src - FreeBSD source tree

diff options


context:
space:
mode:

author	Enji Cooper <ngie@FreeBSD.org>	2025-08-08 19:24:09 +0000
committer	Enji Cooper <ngie@FreeBSD.org>	2025-08-08 19:33:57 +0000
commit	fbc35f82f0eca4571df0d753da74571e01ace763 (patch)
tree	b1140e447e6c40c2bc65e7fc3413664fe98c3666 /crypto
parent	1095efe41feed8ea5a6fe5ca123c347ae0914801 (diff)

vendor/openssl-3.5

Diffstat (limited to 'crypto')

-rw-r--r--

crypto/dh/dh_check.c

-rw-r--r--

crypto/encode_decode/decoder_lib.c

-rw-r--r--

crypto/encode_decode/decoder_pkey.c

-rw-r--r--

crypto/encode_decode/encoder_local.h

-rw-r--r--

crypto/evp/asymcipher.c

-rw-r--r--

crypto/evp/keymgmt_meth.c

-rw-r--r--

crypto/evp/m_sigver.c

-rw-r--r--

crypto/provider_core.c

-rw-r--r--

crypto/rsa/rsa_gen.c

-rw-r--r--

crypto/slh_dsa/slh_hash.c

-rw-r--r--

crypto/sm2/sm2_sign.c

-rw-r--r--

crypto/store/store_lib.c

-rw-r--r--

crypto/x509/x_crl.c

13 files changed, 205 insertions, 39 deletions

diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index ae23f61839ea..2d899dc96f67 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c

@@ -1,5 +1,5 @@

* Licensed under the Apache License 2.0 (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -16,6 +16,7 @@

#include <stdio.h>

#include "internal/cryptlib.h"

#include <openssl/bn.h>

+#include <openssl/self_test.h>

#include "dh_local.h"

#include "crypto/dh.h"

@@ -329,17 +330,27 @@ end:

* FFC pairwise check from SP800-56A R3.

* Section 5.6.2.1.4 Owner Assurance of Pair-wise Consistency

-int ossl_dh_check_pairwise(const DH *dh)

+int ossl_dh_check_pairwise(const DH *dh, int return_on_null_numbers)

{

int ret = 0;

BN_CTX *ctx = NULL;

BIGNUM *pub_key = NULL;

+ OSSL_SELF_TEST *st = NULL;

+ OSSL_CALLBACK *stcb = NULL;

+ void *stcbarg = NULL;

if (dh->params.p == NULL

|| dh->params.g == NULL

|| dh->priv_key == NULL

|| dh->pub_key == NULL)

- return 0;

+ return return_on_null_numbers;

+ OSSL_SELF_TEST_get_callback(dh->libctx, &stcb, &stcbarg);

+ st = OSSL_SELF_TEST_new(stcb, stcbarg);

+ if (st == NULL)

+ goto err;

+ OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT,

+ OSSL_SELF_TEST_DESC_PCT_DH);

ctx = BN_CTX_new_ex(dh->libctx);

if (ctx == NULL)

@@ -351,10 +362,27 @@ int ossl_dh_check_pairwise(const DH *dh)

/* recalculate the public key = (g ^ priv) mod p */

if (!ossl_dh_generate_public_key(ctx, dh, dh->priv_key, pub_key))

goto err;

+#ifdef FIPS_MODULE

+ {

+ int len;

+ unsigned char bytes[1024] = {0}; /* Max key size of 8192 bits */

+ if (BN_num_bytes(pub_key) > (int)sizeof(bytes))

+ goto err;

+ len = BN_bn2bin(pub_key, bytes);

+ OSSL_SELF_TEST_oncorrupt_byte(st, bytes);

+ if (BN_bin2bn(bytes, len, pub_key) == NULL)

+ goto err;

+ }

+#endif

/* check it matches the existing public_key */

ret = BN_cmp(pub_key, dh->pub_key) == 0;

-err:

+ err:

BN_free(pub_key);

BN_CTX_free(ctx);

+ OSSL_SELF_TEST_onend(st, ret);

+ OSSL_SELF_TEST_free(st);

return ret;

}

diff --git a/crypto/encode_decode/decoder_lib.c b/crypto/encode_decode/decoder_lib.c
index ffcf3cde1155..dedfb24e569e 100644
--- a/crypto/encode_decode/decoder_lib.c
+++ b/crypto/encode_decode/decoder_lib.c

@@ -537,6 +537,14 @@ static void collect_extra_decoder(OSSL_DECODER *decoder, void *arg)

}

+static int decoder_sk_cmp(const OSSL_DECODER_INSTANCE *const *a,

+ const OSSL_DECODER_INSTANCE *const *b)

+ if ((*a)->score == (*b)->score)

+ return (*a)->order - (*b)->order;

+ return (*a)->score - (*b)->score;

int OSSL_DECODER_CTX_add_extra(OSSL_DECODER_CTX *ctx,

OSSL_LIB_CTX *libctx, const char *propq)

{

@@ -595,6 +603,26 @@ int OSSL_DECODER_CTX_add_extra(OSSL_DECODER_CTX *ctx,

OSSL_DECODER_do_all_provided(libctx, collect_all_decoders, skdecoders);

numdecoders = sk_OSSL_DECODER_num(skdecoders);

+ /*

+ * If there are provided or default properties, sort the initial decoder list

+ * by property matching score so that the highest scored provider is selected

+ * first.

+ */

+ if (propq != NULL || ossl_ctx_global_properties(libctx, 0) != NULL) {

+ int num_decoder_insts = sk_OSSL_DECODER_INSTANCE_num(ctx->decoder_insts);

+ int i;

+ OSSL_DECODER_INSTANCE *di;

+ sk_OSSL_DECODER_INSTANCE_compfunc old_cmp =

+ sk_OSSL_DECODER_INSTANCE_set_cmp_func(ctx->decoder_insts, decoder_sk_cmp);

+ for (i = 0; i < num_decoder_insts; i++) {

+ di = sk_OSSL_DECODER_INSTANCE_value(ctx->decoder_insts, i);

+ di->order = i;

+ }

+ sk_OSSL_DECODER_INSTANCE_sort(ctx->decoder_insts);

+ sk_OSSL_DECODER_INSTANCE_set_cmp_func(ctx->decoder_insts, old_cmp);

+ }

memset(&data, 0, sizeof(data));

data.ctx = ctx;

data.w_prev_start = 0;

diff --git a/crypto/encode_decode/decoder_pkey.c b/crypto/encode_decode/decoder_pkey.c
index f99566bde744..9fc4e2312331 100644
--- a/crypto/encode_decode/decoder_pkey.c
+++ b/crypto/encode_decode/decoder_pkey.c

@@ -222,15 +222,21 @@ struct collect_data_st {

int total; /* number of matching results */

char error_occurred;

char keytype_resolved;

+ OSSL_PROPERTY_LIST *pq;

STACK_OF(EVP_KEYMGMT) *keymgmts;

};

-static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder,

- void *provctx, struct collect_data_st *data)

+/*

+ * Add decoder instance to the decoder context if it is compatible. Returns 1

+ * if a decoder was added, 0 otherwise.

+ */

+static int collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder,

+ void *provctx, struct collect_data_st *data)

{

void *decoderctx = NULL;

OSSL_DECODER_INSTANCE *di = NULL;

+ const OSSL_PROPERTY_LIST *props;

* We already checked the EVP_KEYMGMT is applicable in check_keymgmt so we

@@ -239,17 +245,17 @@ static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder,

if (keymgmt->name_id != decoder->base.id)

/* Mismatch is not an error, continue. */

- return;

+ return 0;

if ((decoderctx = decoder->newctx(provctx)) == NULL) {

data->error_occurred = 1;

- return;

+ return 0;

}

if ((di = ossl_decoder_instance_new(decoder, decoderctx)) == NULL) {

decoder->freectx(decoderctx);

data->error_occurred = 1;

- return;

+ return 0;

}

@@ -263,7 +269,7 @@ static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder,

|| OPENSSL_strcasecmp(data->ctx->start_input_type, "PEM") != 0)) {

/* Mismatch is not an error, continue. */

ossl_decoder_instance_free(di);

- return;

+ return 0;

}

OSSL_TRACE_BEGIN(DECODER) {

@@ -275,13 +281,30 @@ static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder,

OSSL_DECODER_get0_properties(decoder));

} OSSL_TRACE_END(DECODER);

+ /*

+ * Get the property match score so the decoders can be prioritized later.

+ */

+ props = ossl_decoder_parsed_properties(decoder);

+ if (data->pq != NULL && props != NULL) {

+ di->score = ossl_property_match_count(data->pq, props);

+ /*

+ * Mismatch of mandatory properties is not an error, the decoder is just

+ * ignored, continue.

+ */

+ if (di->score < 0) {

+ ossl_decoder_instance_free(di);

+ return 0;

+ }

if (!ossl_decoder_ctx_add_decoder_inst(data->ctx, di)) {

ossl_decoder_instance_free(di);

data->error_occurred = 1;

- return;

+ return 0;

}

++data->total;

+ return 1;

}

static void collect_decoder(OSSL_DECODER *decoder, void *arg)

@@ -321,7 +344,9 @@ static void collect_decoder(OSSL_DECODER *decoder, void *arg)

for (i = 0; i < end_i; ++i) {

keymgmt = sk_EVP_KEYMGMT_value(keymgmts, i);

- collect_decoder_keymgmt(keymgmt, decoder, provctx, data);

+ /* Only add this decoder once */

+ if (collect_decoder_keymgmt(keymgmt, decoder, provctx, data))

+ break;

if (data->error_occurred)

return;

}

@@ -407,6 +432,8 @@ static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx,

struct decoder_pkey_data_st *process_data = NULL;

struct collect_data_st collect_data = { NULL };

STACK_OF(EVP_KEYMGMT) *keymgmts = NULL;

+ OSSL_PROPERTY_LIST **plp;

+ OSSL_PROPERTY_LIST *pq = NULL, *p2 = NULL;

OSSL_TRACE_BEGIN(DECODER) {

const char *input_type = ctx->start_input_type;

@@ -443,6 +470,25 @@ static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx,

process_data->keymgmts = keymgmts;

+ * Collect passed and default properties to prioritize the decoders.

+ */

+ if (propquery != NULL)

+ p2 = pq = ossl_parse_query(libctx, propquery, 1);

+ plp = ossl_ctx_global_properties(libctx, 0);

+ if (plp != NULL && *plp != NULL) {

+ if (pq == NULL) {

+ pq = *plp;

+ } else {

+ p2 = ossl_property_merge(pq, *plp);

+ ossl_property_free(pq);

+ if (p2 == NULL)

+ goto err;

+ pq = p2;

+ }

+ /*

* Enumerate all keymgmts into a stack.

* We could nest EVP_KEYMGMT_do_all_provided inside

@@ -457,10 +503,11 @@ static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx,

* upfront, as this ensures that the names for all loaded providers have

* been registered by the time we try to resolve the keytype string.

- collect_data.ctx = ctx;

- collect_data.libctx = libctx;

- collect_data.keymgmts = keymgmts;

- collect_data.keytype = keytype;

+ collect_data.ctx = ctx;

+ collect_data.libctx = libctx;

+ collect_data.keymgmts = keymgmts;

+ collect_data.keytype = keytype;

+ collect_data.pq = pq;

EVP_KEYMGMT_do_all_provided(libctx, collect_keymgmt, &collect_data);

if (collect_data.error_occurred)

@@ -496,6 +543,7 @@ static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx,

ok = 1;

err:

decoder_clean_pkey_construct_arg(process_data);

+ ossl_property_free(p2);

return ok;

}

diff --git a/crypto/encode_decode/encoder_local.h b/crypto/encode_decode/encoder_local.h
index a2846d309ea8..11e52cfeec75 100644
--- a/crypto/encode_decode/encoder_local.h
+++ b/crypto/encode_decode/encoder_local.h

@@ -109,6 +109,8 @@ struct ossl_decoder_instance_st {

const char *input_type; /* Never NULL */

const char *input_structure; /* May be NULL */

int input_type_id;

+ int order; /* For stable ordering of decoders wrt proqs */

+ int score; /* For ordering decoders wrt proqs */

unsigned int flag_input_structure_was_set : 1;

};

diff --git a/crypto/evp/asymcipher.c b/crypto/evp/asymcipher.c
index 975170c0aa09..c97ce338fdf8 100644
--- a/crypto/evp/asymcipher.c
+++ b/crypto/evp/asymcipher.c

@@ -261,10 +261,12 @@ int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx,

cipher = ctx->op.ciph.cipher;

desc = cipher->description != NULL ? cipher->description : "";

+ ERR_set_mark();

ret = cipher->encrypt(ctx->op.ciph.algctx, out, outlen, (out == NULL ? 0 : *outlen), in, inlen);

- if (ret <= 0)

+ if (ret <= 0 && ERR_count_to_mark() == 0)

ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_ASYM_CIPHER_FAILURE,

"%s encrypt:%s", cipher->type_name, desc);

+ ERR_clear_last_mark();

return ret;

legacy:

@@ -309,10 +311,12 @@ int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx,

cipher = ctx->op.ciph.cipher;

desc = cipher->description != NULL ? cipher->description : "";

+ ERR_set_mark();

ret = cipher->decrypt(ctx->op.ciph.algctx, out, outlen, (out == NULL ? 0 : *outlen), in, inlen);

- if (ret <= 0)

+ if (ret <= 0 && ERR_count_to_mark() == 0)

ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_ASYM_CIPHER_FAILURE,

"%s decrypt:%s", cipher->type_name, desc);

+ ERR_clear_last_mark();

return ret;

diff --git a/crypto/evp/keymgmt_meth.c b/crypto/evp/keymgmt_meth.c
index f54684852b7c..f57153b2c1a1 100644
--- a/crypto/evp/keymgmt_meth.c
+++ b/crypto/evp/keymgmt_meth.c

@@ -460,10 +460,12 @@ void *evp_keymgmt_gen(const EVP_KEYMGMT *keymgmt, void *genctx,

return NULL;

}

+ ERR_set_mark();

ret = keymgmt->gen(genctx, cb, cbarg);

- if (ret == NULL)

+ if (ret == NULL && ERR_count_to_mark() == 0)

ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_KEYMGMT_FAILURE,

"%s key generation:%s", keymgmt->type_name, desc);

+ ERR_clear_last_mark();

return ret;

}

diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index d5df497da770..c27ed6dbe9b2 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c

@@ -426,10 +426,12 @@ int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)

return 0;

}

+ ERR_set_mark();

ret = signature->digest_sign_update(pctx->op.sig.algctx, data, dsize);

- if (ret <= 0)

+ if (ret <= 0 && ERR_count_to_mark() == 0)

ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,

"%s digest_sign_update:%s", signature->type_name, desc);

+ ERR_clear_last_mark();

return ret;

legacy:

@@ -470,10 +472,12 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)

return 0;

}

+ ERR_set_mark();

ret = signature->digest_verify_update(pctx->op.sig.algctx, data, dsize);

- if (ret <= 0)

+ if (ret <= 0 && ERR_count_to_mark() == 0)

ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,

"%s digest_verify_update:%s", signature->type_name, desc);

+ ERR_clear_last_mark();

return ret;

legacy:

@@ -523,11 +527,13 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,

pctx = dctx;

}

+ ERR_set_mark();

r = signature->digest_sign_final(pctx->op.sig.algctx, sigret, siglen,

sigret == NULL ? 0 : *siglen);

- if (!r)

+ if (!r && ERR_count_to_mark() == 0)

ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,

"%s digest_sign_final:%s", signature->type_name, desc);

+ ERR_clear_last_mark();

if (dctx == NULL && sigret != NULL)

ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;

else

@@ -634,11 +640,13 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,

if (sigret != NULL)

ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;

+ ERR_set_mark();

ret = signature->digest_sign(pctx->op.sig.algctx, sigret, siglen,

sigret == NULL ? 0 : *siglen, tbs, tbslen);

- if (ret <= 0)

+ if (ret <= 0 && ERR_count_to_mark() == 0)

ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,

"%s digest_sign:%s", signature->type_name, desc);

+ ERR_clear_last_mark();

return ret;

}

} else {

@@ -689,10 +697,12 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,

pctx = dctx;

}

+ ERR_set_mark();

r = signature->digest_verify_final(pctx->op.sig.algctx, sig, siglen);

- if (!r)

+ if (!r && ERR_count_to_mark() == 0)

ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,

"%s digest_verify_final:%s", signature->type_name, desc);

+ ERR_clear_last_mark();

if (dctx == NULL)

ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;

else

@@ -765,10 +775,12 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,

int ret;

ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;

+ ERR_set_mark();

ret = signature->digest_verify(pctx->op.sig.algctx, sigret, siglen, tbs, tbslen);

- if (ret <= 0)

+ if (ret <= 0 && ERR_count_to_mark() == 0)

ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,

"%s digest_verify:%s", signature->type_name, desc);

+ ERR_clear_last_mark();

return ret;

}

} else {

diff --git a/crypto/provider_core.c b/crypto/provider_core.c
index 0b675946485c..ce5cf36eef9d 100644
--- a/crypto/provider_core.c
+++ b/crypto/provider_core.c

@@ -2419,6 +2419,11 @@ static int core_pop_error_to_mark(const OSSL_CORE_HANDLE *handle)

return ERR_pop_to_mark();

}

+static int core_count_to_mark(const OSSL_CORE_HANDLE *handle)

+ return ERR_count_to_mark();

static void core_indicator_get_callback(OPENSSL_CORE_CTX *libctx,

OSSL_INDICATOR_CALLBACK **cb)

{

@@ -2600,6 +2605,7 @@ static const OSSL_DISPATCH core_dispatch_[] = {

{ OSSL_FUNC_CORE_CLEAR_LAST_ERROR_MARK,

(void (*)(void))core_clear_last_error_mark },

{ OSSL_FUNC_CORE_POP_ERROR_TO_MARK, (void (*)(void))core_pop_error_to_mark },

+ { OSSL_FUNC_CORE_COUNT_TO_MARK, (void (*)(void))core_count_to_mark },

{ OSSL_FUNC_BIO_NEW_FILE, (void (*)(void))ossl_core_bio_new_file },

{ OSSL_FUNC_BIO_NEW_MEMBUF, (void (*)(void))ossl_core_bio_new_mem_buf },

{ OSSL_FUNC_BIO_READ_EX, (void (*)(void))ossl_core_bio_read_ex },

diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index f76bb7748369..32084a822cac 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c

@@ -734,3 +734,18 @@ err:

return ret;

}

+#ifdef FIPS_MODULE

+int ossl_rsa_key_pairwise_test(RSA *rsa)

+ OSSL_CALLBACK *stcb;

+ void *stcbarg;

+ int res;

+ OSSL_SELF_TEST_get_callback(rsa->libctx, &stcb, &stcbarg);

+ res = rsa_keygen_pairwise_test(rsa, stcb, stcbarg);

+ if (res <= 0)

+ ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);

+ return res;

+#endif /* FIPS_MODULE */

diff --git a/crypto/slh_dsa/slh_hash.c b/crypto/slh_dsa/slh_hash.c
index 6a8d6bab03c1..8eb8ab4e8604 100644
--- a/crypto/slh_dsa/slh_hash.c
+++ b/crypto/slh_dsa/slh_hash.c

@@ -158,6 +158,9 @@ slh_hmsg_sha2(SLH_DSA_HASH_CTX *hctx, const uint8_t *r, const uint8_t *pk_seed,

int sz = EVP_MD_get_size(hctx->key->md_big);

size_t seed_len = (size_t)sz + 2 * n;

+ if (sz <= 0)

+ return 0;

memcpy(seed, r, n);

memcpy(seed + n, pk_seed, n);

return digest_4(hctx->md_big_ctx, r, n, pk_seed, n, pk_root, n, msg, msg_len,

diff --git a/crypto/sm2/sm2_sign.c b/crypto/sm2/sm2_sign.c
index 28cf95cc48c9..7c49128b47db 100644
--- a/crypto/sm2/sm2_sign.c
+++ b/crypto/sm2/sm2_sign.c

@@ -1,5 +1,5 @@

* Ported from Ribose contributions from Botan.

@@ -220,6 +220,10 @@ static ECDSA_SIG *sm2_sig_gen(const EC_KEY *key, const BIGNUM *e)

BIGNUM *tmp = NULL;

OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key);

+ if (dA == NULL) {

+ ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_PRIVATE_KEY);

+ goto done;

+ }

kG = EC_POINT_new(group);

if (kG == NULL) {

ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB);

diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c
index 505d606f4a9b..ebf170c3e8f1 100644
--- a/crypto/store/store_lib.c
+++ b/crypto/store/store_lib.c

@@ -428,12 +428,6 @@ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx)

if (ctx->loader != NULL)

OSSL_TRACE(STORE, "Loading next object\n");

- if (ctx->cached_info != NULL

- && sk_OSSL_STORE_INFO_num(ctx->cached_info) == 0) {

- sk_OSSL_STORE_INFO_free(ctx->cached_info);

- ctx->cached_info = NULL;

- }

if (ctx->cached_info != NULL) {

v = sk_OSSL_STORE_INFO_shift(ctx->cached_info);

} else {

@@ -556,14 +550,23 @@ int OSSL_STORE_error(OSSL_STORE_CTX *ctx)

int OSSL_STORE_eof(OSSL_STORE_CTX *ctx)

{

- int ret = 1;

+ int ret = 0;

- if (ctx->fetched_loader != NULL)

- ret = ctx->loader->p_eof(ctx->loader_ctx);

+ if (ctx->cached_info != NULL

+ && sk_OSSL_STORE_INFO_num(ctx->cached_info) == 0) {

+ sk_OSSL_STORE_INFO_free(ctx->cached_info);

+ ctx->cached_info = NULL;

+ }

+ if (ctx->cached_info == NULL) {

+ ret = 1;

+ if (ctx->fetched_loader != NULL)

+ ret = ctx->loader->p_eof(ctx->loader_ctx);

#ifndef OPENSSL_NO_DEPRECATED_3_0

- if (ctx->fetched_loader == NULL)

- ret = ctx->loader->eof(ctx->loader_ctx);

+ if (ctx->fetched_loader == NULL)

+ ret = ctx->loader->eof(ctx->loader_ctx);

#endif

+ }

return ret != 0;

}

diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index 2601a019f87e..7af3e9a7e7f2 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c

@@ -1,5 +1,5 @@

* Licensed under the Apache License 2.0 (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -289,6 +289,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,

static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp)

{

int idp_only = 0;

+ int ret = 0;

/* Set various flags according to IDP */

crl->idp_flags |= IDP_PRESENT;

@@ -320,7 +321,17 @@ static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp)

crl->idp_reasons &= CRLDP_ALL_REASONS;

}

- return DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl));

+ ret = DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl));

+ /*

+ * RFC5280 specifies that if onlyContainsUserCerts, onlyContainsCACerts,

+ * indirectCRL, and OnlyContainsAttributeCerts are all FALSE, there must

+ * be either a distributionPoint field or an onlySomeReasons field present.

+ */

+ if (crl->idp_flags == IDP_PRESENT && idp->distpoint == NULL)

+ crl->idp_flags |= IDP_INVALID;

+ return ret;

}

ASN1_SEQUENCE_ref(X509_CRL, crl_cb) = {