[openssl-commits] Build failed: openssl master.17216
Build openssl master.17216 failed Commit 2ab1dbb15d by Paul Yang on 4/12/2018 2:39 AM: Support temporary file writing for -out option Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build failed: openssl master.17213
Build openssl master.17213 failed Commit 3e48ea0346 by Andy Polyakov on 4/12/2018 8:59 PM: TLSProxy/Proxy.pm: don't leave SNI to chance [to be squashed]. Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build failed: openssl master.17210
Build openssl master.17210 failed Commit 96cc6f093d by Todd Short on 4/12/2018 5:32 PM: Fix hashing algorithm Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build completed: openssl master.17206
Build openssl master.17206 completed Commit 362ff3c397 by Richard Levitte on 4/12/2018 1:34 PM: openssl rehash: use libcrypto variables for default dir Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build failed: openssl master.17205
Build openssl master.17205 failed Commit 769a940ab5 by Patrick Steuer on 4/3/2018 5:24 PM: s390x assembly pack: add KIMD/KLMD code path for sha3/shake Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via e73e4460aa47e8cb6c694625584c26e9298d0bb5 (commit) from a2e614d7f5554b477dedd0066709df3cd3e14990 (commit) - Log - commit e73e4460aa47e8cb6c694625584c26e9298d0bb5 Author: Mark J. CoxDate: Thu Apr 12 15:46:30 2018 +0100 Use a unified converter tool with Apache by making it handle both formats and abstracting the differences --- Summary of changes: bin/vulnxml2json.py| 137 - bin/vulnxml2jsonproject.py | 43 ++ 2 files changed, 117 insertions(+), 63 deletions(-) create mode 100644 bin/vulnxml2jsonproject.py diff --git a/bin/vulnxml2json.py b/bin/vulnxml2json.py index b905da1..cffa29f 100755 --- a/bin/vulnxml2json.py +++ b/bin/vulnxml2json.py @@ -3,8 +3,11 @@ # Convert our XML file to a JSON file as accepted by Mitre for CNA purposes # as per https://github.com/CVEProject/automation-working-group/blob/master/cve_json_schema/DRAFT-JSON-file-format-v4.md # +# ASF httpd and OpenSSL use quite similar files, so this script is designed to work with either +# from xml.dom import minidom +import HTMLParser import simplejson as json import codecs import re 
@@ -17,45 +20,15 @@ from jsonschema import validate from jsonschema import Draft4Validator import urllib -# Versions of OpenSSL we never released, to allow us to display ranges -neverreleased = "1.0.0h,"; +# Specific project stuff is here +import vulnxml2jsonproject as cfg # Location of CVE JSON schema (default, can use local file etc) default_cve_schema = "https://raw.githubusercontent.com/CVEProject/automation-working-group/master/cve_json_schema/CVE_JSON_4.0_min_public.schema; -def merge_affects(issue,base): -# let's merge the affects into a nice list which is better for Mitre text but we have to take into account our stange lettering scheme -prev = "" -anext = "" -alist = list() -vlist = list() -for affects in issue.getElementsByTagName('affects'): # so we can sort them - version = affects.getAttribute("version") - if (not base or base in version): - vlist.append(version) -for ver in sorted(vlist): - # print "version %s (last was %s, next was %s)" %(ver,prev,anext) - if (ver != anext): - alist.append([ver]) - elif len(alist[-1]) > 1: - alist[-1][-1] = ver - else: - alist[-1].append(ver) - prev = ver - if (unicode.isdigit(ver[-1])): # First version after 1.0.1 is 1.0.1a - anext = ver + "a" - elif (ver[-1] == "y"): - anext = ver[:-1] + "za"# We ran out of letters once so y->za->zb - else: - anext = ver[:-1]+chr(ord(ver[-1])+1) # otherwise after 1.0.1a is 1.0.1b - while (anext in neverreleased): # skip unreleased versions - anext = anext[:-1]+chr(ord(anext[-1])+1) - -return ",".join(['-'.join(map(str,aff)) for aff in alist]) - parser = OptionParser() parser.add_option("-s", "--schema", help="location of schema to check (default "+default_cve_schema+")", default=default_cve_schema,dest="schema") -parser.add_option("-i", "--input", help="input vulnerability file live openssl-web/news/vulnerabilities.xml", dest="input") +parser.add_option("-i", "--input", help="input vulnerability file vulnerabilities.xml", dest="input") parser.add_option("-c", "--cve", help="comma 
separated list of cve names to generate a json file for (or all)", dest="cves") parser.add_option("-o", "--outputdir", help="output directory for json file (default ./)", default=".", dest="outputdir") (options, args) = parser.parse_args() @@ -74,61 +47,99 @@ cvej = list() with codecs.open(options.input,"r","utf-8") as vulnfile: vulns = vulnfile.read() dom = minidom.parseString(vulns.encode("utf-8")) -issues = dom.getElementsByTagName('issue') -for issue in issues: -cve = issue.getElementsByTagName('cve')[0].getAttribute('name') -if (cve == ""): + +for issue in dom.getElementsByTagName('issue'): +if not issue.getElementsByTagName('cve'): +continue +# ASF httpd has CVE- prefix, but OpenSSL does not, make either work +cvename = issue.getElementsByTagName('cve')[0].getAttribute('name').replace('CVE-','') +if (cvename == ""): continue -if (options.cves): - if (not cve in options.cves): +if (options.cves): # If we only want a certain list of CVEs, skip the rest + if (not cvename in options.cves): continue + cve = dict() cve['data_type']="CVE" cve['data_format']="MITRE" cve['data_version']="4.0" -cve['CVE_data_meta']= { "ID": "CVE-"+issue.getElementsByTagName('cve')[0].getAttribute('name'), "ASSIGNER": "openssl-secur...@openssl.org", "STATE":"PUBLIC" } +cve['CVE_data_meta']= { "ID": "CVE-"+cvename,
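Review bot: The comment `# Specific project stuff is here` above `import vulnxml2jsonproject as cfg` in the second hunk does not say which names the project module has to provide, yet the commit message presents the script as shared between two projects. Extending it to something like `# Per-project settings and helpers; see vulnxml2jsonproject.py for the names a project must define` would tell the other project what to supply. The module is resolved through the normal import path, so it is also worth stating that it is expected to sit next to this script in `bin/`. The new module's contents are not visible on this page, so the exact list of names has to come from that file.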
[openssl-commits] [openssl] master update
The branch master has been updated via 362ff3c39703633ac53ba9130c7acc02177bedc5 (commit) via adaf3cfad2319fe5c0d6fe179c726cc85eebf2d3 (commit) from 18d1588268f0fbec249d3386113df4452234573d (commit) - Log - commit 362ff3c39703633ac53ba9130c7acc02177bedc5 Author: Richard LevitteDate: Thu Apr 12 13:30:57 2018 +0200 openssl rehash: use libcrypto variables for default dir X509_get_default_cert_dir_env() returns the default environment variable to check for certificate directories. X509_get_default_cert_dir() returns the default configured certificate directory. Use these instead of hard coding our own values, and thereby be more integrated with the rest of OpenSSL. Reviewed-by: Andy Polyakov (Merged from https://github.com/openssl/openssl/pull/5937) commit adaf3cfad2319fe5c0d6fe179c726cc85eebf2d3 Author: Richard Levitte Date: Thu Apr 12 13:30:21 2018 +0200 openssl rehash: document -compat Fixes #5902 Reviewed-by: Andy Polyakov (Merged from https://github.com/openssl/openssl/pull/5937) --- Summary of changes: apps/rehash.c | 7 --- doc/man1/rehash.pod | 6 ++ 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/apps/rehash.c b/apps/rehash.c index 6f2b5da..2b6167f 100644 --- a/apps/rehash.c +++ b/apps/rehash.c @@ -479,13 +479,14 @@ int rehash_main(int argc, char **argv) if (*argv != NULL) { while (*argv != NULL) errs += do_dir(*argv++, h); -} else if ((env = getenv("SSL_CERT_DIR")) != NULL) { +} else if ((env = getenv(X509_get_default_cert_dir_env())) != NULL) { +char lsc[2] = { LIST_SEPARATOR_CHAR, '\0' }; m = OPENSSL_strdup(env); -for (e = strtok(m, ":"); e != NULL; e = strtok(NULL, ":")) +for (e = strtok(m, lsc); e != NULL; e = strtok(NULL, lsc)) errs += do_dir(e, h); OPENSSL_free(m); } else { -errs += do_dir("/etc/ssl/certs", h); +errs += do_dir(X509_get_default_cert_dir(), h); } end: diff --git a/doc/man1/rehash.pod b/doc/man1/rehash.pod index 79268d4..0a192e9 100644 --- a/doc/man1/rehash.pod +++ b/doc/man1/rehash.pod 
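Review bot: `m = OPENSSL_strdup(env)` in the rewritten environment-variable branch is still used without a NULL check, so on allocation failure the loop starts with `strtok(m, lsc)` receiving a NULL first argument. That is not a valid initial call; depending on the C library it resumes whatever string an earlier strtok call left behind or faults. Since the branch is being touched anyway, guard it right after the duplicate, for example `if (m == NULL) { errs++; goto end; }`, provided the cleanup under `end:` copes with that path. That cleanup and the rest of rehash_main lie outside this hunk.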
@@ -99,6 +99,12 @@ Note that current versions will not use the old style. Do not remove existing links. This is needed when keeping new and old-style links in the same directory. +=item B<-compat> + +Generate links for both old-style (MD5) and new-style (SHA1) hashing. +This allows releases before 1.0.0 to use these links along-side newer +releases. + =item B<-v> Print messages about old links removed and new links created. _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 18d1588268f0fbec249d3386113df4452234573d (commit) from 0652e8a7fe6dd8cbdf4516b221642b10bbfc68fe (commit) - Log - commit 18d1588268f0fbec249d3386113df4452234573d Author: Andy PolyakovDate: Wed Apr 11 10:11:07 2018 +0200 Configurations/*.tmpl: refine build_all_generated. Purpose of build_all_generated is to execute all the rules that require perl, so that one can copy the tree to system with compiler but without perl. This commit removes last dependencies on perl. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/5929) --- Summary of changes: Configurations/descrip.mms.tmpl | 5 + Configurations/unix-Makefile.tmpl| 21 +++-- Configurations/windows-makefile.tmpl | 10 ++ 3 files changed, 26 insertions(+), 10 deletions(-) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 09b6763..bbd9b0e 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -415,6 +415,11 @@ build_apps build_tests : build_programs # Convenience target to prebuild all generated files, not just the mandatory # ones build_all_generated : $(GENERATED_MANDATORY) $(GENERATED) + @ ! {- output_off() if $disabled{makedepend}; "" -} + @ WRITE SYS$OUTPUT "Warning: consider configuring with no-makedepend, because if" + @ WRITE SYS$OUTPUT " target system doesn't have $(PERL)," + @ WRITE SYS$OUTPUT " then make will fail..." + @ ! {- output_on() if $disabled{makedepend}; "" -} test : tests {- dependmagic('tests'); -} : build_programs_nodep, build_engines_nodep diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 46a4866..39df5cd 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl 
@@ -353,6 +353,11 @@ build_apps build_tests: build_programs # Convenience target to prebuild all generated files, not just the mandatory # ones build_all_generated: $(GENERATED_MANDATORY) $(GENERATED) + @ : {- output_off() if $disabled{makedepend}; "" -} + @echo "Warning: consider configuring with no-makedepend, because if" + @echo " target system doesn't have $(PERL)," + @echo " then make will fail..." + @ : {- output_on() if $disabled{makedepend}; "" -} test: tests {- dependmagic('tests'); -}: build_programs_nodep build_engines_nodep link-utils @@ -1000,18 +1005,14 @@ $obj$objext: $deps $cmd $cmdflags -c -o \$\@ $srcs EOF } elsif (grep /\.S$/, @srcs) { - # In case one wonders why not just $(CC) -c file.S. While it - # does work with contemporary compilers, there are some legacy - # ones that get it wrong. Hence the elaborate scheme... We - # don't care to maintain dependecy lists, because dependency - # is rather weak, at most one header file that lists constants - # which are assigned in ascending order. + # Originally there was mutli-step rule with $(CC) -E file.S + # followed by $(CC) -c file.s. It compensated for one of + # legacy platform compiler's inability to handle .S files. + # The platform is long discontinued by vendor so there is + # hardly a point to drag it along... $recipe .= <<"EOF"; $obj$objext: $deps - ( trap "rm -f \$@.*" INT 0; \\ - \$(CC) $incs $cmdflags -E $srcs | \\ - \$(PERL) -ne '/^#(line)?\\s*[0-9]+/ or print' > \$@.s && \\ - $cmd $cmdflags -c -o \$\@ \$@.s ) + $cmd $incs $cmdflags -c -o \$\@ $srcs EOF } elsif (defined $makedepprog && $makedepprog !~ /\/makedepend/) { $recipe .= <<"EOF"; diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index 1c6ce51..c51e4c7 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl 
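Review bot: The replacement comment in the `.S` branch of the second hunk has a typo and is hard to read: `mutli-step` should be `multi-step`, and "one of legacy platform compiler's inability" does not parse. Suggested wording for the first lines: `# Originally there was a multi-step rule with $(CC) -E file.S followed by` / `# $(CC) -c file.s, which compensated for one legacy compiler's inability to handle .S files.` Naming the discontinued platform in the comment would also help anyone who later has to judge whether the old scheme can stay removed.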
@@ -319,6 +319,11 @@ build_apps build_tests: build_programs # Convenience target to prebuild all generated files, not just the mandatory # ones build_all_generated: $(GENERATED_MANDATORY) $(GENERATED) + @rem {- output_off() if $disabled{makedepend}; "" -} + @echo "Warning: consider configuring with no-makedepend, because if" + @echo " target system doesn't have $(PERL)," + @echo " then make will fail..." + @rem {- output_on() if $disabled{makedepend}; "" -} test: tests {- dependmagic('tests'); -}: build_programs_nodep build_engines_nodep @@ -580,6 +585,11 @@ EOF $obj$objext: $deps \$(AS) $asflags \$(ASOUTFLAG)\$\@ $srcs EOF + } elsif ($srcs[0] =~ /.S$/) { + return <<"EOF"; +$obj$objext: $deps + \$(CC) /EP /D__ASSEMBLER__ $cflags
[openssl-commits] Build completed: openssl master.17199
Build openssl master.17199 completed Commit 198b763cae by Richard Levitte on 4/12/2018 11:30 AM: openssl rehash: use libcrypto variables for default dir Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via d1a64149b061172d120559aea289498ec680b497 (commit) from 06196e717651fe2c724fb326e31e8d666b27de33 (commit) - Log - commit d1a64149b061172d120559aea289498ec680b497 Author: Daniel BeveniusDate: Thu Apr 12 13:39:37 2018 +0200 Clarify default section in config.pod This is a minor update which hopefully makes these particular lines read a little easier. Reviewed-by: Matthias St. Pierre Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/5938) (cherry picked from commit 0652e8a7fe6dd8cbdf4516b221642b10bbfc68fe) (cherry picked from commit 9e8554fca5019b81ed7659d97f103f388ea3a2bf) --- Summary of changes: doc/apps/config.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/apps/config.pod b/doc/apps/config.pod index 3f607d3..b1300a9 100644 --- a/doc/apps/config.pod +++ b/doc/apps/config.pod @@ -21,7 +21,7 @@ started or end of file is reached. A section name can consist of alphanumeric characters and underscores. The first section of a configuration file is special and is referred -to as the B section this is usually unnamed and is from the +to as the B section. This section is usually unnamed and spans from the start of file until the first named section. When a name is being looked up it is first looked up in a named section (if any) and then the default section. _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 9e8554fca5019b81ed7659d97f103f388ea3a2bf (commit) from 7faab6869b09c7b66b52dd7b71469fe862157e32 (commit) - Log - commit 9e8554fca5019b81ed7659d97f103f388ea3a2bf Author: Daniel BeveniusDate: Thu Apr 12 13:39:37 2018 +0200 Clarify default section in config.pod This is a minor update which hopefully makes these particular lines read a little easier. Reviewed-by: Matthias St. Pierre Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/5938) (cherry picked from commit 0652e8a7fe6dd8cbdf4516b221642b10bbfc68fe) --- Summary of changes: doc/apps/config.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/apps/config.pod b/doc/apps/config.pod index 76f282f..1b935a7 100644 --- a/doc/apps/config.pod +++ b/doc/apps/config.pod @@ -20,7 +20,7 @@ started or end of file is reached. A section name can consist of alphanumeric characters and underscores. The first section of a configuration file is special and is referred -to as the B section this is usually unnamed and is from the +to as the B section. This section is usually unnamed and spans from the start of file until the first named section. When a name is being looked up it is first looked up in a named section (if any) and then the default section. _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 0652e8a7fe6dd8cbdf4516b221642b10bbfc68fe (commit) from ad5c205c011d1e2ec538d1f4d75477133e0dcab3 (commit) - Log - commit 0652e8a7fe6dd8cbdf4516b221642b10bbfc68fe Author: Daniel BeveniusDate: Thu Apr 12 13:39:37 2018 +0200 Clarify default section in config.pod This is a minor update which hopefully makes these particular lines read a little easier. Reviewed-by: Matthias St. Pierre Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/5938) --- Summary of changes: doc/man5/config.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man5/config.pod b/doc/man5/config.pod index 09d72be..c930ddd 100644 --- a/doc/man5/config.pod +++ b/doc/man5/config.pod @@ -18,7 +18,7 @@ started or end of file is reached. A section name can consist of alphanumeric characters and underscores. The first section of a configuration file is special and is referred -to as the B section this is usually unnamed and is from the +to as the B section. This section is usually unnamed and spans from the start of file until the first named section. When a name is being looked up it is first looked up in a named section (if any) and then the default section. _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build failed: openssl master.17198
Build openssl master.17198 failed Commit da253bdc76 by Andy Polyakov on 4/12/2018 11:32 AM: TLSProxy/Proxy.pm: further attempt to fix race condition [to be squashed]. Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build completed: openssl master.17193
Build openssl master.17193 completed Commit ee6089979d by Matt Caswell on 4/12/2018 8:59 AM: fixup! Add support for the SRP base64 alphabet Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 7faab6869b09c7b66b52dd7b71469fe862157e32 (commit) from ca1beab7c11f0fe5e2717adc85fcf4ee8a9b4ae1 (commit) - Log - commit 7faab6869b09c7b66b52dd7b71469fe862157e32 Author: Rich SalzDate: Thu Apr 5 22:55:28 2018 -0400 Fix bugs in X509_NAME_ENTRY_set The wrong "set" field was incremented in the wrong place and would create a new RDN, not a multi-valued RDN. RDN inserts would happen after not before. Prepending an entry to an RDN incorrectly created a new RDN Anything which built up an X509_NAME could get a messed-up structure, which would then be "wrong" for anyone using that name. Thanks to Ingo Schwarze for extensive debugging and the initial fix (documented in GitHub issue #5870). Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/5882) (cherry picked from commit bbf27cd58337116c57a1c942153330ff83d5540a) --- Summary of changes: crypto/x509/x509name.c | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/crypto/x509/x509name.c b/crypto/x509/x509name.c index f87dc7d..3dc781f 100644 --- a/crypto/x509/x509name.c +++ b/crypto/x509/x509name.c @@ -191,7 +191,7 @@ int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc, loc = n; else if (loc < 0) loc = n; - +inc = (set == 0); name->modified = 1; if (set == -1) { @@ -200,7 +200,6 @@ int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc, inc = 1; } else { set = sk_X509_NAME_ENTRY_value(sk, loc - 1)->set; -inc = 0; } } else {/* if (set >= 0) */ 
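Review bot: The new `inc = (set == 0);` in the first hunk is correct only because it runs before `set` is overwritten with a neighbouring entry's set index in the branches below, and nothing on the line says so. A comment such as `/* record the caller's request for a new RDN before set is reused as an index */` would stop a later reordering from silently bringing back the malformed-name bug the commit message describes. The diffstat touches only x509name.c, so a regression test would also be worth adding: build a multi-valued RDN by prepending and appending entries, then check each entry's `set` value. X509_NAME_add_entry starts and ends outside these hunks.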
@@ -211,12 +210,11 @@ int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc, set = 0; } else set = sk_X509_NAME_ENTRY_value(sk, loc)->set; -inc = (set == 0) ? 1 : 0; } /* * X509_NAME_ENTRY_dup is ASN1 generated code, that can't be easily - * const'ified; harmless cast as dup() don't modify its input. + * const'ified; harmless cast since dup() don't modify its input. */ if ((new_name = X509_NAME_ENTRY_dup((X509_NAME_ENTRY *)ne)) == NULL) goto err; @@ -228,7 +226,7 @@ int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc, if (inc) { n = sk_X509_NAME_ENTRY_num(sk); for (i = loc + 1; i < n; i++) -sk_X509_NAME_ENTRY_value(sk, i - 1)->set += 1; +sk_X509_NAME_ENTRY_value(sk, i)->set += 1; } return (1); err: _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build failed: openssl master.17192
Build openssl master.17192 failed Commit 8becaff86e by Andy Polyakov on 4/12/2018 8:05 AM: TLSProxy/Proxy.pm: straighten inner loop termination logic. Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build failed: openssl master.17189
Build openssl master.17189 failed Commit d39acc6484 by Paul Yang on 4/12/2018 2:39 AM: Support temporary file writing for -out option Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits