38, 0x45, 0x44, 0x59, 0x70, 0x62, + 0x70, 0x45, 0x34, 0x46, 0x48, 0x51, 0x6E, 0x6E, 0x74, 0x50, 0x6B, 0x4B, + 0x57, 0x2F, 0x62, 0x72, 0x75, 0x30, 0x4E, 0x74, 0x33, 0x79, 0x61, 0x4E, + 0x62, 0x38, 0x69, 0x67, 0x79, 0x31, 0x61, 0x5A, 0x4F, 0x52, 0x66, 0x49, + 0x76, 0x5A, 0x0A, 0x71, 0x54, 0x4D, 0x4C, 0x45, 0x33, 0x6D, 0x65, 0x6C, + 0x63, 0x5A, 0x57, 0x37, 0x4C, 0x61, 0x69, 0x71, 0x65, 0x4E, 0x31, 0x56, + 0x30, 0x76, 0x48, 0x2F, 0x4D, 0x43, 0x55, 0x64, 0x70, 0x58, 0x39, 0x59, + 0x31, 0x34, 0x4B, 0x39, 0x43, 0x4A, 0x59, 0x78, 0x7A, 0x73, 0x52, 0x4F, + 0x67, 0x50, 0x71, 0x64, 0x45, 0x67, 0x4D, 0x57, 0x59, 0x44, 0x46, 0x41, + 0x6F, 0x47, 0x41, 0x41, 0x65, 0x39, 0x6C, 0x0A, 0x58, 0x4D, 0x69, 0x65, + 0x55, 0x4F, 0x68, 0x6C, 0x30, 0x73, 0x71, 0x68, 0x64, 0x5A, 0x59, 0x52, + 0x62, 0x4F, 0x31, 0x65, 0x69, 0x77, 0x54, 0x49, 0x4C, 0x58, 0x51, 0x36, + 0x79, 0x47, 0x4D, 0x69, 0x42, 0x38, 0x61, 0x65, 0x2F, 0x76, 0x30, 0x70, + 0x62, 0x42, 0x45, 0x57, 0x6C, 0x70, 0x6E, 0x38, 0x6B, 0x32, 0x2B, 0x4A, + 0x6B, 0x71, 0x56, 0x54, 0x77, 0x48, 0x67, 0x67, 0x62, 0x43, 0x41, 0x5A, + 0x0A, 0x6A, 0x4F, 0x61, 0x71, 0x56, 0x74, 0x58, 0x31, 0x6D, 0x55, 0x79, + 0x54, 0x59, 0x7A, 0x6A, 0x73, 0x54, 0x7A, 0x34, 0x5A, 0x59, 0x6A, 0x68, + 0x61, 0x48, 0x4A, 0x33, 0x6A, 0x31, 0x57, 0x6C, 0x65, 0x67, 0x6F, 0x4D, + 0x63, 0x73, 0x74, 0x64, 0x66, 0x54, 0x2B, 0x74, 0x78, 0x4D, 0x55, 0x37, + 0x34, 0x6F, 0x67, 0x64, 0x4F, 0x71, 0x4D, 0x7A, 0x68, 0x78, 0x53, 0x55, + 0x4F, 0x34, 0x35, 0x67, 0x38, 0x0A, 0x66, 0x39, 0x57, 0x38, 0x39, 0x6D, + 0x70, 0x61, 0x38, 0x62, 0x42, 0x6A, 0x4F, 0x50, 0x75, 0x2B, 0x79, 0x46, + 0x79, 0x36, 0x36, 0x74, 0x44, 0x61, 0x5A, 0x36, 0x73, 0x57, 0x45, 0x37, + 0x63, 0x35, 0x53, 0x58, 0x45, 0x48, 0x58, 0x6C, 0x38, 0x43, 0x67, 0x59, + 0x45, 0x41, 0x74, 0x41, 0x57, 0x77, 0x46, 0x50, 0x6F, 0x44, 0x53, 0x54, + 0x64, 0x7A, 0x6F, 0x58, 0x41, 0x77, 0x52, 0x6F, 0x66, 0x30, 0x0A, 0x51, + 0x4D, 0x4F, 0x30, 0x38, 0x2B, 0x50, 0x6E, 0x51, 0x47, 0x6F, 0x50, 0x62, + 0x4D, 0x4A, 0x54, 0x71, 0x72, 0x67, 0x78, 0x72, 0x48, 0x59, 0x43, 0x53, + 0x38, 0x75, 0x34, 0x63, 0x59, 0x53, 0x48, 0x64, 0x44, 0x4D, 0x4A, 0x44, + 0x43, 0x4F, 0x4D, 0x6F, 0x35, 0x67, 0x46, 0x58, 0x79, 0x43, 0x2B, 0x35, + 0x46, 0x66, 0x54, 0x69, 0x47, 0x77, 0x42, 0x68, 0x79, 0x35, 0x38, 0x7A, + 0x35, 0x62, 0x37, 0x0A, 0x67, 0x42, 0x77, 0x46, 0x4B, 0x49, 0x39, 0x52, + 0x67, 0x52, 0x66, 0x56, 0x31, 0x44, 0x2F, 0x4E, 0x69, 0x6D, 0x78, 0x50, + 0x72, 0x6C, 0x6A, 0x33, 0x57, 0x48, 0x79, 0x65, 0x63, 0x31, 0x2F, 0x43, + 0x73, 0x2B, 0x42, 0x72, 0x2B, 0x2F, 0x76, 0x65, 0x6B, 0x4D, 0x56, 0x46, + 0x67, 0x35, 0x67, 0x65, 0x6B, 0x65, 0x48, 0x72, 0x34, 0x61, 0x47, 0x53, + 0x46, 0x34, 0x62, 0x6B, 0x30, 0x41, 0x6A, 0x56, 0x0A, 0x54, 0x76, 0x2F, + 0x70, 0x51, 0x6A, 0x79, 0x52, 0x75, 0x5A, 0x41, 0x74, 0x36, 0x36, 0x49, + 0x62, 0x52, 0x5A, 0x64, 0x6C, 0x32, 0x49, 0x49, 0x3D, 0x0A, 0x2D, 0x2D, + 0x2D, 0x2D, 0x2D, 0x45, 0x4E, 0x44, 0x20, 0x50, 0x52, 0x49, 0x56, 0x41, + 0x54, 0x45, 0x20, 0x4B, 0x45, 0x59, 0x2D, 0x2D, 0x2D, 0x2D, 0x2D + }; + /* + * PEM of pem_rsa_priv_key: + * -----BEGIN PRIVATE KEY----- + * MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDEkC4ZWv3ucFbU + * F8YwlUrmQlLCZwAgr4DPUAFVHl+wFcXypVgScVY4K7QmdWKsYqb8tpOxqw0NwZWX + * O+ta4+y27COufoOhRTMwNyN2LwSNTPN3eEk4ee5QnppEyDrqoCgvTlAAdToFaXvj + * x13Ybj7jfhwN74qKdqsSEtPWyggeotiQSPy6KyBIuWtIxPAA8jAvfAnQj1eXhghF + * N2NxkqgxvBYdNy1m3+jXACPLRzc11ZbNHKiwhCY1/HiSBkwHlIK+/VLj2smCKdUQ + * gvLXSnnVgQulHioD6UgY8xA2a4M1rhYuTV8BrPRZ4BFx2o0jYWvGbA/Hlp7fTOy+ + * F5OkiHS7AgMBAAECggEAYgCu81ZiQBVDvWiDGKr+1pIf2CxprGJEm1h86ZcEx3L7 + * qFDW+g8HGWd04S3qvh9LublAJzetAPxRXL9zx3PXjJZs7e3HLEuny3TaWez0XI0O + * 4LSY8S8d6pVBPmUEtwGWN4vYqHnKLXOb4QQAXs4MzfkM/Me/b+zdu1umwjMl3Dud + * 5rVhkgvt8uhDUG3XSHeoJYBMbT9ikJDVMJ51rre/1Riddgxp8SktVkvGmMl9kQR8 + * 8dv3Px/kTN94EuRg0CkXBhHpoGo4qnM3Q3B5PlmSK5gkuPvWy9l8L/TVt8Lb6/zL + * ByQW+g02wxeNGhw1fkD+XFH7KkSeWl+QnrLcePM0hQKBgQDxoqUk0PLOY5WgOkgr + * umgie/K1WKs+izTtApjzcM76sza63b5R9w+P+NssMV4aeV9epEGZO68IUmi0QjvQ + * npluQoadFYweFwSQ11BXHoeQBA4nNpkrV58hgzZN3m9JLR7JxyrIqXsRnUzl13Kj + * GzZBCJxCpJjfTze/yme8d3pa5QKBgQDQP5mB4jI+g3XH3MuLyBjMoTIvoy7CYMhZ + * 6/+Kkpw132J16mqkLrwUOZfT0e1rJBsCUkEoBmgKNtRkHo3/SjUI/9fHj3uStPHV + * oPcfXj/gFRUkDDzY+auB3dHONF1U1z06EANkkPCC3a538UANBIaPjwpRdBzNw1xl + * bvn5aCt3HwKBgBfOl4jGEXYmN6K+u0ebqRDkt2gIoW6bFo7Xd6xci/gFWjoVCOBY + * gC8GLMnw3z2qgav4cQIg8EDYpbpE4FHQnntPkKW/bru0Nt3yaNb8igy1aZORfIvZ + * qTMLE3melcZW7LaiqeN1V0vH/MCUdpX9Y14K9CJYxzsROgPqdEgMWYDFAoGAAe9l + * XMieUOhl0sqhdZYRbO1eiwTILXQ6yGMiB8ae/v0pbBEWlpn8k2+JkqVTwHggbCAZ + * jOaqVtX1mUyTYzjsTz4ZYjhaHJ3j1WlegoMcstdfT+txMU74ogdOqMzhxSUO45g8 + * f9W89mpa8bBjOPu+yFy66tDaZ6sWE7c5SXEHXl8CgYEAtAWwFPoDSTdzoXAwRof0 + * QMO08+PnQGoPbMJTqrgxrHYCS8u4cYSHdDMJDCOMo5gFXyC+5FfTiGwBhy58z5b7 + * gBwFKI9RgRfV1D/NimxPrlj3WHyec1/Cs+Br+/vekMVFg5gekeHr4aGSF4bk0AjV + * Tv/pQjyRuZAt66IbRZdl2II= + * -----END PRIVATE KEY----- + */ + + /* Load private key BIO, DER-encoded public key and PKCS#8 private key for testing */ + if (!TEST_ptr(bio_priv = BIO_new(BIO_s_mem())) + || !TEST_int_gt(BIO_write(bio_priv, pem_rsa_priv_key, sizeof(pem_rsa_priv_key)), 0) + || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(bio_priv, NULL, NULL, NULL, NULL, NULL)) + || !TEST_int_ge(BIO_seek(bio_priv, 0), 0) + || !TEST_int_gt((len_pub = i2d_PUBKEY(pkey, &encoded_pub)), 0) + || !TEST_ptr(p8 = EVP_PKEY2PKCS8(pkey))) + goto end; + EVP_PKEY_free(pkey); + pkey = NULL; + + for (i = 0; i < OSSL_NELEM(properties_test); i++) { + const char *libctx_prop = properties_test[i].provider_props; + const char *explicit_prop = properties_test[i].explicit_props; + /* *curr_provider will be updated in reset_ctx_providers */ + OSSL_PROVIDER **curr_provider = &providers[properties_test[i].curr_provider_idx]; + + /* + * Decoding a PEM-encoded key uses the properties to select the right provider. + * Using a PEM-encoding adds an extra decoder before the key is created. + */ + if (!TEST_int_eq(reset_ctx_providers(&my_libctx, providers, libctx_prop), 1)) + goto end; + if (!TEST_int_ge(BIO_seek(bio_priv, 0), 0) + || !TEST_ptr(pkey = PEM_read_bio_PrivateKey_ex(bio_priv, NULL, NULL, NULL, my_libctx, + explicit_prop)) + || !TEST_ptr_eq(EVP_PKEY_get0_provider(pkey), *curr_provider)) + goto end; + EVP_PKEY_free(pkey); + pkey = NULL; + + /* Decoding a DER-encoded X509_PUBKEY uses the properties to select the right provider */ + if (!TEST_int_eq(reset_ctx_providers(&my_libctx, providers, libctx_prop), 1)) + goto end; + p = encoded_pub; + if (!TEST_ptr(pkey = d2i_PUBKEY_ex(NULL, &p, len_pub, my_libctx, explicit_prop)) + || !TEST_ptr_eq(EVP_PKEY_get0_provider(pkey), *curr_provider)) + goto end; + EVP_PKEY_free(pkey); + pkey = NULL; + + /* Decoding a PKCS8_PRIV_KEY_INFO uses the properties to select the right provider */ + if (!TEST_int_eq(reset_ctx_providers(&my_libctx, providers, libctx_prop), 1)) + goto end; + if (!TEST_ptr(pkey = EVP_PKCS82PKEY_ex(p8, my_libctx, explicit_prop)) + || !TEST_ptr_eq(EVP_PKEY_get0_provider(pkey), *curr_provider)) + goto end; + EVP_PKEY_free(pkey); + pkey = NULL; + } + + ret = 1; + +end: + PKCS8_PRIV_KEY_INFO_free(p8); + BIO_free(bio_priv); + OPENSSL_free(encoded_pub); + EVP_PKEY_free(pkey); + OSSL_PROVIDER_unload(providers[DEFAULT_PROVIDER_IDX]); + fake_rsa_finish(providers[FAKE_RSA_PROVIDER_IDX]); + OSSL_LIB_CTX_free(my_libctx); + return ret; +} + int setup_tests(void) { libctx = OSSL_LIB_CTX_new(); @@ -433,9 +790,11 @@ int setup_tests(void) ADD_TEST(test_pkey_sig); ADD_TEST(test_alternative_keygen_init); ADD_TEST(test_pkey_eq); + ADD_TEST(test_pkey_can_sign); ADD_ALL_TESTS(test_pkey_store, 2); ADD_TEST(test_pkey_delete); ADD_TEST(test_pkey_store_open_ex); + ADD_TEST(test_pkey_provider_decoder_props); return 1; } diff --git a/crypto/openssl/test/quic-openssl-docker/hq-interop/quic-hq-interop.c b/crypto/openssl/test/quic-openssl-docker/hq-interop/quic-hq-interop.c index 14375d178a77..80b93c68c91e 100644 --- a/crypto/openssl/test/quic-openssl-docker/hq-interop/quic-hq-interop.c +++ b/crypto/openssl/test/quic-openssl-docker/hq-interop/quic-hq-interop.c @@ -906,8 +906,6 @@ int main(int argc, char *argv[]) goto end; } } - BIO_free(req_bio); - req_bio = NULL; reqnames[read_offset + 1] = '\0'; if (!setup_connection(hostname, port, &ctx, &ssl)) { @@ -1037,6 +1035,7 @@ int main(int argc, char *argv[]) */ BIO_ADDR_free(peer_addr); OPENSSL_free(reqnames); + BIO_free(req_bio); BIO_free(session_bio); for (poll_idx = 0; poll_idx < poll_count; poll_idx++) { BIO_free(outbiolist[poll_idx]); diff --git a/crypto/openssl/test/quic_ackm_test.c b/crypto/openssl/test/quic_ackm_test.c index 0f26e9d38a0e..7b42fa5410fa 100644 --- a/crypto/openssl/test/quic_ackm_test.c +++ b/crypto/openssl/test/quic_ackm_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -104,7 +104,8 @@ static int helper_init(struct helper *h, size_t num_pkts) /* Initialise ACK manager. */ h->ackm = ossl_ackm_new(fake_now, NULL, &h->statm, - &ossl_cc_dummy_method, h->ccdata); + &ossl_cc_dummy_method, h->ccdata, + /* is_server */0); if (!TEST_ptr(h->ackm)) goto err; diff --git a/crypto/openssl/test/quic_fifd_test.c b/crypto/openssl/test/quic_fifd_test.c index cfa5a77745b7..7f93ca40d924 100644 --- a/crypto/openssl/test/quic_fifd_test.c +++ b/crypto/openssl/test/quic_fifd_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -329,7 +329,8 @@ static int test_fifd(int idx) || !TEST_ptr(info.ackm = ossl_ackm_new(fake_now, NULL, &info.statm, &ossl_cc_dummy_method, - info.ccdata)) + info.ccdata, + /* is_server */0)) || !TEST_true(ossl_ackm_on_handshake_confirmed(info.ackm)) || !TEST_ptr(info.cfq = ossl_quic_cfq_new()) || !TEST_ptr(info.txpim = ossl_quic_txpim_new()) diff --git a/crypto/openssl/test/quic_txp_test.c b/crypto/openssl/test/quic_txp_test.c index 329953a3bd75..bf576c31f2d5 100644 --- a/crypto/openssl/test/quic_txp_test.c +++ b/crypto/openssl/test/quic_txp_test.c @@ -182,7 +182,8 @@ static int helper_init(struct helper *h) if (!TEST_ptr(h->args.ackm = ossl_ackm_new(fake_now, NULL, &h->statm, h->cc_method, - h->cc_data))) + h->cc_data, + /* is_server */0))) goto err; if (!TEST_true(ossl_quic_stream_map_init(&h->qsm, NULL, NULL, diff --git a/crypto/openssl/test/quicapitest.c b/crypto/openssl/test/quicapitest.c index b98a94055301..4e887c13d14c 100644 --- a/crypto/openssl/test/quicapitest.c +++ b/crypto/openssl/test/quicapitest.c @@ -428,91 +428,6 @@ static int test_version(void) } #if defined(DO_SSL_TRACE_TEST) -static void strip_line_ends(char *str) -{ - size_t i; - - for (i = strlen(str); - i > 0 && (str[i - 1] == '\n' || str[i - 1] == '\r'); - i--); - - str[i] = '\0'; -} - -static int compare_with_file(BIO *membio) -{ - BIO *file = NULL, *newfile = NULL; - char buf1[8192], buf2[8192]; - char *reffile; - int ret = 0; - size_t i; - -#ifdef OPENSSL_NO_ZLIB - reffile = test_mk_file_path(datadir, "ssltraceref.txt"); -#else - reffile = test_mk_file_path(datadir, "ssltraceref-zlib.txt"); -#endif - if (!TEST_ptr(reffile)) - goto err; - - file = BIO_new_file(reffile, "rb"); - if (!TEST_ptr(file)) - goto err; - - newfile = BIO_new_file("ssltraceref-new.txt", "wb"); - if (!TEST_ptr(newfile)) - goto err; - - while (BIO_gets(membio, buf2, sizeof(buf2)) > 0) - if (BIO_puts(newfile, buf2) <= 0) { - TEST_error("Failed writing new file data"); - goto err; - } - - if (!TEST_int_ge(BIO_seek(membio, 0), 0)) - goto err; - - while (BIO_gets(file, buf1, sizeof(buf1)) > 0) { - size_t line_len; - - if (BIO_gets(membio, buf2, sizeof(buf2)) <= 0) { - TEST_error("Failed reading mem data"); - goto err; - } - strip_line_ends(buf1); - strip_line_ends(buf2); - line_len = strlen(buf1); - if (line_len > 0 && buf1[line_len - 1] == '?') { - /* Wildcard at the EOL means ignore anything after it */ - if (strlen(buf2) > line_len) - buf2[line_len] = '\0'; - } - if (line_len != strlen(buf2)) { - TEST_error("Actual and ref line data length mismatch"); - TEST_info("%s", buf1); - TEST_info("%s", buf2); - goto err; - } - for (i = 0; i < line_len; i++) { - /* '?' is a wild card character in the reference text */ - if (buf1[i] == '?') - buf2[i] = '?'; - } - if (!TEST_str_eq(buf1, buf2)) - goto err; - } - if (!TEST_true(BIO_eof(file)) - || !TEST_true(BIO_eof(membio))) - goto err; - - ret = 1; - err: - OPENSSL_free(reffile); - BIO_free(file); - BIO_free(newfile); - return ret; -} - /* * Tests that the SSL_trace() msg_callback works as expected with a QUIC * connection. This also provides testing of the msg_callback at the same time. @@ -524,6 +439,7 @@ static int test_ssl_trace(void) QUIC_TSERVER *qtserv = NULL; int testresult = 0; BIO *bio = NULL; + char *reffile = NULL; if (!TEST_ptr(cctx = SSL_CTX_new_ex(libctx, NULL, OSSL_QUIC_client_method())) || !TEST_ptr(bio = BIO_new(BIO_s_mem())) @@ -547,7 +463,13 @@ static int test_ssl_trace(void) if (!TEST_int_gt(BIO_pending(bio), 0)) goto err; } else { - if (!TEST_true(compare_with_file(bio))) + +# ifdef OPENSSL_NO_ZLIB + reffile = test_mk_file_path(datadir, "ssltraceref.txt"); +# else + reffile = test_mk_file_path(datadir, "ssltraceref-zlib.txt"); +# endif + if (!TEST_true(compare_with_reference_file(bio, reffile))) goto err; } @@ -557,6 +479,7 @@ static int test_ssl_trace(void) SSL_free(clientquic); SSL_CTX_free(cctx); BIO_free(bio); + OPENSSL_free(reffile); return testresult; } @@ -2863,6 +2786,62 @@ static int test_ssl_set_verify(void) return testresult; } +/* + * When the server has a different primary group than the client, the server + * should not fail on the client hello retry. + */ +static int test_client_hello_retry(void) +{ +#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_ECX) + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL, *qlistener = NULL; + int testresult = 0, i = 0, ret = 0; + + if (!TEST_ptr(sctx = create_server_ctx()) + || !TEST_ptr(cctx = create_client_ctx())) + goto err; + /* + * set the specific groups for the test + */ + if (!TEST_true(SSL_CTX_set1_groups_list(cctx, "secp384r1:secp256r1"))) + goto err; + if (!TEST_true(SSL_CTX_set1_groups_list(sctx, "secp256r1"))) + goto err; + + if (!create_quic_ssl_objects(sctx, cctx, &qlistener, &clientssl)) + goto err; + + /* Send ClientHello and server retry */ + for (i = 0; i < 2; i++) { + ret = SSL_connect(clientssl); + if (!TEST_int_le(ret, 0) + || !TEST_int_eq(SSL_get_error(clientssl, ret), SSL_ERROR_WANT_READ)) + goto err; + SSL_handle_events(qlistener); + } + + /* We expect a server SSL object which has not yet completed its handshake */ + serverssl = SSL_accept_connection(qlistener, 0); + + /* Call SSL_accept() and SSL_connect() until we are connected */ + if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl, + SSL_ERROR_NONE, 0, 0))) + goto err; + + testresult = 1; + +err: + SSL_CTX_free(cctx); + SSL_CTX_free(sctx); + SSL_free(clientssl); + SSL_free(serverssl); + SSL_free(qlistener); + + return testresult; +#else + return TEST_skip("EC(X) keys are not supported in this build"); +#endif +} /***********************************************************************************/ OPT_TEST_DECLARE_USAGE("provider config certsdir datadir\n") @@ -2964,6 +2943,7 @@ int setup_tests(void) ADD_TEST(test_server_method_with_ssl_new); ADD_TEST(test_ssl_accept_connection); ADD_TEST(test_ssl_set_verify); + ADD_TEST(test_client_hello_retry); return 1; err: cleanup_tests(); diff --git a/crypto/openssl/test/radix/quic_bindings.c b/crypto/openssl/test/radix/quic_bindings.c index 49b8e28ef69a..c33a5bb9236d 100644 --- a/crypto/openssl/test/radix/quic_bindings.c +++ b/crypto/openssl/test/radix/quic_bindings.c @@ -799,9 +799,9 @@ DEF_FUNC(hf_spawn_thread) if (!TEST_ptr(child_rt->debug_bio = BIO_new(BIO_s_mem()))) goto err; - ossl_crypto_mutex_lock(child_rt->m); - child_rt->child_script_info = script_info; + + ossl_crypto_mutex_lock(child_rt->m); if (!TEST_ptr(child_rt->t = ossl_crypto_thread_native_start(RADIX_THREAD_worker_main, child_rt, 1))) { ossl_crypto_mutex_unlock(child_rt->m); diff --git a/crypto/openssl/test/radix/terp.c b/crypto/openssl/test/radix/terp.c index 3c83fd9b18b0..41d3bdeb9fd4 100644 --- a/crypto/openssl/test/radix/terp.c +++ b/crypto/openssl/test/radix/terp.c @@ -871,8 +871,10 @@ err: } GEN_SCRIPT_cleanup(&gen_script); - BIO_printf(debug_bio, "Stats:\n Ops executed: %16llu\n\n", - (unsigned long long)terp.ops_executed); + if (have_terp) { + BIO_printf(debug_bio, "Stats:\n Ops executed: %16llu\n\n", + (unsigned long long)terp.ops_executed); + } SCRIPT_INFO_print(script_info, debug_bio, /*error=*/!ok, ok ? "completed" : "failed, exiting"); return ok; diff --git a/crypto/openssl/test/recipes/03-test_fipsinstall.t b/crypto/openssl/test/recipes/03-test_fipsinstall.t index 1f9110ef600a..3dcbe67c6d55 100644 --- a/crypto/openssl/test/recipes/03-test_fipsinstall.t +++ b/crypto/openssl/test/recipes/03-test_fipsinstall.t @@ -63,7 +63,7 @@ my @commandline = ( 'x942kdf_key_check', 'x942kdf-key-check' ) ); -plan tests => 40 + (scalar @pedantic_okay) + (scalar @pedantic_fail) +plan tests => 41 + (scalar @pedantic_okay) + (scalar @pedantic_fail) + 4 * (scalar @commandline); my $infile = bldtop_file('providers', platform->dso('fips')); @@ -392,6 +392,16 @@ SKIP: { "fipsinstall fails when the ML-KEM decapsulate implicit failure result is corrupted"); } +# corrupt an Asymmetric cipher test +SKIP: { + skip "Skipping Asymmetric RSA corruption test because of no rsa in this build", 1 + if disabled("rsa") || disabled("fips-post"); + ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, + '-corrupt_desc', 'RSA_Encrypt', + '-corrupt_type', 'KAT_AsymmetricCipher'])), + "fipsinstall fails when the asymmetric cipher result is corrupted"); +} + # 'local' ensures that this change is only done in this file. local $ENV{OPENSSL_CONF_INCLUDE} = abs2rel(curdir()); diff --git a/crypto/openssl/test/recipes/15-test_ec.t b/crypto/openssl/test/recipes/15-test_ec.t index c953fad9f1ec..9bf946e81b4b 100644 --- a/crypto/openssl/test/recipes/15-test_ec.t +++ b/crypto/openssl/test/recipes/15-test_ec.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -18,7 +18,7 @@ setup("test_ec"); plan skip_all => 'EC is not supported in this build' if disabled('ec'); -plan tests => 15; +plan tests => 16; my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); @@ -33,6 +33,16 @@ subtest 'EC conversions -- private key' => sub { tconversion( -type => 'ec', -prefix => 'ec-priv', -in => srctop_file("test","testec-p256.pem") ); }; + +SKIP: { + skip "SM2 is not supported by this OpenSSL build", 1 + if disabled("sm2"); + subtest 'EC conversions -- private key' => sub { + tconversion( -type => 'ec', -prefix => 'sm2-priv', + -in => srctop_file("test","testec-sm2.pem") ); + }; +} + subtest 'EC conversions -- private key PKCS#8' => sub { tconversion( -type => 'ec', -prefix => 'ec-pkcs8', -in => srctop_file("test","testec-p256.pem"), diff --git a/crypto/openssl/test/recipes/20-test_cli_list.t b/crypto/openssl/test/recipes/20-test_cli_list.t new file mode 100644 index 000000000000..a039b20978e4 --- /dev/null +++ b/crypto/openssl/test/recipes/20-test_cli_list.t @@ -0,0 +1,25 @@ +#! /usr/bin/env perl +# Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use warnings; + +use OpenSSL::Test qw/:DEFAULT bldtop_file srctop_file bldtop_dir with/; +use OpenSSL::Test::Utils; + +setup("test_cli_list"); + +plan tests => 2; + +ok(run(app(["openssl", "list", "-skey-managers"], + stdout => "listout.txt")), +"List skey managers - default configuration"); +open DATA, "listout.txt"; +my @match = grep /secret key/, <DATA>; +close DATA; +ok(scalar @match > 1 ? 1 : 0, "Several skey managers are listed - default configuration"); diff --git a/crypto/openssl/test/recipes/25-test_verify.t b/crypto/openssl/test/recipes/25-test_verify.t index 271f499690bf..673c3d5f1772 100644 --- a/crypto/openssl/test/recipes/25-test_verify.t +++ b/crypto/openssl/test/recipes/25-test_verify.t @@ -602,9 +602,10 @@ ok(vfy_root("-CAfile", $rootcert), "CAfile"); ok(vfy_root("-CAstore", $rootcert), "CAstore"); ok(vfy_root("-CAstore", $rootcert, "-CAfile", $rootcert), "CAfile and existing CAstore"); ok(!vfy_root("-CAstore", "non-existing", "-CAfile", $rootcert), "CAfile and non-existing CAstore"); + SKIP: { - skip "file names with colons aren't supported on Windows and VMS", 2 - if $^O =~ /^(MsWin32|VMS)$/; + skip "file names with colons aren't supported on Windows and VMS", 1 + if $^O =~ /^(MSWin32|VMS)$/; my $foo_file = "foo:cert.pem"; copy($rootcert, $foo_file); ok(vfy_root("-CAstore", $foo_file), "CAstore foo:file"); diff --git a/crypto/openssl/test/recipes/30-test_evp_data/evpkdf_krb5.txt b/crypto/openssl/test/recipes/30-test_evp_data/evpkdf_krb5.txt index d8f6aa72a175..e2de4754fa74 100644 --- a/crypto/openssl/test/recipes/30-test_evp_data/evpkdf_krb5.txt +++ b/crypto/openssl/test/recipes/30-test_evp_data/evpkdf_krb5.txt @@ -1,5 +1,5 @@ # -# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2025 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -129,3 +129,11 @@ Ctrl.cipher = cipher:DES-EDE3-CBC Ctrl.hexkey = hexkey:dce06b1f64c857a11c3db57c51899b2cc1791008ce973b92 Ctrl.hexconstant = hexconstant:0000000155 Output = 935079d14490a75c3093c4a6e8c3b049c71e6ee705 + +#Erroneous key size for the cipher as XTS has double key size +KDF = KRB5KDF +Ctrl.cipher = cipher:AES-256-XTS +Ctrl.hexkey = hexkey:FE697B52BC0D3CE14432BA036A92E65BBB52280990A2FA27883998D72AF30161 +Ctrl.hexconstant = hexconstant:0000000255 +Output = 97151B4C76945063E2EB0529DC067D97D7BBA90776D8126D91F34F3101AEA8BA +Result = KDF_DERIVE_ERROR diff --git a/crypto/openssl/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/crypto/openssl/test/recipes/30-test_evp_data/evppkey_ecdsa.txt index 54b143beada4..07dc4b429819 100644 --- a/crypto/openssl/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +++ b/crypto/openssl/test/recipes/30-test_evp_data/evppkey_ecdsa.txt @@ -1,5 +1,5 @@ # -# Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2025 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -261,6 +261,15 @@ Ctrl = digest:SHA1 Input = "0123456789ABCDEF1234" Result = KEYOP_MISMATCH +FIPSversion = >=3.6.0 +Sign = P-256 +Securitycheck = 1 +Unapproved = 1 +CtrlInit = digest-check:0 +Ctrl = digest:SHA512-224 +Input = "0123456789ABCDEF1234" +Result = KEYOP_ERROR + Title = XOF disallowed DigestVerify = SHAKE256 diff --git a/crypto/openssl/test/recipes/30-test_evp_data/evppkey_rsa_sigalg.txt b/crypto/openssl/test/recipes/30-test_evp_data/evppkey_rsa_sigalg.txt index 5083cc2bde24..f258700670ab 100644 --- a/crypto/openssl/test/recipes/30-test_evp_data/evppkey_rsa_sigalg.txt +++ b/crypto/openssl/test/recipes/30-test_evp_data/evppkey_rsa_sigalg.txt @@ -1,5 +1,5 @@ # -# Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2025 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -186,4 +186,4 @@ Output = 6a7fc08e9999fc9d50cda476e973a01a06efeb52eece1c78cb1422950476cbff67408c6 Availablein = default Sign-Message = RSA-SM3:RSA-2048 Input = "Hello World" -Output = 92657e22036214c343d8e95d129c0c47430d5a1ae452371a7847a963f533f96e018aa6658958e6a584cf0d380aa9435175cf2de3dfa60100aca893b76aa6d8f0cc9154ee982cb5ea8f19153fe8a9c801aa2da8bb4451c7ec6fd836e81ecdacf022b68294db068efa47decf3a7c548ea7088a16433029b8733b9573053b7e7122ea10b662726fc97bd149c663617434a9707b672b024f95865d91077edfb79c8ed4c8528032204c46c984a6c82b17794cbf9c4dfe4c1af1d59535f7755540ff36d6a2b55accbf046896c4aae9287a33f38c2a269a02abdac46c17b1b55ee89cc9eb3011a84916596f982c5375dd2110633be6dc43532919466d83bd0f3e406978 +Output = b74e03c18050807541bde949aa0ac91d43fb9730f0b529d5100d5776f4f446d0ca0f0992359dc5f89386ed45bc3bf52cac1f75fbcc088fc2ea77624fd962569d2d317e90886dec424fb6757c4eba1e881ddf4f7942e8003b54e05cc974558dea171ce23a2fc158f71a5621c9a2c3ce45c9af4c706d3f60efe0c0f087a6ec504f771b08e2a1d78e0316c74706c678869bf121d5da00e2e8c8dc1cd273315b4ad8ab9962c62f81cebc5fb393b7f8860ee68545578413feada82b1c2bbfabfa157e298f0354bffc1cc6aa68f058a5d34b6b70ffacd3532c6b2c6a0de059bf605edf392ac8adbf1769555a0a50b2b13c63cae98a461498fae7f0d1729b710f05f39e diff --git a/crypto/openssl/test/recipes/80-test_cms.t b/crypto/openssl/test/recipes/80-test_cms.t index 5c967c581835..4031dbec77f5 100644 --- a/crypto/openssl/test/recipes/80-test_cms.t +++ b/crypto/openssl/test/recipes/80-test_cms.t @@ -89,6 +89,15 @@ my @smime_pkcs7_tests = ( \&final_compare ], + [ "signed text content DER format, RSA key", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", + "-certfile", $smroot, "-signer", $smrsa1, "-text", + "-out", "{output}.cms" ], + [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", + "-text", "-CAfile", $smroot, "-out", "{output}.txt" ], + \&final_compare + ], + [ "signed detached content DER format, RSA key", [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-signer", $smrsa1, "-out", "{output}.cms" ], @@ -222,6 +231,14 @@ my @smime_pkcs7_tests = ( \&final_compare ], + [ "enveloped text content streaming S/MIME format, DES, 1 recipient", + [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, + "-stream", "-text", "-out", "{output}.cms", $smrsa1 ], + [ "{cmd2}", @defaultprov, "-decrypt", "-recip", $smrsa1, + "-in", "{output}.cms", "-text", "-out", "{output}.txt" ], + \&final_compare + ], + [ "enveloped content test streaming S/MIME format, DES, 3 recipients, 3rd used", [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, "-stream", "-out", "{output}.cms", diff --git a/crypto/openssl/test/recipes/90-test_sslapi.t b/crypto/openssl/test/recipes/90-test_sslapi.t index 650e0d1ffb16..70c2c24d8661 100644 --- a/crypto/openssl/test/recipes/90-test_sslapi.t +++ b/crypto/openssl/test/recipes/90-test_sslapi.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -45,7 +45,10 @@ ok(run(test(["sslapitest", srctop_dir("test", "certs"), srctop_file("test", "recipes", "90-test_sslapi_data", - "dhparams.pem")])), + "dhparams.pem"), + srctop_dir("test", + "recipes", + "90-test_sslapi_data")])), "running sslapitest"); SKIP: { @@ -62,7 +65,10 @@ SKIP: { srctop_file("test", "recipes", "90-test_sslapi_data", - "dhparams.pem")])), + "dhparams.pem"), + srctop_dir("test", + "recipes", + "90-test_sslapi_data")])), "running sslapitest with default fips config"); run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]), @@ -140,7 +146,10 @@ SKIP: { srctop_file("test", "recipes", "90-test_sslapi_data", - "dhparams.pem")])), + "dhparams.pem"), + srctop_dir("test", + "recipes", + "90-test_sslapi_data")])), "running sslapitest with modified fips config"); } diff --git a/crypto/openssl/test/recipes/90-test_sslapi_data/ssltraceref-zlib.txt b/crypto/openssl/test/recipes/90-test_sslapi_data/ssltraceref-zlib.txt new file mode 100644 index 000000000000..05aed8299b0e --- /dev/null +++ b/crypto/openssl/test/recipes/90-test_sslapi_data/ssltraceref-zlib.txt @@ -0,0 +1,255 @@ +Sent TLS Record +Header: + Version = TLS 1.0 (0x301) + Content Type = Handshake (22) + Length = ? + ClientHello, Length=? + client_version=0x303 (TLS 1.2) + Random: + gmt_unix_time=0x? + random_bytes (len=28): ? + session_id (len=? + cipher_suites (len=2) + {0x13, 0x01} TLS_AES_128_GCM_SHA256 + compression_methods (len=1) + No Compression (0x00) + extensions, length = ? + extension_type=ec_point_formats(11), length=4 + uncompressed (0) + ansiX962_compressed_prime (1) + ansiX962_compressed_char2 (2) + extension_type=supported_groups(10), length=20 + MLKEM512 (512) + MLKEM768 (513) + MLKEM1024 (514) + X25519MLKEM768 (4588) + SecP256r1MLKEM768 (4587) + SecP384r1MLKEM1024 (4589) + secp521r1 (P-521) (25) + secp384r1 (P-384) (24) + secp256r1 (P-256) (23) + extension_type=session_ticket(35), length=0 + extension_type=encrypt_then_mac(22), length=0 + extension_type=extended_master_secret(23), length=0 + extension_type=signature_algorithms(13), length=? + mldsa65 (0x0905) + mldsa87 (0x0906) + mldsa44 (0x0904) + ecdsa_secp256r1_sha256 (0x0403) + ecdsa_secp384r1_sha384 (0x0503) + ecdsa_secp521r1_sha512 (0x0603) + ed25519 (0x0807) + ed448 (0x0808) + ecdsa_brainpoolP256r1tls13_sha256 (0x081a) + ecdsa_brainpoolP384r1tls13_sha384 (0x081b) + ecdsa_brainpoolP512r1tls13_sha512 (0x081c) + rsa_pss_pss_sha256 (0x0809) + rsa_pss_pss_sha384 (0x080a) + rsa_pss_pss_sha512 (0x080b) + rsa_pss_rsae_sha256 (0x0804) + rsa_pss_rsae_sha384 (0x0805) + rsa_pss_rsae_sha512 (0x0806) + rsa_pkcs1_sha256 (0x0401) + rsa_pkcs1_sha384 (0x0501) + rsa_pkcs1_sha512 (0x0601) + extension_type=supported_versions(43), length=3 + TLS 1.3 (772) + extension_type=psk_key_exchange_modes(45), length=2 + psk_dhe_ke (1) + extension_type=key_share(51), length=806 + NamedGroup: MLKEM512 (512) + key_exchange: (len=800): ? + extension_type=compress_certificate(27), length=3 + zlib (1) + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = Handshake (22) + Length = 858 + ServerHello, Length=854 + server_version=0x303 (TLS 1.2) + Random: + gmt_unix_time=0x? + random_bytes (len=28): ? + session_id (len=? + cipher_suite {0x13, 0x01} TLS_AES_128_GCM_SHA256 + compression_method: No Compression (0x00) + extensions, length = ? + extension_type=supported_versions(43), length=2 + TLS 1.3 (772) + extension_type=key_share(51), length=772 + NamedGroup: MLKEM512 (512) + key_exchange: (len=768): ? + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ChangeCipherSpec (20) + Length = 1 + change_cipher_spec (1) + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 23 + Inner Content Type = Handshake (22) + EncryptedExtensions, Length=2 + No extensions + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 839 + Inner Content Type = Handshake (22) + Certificate, Length=818 + context (len=0): + certificate_list, length=814 + ASN.1Cert, length=809 +------details----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Root CA + Validity + Not Before: Jan 14 22:29:46 2016 GMT + Not After : Jan 15 22:29:46 2116 GMT + Subject: CN = server.example + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d5:5d:60:6a:df:fc:61:ee:48:aa:8c:11:48:43: + a5:6d:b6:52:5d:aa:98:49:b1:61:92:35:b1:fc:3a: + 04:25:0c:6d:79:ff:b4:d5:c9:e9:5c:1c:3b:e0:ab: + b3:b8:7d:a3:de:6d:bd:e0:dd:d7:5a:bf:14:47:11: + 42:5e:a6:82:d0:61:c1:7f:dd:13:46:e6:09:85:07: + 0e:f2:d4:fc:1a:64:d2:0a:ad:20:ab:20:6b:96:f0: + ad:cc:c4:19:53:55:dc:01:1d:a4:b3:ef:8a:b4:49: + 53:5d:8a:05:1c:f1:dc:e1:44:bf:c5:d7:e2:77:19: + 57:5c:97:0b:75:ee:88:43:71:0f:ca:6c:c1:b4:b2: + 50:a7:77:46:6c:58:0f:11:bf:f1:76:24:5a:ae:39: + 42:b7:51:67:29:e1:d0:55:30:6f:17:e4:91:ea:ad: + f8:28:c2:43:6f:a2:64:a9:fb:9d:98:92:62:48:3e: + eb:0d:4f:82:4a:8a:ff:3f:72:ee:96:b5:ae:a1:c1: + 98:ba:ef:7d:90:75:6d:ff:5a:52:9e:ab:f5:c0:7e: + d0:87:43:db:85:07:07:0f:7d:38:7a:fd:d1:d3:ee: + 65:1d:d3:ea:39:6a:87:37:ee:4a:d3:e0:0d:6e:f5: + 70:ac:c2:bd:f1:6e:f3:92:95:5e:a9:f0:a1:65:95: + 93:8d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + C0:E7:84:BF:E8:59:27:33:10:B0:52:4F:51:52:2F:06:D6:C0:7A:CD + X509v3 Authority Key Identifier: + 70:7F:2E:AE:83:68:59:98:04:23:2A:CD:EB:3E:17:CD:24:DD:01:49 + X509v3 Basic Constraints: + CA:FALSE + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Subject Alternative Name: + DNS:server.example + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 7b:d3:04:43:75:8a:0f:11:ae:c4:fb:d7:a1:a2:9e:fe:20:18: + d5:f4:2f:31:88:46:b6:75:8c:ee:e5:9b:97:a6:b9:a3:cd:60: + 9a:46:c3:48:97:e5:97:68:f7:5a:86:35:73:d9:69:9e:f9:5f: + 74:b9:e6:94:13:01:cb:6a:dc:e3:c4:04:e9:65:da:9c:a4:8b: + 28:f3:f9:9a:7f:bf:97:1f:45:92:e5:05:b1:56:e6:0b:f6:47: + de:1e:89:b6:2b:e1:4d:df:4a:7e:01:d3:23:dc:97:8c:47:fe: + 5f:c7:cc:98:46:0e:c4:83:5b:ca:8a:f1:52:09:be:6b:ec:3f: + 09:8b:d0:93:02:bf:e1:51:e7:d1:7e:34:56:19:74:d0:ff:28: + 25:de:b7:9f:56:52:91:7d:20:29:85:0a:80:44:5f:71:32:25: + 71:0f:c2:16:e2:5f:6b:1d:3f:32:5b:0a:3c:74:1c:b9:62:f1: + ed:07:50:a3:6d:b4:b4:31:0a:c0:53:44:6a:3a:88:84:8b:2d: + a9:b0:37:8e:e6:18:36:bd:9a:20:40:0f:01:92:8b:3d:aa:61: + e7:ae:2c:ed:36:cd:3a:07:86:74:3a:29:b3:d7:3a:b4:00:a9: + c2:f5:92:78:0e:e2:0f:a3:fe:bb:be:e0:06:53:84:59:1d:90: + 69:e5:b6:f9 +-----BEGIN CERTIFICATE----- +MIIDJTCCAg2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDExNDIyMjk0NloYDzIxMTYwMTE1MjIyOTQ2WjAZMRcwFQYDVQQD +DA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ANVdYGrf/GHuSKqMEUhDpW22Ul2qmEmxYZI1sfw6BCUMbXn/tNXJ6VwcO+Crs7h9 +o95tveDd11q/FEcRQl6mgtBhwX/dE0bmCYUHDvLU/Bpk0gqtIKsga5bwrczEGVNV +3AEdpLPvirRJU12KBRzx3OFEv8XX4ncZV1yXC3XuiENxD8pswbSyUKd3RmxYDxG/ +8XYkWq45QrdRZynh0FUwbxfkkeqt+CjCQ2+iZKn7nZiSYkg+6w1PgkqK/z9y7pa1 +rqHBmLrvfZB1bf9aUp6r9cB+0IdD24UHBw99OHr90dPuZR3T6jlqhzfuStPgDW71 +cKzCvfFu85KVXqnwoWWVk40CAwEAAaN9MHswHQYDVR0OBBYEFMDnhL/oWSczELBS +T1FSLwbWwHrNMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJMAkGA1Ud +EwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4 +YW1wbGUwDQYJKoZIhvcNAQELBQADggEBAHvTBEN1ig8RrsT716Ginv4gGNX0LzGI +RrZ1jO7lm5emuaPNYJpGw0iX5Zdo91qGNXPZaZ75X3S55pQTActq3OPEBOll2pyk +iyjz+Zp/v5cfRZLlBbFW5gv2R94eibYr4U3fSn4B0yPcl4xH/l/HzJhGDsSDW8qK +8VIJvmvsPwmL0JMCv+FR59F+NFYZdND/KCXet59WUpF9ICmFCoBEX3EyJXEPwhbi +X2sdPzJbCjx0HLli8e0HUKNttLQxCsBTRGo6iISLLamwN47mGDa9miBADwGSiz2q +YeeuLO02zToHhnQ6KbPXOrQAqcL1kngO4g+j/ru+4AZThFkdkGnltvk= +-----END CERTIFICATE----- +------------------ + No extensions + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 281 + Inner Content Type = Handshake (22) + CertificateVerify, Length=260 + Signature Algorithm: rsa_pss_rsae_sha256 (0x0804) + Signature (len=256): ? + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 53 + Inner Content Type = Handshake (22) + Finished, Length=32 + verify_data (len=32): ? + +Sent TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ChangeCipherSpec (20) + Length = 1 + change_cipher_spec (1) + +Sent TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 53 + Inner Content Type = Handshake (22) + Finished, Length=32 + verify_data (len=32): ? + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 234 + Inner Content Type = Handshake (22) + NewSessionTicket, Length=213 + ticket_lifetime_hint=7200 + ticket_age_add=? + ticket_nonce (len=8): ? + ticket (len=192): ? + No extensions + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 234 + Inner Content Type = Handshake (22) + NewSessionTicket, Length=213 + ticket_lifetime_hint=7200 + ticket_age_add=? + ticket_nonce (len=8): ? + ticket (len=192): ? + No extensions + diff --git a/crypto/openssl/test/recipes/90-test_sslapi_data/ssltraceref.txt b/crypto/openssl/test/recipes/90-test_sslapi_data/ssltraceref.txt new file mode 100644 index 000000000000..5d332da235fb --- /dev/null +++ b/crypto/openssl/test/recipes/90-test_sslapi_data/ssltraceref.txt @@ -0,0 +1,253 @@ +Sent TLS Record +Header: + Version = TLS 1.0 (0x301) + Content Type = Handshake (22) + Length = ? + ClientHello, Length=? + client_version=0x303 (TLS 1.2) + Random: + gmt_unix_time=0x? + random_bytes (len=28): ? + session_id (len=? + cipher_suites (len=2) + {0x13, 0x01} TLS_AES_128_GCM_SHA256 + compression_methods (len=1) + No Compression (0x00) + extensions, length = ? + extension_type=ec_point_formats(11), length=4 + uncompressed (0) + ansiX962_compressed_prime (1) + ansiX962_compressed_char2 (2) + extension_type=supported_groups(10), length=20 + MLKEM512 (512) + MLKEM768 (513) + MLKEM1024 (514) + X25519MLKEM768 (4588) + SecP256r1MLKEM768 (4587) + SecP384r1MLKEM1024 (4589) + secp521r1 (P-521) (25) + secp384r1 (P-384) (24) + secp256r1 (P-256) (23) + extension_type=session_ticket(35), length=0 + extension_type=encrypt_then_mac(22), length=0 + extension_type=extended_master_secret(23), length=0 + extension_type=signature_algorithms(13), length=? + mldsa65 (0x0905) + mldsa87 (0x0906) + mldsa44 (0x0904) + ecdsa_secp256r1_sha256 (0x0403) + ecdsa_secp384r1_sha384 (0x0503) + ecdsa_secp521r1_sha512 (0x0603) + ed25519 (0x0807) + ed448 (0x0808) + ecdsa_brainpoolP256r1tls13_sha256 (0x081a) + ecdsa_brainpoolP384r1tls13_sha384 (0x081b) + ecdsa_brainpoolP512r1tls13_sha512 (0x081c) + rsa_pss_pss_sha256 (0x0809) + rsa_pss_pss_sha384 (0x080a) + rsa_pss_pss_sha512 (0x080b) + rsa_pss_rsae_sha256 (0x0804) + rsa_pss_rsae_sha384 (0x0805) + rsa_pss_rsae_sha512 (0x0806) + rsa_pkcs1_sha256 (0x0401) + rsa_pkcs1_sha384 (0x0501) + rsa_pkcs1_sha512 (0x0601) + extension_type=supported_versions(43), length=3 + TLS 1.3 (772) + extension_type=psk_key_exchange_modes(45), length=2 + psk_dhe_ke (1) + extension_type=key_share(51), length=806 + NamedGroup: MLKEM512 (512) + key_exchange: (len=800): ? + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = Handshake (22) + Length = 858 + ServerHello, Length=854 + server_version=0x303 (TLS 1.2) + Random: + gmt_unix_time=0x? + random_bytes (len=28): ? + session_id (len=? + cipher_suite {0x13, 0x01} TLS_AES_128_GCM_SHA256 + compression_method: No Compression (0x00) + extensions, length = ? + extension_type=supported_versions(43), length=2 + TLS 1.3 (772) + extension_type=key_share(51), length=772 + NamedGroup: MLKEM512 (512) + key_exchange: (len=768): ? + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ChangeCipherSpec (20) + Length = 1 + change_cipher_spec (1) + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 23 + Inner Content Type = Handshake (22) + EncryptedExtensions, Length=2 + No extensions + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 839 + Inner Content Type = Handshake (22) + Certificate, Length=818 + context (len=0): + certificate_list, length=814 + ASN.1Cert, length=809 +------details----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN = Root CA + Validity + Not Before: Jan 14 22:29:46 2016 GMT + Not After : Jan 15 22:29:46 2116 GMT + Subject: CN = server.example + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d5:5d:60:6a:df:fc:61:ee:48:aa:8c:11:48:43: + a5:6d:b6:52:5d:aa:98:49:b1:61:92:35:b1:fc:3a: + 04:25:0c:6d:79:ff:b4:d5:c9:e9:5c:1c:3b:e0:ab: + b3:b8:7d:a3:de:6d:bd:e0:dd:d7:5a:bf:14:47:11: + 42:5e:a6:82:d0:61:c1:7f:dd:13:46:e6:09:85:07: + 0e:f2:d4:fc:1a:64:d2:0a:ad:20:ab:20:6b:96:f0: + ad:cc:c4:19:53:55:dc:01:1d:a4:b3:ef:8a:b4:49: + 53:5d:8a:05:1c:f1:dc:e1:44:bf:c5:d7:e2:77:19: + 57:5c:97:0b:75:ee:88:43:71:0f:ca:6c:c1:b4:b2: + 50:a7:77:46:6c:58:0f:11:bf:f1:76:24:5a:ae:39: + 42:b7:51:67:29:e1:d0:55:30:6f:17:e4:91:ea:ad: + f8:28:c2:43:6f:a2:64:a9:fb:9d:98:92:62:48:3e: + eb:0d:4f:82:4a:8a:ff:3f:72:ee:96:b5:ae:a1:c1: + 98:ba:ef:7d:90:75:6d:ff:5a:52:9e:ab:f5:c0:7e: + d0:87:43:db:85:07:07:0f:7d:38:7a:fd:d1:d3:ee: + 65:1d:d3:ea:39:6a:87:37:ee:4a:d3:e0:0d:6e:f5: + 70:ac:c2:bd:f1:6e:f3:92:95:5e:a9:f0:a1:65:95: + 93:8d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + C0:E7:84:BF:E8:59:27:33:10:B0:52:4F:51:52:2F:06:D6:C0:7A:CD + X509v3 Authority Key Identifier: + 70:7F:2E:AE:83:68:59:98:04:23:2A:CD:EB:3E:17:CD:24:DD:01:49 + X509v3 Basic Constraints: + CA:FALSE + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Subject Alternative Name: + DNS:server.example + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 7b:d3:04:43:75:8a:0f:11:ae:c4:fb:d7:a1:a2:9e:fe:20:18: + d5:f4:2f:31:88:46:b6:75:8c:ee:e5:9b:97:a6:b9:a3:cd:60: + 9a:46:c3:48:97:e5:97:68:f7:5a:86:35:73:d9:69:9e:f9:5f: + 74:b9:e6:94:13:01:cb:6a:dc:e3:c4:04:e9:65:da:9c:a4:8b: + 28:f3:f9:9a:7f:bf:97:1f:45:92:e5:05:b1:56:e6:0b:f6:47: + de:1e:89:b6:2b:e1:4d:df:4a:7e:01:d3:23:dc:97:8c:47:fe: + 5f:c7:cc:98:46:0e:c4:83:5b:ca:8a:f1:52:09:be:6b:ec:3f: + 09:8b:d0:93:02:bf:e1:51:e7:d1:7e:34:56:19:74:d0:ff:28: + 25:de:b7:9f:56:52:91:7d:20:29:85:0a:80:44:5f:71:32:25: + 71:0f:c2:16:e2:5f:6b:1d:3f:32:5b:0a:3c:74:1c:b9:62:f1: + ed:07:50:a3:6d:b4:b4:31:0a:c0:53:44:6a:3a:88:84:8b:2d: + a9:b0:37:8e:e6:18:36:bd:9a:20:40:0f:01:92:8b:3d:aa:61: + e7:ae:2c:ed:36:cd:3a:07:86:74:3a:29:b3:d7:3a:b4:00:a9: + c2:f5:92:78:0e:e2:0f:a3:fe:bb:be:e0:06:53:84:59:1d:90: + 69:e5:b6:f9 +-----BEGIN CERTIFICATE----- +MIIDJTCCAg2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDExNDIyMjk0NloYDzIxMTYwMTE1MjIyOTQ2WjAZMRcwFQYDVQQD +DA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ANVdYGrf/GHuSKqMEUhDpW22Ul2qmEmxYZI1sfw6BCUMbXn/tNXJ6VwcO+Crs7h9 +o95tveDd11q/FEcRQl6mgtBhwX/dE0bmCYUHDvLU/Bpk0gqtIKsga5bwrczEGVNV +3AEdpLPvirRJU12KBRzx3OFEv8XX4ncZV1yXC3XuiENxD8pswbSyUKd3RmxYDxG/ +8XYkWq45QrdRZynh0FUwbxfkkeqt+CjCQ2+iZKn7nZiSYkg+6w1PgkqK/z9y7pa1 +rqHBmLrvfZB1bf9aUp6r9cB+0IdD24UHBw99OHr90dPuZR3T6jlqhzfuStPgDW71 +cKzCvfFu85KVXqnwoWWVk40CAwEAAaN9MHswHQYDVR0OBBYEFMDnhL/oWSczELBS +T1FSLwbWwHrNMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJMAkGA1Ud +EwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4 +YW1wbGUwDQYJKoZIhvcNAQELBQADggEBAHvTBEN1ig8RrsT716Ginv4gGNX0LzGI +RrZ1jO7lm5emuaPNYJpGw0iX5Zdo91qGNXPZaZ75X3S55pQTActq3OPEBOll2pyk +iyjz+Zp/v5cfRZLlBbFW5gv2R94eibYr4U3fSn4B0yPcl4xH/l/HzJhGDsSDW8qK +8VIJvmvsPwmL0JMCv+FR59F+NFYZdND/KCXet59WUpF9ICmFCoBEX3EyJXEPwhbi +X2sdPzJbCjx0HLli8e0HUKNttLQxCsBTRGo6iISLLamwN47mGDa9miBADwGSiz2q +YeeuLO02zToHhnQ6KbPXOrQAqcL1kngO4g+j/ru+4AZThFkdkGnltvk= +-----END CERTIFICATE----- +------------------ + No extensions + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 281 + Inner Content Type = Handshake (22) + CertificateVerify, Length=260 + Signature Algorithm: rsa_pss_rsae_sha256 (0x0804) + Signature (len=256): ? + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 53 + Inner Content Type = Handshake (22) + Finished, Length=32 + verify_data (len=32): ? + +Sent TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ChangeCipherSpec (20) + Length = 1 + change_cipher_spec (1) + +Sent TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 53 + Inner Content Type = Handshake (22) + Finished, Length=32 + verify_data (len=32): ? + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 234 + Inner Content Type = Handshake (22) + NewSessionTicket, Length=213 + ticket_lifetime_hint=7200 + ticket_age_add=? + ticket_nonce (len=8): ? + ticket (len=192): ? + No extensions + +Received TLS Record +Header: + Version = TLS 1.2 (0x303) + Content Type = ApplicationData (23) + Length = 234 + Inner Content Type = Handshake (22) + NewSessionTicket, Length=213 + ticket_lifetime_hint=7200 + ticket_age_add=? + ticket_nonce (len=8): ? + ticket (len=192): ? + No extensions + diff --git a/crypto/openssl/test/recipes/90-test_store_cases.t b/crypto/openssl/test/recipes/90-test_store_cases.t index 05b00e6b4eb1..5915a1b76a53 100644 --- a/crypto/openssl/test/recipes/90-test_store_cases.t +++ b/crypto/openssl/test/recipes/90-test_store_cases.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2023-2025 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -18,9 +18,10 @@ use OpenSSL::Test::Utils; my $test_name = "test_store_cases"; setup($test_name); -plan tests => 2; +plan tests => 3; my $stderr; +my @stdout; # The case of the garbage PKCS#12 DER file where a passphrase was # prompted for. That should not have happened. @@ -34,3 +35,24 @@ open DATA, $stderr; close DATA; ok(scalar @match > 0 ? 0 : 1, "checking that storeutl didn't ask for a passphrase"); + + SKIP: { + skip "The objects in test-BER.p12 contain EC keys, which is disabled in this build", 1 + if disabled("ec"); + skip "test-BER.p12 has contents encrypted with DES-EDE3-CBC, which is disabled in this build", 1 + if disabled("des"); + + # The case with a BER-encoded PKCS#12 file, using infinite + EOC + # constructs. There was a bug with those in OpenSSL 3.0 and newer, + # where OSSL_STORE_load() (and by consequence, 'openssl storeutl') + # only extracted the first available object from that file and + # ignored the rest. + # Our test file has a total of four objects, and this should be + # reflected in the total that 'openssl storeutl' outputs + @stdout = run(app(['openssl', 'storeutl', '-passin', 'pass:12345', + data_file('test-BER.p12')]), + capture => 1); + @stdout = map { my $x = $_; $x =~ s/\R$//; $x } @stdout; # Better chomp + ok((grep { $_ eq 'Total found: 4' } @stdout), + "Checking that 'openssl storeutl' with test-BER.p12 returns 4 objects"); +} diff --git a/crypto/openssl/test/recipes/90-test_store_cases_data/test-BER.p12 b/crypto/openssl/test/recipes/90-test_store_cases_data/test-BER.p12 Binary files differnew file mode 100644 index 000000000000..256e697bac1a --- /dev/null +++ b/crypto/openssl/test/recipes/90-test_store_cases_data/test-BER.p12 diff --git a/crypto/openssl/test/recipes/90-test_threads_data/store/8489a545.0 b/crypto/openssl/test/recipes/90-test_threads_data/store/8489a545.0 new file mode 100644 index 000000000000..7fd65dfe924b --- /dev/null +++ b/crypto/openssl/test/recipes/90-test_threads_data/store/8489a545.0 @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDFjCCAf6gAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTEzN1oYDzIxMjAxMjEzMjAxMTM3WjASMRAwDgYDVQQD +DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 +oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS +feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN +wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g +MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u +aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff +tWgiQ35mJCOvxQIDAQABo3UwczAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIB +BjAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3o1IwHwYDVR0jBBgwFoAUjvUl +rx6ba4Q9fICayVOcTXL3o1IwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcN +AQELBQADggEBABWUjaqtkdRDhVAJZTxkJVgohjRrBwp86Y0JZWdCDua/sErmEaGu +nQVxWWFWIgu6sb8tyQo3/7dBIQl3Rpij9bsgKhToO1OzoG3Oi3d0+zRDHfY6xNrj +TUE00FeLHGNWsgZSIvu99DrGApT/+uPdWfJgMu5szillqW+4hcCUPLjG9ekVNt1s +KhdEklo6PrP6eMbm6s22EIVUxqGE6xxAmrvyhlY1zJH9BJ23Ps+xabjG6OeMRZzT +0F/fU7XIFieSO7rqUcjgo1eYc3ghsDxNUJ6TPBgv5z4SPnstoOBj59rjpJ7Qkpyd +L17VfEadezat37Cpeha7vGDduCsyMfN4kiw= +-----END CERTIFICATE----- diff --git a/crypto/openssl/test/recipes/95-test_external_oqsprovider_data/oqsprovider-ca.sh b/crypto/openssl/test/recipes/95-test_external_oqsprovider_data/oqsprovider-ca.sh new file mode 100755 index 000000000000..716172f029d3 --- /dev/null +++ b/crypto/openssl/test/recipes/95-test_external_oqsprovider_data/oqsprovider-ca.sh @@ -0,0 +1,58 @@ +#!/bin/bash + +# Test openssl CA functionality using oqsprovider for alg $1 + +if [ $# -ne 1 ]; then + echo "Usage: $0 <algorithmname>. Exiting." + exit 1 +fi + +if [ -z "$OPENSSL_APP" ]; then + echo "OPENSSL_APP env var not set. Exiting." + exit 1 +fi + +if [ -z "$OPENSSL_MODULES" ]; then + echo "Warning: OPENSSL_MODULES env var not set." +fi + +if [ -z "$OPENSSL_CONF" ]; then + echo "Warning: OPENSSL_CONF env var not set." +fi + +# Set OSX DYLD_LIBRARY_PATH if not already externally set +if [ -z "$DYLD_LIBRARY_PATH" ]; then + export DYLD_LIBRARY_PATH=$LD_LIBRARY_PATH +fi + +echo "oqsprovider-ca.sh commencing..." + +#rm -rf tmp +mkdir -p tmp && cd tmp +rm -rf demoCA && mkdir -p demoCA/newcerts +touch demoCA/index.txt +echo '01' > demoCA/serial +$OPENSSL_APP req -x509 -new -newkey $1 -keyout $1_rootCA.key -out $1_rootCA.crt -subj "/CN=test CA" -nodes + +if [ $? -ne 0 ]; then + echo "Failed to generate root CA. Exiting." + exit 1 +fi + +$OPENSSL_APP req -new -newkey $1 -keyout $1.key -out $1.csr -nodes -subj "/CN=test Server" + +if [ $? -ne 0 ]; then + echo "Failed to generate test server CSR. Exiting." + exit 1 +fi + +$OPENSSL_APP ca -batch -days 100 -keyfile $1_rootCA.key -cert $1_rootCA.crt -policy policy_anything -notext -out $1.crt -infiles $1.csr + +if [ $? -ne 0 ]; then + echo "Failed to generate server CRT. Exiting." + exit 1 +fi + +# Don't forget to use provider(s) when not activated via config file +$OPENSSL_APP verify -CAfile $1_rootCA.crt $1.crt + diff --git a/crypto/openssl/test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh b/crypto/openssl/test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh index a03c3722fc43..18e0391d520f 100755 --- a/crypto/openssl/test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh +++ b/crypto/openssl/test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh @@ -70,5 +70,7 @@ export OPENSSL_APP="$O_EXE/openssl" export OPENSSL_MODULES=$PWD/_build/lib export OQS_PROVIDER_TESTSCRIPTS=$SRCTOP/oqs-provider/scripts export OPENSSL_CONF=$OQS_PROVIDER_TESTSCRIPTS/openssl-ca.cnf +# hotfix for wrong cert validity period +cp $SRCTOP/test/recipes/95-test_external_oqsprovider_data/oqsprovider-ca.sh $SRCTOP/oqs-provider/scripts/ # Be verbose if harness is verbose: $SRCTOP/oqs-provider/scripts/runtests.sh -V diff --git a/crypto/openssl/test/sanitytest.c b/crypto/openssl/test/sanitytest.c index dd19bfbc71da..449e21f55180 100644 --- a/crypto/openssl/test/sanitytest.c +++ b/crypto/openssl/test/sanitytest.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -13,6 +13,10 @@ #include "internal/numbers.h" #include "internal/time.h" +#if defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L +# include <signal.h> +#endif + static int test_sanity_null_zero(void) { char *p; @@ -130,22 +134,77 @@ static int test_sanity_memcmp(void) return CRYPTO_memcmp("ab", "cd", 2); } -static int test_sanity_sleep(void) +static const struct sleep_test_vector { + uint64_t val; +} sleep_test_vectors[] = { { 0 }, { 1 }, { 999 }, { 1000 } }; + +#if defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L +static void +alrm_handler(int sig) +{ +} +#endif /* defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L */ + +static int test_sanity_sleep(int i) { + const struct sleep_test_vector * const td = sleep_test_vectors + i; OSSL_TIME start = ossl_time_now(); - uint64_t seconds; + uint64_t ms; +#if defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L /* - * On any reasonable system this must sleep at least one second - * but not more than 20. - * Assuming there is no interruption. + * Set up an interrupt timer to check that OSSL_sleep doesn't return early + * due to interrupts. */ - OSSL_sleep(1000); + do { + static const struct itimerval it = { { 0, 111111 } }; + struct sigaction sa; + sigset_t mask; + + memset(&sa, 0, sizeof(sa)); + sa.sa_handler = alrm_handler; + + if (sigaction(SIGALRM, &sa, NULL)) { + TEST_perror("test_sanity_sleep: sigaction"); + break; + } + + sigemptyset(&mask); + sigaddset(&mask, SIGALRM); + if (sigprocmask(SIG_UNBLOCK, &mask, NULL)) { + TEST_perror("test_sanity_sleep: sigprocmask"); + break; + } + + if (setitimer(ITIMER_REAL, &it, NULL)) { + TEST_perror("test_sanity_sleep: arm setitimer"); + break; + } + } while (0); +#endif /* defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L */ - seconds = ossl_time2seconds(ossl_time_subtract(ossl_time_now(), start)); + /* + * On any reasonable system this must sleep at least the specified time + * but not more than 20 seconds more than that. + */ + OSSL_sleep(td->val); + +#if defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L + /* disarm the timer */ + do { + static const struct itimerval it; - if (!TEST_uint64_t_ge(seconds, 1) || !TEST_uint64_t_le(seconds, 20)) - return 0; + if (setitimer(ITIMER_REAL, &it, NULL)) { + TEST_perror("test_sanity_sleep: disarm setitimer"); + break; + } + } while (0); +#endif /* defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L */ + + ms = ossl_time2ms(ossl_time_subtract(ossl_time_now(), start)); + + if (!TEST_uint64_t_ge(ms, td->val) + !TEST_uint64_t_le(ms, td->val + 20000)) + return 0; return 1; } @@ -158,6 +217,6 @@ int setup_tests(void) ADD_TEST(test_sanity_unsigned_conversion); ADD_TEST(test_sanity_range); ADD_TEST(test_sanity_memcmp); - ADD_TEST(test_sanity_sleep); + ADD_ALL_TESTS(test_sanity_sleep, OSSL_NELEM(sleep_test_vectors)); return 1; } diff --git a/crypto/openssl/test/slh_dsa_test.c b/crypto/openssl/test/slh_dsa_test.c index eff9071937a2..35a8d784de40 100644 --- a/crypto/openssl/test/slh_dsa_test.c +++ b/crypto/openssl/test/slh_dsa_test.c @@ -183,10 +183,11 @@ static int slh_dsa_key_validate_failure_test(void) * Loading 128s private key data into a 128f algorithm will have an incorrect * public key. */ - if (!TEST_ptr(key = slh_dsa_key_from_data("SLH-DSA-SHA2-128f", - slh_dsa_sha2_128s_0_keygen_priv, - sizeof(slh_dsa_sha2_128s_0_keygen_priv), 0))) - return 0; + key = slh_dsa_key_from_data("SLH-DSA-SHA2-128f", + slh_dsa_sha2_128s_0_keygen_priv, + sizeof(slh_dsa_sha2_128s_0_keygen_priv), 0); + if (!TEST_ptr(key)) + goto end; if (!TEST_ptr(vctx = EVP_PKEY_CTX_new_from_pkey(lib_ctx, key, NULL))) goto end; if (!TEST_int_eq(EVP_PKEY_pairwise_check(vctx), 0)) diff --git a/crypto/openssl/test/sslapitest.c b/crypto/openssl/test/sslapitest.c index b83dd6c552de..fbe284b9ff1e 100644 --- a/crypto/openssl/test/sslapitest.c +++ b/crypto/openssl/test/sslapitest.c @@ -98,6 +98,7 @@ static char *privkey8192 = NULL; static char *srpvfile = NULL; static char *tmpfilename = NULL; static char *dhfile = NULL; +static char *datadir = NULL; static int is_fips = 0; static int fips_ems_check = 0; @@ -120,6 +121,15 @@ static X509 *ocspcert = NULL; #define CLIENT_VERSION_LEN 2 +/* The ssltrace test assumes some options are switched on/off */ +#if !defined(OPENSSL_NO_SSL_TRACE) \ + && defined(OPENSSL_NO_BROTLI) && defined(OPENSSL_NO_ZSTD) \ + && !defined(OPENSSL_NO_ECX) && !defined(OPENSSL_NO_DH) \ + && !defined(OPENSSL_NO_ML_DSA) && !defined(OPENSSL_NO_ML_KEM) \ + && !defined(OPENSSL_NO_TLS1_3) +# define DO_SSL_TRACE_TEST +#endif + /* * This structure is used to validate that the correct number of log messages * of various types are emitted when emitting secret logs. @@ -13269,6 +13279,77 @@ static int test_no_renegotiation(int idx) return testresult; } +#if defined(DO_SSL_TRACE_TEST) +/* + * Tests that the SSL_trace() msg_callback works as expected with a PQ Groups. + */ +static int test_ssl_trace(void) +{ + SSL_CTX *sctx = NULL, *cctx = NULL; + SSL *serverssl = NULL, *clientssl = NULL; + int testresult = 0; + BIO *bio = NULL; + char *reffile = NULL; + char *grouplist = "MLKEM512:MLKEM768:MLKEM1024:X25519MLKEM768:SecP256r1MLKEM768" + ":SecP384r1MLKEM1024:secp521r1:secp384r1:secp256r1"; + + if (!fips_provider_version_ge(libctx, 3, 5, 0)) + return TEST_skip("FIPS provider does not support MLKEM algorithms"); + + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), + TLS1_3_VERSION, TLS1_3_VERSION, + &sctx, &cctx, cert, privkey)) + || !TEST_ptr(bio = BIO_new(BIO_s_mem())) + || !TEST_true(SSL_CTX_set1_groups_list(sctx, grouplist)) + || !TEST_true(SSL_CTX_set1_groups_list(cctx, grouplist)) + || !TEST_true(SSL_CTX_set_ciphersuites(cctx, + "TLS_AES_128_GCM_SHA256")) + || !TEST_true(SSL_CTX_set_ciphersuites(sctx, + "TLS_AES_128_GCM_SHA256")) +# ifdef SSL_OP_LEGACY_EC_POINT_FORMATS + || !TEST_true(SSL_CTX_set_options(cctx, SSL_OP_LEGACY_EC_POINT_FORMATS)) + || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_LEGACY_EC_POINT_FORMATS)) +# endif + || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL))) + goto err; + + SSL_set_msg_callback(clientssl, SSL_trace); + SSL_set_msg_callback_arg(clientssl, bio); + + if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) + goto err; + + /* Skip the comparison of the trace when the fips provider is used. */ + if (is_fips) { + /* Check whether there was something written. */ + if (!TEST_int_gt(BIO_pending(bio), 0)) + goto err; + } else { + +# ifdef OPENSSL_NO_ZLIB + reffile = test_mk_file_path(datadir, "ssltraceref.txt"); +# else + reffile = test_mk_file_path(datadir, "ssltraceref-zlib.txt"); +# endif + if (!TEST_true(compare_with_reference_file(bio, reffile))) + goto err; + } + + testresult = 1; + err: + BIO_free(bio); + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + OPENSSL_free(reffile); + + return testresult; +} +#endif + OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n") int setup_tests(void) @@ -13303,6 +13384,8 @@ int setup_tests(void) || !TEST_ptr(dhfile = test_get_argument(5))) return 0; + datadir = test_get_argument(6); + if (!TEST_true(OSSL_LIB_CTX_load_config(libctx, configfile))) return 0; @@ -13598,6 +13681,10 @@ int setup_tests(void) ADD_TEST(test_quic_tls_early_data); #endif ADD_ALL_TESTS(test_no_renegotiation, 2); +#if defined(DO_SSL_TRACE_TEST) + if (datadir != NULL) + ADD_TEST(test_ssl_trace); +#endif return 1; err: diff --git a/crypto/openssl/test/testec-sm2.pem b/crypto/openssl/test/testec-sm2.pem new file mode 100644 index 000000000000..30e25613b38e --- /dev/null +++ b/crypto/openssl/test/testec-sm2.pem @@ -0,0 +1,5 @@ +-----BEGIN SM2 PRIVATE KEY----- +MHcCAQEEIKPB7gEYKGAwAkz0MfGwQm0BXclgzvSTxQG9bm4RCAxXoAoGCCqBHM9V +AYItoUQDQgAE+FuibOpfjVfj716O3LglhK4HzjUR82mgn8kTZinQsEafw3FFZzZJ +vwHIGHUsSKxVTRIEs+BICQDBg99OA3VU/Q== +-----END SM2 PRIVATE KEY----- diff --git a/crypto/openssl/test/testutil.h b/crypto/openssl/test/testutil.h index f02dcdfba6f9..a262d9371955 100644 --- a/crypto/openssl/test/testutil.h +++ b/crypto/openssl/test/testutil.h @@ -652,4 +652,6 @@ X509 *load_cert_der(const unsigned char *bytes, int len); STACK_OF(X509) *load_certs_pem(const char *file); X509_REQ *load_csr_der(const char *file, OSSL_LIB_CTX *libctx); time_t test_asn1_string_to_time_t(const char *asn1_string); + +int compare_with_reference_file(BIO *membio, const char *reffile); #endif /* OSSL_TESTUTIL_H */ diff --git a/crypto/openssl/test/testutil/compare.c b/crypto/openssl/test/testutil/compare.c new file mode 100644 index 000000000000..067fb878b58e --- /dev/null +++ b/crypto/openssl/test/testutil/compare.c @@ -0,0 +1,88 @@ +/* + * Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "../testutil.h" + +static void strip_line_ends(char *str) +{ + size_t i; + + for (i = strlen(str); + i > 0 && (str[i - 1] == '\n' || str[i - 1] == '\r'); + i--); + + str[i] = '\0'; +} + +int compare_with_reference_file(BIO *membio, const char *reffile) +{ + BIO *file = NULL, *newfile = NULL; + char buf1[8192], buf2[8192]; + int ret = 0; + size_t i; + + if (!TEST_ptr(reffile)) + goto err; + + file = BIO_new_file(reffile, "rb"); + if (!TEST_ptr(file)) + goto err; + + newfile = BIO_new_file("ssltraceref-new.txt", "wb"); + if (!TEST_ptr(newfile)) + goto err; + + while (BIO_gets(membio, buf2, sizeof(buf2)) > 0) + if (BIO_puts(newfile, buf2) <= 0) { + TEST_error("Failed writing new file data"); + goto err; + } + + if (!TEST_int_ge(BIO_seek(membio, 0), 0)) + goto err; + + while (BIO_gets(file, buf1, sizeof(buf1)) > 0) { + size_t line_len; + + if (BIO_gets(membio, buf2, sizeof(buf2)) <= 0) { + TEST_error("Failed reading mem data"); + goto err; + } + strip_line_ends(buf1); + strip_line_ends(buf2); + line_len = strlen(buf1); + if (line_len > 0 && buf1[line_len - 1] == '?') { + /* Wildcard at the EOL means ignore anything after it */ + if (strlen(buf2) > line_len) + buf2[line_len] = '\0'; + } + if (line_len != strlen(buf2)) { + TEST_error("Actual and ref line data length mismatch"); + TEST_info("%s", buf1); + TEST_info("%s", buf2); + goto err; + } + for (i = 0; i < line_len; i++) { + /* '?' is a wild card character in the reference text */ + if (buf1[i] == '?') + buf2[i] = '?'; + } + if (!TEST_str_eq(buf1, buf2)) + goto err; + } + if (!TEST_true(BIO_eof(file)) + || !TEST_true(BIO_eof(membio))) + goto err; + + ret = 1; + err: + BIO_free(file); + BIO_free(newfile); + return ret; +} diff --git a/crypto/openssl/test/threadstest.c b/crypto/openssl/test/threadstest.c index 76db07f3baf6..d33ad46999c6 100644 --- a/crypto/openssl/test/threadstest.c +++ b/crypto/openssl/test/threadstest.c @@ -49,6 +49,7 @@ static int do_fips = 0; static char *privkey; +static char *storedir; static char *config_file = NULL; static int multidefault_run = 0; @@ -182,13 +183,16 @@ static void rwreader_fn(int *iterations) CRYPTO_atomic_add(&rwwriter2_done, 0, &lw2, atomiclock); count++; - if (rwwriter_ptr != NULL && old > *rwwriter_ptr) { - TEST_info("rwwriter pointer went backwards\n"); - rw_torture_result = 0; + if (rwwriter_ptr != NULL) { + if (old > *rwwriter_ptr) { + TEST_info("rwwriter pointer went backwards! %d : %d\n", + old, *rwwriter_ptr); + rw_torture_result = 0; + } + old = *rwwriter_ptr; } if (CRYPTO_THREAD_unlock(rwtorturelock) == 0) abort(); - *iterations = count; if (rw_torture_result == 0) { *iterations = count; return; @@ -320,7 +324,8 @@ static void writer_fn(int id, int *iterations) t1 = ossl_time_now(); for (count = 0; ; count++) { - new = CRYPTO_zalloc(sizeof(uint64_t), NULL, 0); + new = CRYPTO_malloc(sizeof(uint64_t), NULL, 0); + *new = (uint64_t)0xBAD; if (contention == 0) OSSL_sleep(1000); ossl_rcu_write_lock(rcu_lock); @@ -380,6 +385,8 @@ static void reader_fn(int *iterations) if (oldval > val) { TEST_info("rcu torture value went backwards! %llu : %llu", (unsigned long long)oldval, (unsigned long long)val); + if (valp == NULL) + TEST_info("ossl_rcu_deref did return NULL!"); rcu_torture_result = 0; } oldval = val; /* just try to deref the pointer */ @@ -1135,7 +1142,7 @@ static int test_multi_default(void) multidefault_run = 1; return thread_run_test(&thread_multi_simple_fetch, - 2, &thread_multi_simple_fetch, 0, default_provider); + 2, &thread_multi_simple_fetch, 0, NULL); } static int test_multi_load(void) @@ -1295,6 +1302,62 @@ static int test_pem_read(void) &test_pem_read_one, 1, default_provider); } +static X509_STORE *store = NULL; + +static void test_x509_store_by_subject(void) +{ + X509_STORE_CTX *ctx; + X509_OBJECT *obj = NULL; + X509_NAME *name = NULL; + int success = 0; + + ctx = X509_STORE_CTX_new(); + if (!TEST_ptr(ctx)) + goto err; + + if (!TEST_true(X509_STORE_CTX_init(ctx, store, NULL, NULL))) + goto err; + + name = X509_NAME_new(); + if (!TEST_ptr(name)) + goto err; + if (!TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, + (unsigned char *)"Root CA", + -1, -1, 0))) + goto err; + obj = X509_STORE_CTX_get_obj_by_subject(ctx, X509_LU_X509, name); + if (!TEST_ptr(obj)) + goto err; + + success = 1; + err: + X509_OBJECT_free(obj); + X509_STORE_CTX_free(ctx); + X509_NAME_free(name); + if (!success) + multi_set_success(0); +} + +/* Test accessing an X509_STORE from multiple threads */ +static int test_x509_store(void) +{ + int ret = 0; + + store = X509_STORE_new(); + if (!TEST_ptr(store)) + return 0; + if (!TEST_true(X509_STORE_load_store(store, storedir))) + goto err; + + ret = thread_run_test(&test_x509_store_by_subject, MAXIMUM_THREADS, + &test_x509_store_by_subject, 0, NULL); + + err: + X509_STORE_free(store); + store = NULL; + return ret; +} + typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, @@ -1341,6 +1404,10 @@ int setup_tests(void) if (!TEST_ptr(privkey)) return 0; + storedir = test_mk_file_path(datadir, "store"); + if (!TEST_ptr(storedir)) + return 0; + if (!TEST_ptr(global_lock = CRYPTO_THREAD_lock_new())) return 0; @@ -1379,12 +1446,14 @@ int setup_tests(void) ADD_TEST(test_bio_dgram_pair); #endif ADD_TEST(test_pem_read); + ADD_TEST(test_x509_store); return 1; } void cleanup_tests(void) { OPENSSL_free(privkey); + OPENSSL_free(storedir); #ifdef TSAN_REQUIRES_LOCKING CRYPTO_THREAD_lock_free(tsan_lock); #endif diff --git a/crypto/openssl/test/tls13groupselection_test.c b/crypto/openssl/test/tls13groupselection_test.c index 01d1eded5f87..351b3102c70b 100644 --- a/crypto/openssl/test/tls13groupselection_test.c +++ b/crypto/openssl/test/tls13groupselection_test.c @@ -311,17 +311,17 @@ static const struct tls13groupselection_test_st tls13groupselection_tests[] = { "X25519:secp256r1:X448:secp521r1:-X448:-secp256r1:-X25519:-secp521r1", "", CLIENT_PREFERENCE, - NEGOTIATION_FAILURE + NEGOTIATION_FAILURE, INIT }, { "secp384r1:secp521r1:X25519", /* test 39 */ "prime256v1:X448", CLIENT_PREFERENCE, - NEGOTIATION_FAILURE + NEGOTIATION_FAILURE, INIT }, { "secp521r1:secp384r1:X25519", /* test 40 */ "prime256v1:X448", SERVER_PREFERENCE, - NEGOTIATION_FAILURE + NEGOTIATION_FAILURE, INIT }, /* * These are allowed @@ -340,6 +340,15 @@ static const struct tls13groupselection_test_st tls13groupselection_tests[] = SERVER_PREFERENCE, "secp521r1", SH }, + /* + * Not a syntax error, but invalid because brainpoolP256r1 is the only + * key share and is not valid in TLSv1.3 + */ + { "*brainpoolP256r1:X25519", /* test 43 */ + "X25519", + SERVER_PREFERENCE, + NEGOTIATION_FAILURE, INIT + } }; static void server_response_check_cb(int write_p, int version, @@ -489,6 +498,10 @@ static int test_groupnegotiation(const struct tls13groupselection_test_st *curre ok = 1; } else { TEST_false_or_end(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)); + if (test_type == TEST_NEGOTIATION_FAILURE && + !TEST_int_eq((int)current_test_vector->expected_server_response, + (int)server_response)) + goto end; ok = 1; } diff --git a/crypto/openssl/test/wpackettest.c b/crypto/openssl/test/wpackettest.c index bd696e007407..c6d6faf5c485 100644 --- a/crypto/openssl/test/wpackettest.c +++ b/crypto/openssl/test/wpackettest.c @@ -588,7 +588,7 @@ static int test_WPACKET_quic_vlint_random(void) for (i = 0; i < 10000; ++i) { if (!TEST_int_gt(RAND_bytes(rand_data, sizeof(rand_data)), 0)) - return cleanup(&pkt); + return 0; memcpy(&expected, rand_data, sizeof(expected)); diff --git a/crypto/openssl/test/x509_test.c b/crypto/openssl/test/x509_test.c index 1c6e569a4c44..a9023a809471 100644 --- a/crypto/openssl/test/x509_test.c +++ b/crypto/openssl/test/x509_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -176,6 +176,112 @@ static int test_asn1_item_verify(void) return ret; } +static int test_x509_delete_last_extension(void) +{ + int ret = 0; + X509 *x509 = NULL; + X509_EXTENSION *ext = NULL; + ASN1_OBJECT *obj = NULL; + + if (!TEST_ptr((x509 = X509_new())) + /* Initially, there are no extensions and thus no extension list. */ + || !TEST_ptr_null(X509_get0_extensions(x509)) + /* Add an extension. */ + || !TEST_ptr((ext = X509_EXTENSION_new())) + || !TEST_ptr((obj = OBJ_nid2obj(NID_subject_key_identifier))) + || !TEST_int_eq(X509_EXTENSION_set_object(ext, obj), 1) + || !TEST_int_eq(X509_add_ext(x509, ext, -1), 1) + /* There should now be an extension list. */ + || !TEST_ptr(X509_get0_extensions(x509)) + || !TEST_int_eq(sk_X509_EXTENSION_num(X509_get0_extensions(x509)), 1)) + goto err; + + /* Delete the extension. */ + X509_EXTENSION_free(X509_delete_ext(x509, 0)); + + /* The extension list should be NULL again. */ + if (!TEST_ptr_null(X509_get0_extensions(x509))) + goto err; + + ret = 1; + +err: + X509_free(x509); + X509_EXTENSION_free(ext); + return ret; +} + +static int test_x509_crl_delete_last_extension(void) +{ + int ret = 0; + X509_CRL *crl = NULL; + X509_EXTENSION *ext = NULL; + ASN1_OBJECT *obj = NULL; + + if (!TEST_ptr((crl = X509_CRL_new())) + /* Initially, there are no extensions and thus no extension list. */ + || !TEST_ptr_null(X509_CRL_get0_extensions(crl)) + /* Add an extension. */ + || !TEST_ptr((ext = X509_EXTENSION_new())) + || !TEST_ptr((obj = OBJ_nid2obj(NID_subject_key_identifier))) + || !TEST_int_eq(X509_EXTENSION_set_object(ext, obj), 1) + || !TEST_int_eq(X509_CRL_add_ext(crl, ext, -1), 1) + /* There should now be an extension list. */ + || !TEST_ptr(X509_CRL_get0_extensions(crl)) + || !TEST_int_eq(sk_X509_EXTENSION_num(X509_CRL_get0_extensions(crl)), + 1)) + goto err; + + /* Delete the extension. */ + X509_EXTENSION_free(X509_CRL_delete_ext(crl, 0)); + + /* The extension list should be NULL again. */ + if (!TEST_ptr_null(X509_CRL_get0_extensions(crl))) + goto err; + + ret = 1; + +err: + X509_CRL_free(crl); + X509_EXTENSION_free(ext); + return ret; +} + +static int test_x509_revoked_delete_last_extension(void) +{ + int ret = 0; + X509_REVOKED *rev = NULL; + X509_EXTENSION *ext = NULL; + ASN1_OBJECT *obj = NULL; + + if (!TEST_ptr((rev = X509_REVOKED_new())) + /* Initially, there are no extensions and thus no extension list. */ + || !TEST_ptr_null(X509_REVOKED_get0_extensions(rev)) + /* Add an extension. */ + || !TEST_ptr((ext = X509_EXTENSION_new())) + || !TEST_ptr((obj = OBJ_nid2obj(NID_subject_key_identifier))) + || !TEST_int_eq(X509_EXTENSION_set_object(ext, obj), 1) + || !TEST_int_eq(X509_REVOKED_add_ext(rev, ext, -1), 1) + /* There should now be an extension list. */ + || !TEST_ptr(X509_REVOKED_get0_extensions(rev)) + || !TEST_int_eq(sk_X509_EXTENSION_num(X509_REVOKED_get0_extensions(rev)), 1)) + goto err; + + /* Delete the extension. */ + X509_EXTENSION_free(X509_REVOKED_delete_ext(rev, 0)); + + /* The extension list should be NULL again. */ + if (!TEST_ptr_null(X509_REVOKED_get0_extensions(rev))) + goto err; + + ret = 1; + +err: + X509_REVOKED_free(rev); + X509_EXTENSION_free(ext); + return ret; +} + OPT_TEST_DECLARE_USAGE("<pss-self-signed-cert.pem>\n") int setup_tests(void) @@ -210,6 +316,9 @@ int setup_tests(void) ADD_TEST(test_x509_tbs_cache); ADD_TEST(test_x509_crl_tbs_cache); ADD_TEST(test_asn1_item_verify); + ADD_TEST(test_x509_delete_last_extension); + ADD_TEST(test_x509_crl_delete_last_extension); + ADD_TEST(test_x509_revoked_delete_last_extension); return 1; } diff --git a/crypto/openssl/tools/c_rehash b/crypto/openssl/tools/c_rehash index 2377b88ceda9..f3fbdae831d9 100755 --- a/crypto/openssl/tools/c_rehash +++ b/crypto/openssl/tools/c_rehash @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # WARNING: do not edit! # Generated by Makefile from tools/c_rehash.in @@ -12,8 +12,8 @@ # Perl c_rehash script, scan all files in a directory # and add symbolic links to their hash values. -my $dir = "/usr/local/openssl"; -my $prefix = "/usr/local"; +my $dir = "etc"; +my $prefix = "/usr"; my $errorcount = 0; my $openssl = $ENV{OPENSSL} || "openssl"; diff --git a/crypto/openssl/util/perl/TLSProxy/Proxy.pm b/crypto/openssl/util/perl/TLSProxy/Proxy.pm index b76f9e931ec0..ccc4814f6fd2 100644 --- a/crypto/openssl/util/perl/TLSProxy/Proxy.pm +++ b/crypto/openssl/util/perl/TLSProxy/Proxy.pm @@ -97,7 +97,23 @@ sub new_dtls { sub init { - require IO::Socket::IP; + my $useSockInet = 0; + eval { + require IO::Socket::IP; + my $s = IO::Socket::IP->new( + LocalAddr => "::1", + LocalPort => 0, + Listen=>1, + ); + $s or die "\n"; + $s->close(); + }; + if ($@ eq "") { + require IO::Socket::IP; + } else { + $useSockInet = 1; + } + my $class = shift; my ($filter, $execute, @@ -118,8 +134,13 @@ sub init $test_client_port = 49152 + int(rand(65535 - 49152)); my $test_sock; if ($useINET6 == 0) { - $test_sock = IO::Socket::IP->new(LocalPort => $test_client_port, - LocalAddr => $test_client_addr); + if ($useSockInet == 0) { + $test_sock = IO::Socket::IP->new(LocalPort => $test_client_port, + LocalAddr => $test_client_addr); + } else { + $test_sock = IO::Socket::INET->new(LocalAddr => $test_client_addr, + LocalPort => $test_client_port); + } } else { $test_sock = IO::Socket::INET6->new(LocalAddr => $test_client_addr, LocalPort => $test_client_port, diff --git a/crypto/openssl/util/shlib_wrap.sh b/crypto/openssl/util/shlib_wrap.sh index 8b70f5048835..6754c25b9808 100755 --- a/crypto/openssl/util/shlib_wrap.sh +++ b/crypto/openssl/util/shlib_wrap.sh @@ -25,8 +25,8 @@ fi THERE="`echo $0 | sed -e 's|[^/]*$||' 2>/dev/null`.." [ -d "${THERE}" ] || exec "$@" # should never happen... -LIBCRYPTOSO="${THERE}/libcrypto.so.17" -LIBSSLSO="${THERE}/libssl.so.17" +LIBCRYPTOSO="${THERE}/libcrypto.so.3" +LIBSSLSO="${THERE}/libssl.so.3" SYSNAME=`(uname -s) 2>/dev/null`; case "$SYSNAME" in diff --git a/crypto/openssl/util/wrap.pl b/crypto/openssl/util/wrap.pl index 5d6af0a688a8..1b536c1885ac 100755 --- a/crypto/openssl/util/wrap.pl +++ b/crypto/openssl/util/wrap.pl @@ -1,4 +1,4 @@ -#! /usr/local/bin/perl +#! /usr/bin/env perl use strict; use warnings; @@ -9,7 +9,7 @@ use File::Spec::Functions; BEGIN { # This method corresponds exactly to 'use OpenSSL::Util', # but allows us to use a platform specific file spec. - require '/home/khorben/Projects/FreeBSD/ports/security/openssl35/work/openssl-3.5.1/util/perl/OpenSSL/Util.pm'; + require '/usr/home/ngie/git/freebsd-src/worktree/main/crypto/openssl/util/perl/OpenSSL/Util.pm'; OpenSSL::Util->import(); } @@ -53,14 +53,14 @@ my $unix_shlib_wrap = catfile($there, 'util/shlib_wrap.sh'); my $std_openssl_conf_include; if ($ARGV[0] eq '-fips') { - $std_openssl_conf = '/home/khorben/Projects/FreeBSD/ports/security/openssl35/work/openssl-3.5.1/test/fips-and-base.cnf'; + $std_openssl_conf = '/usr/home/ngie/git/freebsd-src/worktree/main/crypto/openssl/test/fips-and-base.cnf'; shift; $std_openssl_conf_include = catdir($there, 'providers'); } if ($ARGV[0] eq '-jitter') { - $std_openssl_conf = '/home/khorben/Projects/FreeBSD/ports/security/openssl35/work/openssl-3.5.1/test/default-and-jitter.cnf'; + $std_openssl_conf = '/usr/home/ngie/git/freebsd-src/worktree/main/crypto/openssl/test/default-and-jitter.cnf'; shift; $std_openssl_conf_include = catdir($there, 'providers'); |