Build failed: openssl master.34325
Build openssl master.34325 failed Commit 9c9d1051c6 by Nicola Tuveri on 5/22/2020 4:50 PM: Fix coverity issues in EC after #11807 Configure your notification preferences
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-sock
Platform and configuration command: $ uname -a Linux run 4.15.0-54-generic #58-Ubuntu SMP Mon Jun 24 10:55:24 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-sock Commit log since last time: e1c6f76281 There is no -signreq option in CA.pl b84439b06a STORE: Make try_decode_PrivateKey() ENGINE aware e637d47c91 rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx(): fix check of |md| a30027b680 Refactor the provider side DER constants and writers c2f2db9b6f deprecate EC_POINT_make_affine and EC_POINTs_make_affine 7486c718e5 t1_trce: Fix remaining places where the 24 bit shift overflow happens 1d05eb55ca Avoid potential overflow to the sign bit when shifting left 24 places cbeb0bfa96 Cast the unsigned char to unsigned int before shifting left ddec332f32 Fix egd and devrandom source configs a7ad40c502 Add OSSL_PROVIDER_do_all() Build log ended with (last 100 lines):
Build completed: openssl master.34322
Build openssl master.34322 completed Commit 294d7ceab1 by Rich Salz on 5/22/2020 3:21 PM: Fix auto-gen names
Build failed: openssl master.34321
Build openssl master.34321 failed Commit d933dcc40f by Matt Caswell on 5/22/2020 3:05 PM: fixup! Make EVP_PKEY_[get1|set1]_tls_encodedpoint work with provided keys
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-posix-io
Platform and configuration command: $ uname -a Linux run 4.15.0-54-generic #58-Ubuntu SMP Mon Jun 24 10:55:24 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-posix-io Commit log since last time: e1c6f76281 There is no -signreq option in CA.pl b84439b06a STORE: Make try_decode_PrivateKey() ENGINE aware e637d47c91 rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx(): fix check of |md| a30027b680 Refactor the provider side DER constants and writers c2f2db9b6f deprecate EC_POINT_make_affine and EC_POINTs_make_affine 7486c718e5 t1_trce: Fix remaining places where the 24 bit shift overflow happens 1d05eb55ca Avoid potential overflow to the sign bit when shifting left 24 places cbeb0bfa96 Cast the unsigned char to unsigned int before shifting left ddec332f32 Fix egd and devrandom source configs a7ad40c502 Add OSSL_PROVIDER_do_all() Build log ended with (last 100 lines):
Build failed: openssl master.34304
Build openssl master.34304 failed Commit b4194930ba by Pauli on 5/22/2020 9:26 AM: fixup! rand: libcrypto.num update
Passed: openssl/openssl#34871 (master - 2de6466)
Build Update for openssl/openssl - Build: #34871 Status: Passed Duration: 39 mins and 54 secs Commit: 2de6466 (master) Author: Nicola Tuveri Message: Adjust length of some strncpy() calls This fixes warnings detected by -Wstringop-truncation. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/11878) View the changeset: https://github.com/openssl/openssl/compare/e12813d0d31f...2de64666a07c View the full build log and details: https://travis-ci.org/github/openssl/openssl/builds/690033582?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
Passed: openssl/openssl#34867 (master - e12813d)
Build Update for openssl/openssl - Build: #34867 Status: Passed Duration: 56 mins and 57 secs Commit: e12813d (master) Author: Tomas Mraz Message: Prevent use after free of global_engine_lock If buggy application calls engine functions after cleanup of engines already happened the global_engine_lock will be used although already freed. See for example: https://bugzilla.redhat.com/show_bug.cgi?id=1831086 Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/11896) View the changeset: https://github.com/openssl/openssl/compare/4d55122ee782...e12813d0d31f View the full build log and details: https://travis-ci.org/github/openssl/openssl/builds/690017717?utm_medium=notification&utm_source=email
[openssl] master update
The branch master has been updated via 2de64666a07cccf8477e6483de62ae31f463df64 (commit) from e12813d0d31f4f7be2ccc592d382ef3e94bdb842 (commit) - Log - commit 2de64666a07cccf8477e6483de62ae31f463df64 Author: Nicola Tuveri Date: Tue May 19 19:36:44 2020 +0200 Adjust length of some strncpy() calls This fixes warnings detected by -Wstringop-truncation. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/11878) --- Summary of changes: crypto/x509/v3_alt.c | 2 +- providers/implementations/signature/rsa.c | 34 ++- 2 files changed, 30 insertions(+), 6 deletions(-) diff --git a/crypto/x509/v3_alt.c b/crypto/x509/v3_alt.c index 5fece4f985..dd45546f6c 100644 --- a/crypto/x509/v3_alt.c +++ b/crypto/x509/v3_alt.c @@ -128,7 +128,7 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, BIO_snprintf(othername, sizeof(othername), "othername: %s:", oline); else -strncpy(othername, "othername:", sizeof(othername)); +OPENSSL_strlcpy(othername, "othername:", sizeof(othername)); /* check if the value is something printable */ if (gen->d.otherName->value->type == V_ASN1_IA5STRING) { diff --git a/providers/implementations/signature/rsa.c b/providers/implementations/signature/rsa.c index 6f62c2b648..0e3885ec1d 100644 --- a/providers/implementations/signature/rsa.c +++ b/providers/implementations/signature/rsa.c 
@@ -227,17 +227,22 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); int md_nid = rsa_get_md_nid(md); WPACKET pkt; +size_t mdname_len = strlen(mdname); if (md == NULL || md_nid == NID_undef || !rsa_check_padding(md_nid, ctx->pad_mode) -|| !rsa_check_parameters(md, ctx)) { +|| !rsa_check_parameters(md, ctx) +|| mdname_len >= sizeof(ctx->mdname)) { if (md == NULL) ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, "%s could not be fetched", mdname); if (md_nid == NID_undef) ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, "digest=%s", mdname); +if (mdname_len >= sizeof(ctx->mdname)) +ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, + "%s exceeds name buffer length", mdname); EVP_MD_free(md); return 0; } @@ -274,6 +279,8 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname, const char *mdprops) { +size_t len; + if (mdprops == NULL) mdprops = ctx->propq; @@ -285,7 +292,12 @@ static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname, "%s could not be fetched", mdname); return 0; } -OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); +len = OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname)); +if (len >= sizeof(ctx->mgf1_mdname)) { +ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, + "%s exceeds name buffer length", mdname); +return 0; +} return 1; } @@ -321,6 +333,7 @@ static int rsa_signature_init(void *vprsactx, void *vrsa, int operation) int mgf1md_nid = rsa_pss_params_30_maskgenhashalg(pss); int min_saltlen = rsa_pss_params_30_saltlen(pss); const char *mdname, *mgf1mdname; +size_t len; mdname = rsa_oaeppss_nid2name(md_nid); mgf1mdname = rsa_oaeppss_nid2name(mgf1md_nid); 
@@ -337,9 +350,20 @@ static int rsa_signature_init(void *vprsactx, void *vrsa, int operation) return 0; } -strncpy(prsactx->mdname, mdname, sizeof(prsactx->mdname)); -strncpy(prsactx->mgf1_mdname, mgf1mdname, -sizeof(prsactx->mgf1_mdname)); +len = OPENSSL_strlcpy(prsactx->mdname, mdname, + sizeof(prsactx->mdname)); +if (len >= sizeof(prsactx->mdname)) { +ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST, + "hash algorithm name too long"); +return 0; +} +len = OPENSSL_strlcpy(prsactx->mgf1_mdname, mgf1mdname, + sizeof(prsactx->mgf1_mdname)); +if (len >= sizeof(prsactx->
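Review bot: In rsa_setup_md(), the new initializer `size_t mdname_len = strlen(mdname);` dereferences mdname before any of the function's checks run, and the visible context has no NULL guard on it. If a caller can reach this with mdname == NULL, compute the length after a NULL check. The three `if` blocks in the failure branch are also independent, so an over-long name that fails to fetch queues two PROV_R_INVALID_DIGEST entries; an else-if chain would report a single cause.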
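Review bot: In rsa_setup_mgf1_md(), the length check runs after OPENSSL_strlcpy() has already written to ctx->mgf1_mdname, so the `return 0` path leaves a truncated digest name in the context. rsa_setup_md() in the same patch tests `mdname_len >= sizeof(ctx->mdname)` up front in its validation block; doing the same here, or clearing the buffer on failure, keeps a failed call from changing the context.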
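Review bot: In the rsa_signature_init() hunk, the failure message is the fixed string "hash algorithm name too long", while the other two hunks in rsa.c report "%s exceeds name buffer length" with the name. Using the same format here would tell the caller whether mdname or mgf1mdname was rejected. As in rsa_setup_mgf1_md(), prsactx->mdname has already been overwritten with the truncated copy by the time 0 is returned.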
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via e512efe0894481679a5d3c57d10bf4ea97046c2a (commit) from 2f4023e88962d3375ff30ad5011a310dacf0ad3f (commit) - Log - commit e512efe0894481679a5d3c57d10bf4ea97046c2a Author: Tomas Mraz Date: Thu May 21 13:16:57 2020 +0200 Prevent use after free of global_engine_lock If buggy application calls engine functions after cleanup of engines already happened the global_engine_lock will be used although already freed. See for example: https://bugzilla.redhat.com/show_bug.cgi?id=1831086 Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/11896) (cherry picked from commit e12813d0d31f4f7be2ccc592d382ef3e94bdb842) --- Summary of changes: crypto/engine/eng_lib.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/engine/eng_lib.c b/crypto/engine/eng_lib.c index b851ff6957..dd87ebaca7 100644 --- a/crypto/engine/eng_lib.c +++ b/crypto/engine/eng_lib.c @@ -171,6 +171,7 @@ void engine_cleanup_int(void) cleanup_stack = NULL; } CRYPTO_THREAD_lock_free(global_engine_lock); +global_engine_lock = NULL; } /* Now the "ex_data" support */
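Review bot: The added `global_engine_lock = NULL;` in engine_cleanup_int() turns a late use of the freed lock into a use of a NULL lock, which is only safe if every function that takes global_engine_lock checks for NULL or checks the return value of the lock call. None of those call sites are in this hunk; it would help to confirm (or add) those checks in the same change, since the commit message says applications do call engine functions after cleanup.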
[openssl] master update
The branch master has been updated via e12813d0d31f4f7be2ccc592d382ef3e94bdb842 (commit) from 4d55122ee782ebd306ef492f50c9b41e41a56244 (commit) - Log - commit e12813d0d31f4f7be2ccc592d382ef3e94bdb842 Author: Tomas Mraz Date: Thu May 21 13:16:57 2020 +0200 Prevent use after free of global_engine_lock If buggy application calls engine functions after cleanup of engines already happened the global_engine_lock will be used although already freed. See for example: https://bugzilla.redhat.com/show_bug.cgi?id=1831086 Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/11896) --- Summary of changes: crypto/engine/eng_lib.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/engine/eng_lib.c b/crypto/engine/eng_lib.c index 4ba235ca75..0cdb3fde42 100644 --- a/crypto/engine/eng_lib.c +++ b/crypto/engine/eng_lib.c @@ -171,6 +171,7 @@ void engine_cleanup_int(void) cleanup_stack = NULL; } CRYPTO_THREAD_lock_free(global_engine_lock); +global_engine_lock = NULL; } /* Now the "ex_data" support */
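Review bot: The summary shows 1 file changed, 1 insertion, so the call-after-cleanup case from the commit message has no regression test. A test that runs engine cleanup and then calls an engine function would pin the intended behaviour, and a one-line comment next to `global_engine_lock = NULL;` saying why the pointer is reset would keep it from being removed later as redundant.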
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 2f4023e88962d3375ff30ad5011a310dacf0ad3f (commit) from 176eb406691f14d560cf7619365830a4d033ee28 (commit) - Log - commit 2f4023e88962d3375ff30ad5011a310dacf0ad3f Author: Richard Levitte Date: Tue May 19 15:42:07 2020 +0200 STORE: Make try_decode_PrivateKey() ENGINE aware This function only considered the built-in and application EVP_PKEY_ASN1_METHODs, and is now amended with a loop that goes through all loaded engines, using whatever table of methods they each have. Fixes #11861 (cherry picked from commit b84439b06a1b9a7bfb47e230b70a6d3ee46e8a19) Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/11887) --- Summary of changes: crypto/store/loader_file.c | 36 1 file changed, 36 insertions(+) diff --git a/crypto/store/loader_file.c b/crypto/store/loader_file.c index 8f1d20e74a..e473751539 100644 --- a/crypto/store/loader_file.c +++ b/crypto/store/loader_file.c @@ -429,6 +429,42 @@ static OSSL_STORE_INFO *try_decode_PrivateKey(const char *pem_name, } } else { int i; +#ifndef OPENSSL_NO_ENGINE +ENGINE *curengine = ENGINE_get_first(); + +while (curengine != NULL) { +ENGINE_PKEY_ASN1_METHS_PTR asn1meths = +ENGINE_get_pkey_asn1_meths(curengine); + +if (asn1meths != NULL) { +const int *nids = NULL; +int nids_n = asn1meths(curengine, NULL, &nids, 0); + +for (i = 0; i < nids_n; i++) { +EVP_PKEY_ASN1_METHOD *ameth2 = NULL; +EVP_PKEY *tmp_pkey = NULL; +const unsigned char *tmp_blob = blob; + +if (!asn1meths(curengine, &ameth2, NULL, nids[i])) +continue; +if (ameth2 == NULL +|| ameth2->pkey_flags & ASN1_PKEY_ALIAS) +continue; + +tmp_pkey = d2i_PrivateKey(ameth2->pkey_id, NULL, + &tmp_blob, len); +if (tmp_pkey != NULL) { +if (pkey != NULL) +EVP_PKEY_free(tmp_pkey); +else +pkey = tmp_pkey; +(*matchcount)++; +} +} +} +curengine = ENGINE_get_next(curengine); +} +#endif for (i = 0; i < EVP_PKEY_asn1_get_count(); i++) { EVP_PKEY *tmp_pkey = NULL;
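Review bot: In the new engine loop of try_decode_PrivateKey(), every d2i_PrivateKey() attempt that does not match leaves its entries on the error queue, and nothing in the added lines marks or clears them, so a decode that succeeds with a later method can return with stale errors queued. Consider bracketing the trial decodes with ERR_set_mark() and ERR_pop_to_mark(). The return value of `asn1meths(curengine, NULL, &nids, 0)` is used directly as the loop bound while nids starts as NULL, so it is worth stating in a comment that a non-positive count is the only case in which nids stays unset.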
Errored: openssl/openssl#34850 (master - 4d55122)
Build Update for openssl/openssl - Build: #34850 Status: Errored Duration: 48 mins and 26 secs Commit: 4d55122 (master) Author: Pauli Message: Coverity 1463571: Null pointer dereferences (FORWARD_NULL) Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/11892) View the changeset: https://github.com/openssl/openssl/compare/e1c6f7628147...4d55122ee782 View the full build log and details: https://travis-ci.org/github/openssl/openssl/builds/689937107?utm_medium=notification&utm_source=email
Passed: openssl/openssl#34806 (OpenSSL_1_1_1-stable - 5f10fce)
Build Update for openssl/openssl - Build: #34806 Status: Passed Duration: 5 mins and 49 secs Commit: 5f10fce (OpenSSL_1_1_1-stable) Author: Bernd Edlinger Message: Fix egd and devrandom source configs ./config --with-rand-seed=egd need to defines OPENSSL_RAND_SEED_EGD and OPENSSL_NO_EGD so get rid of OPENSSL_NO_EGD (compiles but I did not really test EGD) ./config --with-rand-seed=devrandom does not work since wait_random_seeded works under the assumption that OPENSSL_RAND_SEED_GETRANDOM is supposed to be enabled as well, that is usually the case, but not when only devrandom is enabled. Skip the wait code in this special case. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/11848) (cherry picked from commit ddec332f329a432a45c0131d83f3bfb46114532b) View the changeset: https://github.com/openssl/openssl/compare/de5e2cb54169...5f10fce37b23 View the full build log and details: https://travis-ci.org/github/openssl/openssl/builds/689225945?utm_medium=notification&utm_source=email
[openssl] master update
The branch master has been updated via 4d55122ee782ebd306ef492f50c9b41e41a56244 (commit) via 3f17066f5d3bf48d33a8481bd7a7cfdcc00ace97 (commit) via e5cb3453fba01c264636d54440ca0eb81d1fcd6e (commit) via 084b7bec0f615f70c108dfba988ed43d544e00ed (commit) from e1c6f76281473b8fe66954187e793108a0e8568c (commit) - Log - commit 4d55122ee782ebd306ef492f50c9b41e41a56244 Author: Pauli Date: Thu May 21 13:44:01 2020 +1000 Coverity 1463571: Null pointer dereferences (FORWARD_NULL) Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/11892) commit 3f17066f5d3bf48d33a8481bd7a7cfdcc00ace97 Author: Pauli Date: Thu May 21 13:40:01 2020 +1000 Coverity 1463574: Null pointer dereferences (REVERSE_INULL) Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/11892) commit e5cb3453fba01c264636d54440ca0eb81d1fcd6e Author: Pauli Date: Thu May 21 13:38:35 2020 +1000 Coverity 1463576: Error handling issues (CHECKED_RETURN) Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/11892) commit 084b7bec0f615f70c108dfba988ed43d544e00ed Author: Pauli Date: Thu May 21 13:18:42 2020 +1000 Coverity 1463258: Incorrect expression (EVALUATION_ORDER) Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/11892) --- Summary of changes: crypto/x509/v3_ncons.c | 2 +- providers/implementations/keymgmt/rsa_kmgmt.c | 8 +--- providers/implementations/serializers/serializer_rsa.c | 4 ++-- 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/crypto/x509/v3_ncons.c b/crypto/x509/v3_ncons.c index d7b82b775e..4543ec2e11 100644 --- a/crypto/x509/v3_ncons.c +++ b/crypto/x509/v3_ncons.c 
@@ -197,7 +197,7 @@ static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip) int len2 = ip->length - len1; char *ip1 = ipaddr_to_asc(ip->data, len1); char *ip2 = ipaddr_to_asc(ip->data + len1, len2); -int ret = ret = ip1 != NULL && ip2 != NULL +int ret = ip1 != NULL && ip2 != NULL && BIO_printf(bp, "IP:%s/%s", ip1, ip2) > 0; OPENSSL_free(ip1); diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c index 295cdf61a4..3091c1dee0 100644 --- a/providers/implementations/keymgmt/rsa_kmgmt.c +++ b/providers/implementations/keymgmt/rsa_kmgmt.c @@ -411,8 +411,8 @@ static void *gen_init(void *provctx, int selection, int rsa_type) } else { gctx->nbits = 2048; gctx->primes = RSA_DEFAULT_PRIME_NUM; +gctx->rsa_type = rsa_type; } -gctx->rsa_type = rsa_type; } return gctx; } @@ -496,6 +496,9 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) RSA *rsa = NULL, *rsa_tmp = NULL; BN_GENCB *gencb = NULL; +if (gctx == NULL) +return NULL; + switch (gctx->rsa_type) { case RSA_FLAG_TYPE_RSA: /* For plain RSA keys, PSS parameters must not be set */ @@ -513,8 +516,7 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) return NULL; } -if (gctx == NULL -|| (rsa_tmp = rsa_new_with_ctx(gctx->libctx)) == NULL) +if ((rsa_tmp = rsa_new_with_ctx(gctx->libctx)) == NULL) return NULL; gctx->cb = osslcb; diff --git a/providers/implementations/serializers/serializer_rsa.c b/providers/implementations/serializers/serializer_rsa.c index ac685a09f2..7cc6027636 100644 --- a/providers/implementations/serializers/serializer_rsa.c +++ b/providers/implementations/serializers/serializer_rsa.c @@ -215,9 +215,9 @@ int ossl_prov_prepare_rsa_params(const void *rsa, int nid, break; } if (!DER_w_RSASSA_PSS_params(&pkt, -1, pss) -|| !WPACKET_finish(&pkt)) +|| !WPACKET_finish(&pkt) +|| !WPACKET_get_total_written(&pkt, &str_sz)) goto err; -WPACKET_get_total_written(&pkt, &str_sz); WPACKET_cleanup(&pkt); /*
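Review bot: In ossl_prov_prepare_rsa_params(), the only WPACKET_cleanup(&pkt) visible in the hunk is on the success path, and the condition now has a third way to reach `goto err`, this one after WPACKET_finish() has already succeeded. Check that the err label releases pkt and its backing buffer in that case as well.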
Still Failing: openssl/openssl#34801 (master - a7ad40c)
Build Update for openssl/openssl - Build: #34801 Status: Still Failing Duration: 45 mins and 1 sec Commit: a7ad40c (master) Author: Richard Levitte Message: Add OSSL_PROVIDER_do_all() This allows applications to iterate over all loaded providers. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/11858) View the changeset: https://github.com/openssl/openssl/compare/b2a5001d954e...a7ad40c502d3 View the full build log and details: https://travis-ci.org/github/openssl/openssl/builds/689170485?utm_medium=notification&utm_source=email
Passed: openssl/openssl#34808 (master - 7486c71)
Build Update for openssl/openssl - Build: #34808 Status: Passed Duration: 45 mins and 14 secs Commit: 7486c71 (master) Author: Tomas Mraz Message: t1_trce: Fix remaining places where the 24 bit shift overflow happens [extended tests] Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/11857) View the changeset: https://github.com/openssl/openssl/compare/ddec332f329a...7486c718e54c View the full build log and details: https://travis-ci.org/github/openssl/openssl/builds/689299430?utm_medium=notification&utm_source=email
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 176eb406691f14d560cf7619365830a4d033ee28 (commit) from cf94e8430f3cd7c17f62b74443d16347b4b97ac8 (commit) - Log - commit 176eb406691f14d560cf7619365830a4d033ee28 Author: Richard Levitte Date: Mon May 11 09:14:11 2020 +0200 Fix d2i_PrivateKey() to work as documented d2i_PrivateKey() is documented to return keys of the type given as first argument |type|, unconditionally. Most specifically, the manual says this: > An error occurs if the decoded key does not match type. However, when faced of a PKCS#8 wrapped key, |type| was ignored, which may lead to unexpected results. (cherry picked from commit b2952366dd0248bf35c83e1736cd203033a22378) Reviewed-by: Paul Dale Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/11888) --- Summary of changes: crypto/asn1/d2i_pr.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c index 6ec0107380..ac1a8c429a 100644 --- a/crypto/asn1/d2i_pr.c +++ b/crypto/asn1/d2i_pr.c @@ -56,6 +56,8 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, goto err; EVP_PKEY_free(ret); ret = tmp; +if (EVP_PKEY_type(type) != EVP_PKEY_base_id(ret)) +goto err; } else { ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB); goto err;
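Review bot: The new type check in d2i_PrivateKey() jumps to err without raising an error of its own, whereas the else branch directly below calls ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB) before its `goto err`. A caller that gets NULL for a PKCS#8 key of the wrong type then has nothing at that point to explain the failure; raise an error before the jump. The summary also lists only crypto/asn1/d2i_pr.c, so the documented mismatch behaviour has no test.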
Errored: openssl/openssl#34834 (master - e1c6f76)
Build Update for openssl/openssl - Build: #34834 Status: Errored Duration: 30 mins and 30 secs Commit: e1c6f76 (master) Author: mettacrawler Message: There is no -signreq option in CA.pl CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/11876) View the changeset: https://github.com/openssl/openssl/compare/b84439b06a1b...e1c6f7628147 View the full build log and details: https://travis-ci.org/github/openssl/openssl/builds/689606818?utm_medium=notification&utm_source=email
Errored: openssl/openssl#34805 (master - ddec332)
Build Update for openssl/openssl - Build: #34805 Status: Errored Duration: 53 mins and 20 secs Commit: ddec332 (master) Author: Bernd Edlinger Message: Fix egd and devrandom source configs ./config --with-rand-seed=egd need to defines OPENSSL_RAND_SEED_EGD and OPENSSL_NO_EGD so get rid of OPENSSL_NO_EGD (compiles but I did not really test EGD) ./config --with-rand-seed=devrandom does not work since wait_random_seeded works under the assumption that OPENSSL_RAND_SEED_GETRANDOM is supposed to be enabled as well, that is usually the case, but not when only devrandom is enabled. Skip the wait code in this special case. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/11848) View the changeset: https://github.com/openssl/openssl/compare/a7ad40c502d3...ddec332f329a View the full build log and details: https://travis-ci.org/github/openssl/openssl/builds/689225810?utm_medium=notification&utm_source=email