Merge 636b8de5c3 into b8c46cba5f

These are not present in FIPS providers <3.6.0.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28133)

apps/lib/s_cb.c

@@ -68,14 +68,9 @@ int verify_callback(int ok, X509_STORE_CTX *ctx)
     if (!ok) {
         BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
                    X509_verify_cert_error_string(err));
-        if (verify_args.depth < 0 || verify_args.depth >= depth) {
+        if (!verify_args.return_error)
-            if (!verify_args.return_error)
+            ok = 1;
-                ok = 1;
+        verify_args.error = err;
-            verify_args.error = err;
-        } else {
-            ok = 0;
-            verify_args.error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
-        }
     }
     switch (err) {
     case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:

apps/s_client.c

@@ -580,7 +580,7 @@ const OPTIONS s_client_options[] = {
     {"key", OPT_KEY, 's', "Private key file to use; default: -cert file"},
     {"keyform", OPT_KEYFORM, 'E', "Key format (ENGINE, other values ignored)"},
     {"pass", OPT_PASS, 's', "Private key and cert file pass phrase source"},
-    {"verify", OPT_VERIFY, 'p', "Turn on peer certificate verification"},
+    {"verify", OPT_VERIFY, 'N', "Turn on peer certificate verification, set depth"},
     {"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
     {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
     {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
@@ -1090,8 +1090,12 @@ int s_client_main(int argc, char **argv)
             protohost = opt_arg();
             break;
         case OPT_VERIFY:
-            verify = SSL_VERIFY_PEER;
+            /* Alias for -verify_depth int */
             verify_args.depth = atoi(opt_arg());
+            if (verify_args.depth >= 0) {
+                X509_VERIFY_PARAM_set_depth(vpm, verify_args.depth);
+                vpmtouched++;
+            }
             if (!c_quiet)
                 BIO_printf(bio_err, "verify depth is %d\n", verify_args.depth);
             break;

apps/s_time.c

@@ -47,8 +47,8 @@ typedef enum OPTION_choice {
     OPT_CONNECT, OPT_CIPHER, OPT_CIPHERSUITES, OPT_CERT, OPT_NAMEOPT, OPT_KEY,
     OPT_CAPATH, OPT_CAFILE, OPT_CASTORE,
     OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE,
-    OPT_NEW, OPT_REUSE, OPT_BUGS, OPT_VERIFY, OPT_TIME, OPT_SSL3,
+    OPT_NEW, OPT_REUSE, OPT_BUGS, OPT_VERIFY, OPT_VERIFY_RET_ERROR, OPT_TIME,
-    OPT_WWW, OPT_TLS1, OPT_TLS1_1, OPT_TLS1_2, OPT_TLS1_3,
+    OPT_SSL3, OPT_WWW, OPT_TLS1, OPT_TLS1_1, OPT_TLS1_2, OPT_TLS1_3,
     OPT_PROV_ENUM
 } OPTION_CHOICE;
 
@@ -80,8 +80,10 @@ const OPTIONS s_time_options[] = {
 #ifndef OPENSSL_NO_TLS1_3
     {"tls1_3", OPT_TLS1_3, '-', "Just use TLSv1.3"},
 #endif
-    {"verify", OPT_VERIFY, 'p',
+    {"verify", OPT_VERIFY, 'N',
      "Turn on peer certificate verification, set depth"},
+    {"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
+     "Close connection on verification error"},
     {"time", OPT_TIME, 'p', "Seconds to collect data, default " SECONDSSTR},
     {"www", OPT_WWW, 's', "Fetch specified page from the site"},
 
@@ -129,6 +131,8 @@ int s_time_main(int argc, char **argv)
     OPTION_CHOICE o;
     int min_version = 0, max_version = 0, ver, buf_len, fd;
     size_t buf_size;
+    X509_VERIFY_PARAM *vpm = NULL;
+    int verify = SSL_VERIFY_NONE;
 
     meth = TLS_client_method();
 
@@ -155,6 +159,10 @@ int s_time_main(int argc, char **argv)
             break;
         case OPT_VERIFY:
             verify_args.depth = opt_int_arg();
+            if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
+                goto end;
+            if (verify_args.depth >= 0)
+                X509_VERIFY_PARAM_set_depth(vpm, verify_args.depth);
             BIO_printf(bio_err, "%s: verify depth is %d\n",
                        prog, verify_args.depth);
             break;
@@ -186,6 +194,10 @@ int s_time_main(int argc, char **argv)
         case OPT_NOCASTORE:
             noCAstore = 1;
             break;
+        case OPT_VERIFY_RET_ERROR:
+            verify = SSL_VERIFY_PEER;
+            verify_args.return_error = 1;
+            break;
         case OPT_CIPHER:
             cipher = opt_arg();
             break;
@@ -243,6 +255,13 @@ int s_time_main(int argc, char **argv)
     if ((ctx = SSL_CTX_new(meth)) == NULL)
         goto end;
 
+    verify_args.quiet = 1;
+    SSL_CTX_set_verify(ctx, verify, verify_callback);
+    if (vpm != NULL && !SSL_CTX_set1_param(ctx, vpm)) {
+        BIO_printf(bio_err, "Error setting verify params\n");
+        goto end;
+    }
+
     SSL_CTX_set_quiet_shutdown(ctx, 1);
     if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
         goto end;
@@ -404,6 +423,7 @@ int s_time_main(int argc, char **argv)
     ret = 0;
 
  end:
+    X509_VERIFY_PARAM_free(vpm);
     SSL_free(scon);
     SSL_CTX_free(ctx);
     return ret;
@@ -443,12 +463,7 @@ static SSL *doConnection(SSL *scon, const char *host, SSL_CTX *ctx)
     /* ok, lets connect */
     i = SSL_connect(serverCon);
     if (i <= 0) {
-        BIO_printf(bio_err, "ERROR\n");
+        ERR_print_errors(bio_err);
-        if (verify_args.error != X509_V_OK)
-            BIO_printf(bio_err, "verify error:%s\n",
-                       X509_verify_cert_error_string(verify_args.error));
-        else
-            ERR_print_errors(bio_err);
         if (scon == NULL)
             SSL_free(serverCon);
         return NULL;

doc/man1/openssl-s_time.pod.in

@@ -16,6 +16,7 @@ B<openssl> B<s_time>
 [B<-reuse>]
 [B<-new>]
 [B<-verify> I<depth>]
+[B<-verify_return_error>]
 [B<-time> I<seconds>]
 [B<-ssl3>]
 [B<-tls1>]
@@ -73,10 +74,17 @@ be used. The file is in PEM format.
 
 The verify depth to use. This specifies the maximum length of the
 server certificate chain and turns on server certificate verification.
-Currently the verify operation continues after errors so all the problems
+Unless the B<-verify_return_error> option is given,
+the verify operation continues after errors so all the problems
 with a certificate chain can be seen. As a side effect the connection
 will never fail due to a server certificate verify failure.
 
+=item B<-verify_return_error>
+
+Turns on server certificate verification, like with B<-verify>,
+but returns verification errors instead of continuing.
+This will typically abort the handshake with a fatal error.
+
 =item B<-new>
 
 Performs the timing test using a new session ID for each connection.
@@ -184,9 +192,6 @@ Because this program does not have all the options of the
 L<openssl-s_client(1)> program to turn protocols on and off, you may not
 be able to measure the performance of all protocols with all servers.
 
-The B<-verify> option should really exit if the server verification
-fails.
-
 =head1 HISTORY
 
 The B<-cafile> option was deprecated in OpenSSL 3.0.

test/recipes/80-test_cms.t

@@ -43,6 +43,7 @@ my @config = ( );
 my $provname = 'default';
 my $dsaallow = '1';
 my $no_pqc = 0;
+my $no_hkdf_fixed = 0;
 
 my $datadir = srctop_dir("test", "recipes", "80-test_cms_data");
 my $smdir    = srctop_dir("test", "smime-certs");
@@ -68,6 +69,8 @@ unless ($no_fips) {
     $old_fips = 1 if $dsaallow != '0';
     run(test(["fips_version_test", "-config", $provconf, "<3.5.0"]),
         capture => 1, statusvar => \$no_pqc);
+    run(test(["fips_version_test", "-config", $provconf, "<3.6.0"]),
+        capture => 1, statusvar => \$no_hkdf_fixed);
 }
 
 $ENV{OPENSSL_TEST_LIBCTX} = "1";
@@ -1534,7 +1537,7 @@ subtest "ML-KEM KEMRecipientInfo tests for CMS" => sub {
 
     SKIP: {
         skip "ML-KEM is not supported in this build", 5
-            if disabled("ml-kem") || $no_pqc;
+            if disabled("ml-kem") || $no_hkdf_fixed;
 
         ok(run(app(["openssl", "cms", @prov, "-encrypt", "-in", $smcont,
                     "-out", "mlkem512.cms",