[openssl-commits] Build completed: openssl OpenSSL_1_1_0-stable.17034
Build openssl OpenSSL_1_1_0-stable.17034 completed Commit bd90e98e14 by cedral on 4/4/2018 5:12 PM: fix build error in 32 bit debug build Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build failed: openssl master.17033
Build openssl master.17033 failed Commit b6e17dfb1d by Bernd Edlinger on 4/4/2018 4:47 PM: Fix logic bug Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 4845aeba4c49e1bd65259a5014d7e3ab38657d42 (commit) from b791355b5c0c474ba1005008e3731a859de0754d (commit) - Log - commit 4845aeba4c49e1bd65259a5014d7e3ab38657d42 Author: Richard LevitteDate: Wed Apr 4 20:17:50 2018 +0200 Change rand_pool_add[_end] prototypes to match Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/5877) --- Summary of changes: crypto/include/internal/rand_int.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/include/internal/rand_int.h b/crypto/include/internal/rand_int.h index e5ae0df..baa9bfe 100644 --- a/crypto/include/internal/rand_int.h +++ b/crypto/include/internal/rand_int.h @@ -59,10 +59,10 @@ size_t rand_pool_entropy_needed(RAND_POOL *pool); size_t rand_pool_bytes_needed(RAND_POOL *pool, unsigned int entropy_per_byte); size_t rand_pool_bytes_remaining(RAND_POOL *pool); -size_t rand_pool_add(RAND_POOL *pool, - const unsigned char *buffer, size_t len, size_t entropy); +int rand_pool_add(RAND_POOL *pool, + const unsigned char *buffer, size_t len, size_t entropy); unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len); -size_t rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy); +int rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy); /* _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via b791355b5c0c474ba1005008e3731a859de0754d (commit) from 6228b1dae265bbe6c46457d82b2d14d672af5f46 (commit) - Log - commit b791355b5c0c474ba1005008e3731a859de0754d Author: Andy PolyakovDate: Sun Apr 1 18:18:46 2018 +0200 rand/randfile.c: fix potential resource leak in RAND_load_file. Found by Coverity. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/5834) --- Summary of changes: crypto/rand/randfile.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/rand/randfile.c b/crypto/rand/randfile.c index 3a62b88..c652ddc 100644 --- a/crypto/rand/randfile.c +++ b/crypto/rand/randfile.c @@ -94,6 +94,7 @@ int RAND_load_file(const char *file, long bytes) if (fstat(fileno(in), ) < 0) { RANDerr(RAND_F_RAND_LOAD_FILE, RAND_R_INTERNAL_ERROR); ERR_add_error_data(2, "Filename=", file); +fclose(in); return -1; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 6228b1dae265bbe6c46457d82b2d14d672af5f46 (commit) via 5540eb7040839b0075a2b7651b6a95264d025e15 (commit) from 8e2bec9b8aaba602af6fda2523a15238aa49aade (commit) - Log - commit 6228b1dae265bbe6c46457d82b2d14d672af5f46 Author: Andy PolyakovDate: Mon Apr 2 23:26:25 2018 +0200 TLSProxy/Proxy.pm: switch to dynamic ports and overhaul. By asking for port 0, you get a free port dynamically assigned by OS. TLSProxy::Proxy now asks for 0 and asks s_server to do the same. The s_server's port is reported in "ACCEPT" line, which TLSProxy::Proxy parses and uses. Because the server port is now a random affair in TLSProxy::Proxy, it's no longer possible to change it with the method 'server_port', and it has become an accessor only. For the sake of orthogonality, so has the method 'server_addr'. Remove all fork calls on Windows, as fork is not to be trusted there. This naturally minimized amount of fork calls on POSIX systems, to 1. Sink s_server's output to 'perl -ne print' which ensures that output is written strictly in lines. This keeps TAP parser happy. Improve synchronization in -naccept +n cases by establishing next connection to s_server *after* s_client finishes instead of before it starts. Improve error handling and clean up some methods. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/5843) commit 5540eb7040839b0075a2b7651b6a95264d025e15 Author: Richard Levitte Date: Fri Mar 30 21:13:25 2018 +0200 openssl s_server: print the accepting address and socket The line saying ACCEPT is extended with a space followed by the the address and port combination on which s_server accepts connections. The address is written in such a way that s_client should be able to accepts as argument for the '-connect' option. Reviewed-by: Andy Polyakov (Merged from https://github.com/openssl/openssl/pull/5843) --- Summary of changes: apps/s_apps.h | 5 +- apps/s_server.c | 9 +- apps/s_socket.c | 30 - util/perl/TLSProxy/Proxy.pm | 318 +--- 4 files changed, 211 insertions(+), 151 deletions(-) diff --git a/apps/s_apps.h b/apps/s_apps.h index 2454161..0a3bc96 100644 --- a/apps/s_apps.h +++ b/apps/s_apps.h @@ -22,9 +22,8 @@ typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char *context); int do_server(int *accept_sock, const char *host, const char *port, - int family, int type, int protocol, - do_server_cb cb, - unsigned char *context, int naccept); + int family, int type, int protocol, do_server_cb cb, + unsigned char *context, int naccept, BIO *bio_s_out); #ifdef HEADER_X509_H int verify_callback(int ok, X509_STORE_CTX *ctx); #endif diff --git a/apps/s_server.c b/apps/s_server.c index 9b5106d..be1564a 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -2095,8 +2095,6 @@ int s_server_main(int argc, char *argv[]) if (max_early_data >= 0) SSL_CTX_set_max_early_data(ctx, max_early_data); -BIO_printf(bio_s_out, "ACCEPT\n"); -(void)BIO_flush(bio_s_out); if (rev) server_cb = rev_body; else if (www) @@ -2109,7 +2107,7 @@ int s_server_main(int argc, char *argv[]) unlink(host); #endif do_server(_socket, host, port, socket_family, socket_type, protocol, - server_cb, context, naccept); + server_cb, context, naccept, bio_s_out); print_stats(bio_s_out, ctx); ret = 0; end: @@ -2673,9 +2671,6 @@ static int sv_body(int s, int stype, int prot, unsigned char *context) } BIO_printf(bio_s_out, "CONNECTION CLOSED\n"); OPENSSL_clear_free(buf, bufsize); -if (ret >= 0) -BIO_printf(bio_s_out, "ACCEPT\n"); -(void)BIO_flush(bio_s_out); return ret; } @@ -3284,8 +3279,6 @@ static int www_body(int s, int stype, int prot, unsigned char *context) SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); err: -if (ret >= 0) -BIO_printf(bio_s_out, "ACCEPT\n"); OPENSSL_free(buf); BIO_free_all(io); return ret; diff --git a/apps/s_socket.c b/apps/s_socket.c index 4b82011..e3cfda9 100644 --- a/apps/s_socket.c +++ b/apps/s_socket.c @@ -204,7 +204,7 @@ out: */ int do_server(int *accept_sock, const char *host, const char *port, int family, int type, int protocol, do_server_cb cb, - unsigned char *context, int naccept) + unsigned char *context, int naccept, BIO *bio_s_out) { int asock = 0; int sock; @@
[openssl-commits] [openssl] master update
The branch master has been updated via 8e2bec9b8aaba602af6fda2523a15238aa49aade (commit) from dbcfd9025f86e997f6246d51e4700a0560ce3977 (commit) - Log - commit 8e2bec9b8aaba602af6fda2523a15238aa49aade Author: Richard LevitteDate: Wed Apr 4 18:31:50 2018 +0200 Remove ambiguity in rand_pool_add[_end] return value When these two functions returned zero, it could mean: 1. that an error occured. In their case, the error is an overflow of the pool, i.e. the correct response from the caller would be to stop trying to fill the pool. 2. that there isn't enought entropy acquired yet, i.e. the correct response from the caller would be to try and add more entropy to the pool. Because of this ambiguity, the returned zero turns out to be useless. This change makes the returned value more consistent. 1 means the addition of new entropy was successful, 0 means it wasn't. To know if the pool has been filled enough, the caller will have to call some other function, such as rand_pool_entropy_available(). Fixes #5846 Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/5876) --- Summary of changes: crypto/rand/rand_lib.c | 42 ++ crypto/rand/rand_unix.c | 9 ++--- crypto/rand/rand_vms.c | 5 +++-- crypto/rand/rand_win.c | 9 ++--- 4 files changed, 33 insertions(+), 32 deletions(-) diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 143dfb0..3589e75 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -130,26 +130,20 @@ size_t rand_acquire_entropy_from_cpu(RAND_POOL *pool) buffer = rand_pool_add_begin(pool, bytes_needed); if (buffer != NULL) { - -/* If RDSEED is available, use that. */ +/* Whichever comes first, use RDSEED, RDRAND or nothing */ if ((OPENSSL_ia32cap_P[2] & (1 << 18)) != 0) { if (OPENSSL_ia32_rdseed_bytes(buffer, bytes_needed) -== bytes_needed) -return rand_pool_add_end(pool, - bytes_needed, - 8 * bytes_needed); -} - -/* Second choice is RDRAND. */ -if ((OPENSSL_ia32cap_P[1] & (1 << (62 - 32))) != 0) { +== bytes_needed) { +rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed); +} +} else if ((OPENSSL_ia32cap_P[1] & (1 << (62 - 32))) != 0) { if (OPENSSL_ia32_rdrand_bytes(buffer, bytes_needed) -== bytes_needed) -return rand_pool_add_end(pool, - bytes_needed, - 8 * bytes_needed); +== bytes_needed) { +rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed); +} +} else { +rand_pool_add_end(pool, 0, 0); } - -return rand_pool_add_end(pool, 0, 0); } } @@ -222,7 +216,8 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, bytes = bytes_needed; rand_drbg_unlock(drbg->parent); -entropy_available = rand_pool_add_end(pool, bytes, 8 * bytes); +rand_pool_add_end(pool, bytes, 8 * bytes); +entropy_available = rand_pool_entropy_available(pool); } } else { @@ -631,11 +626,10 @@ size_t rand_pool_bytes_remaining(RAND_POOL *pool) * random input which contains at least |entropy| bits of * randomness. * - * Return available amount of entropy after this operation. - * (see rand_pool_entropy_available(pool)) + * Returns 1 if the added amount is adequate, otherwise 0 */ -size_t rand_pool_add(RAND_POOL *pool, - const unsigned char *buffer, size_t len, size_t entropy) +int rand_pool_add(RAND_POOL *pool, + const unsigned char *buffer, size_t len, size_t entropy) { if (len > pool->max_len - pool->len) { RANDerr(RAND_F_RAND_POOL_ADD, RAND_R_ENTROPY_INPUT_TOO_LONG); @@ -648,7 +642,7 @@ size_t rand_pool_add(RAND_POOL *pool, pool->entropy += entropy; } -return rand_pool_entropy_available(pool); +return 1; } /* @@ -685,7 +679,7 @@ unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len) * to the buffer which contain at least |entropy| bits of randomness. * It is allowed to add less bytes than originally reserved. */ -size_t rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy) +int rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy) { if (len >
[openssl-commits] [openssl] master update
The branch master has been updated via a53b5be6a056e998fb119dbf035d1df68083a951 (commit) via 034cb87b6c7758986b40692d1d5abdd2a7ba826e (commit) from d3f9268aa58507eb2d25fd0b49f54efdc098f4e6 (commit) - Log - commit a53b5be6a056e998fb119dbf035d1df68083a951 Author: Matt CaswellDate: Tue Apr 3 15:31:38 2018 +0100 Fix configuration of TLSv1.3 ciphersuites Configuration of TLSv1.3 ciphersuites wasn't working in some cases. Fixes #5740 Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5855) commit 034cb87b6c7758986b40692d1d5abdd2a7ba826e Author: Matt Caswell Date: Tue Apr 3 12:31:53 2018 +0100 Add some tests for configuring the TLSv1.3 ciphersuites Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5855) --- Summary of changes: ssl/ssl_ciph.c| 136 +++--- ssl/ssl_lib.c | 93 -- ssl/ssl_locl.h| 1 + test/sslapitest.c | 82 ++ test/sslcorrupttest.c | 6 +-- 5 files changed, 213 insertions(+), 105 deletions(-) diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index be728df..9011e42 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -15,6 +15,7 @@ #include #include #include +#include #include "internal/nelem.h" #include "ssl_locl.h" #include "internal/thread_once.h" @@ -1274,6 +1275,131 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, } #endif +static int ciphersuite_cb(const char *elem, int len, void *arg) +{ +STACK_OF(SSL_CIPHER) *ciphersuites = (STACK_OF(SSL_CIPHER) *)arg; +const SSL_CIPHER *cipher; +/* Arbitrary sized temp buffer for the cipher name. Should be big enough */ +char name[80]; + +if (len > (int)(sizeof(name) - 1)) { +SSLerr(SSL_F_CIPHERSUITE_CB, SSL_R_NO_CIPHER_MATCH); +return 0; +} + +memcpy(name, elem, len); +name[len] = '\0'; + +cipher = ssl3_get_cipher_by_std_name(name); +if (cipher == NULL) { +SSLerr(SSL_F_CIPHERSUITE_CB, SSL_R_NO_CIPHER_MATCH); +return 0; +} + +if (!sk_SSL_CIPHER_push(ciphersuites, cipher)) { +SSLerr(SSL_F_CIPHERSUITE_CB, ERR_R_INTERNAL_ERROR); +return 0; +} + +return 1; +} + +int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str) +{ +STACK_OF(SSL_CIPHER) *newciphers = sk_SSL_CIPHER_new_null(); + +if (newciphers == NULL) +return 0; + +/* Parse the list. We explicitly allow an empty list */ +if (*str != '\0' +&& !CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers)) { +sk_SSL_CIPHER_free(newciphers); +return 0; +} +sk_SSL_CIPHER_free(*currciphers); +*currciphers = newciphers; + +return 1; +} + +static int update_cipher_list_by_id(STACK_OF(SSL_CIPHER) **cipher_list_by_id, +STACK_OF(SSL_CIPHER) *cipherstack) +{ +STACK_OF(SSL_CIPHER) *tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack); + +if (tmp_cipher_list == NULL) { +return 0; +} + +sk_SSL_CIPHER_free(*cipher_list_by_id); +*cipher_list_by_id = tmp_cipher_list; + +(void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, ssl_cipher_ptr_id_cmp); +sk_SSL_CIPHER_sort(*cipher_list_by_id); + +return 1; +} + +static int update_cipher_list(STACK_OF(SSL_CIPHER) **cipher_list, + STACK_OF(SSL_CIPHER) **cipher_list_by_id, + STACK_OF(SSL_CIPHER) *tls13_ciphersuites) +{ +int i; +STACK_OF(SSL_CIPHER) *tmp_cipher_list = sk_SSL_CIPHER_dup(*cipher_list); + +if (tmp_cipher_list == NULL) +return 0; + +/* + * Delete any existing TLSv1.3 ciphersuites. These are always first in the + * list. + */ +while (sk_SSL_CIPHER_num(tmp_cipher_list) > 0 + && sk_SSL_CIPHER_value(tmp_cipher_list, 0)->min_tls + == TLS1_3_VERSION) +sk_SSL_CIPHER_delete(tmp_cipher_list, 0); + +/* Insert the new TLSv1.3 ciphersuites */ +for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) +sk_SSL_CIPHER_insert(tmp_cipher_list, + sk_SSL_CIPHER_value(tls13_ciphersuites, i), i); + +if (!update_cipher_list_by_id(cipher_list_by_id, tmp_cipher_list)) +return 0; + +sk_SSL_CIPHER_free(*cipher_list); +*cipher_list = tmp_cipher_list; + +return 1; +} + +int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) +{ +int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str); + +if (ret && ctx->cipher_list != NULL) { +/* We already have a cipher_list, so we need to update it */ +return
[openssl-commits] Build failed: openssl master.17021
Build openssl master.17021 failed Commit f41d76c2c3 by Matt Caswell on 4/4/2018 2:02 PM: Update the info callback documentation for TLSv1.3 Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 6ddcf90fae372da897bdf84d0949618bbdb4abab (commit) from c255668c61e6b4800aa9c6e293a12942eccf511b (commit) - Log - commit 6ddcf90fae372da897bdf84d0949618bbdb4abab Author: Richard LevitteDate: Wed Apr 4 15:28:19 2018 +0200 Don't use CPP in Configurations/unix-Makefile.tmpl We started using $(CPP) instead of $(CC) -E, with the assumption that CPP would be predefined. This is, however, not always true, and rather depends on the 'make' implementation. Furthermore, on platforms where CPP=cpp or something else other than '$(CC) -E', there's a risk that it won't understand machine specific flags that we pass to it. So it turns out that trying to use $(CPP) was a mistake, and we therefore revert that use back to using $(CC) -E directly. Fixes #5867 Note: this affects config targets that use Alpha, ARM, IA64, MIPS, s390x or SPARC assembler modules. Reviewed-by: Andy Polyakov (Merged from https://github.com/openssl/openssl/pull/5871) --- Summary of changes: Configurations/unix-Makefile.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 40cf2c3..1bfaa97 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -848,7 +848,7 @@ EOF $recipe .= <<"EOF"; $obj$objext: $deps ( trap "rm -f \$@.*" INT 0; \\ - \$(CPP) $incs \$(CFLAGS) $ecflags $srcs | \\ + \$(CC) $incs \$(CFLAGS) $ecflags -E $srcs | \\ \$(PERL) -ne '/^#(line)?\\s*[0-9]+/ or print' > \$@.s && \\ \$(CC) \$(CFLAGS) $ecflags -c -o \$\@ \$@.s ) EOF _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via d3f9268aa58507eb2d25fd0b49f54efdc098f4e6 (commit) from d8fa9324d25b07efd45761a0fee6b0f89c18924b (commit) - Log - commit d3f9268aa58507eb2d25fd0b49f54efdc098f4e6 Author: Richard LevitteDate: Wed Apr 4 15:23:30 2018 +0200 Don't use CPP in Configurations/unix-Makefile.tmpl We started using $(CPP) instead of $(CC) -E, with the assumption that CPP would be predefined. This is, however, not always true, and rather depends on the 'make' implementation. Furthermore, on platforms where CPP=cpp or something else other than '$(CC) -E', there's a risk that it won't understand machine specific flags that we pass to it. So it turns out that trying to use $(CPP) was a mistake, and we therefore revert that use back to using $(CC) -E directly. Fixes #5867 Note: this affects config targets that use Alpha, ARM, IA64, MIPS, s390x or SPARC assembler modules. Reviewed-by: Andy Polyakov (Merged from https://github.com/openssl/openssl/pull/5872) --- Summary of changes: Configurations/unix-Makefile.tmpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index cc66abe..caf2783 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -954,7 +954,7 @@ EOF } return <<"EOF"; $args{src}: $args{generator}->[0] $deps - \$(CPP) $incs $cppflags $args{generator}->[0] | \\ + \$(CC) $incs $cppflags -E $args{generator}->[0] | \\ \$(PERL) -ne '/^#(line)?\\s*[0-9]+/ or print' > \$@ EOF } @@ -1012,7 +1012,7 @@ EOF $recipe .= <<"EOF"; $obj$objext: $deps ( trap "rm -f \$@.*" INT 0; \\ - \$(CPP) $incs $cmdflags $srcs | \\ + \$(CC) $incs $cmdflags -E $srcs | \\ \$(PERL) -ne '/^#(line)?\\s*[0-9]+/ or print' > \$@.s && \\ $cmd $cmdflags -c -o \$\@ \$@.s ) EOF _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via d8fa9324d25b07efd45761a0fee6b0f89c18924b (commit) from 6b49b30811f4afa0340342af9400b8d0357b5291 (commit) - Log - commit d8fa9324d25b07efd45761a0fee6b0f89c18924b Author: cedralDate: Wed Apr 4 14:54:47 2018 +0200 Visual Studio 2017 debug build warning error on 32 bit build Reviewed-by: Rich Salz Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/5799) --- Summary of changes: ssl/t1_trce.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index d3f67f5..394df98 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c @@ -1504,7 +1504,8 @@ void SSL_trace(int write_p, int version, int content_type, int hvers; /* avoid overlapping with length at the end of buffer */ -if (msglen < (SSL_IS_DTLS(ssl) ? 13 : 5)) { +if (msglen < (size_t)(SSL_IS_DTLS(ssl) ? +DTLS1_RT_HEADER_LENGTH : SSL3_RT_HEADER_LENGTH)) { BIO_puts(bio, write_p ? "Sent" : "Received"); ssl_print_hex(bio, 0, " too short message", msg, msglen); break; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 6b49b30811f4afa0340342af9400b8d0357b5291 (commit) from 284f4f6b70998b2b46dc74c3003c82cb1db0e742 (commit) - Log - commit 6b49b30811f4afa0340342af9400b8d0357b5291 Author: Bernd EdlingerDate: Tue Apr 3 23:47:10 2018 +0200 Prevent a possible recursion in ERR_get_state and fix the problem that was pointed out in commit aef84bb4efbddfd95d042f3f5f1d362ed7d4faeb differently. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5863) --- Summary of changes: crypto/err/err.c | 18 -- crypto/init.c| 12 +--- 2 files changed, 9 insertions(+), 21 deletions(-) diff --git a/crypto/err/err.c b/crypto/err/err.c index 1fb71e7..f55655c 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -667,25 +667,23 @@ ERR_STATE *ERR_get_state(void) if (!RUN_ONCE(_init, err_do_init)) return NULL; -/* - * If base OPENSSL_init_crypto() hasn't been called yet, be sure to call - * it now to avoid state to be doubly allocated and thereby leak memory. - * Needed on any platform that doesn't define OPENSSL_USE_NODELETE. - */ -if (!OPENSSL_init_crypto(0, NULL)) -return NULL; - state = CRYPTO_THREAD_get_local(_thread_local); +if (state == (ERR_STATE*)-1) +return NULL; if (state == NULL) { +if (!CRYPTO_THREAD_set_local(_thread_local, (ERR_STATE*)-1)) +return NULL; + if ((state = OPENSSL_zalloc(sizeof(*state))) == NULL) { -/* ERRerr(ERR_F_ERR_GET_STATE, ERR_R_MALLOC_FAILURE); */ +CRYPTO_THREAD_set_local(_thread_local, NULL); return NULL; } if (!ossl_init_thread_start(OPENSSL_INIT_THREAD_ERR_STATE) -|| !CRYPTO_THREAD_set_local(_thread_local, state)) { +|| !CRYPTO_THREAD_set_local(_thread_local, state)) { ERR_STATE_free(state); +CRYPTO_THREAD_set_local(_thread_local, NULL); return NULL; } diff --git a/crypto/init.c b/crypto/init.c index 37b7a7c..c79c32c 100644 --- a/crypto/init.c +++ b/crypto/init.c @@ -540,18 +540,8 @@ void OPENSSL_cleanup(void) */ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) { -static int stoperrset = 0; - if (stopped) { -if (!stoperrset) { -/* - * We only ever set this once to avoid getting into an infinite - * loop where the error system keeps trying to init and fails so - * sets an error etc - */ -stoperrset = 1; -CRYPTOerr(CRYPTO_F_OPENSSL_INIT_CRYPTO, ERR_R_INIT_FAIL); -} +CRYPTOerr(CRYPTO_F_OPENSSL_INIT_CRYPTO, ERR_R_INIT_FAIL); return 0; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 284f4f6b70998b2b46dc74c3003c82cb1db0e742 (commit) from dc55e4f70f401c5869410d6a0c068c18c3fd53ec (commit) - Log - commit 284f4f6b70998b2b46dc74c3003c82cb1db0e742 Author: Bernd EdlingerDate: Wed Apr 4 14:45:49 2018 +0200 Don't use getenv for critical functions when run as setuid/setgid Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/5856) --- Summary of changes: CHANGES | 4 crypto/conf/conf_mod.c | 8 +--- crypto/engine/eng_list.c| 3 ++- doc/man3/ENGINE_add.pod | 1 + doc/man3/OPENSSL_config.pod | 11 +++ doc/man5/config.pod | 16 6 files changed, 39 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index b4d0329..40b5823 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,10 @@ Changes between 1.1.0h and 1.1.1 [xx XXX ] + *) Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values + in libcrypto when run as setuid/setgid. + [Bernd Edlinger] + *) Added new public header file and documentation for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview. [Matthias St. Pierre] diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c index 99f0fcc..4a848b8 100644 --- a/crypto/conf/conf_mod.c +++ b/crypto/conf/conf_mod.c @@ -480,9 +480,11 @@ char *CONF_get1_default_config_file(void) char *file, *sep = ""; int len; -file = getenv("OPENSSL_CONF"); -if (file) -return OPENSSL_strdup(file); +if (!OPENSSL_issetugid()) { +file = getenv("OPENSSL_CONF"); +if (file) +return OPENSSL_strdup(file); +} len = strlen(X509_get_default_cert_area()); #ifndef OPENSSL_SYS_VMS diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c index bfd91e2..4bc7ea1 100644 --- a/crypto/engine/eng_list.c +++ b/crypto/engine/eng_list.c @@ -317,7 +317,8 @@ ENGINE *ENGINE_by_id(const char *id) * Prevent infinite recursion if we're looking for the dynamic engine. */ if (strcmp(id, "dynamic")) { -if ((load_dir = getenv("OPENSSL_ENGINES")) == NULL) +if (OPENSSL_issetugid() +|| (load_dir = getenv("OPENSSL_ENGINES")) == NULL) load_dir = ENGINESDIR; iterator = ENGINE_by_id("dynamic"); if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) || diff --git a/doc/man3/ENGINE_add.pod b/doc/man3/ENGINE_add.pod index b009949..a2fc299 100644 --- a/doc/man3/ENGINE_add.pod +++ b/doc/man3/ENGINE_add.pod @@ -568,6 +568,7 @@ extension). =item B The path to the engines directory. +Ignored in set-user-ID and set-group-ID programs. =back diff --git a/doc/man3/OPENSSL_config.pod b/doc/man3/OPENSSL_config.pod index e70fcd5..ac686e6 100644 --- a/doc/man3/OPENSSL_config.pod +++ b/doc/man3/OPENSSL_config.pod @@ -48,6 +48,17 @@ application calls OPENSSL_config() it doesn't need to know or care about ENGINE control operations because they can be performed by editing a configuration file. +=head1 ENVIRONMENT + +=over 4 + +=item B + +The path to the config file. +Ignored in set-user-ID and set-group-ID programs. + +=back + =head1 RETURN VALUES Neither OPENSSL_config() nor OPENSSL_no_config() return a value. diff --git a/doc/man5/config.pod b/doc/man5/config.pod index ef8e10e..09d72be 100644 --- a/doc/man5/config.pod +++ b/doc/man5/config.pod @@ -384,6 +384,22 @@ will output: showing that the OID "newoid1" has been added as "1.2.3.4.1". +=head1 ENVIRONMENT + +=over 4 + +=item B + +The path to the config file. +Ignored in set-user-ID and set-group-ID programs. + +=item B + +The path to the engines directory. +Ignored in set-user-ID and set-group-ID programs. + +=back + =head1 BUGS Currently there is no way to include characters using the octal B<\nnn> _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via a2e614d7f5554b477dedd0066709df3cd3e14990 (commit) from f0dd77fca46f3d630d5a47d3bb93e8d50c66f7df (commit) - Log - commit a2e614d7f5554b477dedd0066709df3cd3e14990 Author: Richard LevitteDate: Wed Apr 4 11:14:44 2018 +0200 Generalise the rewrites of older tarballs We enumerated every series when we could as simply handle them all with one simple regexp. --- Summary of changes: bin/mk-latest | 10 +- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/bin/mk-latest b/bin/mk-latest index 2307837..8c2d3a7 100755 --- a/bin/mk-latest +++ b/bin/mk-latest @@ -43,15 +43,7 @@ print <<\EOF; RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^(openssl-0\.9\.\d.*) old/0.9.x/$1 [L] RewriteCond %{REQUEST_FILENAME} !-f -RewriteRule ^openssl-(1\.0\.0.*) old/1.0.0/openssl-$1 [L] -RewriteCond %{REQUEST_FILENAME} !-f -RewriteRule ^openssl-(1\.0\.1.*) old/1.0.1/openssl-$1 [L] -RewriteCond %{REQUEST_FILENAME} !-f -RewriteRule ^openssl-(1\.0\.2.*) old/1.0.2/openssl-$1 [L] -RewriteCond %{REQUEST_FILENAME} !-f -RewriteRule ^openssl-(1\.1\.0.*) old/1.1.0/openssl-$1 [L] -RewriteCond %{REQUEST_FILENAME} !-f -RewriteRule ^openssl-(1\.1\.1.*) old/1.1.1/openssl-$1 [L] +RewriteRule ^(openssl-(\d+\.\d+\.\d+).*) old/$2/$1 [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^openssl-(fips.*) old/fips/openssl-$1 [L] _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits