Module Name: src Committed By: christos Date: Wed May 31 19:30:30 UTC 2023
Modified Files: src/crypto/external/bsd/openssl/dist: Configure src/crypto/external/bsd/openssl/dist/apps: cmp.c openssl.cnf s_server.c src/crypto/external/bsd/openssl/dist/apps/lib: apps.c src/crypto/external/bsd/openssl/dist/crypto/asn1: asn_pack.c src/crypto/external/bsd/openssl/dist/crypto/bio: bio_lib.c src/crypto/external/bsd/openssl/dist/crypto/bn: bn_lib.c bn_nist.c src/crypto/external/bsd/openssl/dist/crypto/conf: conf_def.c src/crypto/external/bsd/openssl/dist/crypto/engine: eng_lib.c src/crypto/external/bsd/openssl/dist/crypto/ui: ui_lib.c src/crypto/external/bsd/openssl/dist/crypto/x509: x509_vfy.c src/crypto/external/bsd/openssl/dist/engines: e_padlock.c src/crypto/external/bsd/openssl/dist/include/internal: refcount.h src/crypto/external/bsd/openssl/dist/ssl: ssl_sess.c t1_lib.c src/crypto/external/bsd/openssl/dist/test: destest.c dsatest.c ecdsatest.c evp_extra_test.c src/crypto/external/bsd/openssl/dist/test/testutil: provider.c Removed Files: src/crypto/external/bsd/openssl/dist/crypto/bn: rsa_sup_mul.c Log Message: merge conflicts between 3.0.8 and 3.0.9 To generate a diff of this commit: cvs rdiff -u -r1.32 -r1.33 src/crypto/external/bsd/openssl/dist/Configure cvs rdiff -u -r1.2 -r1.3 src/crypto/external/bsd/openssl/dist/apps/cmp.c cvs rdiff -u -r1.10 -r1.11 \ src/crypto/external/bsd/openssl/dist/apps/openssl.cnf cvs rdiff -u -r1.27 -r1.28 \ src/crypto/external/bsd/openssl/dist/apps/s_server.c cvs rdiff -u -r1.3 -r1.4 src/crypto/external/bsd/openssl/dist/apps/lib/apps.c cvs rdiff -u -r1.4 -r1.5 \ src/crypto/external/bsd/openssl/dist/crypto/asn1/asn_pack.c cvs rdiff -u -r1.8 -r1.9 \ src/crypto/external/bsd/openssl/dist/crypto/bio/bio_lib.c cvs rdiff -u -r1.16 -r1.17 \ src/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c cvs rdiff -u -r1.8 -r1.9 \ src/crypto/external/bsd/openssl/dist/crypto/bn/bn_nist.c cvs rdiff -u -r1.1.1.2 -r0 \ src/crypto/external/bsd/openssl/dist/crypto/bn/rsa_sup_mul.c cvs rdiff -u -r1.14 -r1.15 \ 
src/crypto/external/bsd/openssl/dist/crypto/conf/conf_def.c cvs rdiff -u -r1.10 -r1.11 \ src/crypto/external/bsd/openssl/dist/crypto/engine/eng_lib.c cvs rdiff -u -r1.8 -r1.9 \ src/crypto/external/bsd/openssl/dist/crypto/ui/ui_lib.c cvs rdiff -u -r1.27 -r1.28 \ src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c cvs rdiff -u -r1.8 -r1.9 \ src/crypto/external/bsd/openssl/dist/engines/e_padlock.c cvs rdiff -u -r1.6 -r1.7 \ src/crypto/external/bsd/openssl/dist/include/internal/refcount.h cvs rdiff -u -r1.11 -r1.12 \ src/crypto/external/bsd/openssl/dist/ssl/ssl_sess.c cvs rdiff -u -r1.36 -r1.37 src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c cvs rdiff -u -r1.4 -r1.5 src/crypto/external/bsd/openssl/dist/test/destest.c cvs rdiff -u -r1.5 -r1.6 src/crypto/external/bsd/openssl/dist/test/dsatest.c cvs rdiff -u -r1.7 -r1.8 \ src/crypto/external/bsd/openssl/dist/test/ecdsatest.c cvs rdiff -u -r1.12 -r1.13 \ src/crypto/external/bsd/openssl/dist/test/evp_extra_test.c cvs rdiff -u -r1.2 -r1.3 \ src/crypto/external/bsd/openssl/dist/test/testutil/provider.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/crypto/external/bsd/openssl/dist/Configure diff -u src/crypto/external/bsd/openssl/dist/Configure:1.32 src/crypto/external/bsd/openssl/dist/Configure:1.33 --- src/crypto/external/bsd/openssl/dist/Configure:1.32 Sun May 7 14:40:15 2023 +++ src/crypto/external/bsd/openssl/dist/Configure Wed May 31 15:30:28 2023 @@ -1423,7 +1423,7 @@ if ($target =~ /^mingw/ && `$config{CC} } if ($target =~ /linux.*-mips/ && !$disabled{asm} - && !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { + && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { # minimally required architecture flags for assembly modules my $value; $value = '-mips2' if ($target =~ /mips32/); Index: src/crypto/external/bsd/openssl/dist/apps/cmp.c diff -u src/crypto/external/bsd/openssl/dist/apps/cmp.c:1.2 src/crypto/external/bsd/openssl/dist/apps/cmp.c:1.3 --- src/crypto/external/bsd/openssl/dist/apps/cmp.c:1.2 Sun May 7 14:40:15 2023 +++ src/crypto/external/bsd/openssl/dist/apps/cmp.c Wed May 31 15:30:28 2023 @@ -1,5 +1,5 @@ /* - * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -158,6 +158,7 @@ static char *opt_reqin = NULL; static int opt_reqin_new_tid = 0; static char *opt_reqout = NULL; static char *opt_rspin = NULL; +static int rspin_in_use = 0; static char *opt_rspout = NULL; static int opt_use_mock_srv = 0; @@ -371,7 +372,7 @@ const OPTIONS cmp_options[] = { OPT_SECTION("Server authentication"), {"trusted", OPT_TRUSTED, 's', - "Certificates to trust as chain roots when verifying signed CMP responses"}, + "Certificates to use as trust anchors when verifying signed CMP responses"}, {OPT_MORE_STR, 0, 0, "unless -srvcert is given"}, {"untrusted", OPT_UNTRUSTED, 's', "Intermediate CA certs for chain construction for CMP/TLS/enrolled certs"}, 
@@ -417,7 +418,7 @@ const OPTIONS cmp_options[] = { {OPT_MORE_STR, 0, 0, "This can be used as the default CMP signer cert chain to include"}, {"unprotected_requests", OPT_UNPROTECTED_REQUESTS, '-', - "Send messages without CMP-level protection"}, + "Send request messages without CMP-level protection"}, OPT_SECTION("Credentials format"), {"certform", OPT_CERTFORM, 's', @@ -462,13 +463,16 @@ const OPTIONS cmp_options[] = { "Do not interactively prompt for input when a password is required etc."}, {"repeat", OPT_REPEAT, 'p', "Invoke the transaction the given positive number of times. Default 1"}, - {"reqin", OPT_REQIN, 's', "Take sequence of CMP requests from file(s)"}, + {"reqin", OPT_REQIN, 's', + "Take sequence of CMP requests to send to server from file(s)"}, {"reqin_new_tid", OPT_REQIN_NEW_TID, '-', "Use fresh transactionID for CMP requests read from -reqin"}, - {"reqout", OPT_REQOUT, 's', "Save sequence of CMP requests to file(s)"}, + {"reqout", OPT_REQOUT, 's', + "Save sequence of CMP requests created by the client to file(s)"}, {"rspin", OPT_RSPIN, 's', "Process sequence of CMP responses provided in file(s), skipping server"}, - {"rspout", OPT_RSPOUT, 's', "Save sequence of CMP responses to file(s)"}, + {"rspout", OPT_RSPOUT, 's', + "Save sequence of actually used CMP responses to file(s)"}, {"use_mock_srv", OPT_USE_MOCK_SRV, '-', "Use internal mock server at API level, bypassing socket-based HTTP"}, @@ -754,12 +758,12 @@ static int write_PKIMESSAGE(const OSSL_C } /* read DER-encoded OSSL_CMP_MSG from the specified file name item */ -static OSSL_CMP_MSG *read_PKIMESSAGE(char **filenames) +static OSSL_CMP_MSG *read_PKIMESSAGE(const char *desc, char **filenames) { char *file; OSSL_CMP_MSG *ret; - if (filenames == NULL) { + if (filenames == NULL || desc == NULL) { CMP_err("NULL arg to read_PKIMESSAGE"); return NULL; } 
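Review bot: The one-line comment above read_PKIMESSAGE still describes only the file name argument, although the new `desc` parameter is mandatory (a NULL value is rejected together with a NULL `filenames`). Per the following hunk it is printed in front of the file name through `CMP_info2("%s %s", desc, file)` on a successful read. Suggest extending the comment, for example `/* read DER-encoded OSSL_CMP_MSG from the specified file name item; desc is a short phrase logged before the file name on success */`. The function body continues outside this hunk.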
@@ -774,6 +778,8 @@ static OSSL_CMP_MSG *read_PKIMESSAGE(cha ret = OSSL_CMP_MSG_read(file, app_get0_libctx(), app_get0_propq()); if (ret == NULL) CMP_err1("cannot read PKIMessage from file '%s'", file); + else + CMP_info2("%s %s", desc, file); return ret; } @@ -795,7 +801,7 @@ static OSSL_CMP_MSG *read_write_req_resp && !write_PKIMESSAGE(req, &opt_reqout)) goto err; if (opt_reqin != NULL && opt_rspin == NULL) { - if ((req_new = read_PKIMESSAGE(&opt_reqin)) == NULL) + if ((req_new = read_PKIMESSAGE("actually sending", &opt_reqin)) == NULL) goto err; /*- * The transaction ID in req_new read from opt_reqin may not be fresh. 
@@ -805,22 +811,44 @@ static OSSL_CMP_MSG *read_write_req_resp if (opt_reqin_new_tid && !OSSL_CMP_MSG_update_transactionID(ctx, req_new)) goto err; + + /* + * Except for first request, need to satisfy recipNonce check by server. + * Unfortunately requires re-protection if protection is required. + */ + if (!OSSL_CMP_MSG_update_recipNonce(ctx, req_new)) + goto err; } if (opt_rspin != NULL) { - res = read_PKIMESSAGE(&opt_rspin); + res = read_PKIMESSAGE("actually using", &opt_rspin); } else { - const OSSL_CMP_MSG *actual_req = opt_reqin != NULL ? req_new : req; + const OSSL_CMP_MSG *actual_req = req_new != NULL ? req_new : req; - res = opt_use_mock_srv - ? OSSL_CMP_CTX_server_perform(ctx, actual_req) - : OSSL_CMP_MSG_http_perform(ctx, actual_req); + if (opt_use_mock_srv) { + if (rspin_in_use) + CMP_warn("too few -rspin filename arguments; resorting to using mock server"); + res = OSSL_CMP_CTX_server_perform(ctx, actual_req); + } else { +#ifndef OPENSSL_NO_SOCK + if (opt_server == NULL) { + CMP_err("missing -server or -use_mock_srv option, or too few -rspin filename arguments"); + goto err; + } + if (rspin_in_use) + CMP_warn("too few -rspin filename arguments; resorting to contacting server"); + res = OSSL_CMP_MSG_http_perform(ctx, actual_req); +#else + CMP_err("-server not supported on no-sock build; missing -use_mock_srv option or too few -rspin filename arguments"); +#endif + } + rspin_in_use = 0; } if (res == NULL) goto err; - if (opt_reqin != NULL || prev_opt_rspin != NULL) { - /* need to satisfy nonce and transactionID checks */ + if (req_new != NULL || prev_opt_rspin != NULL) { + /* need to satisfy nonce and transactionID checks by client */ ASN1_OCTET_STRING *nonce; ASN1_OCTET_STRING *tid; 
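Review bot: In the `#else` (no-sock) branch added to read_write_req_resp, the `CMP_err(...)` call is not followed by `goto err;`, unlike the `opt_server == NULL` case directly above it. The failure is therefore only caught by the later `if (res == NULL) goto err;`, and only if `res` is still NULL at that point; its initialisation is outside the hunk. Adding `goto err;` after that `CMP_err` would make the error path explicit and symmetric with the socket build. The comment on `OSSL_CMP_MSG_update_recipNonce` says re-protection is required when protection is in use, but nothing in the hunk shows where that happens, so a pointer to the responsible code would help.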
@@ -1024,10 +1052,10 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(E goto err; } } else if (opt_srv_cert == NULL) { - CMP_err("mock server credentials must be given if -use_mock_srv or -port is used"); + CMP_err("server credentials (-srv_secret or -srv_cert) must be given if -use_mock_srv or -port is used"); goto err; } else { - CMP_warn("mock server will not be able to handle PBM-protected requests since -srv_secret is not given"); + CMP_warn("server will not be able to handle PBM-protected requests since -srv_secret is not given"); } if (opt_srv_secret == NULL @@ -1121,7 +1149,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(E goto err; if (opt_send_error) - (void)ossl_cmp_mock_srv_set_send_error(srv_ctx, 1); + (void)ossl_cmp_mock_srv_set_sendError(srv_ctx, 1); if (opt_send_unprotected) (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_SEND, 1); @@ -1283,7 +1311,9 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_C /* disable any cert status/revocation checking etc. */ X509_VERIFY_PARAM_clear_flags(tls_vpm, ~(X509_V_FLAG_USE_CHECK_TIME - | X509_V_FLAG_NO_CHECK_TIME)); + | X509_V_FLAG_NO_CHECK_TIME + | X509_V_FLAG_PARTIAL_CHAIN + | X509_V_FLAG_POLICY_CHECK)); } CMP_debug("trying to build cert chain for own TLS cert"); if (SSL_CTX_build_cert_chain(ssl_ctx, 
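Review bot: In the setup_ssl_ctx hunk the comment `/* disable any cert status/revocation checking etc. */` no longer describes the mask passed to `X509_VERIFY_PARAM_clear_flags`. The complemented set now keeps `X509_V_FLAG_PARTIAL_CHAIN` and `X509_V_FLAG_POLICY_CHECK` in addition to the two time flags, so those settings stay in effect while the chain for the own TLS certificate is built. Suggest rewording it to say what is preserved, e.g. `/* clear all flags except time, partial-chain and policy checking, i.e. disable cert status/revocation checks etc. */`. The surrounding block starts and ends outside the hunk.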
@@ -1498,10 +1528,25 @@ static int setup_request_ctx(OSSL_CMP_CT CMP_warn("no -subject given; no -csr or -oldcert or -cert available for fallback"); if (opt_cmd == CMP_IR || opt_cmd == CMP_CR || opt_cmd == CMP_KUR) { - if (opt_newkey == NULL && opt_key == NULL && opt_csr == NULL) { - CMP_err("missing -newkey (or -key) to be certified and no -csr given"); + if (opt_newkey == NULL + && opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL) { + CMP_err("missing -newkey (or -key) to be certified and no -csr, -oldcert, or -cert given for fallback public key"); return 0; } + if (opt_newkey == NULL + && opt_popo != OSSL_CRMF_POPO_NONE + && opt_popo != OSSL_CRMF_POPO_RAVERIFIED) { + if (opt_csr != NULL) { + CMP_err1("no -newkey option given with private key for POPO, -csr option only provides public key%s", + opt_key == NULL ? "" : + ", and -key option superseded by by -csr"); + return 0; + } + if (opt_key == NULL) { + CMP_err("missing -newkey (or -key) option for POPO"); + return 0; + } + } if (opt_certout == NULL) { CMP_err("-certout not given, nowhere to save newly enrolled certificate"); return 0; @@ -1897,8 +1942,11 @@ static int setup_client_ctx(OSSL_CMP_CTX (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_TOTAL_TIMEOUT, opt_total_timeout); - if (opt_reqin != NULL && opt_rspin != NULL) - CMP_warn("-reqin is ignored since -rspin is present"); + if (opt_rspin != NULL) { + rspin_in_use = 1; + if (opt_reqin != NULL) + CMP_warn("-reqin is ignored since -rspin is present"); + } if (opt_reqin_new_tid && opt_reqin == NULL) CMP_warn("-reqin_new_tid is ignored since -reqin is not present"); if (opt_reqin != NULL || opt_reqout != NULL 
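Review bot: The new POPO error text in setup_request_ctx contains a doubled word: `", and -key option superseded by by -csr"` should read `", and -key option superseded by -csr"`. The first message in the same hunk names `-cert` as a fallback source for the public key, but the visible condition tests only `opt_newkey`, `opt_key`, `opt_csr` and `opt_oldcert`. Whether `opt_oldcert` has already been defaulted from `-cert` is outside the hunk; if it has not, the message and the condition disagree.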
@@ -1923,12 +1971,14 @@ static int setup_client_ctx(OSSL_CMP_CTX if ((info = OPENSSL_zalloc(sizeof(*info))) == NULL) goto err; (void)OSSL_CMP_CTX_set_http_cb_arg(ctx, info); - info->server = opt_server; - info->port = server_port; + info->ssl_ctx = setup_ssl_ctx(ctx, host, engine); + info->server = host; + host = NULL; /* prevent deallocation */ + if ((info->port = OPENSSL_strdup(server_port)) == NULL) + goto err; /* workaround for callback design flaw, see #17088: */ info->use_proxy = proxy_host != NULL; info->timeout = OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_MSG_TIMEOUT); - info->ssl_ctx = setup_ssl_ctx(ctx, host, engine); if (info->ssl_ctx == NULL) goto err; @@ -1952,7 +2002,9 @@ static int setup_client_ctx(OSSL_CMP_CTX /* not printing earlier, to minimize confusion in case setup fails before */ if (opt_rspin != NULL) - CMP_info("will not contact any server since -rspin is given"); + CMP_info2("will contact %s%s " + "only if -rspin argument gives too few filenames", + server_buf, proxy_buf); else CMP_info2("will contact %s%s", server_buf, proxy_buf); @@ -2847,8 +2899,16 @@ int cmp_main(int argc, char **argv) CMP_err("-tls_used option not supported with -port option"); goto err; } - if (opt_use_mock_srv || opt_server != NULL || opt_rspin != NULL) { - CMP_err("cannot use -port with -use_mock_srv, -server, or -rspin options"); + if (opt_server != NULL || opt_use_mock_srv) { + CMP_err("The -port option excludes -server and -use_mock_srv"); + goto err; + } + if (opt_reqin != NULL || opt_reqout != NULL) { + CMP_err("The -port option does not support -reqin and -reqout"); + goto err; + } + if (opt_rspin != NULL || opt_rspout != NULL) { + CMP_err("The -port option does not support -rspin and -rspout"); goto err; } } @@ -2857,10 +2917,6 @@ int cmp_main(int argc, char **argv) goto err; } #endif - if (opt_rspin != NULL && opt_use_mock_srv) { - CMP_err("cannot use both -rspin and -use_mock_srv options"); - goto err; - } if (opt_use_mock_srv #ifndef OPENSSL_NO_SOCK 
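Review bot: In setup_client_ctx the result of `setup_ssl_ctx(ctx, host, engine)` is now tested only after `info->server`, `host` and `info->port` have been updated, so the NULL check sits several statements away from the call. Moving `if (info->ssl_ctx == NULL) goto err;` directly below the call would keep the check next to what it guards. The hunk also makes `info` the owner of the host string and of a duplicated port, which the cleanup hunk in cmp_main (`@@ -3010,7 +3066,11`) releases through `(char *)` casts, presumably because the fields are const-qualified. A comment at the assignment, such as `/* info now owns server and port; both are freed in cmp_main */`, would record that transfer. The err label and the declaration of `info` are outside the hunk.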
@@ -2881,8 +2937,8 @@ int cmp_main(int argc, char **argv) } #ifndef OPENSSL_NO_SOCK - if (opt_tls_used && (opt_use_mock_srv || opt_rspin != NULL)) { - CMP_warn("ignoring -tls_used option since -use_mock_srv or -rspin is given"); + if (opt_tls_used && (opt_use_mock_srv || opt_server == NULL)) { + CMP_warn("ignoring -tls_used option since -use_mock_srv is given or -server is not given"); opt_tls_used = 0; } @@ -2893,11 +2949,11 @@ int cmp_main(int argc, char **argv) /* act as CMP client, possibly using internal mock server */ - if (opt_server != NULL) { - if (opt_rspin != NULL) { - CMP_warn("ignoring -server option since -rspin is given"); - opt_server = NULL; - } + if (opt_rspin != NULL) { + if (opt_server != NULL) + CMP_warn("-server option is not used if enough filenames given for -rspin"); + if (opt_use_mock_srv) + CMP_warn("-use_mock_srv option is not used if enough filenames given for -rspin"); } #endif @@ -3010,7 +3066,11 @@ int cmp_main(int argc, char **argv) /* cannot free info already here, as it may be used indirectly by: */ OSSL_CMP_CTX_free(cmp_ctx); #ifndef OPENSSL_NO_SOCK - APP_HTTP_TLS_INFO_free(info); + if (info != NULL) { + OPENSSL_free((char *)info->server); + OPENSSL_free((char *)info->port); + APP_HTTP_TLS_INFO_free(info); + } #endif } X509_VERIFY_PARAM_free(vpm); Index: src/crypto/external/bsd/openssl/dist/apps/openssl.cnf diff -u src/crypto/external/bsd/openssl/dist/apps/openssl.cnf:1.10 src/crypto/external/bsd/openssl/dist/apps/openssl.cnf:1.11 --- src/crypto/external/bsd/openssl/dist/apps/openssl.cnf:1.10 Sun May 7 14:40:15 2023 +++ src/crypto/external/bsd/openssl/dist/apps/openssl.cnf Wed May 31 15:30:28 2023 @@ -356,7 +356,7 @@ cmd = ir # default operation, can be ove # Certificate enrollment subject = "/CN=openssl-cmp-test" newkey = insta.priv.pem -out_trusted = insta.ca.crt +out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature certout = insta.cert.pem [pbm] # Password-based protection for Insta CA 
@@ -366,7 +366,7 @@ secret = $insta::secret # pass:insta [signature] # Signature-based protection for Insta CA # Server authentication -trusted = insta.ca.crt # does not include keyUsage digitalSignature +trusted = $insta::out_trusted # apps/insta.ca.crt # Client authentication secret = # disable PBM Index: src/crypto/external/bsd/openssl/dist/apps/s_server.c diff -u src/crypto/external/bsd/openssl/dist/apps/s_server.c:1.27 src/crypto/external/bsd/openssl/dist/apps/s_server.c:1.28 --- src/crypto/external/bsd/openssl/dist/apps/s_server.c:1.27 Sun May 7 14:40:15 2023 +++ src/crypto/external/bsd/openssl/dist/apps/s_server.c Wed May 31 15:30:28 2023 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -229,6 +229,7 @@ static int psk_find_session_cb(SSL *ssl, || !SSL_SESSION_set_cipher(tmpsess, cipher) || !SSL_SESSION_set_protocol_version(tmpsess, SSL_version(ssl))) { OPENSSL_free(key); + SSL_SESSION_free(tmpsess); return 0; } OPENSSL_free(key); Index: src/crypto/external/bsd/openssl/dist/apps/lib/apps.c diff -u src/crypto/external/bsd/openssl/dist/apps/lib/apps.c:1.3 src/crypto/external/bsd/openssl/dist/apps/lib/apps.c:1.4 --- src/crypto/external/bsd/openssl/dist/apps/lib/apps.c:1.3 Thu May 25 13:20:14 2023 +++ src/crypto/external/bsd/openssl/dist/apps/lib/apps.c Wed May 31 15:30:28 2023 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -2474,6 +2474,10 @@ BIO *app_http_tls_cb(BIO *bio, void *arg if (connect) { SSL *ssl; BIO *sbio = NULL; + X509_STORE *ts = SSL_CTX_get_cert_store(ssl_ctx); + X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts); + const char *host = vpm == NULL ? NULL : + X509_VERIFY_PARAM_get0_host(vpm, 0 /* first hostname */); /* adapt after fixing callback design flaw, see #17088 */ if ((info->use_proxy @@ -2488,8 +2492,8 @@ BIO *app_http_tls_cb(BIO *bio, void *arg return NULL; } - /* adapt after fixing callback design flaw, see #17088 */ - SSL_set_tlsext_host_name(ssl, info->server); /* not critical to do */ + if (vpm != NULL) + SSL_set_tlsext_host_name(ssl, host /* may be NULL */); SSL_set_connect_state(ssl); BIO_set_ssl(sbio, ssl, BIO_CLOSE); Index: src/crypto/external/bsd/openssl/dist/crypto/asn1/asn_pack.c diff -u src/crypto/external/bsd/openssl/dist/crypto/asn1/asn_pack.c:1.4 src/crypto/external/bsd/openssl/dist/crypto/asn1/asn_pack.c:1.5 --- src/crypto/external/bsd/openssl/dist/crypto/asn1/asn_pack.c:1.4 Sun May 7 14:40:16 2023 +++ src/crypto/external/bsd/openssl/dist/crypto/asn1/asn_pack.c Wed May 31 15:30:28 2023 @@ -1,5 +1,5 @@ /* - * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
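Review bot: In app_http_tls_cb the new declarations pass `ts` straight to `X509_STORE_get0_param`, while `vpm` is checked for NULL before it is used. If a NULL store is possible here the call needs the same guard, e.g. `X509_VERIFY_PARAM *vpm = ts == NULL ? NULL : X509_STORE_get0_param(ts);`; if it is not, a short comment saying so would help. The second hunk removes the old comment on `SSL_set_tlsext_host_name` without replacing it. Something like `/* use the hostname configured for certificate verification as SNI; not critical to do */` would explain why `info->server` is no longer used and why the return value is ignored. Whether `ssl_ctx` is validated earlier in the function is outside these hunks.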
@@ -29,7 +29,7 @@ ASN1_STRING *ASN1_item_pack(void *obj, c OPENSSL_free(octmp->data); octmp->data = NULL; - if ((octmp->length = ASN1_item_i2d(obj, &octmp->data, it)) == 0) { + if ((octmp->length = ASN1_item_i2d(obj, &octmp->data, it)) <= 0) { ERR_raise(ERR_LIB_ASN1, ASN1_R_ENCODE_ERROR); goto err; } Index: src/crypto/external/bsd/openssl/dist/crypto/bio/bio_lib.c diff -u src/crypto/external/bsd/openssl/dist/crypto/bio/bio_lib.c:1.8 src/crypto/external/bsd/openssl/dist/crypto/bio/bio_lib.c:1.9 --- src/crypto/external/bsd/openssl/dist/crypto/bio/bio_lib.c:1.8 Sun May 7 14:40:16 2023 +++ src/crypto/external/bsd/openssl/dist/crypto/bio/bio_lib.c Wed May 31 15:30:28 2023 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -784,7 +784,7 @@ BIO *BIO_dup_chain(BIO *in) /* This will let SSL_s_sock() work with stdin/stdout */ new_bio->num = bio->num; - if (!BIO_dup_state(bio, (char *)new_bio)) { + if (BIO_dup_state(bio, (char *)new_bio) <= 0) { BIO_free(new_bio); goto err; } Index: src/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c diff -u src/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c:1.16 src/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c:1.17 --- src/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c:1.16 Sun May 7 14:40:17 2023 +++ src/crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c Wed May 31 15:30:29 2023 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
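Review bot: In ASN1_item_pack the return value of `ASN1_item_i2d` is stored in `octmp->length` before it is tested, so with the widened `<= 0` check a negative error code is left in the string's length field when control reaches `err`. If `octmp` can be the caller's own string (how it is obtained is outside the hunk), the caller would get back an object with a negative length and a NULL data pointer. Using a local avoids that: `int len = ASN1_item_i2d(obj, &octmp->data, it);`, then `if (len <= 0) { ... goto err; }` and `octmp->length = len;`.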
@@ -1021,6 +1021,28 @@ BIGNUM *bn_wexpand(BIGNUM *a, int words) return (words <= a->dmax) ? a : bn_expand2(a, words); } +void bn_correct_top_consttime(BIGNUM *a) +{ + int j, atop; + BN_ULONG limb; + unsigned int mask; + + for (j = 0, atop = 0; j < a->dmax; j++) { + limb = a->d[j]; + limb |= 0 - limb; + limb >>= BN_BITS2 - 1; + limb = 0 - limb; + mask = (unsigned int)limb; + mask &= constant_time_msb(j - a->top); + atop = constant_time_select_int(mask, j + 1, atop); + } + + mask = constant_time_eq_int(atop, 0); + a->top = atop; + a->neg = constant_time_select_int(mask, 0, a->neg); + a->flags &= ~BN_FLG_FIXED_TOP; +} + void bn_correct_top(BIGNUM *a) { BN_ULONG *ftl; Index: src/crypto/external/bsd/openssl/dist/crypto/bn/bn_nist.c diff -u src/crypto/external/bsd/openssl/dist/crypto/bn/bn_nist.c:1.8 src/crypto/external/bsd/openssl/dist/crypto/bn/bn_nist.c:1.9 --- src/crypto/external/bsd/openssl/dist/crypto/bn/bn_nist.c:1.8 Sun May 7 14:40:17 2023 +++ src/crypto/external/bsd/openssl/dist/crypto/bn/bn_nist.c Wed May 31 15:30:29 2023 @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -338,7 +338,6 @@ int BN_nist_mod_192(BIGNUM *r, const BIG sizeof(unsigned int)]; } buf; BN_ULONG c_d[BN_NIST_192_TOP], *res; - PTR_SIZE_INT mask; static const BIGNUM ossl_bignum_nist_p_192_sqr = { (BN_ULONG *)_nist_p_192_sqr, OSSL_NELEM(_nist_p_192_sqr), 
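Review bot: bn_correct_top_consttime is added in bn_lib.c without any comment, although its contract differs from bn_correct_top directly below it. It walks all `a->dmax` limbs instead of stopping at the current top, selects the new top with the `constant_time_*` helpers, resets `neg` when the value is zero, and clears `BN_FLG_FIXED_TOP`. Suggest a header comment stating this, and that the loop count depends only on `dmax`. It should also note that limbs at index `top` and above are read even though `constant_time_msb(j - a->top)` masks them out, so callers need those words to be valid, initialised memory.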
@@ -439,13 +438,9 @@ int BN_nist_mod_192(BIGNUM *r, const BIG * 'tmp=result-modulus; if (!carry || !borrow) result=tmp;' * this is what happens below, but without explicit if:-) a. */ - mask = - 0 - (PTR_SIZE_INT) bn_sub_words(c_d, r_d, _nist_p_192[0], - BN_NIST_192_TOP); - mask &= 0 - (PTR_SIZE_INT) carry; - res = c_d; - res = (BN_ULONG *) - (((PTR_SIZE_INT) res & ~mask) | ((PTR_SIZE_INT) r_d & mask)); + res = (bn_sub_words(c_d, r_d, _nist_p_192[0], BN_NIST_192_TOP) && carry) + ? r_d + : c_d; nist_cp_bn(r_d, res, BN_NIST_192_TOP); r->top = BN_NIST_192_TOP; bn_correct_top(r); @@ -479,11 +474,7 @@ int BN_nist_mod_224(BIGNUM *r, const BIG sizeof(unsigned int)]; } buf; BN_ULONG c_d[BN_NIST_224_TOP], *res; - PTR_SIZE_INT mask; - union { - bn_addsub_f f; - PTR_SIZE_INT p; - } u; + bn_addsub_f adjust; static const BIGNUM ossl_bignum_nist_p_224_sqr = { (BN_ULONG *)_nist_p_224_sqr, OSSL_NELEM(_nist_p_224_sqr), @@ -597,7 +588,7 @@ int BN_nist_mod_224(BIGNUM *r, const BIG # endif } #endif - u.f = bn_sub_words; + adjust = bn_sub_words; if (carry > 0) { carry = (int)bn_sub_words(r_d, r_d, _nist_p_224[carry - 1], @@ -616,19 +607,14 @@ int BN_nist_mod_224(BIGNUM *r, const BIG carry = (int)bn_add_words(r_d, r_d, _nist_p_224[-carry - 1], BN_NIST_224_TOP); - mask = 0 - (PTR_SIZE_INT) carry; - u.p = ((PTR_SIZE_INT) bn_sub_words & mask) | - ((PTR_SIZE_INT) bn_add_words & ~mask); + adjust = carry ? bn_sub_words : bn_add_words; } else carry = 1; /* otherwise it's effectively same as in BN_nist_mod_192... */ - mask = - 0 - (PTR_SIZE_INT) (*u.f) (c_d, r_d, _nist_p_224[0], BN_NIST_224_TOP); - mask &= 0 - (PTR_SIZE_INT) carry; - res = c_d; - res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) | - ((PTR_SIZE_INT) r_d & mask)); + res = ((*adjust) (c_d, r_d, _nist_p_224[0], BN_NIST_224_TOP) && carry) + ? r_d + : c_d; nist_cp_bn(r_d, res, BN_NIST_224_TOP); r->top = BN_NIST_224_TOP; bn_correct_top(r); 
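Review bot: The retained comment in BN_nist_mod_192 ending `but without explicit if:-)` no longer matches the code: the pointer-mask selection is replaced by `? r_d : c_d`, which is an explicit conditional, and whether it is translated to a branch or a conditional move is left to the compiler. The comment should either drop that clause or state that the final selection is not guaranteed to be branch-free, so nobody relies on it for timing behaviour. The same applies to `adjust = carry ? bn_sub_words : bn_add_words;` and the following `? r_d : c_d` in the BN_nist_mod_224 hunk here, and to the matching hunks for BN_nist_mod_256, BN_nist_mod_384 and BN_nist_mod_521. The `/* see BN_nist_mod_224 for explanation */` comments kept there point at an explanation that is outside the visible hunks and may describe the removed union trick.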
@@ -660,11 +646,7 @@ int BN_nist_mod_256(BIGNUM *r, const BIG sizeof(unsigned int)]; } buf; BN_ULONG c_d[BN_NIST_256_TOP], *res; - PTR_SIZE_INT mask; - union { - bn_addsub_f f; - PTR_SIZE_INT p; - } u; + bn_addsub_f adjust; static const BIGNUM ossl_bignum_nist_p_256_sqr = { (BN_ULONG *)_nist_p_256_sqr, OSSL_NELEM(_nist_p_256_sqr), @@ -850,7 +832,7 @@ int BN_nist_mod_256(BIGNUM *r, const BIG } #endif /* see BN_nist_mod_224 for explanation */ - u.f = bn_sub_words; + adjust = bn_sub_words; if (carry > 0) carry = (int)bn_sub_words(r_d, r_d, _nist_p_256[carry - 1], @@ -859,18 +841,13 @@ int BN_nist_mod_256(BIGNUM *r, const BIG carry = (int)bn_add_words(r_d, r_d, _nist_p_256[-carry - 1], BN_NIST_256_TOP); - mask = 0 - (PTR_SIZE_INT) carry; - u.p = ((PTR_SIZE_INT) bn_sub_words & mask) | - ((PTR_SIZE_INT) bn_add_words & ~mask); + adjust = carry ? bn_sub_words : bn_add_words; } else carry = 1; - mask = - 0 - (PTR_SIZE_INT) (*u.f) (c_d, r_d, _nist_p_256[0], BN_NIST_256_TOP); - mask &= 0 - (PTR_SIZE_INT) carry; - res = c_d; - res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) | - ((PTR_SIZE_INT) r_d & mask)); + res = ((*adjust) (c_d, r_d, _nist_p_256[0], BN_NIST_256_TOP) && carry) + ? r_d + : c_d; nist_cp_bn(r_d, res, BN_NIST_256_TOP); r->top = BN_NIST_256_TOP; bn_correct_top(r); @@ -906,11 +883,7 @@ int BN_nist_mod_384(BIGNUM *r, const BIG sizeof(unsigned int)]; } buf; BN_ULONG c_d[BN_NIST_384_TOP], *res; - PTR_SIZE_INT mask; - union { - bn_addsub_f f; - PTR_SIZE_INT p; - } u; + bn_addsub_f adjust; static const BIGNUM ossl_bignum_nist_p_384_sqr = { (BN_ULONG *)_nist_p_384_sqr, OSSL_NELEM(_nist_p_384_sqr), @@ -1131,7 +1104,7 @@ int BN_nist_mod_384(BIGNUM *r, const BIG } #endif /* see BN_nist_mod_224 for explanation */ - u.f = bn_sub_words; + adjust = bn_sub_words; if (carry > 0) carry = (int)bn_sub_words(r_d, r_d, _nist_p_384[carry - 1], 
@@ -1140,18 +1113,13 @@ int BN_nist_mod_384(BIGNUM *r, const BIG carry = (int)bn_add_words(r_d, r_d, _nist_p_384[-carry - 1], BN_NIST_384_TOP); - mask = 0 - (PTR_SIZE_INT) carry; - u.p = ((PTR_SIZE_INT) bn_sub_words & mask) | - ((PTR_SIZE_INT) bn_add_words & ~mask); + adjust = carry ? bn_sub_words : bn_add_words; } else carry = 1; - mask = - 0 - (PTR_SIZE_INT) (*u.f) (c_d, r_d, _nist_p_384[0], BN_NIST_384_TOP); - mask &= 0 - (PTR_SIZE_INT) carry; - res = c_d; - res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) | - ((PTR_SIZE_INT) r_d & mask)); + res = ((*adjust) (c_d, r_d, _nist_p_384[0], BN_NIST_384_TOP) && carry) + ? r_d + : c_d; nist_cp_bn(r_d, res, BN_NIST_384_TOP); r->top = BN_NIST_384_TOP; bn_correct_top(r); @@ -1168,7 +1136,6 @@ int BN_nist_mod_521(BIGNUM *r, const BIG { int top = a->top, i; BN_ULONG *r_d, *a_d = a->d, t_d[BN_NIST_521_TOP], val, tmp, *res; - PTR_SIZE_INT mask; static const BIGNUM ossl_bignum_nist_p_521_sqr = { (BN_ULONG *)_nist_p_521_sqr, OSSL_NELEM(_nist_p_521_sqr), @@ -1221,12 +1188,10 @@ int BN_nist_mod_521(BIGNUM *r, const BIG r_d[i] &= BN_NIST_521_TOP_MASK; bn_add_words(r_d, r_d, t_d, BN_NIST_521_TOP); - mask = - 0 - (PTR_SIZE_INT) bn_sub_words(t_d, r_d, _nist_p_521, - BN_NIST_521_TOP); - res = t_d; - res = (BN_ULONG *)(((PTR_SIZE_INT) res & ~mask) | - ((PTR_SIZE_INT) r_d & mask)); + res = bn_sub_words(t_d, r_d, _nist_p_521, + BN_NIST_521_TOP) + ? r_d + : t_d; nist_cp_bn(r_d, res, BN_NIST_521_TOP); r->top = BN_NIST_521_TOP; bn_correct_top(r); Index: src/crypto/external/bsd/openssl/dist/crypto/conf/conf_def.c diff -u src/crypto/external/bsd/openssl/dist/crypto/conf/conf_def.c:1.14 src/crypto/external/bsd/openssl/dist/crypto/conf/conf_def.c:1.15 --- src/crypto/external/bsd/openssl/dist/crypto/conf/conf_def.c:1.14 Sun May 7 14:40:17 2023 +++ src/crypto/external/bsd/openssl/dist/crypto/conf/conf_def.c Wed May 31 15:30:29 2023 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -226,6 +226,9 @@ static int def_load_bio(CONF *conf, BIO char *dirpath = NULL; OPENSSL_DIR_CTX *dirctx = NULL; #endif +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + int numincludes = 0; +#endif if ((buff = BUF_MEM_new()) == NULL) { ERR_raise(ERR_LIB_CONF, ERR_R_BUF_LIB); @@ -442,6 +445,20 @@ static int def_load_bio(CONF *conf, BIO const char *include_dir = ossl_safe_getenv("OPENSSL_CONF_INCLUDE"); char *include_path = NULL; +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + /* + * The include processing below can cause the "conf" fuzzer to + * timeout due to the fuzzer inserting large and complicated + * includes - with a large amount of time spent in + * OPENSSL_strlcat/OPENSSL_strcpy. This is not a security + * concern because config files should never come from untrusted + * sources. We just set an arbitrary limit on the allowed + * number of includes when fuzzing to prevent this timeout. + */ + if (numincludes++ > 10) + goto err; +#endif + if (include_dir == NULL) include_dir = conf->includedir; Index: src/crypto/external/bsd/openssl/dist/crypto/engine/eng_lib.c diff -u src/crypto/external/bsd/openssl/dist/crypto/engine/eng_lib.c:1.10 src/crypto/external/bsd/openssl/dist/crypto/engine/eng_lib.c:1.11 --- src/crypto/external/bsd/openssl/dist/crypto/engine/eng_lib.c:1.10 Sun May 7 14:40:18 2023 +++ src/crypto/external/bsd/openssl/dist/crypto/engine/eng_lib.c Wed May 31 15:30:29 2023 
@@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -140,8 +140,9 @@ void engine_cleanup_add_first(ENGINE_CLE if (!int_cleanup_check(1)) return; item = int_cleanup_item(cb); - if (item) - sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0); + if (item != NULL) + if (sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0) <= 0) + OPENSSL_free(item); } void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb) Index: src/crypto/external/bsd/openssl/dist/crypto/ui/ui_lib.c diff -u src/crypto/external/bsd/openssl/dist/crypto/ui/ui_lib.c:1.8 src/crypto/external/bsd/openssl/dist/crypto/ui/ui_lib.c:1.9 --- src/crypto/external/bsd/openssl/dist/crypto/ui/ui_lib.c:1.8 Sun May 7 14:40:23 2023 +++ src/crypto/external/bsd/openssl/dist/crypto/ui/ui_lib.c Wed May 31 15:30:29 2023 @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -528,6 +528,10 @@ int UI_process(UI *ui) ok = 0; break; } + } else { + ui->flags &= ~UI_FLAG_REDOABLE; + ok = -2; + goto err; } } Index: src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c diff -u src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c:1.27 src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c:1.28 --- src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c:1.27 Sun May 7 14:40:23 2023 +++ src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c Wed May 31 15:30:29 2023 
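Review bot: In engine_cleanup_add_first the new code nests one unbraced `if` inside another, which reads ambiguously and invites a dangling-else mistake if an `else` is ever added. A single condition says the same thing: `if (item != NULL && sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0) <= 0)` followed by `OPENSSL_free(item);`. A short comment that the item is released because the stack did not take ownership would also help the next reader.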
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX * goto memerr; /* Invalid or inconsistent extensions */ if (ret == X509_PCY_TREE_INVALID) { - int i; + int i, cbcalled = 0; /* Locate certificates with bad extensions and notify callback. */ - for (i = 1; i < sk_X509_num(ctx->chain); i++) { + for (i = 0; i < sk_X509_num(ctx->chain); i++) { X509 *x = sk_X509_value(ctx->chain, i); + if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0) + cbcalled = 1; CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0, ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION); } + if (!cbcalled) { + /* Should not be able to get here */ + ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); + return 0; + } + /* The callback ignored the error so we return success */ return 1; } if (ret == X509_PCY_TREE_FAILURE) { @@ -3413,7 +3421,7 @@ static int check_curve(X509 *cert) ret = EVP_PKEY_get_int_param(pkey, OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS, &val); - return ret < 0 ? ret : !val; + return ret == 1 ? !val : -1; } return 1; Index: src/crypto/external/bsd/openssl/dist/engines/e_padlock.c diff -u src/crypto/external/bsd/openssl/dist/engines/e_padlock.c:1.8 src/crypto/external/bsd/openssl/dist/engines/e_padlock.c:1.9 --- src/crypto/external/bsd/openssl/dist/engines/e_padlock.c:1.8 Sun May 7 14:40:25 2023 +++ src/crypto/external/bsd/openssl/dist/engines/e_padlock.c Wed May 31 15:30:29 2023 
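Review bot: The new internal-error branch in `check_policy` (`if (!cbcalled)`) raises an error and returns 0 but does not assign `ctx->error` in the lines shown, so a caller that reads only the verification result could still see the earlier value. Unless code outside the hunk normalises that, setting it explicitly before `return 0;`, e.g. `ctx->error = X509_V_ERR_UNSPECIFIED;`, keeps the failure visible through both channels. The loop also evaluates `(x->ex_flags & EXFLAG_INVALID_POLICY) != 0` twice per certificate. A local such as `int bad = (x->ex_flags & EXFLAG_INVALID_POLICY) != 0;`, used for both `cbcalled` and `CB_FAIL_IF`, keeps the two tests from drifting apart. `check_policy` begins and ends outside the hunk.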
@@ -1,5 +1,5 @@ /* - * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -146,6 +146,19 @@ static int padlock_init(ENGINE *e) return (padlock_use_rng || padlock_use_ace); } +# ifndef AES_ASM +static int padlock_aes_set_encrypt_key(const unsigned char *userKey, + const int bits, + AES_KEY *key); +static int padlock_aes_set_decrypt_key(const unsigned char *userKey, + const int bits, + AES_KEY *key); +# define AES_ASM +# define AES_set_encrypt_key padlock_aes_set_encrypt_key +# define AES_set_decrypt_key padlock_aes_set_decrypt_key +# include "../crypto/aes/aes_core.c" +# endif + /* * This stuff is needed if this ENGINE is being compiled into a * self-contained shared-library. @@ -646,12 +659,10 @@ padlock_aes_init_key(EVP_CIPHER_CTX *ctx AES_set_decrypt_key(key, key_len, &cdata->ks); else AES_set_encrypt_key(key, key_len, &cdata->ks); -# ifndef AES_ASM /* * OpenSSL C functions use byte-swapped extended key. */ padlock_key_bswap(&cdata->ks); -# endif cdata->cword.b.keygen = 1; break; Index: src/crypto/external/bsd/openssl/dist/include/internal/refcount.h diff -u src/crypto/external/bsd/openssl/dist/include/internal/refcount.h:1.6 src/crypto/external/bsd/openssl/dist/include/internal/refcount.h:1.7 --- src/crypto/external/bsd/openssl/dist/include/internal/refcount.h:1.6 Sun May 7 14:40:26 2023 +++ src/crypto/external/bsd/openssl/dist/include/internal/refcount.h Wed May 31 15:30:29 2023 @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
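Review bot: The byte swap in `padlock_aes_init_key` is now unconditional, but the block that supplies the engine's own key-schedule functions is still guarded by `# ifndef AES_ASM`, and neither hunk says which key layout is expected when the build already defines `AES_ASM`. Before this change that configuration skipped `padlock_key_bswap(&cdata->ks)`; now it runs on whatever `AES_set_encrypt_key` resolves to. A wrong byte order here would not fail; it would silently yield a different key schedule, so the assumption deserves a comment above the include block, for example `/* Use the C key schedule from aes_core.c so the layout passed to padlock_key_bswap() is known. */`. That comment should also cover the pre-defined `AES_ASM` case if it can occur for this engine, and the fact that the three `# define`s stay in force for the rest of the translation unit.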
@@ -13,7 +13,7 @@ # include <openssl/e_os2.h> # include <openssl/trace.h> -# ifndef OPENSSL_DEV_NO_ATOMICS +# if defined(OPENSSL_THREADS) && !defined(OPENSSL_DEV_NO_ATOMICS) # if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L \ && !defined(__STDC_NO_ATOMICS__) && !defined(__lint__) # include <stdatomic.h> Index: src/crypto/external/bsd/openssl/dist/ssl/ssl_sess.c diff -u src/crypto/external/bsd/openssl/dist/ssl/ssl_sess.c:1.11 src/crypto/external/bsd/openssl/dist/ssl/ssl_sess.c:1.12 --- src/crypto/external/bsd/openssl/dist/ssl/ssl_sess.c:1.11 Sun May 7 14:40:27 2023 +++ src/crypto/external/bsd/openssl/dist/ssl/ssl_sess.c Wed May 31 15:30:30 2023 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2005 Nokia. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -190,9 +190,10 @@ SSL_SESSION *ssl_session_dup(const SSL_S dest->ticket_appdata = NULL; memset(&dest->ex_data, 0, sizeof(dest->ex_data)); - /* We deliberately don't copy the prev and next pointers */ + /* As the copy is not in the cache, we remove the associated pointers */ dest->prev = NULL; dest->next = NULL; + dest->owner = NULL; dest->references = 1; Index: src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c diff -u src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c:1.36 src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c:1.37 --- src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c:1.36 Sun May 7 14:40:27 2023 +++ src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c Wed May 31 15:30:30 2023 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -765,6 +765,7 @@ int tls1_set_groups_list(SSL_CTX *ctx, u tmparr = OPENSSL_memdup(gcb.gid_arr, gcb.gidcnt * sizeof(*tmparr)); if (tmparr == NULL) goto end; + OPENSSL_free(*pext); *pext = tmparr; *pextlen = gcb.gidcnt; ret = 1; Index: src/crypto/external/bsd/openssl/dist/test/destest.c diff -u src/crypto/external/bsd/openssl/dist/test/destest.c:1.4 src/crypto/external/bsd/openssl/dist/test/destest.c:1.5 --- src/crypto/external/bsd/openssl/dist/test/destest.c:1.4 Sun May 7 14:40:27 2023 +++ src/crypto/external/bsd/openssl/dist/test/destest.c Wed May 31 15:30:30 2023 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -838,6 +838,29 @@ static int test_des_check_bad_parity(int return TEST_int_eq(DES_check_key_parity(key), bad_parity_keys[n].expect); } + +/* Test that two key 3DES can generate a random key without error */ +static int test_des_two_key(void) +{ + int res = 0; + EVP_CIPHER *cipher = NULL; + EVP_CIPHER_CTX *ctx = NULL; + unsigned char key[16]; + + if (!TEST_ptr(cipher = EVP_CIPHER_fetch(NULL, "DES-EDE-ECB", NULL)) + || !TEST_ptr(ctx = EVP_CIPHER_CTX_new()) + || !EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, 1) + || !EVP_CIPHER_CTX_set_key_length(ctx, sizeof(key)) + || !EVP_CIPHER_CTX_rand_key(ctx, key)) + goto err; + + res = 1; + err: + EVP_CIPHER_free(cipher); + EVP_CIPHER_CTX_free(ctx); + return res; +} + #endif int setup_tests(void) 
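Review bot: `OPENSSL_free(*pext)` in `tls1_set_groups_list` makes the function depend on `*pext` being either NULL or a heap block owned by that slot, and the lines shown do not state that precondition. The free closes the leak on repeated calls, but a caller that passes uninitialised or borrowed storage would now hit an invalid free. A short contract comment at the top of the function would cover it, e.g. `/* On success the previous *pext is freed and replaced; it must be NULL or OPENSSL_malloc'd. */`. The function starts and ends outside the hunk, so an existing comment there may already say this.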
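Review bot: In `test_des_two_key` the calls to `EVP_CipherInit_ex`, `EVP_CIPHER_CTX_set_key_length` and `EVP_CIPHER_CTX_rand_key` are tested with a bare `!`, so any negative error return would count as success and a zero return fails without a diagnostic. Using the test macros, as the first two conditions already do, fixes both, e.g. `|| !TEST_int_gt(EVP_CIPHER_CTX_rand_key(ctx, key), 0)` and the same form for the other two calls. This matters most for the random-key call, since it is the behaviour the test is named for.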
@@ -866,6 +889,7 @@ int setup_tests(void)
 ADD_ALL_TESTS(test_des_key_wrap, OSSL_NELEM(test_des_key_wrap_sizes));
 ADD_ALL_TESTS(test_des_weak_keys, OSSL_NELEM(weak_keys));
 ADD_ALL_TESTS(test_des_check_bad_parity, OSSL_NELEM(bad_parity_keys));
+ ADD_TEST(test_des_two_key);
 #endif
 return 1;
 }
Index: src/crypto/external/bsd/openssl/dist/test/dsatest.c
diff -u src/crypto/external/bsd/openssl/dist/test/dsatest.c:1.5 src/crypto/external/bsd/openssl/dist/test/dsatest.c:1.6
--- src/crypto/external/bsd/openssl/dist/test/dsatest.c:1.5 Sun May 7 14:40:28 2023
+++ src/crypto/external/bsd/openssl/dist/test/dsatest.c Wed May 31 15:30:30 2023
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -32,6 +32,32 @@ #ifndef OPENSSL_NO_DSA static int dsa_cb(int p, int n, BN_GENCB *arg); +static unsigned char out_p[] = { + 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76, 0xaa, + 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69, 0xcb, + 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c, 0xf7, + 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82, 0xe5, + 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e, 0xaf, + 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a, 0xac, + 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24, 0xc2, + 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02, 0x91, +}; +static unsigned char out_q[] = { + 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee, + 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e, + 0xda, 0xce, 0x91, 0x5f, +}; +static unsigned char out_g[] = { + 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x13, + 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5, 0x00, + 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef, 0xcb, + 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c, 0x2e, + 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba, 0xbf, + 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c, 0x9c, + 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08, 0x8c, + 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02, +}; + static int dsa_test(void) { BN_GENCB *cb; 
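Review bot: `out_p`, `out_q` and `out_g` become file-scope objects shared by several tests but stay writable `static unsigned char`. As fixed reference parameters they should be declared `static const unsigned char out_p[] = {` (likewise `out_q` and `out_g`) so that no test can alter the values seen by tests that run later. The new tests further down only pass them to `BN_bin2bn` with `sizeof`, so const-qualifying needs no other change in the lines shown. Uses inside `dsa_test` that lie outside this hunk should be checked.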
@@ -51,31 +77,6 @@ static int dsa_test(void) 0xb6, 0x21, 0x1b, 0x40, 0x62, 0xba, 0x32, 0x24, 0xe0, 0x42, 0x7d, 0xd3, }; - static unsigned char out_p[] = { - 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76, 0xaa, - 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69, 0xcb, - 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c, 0xf7, - 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82, 0xe5, - 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e, 0xaf, - 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a, 0xac, - 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24, 0xc2, - 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02, 0x91, - }; - static unsigned char out_q[] = { - 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee, - 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e, - 0xda, 0xce, 0x91, 0x5f, - }; - static unsigned char out_g[] = { - 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x13, - 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5, 0x00, - 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef, 0xcb, - 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c, 0x2e, - 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba, 0xbf, - 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c, 0x9c, - 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08, 0x8c, - 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02, - }; static const unsigned char str1[] = "12345678901234567890"; if (!TEST_ptr(cb = BN_GENCB_new())) @@ -114,7 +115,6 @@ static int dsa_test(void) goto end; if (TEST_int_gt(DSA_verify(0, str1, 20, sig, siglen, dsa), 0)) ret = 1; - end: DSA_free(dsa); BN_GENCB_free(cb); 
@@ -325,6 +325,167 @@ static int test_dsa_default_paramgen_val return ret; } +static int test_dsa_sig_infinite_loop(void) +{ + int ret = 0; + DSA *dsa = NULL; + BIGNUM *p = NULL, *q = NULL, *g = NULL, *priv = NULL, *pub = NULL, *priv2 = NULL; + BIGNUM *badq = NULL, *badpriv = NULL; + const unsigned char msg[] = { 0x00 }; + unsigned int signature_len; + unsigned char signature[64]; + + static unsigned char out_priv[] = { + 0x17, 0x00, 0xb2, 0x8d, 0xcb, 0x24, 0xc9, 0x98, + 0xd0, 0x7f, 0x1f, 0x83, 0x1a, 0xa1, 0xc4, 0xa4, + 0xf8, 0x0f, 0x7f, 0x12 + }; + static unsigned char out_pub[] = { + 0x04, 0x72, 0xee, 0x8d, 0xaa, 0x4d, 0x89, 0x60, + 0x0e, 0xb2, 0xd4, 0x38, 0x84, 0xa2, 0x2a, 0x60, + 0x5f, 0x67, 0xd7, 0x9e, 0x24, 0xdd, 0xe8, 0x50, + 0xf2, 0x23, 0x71, 0x55, 0x53, 0x94, 0x0d, 0x6b, + 0x2e, 0xcd, 0x30, 0xda, 0x6f, 0x1e, 0x2c, 0xcf, + 0x59, 0xbe, 0x05, 0x6c, 0x07, 0x0e, 0xc6, 0x38, + 0x05, 0xcb, 0x0c, 0x44, 0x0a, 0x08, 0x13, 0xb6, + 0x0f, 0x14, 0xde, 0x4a, 0xf6, 0xed, 0x4e, 0xc3 + }; + if (!TEST_ptr(p = BN_bin2bn(out_p, sizeof(out_p), NULL)) + || !TEST_ptr(q = BN_bin2bn(out_q, sizeof(out_q), NULL)) + || !TEST_ptr(g = BN_bin2bn(out_g, sizeof(out_g), NULL)) + || !TEST_ptr(pub = BN_bin2bn(out_pub, sizeof(out_pub), NULL)) + || !TEST_ptr(priv = BN_bin2bn(out_priv, sizeof(out_priv), NULL)) + || !TEST_ptr(priv2 = BN_dup(priv)) + || !TEST_ptr(badq = BN_new()) + || !TEST_true(BN_set_word(badq, 1)) + || !TEST_ptr(badpriv = BN_new()) + || !TEST_true(BN_set_word(badpriv, 0)) + || !TEST_ptr(dsa = DSA_new())) + goto err; + + if (!TEST_true(DSA_set0_pqg(dsa, p, q, g))) + goto err; + p = q = g = NULL; + + if (!TEST_true(DSA_set0_key(dsa, pub, priv))) + goto err; + pub = priv = NULL; + + if (!TEST_int_le(DSA_size(dsa), sizeof(signature))) + goto err; + + /* Test passing signature as NULL */ + if (!TEST_true(DSA_sign(0, msg, sizeof(msg), NULL, &signature_len, dsa))) + goto err; + + if (!TEST_true(DSA_sign(0, msg, sizeof(msg), signature, &signature_len, dsa))) + goto err; + + /* Test 
using a private key of zero fails - this causes an infinite loop without the retry test */ + if (!TEST_true(DSA_set0_key(dsa, NULL, badpriv))) + goto err; + badpriv = NULL; + if (!TEST_false(DSA_sign(0, msg, sizeof(msg), signature, &signature_len, dsa))) + goto err; + + /* Restore private and set a bad q - this caused an infinite loop in the setup */ + if (!TEST_true(DSA_set0_key(dsa, NULL, priv2))) + goto err; + priv2 = NULL; + if (!TEST_true(DSA_set0_pqg(dsa, NULL, badq, NULL))) + goto err; + badq = NULL; + if (!TEST_false(DSA_sign(0, msg, sizeof(msg), signature, &signature_len, dsa))) + goto err; + + ret = 1; +err: + BN_free(badq); + BN_free(badpriv); + BN_free(pub); + BN_free(priv); + BN_free(priv2); + BN_free(g); + BN_free(q); + BN_free(p); + DSA_free(dsa); + return ret; +} + +static int test_dsa_sig_neg_param(void) +{ + int ret = 0, setpqg = 0; + DSA *dsa = NULL; + BIGNUM *p = NULL, *q = NULL, *g = NULL, *priv = NULL, *pub = NULL; + const unsigned char msg[] = { 0x00 }; + unsigned int signature_len; + unsigned char signature[64]; + + static unsigned char out_priv[] = { + 0x17, 0x00, 0xb2, 0x8d, 0xcb, 0x24, 0xc9, 0x98, + 0xd0, 0x7f, 0x1f, 0x83, 0x1a, 0xa1, 0xc4, 0xa4, + 0xf8, 0x0f, 0x7f, 0x12 + }; + static unsigned char out_pub[] = { + 0x04, 0x72, 0xee, 0x8d, 0xaa, 0x4d, 0x89, 0x60, + 0x0e, 0xb2, 0xd4, 0x38, 0x84, 0xa2, 0x2a, 0x60, + 0x5f, 0x67, 0xd7, 0x9e, 0x24, 0xdd, 0xe8, 0x50, + 0xf2, 0x23, 0x71, 0x55, 0x53, 0x94, 0x0d, 0x6b, + 0x2e, 0xcd, 0x30, 0xda, 0x6f, 0x1e, 0x2c, 0xcf, + 0x59, 0xbe, 0x05, 0x6c, 0x07, 0x0e, 0xc6, 0x38, + 0x05, 0xcb, 0x0c, 0x44, 0x0a, 0x08, 0x13, 0xb6, + 0x0f, 0x14, 0xde, 0x4a, 0xf6, 0xed, 0x4e, 0xc3 + }; + if (!TEST_ptr(p = BN_bin2bn(out_p, sizeof(out_p), NULL)) + || !TEST_ptr(q = BN_bin2bn(out_q, sizeof(out_q), NULL)) + || !TEST_ptr(g = BN_bin2bn(out_g, sizeof(out_g), NULL)) + || !TEST_ptr(pub = BN_bin2bn(out_pub, sizeof(out_pub), NULL)) + || !TEST_ptr(priv = BN_bin2bn(out_priv, sizeof(out_priv), NULL)) + || !TEST_ptr(dsa = 
DSA_new())) + goto err; + + if (!TEST_true(DSA_set0_pqg(dsa, p, q, g))) + goto err; + setpqg = 1; + + if (!TEST_true(DSA_set0_key(dsa, pub, priv))) + goto err; + pub = priv = NULL; + + BN_set_negative(p, 1); + if (!TEST_false(DSA_sign(0, msg, sizeof(msg), signature, &signature_len, dsa))) + goto err; + + BN_set_negative(p, 0); + BN_set_negative(q, 1); + if (!TEST_false(DSA_sign(0, msg, sizeof(msg), signature, &signature_len, dsa))) + goto err; + + BN_set_negative(q, 0); + BN_set_negative(g, 1); + if (!TEST_false(DSA_sign(0, msg, sizeof(msg), signature, &signature_len, dsa))) + goto err; + + BN_set_negative(p, 1); + BN_set_negative(q, 1); + BN_set_negative(g, 1); + if (!TEST_false(DSA_sign(0, msg, sizeof(msg), signature, &signature_len, dsa))) + goto err; + + ret = 1; +err: + BN_free(pub); + BN_free(priv); + + if (setpqg == 0) { + BN_free(g); + BN_free(q); + BN_free(p); + } + DSA_free(dsa); + return ret; +} + #endif /* OPENSSL_NO_DSA */ int setup_tests(void) @@ -332,6 +493,8 @@ int setup_tests(void) #ifndef OPENSSL_NO_DSA ADD_TEST(dsa_test); ADD_TEST(dsa_keygen_test); + ADD_TEST(test_dsa_sig_infinite_loop); + ADD_TEST(test_dsa_sig_neg_param); ADD_ALL_TESTS(test_dsa_default_paramgen_validate, 2); #endif return 1; Index: src/crypto/external/bsd/openssl/dist/test/ecdsatest.c diff -u src/crypto/external/bsd/openssl/dist/test/ecdsatest.c:1.7 src/crypto/external/bsd/openssl/dist/test/ecdsatest.c:1.8 --- src/crypto/external/bsd/openssl/dist/test/ecdsatest.c:1.7 Sun May 7 14:40:28 2023 +++ src/crypto/external/bsd/openssl/dist/test/ecdsatest.c Wed May 31 15:30:30 2023 @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use 
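Review bot: In `test_dsa_sig_infinite_loop` the length-query call `DSA_sign(0, msg, sizeof(msg), NULL, &signature_len, dsa)` is checked only for its return value, and `signature_len` has no initialiser, so the test would pass even if the call left the length unset. The ECDSA test added in the same commit asserts the length. The equivalent here is `unsigned int signature_len = 0;` plus `if (!TEST_int_gt(signature_len, 0)) goto err;` after the call. Separately, `out_priv` and `out_pub` are repeated byte for byte in `test_dsa_sig_neg_param`; hoisting them to file scope as `static const` next to `out_p` stops the two copies drifting apart.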
@@ -346,6 +346,22 @@ static int test_builtin_as_sm2(int n) return test_builtin(n, EVP_PKEY_SM2); } # endif + +static int test_ecdsa_sig_NULL(void) +{ + int ret; + unsigned int siglen; + unsigned char dgst[128] = { 0 }; + EC_KEY *eckey = NULL; + + ret = TEST_ptr(eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)) + && TEST_int_eq(EC_KEY_generate_key(eckey), 1) + && TEST_int_eq(ECDSA_sign(0, dgst, sizeof(dgst), NULL, &siglen, eckey), 1) + && TEST_int_gt(siglen, 0); + EC_KEY_free(eckey); + return ret; +} + #endif /* OPENSSL_NO_EC */ int setup_tests(void) @@ -365,6 +381,7 @@ int setup_tests(void) return 0; } ADD_ALL_TESTS(test_builtin_as_ec, crv_len); + ADD_TEST(test_ecdsa_sig_NULL); # ifndef OPENSSL_NO_SM2 ADD_ALL_TESTS(test_builtin_as_sm2, crv_len); # endif Index: src/crypto/external/bsd/openssl/dist/test/evp_extra_test.c diff -u src/crypto/external/bsd/openssl/dist/test/evp_extra_test.c:1.12 src/crypto/external/bsd/openssl/dist/test/evp_extra_test.c:1.13 --- src/crypto/external/bsd/openssl/dist/test/evp_extra_test.c:1.12 Sun May 7 14:40:28 2023 +++ src/crypto/external/bsd/openssl/dist/test/evp_extra_test.c Wed May 31 15:30:30 2023 @@ -1,5 +1,5 @@ /* - * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -899,6 +899,8 @@ static int test_EC_priv_pub(void) BIGNUM *priv = NULL; int ret = 0; unsigned char *encoded = NULL; + size_t len = 0; + unsigned char buffer[128]; /* * Setup the parameters for our pkey object. For our purposes they don't 
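Review bot: `siglen` in `test_ecdsa_sig_NULL` is read by `TEST_int_gt(siglen, 0)` without ever being initialised, so if `ECDSA_sign` returned 1 without writing it, the check would compare an indeterminate value. Declaring `unsigned int siglen = 0;` makes the assertion meaningful. Since a NULL-buffer call exists to size the caller's buffer, an upper bound would strengthen the test further, e.g. `&& TEST_int_le(siglen, ECDSA_size(eckey))`.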
@@ -1018,6 +1020,26 @@ static int test_EC_priv_pub(void) goto err; } + /* Positive and negative testcase for EVP_PKEY_get_octet_string_param */ + if (!TEST_int_eq(EVP_PKEY_get_octet_string_param(params_and_pub, + OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, + buffer, sizeof(buffer), &len), 1) + || !TEST_int_eq(len, 65)) + goto err; + + len = 0; + if (!TEST_int_eq(EVP_PKEY_get_octet_string_param(params_and_pub, + OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, + NULL, 0, &len), 1) + || !TEST_int_eq(len, 65)) + goto err; + + /* too-short buffer len*/ + if (!TEST_int_eq(EVP_PKEY_get_octet_string_param(params_and_pub, + OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, + buffer, 10, &len), 0)) + goto err; + ret = 1; err: OSSL_PARAM_free(params); Index: src/crypto/external/bsd/openssl/dist/test/testutil/provider.c diff -u src/crypto/external/bsd/openssl/dist/test/testutil/provider.c:1.2 src/crypto/external/bsd/openssl/dist/test/testutil/provider.c:1.3 --- src/crypto/external/bsd/openssl/dist/test/testutil/provider.c:1.2 Sun May 7 14:40:30 2023 +++ src/crypto/external/bsd/openssl/dist/test/testutil/provider.c Wed May 31 15:30:30 2023 @@ -1,5 +1,5 @@ /* - * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -38,7 +38,7 @@ int test_get_libctx(OSSL_LIB_CTX **libct goto err; } - if (module_name != NULL + if (provider != NULL && module_name != NULL && (*provider = OSSL_PROVIDER_load(new_libctx, module_name)) == NULL) { opt_printf_stderr("Failed to load provider %s\n", module_name); goto err;
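Review bot: `len` is a `size_t` but is compared with `TEST_int_eq(len, 65)`, which narrows it to int, and the literal 65 is unexplained. `TEST_size_t_eq(len, 65)` avoids the conversion. A short comment on where 65 comes from would help; presumably it is the encoded public-key size for the curve set up earlier in `test_EC_priv_pub`, which is outside the hunk. The too-short-buffer case checks only the return value. It does not check that nothing was written past the 10 bytes offered, which is the property a bounded getter has to hold. The comment `/* too-short buffer len*/` is also missing a space before the closing `*/`.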
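Review bot: With the added `provider != NULL` guard in `test_get_libctx`, a call that passes a `module_name` but no `provider` pointer now skips `OSSL_PROVIDER_load` silently and still succeeds, so the returned library context lacks the provider the caller named. If that combination is a caller mistake, the function should report it rather than only avoid the NULL dereference, for example with a separate `if (module_name != NULL && provider == NULL)` check that reports through `opt_printf_stderr` and takes `goto err`. If it is intended, a one-line comment saying the module is deliberately ignored without an output pointer would prevent a later reader from treating it as a bug. The function starts and ends outside the hunk.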