Bug#1086157: bookworm-pu: package openssl/3.0.15-1~deb12u1
Package: release.debian.org
Control: affects -1 + src:openssl
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: pu
Tags: bookworm
X-Debbugs-Cc: [email protected]
Severity: normal
This is a new stable release by upstream of OpenSSL. I added
additionally a fix for CVE-2024-9143 which is classified as low and not
yet part of an OpenSSL release in the 3.0.x series. I also made an
upload to unstable with a fix for this CVE.
I am not aware of a regression. I remember that a previous release led
to a regression in nodejs (different error code led to testsuite
failires). If this is still the case (or anything else) and you want me
to act uppon it, please let me know.
Please find attached the debdiff.
Sebastian
diff -Nru openssl-3.0.14/apps/cms.c openssl-3.0.15/apps/cms.c
--- openssl-3.0.14/apps/cms.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/apps/cms.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -132,7 +132,7 @@
{"binary", OPT_BINARY, '-',
"Treat input as binary: do not translate to canonical form"},
{"crlfeol", OPT_CRLFEOL, '-',
- "Use CRLF as EOL termination instead of CR only" },
+ "Use CRLF as EOL termination instead of LF only" },
{"asciicrlf", OPT_ASCIICRLF, '-',
"Perform CRLF canonicalisation when signing"},
diff -Nru openssl-3.0.14/apps/dgst.c openssl-3.0.15/apps/dgst.c
--- openssl-3.0.14/apps/dgst.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/apps/dgst.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -478,7 +478,7 @@
static void show_digests(const OBJ_NAME *name, void *arg)
{
struct doall_dgst_digests *dec = (struct doall_dgst_digests *)arg;
- const EVP_MD *md = NULL;
+ EVP_MD *md = NULL;
/* Filter out signed digests (a.k.a signature algorithms) */
if (strstr(name->name, "rsa") != NULL || strstr(name->name, "RSA") != NULL)
@@ -490,8 +490,7 @@
/* Filter out message digests that we cannot use */
md = EVP_MD_fetch(app_get0_libctx(), name->name, app_get0_propq());
if (md == NULL) {
- md = EVP_get_digestbyname(name->name);
- if (md == NULL)
+ if (EVP_get_digestbyname(name->name) == NULL)
return;
}
@@ -502,6 +501,8 @@
} else {
BIO_printf(dec->bio, " ");
}
+
+ EVP_MD_free(md);
}
/*
diff -Nru openssl-3.0.14/apps/lib/opt.c openssl-3.0.15/apps/lib/opt.c
--- openssl-3.0.14/apps/lib/opt.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/apps/lib/opt.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -616,7 +616,7 @@
opt_number_error(value);
return 0;
}
- *result = (ossl_intmax_t)m;
+ *result = (ossl_uintmax_t)m;
errno = oerrno;
return 1;
}
diff -Nru openssl-3.0.14/apps/lib/s_cb.c openssl-3.0.15/apps/lib/s_cb.c
--- openssl-3.0.14/apps/lib/s_cb.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/apps/lib/s_cb.c 2024-09-03 15:30:13.000000000 +0200
@@ -649,7 +649,7 @@
(void)BIO_flush(bio);
}
-static STRINT_PAIR tlsext_types[] = {
+static const STRINT_PAIR tlsext_types[] = {
{"server name", TLSEXT_TYPE_server_name},
{"max fragment length", TLSEXT_TYPE_max_fragment_length},
{"client certificate URL", TLSEXT_TYPE_client_certificate_url},
@@ -688,6 +688,7 @@
{"psk kex modes", TLSEXT_TYPE_psk_kex_modes},
{"certificate authorities", TLSEXT_TYPE_certificate_authorities},
{"post handshake auth", TLSEXT_TYPE_post_handshake_auth},
+ {"early_data", TLSEXT_TYPE_early_data},
{NULL}
};
diff -Nru openssl-3.0.14/apps/smime.c openssl-3.0.15/apps/smime.c
--- openssl-3.0.14/apps/smime.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/apps/smime.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -118,7 +118,7 @@
"Do not load certificates from the default certificates store"},
{"nochain", OPT_NOCHAIN, '-',
"set PKCS7_NOCHAIN so certificates contained in the message are not used as untrusted CAs" },
- {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only"},
+ {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of LF only"},
OPT_R_OPTIONS,
OPT_V_OPTIONS,
diff -Nru openssl-3.0.14/CHANGES.md openssl-3.0.15/CHANGES.md
--- openssl-3.0.14/CHANGES.md 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/CHANGES.md 2024-09-03 15:30:13.000000000 +0200
@@ -28,6 +28,30 @@
[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
+### Changes between 3.0.14 and 3.0.15 [3 Sep 2024]
+
+ * Fixed possible denial of service in X.509 name checks.
+
+ Applications performing certificate name checks (e.g., TLS clients checking
+ server certificates) may attempt to read an invalid memory address when
+ comparing the expected name with an `otherName` subject alternative name of
+ an X.509 certificate. This may result in an exception that terminates the
+ application program.
+
+ ([CVE-2024-6119])
+
+ *Viktor Dukhovni*
+
+ * Fixed possible buffer overread in SSL_select_next_proto().
+
+ Calling the OpenSSL API function SSL_select_next_proto with an empty
+ supported client protocols buffer may cause a crash or memory contents
+ to be sent to the peer.
+
+ ([CVE-2024-5535])
+
+ *Matt Caswell*
+
### Changes between 3.0.13 and 3.0.14 [4 Jun 2024]
* Fixed potential use after free after SSL_free_buffers() is called.
@@ -70,6 +94,14 @@
*Tomáš Mráz*
+ * Improved EC/DSA nonce generation routines to avoid bias and timing
+ side channel leaks.
+
+ Thanks to Florian Sieck from Universität zu Lübeck and George Pantelakis
+ and Hubert Kario from Red Hat for reporting the issues.
+
+ *Tomáš Mráz and Paul Dale*
+
* Fixed an issue where some non-default TLS server configurations can cause
unbounded memory growth when processing TLSv1.3 sessions. An attacker may
exploit certain server configurations to trigger unbounded memory growth that
@@ -19890,6 +19922,8 @@
<!-- Links -->
+[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
+[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
diff -Nru openssl-3.0.14/Configurations/10-main.conf openssl-3.0.15/Configurations/10-main.conf
--- openssl-3.0.14/Configurations/10-main.conf 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/Configurations/10-main.conf 2024-09-03 15:30:13.000000000 +0200
@@ -1264,6 +1264,25 @@
AR => add("-X32"),
RANLIB => add("-X32"),
},
+ # To enable openxl compiler for aix
+ # If 17.1 openxl runtime is available, -latomic can be used
+ # instead of -DBROKEN_CLANG_ATOMICS
+ "aix-clang" => {
+ inherit_from => [ "aix-common" ],
+ CC => "ibm-clang",
+ CFLAGS => picker(debug => "-O0 -g",
+ release => "-O"),
+ cflags => combine("-Wno-implicit-function-declaration -mcmodel=large -DBROKEN_CLANG_ATOMICS",
+ threads("-pthread")),
+ ex_libs => add(threads("-pthread")),
+ bn_ops => "BN_LLONG RC4_CHAR",
+ asm_arch => 'ppc32',
+ perlasm_scheme => "aix32",
+ shared_cflag => "-fpic",
+ shared_ldflag => add("-shared"),
+ AR => add("-X32"),
+ RANLIB => add("-X32"),
+ },
"aix64-cc" => {
inherit_from => [ "aix-common" ],
CC => "cc",
@@ -1281,6 +1300,23 @@
shared_extension => "64.so.\$(SHLIB_VERSION_NUMBER)",
AR => add("-X64"),
RANLIB => add("-X64"),
+ },
+ "aix64-clang" => {
+ inherit_from => [ "aix-common" ],
+ CC => "ibm-clang",
+ CFLAGS => picker(debug => "-O0 -g",
+ release => "-O"),
+ cflags => combine("-maix64 -Wno-implicit-function-declaration -mcmodel=large",
+ threads("-pthread")),
+ ex_libs => add(threads("-pthread")),
+ bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR",
+ asm_arch => 'ppc64',
+ perlasm_scheme => "aix64",
+ shared_cflag => "-fpic",
+ shared_ldflag => add("-shared"),
+ shared_extension => "64.so.\$(SHLIB_VERSION_NUMBER)",
+ AR => add("-X64"),
+ RANLIB => add("-X64"),
},
# SIEMENS BS2000/OSD: an EBCDIC-based mainframe
diff -Nru openssl-3.0.14/Configurations/15-ios.conf openssl-3.0.15/Configurations/15-ios.conf
--- openssl-3.0.14/Configurations/15-ios.conf 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/Configurations/15-ios.conf 2024-09-03 15:30:13.000000000 +0200
@@ -10,7 +10,7 @@
template => 1,
inherit_from => [ "darwin-common" ],
sys_id => "iOS",
- disable => [ "shared", "async" ],
+ disable => [ "async" ],
},
"ios-xcrun" => {
inherit_from => [ "ios-common" ],
diff -Nru openssl-3.0.14/Configure openssl-3.0.15/Configure
--- openssl-3.0.14/Configure 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/Configure 2024-09-03 15:30:13.000000000 +0200
@@ -178,7 +178,6 @@
# -Wextended-offsetof -- no, needed in CMS ASN1 code
my @clang_devteam_warn = qw(
-Wno-unknown-warning-option
- -Wswitch-default
-Wno-parentheses-equality
-Wno-language-extension-token
-Wno-extended-offsetof
@@ -1583,7 +1582,7 @@
disable('unavailable', 'makedepend') unless $config{makedep_scheme};
}
-if (!$disabled{asm} && !$predefined_C{__MACH__} && $^O ne 'VMS') {
+if (!$disabled{asm} && !$predefined_C{__MACH__} && $^O ne 'VMS' && !$predefined_C{_AIX}) {
# probe for -Wa,--noexecstack option...
if ($predefined_C{__clang__}) {
# clang has builtin assembler, which doesn't recognize --help,
@@ -3407,6 +3406,13 @@
return rel2abs($dir);
}
+ # realpath() on Windows seems to check if the directory actually exists,
+ # which isn't what is wanted here. All we want to know is if a directory
+ # spec is absolute, not if it exists.
+ if ($^O eq "MSWin32") {
+ return rel2abs($dir);
+ }
+
# We use realpath() on Unix, since no other will properly clean out
# a directory spec.
use Cwd qw/realpath/;
diff -Nru openssl-3.0.14/CONTRIBUTING.md openssl-3.0.15/CONTRIBUTING.md
--- openssl-3.0.14/CONTRIBUTING.md 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/CONTRIBUTING.md 2024-09-03 15:30:13.000000000 +0200
@@ -3,7 +3,7 @@
Please visit our [Getting Started] page for other ideas about how to contribute.
- [Getting Started]: <https://www.openssl.org/community/getting-started.html>
+ [Getting Started]: <https://openssl-library.org/community/getting-started>
Development is done on GitHub in the [openssl/openssl] repository.
@@ -77,8 +77,8 @@
Clean builds via GitHub Actions are required. They are started automatically
whenever a PR is created or updated by committers.
- [coding style]: https://www.openssl.org/policies/technical/coding-style.html
- [documentation policy]: https://openssl.org/policies/technical/documentation-policy.html
+ [coding style]: https://openssl-library.org/policies/technical/coding-style/
+ [documentation policy]: https://openssl-library.org/policies/technical/documentation-policy/
5. When at all possible, code contributions should include tests. These can
either be added to an existing test, or completely new. Please see
diff -Nru openssl-3.0.14/crypto/aes/asm/aesp8-ppc.pl openssl-3.0.15/crypto/aes/asm/aesp8-ppc.pl
--- openssl-3.0.14/crypto/aes/asm/aesp8-ppc.pl 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/aes/asm/aesp8-ppc.pl 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2014-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -99,11 +99,12 @@
.long 0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000 ?rev
.long 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c ?rev
.long 0,0,0,0 ?asis
+.long 0x0f102132, 0x43546576, 0x8798a9ba, 0xcbdcedfe
Lconsts:
mflr r0
bcl 20,31,\$+4
mflr $ptr #vvvvv "distance between . and rcon
- addi $ptr,$ptr,-0x48
+ addi $ptr,$ptr,-0x58
mtlr r0
blr
.long 0
@@ -2405,7 +2406,7 @@
my $key_=$key2;
my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,3,26..31));
$x00=0 if ($flavour =~ /osx/);
-my ($in0, $in1, $in2, $in3, $in4, $in5 )=map("v$_",(0..5));
+my ($in0, $in1, $in2, $in3, $in4, $in5)=map("v$_",(0..5));
my ($out0, $out1, $out2, $out3, $out4, $out5)=map("v$_",(7,12..16));
my ($twk0, $twk1, $twk2, $twk3, $twk4, $twk5)=map("v$_",(17..22));
my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys
@@ -2460,6 +2461,18 @@
li $x70,0x70
mtspr 256,r0
+ # Reverse eighty7 to 0x010101..87
+ xxlor 2, 32+$eighty7, 32+$eighty7
+ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87
+ xxlor 1, 32+$eighty7, 32+$eighty7
+
+ # Load XOR contents. 0xf102132435465768798a9bacbdcedfe
+ mr $x70, r6
+ bl Lconsts
+ lxvw4x 0, $x40, r6 # load XOR contents
+ mr r6, $x70
+ li $x70,0x70
+
subi $rounds,$rounds,3 # -4 in total
lvx $rndkey0,$x00,$key1 # load key schedule
@@ -2502,69 +2515,77 @@
?vperm v31,v31,$twk5,$keyperm
lvx v25,$x10,$key_ # pre-load round[2]
+ # Switch to use the following codes with 0x010101..87 to generate tweak.
+ # eighty7 = 0x010101..87
+ # vsrab tmp, tweak, seven # next tweak value, right shift 7 bits
+ # vand tmp, tmp, eighty7 # last byte with carry
+ # vaddubm tweak, tweak, tweak # left shift 1 bit (x2)
+ # xxlor vsx, 0, 0
+ # vpermxor tweak, tweak, tmp, vsx
+
vperm $in0,$inout,$inptail,$inpperm
subi $inp,$inp,31 # undo "caller"
vxor $twk0,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vand $tmp,$tmp,$eighty7
vxor $out0,$in0,$twk0
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in1, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in1
lvx_u $in1,$x10,$inp
vxor $twk1,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in1,$in1,$in1,$leperm
vand $tmp,$tmp,$eighty7
vxor $out1,$in1,$twk1
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in2, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in2
lvx_u $in2,$x20,$inp
andi. $taillen,$len,15
vxor $twk2,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in2,$in2,$in2,$leperm
vand $tmp,$tmp,$eighty7
vxor $out2,$in2,$twk2
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in3, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in3
lvx_u $in3,$x30,$inp
sub $len,$len,$taillen
vxor $twk3,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in3,$in3,$in3,$leperm
vand $tmp,$tmp,$eighty7
vxor $out3,$in3,$twk3
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in4, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in4
lvx_u $in4,$x40,$inp
subi $len,$len,0x60
vxor $twk4,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in4,$in4,$in4,$leperm
vand $tmp,$tmp,$eighty7
vxor $out4,$in4,$twk4
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in5, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in5
lvx_u $in5,$x50,$inp
addi $inp,$inp,0x60
vxor $twk5,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in5,$in5,$in5,$leperm
vand $tmp,$tmp,$eighty7
vxor $out5,$in5,$twk5
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in0, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in0
vxor v31,v31,$rndkey0
mtctr $rounds
@@ -2590,6 +2611,8 @@
lvx v25,$x10,$key_ # round[4]
bdnz Loop_xts_enc6x
+ xxlor 32+$eighty7, 1, 1 # 0x010101..87
+
subic $len,$len,96 # $len-=96
vxor $in0,$twk0,v31 # xor with last round key
vcipher $out0,$out0,v24
@@ -2599,7 +2622,6 @@
vaddubm $tweak,$tweak,$tweak
vcipher $out2,$out2,v24
vcipher $out3,$out3,v24
- vsldoi $tmp,$tmp,$tmp,15
vcipher $out4,$out4,v24
vcipher $out5,$out5,v24
@@ -2607,7 +2629,8 @@
vand $tmp,$tmp,$eighty7
vcipher $out0,$out0,v25
vcipher $out1,$out1,v25
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in1, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in1
vcipher $out2,$out2,v25
vcipher $out3,$out3,v25
vxor $in1,$twk1,v31
@@ -2618,13 +2641,13 @@
and r0,r0,$len
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vcipher $out0,$out0,v26
vcipher $out1,$out1,v26
vand $tmp,$tmp,$eighty7
vcipher $out2,$out2,v26
vcipher $out3,$out3,v26
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in2, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in2
vcipher $out4,$out4,v26
vcipher $out5,$out5,v26
@@ -2638,7 +2661,6 @@
vaddubm $tweak,$tweak,$tweak
vcipher $out0,$out0,v27
vcipher $out1,$out1,v27
- vsldoi $tmp,$tmp,$tmp,15
vcipher $out2,$out2,v27
vcipher $out3,$out3,v27
vand $tmp,$tmp,$eighty7
@@ -2646,7 +2668,8 @@
vcipher $out5,$out5,v27
addi $key_,$sp,$FRAME+15 # rewind $key_
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in3, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in3
vcipher $out0,$out0,v28
vcipher $out1,$out1,v28
vxor $in3,$twk3,v31
@@ -2655,7 +2678,6 @@
vcipher $out2,$out2,v28
vcipher $out3,$out3,v28
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vcipher $out4,$out4,v28
vcipher $out5,$out5,v28
lvx v24,$x00,$key_ # re-pre-load round[1]
@@ -2663,7 +2685,8 @@
vcipher $out0,$out0,v29
vcipher $out1,$out1,v29
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in4, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in4
vcipher $out2,$out2,v29
vcipher $out3,$out3,v29
vxor $in4,$twk4,v31
@@ -2673,14 +2696,14 @@
vcipher $out5,$out5,v29
lvx v25,$x10,$key_ # re-pre-load round[2]
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vcipher $out0,$out0,v30
vcipher $out1,$out1,v30
vand $tmp,$tmp,$eighty7
vcipher $out2,$out2,v30
vcipher $out3,$out3,v30
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in5, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in5
vcipher $out4,$out4,v30
vcipher $out5,$out5,v30
vxor $in5,$twk5,v31
@@ -2690,7 +2713,6 @@
vcipherlast $out0,$out0,$in0
lvx_u $in0,$x00,$inp # load next input block
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vcipherlast $out1,$out1,$in1
lvx_u $in1,$x10,$inp
vcipherlast $out2,$out2,$in2
@@ -2703,7 +2725,10 @@
vcipherlast $out4,$out4,$in4
le?vperm $in2,$in2,$in2,$leperm
lvx_u $in4,$x40,$inp
- vxor $tweak,$tweak,$tmp
+ xxlor 10, 32+$in0, 32+$in0
+ xxlor 32+$in0, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in0
+ xxlor 32+$in0, 10, 10
vcipherlast $tmp,$out5,$in5 # last block might be needed
# in stealing mode
le?vperm $in3,$in3,$in3,$leperm
@@ -2736,6 +2761,8 @@
mtctr $rounds
beq Loop_xts_enc6x # did $len-=96 borrow?
+ xxlor 32+$eighty7, 2, 2 # 0x870101..01
+
addic. $len,$len,0x60
beq Lxts_enc6x_zero
cmpwi $len,0x20
@@ -3112,6 +3139,18 @@
li $x70,0x70
mtspr 256,r0
+ # Reverse eighty7 to 0x010101..87
+ xxlor 2, 32+$eighty7, 32+$eighty7
+ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87
+ xxlor 1, 32+$eighty7, 32+$eighty7
+
+ # Load XOR contents. 0xf102132435465768798a9bacbdcedfe
+ mr $x70, r6
+ bl Lconsts
+ lxvw4x 0, $x40, r6 # load XOR contents
+ mr r6, $x70
+ li $x70,0x70
+
subi $rounds,$rounds,3 # -4 in total
lvx $rndkey0,$x00,$key1 # load key schedule
@@ -3159,64 +3198,64 @@
vxor $twk0,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vand $tmp,$tmp,$eighty7
vxor $out0,$in0,$twk0
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in1, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in1
lvx_u $in1,$x10,$inp
vxor $twk1,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in1,$in1,$in1,$leperm
vand $tmp,$tmp,$eighty7
vxor $out1,$in1,$twk1
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in2, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in2
lvx_u $in2,$x20,$inp
andi. $taillen,$len,15
vxor $twk2,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in2,$in2,$in2,$leperm
vand $tmp,$tmp,$eighty7
vxor $out2,$in2,$twk2
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in3, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in3
lvx_u $in3,$x30,$inp
sub $len,$len,$taillen
vxor $twk3,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in3,$in3,$in3,$leperm
vand $tmp,$tmp,$eighty7
vxor $out3,$in3,$twk3
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in4, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in4
lvx_u $in4,$x40,$inp
subi $len,$len,0x60
vxor $twk4,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in4,$in4,$in4,$leperm
vand $tmp,$tmp,$eighty7
vxor $out4,$in4,$twk4
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in5, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in5
lvx_u $in5,$x50,$inp
addi $inp,$inp,0x60
vxor $twk5,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in5,$in5,$in5,$leperm
vand $tmp,$tmp,$eighty7
vxor $out5,$in5,$twk5
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in0, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in0
vxor v31,v31,$rndkey0
mtctr $rounds
@@ -3242,6 +3281,8 @@
lvx v25,$x10,$key_ # round[4]
bdnz Loop_xts_dec6x
+ xxlor 32+$eighty7, 1, 1
+
subic $len,$len,96 # $len-=96
vxor $in0,$twk0,v31 # xor with last round key
vncipher $out0,$out0,v24
@@ -3251,7 +3292,6 @@
vaddubm $tweak,$tweak,$tweak
vncipher $out2,$out2,v24
vncipher $out3,$out3,v24
- vsldoi $tmp,$tmp,$tmp,15
vncipher $out4,$out4,v24
vncipher $out5,$out5,v24
@@ -3259,7 +3299,8 @@
vand $tmp,$tmp,$eighty7
vncipher $out0,$out0,v25
vncipher $out1,$out1,v25
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in1, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in1
vncipher $out2,$out2,v25
vncipher $out3,$out3,v25
vxor $in1,$twk1,v31
@@ -3270,13 +3311,13 @@
and r0,r0,$len
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vncipher $out0,$out0,v26
vncipher $out1,$out1,v26
vand $tmp,$tmp,$eighty7
vncipher $out2,$out2,v26
vncipher $out3,$out3,v26
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in2, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in2
vncipher $out4,$out4,v26
vncipher $out5,$out5,v26
@@ -3290,7 +3331,6 @@
vaddubm $tweak,$tweak,$tweak
vncipher $out0,$out0,v27
vncipher $out1,$out1,v27
- vsldoi $tmp,$tmp,$tmp,15
vncipher $out2,$out2,v27
vncipher $out3,$out3,v27
vand $tmp,$tmp,$eighty7
@@ -3298,7 +3338,8 @@
vncipher $out5,$out5,v27
addi $key_,$sp,$FRAME+15 # rewind $key_
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in3, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in3
vncipher $out0,$out0,v28
vncipher $out1,$out1,v28
vxor $in3,$twk3,v31
@@ -3307,7 +3348,6 @@
vncipher $out2,$out2,v28
vncipher $out3,$out3,v28
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vncipher $out4,$out4,v28
vncipher $out5,$out5,v28
lvx v24,$x00,$key_ # re-pre-load round[1]
@@ -3315,7 +3355,8 @@
vncipher $out0,$out0,v29
vncipher $out1,$out1,v29
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in4, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in4
vncipher $out2,$out2,v29
vncipher $out3,$out3,v29
vxor $in4,$twk4,v31
@@ -3325,14 +3366,14 @@
vncipher $out5,$out5,v29
lvx v25,$x10,$key_ # re-pre-load round[2]
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vncipher $out0,$out0,v30
vncipher $out1,$out1,v30
vand $tmp,$tmp,$eighty7
vncipher $out2,$out2,v30
vncipher $out3,$out3,v30
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in5, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in5
vncipher $out4,$out4,v30
vncipher $out5,$out5,v30
vxor $in5,$twk5,v31
@@ -3342,7 +3383,6 @@
vncipherlast $out0,$out0,$in0
lvx_u $in0,$x00,$inp # load next input block
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vncipherlast $out1,$out1,$in1
lvx_u $in1,$x10,$inp
vncipherlast $out2,$out2,$in2
@@ -3355,7 +3395,10 @@
vncipherlast $out4,$out4,$in4
le?vperm $in2,$in2,$in2,$leperm
lvx_u $in4,$x40,$inp
- vxor $tweak,$tweak,$tmp
+ xxlor 10, 32+$in0, 32+$in0
+ xxlor 32+$in0, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in0
+ xxlor 32+$in0, 10, 10
vncipherlast $out5,$out5,$in5
le?vperm $in3,$in3,$in3,$leperm
lvx_u $in5,$x50,$inp
@@ -3386,6 +3429,8 @@
mtctr $rounds
beq Loop_xts_dec6x # did $len-=96 borrow?
+ xxlor 32+$eighty7, 2, 2
+
addic. $len,$len,0x60
beq Lxts_dec6x_zero
cmpwi $len,0x20
diff -Nru openssl-3.0.14/crypto/aes/build.info openssl-3.0.15/crypto/aes/build.info
--- openssl-3.0.14/crypto/aes/build.info 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/aes/build.info 2024-09-03 15:30:13.000000000 +0200
@@ -38,7 +38,11 @@
$AESASM_parisc20_64=$AESASM_parisc11
$AESDEF_parisc20_64=$AESDEF_parisc11
+ IF[{- $target{sys_id} ne "MACOSX" -}]
$AESASM_ppc32=aes_core.c aes_cbc.c aes-ppc.s vpaes-ppc.s aesp8-ppc.s
+ ELSE
+ $AESASM_ppc32=aes_core.c aes_cbc.c aes-ppc.s vpaes-ppc.s
+ ENDIF
$AESDEF_ppc32=AES_ASM VPAES_ASM
$AESASM_ppc64=$AESASM_ppc32
$AESDEF_ppc64=$AESDEF_ppc32
diff -Nru openssl-3.0.14/crypto/asn1/a_d2i_fp.c openssl-3.0.15/crypto/asn1/a_d2i_fp.c
--- openssl-3.0.14/crypto/asn1/a_d2i_fp.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/asn1/a_d2i_fp.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -148,6 +148,9 @@
goto err;
}
len += i;
+ if ((size_t)i < want)
+ continue;
+
}
}
/* else data already loaded */
diff -Nru openssl-3.0.14/crypto/asn1/a_mbstr.c openssl-3.0.15/crypto/asn1/a_mbstr.c
--- openssl-3.0.14/crypto/asn1/a_mbstr.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/asn1/a_mbstr.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -139,9 +139,7 @@
if (*out) {
free_out = 0;
dest = *out;
- OPENSSL_free(dest->data);
- dest->data = NULL;
- dest->length = 0;
+ ASN1_STRING_set0(dest, NULL, 0);
dest->type = str_type;
} else {
free_out = 1;
@@ -155,6 +153,10 @@
/* If both the same type just copy across */
if (inform == outform) {
if (!ASN1_STRING_set(dest, in, len)) {
+ if (free_out) {
+ ASN1_STRING_free(dest);
+ *out = NULL;
+ }
ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
return -1;
}
@@ -185,8 +187,10 @@
break;
}
if ((p = OPENSSL_malloc(outlen + 1)) == NULL) {
- if (free_out)
+ if (free_out) {
ASN1_STRING_free(dest);
+ *out = NULL;
+ }
ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
return -1;
}
diff -Nru openssl-3.0.14/crypto/asn1/a_strex.c openssl-3.0.15/crypto/asn1/a_strex.c
--- openssl-3.0.14/crypto/asn1/a_strex.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/asn1/a_strex.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -10,6 +10,7 @@
#include <stdio.h>
#include <string.h>
#include "internal/cryptlib.h"
+#include "internal/sizes.h"
#include "crypto/asn1.h"
#include <openssl/crypto.h>
#include <openssl/x509.h>
@@ -345,8 +346,10 @@
if (lflags & ASN1_STRFLGS_SHOW_TYPE) {
const char *tagname;
+
tagname = ASN1_tag2str(type);
- outlen += strlen(tagname);
+ /* We can directly cast here as tagname will never be too large. */
+ outlen += (int)strlen(tagname);
if (!io_ch(arg, tagname, outlen) || !io_ch(arg, ":", 1))
return -1;
outlen++;
@@ -372,7 +375,7 @@
if (type == -1) {
len = do_dump(lflags, io_ch, arg, str);
- if (len < 0)
+ if (len < 0 || len > INT_MAX - outlen)
return -1;
outlen += len;
return outlen;
@@ -391,7 +394,7 @@
}
len = do_buf(str->data, str->length, type, flags, "es, io_ch, NULL);
- if (len < 0)
+ if (len < 0 || len > INT_MAX - 2 - outlen)
return -1;
outlen += len;
if (quotes)
diff -Nru openssl-3.0.14/crypto/asn1/a_verify.c openssl-3.0.15/crypto/asn1/a_verify.c
--- openssl-3.0.14/crypto/asn1/a_verify.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/asn1/a_verify.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -203,10 +203,12 @@
inl = ASN1_item_i2d(data, &buf_in, it);
if (inl <= 0) {
ERR_raise(ERR_LIB_ASN1, ERR_R_INTERNAL_ERROR);
+ ret = -1;
goto err;
}
if (buf_in == NULL) {
ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
+ ret = -1;
goto err;
}
inll = inl;
diff -Nru openssl-3.0.14/crypto/asn1/tasn_fre.c openssl-3.0.15/crypto/asn1/tasn_fre.c
--- openssl-3.0.14/crypto/asn1/tasn_fre.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/asn1/tasn_fre.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -85,8 +85,12 @@
case ASN1_ITYPE_NDEF_SEQUENCE:
case ASN1_ITYPE_SEQUENCE:
- if (ossl_asn1_do_lock(pval, -1, it) != 0) /* if error or ref-counter > 0 */
+ if (ossl_asn1_do_lock(pval, -1, it) != 0) {
+ /* if error or ref-counter > 0 */
+ OPENSSL_assert(embed == 0);
+ *pval = NULL;
return;
+ }
if (asn1_cb) {
i = asn1_cb(ASN1_OP_FREE_PRE, pval, it, NULL);
if (i == 2)
diff -Nru openssl-3.0.14/crypto/bio/bf_readbuff.c openssl-3.0.15/crypto/bio/bf_readbuff.c
--- openssl-3.0.14/crypto/bio/bf_readbuff.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/bio/bf_readbuff.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -222,10 +222,13 @@
char *p;
int i, j;
- if (size == 0)
+ if (buf == NULL || size == 0)
return 0;
--size; /* the passed in size includes the terminator - so remove it here */
ctx = (BIO_F_BUFFER_CTX *)b->ptr;
+
+ if (ctx == NULL || b->next_bio == NULL)
+ return 0;
BIO_clear_retry_flags(b);
/* If data is already buffered then use this first */
diff -Nru openssl-3.0.14/crypto/bio/bio_addr.c openssl-3.0.15/crypto/bio/bio_addr.c
--- openssl-3.0.14/crypto/bio/bio_addr.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/bio/bio_addr.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -778,14 +778,12 @@
if (!RUN_ONCE(&bio_lookup_init, do_bio_lookup_init)) {
ERR_raise(ERR_LIB_BIO, ERR_R_MALLOC_FAILURE);
- ret = 0;
- goto err;
+ return 0;
}
- if (!CRYPTO_THREAD_write_lock(bio_lookup_lock)) {
- ret = 0;
- goto err;
- }
+ if (!CRYPTO_THREAD_write_lock(bio_lookup_lock))
+ return 0;
+
he_fallback_address = INADDR_ANY;
if (host == NULL) {
he = &he_fallback;
diff -Nru openssl-3.0.14/crypto/cmp/cmp_vfy.c openssl-3.0.15/crypto/cmp/cmp_vfy.c
--- openssl-3.0.14/crypto/cmp/cmp_vfy.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/cmp/cmp_vfy.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2020
* Copyright Siemens AG 2015-2020
*
@@ -619,7 +619,7 @@
default:
scrt = ctx->srvCert;
if (scrt == NULL) {
- if (ctx->trusted == NULL) {
+ if (ctx->trusted == NULL && ctx->secretValue != NULL) {
ossl_cmp_info(ctx, "no trust store nor pinned server cert available for verifying signature-based CMP message protection");
ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_TRUST_ANCHOR);
return 0;
diff -Nru openssl-3.0.14/crypto/conf/conf_def.c openssl-3.0.15/crypto/conf/conf_def.c
--- openssl-3.0.14/crypto/conf/conf_def.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/conf/conf_def.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -332,7 +332,7 @@
v = NULL;
/* check for line continuation */
- if (bufnum >= 1) {
+ if (!again && bufnum >= 1) {
/*
* If we have bytes and the last char '\\' and second last char
* is not '\\'
diff -Nru openssl-3.0.14/crypto/conf/conf_lib.c openssl-3.0.15/crypto/conf/conf_lib.c
--- openssl-3.0.14/crypto/conf/conf_lib.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/conf/conf_lib.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -464,6 +464,9 @@
void OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS *settings)
{
+ if (settings == NULL)
+ return;
+
free(settings->filename);
free(settings->appname);
free(settings);
diff -Nru openssl-3.0.14/crypto/conf/conf_sap.c openssl-3.0.15/crypto/conf/conf_sap.c
--- openssl-3.0.14/crypto/conf/conf_sap.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/conf/conf_sap.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -38,6 +38,8 @@
settings.appname = strdup(appname);
settings.flags = DEFAULT_CONF_MFLAGS;
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, &settings);
+
+ free(settings.appname);
}
#endif
diff -Nru openssl-3.0.14/crypto/context.c openssl-3.0.15/crypto/context.c
--- openssl-3.0.14/crypto/context.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/context.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -240,7 +240,7 @@
void OSSL_LIB_CTX_free(OSSL_LIB_CTX *ctx)
{
- if (ossl_lib_ctx_is_default(ctx))
+ if (ctx == NULL || ossl_lib_ctx_is_default(ctx))
return;
#ifndef FIPS_MODULE
diff -Nru openssl-3.0.14/crypto/ec/ecdsa_ossl.c openssl-3.0.15/crypto/ec/ecdsa_ossl.c
--- openssl-3.0.14/crypto/ec/ecdsa_ossl.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/ec/ecdsa_ossl.c 2024-09-03 15:30:13.000000000 +0200
@@ -130,7 +130,11 @@
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
goto err;
}
- order = EC_GROUP_get0_order(group);
+
+ if ((order = EC_GROUP_get0_order(group)) == NULL) {
+ ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
+ goto err;
+ }
/* Preallocate space */
order_bits = BN_num_bits(order);
@@ -255,7 +259,11 @@
goto err;
}
- order = EC_GROUP_get0_order(group);
+ if ((order = EC_GROUP_get0_order(group)) == NULL) {
+ ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
+ goto err;
+ }
+
i = BN_num_bits(order);
/*
* Need to truncate digest if it is too long: first truncate whole bytes.
diff -Nru openssl-3.0.14/crypto/engine/eng_table.c openssl-3.0.15/crypto/engine/eng_table.c
--- openssl-3.0.14/crypto/engine/eng_table.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/engine/eng_table.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -215,9 +215,11 @@
f, l, nid);
return NULL;
}
- ERR_set_mark();
+
if (!CRYPTO_THREAD_write_lock(global_engine_lock))
- goto end;
+ return NULL;
+
+ ERR_set_mark();
/*
* Check again inside the lock otherwise we could race against cleanup
* operations. But don't worry about a debug printout
diff -Nru openssl-3.0.14/crypto/evp/ctrl_params_translate.c openssl-3.0.15/crypto/evp/ctrl_params_translate.c
--- openssl-3.0.14/crypto/evp/ctrl_params_translate.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/evp/ctrl_params_translate.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -2777,7 +2777,7 @@
fixup_args_fn *fixup = default_fixup_args;
int ret;
- tmpl.action_type = action_type;
+ ctx.action_type = tmpl.action_type = action_type;
tmpl.keytype1 = tmpl.keytype2 = keytype;
tmpl.optype = optype;
tmpl.param_key = params->key;
@@ -2786,7 +2786,6 @@
if (translation != NULL) {
if (translation->fixup_args != NULL)
fixup = translation->fixup_args;
- ctx.action_type = translation->action_type;
ctx.ctrl_cmd = translation->ctrl_num;
}
ctx.pctx = pctx;
diff -Nru openssl-3.0.14/crypto/evp/digest.c openssl-3.0.15/crypto/evp/digest.c
--- openssl-3.0.14/crypto/evp/digest.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/evp/digest.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -409,7 +409,7 @@
/* Code below to be removed when legacy support is dropped. */
legacy:
- return ctx->update(ctx, data, count);
+ return ctx->update != NULL ? ctx->update(ctx, data, count) : 0;
}
/* The caller can assume that this removes any secret data from the context */
diff -Nru openssl-3.0.14/crypto/evp/names.c openssl-3.0.15/crypto/evp/names.c
--- openssl-3.0.14/crypto/evp/names.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/evp/names.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -78,6 +78,7 @@
const EVP_CIPHER *cp;
OSSL_NAMEMAP *namemap;
int id;
+ int do_retry = 1;
if (!OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS, NULL))
return NULL;
@@ -94,9 +95,21 @@
*/
namemap = ossl_namemap_stored(libctx);
+ retry:
id = ossl_namemap_name2num(namemap, name);
- if (id == 0)
- return NULL;
+ if (id == 0) {
+ EVP_CIPHER *fetched_cipher;
+
+ /* Try to fetch it because the name might not be known yet. */
+ if (!do_retry)
+ return NULL;
+ do_retry = 0;
+ ERR_set_mark();
+ fetched_cipher = EVP_CIPHER_fetch(libctx, name, NULL);
+ EVP_CIPHER_free(fetched_cipher);
+ ERR_pop_to_mark();
+ goto retry;
+ }
if (!ossl_namemap_doall_names(namemap, id, cipher_from_name, &cp))
return NULL;
@@ -124,6 +137,7 @@
const EVP_MD *dp;
OSSL_NAMEMAP *namemap;
int id;
+ int do_retry = 1;
if (!OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_DIGESTS, NULL))
return NULL;
@@ -140,9 +154,21 @@
*/
namemap = ossl_namemap_stored(libctx);
+ retry:
id = ossl_namemap_name2num(namemap, name);
- if (id == 0)
- return NULL;
+ if (id == 0) {
+ EVP_MD *fetched_md;
+
+ /* Try to fetch it because the name might not be known yet. */
+ if (!do_retry)
+ return NULL;
+ do_retry = 0;
+ ERR_set_mark();
+ fetched_md = EVP_MD_fetch(libctx, name, NULL);
+ EVP_MD_free(fetched_md);
+ ERR_pop_to_mark();
+ goto retry;
+ }
if (!ossl_namemap_doall_names(namemap, id, digest_from_name, &dp))
return NULL;
diff -Nru openssl-3.0.14/crypto/evp/pmeth_lib.c openssl-3.0.15/crypto/evp/pmeth_lib.c
--- openssl-3.0.14/crypto/evp/pmeth_lib.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/evp/pmeth_lib.c 2024-09-03 15:30:13.000000000 +0200
@@ -1034,6 +1034,7 @@
int datalen)
{
OSSL_PARAM os_params[2];
+ const OSSL_PARAM *gettables;
unsigned char *info = NULL;
size_t info_len = 0;
size_t info_alloc = 0;
@@ -1057,6 +1058,12 @@
return 1;
}
+ /* Check for older provider that doesn't support getting this parameter */
+ gettables = EVP_PKEY_CTX_gettable_params(ctx);
+ if (gettables == NULL || OSSL_PARAM_locate_const(gettables, param) == NULL)
+ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl,
+ data, datalen);
+
/* Get the original value length */
os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
os_params[1] = OSSL_PARAM_construct_end();
@@ -1064,9 +1071,9 @@
if (!EVP_PKEY_CTX_get_params(ctx, os_params))
return 0;
- /* Older provider that doesn't support getting this parameter */
+ /* This should not happen but check to be sure. */
if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
- return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
+ return 0;
info_alloc = os_params[0].return_size + datalen;
if (info_alloc == 0)
diff -Nru openssl-3.0.14/crypto/o_str.c openssl-3.0.15/crypto/o_str.c
--- openssl-3.0.14/crypto/o_str.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/o_str.c 2024-09-03 15:30:13.000000000 +0200
@@ -229,12 +229,14 @@
int has_sep = (sep != CH_ZERO);
size_t len = has_sep ? buflen * 3 : 1 + buflen * 2;
+ if (len == 0)
+ ++len;
if (strlength != NULL)
*strlength = len;
if (str == NULL)
return 1;
- if (str_n < (unsigned long)len) {
+ if (str_n < len) {
ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_TOO_SMALL_BUFFER);
return 0;
}
@@ -246,7 +248,7 @@
if (has_sep)
*q++ = sep;
}
- if (has_sep)
+ if (has_sep && buflen > 0)
--q;
*q = CH_ZERO;
diff -Nru openssl-3.0.14/crypto/pkcs12/p12_crt.c openssl-3.0.15/crypto/pkcs12/p12_crt.c
--- openssl-3.0.14/crypto/pkcs12/p12_crt.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/pkcs12/p12_crt.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -213,16 +213,19 @@
if (key_usage && !PKCS8_add_keyusage(p8, key_usage))
goto err;
if (nid_key != -1) {
+ /* This call does not take ownership of p8 */
bag = PKCS12_SAFEBAG_create_pkcs8_encrypt_ex(nid_key, pass, -1, NULL, 0,
iter, p8, ctx, propq);
- PKCS8_PRIV_KEY_INFO_free(p8);
- } else
+ } else {
bag = PKCS12_SAFEBAG_create0_p8inf(p8);
+ if (bag != NULL)
+ p8 = NULL; /* bag takes ownership of p8 */
+ }
+ /* This does not need to be in the error path */
+ if (p8 != NULL)
+ PKCS8_PRIV_KEY_INFO_free(p8);
- if (!bag)
- goto err;
-
- if (!pkcs12_add_bag(pbags, bag))
+ if (bag == NULL || !pkcs12_add_bag(pbags, bag))
goto err;
return bag;
diff -Nru openssl-3.0.14/crypto/pkcs7/pk7_doit.c openssl-3.0.15/crypto/pkcs7/pk7_doit.c
--- openssl-3.0.14/crypto/pkcs7/pk7_doit.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/pkcs7/pk7_doit.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1239,36 +1239,29 @@
void *value)
{
X509_ATTRIBUTE *attr = NULL;
+ int i, n;
if (*sk == NULL) {
if ((*sk = sk_X509_ATTRIBUTE_new_null()) == NULL)
return 0;
- new_attrib:
- if ((attr = X509_ATTRIBUTE_create(nid, atrtype, value)) == NULL)
- return 0;
- if (!sk_X509_ATTRIBUTE_push(*sk, attr)) {
- X509_ATTRIBUTE_free(attr);
- return 0;
- }
- } else {
- int i;
-
- for (i = 0; i < sk_X509_ATTRIBUTE_num(*sk); i++) {
- attr = sk_X509_ATTRIBUTE_value(*sk, i);
- if (OBJ_obj2nid(X509_ATTRIBUTE_get0_object(attr)) == nid) {
- X509_ATTRIBUTE_free(attr);
- attr = X509_ATTRIBUTE_create(nid, atrtype, value);
- if (attr == NULL)
- return 0;
- if (!sk_X509_ATTRIBUTE_set(*sk, i, attr)) {
- X509_ATTRIBUTE_free(attr);
- return 0;
- }
- goto end;
- }
- }
- goto new_attrib;
}
+ n = sk_X509_ATTRIBUTE_num(*sk);
+ for (i = 0; i < n; i++) {
+ attr = sk_X509_ATTRIBUTE_value(*sk, i);
+ if (OBJ_obj2nid(X509_ATTRIBUTE_get0_object(attr)) == nid)
+ goto end;
+ }
+ if (!sk_X509_ATTRIBUTE_push(*sk, NULL))
+ return 0;
+
end:
+ attr = X509_ATTRIBUTE_create(nid, atrtype, value);
+ if (attr == NULL) {
+ if (i == n)
+ sk_X509_ATTRIBUTE_pop(*sk);
+ return 0;
+ }
+ X509_ATTRIBUTE_free(sk_X509_ATTRIBUTE_value(*sk, i));
+ (void) sk_X509_ATTRIBUTE_set(*sk, i, attr);
return 1;
}
diff -Nru openssl-3.0.14/crypto/property/property.c openssl-3.0.15/crypto/property/property.c
--- openssl-3.0.14/crypto/property/property.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/property/property.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@@ -95,6 +95,8 @@
DEFINE_SPARSE_ARRAY_OF(ALGORITHM);
+DEFINE_STACK_OF(ALGORITHM)
+
typedef struct ossl_global_properties_st {
OSSL_PROPERTY_LIST *list;
#ifndef FIPS_MODULE
@@ -469,33 +471,45 @@
fn(alg->nid, impl->method.method, fnarg);
}
-struct alg_do_each_data_st {
- void (*fn)(int id, void *method, void *fnarg);
- void *fnarg;
-};
-
-static void alg_do_each(ossl_uintmax_t idx, ALGORITHM *alg, void *arg)
+static void alg_copy(ossl_uintmax_t idx, ALGORITHM *alg, void *arg)
{
- struct alg_do_each_data_st *data = arg;
- int i, end = sk_IMPLEMENTATION_num(alg->impls);
-
- for (i = 0; i < end; i++) {
- IMPLEMENTATION *impl = sk_IMPLEMENTATION_value(alg->impls, i);
+ STACK_OF(ALGORITHM) *newalg = arg;
- alg_do_one(alg, impl, data->fn, data->fnarg);
- }
+ (void)sk_ALGORITHM_push(newalg, alg);
}
void ossl_method_store_do_all(OSSL_METHOD_STORE *store,
void (*fn)(int id, void *method, void *fnarg),
void *fnarg)
{
- struct alg_do_each_data_st data;
+ int i, j;
+ int numalgs, numimps;
+ STACK_OF(ALGORITHM) *tmpalgs;
+ ALGORITHM *alg;
- data.fn = fn;
- data.fnarg = fnarg;
- if (store != NULL)
- ossl_sa_ALGORITHM_doall_arg(store->algs, alg_do_each, &data);
+ if (store != NULL) {
+
+ if (!ossl_property_read_lock(store))
+ return;
+
+ tmpalgs = sk_ALGORITHM_new_reserve(NULL,
+ ossl_sa_ALGORITHM_num(store->algs));
+ if (tmpalgs == NULL) {
+ ossl_property_unlock(store);
+ return;
+ }
+
+ ossl_sa_ALGORITHM_doall_arg(store->algs, alg_copy, tmpalgs);
+ ossl_property_unlock(store);
+ numalgs = sk_ALGORITHM_num(tmpalgs);
+ for (i = 0; i < numalgs; i++) {
+ alg = sk_ALGORITHM_value(tmpalgs, i);
+ numimps = sk_IMPLEMENTATION_num(alg->impls);
+ for (j = 0; j < numimps; j++)
+ alg_do_one(alg, sk_IMPLEMENTATION_value(alg->impls, j), fn, fnarg);
+ }
+ sk_ALGORITHM_free(tmpalgs);
+ }
}
int ossl_method_store_fetch(OSSL_METHOD_STORE *store,
@@ -651,10 +665,13 @@
void *v)
{
IMPL_CACHE_FLUSH *state = (IMPL_CACHE_FLUSH *)v;
+ unsigned long orig_down_load = lh_QUERY_get_down_load(alg->cache);
state->cache = alg->cache;
+ lh_QUERY_set_down_load(alg->cache, 0);
lh_QUERY_doall_IMPL_CACHE_FLUSH(state->cache, &impl_cache_flush_cache,
state);
+ lh_QUERY_set_down_load(alg->cache, orig_down_load);
}
static void ossl_method_cache_flush_some(OSSL_METHOD_STORE *store)
diff -Nru openssl-3.0.14/crypto/rand/randfile.c openssl-3.0.15/crypto/rand/randfile.c
--- openssl-3.0.14/crypto/rand/randfile.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/rand/randfile.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -16,6 +16,7 @@
# include <sys/stat.h>
#endif
+#include "e_os.h"
#include "internal/cryptlib.h"
#include <errno.h>
@@ -208,8 +209,16 @@
* should be restrictive from the start
*/
int fd = open(file, O_WRONLY | O_CREAT | O_BINARY, 0600);
- if (fd != -1)
+
+ if (fd != -1) {
out = fdopen(fd, "wb");
+ if (out == NULL) {
+ close(fd);
+ ERR_raise_data(ERR_LIB_RAND, RAND_R_CANNOT_OPEN_FILE,
+ "Filename=%s", file);
+ return -1;
+ }
+ }
}
#endif
diff -Nru openssl-3.0.14/crypto/rsa/rsa_oaep.c openssl-3.0.15/crypto/rsa/rsa_oaep.c
--- openssl-3.0.14/crypto/rsa/rsa_oaep.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/rsa/rsa_oaep.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -186,7 +186,7 @@
mdlen = EVP_MD_get_size(md);
- if (tlen <= 0 || flen <= 0)
+ if (tlen <= 0 || flen <= 0 || mdlen <= 0)
return -1;
/*
* |num| is the length of the modulus; |flen| is the length of the
diff -Nru openssl-3.0.14/crypto/x509/v3_utl.c openssl-3.0.15/crypto/x509/v3_utl.c
--- openssl-3.0.14/crypto/x509/v3_utl.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/x509/v3_utl.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -916,36 +916,64 @@
ASN1_STRING *cstr;
gen = sk_GENERAL_NAME_value(gens, i);
- if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) {
- if (OBJ_obj2nid(gen->d.otherName->type_id) ==
- NID_id_on_SmtpUTF8Mailbox) {
- san_present = 1;
-
- /*
- * If it is not a UTF8String then that is unexpected and we
- * treat it as no match
- */
- if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
- cstr = gen->d.otherName->value->value.utf8string;
-
- /* Positive on success, negative on error! */
- if ((rv = do_check_string(cstr, 0, equal, flags,
- chk, chklen, peername)) != 0)
- break;
- }
- } else
+ switch (gen->type) {
+ default:
+ continue;
+ case GEN_OTHERNAME:
+ switch (OBJ_obj2nid(gen->d.otherName->type_id)) {
+ default:
continue;
- } else {
- if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME))
+ case NID_id_on_SmtpUTF8Mailbox:
+ /*-
+ * https://datatracker.ietf.org/doc/html/rfc8398#section-3
+ *
+ * Due to name constraint compatibility reasons described
+ * in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT
+ * be used unless the local-part of the email address
+ * contains non-ASCII characters. When the local-part is
+ * ASCII, rfc822Name subjectAltName MUST be used instead
+ * of SmtpUTF8Mailbox. This is compatible with legacy
+ * software that supports only rfc822Name (and not
+ * SmtpUTF8Mailbox). [...]
+ *
+ * SmtpUTF8Mailbox is encoded as UTF8String.
+ *
+ * If it is not a UTF8String then that is unexpected, and
+ * we ignore the invalid SAN (neither set san_present nor
+ * consider it a candidate for equality). This does mean
+ * that the subject CN may be considered, as would be the
+ * case when the malformed SmtpUtf8Mailbox SAN is instead
+ * simply absent.
+ *
+ * When CN-ID matching is not desirable, applications can
+ * choose to turn it off, doing so is at this time a best
+ * practice.
+ */
+ if (check_type != GEN_EMAIL
+ || gen->d.otherName->value->type != V_ASN1_UTF8STRING)
+ continue;
+ alt_type = 0;
+ cstr = gen->d.otherName->value->value.utf8string;
+ break;
+ }
+ break;
+ case GEN_EMAIL:
+ if (check_type != GEN_EMAIL)
continue;
- }
- san_present = 1;
- if (check_type == GEN_EMAIL)
cstr = gen->d.rfc822Name;
- else if (check_type == GEN_DNS)
+ break;
+ case GEN_DNS:
+ if (check_type != GEN_DNS)
+ continue;
cstr = gen->d.dNSName;
- else
+ break;
+ case GEN_IPADD:
+ if (check_type != GEN_IPADD)
+ continue;
cstr = gen->d.iPAddress;
+ break;
+ }
+ san_present = 1;
/* Positive on success, negative on error! */
if ((rv = do_check_string(cstr, alt_type, equal, flags,
chk, chklen, peername)) != 0)
diff -Nru openssl-3.0.14/crypto/x509/x_name.c openssl-3.0.15/crypto/x509/x_name.c
--- openssl-3.0.14/crypto/x509/x_name.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/crypto/x509/x_name.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -476,8 +476,8 @@
v = sk_ASN1_VALUE_value(intname, i);
ltmp = ASN1_item_ex_i2d(&v, in,
ASN1_ITEM_rptr(X509_NAME_ENTRIES), -1, -1);
- if (ltmp < 0)
- return ltmp;
+ if (ltmp < 0 || len > INT_MAX - ltmp)
+ return -1;
len += ltmp;
}
return len;
diff -Nru openssl-3.0.14/debian/changelog openssl-3.0.15/debian/changelog
--- openssl-3.0.14/debian/changelog 2024-09-01 16:59:10.000000000 +0200
+++ openssl-3.0.15/debian/changelog 2024-10-27 15:16:28.000000000 +0100
@@ -1,3 +1,13 @@
+openssl (3.0.15-1~deb12u1) bookworm; urgency=medium
+
+ * Import 3.0.15
+ - CVE-2024-5535 (SSL_select_next_proto buffer overread)
+ (Closes: #1074487).
+ - CVE-2024-9143 (Low-level invalid GF(2^m) parameters lead to OOB memory
+ access) (Closes: #1085378).
+
+ -- Sebastian Andrzej Siewior <[email protected]> Sun, 27 Oct 2024 15:16:28 +0100
+
openssl (3.0.14-1~deb12u2) bookworm-security; urgency=medium
* CVE-2024-6119 (Possible denial of service in X.509 name checks).
diff -Nru openssl-3.0.14/debian/patches/Avoid-type-errors-in-EAI-related-name-check-logic.patch openssl-3.0.15/debian/patches/Avoid-type-errors-in-EAI-related-name-check-logic.patch
--- openssl-3.0.14/debian/patches/Avoid-type-errors-in-EAI-related-name-check-logic.patch 2024-09-01 16:30:36.000000000 +0200
+++ openssl-3.0.15/debian/patches/Avoid-type-errors-in-EAI-related-name-check-logic.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,263 +0,0 @@
-From: Viktor Dukhovni <[email protected]>
-Date: Wed, 19 Jun 2024 21:04:11 +1000
-Subject: Avoid type errors in EAI-related name check logic.
-
-The incorrectly typed data is read only, used in a compare operation, so
-neither remote code execution, nor memory content disclosure were possible.
-However, applications performing certificate name checks were vulnerable to
-denial of service.
-
-The GENERAL_TYPE data type is a union, and we must take care to access the
-correct member, based on `gen->type`, not all the member fields have the same
-structure, and a segfault is possible if the wrong member field is read.
-
-The code in question was lightly refactored with the intent to make it more
-obviously correct.
-
-CVE-2024-6119
-
-(cherry picked from commit 1486960d6cdb052e4fc0109a56a0597b4e902ba1)
----
- crypto/x509/v3_utl.c | 78 +++++++++++++++++--------
- test/recipes/25-test_eai_data.t | 12 +++-
- test/recipes/25-test_eai_data/kdc-cert.pem | 21 +++++++
- test/recipes/25-test_eai_data/kdc-root-cert.pem | 16 +++++
- test/recipes/25-test_eai_data/kdc.sh | 41 +++++++++++++
- 5 files changed, 142 insertions(+), 26 deletions(-)
- create mode 100644 test/recipes/25-test_eai_data/kdc-cert.pem
- create mode 100644 test/recipes/25-test_eai_data/kdc-root-cert.pem
- create mode 100755 test/recipes/25-test_eai_data/kdc.sh
-
-diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
-index 6e4ef26ed608..304463d572c6 100644
---- a/crypto/x509/v3_utl.c
-+++ b/crypto/x509/v3_utl.c
-@@ -916,36 +916,64 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
- ASN1_STRING *cstr;
-
- gen = sk_GENERAL_NAME_value(gens, i);
-- if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) {
-- if (OBJ_obj2nid(gen->d.otherName->type_id) ==
-- NID_id_on_SmtpUTF8Mailbox) {
-- san_present = 1;
--
-- /*
-- * If it is not a UTF8String then that is unexpected and we
-- * treat it as no match
-+ switch (gen->type) {
-+ default:
-+ continue;
-+ case GEN_OTHERNAME:
-+ switch (OBJ_obj2nid(gen->d.otherName->type_id)) {
-+ default:
-+ continue;
-+ case NID_id_on_SmtpUTF8Mailbox:
-+ /*-
-+ * https://datatracker.ietf.org/doc/html/rfc8398#section-3
-+ *
-+ * Due to name constraint compatibility reasons described
-+ * in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT
-+ * be used unless the local-part of the email address
-+ * contains non-ASCII characters. When the local-part is
-+ * ASCII, rfc822Name subjectAltName MUST be used instead
-+ * of SmtpUTF8Mailbox. This is compatible with legacy
-+ * software that supports only rfc822Name (and not
-+ * SmtpUTF8Mailbox). [...]
-+ *
-+ * SmtpUTF8Mailbox is encoded as UTF8String.
-+ *
-+ * If it is not a UTF8String then that is unexpected, and
-+ * we ignore the invalid SAN (neither set san_present nor
-+ * consider it a candidate for equality). This does mean
-+ * that the subject CN may be considered, as would be the
-+ * case when the malformed SmtpUtf8Mailbox SAN is instead
-+ * simply absent.
-+ *
-+ * When CN-ID matching is not desirable, applications can
-+ * choose to turn it off, doing so is at this time a best
-+ * practice.
- */
-- if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
-- cstr = gen->d.otherName->value->value.utf8string;
--
-- /* Positive on success, negative on error! */
-- if ((rv = do_check_string(cstr, 0, equal, flags,
-- chk, chklen, peername)) != 0)
-- break;
-- }
-- } else
-+ if (check_type != GEN_EMAIL
-+ || gen->d.otherName->value->type != V_ASN1_UTF8STRING)
-+ continue;
-+ alt_type = 0;
-+ cstr = gen->d.otherName->value->value.utf8string;
-+ break;
-+ }
-+ break;
-+ case GEN_EMAIL:
-+ if (check_type != GEN_EMAIL)
- continue;
-- } else {
-- if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME))
-+ cstr = gen->d.rfc822Name;
-+ break;
-+ case GEN_DNS:
-+ if (check_type != GEN_DNS)
- continue;
-+ cstr = gen->d.dNSName;
-+ break;
-+ case GEN_IPADD:
-+ if (check_type != GEN_IPADD)
-+ continue;
-+ cstr = gen->d.iPAddress;
-+ break;
- }
- san_present = 1;
-- if (check_type == GEN_EMAIL)
-- cstr = gen->d.rfc822Name;
-- else if (check_type == GEN_DNS)
-- cstr = gen->d.dNSName;
-- else
-- cstr = gen->d.iPAddress;
- /* Positive on success, negative on error! */
- if ((rv = do_check_string(cstr, alt_type, equal, flags,
- chk, chklen, peername)) != 0)
-diff --git a/test/recipes/25-test_eai_data.t b/test/recipes/25-test_eai_data.t
-index 522982ddfb80..e18735d89aad 100644
---- a/test/recipes/25-test_eai_data.t
-+++ b/test/recipes/25-test_eai_data.t
-@@ -21,16 +21,18 @@ setup("test_eai_data");
- #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem
- #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem
-
--plan tests => 12;
-+plan tests => 16;
-
- require_ok(srctop_file('test','recipes','tconversion.pl'));
- my $folder = "test/recipes/25-test_eai_data";
-
- my $ascii_pem = srctop_file($folder, "ascii_leaf.pem");
- my $utf8_pem = srctop_file($folder, "utf8_leaf.pem");
-+my $kdc_pem = srctop_file($folder, "kdc-cert.pem");
-
- my $ascii_chain_pem = srctop_file($folder, "ascii_chain.pem");
- my $utf8_chain_pem = srctop_file($folder, "utf8_chain.pem");
-+my $kdc_chain_pem = srctop_file($folder, "kdc-root-cert.pem");
-
- my $out;
- my $outcnt = 0;
-@@ -56,10 +58,18 @@ SKIP: {
-
- ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $ascii_pem])));
- ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem])));
-+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $kdc_chain_pem, $kdc_pem])));
-
- ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem])));
- ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $ascii_pem])));
-
-+# Check an otherName does not get misparsed as an DNS name, (should trigger ASAN errors if violated).
-+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_hostname", 'mx1.example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
-+# Check an otherName does not get misparsed as an email address, (should trigger ASAN errors if violated).
-+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", '[email protected]', "-CAfile", $kdc_chain_pem, $kdc_pem])));
-+# We expect SmtpUTF8Mailbox to be a UTF8 String, not an IA5String.
-+ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", '[email protected]', "-CAfile", $kdc_chain_pem, $kdc_pem])));
-+
- #Check that we get the expected failure return code
- with({ exit_checker => sub { return shift == 2; } },
- sub {
-diff --git a/test/recipes/25-test_eai_data/kdc-cert.pem b/test/recipes/25-test_eai_data/kdc-cert.pem
-new file mode 100644
-index 000000000000..e8a2c6f55d45
---- /dev/null
-+++ b/test/recipes/25-test_eai_data/kdc-cert.pem
-@@ -0,0 +1,21 @@
-+-----BEGIN CERTIFICATE-----
-+MIIDbDCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
-+MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAXMRUwEwYDVQQDDAxU
-+RVNULkVYQU1QTEUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6wfP+
-+6go79dkpo/dGLMlPZ7Gw/Q6gUYrCWZWUEgEeRVHCrqOlgUEyA+PcWas/XDPUxXry
-+BQlJHLvlqamAQn8gs4QPBARFYWKNiTVGyaRkgNA1N5gqyZdrP9UE+ZJmdqxRAAe8
-+vvpGZWSgevPhLUiSCFYDiD0Rtji2Hm3rGUrReQFBQDEw2pNGwz9zIaxUs08kQZcx
-+Yzyiplz5Oau+R/6sAgUwDlrD9xOlUxx/tA/MSDIfkK8qioU11uUZtO5VjkNQy/bT
-+7zQMmXxWgm2MIgOs1u4YN7YGOtgqHE9v9iPHHfgrkbQDtVDGQsa8AQEhkUDSCtW9
-+3VFAKx6dGNXYzFwfAgMBAAGjgcgwgcUwHQYDVR0OBBYEFFR5tZycW19DmtbL4Zqj
-+te1c2vZLMAkGA1UdIwQCMAAwCQYDVR0TBAIwADCBjQYDVR0RBIGFMIGCoD8GBisG
-+AQUCAqA1MDOgDhsMVEVTVC5FWEFNUExFoSEwH6ADAgEBoRgwFhsGa3JidGd0GwxU
-+RVNULkVYQU1QTEWgHQYIKwYBBQUHCAmgERYPbW9lQGV4YW1wbGUuY29tgQ9qb2VA
-+ZXhhbXBsZS5jb22CD214MS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA
-+T0xzVtVpRtaOzIhgzw7XQUdzWD5UEGSJJ1cBCOmKUWwDLTAouCYLFB4TbEE7MMUb
-+iuMy60bjmVtvfJIXorGUgSadRe5RWJ5DamJWvPA0Q9x7blnEcXqEF+9Td+ypevgU
-+UYHFmg83OYwxOsFXZ5cRuXMk3WCsDHQIBi6D1L6oDDZ2pfArs5mqm3thQKVlqyl1
-+El3XRYEdqAz/5eCOFNfwxF0ALxjxVr/Z50StUZU8I7Zfev6+kHhyrR7dqzYJImv9
-+0fTCOBEMjIETDsrA70OxAMu4V16nrWZdJdvzblS2qrt97Omkj+2kiPAJFB76RpwI
-+oDQ9fKfUOAmUFth2/R/eGA==
-+-----END CERTIFICATE-----
-diff --git a/test/recipes/25-test_eai_data/kdc-root-cert.pem b/test/recipes/25-test_eai_data/kdc-root-cert.pem
-new file mode 100644
-index 000000000000..a74c96bf3146
---- /dev/null
-+++ b/test/recipes/25-test_eai_data/kdc-root-cert.pem
-@@ -0,0 +1,16 @@
-+-----BEGIN CERTIFICATE-----
-+MIICnDCCAYQCCQCBswYcrlZSHjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARS
-+b290MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAPMQ0wCwYDVQQD
-+DARSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRj8S4kBbIUj
-+61kZfi6nE35Q38U140+qt4uAiwAhKumfVHlBM0zQ98WFt5zMHIBQwIb3yjc2zj+0
-+qzUnQfwm1r/RfcMmBPEti9Ge+aEMSsds2gMXziOFM8wd2aAFPy7UVE0XpEWofsRK
-+MGi61MKVdPSbGIxBwY9VW38/7D/wf1HtJe7y0xpuecR7GB2XAs+qST59NjuF+7wS
-+dLM8Hb3TATgeYbXXWsRJgwz+SPzExg5WmLnU+7y4brZ32dHtdSmkRVSgSlaIf7Xj
-+3Tc6Zi7I+W/JYk7hy1zUexVdWCak4PHcoWrXe0gNNN/t8VfLfMExt5z/HIylXnU7
-+pGUyqZlTGQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAHpLF1UCRy7b6Hk0rLokxI
-+lgwiH9BU9mktigAGASvkbllpt+YbUbWnuYAvpHBGiP1qZtfX2r96UrSJaGO9BEzT
-+Gp9ThnSjoj4Srul0+s/NArU22irFLmDzbalgevAmm9gMGkdqkiIm/mXbwrPj0ncl
-+KGicevXryVpvaP62eZ8cc3C4p97frMmXxRX8sTdQpD/gRI7prdEILRSKveqT+AEW
-+7rFGM5AOevb4U8ddop8A3D/kX0wcCAIBF6jCNk3uEJ57jVcagL04kPnVfdRiedTS
-+vfq1DRNcD29d1H/9u0fHdSn1/+8Ep3X+afQ3C6//5NvOEaXcIGO4QSwkprQydfv8
-+-----END CERTIFICATE-----
-diff --git a/test/recipes/25-test_eai_data/kdc.sh b/test/recipes/25-test_eai_data/kdc.sh
-new file mode 100755
-index 000000000000..7a8dbc719fb7
---- /dev/null
-+++ b/test/recipes/25-test_eai_data/kdc.sh
-@@ -0,0 +1,41 @@
-+#! /usr/bin/env bash
-+
-+# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and
-+# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS
-+# name SAN. In the vulnerable EAI code, the KDC principal `otherName` should
-+# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox`
-+# should likewise lead to ASAN issues with email name checks.
-+
-+rm -f root-key.pem root-cert.pem
-+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \
-+ -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem
-+
-+exts=$(
-+ printf "%s\n%s\n%s\n%s = " \
-+ "subjectKeyIdentifier = hash" \
-+ "authorityKeyIdentifier = keyid" \
-+ "basicConstraints = CA:false" \
-+ "subjectAltName"
-+ printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name"
-+ printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:[email protected]"
-+ printf "%s, " "email:[email protected]"
-+ printf "%s\n" "DNS:mx1.example.com"
-+ printf "[kdc_princ_name]\n"
-+ printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n"
-+ printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n"
-+ printf "[kdc_principal_seq]\n"
-+ printf "name_type = EXP:0, INTEGER:1\n"
-+ printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n"
-+ printf "[kdc_principal_components]\n"
-+ printf "princ1 = GeneralString:krbtgt\n"
-+ printf "princ2 = GeneralString:TEST.EXAMPLE\n"
-+ )
-+
-+printf "%s\n" "$exts"
-+
-+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \
-+ -subj "/CN=TEST.EXAMPLE" |
-+ openssl x509 -req -out kdc-cert.pem \
-+ -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \
-+ -set_serial 2 -days 36524 \
-+ -extfile <(printf "%s\n" "$exts")
diff -Nru openssl-3.0.14/debian/patches/Configure-allow-to-enable-ktls-if-target-does-not-start-w.patch openssl-3.0.15/debian/patches/Configure-allow-to-enable-ktls-if-target-does-not-start-w.patch
--- openssl-3.0.14/debian/patches/Configure-allow-to-enable-ktls-if-target-does-not-start-w.patch 2024-09-01 16:30:36.000000000 +0200
+++ openssl-3.0.15/debian/patches/Configure-allow-to-enable-ktls-if-target-does-not-start-w.patch 2024-10-27 15:16:28.000000000 +0100
@@ -23,7 +23,7 @@
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
-index 1155d9859c56..4c12034643f8 100644
+index e74adb50cc3c..a3d7a2d184ba 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -700,7 +700,7 @@ my %targets = (
@@ -36,10 +36,10 @@
"linux-latomic" => {
inherit_from => [ "linux-generic32" ],
diff --git a/Configure b/Configure
-index 40c03ad0af32..76df19ef40d2 100755
+index 0c60d1da1659..c9cc885e1f71 100755
--- a/Configure
+++ b/Configure
-@@ -1716,7 +1716,7 @@ unless ($disabled{devcryptoeng}) {
+@@ -1715,7 +1715,7 @@ unless ($disabled{devcryptoeng}) {
unless ($disabled{ktls}) {
$config{ktls}="";
my $cc = $config{CROSS_COMPILE}.$config{CC};
diff -Nru openssl-3.0.14/debian/patches/Fix-tests-for-new-default-security-level.patch openssl-3.0.15/debian/patches/Fix-tests-for-new-default-security-level.patch
--- openssl-3.0.14/debian/patches/Fix-tests-for-new-default-security-level.patch 2024-09-01 16:30:36.000000000 +0200
+++ openssl-3.0.15/debian/patches/Fix-tests-for-new-default-security-level.patch 2024-10-27 15:16:28.000000000 +0100
@@ -1407,7 +1407,7 @@
},
test => {
diff --git a/test/sslapitest.c b/test/sslapitest.c
-index 2b1c2fded322..34c33c1f97dc 100644
+index 97cf0f3ef092..d8486e1fac19 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -9762,7 +9762,8 @@ static int test_set_tmp_dh(int idx)
diff -Nru openssl-3.0.14/debian/patches/Harden-BN_GF2m_poly2arr-against-misuse.patch openssl-3.0.15/debian/patches/Harden-BN_GF2m_poly2arr-against-misuse.patch
--- openssl-3.0.14/debian/patches/Harden-BN_GF2m_poly2arr-against-misuse.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssl-3.0.15/debian/patches/Harden-BN_GF2m_poly2arr-against-misuse.patch 2024-10-27 15:16:28.000000000 +0100
@@ -0,0 +1,199 @@
+From: Viktor Dukhovni <[email protected]>
+Date: Thu, 19 Sep 2024 01:02:40 +1000
+Subject: Harden BN_GF2m_poly2arr against misuse.
+
+The BN_GF2m_poly2arr() function converts characteristic-2 field
+(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
+to a compact array with just the exponents of the non-zero terms.
+
+These polynomials are then used in BN_GF2m_mod_arr() to perform modular
+reduction. A precondition of calling BN_GF2m_mod_arr() is that the
+polynomial must have a non-zero constant term (i.e. the array has `0` as
+its final element).
+
+Internally, callers of BN_GF2m_poly2arr() did not verify that
+precondition, and binary EC curve parameters with an invalid polynomial
+could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
+
+The precondition is always true for polynomials that arise from the
+standard form of EC parameters for characteristic-two fields (X9.62).
+See the "Finite Field Identification" section of:
+
+ https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
+
+The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
+basis X9.62 forms.
+
+This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
+the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
+
+Additionally, the return value is made unambiguous when there is not
+enough space to also pad the array with a final `-1` sentinel value.
+The return value is now always the number of elements (including the
+final `-1`) that would be filled when the output array is sufficiently
+large. Previously the same count was returned both when the array has
+just enough room for the final `-1` and when it had only enough space
+for non-sentinel values.
+
+Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
+degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
+CPU exhausition attacks via excessively large inputs.
+
+The above issues do not arise in processing X.509 certificates. These
+generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
+disallows explicit EC parameters. The TLS code in OpenSSL enforces this
+constraint only after the certificate is decoded, but, even if explicit
+parameters are specified, they are in X9.62 form, which cannot represent
+problem values as noted above.
+
+Initially reported as oss-fuzz issue 71623.
+
+A closely related issue was earlier reported in
+<https://github.com/openssl/openssl/issues/19826>.
+
+Severity: Low, CVE-2024-9143
+
+Reviewed-by: Matt Caswell <[email protected]>
+Reviewed-by: Bernd Edlinger <[email protected]>
+Reviewed-by: Paul Dale <[email protected]>
+Reviewed-by: Tomas Mraz <[email protected]>
+(Merged from https://github.com/openssl/openssl/pull/25639)
+
+(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
+(cherry picked from commit 72ae83ad214d2eef262461365a1975707f862712)
+---
+ crypto/bn/bn_gf2m.c | 30 ++++++++++++++++++++---------
+ test/ec_internal_test.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 72 insertions(+), 9 deletions(-)
+
+diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
+index c811ae82d6b1..bcc66613cc14 100644
+--- a/crypto/bn/bn_gf2m.c
++++ b/crypto/bn/bn_gf2m.c
+@@ -15,6 +15,7 @@
+ #include "bn_local.h"
+
+ #ifndef OPENSSL_NO_EC2M
++# include <openssl/ec.h>
+
+ /*
+ * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
+@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ /*
+ * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
+ * x^i) into an array of integers corresponding to the bits with non-zero
+- * coefficient. Array is terminated with -1. Up to max elements of the array
+- * will be filled. Return value is total number of array elements that would
+- * be filled if array was large enough.
++ * coefficient. The array is intended to be suitable for use with
++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
++ * zero. This translates to a requirement that the input BIGNUM `a` is odd.
++ *
++ * Given sufficient room, the array is terminated with -1. Up to max elements
++ * of the array will be filled.
++ *
++ * The return value is total number of array elements that would be filled if
++ * array was large enough, including the terminating `-1`. It is `0` when `a`
++ * is not odd or the constant term is zero contrary to requirement.
++ *
++ * The return value is also `0` when the leading exponent exceeds
++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
+ */
+ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ {
+ int i, j, k = 0;
+ BN_ULONG mask;
+
+- if (BN_is_zero(a))
++ if (!BN_is_odd(a))
+ return 0;
+
+ for (i = a->top - 1; i >= 0; i--) {
+@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ }
+ }
+
+- if (k < max) {
+- p[k] = -1;
+- k++;
+- }
++ if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
++ return 0;
+
+- return k;
++ if (k < max)
++ p[k] = -1;
++
++ return k + 1;
+ }
+
+ /*
+diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
+index 8c2cd0563169..02cfd4e9d885 100644
+--- a/test/ec_internal_test.c
++++ b/test/ec_internal_test.c
+@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
+ }
+
+ #ifndef OPENSSL_NO_EC2M
++/* Test that decoding of invalid GF2m field parameters fails. */
++static int ec2m_field_sanity(void)
++{
++ int ret = 0;
++ BN_CTX *ctx = BN_CTX_new();
++ BIGNUM *p, *a, *b;
++ EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
++
++ TEST_info("Testing GF2m hardening\n");
++
++ BN_CTX_start(ctx);
++ p = BN_CTX_get(ctx);
++ a = BN_CTX_get(ctx);
++ if (!TEST_ptr(b = BN_CTX_get(ctx))
++ || !TEST_true(BN_one(a))
++ || !TEST_true(BN_one(b)))
++ goto out;
++
++ /* Even pentanomial value should be rejected */
++ if (!TEST_true(BN_set_word(p, 0xf2)))
++ goto out;
++ if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++ TEST_error("Zero constant term accepted in GF2m polynomial");
++
++ /* Odd hexanomial should also be rejected */
++ if (!TEST_true(BN_set_word(p, 0xf3)))
++ goto out;
++ if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++ TEST_error("Hexanomial accepted as GF2m polynomial");
++
++ /* Excessive polynomial degree should also be rejected */
++ if (!TEST_true(BN_set_word(p, 0x71))
++ || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
++ goto out;
++ if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++ TEST_error("GF2m polynomial degree > %d accepted",
++ OPENSSL_ECC_MAX_FIELD_BITS);
++
++ ret = group1 == NULL && group2 == NULL && group3 == NULL;
++
++ out:
++ EC_GROUP_free(group1);
++ EC_GROUP_free(group2);
++ EC_GROUP_free(group3);
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++
++ return ret;
++}
++
+ /* test EC_GF2m_simple_method directly */
+ static int field_tests_ec2_simple(void)
+ {
+@@ -443,6 +493,7 @@ int setup_tests(void)
+ ADD_TEST(field_tests_ecp_simple);
+ ADD_TEST(field_tests_ecp_mont);
+ #ifndef OPENSSL_NO_EC2M
++ ADD_TEST(ec2m_field_sanity);
+ ADD_TEST(field_tests_ec2_simple);
+ #endif
+ ADD_ALL_TESTS(field_tests_default, crv_len);
diff -Nru openssl-3.0.14/debian/patches/series openssl-3.0.15/debian/patches/series
--- openssl-3.0.14/debian/patches/series 2024-09-01 16:30:36.000000000 +0200
+++ openssl-3.0.15/debian/patches/series 2024-10-27 15:16:28.000000000 +0100
@@ -7,4 +7,4 @@
Remove-the-provider-section.patch
conf-Serialize-allocation-free-of-ssl_names.patch
Fix-tests-for-new-default-security-level.patch
-Avoid-type-errors-in-EAI-related-name-check-logic.patch
+Harden-BN_GF2m_poly2arr-against-misuse.patch
diff -Nru openssl-3.0.14/debian/upstream/signing-key.asc openssl-3.0.15/debian/upstream/signing-key.asc
--- openssl-3.0.14/debian/upstream/signing-key.asc 2024-08-15 23:44:09.000000000 +0200
+++ openssl-3.0.15/debian/upstream/signing-key.asc 2024-10-27 14:53:13.000000000 +0100
@@ -1,376 +1,29 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
-mQENBFGALsIBCADBkh6zfxbewW2KJjaMaishSrpxuiVaUyvWgpe6Moae7JNCW8ay
-hJbwAtsQ69SGA4gUkyrR6PBvDMVYEiYqZwXB/3IErStESjcu+gkbmsa0XcwHpkE3
-iN7I8aU66yMt710nGEmcrR5E4u4NuNoHtnOBKEh+RCLGp5mo6hwbUYUzG3eUI/zi
-2hLApPpaATXnD3ZkhgtHV3ln3Z16nUWQAdIVToxYhvVno2EQsqe8Q3ifl2Uf0Ypa
-N19BDBrxM3WPOAKbJk0Ab1bjgEadavrFBCOl9CrbThewRGmkOdxJWaVkERXMShlz
-UzjJvKOUEUGOxJCmnfQimPQoCdQyVFLgHfRFABEBAAG0H01hdHQgQ2Fzd2VsbCA8
-bWF0dEBvcGVuc3NsLm9yZz6JATgEEwECACIFAlPevrwCGwMGCwkIBwMCBhUIAgkK
-CwQWAgMBAh4BAheAAAoJENnE0m0OYESRoD0H/1lEJXfr66rdvskyOi0zU0ARvUXH
-jbmmYkZ7ETkdXh7Va/Tjn81T3pwmr3F4IcLGNLDz4Eg67xbq/T8rrsEPOx5nV/mR
-nUT97UmsQuLnR2wLGbRBu24FKM7oX3KQvgIdJWdxHHJsjpGCViE1mIFARAzlN+6p
-3tPbnQzANjRy7i/PYU/niGdqVcMhcnZCX5F7YH6w6t0ZmYH3m1QeREnWqfxu7eyH
-sIvebMgKTI/bMG8Z7KlLZha9HwrFXQAPIST6sfc1blKJ9INUDM9iK6DR/ulkw7e0
-hmHLqjWqYs5PzyXeoNnsPXJt69wiADYqj4KNDIdNp1RoF9qfb1nE+DM6rga0IE1h
-dHQgQ2Fzd2VsbCA8ZnJvZG9AYmFnZ2lucy5vcmc+iQE4BBMBAgAiBQJRgC7CAhsD
-BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDZxNJtDmBEkWP+B/0SsWSeLGo+
-viob8935Uirei4FvnzGOUV1w/dgDLSzavmysVxb4q9psp1vj1KEtm18vzZO79AeA
-RGwWTQYGmFmrNRWZ2DgbjGyJ4LS5kLBqQ9FaF7vUFtml6R04yx+RTgQTg601XsAj
-eU8uSarmeZgGVMAInsdMrUc74lJeWKSnovr4IFOdgiU/env19tK355bsfTvb0ksE
-5Q7wnnoRXdLyNet0AWf4ednWDEnRb6cIVDF28URjxH6yIfqAVe7VnuDB4Sfuck4R
-4gYFS/xGfTgocPUDZ4rUz8wleGLwDIiU7GpilmtZTl1FTPkFa/mqbcJgdVTJqLZO
-5vISJkZvqE5UuQENBFGALsIBCADPZ1CQBKbFQWMCvdjz/TJaNf3rV6eiYASOvLDg
-icU8Mwa208yJXr1UF6lvc3Tgw+jmynIBjbhvhujcJ+eD+jHEaXdncaK/WAPsmiNM
-k+glZ4cbF48HP77kOLQQC+rX7jAF0VSHhFZNtnCpOByQevCJlwgkXckYvRyBOYk6
-2R7BwuLIwLIq4ZXNKPIVN4KpCodhIcGuvlPJczcdOoaBRGcSFUbXqM9Y8whyJhex
-F87RHAyGpjvLnJFSgLimyYBRpFN25LzYFpXPD4MeLUVDSRgtSxOJ2KmkhMHntUqQ
-P1XsIgzm4/ez6Mwkxc0QlAQp0r2gJU56QPdE5zgx+2q/i+WhABEBAAGJAR8EGAEC
-AAkFAlGALsICGwwACgkQ2cTSbQ5gRJELNgf/elwfYchaV/24buNWDa+50gOuXQ4v
-Xfj5DKry6aYnJBt1UeMV1ssMxCU8OltgzTMhTupjrXV1oDXYAxexymWLxwa+qcrb
-SwDD+wX1gb1O2GOfbiplEnOb5dDc7Gkm8eTw0kBJEiAiyPv4SMLhFzm+me4Dq1+x
-dbsvN05hxTjow9pi5eYrFMxYWi1ZNH2UmPpgoIN/4p28G/IN9fdWG5Ni315p3WhL
-HRMzC609IOsCIJsm8+lHVblT30jxpctFVlQBtbDTzgqQLiaTVevlca3VYgMd70D2
-8d186gxUtSEpZ3dKkv+0V8DLhQ6VR/wQ780HKIpFp6UWP5aDxpEoOEwe2pkCDQRg
-8UwlARAAotCdQIMF8Y6wFfxmpuaOGmUlXDxQXDtG31jC+Zk/GVHN8TtXK+eQ7HG5
-F29uzivxUna6tWD+/qQrUmTrLTT2P+5OFczUtaPFaDMyWdywIlyOVgfyxxfF0ssx
-rhRHKP1U9YY072/BFtipXAQkemNts+Vpta1S6ru0PG/339fjP5GljOgRYlCqnwWX
-aibgwzRURqha9CYwqJdA9b9b6JZZutdjgESqc7lEjhEXXNdbrYnZBooWoKSQ8j+W
-vqh2eBjc2ZGfgQXbrmQzFHRCoCtvD4tD9DZte10c19Tn9bl6IzL66KL+yvwZG6b/
-rr2aIkhAHg/hv/k8pPVS4Zso4vT/tJcGMh29wAoEt8BJc+wmcBYAd5IybzF/dzpQ
-gDK7hYbf/uoULtM8dSj8cfueY/8O6Elcx/GZmDQ+ZDOM5RlZycSZOmgbvJWjgEWc
-OxBDc93PoXYKPgvpF6LLTbG4rkE0J5RRWiDO1MtNvcFp5QikhJshJVvWQR5z4XIo
-YvFm36EXU3HXzK2sQhCFNRv6FcWCn81dpKGU0pMD6aiWHJMox7O2Xs+QN81ZQFzx
-RFSxAhK9NhEqVsRWm5PIrQM9KDGUp+bW95QR7NVxag7yWqjBNbp2rI49OmFLg4Ch
-8QlmS8aP3HyUa1cZUXLA4Gd7OD48SpAJs1F7ecm+ytxFVg0K4tMAEQEAAbQbVG9t
-w6HFoSBNcsOheiA8dG1AdDhtLmluZm8+iQJUBBMBCAA+FiEEoh+rdLAIiqNhFSWG
-uO8aa6naLVwFAmDxTJECGwMFCRLMAwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AA
-CgkQuO8aa6naLVxBqA//QskRTPLc3HULEAXkHsChkxnSbz8fbGgyzuhFclPZRMvL
-yyjB55gJPvZslQX9FB8Qo1WW5b1xC+lP3giDVvEwbvWR+egDJD0IL32ZBCq6QaD9
-sn5APf9q3woXnO45BVMAK1igAfIciz4gAV3Zt70WTIYgQLBU7/a3a6/PVpwL3HfT
-lz8axDO5jZJAg1JUZH0cHcUns0rZif9fGzOZa5UeA4/TGFDonmCArLv54dbvQvkA
-zhq7qP8ZLuwfO6lUpyjODMtvP0bUnho0wTcN0DxJrpgKyDTVAzWW3t3viJtt5erc
-j+55rS26NMD3EQfauCtRpZnnKs0oC7HX/GAjmSmsfQy2gNn1lSQsqdtlI5Aph5FY
-Hl5gcp3VlXX2MiTuCxiYTOwX5lhmv8iESkSmRpSWr0WPlAJH6pFwm84RQyDMkU1N
-86iXyXF61Q7JbwdZjGwRiEe4Ji9h0k6DbzeRNsYhGph20jr9M3tFcOQNTPEu9Yvo
-y1Enpxk4Iy3budviu0hi7coRv5AOTabzMgiwTmGfuBz4GyMCi5XJuUkSes+LCi0m
-ZlOxyzKevY13xkKo2GyaFBB7ArCznlTBojlWaqGVkFnDB8vVbzgNBVceNca6XQy3
-7fWnfnDP6GomFxFoamEZwTOXiB9AdxzpP5Ji2enKzRPl+cRtaoaGYALqzDK4jxW0
-H1RvbcOhxaEgTXLDoXogPHRvbWFzQGFybGV0by5jej6JAlQEEwEIAD4WIQSiH6t0
-sAiKo2EVJYa47xprqdotXAUCYPFMagIbAwUJEswDAAULCQgHAgYVCgkICwIEFgID
-AQIeAQIXgAAKCRC47xprqdotXHrLD/4xu3Rb/2BCJ+6eO8APqvuNyqK45PCy6XW/
-mIVRKV4Cyt8lDTnIIbPnvlMUpUuIw1fU4aSoARIEwp+lfLxFnuXY7y1XDlDRv8Md
-95LGSgzq2bdqhs8/VQXdrq9dNB4wN4mxgpTI3ITEAnLZQBwQiP41e4PUrxSB6/6h
-Ag56+dJYeJDXgWR/+oGBJwdVKpHPu8v9IKKZN5BHMTtNKio/XfED2rbKFhTgVujk
-9JXV+ZtfRC/seCrtv2sgcJqG7EMo93A1fHCTfUMScQdQKiwClyt16REPEFBEaK+m
-doELvWwkaEApd17vpX6odoJn6F6FomRYp6AcxBE7SCxFHTWtjLCYXjblck3/lv76
-38gClZew4D5Pp9+tH68ZkfJ+6ZEqQ6tdrPSeHopl+2lJW4Q19l4jKP5BktqKNrpQ
-dPN6CatPVIniNmnMESJ+nxQDl8eAq/SEQJyrbxsU9185AyfFpAv/kBO8FpI7Q/fe
-JA9iX9RgqhSFj8fifPFV6eVG6GzhDWARlr3OT5IueNWhSpF3uZryvZ9hZk93zngZ
-8oU9uye/VGEpDoPWZNKO5XCyr4F906jsEa8DDhqsgSKx5C6ayG3l+SjgSMr7aL8k
-7qt6YhejnHzmLmSTnFeC551ujpPbIImtVoKjcifhUnUperS2m83DOrGdSPLZlweA
-XKBxQfTdALQhVG9tw6HFoSBNcsOheiA8dG9tYXNAb3BlbnNzbC5vcmc+iQJUBBMB
-CAA+FiEEoh+rdLAIiqNhFSWGuO8aa6naLVwFAmDxTCUCGwMFCRLMAwAFCwkIBwIG
-FQoJCAsCBBYCAwECHgECF4AACgkQuO8aa6naLVyVHw//ahSVEV68q/P1ISiSAGEG
-sHN64EgnjGkoutH4D4bXgX/VTwOcPODii7Z2RXD3KbxqWh7kcY/pnITkqNh5GM+3
-rHk7Fm34Lg4gTX9bANCFuv1nyI6nxpYsP4pC5/5gPBoC84DzxIhG2R/oGfidbbcb
-9eRPHVlUmCCyXJ+1S1/BIGHPd7moj23HOsBt6gc+VA+xVuqYOgIxIc+o+MkAav3Q
-FFC/Z3668fKeuePGrJQEeQO3tZFj0jJK1w+hAnZSfC0Xmj44lq7ywrX9THJgECZF
-1/Tyx7T7ZF830/exnXBFrTxd6qbvZPICt0Av3T6AAiLA1FNfprmqpUQdwKMy1RW0
-idpANAapx74Qfu3CAf2ZAGrIiNYyfVz8CSZ82RpURRiZ1IOjEV//xSL5clYvoRbd
-Q0NrVjKOqXrtbDQwzjWCi+/zYRXnSYSEaGFIkLXBLlqrU4zlJ+xK5GgtsqvIc1oG
-Antmn8tbFL8g7VI7pXVUzc1dYnODDwvkGeWRMNrh3z9qBC5Sts1JS2SKbQcL4M6s
-OanMY9JwR6Gg00ciV61w1n/w7Mkug39bfFInaHOlt8zRISm2m702+ILVo4Yf0Hsy
-TbckUoOEmdmcfhMYAJ4BXYSlJNNV8rS3BKmB4zozumR6T9P/hO0/Mme7CMOQJwQv
-5pE26qeTbG5P7KaDdFpez2W5Ag0EYPFMqAEQAKYlkax43RLvRadsneyvd1abbbAF
-hnmaOmnQO5Cq3QfgxcMkHUECBhdTKMcym963DtrMaFP0p2P06cXVW0jtu9TC1HKq
-BHORfrsbl7KeE8ebOol2PcU8EHgYvKQFEEi5VnP8qGpBeLGoRvuftDVA6XYwhHr0
-cNpx1WzG8swAoAdFURK4aWOoDgSuy5B8FwBF4daTfN+j9bNwyyyJ46DOdCBkCSyd
-/P3QXln/Zaiaw4n95WfQa+4dsR1YWo/tPIlihV2/jA5FupVzrk/gPKcxym89U1Ya
-KYnfTTnMPMLNNFZ6vUdP3YZPhU/NVyQuhpqAYtho4yqSzTM3wROiJCY4Z4DGPVs+
-bEn14cndMe2RnUt8PUoiF16McN+cKAtf1HukFWrJv5XQjUjR+t8vBuW+8DQPOP34
-VWvf07oPM8s0Y/aeRnu29cjG7VcvUXrfHtcQd8jiR/K48Jndd6HDQaxWIQ+G9fj9
-A0nK+E27q0d0uIMM2sAdo7iE6BC0BrHkfJ0IPJOhZOb2fDGmLJTFNs2ux2t+/QvP
-gPYdAtpqG6rcOxqvDcwx9h+AYKctAnvAclp0RxCK2XCuL2Q08wX1vpWCQRxZTXNJ
-oXldooer45s/eNHGpMy7xheuVAOvbbEvEP97Fh9kCxU8sHXBFGTYGUVp3JwGiziP
-58NcnXoMPBfrNQCxABEBAAGJBHIEGAEIACYWIQSiH6t0sAiKo2EVJYa47xprqdot
-XAUCYPFMqAIbAgUJC0c1AAJACRC47xprqdotXMF0IAQZAQgAHRYhBNxwMmYq+IXi
-9H8kP1J0ZqIcp55tBQJg8UyoAAoJEFJ0ZqIcp55t7/kP/jaWELjvtGue/qLcL7jd
-8aDLDpoop4J3eruX3n4vKgox4GCcZ2UIYoZODDsomOOgsSSJhSiOjNdx+UpbLmhj
-G5de3+VfHRO61Aw/Q/bQ+PoVXudOFLAHamihxYRPMcliduIrfS5iF2N+fHEO4Jvx
-MwP8AihHs9WfyFJceoaxugZwLhOhWIS00LeVnAhmwNeyO9jNR+dK1/H2tPKjoOK8
-8jRDnrM9WriN6bdVTsv1SaO1fqDtss+DTRgaowjdZjDpgZdbwZXWc+KGSb6qAhYM
-eAY+IfCx4pcoNjlmVeF4e31Bh9v0SHXwGIQk8+PeTdbHQx3sPUHNzz9L1cs8KAiW
-NpqAomdeitKNtea4GACXGNiggorYY8PpLR2fxNdPHJiSRNGVxvbBVXRegBxBKH2m
-EYFxL8BTsBAZ8rQKtpdXj5pU3unruf4UjGJWp/d2KbBdraJfo8OxfmrKYCtiT1qg
-eBbLqcZ77wL8xga00xnwi+M+yvP+kJmKyQQcsdFv5ZBbHmxHzs9EmP0b7GhkNyxJ
-kJG5/gs9nNj8JiLmCYrLpxzQtax+pRdWtfQ9paXvNhId07FxLII7ctvrIbh7Cgl/
-7J0mvs8kqjG7BOqP/AKrrk+7ZHRzta2H69337yHl/B1Y+jSptXspOrsghHG9PI6g
-VjhvLc6TbejyL4sq0Eayvp3Ei48P/Rk+C4WSp3yzOaVQBVdI1an9vZVYZERw3ojZ
-naa6qb1t+XAEuyx9sL9sRo+PsBmiZpLK7oiY9irTQFmvu1L3eMb57ay9xfZBuagt
-OIk8fZ54OKpYmQCNcBsU/3wCkteuS+bHU10b3MsKJLIcbbD4Al3B/ydr/yQugRp+
-OKPKqPwixiGkwZOlfDX2OGKjRcjGjEQEEkPT5NCl0MbMHcQEmmM002/d4JrqDu16
-yLu2ntZaaXi9xweYUNP8xdXFcwqy1337BGTVVv9f/VWponEzlj/HVf8pTfOnezb3
-yZPC+zvmCLBCmIShA3wlyGaxe2J7vUglokfCwKsWaQcdv+paJpkCe0ZSqxwZFlBs
-gvFh2K/7MTkctLsUnrxhXHytrBTJ6SyYQugvN9DtOQekhU1k6w/XPzQtkgw1kAq9
-U7ndxmet+AaME5UEYCaRiXNrOMDjGgEZ4Vba/xmUIXwszoXGhwFTAV9BRHHvi5LY
-oRJ8xCSYHP280x/rd3yFvG0uHOuWJcAszAidaGMgC5Q9QZWesIRUlVGa6LmFbvHY
-ieAJX/foXGDlPxp28ot2xW0RoQVc/JQd03BHj9NvoEkhQ+4g4tlrd4ZJmGGk+5N2
-BjNpLF3UNuUhjNWluHa8WqgI+bGePDl0zDU/Yq2t0y/6P16ehkYVRPIjpSSmxqKg
-vsHIR5jiuQINBGDxTCUBEADfyegcqR2Ls6sFQx/IawkCdLPSNXxXYrutLmni00D3
-gdiVcFeLfVmbDOplTBFGSRiKG5NmORRcy7B7Wz5UrOzF7S4ZS2tOYojF6qGbEuxG
-CPhgzTujj9Y/IfTp9iJORJyv9HVhkIJUmP68sPuUoXQIx0neIQkbwcX1+xSRja7y
-JCKfAMZU7zQUMrkeK5bjp30tS1xQ5Wk1sUQGQSXQfxsgGwqippH25F2WzGRQPdxN
-rJKyyeugj4GivN6/g1IuvhMrzik5GcNDlOktJO8U+GdX9AG0vzjeRvMIy78Srvk5
-ndixyzFEzIkkO/ytIsOPqZrNfjDgVhQ1/Gkv6aEXtDUu+/USJPh8uDhu/ovUaX+M
-FPmdkB21GK7p+oe/kckr/hNu0FgoDbgHZthfHCLMUNwdJgGqan9hAiJDWz37Q5b/
-4g6swMQKGzSc5bCkK3EZhDyDqjcYt0z/h/OXpMB03cMHT2+bvKYHoaQ7pnIsh32G
-ewN3jZekbm0DCFkIEM8VG63lCZCox8C6KpExw2nyXiiO/tpyCOK96XkHxDdI2eR0
-lx0x7uOdtBVARzbrb7h6gstJ0K4b6FxHw+MKGJNuzjsEih7tWXRBWuoiR3gFtH+q
-UjjJBDA0bRVr9P4VaTQ24QPowLMMw+Pl2A5PsWXQzjbmvYpzvd9DBiNgbC0NZKLR
-UwARAQABiQI8BBgBCAAmFiEEoh+rdLAIiqNhFSWGuO8aa6naLVwFAmDxTCUCGwwF
-CRLMAwAACgkQuO8aa6naLVwVNg/+Lxf+Ra5D8+/I0pe2De+4HP7E6QRjIUMYWcSq
-X/vMRP6IoPfxfdATCmhQH5QoYhDD3Pg49FawhsD9sTE1TuCe5cO20690QbhE7lav
-Et14LZk5V8KEUC/dV7aBowI4X4KV24vwxMmevt+EMDGK+O+K7CojLAXDEp1kw7qk
-apBWAGheC0Ww+kZFnJPgu5OKbPyiH5RCokhLr6Y5NU6Ym8KErfsyHmSOrrEi1mxn
-AA6p1x3tBgpVKnDGGyIC81cl0EM1L368AM4vF731vvEIT/geaGU+svGAQzR0A3CE
-wuDmGlR2J2VkvrT7T0GSuHbgJWUXf5QcSj2zVnnubnz4eQCxQCDaQVj9ApxylY/z
-93wXAq89mWGh+YkJqoUmyd5chSiaEEIK3J1m5zliPdQ3YZrxNhiMp9SSRBU9mEKk
-R+dnQ1+YDpeTnME+z8VdY3NN24WbDgspQaKtWHfYg91NG4IqiO9XRma12amkM7oo
-AkcZb/Jxfe0lBiwwrr6guXo5nnEAWJiwq4CIkXCPhV0lZ2YVGJHgW4PbFwpWvJgo
-MRdUYR9kvc/W5ayxH9q/pf/D9PiFppmk7wm2e5CK1LGxr+xTQrm1QN1F3Mz6w0e4
-UAv8TQF9UVzBjZj67vcFbYJ5+9lJ3qA/3S2GOuVP2RSzXkAJ6vXN1SSkNkyHY7xm
-yf5OKseZAg0EYCmvuwEQAKjJzMcw2BaJWDiMyO12RvmPtywo90XHwHsUk0wWsv9n
-8jUGPAxNDt/Eq8M3rPeaMAwqFT7AIv29RJIxS3LN79+jHT2fziNgPA3effujOSuF
-wMHTWJqIoIJ5E0RbqZ5Ozf9ok8YLOcg6T+QweWdmdA9xKmEh7Gj9lTIHn2HqybPY
-u+hNmDRp5l4nB7Rx9pWdZgDVr3Cv5AkNDBGQSp3LvvZwzTc+Gz+xFZ3j6cGo/VfF
-aVffRiNUaMOxjeAf0ADLihSdvu06aTlL0Ugq4x2SRZ5TQBubz/fo59nIwVtkMAxs
-7yLe6fh4hA6Dm2PKdJdh6XeeUn9/ChId58+Bq8KQF2SeTzjYsz3Gvba34gqbL325
-bsUOq+PBs+gyDrPYlquXQWq7caEiMKYox7pMF+RjAHh+nkq3NHCtKMOjXq+Qygzr
-2ZeoDvB/UlX4Eq8TpBN4823yLHiJvlzqY86sWdgbVfe2Q05zj+ropwZu9LXExrHX
-arb/NJk+agm/NZOtIXyVANkqMydeeGtkxjyHuW79ATgNDUz1TU8V1/q/Aus1ocd+
-L+tYpN5+ysanZMipTiWbjmnR8OuhioMwv6CnxExRkFTwzjAbCGW50SIKg4WNe7YQ
-K++CsHskeuH4W0y65E/HirZ5E7vk16kN9mqanjw8iqS3ZvdWOKw1x4HvS5iJRDZ5
-ABEBAAG0HVBhdWwgRGFsZSA8cGF1bGlAb3BlbnNzbC5vcmc+iQJOBBMBCgA4FiEE
-t8HBQ2DzU6NoYuTVIxyEzdzGnEUFAmApr7sCGwMFCwkIBwIGFQoJCAsCBBYCAwEC
-HgECF4AACgkQIxyEzdzGnEVrRhAAgCec16Tf5Rdkv+7hHqGz+UmikL2n8wVsKcvR
-vXNmdvMptu9rXQ8Dc8S/6zOHKUMp4MhsMoXXISMjgFM0ItLywsoRlZItMxbUxmGb
-FablN0V5uGiPpOON/GZ7gRPKTf6/eELdiWbSOKoccSu61EA8hbVUMVBXEpk9qy/X
-KPdg2IFKS1NIfUyNlm2UNiOn3PdVNzO+s7cEEklLFDkJjvj2kTC2PB0tOo5W2gkv
-y2Fncn2NKdIOyAVWn+k81XHFX3xh3z0mozfgy864PeNhI4S0xQImAwVc1n9zb4Gl
-atf6yw+qtj28Guruj3Ur45AdtvhnWmMr93MOrXzcTfa5M5htyjuBr8moTtz33vNj
-R+BCwjOF0S94LigzJ3PAdD1bMdRhHsC1OAX2QqxMfLwfrJ7e5okwgxIR0C8jibEb
-+T/Mb9Aqsi3WdQmH8zu67YhP18z4ChH7ZVXW7W+KbGkKk5elMHiZMhHlh+JpF9ec
-ebnmKr+h3FWP/JWoVRy6PL5gL1ICgpEYlFBXQpm6vXEA4myDBQnWJclnDKmjCQjn
-2OnCXapYJ9khLVmukh5uJWThkFocN7W/Xvy4s7chqxlHscu9wPsRJfxTzyeDwnWd
-cer5RzviPkNzoIxN3lZhOQW+GM7fcmIedwrwItg4Wyd0gZe2z84SGnTw3kkQscJ5
-K67hQhu5Ag0EYCmvuwEQAM1DrDqNA2rFbEcOMnNxdyVAkU8HaqVP/l4xrtB45iIn
-kOZjZVA/QyW2SatzxP8j019EWloHtn7zMTmWaNKLc3l9haOGhmn2g/RZh9It5/gq
-kPsp8QRNoGiGfxzDQq36eYQ33TjD2SksT5YC8PSpEqeKVwJRYTkSzvX1bx0yH/xw
-HoWIIjnybIi9XrfINXUOI3IRwo15qwgUXyfcUJ3SBY9ddL0V7ua5CkgngtvanfKW
-pxj1RpTyf4tABvUsvWQLjrwxTQsGGGQKdnYFpxacm7smvNDU2KGT4lHJe3RABFyC
-whO3z7etB1kNvqjqNOLEKU1c4nYsZkwAjY2tCml+fe4GfLTq97J172XeuLC05jCo
-R8RO3o413LSA53jN6U86d8y3PAN48LSbRvmJs2wwZVga7lua7hcVmuTyK9wCISDh
-Mkdxi1SZ443K6GZoJtwbyKfQZm9SBv9gtwGksGEUVRR3UAsF+LpxeW8WVJTQcdCg
-1EgDIW0LUNBoA5ZD2/bUpIXrMUb1CDfIcrL7EGNeN+nQhk6o3mOuZfFt+X/4tapQ
-cPni2ZKIetR/UKJbqej7hYEj1/r/5AJUsUGhK2U2ChG385whearVxMnalNI+XdLT
-4ehsIRqWUQYQNeqwbGZXaQ2bGxSSz+ScQYUSWn9e0yuHKSJwh1Bie0xpF5uWOumL
-ABEBAAGJAjYEGAEKACAWIQS3wcFDYPNTo2hi5NUjHITN3MacRQUCYCmvuwIbDAAK
-CRAjHITN3MacRbZ7D/4jMZVeAHfg14edotUNO2JReCs2g5XjEVNL6S9lesYLmL6Y
-yFp709yC8DKOywnt1U/ZEkFI2R93GtF3YPgcVx/d2f+frjoc2JOKeKt++hR/hUgD
-WN0On2qLGL/+07t+w/Kffl3rvY4D0ALdxwGCOLpX1cDnxESicX5qnZsTQkElhMlm
-sRP1afIE8SN592k5FIdpeqKZ8c3n1BXmBcQVngKLWMK32fpYRvSij6RBORRvzPsX
-0/7uiOND7gquC2Vdv2KPELAx8ZE80iee6arIonQ+FNXCEzUk12LnefBVj3w4YRld
-aIo8VDqUAbIstfBo5LO0oZJ2wU8r+2nJWKHCioeMkJTlK389WWm9EqFu2rbgV8O7
-tjIM7ZAOnb8X5Ah1WdQU7YjXF5vaT79PH7ed8pg26L4AVq505uWthDM+uWzAnMKa
-YH85OS3C46qvae9CvYlTCZJpG90IB7wQj8cBr+6OUDztPr0vhProrAFa4GQhhlDE
-W0KIL4GaSw8Jh71MFNmbb7zGTpSJIwq6vARJOQOP+5Qaa0YeLdxIk9JDnHjUI5IR
-z7/JnSR5BNKeeRWsHvVwyvbJV71ZaJSpSgduTCKLL1gAeSnvqMdtNGwKOzw7ai2K
-gBbTphvuvWJanq3CH+CIHOxUmd14/lKz/zlNB+uXzHzImO/U5CIhGtNPPoZ1TZkC
-DQRUMGs2ARAAtNb/ePchWM8G59FJBJDNzB06w6lm6fnq4V6nVQ+cphv6V75qseSp
-cS9U2TLlhBbmqvRFZFvFpuYJZOA9eCGpSFSgEQDA8KoDaz58NBggJjSH/jpr5Ru4
-HbEkfd3gCyadb7ymaXhFWY9DNIENYuECCEfDzKrPto2mMnneB4UWM1GximTJ6/eD
-p28vBSAGKtAe/Vagb+TXzHNihCqy18Lg0o7WXdkxge6nixe7AnM8haIuV04/gYlX
-3cQs6GBGtUY6eYRpZVY/OcNg3XyhA/wVu1QnpeB/lk2RqkxUNXt5D6NSnapcAxfg
-otiRVOpsj8tC6R6zYZ+hbHUBjrkSoGD8nKJe1cyRyrXBjTA5FBRldg7IJY0Llko+
-UzTV+bphQiCDfeHi7x7VfW1z/fMigf+aa9iYWoC+pHVOzhNHP5roANOYBkE1CQ3i
-zbEaueGAvgi8jPXcTLx+8geN8jH1L4CnEkbdLB1KPIOWjmHRatEl0FK/Prf4h97e
-fycYagYpPBQYrtGiErEw1G728UEEHvy4X0fhVg2URcBzi9FRC2qX8NcIYrRhvsvh
-fX0CCX2ucsxIgvQFmGYx0WhQe6uiwLxdFfLz/qZE9ee30yut1ud5rdflTzLdi+99
-ovvwqsv+h88DnZzZzcnxHb5tiaI7PClzdtLwoZ31Bon7048bohYm/bEAEQEAAbQf
-UmljaGFyZCBMZXZpdHRlIDxsZXZpdHRlQGxwLnNlPokCOAQTAQIAIgUCVDBsHQIb
-AwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ1enkP3357oyrtA/+I2EEQMlh
-FOthzokCZEiDpjKIqN47HyRe1UJ736oLML5j16HJkHkPKXRht6P2M0l0QMnMMcrN
-XBTg2t959xNapQ5AM1ukKUa1dxAeVS2GNEQ9anIAQfU6EPk0NNIwjlhgpkMR+I3q
-gSlaVztYrSZdm5jmYc6jQHfI0N9Xzjn7sIY8r3O4Tnr9/1IuYJoWwKQ0wZu9XjJs
-tGgF9l2cLk084rIldDRMbQJvEYyAg3lw6sGmFT5ms9hj6niMSgPmu8W6BCXj6hGy
-/HKCklXm3yl7WKE0yGbO7cKlG0yOZEB3Mr7btnynubwE5G6gL41tdWlyaMi55cOR
-h3E/7T2pTLDzETf3y0C4RelsJWhDrxvo0MIGmjCC9S7fjPEOfTAp23ZgYcHrPsqX
-tvxHJxYbdjy78ez6XpB6ESaLLpQpeXvNbc8iLfX3ZbMSVSLtO0b9u2oLpg+zRTdJ
-AyQ1bPCSNsoz1sLiA8UwrTlrxAQ1zroz5RJaM2DROICQY/08OWljKG2OJwJOAvnW
-UObwsFev1xvO9dq/slzo1WHtlvLz2vUOw8XN8ORxw5fqdKepgwhKa9FQasZ+CuR5
-4zQw273do9Ouz7R/Gr4ckhkSFf9gLJA3iOoz6FAaH1s7AzsFpxo/0X2+eraEMrZY
-heVYKFf1DvTECtWImrMjz/vo+HWKc9uNsly0JVJpY2hhcmQgTGV2aXR0ZSA8bGV2
-aXR0ZUBvcGVuc3NsLm9yZz6JAjgEEwECACIFAlQwbAoCGwMGCwkIBwMCBhUIAgkK
-CwQWAgMBAh4BAheAAAoJENXp5D99+e6M1bAP/0byoJMiMsswapbBypQCT/vQmaoX
-jZzNcU4qAKlB5EMlHkxl1T8ytEXxmNMd/e0ltV9HALeBqX1eYHS7oTG3rMXKuYVY
-TO19eM2wLiCW664EUtOsB9zAnpp6X+8UWMoNEpWlEHgkdlADQ0xIrrH3pt29SAbd
-x0QsvwkWPawEoKMoUiGPnVY4hAt7Xx9gDmWEa2T6tExd9soBBTIuIpTH3MbAEHsv
-nBbdyarNltGF/pXYGMmGaYmU0WujqKzqpBpy3zwd0Rx1Kms5e0ZcypVzqx3Xgcue
-W8fbMPTZbG+Z922GUFDJ139WjAA2FsMJ9ES7XIIoJh/4nfBwk+PXcj29TieDnl2r
-d4x7Yxnqp4Vzau+IARz9Vr1OIFVlQbaSdXfmDFi/fvVf9CJZnWwcSwkqp4pk50Zy
-nEA+8TzEQj08jdj0+yrJNvbRxqbIafzSmoU77bANs4gc0WOdTTpvv4honUQROARp
-G/JT47hE7ATVGNdF7bmWNEyEYFtZMdGP0xD+K0xEgsir65aruVixVrNKxOX9wqx6
-JGzHTSTgtAVYAvMIsWJTLuCXZbMRmmmmubfyVaMAisz5UIYD+TCPncuJ1dMUW9WI
-uLNFGLTRGHri01EWe2epaHZWA0WB0cQZaeGpc7C986WskDi9SA9ZzCIGW4oQIBQX
-lRJjjYxIBCnjxtUWtCVSaWNoYXJkIExldml0dGUgPHJpY2hhcmRAbGV2aXR0ZS5v
-cmc+iQI7BBMBAgAlAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVDBtJgIZ
-AQAKCRDV6eQ/ffnujJjdD/wJqQfA2rAZ44fXwJQTPJBGdtzB1XRILj1l/CgTC+C+
-nlZVkZ+4XX6bzkvdC5eS03bVjwELPJQ2IeFfOoSGICyvbYrGcm8vuTU+HRJegl4B
-20Y3Q26dMSnxnORfY1sz2aRvGXQ8+mW73aKMv+E4VzUteh3LCUXJGp+qBYwjQFkj
-aVw2HC7QO/vZ3IpqwvwvpBmJcj1iRmGbtQtyPqC9/qlsIqgBvYaf83nbCLDT+6Nu
-MG9EoA9HU86YZjgD8E0Xxktgx4aWwB/T+jGT4hQURrAEUURX00RpMyPVtTOG7/Zf
-y/LOkk6Yw/PuNH/mlBPHMlHDY9cnMkRhQJ8H+THjtzKs746HKFMqGTXOLe/+q4er
-HHhY4DLfwxRWW4t5L8/XCQXGjek1lpLXePtVpi8cHBdJ98WgdOCgr102gWeX/x8+
-Q+DvB8mLEuhpVusiFIrgDr2r/Fos2kzG2JPNV31wbgSr+1cZNH0WH/fhye38lsiJ
-SDfRaq0ooqKQNyUfvID/LnhXMnJi55dg/X8mZ/7L/lAi6zEen8g/+RLc4M1tACfA
-QycOZ+3LZmelIbmrA2WTDwtrgfS1YaUPFt5gw8SaGmHuWxNqdHGvpsBB2UKW6Y5r
-U/9seaxhWWMQVDobhp//eMxGEqiyw4q5RSBFILnFyzi0B8hJfpBJAixJkm5+9VrD
-PLQlUmljaGFyZCBMZXZpdHRlIDxyaWNoYXJkQG9wZW5zc2wuY29tPokCOAQTAQIA
-IgUCVDuNgwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ1enkP3357oyz
-4Q/+J+yZefxSCijTyAyQwGJqv2d+rdZvptCL0i9MrmYdlkgg6Psbq2VlSz0CKz9e
-Dkb1iSc2U5kS1Fk8UDwxdM90uJJKKTMqk3h5fvraP+Hk0DxdEJKS3A11Ss0XuY80
-VE2AvMe5rSR3YCo5lqm4Kput0SYNj6YUUmxaqD5H6GdP5DXcxt25BC5aVvGKYQOI
-LkAZVNze6edijmr1Z8tN1AyzdY1RP0Jg+uNYOBO4jTcclzbNeYkYvPODsePhIwWT
-kBcoMe0ba1l1aJDkuAWuH6d8g55AHaoTdw7Yyhj7+6KjHCbiabgT+hdUZne3iT0u
-vpyHyWnNBJ4Q7tuZOZtuPJlAIL7V/D0fZ+jgd/RulBCpwaARaZg6VAiSnji8Bo75
-KQdOIAFXSG1iVV1ZGFVMl+otlUUIlRBJhLEzUWSq48lrR8gM30oNKBClE8Yo7VW5
-B2ZN90rgkgE6vvKijFwwyR4XKV/Pyt84FTjA00XsWOWaXuOyIi9PwmytzDfkpwX4
-Gc7MP0zWrCdGvwFMPhQxiKu9VDcrFS+3Sh3ikF950Ubx6e25aXQn9GzpQXODYuUZ
-P0GDAEdc1R4FxzqwDc04ptXVB3p7J5armBsd7HcLNnext6dFV+Snvg63mpeTa2kY
-TGJNISU4Dst+L3/s9VBno21YlZBILbNV9p0ZgSJyYWTksj+0L1JpY2hhcmQgTGV2
-aXR0ZSA8cmljaGFyZEBvcGVuc3NsZm91bmRhdGlvbi5jb20+iQI4BBMBAgAiBQJU
-MGv1AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDV6eQ/ffnujNypD/4s
-4N9nBz2Hw2Wlg1W81dVdRHMjDNYabEJuAt26NlGP9OjbS3rHJ/+pFMAJYQZ5/Y36
-m4aD86iV3P5GzcbVUXOSb2cYbpQY/lHYKAd8Isq2PLTNPnmDFgeE3o+PN9LOHOa1
-HpzNjq1Da6Wi1S+aRZtTO5OJucWjCJClFUAdD2gprPTQeMqZUiBHC/XNzOVBZv4q
-UGDC+qqdO6pJ3fzU2zTT1H2a3i2EIgK/5GcbI2UeJnAjGmpfK3EWVYc5BsF+/GkX
-rtMSHZD2jXyQL6zuzTAs+1N8p7cG15kYtY8ODwF72YwH4EWzr+7oNcT3FXW6+2G4
-S95osmFx/B+9pri77JTr22tggQBOMesGYuyBMd1TRvWpJTsdPTw2ctvbcj8eAITC
-z4/RpxkTlHDMwt/mbzj5rXmkI3QNTJkdjxAHZtTmSydS2+/BXBqFgV3VpiNFxTNP
-WMQAA9WDb1Yoz50tfd47U6nrCrbuew+DxKiz1LqR2WaYnPV/U9e73ko2yOgdVQou
-OhxxeDBG0Le6U7BojTCktov2FU2qdvRY/MfnE8QJldhW/AVj43S3nuVRsh/HcA2L
-TFyu3xOoUBWV91Z+0VyJ7+KJ6LqJXMqu2j78WD1ZxnYozUjA7R3Rce/L0rfZDMe+
-bPI8idCC6I7gKgewthv0nMm7UDWAVwCGbRWVi4j7hLQvUmljaGFyZCBMZXZpdHRl
-IDxyaWNoYXJkQG9wZW5zc2xmb3VuZGF0aW9uLm9yZz6JAjgEEwECACIFAlbPAe0C
-GwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJENXp5D99+e6M0mkP/3mgwmAw
-TgX1pC3JMF457JF0wEWmnIkm1yfLVI5xBH8X0i0J9y3IeyYWcGm5Kwj5PEpI00BM
-i4Xa4tJNK3rnusTFqcg98pmCYw6t7baujhj8IA+jVyZALD3rYBwQYa60Ax6QuULJ
-vBz/h1GFajah+2py6VS4JodBLD2MBWGIyoVmnTwsXBet+zNvugnb34uTsGM7I5Vz
-icUu6966lze9Lp7WkEF2GmHq+ZIE0B/ttP4uNhkCuxGZJtEFGk3GgwRUlfxWyyeJ
-x0os1yUjk4GEPkx9Yl/Aah03BUgLbRBFiGYm/DnUIq96sVNa31X4CcZyQSGmeat8
-oBkGM46Irn8xqItgO7oF2U3abPucHd6c81zM0TWyXztsK+VGiHQ23Dsn36ThZ1o4
-lqboHKQ8JFtGdukC4XmgOS+IKShxWPN6g4Mqs0xkXyqey8+Lrwwg0b51gDoZtVn0
-jxQwQk25NM36FUXDPNKNCYhFNSmB0WAZ8LKumeAd0eVgCantCdY4PR5WgRWbv3eQ
-62l+V6oH2VsT1xQgd13vTXxfz7HhleJClwvx/QHLjtKD1L1vUbF+GF/tc0/nwMPV
-7cJO2OnbV6iIjfRGxslI4t+rhYbj5JajGOszat2aPySso5MkF4WTfdn2jPeah8as
-1W8A+DAkqBGFltJBTD8VYqfu3F52MkCjShaiuQINBFQwazYBEADPNcBdaXTUwkG8
-1K9NRKsKGVZ1coVRxkOx2+VD2THTY45sBx9MGmQsmSpjU45kx/wO5KiTVj+bM+sc
-SzwNgERqLiyf/2hgOIDYaoyKSfAfIVCmm5pSa2Ad01RV9qT3i0eSSpa1Kpx8eAHK
-cVsDsWb2ZCd8/MI9778cCjrCbPI4o9zEVK+fjtmYKtdkHsEoMSVU6Jy86E908OLa
-JbOeo1a7bSKs4tU8zGWAX+ddY5Cb+w3cHQb4QheDWZHMel8ZcEgTah7huS6lUA4s
-eQnTKXHmkIZ+uNtB3gFMKso/6GoOGZnUTk8dPY3POLY1nbMQ/dEvMQpFxLCOBNQP
-0lhO4DGP0KuwLXzq2XAxrylX5tY0bNmZKLTjhi4CbKAtc/+iwMUkQQXJRw7Vlp9F
-p9ogOvzx/YlMaZQZZixg5uN2b4UD5cWliHn4Aq7DkTzQJe31m7sezA3cLnFR86ol
-2X77y79n0GRjGsMa+b+e9NRWNKs28JiCPF3ya31Kk+3+sjauCZQW3KYx31Il5bO3
-ulLHOtxhSkCUHx5sJ81NJIhZFr+7yAel/ECCiT9KbVbhddJBHsd7GNkwzb1Qivcq
-nYiBW9QzXkQ+xAKHfS7YM5ooYcg6G7jw89/W0xznnGiz5JTjMkj1s9cppQ8tdqiV
-4Uemvx/96Nr5F7n++UJZ7Oval9/zswARAQABiQIfBBgBAgAJBQJUMGs2AhsMAAoJ
-ENXp5D99+e6M69gP/2MzECejKPv0lN9vHTnqLHiP7BcqbivPNqT4V3yal/JfB9c8
-h2ylsuZSy4r9TKDTgv/KVm6b9kJVsjdzyqwerKwpZ6T8ohyDt+/5UAXKY7wH8vR1
-qZdtRQ8Z/UbsZ2vyDGMKutBIxOYfDcpzZ+e78nRd6k3E6pIbR1utS972wQHM/VTE
-msvUFZtX+qszOVm2y8adbHzY0FikqN/NZI7NVY+8gkwaybpd6knl9ArEQe1heVWD
-GpaTUxz0SKglqc0zHDtxOUkhiCcvgKsAGWbxYspRq0rLsek51RFSdO7NJ59co96u
-yIu2r/sGhpk3+/QdAMmb9CGeI+DVFhTZxobBtWxLphS5EJeyHfzOtZNMijrrB3cw
-3GWws3nMsMNcN1g/o+MLxpHwcuJkEai4so7rbDf3acUUZFCwEzBPkx/SeXjatAOb
-EUWmshIgNUw3AFnxdD7QOLJjctRsiGq6GwvsZ/ABDYuHnmGQW3w34fKEYRLCAkOq
-7NPfMImM/I7Wf6Tq7s24g+2Sg8vr4yrWKoIxp4qB0GpSQmayk1J0RKR9dNqYNQsO
-r9jnI4l7KlOS+2K4b9Y0CJbiCNOdVSCf0AVnubk+2IiTrDCzEBlr5Dmz1xGC5Xdl
-BeoSujB+HqZMFf8Nbjap5byHhBYB0ypkh738JQBeuJVIgwlHVhMV8mypBNjWmQIN
-BFQv6Z8BEACuJwJkw/Iniec6U1RzocYHBFKl1eE0WBu1vthYmcn0D/GJKvWMkRhx
-9GSlWMqj9mgSFUOsFWrpPIm3Jzh4bLweUjH5I7R0Frh39dDFh1hhwHEholByyUGF
-Tb8TppptXnzzDoNz4yUQcRP2oeG1vC/ePXPWHKgtp+0hmM3MQ3WIN+gSmpdt4vMI
-oWKKCq+E1tYcsFk9URBWWEwBw+OJ37o7TrernyxwtXwdPOjYhA4mLtnKHs+5Qivu
-OvK7gNf5hggyv6fp6d2ixvJZ9CdUYFdlOwaHA97B694RcAMxaMtzUpfkiJ/Q2zR8
-3QG4az6COKK38W6Kp7bLveMF6Rb4Y+gOjV4KvHKpzNAP2sNkmCIohlmoPhT9Ce9t
-Wq6oK+o1MEc1Ejb1/kn9CeCloKlF8HkzhFLpqqkZ//3j73/6kuK45UVg5PbO3GLc
-yTJW4enmTUFxy0d24Bfdgu7FpH1vHIisDkON3QO4TMwCJoLWGULqpJKP7kUf5HCn
-afDroN5wF9jMVxFhmDOOdXyIeYkBVF6swwIlyq8VlYSjYWGAUtIb3rOiUNWczYY6
-spdAN6VtKTMnXTm608yH118p+UOB5rJuKBqk3tMaiIjoyOcya4ImenX85rfKeCOV
-NtdOC/0N8McfO0eFc6fZxcy7ykZ1a7FLyqQDexpZM7OLoM5SXObX1QARAQABtCVP
-cGVuU1NMIE9NQyA8b3BlbnNzbC1vbWNAb3BlbnNzbC5vcmc+iQJUBBMBCgA+AhsD
-BQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78CkZ9YTy4PH7W0w2JTizos9efUF
-AmPX/O0FCRGJRs4ACgkQ2JTizos9efVwcw//SJ1HcktYXQu39rhGw+QPuVBVMMvY
-as8vLFy6xn1DLSQt1K/ggEaqR8OiwvaKhZQDIXUqSCDc7MC76WKmClJZUFsNG0ra
-lnnesLqJwu50JOHyYWloUzBMlTQu4KctRXBUGGWf68FcX7b1ehHrDiC/nDPU4NiC
-r3aybLhbZoXKxJqwFaz7jlZCAWzo8pVOYh27N4VteQ6jF4rurPcC5cUiballnBk+
-F6d0o1Mtl0c7FsBT63bJ2XI9YdQtaJ4JSKTbqu8kBeq6wZilHcuxQpV7MBIPh3uq
-lesy4WaOm0QGTtm/4OGjVzVToeQUvWaUHbORXox8d5Wuhs3zzP7MwtFiUdq/+kak
-f3Ys6z5YbCV94OSPn0ZzRpjq1Gu0vzq0d0JVshOab8rSk56NFLz7iEwOzBrUH98+
-J+FGzO22Mi5giFRJA0JfSmsdb7RGCyise7FS5iVEFaqPEZpo6LbUWevgeVFjgfnV
-77d2fpiSx7fdsujS5OIjl6t24DvXjD4JPhnS144LYHru0t9wTRPfOP9Afowy6oYB
-IytrKQOdLj1wVLQ5vgLvrNc33jyVX0MXWqCmNNIjpbbo0UurKhNT7W3m0x4A2pMZ
-6/TApc05kc+spgIJcaO9qIJNDiQjRC3XJCtBx3eYRixCgZUlRmEsdiffOaO1RP62
-ga+/2FC5uJNC1yW0L09wZW5TU0wgU2VjdXJpdHkgPG9wZW5zc2wtc2VjdXJpdHlA
-b3BlbnNzbC5vcmc+iQJVBBMBCgA/AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIX
-gBYhBO/ApGfWE8uDx+1tMNiU4s6LPXn1BQJiKerwBQkXYALFAAoJENiU4s6LPXn1
-m8gP/3MOYfZM6oxzT61slJ6nIUgPwQMRgH7/CFub01yiBqLv72xftnleKRnvHI2B
-K34hDCNlxKoFtzarQfCHtSabx2/yQEQ6V0QHjtJwM+vFGYr9LPgWBtXC9DCYMUps
-CxKNVyMcfjWEET2iD4ViHYHSZoTspRh0W2T31LtILF9ybxWGCb6km2WCceOycy4L
-7GkbWNOqDrfPYalTqfYHkuB7cHGYiKIatROBcvPk2Ee4jL+tpQQBtMTqCwsuFMzN
-6VWwoc3H5iy7R+GWwztpLL4Wn3nOpVHrcTCbr6gpaeKGA6fbnK3GRd6SQNH3khhe
-hFzpmKNyjIlWxt+Q6nyayPIL2ukD0xaPFkbE2e4VK5/wYqF8ezq65rZefviDwFO3
-P9CTxwlaK3cYpw/1w3XBVbNiCH+Yi/dePwmiPAF5njOB9JvZLmkvTdFCPPt4CAYT
-tfXD9VSQcPxFncI8B7VJX3epjgG8LlQIzxFkJnH9IyMaFEfbft4nmYz3XB7rOXff
-8R9oji3RB2EER0Yi5Shbbj4VoKsu1IKVkcnv+tvGreQvZuU3xkAZXUqDpFMz0Bhq
-Vd6VIh3iZUDwQGJdQALwCvPmNk/YkmV1LjF4jKd5aZQxM1yh41Gl11JIBbhrPy/G
-AfgQTQUhPxktO/JEK3Olrsu5ppxNtmhX+xtDf4Yp/vUHiFiatDRPcGVuU1NMIHNl
-Y3VyaXR5IHRlYW0gPG9wZW5zc2wtc2VjdXJpdHlAb3BlbnNzbC5vcmc+iQJUBBMB
-CgA+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78CkZ9YTy4PH7W0w2JTi
-zos9efUFAmPX/PkFCRGJRs4ACgkQ2JTizos9efWXgg/+Negna1HZIWs18LDktjV4
-9a3IeKhjJV+UrTvQnFpSNXbwpnKa6iVX9PlE+3nLkIrkz6HJuBl1MZElcmrqIsVC
-KHcrbcJSgZM4fV0AgEEm5gNfK19gbJjs1qdbtwTYccDiHwGl4EeTkPsOCo20QEC8
-jvkdHvMsvoD11c57NprQVVsOyuyz7B7LwV+6hZ2MAv6BZrNEXBjzqxHGKcq4iyOK
-TGwRAufiXdq2+kV7GVjihH41YjV08f/b7O2uAm4k/IbULtvY3Y/9rVvtU/Na044F
-QBGObH7/DbEOc8uFAH8Vy7M32rZmQet7pO8M5BrBMAaU2OAzZQ5CqauGvjTJ4GXi
-+pBoCVafPvsGkB1W6IxnPPJZsFw9kxOKSV1Md4jh90OdaIGeHW4qagRaLDtDRtkF
-nIkbtc38HC/e30ANoNS3Enws7XSNvQ+O7HfeSsATsM/2cjL8c281Nv9o+xaNI4TN
-3KsfRswcQtnsN2cCkPZWKgTJcjpdANkX9CK7mYNS8bu6YsAVnRF2iAB25Vjcz/92
-Dd28/nPI2CkKkOMhDtnFty8B2LZ2tbfoU1DsNzg+b3ejaXLZjhnZdL3b3F4iKpyz
-DhTpDHo4P/yxrtV8LOmHJN63oc1JljqgkU+RcxndSZ/LDHqtVH02VwVHMVt4no62
-mZj2UNT2+Ci5p+tze4Rhfl65Ag0EVC/pnwEQAMB3s+8dq5T8fW+b3OcGujEcbhyg
-uc6D5shlNWsuCV3W7+izsVUe+0hD1YwD30C6zj2+CJrMxPQ/BB3u3SbyHMDP5fKL
-7GQiA/n192hX2DuHxvQwnDNkHxYghtrFKOlXAyte2awA0fC+e0o8lHa1Yd2ZZNql
-DC23qJtLMJH8bX8CIr59KckNyv64bF+hVPIN3evnh1Ajn4A85848EZMQcjedg72M
-sA3TW2D4omayY7eXE5uut7FYcY6SM4pThIB2X9DM39Rgy3qC4ObvEkEfaWnJfHxy
-XiA8XF+FZukXc/iM68P0VS/sMml9QPsYMWnMHcGlOcuzQJRAalqZJwuK0ZIvobh/
-Y9rYLxrHtNCgSjaFuSN9K/YhpAxs80H6lVa7GCSASTRrS3OvmY++fTsUPzSOvit0
-kqQfimziYx7QcJIagG92mvUmuf2PEfzvSi6iaIqMhaTaJq5qxOR0q430KakQktNP
-X53HflWL7YenDPYw1rEyQFxGqjaBY1X8NtuzZ0P4cahgsBFc8HgYu2u3Ysd5wmvS
-TsOXld8Qsns1KIUOpzgWw56AJ6dxS3lK4QSUFwjzbZW9H0jJ49eBMAaA+hCjv8c/
-4BFuZq9Gvsafn425Lx1V/3PFJlPu55V+7qWjeOkSzNctMlmCqPQVetbZ/pHLAJO5
-IUO3SoTs5kl6bARzABEBAAGJAjwEGAEKACYCGwwWIQTvwKRn1hPLg8ftbTDYlOLO
-iz159QUCY9f9DQUJEYlG7gAKCRDYlOLOiz159f5RD/9Dhv5+muyWX9U4wNH7Dt7K
-HOtFyQ6+YrlLGj6WgZlFQD3sz1hVabJsHwFuiaIjnZmQwiUJm72jCMUncL3OsWrQ
-Xm6SU60aG20XeQl1oXWmSD9D/len23hOYo/3WsC3o1AIkLA9cJ3h/oo3I7RE30sk
-w4MwQ4oCFlmidmOLvkz3TD22qxf+WaK7KO0vJRVHQIVl1ZdsBSSULcr8BcupKXaK
-SBJQDya2TkEh6OUf1B/7EIk811oeNSaL9eJXS9VGDytVyjGGXSbudBw2XAV0/oiP
-PDKYElbOZH66d6marGwCCdc29cNono/7zf0+/hyunzY3m1PkYGyzUmfWq4WNulJ9
-GEAz0O1rss/4hxnGqn/m3gue+aQx4hji/K/vAV+531YT9MEp6m6e3074a7Hvn2l/
-tsBoL1Xseb6J9ZGL8fnZiuG6RF4sP1LzsQXmyjgr1yTlCShgNQCYXAgprWXPCwv1
-76kL0WxkGhcI+GmSe3kNWr3HYoeTfBQ/G8GWaIZ2qJRY/d/P9bgWu3oztWcVqEDo
-rK3Pbu5/VeIeEfIkc717EgvdZU4EB70vE/jnY1V9GLFzdPcygy7bz5aA4IA/Y12V
-FdhQ9/E7HFvEv0KUa294rQiH86lRyCJIaEUqeymypLjoU2oeR4Cujkne+5spQHBf
-n2/RWGqH28v+vqHysb/8GA==
-=BQaf
+mQINBGYT46cBEADnGgpkGwVTO5hu+sqoC3UWXM1nxr3v+tLveHQQlMA/MLDwK+TS
+1sMFSsOEE1ehAlhaEVCaiHSh+8PSqs8bvxrkbC8FXj6UkHvdZOoBgoDqEVUXawen
+UmW/3OEQtC/815ByacwHsbgabTY+bXQBAvKnDsKMIg04YlE1UVLnO6Rf0v/AvnlK
+400c0J/KOPOXP2+e5dYMxRN/8CMFA+Jo8m1N2/gDKb3y1Ga6Ug9Qg/7VmL+zp/9A
++JnVQFhVQgpt2hVGKcKteJvDJODRAmBG371E+KV+lnh0jvALUxGiC+h/XrHmm8Em
+7hQM7LLoVKGDPxYYUQKA6U6+//Q3J7JgrstLTxAZ6Xz3516o8gM4EeNXo/rXNqNw
+Ng4zKeYAU0klk0hDIf7JHluT/Xxy9ezgRK6V3RJEvvjA1RjpsTVe7uDw5GPEoRO/
+xXtcLghhPixbL6y1FOspZqx3BzroX6Ic4V03Ub61YL6Zx3Q3tTcaj+4QFGXVA3SN
+WL6is2XBdvZAiOgO/7lbRXGq/vFtvynYPLEx6LbZdKtdfADUCgD7If4gvif5yaL2
+isSfD3UmoXPdDDLGdga5/dhmg2658AigHw6t0fPWnxPx4EUc1tL2bb+dEG+soRoj
+s4QHHoAhEeVEKdeFfu7lE3i0omS/mp63IFUFI7AybnHYiZ2ujyc5sBBsnwARAQAB
+tB1PcGVuU1NMIDxvcGVuc3NsQG9wZW5zc2wub3JnPokCVAQTAQoAPhYhBLpUc6Kw
+WHsH+yfPLSFglN/Qy4HvBQJmE+OnAhsDBQkDwmcABQsJCAcCBhUKCQgLAgQWAgMB
+Ah4BAheAAAoJECFglN/Qy4HvXIcP/jCgVgZ7wMwMaDqbwBJOVKQ7sVzNvjy1xMr+
+XkXn1FHme1MlRl4Uw9Wzeh8TUckzx59+CAqe/pRRYhR9kL0S8WUhoa4VK61c47WS
+0wFWzOOuQ4JQO9v9zP6hsKubnQdA9ggq3rvkFrRDIV0DPU6iFxXs2/kYmuqHxIkO
+GgLx+aCWPx0XNAdJyov46EbQnIjJOdialeC2dIEdIU0Vk5N0jWYv6MKweAmXRVLM
+Jusz3yfNZ0FmydSo90aNQcQz4fp3vgF8qP7Z5BmMOSWOnXJawJd8+ic0RXRWdsMS
+oxyAEKH/98IUPZII8N8c5u8pAJ52m7LQRm8CKk4GzylStaV+Pe6PuNTVkx1sIE62
+Sv0RFbd2yJ5Wou5Z/1lRZvzjF5R3G+dobKZLym2HwNkJtFROODFqiPkcKYCSSd4c
+sqlOVh2X6/8VlJZ9Q4r7pAm/ulPnf/PSEo8l7kr/JS7Q09nlwNaa5l9nwvrt2z+u
++5dNZt5syyVgpNd4mPZMFb9TXqoFrhrZfLGZ2I3GQ7tLX2boHhBXNl32a1sb2Qsv
+9fbz++sFbYrfDhsjH5eEwBjW7o4Kkd/cTMJGufLczy3Cb+RyrjyBrSwfMQf0xHkp
+QKidfWOKv9j+yeEhGVCHaIPilYNVeZFRHzL1H9oIkda2BZamj7iYveVnnDBjgpN7
+k6YNfbUM
+=Hw5D
-----END PGP PUBLIC KEY BLOCK-----
diff -Nru openssl-3.0.14/doc/fingerprints.txt openssl-3.0.15/doc/fingerprints.txt
--- openssl-3.0.14/doc/fingerprints.txt 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/fingerprints.txt 2024-09-03 15:30:13.000000000 +0200
@@ -12,9 +12,6 @@
The following is the list of fingerprints for the keys that are
currently in use to sign OpenSSL distributions:
-OpenSSL OMC:
-EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5
-
OpenSSL:
BA54 73A2 B058 7B07 FB27 CF2D 2160 94DF D0CB 81EF
diff -Nru openssl-3.0.14/doc/HOWTO/certificates.txt openssl-3.0.15/doc/HOWTO/certificates.txt
--- openssl-3.0.14/doc/HOWTO/certificates.txt 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/HOWTO/certificates.txt 2024-09-03 15:30:13.000000000 +0200
@@ -89,7 +89,7 @@
Your key most definitely is if you have followed the examples above.
However, some (most?) certificate authorities will encode them with
things like PKCS7 or PKCS12, or something else. Depending on your
-applications, this may be perfectly OK, it all depends on what they
+applications, this may be perfectly OK. It all depends on what they
know how to decode. If not, there are a number of OpenSSL tools to
convert between some (most?) formats.
diff -Nru openssl-3.0.14/doc/man1/openssl-enc.pod.in openssl-3.0.15/doc/man1/openssl-enc.pod.in
--- openssl-3.0.14/doc/man1/openssl-enc.pod.in 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man1/openssl-enc.pod.in 2024-09-03 15:30:13.000000000 +0200
@@ -97,13 +97,19 @@
the data is base64 encoded after encryption. If decryption is set then
the input data is base64 decoded before being decrypted.
+When the B<-A> option not given,
+on encoding a newline is inserted after each 64 characters, and
+on decoding a newline is expected among the first 1024 bytes of input.
+
=item B<-base64>
Same as B<-a>
=item B<-A>
-If the B<-a> option is set then base64 process the data on one line.
+If the B<-a> option is set then base64 encoding produces output without any
+newline character, and base64 decoding does not require any newlines.
+Therefore it can be helpful to use the B<-A> option when decoding unknown input.
=item B<-k> I<password>
@@ -434,6 +440,9 @@
=head1 BUGS
The B<-A> option when used with large files doesn't work properly.
+On the other hand, when base64 decoding without the B<-A> option,
+if the first 1024 bytes of input do not include a newline character
+the first two lines of input are ignored.
The B<openssl enc> command only supports a fixed number of algorithms with
certain parameters. So if, for example, you want to use RC2 with a
@@ -449,7 +458,7 @@
=head1 COPYRIGHT
-Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man1/openssl-passphrase-options.pod openssl-3.0.15/doc/man1/openssl-passphrase-options.pod
--- openssl-3.0.14/doc/man1/openssl-passphrase-options.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man1/openssl-passphrase-options.pod 2024-09-03 15:30:13.000000000 +0200
@@ -46,26 +46,32 @@
=item B<file:>I<pathname>
-The first line of I<pathname> is the password. If the same I<pathname>
-argument is supplied to B<-passin> and B<-passout> arguments then the first
-line will be used for the input password and the next line for the output
-password. I<pathname> need not refer to a regular file: it could for example
-refer to a device or named pipe.
+Reads the password from the specified file I<pathname>, which can be a regular
+file, device, or named pipe. Only the first line, up to the newline character,
+is read from the stream.
+
+If the same I<pathname> argument is supplied to both B<-passin> and B<-passout>
+arguments, the first line will be used for the input password, and the next
+line will be used for the output password.
=item B<fd:>I<number>
-Read the password from the file descriptor I<number>. This can be used to
-send the data via a pipe for example.
+Reads the password from the file descriptor I<number>. This can be useful for
+sending data via a pipe, for example. The same line handling as described for
+B<file:> applies to passwords read from file descriptors.
+
+B<fd:> is not supported on Windows.
=item B<stdin>
-Read the password from standard input.
+Reads the password from standard input. The same line handling as described for
+B<file:> applies to passwords read from standard input.
=back
=head1 COPYRIGHT
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man1/openssl-s_client.pod.in openssl-3.0.15/doc/man1/openssl-s_client.pod.in
--- openssl-3.0.14/doc/man1/openssl-s_client.pod.in 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man1/openssl-s_client.pod.in 2024-09-03 15:30:13.000000000 +0200
@@ -616,7 +616,11 @@
=item B<-curves> I<curvelist>
Specifies the list of supported curves to be sent by the client. The curve is
-ultimately selected by the server. For a list of all curves, use:
+ultimately selected by the server.
+
+The list of all supported groups includes named EC parameters as well as X25519
+and X448 or FFDHE groups, and may also include groups implemented in 3rd-party
+providers. For a list of named EC parameters, use:
$ openssl ecparam -list_curves
@@ -910,7 +914,7 @@
=head1 COPYRIGHT
-Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man1/openssl-s_server.pod.in openssl-3.0.15/doc/man1/openssl-s_server.pod.in
--- openssl-3.0.14/doc/man1/openssl-s_server.pod.in 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man1/openssl-s_server.pod.in 2024-09-03 15:30:13.000000000 +0200
@@ -641,7 +641,10 @@
=item B<-named_curve> I<val>
Specifies the elliptic curve to use. NOTE: this is single curve, not a list.
-For a list of all possible curves, use:
+
+The list of all supported groups includes named EC parameters as well as X25519
+and X448 or FFDHE groups, and may also include groups implemented in 3rd-party
+providers. For a list of named EC parameters, use:
$ openssl ecparam -list_curves
@@ -930,7 +933,7 @@
=head1 COPYRIGHT
-Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man1/openssl-verification-options.pod openssl-3.0.15/doc/man1/openssl-verification-options.pod
--- openssl-3.0.14/doc/man1/openssl-verification-options.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man1/openssl-verification-options.pod 2024-09-03 15:30:13.000000000 +0200
@@ -430,7 +430,7 @@
=item B<-policy> I<arg>
Enable policy processing and add I<arg> to the user-initial-policy-set (see
-RFC5280). The policy I<arg> can be an object name an OID in numeric form.
+RFC5280). The policy I<arg> can be an object name or an OID in numeric form.
This argument can appear more than once.
=item B<-explicit_policy>
@@ -686,7 +686,7 @@
=head1 COPYRIGHT
-Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/ASN1_INTEGER_new.pod openssl-3.0.15/doc/man3/ASN1_INTEGER_new.pod
--- openssl-3.0.14/doc/man3/ASN1_INTEGER_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/ASN1_INTEGER_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -18,6 +18,7 @@
ASN1_INTEGER_new() returns an allocated B<ASN1_INTEGER> structure.
ASN1_INTEGER_free() frees up a single B<ASN1_INTEGER> object.
+If the argument is NULL, nothing is done.
B<ASN1_INTEGER> structure representing the ASN.1 INTEGER type
@@ -34,7 +35,7 @@
=head1 COPYRIGHT
-Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/ASYNC_WAIT_CTX_new.pod openssl-3.0.15/doc/man3/ASYNC_WAIT_CTX_new.pod
--- openssl-3.0.14/doc/man3/ASYNC_WAIT_CTX_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/ASYNC_WAIT_CTX_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -178,6 +178,9 @@
user code set a callback by calling ASYNC_WAIT_CTX_set_callback() previously,
then the registered callback will be called.
+ASYNC_WAIT_CTX_free() frees up a single B<ASYNC_WAIT_CTX> object.
+If the argument is NULL, nothing is done.
+
=head1 RETURN VALUES
ASYNC_WAIT_CTX_new() returns a pointer to the newly allocated B<ASYNC_WAIT_CTX>
@@ -216,7 +219,7 @@
=head1 COPYRIGHT
-Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/BIO_ADDRINFO.pod openssl-3.0.15/doc/man3/BIO_ADDRINFO.pod
--- openssl-3.0.14/doc/man3/BIO_ADDRINFO.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/BIO_ADDRINFO.pod 2024-09-03 15:30:13.000000000 +0200
@@ -78,7 +78,7 @@
from the given one.
BIO_ADDRINFO_free() frees the chain of B<BIO_ADDRINFO> starting
-with the given one.
+with the given one. If the argument is NULL, nothing is done.
=head1 RETURN VALUES
@@ -103,7 +103,7 @@
=head1 COPYRIGHT
-Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/BIO_ADDR.pod openssl-3.0.15/doc/man3/BIO_ADDR.pod
--- openssl-3.0.14/doc/man3/BIO_ADDR.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/BIO_ADDR.pod 2024-09-03 15:30:13.000000000 +0200
@@ -38,6 +38,7 @@
BIO_accept_ex().
BIO_ADDR_free() frees a B<BIO_ADDR> created with BIO_ADDR_new().
+If the argument is NULL, nothing is done.
BIO_ADDR_clear() clears any data held within the provided B<BIO_ADDR> and sets
it back to an uninitialised state.
@@ -115,7 +116,7 @@
=head1 COPYRIGHT
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/BIO_f_base64.pod openssl-3.0.15/doc/man3/BIO_f_base64.pod
--- openssl-3.0.14/doc/man3/BIO_f_base64.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/BIO_f_base64.pod 2024-09-03 15:30:13.000000000 +0200
@@ -21,25 +21,23 @@
Base64 BIOs do not support BIO_gets() or BIO_puts().
-For writing, output is by default divided to lines of length 64
-characters and there is always a newline at the end of output.
-
-For reading, first line should be at most 1024
-characters long. If it is longer then it is ignored completely.
-Other input lines can be of any length. There must be a newline
-at the end of input.
-
-This behavior can be changed with BIO_FLAGS_BASE64_NO_NL flag.
+For writing, by default output is divided to lines of length 64
+characters and there is a newline at the end of output.
+This behavior can be changed with B<BIO_FLAGS_BASE64_NO_NL> flag.
+
+For reading, first line should be at most 1024 bytes long including newline
+unless the flag B<BIO_FLAGS_BASE64_NO_NL> is set.
+Further input lines can be of any length (i.e., newlines may appear anywhere
+in the input) and a newline at the end of input is not needed.
BIO_flush() on a base64 BIO that is being written through is
used to signal that no more data is to be encoded: this is used
to flush the final block through the BIO.
-The flag BIO_FLAGS_BASE64_NO_NL can be set with BIO_set_flags().
+The flag B<BIO_FLAGS_BASE64_NO_NL> can be set with BIO_set_flags().
For writing, it causes all data to be written on one line without
newline at the end.
-For reading, it expects the data to be all on one line (with or
-without a trailing newline).
+For reading, it removes all expectations on newlines in the input data.
=head1 NOTES
@@ -85,6 +83,10 @@
=head1 BUGS
+On decoding, if the flag B<BIO_FLAGS_BASE64_NO_NL> is not set and
+the first 1024 bytes of input do not include a newline character
+the first two lines of input are ignored.
+
The ambiguity of EOF in base64 encoded data can cause additional
data following the base64 encoded block to be misinterpreted.
@@ -93,7 +95,7 @@
=head1 COPYRIGHT
-Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/BIO_meth_new.pod openssl-3.0.15/doc/man3/BIO_meth_new.pod
--- openssl-3.0.14/doc/man3/BIO_meth_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/BIO_meth_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -76,7 +76,7 @@
L<BIO_find_type(3)> page for more information.
BIO_meth_free() destroys a B<BIO_METHOD> structure and frees up any memory
-associated with it.
+associated with it. If the argument is NULL, nothing is done.
BIO_meth_get_write_ex() and BIO_meth_set_write_ex() get and set the function
used for writing arbitrary length data to the BIO respectively. This function
@@ -157,7 +157,7 @@
=head1 COPYRIGHT
-Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/BN_add.pod openssl-3.0.15/doc/man3/BN_add.pod
--- openssl-3.0.14/doc/man3/BN_add.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/BN_add.pod 2024-09-03 15:30:13.000000000 +0200
@@ -14,9 +14,9 @@
int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
- int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
+ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
- int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx);
+ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *a, const BIGNUM *d,
BN_CTX *ctx);
@@ -25,25 +25,25 @@
int BN_nnmod(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
- int BN_mod_add(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
+ int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
BN_CTX *ctx);
- int BN_mod_sub(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
+ int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
BN_CTX *ctx);
- int BN_mod_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
+ int BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
BN_CTX *ctx);
- int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+ int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
- BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
- int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
+ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
- int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+ int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx);
- int BN_gcd(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
+ int BN_gcd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
=head1 DESCRIPTION
@@ -135,7 +135,7 @@
=head1 COPYRIGHT
-Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/BN_generate_prime.pod openssl-3.0.15/doc/man3/BN_generate_prime.pod
--- openssl-3.0.14/doc/man3/BN_generate_prime.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/BN_generate_prime.pod 2024-09-03 15:30:13.000000000 +0200
@@ -167,7 +167,8 @@
for backwards compatibility purposes.
A B<BN_GENCB> structure should be created through a call to BN_GENCB_new(),
-and freed through a call to BN_GENCB_free().
+and freed through a call to BN_GENCB_free(). If the argument is NULL,
+nothing is done.
For "new" style callbacks a BN_GENCB structure should be initialised with a
call to BN_GENCB_set(), where B<gencb> is a B<BN_GENCB *>, B<callback> is of
@@ -245,7 +246,7 @@
=head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/BN_set_bit.pod openssl-3.0.15/doc/man3/BN_set_bit.pod
--- openssl-3.0.14/doc/man3/BN_set_bit.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/BN_set_bit.pod 2024-09-03 15:30:13.000000000 +0200
@@ -33,8 +33,11 @@
BN_is_bit_set() tests if bit B<n> in B<a> is set.
BN_mask_bits() truncates B<a> to an B<n> bit number
-(C<a&=~((~0)E<lt>E<lt>n)>). An error occurs if B<a> already is
-shorter than B<n> bits.
+(C<a&=~((~0)E<lt>E<lt>n)>). An error occurs if B<n> is negative. An error is
+also returned if the internal representation of B<a> is already shorter than
+B<n> bits. The internal representation depends on the platform's word size, and
+this error can be safely ignored. Use L<BN_num_bits(3)> to determine the exact
+number of bits if needed.
BN_lshift() shifts B<a> left by B<n> bits and places the result in
B<r> (C<r=a*2^n>). Note that B<n> must be nonnegative. BN_lshift1() shifts
@@ -59,7 +62,7 @@
=head1 COPYRIGHT
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/BUF_MEM_new.pod openssl-3.0.15/doc/man3/BUF_MEM_new.pod
--- openssl-3.0.14/doc/man3/BUF_MEM_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/BUF_MEM_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -34,6 +34,7 @@
BUF_MEM_free() frees up an already existing buffer. The data is zeroed
before freeing up in case the buffer contains sensitive data.
+If the argument is NULL, nothing is done.
BUF_MEM_grow() changes the size of an already existing buffer to
B<len>. Any data already in the buffer is preserved if it increases in
@@ -65,7 +66,7 @@
=head1 COPYRIGHT
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/CRYPTO_THREAD_run_once.pod openssl-3.0.15/doc/man3/CRYPTO_THREAD_run_once.pod
--- openssl-3.0.14/doc/man3/CRYPTO_THREAD_run_once.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/CRYPTO_THREAD_run_once.pod 2024-09-03 15:30:13.000000000 +0200
@@ -69,6 +69,7 @@
=item *
CRYPTO_THREAD_lock_free() frees the provided I<lock>.
+If the argument is NULL, nothing is done.
=item *
@@ -163,10 +164,13 @@
{
int ret = 0;
- if (mylock()) {
- /* Your code here, do not return without releasing the lock! */
- ret = ... ;
+ if (!mylock()) {
+ /* Do not unlock unless the lock was successfully acquired. */
+ return 0;
}
+
+ /* Your code here, do not return without releasing the lock! */
+ ret = ... ;
myunlock();
return ret;
}
@@ -183,7 +187,7 @@
=head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/CTLOG_new.pod openssl-3.0.15/doc/man3/CTLOG_new.pod
--- openssl-3.0.14/doc/man3/CTLOG_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/CTLOG_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -50,7 +50,7 @@
Regardless of whether CTLOG_new() or CTLOG_new_from_base64() is used, it is the
caller's responsibility to pass the CTLOG to CTLOG_free() once it is no longer
needed. This will delete it and, if created by CTLOG_new(), the EVP_PKEY that
-was passed to it.
+was passed to it. If the argument to CTLOG_free() is NULL, nothing is done.
CTLOG_get0_name() returns the name of the log, as provided when the CTLOG was
created. Ownership of the string remains with the CTLOG.
@@ -80,7 +80,7 @@
=head1 COPYRIGHT
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/CTLOG_STORE_new.pod openssl-3.0.15/doc/man3/CTLOG_STORE_new.pod
--- openssl-3.0.14/doc/man3/CTLOG_STORE_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/CTLOG_STORE_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -52,7 +52,7 @@
Once a CTLOG_STORE is no longer required, it should be passed to
CTLOG_STORE_free(). This will delete all of the CTLOGs stored within, along
-with the CTLOG_STORE itself.
+with the CTLOG_STORE itself. If the argument is NULL, nothing is done.
=head1 NOTES
@@ -78,7 +78,7 @@
=head1 COPYRIGHT
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/CT_POLICY_EVAL_CTX_new.pod openssl-3.0.15/doc/man3/CT_POLICY_EVAL_CTX_new.pod
--- openssl-3.0.14/doc/man3/CT_POLICY_EVAL_CTX_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/CT_POLICY_EVAL_CTX_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -105,7 +105,8 @@
Each setter has a matching getter for accessing the current value.
When no longer required, the B<CT_POLICY_EVAL_CTX> should be passed to
-CT_POLICY_EVAL_CTX_free() to delete it.
+CT_POLICY_EVAL_CTX_free() to delete it. If the argument to
+CT_POLICY_EVAL_CTX_free() is NULL, nothing is done.
=head1 NOTES
@@ -130,7 +131,7 @@
=head1 COPYRIGHT
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/d2i_X509.pod openssl-3.0.15/doc/man3/d2i_X509.pod
--- openssl-3.0.14/doc/man3/d2i_X509.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/d2i_X509.pod 2024-09-03 15:30:13.000000000 +0200
@@ -387,7 +387,9 @@
pointer to the B<I<TYPE>> structure is returned and I<*ppin> is incremented to
the byte following the parsed data. If I<a> is not NULL then a pointer
to the returned structure is also written to I<*a>. If an error occurred
-then NULL is returned.
+then NULL is returned. The caller retains ownership of the
+returned object and needs to free it when it is no longer needed, e.g.
+using X509_free() for X509 objects or DSA_SIG_free() for DSA_SIG objects.
On a successful return, if I<*a> is not NULL then it is assumed that I<*a>
contains a valid B<I<TYPE>> structure and an attempt is made to reuse it.
@@ -615,7 +617,7 @@
=head1 COPYRIGHT
-Copyright 1998-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 1998-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/DH_meth_new.pod openssl-3.0.15/doc/man3/DH_meth_new.pod
--- openssl-3.0.14/doc/man3/DH_meth_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/DH_meth_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -81,7 +81,7 @@
existing one, but with some differences.
DH_meth_free() destroys a B<DH_METHOD> structure and frees up any memory
-associated with it.
+associated with it. If the argument is NULL, nothing is done.
DH_meth_get0_name() will return a pointer to the name of this DH_METHOD. This
is a pointer to the internal name string and so should not be freed by the
@@ -166,7 +166,7 @@
=head1 COPYRIGHT
-Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/DSA_meth_new.pod openssl-3.0.15/doc/man3/DSA_meth_new.pod
--- openssl-3.0.14/doc/man3/DSA_meth_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/DSA_meth_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -110,7 +110,7 @@
existing one, but with some differences.
DSA_meth_free() destroys a B<DSA_METHOD> structure and frees up any memory
-associated with it.
+associated with it. If the argument is NULL, nothing is done.
DSA_meth_get0_name() will return a pointer to the name of this DSA_METHOD. This
is a pointer to the internal name string and so should not be freed by the
@@ -214,7 +214,7 @@
=head1 COPYRIGHT
-Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/DSA_SIG_new.pod openssl-3.0.15/doc/man3/DSA_SIG_new.pod
--- openssl-3.0.14/doc/man3/DSA_SIG_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/DSA_SIG_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -20,6 +20,7 @@
DSA_SIG_free() frees the B<DSA_SIG> structure and its components. The
values are erased before the memory is returned to the system.
+If the argument is NULL, nothing is done.
DSA_SIG_get0() returns internal pointers to the B<r> and B<s> values contained
in B<sig>.
@@ -48,7 +49,7 @@
=head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/ECDSA_SIG_new.pod openssl-3.0.15/doc/man3/ECDSA_SIG_new.pod
--- openssl-3.0.14/doc/man3/ECDSA_SIG_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/ECDSA_SIG_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -31,6 +31,7 @@
Note: before OpenSSL 1.1.0, the I<r> and I<s> components were initialised.
ECDSA_SIG_free() frees the B<ECDSA_SIG> structure I<sig>.
+If the argument is NULL, nothing is done.
ECDSA_SIG_get0() returns internal pointers the I<r> and I<s> values contained
in I<sig> and stores them in I<*pr> and I<*ps>, respectively.
@@ -136,7 +137,7 @@
=head1 COPYRIGHT
-Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/ENGINE_add.pod openssl-3.0.15/doc/man3/ENGINE_add.pod
--- openssl-3.0.14/doc/man3/ENGINE_add.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/ENGINE_add.pod 2024-09-03 15:30:13.000000000 +0200
@@ -227,7 +227,8 @@
ENGINE_get_next(), ENGINE_get_prev(). All structural references should be
released by a corresponding to call to the ENGINE_free() function - the
ENGINE object itself will only actually be cleaned up and deallocated when
-the last structural reference is released.
+the last structural reference is released. If the argument to ENGINE_free()
+is NULL, nothing is done.
It should also be noted that many ENGINE API function calls that accept a
structural reference will internally obtain another reference - typically
@@ -665,7 +666,7 @@
=head1 COPYRIGHT
-Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/EVP_ASYM_CIPHER_free.pod openssl-3.0.15/doc/man3/EVP_ASYM_CIPHER_free.pod
--- openssl-3.0.14/doc/man3/EVP_ASYM_CIPHER_free.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/EVP_ASYM_CIPHER_free.pod 2024-09-03 15:30:13.000000000 +0200
@@ -45,7 +45,7 @@
EVP_ASYM_CIPHER_free() decrements the reference count for the B<EVP_ASYM_CIPHER>
structure. Typically this structure will have been obtained from an earlier call
to EVP_ASYM_CIPHER_fetch(). If the reference count drops to 0 then the
-structure is freed.
+structure is freed. If the argument is NULL, nothing is done.
EVP_ASYM_CIPHER_up_ref() increments the reference count for an
B<EVP_ASYM_CIPHER> structure.
@@ -102,7 +102,7 @@
=head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/EVP_CIPHER_meth_new.pod openssl-3.0.15/doc/man3/EVP_CIPHER_meth_new.pod
--- openssl-3.0.14/doc/man3/EVP_CIPHER_meth_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/EVP_CIPHER_meth_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -80,6 +80,7 @@
EVP_CIPHER_meth_dup() creates a copy of B<cipher>.
EVP_CIPHER_meth_free() destroys a B<EVP_CIPHER> structure.
+If the argument is NULL, nothing is done.
EVP_CIPHER_meth_set_iv_length() sets the length of the IV.
This is only needed when the implemented cipher mode requires it.
@@ -249,7 +250,7 @@
=head1 COPYRIGHT
-Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/EVP_DigestInit.pod openssl-3.0.15/doc/man3/EVP_DigestInit.pod
--- openssl-3.0.14/doc/man3/EVP_DigestInit.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/EVP_DigestInit.pod 2024-09-03 15:30:13.000000000 +0200
@@ -157,6 +157,7 @@
Decrements the reference count for the fetched B<EVP_MD> structure.
If the reference count drops to 0 then the structure is freed.
+If the argument is NULL, nothing is done.
=item EVP_MD_CTX_new()
@@ -170,6 +171,7 @@
=item EVP_MD_CTX_free()
Cleans up digest context I<ctx> and frees up the space allocated to it.
+If the argument is NULL, nothing is done.
=item EVP_MD_CTX_ctrl()
@@ -529,9 +531,13 @@
This flag instructs the digest to optimize for one update only, if possible.
-=for comment EVP_MD_CTX_FLAG_CLEANED is internal, don't mention it
+=item EVP_MD_CTX_FLAG_CLEANED
-=for comment EVP_MD_CTX_FLAG_REUSE is internal, don't mention it
+This flag is for internal use only and I<must not> be used in user code.
+
+=item EVP_MD_CTX_FLAG_REUSE
+
+This flag is for internal use only and I<must not> be used in user code.
=for comment We currently avoid documenting flags that are only bit holder:
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW, EVP_MD_CTX_FLAGS_PAD_*
diff -Nru openssl-3.0.14/doc/man3/EVP_EncodeInit.pod openssl-3.0.15/doc/man3/EVP_EncodeInit.pod
--- openssl-3.0.14/doc/man3/EVP_EncodeInit.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/EVP_EncodeInit.pod 2024-09-03 15:30:13.000000000 +0200
@@ -41,7 +41,7 @@
the encode/decode functions.
EVP_ENCODE_CTX_free() cleans up an encode/decode context B<ctx> and frees up the
-space allocated to it.
+space allocated to it. If the argument is NULL, nothing is done.
Encoding of binary data is performed in blocks of 48 input bytes (or less for
the final block). For each 48 byte input block encoded 64 bytes of base 64 data
@@ -151,7 +151,7 @@
=head1 COPYRIGHT
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/EVP_EncryptInit.pod openssl-3.0.15/doc/man3/EVP_EncryptInit.pod
--- openssl-3.0.14/doc/man3/EVP_EncryptInit.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/EVP_EncryptInit.pod 2024-09-03 15:30:13.000000000 +0200
@@ -268,6 +268,7 @@
Decrements the reference count for the fetched B<EVP_CIPHER> structure.
If the reference count drops to 0 then the structure is freed.
+If the argument is NULL, nothing is done.
=item EVP_CIPHER_CTX_new()
@@ -276,9 +277,9 @@
=item EVP_CIPHER_CTX_free()
Clears all information from a cipher context and frees any allocated memory
-associated with it, including I<ctx> itself. This function should be called after
-all operations using a cipher are complete so sensitive information does not
-remain in memory.
+associated with it, including I<ctx> itself. This function should be called
+after all operations using a cipher are complete so sensitive information does
+not remain in memory. If the argument is NULL, nothing is done.
=item EVP_CIPHER_CTX_ctrl()
@@ -360,9 +361,13 @@
Encrypts I<inl> bytes from the buffer I<in> and writes the encrypted version to
I<out>. The pointers I<out> and I<in> may point to the same location, in which
-case the encryption will be done in-place. If I<out> and I<in> point to different
-locations, the two buffers must be disjoint, otherwise the operation might fail
-or the outcome might be undefined.
+case the encryption will be done in-place. However, in-place encryption is
+guaranteed to work only if the encryption context (I<ctx>) has processed data in
+multiples of the block size. If the context contains an incomplete data block
+from previous operations, in-place encryption will fail.
+
+If I<out> and I<in> point to different locations, the two buffers must be
+disjoint, otherwise the operation might fail or the outcome might be undefined.
This function can be called multiple times to encrypt successive blocks
of data. The amount of data written depends on the block alignment of the
@@ -1733,7 +1738,7 @@
=head1 COPYRIGHT
-Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/EVP_KEM_free.pod openssl-3.0.15/doc/man3/EVP_KEM_free.pod
--- openssl-3.0.14/doc/man3/EVP_KEM_free.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/EVP_KEM_free.pod 2024-09-03 15:30:13.000000000 +0200
@@ -41,6 +41,7 @@
EVP_KEM_free() decrements the reference count for the B<EVP_KEM> structure.
Typically this structure will have been obtained from an earlier call to
EVP_KEM_fetch(). If the reference count drops to 0 then the structure is freed.
+If the argument is NULL, nothing is done.
EVP_KEM_up_ref() increments the reference count for an B<EVP_KEM> structure.
@@ -95,7 +96,7 @@
=head1 COPYRIGHT
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/EVP_KEYEXCH_free.pod openssl-3.0.15/doc/man3/EVP_KEYEXCH_free.pod
--- openssl-3.0.14/doc/man3/EVP_KEYEXCH_free.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/EVP_KEYEXCH_free.pod 2024-09-03 15:30:13.000000000 +0200
@@ -41,7 +41,7 @@
EVP_KEYEXCH_free() decrements the reference count for the B<EVP_KEYEXCH>
structure. Typically this structure will have been obtained from an earlier call
to EVP_KEYEXCH_fetch(). If the reference count drops to 0 then the
-structure is freed.
+structure is freed. If the argument is NULL, nothing is done.
EVP_KEYEXCH_up_ref() increments the reference count for an B<EVP_KEYEXCH>
structure.
@@ -101,7 +101,7 @@
=head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/EVP_KEYMGMT.pod openssl-3.0.15/doc/man3/EVP_KEYMGMT.pod
--- openssl-3.0.14/doc/man3/EVP_KEYMGMT.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/EVP_KEYMGMT.pod 2024-09-03 15:30:13.000000000 +0200
@@ -62,6 +62,7 @@
EVP_KEYMGMT_free() decrements the reference count for the given
B<EVP_KEYMGMT> I<keymgmt>, and when the count reaches zero, frees it.
+If the argument is NULL, nothing is done.
EVP_KEYMGMT_get0_provider() returns the provider that has this particular
implementation.
@@ -140,7 +141,7 @@
=head1 COPYRIGHT
-Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/EVP_MD_meth_new.pod openssl-3.0.15/doc/man3/EVP_MD_meth_new.pod
--- openssl-3.0.14/doc/man3/EVP_MD_meth_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/EVP_MD_meth_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -74,6 +74,7 @@
EVP_MD_meth_free() decrements the reference count for the B<EVP_MD> structure.
If the reference count drops to 0 then the structure is freed.
+If the argument is NULL, nothing is done.
EVP_MD_meth_set_input_blocksize() sets the internal input block size
for the method B<md> to B<blocksize> bytes.
@@ -194,7 +195,7 @@
=head1 COPYRIGHT
-Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/EVP_PKEY_ASN1_METHOD.pod openssl-3.0.15/doc/man3/EVP_PKEY_ASN1_METHOD.pod
--- openssl-3.0.14/doc/man3/EVP_PKEY_ASN1_METHOD.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/EVP_PKEY_ASN1_METHOD.pod 2024-09-03 15:30:13.000000000 +0200
@@ -393,7 +393,7 @@
when initializing the application.
EVP_PKEY_asn1_free() frees an existing B<EVP_PKEY_ASN1_METHOD> pointed
-by B<ameth>.
+by B<ameth>. If the argument is NULL, nothing is done.
EVP_PKEY_asn1_add0() adds B<ameth> to the user defined stack of
methods unless another B<EVP_PKEY_ASN1_METHOD> with the same NID is
@@ -439,7 +439,7 @@
=head1 COPYRIGHT
-Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/EVP_PKEY_meth_new.pod openssl-3.0.15/doc/man3/EVP_PKEY_meth_new.pod
--- openssl-3.0.14/doc/man3/EVP_PKEY_meth_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/EVP_PKEY_meth_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -407,7 +407,7 @@
digest signing operation by calling L<EVP_DigestSignFinal(3)>.
EVP_PKEY_meth_free() frees an existing B<EVP_PKEY_METHOD> pointed by
-B<pmeth>.
+B<pmeth>. If the argument is NULL, nothing is done.
EVP_PKEY_meth_copy() copies an B<EVP_PKEY_METHOD> object from B<src>
to B<dst>.
@@ -456,7 +456,7 @@
=head1 COPYRIGHT
-Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/EVP_RAND.pod openssl-3.0.15/doc/man3/EVP_RAND.pod
--- openssl-3.0.14/doc/man3/EVP_RAND.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/EVP_RAND.pod 2024-09-03 15:30:13.000000000 +0200
@@ -284,7 +284,7 @@
Reads or set the number of elapsed seconds before reseeding the
associated RAND ctx.
-=item "max_request" (B<OSSL_DRBG_PARAM_RESEED_REQUESTS>) <unsigned integer>
+=item "max_request" (B<OSSL_RAND_PARAM_MAX_REQUEST>) <unsigned integer>
Specifies the maximum number of bytes that can be generated in a single
call to OSSL_FUNC_rand_generate.
@@ -406,7 +406,7 @@
=head1 COPYRIGHT
-Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/EVP_SIGNATURE.pod openssl-3.0.15/doc/man3/EVP_SIGNATURE.pod
--- openssl-3.0.14/doc/man3/EVP_SIGNATURE.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/EVP_SIGNATURE.pod 2024-09-03 15:30:13.000000000 +0200
@@ -49,7 +49,7 @@
EVP_SIGNATURE_free() decrements the reference count for the B<EVP_SIGNATURE>
structure. Typically this structure will have been obtained from an earlier call
to EVP_SIGNATURE_fetch(). If the reference count drops to 0 then the
-structure is freed.
+structure is freed. If the argument is NULL, nothing is done.
EVP_SIGNATURE_up_ref() increments the reference count for an B<EVP_SIGNATURE>
structure.
@@ -106,7 +106,7 @@
=head1 COPYRIGHT
-Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/HMAC.pod openssl-3.0.15/doc/man3/HMAC.pod
--- openssl-3.0.14/doc/man3/HMAC.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/HMAC.pod 2024-09-03 15:30:13.000000000 +0200
@@ -87,7 +87,7 @@
HMAC_CTX_free() erases the key and other data from the B<HMAC_CTX>,
releases any associated resources and finally frees the B<HMAC_CTX>
-itself.
+itself. If the argument is NULL, nothing is done.
The following functions may be used if the message is not completely
stored in memory:
@@ -163,7 +163,7 @@
=head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/MD5.pod openssl-3.0.15/doc/man3/MD5.pod
--- openssl-3.0.14/doc/man3/MD5.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/MD5.pod 2024-09-03 15:30:13.000000000 +0200
@@ -7,12 +7,12 @@
=head1 SYNOPSIS
- #include <openssl/md2.h>
-
The following functions have been deprecated since OpenSSL 3.0, and can be
hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
see L<openssl_user_macros(7)>:
+ #include <openssl/md2.h>
+
unsigned char *MD2(const unsigned char *d, unsigned long n, unsigned char *md);
int MD2_Init(MD2_CTX *c);
@@ -20,25 +20,24 @@
int MD2_Final(unsigned char *md, MD2_CTX *c);
- #include <openssl/md4.h>
-
The following functions have been deprecated since OpenSSL 3.0, and can be
hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
see L<openssl_user_macros(7)>:
+ #include <openssl/md4.h>
+
unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md);
int MD4_Init(MD4_CTX *c);
int MD4_Update(MD4_CTX *c, const void *data, unsigned long len);
int MD4_Final(unsigned char *md, MD4_CTX *c);
-
- #include <openssl/md5.h>
-
The following functions have been deprecated since OpenSSL 3.0, and can be
hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
see L<openssl_user_macros(7)>:
+ #include <openssl/md5.h>
+
unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md);
int MD5_Init(MD5_CTX *c);
@@ -105,7 +104,7 @@
=head1 COPYRIGHT
-Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/NCONF_new_ex.pod openssl-3.0.15/doc/man3/NCONF_new_ex.pod
--- openssl-3.0.14/doc/man3/NCONF_new_ex.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/NCONF_new_ex.pod 2024-09-03 15:30:13.000000000 +0200
@@ -35,7 +35,7 @@
NCONF_new() is similar to NCONF_new_ex() but sets the I<libctx> to NULL.
NCONF_free() frees the data associated with I<conf> and then frees the I<conf>
-object.
+object. If the argument is NULL, nothing is done.
NCONF_load() parses the file named I<filename> and adds the values found to
I<conf>. If an error occurs I<file> and I<eline> list the file and line that
@@ -74,7 +74,7 @@
=head1 COPYRIGHT
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OCSP_cert_to_id.pod openssl-3.0.15/doc/man3/OCSP_cert_to_id.pod
--- openssl-3.0.14/doc/man3/OCSP_cert_to_id.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OCSP_cert_to_id.pod 2024-09-03 15:30:13.000000000 +0200
@@ -38,6 +38,7 @@
B<serialNumber>.
OCSP_CERTID_free() frees up B<id>.
+If the argument is NULL, nothing is done.
OCSP_id_cmp() compares B<OCSP_CERTID> B<a> and B<b>.
@@ -79,7 +80,7 @@
=head1 COPYRIGHT
-Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OCSP_REQUEST_new.pod openssl-3.0.15/doc/man3/OCSP_REQUEST_new.pod
--- openssl-3.0.14/doc/man3/OCSP_REQUEST_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OCSP_REQUEST_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -29,6 +29,7 @@
OCSP_REQUEST_new() allocates and returns an empty B<OCSP_REQUEST> structure.
OCSP_REQUEST_free() frees up the request structure B<req>.
+If the argument is NULL, nothing is done.
OCSP_request_add0_id() adds certificate ID B<cid> to B<req>. It returns
the B<OCSP_ONEREQ> structure added so an application can add additional
@@ -108,7 +109,7 @@
=head1 COPYRIGHT
-Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OCSP_response_status.pod openssl-3.0.15/doc/man3/OCSP_response_status.pod
--- openssl-3.0.14/doc/man3/OCSP_response_status.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OCSP_response_status.pod 2024-09-03 15:30:13.000000000 +0200
@@ -46,6 +46,7 @@
I<status> and optionally including basic response I<bs>.
OCSP_RESPONSE_free() frees up OCSP response I<resp>.
+If the argument is NULL, nothing is done.
OCSP_RESPID_set_by_name() sets the name of the OCSP_RESPID to be the same as the
subject name in the supplied X509 certificate I<cert> for the OCSP responder.
@@ -123,7 +124,7 @@
=head1 COPYRIGHT
-Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OPENSSL_init_crypto.pod openssl-3.0.15/doc/man3/OPENSSL_init_crypto.pod
--- openssl-3.0.14/doc/man3/OPENSSL_init_crypto.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OPENSSL_init_crypto.pod 2024-09-03 15:30:13.000000000 +0200
@@ -249,6 +249,7 @@
the configuration file will cause an error return from B<OPENSSL_init_crypto>
or indirectly L<OPENSSL_init_ssl(3)>.
The object can be released with OPENSSL_INIT_free() when done.
+If the argument to OPENSSL_INIT_free() is NULL, nothing is done.
=head1 NOTES
@@ -289,7 +290,7 @@
=head1 COPYRIGHT
-Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OPENSSL_LH_COMPFUNC.pod openssl-3.0.15/doc/man3/OPENSSL_LH_COMPFUNC.pod
--- openssl-3.0.14/doc/man3/OPENSSL_LH_COMPFUNC.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OPENSSL_LH_COMPFUNC.pod 2024-09-03 15:30:13.000000000 +0200
@@ -123,7 +123,7 @@
B<lh_I<TYPE>_free>() frees the B<LHASH_OF>(B<I<TYPE>>) structure
I<table>. Allocated hash table entries will not be freed; consider
using B<lh_I<TYPE>_doall>() to deallocate any remaining entries in the
-hash table (see below).
+hash table (see below). If the argument is NULL, nothing is done.
B<lh_I<TYPE>_flush>() empties the B<LHASH_OF>(B<I<TYPE>>) structure I<table>. New
entries can be added to the flushed table. Allocated hash table entries
@@ -299,7 +299,7 @@
=head1 COPYRIGHT
-Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OPENSSL_malloc.pod openssl-3.0.15/doc/man3/OPENSSL_malloc.pod
--- openssl-3.0.14/doc/man3/OPENSSL_malloc.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OPENSSL_malloc.pod 2024-09-03 15:30:13.000000000 +0200
@@ -99,7 +99,8 @@
OPENSSL_clear_realloc() and OPENSSL_clear_free() should be used
when the buffer at B<addr> holds sensitive information.
The old buffer is filled with zero's by calling OPENSSL_cleanse()
-before ultimately calling OPENSSL_free().
+before ultimately calling OPENSSL_free(). If the argument to OPENSSL_free() is
+NULL, nothing is done.
OPENSSL_cleanse() fills B<ptr> of size B<len> with a string of 0's.
Use OPENSSL_cleanse() with care if the memory is a mapping of a file.
@@ -198,7 +199,7 @@
=head1 COPYRIGHT
-Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OPENSSL_secure_malloc.pod openssl-3.0.15/doc/man3/OPENSSL_secure_malloc.pod
--- openssl-3.0.14/doc/man3/OPENSSL_secure_malloc.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OPENSSL_secure_malloc.pod 2024-09-03 15:30:13.000000000 +0200
@@ -82,13 +82,15 @@
calling OPENSSL_free().
It exists for consistency with OPENSSL_secure_malloc() , and
is a macro that expands to CRYPTO_secure_free() and adds the C<__FILE__>
-and C<__LINE__> parameters..
+and C<__LINE__> parameters.. If the argument to OPENSSL_secure_free()
+is NULL, nothing is done.
OPENSSL_secure_clear_free() is similar to OPENSSL_secure_free() except
that it has an additional C<num> parameter which is used to clear
the memory if it was not allocated from the secure heap.
If CRYPTO_secure_malloc_init() is not called, this is equivalent to
-calling OPENSSL_clear_free().
+calling OPENSSL_clear_free(). If the argument to OPENSSL_secure_clear_free()
+is NULL, nothing is done.
OPENSSL_secure_actual_size() tells the actual size allocated to the
pointer; implementations may allocate more space than initially
@@ -133,7 +135,7 @@
=head1 COPYRIGHT
-Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OSSL_CMP_CTX_new.pod openssl-3.0.15/doc/man3/OSSL_CMP_CTX_new.pod
--- openssl-3.0.14/doc/man3/OSSL_CMP_CTX_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OSSL_CMP_CTX_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -176,6 +176,7 @@
and the proof-of-possession method is set to OSSL_CRMF_POPO_SIGNATURE.
OSSL_CMP_CTX_free() deallocates an OSSL_CMP_CTX structure.
+If the argument is NULL, nothing is done.
OSSL_CMP_CTX_reinit() prepares the given I<ctx> for a further transaction by
clearing the internal CMP transaction (aka session) status, PKIStatusInfo,
@@ -312,6 +313,11 @@
Allow retrieving a trust anchor from extraCerts and using that
to validate the certificate chain of an IP message.
+ This is a quirk option added to support 3GPP TS 33.310.
+
+ Note that using this option is dangerous as the certificate obtained
+ this way has not been authenticated (at least not at CMP level).
+ Taking it over as a trust anchor implements trust-on-first-use (TOFU).
=back
@@ -796,7 +802,7 @@
=head1 COPYRIGHT
-Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OSSL_CMP_SRV_CTX_new.pod openssl-3.0.15/doc/man3/OSSL_CMP_SRV_CTX_new.pod
--- openssl-3.0.14/doc/man3/OSSL_CMP_SRV_CTX_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OSSL_CMP_SRV_CTX_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -104,6 +104,7 @@
I<propq>, both of which may be NULL to select the defaults.
OSSL_CMP_SRV_CTX_free() deletes the given I<srv_ctx>.
+If the argument is NULL, nothing is done.
OSSL_CMP_SRV_CTX_init() sets in the given I<srv_ctx> a custom server context
pointer as well as callback functions performing the specific processing of CMP
@@ -158,7 +159,7 @@
=head1 COPYRIGHT
-Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OSSL_CMP_validate_msg.pod openssl-3.0.15/doc/man3/OSSL_CMP_validate_msg.pod
--- openssl-3.0.14/doc/man3/OSSL_CMP_validate_msg.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OSSL_CMP_validate_msg.pod 2024-09-03 15:30:13.000000000 +0200
@@ -40,11 +40,14 @@
If the option OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR was set by calling
L<OSSL_CMP_CTX_set_option(3)>, for an Initialization Response (IP) message
-any self-issued certificate from the I<msg> extraCerts field may also be used
-as trust anchor for the path verification of an acceptable cert if it can be
+any self-issued certificate from the I<msg> extraCerts field may be used
+as a trust anchor for the path verification of an 'acceptable' cert if it can be
used also to validate the issued certificate returned in the IP message. This is
according to TS 33.310 [Network Domain Security (NDS); Authentication Framework
(AF)] document specified by the The 3rd Generation Partnership Project (3GPP).
+Note that using this option is dangerous as the certificate obtained this way
+has not been authenticated (at least not at CMP level).
+Taking it over as a trust anchor implements trust-on-first-use (TOFU).
Any cert that has been found as described above is cached and tried first when
validating the signatures of subsequent messages in the same transaction.
@@ -74,7 +77,7 @@
=head1 COPYRIGHT
-Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod openssl-3.0.15/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod
--- openssl-3.0.14/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod 2024-09-03 15:30:13.000000000 +0200
@@ -82,7 +82,7 @@
through an internal L<OSSL_PASSPHRASE_CALLBACK(3)> function.
The internal L<OSSL_PASSPHRASE_CALLBACK(3)> function caches the pass phrase, to
-be re-used in all decodings that are performed in the same decoding run (for
+be reused in all decodings that are performed in the same decoding run (for
example, within one L<OSSL_DECODER_from_bio(3)> call).
=head2 Input Types
@@ -135,7 +135,7 @@
=head1 COPYRIGHT
-Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OSSL_DECODER_CTX.pod openssl-3.0.15/doc/man3/OSSL_DECODER_CTX.pod
--- openssl-3.0.14/doc/man3/OSSL_DECODER_CTX.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OSSL_DECODER_CTX.pod 2024-09-03 15:30:13.000000000 +0200
@@ -126,6 +126,7 @@
implementation doesn't recognise should be ignored by it.
OSSL_DECODER_CTX_free() frees the given context I<ctx>.
+If the argument is NULL, nothing is done.
OSSL_DECODER_CTX_add_decoder() populates the B<OSSL_DECODER_CTX> I<ctx> with
a decoder, to be used to attempt to decode some encoded input.
@@ -249,7 +250,7 @@
=head1 COPYRIGHT
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OSSL_DECODER.pod openssl-3.0.15/doc/man3/OSSL_DECODER.pod
--- openssl-3.0.14/doc/man3/OSSL_DECODER.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OSSL_DECODER.pod 2024-09-03 15:30:13.000000000 +0200
@@ -61,6 +61,7 @@
OSSL_DECODER_free() decrements the reference count for the given
I<decoder>, and when the count reaches zero, frees it.
+If the argument is NULL, nothing is done.
OSSL_DECODER_get0_provider() returns the provider of the given
I<decoder>.
@@ -180,7 +181,7 @@
=head1 COPYRIGHT
-Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OSSL_ENCODER_CTX.pod openssl-3.0.15/doc/man3/OSSL_ENCODER_CTX.pod
--- openssl-3.0.14/doc/man3/OSSL_ENCODER_CTX.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OSSL_ENCODER_CTX.pod 2024-09-03 15:30:13.000000000 +0200
@@ -102,6 +102,7 @@
implementation doesn't recognise should be ignored.
OSSL_ENCODER_CTX_free() frees the given context I<ctx>.
+If the argument is NULL, nothing is done.
OSSL_ENCODER_CTX_add_encoder() populates the B<OSSL_ENCODER_CTX>
I<ctx> with a encoder, to be used to encode an input object.
@@ -211,7 +212,7 @@
=head1 COPYRIGHT
-Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OSSL_ENCODER.pod openssl-3.0.15/doc/man3/OSSL_ENCODER.pod
--- openssl-3.0.14/doc/man3/OSSL_ENCODER.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OSSL_ENCODER.pod 2024-09-03 15:30:13.000000000 +0200
@@ -61,6 +61,7 @@
OSSL_ENCODER_free() decrements the reference count for the given
I<encoder>, and when the count reaches zero, frees it.
+If the argument is NULL, nothing is done.
OSSL_ENCODER_get0_provider() returns the provider of the given
I<encoder>.
@@ -134,7 +135,7 @@
=head1 COPYRIGHT
-Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OSSL_HTTP_REQ_CTX.pod openssl-3.0.15/doc/man3/OSSL_HTTP_REQ_CTX.pod
--- openssl-3.0.14/doc/man3/OSSL_HTTP_REQ_CTX.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OSSL_HTTP_REQ_CTX.pod 2024-09-03 15:30:13.000000000 +0200
@@ -71,6 +71,7 @@
OSSL_HTTP_REQ_CTX_free() frees up the HTTP request context I<rctx>.
The I<rbio> is not free'd, I<wbio> will be free'd if I<free_wbio> is set.
+If the argument is NULL, nothing is done.
OSSL_HTTP_REQ_CTX_set_request_line() adds the 1st HTTP request line to I<rctx>.
The HTTP method is determined by I<method_POST>,
@@ -260,7 +261,7 @@
=head1 COPYRIGHT
-Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OSSL_LIB_CTX.pod openssl-3.0.15/doc/man3/OSSL_LIB_CTX.pod
--- openssl-3.0.14/doc/man3/OSSL_LIB_CTX.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OSSL_LIB_CTX.pod 2024-09-03 15:30:13.000000000 +0200
@@ -88,7 +88,7 @@
from a configuration.
OSSL_LIB_CTX_free() frees the given I<ctx>, unless it happens to be the
-default OpenSSL library context.
+default OpenSSL library context. If the argument is NULL, nothing is done.
OSSL_LIB_CTX_get0_global_default() returns a concrete (non NULL) reference to
the global default library context.
@@ -126,7 +126,7 @@
=head1 COPYRIGHT
-Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OSSL_PARAM_BLD.pod openssl-3.0.15/doc/man3/OSSL_PARAM_BLD.pod
--- openssl-3.0.14/doc/man3/OSSL_PARAM_BLD.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OSSL_PARAM_BLD.pod 2024-09-03 15:30:13.000000000 +0200
@@ -53,6 +53,7 @@
Any existing values are cleared.
OSSL_PARAM_BLD_free() deallocates the memory allocates by OSSL_PARAM_BLD_new().
+If the argument is NULL, nothing is done.
OSSL_PARAM_BLD_to_param() converts a built up OSSL_PARAM_BLD structure
I<bld> into an allocated OSSL_PARAM array.
@@ -193,7 +194,7 @@
=head1 COPYRIGHT
-Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OSSL_PARAM_dup.pod openssl-3.0.15/doc/man3/OSSL_PARAM_dup.pod
--- openssl-3.0.14/doc/man3/OSSL_PARAM_dup.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OSSL_PARAM_dup.pod 2024-09-03 15:30:13.000000000 +0200
@@ -32,6 +32,7 @@
OSSL_PARAM_free() frees the parameter array I<params> that was created using
OSSL_PARAM_dup(), OSSL_PARAM_merge() or OSSL_PARAM_BLD_to_param().
+If the argument to OSSL_PARAM_free() is NULL, nothing is done.
=head1 RETURN VALUES
@@ -49,7 +50,7 @@
=head1 COPYRIGHT
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OSSL_SELF_TEST_new.pod openssl-3.0.15/doc/man3/OSSL_SELF_TEST_new.pod
--- openssl-3.0.14/doc/man3/OSSL_SELF_TEST_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OSSL_SELF_TEST_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -32,6 +32,7 @@
different phases.
OSSL_SELF_TEST_free() frees the space allocated by OSSL_SELF_TEST_new().
+If the argument is NULL, nothing is done.
OSSL_SELF_TEST_onbegin() may be inserted at the start of a block of self test
code. It can be used for diagnostic purposes.
@@ -165,7 +166,7 @@
=head1 COPYRIGHT
-Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OSSL_STORE_INFO.pod openssl-3.0.15/doc/man3/OSSL_STORE_INFO.pod
--- openssl-3.0.14/doc/man3/OSSL_STORE_INFO.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OSSL_STORE_INFO.pod 2024-09-03 15:30:13.000000000 +0200
@@ -101,6 +101,7 @@
OSSL_STORE_INFO_get_type()) matches the function, otherwise NULL.
OSSL_STORE_INFO_free() frees a B<OSSL_STORE_INFO> and its contained type.
+If the argument is NULL, nothing is done.
OSSL_STORE_INFO_new_NAME() , OSSL_STORE_INFO_new_PARAMS(),
, OSSL_STORE_INFO_new_PUBKEY(), OSSL_STORE_INFO_new_PKEY(),
@@ -221,7 +222,7 @@
=head1 COPYRIGHT
-Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OSSL_STORE_LOADER.pod openssl-3.0.15/doc/man3/OSSL_STORE_LOADER.pod
--- openssl-3.0.14/doc/man3/OSSL_STORE_LOADER.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OSSL_STORE_LOADER.pod 2024-09-03 15:30:13.000000000 +0200
@@ -105,7 +105,6 @@
typedef int (*OSSL_STORE_close_fn)(OSSL_STORE_LOADER_CTX *ctx);
int OSSL_STORE_LOADER_set_close(OSSL_STORE_LOADER *store_loader,
OSSL_STORE_close_fn store_close_function);
- void OSSL_STORE_LOADER_free(OSSL_STORE_LOADER *store_loader);
int OSSL_STORE_register_loader(OSSL_STORE_LOADER *loader);
OSSL_STORE_LOADER *OSSL_STORE_unregister_loader(const char *scheme);
@@ -126,6 +125,7 @@
OSSL_STORE_LOADER_free() decrements the reference count for the given
I<loader>, and when the count reaches zero, frees it.
+If the argument is NULL, nothing is done.
OSSL_STORE_LOADER_get0_provider() returns the provider of the given
I<loader>.
@@ -297,6 +297,7 @@
I<store_loader>.
OSSL_STORE_LOADER_free() frees the given I<store_loader>.
+If the argument is NULL, nothing is done.
OSSL_STORE_register_loader() register the given I<store_loader> and
thereby makes it available for use with OSSL_STORE_open(),
@@ -358,21 +359,25 @@
=head1 HISTORY
OSSL_STORE_LOADER_fetch(), OSSL_STORE_LOADER_up_ref(),
-OSSL_STORE_LOADER_free(), OSSL_STORE_LOADER_get0_provider(),
-OSSL_STORE_LOADER_get0_properties(), OSSL_STORE_LOADER_is_a(),
-OSSL_STORE_LOADER_do_all_provided() and
-OSSL_STORE_LOADER_names_do_all() were added in OpenSSL 3.0.
+OSSL_STORE_LOADER_get0_provider(), OSSL_STORE_LOADER_get0_properties(),
+OSSL_STORE_LOADER_get0_description(), OSSL_STORE_LOADER_is_a(),
+OSSL_STORE_LOADER_do_all_provided() and OSSL_STORE_LOADER_names_do_all()
+were added in OpenSSL 3.0.
-OSSL_STORE_open_ex_fn() was added in OpenSSL 3.0.
+B<OSSL_STORE_LOADER> and OSSL_STORE_LOADER_free() were added in OpenSSL
+1.1.1.
-B<OSSL_STORE_LOADER>, B<OSSL_STORE_LOADER_CTX>, OSSL_STORE_LOADER_new(),
+OSSL_STORE_LOADER_set_open_ex() and OSSL_STORE_open_ex_fn() were added in
+OpenSSL 3.0, and are deprecated.
+
+B<OSSL_STORE_LOADER_CTX>, OSSL_STORE_LOADER_new(),
OSSL_STORE_LOADER_set0_scheme(), OSSL_STORE_LOADER_get0_scheme(),
OSSL_STORE_LOADER_get0_engine(), OSSL_STORE_LOADER_set_expect(),
OSSL_STORE_LOADER_set_find(), OSSL_STORE_LOADER_set_attach(),
OSSL_STORE_LOADER_set_open_ex(), OSSL_STORE_LOADER_set_open(),
OSSL_STORE_LOADER_set_ctrl(),
OSSL_STORE_LOADER_set_load(), OSSL_STORE_LOADER_set_eof(),
-OSSL_STORE_LOADER_set_close(), OSSL_STORE_LOADER_free(),
+OSSL_STORE_LOADER_set_close(),
OSSL_STORE_register_loader(), OSSL_STORE_LOADER_set_error(),
OSSL_STORE_unregister_loader(), OSSL_STORE_open_fn(), OSSL_STORE_ctrl_fn(),
OSSL_STORE_load_fn(), OSSL_STORE_eof_fn() and OSSL_STORE_close_fn()
@@ -380,7 +385,7 @@
=head1 COPYRIGHT
-Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/OSSL_STORE_SEARCH.pod openssl-3.0.15/doc/man3/OSSL_STORE_SEARCH.pod
--- openssl-3.0.14/doc/man3/OSSL_STORE_SEARCH.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/OSSL_STORE_SEARCH.pod 2024-09-03 15:30:13.000000000 +0200
@@ -75,6 +75,7 @@
B<OSSL_STORE_SEARCH>.
OSSL_STORE_SEARCH_free() is used to free the B<OSSL_STORE_SEARCH>.
+If the argument is NULL, nothing is done.
=head2 Loader Functions
@@ -183,7 +184,7 @@
=head1 COPYRIGHT
-Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2018-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/PEM_read_bio_PrivateKey.pod openssl-3.0.15/doc/man3/PEM_read_bio_PrivateKey.pod
--- openssl-3.0.14/doc/man3/PEM_read_bio_PrivateKey.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/PEM_read_bio_PrivateKey.pod 2024-09-03 15:30:13.000000000 +0200
@@ -320,7 +320,9 @@
to I<*x>. If neither I<x> nor I<*x> is NULL then an attempt is made
to reuse the structure at I<*x> (but see BUGS and EXAMPLES sections).
Irrespective of the value of I<x> a pointer to the structure is always
-returned (or NULL if an error occurred).
+returned (or NULL if an error occurred). The caller retains ownership of the
+returned object and needs to free it when it is no longer needed, e.g.
+using X509_free() for X509 objects or EVP_PKEY_free() for EVP_PKEY objects.
The PEM functions which write private keys take an I<enc> parameter
which specifies the encryption algorithm to use, encryption is done
@@ -574,7 +576,7 @@
=head1 COPYRIGHT
-Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/RAND_set_DRBG_type.pod openssl-3.0.15/doc/man3/RAND_set_DRBG_type.pod
--- openssl-3.0.14/doc/man3/RAND_set_DRBG_type.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/RAND_set_DRBG_type.pod 2024-09-03 15:30:13.000000000 +0200
@@ -27,7 +27,7 @@
RAND_set_seed_source_type() specifies the seed source that will be used
within the library context I<ctx>. The seed source of name I<seed>
with properties I<propq> will be fetched and used to seed the primary
-random big generator.
+random bit generator.
=head1 RETURN VALUES
@@ -54,7 +54,7 @@
=head1 COPYRIGHT
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/RSA_meth_new.pod openssl-3.0.15/doc/man3/RSA_meth_new.pod
--- openssl-3.0.14/doc/man3/RSA_meth_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/RSA_meth_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -147,7 +147,7 @@
B<RSA_METHOD> based on an existing one, but with some differences.
RSA_meth_free() destroys an B<RSA_METHOD> structure and frees up any
-memory associated with it.
+memory associated with it. If the argument is NULL, nothing is done.
RSA_meth_get0_name() will return a pointer to the name of this
RSA_METHOD. This is a pointer to the internal name string and so
@@ -260,7 +260,7 @@
=head1 COPYRIGHT
-Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/SCT_new.pod openssl-3.0.15/doc/man3/SCT_new.pod
--- openssl-3.0.14/doc/man3/SCT_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/SCT_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -166,6 +166,12 @@
(TLS extension, X.509 certificate extension or OCSP response). This is not
required for verifying the SCT.
+SCT_free() frees the specified SCT.
+If the argument is NULL, nothing is done.
+
+SCT_LIST_free() frees the specified stack of SCTs.
+If the argument is NULL, nothing is done.
+
=head1 NOTES
Some of the setters return int, instead of void. These will all return 1 on
@@ -210,7 +216,7 @@
=head1 COPYRIGHT
-Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/SSL_CTX_set_alpn_select_cb.pod openssl-3.0.15/doc/man3/SSL_CTX_set_alpn_select_cb.pod
--- openssl-3.0.14/doc/man3/SSL_CTX_set_alpn_select_cb.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/SSL_CTX_set_alpn_select_cb.pod 2024-09-03 15:30:13.000000000 +0200
@@ -52,7 +52,8 @@
SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
set the list of protocols available to be negotiated. The B<protos> must be in
protocol-list format, described below. The length of B<protos> is specified in
-B<protos_len>.
+B<protos_len>. Setting B<protos_len> to 0 clears any existing list of ALPN
+protocols and no ALPN extension will be sent to the server.
SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
server to select which protocol to use for the incoming connection. When B<cb>
@@ -73,9 +74,16 @@
described below. The first item in the B<server>, B<server_len> list that
matches an item in the B<client>, B<client_len> list is selected, and returned
in B<out>, B<outlen>. The B<out> value will point into either B<server> or
-B<client>, so it should be copied immediately. If no match is found, the first
-item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
-function can also be used in the NPN callback.
+B<client>, so it should be copied immediately. The client list must include at
+least one valid (nonempty) protocol entry in the list.
+
+The SSL_select_next_proto() helper function can be useful from either the ALPN
+callback or the NPN callback (described below). If no match is found, the first
+item in B<client>, B<client_len> is returned in B<out>, B<outlen> and
+B<OPENSSL_NPN_NO_OVERLAP> is returned. This can be useful when implementing
+the NPN callback. In the ALPN case, the value returned in B<out> and B<outlen>
+must be ignored if B<OPENSSL_NPN_NO_OVERLAP> has been returned from
+SSL_select_next_proto().
SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
client needs to select a protocol from the server's provided list, and a
@@ -85,9 +93,10 @@
The length of the protocol name must be written into B<outlen>. The
server's advertised protocols are provided in B<in> and B<inlen>. The
callback can assume that B<in> is syntactically valid. The client must
-select a protocol. It is fatal to the connection if this callback returns
-a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
-set via SSL_CTX_set_next_proto_select_cb().
+select a protocol (although it may be an empty, zero length protocol). It is
+fatal to the connection if this callback returns a value other than
+B<SSL_TLSEXT_ERR_OK> or if the zero length protocol is selected. The B<arg>
+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
when a TLS server needs a list of supported protocols for Next Protocol
@@ -149,7 +158,8 @@
=item OPENSSL_NPN_NO_OVERLAP
No match was found. The first item in B<client>, B<client_len> is returned in
-B<out>, B<outlen>.
+B<out>, B<outlen> (or B<NULL> and 0 in the case where the first entry in
+B<client> is invalid).
=back
@@ -187,7 +197,7 @@
=head1 COPYRIGHT
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/SSL_CTX_set_cipher_list.pod openssl-3.0.15/doc/man3/SSL_CTX_set_cipher_list.pod
--- openssl-3.0.14/doc/man3/SSL_CTX_set_cipher_list.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/SSL_CTX_set_cipher_list.pod 2024-09-03 15:30:13.000000000 +0200
@@ -52,7 +52,7 @@
=back
-An empty list is permissible. The default value for the this setting is:
+An empty list is permissible. The default value for this setting is:
"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
@@ -119,7 +119,7 @@
=head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod openssl-3.0.15/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod
--- openssl-3.0.14/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod 2024-09-03 15:30:13.000000000 +0200
@@ -126,9 +126,9 @@
=head1 NOTES
-Session resumption shortcuts the TLS so that the client certificate
-negotiation don't occur. It makes up for this by storing client certificate
-an all other negotiated state information encrypted within the ticket. In a
+Session resumption shortcuts the TLS handshake so that the client certificate
+negotiation doesn't occur. It makes up for this by storing the client certificate
+and all other negotiated state information encrypted within the ticket. In a
resumed session the applications will have all this state information available
exactly as if a full negotiation had occurred.
@@ -241,7 +241,7 @@
=head1 COPYRIGHT
-Copyright 2014-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2014-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/TS_RESP_CTX_new.pod openssl-3.0.15/doc/man3/TS_RESP_CTX_new.pod
--- openssl-3.0.14/doc/man3/TS_RESP_CTX_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/TS_RESP_CTX_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -27,6 +27,7 @@
being used for any operations requiring algorithm fetches.
TS_RESP_CTX_free() frees the B<TS_RESP_CTX> object I<ctx>.
+If the argument is NULL, nothing is done.
=head1 RETURN VALUES
@@ -39,7 +40,7 @@
=head1 COPYRIGHT
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/X509_dup.pod openssl-3.0.15/doc/man3/X509_dup.pod
--- openssl-3.0.14/doc/man3/X509_dup.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/X509_dup.pod 2024-09-03 15:30:13.000000000 +0200
@@ -367,7 +367,7 @@
which re-builds the cached data.
B<I<TYPE>_free>() releases the object and all pointers and sub-objects
-within it.
+within it. If the argument is NULL, nothing is done.
B<I<TYPE>_print_ctx>() prints the object I<a> on the specified BIO I<out>.
Each line will be prefixed with I<indent> spaces.
diff -Nru openssl-3.0.14/doc/man3/X509_LOOKUP_meth_new.pod openssl-3.0.15/doc/man3/X509_LOOKUP_meth_new.pod
--- openssl-3.0.14/doc/man3/X509_LOOKUP_meth_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/X509_LOOKUP_meth_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -110,6 +110,7 @@
method.
X509_LOOKUP_meth_free() destroys a B<X509_LOOKUP_METHOD> structure.
+If the argument is NULL, nothing is done.
X509_LOOKUP_get_new_item() and X509_LOOKUP_set_new_item() get and set the
function that is called when an B<X509_LOOKUP> object is created with
@@ -186,7 +187,7 @@
=head1 COPYRIGHT
-Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2018-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/X509_LOOKUP.pod openssl-3.0.15/doc/man3/X509_LOOKUP.pod
--- openssl-3.0.14/doc/man3/X509_LOOKUP.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/X509_LOOKUP.pod 2024-09-03 15:30:13.000000000 +0200
@@ -85,6 +85,7 @@
the given B<X509_LOOKUP>.
X509_LOOKUP_free() destructs the given B<X509_LOOKUP>.
+If the argument is NULL, nothing is done.
X509_LOOKUP_set_method_data() and X509_LOOKUP_get_method_data()
associates and retrieves a pointer to application data to and from the
@@ -228,7 +229,7 @@
=head1 COPYRIGHT
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/X509_new.pod openssl-3.0.15/doc/man3/X509_new.pod
--- openssl-3.0.14/doc/man3/X509_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/X509_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -18,7 +18,7 @@
=head1 DESCRIPTION
-The X509 ASN1 allocation routines, allocate and free an
+The X509 ASN1 allocation routines allocate and free an
X509 structure, which represents an X509 certificate.
X509_new_ex() allocates and initializes a X509 structure with a
@@ -33,7 +33,8 @@
being used for any X509 operations requiring algorithm fetches.
X509_free() decrements the reference count of B<X509> structure B<a> and
-frees it up if the reference count is zero. If B<a> is NULL nothing is done.
+frees it up if the reference count is zero. If the argument is NULL,
+nothing is done.
X509_up_ref() increments the reference count of B<a>.
@@ -86,7 +87,7 @@
=head1 COPYRIGHT
-Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/X509_STORE_new.pod openssl-3.0.15/doc/man3/X509_STORE_new.pod
--- openssl-3.0.14/doc/man3/X509_STORE_new.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/X509_STORE_new.pod 2024-09-03 15:30:13.000000000 +0200
@@ -27,6 +27,7 @@
X509_STORE_unlock() unlocks it.
X509_STORE_free() frees up a single X509_STORE object.
+If the argument is NULL, nothing is done.
=head1 RETURN VALUES
@@ -49,7 +50,7 @@
=head1 COPYRIGHT
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man3/X509V3_get_d2i.pod openssl-3.0.15/doc/man3/X509V3_get_d2i.pod
--- openssl-3.0.14/doc/man3/X509V3_get_d2i.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man3/X509V3_get_d2i.pod 2024-09-03 15:30:13.000000000 +0200
@@ -108,6 +108,7 @@
will return NULL if the extension is not
found, occurs multiple times or cannot be decoded. It is possible to
determine the precise reason by checking the value of I<*crit>.
+The returned pointer must be explicitly freed.
The function X509V3_add1_i2d() and its variants allocate B<X509_EXTENSION>
objects on STACK I<*x> depending on I<flags>. The B<X509_EXTENSION> objects
@@ -236,7 +237,7 @@
=head1 COPYRIGHT
-Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man7/EVP_KEYEXCH-DH.pod openssl-3.0.15/doc/man7/EVP_KEYEXCH-DH.pod
--- openssl-3.0.14/doc/man7/EVP_KEYEXCH-DH.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man7/EVP_KEYEXCH-DH.pod 2024-09-03 15:30:13.000000000 +0200
@@ -7,9 +7,14 @@
=head1 DESCRIPTION
-Key exchange support for the B<DH> key type.
+Key exchange support for the B<DH> and B<DHX> key types.
-=head2 DH key exchange parameters
+Please note that although both key types support the same key exchange
+operations, they cannot be used together in a single key exchange. It
+is not possible to use a private key of the B<DH> type in key exchange
+with the public key of B<DHX> type and vice versa.
+
+=head2 DH and DHX key exchange parameters
=over 4
@@ -122,7 +127,7 @@
=head1 COPYRIGHT
-Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man7/EVP_PKEY-DH.pod openssl-3.0.15/doc/man7/EVP_PKEY-DH.pod
--- openssl-3.0.14/doc/man7/EVP_PKEY-DH.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man7/EVP_PKEY-DH.pod 2024-09-03 15:30:13.000000000 +0200
@@ -7,11 +7,12 @@
=head1 DESCRIPTION
-For B<DH> FFC key agreement, two classes of domain parameters can be used:
-"safe" domain parameters that are associated with approved named safe-prime
-groups, and a class of "FIPS186-type" domain parameters. FIPS186-type domain
-parameters should only be used for backward compatibility with existing
-applications that cannot be upgraded to use the approved safe-prime groups.
+For finite field Diffie-Hellman key agreement, two classes of domain
+parameters can be used: "safe" domain parameters that are associated with
+approved named safe-prime groups, and a class of "FIPS186-type" domain
+parameters. FIPS186-type domain parameters should only be used for backward
+compatibility with existing applications that cannot be upgraded to use the
+approved safe-prime groups.
See L<EVP_PKEY-FFC(7)> for more information about FFC keys.
@@ -20,11 +21,11 @@
The B<DHX> key type uses X9.42 format which saves the value of I<q> and this
must be used for FIPS186-4. If key validation is required, users should be aware
of the nuances associated with FIPS186-4 style parameters as discussed in
-L</DH key validation>.
+L</DH and DHX key validation>.
=head2 DH and DHX domain parameters
-In addition to the common FCC parameters that all FFC keytypes should support
+In addition to the common FFC parameters that all FFC keytypes should support
(see L<EVP_PKEY-FFC(7)/FFC parameters>) the B<DHX> and B<DH> keytype
implementations support the following:
@@ -129,43 +130,44 @@
=back
-=head2 DH key validation
+=head2 DH and DHX key validation
-For B<DHX> that is not a named group the FIPS186-4 standard specifies that the
+For keys that are not a named group the FIPS186-4 standard specifies that the
values used for FFC parameter generation are also required for parameter
validation. This means that optional FFC domain parameter values for
I<seed>, I<pcounter> and I<gindex> or I<hindex> may need to be stored for
validation purposes.
For B<DHX> the I<seed> and I<pcounter> can be stored in ASN1 data
(but the I<gindex> or I<hindex> cannot be stored). It is recommended to use a
-named safe prime group instead.
+B<DH> parameters with named safe prime group instead.
-For DH keys, L<EVP_PKEY_param_check(3)> behaves in the following way:
-The OpenSSL FIPS provider tests if the parameters are either an approved safe
-prime group OR that the FFC parameters conform to FIPS186-4 as defined in
-SP800-56Ar3 I<Assurances of Domain-Parameter Validity>.
-The OpenSSL default provider uses simpler checks that allows there to be no I<q>
-value for backwards compatibility.
-
-For DH keys, L<EVP_PKEY_param_check_quick(3)> is equivalent to
-L<EVP_PKEY_param_check(3)>.
+With the OpenSSL FIPS provider, L<EVP_PKEY_param_check(3)> and
+L<EVP_PKEY_param_check_quick(3)> behave in the following way: the parameters
+are tested if they are either an approved safe prime group OR that the FFC
+parameters conform to FIPS186-4 as defined in SP800-56Ar3 I<Assurances of
+Domain-Parameter Validity>.
-For DH keys, L<EVP_PKEY_public_check(3)> conforms to
-SP800-56Ar3 I<FFC Full Public-Key Validation>.
-
-For DH keys, L<EVP_PKEY_public_check_quick(3)> conforms to
-SP800-56Ar3 I<FFC Partial Public-Key Validation> when the
-DH key is an approved named safe prime group, otherwise it is the same as
-L<EVP_PKEY_public_check(3)>.
-
-For DH Keys, L<EVP_PKEY_private_check(3)> tests that the private key is in the
-correct range according to SP800-56Ar3. The OpenSSL FIPS provider requires the
-value of I<q> to be set (note that this is set for named safe prime groups).
+The OpenSSL default provider uses simpler checks that allows there to be no I<q>
+value for backwards compatibility, however the L<EVP_PKEY_param_check(3)> will
+test the I<p> value for being a prime (and a safe prime if I<q> is missing)
+which can take significant time. The L<EVP_PKEY_param_check_quick(3)> avoids
+the prime tests.
+
+L<EVP_PKEY_public_check(3)> conforms to SP800-56Ar3
+I<FFC Full Public-Key Validation>.
+
+L<EVP_PKEY_public_check_quick(3)> conforms to SP800-56Ar3
+I<FFC Partial Public-Key Validation> when the key is an approved named safe
+prime group, otherwise it is the same as L<EVP_PKEY_public_check(3)>.
+
+L<EVP_PKEY_private_check(3)> tests that the private key is in the correct range
+according to SP800-56Ar3. The OpenSSL FIPS provider requires the value of I<q>
+to be set (note that this is implicitly set for named safe prime groups).
For backwards compatibility the OpenSSL default provider only requires I<p> to
be set.
-For DH keys, L<EVP_PKEY_pairwise_check(3)> conforms to
-SP800-56Ar3 I<Owner Assurance of Pair-wise Consistency>.
+L<EVP_PKEY_pairwise_check(3)> conforms to SP800-56Ar3
+I<Owner Assurance of Pair-wise Consistency>.
=head1 EXAMPLES
@@ -327,7 +329,7 @@
=head1 COPYRIGHT
-Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/doc/man7/ossl_store.pod openssl-3.0.15/doc/man7/ossl_store.pod
--- openssl-3.0.14/doc/man7/ossl_store.pod 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/doc/man7/ossl_store.pod 2024-09-03 15:30:13.000000000 +0200
@@ -44,7 +44,11 @@
=head2 A generic call
- OSSL_STORE_CTX *ctx = OSSL_STORE_open("file:/foo/bar/data.pem");
+ #include <openssl/ui.h> /* for UI_get_default_method */
+ #include <openssl/store.h>
+
+ OSSL_STORE_CTX *ctx = OSSL_STORE_open("file:/foo/bar/data.pem",
+ UI_get_default_method(), NULL, NULL, NULL);
/*
* OSSL_STORE_eof() simulates file semantics for any repository to signal
@@ -65,6 +69,7 @@
PEM_write_X509(stdout, OSSL_STORE_INFO_get0_CERT(info));
break;
}
+ OSSL_STORE_INFO_free(info);
}
OSSL_STORE_close(ctx);
@@ -77,7 +82,7 @@
=head1 COPYRIGHT
-Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-3.0.14/fuzz/bignum.c openssl-3.0.15/fuzz/bignum.c
--- openssl-3.0.14/fuzz/bignum.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/fuzz/bignum.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -52,11 +52,12 @@
*/
if (len > 2) {
len -= 3;
- l1 = (buf[0] * len) / 255;
+ /* limit l1, l2, and l3 to be no more than 512 bytes */
+ l1 = ((buf[0] * len) / 255) % 512;
++buf;
- l2 = (buf[0] * (len - l1)) / 255;
+ l2 = ((buf[0] * (len - l1)) / 255) % 512;
++buf;
- l3 = len - l1 - l2;
+ l3 = (len - l1 - l2) % 512;
s1 = buf[0] & 1;
s3 = buf[0] & 4;
diff -Nru openssl-3.0.14/include/crypto/aes_platform.h openssl-3.0.15/include/crypto/aes_platform.h
--- openssl-3.0.14/include/crypto/aes_platform.h 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/include/crypto/aes_platform.h 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -65,6 +65,7 @@
# ifdef VPAES_ASM
# define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC)
# endif
+# if !defined(OPENSSL_SYS_MACOSX)
# define HWAES_CAPABLE (OPENSSL_ppccap_P & PPC_CRYPTO207)
# define HWAES_set_encrypt_key aes_p8_set_encrypt_key
# define HWAES_set_decrypt_key aes_p8_set_decrypt_key
@@ -74,6 +75,7 @@
# define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
# define HWAES_xts_encrypt aes_p8_xts_encrypt
# define HWAES_xts_decrypt aes_p8_xts_decrypt
+# endif /* OPENSSL_SYS_MACOSX */
# endif /* PPC */
# if (defined(__arm__) || defined(__arm) || defined(__aarch64__))
diff -Nru openssl-3.0.14/include/crypto/bn.h openssl-3.0.15/include/crypto/bn.h
--- openssl-3.0.14/include/crypto/bn.h 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/include/crypto/bn.h 2024-09-03 15:30:13.000000000 +0200
@@ -88,7 +88,7 @@
int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
const BIGNUM *d, BN_CTX *ctx);
int ossl_bn_mask_bits_fixed_top(BIGNUM *a, int n);
-int ossl_bn_is_word_fixed_top(const BIGNUM *a, BN_ULONG w);
+int ossl_bn_is_word_fixed_top(const BIGNUM *a, const BN_ULONG w);
int ossl_bn_priv_rand_range_fixed_top(BIGNUM *r, const BIGNUM *range,
unsigned int strength, BN_CTX *ctx);
int ossl_bn_gen_dsa_nonce_fixed_top(BIGNUM *out, const BIGNUM *range,
diff -Nru openssl-3.0.14/include/openssl/tls1.h openssl-3.0.15/include/openssl/tls1.h
--- openssl-3.0.14/include/openssl/tls1.h 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/include/openssl/tls1.h 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@@ -210,6 +210,8 @@
# define TLSEXT_max_fragment_length_1024 2
# define TLSEXT_max_fragment_length_2048 3
# define TLSEXT_max_fragment_length_4096 4
+/* OpenSSL value for unset maximum fragment length extension */
+# define TLSEXT_max_fragment_length_UNSPECIFIED 255
int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode);
int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode);
diff -Nru openssl-3.0.14/INSTALL.md openssl-3.0.15/INSTALL.md
--- openssl-3.0.14/INSTALL.md 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/INSTALL.md 2024-09-03 15:30:13.000000000 +0200
@@ -1164,7 +1164,7 @@
### Automatic Configuration
In previous version, the `config` script determined the platform type and
-compiler and then called `Configure`. Starting with this release, they are
+compiler and then called `Configure`. Starting with version 3.0, they are
the same.
#### Unix / Linux / macOS
@@ -1618,7 +1618,7 @@
### Configuration Errors
-If the `./Configure` or `./Configure` command fails with an error message,
+If the `./config` or `./Configure` command fails with an error message,
read the error message carefully and try to figure out whether you made
a mistake (e.g., by providing a wrong option), or whether the script is
working incorrectly. If you think you encountered a bug, please
diff -Nru openssl-3.0.14/NEWS.md openssl-3.0.15/NEWS.md
--- openssl-3.0.14/NEWS.md 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/NEWS.md 2024-09-03 15:30:13.000000000 +0200
@@ -18,6 +18,19 @@
OpenSSL 3.0
-----------
+### Major changes between OpenSSL 3.0.14 and OpenSSL 3.0.15 [3 Sep 2024]
+
+OpenSSL 3.0.15 is a security patch release. The most severe CVE fixed in this
+release is Moderate.
+
+This release incorporates the following bug fixes and mitigations:
+
+ * Fixed possible denial of service in X.509 name checks
+ ([CVE-2024-6119])
+
+ * Fixed possible buffer overread in SSL_select_next_proto()
+ ([CVE-2024-5535])
+
### Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [4 Jun 2024]
* Fixed potential use after free after SSL_free_buffers() is called
@@ -1482,6 +1495,8 @@
<!-- Links -->
+[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
+[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
diff -Nru openssl-3.0.14/providers/fips.checksum openssl-3.0.15/providers/fips.checksum
--- openssl-3.0.14/providers/fips.checksum 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/providers/fips.checksum 2024-09-03 15:30:13.000000000 +0200
@@ -1 +1 @@
-4e1960f3d68410e8daf1893c9133ba9840912974ec65f885054c46b6bbeff5cd providers/fips-sources.checksums
+101807560af8f62c064ad796dfa1e4c269d45aaf5303b47ad0b25fdd6cc92466 providers/fips-sources.checksums
diff -Nru openssl-3.0.14/providers/fips-sources.checksums openssl-3.0.15/providers/fips-sources.checksums
--- openssl-3.0.14/providers/fips-sources.checksums 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/providers/fips-sources.checksums 2024-09-03 15:30:13.000000000 +0200
@@ -19,7 +19,7 @@
ce91f0893a2a35fdf4c024ccb0fd8329b30fdbd955f0ae011ab948101ee14951 crypto/aes/asm/aesni-sha256-x86_64.pl
4ff74d4e629a88ef5a9e3d3f5b340fc0a4793d16d7cc7f1b70da62512a856248 crypto/aes/asm/aesni-x86.pl
30103cfe3b29d06b34feff48a927e0fa649e9109d35a3db64b09cfeb15426fa2 crypto/aes/asm/aesni-x86_64.pl
-67c73dbf78b5f3c8a436800dc43bf122cd1f0c4fefab357359edaae4fbb27e8e crypto/aes/asm/aesp8-ppc.pl
+f3490c936a80e012c49e577ec6e1d4d36df324dfef6264e788e6225e20b5fd52 crypto/aes/asm/aesp8-ppc.pl
a5807ed92ec8a16d123061487c385bf1f65e50878cee95c8e8096844454129f8 crypto/aes/asm/aest4-sparcv9.pl
d34cf129a8c63e2b77a74117ed4440a4f35408dabd90e21e70eae92d208fa516 crypto/aes/asm/aesv8-armx.pl
a0b578b7d2787c91013547df07dfa73d8d7a420446dd624c66f7c55159817eb2 crypto/aes/asm/bsaes-armv7.pl
@@ -106,7 +106,7 @@
c39334b70e1394e43f378ae8d31b6e6dc125e4d9181e6536d38e649c4eaadb75 crypto/buffer/buffer.c
d2bfdfd96b182741d2d51f91478ffcc48491b0da44662bc1c32bc506b3eef1ba crypto/c64xpluscpuid.pl
0e1a41a2d81b5765bca3df448f60bf1fad91e485fe89dd65a7300ffc419e316d crypto/cmac/cmac.c
-ff9be205d6d7ff00b0e64508f0eb8d9ec0415fbabc0948d26e308212b3f7b2d8 crypto/context.c
+5113d8d12d884f845cad3d35d92f0a1ee20ebafd7a169273642f4e8178711de9 crypto/context.c
c309d81ea991ddf5be4337afad2fd132169f7443c76f863349d3f3c82f3374e4 crypto/core_algorithm.c
f0fd9eb38bf7f196bbb4d26ce8fdf86d0a4f9db219157e66b2c0ffefb4f42005 crypto/core_fetch.c
799c84d224639c6760c5c28e0e287500a973ca6d0c3d7c1bdcd61b0da4018b3c crypto/core_namemap.c
@@ -178,7 +178,7 @@
129c6b42417bfcf582f4a959cfd65433e6f85b158274f4fa38f9c62615ac9166 crypto/ec/ec_oct.c
c7fba2f2c33f67dafa23caef8c3abd12f5336274a9a07d412b83be0366969ee6 crypto/ec/ecdh_kdf.c
b2cf8f052a5716137da7b0e857ed7a5df5fb513b6d14534199a05e32f2b5a866 crypto/ec/ecdh_ossl.c
-031f99c746ac746c1d4f243dd71c8246b502ff00c1d7ca29f7ca024f0e37e14a crypto/ec/ecdsa_ossl.c
+2e00c2e0e6f6d58b81fc23fe500f59e98793dc828ca87d64eba10cc0fddd0dc1 crypto/ec/ecdsa_ossl.c
b6baa42b16e8df69a12e0ab101033100cddc808ec2682ba1574373e6ec86ae93 crypto/ec/ecdsa_sign.c
f686cea8c8a3259d95c1e6142813d9da47b6d624c62f26c7e4a16d5607cddb35 crypto/ec/ecdsa_vrf.c
141cfc1459214555b623517a054a9e8d5e4065a11301237b7247be2c6f397a0a crypto/ec/ecp_mont.c
@@ -191,7 +191,7 @@
22c44f561ab42d1bd7fd3a3c538ebaba375a704f98056b035e7949d73963c580 crypto/ec/ecx_key.c
28abc295dad8888b5482eb61d31cd78dd80545ecb67dc6f9446a36deb8c40a5e crypto/evp/asymcipher.c
0e75a058dcbbb62cfe39fec6c4a85385dc1a8fce794e4278ce6cebb29763b82b crypto/evp/dh_support.c
-1af3872164b4a4757bc7896a24b4d2f8eb2cfb4cba0d872a93db69975693e0a6 crypto/evp/digest.c
+8f9e9da65ab1d0fb3feae5abd6b5c3649d3a4d03e936bb7624a431080de181ae crypto/evp/digest.c
838277f228cd3025cf95a9cd435e5606ad1fb5d207bbb057aa29892e6a657c55 crypto/evp/ec_support.c
61df3942752307b7006f09d7628348a0cc9e5555469a3a8862349067a52824b7 crypto/evp/evp_enc.c
62c994fd91dc4a5a1a81dfa9391d6eadae62d3549b2e1b22acb2e7c4cd278f27 crypto/evp/evp_fetch.c
@@ -249,7 +249,7 @@
bdf25257b15eca206be4d950d2dd807ca5f058f91f54edbd7a0d312ed83eef8e crypto/modes/ofb128.c
e55a816c356b2d526bc6e40c8b81afa02576e4d44c7d7b6bbe444fb8b01aad41 crypto/modes/wrap128.c
608a04f387be2a509b4d4ad414b7015ab833e56b85020e692e193160f36883a2 crypto/modes/xts128.c
-fecd75b0e1646fb18eeb6b1f528015296157a9bcf97191d0f32b9619aa4f0ffb crypto/o_str.c
+abba788a11469f5c01c766fdac64eccd4fb598b2d4d9a12efb086ae87009acb8 crypto/o_str.c
8ddbbdf43131c10dcd4428aef0eff2b1e98b0410accada0fad41a4925868beef crypto/packet.c
c698d5166d091d6bb6e9df3c211fe1cc916fd43a26ec844f28f547cd708f9c55 crypto/param_build.c
2a0f272dd553b698e8c6fa57962694ebd6064cb03fe26a60df529205568d315d crypto/param_build_set.c
@@ -259,7 +259,7 @@
97cb7414dc2f165d5849ee3b46cdfff0afb067729435d9c01a747e0ca41e230c crypto/ppccap.c
826a78afb376cbf1e87f12a2a67eef2ee47059a0fd3f9cba7ce7f035e34f8052 crypto/ppccpuid.pl
b4d34272a0bd1fbe6562022bf7ea6259b6a5a021a48222d415be47ef5ef2a905 crypto/property/defn_cache.c
-3c4ade2fed4605e374d85ec1134a98da34e7124f89f44b81a754e8cfe81f14ba crypto/property/property.c
+c3709986fd2ab18f3c6136d8dd7705a4538986aa789ceafe770c3a376db3c569 crypto/property/property.c
66da4f28d408133fb544b14aeb9ad4913e7c5c67e2826e53f0dc5bf4d8fada26 crypto/property/property_local.h
b0b382ce829192d2537561cfb0fb5c7afb04305f321f7b3c91441b4ba99b9c92 crypto/property/property_parse.c
a7cefda6a117550e2c76e0f307565ce1e11640b11ba10c80e469a837fd1212a3 crypto/property/property_query.c
@@ -278,7 +278,7 @@
a65e85be5269d8cb88e86b3413c978fa8994419a671092cbf104ff1a08fda23b crypto/rsa/rsa_local.h
cf0b75cd54b61b9b9a290ef18d0ddce9fb26a029a54eb3f720d9b25188440f00 crypto/rsa/rsa_mp_names.c
5c60f6e05db82e13178d805deb1947b8eee4a905e6e77523d3b288da70a46bb5 crypto/rsa/rsa_none.c
-33de2accc3af530fd0a4758eb83d5e1d994bf49bac4512b01387dbae656e1a7d crypto/rsa/rsa_oaep.c
+f733d03a7f633514bfb33862cd0fa46ac952a86f84000f109c0d37937bac9a1e crypto/rsa/rsa_oaep.c
e05fcad237b7e4e7842ad6e142789fe25d060247283c337c78703be6ecc31ed9 crypto/rsa/rsa_ossl.c
be3f39c1fcb777d6c0122061f9ef735d10a6bee95d67fcc1ca6ae2a664022d2b crypto/rsa/rsa_pk1.c
174a42e156be48927fe6d6bf0d95575619b8e643a99761275bff933bc3449722 crypto/rsa/rsa_pss.c
@@ -349,9 +349,9 @@
af0af59fe2cb8668a96751f343232d7faa3e7a937beb2bda09ed74fe60b9cb5f crypto/x86_64cpuid.pl
bbec287bb9bf35379885f8f8998b7fd9e8fc22efee9e1b299109af0f33a7ee16 crypto/x86cpuid.pl
acbb841170d4d3eb91d969be1c0e4973b1babfd5fcd76440b0628f509f82fd76 e_os.h
-6f353dc7c8c4d8f24f7ffbf920668ccb224ebb5810805a7c80d96770cd858005 include/crypto/aes_platform.h
+249a0e58e9692920eddc1ada2ac772a0cfd749cfbf618f2f5da08280df545d8f include/crypto/aes_platform.h
8c6f308c1ca774e6127e325c3b80511dbcdc99631f032694d8db53a5c02364ee include/crypto/asn1_dsa.h
-f6b01cff254311e973361190011cb6aa4d24b3a8c92f54e5191b7e2f669b8745 include/crypto/bn.h
+2e8c284672c4e8e395b3da56a3abf3e65bb4346313fb6f7358e925d077a2e1e2 include/crypto/bn.h
1c46818354d42bd1b1c4e5fdae9e019814936e775fd8c918ca49959c2a6416df include/crypto/bn_conf.h.in
7a43a4898fcc8446065e6c99249bcc14e475716e8c1d40d50408c0ab179520e6 include/crypto/bn_dh.h
e69b2b20fb415e24b970941c84a62b752b5d0175bc68126e467f7cc970495504 include/crypto/cryptlib.h
diff -Nru openssl-3.0.14/providers/implementations/encode_decode/decode_der2key.c openssl-3.0.15/providers/implementations/encode_decode/decode_der2key.c
--- openssl-3.0.14/providers/implementations/encode_decode/decode_der2key.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/providers/implementations/encode_decode/decode_der2key.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -32,6 +32,7 @@
#include "crypto/ecx.h"
#include "crypto/rsa.h"
#include "crypto/x509.h"
+#include "openssl/obj_mac.h"
#include "prov/bio.h"
#include "prov/implementations.h"
#include "endecoder_local.h"
@@ -107,7 +108,10 @@
if ((p8inf = d2i_PKCS8_PRIV_KEY_INFO(NULL, input_der, input_der_len)) != NULL
&& PKCS8_pkey_get0(NULL, NULL, NULL, &alg, p8inf)
- && OBJ_obj2nid(alg->algorithm) == ctx->desc->evp_type)
+ && (OBJ_obj2nid(alg->algorithm) == ctx->desc->evp_type
+ /* Allow decoding sm2 private key with id_ecPublicKey */
+ || (OBJ_obj2nid(alg->algorithm) == NID_X9_62_id_ecPublicKey
+ && ctx->desc->evp_type == NID_sm2)))
key = key_from_pkcs8(p8inf, PROV_LIBCTX_OF(ctx->provctx), NULL);
PKCS8_PRIV_KEY_INFO_free(p8inf);
@@ -286,10 +290,19 @@
params[0] =
OSSL_PARAM_construct_int(OSSL_OBJECT_PARAM_TYPE, &object_type);
- params[1] =
- OSSL_PARAM_construct_utf8_string(OSSL_OBJECT_PARAM_DATA_TYPE,
- (char *)ctx->desc->keytype_name,
- 0);
+
+#ifndef OPENSSL_NO_SM2
+ if (strcmp(ctx->desc->keytype_name, "EC") == 0
+ && (EC_KEY_get_flags(key) & EC_FLAG_SM2_RANGE) != 0)
+ params[1] =
+ OSSL_PARAM_construct_utf8_string(OSSL_OBJECT_PARAM_DATA_TYPE,
+ "SM2", 0);
+ else
+#endif
+ params[1] =
+ OSSL_PARAM_construct_utf8_string(OSSL_OBJECT_PARAM_DATA_TYPE,
+ (char *)ctx->desc->keytype_name,
+ 0);
/* The address of the key becomes the octet string */
params[2] =
OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_REFERENCE,
@@ -409,10 +422,16 @@
static int ec_check(void *key, struct der2key_ctx_st *ctx)
{
/* We're trying to be clever by comparing two truths */
-
+ int ret = 0;
int sm2 = (EC_KEY_get_flags(key) & EC_FLAG_SM2_RANGE) != 0;
- return sm2 == (ctx->desc->evp_type == EVP_PKEY_SM2);
+ if (sm2)
+ ret = ctx->desc->evp_type == EVP_PKEY_SM2
+ || ctx->desc->evp_type == NID_X9_62_id_ecPublicKey;
+ else
+ ret = ctx->desc->evp_type != EVP_PKEY_SM2;
+
+ return ret;
}
static void ec_adjust(void *key, struct der2key_ctx_st *ctx)
diff -Nru openssl-3.0.14/providers/implementations/rands/drbg.c openssl-3.0.15/providers/implementations/rands/drbg.c
--- openssl-3.0.14/providers/implementations/rands/drbg.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/providers/implementations/rands/drbg.c 2024-09-03 15:30:13.000000000 +0200
@@ -203,6 +203,11 @@
return ossl_crngt_get_entropy(drbg, pout, entropy, min_len, max_len,
prediction_resistance);
#else
+ /*
+ * In normal use (i.e. OpenSSL's own uses), this is never called.
+ * Outside of the FIPS provider, OpenSSL sets its DRBGs up so that
+ * they always have a parent. This remains purely for legacy reasons.
+ */
return ossl_prov_get_entropy(drbg->provctx, pout, entropy, min_len,
max_len);
#endif
diff -Nru openssl-3.0.14/ssl/bio_ssl.c openssl-3.0.15/ssl/bio_ssl.c
--- openssl-3.0.14/ssl/bio_ssl.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/ssl/bio_ssl.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -77,7 +77,7 @@
return 0;
bs = BIO_get_data(a);
if (BIO_get_shutdown(a)) {
- if (bs->ssl != NULL)
+ if (bs->ssl != NULL && !SSL_in_init(bs->ssl))
SSL_shutdown(bs->ssl);
if (BIO_get_init(a))
SSL_free(bs->ssl);
diff -Nru openssl-3.0.14/ssl/ssl_lib.c openssl-3.0.15/ssl/ssl_lib.c
--- openssl-3.0.14/ssl/ssl_lib.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/ssl/ssl_lib.c 2024-09-03 15:30:13.000000000 +0200
@@ -2952,37 +2952,54 @@
unsigned int server_len,
const unsigned char *client, unsigned int client_len)
{
- unsigned int i, j;
- const unsigned char *result;
- int status = OPENSSL_NPN_UNSUPPORTED;
+ PACKET cpkt, csubpkt, spkt, ssubpkt;
+
+ if (!PACKET_buf_init(&cpkt, client, client_len)
+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
+ || PACKET_remaining(&csubpkt) == 0) {
+ *out = NULL;
+ *outlen = 0;
+ return OPENSSL_NPN_NO_OVERLAP;
+ }
+
+ /*
+ * Set the default opportunistic protocol. Will be overwritten if we find
+ * a match.
+ */
+ *out = (unsigned char *)PACKET_data(&csubpkt);
+ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
/*
* For each protocol in server preference order, see if we support it.
*/
- for (i = 0; i < server_len;) {
- for (j = 0; j < client_len;) {
- if (server[i] == client[j] &&
- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
- /* We found a match */
- result = &server[i];
- status = OPENSSL_NPN_NEGOTIATED;
- goto found;
+ if (PACKET_buf_init(&spkt, server, server_len)) {
+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
+ if (PACKET_remaining(&ssubpkt) == 0)
+ continue; /* Invalid - ignore it */
+ if (PACKET_buf_init(&cpkt, client, client_len)) {
+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
+ PACKET_remaining(&ssubpkt))) {
+ /* We found a match */
+ *out = (unsigned char *)PACKET_data(&ssubpkt);
+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
+ return OPENSSL_NPN_NEGOTIATED;
+ }
+ }
+ /* Ignore spurious trailing bytes in the client list */
+ } else {
+ /* This should never happen */
+ return OPENSSL_NPN_NO_OVERLAP;
}
- j += client[j];
- j++;
}
- i += server[i];
- i++;
+ /* Ignore spurious trailing bytes in the server list */
}
- /* There's no overlap between our protocols and the server's list. */
- result = client;
- status = OPENSSL_NPN_NO_OVERLAP;
-
- found:
- *out = (unsigned char *)result + 1;
- *outlen = result[0];
- return status;
+ /*
+ * There's no overlap between our protocols and the server's list. We use
+ * the default opportunistic protocol selected earlier
+ */
+ return OPENSSL_NPN_NO_OVERLAP;
}
#ifndef OPENSSL_NO_NEXTPROTONEG
diff -Nru openssl-3.0.14/ssl/ssl_sess.c openssl-3.0.15/ssl/ssl_sess.c
--- openssl-3.0.14/ssl/ssl_sess.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/ssl/ssl_sess.c 2024-09-03 15:30:13.000000000 +0200
@@ -53,21 +53,36 @@
return 0;
}
+#ifdef __DJGPP__ /* time_t is unsigned on djgpp, it's signed anywhere else */
+# define TMAX(_type_) ((time_t)-1)
+#else
+# define TMAX(_type_) ((time_t)(((_type_)-1) >> 1))
+#endif
+
+#define CALCULATE_TIMEOUT(_ss_, _type_) do { \
+ _type_ overflow; \
+ time_t tmax = TMAX(_type_); \
+ overflow = (_type_)tmax - (_type_)(_ss_)->time; \
+ if ((_ss_)->timeout > (time_t)overflow) { \
+ (_ss_)->timeout_ovf = 1; \
+ (_ss_)->calc_timeout = (_ss_)->timeout - (time_t)overflow; \
+ } else { \
+ (_ss_)->timeout_ovf = 0; \
+ (_ss_)->calc_timeout = (_ss_)->time + (_ss_)->timeout; \
+ } \
+ } while (0)
/*
* Calculates effective timeout, saving overflow state
* Locking must be done by the caller of this function
*/
void ssl_session_calculate_timeout(SSL_SESSION *ss)
{
- /* Force positive timeout */
- if (ss->timeout < 0)
- ss->timeout = 0;
- ss->calc_timeout = ss->time + ss->timeout;
- /*
- * |timeout| is always zero or positive, so the check for
- * overflow only needs to consider if |time| is positive
- */
- ss->timeout_ovf = ss->time > 0 && ss->calc_timeout < ss->time;
+
+ if (sizeof(time_t) == 8)
+ CALCULATE_TIMEOUT(ss, uint64_t);
+ else
+ CALCULATE_TIMEOUT(ss, uint32_t);
+
/*
* N.B. Realistic overflow can only occur in our lifetimes on a
* 32-bit machine in January 2038.
@@ -132,6 +147,7 @@
return NULL;
}
+ ss->ext.max_fragment_len_mode = TLSEXT_max_fragment_length_UNSPECIFIED;
ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
ss->references = 1;
ss->timeout = 60 * 5 + 4; /* 5 minute timeout by default */
diff -Nru openssl-3.0.14/ssl/statem/extensions.c openssl-3.0.15/ssl/statem/extensions.c
--- openssl-3.0.14/ssl/statem/extensions.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/ssl/statem/extensions.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1684,15 +1684,9 @@
static int final_maxfragmentlen(SSL *s, unsigned int context, int sent)
{
- /*
- * Session resumption on server-side with MFL extension active
- * BUT MFL extension packet was not resent (i.e. sent == 0)
- */
- if (s->server && s->hit && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
- && !sent ) {
- SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_R_BAD_EXTENSION);
- return 0;
- }
+ /* MaxFragmentLength defaults to disabled */
+ if (s->session->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_UNSPECIFIED)
+ s->session->ext.max_fragment_len_mode = TLSEXT_max_fragment_length_DISABLED;
/* Current SSL buffer is lower than requested MFL */
if (s->session && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
diff -Nru openssl-3.0.14/ssl/statem/extensions_clnt.c openssl-3.0.15/ssl/statem/extensions_clnt.c
--- openssl-3.0.14/ssl/statem/extensions_clnt.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/ssl/statem/extensions_clnt.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1536,7 +1536,8 @@
PACKET_data(pkt),
PACKET_remaining(pkt),
s->ctx->ext.npn_select_cb_arg) !=
- SSL_TLSEXT_ERR_OK) {
+ SSL_TLSEXT_ERR_OK
+ || selected_len == 0) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
return 0;
}
@@ -1565,6 +1566,8 @@
size_t chainidx)
{
size_t len;
+ PACKET confpkt, protpkt;
+ int valid = 0;
/* We must have requested it. */
if (!s->s3.alpn_sent) {
@@ -1583,6 +1586,28 @@
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
return 0;
}
+
+ /* It must be a protocol that we sent */
+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
+ if (PACKET_remaining(&protpkt) != len)
+ continue;
+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
+ /* Valid protocol found */
+ valid = 1;
+ break;
+ }
+ }
+
+ if (!valid) {
+ /* The protocol sent from the server does not match one we advertised */
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
+ return 0;
+ }
+
OPENSSL_free(s->s3.alpn_selected);
s->s3.alpn_selected = OPENSSL_malloc(len);
if (s->s3.alpn_selected == NULL) {
diff -Nru openssl-3.0.14/ssl/statem/extensions_srvr.c openssl-3.0.15/ssl/statem/extensions_srvr.c
--- openssl-3.0.14/ssl/statem/extensions_srvr.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/ssl/statem/extensions_srvr.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -181,21 +181,26 @@
}
/*
- * RFC 6066: The negotiated length applies for the duration of the session
+ * When doing a full handshake or a renegotiation max_fragment_len_mode will
+ * be TLSEXT_max_fragment_length_UNSPECIFIED
+ *
+ * In case of a resumption max_fragment_len_mode will be one of
+ * TLSEXT_max_fragment_length_DISABLED, TLSEXT_max_fragment_length_512,
+ * TLSEXT_max_fragment_length_1024, TLSEXT_max_fragment_length_2048.
+ * TLSEXT_max_fragment_length_4096
+ *
+ * RFC 6066: The negotiated length applies for the duration of the session
* including session resumptions.
- * We should receive the same code as in resumed session !
+ *
+ * So we only set the value in case it is unspecified.
*/
- if (s->hit && s->session->ext.max_fragment_len_mode != value) {
- SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
- SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
- return 0;
- }
+ if (s->session->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_UNSPECIFIED)
+ /*
+ * Store it in session, so it'll become binding for us
+ * and we'll include it in a next Server Hello.
+ */
+ s->session->ext.max_fragment_len_mode = value;
- /*
- * Store it in session, so it'll become binding for us
- * and we'll include it in a next Server Hello.
- */
- s->session->ext.max_fragment_len_mode = value;
return 1;
}
@@ -1471,9 +1476,10 @@
return EXT_RETURN_FAIL;
}
s->s3.npn_seen = 1;
+ return EXT_RETURN_SENT;
}
- return EXT_RETURN_SENT;
+ return EXT_RETURN_NOT_SENT;
}
#endif
diff -Nru openssl-3.0.14/ssl/statem/statem_lib.c openssl-3.0.15/ssl/statem/statem_lib.c
--- openssl-3.0.14/ssl/statem/statem_lib.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/ssl/statem/statem_lib.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@@ -480,6 +480,10 @@
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
goto err;
}
+ if (PACKET_remaining(pkt) != 0) {
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
+ goto err;
+ }
if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
/* SSLfatal() already called */
diff -Nru openssl-3.0.14/ssl/t1_lib.c openssl-3.0.15/ssl/t1_lib.c
--- openssl-3.0.14/ssl/t1_lib.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/ssl/t1_lib.c 2024-09-03 15:30:13.000000000 +0200
@@ -3401,6 +3401,8 @@
uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session)
{
+ if (session->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_UNSPECIFIED)
+ return TLSEXT_max_fragment_length_DISABLED;
return session->ext.max_fragment_len_mode;
}
diff -Nru openssl-3.0.14/test/build.info openssl-3.0.15/test/build.info
--- openssl-3.0.14/test/build.info 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/test/build.info 2024-09-03 15:30:13.000000000 +0200
@@ -40,7 +40,7 @@
exptest pbetest localetest evp_pkey_ctx_new_from_name\
evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \
evp_fetch_prov_test evp_libctx_test ossl_store_test \
- v3nametest v3ext punycode_test \
+ v3nametest v3ext punycode_test evp_byname_test \
crltest danetest bad_dtls_test lhash_test sparse_array_test \
conf_include_test params_api_test params_conversion_test \
constant_time_test verify_extra_test clienthellotest \
@@ -305,6 +305,10 @@
INCLUDE[punycode_test]=../include ../apps/include
DEPEND[punycode_test]=../libcrypto.a libtestutil.a
+ SOURCE[evp_byname_test]=evp_byname_test.c
+ INCLUDE[evp_byname_test]=../include ../apps/include
+ DEPEND[evp_byname_test]=../libcrypto libtestutil.a
+
SOURCE[stack_test]=stack_test.c
INCLUDE[stack_test]=../include ../apps/include
DEPEND[stack_test]=../libcrypto libtestutil.a
diff -Nru openssl-3.0.14/test/crltest.c openssl-3.0.15/test/crltest.c
--- openssl-3.0.14/test/crltest.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/test/crltest.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -101,6 +101,13 @@
NULL
};
+static const char *kInvalidCRL[] = {
+ "-----BEGIN X509 CRL-----\n",
+ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n",
+ "-----END X509 CRL-----\n",
+ NULL
+};
+
static const char *kBadIssuerCRL[] = {
"-----BEGIN X509 CRL-----\n",
"MIIBwjCBqwIBATANBgkqhkiG9w0BAQsFADBSMQswCQYDVQQGEwJVUzETMBEGA1UE\n",
@@ -371,24 +378,58 @@
return r;
}
-static int test_reuse_crl(void)
+static int test_reuse_crl(int idx)
{
- X509_CRL *reused_crl = CRL_from_strings(kBasicCRL);
- char *p;
- BIO *b = glue2bio(kRevokedCRL, &p);
+ X509_CRL *result, *reused_crl = CRL_from_strings(kBasicCRL);
+ X509_CRL *addref_crl = NULL;
+ char *p = NULL;
+ BIO *b = NULL;
+ int r = 0;
- if (b == NULL) {
- OPENSSL_free(p);
- X509_CRL_free(reused_crl);
- return 0;
+ if (!TEST_ptr(reused_crl))
+ goto err;
+
+ if (idx & 1) {
+ if (!TEST_true(X509_CRL_up_ref(reused_crl)))
+ goto err;
+ addref_crl = reused_crl;
}
- reused_crl = PEM_read_bio_X509_CRL(b, &reused_crl, NULL, NULL);
+ idx >>= 1;
+ b = glue2bio(idx == 2 ? kRevokedCRL : kInvalidCRL + idx, &p);
+
+ if (!TEST_ptr(b))
+ goto err;
+ result = PEM_read_bio_X509_CRL(b, &reused_crl, NULL, NULL);
+
+ switch (idx) {
+ case 0: /* valid PEM + invalid DER */
+ if (!TEST_ptr_null(result)
+ || !TEST_ptr_null(reused_crl))
+ goto err;
+ break;
+ case 1: /* invalid PEM */
+ if (!TEST_ptr_null(result)
+ || !TEST_ptr(reused_crl))
+ goto err;
+ break;
+ case 2:
+ if (!TEST_ptr(result)
+ || !TEST_ptr(reused_crl)
+ || !TEST_ptr_eq(result, reused_crl))
+ goto err;
+ break;
+ }
+
+ r = 1;
+
+ err:
OPENSSL_free(p);
BIO_free(b);
X509_CRL_free(reused_crl);
- return 1;
+ X509_CRL_free(addref_crl);
+ return r;
}
int setup_tests(void)
@@ -402,7 +443,7 @@
ADD_TEST(test_bad_issuer_crl);
ADD_TEST(test_known_critical_crl);
ADD_ALL_TESTS(test_unknown_critical_crl, OSSL_NELEM(unknown_critical_crls));
- ADD_TEST(test_reuse_crl);
+ ADD_ALL_TESTS(test_reuse_crl, 6);
return 1;
}
diff -Nru openssl-3.0.14/test/endecode_test.c openssl-3.0.15/test/endecode_test.c
--- openssl-3.0.14/test/endecode_test.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/test/endecode_test.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1028,6 +1028,10 @@
IMPLEMENT_TEST_SUITE(ECExplicitTri2G, "EC", 0)
IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitTri2G, "EC")
# endif
+# ifndef OPENSSL_NO_SM2
+KEYS(SM2);
+IMPLEMENT_TEST_SUITE(SM2, "SM2", 0)
+# endif
KEYS(ED25519);
IMPLEMENT_TEST_SUITE(ED25519, "ED25519", 1)
KEYS(ED448);
@@ -1333,9 +1337,7 @@
}
/* FIPS(3.0.0): provider imports explicit params but they won't work #17998 */
- is_fips_3_0_0 = fips_provider_version_eq(testctx, 3, 0, 0);
- if (is_fips_3_0_0 < 0)
- return 0;
+ is_fips_3_0_0 = is_fips && fips_provider_version_eq(testctx, 3, 0, 0);
/* Separate provider/ctx for generating the test data */
if (!TEST_ptr(keyctx = OSSL_LIB_CTX_new()))
@@ -1383,6 +1385,9 @@
MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc);
MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit);
# endif
+# ifndef OPENSSL_NO_SM2
+ MAKE_KEYS(SM2, "SM2", NULL);
+# endif
MAKE_KEYS(ED25519, "ED25519", NULL);
MAKE_KEYS(ED448, "ED448", NULL);
MAKE_KEYS(X25519, "X25519", NULL);
@@ -1429,6 +1434,12 @@
ADD_TEST_SUITE(ECExplicitTri2G);
ADD_TEST_SUITE_LEGACY(ECExplicitTri2G);
# endif
+# ifndef OPENSSL_NO_SM2
+ if (!is_fips_3_0_0) {
+ /* 3.0.0 FIPS provider imports explicit EC params and then fails. */
+ ADD_TEST_SUITE(SM2);
+ }
+# endif
ADD_TEST_SUITE(ED25519);
ADD_TEST_SUITE(ED448);
ADD_TEST_SUITE(X25519);
@@ -1486,6 +1497,9 @@
FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve);
FREE_DOMAIN_KEYS(ECExplicitTri2G);
# endif
+# ifndef OPENSSL_NO_SM2
+ FREE_KEYS(SM2);
+# endif
FREE_KEYS(ED25519);
FREE_KEYS(ED448);
FREE_KEYS(X25519);
diff -Nru openssl-3.0.14/test/evp_byname_test.c openssl-3.0.15/test/evp_byname_test.c
--- openssl-3.0.14/test/evp_byname_test.c 1970-01-01 01:00:00.000000000 +0100
+++ openssl-3.0.15/test/evp_byname_test.c 2024-09-03 15:30:13.000000000 +0200
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/evp.h>
+#include "testutil.h"
+
+static int test_evp_get_digestbyname(void)
+{
+ const EVP_MD *md;
+
+ if (!TEST_ptr(md = EVP_get_digestbyname("SHA2-256")))
+ return 0;
+ return 1;
+}
+
+static int test_evp_get_cipherbyname(void)
+{
+ const EVP_CIPHER *cipher;
+
+ if (!TEST_ptr(cipher = EVP_get_cipherbyname("AES-256-WRAP")))
+ return 0;
+ return 1;
+}
+
+int setup_tests(void)
+{
+ ADD_TEST(test_evp_get_digestbyname);
+ ADD_TEST(test_evp_get_cipherbyname);
+ return 1;
+}
diff -Nru openssl-3.0.14/test/evp_extra_test.c openssl-3.0.15/test/evp_extra_test.c
--- openssl-3.0.14/test/evp_extra_test.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/test/evp_extra_test.c 2024-09-03 15:30:13.000000000 +0200
@@ -5351,6 +5351,25 @@
}
#endif
+static int test_invalid_ctx_for_digest(void)
+{
+ int ret;
+ EVP_MD_CTX *mdctx;
+
+ mdctx = EVP_MD_CTX_new();
+ if (!TEST_ptr(mdctx))
+ return 0;
+
+ if (!TEST_int_eq(EVP_DigestUpdate(mdctx, "test", sizeof("test") - 1), 0))
+ ret = 0;
+ else
+ ret = 1;
+
+ EVP_MD_CTX_free(mdctx);
+
+ return ret;
+}
+
int setup_tests(void)
{
OPTION_CHOICE o;
@@ -5514,6 +5533,8 @@
ADD_TEST(test_aes_rc4_keylen_change_cve_2023_5363);
#endif
+ ADD_TEST(test_invalid_ctx_for_digest);
+
return 1;
}
diff -Nru openssl-3.0.14/test/helpers/handshake.c openssl-3.0.15/test/helpers/handshake.c
--- openssl-3.0.14/test/helpers/handshake.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/test/helpers/handshake.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -348,6 +348,12 @@
len = strlen(protos);
+ if (len == 0) {
+ *out = NULL;
+ *outlen = 0;
+ return 1;
+ }
+
/* Should never have reuse. */
if (!TEST_ptr_null(*out)
/* Test values are small, so we omit length limit checks. */
diff -Nru openssl-3.0.14/test/hexstr_test.c openssl-3.0.15/test/hexstr_test.c
--- openssl-3.0.14/test/hexstr_test.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/test/hexstr_test.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -120,9 +120,14 @@
return TEST_true(OPENSSL_hexstr2buf_ex(buf, sizeof(buf), &len, test->in, ':'))
&& TEST_mem_eq(buf, len, test->expected, test->expected_len)
+ && TEST_false(OPENSSL_buf2hexstr_ex(out, 3 * len - 1, NULL, buf, len,
+ ':'))
&& TEST_true(OPENSSL_buf2hexstr_ex(out, sizeof(out), NULL, buf, len,
- ':'))
- && TEST_str_eq(out, test->in);
+ ':'))
+ && TEST_str_eq(out, test->in)
+ && TEST_true(OPENSSL_buf2hexstr_ex(out, sizeof(out), NULL, buf, 0,
+ ':'))
+ && TEST_size_t_eq(strlen(out), 0);
}
int setup_tests(void)
diff -Nru openssl-3.0.14/test/prov_config_test.c openssl-3.0.15/test/prov_config_test.c
--- openssl-3.0.14/test/prov_config_test.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/test/prov_config_test.c 2024-09-03 15:30:13.000000000 +0200
@@ -26,15 +26,13 @@
int testresult = 0;
EVP_MD *sha256 = NULL;
- if (!TEST_ptr(configfile))
- return 0;
if (!TEST_ptr(ctx))
return 0;
if (!TEST_true(OSSL_LIB_CTX_load_config(ctx, configfile)))
- return 0;
+ goto err;
if (!TEST_true(OSSL_LIB_CTX_load_config(ctx, configfile)))
- return 0;
+ goto err;
/* Check we can actually fetch something */
sha256 = EVP_MD_fetch(ctx, "SHA2-256", NULL);
@@ -54,9 +52,6 @@
int testresult = 0;
unsigned long err;
- if (!TEST_ptr(recurseconfigfile))
- goto err;
-
if (!TEST_ptr(ctx))
goto err;
diff -Nru openssl-3.0.14/test/provider_fallback_test.c openssl-3.0.15/test/provider_fallback_test.c
--- openssl-3.0.14/test/provider_fallback_test.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/test/provider_fallback_test.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -39,9 +39,15 @@
int ok;
ok = TEST_ptr(ctx = OSSL_LIB_CTX_new())
- && TEST_ptr(prov = OSSL_PROVIDER_load(ctx, "default"))
- && test_provider(ctx)
- && TEST_true(OSSL_PROVIDER_unload(prov));
+ && TEST_ptr(prov = OSSL_PROVIDER_load(ctx, "default"));
+
+ if (ok) {
+ ok = test_provider(ctx);
+ if (ok)
+ ok = TEST_true(OSSL_PROVIDER_unload(prov));
+ else
+ OSSL_PROVIDER_unload(prov);
+ }
OSSL_LIB_CTX_free(ctx);
return ok;
diff -Nru openssl-3.0.14/test/provider_internal_test.c openssl-3.0.15/test/provider_internal_test.c
--- openssl-3.0.14/test/provider_internal_test.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/test/provider_internal_test.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -22,7 +22,7 @@
static int test_provider(OSSL_PROVIDER *prov, const char *expected_greeting)
{
- const char *greeting = NULL;
+ const char *greeting = "no greeting received";
int ret = 0;
ret =
diff -Nru openssl-3.0.14/test/provider_test.c openssl-3.0.15/test/provider_test.c
--- openssl-3.0.14/test/provider_test.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/test/provider_test.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -197,6 +197,7 @@
if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, name,
PROVIDER_INIT_FUNCTION_NAME))) {
+ OSSL_PROVIDER_unload(legacy);
OSSL_LIB_CTX_free(libctx);
return 0;
}
diff -Nru openssl-3.0.14/test/recipes/03-test_fipsinstall.t openssl-3.0.15/test/recipes/03-test_fipsinstall.t
--- openssl-3.0.14/test/recipes/03-test_fipsinstall.t 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/test/recipes/03-test_fipsinstall.t 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -30,6 +30,9 @@
my $fipskey = $ENV{FIPSKEY} // config('FIPSKEY') // '00';
my $provconf = srctop_file("test", "fips-and-base.cnf");
+run(test(["fips_version_test", "-config", $provconf, "<3.4.0"]),
+ capture => 1, statusvar => \my $indicatorpost);
+
# Read in a text $infile and replace the regular expression in $srch with the
# value in $repl and output to a new file $outfile.
sub replace_line_file_internal {
@@ -182,7 +185,7 @@
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
'-provider_name', 'fips', '-mac_name', 'HMAC',
'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
- '-section_name', 'fips_sect', '-corrupt_desc', 'SHA1'])),
+ '-section_name', 'fips_sect', '-corrupt_desc', 'SHA2'])),
"fipsinstall fails when the digest result is corrupted");
# corrupt another digest
@@ -269,24 +272,27 @@
'-config', 'fips_parent_no_module_mac.cnf'])),
"verify load config fail no module mac");
-ok(replace_parent_line_file('fips_no_install_mac.cnf',
- 'fips_parent_no_install_mac.cnf')
- && !run(app(['openssl', 'fipsinstall',
- '-config', 'fips_parent_no_install_mac.cnf'])),
- "verify load config fail no install mac");
-
-ok(replace_parent_line_file('fips_bad_indicator.cnf',
- 'fips_parent_bad_indicator.cnf')
- && !run(app(['openssl', 'fipsinstall',
- '-config', 'fips_parent_bad_indicator.cnf'])),
- "verify load config fail bad indicator");
+SKIP: {
+ skip "Newer FIPS provider version does not support this feature", 3
+ if !$indicatorpost;
-ok(replace_parent_line_file('fips_bad_install_mac.cnf',
- 'fips_parent_bad_install_mac.cnf')
- && !run(app(['openssl', 'fipsinstall',
- '-config', 'fips_parent_bad_install_mac.cnf'])),
- "verify load config fail bad install mac");
+ ok(replace_parent_line_file('fips_no_install_mac.cnf',
+ 'fips_parent_no_install_mac.cnf')
+ && !run(app(['openssl', 'fipsinstall',
+ '-config', 'fips_parent_no_install_mac.cnf'])),
+ "verify load config fail no install mac");
+ ok(replace_parent_line_file('fips_bad_indicator.cnf',
+ 'fips_parent_bad_indicator.cnf')
+ && !run(app(['openssl', 'fipsinstall',
+ '-config', 'fips_parent_bad_indicator.cnf'])),
+ "verify load config fail bad indicator");
+ ok(replace_parent_line_file('fips_bad_install_mac.cnf',
+ 'fips_parent_bad_install_mac.cnf')
+ && !run(app(['openssl', 'fipsinstall',
+ '-config', 'fips_parent_bad_install_mac.cnf'])),
+ "verify load config fail bad install mac");
+}
ok(replace_parent_line_file('fips_bad_module_mac.cnf',
'fips_parent_bad_module_mac.cnf')
diff -Nru openssl-3.0.14/test/recipes/04-test_conf_data/oversized_line.cnf openssl-3.0.15/test/recipes/04-test_conf_data/oversized_line.cnf
--- openssl-3.0.14/test/recipes/04-test_conf_data/oversized_line.cnf 1970-01-01 01:00:00.000000000 +0100
+++ openssl-3.0.15/test/recipes/04-test_conf_data/oversized_line.cnf 2024-09-03 15:30:13.000000000 +0200
@@ -0,0 +1,3 @@
+foo = a_line_longer_than_512_characters_\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"_end
+bar = a_line_longer_than_512_characters__\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"_end
+last = x
diff -Nru openssl-3.0.14/test/recipes/04-test_conf_data/oversized_line.txt openssl-3.0.15/test/recipes/04-test_conf_data/oversized_line.txt
--- openssl-3.0.14/test/recipes/04-test_conf_data/oversized_line.txt 1970-01-01 01:00:00.000000000 +0100
+++ openssl-3.0.15/test/recipes/04-test_conf_data/oversized_line.txt 2024-09-03 15:30:13.000000000 +0200
@@ -0,0 +1,4 @@
+[ default ]
+foo = a_line_longer_than_512_characters_""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""_end
+bar = a_line_longer_than_512_characters__""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""_end
+last = x
diff -Nru openssl-3.0.14/test/recipes/04-test_conf.t openssl-3.0.15/test/recipes/04-test_conf.t
--- openssl-3.0.14/test/recipes/04-test_conf.t 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/test/recipes/04-test_conf.t 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -18,6 +18,7 @@
my %input_result = (
'dollarid_on.cnf' => 'dollarid_on.txt',
'dollarid_off.cnf' => 'dollarid_off.txt',
+ 'oversized_line.cnf' => 'oversized_line.txt',
);
plan skip_all => 'This is unsupported for cross compiled configurations'
diff -Nru openssl-3.0.14/test/recipes/25-test_eai_data/kdc-cert.pem openssl-3.0.15/test/recipes/25-test_eai_data/kdc-cert.pem
--- openssl-3.0.14/test/recipes/25-test_eai_data/kdc-cert.pem 1970-01-01 01:00:00.000000000 +0100
+++ openssl-3.0.15/test/recipes/25-test_eai_data/kdc-cert.pem 2024-09-03 15:30:13.000000000 +0200
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDbDCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
+MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAXMRUwEwYDVQQDDAxU
+RVNULkVYQU1QTEUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6wfP+
+6go79dkpo/dGLMlPZ7Gw/Q6gUYrCWZWUEgEeRVHCrqOlgUEyA+PcWas/XDPUxXry
+BQlJHLvlqamAQn8gs4QPBARFYWKNiTVGyaRkgNA1N5gqyZdrP9UE+ZJmdqxRAAe8
+vvpGZWSgevPhLUiSCFYDiD0Rtji2Hm3rGUrReQFBQDEw2pNGwz9zIaxUs08kQZcx
+Yzyiplz5Oau+R/6sAgUwDlrD9xOlUxx/tA/MSDIfkK8qioU11uUZtO5VjkNQy/bT
+7zQMmXxWgm2MIgOs1u4YN7YGOtgqHE9v9iPHHfgrkbQDtVDGQsa8AQEhkUDSCtW9
+3VFAKx6dGNXYzFwfAgMBAAGjgcgwgcUwHQYDVR0OBBYEFFR5tZycW19DmtbL4Zqj
+te1c2vZLMAkGA1UdIwQCMAAwCQYDVR0TBAIwADCBjQYDVR0RBIGFMIGCoD8GBisG
+AQUCAqA1MDOgDhsMVEVTVC5FWEFNUExFoSEwH6ADAgEBoRgwFhsGa3JidGd0GwxU
+RVNULkVYQU1QTEWgHQYIKwYBBQUHCAmgERYPbW9lQGV4YW1wbGUuY29tgQ9qb2VA
+ZXhhbXBsZS5jb22CD214MS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA
+T0xzVtVpRtaOzIhgzw7XQUdzWD5UEGSJJ1cBCOmKUWwDLTAouCYLFB4TbEE7MMUb
+iuMy60bjmVtvfJIXorGUgSadRe5RWJ5DamJWvPA0Q9x7blnEcXqEF+9Td+ypevgU
+UYHFmg83OYwxOsFXZ5cRuXMk3WCsDHQIBi6D1L6oDDZ2pfArs5mqm3thQKVlqyl1
+El3XRYEdqAz/5eCOFNfwxF0ALxjxVr/Z50StUZU8I7Zfev6+kHhyrR7dqzYJImv9
+0fTCOBEMjIETDsrA70OxAMu4V16nrWZdJdvzblS2qrt97Omkj+2kiPAJFB76RpwI
+oDQ9fKfUOAmUFth2/R/eGA==
+-----END CERTIFICATE-----
diff -Nru openssl-3.0.14/test/recipes/25-test_eai_data/kdc-root-cert.pem openssl-3.0.15/test/recipes/25-test_eai_data/kdc-root-cert.pem
--- openssl-3.0.14/test/recipes/25-test_eai_data/kdc-root-cert.pem 1970-01-01 01:00:00.000000000 +0100
+++ openssl-3.0.15/test/recipes/25-test_eai_data/kdc-root-cert.pem 2024-09-03 15:30:13.000000000 +0200
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICnDCCAYQCCQCBswYcrlZSHjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARS
+b290MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAPMQ0wCwYDVQQD
+DARSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRj8S4kBbIUj
+61kZfi6nE35Q38U140+qt4uAiwAhKumfVHlBM0zQ98WFt5zMHIBQwIb3yjc2zj+0
+qzUnQfwm1r/RfcMmBPEti9Ge+aEMSsds2gMXziOFM8wd2aAFPy7UVE0XpEWofsRK
+MGi61MKVdPSbGIxBwY9VW38/7D/wf1HtJe7y0xpuecR7GB2XAs+qST59NjuF+7wS
+dLM8Hb3TATgeYbXXWsRJgwz+SPzExg5WmLnU+7y4brZ32dHtdSmkRVSgSlaIf7Xj
+3Tc6Zi7I+W/JYk7hy1zUexVdWCak4PHcoWrXe0gNNN/t8VfLfMExt5z/HIylXnU7
+pGUyqZlTGQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAHpLF1UCRy7b6Hk0rLokxI
+lgwiH9BU9mktigAGASvkbllpt+YbUbWnuYAvpHBGiP1qZtfX2r96UrSJaGO9BEzT
+Gp9ThnSjoj4Srul0+s/NArU22irFLmDzbalgevAmm9gMGkdqkiIm/mXbwrPj0ncl
+KGicevXryVpvaP62eZ8cc3C4p97frMmXxRX8sTdQpD/gRI7prdEILRSKveqT+AEW
+7rFGM5AOevb4U8ddop8A3D/kX0wcCAIBF6jCNk3uEJ57jVcagL04kPnVfdRiedTS
+vfq1DRNcD29d1H/9u0fHdSn1/+8Ep3X+afQ3C6//5NvOEaXcIGO4QSwkprQydfv8
+-----END CERTIFICATE-----
diff -Nru openssl-3.0.14/test/recipes/25-test_eai_data/kdc.sh openssl-3.0.15/test/recipes/25-test_eai_data/kdc.sh
--- openssl-3.0.14/test/recipes/25-test_eai_data/kdc.sh 1970-01-01 01:00:00.000000000 +0100
+++ openssl-3.0.15/test/recipes/25-test_eai_data/kdc.sh 2024-09-03 15:30:13.000000000 +0200
@@ -0,0 +1,41 @@
+#! /usr/bin/env bash
+
+# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and
+# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS
+# name SAN. In the vulnerable EAI code, the KDC principal `otherName` should
+# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox`
+# should likewise lead to ASAN issues with email name checks.
+
+rm -f root-key.pem root-cert.pem
+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \
+ -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem
+
+exts=$(
+ printf "%s\n%s\n%s\n%s = " \
+ "subjectKeyIdentifier = hash" \
+ "authorityKeyIdentifier = keyid" \
+ "basicConstraints = CA:false" \
+ "subjectAltName"
+ printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name"
+ printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:[email protected]"
+ printf "%s, " "email:[email protected]"
+ printf "%s\n" "DNS:mx1.example.com"
+ printf "[kdc_princ_name]\n"
+ printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n"
+ printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n"
+ printf "[kdc_principal_seq]\n"
+ printf "name_type = EXP:0, INTEGER:1\n"
+ printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n"
+ printf "[kdc_principal_components]\n"
+ printf "princ1 = GeneralString:krbtgt\n"
+ printf "princ2 = GeneralString:TEST.EXAMPLE\n"
+ )
+
+printf "%s\n" "$exts"
+
+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \
+ -subj "/CN=TEST.EXAMPLE" |
+ openssl x509 -req -out kdc-cert.pem \
+ -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \
+ -set_serial 2 -days 36524 \
+ -extfile <(printf "%s\n" "$exts")
diff -Nru openssl-3.0.14/test/recipes/25-test_eai_data.t openssl-3.0.15/test/recipes/25-test_eai_data.t
--- openssl-3.0.14/test/recipes/25-test_eai_data.t 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/test/recipes/25-test_eai_data.t 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -21,16 +21,18 @@
#./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem
#./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem
-plan tests => 12;
+plan tests => 16;
require_ok(srctop_file('test','recipes','tconversion.pl'));
my $folder = "test/recipes/25-test_eai_data";
my $ascii_pem = srctop_file($folder, "ascii_leaf.pem");
my $utf8_pem = srctop_file($folder, "utf8_leaf.pem");
+my $kdc_pem = srctop_file($folder, "kdc-cert.pem");
my $ascii_chain_pem = srctop_file($folder, "ascii_chain.pem");
my $utf8_chain_pem = srctop_file($folder, "utf8_chain.pem");
+my $kdc_chain_pem = srctop_file($folder, "kdc-root-cert.pem");
my $out;
my $outcnt = 0;
@@ -56,10 +58,18 @@
ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $ascii_pem])));
ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem])));
+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $kdc_chain_pem, $kdc_pem])));
ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem])));
ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $ascii_pem])));
+# Check an otherName does not get misparsed as an DNS name, (should trigger ASAN errors if violated).
+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_hostname", 'mx1.example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
+# Check an otherName does not get misparsed as an email address, (should trigger ASAN errors if violated).
+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", '[email protected]', "-CAfile", $kdc_chain_pem, $kdc_pem])));
+# We expect SmtpUTF8Mailbox to be a UTF8 String, not an IA5String.
+ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", '[email protected]', "-CAfile", $kdc_chain_pem, $kdc_pem])));
+
#Check that we get the expected failure return code
with({ exit_checker => sub { return shift == 2; } },
sub {
diff -Nru openssl-3.0.14/test/recipes/30-test_evp_byname.t openssl-3.0.15/test/recipes/30-test_evp_byname.t
--- openssl-3.0.14/test/recipes/30-test_evp_byname.t 1970-01-01 01:00:00.000000000 +0100
+++ openssl-3.0.15/test/recipes/30-test_evp_byname.t 2024-09-03 15:30:13.000000000 +0200
@@ -0,0 +1,16 @@
+#! /usr/bin/env perl
+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use OpenSSL::Test;
+use OpenSSL::Test::Simple;
+use OpenSSL::Test::Utils;
+
+setup("test_evp_byname");
+
+simple_test("test_evp_byname", "evp_byname_test");
diff -Nru openssl-3.0.14/test/recipes/30-test_evp_data/evppkey_dsa.txt openssl-3.0.15/test/recipes/30-test_evp_data/evppkey_dsa.txt
--- openssl-3.0.14/test/recipes/30-test_evp_data/evppkey_dsa.txt 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/test/recipes/30-test_evp_data/evppkey_dsa.txt 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
#
-# Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -270,6 +270,7 @@
# Test sign with a 2048 bit key with N == 160 is not allowed in fips mode
Availablein = fips
+FIPSversion = <3.4.0
DigestSign = SHA256
Key = DSA-2048-160
Input = "Hello"
@@ -324,6 +325,7 @@
# Test sign with a 1024 bit key is not allowed in fips mode
Availablein = fips
+FIPSversion = <3.4.0
DigestSign = SHA256
Securitycheck = 1
Key = DSA-1024-FIPS186-2
@@ -340,6 +342,7 @@
# Test sign with a 3072 bit key with N == 224 is not allowed in fips mode
Availablein = fips
+FIPSversion = <3.4.0
DigestSign = SHA256
Securitycheck = 1
Key = DSA-3072-224
@@ -348,6 +351,7 @@
# Test sign with a 4096 bit key is not allowed in fips mode
Availablein = fips
+FIPSversion = <3.4.0
DigestSign = SHA256
Securitycheck = 1
Key = DSA-4096-256
diff -Nru openssl-3.0.14/test/recipes/30-test_evp_data/evppkey_ecdsa.txt openssl-3.0.15/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
--- openssl-3.0.14/test/recipes/30-test_evp_data/evppkey_ecdsa.txt 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/test/recipes/30-test_evp_data/evppkey_ecdsa.txt 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
#
-# Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -216,6 +216,7 @@
# Test that SHA1 is not allowed in fips mode for signing
Availablein = fips
+FIPSversion = <3.4.0
Sign = P-256
Securitycheck = 1
Ctrl = digest:SHA1
diff -Nru openssl-3.0.14/test/recipes/30-test_evp_data/evppkey_rsa_common.txt openssl-3.0.15/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
--- openssl-3.0.14/test/recipes/30-test_evp_data/evppkey_rsa_common.txt 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/test/recipes/30-test_evp_data/evppkey_rsa_common.txt 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
#
-# Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -1344,6 +1344,7 @@
# Signing with SHA1 is not allowed in fips mode
Availablein = fips
+FIPSversion = <3.4.0
DigestSign = SHA1
Securitycheck = 1
Key = RSA-2048
diff -Nru openssl-3.0.14/test/recipes/70-test_npn.t openssl-3.0.15/test/recipes/70-test_npn.t
--- openssl-3.0.14/test/recipes/70-test_npn.t 1970-01-01 01:00:00.000000000 +0100
+++ openssl-3.0.15/test/recipes/70-test_npn.t 2024-09-03 15:30:13.000000000 +0200
@@ -0,0 +1,73 @@
+#! /usr/bin/env perl
+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
+use OpenSSL::Test::Utils;
+
+use TLSProxy::Proxy;
+
+my $test_name = "test_npn";
+setup($test_name);
+
+plan skip_all => "TLSProxy isn't usable on $^O"
+ if $^O =~ /^(VMS)$/;
+
+plan skip_all => "$test_name needs the dynamic engine feature enabled"
+ if disabled("engine") || disabled("dynamic-engine");
+
+plan skip_all => "$test_name needs the sock feature enabled"
+ if disabled("sock");
+
+plan skip_all => "$test_name needs NPN enabled"
+ if disabled("nextprotoneg");
+
+plan skip_all => "$test_name needs TLSv1.2 enabled"
+ if disabled("tls1_2");
+
+my $proxy = TLSProxy::Proxy->new(
+ undef,
+ cmdstr(app(["openssl"]), display => 1),
+ srctop_file("apps", "server.pem"),
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+);
+
+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
+plan tests => 1;
+
+my $npnseen = 0;
+
+# Test 1: Check sending an empty NextProto message from the client works. This is
+# valid as per the spec, but OpenSSL does not allow you to send it.
+# Therefore we must be prepared to receive such a message but we cannot
+# generate it except via TLSProxy
+$proxy->clear();
+$proxy->filter(\&npn_filter);
+$proxy->clientflags("-nextprotoneg foo -no_tls1_3");
+$proxy->serverflags("-nextprotoneg foo");
+$proxy->start();
+ok($npnseen && TLSProxy::Message->success(), "Empty NPN message");
+
+sub npn_filter
+{
+ my $proxy = shift;
+ my $message;
+
+ # The NextProto message always appears in flight 2
+ return if $proxy->flight != 2;
+
+ foreach my $message (@{$proxy->message_list}) {
+ if ($message->mt == TLSProxy::Message::MT_NEXT_PROTO) {
+ # Our TLSproxy NextProto message support doesn't support parsing of
+ # the message. If we repack it just creates an empty NextProto
+ # message - which is exactly the scenario we want to test here.
+ $message->repack();
+ $npnseen = 1;
+ }
+ }
+}
diff -Nru openssl-3.0.14/test/sslapitest.c openssl-3.0.15/test/sslapitest.c
--- openssl-3.0.14/test/sslapitest.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/test/sslapitest.c 2024-09-03 15:30:13.000000000 +0200
@@ -3938,7 +3938,7 @@
if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
goto end;
#else
- if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
+ if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
goto end;
#endif
} else if (idx == 2) {
@@ -5553,7 +5553,7 @@
if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072")))
goto end;
#else
- if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
+ if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
goto end;
#endif
@@ -10765,6 +10765,367 @@
return testresult;
}
+static struct next_proto_st {
+ int serverlen;
+ unsigned char server[40];
+ int clientlen;
+ unsigned char client[40];
+ int expected_ret;
+ size_t selectedlen;
+ unsigned char selected[40];
+} next_proto_tests[] = {
+ {
+ 4, { 3, 'a', 'b', 'c' },
+ 4, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NEGOTIATED,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
+ 4, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NEGOTIATED,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
+ 4, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NEGOTIATED,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 4, { 3, 'a', 'b', 'c' },
+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
+ OPENSSL_NPN_NEGOTIATED,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 4, { 3, 'a', 'b', 'c' },
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
+ OPENSSL_NPN_NEGOTIATED,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
+ OPENSSL_NPN_NEGOTIATED,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
+ OPENSSL_NPN_NEGOTIATED,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 4, { 3, 'b', 'c', 'd' },
+ 4, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NO_OVERLAP,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 0, { 0 },
+ 4, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NO_OVERLAP,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ -1, { 0 },
+ 4, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NO_OVERLAP,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 4, { 3, 'a', 'b', 'c' },
+ 0, { 0 },
+ OPENSSL_NPN_NO_OVERLAP,
+ 0, { 0 }
+ },
+ {
+ 4, { 3, 'a', 'b', 'c' },
+ -1, { 0 },
+ OPENSSL_NPN_NO_OVERLAP,
+ 0, { 0 }
+ },
+ {
+ 3, { 3, 'a', 'b', 'c' },
+ 4, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NO_OVERLAP,
+ 3, { 'a', 'b', 'c' }
+ },
+ {
+ 4, { 3, 'a', 'b', 'c' },
+ 3, { 3, 'a', 'b', 'c' },
+ OPENSSL_NPN_NO_OVERLAP,
+ 0, { 0 }
+ }
+};
+
+static int test_select_next_proto(int idx)
+{
+ struct next_proto_st *np = &next_proto_tests[idx];
+ int ret = 0;
+ unsigned char *out, *client, *server;
+ unsigned char outlen;
+ unsigned int clientlen, serverlen;
+
+ if (np->clientlen == -1) {
+ client = NULL;
+ clientlen = 0;
+ } else {
+ client = np->client;
+ clientlen = (unsigned int)np->clientlen;
+ }
+ if (np->serverlen == -1) {
+ server = NULL;
+ serverlen = 0;
+ } else {
+ server = np->server;
+ serverlen = (unsigned int)np->serverlen;
+ }
+
+ if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
+ client, clientlen),
+ np->expected_ret))
+ goto err;
+
+ if (np->selectedlen == 0) {
+ if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
+ goto err;
+ } else {
+ if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
+ goto err;
+ }
+
+ ret = 1;
+ err:
+ return ret;
+}
+
+static const unsigned char fooprot[] = {3, 'f', 'o', 'o' };
+static const unsigned char barprot[] = {3, 'b', 'a', 'r' };
+
+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
+static int npn_advert_cb(SSL *ssl, const unsigned char **out,
+ unsigned int *outlen, void *arg)
+{
+ int *idx = (int *)arg;
+
+ switch (*idx) {
+ default:
+ case 0:
+ *out = fooprot;
+ *outlen = sizeof(fooprot);
+ return SSL_TLSEXT_ERR_OK;
+
+ case 1:
+ *outlen = 0;
+ return SSL_TLSEXT_ERR_OK;
+
+ case 2:
+ return SSL_TLSEXT_ERR_NOACK;
+ }
+}
+
+static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
+ const unsigned char *in, unsigned int inlen, void *arg)
+{
+ int *idx = (int *)arg;
+
+ switch (*idx) {
+ case 0:
+ case 1:
+ *out = (unsigned char *)(fooprot + 1);
+ *outlen = *fooprot;
+ return SSL_TLSEXT_ERR_OK;
+
+ case 3:
+ *out = (unsigned char *)(barprot + 1);
+ *outlen = *barprot;
+ return SSL_TLSEXT_ERR_OK;
+
+ case 4:
+ *outlen = 0;
+ return SSL_TLSEXT_ERR_OK;
+
+ default:
+ case 2:
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+}
+
+/*
+ * Test the NPN callbacks
+ * Test 0: advert = foo, select = foo
+ * Test 1: advert = <empty>, select = foo
+ * Test 2: no advert
+ * Test 3: advert = foo, select = bar
+ * Test 4: advert = foo, select = <empty> (should fail)
+ */
+static int test_npn(int idx)
+{
+ SSL_CTX *sctx = NULL, *cctx = NULL;
+ SSL *serverssl = NULL, *clientssl = NULL;
+ int testresult = 0;
+
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), 0, TLS1_2_VERSION,
+ &sctx, &cctx, cert, privkey)))
+ goto end;
+
+ SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
+ SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
+ NULL)))
+ goto end;
+
+ if (idx == 4) {
+ /* We don't allow empty selection of NPN, so this should fail */
+ if (!TEST_false(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE)))
+ goto end;
+ } else {
+ const unsigned char *prot;
+ unsigned int protlen;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE)))
+ goto end;
+
+ SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
+ switch (idx) {
+ case 0:
+ case 1:
+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
+ goto end;
+ break;
+ case 2:
+ if (!TEST_uint_eq(protlen, 0))
+ goto end;
+ break;
+ case 3:
+ if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
+ goto end;
+ break;
+ default:
+ TEST_error("Should not get here");
+ goto end;
+ }
+ }
+
+ testresult = 1;
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+
+ return testresult;
+}
+#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
+
+static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
+ unsigned char *outlen, const unsigned char *in,
+ unsigned int inlen, void *arg)
+{
+ int *idx = (int *)arg;
+
+ switch (*idx) {
+ case 0:
+ *out = (unsigned char *)(fooprot + 1);
+ *outlen = *fooprot;
+ return SSL_TLSEXT_ERR_OK;
+
+ case 2:
+ *out = (unsigned char *)(barprot + 1);
+ *outlen = *barprot;
+ return SSL_TLSEXT_ERR_OK;
+
+ case 3:
+ *outlen = 0;
+ return SSL_TLSEXT_ERR_OK;
+
+ default:
+ case 1:
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+ return 0;
+}
+
+/*
+ * Test the ALPN callbacks
+ * Test 0: client = foo, select = foo
+ * Test 1: client = <empty>, select = none
+ * Test 2: client = foo, select = bar (should fail)
+ * Test 3: client = foo, select = <empty> (should fail)
+ */
+static int test_alpn(int idx)
+{
+ SSL_CTX *sctx = NULL, *cctx = NULL;
+ SSL *serverssl = NULL, *clientssl = NULL;
+ int testresult = 0;
+ const unsigned char *prots = fooprot;
+ unsigned int protslen = sizeof(fooprot);
+
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), 0, 0,
+ &sctx, &cctx, cert, privkey)))
+ goto end;
+
+ SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
+ NULL)))
+ goto end;
+
+ if (idx == 1) {
+ prots = NULL;
+ protslen = 0;
+ }
+
+ /* SSL_set_alpn_protos returns 0 for success! */
+ if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
+ goto end;
+
+ if (idx == 2 || idx == 3) {
+ /* We don't allow empty selection of NPN, so this should fail */
+ if (!TEST_false(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE)))
+ goto end;
+ } else {
+ const unsigned char *prot;
+ unsigned int protlen;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE)))
+ goto end;
+
+ SSL_get0_alpn_selected(clientssl, &prot, &protlen);
+ switch (idx) {
+ case 0:
+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
+ goto end;
+ break;
+ case 1:
+ if (!TEST_uint_eq(protlen, 0))
+ goto end;
+ break;
+ default:
+ TEST_error("Should not get here");
+ goto end;
+ }
+ }
+
+ testresult = 1;
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+
+ return testresult;
+}
+
OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
int setup_tests(void)
@@ -11041,6 +11402,11 @@
#endif
ADD_ALL_TESTS(test_handshake_retry, 16);
ADD_ALL_TESTS(test_multi_resume, 5);
+ ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
+ ADD_ALL_TESTS(test_npn, 5);
+#endif
+ ADD_ALL_TESTS(test_alpn, 4);
return 1;
err:
diff -Nru openssl-3.0.14/test/ssl-tests/08-npn.cnf openssl-3.0.15/test/ssl-tests/08-npn.cnf
--- openssl-3.0.14/test/ssl-tests/08-npn.cnf 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/test/ssl-tests/08-npn.cnf 2024-09-03 15:30:13.000000000 +0200
@@ -1,6 +1,6 @@
# Generated with generate_ssl_tests.pl
-num_tests = 20
+num_tests = 22
test-0 = 0-npn-simple
test-1 = 1-npn-client-finds-match
@@ -8,20 +8,22 @@
test-3 = 3-npn-client-first-pref-on-mismatch
test-4 = 4-npn-no-server-support
test-5 = 5-npn-no-client-support
-test-6 = 6-npn-with-sni-no-context-switch
-test-7 = 7-npn-with-sni-context-switch
-test-8 = 8-npn-selected-sni-server-supports-npn
-test-9 = 9-npn-selected-sni-server-does-not-support-npn
-test-10 = 10-alpn-preferred-over-npn
-test-11 = 11-sni-npn-preferred-over-alpn
-test-12 = 12-npn-simple-resumption
-test-13 = 13-npn-server-switch-resumption
-test-14 = 14-npn-client-switch-resumption
-test-15 = 15-npn-client-first-pref-on-mismatch-resumption
-test-16 = 16-npn-no-server-support-resumption
-test-17 = 17-npn-no-client-support-resumption
-test-18 = 18-alpn-preferred-over-npn-resumption
-test-19 = 19-npn-used-if-alpn-not-supported-resumption
+test-6 = 6-npn-empty-client-list
+test-7 = 7-npn-empty-server-list
+test-8 = 8-npn-with-sni-no-context-switch
+test-9 = 9-npn-with-sni-context-switch
+test-10 = 10-npn-selected-sni-server-supports-npn
+test-11 = 11-npn-selected-sni-server-does-not-support-npn
+test-12 = 12-alpn-preferred-over-npn
+test-13 = 13-sni-npn-preferred-over-alpn
+test-14 = 14-npn-simple-resumption
+test-15 = 15-npn-server-switch-resumption
+test-16 = 16-npn-client-switch-resumption
+test-17 = 17-npn-client-first-pref-on-mismatch-resumption
+test-18 = 18-npn-no-server-support-resumption
+test-19 = 19-npn-no-client-support-resumption
+test-20 = 20-alpn-preferred-over-npn-resumption
+test-21 = 21-npn-used-if-alpn-not-supported-resumption
# ===========================================================
[0-npn-simple]
@@ -206,253 +208,318 @@
# ===========================================================
-[6-npn-with-sni-no-context-switch]
-ssl_conf = 6-npn-with-sni-no-context-switch-ssl
+[6-npn-empty-client-list]
+ssl_conf = 6-npn-empty-client-list-ssl
-[6-npn-with-sni-no-context-switch-ssl]
-server = 6-npn-with-sni-no-context-switch-server
-client = 6-npn-with-sni-no-context-switch-client
-server2 = 6-npn-with-sni-no-context-switch-server2
+[6-npn-empty-client-list-ssl]
+server = 6-npn-empty-client-list-server
+client = 6-npn-empty-client-list-client
-[6-npn-with-sni-no-context-switch-server]
+[6-npn-empty-client-list-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[6-npn-with-sni-no-context-switch-server2]
+[6-npn-empty-client-list-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-6]
+ExpectedClientAlert = HandshakeFailure
+ExpectedResult = ClientFail
+server = 6-npn-empty-client-list-server-extra
+client = 6-npn-empty-client-list-client-extra
+
+[6-npn-empty-client-list-server-extra]
+NPNProtocols = foo
+
+[6-npn-empty-client-list-client-extra]
+NPNProtocols =
+
+
+# ===========================================================
+
+[7-npn-empty-server-list]
+ssl_conf = 7-npn-empty-server-list-ssl
+
+[7-npn-empty-server-list-ssl]
+server = 7-npn-empty-server-list-server
+client = 7-npn-empty-server-list-client
+
+[7-npn-empty-server-list-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[6-npn-with-sni-no-context-switch-client]
+[7-npn-empty-server-list-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-6]
+[test-7]
+ExpectedNPNProtocol = foo
+server = 7-npn-empty-server-list-server-extra
+client = 7-npn-empty-server-list-client-extra
+
+[7-npn-empty-server-list-server-extra]
+NPNProtocols =
+
+[7-npn-empty-server-list-client-extra]
+NPNProtocols = foo
+
+
+# ===========================================================
+
+[8-npn-with-sni-no-context-switch]
+ssl_conf = 8-npn-with-sni-no-context-switch-ssl
+
+[8-npn-with-sni-no-context-switch-ssl]
+server = 8-npn-with-sni-no-context-switch-server
+client = 8-npn-with-sni-no-context-switch-client
+server2 = 8-npn-with-sni-no-context-switch-server2
+
+[8-npn-with-sni-no-context-switch-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[8-npn-with-sni-no-context-switch-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[8-npn-with-sni-no-context-switch-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-8]
ExpectedNPNProtocol = foo
ExpectedServerName = server1
-server = 6-npn-with-sni-no-context-switch-server-extra
-server2 = 6-npn-with-sni-no-context-switch-server2-extra
-client = 6-npn-with-sni-no-context-switch-client-extra
+server = 8-npn-with-sni-no-context-switch-server-extra
+server2 = 8-npn-with-sni-no-context-switch-server2-extra
+client = 8-npn-with-sni-no-context-switch-client-extra
-[6-npn-with-sni-no-context-switch-server-extra]
+[8-npn-with-sni-no-context-switch-server-extra]
NPNProtocols = foo
ServerNameCallback = IgnoreMismatch
-[6-npn-with-sni-no-context-switch-server2-extra]
+[8-npn-with-sni-no-context-switch-server2-extra]
NPNProtocols = bar
-[6-npn-with-sni-no-context-switch-client-extra]
+[8-npn-with-sni-no-context-switch-client-extra]
NPNProtocols = foo,bar
ServerName = server1
# ===========================================================
-[7-npn-with-sni-context-switch]
-ssl_conf = 7-npn-with-sni-context-switch-ssl
+[9-npn-with-sni-context-switch]
+ssl_conf = 9-npn-with-sni-context-switch-ssl
-[7-npn-with-sni-context-switch-ssl]
-server = 7-npn-with-sni-context-switch-server
-client = 7-npn-with-sni-context-switch-client
-server2 = 7-npn-with-sni-context-switch-server2
+[9-npn-with-sni-context-switch-ssl]
+server = 9-npn-with-sni-context-switch-server
+client = 9-npn-with-sni-context-switch-client
+server2 = 9-npn-with-sni-context-switch-server2
-[7-npn-with-sni-context-switch-server]
+[9-npn-with-sni-context-switch-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[7-npn-with-sni-context-switch-server2]
+[9-npn-with-sni-context-switch-server2]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[7-npn-with-sni-context-switch-client]
+[9-npn-with-sni-context-switch-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-7]
+[test-9]
ExpectedNPNProtocol = bar
ExpectedServerName = server2
-server = 7-npn-with-sni-context-switch-server-extra
-server2 = 7-npn-with-sni-context-switch-server2-extra
-client = 7-npn-with-sni-context-switch-client-extra
+server = 9-npn-with-sni-context-switch-server-extra
+server2 = 9-npn-with-sni-context-switch-server2-extra
+client = 9-npn-with-sni-context-switch-client-extra
-[7-npn-with-sni-context-switch-server-extra]
+[9-npn-with-sni-context-switch-server-extra]
NPNProtocols = foo
ServerNameCallback = IgnoreMismatch
-[7-npn-with-sni-context-switch-server2-extra]
+[9-npn-with-sni-context-switch-server2-extra]
NPNProtocols = bar
-[7-npn-with-sni-context-switch-client-extra]
+[9-npn-with-sni-context-switch-client-extra]
NPNProtocols = foo,bar
ServerName = server2
# ===========================================================
-[8-npn-selected-sni-server-supports-npn]
-ssl_conf = 8-npn-selected-sni-server-supports-npn-ssl
+[10-npn-selected-sni-server-supports-npn]
+ssl_conf = 10-npn-selected-sni-server-supports-npn-ssl
-[8-npn-selected-sni-server-supports-npn-ssl]
-server = 8-npn-selected-sni-server-supports-npn-server
-client = 8-npn-selected-sni-server-supports-npn-client
-server2 = 8-npn-selected-sni-server-supports-npn-server2
+[10-npn-selected-sni-server-supports-npn-ssl]
+server = 10-npn-selected-sni-server-supports-npn-server
+client = 10-npn-selected-sni-server-supports-npn-client
+server2 = 10-npn-selected-sni-server-supports-npn-server2
-[8-npn-selected-sni-server-supports-npn-server]
+[10-npn-selected-sni-server-supports-npn-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[8-npn-selected-sni-server-supports-npn-server2]
+[10-npn-selected-sni-server-supports-npn-server2]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[8-npn-selected-sni-server-supports-npn-client]
+[10-npn-selected-sni-server-supports-npn-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-8]
+[test-10]
ExpectedNPNProtocol = bar
ExpectedServerName = server2
-server = 8-npn-selected-sni-server-supports-npn-server-extra
-server2 = 8-npn-selected-sni-server-supports-npn-server2-extra
-client = 8-npn-selected-sni-server-supports-npn-client-extra
+server = 10-npn-selected-sni-server-supports-npn-server-extra
+server2 = 10-npn-selected-sni-server-supports-npn-server2-extra
+client = 10-npn-selected-sni-server-supports-npn-client-extra
-[8-npn-selected-sni-server-supports-npn-server-extra]
+[10-npn-selected-sni-server-supports-npn-server-extra]
ServerNameCallback = IgnoreMismatch
-[8-npn-selected-sni-server-supports-npn-server2-extra]
+[10-npn-selected-sni-server-supports-npn-server2-extra]
NPNProtocols = bar
-[8-npn-selected-sni-server-supports-npn-client-extra]
+[10-npn-selected-sni-server-supports-npn-client-extra]
NPNProtocols = foo,bar
ServerName = server2
# ===========================================================
-[9-npn-selected-sni-server-does-not-support-npn]
-ssl_conf = 9-npn-selected-sni-server-does-not-support-npn-ssl
+[11-npn-selected-sni-server-does-not-support-npn]
+ssl_conf = 11-npn-selected-sni-server-does-not-support-npn-ssl
-[9-npn-selected-sni-server-does-not-support-npn-ssl]
-server = 9-npn-selected-sni-server-does-not-support-npn-server
-client = 9-npn-selected-sni-server-does-not-support-npn-client
-server2 = 9-npn-selected-sni-server-does-not-support-npn-server2
+[11-npn-selected-sni-server-does-not-support-npn-ssl]
+server = 11-npn-selected-sni-server-does-not-support-npn-server
+client = 11-npn-selected-sni-server-does-not-support-npn-client
+server2 = 11-npn-selected-sni-server-does-not-support-npn-server2
-[9-npn-selected-sni-server-does-not-support-npn-server]
+[11-npn-selected-sni-server-does-not-support-npn-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[9-npn-selected-sni-server-does-not-support-npn-server2]
+[11-npn-selected-sni-server-does-not-support-npn-server2]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[9-npn-selected-sni-server-does-not-support-npn-client]
+[11-npn-selected-sni-server-does-not-support-npn-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-9]
+[test-11]
ExpectedServerName = server2
-server = 9-npn-selected-sni-server-does-not-support-npn-server-extra
-client = 9-npn-selected-sni-server-does-not-support-npn-client-extra
+server = 11-npn-selected-sni-server-does-not-support-npn-server-extra
+client = 11-npn-selected-sni-server-does-not-support-npn-client-extra
-[9-npn-selected-sni-server-does-not-support-npn-server-extra]
+[11-npn-selected-sni-server-does-not-support-npn-server-extra]
NPNProtocols = bar
ServerNameCallback = IgnoreMismatch
-[9-npn-selected-sni-server-does-not-support-npn-client-extra]
+[11-npn-selected-sni-server-does-not-support-npn-client-extra]
NPNProtocols = foo,bar
ServerName = server2
# ===========================================================
-[10-alpn-preferred-over-npn]
-ssl_conf = 10-alpn-preferred-over-npn-ssl
+[12-alpn-preferred-over-npn]
+ssl_conf = 12-alpn-preferred-over-npn-ssl
-[10-alpn-preferred-over-npn-ssl]
-server = 10-alpn-preferred-over-npn-server
-client = 10-alpn-preferred-over-npn-client
+[12-alpn-preferred-over-npn-ssl]
+server = 12-alpn-preferred-over-npn-server
+client = 12-alpn-preferred-over-npn-client
-[10-alpn-preferred-over-npn-server]
+[12-alpn-preferred-over-npn-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[10-alpn-preferred-over-npn-client]
+[12-alpn-preferred-over-npn-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-10]
+[test-12]
ExpectedALPNProtocol = foo
-server = 10-alpn-preferred-over-npn-server-extra
-client = 10-alpn-preferred-over-npn-client-extra
+server = 12-alpn-preferred-over-npn-server-extra
+client = 12-alpn-preferred-over-npn-client-extra
-[10-alpn-preferred-over-npn-server-extra]
+[12-alpn-preferred-over-npn-server-extra]
ALPNProtocols = foo
NPNProtocols = bar
-[10-alpn-preferred-over-npn-client-extra]
+[12-alpn-preferred-over-npn-client-extra]
ALPNProtocols = foo
NPNProtocols = bar
# ===========================================================
-[11-sni-npn-preferred-over-alpn]
-ssl_conf = 11-sni-npn-preferred-over-alpn-ssl
+[13-sni-npn-preferred-over-alpn]
+ssl_conf = 13-sni-npn-preferred-over-alpn-ssl
-[11-sni-npn-preferred-over-alpn-ssl]
-server = 11-sni-npn-preferred-over-alpn-server
-client = 11-sni-npn-preferred-over-alpn-client
-server2 = 11-sni-npn-preferred-over-alpn-server2
+[13-sni-npn-preferred-over-alpn-ssl]
+server = 13-sni-npn-preferred-over-alpn-server
+client = 13-sni-npn-preferred-over-alpn-client
+server2 = 13-sni-npn-preferred-over-alpn-server2
-[11-sni-npn-preferred-over-alpn-server]
+[13-sni-npn-preferred-over-alpn-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[11-sni-npn-preferred-over-alpn-server2]
+[13-sni-npn-preferred-over-alpn-server2]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[11-sni-npn-preferred-over-alpn-client]
+[13-sni-npn-preferred-over-alpn-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-11]
+[test-13]
ExpectedNPNProtocol = bar
ExpectedServerName = server2
-server = 11-sni-npn-preferred-over-alpn-server-extra
-server2 = 11-sni-npn-preferred-over-alpn-server2-extra
-client = 11-sni-npn-preferred-over-alpn-client-extra
+server = 13-sni-npn-preferred-over-alpn-server-extra
+server2 = 13-sni-npn-preferred-over-alpn-server2-extra
+client = 13-sni-npn-preferred-over-alpn-client-extra
-[11-sni-npn-preferred-over-alpn-server-extra]
+[13-sni-npn-preferred-over-alpn-server-extra]
ALPNProtocols = foo
ServerNameCallback = IgnoreMismatch
-[11-sni-npn-preferred-over-alpn-server2-extra]
+[13-sni-npn-preferred-over-alpn-server2-extra]
NPNProtocols = bar
-[11-sni-npn-preferred-over-alpn-client-extra]
+[13-sni-npn-preferred-over-alpn-client-extra]
ALPNProtocols = foo
NPNProtocols = bar
ServerName = server2
@@ -460,356 +527,356 @@
# ===========================================================
-[12-npn-simple-resumption]
-ssl_conf = 12-npn-simple-resumption-ssl
+[14-npn-simple-resumption]
+ssl_conf = 14-npn-simple-resumption-ssl
-[12-npn-simple-resumption-ssl]
-server = 12-npn-simple-resumption-server
-client = 12-npn-simple-resumption-client
-resume-server = 12-npn-simple-resumption-server
-resume-client = 12-npn-simple-resumption-client
+[14-npn-simple-resumption-ssl]
+server = 14-npn-simple-resumption-server
+client = 14-npn-simple-resumption-client
+resume-server = 14-npn-simple-resumption-server
+resume-client = 14-npn-simple-resumption-client
-[12-npn-simple-resumption-server]
+[14-npn-simple-resumption-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[12-npn-simple-resumption-client]
+[14-npn-simple-resumption-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-12]
+[test-14]
ExpectedNPNProtocol = foo
HandshakeMode = Resume
ResumptionExpected = Yes
-server = 12-npn-simple-resumption-server-extra
-resume-server = 12-npn-simple-resumption-server-extra
-client = 12-npn-simple-resumption-client-extra
-resume-client = 12-npn-simple-resumption-client-extra
+server = 14-npn-simple-resumption-server-extra
+resume-server = 14-npn-simple-resumption-server-extra
+client = 14-npn-simple-resumption-client-extra
+resume-client = 14-npn-simple-resumption-client-extra
-[12-npn-simple-resumption-server-extra]
+[14-npn-simple-resumption-server-extra]
NPNProtocols = foo
-[12-npn-simple-resumption-client-extra]
+[14-npn-simple-resumption-client-extra]
NPNProtocols = foo
# ===========================================================
-[13-npn-server-switch-resumption]
-ssl_conf = 13-npn-server-switch-resumption-ssl
+[15-npn-server-switch-resumption]
+ssl_conf = 15-npn-server-switch-resumption-ssl
-[13-npn-server-switch-resumption-ssl]
-server = 13-npn-server-switch-resumption-server
-client = 13-npn-server-switch-resumption-client
-resume-server = 13-npn-server-switch-resumption-resume-server
-resume-client = 13-npn-server-switch-resumption-client
+[15-npn-server-switch-resumption-ssl]
+server = 15-npn-server-switch-resumption-server
+client = 15-npn-server-switch-resumption-client
+resume-server = 15-npn-server-switch-resumption-resume-server
+resume-client = 15-npn-server-switch-resumption-client
-[13-npn-server-switch-resumption-server]
+[15-npn-server-switch-resumption-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[13-npn-server-switch-resumption-resume-server]
+[15-npn-server-switch-resumption-resume-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[13-npn-server-switch-resumption-client]
+[15-npn-server-switch-resumption-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-13]
+[test-15]
ExpectedNPNProtocol = baz
HandshakeMode = Resume
ResumptionExpected = Yes
-server = 13-npn-server-switch-resumption-server-extra
-resume-server = 13-npn-server-switch-resumption-resume-server-extra
-client = 13-npn-server-switch-resumption-client-extra
-resume-client = 13-npn-server-switch-resumption-client-extra
+server = 15-npn-server-switch-resumption-server-extra
+resume-server = 15-npn-server-switch-resumption-resume-server-extra
+client = 15-npn-server-switch-resumption-client-extra
+resume-client = 15-npn-server-switch-resumption-client-extra
-[13-npn-server-switch-resumption-server-extra]
+[15-npn-server-switch-resumption-server-extra]
NPNProtocols = bar,foo
-[13-npn-server-switch-resumption-resume-server-extra]
+[15-npn-server-switch-resumption-resume-server-extra]
NPNProtocols = baz,foo
-[13-npn-server-switch-resumption-client-extra]
+[15-npn-server-switch-resumption-client-extra]
NPNProtocols = foo,bar,baz
# ===========================================================
-[14-npn-client-switch-resumption]
-ssl_conf = 14-npn-client-switch-resumption-ssl
+[16-npn-client-switch-resumption]
+ssl_conf = 16-npn-client-switch-resumption-ssl
-[14-npn-client-switch-resumption-ssl]
-server = 14-npn-client-switch-resumption-server
-client = 14-npn-client-switch-resumption-client
-resume-server = 14-npn-client-switch-resumption-server
-resume-client = 14-npn-client-switch-resumption-resume-client
+[16-npn-client-switch-resumption-ssl]
+server = 16-npn-client-switch-resumption-server
+client = 16-npn-client-switch-resumption-client
+resume-server = 16-npn-client-switch-resumption-server
+resume-client = 16-npn-client-switch-resumption-resume-client
-[14-npn-client-switch-resumption-server]
+[16-npn-client-switch-resumption-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[14-npn-client-switch-resumption-client]
+[16-npn-client-switch-resumption-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[14-npn-client-switch-resumption-resume-client]
+[16-npn-client-switch-resumption-resume-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-14]
+[test-16]
ExpectedNPNProtocol = bar
HandshakeMode = Resume
ResumptionExpected = Yes
-server = 14-npn-client-switch-resumption-server-extra
-resume-server = 14-npn-client-switch-resumption-server-extra
-client = 14-npn-client-switch-resumption-client-extra
-resume-client = 14-npn-client-switch-resumption-resume-client-extra
+server = 16-npn-client-switch-resumption-server-extra
+resume-server = 16-npn-client-switch-resumption-server-extra
+client = 16-npn-client-switch-resumption-client-extra
+resume-client = 16-npn-client-switch-resumption-resume-client-extra
-[14-npn-client-switch-resumption-server-extra]
+[16-npn-client-switch-resumption-server-extra]
NPNProtocols = foo,bar,baz
-[14-npn-client-switch-resumption-client-extra]
+[16-npn-client-switch-resumption-client-extra]
NPNProtocols = foo,baz
-[14-npn-client-switch-resumption-resume-client-extra]
+[16-npn-client-switch-resumption-resume-client-extra]
NPNProtocols = bar,baz
# ===========================================================
-[15-npn-client-first-pref-on-mismatch-resumption]
-ssl_conf = 15-npn-client-first-pref-on-mismatch-resumption-ssl
+[17-npn-client-first-pref-on-mismatch-resumption]
+ssl_conf = 17-npn-client-first-pref-on-mismatch-resumption-ssl
-[15-npn-client-first-pref-on-mismatch-resumption-ssl]
-server = 15-npn-client-first-pref-on-mismatch-resumption-server
-client = 15-npn-client-first-pref-on-mismatch-resumption-client
-resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server
-resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client
+[17-npn-client-first-pref-on-mismatch-resumption-ssl]
+server = 17-npn-client-first-pref-on-mismatch-resumption-server
+client = 17-npn-client-first-pref-on-mismatch-resumption-client
+resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server
+resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client
-[15-npn-client-first-pref-on-mismatch-resumption-server]
+[17-npn-client-first-pref-on-mismatch-resumption-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[15-npn-client-first-pref-on-mismatch-resumption-resume-server]
+[17-npn-client-first-pref-on-mismatch-resumption-resume-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[15-npn-client-first-pref-on-mismatch-resumption-client]
+[17-npn-client-first-pref-on-mismatch-resumption-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-15]
+[test-17]
ExpectedNPNProtocol = foo
HandshakeMode = Resume
ResumptionExpected = Yes
-server = 15-npn-client-first-pref-on-mismatch-resumption-server-extra
-resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra
-client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra
-resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra
+server = 17-npn-client-first-pref-on-mismatch-resumption-server-extra
+resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra
+client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra
+resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra
-[15-npn-client-first-pref-on-mismatch-resumption-server-extra]
+[17-npn-client-first-pref-on-mismatch-resumption-server-extra]
NPNProtocols = bar
-[15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra]
+[17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra]
NPNProtocols = baz
-[15-npn-client-first-pref-on-mismatch-resumption-client-extra]
+[17-npn-client-first-pref-on-mismatch-resumption-client-extra]
NPNProtocols = foo,bar
# ===========================================================
-[16-npn-no-server-support-resumption]
-ssl_conf = 16-npn-no-server-support-resumption-ssl
+[18-npn-no-server-support-resumption]
+ssl_conf = 18-npn-no-server-support-resumption-ssl
-[16-npn-no-server-support-resumption-ssl]
-server = 16-npn-no-server-support-resumption-server
-client = 16-npn-no-server-support-resumption-client
-resume-server = 16-npn-no-server-support-resumption-resume-server
-resume-client = 16-npn-no-server-support-resumption-client
+[18-npn-no-server-support-resumption-ssl]
+server = 18-npn-no-server-support-resumption-server
+client = 18-npn-no-server-support-resumption-client
+resume-server = 18-npn-no-server-support-resumption-resume-server
+resume-client = 18-npn-no-server-support-resumption-client
-[16-npn-no-server-support-resumption-server]
+[18-npn-no-server-support-resumption-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[16-npn-no-server-support-resumption-resume-server]
+[18-npn-no-server-support-resumption-resume-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[16-npn-no-server-support-resumption-client]
+[18-npn-no-server-support-resumption-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-16]
+[test-18]
HandshakeMode = Resume
ResumptionExpected = Yes
-server = 16-npn-no-server-support-resumption-server-extra
-client = 16-npn-no-server-support-resumption-client-extra
-resume-client = 16-npn-no-server-support-resumption-client-extra
+server = 18-npn-no-server-support-resumption-server-extra
+client = 18-npn-no-server-support-resumption-client-extra
+resume-client = 18-npn-no-server-support-resumption-client-extra
-[16-npn-no-server-support-resumption-server-extra]
+[18-npn-no-server-support-resumption-server-extra]
NPNProtocols = foo
-[16-npn-no-server-support-resumption-client-extra]
+[18-npn-no-server-support-resumption-client-extra]
NPNProtocols = foo
# ===========================================================
-[17-npn-no-client-support-resumption]
-ssl_conf = 17-npn-no-client-support-resumption-ssl
+[19-npn-no-client-support-resumption]
+ssl_conf = 19-npn-no-client-support-resumption-ssl
-[17-npn-no-client-support-resumption-ssl]
-server = 17-npn-no-client-support-resumption-server
-client = 17-npn-no-client-support-resumption-client
-resume-server = 17-npn-no-client-support-resumption-server
-resume-client = 17-npn-no-client-support-resumption-resume-client
+[19-npn-no-client-support-resumption-ssl]
+server = 19-npn-no-client-support-resumption-server
+client = 19-npn-no-client-support-resumption-client
+resume-server = 19-npn-no-client-support-resumption-server
+resume-client = 19-npn-no-client-support-resumption-resume-client
-[17-npn-no-client-support-resumption-server]
+[19-npn-no-client-support-resumption-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[17-npn-no-client-support-resumption-client]
+[19-npn-no-client-support-resumption-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[17-npn-no-client-support-resumption-resume-client]
+[19-npn-no-client-support-resumption-resume-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-17]
+[test-19]
HandshakeMode = Resume
ResumptionExpected = Yes
-server = 17-npn-no-client-support-resumption-server-extra
-resume-server = 17-npn-no-client-support-resumption-server-extra
-client = 17-npn-no-client-support-resumption-client-extra
+server = 19-npn-no-client-support-resumption-server-extra
+resume-server = 19-npn-no-client-support-resumption-server-extra
+client = 19-npn-no-client-support-resumption-client-extra
-[17-npn-no-client-support-resumption-server-extra]
+[19-npn-no-client-support-resumption-server-extra]
NPNProtocols = foo
-[17-npn-no-client-support-resumption-client-extra]
+[19-npn-no-client-support-resumption-client-extra]
NPNProtocols = foo
# ===========================================================
-[18-alpn-preferred-over-npn-resumption]
-ssl_conf = 18-alpn-preferred-over-npn-resumption-ssl
+[20-alpn-preferred-over-npn-resumption]
+ssl_conf = 20-alpn-preferred-over-npn-resumption-ssl
-[18-alpn-preferred-over-npn-resumption-ssl]
-server = 18-alpn-preferred-over-npn-resumption-server
-client = 18-alpn-preferred-over-npn-resumption-client
-resume-server = 18-alpn-preferred-over-npn-resumption-resume-server
-resume-client = 18-alpn-preferred-over-npn-resumption-client
+[20-alpn-preferred-over-npn-resumption-ssl]
+server = 20-alpn-preferred-over-npn-resumption-server
+client = 20-alpn-preferred-over-npn-resumption-client
+resume-server = 20-alpn-preferred-over-npn-resumption-resume-server
+resume-client = 20-alpn-preferred-over-npn-resumption-client
-[18-alpn-preferred-over-npn-resumption-server]
+[20-alpn-preferred-over-npn-resumption-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[18-alpn-preferred-over-npn-resumption-resume-server]
+[20-alpn-preferred-over-npn-resumption-resume-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[18-alpn-preferred-over-npn-resumption-client]
+[20-alpn-preferred-over-npn-resumption-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-18]
+[test-20]
ExpectedALPNProtocol = foo
HandshakeMode = Resume
ResumptionExpected = Yes
-server = 18-alpn-preferred-over-npn-resumption-server-extra
-resume-server = 18-alpn-preferred-over-npn-resumption-resume-server-extra
-client = 18-alpn-preferred-over-npn-resumption-client-extra
-resume-client = 18-alpn-preferred-over-npn-resumption-client-extra
+server = 20-alpn-preferred-over-npn-resumption-server-extra
+resume-server = 20-alpn-preferred-over-npn-resumption-resume-server-extra
+client = 20-alpn-preferred-over-npn-resumption-client-extra
+resume-client = 20-alpn-preferred-over-npn-resumption-client-extra
-[18-alpn-preferred-over-npn-resumption-server-extra]
+[20-alpn-preferred-over-npn-resumption-server-extra]
NPNProtocols = bar
-[18-alpn-preferred-over-npn-resumption-resume-server-extra]
+[20-alpn-preferred-over-npn-resumption-resume-server-extra]
ALPNProtocols = foo
NPNProtocols = baz
-[18-alpn-preferred-over-npn-resumption-client-extra]
+[20-alpn-preferred-over-npn-resumption-client-extra]
ALPNProtocols = foo
NPNProtocols = bar,baz
# ===========================================================
-[19-npn-used-if-alpn-not-supported-resumption]
-ssl_conf = 19-npn-used-if-alpn-not-supported-resumption-ssl
+[21-npn-used-if-alpn-not-supported-resumption]
+ssl_conf = 21-npn-used-if-alpn-not-supported-resumption-ssl
-[19-npn-used-if-alpn-not-supported-resumption-ssl]
-server = 19-npn-used-if-alpn-not-supported-resumption-server
-client = 19-npn-used-if-alpn-not-supported-resumption-client
-resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server
-resume-client = 19-npn-used-if-alpn-not-supported-resumption-client
+[21-npn-used-if-alpn-not-supported-resumption-ssl]
+server = 21-npn-used-if-alpn-not-supported-resumption-server
+client = 21-npn-used-if-alpn-not-supported-resumption-client
+resume-server = 21-npn-used-if-alpn-not-supported-resumption-resume-server
+resume-client = 21-npn-used-if-alpn-not-supported-resumption-client
-[19-npn-used-if-alpn-not-supported-resumption-server]
+[21-npn-used-if-alpn-not-supported-resumption-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[19-npn-used-if-alpn-not-supported-resumption-resume-server]
+[21-npn-used-if-alpn-not-supported-resumption-resume-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[19-npn-used-if-alpn-not-supported-resumption-client]
+[21-npn-used-if-alpn-not-supported-resumption-client]
CipherString = DEFAULT
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-19]
+[test-21]
ExpectedNPNProtocol = baz
HandshakeMode = Resume
ResumptionExpected = Yes
-server = 19-npn-used-if-alpn-not-supported-resumption-server-extra
-resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server-extra
-client = 19-npn-used-if-alpn-not-supported-resumption-client-extra
-resume-client = 19-npn-used-if-alpn-not-supported-resumption-client-extra
+server = 21-npn-used-if-alpn-not-supported-resumption-server-extra
+resume-server = 21-npn-used-if-alpn-not-supported-resumption-resume-server-extra
+client = 21-npn-used-if-alpn-not-supported-resumption-client-extra
+resume-client = 21-npn-used-if-alpn-not-supported-resumption-client-extra
-[19-npn-used-if-alpn-not-supported-resumption-server-extra]
+[21-npn-used-if-alpn-not-supported-resumption-server-extra]
ALPNProtocols = foo
NPNProtocols = bar
-[19-npn-used-if-alpn-not-supported-resumption-resume-server-extra]
+[21-npn-used-if-alpn-not-supported-resumption-resume-server-extra]
NPNProtocols = baz
-[19-npn-used-if-alpn-not-supported-resumption-client-extra]
+[21-npn-used-if-alpn-not-supported-resumption-client-extra]
ALPNProtocols = foo
NPNProtocols = bar,baz
diff -Nru openssl-3.0.14/test/ssl-tests/08-npn.cnf.in openssl-3.0.15/test/ssl-tests/08-npn.cnf.in
--- openssl-3.0.14/test/ssl-tests/08-npn.cnf.in 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/test/ssl-tests/08-npn.cnf.in 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
# -*- mode: perl; -*-
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -111,6 +111,41 @@
},
},
{
+ name => "npn-empty-client-list",
+ server => {
+ extra => {
+ "NPNProtocols" => "foo",
+ },
+ },
+ client => {
+ extra => {
+ "NPNProtocols" => "",
+ },
+ "MaxProtocol" => "TLSv1.2"
+ },
+ test => {
+ "ExpectedResult" => "ClientFail",
+ "ExpectedClientAlert" => "HandshakeFailure"
+ },
+ },
+ {
+ name => "npn-empty-server-list",
+ server => {
+ extra => {
+ "NPNProtocols" => "",
+ },
+ },
+ client => {
+ extra => {
+ "NPNProtocols" => "foo",
+ },
+ "MaxProtocol" => "TLSv1.2"
+ },
+ test => {
+ "ExpectedNPNProtocol" => "foo"
+ },
+ },
+ {
name => "npn-with-sni-no-context-switch",
server => {
extra => {
diff -Nru openssl-3.0.14/test/ssl-tests/09-alpn.cnf openssl-3.0.15/test/ssl-tests/09-alpn.cnf
--- openssl-3.0.14/test/ssl-tests/09-alpn.cnf 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/test/ssl-tests/09-alpn.cnf 2024-09-03 15:30:13.000000000 +0200
@@ -1,6 +1,6 @@
# Generated with generate_ssl_tests.pl
-num_tests = 16
+num_tests = 18
test-0 = 0-alpn-simple
test-1 = 1-alpn-server-finds-match
@@ -18,6 +18,8 @@
test-13 = 13-alpn-alert-on-mismatch-resumption
test-14 = 14-alpn-no-server-support-resumption
test-15 = 15-alpn-no-client-support-resumption
+test-16 = 16-alpn-empty-client-list
+test-17 = 17-alpn-empty-server-list
# ===========================================================
[0-alpn-simple]
@@ -617,3 +619,65 @@
ALPNProtocols = foo
+# ===========================================================
+
+[16-alpn-empty-client-list]
+ssl_conf = 16-alpn-empty-client-list-ssl
+
+[16-alpn-empty-client-list-ssl]
+server = 16-alpn-empty-client-list-server
+client = 16-alpn-empty-client-list-client
+
+[16-alpn-empty-client-list-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[16-alpn-empty-client-list-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-16]
+server = 16-alpn-empty-client-list-server-extra
+client = 16-alpn-empty-client-list-client-extra
+
+[16-alpn-empty-client-list-server-extra]
+ALPNProtocols = foo
+
+[16-alpn-empty-client-list-client-extra]
+ALPNProtocols =
+
+
+# ===========================================================
+
+[17-alpn-empty-server-list]
+ssl_conf = 17-alpn-empty-server-list-ssl
+
+[17-alpn-empty-server-list-ssl]
+server = 17-alpn-empty-server-list-server
+client = 17-alpn-empty-server-list-client
+
+[17-alpn-empty-server-list-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[17-alpn-empty-server-list-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-17]
+ExpectedResult = ServerFail
+ExpectedServerAlert = NoApplicationProtocol
+server = 17-alpn-empty-server-list-server-extra
+client = 17-alpn-empty-server-list-client-extra
+
+[17-alpn-empty-server-list-server-extra]
+ALPNProtocols =
+
+[17-alpn-empty-server-list-client-extra]
+ALPNProtocols = foo
+
+
diff -Nru openssl-3.0.14/test/ssl-tests/09-alpn.cnf.in openssl-3.0.15/test/ssl-tests/09-alpn.cnf.in
--- openssl-3.0.14/test/ssl-tests/09-alpn.cnf.in 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/test/ssl-tests/09-alpn.cnf.in 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
# -*- mode: perl; -*-
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -322,4 +322,37 @@
"ExpectedALPNProtocol" => undef,
},
},
+ {
+ name => "alpn-empty-client-list",
+ server => {
+ extra => {
+ "ALPNProtocols" => "foo",
+ },
+ },
+ client => {
+ extra => {
+ "ALPNProtocols" => "",
+ },
+ },
+ test => {
+ "ExpectedALPNProtocol" => undef,
+ },
+ },
+ {
+ name => "alpn-empty-server-list",
+ server => {
+ extra => {
+ "ALPNProtocols" => "",
+ },
+ },
+ client => {
+ extra => {
+ "ALPNProtocols" => "foo",
+ },
+ },
+ test => {
+ "ExpectedResult" => "ServerFail",
+ "ExpectedServerAlert" => "NoApplicationProtocol",
+ },
+ },
);
diff -Nru openssl-3.0.14/util/check-format-commit.sh openssl-3.0.15/util/check-format-commit.sh
--- openssl-3.0.14/util/check-format-commit.sh 1970-01-01 01:00:00.000000000 +0100
+++ openssl-3.0.15/util/check-format-commit.sh 2024-09-03 15:30:13.000000000 +0200
@@ -0,0 +1,171 @@
+#!/bin/bash
+# Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License").
+# You may not use this file except in compliance with the License.
+# You can obtain a copy in the file LICENSE in the source distribution
+# or at https://www.openssl.org/source/license.html
+#
+# This script is a wrapper around check-format.pl. It accepts a commit sha
+# value as input, and uses it to identify the files and ranges that were
+# changed in that commit, filtering check-format.pl output only to lines that
+# fall into the commits change ranges.
+#
+
+
+# List of Regexes to use when running check-format.pl.
+# Style checks don't apply to any of these
+EXCLUDED_FILE_REGEX=("\.pod" \
+ "\.pl" \
+ "\.pm" \
+ "\.t" \
+ "\.yml" \
+ "\.sh")
+
+# Exit code for the script
+EXIT_CODE=0
+
+# Global vars
+
+# TEMPDIR is used to hold any files this script creates
+# And is cleaned on EXIT with a trap function
+TEMPDIR=$(mktemp -d /tmp/checkformat.XXXXXX)
+
+# TOPDIR always points to the root of the git tree we are working in
+# used to locate the check-format.pl script
+TOPDIR=$(git rev-parse --show-toplevel)
+
+
+# cleanup handler function, returns us to the root of the git tree
+# and erases our temp directory
+cleanup() {
+ rm -rf $TEMPDIR
+ cd $TOPDIR
+}
+
+trap cleanup EXIT
+
+# Get the canonical sha256 sum for the commit we are checking
+# This lets us pass in symbolic ref names like master/etc and
+# resolve them to sha256 sums easily
+COMMIT=$(git rev-parse $1)
+
+# Fail gracefully if git rev-parse doesn't produce a valid
+# commit
+if [ $? -ne 0 ]
+then
+ echo "$1 is not a valid revision"
+ exit 1
+fi
+
+# Create a iteratable list of files to check for a
+# given commit. It produces output of the format
+# <commit id> <file name> <change start line>, <change line count>
+touch $TEMPDIR/ranges.txt
+git show $COMMIT | awk -v mycmt=$COMMIT '
+ BEGIN {myfile=""}
+ /+{3}/ {
+ gsub(/b\//,"",$2);
+ myfile=$2
+ }
+ /@@/ {
+ gsub(/+/,"",$3);
+ printf mycmt " " myfile " " $3 "\n"
+ }' >> $TEMPDIR/ranges.txt || true
+
+# filter out anything that matches on a filter regex
+for i in ${EXCLUDED_FILE_REGEX[@]}
+do
+ touch $TEMPDIR/ranges.filter
+ grep -v "$i" $TEMPDIR/ranges.txt >> $TEMPDIR/ranges.filter || true
+ REMAINING_FILES=$(wc -l $TEMPDIR/ranges.filter | awk '{print $1}')
+ if [ $REMAINING_FILES -eq 0 ]
+ then
+ echo "This commit has no files that require checking"
+ exit 0
+ fi
+ mv $TEMPDIR/ranges.filter $TEMPDIR/ranges.txt
+done
+
+# check out the files from the commit level.
+# For each file name in ranges, we show that file at the commit
+# level we are checking, and redirect it to the same path, relative
+# to $TEMPDIR/check-format. This give us the full file to run
+# check-format.pl on with line numbers matching the ranges in the
+# $TEMPDIR/ranges.txt file
+for j in $(grep $COMMIT $TEMPDIR/ranges.txt | awk '{print $2}')
+do
+ FDIR=$(dirname $j)
+ mkdir -p $TEMPDIR/check-format/$FDIR
+ git show $COMMIT:$j > $TEMPDIR/check-format/$j
+done
+
+# Now for each file in $TEMPDIR/check-format run check-format.pl
+# Note that we use the %P formatter in the find utilty. This strips
+# off the $TEMPDIR/check-format path prefix, leaving $j with the
+# path to the file relative to the root of the source dir, so that
+# output from check-format.pl looks correct, relative to the root
+# of the git tree.
+for j in $(find $TEMPDIR/check-format -type f -printf "%P\n")
+do
+ range_start=()
+ range_end=()
+
+ # Get the ranges for this file. Create 2 arrays. range_start contains
+ # the start lines for valid ranges from the commit. the range_end array
+ # contains the corresponding end line (note, since diff output gives us
+ # a line count for a change, the range_end[k] entry is actually
+ # range_start[k]+line count
+ for k in $(grep $COMMIT $TEMPDIR/ranges.txt | grep $j | awk '{print $3}')
+ do
+ RANGE=$k
+ RSTART=$(echo $RANGE | awk -F',' '{print $1}')
+ RLEN=$(echo $RANGE | awk -F',' '{print $2}')
+ let REND=$RSTART+$RLEN
+ range_start+=($RSTART)
+ range_end+=($REND)
+ done
+
+ # Go to our checked out tree
+ cd $TEMPDIR/check-format
+
+ # Actually run check-format.pl on the file, capturing the output
+ # in a temporary file. Note the format of check-patch.pl output is
+ # <file name>:<line number>:<error text>:<offending line contents>
+ $TOPDIR/util/check-format.pl $j > $TEMPDIR/format-results.txt
+
+ # Now we filter the check-format.pl output based on the changed lines
+ # captured in the range_start/end arrays
+ let maxidx=${#range_start[@]}-1
+ for k in $(seq 0 1 $maxidx)
+ do
+ RSTART=${range_start[$k]}
+ REND=${range_end[$k]}
+
+ # field 2 of check-format.pl output is the offending line number
+ # Check here if any line in that output falls between any of the
+ # start/end ranges defined in the range_start/range_end array.
+ # If it does fall in that range, print the entire line to stdout
+ # If anything is printed, have awk exit with a non-zero exit code
+ awk -v rstart=$RSTART -v rend=$REND -F':' '
+ BEGIN {rc=0}
+ /:/ {
+ if (($2 >= rstart) && ($2 <= rend)) {
+ print $0;
+ rc=1
+ }
+ }
+ END {exit rc;}
+ ' $TEMPDIR/format-results.txt
+
+ # If awk exited with a non-zero code, this script will also exit
+ # with a non-zero code
+ if [ $? -ne 0 ]
+ then
+ EXIT_CODE=1
+ fi
+ done
+done
+
+# Exit with the recorded exit code above
+exit $EXIT_CODE
diff -Nru openssl-3.0.14/util/check-format.pl openssl-3.0.15/util/check-format.pl
--- openssl-3.0.14/util/check-format.pl 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/util/check-format.pl 2024-09-03 15:30:13.000000000 +0200
@@ -1,6 +1,6 @@
#! /usr/bin/env perl
#
-# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
# Copyright Siemens AG 2019-2022
#
# Licensed under the Apache License 2.0 (the "License").
@@ -167,7 +167,7 @@
my $line_body_start; # number of line where last function body started, or 0
my $line_function_start; # number of line where last function definition started, used for $line_body_start
my $last_function_header; # header containing name of last function defined, used if $line_body_start != 0
-my $line_opening_brace; # number of previous line with opening brace after do/while/for, optionally for if/else
+my $line_opening_brace; # number of previous line with opening brace after if/do/while/for, optionally for 'else'
my $keyword_opening_brace; # name of previous keyword, used if $line_opening_brace != 0
my $block_indent; # currently required normal indentation at block/statement level
@@ -972,9 +972,12 @@
# check for code block containing a single line/statement
if ($line_before2 > 0 && !$outermost_level && # within function body
$in_typedecl == 0 && @nested_indents == 0 && # neither within type declaration nor inside stmt/expr
- m/^[\s@]*\}/) { # leading closing brace '}', any preceding blinded comment must not be matched
+ m/^[\s@]*\}\s*(\w*)/) { # leading closing brace '}', any preceding blinded comment must not be matched
# TODO extend detection from single-line to potentially multi-line statement
+ my $next_word = $1;
if ($line_opening_brace > 0 &&
+ ($keyword_opening_brace ne "if" ||
+ $extended_1_stmt || $next_word ne "else") &&
($line_opening_brace == $line_before2 ||
$line_opening_brace == $line_before)
&& $contents_before =~ m/;/) { # there is at least one terminator ';', so there is some stmt
@@ -1132,9 +1135,9 @@
$line_body_start = $contents =~ m/LONG BODY/ ? 0 : $line if $line_function_start != 0;
}
} else {
- $line_opening_brace = $line if $keyword_opening_brace =~ m/do|while|for/;
+ $line_opening_brace = $line if $keyword_opening_brace =~ m/if|do|while|for/;
# using, not assigning, $keyword_opening_brace here because it could be on an earlier line
- $line_opening_brace = $line if $keyword_opening_brace =~ m/if|else/ && $extended_1_stmt &&
+ $line_opening_brace = $line if $keyword_opening_brace eq "else" && $extended_1_stmt &&
# TODO prevent false positives for if/else where braces around single-statement branches
# should be avoided but only if all branches have just single statements
# The following helps detecting the exception when handling multiple 'if ... else' branches:
diff -Nru openssl-3.0.14/util/check-format-test-negatives.c openssl-3.0.15/util/check-format-test-negatives.c
--- openssl-3.0.14/util/check-format-test-negatives.c 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/util/check-format-test-negatives.c 2024-09-03 15:30:13.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Siemens AG 2015-2022
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@@ -335,9 +335,8 @@
int f()
{
c;
- if (1) {
+ if (1)
c;
- }
c;
if (1)
if (2)
diff -Nru openssl-3.0.14/util/perl/OpenSSL/Test/Utils.pm openssl-3.0.15/util/perl/OpenSSL/Test/Utils.pm
--- openssl-3.0.14/util/perl/OpenSSL/Test/Utils.pm 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/util/perl/OpenSSL/Test/Utils.pm 2024-09-03 15:30:13.000000000 +0200
@@ -1,4 +1,4 @@
-# Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -72,6 +72,8 @@
=item B<have_IPv6>
Return true if IPv4 / IPv6 is possible to use on the current system.
+Additionally, B<have_IPv6> also checks how OpenSSL was configured,
+i.e. if IPv6 was explicitly disabled with -DOPENSSL_USE_IPv6=0.
=back
@@ -80,6 +82,7 @@
our %available_protocols;
our %disabled;
our %config;
+our %target;
my $configdata_loaded = 0;
sub load_configdata {
@@ -91,6 +94,7 @@
%available_protocols = %configdata::available_protocols;
%disabled = %configdata::disabled;
%config = %configdata::config;
+ %target = %configdata::target;
};
$configdata_loaded = 1;
}
@@ -222,6 +226,18 @@
sub have_IPv6 {
if ($have_IPv6 < 0) {
+ load_configdata() unless $configdata_loaded;
+ # If OpenSSL is configured with IPv6 explicitly disabled, no IPv6
+ # related tests should be performed. In other words, pretend IPv6
+ # isn't present.
+ $have_IPv6 = 0
+ if grep { $_ eq 'OPENSSL_USE_IPV6=0' } @{$config{CPPDEFINES}};
+ # Similarly, if a config target has explicitly disabled IPv6, no
+ # IPv6 related tests should be performed.
+ $have_IPv6 = 0
+ if grep { $_ eq 'OPENSSL_USE_IPV6=0' } @{$target{defines}};
+ }
+ if ($have_IPv6 < 0) {
$have_IPv6 = check_IP("::1");
}
return $have_IPv6;
diff -Nru openssl-3.0.14/util/perl/TLSProxy/Message.pm openssl-3.0.15/util/perl/TLSProxy/Message.pm
--- openssl-3.0.14/util/perl/TLSProxy/Message.pm 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/util/perl/TLSProxy/Message.pm 2024-09-03 15:30:13.000000000 +0200
@@ -1,4 +1,4 @@
-# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -375,6 +375,15 @@
$server,
$data,
[@message_rec_list],
+ $startoffset,
+ [@message_frag_lens]
+ );
+ $message->parse();
+ } elsif ($mt == MT_NEXT_PROTO) {
+ $message = TLSProxy::NextProto->new(
+ $server,
+ $data,
+ [@message_rec_list],
$startoffset,
[@message_frag_lens]
);
diff -Nru openssl-3.0.14/util/perl/TLSProxy/NextProto.pm openssl-3.0.15/util/perl/TLSProxy/NextProto.pm
--- openssl-3.0.14/util/perl/TLSProxy/NextProto.pm 1970-01-01 01:00:00.000000000 +0100
+++ openssl-3.0.15/util/perl/TLSProxy/NextProto.pm 2024-09-03 15:30:13.000000000 +0200
@@ -0,0 +1,54 @@
+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+
+package TLSProxy::NextProto;
+
+use vars '@ISA';
+push @ISA, 'TLSProxy::Message';
+
+sub new
+{
+ my $class = shift;
+ my ($server,
+ $data,
+ $records,
+ $startoffset,
+ $message_frag_lens) = @_;
+
+ my $self = $class->SUPER::new(
+ $server,
+ TLSProxy::Message::MT_NEXT_PROTO,
+ $data,
+ $records,
+ $startoffset,
+ $message_frag_lens);
+
+ return $self;
+}
+
+sub parse
+{
+ # We don't support parsing at the moment
+}
+
+# This is supposed to reconstruct the on-the-wire message data following changes.
+# For now though since we don't support parsing we just create an empty NextProto
+# message - this capability is used in test_npn
+sub set_message_contents
+{
+ my $self = shift;
+ my $data;
+
+ $data = pack("C32", 0x00, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00);
+ $self->data($data);
+}
+1;
diff -Nru openssl-3.0.14/util/perl/TLSProxy/Proxy.pm openssl-3.0.15/util/perl/TLSProxy/Proxy.pm
--- openssl-3.0.14/util/perl/TLSProxy/Proxy.pm 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/util/perl/TLSProxy/Proxy.pm 2024-09-03 15:30:13.000000000 +0200
@@ -1,4 +1,4 @@
-# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -23,6 +23,7 @@
use TLSProxy::CertificateVerify;
use TLSProxy::ServerKeyExchange;
use TLSProxy::NewSessionTicket;
+use TLSProxy::NextProto;
my $have_IPv6;
my $IP_factory;
diff -Nru openssl-3.0.14/VERSION.dat openssl-3.0.15/VERSION.dat
--- openssl-3.0.14/VERSION.dat 2024-06-04 16:27:20.000000000 +0200
+++ openssl-3.0.15/VERSION.dat 2024-09-03 15:30:13.000000000 +0200
@@ -1,7 +1,7 @@
MAJOR=3
MINOR=0
-PATCH=14
+PATCH=15
PRE_RELEASE_TAG=
BUILD_METADATA=
-RELEASE_DATE="4 Jun 2024"
+RELEASE_DATE="3 Sep 2024"
SHLIB_VERSION=3
Reply to: