[openssl-commits] FAILED build of OpenSSL branch master with options -d --strict-warnings no-ec
Platform and configuration command: $ uname -a Linux run 4.4.0-119-generic #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-ec Commit log since last time: 55442b8 BIGNUM signed add/sub routines refactory 9f2a3bb Fix a memory leak in an error path a682365 Check the return from EVP_PKEY_get0_DH() 7d4488b Extend the SSL_set_bio() tests bd7775e Fix assertion failure in SSL_set_bio() 2bdeffe Update fingerprints.txt 5bbf42a Update the info callback documentation for TLSv1.3 5718fe4 Add a test for the info callback 7f9f5f7 Make sure info callback knows about all handshake start events c2c1d8a Call the info callback on all handshake done events ded4a83 Ignore the status_request extension in a resumption handshake a12de2c SSL_CTX_set_tlsext_ticket_key_cb.pod: fix error check of RAND_bytes() call e62fb0d p5_scrypt.c: fix error check of RAND_bytes() call 43687d6 DRBG: fix coverity issues 826e154 apps/s_socket.c: print only dynamically allocated port in do_server. dbabc86 Add a config option to disable automatic config loading a051af0 Prepare for 1.1.1-pre6-dev 4ff3df1 Prepare for 1.1.1-pre5 release 2842813 Update copyright year 6761890 OpenSSL 1.1.1-pre5: update CHANGES with recent user visible changes Build log ended with (last 100 lines): /usr/bin/perl ../openssl/test/generate_buildtest.pl x509 > test/buildtest_x509.c /usr/bin/perl ../openssl/test/generate_buildtest.pl x509_vfy > test/buildtest_x509_vfy.c /usr/bin/perl ../openssl/test/generate_buildtest.pl x509v3 > test/buildtest_x509v3.c clang -Iinclude -I../openssl/include -pthread -m64 -Qunused-arguments -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -Wno-unknown-warning-option -Wall -O0 -g -MMD -MF test/casttest.d.tmp -MT test/casttest.o -c -o test/casttest.o ../openssl/test/casttest.c clang -I. -Iinclude -Icrypto/include -I../openssl -I../openssl/include -I../openssl/crypto/include -pthread -m64 -Qunused-arguments -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -Wno-unknown-warning-option -Wall -O0 -g -MMD -MF test/chacha_internal_test.d.tmp -MT test/chacha_internal_test.o -c -o test/chacha_internal_test.o ../openssl/test/chacha_internal_test.c clang -Iinclude -I../openssl/include -pthread -m64 -Qunused-arguments -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -Wno-unknown-warning-option -Wall -O0 -g -MMD -MF test/cipherbytes_test.d.tmp -MT test/cipherbytes_test.o -c -o test/cipherbytes_test.o ../openssl/test/cipherbytes_test.c clang -Iinclude -I../openssl/include -pthread -m64 -Qunused-arguments -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -Wno-unknown-warning-option -Wall -O0 -g -MMD -MF test/cipherlist_test.d.tmp -MT test/cipherlist_test.o -c -o test/cipherlist_test.o ../openssl/test/cipherlist_test.c clang -Iinclude -I../openssl/include -pthread -m64 -Qunused-arguments -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -Wno-unknown-warning-option -Wall -O0 -g -MMD -MF test/ciphername_test.d.tmp -MT test/ciphername_test.o -c -o test/ciphername_test.o ../openssl/test/ciphername_test.c clang
[openssl-commits] [openssl] master update
The branch master has been updated via 55442b8a5b719f54578083fae0fcc814b599cd84 (commit) from 9f2a3bb19d42e6942cbbb7ea0a41a342ce158b94 (commit) - Log - commit 55442b8a5b719f54578083fae0fcc814b599cd84 Author: Davide GalassiDate: Tue Apr 17 16:57:22 2018 -0400 BIGNUM signed add/sub routines refactory Old code replaced in favor of a clearer implementation. Performances are not penalized. Updated the copyright end date to 2018. Reviewed-by: David Benjamin Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5963) --- Summary of changes: crypto/bn/bn_add.c | 132 +++-- 1 file changed, 47 insertions(+), 85 deletions(-) diff --git a/crypto/bn/bn_add.c b/crypto/bn/bn_add.c index 7cdefa7..f2736b8 100644 --- a/crypto/bn/bn_add.c +++ b/crypto/bn/bn_add.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -10,51 +10,69 @@ #include "internal/cryptlib.h" #include "bn_lcl.h" -/* r can == a or b */ +/* signed add of b to a. */ int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) { -int a_neg = a->neg, ret; +int ret, r_neg, cmp_res; bn_check_top(a); bn_check_top(b); -/*- - * a + b a+b - * a + -b a-b - * -a + b b-a - * -a + -b -(a+b) - */ -if (a_neg ^ b->neg) { -/* only one is negative */ -if (a_neg) { -const BIGNUM *tmp; - -tmp = a; -a = b; -b = tmp; +if (a->neg == b->neg) { +r_neg = a->neg; +ret = BN_uadd(r, a, b); +} else { +cmp_res = BN_ucmp(a, b); +if (cmp_res > 0) { +r_neg = a->neg; +ret = BN_usub(r, a, b); +} else if (cmp_res < 0) { +r_neg = b->neg; +ret = BN_usub(r, b, a); +} else { +r_neg = 0; +BN_zero(r); +ret = 1; } +} + +r->neg = r_neg; +bn_check_top(r); +return ret; +} + +/* signed sub of b from a. */ +int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) +{ +int ret, r_neg, cmp_res; -/* we are now a - b */ +bn_check_top(a); +bn_check_top(b); -if (BN_ucmp(a, b) < 0) { -if (!BN_usub(r, b, a)) -return 0; -r->neg = 1; +if (a->neg != b->neg) { +r_neg = a->neg; +ret = BN_uadd(r, a, b); +} else { +cmp_res = BN_ucmp(a, b); +if (cmp_res > 0) { +r_neg = a->neg; +ret = BN_usub(r, a, b); +} else if (cmp_res < 0) { +r_neg = !b->neg; +ret = BN_usub(r, b, a); } else { -if (!BN_usub(r, a, b)) -return 0; -r->neg = 0; +r_neg = 0; +BN_zero(r); +ret = 1; } -return 1; } -ret = BN_uadd(r, a, b); -r->neg = a_neg; +r->neg = r_neg; bn_check_top(r); return ret; } -/* unsigned add of b to a */ +/* unsigned add of b to a, r can be equal to a or b. */ int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) { int max, min, dif; @@ -151,59 +169,3 @@ int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) return 1; } -int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) -{ -int max; -int add = 0, neg = 0; - -bn_check_top(a); -bn_check_top(b); - -/*- - * a - b a-b - * a - -b a+b - * -a - b -(a+b) - * -a - -b b-a - */ -if (a->neg) { -if (b->neg) { -const BIGNUM *tmp; - -tmp = a; -a = b; -b = tmp; -} else { -add = 1; -neg = 1; -} -} else { -if (b->neg) { -add = 1; -neg = 0; -} -} - -if (add) { -if (!BN_uadd(r, a, b)) -return 0; -r->neg = neg; -return 1; -} - -/* We are actually doing a - b :-) */ - -max = (a->top > b->top) ? a->top : b->top; -if (bn_wexpand(r, max) == NULL) -return 0; -if (BN_ucmp(a, b) < 0) { -if (!BN_usub(r, b, a)) -return 0; -r->neg = 1; -} else { -if (!BN_usub(r, a, b)) -return 0; -r->neg = 0; -} -bn_check_top(r); -return 1; -} _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 82d8cec06ae8af5dbe68c8e4be38ad32ce9fa594 (commit) from 363c9f0ba4973a3d7d4ce743fadbc252aa9f0d4c (commit) - Log - commit 82d8cec06ae8af5dbe68c8e4be38ad32ce9fa594 Author: John EichenbergerDate: Tue Apr 3 16:08:31 2018 -0700 Correct the check of RSA_FLAG_SIGN_VER The wrong flags were being tested. It is the rsa->meth flags not the rsa flags that should be tested. wpa_supplicant has a bit of code that 1. Allocates and defines a RSA_METHOD structure. 2. calls RSA_new(); 3. calls RSA_set_method(). In current versions of that code the rsa_sign and rsa_verify members of the RSA_METHOD structure are not defined, thus making it compatible with the really old versions of OpenSSL. But should one change it use the rsa_sign method one must set the RSA_FLAG_SIGN_VER bit of the RSA_METHOD structure to indicate that one or both of those new methods are required. In doing so, OpenSSL will not call the new methods, not without this change. CLA: trivial Change-Id: I6e65a80f21399f25e966466ff676e3b21f85f360 Reviewed-by: Rich Salz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/5971) --- Summary of changes: crypto/rsa/rsa_sign.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c index 82ca832..b7fff43 100644 --- a/crypto/rsa/rsa_sign.c +++ b/crypto/rsa/rsa_sign.c @@ -84,7 +84,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len, return 0; } #endif -if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) { +if ((rsa->meth->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) { return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa); } /* Special case: SSL signature, just check the length */ @@ -293,7 +293,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, const unsigned char *sigbuf, unsigned int siglen, RSA *rsa) { -if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) { +if ((rsa->meth->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) { return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa); } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 9f2a3bb19d42e6942cbbb7ea0a41a342ce158b94 (commit) from a68236572850a1f50d5c40990b5a15a18ebea3bc (commit) - Log - commit 9f2a3bb19d42e6942cbbb7ea0a41a342ce158b94 Author: Matt CaswellDate: Mon Apr 16 18:41:01 2018 +0100 Fix a memory leak in an error path Found by Coverity. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5970) --- Summary of changes: crypto/srp/srp_vfy.c | 22 ++ 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 1bf2f26..b13c006 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -69,8 +69,10 @@ static int t_fromb64(unsigned char *a, size_t alen, const char *src) * 4 bytes unencoded = 6 bytes encoded * etc */ -if (padsize == 3) -return -1; +if (padsize == 3) { +outl = -1; +goto err; +} /* Valid padsize values are now 0, 1 or 2 */ @@ -80,12 +82,12 @@ static int t_fromb64(unsigned char *a, size_t alen, const char *src) /* Add any encoded padding that is required */ if (padsize != 0 && EVP_DecodeUpdate(ctx, a, , pad, padsize) < 0) { -EVP_ENCODE_CTX_free(ctx); -return -1; +outl = -1; +goto err; } if (EVP_DecodeUpdate(ctx, a, , (const unsigned char *)src, size) < 0) { -EVP_ENCODE_CTX_free(ctx); -return -1; +outl = -1; +goto err; } outl += outl2; EVP_DecodeFinal(ctx, a + outl, ); @@ -93,8 +95,11 @@ static int t_fromb64(unsigned char *a, size_t alen, const char *src) /* Strip off the leading padding */ if (padsize != 0) { -if ((int)padsize >= outl) -return -1; +if ((int)padsize >= outl) { +outl = -1; +goto err; +} + /* * If we added 1 byte of padding prior to encoding then we have 2 bytes * of "real" data which gets spread across 4 encoded bytes like this: @@ -112,6 +117,7 @@ static int t_fromb64(unsigned char *a, size_t alen, const char *src) outl -= padsize; } + err: EVP_ENCODE_CTX_free(ctx); return outl; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via a68236572850a1f50d5c40990b5a15a18ebea3bc (commit) from 7d4488bbd7ac34fffb776cccbfff6b4ac0387e03 (commit) - Log - commit a68236572850a1f50d5c40990b5a15a18ebea3bc Author: Matt CaswellDate: Tue Apr 17 11:32:20 2018 +0100 Check the return from EVP_PKEY_get0_DH() Fixes #5934 Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5983) --- Summary of changes: ssl/statem/statem_srvr.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 7e033ce..aa38fad 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -2481,6 +2481,12 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) } dh = EVP_PKEY_get0_DH(s->s3->tmp.pkey); +if (dh == NULL) { +SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); +goto err; +} EVP_PKEY_free(pkdh); pkdh = NULL; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 1d015368ebe245c4468522d152edfd8a1069426e (commit) from 8917c8909ab0f63cf5812bfc9cba7cbb9ccb5210 (commit) - Log - commit 1d015368ebe245c4468522d152edfd8a1069426e Author: Matt CaswellDate: Mon Apr 16 14:06:56 2018 +0100 Fix assertion failure in SSL_set_bio() If SSL_set_bio() is called with a NULL wbio after a failed connection then this can trigger an assertion failure. This should be valid behaviour and the assertion is in fact invalid and can simply be removed. Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/5966) (cherry picked from commit bd7775e14a19c326d3720f2345c2ae324409e979) --- Summary of changes: ssl/ssl_lib.c | 1 - 1 file changed, 1 deletion(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 8a190d2..a1a514f 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3519,7 +3519,6 @@ void ssl_free_wbio_buffer(SSL *s) return; s->wbio = BIO_pop(s->wbio); -assert(s->wbio != NULL); BIO_free(s->bbio); s->bbio = NULL; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 7d4488bbd7ac34fffb776cccbfff6b4ac0387e03 (commit) via bd7775e14a19c326d3720f2345c2ae324409e979 (commit) from 2bdeffefddd8e8a65a51a7b020f8d51a4a3b1602 (commit) - Log - commit 7d4488bbd7ac34fffb776cccbfff6b4ac0387e03 Author: Matt CaswellDate: Mon Apr 16 14:08:38 2018 +0100 Extend the SSL_set_bio() tests The SSL_set_bio() tests only did standalone testing without being in the context of an actual connection. We extend this to do additional tests following a successful or failed connection attempt. This would have caught the issue fixed in the previous commit. Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/5966) commit bd7775e14a19c326d3720f2345c2ae324409e979 Author: Matt Caswell Date: Mon Apr 16 14:06:56 2018 +0100 Fix assertion failure in SSL_set_bio() If SSL_set_bio() is called with a NULL wbio after a failed connection then this can trigger an assertion failure. This should be valid behaviour and the assertion is in fact invalid and can simply be removed. Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/5966) --- Summary of changes: ssl/ssl_lib.c | 2 - test/sslapitest.c | 127 -- 2 files changed, 95 insertions(+), 34 deletions(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index b1d78dc..1e24f84 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3844,8 +3844,6 @@ int ssl_free_wbio_buffer(SSL *s) return 1; s->wbio = BIO_pop(s->wbio); -if (!ossl_assert(s->wbio != NULL)) -return 0; BIO_free(s->bbio); s->bbio = NULL; diff --git a/test/sslapitest.c b/test/sslapitest.c index 1c9f294..338c61c 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -1113,11 +1113,27 @@ static int test_session_with_both_cache(void) #endif } -#define USE_NULL0 -#define USE_BIO_1 1 -#define USE_BIO_2 2 +#define USE_NULL0 +#define USE_BIO_1 1 +#define USE_BIO_2 2 +#define USE_DEFAULT 3 + +#define CONNTYPE_CONNECTION_SUCCESS 0 +#define CONNTYPE_CONNECTION_FAIL 1 +#define CONNTYPE_NO_CONNECTION 2 + +#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3) +#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS(2 * 2) +#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) +# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2) +#else +# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0 +#endif + -#define TOTAL_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3) +#define TOTAL_SSL_SET_BIO_TESTS TOTAL_NO_CONN_SSL_SET_BIO_TESTS \ ++ TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS \ ++ TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type) { @@ -1134,28 +1150,65 @@ static void setupbio(BIO **res, BIO *bio1, BIO *bio2, int type) } } + +/* + * Tests calls to SSL_set_bio() under various conditions. + * + * For the first 3 * 3 * 3 * 3 = 81 tests we do 2 calls to SSL_set_bio() with + * various combinations of valid BIOs or NULL being set for the rbio/wbio. We + * then do more tests where we create a successful connection first using our + * standard connection setup functions, and then call SSL_set_bio() with + * various combinations of valid BIOs or NULL. We then repeat these tests + * following a failed connection. In this last case we are looking to check that + * SSL_set_bio() functions correctly in the case where s->bbio is not NULL. + */ static int test_ssl_set_bio(int idx) { -SSL_CTX *ctx; +SSL_CTX *sctx = NULL, *cctx = NULL; BIO *bio1 = NULL; BIO *bio2 = NULL; BIO *irbio = NULL, *iwbio = NULL, *nrbio = NULL, *nwbio = NULL; -SSL *ssl = NULL; -int initrbio, initwbio, newrbio, newwbio; +SSL *serverssl = NULL, *clientssl = NULL; +int initrbio, initwbio, newrbio, newwbio, conntype; int testresult = 0; -initrbio = idx % 3; -idx /= 3; -initwbio = idx % 3; -idx /= 3; -newrbio = idx % 3; -idx /= 3; -newwbio = idx; -if (!TEST_int_le(newwbio, 2)) -return 0; +if (idx < TOTAL_NO_CONN_SSL_SET_BIO_TESTS) { +initrbio = idx % 3; +idx /= 3; +initwbio = idx % 3; +idx /= 3; +newrbio = idx % 3; +idx /= 3; +newwbio = idx % 3; +conntype = CONNTYPE_NO_CONNECTION; +} else { +idx -= TOTAL_NO_CONN_SSL_SET_BIO_TESTS; +initrbio = initwbio = USE_DEFAULT; +newrbio = idx % 2; +idx /= 2; +newwbio = idx % 2; +idx /= 2; +conntype = idx % 2; +} -if (!TEST_ptr(ctx =
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 363c9f0ba4973a3d7d4ce743fadbc252aa9f0d4c (commit) from 1084fc8f0086cece8ae1a1e9f484d30fdff25192 (commit) - Log - commit 363c9f0ba4973a3d7d4ce743fadbc252aa9f0d4c Author: Matt CaswellDate: Tue Apr 17 13:40:07 2018 +0100 Update fingerprints.txt Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5988) --- Summary of changes: doc/fingerprints.txt | 67 +++- 1 file changed, 14 insertions(+), 53 deletions(-) diff --git a/doc/fingerprints.txt b/doc/fingerprints.txt index 373e90d..2cb74ae 100644 --- a/doc/fingerprints.txt +++ b/doc/fingerprints.txt @@ -1,63 +1,24 @@ - Fingerprints +Fingerprints for Signing Releases -OpenSSL releases are signed with PGP/GnuPG keys. You can find the -signatures in separate files in the same location you find the -distributions themselves. The normal file name is the same as the -distribution file, with '.asc' added. For example, the signature for -the distribution of OpenSSL 1.0.1h, openssl-1.0.1h.tar.gz, is found in -the file openssl-1.0.1h.tar.gz.asc. +OpenSSL releases are signed with PGP/GnuPG keys. This file contains +the fingerprints of team members who are "authorized" to sign the +next release. + +The signature is a detached cleartxt signature, with the same name +as the release but with ".asc" appended. For example, release +1.0.1h can be found in openssl-1.0.1h.tar.gz with the signature +in the file named openssl-1.0.1h.tar.gz.asc. The following is the list of fingerprints for the keys that are currently in use to sign OpenSSL distributions: -pub 1024D/F709453B 2003-10-20 - Key fingerprint = C4CA B749 C34F 7F4C C04F DAC9 A7AF 9E78 F709 453B -uid Richard Levitte +pub 4096R/7DF9EE8C 2014-10-04 + Key fingerprint = 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C +uid Richard Levitte uid Richard Levitte -uid Richard Levitte - -pub 2048R/F295C759 1998-12-13 - Key fingerprint = D0 5D 8C 61 6E 27 E6 60 41 EC B1 B8 D5 7E E5 97 -uid Dr S N Henson - -pub 4096R/FA40E9E2 2005-03-19 - Key fingerprint = 6260 5AA4 334A F9F0 DDE5 D349 D357 7507 FA40 E9E2 -uid Dr Stephen Henson -uid Dr Stephen Henson -uid Dr Stephen N Henson -sub 4096R/8811F530 2005-03-19 - -pub 1024R/49A563D9 1997-02-24 - Key fingerprint = 7B 79 19 FA 71 6B 87 25 0E 77 21 E5 52 D9 83 BF -uid Mark Cox -uid Mark Cox -uid Mark Cox - -pub 1024R/9C58A66D 1997-04-03 - Key fingerprint = 13 D0 B8 9D 37 30 C3 ED AC 9C 24 7D 45 8C 17 67 -uid jaeni...@openssl.org -uid Lutz Jaenicke - -pub 1024D/2118CF83 1998-07-13 - Key fingerprint = 7656 55DE 62E3 96FF 2587 EB6C 4F6D E156 2118 CF83 -uid Ben Laurie -uid Ben Laurie -uid Ben Laurie -sub 4096g/1F5143E7 1998-07-13 - -pub 1024R/5A6A9B85 1994-03-22 - Key fingerprint = C7 AC 7E AD 56 6A 65 EC F6 16 66 83 7E 86 68 28 -uid Bodo Moeller <2...@bmoeller.de> -uid Bodo Moeller <2...@bmoeller.de> -uid Bodo Moeller <2...@bmoeller.de> -uid Bodo Moeller -uid Bodo Moeller -uid Bodo Moeller -uid Bodo Moeller <3moel...@informatik.uni-hamburg.de> -uid Bodo Moeller -uid Bodo Moeller <3moel...@rzdspc5.informatik.uni-hamburg.de> +uid Richard Levitte pub 2048R/0E604491 2013-04-30 Key fingerprint = 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491 +uid Matt Caswell uid Matt Caswell - _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 8917c8909ab0f63cf5812bfc9cba7cbb9ccb5210 (commit) from af2d06d245cd97de891213bb4c9e0f4b6dbe3bfb (commit) - Log - commit 8917c8909ab0f63cf5812bfc9cba7cbb9ccb5210 Author: Matt CaswellDate: Tue Apr 17 13:40:07 2018 +0100 Update fingerprints.txt Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5987) (cherry picked from commit 2bdeffefddd8e8a65a51a7b020f8d51a4a3b1602) --- Summary of changes: doc/fingerprints.txt | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/doc/fingerprints.txt b/doc/fingerprints.txt index 1863224..2cb74ae 100644 --- a/doc/fingerprints.txt +++ b/doc/fingerprints.txt @@ -18,10 +18,7 @@ uid Richard Levitte uid Richard Levitte uid Richard Levitte -pub 4096R/FA40E9E2 2005-03-19 - Key fingerprint = 6260 5AA4 334A F9F0 DDE5 D349 D357 7507 FA40 E9E2 -uid Dr Stephen N Henson - pub 2048R/0E604491 2013-04-30 Key fingerprint = 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491 +uid Matt Caswell uid Matt Caswell _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 2bdeffefddd8e8a65a51a7b020f8d51a4a3b1602 (commit) from 5bbf42a519c9fb70bfc13c2e4ad0044016c6f1ae (commit) - Log - commit 2bdeffefddd8e8a65a51a7b020f8d51a4a3b1602 Author: Matt CaswellDate: Tue Apr 17 13:40:07 2018 +0100 Update fingerprints.txt Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5987) --- Summary of changes: doc/fingerprints.txt | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/doc/fingerprints.txt b/doc/fingerprints.txt index 1863224..2cb74ae 100644 --- a/doc/fingerprints.txt +++ b/doc/fingerprints.txt @@ -18,10 +18,7 @@ uid Richard Levitte uid Richard Levitte uid Richard Levitte -pub 4096R/FA40E9E2 2005-03-19 - Key fingerprint = 6260 5AA4 334A F9F0 DDE5 D349 D357 7507 FA40 E9E2 -uid Dr Stephen N Henson - pub 2048R/0E604491 2013-04-30 Key fingerprint = 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491 +uid Matt Caswell uid Matt Caswell _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 5bbf42a519c9fb70bfc13c2e4ad0044016c6f1ae (commit) via 5718fe45605681c4d33e43e689491172af0b46c1 (commit) via 7f9f5f71e48b12b6029871cbf8542f21c7883c6c (commit) via c2c1d8a495d540e0b1b61f20c2c14f0c7ab7a8f0 (commit) from ded4a83d31f8271e5a74e6fbf357f9975d4878ec (commit) - Log - commit 5bbf42a519c9fb70bfc13c2e4ad0044016c6f1ae Author: Matt CaswellDate: Wed Apr 4 15:02:30 2018 +0100 Update the info callback documentation for TLSv1.3 Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5874) commit 5718fe45605681c4d33e43e689491172af0b46c1 Author: Matt Caswell Date: Wed Apr 4 14:16:28 2018 +0100 Add a test for the info callback Make sure the info callback gets called in all the places we expect it to. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5874) commit 7f9f5f71e48b12b6029871cbf8542f21c7883c6c Author: Matt Caswell Date: Wed Apr 4 14:28:23 2018 +0100 Make sure info callback knows about all handshake start events The first session ticket sent by the server is actually tacked onto the end of the first handshake from a state machine perspective. However in reality this is a post-handshake message, and should be preceeded by a handshake start event from an info callback perspective. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5874) commit c2c1d8a495d540e0b1b61f20c2c14f0c7ab7a8f0 Author: Matt Caswell Date: Wed Apr 4 14:17:10 2018 +0100 Call the info callback on all handshake done events Fixes #5721 Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5874) --- Summary of changes: doc/man3/SSL_CTX_set_info_callback.pod | 28 +++- ssl/statem/statem_lib.c| 17 ++- ssl/statem/statem_srvr.c | 17 +++ test/sslapitest.c | 257 + 4 files changed, 307 insertions(+), 12 deletions(-) diff --git a/doc/man3/SSL_CTX_set_info_callback.pod b/doc/man3/SSL_CTX_set_info_callback.pod index f4d9128..85187cf 100644 --- a/doc/man3/SSL_CTX_set_info_callback.pod +++ b/doc/man3/SSL_CTX_set_info_callback.pod @@ -2,7 +2,11 @@ =head1 NAME -SSL_CTX_set_info_callback, SSL_CTX_get_info_callback, SSL_set_info_callback, SSL_get_info_callback - handle information callback for SSL connections +SSL_CTX_set_info_callback, +SSL_CTX_get_info_callback, +SSL_set_info_callback, +SSL_get_info_callback +- handle information callback for SSL connections =head1 SYNOPSIS @@ -37,7 +41,8 @@ callback function for B. When setting up a connection and during use, it is possible to obtain state information from the SSL/TLS engine. When set, an information callback function -is called whenever the state changes, an alert appears, or an error occurs. +is called whenever a significant event occurs such as: the state changes, +an alert appears, or an error occurs. The callback function is called as B . The B argument specifies information about where (in which context) @@ -51,12 +56,15 @@ B is a bitmask made up of the following bits: =item SSL_CB_LOOP -Callback has been called to indicate state change inside a loop. +Callback has been called to indicate state change or some other significant +state machine event. This may mean that the callback gets invoked more than once +per state in some situations. =item SSL_CB_EXIT -Callback has been called to indicate error exit of a handshake function. -(May be soft error with retry option for non-blocking setups.) +Callback has been called to indicate exit of a handshake function. This will +happen after the end of a handshake, but may happen at other times too such as +on error or when IO might otherwise block and non-blocking is being used. =item SSL_CB_READ @@ -84,11 +92,17 @@ Callback has been called due to an alert being sent or received. =item SSL_CB_HANDSHAKE_START -Callback has been called because a new handshake is started. +Callback has been called because a new handshake is started. In TLSv1.3 this is +also used for the start of post-handshake message exchanges such as for the +exchange of session tickets, or for key updates. It also occurs when resuming a +handshake following a pause to handle early data. =item SSL_CB_HANDSHAKE_DONE 0x20 -Callback has been called because a handshake is finished. +Callback has been called because a handshake is finished. In TLSv1.3 this is +also used at the end of an exchange of post-handshake messages such as for
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 1084fc8f0086cece8ae1a1e9f484d30fdff25192 (commit) from 349a41da1ad88ad87825414752a8ff5fdd6a6c3f (commit) - Log - commit 1084fc8f0086cece8ae1a1e9f484d30fdff25192 Author: Matt CaswellDate: Fri Apr 6 14:33:07 2018 +0100 Ignore the status_request extension in a resumption handshake We cannot provide a certificate status on a resumption so we should ignore this extension in that case. Fixes #1662 Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5898) --- Summary of changes: ssl/t1_lib.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 75c2f41..179802c 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2408,8 +2408,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, goto err; if (!tls1_save_sigalgs(s, data, dsize)) goto err; -} else if (type == TLSEXT_TYPE_status_request) { - +} else if (type == TLSEXT_TYPE_status_request && !s->hit) { if (size < 5) goto err; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via af2d06d245cd97de891213bb4c9e0f4b6dbe3bfb (commit) from 69712507e73437553790ccac6f19a9ded996c0cd (commit) - Log - commit af2d06d245cd97de891213bb4c9e0f4b6dbe3bfb Author: Matt CaswellDate: Fri Apr 6 14:33:07 2018 +0100 Ignore the status_request extension in a resumption handshake We cannot provide a certificate status on a resumption so we should ignore this extension in that case. Fixes #1662 Reviewed-by: Rich Salz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/5897) --- Summary of changes: ssl/t1_lib.c | 4 1 file changed, 4 insertions(+) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index dc4e652..5ba7377 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2156,6 +2156,10 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) } } } else if (type == TLSEXT_TYPE_status_request) { +/* Ignore this if resuming */ +if (s->hit) +continue; + if (!PACKET_get_1(, (unsigned int *)>tlsext_status_type)) { return 0; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via ded4a83d31f8271e5a74e6fbf357f9975d4878ec (commit) from a12de2cba83273b2a553f988716c231af7c9ba68 (commit) - Log - commit ded4a83d31f8271e5a74e6fbf357f9975d4878ec Author: Matt CaswellDate: Fri Apr 6 14:53:05 2018 +0100 Ignore the status_request extension in a resumption handshake We cannot provide a certificate status on a resumption so we should ignore this extension in that case. Fixes #1662 Reviewed-by: Rich Salz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/5896) --- Summary of changes: ssl/statem/extensions_srvr.c | 4 1 file changed, 4 insertions(+) diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 90142eb..adf63d8 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -324,6 +324,10 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context, { PACKET responder_id_list, exts; +/* We ignore this in a resumption handshake */ +if (s->hit) +return 1; + /* Not defined if we get one of these in a client Certificate */ if (x != NULL) return 1; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via a12de2cba83273b2a553f988716c231af7c9ba68 (commit) from e62fb0d31bdf25854aa2c7cda8e1d03768984ab4 (commit) - Log - commit a12de2cba83273b2a553f988716c231af7c9ba68 Author: Dr. Matthias St. PierreDate: Tue Apr 17 08:54:26 2018 +0200 SSL_CTX_set_tlsext_ticket_key_cb.pod: fix error check of RAND_bytes() call Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5977) --- Summary of changes: doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod b/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod index 3cf0717..7782ea7 100644 --- a/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod +++ b/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod @@ -133,7 +133,7 @@ Reference Implementation: HMAC_CTX *hctx, int enc) { if (enc) { /* create new session */ - if (RAND_bytes(iv, EVP_MAX_IV_LENGTH)) + if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0) return -1; /* insufficient random */ key = currentkey(); /* something that you need to implement */ _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 69712507e73437553790ccac6f19a9ded996c0cd (commit) from dbbaeb8973d662ae0d009e0fb6c8975721991b63 (commit) - Log - commit 69712507e73437553790ccac6f19a9ded996c0cd Author: Dr. Matthias St. PierreDate: Tue Apr 17 08:39:42 2018 +0200 p5_scrypt.c: fix error check of RAND_bytes() call Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/5977) --- Summary of changes: crypto/asn1/p5_scrypt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/asn1/p5_scrypt.c b/crypto/asn1/p5_scrypt.c index 4cb7837..a5232fe 100644 --- a/crypto/asn1/p5_scrypt.c +++ b/crypto/asn1/p5_scrypt.c @@ -91,7 +91,7 @@ X509_ALGOR *PKCS5_pbe2_set_scrypt(const EVP_CIPHER *cipher, if (EVP_CIPHER_iv_length(cipher)) { if (aiv) memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher)); -else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0) +else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) <= 0) goto err; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via e62fb0d31bdf25854aa2c7cda8e1d03768984ab4 (commit) from 43687d685ffd71fc1cf0ea1079f6d4958dff5026 (commit) - Log - commit e62fb0d31bdf25854aa2c7cda8e1d03768984ab4 Author: Dr. Matthias St. PierreDate: Tue Apr 17 08:39:42 2018 +0200 p5_scrypt.c: fix error check of RAND_bytes() call Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/5977) --- Summary of changes: crypto/asn1/p5_scrypt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/asn1/p5_scrypt.c b/crypto/asn1/p5_scrypt.c index c556d01..1daaa6f 100644 --- a/crypto/asn1/p5_scrypt.c +++ b/crypto/asn1/p5_scrypt.c @@ -82,7 +82,7 @@ X509_ALGOR *PKCS5_pbe2_set_scrypt(const EVP_CIPHER *cipher, if (EVP_CIPHER_iv_length(cipher)) { if (aiv) memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher)); -else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0) +else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) <= 0) goto err; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 43687d685ffd71fc1cf0ea1079f6d4958dff5026 (commit) from 826e154481e93413a79c37cb1bf4da6175a05875 (commit) - Log - commit 43687d685ffd71fc1cf0ea1079f6d4958dff5026 Author: Dr. Matthias St. PierreDate: Tue Apr 17 08:07:11 2018 +0200 DRBG: fix coverity issues - drbg_lib.c: Silence coverity warning: the comment preceding the RAND_DRBG_instantiate() call explicitely states that the error is ignored and explains the reason why. - drbgtest: Add checks for the return values of RAND_bytes() and RAND_priv_bytes() to run_multi_thread_test(). Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/5976) --- Summary of changes: crypto/rand/drbg_lib.c | 8 test/drbgtest.c| 16 +--- 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c index cc59236..16ac03b 100644 --- a/crypto/rand/drbg_lib.c +++ b/crypto/rand/drbg_lib.c @@ -864,14 +864,14 @@ static RAND_DRBG *drbg_setup(RAND_DRBG *parent) drbg->reseed_counter = 1; /* - * Ignore instantiation error so support just-in-time instantiation. + * Ignore instantiation error to support just-in-time instantiation. * * The state of the drbg will be checked in RAND_DRBG_generate() and * an automatic recovery is attempted. */ -RAND_DRBG_instantiate(drbg, - (const unsigned char *) ossl_pers_string, - sizeof(ossl_pers_string) - 1); +(void)RAND_DRBG_instantiate(drbg, +(const unsigned char *) ossl_pers_string, +sizeof(ossl_pers_string) - 1); return drbg; err: diff --git a/test/drbgtest.c b/test/drbgtest.c index 5426046..d69456b 100644 --- a/test/drbgtest.c +++ b/test/drbgtest.c @@ -783,6 +783,8 @@ error: } #if defined(OPENSSL_THREADS) +static int multi_thread_rand_bytes_succeeded = 1; +static int multi_thread_rand_priv_bytes_succeeded = 1; static void run_multi_thread_test(void) { @@ -796,8 +798,10 @@ static void run_multi_thread_test(void) RAND_DRBG_set_reseed_time_interval(private, 1); do { -RAND_bytes(buf, sizeof(buf)); -RAND_priv_bytes(buf, sizeof(buf)); +if (RAND_bytes(buf, sizeof(buf)) <= 0) +multi_thread_rand_bytes_succeeded = 0; +if (RAND_priv_bytes(buf, sizeof(buf)) <= 0) +multi_thread_rand_priv_bytes_succeeded = 0; } while(time(NULL) - start < 5); } @@ -849,7 +853,7 @@ static int wait_for_thread(thread_t thread) * The main thread will also run the test, so we'll have THREADS+1 parallel * tests running */ -#define THREADS 3 +# define THREADS 3 static int test_multi_thread(void) { @@ -861,6 +865,12 @@ static int test_multi_thread(void) run_multi_thread_test(); for (i = 0; i < THREADS; i++) wait_for_thread(t[i]); + +if (!TEST_true(multi_thread_rand_bytes_succeeded)) +return 0; +if (!TEST_true(multi_thread_rand_priv_bytes_succeeded)) +return 0; + return 1; } #endif _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 826e154481e93413a79c37cb1bf4da6175a05875 (commit) from dbabc862966b9afbcc55c59cc07ab643a14ffb31 (commit) - Log - commit 826e154481e93413a79c37cb1bf4da6175a05875 Author: Andy PolyakovDate: Sat Apr 14 21:42:21 2018 +0200 apps/s_socket.c: print only dynamically allocated port in do_server. For formal backward compatibility print original "ACCEPT" message for fixed port and "ACCEPT host:port" for dynamically allocated. Reviewed-by: Bernd Edlinger Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/5956) --- Summary of changes: apps/s_socket.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/apps/s_socket.c b/apps/s_socket.c index ae62a13..d21bfc6 100644 --- a/apps/s_socket.c +++ b/apps/s_socket.c @@ -283,7 +283,8 @@ int do_server(int *accept_sock, const char *host, const char *port, BIO_ADDRINFO_free(res); res = NULL; -{ +if (BIO_ADDR_rawport(sock_address) == 0) { +/* dynamically allocated port, report which one */ union BIO_sock_info_u info; char *hostname = NULL; char *service = NULL; @@ -309,6 +310,9 @@ int do_server(int *accept_sock, const char *host, const char *port, ERR_print_errors(bio_err); goto end; } +} else { +(void)BIO_printf(bio_s_out, "ACCEPT\n"); +(void)BIO_flush(bio_s_out); } if (accept_sock != NULL) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via dbabc862966b9afbcc55c59cc07ab643a14ffb31 (commit) from a051af0e75bf717cc818db498d9b977953816f80 (commit) - Log - commit dbabc862966b9afbcc55c59cc07ab643a14ffb31 Author: Bernd EdlingerDate: Sun Apr 15 12:02:25 2018 +0200 Add a config option to disable automatic config loading ./config no-autoload-config Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5959) --- Summary of changes: Configure | 3 ++- INSTALL | 4 ssl/ssl_init.c | 2 ++ test/ssl_test.c | 5 + 4 files changed, 13 insertions(+), 1 deletion(-) diff --git a/Configure b/Configure index 99ab26f..5703302 100755 --- a/Configure +++ b/Configure @@ -325,6 +325,7 @@ my @disablables = ( "async", "autoalginit", "autoerrinit", +"autoload-config", "bf", "blake2", "camellia", @@ -426,7 +427,7 @@ my %deprecated_disablables = ( # All of the following are disabled by default: our %disabled = ( # "what" => "comment" - "asan" => "default", + "asan"=> "default", "crypto-mdebug" => "default", "crypto-mdebug-backtrace" => "default", "devcryptoeng"=> "default", diff --git a/INSTALL b/INSTALL index 71d6b88..c0163a9 100644 --- a/INSTALL +++ b/INSTALL @@ -276,6 +276,10 @@ error strings. For a statically linked application this may be undesirable if small executable size is an objective. + no-autoload-config + Don't automatically load the default openssl.cnf file. + Typically OpenSSL will automatically load a system config + file which configures default ssl options. no-capieng Don't build the CAPI engine. This option will be forced if diff --git a/ssl/ssl_init.c b/ssl/ssl_init.c index 6073556..ed2bf84 100644 --- a/ssl/ssl_init.c +++ b/ssl/ssl_init.c @@ -195,7 +195,9 @@ int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS * settings) } if (!OPENSSL_init_crypto(opts +#ifndef OPENSSL_NO_AUTOLOAD_CONFIG | OPENSSL_INIT_LOAD_CONFIG +#endif | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS, settings)) diff --git a/test/ssl_test.c b/test/ssl_test.c index f2a1812..7453a9d 100644 --- a/test/ssl_test.c +++ b/test/ssl_test.c @@ -467,6 +467,11 @@ static int test_handshake(int idx) } } +#ifdef OPENSSL_NO_AUTOLOAD_CONFIG +if (!TEST_true(OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL))) +goto err; +#endif + if (!TEST_ptr(server_ctx) || !TEST_ptr(client_ctx) || !TEST_int_gt(CONF_modules_load(conf, test_app, 0), 0)) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via a051af0e75bf717cc818db498d9b977953816f80 (commit) via 4ff3df161c8b0caf0acac2e0a19980ccd4173a66 (commit) from 28428130db13fe5d1b956a622747db2e0e0b1458 (commit) - Log - commit a051af0e75bf717cc818db498d9b977953816f80 Author: Richard LevitteDate: Tue Apr 17 15:32:41 2018 +0200 Prepare for 1.1.1-pre6-dev Reviewed-by: Matt Caswell commit 4ff3df161c8b0caf0acac2e0a19980ccd4173a66 Author: Richard Levitte Date: Tue Apr 17 15:32:02 2018 +0200 Prepare for 1.1.1-pre5 release Reviewed-by: Matt Caswell --- Summary of changes: README | 2 +- include/openssl/opensslv.h | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README b/README index 694411d..7484255 100644 --- a/README +++ b/README @@ -1,5 +1,5 @@ - OpenSSL 1.1.1-pre5-dev + OpenSSL 1.1.1-pre6-dev Copyright (c) 1998-2018 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h index 241856d..fc1e2b5 100644 --- a/include/openssl/opensslv.h +++ b/include/openssl/opensslv.h @@ -39,8 +39,8 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x10101005L -# define OPENSSL_VERSION_TEXT"OpenSSL 1.1.1-pre5-dev xx XXX " +# define OPENSSL_VERSION_NUMBER 0x10101006L +# define OPENSSL_VERSION_TEXT"OpenSSL 1.1.1-pre6-dev xx XXX " /*- * The macros below are to be used for shared library (.so, .dll, ...) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_1-pre5 create
The annotated tag OpenSSL_1_1_1-pre5 has been created at 1a7c70caec83e52b03df96e83d937eb39ae7424d (tag) tagging 4ff3df161c8b0caf0acac2e0a19980ccd4173a66 (commit) replaces OpenSSL_1_1_1-pre4 tagged by Richard Levitte on Tue Apr 17 15:32:02 2018 +0200 - Log - OpenSSL 1.1.1-pre5 release tag -BEGIN PGP SIGNATURE- iF0EABECAB0WIQTEyrdJw09/TMBP2smnr5549wlFOwUCWtX3UgAKCRCnr5549wlF O+kJAJsEDSfdwIpV5FeVhjVlGVVoQd1zCwCfdVRdBfQX4n5y/dQD6zehIUBDiSQ= =8lqD -END PGP SIGNATURE- Andy Polyakov (18): TLSProxy/Proxy.pm: switch to dynamic ports and overhaul. rand/randfile.c: fix potential resource leak in RAND_load_file. test/asn1_time_test.c: make it work on 64-bit HP-UX. config: fix hpux64-parisc2-gcc detection. Configurations/10-main.conf: clean up HP-UX targets and add magic macros. TLSProxy/Proxy.pm: harmonize inner loop with the way sockets are. apps/s_socket.c: disable the Nagle algorithm. apps/{s_client.c|s_socket}.c: omit usleep calls. TLSProxy/Proxy.pm: refine partial packet handling. TLSProxy/Record.pm: remove dead condition and improve readability. Configurations/10-main.conf: further HP-UX cleanups/unifications. bio/b_addr.c: resolve HP-UX compiler warnings. appveyor.yml: exercise build_all_generated. Configurations/*.tmpl: refine build_all_generated. TLSProxy/Proxy.pm: handle -1 as return value from waitpid. TLSProxy/Proxy.pm: handle "impossible" failure to connect to s_server. TLSProxy/Proxy.pm: bind s_server to loopback interface. TLSProxy/Proxy.pm: straighten inner loop termination logic. Bernd Edlinger (15): Use gnu_printf format attribute to minimise MinGW warnings Fix a crash in the asn1parse command Improve diagnostics for invalid arguments in asn1parse -strparse Use strtol instead of atoi in asn1parse Fix range checks with -offset and -length in asn1parse Remove an unnecessary cast in the param to BUF_MEM_grow Change the "offset too large" message to more generic wording Don't use getenv for critical functions when run as setuid/setgid Prevent a possible recursion in ERR_get_state and fix the problem that was pointed out in commit aef84bb4efbddfd95d042f3f5f1d362ed7d4faeb differently. Fix the build_all_generated rule to include generated .map, .def and .opt files Rework partial packet handling once more Fix cygwin make dependencies Remove mandatory generated files too Remove mandatory generated files on windows too Remove mandatory generated files on VMS too Daniel Bevenius (2): Fix minor typos in Configurations/README Clarify default section in config.pod David Benjamin (1): Fix a bug in ecp_nistp224.c. Dr. Matthias St. Pierre (5): Fix false positives of IS_*() macros for 8-bit ASCII characters DRBG: fix memory leak on error in rand_drbg_get_entropy() Minor corrections for the RAND_DRBG API documentation DRBG: implement a get_nonce() callback Revert "Add OPENSSL_VERSION_AT_LEAST" Kaoru Toda (1): Duplicate code refactored Kunxian Xia (1): Correct the equation for Y' in the comment of point_double function Matt Caswell (17): Prepare for 1.1.1-pre5-dev Fix a text canonicalisation bug in CMS Fix some errors in the mem leaks docs Add some tests for configuring the TLSv1.3 ciphersuites Fix configuration of TLSv1.3 ciphersuites Add test/versions to gitignore Move the loading of the ssl_conf module to libcrypto Document the change in the previous commit about loading the config file Don't crash if an unrecognised digest is used with dsa_paramgen_md Pick a q size consistent with the digest for DSA param generation Update the genpkey documentation Support EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA Add a note and better error if using Ed25519/Ed448 in dgst Change SRP functions to use EVP_EncodeUpdate/EVP_DecodeUpdate functions Add support for the SRP base64 alphabet Add a test for SRP RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set. Matthias Kraft (1): openssl#5668: corrections after compiling with -qinfo=all:als. Pecio (1): Enabled OneCore Conf for Console Apps (removed nonUniversal API) Rich Salz (4): Set error code on alloc failures Set error code if alloc returns NULL Fix bugs in X509_NAME_ENTRY_set Updated to CONTRIBUTING to reflect GitHub, etc. Richard Levitte (17): VMS: stricter acquisition of entropy for the pool Don't use CPP in Configurations/unix-Makefile.tmpl Remove ambiguity in rand_pool_add[_end] return value openssl s_server: print the accepting address and socket Change
[openssl-commits] [web] master update
The branch master has been updated via fd21e3cd9ca7c7b7a8465d47e2bfbb728a4865e2 (commit) from 168a9472b41c33b508d82a167ec169482b854664 (commit) - Log - commit fd21e3cd9ca7c7b7a8465d47e2bfbb728a4865e2 Author: Richard LevitteDate: Tue Apr 17 15:46:22 2018 +0200 Update newsflash for release of OpenSSL 1.1.1-pre5 (beta 3) --- Summary of changes: news/newsflash.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/news/newsflash.txt b/news/newsflash.txt index b0b7cf1..00f1aff 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,7 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +17-Apr-2018: Beta 3 of OpenSSL 1.1.1 is now available: please download and test it 16-Apr-2018: https://mta.openssl.org/pipermail/openssl-announce/2018-April/000121.html;>OpenSSL 1747 Validation not moved to historical 16-Apr-2018: Security Advisory: one low severity fix 03-Apr-2018: Beta 2 of OpenSSL 1.1.1 is now available: please download and test it _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 28428130db13fe5d1b956a622747db2e0e0b1458 (commit) from 6761890195526c28ff82a9e763fc9a86158832ce (commit) - Log - commit 28428130db13fe5d1b956a622747db2e0e0b1458 Author: Richard LevitteDate: Tue Apr 17 15:18:40 2018 +0200 Update copyright year Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/5990) --- Summary of changes: crypto/asn1/a_object.c| 2 +- crypto/asn1/a_strex.c | 2 +- crypto/asn1/a_strnid.c| 2 +- crypto/asn1/asn_moid.c| 2 +- crypto/asn1/bio_asn1.c| 2 +- crypto/asn1/bio_ndef.c| 2 +- crypto/asn1/tasn_new.c| 2 +- crypto/asn1/tasn_utl.c| 2 +- crypto/asn1/x_int64.c | 2 +- crypto/async/async_wait.c | 2 +- crypto/bio/b_print.c | 2 +- crypto/bn/bn_ctx.c| 2 +- crypto/cmac/cmac.c| 2 +- crypto/cms/cms_enc.c | 2 +- crypto/cms/cms_pwri.c | 2 +- crypto/conf/conf_mall.c | 2 +- crypto/conf/conf_mod.c| 2 +- crypto/dh/dh_pmeth.c | 2 +- crypto/dsa/dsa_gen.c | 2 +- crypto/dsa/dsa_pmeth.c| 2 +- crypto/ec/ec_key.c| 2 +- crypto/ec/ec_oct.c| 2 +- crypto/ec/ec_print.c | 2 +- crypto/engine/eng_openssl.c | 2 +- crypto/evp/bio_enc.c | 2 +- crypto/evp/bio_ok.c | 2 +- crypto/evp/encode.c | 2 +- crypto/evp/evp_locl.h | 2 +- crypto/hmac/hm_pmeth.c| 2 +- crypto/kdf/hkdf.c | 2 +- crypto/modes/ocb128.c | 2 +- crypto/objects/obj_xref.c | 2 +- crypto/poly1305/poly1305_pmeth.c | 2 +- crypto/rsa/rsa_pmeth.c| 2 +- crypto/siphash/siphash_pmeth.c| 2 +- crypto/stack/stack.c | 2 +- crypto/threads_none.c | 2 +- crypto/threads_pthread.c | 2 +- crypto/threads_win.c | 2 +- crypto/ui/ui_lib.c| 2 +- crypto/x509/x509name.c| 2 +- doc/man1/dgst.pod | 2 +- doc/man1/rehash.pod | 2 +- doc/man3/EVP_DigestSignInit.pod | 2 +- doc/man3/EVP_DigestVerifyInit.pod | 2 +- doc/man3/OPENSSL_config.pod | 2 +- doc/man3/OPENSSL_init_crypto.pod | 2 +- doc/man3/OPENSSL_malloc.pod | 2 +- ssl/packet.c | 2 +- ssl/pqueue.c | 2 +- ssl/ssl_init.c| 2 +- test/recipes/15-test_genrsa.t | 2 +- test/recipes/90-test_sslapi.t | 2 +- 53 files changed, 53 insertions(+), 53 deletions(-) diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c index 2d3877b..42c138c 100644 --- a/crypto/asn1/a_object.c +++ b/crypto/asn1/a_object.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c index 7539553..db9fa80 100644 --- a/crypto/asn1/a_strex.c +++ b/crypto/asn1/a_strex.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/asn1/a_strnid.c b/crypto/asn1/a_strnid.c index 948fc1f..f19a9de 100644 --- a/crypto/asn1/a_strnid.c +++ b/crypto/asn1/a_strnid.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/asn1/asn_moid.c b/crypto/asn1/asn_moid.c index e1bf1a1..f0b4dab 100644 --- a/crypto/asn1/asn_moid.c +++ b/crypto/asn1/asn_moid.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/asn1/bio_asn1.c b/crypto/asn1/bio_asn1.c index b88b2e5..86ee566 100644 --- a/crypto/asn1/bio_asn1.c +++ b/crypto/asn1/bio_asn1.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights
[openssl-commits] [openssl] master update
The branch master has been updated via 6761890195526c28ff82a9e763fc9a86158832ce (commit) from b7fb239438fb289a69e9420ad1edacf3bd1c5d69 (commit) - Log - commit 6761890195526c28ff82a9e763fc9a86158832ce Author: Richard LevitteDate: Tue Apr 17 15:06:00 2018 +0200 OpenSSL 1.1.1-pre5: update CHANGES with recent user visible changes Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/5989) --- Summary of changes: CHANGES | 32 1 file changed, 32 insertions(+) diff --git a/CHANGES b/CHANGES index e5f6cb6..00b5c40 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,38 @@ Changes between 1.1.0h and 1.1.1 [xx XXX ] + *) Updated CONTRIBUTING + [Rich Salz] + + *) Updated DRBG / RAND to request nonce and additional low entropy + randomness from the system. + [Matthias St. Pierre] + + *) Updated 'openssl rehash' to use OpenSSL consistent default. + [Richard Levitte] + + *) Moved the load of the ssl_conf module to libcrypto, which helps + loading engines that libssl uses before libssl is initialised. + [Matt Caswell] + + *) Added EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA + [Matt Caswell] + + *) Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases. + [Ingo Schwarze, Rich Salz] + + *) Added output of accepting IP address and port for 'openssl s_server' + [Richard Levitte] + + *) Added a new API for TLSv1.3 ciphersuites: +SSL_CTX_set_ciphersuites() +SSL_set_ciphersuites() + [Matt Caswell] + + *) Memory allocation failures consistenly add an error to the error + stack. + [Rich Salz] + *) Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values in libcrypto when run as setuid/setgid. [Bernd Edlinger] _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits