-rw-r--r-- | .github/workflows/ci.yml | 2 | ||||
-rw-r--r-- | crypto/ess/ess_lib.c | 2 | ||||
-rw-r--r-- | crypto/provider_core.c | 9 | ||||
-rw-r--r-- | crypto/sm2/sm2_sign.c | 9 | ||||
-rw-r--r-- | doc/man3/SSL_CIPHER_get_name.pod | 2 | ||||
-rw-r--r-- | doc/man7/EVP_PKEY-SM2.pod | 3 | ||||
-rw-r--r-- | doc/man7/migration_guide.pod | 18 | ||||
-rw-r--r-- | os-dep/Apple/PrivacyInfo.xcprivacy | 23 | ||||
-rw-r--r-- | test/build.info | 1 | ||||
-rw-r--r-- | test/ct_test.c | 9 | ||||
-rw-r--r-- | test/pathed.cnf | 22 | ||||
-rw-r--r-- | test/prov_config_test.c | 54 | ||||
-rw-r--r-- | test/recipes/30-test_prov_config.t | 6 | ||||
-rw-r--r-- | test/sm2_internal_test.c | 35 |
14 files changed, 177 insertions, 18 deletions
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4376498edd..ea89c3634e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -356,7 +356,7 @@ jobs: sudo apt-get update sudo apt-get -yq install bison gettext keyutils ldap-utils libldap2-dev libkeyutils-dev python3 python3-paste python3-pyrad slapd tcsh python3-virtualenv virtualenv python3-kdcproxy - name: install cpanm and Test2::V0 for gost_engine testing - uses: perl-actions/install-with-cpanm@v1 + uses: perl-actions/install-with-cpanm@stable with: install: Test2::V0 - name: setup hostname workaround diff --git a/crypto/ess/ess_lib.c b/crypto/ess/ess_lib.c index 65444d383f..3d59fc2151 100644 --- a/crypto/ess/ess_lib.c +++ b/crypto/ess/ess_lib.c @@ -293,7 +293,7 @@ int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss, int i, ret; if (require_signing_cert && ss == NULL && ssv2 == NULL) { - ERR_raise(ERR_LIB_CMS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE); + ERR_raise(ERR_LIB_ESS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE); return -1; } if (n_v1 == 0 || n_v2 == 0) { diff --git a/crypto/provider_core.c b/crypto/provider_core.c index e90b63b303..9f8e73c9d0 100644 --- a/crypto/provider_core.c +++ b/crypto/provider_core.c @@ -559,8 +559,15 @@ OSSL_PROVIDER *ossl_provider_new(OSSL_LIB_CTX *libctx, const char *name, } /* provider_new() generates an error, so no need here */ - if ((prov = provider_new(name, template.init, template.parameters)) == NULL) + prov = provider_new(name, template.init, template.parameters); + + if (prov == NULL) + return NULL; + + if (!ossl_provider_set_module_path(prov, template.path)) { + ossl_provider_free(prov); return NULL; + } prov->libctx = libctx; #ifndef FIPS_MODULE diff --git a/crypto/sm2/sm2_sign.c b/crypto/sm2/sm2_sign.c index b6d41db8e3..79692f146e 100644 --- a/crypto/sm2/sm2_sign.c +++ b/crypto/sm2/sm2_sign.c 
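Review bot: The new ref `@stable` on the `perl-actions/install-with-cpanm` step is mutable, so the code this job executes can change without any commit to this repository. The previous `@v1` had the same property. Pinning the step to a full commit hash closes that gap, e.g. `uses: perl-actions/install-with-cpanm@<full-commit-sha>  # stable` (placeholder; the hash is not on this page). The same job runs `sudo apt-get` installs, so whatever the ref resolves to runs with that runner's privileges.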
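Review bot: The comment `/* provider_new() generates an error, so no need here */` in ossl_provider_new() now sits above two failure paths but only describes the first. Whether ossl_provider_set_module_path() raises an error before returning 0 is not visible in this hunk. If it does, extend the comment, e.g. `/* provider_new() and ossl_provider_set_module_path() raise their own errors */`; if it does not, the new `return NULL` leaves the caller with nothing on the error queue. A short comment beside the call would also help, noting that `template.path` is filled in outside this hunk and presumably decides which module file is later loaded for this provider. The function starts and ends outside the hunk.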
@@ -28,6 +28,7 @@ int ossl_sm2_compute_z_digest(uint8_t *out, { int rc = 0; const EC_GROUP *group = EC_KEY_get0_group(key); + const EC_POINT *pubkey = EC_KEY_get0_public_key(key); BN_CTX *ctx = NULL; EVP_MD_CTX *hash = NULL; BIGNUM *p = NULL; @@ -42,6 +43,12 @@ int ossl_sm2_compute_z_digest(uint8_t *out, uint16_t entl = 0; uint8_t e_byte = 0; + /* SM2 Signatures require a public key, check for it */ + if (pubkey == NULL) { + ERR_raise(ERR_LIB_SM2, ERR_R_PASSED_NULL_PARAMETER); + goto done; + } + hash = EVP_MD_CTX_new(); ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(key)); if (hash == NULL || ctx == NULL) { @@ -117,7 +124,7 @@ int ossl_sm2_compute_z_digest(uint8_t *out, || BN_bn2binpad(yG, buf, p_bytes) < 0 || !EVP_DigestUpdate(hash, buf, p_bytes) || !EC_POINT_get_affine_coordinates(group, - EC_KEY_get0_public_key(key), + pubkey, xA, yA, ctx) || BN_bn2binpad(xA, buf, p_bytes) < 0 || !EVP_DigestUpdate(hash, buf, p_bytes) diff --git a/doc/man3/SSL_CIPHER_get_name.pod b/doc/man3/SSL_CIPHER_get_name.pod index e22a85a063..c3109279a7 100644 --- a/doc/man3/SSL_CIPHER_get_name.pod +++ b/doc/man3/SSL_CIPHER_get_name.pod @@ -109,7 +109,7 @@ cipher B<c>. SSL_CIPHER_description() returns a textual description of the cipher used into the buffer B<buf> of length B<len> provided. If B<buf> is provided, it -must be at least 128 bytes, otherwise a buffer will be allocated using +must be at least 128 bytes. If B<buf> is NULL it will be allocated using OPENSSL_malloc(). If the provided buffer is too small, or the allocation fails, B<NULL> is returned. diff --git a/doc/man7/EVP_PKEY-SM2.pod b/doc/man7/EVP_PKEY-SM2.pod index 8bdc506cec..b073dc8b05 100644 --- a/doc/man7/EVP_PKEY-SM2.pod +++ b/doc/man7/EVP_PKEY-SM2.pod 
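Review bot: The new `pubkey == NULL` branch in ossl_sm2_compute_z_digest() raises `ERR_R_PASSED_NULL_PARAMETER`, but what it detects is a key with no public component, not a NULL argument. A caller reading the error queue will be pointed at the wrong cause, so a reason code that names the missing public key would be clearer. The comment could also say why the key is needed, e.g. `/* Z hashes the signer's public point (xA, yA); a private-only key cannot be used */`, which the last hunk of this file confirms. The branch jumps to `done` before `hash` and `ctx` are allocated. The pointers visible in the first hunk are initialised to NULL, but the remaining declarations and the `done` label are outside the hunks, so confirm that everything released there starts as NULL.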
@@ -38,6 +38,9 @@ Getter that returns the default digest name. B<SM2> signatures can be generated by using the 'DigestSign' series of APIs, for instance, EVP_DigestSignInit(), EVP_DigestSignUpdate() and EVP_DigestSignFinal(). Ditto for the verification process by calling the 'DigestVerify' series of APIs. +Note that the SM2 algorithm requires the presence of the public key for signatures, +as such the B<OSSL_PKEY_PARAM_PUB_KEY> option must be set on any key used in signature +generation. Before computing an B<SM2> signature, an B<EVP_PKEY_CTX> needs to be created, and an B<SM2> ID must be set for it, like this: diff --git a/doc/man7/migration_guide.pod b/doc/man7/migration_guide.pod index 28983ea600..3152b70483 100644 --- a/doc/man7/migration_guide.pod +++ b/doc/man7/migration_guide.pod @@ -1326,7 +1326,7 @@ d2i_DSAPrivateKey_bio(), d2i_DSAPrivateKey_fp(), d2i_DSA_PUBKEY(), d2i_DSA_PUBKEY_bio(), d2i_DSA_PUBKEY_fp(), d2i_DSAPublicKey(), d2i_ECParameters(), d2i_ECPrivateKey(), d2i_ECPrivateKey_bio(), d2i_ECPrivateKey_fp(), d2i_EC_PUBKEY(), d2i_EC_PUBKEY_bio(), -d2i_EC_PUBKEY_fp(), o2i_ECPublicKey(), d2i_RSAPrivateKey(), +d2i_EC_PUBKEY_fp(), d2i_RSAPrivateKey(), d2i_RSAPrivateKey_bio(), d2i_RSAPrivateKey_fp(), d2i_RSA_PUBKEY(), d2i_RSA_PUBKEY_bio(), d2i_RSA_PUBKEY_fp(), d2i_RSAPublicKey(), d2i_RSAPublicKey_bio(), d2i_RSAPublicKey_fp() @@ -1335,6 +1335,13 @@ See L</Deprecated i2d and d2i functions for low-level key types> =item * +o2i_ECPublicKey() + +Use L<EVP_PKEY_set1_encoded_public_key(3)>. +See L</Deprecated low-level key parameter setters> + +=item * + DES_crypt(), DES_fcrypt(), DES_encrypt1(), DES_encrypt2(), DES_encrypt3(), DES_decrypt3(), DES_ede3_cbc_encrypt(), DES_ede3_cfb64_encrypt(), DES_ede3_cfb_encrypt(),DES_ede3_ofb64_encrypt(), 
@@ -1885,13 +1892,20 @@ and L<d2i_RSAPrivateKey(3)/Migration> i2d_ECParameters(), i2d_ECPrivateKey(), i2d_ECPrivateKey_bio(), i2d_ECPrivateKey_fp(), i2d_EC_PUBKEY(), i2d_EC_PUBKEY_bio(), -i2d_EC_PUBKEY_fp(), i2o_ECPublicKey() +i2d_EC_PUBKEY_fp() See L</Deprecated low-level key reading and writing functions> and L<d2i_RSAPrivateKey(3)/Migration> =item * +i2o_ECPublicKey() + +Use L<EVP_PKEY_get1_encoded_public_key(3)>. +See L</Deprecated low-level key parameter getters> + +=item * + i2d_RSAPrivateKey(), i2d_RSAPrivateKey_bio(), i2d_RSAPrivateKey_fp(), i2d_RSA_PUBKEY(), i2d_RSA_PUBKEY_bio(), i2d_RSA_PUBKEY_fp(), i2d_RSAPublicKey(), i2d_RSAPublicKey_bio(), i2d_RSAPublicKey_fp() diff --git a/os-dep/Apple/PrivacyInfo.xcprivacy b/os-dep/Apple/PrivacyInfo.xcprivacy new file mode 100644 index 0000000000..285dd5beba --- /dev/null +++ b/os-dep/Apple/PrivacyInfo.xcprivacy @@ -0,0 +1,23 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> + <key>NSPrivacyAccessedAPITypes</key> + <array> + <dict> + <key>NSPrivacyAccessedAPIType</key> + <string>NSPrivacyAccessedAPICategoryFileTimestamp</string> + <key>NSPrivacyAccessedAPITypeReasons</key> + <array> + <string>C617.1</string> + </array> + </dict> + </array> + <key>NSPrivacyCollectedDataTypes</key> + <array/> + <key>NSPrivacyTrackingDomains</key> + <array/> + <key>NSPrivacyTracking</key> + <false/> +</dict> +</plist> diff --git a/test/build.info b/test/build.info index 81fd75df15..0435c00085 100644 --- a/test/build.info +++ b/test/build.info @@ -874,6 +874,7 @@ IF[{- !$disabled{tests} -}] ENDIF IF[{- $disabled{module} || !$target{dso_scheme} -}] DEFINE[provider_test]=NO_PROVIDER_MODULE + DEFINE[prov_config_test]=NO_PROVIDER_MODULE DEFINE[provider_internal_test]=NO_PROVIDER_MODULE ENDIF DEPEND[]=provider_internal_test.cnf diff --git a/test/ct_test.c b/test/ct_test.c index 26d5bc1084..7bf4e94029 100644 
--- a/test/ct_test.c +++ b/test/ct_test.c @@ -450,13 +450,18 @@ static int test_encode_tls_sct(void) fixture->sct_list = sk_SCT_new_null(); if (fixture->sct_list == NULL) - return 0; + { + tear_down(fixture); + return 0; + } if (!TEST_ptr(sct = SCT_new_from_base64(SCT_VERSION_V1, log_id, CT_LOG_ENTRY_TYPE_X509, timestamp, extensions, signature))) - + { + tear_down(fixture); return 0; + } sk_SCT_push(fixture->sct_list, sct); fixture->sct_dir = ct_dir; diff --git a/test/pathed.cnf b/test/pathed.cnf new file mode 100644 index 0000000000..07bdc1fdb2 --- /dev/null +++ b/test/pathed.cnf @@ -0,0 +1,22 @@ +openssl_conf = openssl_init + +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + +[openssl_init] +providers = provider_sect + +[provider_sect] +default = default_sect +legacy = legacy_sect +test = test_sect + +[test_sect] +module = ../test/p_test.so +activate = false + +[default_sect] +activate = true + +[legacy_sect] +activate = false diff --git a/test/prov_config_test.c b/test/prov_config_test.c index b44ec78d8d..4f0cbc247b 100644 --- a/test/prov_config_test.c +++ b/test/prov_config_test.c @@ -7,12 +7,14 @@ * https://www.openssl.org/source/license.html */ +#include <sys/stat.h> #include <openssl/evp.h> #include <openssl/conf.h> #include "testutil.h" static char *configfile = NULL; static char *recurseconfigfile = NULL; +static char *pathedconfig = NULL; /* * Test to make sure there are no leaks or failures from loading the config 
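Review bot: `sk_SCT_push(fixture->sct_list, sct);` in the trailing context of test_encode_tls_sct() is still unchecked, so the leak cleanup added above stops one step short. If the push fails, `sct` is not in the list and nothing frees it. Test the result with `if (!sk_SCT_push(fixture->sct_list, sct))` and, on failure, free `sct`, call `tear_down(fixture)` and return 0. On style, the two added blocks put `{` on its own line, while other C code in this diff uses `if (pubkey == NULL) {`; the first check could also use `TEST_ptr()` like the second. The function starts and ends outside the hunk.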
@@ -70,6 +72,54 @@ static int test_recursive_config(void) return testresult; } +#define P_TEST_PATH "/../test/p_test.so" +static int test_path_config(void) +{ + OSSL_LIB_CTX *ctx = NULL; + OSSL_PROVIDER *prov; + int testresult = 0; + struct stat sbuf; + char *module_path = getenv("OPENSSL_MODULES"); + char *full_path = NULL; + int rc; + + if (!TEST_ptr(module_path)) + return 0; + + full_path = OPENSSL_zalloc(strlen(module_path) + strlen(P_TEST_PATH) + 1); + if (!TEST_ptr(full_path)) + return 0; + + strcpy(full_path, module_path); + full_path = strcat(full_path, P_TEST_PATH); + TEST_info("full path is %s", full_path); + rc = stat(full_path, &sbuf); + OPENSSL_free(full_path); + if (rc == -1) + return TEST_skip("Skipping modulepath test as provider not present"); + + if (!TEST_ptr(pathedconfig)) + return 0; + + ctx = OSSL_LIB_CTX_new(); + if (!TEST_ptr(ctx)) + return 0; + + if (!TEST_true(OSSL_LIB_CTX_load_config(ctx, pathedconfig))) + goto err; + + /* attempt to manually load the test provider */ + if (!TEST_ptr(prov = OSSL_PROVIDER_load(ctx, "test"))) + goto err; + + OSSL_PROVIDER_unload(prov); + + testresult = 1; + err: + OSSL_LIB_CTX_free(ctx); + return testresult; +} + OPT_TEST_DECLARE_USAGE("configfile\n") int setup_tests(void) @@ -85,7 +135,11 @@ int setup_tests(void) if (!TEST_ptr(recurseconfigfile = test_get_argument(1))) return 0; + if (!TEST_ptr(pathedconfig = test_get_argument(2))) + return 0; + ADD_TEST(test_recursive_config); ADD_TEST(test_double_config); + ADD_TEST(test_path_config); return 1; } diff --git a/test/recipes/30-test_prov_config.t b/test/recipes/30-test_prov_config.t index 7f6350fd84..8884d07f3a 100644 --- a/test/recipes/30-test_prov_config.t +++ b/test/recipes/30-test_prov_config.t 
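Review bot: `P_TEST_PATH` hard-codes the `.so` suffix, and test/pathed.cnf names the same `../test/p_test.so`. Where the test provider is built with another extension, or not at all, `stat()` fails and test_path_config() reports a skip rather than exercising the module-path fix in ossl_provider_new(). A comment should say this, e.g. `/* Skipped wherever p_test is not built as a .so; pathed.cnf names the same file */`, or the suffix should come from the build configuration so the regression test runs on every platform that builds modules. Separately, `module_path` is never written through and can be `const char *module_path = getenv("OPENSSL_MODULES");`.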
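Review bot: setup_tests() now fails unless a third positional argument is supplied, but the usage string just above it still reads `OPT_TEST_DECLARE_USAGE("configfile\n")`. Naming all three files, e.g. `OPT_TEST_DECLARE_USAGE("configfile recurseconfigfile pathedconfig\n")`, makes a failure from `test_get_argument(2)` explainable to whoever runs the binary by hand. The `TEST_ptr(pathedconfig)` check inside test_path_config() appears redundant once this one has passed. setup_tests() starts outside the hunk.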
@@ -23,13 +23,15 @@ my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); plan tests => 2; ok(run(test(["prov_config_test", srctop_file("test", "default.cnf"), - srctop_file("test", "recursive.cnf")])), + srctop_file("test", "recursive.cnf"), + srctop_file("test", "pathed.cnf")])), "running prov_config_test default.cnf"); SKIP: { skip "Skipping FIPS test in this build", 1 if $no_fips; ok(run(test(["prov_config_test", srctop_file("test", "fips.cnf"), - srctop_file("test", "recursive.cnf")])), + srctop_file("test", "recursive.cnf"), + srctop_file("test", "pathed.cnf")])), "running prov_config_test fips.cnf"); } diff --git a/test/sm2_internal_test.c b/test/sm2_internal_test.c index 4899d5e213..8953915ec1 100644 --- a/test/sm2_internal_test.c +++ b/test/sm2_internal_test.c @@ -305,7 +305,8 @@ static int test_sm2_sign(const EC_GROUP *group, const char *message, const char *k_hex, const char *r_hex, - const char *s_hex) + const char *s_hex, + int omit_pubkey) { const size_t msg_len = strlen(message); int ok = 0; @@ -327,11 +328,13 @@ static int test_sm2_sign(const EC_GROUP *group, || !TEST_true(EC_KEY_set_private_key(key, priv))) goto done; - pt = EC_POINT_new(group); - if (!TEST_ptr(pt) - || !TEST_true(EC_POINT_mul(group, pt, priv, NULL, NULL, NULL)) - || !TEST_true(EC_KEY_set_public_key(key, pt))) - goto done; + if (omit_pubkey == 0) { + pt = EC_POINT_new(group); + if (!TEST_ptr(pt) + || !TEST_true(EC_POINT_mul(group, pt, priv, NULL, NULL, NULL)) + || !TEST_true(EC_KEY_set_public_key(key, pt))) + goto done; + } start_fake_rand(k_hex); sig = ossl_sm2_do_sign(key, EVP_sm3(), (const uint8_t *)userid, 
@@ -392,7 +395,25 @@ static int sm2_sig_test(void) "006CB28D99385C175C94F94E934817663FC176D925DD72B727260DBAAE1FB2F96F" "007c47811054c6f99613a578eb8453706ccb96384fe7df5c171671e760bfa8be3a", "40F1EC59F793D9F49E09DCEF49130D4194F79FB1EED2CAA55BACDB49C4E755D1", - "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7"))) + "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7", 0))) + goto done; + + /* Make sure we fail if we omit the public portion of the key */ + if (!TEST_false(test_sm2_sign( + test_group, + /* the default ID specified in GM/T 0009-2012 (Sec. 10).*/ + SM2_DEFAULT_USERID, + /* privkey */ + "3945208F7B2144B13F36E38AC6D39F95889393692860B51A42FB81EF4DF7C5B8", + /* plaintext message */ + "message digest", + /* ephemeral nonce k */ + "59276E27D506861A16680F3AD9C02DCCEF3CC1FA3CDBE4CE6D54B80DEAC1BC21", + /* expected signature, */ + /* signature R, 0x20 bytes */ + "F5A03B0648D2C4630EEAC513E1BB81A15944DA3827D5B74143AC7EACEEE720B3", + /* signature S, 0x20 bytes */ + "B1B6AA29DF212FD8763182BC0D421CA1BB9038FD1F7F42D4840B69C485BBC1AA", 1))) goto done; testresult = 1; |
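Review bot: The negative case in sm2_sig_test() wraps the whole helper in `TEST_false(test_sm2_sign(..., 1))`, so it passes on any failure inside test_sm2_sign(), not only the missing public key. A malformed hex input or a failed allocation would also satisfy it, and the test would keep passing if the NULL check in ossl_sm2_compute_z_digest() were later removed and signing failed for another reason. When `omit_pubkey` is set, the helper should instead check `TEST_ptr_null(sig)` directly after the `ossl_sm2_do_sign()` call and report success on that basis. Checking the error queue for the expected reason would make it stricter still. The `r_hex` and `s_hex` arguments labelled `/* expected signature, */` appear to be unused in this case, which deserves a comment. The helper's body is only partly visible in these hunks.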