[openssl-commits] Build completed: openssl OpenSSL_1_1_0-stable.17034

[AppVeyor]

Build openssl OpenSSL_1_1_0-stable.17034 completed



Commit bd90e98e14 by cedral on 4/4/2018 5:12 PM:

fix build error in 32 bit debug build


Configure your notification preferences

_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] Build failed: openssl master.17033

[AppVeyor]

Build openssl master.17033 failed


Commit b6e17dfb1d by Bernd Edlinger on 4/4/2018 4:47 PM:

Fix logic bug


Configure your notification preferences

_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] master update

[Richard Levitte]

The branch master has been updated
   via  4845aeba4c49e1bd65259a5014d7e3ab38657d42 (commit)
  from  b791355b5c0c474ba1005008e3731a859de0754d (commit)


- Log -
commit 4845aeba4c49e1bd65259a5014d7e3ab38657d42
Author: Richard Levitte 
Date:   Wed Apr 4 20:17:50 2018 +0200

Change rand_pool_add[_end] prototypes to match

Reviewed-by: Matthias St. Pierre 
(Merged from https://github.com/openssl/openssl/pull/5877)

---

Summary of changes:
 crypto/include/internal/rand_int.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/crypto/include/internal/rand_int.h 
b/crypto/include/internal/rand_int.h
index e5ae0df..baa9bfe 100644
--- a/crypto/include/internal/rand_int.h
+++ b/crypto/include/internal/rand_int.h
@@ -59,10 +59,10 @@ size_t rand_pool_entropy_needed(RAND_POOL *pool);
 size_t rand_pool_bytes_needed(RAND_POOL *pool, unsigned int entropy_per_byte);
 size_t rand_pool_bytes_remaining(RAND_POOL *pool);
 
-size_t rand_pool_add(RAND_POOL *pool,
- const unsigned char *buffer, size_t len, size_t entropy);
+int rand_pool_add(RAND_POOL *pool,
+  const unsigned char *buffer, size_t len, size_t entropy);
 unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len);
-size_t rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy);
+int rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy);
 
 
 /*
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] master update

[Andy Polyakov]

The branch master has been updated
   via  b791355b5c0c474ba1005008e3731a859de0754d (commit)
  from  6228b1dae265bbe6c46457d82b2d14d672af5f46 (commit)


- Log -
commit b791355b5c0c474ba1005008e3731a859de0754d
Author: Andy Polyakov 
Date:   Sun Apr 1 18:18:46 2018 +0200

rand/randfile.c: fix potential resource leak in RAND_load_file.

Found by Coverity.

Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/5834)

---

Summary of changes:
 crypto/rand/randfile.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/crypto/rand/randfile.c b/crypto/rand/randfile.c
index 3a62b88..c652ddc 100644
--- a/crypto/rand/randfile.c
+++ b/crypto/rand/randfile.c
@@ -94,6 +94,7 @@ int RAND_load_file(const char *file, long bytes)
 if (fstat(fileno(in), ) < 0) {
 RANDerr(RAND_F_RAND_LOAD_FILE, RAND_R_INTERNAL_ERROR);
 ERR_add_error_data(2, "Filename=", file);
+fclose(in);
 return -1;
 }
 
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] master update

[Andy Polyakov]

The branch master has been updated
   via  6228b1dae265bbe6c46457d82b2d14d672af5f46 (commit)
   via  5540eb7040839b0075a2b7651b6a95264d025e15 (commit)
  from  8e2bec9b8aaba602af6fda2523a15238aa49aade (commit)


- Log -
commit 6228b1dae265bbe6c46457d82b2d14d672af5f46
Author: Andy Polyakov 
Date:   Mon Apr 2 23:26:25 2018 +0200

TLSProxy/Proxy.pm: switch to dynamic ports and overhaul.

By asking for port 0, you get a free port dynamically assigned by OS.
TLSProxy::Proxy now asks for 0 and asks s_server to do the same. The
s_server's port is reported in "ACCEPT" line, which TLSProxy::Proxy
parses and uses.

Because the server port is now a random affair in TLSProxy::Proxy,
it's no longer possible to change it with the method 'server_port',
and it has become an accessor only. For the sake of orthogonality, so
has the method 'server_addr'.

Remove all fork calls on Windows, as fork is not to be trusted there.
This naturally minimized amount of fork calls on POSIX systems, to 1.

Sink s_server's output to 'perl -ne print' which ensures that output
is written strictly in lines. This keeps TAP parser happy.

Improve synchronization in -naccept +n cases by establishing next
connection to s_server *after* s_client finishes instead of before it
starts.

Improve error handling and clean up some methods.

Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/5843)

commit 5540eb7040839b0075a2b7651b6a95264d025e15
Author: Richard Levitte 
Date:   Fri Mar 30 21:13:25 2018 +0200

openssl s_server: print the accepting address and socket

The line saying ACCEPT is extended with a space followed by the the
address and port combination on which s_server accepts connections.
The address is written in such a way that s_client should be able to
accepts as argument for the '-connect' option.

Reviewed-by: Andy Polyakov 
(Merged from https://github.com/openssl/openssl/pull/5843)

---

Summary of changes:
 apps/s_apps.h   |   5 +-
 apps/s_server.c |   9 +-
 apps/s_socket.c |  30 -
 util/perl/TLSProxy/Proxy.pm | 318 +---
 4 files changed, 211 insertions(+), 151 deletions(-)

diff --git a/apps/s_apps.h b/apps/s_apps.h
index 2454161..0a3bc96 100644
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -22,9 +22,8 @@
 
 typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char 
*context);
 int do_server(int *accept_sock, const char *host, const char *port,
-  int family, int type, int protocol,
-  do_server_cb cb,
-  unsigned char *context, int naccept);
+  int family, int type, int protocol, do_server_cb cb,
+  unsigned char *context, int naccept, BIO *bio_s_out);
 #ifdef HEADER_X509_H
 int verify_callback(int ok, X509_STORE_CTX *ctx);
 #endif
diff --git a/apps/s_server.c b/apps/s_server.c
index 9b5106d..be1564a 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -2095,8 +2095,6 @@ int s_server_main(int argc, char *argv[])
 if (max_early_data >= 0)
 SSL_CTX_set_max_early_data(ctx, max_early_data);
 
-BIO_printf(bio_s_out, "ACCEPT\n");
-(void)BIO_flush(bio_s_out);
 if (rev)
 server_cb = rev_body;
 else if (www)
@@ -2109,7 +2107,7 @@ int s_server_main(int argc, char *argv[])
 unlink(host);
 #endif
 do_server(_socket, host, port, socket_family, socket_type, protocol,
-  server_cb, context, naccept);
+  server_cb, context, naccept, bio_s_out);
 print_stats(bio_s_out, ctx);
 ret = 0;
  end:
@@ -2673,9 +2671,6 @@ static int sv_body(int s, int stype, int prot, unsigned 
char *context)
 }
 BIO_printf(bio_s_out, "CONNECTION CLOSED\n");
 OPENSSL_clear_free(buf, bufsize);
-if (ret >= 0)
-BIO_printf(bio_s_out, "ACCEPT\n");
-(void)BIO_flush(bio_s_out);
 return ret;
 }
 
@@ -3284,8 +3279,6 @@ static int www_body(int s, int stype, int prot, unsigned 
char *context)
 SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
 
  err:
-if (ret >= 0)
-BIO_printf(bio_s_out, "ACCEPT\n");
 OPENSSL_free(buf);
 BIO_free_all(io);
 return ret;
diff --git a/apps/s_socket.c b/apps/s_socket.c
index 4b82011..e3cfda9 100644
--- a/apps/s_socket.c
+++ b/apps/s_socket.c
@@ -204,7 +204,7 @@ out:
  */
 int do_server(int *accept_sock, const char *host, const char *port,
   int family, int type, int protocol, do_server_cb cb,
-  unsigned char *context, int naccept)
+  unsigned char *context, int naccept, BIO *bio_s_out)
 {
 int asock = 0;
 int sock;
@@ 

[openssl-commits] [openssl] master update

[Richard Levitte]

The branch master has been updated
   via  8e2bec9b8aaba602af6fda2523a15238aa49aade (commit)
  from  dbcfd9025f86e997f6246d51e4700a0560ce3977 (commit)


- Log -
commit 8e2bec9b8aaba602af6fda2523a15238aa49aade
Author: Richard Levitte 
Date:   Wed Apr 4 18:31:50 2018 +0200

Remove ambiguity in rand_pool_add[_end] return value

When these two functions returned zero, it could mean:

1. that an error occured.  In their case, the error is an overflow of
   the pool, i.e. the correct response from the caller would be to
   stop trying to fill the pool.
2. that there isn't enought entropy acquired yet, i.e. the correct
   response from the caller would be to try and add more entropy to
   the pool.

Because of this ambiguity, the returned zero turns out to be useless.
This change makes the returned value more consistent.  1 means the
addition of new entropy was successful, 0 means it wasn't.  To know if
the pool has been filled enough, the caller will have to call some
other function, such as rand_pool_entropy_available().

Fixes #5846

Reviewed-by: Matthias St. Pierre 
(Merged from https://github.com/openssl/openssl/pull/5876)

---

Summary of changes:
 crypto/rand/rand_lib.c  | 42 ++
 crypto/rand/rand_unix.c |  9 ++---
 crypto/rand/rand_vms.c  |  5 +++--
 crypto/rand/rand_win.c  |  9 ++---
 4 files changed, 33 insertions(+), 32 deletions(-)

diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
index 143dfb0..3589e75 100644
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -130,26 +130,20 @@ size_t rand_acquire_entropy_from_cpu(RAND_POOL *pool)
 buffer = rand_pool_add_begin(pool, bytes_needed);
 
 if (buffer != NULL) {
-
-/* If RDSEED is available, use that. */
+/* Whichever comes first, use RDSEED, RDRAND or nothing */
 if ((OPENSSL_ia32cap_P[2] & (1 << 18)) != 0) {
 if (OPENSSL_ia32_rdseed_bytes(buffer, bytes_needed)
-== bytes_needed)
-return rand_pool_add_end(pool,
- bytes_needed,
- 8 * bytes_needed);
-}
-
-/* Second choice is RDRAND. */
-if ((OPENSSL_ia32cap_P[1] & (1 << (62 - 32))) != 0) {
+== bytes_needed) {
+rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed);
+}
+} else if ((OPENSSL_ia32cap_P[1] & (1 << (62 - 32))) != 0) {
 if (OPENSSL_ia32_rdrand_bytes(buffer, bytes_needed)
-== bytes_needed)
-return rand_pool_add_end(pool,
- bytes_needed,
- 8 * bytes_needed);
+== bytes_needed) {
+rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed);
+}
+} else {
+rand_pool_add_end(pool, 0, 0);
 }
-
-return rand_pool_add_end(pool, 0, 0);
 }
 }
 
@@ -222,7 +216,8 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
 bytes = bytes_needed;
 rand_drbg_unlock(drbg->parent);
 
-entropy_available = rand_pool_add_end(pool, bytes, 8 * bytes);
+rand_pool_add_end(pool, bytes, 8 * bytes);
+entropy_available = rand_pool_entropy_available(pool);
 }
 
 } else {
@@ -631,11 +626,10 @@ size_t rand_pool_bytes_remaining(RAND_POOL *pool)
  * random input which contains at least |entropy| bits of
  * randomness.
  *
- * Return available amount of entropy after this operation.
- * (see rand_pool_entropy_available(pool))
+ * Returns 1 if the added amount is adequate, otherwise 0
  */
-size_t rand_pool_add(RAND_POOL *pool,
- const unsigned char *buffer, size_t len, size_t entropy)
+int rand_pool_add(RAND_POOL *pool,
+  const unsigned char *buffer, size_t len, size_t entropy)
 {
 if (len > pool->max_len - pool->len) {
 RANDerr(RAND_F_RAND_POOL_ADD, RAND_R_ENTROPY_INPUT_TOO_LONG);
@@ -648,7 +642,7 @@ size_t rand_pool_add(RAND_POOL *pool,
 pool->entropy += entropy;
 }
 
-return rand_pool_entropy_available(pool);
+return 1;
 }
 
 /*
@@ -685,7 +679,7 @@ unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t 
len)
  * to the buffer which contain at least |entropy| bits of randomness.
  * It is allowed to add less bytes than originally reserved.
  */
-size_t rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy)
+int rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy)
 {
 if (len > 

[openssl-commits] [openssl] master update

[Matt Caswell]

The branch master has been updated
   via  a53b5be6a056e998fb119dbf035d1df68083a951 (commit)
   via  034cb87b6c7758986b40692d1d5abdd2a7ba826e (commit)
  from  d3f9268aa58507eb2d25fd0b49f54efdc098f4e6 (commit)


- Log -
commit a53b5be6a056e998fb119dbf035d1df68083a951
Author: Matt Caswell 
Date:   Tue Apr 3 15:31:38 2018 +0100

Fix configuration of TLSv1.3 ciphersuites

Configuration of TLSv1.3 ciphersuites wasn't working in some cases.

Fixes #5740

Reviewed-by: Rich Salz 
(Merged from https://github.com/openssl/openssl/pull/5855)

commit 034cb87b6c7758986b40692d1d5abdd2a7ba826e
Author: Matt Caswell 
Date:   Tue Apr 3 12:31:53 2018 +0100

Add some tests for configuring the TLSv1.3 ciphersuites

Reviewed-by: Rich Salz 
(Merged from https://github.com/openssl/openssl/pull/5855)

---

Summary of changes:
 ssl/ssl_ciph.c| 136 +++---
 ssl/ssl_lib.c |  93 --
 ssl/ssl_locl.h|   1 +
 test/sslapitest.c |  82 ++
 test/sslcorrupttest.c |   6 +--
 5 files changed, 213 insertions(+), 105 deletions(-)

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index be728df..9011e42 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -15,6 +15,7 @@
 #include 
 #include 
 #include 
+#include 
 #include "internal/nelem.h"
 #include "ssl_locl.h"
 #include "internal/thread_once.h"
@@ -1274,6 +1275,131 @@ static int check_suiteb_cipher_list(const SSL_METHOD 
*meth, CERT *c,
 }
 #endif
 
+static int ciphersuite_cb(const char *elem, int len, void *arg)
+{
+STACK_OF(SSL_CIPHER) *ciphersuites = (STACK_OF(SSL_CIPHER) *)arg;
+const SSL_CIPHER *cipher;
+/* Arbitrary sized temp buffer for the cipher name. Should be big enough */
+char name[80];
+
+if (len > (int)(sizeof(name) - 1)) {
+SSLerr(SSL_F_CIPHERSUITE_CB, SSL_R_NO_CIPHER_MATCH);
+return 0;
+}
+
+memcpy(name, elem, len);
+name[len] = '\0';
+
+cipher = ssl3_get_cipher_by_std_name(name);
+if (cipher == NULL) {
+SSLerr(SSL_F_CIPHERSUITE_CB, SSL_R_NO_CIPHER_MATCH);
+return 0;
+}
+
+if (!sk_SSL_CIPHER_push(ciphersuites, cipher)) {
+SSLerr(SSL_F_CIPHERSUITE_CB, ERR_R_INTERNAL_ERROR);
+return 0;
+}
+
+return 1;
+}
+
+int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str)
+{
+STACK_OF(SSL_CIPHER) *newciphers = sk_SSL_CIPHER_new_null();
+
+if (newciphers == NULL)
+return 0;
+
+/* Parse the list. We explicitly allow an empty list */
+if (*str != '\0'
+&& !CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers)) {
+sk_SSL_CIPHER_free(newciphers);
+return 0;
+}
+sk_SSL_CIPHER_free(*currciphers);
+*currciphers = newciphers;
+
+return 1;
+}
+
+static int update_cipher_list_by_id(STACK_OF(SSL_CIPHER) **cipher_list_by_id,
+STACK_OF(SSL_CIPHER) *cipherstack)
+{
+STACK_OF(SSL_CIPHER) *tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
+
+if (tmp_cipher_list == NULL) {
+return 0;
+}
+
+sk_SSL_CIPHER_free(*cipher_list_by_id);
+*cipher_list_by_id = tmp_cipher_list;
+
+(void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, 
ssl_cipher_ptr_id_cmp);
+sk_SSL_CIPHER_sort(*cipher_list_by_id);
+
+return 1;
+}
+
+static int update_cipher_list(STACK_OF(SSL_CIPHER) **cipher_list,
+  STACK_OF(SSL_CIPHER) **cipher_list_by_id,
+  STACK_OF(SSL_CIPHER) *tls13_ciphersuites)
+{
+int i;
+STACK_OF(SSL_CIPHER) *tmp_cipher_list = sk_SSL_CIPHER_dup(*cipher_list);
+
+if (tmp_cipher_list == NULL)
+return 0;
+
+/*
+ * Delete any existing TLSv1.3 ciphersuites. These are always first in the
+ * list.
+ */
+while (sk_SSL_CIPHER_num(tmp_cipher_list) > 0
+   && sk_SSL_CIPHER_value(tmp_cipher_list, 0)->min_tls
+  == TLS1_3_VERSION)
+sk_SSL_CIPHER_delete(tmp_cipher_list, 0);
+
+/* Insert the new TLSv1.3 ciphersuites */
+for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++)
+sk_SSL_CIPHER_insert(tmp_cipher_list,
+ sk_SSL_CIPHER_value(tls13_ciphersuites, i), i);
+
+if (!update_cipher_list_by_id(cipher_list_by_id, tmp_cipher_list))
+return 0;
+
+sk_SSL_CIPHER_free(*cipher_list);
+*cipher_list = tmp_cipher_list;
+
+return 1;
+}
+
+int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
+{
+int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str);
+
+if (ret && ctx->cipher_list != NULL) {
+/* We already have a cipher_list, so we need to update it */
+return 

[openssl-commits] Build failed: openssl master.17021

[AppVeyor]

Build openssl master.17021 failed


Commit f41d76c2c3 by Matt Caswell on 4/4/2018 2:02 PM:

Update the info callback documentation for TLSv1.3


Configure your notification preferences

_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

[Richard Levitte]

The branch OpenSSL_1_1_0-stable has been updated
   via  6ddcf90fae372da897bdf84d0949618bbdb4abab (commit)
  from  c255668c61e6b4800aa9c6e293a12942eccf511b (commit)


- Log -
commit 6ddcf90fae372da897bdf84d0949618bbdb4abab
Author: Richard Levitte 
Date:   Wed Apr 4 15:28:19 2018 +0200

Don't use CPP in Configurations/unix-Makefile.tmpl

We started using $(CPP) instead of $(CC) -E, with the assumption that
CPP would be predefined.  This is, however, not always true, and
rather depends on the 'make' implementation.  Furthermore, on
platforms where CPP=cpp or something else other than '$(CC) -E',
there's a risk that it won't understand machine specific flags that we
pass to it.  So it turns out that trying to use $(CPP) was a mistake,
and we therefore revert that use back to using $(CC) -E directly.

Fixes #5867

Note: this affects config targets that use Alpha, ARM, IA64, MIPS,
s390x or SPARC assembler modules.

Reviewed-by: Andy Polyakov 
(Merged from https://github.com/openssl/openssl/pull/5871)

---

Summary of changes:
 Configurations/unix-Makefile.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Configurations/unix-Makefile.tmpl 
b/Configurations/unix-Makefile.tmpl
index 40cf2c3..1bfaa97 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -848,7 +848,7 @@ EOF
   $recipe .= <<"EOF";
 $obj$objext: $deps
( trap "rm -f \$@.*" INT 0; \\
- \$(CPP) $incs \$(CFLAGS) $ecflags $srcs | \\
+ \$(CC) $incs \$(CFLAGS) $ecflags -E $srcs | \\
  \$(PERL) -ne '/^#(line)?\\s*[0-9]+/ or print' > \$@.s && \\
  \$(CC) \$(CFLAGS) $ecflags -c -o \$\@ \$@.s )
 EOF
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] master update

[Richard Levitte]

The branch master has been updated
   via  d3f9268aa58507eb2d25fd0b49f54efdc098f4e6 (commit)
  from  d8fa9324d25b07efd45761a0fee6b0f89c18924b (commit)


- Log -
commit d3f9268aa58507eb2d25fd0b49f54efdc098f4e6
Author: Richard Levitte 
Date:   Wed Apr 4 15:23:30 2018 +0200

Don't use CPP in Configurations/unix-Makefile.tmpl

We started using $(CPP) instead of $(CC) -E, with the assumption that
CPP would be predefined.  This is, however, not always true, and
rather depends on the 'make' implementation.  Furthermore, on
platforms where CPP=cpp or something else other than '$(CC) -E',
there's a risk that it won't understand machine specific flags that we
pass to it.  So it turns out that trying to use $(CPP) was a mistake,
and we therefore revert that use back to using $(CC) -E directly.

Fixes #5867

Note: this affects config targets that use Alpha, ARM, IA64, MIPS,
s390x or SPARC assembler modules.

Reviewed-by: Andy Polyakov 
(Merged from https://github.com/openssl/openssl/pull/5872)

---

Summary of changes:
 Configurations/unix-Makefile.tmpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Configurations/unix-Makefile.tmpl 
b/Configurations/unix-Makefile.tmpl
index cc66abe..caf2783 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -954,7 +954,7 @@ EOF
   }
   return <<"EOF";
 $args{src}: $args{generator}->[0] $deps
-   \$(CPP) $incs $cppflags $args{generator}->[0] | \\
+   \$(CC) $incs $cppflags -E $args{generator}->[0] | \\
\$(PERL) -ne '/^#(line)?\\s*[0-9]+/ or print' > \$@
 EOF
   }
@@ -1012,7 +1012,7 @@ EOF
   $recipe .= <<"EOF";
 $obj$objext: $deps
( trap "rm -f \$@.*" INT 0; \\
- \$(CPP) $incs $cmdflags $srcs | \\
+ \$(CC) $incs $cmdflags -E $srcs | \\
  \$(PERL) -ne '/^#(line)?\\s*[0-9]+/ or print' > \$@.s && \\
  $cmd $cmdflags -c -o \$\@ \$@.s )
 EOF
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] master update

[bernd . edlinger]

The branch master has been updated
   via  d8fa9324d25b07efd45761a0fee6b0f89c18924b (commit)
  from  6b49b30811f4afa0340342af9400b8d0357b5291 (commit)


- Log -
commit d8fa9324d25b07efd45761a0fee6b0f89c18924b
Author: cedral 
Date:   Wed Apr 4 14:54:47 2018 +0200

Visual Studio 2017 debug build warning error on 32 bit build

Reviewed-by: Rich Salz 
Reviewed-by: Bernd Edlinger 
(Merged from https://github.com/openssl/openssl/pull/5799)

---

Summary of changes:
 ssl/t1_trce.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index d3f67f5..394df98 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -1504,7 +1504,8 @@ void SSL_trace(int write_p, int version, int content_type,
 int hvers;
 
 /* avoid overlapping with length at the end of buffer */
-if (msglen < (SSL_IS_DTLS(ssl) ? 13 : 5)) {
+if (msglen < (size_t)(SSL_IS_DTLS(ssl) ?
+DTLS1_RT_HEADER_LENGTH : SSL3_RT_HEADER_LENGTH)) {
 BIO_puts(bio, write_p ? "Sent" : "Received");
 ssl_print_hex(bio, 0, " too short message", msg, msglen);
 break;
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] master update

[bernd . edlinger]

The branch master has been updated
   via  6b49b30811f4afa0340342af9400b8d0357b5291 (commit)
  from  284f4f6b70998b2b46dc74c3003c82cb1db0e742 (commit)


- Log -
commit 6b49b30811f4afa0340342af9400b8d0357b5291
Author: Bernd Edlinger 
Date:   Tue Apr 3 23:47:10 2018 +0200

Prevent a possible recursion in ERR_get_state and fix the problem that
was pointed out in commit aef84bb4efbddfd95d042f3f5f1d362ed7d4faeb
differently.

Reviewed-by: Rich Salz 
(Merged from https://github.com/openssl/openssl/pull/5863)

---

Summary of changes:
 crypto/err/err.c | 18 --
 crypto/init.c| 12 +---
 2 files changed, 9 insertions(+), 21 deletions(-)

diff --git a/crypto/err/err.c b/crypto/err/err.c
index 1fb71e7..f55655c 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -667,25 +667,23 @@ ERR_STATE *ERR_get_state(void)
 if (!RUN_ONCE(_init, err_do_init))
 return NULL;
 
-/*
- * If base OPENSSL_init_crypto() hasn't been called yet, be sure to call
- * it now to avoid state to be doubly allocated and thereby leak memory.
- * Needed on any platform that doesn't define OPENSSL_USE_NODELETE.
- */
-if (!OPENSSL_init_crypto(0, NULL))
-return NULL;
-
 state = CRYPTO_THREAD_get_local(_thread_local);
+if (state == (ERR_STATE*)-1)
+return NULL;
 
 if (state == NULL) {
+if (!CRYPTO_THREAD_set_local(_thread_local, (ERR_STATE*)-1))
+return NULL;
+
 if ((state = OPENSSL_zalloc(sizeof(*state))) == NULL) {
-/* ERRerr(ERR_F_ERR_GET_STATE, ERR_R_MALLOC_FAILURE); */
+CRYPTO_THREAD_set_local(_thread_local, NULL);
 return NULL;
 }
 
 if (!ossl_init_thread_start(OPENSSL_INIT_THREAD_ERR_STATE)
-|| !CRYPTO_THREAD_set_local(_thread_local, state)) {
+|| !CRYPTO_THREAD_set_local(_thread_local, state)) {
 ERR_STATE_free(state);
+CRYPTO_THREAD_set_local(_thread_local, NULL);
 return NULL;
 }
 
diff --git a/crypto/init.c b/crypto/init.c
index 37b7a7c..c79c32c 100644
--- a/crypto/init.c
+++ b/crypto/init.c
@@ -540,18 +540,8 @@ void OPENSSL_cleanup(void)
  */
 int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
 {
-static int stoperrset = 0;
-
 if (stopped) {
-if (!stoperrset) {
-/*
- * We only ever set this once to avoid getting into an infinite
- * loop where the error system keeps trying to init and fails so
- * sets an error etc
- */
-stoperrset = 1;
-CRYPTOerr(CRYPTO_F_OPENSSL_INIT_CRYPTO, ERR_R_INIT_FAIL);
-}
+CRYPTOerr(CRYPTO_F_OPENSSL_INIT_CRYPTO, ERR_R_INIT_FAIL);
 return 0;
 }
 
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] master update

[bernd . edlinger]

The branch master has been updated
   via  284f4f6b70998b2b46dc74c3003c82cb1db0e742 (commit)
  from  dc55e4f70f401c5869410d6a0c068c18c3fd53ec (commit)


- Log -
commit 284f4f6b70998b2b46dc74c3003c82cb1db0e742
Author: Bernd Edlinger 
Date:   Wed Apr 4 14:45:49 2018 +0200

Don't use getenv for critical functions when run as setuid/setgid

Reviewed-by: Richard Levitte 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/5856)

---

Summary of changes:
 CHANGES |  4 
 crypto/conf/conf_mod.c  |  8 +---
 crypto/engine/eng_list.c|  3 ++-
 doc/man3/ENGINE_add.pod |  1 +
 doc/man3/OPENSSL_config.pod | 11 +++
 doc/man5/config.pod | 16 
 6 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index b4d0329..40b5823 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,10 @@
 
  Changes between 1.1.0h and 1.1.1 [xx XXX ]
 
+  *) Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values
+ in libcrypto when run as setuid/setgid.
+ [Bernd Edlinger]
+
   *) Added new public header file  and documentation
  for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview.
  [Matthias St. Pierre]
diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c
index 99f0fcc..4a848b8 100644
--- a/crypto/conf/conf_mod.c
+++ b/crypto/conf/conf_mod.c
@@ -480,9 +480,11 @@ char *CONF_get1_default_config_file(void)
 char *file, *sep = "";
 int len;
 
-file = getenv("OPENSSL_CONF");
-if (file)
-return OPENSSL_strdup(file);
+if (!OPENSSL_issetugid()) {
+file = getenv("OPENSSL_CONF");
+if (file)
+return OPENSSL_strdup(file);
+}
 
 len = strlen(X509_get_default_cert_area());
 #ifndef OPENSSL_SYS_VMS
diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c
index bfd91e2..4bc7ea1 100644
--- a/crypto/engine/eng_list.c
+++ b/crypto/engine/eng_list.c
@@ -317,7 +317,8 @@ ENGINE *ENGINE_by_id(const char *id)
  * Prevent infinite recursion if we're looking for the dynamic engine.
  */
 if (strcmp(id, "dynamic")) {
-if ((load_dir = getenv("OPENSSL_ENGINES")) == NULL)
+if (OPENSSL_issetugid()
+|| (load_dir = getenv("OPENSSL_ENGINES")) == NULL)
 load_dir = ENGINESDIR;
 iterator = ENGINE_by_id("dynamic");
 if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
diff --git a/doc/man3/ENGINE_add.pod b/doc/man3/ENGINE_add.pod
index b009949..a2fc299 100644
--- a/doc/man3/ENGINE_add.pod
+++ b/doc/man3/ENGINE_add.pod
@@ -568,6 +568,7 @@ extension).
 =item B
 
 The path to the engines directory.
+Ignored in set-user-ID and set-group-ID programs.
 
 =back
 
diff --git a/doc/man3/OPENSSL_config.pod b/doc/man3/OPENSSL_config.pod
index e70fcd5..ac686e6 100644
--- a/doc/man3/OPENSSL_config.pod
+++ b/doc/man3/OPENSSL_config.pod
@@ -48,6 +48,17 @@ application calls OPENSSL_config() it doesn't need to know 
or care about
 ENGINE control operations because they can be performed by editing a
 configuration file.
 
+=head1 ENVIRONMENT
+
+=over 4
+
+=item B
+
+The path to the config file.
+Ignored in set-user-ID and set-group-ID programs.
+
+=back
+
 =head1 RETURN VALUES
 
 Neither OPENSSL_config() nor OPENSSL_no_config() return a value.
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index ef8e10e..09d72be 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -384,6 +384,22 @@ will output:
 
 showing that the OID "newoid1" has been added as "1.2.3.4.1".
 
+=head1 ENVIRONMENT
+
+=over 4
+
+=item B
+
+The path to the config file.
+Ignored in set-user-ID and set-group-ID programs.
+
+=item B
+
+The path to the engines directory.
+Ignored in set-user-ID and set-group-ID programs.
+
+=back
+
 =head1 BUGS
 
 Currently there is no way to include characters using the octal B<\nnn>
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [web] master update

[Richard Levitte]

The branch master has been updated
   via  a2e614d7f5554b477dedd0066709df3cd3e14990 (commit)
  from  f0dd77fca46f3d630d5a47d3bb93e8d50c66f7df (commit)


- Log -
commit a2e614d7f5554b477dedd0066709df3cd3e14990
Author: Richard Levitte 
Date:   Wed Apr 4 11:14:44 2018 +0200

Generalise the rewrites of older tarballs

We enumerated every series when we could as simply handle them all
with one simple regexp.

---

Summary of changes:
 bin/mk-latest | 10 +-
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/bin/mk-latest b/bin/mk-latest
index 2307837..8c2d3a7 100755
--- a/bin/mk-latest
+++ b/bin/mk-latest
@@ -43,15 +43,7 @@ print <<\EOF;
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteRule ^(openssl-0\.9\.\d.*) old/0.9.x/$1 [L]
 RewriteCond %{REQUEST_FILENAME} !-f
-RewriteRule ^openssl-(1\.0\.0.*) old/1.0.0/openssl-$1 [L]
-RewriteCond %{REQUEST_FILENAME} !-f
-RewriteRule ^openssl-(1\.0\.1.*) old/1.0.1/openssl-$1 [L]
-RewriteCond %{REQUEST_FILENAME} !-f
-RewriteRule ^openssl-(1\.0\.2.*) old/1.0.2/openssl-$1 [L]
-RewriteCond %{REQUEST_FILENAME} !-f
-RewriteRule ^openssl-(1\.1\.0.*) old/1.1.0/openssl-$1 [L]
-RewriteCond %{REQUEST_FILENAME} !-f
-RewriteRule ^openssl-(1\.1\.1.*) old/1.1.1/openssl-$1 [L]
+RewriteRule ^(openssl-(\d+\.\d+\.\d+).*) old/$2/$1 [L]
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteRule ^openssl-(fips.*)  old/fips/openssl-$1 [L]
 
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits