From 5a21f9f286d27ad504fff6cdd432812af19a2a9e Mon Sep 17 00:00:00 2001
From: Apertis CI <devel@lists.apertis.org>
Date: Tue, 2 Jul 2024 13:53:01 +0000
Subject: [PATCH] Import Upstream version 3.0.13
---
CHANGES.md | 97 +++
CONTRIBUTING.md | 56 +-
Configurations/10-main.conf | 10 +
Configurations/descrip.mms.tmpl | 11 +-
Configurations/unix-Makefile.tmpl | 299 ++++-----
Configurations/windows-makefile.tmpl | 4 +-
Configure | 37 +-
INSTALL.md | 4 +-
NEWS.md | 22 +
README.md | 2 +-
VERSION.dat | 4 +-
VMS/openssl_ivp.com.in | 4 +-
VMS/openssl_shutdown.com.in | 8 +-
VMS/openssl_startup.com.in | 8 +-
apps/cms.c | 15 +-
apps/dgst.c | 2 +
apps/dhparam.c | 4 +-
apps/dsaparam.c | 4 +-
apps/enc.c | 5 +-
apps/errstr.c | 2 +-
apps/gendsa.c | 4 +-
apps/genpkey.c | 4 +-
apps/genrsa.c | 4 +-
apps/lib/apps.c | 16 +-
apps/lib/opt.c | 7 +-
apps/list.c | 52 +-
apps/rehash.c | 40 +-
apps/req.c | 6 +-
apps/s_server.c | 7 +-
apps/smime.c | 3 +-
apps/speed.c | 3 +-
crypto/aes/asm/aesv8-armx.pl | 3 +
crypto/arm_arch.h | 7 +-
crypto/asn1/asn_moid.c | 4 +
crypto/asn1/asn_mstbl.c | 8 +-
crypto/asn1/x_algor.c | 6 +-
crypto/bn/bn_exp.c | 21 +
crypto/bn/bn_gcd.c | 8 +-
crypto/bn/bn_gf2m.c | 8 +-
crypto/bn/bn_mod.c | 10 +
crypto/bn/bn_nist.c | 126 ++--
crypto/build.info | 6 +-
crypto/cms/cms_att.c | 24 +-
crypto/cms/cms_dh.c | 8 +-
crypto/cms/cms_enc.c | 5 +-
crypto/cms/cms_err.c | 4 +-
crypto/cms/cms_rsa.c | 35 +-
crypto/cms/cms_sd.c | 45 +-
crypto/cms/cms_smime.c | 3 +-
crypto/conf/conf_err.c | 2 +
crypto/dh/dh_check.c | 15 +-
crypto/dh/dh_err.c | 3 +-
crypto/dh/dh_key.c | 15 +-
crypto/dh/dh_lib.c | 4 +-
crypto/dsa/dsa_check.c | 8 +-
crypto/dsa/dsa_lib.c | 4 +-
crypto/dsa/dsa_ossl.c | 1 -
crypto/ec/ecx_backend.c | 9 +-
crypto/engine/eng_pkey.c | 44 +-
crypto/engine/eng_table.c | 1 +
crypto/err/openssl.txt | 3 +
crypto/evp/e_aes.c | 16 +-
crypto/evp/evp_enc.c | 45 +-
crypto/evp/evp_fetch.c | 23 +-
crypto/evp/legacy_sha.c | 8 +-
crypto/evp/p_lib.c | 2 +-
crypto/evp/pmeth_lib.c | 5 +-
crypto/ex_data.c | 4 +-
crypto/ffc/ffc_key_validate.c | 16 +-
crypto/http/http_client.c | 8 +-
crypto/http/http_lib.c | 2 +-
crypto/lhash/lhash.c | 6 +-
crypto/mem.c | 12 +-
crypto/mem_sec.c | 12 +-
crypto/modes/asm/ghashv8-armx.pl | 5 +-
crypto/objects/obj_dat.c | 11 +-
crypto/param_build.c | 8 +-
crypto/param_build_set.c | 13 +-
crypto/params_from_text.c | 10 +-
crypto/perlasm/x86_64-xlate.pl | 7 +-
crypto/pkcs12/p12_add.c | 20 +-
crypto/pkcs12/p12_mutl.c | 7 +-
crypto/pkcs12/p12_npas.c | 7 +-
crypto/pkcs7/pk7_attr.c | 20 +-
crypto/pkcs7/pk7_mime.c | 9 +-
crypto/poly1305/asm/poly1305-armv8.pl | 26 +-
crypto/poly1305/asm/poly1305-ppc.pl | 44 +-
crypto/property/property_parse.c | 84 ++-
crypto/provider_conf.c | 104 ++-
crypto/provider_core.c | 70 +-
crypto/rsa/rsa_backend.c | 14 +-
crypto/rsa/rsa_lib.c | 40 +-
crypto/rsa/rsa_sp800_56b_check.c | 10 +-
crypto/x509/t_req.c | 8 +-
crypto/x509/t_x509.c | 4 +-
crypto/x509/v3_addr.c | 6 +-
crypto/x509/v3_asid.c | 24 +-
crypto/x509/v3_crld.c | 7 +-
crypto/x509/v3_ist.c | 18 +-
crypto/x509/v3_san.c | 13 +-
crypto/x509/v3_sxnet.c | 20 +-
crypto/x509/x509_att.c | 92 ++-
crypto/x509/x509_req.c | 4 +-
doc/build.info | 30 +
doc/images/openssl-square-nontransparent.png | Bin 0 -> 78086 bytes
doc/images/openssl-square.svg | 49 ++
doc/images/openssl.svg | 88 +--
doc/man1/openssl-pkeyutl.pod.in | 4 +-
doc/man1/openssl-req.pod.in | 2 +-
doc/man3/BIO_f_md.pod | 6 +-
doc/man3/BN_add.pod | 5 +
doc/man3/BN_mod_inverse.pod | 6 +-
doc/man3/CMS_add1_signer.pod | 8 +-
doc/man3/CMS_signed_get_attr.pod | 214 +++++++
doc/man3/DH_generate_parameters.pod | 6 +-
doc/man3/DSA_generate_parameters.pod | 4 +-
doc/man3/EVP_EncryptInit.pod | 14 +-
doc/man3/EVP_MAC.pod | 12 +-
doc/man3/EVP_PKEY_get_attr.pod | 113 ++++
doc/man3/EVP_aes_128_gcm.pod | 8 +-
doc/man3/EVP_aria_128_gcm.pod | 2 +-
doc/man3/EVP_bf_cbc.pod | 2 +-
doc/man3/EVP_blake2b512.pod | 2 +-
doc/man3/EVP_camellia_128_ecb.pod | 2 +-
doc/man3/EVP_cast5_cbc.pod | 2 +-
doc/man3/EVP_chacha20.pod | 2 +-
doc/man3/EVP_des_cbc.pod | 2 +-
doc/man3/EVP_desx_cbc.pod | 2 +-
doc/man3/EVP_idea_cbc.pod | 2 +-
doc/man3/EVP_md2.pod | 2 +-
doc/man3/EVP_md4.pod | 2 +-
doc/man3/EVP_md5.pod | 2 +-
doc/man3/EVP_mdc2.pod | 2 +-
doc/man3/EVP_rc2_cbc.pod | 2 +-
doc/man3/EVP_rc4.pod | 2 +-
doc/man3/EVP_rc5_32_12_16_cbc.pod | 2 +-
doc/man3/EVP_ripemd160.pod | 2 +-
doc/man3/EVP_seed_cbc.pod | 2 +-
doc/man3/EVP_sha1.pod | 2 +-
doc/man3/EVP_sha224.pod | 2 +-
doc/man3/EVP_sha3_224.pod | 2 +-
doc/man3/EVP_sm3.pod | 2 +-
doc/man3/EVP_sm4_cbc.pod | 2 +-
doc/man3/EVP_whirlpool.pod | 2 +-
doc/man3/OPENSSL_LH_COMPFUNC.pod | 65 +-
doc/man3/OSSL_PARAM_int.pod | 2 +-
doc/man3/PKCS12_create.pod | 14 +-
doc/man3/PKCS5_PBKDF2_HMAC.pod | 5 +-
doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod | 10 +-
doc/man3/SSL_CTX_set_info_callback.pod | 16 +-
doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod | 4 +-
doc/man3/SSL_CTX_set_tmp_dh_callback.pod | 2 +-
doc/man3/SSL_get_error.pod | 6 +-
doc/man3/SSL_get_peer_certificate.pod | 9 +-
doc/man3/X509_ATTRIBUTE.pod | 263 ++++++++
doc/man3/X509_REQ_get_attr.pod | 111 ++++
doc/man3/X509_REQ_get_extensions.pod | 50 ++
doc/man3/X509_dup.pod | 15 +-
doc/man3/d2i_PKCS8PrivateKey_bio.pod | 4 +-
doc/man3/d2i_X509.pod | 26 +-
doc/man7/EVP_CIPHER-AES.pod | 13 +
doc/man7/EVP_KDF-SS.pod | 6 +-
doc/man7/EVP_MAC-BLAKE2.pod | 9 +-
doc/man7/EVP_MAC-CMAC.pod | 2 +-
doc/man7/EVP_MAC-HMAC.pod | 2 +-
doc/man7/EVP_MAC-KMAC.pod | 14 +-
doc/man7/EVP_MD-SHAKE.pod | 21 +-
doc/man7/EVP_PKEY-RSA.pod | 2 +-
doc/man7/EVP_RAND-SEED-SRC.pod | 3 +-
doc/man7/provider-cipher.pod | 10 +-
doc/man7/provider-keymgmt.pod | 4 +-
doc/man7/provider-storemgmt.pod | 4 +-
include/crypto/dherr.h | 2 +-
include/crypto/x509.h | 19 +-
include/internal/ffc.h | 9 +-
include/internal/refcount.h | 4 +-
include/openssl/bio.h.in | 2 +-
include/openssl/cmserr.h | 3 +-
include/openssl/conferr.h | 1 +
include/openssl/dh.h | 6 +-
include/openssl/dherr.h | 3 +-
include/openssl/evp.h | 4 +-
include/openssl/pkcs7.h.in | 6 +-
providers/fips-sources.checksums | 100 +--
providers/fips.checksum | 2 +-
.../implementations/asymciphers/rsa_enc.c | 1 +
.../implementations/ciphers/cipher_aes.h | 3 +-
.../ciphers/cipher_aes_cbc_hmac_sha.c | 20 +-
.../implementations/ciphers/cipher_aes_ccm.c | 22 +-
.../implementations/ciphers/cipher_aes_gcm.c | 17 +-
.../ciphers/cipher_aes_hw_s390x.inc | 12 +-
.../implementations/ciphers/cipher_aes_ocb.c | 5 +-
.../implementations/ciphers/cipher_aes_wrp.c | 23 +-
.../implementations/ciphers/cipher_aria_ccm.c | 17 +-
.../implementations/ciphers/cipher_aria_gcm.c | 17 +-
.../ciphers/cipher_chacha20_poly1305.c | 23 +-
.../implementations/ciphers/cipher_des.c | 1 +
.../ciphers/cipher_rc4_hmac_md5.c | 13 +-
.../ciphers/cipher_tdes_common.c | 1 +
.../implementations/ciphers/ciphercommon.c | 33 +-
.../ciphers/ciphercommon_ccm.c | 5 +-
.../ciphers/ciphercommon_gcm.c | 7 +-
.../implementations/digests/blake2b_prov.c | 6 +-
.../implementations/digests/blake2s_prov.c | 6 +-
.../encode_decode/encode_key2any.c | 12 +-
.../encode_decode/encode_key2text.c | 65 +-
.../include/prov/ciphercommon.h | 1 +
.../include/prov/ciphercommon_aead.h | 7 +-
providers/implementations/kdfs/pbkdf1.c | 8 +-
providers/implementations/keymgmt/dh_kmgmt.c | 2 +-
providers/implementations/macs/cmac_prov.c | 6 +-
providers/implementations/macs/kmac_prov.c | 6 +-
providers/implementations/signature/rsa_sig.c | 1 +
providers/implementations/signature/sm2_sig.c | 9 +
ssl/d1_lib.c | 17 +
ssl/record/rec_layer_s3.c | 6 +-
ssl/s3_enc.c | 6 +-
ssl/s3_lib.c | 4 +
ssl/ssl_ciph.c | 3 +-
ssl/ssl_conf.c | 24 +-
ssl/ssl_lib.c | 30 +-
ssl/ssl_mcnf.c | 18 +-
ssl/statem/extensions_cust.c | 7 +
ssl/statem/statem_dtls.c | 8 +-
ssl/t1_enc.c | 7 +-
test/README.md | 2 +-
test/asn1_stable_parse_test.c | 81 +++
test/bntest.c | 112 ++++
test/build.info | 21 +-
test/cmp_ctx_test.c | 3 +
test/cmp_protect_test.c | 16 +-
test/danetest.in | 225 +++++--
test/evp_extra_test.c | 598 +++++++++++++++++-
test/evp_extra_test2.c | 21 +-
test/evp_kdf_test.c | 52 +-
test/evp_pkey_provided_test.c | 8 +-
test/evp_test.c | 48 +-
test/ffc_internal_test.c | 38 +-
test/http_test.c | 3 +-
test/invalid-x509.cnf | 6 +
test/p_minimal.c | 24 +
test/params_test.c | 46 +-
test/property_test.c | 10 +
test/prov_config_test.c | 30 +
test/recipes/01-test_symbol_presence.t | 36 +-
test/recipes/04-test_asn1_parse.t | 26 +
test/recipes/04-test_asn1_stable_parse.t | 24 +
.../asn1_stable_parse.cnf | 16 +
test/recipes/04-test_provider.t | 9 +-
test/recipes/05-test_rand.t | 6 +-
test/recipes/15-test_gensm2.t | 61 ++
test/recipes/25-test_req.t | 9 +-
test/recipes/25-test_x509.t | 12 +-
test/recipes/30-test_prov_config.t | 7 +-
test/recipes/80-test_cms.t | 83 ++-
test/recipes/80-test_pkcs12.t | 27 +-
test/recipes/80-test_pkcs12_data/bad1.p12 | Bin 0 -> 85 bytes
test/recipes/80-test_pkcs12_data/bad2.p12 | Bin 0 -> 104 bytes
test/recipes/80-test_pkcs12_data/bad3.p12 | Bin 0 -> 104 bytes
test/recipes/91-test_pkey_check.t | 4 +-
.../91-test_pkey_check_data/rsapub_17k.pem | 48 ++
.../gost_engine.sh | 4 +-
test/recursive.cnf | 8 +
test/rsa_test.c | 118 +++-
test/siphash_internal_test.c | 4 +-
test/smime-certs/smrsa3-cert.pem | 21 +
test/smime-certs/smrsa3-key.pem | 28 +
test/ssl_old_test.c | 24 +-
test/sslapitest.c | 56 +-
test/sysdefault.cnf | 1 +
test/test_asn1_parse.cnf | 12 +
util/missingcrypto.txt | 59 --
util/missingssl.txt | 1 -
util/other.syms | 1 +
util/perl/OpenSSL/config.pm | 14 +-
275 files changed, 4851 insertions(+), 1209 deletions(-)
create mode 100644 doc/images/openssl-square-nontransparent.png
create mode 100644 doc/images/openssl-square.svg
create mode 100644 doc/man3/CMS_signed_get_attr.pod
create mode 100644 doc/man3/EVP_PKEY_get_attr.pod
create mode 100644 doc/man3/X509_ATTRIBUTE.pod
create mode 100644 doc/man3/X509_REQ_get_attr.pod
create mode 100644 doc/man3/X509_REQ_get_extensions.pod
create mode 100644 test/asn1_stable_parse_test.c
create mode 100644 test/invalid-x509.cnf
create mode 100644 test/p_minimal.c
create mode 100644 test/recipes/04-test_asn1_parse.t
create mode 100644 test/recipes/04-test_asn1_stable_parse.t
create mode 100644 test/recipes/04-test_asn1_stable_parse_data/asn1_stable_parse.cnf
create mode 100644 test/recipes/15-test_gensm2.t
create mode 100644 test/recipes/80-test_pkcs12_data/bad1.p12
create mode 100644 test/recipes/80-test_pkcs12_data/bad2.p12
create mode 100644 test/recipes/80-test_pkcs12_data/bad3.p12
create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem
create mode 100644 test/recursive.cnf
create mode 100644 test/smime-certs/smrsa3-cert.pem
create mode 100644 test/smime-certs/smrsa3-key.pem
create mode 100644 test/test_asn1_parse.cnf
diff --git a/CHANGES.md b/CHANGES.md
index a26bdbdd..bd876eb8 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -28,6 +28,98 @@ breaking changes, and mappings for the large list of deprecated functions.
[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
+### Changes between 3.0.12 and 3.0.13 [30 Jan 2024]
+
+ * A file in PKCS12 format can contain certificates and keys and may come from
+ an untrusted source. The PKCS12 specification allows certain fields to be
+ NULL, but OpenSSL did not correctly check for this case. A fix has been
+ applied to prevent a NULL pointer dereference that results in OpenSSL
+ crashing. If an application processes PKCS12 files from an untrusted source
+ using the OpenSSL APIs then that application will be vulnerable to this
+ issue prior to this fix.
+
+ OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
+ PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
+ and PKCS12_newpass().
+
+ We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
+ function is related to writing data we do not consider it security
+ significant.
+
+ ([CVE-2024-0727])
+
+ *Matt Caswell*
+
+ * When function EVP_PKEY_public_check() is called on RSA public keys,
+ a computation is done to confirm that the RSA modulus, n, is composite.
+ For valid RSA keys, n is a product of two or more large primes and this
+ computation completes quickly. However, if n is an overly large prime,
+ then this computation would take a long time.
+
+ An application that calls EVP_PKEY_public_check() and supplies an RSA key
+ obtained from an untrusted source could be vulnerable to a Denial of Service
+ attack.
+
+ The function EVP_PKEY_public_check() is not called from other OpenSSL
+ functions however it is called from the OpenSSL pkey command line
+ application. For that reason that application is also vulnerable if used
+ with the "-pubin" and "-check" options on untrusted data.
+
+ To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will
+ now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.
+
+ ([CVE-2023-6237])
+
+ *Tomáš Mráz*
+
+ * Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
+ have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
+ rather than SM2.
+
+ *Richard Levitte*
+
+ * The POLY1305 MAC (message authentication code) implementation in OpenSSL
+ for PowerPC CPUs saves the contents of vector registers in different
+ order than they are restored. Thus the contents of some of these vector
+ registers is corrupted when returning to the caller. The vulnerable code is
+ used only on newer PowerPC processors supporting the PowerISA 2.07
+ instructions.
+
+ The consequences of this kind of internal application state corruption can
+ be various - from no consequences, if the calling application does not
+ depend on the contents of non-volatile XMM registers at all, to the worst
+ consequences, where the attacker could get complete control of the
+ application process. However unless the compiler uses the vector registers
+ for storing pointers, the most likely consequence, if any, would be an
+ incorrect result of some application dependent calculations or a crash
+ leading to a denial of service.
+
+ ([CVE-2023-6129])
+
+ *Rohan McLure*
+
+ * Fix excessive time spent in DH check / generation with large Q parameter
+ value.
+
+ Applications that use the functions DH_generate_key() to generate an
+ X9.42 DH key may experience long delays. Likewise, applications that use
+ DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
+ to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
+ Where the key or parameters that are being checked have been obtained from
+ an untrusted source this may lead to a Denial of Service.
+
+ ([CVE-2023-5678])
+
+ *Richard Levitte*
+
+### Changes between 3.0.11 and 3.0.12 [24 Oct 2023]
+
+ * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),
+ EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters
+ that alter the key or IV length ([CVE-2023-5363]).
+
+ *Paul Dale*
+
### Changes between 3.0.10 and 3.0.11 [19 Sep 2023]
* Fix POLY1305 MAC implementation corrupting XMM registers on Windows.
@@ -19732,6 +19824,11 @@ ndif
<!-- Links -->
+[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
+[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
+[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
+[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
+[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index efb4be87..15490fd9 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -9,22 +9,36 @@ Development is done on GitHub in the [openssl/openssl] repository.
[openssl/openssl]: <https://github.com/openssl/openssl>
-To request new features or report bugs, please open an issue on GitHub
+To request new a feature, ask a question, or report a bug,
+please open an [issue on GitHub](https://github.com/openssl/openssl/issues).
-To submit a patch, please open a pull request on GitHub. If you are thinking
-of making a large contribution, open an issue for it before starting work,
-to get comments from the community. Someone may be already working on
-the same thing or there may be reasons why that feature isn't implemented.
+To submit a patch or implement a new feature, please open a
+[pull request on GitHub](https://github.com/openssl/openssl/pulls).
+If you are thinking of making a large contribution,
+open an issue for it before starting work, to get comments from the community.
+Someone may be already working on the same thing,
+or there may be special reasons why a feature is not implemented.
To make it easier to review and accept your pull request, please follow these
guidelines:
1. Anything other than a trivial contribution requires a [Contributor
License Agreement] (CLA), giving us permission to use your code.
- If your contribution is too small to require a CLA (e.g. fixing a spelling
- mistake), place the text "`CLA: trivial`" on a line by itself separated by
- an empty line from the rest of the commit message. It is not sufficient to
- only place the text in the GitHub pull request description.
+ If your contribution is too small to require a CLA (e.g., fixing a spelling
+ mistake), then place the text "`CLA: trivial`" on a line by itself below
+ the rest of your commit message separated by an empty line, like this:
+
+ ```
+ One-line summary of trivial change
+
+ Optional main body of commit message. It might contain a sentence
+ or two explaining the trivial change.
+
+ CLA: trivial
+ ```
+
+ It is not sufficient to only place the text "`CLA: trivial`" in the GitHub
+ pull request description.
[Contributor License Agreement]: <https://www.openssl.org/policies/cla.html>
@@ -32,8 +46,8 @@ guidelines:
```
git commit --amend
- [add the line, save and quit the editor]
- git push -f
+ # add the line, save and quit the editor
+ git push -f [<repository> [<branch>]]
```
2. All source files should start with the following text (with
@@ -53,22 +67,24 @@ guidelines:
often. We do not accept merge commits, you will have to remove them
(usually by rebasing) before it will be acceptable.
- 4. Patches should follow our [coding style] and compile without warnings.
- Where `gcc` or `clang` is available you should use the
+ 4. Code provided should follow our [coding style] and compile without warnings.
+ There is a [Perl tool](util/check-format.pl) that helps
+ finding code formatting mistakes and other coding style nits.
+ Where `gcc` or `clang` is available, you should use the
`--strict-warnings` `Configure` option. OpenSSL compiles on many varied
- platforms: try to ensure you only use portable features. Clean builds via
- GitHub Actions and AppVeyor are required, and they are started automatically
- whenever a PR is created or updated.
+ platforms: try to ensure you only use portable features.
+ Clean builds via GitHub Actions are required. They are started automatically
+ whenever a PR is created or updated by committers.
[coding style]: https://www.openssl.org/policies/technical/coding-style.html
- 5. When at all possible, patches should include tests. These can
+ 5. When at all possible, code contributions should include tests. These can
either be added to an existing test, or completely new. Please see
[test/README.md](test/README.md) for information on the test framework.
6. New features or changed functionality must include
- documentation. Please look at the "pod" files in doc/man[1357] for
- examples of our style. Run "make doc-nits" to make sure that your
+ documentation. Please look at the `.pod` files in `doc/man[1357]` for
+ examples of our style. Run `make doc-nits` to make sure that your
documentation changes are clean.
7. For user visible changes (API changes, behaviour changes, ...),
@@ -78,7 +94,7 @@ guidelines:
Have a look through existing entries for inspiration.
Please note that this is NOT simply a copy of git-log one-liners.
Also note that security fixes get an entry in [CHANGES.md](CHANGES.md).
- This file helps users get more in depth information of what comes
+ This file helps users get more in-depth information of what comes
with a specific release without having to sift through the higher
noise ratio in git-log.
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
index 280a75b2..ff8af714 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -1941,5 +1941,15 @@ my %targets = (
inherit_from => [ "vms-generic" ],
bn_ops => "SIXTY_FOUR_BIT",
pointer_size => "",
+ },
+ "vms-x86_64-p32" => {
+ inherit_from => [ "vms-x86_64" ],
+ cflags => add("/POINTER_SIZE=32"),
+ pointer_size => "32",
+ },
+ "vms-x86_64-p64" => {
+ inherit_from => [ "vms-x86_64" ],
+ cflags => add("/POINTER_SIZE=64=ARGV"),
+ pointer_size => "64",
}
);
diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl
index 337fc1e5..c722a754 100644
--- a/Configurations/descrip.mms.tmpl
+++ b/Configurations/descrip.mms.tmpl
@@ -478,7 +478,8 @@ build_all_generated : $(GENERATED_MANDATORY) $(GENERATED) build_docs
all : build_sw build_docs
test : tests
-{- dependmagic('tests'); -} : build_programs_nodep, build_modules_nodep run_tests
+{- dependmagic('tests'); -} : build_programs_nodep, build_modules_nodep
+ $(MMS) $(MMSQUALIFIERS) run_tests
run_tests :
@ ! {- output_off() if $disabled{tests}; "" -}
DEFINE SRCTOP "$(SRCDIR)"
@@ -710,13 +711,15 @@ vmsconfig.pm : configdata.pm
WRITE CONFIG " shlib_version => '","{- $config{shlib_version} -}","',"
WRITE CONFIG " shlib_major => '","{- $config{shlib_major} -}","',"
WRITE CONFIG " shlib_minor => '","{- $config{shlib_minor} -}","',"
- WRITE CONFIG " no_shared => '","{- $disabled{shared} -}","',"
WRITE CONFIG " INSTALLTOP => '$(INSTALLTOP)',"
WRITE CONFIG " OPENSSLDIR => '$(OPENSSLDIR)',"
+ WRITE CONFIG ");"
+ WRITE CONFIG "our %target = ("
WRITE CONFIG " pointer_size => '","{- $target{pointer_size} -}","',"
WRITE CONFIG ");"
- WRITE CONFIG "our %target = ();"
- WRITE CONFIG "our %disabled = ();"
+ WRITE CONFIG "our %disabled = ("
+ WRITE CONFIG " shared => '","{- $disabled{shared} -}","',"
+ WRITE CONFIG ");"
WRITE CONFIG "our %withargs = ();"
WRITE CONFIG "our %unified_info = ();"
WRITE CONFIG "1;"
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index 17e194f1..3754595d 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -526,8 +526,9 @@ build_all_generated: $(GENERATED_MANDATORY) $(GENERATED) build_docs
all: build_sw build_docs
test: tests
-{- dependmagic('tests'); -}: build_programs_nodep build_modules_nodep link-utils run_tests
-run_tests:
+{- dependmagic('tests'); -}: build_programs_nodep build_modules_nodep link-utils
+ $(MAKE) run_tests
+run_tests: FORCE
@ : {- output_off() if $disabled{tests}; "" -}
( SRCTOP=$(SRCDIR) \
BLDTOP=$(BLDDIR) \
@@ -614,28 +615,28 @@ uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_de
install_docs: install_man_docs install_html_docs
uninstall_docs: uninstall_man_docs uninstall_html_docs
- $(RM) -r $(DESTDIR)$(DOCDIR)
+ $(RM) -r "$(DESTDIR)$(DOCDIR)"
{- output_off() if $disabled{fips}; "" -}
install_fips: build_sw $(INSTALL_FIPSMODULECONF)
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MODULESDIR)
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MODULESDIR)"
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)"
@$(ECHO) "*** Installing FIPS module"
@$(ECHO) "install $(INSTALL_FIPSMODULE) -> $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)"
- @cp "$(INSTALL_FIPSMODULE)" $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new
- @chmod 755 $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new
- @mv -f $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new \
- $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)
+ @cp "$(INSTALL_FIPSMODULE)" "$(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new"
+ @chmod 755 "$(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new"
+ @mv -f "$(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new" \
+ "$(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)"
@$(ECHO) "*** Installing FIPS module configuration"
@$(ECHO) "install $(INSTALL_FIPSMODULECONF) -> $(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf"
- @cp $(INSTALL_FIPSMODULECONF) $(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf
+ @cp $(INSTALL_FIPSMODULECONF) "$(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf"
uninstall_fips:
@$(ECHO) "*** Uninstalling FIPS module configuration"
- $(RM) $(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf
+ $(RM) "$(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf"
@$(ECHO) "*** Uninstalling FIPS module"
- $(RM) $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)
+ $(RM) "$(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)"
{- if ($disabled{fips}) { output_on(); } else { output_off(); } "" -}
install_fips:
@$(ECHO) "The 'install_fips' target requires the 'enable-fips' option"
@@ -646,75 +647,75 @@ uninstall_fips:
install_ssldirs:
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/certs
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/private
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/misc
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)/certs"
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)/private"
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)/misc"
@set -e; for x in dummy $(MISC_SCRIPTS); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
x1=`echo "$$x" | cut -f1 -d:`; \
x2=`echo "$$x" | cut -f2 -d:`; \
fn=`basename $$x1`; \
$(ECHO) "install $$x1 -> $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \
- cp $$x1 $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new; \
- chmod 755 $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new; \
- mv -f $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new \
- $(DESTDIR)$(OPENSSLDIR)/misc/$$fn; \
+ cp $$x1 "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new"; \
+ chmod 755 "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new"; \
+ mv -f "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new" \
+ "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \
if [ "$$x1" != "$$x2" ]; then \
ln=`basename "$$x2"`; \
: {- output_off() unless windowsdll(); "" -}; \
$(ECHO) "copy $(DESTDIR)$(OPENSSLDIR)/misc/$$ln -> $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \
- cp $(DESTDIR)$(OPENSSLDIR)/misc/$$fn $(DESTDIR)$(OPENSSLDIR)/misc/$$ln; \
+ cp "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn" "$(DESTDIR)$(OPENSSLDIR)/misc/$$ln"; \
: {- output_on() unless windowsdll();
output_off() if windowsdll(); "" -}; \
$(ECHO) "link $(DESTDIR)$(OPENSSLDIR)/misc/$$ln -> $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \
- ln -sf $$fn $(DESTDIR)$(OPENSSLDIR)/misc/$$ln; \
+ ln -sf $$fn "$(DESTDIR)$(OPENSSLDIR)/misc/$$ln"; \
: {- output_on() if windowsdll(); "" -}; \
fi; \
done
@$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist"
- @cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new
- @chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new
- @mv -f $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist
+ @cp $(SRCDIR)/apps/openssl.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new"
+ @chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new"
+ @mv -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new" "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist"
@if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf" ]; then \
$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
- cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \
- chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \
+ cp $(SRCDIR)/apps/openssl.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
+ chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
fi
@$(ECHO) "install $(SRCDIR)/apps/ct_log_list.cnf -> $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist"
- @cp $(SRCDIR)/apps/ct_log_list.cnf $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new
- @chmod 644 $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new
- @mv -f $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist
+ @cp $(SRCDIR)/apps/ct_log_list.cnf "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new"
+ @chmod 644 "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new"
+ @mv -f "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new" "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist"
@if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf" ]; then \
$(ECHO) "install $(SRCDIR)/apps/ct_log_list.cnf -> $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf"; \
- cp $(SRCDIR)/apps/ct_log_list.cnf $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf; \
- chmod 644 $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf; \
+ cp $(SRCDIR)/apps/ct_log_list.cnf "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf"; \
+ chmod 644 "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf"; \
fi
install_dev: install_runtime_libs
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(ECHO) "*** Installing development files"
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/include/openssl
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(INSTALLTOP)/include/openssl"
@ : {- output_off() if $disabled{uplink}; "" -}
@$(ECHO) "install $(SRCDIR)/ms/applink.c -> $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
- @cp $(SRCDIR)/ms/applink.c $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
- @chmod 644 $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
+ @cp $(SRCDIR)/ms/applink.c "$(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
+ @chmod 644 "$(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
@ : {- output_on() if $disabled{uplink}; "" -}
@set -e; for i in $(SRCDIR)/include/openssl/*.h \
$(BLDDIR)/include/openssl/*.h; do \
fn=`basename $$i`; \
$(ECHO) "install $$i -> $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \
- cp $$i $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \
- chmod 644 $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \
+ cp $$i "$(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \
+ chmod 644 "$(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \
done
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(libdir)
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(libdir)"
@set -e; for l in $(INSTALL_LIBS); do \
fn=`basename $$l`; \
$(ECHO) "install $$l -> $(DESTDIR)$(libdir)/$$fn"; \
- cp $$l $(DESTDIR)$(libdir)/$$fn.new; \
- $(RANLIB) $(DESTDIR)$(libdir)/$$fn.new; \
- chmod 644 $(DESTDIR)$(libdir)/$$fn.new; \
- mv -f $(DESTDIR)$(libdir)/$$fn.new \
- $(DESTDIR)$(libdir)/$$fn; \
+ cp $$l "$(DESTDIR)$(libdir)/$$fn.new"; \
+ $(RANLIB) "$(DESTDIR)$(libdir)/$$fn.new"; \
+ chmod 644 "$(DESTDIR)$(libdir)/$$fn.new"; \
+ mv -f "$(DESTDIR)$(libdir)/$$fn.new" \
+ "$(DESTDIR)$(libdir)/$$fn"; \
done
@ : {- output_off() if $disabled{shared}; "" -}
@set -e; for s in $(INSTALL_SHLIB_INFO); do \
@@ -727,18 +728,18 @@ install_dev: install_runtime_libs
: {- output_off(); output_on() unless windowsdll() or sharedaix(); "" -}; \
if [ "$$fn2" != "" ]; then \
$(ECHO) "link $(DESTDIR)$(libdir)/$$fn2 -> $(DESTDIR)$(libdir)/$$fn1"; \
- ln -sf $$fn1 $(DESTDIR)$(libdir)/$$fn2; \
+ ln -sf $$fn1 "$(DESTDIR)$(libdir)/$$fn2"; \
fi; \
: {- output_off() unless windowsdll() or sharedaix(); output_on() if windowsdll(); "" -}; \
if [ "$$fn3" != "" ]; then \
$(ECHO) "install $$s3 -> $(DESTDIR)$(libdir)/$$fn3"; \
- cp $$s3 $(DESTDIR)$(libdir)/$$fn3.new; \
- chmod 755 $(DESTDIR)$(libdir)/$$fn3.new; \
- mv -f $(DESTDIR)$(libdir)/$$fn3.new \
- $(DESTDIR)$(libdir)/$$fn3; \
+ cp $$s3 "$(DESTDIR)$(libdir)/$$fn3.new"; \
+ chmod 755 "$(DESTDIR)$(libdir)/$$fn3.new"; \
+ mv -f "$(DESTDIR)$(libdir)/$$fn3.new" \
+ "$(DESTDIR)$(libdir)/$$fn3"; \
fi; \
: {- output_off() if windowsdll(); output_on() if sharedaix(); "" -}; \
- a=$(DESTDIR)$(libdir)/$$fn2; \
+ a="$(DESTDIR)$(libdir)/$$fn2"; \
$(ECHO) "install $$s1 -> $$a"; \
if [ -f $$a ]; then ( trap "rm -rf /tmp/ar.$$$$" INT 0; \
mkdir /tmp/ar.$$$$; ( cd /tmp/ar.$$$$; \
@@ -755,35 +756,35 @@ install_dev: install_runtime_libs
: {- output_off() if sharedaix(); output_on(); "" -}; \
done
@ : {- output_on() if $disabled{shared}; "" -}
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(libdir)/pkgconfig
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(libdir)/pkgconfig"
@$(ECHO) "install libcrypto.pc -> $(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc"
- @cp libcrypto.pc $(DESTDIR)$(libdir)/pkgconfig
- @chmod 644 $(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc
+ @cp libcrypto.pc "$(DESTDIR)$(libdir)/pkgconfig"
+ @chmod 644 "$(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc"
@$(ECHO) "install libssl.pc -> $(DESTDIR)$(libdir)/pkgconfig/libssl.pc"
- @cp libssl.pc $(DESTDIR)$(libdir)/pkgconfig
- @chmod 644 $(DESTDIR)$(libdir)/pkgconfig/libssl.pc
+ @cp libssl.pc "$(DESTDIR)$(libdir)/pkgconfig"
+ @chmod 644 "$(DESTDIR)$(libdir)/pkgconfig/libssl.pc"
@$(ECHO) "install openssl.pc -> $(DESTDIR)$(libdir)/pkgconfig/openssl.pc"
- @cp openssl.pc $(DESTDIR)$(libdir)/pkgconfig
- @chmod 644 $(DESTDIR)$(libdir)/pkgconfig/openssl.pc
+ @cp openssl.pc "$(DESTDIR)$(libdir)/pkgconfig"
+ @chmod 644 "$(DESTDIR)$(libdir)/pkgconfig/openssl.pc"
uninstall_dev: uninstall_runtime_libs
@$(ECHO) "*** Uninstalling development files"
@ : {- output_off() if $disabled{uplink}; "" -}
@$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
- @$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
+ @$(RM) "$(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
@ : {- output_on() if $disabled{uplink}; "" -}
@set -e; for i in $(SRCDIR)/include/openssl/*.h \
$(BLDDIR)/include/openssl/*.h; do \
fn=`basename $$i`; \
$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \
- $(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \
+ $(RM) "$(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \
done
- -$(RMDIR) $(DESTDIR)$(INSTALLTOP)/include/openssl
- -$(RMDIR) $(DESTDIR)$(INSTALLTOP)/include
+ -$(RMDIR) "$(DESTDIR)$(INSTALLTOP)/include/openssl"
+ -$(RMDIR) "$(DESTDIR)$(INSTALLTOP)/include"
@set -e; for l in $(INSTALL_LIBS); do \
fn=`basename $$l`; \
$(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn"; \
- $(RM) $(DESTDIR)$(libdir)/$$fn; \
+ $(RM) "$(DESTDIR)$(libdir)/$$fn"; \
done
@ : {- output_off() if $disabled{shared}; "" -}
@set -e; for s in $(INSTALL_SHLIB_INFO); do \
@@ -795,39 +796,39 @@ uninstall_dev: uninstall_runtime_libs
fn3=`basename "$$s3"`; \
: {- output_off() if windowsdll(); "" -}; \
$(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn1"; \
- $(RM) $(DESTDIR)$(libdir)/$$fn1; \
+ $(RM) "$(DESTDIR)$(libdir)/$$fn1"; \
if [ -n "$$fn2" ]; then \
$(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn2"; \
- $(RM) $(DESTDIR)$(libdir)/$$fn2; \
+ $(RM) "$(DESTDIR)$(libdir)/$$fn2"; \
fi; \
: {- output_on() if windowsdll(); "" -}{- output_off() unless windowsdll(); "" -}; \
if [ -n "$$fn3" ]; then \
$(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn3"; \
- $(RM) $(DESTDIR)$(libdir)/$$fn3; \
+ $(RM) "$(DESTDIR)$(libdir)/$$fn3"; \
fi; \
: {- output_on() unless windowsdll(); "" -}; \
done
@ : {- output_on() if $disabled{shared}; "" -}
- $(RM) $(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc
- $(RM) $(DESTDIR)$(libdir)/pkgconfig/libssl.pc
- $(RM) $(DESTDIR)$(libdir)/pkgconfig/openssl.pc
- -$(RMDIR) $(DESTDIR)$(libdir)/pkgconfig
- -$(RMDIR) $(DESTDIR)$(libdir)
+ $(RM) "$(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc"
+ $(RM) "$(DESTDIR)$(libdir)/pkgconfig/libssl.pc"
+ $(RM) "$(DESTDIR)$(libdir)/pkgconfig/openssl.pc"
+ -$(RMDIR) "$(DESTDIR)$(libdir)/pkgconfig"
+ -$(RMDIR) "$(DESTDIR)$(libdir)"
_install_modules_deps: install_runtime_libs build_modules
install_engines: _install_modules_deps
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(ENGINESDIR)/
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(ENGINESDIR)/"
@$(ECHO) "*** Installing engines"
@set -e; for e in dummy $(INSTALL_ENGINES); do \
if [ "$$e" = "dummy" ]; then continue; fi; \
fn=`basename $$e`; \
$(ECHO) "install $$e -> $(DESTDIR)$(ENGINESDIR)/$$fn"; \
- cp $$e $(DESTDIR)$(ENGINESDIR)/$$fn.new; \
- chmod 755 $(DESTDIR)$(ENGINESDIR)/$$fn.new; \
- mv -f $(DESTDIR)$(ENGINESDIR)/$$fn.new \
- $(DESTDIR)$(ENGINESDIR)/$$fn; \
+ cp $$e "$(DESTDIR)$(ENGINESDIR)/$$fn.new"; \
+ chmod 755 "$(DESTDIR)$(ENGINESDIR)/$$fn.new"; \
+ mv -f "$(DESTDIR)$(ENGINESDIR)/$$fn.new" \
+ "$(DESTDIR)$(ENGINESDIR)/$$fn"; \
done
uninstall_engines:
@@ -836,22 +837,22 @@ uninstall_engines:
if [ "$$e" = "dummy" ]; then continue; fi; \
fn=`basename $$e`; \
$(ECHO) "$(RM) $(DESTDIR)$(ENGINESDIR)/$$fn"; \
- $(RM) $(DESTDIR)$(ENGINESDIR)/$$fn; \
+ $(RM) "$(DESTDIR)$(ENGINESDIR)/$$fn"; \
done
- -$(RMDIR) $(DESTDIR)$(ENGINESDIR)
+ -$(RMDIR) "$(DESTDIR)$(ENGINESDIR)"
install_modules: _install_modules_deps
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MODULESDIR)/
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MODULESDIR)/"
@$(ECHO) "*** Installing modules"
@set -e; for e in dummy $(INSTALL_MODULES); do \
if [ "$$e" = "dummy" ]; then continue; fi; \
fn=`basename $$e`; \
$(ECHO) "install $$e -> $(DESTDIR)$(MODULESDIR)/$$fn"; \
- cp $$e $(DESTDIR)$(MODULESDIR)/$$fn.new; \
- chmod 755 $(DESTDIR)$(MODULESDIR)/$$fn.new; \
- mv -f $(DESTDIR)$(MODULESDIR)/$$fn.new \
- $(DESTDIR)$(MODULESDIR)/$$fn; \
+ cp $$e "$(DESTDIR)$(MODULESDIR)/$$fn.new"; \
+ chmod 755 "$(DESTDIR)$(MODULESDIR)/$$fn.new"; \
+ mv -f "$(DESTDIR)$(MODULESDIR)/$$fn.new" \
+ "$(DESTDIR)$(MODULESDIR)/$$fn"; \
done
uninstall_modules:
@@ -860,18 +861,18 @@ uninstall_modules:
if [ "$$e" = "dummy" ]; then continue; fi; \
fn=`basename $$e`; \
$(ECHO) "$(RM) $(DESTDIR)$(MODULESDIR)/$$fn"; \
- $(RM) $(DESTDIR)$(MODULESDIR)/$$fn; \
+ $(RM) "$(DESTDIR)$(MODULESDIR)/$$fn"; \
done
- -$(RMDIR) $(DESTDIR)$(MODULESDIR)
+ -$(RMDIR) "$(DESTDIR)$(MODULESDIR)"
install_runtime: install_programs
install_runtime_libs: build_libs
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@ : {- output_off() if windowsdll(); "" -}
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(libdir)
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(libdir)"
@ : {- output_on() if windowsdll(); output_off() unless windowsdll(); "" -}
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/bin
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(INSTALLTOP)/bin"
@ : {- output_on() unless windowsdll(); "" -}
@$(ECHO) "*** Installing runtime libraries"
@set -e; for s in dummy $(INSTALL_SHLIBS); do \
@@ -879,40 +880,40 @@ install_runtime_libs: build_libs
fn=`basename $$s`; \
: {- output_off() unless windowsdll(); "" -}; \
$(ECHO) "install $$s -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
- cp $$s $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
- chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
- mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \
- $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+ cp $$s "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \
+ chmod 755 "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \
+ mv -f "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new" \
+ "$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
: {- output_on() unless windowsdll(); "" -}{- output_off() if windowsdll(); "" -}; \
$(ECHO) "install $$s -> $(DESTDIR)$(libdir)/$$fn"; \
- cp $$s $(DESTDIR)$(libdir)/$$fn.new; \
- chmod 755 $(DESTDIR)$(libdir)/$$fn.new; \
- mv -f $(DESTDIR)$(libdir)/$$fn.new \
- $(DESTDIR)$(libdir)/$$fn; \
+ cp $$s "$(DESTDIR)$(libdir)/$$fn.new"; \
+ chmod 755 "$(DESTDIR)$(libdir)/$$fn.new"; \
+ mv -f "$(DESTDIR)$(libdir)/$$fn.new" \
+ "$(DESTDIR)$(libdir)/$$fn"; \
: {- output_on() if windowsdll(); "" -}; \
done
install_programs: install_runtime_libs build_programs
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/bin
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(INSTALLTOP)/bin"
@$(ECHO) "*** Installing runtime programs"
@set -e; for x in dummy $(INSTALL_PROGRAMS); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "install $$x -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
- cp $$x $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
- chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
- mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \
- $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+ cp $$x "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \
+ chmod 755 "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \
+ mv -f "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new" \
+ "$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
done
@set -e; for x in dummy $(BIN_SCRIPTS); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "install $$x -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
- cp $$x $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
- chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
- mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \
- $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+ cp $$x "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \
+ chmod 755 "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \
+ mv -f "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new" \
+ "$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
done
uninstall_runtime: uninstall_programs uninstall_runtime_libs
@@ -924,16 +925,16 @@ uninstall_programs:
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
- $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+ $(RM) "$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
done;
@set -e; for x in dummy $(BIN_SCRIPTS); \
do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
- $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+ $(RM) "$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
done
- -$(RMDIR) $(DESTDIR)$(INSTALLTOP)/bin
+ -$(RMDIR) "$(DESTDIR)$(INSTALLTOP)/bin"
uninstall_runtime_libs:
@$(ECHO) "*** Uninstalling runtime libraries"
@@ -942,49 +943,49 @@ uninstall_runtime_libs:
if [ "$$s" = "dummy" ]; then continue; fi; \
fn=`basename $$s`; \
$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
- $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+ $(RM) "$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
done
@ : {- output_on() unless windowsdll(); "" -}
install_man_docs: build_man_docs
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MANDIR)/man1
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MANDIR)/man3
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MANDIR)/man5
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MANDIR)/man7
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MANDIR)/man1"
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MANDIR)/man3"
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MANDIR)/man5"
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MANDIR)/man7"
@$(ECHO) "*** Installing manpages"
@set -e; for x in dummy $(MANDOCS1); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "install $$x -> $(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX)"; \
- cp $$x $(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX); \
- chmod 644 $(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX); \
- $(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man1 $(BLDDIR)/doc/man1 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man1; \
+ cp $$x "$(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX)"; \
+ chmod 644 "$(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX)"; \
+ $(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man1 $(BLDDIR)/doc/man1 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man1"; \
done
@set -e; for x in dummy $(MANDOCS3); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "install $$x -> $(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX)"; \
- cp $$x $(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX); \
- chmod 644 $(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX); \
- $(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man3 $(BLDDIR)/doc/man3 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man3; \
+ cp $$x "$(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX)"; \
+ chmod 644 "$(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX)"; \
+ $(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man3 $(BLDDIR)/doc/man3 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man3"; \
done
@set -e; for x in dummy $(MANDOCS5); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "install $$x -> $(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX)"; \
- cp $$x $(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX); \
- chmod 644 $(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX); \
- $(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man5 $(BLDDIR)/doc/man5 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man5; \
+ cp $$x "$(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX)"; \
+ chmod 644 "$(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX)"; \
+ $(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man5 $(BLDDIR)/doc/man5 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man5"; \
done
@set -e; for x in dummy $(MANDOCS7); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "install $$x -> $(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX)"; \
- cp $$x $(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX); \
- chmod 644 $(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX); \
- $(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man7 $(BLDDIR)/doc/man7 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man7; \
+ cp $$x "$(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX)"; \
+ chmod 644 "$(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX)"; \
+ $(PERL) $(SRCDIR)/util/write-man-symlinks install $(SRCDIR)/doc/man7 $(BLDDIR)/doc/man7 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man7"; \
done
uninstall_man_docs: build_man_docs
@@ -993,65 +994,65 @@ uninstall_man_docs: build_man_docs
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "$(RM) $(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX)"; \
- $(RM) $(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX); \
- $(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man1 $(BLDDIR)/doc/man1 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man1; \
+ $(RM) "$(DESTDIR)$(MANDIR)/man1/$${fn}$(MANSUFFIX)"; \
+ $(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man1 $(BLDDIR)/doc/man1 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man1"; \
done
@set -e; for x in dummy $(MANDOCS3); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "$(RM) $(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX)"; \
- $(RM) $(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX); \
- $(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man3 $(BLDDIR)/doc/man3 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man3; \
+ $(RM) "$(DESTDIR)$(MANDIR)/man3/$${fn}$(MANSUFFIX)"; \
+ $(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man3 $(BLDDIR)/doc/man3 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man3"; \
done
@set -e; for x in dummy $(MANDOCS5); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "$(RM) $(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX)"; \
- $(RM) $(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX); \
- $(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man5 $(BLDDIR)/doc/man5 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man5; \
+ $(RM) "$(DESTDIR)$(MANDIR)/man5/$${fn}$(MANSUFFIX)"; \
+ $(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man5 $(BLDDIR)/doc/man5 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man5"; \
done
@set -e; for x in dummy $(MANDOCS7); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "$(RM) $(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX)"; \
- $(RM) $(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX); \
- $(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man7 $(BLDDIR)/doc/man7 $${fn}$(MANSUFFIX) $(DESTDIR)$(MANDIR)/man7; \
+ $(RM) "$(DESTDIR)$(MANDIR)/man7/$${fn}$(MANSUFFIX)"; \
+ $(PERL) $(SRCDIR)/util/write-man-symlinks uninstall $(SRCDIR)/doc/man7 $(BLDDIR)/doc/man7 $${fn}$(MANSUFFIX) "$(DESTDIR)$(MANDIR)/man7"; \
done
install_html_docs: install_image_docs build_html_docs
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(HTMLDIR)/man1
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(HTMLDIR)/man3
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(HTMLDIR)/man5
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(HTMLDIR)/man7
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(HTMLDIR)/man1"
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(HTMLDIR)/man3"
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(HTMLDIR)/man5"
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(HTMLDIR)/man7"
@$(ECHO) "*** Installing HTML manpages"
@set -e; for x in dummy $(HTMLDOCS1); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "install $$x -> $(DESTDIR)$(HTMLDIR)/man1/$$fn"; \
- cp $$x $(DESTDIR)$(HTMLDIR)/man1/$$fn; \
- chmod 644 $(DESTDIR)$(HTMLDIR)/man1/$$fn; \
+ cp $$x "$(DESTDIR)$(HTMLDIR)/man1/$$fn"; \
+ chmod 644 "$(DESTDIR)$(HTMLDIR)/man1/$$fn"; \
done
@set -e; for x in dummy $(HTMLDOCS3); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "install $$x -> $(DESTDIR)$(HTMLDIR)/man3/$$fn"; \
- cp $$x $(DESTDIR)$(HTMLDIR)/man3/$$fn; \
- chmod 644 $(DESTDIR)$(HTMLDIR)/man3/$$fn; \
+ cp $$x "$(DESTDIR)$(HTMLDIR)/man3/$$fn"; \
+ chmod 644 "$(DESTDIR)$(HTMLDIR)/man3/$$fn"; \
done
@set -e; for x in dummy $(HTMLDOCS5); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "install $$x -> $(DESTDIR)$(HTMLDIR)/man5/$$fn"; \
- cp $$x $(DESTDIR)$(HTMLDIR)/man5/$$fn; \
- chmod 644 $(DESTDIR)$(HTMLDIR)/man5/$$fn; \
+ cp $$x "$(DESTDIR)$(HTMLDIR)/man5/$$fn"; \
+ chmod 644 "$(DESTDIR)$(HTMLDIR)/man5/$$fn"; \
done
@set -e; for x in dummy $(HTMLDOCS7); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "install $$x -> $(DESTDIR)$(HTMLDIR)/man7/$$fn"; \
- cp $$x $(DESTDIR)$(HTMLDIR)/man7/$$fn; \
- chmod 644 $(DESTDIR)$(HTMLDIR)/man7/$$fn; \
+ cp $$x "$(DESTDIR)$(HTMLDIR)/man7/$$fn"; \
+ chmod 644 "$(DESTDIR)$(HTMLDIR)/man7/$$fn"; \
done
uninstall_html_docs: uninstall_image_docs
@@ -1060,35 +1061,35 @@ uninstall_html_docs: uninstall_image_docs
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "$(RM) $(DESTDIR)$(HTMLDIR)/man1/$$fn"; \
- $(RM) $(DESTDIR)$(HTMLDIR)/man1/$$fn; \
+ $(RM) "$(DESTDIR)$(HTMLDIR)/man1/$$fn"; \
done
@set -e; for x in dummy $(HTMLDOCS3); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "$(RM) $(DESTDIR)$(HTMLDIR)/man3/$$fn"; \
- $(RM) $(DESTDIR)$(HTMLDIR)/man3/$$fn; \
+ $(RM) "$(DESTDIR)$(HTMLDIR)/man3/$$fn"; \
done
@set -e; for x in dummy $(HTMLDOCS5); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "$(RM) $(DESTDIR)$(HTMLDIR)/man5/$$fn"; \
- $(RM) $(DESTDIR)$(HTMLDIR)/man5/$$fn; \
+ $(RM) "$(DESTDIR)$(HTMLDIR)/man5/$$fn"; \
done
@set -e; for x in dummy $(HTMLDOCS7); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "$(RM) $(DESTDIR)$(HTMLDIR)/man7/$$fn"; \
- $(RM) $(DESTDIR)$(HTMLDIR)/man7/$$fn; \
+ $(RM) "$(DESTDIR)$(HTMLDIR)/man7/$$fn"; \
done
install_image_docs:
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(HTMLDIR)/man7/img
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(HTMLDIR)/man7/img"
@set -e; for x in dummy $(IMAGEDOCS7); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "install $$x -> $(DESTDIR)$(HTMLDIR)/man7/img/$$fn"; \
- cp $(SRCDIR)/$$x $(DESTDIR)$(HTMLDIR)/man7/img/$$fn; \
- chmod 644 $(DESTDIR)$(HTMLDIR)/man7/img/$$fn; \
+ cp $(SRCDIR)/$$x "$(DESTDIR)$(HTMLDIR)/man7/img/$$fn"; \
+ chmod 644 "$(DESTDIR)$(HTMLDIR)/man7/img/$$fn"; \
done
uninstall_image_docs:
@@ -1096,7 +1097,7 @@ uninstall_image_docs:
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "$(RM) $(DESTDIR)$(HTMLDIR)/man7/img/$$fn"; \
- $(RM) $(DESTDIR)$(HTMLDIR)/man7/img/$$fn; \
+ $(RM) "$(DESTDIR)$(HTMLDIR)/man7/img/$$fn"; \
done
# Developer targets (note: these are only available on Unix) #########
diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl
index b8a1abc8..c36efc7d 100644
--- a/Configurations/windows-makefile.tmpl
+++ b/Configurations/windows-makefile.tmpl
@@ -294,7 +294,7 @@ RCOUTFLAG={- $target{rcoutflag} -}$(OSSL_EMPTY)
CNF_ASFLAGS={- join(' ', $target{asflags} || (),
@{$config{asflags}}) -}
-CNF_CPPFLAGS={- our $cppfags2 =
+CNF_CPPFLAGS={- our $cppflags2 =
join(' ', $target{cppflags} || (),
(map { '-D'.quotify1($_) } @{$target{defines}},
@{$config{defines}}),
@@ -440,6 +440,8 @@ all: build_sw build_docs
test: tests
{- dependmagic('tests'); -}: build_programs_nodep build_modules_nodep copy-utils
+ $(MAKE) /$(MAKEFLAGS) run_tests
+run_tests:
@{- output_off() if $disabled{tests}; "\@rem" -}
cmd /C "set "SRCTOP=$(SRCDIR)" & set "BLDTOP=$(BLDDIR)" & set "PERL=$(PERL)" & set "FIPSKEY=$(FIPSKEY)" & "$(PERL)" "$(SRCDIR)\test\run_tests.pl" $(TESTS)"
@{- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -}
diff --git a/Configure b/Configure
index dd06aa48..84cc4094 100755
--- a/Configure
+++ b/Configure
@@ -933,8 +933,6 @@ while (@argvcopy)
if (/^--prefix=(.*)$/)
{
$config{prefix}=$1;
- die "Directory given with --prefix MUST be absolute\n"
- unless file_name_is_absolute($config{prefix});
}
elsif (/^--api=(.*)$/)
{
@@ -1377,6 +1375,11 @@ foreach (keys %useradd) {
# At this point, we can forget everything about %user and %useradd,
# because it's now all been merged into the corresponding $config entry
+if ($config{prefix} && !$config{CROSS_COMPILE}) {
+ die "Directory given with --prefix MUST be absolute\n"
+ unless file_name_is_absolute($config{prefix});
+}
+
if (grep { $_ =~ /(?:^|\s)-static(?:\s|$)/ } @{$config{LDFLAGS}}) {
disable('static', 'pic', 'threads');
}
@@ -1832,11 +1835,12 @@ if ($builder eq "unified") {
my $base = shift;
my $dir = shift;
my $relativeto = shift || ".";
+ my $no_mkpath = shift // 0;
$dir = catdir($base,$dir) unless isabsolute($dir);
# Make sure the directories we're building in exists
- mkpath($dir);
+ mkpath($dir) unless $no_mkpath;
my $res = abs2rel(absolutedir($dir), rel2abs($relativeto));
#print STDERR "DEBUG[cleandir]: $dir , $base => $res\n";
@@ -1847,6 +1851,7 @@ if ($builder eq "unified") {
my $base = shift;
my $file = shift;
my $relativeto = shift || ".";
+ my $no_mkpath = shift // 0;
$file = catfile($base,$file) unless isabsolute($file);
@@ -1854,7 +1859,7 @@ if ($builder eq "unified") {
my $f = basename($file);
# Make sure the directories we're building in exists
- mkpath($d);
+ mkpath($d) unless $no_mkpath;
my $res = abs2rel(catfile(absolutedir($d), $f), rel2abs($relativeto));
#print STDERR "DEBUG[cleanfile]: $d , $f => $res\n";
@@ -1884,7 +1889,7 @@ if ($builder eq "unified") {
}
# Then, look in our standard directory
push @build_file_templates,
- ( map { cleanfile($srcdir, catfile("Configurations", $_), $blddir) }
+ ( map { cleanfile($srcdir, catfile("Configurations", $_), $blddir, 1) }
@build_file_template_names );
my $build_file_template;
@@ -1899,7 +1904,7 @@ if ($builder eq "unified") {
}
$config{build_file_templates}
= [ cleanfile($srcdir, catfile("Configurations", "common0.tmpl"),
- $blddir),
+ $blddir, 1),
$build_file_template ];
my @build_dirs = ( [ ] ); # current directory
@@ -1908,7 +1913,7 @@ if ($builder eq "unified") {
# We want to detect configdata.pm in the source tree, so we
# don't use it if the build tree is different.
- my $src_configdata = cleanfile($srcdir, "configdata.pm", $blddir);
+ my $src_configdata = cleanfile($srcdir, "configdata.pm", $blddir, 1);
# Any source file that we recognise is placed in this hash table, with
# the list of its intended destinations as value. When everything has
@@ -2261,7 +2266,7 @@ EOF
my $dest = $_;
my $ddest = cleanfile($buildd, $_, $blddir);
foreach (@{$sources{$dest}}) {
- my $s = cleanfile($sourced, $_, $blddir);
+ my $s = cleanfile($sourced, $_, $blddir, 1);
# If it's generated or we simply don't find it in the source
# tree, we assume it's in the build tree.
@@ -2306,7 +2311,7 @@ EOF
my $dest = $_;
my $ddest = cleanfile($buildd, $_, $blddir);
foreach (@{$shared_sources{$dest}}) {
- my $s = cleanfile($sourced, $_, $blddir);
+ my $s = cleanfile($sourced, $_, $blddir, 1);
# If it's generated or we simply don't find it in the source
# tree, we assume it's in the build tree.
@@ -2361,7 +2366,7 @@ EOF
if scalar @{$generate{$_}} > 1;
my @generator = split /\s+/, $generate{$dest}->[0];
my $gen = $generator[0];
- $generator[0] = cleanfile($sourced, $gen, $blddir);
+ $generator[0] = cleanfile($sourced, $gen, $blddir, 1);
# If the generator is itself generated, it's in the build tree
if ($generate{$gen} || ! -f $generator[0]) {
@@ -2387,7 +2392,7 @@ EOF
} elsif ($dest eq '') {
$ddest = '';
} else {
- $ddest = cleanfile($sourced, $_, $blddir);
+ $ddest = cleanfile($sourced, $_, $blddir, 1);
# If the destination doesn't exist in source, it can only be
# a generated file in the build tree.
@@ -2396,7 +2401,7 @@ EOF
}
}
foreach (@{$depends{$dest}}) {
- my $d = cleanfile($sourced, $_, $blddir);
+ my $d = cleanfile($sourced, $_, $blddir, 1);
my $d2 = cleanfile($buildd, $_, $blddir);
# If we know it's generated, or assume it is because we can't
@@ -2419,7 +2424,7 @@ EOF
foreach (keys %includes) {
my $dest = $_;
- my $ddest = cleanfile($sourced, $_, $blddir);
+ my $ddest = cleanfile($sourced, $_, $blddir, 1);
# If the destination doesn't exist in source, it can only be
# a generated file in the build tree.
@@ -2427,7 +2432,7 @@ EOF
$ddest = cleanfile($buildd, $_, $blddir);
}
foreach (@{$includes{$dest}}) {
- my $is = cleandir($sourced, $_, $blddir);
+ my $is = cleandir($sourced, $_, $blddir, 1);
my $ib = cleandir($buildd, $_, $blddir);
push @{$unified_info{includes}->{$ddest}->{source}}, $is
unless grep { $_ eq $is } @{$unified_info{includes}->{$ddest}->{source}};
@@ -2440,7 +2445,7 @@ EOF
my $ddest;
if ($dest ne "") {
- $ddest = cleanfile($sourced, $dest, $blddir);
+ $ddest = cleanfile($sourced, $dest, $blddir, 1);
# If the destination doesn't exist in source, it can only
# be a generated file in the build tree.
@@ -2822,7 +2827,7 @@ my %template_vars = (
my $configdata_outname = 'configdata.pm';
open CONFIGDATA, ">$configdata_outname.new"
or die "Trying to create $configdata_outname.new: $!";
-my $configdata_tmplname = cleanfile($srcdir, "configdata.pm.in", $blddir);
+my $configdata_tmplname = cleanfile($srcdir, "configdata.pm.in", $blddir, 1);
my $configdata_tmpl =
OpenSSL::Template->new(TYPE => 'FILE', SOURCE => $configdata_tmplname);
$configdata_tmpl->fill_in(
diff --git a/INSTALL.md b/INSTALL.md
index ad4a5102..fef408e9 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -2,8 +2,8 @@ Build and Install
=================
This document describes installation on all supported operating
-systems (the Unix/Linux family, including macOS), OpenVMS,
-and Windows).
+systems: the Unix/Linux family (including macOS), OpenVMS,
+and Windows.
Table of Contents
=================
diff --git a/NEWS.md b/NEWS.md
index f7ca47ba..d9a48b15 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -18,6 +18,23 @@ OpenSSL Releases
OpenSSL 3.0
-----------
+### Major changes between OpenSSL 3.0.12 and OpenSSL 3.0.13 [30 Jan 2024]
+
+ * Fixed PKCS12 Decoding crashes
+ ([CVE-2024-0727])
+ * Fixed Excessive time spent checking invalid RSA public keys
+ ([CVE-2023-6237])
+ * Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC
+ CPUs which support PowerISA 2.07
+ ([CVE-2023-6129])
+ * Fix excessive time spent in DH check / generation with large Q parameter
+ value ([CVE-2023-5678])
+
+### Major changes between OpenSSL 3.0.11 and OpenSSL 3.0.12 [24 Oct 2023]
+
+ * Mitigate incorrect resize handling for symmetric cipher keys and IVs.
+ ([CVE-2023-5363])
+
### Major changes between OpenSSL 3.0.10 and OpenSSL 3.0.11 [19 Sep 2023]
* Fix POLY1305 MAC implementation corrupting XMM registers on Windows
@@ -1453,6 +1470,11 @@ OpenSSL 0.9.x
<!-- Links -->
+[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
+[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
+[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
+[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
+[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
diff --git a/README.md b/README.md
index b848d050..5184a461 100644
--- a/README.md
+++ b/README.md
@@ -166,7 +166,7 @@ attempting to develop or distribute cryptographic code.
Copyright
=========
-Copyright (c) 1998-2023 The OpenSSL Project
+Copyright (c) 1998-2024 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/VERSION.dat b/VERSION.dat
index c4157a86..3ee1a6f8 100644
--- a/VERSION.dat
+++ b/VERSION.dat
@@ -1,7 +1,7 @@
MAJOR=3
MINOR=0
-PATCH=11
+PATCH=13
PRE_RELEASE_TAG=
BUILD_METADATA=
-RELEASE_DATE="19 Sep 2023"
+RELEASE_DATE="30 Jan 2024"
SHLIB_VERSION=3
diff --git a/VMS/openssl_ivp.com.in b/VMS/openssl_ivp.com.in
index 6810792b..582e1fe1 100644
--- a/VMS/openssl_ivp.com.in
+++ b/VMS/openssl_ivp.com.in
@@ -21,9 +21,9 @@ $ @'INSTALLTOP_'SYS$STARTUP]openssl_startup'v'
$ @'INSTALLTOP_'SYS$STARTUP]openssl_utils'v'
$
$ IF F$SEARCH("OSSL$LIBCRYPTO''pz'") .EQS. "" -
- .OR. F$SEARCH("OSSL$LIBSSL''pz'") .EQS. "" {- output_off() if $config{no_shared}; "" -}-
+ .OR. F$SEARCH("OSSL$LIBSSL''pz'") .EQS. "" {- output_off() if $disabled{shared}; "" -}-
.OR. F$SEARCH("OSSL$LIBCRYPTO_SHR''pz'") .EQS. "" -
- .OR. F$SEARCH("OSSL$LIBSSL_SHR''pz'") .EQS. "" {- output_on() if $config{no_shared}; "" -}-
+ .OR. F$SEARCH("OSSL$LIBSSL_SHR''pz'") .EQS. "" {- output_on() if $disabled{shared}; "" -}-
.OR. F$SEARCH("OSSL$INCLUDE:[OPENSSL]crypto.h") .EQS. "" -
.OR. F$SEARCH("OPENSSL:crypto.h") .EQS. "" -
.OR. F$SEARCH("OSSL$EXE:OPENSSL''v'.EXE") .EQS. ""
diff --git a/VMS/openssl_shutdown.com.in b/VMS/openssl_shutdown.com.in
index 4193c900..c2b9cf6c 100644
--- a/VMS/openssl_shutdown.com.in
+++ b/VMS/openssl_shutdown.com.in
@@ -39,19 +39,19 @@ $ DEAS OSSL$MODULES'pz'
$ DEAS OSSL$EXE
$ DEAS OSSL$LIBCRYPTO'pz'
$ DEAS OSSL$LIBSSL'pz'
-${- output_off() if $config{no_shared}; "" -}
+${- output_off() if $disabled{shared}; "" -}
$ DEAS OSSL$LIBCRYPTO'sv'_SHR'pz'
$ DEAS OSSL$LIBSSL'sv'_SHR'pz'
-${- output_on() if $config{no_shared}; "" -}
+${- output_on() if $disabled{shared}; "" -}
$ DEAS OPENSSL
$
$ IF P2 .NES. "NOALIASES"
$ THEN
$ DEAS OSSL$ENGINES'pz'
-${- output_off() if $config{no_shared}; "" -}
+${- output_off() if $disabled{shared}; "" -}
$ DEAS OSSL$LIBCRYPTO_SHR'pz'
$ DEAS OSSL$LIBSSL_SHR'pz'
-${- output_on() if $config{no_shared}; "" -}
+${- output_on() if $disabled{shared}; "" -}
$ ENDIF
$
$ EXIT 'status'
diff --git a/VMS/openssl_startup.com.in b/VMS/openssl_startup.com.in
index bbf3e3b4..738f508d 100644
--- a/VMS/openssl_startup.com.in
+++ b/VMS/openssl_startup.com.in
@@ -103,19 +103,19 @@ $ DEF OSSL$EXE OSSL$INSTROOT:[EXE.'arch'],-
OSSL$INSTROOT:[EXE]
$ DEF OSSL$LIBCRYPTO'pz' OSSL$LIB:OSSL$LIBCRYPTO'pz'.OLB
$ DEF OSSL$LIBSSL'pz' OSSL$LIB:OSSL$LIBSSL'pz'.OLB
-${- output_off() if $config{no_shared}; "" -}
+${- output_off() if $disabled{shared}; "" -}
$ DEF OSSL$LIBCRYPTO'sv'_SHR'pz' OSSL$SHARE:OSSL$LIBCRYPTO'sv'_SHR'pz'.EXE
$ DEF OSSL$LIBSSL'sv'_SHR'pz' OSSL$SHARE:OSSL$LIBSSL'sv'_SHR'pz'.EXE
-${- output_on() if $config{no_shared}; "" -}
+${- output_on() if $disabled{shared}; "" -}
$ DEF OPENSSL OSSL$INCLUDE:[OPENSSL]
$
$ IF P2 .NES. "NOALIASES"
$ THEN
$ DEF OSSL$ENGINES'pz' OSSL$ENGINES'sv''pz'
-${- output_off() if $config{no_shared}; "" -}
+${- output_off() if $disabled{shared}; "" -}
$ DEF OSSL$LIBCRYPTO_SHR'pz' OSSL$LIBCRYPTO'sv'_SHR'pz'
$ DEF OSSL$LIBSSL_SHR'pz' OSSL$LIBSSL'sv'_SHR'pz'
-${- output_on() if $config{no_shared}; "" -}
+${- output_on() if $disabled{shared}; "" -}
$ ENDIF
$
$ bailout:
diff --git a/apps/cms.c b/apps/cms.c
index 0d1730c5..3994cb0f 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -620,7 +620,8 @@ int cms_main(int argc, char **argv)
"recipient certificate file");
if (cert == NULL)
goto end;
- sk_X509_push(encerts, cert);
+ if (!sk_X509_push(encerts, cert))
+ goto end;
cert = NULL;
} else {
recipfile = opt_arg();
@@ -831,7 +832,8 @@ int cms_main(int argc, char **argv)
"recipient certificate file");
if (cert == NULL)
goto end;
- sk_X509_push(encerts, cert);
+ if (!sk_X509_push(encerts, cert))
+ goto end;
cert = NULL;
}
}
@@ -1413,6 +1415,7 @@ static CMS_ReceiptRequest
STACK_OF(OPENSSL_STRING) *rr_from)
{
STACK_OF(GENERAL_NAMES) *rct_to = NULL, *rct_from = NULL;
+ CMS_ReceiptRequest *rr;
rct_to = make_names_stack(rr_to);
if (rct_to == NULL)
@@ -1424,10 +1427,14 @@ static CMS_ReceiptRequest
} else {
rct_from = NULL;
}
- return CMS_ReceiptRequest_create0_ex(NULL, -1, rr_allorfirst, rct_from,
- rct_to, app_get0_libctx());
+ rr = CMS_ReceiptRequest_create0_ex(NULL, -1, rr_allorfirst, rct_from,
+ rct_to, app_get0_libctx());
+ if (rr == NULL)
+ goto err;
+ return rr;
err:
sk_GENERAL_NAMES_pop_free(rct_to, GENERAL_NAMES_free);
+ sk_GENERAL_NAMES_pop_free(rct_from, GENERAL_NAMES_free);
return NULL;
}
diff --git a/apps/dgst.c b/apps/dgst.c
index e1238919..3f02af0d 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -320,6 +320,8 @@ int dgst_main(int argc, char **argv)
sigkey = app_keygen(mac_ctx, mac_name, 0, 0 /* not verbose */);
/* Verbose output would make external-tests gost-engine fail */
EVP_PKEY_CTX_free(mac_ctx);
+ if (sigkey == NULL)
+ goto end;
}
if (hmac_key != NULL) {
diff --git a/apps/dhparam.c b/apps/dhparam.c
index 43906cea..2a54dca9 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -222,6 +222,8 @@ int dhparam_main(int argc, char **argv)
}
tmppkey = app_paramgen(ctx, alg);
+ if (tmppkey == NULL)
+ goto end;
EVP_PKEY_CTX_free(ctx);
ctx = NULL;
if (dsaparam) {
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index b5555282..ca91beb5 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -218,6 +218,8 @@ int dsaparam_main(int argc, char **argv)
goto end;
}
pkey = app_keygen(ctx, "DSA", numbits, verbose);
+ if (pkey == NULL)
+ goto end;
assert(private);
if (outformat == FORMAT_ASN1)
i = i2d_PrivateKey_bio(out, pkey);
diff --git a/apps/enc.c b/apps/enc.c
index b3bf4cc2..c275046c 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -624,7 +624,10 @@ int enc_main(int argc, char **argv)
}
}
if (!BIO_flush(wbio)) {
- BIO_printf(bio_err, "bad decrypt\n");
+ if (enc)
+ BIO_printf(bio_err, "bad encrypt\n");
+ else
+ BIO_printf(bio_err, "bad decrypt\n");
goto end;
}
diff --git a/apps/errstr.c b/apps/errstr.c
index 782705a7..21349d21 100644
--- a/apps/errstr.c
+++ b/apps/errstr.c
@@ -62,7 +62,7 @@ int errstr_main(int argc, char **argv)
/* All remaining arg are error code. */
ret = 0;
for (argv = opt_rest(); *argv != NULL; argv++) {
- if (sscanf(*argv, "%lx", &l) == 0) {
+ if (sscanf(*argv, "%lx", &l) <= 0) {
ret++;
} else {
ERR_error_string_n(l, buf, sizeof(buf));
diff --git a/apps/gendsa.c b/apps/gendsa.c
index 27feb793..8aefca65 100644
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -146,6 +146,8 @@ int gendsa_main(int argc, char **argv)
goto end;
}
pkey = app_keygen(ctx, "DSA", nbits, verbose);
+ if (pkey == NULL)
+ goto end;
assert(private);
if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout)) {
diff --git a/apps/genpkey.c b/apps/genpkey.c
index d00754ee..705e5c76 100644
--- a/apps/genpkey.c
+++ b/apps/genpkey.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -183,6 +183,8 @@ int genpkey_main(int argc, char **argv)
pkey = do_param ? app_paramgen(ctx, algname)
: app_keygen(ctx, algname, 0, 0 /* not verbose */);
+ if (pkey == NULL)
+ goto end;
if (do_param) {
rv = PEM_write_bio_Parameters(out, pkey);
diff --git a/apps/genrsa.c b/apps/genrsa.c
index 4436b7fa..6a683517 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -203,6 +203,8 @@ opthelp:
goto end;
}
pkey = app_keygen(ctx, "RSA", num, verbose);
+ if (pkey == NULL)
+ goto end;
if (verbose) {
BIGNUM *e = NULL;
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 572f6a3f..a632b0cf 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -960,10 +960,14 @@ int load_key_certs_crls_suppress(const char *uri, int format, int maybe_stdin,
ctx = OSSL_STORE_open_ex(uri, libctx, propq, get_ui_method(), &uidata,
params, NULL, NULL);
}
- if (ctx == NULL)
+ if (ctx == NULL) {
+ BIO_printf(bio_err, "Could not open file or uri for loading");
goto end;
- if (expect > 0 && !OSSL_STORE_expect(ctx, expect))
+ }
+ if (expect > 0 && !OSSL_STORE_expect(ctx, expect)) {
+ BIO_printf(bio_err, "Internal error trying to load");
goto end;
+ }
failed = NULL;
while (cnt_expectations > 0 && !OSSL_STORE_eof(ctx)) {
@@ -3359,8 +3363,8 @@ EVP_PKEY *app_keygen(EVP_PKEY_CTX *ctx, const char *alg, int bits, int verbose)
BIO_printf(bio_err, "Warning: generating random key material may take a long time\n"
"if the system has a poor entropy source\n");
if (EVP_PKEY_keygen(ctx, &res) <= 0)
- app_bail_out("%s: Error generating %s key\n", opt_getprog(),
- alg != NULL ? alg : "asymmetric");
+ BIO_printf(bio_err, "%s: Error generating %s key\n", opt_getprog(),
+ alg != NULL ? alg : "asymmetric");
return res;
}
@@ -3372,8 +3376,8 @@ EVP_PKEY *app_paramgen(EVP_PKEY_CTX *ctx, const char *alg)
BIO_printf(bio_err, "Warning: generating random key parameters may take a long time\n"
"if the system has a poor entropy source\n");
if (EVP_PKEY_paramgen(ctx, &res) <= 0)
- app_bail_out("%s: Generating %s key parameters failed\n",
- opt_getprog(), alg != NULL ? alg : "asymmetric");
+ BIO_printf(bio_err, "%s: Generating %s key parameters failed\n",
+ opt_getprog(), alg != NULL ? alg : "asymmetric");
return res;
}
diff --git a/apps/lib/opt.c b/apps/lib/opt.c
index 15736798..d56964db 100644
--- a/apps/lib/opt.c
+++ b/apps/lib/opt.c
@@ -696,7 +696,12 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
opt_printf_stderr("%s: Invalid Policy %s\n", prog, opt_arg());
return 0;
}
- X509_VERIFY_PARAM_add0_policy(vpm, otmp);
+ if (!X509_VERIFY_PARAM_add0_policy(vpm, otmp)) {
+ ASN1_OBJECT_free(otmp);
+ opt_printf_stderr("%s: Internal error adding Policy %s\n",
+ prog, opt_arg());
+ return 0;
+ }
break;
case OPT_V_PURPOSE:
/* purpose name -> purpose index */
diff --git a/apps/list.c b/apps/list.c
index 514abacf..0fcbcbb0 100644
--- a/apps/list.c
+++ b/apps/list.c
@@ -1209,9 +1209,11 @@ static int provider_cmp(const OSSL_PROVIDER * const *a,
static int collect_providers(OSSL_PROVIDER *provider, void *stack)
{
STACK_OF(OSSL_PROVIDER) *provider_stack = stack;
-
- sk_OSSL_PROVIDER_push(provider_stack, provider);
- return 1;
+ /*
+ * If OK - result is the index of inserted data
+ * Error - result is -1 or 0
+ */
+ return sk_OSSL_PROVIDER_push(provider_stack, provider) > 0 ? 1 : 0;
}
static void list_provider_info(void)
@@ -1226,11 +1228,19 @@ static void list_provider_info(void)
BIO_printf(bio_err, "ERROR: Memory allocation\n");
return;
}
+
+ if (OSSL_PROVIDER_do_all(NULL, &collect_providers, providers) != 1) {
+ BIO_printf(bio_err, "ERROR: Memory allocation\n");
+ return;
+ }
+
BIO_printf(bio_out, "Providers:\n");
- OSSL_PROVIDER_do_all(NULL, &collect_providers, providers);
sk_OSSL_PROVIDER_sort(providers);
for (i = 0; i < sk_OSSL_PROVIDER_num(providers); i++) {
const OSSL_PROVIDER *prov = sk_OSSL_PROVIDER_value(providers, i);
+ const char *provname = OSSL_PROVIDER_get0_name(prov);
+
+ BIO_printf(bio_out, " %s\n", provname);
/* Query the "known" information parameters, the order matches below */
params[0] = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_NAME,
@@ -1243,23 +1253,23 @@ static void list_provider_info(void)
params[4] = OSSL_PARAM_construct_end();
OSSL_PARAM_set_all_unmodified(params);
if (!OSSL_PROVIDER_get_params(prov, params)) {
- BIO_printf(bio_err, "ERROR: Unable to query provider parameters\n");
- return;
- }
-
- /* Print out the provider information, the params order matches above */
- BIO_printf(bio_out, " %s\n", OSSL_PROVIDER_get0_name(prov));
- if (OSSL_PARAM_modified(params))
- BIO_printf(bio_out, " name: %s\n", name);
- if (OSSL_PARAM_modified(params + 1))
- BIO_printf(bio_out, " version: %s\n", version);
- if (OSSL_PARAM_modified(params + 2))
- BIO_printf(bio_out, " status: %sactive\n", status ? "" : "in");
- if (verbose) {
- if (OSSL_PARAM_modified(params + 3))
- BIO_printf(bio_out, " build info: %s\n", buildinfo);
- print_param_types("gettable provider parameters",
- OSSL_PROVIDER_gettable_params(prov), 4);
+ BIO_printf(bio_err,
+ "WARNING: Unable to query provider parameters for %s\n",
+ provname);
+ } else {
+ /* Print out the provider information, the params order matches above */
+ if (OSSL_PARAM_modified(params))
+ BIO_printf(bio_out, " name: %s\n", name);
+ if (OSSL_PARAM_modified(params + 1))
+ BIO_printf(bio_out, " version: %s\n", version);
+ if (OSSL_PARAM_modified(params + 2))
+ BIO_printf(bio_out, " status: %sactive\n", status ? "" : "in");
+ if (verbose) {
+ if (OSSL_PARAM_modified(params + 3))
+ BIO_printf(bio_out, " build info: %s\n", buildinfo);
+ print_param_types("gettable provider parameters",
+ OSSL_PROVIDER_gettable_params(prov), 4);
+ }
}
}
sk_OSSL_PROVIDER_free(providers);
diff --git a/apps/rehash.c b/apps/rehash.c
index 5c6d5340..85eee385 100644
--- a/apps/rehash.c
+++ b/apps/rehash.c
@@ -45,9 +45,6 @@
# ifndef PATH_MAX
# define PATH_MAX 4096
# endif
-# ifndef NAME_MAX
-# define NAME_MAX 255
-# endif
# define MAX_COLLISIONS 256
# if defined(OPENSSL_SYS_VXWORKS)
@@ -355,21 +352,22 @@ static int do_dir(const char *dirname, enum Hash h)
OPENSSL_DIR_CTX *d = NULL;
struct stat st;
unsigned char idmask[MAX_COLLISIONS / 8];
- int n, numfiles, nextid, buflen, errs = 0;
- size_t i;
- const char *pathsep;
+ int n, numfiles, nextid, dirlen, buflen, errs = 0;
+ size_t i, fname_max_len = 20; /* maximum length of "%08x.r%d" */
+ const char *pathsep = "";
const char *filename;
- char *buf, *copy = NULL;
+ char *buf = NULL, *copy = NULL;
STACK_OF(OPENSSL_STRING) *files = NULL;
if (app_access(dirname, W_OK) < 0) {
BIO_printf(bio_err, "Skipping %s, can't write\n", dirname);
return 1;
}
- buflen = strlen(dirname);
- pathsep = (buflen && !ends_with_dirsep(dirname)) ? "/": "";
- buflen += NAME_MAX + 1 + 1;
- buf = app_malloc(buflen, "filename buffer");
+ dirlen = strlen(dirname);
+ if (dirlen != 0 && !ends_with_dirsep(dirname)) {
+ pathsep = "/";
+ dirlen++;
+ }
if (verbose)
BIO_printf(bio_out, "Doing %s\n", dirname);
@@ -380,17 +378,25 @@ static int do_dir(const char *dirname, enum Hash h)
goto err;
}
while ((filename = OPENSSL_DIR_read(&d, dirname)) != NULL) {
+ size_t fname_len = strlen(filename);
+
if ((copy = OPENSSL_strdup(filename)) == NULL
|| sk_OPENSSL_STRING_push(files, copy) == 0) {
OPENSSL_free(copy);
+ OPENSSL_DIR_end(&d);
BIO_puts(bio_err, "out of memory\n");
errs = 1;
goto err;
}
+ if (fname_len > fname_max_len)
+ fname_max_len = fname_len;
}
OPENSSL_DIR_end(&d);
sk_OPENSSL_STRING_sort(files);
+ buflen = dirlen + fname_max_len + 1;
+ buf = app_malloc(buflen, "filename buffer");
+
numfiles = sk_OPENSSL_STRING_num(files);
for (n = 0; n < numfiles; ++n) {
filename = sk_OPENSSL_STRING_value(files, n);
@@ -427,12 +433,12 @@ static int do_dir(const char *dirname, enum Hash h)
while (bit_isset(idmask, nextid))
nextid++;
- BIO_snprintf(buf, buflen, "%s%s%n%08x.%s%d",
- dirname, pathsep, &n, bp->hash,
+ BIO_snprintf(buf, buflen, "%s%s%08x.%s%d",
+ dirname, pathsep, bp->hash,
suffixes[bp->type], nextid);
if (verbose)
BIO_printf(bio_out, "link %s -> %s\n",
- ep->filename, &buf[n]);
+ ep->filename, &buf[dirlen]);
if (unlink(buf) < 0 && errno != ENOENT) {
BIO_printf(bio_err,
"%s: Can't unlink %s, %s\n",
@@ -449,12 +455,12 @@ static int do_dir(const char *dirname, enum Hash h)
bit_set(idmask, nextid);
} else if (remove_links) {
/* Link to be deleted */
- BIO_snprintf(buf, buflen, "%s%s%n%08x.%s%d",
- dirname, pathsep, &n, bp->hash,
+ BIO_snprintf(buf, buflen, "%s%s%08x.%s%d",
+ dirname, pathsep, bp->hash,
suffixes[bp->type], ep->old_id);
if (verbose)
BIO_printf(bio_out, "unlink %s\n",
- &buf[n]);
+ &buf[dirlen]);
if (unlink(buf) < 0 && errno != ENOENT) {
BIO_printf(bio_err,
"%s: Can't unlink %s, %s\n",
diff --git a/apps/req.c b/apps/req.c
index 926f0796..c7d4c782 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -685,6 +685,8 @@ int req_main(int argc, char **argv)
EVP_PKEY_CTX_set_app_data(genctx, bio_err);
pkey = app_keygen(genctx, keyalgstr, newkey_len, verbose);
+ if (pkey == NULL)
+ goto end;
EVP_PKEY_CTX_free(genctx);
genctx = NULL;
@@ -731,7 +733,7 @@ int req_main(int argc, char **argv)
}
goto end;
}
- BIO_free(out);
+ BIO_free_all(out);
out = NULL;
BIO_printf(bio_err, "-----\n");
}
diff --git a/apps/s_server.c b/apps/s_server.c
index c8ccdfd0..3c3b209d 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@@ -1670,6 +1670,11 @@ int s_server_main(int argc, char *argv[])
BIO_printf(bio_err, "Can only use -listen with DTLS\n");
goto end;
}
+
+ if (rev && socket_type == SOCK_DGRAM) {
+ BIO_printf(bio_err, "Can't use -rev with DTLS\n");
+ goto end;
+ }
#endif
if (stateless && socket_type != SOCK_STREAM) {
diff --git a/apps/smime.c b/apps/smime.c
index a2ff0b5b..52b4a01c 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -453,7 +453,8 @@ int smime_main(int argc, char **argv)
"recipient certificate file");
if (cert == NULL)
goto end;
- sk_X509_push(encerts, cert);
+ if (!sk_X509_push(encerts, cert))
+ goto end;
cert = NULL;
argv++;
}
diff --git a/apps/speed.c b/apps/speed.c
index f3043570..1113d775 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -3700,7 +3700,8 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher, int lengths_single,
} else {
int pad;
- RAND_bytes(out, 16);
+ if (RAND_bytes(inp, 16) <= 0)
+ app_bail_out("error setting random bytes\n");
len += 16;
aad[11] = (unsigned char)(len >> 8);
aad[12] = (unsigned char)(len);
diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl
index 544dc7e8..d0e0be61 100755
--- a/crypto/aes/asm/aesv8-armx.pl
+++ b/crypto/aes/asm/aesv8-armx.pl
@@ -3661,6 +3661,9 @@ if ($flavour =~ /64/) { ######## 64-bit code
s/\.[ui]?64//o and s/\.16b/\.2d/go;
s/\.[42]([sd])\[([0-3])\]/\.$1\[$2\]/o;
+ # Switch preprocessor checks to aarch64 versions.
+ s/__ARME([BL])__/__AARCH64E$1__/go;
+
print $_,"\n";
}
} else { ######## 32-bit code
diff --git a/crypto/arm_arch.h b/crypto/arm_arch.h
index 45d7e155..ec4a087f 100644
--- a/crypto/arm_arch.h
+++ b/crypto/arm_arch.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -21,11 +21,6 @@
# elif defined(__GNUC__)
# if defined(__aarch64__)
# define __ARM_ARCH__ 8
-# if __BYTE_ORDER__==__ORDER_BIG_ENDIAN__
-# define __ARMEB__
-# else
-# define __ARMEL__
-# endif
/*
* Why doesn't gcc define __ARM_ARCH__? Instead it defines
* bunch of below macros. See all_architectures[] table in
diff --git a/crypto/asn1/asn_moid.c b/crypto/asn1/asn_moid.c
index 526219c1..9aaab8a2 100644
--- a/crypto/asn1/asn_moid.c
+++ b/crypto/asn1/asn_moid.c
@@ -67,6 +67,10 @@ static int do_create(const char *value, const char *name)
if (p == NULL) {
ln = name;
ostr = value;
+ } else if (p == value) {
+ /* we started with a leading comma */
+ ln = name;
+ ostr = p + 1;
} else {
ln = value;
ostr = p + 1;
diff --git a/crypto/asn1/asn_mstbl.c b/crypto/asn1/asn_mstbl.c
index 3543cd22..1208d566 100644
--- a/crypto/asn1/asn_mstbl.c
+++ b/crypto/asn1/asn_mstbl.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2012-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -72,6 +72,8 @@ static int do_tcreate(const char *value, const char *name)
goto err;
for (i = 0; i < sk_CONF_VALUE_num(lst); i++) {
cnf = sk_CONF_VALUE_value(lst, i);
+ if (cnf->value == NULL)
+ goto err;
if (strcmp(cnf->name, "min") == 0) {
tbl_min = strtoul(cnf->value, &eptr, 0);
if (*eptr)
@@ -98,7 +100,9 @@ static int do_tcreate(const char *value, const char *name)
if (rv == 0) {
if (cnf)
ERR_raise_data(ERR_LIB_ASN1, ASN1_R_INVALID_STRING_TABLE_VALUE,
- "field=%s, value=%s", cnf->name, cnf->value);
+ "field=%s, value=%s", cnf->name,
+ cnf->value != NULL ? cnf->value
+ : value);
else
ERR_raise_data(ERR_LIB_ASN1, ASN1_R_INVALID_STRING_TABLE_VALUE,
"name=%s, value=%s", name, value);
diff --git a/crypto/asn1/x_algor.c b/crypto/asn1/x_algor.c
index c0a5f768..2c4a8d4b 100644
--- a/crypto/asn1/x_algor.c
+++ b/crypto/asn1/x_algor.c
@@ -179,7 +179,11 @@ int ossl_x509_algor_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md)
*palg = X509_ALGOR_new();
if (*palg == NULL)
goto err;
- X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp);
+ if (!X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp)) {
+ X509_ALGOR_free(*palg);
+ *palg = NULL;
+ goto err;
+ }
stmp = NULL;
err:
ASN1_STRING_free(stmp);
diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index 4e169ae1..598a592c 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -243,6 +243,14 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
wstart = bits - 1; /* The top bit of the window */
wend = 0; /* The bottom bit of the window */
+ if (r == p) {
+ BIGNUM *p_dup = BN_CTX_get(ctx);
+
+ if (p_dup == NULL || BN_copy(p_dup, p) == NULL)
+ goto err;
+ p = p_dup;
+ }
+
if (!BN_one(r))
goto err;
@@ -1317,6 +1325,11 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
return 0;
}
+ if (r == m) {
+ ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT);
+ return 0;
+ }
+
bits = BN_num_bits(p);
if (bits == 0) {
/* x**0 mod 1, or x**0 mod -1 is still zero. */
@@ -1362,6 +1375,14 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
wstart = bits - 1; /* The top bit of the window */
wend = 0; /* The bottom bit of the window */
+ if (r == p) {
+ BIGNUM *p_dup = BN_CTX_get(ctx);
+
+ if (p_dup == NULL || BN_copy(p_dup, p) == NULL)
+ goto err;
+ p = p_dup;
+ }
+
if (!BN_one(r))
goto err;
diff --git a/crypto/bn/bn_gcd.c b/crypto/bn/bn_gcd.c
index 59d024f6..cd0b0151 100644
--- a/crypto/bn/bn_gcd.c
+++ b/crypto/bn/bn_gcd.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -611,9 +611,9 @@ int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx)
for (i = 0; i < m; i++) {
/* conditionally flip signs if delta is positive and g is odd */
- cond = (-delta >> (8 * sizeof(delta) - 1)) & g->d[0] & 1
+ cond = ((unsigned int)-delta >> (8 * sizeof(delta) - 1)) & g->d[0] & 1
/* make sure g->top > 0 (i.e. if top == 0 then g == 0 always) */
- & (~((g->top - 1) >> (sizeof(g->top) * 8 - 1)));
+ & (~((unsigned int)(g->top - 1) >> (sizeof(g->top) * 8 - 1)));
delta = (-cond & -delta) | ((cond - 1) & delta);
r->neg ^= cond;
/* swap */
@@ -625,7 +625,7 @@ int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx)
goto err;
BN_consttime_swap(g->d[0] & 1 /* g is odd */
/* make sure g->top > 0 (i.e. if top == 0 then g == 0 always) */
- & (~((g->top - 1) >> (sizeof(g->top) * 8 - 1))),
+ & (~((unsigned int)(g->top - 1) >> (sizeof(g->top) * 8 - 1))),
g, temp, top);
if (!BN_rshift1(g, g))
goto err;
diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
index 304c2ea0..c811ae82 100644
--- a/crypto/bn/bn_gf2m.c
+++ b/crypto/bn/bn_gf2m.c
@@ -734,14 +734,20 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
{
BIGNUM *b = NULL;
int ret = 0;
+ int numbits;
BN_CTX_start(ctx);
if ((b = BN_CTX_get(ctx)) == NULL)
goto err;
+ /* Fail on a non-sensical input p value */
+ numbits = BN_num_bits(p);
+ if (numbits <= 1)
+ goto err;
+
/* generate blinding value */
do {
- if (!BN_priv_rand_ex(b, BN_num_bits(p) - 1,
+ if (!BN_priv_rand_ex(b, numbits - 1,
BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, 0, ctx))
goto err;
} while (BN_is_zero(b));
diff --git a/crypto/bn/bn_mod.c b/crypto/bn/bn_mod.c
index 7f5afa25..2dda2e34 100644
--- a/crypto/bn/bn_mod.c
+++ b/crypto/bn/bn_mod.c
@@ -17,6 +17,11 @@ int BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx)
* always holds)
*/
+ if (r == d) {
+ ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT);
+ return 0;
+ }
+
if (!(BN_mod(r, m, d, ctx)))
return 0;
if (!r->neg)
@@ -186,6 +191,11 @@ int bn_mod_sub_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
int BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
const BIGNUM *m)
{
+ if (r == m) {
+ ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT);
+ return 0;
+ }
+
if (!BN_sub(r, a, b))
return 0;
if (r->neg)
diff --git a/crypto/bn/bn_nist.c b/crypto/bn/bn_nist.c
index 3d4d9a2f..d761e570 100644
--- a/crypto/bn/bn_nist.c
+++ b/crypto/bn/bn_nist.c
@@ -319,6 +319,28 @@ static void nist_cp_bn(BN_ULONG *dst, const BN_ULONG *src, int top)
# endif
#endif /* BN_BITS2 != 64 */
+#ifdef NIST_INT64
+/* Helpers to load/store a 32-bit word (uint32_t) from/into a memory
+ * location and avoid potential aliasing issue. */
+static ossl_inline uint32_t load_u32(const void *ptr)
+{
+ uint32_t tmp;
+
+ memcpy(&tmp, ptr, sizeof(tmp));
+ return tmp;
+}
+
+static ossl_inline void store_lo32(void *ptr, NIST_INT64 val)
+{
+ /* A cast is needed for big-endian system: on a 32-bit BE system
+ * NIST_INT64 may be defined as well if the compiler supports 64-bit
+ * long long. */
+ uint32_t tmp = (uint32_t)val;
+
+ memcpy(ptr, &tmp, sizeof(tmp));
+}
+#endif /* NIST_INT64 */
+
#define nist_set_192(to, from, a1, a2, a3) \
{ \
bn_cp_64(to, 0, from, (a3) - 3) \
@@ -374,42 +396,42 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
unsigned int *rp = (unsigned int *)r_d;
const unsigned int *bp = (const unsigned int *)buf.ui;
- acc = rp[0];
+ acc = load_u32(&rp[0]);
acc += bp[3 * 2 - 6];
acc += bp[5 * 2 - 6];
- rp[0] = (unsigned int)acc;
+ store_lo32(&rp[0], acc);
acc >>= 32;
- acc += rp[1];
+ acc += load_u32(&rp[1]);
acc += bp[3 * 2 - 5];
acc += bp[5 * 2 - 5];
- rp[1] = (unsigned int)acc;
+ store_lo32(&rp[1], acc);
acc >>= 32;
- acc += rp[2];
+ acc += load_u32(&rp[2]);
acc += bp[3 * 2 - 6];
acc += bp[4 * 2 - 6];
acc += bp[5 * 2 - 6];
- rp[2] = (unsigned int)acc;
+ store_lo32(&rp[2], acc);
acc >>= 32;
- acc += rp[3];
+ acc += load_u32(&rp[3]);
acc += bp[3 * 2 - 5];
acc += bp[4 * 2 - 5];
acc += bp[5 * 2 - 5];
- rp[3] = (unsigned int)acc;
+ store_lo32(&rp[3], acc);
acc >>= 32;
- acc += rp[4];
+ acc += load_u32(&rp[4]);
acc += bp[4 * 2 - 6];
acc += bp[5 * 2 - 6];
- rp[4] = (unsigned int)acc;
+ store_lo32(&rp[4], acc);
acc >>= 32;
- acc += rp[5];
+ acc += load_u32(&rp[5]);
acc += bp[4 * 2 - 5];
acc += bp[5 * 2 - 5];
- rp[5] = (unsigned int)acc;
+ store_lo32(&rp[5], acc);
carry = (int)(acc >> 32);
}
@@ -683,36 +705,36 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
unsigned int *rp = (unsigned int *)r_d;
const unsigned int *bp = (const unsigned int *)buf.ui;
- acc = rp[0];
+ acc = load_u32(&rp[0]);
acc += bp[8 - 8];
acc += bp[9 - 8];
acc -= bp[11 - 8];
acc -= bp[12 - 8];
acc -= bp[13 - 8];
acc -= bp[14 - 8];
- rp[0] = (unsigned int)acc;
+ store_lo32(&rp[0], acc);
acc >>= 32;
- acc += rp[1];
+ acc += load_u32(&rp[1]);
acc += bp[9 - 8];
acc += bp[10 - 8];
acc -= bp[12 - 8];
acc -= bp[13 - 8];
acc -= bp[14 - 8];
acc -= bp[15 - 8];
- rp[1] = (unsigned int)acc;
+ store_lo32(&rp[1], acc);
acc >>= 32;
- acc += rp[2];
+ acc += load_u32(&rp[2]);
acc += bp[10 - 8];
acc += bp[11 - 8];
acc -= bp[13 - 8];
acc -= bp[14 - 8];
acc -= bp[15 - 8];
- rp[2] = (unsigned int)acc;
+ store_lo32(&rp[2], acc);
acc >>= 32;
- acc += rp[3];
+ acc += load_u32(&rp[3]);
acc += bp[11 - 8];
acc += bp[11 - 8];
acc += bp[12 - 8];
@@ -721,10 +743,10 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
acc -= bp[15 - 8];
acc -= bp[8 - 8];
acc -= bp[9 - 8];
- rp[3] = (unsigned int)acc;
+ store_lo32(&rp[3], acc);
acc >>= 32;
- acc += rp[4];
+ acc += load_u32(&rp[4]);
acc += bp[12 - 8];
acc += bp[12 - 8];
acc += bp[13 - 8];
@@ -732,10 +754,10 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
acc += bp[14 - 8];
acc -= bp[9 - 8];
acc -= bp[10 - 8];
- rp[4] = (unsigned int)acc;
+ store_lo32(&rp[4], acc);
acc >>= 32;
- acc += rp[5];
+ acc += load_u32(&rp[5]);
acc += bp[13 - 8];
acc += bp[13 - 8];
acc += bp[14 - 8];
@@ -743,10 +765,10 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
acc += bp[15 - 8];
acc -= bp[10 - 8];
acc -= bp[11 - 8];
- rp[5] = (unsigned int)acc;
+ store_lo32(&rp[5], acc);
acc >>= 32;
- acc += rp[6];
+ acc += load_u32(&rp[6]);
acc += bp[14 - 8];
acc += bp[14 - 8];
acc += bp[15 - 8];
@@ -755,10 +777,10 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
acc += bp[13 - 8];
acc -= bp[8 - 8];
acc -= bp[9 - 8];
- rp[6] = (unsigned int)acc;
+ store_lo32(&rp[6], acc);
acc >>= 32;
- acc += rp[7];
+ acc += load_u32(&rp[7]);
acc += bp[15 - 8];
acc += bp[15 - 8];
acc += bp[15 - 8];
@@ -767,7 +789,7 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
acc -= bp[11 - 8];
acc -= bp[12 - 8];
acc -= bp[13 - 8];
- rp[7] = (unsigned int)acc;
+ store_lo32(&rp[7], acc);
carry = (int)(acc >> 32);
}
@@ -920,32 +942,32 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
unsigned int *rp = (unsigned int *)r_d;
const unsigned int *bp = (const unsigned int *)buf.ui;
- acc = rp[0];
+ acc = load_u32(&rp[0]);
acc += bp[12 - 12];
acc += bp[21 - 12];
acc += bp[20 - 12];
acc -= bp[23 - 12];
- rp[0] = (unsigned int)acc;
+ store_lo32(&rp[0], acc);
acc >>= 32;
- acc += rp[1];
+ acc += load_u32(&rp[1]);
acc += bp[13 - 12];
acc += bp[22 - 12];
acc += bp[23 - 12];
acc -= bp[12 - 12];
acc -= bp[20 - 12];
- rp[1] = (unsigned int)acc;
+ store_lo32(&rp[1], acc);
acc >>= 32;
- acc += rp[2];
+ acc += load_u32(&rp[2]);
acc += bp[14 - 12];
acc += bp[23 - 12];
acc -= bp[13 - 12];
acc -= bp[21 - 12];
- rp[2] = (unsigned int)acc;
+ store_lo32(&rp[2], acc);
acc >>= 32;
- acc += rp[3];
+ acc += load_u32(&rp[3]);
acc += bp[15 - 12];
acc += bp[12 - 12];
acc += bp[20 - 12];
@@ -953,10 +975,10 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
acc -= bp[14 - 12];
acc -= bp[22 - 12];
acc -= bp[23 - 12];
- rp[3] = (unsigned int)acc;
+ store_lo32(&rp[3], acc);
acc >>= 32;
- acc += rp[4];
+ acc += load_u32(&rp[4]);
acc += bp[21 - 12];
acc += bp[21 - 12];
acc += bp[16 - 12];
@@ -967,10 +989,10 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
acc -= bp[15 - 12];
acc -= bp[23 - 12];
acc -= bp[23 - 12];
- rp[4] = (unsigned int)acc;
+ store_lo32(&rp[4], acc);
acc >>= 32;
- acc += rp[5];
+ acc += load_u32(&rp[5]);
acc += bp[22 - 12];
acc += bp[22 - 12];
acc += bp[17 - 12];
@@ -979,10 +1001,10 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
acc += bp[21 - 12];
acc += bp[23 - 12];
acc -= bp[16 - 12];
- rp[5] = (unsigned int)acc;
+ store_lo32(&rp[5], acc);
acc >>= 32;
- acc += rp[6];
+ acc += load_u32(&rp[6]);
acc += bp[23 - 12];
acc += bp[23 - 12];
acc += bp[18 - 12];
@@ -990,48 +1012,48 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
acc += bp[14 - 12];
acc += bp[22 - 12];
acc -= bp[17 - 12];
- rp[6] = (unsigned int)acc;
+ store_lo32(&rp[6], acc);
acc >>= 32;
- acc += rp[7];
+ acc += load_u32(&rp[7]);
acc += bp[19 - 12];
acc += bp[16 - 12];
acc += bp[15 - 12];
acc += bp[23 - 12];
acc -= bp[18 - 12];
- rp[7] = (unsigned int)acc;
+ store_lo32(&rp[7], acc);
acc >>= 32;
- acc += rp[8];
+ acc += load_u32(&rp[8]);
acc += bp[20 - 12];
acc += bp[17 - 12];
acc += bp[16 - 12];
acc -= bp[19 - 12];
- rp[8] = (unsigned int)acc;
+ store_lo32(&rp[8], acc);
acc >>= 32;
- acc += rp[9];
+ acc += load_u32(&rp[9]);
acc += bp[21 - 12];
acc += bp[18 - 12];
acc += bp[17 - 12];
acc -= bp[20 - 12];
- rp[9] = (unsigned int)acc;
+ store_lo32(&rp[9], acc);
acc >>= 32;
- acc += rp[10];
+ acc += load_u32(&rp[10]);
acc += bp[22 - 12];
acc += bp[19 - 12];
acc += bp[18 - 12];
acc -= bp[21 - 12];
- rp[10] = (unsigned int)acc;
+ store_lo32(&rp[10], acc);
acc >>= 32;
- acc += rp[11];
+ acc += load_u32(&rp[11]);
acc += bp[23 - 12];
acc += bp[20 - 12];
acc += bp[19 - 12];
acc -= bp[22 - 12];
- rp[11] = (unsigned int)acc;
+ store_lo32(&rp[11], acc);
carry = (int)(acc >> 32);
}
diff --git a/crypto/build.info b/crypto/build.info
index b90390ae..a45bf8de 100644
--- a/crypto/build.info
+++ b/crypto/build.info
@@ -74,8 +74,8 @@ DEFINE[../providers/libfips.a]=$CPUIDDEF
# already gets everything that the static libcrypto.a has, and doesn't need it
# added again.
IF[{- !$disabled{module} && !$disabled{shared} -}]
- SOURCE[../providers/liblegacy.a]=$CPUID_COMMON
- DEFINE[../providers/liblegacy.a]=$CPUIDDEF
+ SOURCE[../providers/legacy]=$CPUID_COMMON
+ DEFINE[../providers/legacy]=$CPUIDDEF
ENDIF
# Implementations are now spread across several libraries, so the CPUID define
@@ -97,8 +97,6 @@ $UTIL_COMMON=\
context.c sparse_array.c asn1_dsa.c packet.c param_build.c \
param_build_set.c der_writer.c threads_lib.c params_dup.c
-SHARED_SOURCE[../libssl]=sparse_array.c
-
SOURCE[../libcrypto]=$UTIL_COMMON \
mem.c mem_sec.c \
cversion.c info.c cpt_err.c ebcdic.c uid.c o_time.c o_dir.c \
diff --git a/crypto/cms/cms_att.c b/crypto/cms/cms_att.c
index 5b99516b..64acda72 100644
--- a/crypto/cms/cms_att.c
+++ b/crypto/cms/cms_att.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -12,8 +12,9 @@
#include <openssl/x509v3.h>
#include <openssl/err.h>
#include <openssl/cms.h>
-#include "cms_local.h"
#include "internal/nelem.h"
+#include "crypto/x509.h"
+#include "cms_local.h"
/*-
* Attribute flags.
@@ -94,7 +95,7 @@ X509_ATTRIBUTE *CMS_signed_delete_attr(CMS_SignerInfo *si, int loc)
int CMS_signed_add1_attr(CMS_SignerInfo *si, X509_ATTRIBUTE *attr)
{
- if (X509at_add1_attr(&si->signedAttrs, attr))
+ if (ossl_x509at_add1_attr(&si->signedAttrs, attr))
return 1;
return 0;
}
@@ -103,7 +104,7 @@ int CMS_signed_add1_attr_by_OBJ(CMS_SignerInfo *si,
const ASN1_OBJECT *obj, int type,
const void *bytes, int len)
{
- if (X509at_add1_attr_by_OBJ(&si->signedAttrs, obj, type, bytes, len))
+ if (ossl_x509at_add1_attr_by_OBJ(&si->signedAttrs, obj, type, bytes, len))
return 1;
return 0;
}
@@ -111,7 +112,7 @@ int CMS_signed_add1_attr_by_OBJ(CMS_SignerInfo *si,
int CMS_signed_add1_attr_by_NID(CMS_SignerInfo *si,
int nid, int type, const void *bytes, int len)
{
- if (X509at_add1_attr_by_NID(&si->signedAttrs, nid, type, bytes, len))
+ if (ossl_x509at_add1_attr_by_NID(&si->signedAttrs, nid, type, bytes, len))
return 1;
return 0;
}
@@ -120,7 +121,8 @@ int CMS_signed_add1_attr_by_txt(CMS_SignerInfo *si,
const char *attrname, int type,
const void *bytes, int len)
{
- if (X509at_add1_attr_by_txt(&si->signedAttrs, attrname, type, bytes, len))
+ if (ossl_x509at_add1_attr_by_txt(&si->signedAttrs, attrname, type, bytes,
+ len))
return 1;
return 0;
}
@@ -161,7 +163,7 @@ X509_ATTRIBUTE *CMS_unsigned_delete_attr(CMS_SignerInfo *si, int loc)
int CMS_unsigned_add1_attr(CMS_SignerInfo *si, X509_ATTRIBUTE *attr)
{
- if (X509at_add1_attr(&si->unsignedAttrs, attr))
+ if (ossl_x509at_add1_attr(&si->unsignedAttrs, attr))
return 1;
return 0;
}
@@ -170,7 +172,7 @@ int CMS_unsigned_add1_attr_by_OBJ(CMS_SignerInfo *si,
const ASN1_OBJECT *obj, int type,
const void *bytes, int len)
{
- if (X509at_add1_attr_by_OBJ(&si->unsignedAttrs, obj, type, bytes, len))
+ if (ossl_x509at_add1_attr_by_OBJ(&si->unsignedAttrs, obj, type, bytes, len))
return 1;
return 0;
}
@@ -179,7 +181,7 @@ int CMS_unsigned_add1_attr_by_NID(CMS_SignerInfo *si,
int nid, int type,
const void *bytes, int len)
{
- if (X509at_add1_attr_by_NID(&si->unsignedAttrs, nid, type, bytes, len))
+ if (ossl_x509at_add1_attr_by_NID(&si->unsignedAttrs, nid, type, bytes, len))
return 1;
return 0;
}
@@ -188,8 +190,8 @@ int CMS_unsigned_add1_attr_by_txt(CMS_SignerInfo *si,
const char *attrname, int type,
const void *bytes, int len)
{
- if (X509at_add1_attr_by_txt(&si->unsignedAttrs, attrname,
- type, bytes, len))
+ if (ossl_x509at_add1_attr_by_txt(&si->unsignedAttrs, attrname,
+ type, bytes, len))
return 1;
return 0;
}
diff --git a/crypto/cms/cms_dh.c b/crypto/cms/cms_dh.c
index 95097963..2f54ed26 100644
--- a/crypto/cms/cms_dh.c
+++ b/crypto/cms/cms_dh.c
@@ -316,10 +316,10 @@ static int dh_cms_encrypt(CMS_RecipientInfo *ri)
goto err;
ASN1_STRING_set0(wrap_str, penc, penclen);
penc = NULL;
- X509_ALGOR_set0(talg, OBJ_nid2obj(NID_id_smime_alg_ESDH),
- V_ASN1_SEQUENCE, wrap_str);
-
- rv = 1;
+ rv = X509_ALGOR_set0(talg, OBJ_nid2obj(NID_id_smime_alg_ESDH),
+ V_ASN1_SEQUENCE, wrap_str);
+ if (!rv)
+ ASN1_STRING_free(wrap_str);
err:
OPENSSL_free(penc);
diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c
index f7007c12..ae88df33 100644
--- a/crypto/cms/cms_enc.c
+++ b/crypto/cms/cms_enc.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -15,6 +15,7 @@
#include <openssl/cms.h>
#include <openssl/rand.h>
#include "crypto/evp.h"
+#include "crypto/asn1.h"
#include "cms_local.h"
/* CMS EncryptedData Utilities */
@@ -81,7 +82,7 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec,
if (enc) {
calg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_get_type(ctx));
- if (calg->algorithm == NULL) {
+ if (calg->algorithm == NULL || calg->algorithm->nid == NID_undef) {
ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM);
goto err;
}
diff --git a/crypto/cms/cms_err.c b/crypto/cms/cms_err.c
index dcbea201..4bd6a0dc 100644
--- a/crypto/cms/cms_err.c
+++ b/crypto/cms/cms_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -154,6 +154,8 @@ static const ERR_STRING_DATA CMS_str_reasons[] = {
"unsupported recipientinfo type"},
{ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_RECIPIENT_TYPE),
"unsupported recipient type"},
+ {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_SIGNATURE_ALGORITHM),
+ "unsupported signature algorithm"},
{ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_TYPE), "unsupported type"},
{ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNWRAP_ERROR), "unwrap error"},
{ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNWRAP_FAILURE), "unwrap failure"},
diff --git a/crypto/cms/cms_rsa.c b/crypto/cms/cms_rsa.c
index 61fd43fb..12bc8184 100644
--- a/crypto/cms/cms_rsa.c
+++ b/crypto/cms/cms_rsa.c
@@ -99,8 +99,10 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
goto err;
if (label != NULL
- && EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0)
+ && EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0) {
+ OPENSSL_free(label);
goto err;
+ }
/* Carry on */
rv = 1;
@@ -114,6 +116,7 @@ static int rsa_cms_encrypt(CMS_RecipientInfo *ri)
const EVP_MD *md, *mgf1md;
RSA_OAEP_PARAMS *oaep = NULL;
ASN1_STRING *os = NULL;
+ ASN1_OCTET_STRING *los = NULL;
X509_ALGOR *alg;
EVP_PKEY_CTX *pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
int pad_mode = RSA_PKCS1_PADDING, rv = 0, labellen;
@@ -125,10 +128,10 @@ static int rsa_cms_encrypt(CMS_RecipientInfo *ri)
if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
return 0;
}
- if (pad_mode == RSA_PKCS1_PADDING) {
- X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
- return 1;
- }
+ if (pad_mode == RSA_PKCS1_PADDING)
+ return X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
+ V_ASN1_NULL, NULL);
+
/* Not supported */
if (pad_mode != RSA_PKCS1_OAEP_PADDING)
return 0;
@@ -147,30 +150,32 @@ static int rsa_cms_encrypt(CMS_RecipientInfo *ri)
if (!ossl_x509_algor_md_to_mgf1(&oaep->maskGenFunc, mgf1md))
goto err;
if (labellen > 0) {
- ASN1_OCTET_STRING *los;
-
oaep->pSourceFunc = X509_ALGOR_new();
if (oaep->pSourceFunc == NULL)
goto err;
los = ASN1_OCTET_STRING_new();
if (los == NULL)
goto err;
- if (!ASN1_OCTET_STRING_set(los, label, labellen)) {
- ASN1_OCTET_STRING_free(los);
+ if (!ASN1_OCTET_STRING_set(los, label, labellen))
goto err;
- }
- X509_ALGOR_set0(oaep->pSourceFunc, OBJ_nid2obj(NID_pSpecified),
- V_ASN1_OCTET_STRING, los);
+
+ if (!X509_ALGOR_set0(oaep->pSourceFunc, OBJ_nid2obj(NID_pSpecified),
+ V_ASN1_OCTET_STRING, los))
+ goto err;
+
+ los = NULL;
}
- /* create string with pss parameter encoding. */
+ /* create string with oaep parameter encoding. */
if (!ASN1_item_pack(oaep, ASN1_ITEM_rptr(RSA_OAEP_PARAMS), &os))
- goto err;
- X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaesOaep), V_ASN1_SEQUENCE, os);
+ goto err;
+ if (!X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaesOaep), V_ASN1_SEQUENCE, os))
+ goto err;
os = NULL;
rv = 1;
err:
RSA_OAEP_PARAMS_free(oaep);
ASN1_STRING_free(os);
+ ASN1_OCTET_STRING_free(los);
return rv;
}
diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c
index 53c8e378..3a21664e 100644
--- a/crypto/cms/cms_sd.c
+++ b/crypto/cms/cms_sd.c
@@ -354,11 +354,16 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
if (md == NULL) {
int def_nid;
- if (EVP_PKEY_get_default_digest_nid(pk, &def_nid) <= 0)
+
+ if (EVP_PKEY_get_default_digest_nid(pk, &def_nid) <= 0) {
+ ERR_raise_data(ERR_LIB_CMS, CMS_R_NO_DEFAULT_DIGEST,
+ "pkey nid=%d", EVP_PKEY_get_id(pk));
goto err;
+ }
md = EVP_get_digestbynid(def_nid);
if (md == NULL) {
- ERR_raise(ERR_LIB_CMS, CMS_R_NO_DEFAULT_DIGEST);
+ ERR_raise_data(ERR_LIB_CMS, CMS_R_NO_DEFAULT_DIGEST,
+ "default md nid=%d", def_nid);
goto err;
}
}
@@ -398,8 +403,11 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
}
}
- if (!(flags & CMS_KEY_PARAM) && !cms_sd_asn1_ctrl(si, 0))
+ if (!(flags & CMS_KEY_PARAM) && !cms_sd_asn1_ctrl(si, 0)) {
+ ERR_raise_data(ERR_LIB_CMS, CMS_R_UNSUPPORTED_SIGNATURE_ALGORITHM,
+ "pkey nid=%d", EVP_PKEY_get_id(pk));
goto err;
+ }
if (!(flags & CMS_NOATTR)) {
/*
* Initialize signed attributes structure so other attributes
@@ -1029,31 +1037,32 @@ int CMS_add_smimecap(CMS_SignerInfo *si, STACK_OF(X509_ALGOR) *algs)
int CMS_add_simple_smimecap(STACK_OF(X509_ALGOR) **algs,
int algnid, int keysize)
{
- X509_ALGOR *alg;
+ X509_ALGOR *alg = NULL;
ASN1_INTEGER *key = NULL;
if (keysize > 0) {
key = ASN1_INTEGER_new();
- if (key == NULL || !ASN1_INTEGER_set(key, keysize)) {
- ASN1_INTEGER_free(key);
- return 0;
- }
+ if (key == NULL || !ASN1_INTEGER_set(key, keysize))
+ goto err;
}
alg = X509_ALGOR_new();
- if (alg == NULL) {
- ASN1_INTEGER_free(key);
- return 0;
- }
+ if (alg == NULL)
+ goto err;
- X509_ALGOR_set0(alg, OBJ_nid2obj(algnid),
- key ? V_ASN1_INTEGER : V_ASN1_UNDEF, key);
+ if (!X509_ALGOR_set0(alg, OBJ_nid2obj(algnid),
+ key ? V_ASN1_INTEGER : V_ASN1_UNDEF, key))
+ goto err;
+ key = NULL;
if (*algs == NULL)
*algs = sk_X509_ALGOR_new_null();
- if (*algs == NULL || !sk_X509_ALGOR_push(*algs, alg)) {
- X509_ALGOR_free(alg);
- return 0;
- }
+ if (*algs == NULL || !sk_X509_ALGOR_push(*algs, alg))
+ goto err;
return 1;
+
+ err:
+ ASN1_INTEGER_free(key);
+ X509_ALGOR_free(alg);
+ return 0;
}
/* Check to see if a cipher exists and if so add S/MIME capabilities */
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index 479038d5..d7719267 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -558,7 +558,7 @@ CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si,
{
CMS_SignerInfo *rct_si;
CMS_ContentInfo *cms = NULL;
- ASN1_OCTET_STRING **pos, *os;
+ ASN1_OCTET_STRING **pos, *os = NULL;
BIO *rct_cont = NULL;
int r = 0;
const CMS_CTX *ctx = si->cms_ctx;
@@ -620,6 +620,7 @@ CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si,
if (r)
return cms;
CMS_ContentInfo_free(cms);
+ ASN1_OCTET_STRING_free(os);
return NULL;
}
diff --git a/crypto/conf/conf_err.c b/crypto/conf/conf_err.c
index 68ee90b9..fc0eee7d 100644
--- a/crypto/conf/conf_err.c
+++ b/crypto/conf/conf_err.c
@@ -41,6 +41,8 @@ static const ERR_STRING_DATA CONF_str_reasons[] = {
"openssl conf references missing section"},
{ERR_PACK(ERR_LIB_CONF, 0, CONF_R_RECURSIVE_DIRECTORY_INCLUDE),
"recursive directory include"},
+ {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_RECURSIVE_SECTION_REFERENCE),
+ "recursive section reference"},
{ERR_PACK(ERR_LIB_CONF, 0, CONF_R_RELATIVE_PATH), "relative path"},
{ERR_PACK(ERR_LIB_CONF, 0, CONF_R_SSL_COMMAND_SECTION_EMPTY),
"ssl command section empty"},
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index f4173e21..e20eb620 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
*/
int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
{
+ /* Don't do any checks at all with an excessively large modulus */
+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
+ return 0;
+ }
+
+ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) {
+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
+ return 1;
+ }
+
return ossl_ffc_validate_public_key(&dh->params, pub_key, ret);
}
@@ -259,7 +271,8 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
*/
int ossl_dh_check_pub_key_partial(const DH *dh, const BIGNUM *pub_key, int *ret)
{
- return ossl_ffc_validate_public_key_partial(&dh->params, pub_key, ret);
+ return ossl_ffc_validate_public_key_partial(&dh->params, pub_key, ret)
+ && *ret == 0;
}
int ossl_dh_check_priv_key(const DH *dh, const BIGNUM *priv_key, int *ret)
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
index 41523974..f76ac0dd 100644
--- a/crypto/dh/dh_err.c
+++ b/crypto/dh/dh_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
"parameter encoding error"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
"unable to check generator"},
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 4e9705be..afc49f5c 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
goto err;
}
+ if (dh->params.q != NULL
+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
+ goto err;
+ }
+
if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
return 0;
@@ -190,7 +196,6 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
static int dh_init(DH *dh)
{
dh->flags |= DH_FLAG_CACHE_MONT_P;
- ossl_ffc_params_init(&dh->params);
dh->dirty_cnt++;
return 1;
}
@@ -268,6 +273,12 @@ static int generate_key(DH *dh)
return 0;
}
+ if (dh->params.q != NULL
+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
+ return 0;
+ }
+
if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
return 0;
diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c
index 29cda5d7..5577413e 100644
--- a/crypto/dh/dh_lib.c
+++ b/crypto/dh/dh_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -116,6 +116,8 @@ static DH *dh_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx)
goto err;
#endif /* FIPS_MODULE */
+ ossl_ffc_params_init(&ret->params);
+
if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
ERR_raise(ERR_LIB_DH, ERR_R_INIT_FAIL);
goto err;
diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c
index 7ee914a4..fb0e9129 100644
--- a/crypto/dsa/dsa_check.c
+++ b/crypto/dsa/dsa_check.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -39,7 +39,8 @@ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
*/
int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
{
- return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret);
+ return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret)
+ && *ret == 0;
}
/*
@@ -49,7 +50,8 @@ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
*/
int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret)
{
- return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret);
+ return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret)
+ && *ret == 0;
}
int ossl_dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret)
diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c
index ccc70165..2ae3f8e3 100644
--- a/crypto/dsa/dsa_lib.c
+++ b/crypto/dsa/dsa_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -176,6 +176,8 @@ static DSA *dsa_new_intern(ENGINE *engine, OSSL_LIB_CTX *libctx)
goto err;
#endif
+ ossl_ffc_params_init(&ret->params);
+
if ((ret->meth->init != NULL) && !ret->meth->init(ret)) {
ERR_raise(ERR_LIB_DSA, ERR_R_INIT_FAIL);
goto err;
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 62f7c701..8fd66a95 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -441,7 +441,6 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
static int dsa_init(DSA *dsa)
{
dsa->flags |= DSA_FLAG_CACHE_MONT_P;
- ossl_ffc_params_init(&dsa->params);
dsa->dirty_cnt++;
return 1;
}
diff --git a/crypto/ec/ecx_backend.c b/crypto/ec/ecx_backend.c
index 2ab7611b..e42767d6 100644
--- a/crypto/ec/ecx_backend.c
+++ b/crypto/ec/ecx_backend.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -122,7 +122,7 @@ ECX_KEY *ossl_ecx_key_dup(const ECX_KEY *key, int selection)
}
ret->libctx = key->libctx;
- ret->haspubkey = key->haspubkey;
+ ret->haspubkey = 0;
ret->keylen = key->keylen;
ret->type = key->type;
ret->references = 1;
@@ -133,8 +133,11 @@ ECX_KEY *ossl_ecx_key_dup(const ECX_KEY *key, int selection)
goto err;
}
- if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
+ if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0
+ && key->haspubkey == 1) {
memcpy(ret->pubkey, key->pubkey, sizeof(ret->pubkey));
+ ret->haspubkey = 1;
+ }
if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0
&& key->privkey != NULL) {
diff --git a/crypto/engine/eng_pkey.c b/crypto/engine/eng_pkey.c
index 6e6d6df3..f84fcde4 100644
--- a/crypto/engine/eng_pkey.c
+++ b/crypto/engine/eng_pkey.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -79,6 +79,48 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
return NULL;
}
+ /* We enforce check for legacy key */
+ switch (EVP_PKEY_get_id(pkey)) {
+ case EVP_PKEY_RSA:
+ {
+ RSA *rsa = EVP_PKEY_get1_RSA(pkey);
+ EVP_PKEY_set1_RSA(pkey, rsa);
+ RSA_free(rsa);
+ }
+ break;
+# ifndef OPENSSL_NO_EC
+ case EVP_PKEY_SM2:
+ case EVP_PKEY_EC:
+ {
+ EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
+ EVP_PKEY_set1_EC_KEY(pkey, ec);
+ EC_KEY_free(ec);
+ }
+ break;
+# endif
+# ifndef OPENSSL_NO_DSA
+ case EVP_PKEY_DSA:
+ {
+ DSA *dsa = EVP_PKEY_get1_DSA(pkey);
+ EVP_PKEY_set1_DSA(pkey, dsa);
+ DSA_free(dsa);
+ }
+ break;
+#endif
+# ifndef OPENSSL_NO_DH
+ case EVP_PKEY_DH:
+ {
+ DH *dh = EVP_PKEY_get1_DH(pkey);
+ EVP_PKEY_set1_DH(pkey, dh);
+ DH_free(dh);
+ }
+ break;
+#endif
+ default:
+ /*Do nothing */
+ break;
+ }
+
return pkey;
}
diff --git a/crypto/engine/eng_table.c b/crypto/engine/eng_table.c
index 3138a152..9dc3144b 100644
--- a/crypto/engine/eng_table.c
+++ b/crypto/engine/eng_table.c
@@ -97,6 +97,7 @@ int engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup,
if (added && !engine_cleanup_add_first(cleanup)) {
lh_ENGINE_PILE_free(&(*table)->piles);
*table = NULL;
+ goto end;
}
while (num_nids--) {
tmplate.nid = *nids;
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index a6f61ca3..36fe318b 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -375,6 +375,7 @@ CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM:179:\
CMS_R_UNSUPPORTED_LABEL_SOURCE:193:unsupported label source
CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE:155:unsupported recipientinfo type
CMS_R_UNSUPPORTED_RECIPIENT_TYPE:154:unsupported recipient type
+CMS_R_UNSUPPORTED_SIGNATURE_ALGORITHM:195:unsupported signature algorithm
CMS_R_UNSUPPORTED_TYPE:156:unsupported type
CMS_R_UNWRAP_ERROR:157:unwrap error
CMS_R_UNWRAP_FAILURE:180:unwrap failure
@@ -402,6 +403,7 @@ CONF_R_NUMBER_TOO_LARGE:121:number too large
CONF_R_OPENSSL_CONF_REFERENCES_MISSING_SECTION:124:\
openssl conf references missing section
CONF_R_RECURSIVE_DIRECTORY_INCLUDE:111:recursive directory include
+CONF_R_RECURSIVE_SECTION_REFERENCE:126:recursive section reference
CONF_R_RELATIVE_PATH:125:relative path
CONF_R_SSL_COMMAND_SECTION_EMPTY:117:ssl command section empty
CONF_R_SSL_COMMAND_SECTION_NOT_FOUND:118:ssl command section not found
@@ -499,6 +501,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
DH_R_NO_PRIVATE_VALUE:100:no private value
DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
DH_R_PEER_KEY_ERROR:111:peer key error
+DH_R_Q_TOO_LARGE:130:q too large
DH_R_SHARED_INFO_ERROR:113:shared info error
DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index 52b9e87c..949de680 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -831,8 +831,6 @@ typedef struct {
/* KMO-AES parameter block - end */
} kmo;
unsigned int fc;
-
- int res;
} S390X_AES_OFB_CTX;
typedef struct {
@@ -849,8 +847,6 @@ typedef struct {
/* KMF-AES parameter block - end */
} kmf;
unsigned int fc;
-
- int res;
} S390X_AES_CFB_CTX;
typedef struct {
@@ -1002,7 +998,6 @@ static int s390x_aes_ofb_init_key(EVP_CIPHER_CTX *ctx,
memcpy(cctx->kmo.param.cv, iv, ivlen);
memcpy(cctx->kmo.param.k, key, keylen);
cctx->fc = S390X_AES_FC(keylen);
- cctx->res = 0;
return 1;
}
@@ -1012,7 +1007,7 @@ static int s390x_aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
S390X_AES_OFB_CTX *cctx = EVP_C_DATA(S390X_AES_OFB_CTX, ctx);
const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
- int n = cctx->res;
+ int n = ctx->num;
int rem;
memcpy(cctx->kmo.param.cv, iv, ivlen);
@@ -1045,7 +1040,7 @@ static int s390x_aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
}
memcpy(iv, cctx->kmo.param.cv, ivlen);
- cctx->res = n;
+ ctx->num = n;
return 1;
}
@@ -1063,7 +1058,6 @@ static int s390x_aes_cfb_init_key(EVP_CIPHER_CTX *ctx,
if (!enc)
cctx->fc |= S390X_DECRYPT;
- cctx->res = 0;
memcpy(cctx->kmf.param.cv, iv, ivlen);
memcpy(cctx->kmf.param.k, key, keylen);
return 1;
@@ -1077,7 +1071,7 @@ static int s390x_aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const int enc = EVP_CIPHER_CTX_is_encrypting(ctx);
const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
- int n = cctx->res;
+ int n = ctx->num;
int rem;
unsigned char tmp;
@@ -1115,7 +1109,7 @@ static int s390x_aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
}
memcpy(iv, cctx->kmf.param.cv, ivlen);
- cctx->res = n;
+ ctx->num = n;
return 1;
}
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index b178d108..4e6f83e3 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -192,7 +192,12 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
#endif
}
- if (cipher->prov != NULL) {
+ if (!ossl_assert(cipher->prov != NULL)) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
+ return 0;
+ }
+
+ if (cipher != ctx->fetched_cipher) {
if (!EVP_CIPHER_up_ref((EVP_CIPHER *)cipher)) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
return 0;
@@ -218,6 +223,42 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
return 0;
}
+#ifndef FIPS_MODULE
+ /*
+ * Fix for CVE-2023-5363
+ * Passing in a size as part of the init call takes effect late
+ * so, force such to occur before the initialisation.
+ *
+ * The FIPS provider's internal library context is used in a manner
+ * such that this is not an issue.
+ */
+ if (params != NULL) {
+ OSSL_PARAM param_lens[3] = { OSSL_PARAM_END, OSSL_PARAM_END,
+ OSSL_PARAM_END };
+ OSSL_PARAM *q = param_lens;
+ const OSSL_PARAM *p;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
+ if (p != NULL)
+ memcpy(q++, p, sizeof(*q));
+
+ /*
+ * Note that OSSL_CIPHER_PARAM_AEAD_IVLEN is a synomym for
+ * OSSL_CIPHER_PARAM_IVLEN so both are covered here.
+ */
+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_IVLEN);
+ if (p != NULL)
+ memcpy(q++, p, sizeof(*q));
+
+ if (q != param_lens) {
+ if (!EVP_CIPHER_CTX_set_params(ctx, param_lens)) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
+ return 0;
+ }
+ }
+ }
+#endif
+
if (enc) {
if (ctx->cipher->einit == NULL) {
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
diff --git a/crypto/evp/evp_fetch.c b/crypto/evp/evp_fetch.c
index aafd927e..6eeafd94 100644
--- a/crypto/evp/evp_fetch.c
+++ b/crypto/evp/evp_fetch.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -349,13 +349,26 @@ inner_evp_generic_fetch(struct evp_method_data_st *methdata,
* there is a correct name_id and meth_id, since those have
* already been calculated in get_evp_method_from_store() and
* put_evp_method_in_store() above.
+ * Note that there is a corner case here, in which, if a user
+ * passes a name of the form name1:name2:..., then the construction
+ * will create a method against all names, but the lookup will fail
+ * as ossl_namemap_name2num treats the name string as a single name
+ * rather than introducing new features where in the EVP_<obj>_fetch
+ * parses the string and querys for each, return an error.
*/
if (name_id == 0)
name_id = ossl_namemap_name2num(namemap, name);
- meth_id = evp_method_id(name_id, operation_id);
- if (name_id != 0)
- ossl_method_store_cache_set(store, prov, meth_id, propq,
- method, up_ref_method, free_method);
+ if (name_id == 0) {
+ ERR_raise_data(ERR_LIB_EVP, ERR_R_FETCH_FAILED,
+ "Algorithm %s cannot be found", name);
+ free_method(method);
+ method = NULL;
+ } else {
+ meth_id = evp_method_id(name_id, operation_id);
+ if (meth_id != 0)
+ ossl_method_store_cache_set(store, prov, meth_id, propq,
+ method, up_ref_method, free_method);
+ }
}
/*
diff --git a/crypto/evp/legacy_sha.c b/crypto/evp/legacy_sha.c
index 3859286e..ca9a3264 100644
--- a/crypto/evp/legacy_sha.c
+++ b/crypto/evp/legacy_sha.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -71,7 +71,11 @@ static int sha1_int_ctrl(EVP_MD_CTX *ctx, int cmd, int p1, void *p2)
static int shake_ctrl(EVP_MD_CTX *evp_ctx, int cmd, int p1, void *p2)
{
- KECCAK1600_CTX *ctx = evp_ctx->md_data;
+ KECCAK1600_CTX *ctx;
+
+ if (evp_ctx == NULL)
+ return 0;
+ ctx = evp_ctx->md_data;
switch (cmd) {
case EVP_MD_CTRL_XOF_LEN:
diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
index 59a7a867..04b148a9 100644
--- a/crypto/evp/p_lib.c
+++ b/crypto/evp/p_lib.c
@@ -1201,7 +1201,7 @@ int EVP_PKEY_print_public(BIO *out, const EVP_PKEY *pkey,
int EVP_PKEY_print_private(BIO *out, const EVP_PKEY *pkey,
int indent, ASN1_PCTX *pctx)
{
- return print_pkey(pkey, out, indent, EVP_PKEY_KEYPAIR, NULL,
+ return print_pkey(pkey, out, indent, EVP_PKEY_PRIVATE_KEY, NULL,
(pkey->ameth != NULL ? pkey->ameth->priv_print : NULL),
pctx);
}
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index ce6e1a1c..ba1971ce 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -251,10 +251,11 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx,
*/
if (e != NULL)
pmeth = ENGINE_get_pkey_meth(e, id);
- else if (pkey != NULL && pkey->foreign)
+ else
+# endif /* OPENSSL_NO_ENGINE */
+ if (pkey != NULL && pkey->foreign)
pmeth = EVP_PKEY_meth_find(id);
else
-# endif
app_pmeth = pmeth = evp_pkey_meth_find_added_by_application(id);
/* END legacy */
diff --git a/crypto/ex_data.c b/crypto/ex_data.c
index 40223f06..13b92889 100644
--- a/crypto/ex_data.c
+++ b/crypto/ex_data.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -163,6 +163,8 @@ int ossl_crypto_get_ex_new_index_ex(OSSL_LIB_CTX *ctx, int class_index,
* "app_data" routines use ex_data index zero. See RT 3710. */
if (ip->meth == NULL
|| !sk_EX_CALLBACK_push(ip->meth, NULL)) {
+ sk_EX_CALLBACK_free(ip->meth);
+ ip->meth = NULL;
ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE);
goto err;
}
diff --git a/crypto/ffc/ffc_key_validate.c b/crypto/ffc/ffc_key_validate.c
index 34278962..a4a2a58e 100644
--- a/crypto/ffc/ffc_key_validate.c
+++ b/crypto/ffc/ffc_key_validate.c
@@ -26,7 +26,7 @@ int ossl_ffc_validate_public_key_partial(const FFC_PARAMS *params,
*ret = 0;
if (params == NULL || pub_key == NULL || params->p == NULL) {
*ret = FFC_ERROR_PASSED_NULL_PARAM;
- return 0;
+ return 1;
}
ctx = BN_CTX_new_ex(NULL);
@@ -39,18 +39,14 @@ int ossl_ffc_validate_public_key_partial(const FFC_PARAMS *params,
if (tmp == NULL
|| !BN_set_word(tmp, 1))
goto err;
- if (BN_cmp(pub_key, tmp) <= 0) {
+ if (BN_cmp(pub_key, tmp) <= 0)
*ret |= FFC_ERROR_PUBKEY_TOO_SMALL;
- goto err;
- }
/* Step(1): Verify pub_key <= p-2 */
if (BN_copy(tmp, params->p) == NULL
|| !BN_sub_word(tmp, 1))
goto err;
- if (BN_cmp(pub_key, tmp) >= 0) {
+ if (BN_cmp(pub_key, tmp) >= 0)
*ret |= FFC_ERROR_PUBKEY_TOO_LARGE;
- goto err;
- }
ok = 1;
err:
if (ctx != NULL) {
@@ -73,7 +69,7 @@ int ossl_ffc_validate_public_key(const FFC_PARAMS *params,
if (!ossl_ffc_validate_public_key_partial(params, pub_key, ret))
return 0;
- if (params->q != NULL) {
+ if (*ret == 0 && params->q != NULL) {
ctx = BN_CTX_new_ex(NULL);
if (ctx == NULL)
goto err;
@@ -84,10 +80,8 @@ int ossl_ffc_validate_public_key(const FFC_PARAMS *params,
if (tmp == NULL
|| !BN_mod_exp(tmp, pub_key, params->q, params->p, ctx))
goto err;
- if (!BN_is_one(tmp)) {
+ if (!BN_is_one(tmp))
*ret |= FFC_ERROR_PUBKEY_INVALID;
- goto err;
- }
}
ok = 1;
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index e3ccc6c4..4b96a6b9 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -487,13 +487,17 @@ static int parse_http_line1(char *line, int *found_keep_alive)
static int check_set_resp_len(OSSL_HTTP_REQ_CTX *rctx, size_t len)
{
- if (rctx->max_resp_len != 0 && len > rctx->max_resp_len)
+ if (rctx->max_resp_len != 0 && len > rctx->max_resp_len) {
ERR_raise_data(ERR_LIB_HTTP, HTTP_R_MAX_RESP_LEN_EXCEEDED,
"length=%zu, max=%zu", len, rctx->max_resp_len);
- if (rctx->resp_len != 0 && rctx->resp_len != len)
+ return 0;
+ }
+ if (rctx->resp_len != 0 && rctx->resp_len != len) {
ERR_raise_data(ERR_LIB_HTTP, HTTP_R_INCONSISTENT_CONTENT_LENGTH,
"ASN.1 length=%zu, Content-Length=%zu",
len, rctx->resp_len);
+ return 0;
+ }
rctx->resp_len = len;
return 1;
}
diff --git a/crypto/http/http_lib.c b/crypto/http/http_lib.c
index e45f60b7..30c1cd04 100644
--- a/crypto/http/http_lib.c
+++ b/crypto/http/http_lib.c
@@ -118,7 +118,7 @@ int OSSL_parse_url(const char *url, char **pscheme, char **puser, char **phost,
port = ++p;
/* remaining port spec handling is also done for the default values */
/* make sure a decimal port number is given */
- if (!sscanf(port, "%u", &portnum) || portnum > 65535) {
+ if (sscanf(port, "%u", &portnum) <= 0 || portnum > 65535) {
ERR_raise_data(ERR_LIB_HTTP, HTTP_R_INVALID_PORT_NUMBER, "%s", port);
goto err;
}
diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c
index 1cd988f0..a01cfa72 100644
--- a/crypto/lhash/lhash.c
+++ b/crypto/lhash/lhash.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -266,12 +266,12 @@ static void contract(OPENSSL_LHASH *lh)
if (n == NULL) {
/* fputs("realloc error in lhash",stderr); */
lh->error++;
- return;
+ } else {
+ lh->b = n;
}
lh->num_alloc_nodes /= 2;
lh->pmax /= 2;
lh->p = lh->pmax - 1;
- lh->b = n;
} else
lh->p--;
diff --git a/crypto/mem.c b/crypto/mem.c
index bc9dc111..34128616 100644
--- a/crypto/mem.c
+++ b/crypto/mem.c
@@ -100,6 +100,9 @@ void CRYPTO_get_alloc_counts(int *mcount, int *rcount, int *fcount)
* or 100;100@25;0
* This means 100 mallocs succeed, then next 100 fail 25% of the time, and
* all remaining (count is zero) succeed.
+ * The failure percentge can have 2 digits after the comma. For example:
+ * 0@0.01
+ * This means 0.01% of all allocations will fail.
*/
static void parseit(void)
{
@@ -112,26 +115,27 @@ static void parseit(void)
/* Get the count (atol will stop at the @ if there), and percentage */
md_count = atol(md_failstring);
atsign = strchr(md_failstring, '@');
- md_fail_percent = atsign == NULL ? 0 : atoi(atsign + 1);
+ md_fail_percent = atsign == NULL ? 0 : (int)(atof(atsign + 1) * 100 + 0.5);
if (semi != NULL)
md_failstring = semi;
}
/*
- * Windows doesn't have random(), but it has rand()
+ * Windows doesn't have random() and srandom(), but it has rand() and srand().
* Some rand() implementations aren't good, but we're not
* dealing with secure randomness here.
*/
# ifdef _WIN32
# define random() rand()
+# define srandom(seed) srand(seed)
# endif
/*
* See if the current malloc should fail.
*/
static int shouldfail(void)
{
- int roll = (int)(random() % 100);
+ int roll = (int)(random() % 10000);
int shoulditfail = roll < md_fail_percent;
# ifndef _WIN32
/* suppressed on Windows as POSIX-like file descriptors are non-inheritable */
@@ -165,6 +169,8 @@ void ossl_malloc_setup_failures(void)
parseit();
if ((cp = getenv("OPENSSL_MALLOC_FD")) != NULL)
md_tracefd = atoi(cp);
+ if ((cp = getenv("OPENSSL_MALLOC_SEED")) != NULL)
+ srandom(atoi(cp));
}
#endif
diff --git a/crypto/mem_sec.c b/crypto/mem_sec.c
index 6ba75486..5cdeedb8 100644
--- a/crypto/mem_sec.c
+++ b/crypto/mem_sec.c
@@ -238,11 +238,17 @@ int CRYPTO_secure_allocated(const void *ptr)
size_t CRYPTO_secure_used(void)
{
+ size_t ret = 0;
+
#ifndef OPENSSL_NO_SECURE_MEMORY
- return secure_mem_used;
-#else
- return 0;
+ if (!CRYPTO_THREAD_read_lock(sec_malloc_lock))
+ return 0;
+
+ ret = secure_mem_used;
+
+ CRYPTO_THREAD_unlock(sec_malloc_lock);
#endif /* OPENSSL_NO_SECURE_MEMORY */
+ return ret;
}
size_t CRYPTO_secure_actual_size(void *ptr)
diff --git a/crypto/modes/asm/ghashv8-armx.pl b/crypto/modes/asm/ghashv8-armx.pl
index b1d35d25..b3d94041 100644
--- a/crypto/modes/asm/ghashv8-armx.pl
+++ b/crypto/modes/asm/ghashv8-armx.pl
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2014-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -744,6 +744,9 @@ if ($flavour =~ /64/) { ######## 64-bit code
s/\.[uisp]?64//o and s/\.16b/\.2d/go;
s/\.[42]([sd])\[([0-3])\]/\.$1\[$2\]/o;
+ # Switch preprocessor checks to aarch64 versions.
+ s/__ARME([BL])__/__AARCH64E$1__/go;
+
print $_,"\n";
}
} else { ######## 32-bit code
diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
index 1a52000e..dc501cbb 100644
--- a/crypto/objects/obj_dat.c
+++ b/crypto/objects/obj_dat.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -62,7 +62,7 @@ static unsigned long added_obj_hash(const ADDED_OBJ *ca)
a = ca->obj;
switch (ca->type) {
case ADDED_DATA:
- ret = a->length << 20L;
+ ret = (unsigned long)a->length << 20UL;
p = (unsigned char *)a->data;
for (i = 0; i < a->length; i++)
ret ^= p[i] << ((i * 3) % 24);
@@ -642,13 +642,14 @@ const void *OBJ_bsearch_ex_(const void *key, const void *base, int num,
if (p == NULL) {
const char *base_ = base;
int l, h, i = 0, c = 0;
+ char *p1;
for (i = 0; i < num; ++i) {
- p = &(base_[i * size]);
- c = (*cmp) (key, p);
+ p1 = &(base_[i * size]);
+ c = (*cmp) (key, p1);
if (c == 0
|| (c < 0 && (flags & OBJ_BSEARCH_VALUE_ON_NOMATCH)))
- return p;
+ return p1;
}
}
#endif
diff --git a/crypto/param_build.c b/crypto/param_build.c
index 51c8681f..56537e67 100644
--- a/crypto/param_build.c
+++ b/crypto/param_build.c
@@ -239,9 +239,9 @@ int OSSL_PARAM_BLD_push_utf8_string(OSSL_PARAM_BLD *bld, const char *key,
OSSL_PARAM_BLD_DEF *pd;
int secure;
- if (bsize == 0) {
+ if (bsize == 0)
bsize = strlen(buf);
- } else if (bsize > INT_MAX) {
+ if (bsize > INT_MAX) {
ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_STRING_TOO_LONG);
return 0;
}
@@ -258,9 +258,9 @@ int OSSL_PARAM_BLD_push_utf8_ptr(OSSL_PARAM_BLD *bld, const char *key,
{
OSSL_PARAM_BLD_DEF *pd;
- if (bsize == 0) {
+ if (bsize == 0)
bsize = strlen(buf);
- } else if (bsize > INT_MAX) {
+ if (bsize > INT_MAX) {
ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_STRING_TOO_LONG);
return 0;
}
diff --git a/crypto/param_build_set.c b/crypto/param_build_set.c
index 8b570ded..5de06cc7 100644
--- a/crypto/param_build_set.c
+++ b/crypto/param_build_set.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -99,21 +99,22 @@ int ossl_param_build_set_multi_key_bn(OSSL_PARAM_BLD *bld, OSSL_PARAM *params,
{
int i, sz = sk_BIGNUM_const_num(stk);
OSSL_PARAM *p;
-
+ const BIGNUM *bn;
if (bld != NULL) {
for (i = 0; i < sz && names[i] != NULL; ++i) {
- if (!OSSL_PARAM_BLD_push_BN(bld, names[i],
- sk_BIGNUM_const_value(stk, i)))
+ bn = sk_BIGNUM_const_value(stk, i);
+ if (bn != NULL && !OSSL_PARAM_BLD_push_BN(bld, names[i], bn))
return 0;
}
return 1;
}
for (i = 0; i < sz && names[i] != NULL; ++i) {
+ bn = sk_BIGNUM_const_value(stk, i);
p = OSSL_PARAM_locate(params, names[i]);
- if (p != NULL) {
- if (!OSSL_PARAM_set_BN(p, sk_BIGNUM_const_value(stk, i)))
+ if (p != NULL && bn != NULL) {
+ if (!OSSL_PARAM_set_BN(p, bn))
return 0;
}
}
diff --git a/crypto/params_from_text.c b/crypto/params_from_text.c
index 360f8933..a323bf26 100644
--- a/crypto/params_from_text.c
+++ b/crypto/params_from_text.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@@ -118,7 +118,13 @@ static int prepare_from_text(const OSSL_PARAM *paramdefs, const char *key,
break;
case OSSL_PARAM_OCTET_STRING:
if (*ishex) {
- *buf_n = strlen(value) >> 1;
+ size_t hexdigits = strlen(value);
+ if ((hexdigits % 2) != 0) {
+ /* We don't accept an odd number of hex digits */
+ ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_ODD_NUMBER_OF_DIGITS);
+ return 0;
+ }
+ *buf_n = hexdigits >> 1;
} else {
*buf_n = value_n;
}
diff --git a/crypto/perlasm/x86_64-xlate.pl b/crypto/perlasm/x86_64-xlate.pl
index 1830b255..b2bf96ce 100755
--- a/crypto/perlasm/x86_64-xlate.pl
+++ b/crypto/perlasm/x86_64-xlate.pl
@@ -111,7 +111,12 @@ elsif (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
$gnuas=1;
}
elsif (`$ENV{CC} --version 2>/dev/null`
- =~ /clang .*/)
+ =~ /(clang .*|Intel.*oneAPI .*)/)
+{
+ $gnuas=1;
+}
+elsif (`$ENV{CC} -V 2>/dev/null`
+ =~ /nvc .*/)
{
$gnuas=1;
}
diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
index 6fd4184a..66dcf92c 100644
--- a/crypto/pkcs12/p12_add.c
+++ b/crypto/pkcs12/p12_add.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -78,6 +78,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
return NULL;
}
+
+ if (p7->d.data == NULL) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
+ return NULL;
+ }
+
return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
}
@@ -150,6 +156,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
{
if (!PKCS7_type_is_encrypted(p7))
return NULL;
+
+ if (p7->d.encrypted == NULL) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
+ return NULL;
+ }
+
return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm,
ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
pass, passlen,
@@ -188,6 +200,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12)
ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
return NULL;
}
+
+ if (p12->authsafes->d.data == NULL) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
+ return NULL;
+ }
+
p7s = ASN1_item_unpack(p12->authsafes->d.data,
ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
if (p7s != NULL) {
diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index 67a885a4..f8a6d33d 100644
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -98,6 +98,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
return 0;
}
+ if (p12->authsafes->d.data == NULL) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
+ return 0;
+ }
+
salt = p12->mac->salt->data;
saltlen = p12->mac->salt->length;
if (p12->mac->iter == NULL)
diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c
index 62230bc6..dfcfcf6a 100644
--- a/crypto/pkcs12/p12_npas.c
+++ b/crypto/pkcs12/p12_npas.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -77,8 +77,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
bags = PKCS12_unpack_p7data(p7);
} else if (bagnid == NID_pkcs7_encrypted) {
bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
- if (!alg_get(p7->d.encrypted->enc_data->algorithm,
- &pbe_nid, &pbe_iter, &pbe_saltlen))
+ if (p7->d.encrypted == NULL
+ || !alg_get(p7->d.encrypted->enc_data->algorithm,
+ &pbe_nid, &pbe_iter, &pbe_saltlen))
goto err;
} else {
continue;
diff --git a/crypto/pkcs7/pk7_attr.c b/crypto/pkcs7/pk7_attr.c
index e9904c59..80b128c3 100644
--- a/crypto/pkcs7/pk7_attr.c
+++ b/crypto/pkcs7/pk7_attr.c
@@ -28,8 +28,12 @@ int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si,
}
seq->length = ASN1_item_i2d((ASN1_VALUE *)cap, &seq->data,
ASN1_ITEM_rptr(X509_ALGORS));
- return PKCS7_add_signed_attribute(si, NID_SMIMECapabilities,
- V_ASN1_SEQUENCE, seq);
+ if (!PKCS7_add_signed_attribute(si, NID_SMIMECapabilities,
+ V_ASN1_SEQUENCE, seq)) {
+ ASN1_STRING_free(seq);
+ return 0;
+ }
+ return 1;
}
STACK_OF(X509_ALGOR) *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si)
@@ -95,12 +99,18 @@ int PKCS7_add_attrib_content_type(PKCS7_SIGNER_INFO *si, ASN1_OBJECT *coid)
int PKCS7_add0_attrib_signing_time(PKCS7_SIGNER_INFO *si, ASN1_TIME *t)
{
- if (t == NULL && (t = X509_gmtime_adj(NULL, 0)) == NULL) {
+ ASN1_TIME *tmp = NULL;
+
+ if (t == NULL && (tmp = t = X509_gmtime_adj(NULL, 0)) == NULL) {
ERR_raise(ERR_LIB_PKCS7, ERR_R_MALLOC_FAILURE);
return 0;
}
- return PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime,
- V_ASN1_UTCTIME, t);
+ if (!PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime,
+ V_ASN1_UTCTIME, t)) {
+ ASN1_TIME_free(tmp);
+ return 0;
+ }
+ return 1;
}
int PKCS7_add1_attrib_digest(PKCS7_SIGNER_INFO *si,
diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c
index 49a0da5f..d23f7a86 100644
--- a/crypto/pkcs7/pk7_mime.c
+++ b/crypto/pkcs7/pk7_mime.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -33,10 +33,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
int ctype_nid = OBJ_obj2nid(p7->type);
const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
- if (ctype_nid == NID_pkcs7_signed)
+ if (ctype_nid == NID_pkcs7_signed) {
+ if (p7->d.sign == NULL)
+ return 0;
mdalgs = p7->d.sign->md_algs;
- else
+ } else {
mdalgs = NULL;
+ }
flags ^= SMIME_OLDMIME;
diff --git a/crypto/poly1305/asm/poly1305-armv8.pl b/crypto/poly1305/asm/poly1305-armv8.pl
index 113a2151..dc39f405 100755
--- a/crypto/poly1305/asm/poly1305-armv8.pl
+++ b/crypto/poly1305/asm/poly1305-armv8.pl
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -85,7 +85,7 @@ poly1305_init:
ldp $r0,$r1,[$inp] // load key
mov $s1,#0xfffffffc0fffffff
movk $s1,#0x0fff,lsl#48
-#ifdef __ARMEB__
+#ifdef __AARCH64EB__
rev $r0,$r0 // flip bytes
rev $r1,$r1
#endif
@@ -132,7 +132,7 @@ poly1305_blocks:
.Loop:
ldp $t0,$t1,[$inp],#16 // load input
sub $len,$len,#16
-#ifdef __ARMEB__
+#ifdef __AARCH64EB__
rev $t0,$t0
rev $t1,$t1
#endif
@@ -197,13 +197,13 @@ poly1305_emit:
csel $h0,$h0,$d0,eq
csel $h1,$h1,$d1,eq
-#ifdef __ARMEB__
+#ifdef __AARCH64EB__
ror $t0,$t0,#32 // flip nonce words
ror $t1,$t1,#32
#endif
adds $h0,$h0,$t0 // accumulate nonce
adc $h1,$h1,$t1
-#ifdef __ARMEB__
+#ifdef __AARCH64EB__
rev $h0,$h0 // flip output bytes
rev $h1,$h1
#endif
@@ -335,7 +335,7 @@ poly1305_blocks_neon:
adcs $h1,$h1,xzr
adc $h2,$h2,xzr
-#ifdef __ARMEB__
+#ifdef __AARCH64EB__
rev $d0,$d0
rev $d1,$d1
#endif
@@ -381,7 +381,7 @@ poly1305_blocks_neon:
ldp $d0,$d1,[$inp],#16 // load input
sub $len,$len,#16
add $s1,$r1,$r1,lsr#2 // s1 = r1 + (r1 >> 2)
-#ifdef __ARMEB__
+#ifdef __AARCH64EB__
rev $d0,$d0
rev $d1,$d1
#endif
@@ -466,7 +466,7 @@ poly1305_blocks_neon:
lsl $padbit,$padbit,#24
add x15,$ctx,#48
-#ifdef __ARMEB__
+#ifdef __AARCH64EB__
rev x8,x8
rev x12,x12
rev x9,x9
@@ -502,7 +502,7 @@ poly1305_blocks_neon:
ld1 {$S2,$R3,$S3,$R4},[x15],#64
ld1 {$S4},[x15]
-#ifdef __ARMEB__
+#ifdef __AARCH64EB__
rev x8,x8
rev x12,x12
rev x9,x9
@@ -563,7 +563,7 @@ poly1305_blocks_neon:
umull $ACC1,$IN23_0,${R1}[2]
ldp x9,x13,[$in2],#48
umull $ACC0,$IN23_0,${R0}[2]
-#ifdef __ARMEB__
+#ifdef __AARCH64EB__
rev x8,x8
rev x12,x12
rev x9,x9
@@ -628,7 +628,7 @@ poly1305_blocks_neon:
umlal $ACC4,$IN01_2,${R2}[0]
umlal $ACC1,$IN01_2,${S4}[0]
umlal $ACC2,$IN01_2,${R0}[0]
-#ifdef __ARMEB__
+#ifdef __AARCH64EB__
rev x8,x8
rev x12,x12
rev x9,x9
@@ -909,13 +909,13 @@ poly1305_emit_neon:
csel $h0,$h0,$d0,eq
csel $h1,$h1,$d1,eq
-#ifdef __ARMEB__
+#ifdef __AARCH64EB__
ror $t0,$t0,#32 // flip nonce words
ror $t1,$t1,#32
#endif
adds $h0,$h0,$t0 // accumulate nonce
adc $h1,$h1,$t1
-#ifdef __ARMEB__
+#ifdef __AARCH64EB__
rev $h0,$h0 // flip output bytes
rev $h1,$h1
#endif
diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl
index 9f86134d..9f9b27ca 100755
--- a/crypto/poly1305/asm/poly1305-ppc.pl
+++ b/crypto/poly1305/asm/poly1305-ppc.pl
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -744,7 +744,7 @@ ___
my $LOCALS= 6*$SIZE_T;
my $VSXFRAME = $LOCALS + 6*$SIZE_T;
$VSXFRAME += 128; # local variables
- $VSXFRAME += 13*16; # v20-v31 offload
+ $VSXFRAME += 12*16; # v20-v31 offload
my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0;
@@ -919,12 +919,12 @@ __poly1305_blocks_vsx:
addi r11,r11,32
stvx v22,r10,$sp
addi r10,r10,32
- stvx v23,r10,$sp
- addi r10,r10,32
- stvx v24,r11,$sp
+ stvx v23,r11,$sp
addi r11,r11,32
- stvx v25,r10,$sp
+ stvx v24,r10,$sp
addi r10,r10,32
+ stvx v25,r11,$sp
+ addi r11,r11,32
stvx v26,r10,$sp
addi r10,r10,32
stvx v27,r11,$sp
@@ -1153,12 +1153,12 @@ __poly1305_blocks_vsx:
addi r11,r11,32
stvx v22,r10,$sp
addi r10,r10,32
- stvx v23,r10,$sp
- addi r10,r10,32
- stvx v24,r11,$sp
+ stvx v23,r11,$sp
addi r11,r11,32
- stvx v25,r10,$sp
+ stvx v24,r10,$sp
addi r10,r10,32
+ stvx v25,r11,$sp
+ addi r11,r11,32
stvx v26,r10,$sp
addi r10,r10,32
stvx v27,r11,$sp
@@ -1899,26 +1899,26 @@ Ldone_vsx:
mtspr 256,r12 # restore vrsave
lvx v20,r10,$sp
addi r10,r10,32
- lvx v21,r10,$sp
- addi r10,r10,32
- lvx v22,r11,$sp
+ lvx v21,r11,$sp
addi r11,r11,32
- lvx v23,r10,$sp
+ lvx v22,r10,$sp
addi r10,r10,32
- lvx v24,r11,$sp
+ lvx v23,r11,$sp
addi r11,r11,32
- lvx v25,r10,$sp
+ lvx v24,r10,$sp
addi r10,r10,32
- lvx v26,r11,$sp
+ lvx v25,r11,$sp
addi r11,r11,32
- lvx v27,r10,$sp
+ lvx v26,r10,$sp
addi r10,r10,32
- lvx v28,r11,$sp
+ lvx v27,r11,$sp
addi r11,r11,32
- lvx v29,r10,$sp
+ lvx v28,r10,$sp
addi r10,r10,32
- lvx v30,r11,$sp
- lvx v31,r10,$sp
+ lvx v29,r11,$sp
+ addi r11,r11,32
+ lvx v30,r10,$sp
+ lvx v31,r11,$sp
$POP r27,`$VSXFRAME-$SIZE_T*5`($sp)
$POP r28,`$VSXFRAME-$SIZE_T*4`($sp)
$POP r29,`$VSXFRAME-$SIZE_T*3`($sp)
diff --git a/crypto/property/property_parse.c b/crypto/property/property_parse.c
index ca2bd333..19ea39a7 100644
--- a/crypto/property/property_parse.c
+++ b/crypto/property/property_parse.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@@ -97,9 +97,18 @@ static int parse_number(const char *t[], OSSL_PROPERTY_DEFINITION *res)
const char *s = *t;
int64_t v = 0;
- if (!ossl_isdigit(*s))
- return 0;
do {
+ if (!ossl_isdigit(*s)) {
+ ERR_raise_data(ERR_LIB_PROP, PROP_R_NOT_A_DECIMAL_DIGIT,
+ "HERE-->%s", *t);
+ return 0;
+ }
+ /* overflow check */
+ if (v > ((INT64_MAX - (*s - '0')) / 10)) {
+ ERR_raise_data(ERR_LIB_PROP, PROP_R_PARSE_FAILED,
+ "Property %s overflows", *t);
+ return 0;
+ }
v = v * 10 + (*s++ - '0');
} while (ossl_isdigit(*s));
if (!ossl_isspace(*s) && *s != '\0' && *s != ',') {
@@ -117,15 +126,27 @@ static int parse_hex(const char *t[], OSSL_PROPERTY_DEFINITION *res)
{
const char *s = *t;
int64_t v = 0;
+ int sval;
- if (!ossl_isxdigit(*s))
- return 0;
do {
+ if (ossl_isdigit(*s)) {
+ sval = *s - '0';
+ } else if (ossl_isxdigit(*s)) {
+ sval = ossl_tolower(*s) - 'a' + 10;
+ } else {
+ ERR_raise_data(ERR_LIB_PROP, PROP_R_NOT_AN_HEXADECIMAL_DIGIT,
+ "%s", *t);
+ return 0;
+ }
+
+ if (v > ((INT64_MAX - sval) / 16)) {
+ ERR_raise_data(ERR_LIB_PROP, PROP_R_PARSE_FAILED,
+ "Property %s overflows", *t);
+ return 0;
+ }
+
v <<= 4;
- if (ossl_isdigit(*s))
- v += *s - '0';
- else
- v += ossl_tolower(*s) - 'a';
+ v += sval;
} while (ossl_isxdigit(*++s));
if (!ossl_isspace(*s) && *s != '\0' && *s != ',') {
ERR_raise_data(ERR_LIB_PROP, PROP_R_NOT_AN_HEXADECIMAL_DIGIT,
@@ -143,9 +164,18 @@ static int parse_oct(const char *t[], OSSL_PROPERTY_DEFINITION *res)
const char *s = *t;
int64_t v = 0;
- if (*s == '9' || *s == '8' || !ossl_isdigit(*s))
- return 0;
do {
+ if (*s == '9' || *s == '8' || !ossl_isdigit(*s)) {
+ ERR_raise_data(ERR_LIB_PROP, PROP_R_NOT_AN_OCTAL_DIGIT,
+ "HERE-->%s", *t);
+ return 0;
+ }
+ if (v > ((INT64_MAX - (*s - '0')) / 8)) {
+ ERR_raise_data(ERR_LIB_PROP, PROP_R_PARSE_FAILED,
+ "Property %s overflows", *t);
+ return 0;
+ }
+
v = (v << 3) + (*s - '0');
} while (ossl_isdigit(*++s) && *s != '9' && *s != '8');
if (!ossl_isspace(*s) && *s != '\0' && *s != ',') {
@@ -588,15 +618,38 @@ static void put_char(char ch, char **buf, size_t *remain, size_t *needed)
static void put_str(const char *str, char **buf, size_t *remain, size_t *needed)
{
- size_t olen, len;
+ size_t olen, len, i;
+ char quote = '\0';
+ int quotes;
len = olen = strlen(str);
*needed += len;
- if (*remain == 0)
+ /*
+ * Check to see if we need quotes or not.
+ * Characters that are legal in a PropertyName don't need quoting.
+ * We simply assume all others require quotes.
+ */
+ for (i = 0; i < len; i++)
+ if (!ossl_isalnum(str[i]) && str[i] != '.' && str[i] != '_') {
+ /* Default to single quotes ... */
+ if (quote == '\0')
+ quote = '\'';
+ /* ... but use double quotes if a single is present */
+ if (str[i] == '\'')
+ quote = '"';
+ }
+
+ quotes = quote != '\0';
+ if (*remain == 0) {
+ *needed += 2 * quotes;
return;
+ }
- if (*remain < len + 1)
+ if (quotes)
+ put_char(quote, buf, remain, needed);
+
+ if (*remain < len + 1 + quotes)
len = *remain - 1;
if (len > 0) {
@@ -605,6 +658,9 @@ static void put_str(const char *str, char **buf, size_t *remain, size_t *needed)
*remain -= len;
}
+ if (quotes)
+ put_char(quote, buf, remain, needed);
+
if (len < olen && *remain == 1) {
**buf = '\0';
++*buf;
diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
index c13c887c..9333b877 100644
--- a/crypto/provider_conf.c
+++ b/crypto/provider_conf.c
@@ -70,13 +70,22 @@ static const char *skip_dot(const char *name)
return name;
}
-static int provider_conf_params(OSSL_PROVIDER *prov,
- OSSL_PROVIDER_INFO *provinfo,
- const char *name, const char *value,
- const CONF *cnf)
+/*
+ * Parse the provider params section
+ * Returns:
+ * 1 for success
+ * 0 for non-fatal errors
+ * < 0 for fatal errors
+ */
+static int provider_conf_params_internal(OSSL_PROVIDER *prov,
+ OSSL_PROVIDER_INFO *provinfo,
+ const char *name, const char *value,
+ const CONF *cnf,
+ STACK_OF(OPENSSL_CSTRING) *visited)
{
STACK_OF(CONF_VALUE) *sect;
int ok = 1;
+ int rc = 0;
sect = NCONF_get_section(cnf, value);
if (sect != NULL) {
@@ -86,6 +95,25 @@ static int provider_conf_params(OSSL_PROVIDER *prov,
OSSL_TRACE1(CONF, "Provider params: start section %s\n", value);
+ /*
+ * Check to see if the provided section value has already
+ * been visited. If it has, then we have a recursive lookup
+ * in the configuration which isn't valid. As such we should error
+ * out
+ */
+ for (i = 0; i < sk_OPENSSL_CSTRING_num(visited); i++) {
+ if (sk_OPENSSL_CSTRING_value(visited, i) == value) {
+ ERR_raise(ERR_LIB_CONF, CONF_R_RECURSIVE_SECTION_REFERENCE);
+ return -1;
+ }
+ }
+
+ /*
+ * We've not visited this node yet, so record it on the stack
+ */
+ if (!sk_OPENSSL_CSTRING_push(visited, value))
+ return -1;
+
if (name != NULL) {
OPENSSL_strlcpy(buffer, name, sizeof(buffer));
OPENSSL_strlcat(buffer, ".", sizeof(buffer));
@@ -95,14 +123,20 @@ static int provider_conf_params(OSSL_PROVIDER *prov,
for (i = 0; i < sk_CONF_VALUE_num(sect); i++) {
CONF_VALUE *sectconf = sk_CONF_VALUE_value(sect, i);
- if (buffer_len + strlen(sectconf->name) >= sizeof(buffer))
- return 0;
+ if (buffer_len + strlen(sectconf->name) >= sizeof(buffer)) {
+ sk_OPENSSL_CSTRING_pop(visited);
+ return -1;
+ }
buffer[buffer_len] = '\0';
OPENSSL_strlcat(buffer, sectconf->name, sizeof(buffer));
- if (!provider_conf_params(prov, provinfo, buffer, sectconf->value,
- cnf))
- return 0;
+ rc = provider_conf_params_internal(prov, provinfo, buffer,
+ sectconf->value, cnf, visited);
+ if (rc < 0) {
+ sk_OPENSSL_CSTRING_pop(visited);
+ return rc;
+ }
}
+ sk_OPENSSL_CSTRING_pop(visited);
OSSL_TRACE1(CONF, "Provider params: finish section %s\n", value);
} else {
@@ -116,6 +150,33 @@ static int provider_conf_params(OSSL_PROVIDER *prov,
return ok;
}
+/*
+ * recursively parse the provider configuration section
+ * of the config file.
+ * Returns
+ * 1 on success
+ * 0 on non-fatal error
+ * < 0 on fatal errors
+ */
+static int provider_conf_params(OSSL_PROVIDER *prov,
+ OSSL_PROVIDER_INFO *provinfo,
+ const char *name, const char *value,
+ const CONF *cnf)
+{
+ int rc;
+ STACK_OF(OPENSSL_CSTRING) *visited = sk_OPENSSL_CSTRING_new_null();
+
+ if (visited == NULL)
+ return -1;
+
+ rc = provider_conf_params_internal(prov, provinfo, name,
+ value, cnf, visited);
+
+ sk_OPENSSL_CSTRING_free(visited);
+
+ return rc;
+}
+
static int prov_already_activated(const char *name,
STACK_OF(OSSL_PROVIDER) *activated)
{
@@ -146,6 +207,7 @@ static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
const char *path = NULL;
long activate = 0;
int ok = 0;
+ int added = 0;
name = skip_dot(name);
OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
@@ -218,7 +280,7 @@ static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
ok = provider_conf_params(prov, NULL, NULL, value, cnf);
- if (ok) {
+ if (ok > 0) {
if (!ossl_provider_activate(prov, 1, 0)) {
ok = 0;
} else if (!ossl_provider_add_to_store(prov, &actual, 0)) {
@@ -242,7 +304,7 @@ static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
}
}
}
- if (!ok)
+ if (ok <= 0)
ossl_provider_free(prov);
}
CRYPTO_THREAD_unlock(pcgbl->lock);
@@ -267,19 +329,23 @@ static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
}
if (ok)
ok = provider_conf_params(NULL, &entry, NULL, value, cnf);
- if (ok && (entry.path != NULL || entry.parameters != NULL))
+ if (ok >= 1 && (entry.path != NULL || entry.parameters != NULL)) {
ok = ossl_provider_info_add_to_store(libctx, &entry);
- if (!ok || (entry.path == NULL && entry.parameters == NULL)) {
- ossl_provider_info_clear(&entry);
+ added = 1;
}
-
+ if (added == 0)
+ ossl_provider_info_clear(&entry);
}
/*
- * Even if ok is 0, we still return success. Failure to load a provider is
- * not fatal. We want to continue to load the rest of the config file.
+ * Provider activation returns a tristate:
+ * 1 for successful activation
+ * 0 for non-fatal activation failure
+ * < 0 for fatal activation failure
+ * We return success (1) for activation, (1) for non-fatal activation
+ * failure, and (0) for fatal activation failure
*/
- return 1;
+ return ok >= 0;
}
static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
@@ -302,7 +368,7 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
for (i = 0; i < sk_CONF_VALUE_num(elist); i++) {
cval = sk_CONF_VALUE_value(elist, i);
if (!provider_conf_load(NCONF_get0_libctx((CONF *)cnf),
- cval->name, cval->value, cnf))
+ cval->name, cval->value, cnf))
return 0;
}
diff --git a/crypto/provider_core.c b/crypto/provider_core.c
index 92cce32c..4cadb6a9 100644
--- a/crypto/provider_core.c
+++ b/crypto/provider_core.c
@@ -936,44 +936,46 @@ static int provider_init(OSSL_PROVIDER *prov)
prov->provctx = tmp_provctx;
prov->dispatch = provider_dispatch;
- for (; provider_dispatch->function_id != 0; provider_dispatch++) {
- switch (provider_dispatch->function_id) {
- case OSSL_FUNC_PROVIDER_TEARDOWN:
- prov->teardown =
- OSSL_FUNC_provider_teardown(provider_dispatch);
- break;
- case OSSL_FUNC_PROVIDER_GETTABLE_PARAMS:
- prov->gettable_params =
- OSSL_FUNC_provider_gettable_params(provider_dispatch);
- break;
- case OSSL_FUNC_PROVIDER_GET_PARAMS:
- prov->get_params =
- OSSL_FUNC_provider_get_params(provider_dispatch);
- break;
- case OSSL_FUNC_PROVIDER_SELF_TEST:
- prov->self_test =
- OSSL_FUNC_provider_self_test(provider_dispatch);
- break;
- case OSSL_FUNC_PROVIDER_GET_CAPABILITIES:
- prov->get_capabilities =
- OSSL_FUNC_provider_get_capabilities(provider_dispatch);
- break;
- case OSSL_FUNC_PROVIDER_QUERY_OPERATION:
- prov->query_operation =
- OSSL_FUNC_provider_query_operation(provider_dispatch);
- break;
- case OSSL_FUNC_PROVIDER_UNQUERY_OPERATION:
- prov->unquery_operation =
- OSSL_FUNC_provider_unquery_operation(provider_dispatch);
- break;
+ if (provider_dispatch != NULL) {
+ for (; provider_dispatch->function_id != 0; provider_dispatch++) {
+ switch (provider_dispatch->function_id) {
+ case OSSL_FUNC_PROVIDER_TEARDOWN:
+ prov->teardown =
+ OSSL_FUNC_provider_teardown(provider_dispatch);
+ break;
+ case OSSL_FUNC_PROVIDER_GETTABLE_PARAMS:
+ prov->gettable_params =
+ OSSL_FUNC_provider_gettable_params(provider_dispatch);
+ break;
+ case OSSL_FUNC_PROVIDER_GET_PARAMS:
+ prov->get_params =
+ OSSL_FUNC_provider_get_params(provider_dispatch);
+ break;
+ case OSSL_FUNC_PROVIDER_SELF_TEST:
+ prov->self_test =
+ OSSL_FUNC_provider_self_test(provider_dispatch);
+ break;
+ case OSSL_FUNC_PROVIDER_GET_CAPABILITIES:
+ prov->get_capabilities =
+ OSSL_FUNC_provider_get_capabilities(provider_dispatch);
+ break;
+ case OSSL_FUNC_PROVIDER_QUERY_OPERATION:
+ prov->query_operation =
+ OSSL_FUNC_provider_query_operation(provider_dispatch);
+ break;
+ case OSSL_FUNC_PROVIDER_UNQUERY_OPERATION:
+ prov->unquery_operation =
+ OSSL_FUNC_provider_unquery_operation(provider_dispatch);
+ break;
#ifndef OPENSSL_NO_ERR
# ifndef FIPS_MODULE
- case OSSL_FUNC_PROVIDER_GET_REASON_STRINGS:
- p_get_reason_strings =
- OSSL_FUNC_provider_get_reason_strings(provider_dispatch);
- break;
+ case OSSL_FUNC_PROVIDER_GET_REASON_STRINGS:
+ p_get_reason_strings =
+ OSSL_FUNC_provider_get_reason_strings(provider_dispatch);
+ break;
# endif
#endif
+ }
}
}
diff --git a/crypto/rsa/rsa_backend.c b/crypto/rsa/rsa_backend.c
index 58187fa2..f9d1cb36 100644
--- a/crypto/rsa/rsa_backend.c
+++ b/crypto/rsa/rsa_backend.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -141,18 +141,6 @@ int ossl_rsa_todata(RSA *rsa, OSSL_PARAM_BLD *bld, OSSL_PARAM params[],
/* Check private key data integrity */
if (include_private && rsa_d != NULL) {
- int numprimes = sk_BIGNUM_const_num(factors);
- int numexps = sk_BIGNUM_const_num(exps);
- int numcoeffs = sk_BIGNUM_const_num(coeffs);
-
- /*
- * It's permissible to have zero primes, i.e. no CRT params.
- * Otherwise, there must be at least two, as many exponents,
- * and one coefficient less.
- */
- if (numprimes != 0
- && (numprimes < 2 || numexps < 2 || numcoeffs < 1))
- goto err;
if (!ossl_param_build_set_bn(bld, params, OSSL_PKEY_PARAM_RSA_D,
rsa_d)
diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c
index 449097b8..c9c661b1 100644
--- a/crypto/rsa/rsa_lib.c
+++ b/crypto/rsa/rsa_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -753,18 +753,22 @@ int ossl_rsa_set0_all_params(RSA *r, const STACK_OF(BIGNUM) *primes,
return 0;
pnum = sk_BIGNUM_num(primes);
- if (pnum < 2
- || pnum != sk_BIGNUM_num(exps)
- || pnum != sk_BIGNUM_num(coeffs) + 1)
+ if (pnum < 2)
return 0;
if (!RSA_set0_factors(r, sk_BIGNUM_value(primes, 0),
- sk_BIGNUM_value(primes, 1))
- || !RSA_set0_crt_params(r, sk_BIGNUM_value(exps, 0),
- sk_BIGNUM_value(exps, 1),
- sk_BIGNUM_value(coeffs, 0)))
+ sk_BIGNUM_value(primes, 1)))
return 0;
+ if (pnum == sk_BIGNUM_num(exps)
+ && pnum == sk_BIGNUM_num(coeffs) + 1) {
+
+ if (!RSA_set0_crt_params(r, sk_BIGNUM_value(exps, 0),
+ sk_BIGNUM_value(exps, 1),
+ sk_BIGNUM_value(coeffs, 0)))
+ return 0;
+ }
+
#ifndef FIPS_MODULE
old_infos = r->prime_infos;
#endif
@@ -995,6 +999,10 @@ int EVP_PKEY_CTX_set_rsa_pss_keygen_md_name(EVP_PKEY_CTX *ctx,
*/
int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md)
{
+ /* If key type not RSA return error */
+ if (!EVP_PKEY_CTX_is_a(ctx, "RSA"))
+ return -1;
+
return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)(md));
}
@@ -1022,6 +1030,10 @@ int EVP_PKEY_CTX_get_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, char *name,
*/
int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **md)
{
+ /* If key type not RSA return error */
+ if (!EVP_PKEY_CTX_is_a(ctx, "RSA"))
+ return -1;
+
return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)md);
}
@@ -1084,6 +1096,12 @@ int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **md)
int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen)
{
OSSL_PARAM rsa_params[2], *p = rsa_params;
+ const char *empty = "";
+ /*
+ * Needed as we swap label with empty if it is NULL, and label is
+ * freed at the end of this function.
+ */
+ void *plabel = label;
int ret;
if (ctx == NULL || !EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) {
@@ -1096,9 +1114,13 @@ int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen)
if (!EVP_PKEY_CTX_is_a(ctx, "RSA"))
return -1;
+ /* Accept NULL for backward compatibility */
+ if (label == NULL && llen == 0)
+ plabel = (void *)empty;
+
/* Cast away the const. This is read only so should be safe */
*p++ = OSSL_PARAM_construct_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL,
- (void *)label, (size_t)llen);
+ (void *)plabel, (size_t)llen);
*p++ = OSSL_PARAM_construct_end();
ret = evp_pkey_ctx_set_params_strict(ctx, rsa_params);
diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
index fc8f19b4..df81397f 100644
--- a/crypto/rsa/rsa_sp800_56b_check.c
+++ b/crypto/rsa/rsa_sp800_56b_check.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
return 0;
nbits = BN_num_bits(rsa->n);
+ if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
+ return 0;
+ }
+
#ifdef FIPS_MODULE
/*
* (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1)
@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
goto err;
}
- ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status);
+ /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */
+ ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status);
#ifdef FIPS_MODULE
if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) {
#else
diff --git a/crypto/x509/t_req.c b/crypto/x509/t_req.c
index 095c1651..63626c0d 100644
--- a/crypto/x509/t_req.c
+++ b/crypto/x509/t_req.c
@@ -42,15 +42,15 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags,
EVP_PKEY *pkey;
STACK_OF(X509_EXTENSION) *exts;
char mlch = ' ';
- int nmindent = 0;
+ int nmindent = 0, printok = 0;
if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
mlch = '\n';
nmindent = 12;
}
- if (nmflags == X509_FLAG_COMPAT)
- nmindent = 16;
+ if (nmflags == XN_FLAG_COMPAT)
+ printok = 1;
if (!(cflag & X509_FLAG_NO_HEADER)) {
if (BIO_write(bp, "Certificate Request:\n", 21) <= 0)
@@ -72,7 +72,7 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags,
if (BIO_printf(bp, " Subject:%c", mlch) <= 0)
goto err;
if (X509_NAME_print_ex(bp, X509_REQ_get_subject_name(x),
- nmindent, nmflags) < 0)
+ nmindent, nmflags) < printok)
goto err;
if (BIO_write(bp, "\n", 1) <= 0)
goto err;
diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index 95ee5f51..5b0282bc 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -60,10 +60,8 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
nmindent = 12;
}
- if (nmflags == X509_FLAG_COMPAT) {
- nmindent = 16;
+ if (nmflags == XN_FLAG_COMPAT)
printok = 1;
- }
if (!(cflag & X509_FLAG_NO_HEADER)) {
if (BIO_write(bp, "Certificate:\n", 13) <= 0)
diff --git a/crypto/x509/v3_addr.c b/crypto/x509/v3_addr.c
index db010720..4930f331 100644
--- a/crypto/x509/v3_addr.c
+++ b/crypto/x509/v3_addr.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -972,6 +972,10 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
* the other input values.
*/
if (safi != NULL) {
+ if (val->value == NULL) {
+ ERR_raise(ERR_LIB_X509V3, X509V3_R_MISSING_VALUE);
+ goto err;
+ }
*safi = strtoul(val->value, &t, 0);
t += strspn(t, " \t");
if (*safi > 0xFF || *t++ != ':') {
diff --git a/crypto/x509/v3_asid.c b/crypto/x509/v3_asid.c
index 86577d6c..c2b6f8a6 100644
--- a/crypto/x509/v3_asid.c
+++ b/crypto/x509/v3_asid.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -169,8 +169,11 @@ int X509v3_asid_add_inherit(ASIdentifiers *asid, int which)
if (*choice == NULL) {
if ((*choice = ASIdentifierChoice_new()) == NULL)
return 0;
- if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL)
+ if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL) {
+ ASIdentifierChoice_free(*choice);
+ *choice = NULL;
return 0;
+ }
(*choice)->type = ASIdentifierChoice_inherit;
}
return (*choice)->type == ASIdentifierChoice_inherit;
@@ -196,18 +199,23 @@ int X509v3_asid_add_id_or_range(ASIdentifiers *asid,
default:
return 0;
}
- if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit)
+ if (*choice != NULL && (*choice)->type != ASIdentifierChoice_asIdsOrRanges)
return 0;
if (*choice == NULL) {
if ((*choice = ASIdentifierChoice_new()) == NULL)
return 0;
(*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp);
- if ((*choice)->u.asIdsOrRanges == NULL)
+ if ((*choice)->u.asIdsOrRanges == NULL) {
+ ASIdentifierChoice_free(*choice);
+ *choice = NULL;
return 0;
+ }
(*choice)->type = ASIdentifierChoice_asIdsOrRanges;
}
if ((aor = ASIdOrRange_new()) == NULL)
return 0;
+ if (!sk_ASIdOrRange_reserve((*choice)->u.asIdsOrRanges, 1))
+ goto err;
if (max == NULL) {
aor->type = ASIdOrRange_id;
aor->u.id = min;
@@ -220,7 +228,8 @@ int X509v3_asid_add_id_or_range(ASIdentifiers *asid,
ASN1_INTEGER_free(aor->u.range->max);
aor->u.range->max = max;
}
- if (!(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor)))
+ /* Cannot fail due to the reservation above */
+ if (!ossl_assert(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor)))
goto err;
return 1;
@@ -538,6 +547,11 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
goto err;
}
+ if (val->value == NULL) {
+ ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_VALUE_ERROR);
+ goto err;
+ }
+
/*
* Handle inheritance.
*/
diff --git a/crypto/x509/v3_crld.c b/crypto/x509/v3_crld.c
index 0289df4d..07c8379d 100644
--- a/crypto/x509/v3_crld.c
+++ b/crypto/x509/v3_crld.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -70,6 +70,11 @@ static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx,
STACK_OF(GENERAL_NAME) *fnm = NULL;
STACK_OF(X509_NAME_ENTRY) *rnm = NULL;
+ if (cnf->value == NULL) {
+ ERR_raise(ERR_LIB_X509V3, X509V3_R_MISSING_VALUE);
+ goto err;
+ }
+
if (strncmp(cnf->name, "fullname", 9) == 0) {
fnm = gnames_from_sectname(ctx, cnf->value);
if (!fnm)
diff --git a/crypto/x509/v3_ist.c b/crypto/x509/v3_ist.c
index 4a3cfa12..96c40a39 100644
--- a/crypto/x509/v3_ist.c
+++ b/crypto/x509/v3_ist.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -50,25 +50,33 @@ static ISSUER_SIGN_TOOL *v2i_issuer_sign_tool(X509V3_EXT_METHOD *method, X509V3_
}
if (strcmp(cnf->name, "signTool") == 0) {
ist->signTool = ASN1_UTF8STRING_new();
- if (ist->signTool == NULL || !ASN1_STRING_set(ist->signTool, cnf->value, strlen(cnf->value))) {
+ if (ist->signTool == NULL
+ || cnf->value == NULL
+ || !ASN1_STRING_set(ist->signTool, cnf->value, strlen(cnf->value))) {
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
goto err;
}
} else if (strcmp(cnf->name, "cATool") == 0) {
ist->cATool = ASN1_UTF8STRING_new();
- if (ist->cATool == NULL || !ASN1_STRING_set(ist->cATool, cnf->value, strlen(cnf->value))) {
+ if (ist->cATool == NULL
+ || cnf->value == NULL
+ || !ASN1_STRING_set(ist->cATool, cnf->value, strlen(cnf->value))) {
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
goto err;
}
} else if (strcmp(cnf->name, "signToolCert") == 0) {
ist->signToolCert = ASN1_UTF8STRING_new();
- if (ist->signToolCert == NULL || !ASN1_STRING_set(ist->signToolCert, cnf->value, strlen(cnf->value))) {
+ if (ist->signToolCert == NULL
+ || cnf->value == NULL
+ || !ASN1_STRING_set(ist->signToolCert, cnf->value, strlen(cnf->value))) {
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
goto err;
}
} else if (strcmp(cnf->name, "cAToolCert") == 0) {
ist->cAToolCert = ASN1_UTF8STRING_new();
- if (ist->cAToolCert == NULL || !ASN1_STRING_set(ist->cAToolCert, cnf->value, strlen(cnf->value))) {
+ if (ist->cAToolCert == NULL
+ || cnf->value == NULL
+ || !ASN1_STRING_set(ist->cAToolCert, cnf->value, strlen(cnf->value))) {
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
goto err;
}
diff --git a/crypto/x509/v3_san.c b/crypto/x509/v3_san.c
index c081f02e..34ca16a6 100644
--- a/crypto/x509/v3_san.c
+++ b/crypto/x509/v3_san.c
@@ -581,6 +581,8 @@ GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
if ((gen->d.ia5 = ASN1_IA5STRING_new()) == NULL ||
!ASN1_STRING_set(gen->d.ia5, (unsigned char *)value,
strlen(value))) {
+ ASN1_IA5STRING_free(gen->d.ia5);
+ gen->d.ia5 = NULL;
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -651,16 +653,21 @@ static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
*/
ASN1_TYPE_free(gen->d.otherName->value);
if ((gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)) == NULL)
- return 0;
+ goto err;
objlen = p - value;
objtmp = OPENSSL_strndup(value, objlen);
if (objtmp == NULL)
- return 0;
+ goto err;
gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
OPENSSL_free(objtmp);
if (!gen->d.otherName->type_id)
- return 0;
+ goto err;
return 1;
+
+ err:
+ OTHERNAME_free(gen->d.otherName);
+ gen->d.otherName = NULL;
+ return 0;
}
static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
diff --git a/crypto/x509/v3_sxnet.c b/crypto/x509/v3_sxnet.c
index ca46dc1a..70f5db63 100644
--- a/crypto/x509/v3_sxnet.c
+++ b/crypto/x509/v3_sxnet.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -103,8 +103,10 @@ static SXNET *sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
int i;
for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
cnf = sk_CONF_VALUE_value(nval, i);
- if (!SXNET_add_id_asc(&sx, cnf->name, cnf->value, -1))
+ if (!SXNET_add_id_asc(&sx, cnf->name, cnf->value, -1)) {
+ SXNET_free(sx);
return NULL;
+ }
}
return sx;
}
@@ -123,7 +125,11 @@ int SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user, int userle
ERR_raise(ERR_LIB_X509V3, X509V3_R_ERROR_CONVERTING_ZONE);
return 0;
}
- return SXNET_add_id_INTEGER(psx, izone, user, userlen);
+ if (!SXNET_add_id_INTEGER(psx, izone, user, userlen)) {
+ ASN1_INTEGER_free(izone);
+ return 0;
+ }
+ return 1;
}
/* Add an id given the zone as an unsigned long */
@@ -139,8 +145,11 @@ int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user,
ASN1_INTEGER_free(izone);
return 0;
}
- return SXNET_add_id_INTEGER(psx, izone, user, userlen);
-
+ if (!SXNET_add_id_INTEGER(psx, izone, user, userlen)) {
+ ASN1_INTEGER_free(izone);
+ return 0;
+ }
+ return 1;
}
/*
@@ -187,6 +196,7 @@ int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, const char *user,
goto err;
if (!sk_SXNETID_push(sx->ids, id))
goto err;
+ ASN1_INTEGER_free(id->zone);
id->zone = zone;
*psx = sx;
return 1;
diff --git a/crypto/x509/x509_att.c b/crypto/x509/x509_att.c
index d9fe7a37..6a541d79 100644
--- a/crypto/x509/x509_att.c
+++ b/crypto/x509/x509_att.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -71,8 +71,8 @@ X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc)
return ret;
}
-STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
- X509_ATTRIBUTE *attr)
+STACK_OF(X509_ATTRIBUTE) *ossl_x509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
+ X509_ATTRIBUTE *attr)
{
X509_ATTRIBUTE *new_attr = NULL;
STACK_OF(X509_ATTRIBUTE) *sk = NULL;
@@ -82,11 +82,6 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
return NULL;
}
- if (*x != NULL && X509at_get_attr_by_OBJ(*x, attr->object, -1) != -1) {
- ERR_raise(ERR_LIB_X509, X509_R_DUPLICATE_ATTRIBUTE);
- return NULL;
- }
-
if (*x == NULL) {
if ((sk = sk_X509_ATTRIBUTE_new_null()) == NULL)
goto err;
@@ -110,18 +105,68 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
return NULL;
}
+STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
+ X509_ATTRIBUTE *attr)
+{
+ if (x == NULL || attr == NULL) {
+ ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
+ return NULL;
+ }
+ if (*x != NULL && X509at_get_attr_by_OBJ(*x, attr->object, -1) != -1) {
+ ERR_raise(ERR_LIB_X509, X509_R_DUPLICATE_ATTRIBUTE);
+ return NULL;
+ }
+
+ return ossl_x509at_add1_attr(x, attr);
+}
+
+STACK_OF(X509_ATTRIBUTE) *ossl_x509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
+ const ASN1_OBJECT *obj,
+ int type,
+ const unsigned char *bytes,
+ int len)
+{
+ X509_ATTRIBUTE *attr;
+ STACK_OF(X509_ATTRIBUTE) *ret;
+
+ attr = X509_ATTRIBUTE_create_by_OBJ(NULL, obj, type, bytes, len);
+ if (attr == NULL)
+ return 0;
+ ret = ossl_x509at_add1_attr(x, attr);
+ X509_ATTRIBUTE_free(attr);
+ return ret;
+}
+
STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE)
**x, const ASN1_OBJECT *obj,
int type,
const unsigned char *bytes,
int len)
+{
+ if (x == NULL || obj == NULL) {
+ ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
+ return NULL;
+ }
+ if (*x != NULL && X509at_get_attr_by_OBJ(*x, obj, -1) != -1) {
+ ERR_raise(ERR_LIB_X509, X509_R_DUPLICATE_ATTRIBUTE);
+ return NULL;
+ }
+
+ return ossl_x509at_add1_attr_by_OBJ(x, obj, type, bytes, len);
+}
+
+STACK_OF(X509_ATTRIBUTE) *ossl_x509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
+ int nid, int type,
+ const unsigned char *bytes,
+ int len)
{
X509_ATTRIBUTE *attr;
STACK_OF(X509_ATTRIBUTE) *ret;
- attr = X509_ATTRIBUTE_create_by_OBJ(NULL, obj, type, bytes, len);
- if (!attr)
+
+ attr = X509_ATTRIBUTE_create_by_NID(NULL, nid, type, bytes, len);
+ if (attr == NULL)
return 0;
- ret = X509at_add1_attr(x, attr);
+ ret = ossl_x509at_add1_attr(x, attr);
X509_ATTRIBUTE_free(attr);
return ret;
}
@@ -130,13 +175,32 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE)
**x, int nid, int type,
const unsigned char *bytes,
int len)
+{
+ if (x == NULL) {
+ ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
+ return NULL;
+ }
+ if (*x != NULL && X509at_get_attr_by_NID(*x, nid, -1) != -1) {
+ ERR_raise(ERR_LIB_X509, X509_R_DUPLICATE_ATTRIBUTE);
+ return NULL;
+ }
+
+ return ossl_x509at_add1_attr_by_NID(x, nid, type, bytes, len);
+}
+
+STACK_OF(X509_ATTRIBUTE) *ossl_x509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
+ const char *attrname,
+ int type,
+ const unsigned char *bytes,
+ int len)
{
X509_ATTRIBUTE *attr;
STACK_OF(X509_ATTRIBUTE) *ret;
- attr = X509_ATTRIBUTE_create_by_NID(NULL, nid, type, bytes, len);
- if (!attr)
+
+ attr = X509_ATTRIBUTE_create_by_txt(NULL, attrname, type, bytes, len);
+ if (attr == NULL)
return 0;
- ret = X509at_add1_attr(x, attr);
+ ret = ossl_x509at_add1_attr(x, attr);
X509_ATTRIBUTE_free(attr);
return ret;
}
diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
index 5428bdaf..0434fbbc 100644
--- a/crypto/x509/x509_req.c
+++ b/crypto/x509/x509_req.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -219,7 +219,7 @@ X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc)
if (req == NULL) {
ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
- return 0;
+ return NULL;
}
attr = X509at_delete_attr(req->req_info.attributes, loc);
if (attr != NULL)
diff --git a/doc/build.info b/doc/build.info
index 00dc1507..0279e239 100644
--- a/doc/build.info
+++ b/doc/build.info
@@ -843,6 +843,10 @@ DEPEND[html/man3/CMS_sign_receipt.html]=man3/CMS_sign_receipt.pod
GENERATE[html/man3/CMS_sign_receipt.html]=man3/CMS_sign_receipt.pod
DEPEND[man/man3/CMS_sign_receipt.3]=man3/CMS_sign_receipt.pod
GENERATE[man/man3/CMS_sign_receipt.3]=man3/CMS_sign_receipt.pod
+DEPEND[html/man3/CMS_signed_get_attr.html]=man3/CMS_signed_get_attr.pod
+GENERATE[html/man3/CMS_signed_get_attr.html]=man3/CMS_signed_get_attr.pod
+DEPEND[man/man3/CMS_signed_get_attr.3]=man3/CMS_signed_get_attr.pod
+GENERATE[man/man3/CMS_signed_get_attr.3]=man3/CMS_signed_get_attr.pod
DEPEND[html/man3/CMS_uncompress.html]=man3/CMS_uncompress.pod
GENERATE[html/man3/CMS_uncompress.html]=man3/CMS_uncompress.pod
DEPEND[man/man3/CMS_uncompress.3]=man3/CMS_uncompress.pod
@@ -1239,6 +1243,10 @@ DEPEND[html/man3/EVP_PKEY_fromdata.html]=man3/EVP_PKEY_fromdata.pod
GENERATE[html/man3/EVP_PKEY_fromdata.html]=man3/EVP_PKEY_fromdata.pod
DEPEND[man/man3/EVP_PKEY_fromdata.3]=man3/EVP_PKEY_fromdata.pod
GENERATE[man/man3/EVP_PKEY_fromdata.3]=man3/EVP_PKEY_fromdata.pod
+DEPEND[html/man3/EVP_PKEY_get_attr.html]=man3/EVP_PKEY_get_attr.pod
+GENERATE[html/man3/EVP_PKEY_get_attr.html]=man3/EVP_PKEY_get_attr.pod
+DEPEND[man/man3/EVP_PKEY_get_attr.3]=man3/EVP_PKEY_get_attr.pod
+GENERATE[man/man3/EVP_PKEY_get_attr.3]=man3/EVP_PKEY_get_attr.pod
DEPEND[html/man3/EVP_PKEY_get_default_digest_nid.html]=man3/EVP_PKEY_get_default_digest_nid.pod
GENERATE[html/man3/EVP_PKEY_get_default_digest_nid.html]=man3/EVP_PKEY_get_default_digest_nid.pod
DEPEND[man/man3/EVP_PKEY_get_default_digest_nid.3]=man3/EVP_PKEY_get_default_digest_nid.pod
@@ -2655,6 +2663,10 @@ DEPEND[html/man3/X509_ALGOR_dup.html]=man3/X509_ALGOR_dup.pod
GENERATE[html/man3/X509_ALGOR_dup.html]=man3/X509_ALGOR_dup.pod
DEPEND[man/man3/X509_ALGOR_dup.3]=man3/X509_ALGOR_dup.pod
GENERATE[man/man3/X509_ALGOR_dup.3]=man3/X509_ALGOR_dup.pod
+DEPEND[html/man3/X509_ATTRIBUTE.html]=man3/X509_ATTRIBUTE.pod
+GENERATE[html/man3/X509_ATTRIBUTE.html]=man3/X509_ATTRIBUTE.pod
+DEPEND[man/man3/X509_ATTRIBUTE.3]=man3/X509_ATTRIBUTE.pod
+GENERATE[man/man3/X509_ATTRIBUTE.3]=man3/X509_ATTRIBUTE.pod
DEPEND[html/man3/X509_CRL_get0_by_serial.html]=man3/X509_CRL_get0_by_serial.pod
GENERATE[html/man3/X509_CRL_get0_by_serial.html]=man3/X509_CRL_get0_by_serial.pod
DEPEND[man/man3/X509_CRL_get0_by_serial.3]=man3/X509_CRL_get0_by_serial.pod
@@ -2699,6 +2711,14 @@ DEPEND[html/man3/X509_PUBKEY_new.html]=man3/X509_PUBKEY_new.pod
GENERATE[html/man3/X509_PUBKEY_new.html]=man3/X509_PUBKEY_new.pod
DEPEND[man/man3/X509_PUBKEY_new.3]=man3/X509_PUBKEY_new.pod
GENERATE[man/man3/X509_PUBKEY_new.3]=man3/X509_PUBKEY_new.pod
+DEPEND[html/man3/X509_REQ_get_attr.html]=man3/X509_REQ_get_attr.pod
+GENERATE[html/man3/X509_REQ_get_attr.html]=man3/X509_REQ_get_attr.pod
+DEPEND[man/man3/X509_REQ_get_attr.3]=man3/X509_REQ_get_attr.pod
+GENERATE[man/man3/X509_REQ_get_attr.3]=man3/X509_REQ_get_attr.pod
+DEPEND[html/man3/X509_REQ_get_extensions.html]=man3/X509_REQ_get_extensions.pod
+GENERATE[html/man3/X509_REQ_get_extensions.html]=man3/X509_REQ_get_extensions.pod
+DEPEND[man/man3/X509_REQ_get_extensions.3]=man3/X509_REQ_get_extensions.pod
+GENERATE[man/man3/X509_REQ_get_extensions.3]=man3/X509_REQ_get_extensions.pod
DEPEND[html/man3/X509_SIG_get0.html]=man3/X509_SIG_get0.pod
GENERATE[html/man3/X509_SIG_get0.html]=man3/X509_SIG_get0.pod
DEPEND[man/man3/X509_SIG_get0.3]=man3/X509_SIG_get0.pod
@@ -2974,6 +2994,7 @@ html/man3/CMS_get0_type.html \
html/man3/CMS_get1_ReceiptRequest.html \
html/man3/CMS_sign.html \
html/man3/CMS_sign_receipt.html \
+html/man3/CMS_signed_get_attr.html \
html/man3/CMS_uncompress.html \
html/man3/CMS_verify.html \
html/man3/CMS_verify_receipt.html \
@@ -3073,6 +3094,7 @@ html/man3/EVP_PKEY_digestsign_supports_digest.html \
html/man3/EVP_PKEY_encapsulate.html \
html/man3/EVP_PKEY_encrypt.html \
html/man3/EVP_PKEY_fromdata.html \
+html/man3/EVP_PKEY_get_attr.html \
html/man3/EVP_PKEY_get_default_digest_nid.html \
html/man3/EVP_PKEY_get_field_type.html \
html/man3/EVP_PKEY_get_group_name.html \
@@ -3427,6 +3449,7 @@ html/man3/UI_new.html \
html/man3/X509V3_get_d2i.html \
html/man3/X509V3_set_ctx.html \
html/man3/X509_ALGOR_dup.html \
+html/man3/X509_ATTRIBUTE.html \
html/man3/X509_CRL_get0_by_serial.html \
html/man3/X509_EXTENSION_set_object.html \
html/man3/X509_LOOKUP.html \
@@ -3438,6 +3461,8 @@ html/man3/X509_NAME_get0_der.html \
html/man3/X509_NAME_get_index_by_NID.html \
html/man3/X509_NAME_print_ex.html \
html/man3/X509_PUBKEY_new.html \
+html/man3/X509_REQ_get_attr.html \
+html/man3/X509_REQ_get_extensions.html \
html/man3/X509_SIG_get0.html \
html/man3/X509_STORE_CTX_get_error.html \
html/man3/X509_STORE_CTX_new.html \
@@ -3577,6 +3602,7 @@ man/man3/CMS_get0_type.3 \
man/man3/CMS_get1_ReceiptRequest.3 \
man/man3/CMS_sign.3 \
man/man3/CMS_sign_receipt.3 \
+man/man3/CMS_signed_get_attr.3 \
man/man3/CMS_uncompress.3 \
man/man3/CMS_verify.3 \
man/man3/CMS_verify_receipt.3 \
@@ -3676,6 +3702,7 @@ man/man3/EVP_PKEY_digestsign_supports_digest.3 \
man/man3/EVP_PKEY_encapsulate.3 \
man/man3/EVP_PKEY_encrypt.3 \
man/man3/EVP_PKEY_fromdata.3 \
+man/man3/EVP_PKEY_get_attr.3 \
man/man3/EVP_PKEY_get_default_digest_nid.3 \
man/man3/EVP_PKEY_get_field_type.3 \
man/man3/EVP_PKEY_get_group_name.3 \
@@ -4030,6 +4057,7 @@ man/man3/UI_new.3 \
man/man3/X509V3_get_d2i.3 \
man/man3/X509V3_set_ctx.3 \
man/man3/X509_ALGOR_dup.3 \
+man/man3/X509_ATTRIBUTE.3 \
man/man3/X509_CRL_get0_by_serial.3 \
man/man3/X509_EXTENSION_set_object.3 \
man/man3/X509_LOOKUP.3 \
@@ -4041,6 +4069,8 @@ man/man3/X509_NAME_get0_der.3 \
man/man3/X509_NAME_get_index_by_NID.3 \
man/man3/X509_NAME_print_ex.3 \
man/man3/X509_PUBKEY_new.3 \
+man/man3/X509_REQ_get_attr.3 \
+man/man3/X509_REQ_get_extensions.3 \
man/man3/X509_SIG_get0.3 \
man/man3/X509_STORE_CTX_get_error.3 \
man/man3/X509_STORE_CTX_new.3 \
diff --git a/doc/images/openssl-square-nontransparent.png b/doc/images/openssl-square-nontransparent.png
new file mode 100644
index 0000000000000000000000000000000000000000..5e6b747ce0879921715ad64523a2d055be27f075
GIT binary patch
literal 78086
zcmeFZg<n)#_Xj*63W@^KA*IqKEsY|ebayD-NOz1}I;9%~=@RKiU>G{2bA*wOp*!9)
z_qq2z@ciEQFL*DX&oF!DoU_l~Yp=c5cYW776RaR7`RD=Z0}u%G=-t~lN+1xLFY<+P
z4+H`Q=JRNQKo5n@#l#feiHT7u*xQ<zTN#5uZ-e91(KVF23DdQes4GFJO0R7{y?sPQ
z^9P~3Bu-ou8U{_Ls6u&m=z~&S=J#Ui;`qhB8VVf)S(E1muf#QpFrAlVAFS4wdD=GH
zZeJW{a9;B{Z1**}fD}Xq2txN29)b46{iAE6K%I%PD)-hH6j1OrxKWaNnQ$r$44#6R
z{kCAe4I7}(Rq9WSw5~U=%fw^Y=zpR3c8I3_VEeTs<_Q8dhS0_1ql(7vF2`U(I36+$
z#kYc}^{Co4AL!7ulRRjYw28ri2Gl+ReP>Ky>P8ja!u?Gm-pHK)WgNXcCWs9mC3C=c
zl2^p%DdnPLkacD_u|bkBCmcPkxW(M$p}BpXrkDmhksCGo1I!M$*@A0R{wtU6!5FNw
zZ=Y1TwQ))5QaJl&`e%a|IEo+GmC-+ABsE|O62UmN_Xtw7sOI8Q{18dH_h9mcsVI>F
zoiOi<CkA3ce&TM5kEMj4DHHdBiA!-DL%v1DfXXR4FwyS5+LcO?jSjYx(l-;!{i9!L
z&$JG=PCu#a{O9bOc%^HnYTxWp=x9g<UNm*?Yb(X)G9jNd9vMJC&7OSB>0e#6avseL
ze?v+a3PW9d38sH8`X!RUSn3lz_Q?43uHQa{#~71OQL3@*g#fk6XUgJmXdD!K<&!RM
zkVdc{|EEvvkNq4LFj4*R9iZv=-vsYUrC~3&`M!i`q%sbKDo(>qJ~iTy*xoC*e5KfE
z&z!D;LG<-C<sd#$=X3hSj!=i%59}eXJ2_OS-(FF@2Qd_rynot-(iSn_spp!vdjFmd
z6^f=P=t*qfuOK70NDMvrEA|t-rzrHqq(oE*0^g@yKI8@j>gZ7n2$tx`uDkM71LzA>
z*z?j$*>A+=qgxHTFs>KUFqyDBQ_zcwuVMRsn=S!&lQ3wWksov^P*y&__xMimmyY*Y
zEH=L9i}S8%jc4uaVVrh@KioWP=me=9aVc<1AJ=2l&|*kG7ZE49U!Upyjf03pWEr*Q
zQ?iXKX#39C7mm_UG7$PK!P$oe@1Y7Zqp6-+W6cj2UoUG&E_S$Lo$=`&NRdeF=1pD*
zD)r0tTfY^L-=N&j4&pYXhi!gI&$z7c=@O=_UJ%hX!2EVONwSINj3w}i8};7!C+-hh
zlZqr1TDp--MV3R_se<V``Ohu_TYk_n^%{YdOOzu=h{W~3ybswVe>8~)QKo4t-h6!z
z)B7>n!-$}jm!B3ke{Z7tZk}hkdNl>d`S9Y*9U*3CML;{|B*eroFVZkAQQnuK&t3&K
zJMhSytSO-U+N4fbQTqDp<CH%LhP(bTZ|#oZdn~J8o~dAgoqJbQ7=M7xqCiTmuEbtE
zIxDy@NMz6*L>cJOrGGGf!?HrtZpHdWws|M~7sg8zIX}!_xV87TTgOHo>G=xpV0lX5
z{PD*S4u4i;B2|2l&|=t&$NJAPf<+gj@Sl@+zkU;hpA^w2-t&2>i{FS-$!}8}i<&OV
z;Vqp#rkn2pRoQ2G`hdc$>HNnQ{t<7I=rJEj;tkoE5%S+>ky!Z>I?QdxU5{xkDxXO-
zWNAiphPnj><$hW-$W6S{*)gfX6(3@3fNMpo7NGimOoM#<Va7f|G3EwDc=1hY1m{Qe
z+D~G;Z&Cy0+e{ZjcbrbJ8c}T9%YI?+2w#waC0;zA#B0QO(nkE6@B_z}ScO-U5-;Dr
zynC#~yFmW=?I?{Fp3pBn8R})6yvIb3C-63cp}}b#k{#Z-!C&RS)15|Tz0*;mE{Ls+
zuM8c1T`#jv>qS)*CEGRd`@KD*<{MUO^(dF<$j@vs8POujT=enyY*JkQ@<~#fucxHU
zb9KHtDhn%f7mTY=TA*?V@(0!jXh{l*H%WVCXJr}WE*9VxJyl66`7U7`*`pbU&Pb_R
zrLv_mRcKzQGzKZ0QH?B`SMn0e9xgV!s#MXUwq`F0aE^A)IC>Rcx}4vs2rueaDpIjj
zXed5XO3Sh-7*L`t(<|2d(yV`(<z9AAyj{w#<i}WIfntH(TX=v(3$3n0tVyLw^YYXF
zwB!}84D-*G#g(5bPqg+ctIg6z-QPf0mmPW1Br~L8QX=Araas#)ONUB_%HAp$OBb`_
zHM6za_2+9c!v&*!g(EqkYg%jej{A-YtJ@<@rRU~}!!O2P{P^bIz8;`UainKko8FQx
zS|(Gbhe)2M^9t~e@-DsNxRki`xK|5KdsY0y$nVj;yoc_Ame|J>17vzUp0J&nfc!6M
zA5s^%+F1g&0xl&wC8#9~va2NM!rjB2!Y{)e!qiDAIk(xrq?{yU$f_k*CJLIazR(C0
z>?D;S%N`sZ;u=-4sGq8AKd4Bm(#+Bf)@+&*awy~*5ghT%aVv7m@DCRM3ULh83Z03^
zm(De=Ub5)rj7O9dmqeE=YjbM}Rg70GYY=HqXu+z!Or1>0d@rc3vyiSdo?f0Vt!Xj}
zoUWTPo>86Ft(4rF+wwo!*b<P$k#LQ`3D2jnYkxHcUQ+n2u(8vsIKkdl-cdfhyYx2n
zbHTHOa6!(!l$aFd^bxf@f$T~N|8Pc<F~Rk!iZsr_x}T?onEf=9#_`fIy-eyJ>fnug
z6Dc;1HE(N9ZAxtP=Y(cyww<<xC<rOmC{!tU6Q}!#m!B?c%6~HTU11)4mQL9;+w`F6
z$nA1z>sQ)F)5!Uh*~ajvVQoo~J@);DGpnPuJ>!$ybDO=bJ<db;nd-UF0q^n3x$VAB
z&v)acZ_ed<_g>z8i;8ux(bS{d^jjpl0hk(W3?_f2^(y$)#;0xcl)I*PC+;2l*ZRv~
z@=-`(Ji^u`boVptSg^Br>Ggr)183WGn`%3}eZpTP>|1Em8!pML&mTTBJw-@pN(5(-
zX20U1a~D5oBHl=R#~x@HT+Ut|S1!LO0g;Uqz>|;6z-i&U(tR!37X61nFi-H$j`8P*
zUn{>Re?9I7clX9LbcQ|QH0<-o_rw1nrOe2{&ETYMaXpz?UexKFSC<o)t4nDrWYbgY
z0DsiE5-!63$_v${?aJ}ByZza~0o$yZ4R?)*UyNehFw}5gZC`Ka@|5XR2$k}O{f`lu
zjJ~C$!S9~m)r<~}&W+WLjvq|5Ikl<tec>Z>m|u}tu^A-qk{&1;q+7{bp~N*0wima?
z3#XGynq;UZN(gD7b(7WNE|AA%ol^6~4`VW891RfJ+fpK1WBZ9N-Ygy`PDx8AJ1-*c
z5Mm~EuF_C|nJ3JG#d>8;Djd#R;#9wOz&AqK_r8Bp5HBf-y}~K}wAihp-ZZdpo;{GC
z&Sd~WBS+IKJwG6uJ|j42Hoxf>>3#n+r&^^%MakW;`S>CnbLVc`U2;ra!cyInk}!Se
z=GlVAtc%{K^I7{X5ob>QWp_e3iCmcN^uK>#uq!ZIJ2dw0b!MK>(QCXI4(TFz#6-f>
ztJbW`{b8)`!9+-SQ9)5oQN#F~VskCaa_6;awvF!-x<wE3i_18QwKNXBg?uiT9$k^G
z^N?CI!%oa&K92PFQ>Ty>mJ~8o<J90=yM5<2-$;Tbwv1VEPO3F;Z8#4fm6F>DOj`(A
zSU8hz>nMeeOIdn2=WNwi3Vd`?P7|A3cAq=j6M7%%IJn=m=23>ggiX|E)U|B;E`baE
z4*ZNCy=@;2XztwXEX|G09T58vsFl)`f=%Hp*mxPV_PHmUUozoIHbshyRc20Y&UNjH
zD<ZfUFH(!Ha-NTG`S)1$WOan{Lf$|+max~}!ws2U&5R1k0k<>($8@*m-B0KK0nRl?
zek~1`-rw4rvKO+TkX-5Xgk%9p7m9{Wm(z~8R;Ii%`%=AHLZ^~__r=2$-k&y(bH8Dp
z&P<5$q8afT5m=H}!pEA;^v<S`^MK=`>u;CY&Am+<tA4HMTi9^QdAAOagGIX^aJISq
z^r3VWL2fs#{l3$w&*{I?r3azH2ybfd-MX3s`F@ciz3E25orG)sEic2fdi{5Lj~ew3
zB(D39YD#Uj&kfHIExkU+r(RR&m)HWr93ttbu@`G=E8Y5U^~XJ{E~hV8E@tMy7hn{2
z^|rX{2k*aSB_)9x=dnO6cR~Du8H!NG0iV53^aI8AXjgb@sgIW+<i7kT*Az3D*ETkw
zZ>CIw-mkn4xj+VHpy#frqY&eKtn{(pD^i-&Z4RxuiDe|GB)?$zkfi;<S|1y*%oxGN
z>=h;q+w=9|b7?ampa?P6cxNIj3t|M?7$7thQqWzXg#x^UQON#jOQ6t$?)>>ZDiDL1
zgV6puM-F&L{zU;V<Td|!zY`q*LI*zK0x#E0)W6S0^Ub{T-!^az^h#Om-8<l2+0fqD
z*v7%k)-i4i4Ges7|KnRt2M~ym2KhpHr}TUW=zr2&MZ-};R)*iu)|&N$k*$F-tE=@#
zWIrH5SAL*rZS44g%GKJ+#)02e=;@zl@B?k+*KALz{yfFeQs}9MtOAvot-Uc759<ro
z7f*#BP*G6{+8dehE4`8U>vG_e&{H!<$B+DMY%VS?tS+3aw)UoM?0kHDY%e(2I5=2<
zGgutlY#cwhve-C0`%fo-_w&Zs!O-6PqocX44HdHA4+geQjzUkLB5(B1-+#tw>}vks
zJJ~q=H7#I*Y{(;Q?5r=?{^=XIR1o<szk<1|v6bc<b8A3mz&(W7*||9c|GeP;9QyAq
zZ(OSJ|9$C=L;riJs)Mn;n5{K%Q%B+dF4$l9y?OAj3kBJbbH5>r{|NfeZvjaQKM-X5
zXVriYT11<`LOwBnBd-Fy18Ro+Llp)7(f{Wi+0OdJ`KHVZ1QG?kd-F=g6=ieoZY{ys
z8Tv1I$ZK{*#d19D@^1?Gii(?{atPH!9Px4mMHQ>1r-Zc5=*09PkDQrk4RD+%d~CN5
zuMkVPD^CXIJ^E8!(gP(2<~b{x5xSTQ7XzC~Bv*`9AD)T&f>2P=FmR~;ZgiEjK19u&
z9VqF%@#TMx;@w3PB}Bb_I+ZBZ3My)5s{FU3|8qVnmF55TP8H>Vf}$`$r{Qt)o_}_a
z62<-Z82&q$I$sd|3SP0$tsw%3eL-EM|D5%A<F}3|D0ct;IK}@CQ50nK=)W`k>vVfo
zDp1cUnq}nw2!M(T^!?udnF}8g4rs~qQ<dcZ&IkvjdFOxU0#3!m@U<8IG5vqUi{V@R
zzk~A?9RTFYm+^k<@!u2qd#q@p<NrIjf5rW;xc_G}{Hxvn8k2v_#J|SmU)z1#dHw4u
z|3xPMV2*#0$-hAGZ*=*WnfMoX|BJi-31I#WbN)95!}vF<{NIrG-yr_qApRdj@t?-O
zoXNiw)jww9Uq<j>M(`g*@n_@zHxv~W30UO%M5y^}asOnww|w`omJQyp3x}VVHAf&?
zP8q!~mQzmF8W4*sl-^+(K4-$-=W8n`hZFjXgZe(9B3BpBt}ft_C(g5zW-ol&6F&ry
z80IEzh&Q=&Li;KP_;)9Y4^1OAHwH;6c+GGe`nc8m*pCI-p^f{UI{Sl^4udVCeHFhx
z`Rijsm@5X;!vbI5<^n{m?_>B{NdI&ze7>_GFVdN)n7tT^4U1$GxuWkR^bRMxG!G-^
z<Zov9LnLmVw2xQ6ujV7%tX2cA@v$6Y_=P4u%s*a-pOmHPpkpZi=OIbPKfKeQjnOxv
zAQe1rsLH$dZKj5c*}Qs@^7Ee0Bw8-jJkPcT*pFf&3mvUO1o|5kvNas*2(orVWDUw`
zWetL9nV_HieY+(7u_1pplmOB_M_7!c5Ya>=*_ltIABL^Rdf|Q;*9NT<?o~MCW~y?9
z3`G}}Qb?Con=n@_Czo#~%Vy6rSB!2NMLfNoPN2cX0mWfdv!)(hCg_LMWO$e?mbpj@
zQ?^|0N$Z+<6bcQzXn$BfJH65IV55|hskp+Mxn-bUc@CCxTbDDR0QnAk`W2%vM9USU
zp2y;@tMv(dcUf7!!v&A__t%P_RqQjV4xK$@R`^V|weN}>cWD(bh?Bx^%PLkIkd@7D
zSU9hDU*7KCkmTYLlp>fn!<)l!EKhx#!?KjT$aehc_++ComzI6O!2^}Yw|wqzB_P?+
zYo6Ae+e|LPD)G>bO3(A-$HvQxiV+tMNqNQhYhx2ZRa!O#vf9?<`)uD=@sIcK-Rc1+
zQ4a-W=-|Qf>d6W^jA(GqMSdY9BhX<~l}Ag{tv%duZhVHoyDB(oeXLhvxbXQ+af16W
zFnl>URdW~|4+Lx>$}aPd2j?9EJ<ehSYPC$$s=O~XTKXe~i+74#{iFV8=A!|=pnM*D
zPS=RVG2wRGhMbR_D+?sW%{H-(n_3$k0Rmf3$hK>x=gc$`Zb@E&14tcpn~ezU4#IpW
z+ighk+ijYuJHxM@H=(L>X@cuWS#eS}>m|8h+17n?AAfXj!^Lk?<uAB_36DD3@6DgE
zXB(~_PC&B#O2c73r!;iBWBoilQzh0`<2DFDHJ8?DeM|4(jFdAafMq8wH-={p&ik-Y
zG@HB^wCfF@qSuI1C8VEccHeJ03eQo~E$M+ye!jKR>!m;rE70Nk6g}IZOI5uire-d+
zeY^4?168(WnznlOSoGD9Pu7Xht+ly`^aZW@y#0RO_Qzmn$1kRP9fp3Ty*7A^WuIH?
zXKW}-uvT$GSy~LjBV2H9UHBVNt60C&%fmcMc(e35<W9oj;45COL<;b-$0o_l6GyW?
zVDqi<g&W?Q9hE6CyD<6Hp^dWO^E3S?FxkYYUAb6&ZB))a4Yq2buZC70W-EywI!P=y
zDhI@FZBr6L9FVc&o*v1O*{oN$|L*QanMvgx;{>hu&EllcqcrSLlNp4{`j^z()&dvU
z+%&?kV&ZwXM~3ZI{8u0j$Mf84+Rd~tG{LmM=9zKf<A~R@KJ0Er++N477C@q64uZdX
zdf`X=0}(BN*%VV{;wAvc`{(&@Ilie$G+$0qW_U+_TYqQ){YlEqGfi}nj0l<;5aOKo
zS%ds3iZ|_@;f8solF;dr>MyTu&Ccm9AkY&dnDe$K`_~;a7c%fPzJ^c3mf=dad&le}
zqWu05exh4T@SKqfB;{x@?|If;yHw0+0BjH%tuNodvnu$Mx*60MMub0dp5)so$-ga+
zTxu#%@;wEb`R2>UX7-c4t2pB6L??y!bK}+q#}rUWztiO+zd6gKo66-R1`KXU(C6gL
z(#{YO0|zXdR6b+Q=w0MyAhz~MCzh?5Eo7}MlDxSQM)?3iJXOBxs=5Qu70#nk3g=ia
zY+d%)64<rKte<XazNs2f>cGkVrbjD?mdFkFG@QXXA9;T!c0sVu1Lmsr_2KOfWrN^2
zHHp`^q{jCc2c-J(Da?C&s&@HzI{Q&JHj{?`m-{k$nU~#p5ZZ=q_EX*_saw}10R~#t
ztlsl?(d(Unl6cX5p`$P%`Bl{t!%dl6C$0fbjPV8CMEWRadhKEEgD|VNsAEJLrEC1<
z2y-t3FeD-W>PN(_Kpy-Y4NcTIHNY+-BBCf_ivkhh*&LQl8q#`z*~dQESPok=g;@0S
zrd-AF-MO`xvATenrroPacVlD~S<VMMbAmDH@C!5x{r5G7?wy1l2=#M1XNjBQ#i1_%
z4BXeoYr)f)8W^s6#z!j>2@W*yPfS-8&$aOITXu9B*gRv^tIt;&jwus5=7=(QyNjBi
zM_Gfbs?7+<&(bM5`vo1U$rNvyhxH)f27lmrwVO9BmcN>a|A>}HtDp%M#ulO2XK8$E
z9QuO))+A(<ML}G$S;<=;HEY`8r$3IzHh=MZssI|5a#C3k5Xwrp&sGl@hWFWt9zX6H
zmY$Mz>i8e84+^=A+P+ZldjSs{Q#xCMQZ5GCwuB>E&KR4?M1%pi!vo-)(8QgoL}L9~
zzT<>!k>GMlFO3q1X+B^P;)DDKnqI_fm>WO2wGE@b0fUdH%OmExfbYodb}F}9p7x#c
z&pqTE52aDp<Ri5GZqKFX?XTfFwPg6&I6j<jC9TFF{OS}+xqFI^fF>#;AbE&J@@$wl
zr?5Bt@U_B$8^ofgt+j#(wN8w!_PLr)nI>V6>a&|7SpN##lrZmdW*43X`w-Z9&eo(6
zYT6Gi2vI*`o^YJgFzL@N?<2MBR4OV}+bVKpq)}{?TD?@)i%?{1!a;;Tc}&@KWsxKG
z&SkcZK$DzpmB_Mk^64C@>P^G~=4Yk?73Ora1)wE33cnO~+vwNgH$0NBSgh|i$a%yY
zLXcujEM3|tbwqZijt=v=RBb%m<lJ2zk?$mH&j{Mh@JddZ&#n24Wtu^`VO6npklwj_
zOLPjofR)w)k*nAG^of%TbeQ@_VvQ|XcP6bvl2dFS7ZH`BYC6Tp8b;Ku6yQCfY(BDR
z+?yP7HD7JV6X8*#OHP-HIZv~5=CZ7Ss~qhR-V_i95|41DEkbry+QhJ!X9Y|~9n%>a
z0?Vd7D>OWcth3B}OAO+tOb2bARVkc8{h3<zh&f)SQ`+mNH5VK-Hw}gXMy-zUP1>iM
z_6f}bFi>3NA#kXt7KRU2evJARmzG76S@mT^`Fypt;62X=maE};>0zdbI?nXw^9Y8`
z&xnL$fy?4H(kTX*?0Uq_-betWGWId6nS_^z^`+T0|MBMxZmr6&aOWu&H71=y!=hx-
z-Sk)T^WNGITeg-@7Tb@DoE7Ab_;-pO04!r||1+HDCLE5^1uWa6<!z*8a}e0Xqa;j!
zsH$EqJF`uYvOUa7sOel+|I_~6*%S8PU}9(Z;qH;cVC?S;hV+A|wr7hI(^;w^IR(Kt
z2k0aL7z@7wVMMDJtuRXAy+D)oDEEqfLYCucUaieK`M#!B)TBb8Lj#!ma)Imb`Xcy}
zB;~uNQLO?*5Xv1o;m4(Fa?8(eFS#`^NbYV{q3_aRo;zR*inyk^nzbQzt?e40G`DE=
z9Fx_#&(9Wr6tVVt;c(47ap?H0u0tkWQm>VhA1-~vY=Ze&0OjmF(4W}&!}VhM)!56Y
z9u3uIE%H`#3sH#;Uzogm_&gwF64=efK8=U7BTG-Jiw*l5cAnaes!l*qLs|63?H=9K
zb`;ddsF{qVpBmVjskSen;;OR(9u3?qf}LJ7V)Y$ay>(D|8emz^5y8C;l$zbRQv64Y
zOl72V=z5eD<7N6k?NU>3$`0)cP{0EiMa<>;uC`6shMchXcf`^HWZ;r@U!|;rb`RV(
zChC$3<1H_=$V*kll#kj_(s1CpZFn<$L1v`mWg@$-Iv=~PMkbk3Y!R*<ig+U1asBK2
z`iHghlF+o33_M8Dr@d<H@7gnFK0gcGETu(m%KWVwptErWrx)$mi^WF`&|`hs#2&pV
z56i=Tp2)NYa`NzaEm{xA#E+2B$Oy`zD(P*0BGF|VDegD_6}M;`uu~ai2lRa)Yg^92
z*!pg6QXWQohl{F2kRmp#DcqB-l?-@%vlr5S8yD@Et9T665kUa>k>05{PkYNntP$XV
zWMAzR8a6;jTwv_}E)~an7X8{C6woxBM`UdAO^d1*wqPPkH+maE_~^-c1^cx(OK(e(
zarG2Dk<2C-qNc&#Yn`8VQ`+4?ff6mJxL+AD4iE{A8_jnwOAEMcJT5sBd65DsI`cvE
zzBrnx{o+#Qx;@`;wbI1g{Ov@lsH5D^CL9?L7@S(%9Hb~M;9g^7l+$g_8oR#tLeuHe
zaeKLSJ)&8?lF-4Dn3U*bj?>+4W;DrFQ|w0q@J*eAtot{Y?khbN=qyt6)cK<JrB@BP
zVcSZ^CA4VjV(V<in$jZ;Fh}Xu)mA*2>x}msulJ<w`rknzi7v2$pH~cs%8g;Dc(2#q
zX-8A++}I5j6`jMu0bN1`k2mbi8o3U>T)Wbww9Kt_ZI_RM(M>B{Rn@gKUHw*zA`p+C
zQPkE<Lvx*574O&vElp_hR(&76iE_bxfWWS}{jqh%MYdnI*yhqXR`acdT@J32AsxYp
z7k#q{>hVFti|xAKZOP=RU5ZF0k*hsqRWGICpzOH;MyNyp)o9ac=3G2oZIG{~3~yfD
zW9mdPO(P3W&=wXcQl=Xtq!+F$Jwa<=wk6yA=CC<)-p5>%>3maO&*`W@j56=a$ZNvo
zVQx%y-31n}kin+os)zSzhGl6Xg+a>`%*M-2PWH_6$Gf@<>1vvDN84ipJk!R<#qnh}
zw>wi<xs&;-Nj_N8wwAUo80afKT}8E^z6!R2hzz;X#b%m)a<(PIqgVEEe=o+ig_lsr
zpj&3V%<N__UuhNc?qnte2tT>3e-b^Ns#2HU57<3tgq>&HagE^|?ukv?$*PM+9`WH~
zkPJ_Ak3>KGn{-*1(N@SURkA>J;sG%V^R0c|s)?}67I|kaSEw?`L(bocCFxl5v)Q?@
z0TtpjkN74AKcvg(dj3hW-PC>>U-ri4`-JSGexWi34(u+Pmoy`+1+sbVhBFbmxlP$Z
z7#GsNqUF#by^)Xlze2lRgm6Nc8+2$b)wymuM5V|1F(^Ytks^dd<nHeo9TZCVryYek
zs)Z_*t0Kxd!C9heVpNoOE4*)l<rkNzP8=Y9w?OL$yihOGv%?<G0Bh_mTx)(xy=BEm
z33OmgY+))rGGS&1mMVc}b*pLT!M?GQ_qXKuRAB`*vw@XgWP8KMj`2#hG<)od++f89
zs^aD&fSZ`wifFkcByybOo%g<)>TXKgv;^!aW!~)hdt_*5WT`@YYaWF8$|ys0wk-sC
z+m+Tm`|MNG$%uK@Bf;I+?&cM7)G>mSg_JUQ<DH|3NSJ4KeW04-wTZQJ*yX^>hAeL4
zTQ*vg0NIx~Id+J8pz(%8Es|P5&+t%Gn@Fg~BOpHSh7P;59PN&o8se6G+%tBncNHye
z)(q`#SyR0^L!87c(X{)%=}pJmwTp>XLOfnc+!GPmWp&ghiFTa~a+$msqbl!5rP(B4
zUeleFE!TP@%CVQVolIQ8c(yHhn{d*oo3>1oD4!E$Xjj{oLf`vB(PY{3%AY8Fdt#1w
zpIhrCCpQz92kJA*Cr=V6rudZo5spU3lk2U1oT?QDH&;%<9L)b1G<O~;y|^7ZSXAj$
z)hTi|onkOmm8`ZwEP$6E-0G*UOHp&Qr5q#1WZws{aimS?*x_!3I{8oGWU;pfgx}=_
zIv69$kc?zWhU)uVeNH-^I<6Eh{}It(l&j}&qW^0;#=R4-W<EAa0!cblimZ+HjTR}~
z6q1S-)iKJ@VO}b6yG{L<p988CKD}PpVY>Cl`FmH+&lR*$O{-wf<~{7*Sf`c#Ug10H
zoG~m=RcAVVdGCg?@fD>&vnK};P&#-`vs!a-%FFUh(nmB}y*F7`HETu_zJ9NAFmDY#
z0l+=y@Z>s6b&wp<;ozH+keh6eXwF@r58dglZ^V2jS5jo^<`-uU{djb<&Zd1WZ{dtv
zwsfdDI9<~tdsrJj;>F+X_LUS~(%n=-dzz>j(4RnMv+202&&cWJ$|nueqVc2x^)IIc
zwFQIbyFf6?Is9vHqnJ$cQQv^1ASbx+?G1U@Ga!5Td)sz=wFY<^vzh%4nbE?odg>vM
znzY623H|Oj73di*c3gAzMZkfZ*JG$iQ6-=Z%?t{Wt!&nq=ExLrZ)f$E;Ly#v>HoQ(
zl`zBH*B~z)26d%{WJ*$f*0{&RC?;S^Oe^-dH^zbSTNT+4O&WGY0;Sh;Jcsea9!o>W
zVX|?Sn)o;i`26fR6xh4Gc(RoCSCDcwX>}B1gYWq7ZdfOAG<zaYxcjdE%Zf`If*-}(
znI%{+>7BRT9i6Z%M8Mzgr%p9nhq>>beh*h40mo}PY`t8rC$n^~h2KK29^l!#q6tnS
zPt#kj=YP}LEC8XBo(r~Iv)tWrYw)qYH^W)w3=JMe+PN-a5jTt(uZl7Hrj{-dcBz86
zmYZDQzqe{wYd(Z`ZaD7xYIs!;a`TVBLhE7pc<$z9xU+QG%V!kcspXa}ySO7=Ry<se
zb(2^Xoxf{O0MhlD?q;_da_Sz`tk`l1xs(%OI^`#L`^y&Wr>1v=fYDyU3`-mMfVq@>
zwN!a>Q#BZ=qf$Vt=VdJ+**xZiK3BUQG*61SO)@0YgHB0VbdbS+W;E)vdoap7_2g>Z
zxP@FtXER$k=f`W>IbK^gAQuQ+{~XyBxc3Z7zLIwx4wI8~jx50vtYs}>Z(4ryE1EU1
zqgRYlt~rI1f)t2&znkqjG2XHyOZZ)~pizgSe#1>V%D9nI3ByOOmrbPPD^#d)geNEc
zyo;5((<=30<`J;7D7kX4glBnm8RR!tMIiyr{xK*VU}AOLjaGiIlt9uwpa4)y^h|s3
z`~?m8FDGjvWlOhvrt^p>thqg1DvMD3Ceuho0M<bhC2|p@*CXNKA{gl&FK?^gkgO^C
z+4AbpDD?O#*yp~dfVa+qp7sVE!mc%GrNe#3CIfkg8@N%l4vm8n6n=S<y;^s;ytG%i
z`%>~DF)@>Mtzvkj3l&%e4GC3h^I-l3v7A%<YSZttUoL(J$9N5f-UP$>p{PmNz9Fz6
z!WL>-H|;97(AA%|qCGT);i7SOy|0%NR%^$5ROefi1di%GJ~B7T@KEUMGdzRi{?`a8
zxFAPDu3vk$(%Ysg%3v$`sF6Be-*hfkT7?X3asOfS#n0Ny#)={*nL3yGTrue6LQv@v
z#klLualBQc8bKLKkryFYA+L3b{^mopw4TvIbHOW*+H!rQ?Fh5-J6R|yi?%NM0PnOr
zi-Ja%$bY!m0ezlm?ww3aIYHI{n6m?4Q=!oK=LCH`*<@>lE%*~rDyM(8?i$CO2h-Y`
z;!QO*#_w_jIRZ3Wr##F{U7~dTQB@oNhIkElLLEWnf!7rzx;v;>Bbx$2h+L;yLCCfn
zwKpAl*1E^@UfeVuvC>o(C_|Xo*uhtUE{qAv;hlV|v!MoCYT6U48t9L^KDDx#9tQ{B
z(@VE1sNhXxVs%~iH`-9X<<NU*qNYHrAry0qQy$wuA5~EE%25uxo+hzEuhcsjM(^HR
zE!^7_!sIoOciV7Pyw=Eu5Hcj>--?uCb%1dwBsi%@>U*Dj`7O##{(fQ`38Ih7))pe3
zMUjA|8^{Ttp~Et)n*N5M|7RT3QQe@`xDSz?5ORUo_B;v0K9w@PRDp}r#HLq%q~r)H
zR83r0c=v+c)vI$_ZTri*<>37ciqBSF4{kmdA<BowK?2fs=?UIFk>&lfAFIaR?Q-?9
z`9JN@clwV#5i^~uF7r~=2hZ3V_>--^efWOJ5O&j+<q&omfgG)Rm)U`2N=|jb?rCK6
zQLct_NiMhWJQ(de?ar@Orp57!!MD|${m1ic&LX*{|1W*$fDVQ?%ES?K&h%B%;e#+&
z2(8_s_3`M5D>`mhRx7U|RN}bp*@E)iY^=~&lHyI;cL}!(xVqK&5+1RC9^acc4c{C+
zT%BC^_507N=w<@H7O?0aIO4UZyIbH1p}Ljp0@u?=)qz%LFOP$3(!DsQ>iFSbKCoXu
z4W-r2Xv2t=dfyRsZYVm@F6DH#CXApEk`E!=I!fN&e~EI_lzyj=Dgdn>>-&U9$f^gQ
z><>OKQP;6;Uv*y^dpDj-kD5bxQna(O_w8^z2tZ2Zqhe#L7nWAd#*U5O^ur^ZZY2`F
zvjTn5A3|ko{(`B+W%m#9^2=LQq0W(ci0150Xu@9W6j>huk>LJohQN=vBMK(uNCq$m
zLeJ54qM4VI!~&s>nA}p;!v2rxt3-DxL?Iq1IrZco@U8OE!lE3l^!i&?lmjetSJdm+
zng}6yt<(J?ccr7Zq)E=P#eL`?wXGbDgKY<jXpu~CQVU&#ax2d|3!T-P)eT-T#OKo9
z+HNXT0w_a34F1KED|nGNk-<j5MTl05e25zIbM#GSG3q7O1~Hq^-g`}G@%nqqs#!)X
zzU#%pZ5xrBz5JG-0`O&if?gQs@hrFI2_B-Bmz1r=0I5KLm8ED|>a5-V4e#aFsp?EJ
z{c#swESXU_&hC6Gs-ZyRzyk@{Z?z)9&bwq@tJ#-wlzSS{RSY4bb$2@>Nywqqvz4>$
zYHp1qfr6w!T(7otx%Ji;1dc@mnAZQWtr;(<o3GC{PS(!<Odtp8`<(H4UvDL}#r^c@
z(DyIOHBGk51#%zm?E6*~5UazLAYg$=9QuUh`}klN>@MvA?1P^$ArCqGqLeHxsQ=?F
zq?n_UK&w4~JxK!W3A<#!T+1+P17yBQu59W@#M3A-aEyx?x#7H*K=%NDs>7?|3e}D0
zmdf~m=7pfbWQi#OB9=**jGIyTdgt<FFB{u%GcOxnG}t*hEi@joFz6Xh7#tAFLWs#)
zZiFQNG#sav42GA~gX)MhTHpNT`1tU<WI&FK&LxZc$C5OBchOVb<ce#yj{el!I2_{9
z26aLA_Nq8y_hiHB=@zlg*{wwLZPP$2OnlonS8x{?q)g-*zvc460iZ2xcPA*X8#xR*
zlOCu`jHd9Jq&vkYR$Xo4l|>|0ef0k$Tr>x5-s6K&<MCqG$xd7X97t4$?ivc0s4(C`
z(|i`h4ZFwGLUYvhIpcLLt>xv5SFQevgGSRuX;CwQ>i)=*yU8*@l*I476o}BY(tL
z57?vV2BH(J?~aDQP6gQgUQ(yiOvx%_-GKyBcC1i(;uwmY(svS+h5>}R>2Cid+u}?)
ze6gX7R_391p?7tVJLljNhXDcGK5iiK->@^B2*95wNR+bB6GUV1gC-$DJYJ7B<j3c5
zQEQAa@0BfAc)`N%_=r4YW>5qVnZ>qFtu|W8hrQo6`&q16+&D~I-qV?aFDyKsZ)C{F
z4o=3n(8M@_5?!&<2jt;3pET~c{Fpqc-eK>iY&qpe@;z<P=RRTjKBw&7Y!{m6+20U(
z{vv*%%r&nUt~WS4nJWggPCm3gQEYkTmuQ&ob0ze`Hd{jR;cFrd&s~l8<q%7yXhUEd
zM}0*KNs+A?$Fv&8@~+kY0gO1+T|Ze~PzqN@(dqTC6gz#1<7KkvQ<gvmBGe(>m9={s
zpW6+Lt?#o1Q<v~mI??C@7=8jD{L)p1W3|TNYXc^pU>Y?|?szThN9y9S9;h6`db=<V
zwntv{dftv^)QvLxA<KohY&A#x<r1MR*-OIbs)sn|kMp^~i`XD!mVo}sYiG&>(UFKf
zA6f1n`7Yj~NF5`HP}kXCqw!r#+x5A6hO6=HQ~yZmY2*~d!7^x~3?iy#e&o&(ULF}q
zkUDivaP))JA@|;stdEEgd|vgfoR>`3`Xhm5O{BI$%8eY0Q}o_kxvm6eAv4Ss{S>`r
zO*X~f^eWoM9+TlW^Jy?ZIL1_7fenWCXT6R)gMJ*F3Lhll!Wqf9BM+-B;n_RNsC#FQ
zn2q`;X1@jeTd*aXUOb)mIE5f#P40Q>h{vZoA`5(`l9pG+O0|qORkGUnrBsC?O?i%j
zz*g*e8Wjv$?c|gT|1yzt`Z@dvVBk_V=S!JmjBx-zT>BlW=ucJyOET&X)OS~1$bLwc
zP*M%Or>kFGPD^e!QtcskrWCE;!ga9Vx>WvUcX|g3-)LJp*PIQJ|3jz5Efk0g`Z2*n
z0h(5?`m3Jr%zC*%fuz6iuAyF)W6y7SPRWI5v1D7d(pHs#?^amI{mFyMO@It5;mERv
z2?`%(J)gbcHrZji(E}A@zEW4QL+%<g0!!OD{&AZsC(TYS3}6-(jL2DBV4c&RN9L#V
z!bqfx8>M6~$t9_3P{qnxXl(>9W1pYTY$c|bL*|!GSKE|b<|yt&3e+25-O=+YGcc65
z{56qIO!y4*IF$5s=-0{VIU=vhBX>TdW@ls}*FUenWX8Qg<0tHKQgTBwq4ovs;cg1L
z?8Tv~gjiqlk?@)wgpP&BcBc8G|15t@^O7ZM48h4pS<B)n`gS-`z{3b43JQ)XukSmH
zI{R!mWLuS%R+Te0!yi9)YSL?lqhXA)BlQMqRo>kpnUTxGi%g!Mwd|ST$M}$;pkA{m
zcxLr$Zn<0|i11De-4+U)gfP_+afU^Xpiu;bHw!3SiOn8k3}?4FpxgaTUIVE(o+p7z
zM3(+!*Mym`aVK{M2yAohrhFnXNoC*I%J;zqmuGlBiNr5eqHq^m=nnL`;_Gg3I`3VC
zwrg!y_;5|N64*I;(8$!CM?N@q^;jR6d7%CfMj+yKycO%x_e+3mt5Lg>`Qn@Thhxm1
zUz-d`qTY9-v3<QS*YZ{yj|$%nv?3{cD9lsxPe+w=SIOHQ7P7$;TB;tm!hRTs<tyj$
z>$AqkT^h!wClA!^gh}LQIp`&XU)C;GsTBGyju<B+rg?a*CkB*b8M*IQz1*IBop}07
zH39mKjOqCCpq5qM*F3GNQ<L&Ta3DSf1FZ5Z+-T`HdP$>|xb$4Z#F~HPy6VvaBcug0
zM7^)+^dN?yiXQqaWpkXTny(h#ktZE*C};@ykoOj--RPp(FfTf}sShayhYID#v!Hr|
zgL?x(qJ!4e^lLGE7Cj1{jmIR|kBZh7#`sHrqA1ibl`+kJb-lD0(@7B!ak*~VoqRL_
z@nDMpa{4A$Iw{q2mWz0?f_g7Klr=rS9$Y3Ig`%VDr8g}y>DX292y{B9VTA^S6BT`=
zi6d|Ri8Azey!jLZ$U#X9dTx#3Wh`raMrGt$eaJb0tY>&y&9^%AK=r)_fG;kTsZK$w
zIg*sY-f2wx38R&S-2;+`L2BpZFH7bc<ueB!9BkOHc0eieFm@snU?BkQ&g5neh#bkE
z(|eDoZf^kwErcmzO>O%FC*Z-3&O6l5pQzM6HT%*xrbmS7eUe<XnC?xqw4Kekl-|pe
z78wR`kt*9CVo1t>*%w_3bPUWzFccxP3XjD~YneOoDQ5H%Y8La*omnQ;_s}_=rt}eL
z7;m0af*v)Metb5?+2c?avCbL<<Ybrxca1C7DNKA&og{u8?Vol2>OH5MLYN<mJi&}#
zc*hNlvs$FsvXWKDU9Ysnb$@_50Xqm=&#O*H%)~p@0B7p#mt46ulr;%KQ}(EF_xDaM
z{F4Kc!s)jRHAYwh_#iB;!8uZu$42j{oJr_?&YjFhn7j=0E2Eq}Z98W>bc@Yb3AGO#
zaks_;9T{~VJN|xNc826Pa){mvgX#}Ag}e1kbW3fiq+1?_iDq)4%Fo$ZJ``-0G?x=j
zGZoqkvCQf|Ba>Ot%=K~w`d(~8pU!Yxuf$9n5JEzO1<F$*c~2vRV|w8LMRTix^qZ7{
zK&bmnbwS0w0&YFeCx<Lv=N)j~xhO63x&qS*XAj7>kb7qsXWUgtpUMy;IjCgbAavDH
z(cI@H=RyU$-OAk+LYr+*Q^w8iF(f`f#y7(s73DFdZS3*iP(hLEdnbbbsRTX+X40&h
zYjkf;S>x9I_uaA`_r3=F{aXNGpOkQ2O*{67T{5Z};tmj6M?#mylkd;dt}dMlyp`8L
zW^v)X;q7M$+j=yxuyc;>`kf16@0tFbr^OB{x|X48<;nn>u-Eybw(_xPcn1^vQAEms
zpip;Slv;MU%;vP&nsL^a9i7B3*<$@SRelg7DK<cWL@Q!9T_x8Z&Q>fQXZWyA5xeo(
z0iHYZ^1(GlL8yA$k}=ldD=JIm6ikVlfuA?qku|c=-leN*LKlhF(p;yGif#R4P$ZNh
z#Wqz%)`zG9{#X(+PL6eY-Wz>c1E^woxzeRri>pZNqP(lm<!N5@>DU+^ku7okIlEA{
z_<7R?<15J76<~)A6cEZl#%#$=={<y0_T#U5d)v&$d!qWD2Onk~&k6vywI^sq{ewma
z9vz~-PFOZs1w7l6If@(^oz)0O^U128l7Pzj#gb>3V^ydF2>b^cmY$RU$;O}vZsBT1
z4!&)31GJnjwy{+3o@ln7JG%|rh2!zu=QaO*nv5Y1>~Ci#DUvhkbP!KWHl^jy8_ORN
zEf-2UK0Wt$yR~h{Wqr}=^}H%r3=qolk@xlo5=6Ok7^ovr6m}VhUNw0@Y=M(WEBQZ;
zZ#Cd=Pr1B3-JViMe_Qp|x77#@FuPd#J|)jHs)4Gx;m?aSDL}-Y%Q}?3l*|61Z?yoS
z0(P00Ds*xLsMF}k)Yl-#g$g!^mBWB0Q`5ZD@F^bRP??F&A)4_%kpD?H^Vwr4cP_Fn
ztZYfMpnb8~xdA^@mM;VVeW4S0dt#Ot$j&v452m!;-zNm={*@AD7&2)NSd8n2FvVH}
z)Cql@C}7l($p-QXGo`}$yp6^ybRk_&tWq&lucKL^c^`8ld-Af{`GDcWo+4>I^#>?J
ze`Ql<9S_eIEX(9PpTf`mi+rr&9-BF}{=myfR!JJ(7g~Rmm!@;lHQ{t>!{Ika;4`Fl
z0oI<c#z)QEPp1IF74BolVM38Tr!l)ZOdsgE$A@|<IzHDFEONuZXZ3P>g=_$EuONW>
z4qX%$Mn*Q5!dsLkXL-u(fp4QWX&`@Wl5eb**ZW2Ex?MngclcL<b!f@tbGh2B^yq{*
zKy0qpOomJ0yaje;*t%Y-v-WBTQc6VYG@b^)ZB1T>RTv<vCz@i$7dX8Dl1*m{o{t3D
zP8!r(<NGJ&iNGl5u?2B4nVa8))3uzq9`|}UhEq156?U$C{1toG`DLTFmBY{%<@p~1
zfDH4$AZ3WmqT$t8s<w|yd1&lrKZ8U@O=93A){7P<1Pr!xW!ZI#<+LaoKL8Yky@Cw!
z{d|<pf&+1NFy~@7*A0d4`yo>L8uSWdTig8UXt#Wp>&iQ%nA8jZ&<Q&S_zH;cwq(a-
zo9e^r%DX(4H7*N!8g#k3M%;zc)Sz{{_LB00bxW1(^=sH+fq-o&SSa%Jn&_hRIjYAo
zzYvfPtcgyYd3PTtzX2&wNDBLrd5v^*g#!@3Oe8_$X!%e=dcs<Pq&eBK{y1BmyD3l+
zq_fk9NmIt;56VBJPBT1bl~gI3K-ScO=?-@K?W#t5YW9nP;1kPhFmf!}R;~G!1J_SW
z`G=v>4bH(p@Wd{uyVMYOSTjR?gc#u^lFh{dIc>XWhF@JPdY-}iP3xal>R^^{#7%UD
zY~-Ap2icPl2ZF%U1aJ94?)wFF@J6ijQ5$HLV|9AX>{4D?mC+j4DWU65VK02V+3TmJ
zeJ6=wYY_t2#K2l1OYM%fyiDReSmygGT$kcmyugdR9T3|vYgHoG?JJMPy=_UgOOOZc
zvmwXclEq*9ta7>O$%N6bL6tBPQ%S(js}=d9vu;qjq-I3olxl^me_UA{>w(TWN^&K#
zwa7z?sLH<FAAJY@dMA^J!u!P;W%@E4#{-*!6qC8yHBE;rnO1=uOlQ-?P%2bl>V(BG
z(@YfU%59S5brc<u@EW9&My3aI9!O#bsu`s$7JpYUeOtNTlyyqsF~0rI!M%DhyReLJ
zw>H&Top)NxaGxa`?!Tt1szrVYOinj)n}p?fs;tKt)2C2Ibwi-EO1$Xh?@!VemyL37
zeMRT+ks{k}Zh-G)k2GR>!=M@Ab;}toHl?Jxc=-XMJtEd3rY8==@8^GBsjvXc`BE2v
z(YA#ZM-v%7a*d2_m)^NOv70FrGB36Y?2KnB!@qx*94|wYq6SSbXUdhgFQ_))Zhy8!
z@09hD>+RX=GEVb&qV0Mj<AI&gz4Y56L^SDcG?s6A<7Is9*&l|zGD=kotQ5Oa3q9a7
z)tM<hwDoVT(qfbm-nv-tlz#PnX*ZnrCylGDW=0c*&`}d00{6CqR-`Q!e&-OFxp<aM
zR+cb<Y4cL|;(}s|CM-t?yY_^@N*KO>=QGV;1HhKtZmfI`Ny|$yy=V_RT&z3~keP^?
zk<$KBfkzcZfLx{zyn2)q8SYBa@t68;0w$^Exkx?(AX-8qLz;g5D%3a88<_UMcH<&6
zYt(obC_@9{UkPp-lZ&YfY+a!Y3%QbX3}#2fU3tHy@ps+}Mm<j*r{kGr?+>I?u?R`8
zJ0Gaso6Kh9ZnTr8j~dJK%fSJ0TUR+f@!S?yPD|r`aJ(oeGVEa|SGAMctQp7GYrZl4
zR5X(iDX9QGAK6*gvq~R+#ZU@W;jv0#ImIQssn5W#I?THtt-S;=YV_vb=s9JCf4s)`
zuT?p?NM7CUaxq4br}2b%)8~n^nas&WMKtM4H@CZ3O*@q3%gZdi0%lp+O?#`)?Ce(j
z@Ji$~tEj(uC6o@IMR6gB_;RiQ5vu9bXgW5nPcy_312o0U0kaxQPmvE7_{X~vr+4}F
zJk5*Cr<Ru}Cxg&106J_9M86~{`@q+J-&FJ&4I#aE@#?16bi8Y9a@tj_N5GrxoP>g@
zAF6_kaiDy-_@!Yu5NS26BU4hWYn}?8ydT<H^!HOdF-B9|mREUp0yIp*x%Y<^9yI`^
z0hmAvSqL5p^DbH-c@j?mUR1^kl^5vii3heyW%6{3@!))eb)&#f=qF`uWuVT<{fP(M
zx*#rx0u_zpd6Xka#ZhL7t^3`IqlJ&TTzy&D{ZV5u^a15kBlU2keLQ^7juB<(KLqNP
z8;u(KMcq!+9XQmsrL<R?bD{~!%SALFbtanr_&E<}RPC@clz>io)P$A^lf_sBkCj>u
z0Kf;LZiS1<)}X^&c@nLd3U?#a%HI(U2~hMYt;;69kgdN2u*&Y`ggyjdj5|+0L2BDn
z$upWn82@|_;^3?(W;=bYEVABRfw|>~KWUXZ&Syq$4bh5(2-&<cr|X$AR4cVzcLw=+
z$F1jRq2w0fAh6Pd=j5O|)cjaw#4K9RvmLpG2bs;KAV%yX6$x{v)>q{Y6WMS$uU>|$
zJgxeb%v~lrTiK0g6ny3m->p-}ydzx^kjF7zY)ou~whApj?~y_FHcHiNlPyb-(VIop
z0Sr@Jf}kwg-L#`(_bf&psE`aV9@|%6G*Ygg(4?_QnoeXu7ag2+P}iBto*C^q*7Lus
zb5~{I{tH2H7$z_@WQ2g7$vJz69&Raf>ZJ2)%QPd{;m9`QYg@sw5I!bLoyt2)>7@sm
zPBl}k)f<i)sV=Sa+o#GuN#r+v1EChvG<n8yJH8YR;PxefkYrA;a3tZP5%SGBoRFpW
z>T&a8Q>&i)$rsmc@Hq$By^>~g0A6?dMh^}jU`0uRxYqEjLoG8Wuu9+nJDoO9NUm=H
zZa>q1Tx2!d*pdAbsGoKF(;8YSEMz~+%Q?lKV9@1Bfr@9*p^iM;>5OTIU-%uRr7Op7
zPR{!Ub|MSjzV8#sr%HiTij6-TCmdInJ$*wyGo9h7W%Yf7!YONmT3v^*Ce6cS*_}mr
z&a}Nv$VzR>Xym!Y^|y~eE~;kkNhHis4EInaFUVl1Nf+8)=<s&xSQaoQe{uU)4cF3<
zo4C&?J%7RU&t>a@=K%l$S{SkDh^az?g4&H-aDwYyyZ&G(P4Ei)&O5o#EL?oo)8Q|8
zwmhlt&4*V$(-|~NU?x;n#-e6M^Julj5Vi2xDAZneBfam`N-C#Gnqfr#b=mcRu%ut2
zTeT*<OynvI=6y=zeYS8OEYig4-LaKYuHSjWo<W#yvj1+OnGS(0SkP-@91%XeUo(dn
zO0Z2Cv$A!#ATM*_Y8dZ6>sjVyI3je!d>R+T&CPJd$0+>yu=#50OoH>U=$X=eUw6WE
zth$btbga|Sv>HfjI&{>r;AJT)syDGN3LuUyFcJ`Py1+=(DLho7`-p^&_d0A}M>ESQ
zqT%AYdhdAI0X52ag{#-nYv(5w{$%+B*Vk;Zzg$o=3%~Ht&vsS2X2bx`S+F3>gqiCv
z_Wa3+*;K0hifSiTU0}iT^R6uOK1)l)hizTNmjl|Wf*j`!EKL$4t9F;NQ?^DA$S-#K
zC+wzK1@KW@hLtCul_Y3a!sx2`GsR47eqOfo!hnY@Si`B+zh3VawwRt}tzcfuG5yiW
zU{io5Dyie_v>>cZ)(Jc=MJ!Y^|FoI>*jPyi;OYs()y;52nVYPbYdaR%VQrxuvzW}p
z4t<>ReZtUGMcZ*r!vGSKAmGukXWnO54fLfWw$MnX*^A4H;K*{y{W7xjNVnsyuV;lN
z2F?PxrdH+0-c?TgE7YQy5g33L{GCsJp0~L9K^_7;bs+PdNBr^IcT`JEr>yQ*ac#U9
zhtfSXpkxk2$c8mBlWn6NmwEL<M;@81+u+Z}eV`TvN+vJ-xJ+1>S&#JW<3dW1r#^M1
zQ=pgu^x4mgFFgkXJHFWwL65O#1)B00PIm!S<gebEq#@L`IgO4~4M9Oxip&CG2D|;+
zGfKQ^vz0j@$dO~a+wPdb30V2|sTC;yj1?JghMT*fXMfzt+{8h8Ch^IiEcBv#KTt<A
zURdR0O62!t@!1y4)xxzA@JDrZ*z@-OdGk(ef|mn8;U0J$IoqbA6GOX&FX(D{8Q-@&
z)-SQ4ucetat9Kv1p(;ZC8?!&}rQDfrP(0cF@XitsbjgcAR*q~~jq#6LO<63$i>}Y-
zdb|#i&$tD(@m2xPHVt;z;xekgGnd?U9y=_5y-=X!HXShM>ZRjjk$jAKG2=Gh7KhpJ
z#Hp{N>iXDH^9tc`48sGGaT1=F##-uOG8XPbd_<ko+SZ(Fy#&|%z?`>s>7e$q6A{YJ
zv(*N)4g}tb^*~K?maBXUkUGd_c51xpfGb{fY41K*Dz^2eN;@P`5drTZZDr2I$*Q4k
zqt~J&L63;B#PcW?@ZVLm-2}Q9W}>^#P;=(dL?0iTq_89t*}QH9Du+4@n2I$l_SS@b
zcC!uSXFUxCz4ssOLJ_C+jAp>k;)ka5njYWRjFH<0>Qad55Z`1k0525N9M?BNwq0qt
zX}5Wwre*pYpgSVYysHPw@H!6!<MEIxMHz8pn)_f>qVdsGk*5rwGXQriM%H#ttVTTu
z?!OLEFXMuhSQpRK%kp*633RUbM+QBrTi<itJJO~-_a@YvMTAvkYo?G_C=`<3$9ek(
z00*n^n)$F1=Xuu0h1aal4#^%~xl}bjRp0}Y$!!osKB}*_zbo_MH&8kCV!-{NfT2;_
zgKc67l>ftX9|AmtLc}t?MNmOtGo4zsg)9q^EN$X<;B8Hd-#^l=m)H>Fm$R&qY4mxw
z;s;-9ljK+Wf9QJ4fUNc>YLpU0I+gC0Zm9?9ZjkP7r1L=#knWT&rMpX7x<R_TySW?n
zy!V{{eeXy3z@Gh!nKf&z*(?MT3DSCF(hO^!P>yn@c}rH%V;|KjBQ7h>0_kYVs$Qk(
zdStm`3{&8C&Y~6i717f|PSKjIbs5mHQ1kK~@4G(bMk&qF|GeS=ezaR!{N-_~ADtLX
zDlY~DK(b)YkGwS-c@napJNbT^D=2@0>cRu%yCylEL~T<oIr;qT+BJYsZd%QE3Jk}v
zb>JBvU`?2>n}Ejj%Yb8OWFy3Nb^9JjJ9i`3e3WUF&a0y0AA7{8y1!DFau@`RJ5(1O
z7`eCBrh8Ei{c829;KTPikooM<$0n24q70Sc1~C3z9+`2LQWs=yK3BSkz5$pv&S|;U
zzU>Fp?yqg6o<HCSQhA1s-nWO1T%Hf?g|kxXS9A565oXms$yZdgbpAhHN((K2^|}hJ
zP4{ue^@w{q*ht2<NpqFiu}%9h4V4jwKy+a-eskPD$n%=|DJR~w6Yw~29s&Z9>&Xh7
z6tCir+)|aDZmb`|mDtbS%eC62ZusKbpjE>@r8!mW7Il2r&3a}JKiKbas$=fm5jR!G
zLXDdg1lf61y7~(j*>ft>ljp}80t~>FnZg4Y2Th_enwlerb<9PXy^Z|CI(AsXC9>kI
zJOvr<G_!YM=uI+UP{8k{4-YJ9F^Im>n=v?gFa!pt`bU)M;y}hQvNL(co+qPlaX6l|
z*(LQ|@%Gy<9`Y*04w_Wdpfb8riZHwMnj|WbEZ`VcDtSK+r`j7w><h>ger)YGsDA$;
zs>@pbNati5X~(Oos>BCB+m$g7!1Up20Z1}7>R1AlN?+44YZ}mj>Z>!8y(Iw*mF{SH
zsl?sL-OzN#6g~l7eM4ZJBY9p^2Uz~Lr<VXhN-*i^ckQg@E|+9BYq7_5J%4Uvbtk~O
z{{jjNdwbq-^7>*comQ*s30b#E(YQ25?rw?G;wG*E6{7mxa>h*k-e~pPgv*^^wX}Ih
z(G}Rb&-o<APIUbC`8`OrCMEYMI&R!UW+~mAr%zvM&F3yhOOBN(G&^&}oWoZ+M`^5q
zR#W(#@N4%&)-C{(OIi)3s=F&N&yU<4hXGyOJ2%Tt2MWf4GSU;m(PD*iBpuTRHg&dU
z!lJMTFmy{5zr8>em&~}9ai|TOmMO?<4f%CB!hj)AaDFwNduzK0oe}<87uV9N#_juc
zw7}6wy9zZYc8TcE-S{yTG!^!yZ-#-cPBYmm3(arutY@7|-(P=JRPXNVBYvXRf>%Do
zLzL^MjEgwh;)9rN?m77k2eHpnyd(bja0ho!cG$H1b$xF>=a{Yfk}5U%w~2`u$#)$(
z0|9waK!@nj6<6a)LFAck{Fo+w)I#~BkhO&Vt*#BOv<2OCzg($nFHsBfK#rG!<5%;-
z`eMQ4^eHX`yLpZN{zr}U#M06B>fN}mnC2@056qlxU!Sf;u&8+h4ayg#R}nvl`Yy*t
z0<(1!graF(ItW~nu1!h4XQ9(<w)>$3O$VSz<s=7jZzgdLxvzgothdX)m9%j~0-F@5
zF(SXaYX9)@jGpeNW}%_3yHP^>q!r4<F1O{K5uJ6J0>1sPwpsq-Gc@8zrRSF^l;h%f
zZiC5hhJ9{7e-oJ2`mJo!yyW$HYPMIuB2%Q^@UhtbYruOtbGL4d?1AW&!+Uax1H4|I
zD=naf)v)}4r=yfFtrY-wTz<mPNTstO(7#u?Rq|Pky){v~xX^Z%^qn>fagw_t-THL8
zcWBF9RRkcaQY4Ml9F4JS5RH{*U92-h&<0o%Fy4y+b594svs0JLUHLhw6DEbvVwvUL
zM748E(TkhvsX7caVtKOX;Q#R=hb7Zp2s-VcmFCtsK6<{IpMHw2+sitOwmS5mI|RlI
ztQ1dYPq87ar%%deO2+jmT>5t*x=^<PTS1@l4FY4O)p-L?@m;kvGE+6E{^XU+>b9kA
z=&#L0Lx&Cb16?RX1hwu9^HvW}PH!!A%C3yneX;aV_sRjqa(Cdb4yxDDK9>1t5lWR*
zSaeBCaUTP-yCH%Alh{X+w>N*WmCQ5b<G${g+VKO>;Rv4Ne#YR_UlTXSYo2+gsU@4h
zhDr@b$&6&E1fm7@w8o=D3qqB&g<%g1;pZ`W3Zl1ikRvud=b`kM&e=cB>67>5_-Fu(
z@KEI}wfg`)#7i|b=X{rA0eskhvGD+th{A#5r!=72_bj-2sJ~yAAgH*$cpl_BLy_Hj
zBH$sKB-1!>(d(iHC{_Z^>&h~~>7p`Fi4UD#BbD;(ChTKY4(r~2>YHO;lV+WKHh>Y!
z*FF=$i=Mkbxk@|uC59vmp^+JQZ}L2T>u;~1@-b~z`QQCWsY^J^H+F*u&k`)raacE+
zzUrsNV9&WtJf&Ir2kk1kH?Eep9v??;`?%%@PoKCz{xkcvq<d?N1w+`hds<g*n@+p0
zeyfekVS}HK;#PDHEu-(x`vRn0+Qb3O(fz`FH#pqiMP!2I^DS;ywS>qbceWL<>U?Ve
zodRTKUUH9Z>L!MX>Mz%EuA-+6mFXHP-*=RD#|3nq&$ef+>5$SU3w)n50^{#=D3J0x
zY1@kN@J|tf&r}$%y=6mYpHJ+&liG!nCI;0Hwht1zva5R^FD;2|1+Jvgt6k?k2J=_O
zN<QQ5B1^0VG{iLp^Dsin2YzG-a;mY=K6?>WP9|s843vVEI|<c=e7lbyQH;eMEHFig
zxu5qRm<wh_Rxdu5SqJVwAm{M=u+^f>UyUoK4w0|=a@+p##78${J^j$Q547a2DS`u8
zzat==bKX}(F3<|M--${E28|@19^Z-FJ0TE3@{}DblugvQi1O;zMcK`f_t7pg?&R<s
zo+*Uj4t2X=bocz^sghmw1_AUsRf8_;w}4dXC4IM-VCP+TM=PL9ABT%7&xX_WHlO!i
z{3W64bsH&`t-sb4T_mFb^D>75NYKjb?=qeG->*IjYB)R<Y!1AKV6!E8S%F4;yaZ@i
zZkj8jGd=fLAzwVJ4>Gm0WVSl`6=mX~Gd3G*L-^!)bKlCk5v&gjJO))>E|PtxQj;0H
z-S0^Y2fQ|V7LBnF&HWKO*ux7c-C@-zf4$ljc<bhErU)P1MD%5qX2R<q<Dco6ejUjv
zKyq`LWxwRU2(4&Tac_f9_rd1lSgIQ{mUi}p95GUF`Yl|rph0NQpJcci&y4(x)xAkT
zZZ6X;s=tYkV-$V?gN`A7Lr4v{d2Ch!YOVW7<0m1^a*;TK$r$iHU}ra>umGQg$d+r=
zUTuWOh_-b~Xdkq%Em|J5r+RUF+dsUvJ@^>WTnRCrWwCTElR&&cv9Pc}9Omfa(nCrS
z#x_PzO!G1bT;(V(@sgT=mW24F<h|+T-Q^Q~e>YF#(EzXMX4>BA>{TlF7Vq#`Bb>|9
z9p6XUa&W%2n{Jkl5F5^I5`B3pwxiAx;fRY<<sG$7Eo3q>p1B(?Egp!5)zo)*7wP3|
z{-%w2a+t3Z6*LTleB>l?E)E%x=g7z{B#`JY1HkC8BeU>^<zD3j)y{ROj!Z7E8S9hV
z5@D<DFZRu&5MeDf+w!aQ5L}yGv5+znPgX5`mP@zXp>&!&<c=0UGdA@4XuW^3<8&?l
zntE3=kn{y<oYGC<%Lod)`4h7zDwXUuoZj#gmEF^n3}V5D+oz?u3sQ#(vz9qi&1Q<G
zKG+d3mSq&BDMKT9C0|KS*T6$Z2IP7=tZobhJd79!9(ud&w)z8$E6C1i#+lxW{{ZKd
z;*wX$MspNV8j1w<`l<`TaVUk}U-eSE#-ULe2r+!z#GDnce~v0rh|KmYGggYJ%xm3+
z43)j8cbd*<Zj$Pb)iz6l)Js`$FDYdu49<!e%j~<2=K9U~9o_~{6&RWm7T|)aJuU!&
z&zjztf_~=WY>TPD2Fcvqym8hZiP%1ii3A;0@;S6wIaB5aZ~CN{)ih<SKD>cJQKUZy
zBGjY6NH7fe@4!E;ljl&m*CT(9nRbpKEd|VvNYN{^g8SHQ!`vTW-M_mdV?=@{df@K2
z)D<*ms%vW63Kx1l3&B-CMX*)!AT3=3R(`ao!13rvJ%1y54g7^Ih6>DL|AsK^ujL?;
zbDgRIGfuIZBOPj#NAFu<WotID@XsGc;vhCi3d9T_-4@|3UiGd|``kV>EUy_zIRq$0
zp;R#<dB-#5FOtpJH$V1AelvogkVt^+X#Hh?gU1Qm;Iu<3IuTvZla@{hubA8Yjh^Rz
zarW}#jy%!6Zew4~wYTp@m(7KUt($9l+oB3xnP(^J5sH<aa3SZp{3t{;8|z3$la6hP
z&yQT6QHq@mNOB3J&G%3h@YMPcJ1+w#i$Zx47{BDG*IQFf?2k$r*+>V&>=QEy&Q;u0
z)HqdkX4?o5#o8{8RZJ+efExzB2I5m3=q7Zq*jv3iUugREL7?j$1`C_9<aOC}v%JlL
z=4F1S#8ROb*IiE`*AkxeC!8_8Wz<-6g9R&Ac=lE*VJ0ft8jFzGX5+(M9O>CSZ4Evf
zHs`n6X0z9sIEk?GX5Y$D;Ok<*EU+W(kY0AK<FHY*Ua@>suq9elES!`gz-qak?Bg_G
z^_n|<h*;aPbl$OaQFr=g0D)DagFxRSUG^$uZ%zCO;zO|#r}EzXAV;d~;e5FI!n<GC
zON@4Fa)H@Ke%;=-H{&o+9%>9dr^5lsOch%~CbaTznz6lh+ya?uVjqu|eB5sHAPlQ6
zj7h~pHlL~rb&oVF(fb3Cu)Dypk<{FYi10y_8KIC>mcJB>@LAu#9XM%3A$D#THaIgh
zAlJi!q#>IBRB#o7AwZ%y@l8<s^43iSk@)ds+iAy-;CNthA#qgV(4gR!LEzR#z?mQf
z_M#)xwxx!y$#(wDY`AWWH&?LTO8c+mK)g>^GzxFz2=DbRzo#GZeEM**svhkp2^%?C
znf(@xI8>0lSZ-78l~3SZ)Uq5pv2Wx{YD0(zhf}doOGU;UcdN!lt4=e_LV8Ytxi+S<
zy_awC9%(L%<Lg;<3W~U^4hD-K<iCG{RQ@gl=Q&mxv3ID_h>-Su(2hHI&@sy0v*oDl
z(wD1+en;XOtX1yhVa>eXQZsQ>lYu@JR(Yx*0Do0Wb@d@@f@r1Ew)HCKd*SSS<1Ipf
zaxry*2`(sWU5|yFIQe-mQ>IHtX<SsB+#V#!N3@LTGRCWtNIx1XlIv0ULK=sxtu!~P
z2Ap%L?ug2aj`YlmA?4tKqOwIh>a+!jy93MlHhTjWN$f86aYD_Hzqr7%>c?_mP-cTR
zEGR?q?;~GF;J4?f%J|tD{g^~csUfjXuEG{J2!eC5G1R+>uKCofTTeSHn`j_`T<``Y
z6W|?yeu1meE}Tm|O!)LAP2}{8WYWJkHAe}5ItS95+f9pn#BPPmpu1cto?n9$9VW(s
z9dd{D;#}bHLg2KR7l@Il_5iHG2ORc3k9MD;8!wO5?Rc3-xi4<TKF8w%5E@=ZDQu8)
z*aPM7_IXZ<bTBqkml?cRD=o#o&Ke(CVHBD`e%FKOl1fH2Y+2eHYh+%p$Tb&-rZyU!
z`2-`rEC3VB0w%v#crzb1?mkbBS){>NN7*C_6;4@ZGv<2WH>Xw39=_D9t64}_o_iy~
z39j=_%B}72_)(I^9mb4g+3KRx{v~IJMQ?^v^R1k*QL{#!{bA9D{R7<k0NfK>k(-y*
zUTxxZV<Y>IPeECw9=WAH#+M|6yvK!VoNf0GcR8lI$`<2`N9aDV#LGQ2ZRT@}V-OWc
ze9$pqhv(387?YFoJt-U$S%m6S!0<8P+LzbL41oeAx@S{%Is`o>D3#Gj83s<fnZJ%l
zbv6cmgkmHvmeUU%&RI8Qzu=>^2qEqX#hd;l{sez=z9Mwapwm|2D)^$J;V|RWZv3X!
zb}>WqhnDNjeZ94@rm?#?E6O4?AwMtWkwBlA-xBm$E5;aG4&=Fj^>r|eII$~~Bo2u2
z@wWde!f#os;%ax@ujd9~TnGNm0wt81H?QxB%-$R(-+EatE{90=kExQUY*UI~5WB6O
zNMoCQ1T4HYOmS@yJT->SE_b!OC`G*ttXrgFKUsXWSvKas9B4A<o4!`+zH}TJ_#Be8
zbx)DTVamgZ{(&ol6WR8*JA@1uPqKCT!een?DA^6QY%wc+LgZ|?8-{oA>hY!ccqDA3
zfc<qe5a);IINd4Ms-3_kFSX&shf7D7SEwh;${(ZQ;Om0h`bNphEN>Lc*<B{E&4-KW
zr)(}rCLttK$*5qxs)sD_Ltn%A3SvpEJr<`3YE>UORu3)61Iex*{R5vjqVrpIJ@uwG
zsL2DKmm8W@ulCW0lcd`Yd)l&kg2QM62XrkJf#~F?77-Fi41c_blsjt{fO=lVbvgVN
zasYh9gB@T;ILGss=YBa5RZ1rC5Z%&i;=Fa#A%~<wA0e6>AzF%bmlklxRWRr*<K_Df
zEB^rLr%+>#(C@~iw+xf>Xw$FW@b=wsnT_CPdD!0Cv=S9mpwZ~BOuQDMit`=%;BKZz
z`1^-*nugaEE~=|#wk<+qj+?uTz^N-0%$hK-DqgC+6X=@uMUBiOLCOFLuhIZ%4FpeZ
z3Zc#Kjfj!lzZgAcdI6i$mrO6e%qsyUORjfSTSLM;sQiuEoxW@<3i&(ih<`KOiT=Gm
zN#>eU$jkW_PxuZ?)f(#LE&WvrnUVvTs-81seXC#0rj$+I7qp?-{w*H!of1sWTPT@C
zV7?A%&=a2Aljd+q_Qv)JwbmMjQil{P%KdB2dTrB*{l)Ponigb#FdLFN#0ye%xhMb?
zNrJec#Y?lqRy<uF*M~s}(RLM%*?DH$h7THK=oY5PhvZDnF*QL4I!PfjyTKDXtPofl
zHRU4sUts0qNxMc27Y#IBnaoCDL?`cHriWAE8+>Kd^6+obMh&}I_-_BAo$)o8*BPL=
zT{Bj1MLQYSK_e*V;Q+ev9By31`-utK+$6Zi5P}@9FG<O|2Df79+m`0IV-T;DDbt?!
z)gK%UJ96*cY<E5v<{L}4ro2u)%Cys_ARLY@Bl>>e6O1&u-O(=N8^!9ZFKF%j=f`21
zQRLPQWhj`zXymvcBv>TDr0&7@3P_EK5_;pW$IHw&*;s}AEvyQ$5d_M->EjUzQ48>!
zC%^k%Zph#qNZ}J+qH)ze!AV;$jn%-gtTTf7L(~#+b(7te)vP{YerK}SlWncN$3cYr
z9i`}79a2bi*FYf3$QB|07A61n>>r>5XjKgFw&)_Xk7vlfP8dD<bM0=6I0OC)(YeDx
zz=>klHyRFzHG>G7uYiVE%DpUtsHq5To2)ct%JZ#{Nb}E2#Ln){6d#<;+_Cr;;r}87
zuH+t<$aq+v+Lq&z0TO->Vvx_Jt5M{|8yO(3gf#6&<J&H^o&4vm{qA_hq=sIW@Vstk
zRB}~4ZKpF*4F21<R?uEkkSOSOERbHs;fq}e77<4L*qV6@dpP23;DJXwvP%<rV&;dX
z@$o<uVPlKQ)=cvQ&9(do59?yDshyA@ROYN=ZYD0htH8a#pdn8}-^EK1Yf67tdY#7f
z!6r#?gY2g1IS7ds%|tx-Ueb&l$Q-iR<3Iy(#hMg0q#N2k%?Z|=Cbv`=UWziyu7nTV
z7Ipc9*5;gcahGA<9Ct0F2__J67Betmuqc%x2(U;=ZC`b??G5H!NI0v?KCA4l0>B^l
z%66fuj3t27w+%kA8L5HotS#b`%AVIvm(tCjCGg~Ac0n(T2Uoz3w6N2aTg~WMn&X7V
z^V@o#Yv0EG(6N$*+C_b%(TslhXmF@}Q#KOGgdvv<sazpw$o8mQWBwX@Q01u6aEG*r
zkW*3_XUAbnsMVNGW^iY4Pi;GrEap2i7Z<#%WX8_10<}(lOa35IZHx)w_KTc>WCB06
zQckT9O`hMWQ}al8N(QPMp4t+E&+A&=<2(m^5=?(MYCYv?M5oZV`VCPGY7=ARwZZgj
zqXbXogBh&JM#oxq5p!7ikSIfi9906%BqrAp7;o+yvTpY8uN|TBN;)N?G1r{;S=mpI
zrc3qhHXQQ0mzT+xX?!KE-z~?adGT7?)TOeWff&JiPj6xrk^|Vlp*uZO<jW>deYl_o
zGuC(29ZAiN!g~qzb_(ZTTZJ9NrNd#~3+YMw&DObJI+`_TOqp&6(2K|O`x&1=AqYcL
zGtu(C#`N{kZ31mI{rc2k)qnGhFNS`F<aM{WUK3MRZ+64yz296W#OS@USE;)54DLAy
z<A?>8<fay%kMOf)ucrSZwI;yEKi3nLK2~J-Z*m}W=<Sj2iw|sNrLI_i5V};za14Aj
zI3GsVYAKkTuhDgOKHgcCw`NsBpAF2L*~#$;kN8~!?W*K)^(pqCl<LtAlX<P1ogPKS
zJ3R#!3>`wMcX@<jzUhnX(|bE8p5_~&@9s_}`TWrQzH$QiNbnf!NTJW8VD0<*lidxe
zQAv|tT?jAiQq)wk7&1sQ7*WomFiTUT;YagrR?J*Hc6P;h8f$Ziq)(Hhenb1SX!*`w
zj0K`zYEoV@^p)YoXIsmAKQRVy)7GNFBv2<YR6X0)9*7srV;_>;^t#>(ka;Sb(a8wm
zf@tU22clq%P~~SK#?TlDc_HAYOXCDt6W`9teht2lD}WjQlpqd5f)eBK@q6*$(J#xP
z#U;({3I*iR3O+epP>ocE7L+AbXxC-enaIY1%Z_BuaLRDiSJen2KLRQ2L=Jv9N+5hv
z(XikoDsPstE_qG!O+gmx&0%?KSX7i@_}`~-Yqp#MzAhDf3L7c82Rpz=<x)#t`y{0I
zkcJU?DJG|vw72(W8%PISW)Kqcg2njGKGlf2Vfd7^JF={s#A-Vgc^g$`@&fp`o0j9<
zTW#cev2Ews`DhfPh}jFg7K{g1W{a=lM!ZiEBOFY#pMDoY;>9F#5L6nv{365{0)cAf
zt3$2FU*pNvmTIM~D1Gdf=9-?cl)h!?GxeS{s$qm^Q~J_JOO`7My~<@}JNCTrAn0BU
zNvpN=wx6j>hN`vUk8-~r8zyJIP%9S)n7et7=JLrNEt=0><0ry|qQ5zNAncS%o;Tx+
zm<0+SZH-ODZ1Z~Q_Z>8?5L}7pQy|jLiU`jI29qIXSR-s1E_9Yl_A=ir+jm|w)u7k2
zNT46fEvL7pXG^u<18CSYl|_mJQKwQ++J+6>DV`}!+M34yxjbw)sIT@U5{+8DHOib@
z#%lD901=PDKQS~plPQ`E8C0c+9RQWh<mvA6Ww1e54ginE%khGCqQPM>`1%kJ7u#s=
zSpBwSqQgQ77BiSYzPo6G){F+DLhVt8chr17^Ebk9#07pW_B|lX&qnVA3m1e9?E<P>
zD%I^+?%NPnQLH^8j<p@_tNJQBS@?NxYbg2mDaeL7ALKcg;T_=0NrIa%o~rA6hDk<R
zLYKslwdi*KkU1f>>*Ky$#}~L1j%*&xG8Dv261gwun_MB&Crc>#x4tnO8bsG<J9Uaj
zb*@W7i-%(Nk)N*rfIg>DkXLT0c0d2oW6hHoKVF6#XTQ})@%JQvlk$RqL_F|IR<yow
zOy@c4DA#{Xq=KK3Yh#8TVa%5`&{}J_#JC{#b96h+UP{n)8;O<?2f_O8q|UDHFD|e|
z!&8O?7tfjRy*Wq7`+SjL2BAKzbrFP4R9iIl9k0OY&;(b5$hv!+Xm)^#kev84xP`i+
zg{uN5knK!wzT_b&hPoUl_nou!b6s}WFYay^Z`*^xH-y+RqO7(F4+%tZC5Xm>p8A7f
zm<`RsC7^UD?Cd(;y}jHynq(ftwK~7#3rZjOD#9a_!itnJ68#bQxJ#*SworIz7KHN7
z$P4y{OD1|MbD}(Hx>#sBp^V9y;p)%BmdVkjRd-&SKhJ{Ra97Y&zjKoR9l~yEcY}D_
z9SpuPMCwcn)<<{e6Ml*qQT!Hry67Ak)3I&*c$jwC<zH(8%sCnqyk2$!`+iBh@1v5d
zM-3*pVzS>5rNKtpo9si1-`OeT3YiW<?3yRDjqS1*%Oe*dLITsVj~-p2LbDJ2SMyk`
zeU9gezwz+)Tv%5WSPh=54`S>m;&hFFYjIorv3rSnNF3;j8{r~>R~$s{n=1sX|I{!^
z`Vk>979jS-<JdLZ#%o&hA&nYgBq@mxIzInm1$)xQbrErv(tXE@ai;V&ArsC1aNwSY
zNp-NqiA21{@;jN^BmMG&nU`#{|39VH_`Il?@0Ds)#3!2UgcNkXmII!FgGrSy(PygH
zZw{#BUMJBZ5l2-7$x5!0>6w&5vgKHa0PS~(nRepW#+Ph({I9xpCpdG>%r_zbFHebN
zSkDN~1t>szV>W^+3qD2D{u1dH>4_Vd$J;YB(TRdj0zOaLUkvWN>R;`gu4Dc4u-%PH
z(`^mn{BQV!i!ZGFYx<Yzt!o9J&k+O?F^y#JfFEq6w00sEd?ctB2Hzaw;NF2*HH-kq
z;o`jpfZ3t>3tO?Hk;aK3^}JhkxNZ+bDdg8_l?YSwhS5`i_bDF>lGz`%y&7qiW>&bF
zJlOI(9n?&YAHSwVvfEg<|9eS*M`d@;PXhbecy3ZnzDy1k&IWe$y-lF=6>~YF&Q|%&
zBba_;xnWV*LZ3OCbSQfBeW-cnsy|LVohto<pc%xMI8iHuT84*x9%wnmPci{v!e1JY
zq@~O)?o_#IebUX>KI)+}Ndjb#g2ADM9CWX?d!+`t9XezWE~qh{zN?R!EOxBmrnj70
zqcB{Nn^oNut?qJMJ+wquDk<w!wIK8oBmc`#0&Jw2n=qxz$+4ic#e%f5jWwmTsBhn-
zbicVxIw9BNg315?3$cS8qhNisuv?epP1T}~(MS!J)htC0jn;Eg(yC!(mk&}n->5uc
z%yT^{EhE9CU8tWSDH{KzWvYD26^7pSd3)W*3Khsv(v#)u#b;@yP-s)RNv8QlF;7I3
z*@5fQ^CI{E_Z7wPKzGw6?PHnzk~?v4y+j9LH2iu;v*_YDV^q@H4ALLD>hx1tK4VTh
zo0=CKjFCP7q@p&7+l_S^HvwL2A}wt>B;6FL%#apP=5|8NXV{c3t@y`-x7tYIM<CE?
zLK1U;<&XOGB@zPu4f(Pew74mAfeyWvfXfsywnxeqjV?Sv-ar{Ayr>J7??2ULl6Uit
zFDQYn{`#vq#FqqdtxpJWmp@j*@Ps$mE%q45#iPcmzFrnTzUmL~vG`j;G9Zm&6B}p8
zAsiAGi{fFv3b&oWj{L2EedekyB6t%AJfQlfq%wCHfFvw=z}v}DUR8PL2>h#YzSv%X
z6GCVCBI%&qELX+IFcj2hep}8Oguc*}^xgFGusc-NT4Zv-XkG?5BaIg*-`#ORBxtKn
z=){oUVeoAsc9vVW=aKWT_M-~~Bi$zVj{F=32j-kPd)u0paiKUFzV=)LV}ipWt#RME
zWmn1HRC=Mbiv?u}53zw`BPEoh2|gNk@A*7o#VA!JGBaNsODLVyJMCoEoT;lQ8Tzxi
zP8m?h&v&K{y$>GVt9ZFiqxPf9A1G7+J<VLKnveWerek!@naukXQ?_fcK^zRzB;JMv
zJHmc|RyI1Dtw&2}a@3SXim|y*03}B_-{Wr*c05<D+sv9FlFjyHg&6FuIGtstk0Jz3
zy^pxS*8aBxRiL1noXW$iS<zJb=zcP-yRACX#2&yalSbsvN73c1PeMG%yX<AFCG(uP
zSxQJeBEg#Qb?p#iUE1u<<j&spA0$#6hjoIAx}>O+cw*uuKuaf<28EP$j{DyRVElS%
zm40MxSKCRTsu`!nn?UR!nC>B%okdFM4XgE+8?4JK{4{1%$JI6+V&%){r$AWy`5+)2
zfuRNAjfxzOT<R7AW;+94HQO6MlW4tl0sDebHWbUa(Be<dqhfQ|k2@W3edYw*7HsE<
zt#5#4M1{eH@@-6;wDn-R((J520fEVpun{Z@&@?1b4vy*(zn)_k0>otQQWqEeIg3Lp
zyll64n+ZfDuYflPCUp<~n@ILI*UTLcO~3R<3NFM`=^Hr%*FTUS6GA@c+>9&oS110@
zUEF7C96aE#-zR`A5s8}@y)0D?ewF=@41N;)TDQ$%N}^~wm}m4Tt%2+-0)4j%V0j1h
zQ>GY)LCtKPR$s!J_;KlE$k@M47d~iUodBvi<Td7%h=`w{kbItfrOPSXT38E0Vhdhk
zs+gazMzPF5>EsYD&YU;Y*Z?#xsQU>1KN|v6G?BFVnimZC^QAe9<*O8+>0f72v{I@R
zXQpG97}tudAfJ&?`N{CQS?43N)`jq(D6+!%cR4tqcc8~|#xstF`!#!MvssXq1K$?C
z;3lbv%&_HjFk`vHgxxbqK`d7vyv=kGvYdR33-6!wyeq93p;ENZ2)>)$2<V;ZAg6Ia
z)58z`3Ktf%g|#+NPHEh5M8^G@R!GwGgi!qgc)`td33C{{p$c;{$pM~Nbb<Dm9t~1#
zV1SM45|ccrC-@ZBU^50|rO8A!!{Mxj-|8V?KqYPEzAZJorkidV;rq)?I0Q#(?qpw#
zM@i4>HEN^@;Rpna_xNx8`cJiWf{kQ2@5WIocbjrFW{*JQL4GHf9_Hv)M;Tc`s`0hX
zUySa(rbDI$`-sJU=ZJG{bGk6}H_=+1Z(}Vn2Udw~jWGPhiaK*~N4t$w*4|fw^R9{K
z9cWS&0B6bFuvz=mANH4Mi=P-EJ|qXO2auHR`C|cUi+ByU0^s}Nz(Cd0-jABCIp(Z7
zSW)3475(x_R>_o9^CY?;zO9L#wCr!I5R&D_8EWH<ymU=q&=qpD;7gA$lLZ;e>?3%t
zQ?zNtgpgawHZd#~p=Z$F9p8OU{$VPsYt-wIR4&;)ckoz4#r|$gq%;(3R!~{n_HETg
zMfwE{kT8Izb_x1F$hH`g{360So6}&=9z&tb0x5f8X7L5gVvAP@H($eY55Zh)am_{|
zJhfJHe8tV)7hq4$oA{SpgjuIncNpDX5|=sl67TEQYJez@^5p->N_z`2lr1r3vg&_{
zAB@8F5gV$%s}cU6)vyFs<M={}zsKdwgs#*pwFO!sQ^ay(PY-gD>=;1L1A7Zd0z{RY
zqew@_kF8OTYhs*WWq}-AkW662`;&JUDm{Ba_vw6Yp^IIwRsot}b$2I+&*p2PG<W}L
z^yyLV@G4esWGmR%i8ZqECBP_~LEyALJ$DuVCtp}Vi@)}g?f`oD&8pMe1nVjEi@Q5&
zT{wi7Jid6Z8TGuE2<xu)81;z;^3YbvWj~SV+KPsv2vpHPAAOEH_2tkLNeaOf8g>hT
zPTTard%3MEysaxP&Rdj5<NS0<k60kz=Zs0Q$N7GZgv@H#51uRL`F_Agp4>_QrWh=H
z3CWjLp-MQx-jf6A<;n2t{$!>*4raN7i9y(`c^G~ANSVZT7SqUY@kj6&)A$fXY`L|I
z(wy{6HWZPFn>V90or(1eCQRao%lU|(VHEG}K^h!=v2`?1$`Kcii>n2z&4db6JDUqH
zac2~=dfL{Zdr+AjjQaOXL0cGqugUO#uE_;(P3~(%&dLtY?8EEe(DNliu*rHzfD#}6
zEl|W&R_|{0#Rne!&@BT0nxdHo0*k9%DmI=qa|sS`LDf+x?t(imV=!NnsNVEx?gws-
zP3f4iu;k3lVbs#e-5ro_7;g9iUCVh@z4<}187o-QjMdjQ5?l-aXM5B>{Ci#4z>kIZ
z`-iD<I&V3bkp?dKpwR6v?<mrdJAF&1sdbHRJ#R)`eya6Nue3t^gpG{T^t>}|pMIjq
zpr2S|&~z{7dMBImdEU5RGi_;Sq48KG!8yJM=?#-{yw#f~6QQ<oPdO-k%0DMlOYz@X
za|GhH^z=5XK6`fxl^aQ*iqrIqJCfHl)63TkT4sTI0xK{j=>mbq9k6S+^_A_cNZif6
z3fVtQ2i?gfVi?xDUsXq1LF~N2yG0ZMz$q5#?pNj3R6dL)>2&g%44j@}Vuz~j_^qqW
z3rokrbm*rRPjk0@Fl6dEmqpv`^&<a2iTuTXLpsgBm%F>v)9B%N9QyXe;+8jHw$6$O
z;B}SOH>$_TzRiWIdR?YMnYLGl{@H`q64dg!4H%Mc`LH{%@=(@D849x+Al@R1<K-c1
z#J9R*vl*~i#`GFcfU3<l($Ofhb-o*nG1qc-n34I0-q82`cC(o}wR;5uJd6w|*$o6u
zZC3oLf%G}83(|C*0R#mkfbd>{jQZ!*XPBG}z?HkL#go}6{5Erf5AQ!frtx`)su+qc
zALrTP3uPPZUCuTLco8T?JiP~`H1`suDs_-C7ea5VRbFe_QY&Y;P5hnh%wdwg7>8}=
zr^jaL=^rr=sip%WLu1Cg=6xLG%V@s~EpddAM}E|Ep=~BZSpo_zj1U-Bp4e{la>sXV
z$r^b*cs8E}i#oIc+B1^Wkg^)V-u{xR#<pv>JiAH^>*!s;`|xPv5#vp*o(YUHR4l}d
z4<{IU12qdlnCup9=QoQmP`3lvUI8KNhJV{*Ynt5%A1B6Gyi(x%;Wha8aGP*OPi)uk
zik=f{Q)?LAe<~d=$d~#_@~-2fW5>I?i?h$5k^-LsldHvV^Cj80pX<JTGL<8|J5;Xq
zS+EdODHiZ%)4Q?g48@pMaJpd>eE}^#T>CzR<J-6k_-W#176xiKomViT-A($<FApIT
z1}#j!Eyj~Ya3;R_3V6}L<Q)eQH@1l7B)l=jz9`fY`tR%Pu0|xc`1?Xr6_g_Z?42yI
zKB!ke2Gbc0w6Ytnx4M=DtK^>?OJ7JueV0eOK(Kdx0XJ3J75xMGUay2+cG2gTMb2Q{
z+~}(U1Be~cbKREi6ZaWlBpH81jFsK!=<TG@jCky~xi%Z+$Qp*FBBj@;B#Pv7^-Pc#
zfA4T>{=ZW!aB$viT=ZCPp6{beBU~_Il`0WUHlDWy!lQrF4eg*EnQj|-y4wllLoVDG
z*x+&+-2xkYH-gCh8K;&KRZXi0?|DQ4<<X)Mjzt#eZqD{G0G^11G>`C|FEz74B1YTt
zH-11Ki_qjmx@5`cHvO5@F&UOE`6tyQ{2LkqalmY}>Q<myc1Iv*#@!|e>`bD>Y1AsU
zqQWU3UybL_uvx+airO;R0*dj6Oh|O05yXy#ip?|*d*c<N7FQY)yDuG;oStXQZRVk^
zN>4jGzhM99TJfvb247`#r91MH#@}0+s`#}?sgZguda8al#1H(lBP`z8|4y(#`iJW)
zCFI2AiJz?{D1oDKFP7+M#*nXbr!Nib@eM_@^IQ3lXV1#^hOP6>o6nks05<-{GnnY7
zmD^7%t*yE%N5tPbLwRxBb75J5jzFHW7!prr==;f6t9)ysqtS&aLkr&H6C66b%GCa`
zdNY3{9j^!!Kvq6OqEjuSnxSC`2vQCSVL@e{*7)D-M?RuYGz7fAFmO=B{U1HNyqD6r
z8jNECizjX30cVi1*(A1GpNeuL>gS5-*DjAXKeQ<Li346(E(XVqdPje?J?l^m$@fxW
z0~>UH@e|Z77W#xq!$%);@QH+}-WoxRt4<&hn}y*YX9pRMkNUvTG=f;`!uC;UGvf_)
zV)K0}s`hh^>Alvb_&0FG1;NIq&*yOiZXUgiz*(8`jiJDb!DKSq&k>Uh!giMpCzXaf
z2J`g}5_a*667;`2ijl|E&rM2UTiM^tAa*8mN3pjKuQnw8QHXw=8T>lsgNk;paA&NC
zph^yV6J}7o_kzpvX|BH~LjV0)z$Mixqu*sr{+Ua*0HLRO=$~TE{BS<?Z_oswI*^;!
z-J(P?yyM!uI&|}dZL(s@sZO50A?6BpoetXBMWNbEqr(g5k`KGrI0D{n=RK6?*16d|
z!5c1p>;fu4x9{taQ0gD9WKt(eXZyOrV4Z3I#v-XUklnb6>r0H@{1A~e&K#bfti><P
z*AaxL-SRp(WbQ>M%;G8ZaZD-}rJ+57^CG{qa_{v6)&HzmoR8fWM_!e=?^1~_`;5}V
z<}I8*x)Wa3ht!5^CVm$r)`D#!PTS?c>cW$b-8k3Fb-C<?IO}wB84btu+Bf#qcRgW&
zeXx-w3H)Tj={W5jZ+znn`8!ICcL!Vx7d#*UOOIiZID%&S{0*Op)1H}rXQYt*bW<cw
zxd<Q$KZ8uDX_~sq=M}^JssT6{$d}Ur4(ExD*VF4Nfi7{jgo1FfaZev*i=7T2q-#E$
zQ}t@)d^-z1a}ddQKI&XS(p>|9XA^J5{mLqpT=?O~*JM#4trTht5MxIb(HD4`0F8WV
z%SD32K*S8=p;n9<Ez@h>8H)FM&4ozVKL}08#>z0{uN-YPu>3IcqCi<J<s@dYwT+b=
z70@7``!&7JSF6#_W#k13rX1jPYZ3#)j(CXk^4PBd`F3vvSMKm>MIA1%Ml$vt(ktZ>
zKyWA|J`pn~(8xWhuzB=E>uH?}%}(K5`LQt94QB^J@#>bF{)G_r*2^7E8RHiHs~&Lp
zK2k=SUbW5h^LaiUcuZ-C7RtF_2<1*47?ER0V?S4=uW8z!%=L$J9R@Wrb)Ez-VN8`N
z{>h@h>F<AlDv-Sp`*a_65KSDdLh@0F{Pi)n94GTTwrJD{xvLMdF>)V!xj(yo_?b$V
zU=QF$>%3v->0%5l)F_)r$0T-?pR7i&Tz@(pr2;v<eFvev_QCU2yV!F32&C;ga1lG&
zADd6k%E=%ZzjzZ-NhpTSmCHGXKgOiYWR;6|Prh>zs+L{2&+nTiM<xHWe#E)2PCxx#
zKN>8?=Q2zTgb0C}ZCjdp2M?%aP7l%<;CV%pp8-}~lBAa9tK#XLx^4a8ZaycyBwu-s
zp}l8oU)M4|?I$+0D~iwO{2T>pGPztj$=eRDywVs%VgUtF+a<s2pV4>CP7iWkF1-|f
zaMU*+>|!$0Glluod8}Tz2&D>?5h=}9zbyG;J#FE<_qp$Y=NERm@8mNz@!WeYM*XYz
z0?r^Kwa?k=i-GMi!idAglXkNqJW`E;54|5UP+2w^Gm->vqFAI<jYFE;FA*8ixdQrU
zYwv;U*WJH099P^G+Ib-c#WS4P)dTtP!zl|gCt+IKqlwY-1pSfLX{-MrWYh3q%P{UO
zKY*0qlo=E|)DQ1WVo}w2QL)&1VMp@g1;IT#Dt|*Mu4<@O%I9nAyVqF>K&c}Pz!AzH
zBcED-w}&;bKMUWgeaEi+urNWh3r9pO6Rrht%_%0Z=1<0bp)fQ`UxWYxr?AfcgxBV)
zK%iyv$;XRx^ZT<?TYEQ23GwNQwFyR4MspS#nlHT_-(e$>YgHrouj{Pg(7qPSu4bBC
zm*PJpUCwM>sRmwZG!f219jFImpUt|eBIO9!@Dz3TsD5U}&(}Je`ZjHwvEsddOav7I
zdns~{NrV3&4ydHh4UCW1e^cVR$Oe&l<EO#hDV*t{)RWb3hi_;l&$q>sIhr{>k|Uw#
z-HNmNE1HSEcQ|Mz4@zY!r$Jq8af9|+K=$ISy{olZX{nI`KGQONJU3Zb_s~z#<bKi~
zTPKUpCiM8JWm7H`#gM1GiD`1(2wEI2rcxPa0`Hmzom>u$QkK?fvDSnl9tp2VvF~U@
z<2<Ip?D1FP)li{>K}W2_42x~vjN?Tri)L6VHHW~LFAq0&wt$a^h=GuMIYlQ9IaMLs
zQtr$50B)*3+<EkG<?}CR0K92JoDV>LB^DnjIy^3WGe+#MuC#v^+J}KZ1_*#494ZFD
zZ1dTSs8e|24G}S5tPR4Xctt82>~DwGe#f7dD`0ZDIZ4-at9Ey^A=NZta?s>?iRdHX
z6>RGB_$A+m|5Uqf?trJxZ7;k}sReyjE;+z%rNhHgTr6zO5$H|n3?{yPn=^%w<g{9)
zK7hjhc#vN?!(@#<WVz@4-BUQ?f<)A6F#s?M7HYvhvlA&!9x7Hyw?|p=**#<}Ap@f$
z!S*X7fEG8t-+XwBDCCuwIgb42MO_k~uP@GYB%gR&F^m~RQqH}nHD_XWN-MLuBeE0}
z%gfkrOD|;tLL;L>N8ZlsLEL0cPv4HUmdhnjl`heU-FtdIxmYE!;x($hbrR+q42Tdd
ze|HgEy0JcVFk7T~6T;x~l>?!^KVB`ZR{e!1r!B{n+zoH<3SEs&;B52l3ped9gujdx
z>3<s?7KIyjjPBLDt}~g?woHjOekcGi3QvZo9!P<rdTm(1_vADhg~+tk<`Kf*1x|T#
z*N0oHetqJ>W<-DZ7Nt<;MrX!)Njc0kD`R!{SF<rVJCiC>OhLZR$v-oxxSo8SobKXN
z|7mhf^yV-JNAc+u{ai*kNB;;7AdEd9Zyu@t_My_M-aTU?Ek4VM_yHX;;9MAuP~1RL
zc1ulMrAa*-Ht>BFEnxlbW3vf2+8Mt~Rb1UV;w&*7?!%fXH}XZlaZff1ov~+H-;)W7
z>HX?7$vfDQa&X>L5;#><)XDJmw#3ru4*C7;yj#;3(9iPs$rl(O6gHBp-#0({K{e*g
zbN|_~+Q|Rzn0m(jGsC^o#^16x@&PrRM7)g+%08N0WRE$WOz06Rugh+>&4vRAZa}Go
zG}u!Sj$1PRl854S3$QZSnRQHam3tNT-nS<!&%rB2wmM9fA(NG~KJqvNn(^xCD_W9=
zsJ!F_cary=L4xe|`)=BWgRJ>0n_UQ*1?AE)n`RmG?@Dh03*mFB4UhhBstt*4^}1of
zzB%s*`)EoZ+{;A1tPQ0ej45;$Wk|s8(bnh>MHB`*@>EAIozyoC9(j!{7e#aS#4vNc
zo1jExFR3ZDdF`TkynJYl$I8rE6=Na?BPv-fR<cGRlgIad?!~Q*l?|6SzdH<Ixa^X<
zy9%hES42w58ePuRC+r!5{7ZHr{WnP&WuBH+r+$w|JdEf_spG2pJcHAR0Mo}|?RyJ7
zv3NO)@a8=`3{pm0IfX<DGNAnl$G3|_lITJLzA5_S03H52fRoaC=Z*Oqg{ZTh=#qQ(
z{6r{$1mNV<o92&-4Si(I7Eu!-h?ENWAIh1$MCA`Fuwwh>#*K!FW+Jrv6W*t5Zw(4v
zAiew>UF!ct=Xa`EZTq7ojcqZY7f}KV7T!#=krR&tz00Do)iCl$U-Q&g*ho`qfxa}1
z?-d)MzJVmbwdGF!xJ~vf#ha%3nO$txdbG^>FSVRk9+6SqavZvpXuZm+{wNo**aCMF
zL*ZiM`&2Bwgzl~UpfNK2Lh(R6hK{k1!)7-~>>MEd3i%}Kk?*ET+Dm5<c`C!vXK@W>
zs+Qzv3IFf+v_j$r0S;xke}%u!XD?m`hv_Xmj2yAb6u#Lz&zwtNUa4awH}(%uY~W8_
z82eq@<pyLn(d5@mf>6(3ZPc*)ee4@%RAz&mCtZP!i#;`<HI-`ed_)Ak-$nK4e*Mzt
z(H;fmXnu6)iD3WQrf$Y-h}1ey#hx>ES2MfCdmO+{u_d+6N08K7+1LO{ny*Z7yA}(8
z8Gitlt^SG;p#Q1;<dF3%Xf(d_)CBd<725ru>>k!9;Bo(kP89J+dGXS0;tQb|Kzx?u
zv<MF1w<s+?_Ex$4nh9xy;v)LlWI6nqa?}nq=>M7oq~PdNr>)`->M3Z-FK$V96;Zqb
zhIjaQG8qp&kEV64B$Sq-6qk||a{+(ob6c}O_Fs?=6}wbzMWY&yLqd#^x9kjc8yX^-
zjw}Mmh4bO<mKRd2U`3O`p|0)bypnm}0+++^g4BjSnUVE@cw`*^hdtF4{H}(Tizg~m
zdL5`F1T4XQ|1U)d_{3uXu)i+Jbdu1VxB;XE$dcKs8u@Bq*x>Tx9Xit+_20o{fHgk;
zH{qgZ-G?D;m0Jv$)_J}!e)0D6vLUVxafVO7md{B3{6;^*+XobqL5ML^=YtyyoWt33
z>t-JgPith~ib0JmZy%zMuxe%#-w!lb<{!OY8SkqX023F&KsGy8xWpHa;--r>?FApB
zHMQp66V=+RhS&J*97w&kU%ThNuQN<Bg`b@$`0aGm2}{!bbJA=z{wKh^`#i=x{qX_w
z_6mb{vXsvh=EUBXpCS?-PrdY<MT`kV^&4(%309+a|GbNnqyB^%dwso+FSjE+cOtw`
zz()on>9rQS!8o>G1SCTM1VySdwx0YYz1QU-<4yS*@hluO8il)~a40_fmF?1{Hlo&2
z)Op;c?bF8Dmh0oR60graRT{tNx8l?b9>Rs@kUJL}^X`b`kld|OEi7v)X*8cZz&rCy
zFB|`t`w-7Ky?q~SNf|onJj_MH#FMv94#h2%Ahh5O9mQl!OBF{^fDQOUqcohV*a0`P
zYOQS62j-+Qv=OICB!0ptvSSb{D`l;X?~<+7-I7F$1DkIXmVoG;#JI>b^`FG+{684?
zN1tsH4+37EEaq1dC8aoU%amLy|3h7K;|nNBcJTSwRk8XPfVk8I`H~D!X6)LCn|vJY
zX)WgKW~<izcn=J4s`?uuLc*MjCG$u>ya!SG=KluMn02y0QsbUoy2}%*?11q31VDzH
ze3Ih}pyMd_K83MP2-AkDG?b)89}%FQ+8yn2(X_@oQ=>Nph}ogjI|_tylP32$>OyCt
z#3b9_lG}2=Nr1e!l^0UVcLI&I9lyK2>2@eyvdBtlZpSqKxyo+r+UP$z4)kv)*8hvi
zNc)Hut04FCWyjKnTeHQxrIm1fm1hs-*c&g;7bHYAY-EST8X$8jmumC~r(_f@@r<dK
zSVb)gr|JPq%&tjJh~?Za<w)p|H8)1DhzsZvU<92uwd}F}?xD#4>><g9?!z4;$53K$
z@tH9&`HLz!ovZQJNaW-sMg0LF?zTFUK<J0qhTLp~EKmUB&ocFMqxhod2hbt+vioW|
z5*g8{qHD8ZP<#5nG$@Gw^In$!^Io6&_98x8C$ke!)z~O7dE{A9_yR@Eq7u5{)Si(p
z6D}w>7&0e+klhz5i0a%rl*@j^ePF9swJB!=(Kz1;5F7>$e@$XF`u$XGZ`iNErho38
z)n7CDi~qh=Brmahji2w;D`E09z<~QQ76R~Gmw&TAoqr@MGd`5o;<uL$^H0h(hB<%1
zBw(`y|GmPf`Yk2&3t12a;CNo{ye$4OQc87>6Ue)c2J~|R$(B4`_FFAw=4SwZmN=Ks
zGjy=@y2f`#6CUbC!4xRP-hpHCuf~A)Z{rJqu%KfFDsJ$sw3&b=@L?Zp@!|c4mqx%`
zPTXvjSbSDjI}75Sdlc9LHd5!d)Ku1Rw2lAzU{-}OdRbndLcT$PmF*k{eM*03iRd3!
z&g0N=?)Xb_PZ*8AL=xkFGcK~Cj*sWsT^GW2=AdA*yM|=4mYYJkisd?k=8tg(D^oN`
zEF@xrL0upIcJ%bedEb$&JMuav1;cJ(vh+;AIcH)w=t>_8^LN7Ta|LIk1VtpTp$Xfq
z<D0RKAvy+;zaTB>zaWiU{>H1Ybqw24I|oOw^<CM!`1N#9!~BhWjXJ`5vHZ^`^A>Dj
zkP37!%E})nKI{GBX?_=sLmW-SEi@dN&X^Iln6nz!!)Q;J-`yJE$T_5)&z#)dTiU7I
zX#b2rRq_7sgTMUGgFoE(;Z5mJpE3fORt~vjEH&4dMiKFLjTlHk_EZp`3seC{MIrrH
zBOaY7a!&_OEhcHHbAf_kC+J}Dp}s%iGs_|{;M0QtE^%*Hy?1^tbCpu|Q^SK-rw<M3
zpWGw+Z#56-uU}L9IBZ=3)ED;<(frXTi&SlcmWaYEWxwv;NXFJm1SfeXSthU}_jwXp
zVRzW7I}P@H%ICuA_k)DZXjBRY2wBX+AgJeLNtmBTbj-GdKqX(~%r~*e`BFjP8swVy
zS3J`c{VzDz%DD$@;GVT^{B187;}rRTo}RkoL0>aV2bx?uPUHK0(%WTB=w3Og2Zf}I
z7=a!Dn%|_Z$}yq=T{Vw|<4(90g`}IgFfxV)6qSojPr+#V3NWLTN$~06EomgR6RvfQ
zmH^;e8p;aNM<M(D=2}Ystxpb_r*cGmoj)#g*OmjS>+broUZcxrud~%VWCMnD>Pra%
z{|Hotu$-g~516k2pZlW4?LkA6&4s0ADE&dFnHTLH)L+-4&~#F>G|BP(PmCf$0S&;A
zH5GfpZ8ih1Y%?d3LO)Hn53SDo=}(V>2m0?a%op7I?6ue(Lm=DEf;#|e>L5jpAz$C;
zX4KFt2uh_O+wLOynp#Zu4#NOepK@6kIC6al{Rw~^&h~ZYGIfdOkqrb&Ur;Mo(Nwlr
zh^H)tv{B`JIJqnSz-bTlSm(B|JMuh^@^#iKeOKF^SfpE8uqx8)?{$0ltqlDm_~U|X
zRQN#)jOhYB<wqQrPhKGifygj*eYGYSBQCc;pX{;LOSLBV<?)vcpk#ptMLumhbRBR8
zudbp!wsu5F*a;YRhlQ|&X=ZqyVF%&UyW7dQ$-IR0nwq=)9#dxh1D^z^o;3_Ji6vXI
zhoM)gBx?-fFQ%6LFQ#5s-SGQ<x3a(kv^sdQ2eaV-)B9pPI-&hNv1K`WuXYL4X>4f_
zia`&2zx+O3A{Y-Kp6>Hqj@rX>5l+rVJG}F+$BBG9iE<~MFD$+tEKmEhdf(eC>})*C
zDZpfeounpNP@ogc`9d>o_0Do)4>{mpeU{n#|37i?72QSEK;%7U$}Yj)&ObK0-dz?4
z^8I>C>?^L2MeK2+*sD_!TjS-y?TH$gCkGOh^*o{k4z0k$=$JNL%f#bSdB;&~p^wS<
z<HGAgCAAxMgc59K(8=vlC;dm$-=jBLE1I_GK{%X*eYIu>ci)Wa>{gn%tBMUJ{y-Cg
z|CY7h;=aJFL!ZY-ye;I%3~MSMh^^|L&c`}$dd%#)La8xFoXC1RG$VRNM1UQdZn=n9
zW`HP~vTp?AM4fNuhH#bHAR&7;!`>R^*}MaITHjA9h1mes6py_n<BU5j(1@^F+-@{}
z2A0|?wOCzKhkOt~OAGQ38k&O<{F9>z=>MCeZB!N!oSsT>KndYQ7Y|2$5k2;RXOS_q
z;1U&HDewJl(@hk=uD8)!dDN3=O0`B}6Cx8Ro3D_VsI!23sw*>W&t6&6>Tz{c2$GR!
z)2rzJq3bK4qWYq}VH}W<6h*qbOBzP$M!Gwsq(K@CK<Sk3kS>u96_rLwNdf7WZoV^&
z|9bCzYt6!o%-!dlefHV;+xH%$N0-=pEtIIDCu7`kRy1U#wSdUf*?%mzRM=TxRj1;&
z3Zq1)?TJRuC*~a_Pp~JjAYm~0W3ROTN6AJ%fj@f-G#T0q&8f_-jq|i#O*cDXUo{_3
zzL4b(4kzU!R<rC2));r8jCgOZt>-X#C@>*}A|l%^j!X=@v_Wcg_BA`xa)_wfc0TA`
z_2ghaR?Y-Z9$ijok(9Gw*3tQZkyOo(e*Vr8=dfHaXvoLI%T?!VR6?$sE<uH%v5!b&
z_%FK=%(ThEkhemUeqvG@V$8G>SemM@1VQNrDh*0ECK^xs?VwMLTVLpl8@HD!ym4CY
zwwyXUAf&4sjK~xb1o+vgywyP(ui$Xm3@*&re3flJWzx<D;K!kqZC>c}J0FI$2n5XD
zbU6C(T>jn{z+#CBk&|ey0A%A&3=dw%KOpR6DW`Kf+qL{DLxEFn9I~uJ(Ud6R^z!S7
zRp;GuBZ;$$yZ8n2WCrR+G|0e1gnxGM!SanDU8W)oJHRVH-u&Wz?))po3Uzwl&u!!T
z^yJelHi3)dqn|sVCvf2Ao>~tG6YXj|@u{B7=Y_`6qT|yl1RXP}Q3f5#YMX813;}GS
z7ZZMnGYO!Z!Qy|?;k*(Rcj<kacRy^0HDl^(das}U-Ef_qN}?DKfRu-8jMx0i-4MhR
zC!$#AMXt>a5vg7!S+PU8$aBb>J*1Hjzc)b>OF?7&xw})Z`NgDjrT?FqSEd1j))T{H
zA`3NY^M1*Ivt@TB+Fm0QwX^X%^Z0D__NM-DA!tt)G-`bs3A#K2pU|$_g@G0`4v^Oj
z<9D1vnqa4z`xqi4=}@(Z7DGd2me<+3q(r;vT=sZ^BICQ+7fH9xwtEy`q;EN_AAk%V
zwbs-zyb3LA^IHi0#cSZ3shaL>?(b}oIULRowAS1VX!5wzW>@h0hC^9ZNQ&-88I9KY
zi_la?u6cT;*H2R#;utMK!>!^^TAM*?(49Pk@yS`X{is#6O3CN^(d5I+-B;%2R5>I?
zAPMx~P|fmP`VMn_!IQi45RiZdAAC^Gk9~{b3OqxnTY$SWZ+6S94#h^TZi=>EAq`N7
zkM_<nOt71S*RjlLr!bu_9R&2wqBY`?azUu2UOkhYU~Ogmo@0mV#3~te2a}@X)eXNe
z8wLlqO}|0X@2rr<1~08i`AdciJXr^Ar3*|f1~MC$r9tu-*5XZn-CIQOl<=N{Is)R;
z391RQ!PuZvO}0H72&kZjPNEdVh&qcT1@!-Z0l=r(-6)ybuap79R<*5%gDa!Aa<~1H
zr6<v-9JZQeE6QT-{Q87bhThAFSR42mj0O;4FTx_^0s+l?V0~YnR`J0bJD#9j6mLd*
zUQFpuH9L{>zl$K)vQ1@dK3%4m{NACQ^vzS^1?@yI8q+&0JT;5{;<A{8&xg%Pf6X*H
z&>GCo>&vS$fV-5X)BwM{#2^ud_X$#FRXjhKba&W;I^2E<BF10e(}kZNpNWdJ1W-g#
zh_$mgI5bz1o)UXebVP=M2RqPsoF5;n>fd0=cn_YO;;`HV?NX=Ae$Vu5CivzbzC;H$
zf&q$3$aol#@l^wXgrZ2Ay{4T-f?S<nOnHiy5(bEV`Z<xJQ(<(O+ehsEst#N`&a{3X
zZNk`YqSrbOjk&C0Pkev!V0h&_p5`RwgP){SzAr+tv)b|D^S}N)qXDHH0U>zh4hAu$
z1;2zNji>+l<DYM}v%pu4LUR*5!-5jDlmR428s-2{MSpK0xX@7mj(%-3Q3T+)CHQ`W
zqEn*6A8AAE%R_J@KJ%?1xXht~J?Z}zqxo+N(Sd95^_Elaf%W3T(YKGil1TqENPRHi
z!kBE|L$I+MKx{g(*TUugGYBniG&oFwlE)eFHGoHsphgp#x-kAZ=LkJT8KeqIFa)-4
z8?x|wso=kG)4c!l$G@~0C%llkN5lgGu!=A+b(gAR*8egFiU;t~vbPEzf~uzo$b6+0
zGO>Wg{fo{WaG%;Ez9mHnZ5I5Pb<2L1gv;dLpZ4!y$%1-DcV!^7Cj8(V9xUz02zLGb
zQwaQbGY<Toc1bXb;)|Z_|Ii48iqHdAm}}TyFXsywle<4$^q)blM{8CAtT;+`k%Z6h
zH~<j3q(CwL5C4(Sf57<_u|t#s#yWw|%-CG(n&{t?VaClu&U+>gdbMO>x`0T0LgXt@
zQT>NbU@ka&F7aus!QdOjVCsVerec5J4!@XH2KP-B3760#<5z|PCWpa5&(S{=05w=8
z7#t-mgb=<^N_+6j%Lode|BQo#{xk&KyX~}aee7`=!B9bFb8`P?Ke&ePT=hMHPvDH!
zhk@^VuJ+mfhkGz)aHCp+sS%i3BwVEMxU13rLqs(L+_y+)fegM83&_QmV!Qrr^R74h
z2ry-VyiAt~hzb^%>^M?7)qe&FgwB9-wjxR^@&GPz@LxK8SOxL_$EsHVbqrDAL(tYs
z8H5Y}1rHC7FaGyO2L`qXC7KAXEnC1?4cb0h%Kte6v0wvY^H5#EX>}q6i;IklM*++K
zhe%*7xQ~g6Bo1tVD!jWxGu|u%zB7M+X6+$YH<6I8t{f-F#s7Mn#K!c^B!bWH+kbyT
zky6#DHldd7f0on^eGBaZuePQXq<KUeDj7ugDYj-IjR!3Uit<1;CW})01JY^ZSP71s
zXL9;#MtSk&(a}kj@Q|i^|F+`K?M*Myk>8h<*mE!>WGJqal*!lFm)!YwGTKYnR)dWf
zsNJrM%&0u^TxgVmNRU52vZ`Pr#4uv*sBd^Mm={=I_nS~8ylVp2KX%|NGLBEC#e=o8
zfIk~`)v*6{FPzF0GuR0&EPrV*B<WqSah!}pRR53<gsB4Yd}d~j3vR+q0?MR4O#l<j
z?(Y$%?tq)hIcjJE0|!t*UhMn^?DSs~WTXb>Eao9DDg-Tw3G8!kW9*%Ojo%2ib+F8=
zBMb?m2fr*ffP%}v?hmX2gNL)Ry`l;X!~mBXZy{X&T07hbh}{5R4h#c-H0ZFj{nxy3
z(R6@k*shTl3g~qhg6pZidqMxuMuPNXf}=STPXxFX)CQ)0q4WXguaV*3o6QFFaenI(
zBSU)$L7~S#q6_z5D<=bDv#LsGCW(aX0PeQY7lO#Z_YJ|BcK8XDPKdL>g~9m1WwGXq
zr~fbwcc&204j4@@#e-2Qg2{h`_HqAvY}^vSY8|hqw*f&kp!`)I`-j7~=x-8m(<}I^
zlNH<qdj|;QSk6iP^H*?F4IsezyoMBlb_};gZEH&J|24o{u<f!V-MEAhw0l%wTSB>G
zp?|X-2{Hj#GuZlq76<|}xKwKp>InXab%6n3@RPz(i`PgHa&WwMk<#h@C33J?V=$ph
zsgIaoz(7}UomOK(|DVYjffem|gag(=w-|u{MoOmrOXiRura*-dpjspXUS45<0US5G
zNdL9?1TcP)2A0_aB;;S<l1N((|KUH(fhhof>m^2HffGRpE*mvo3;b((oce$r;|FxY
zP~06LBGF$_OuYU*xlsHp<c^!jU^u5o;Ll<8iV?6|kg*EmHznfdlvfwq0gDs0>-Zc-
zBH(d^8&{V!zke}AAEVFrOnXk#dH(eC91b{|a*djbV|+C1#iiKQgGRX{9+Vkyd9uCE
z^6R!r=Ufzy{#c~Wn3nH4aTo{smOP~=ovewWK02N0!?U)g+;Wby(_e_gs|6-dcUc;V
z1PKP)z}?)QN9Yk$(RwQ1D&(WJ5zuyWN+K9=so&sq`OKi+?NMu!n_RhXfNr^dKo+Vi
zt#X<yKAk-45nY4IRujjoser4C-Ps#Boj1U1)aByn<1D&j<#!2~Xr*4q$1*1z7_SZQ
z1|EprgcP8q341E{X9(^c9k_2zy1M*6_iA|hJIA1LKi#0gMX<PtSh4k0skGg^&vt^(
z=KA`~*^{<baz*B@ScbTTuFZ9pmwAc_@@j?3bU5@%#Jy_aV56Y8p%1{W-{Ncz2a+TJ
z7dmvQrJdaNRrSKfA62=#<G+9Ho-Akf5HhHA6B?(*8V6ixGDUVA(I>vM8I+$0p-7aW
z@RB6=+u-ur`2CgEuyH?@${e+!r*SCs2J#4WgMOgO{OiJT)m2-ovfpp1Z++@@yEUoR
zHstcR-Tg$*S7>&Vz`vJ2e#Nr;39Yy7oBeG0n*9dWBIJI6A<+JqK_wl3HaRUgunq`p
z^MSQH6qnNguzwDPUQ`Ck4xThg`Xc~_O)kPnK_SGLNqQ++u46pMJtvzfmTuuo4QHlQ
zwM8HGc(wJLTSVMR(Zqs}shtkiG}lijIBtrc%3_n9>R?k`>agp3b|*W5mu2-PXGHfV
z*T`C(opvWGaa;D=KeUxz+L;^7A6)7im0t4L-DjfNqh{IzBA%?R&J9HTCAehLxb^Un
z^z1~fUA601?C}P_kd2uZ{YX;597X#%G+Mb>+E^ZK_O3XFx`nP(?OoB6ygbEZZc>Gs
zU>vCb*(N`DKX$5n#Adu`lV{i0QF2j#p^c_pm&IPXhO%`Q#~I(zg9H^d@%`vbwD`UR
z)adGbDozTZns*;n$=yMQe&m4NU_4(ceOnNCkx(8%!r!^1lxne_SZ0g5YO0Z3ZISp4
zB_p;l(@#3XZ%fdwE!%=z`qN+|`VSv7hl$Du_Z{AqSCr{5e2GYH%%8PwCMs*%!XN<u
zXI;9!K5m_Rxb5QpfIbSyz3MyG=1`ap(5x>LQa|Iu+8x2ZoNGDnwrI9LIW5(zRU0kW
zW4nn%)_B0?-})TZ>U*;AlF&Gs(Ab-4jXhg9t$$LC;P`aC!gA#Gooeqs;_)`mOdOPF
zDuSL{25N72GRL%o3NfJKcr?G@e!j9nT6iD}7{b8RQVpnsSrwo;eDTleO~jx1t<KX`
z4^OO{0(g(V!p{WX&A$9F0v6_q)<eBvvRmb>AM^A;L$sHABC8RpdxXPuce<N00h@bD
zNS;oNctyoBCZUU&{L<g@54#6n6<%sSSQXs$JlA$@v$A)b6$#i9(XBTLI^XT#@V9gl
zb!;Nq_wK@1%aQDQE2?Z@9E}o>D`2}B#|KuRD-aNLe*7y+zQe){*MsM+<nMX491A%w
z?g0PW>ifJ5AVsiSBLH~>$RAU}Z6-VB`Iz^|7-kv#!#j`i3BGhxxtw6U3J(vT7#>f`
z<CUY8=}+60UL8~`P_#MZ{hnv#jOBXK=#DQ)!)?1=S|7Q1{te2lf98_#zPy6JJ3dCH
z^b3p33LyWG-vSl-5O@Iu#gxAgdUhwfJx#a9vOB&DoazDJq!w=`!n!RzM(tMLVeQYu
zVUeNp%$1KnJWRgt{(3uO_KtR;Q@U~9V>~9~)@RK|IZx{od0ohW`Akg6;|1YJp6&-U
zLWKI~K(UhQk4MMDb2;6&;rL{-c@Ijia#XKTs`H3htDLn+E&uf#tC5yw`z6Mr<oc<Q
z$3}fI)u~W9ug#!res@Anc|{0?|Btb|A81toIGgVa<!mW1#MYw8SP1$wC>vLw{5F!f
z&P|ISx%X(lr5q{NHs`pFW&3{AJ9g}5u1rt11ce<g8`T8laO_jDMhWwPPE^7&nj(-`
z6Xmp*fvJEcQ^S@|5GI9}@JE|tX86-9zw!4DO-sqg{O8u0KFYSkZ>c_)_2mi<;~y{V
zm=baM)|VRB8I`q%(u3_EHD9pPs9?A3PQZK`Zma?xS~S)jS0@h$YZRkaAsnEr(Ds0<
zGh-s5r=g0O_myHo(P%V~ebgr>+}CtGQ8aPfnZJZE?o2wi>5h$=yt+q$H?Me0TZ+=K
z(e2Tgc9~G^qWING6tgMQots#c`P~mV#o%t-(8sv@2rqyO{Rhc6Y+?abc7x`7Lrl%(
zRj`S7Hu+Cl8rACj{a#Usw|+@pA!@u>X!a~yU*8z7@ur6jS7GGI#>@jN_b5lQDr3El
z-v;TVY<{662e9}~$wNhi|M8U4>AUUm{`!!1qTg}$&5|06dXx=u4H91a#}{L;c?MbB
ztwlfZ?09X%fc4W9e#eY$mm~9!I8y;_!*<_b#P@9(U*R(x(tK!hDL~%mz&C<XZUD}F
zRPKL<p#PS^gx}Bm$Xmbl>eA=n84a~Iidw!R6BY@7ENTRCLt|tngK?Wjdh>M28{fS?
zet)YS%PkL@&em39eg|fB-<ikx$O}CRfq8e}lBe?k?dG*)1UX^uZ%*qMC}!YqS?a2A
z1;LFGF~1%2NEueHVA}0_yIYhev(ItTQlpdK5mb_t9Uf>7oUY{?;}FCA%S60NfRd5T
zx5dRo@Yj?;z-u?pZFNfbaC@5Yi>9u;d(g&swOq|zwmiwA*y504H{Zi)F+(BuSO@(&
zCNhQ(FSRMngKvS&Yrt6i)Km#6`HrNPh4y0B2k5ERD>S5Q|7lhxh_6IjA;e=7ygW2u
z-~4oeG!O<rdwEhN{EJ1;R8XAm7fvx(I;?B0J~lL7<}j!~u=JOnbqsno>OPWV$-=b%
zaIVdm=i(+YtUx>I+zlSyN+g8hAr8k)lnogb98%8q4@Ak`7D3$!ED9y}%Rc*i-}{=5
zLT%j}oiXh*bt2ghYsY6)FHjslND%Y${v`?=G-EUTVR)p5Dn%`cI2dX8CT$djv=@9)
zEnb`Y4nJcH`cltWehXL$yY1i-@p!wD$~X%_s2$(?tLwELBz`9VfdD&4mkm6eh<k`f
zk6>dq#=G~e{hw%NBsBMrj#+i9Wt$E+^JS}YE`vkq&&o&r^<1q6UM-OsJ*4Ce+Fu>&
z(%+nr>r%^ykYtVP@&@v<+?ykYM<t!ru>=T;R~$P%9Br~S^h%a{1xi;})Z$dQ&tT&&
zmiZE2m3LKBLLMf4PRnL16VBBt*RfH4Xfa;|`;AYR=l2ymmfcWD<(HGUGcim#jGF@D
z41xv%Paf$%2R0(GrOWjfDwgHZ*7QV&VwN`=aL^cw(KVW$kcmP(sJefG2N9(3+S8KU
zw|6r2DA=!ofoI6)<sJ|;d{Iih_X$ihNi8<?3lMf*cJgeR>kY?EZ3kr%TCDYvI8mR&
zFCN6(RJgIQ?1uvih3tm3K9QtUeYumf;+Mw~#KR>6>F$kplxv>uiEF}y^o==ufwAbL
zzVfUG-nzp_7PJ?@Gghtttc!z?cuusbdS{8X;bOKXkF8suY*~W>JG+JoeLsJzH<i$B
zd(u+jLa)0GRjh9X`LLrCQ%mS2aGm$xK(DB;=VlTO1Ix9z@NP{sQ<Y0l&X+1l92}i!
z9_6@6Qhb&_XuDt&&{sV+=~#lNi1rAC_sCJ%XaeAzbW+I{TziZ#*qxxmQHuGnyQ~^?
zr1LvL?U&Cfx}M{Rtvpwh@;+E$;wex$k}9Vy3T|I=&|i#^A%8@Zgqs7{4k4GobAqRD
zB%&3cUq>z=fPDVbPy35Mr`Ai=&<_ldKK*ym9%K_|)RSDf(p}%EB>ZAn<cg_OOFSIB
znp7P5o}qJLfL?b9H!1Q>;C2ZHb`tziFqE7;+-lx#>*Ws_J7#Hu{B9m93|e%B4?OLf
z|2+7<PyfrZ+%sEr`-y5@xVKvS41=2(bdG)Gx`lib7=FRfE{#8$kj}*M&>&aOy&}=t
zFcX8<Zd7r?bM3M3VJ4{<>tatrTq^$);!GCwVj9&NE2Y)xiV7j*m-o=IvT%`!A_H##
zK_G=$U?9#@Gr{p(_Z=qn#_%*z*DpPsI+Gy~pTlk7j>nOtH(W@zxH!fq(#S*+r!#aF
zF;x2hl9qcTmhK&dLWGBvMLBmbIPf`~UWWzqA9}ct$D12U4XOsi@^y#4LX=YO$3&(J
zlW=^?H)lu|_ALMH6`Q380oL)2|Bcg<I~t+i;R%}PIWz%y+6Y;);7=UP64Z5@LB6f^
zqFFD)-H)}>Zkt>#nLGbGWN)cAra!&c(S^uRQYlWq$+X3yGy1{MN-j<+s_H&_^J|y@
z+)YwXtwjXAPO7sjF*It$l5#h#!7L%S9}m~ZxNS}FRmSm&_FT$az8W)rV>ecAmx64%
z&a7Iir@4C7FWeYRVLk=gbMoe}pdUeEkkNja^#wv8Y9NON1BXikq(JaZmbVOJncdf%
zI7mhhQh04y*GJ2-)>Bx61KBFAruDjxJ8pk51rb<z9&H{xEr1m!-HF&l#T3p5r$;<?
z0cgd=A+YDcSowBGPrRWd7V*9ZEV2T@FIiO^<nMSbPX|#A<jzBZ4KKyuI)UeNe=;k#
zUelPsgc~BYh5R>*W5xj^VubkLR7}qL$$+}yJw+im>Cmn)ifC*F_UsHv#)%lxk6x-*
zqXz<pjj0zHeUdk1v(0c{I|62%yx*q<u_78}RtfCu;ilz>bCkwll__G(;R<78@LJbw
zXH-w@mZM3>o_9>@+rHG+l(UtveE9^6+1Ur!1I7Jryn(|-C^5&{V0Hm^DofY1BgWX6
zs*<qPs>n87cwzsneUxmH&SBymeIC98He66GXBf#geVRi9Cm}3aWwETfHT5mw)_X%p
zyWtrx@s5E``Sz3G{8}Rf2A)DZ_P#!WI8)+232Ho8laDfL`PgEwGiEoMS5&IoB2;Qu
zeGl>;c7k!oV&@x`v^ijTV>4~xE5LFk45=gp%S-hd)bx1mu%VC)H2azNn&e&!cq*gV
zUvnnw9O5SU>|UBPjlz=<JzC|__T$wT>+W$zAb+FA*CnM5&j)Bl)?fRnz6`2Wz9=Uv
z?Z`hDl|Ig34wtLzdmn6V`cbk=t5zr*j#qotgt2h)LB3<gvluG}Hy;`8I}-0RV^KbT
zEyp|o5)*^(-JsVDpJhNkvtv3OQy0M9d1x|}*tff49_3Z#rZZ~cSXRkdBYO)%!EQ`H
z?z#{<XXt8FfNY`6)+K2SW^+0k*@>79ttwCj<F&4ZQQY*Jno!%(V!D>I!$)+a+Vdvc
z6xuq;yhuUSmOb6yjzUnJ3N8!5@NK~sS#5wf7k09!*SrbF+!$|>Db_49dzzS6Slk}0
zl)CWSEvkgrsMDED*h5ji)ktK)D+wvc1e)kuui>)PeWzD-^9vwVZUME=0;Fz)$;)4p
zvO<67IH`4)&A>uS%_8?DEP|LXPvy#AuY=e=x}}UERVh`7?Z;fW1m)wP!F+|DO1w|c
z$txydfWMmIPn8G&!_73i(BY<}{a#QQAxAfl${k+%Oefk{Ax-A>$OO0D&fF;Zly^2A
zm!i7W3%l*laXS5u=wdov-In|K0-etP8Po*?UUD(qFQ<+-`A<%kjTa_rGZ)rIN?cBM
zEl;+Zwif^h$mMdXZg*tNxJTQ%zZ0c|++S$aVTy8fsF45uqOt#p6o$x2p268_N|m5c
zy3T6?rqY3qtMUq78#?#3w(^Rbi><Ura`Tb_M#kt{jSBDtO053!<k%Yrzs-r-x9jV`
z$$2z3CbfQgItotU<tdAx>r!c&c)-l6Q$mL0_gK1EVU;KO=5E{q!0Ov_6GA?~6V?3@
zj}W5zLW<IC>M7B2zp$yU!dEGB#Y7DZJ*;ZqlU=#;sRmlR(b8C6UG6cps#FQ%G!Z6{
zC2AlQ_g0J~6=jB>E%A%}I6FIUKIf6Ok-V!wWFt0;MEB+16gI;qH}oDoA@*2WIeez$
zeXt^f20FV#do%vPDWQ$^m4#PvF7qABF1?Mdkstyn%=D$!_CNkmMkktDXHlfaZ8j`B
zFnVNW3KGI^Yv>_$AiLB!{ro3F)2hnPM&Q#ecE-@ie_n9s)UC0Kq5k~33;0E>C#6mN
z8Um3N!t5c~<ncGoj(S@Cd=`g`hL~U6QM+X~S`imc#1qULvi7`0yNtfcb5l*UxAM!;
z3(dWpio0=yW$Ps-5BRpkM7-u-`0js~+5H}LquOy>tmJ_kbt(N5*7r`osk`F%D@fE?
zgc-0XEfpk8#DGt+kZTsl4EN6hjUXY|WU;%J-D`K=DSV&tJDOG-pFnFeIB|&`Yn+rh
z_*GJ4ZCQ9Q{62lsv-7>fWKQc=j(2a}7wvr8J4BpLvt=AaM|(x;g?TGI75Cm~bE1C^
zBOGXKWmXv9T}-e!?MVFE;JR#a)Nfercjhtv#L&3W&%IQ#3!mF%f8~c7@2=?o5tX)!
zL!Ot4w||WwTh4ru+XX_+oB96FQPoP6$*S5SbJnW@eu|AZ+tk=kRXzw4Zq%wUq*1Zx
z&SUX}IY*K4NTcEqlYVO`$gtQB8ObvJ^md)aYj<Iy!0TJ%*^{t?ca2IU{M{htWXb$`
z{t`33!G|kN2ZTFCeR^n;@LY^Hp^?;e?z7z$`D_b%#*WfP-j~7`cehMWKBwbV1a)Ow
zf3?S^o^F$EE$O?hUA4`(1`XBCJS&DHA6-N;Fh-}{nNNi?9^bk>T45}{cIwS(GkCB6
z+ukCFN&wS(De4kXsFvF^E!}j#K{5qk6et)8wFMwK$OPDyqcBPjpu(!ocK*~9GSEm*
z_SL;|EtphB552#`L)}J?b!MRUc7zDV#>7n>=v&NAFmzje8-9qFIF%Z-=y6+jl|E!F
z|7;Q<wf*@cNB#Y_wc7*woW>cwnZ^g45|P{QY6-`R6Gjhe?Hjl~XZq5`Rdxv(ab2DW
zDT7epYcXDp4RBl(OBheC{p@>GJ3+PL9nl{o!aM2M<$idczjGL4XO{>U^xV#9+08!C
zSpi$_bEr{;afhWli)tx=joIbYZFM}ikSjACcDt%=Yoykv4yMAtCgKx!n16U+dEvQu
z)|0WIwK1Y?3Ep?*Uj`m`#Xuo^S8Db?SbUxH&Yzgh7VY@=s^m5n3B6@^)#^bX3BSen
z9I0xj4<9SVvu#g`6Jq)7wD{N|gt?C=>R%n)$>w7(&zc#&K;3_1J5o|Ym~<15ttzE7
ztaROOeYDKf5WFV3VOQfr;m5`T`7jXe6%lvL!|fM5oV@n_8Cje*C-}M&rq3(Hr}e;t
zsp-3WDt06b^p!R;#RYwJmIhKeT$g)efErxPbQC`I0imO1=eO+0{-QMtFPEiQih%P+
zBRix~b{%hH)T-mf+ti3jmaM;u$9ZX~f4SUlySi|+FAP360?V+RdJ!7E{M`#e3=`6h
z`k@4hy%zFxT{r&d_rB2~`?aw$Yeg|nd5iE`sx`aOFK<b?FyWfFH$zlm3Fs__Ql-3U
zfy6Q$c90|WG`G!PItQk=NT>Cg8dn2R`1Ej1st>qjs&cC_mB%iz7bKc!WFk9!&Cs@c
zQ+V_-#4g;>cvi&YQKK*UXm4Bqe`nQLg8SOd<Ww|yTYEHc&kl!DoK)2NFuw8NVrau9
zr=UcuG(I^d27a0u3c^xy700W0XU;y6rm8HyqW&V&*^Yce1N(c`kBy6W8-BF{5W*jo
zPyB`tYQKBuHLJ_SP*-#wzq*~CqCDw^sPOQ^V~Pi#Y42Qn$vjZt7EuX%ZgA2h>s0Tk
z4^iC>&iXmgWE}-^GHh$;G7nUC+kzC{_%RB)EZuS^X8TfSKWd;=Zcrpunhn)`mvoSj
zixv>D$VedWGxYfERPUYBBgP@gh;%L<wT(iOQ}D#Gg(DTDlM*;4<Rvri4MdDuhqllk
zGgMOuo5l|=5vP}nm4ur-Cbc{#cQSEB|NWIm$@jfp_tqYAp)WBSHom(>!X=WFtry93
zKDD>o$N%#&kx$lxuVI8LqYghPR|g9*-O!dlQ#$P~$R*#mEbgt$ASLYm4RVk@FS_EM
z5!p`N1Bj7?_!qpurstV{M<cr4bAzDU;C1#DcYH>spjU5nk1|B_j4n>UEEDxZRnmp%
z)ajLDiFm9!Y{ow;ypadCZk|_qEDj_bC<pHH22do9I!tt?I_RzI(bN5UpBfy;pcpR~
zH$U2&eBZoL#Q1G=tl&#wMq=39U29S3B^xLa{iJVxhVa|1Aw6Q}s(N+aLp2AVs&;at
zM5t5WzdZWgGuNq*z}N44lCSvgQWa|<66LH*_3(Dixr_aHv+mkRk)2y3j@VA1{m&MK
zt%hat+`WC~hP|KuEVrrYJM)kZ_r2ym6I$*LGa0=so@xZed=_-%6IHO^IAO}&*XDc;
zqnY30Z8$lf{4^3-XsJ0s;pge9-?TD&{R6ro{EYfbM4VvFa>vt&k91*lDj6bNt&S5U
zx64GGQTO?MZmd}Kr7E07k}0yJyPW*+gpQAmy(=0r3wJ244N=V|#Q1vL`f~>Cc-`x`
ziq}A=!2^ZsQtYu-I}XY4)<lyGNY1WK5{C%?Hvbygb&T_+JC;u2iGCy8Kn*gez!NC!
z=|VkIf?WI^mqIGb0b@^eIEc6{z6qj~nbpB_QU?Q~^%#Wgtm*|{r$`5x<wBl;Y!@!=
z5GC$2P%p&Yxd%#ma63B$p)(FJj3g7@+JD#Gd(_QRA=^Pq9<m|z;Ba%A!Tf7@OdGjl
zi^=zgU8x+IgxOEuTh%gaS`2K7W|VCoemu!!rgUBIbM+xwiUN;8`5Ka2UZGi{CDmdV
zaL{v!aqsID@Hb8aF#R9?kDBy%w1w^r!*atW@;+g!=3x+q7wI;=C+d2f^0~3r&a&#@
z@%kf*@bA3OXFvIGjax6CH#k1eg#C`$oT!UiV$)|P&mW(2n68$h52xTz|5Z=aG|n7g
zB?HjDn)EUwKw%UaQO!%ht>sQcJ1_%_$%Poi>D$G8C3Nabz0%9z^+y=zz{<t4x!&b_
z?#fu)u(vFC2|*!EiLk+Sf*0dzGJ1nyoM3aFJu<(AIF0ORKa8mu^&8(|@|1ApU%2I5
zgkTrr-FkGaJliu=xR~(9=>Glfr@!aBeh-Mh0d+!>RGL?-K%!;0Pw`ra0IA-$G`a}e
zMQIYiS16bJ1=RxI4+ABWow4TD&p`guUN21)WS?yc9~?^cD3Ijpd_5AdC2npTxsYE6
zJoc7#nSCob#49(_;<~_X64<_xT$86iR(?$=fkivf6SalpBDMK-U=M`lO+|Dfn_hkM
zYtNy!Ck~Y2-WxY(P};lEra*n}8(H8}k|0h%4dVv40wQyT8`^$zl%^r%7CC-rkzU47
zqmrFhjS>l)Im6=%6zVc1FCUNX>;P&m3)MO!!`1I4+PAiMxgj%Pi+5X5CI2qc1HodX
z-ci0n=BA>481py{=hx<pqe7XGds=1^5gr=Mr1$M3Znw^FNd3cm@$W&NE=)@VS#e<P
zgvJ)YNZ<147Q>mgd5TMREum4+Mz=LqSF9NtYhcpU${%`BXvS-3;@=Z636u=yulq1D
z)Oc1H=}w4y6H*L9HMLsqjztEz`7FNQaGjuHWZSXo(W>?x=gv33MOTlPD=iOFgAbFR
zRiQ!IzSZb^g6haE@8-1|XNTJiBX+~8qKfl-Re<3Xgqgz$zyRhcGND1QmEkrdg5-Yu
z!TKmk52x<}8q>iSk}pd#X118`>RPF5L8YVi`7J6TkWHH9;$;O}{_$fkHChL#!82-+
z&%mqTxG+jzh`ZfLY?*%DOUDnK6};cPAv$#Haweo`PpQB>6GzEBdRlaZSnWJEM>UCg
zZ3z-<b)X=O1IVD<FZZBn@cex#Lk$AEf%^`2P&{IBRBrenO54vQBoY9i_m+x7<a~oc
znrTpDwA9Gqu?O{ENu5-RSF6C6l)WO34Y~x=+pnM^LP#XFYG0$U)j&o|u*KdsZ?RSh
z^TkiE<)4l_7@$V~c(5|2RKJe>7K>Mn<Zt}XmcvP0Gpzl^Xox2w&?-M@w*(AlzriDl
zI4VIHNi#^@Z#Xi0jV-pwS%XHC_nPq@oB4^_PV2dnz*H=H8B4}eQ#1K9iM8C-z;TO9
z>3s=vf*&_m^FImNNKB0iHBFE0na$&7W~HYK$6RtroZ0eJcws8gl>1Mp?Z!&EgeDDr
zj%2&znIigQ7WM&W@*Foqr{L(HrQuk`>mY}h@U41Hf&Jur!#!3roB&_R7X(aNyoYg5
z36Tk*dbN+KSQ0CoOs(7tNV(nK#+RrXr3Z#WgY*Hrr=NX@LVF5NQ_?(5M7Z9wnPC5Q
zqJoSax6EfZeOWY08J`E=y0l(9j|^OgY)-yUkisNvXpMY>*?c--xBH>K$|$&f0<8l;
z9~h;HXJC}}aG8+qdx!`cJJ?N5&5JiTwj0;k$B(`vH*B|_nSGr#1OT0t?`5gI;c2To
zrE5xc4qvh5;_gRy2jRtR!?Qn^G)RFEK#716LWMZGCYWxk!@5iT$>t)`4C{|ZBFbd6
zTq$vtgFH`hqR~gSah1eV^o`x^#<E*hZDKQn!Ogs^#8e~<V0HDev2f5&U|>1q#_7SE
zSGVa`i2d803#;!JO;?-y3{S(5aponV4+-vxy2LkIZ^oFP#t1l5kDG1MCGzU34XM+K
z_W^d<XmNhzgYRXGB^}eX*F=W$C7hT}A|&bRX0c%^JWiSP*mPsP&1J{TX%1ZRk=(+9
z?_b$A{^W<|?}yglIq3olJ?)B7FeETX2yC9<niTXS6{q#6{pv)%f<U60Sww!1SUjnq
zD>EMEgCveh+t2bg-<umwUR`p0O0Kc)8X6G!mFg>};Rgg^Z7dY6@875%*zF*!^-+b~
zU@X2@_xCw7y^8~TGx$07UnL<2Awl6*Pm@^_V^)zzxhsP$mDRAyVE%KMwe&-a>=vLB
zHWg$csBj&e6`F@geh0V1gYJBV7E@_%WUEJQ{(h^YH8O$LuEdZJn7;0ZrOi6WFJ~FP
zIaw?+Yc8aF-n6|ZNR<jCqO+qoHtq>nrCZ6p-`9%j9*YxbPRwtQJBjGyDCqD$T4m$2
z8;e|ZFp_D<3rgj8lwS&05#WBK9Ot$&{3zwVU4eRMhwWQ1EeT8oz5n2<Od8wc8umJI
zv@23FmfChn#9Us)dw(+a6u-a>A~Ya;+SPbtrPQ4v`e&pkDt3IgX2~&|!>%SMZbqA-
zP>~wLu{f6FasUwpU`?7qAP(;Yp=k+mMu~F-Ighjv$D^qczND$25ce|SzV}bY*A!kn
zkU&*<`TCAuvannU0DZ_t2;shjqpePwE-j+q&PG-e?CiaR<@b+Luchv^It8~LWyG@?
zv-@IJ$5ud354YIV=~aGf_Sex*78)BDJ*rtM<M_=3F@?ia@7vyeNGT0=lWTAX0L<Vr
zKSy})=z|W?{#MhRu}=0KVb4wG2x5LUM(T%LQYMGJx`Tb-$$2M_rwbyQ#|vsR(L1MU
z!2RSOYFHt4VE-CXo>Tm(Ve6UnEcK~@G+@Q29p8(TQA3QDvZgx%xK3)b-#$E7Yi0FJ
zN&tFchKyHs{%h1WEr%=B->9viO1K5Z<OxF@L)@fx01RS4*&{^Tu=q6Ky;cMntP2R}
ziWjVzOO7?Fzs6;BrMwy#G6qkyVvU*da=AKSxuTve279ROl}s8G2-ou+9dZZ-@j@l5
zQ-PxgB)LA-WzDl3Z2nX!9($YpH2y_l80;mt<>G9%MB|Hf@3d(jw>REc#PzM%m>`4*
z9YFe*S%&kg-2p;2QTyg4=H02ol%D}iM$PqZt20XE{>P?m>d^tAkPGjl7yu;+5eU=$
z1P>!YcEbEixD}oBeR+`QQY$8f{!$106JryxxeiI+vT!=~ldet`)ife|-_y-(^~;kk
z(<7H|A8f?@leR7QAujLuS*x#Y^DPwXhv5fHwQS^$5F}){3iC3)L5-*z%-#>;G4^NT
zXgeNssQBG;g-O6{AUol?LfPO_<JompvZI~_5jSX{R$1yJTv=@ut}yvfm}eLgsn$O6
zJnRNC10W_?)MbDM1*(iufL|J67iWvx*DG4+GbyfmNBG<_n;*q}+0~kSAIoX_a9W+}
zk`q&-Ttg0CkzLX}&@1;ypV-xE@^HDjI9k6W@ST|ji0}9yZc-H3jFY!N@~(a5tf+Pn
zMADl1z7Rw9A+TBF#gR)Lb;xrWVJ4SquNJ}xC*qS2#wIE@Uonk1`CuWJe~?<1?=dZ8
zYWU`JFFZ?XW!NRp0eI*=680F82&S&IK6+B5m0zp^UP9G(K02nU_uig~qxsluC64R)
zZ-`73d4k$!g?pKW>gY?I$?AG7<MOXtPK(vmxubC4N2_uruN2<Hu_*r#hLD(ZCe`DH
z<;7IT)*u>eNQItpy4`4V!$SY3OPI6C-eOU{5eK_W6xp8T)(85Fc?AwBLt_=)GbqT@
z!!r)fcYgUo(}1>IXlCL;6!&IB+l4P~cD_JsMZJ5=3gqka<c8>XB?}Zk+_DbGfl5b_
z(rsfc+L?TaZyY9Zlr^`*VL$7q1SxwsP~<JaGSw^`M|@<Td>u_91w})#1AKM56WPfI
zN&P7dYQ6bvzEx&}iqMB`f`u!bAb2*aLdWx+6O==>{NV|ZL;d&mA5=cd{sbp&SE)!&
z!xT&ugD~V9B8T}_BRhxmM;k>bE=sXZs^nOSu`wu^kOCA0zg(7S%W1XqFX=e7UD`J;
zi#=emQ+NyLZTG_lkp>GipthA@YR|(IY_EBDirJekD%0q;RT@D3+Cufcf$sV%X?J*d
z_gYf&o)Jc=UX_}jj*qmn0F7#n1$vQTVR@xYG*3oB-@_Z7?_S47MZ$G?DKXde0XdeR
zU4^K0<tx1LO{kgdy33>|2@?IE)jv%IkD6TOaI{euDyI)ps`))+HK?x~E;UqmeV3&`
z<(uSMBbe0KD_x`@VW5Q@Y48{jx@ESky>pIc;llJ&GuFp%BYTTIz*il`1^EQ*01U-s
zUft8f)n5Y(hW$dI8myKpja79tKM!j0xS7b%X84x+VTE2hph!VFDE`NDH@z-btrt!Q
z#J_rzJEC$#(>o9s>D8ua6lrOK=#%JNGJIHh_ULCoRAVc^hP*Z0XoRMTc)1kmZ4Ruj
z&xKHo(%H|u!Eu$JvJ^vLxM1ziVCHCll=Iz63T+4R_bH$Jkk6iEb!!$^M!h;4?k>gU
z5_^b>eJ@K<g#M=5gm<;+=kA2XlZOMTY4i<J@SY4}0#L&51;jqy>UTkiG?Zp%NJYFW
z>?KCmVvqJSqW&aG=<ZS<%N=ITc#zwZ2Q`G}NkLRX=*=3(D1ttRrOH%xWF;2|m9Ix@
zHCxS408sALXalaV37`sboo9tkfz!B9!0w8utj}h(FTA>)Z~W6AyT4N-2;;|D65I_0
zcsh$L2>}(JATQS?*=1!B=Yg<l&G%bq)fE-bRKzzw@0JqL14%S}W<>-w13>}-CblC&
z`DCTQR@EFkfm@KHr_=hnP-Y-Qt-zj0E`>F@V)sy@dZf%R%VT?DF+?MwugdieJHUDr
z4;Ljw#I!$y8@n`;Twr?uW8qFQ+;9ehU@n#4A@<aLy`dRn=q9ylwT2u#^w?dqt3YuP
zT7FFFWOC(S1Wp2KObUfrm9}xhpryRRt5~`|l~D$wL8M)|Y&mrsFkAUIA+v~cb6f`-
zcrs1L&Akhp{MQVSBK7>(!BMgYmY^J63JPNQH^PJ%I3Lf#i1<CyTyJx$%R+GI6__o1
z;;YK5s$&^cGNPBvD*wh%+5_Ug*a*_!6lYHl*41*JIt#j<D)dqFi%%7ni7IZiC~idL
zUhQRGC1qA-6SY37j)y0aC2EHF*?e%ycdwdSe<T^U34ya&VI^q~R~vh_^3vBrAcp(n
zopUblTkW4Wlh=~xpW}#_h(0Kd)hITQ1E;;z8ec3*$h>i1j8K*T0@Rgsl|}&^4>*X$
zB#bfBpc=e#AKU*y`)x4EjLI5Dgpg)qHuJlIB#$67@clk$22o3e$!glU&S{qh2=3$E
zbM(X7FkD|ZA+^OMU^mbKArXDW8^&^vEJ+3cwZo;Hg}Z~>b};B4DP>cw@E{wnwp94`
zi|C$M(8lN`Y{YgndTo?uQE(sk@kq|gQk~X^Q6_%mi?@k*qz#SvY)9jpwi<huiERs1
zZpijE;wH4g4Nl37#WghEB&i+LDDr$)xn1Vwr9N@<@TY4qsmu3G)aGlYPr!{;YU*3$
zWWyG3&F(i$EI^%bQ<4PanFL%^OK<9_H7S$H#ZbQ#j~%5|Acmz7yylDmuzw3TFFEY%
zP!<OwLTog^Jem4qv`kxjZM1@;sFdNA^IN7$P^T#}+g$DdpjkLD<;irTTA{zF7bxQ#
zV9b1b3?8VZr!zPRf0u;TBDD^}KhGgd60wN|U@!htelJZM<TIR+Q!HZHPtsU)nrp-I
zU)RQFm->=v(uLg*?M^3_4QsT@K+)~{SMnh-!gM$Q%k?01ngHxifkv#zwHWzwe5><x
zOy>4_y-ntZQc3b4B9-_3r5!au8W-CUfBAATgKIZ*@W{Tg+%;%Zcxz*w<v;>wH7)pk
z)zEdh_6g{Sx~|_M_U9cUA&dUv3*?ZdJeAjhzE6+$&GGMFc4@D?vOVp8KDgVP>1bpo
z*3IaDekEyW+y_vykLEkXx~I-GY!D6$LYZFA?iPN%*IvPJsgdE~#*DeD)}`WNHt+~~
zw94{QG*z(Op~Ryl93=ctG#DtU(d8*^s`J1ppY}d@Mm&&J4>BgNn}}#|o%8??hjMyD
z5U2br<fq?J`f$-B^+<BzC1+aJ?H90_X0QAMeFr$=)y+(33GLDBa%MoH-spk5$<-yU
zwOKs|WW2^QPRl{Br=+5#;Gux@R}fjO?8c_i19ivCL|}?A<G6%DHP-#IqU&6pKu{uk
zIQunqvg{kG;eO9<CruP1X}<Wwn$%JdBF4~U`maU3@Qb$mJ^vXL^2#iH=g}!F)|FlZ
zytK2mCiDp~?QSKg;t2g|65S4v-0~NV2MYimh-$gGt$|M~OSviR5icD<azgSjXroQ^
zsEoJr{v9!Z(u91+eWng^taV^v`)R*8?AGfF`jfKsIgjy>;qI0fbf6lsVJ{?RfnFYb
zYbtTFyZ>fRCz9_Y?T*Fe`Cx;Bb(e7#EJ@2Ec?H^^F3b=?!W$0?2$DzlD{PpfMP;y8
zhZ}0(ZsgFd;ajPw(JAg!%mHv@vvy0@-D}wofmpYmtEKSUbZ5X&M?o*^-NAARpBp?w
z48UHq%ME=|TFAX|b00lL_6ELy*Qo|<*;(!XV?MG%16!=+daU{^K=K6cC@7;Z^u@_|
zAFi@_0Y%b`SMR@>!s|F{@ZNrALkX#LEd{p3n!LC<)3Uf~o#E_&)uyO;qmv_nUL^r|
zbVUYaX4iR3So?z@AU?9GT8`bIG)<P4P^5vkGG6j#xau%(Zbvz*rB?1J2L-bQGcdvM
z_R6=ST;AH0719qtv@m8OW6%WXfEX~zE&YL4-443+JMGSsi{pKj$oY#}wMdPQNZ_fe
zL9kQ#C&)Gy5p%9ggv(Q{0`&)3@T#%Xx29MDXR|vWzq6wf!zL2K1F_&9tjQy}>pDMh
zP0$rHg_LIAZ{3^YRG~C(_2qW^!RaM3{cDM?P)>Spxi3zcOvo0W&Gd^DrT%Cs_tPIf
zv26P9>u>!s08J{m6gU2dOM<Kd_1OABWhmqs1H|-cwOCjqLo~G%1`&u`MfNsow%9)Q
zR$-6=aR2)08fzxm73=8UQ+09VGwiH68kueuDWmTkPjP4pkQb=L6liwf4e7oF2y3)c
z)eaJ)dDcf;AOq+^!IG4E8v2Ol^W_9a2tTCld^c==Wz-Oy{cZT>6bD|oSIQ@_G&Kgx
z#SI~G7o{xZfDRo>Ll&7SgjfnNa=PylteT6i27eL>`V%}Sy-AWL>PzO+Kh+x>JID+e
zWwd>WC7I<jK(1Ede*sfIxDezG^u5AEf+2&MVGso2BIc(0VD`A`7k8GiF&s6FF^Bv7
zIi#iRYsXlr;UvIbGM7V)GsM_#oF2Ua=kl{V<1!2Tw<>i8o59ke`A6Oq<bMp%H>7!<
z>tqD@QHKuq1%q!9cT8i{6|Gz;{0YrY8FIW(0dHeJj2>79T*Q7N4N@NUSBXfy&&5DR
z$eoS60AW_A#+3o{bB6wMLumDL%AL&y$HkUxiSee6O0yd4SHvhSE+^HuNKP|)lei=z
z0z*II1!auJ-B}+lS?@HUR|c-||4M66;z}c*$(iO#N5&codj>meCc3Db^!~tEs2wx*
zbVXmnR-J9Xya4D6&|v@}{a{m!d5c^~vRnIYmUmJ{2gvH*_V`~lSTsq7%8gGrmK!Tv
zF8e>KR%Vv?BB1!Rp&T)z1sy0E%vq0ytwI_-`ci<E0YS1A!&=-1y;3qON9%qph_*zO
zK-;9gGd<)9&<idKiC&0Y0H>;nl|^1Sg)nG}5w$b%xRhg3O5x@9{NO8>dcQ0nc9c^6
z%=!1>f%|+1I#v!{M-r60{>nd@Cm_S3J58`a-S<QYG~p$t{|`(tG8vR!C5;j9*O#6X
zOhPxbH}`V!7<DSMdQ*fMQaqn_*#!{|752RNjmN9k!Y+xnZaokqvBY6OiGG{@mg(J^
zVDRplk_?Mncq^Icy7VwY5TCL;?JX%K-{X2fubf2rhTU*igd7su1p9*^ai-`Dtwd8y
z7m=cul<egH>3cizK&M0ZF9=V1y2h_@khC)pdB_i*tPstWPm71x^Jcu`5<FhZLE0^}
z-2y08S@*9wiFwQ(lO{ZipYEQAB^4j5$-@K~zGbV+*i4iryWX}Hxs62`5hk<p1w?4v
z1@W|h%6D~;fb-uWitkfkL#5(cClVu*dL8ZuQVNN(TOtj=gu?eevEtf@-uGY2>vGu*
z<M`Oj-Sd)~Q`99`<mh}aThX*b2VgMbV`zCn@RH|+j7|Yp-AKrHP^|jWnA8iE69%FJ
z3e28%?BfK9Xzf{Nk3i?YNwm+fdauP7?XEIpuHaP;<n|^}J@>75dAWUbBL{h54>M>#
z0giQ+BtnBA$nl^g>M6anQ7`P0xrv>Wob^DL&vr^j$aB+7ReGtg+ICSsS<InvW1?Z`
z+=6eQ(zdpE@G9MtcYylc4tNpH($~k(G<X~A3u;$Hm=*{ty>`}R*Sn<G#~ecsL}vE2
zOuF9{sU5#0Y{mkQ<7BM_?K}YSPQ_9dj2qGj$(4>uoTpQGOOn+S^Bu{BC}|ZGNdQ0>
zNj43^NzlQFMtXT%+57I03y#R-xy>Dx3xT6`7E81Qg&5*qs=(C<a4;+^@_zWZIKQQf
zzVD!?TjQTjD<3ag*8Y(I3-ky+sJR8H0$cPNC8Q3aeqilnL5>6Iamk}%4{E5byFs+K
z-A~<191jaiWXpFr^LP+p8BGj1<g+x^=dqUVu3K)^q+!en#eZv9_<nzFdh!i1P;0s#
zv08s64*#ePdQKl;<oJ9Nea)uHI<kY?tMByC=^t*`LL~^OK*xdfKn9;a_Qp?&L6KV?
z$|j>}<7zvrh3ToPamhd?)fhkW!abw!i*$krg8O(s8ZE<mlSTEl%1tP4SCnYwb+T~#
z&r4Q(GV!~K0)i<zS8!-RrB7IZMID7kwQ^RSyC=l>c|I~hZ{bTWGy#y(>C{!RLfBTM
zAY7DI5kEcPk+Qfh_0FxEQt1VApD(PcXWz0e&4DbJRv7o!5|<r{8Tg9!Hc_AaJ_W)v
zy&RE%2k)``W{iLSSMzE&`VV8{WXFr_M(Y8iMKd1JtX^I2p6-znC6%GE6E?%@j>gud
zuEWhqzs*^xU7NwYm@?t_3c#&y)|rXp1AgVl{v5QazakVwd=5k$n@ogpuT)&aT9-t|
z6=VTDe~PIAmwAV+Qyu}mNe2BAtV#UF{->)9DrP&sa>#@{qT$ebdUwz!z{K~8nH40l
z=H_vU5y1}H6uVR3=`XjrXDE-Z$b|NPZ#wR#{(?k_9VP+%^7wDBWK|`&!y(BRbeGkD
z^6Y3!ok#Y0jyI>S+IW>~A+2K4x2#e#<(H_cz4x1+!|H*n_EI6m{VzFs6y!Hb@fK+J
z#5e{OAt8>qY4&dw0Rcr?xu=^PyQ#mg(OgoPcf0p(hQbF%dZ5C(S0tnLHn%w>&?YDT
z)I|O+ll)-=8MNHEiT=>&L5ug{AeF(US#K;|SgB5nd{aI852B#9EsPXLLvs=N8KNP5
zYoMSVhK*o#tyXIT047w%>a_~*#3;1IWBJ2@4(7^F6TPGU&wc<Hqq%4l|1Ww@cC%&z
zHZ9gC&jlt0kk87S1V?XoY*d)K2rzJ3tf(?+XE(dvW)=eaO$t*&rxlJ+D{+ZqMG(Bi
z74TV791i}@Q!rqnu76YB=$+0ZB0{{mc11<gXYD7BZ3&&7vdK0Vo+oEL^mz+5*eIBH
z<8@t^pAt(5+%5b+aaCxKS)DFU-IKW-8Wq#IrGR%^=uAHo^28C<!4ab`sNEO>p1N|r
zcbXz3)hcqaXw0$ahzt1(cVd<&CIPTA>MYcJaA0pkEgcWy_~6z{Q3C8!GN{@Fyqz(_
ze?u|(-j0DyuQt2~xBnofy;;!JVlYqcx`!*i*0t!q{jhAK+xi+n9rpv&@rNAT*ll=Z
zTE0LF@96{yi8d4~oro;-Uo>!^AM{|DA12pWBqo$-e|07(JX126nQFl2dLp8-9A-X8
zA-@-GUq_DaxclHn=fYZSDm#cw+=>XC5s^t?U@int>-OWRo8}9<i!71-cDoi~Wqq}-
zi~W`^uNRi0+xLrx7M^pNFPxw3VfQ`0<Q=l=jb6qSb+pexG>zN9H#*l0?;1G><|n|i
z^D9cc`)v$O?v{>|hZT=?O&i22;7<6BAlP*Vp2)$_m_{c2)`Hv5O!X#Zht-j$x+?7d
zn^^s@LZ&tnlDHN8Z4xvl+xpxaEk_nu#?G(r2!KS}?%b|rRmP`Ov~%_L8A|WtO4Dl4
zAR5s6dAklx<a8ys+Gagb--v5nh8Siw5@){;ht^n6hh7&}fS4QL>Kx96a6g@Gf<s%I
zIGc#npS-_>`E{I1B-{w9$0#+dkw$G34!sC63#uV0^~fFR0PmxGrAfyy4K`#|i)$WH
zm_$O>M)AKqu_h9jB?I;<rDT0Y=p@i{CWd*Wc#T-hnT3+msU4~6Xm%dteU{k`^FTuU
z%KuZKHt5+=l~nr%`n01D>1Yuq5i~@DcmFoJ4;GG1PGRliOo8(Phy7mtW^SX#<qral
zN^-__ZK<~zlsg=<=Bz>LUV+=D+k&Ph581*(S5BS>IFTuL!krLK6};jNfb9uJ(>|SQ
z>#N$N0T{<~&LhJ@B9KG+@1kYvc3WwJbGoX}HSvF@>R<<)7NN#`5tRgfD8D%rq6{J$
z7rpqCzch_N&?`JV?yM`MU%MFhvky}5%Qw2MJ|pWFfIhh$`i?x{3I8*JO9GvGiz?6&
z@l^o(|9~_BzJKJXwD~1%V=W4~=stS$sjc3OrPW&Wdy!&8^=m090U<cLT7RNtM62~=
zi6ni<iT2RQv5l>Eebm{4J%K(OIZur*^m7G}<8wW)-9P>MK?0a*?+#gPhSrn>UG^WR
zeNExbGHUT2Y|&PUQ==wCfo?3R*nw8X%78Y=_osvpL9xu@TQt=S%Ish_Xh(f!sRx}0
z#T!O!oiqeE2Z%E0!j=LEcy`d3v(F~|;TekMsKKGb@6DU-pF1}Fg7kPDn1Pew<b0>L
zus@NngjK&*ZIkkOXe4+Y&f{AT+Tp2k?C0FqKng%DiNoY7W}^Oq1V~ebopedZ&D}Wq
z$#GLmjG#}r`9&ZPgsqGo0HK%o9zaG;HWtu9`=5VSp`9~`GuXN%qyK76N2Du|AX|vO
zq0w?0fQ)mpM*eI)-DuvFr<AJon-N{bI*2}kxT~>t-A$Ql<;R;c11c~org!t}8{l2^
zI(N)=Q-M3%rkUpZM@rhcf++ltAJ}S@u**b}I@>E7(x(XdrGPkI=Z(`Vb&2cxXGF0k
zz^M8WOH=4|(nv?d$L7nwy#LB9*9M763-{yid_WTJe*Z<1=^DG1z@iaPQEudJE6=vH
zI$c-?lI{9oI_PS~L9WaFa{0S=IxfdlWc1fxJqIe0m)R2WJO^GloWN!djpWav7{=3S
zu}$E0oKQ>;{D>=efr^!<AGKww^NQ}Az0z;eqsXwPpyD30M(JZwbo<Ijf*^V<PNU5&
z0#j1Ll=*>h+9|UV+p~ghSWf+LwnbSq;{~0?DZZRfO0T;Qt~fZYh8c;3ELN`COpa9s
zM9xYj`%`Q*5`ku7X6Skhf0V<}N4!6sn`mztcBFsfyDY3cI)J!R<xDlWcID(N7$zk%
z;e{Gy=_N2%TOVbt{N&vj`8p`dPQvfN&CK%uS=#L%^`_5xOMk*z+6_V(-HSD<%?F+k
zT3N|Ma|nM}JN&=)zWO1`XKf#ll@d__2_=*=C_$tIRt1#qPNf8-q?<KB>F!cmS~?d6
zq@-hMPy~dfVW}nFS(eW^=lh=b`yarsz&y`0bI;s$UDuq~%TUfZ8R;Dnd3)GQOJKV{
zxJY)EnMMxOEX=h9zW*ax!3T-wGrwc0UZ~D1K#=B7#g&{WfO`LymxmJ1`Rd={`nT+{
zV#i%<w6;HBPY7mV1oYgD5n?K!v><z1O56xoD=ig9;N&C#fQrBl(c4n9{zsKE&%2L2
z!$J1}<qsAALG0mlz<b+zS!~wNXxSGPe&fk`Bjt?$dki_)D4#_;h`$CebbZSn%G0?^
zlj8Cn<krM6VUp6K<jRV6w~ge5mRiW>Y}>(JkW>UV7Yf3B7)Xx(QTpJ6T;<ec1U*y@
z%!lzTlc^Gz$F@trKwd5#AsM8n`zR=fO*Z}(7ktB?_M5;Z2q`1Mr8qngXo5hAu+{d|
z5kmoj1mRW9TJ`$R?tI6OLs4*Sx~^x$1a<_x8=!LGai-t<wWx+VM|$J?^Tw%|K9lx$
z+;6p?fE}Yo_IVwX0AjU7P9~_q1O~uz9YY*Cdiu>{3r~aSIhtjn*B%h6?_@M2aOkve
zm~;en)d4zzGHA0Iy#}ZA|255eu&~Cbt>{MIoNKA)!boX(G=UNS1wjl9I*y+ypL`RL
zY=g%bJG)kf(rN~5dY~oQMi*oLKY^eIp4V_zy3Mhda-Afp!C;i};HBXbvk=u>U5Ow=
zUH{KdS}yjLy4uH>k{y?Vu+OH;A9zj>Qj1CK(*4W(K&P94K7?hnzM~<lW7bL4D@Oy|
zjq~xRCX9rNv$X`0^5B7(aPcX&^jZWHDWj3J)J<C8EBY#3-kmUYKrLjE7;}DZ%y(v4
z`&<+s%6I3_nJW5pj`tn}&yE~$>c#$i+@ksY;8{tDPN~IhtFf|v_QlvnkTaB!t}<TY
z1m^fF+?4Kg>DHneg0As1caX;gc2(IU3i`6`n9}T-1sx$gnKFgew%`G^5+vpTVRMc*
z=N?#pzC|d-5k_febwA=17e!dfY};>vV*=__;hg<986N}5VFhrTb={&wsVV68@st!8
zV_QBzaD_w{?xpwIv}47NVuf>R!cAI9<ZZI@pMt9;!W@Qf=duSA^3&zU%H>O3A25(I
zcK_9){x5YKAj*O%DO3D3Xs9BhOw4gknN%)uvVt%%G513b)+lA%j~Uz<7*&9m#MIp#
zz}sR9@&BwuB;{J8O2he!ZW?#g3i4i&68_Z16?+KDv#coSOAQlrf7Oe_v*X6h>xqd)
zK-l?DEE0rYZZpPNW;rx)>vyG}kj2)^+xlO{#|d~a`#}@{*4t~9gqpMl=qJ4!aB{Tk
z;zu9-z@X;r8h)$d>tdqpEA0LMM28^M1WEua6V)_9+>WF70dx5|X4?56>g+n4`P%WD
zsO-OyPXlRhv&cmGuW)b}q~WHUj1Z1;gXQz3jC42&9DY*m0?CotWcQVOVoII7OJg+^
zvT+Y3P9R}zeljd(1-iv4O*Mp-jNHEucT9HCje4<KNw>2)V>!F2?xf2@Z%95qcS{`V
z%QTI_Ibyc<iM7IPiGG5zU$xW1O<q&U_L6Q9ssa-&HbU5!s5@<wb?7(LIo+Yl!p`ka
z%<22sriI1#5qd0_$=NU!%c{na+T{%Bj4!DPD4y&4PVbN2RWAg*y04Y>@|9pIC^*fB
z9x<AN@3=R%b`hI&NE01w=I~ohy2)sld8y=36U`~WFaj!H&D!o@$}PRjDM=4+tk1OY
zv$p6k+?_1dQd#K9iMUr47yS$dlruntotfdNBZ|Jb6qDW-KCvC&1qYj^%B{&7$T2di
z+>xR`@l-!ZYL6$~d0scQj%|4C$C;%+?WPasaNi!&pQo~cJjk1345Gacj+z*aiq(VS
zRUDq#57Z1d&gIKF+lXw;wJ}Y&qar;NL|u^`2TR2bqR6i5I{?_o%J6Yjj@?h}a3Grk
zw2{>0!+TXh<eB-N>D9?D^CkkMR!M!gU(M7JE5lV0_svJ||JZS5s>Q>kmH=}7&bgPn
zaC<-nV!U1J`doi7X|_POo_%k#dHj!Se|3LBnPUr`A1$6!T9@^3oQH9HxR!dpzLhHI
zT>O^@^?~CHm0EI<P_cjDGe?tc1gp>d0v-U97*0?Y!N2SnC)aL(#&cCoXiJGkwx-f~
zQko?@iY|7BR^JIh`}uJBA&u|J?nka>S52Z*A;enflqB?=ZqJM(wPva2JsPTe`hJS%
zg2S-dR6dp<Skz53d4WAm5-$&zxL2s=D)UXZ(P}27l_PufudvEeuTjf8$TPnFabaPk
z&JUA%s`$y%Wtf+k`b$!|Xg<v=9H~{}S$k@Q$WxOUEw^DKd$<Oj4zSHM!eiyXY%RfK
zM|LN|(s^SmN2jBuoAA~tkcAp+JKn^gU-bmk*)OwQboY*~7%h+T_g#&+%ofR=bfDe)
z0uaeQa_7%Y@LVQmZM`cI;6ml|<Ssu3McTBU`#>s!1#nX>2J#jZDP+mBq0O&nXVXGN
ziMJfAy04vLC&zZvND|L0I^3!Cg}PuoA0lB88@PXnX!!j;AU$cYm1w(&fzoEx08{aK
zoAk!c?ououBWwZ18iBx`odJ%qinc~Fu{;|*^*=~Ne#8&bYmlV3b%Ldyo^@+4exmIm
zB7*0RSum<1=2Ha|aDD#u_a=9vuT@lukus8t<$&wtfgMlWk*qzj<N7O=sN#W7%=!f$
zg65N--y65a-itJ+z7}u-3opAVG3%GBVI<fQSfQN$>_*Mb@}MY9Rzcwv78%e2d>GVS
z7t(}6B4&ZO&;DG3&A5(uSR4RpS_|%v*hzf0<GcX$9JP4J@xFn>n^-;A4jbiFvafyn
z+sk9TcIl}`j!t30ed|7PjM7fpCQn=|aLjGMF?&2xYT92!xFGKu3NiF&$wySUqh8;C
z|79>&iX6G`29%HJl49D#57vz9;ES*N$hVK$+m2$+_vF(a1p4p;V>)TYolNcv%1Ya#
z+K1>Z-r{8Pr3BEmi|`G)_OVXO0U%@FCi&V`5C&coRzFYbu@kNF^QgG4tj&cN8O);>
zf<zQZbu9_%lE48_sjo<hX&HWVo>uWXTX3SNp4;|cnii$~<jHI)qlNK|fO?`Pa8Yb3
zwV?|Qj2rX4Ob=wRfQL)j(4B$_V?gSFCDRYM5?yJE5pqOIP3)tX0fG2Y=QqYM#U1m$
zUfZE@LFFRDM|4j@{9St*U_91K0*IMHwVLvQVnE7F5v@a7##Q^&J*ucvsz?c5C%>8g
ztoQSe4A3A0Ak|P`@YNX9>Pg=*mc#b%^rPDb<+_>?rSR$($Hnn{mP17ax#$<H$B)QW
ztgf)hGy8>H|F~c^YanJW@@ZKODP{HRA!sXHa`c?-iV#lhuz(NkmkqH_3?-?0316f?
z(gZBa7rLXY$Ez$MF#eSpi&u}aMS+vg{ClUTNZ)g$(k_kd7aYKQl{+oYudAjBZ+6E%
zkaI&hIFZE(7cL&sRIeUy4khH9Ec9h0L+gRY&kKH?fU6`n=h`ETpXfS#JJ{<h_Vl}C
z)@$SP?TtcPUX?wH<e|?8a7~|2(`~{^P`7I}G0emUo{XGW7(ek+emIkvJdnNls+z4T
z1z0V~mFd#~_RCM}#zH)HW_mFU3iAn$%$Z`K`H`d2fga{HX=BGQ0;Gq$Stl1RFPa&x
z)vUG;ll|}&3W}Z?(+;V!>HU%sT|9OBB`wtX%5P8naSTeR{@z_|A^TF1k4i|!MVD_l
z@_Aah(ZeBOfMsTYW0v6AzM@xS+~9+|(bnSEDStnD>4DV<JE$aTvYTb2qx}&Y0O*>o
z`+h@vHRq3NGnv;`*aaZ`ROh}U$d}=?$*#BkX_(Z79O$L6sz)U{V4D9r%^yy5e;PDl
zQbR^%=pAICgO`XKDw1D1CK}}Ncj>bFza<@S>i|Y)u!q+HZ&ucjMZJeQx$V*C_u9<|
z8bz4$FK3eQF)BCwcvQg)fOP!&9;O?6SVJ6VH%w>%a#=S1ep^0EY3$C&KpGR&z9Zl_
z%Z9S@`@C5<3>3smsIZE9N)N7Be+S}zCDu15Sbc82Y0!HO7b_HX9;R?dsohrk`i_E2
z>G2A{Ya4YKAx!$-edKW)xMgG?DDxsI@4WO(rrd8H@sIX4leM?wctt;nv%~P8uTrXh
z26!C+xn!136bQYcoos(XIkp^jUp1$J_dnvdoYWn4zVAH61gOQ{FJcuafy@7*`bGeI
zboPj+8mx-)xNaEBeXbMv2|zj|PEWFd_6a~Uejl3}*s8z)D0!KfSO7LLlctiqyujd?
zR`gYDAhqasI*J%@f6ix@0hEc&b<fqho$6X`m(1hs@d_mbRnXvAo!rrWOww)A)G=hI
z%^aqIlND`z+Q32LwFJ{gg*VH9ctqeTKwxmyZH3pa^#z1Kuo|^xU-(OVZOA4RAl_Sv
zEqSej#~@h3kwVR(1gRH#aY@Uyc#VWs+-?4nf$J=#>w*b5*VZLCcAk%dVm`Zm<+H0?
z`X2Mfo=%dJ4_%GFT`AE6HO8eU%V`ckPv{@mr4KY4k0bs;1fUhY7Ycekvm7Lw;(jFP
zx;<i+G2O2q^I803WI*r5m)$E9U!732TE(y54?DBkigR%f?8nP%S@POWTtqAV-ezi+
z6aH%2`9ja&{ZVawva2?rm5Z{dJOtI4Je?YK^*qhnX5EQOJd%`e7EMI7iok(*=iP7Z
z3s|om0-TwvE>1LdS3;@&fsi{A@uv%<00!&Eytnd(raK)tSablY_E+c}iPKt4mV%A~
z&FEcF9tj0SGYlB;O;S7mOgI2ip)X$V;hd^--v;W8YNY|fu|CVf&z3CNS0jKfn{b7h
zGodGHP~)pjw?0NG;8pPhNf8AVRPbydkYrjC+YJNyZ-0X47d`Mu8Iy9KE)|15roWuu
z4%TF#(>A!23^Iq#ww%YIfQ8={&XEAhl3K~Fky1Ryt&AaAGV{aaKLE~`syIP}O~LC%
zino)l=;79f>qmdMy+h9{Au>DTrTyfS-cT<rhn}X;b)?_Z1|wKxSOs4j$Nbd#DxE2-
z@NEAA4G@O1!$^HFT|V3%vw5)^<p>ytdq3TTk`L8}8X3IV4LlFam^RVo;eh@s1IM)x
z!|nU%2FiMm!vs|^1<@C3AF#Lr+-CfnSqd@9B5rrCM(z9>zBZ9ryiMkI%kfSwP2}UH
z8il3fZkOLpJCasBNsNyUvKc`!T+eF{rLniS@3^;+mGTFueuV-)t30P(<*oU=mhu$9
z;71!@_-HsYC$}*?6Ji<F87>i!v8-cbPH8XjM$W_Lh18}ZtyGjyS-Nc4V|v;BROYH<
zuc{qy1VYc5<pc3dArct_AU6!&`$`1>wG}hlCxPA<YC*8ju}3c?h#gBvocqf~bi{{I
z`Y@+tVZa7>*RNJu^KoFZx3xT3Kc7v!**s5g-<P|w)?!n7^9NZzG!s{DS%`?(>An+7
ze(>yEYreweO*cS%YDE$kiDKh5f6xctEeNC&#?;fuaKk|BRD5|PJ)(K|o{{ld>NlbH
zvU#GEu@)0V+S#@@42%`dwNjaEn}lO~a@dj#kVE3C-+k;~r_5XwAxMHt29b_rzX9}N
zwz=O_a(Vvx4sk7??g!0cLj3RShWuVj=R*xZHt3a8db|Pj$l&o2_pmR6OHyhzAsMad
ztY*uYTHWxyIUp~qd{#~5=h$!LNPdmDq~zo_Eu1m+bHl(we_o9@aV~ZI-Fu*)`94aD
z64P>pUM9q7ZJu;+ms)}mIchS^Js*f*WB3l^==q*cPn7FrN5(d$sqj@P*7_&Ky!ZNX
z_GR99%K-;rtS!-omFL3s!yk?v0=hwVdWN0VW#Q`|*>nwB+90%pHjEfOrPtDPj~ggq
zkbtYwlOB7zaXN!ipm?H9^P5-=v{bX-1Y&n^0~EkI=cVU^lP>%WjFbfuGwH<+D}55V
zrRw>bw>jeZ5qC`AptAmHrq|0PpATJ?UP*WdPNvKOW^8>HYKR9vKB_Tp550FXw;>?6
zbrT0loPX>n>~xZAkiX}eM<$7u#!GaRGo)wraOm?vBm>AqjzFb06xqa%#cTkr1ExuD
z17En9Zei-jp%}c?i}cKtch&mt?3^m<l={aR9^US$Gb78<fY)<HWC7u_uV`?iB((k(
zuhc2PE4Be>%5ZQ!G`MxT(Eb#z5<hf0DUyOQb=BmbX^4n+hYc3>d3@rl?6*qhy6mhU
zcbbArUV-W!zaelrxGHuxv5P%N;!wPO7-zYB+z9h&$6KE{eyX0Y#YDrih*E1lMG~oI
zvOK{5jDM9=iyi0~tmmI6Wt@th+-(AR9Z&%~<+^dhzzHWk*dBFGIIiT<nqsP1p}umK
zz8)FV2XtRcFkM7=Ayo((D#>`s6o#b&ax~U{(e3~&_*{DN84R|4o;~jLaL9)&0;v?8
z3hRC$f;apI(<q<=)N3Tx!`U0%8Q%dsby+}y&moIqcF!h{<Btp8EOc_^Krr{wFBT?H
zprBEb496B08Sld~WTIPj^2gpiAW8$2BSy!?fv?6Re&IYO(lHvZo%TtQ{Lj+PlO`rb
zj$E?UWL&TNXtMCtBpj%m`I!ybfJ(*wVBm*yz%VId$<44auwf}qNXCQe+8@kR&#m?k
z{LA)AtO*b?)|8uOwW}f2oHmi1%iVvD!}v&3y?xel?}1o0@HWfG(^xC9VVF!5K;SPD
zTXUyfB8-5ZrhU(~JF84?<`?#FEloC75rLVY!jI>(;RNV9Kw1;YN<Zl)?RSCER$evH
zVABskBU<QVajkAp!Eh5z301$SN}azrR4BE#*)1j$oHz3G7M>RMUBy~)I~qRIz~Vhf
z1T|@@;Q)2oTQJ{rU&I4X(-`KS+@}h0_dKg*N_aW&K9M{;KG@{pQ0|s9Ulv9#2`>p;
zQdDCsL}l-2ZO*k%I8WtUd`NDRIKk_Xf}v8m8B0#ZhQAR1Oc2%(a$ZWeaA}&ghk+)!
z%%40hQ0(C0U|ABoIpu}6s@ga-;h152SpuPV-F+T+&ocAj{;-iL8?Ct03AX&hRq&Oi
zx5yu14SqTqqbLh*_?Z0a+RwUk^|>kj?^|m?xXrk_%v;_!kY+|eIlsT#8=b%9T2ldZ
zM5Tf1;tvEKfP;sbV|=WFwSjO`<U`WbSYsDGXJG%;8lk(`+OzF5Mi5I~019}YMq<yy
zrXd(TmrU8XJ5{geiM_5gOG;`Rlr4>A6&?VG=Pw~C;6+{pU*U6Iq;Q=ZF*}TQYuE!<
zkj46w^I@Xff2&&ZLjcp7b#)8LHdb!sY)>;M$tVdUU~qxnWR;6#+nf(szpgh`v|4_x
z2cCk_i9}F*(6NW%6J2R-l8Q+0A$iZ&-82DkCsoLfrAZ8;u`4+W`^JjuhF?(x-y3jO
zTS1jF5@5-Hl0Qp+SQVIZ>4xj(EH77;4o^Ivz3Bi71?rxY8+XKRP8UFbyOVbe+s*vh
zd;ES}uhnM+>|M|e{P2$|D`**E>=VRAVUJep?*gVI&N*BJgkEN+GO#!~Hi{!bj6T8Z
z*MTd|{g<Ka+C@E%I#;2L68;oCrb`6ja40S}9ys|aaIR#%1mb(oI=)`Mj~($Bxn}*V
zIG~;@-j#U7;}L*ifGs^$3ZdrJrY}#H{!?KzF<QnmP+c!7d=xjO%r?bMWc)QblmGRf
zXMjs(AFDp#O#?O|BJ{#%kh4(KkrbX*3mZ62Kt~vS8es1)Mr-U{hV?)&oS9m&7nS4o
z-6Ee9GS@GpJq-^3wMqtb*Srw|B#$-ZQf+@d=6SVCC}m-l*LArP*lt6<fXe^F*15E%
ziUFh!G2}Eh*Wdkc4yFiM<bTOH;pRZ*NNe=N+j099(37zJhG+Ep=H*rVFY1M?hpu0Z
z6d~XRDXzV}kMV(z!U#_#76<VG9+Vw4p)uMzxmRh|U*7DofdarpT{Ua3FaOVp8YjS3
z0f8go>i0a;KxoCvM7md_?~gy^E8?K8qLYaF4iKKVbo=s7RqtSUBy-&{c1EJ15e6R5
z4V}{e_(DxB#jc<W@W~lAS4t6I$;2Xy(^^`4jam|u<M%F5x@;A<0G(7!C;g@GFR6g@
ziY|#-EC*ndos{KIP9|zL4BC-~-zzauY$xBYDlF6<FDh3xO!RQSUC()9c064))?EFM
zEDgiG<e*_sMWmuKkQ@lCou~-Gs8D~BZNyxV0q~wGAb^h3*4n_zcLRpUwq);#9K#2~
zD%<rJu^MKAQ4o5MY21a$k}M4WVwO89#A-A$hsXRoz94!~qrGL{dwJrpaPYk+!CHv_
zhu`OfD2pz{DnLH@=L_ZK=R`SK%s0s{D<edh_XFChUv<2CvAo?_Zal{DJVwask=}$f
zn`JR2MM}|&Fai=n!uGd#qN#*#-#oje;xkAtCAfEs%-44#e_TU)?s~yj5%ZgJZj)8>
z*Qo?N@Y0@!6xbXeP7NZg>l}CGX}wq>in~5&fn>bw5I-&<Ts(ZjOMl-re0xiPoLZ^M
zs<-cUwgAE|NdoVUf*D~`@T2`|q>l68E)lt8kJ`?5#u3^XK2{G0Nz}j?)#9QMC%0Kw
zVl{H5#<G3jHl3J;SP~R>K%sx7FpoI(D88Z;49^HP)P$_SSL>@QT#Kr=V=Vnpwemxr
zu#e<yLsMRxUDeN5##anv|585OZ8+x$(!8N|N-kek3ZyMweuX1^v&&|P!+UG6@$f?-
z*<&c~eZq(E(SAJQ)MWaQ04Asp4lW)IUdX{;IMRJ*$^by1I|-SaFGH+r4!8Gn;d@A0
zUelkKy}S7RB&T~**uS9TzdEiPg^+gQ(q&{pj&_j-Hd6*OKZ1}8$m?xXSva(9{h%^&
zMG=Qis$~cB@;*4Q8<d(y2b+Ay=uL~GgS{tix&%m4n4rPFvgZsJT#47TYbl6iu_RZs
z?6pZJdUD4S0N?qzxqHkOHfQu*XQNP5orkk@TS8)%5XJeRq))=&<yR_&?_ww45;jre
zjCi}rknKnBmOWIcgFsv*`o(p$m4yrzUdiU_suH@<^`X1StUDRR+)HBg9@*-J`XawK
zx7>Y5On<(dGC+9ER(oYpmmd(PK2LM{{QRmS4k>SC|7Fa(<Kn?N*P3QR5RGEHkI+`m
z1m`av?DHRLD3FxW$4)w-t@P)!{Ia%w_ABu3AR19AWMaDLoz>M}cOA|BuI$cxAI4Pg
zMeAHdaTp*|eekm1R$iP?!-Xhn>?I|FvBB!@Mm5x|*6WZQA^pk>zrAr=Y-96AnH;Y?
zf@x9dsd|IlGIMv~+sO5maP8UdHw+JUH0(n-fRvi8*c?)Xk=t{$biaS@sCq9~f4WL%
zMiIwRX3|xdBNb<{v}lI>^b3j`qB|2Te=(6Dy{~fS&342b|A4Pj2{G9Ys%c;hdr+lL
zs8RUU(}{9N9S+^yXNQ$l@MKS?k)kBT$6$8bW=f6H)k4dHn(bDxzcqAJ;30{_MAgjT
zAy;bquV5d-pkN5Bpe)-pCM|_id*Gp_=l0BDcnU2KjQmHkBL9Sg3flZuewN2x>lGJ}
z+*<aAcq@x}ZYizyA>Q}WyDt@^{P?F-EAA_7R=*s|<J5(z&`U#c9d1z?$XrsyVUblj
zkC`pT9yUCi+I2~h?UIzi@aBMoZk9o}(b$kK!qOw!U;EdNQs*XJjLPWK_gkr4N?h%>
zn?uT0@|(+c*I7_QEBu>JoNxa!iP0M!H{c%_ui{tFHAeO70CSp*_sgXb!iDtoXbD|8
zSr<m`pLhylC{+&67v^Zbw-41`t?g3j@8;~+Sr+727NVu);)G1r2pryB=2#p5I=|SK
zp>RJ%#!_n&?s-9e`prT=vSS&I92MHB-8}Ei4WCc~tNzrLt~LNXjq|rK-|0gf@ND3R
zPGytpFGqO0hwQsKaw+fXU$1^kz+k>T8-t*VM{HMByOQjbbc+fL<h*=)*#&Iy#kj0w
z>tx?O*)snd?~yJ2wOf5MqdN#SgW76Q!Q}{s)tCcS1cU;r#{eVw8w$+sNzp|aj4k66
zI%uS#wu<Jxk2c*txn5qF?J&ru<SJN;j5cMSzt7TbQevioyse*dI8N!<eml#-S+Ps>
zCS-eMLZ>6eV6q<Wwf=Z>mC8%0#%Y;0Ov`uUGaJ9RAV1pK3^AKhS1Y=+*NrgGN_r6K
z=bZN(oB^cdrTrIbeDGclw<U#Q?fq{w6bZ@D$k){Z;&DKf1u?*7;FjZ5d*oKZnKd&{
z$F~?8FSx0~hy1P8Ip2(mli|!M=@QDFnRk41L@|8Oez)_m?29_z4nhXB7~^Ax2DYun
z((Y+1B-E~b)^fB%AMMK?ZvScPbw%GE7dvbe+g8!lLW@u9Ox3$LF^epw%^5Z6=993T
zY;AnWcMSk$X9)rh)W$vvwc$%zwmwT*mgCAe=5}{KZ0nxa!LAUv=mA-~*_~_NpE+2%
zKs68;$GiA9Ered`o~~tVLqaEsRH05q`4HIuz9=q)Z|1v+Qgb6KFBAKq^kYl!IU2Kp
z)kJ&wBycyxGTL$<(w~beaM5QJdG);c1~k<Sp8_hvOHB3nWO+6q7cX2Gh@Rv4YB1L4
z0hH&h#>&geZKjljotCos<KeUxA`=;E^mGEYsWa3q*X<pWj&!mRfJ>r9&Kg(<)EkDh
zB1DxU086SZBCFJ(Xzx#i!pg3r050s)6#<tu!@6n{nX*aWdQWewiJ@_wF(itvu;TcR
z&3r*pnfrXf{#qlM-(sYnNSD%6IyJMz$#Da@Hs0so-_cHa$Xl!wD%{`EKytZd$|q@q
zy)L}8iaw9AsS9;rh5yRYg<)5iI=w-7wN}Ljj#4kvf9KYnEV5jYIfb5_bOW?C%c&#J
zGViG)+L!I=Fc=vUx|zC@_Le~niEGAp94KU}x=DqfX0i3R*KypgWiWOoq_CJRFrQpO
zs90WTAzdiLwa3+BQ*dQKg}^n+E2*KC;^l<O@$r#G9U}_uo`ANTs^13!-J>i(bFfon
zD6-hE8ZJpETpi4?>Aiy(CT}TUEsRJ&z=g`HDr)7sTgOQ?<b0szK6tm>>-$a*{1caZ
zvK-R5#za^bhTW|vM)M17;5FQUr`Y{;;^0nxtB5o5AAf}%1X>A3_GtM1Un5gMo&NX#
z1JFS#4lzTK%fFw0`fNxj9rld<kKeo_x#jbnfSvw-KN5;-OmOzfr_*&d%h+QMV-RPC
zaS}gZC*;g9&J5%1Tt2mdGgtC&SA6EM&teRaZk|PQ|8kaR!RJ|sf0mV;+Q3=v_wPjX
zEM5JN-22Qh&J5!$!~R#$fCs9YX9X^7IrOab^3Ob+q*-T%aaMZyKT9u1R394~6#A-5
RDR97#l!Ux^!DGWW{{vT21UCQx
literal 0
HcmV?d00001
diff --git a/doc/images/openssl-square.svg b/doc/images/openssl-square.svg
new file mode 100644
index 00000000..bb1ddc04
--- /dev/null
+++ b/doc/images/openssl-square.svg
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 28.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+ viewBox="0 0 510 510" style="enable-background:new 0 0 510 510;" xml:space="preserve">
+<style type="text/css">
+ .st0{fill:#231F20;}
+ .st1{fill:#6D2520;}
+</style>
+<g id="Layer_1">
+</g>
+<g id="Layer_2">
+ <g>
+ <path class="st0" d="M256.2,289c-5.2,0-9.3,1-12.1,3.1c-2.9,2.1-4.3,5.2-4.3,9.3c0,3.8,2.1,7.1,6.3,10c4.2,2.9,9.8,5.6,16.7,8.2
+ c5.7,2.1,10.5,4.4,14.5,7.1c4,2.7,7.4,6.3,10,11c2.7,4.7,4,10.6,4,17.8c0,6.2-1.6,11.9-4.8,17.2c-3.2,5.3-7.9,9.5-14.1,12.6
+ c-6.2,3.1-13.6,4.6-22.2,4.6c-7.2,0-14.3-1.1-21.4-3.2c-7.1-2.1-13.6-5.4-19.7-9.7l10.4-18.4c4.1,3,8.9,5.5,14.2,7.5
+ c5.3,2,10.1,2.9,14.4,2.9c5,0,9.4-1.1,13-3.2s5.5-5.6,5.5-10.4c0-6.2-5.8-11.6-17.4-16.1c-6.8-2.7-12.6-5.3-17.1-7.8
+ c-4.6-2.5-8.5-6.1-11.8-10.8c-3.3-4.7-5-10.5-5-17.6c0-10.3,3.4-18.6,10.2-25c6.8-6.3,15.8-9.7,27.2-10.3c8.9,0,16.4,1,22.3,3
+ c6,2,11.8,4.9,17.4,8.6l-9,18.1C273,291.9,263.9,289,256.2,289z"/>
+ <path class="st0" d="M351.3,289c-5.2,0-9.3,1-12.1,3.1c-2.9,2.1-4.3,5.2-4.3,9.3c0,3.8,2.1,7.1,6.3,10c4.2,2.9,9.8,5.6,16.7,8.2
+ c5.7,2.1,10.5,4.4,14.5,7.1c4,2.7,7.4,6.3,10,11c2.7,4.7,4,10.6,4,17.8c0,6.2-1.6,11.9-4.8,17.2c-3.2,5.3-7.9,9.5-14.1,12.6
+ c-6.2,3.1-13.6,4.6-22.2,4.6c-7.2,0-14.3-1.1-21.4-3.2c-7.1-2.1-13.6-5.4-19.7-9.7l10.4-18.4c4.1,3,8.9,5.5,14.2,7.5
+ c5.3,2,10.1,2.9,14.4,2.9c5,0,9.4-1.1,13-3.2s5.5-5.6,5.5-10.4c0-6.2-5.8-11.6-17.4-16.1c-6.8-2.7-12.6-5.3-17.1-7.8
+ c-4.6-2.5-8.5-6.1-11.8-10.8c-3.3-4.7-5-10.5-5-17.6c0-10.3,3.4-18.6,10.2-25c6.8-6.3,15.8-9.7,27.2-10.3c8.9,0,16.4,1,22.3,3
+ c6,2,11.8,4.9,17.4,8.6l-9,18.1C368.1,291.9,359,289,351.3,289z"/>
+ <path class="st0" d="M433.2,268.7v97.2h56.4v22.8h-80.1v-120H433.2z"/>
+ </g>
+ <g>
+ <path class="st1" d="M27.5,147.3c5.6-9.5,13-17,22.4-22.6s19.7-8.4,30.8-8.4c11,0,21.2,2.8,30.7,8.4c9.4,5.6,17,13.1,22.6,22.6
+ c5.6,9.5,8.4,19.7,8.4,30.7c0,11.1-2.8,21.4-8.3,30.9s-13.1,16.9-22.6,22.4c-9.5,5.5-19.8,8.3-30.8,8.3c-11.1,0-21.4-2.7-30.9-8.2
+ c-9.5-5.4-16.9-12.9-22.4-22.3c-5.5-9.4-8.3-19.8-8.3-31.1C19.1,167,21.9,156.8,27.5,147.3z M41.8,201c4,7,9.5,12.6,16.4,16.7
+ s14.5,6.2,22.8,6.2c8.2,0,15.8-2,22.6-6.1c6.8-4.1,12.2-9.6,16.2-16.7c3.9-7.1,5.9-14.8,5.9-23.1c0-8.3-2-16.1-6-23.2
+ c-4-7.1-9.5-12.7-16.3-16.8c-6.9-4.1-14.5-6.2-22.7-6.2s-15.8,2.1-22.7,6.3c-6.9,4.2-12.3,9.8-16.3,16.9
+ c-3.9,7.1-5.9,14.8-5.9,23.2C35.8,186.4,37.8,194,41.8,201z"/>
+ <path class="st1" d="M215.1,171c5.2,3.1,9.3,7.5,12.3,13.1c3,5.6,4.5,12.1,4.5,19.4c0,7.2-1.6,13.6-4.8,19.1
+ c-3.2,5.5-7.7,9.8-13.3,12.8c-5.7,3-12,4.5-19,4.5c-5,0-9.8-1.1-14.3-3.3c-4.6-2.2-8.2-5.1-11-8.8v43.5h-15.5V168h13.5l1.3,11.7
+ c3.6-4,7.8-7.2,12.8-9.7c4.9-2.4,10.3-3.7,16.1-3.7C204,166.3,209.8,167.9,215.1,171z M203.8,224.3c3.7-2.1,6.7-4.9,8.9-8.5
+ c2.2-3.6,3.3-7.6,3.3-12.1c0-4.6-1-8.7-3.1-12.3c-2.1-3.7-4.9-6.6-8.4-8.7c-3.6-2.1-7.5-3.2-11.8-3.2c-5.9,0-10.9,1.6-15.1,4.9
+ s-6.9,7.7-8.3,13.3v11.5c0.9,5.3,3.4,9.7,7.6,13.1c4.2,3.4,9.1,5.1,14.8,5.1C196,227.4,200.1,226.4,203.8,224.3z"/>
+ <path class="st1" d="M384.1,172.3c4.2,3.8,6.4,8.8,6.5,14.9v51h-15.7v-45.7c-0.2-3.9-1.4-6.9-3.5-9.2c-2.1-2.2-5.3-3.4-9.5-3.5
+ c-6.1,0-11.2,2.4-15.2,7.3c-4,4.9-6,11.1-6,18.7v32.4h-15.5v-69.1h14l1,13.3c2.4-5,6.1-8.9,11-11.8c4.9-2.8,10.5-4.3,16.8-4.3
+ C374.5,166.5,379.9,168.4,384.1,172.3z"/>
+ <g>
+ <path class="st1" d="M242.5,203.4c0-21.3,16.2-38.1,36.9-38.1c20.3,0,35.6,16.9,35.6,38.8v4.1h-58c2,12.2,12,21.1,24.7,21.1
+ c7.2,0,14-2.3,18.7-6.5l9.3,9.1c-8.7,6.7-17.5,9.7-28.5,9.7C259.4,241.6,242.5,224.9,242.5,203.4z M300.7,197.3
+ c-2-11.3-10.9-19.7-21.6-19.7c-11.1,0-20,8-22,19.7H300.7z"/>
+ </g>
+ </g>
+</g>
+</svg>
diff --git a/doc/images/openssl.svg b/doc/images/openssl.svg
index 9cd6794f..988d3a0e 100644
--- a/doc/images/openssl.svg
+++ b/doc/images/openssl.svg
@@ -1,41 +1,49 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg
- xmlns:dc="http://purl.org/dc/elements/1.1/"
- xmlns:cc="http://creativecommons.org/ns#"
- xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
- xmlns:svg="http://www.w3.org/2000/svg"
- xmlns="http://www.w3.org/2000/svg"
- version="1.1"
- id="svg2"
- viewBox="0 0 973.70528 248.96588"
- height="70.263748mm"
- width="274.80124mm">
- <defs
- id="defs4" />
- <g
- transform="translate(60.758696,-843.33549)"
- id="layer1">
- <text
- id="text3336"
- y="1012.3623"
- x="3.8487569e-06"
- style="font-style:normal;font-weight:normal;line-height:0%;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
- xml:space="preserve"><tspan
- style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:180px;line-height:1.25;font-family:sans-serif;-inkscape-font-specification:'sans-serif Bold'"
- y="1012.3623"
- x="3.8487569e-06"
- id="tspan3338"><tspan
- id="tspan3340"
- style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:180px;font-family:sans-serif;-inkscape-font-specification:sans-serif;fill:#480e0c;fill-opacity:1">Open</tspan>SSL</tspan></text>
- <text
- id="text817"
- y="1049.0681"
- x="176.75166"
- style="font-style:normal;font-weight:normal;font-size:17.49999619px;line-height:1.25;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.93749976"
- xml:space="preserve"><tspan
- style="font-size:37.49998856px;stroke-width:0.93749976"
- y="1049.0681"
- x="176.75166"
- id="tspan815">Cryptography and SSL/TLS Toolkit</tspan></text>
- </g>
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 28.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
+<svg version="1.1"
+ id="svg2" xmlns:cc="http://creativecommons.org/ns#" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:svg="http://www.w3.org/2000/svg" xmlns:dc="http://purl.org/dc/elements/1.1/"
+ xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 779 199.2"
+ style="enable-background:new 0 0 779 199.2;" xml:space="preserve">
+<style type="text/css">
+ .st0{fill:#231F20;}
+ .st1{fill:#6D2520;}
+</style>
+<g>
+ <g>
+ <path class="st0" d="M457.3,48.3c-4.9,0-8.7,1-11.4,2.9c-2.7,1.9-4.1,4.9-4.1,8.7c0,3.6,2,6.7,5.9,9.4c3.9,2.7,9.2,5.3,15.7,7.7
+ c5.3,1.9,9.9,4.2,13.7,6.7c3.8,2.5,6.9,6,9.4,10.4c2.5,4.4,3.8,10,3.8,16.7c0,5.8-1.5,11.2-4.5,16.2c-3,5-7.4,8.9-13.3,11.8
+ c-5.8,2.9-12.8,4.4-20.9,4.4c-6.7,0-13.4-1-20.1-3c-6.6-2-12.8-5-18.6-9.1l9.8-17.3c3.9,2.9,8.3,5.2,13.3,7.1
+ c5,1.8,9.5,2.8,13.5,2.8c4.7,0,8.8-1,12.3-3c3.5-2,5.2-5.2,5.2-9.7c0-5.8-5.5-10.9-16.4-15.2c-6.4-2.6-11.8-5-16.1-7.4
+ c-4.3-2.3-8-5.7-11.1-10.1c-3.1-4.4-4.7-9.9-4.7-16.6c0-9.7,3.2-17.5,9.6-23.5c6.4-5.9,14.9-9.2,25.5-9.7c8.4,0,15.4,0.9,21,2.8
+ c5.6,1.9,11.1,4.6,16.4,8.1l-8.4,17C473.1,51,464.6,48.3,457.3,48.3z"/>
+ <path class="st0" d="M546.8,48.3c-4.9,0-8.7,1-11.4,2.9c-2.7,1.9-4.1,4.9-4.1,8.7c0,3.6,2,6.7,5.9,9.4c3.9,2.7,9.2,5.3,15.7,7.7
+ c5.3,1.9,9.9,4.2,13.7,6.7c3.8,2.5,6.9,6,9.4,10.4c2.5,4.4,3.8,10,3.8,16.7c0,5.8-1.5,11.2-4.5,16.2c-3,5-7.4,8.9-13.3,11.8
+ c-5.8,2.9-12.8,4.4-20.9,4.4c-6.7,0-13.4-1-20.1-3s-12.8-5-18.6-9.1l9.8-17.3c3.9,2.9,8.3,5.2,13.3,7.1s9.5,2.8,13.5,2.8
+ c4.7,0,8.8-1,12.3-3s5.2-5.2,5.2-9.7c0-5.8-5.5-10.9-16.4-15.2c-6.4-2.6-11.8-5-16.1-7.4c-4.3-2.3-8-5.7-11.1-10.1
+ c-3.1-4.4-4.7-9.9-4.7-16.6c0-9.7,3.2-17.5,9.6-23.5c6.4-5.9,14.9-9.2,25.5-9.7c8.4,0,15.4,0.9,21,2.8c5.6,1.9,11.1,4.6,16.4,8.1
+ l-8.4,17C562.6,51,554,48.3,546.8,48.3z"/>
+ <path class="st0" d="M623.8,29.1v91.4h53.1V142h-75.3V29.1H623.8z"/>
+ </g>
+ <g>
+ <path class="st1" d="M61.9,58.4c5.1-8.7,12-15.6,20.6-20.8s18.1-7.7,28.3-7.7c10.1,0,19.5,2.6,28.2,7.7
+ c8.7,5.2,15.6,12.1,20.8,20.8c5.2,8.7,7.7,18.1,7.7,28.2c0,10.2-2.6,19.7-7.7,28.4c-5.1,8.7-12,15.6-20.8,20.6
+ c-8.7,5.1-18.2,7.6-28.3,7.6c-10.2,0-19.7-2.5-28.4-7.5c-8.7-5-15.6-11.8-20.6-20.5c-5.1-8.6-7.6-18.2-7.6-28.6
+ C54.2,76.5,56.8,67.1,61.9,58.4z M75.1,107.8c3.7,6.4,8.7,11.6,15.1,15.3c6.4,3.8,13.4,5.7,20.9,5.7c7.6,0,14.5-1.9,20.8-5.6
+ c6.3-3.7,11.2-8.8,14.9-15.3c3.6-6.5,5.4-13.6,5.4-21.2c0-7.7-1.8-14.8-5.5-21.3s-8.7-11.7-15-15.5c-6.3-3.8-13.3-5.7-20.9-5.7
+ c-7.6,0-14.5,1.9-20.9,5.8c-6.3,3.8-11.3,9-15,15.6s-5.4,13.7-5.4,21.3C69.6,94.4,71.4,101.4,75.1,107.8z"/>
+ <path class="st1" d="M234.4,80.2c4.8,2.9,8.6,6.9,11.3,12c2.8,5.2,4.1,11.1,4.1,17.9c0,6.7-1.5,12.5-4.5,17.6
+ c-3,5.1-7.1,9-12.3,11.7c-5.2,2.8-11,4.1-17.5,4.1c-4.6,0-9-1-13.2-3c-4.2-2-7.6-4.7-10.1-8.1v40h-14.3V77.5h12.4l1.2,10.7
+ c3.3-3.7,7.2-6.6,11.7-8.9c4.5-2.3,9.5-3.4,14.8-3.4C224.2,75.9,229.6,77.4,234.4,80.2z M224,129.2c3.4-1.9,6.2-4.5,8.2-7.8
+ c2-3.3,3.1-7,3.1-11.1c0-4.2-0.9-8-2.8-11.3c-1.9-3.4-4.5-6-7.7-8c-3.3-1.9-6.9-2.9-10.9-2.9c-5.4,0-10,1.5-13.9,4.5
+ c-3.8,3-6.4,7.1-7.6,12.2v10.6c0.8,4.9,3.1,8.9,7,12c3.8,3.1,8.4,4.7,13.6,4.7C216.9,132.1,220.6,131.1,224,129.2z"/>
+ <path class="st1" d="M389.8,81.4c3.9,3.5,5.9,8.1,6,13.7V142h-14.4v-42c-0.2-3.6-1.3-6.4-3.2-8.4c-1.9-2-4.9-3.1-8.7-3.2
+ c-5.6,0-10.3,2.3-14,6.7c-3.7,4.5-5.5,10.2-5.5,17.2V142h-14.3V78.5h12.9l0.9,12.3c2.2-4.6,5.6-8.2,10.1-10.8
+ c4.5-2.6,9.7-3.9,15.5-3.9C381,76.1,386,77.8,389.8,81.4z"/>
+ <g>
+ <path class="st1" d="M259.6,110c0-19.6,14.9-35,33.9-35c18.6,0,32.7,15.6,32.7,35.7v3.7h-53.4c1.9,11.2,11,19.4,22.8,19.4
+ c6.7,0,12.9-2.1,17.2-6l8.5,8.4c-8,6.1-16.1,8.9-26.2,8.9C275.2,145.1,259.6,129.8,259.6,110z M313.1,104.4
+ c-1.9-10.4-10-18.1-19.8-18.1c-10.2,0-18.4,7.3-20.2,18.1H313.1z"/>
+ </g>
+ </g>
+</g>
</svg>
diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in
index b0054ead..cf3427a3 100644
--- a/doc/man1/openssl-pkeyutl.pod.in
+++ b/doc/man1/openssl-pkeyutl.pod.in
@@ -235,9 +235,9 @@ This sets the RSA padding mode. Acceptable values for I<mode> are B<pkcs1> for
PKCS#1 padding, B<none> for no padding, B<oaep>
for B<OAEP> mode, B<x931> for X9.31 mode and B<pss> for PSS.
-In PKCS#1 padding if the message digest is not set then the supplied data is
+In PKCS#1 padding, if the message digest is not set, then the supplied data is
signed or verified directly instead of using a B<DigestInfo> structure. If a
-digest is set then the a B<DigestInfo> structure is used and its the length
+digest is set, then the B<DigestInfo> structure is used and its length
must correspond to the digest type.
For B<oaep> mode only encryption and decryption is supported.
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index a21c30ba..31fd7141 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -282,7 +282,7 @@ It is implied by the B<-CA> option.
This option implies the B<-new> flag if B<-in> is not given.
If an existing request is specified with the B<-in> option, it is converted
-to the a certificate; otherwise a request is created from scratch.
+to a certificate; otherwise a request is created from scratch.
Unless specified using the B<-set_serial> option,
a large random number will be used for the serial number.
diff --git a/doc/man3/BIO_f_md.pod b/doc/man3/BIO_f_md.pod
index c2b825e3..397952f0 100644
--- a/doc/man3/BIO_f_md.pod
+++ b/doc/man3/BIO_f_md.pod
@@ -19,7 +19,7 @@ BIO_f_md, BIO_set_md, BIO_get_md, BIO_get_md_ctx - message digest BIO filter
=head1 DESCRIPTION
BIO_f_md() returns the message digest BIO method. This is a filter
-BIO that digests any data passed through it, it is a BIO wrapper
+BIO that digests any data passed through it. It is a BIO wrapper
for the digest routines EVP_DigestInit(), EVP_DigestUpdate()
and EVP_DigestFinal().
@@ -36,8 +36,8 @@ BIO_set_md() sets the message digest of BIO B<b> to B<md>: this
must be called to initialize a digest BIO before any data is
passed through it. It is a BIO_ctrl() macro.
-BIO_get_md() places the a pointer to the digest BIOs digest method
-in B<mdp>, it is a BIO_ctrl() macro.
+BIO_get_md() places a pointer to the digest BIOs digest method
+in B<mdp>. It is a BIO_ctrl() macro.
BIO_get_md_ctx() returns the digest BIOs context into B<mdcp>.
diff --git a/doc/man3/BN_add.pod b/doc/man3/BN_add.pod
index 9561d554..35cfdd14 100644
--- a/doc/man3/BN_add.pod
+++ b/doc/man3/BN_add.pod
@@ -114,6 +114,11 @@ temporary variables; see L<BN_CTX_new(3)>.
Unless noted otherwise, the result B<BIGNUM> must be different from
the arguments.
+=head1 NOTES
+
+For modular operations such as BN_nnmod() or BN_mod_exp() it is an error
+to use the same B<BIGNUM> object for the modulus as for the output.
+
=head1 RETURN VALUES
The BN_mod_sqrt() returns the result (possibly incorrect if I<p> is
diff --git a/doc/man3/BN_mod_inverse.pod b/doc/man3/BN_mod_inverse.pod
index 5dbb5c3c..f88e0e63 100644
--- a/doc/man3/BN_mod_inverse.pod
+++ b/doc/man3/BN_mod_inverse.pod
@@ -18,7 +18,11 @@ places the result in B<r> (C<(a*r)%n==1>). If B<r> is NULL,
a new B<BIGNUM> is created.
B<ctx> is a previously allocated B<BN_CTX> used for temporary
-variables. B<r> may be the same B<BIGNUM> as B<a> or B<n>.
+variables. B<r> may be the same B<BIGNUM> as B<a>.
+
+=head1 NOTES
+
+It is an error to use the same B<BIGNUM> as B<n>.
=head1 RETURN VALUES
diff --git a/doc/man3/CMS_add1_signer.pod b/doc/man3/CMS_add1_signer.pod
index 800085b7..d606a02c 100644
--- a/doc/man3/CMS_add1_signer.pod
+++ b/doc/man3/CMS_add1_signer.pod
@@ -31,8 +31,8 @@ Unless the B<CMS_REUSE_DIGEST> flag is set the returned CMS_ContentInfo
structure is not complete and must be finalized either by streaming (if
applicable) or a call to CMS_final().
-The CMS_SignerInfo_sign() function will explicitly sign a CMS_SignerInfo
-structure, its main use is when B<CMS_REUSE_DIGEST> and B<CMS_PARTIAL> flags
+The CMS_SignerInfo_sign() function explicitly signs a CMS_SignerInfo
+structure, its main use is when the B<CMS_REUSE_DIGEST> and B<CMS_PARTIAL> flags
are both set.
=head1 NOTES
@@ -90,6 +90,8 @@ before it is finalized.
CMS_add1_signer() returns an internal pointer to the CMS_SignerInfo
structure just added or NULL if an error occurs.
+CMS_SignerInfo_sign() returns 1 on success, 0 on failure.
+
=head1 SEE ALSO
L<ERR_get_error(3)>, L<CMS_sign(3)>,
@@ -97,7 +99,7 @@ L<CMS_final(3)>,
=head1 COPYRIGHT
-Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2014-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/CMS_signed_get_attr.pod b/doc/man3/CMS_signed_get_attr.pod
new file mode 100644
index 00000000..3ed904ef
--- /dev/null
+++ b/doc/man3/CMS_signed_get_attr.pod
@@ -0,0 +1,214 @@
+=pod
+
+=head1 NAME
+
+CMS_signed_get_attr_count,
+CMS_signed_get_attr_by_NID, CMS_signed_get_attr_by_OBJ, CMS_signed_get_attr,
+CMS_signed_delete_attr,
+CMS_signed_add1_attr, CMS_signed_add1_attr_by_OBJ,
+CMS_signed_add1_attr_by_NID, CMS_signed_add1_attr_by_txt,
+CMS_signed_get0_data_by_OBJ,
+CMS_unsigned_get_attr_count,
+CMS_unsigned_get_attr_by_NID, CMS_unsigned_get_attr_by_OBJ,
+CMS_unsigned_get_attr, CMS_unsigned_delete_attr,
+CMS_unsigned_add1_attr, CMS_unsigned_add1_attr_by_OBJ,
+CMS_unsigned_add1_attr_by_NID, CMS_unsigned_add1_attr_by_txt,
+CMS_unsigned_get0_data_by_OBJ
+- CMS signed and unsigned attribute functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/cms.h>
+
+ int CMS_signed_get_attr_count(const CMS_SignerInfo *si);
+ int CMS_signed_get_attr_by_NID(const CMS_SignerInfo *si, int nid,
+ int lastpos);
+ int CMS_signed_get_attr_by_OBJ(const CMS_SignerInfo *si, const ASN1_OBJECT *obj,
+ int lastpos);
+ X509_ATTRIBUTE *CMS_signed_get_attr(const CMS_SignerInfo *si, int loc);
+ X509_ATTRIBUTE *CMS_signed_delete_attr(CMS_SignerInfo *si, int loc);
+ int CMS_signed_add1_attr(CMS_SignerInfo *si, X509_ATTRIBUTE *attr);
+ int CMS_signed_add1_attr_by_OBJ(CMS_SignerInfo *si,
+ const ASN1_OBJECT *obj, int type,
+ const void *bytes, int len);
+ int CMS_signed_add1_attr_by_NID(CMS_SignerInfo *si,
+ int nid, int type,
+ const void *bytes, int len);
+ int CMS_signed_add1_attr_by_txt(CMS_SignerInfo *si,
+ const char *attrname, int type,
+ const void *bytes, int len);
+ void *CMS_signed_get0_data_by_OBJ(const CMS_SignerInfo *si,
+ const ASN1_OBJECT *oid,
+ int lastpos, int type);
+
+ int CMS_unsigned_get_attr_count(const CMS_SignerInfo *si);
+ int CMS_unsigned_get_attr_by_NID(const CMS_SignerInfo *si, int nid,
+ int lastpos);
+ int CMS_unsigned_get_attr_by_OBJ(const CMS_SignerInfo *si,
+ const ASN1_OBJECT *obj, int lastpos);
+ X509_ATTRIBUTE *CMS_unsigned_get_attr(const CMS_SignerInfo *si, int loc);
+ X509_ATTRIBUTE *CMS_unsigned_delete_attr(CMS_SignerInfo *si, int loc);
+ int CMS_unsigned_add1_attr(CMS_SignerInfo *si, X509_ATTRIBUTE *attr);
+ int CMS_unsigned_add1_attr_by_OBJ(CMS_SignerInfo *si,
+ const ASN1_OBJECT *obj, int type,
+ const void *bytes, int len);
+ int CMS_unsigned_add1_attr_by_NID(CMS_SignerInfo *si,
+ int nid, int type,
+ const void *bytes, int len);
+ int CMS_unsigned_add1_attr_by_txt(CMS_SignerInfo *si,
+ const char *attrname, int type,
+ const void *bytes, int len);
+ void *CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid,
+ int lastpos, int type);
+
+=head1 DESCRIPTION
+
+CMS_signerInfo contains separate attribute lists for signed and unsigned
+attributes. Each CMS_signed_XXX() function is used for signed attributes, and
+each CMS_unsigned_XXX() function is used for unsigned attributes.
+Since the CMS_unsigned_XXX() functions work in the same way as the
+CMS_signed_XXX() equivalents, only the CMS_signed_XXX() functions are
+described below.
+
+CMS_signed_get_attr_by_OBJ() finds the location of the first matching object
+I<obj> in the SignerInfo's I<si> signed attribute list. The search starts at the
+position after I<lastpos>. If the returned value is positive then it can be used
+on the next call to CMS_signed_get_attr_by_OBJ() as the value of I<lastpos> in
+order to iterate through the remaining attributes. I<lastpos> can be set to any
+negative value on the first call, in order to start searching from the start of
+the signed attribute list.
+
+CMS_signed_get_attr_by_NID() is similar to CMS_signed_get_attr_by_OBJ() except
+that it passes the numerical identifier (NID) I<nid> associated with the object.
+See <openssl/obj_mac.h> for a list of NID_*.
+
+CMS_signed_get_attr() returns the B<X509_ATTRIBUTE> object at index I<loc> in the
+I<si> signed attribute list. I<loc> should be in the range from 0 to
+CMS_signed_get_attr_count() - 1.
+
+CMS_signed_delete_attr() removes the B<X509_ATTRIBUTE> object at index I<loc> in
+the I<si> signed attribute list. An error occurs if the I<si> attribute list
+is NULL.
+
+CMS_signed_add1_attr() pushes a copy of the passed in B<X509_ATTRIBUTE> object
+to the I<si> signed attribute list. A new signed attribute list is created if
+required. An error occurs if I<attr> is NULL.
+
+CMS_signed_add1_attr_by_OBJ() creates a new signed B<X509_ATTRIBUTE> using
+X509_ATTRIBUTE_set1_object() and X509_ATTRIBUTE_set1_data() to assign a new
+I<obj> with type I<type> and data I<bytes> of length I<len> and then pushes it
+to the I<key> object's attribute list.
+
+CMS_signed_add1_attr_by_NID() is similar to CMS_signed_add1_attr_by_OBJ() except
+that it passes the numerical identifier (NID) I<nid> associated with the object.
+See <openssl/obj_mac.h> for a list of NID_*.
+
+CMS_signed_add1_attr_by_txt() is similar to CMS_signed_add1_attr_by_OBJ()
+except that it passes a name I<attrname> associated with the object.
+See <openssl/obj_mac.h> for a list of SN_* names.
+
+CMS_signed_get0_data_by_OBJ() finds the first attribute in a I<si> signed
+attributes list that matches the I<obj> starting at index I<lastpos>
+and returns the data retrieved from the found attributes first B<ASN1_TYPE>
+object. An error will occur if the attribute type I<type> does not match the
+type of the B<ASN1_TYPE> object OR if I<type> is either B<V_ASN1_BOOLEAN> or
+B<V_ASN1_NULL> OR the attribute is not found.
+If I<lastpos> is less than -1 then an error will occur if there are multiple
+objects in the signed attribute list that match I<obj>.
+If I<lastpos> is less than -2 then an error will occur if there is more than
+one B<ASN1_TYPE> object in the found signed attribute.
+
+Refer to L<X509_ATTRIBUTE(3)> for information related to attributes.
+
+=head1 RETURN VALUES
+
+The CMS_unsigned_XXX() functions return values are similar to those of the
+equivalent CMS_signed_XXX() functions.
+
+CMS_signed_get_attr_count() returns the number of signed attributes in the
+SignerInfo I<si>, or -1 if the signed attribute list is NULL.
+
+CMS_signed_get_attr_by_OBJ() returns -1 if either the signed attribute list of
+I<si> is empty OR if I<obj> is not found, otherwise it returns the location of
+the I<obj> in the SignerInfo's I<si> signed attribute list.
+
+CMS_signed_get_attr_by_NID() is similar to CMS_signed_get_attr_by_OBJ() except
+that it returns -2 if the I<nid> is not known by OpenSSL.
+
+CMS_signed_get_attr() returns either a signed B<X509_ATTRIBUTE> or NULL on error.
+
+CMS_signed_delete_attr() returns either the removed signed B<X509_ATTRIBUTE> or
+NULL if there is a error.
+
+CMS_signed_add1_attr(), CMS_signed_add1_attr_by_OBJ(),
+CMS_signed_add1_attr_by_NID(), CMS_signed_add1_attr_by_txt(),
+return 1 on success or 0 on error.
+
+CMS_signed_get0_data_by_OBJ() returns the data retrieved from the found
+signed attributes first B<ASN1_TYPE> object, or NULL if an error occurs.
+
+=head1 NOTES
+
+Some attributes are added automatically during the signing process.
+
+Calling CMS_SignerInfo_sign() adds the NID_pkcs9_signingTime signed
+attribute.
+
+Calling CMS_final(), CMS_final_digest() or CMS_dataFinal() adds the
+NID_pkcs9_messageDigest signed attribute.
+
+The NID_pkcs9_contentType signed attribute is always added if the
+NID_pkcs9_signingTime attribute is added.
+
+Calling CMS_sign_ex(), CMS_sign_receipt() or CMS_add1_signer() may add
+attributes depending on the flags parameter. See L<CMS_add1_signer(3)> for
+more information.
+
+OpenSSL applies special rules for the following attribute NIDs:
+
+=over 4
+
+=item CMS Signed Attributes
+
+NID_pkcs9_contentType
+NID_pkcs9_messageDigest
+NID_pkcs9_signingTime
+
+=item ESS Signed Attributes
+
+NID_id_smime_aa_signingCertificate
+NID_id_smime_aa_signingCertificateV2
+NID_id_smime_aa_receiptRequest
+
+=item CMS Unsigned Attributes
+
+NID_pkcs9_countersignature
+
+=back
+
+CMS_signed_add1_attr(), CMS_signed_add1_attr_by_OBJ(),
+CMS_signed_add1_attr_by_NID(), CMS_signed_add1_attr_by_txt()
+and the equivalent CMS_unsigned_add1_attrXXX() functions allow
+duplicate attributes to be added. The attribute rules are not checked
+during these function calls, and are deferred until the sign or verify process
+(i.e. during calls to any of CMS_sign_ex(), CMS_sign(), CMS_sign_receipt(),
+CMS_add1_signer(), CMS_Final(), CMS_dataFinal(), CMS_final_digest(),
+CMS_verify(), CMS_verify_receipt() or CMS_SignedData_verify()).
+
+For CMS attribute rules see RFC 5652 Section 11.
+For ESS attribute rules see RFC 2634 Section 1.3.4 and RFC 5035 Section 5.4.
+
+=head1 SEE ALSO
+
+L<X509_ATTRIBUTE(3)>
+
+=head1 COPYRIGHT
+
+Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/DH_generate_parameters.pod b/doc/man3/DH_generate_parameters.pod
index 1098a161..9c1dff7a 100644
--- a/doc/man3/DH_generate_parameters.pod
+++ b/doc/man3/DH_generate_parameters.pod
@@ -128,6 +128,10 @@ The parameter B<j> is invalid.
=back
+If 0 is returned or B<*codes> is set to a nonzero value the supplied
+parameters should not be used for Diffie-Hellman operations otherwise
+the security properties of the key exchange are not guaranteed.
+
DH_check_ex(), DH_check_params() and DH_check_pub_key_ex() are similar to
DH_check() and DH_check_params() respectively, but the error reasons are added
to the thread's error queue instead of provided as return values from the
@@ -160,7 +164,7 @@ DH_generate_parameters_ex() instead.
=head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/DSA_generate_parameters.pod b/doc/man3/DSA_generate_parameters.pod
index 415c4c8b..a10dc9ba 100644
--- a/doc/man3/DSA_generate_parameters.pod
+++ b/doc/man3/DSA_generate_parameters.pod
@@ -51,7 +51,7 @@ called as shown below. For information on the BN_GENCB structure and the
BN_GENCB_call function discussed below, refer to
L<BN_generate_prime(3)>.
-DSA_generate_prime() is similar to DSA_generate_prime_ex() but
+DSA_generate_parameters() is similar to DSA_generate_parameters_ex() but
expects an old-style callback function; see
L<BN_generate_prime(3)> for information on the old-style callback.
@@ -126,7 +126,7 @@ DSA_generate_parameters_ex() instead.
=head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod
index 886cbdfb..12d7153d 100644
--- a/doc/man3/EVP_EncryptInit.pod
+++ b/doc/man3/EVP_EncryptInit.pod
@@ -359,7 +359,12 @@ exists.
=item EVP_EncryptUpdate()
Encrypts I<inl> bytes from the buffer I<in> and writes the encrypted version to
-I<out>. This function can be called multiple times to encrypt successive blocks
+I<out>. The pointers I<out> and I<in> may point to the same location, in which
+case the encryption will be done in-place. If I<out> and I<in> point to different
+locations, the two buffers must be disjoint, otherwise the operation might fail
+or the outcome might be undefined.
+
+This function can be called multiple times to encrypt successive blocks
of data. The amount of data written depends on the block alignment of the
encrypted data.
For most ciphers and modes, the amount of data written can be anything
@@ -368,10 +373,9 @@ For wrap cipher modes, the amount of data written can be anything
from zero bytes to (inl + cipher_block_size) bytes.
For stream ciphers, the amount of data written can be anything from zero
bytes to inl bytes.
-Thus, I<out> should contain sufficient room for the operation being performed.
-The actual number of bytes written is placed in I<outl>. It also
-checks if I<in> and I<out> are partially overlapping, and if they are
-0 is returned to indicate failure.
+Thus, the buffer pointed to by I<out> must contain sufficient room for the
+operation being performed.
+The actual number of bytes written is placed in I<outl>.
If padding is enabled (the default) then EVP_EncryptFinal_ex() encrypts
the "final" data, that is any data that remains in a partial block.
diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod
index 56ac92a4..d1281dfc 100644
--- a/doc/man3/EVP_MAC.pod
+++ b/doc/man3/EVP_MAC.pod
@@ -145,6 +145,9 @@ the key. If I<key> is NULL, the key must be set via I<params> either
as part of this call or separately using EVP_MAC_CTX_set_params().
Providing non-NULL I<params> to this function is equivalent to calling
EVP_MAC_CTX_set_params() with those I<params> for the same I<ctx> beforehand.
+Note: There are additional requirements for some MAC algorithms during
+re-initalization (i.e. calling EVP_MAC_init() on an EVP_MAC after EVP_MAC_final()
+has been called on the same object). See the NOTES section below.
EVP_MAC_init() should be called before EVP_MAC_update() and EVP_MAC_final().
@@ -342,6 +345,13 @@ not be considered a breaking change to the API.
The usage of the parameter names "custom", "iv" and "salt" correspond to
the names used in the standard where the algorithm was defined.
+Some MAC algorithms store internal state that cannot be extracted during
+re-initalization. For example GMAC cannot extract an B<IV> from the
+underlying CIPHER context, and so calling EVP_MAC_init() on an EVP_MAC object
+after EVP_MAC_final() has been called cannot reset its cipher state to what it
+was when the B<IV> was initially generated. For such instances, an
+B<OSSL_MAC_PARAM_IV> parameter must be passed with each call to EVP_MAC_init().
+
=head1 RETURN VALUES
EVP_MAC_fetch() returns a pointer to a newly fetched B<EVP_MAC>, or
@@ -481,7 +491,7 @@ These functions were added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2018-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_PKEY_get_attr.pod b/doc/man3/EVP_PKEY_get_attr.pod
new file mode 100644
index 00000000..30477b87
--- /dev/null
+++ b/doc/man3/EVP_PKEY_get_attr.pod
@@ -0,0 +1,113 @@
+=pod
+
+=head1 NAME
+
+EVP_PKEY_get_attr,
+EVP_PKEY_get_attr_count,
+EVP_PKEY_get_attr_by_NID, EVP_PKEY_get_attr_by_OBJ,
+EVP_PKEY_delete_attr,
+EVP_PKEY_add1_attr,
+EVP_PKEY_add1_attr_by_OBJ, EVP_PKEY_add1_attr_by_NID, EVP_PKEY_add1_attr_by_txt
+- EVP_PKEY B<X509_ATTRIBUTE> functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+ int EVP_PKEY_get_attr_count(const EVP_PKEY *key);
+ int EVP_PKEY_get_attr_by_NID(const EVP_PKEY *key, int nid, int lastpos);
+ int EVP_PKEY_get_attr_by_OBJ(const EVP_PKEY *key, const ASN1_OBJECT *obj,
+ int lastpos);
+ X509_ATTRIBUTE *EVP_PKEY_get_attr(const EVP_PKEY *key, int loc);
+ X509_ATTRIBUTE *EVP_PKEY_delete_attr(EVP_PKEY *key, int loc);
+ int EVP_PKEY_add1_attr(EVP_PKEY *key, X509_ATTRIBUTE *attr);
+ int EVP_PKEY_add1_attr_by_OBJ(EVP_PKEY *key,
+ const ASN1_OBJECT *obj, int type,
+ const unsigned char *bytes, int len);
+ int EVP_PKEY_add1_attr_by_NID(EVP_PKEY *key,
+ int nid, int type,
+ const unsigned char *bytes, int len);
+ int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key,
+ const char *attrname, int type,
+ const unsigned char *bytes, int len);
+
+=head1 DESCRIPTION
+
+These functions are used by B<PKCS12>.
+
+EVP_PKEY_get_attr_by_OBJ() finds the location of the first matching object I<obj>
+in the I<key> attribute list. The search starts at the position after I<lastpos>.
+If the returned value is positive then it can be used on the next call to
+EVP_PKEY_get_attr_by_OBJ() as the value of I<lastpos> in order to iterate through
+the remaining attributes. I<lastpos> can be set to any negative value on the
+first call, in order to start searching from the start of the attribute list.
+
+EVP_PKEY_get_attr_by_NID() is similar to EVP_PKEY_get_attr_by_OBJ() except that
+it passes the numerical identifier (NID) I<nid> associated with the object.
+See <openssl/obj_mac.h> for a list of NID_*.
+
+EVP_PKEY_get_attr() returns the B<X509_ATTRIBUTE> object at index I<loc> in the
+I<key> attribute list. I<loc> should be in the range from 0 to
+EVP_PKEY_get_attr_count() - 1.
+
+EVP_PKEY_delete_attr() removes the B<X509_ATTRIBUTE> object at index I<loc> in
+the I<key> attribute list.
+
+EVP_PKEY_add1_attr() pushes a copy of the passed in B<X509_ATTRIBUTE> object
+to the I<key> attribute list. A new I<key> attribute list is created if required.
+An error occurs if either I<attr> is NULL, or the attribute already exists.
+
+EVP_PKEY_add1_attr_by_OBJ() creates a new B<X509_ATTRIBUTE> using
+X509_ATTRIBUTE_set1_object() and X509_ATTRIBUTE_set1_data() to assign a new
+I<obj> with type I<type> and data I<bytes> of length I<len> and then pushes it
+to the I<key> object's attribute list. If I<obj> already exists in the attribute
+list then an error occurs.
+
+EVP_PKEY_add1_attr_by_NID() is similar to EVP_PKEY_add1_attr_by_OBJ() except
+that it passes the numerical identifier (NID) I<nid> associated with the object.
+See <openssl/obj_mac.h> for a list of NID_*.
+
+EVP_PKEY_add1_attr_by_txt() is similar to EVP_PKEY_add1_attr_by_OBJ() except
+that it passes a name I<attrname> associated with the object.
+See <openssl/obj_mac.h> for a list of SN_* names.
+
+=head1 RETURN VALUES
+
+EVP_PKEY_get_attr_count() returns the number of attributes in the I<key> object
+attribute list or -1 if the attribute list is NULL.
+
+EVP_PKEY_get_attr_by_OBJ() returns -1 if either the list is empty OR the object
+is not found, otherwise it returns the location of the object in the list.
+
+EVP_PKEY_get_attr_by_NID() is similar to EVP_PKEY_get_attr_by_OBJ(), except that
+it returns -2 if the I<nid> is not known by OpenSSL.
+
+EVP_PKEY_get_attr() returns either a B<X509_ATTRIBUTE> or NULL if there is a
+error.
+
+EVP_PKEY_delete_attr() returns either the removed B<X509_ATTRIBUTE> or NULL if
+there is a error.
+
+EVP_PKEY_add1_attr(), EVP_PKEY_add1_attr_by_OBJ(), EVP_PKEY_add1_attr_by_NID()
+and EVP_PKEY_add1_attr_by_txt() return 1 on success or 0 otherwise.
+
+=head1 NOTES
+
+A B<EVP_PKEY> object's attribute list is initially NULL. All the above functions
+listed will return an error unless EVP_PKEY_add1_attr() is called.
+All functions listed assume that the I<key> is not NULL.
+
+=head1 SEE ALSO
+
+L<X509_ATTRIBUTE(3)>
+
+=head1 COPYRIGHT
+
+Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/EVP_aes_128_gcm.pod b/doc/man3/EVP_aes_128_gcm.pod
index 09cae991..485705ea 100644
--- a/doc/man3/EVP_aes_128_gcm.pod
+++ b/doc/man3/EVP_aes_128_gcm.pod
@@ -134,13 +134,7 @@ section for details.
EVP_aes_192_wrap(),
EVP_aes_256_wrap(),
EVP_aes_128_wrap_pad(),
-EVP_aes_128_wrap(),
-EVP_aes_192_wrap(),
-EVP_aes_256_wrap(),
EVP_aes_192_wrap_pad(),
-EVP_aes_128_wrap(),
-EVP_aes_192_wrap(),
-EVP_aes_256_wrap(),
EVP_aes_256_wrap_pad()
AES key wrap with 128, 192 and 256 bit keys, as according to RFC 3394 section
@@ -173,7 +167,7 @@ the XTS "tweak" value.
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-AES(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_aria_128_gcm.pod b/doc/man3/EVP_aria_128_gcm.pod
index 92913652..91aa75ec 100644
--- a/doc/man3/EVP_aria_128_gcm.pod
+++ b/doc/man3/EVP_aria_128_gcm.pod
@@ -96,7 +96,7 @@ correctly, see the L<EVP_EncryptInit(3)/AEAD Interface> section for details.
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-ARIA(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_bf_cbc.pod b/doc/man3/EVP_bf_cbc.pod
index 4df98f4b..11a90920 100644
--- a/doc/man3/EVP_bf_cbc.pod
+++ b/doc/man3/EVP_bf_cbc.pod
@@ -41,7 +41,7 @@ Blowfish encryption algorithm in CBC, CFB, ECB and OFB modes respectively.
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-BLOWFISH(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_blake2b512.pod b/doc/man3/EVP_blake2b512.pod
index 98e1899f..55bd9f3b 100644
--- a/doc/man3/EVP_blake2b512.pod
+++ b/doc/man3/EVP_blake2b512.pod
@@ -35,7 +35,7 @@ The BLAKE2b algorithm that produces a 512-bit output from a given input.
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-BLAKE2(7)> instead.
See L<crypto(7)/Performance> for further information.
While the BLAKE2b and BLAKE2s algorithms supports a variable length digest,
diff --git a/doc/man3/EVP_camellia_128_ecb.pod b/doc/man3/EVP_camellia_128_ecb.pod
index a6b59715..cb6e12e2 100644
--- a/doc/man3/EVP_camellia_128_ecb.pod
+++ b/doc/man3/EVP_camellia_128_ecb.pod
@@ -79,7 +79,7 @@ Camellia for 128, 192 and 256 bit keys in the following modes: CBC, CFB with
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-CAMELLIA(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_cast5_cbc.pod b/doc/man3/EVP_cast5_cbc.pod
index 85ff2ad0..7fef0598 100644
--- a/doc/man3/EVP_cast5_cbc.pod
+++ b/doc/man3/EVP_cast5_cbc.pod
@@ -41,7 +41,7 @@ CAST encryption algorithm in CBC, ECB, CFB and OFB modes respectively.
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-CAST(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_chacha20.pod b/doc/man3/EVP_chacha20.pod
index 683faa32..7e80c8de 100644
--- a/doc/man3/EVP_chacha20.pod
+++ b/doc/man3/EVP_chacha20.pod
@@ -44,7 +44,7 @@ L<EVP_EncryptInit(3)/AEAD Interface> section for more information.
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-CHACHA(7)> instead.
See L<crypto(7)/Performance> for further information.
L<RFC 7539|https://www.rfc-editor.org/rfc/rfc7539.html#section-2.4>
diff --git a/doc/man3/EVP_des_cbc.pod b/doc/man3/EVP_des_cbc.pod
index 501216cd..442be899 100644
--- a/doc/man3/EVP_des_cbc.pod
+++ b/doc/man3/EVP_des_cbc.pod
@@ -89,7 +89,7 @@ Triple-DES key wrap according to RFC 3217 Section 3.
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-DES(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_desx_cbc.pod b/doc/man3/EVP_desx_cbc.pod
index fae82719..c22c0de4 100644
--- a/doc/man3/EVP_desx_cbc.pod
+++ b/doc/man3/EVP_desx_cbc.pod
@@ -31,7 +31,7 @@ implementation.
Developers should be aware of the negative performance implications of
calling this function multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-DES(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_idea_cbc.pod b/doc/man3/EVP_idea_cbc.pod
index 5a9adaed..a36aae0b 100644
--- a/doc/man3/EVP_idea_cbc.pod
+++ b/doc/man3/EVP_idea_cbc.pod
@@ -39,7 +39,7 @@ The IDEA encryption algorithm in CBC, CFB, ECB and OFB modes respectively.
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-IDEA(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_md2.pod b/doc/man3/EVP_md2.pod
index 0b473887..a6f3a010 100644
--- a/doc/man3/EVP_md2.pod
+++ b/doc/man3/EVP_md2.pod
@@ -28,7 +28,7 @@ The MD2 algorithm which produces a 128-bit output from a given input.
Developers should be aware of the negative performance implications of
calling this function multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-MD2(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_md4.pod b/doc/man3/EVP_md4.pod
index baaff9e4..a4e1a7d0 100644
--- a/doc/man3/EVP_md4.pod
+++ b/doc/man3/EVP_md4.pod
@@ -29,7 +29,7 @@ The MD4 algorithm which produces a 128-bit output from a given input.
Developers should be aware of the negative performance implications of
calling this function multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-MD4(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_md5.pod b/doc/man3/EVP_md5.pod
index 752fdd1f..42370fb3 100644
--- a/doc/man3/EVP_md5.pod
+++ b/doc/man3/EVP_md5.pod
@@ -40,7 +40,7 @@ WARNING: this algorithm is not intended for non-SSL usage.
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-MD5(7)> or L<EVP_MD-MD5-SHA1(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_mdc2.pod b/doc/man3/EVP_mdc2.pod
index e9de6f3c..3681bd06 100644
--- a/doc/man3/EVP_mdc2.pod
+++ b/doc/man3/EVP_mdc2.pod
@@ -30,7 +30,7 @@ The MDC-2DES algorithm of using MDC-2 with the DES block cipher. It produces a
Developers should be aware of the negative performance implications of
calling this function multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-MDC2(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_rc2_cbc.pod b/doc/man3/EVP_rc2_cbc.pod
index bf4a13ba..17f6f4b3 100644
--- a/doc/man3/EVP_rc2_cbc.pod
+++ b/doc/man3/EVP_rc2_cbc.pod
@@ -55,7 +55,7 @@ functions to set the key length and effective key length.
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-RC2(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_rc4.pod b/doc/man3/EVP_rc4.pod
index f22e88a6..0311ef27 100644
--- a/doc/man3/EVP_rc4.pod
+++ b/doc/man3/EVP_rc4.pod
@@ -47,7 +47,7 @@ interface.
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-RC4(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_rc5_32_12_16_cbc.pod b/doc/man3/EVP_rc5_32_12_16_cbc.pod
index c177b184..69fc2f2c 100644
--- a/doc/man3/EVP_rc5_32_12_16_cbc.pod
+++ b/doc/man3/EVP_rc5_32_12_16_cbc.pod
@@ -60,7 +60,7 @@ is an int.
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-RC5(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_ripemd160.pod b/doc/man3/EVP_ripemd160.pod
index 6ad2d3e0..5b96fd09 100644
--- a/doc/man3/EVP_ripemd160.pod
+++ b/doc/man3/EVP_ripemd160.pod
@@ -29,7 +29,7 @@ The RIPEMD-160 algorithm which produces a 160-bit output from a given input.
Developers should be aware of the negative performance implications of
calling this function multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-RIPEMD160(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_seed_cbc.pod b/doc/man3/EVP_seed_cbc.pod
index 010607e5..2c821d07 100644
--- a/doc/man3/EVP_seed_cbc.pod
+++ b/doc/man3/EVP_seed_cbc.pod
@@ -41,7 +41,7 @@ The SEED encryption algorithm in CBC, CFB, ECB and OFB modes respectively.
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-SEED(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_sha1.pod b/doc/man3/EVP_sha1.pod
index 264ddd1a..6fc8f07b 100644
--- a/doc/man3/EVP_sha1.pod
+++ b/doc/man3/EVP_sha1.pod
@@ -29,7 +29,7 @@ The SHA-1 algorithm which produces a 160-bit output from a given input.
Developers should be aware of the negative performance implications of
calling this function multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-SHA1(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_sha224.pod b/doc/man3/EVP_sha224.pod
index 7a50cf9b..be09e49e 100644
--- a/doc/man3/EVP_sha224.pod
+++ b/doc/man3/EVP_sha224.pod
@@ -49,7 +49,7 @@ their outputs are of the same size.
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-SHA2(7)>instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_sha3_224.pod b/doc/man3/EVP_sha3_224.pod
index 5bb9ae1b..93c0d0b9 100644
--- a/doc/man3/EVP_sha3_224.pod
+++ b/doc/man3/EVP_sha3_224.pod
@@ -54,7 +54,7 @@ B<EVP_shake256> provides that of 256 bits.
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-SHA3(7)> or L<EVP_MD-SHAKE(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_sm3.pod b/doc/man3/EVP_sm3.pod
index 4e8112dc..65be55e8 100644
--- a/doc/man3/EVP_sm3.pod
+++ b/doc/man3/EVP_sm3.pod
@@ -28,7 +28,7 @@ The SM3 hash function.
Developers should be aware of the negative performance implications of
calling this function multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-SM3(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_sm4_cbc.pod b/doc/man3/EVP_sm4_cbc.pod
index b67ade54..48be7a31 100644
--- a/doc/man3/EVP_sm4_cbc.pod
+++ b/doc/man3/EVP_sm4_cbc.pod
@@ -45,7 +45,7 @@ respectively.
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-L<EVP_CIPHER_fetch(3)> instead.
+L<EVP_CIPHER_fetch(3)> with L<EVP_CIPHER-SM4(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/EVP_whirlpool.pod b/doc/man3/EVP_whirlpool.pod
index a9826e29..c5d465b1 100644
--- a/doc/man3/EVP_whirlpool.pod
+++ b/doc/man3/EVP_whirlpool.pod
@@ -30,7 +30,7 @@ input.
Developers should be aware of the negative performance implications of
calling this function multiple times and should consider using
-L<EVP_MD_fetch(3)> instead.
+L<EVP_MD_fetch(3)> with L<EVP_MD-WHIRLPOOL(7)> instead.
See L<crypto(7)/Performance> for further information.
=head1 RETURN VALUES
diff --git a/doc/man3/OPENSSL_LH_COMPFUNC.pod b/doc/man3/OPENSSL_LH_COMPFUNC.pod
index d3bb272c..688ef0ed 100644
--- a/doc/man3/OPENSSL_LH_COMPFUNC.pod
+++ b/doc/man3/OPENSSL_LH_COMPFUNC.pod
@@ -8,10 +8,12 @@ LHASH_DOALL_ARG_FN_TYPE,
IMPLEMENT_LHASH_HASH_FN, IMPLEMENT_LHASH_COMP_FN,
lh_TYPE_new, lh_TYPE_free, lh_TYPE_flush,
lh_TYPE_insert, lh_TYPE_delete, lh_TYPE_retrieve,
-lh_TYPE_doall, lh_TYPE_doall_arg, lh_TYPE_error,
+lh_TYPE_doall, lh_TYPE_doall_arg, lh_TYPE_num_items, lh_TYPE_get_down_load,
+lh_TYPE_set_down_load, lh_TYPE_error,
OPENSSL_LH_new, OPENSSL_LH_free, OPENSSL_LH_flush,
OPENSSL_LH_insert, OPENSSL_LH_delete, OPENSSL_LH_retrieve,
-OPENSSL_LH_doall, OPENSSL_LH_doall_arg, OPENSSL_LH_error
+OPENSSL_LH_doall, OPENSSL_LH_doall_arg, OPENSSL_LH_num_items,
+OPENSSL_LH_get_down_load, OPENSSL_LH_set_down_load, OPENSSL_LH_error
- dynamic hash table
=head1 SYNOPSIS
@@ -34,6 +36,10 @@ OPENSSL_LH_doall, OPENSSL_LH_doall_arg, OPENSSL_LH_error
void lh_TYPE_doall_arg(LHASH_OF(TYPE) *table, OPENSSL_LH_DOALL_FUNCARG func,
TYPE *arg);
+ unsigned long lh_TYPE_num_items(OPENSSL_LHASH *lh);
+ unsigned long lh_TYPE_get_down_load(OPENSSL_LHASH *lh);
+ void lh_TYPE_set_down_load(OPENSSL_LHASH *lh, unsigned long dl);
+
int lh_TYPE_error(LHASH_OF(TYPE) *table);
typedef int (*OPENSSL_LH_COMPFUNC)(const void *, const void *);
@@ -52,8 +58,14 @@ OPENSSL_LH_doall, OPENSSL_LH_doall_arg, OPENSSL_LH_error
void OPENSSL_LH_doall(OPENSSL_LHASH *lh, OPENSSL_LH_DOALL_FUNC func);
void OPENSSL_LH_doall_arg(OPENSSL_LHASH *lh, OPENSSL_LH_DOALL_FUNCARG func, void *arg);
+ unsigned long OPENSSL_LH_num_items(OPENSSL_LHASH *lh);
+ unsigned long OPENSSL_LH_get_down_load(OPENSSL_LHASH *lh);
+ void OPENSSL_LH_set_down_load(OPENSSL_LHASH *lh, unsigned long dl);
+
int OPENSSL_LH_error(OPENSSL_LHASH *lh);
+ #define LH_LOAD_MULT /* integer constant */
+
=head1 DESCRIPTION
This library implements type-checked dynamic hash tables. The hash
@@ -145,15 +157,6 @@ For example:
/* Then the hash table itself can be deallocated */
lh_TYPE_free(hashtable);
-When doing this, be careful if you delete entries from the hash table
-in your callbacks: the table may decrease in size, moving the item
-that you are currently on down lower in the hash table - this could
-cause some entries to be skipped during the iteration. The second
-best solution to this problem is to set hash-E<gt>down_load=0 before
-you start (which will stop the hash table ever decreasing in size).
-The best solution is probably to avoid deleting items from the hash
-table inside a "doall" callback!
-
B<lh_I<TYPE>_doall_arg>() is the same as B<lh_I<TYPE>_doall>() except that
I<func> will be called with I<arg> as the second argument and I<func>
should be of type B<LHASH_DOALL_ARG_FN>(B<I<TYPE>>) (a callback prototype
@@ -175,21 +178,47 @@ that is provided by the caller):
lh_TYPE_doall_arg(hashtable, LHASH_DOALL_ARG_FN(TYPE_print), BIO,
logging_bio);
+Note that it is by default B<not> safe to use B<lh_I<TYPE>_delete>() inside a
+callback passed to B<lh_I<TYPE>_doall>() or B<lh_I<TYPE>_doall_arg>(). The
+reason for this is that deleting an item from the hash table may result in the
+hash table being contracted to a smaller size and rehashed.
+B<lh_I<TYPE>_doall>() and B<lh_I<TYPE>_doall_arg>() are unsafe and will exhibit
+undefined behaviour under these conditions, as these functions assume the hash
+table size and bucket pointers do not change during the call.
+
+If it is desired to use B<lh_I<TYPE>_doall>() or B<lh_I<TYPE>_doall_arg>() with
+B<lh_I<TYPE>_delete>(), it is essential that you call
+B<lh_I<TYPE>_set_down_load>() with a I<down_load> argument of 0 first. This
+disables hash table contraction and guarantees that it will be safe to delete
+items from a hash table during a call to B<lh_I<TYPE>_doall>() or
+B<lh_I<TYPE>_doall_arg>().
+
+It is never safe to call B<lh_I<TYPE>_insert>() during a call to
+B<lh_I<TYPE>_doall>() or B<lh_I<TYPE>_doall_arg>().
B<lh_I<TYPE>_error>() can be used to determine if an error occurred in the last
operation.
+B<lh_I<TYPE>_num_items>() returns the number of items in the hash table.
+
+B<lh_I<TYPE>_get_down_load>() and B<lh_I<TYPE>_set_down_load>() get and set the
+factor used to determine when the hash table is contracted. The factor is the
+load factor at or below which hash table contraction will occur, multiplied by
+B<LH_LOAD_MULT>, where the load factor is the number of items divided by the
+number of nodes. Setting this value to 0 disables hash table contraction.
+
OPENSSL_LH_new() is the same as the B<lh_I<TYPE>_new>() except that it is not
type specific. So instead of returning an B<LHASH_OF(I<TYPE>)> value it returns
a B<void *>. In the same way the functions OPENSSL_LH_free(),
OPENSSL_LH_flush(), OPENSSL_LH_insert(), OPENSSL_LH_delete(),
-OPENSSL_LH_retrieve(), OPENSSL_LH_doall(), OPENSSL_LH_doall_arg(), and
-OPENSSL_LH_error() are equivalent to the similarly named B<lh_I<TYPE>> functions
-except that they return or use a B<void *> where the equivalent B<lh_I<TYPE>>
-function returns or uses a B<I<TYPE> *> or B<LHASH_OF(I<TYPE>) *>. B<lh_I<TYPE>>
-functions are implemented as type checked wrappers around the B<OPENSSL_LH>
-functions. Most applications should not call the B<OPENSSL_LH> functions
-directly.
+OPENSSL_LH_retrieve(), OPENSSL_LH_doall(), OPENSSL_LH_doall_arg(),
+OPENSSL_LH_num_items(), OPENSSL_LH_get_down_load(), OPENSSL_LH_set_down_load()
+and OPENSSL_LH_error() are equivalent to the similarly named B<lh_I<TYPE>>
+functions except that they return or use a B<void *> where the equivalent
+B<lh_I<TYPE>> function returns or uses a B<I<TYPE> *> or B<LHASH_OF(I<TYPE>) *>.
+B<lh_I<TYPE>> functions are implemented as type checked wrappers around the
+B<OPENSSL_LH> functions. Most applications should not call the B<OPENSSL_LH>
+functions directly.
=head1 RETURN VALUES
diff --git a/doc/man3/OSSL_PARAM_int.pod b/doc/man3/OSSL_PARAM_int.pod
index d357818f..105fe324 100644
--- a/doc/man3/OSSL_PARAM_int.pod
+++ b/doc/man3/OSSL_PARAM_int.pod
@@ -112,7 +112,7 @@ OSSL_PARAM_UNMODIFIED, OSSL_PARAM_modified, OSSL_PARAM_set_all_unmodified
A collection of utility functions that simplify and add type safety to the
L<OSSL_PARAM(3)> arrays. The following B<I<TYPE>> names are supported:
-=over 1
+=over 2
=item *
diff --git a/doc/man3/PKCS12_create.pod b/doc/man3/PKCS12_create.pod
index 92e58806..7048f131 100644
--- a/doc/man3/PKCS12_create.pod
+++ b/doc/man3/PKCS12_create.pod
@@ -57,9 +57,15 @@ export grade software which could use signing only keys of arbitrary size but
had restrictions on the permissible sizes of keys which could be used for
encryption.
-If a certificate contains an I<alias> or I<keyid> then this will be
-used for the corresponding B<friendlyName> or B<localKeyID> in the
-PKCS12 structure.
+If I<name> is B<NULL> and I<cert> contains an I<alias> then this will be
+used for the corresponding B<friendlyName> in the PKCS12 structure instead.
+Similarly, if I<pkey> is NULL and I<cert> contains a I<keyid> then this will be
+used for the corresponding B<localKeyID> in the PKCS12 structure instead of the
+id calculated from the I<pkey>.
+
+For all certificates in I<ca> then if a certificate contains an I<alias> or
+I<keyid> then this will be used for the corresponding B<friendlyName> or
+B<localKeyID> in the PKCS12 structure.
Either I<pkey>, I<cert> or both can be B<NULL> to indicate that no key or
certificate is required. In previous versions both had to be present or
@@ -101,7 +107,7 @@ standards.
=head1 COPYRIGHT
-Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/PKCS5_PBKDF2_HMAC.pod b/doc/man3/PKCS5_PBKDF2_HMAC.pod
index 0984e993..8b5feff9 100644
--- a/doc/man3/PKCS5_PBKDF2_HMAC.pod
+++ b/doc/man3/PKCS5_PBKDF2_HMAC.pod
@@ -33,7 +33,8 @@ be NULL terminated.
B<iter> is the iteration count and its value should be greater than or
equal to 1. RFC 2898 suggests an iteration count of at least 1000. Any
-B<iter> less than 1 is treated as a single iteration.
+B<iter> value less than 1 is invalid; such values will result in failure
+and raise the PROV_R_INVALID_ITERATION_COUNT error.
B<digest> is the message digest function used in the derivation.
PKCS5_PBKDF2_HMAC_SHA1() calls PKCS5_PBKDF2_HMAC() with EVP_sha1().
@@ -66,7 +67,7 @@ L<passphrase-encoding(7)>
=head1 COPYRIGHT
-Copyright 2014-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2014-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod b/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod
index 06cc1e4e..3913ea93 100644
--- a/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod
+++ b/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod
@@ -2,6 +2,7 @@
=head1 NAME
+SSL_CONF_CTX_finish,
SSL_CONF_CTX_set_ssl_ctx, SSL_CONF_CTX_set_ssl - set context to configure
=head1 SYNOPSIS
@@ -10,6 +11,7 @@ SSL_CONF_CTX_set_ssl_ctx, SSL_CONF_CTX_set_ssl - set context to configure
void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx);
void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl);
+ int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx);
=head1 DESCRIPTION
@@ -23,6 +25,10 @@ B<SSL> structure B<ssl>. Any previous B<SSL> or B<SSL_CTX> associated with
B<cctx> is cleared. Subsequent calls to SSL_CONF_cmd() will be sent to
B<ssl>.
+The function SSL_CONF_CTX_finish() must be called after all configuration
+operations have been completed. It is used to finalise any operations
+or to process defaults.
+
=head1 NOTES
The context need not be set or it can be set to B<NULL> in which case only
@@ -32,6 +38,8 @@ syntax checking of commands is performed, where possible.
SSL_CONF_CTX_set_ssl_ctx() and SSL_CTX_set_ssl() do not return a value.
+SSL_CONF_CTX_finish() returns 1 for success and 0 for failure.
+
=head1 SEE ALSO
L<ssl(7)>,
@@ -47,7 +55,7 @@ These functions were added in OpenSSL 1.0.2.
=head1 COPYRIGHT
-Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/SSL_CTX_set_info_callback.pod b/doc/man3/SSL_CTX_set_info_callback.pod
index 9cee6420..c1c6a67f 100644
--- a/doc/man3/SSL_CTX_set_info_callback.pod
+++ b/doc/man3/SSL_CTX_set_info_callback.pod
@@ -12,11 +12,15 @@ SSL_get_info_callback
#include <openssl/ssl.h>
- void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*callback)());
- void (*SSL_CTX_get_info_callback(const SSL_CTX *ctx))();
+ void SSL_CTX_set_info_callback(SSL_CTX *ctx,
+ void (*callback) (const SSL *ssl, int type, int val));
- void SSL_set_info_callback(SSL *ssl, void (*callback)());
- void (*SSL_get_info_callback(const SSL *ssl))();
+ void (*SSL_CTX_get_info_callback(SSL_CTX *ctx)) (const SSL *ssl, int type, int val);
+
+ void SSL_set_info_callback(SSL *ssl,
+ void (*callback) (const SSL *ssl, int type, int val));
+
+ void (*SSL_get_info_callback(const SSL *ssl)) (const SSL *ssl, int type, int val);
=head1 DESCRIPTION
@@ -119,7 +123,7 @@ SSL_get_info_callback() returns the current setting.
The following example callback function prints state strings, information
about alerts being handled and error messages to the B<bio_err> BIO.
- void apps_ssl_info_callback(SSL *s, int where, int ret)
+ void apps_ssl_info_callback(const SSL *s, int where, int ret)
{
const char *str;
int w = where & ~SSL_ST_MASK;
@@ -156,7 +160,7 @@ L<SSL_alert_type_string(3)>
=head1 COPYRIGHT
-Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod b/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod
index 5d178bb8..f289383c 100644
--- a/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod
+++ b/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod
@@ -42,8 +42,8 @@ ticket construction state according to RFC5077 Section 4 such that per session
state is unnecessary and a small set of cryptographic variables needs to be
maintained by the callback function implementation.
-In order to reuse a session, a TLS client must send the a session ticket
-extension to the server. The client can only send exactly one session ticket.
+In order to reuse a session, a TLS client must send the session ticket
+extension to the server. The client must send exactly one session ticket.
The server, through the callback function, either agrees to reuse the session
ticket information or it starts a full TLS handshake to create a new session
ticket.
diff --git a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod
index 0c6694d4..4799ada6 100644
--- a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod
+++ b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod
@@ -55,7 +55,7 @@ As generating DH parameters is extremely time consuming, an application
should not generate the parameters on the fly. DH parameters can be reused, as
the actual key is newly generated during the negotiation.
-Typically applications should use well know DH parameters that have built-in
+Typically applications should use well known DH parameters that have built-in
support in OpenSSL. The macros SSL_CTX_set_dh_auto() and SSL_set_dh_auto()
configure OpenSSL to use the default built-in DH parameters for the B<SSL_CTX>
and B<SSL> objects respectively. Passing a value of 1 in the I<onoff> parameter
diff --git a/doc/man3/SSL_get_error.pod b/doc/man3/SSL_get_error.pod
index a90b22d9..e5a50721 100644
--- a/doc/man3/SSL_get_error.pod
+++ b/doc/man3/SSL_get_error.pod
@@ -32,7 +32,9 @@ Some TLS implementations do not send a close_notify alert on shutdown.
On an unexpected EOF, versions before OpenSSL 3.0 returned
B<SSL_ERROR_SYSCALL>, nothing was added to the error stack, and errno was 0.
Since OpenSSL 3.0 the returned error is B<SSL_ERROR_SSL> with a meaningful
-error on the error stack.
+error on the error stack (SSL_R_UNEXPECTED_EOF_WHILE_READING). This error reason
+code may be used for control flow decisions (see the man page for
+L<ERR_GET_REASON(3)> for further details on this).
=head1 RETURN VALUES
@@ -180,7 +182,7 @@ The SSL_ERROR_WANT_CLIENT_HELLO_CB error code was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/SSL_get_peer_certificate.pod b/doc/man3/SSL_get_peer_certificate.pod
index b695edc6..1897a43e 100644
--- a/doc/man3/SSL_get_peer_certificate.pod
+++ b/doc/man3/SSL_get_peer_certificate.pod
@@ -10,10 +10,15 @@ SSL_get1_peer_certificate - get the X509 certificate of the peer
#include <openssl/ssl.h>
- X509 *SSL_get_peer_certificate(const SSL *ssl);
X509 *SSL_get0_peer_certificate(const SSL *ssl);
X509 *SSL_get1_peer_certificate(const SSL *ssl);
+The following function has been deprecated since OpenSSL 3.0,
+and can be hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable
+version value, see L<openssl_user_macros(7)>:
+
+ X509 *SSL_get_peer_certificate(const SSL *ssl);
+
=head1 DESCRIPTION
These functions return a pointer to the X509 certificate the
@@ -69,7 +74,7 @@ SSL_get_peer_certificate() was deprecated in 3.0.0.
=head1 COPYRIGHT
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/X509_ATTRIBUTE.pod b/doc/man3/X509_ATTRIBUTE.pod
new file mode 100644
index 00000000..f2f7597d
--- /dev/null
+++ b/doc/man3/X509_ATTRIBUTE.pod
@@ -0,0 +1,263 @@
+=pod
+
+=head1 NAME
+
+X509_ATTRIBUTE, X509at_get_attr,
+X509at_get_attr_count, X509at_get_attr_by_NID, X509at_get_attr_by_OBJ,
+X509at_delete_attr,
+X509at_add1_attr,
+X509at_add1_attr_by_OBJ, X509at_add1_attr_by_NID, X509at_add1_attr_by_txt,
+X509at_get0_data_by_OBJ,
+X509_ATTRIBUTE_create, X509_ATTRIBUTE_create_by_NID,
+X509_ATTRIBUTE_create_by_OBJ, X509_ATTRIBUTE_create_by_txt,
+X509_ATTRIBUTE_set1_object, X509_ATTRIBUTE_set1_data,
+X509_ATTRIBUTE_count,
+X509_ATTRIBUTE_get0_data, X509_ATTRIBUTE_get0_object, X509_ATTRIBUTE_get0_type
+- X509 attribute functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+ typedef struct x509_attributes_st X509_ATTRIBUTE;
+
+ int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x);
+ int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid,
+ int lastpos);
+ int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk,
+ const ASN1_OBJECT *obj, int lastpos);
+ X509_ATTRIBUTE *X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc);
+ X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc);
+ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
+ X509_ATTRIBUTE *attr);
+ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE)
+ **x, const ASN1_OBJECT *obj,
+ int type,
+ const unsigned char *bytes,
+ int len);
+ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE)
+ **x, int nid, int type,
+ const unsigned char *bytes,
+ int len);
+ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE)
+ **x, const char *attrname,
+ int type,
+ const unsigned char *bytes,
+ int len);
+ void *X509at_get0_data_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *x,
+ const ASN1_OBJECT *obj, int lastpos, int type);
+ X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value);
+ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
+ int atrtype, const void *data,
+ int len);
+ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
+ const ASN1_OBJECT *obj,
+ int atrtype, const void *data,
+ int len);
+ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
+ const char *atrname, int type,
+ const unsigned char *bytes,
+ int len);
+ int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj);
+ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype,
+ const void *data, int len);
+ void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, int atrtype,
+ void *data);
+ int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr);
+ ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr);
+ ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx);
+
+=head1 DESCRIPTION
+
+B<X509_ATTRIBUTE> objects are used by many standards including X509, X509_REQ,
+PKCS12, PKCS8, PKCS7 and CMS.
+
+The B<X509_ATTRIBUTE> object is used to represent the ASN.1 Attribute as defined
+in RFC 5280, i.e.
+
+ Attribute ::= SEQUENCE {
+ type AttributeType,
+ values SET OF AttributeValue }
+
+ AttributeType ::= OBJECT IDENTIFIER
+ AttributeValue ::= ANY -- DEFINED BY AttributeType
+
+For example CMS defines the signing-time attribute as:
+
+ id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
+ us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }
+
+ SigningTime ::= Time
+
+ Time ::= CHOICE {
+ utcTime UTCTime,
+ generalizedTime GeneralizedTime }
+
+In OpenSSL B<AttributeType> maps to an B<ASN1_OBJECT> object
+and B<AttributeValue> maps to a list of B<ASN1_TYPE> objects.
+
+The following functions are used for B<X509_ATTRIBUTE> objects.
+
+X509at_get_attr_by_OBJ() finds the location of the first matching object I<obj>
+in a list of attributes I<sk>. The search starts at the position after I<lastpos>.
+If the returned value is positive then it can be used on the next call to
+X509at_get_attr_by_OBJ() as the value of I<lastpos> in order to iterate through
+the remaining attributes. I<lastpos> can be set to any negative value on the
+first call, in order to start searching from the start of the list.
+
+X509at_get_attr_by_NID() is similar to X509at_get_attr_by_OBJ() except that it
+passes the numerical identifier (NID) I<nid> associated with the object.
+See <openssl/obj_mac.h> for a list of NID_*.
+
+X509at_get_attr() returns the B<X509_ATTRIBUTE> object at index I<loc> in the
+list of attributes I<x>. I<loc> should be in the range from 0 to
+X509at_get_attr_count() - 1.
+
+X509at_delete_attr() removes the B<X509_ATTRIBUTE> object at index I<loc> in
+the list of attributes I<x>.
+
+X509at_add1_attr() pushes a copy of the passed in B<X509_ATTRIBUTE> object
+to the list I<x>.
+Both I<x> and I<attr> must be non NULL or an error will occur.
+If I<*x> is NULL then a new list is created, otherwise it uses the
+passed in list. An error will occur if an existing attribute (with the same
+attribute type) already exists in the attribute list.
+
+X509at_add1_attr_by_OBJ() creates a new B<X509_ATTRIBUTE> using
+X509_ATTRIBUTE_set1_object() and X509_ATTRIBUTE_set1_data() to assign a new
+I<obj> with type I<type> and data I<bytes> of length I<len> and then pushes it
+to the attribute list I<x>. Both I<x> and I<attr> must be non NULL or an error
+will occur. If I<*x> is NULL then a new attribute list is created. If I<obj>
+already exists in the attribute list then an error occurs.
+
+X509at_add1_attr_by_NID() is similar to X509at_add1_attr_by_OBJ() except that it
+passes the numerical identifier (NID) I<nid> associated with the object.
+See <openssl/obj_mac.h> for a list of NID_*.
+
+X509at_add1_attr_by_txt() is similar to X509at_add1_attr_by_OBJ() except that it
+passes a name I<attrname> associated with the object.
+See <openssl/obj_mac.h> for a list of SN_* names.
+
+X509_ATTRIBUTE_set1_object() assigns a B<ASN1_OBJECT> I<obj>
+to the attribute I<attr>. If I<attr> contained an existing B<ASN1_OBJECT> then
+it is freed. An error occurs if either I<attr> or I<obj> are NULL, or if
+the passed in I<obj> cannot be duplicated.
+
+X509_ATTRIBUTE_set1_data() pushes a new B<ASN1_TYPE> object onto the I<attr>
+attributes list. The new object is assigned a copy of the data in I<data> of
+size I<len>.
+If I<attrtype> has flag I<MBSTRING_FLAG> set then a table lookup using the
+I<attr> attributes NID is used to set an B<ASN1_STRING> using
+ASN1_STRING_set_by_NID(), and the passed in I<data> must be in the format
+required for that object type or an error will occur.
+If I<len> is not -1 then internally ASN1_STRING_type_new() is
+used with the passed in I<attrtype>.
+If I<attrtype> is 0 the call does nothing except return 1.
+
+X509_ATTRIBUTE_create() creates a new B<X509_ATTRIBUTE> using the I<nid>
+to set the B<ASN1_OBJECT> OID and the I<atrtype> and I<value> to set the
+B<ASN1_TYPE>.
+
+X509_ATTRIBUTE_create_by_OBJ() uses X509_ATTRIBUTE_set1_object() and
+X509_ATTRIBUTE_set1_data() to assign a new I<obj> with type I<atrtype> and
+data I<data> of length I<len>. If the passed in attribute I<attr> OR I<*attr> is
+NULL then a new B<X509_ATTRIBUTE> will be returned, otherwise the passed in
+B<X509_ATTRIBUTE> is used. Note that the ASN1_OBJECT I<obj> is pushed onto the
+attributes existing list of objects, which could be an issue if the attributes
+<ASN1_OBJECT> was different.
+
+X509_ATTRIBUTE_create_by_NID() is similar to X509_ATTRIBUTE_create_by_OBJ()
+except that it passes the numerical identifier (NID) I<nid> associated with the
+object. See <openssl/obj_mac.h> for a list of NID_*.
+
+X509_ATTRIBUTE_create_by_txt() is similar to X509_ATTRIBUTE_create_by_OBJ()
+except that it passes a name I<atrname> associated with the
+object. See <openssl/obj_mac.h> for a list of SN_* names.
+
+X509_ATTRIBUTE_count() returns the number of B<ASN1_TYPE> objects in an
+attribute I<attr>.
+
+X509_ATTRIBUTE_get0_type() returns the B<ASN1_TYPE> object at index I<idx> in
+the attribute list I<attr>. I<idx> should be in the
+range of 0 to X509_ATTRIBUTE_count() - 1 or an error will occur.
+
+X509_ATTRIBUTE_get0_data() returns the data of an B<ASN1_TYPE> object at
+index I<idx> in the attribute I<attr>. I<data> is unused and can be set to NULL.
+An error will occur if the attribute type I<atrtype> does not match the type of
+the B<ASN1_TYPE> object at index I<idx> OR if I<atrtype> is either
+B<V_ASN1_BOOLEAN> or B<V_ASN1_NULL> OR if the I<idx> is not in the
+range 0 to X509_ATTRIBUTE_count() - 1.
+
+X509at_get0_data_by_OBJ() finds the first attribute in an attribute list I<x>
+that matches the I<obj> starting at index I<lastpos> and returns the data
+retrieved from the found attributes first B<ASN1_TYPE> object. An error will
+occur if the attribute type I<type> does not match the type of the B<ASN1_TYPE>
+object OR if I<type> is either B<V_ASN1_BOOLEAN> or B<V_ASN1_NULL> OR the
+attribute is not found.
+If I<lastpos> is less than -1 then an error will occur if there are multiple
+objects in the list I<x> that match I<obj>.
+If I<lastpos> is less than -2 then an error will occur if there is more than
+one B<ASN1_TYPE> object in the found attribute.
+
+=head1 RETURN VALUES
+
+X509at_get_attr_count() returns the number of attributes in the list I<x> or -1
+if I<x> is NULL.
+
+X509at_get_attr_by_OBJ() returns -1 if either the list is empty OR the object
+is not found, otherwise it returns the location of the object in the list.
+
+X509at_get_attr_by_NID() is similar to X509at_get_attr_by_OBJ(), except that
+it returns -2 if the I<nid> is not known by OpenSSL.
+
+X509at_get_attr() returns either an B<X509_ATTRIBUTE> or NULL if there is a error.
+
+X509at_delete_attr() returns either the removed B<X509_ATTRIBUTE> or NULL if
+there is a error.
+
+X509_ATTRIBUTE_count() returns -1 on error, otherwise it returns the number
+of B<ASN1_TYPE> elements.
+
+X509_ATTRIBUTE_get0_type() returns NULL on error, otherwise it returns a
+B<ASN1_TYPE> object.
+
+X509_ATTRIBUTE_get0_data() returns NULL if an error occurs,
+otherwise it returns the data associated with an B<ASN1_TYPE> object.
+
+X509_ATTRIBUTE_set1_object() and X509_ATTRIBUTE_set1_data() returns 1 on
+success, or 0 otherwise.
+
+X509_ATTRIBUTE_create(), X509_ATTRIBUTE_create_by_OBJ(),
+X509_ATTRIBUTE_create_by_NID() and X509_ATTRIBUTE_create_by_txt() return either
+a B<X509_ATTRIBUTE> on success, or NULL if there is a error.
+
+X509at_add1_attr(), X509at_add1_attr_by_OBJ(), X509at_add1_attr_by_NID() and
+X509at_add1_attr_by_txt() return NULL on error, otherwise they return a list
+of B<X509_ATTRIBUTE>.
+
+X509at_get0_data_by_OBJ() returns the data retrieved from the found attributes
+first B<ASN1_TYPE> object, or NULL if an error occurs.
+
+=head1 SEE ALSO
+
+L<ASN1_TYPE_get(3)>,
+L<ASN1_INTEGER_get(3)>,
+L<ASN1_ENUMERATED_get(3)>,
+L<ASN1_STRING_get0_data(3)>,
+L<ASN1_STRING_length(3)>,
+L<ASN1_STRING_type(3)>,
+L<X509_REQ_get_attr(3)>,
+L<EVP_PKEY_get_attr(3)>,
+L<CMS_signed_get_attr(3)>,
+L<PKCS8_pkey_get0_attrs(3)>,
+
+=head1 COPYRIGHT
+
+Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/X509_REQ_get_attr.pod b/doc/man3/X509_REQ_get_attr.pod
new file mode 100644
index 00000000..f2217bd5
--- /dev/null
+++ b/doc/man3/X509_REQ_get_attr.pod
@@ -0,0 +1,111 @@
+=pod
+
+=head1 NAME
+
+X509_REQ_get_attr_count,
+X509_REQ_get_attr_by_NID, X509_REQ_get_attr_by_OBJ, X509_REQ_get_attr,
+X509_REQ_delete_attr,
+X509_REQ_add1_attr, X509_REQ_add1_attr_by_OBJ, X509_REQ_add1_attr_by_NID,
+X509_REQ_add1_attr_by_txt
+- B<X509_ATTRIBUTE> support for signed certificate requests
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+ int X509_REQ_get_attr_count(const X509_REQ *req);
+ int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos);
+ int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, const ASN1_OBJECT *obj,
+ int lastpos);
+ X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc);
+ X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc);
+ int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr);
+ int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
+ const ASN1_OBJECT *obj, int type,
+ const unsigned char *bytes, int len);
+ int X509_REQ_add1_attr_by_NID(X509_REQ *req,
+ int nid, int type,
+ const unsigned char *bytes, int len);
+ int X509_REQ_add1_attr_by_txt(X509_REQ *req,
+ const char *attrname, int type,
+ const unsigned char *bytes, int len);
+
+=head1 DESCRIPTION
+
+X509_REQ_get_attr_by_OBJ() finds the location of the first matching object I<obj>
+in the I<req> attribute list. The search starts at the position after I<lastpos>.
+If the returned value is positive then it can be used on the next call to
+X509_REQ_get_attr_by_OBJ() as the value of I<lastpos> in order to iterate through
+the remaining attributes. I<lastpos> can be set to any negative value on the
+first call, in order to start searching from the start of the attribute list.
+
+X509_REQ_get_attr_by_NID() is similar to X509_REQ_get_attr_by_OBJ() except that
+it passes the numerical identifier (NID) I<nid> associated with the object.
+See <openssl/obj_mac.h> for a list of NID_*.
+
+X509_REQ_get_attr() returns the B<X509_ATTRIBUTE> object at index I<loc> in the
+I<req> attribute list. I<loc> should be in the range from 0 to
+X509_REQ_get_attr_count() - 1.
+
+X509_REQ_delete_attr() removes the B<X509_ATTRIBUTE> object at index I<loc> in
+the I<req> objects list of attributes. An error occurs if I<req> is NULL.
+
+X509_REQ_add1_attr() pushes a copy of the passed in B<X509_ATTRIBUTE> I<>attr>
+to the I<req> object's attribute list. An error will occur if either the
+attribute list is NULL or the attribute already exists.
+
+X509_REQ_add1_attr_by_OBJ() creates a new B<X509_ATTRIBUTE> using
+X509_ATTRIBUTE_set1_object() and X509_ATTRIBUTE_set1_data() to assign a new
+I<obj> with type I<type> and data I<bytes> of length I<len> and then pushes it
+to the I<req> object's attribute list. I<req> must be non NULL or an error
+will occur. If I<obj> already exists in the attribute list then an error occurs.
+
+X509_REQ_add1_attr_by_NID() is similar to X509_REQ_add1_attr_by_OBJ() except
+that it passes the numerical identifier (NID) I<nid> associated with the object.
+See <openssl/obj_mac.h> for a list of NID_*.
+
+X509_REQ_add1_attr_by_txt() is similar to X509_REQ_add1_attr_by_OBJ() except
+that it passes a name I<attrname> associated with the object.
+See <openssl/obj_mac.h> for a list of SN_* names.
+
+Refer to L<X509_ATTRIBUTE(3)> for information related to attributes.
+
+=head1 RETURN VALUES
+
+X509_REQ_get_attr_count() returns the number of attributes in the I<req> object
+attribute list or -1 if the attribute list is NULL.
+
+X509_REQ_get_attr_by_OBJ() returns -1 if either the I<req> object's attribute
+list is empty OR I<obj> is not found, otherwise it returns the location of the
+I<obj> in the attribute list.
+
+X509_REQ_get_attr_by_NID() is similar to X509_REQ_get_attr_by_OBJ(), except that
+it returns -2 if the I<nid> is not known by OpenSSL.
+
+X509_REQ_get_attr() returns either an B<X509_ATTRIBUTE> or NULL on error.
+
+X509_REQ_delete_attr() returns either the removed B<X509_ATTRIBUTE> or NULL if
+there is a error.
+
+X509_REQ_add1_attr(), X509_REQ_add1_attr_by_OBJ(), X509_REQ_add1_attr_by_NID()
+and X509_REQ_add1_attr_by_txt() return 1 on success or 0 on error.
+
+=head1 NOTES
+
+Any functions that modify the attributes (add or delete) internally set a flag
+to indicate the ASN.1 encoding has been modified.
+
+=head1 SEE ALSO
+
+L<X509_ATTRIBUTE(3)>
+
+=head1 COPYRIGHT
+
+Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/X509_REQ_get_extensions.pod b/doc/man3/X509_REQ_get_extensions.pod
new file mode 100644
index 00000000..00ab1e3c
--- /dev/null
+++ b/doc/man3/X509_REQ_get_extensions.pod
@@ -0,0 +1,50 @@
+=pod
+
+=head1 NAME
+
+X509_REQ_get_extensions,
+X509_REQ_add_extensions, X509_REQ_add_extensions_nid
+- handle X.509 extension attributes of a CSR
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req);
+ int X509_REQ_add_extensions(X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts);
+ int X509_REQ_add_extensions_nid(X509_REQ *req,
+ const STACK_OF(X509_EXTENSION) *exts, int nid);
+
+=head1 DESCRIPTION
+
+X509_REQ_get_extensions() returns the first list of X.509 extensions
+found in the attributes of I<req>.
+The returned list is empty if there are no such extensions in I<req>.
+The caller is responsible for freeing the list obtained.
+
+X509_REQ_add_extensions() adds to I<req> a list of X.509 extensions I<exts>,
+which must not be NULL, using the default B<NID_ext_req>.
+This function must not be called more than once on the same I<req>.
+
+X509_REQ_add_extensions_nid() is like X509_REQ_add_extensions()
+except that I<nid> is used to identify the extensions attribute.
+This function must not be called more than once with the same I<req> and I<nid>.
+
+=head1 RETURN VALUES
+
+X509_REQ_get_extensions() returns a pointer to B<STACK_OF(X509_EXTENSION)>
+or NULL on error.
+
+X509_REQ_add_extensions() and X509_REQ_add_extensions_nid()
+return 1 on success, 0 on error.
+
+=head1 COPYRIGHT
+
+Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod
index 1c9e4b95..849364e2 100644
--- a/doc/man3/X509_dup.pod
+++ b/doc/man3/X509_dup.pod
@@ -356,6 +356,15 @@ algorithms from providers. This created object can then be used when loading
binary data using B<d2i_I<TYPE>>().
B<I<TYPE>_dup>() copies an existing object, leaving it untouched.
+Note, however, that the internal representation of the object
+may contain (besides the ASN.1 structure) further data, which is not copied.
+For instance, an B<X509> object usually is augmented by cached information
+on X.509v3 extensions, etc., and losing it can lead to wrong validation results.
+To avoid such situations, better use B<I<TYPE>_up_ref>() if available.
+For the case of B<X509> objects, an alternative to using L<X509_up_ref(3)>
+may be to still call B<I<TYPE>_dup>(), e.g., I<copied_cert = X509_dup(cert)>,
+followed by I<X509_check_purpose(copied_cert, -1, 0)>,
+which re-builds the cached data.
B<I<TYPE>_free>() releases the object and all pointers and sub-objects
within it.
@@ -373,6 +382,10 @@ the object or NULL on failure.
B<I<TYPE>_print_ctx>() returns 1 on success or zero on failure.
+=head1 SEE ALSO
+
+L<X509_up_ref(3)>
+
=head1 HISTORY
The functions X509_REQ_new_ex(), X509_CRL_new_ex(), PKCS7_new_ex() and
@@ -383,7 +396,7 @@ deprecated in 3.0.
=head1 COPYRIGHT
-Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/d2i_PKCS8PrivateKey_bio.pod b/doc/man3/d2i_PKCS8PrivateKey_bio.pod
index 5b5371b7..51d8aa8c 100644
--- a/doc/man3/d2i_PKCS8PrivateKey_bio.pod
+++ b/doc/man3/d2i_PKCS8PrivateKey_bio.pod
@@ -8,7 +8,7 @@ i2d_PKCS8PrivateKey_nid_bio, i2d_PKCS8PrivateKey_nid_fp - PKCS#8 format private
=head1 SYNOPSIS
- #include <openssl/evp.h>
+ #include <openssl/pem.h>
EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u);
EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u);
@@ -64,7 +64,7 @@ L<passphrase-encoding(7)>
=head1 COPYRIGHT
-Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod
index 9226ef77..00efb603 100644
--- a/doc/man3/d2i_X509.pod
+++ b/doc/man3/d2i_X509.pod
@@ -390,10 +390,12 @@ to the returned structure is also written to I<*a>. If an error occurred
then NULL is returned.
On a successful return, if I<*a> is not NULL then it is assumed that I<*a>
-contains a valid B<I<TYPE>> structure and an attempt is made to reuse it. This
-"reuse" capability is present for historical compatibility but its use is
-B<strongly discouraged> (see BUGS below, and the discussion in the RETURN
-VALUES section).
+contains a valid B<I<TYPE>> structure and an attempt is made to reuse it.
+For B<I<TYPE>> structures where it matters it is possible to set up a library
+context on the decoded structure this way (see the B<EXAMPLES> section).
+However using the "reuse" capability for other purposes is B<strongly
+discouraged> (see B<BUGS> below, and the discussion in the B<RETURN VALUES>
+section).
B<d2i_I<TYPE>_bio>() is similar to B<d2i_I<TYPE>>() except it attempts
to parse data from BIO I<bp>.
@@ -538,6 +540,22 @@ Alternative technique:
if (d2i_X509(&x, &p, len) == NULL)
/* error */
+Setting up a library context and property query:
+
+ X509 *x;
+ unsigned char *buf;
+ const unsigned char *p;
+ int len;
+ OSSL_LIB_CTX *libctx = ....;
+ const char *propq = ....;
+
+ /* Set up buf and len to point to the input buffer. */
+ p = buf;
+ x = X509_new_ex(libctx, propq);
+
+ if (d2i_X509(&x, &p, len) == NULL)
+ /* error, x was freed and NULL assigned to it (see RETURN VALUES) */
+
=head1 WARNINGS
Using a temporary variable is mandatory. A common
diff --git a/doc/man7/EVP_CIPHER-AES.pod b/doc/man7/EVP_CIPHER-AES.pod
index 2c790d9c..3313245f 100644
--- a/doc/man7/EVP_CIPHER-AES.pod
+++ b/doc/man7/EVP_CIPHER-AES.pod
@@ -61,6 +61,19 @@ FIPS provider:
This implementation supports the parameters described in
L<EVP_EncryptInit(3)/PARAMETERS>.
+=head1 NOTES
+
+The AES-SIV and AES-WRAP mode implementations do not support streaming. That
+means to obtain correct results there can be only one L<EVP_EncryptUpdate(3)>
+or L<EVP_DecryptUpdate(3)> call after the initialization of the context.
+
+The AES-XTS implementations allow streaming to be performed, but each
+L<EVP_EncryptUpdate(3)> or L<EVP_DecryptUpdate(3)> call requires each input
+to be a multiple of the blocksize. Only the final EVP_EncryptUpdate() or
+EVP_DecryptUpdate() call can optionally have an input that is not a multiple
+of the blocksize but is larger than one block. In that case ciphertext
+stealing (CTS) is used to fill the block.
+
=head1 SEE ALSO
L<provider-cipher(7)>, L<OSSL_PROVIDER-FIPS(7)>, L<OSSL_PROVIDER-default(7)>
diff --git a/doc/man7/EVP_KDF-SS.pod b/doc/man7/EVP_KDF-SS.pod
index 7f158e42..c8d19691 100644
--- a/doc/man7/EVP_KDF-SS.pod
+++ b/doc/man7/EVP_KDF-SS.pod
@@ -53,7 +53,7 @@ This parameter is ignored for KMAC.
These parameters work as described in L<EVP_KDF(3)/PARAMETERS>.
-=item "key" (B<EVP_KDF_CTRL_SET_KEY>) <octet string>
+=item "key" (B<OSSL_KDF_PARAM_SECRET>) <octet string>
This parameter set the shared secret that is used for key derivation.
@@ -116,7 +116,7 @@ fixedinfo value "label" and salt "salt":
SN_hmac, strlen(SN_hmac));
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
SN_sha256, strlen(SN_sha256));
- *p++ = OSSL_PARAM_construct_octet_string(EVP_KDF_CTRL_SET_KEY,
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
"secret", (size_t)6);
*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
"label", (size_t)5);
@@ -143,7 +143,7 @@ fixedinfo value "label", salt of "salt" and KMAC outlen of 20:
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
SN_kmac128, strlen(SN_kmac128));
- *p++ = OSSL_PARAM_construct_octet_string(EVP_KDF_CTRL_SET_KEY,
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
"secret", (size_t)6);
*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
"label", (size_t)5);
diff --git a/doc/man7/EVP_MAC-BLAKE2.pod b/doc/man7/EVP_MAC-BLAKE2.pod
index 5557e153..f1106ef5 100644
--- a/doc/man7/EVP_MAC-BLAKE2.pod
+++ b/doc/man7/EVP_MAC-BLAKE2.pod
@@ -27,7 +27,8 @@ properties, to be used with EVP_MAC_fetch():
The general description of these parameters can be found in
L<EVP_MAC(3)/PARAMETERS>.
-All these parameters can be set with EVP_MAC_CTX_set_params().
+All these parameters (except for "block-size") can be set with
+EVP_MAC_CTX_set_params().
Furthermore, the "size" parameter can be retrieved with
EVP_MAC_CTX_get_params(), or with EVP_MAC_CTX_get_mac_size().
The length of the "size" parameter should not exceed that of a B<size_t>.
@@ -45,7 +46,7 @@ Setting this parameter is identical to passing a I<key> to L<EVP_MAC_init(3)>.
=item "custom" (B<OSSL_MAC_PARAM_CUSTOM>) <octet string>
-Sets the custom value.
+Sets the customization/personalization string.
It is an optional value of at most 16 bytes for BLAKE2BMAC or 8 for
BLAKE2SMAC, and is empty by default.
@@ -62,10 +63,10 @@ It can be any number between 1 and 32 for EVP_MAC_BLAKE2S or between 1
and 64 for EVP_MAC_BLAKE2B.
It is 32 and 64 respectively by default.
-=item "block-size" (B<OSSL_MAC_PARAM_SIZE>) <unsigned integer>
+=item "block-size" (B<OSSL_MAC_PARAM_BLOCK_SIZE>) <unsigned integer>
Gets the MAC block size.
-By default, it is 64 for EVP_MAC_BLAKE2S and 128 for EVP_MAC_BLAKE2B.
+It is 64 for EVP_MAC_BLAKE2S and 128 for EVP_MAC_BLAKE2B.
=back
diff --git a/doc/man7/EVP_MAC-CMAC.pod b/doc/man7/EVP_MAC-CMAC.pod
index cf80586f..0b1dc79e 100644
--- a/doc/man7/EVP_MAC-CMAC.pod
+++ b/doc/man7/EVP_MAC-CMAC.pod
@@ -62,7 +62,7 @@ The length of the "size" parameter is equal to that of an B<unsigned int>.
=over 4
-=item "block-size" (B<OSSL_MAC_PARAM_SIZE>) <unsigned integer>
+=item "block-size" (B<OSSL_MAC_PARAM_BLOCK_SIZE>) <unsigned integer>
Gets the MAC block size. The "block-size" parameter can also be retrieved with
EVP_MAC_CTX_get_block_size().
diff --git a/doc/man7/EVP_MAC-HMAC.pod b/doc/man7/EVP_MAC-HMAC.pod
index ea2eda9e..0e401710 100644
--- a/doc/man7/EVP_MAC-HMAC.pod
+++ b/doc/man7/EVP_MAC-HMAC.pod
@@ -76,7 +76,7 @@ The length of the "size" parameter is equal to that of an B<unsigned int>.
=over 4
-=item "block-size" (B<OSSL_MAC_PARAM_SIZE>) <unsigned integer>
+=item "block-size" (B<OSSL_MAC_PARAM_BLOCK_SIZE>) <unsigned integer>
Gets the MAC block size. The "block-size" parameter can also be retrieved with
EVP_MAC_CTX_get_block_size().
diff --git a/doc/man7/EVP_MAC-KMAC.pod b/doc/man7/EVP_MAC-KMAC.pod
index 1065c166..9c4fbc0b 100644
--- a/doc/man7/EVP_MAC-KMAC.pod
+++ b/doc/man7/EVP_MAC-KMAC.pod
@@ -27,7 +27,8 @@ properties, to be used with EVP_MAC_fetch():
The general description of these parameters can be found in
L<EVP_MAC(3)/PARAMETERS>.
-All these parameters can be set with EVP_MAC_CTX_set_params().
+All these parameters (except for "block-size") can be set with
+EVP_MAC_CTX_set_params().
Furthermore, the "size" parameter can be retrieved with
EVP_MAC_CTX_get_params(), or with EVP_MAC_CTX_get_mac_size().
The length of the "size" parameter should not exceed that of a B<size_t>.
@@ -45,18 +46,19 @@ The length of the key (in bytes) must be in the range 4...512.
=item "custom" (B<OSSL_MAC_PARAM_CUSTOM>) <octet string>
-Sets the custom value.
-It is an optional value with a length of at most 512 bytes, and is empty by default.
+Sets the customization string.
+It is an optional value with a length of at most 512 bytes, and is
+empty by default.
=item "size" (B<OSSL_MAC_PARAM_SIZE>) <unsigned integer>
Sets the MAC size.
-By default, it is 16 for C<KMAC-128> and 32 for C<KMAC-256>.
+By default, it is 32 for C<KMAC-128> and 64 for C<KMAC-256>.
-=item "block-size" (B<OSSL_MAC_PARAM_SIZE>) <unsigned integer>
+=item "block-size" (B<OSSL_MAC_PARAM_BLOCK_SIZE>) <unsigned integer>
Gets the MAC block size.
-By default, it is 168 for C<KMAC-128> and 136 for C<KMAC-256>.
+It is 168 for C<KMAC-128> and 136 for C<KMAC-256>.
=item "xof" (B<OSSL_MAC_PARAM_XOF>) <integer>
diff --git a/doc/man7/EVP_MD-SHAKE.pod b/doc/man7/EVP_MD-SHAKE.pod
index 8a31cd53..fc1822f9 100644
--- a/doc/man7/EVP_MD-SHAKE.pod
+++ b/doc/man7/EVP_MD-SHAKE.pod
@@ -10,8 +10,9 @@ EVP_MD-SHAKE, EVP_MD-KECCAK-KMAC
Support for computing SHAKE or KECCAK-KMAC digests through the
B<EVP_MD> API.
-KECCAK-KMAC is a special digest that's used by the KMAC EVP_MAC
-implementation (see L<EVP_MAC-KMAC(7)>).
+KECCAK-KMAC is an Extendable Output Function (XOF), with a definition
+similar to SHAKE, used by the KMAC EVP_MAC implementation (see
+L<EVP_MAC-KMAC(7)>).
=head2 Identities
@@ -22,21 +23,25 @@ provider, and includes the following varieties:
=item KECCAK-KMAC-128
-Known names are "KECCAK-KMAC-128" and "KECCAK-KMAC128"
-This is used by L<EVP_MAC-KMAC128(7)>
+Known names are "KECCAK-KMAC-128" and "KECCAK-KMAC128". This is used
+by L<EVP_MAC-KMAC128(7)>. Using the notation from NIST FIPS 202
+(Section 6.2), we have S<KECCAK-KMAC-128(M, d)> = S<KECCAK[256](M || 00, d)>
+(see the description of KMAC128 in Appendix A of NIST SP 800-185).
=item KECCAK-KMAC-256
-Known names are "KECCAK-KMAC-256" and "KECCAK-KMAC256"
-This is used by L<EVP_MAC-KMAC256(7)>
+Known names are "KECCAK-KMAC-256" and "KECCAK-KMAC256". This is used
+by L<EVP_MAC-KMAC256(7)>. Using the notation from NIST FIPS 202
+(Section 6.2), we have S<KECCAK-KMAC-256(M, d)> = S<KECCAK[512](M || 00, d)>
+(see the description of KMAC256 in Appendix A of NIST SP 800-185).
=item SHAKE-128
-Known names are "SHAKE-128" and "SHAKE128"
+Known names are "SHAKE-128" and "SHAKE128".
=item SHAKE-256
-Known names are "SHAKE-256" and "SHAKE256"
+Known names are "SHAKE-256" and "SHAKE256".
=back
diff --git a/doc/man7/EVP_PKEY-RSA.pod b/doc/man7/EVP_PKEY-RSA.pod
index 161e9d4d..dcd38fce 100644
--- a/doc/man7/EVP_PKEY-RSA.pod
+++ b/doc/man7/EVP_PKEY-RSA.pod
@@ -80,7 +80,7 @@ Up to eight additional "r_i" prime factors are supported.
=item "rsa-exponent10" (B<OSSL_PKEY_PARAM_RSA_EXPONENT10>) <unsigned integer>
RSA CRT (Chinese Remainder Theorem) exponents. The exponents are known
-as "dP", "dQ" and "d_i in RFC8017".
+as "dP", "dQ" and "d_i" in RFC8017.
Up to eight additional "d_i" exponents are supported.
=item "rsa-coefficient1" (B<OSSL_PKEY_PARAM_RSA_COEFFICIENT1>) <unsigned integer>
diff --git a/doc/man7/EVP_RAND-SEED-SRC.pod b/doc/man7/EVP_RAND-SEED-SRC.pod
index 516fa64f..56f4acd2 100644
--- a/doc/man7/EVP_RAND-SEED-SRC.pod
+++ b/doc/man7/EVP_RAND-SEED-SRC.pod
@@ -49,9 +49,10 @@ A context for the seed source can be obtained by calling:
OSSL_PARAM params[2], *p = params;
unsigned int strength = 128;
- /* Create a seed source */
+ /* Create and instantiate a seed source */
rand = EVP_RAND_fetch(NULL, "SEED-SRC", NULL);
seed = EVP_RAND_CTX_new(rand, NULL);
+ EVP_RAND_instantiate(seed, strength, 0, NULL, 0, NULL);
EVP_RAND_free(rand);
/* Feed this into a DRBG */
diff --git a/doc/man7/provider-cipher.pod b/doc/man7/provider-cipher.pod
index 14ff581c..eaad3cf2 100644
--- a/doc/man7/provider-cipher.pod
+++ b/doc/man7/provider-cipher.pod
@@ -148,9 +148,13 @@ It is the responsibility of the cipher implementation to handle input lengths
that are not multiples of the block length.
In such cases a cipher implementation will typically cache partial blocks of
input data until a complete block is obtained.
-I<out> may be the same location as I<in> but it should not partially overlap.
-The same expectations apply to I<outsize> as documented for
-L<EVP_EncryptUpdate(3)> and L<EVP_DecryptUpdate(3)>.
+The pointers I<out> and I<in> may point to the same location, in which
+case the encryption must be done in-place. If I<out> and I<in> point to different
+locations, the requirements of L<EVP_EncryptUpdate(3)> and L<EVP_DecryptUpdate(3)>
+guarantee that the two buffers are disjoint.
+Similarly, the requirements of L<EVP_EncryptUpdate(3)> and L<EVP_DecryptUpdate(3)>
+ensure that the buffer pointed to by I<out> contains sufficient room for the
+operation being performed.
OSSL_FUNC_cipher_final() completes an encryption or decryption started through previous
OSSL_FUNC_cipher_encrypt_init() or OSSL_FUNC_cipher_decrypt_init(), and OSSL_FUNC_cipher_update()
diff --git a/doc/man7/provider-keymgmt.pod b/doc/man7/provider-keymgmt.pod
index c6399b83..498ad9c4 100644
--- a/doc/man7/provider-keymgmt.pod
+++ b/doc/man7/provider-keymgmt.pod
@@ -360,7 +360,7 @@ length is specific to the key cryptosystem.
The value should be the maximum size that a caller should allocate to
safely store a signature (called I<sig> in L<provider-signature(7)>),
-the result of asymmmetric encryption / decryption (I<out> in
+the result of asymmetric encryption / decryption (I<out> in
L<provider-asym_cipher(7)>, a derived secret (I<secret> in
L<provider-keyexch(7)>, and similar data).
@@ -442,7 +442,7 @@ The KEYMGMT interface was introduced in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man7/provider-storemgmt.pod b/doc/man7/provider-storemgmt.pod
index cde95f66..f39f345f 100644
--- a/doc/man7/provider-storemgmt.pod
+++ b/doc/man7/provider-storemgmt.pod
@@ -162,12 +162,12 @@ fingerprint, computed with the given digest.
Indicates that the caller wants to search for an object with the given
alias (some call it a "friendly name").
-=item "properties" (B<OSSL_STORE_PARAM_PROPERTIES) <utf8 string>
+=item "properties" (B<OSSL_STORE_PARAM_PROPERTIES>) <utf8 string>
Property string to use when querying for algorithms such as the B<OSSL_DECODER>
decoder implementations.
-=item "input-type" (B<OSSL_STORE_PARAM_INPUT_TYPE) <utf8 string>
+=item "input-type" (B<OSSL_STORE_PARAM_INPUT_TYPE>) <utf8 string>
Type of the input format as a hint to use when decoding the objects in the
store.
diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h
index bb24d131..519327f7 100644
--- a/include/crypto/dherr.h
+++ b/include/crypto/dherr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/include/crypto/x509.h b/include/crypto/x509.h
index 631150b7..850e1575 100644
--- a/include/crypto/x509.h
+++ b/include/crypto/x509.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -367,4 +367,21 @@ EVP_PKEY *ossl_d2i_PUBKEY_legacy(EVP_PKEY **a, const unsigned char **pp,
int x509v3_add_len_value_uchar(const char *name, const unsigned char *value,
size_t vallen, STACK_OF(CONF_VALUE) **extlist);
+/* Attribute addition functions not checking for duplicate attributes */
+STACK_OF(X509_ATTRIBUTE) *ossl_x509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
+ X509_ATTRIBUTE *attr);
+STACK_OF(X509_ATTRIBUTE) *ossl_x509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
+ const ASN1_OBJECT *obj,
+ int type,
+ const unsigned char *bytes,
+ int len);
+STACK_OF(X509_ATTRIBUTE) *ossl_x509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
+ int nid, int type,
+ const unsigned char *bytes,
+ int len);
+STACK_OF(X509_ATTRIBUTE) *ossl_x509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
+ const char *attrname,
+ int type,
+ const unsigned char *bytes,
+ int len);
#endif /* OSSL_CRYPTO_X509_H */
diff --git a/include/internal/ffc.h b/include/internal/ffc.h
index c4f09087..e96f08d6 100644
--- a/include/internal/ffc.h
+++ b/include/internal/ffc.h
@@ -58,8 +58,11 @@
# define FFC_CHECK_INVALID_Q_VALUE 0x00020
# define FFC_CHECK_INVALID_J_VALUE 0x00040
-# define FFC_CHECK_BAD_LN_PAIR 0x00080
-# define FFC_CHECK_INVALID_SEED_SIZE 0x00100
+/*
+ * 0x80, 0x100 reserved by include/openssl/dh.h with check bits that are not
+ * relevant for FFC.
+ */
+
# define FFC_CHECK_MISSING_SEED_OR_COUNTER 0x00200
# define FFC_CHECK_INVALID_G 0x00400
# define FFC_CHECK_INVALID_PQ 0x00800
@@ -68,6 +71,8 @@
# define FFC_CHECK_Q_MISMATCH 0x04000
# define FFC_CHECK_G_MISMATCH 0x08000
# define FFC_CHECK_COUNTER_MISMATCH 0x10000
+# define FFC_CHECK_BAD_LN_PAIR 0x20000
+# define FFC_CHECK_INVALID_SEED_SIZE 0x40000
/* Validation Return codes */
# define FFC_ERROR_PUBKEY_TOO_SMALL 0x01
diff --git a/include/internal/refcount.h b/include/internal/refcount.h
index 3392d3b4..64fb77fb 100644
--- a/include/internal/refcount.h
+++ b/include/internal/refcount.h
@@ -134,14 +134,14 @@ static __inline int CRYPTO_DOWN_REF(volatile int *val, int *ret,
static __inline int CRYPTO_UP_REF(volatile int *val, int *ret,
ossl_unused void *lock)
{
- *ret = _InterlockedExchangeAdd(val, 1) + 1;
+ *ret = _InterlockedExchangeAdd((long volatile *)val, 1) + 1;
return 1;
}
static __inline int CRYPTO_DOWN_REF(volatile int *val, int *ret,
ossl_unused void *lock)
{
- *ret = _InterlockedExchangeAdd(val, -1) - 1;
+ *ret = _InterlockedExchangeAdd((long volatile *)val, -1) - 1;
return 1;
}
# endif
diff --git a/include/openssl/bio.h.in b/include/openssl/bio.h.in
index c521e41e..cdc395b7 100644
--- a/include/openssl/bio.h.in
+++ b/include/openssl/bio.h.in
@@ -844,7 +844,7 @@ int BIO_meth_set_puts(BIO_METHOD *biom,
int (*puts) (BIO *, const char *));
int (*BIO_meth_get_gets(const BIO_METHOD *biom)) (BIO *, char *, int);
int BIO_meth_set_gets(BIO_METHOD *biom,
- int (*gets) (BIO *, char *, int));
+ int (*ossl_gets) (BIO *, char *, int));
long (*BIO_meth_get_ctrl(const BIO_METHOD *biom)) (BIO *, int, long, void *);
int BIO_meth_set_ctrl(BIO_METHOD *biom,
long (*ctrl) (BIO *, int, long, void *));
diff --git a/include/openssl/cmserr.h b/include/openssl/cmserr.h
index d48c2a4a..f2d7708f 100644
--- a/include/openssl/cmserr.h
+++ b/include/openssl/cmserr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -113,6 +113,7 @@
# define CMS_R_UNSUPPORTED_LABEL_SOURCE 193
# define CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE 155
# define CMS_R_UNSUPPORTED_RECIPIENT_TYPE 154
+# define CMS_R_UNSUPPORTED_SIGNATURE_ALGORITHM 195
# define CMS_R_UNSUPPORTED_TYPE 156
# define CMS_R_UNWRAP_ERROR 157
# define CMS_R_UNWRAP_FAILURE 180
diff --git a/include/openssl/conferr.h b/include/openssl/conferr.h
index 496e2e1e..5dd4868a 100644
--- a/include/openssl/conferr.h
+++ b/include/openssl/conferr.h
@@ -38,6 +38,7 @@
# define CONF_R_NUMBER_TOO_LARGE 121
# define CONF_R_OPENSSL_CONF_REFERENCES_MISSING_SECTION 124
# define CONF_R_RECURSIVE_DIRECTORY_INCLUDE 111
+# define CONF_R_RECURSIVE_SECTION_REFERENCE 126
# define CONF_R_RELATIVE_PATH 125
# define CONF_R_SSL_COMMAND_SECTION_EMPTY 117
# define CONF_R_SSL_COMMAND_SECTION_NOT_FOUND 118
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index 6533260f..50e0cf54 100644
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -141,7 +141,7 @@ DECLARE_ASN1_ITEM(DHparams)
# define DH_GENERATOR_3 3
# define DH_GENERATOR_5 5
-/* DH_check error codes */
+/* DH_check error codes, some of them shared with DH_check_pub_key */
/*
* NB: These values must align with the equivalently named macros in
* internal/ffc.h.
@@ -151,10 +151,10 @@ DECLARE_ASN1_ITEM(DHparams)
# define DH_UNABLE_TO_CHECK_GENERATOR 0x04
# define DH_NOT_SUITABLE_GENERATOR 0x08
# define DH_CHECK_Q_NOT_PRIME 0x10
-# define DH_CHECK_INVALID_Q_VALUE 0x20
+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */
# define DH_CHECK_INVALID_J_VALUE 0x40
# define DH_MODULUS_TOO_SMALL 0x80
-# define DH_MODULUS_TOO_LARGE 0x100
+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */
/* DH_check_pub_key error codes */
# define DH_CHECK_PUBKEY_TOO_SMALL 0x01
diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
index 5d2a762a..074a7014 100644
--- a/include/openssl/dherr.h
+++ b/include/openssl/dherr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -50,6 +50,7 @@
# define DH_R_NO_PRIVATE_VALUE 100
# define DH_R_PARAMETER_ENCODING_ERROR 105
# define DH_R_PEER_KEY_ERROR 111
+# define DH_R_Q_TOO_LARGE 130
# define DH_R_SHARED_INFO_ERROR 113
# define DH_R_UNABLE_TO_CHECK_GENERATOR 121
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 49e8e1df..e64072f9 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -85,6 +85,8 @@
/* Easy to use macros for EVP_PKEY related selections */
# define EVP_PKEY_KEY_PARAMETERS \
( OSSL_KEYMGMT_SELECT_ALL_PARAMETERS )
+# define EVP_PKEY_PRIVATE_KEY \
+ ( EVP_PKEY_KEY_PARAMETERS | OSSL_KEYMGMT_SELECT_PRIVATE_KEY )
# define EVP_PKEY_PUBLIC_KEY \
( EVP_PKEY_KEY_PARAMETERS | OSSL_KEYMGMT_SELECT_PUBLIC_KEY )
# define EVP_PKEY_KEYPAIR \
diff --git a/include/openssl/pkcs7.h.in b/include/openssl/pkcs7.h.in
index f5c55a3f..006b38b6 100644
--- a/include/openssl/pkcs7.h.in
+++ b/include/openssl/pkcs7.h.in
@@ -1,7 +1,7 @@
/*
* {- join("\n * ", @autowarntext) -}
*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -57,8 +57,8 @@ typedef struct pkcs7_signer_info_st {
PKCS7_ISSUER_AND_SERIAL *issuer_and_serial;
X509_ALGOR *digest_alg;
STACK_OF(X509_ATTRIBUTE) *auth_attr; /* [ 0 ] */
- X509_ALGOR *digest_enc_alg;
- ASN1_OCTET_STRING *enc_digest;
+ X509_ALGOR *digest_enc_alg; /* confusing name, actually used for signing */
+ ASN1_OCTET_STRING *enc_digest; /* confusing name, actually signature */
STACK_OF(X509_ATTRIBUTE) *unauth_attr; /* [ 1 ] */
/* The private key to sign with */
EVP_PKEY *pkey;
diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums
index f55fa914..c45b0306 100644
--- a/providers/fips-sources.checksums
+++ b/providers/fips-sources.checksums
@@ -21,7 +21,7 @@ c56c324667b67d726e040d70379efba5b270e2937f403c1b5979018b836903c7 crypto/aes/asm
c7c6694480bb5319690f94826139a93f5c460ebea6dba101b520a76cb956ec93 crypto/aes/asm/aesni-x86_64.pl
f3a8f3c960c0f47aaa8fc2633d18b14e7c7feeccc536b0115a08bc58333122b6 crypto/aes/asm/aesp8-ppc.pl
e397a5781893e97dd90a5a52049633be12a43f379ec5751bca2a6350c39444c8 crypto/aes/asm/aest4-sparcv9.pl
-a097f9d71de7cefa8e93629033ff1986fb01128623ec051d9b5afef55c0e5ebb crypto/aes/asm/aesv8-armx.pl
+e3955352a92d56905d63e68937e4758f13190a14a10a3dcb1e5c641c49913c0c crypto/aes/asm/aesv8-armx.pl
5e8005fdb6641df465bdda20c3476f7176e6bcd63d5073044a0c02a327c7f172 crypto/aes/asm/bsaes-armv7.pl
0726a2c4c15c27a12b2f7d5e16863df4a1b1daa7b7d9b728f621b2b224d290e6 crypto/aes/asm/bsaes-x86_64.pl
1ff94d6bf6c8ae4809f64657eb89260fe3cb22137f649d3c73f72cb190258196 crypto/aes/asm/vpaes-armv8.pl
@@ -77,19 +77,19 @@ da7f7780d27eed164797e5334cd45b35d9c113e86afaca051463aef9a8fd787c crypto/bn/asm/
2893b6d03d4850d09c15959941b0759bbb50d8c20e873bed088e7cde4e15a65a crypto/bn/bn_ctx.c
d94295953ab91469fe2b9da2a542b8ea11ac38551ecde8f8202b7f645c2dea16 crypto/bn/bn_dh.c
74b63a4515894592b7241fb30b91b21510beaa3d397809e3d74bc9a73e879d18 crypto/bn/bn_div.c
-a29b8b7fa8460f11e50f880e3c3c9e0755b93889bcbb5476206c4d938a9c5735 crypto/bn/bn_exp.c
+49e59eac540db304ab0ca7bee3ba9d45f89548fff98155561bbdb6602d0aab1d crypto/bn/bn_exp.c
ec2b6e3af6df473a23e7f1a8522f2554cb0eb5d34e3282458c4a66d242278434 crypto/bn/bn_exp2.c
-1abab2cc5466b005b939d156e7d8664a4d42a191c9040dbb83941269d6844f0c crypto/bn/bn_gcd.c
-4d6cc7ed36978247a191df1eea0120f8ee97b639ba228793dabe5a8355a1a609 crypto/bn/bn_gf2m.c
+baba7c8ae95af6aa36bc9f4be3a2eed33d500451e568ca4bfc6bc7cb48d4f7ea crypto/bn/bn_gcd.c
+5fbb1ab8463cd5544a1d95cf7996b6387ae634984a42256b7a21482ce3ac30a2 crypto/bn/bn_gf2m.c
081e8a6abc23599307dab3b1a92113a65e0bf8717cbc40c970c7469350bc4581 crypto/bn/bn_intern.c
602ed46fbfe12c899dfb7d9d99ff0dbfff96b454fce3cd02817f3e2488dd9192 crypto/bn/bn_kron.c
bf73a1788a92142963177fb698bc518af9981bbf0ad9784701fbb2462ca10607 crypto/bn/bn_lib.c
d5beb9fbac2ff5dc3ccbdfa4d1aabca7225c778cff4e3b05b6d6c63e182637f5 crypto/bn/bn_local.h
-07247dc2ccc55f3be525baed92fd20031bbaa80fd0bc56155e80ee0da3fc943d crypto/bn/bn_mod.c
+96f98cdf50087c5b567c31bf2581728623206d79b3f97f5a0c5fdaa0009e6e3c crypto/bn/bn_mod.c
f60f3d49b183b04bcdf9b82f7c961b8c1bcb00e68a2c1166fe9edd95a783356e crypto/bn/bn_mont.c
2da73a76b746a47d8cf8ec8b3e0708c2a34e810abde4b4f1241a49e7f5bb2b60 crypto/bn/bn_mpi.c
76982b18b0803d59b33168b260677e7412970757d3b9513de5c80025290f211d crypto/bn/bn_mul.c
-1f65ad369352d51af1a75eccf598cb497b400ebd86252f5ca8aac54bbb3cc7bd crypto/bn/bn_nist.c
+b3677b73ac29aab660c9a549f7af154ca14347fac5cffd43b153a75211f1373f crypto/bn/bn_nist.c
c6760a724d696b7209f0a71f8483fabcf4f081f7e93e2628284c32ef78f69365 crypto/bn/bn_prime.c
c56ad3073108a0de21c5820a48beae2bccdbf5aa8075ec21738878222eb9adc3 crypto/bn/bn_prime.h
628419eabdb88b265823e43a7a1c88fdfecef79771180836f6089050dc9eadb1 crypto/bn/bn_rand.c
@@ -122,20 +122,20 @@ eeef5722ad56bf1af2ff71681bcc8b8525bc7077e973c98cee920ce9bcc66c81 crypto/des/ecb
61926e30dd940616e80936d1c94c5f522daf0d475fb3a40a9e589e78f322901e crypto/des/set_key.c
8344811b14d151f6cd40a7bc45c8f4a1106252b119c1d5e6a589a023f39b107d crypto/des/spr.h
816472a54c273906d0a2b58650e0b9d28cc2c8023d120f0d77160f1fe34c4ca3 crypto/dh/dh_backend.c
-d2d0569bea2598bd405f23b60e5283a6ce353f1145a25ff8f28cf15711743156 crypto/dh/dh_check.c
+24cf9462da6632c52b726041271f8a43dfb3f74414abe460d9cc9c7fd2fd2d7d crypto/dh/dh_check.c
7838e9a35870b0fbcba0aff2f52a2439f64d026e9922bce6e5978c2f22c51120 crypto/dh/dh_gen.c
6b17861887b2535159b9e6ca4f927767dad3e71b6e8be50055bc784f78e92d64 crypto/dh/dh_group_params.c
a5cf5cb464b40f1bc5457dc2a6f2c5ec0f050196603cd2ba7037a23ab64adbf7 crypto/dh/dh_kdf.c
-0afa7dd237f9b21b0cfb0de10505facd57eb07ded905d888d43a1de2356d4002 crypto/dh/dh_key.c
-b0046b2c4e1d74ff4e93f2486a00f63728909b8a75cbdd29b9100e607f97995c crypto/dh/dh_lib.c
+b0c248efc7dad48eaceb939a18cb2592cbfe5b02dd406592e5e590645488b153 crypto/dh/dh_key.c
+92345c259ea2a8c09e6d6b069d0942bd6ca4642231580f3e8148ae7a832a1115 crypto/dh/dh_lib.c
8300775d88db0a1aa26a77eb49d6c4f7252e7fee69e1440de4c40edadc9da044 crypto/dh/dh_local.h
bbcf4fc3067ac462a27d7277973180b7dc140df9262a686c7fbe4318ca01f7b8 crypto/dsa/dsa_backend.c
-b9c5992089203123c3fae46e39bb4d05e19854087bca7a30ad1f82a3505deec7 crypto/dsa/dsa_check.c
+d7e0d87494e3b3f0898a56785a219e87a2ce14416393ec32d8c0b5f539c7bdbf crypto/dsa/dsa_check.c
ae727bf6319eb57e682de35d75ea357921987953b3688365c710e7fba51c7c58 crypto/dsa/dsa_gen.c
b1de1624e590dbf76f76953802ff162cc8de7c5e2eaba897313c866424d6902b crypto/dsa/dsa_key.c
-9e436a2e0867920c3a5ac58bc14300cad4ab2c4c8fe5e40b355dfd21bfdfe146 crypto/dsa/dsa_lib.c
+9f4837c5abe53613a2dc1c5db81d073d4f42bd28b6a2d1e93a2b350d8e25d52a crypto/dsa/dsa_lib.c
f4d52d3897219786c6046bf76abb2f174655c584caa50272bf5d281720df5022 crypto/dsa/dsa_local.h
-38062c6eebdb2f88fa0c6592837a96a49de2ae520d3ad483a3e02921c8adb094 crypto/dsa/dsa_ossl.c
+c5c252f205482a71efeabe226d51a1c541a6ba2dfa9b8b8a70901087a9dc1667 crypto/dsa/dsa_ossl.c
d612fd05ff98816ba6cf37f84c0e31443ad9d840ed587a7ab2066027da390325 crypto/dsa/dsa_sign.c
53fa10cc87ac63e35df661882852dc46ae68e6fee83b842f1aeefe00b8900ee1 crypto/dsa/dsa_vrf.c
d9722ad8c6b6e209865a921f3cda831d09bf54a55cacd1edd9802edb6559190a crypto/ec/asm/ecp_nistp521-ppc64.pl
@@ -186,15 +186,15 @@ f686cea8c8a3259d95c1e6142813d9da47b6d624c62f26c7e4a16d5607cddb35 crypto/ec/ecds
f288c23b6f83740956886b2303c64d5a3098c98b530859c3bb4b698c01c1643b crypto/ec/ecp_nistz256.c
51cb98e7e9c241e33261589f0d74103238baaa850e333c61ff1da360e127518a crypto/ec/ecp_oct.c
b4b7c683279454ba41438f50a015cb63ef056ccb9be0168918dfbae00313dc68 crypto/ec/ecp_smpl.c
-2096e13aa2fbcb0d4b10faca3e3f5359cf66098b0397a6d74c6fca14f5dee659 crypto/ec/ecx_backend.c
+e2705097cfab64e8d7eb2feba37c3f12b18aec74b135ad0c7f073efccf336d4c crypto/ec/ecx_backend.c
5ee19c357c318b2948ff5d9118a626a6207af2b2eade7d8536051d4a522668d3 crypto/ec/ecx_backend.h
22c44f561ab42d1bd7fd3a3c538ebaba375a704f98056b035e7949d73963c580 crypto/ec/ecx_key.c
28abc295dad8888b5482eb61d31cd78dd80545ecb67dc6f9446a36deb8c40a5e crypto/evp/asymcipher.c
0e75a058dcbbb62cfe39fec6c4a85385dc1a8fce794e4278ce6cebb29763b82b crypto/evp/dh_support.c
1af3872164b4a4757bc7896a24b4d2f8eb2cfb4cba0d872a93db69975693e0a6 crypto/evp/digest.c
838277f228cd3025cf95a9cd435e5606ad1fb5d207bbb057aa29892e6a657c55 crypto/evp/ec_support.c
-1c3d1b1f800b1f1f5adb1fdbdd67cdf37ca7ea93b264d1468c72a63c140873ce crypto/evp/evp_enc.c
-7f10367f9b6191c4a8c01784130d26b2d778485a41cdac5fa17c9a1c4096f132 crypto/evp/evp_fetch.c
+61df3942752307b7006f09d7628348a0cc9e5555469a3a8862349067a52824b7 crypto/evp/evp_enc.c
+62c994fd91dc4a5a1a81dfa9391d6eadae62d3549b2e1b22acb2e7c4cd278f27 crypto/evp/evp_fetch.c
ebe32b2895f7f9767710674352c8949efe93b4bbb5e7b71c27bb5d1822339b46 crypto/evp/evp_lib.c
78f07bf50b6999611a4e9414ab3a20b219b0ab29ca2bd05002d6919a3f67b8eb crypto/evp/evp_local.h
117e679d49d2ae87e49d3c942ff0ce768959e8b9713f84a99025cabba462ccd5 crypto/evp/evp_rand.c
@@ -213,11 +213,11 @@ e7e8eb5683cd3fbd409df888020dc353b65ac291361829cc4131d5bc86c9fcb3 crypto/evp/mac
1f0e9e94e9b0ad322956521b438b78d44cfcd8eb974e8921d05f9e21ba1c05cf crypto/evp/pmeth_gn.c
76511fba789089a50ef87774817a5482c33633a76a94ecf7b6e8eb915585575d crypto/evp/pmeth_lib.c
4b2dbddf0f9ceed34c3822347138be754fb194febca1c21c46bcc3a5cce33674 crypto/evp/signature.c
-b06cb8fd4bd95aae1f66e1e145269c82169257f1a60ef0f78f80a3d4c5131fac crypto/ex_data.c
+f2acfb82aac20251d05a9c252cc6c282bd44e43feac4ac2e0faf68b9a38aef57 crypto/ex_data.c
1c8389c5d49616d491978f0f2b2a54ba82d805ec41c8f75c67853216953cf46a crypto/ffc/ffc_backend.c
a12af33e605315cdddd6d759e70cd9632f0f33682b9aa7103ed1ecd354fc7e55 crypto/ffc/ffc_dh.c
854378f57707e31ad02cca6eec94369f91f327288d3665713e249c12f7b13211 crypto/ffc/ffc_key_generate.c
-2695c9c8ad9193a8c1ab53d5d09712d50d12c91eb8d62e8a15cbc78f327afe84 crypto/ffc/ffc_key_validate.c
+4e973d956d4ec2087994de8e963be1a512da1441f22e6e7b9cd7ee536e3ff834 crypto/ffc/ffc_key_validate.c
8b72d5a7452b2c15aec6d20027053a83f7df89d49a3b6cfedd77e2b1a29e9fc1 crypto/ffc/ffc_params.c
1a1d227f9a0f427d2ec93bc646c726c9cd49a84a343b4aff0c9c744fa6df05a9 crypto/ffc/ffc_params_generate.c
73dac805abab36cd9df53a421221c71d06a366a4ce479fa788be777f11b47159 crypto/ffc/ffc_params_validate.c
@@ -225,7 +225,7 @@ a12af33e605315cdddd6d759e70cd9632f0f33682b9aa7103ed1ecd354fc7e55 crypto/ffc/ffc
0395c1b0834f2f4a0ca1756385f4dc1a4ef6fb925b2db3743df7f57256c5166f crypto/hmac/hmac_local.h
0e2d6129504d15ffaf5baa63158ccec0e4b6193a8275333956d8f868ef35127e crypto/ia64cpuid.S
f897493b50f4e9dd4cacb2a7accda6683c10ece602641874cdff1dac7128a751 crypto/initthread.c
-5482c47c266523129980302426d25839fda662f1544f4b684707e6b272a952c9 crypto/lhash/lhash.c
+7290d8d7ec31a98b17618f218d4f27b393501c7606c814a43db8af1975ad1d10 crypto/lhash/lhash.c
5d49ce00fc06df1b64cbc139ef45c71e0faf08a33f966bc608c82d574521a49e crypto/lhash/lhash_local.h
f866aafae928db1b439ac950dc90744a2397dfe222672fe68b3798396190c8b0 crypto/mem_clr.c
e14f48d4112c0efe3826b4aa390cc24045a85298cc551ec7f3f36ac4236d7d81 crypto/modes/asm/aes-gcm-armv8_64.pl
@@ -240,7 +240,7 @@ e472d73d06933667a51a0af973479993eed333c71b43af03095450acb36dbeb4 crypto/modes/a
26f55a57e77f774d17dfba93d757f78edfa3a03f68a71ffa37ccf3bfc468b1e2 crypto/modes/asm/ghash-x86.pl
72744131007d2389c09665a59a862f5f6bb61b64bd3456e9b400985cb56586b8 crypto/modes/asm/ghash-x86_64.pl
a4e9f2e496bd9362b17a1b5989aa4682647cefcff6117f0607122a9e11a9dfd9 crypto/modes/asm/ghashp8-ppc.pl
-0029b5beb1d4cd4c5ad47164c23f3e7c9d1eaff66ef54af025ee26795b11a1c7 crypto/modes/asm/ghashv8-armx.pl
+69a13f423ca74c22543900c14aef4a848e3bc75504b65d2f51c6903aebcc17a7 crypto/modes/asm/ghashv8-armx.pl
65112dfe63cd59487e7bdb1706b44acfcf48ecede12cc3ae51daa5b661f41f06 crypto/modes/cbc128.c
1611e73dc1e01b5c2201f51756a7405b7673aa0bb872e2957d1ec80c3530486f crypto/modes/ccm128.c
d8c2f256532a4b94db6d03aea5cb609cccc938069f644b2fc77c5015648d148d crypto/modes/cfb128.c
@@ -251,30 +251,30 @@ e55a816c356b2d526bc6e40c8b81afa02576e4d44c7d7b6bbe444fb8b01aad41 crypto/modes/w
608a04f387be2a509b4d4ad414b7015ab833e56b85020e692e193160f36883a2 crypto/modes/xts128.c
8aa2504f84a0637b5122f0c963c9d82773ba248bad972ab92be7169995d162b5 crypto/o_str.c
8ddbbdf43131c10dcd4428aef0eff2b1e98b0410accada0fad41a4925868beef crypto/packet.c
-a20bfd927d69737c86ca95d3cf636afa8cefd8fe23412d1a3897644a0da21211 crypto/param_build.c
-c2fe815fb3fd5efe9a6544cae55f9469063a0f6fb728361737b927f6182ae0bb crypto/param_build_set.c
+c698d5166d091d6bb6e9df3c211fe1cc916fd43a26ec844f28f547cd708f9c55 crypto/param_build.c
+2a0f272dd553b698e8c6fa57962694ebd6064cb03fe26a60df529205568d315d crypto/param_build_set.c
0e4a5388a92fabbe5a540176c0b4c5ce258b78dc9168ecc2e805352a06aaf0ba crypto/params.c
4fda13f6af05d80b0ab89ec4f5813c274a21a9b4565be958a02d006236cef05c crypto/params_dup.c
-a0097ff2da8955fe15ba204cb54f3fd48a06f846e2b9826f507b26acf65715c3 crypto/params_from_text.c
+b6cbfc8791b31587f32a3f9e4c117549793528ebddc34a361bad1ad8cf8d4c42 crypto/params_from_text.c
97cb7414dc2f165d5849ee3b46cdfff0afb067729435d9c01a747e0ca41e230c crypto/ppccap.c
3ca43596a7528dec8ff9d1a3cd0d68b62640f84b1d6a8b5e4842cfd0be1133ad crypto/ppccpuid.pl
b4d34272a0bd1fbe6562022bf7ea6259b6a5a021a48222d415be47ef5ef2a905 crypto/property/defn_cache.c
3c4ade2fed4605e374d85ec1134a98da34e7124f89f44b81a754e8cfe81f14ba crypto/property/property.c
66da4f28d408133fb544b14aeb9ad4913e7c5c67e2826e53f0dc5bf4d8fada26 crypto/property/property_local.h
-921305e62749aec22da4843738bee3448b61e7e30d5309beddc7141ad07a8004 crypto/property/property_parse.c
+37dba5e1f8a2f8cb8a69e491d52386359c9d08a3c7e43ac1c7a989b72b71593c crypto/property/property_parse.c
a7cefda6a117550e2c76e0f307565ce1e11640b11ba10c80e469a837fd1212a3 crypto/property/property_query.c
065698c8d88a5facc0cbc02a3bd0c642c94687a8c5dd79901c942138b406067d crypto/property/property_string.c
-0ba5d0297837940c972224c97cbbf3ea4a723c1eed9ce1112538c9bb26208639 crypto/provider_core.c
+0b38639ffc696d6037ace06cc0169bb5c411ee1c6bacc1fa18b3abd82000e69f crypto/provider_core.c
d0af10d4091b2032aac1b7db80f8c2e14fa7176592716b25b9437ab6b53c0a89 crypto/provider_local.h
5ba2e1c74ddcd0453d02e32612299d1eef18eff8493a7606c15d0dc3738ad1d9 crypto/provider_predefined.c
a5a4472636b8b0095ad8d4acd37e275ad79da1a67ecff7b7b5c3e46c9ebc65b7 crypto/rand/rand_lib.c
fd03b9bb2c23470fa40880ed3bf9847bb17d50592101a78c0ad7a0f121209788 crypto/rand/rand_local.h
f0c8792a99132e0b9c027cfa7370f45594a115934cdc9e8f23bdd64abecaf7fd crypto/rsa/rsa_acvp_test_params.c
-9e7dd6fc91d3266d4aa4f0f41b7986381122b7d98114e63ebf04c5ee298b5fda crypto/rsa/rsa_backend.c
+5834d7c518ad53ea0dd3db811c0e51568c81cc6c117012030101d29003d0725c crypto/rsa/rsa_backend.c
38a102cd1da1f6ca5a46e6a22f018237964336274385f5c70cbedcaa6997647e crypto/rsa/rsa_chk.c
e32cfa04221a2a3ea33f7bcb93ee51b84cbeba97e94c1fbf6e420b24f97fc9ce crypto/rsa/rsa_crpt.c
e995da1c2e5007bd7f5907f369fe45ed15f4e657143a85078c755bd5e6863d0b crypto/rsa/rsa_gen.c
-74ed75d1d8e0844800504a137bfd81c3dbcb6c4bd58b5d5fe9d0a362092b6e88 crypto/rsa/rsa_lib.c
+f2222f270e57559537d3da8abbeb1390bc5376b73dae59d536af6e73eb48bba0 crypto/rsa/rsa_lib.c
a65e85be5269d8cb88e86b3413c978fa8994419a671092cbf104ff1a08fda23b crypto/rsa/rsa_local.h
cf0b75cd54b61b9b9a290ef18d0ddce9fb26a029a54eb3f720d9b25188440f00 crypto/rsa/rsa_mp_names.c
5c60f6e05db82e13178d805deb1947b8eee4a905e6e77523d3b288da70a46bb5 crypto/rsa/rsa_none.c
@@ -284,7 +284,7 @@ be3f39c1fcb777d6c0122061f9ef735d10a6bee95d67fcc1ca6ae2a664022d2b crypto/rsa/rsa
174a42e156be48927fe6d6bf0d95575619b8e643a99761275bff933bc3449722 crypto/rsa/rsa_pss.c
bf6d300b7e7e9e512a47c5bd1f8713806ae3033a140d83dfae4a16ad58d11170 crypto/rsa/rsa_schemes.c
f01af62704dbf9457e2669c3e7c1d4d740f0388faa49df93611b987a8aa2bf11 crypto/rsa/rsa_sign.c
-740c022caff3b2487c5838b581cdddcc7de2ceabb504aad72dc0dd70a67bf7cf crypto/rsa/rsa_sp800_56b_check.c
+42d821612b0b0d62f587beb8a0cab8b8d876fedccd6913fec6d2044f8ac52b63 crypto/rsa/rsa_sp800_56b_check.c
3aba73dacebb046faf8d09dc279149b52c629004b524ec33e6d81c8ad0bc31a8 crypto/rsa/rsa_sp800_56b_gen.c
1c1c2aeeb18bf1d69e8f134315b7e50d8f43d30eb1aa5bf42983eec9136a2fdc crypto/rsa/rsa_x931.c
0acbebed48f6242d595c21e3c1ad69da0daa960d62062e8970209deda144f337 crypto/s390xcap.c
@@ -381,7 +381,7 @@ c5bb97f654984130c8b44c09a52395bce0b22985d5dbc9c4d9377d86283f11f8 include/intern
fd1722d6b79520ee4ac477280d5131eb1b744c3b422fd15f5e737ef966a97c3b include/internal/dso.h
f144daebef828a5bd4416466257a50f06b894e0ce0adf1601aa381f34f25a9e7 include/internal/dsoerr.h
70d3e0d5a1bd8db58dcc57bea4d1c3ed816c735fe0e6b2f4b07073712d2dc5ef include/internal/endian.h
-094b69aeb8f349cafa8865b577e253132088c25eabb61b910fab141e6f7d2929 include/internal/ffc.h
+7854b5c1cd786dc01d052204c5b3ea946dc9929590f47ec4c27697387c5b7ce5 include/internal/ffc.h
100053a1bad1a85a98c5b919cf81ace0ee147b2164732963e40474d7b5fbbb99 include/internal/namemap.h
b02701592960eb4608bb83b297eed90184004828c7fc03ea81568062f347623d include/internal/nelem.h
ae41a2fb41bf592bbb47e4855cf4efd9ef85fc11f910a7e195ceef78fb4321dc include/internal/numbers.h
@@ -390,7 +390,7 @@ dd7ddecf30bef3002313e6b776ce34d660931e783b2f6edacf64c7c6e729e688 include/intern
d4ac19b28ea61f03383364cfad1e941cac44fc36787d80882c5b76ecc9d34e29 include/internal/property.h
727326afb3d33fdffdf26471e313f27892708318c0934089369e4b28267e2635 include/internal/propertyerr.h
6a899ef3e360c7144d84d3c3dbbd14aa457f5d38b83b13c0be7ec7f372076595 include/internal/provider.h
-80d7d12b8b3d9945bde3991cb0d1413d120a58a04b17ac673549789e3f37b18a include/internal/refcount.h
+34432d71c49dc8ee9926218ba78bdcd03c46cee4e966ee20d100e4519d85b064 include/internal/refcount.h
11ee9893f7774c83fcfdee6e0ca593af3d28b779107883553facdbfdae3a68f5 include/internal/sha3.h
494ab5c802716bf38032986674fb094dde927a21752fe395d82e6044d81801d1 include/internal/sizes.h
24f41a1985fa305833c3f58030c494d2563d15fc922cdf3eeb6a7ea8c135a880 include/internal/symhacks.h
@@ -401,7 +401,7 @@ fc0f9199487ef278b9fd317d1572db3e3fb95e182055f0e49c4d8faf78ed7dd2 include/intern
98aa2fc5eae9ef2a36d3d0053212696d58893baa083fa1fcf720660fb4bc0a9f include/openssl/asn1.h.in
d4733dcd490b3a2554eaf859d1ea964fe76f7d24f78e42be1094bdad6dee7429 include/openssl/asn1err.h
1550474ee05423896ec4abfb6346f1bc44c7be22329efac9ea25de10e81d549c include/openssl/asn1t.h.in
-2cd8163cdc6c93386bc05e8ed983e5ca604d0bf9da65500cab736cfa8bc2b048 include/openssl/bio.h.in
+dbd1501acb0804eec0f2aa7bbac4dbc483cf2b4691c6eb1436461b5ed4685b42 include/openssl/bio.h.in
0a26138aaded05cafe2326e11fdc19b28408e054cfe3dda40d45ef95ce8136b0 include/openssl/bioerr.h
7d1f9880976a926ba6e0cad08e8de6f326aae48d8350b499aa79127f63d4d108 include/openssl/bn.h
9ad8b04764797f5138f01f549ba18b44cf698ffc7fe795fef42c1822d84a6ff4 include/openssl/bnerr.h
@@ -409,7 +409,7 @@ d4733dcd490b3a2554eaf859d1ea964fe76f7d24f78e42be1094bdad6dee7429 include/openss
9d48e6cab2ee98ae94d7113e4c65f000d97e125fdb3445642865ace3f34d06ac include/openssl/buffererr.h
8e772c24b051e59d2f65339f54584e3e44165a3eaf997d497faea764990130f5 include/openssl/cmac.h
55aa91482d327d1784484922389e8277bdcdff7a7df27e84200d5c908bd40454 include/openssl/conf.h.in
-f20c3c845129a129f5e0b1dae970d86a5c96ab49f2e3f6f364734521e9e1abe3 include/openssl/conferr.h
+bb45de4eafdd89c14096e9af9b0aee12b09adcee43b9313a3a373294dec99142 include/openssl/conferr.h
02a1baff7b71a298419c6c5dcb43eaa9cc13e9beeb88c03fb14854b4e84e8862 include/openssl/configuration.h.in
6b3810dac6c9d6f5ee36a10ad6d895a5e4553afdfb9641ce9b7dc5db7eef30b7 include/openssl/conftypes.h
df5e60af861665675e4a00d40d15e36884f940e3379c7b45c9f717eaf1942697 include/openssl/core.h
@@ -420,7 +420,7 @@ cbd9d7855ca3ba4240207fc025c22bbfef7411116446ff63511e336a0559bed0 include/openss
bbc82260cbcadd406091f39b9e3b5ea63146d9a4822623ead16fa12c43ab9fc6 include/openssl/cryptoerr_legacy.h
fa3e6b6c2e6222424b9cd7005e3c5499a2334c831cd5d6a29256ce945be8cb1d include/openssl/des.h
75fba45d6fc66e3aaef216959327157613f08070935aae4a5260e740184f031f include/openssl/dh.h
-836130f5a32bbdce51b97b34758ed1b03a9d06065c187418eaf323dca6adfc6d include/openssl/dherr.h
+ab7ba5d7eb18d2ea8abc6862ae2ceaa1fa116a702c2bff617c5ae1651d97b6bc include/openssl/dherr.h
92ae2c907fd56859e3ae28a085071611be5c9245879305cdf8bad027219e64b6 include/openssl/dsa.h
276d1f6e111ba933bc708e6a0670047cbe0d0b67aabe31807abbbc231de4d8cf include/openssl/dsaerr.h
41bf49e64e1c341a8c17778147ddeba35e88dfd7ff131db6210e801ef25a8fd5 include/openssl/e_os2.h
@@ -430,7 +430,7 @@ bc9ec2be442a4f49980ba2c63c8f0da701de1f6e23d7db35d781658f833dd7b9 include/openss
61c76ee3f12ed0e42503a56421ca00f1cb9a0f4caa5f9c4421c374bcd45917d7 include/openssl/encoder.h
69dd983f45b8ccd551f084796519446552963a18c52b70470d978b597c81b2dc include/openssl/encodererr.h
c6ee8f17d7252bdd0807a124dc6d50a95c32c04e17688b7c2e061998570b7028 include/openssl/err.h.in
-12ec111c0e22581e0169be5e1838353a085fb51e3042ef59a7db1cee7da73c5b include/openssl/evp.h
+b23bf3e2d0a60fe4d768afbe7aab48b47791e1274ae42b28895255119ae7f61d include/openssl/evp.h
5bd1b5dcd14067a1fe490d49df911002793c0b4f0bd4492cd8f71cfed7bf9f2a include/openssl/evperr.h
5381d96fe867a4ee0ebc09b9e3a262a0d7a27edc5f91dccfb010c7d713cd0820 include/openssl/fips_names.h
b1d41beba560a41383f899a361b786e04f889106fb5960ec831b0af7996c9783 include/openssl/fipskey.h.in
@@ -500,28 +500,28 @@ abd5997bc33b681a4ab275978b92aebca0806a4a3f0c2f41dacf11b3b6f4e101 providers/fips
f822a03138e8b83ccaa910b89d72f31691da6778bf6638181f993ec7ae1167e3 providers/fips/self_test.h
d3c95c9c6cc4e3b1a5e4b2bfb2ae735a4109d763bcda7b1e9b8f9eb253f79820 providers/fips/self_test_data.inc
629f619ad055723e42624230c08430a3ef53e17ab405dc0fd35499e9ca4e389c providers/fips/self_test_kats.c
-cd784a44a01a8a30a6be63381344a7f5432e74d40b02ea471c5b0dc943a7ac9d providers/implementations/asymciphers/rsa_enc.c
+99baeec10374301e90352ab637056104a8ea28a6880804f44c640d0c9ee16eba providers/implementations/asymciphers/rsa_enc.c
4db1826ecce8b60cb641bcd7a61430ec8cef73d2fe3cbc06aa33526afe1c954a providers/implementations/ciphers/cipher_aes.c
-f9d4b30e7110c90064b990c07430bb79061f4436b06ccaa981b25c306cfbfaa2 providers/implementations/ciphers/cipher_aes.h
-89378cce6d31e8c2f221f9f29d0b17622624eb83e4ecec8465f7641f68352917 providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
+6ba7d817081cf0d87ba7bfb38cd9d70e41505480bb8bc796ef896f68d4514ea6 providers/implementations/ciphers/cipher_aes.h
+aef500281e7cd5a25a806a9bd45ec00a5b73984673202527dac5896fbcc9fa9c providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
7668e5c1cac474ad7b0f28aa78ca885edf44815fe4a606a6cd328b3c02fac25a providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.h
26e0f28523b416ba4067e471061f5a11fd76f5dc8bfe57ce37a137cf5667630b providers/implementations/ciphers/cipher_aes_cbc_hmac_sha1_hw.c
6d2ab2e059ef38fad342d4c65eebd533c08a2092bb174ff3566c6604e175c5a4 providers/implementations/ciphers/cipher_aes_cbc_hmac_sha256_hw.c
-6d6bf36329af3b77f457898294be05fea3940a61cdaf0ed60cfb8d091a94186e providers/implementations/ciphers/cipher_aes_ccm.c
+f37c3cf9e2e6fcfcbed941f3670b790fe09990349db72eb065bef51705d46e96 providers/implementations/ciphers/cipher_aes_ccm.c
00f36bf48e522dbb5ec71df0ec13e387955fa3672e6ff90e8a412ae95c4a642f providers/implementations/ciphers/cipher_aes_ccm.h
6337b570e0dc4e98af07aa9704254d3ab958cf605584e250fbd76cd1d2a25ac7 providers/implementations/ciphers/cipher_aes_ccm_hw.c
302b3819ff9fdfed750185421616b248b0e1233d75b45a065490fe4762b42f55 providers/implementations/ciphers/cipher_aes_ccm_hw_aesni.inc
a8eaca99a71521ff8ac4ffcf08315e59220f7e0b7f505ecddad04fadd021ec14 providers/implementations/ciphers/cipher_aes_cts.inc
-710ee60704dd9dffa2a11e2e96596af1f7f84f915cedcedeec7292e0d978317a providers/implementations/ciphers/cipher_aes_gcm.c
+7e886ecc088b5903aa082eac72a4c46f9064392bdf5723a592368ecebfeb71c0 providers/implementations/ciphers/cipher_aes_gcm.c
79f5a732820d2512a7f4fc2a99ece7e6e2523a51e62561eb67a4b70d5538b0c4 providers/implementations/ciphers/cipher_aes_gcm.h
ab298c5f89f3165fa11093fad8063b7bcbff0924b43fb3107148ae66d54adcb5 providers/implementations/ciphers/cipher_aes_gcm_hw.c
8ed4a100e4756c31c56147b4b0fab76a4c6e5292aa2f079045f37b5502fd41b9 providers/implementations/ciphers/cipher_aes_gcm_hw_aesni.inc
4c6f3a2818754a5aa7b6db36dae53e248504f9e82cc5af2ed68c723903d4f9d5 providers/implementations/ciphers/cipher_aes_hw.c
89de794c090192459d99d95bc4a422e7782e62192cd0fdb3bdef4128cfedee68 providers/implementations/ciphers/cipher_aes_hw_aesni.inc
-0264d1ea3ece6f730b342586fb1fe00e3f0ff01e47d53f552864df986bf35573 providers/implementations/ciphers/cipher_aes_ocb.c
+fac3a1878dc9c0c363d0ecdd9f74926157df54ca4f40adf8c479927395082008 providers/implementations/ciphers/cipher_aes_ocb.c
88138a1aff9705e608c0557653be92eb4de65b152555a2b79ec8b2a8fae73e8f providers/implementations/ciphers/cipher_aes_ocb.h
855869ab5a8d7a61a11674cfe5d503dfa67f59e7e393730835d1d8cf0ab85c70 providers/implementations/ciphers/cipher_aes_ocb_hw.c
-a872195161ac6c3a2cb59c3d15b212e34bb7596a41712258f5d0b5e771e25239 providers/implementations/ciphers/cipher_aes_wrp.c
+6a8782c728575d69c86b735c9f47acda5c0daa04e17f1e0faef2c963f23fab20 providers/implementations/ciphers/cipher_aes_wrp.c
527ff9277b92606517ee7af13225a9d5fcffbbc36eb18bce39f59d594cbe4931 providers/implementations/ciphers/cipher_aes_xts.c
c4a2499b214d7cf786dafaaee5c8c6963b3d5d1c27c144eec4b460f839074a3b providers/implementations/ciphers/cipher_aes_xts.h
281157d1da4d7285d878978e6d42d0d33b3a6bc16e3bc5b6879e39093a7d70da providers/implementations/ciphers/cipher_aes_xts_fips.c
@@ -530,13 +530,13 @@ f358c4121a8a223e2c6cf009fd28b8a195520279016462890214e8858880f632 providers/impl
74640ce402acc704af72e055fb7f27e6aa8efd417babc56f710478e571d8631c providers/implementations/ciphers/cipher_cts.h
fcc3bb0637864252402aaa9d543209909df9a39611127f777b168bc888498dc0 providers/implementations/ciphers/cipher_tdes.c
77709f7fc3f7c08986cd4f0ebf2ef6e44bacb975c1483ef444b3cf5e5071f9d6 providers/implementations/ciphers/cipher_tdes.h
-6fc41326c5f464f27b7d31c16d5ad7116d6244b99e242893f6c96d0c61f3639a providers/implementations/ciphers/cipher_tdes_common.c
+f6b81faf6abf3baa926be7c054cda1ff2be109b0a2143b34b2f2d266b6cb2c52 providers/implementations/ciphers/cipher_tdes_common.c
50645122f08ef4891cd96cace833bd550be7f5278ab785515fd61fe8993c8c25 providers/implementations/ciphers/cipher_tdes_hw.c
-6bb3c24bfd872e3b4c779b29e9f962348f6ae3effeb4f243c8ea66abefe8a4fa providers/implementations/ciphers/ciphercommon.c
+1f44963b1ac450cb77d75df9fbf956b04742e38d236d316c7eb8021bdf0573a4 providers/implementations/ciphers/ciphercommon.c
dd72ea861edf70b94197821ceb00e07165d550934a2e851d62afa5034b79f468 providers/implementations/ciphers/ciphercommon_block.c
-4b4106f85e36eb2c07acc5a3ca5ccd77b736b3ac46cc4af786cf57405ecd54b2 providers/implementations/ciphers/ciphercommon_ccm.c
+8af515e63a0c16ff35dcedcc43c7b4735a10943f1e937eeeb73eb1af3dc92782 providers/implementations/ciphers/ciphercommon_ccm.c
8b6828f188c2590c7d9c6cac13fa0eb6d38a522b0f2859e7c8a766580fa9b66e providers/implementations/ciphers/ciphercommon_ccm_hw.c
-3b83f58d6ff1ae77de1ae8bee8a44ea2e5e4491c802b156fa77783ddebd44598 providers/implementations/ciphers/ciphercommon_gcm.c
+142785a128a0d694e2457e7d79da545791b73ae388dcf700b538763099f91f65 providers/implementations/ciphers/ciphercommon_gcm.c
bb67eaa7a98494ca938726f9218213870fc97dd87b56bda950626cc794baf20b providers/implementations/ciphers/ciphercommon_gcm_hw.c
23fd89e3239e596c325a8c5d23eb1fe157a8d23aa4d90ed2c574bf06dfabd693 providers/implementations/ciphers/ciphercommon_hw.c
c4b1cb143de15acc396ce2e03fdd165defd25ebc831de9cdfacf408ea883c666 providers/implementations/ciphers/ciphercommon_local.h
@@ -547,8 +547,8 @@ b5f94d597df72ca58486c59b2a70b4057d13f09528f861ed41a84b7125b54a82 providers/impl
9c46dc0d859875fcc0bc3d61a7b610cd3520b1bf63718775c1124f54a1fe5f24 providers/implementations/exchange/ecdh_exch.c
9bf87b8429398a6465c7e9f749a33b84974303a458736b56f3359b30726d3969 providers/implementations/exchange/ecx_exch.c
0cc02005660c5c340660123decac838c59b7460ef1003d9d50edc604cfd8e375 providers/implementations/exchange/kdf_exch.c
-31d3dba3d2e6b043b0d14a74caf6bf1a6c550471fb992a495ab7d3337081a526 providers/implementations/include/prov/ciphercommon.h
-6dc876a1a785420e84210f085be6e4c7aca407ffb5433dbca4cd3f1c11bb7f06 providers/implementations/include/prov/ciphercommon_aead.h
+a0d1c1d49557d32497877b2d549d2a7a7729a550306275bfe6ddcefca0d8fc80 providers/implementations/include/prov/ciphercommon.h
+a9f5de1623221f327245957ec1dfd66a1914bff25adf4bcb81213c7955d19382 providers/implementations/include/prov/ciphercommon_aead.h
dd07797d61988fd4124cfb920616df672938da80649fac5977bfd061c981edc5 providers/implementations/include/prov/ciphercommon_ccm.h
0c1e99d70155402a790e4de65923228c8df8ad970741caccfe8b513837457d7f providers/implementations/include/prov/ciphercommon_gcm.h
b9a61ce951c1904d8315b1bb26c0ab0aaadb47e71d4ead5df0a891608c728c4b providers/implementations/include/prov/digestcommon.h
@@ -567,7 +567,7 @@ abe2b0f3711eaa34846e155cffc9242e4051c45de896f747afd5ac9d87f637dc providers/impl
589f6133799da80760e8bc3ab0191a341ab6d4d2706e92e6eb4a24b0250fefa6 providers/implementations/kdfs/tls1_prf.c
4d4a6d9a562d2dcfec941d3f113a544663b5ac2fbe4accd89ec70c1cc11751d0 providers/implementations/kdfs/x942kdf.c
6b6c776b12664164f3cb54c21df61e1c4477c7855d89431a16fb338cdae58d43 providers/implementations/kem/rsa_kem.c
-9d5eb7e056e790b1b4292ec7af03fbf0b26e34625c70eb36643451965bcfc696 providers/implementations/keymgmt/dh_kmgmt.c
+11a0d0fb88ed88e965f10b3a0ef6c880f60341df995128f57ad943053aaf15b2 providers/implementations/keymgmt/dh_kmgmt.c
a329f57cb041cd03907e9d996fbc2f378ee116c7f8d7fbf1ea08b7a5df7e0304 providers/implementations/keymgmt/dsa_kmgmt.c
9bc88451d3ae110c7a108ee73d3b3b6bda801ec3494d2dfb9c9970b85c2d34fe providers/implementations/keymgmt/ec_kmgmt.c
258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251 providers/implementations/keymgmt/ec_kmgmt_imexport.inc
@@ -575,10 +575,10 @@ a329f57cb041cd03907e9d996fbc2f378ee116c7f8d7fbf1ea08b7a5df7e0304 providers/impl
053a2be39a87f50b877ebdbbf799cf5faf8b2de33b04311d819d212ee1ea329b providers/implementations/keymgmt/kdf_legacy_kmgmt.c
1646b477fa231dd0f6c22444c99098f9b447cab0d39ff69b811262469d4dbe09 providers/implementations/keymgmt/mac_legacy_kmgmt.c
19f22fc70a6321441e56d5bd4aab3d01d52d17069d4e4b5cefce0f411ecece75 providers/implementations/keymgmt/rsa_kmgmt.c
-aeb42590728ca87b916b8a3d337351b1c82ee0747213e5ce740c2350b3db7185 providers/implementations/macs/cmac_prov.c
+5eb96ea2df635cf79c5aeccae270fbe896b5e6384a5b3e4b187ce8c10fe8dfc7 providers/implementations/macs/cmac_prov.c
e69aa06f8f3c6f5a26702b9f44a844b8589b99dc0ee590953a29e8b9ef10acbe providers/implementations/macs/gmac_prov.c
895c8dc7235b9ad5ff893be0293cbc245a5455e8850195ac7d446646e4ea71d0 providers/implementations/macs/hmac_prov.c
-f75fbfe5348f93ad610da7d310f4e8fecf18c0549f27605da25d393c33e0edc2 providers/implementations/macs/kmac_prov.c
+8640b63fd8325aaf8f7128d6cc448d9af448a65bf51a8978075467d33a67944e providers/implementations/macs/kmac_prov.c
bf30274dd6b528ae913984775bd8f29c6c48c0ef06d464d0f738217727b7aa5c providers/implementations/rands/crngt.c
9d23df7f99beec7392c9d4ed813407050bc2d150098888fe802e2c9705fc33fa providers/implementations/rands/drbg.c
bb5f8161a80d0d1a7ee919af2b167972b00afd62e326252ca6aa93101f315f19 providers/implementations/rands/drbg_ctr.c
@@ -590,6 +590,6 @@ cafb9e6f54ad15889fcebddac6df61336bff7d78936f7de3bb5aab8aee5728d2 providers/impl
a30dc6308de0ca33406e7ce909f3bcf7580fb84d863b0976b275839f866258df providers/implementations/signature/ecdsa_sig.c
02e833a767afbe98247d6f09dfb1eb5a5cf7304a93f2c5427a9f6af9c8a3b549 providers/implementations/signature/eddsa_sig.c
3bb0f342b4cc1b4594ed0986adc47791c0a7b5c1ae7b1888c1fb5edb268a78d9 providers/implementations/signature/mac_legacy_sig.c
-5b5e51acce1f6e86581de9ee870e64772f69562362b34079ac65c5d6fffaddef providers/implementations/signature/rsa_sig.c
+166d7e3a049b28ae2c6f94415070720d176a82e46af1613511c4b073ea705476 providers/implementations/signature/rsa_sig.c
a14e901b02fe095713624db4080b3aa3ca685d43f9ebec03041f992240973346 ssl/record/tls_pad.c
3f2e01a98d9e3fda6cc5cb4b44dd43f6cae4ec34994e8f734d11b1e643e58636 ssl/s3_cbc.c
diff --git a/providers/fips.checksum b/providers/fips.checksum
index db5ddc6c..8fe82e02 100644
--- a/providers/fips.checksum
+++ b/providers/fips.checksum
@@ -1 +1 @@
-8d97c837eeb1288f74788f0e48cb0cbc8498d4cf7ddc25c89344df7d5309ffc8 providers/fips-sources.checksums
+9597c676c418928e2ba5075a6352a7d5b398e64db622b577822391424300ed43 providers/fips-sources.checksums
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
index d8659680..c8921acd 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -555,6 +555,7 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
static const OSSL_PARAM known_settable_ctx_params[] = {
OSSL_PARAM_utf8_string(OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS, NULL, 0),
OSSL_PARAM_utf8_string(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, NULL, 0),
OSSL_PARAM_utf8_string(OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST, NULL, 0),
OSSL_PARAM_utf8_string(OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS, NULL, 0),
diff --git a/providers/implementations/ciphers/cipher_aes.h b/providers/implementations/ciphers/cipher_aes.h
index 7eaf76c8..c62ac5e7 100644
--- a/providers/implementations/ciphers/cipher_aes.h
+++ b/providers/implementations/ciphers/cipher_aes.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -44,7 +44,6 @@ typedef struct prov_aes_ctx_st {
/* KMO-AES/KMF-AES parameter block - end */
} param;
unsigned int fc;
- int res;
} s390x;
#endif /* defined(OPENSSL_CPUID_OBJ) && defined(__s390__) */
} plat;
diff --git a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
index f9a8a580..6e044576 100644
--- a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
+++ b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -334,6 +334,16 @@ static void *aes_cbc_hmac_sha1_newctx(void *provctx, size_t kbits,
return ctx;
}
+static void *aes_cbc_hmac_sha1_dupctx(void *provctx)
+{
+ PROV_AES_HMAC_SHA1_CTX *ctx = provctx;
+
+ if (ctx == NULL)
+ return NULL;
+
+ return OPENSSL_memdup(ctx, sizeof(*ctx));
+}
+
static void aes_cbc_hmac_sha1_freectx(void *vctx)
{
PROV_AES_HMAC_SHA1_CTX *ctx = (PROV_AES_HMAC_SHA1_CTX *)vctx;
@@ -361,6 +371,13 @@ static void *aes_cbc_hmac_sha256_newctx(void *provctx, size_t kbits,
return ctx;
}
+static void *aes_cbc_hmac_sha256_dupctx(void *provctx)
+{
+ PROV_AES_HMAC_SHA256_CTX *ctx = provctx;
+
+ return OPENSSL_memdup(ctx, sizeof(*ctx));
+}
+
static void aes_cbc_hmac_sha256_freectx(void *vctx)
{
PROV_AES_HMAC_SHA256_CTX *ctx = (PROV_AES_HMAC_SHA256_CTX *)vctx;
@@ -386,6 +403,7 @@ static int nm##_##kbits##_##sub##_get_params(OSSL_PARAM params[]) \
const OSSL_DISPATCH ossl_##nm##kbits##sub##_functions[] = { \
{ OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))nm##_##kbits##_##sub##_newctx },\
{ OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))nm##_##sub##_freectx }, \
+ { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))nm##_##sub##_dupctx}, \
{ OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))nm##_einit }, \
{ OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))nm##_dinit }, \
{ OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))nm##_update }, \
diff --git a/providers/implementations/ciphers/cipher_aes_ccm.c b/providers/implementations/ciphers/cipher_aes_ccm.c
index bb4b1e1e..1aa788b2 100644
--- a/providers/implementations/ciphers/cipher_aes_ccm.c
+++ b/providers/implementations/ciphers/cipher_aes_ccm.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -33,6 +33,26 @@ static void *aes_ccm_newctx(void *provctx, size_t keybits)
return ctx;
}
+static void *aes_ccm_dupctx(void *provctx)
+{
+ PROV_AES_CCM_CTX *ctx = provctx;
+ PROV_AES_CCM_CTX *dupctx = NULL;
+
+ if (ctx == NULL)
+ return NULL;
+ dupctx = OPENSSL_memdup(provctx, sizeof(*ctx));
+ if (dupctx == NULL)
+ return NULL;
+ /*
+ * ossl_cm_initctx, via the ossl_prov_aes_hw_ccm functions assign a
+ * provctx->ccm.ks.ks to the ccm context key so we need to point it to
+ * the memduped copy
+ */
+ dupctx->base.ccm_ctx.key = &dupctx->ccm.ks.ks;
+
+ return dupctx;
+}
+
static OSSL_FUNC_cipher_freectx_fn aes_ccm_freectx;
static void aes_ccm_freectx(void *vctx)
{
diff --git a/providers/implementations/ciphers/cipher_aes_gcm.c b/providers/implementations/ciphers/cipher_aes_gcm.c
index 0081ca6c..3dce743e 100644
--- a/providers/implementations/ciphers/cipher_aes_gcm.c
+++ b/providers/implementations/ciphers/cipher_aes_gcm.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -34,6 +34,21 @@ static void *aes_gcm_newctx(void *provctx, size_t keybits)
return ctx;
}
+static void *aes_gcm_dupctx(void *provctx)
+{
+ PROV_AES_GCM_CTX *ctx = provctx;
+ PROV_AES_GCM_CTX *dctx = NULL;
+
+ if (ctx == NULL)
+ return NULL;
+
+ dctx = OPENSSL_memdup(ctx, sizeof(*ctx));
+ if (dctx != NULL && dctx->base.gcm.key != NULL)
+ dctx->base.gcm.key = &dctx->ks.ks;
+
+ return dctx;
+}
+
static OSSL_FUNC_cipher_freectx_fn aes_gcm_freectx;
static void aes_gcm_freectx(void *vctx)
{
diff --git a/providers/implementations/ciphers/cipher_aes_hw_s390x.inc b/providers/implementations/ciphers/cipher_aes_hw_s390x.inc
index c8282dbd..6c4a4cc9 100644
--- a/providers/implementations/ciphers/cipher_aes_hw_s390x.inc
+++ b/providers/implementations/ciphers/cipher_aes_hw_s390x.inc
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -58,7 +58,6 @@ static int s390x_aes_ofb128_initkey(PROV_CIPHER_CTX *dat,
memcpy(adat->plat.s390x.param.kmo_kmf.k, key, keylen);
adat->plat.s390x.fc = S390X_AES_FC(keylen);
- adat->plat.s390x.res = 0;
return 1;
}
@@ -66,7 +65,7 @@ static int s390x_aes_ofb128_cipher_hw(PROV_CIPHER_CTX *dat, unsigned char *out,
const unsigned char *in, size_t len)
{
PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
- int n = adat->plat.s390x.res;
+ int n = dat->num;
int rem;
memcpy(adat->plat.s390x.param.kmo_kmf.cv, dat->iv, dat->ivlen);
@@ -102,7 +101,7 @@ static int s390x_aes_ofb128_cipher_hw(PROV_CIPHER_CTX *dat, unsigned char *out,
}
memcpy(dat->iv, adat->plat.s390x.param.kmo_kmf.cv, dat->ivlen);
- adat->plat.s390x.res = n;
+ dat->num = n;
return 1;
}
@@ -113,7 +112,6 @@ static int s390x_aes_cfb128_initkey(PROV_CIPHER_CTX *dat,
adat->plat.s390x.fc = S390X_AES_FC(keylen);
adat->plat.s390x.fc |= 16 << 24; /* 16 bytes cipher feedback */
- adat->plat.s390x.res = 0;
memcpy(adat->plat.s390x.param.kmo_kmf.k, key, keylen);
return 1;
}
@@ -123,7 +121,7 @@ static int s390x_aes_cfb128_cipher_hw(PROV_CIPHER_CTX *dat, unsigned char *out,
{
PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
unsigned int modifier = adat->base.enc ? 0 : S390X_DECRYPT;
- int n = adat->plat.s390x.res;
+ int n = dat->num;
int rem;
unsigned char tmp;
@@ -164,7 +162,7 @@ static int s390x_aes_cfb128_cipher_hw(PROV_CIPHER_CTX *dat, unsigned char *out,
}
memcpy(dat->iv, adat->plat.s390x.param.kmo_kmf.cv, dat->ivlen);
- adat->plat.s390x.res = n;
+ dat->num = n;
return 1;
}
diff --git a/providers/implementations/ciphers/cipher_aes_ocb.c b/providers/implementations/ciphers/cipher_aes_ocb.c
index ce377ad5..eab31545 100644
--- a/providers/implementations/ciphers/cipher_aes_ocb.c
+++ b/providers/implementations/ciphers/cipher_aes_ocb.c
@@ -387,7 +387,10 @@ static int aes_ocb_set_ctx_params(void *vctx, const OSSL_PARAM params[])
/* IV len must be 1 to 15 */
if (sz < OCB_MIN_IV_LEN || sz > OCB_MAX_IV_LEN)
return 0;
- ctx->base.ivlen = sz;
+ if (ctx->base.ivlen != sz) {
+ ctx->base.ivlen = sz;
+ ctx->iv_state = IV_STATE_UNINITIALISED;
+ }
}
p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
if (p != NULL) {
diff --git a/providers/implementations/ciphers/cipher_aes_wrp.c b/providers/implementations/ciphers/cipher_aes_wrp.c
index 8bddf475..d44002fa 100644
--- a/providers/implementations/ciphers/cipher_aes_wrp.c
+++ b/providers/implementations/ciphers/cipher_aes_wrp.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -66,6 +66,26 @@ static void *aes_wrap_newctx(size_t kbits, size_t blkbits,
return wctx;
}
+static void *aes_wrap_dupctx(void *wctx)
+{
+ PROV_AES_WRAP_CTX *ctx = wctx;
+ PROV_AES_WRAP_CTX *dctx = wctx;
+
+ if (ctx == NULL)
+ return NULL;
+ dctx = OPENSSL_memdup(ctx, sizeof(*ctx));
+
+ if (dctx != NULL && dctx->base.tlsmac != NULL && dctx->base.alloced) {
+ dctx->base.tlsmac = OPENSSL_memdup(dctx->base.tlsmac,
+ dctx->base.tlsmacsize);
+ if (dctx->base.tlsmac == NULL) {
+ OPENSSL_free(dctx);
+ dctx = NULL;
+ }
+ }
+ return dctx;
+}
+
static void aes_wrap_freectx(void *vctx)
{
PROV_AES_WRAP_CTX *wctx = (PROV_AES_WRAP_CTX *)vctx;
@@ -281,6 +301,7 @@ static int aes_wrap_set_ctx_params(void *vctx, const OSSL_PARAM params[])
{ OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))aes_##mode##_cipher }, \
{ OSSL_FUNC_CIPHER_FINAL, (void (*)(void))aes_##mode##_final }, \
{ OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))aes_##mode##_freectx }, \
+ { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))aes_##mode##_dupctx }, \
{ OSSL_FUNC_CIPHER_GET_PARAMS, \
(void (*)(void))aes_##kbits##_##fname##_get_params }, \
{ OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \
diff --git a/providers/implementations/ciphers/cipher_aria_ccm.c b/providers/implementations/ciphers/cipher_aria_ccm.c
index d6b5517e..9f0e1dc2 100644
--- a/providers/implementations/ciphers/cipher_aria_ccm.c
+++ b/providers/implementations/ciphers/cipher_aria_ccm.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -28,6 +28,21 @@ static void *aria_ccm_newctx(void *provctx, size_t keybits)
return ctx;
}
+static void *aria_ccm_dupctx(void *provctx)
+{
+ PROV_ARIA_CCM_CTX *ctx = provctx;
+ PROV_ARIA_CCM_CTX *dctx = NULL;
+
+ if (ctx == NULL)
+ return NULL;
+
+ dctx = OPENSSL_memdup(ctx, sizeof(*ctx));
+ if (dctx != NULL && dctx->base.ccm_ctx.key != NULL)
+ dctx->base.ccm_ctx.key = &dctx->ks.ks;
+
+ return dctx;
+}
+
static void aria_ccm_freectx(void *vctx)
{
PROV_ARIA_CCM_CTX *ctx = (PROV_ARIA_CCM_CTX *)vctx;
diff --git a/providers/implementations/ciphers/cipher_aria_gcm.c b/providers/implementations/ciphers/cipher_aria_gcm.c
index b412bd32..21c28cd5 100644
--- a/providers/implementations/ciphers/cipher_aria_gcm.c
+++ b/providers/implementations/ciphers/cipher_aria_gcm.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -27,6 +27,21 @@ static void *aria_gcm_newctx(void *provctx, size_t keybits)
return ctx;
}
+static void *aria_gcm_dupctx(void *provctx)
+{
+ PROV_ARIA_GCM_CTX *ctx = provctx;
+ PROV_ARIA_GCM_CTX *dctx = NULL;
+
+ if (ctx == NULL)
+ return NULL;
+
+ dctx = OPENSSL_memdup(ctx, sizeof(*ctx));
+ if (dctx != NULL && dctx->base.gcm.key != NULL)
+ dctx->base.gcm.key = &dctx->ks.ks;
+
+ return dctx;
+}
+
static OSSL_FUNC_cipher_freectx_fn aria_gcm_freectx;
static void aria_gcm_freectx(void *vctx)
{
diff --git a/providers/implementations/ciphers/cipher_chacha20_poly1305.c b/providers/implementations/ciphers/cipher_chacha20_poly1305.c
index abe670ad..28ba0fee 100644
--- a/providers/implementations/ciphers/cipher_chacha20_poly1305.c
+++ b/providers/implementations/ciphers/cipher_chacha20_poly1305.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -23,6 +23,7 @@
static OSSL_FUNC_cipher_newctx_fn chacha20_poly1305_newctx;
static OSSL_FUNC_cipher_freectx_fn chacha20_poly1305_freectx;
+static OSSL_FUNC_cipher_dupctx_fn chacha20_poly1305_dupctx;
static OSSL_FUNC_cipher_encrypt_init_fn chacha20_poly1305_einit;
static OSSL_FUNC_cipher_decrypt_init_fn chacha20_poly1305_dinit;
static OSSL_FUNC_cipher_get_params_fn chacha20_poly1305_get_params;
@@ -58,6 +59,25 @@ static void *chacha20_poly1305_newctx(void *provctx)
return ctx;
}
+static void *chacha20_poly1305_dupctx(void *provctx)
+{
+ PROV_CHACHA20_POLY1305_CTX *ctx = provctx;
+ PROV_CHACHA20_POLY1305_CTX *dctx = NULL;
+
+ if (ctx == NULL)
+ return NULL;
+ dctx = OPENSSL_memdup(ctx, sizeof(*ctx));
+ if (dctx != NULL && dctx->base.tlsmac != NULL && dctx->base.alloced) {
+ dctx->base.tlsmac = OPENSSL_memdup(dctx->base.tlsmac,
+ dctx->base.tlsmacsize);
+ if (dctx->base.tlsmac == NULL) {
+ OPENSSL_free(dctx);
+ dctx = NULL;
+ }
+ }
+ return dctx;
+}
+
static void chacha20_poly1305_freectx(void *vctx)
{
PROV_CHACHA20_POLY1305_CTX *ctx = (PROV_CHACHA20_POLY1305_CTX *)vctx;
@@ -310,6 +330,7 @@ static int chacha20_poly1305_final(void *vctx, unsigned char *out, size_t *outl,
const OSSL_DISPATCH ossl_chacha20_ossl_poly1305_functions[] = {
{ OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))chacha20_poly1305_newctx },
{ OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))chacha20_poly1305_freectx },
+ { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))chacha20_poly1305_dupctx },
{ OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))chacha20_poly1305_einit },
{ OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))chacha20_poly1305_dinit },
{ OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))chacha20_poly1305_update },
diff --git a/providers/implementations/ciphers/cipher_des.c b/providers/implementations/ciphers/cipher_des.c
index c6d13466..b8bd47c7 100644
--- a/providers/implementations/ciphers/cipher_des.c
+++ b/providers/implementations/ciphers/cipher_des.c
@@ -98,6 +98,7 @@ static int des_init(void *vctx, const unsigned char *key, size_t keylen,
}
if (!ctx->hw->init(ctx, key, keylen))
return 0;
+ ctx->key_set = 1;
}
return ossl_cipher_generic_set_ctx_params(ctx, params);
}
diff --git a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c
index c46c6eab..c1325c12 100644
--- a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c
+++ b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -34,6 +34,7 @@ static OSSL_FUNC_cipher_encrypt_init_fn rc4_hmac_md5_einit;
static OSSL_FUNC_cipher_decrypt_init_fn rc4_hmac_md5_dinit;
static OSSL_FUNC_cipher_newctx_fn rc4_hmac_md5_newctx;
static OSSL_FUNC_cipher_freectx_fn rc4_hmac_md5_freectx;
+static OSSL_FUNC_cipher_dupctx_fn rc4_hmac_md5_dupctx;
static OSSL_FUNC_cipher_get_ctx_params_fn rc4_hmac_md5_get_ctx_params;
static OSSL_FUNC_cipher_gettable_ctx_params_fn rc4_hmac_md5_gettable_ctx_params;
static OSSL_FUNC_cipher_set_ctx_params_fn rc4_hmac_md5_set_ctx_params;
@@ -71,6 +72,15 @@ static void rc4_hmac_md5_freectx(void *vctx)
OPENSSL_clear_free(ctx, sizeof(*ctx));
}
+static void *rc4_hmac_md5_dupctx(void *vctx)
+{
+ PROV_RC4_HMAC_MD5_CTX *ctx = vctx;
+
+ if (ctx == NULL)
+ return NULL;
+ return OPENSSL_memdup(ctx, sizeof(*ctx));
+}
+
static int rc4_hmac_md5_einit(void *ctx, const unsigned char *key,
size_t keylen, const unsigned char *iv,
size_t ivlen, const OSSL_PARAM params[])
@@ -214,6 +224,7 @@ static int rc4_hmac_md5_get_params(OSSL_PARAM params[])
const OSSL_DISPATCH ossl_rc4_hmac_ossl_md5_functions[] = {
{ OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))rc4_hmac_md5_newctx },
{ OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))rc4_hmac_md5_freectx },
+ { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))rc4_hmac_md5_dupctx },
{ OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))rc4_hmac_md5_einit },
{ OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))rc4_hmac_md5_dinit },
{ OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))rc4_hmac_md5_update },
diff --git a/providers/implementations/ciphers/cipher_tdes_common.c b/providers/implementations/ciphers/cipher_tdes_common.c
index af2f5b98..cd11f218 100644
--- a/providers/implementations/ciphers/cipher_tdes_common.c
+++ b/providers/implementations/ciphers/cipher_tdes_common.c
@@ -92,6 +92,7 @@ static int tdes_init(void *vctx, const unsigned char *key, size_t keylen,
}
if (!ctx->hw->init(ctx, key, ctx->keylen))
return 0;
+ ctx->key_set = 1;
}
return ossl_cipher_generic_set_ctx_params(ctx, params);
}
diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c
index fa383165..7ad3eb0a 100644
--- a/providers/implementations/ciphers/ciphercommon.c
+++ b/providers/implementations/ciphers/ciphercommon.c
@@ -128,7 +128,10 @@ int ossl_cipher_var_keylen_set_ctx_params(void *vctx, const OSSL_PARAM params[])
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
return 0;
}
- ctx->keylen = keylen;
+ if (ctx->keylen != keylen) {
+ ctx->keylen = keylen;
+ ctx->key_set = 0;
+ }
}
return 1;
}
@@ -217,6 +220,7 @@ static int cipher_generic_init_internal(PROV_CIPHER_CTX *ctx,
}
if (!ctx->hw->init(ctx, key, ctx->keylen))
return 0;
+ ctx->key_set = 1;
}
return ossl_cipher_generic_set_ctx_params(ctx, params);
}
@@ -249,6 +253,11 @@ int ossl_cipher_generic_block_update(void *vctx, unsigned char *out,
size_t blksz = ctx->blocksize;
size_t nextblocks;
+ if (!ctx->key_set) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+ return 0;
+ }
+
if (ctx->tlsversion > 0) {
/*
* Each update call corresponds to a TLS record and is individually
@@ -390,6 +399,11 @@ int ossl_cipher_generic_block_final(void *vctx, unsigned char *out,
if (!ossl_prov_is_running())
return 0;
+ if (!ctx->key_set) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+ return 0;
+ }
+
if (ctx->tlsversion > 0) {
/* We never finalize TLS, so this is an error */
ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
@@ -456,6 +470,11 @@ int ossl_cipher_generic_stream_update(void *vctx, unsigned char *out,
{
PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+ if (!ctx->key_set) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+ return 0;
+ }
+
if (inl == 0) {
*outl = 0;
return 1;
@@ -510,9 +529,16 @@ int ossl_cipher_generic_stream_update(void *vctx, unsigned char *out,
int ossl_cipher_generic_stream_final(void *vctx, unsigned char *out,
size_t *outl, size_t outsize)
{
+ PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
+
if (!ossl_prov_is_running())
return 0;
+ if (!ctx->key_set) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+ return 0;
+ }
+
*outl = 0;
return 1;
}
@@ -526,6 +552,11 @@ int ossl_cipher_generic_cipher(void *vctx, unsigned char *out, size_t *outl,
if (!ossl_prov_is_running())
return 0;
+ if (!ctx->key_set) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+ return 0;
+ }
+
if (outsize < inl) {
ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
return 0;
diff --git a/providers/implementations/ciphers/ciphercommon_ccm.c b/providers/implementations/ciphers/ciphercommon_ccm.c
index ce3f7527..33105911 100644
--- a/providers/implementations/ciphers/ciphercommon_ccm.c
+++ b/providers/implementations/ciphers/ciphercommon_ccm.c
@@ -109,7 +109,10 @@ int ossl_ccm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
return 0;
}
- ctx->l = ivlen;
+ if (ctx->l != ivlen) {
+ ctx->l = ivlen;
+ ctx->iv_set = 0;
+ }
}
p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD);
diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c
index ed95c97f..4ec73d5a 100644
--- a/providers/implementations/ciphers/ciphercommon_gcm.c
+++ b/providers/implementations/ciphers/ciphercommon_gcm.c
@@ -261,7 +261,12 @@ int ossl_gcm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
return 0;
}
- ctx->ivlen = sz;
+ if (ctx->ivlen != sz) {
+ /* If the iv was already set or autogenerated, it is invalid. */
+ if (ctx->iv_state != IV_STATE_UNINITIALISED)
+ ctx->iv_state = IV_STATE_FINISHED;
+ ctx->ivlen = sz;
+ }
}
p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD);
diff --git a/providers/implementations/digests/blake2b_prov.c b/providers/implementations/digests/blake2b_prov.c
index 11271e1b..44e07407 100644
--- a/providers/implementations/digests/blake2b_prov.c
+++ b/providers/implementations/digests/blake2b_prov.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -323,8 +323,10 @@ int ossl_blake2b_final(unsigned char *md, BLAKE2B_CTX *c)
for (i = 0; i < iter; ++i)
store64(target + sizeof(c->h[i]) * i, c->h[i]);
- if (target != md)
+ if (target != md) {
memcpy(md, target, c->outlen);
+ OPENSSL_cleanse(target, sizeof(outbuffer));
+ }
OPENSSL_cleanse(c, sizeof(BLAKE2B_CTX));
return 1;
diff --git a/providers/implementations/digests/blake2s_prov.c b/providers/implementations/digests/blake2s_prov.c
index a9a8f9d0..72cab1e9 100644
--- a/providers/implementations/digests/blake2s_prov.c
+++ b/providers/implementations/digests/blake2s_prov.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -314,8 +314,10 @@ int ossl_blake2s_final(unsigned char *md, BLAKE2S_CTX *c)
for (i = 0; i < iter; ++i)
store32(target + sizeof(c->h[i]) * i, c->h[i]);
- if (target != md)
+ if (target != md) {
memcpy(md, target, c->outlen);
+ OPENSSL_cleanse(target, sizeof(outbuffer));
+ }
OPENSSL_cleanse(c, sizeof(BLAKE2S_CTX));
return 1;
diff --git a/providers/implementations/encode_decode/encode_key2any.c b/providers/implementations/encode_decode/encode_key2any.c
index 0f4c6296..1430c330 100644
--- a/providers/implementations/encode_decode/encode_key2any.c
+++ b/providers/implementations/encode_decode/encode_key2any.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -740,7 +740,15 @@ static int ec_pki_priv_to_der(const void *veckey, unsigned char **pder)
# define ec_pem_type "EC"
# ifndef OPENSSL_NO_SM2
-# define sm2_evp_type EVP_PKEY_SM2
+/*
+ * Albeit SM2 is a slightly different algorithm than ECDSA, the key type
+ * encoding (in all places where an AlgorithmIdentifier is produced, such
+ * as PrivateKeyInfo and SubjectPublicKeyInfo) is the same as for ECC keys
+ * according to the example in GM/T 0015-2012, appendix D.2.
+ * This leaves the distinction of SM2 keys to the EC group (which is found
+ * in AlgorithmIdentified.params).
+ */
+# define sm2_evp_type ec_evp_type
# define sm2_input_type "SM2"
# define sm2_pem_type "SM2"
# endif
diff --git a/providers/implementations/encode_decode/encode_key2text.c b/providers/implementations/encode_decode/encode_key2text.c
index 7d983f5e..3e75a9af 100644
--- a/providers/implementations/encode_decode/encode_key2text.c
+++ b/providers/implementations/encode_decode/encode_key2text.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -241,7 +241,7 @@ static int dh_to_text(BIO *out, const void *key, int selection)
return 0;
}
}
- if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
+ if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
pub_key = DH_get0_pub_key(dh);
if (pub_key == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PUBLIC_KEY);
@@ -316,7 +316,7 @@ static int dsa_to_text(BIO *out, const void *key, int selection)
return 0;
}
}
- if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
+ if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
pub_key = DSA_get0_pub_key(dsa);
if (pub_key == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PUBLIC_KEY);
@@ -525,7 +525,7 @@ static int ec_to_text(BIO *out, const void *key, int selection)
if (priv_len == 0)
goto err;
}
- if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
+ if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
const EC_POINT *pub_pt = EC_KEY_get0_public_key(ec);
if (pub_pt == NULL) {
@@ -575,26 +575,31 @@ static int ecx_to_text(BIO *out, const void *key, int selection)
return 0;
}
+ switch (ecx->type) {
+ case ECX_KEY_TYPE_X25519:
+ type_label = "X25519";
+ break;
+ case ECX_KEY_TYPE_X448:
+ type_label = "X448";
+ break;
+ case ECX_KEY_TYPE_ED25519:
+ type_label = "ED25519";
+ break;
+ case ECX_KEY_TYPE_ED448:
+ type_label = "ED448";
+ break;
+ }
+
if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
if (ecx->privkey == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_NOT_A_PRIVATE_KEY);
return 0;
}
- switch (ecx->type) {
- case ECX_KEY_TYPE_X25519:
- type_label = "X25519 Private-Key";
- break;
- case ECX_KEY_TYPE_X448:
- type_label = "X448 Private-Key";
- break;
- case ECX_KEY_TYPE_ED25519:
- type_label = "ED25519 Private-Key";
- break;
- case ECX_KEY_TYPE_ED448:
- type_label = "ED448 Private-Key";
- break;
- }
+ if (BIO_printf(out, "%s Private-Key:\n", type_label) <= 0)
+ return 0;
+ if (!print_labeled_buf(out, "priv:", ecx->privkey, ecx->keylen))
+ return 0;
} else if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
/* ecx->pubkey is an array, not a pointer... */
if (!ecx->haspubkey) {
@@ -602,29 +607,11 @@ static int ecx_to_text(BIO *out, const void *key, int selection)
return 0;
}
- switch (ecx->type) {
- case ECX_KEY_TYPE_X25519:
- type_label = "X25519 Public-Key";
- break;
- case ECX_KEY_TYPE_X448:
- type_label = "X448 Public-Key";
- break;
- case ECX_KEY_TYPE_ED25519:
- type_label = "ED25519 Public-Key";
- break;
- case ECX_KEY_TYPE_ED448:
- type_label = "ED448 Public-Key";
- break;
- }
+ if (BIO_printf(out, "%s Public-Key:\n", type_label) <= 0)
+ return 0;
}
- if (BIO_printf(out, "%s:\n", type_label) <= 0)
- return 0;
- if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0
- && !print_labeled_buf(out, "priv:", ecx->privkey, ecx->keylen))
- return 0;
- if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0
- && !print_labeled_buf(out, "pub:", ecx->pubkey, ecx->keylen))
+ if (!print_labeled_buf(out, "pub:", ecx->pubkey, ecx->keylen))
return 0;
return 1;
diff --git a/providers/implementations/include/prov/ciphercommon.h b/providers/implementations/include/prov/ciphercommon.h
index 8153872c..383b7593 100644
--- a/providers/implementations/include/prov/ciphercommon.h
+++ b/providers/implementations/include/prov/ciphercommon.h
@@ -58,6 +58,7 @@ struct prov_cipher_ctx_st {
unsigned int pad : 1; /* Whether padding should be used or not */
unsigned int enc : 1; /* Set to 1 for encrypt, or 0 otherwise */
unsigned int iv_set : 1; /* Set when the iv is copied to the iv/oiv buffers */
+ unsigned int key_set : 1; /* Set when key is set on the context */
unsigned int updated : 1; /* Set to 1 during update for one shot ciphers */
unsigned int variable_keylength : 1;
unsigned int inverse_cipher : 1; /* set to 1 to use inverse cipher */
diff --git a/providers/implementations/include/prov/ciphercommon_aead.h b/providers/implementations/include/prov/ciphercommon_aead.h
index 1d017175..4a5329e9 100644
--- a/providers/implementations/include/prov/ciphercommon_aead.h
+++ b/providers/implementations/include/prov/ciphercommon_aead.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -23,9 +23,14 @@ static void * alg##kbits##lc##_newctx(void *provctx) \
{ \
return alg##_##lc##_newctx(provctx, kbits); \
} \
+static void * alg##kbits##lc##_dupctx(void *src) \
+{ \
+ return alg##_##lc##_dupctx(src); \
+} \
const OSSL_DISPATCH ossl_##alg##kbits##lc##_functions[] = { \
{ OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))alg##kbits##lc##_newctx }, \
{ OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))alg##_##lc##_freectx }, \
+ { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void))alg##kbits##lc##_dupctx }, \
{ OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))ossl_##lc##_einit }, \
{ OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))ossl_##lc##_dinit }, \
{ OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))ossl_##lc##_stream_update }, \
diff --git a/providers/implementations/kdfs/pbkdf1.c b/providers/implementations/kdfs/pbkdf1.c
index 1a042bac..a3d7cf51 100644
--- a/providers/implementations/kdfs/pbkdf1.c
+++ b/providers/implementations/kdfs/pbkdf1.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -71,6 +71,11 @@ static int kdf_pbkdf1_do_derive(const unsigned char *pass, size_t passlen,
mdsize = EVP_MD_size(md_type);
if (mdsize < 0)
goto err;
+ if (n > (size_t)mdsize) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_LENGTH_TOO_LARGE);
+ goto err;
+ }
+
for (i = 1; i < iter; i++) {
if (!EVP_DigestInit_ex(ctx, md_type, NULL))
goto err;
@@ -83,6 +88,7 @@ static int kdf_pbkdf1_do_derive(const unsigned char *pass, size_t passlen,
memcpy(out, md_tmp, n);
ret = 1;
err:
+ OPENSSL_cleanse(md_tmp, EVP_MAX_MD_SIZE);
EVP_MD_CTX_free(ctx);
return ret;
}
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index 4ca9c1a3..c14b9765 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -392,7 +392,7 @@ static int dh_validate_public(const DH *dh, int checktype)
&& ossl_dh_is_named_safe_prime_group(dh))
return ossl_dh_check_pub_key_partial(dh, pub_key, &res);
- return DH_check_pub_key(dh, pub_key, &res);
+ return DH_check_pub_key_ex(dh, pub_key);
}
static int dh_validate_private(const DH *dh)
diff --git a/providers/implementations/macs/cmac_prov.c b/providers/implementations/macs/cmac_prov.c
index 96da429e..56eac008 100644
--- a/providers/implementations/macs/cmac_prov.c
+++ b/providers/implementations/macs/cmac_prov.c
@@ -99,8 +99,12 @@ static void *cmac_dup(void *vsrc)
static size_t cmac_size(void *vmacctx)
{
struct cmac_data_st *macctx = vmacctx;
+ const EVP_CIPHER_CTX *cipherctx = CMAC_CTX_get0_cipher_ctx(macctx->ctx);
- return EVP_CIPHER_CTX_get_block_size(CMAC_CTX_get0_cipher_ctx(macctx->ctx));
+ if (EVP_CIPHER_CTX_get0_cipher(cipherctx) == NULL)
+ return 0;
+
+ return EVP_CIPHER_CTX_get_block_size(cipherctx);
}
static int cmac_setkey(struct cmac_data_st *macctx,
diff --git a/providers/implementations/macs/kmac_prov.c b/providers/implementations/macs/kmac_prov.c
index b2f85398..99e7c60a 100644
--- a/providers/implementations/macs/kmac_prov.c
+++ b/providers/implementations/macs/kmac_prov.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -249,7 +249,7 @@ static int kmac_setkey(struct kmac_data_st *kctx, const unsigned char *key,
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
return 0;
}
- if (w < 0) {
+ if (w <= 0) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
return 0;
}
@@ -289,7 +289,7 @@ static int kmac_init(void *vmacctx, const unsigned char *key,
return 0;
t = EVP_MD_get_block_size(ossl_prov_digest_md(&kctx->digest));
- if (t < 0) {
+ if (t <= 0) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST_LENGTH);
return 0;
}
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 76516d9a..919ef172 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -997,6 +997,7 @@ static void *rsa_dupctx(void *vprsactx)
*dstctx = *srcctx;
dstctx->rsa = NULL;
dstctx->md = NULL;
+ dstctx->mgf1_md = NULL;
dstctx->mdctx = NULL;
dstctx->tbuf = NULL;
dstctx->propq = NULL;
diff --git a/providers/implementations/signature/sm2_sig.c b/providers/implementations/signature/sm2_sig.c
index fffb280c..09e3aacf 100644
--- a/providers/implementations/signature/sm2_sig.c
+++ b/providers/implementations/signature/sm2_sig.c
@@ -330,6 +330,7 @@ static void sm2sig_freectx(void *vpsm2ctx)
free_md(ctx);
EC_KEY_free(ctx->ec);
+ OPENSSL_free(ctx->propq);
OPENSSL_free(ctx->id);
OPENSSL_free(ctx);
}
@@ -345,13 +346,21 @@ static void *sm2sig_dupctx(void *vpsm2ctx)
*dstctx = *srcctx;
dstctx->ec = NULL;
+ dstctx->propq = NULL;
dstctx->md = NULL;
dstctx->mdctx = NULL;
+ dstctx->id = NULL;
if (srcctx->ec != NULL && !EC_KEY_up_ref(srcctx->ec))
goto err;
dstctx->ec = srcctx->ec;
+ if (srcctx->propq != NULL) {
+ dstctx->propq = OPENSSL_strdup(srcctx->propq);
+ if (dstctx->propq == NULL)
+ goto err;
+ }
+
if (srcctx->md != NULL && !EVP_MD_up_ref(srcctx->md))
goto err;
dstctx->md = srcctx->md;
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 95a34093..034851d0 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -130,6 +130,23 @@ void dtls1_clear_sent_buffer(SSL *s)
while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) {
frag = (hm_fragment *)item->data;
+
+ if (frag->msg_header.is_ccs) {
+ /*
+ * If we're freeing the CCS then we're done with the old
+ * enc_write_ctx/write_hash and they can be freed
+ */
+ if (s->enc_write_ctx
+ != frag->msg_header.saved_retransmit_state.enc_write_ctx)
+ EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state
+ .enc_write_ctx);
+
+ if (s->write_hash
+ != frag->msg_header.saved_retransmit_state.write_hash)
+ EVP_MD_CTX_free(frag->msg_header.saved_retransmit_state
+ .write_hash);
+ }
+
dtls1_hm_fragment_free(frag);
pitem_free(item);
}
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 3baf8207..4bcffcc4 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -300,6 +300,10 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold,
SSL_set_shutdown(s, SSL_RECEIVED_SHUTDOWN);
s->s3.warn_alert = SSL_AD_CLOSE_NOTIFY;
} else {
+ /*
+ * This reason code is part of the API and may be used by
+ * applications for control flow decisions.
+ */
SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_R_UNEXPECTED_EOF_WHILE_READING);
}
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 2ca3f74a..ee4f58e7 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -225,7 +225,11 @@ int ssl3_change_cipher_state(SSL *s, int which)
goto err;
}
- if (EVP_CIPHER_get0_provider(c) != NULL
+ /*
+ * The cipher we actually ended up using in the EVP_CIPHER_CTX may be
+ * different to that in c if we have an ENGINE in use
+ */
+ if (EVP_CIPHER_get0_provider(EVP_CIPHER_CTX_get0_cipher(dd)) != NULL
&& !tls_provider_set_tls_params(s, dd, c, m)) {
/* SSLfatal already called */
goto err;
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 78d4f040..bcfe57b4 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3365,6 +3365,10 @@ void ssl3_free(SSL *s)
OPENSSL_free(s->s3.alpn_selected);
OPENSSL_free(s->s3.alpn_proposed);
+#ifndef OPENSSL_NO_PSK
+ OPENSSL_free(s->s3.tmp.psk);
+#endif
+
#ifndef OPENSSL_NO_SRP
ssl_srp_ctx_free_intern(s);
#endif
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 73a82128..9e32417e 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -465,7 +465,8 @@ DEFINE_RUN_ONCE_STATIC(do_load_builtin_compressions)
comp->method = method;
comp->id = SSL_COMP_ZLIB_IDX;
comp->name = COMP_get_name(method);
- sk_SSL_COMP_push(ssl_comp_methods, comp);
+ if (!sk_SSL_COMP_push(ssl_comp_methods, comp))
+ OPENSSL_free(comp);
sk_SSL_COMP_sort(ssl_comp_methods);
}
}
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 5146cedb..69828028 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -870,9 +870,12 @@ static int ctrl_switch_option(SSL_CONF_CTX *cctx, const ssl_conf_cmd_tbl * cmd)
/* Find index of command in table */
size_t idx = cmd - ssl_conf_cmds;
const ssl_switch_tbl *scmd;
+
/* Sanity check index */
- if (idx >= OSSL_NELEM(ssl_cmd_switches))
+ if (idx >= OSSL_NELEM(ssl_cmd_switches)) {
+ ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
return 0;
+ }
/* Obtain switches entry with same index */
scmd = ssl_cmd_switches + idx;
ssl_set_option(cctx, scmd->name_flags, scmd->option_value, 1);
@@ -888,28 +891,33 @@ int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
}
if (!ssl_conf_cmd_skip_prefix(cctx, &cmd))
- return -2;
+ goto unknown_cmd;
runcmd = ssl_conf_cmd_lookup(cctx, cmd);
if (runcmd) {
- int rv;
+ int rv = -3;
+
if (runcmd->value_type == SSL_CONF_TYPE_NONE) {
return ctrl_switch_option(cctx, runcmd);
}
if (value == NULL)
- return -3;
+ goto bad_value;
rv = runcmd->cmd(cctx, value);
if (rv > 0)
return 2;
- if (rv == -2)
- return -2;
+ if (rv != -2)
+ rv = 0;
+
+ bad_value:
if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
ERR_raise_data(ERR_LIB_SSL, SSL_R_BAD_VALUE,
- "cmd=%s, value=%s", cmd, value);
- return 0;
+ "cmd=%s, value=%s", cmd,
+ value != NULL ? value : "<EMPTY>");
+ return rv;
}
+ unknown_cmd:
if (cctx->flags & SSL_CONF_FLAG_SHOW_ERRORS)
ERR_raise_data(ERR_LIB_SSL, SSL_R_UNKNOWN_CMD_NAME, "cmd=%s", cmd);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 81a9f072..2c8479eb 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -341,17 +341,31 @@ static int dane_tlsa_add(SSL_DANE *dane,
case DANETLS_SELECTOR_CERT:
if (!d2i_X509(&cert, &p, ilen) || p < data ||
dlen != (size_t)(p - data)) {
+ X509_free(cert);
tlsa_free(t);
ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE);
return 0;
}
if (X509_get0_pubkey(cert) == NULL) {
+ X509_free(cert);
tlsa_free(t);
ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_CERTIFICATE);
return 0;
}
if ((DANETLS_USAGE_BIT(usage) & DANETLS_TA_MASK) == 0) {
+ /*
+ * The Full(0) certificate decodes to a seemingly valid X.509
+ * object with a plausible key, so the TLSA record is well
+ * formed. However, we don't actually need the certifiate for
+ * usages PKIX-EE(1) or DANE-EE(3), because at least the EE
+ * certificate is always presented by the peer. We discard the
+ * certificate, and just use the TLSA data as an opaque blob
+ * for matching the raw presented DER octets.
+ *
+ * DO NOT FREE `t` here, it will be added to the TLSA record
+ * list below!
+ */
X509_free(cert);
break;
}
@@ -376,6 +390,7 @@ static int dane_tlsa_add(SSL_DANE *dane,
case DANETLS_SELECTOR_SPKI:
if (!d2i_PUBKEY(&pkey, &p, ilen) || p < data ||
dlen != (size_t)(p - data)) {
+ EVP_PKEY_free(pkey);
tlsa_free(t);
ERR_raise(ERR_LIB_SSL, SSL_R_DANE_TLSA_BAD_PUBLIC_KEY);
return 0;
@@ -1211,8 +1226,6 @@ void SSL_free(SSL *s)
SSL_SESSION_free(s->psksession);
OPENSSL_free(s->psksession_id);
- clear_ciphers(s);
-
ssl_cert_free(s->cert);
OPENSSL_free(s->shared_sigalgs);
/* Free up if allocated */
@@ -1248,6 +1261,12 @@ void SSL_free(SSL *s)
if (s->method != NULL)
s->method->ssl_free(s);
+ /*
+ * Must occur after s->method->ssl_free(). The DTLS sent_messages queue
+ * may reference the EVP_CIPHER_CTX/EVP_MD_CTX that are freed here.
+ */
+ clear_ciphers(s);
+
SSL_CTX_free(s->ctx);
ASYNC_WAIT_CTX_free(s->waitctx);
@@ -4972,6 +4991,8 @@ IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
* If |dst| points to a NULL pointer, a new stack will be created and owned by
* the caller.
* Returns the number of SCTs moved, or a negative integer if an error occurs.
+ * The |dst| stack is created and possibly partially populated even in case
+ * of error, likewise the |src| stack may be left in an intermediate state.
*/
static int ct_move_scts(STACK_OF(SCT) **dst, STACK_OF(SCT) *src,
sct_source_t origin)
@@ -4991,15 +5012,14 @@ static int ct_move_scts(STACK_OF(SCT) **dst, STACK_OF(SCT) *src,
if (SCT_set_source(sct, origin) != 1)
goto err;
- if (sk_SCT_push(*dst, sct) <= 0)
+ if (!sk_SCT_push(*dst, sct))
goto err;
scts_moved += 1;
}
return scts_moved;
err:
- if (sct != NULL)
- sk_SCT_push(src, sct); /* Put the SCT back */
+ SCT_free(sct);
return -1;
}
diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c
index c2366e41..8bccce84 100644
--- a/ssl/ssl_mcnf.c
+++ b/ssl/ssl_mcnf.c
@@ -24,7 +24,7 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
{
SSL_CONF_CTX *cctx = NULL;
size_t i, idx, cmd_count;
- int rv = 0;
+ int err = 1;
unsigned int flags;
const SSL_METHOD *meth;
const SSL_CONF_CMD *cmds;
@@ -66,24 +66,22 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
flags |= SSL_CONF_FLAG_CLIENT;
SSL_CONF_CTX_set_flags(cctx, flags);
prev_libctx = OSSL_LIB_CTX_set0_default(libctx);
+ err = 0;
for (i = 0; i < cmd_count; i++) {
char *cmdstr, *arg;
+ int rv;
conf_ssl_get_cmd(cmds, i, &cmdstr, &arg);
rv = SSL_CONF_cmd(cctx, cmdstr, arg);
- if (rv <= 0) {
- int errcode = rv == -2 ? SSL_R_UNKNOWN_COMMAND : SSL_R_BAD_VALUE;
-
- ERR_raise_data(ERR_LIB_SSL, errcode,
- "section=%s, cmd=%s, arg=%s", name, cmdstr, arg);
- goto err;
- }
+ if (rv <= 0)
+ ++err;
}
- rv = SSL_CONF_CTX_finish(cctx);
+ if (!SSL_CONF_CTX_finish(cctx))
+ ++err;
err:
OSSL_LIB_CTX_set0_default(prev_libctx);
SSL_CONF_CTX_free(cctx);
- return rv <= 0 ? 0 : 1;
+ return err == 0;
}
int SSL_config(SSL *s, const char *name)
diff --git a/ssl/statem/extensions_cust.c b/ssl/statem/extensions_cust.c
index 401a4c5c..d75ee7df 100644
--- a/ssl/statem/extensions_cust.c
+++ b/ssl/statem/extensions_cust.c
@@ -220,6 +220,8 @@ int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, size_t chainidx,
|| !WPACKET_start_sub_packet_u16(pkt)
|| (outlen > 0 && !WPACKET_memcpy(pkt, out, outlen))
|| !WPACKET_close(pkt)) {
+ if (meth->free_cb != NULL)
+ meth->free_cb(s, meth->ext_type, context, out, meth->add_arg);
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
}
@@ -228,6 +230,9 @@ int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, size_t chainidx,
* We can't send duplicates: code logic should prevent this.
*/
if (!ossl_assert((meth->ext_flags & SSL_EXT_FLAG_SENT) == 0)) {
+ if (meth->free_cb != NULL)
+ meth->free_cb(s, meth->ext_type, context, out,
+ meth->add_arg);
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return 0;
}
@@ -328,6 +333,8 @@ void custom_exts_free(custom_ext_methods *exts)
OPENSSL_free(meth->parse_arg);
}
OPENSSL_free(exts->meths);
+ exts->meths = NULL;
+ exts->meths_count = 0;
}
/* Return true if a client custom extension exists, false otherwise */
diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c
index 788d0eff..040c2303 100644
--- a/ssl/statem/statem_dtls.c
+++ b/ssl/statem/statem_dtls.c
@@ -59,7 +59,7 @@ static hm_fragment *dtls1_hm_fragment_new(size_t frag_len, int reassembly)
unsigned char *buf = NULL;
unsigned char *bitmask = NULL;
- if ((frag = OPENSSL_malloc(sizeof(*frag))) == NULL) {
+ if ((frag = OPENSSL_zalloc(sizeof(*frag))) == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
return NULL;
}
@@ -95,11 +95,7 @@ void dtls1_hm_fragment_free(hm_fragment *frag)
{
if (!frag)
return;
- if (frag->msg_header.is_ccs) {
- EVP_CIPHER_CTX_free(frag->msg_header.
- saved_retransmit_state.enc_write_ctx);
- EVP_MD_CTX_free(frag->msg_header.saved_retransmit_state.write_hash);
- }
+
OPENSSL_free(frag->fragment);
OPENSSL_free(frag->reassembly);
OPENSSL_free(frag);
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 91238e64..6cb7baaf 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -427,7 +427,12 @@ int tls1_change_cipher_state(SSL *s, int which)
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
goto err;
}
- if (EVP_CIPHER_get0_provider(c) != NULL
+
+ /*
+ * The cipher we actually ended up using in the EVP_CIPHER_CTX may be
+ * different to that in c if we have an ENGINE in use
+ */
+ if (EVP_CIPHER_get0_provider(EVP_CIPHER_CTX_get0_cipher(dd)) != NULL
&& !tls_provider_set_tls_params(s, dd, c, m)) {
/* SSLfatal already called */
goto err;
diff --git a/test/README.md b/test/README.md
index 9a5c9195..14ce32ec 100644
--- a/test/README.md
+++ b/test/README.md
@@ -42,7 +42,7 @@ the make variable TESTS to specify them, like this:
$ make TESTS='test_rsa test_dsa' test # Unix
$ mms/macro="TESTS=test_rsa test_dsa" test ! OpenVMS
- $ nmake TESTS='test_rsa test_dsa' test # Windows
+ $ nmake TESTS="test_rsa test_dsa" test # Windows
And of course, you can combine (Unix examples shown):
diff --git a/test/asn1_stable_parse_test.c b/test/asn1_stable_parse_test.c
new file mode 100644
index 00000000..2cda581a
--- /dev/null
+++ b/test/asn1_stable_parse_test.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/evp.h>
+#include "testutil.h"
+
+static char *config_file = NULL;
+
+typedef enum OPTION_choice {
+ OPT_ERR = -1,
+ OPT_EOF = 0,
+ OPT_CONFIG_FILE,
+ OPT_TEST_ENUM
+} OPTION_CHOICE;
+
+const OPTIONS *test_get_options(void)
+{
+ static const OPTIONS options[] = {
+ OPT_TEST_OPTIONS_DEFAULT_USAGE,
+ { "config", OPT_CONFIG_FILE, '<',
+ "The configuration file to use for the libctx" },
+ { NULL }
+ };
+ return options;
+}
+
+
+/*
+ * Test that parsing a config file with incorrect stable settings aren't parsed
+ * and appropriate errors are raised
+ */
+static int test_asn1_stable_parse(void)
+{
+ int testret = 0;
+ unsigned long errcode;
+ OSSL_LIB_CTX *newctx = OSSL_LIB_CTX_new();
+
+ if (!TEST_ptr(newctx))
+ goto out;
+
+ if (!TEST_int_eq(OSSL_LIB_CTX_load_config(newctx, config_file), 0))
+ goto err;
+
+ errcode = ERR_peek_error();
+ if (ERR_GET_LIB(errcode) != ERR_LIB_ASN1)
+ goto err;
+ if (ERR_GET_REASON(errcode) != ASN1_R_INVALID_STRING_TABLE_VALUE)
+ goto err;
+
+ ERR_clear_error();
+
+ testret = 1;
+err:
+ OSSL_LIB_CTX_free(newctx);
+out:
+ return testret;
+}
+
+int setup_tests(void)
+{
+ OPTION_CHOICE o;
+
+ while ((o = opt_next()) != OPT_EOF) {
+ switch (o) {
+ case OPT_CONFIG_FILE:
+ config_file = opt_arg();
+ break;
+ default:
+ return 0;
+ }
+ }
+
+ ADD_TEST(test_asn1_stable_parse);
+ return 1;
+}
diff --git a/test/bntest.c b/test/bntest.c
index c5894c15..2e0dcb9a 100644
--- a/test/bntest.c
+++ b/test/bntest.c
@@ -891,6 +891,14 @@ static int test_gf2m_modinv(void)
|| !TEST_ptr(d = BN_new()))
goto err;
+ /* Test that a non-sensical, too small value causes a failure */
+ if (!TEST_true(BN_one(b[0])))
+ goto err;
+ if (!TEST_true(BN_bntest_rand(a, 512, 0, 0)))
+ goto err;
+ if (!TEST_false(BN_GF2m_mod_inv(c, a, b[0], ctx)))
+ goto err;
+
if (!(TEST_true(BN_GF2m_arr2poly(p0, b[0]))
&& TEST_true(BN_GF2m_arr2poly(p1, b[1]))))
goto err;
@@ -2927,6 +2935,108 @@ err:
return res;
}
+static int test_mod_inverse(void)
+{
+ int res = 0;
+ char *str = NULL;
+ BIGNUM *a = NULL;
+ BIGNUM *b = NULL;
+ BIGNUM *r = NULL;
+
+ if (!TEST_true(BN_dec2bn(&a, "5193817943")))
+ goto err;
+ if (!TEST_true(BN_dec2bn(&b, "3259122431")))
+ goto err;
+ if (!TEST_ptr(r = BN_new()))
+ goto err;
+ if (!TEST_ptr_eq(BN_mod_inverse(r, a, b, ctx), r))
+ goto err;
+ if (!TEST_ptr_ne(str = BN_bn2dec(r), NULL))
+ goto err;
+ if (!TEST_int_eq(strcmp(str, "2609653924"), 0))
+ goto err;
+
+ /* Note that this aliases the result with the modulus. */
+ if (!TEST_ptr_null(BN_mod_inverse(b, a, b, ctx)))
+ goto err;
+
+ res = 1;
+
+err:
+ BN_free(a);
+ BN_free(b);
+ BN_free(r);
+ OPENSSL_free(str);
+ return res;
+}
+
+static int test_mod_exp_alias(int idx)
+{
+ int res = 0;
+ char *str = NULL;
+ BIGNUM *a = NULL;
+ BIGNUM *b = NULL;
+ BIGNUM *c = NULL;
+ BIGNUM *r = NULL;
+
+ if (!TEST_true(BN_dec2bn(&a, "15")))
+ goto err;
+ if (!TEST_true(BN_dec2bn(&b, "10")))
+ goto err;
+ if (!TEST_true(BN_dec2bn(&c, "39")))
+ goto err;
+ if (!TEST_ptr(r = BN_new()))
+ goto err;
+
+ if (!TEST_int_eq((idx == 0 ? BN_mod_exp_simple
+ : BN_mod_exp_recp)(r, a, b, c, ctx), 1))
+ goto err;
+ if (!TEST_ptr_ne(str = BN_bn2dec(r), NULL))
+ goto err;
+ if (!TEST_str_eq(str, "36"))
+ goto err;
+
+ OPENSSL_free(str);
+ str = NULL;
+
+ BN_copy(r, b);
+
+ /* Aliasing with exponent must work. */
+ if (!TEST_int_eq((idx == 0 ? BN_mod_exp_simple
+ : BN_mod_exp_recp)(r, a, r, c, ctx), 1))
+ goto err;
+ if (!TEST_ptr_ne(str = BN_bn2dec(r), NULL))
+ goto err;
+ if (!TEST_str_eq(str, "36"))
+ goto err;
+
+ OPENSSL_free(str);
+ str = NULL;
+
+ /* Aliasing with modulus should return failure for the simple call. */
+ if (idx == 0) {
+ if (!TEST_int_eq(BN_mod_exp_simple(c, a, b, c, ctx), 0))
+ goto err;
+ } else {
+ if (!TEST_int_eq(BN_mod_exp_recp(c, a, b, c, ctx), 1))
+ goto err;
+ if (!TEST_ptr_ne(str = BN_bn2dec(c), NULL))
+ goto err;
+ if (!TEST_str_eq(str, "36"))
+ goto err;
+ }
+
+ res = 1;
+
+err:
+ BN_free(a);
+ BN_free(b);
+ BN_free(c);
+ BN_free(r);
+ OPENSSL_free(str);
+ return res;
+}
+
static int file_test_run(STANZA *s)
{
static const FILETEST filetests[] = {
@@ -3036,6 +3146,8 @@ int setup_tests(void)
ADD_ALL_TESTS(test_signed_mod_replace_ab, OSSL_NELEM(signed_mod_tests));
ADD_ALL_TESTS(test_signed_mod_replace_ba, OSSL_NELEM(signed_mod_tests));
ADD_TEST(test_mod);
+ ADD_TEST(test_mod_inverse);
+ ADD_ALL_TESTS(test_mod_exp_alias, 2);
ADD_TEST(test_modexp_mont5);
ADD_TEST(test_kronecker);
ADD_TEST(test_rand);
diff --git a/test/build.info b/test/build.info
index 75846e05..416c2270 100644
--- a/test/build.info
+++ b/test/build.info
@@ -51,7 +51,7 @@ IF[{- !$disabled{tests} -}]
bioprinttest sslapitest dtlstest sslcorrupttest \
bio_enc_test pkey_meth_test pkey_meth_kdf_test evp_kdf_test uitest \
cipherbytes_test threadstest_fips \
- asn1_encode_test asn1_decode_test asn1_string_table_test \
+ asn1_encode_test asn1_decode_test asn1_string_table_test asn1_stable_parse_test \
x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \
recordlentest drbgtest rand_status_test sslbuffertest \
time_offset_test pemtest ssl_cert_table_internal_test ciphername_test \
@@ -172,6 +172,14 @@ IF[{- !$disabled{tests} -}]
SOURCE[evp_extra_test]=evp_extra_test.c
INCLUDE[evp_extra_test]=../include ../apps/include
DEPEND[evp_extra_test]=../libcrypto.a libtestutil.a
+ IF[{- !$disabled{module} && !$disabled{legacy} -}]
+ DEFINE[evp_extra_test]=STATIC_LEGACY
+ SOURCE[evp_extra_test]=../providers/legacyprov.c
+ INCLUDE[evp_extra_test]=../providers/common/include \
+ ../providers/implementations/include
+ DEPEND[evp_extra_test]=../providers/liblegacy.a \
+ ../providers/libcommon.a
+ ENDIF
SOURCE[evp_extra_test2]=evp_extra_test2.c
INCLUDE[evp_extra_test2]=../include ../apps/include
@@ -537,6 +545,10 @@ IF[{- !$disabled{tests} -}]
INCLUDE[asn1_string_table_test]=../include ../apps/include
DEPEND[asn1_string_table_test]=../libcrypto libtestutil.a
+ SOURCE[asn1_stable_parse_test]=asn1_stable_parse_test.c
+ INCLUDE[asn1_stable_parse_test]=../include ../apps/include
+ DEPEND[asn1_stable_parse_test]=../libcrypto libtestutil.a
+
SOURCE[time_offset_test]=time_offset_test.c
INCLUDE[time_offset_test]=../include ../apps/include
DEPEND[time_offset_test]=../libcrypto libtestutil.a
@@ -852,6 +864,13 @@ IF[{- !$disabled{tests} -}]
SOURCE[p_test]=p_test.ld
GENERATE[p_test.ld]=../util/providers.num
ENDIF
+ MODULES{noinst}=p_minimal
+ SOURCE[p_minimal]=p_minimal.c
+ INCLUDE[p_minimal]=../include ..
+ IF[{- defined $target{shared_defflag} -}]
+ SOURCE[p_minimal]=p_minimal.ld
+ GENERATE[p_minimal.ld]=../util/providers.num
+ ENDIF
ENDIF
IF[{- $disabled{module} || !$target{dso_scheme} -}]
DEFINE[provider_test]=NO_PROVIDER_MODULE
diff --git a/test/cmp_ctx_test.c b/test/cmp_ctx_test.c
index 71fa679f..4a10653f 100644
--- a/test/cmp_ctx_test.c
+++ b/test/cmp_ctx_test.c
@@ -391,6 +391,7 @@ execute_CTX_##SETN##_##GETN##_##FIELD(OSSL_CMP_CTX_TEST_FIXTURE *fixture) \
} else { \
if (DUP && val1_read == val1) { \
TEST_error("first set did not dup the value"); \
+ val1_read = 0; \
res = 0; \
} \
if (DEFAULT(val1_read)) { \
@@ -419,6 +420,7 @@ execute_CTX_##SETN##_##GETN##_##FIELD(OSSL_CMP_CTX_TEST_FIXTURE *fixture) \
} else { \
if (DUP && val2_read == val2) { \
TEST_error("second set did not dup the value"); \
+ val2_read = 0; \
res = 0; \
} \
if (val2 == val1) { \
@@ -448,6 +450,7 @@ execute_CTX_##SETN##_##GETN##_##FIELD(OSSL_CMP_CTX_TEST_FIXTURE *fixture) \
} else { \
if (DUP && val3_read == val2_read) { \
TEST_error("third get did not create a new dup"); \
+ val3_read = 0; \
res = 0; \
} \
} \
diff --git a/test/cmp_protect_test.c b/test/cmp_protect_test.c
index 32dae32d..09bf2ec1 100644
--- a/test/cmp_protect_test.c
+++ b/test/cmp_protect_test.c
@@ -37,15 +37,17 @@ static OSSL_PROVIDER *default_null_provider = NULL, *provider = NULL;
static void tear_down(CMP_PROTECT_TEST_FIXTURE *fixture)
{
- OSSL_CMP_CTX_free(fixture->cmp_ctx);
- OSSL_CMP_MSG_free(fixture->msg);
- OSSL_CMP_PKISI_free(fixture->si);
+ if (fixture != NULL) {
+ OSSL_CMP_CTX_free(fixture->cmp_ctx);
+ OSSL_CMP_MSG_free(fixture->msg);
+ OSSL_CMP_PKISI_free(fixture->si);
- OPENSSL_free(fixture->mem);
- sk_X509_free(fixture->certs);
- sk_X509_free(fixture->chain);
+ OPENSSL_free(fixture->mem);
+ sk_X509_free(fixture->certs);
+ sk_X509_free(fixture->chain);
- OPENSSL_free(fixture);
+ OPENSSL_free(fixture);
+ }
}
static CMP_PROTECT_TEST_FIXTURE *set_up(const char *const test_case_name)
diff --git a/test/danetest.in b/test/danetest.in
index 118da21e..e7aa8c6a 100644
--- a/test/danetest.in
+++ b/test/danetest.in
@@ -50,7 +50,7 @@
# 1
1 1 1 0 0
-3 0 1 588FD5F414E3327EAFE3169DC040AE161247D1296BF38304AB9CF464850A1365
+3 0 0 3081ec308193a003020102020101300a06082a8648ce3d0403023000301e170d3135313231343030313033345a170d3135313231333030313033345a30003059301306072a8648ce3d020106082a8648ce3d03010703420004c5a4ffa008eebc0369b974799f9479cb47360544fafc02c4204fb3df31e88a1a4f18c85831e93f985c5b231094541b4316b5cb1c9c0c950886fe1143f39f6109300a06082a8648ce3d040302034800304502206ae7b7a870df21081e9a9896020aaf8560984875c812b36d671631abc879f872022100b0889ad2b3814ee64bddd5a7f6a98dea43cb435049469cb50a4404cbdeee1fd6
subject=
issuer=
notBefore=Dec 14 00:10:34 2015 GMT
@@ -65,7 +65,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
# 2
1 1 1 0 0
-3 1 1 05C66146D7909EAE2379825F6D0F5284146B79598DA12E403DC29C33147CF33E
+3 1 0 3059301306072a8648ce3d020106082a8648ce3d03010703420004c5a4ffa008eebc0369b974799f9479cb47360544fafc02c4204fb3df31e88a1a4f18c85831e93f985c5b231094541b4316b5cb1c9c0c950886fe1143f39f6109
subject=
issuer=
notBefore=Dec 14 00:10:34 2015 GMT
@@ -80,7 +80,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
# 3
1 1 1 0 0
-3 0 2 42BEE929852C8063A0D619B53D0DD35703BBAD2FC25F2055F737C7A14DDFEA544491F8C00F50FA083BD0AD1B5C98529994FF811BBA5E5170CC6EE9F3ED5563E1
+3 0 1 588FD5F414E3327EAFE3169DC040AE161247D1296BF38304AB9CF464850A1365
subject=
issuer=
notBefore=Dec 14 00:10:34 2015 GMT
@@ -95,7 +95,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
# 4
1 1 1 0 0
-3 1 2 D91A3E5DC34879CD77AD1E989F56FA78FACADF05EF8D445EDF5652BD58EE392C87C02F84C0119D62309041F2D5128A73399DF25D1F47BCD497357EAF1A1009A3
+3 1 1 05C66146D7909EAE2379825F6D0F5284146B79598DA12E403DC29C33147CF33E
subject=
issuer=
notBefore=Dec 14 00:10:34 2015 GMT
@@ -109,6 +109,36 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
-----END CERTIFICATE-----
# 5
+1 1 1 0 0
+3 0 2 42BEE929852C8063A0D619B53D0DD35703BBAD2FC25F2055F737C7A14DDFEA544491F8C00F50FA083BD0AD1B5C98529994FF811BBA5E5170CC6EE9F3ED5563E1
+subject=
+issuer=
+notBefore=Dec 14 00:10:34 2015 GMT
+notAfter=Dec 13 00:10:34 2015 GMT
+-----BEGIN CERTIFICATE-----
+MIHsMIGToAMCAQICAQEwCgYIKoZIzj0EAwIwADAeFw0xNTEyMTQwMDEwMzRaFw0x
+NTEyMTMwMDEwMzRaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATFpP+gCO68
+A2m5dHmflHnLRzYFRPr8AsQgT7PfMeiKGk8YyFgx6T+YXFsjEJRUG0MWtcscnAyV
+CIb+EUPzn2EJMAoGCCqGSM49BAMCA0gAMEUCIGrnt6hw3yEIHpqYlgIKr4VgmEh1
+yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
+-----END CERTIFICATE-----
+
+# 6
+1 1 1 0 0
+3 1 2 D91A3E5DC34879CD77AD1E989F56FA78FACADF05EF8D445EDF5652BD58EE392C87C02F84C0119D62309041F2D5128A73399DF25D1F47BCD497357EAF1A1009A3
+subject=
+issuer=
+notBefore=Dec 14 00:10:34 2015 GMT
+notAfter=Dec 13 00:10:34 2015 GMT
+-----BEGIN CERTIFICATE-----
+MIHsMIGToAMCAQICAQEwCgYIKoZIzj0EAwIwADAeFw0xNTEyMTQwMDEwMzRaFw0x
+NTEyMTMwMDEwMzRaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATFpP+gCO68
+A2m5dHmflHnLRzYFRPr8AsQgT7PfMeiKGk8YyFgx6T+YXFsjEJRUG0MWtcscnAyV
+CIb+EUPzn2EJMAoGCCqGSM49BAMCA0gAMEUCIGrnt6hw3yEIHpqYlgIKr4VgmEh1
+yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
+-----END CERTIFICATE-----
+
+# 7
1 1 1 65 -1
3 0 1 588FD5F414E3327EAFE3169DC040AE161247D1296BF38304AB9CF464850A1366
subject=
@@ -123,7 +153,7 @@ CIb+EUPzn2EJMAoGCCqGSM49BAMCA0gAMEUCIGrnt6hw3yEIHpqYlgIKr4VgmEh1
yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
-----END CERTIFICATE-----
-# 6
+# 8
1 1 1 65 -1
3 1 1 05C66146D7909EAE2379825F6D0F5284146B79598DA12E403DC29C33147CF33F
subject=
@@ -138,7 +168,7 @@ CIb+EUPzn2EJMAoGCCqGSM49BAMCA0gAMEUCIGrnt6hw3yEIHpqYlgIKr4VgmEh1
yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
-----END CERTIFICATE-----
-# 7
+# 9
1 1 1 65 -1
3 0 2 42BEE929852C8063A0D619B53D0DD35703BBAD2FC25F2055F737C7A14DDFEA544491F8C00F50FA083BD0AD1B5C98529994FF811BBA5E5170CC6EE9F3ED5563E2
subject=
@@ -153,7 +183,7 @@ CIb+EUPzn2EJMAoGCCqGSM49BAMCA0gAMEUCIGrnt6hw3yEIHpqYlgIKr4VgmEh1
yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
-----END CERTIFICATE-----
-# 8
+# 10
1 1 1 65 -1
3 1 2 D91A3E5DC34879CD77AD1E989F56FA78FACADF05EF8D445EDF5652BD58EE392C87C02F84C0119D62309041F2D5128A73399DF25D1F47BCD497357EAF1A1009A4
subject=
@@ -170,7 +200,7 @@ yBKzbWcWMavIefhyAiEAsIia0rOBTuZL3dWn9qmN6kPLQ1BJRpy1CkQEy97uH9Y=
## -- DANE-?? chain tests --
-# 9
+# 11
1 3 0 0 0
3 0 1 BEDC04764CECAE80AEE454D332758F50847DCA424216466E4012E0DEAE1F2E5F
subject= /CN=example.com
@@ -217,7 +247,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
-# 10
+# 12
1 3 0 0 0
3 1 1 3111668338043DE264D0256A702248696C9484B6221A42740F920187B4C61838
subject= /CN=example.com
@@ -264,7 +294,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
-# 11
+# 13
1 3 0 0 0
3 0 2 F756CCD61F3CA50D017653911701CA0052AF0B29E273DD263DD23643D86D4369D03686BD1369EF54BB2DC2DAE3CE4F05AF39D54648F94D54AA86B259AEAD9923
subject= /CN=example.com
@@ -311,7 +341,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
-# 12
+# 14
1 3 0 0 0
3 1 2 CB861AF6DDED185EE04472A9092052CCC735120C34785E72C996C94B122EBA6F329BE630B1B4C6E2756E7A75392C21E253C6AEACC31FD45FF4595DED375FAF62
subject= /CN=example.com
@@ -358,7 +388,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
-# 13
+# 15
1 3 0 0 1
2 0 1 0DAA76425A1FC398C55A643D5A2485AE4CC2B64B9515A75054722B2E83C31BBD
subject= /CN=example.com
@@ -405,7 +435,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
-# 14
+# 16
1 3 0 0 1
2 1 1 65A457617072DA3E7F1152471EB3D406526530097D0A9AA34EB47C990A1FCDA3
subject= /CN=example.com
@@ -452,7 +482,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
-# 15
+# 17
1 3 0 0 1
2 0 2 6BC0C0F2500320A49392910965263A3EBDD594173D3E36CCE38A003D2EC3FAFBC315EDB776CD3139637DF494FB60359601542A4F821BF0542F926E6270C9762C
subject= /CN=example.com
@@ -499,7 +529,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
-# 16
+# 18
1 3 0 0 1
2 1 2 1F484106F765B6F1AC483CC509CDAD36486A83D1BA115F562516F407C1109303658408B455824DA0785A252B205DBEECB1AFB5DB869E8AAC242091B63F258F05
subject= /CN=example.com
@@ -546,7 +576,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
-# 17
+# 19
1 3 0 0 2
2 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3C
subject= /CN=example.com
@@ -593,7 +623,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
-# 18
+# 20
1 3 0 0 2
2 1 1 91D942E4A2D4226DDAF28CADAA7F13018E4ED0D9A43A529247E51C965188576C
subject= /CN=example.com
@@ -640,7 +670,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
-# 19
+# 21
1 3 0 0 2
2 0 2 361029F20A3B59DAFAAF05D41811EFC1A9439B972BC6B9D7F13BC5469570E49ACAE0CB0C877C75D58346590EA950AC7A39AED6E8AA8004EA7F5DE3AB9462047E
subject= /CN=example.com
@@ -687,7 +717,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
-# 20
+# 22
1 3 0 0 2
2 1 2 5F414D4D7BFDF22E39952D9F46C51370FDD050F10C55B4CDB42E40FA98611FDE23EEE9B23315EE1ECDB198C7419E9A2D6742860E4806AF45164507799C3B452E
subject= /CN=example.com
@@ -736,7 +766,73 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
## -- PKIX-?? chain tests --
-# 21
+# 23
+1 2 0 0 0
+1 0 0 308201943082013ba003020102020102300a06082a8648ce3d04030230143112301006035504030c094973737565722043413020170d3135313231333233323335325a180f33303135303431353233323335325a30163114301206035504030c0b6578616d706c652e636f6d3059301306072a8648ce3d020106082a8648ce3d03010703420004664995f47bde35e7b4de48b258e9e8a07adebbdb863b3d06f481a1946c83da9f56cff4d9389b855d2f364b1585b0c734fcfa263026964ff5a4308b3fc879bdb8a37a3078301d0603551d0e041604145b20ca417d9088c7a4c017cb6c0c1c739bb07d8a301f0603551d230418301680147ab75a3cd295ca5df7c5150916e18ff5cc376a1530090603551d130402300030130603551d25040c300a06082b0601050507030130160603551d11040f300d820b6578616d706c652e636f6d300a06082a8648ce3d0403020347003044021f21c9032a5c8a93872d3f4aef321a9574dd956d43bd93c369944c72d6902858022100c8b3290d7af37e571a84d704dbad339d2987d41852dc5936f212947063911181
+subject= /CN=example.com
+issuer= /CN=Issuer CA
+notBefore=Dec 13 23:23:52 2015 GMT
+notAfter=Apr 15 23:23:52 3015 GMT
+-----BEGIN CERTIFICATE-----
+MIIBlDCCATugAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAlJc3N1ZXIg
+Q0EwIBcNMTUxMjEzMjMyMzUyWhgPMzAxNTA0MTUyMzIzNTJaMBYxFDASBgNVBAMM
+C2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZkmV9HveNee0
+3kiyWOnooHreu9uGOz0G9IGhlGyD2p9Wz/TZOJuFXS82SxWFsMc0/PomMCaWT/Wk
+MIs/yHm9uKN6MHgwHQYDVR0OBBYEFFsgykF9kIjHpMAXy2wMHHObsH2KMB8GA1Ud
+IwQYMBaAFHq3WjzSlcpd98UVCRbhj/XMN2oVMAkGA1UdEwQCMAAwEwYDVR0lBAww
+CgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID
+RwAwRAIfIckDKlyKk4ctP0rvMhqVdN2VbUO9k8NplExy1pAoWAIhAMizKQ16835X
+GoTXBNutM50ph9QYUtxZNvISlHBjkRGB
+-----END CERTIFICATE-----
+subject= /CN=Issuer CA
+issuer= /CN=Root CA
+notBefore=Dec 13 23:20:09 2015 GMT
+notAfter=Apr 15 23:20:09 3015 GMT
+-----BEGIN CERTIFICATE-----
+MIIBaDCCAQ2gAwIBAgIBAjAKBggqhkjOPQQDAjASMRAwDgYDVQQDDAdSb290IENB
+MCAXDTE1MTIxMzIzMjAwOVoYDzMwMTUwNDE1MjMyMDA5WjAUMRIwEAYDVQQDDAlJ
+c3N1ZXIgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR9S64YtJ9dxp0KPIXG
+aj4hGd6Sz60IH61VwS1RDsl7bADhNpWo2XE1SP5g3xVXM5BDPiob2S20t6oBbsYY
+XcWvo1AwTjAdBgNVHQ4EFgQUerdaPNKVyl33xRUJFuGP9cw3ahUwHwYDVR0jBBgw
+FoAU5L1AXwUqgg3fmIP5PX0/kKrscj8wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQD
+AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
+GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
+-----END CERTIFICATE-----
+
+# 24
+1 2 0 0 0
+1 1 0 3059301306072a8648ce3d020106082a8648ce3d03010703420004664995f47bde35e7b4de48b258e9e8a07adebbdb863b3d06f481a1946c83da9f56cff4d9389b855d2f364b1585b0c734fcfa263026964ff5a4308b3fc879bdb8
+subject= /CN=example.com
+issuer= /CN=Issuer CA
+notBefore=Dec 13 23:23:52 2015 GMT
+notAfter=Apr 15 23:23:52 3015 GMT
+-----BEGIN CERTIFICATE-----
+MIIBlDCCATugAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAlJc3N1ZXIg
+Q0EwIBcNMTUxMjEzMjMyMzUyWhgPMzAxNTA0MTUyMzIzNTJaMBYxFDASBgNVBAMM
+C2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZkmV9HveNee0
+3kiyWOnooHreu9uGOz0G9IGhlGyD2p9Wz/TZOJuFXS82SxWFsMc0/PomMCaWT/Wk
+MIs/yHm9uKN6MHgwHQYDVR0OBBYEFFsgykF9kIjHpMAXy2wMHHObsH2KMB8GA1Ud
+IwQYMBaAFHq3WjzSlcpd98UVCRbhj/XMN2oVMAkGA1UdEwQCMAAwEwYDVR0lBAww
+CgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID
+RwAwRAIfIckDKlyKk4ctP0rvMhqVdN2VbUO9k8NplExy1pAoWAIhAMizKQ16835X
+GoTXBNutM50ph9QYUtxZNvISlHBjkRGB
+-----END CERTIFICATE-----
+subject= /CN=Issuer CA
+issuer= /CN=Root CA
+notBefore=Dec 13 23:20:09 2015 GMT
+notAfter=Apr 15 23:20:09 3015 GMT
+-----BEGIN CERTIFICATE-----
+MIIBaDCCAQ2gAwIBAgIBAjAKBggqhkjOPQQDAjASMRAwDgYDVQQDDAdSb290IENB
+MCAXDTE1MTIxMzIzMjAwOVoYDzMwMTUwNDE1MjMyMDA5WjAUMRIwEAYDVQQDDAlJ
+c3N1ZXIgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR9S64YtJ9dxp0KPIXG
+aj4hGd6Sz60IH61VwS1RDsl7bADhNpWo2XE1SP5g3xVXM5BDPiob2S20t6oBbsYY
+XcWvo1AwTjAdBgNVHQ4EFgQUerdaPNKVyl33xRUJFuGP9cw3ahUwHwYDVR0jBBgw
+FoAU5L1AXwUqgg3fmIP5PX0/kKrscj8wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQD
+AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
+GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
+-----END CERTIFICATE-----
+
+# 25
1 2 0 0 0
1 0 1 BEDC04764CECAE80AEE454D332758F50847DCA424216466E4012E0DEAE1F2E5F
subject= /CN=example.com
@@ -769,7 +865,7 @@ AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
-# 22
+# 26
1 2 0 0 0
1 1 1 3111668338043DE264D0256A702248696C9484B6221A42740F920187B4C61838
subject= /CN=example.com
@@ -802,7 +898,7 @@ AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
-# 23
+# 27
1 3 0 0 0
1 0 2 F756CCD61F3CA50D017653911701CA0052AF0B29E273DD263DD23643D86D4369D03686BD1369EF54BB2DC2DAE3CE4F05AF39D54648F94D54AA86B259AEAD9923
subject= /CN=example.com
@@ -849,7 +945,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
-# 24
+# 28
1 3 0 0 0
1 1 2 CB861AF6DDED185EE04472A9092052CCC735120C34785E72C996C94B122EBA6F329BE630B1B4C6E2756E7A75392C21E253C6AEACC31FD45FF4595DED375FAF62
subject= /CN=example.com
@@ -896,7 +992,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
-# 25
+# 29
1 2 0 0 1
0 0 1 0DAA76425A1FC398C55A643D5A2485AE4CC2B64B9515A75054722B2E83C31BBD
subject= /CN=example.com
@@ -929,7 +1025,40 @@ AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
-# 26
+# 30
+1 2 0 0 1
+0 1 0 3059301306072a8648ce3d020106082a8648ce3d030107034200047d4bae18b49f5dc69d0a3c85c66a3e2119de92cfad081fad55c12d510ec97b6c00e13695a8d9713548fe60df15573390433e2a1bd92db4b7aa016ec6185dc5af
+subject= /CN=example.com
+issuer= /CN=Issuer CA
+notBefore=Dec 13 23:23:52 2015 GMT
+notAfter=Apr 15 23:23:52 3015 GMT
+-----BEGIN CERTIFICATE-----
+MIIBlDCCATugAwIBAgIBAjAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAlJc3N1ZXIg
+Q0EwIBcNMTUxMjEzMjMyMzUyWhgPMzAxNTA0MTUyMzIzNTJaMBYxFDASBgNVBAMM
+C2V4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZkmV9HveNee0
+3kiyWOnooHreu9uGOz0G9IGhlGyD2p9Wz/TZOJuFXS82SxWFsMc0/PomMCaWT/Wk
+MIs/yHm9uKN6MHgwHQYDVR0OBBYEFFsgykF9kIjHpMAXy2wMHHObsH2KMB8GA1Ud
+IwQYMBaAFHq3WjzSlcpd98UVCRbhj/XMN2oVMAkGA1UdEwQCMAAwEwYDVR0lBAww
+CgYIKwYBBQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID
+RwAwRAIfIckDKlyKk4ctP0rvMhqVdN2VbUO9k8NplExy1pAoWAIhAMizKQ16835X
+GoTXBNutM50ph9QYUtxZNvISlHBjkRGB
+-----END CERTIFICATE-----
+subject= /CN=Issuer CA
+issuer= /CN=Root CA
+notBefore=Dec 13 23:20:09 2015 GMT
+notAfter=Apr 15 23:20:09 3015 GMT
+-----BEGIN CERTIFICATE-----
+MIIBaDCCAQ2gAwIBAgIBAjAKBggqhkjOPQQDAjASMRAwDgYDVQQDDAdSb290IENB
+MCAXDTE1MTIxMzIzMjAwOVoYDzMwMTUwNDE1MjMyMDA5WjAUMRIwEAYDVQQDDAlJ
+c3N1ZXIgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR9S64YtJ9dxp0KPIXG
+aj4hGd6Sz60IH61VwS1RDsl7bADhNpWo2XE1SP5g3xVXM5BDPiob2S20t6oBbsYY
+XcWvo1AwTjAdBgNVHQ4EFgQUerdaPNKVyl33xRUJFuGP9cw3ahUwHwYDVR0jBBgw
+FoAU5L1AXwUqgg3fmIP5PX0/kKrscj8wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQD
+AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
+GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
+-----END CERTIFICATE-----
+
+# 31
1 2 0 0 1
0 1 1 65A457617072DA3E7F1152471EB3D406526530097D0A9AA34EB47C990A1FCDA3
subject= /CN=example.com
@@ -962,7 +1091,7 @@ AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
-# 27
+# 32
1 3 0 0 1
0 0 2 6BC0C0F2500320A49392910965263A3EBDD594173D3E36CCE38A003D2EC3FAFBC315EDB776CD3139637DF494FB60359601542A4F821BF0542F926E6270C9762C
subject= /CN=example.com
@@ -1009,7 +1138,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
-# 28
+# 33
1 3 0 0 1
0 1 2 1F484106F765B6F1AC483CC509CDAD36486A83D1BA115F562516F407C1109303658408B455824DA0785A252B205DBEECB1AFB5DB869E8AAC242091B63F258F05
subject= /CN=example.com
@@ -1056,7 +1185,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
-# 29
+# 34
1 2 0 0 2
0 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3C
subject= /CN=example.com
@@ -1089,7 +1218,7 @@ AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
-# 30
+# 35
1 2 0 0 2
0 1 1 91D942E4A2D4226DDAF28CADAA7F13018E4ED0D9A43A529247E51C965188576C
subject= /CN=example.com
@@ -1122,7 +1251,7 @@ AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
-# 31
+# 36
1 3 0 0 2
0 0 2 361029F20A3B59DAFAAF05D41811EFC1A9439B972BC6B9D7F13BC5469570E49ACAE0CB0C877C75D58346590EA950AC7A39AED6E8AA8004EA7F5DE3AB9462047E
subject= /CN=example.com
@@ -1169,7 +1298,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
-# 32
+# 37
1 3 0 0 2
0 1 2 5F414D4D7BFDF22E39952D9F46C51370FDD050F10C55B4CDB42E40FA98611FDE23EEE9B23315EE1ECDB198C7419E9A2D6742860E4806AF45164507799C3B452E
subject= /CN=example.com
@@ -1218,7 +1347,7 @@ vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
## -- PKIX-?? chain failures --
-# 33
+# 38
# Missing intermediate CA
1 1 0 20 0
1 0 1 BEDC04764CECAE80AEE454D332758F50847DCA424216466E4012E0DEAE1F2E5F
@@ -1238,7 +1367,7 @@ RwAwRAIfIckDKlyKk4ctP0rvMhqVdN2VbUO9k8NplExy1pAoWAIhAMizKQ16835X
GoTXBNutM50ph9QYUtxZNvISlHBjkRGB
-----END CERTIFICATE-----
-# 34
+# 39
# Missing PKIX intermediate, provided via DNS
2 1 0 0 0
1 1 1 3111668338043DE264D0256A702248696C9484B6221A42740F920187B4C61838
@@ -1259,7 +1388,7 @@ RwAwRAIfIckDKlyKk4ctP0rvMhqVdN2VbUO9k8NplExy1pAoWAIhAMizKQ16835X
GoTXBNutM50ph9QYUtxZNvISlHBjkRGB
-----END CERTIFICATE-----
-# 35
+# 40
# Wrong leaf digest
1 3 0 65 -1
1 0 2 F756CCD61F3CA50D017653911701CA0052AF0B29E273DD263DD23643D86D4369D03686BD1369EF54BB2DC2DAE3CE4F05AF39D54648F94D54AA86B259AEAD9924
@@ -1307,7 +1436,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
-# 36
+# 41
# Wrong intermediate digest
1 2 0 65 -1
0 0 1 0DAA76425A1FC398C55A643D5A2485AE4CC2B64B9515A75054722B2E83C31BBE
@@ -1341,7 +1470,7 @@ AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
-# 37
+# 42
# Wrong root digest
1 2 0 65 -1
0 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3D
@@ -1377,7 +1506,7 @@ GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
## -- Mixed usage cases
-# 38
+# 43
# DANE-EE(3) beats DANE-TA(2)
1 3 0 0 0
3 1 2 CB861AF6DDED185EE04472A9092052CCC735120C34785E72C996C94B122EBA6F329BE630B1B4C6E2756E7A75392C21E253C6AEACC31FD45FF4595DED375FAF62
@@ -1426,7 +1555,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
-# 39
+# 44
# DANE-TA(2) depth 1 beats DANE-TA(2) depth 2
1 3 0 0 1
2 1 2 1F484106F765B6F1AC483CC509CDAD36486A83D1BA115F562516F407C1109303658408B455824DA0785A252B205DBEECB1AFB5DB869E8AAC242091B63F258F05
@@ -1475,7 +1604,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
-# 40
+# 45
# DANE-TA(2) depth 2 beats PKIX-TA(0) depth 1
1 3 0 0 2
2 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3C
@@ -1524,7 +1653,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
-# 41
+# 46
# DANE-TA(2) depth 2 beats PKIX-EE depth 0
1 3 0 0 2
2 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3C
@@ -1573,7 +1702,7 @@ RwAwRAIgaGnmqp+bTUvzCAkaWnqyww42GbDXXlKIGUaOS7km9MkCIBfxuEWGEZZv
vBCcrtNYKWa/JfwFmOq6bHk8WNzDU3zF
-----END CERTIFICATE-----
-# 42
+# 47
# DANE-TA(2) Full(0) root "from DNS":
1 2 0 0 2
2 0 0 308201643082010BA003020102020101300A06082A8648CE3D04030230123110300E06035504030C07526F6F742043413020170D3135313231333233313330385A180F33303135303431353233313330385A30123110300E06035504030C07526F6F742043413059301306072A8648CE3D020106082A8648CE3D03010703420004D1DA578FD18FB86456B0D91B5656BDD68D4DDBD250E337571127C75E0560F41D0AF91BFAF8805F80C28C026A14D4FE8C30A9673B9EC0C05A84AA810D1341B76CA350304E301D0603551D0E04160414E4BD405F052A820DDF9883F93D7D3F90AAEC723F301F0603551D23041830168014E4BD405F052A820DDF9883F93D7D3F90AAEC723F300C0603551D13040530030101FF300A06082A8648CE3D040302034700304402206869E6AA9F9B4D4BF308091A5A7AB2C30E3619B0D75E528819468E4BB926F4C9022017F1B8458611966FBC109CAED3582966BF25FC0598EABA6C793C58DCC3537CC5
@@ -1607,7 +1736,7 @@ AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
-# 43
+# 48
# DANE-TA(2) Full(0) intermediate "from DNS":
1 1 0 0 1
2 0 0 308201683082010DA003020102020102300A06082A8648CE3D04030230123110300E06035504030C07526F6F742043413020170D3135313231333233323030395A180F33303135303431353233323030395A30143112301006035504030C094973737565722043413059301306072A8648CE3D020106082A8648CE3D030107034200047D4BAE18B49F5DC69D0A3C85C66A3E2119DE92CFAD081FAD55C12D510EC97B6C00E13695A8D9713548FE60DF15573390433E2A1BD92DB4B7AA016EC6185DC5AFA350304E301D0603551D0E041604147AB75A3CD295CA5DF7C5150916E18FF5CC376A15301F0603551D23041830168014E4BD405F052A820DDF9883F93D7D3F90AAEC723F300C0603551D13040530030101FF300A06082A8648CE3D0403020349003046022100831DCD882DA8785D50E41020898C0248879DDDF72D701D1DC1DE6BE08155B43E022100B84B2FB519C4CD3CBC791603D4488F7707597DB7980D9C173E7FDD0ECD7CA308
@@ -1627,7 +1756,7 @@ RwAwRAIfIckDKlyKk4ctP0rvMhqVdN2VbUO9k8NplExy1pAoWAIhAMizKQ16835X
GoTXBNutM50ph9QYUtxZNvISlHBjkRGB
-----END CERTIFICATE-----
-# 44
+# 49
# DANE-TA(2) SPKI(1) Full(0) intermediate "from DNS":
1 1 0 0 0
2 1 0 3059301306072A8648CE3D020106082A8648CE3D030107034200047D4BAE18B49F5DC69D0A3C85C66A3E2119DE92CFAD081FAD55C12D510EC97B6C00E13695A8D9713548FE60DF15573390433E2A1BD92DB4B7AA016EC6185DC5AF
@@ -1647,7 +1776,7 @@ RwAwRAIfIckDKlyKk4ctP0rvMhqVdN2VbUO9k8NplExy1pAoWAIhAMizKQ16835X
GoTXBNutM50ph9QYUtxZNvISlHBjkRGB
-----END CERTIFICATE-----
-# 45
+# 50
# DANE-TA(2) SPKI(1) Full(0) root "from DNS":
1 2 0 0 1
2 1 0 3059301306072A8648CE3D020106082A8648CE3D03010703420004D1DA578FD18FB86456B0D91B5656BDD68D4DDBD250E337571127C75E0560F41D0AF91BFAF8805F80C28C026A14D4FE8C30A9673B9EC0C05A84AA810D1341B76C
@@ -1681,7 +1810,7 @@ AgNJADBGAiEAgx3NiC2oeF1Q5BAgiYwCSIed3fctcB0dwd5r4IFVtD4CIQC4Sy+1
GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
-# 46
+# 51
# Mismatched name "example.org", should still succeed given a
# DANE-EE(3) match.
1 3 1 0 0
@@ -1730,7 +1859,7 @@ AgNJADBGAiEAumhPWZ37swl10awM/amX+jv0UlUyJBf8RGA6QMG5bwICIQDbinER
fEevg+GOsr1P6nNMCAsQd9NwsvTQ+jm+TBArWQ==
-----END CERTIFICATE-----
-# 47
+# 52
# Mismatched name "example.org", should fail despite a DANE-TA(2)
# match for the intermediate CA.
1 3 0 62 1
@@ -1779,7 +1908,7 @@ AgNJADBGAiEAumhPWZ37swl10awM/amX+jv0UlUyJBf8RGA6QMG5bwICIQDbinER
fEevg+GOsr1P6nNMCAsQd9NwsvTQ+jm+TBArWQ==
-----END CERTIFICATE-----
-# 48
+# 53
# Mismatched name "example.org", should fail despite a DANE-TA(2)
# match for the root CA.
1 3 0 62 2
@@ -1828,7 +1957,7 @@ AgNJADBGAiEAumhPWZ37swl10awM/amX+jv0UlUyJBf8RGA6QMG5bwICIQDbinER
fEevg+GOsr1P6nNMCAsQd9NwsvTQ+jm+TBArWQ==
-----END CERTIFICATE-----
-# 49
+# 54
# Mismatched name "example.org", should fail when name checks
# are not disabled for DANE-EE(3).
1 3 0 62 0
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index a6667105..6b484f87 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -37,6 +37,10 @@
#include "internal/sizes.h"
#include "crypto/evp.h"
+#ifdef STATIC_LEGACY
+OSSL_provider_init_fn ossl_legacy_provider_init;
+#endif
+
static OSSL_LIB_CTX *testctx = NULL;
static char *testpropq = NULL;
@@ -486,6 +490,10 @@ static const unsigned char cfbPlaintext[] = {
0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 0xE9, 0x3D, 0x7E, 0x11,
0x73, 0x93, 0x17, 0x2A
};
+static const unsigned char cfbPlaintext_partial[] = {
+ 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 0xE9, 0x3D, 0x7E, 0x11,
+ 0x73, 0x93, 0x17, 0x2A, 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
+};
static const unsigned char gcmDefaultPlaintext[16] = { 0 };
@@ -502,6 +510,16 @@ static const unsigned char cfbCiphertext[] = {
0xE8, 0x3C, 0xFB, 0x4A
};
+static const unsigned char cfbCiphertext_partial[] = {
+ 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 0x33, 0x34, 0x49, 0xF8,
+ 0xE8, 0x3C, 0xFB, 0x4A, 0x0D, 0x4A, 0x71, 0x82, 0x90, 0xF0, 0x9A, 0x35
+};
+
+static const unsigned char ofbCiphertext_partial[] = {
+ 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 0x33, 0x34, 0x49, 0xF8,
+ 0xE8, 0x3C, 0xFB, 0x4A, 0xB2, 0x65, 0x64, 0x38, 0x26, 0xD2, 0xBC, 0x09
+};
+
static const unsigned char gcmDefaultCiphertext[] = {
0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e, 0x07, 0x4e, 0xc5, 0xd3,
0xba, 0xf3, 0x9d, 0x18
@@ -1133,11 +1151,11 @@ static int test_EVP_PKEY_sign(int tst)
if (tst == 0 ) {
if (!TEST_ptr(pkey = load_example_rsa_key()))
- goto out;
+ goto out;
} else if (tst == 1) {
#ifndef OPENSSL_NO_DSA
if (!TEST_ptr(pkey = load_example_dsa_key()))
- goto out;
+ goto out;
#else
ret = 1;
goto out;
@@ -1145,7 +1163,82 @@ static int test_EVP_PKEY_sign(int tst)
} else {
#ifndef OPENSSL_NO_EC
if (!TEST_ptr(pkey = load_example_ec_key()))
+ goto out;
+#else
+ ret = 1;
+ goto out;
+#endif
+ }
+
+ ctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, NULL);
+ if (!TEST_ptr(ctx)
+ || !TEST_int_gt(EVP_PKEY_sign_init(ctx), 0)
+ || !TEST_int_gt(EVP_PKEY_sign(ctx, NULL, &sig_len, tbs,
+ sizeof(tbs)), 0))
+ goto out;
+ sig = OPENSSL_malloc(sig_len);
+ if (!TEST_ptr(sig)
+ /* Test sending a signature buffer that is too short is rejected */
+ || !TEST_int_le(EVP_PKEY_sign(ctx, sig, &shortsig_len, tbs,
+ sizeof(tbs)), 0)
+ || !TEST_int_gt(EVP_PKEY_sign(ctx, sig, &sig_len, tbs, sizeof(tbs)),
+ 0)
+ /* Test the signature round-trips */
+ || !TEST_int_gt(EVP_PKEY_verify_init(ctx), 0)
+ || !TEST_int_gt(EVP_PKEY_verify(ctx, sig, sig_len, tbs, sizeof(tbs)),
+ 0))
+ goto out;
+
+ ret = 1;
+ out:
+ EVP_PKEY_CTX_free(ctx);
+ OPENSSL_free(sig);
+ EVP_PKEY_free(pkey);
+ return ret;
+}
+
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+static int test_EVP_PKEY_sign_with_app_method(int tst)
+{
+ int ret = 0;
+ EVP_PKEY *pkey = NULL;
+ RSA *rsa = NULL;
+ RSA_METHOD *rsa_meth = NULL;
+#ifndef OPENSSL_NO_DSA
+ DSA *dsa = NULL;
+ DSA_METHOD *dsa_meth = NULL;
+#endif
+ unsigned char *sig = NULL;
+ size_t sig_len = 0, shortsig_len = 1;
+ EVP_PKEY_CTX *ctx = NULL;
+ unsigned char tbs[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+ 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13
+ };
+
+ if (tst == 0) {
+ if (!TEST_ptr(pkey = load_example_rsa_key()))
+ goto out;
+ if (!TEST_ptr(rsa_meth = RSA_meth_dup(RSA_get_default_method())))
+ goto out;
+
+ if (!TEST_ptr(rsa = EVP_PKEY_get1_RSA(pkey))
+ || !TEST_int_gt(RSA_set_method(rsa, rsa_meth), 0)
+ || !TEST_int_gt(EVP_PKEY_assign_RSA(pkey, rsa), 0))
+ goto out;
+ rsa = NULL; /* now owned by the pkey */
+ } else {
+#ifndef OPENSSL_NO_DSA
+ if (!TEST_ptr(pkey = load_example_dsa_key()))
goto out;
+ if (!TEST_ptr(dsa_meth = DSA_meth_dup(DSA_get_default_method())))
+ goto out;
+
+ if (!TEST_ptr(dsa = EVP_PKEY_get1_DSA(pkey))
+ || !TEST_int_gt(DSA_set_method(dsa, dsa_meth), 0)
+ || !TEST_int_gt(EVP_PKEY_assign_DSA(pkey, dsa), 0))
+ goto out;
+ dsa = NULL; /* now owned by the pkey */
#else
ret = 1;
goto out;
@@ -1176,8 +1269,15 @@ static int test_EVP_PKEY_sign(int tst)
EVP_PKEY_CTX_free(ctx);
OPENSSL_free(sig);
EVP_PKEY_free(pkey);
+ RSA_free(rsa);
+ RSA_meth_free(rsa_meth);
+#ifndef OPENSSL_NO_DSA
+ DSA_free(dsa);
+ DSA_meth_free(dsa_meth);
+#endif
return ret;
}
+#endif /* !OPENSSL_NO_DEPRECATED_3_0 */
/*
* n = 0 => test using legacy cipher
@@ -2830,6 +2930,36 @@ static int test_RSA_OAEP_set_get_params(void)
return ret;
}
+/* https://github.com/openssl/openssl/issues/21288 */
+static int test_RSA_OAEP_set_null_label(void)
+{
+ int ret = 0;
+ EVP_PKEY *key = NULL;
+ EVP_PKEY_CTX *key_ctx = NULL;
+
+ if (!TEST_ptr(key = load_example_rsa_key())
+ || !TEST_ptr(key_ctx = EVP_PKEY_CTX_new_from_pkey(testctx, key, NULL))
+ || !TEST_true(EVP_PKEY_encrypt_init(key_ctx)))
+ goto err;
+
+ if (!TEST_true(EVP_PKEY_CTX_set_rsa_padding(key_ctx, RSA_PKCS1_OAEP_PADDING)))
+ goto err;
+
+ if (!TEST_true(EVP_PKEY_CTX_set0_rsa_oaep_label(key_ctx, OPENSSL_strdup("foo"), 0)))
+ goto err;
+
+ if (!TEST_true(EVP_PKEY_CTX_set0_rsa_oaep_label(key_ctx, NULL, 0)))
+ goto err;
+
+ ret = 1;
+
+ err:
+ EVP_PKEY_free(key);
+ EVP_PKEY_CTX_free(key_ctx);
+
+ return ret;
+}
+
#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
static int test_decrypt_null_chunks(void)
{
@@ -3628,6 +3758,30 @@ static const EVP_INIT_TEST_st evp_init_tests[] = {
}
};
+/* use same key, iv and plaintext for cfb and ofb */
+static const EVP_INIT_TEST_st evp_reinit_tests[] = {
+ {
+ "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbPlaintext_partial,
+ cfbCiphertext_partial, NULL, 0, sizeof(cfbPlaintext_partial),
+ sizeof(cfbCiphertext_partial), 0, 0, 1, 0
+ },
+ {
+ "aes-128-cfb", kCFBDefaultKey, iCFBIV, cfbCiphertext_partial,
+ cfbPlaintext_partial, NULL, 0, sizeof(cfbCiphertext_partial),
+ sizeof(cfbPlaintext_partial), 0, 0, 0, 0
+ },
+ {
+ "aes-128-ofb", kCFBDefaultKey, iCFBIV, cfbPlaintext_partial,
+ ofbCiphertext_partial, NULL, 0, sizeof(cfbPlaintext_partial),
+ sizeof(ofbCiphertext_partial), 0, 0, 1, 0
+ },
+ {
+ "aes-128-ofb", kCFBDefaultKey, iCFBIV, ofbCiphertext_partial,
+ cfbPlaintext_partial, NULL, 0, sizeof(ofbCiphertext_partial),
+ sizeof(cfbPlaintext_partial), 0, 0, 0, 0
+ },
+};
+
static int evp_init_seq_set_iv(EVP_CIPHER_CTX *ctx, const EVP_INIT_TEST_st *t)
{
int res = 0;
@@ -3732,6 +3886,44 @@ static int test_evp_init_seq(int idx)
return testresult;
}
+/*
+ * Test re-initialization of cipher context without changing key or iv.
+ * The result of both iteration should be the same.
+ */
+static int test_evp_reinit_seq(int idx)
+{
+ int outlen1, outlen2, outlen_final;
+ int testresult = 0;
+ unsigned char outbuf1[1024];
+ unsigned char outbuf2[1024];
+ const EVP_INIT_TEST_st *t = &evp_reinit_tests[idx];
+ EVP_CIPHER_CTX *ctx = NULL;
+ EVP_CIPHER *type = NULL;
+
+ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
+ || !TEST_ptr(type = EVP_CIPHER_fetch(testctx, t->cipher, testpropq))
+ /* setup cipher context */
+ || !TEST_true(EVP_CipherInit_ex2(ctx, type, t->key, t->iv, t->initenc, NULL))
+ /* first iteration */
+ || !TEST_true(EVP_CipherUpdate(ctx, outbuf1, &outlen1, t->input, t->inlen))
+ || !TEST_true(EVP_CipherFinal_ex(ctx, outbuf1, &outlen_final))
+ /* check test results iteration 1 */
+ || !TEST_mem_eq(t->expected, t->expectedlen, outbuf1, outlen1 + outlen_final)
+ /* now re-init the context (same cipher, key and iv) */
+ || !TEST_true(EVP_CipherInit_ex2(ctx, NULL, NULL, NULL, -1, NULL))
+ /* second iteration */
+ || !TEST_true(EVP_CipherUpdate(ctx, outbuf2, &outlen2, t->input, t->inlen))
+ || !TEST_true(EVP_CipherFinal_ex(ctx, outbuf2, &outlen_final))
+ /* check test results iteration 2 */
+ || !TEST_mem_eq(t->expected, t->expectedlen, outbuf2, outlen2 + outlen_final))
+ goto err;
+ testresult = 1;
+ err:
+ EVP_CIPHER_CTX_free(ctx);
+ EVP_CIPHER_free(type);
+ return testresult;
+}
+
typedef struct {
const unsigned char *input;
const unsigned char *expected;
@@ -3815,7 +4007,7 @@ static int test_evp_reset(int idx)
TEST_info("test_evp_reset %d: %s", idx, errmsg);
EVP_CIPHER_CTX_free(ctx);
EVP_CIPHER_free(type);
- return testresult;
+ return testresult;
}
typedef struct {
@@ -4052,6 +4244,134 @@ static int test_gcm_reinit(int idx)
return testresult;
}
+static const char *ivlen_change_ciphers[] = {
+ "AES-256-GCM",
+#ifndef OPENSSL_NO_OCB
+ "AES-256-OCB",
+#endif
+ "AES-256-CCM"
+};
+
+/* Negative test for ivlen change after iv being set */
+static int test_ivlen_change(int idx)
+{
+ int outlen;
+ int res = 0;
+ unsigned char outbuf[1024];
+ static const unsigned char iv[] = {
+ 0x57, 0x71, 0x7d, 0xad, 0xdb, 0x9b, 0x98, 0x82,
+ 0x5a, 0x55, 0x91, 0x81, 0x42, 0xa8, 0x89, 0x34
+ };
+ EVP_CIPHER_CTX *ctx = NULL;
+ EVP_CIPHER *ciph = NULL;
+ OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END };
+ size_t ivlen = 13; /* non-default IV length */
+
+ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()))
+ goto err;
+
+ if (!TEST_ptr(ciph = EVP_CIPHER_fetch(testctx, ivlen_change_ciphers[idx],
+ testpropq)))
+ goto err;
+
+ if (!TEST_true(EVP_CipherInit_ex(ctx, ciph, NULL, kGCMDefaultKey, iv, 1)))
+ goto err;
+
+ if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen, gcmDefaultPlaintext,
+ sizeof(gcmDefaultPlaintext))))
+ goto err;
+
+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
+ &ivlen);
+ if (!TEST_true(EVP_CIPHER_CTX_set_params(ctx, params)))
+ goto err;
+
+ ERR_set_mark();
+ if (!TEST_false(EVP_CipherUpdate(ctx, outbuf, &outlen, gcmDefaultPlaintext,
+ sizeof(gcmDefaultPlaintext)))) {
+ ERR_clear_last_mark();
+ goto err;
+ }
+ ERR_pop_to_mark();
+
+ res = 1;
+ err:
+ EVP_CIPHER_CTX_free(ctx);
+ EVP_CIPHER_free(ciph);
+ return res;
+}
+
+static const char *keylen_change_ciphers[] = {
+#ifndef OPENSSL_NO_BF
+ "BF-ECB",
+#endif
+#ifndef OPENSSL_NO_CAST
+ "CAST5-ECB",
+#endif
+#ifndef OPENSSL_NO_RC2
+ "RC2-ECB",
+#endif
+#ifndef OPENSSL_NO_RC4
+ "RC4",
+#endif
+#ifndef OPENSSL_NO_RC5
+ "RC5-ECB",
+#endif
+ NULL
+};
+
+/* Negative test for keylen change after key was set */
+static int test_keylen_change(int idx)
+{
+ int outlen;
+ int res = 0;
+ unsigned char outbuf[1024];
+ static const unsigned char key[] = {
+ 0x57, 0x71, 0x7d, 0xad, 0xdb, 0x9b, 0x98, 0x82,
+ 0x5a, 0x55, 0x91, 0x81, 0x42, 0xa8, 0x89, 0x34
+ };
+ EVP_CIPHER_CTX *ctx = NULL;
+ EVP_CIPHER *ciph = NULL;
+ OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END };
+ size_t keylen = 12; /* non-default key length */
+
+ if (lgcyprov == NULL)
+ return TEST_skip("Test requires legacy provider to be loaded");
+
+ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()))
+ goto err;
+
+ if (!TEST_ptr(ciph = EVP_CIPHER_fetch(testctx, keylen_change_ciphers[idx],
+ testpropq)))
+ goto err;
+
+ if (!TEST_true(EVP_CipherInit_ex(ctx, ciph, NULL, key, NULL, 1)))
+ goto err;
+
+ if (!TEST_true(EVP_CipherUpdate(ctx, outbuf, &outlen, gcmDefaultPlaintext,
+ sizeof(gcmDefaultPlaintext))))
+ goto err;
+
+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN,
+ &keylen);
+ if (!TEST_true(EVP_CIPHER_CTX_set_params(ctx, params)))
+ goto err;
+
+ ERR_set_mark();
+ if (!TEST_false(EVP_CipherUpdate(ctx, outbuf, &outlen, gcmDefaultPlaintext,
+ sizeof(gcmDefaultPlaintext)))) {
+ ERR_clear_last_mark();
+ goto err;
+ }
+ ERR_pop_to_mark();
+
+ res = 1;
+ err:
+ EVP_CIPHER_CTX_free(ctx);
+ EVP_CIPHER_free(ciph);
+ return res;
+}
+
#ifndef OPENSSL_NO_DEPRECATED_3_0
static EVP_PKEY_METHOD *custom_pmeth = NULL;
static const EVP_PKEY_METHOD *orig_pmeth = NULL;
@@ -4739,6 +5059,253 @@ static int test_ecx_not_private_key(int tst)
}
#endif /* OPENSSL_NO_EC */
+static int aes_gcm_encrypt(const unsigned char *gcm_key, size_t gcm_key_s,
+ const unsigned char *gcm_iv, size_t gcm_ivlen,
+ const unsigned char *gcm_pt, size_t gcm_pt_s,
+ const unsigned char *gcm_aad, size_t gcm_aad_s,
+ const unsigned char *gcm_ct, size_t gcm_ct_s,
+ const unsigned char *gcm_tag, size_t gcm_tag_s)
+{
+ int ret = 0;
+ EVP_CIPHER_CTX *ctx;
+ EVP_CIPHER *cipher = NULL;
+ int outlen, tmplen;
+ unsigned char outbuf[1024];
+ unsigned char outtag[16];
+ OSSL_PARAM params[2] = {
+ OSSL_PARAM_END, OSSL_PARAM_END
+ };
+
+ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
+ || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", "")))
+ goto err;
+
+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
+ &gcm_ivlen);
+
+ if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params))
+ || (gcm_aad != NULL
+ && !TEST_true(EVP_EncryptUpdate(ctx, NULL, &outlen,
+ gcm_aad, gcm_aad_s)))
+ || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen,
+ gcm_pt, gcm_pt_s))
+ || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen)))
+ goto err;
+
+ params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
+ outtag, sizeof(outtag));
+
+ if (!TEST_true(EVP_CIPHER_CTX_get_params(ctx, params))
+ || !TEST_mem_eq(outbuf, outlen, gcm_ct, gcm_ct_s)
+ || !TEST_mem_eq(outtag, gcm_tag_s, gcm_tag, gcm_tag_s))
+ goto err;
+
+ ret = 1;
+err:
+ EVP_CIPHER_free(cipher);
+ EVP_CIPHER_CTX_free(ctx);
+
+ return ret;
+}
+
+static int aes_gcm_decrypt(const unsigned char *gcm_key, size_t gcm_key_s,
+ const unsigned char *gcm_iv, size_t gcm_ivlen,
+ const unsigned char *gcm_pt, size_t gcm_pt_s,
+ const unsigned char *gcm_aad, size_t gcm_aad_s,
+ const unsigned char *gcm_ct, size_t gcm_ct_s,
+ const unsigned char *gcm_tag, size_t gcm_tag_s)
+{
+ int ret = 0;
+ EVP_CIPHER_CTX *ctx;
+ EVP_CIPHER *cipher = NULL;
+ int outlen;
+ unsigned char outbuf[1024];
+ OSSL_PARAM params[2] = {
+ OSSL_PARAM_END, OSSL_PARAM_END
+ };
+
+ if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
+ goto err;
+
+ if ((cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", "")) == NULL)
+ goto err;
+
+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN,
+ &gcm_ivlen);
+
+ if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params))
+ || (gcm_aad != NULL
+ && !TEST_true(EVP_DecryptUpdate(ctx, NULL, &outlen,
+ gcm_aad, gcm_aad_s)))
+ || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen,
+ gcm_ct, gcm_ct_s))
+ || !TEST_mem_eq(outbuf, outlen, gcm_pt, gcm_pt_s))
+ goto err;
+
+ params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG,
+ (void*)gcm_tag, gcm_tag_s);
+
+ if (!TEST_true(EVP_CIPHER_CTX_set_params(ctx, params))
+ ||!TEST_true(EVP_DecryptFinal_ex(ctx, outbuf, &outlen)))
+ goto err;
+
+ ret = 1;
+err:
+ EVP_CIPHER_free(cipher);
+ EVP_CIPHER_CTX_free(ctx);
+
+ return ret;
+}
+
+static int test_aes_gcm_ivlen_change_cve_2023_5363(void)
+{
+ /* AES-GCM test data obtained from NIST public test vectors */
+ static const unsigned char gcm_key[] = {
+ 0xd0, 0xc2, 0x67, 0xc1, 0x9f, 0x30, 0xd8, 0x0b, 0x89, 0x14, 0xbb, 0xbf,
+ 0xb7, 0x2f, 0x73, 0xb8, 0xd3, 0xcd, 0x5f, 0x6a, 0x78, 0x70, 0x15, 0x84,
+ 0x8a, 0x7b, 0x30, 0xe3, 0x8f, 0x16, 0xf1, 0x8b,
+ };
+ static const unsigned char gcm_iv[] = {
+ 0xb6, 0xdc, 0xda, 0x95, 0xac, 0x99, 0x77, 0x76, 0x25, 0xae, 0x87, 0xf8,
+ 0xa3, 0xa9, 0xdd, 0x64, 0xd7, 0x9b, 0xbd, 0x5f, 0x4a, 0x0e, 0x54, 0xca,
+ 0x1a, 0x9f, 0xa2, 0xe3, 0xf4, 0x5f, 0x5f, 0xc2, 0xce, 0xa7, 0xb6, 0x14,
+ 0x12, 0x6f, 0xf0, 0xaf, 0xfd, 0x3e, 0x17, 0x35, 0x6e, 0xa0, 0x16, 0x09,
+ 0xdd, 0xa1, 0x3f, 0xd8, 0xdd, 0xf3, 0xdf, 0x4f, 0xcb, 0x18, 0x49, 0xb8,
+ 0xb3, 0x69, 0x2c, 0x5d, 0x4f, 0xad, 0x30, 0x91, 0x08, 0xbc, 0xbe, 0x24,
+ 0x01, 0x0f, 0xbe, 0x9c, 0xfb, 0x4f, 0x5d, 0x19, 0x7f, 0x4c, 0x53, 0xb0,
+ 0x95, 0x90, 0xac, 0x7b, 0x1f, 0x7b, 0xa0, 0x99, 0xe1, 0xf3, 0x48, 0x54,
+ 0xd0, 0xfc, 0xa9, 0xcc, 0x91, 0xf8, 0x1f, 0x9b, 0x6c, 0x9a, 0xe0, 0xdc,
+ 0x63, 0xea, 0x7d, 0x2a, 0x4a, 0x7d, 0xa5, 0xed, 0x68, 0x57, 0x27, 0x6b,
+ 0x68, 0xe0, 0xf2, 0xb8, 0x51, 0x50, 0x8d, 0x3d,
+ };
+ static const unsigned char gcm_pt[] = {
+ 0xb8, 0xb6, 0x88, 0x36, 0x44, 0xe2, 0x34, 0xdf, 0x24, 0x32, 0x91, 0x07,
+ 0x4f, 0xe3, 0x6f, 0x81,
+ };
+ static const unsigned char gcm_ct[] = {
+ 0xff, 0x4f, 0xb3, 0xf3, 0xf9, 0xa2, 0x51, 0xd4, 0x82, 0xc2, 0xbe, 0xf3,
+ 0xe2, 0xd0, 0xec, 0xed,
+ };
+ static const unsigned char gcm_tag[] = {
+ 0xbd, 0x06, 0x38, 0x09, 0xf7, 0xe1, 0xc4, 0x72, 0x0e, 0xf2, 0xea, 0x63,
+ 0xdb, 0x99, 0x6c, 0x21,
+ };
+
+ return aes_gcm_encrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv),
+ gcm_pt, sizeof(gcm_pt), NULL, 0,
+ gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag))
+ && aes_gcm_decrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv),
+ gcm_pt, sizeof(gcm_pt), NULL, 0,
+ gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag));
+}
+
+#ifndef OPENSSL_NO_RC4
+static int rc4_encrypt(const unsigned char *rc4_key, size_t rc4_key_s,
+ const unsigned char *rc4_pt, size_t rc4_pt_s,
+ const unsigned char *rc4_ct, size_t rc4_ct_s)
+{
+ int ret = 0;
+ EVP_CIPHER_CTX *ctx;
+ EVP_CIPHER *cipher = NULL;
+ int outlen, tmplen;
+ unsigned char outbuf[1024];
+ OSSL_PARAM params[2] = {
+ OSSL_PARAM_END, OSSL_PARAM_END
+ };
+
+ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
+ || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "RC4", "")))
+ goto err;
+
+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN,
+ &rc4_key_s);
+
+ if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, rc4_key, NULL, params))
+ || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen,
+ rc4_pt, rc4_pt_s))
+ || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen)))
+ goto err;
+
+ if (!TEST_mem_eq(outbuf, outlen, rc4_ct, rc4_ct_s))
+ goto err;
+
+ ret = 1;
+err:
+ EVP_CIPHER_free(cipher);
+ EVP_CIPHER_CTX_free(ctx);
+
+ return ret;
+}
+
+static int rc4_decrypt(const unsigned char *rc4_key, size_t rc4_key_s,
+ const unsigned char *rc4_pt, size_t rc4_pt_s,
+ const unsigned char *rc4_ct, size_t rc4_ct_s)
+{
+ int ret = 0;
+ EVP_CIPHER_CTX *ctx;
+ EVP_CIPHER *cipher = NULL;
+ int outlen;
+ unsigned char outbuf[1024];
+ OSSL_PARAM params[2] = {
+ OSSL_PARAM_END, OSSL_PARAM_END
+ };
+
+ if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
+ goto err;
+
+ if ((cipher = EVP_CIPHER_fetch(testctx, "RC4", "")) == NULL)
+ goto err;
+
+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN,
+ &rc4_key_s);
+
+ if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, rc4_key, NULL, params))
+ || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen,
+ rc4_ct, rc4_ct_s))
+ || !TEST_mem_eq(outbuf, outlen, rc4_pt, rc4_pt_s))
+ goto err;
+
+ ret = 1;
+err:
+ EVP_CIPHER_free(cipher);
+ EVP_CIPHER_CTX_free(ctx);
+
+ return ret;
+}
+
+static int test_aes_rc4_keylen_change_cve_2023_5363(void)
+{
+ /* RC4 test data obtained from RFC 6229 */
+ static const struct {
+ unsigned char key[5];
+ unsigned char padding[11];
+ } rc4_key = {
+ { /* Five bytes of key material */
+ 0x83, 0x32, 0x22, 0x77, 0x2a,
+ },
+ { /* Random padding to 16 bytes */
+ 0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a, 0xaa, 0x32, 0x91
+ }
+ };
+ static const unsigned char rc4_pt[] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+ };
+ static const unsigned char rc4_ct[] = {
+ 0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a,
+ 0x2e, 0x87, 0x9e, 0x92, 0xa4, 0x97, 0xef, 0xda
+ };
+
+ if (lgcyprov == NULL)
+ return TEST_skip("Test requires legacy provider to be loaded");
+
+ return rc4_encrypt(rc4_key.key, sizeof(rc4_key.key),
+ rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct))
+ && rc4_decrypt(rc4_key.key, sizeof(rc4_key.key),
+ rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct));
+}
+#endif
+
int setup_tests(void)
{
OPTION_CHOICE o;
@@ -4750,6 +5317,15 @@ int setup_tests(void)
testctx = OSSL_LIB_CTX_new();
if (!TEST_ptr(testctx))
return 0;
+#ifdef STATIC_LEGACY
+ /*
+ * This test is always statically linked against libcrypto. We must not
+ * attempt to load legacy.so that might be dynamically linked against
+ * libcrypto. Instead we use a built-in version of the legacy provider.
+ */
+ if (!OSSL_PROVIDER_add_builtin(testctx, "legacy", ossl_legacy_provider_init))
+ return 0;
+#endif
/* Swap the libctx to test non-default context only */
nullprov = OSSL_PROVIDER_load(NULL, "null");
deflprov = OSSL_PROVIDER_load(testctx, "default");
@@ -4771,6 +5347,9 @@ int setup_tests(void)
ADD_TEST(test_EVP_Digest);
ADD_TEST(test_EVP_md_null);
ADD_ALL_TESTS(test_EVP_PKEY_sign, 3);
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+ ADD_ALL_TESTS(test_EVP_PKEY_sign_with_app_method, 2);
+#endif
ADD_ALL_TESTS(test_EVP_Enveloped, 2);
ADD_ALL_TESTS(test_d2i_AutoPrivateKey, OSSL_NELEM(keydata));
ADD_TEST(test_privatekey_to_pkcs8);
@@ -4814,6 +5393,7 @@ int setup_tests(void)
#endif
ADD_TEST(test_RSA_get_set_params);
ADD_TEST(test_RSA_OAEP_set_get_params);
+ ADD_TEST(test_RSA_OAEP_set_null_label);
#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
ADD_TEST(test_decrypt_null_chunks);
#endif
@@ -4850,8 +5430,12 @@ int setup_tests(void)
ADD_ALL_TESTS(test_evp_init_seq, OSSL_NELEM(evp_init_tests));
ADD_ALL_TESTS(test_evp_reset, OSSL_NELEM(evp_reset_tests));
+ ADD_ALL_TESTS(test_evp_reinit_seq, OSSL_NELEM(evp_reinit_tests));
ADD_ALL_TESTS(test_gcm_reinit, OSSL_NELEM(gcm_reinit_tests));
ADD_ALL_TESTS(test_evp_updated_iv, OSSL_NELEM(evp_updated_iv_tests));
+ ADD_ALL_TESTS(test_ivlen_change, OSSL_NELEM(ivlen_change_ciphers));
+ if (OSSL_NELEM(keylen_change_ciphers) - 1 > 0)
+ ADD_ALL_TESTS(test_keylen_change, OSSL_NELEM(keylen_change_ciphers) - 1);
#ifndef OPENSSL_NO_DEPRECATED_3_0
ADD_ALL_TESTS(test_custom_pmeth, 12);
@@ -4878,6 +5462,12 @@ int setup_tests(void)
ADD_ALL_TESTS(test_ecx_not_private_key, OSSL_NELEM(keys));
#endif
+ /* Test cases for CVE-2023-5363 */
+ ADD_TEST(test_aes_gcm_ivlen_change_cve_2023_5363);
+#ifndef OPENSSL_NO_RC4
+ ADD_TEST(test_aes_rc4_keylen_change_cve_2023_5363);
+#endif
+
return 1;
}
diff --git a/test/evp_extra_test2.c b/test/evp_extra_test2.c
index 68329b02..06a6683e 100644
--- a/test/evp_extra_test2.c
+++ b/test/evp_extra_test2.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1221,6 +1221,24 @@ err:
}
#endif
+/*
+ * Currently, EVP_<OBJ>_fetch doesn't support
+ * colon separated alternative names for lookup
+ * so add a test here to ensure that when one is provided
+ * libcrypto returns an error
+ */
+static int evp_test_name_parsing(void)
+{
+ EVP_MD *md;
+
+ if (!TEST_ptr_null(md = EVP_MD_fetch(mainctx, "SHA256:BogusName", NULL))) {
+ EVP_MD_free(md);
+ return 0;
+ }
+
+ return 1;
+}
+
int setup_tests(void)
{
if (!test_get_libctx(&mainctx, &nullprov, NULL, NULL, NULL)) {
@@ -1229,6 +1247,7 @@ int setup_tests(void)
return 0;
}
+ ADD_TEST(evp_test_name_parsing);
ADD_TEST(test_alternative_default);
ADD_ALL_TESTS(test_d2i_AutoPrivateKey_ex, OSSL_NELEM(keydata));
#ifndef OPENSSL_NO_EC
diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c
index bab8da1c..8f35900b 100644
--- a/test/evp_kdf_test.c
+++ b/test/evp_kdf_test.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2018-2020, Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@@ -544,6 +544,55 @@ err:
return ret;
}
+static int test_kdf_pbkdf1_key_too_long(void)
+{
+ int ret = 0;
+ EVP_KDF_CTX *kctx = NULL;
+ unsigned char out[EVP_MAX_MD_SIZE + 1];
+ unsigned int iterations = 4096;
+ OSSL_LIB_CTX *libctx = NULL;
+ OSSL_PARAM *params = NULL;
+ OSSL_PROVIDER *legacyprov = NULL;
+ OSSL_PROVIDER *defprov = NULL;
+
+ if (!TEST_ptr(libctx = OSSL_LIB_CTX_new()))
+ goto err;
+
+ /* PBKDF1 only available in the legacy provider */
+ legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
+ if (legacyprov == NULL) {
+ OSSL_LIB_CTX_free(libctx);
+ return TEST_skip("PBKDF1 only available in legacy provider");
+ }
+
+ if (!TEST_ptr(defprov = OSSL_PROVIDER_load(libctx, "default")))
+ goto err;
+
+ params = construct_pbkdf1_params("passwordPASSWORDpassword", "sha256",
+ "saltSALTsaltSALTsaltSALTsaltSALTsalt",
+ &iterations);
+
+ /*
+ * This is the same test sequence as test_kdf_pbkdf1, but we expect
+ * failure here as the requested key size is longer than the digest
+ * can provide
+ */
+ if (!TEST_ptr(params)
+ || !TEST_ptr(kctx = get_kdfbyname_libctx(libctx, OSSL_KDF_NAME_PBKDF1))
+ || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))
+ || !TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), NULL), 0))
+ goto err;
+
+ ret = 1;
+err:
+ EVP_KDF_CTX_free(kctx);
+ OPENSSL_free(params);
+ OSSL_PROVIDER_unload(defprov);
+ OSSL_PROVIDER_unload(legacyprov);
+ OSSL_LIB_CTX_free(libctx);
+ return ret;
+}
+
static OSSL_PARAM *construct_pbkdf2_params(char *pass, char *digest, char *salt,
unsigned int *iter, int *mode)
{
@@ -1630,6 +1679,7 @@ static int test_kdf_krb5kdf(void)
int setup_tests(void)
{
ADD_TEST(test_kdf_pbkdf1);
+ ADD_TEST(test_kdf_pbkdf1_key_too_long);
#if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_CAMELLIA)
ADD_TEST(test_kdf_kbkdf_6803_128);
ADD_TEST(test_kdf_kbkdf_6803_256);
diff --git a/test/evp_pkey_provided_test.c b/test/evp_pkey_provided_test.c
index 1aabfef8..27f90e42 100644
--- a/test/evp_pkey_provided_test.c
+++ b/test/evp_pkey_provided_test.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1130,6 +1130,12 @@ static int test_fromdata_ecx(int tst)
/* This should succeed because there are no parameters to copy */
|| !TEST_true(EVP_PKEY_copy_parameters(copy_pk, pk)))
goto err;
+ if (!TEST_ptr(ctx2 = EVP_PKEY_CTX_new_from_pkey(NULL, copy_pk, NULL))
+ /* This should fail because copy_pk has no pubkey */
+ || !TEST_int_le(EVP_PKEY_public_check(ctx2), 0))
+ goto err;
+ EVP_PKEY_CTX_free(ctx2);
+ ctx2 = NULL;
EVP_PKEY_free(copy_pk);
copy_pk = NULL;
diff --git a/test/evp_test.c b/test/evp_test.c
index c781f65b..782841a6 100644
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -696,6 +696,9 @@ static int cipher_test_enc(EVP_TEST *t, int enc,
int ok = 0, tmplen, chunklen, tmpflen, i;
EVP_CIPHER_CTX *ctx_base = NULL;
EVP_CIPHER_CTX *ctx = NULL;
+ int fips_dupctx_supported = (fips_provider_version_gt(libctx, 3, 0, 12)
+ && fips_provider_version_lt(libctx, 3, 1, 0))
+ || fips_provider_version_ge(libctx, 3, 1, 3);
t->err = "TEST_FAILURE";
if (!TEST_ptr(ctx_base = EVP_CIPHER_CTX_new()))
@@ -826,12 +829,20 @@ static int cipher_test_enc(EVP_TEST *t, int enc,
/* Test that the cipher dup functions correctly if it is supported */
ERR_set_mark();
- if (EVP_CIPHER_CTX_copy(ctx, ctx_base)) {
- EVP_CIPHER_CTX_free(ctx_base);
- ctx_base = NULL;
- } else {
+ if (!EVP_CIPHER_CTX_copy(ctx, ctx_base)) {
+ if (fips_dupctx_supported) {
+ TEST_info("Doing a copy of Cipher %s Fails!\n",
+ EVP_CIPHER_get0_name(expected->cipher));
+ ERR_print_errors_fp(stderr);
+ goto err;
+ } else {
+ TEST_info("Allowing copy fail as an old fips provider is in use.");
+ }
EVP_CIPHER_CTX_free(ctx);
ctx = ctx_base;
+ } else {
+ EVP_CIPHER_CTX_free(ctx_base);
+ ctx_base = NULL;
}
ERR_pop_to_mark();
@@ -1016,6 +1027,7 @@ static int cipher_test_run(EVP_TEST *t)
int rv, frag = 0;
size_t out_misalign, inp_misalign;
+ TEST_info("RUNNING TEST FOR CIPHER %s\n", EVP_CIPHER_get0_name(cdat->cipher));
if (!cdat->key) {
t->err = "NO_KEY";
return 0;
@@ -1408,6 +1420,7 @@ static int mac_test_run_mac(EVP_TEST *t)
EVP_MAC_CTX *ctx = NULL;
unsigned char *got = NULL;
size_t got_len = 0, size = 0;
+ size_t size_before_init = 0, size_after_init, size_val = 0;
int i, block_size = -1, output_size = -1;
OSSL_PARAM params[21], sizes[3], *psizes = sizes;
size_t params_n = 0;
@@ -1504,6 +1517,9 @@ static int mac_test_run_mac(EVP_TEST *t)
}
params_n++;
+ if (strcmp(tmpkey, "size") == 0)
+ size_val = (size_t)strtoul(tmpval, NULL, 0);
+
OPENSSL_free(tmpkey);
}
params[params_n] = OSSL_PARAM_construct_end();
@@ -1512,11 +1528,31 @@ static int mac_test_run_mac(EVP_TEST *t)
t->err = "MAC_CREATE_ERROR";
goto err;
}
-
+ if (fips_provider_version_gt(libctx, 3, 1, 4)
+ || (fips_provider_version_lt(libctx, 3, 1, 0)
+ && fips_provider_version_gt(libctx, 3, 0, 12)))
+ size_before_init = EVP_MAC_CTX_get_mac_size(ctx);
if (!EVP_MAC_init(ctx, expected->key, expected->key_len, params)) {
t->err = "MAC_INIT_ERROR";
goto err;
}
+ size_after_init = EVP_MAC_CTX_get_mac_size(ctx);
+ if (!TEST_false(size_before_init == 0 && size_after_init == 0)) {
+ t->err = "MAC SIZE not set";
+ goto err;
+ }
+ if (size_before_init != 0) {
+ /* mac-size not modified by init params */
+ if (size_val == 0 && !TEST_size_t_eq(size_before_init, size_after_init)) {
+ t->err = "MAC SIZE check failed";
+ goto err;
+ }
+ /* mac-size modified by init params */
+ if (size_val != 0 && !TEST_size_t_eq(size_val, size_after_init)) {
+ t->err = "MAC SIZE check failed";
+ goto err;
+ }
+ }
if (expected->output_size >= 0)
*psizes++ = OSSL_PARAM_construct_int(OSSL_MAC_PARAM_SIZE,
&output_size);
diff --git a/test/ffc_internal_test.c b/test/ffc_internal_test.c
index 7f8f44c8..83dec13c 100644
--- a/test/ffc_internal_test.c
+++ b/test/ffc_internal_test.c
@@ -455,22 +455,20 @@ static int ffc_public_validate_test(void)
if (!TEST_true(BN_set_word(pub, 1)))
goto err;
BN_set_negative(pub, 1);
- /* Fail if public key is negative */
- if (!TEST_false(ossl_ffc_validate_public_key(params, pub, &res)))
+ /* Check must succeed but set res if public key is negative */
+ if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res)))
goto err;
if (!TEST_int_eq(FFC_ERROR_PUBKEY_TOO_SMALL, res))
goto err;
if (!TEST_true(BN_set_word(pub, 0)))
goto err;
- if (!TEST_int_eq(FFC_ERROR_PUBKEY_TOO_SMALL, res))
- goto err;
- /* Fail if public key is zero */
- if (!TEST_false(ossl_ffc_validate_public_key(params, pub, &res)))
+ /* Check must succeed but set res if public key is zero */
+ if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res)))
goto err;
if (!TEST_int_eq(FFC_ERROR_PUBKEY_TOO_SMALL, res))
goto err;
- /* Fail if public key is 1 */
- if (!TEST_false(ossl_ffc_validate_public_key(params, BN_value_one(), &res)))
+ /* Check must succeed but set res if public key is 1 */
+ if (!TEST_true(ossl_ffc_validate_public_key(params, BN_value_one(), &res)))
goto err;
if (!TEST_int_eq(FFC_ERROR_PUBKEY_TOO_SMALL, res))
goto err;
@@ -482,24 +480,24 @@ static int ffc_public_validate_test(void)
if (!TEST_ptr(BN_copy(pub, params->p)))
goto err;
- /* Fail if public key = p */
- if (!TEST_false(ossl_ffc_validate_public_key(params, pub, &res)))
+ /* Check must succeed but set res if public key = p */
+ if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res)))
goto err;
if (!TEST_int_eq(FFC_ERROR_PUBKEY_TOO_LARGE, res))
goto err;
if (!TEST_true(BN_sub_word(pub, 1)))
goto err;
- /* Fail if public key = p - 1 */
- if (!TEST_false(ossl_ffc_validate_public_key(params, pub, &res)))
+ /* Check must succeed but set res if public key = p - 1 */
+ if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res)))
goto err;
if (!TEST_int_eq(FFC_ERROR_PUBKEY_TOO_LARGE, res))
goto err;
if (!TEST_true(BN_sub_word(pub, 1)))
goto err;
- /* Fail if public key is not related to p & q */
- if (!TEST_false(ossl_ffc_validate_public_key(params, pub, &res)))
+ /* Check must succeed but set res if public key is not related to p & q */
+ if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res)))
goto err;
if (!TEST_int_eq(FFC_ERROR_PUBKEY_INVALID, res))
goto err;
@@ -510,14 +508,14 @@ static int ffc_public_validate_test(void)
if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res)))
goto err;
- /* Fail if params is NULL */
- if (!TEST_false(ossl_ffc_validate_public_key(NULL, pub, &res)))
+ /* Check must succeed but set res if params is NULL */
+ if (!TEST_true(ossl_ffc_validate_public_key(NULL, pub, &res)))
goto err;
if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
goto err;
res = -1;
- /* Fail if pubkey is NULL */
- if (!TEST_false(ossl_ffc_validate_public_key(params, NULL, &res)))
+ /* Check must succeed but set res if pubkey is NULL */
+ if (!TEST_true(ossl_ffc_validate_public_key(params, NULL, &res)))
goto err;
if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
goto err;
@@ -525,8 +523,8 @@ static int ffc_public_validate_test(void)
BN_free(params->p);
params->p = NULL;
- /* Fail if params->p is NULL */
- if (!TEST_false(ossl_ffc_validate_public_key(params, pub, &res)))
+ /* Check must succeed but set res if params->p is NULL */
+ if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res)))
goto err;
if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
goto err;
diff --git a/test/http_test.c b/test/http_test.c
index b9f74527..b6897a17 100644
--- a/test/http_test.c
+++ b/test/http_test.c
@@ -298,7 +298,8 @@ static int test_http_url_invalid_prefix(void)
static int test_http_url_invalid_port(void)
{
- return test_http_url_invalid("https://1.2.3.4:65536/pkix");
+ return test_http_url_invalid("https://1.2.3.4:65536/pkix")
+ && test_http_url_invalid("https://1.2.3.4:");
}
static int test_http_url_invalid_path(void)
diff --git a/test/invalid-x509.cnf b/test/invalid-x509.cnf
new file mode 100644
index 00000000..f982edb9
--- /dev/null
+++ b/test/invalid-x509.cnf
@@ -0,0 +1,6 @@
+[ext]
+issuerSignTool = signTool
+sbgp-autonomousSysNum = AS
+issuingDistributionPoint = fullname
+sbgp-ipAddrBlock = IPv4-SAFI
+
diff --git a/test/p_minimal.c b/test/p_minimal.c
new file mode 100644
index 00000000..0bff9823
--- /dev/null
+++ b/test/p_minimal.c
@@ -0,0 +1,24 @@
+/*
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * This is the most minimal provider imaginable. It can be loaded, and does
+ * absolutely nothing else.
+ */
+
+#include <openssl/core.h>
+
+OSSL_provider_init_fn OSSL_provider_init; /* Check the function signature */
+int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
+ const OSSL_DISPATCH *oin,
+ const OSSL_DISPATCH **out,
+ void **provctx)
+{
+ return 1;
+}
diff --git a/test/params_test.c b/test/params_test.c
index 6a970fea..5d19f030 100644
--- a/test/params_test.c
+++ b/test/params_test.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -15,6 +15,7 @@
#include <string.h>
#include <openssl/bn.h>
#include <openssl/core.h>
+#include <openssl/err.h>
#include <openssl/params.h>
#include "internal/numbers.h"
#include "internal/nelem.h"
@@ -558,6 +559,7 @@ static const OSSL_PARAM params_from_text[] = {
/* Arbitrary size buffer. Make sure the result fits in a long */
OSSL_PARAM_DEFN("num", OSSL_PARAM_INTEGER, NULL, 0),
OSSL_PARAM_DEFN("unum", OSSL_PARAM_UNSIGNED_INTEGER, NULL, 0),
+ OSSL_PARAM_DEFN("octets", OSSL_PARAM_OCTET_STRING, NULL, 0),
OSSL_PARAM_END,
};
@@ -655,14 +657,56 @@ static int check_int_from_text(const struct int_from_text_test_st a)
return a.expected_res;
}
+static int check_octetstr_from_hexstr(void)
+{
+ OSSL_PARAM param;
+ static const char *values[] = { "", "F", "FF", "FFF", "FFFF", NULL };
+ int i;
+ int errcnt = 0;
+
+ /* Test odd vs even number of hex digits */
+ for (i = 0; values[i] != NULL; i++) {
+ int expected = (strlen(values[i]) % 2) != 1;
+ int result;
+
+ ERR_clear_error();
+ memset(¶m, 0, sizeof(param));
+ if (expected)
+ result =
+ TEST_true(OSSL_PARAM_allocate_from_text(¶m,
+ params_from_text,
+ "hexoctets", values[i], 0,
+ NULL));
+ else
+ result =
+ TEST_false(OSSL_PARAM_allocate_from_text(¶m,
+ params_from_text,
+ "hexoctets", values[i], 0,
+ NULL));
+ if (!result) {
+ TEST_error("unexpected OSSL_PARAM_allocate_from_text() %s for 'octets' \"%s\"",
+ (expected ? "failure" : "success"), values[i]);
+ errcnt++;
+ }
+ OPENSSL_free(param.data);
+ }
+ return errcnt == 0;
+}
+
static int test_allocate_from_text(int i)
{
return check_int_from_text(int_from_text_test_cases[i]);
}
+static int test_more_allocate_from_text(void)
+{
+ return check_octetstr_from_hexstr();
+}
+
int setup_tests(void)
{
ADD_ALL_TESTS(test_case, OSSL_NELEM(test_cases));
ADD_ALL_TESTS(test_allocate_from_text, OSSL_NELEM(int_from_text_test_cases));
+ ADD_TEST(test_more_allocate_from_text);
return 1;
}
diff --git a/test/property_test.c b/test/property_test.c
index 6a405e36..88c5342c 100644
--- a/test/property_test.c
+++ b/test/property_test.c
@@ -107,6 +107,10 @@ static const struct {
{ "n=0x3", "n=3", 1 },
{ "n=0x3", "n=-3", -1 },
{ "n=0x33", "n=51", 1 },
+ { "n=0x123456789abcdef", "n=0x123456789abcdef", 1 },
+ { "n=0x7fffffffffffffff", "n=0x7fffffffffffffff", 1 }, /* INT64_MAX */
+ { "n=9223372036854775807", "n=9223372036854775807", 1 }, /* INT64_MAX */
+ { "n=0777777777777777777777", "n=0777777777777777777777", 1 }, /* INT64_MAX */
{ "n=033", "n=27", 1 },
{ "n=0", "n=00", 1 },
{ "n=0x0", "n=0", 1 },
@@ -169,6 +173,9 @@ static const struct {
{ 1, "a=2, n=012345678" }, /* Bad octal digit */
{ 0, "n=0x28FG, a=3" }, /* Bad hex digit */
{ 0, "n=145d, a=2" }, /* Bad decimal digit */
+ { 0, "n=0x8000000000000000, a=3" }, /* Hex overflow */
+ { 0, "n=922337203000000000d, a=2" }, /* Decimal overflow */
+ { 0, "a=2, n=1000000000000000000000" }, /* Octal overflow */
{ 1, "@='hello'" }, /* Invalid name */
{ 1, "n0123456789012345678901234567890123456789"
"0123456789012345678901234567890123456789"
@@ -616,6 +623,9 @@ static struct {
{ "", "" },
{ "fips=3", "fips=3" },
{ "fips=-3", "fips=-3" },
+ { "provider='foo bar'", "provider='foo bar'" },
+ { "provider=\"foo bar'\"", "provider=\"foo bar'\"" },
+ { "provider=abc***", "provider='abc***'" },
{ NULL, "" }
};
diff --git a/test/prov_config_test.c b/test/prov_config_test.c
index 4b04211f..b44ec78d 100644
--- a/test/prov_config_test.c
+++ b/test/prov_config_test.c
@@ -8,9 +8,11 @@
*/
#include <openssl/evp.h>
+#include <openssl/conf.h>
#include "testutil.h"
static char *configfile = NULL;
+static char *recurseconfigfile = NULL;
/*
* Test to make sure there are no leaks or failures from loading the config
@@ -44,6 +46,30 @@ static int test_double_config(void)
return testresult;
}
+static int test_recursive_config(void)
+{
+ OSSL_LIB_CTX *ctx = OSSL_LIB_CTX_new();
+ int testresult = 0;
+ unsigned long err;
+
+ if (!TEST_ptr(recurseconfigfile))
+ goto err;
+
+ if (!TEST_ptr(ctx))
+ goto err;
+
+ if (!TEST_false(OSSL_LIB_CTX_load_config(ctx, recurseconfigfile)))
+ goto err;
+
+ err = ERR_peek_error();
+ /* We expect to get a recursion error here */
+ if (ERR_GET_REASON(err) == CONF_R_RECURSIVE_SECTION_REFERENCE)
+ testresult = 1;
+ err:
+ OSSL_LIB_CTX_free(ctx);
+ return testresult;
+}
+
OPT_TEST_DECLARE_USAGE("configfile\n")
int setup_tests(void)
@@ -56,6 +82,10 @@ int setup_tests(void)
if (!TEST_ptr(configfile = test_get_argument(0)))
return 0;
+ if (!TEST_ptr(recurseconfigfile = test_get_argument(1)))
+ return 0;
+
+ ADD_TEST(test_recursive_config);
ADD_TEST(test_double_config);
return 1;
}
diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
index 5530ade0..3de3d2cc 100644
--- a/test/recipes/01-test_symbol_presence.t
+++ b/test/recipes/01-test_symbol_presence.t
@@ -70,17 +70,35 @@ foreach my $libname (@libnames) {
note "Number of lines in \@def_lines before massaging: ", scalar @def_lines;
# Massage the nm output to only contain defined symbols
+ # Common symbols need separate treatment
+ my %commons;
+ foreach (@nm_lines) {
+ if (m|^(.*) C .*|) {
+ $commons{$1}++;
+ }
+ }
+ foreach (sort keys %commons) {
+ note "Common symbol: $_";
+ }
+
@nm_lines =
sort
- map {
- # Drop the first space and everything following it
- s| .*||;
- # Drop OpenSSL dynamic version information if there is any
- s|\@\@.+$||;
- # Return the result
- $_
- }
- grep(m|.* [BCDST] .*|, @nm_lines);
+ ( map {
+ # Drop the first space and everything following it
+ s| .*||;
+ # Drop OpenSSL dynamic version information if there is any
+ s|\@\@.+$||;
+ # Return the result
+ $_
+ }
+ # Drop any symbol starting with a double underscore, they
+ # are reserved for the compiler / system ABI and are none
+ # of our business
+ grep !m|^__|,
+ # Only look at external definitions
+ grep m|.* [BDST] .*|,
+ @nm_lines ),
+ keys %commons;
# Massage the mkdef.pl output to only contain global symbols
# The output we got is in Unix .map format, which has a global
diff --git a/test/recipes/04-test_asn1_parse.t b/test/recipes/04-test_asn1_parse.t
new file mode 100644
index 00000000..f3af4365
--- /dev/null
+++ b/test/recipes/04-test_asn1_parse.t
@@ -0,0 +1,26 @@
+#! /usr/bin/env perl
+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use OpenSSL::Test qw(:DEFAULT srctop_file);
+use OpenSSL::Test::Utils;
+
+setup("test_asn1_parse");
+
+plan tests => 3;
+
+$ENV{OPENSSL_CONF} = srctop_file("test", "test_asn1_parse.cnf");
+
+ok(run(app(([ 'openssl', 'asn1parse',
+ '-genstr', 'OID:1.2.3.4.1']))));
+
+ok(run(app(([ 'openssl', 'asn1parse',
+ '-genstr', 'OID:1.2.3.4.2']))));
+
+ok(run(app(([ 'openssl', 'asn1parse',
+ '-genstr', 'OID:1.2.3.4.3']))));
diff --git a/test/recipes/04-test_asn1_stable_parse.t b/test/recipes/04-test_asn1_stable_parse.t
new file mode 100644
index 00000000..0f553443
--- /dev/null
+++ b/test/recipes/04-test_asn1_stable_parse.t
@@ -0,0 +1,24 @@
+#! /usr/bin/env perl
+# Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_dir bldtop_file data_dir/;
+use OpenSSL::Test::Utils;
+use Cwd qw(abs_path);
+
+BEGIN {
+setup("test_asn1_stable_parse");
+}
+my $config_path = srctop_file("test", "recipes", "04-test_asn1_stable_parse_data", "asn1_stable_parse.cnf");
+
+plan tests => 1;
+
+ok(run(test(["asn1_stable_parse_test", "-config", $config_path])),
+ "Confirm that malformed entries in stable section are not parsed");
+
diff --git a/test/recipes/04-test_asn1_stable_parse_data/asn1_stable_parse.cnf b/test/recipes/04-test_asn1_stable_parse_data/asn1_stable_parse.cnf
new file mode 100644
index 00000000..28381a08
--- /dev/null
+++ b/test/recipes/04-test_asn1_stable_parse_data/asn1_stable_parse.cnf
@@ -0,0 +1,16 @@
+openssl_conf = openssl_init
+config_diagnostics = 1
+
+[openssl_init]
+s = mstbl
+
+[mstbl]
+id-tc26 = min
+id-tc27 = ::::::
+id-tc28 = ,,,,,,
+id-tc29 = :,:,:,
+id-tc30 = n1:min
+id-tc31 = n2:max
+id-tc32 = n3:
+id-tc33 = :0
+
diff --git a/test/recipes/04-test_provider.t b/test/recipes/04-test_provider.t
index 312def77..1233cc4f 100644
--- a/test/recipes/04-test_provider.t
+++ b/test/recipes/04-test_provider.t
@@ -12,10 +12,17 @@ use OpenSSL::Test::Utils;
setup("test_provider");
-plan tests => 2;
+plan tests => 3;
ok(run(test(['provider_test'])), "provider_test");
$ENV{"OPENSSL_MODULES"} = bldtop_dir("test");
ok(run(test(['provider_test', '-loaded'])), "provider_test -loaded");
+
+ SKIP: {
+ skip "no module support", 1 if disabled("module");
+
+ ok(run(app(['openssl', 'list', '-provider', 'p_minimal',
+ '-providers', '-verbose'])));
+}
diff --git a/test/recipes/05-test_rand.t b/test/recipes/05-test_rand.t
index 3f352db9..aa012c19 100644
--- a/test/recipes/05-test_rand.t
+++ b/test/recipes/05-test_rand.t
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -29,12 +29,12 @@ SKIP: {
@randdata = run(app(['openssl', 'rand', '-engine', 'ossltest', '-hex', '16' ]),
capture => 1, statusvar => \$success);
chomp(@randdata);
- ok($success and $randdata[0] eq $expected,
+ ok($success && $randdata[0] eq $expected,
"rand with ossltest: Check rand output is as expected");
@randdata = run(app(['openssl', 'rand', '-engine', 'dasync', '-hex', '16' ]),
capture => 1, statusvar => \$success);
chomp(@randdata);
- ok($success and length($randdata[0]) == 32,
+ ok($success && length($randdata[0]) == 32,
"rand with dasync: Check rand output is of expected length");
}
diff --git a/test/recipes/15-test_gensm2.t b/test/recipes/15-test_gensm2.t
new file mode 100644
index 00000000..5c655b3d
--- /dev/null
+++ b/test/recipes/15-test_gensm2.t
@@ -0,0 +1,61 @@
+#! /usr/bin/env perl
+# Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use File::Spec;
+use OpenSSL::Test qw(:DEFAULT pipe);
+use OpenSSL::Test::Utils;
+
+# These are special key generation tests for SM2 keys specifically,
+# as they could be said to be a bit special in their encoding.
+# This is an auxilliary test to 15-test_genec.t
+
+setup("test_gensm2");
+
+plan skip_all => "This test is unsupported in a no-sm2 build"
+ if disabled("sm2");
+
+plan tests => 2;
+
+# According to the example in GM/T 0015-2012, appendix D.2,
+# generating an EC key with the named SM2 curve or generating
+# an SM2 key should end up with the same encoding (apart from
+# key private key field itself). This regular expressions
+# shows us what 'openssl asn1parse' should display.
+
+my $sm2_re = qr|
+ ^
+ .*?\Qcons: SEQUENCE\E\s+?\R
+ .*?\Qprim: INTEGER :00\E\R
+ .*?\Qcons: SEQUENCE\E\s+?\R
+ .*?\Qprim: OBJECT :id-ecPublicKey\E\R
+ .*?\Qprim: OBJECT :sm2\E\R
+ .*?\Qprim: OCTET STRING [HEX DUMP]:\E
+ |mx;
+
+my $cmd_genec = app([ 'openssl', 'genpkey',
+ '-algorithm', 'EC',
+ '-pkeyopt', 'ec_paramgen_curve:SM2',
+ '-pkeyopt', 'ec_param_enc:named_curve' ]);
+my $cmd_gensm2 = app([ 'openssl', 'genpkey', '-algorithm', 'SM2' ]);
+my $cmd_asn1parse = app([ 'openssl', 'asn1parse', '-i' ]);
+
+my $result_ec = join("", run(pipe($cmd_genec, $cmd_asn1parse),
+ capture => 1));
+
+like($result_ec, $sm2_re,
+ "Check that 'genpkey -algorithm EC' resulted in a correctly encoded SM2 key");
+
+my $result_sm2 = join("", run(pipe($cmd_gensm2, $cmd_asn1parse),
+ capture => 1));
+
+like($result_sm2, $sm2_re,
+ "Check that 'genpkey -algorithm SM2' resulted in a correctly encoded SM2 key");
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index 8c8274ae..fe02d29c 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_req");
-plan tests => 46;
+plan tests => 49;
require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
@@ -40,14 +40,19 @@ my @addext_args = ( "openssl", "req", "-new", "-out", "testreq.pem",
"-key", srctop_file("test", "certs", "ee-key.pem"),
"-config", srctop_file("test", "test.cnf"), @req_new );
my $val = "subjectAltName=DNS:example.com";
+my $val1 = "subjectAltName=otherName:1.2.3.4;UTF8:test,email:info\@example.com";
my $val2 = " " . $val;
my $val3 = $val;
$val3 =~ s/=/ =/;
ok( run(app([@addext_args, "-addext", $val])));
+ok( run(app([@addext_args, "-addext", $val1])));
+$val1 =~ s/UTF8/XXXX/; # execute the error handling in do_othername
+ok(!run(app([@addext_args, "-addext", $val1])));
ok(!run(app([@addext_args, "-addext", $val, "-addext", $val])));
ok(!run(app([@addext_args, "-addext", $val, "-addext", $val2])));
ok(!run(app([@addext_args, "-addext", $val, "-addext", $val3])));
ok(!run(app([@addext_args, "-addext", $val2, "-addext", $val3])));
+ok(run(app([@addext_args, "-addext", "SXNetID=1:one, 2:two, 3:three"])));
# If a CSR is provided with neither of -key or -CA/-CAkey, this should fail.
ok(!run(app(["openssl", "req", "-x509",
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
index 95df179b..8092f7b7 100644
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_x509");
-plan tests => 28;
+plan tests => 29;
# Prevent MSys2 filename munging for arguments that look like file paths but
# aren't
@@ -186,6 +186,14 @@ ok(run(app(["openssl", "x509", "-in", $a_cert, "-CA", $ca_cert,
# verify issuer is CA
ok (get_issuer($a2_cert) =~ /CN = ca.example.com/);
+my $in_csr = srctop_file('test', 'certs', 'x509-check.csr');
+my $in_key = srctop_file('test', 'certs', 'x509-check-key.pem');
+my $invextfile = srctop_file('test', 'invalid-x509.cnf');
+# Test that invalid extensions settings fail
+ok(!run(app(["openssl", "x509", "-req", "-in", $in_csr, "-signkey", $in_key,
+ "-out", "/dev/null", "-days", "3650" , "-extensions", "ext",
+ "-extfile", $invextfile])));
+
# Tests for issue #16080 (fixed in 1.1.1o)
my $b_key = "b-key.pem";
my $b_csr = "b-cert.csr";
diff --git a/test/recipes/30-test_prov_config.t b/test/recipes/30-test_prov_config.t
index f97a26db..7f6350fd 100644
--- a/test/recipes/30-test_prov_config.t
+++ b/test/recipes/30-test_prov_config.t
@@ -22,11 +22,14 @@ my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
plan tests => 2;
-ok(run(test(["prov_config_test", srctop_file("test", "default.cnf")])),
+ok(run(test(["prov_config_test", srctop_file("test", "default.cnf"),
+ srctop_file("test", "recursive.cnf")])),
"running prov_config_test default.cnf");
+
SKIP: {
skip "Skipping FIPS test in this build", 1 if $no_fips;
- ok(run(test(["prov_config_test", srctop_file("test", "fips.cnf")])),
+ ok(run(test(["prov_config_test", srctop_file("test", "fips.cnf"),
+ srctop_file("test", "recursive.cnf")])),
"running prov_config_test fips.cnf");
}
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index 8dbec712..31f9fbd1 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
$no_rc2 = 1 if disabled("legacy");
-plan tests => 17;
+plan tests => 19;
ok(run(test(["pkcs7_test"])), "test pkcs7");
@@ -222,13 +222,15 @@ my @smime_pkcs7_tests = (
\&final_compare
],
- [ "enveloped content test streaming S/MIME format, DES, 3 recipients, key only used",
+ [ "enveloped content test streaming S/MIME format, DES, 3 recipients, cert and key files used",
[ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
"-stream", "-out", "{output}.cms",
$smrsa1,
catfile($smdir, "smrsa2.pem"),
- catfile($smdir, "smrsa3.pem") ],
- [ "{cmd2}", @defaultprov, "-decrypt", "-inkey", catfile($smdir, "smrsa3.pem"),
+ catfile($smdir, "smrsa3-cert.pem") ],
+ [ "{cmd2}", @defaultprov, "-decrypt",
+ "-recip", catfile($smdir, "smrsa3-cert.pem"),
+ "-inkey", catfile($smdir, "smrsa3-key.pem"),
"-in", "{output}.cms", "-out", "{output}.txt" ],
\&final_compare
],
@@ -998,9 +1000,72 @@ with({ exit_checker => sub { return shift == 6; } },
# Test case for return value mis-check reported in #21986
with({ exit_checker => sub { return shift == 3; } },
sub {
- ok(run(app(['openssl', 'cms', '-sign',
- '-in', srctop_file("test", "smcont.txt"),
- '-signer', srctop_file("test/smime-certs", "smdsa1.pem"),
- '-md', 'SHAKE256'])),
- "issue#21986");
+ SKIP: {
+ skip "DSA is not supported in this build", 1 if $no_dsa;
+
+ ok(run(app(['openssl', 'cms', '-sign',
+ '-in', srctop_file("test", "smcont.txt"),
+ '-signer', srctop_file("test/smime-certs", "smdsa1.pem"),
+ '-md', 'SHAKE256'])),
+ "issue#21986");
+ }
});
+
+# Test for problem reported in #22225
+with({ exit_checker => sub { return shift == 3; } },
+ sub {
+ ok(run(app(['openssl', 'cms', '-encrypt',
+ '-in', srctop_file("test", "smcont.txt"),
+ '-aes-256-ctr', '-recip',
+ catfile($smdir, "smec1.pem"),
+ ])),
+ "Check for failure when cipher does not have an assigned OID (issue#22225)");
+ });
+
+# Test encrypt to three recipients, and decrypt using key-only;
+# i.e. do not follow the recommended practice of providing the
+# recipient cert in the decrypt op.
+#
+# Use RSAES-OAEP for key-transport, not RSAES-PKCS-v1_5.
+#
+# Because the cert is not provided during decrypt, all RSA ciphertexts
+# are decrypted in turn, and when/if there is a valid decryption, it
+# is assumed the correct content-key has been recovered.
+#
+# That process may fail with RSAES-PKCS-v1_5 b/c there is a
+# non-negligible chance that decrypting a random input using
+# RSAES-PKCS-v1_5 can result in a valid plaintext (so two content-keys
+# could be recovered and the wrong one might be used).
+#
+# See https://github.com/openssl/project/issues/380
+subtest "encrypt to three recipients with RSA-OAEP, key only decrypt" => sub {
+ plan tests => 3;
+
+ my $pt = srctop_file("test", "smcont.txt");
+ my $ct = "smtst.cms";
+ my $ptpt = "smtst.txt";
+
+ ok(run(app(['openssl', 'cms',
+ @defaultprov,
+ '-encrypt', '-aes128',
+ '-in', $pt,
+ '-out', $ct,
+ '-stream',
+ '-recip', catfile($smdir, "smrsa1.pem"),
+ '-keyopt', 'rsa_padding_mode:oaep',
+ '-recip', catfile($smdir, "smrsa2.pem"),
+ '-keyopt', 'rsa_padding_mode:oaep',
+ '-recip', catfile($smdir, "smrsa3-cert.pem"),
+ '-keyopt', 'rsa_padding_mode:oaep',
+ ])),
+ "encrypt to three recipients with RSA-OAEP (avoid openssl/project issue#380)");
+ ok(run(app(['openssl', 'cms',
+ @defaultprov,
+ '-decrypt', '-aes128',
+ '-in', $ct,
+ '-out', $ptpt,
+ '-inkey', catfile($smdir, "smrsa3-key.pem"),
+ ])),
+ "decrypt with key only");
+ is(compare($pt, $ptpt), 0, "compare original message with decrypted ciphertext");
+};
diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t
index 1f0cb4d5..4c5bb574 100644
--- a/test/recipes/80-test_pkcs12.t
+++ b/test/recipes/80-test_pkcs12.t
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -9,7 +9,7 @@
use strict;
use warnings;
-use OpenSSL::Test qw/:DEFAULT srctop_file/;
+use OpenSSL::Test qw/:DEFAULT srctop_file with/;
use OpenSSL::Test::Utils;
use Encode;
@@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) {
}
$ENV{OPENSSL_WIN32_UTF8}=1;
-plan tests => 13;
+plan tests => 17;
# Test different PKCS#12 formats
ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
@@ -148,4 +148,25 @@ ok(grep(/subject=CN = server.example/, @pkcs12info) == 1,
# Test that the expected friendly name is present in the output
ok(grep(/testname/, @pkcs12info) == 1, "test friendly name in output");
+# Test some bad pkcs12 files
+my $bad1 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad1.p12");
+my $bad2 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad2.p12");
+my $bad3 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad3.p12");
+
+with({ exit_checker => sub { return shift == 1; } },
+ sub {
+ ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:"])),
+ "test bad pkcs12 file 1");
+
+ ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:",
+ "-nomacver"])),
+ "test bad pkcs12 file 1 (nomacver)");
+
+ ok(run(app(["openssl", "pkcs12", "-in", $bad2, "-password", "pass:"])),
+ "test bad pkcs12 file 2");
+
+ ok(run(app(["openssl", "pkcs12", "-in", $bad3, "-password", "pass:"])),
+ "test bad pkcs12 file 3");
+ });
+
SetConsoleOutputCP($savedcp) if (defined($savedcp));
diff --git a/test/recipes/80-test_pkcs12_data/bad1.p12 b/test/recipes/80-test_pkcs12_data/bad1.p12
new file mode 100644
index 0000000000000000000000000000000000000000..8f3387c7e356e4aa374729f3f3939343557b9c09
GIT binary patch
literal 85
zcmV-b0IL5mQvv}4Fbf6=Duzgg_YDCD0Wd)@F)$4V31Egu0c8UO0s#d81R(r{)waiY
rfR=Py6XX<mRyon58xHv)BAVy}k(l(hJwF5pk-=q7<yb@T0s;sC$etR(
literal 0
HcmV?d00001
diff --git a/test/recipes/80-test_pkcs12_data/bad2.p12 b/test/recipes/80-test_pkcs12_data/bad2.p12
new file mode 100644
index 0000000000000000000000000000000000000000..113cb6f1cd523e880db869f518e60142dc875115
GIT binary patch
literal 104
zcmXp=V`5}BkYnT2YV&CO&dbQoxImDF-+<SE8zIDI;AmiIz{|#&(B{FI%FM#V$jZQ?
z@Tpc|>#<$m7-wj)xrauuD`}hF=<J_T`^8$QMBK7d>Ng9=0`~S~)@=J%OiUaM0Oze6
AD*ylh
literal 0
HcmV?d00001
diff --git a/test/recipes/80-test_pkcs12_data/bad3.p12 b/test/recipes/80-test_pkcs12_data/bad3.p12
new file mode 100644
index 0000000000000000000000000000000000000000..ef86a1d86fb0bc09471ca2596d82e7d521d973a4
GIT binary patch
literal 104
zcmXp=V`5}BkYnT2YV&CO&dbQoxImDF-+<SE8%fB((ZJAvmyI)_&4V$OnT3gwm4QWp
zJ2GXlSm>oA$5$MVJL*60=F*5iN*C_e&wD%dwCM*q{=+OBX|Z+F7XSHN#>B+I003La
BAqM~e
literal 0
HcmV?d00001
diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
index dc7cc645..93369777 100644
--- a/test/recipes/91-test_pkey_check.t
+++ b/test/recipes/91-test_pkey_check.t
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -70,7 +70,7 @@ push(@positive_tests, (
"dhpkey.pem"
)) unless disabled("dh");
-my @negative_pubtests = ();
+my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key
push(@negative_pubtests, (
"dsapub_noparam.der"
diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
new file mode 100644
index 00000000..9a2eaeda
--- /dev/null
+++ b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
@@ -0,0 +1,48 @@
+-----BEGIN PUBLIC KEY-----
+MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR
+B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph
+gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2
+GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/
+XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj
+b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2
+gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq
+TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1
+vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0
+V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j
+/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH
+SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa
+PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y
+Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu
+C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J
+xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo
+F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id
+aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB
+nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi
+R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7
+kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN
+mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux
+AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O
+f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi
+ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH
+UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx
+wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP
+fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4
+y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS
+Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL
+HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ
+eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ
+EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz
+chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq
+4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW
+gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC
+A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK
+FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys
+26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC
+xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J
+pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+
+k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa
+2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q
+Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb
+77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID
+AQAB
+-----END PUBLIC KEY-----
diff --git a/test/recipes/95-test_external_gost_engine_data/gost_engine.sh b/test/recipes/95-test_external_gost_engine_data/gost_engine.sh
index 4fd434f2..54ebd579 100755
--- a/test/recipes/95-test_external_gost_engine_data/gost_engine.sh
+++ b/test/recipes/95-test_external_gost_engine_data/gost_engine.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -45,7 +45,7 @@ echo " OPENSSL_ROOT_DIR: $OPENSSL_ROOT_DIR"
echo " OpenSSL version: $OPENSSL_VERSION"
echo "------------------------------------------------------------------"
-cmake $SRCTOP/gost-engine -DOPENSSL_ROOT_DIR="$OPENSSL_ROOT_DIR"
+cmake $SRCTOP/gost-engine -DOPENSSL_ROOT_DIR="$OPENSSL_ROOT_DIR" -DOPENSSL_ENGINES_DIR="$OPENSSL_ROOT_DIR/engines"
make
export CTEST_OUTPUT_ON_FAILURE=1
export HARNESS_OSSL_PREFIX=''
diff --git a/test/recursive.cnf b/test/recursive.cnf
new file mode 100644
index 00000000..505733ae
--- /dev/null
+++ b/test/recursive.cnf
@@ -0,0 +1,8 @@
+openssl_conf = openssl_init
+config_diagnostics = yes
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+ = provider_sect
diff --git a/test/rsa_test.c b/test/rsa_test.c
index 62a54df7..18345b43 100644
--- a/test/rsa_test.c
+++ b/test/rsa_test.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -391,10 +391,126 @@ err:
return r;
}
+static int test_EVP_rsa_legacy_key(void)
+{
+ int ret;
+ size_t buflen = 384;
+ size_t msglen = 64;
+ unsigned char sigbuf[384];
+ unsigned char msgbuf[64];
+ BIGNUM *p;
+ BIGNUM *q;
+ BIGNUM *n;
+ BIGNUM *d;
+ BIGNUM *e;
+ RSA *rsa;
+ const EVP_MD *md;
+ EVP_MD_CTX *ctx = NULL;
+ EVP_PKEY *pkey = NULL;
+
+ unsigned char n_data[] = {
+ 0x00, 0xc7, 0x28, 0x7a, 0x28, 0x91, 0x51, 0xa5, 0xe8, 0x3c, 0x45, 0xcf,
+ 0x1d, 0xa9, 0x69, 0x7a, 0x0d, 0xdb, 0xdd, 0x8f, 0xe2, 0xde, 0x85, 0xdd,
+ 0x85, 0x6d, 0x8f, 0x78, 0x20, 0xd6, 0xe, 0xe5, 0x06, 0xcb, 0x9c, 0xd6,
+ 0xd3, 0xca, 0xef, 0x1d, 0x80, 0xd3, 0x18, 0x23, 0x91, 0x5c, 0xe5, 0xc8,
+ 0x44, 0x37, 0x56, 0x1b, 0x68, 0x7f, 0x08, 0xa3, 0x1c, 0xf6, 0xe8, 0x11,
+ 0x38, 0x0f, 0x2e, 0xad, 0xb1, 0x89, 0x8b, 0x08, 0xe8, 0x35, 0xaf, 0x3b,
+ 0xfe, 0x37, 0x8d, 0x21, 0xd5, 0x3f, 0x1f, 0x4b, 0x01, 0x30, 0xd8, 0xd0,
+ 0x24, 0xf7, 0xab, 0x57, 0xad, 0xac, 0xbc, 0x53, 0x6d, 0x84, 0x8e, 0xa1,
+ 0xb2, 0x5b, 0x8e, 0xe7, 0xb3, 0xac, 0xfc, 0x60, 0x22, 0x10, 0x1e, 0x99,
+ 0xfa, 0xa0, 0x60, 0x00, 0x69, 0x5f, 0x8e, 0xca, 0x6d, 0x9c, 0xee, 0x5e,
+ 0x84, 0x4e, 0x53, 0x83, 0x42, 0x76, 0x4d, 0xb8, 0xc1, 0xeb, 0x4e, 0x3d,
+ 0xc3, 0xce, 0xac, 0x79, 0xbb, 0x29, 0x5d, 0x92, 0x33, 0x6e, 0xcf, 0x8f,
+ 0x5a, 0xf0, 0xb3, 0xb5, 0xdc, 0xd5, 0xa3, 0xaf, 0x40, 0x4b, 0x0f, 0x05,
+ 0xac, 0x46, 0x53, 0x2d, 0x5f, 0x20, 0x96, 0x42, 0xa8, 0x47, 0x61, 0x54,
+ 0x05, 0x2c, 0x8a, 0x26, 0x5d, 0x92, 0x1d, 0x01, 0x2a, 0x27, 0x8a, 0xfc,
+ 0x64, 0x24, 0x5c, 0x34, 0xde, 0x92, 0xc6, 0x82, 0xea, 0x4d, 0xe2, 0x52,
+ 0xe5, 0xad, 0x62, 0x00, 0xc6, 0xc8, 0xe9, 0x0c, 0x22, 0xf0, 0x9e, 0xbe,
+ 0xdc, 0x51, 0x58, 0xad, 0x3b, 0xba, 0x2e, 0x45, 0x65, 0xcc, 0x5b, 0x55,
+ 0x46, 0x67, 0x18, 0x4a, 0x80, 0x67, 0x5b, 0x84, 0x7f, 0x13, 0x37, 0x45,
+ 0xd8, 0x03, 0xc6, 0x22, 0xc3, 0x4a, 0x46, 0x6b, 0xde, 0x50, 0xbf, 0x16,
+ 0x0a, 0x23, 0x0b, 0xaa, 0x50, 0x54, 0xf6, 0x20, 0x83, 0x74, 0x33, 0x97,
+ 0x2e, 0xf2, 0x8e, 0x7e, 0x13 };
+
+ unsigned char e_data[] = { 0x01, 0x00, 0x01 };
+
+ unsigned char d_data[] = {
+ 0x09, 0x2d, 0xcb, 0xe7, 0x87, 0xbf, 0x10, 0x1a, 0xf2, 0x80, 0x33, 0x2a,
+ 0x06, 0x4f, 0x56, 0xb1, 0x41, 0xd3, 0x65, 0xd8, 0xca, 0x71, 0xb8, 0x02,
+ 0x78, 0xc8, 0xb6, 0x7c, 0x28, 0xf4, 0x6c, 0xe8, 0xd1, 0xc4, 0x92, 0x40,
+ 0x23, 0xa7, 0xbe, 0x9f, 0xdb, 0xda, 0xce, 0x74, 0xda, 0x27, 0xbb, 0x01,
+ 0xad, 0xdd, 0x39, 0x99, 0x28, 0xd5, 0xb0, 0x92, 0xda, 0xac, 0x5a, 0x72,
+ 0xcf, 0x7c, 0x52, 0xc4, 0x0e, 0x77, 0x4a, 0x7b, 0x4d, 0x52, 0x1c, 0xbd,
+ 0x3c, 0x39, 0x34, 0x78, 0x7c, 0x16, 0xc8, 0xa1, 0xae, 0xeb, 0x27, 0x38,
+ 0xb4, 0xf3, 0x80, 0x30, 0x80, 0x78, 0x13, 0x8e, 0x46, 0x20, 0x3e, 0xc2,
+ 0x96, 0x26, 0xb1, 0x76, 0x1e, 0x00, 0x69, 0xbb, 0xd8, 0x2b, 0x58, 0xe4,
+ 0x6c, 0xb4, 0xd0, 0x00, 0x0b, 0x47, 0xec, 0xfb, 0x7d, 0x52, 0x9d, 0x27,
+ 0x92, 0xe6, 0x95, 0x73, 0xa0, 0x39, 0x37, 0xcd, 0x1f, 0x60, 0x13, 0x1c,
+ 0x87, 0x9d, 0xa7, 0x91, 0x90, 0xf9, 0x36, 0xc5, 0xfa, 0x3f, 0xf9, 0x7f,
+ 0x50, 0xf8, 0xb3, 0x54, 0x65, 0xff, 0x6f, 0xa6, 0x22, 0xcc, 0x4a, 0x1e,
+ 0x49, 0x3f, 0x07, 0xc6, 0xf2, 0x65, 0x73, 0x13, 0x1b, 0x2d, 0xb6, 0x15,
+ 0xff, 0xcd, 0x9a, 0x1c, 0xea, 0xef, 0x58, 0x56, 0x91, 0x2d, 0x47, 0x81,
+ 0x56, 0x0d, 0xc3, 0xb0, 0x47, 0x58, 0x8d, 0x05, 0x7d, 0x5b, 0xc0, 0x22,
+ 0xa4, 0xf0, 0x2e, 0x70, 0x36, 0x01, 0x89, 0xa1, 0x71, 0xed, 0x76, 0xe9,
+ 0x8d, 0xf5, 0x49, 0xaf, 0x11, 0xbe, 0xe4, 0xd4, 0x48, 0x92, 0xb6, 0x5b,
+ 0xc2, 0x04, 0xd4, 0x0c, 0x5c, 0x8b, 0xe3, 0xfa, 0x29, 0x63, 0x86, 0xb4,
+ 0x10, 0xad, 0x32, 0x07, 0x85, 0xe2, 0x43, 0x76, 0x16, 0x90, 0xab, 0xdf,
+ 0xb3, 0x36, 0x0a, 0xc4, 0x49, 0x7b, 0x95, 0x48, 0x50, 0x72, 0x8f, 0x7d,
+ 0xf4, 0xfa, 0x60, 0xc1 };
+
+ unsigned char p_data[] = {
+ 0x00, 0xed, 0xf7, 0xa7, 0x00, 0x5a, 0xbb, 0xd1, 0x52, 0x65, 0x9b, 0xec,
+ 0xfe, 0x27, 0x8b, 0xe2, 0xbe, 0x40, 0x8c, 0x2f, 0x6f, 0xb4, 0x26, 0xb2,
+ 0xbe, 0x45, 0x4b, 0x3b, 0x5a, 0xaa, 0xc6, 0xaa, 0xfa, 0xc1, 0x3a, 0xa9,
+ 0xa1, 0xba, 0xb7, 0x86, 0x1a, 0x98, 0x15, 0x5f, 0x5c, 0x1c, 0x57, 0x78,
+ 0x78, 0x6a, 0x13, 0xc2, 0x40, 0x7d, 0x07, 0x87, 0x47, 0xc6, 0x96, 0xd5,
+ 0x92, 0xc9, 0x65, 0x2c, 0xfe, 0xbb, 0xe0, 0xd6, 0x76, 0x25, 0x5a, 0xa3,
+ 0xdf, 0x97, 0x4b, 0x64, 0xfd, 0x3b, 0x2b, 0xbc, 0xfb, 0x80, 0xad, 0x3b,
+ 0x7d, 0x1f, 0x48, 0x56, 0x27, 0xf7, 0x2f, 0x8e, 0x92, 0x07, 0xa8, 0x9f,
+ 0xbc, 0x5a, 0xce, 0xfa, 0xd5, 0x67, 0xad, 0xf4, 0xbf, 0xe0, 0xc9, 0x3e,
+ 0x8e, 0xb5, 0x90, 0x58, 0x54, 0x92, 0x9f, 0xda, 0x36, 0xc0, 0x0d, 0x57,
+ 0xfe, 0x6c, 0x23, 0x63, 0x8b, 0xd1, 0x1e, 0x4f, 0xd3 };
+
+ unsigned char q_data[] = {
+ 0x00, 0xd6, 0x3f, 0xf5, 0xee, 0xff, 0x4d, 0x7d, 0x8c, 0x1a, 0x85, 0x5d,
+ 0x3c, 0x4f, 0x9d, 0xdf, 0xc7, 0x68, 0x27, 0x7f, 0xe4, 0x4f, 0x4f, 0xd7,
+ 0xa2, 0x3b, 0xcd, 0x4a, 0x34, 0xd8, 0x55, 0x4a, 0x3e, 0x8e, 0xb3, 0xa8,
+ 0xe9, 0x8a, 0xc5, 0x94, 0xd1, 0x09, 0x32, 0x4b, 0x79, 0x8d, 0x7b, 0x03,
+ 0x0b, 0x5d, 0xca, 0x91, 0x41, 0xbc, 0x82, 0xc3, 0x89, 0x67, 0x4d, 0x03,
+ 0x68, 0x03, 0x2d, 0x0e, 0x4e, 0x97, 0x6c, 0xf6, 0x3e, 0x1f, 0xf4, 0x50,
+ 0x06, 0x5d, 0x05, 0x22, 0xf2, 0xf8, 0xf2, 0xde, 0xad, 0x2e, 0x9d, 0xc3,
+ 0x97, 0x1b, 0xc3, 0x75, 0xe7, 0x86, 0xde, 0xc5, 0x11, 0x89, 0xed, 0x6a,
+ 0x13, 0x14, 0x23, 0x4b, 0x98, 0x81, 0xf7, 0xd4, 0x1c, 0xee, 0x30, 0x92,
+ 0x85, 0x20, 0x4f, 0x35, 0x02, 0xfa, 0xda, 0x14, 0x77, 0xfa, 0x08, 0x34,
+ 0x60, 0xc7, 0x93, 0x72, 0xdc, 0xc4, 0x18, 0x70, 0xc1 };
+
+ memset(msgbuf, 0xef, 64);
+
+ ret = (TEST_ptr((p = BN_bin2bn(p_data, sizeof(p_data), NULL)))
+ && TEST_ptr((q = BN_bin2bn(q_data, sizeof(q_data), NULL)))
+ && TEST_ptr((n = BN_bin2bn(n_data, sizeof(n_data), NULL)))
+ && TEST_ptr((d = BN_bin2bn(d_data, sizeof(d_data), NULL)))
+ && TEST_ptr((e = BN_bin2bn(e_data, sizeof(e_data), NULL)))
+ && TEST_ptr((rsa = RSA_new()))
+ && TEST_ptr((md = EVP_sha256()))
+ && TEST_ptr((ctx = EVP_MD_CTX_new()))
+ && TEST_ptr((pkey = EVP_PKEY_new()))
+ && TEST_true(RSA_set0_factors(rsa, p, q))
+ && TEST_true(RSA_set0_key(rsa, n, e, d))
+ && TEST_true(EVP_PKEY_assign_RSA(pkey, rsa))
+ && TEST_true(EVP_DigestSignInit(ctx, NULL, md, NULL, pkey))
+ && TEST_true(EVP_DigestSign(ctx, sigbuf, &buflen, msgbuf, msglen)));
+
+ EVP_MD_CTX_free(ctx);
+ EVP_PKEY_free(pkey);
+ return ret;
+}
+
int setup_tests(void)
{
ADD_ALL_TESTS(test_rsa_pkcs1, 3);
ADD_ALL_TESTS(test_rsa_oaep, 3);
ADD_ALL_TESTS(test_rsa_security_bit, OSSL_NELEM(rsa_security_bits_cases));
+ ADD_TEST(test_EVP_rsa_legacy_key);
return 1;
}
diff --git a/test/siphash_internal_test.c b/test/siphash_internal_test.c
index 76ae5eca..7d1c6be9 100644
--- a/test/siphash_internal_test.c
+++ b/test/siphash_internal_test.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -257,7 +257,7 @@ static int test_siphash(int idx)
static int test_siphash_basic(void)
{
SIPHASH siphash = { 0, };
- unsigned char key[SIPHASH_KEY_SIZE];
+ static const unsigned char key[SIPHASH_KEY_SIZE] = {0};
unsigned char output[SIPHASH_MAX_DIGEST_SIZE];
/* Use invalid hash size */
diff --git a/test/smime-certs/smrsa3-cert.pem b/test/smime-certs/smrsa3-cert.pem
new file mode 100644
index 00000000..70004acb
--- /dev/null
+++ b/test/smime-certs/smrsa3-cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDeTCCAmGgAwIBAgIUIDyc//j/LoNDesZTGbPBoVarv4EwDQYJKoZIhvcNAQEL
+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw
+NTA5MTUzMzEzWjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
+cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgUlNBICMzMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA+QP7d56K4/9eu7aChtWILYNxvqWeDcJeWvX5Z5vC
+XUjFuUxBD9U0rw1SBLgFYu8aqAJ+oXsqaGjJARifgKEqPUe7pnYYatr55lhTbHR+
+qA88p1V4sclEaPNWKzd7J/V3eeYr04kqWV5XYhAq9k9AWLzsNIePe2z7OoGPS6oK
+wRzWFRd5RYXTpmFr/tqknbYvtYFd7duKb9QqytgHV+RKXXeY0fnjZ7frLmaqDwtI
+U3DY7MyS3Hw2BVx72vQXBNA364HGEpqEgVOdzI7et0wpSumaFXDye714xUR53L7N
+f3fp3PQXS/RbBiNXs7KUsHCR6nsdsIKO+sg66gxOLNt6zwIDAQABo2AwXjAMBgNV
+HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUN9pGq/UFS3o50rTi
+V+AYgAk+3R4wHwYDVR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZI
+hvcNAQELBQADggEBAGcOh380/6aJqMpYBssuf2CB3DX/hGKdvEF7fF8iNSfl5HHq
+112kHl3MhbL9Th/safJq9sLDJqjXRNdVCUJJbU4YI2P2gsi04paC0qxWxMLtzQLd
+CE7ki2xH94Fuu/dThbpzZBABROO1RrdI24GDGt9t4Gf0WVkobmT/zNlwGppKTIB2
+iV/Ug30iKr/C49UzwUIa+XXXujkjPTmGSnrKwVQNxQh81rb+iTL7GEnNuqDsatHW
+ZyLS2SaVdG5tMqDkITPMDGjehUzJcAbVc8Bv4m8Ukuov3uDj2Doc6MxlvrVkV0AE
+BcSCb/bWQJJ/X4LQZlx9cMk4NINxV9UeFPZOefg=
+-----END CERTIFICATE-----
diff --git a/test/smime-certs/smrsa3-key.pem b/test/smime-certs/smrsa3-key.pem
new file mode 100644
index 00000000..216d70b6
--- /dev/null
+++ b/test/smime-certs/smrsa3-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQD5A/t3norj/167
+toKG1Ygtg3G+pZ4Nwl5a9flnm8JdSMW5TEEP1TSvDVIEuAVi7xqoAn6heypoaMkB
+GJ+AoSo9R7umdhhq2vnmWFNsdH6oDzynVXixyURo81YrN3sn9Xd55ivTiSpZXldi
+ECr2T0BYvOw0h497bPs6gY9LqgrBHNYVF3lFhdOmYWv+2qSdti+1gV3t24pv1CrK
+2AdX5Epdd5jR+eNnt+suZqoPC0hTcNjszJLcfDYFXHva9BcE0DfrgcYSmoSBU53M
+jt63TClK6ZoVcPJ7vXjFRHncvs1/d+nc9BdL9FsGI1ezspSwcJHqex2wgo76yDrq
+DE4s23rPAgMBAAECggEAEDi+VWD5VUpjD5zWOoPQiRDGBJBhtMAKkl6okxEmXvWb
+Xz3STFnjHgA1JFHW3bRU9BHI9k8vSHmnlnkfKb3V/ZX5IHNcKCHb/x9NBak+QLVQ
+0zLtfE9vxiTC0B/oac+MPaiD4hYFQ81pFwK6VS0Poi8ZCBJtOkRqfUvsyV8zZrgh
+/6cs4mwOVyZPFRgF9eWXYv7PJz8pNRizhII0iv9H/r2I3DzsZLPCg7c29mP+I/SG
+A7Pl82UXjtOc0KurGY2M5VheZjxJT/k/FLMkWY2GS5n6dfcyzsVSKb25HoeuvQsI
+vs1mKs+Onbobdc17hCcKVJzbi3DwXs5XDhrEzfHccQKBgQD88uBxVCRV31PsCN6I
+pKxQDGgz+1BqPqe7KMRiZI7HgDUK0eCM3/oG089/jsBtJcSxnScLSVNBjQ+xGiFi
+YCD4icQoJSzpqJyR6gDq5lTHASAe+9LWRW771MrtyACQWNXowYEyu8AjekrZkCUS
+wIKVpw57oWykzIoS7ixZsJ8gxwKBgQD8BPWqJEsLiQvOlS5E/g88eV1KTpxm9Xs+
+BbwsDXZ7m4Iw5lYaUu5CwBB/2jkGGRl8Q/EfAdUT7gXv3t6x5b1qMXaIczmRGYto
+NuI3AH2MPxAa7lg5TgBgie1r7PKwyPMfG3CtDx6n8W5sexgJpbIy5u7E+U6d8s1o
+c7EcsefduQKBgCkHJAx9v18GWFBip+W2ABUDzisQSlzRSNd8p03mTZpiWzgkDq4K
+7j0JQhDIkMGjbKH6gYi9Hfn17WOmf1+7g92MSvrP/NbxeGPadsejEIEu14zu/6Wt
+oXDLdRbYZ+8B2cBlEpWuCl42yck8Lic6fnPTou++oSah3otvglYR5d2lAoGACd8L
+3FE1m0sP6lSPjmZBJIZAcDOqDqJY5HIHD9arKGZL8CxlfPx4lqa9PrTGfQWoqORk
+YmmI9hHhq6aYJHGyPKGZWfjhbVyJyFg1/h+Hy2GA+P0S+ZOjkiR050BNtTz5wOMr
+Q6wO8FcVkywzIdWaqEHBYne9a5RiFVBKxKv3QAkCgYBxmCBKajFkMVb4Uc55WqJs
+Add0mctGgmZ1l5vq81eWe3wjM8wgfJgaD3Q3gwx2ABUX/R+OsVWSh4o5ZR86sYoz
+TviknBHF8GeDLjpT49+04fEaz336J2JOptF9zIpz7ZK1nrOEjzaZGtumReVjUP7X
+fNcb5iDYqZRzD8ixBbLxUw==
+-----END PRIVATE KEY-----
diff --git a/test/ssl_old_test.c b/test/ssl_old_test.c
index 6b56754b..9830c35c 100644
--- a/test/ssl_old_test.c
+++ b/test/ssl_old_test.c
@@ -894,7 +894,8 @@ int main(int argc, char *argv[])
{ APP_CALLBACK_STRING, 0 };
SSL_CTX *c_ctx = NULL;
const SSL_METHOD *meth = NULL;
- SSL *c_ssl, *s_ssl;
+ SSL *c_ssl = NULL;
+ SSL *s_ssl = NULL;
int number = 1, reuse = 0;
int should_reuse = -1;
int no_ticket = 0;
@@ -1759,6 +1760,8 @@ int main(int argc, char *argv[])
c_ssl = SSL_new(c_ctx);
s_ssl = SSL_new(s_ctx);
+ if (c_ssl == NULL || s_ssl == NULL)
+ goto end;
if (sn_client)
SSL_set_tlsext_host_name(c_ssl, sn_client);
@@ -1819,10 +1822,11 @@ int main(int argc, char *argv[])
case BIO_IPV4:
case BIO_IPV6:
ret = EXIT_FAILURE;
- goto err;
+ goto end;
#endif
}
- if (ret != EXIT_SUCCESS) break;
+ if (ret != EXIT_SUCCESS)
+ break;
}
if (should_negotiate && ret == EXIT_SUCCESS &&
@@ -1832,13 +1836,13 @@ int main(int argc, char *argv[])
if (version < 0) {
BIO_printf(bio_err, "Error parsing: %s\n", should_negotiate);
ret = EXIT_FAILURE;
- goto err;
+ goto end;
}
if (SSL_version(c_ssl) != version) {
BIO_printf(bio_err, "Unexpected version negotiated. "
"Expected: %s, got %s\n", should_negotiate, SSL_get_version(c_ssl));
ret = EXIT_FAILURE;
- goto err;
+ goto end;
}
}
@@ -1849,20 +1853,20 @@ int main(int argc, char *argv[])
"Expected: %d, server: %d, client: %d\n", should_reuse,
SSL_session_reused(s_ssl), SSL_session_reused(c_ssl));
ret = EXIT_FAILURE;
- goto err;
+ goto end;
}
}
if (server_sess_out != NULL) {
if (write_session(server_sess_out, SSL_get_session(s_ssl)) == 0) {
ret = EXIT_FAILURE;
- goto err;
+ goto end;
}
}
if (client_sess_out != NULL) {
if (write_session(client_sess_out, SSL_get_session(c_ssl)) == 0) {
ret = EXIT_FAILURE;
- goto err;
+ goto end;
}
}
@@ -1888,11 +1892,9 @@ int main(int argc, char *argv[])
#endif
}
- err:
+ end:
SSL_free(s_ssl);
SSL_free(c_ssl);
-
- end:
SSL_CTX_free(s_ctx);
SSL_CTX_free(s_ctx2);
SSL_CTX_free(c_ctx);
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 2191b297..e0274f12 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -10128,6 +10128,27 @@ end:
}
#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
+
+static ENGINE *load_dasync(void)
+{
+ ENGINE *e;
+
+ if (!TEST_ptr(e = ENGINE_by_id("dasync")))
+ return NULL;
+
+ if (!TEST_true(ENGINE_init(e))) {
+ ENGINE_free(e);
+ return NULL;
+ }
+
+ if (!TEST_true(ENGINE_register_ciphers(e))) {
+ ENGINE_free(e);
+ return NULL;
+ }
+
+ return e;
+}
+
/*
* Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
* support this yet. The only pipeline capable cipher that we have is in the
@@ -10143,6 +10164,8 @@ end:
* Test 4: Client has pipelining enabled, server does not: more data than all
* the available pipelines can take
* Test 5: Client has pipelining enabled, server does not: Maximum size pipeline
+ * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX
+ * is created)
*/
static int test_pipelining(int idx)
{
@@ -10155,25 +10178,28 @@ static int test_pipelining(int idx)
size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5;
size_t expectedreads;
unsigned char *buf = NULL;
- ENGINE *e;
-
- if (!TEST_ptr(e = ENGINE_by_id("dasync")))
- return 0;
+ ENGINE *e = NULL;
- if (!TEST_true(ENGINE_init(e))) {
- ENGINE_free(e);
- return 0;
+ if (idx != 6) {
+ e = load_dasync();
+ if (e == NULL)
+ return 0;
}
- if (!TEST_true(ENGINE_register_ciphers(e)))
- goto end;
-
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(), 0,
TLS1_2_VERSION, &sctx, &cctx, cert,
privkey)))
goto end;
+ if (idx == 6) {
+ e = load_dasync();
+ if (e == NULL)
+ goto end;
+ /* Now act like test 0 */
+ idx = 0;
+ }
+
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
&clientssl, NULL, NULL)))
goto end;
@@ -10309,9 +10335,11 @@ end:
SSL_free(clientssl);
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
- ENGINE_unregister_ciphers(e);
- ENGINE_finish(e);
- ENGINE_free(e);
+ if (e != NULL) {
+ ENGINE_unregister_ciphers(e);
+ ENGINE_finish(e);
+ ENGINE_free(e);
+ }
OPENSSL_free(buf);
if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH)
OPENSSL_free(msg);
@@ -10684,7 +10712,7 @@ int setup_tests(void)
ADD_ALL_TESTS(test_serverinfo_custom, 4);
#endif
#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
- ADD_ALL_TESTS(test_pipelining, 6);
+ ADD_ALL_TESTS(test_pipelining, 7);
#endif
ADD_ALL_TESTS(test_handshake_retry, 16);
return 1;
diff --git a/test/sysdefault.cnf b/test/sysdefault.cnf
index 20712b5b..1c891507 100644
--- a/test/sysdefault.cnf
+++ b/test/sysdefault.cnf
@@ -18,5 +18,6 @@ new-sig-oid = 1.1.1.1.1.1.1.1.1.1.1.1.1.1
system_default = ssl_default_sect
[ssl_default_sect]
+SignatureAlgorithms = RSA+SHA256:nonex
MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
diff --git a/test/test_asn1_parse.cnf b/test/test_asn1_parse.cnf
new file mode 100644
index 00000000..5f030565
--- /dev/null
+++ b/test/test_asn1_parse.cnf
@@ -0,0 +1,12 @@
+openssl_conf = openssl_init
+
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
+[openssl_init]
+oid_section = oids
+
+[oids]
+testoid1 = 1.2.3.4.1
+testoid2 = A Very Long OID Name, 1.2.3.4.2
+testoid3 = ,1.2.3.4.3
diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt
index 27c8018c..b59bcd0d 100644
--- a/util/missingcrypto.txt
+++ b/util/missingcrypto.txt
@@ -331,27 +331,7 @@ CMS_digest_verify(3)
CMS_is_detached(3)
CMS_set1_signers_certs(3)
CMS_set_detached(3)
-CMS_signed_add1_attr(3)
-CMS_signed_add1_attr_by_NID(3)
-CMS_signed_add1_attr_by_OBJ(3)
-CMS_signed_add1_attr_by_txt(3)
-CMS_signed_delete_attr(3)
-CMS_signed_get0_data_by_OBJ(3)
-CMS_signed_get_attr(3)
-CMS_signed_get_attr_by_NID(3)
-CMS_signed_get_attr_by_OBJ(3)
-CMS_signed_get_attr_count(3)
CMS_stream(3)
-CMS_unsigned_add1_attr(3)
-CMS_unsigned_add1_attr_by_NID(3)
-CMS_unsigned_add1_attr_by_OBJ(3)
-CMS_unsigned_add1_attr_by_txt(3)
-CMS_unsigned_delete_attr(3)
-CMS_unsigned_get0_data_by_OBJ(3)
-CMS_unsigned_get_attr(3)
-CMS_unsigned_get_attr_by_NID(3)
-CMS_unsigned_get_attr_by_OBJ(3)
-CMS_unsigned_get_attr_count(3)
COMP_CTX_free(3)
COMP_CTX_get_method(3)
COMP_CTX_get_type(3)
@@ -605,18 +585,9 @@ EVP_PKEY_CTX_hex2ctrl(3)
EVP_PKEY_CTX_set0_keygen_info(3)
EVP_PKEY_CTX_set_data(3)
EVP_PKEY_CTX_str2ctrl(3)
-EVP_PKEY_add1_attr(3)
-EVP_PKEY_add1_attr_by_NID(3)
-EVP_PKEY_add1_attr_by_OBJ(3)
-EVP_PKEY_add1_attr_by_txt(3)
EVP_PKEY_assign(3)
EVP_PKEY_decrypt_old(3)
-EVP_PKEY_delete_attr(3)
EVP_PKEY_encrypt_old(3)
-EVP_PKEY_get_attr(3)
-EVP_PKEY_get_attr_by_NID(3)
-EVP_PKEY_get_attr_by_OBJ(3)
-EVP_PKEY_get_attr_count(3)
EVP_PKEY_save_parameters(3)
EVP_add_alg_module(3)
EVP_add_cipher(3)
@@ -763,9 +734,6 @@ OCSP_response_status_str(3)
OCSP_url_svcloc_new(3)
OPENSSL_DIR_end(3)
OPENSSL_DIR_read(3)
-OPENSSL_LH_get_down_load(3)
-OPENSSL_LH_num_items(3)
-OPENSSL_LH_set_down_load(3)
OPENSSL_LH_strhash(3)
OPENSSL_asc2uni(3)
OPENSSL_die(3)
@@ -1132,17 +1100,7 @@ X509V3_set_conf_lhash(3)
X509V3_set_nconf(3)
X509V3_string_free(3)
X509_ALGORS_it(3)
-X509_ATTRIBUTE_count(3)
-X509_ATTRIBUTE_create(3)
-X509_ATTRIBUTE_create_by_NID(3)
-X509_ATTRIBUTE_create_by_OBJ(3)
-X509_ATTRIBUTE_create_by_txt(3)
-X509_ATTRIBUTE_get0_data(3)
-X509_ATTRIBUTE_get0_object(3)
-X509_ATTRIBUTE_get0_type(3)
X509_ATTRIBUTE_it(3)
-X509_ATTRIBUTE_set1_data(3)
-X509_ATTRIBUTE_set1_object(3)
X509_CERT_AUX_it(3)
X509_CINF_it(3)
X509_CRL_INFO_it(3)
@@ -1198,17 +1156,10 @@ X509_REQ_add1_attr(3)
X509_REQ_add1_attr_by_NID(3)
X509_REQ_add1_attr_by_OBJ(3)
X509_REQ_add1_attr_by_txt(3)
-X509_REQ_add_extensions(3)
-X509_REQ_add_extensions_nid(3)
X509_REQ_delete_attr(3)
X509_REQ_extension_nid(3)
X509_REQ_get1_email(3)
-X509_REQ_get_attr(3)
-X509_REQ_get_attr_by_NID(3)
-X509_REQ_get_attr_by_OBJ(3)
-X509_REQ_get_attr_count(3)
X509_REQ_get_extension_nids(3)
-X509_REQ_get_extensions(3)
X509_REQ_it(3)
X509_REQ_print(3)
X509_REQ_print_ex(3)
@@ -1311,16 +1262,6 @@ X509_supported_extension(3)
X509_to_X509_REQ(3)
X509_trust_clear(3)
X509_trusted(3)
-X509at_add1_attr(3)
-X509at_add1_attr_by_NID(3)
-X509at_add1_attr_by_OBJ(3)
-X509at_add1_attr_by_txt(3)
-X509at_delete_attr(3)
-X509at_get0_data_by_OBJ(3)
-X509at_get_attr(3)
-X509at_get_attr_by_NID(3)
-X509at_get_attr_by_OBJ(3)
-X509at_get_attr_count(3)
X509v3_addr_add_inherit(3)
X509v3_addr_add_prefix(3)
X509v3_addr_add_range(3)
diff --git a/util/missingssl.txt b/util/missingssl.txt
index 48219fd9..41ca8a8b 100644
--- a/util/missingssl.txt
+++ b/util/missingssl.txt
@@ -3,7 +3,6 @@ ERR_load_SSL_strings(3)
SRP_Calc_A_param(3)
SSL_COMP_get_name(3)
SSL_COMP_set0_compression_methods(3)
-SSL_CONF_CTX_finish(3)
SSL_CTX_SRP_CTX_free(3)
SSL_CTX_SRP_CTX_init(3)
SSL_CTX_get0_certificate(3)
diff --git a/util/other.syms b/util/other.syms
index cdd62e81..ea0a8caa 100644
--- a/util/other.syms
+++ b/util/other.syms
@@ -113,6 +113,7 @@ UI_METHOD datatype
UI_STRING datatype
UI_string_types datatype
UI_string_types datatype
+X509_ATTRIBUTE datatype
X509_STORE_CTX_cert_crl_fn datatype
X509_STORE_CTX_check_crl_fn datatype
X509_STORE_CTX_check_issued_fn datatype
diff --git a/util/perl/OpenSSL/config.pm b/util/perl/OpenSSL/config.pm
index 1aa6768a..695d6bab 100755
--- a/util/perl/OpenSSL/config.pm
+++ b/util/perl/OpenSSL/config.pm
@@ -82,7 +82,7 @@ my $guess_patterns = [
[ 'HP-UX:.*',
sub {
my $HPUXVER = $RELEASE;
- $HPUXVER = s/[^.]*.[0B]*//;
+ $HPUXVER =~ s/[^.]*.[0B]*//;
# HPUX 10 and 11 targets are unified
return "${MACHINE}-hp-hpux1x" if $HPUXVER =~ m@1[0-9]@;
return "${MACHINE}-hp-hpux";
@@ -321,6 +321,7 @@ sub determine_compiler_settings {
# If we got a version number, process it
if ($v) {
+ $v =~ s/[^.]*.0*// if $SYSTEM eq 'HP-UX';
$CCVENDOR = $k;
# The returned version is expected to be one of
@@ -358,8 +359,15 @@ sub determine_compiler_settings {
# However, other letters have been seen as well (for example X),
# and it's documented that HP (now VSI) reserve the letter W, X,
# Y and Z for their own uses.
- my ($vendor, $version) =
- ( $v =~ m/^([A-Z]+) C [VWXYZ]([0-9\.-]+)(:? +\(.*?\))? on / );
+ my ($vendor, $arch, $version, $extra) =
+ ( $v =~ m/^
+ ([A-Z]+) # Usually VSI
+ \s+ C
+ (?:\s+(.*?))? # Possible build arch
+ \s+ [VWXYZ]([0-9\.-]+) # Version
+ (?:\s+\((.*?)\))? # Possible extra data
+ \s+ on
+ /x );
my ($major, $minor, $patch) =
( $version =~ m/^([0-9]+)\.([0-9]+)-0*?(0|[1-9][0-9]*)$/ );
$CC = 'CC';
--
GitLab