Neil Horman [Tue, 1 Apr 2025 12:49:01 +0000 (08:49 -0400)]
update to latest version of libprov
Recently, we saw a failure in openssl tests when building gost-engine:
https://github.com/openssl/openssl/actions/runs/14192630435/job/39768534802
It occurs because a gost-engine dependency (libprov) requires a minimum
cmake version of 3.0. Recent distro updates have moved to cmake 4.0,
which error out if a CMakeLists.txt file requires a version less than
3.5.
The libprov tree has been updated to require 3.18 now (matching the
requirement for gost-engine), so we need to update the libprov submodule
here to pull that update in.
Vitaly Chikunov [Fri, 28 Mar 2025 15:53:14 +0000 (18:53 +0300)]
tcl_tests: ca.try: Ignore multi-space indentation in openssl crl output
Indentation is changing from 8 to 4 chars in new version of openssl[1]. Make the
test forward and backward compatible with variable indentation of openssl crl
output.
Adrien Nader [Tue, 25 Mar 2025 09:07:50 +0000 (10:07 +0100)]
test: parallel testsuite runs failed due to reused filenames
Cmake can run tests in parallel and does so for the perl tests. These
are actually the same tests twice but in "engine" and "provider"
variants.
These tests contain something like the following:
- create testdata.dat
- write to it
- use the file
- unlink the file
When two of these run in parallel, a likely scenario is the file is
unlinked by one while still being needed by the second.
This commit simply prefixes the filenames with "$ARGV[0]-" which is
either "engine-" or "provider-". With unique names, there are no more
overlaps.
PS: I had first looked for ways to disable parallel test execution (when
I thought it was perl running tests in parallel rather than cmake) but
found no way to do that in CMakeLists.txt, only through an environment
variable or by changing the command-line invocation, both of which where
far less appropriate both for distribution patches and upstreaming.
Sergei Ianovich [Tue, 30 Jul 2024 15:04:04 +0000 (15:04 +0000)]
Fix double initialization
Infer correctly complains that `ptr` is initialized twice before first
use. The fix is trivial.
```
gost12sum.c:253: error: Dead Store
The value written to `&ptr` is never used.
251. {
252. int i, len;
253. char *ptr = filename;
^
254. char *spacepos = NULL;
255.
```
Sergei Ianovich [Tue, 30 Jul 2024 14:55:22 +0000 (14:55 +0000)]
Fix false positive static analysis issue #2
Infer complains:
```
test_digest.c:662: error: Dead Store
The value written to `&p` is never used.
660. if (t->truncate) {
661. outsize = t->truncate;
662. params[p++] = OSSL_PARAM_construct_size_t("size", &outsize);
^
663. }
664. else
```
Altough the complain is false positive, fixing it will allow for future
use of the tools in automated tests.
arx11 [Sat, 23 Mar 2024 10:13:59 +0000 (06:13 -0400)]
Added support for raw public key export and import
In total there are 3 new functions to export/import raw values of public and private keys.
Public key functions are used to handle ASN1_PKEY_CTRL_GET1_TLS_ENCPT and ASN1_PKEY_CTRL_SET1_TLS_ENCPT control codes used by SSL stack during key exchange.
Private key export function is just a convenient way to get the key value (EVP_PKEY_new_raw_private_key does not provide paramset to use for key import).
Vitaly Chikunov [Fri, 22 Mar 2024 02:20:50 +0000 (05:20 +0300)]
tcl_tests: ca.try: Ignore openssl crl exit status for 'corrupted CRL' test
Older `openssl crl` exits with 0 in regard to verify no matter actual verify
status, newer `openssl crl` could exit with 1 on verify failure. Make the test
backward-compatible comparing only an output.
Vitaly Chikunov [Fri, 22 Mar 2024 02:12:53 +0000 (05:12 +0300)]
tcl_tests: Introduce new exitStatus -1 to ignore exit codes
It's proposed[1] that crl and req change exit code making it unreliable for some
commands. Allow tests to ignore exit codes by specifying expected exit code `-1`.
This will also make such tests to always use regexp match mode.
Also, slightly fix the logic of applying regexp. Commentary says test
_parameter_ (`exitStatus`) 1 is used to trigger regexp matching but in fact
actual command exit code (`status`) 1 is used for that. This change did not
cause any test result difference.
Vitaly Chikunov [Wed, 14 Jun 2023 14:12:51 +0000 (17:12 +0300)]
Fix gcc13 error: writing 1 byte into a region of size 0
gcc-13 thinks `bl` can take negative value (when returned from
EVP_CIPHER_CTX_block_size). Do simple sanity checking to workaround this.
Also, add error propagation up to EVP_DigestFinal_ex, so this sanity checking
is not in vain.
Error message:
In function 'make_kn',
inlined from 'CMAC_ACPKM_Final' at /builddir/build/BUILD/engine-3.0.0/gost_omac_acpkm.c:274:5,
inlined from 'omac_acpkm_imit_final' at /builddir/build/BUILD/engine-3.0.0/gost_omac_acpkm.c:354:5:
/builddir/build/BUILD/engine-3.0.0/gost_omac_acpkm.c:55:20: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
55 | k1[bl - 1] ^= bl == 16 ? 0x87 : 0x1b;
| ~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~
/builddir/build/BUILD/engine-3.0.0/gost_omac_acpkm.c: In function 'omac_acpkm_imit_final':
/builddir/build/BUILD/engine-3.0.0/gost_omac_acpkm.c:260:24: note: at offset [-2147483649, -1] into destination object 'k2' of size 32
260 | unsigned char *k1, k2[EVP_MAX_BLOCK_LENGTH];
| ^~
Craig Andrews [Tue, 3 Jan 2023 22:42:02 +0000 (17:42 -0500)]
Correct CMake files installation path
install(EXPORT GostEngineConfig DESTINATION share/cmake/GostEngine) will to a path like this:
/usr/GostEngine/share/cmake/GostEngine/GostEngineConfig.cmake
which is not standard or expected. These files should be installed to:
/usr/share/cmake/GostEngine/GostEngineConfig.cmake
which can be done by changing the installation line to:
install(EXPORT GostEngineConfig DESTINATION share/cmake/GostEngine)
As https://github.com/openssl/openssl/pull/18236 is going to
ban SSL3, TLS1, TLS1.1 and DTLS1.0 at security level one and above,
we have to adjust GOST TLS tests.
Vitaly Chikunov [Sat, 8 Jan 2022 23:25:31 +0000 (02:25 +0300)]
gost_ec_keyx: Check CTX data before it's really used
This should fix Coverity warning:
*** CID 345243: Null pointer dereferences (REVERSE_INULL)
/gost_ec_keyx.c: 681 in pkey_gost2018_decrypt()
675 o Q_eph is on the same curve as server public key;
676
677 o Q_eph is not equal to zero point;
678
679 o q * Q_eph is not equal to zero point.
680 */
>>> CID 345243: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "data" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
681 if (eph_key == NULL || priv == NULL || data == NULL) {
682 GOSTerr(GOST_F_PKEY_GOST2018_DECRYPT,
683 GOST_R_ERROR_COMPUTING_EXPORT_KEYS);
684 ret = 0;
685 goto err;
686 }
Vitaly Chikunov [Wed, 15 Dec 2021 01:23:22 +0000 (04:23 +0300)]
test_tls: Rework test to be single process
Rework the test to be similar to sslapitest.c. Using BIO only connections
and non-blocking IO instead of socketpair and separate processes.
This will allow it to compile and work on Windows.
Vitaly Chikunov [Sun, 19 Dec 2021 22:40:39 +0000 (01:40 +0300)]
MSVC: Fix casting warning C4057
test_tls.c(103,5): warning C4057: 'function': 'const unsigned char *' differs in indirection to slightly different base types from 'char [8]'
test_tls.c(104,5): warning C4057: 'function': 'const unsigned char *' differs in indirection to slightly different base types from 'char [9]'
Vitaly Chikunov [Mon, 6 Dec 2021 03:09:27 +0000 (06:09 +0300)]
MSVC: Do not build in library form
Library form overwrites module form due to both having the same name `gost.dll'.
As temporary workaround do not build library form on Windows, until we invent
how to solve it properly. Currently, there is no known need of engine in the
library form on Windows.
Vitaly Chikunov [Sat, 4 Dec 2021 09:37:39 +0000 (12:37 +0300)]
MSVC: Fix include files
Error message:
gost12sum.c(13,10): fatal error C1083: Cannot open include file: 'unistd.h': No such file or directory
gost12sum.c(80,23): warning C4013: 'getopt' undefined; assuming extern returning int
test_keyexpimp.c(7,10): fatal error C1083: Cannot open include file: 'arpa/inet.h': No such file or directory
Richard Levitte [Mon, 5 Apr 2021 06:08:10 +0000 (08:08 +0200)]
Making a gost provider - Add the macs
We add the macs for the provider as wrappers around the EVP_MD
implementations designed for ENGINEs. This is not the most elegant,
but it does the job.
When an algorithm has an OID, it's included in the OSSL_ALGORITHM name
as an alias. This is the way to avoid having to register the OIDs in
OpenSSL proper.
Richard Levitte [Sat, 13 Feb 2021 13:56:17 +0000 (14:56 +0100)]
Making a gost provider - Add the digests
We add the digests for the provider as wrappers around the routines
designed for ENGINEs. This is not the most elegant, but it does the
job.
When an algorithm has an OID, it's included in the OSSL_ALGORITHM name
as an aliase. This is the way to avoid having to register the OIDs in
OpenSSL proper.
test/01-digest.t is modified to test the provider as well.
Richard Levitte [Sat, 13 Feb 2021 13:52:39 +0000 (14:52 +0100)]
Making a gost provider - Add the ciphers
We add the ciphers for the provider as wrappers around the routines
designed for ENGINEs. This is not the most elegant, but it does the
job.
When an algorithm has an OID, it's included in the OSSL_ALGORITHM name
as an aliase. This is the way to avoid having to register the OIDs in
OpenSSL proper.
test/03-encrypt.t is modified to test the provider as well.
Richard Levitte [Mon, 10 May 2021 07:06:04 +0000 (09:06 +0200)]
Making a gost provider - Refactor the testing foundation
This makes space for provider tests.
As a beginning, test/00-provider.t is added. It corresponds to
test/00-engine.t.
All other test/*.t are currently skipped unless the engine is tested.
They will be re-enabled as support for each algorithm type is added in
the provider code.
projects / openssl-gost / engine.git / log