FAILED build of OpenSSL branch master with options -d --strict-warnings no-ec
Platform and configuration command: $ uname -a Linux run 4.4.0-135-generic #161-Ubuntu SMP Mon Aug 27 10:45:01 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-ec Commit log since last time: 3b437400d9 Configure: Remove extra warning and sanitizer options from CXXFLAGS 6aa2e59e1c Add d2i_KeyParams/i2d_KeyParams API's. 324954640e Changed ssl layer to use EVP_KDF API for TLS1_PRF and HKDF. 19f43f02aa doc/man3/X509_LOOKUP_meth_new.pod: clarify the requirements 6783944f89 Added Conforming To section to EVP_KDF_TLS1_PRF documentation. 5b3accde60 OCSP: fix memory leak in OCSP_url_svcloc_new method. Add a few coverage test case. d4d89a0762 Fix input checks wrt legacy code 2e9d61ecd8 crypto/evp/evp_key.c: #define BUFSIZ if doesn't #define it Build log ended with (last 100 lines): /usr/bin/perl ../openssl/test/generate_buildtest.pl dh > test/buildtest_dh.c /usr/bin/perl ../openssl/test/generate_buildtest.pl dsa > test/buildtest_dsa.c /usr/bin/perl ../openssl/test/generate_buildtest.pl dtls1 > test/buildtest_dtls1.c /usr/bin/perl ../openssl/test/generate_buildtest.pl e_os2 > test/buildtest_e_os2.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ebcdic > test/buildtest_ebcdic.c /usr/bin/perl ../openssl/test/generate_buildtest.pl engine > test/buildtest_engine.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ess > test/buildtest_ess.c /usr/bin/perl ../openssl/test/generate_buildtest.pl evp > test/buildtest_evp.c /usr/bin/perl ../openssl/test/generate_buildtest.pl hmac > test/buildtest_hmac.c /usr/bin/perl ../openssl/test/generate_buildtest.pl idea > test/buildtest_idea.c /usr/bin/perl ../openssl/test/generate_buildtest.pl kdf > test/buildtest_kdf.c /usr/bin/perl ../openssl/test/generate_buildtest.pl lhash > test/buildtest_lhash.c /usr/bin/perl ../openssl/test/generate_buildtest.pl md4 > test/buildtest_md4.c /usr/bin/perl ../openssl/test/generate_buildtest.pl md5 > test/buildtest_md5.c /usr/bin/perl ../openssl/test/generate_buildtest.pl mdc2 > test/buildtest_mdc2.c /usr/bin/perl ../openssl/test/generate_buildtest.pl modes > test/buildtest_modes.c /usr/bin/perl ../openssl/test/generate_buildtest.pl obj_mac > test/buildtest_obj_mac.c /usr/bin/perl ../openssl/test/generate_buildtest.pl objects > test/buildtest_objects.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ocsp > test/buildtest_ocsp.c /usr/bin/perl ../openssl/test/generate_buildtest.pl opensslv > test/buildtest_opensslv.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ossl_typ > test/buildtest_ossl_typ.c /usr/bin/perl ../openssl/test/generate_buildtest.pl params > test/buildtest_params.c /usr/bin/perl ../openssl/test/generate_buildtest.pl pem > test/buildtest_pem.c /usr/bin/perl ../openssl/test/generate_buildtest.pl pem2 > test/buildtest_pem2.c /usr/bin/perl ../openssl/test/generate_buildtest.pl pkcs12 > test/buildtest_pkcs12.c /usr/bin/perl ../openssl/test/generate_buildtest.pl pkcs7 > test/buildtest_pkcs7.c /usr/bin/perl ../openssl/test/generate_buildtest.pl provider > test/buildtest_provider.c /usr/bin/perl ../openssl/test/generate_buildtest.pl rand > test/buildtest_rand.c /usr/bin/perl ../openssl/test/generate_buildtest.pl rand_drbg > test/buildtest_rand_drbg.c /usr/bin/perl ../openssl/test/generate_buildtest.pl rc2 > test/buildtest_rc2.c /usr/bin/perl ../openssl/test/generate_buildtest.pl rc4 > test/buildtest_rc4.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ripemd > test/buildtest_ripemd.c /usr/bin/perl ../openssl/test/generate_buildtest.pl rsa > test/buildtest_rsa.c /usr/bin/perl ../openssl/test/generate_buildtest.pl safestack > test/buildtest_safestack.c /usr/bin/perl ../openssl/test/generate_buildtest.pl seed > test/buildtest_seed.c /usr/bin/perl ../openssl/test/generate_buildtest.pl sha > test/buildtest_sha.c /usr/bin/perl ../openssl/test/generate_buildtest.pl srp > test/buildtest_srp.c /usr/bin/perl ../openssl/test/generate_buildtest.pl srtp > test/buildtest_srtp.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ssl > test/buildtest_ssl.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ssl2 > test/buildtest_ssl2.c /usr/bin/perl ../openssl/test/generate_buildtest.pl stack > test/buildtest_stack.c /usr/bin/perl ../openssl/test/generate_buildtest.pl store > test/buildtest_store.c /usr/bin/perl ../openssl/test/generate_buildtest.pl symhacks > test/buildtest_symhacks.c /usr/bin/perl ../openssl/test/generate_buildtest.pl tls1 > test/buildtest_tls1.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ts > test/buildtest_ts.c /usr/bin/perl ../openssl/test/generate_buildtest.pl txt_db > test/buildtest_txt_db.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ui > test/buildtest_ui.c /usr/bin/perl ../openssl/test/generate_buildtest.pl whrlpool > test/buildtest_whrlpool.c /usr/bin/perl ../openssl/test/generate_buildtest.pl x509 > test/buildtest_x509.c /usr/bin/perl ../openssl/test/generate_buildtest.pl x509_vfy > test/buildtest_x509_vfy.c
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 3e3f4e903b4ecc8f271d591010ee5609211ac545 (commit) from 87f533c9f622d5f44170fc2aed0d341187d10878 (commit) - Log - commit 3e3f4e903b4ecc8f271d591010ee5609211ac545 Author: Richard Levitte Date: Mon May 27 21:32:41 2019 +0200 Add CHANGES and NEWS for 1.1.1c Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9017) --- Summary of changes: CHANGES | 57 - NEWS| 2 +- 2 files changed, 57 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 90937e1..12fe884 100644 --- a/CHANGES +++ b/CHANGES @@ -9,7 +9,7 @@ Changes between 1.1.1b and 1.1.1c [xx XXX ] - *) Added build tests for C++. These are generated files that only do one + *) Add build tests for C++. These are generated files that only do one thing, to include one public OpenSSL head file each. This tests that the public header files can be usefully included in a C++ application. @@ -17,12 +17,67 @@ 'enable-buildtest-c++'. [Richard Levitte] + *) Enable SHA3 pre-hashing for ECDSA and DSA. + [Patrick Steuer] + *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024. This changes the size when using the genpkey app when no size is given. It fixes an omission in earlier changes that changed all RSA, DSA and DH generation apps to use 2048 bits by default. [Kurt Roeckx] + *) Reorganize the manual pages to consistently have RETURN VALUES, + EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust + util/fix-doc-nits accordingly. + [Paul Yang, Joshua Lock] + + *) Add the missing accessor EVP_PKEY_get0_engine() + [Matt Caswell] + + *) Have apps like 's_client' and 's_server' output the signature scheme + along with other cipher suite parameters when debugging. + [Lorinczy Zsigmond] + + *) Make OPENSSL_config() error agnostic again. + [Richard Levitte] + + *) Do the error handling in RSA decryption constant time. + [Bernd Edlinger] + + *) Prevent over long nonces in ChaCha20-Poly1305. + + ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input + for every encryption operation. RFC 7539 specifies that the nonce value + (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length + and front pads the nonce with 0 bytes if it is less than 12 + bytes. However it also incorrectly allows a nonce to be set of up to 16 + bytes. In this case only the last 12 bytes are significant and any + additional leading bytes are ignored. + + It is a requirement of using this cipher that nonce values are + unique. Messages encrypted using a reused nonce value are susceptible to + serious confidentiality and integrity attacks. If an application changes + the default nonce length to be longer than 12 bytes and then makes a + change to the leading bytes of the nonce expecting the new value to be a + new unique nonce then such an application could inadvertently encrypt + messages with a reused nonce. + + Additionally the ignored bytes in a long nonce are not covered by the + integrity guarantee of this cipher. Any application that relies on the + integrity of these ignored leading bytes of a long nonce may be further + affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, + is safe because no such use sets such a long nonce value. However user + applications that use this cipher directly and set a non-default nonce + length to be longer than 12 bytes may be vulnerable. + + This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk + Greef of Ronomon. + (CVE-2019-1543) + [Matt Caswell] + + *) Ensure that SM2 only uses SM3 as digest algorithm + [Paul Yang] + Changes between 1.1.1a and 1.1.1b [26 Feb 2019] *) Added SCA hardening for modular field inversion in EC_GROUP through diff --git a/NEWS b/NEWS index 2baab79..7c54f3c 100644 --- a/NEWS +++ b/NEWS @@ -7,7 +7,7 @@ Major changes between OpenSSL 1.1.1b and OpenSSL 1.1.1c [under development] - o + o Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543) Major changes between OpenSSL 1.1.1a and OpenSSL 1.1.1b [26 Feb 2019]
[openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 6db453c2ca261f663cecd1f05e388513cbcf6309 (commit) from ccbf148e30c5cb5f595c5d9e713c68768fe84248 (commit) - Log - commit 6db453c2ca261f663cecd1f05e388513cbcf6309 Author: Richard Levitte Date: Mon May 27 21:34:05 2019 +0200 Add CHANGES and NEWS for 1.1.0k Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9018) --- Summary of changes: CHANGES | 31 +++ NEWS| 2 +- 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index de7a8a7..fb7d918 100644 --- a/CHANGES +++ b/CHANGES @@ -15,6 +15,37 @@ generation apps to use 2048 bits by default. [Kurt Roeckx] + *) Prevent over long nonces in ChaCha20-Poly1305. + + ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input + for every encryption operation. RFC 7539 specifies that the nonce value + (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length + and front pads the nonce with 0 bytes if it is less than 12 + bytes. However it also incorrectly allows a nonce to be set of up to 16 + bytes. In this case only the last 12 bytes are significant and any + additional leading bytes are ignored. + + It is a requirement of using this cipher that nonce values are + unique. Messages encrypted using a reused nonce value are susceptible to + serious confidentiality and integrity attacks. If an application changes + the default nonce length to be longer than 12 bytes and then makes a + change to the leading bytes of the nonce expecting the new value to be a + new unique nonce then such an application could inadvertently encrypt + messages with a reused nonce. + + Additionally the ignored bytes in a long nonce are not covered by the + integrity guarantee of this cipher. Any application that relies on the + integrity of these ignored leading bytes of a long nonce may be further + affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, + is safe because no such use sets such a long nonce value. However user + applications that use this cipher directly and set a non-default nonce + length to be longer than 12 bytes may be vulnerable. + + This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk + Greef of Ronomon. + (CVE-2019-1543) + [Matt Caswell] + *) Added SCA hardening for modular field inversion in EC_GROUP through a new dedicated field_inv() pointer in EC_METHOD. This also addresses a leakage affecting conversions from projective diff --git a/NEWS b/NEWS index 188e9aa..cf03be9 100644 --- a/NEWS +++ b/NEWS @@ -7,7 +7,7 @@ Major changes between OpenSSL 1.1.0j and OpenSSL 1.1.0k [under development] - o + o Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543) Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.0j [20 Nov 2018]
Build failed: openssl master.24744
Build openssl master.24744 failed Commit 3a65cd0501 by FdaSilvaYY on 5/25/2019 3:50 PM: style nit fix, plus constifcation. Configure your notification preferences
Passed: openssl/openssl#25325 (OpenSSL_1_1_1-stable - 87f533c)
Build Update for openssl/openssl - Build: #25325 Status: Passed Duration: 19 mins and 37 secs Commit: 87f533c (OpenSSL_1_1_1-stable) Author: Richard Levitte Message: Configure: make 'enable-buildtest-c++' work (not be a regexp) OpenSSL 1.1.1's Configure treats the strings in @disablables as regexps, which means that the 'buildtest-c++' option needs a bit of escaping to be interpreted as intended. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9016) View the changeset: https://github.com/openssl/openssl/compare/aa085f8c10f8...87f533c9f622 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/537893549?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 87f533c9f622d5f44170fc2aed0d341187d10878 (commit) from aa085f8c10f8d79f80a3bae02936492604b0492d (commit) - Log - commit 87f533c9f622d5f44170fc2aed0d341187d10878 Author: Richard Levitte Date: Mon May 27 19:16:14 2019 +0200 Configure: make 'enable-buildtest-c++' work (not be a regexp) OpenSSL 1.1.1's Configure treats the strings in @disablables as regexps, which means that the 'buildtest-c++' option needs a bit of escaping to be interpreted as intended. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9016) --- Summary of changes: Configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configure b/Configure index b220337..254b04c 100755 --- a/Configure +++ b/Configure @@ -332,7 +332,7 @@ my @disablables = ( "autoload-config", "bf", "blake2", -"buildtest-c++", +"buildtest-c\\+\\+", "camellia", "capieng", "cast",
Errored: openssl/openssl#25322 (OpenSSL_1_1_1-stable - aa085f8)
Build Update for openssl/openssl - Build: #25322 Status: Errored Duration: 18 mins and 5 secs Commit: aa085f8 (OpenSSL_1_1_1-stable) Author: Richard Levitte Message: Add advice on setting CXX at the same time as CC Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8370) (cherry picked from commit 284d19c2ced0264bd46de61718aa4a60efa8d175) View the changeset: https://github.com/openssl/openssl/compare/27a3be20a543...aa085f8c10f8 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/537881876?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via aa085f8c10f8d79f80a3bae02936492604b0492d (commit) via 6a047f0581e3ec4966e626f6bdc1462aee25b081 (commit) via b6f18d3851ef06ee4f690d81b6c878085219a7ba (commit) from 27a3be20a543fdd44517b898421f154e4619c78a (commit) - Log - commit aa085f8c10f8d79f80a3bae02936492604b0492d Author: Richard Levitte Date: Fri Mar 1 11:54:07 2019 +0100 Add advice on setting CXX at the same time as CC Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8370) (cherry picked from commit 284d19c2ced0264bd46de61718aa4a60efa8d175) commit 6a047f0581e3ec4966e626f6bdc1462aee25b081 Author: Richard Levitte Date: Thu Feb 28 13:35:32 2019 +0100 Travis: use enable-buildtest-c++ Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8370) (cherry picked from commit 26a053d195d5cc8a5cd648da3f05d3ff0e47f776) commit b6f18d3851ef06ee4f690d81b6c878085219a7ba Author: Richard Levitte Date: Thu Feb 28 13:28:43 2019 +0100 Configure: make C++ build tests optional and configurable Disabled by default Fixes #8360 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8370) (cherry picked from commit ac4033d658e4dc210ed4552b88069b57532ba3d7) --- Summary of changes: .travis.yml | 2 +- CHANGES | 8 Configure | 4 +++- INSTALL | 18 ++ test/build.info | 2 +- 5 files changed, 31 insertions(+), 3 deletions(-) diff --git a/.travis.yml b/.travis.yml index 3184308..c79040d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -28,7 +28,7 @@ compiler: env: - CONFIG_OPTS="" DESTDIR="_install" - CONFIG_OPTS="no-asm -Werror --debug no-afalgeng no-shared enable-crypto-mdebug enable-rc5 enable-md2" -- CONFIG_OPTS="no-asm no-makedepend --strict-warnings -D_DEFAULT_SOURCE" BUILDONLY="yes" CHECKDOCS="yes" GENERATE="yes" CPPFLAGS="-ansi" +- CONFIG_OPTS="no-asm no-makedepend enable-buildtest-c++ --strict-warnings -D_DEFAULT_SOURCE" BUILDONLY="yes" CHECKDOCS="yes" GENERATE="yes" CPPFLAGS="-ansi" matrix: include: diff --git a/CHANGES b/CHANGES index 53f8563..90937e1 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,14 @@ Changes between 1.1.1b and 1.1.1c [xx XXX ] + *) Added build tests for C++. These are generated files that only do one + thing, to include one public OpenSSL head file each. This tests that + the public header files can be usefully included in a C++ application. + + This test isn't enabled by default. It can be enabled with the option + 'enable-buildtest-c++'. + [Richard Levitte] + *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024. This changes the size when using the genpkey app when no size is given. It fixes an omission in earlier changes that changed all RSA, DSA and DH diff --git a/Configure b/Configure index f0892c2..b220337 100755 --- a/Configure +++ b/Configure @@ -332,6 +332,7 @@ my @disablables = ( "autoload-config", "bf", "blake2", +"buildtest-c++", "camellia", "capieng", "cast", @@ -432,6 +433,7 @@ my %deprecated_disablables = ( our %disabled = ( # "what" => "comment" "asan"=> "default", + "buildtest-c++" => "default", "crypto-mdebug" => "default", "crypto-mdebug-backtrace" => "default", "devcryptoeng"=> "default", @@ -1167,7 +1169,7 @@ my %disabled_info = (); # For configdata.pm foreach my $what (sort keys %disabled) { $config{options} .= " no-$what"; -if (!grep { $what eq $_ } ( 'threads', 'shared', 'pic', +if (!grep { $what eq $_ } ( 'buildtest-c++', 'threads', 'shared', 'pic', 'dynamic-engine', 'makedepend', 'zlib-dynamic', 'zlib', 'sse2' )) { (my $WHAT = uc $what) =~ s|-|_|g; diff --git a/INSTALL b/INSTALL index 7dd051c..0b6a3fd 100644 --- a/INSTALL +++ b/INSTALL @@ -287,6 +287,19 @@ Typically OpenSSL will automatically load a system config file which configures default ssl options. + enable-buildtest-c++ + While testing, generate C++ buildtest files that + simply check that the public OpenSSL header files + are usable standalone with C++. + + Enabling this option demands extra care. For any + compiler flag given directly as configuration + option, you must ensure that it's valid for both + the C and the C++ compiler. If not, the C++ build + test will most
Still Failing: openssl/openssl#25316 (OpenSSL_1_1_1-stable - 27a3be2)
Build Update for openssl/openssl - Build: #25316 Status: Still Failing Duration: 29 mins and 9 secs Commit: 27a3be2 (OpenSSL_1_1_1-stable) Author: Richard Levitte Message: Configure: Remove extra warning and sanitizer options from CXXFLAGS We add the extra warning and sanitizer options to check our code, which is entirely in C. We support C++ compilers uniquely for the sake of certain external test suites, and those projects can probably sanitize their own code themselves. [extended tests] Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9013) (cherry picked from commit 3b437400d90fb89ce5e0d74fd79bda9028f185fb) View the changeset: https://github.com/openssl/openssl/compare/5a070488d8c7...27a3be20a543 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/537790616?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
Failed: openssl/openssl#25315 (master - 3b43740)
Build Update for openssl/openssl - Build: #25315 Status: Failed Duration: 31 mins and 23 secs Commit: 3b43740 (master) Author: Richard Levitte Message: Configure: Remove extra warning and sanitizer options from CXXFLAGS We add the extra warning and sanitizer options to check our code, which is entirely in C. We support C++ compilers uniquely for the sake of certain external test suites, and those projects can probably sanitize their own code themselves. [extended tests] Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9013) View the changeset: https://github.com/openssl/openssl/compare/6aa2e59e1c52...3b437400d90f View the full build log and details: https://travis-ci.org/openssl/openssl/builds/537790058?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 27a3be20a543fdd44517b898421f154e4619c78a (commit) from 5a070488d8c7b31da9080e6fcce6aefdc86af608 (commit) - Log - commit 27a3be20a543fdd44517b898421f154e4619c78a Author: Richard Levitte Date: Mon May 27 14:40:25 2019 +0200 Configure: Remove extra warning and sanitizer options from CXXFLAGS We add the extra warning and sanitizer options to check our code, which is entirely in C. We support C++ compilers uniquely for the sake of certain external test suites, and those projects can probably sanitize their own code themselves. [extended tests] Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9013) (cherry picked from commit 3b437400d90fb89ce5e0d74fd79bda9028f185fb) --- Summary of changes: Configurations/90-team.norelease.conf | 6 +- Configure | 105 -- 2 files changed, 41 insertions(+), 70 deletions(-) diff --git a/Configurations/90-team.norelease.conf b/Configurations/90-team.norelease.conf index 45f1811..1d5d755 100644 --- a/Configurations/90-team.norelease.conf +++ b/Configurations/90-team.norelease.conf @@ -18,7 +18,7 @@ my %targets = ( "debug-erbridge" => { inherit_from => [ 'BASE_unix', "x86_64_asm" ], cc => "gcc", -cflags => combine(join(' ', @{$gcc_devteam_warn{CFLAGS}}), +cflags => combine(join(' ', @gcc_devteam_warn), "-DBN_DEBUG -DCONF_DEBUG -m64 -DL_ENDIAN -DTERMIO -g", threads("-D_REENTRANT")), ex_libs => add(" ","-ldl"), @@ -83,7 +83,7 @@ my %targets = ( "debug-test-64-clang" => { inherit_from => [ 'BASE_unix', "x86_64_asm" ], cc => "clang", -cflags => combine(join(' ', @{$gcc_devteam_warn{CFLAGS}}), +cflags => combine(join(' ', @gcc_devteam_warn), "-Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe", threads("${BSDthreads}")), bn_ops => "SIXTY_FOUR_BIT_LONG", @@ -98,7 +98,7 @@ my %targets = ( inherit_from => [ 'BASE_unix', "x86_64_asm" ], cc => "clang", cflags => combine("-arch x86_64 -DL_ENDIAN", -join(' ', @{$gcc_devteam_warn{CFLAGS}}), +join(' ', @gcc_devteam_warn), "-Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe", threads("${BSDthreads}")), sys_id => "MACOSX", diff --git a/Configure b/Configure index 85418b3..f0892c2 100755 --- a/Configure +++ b/Configure @@ -101,8 +101,9 @@ my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lx # SHA512_ASMsha512_block is implemented in assembler # AES_ASM AES_[en|de]crypt is implemented in assembler -# Minimum warning options... any contributions to OpenSSL should at least get -# past these. +# Minimum warning options... any contributions to OpenSSL should at least +# get past these. Note that we only use these with C compilers, not with +# C++ compilers. # DEBUG_UNUSED enables __owur (warn unused result) checks. # -DPEDANTIC complements -pedantic and is meant to mask code that @@ -117,27 +118,23 @@ my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lx # code, so we just tell compiler to be pedantic about everything # but 'long long' type. -my %gcc_devteam_warn = (); -{ -my @common = qw( -DDEBUG_UNUSED - -DPEDANTIC -pedantic -Wno-long-long - -Wall - -Wextra - -Wno-unused-parameter - -Wno-missing-field-initializers - -Wswitch - -Wsign-compare - -Wshadow - -Wformat - -Wtype-limits - -Wundef - -Werror ); -%gcc_devteam_warn = ( -CFLAGS => [ @common, qw( -Wmissing-prototypes - -Wstrict-prototypes ) ], -CXXFLAGS=> [ @common ] -); -} +my @gcc_devteam_warn = qw( +-DDEBUG_UNUSED +-DPEDANTIC -pedantic -Wno-long-long
[openssl] master update
The branch master has been updated via 3b437400d90fb89ce5e0d74fd79bda9028f185fb (commit) from 6aa2e59e1c52761cc5ad60170106118d7c1aa090 (commit) - Log - commit 3b437400d90fb89ce5e0d74fd79bda9028f185fb Author: Richard Levitte Date: Mon May 27 14:40:25 2019 +0200 Configure: Remove extra warning and sanitizer options from CXXFLAGS We add the extra warning and sanitizer options to check our code, which is entirely in C. We support C++ compilers uniquely for the sake of certain external test suites, and those projects can probably sanitize their own code themselves. [extended tests] Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9013) --- Summary of changes: Configurations/90-team.norelease.conf | 6 +- Configure | 105 -- 2 files changed, 41 insertions(+), 70 deletions(-) diff --git a/Configurations/90-team.norelease.conf b/Configurations/90-team.norelease.conf index 77dad97..6ead610 100644 --- a/Configurations/90-team.norelease.conf +++ b/Configurations/90-team.norelease.conf @@ -18,7 +18,7 @@ my %targets = ( "debug-erbridge" => { inherit_from => [ 'BASE_unix', "x86_64_asm" ], cc => "gcc", -cflags => combine(join(' ', @{$gcc_devteam_warn{CFLAGS}}), +cflags => combine(join(' ', @gcc_devteam_warn), "-DBN_DEBUG -DCONF_DEBUG -m64 -DL_ENDIAN -DTERMIO -g", threads("-D_REENTRANT")), ex_libs => add(" ","-ldl"), @@ -81,7 +81,7 @@ my %targets = ( "debug-test-64-clang" => { inherit_from => [ 'BASE_unix', "x86_64_asm" ], cc => "clang", -cflags => combine(join(' ', @{$gcc_devteam_warn{CFLAGS}}), +cflags => combine(join(' ', @gcc_devteam_warn), "-Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe", threads("${BSDthreads}")), bn_ops => "SIXTY_FOUR_BIT_LONG", @@ -95,7 +95,7 @@ my %targets = ( inherit_from => [ 'BASE_unix', "x86_64_asm" ], cc => "clang", cflags => combine("-arch x86_64 -DL_ENDIAN", -join(' ', @{$gcc_devteam_warn{CFLAGS}}), +join(' ', @gcc_devteam_warn), "-Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe", threads("${BSDthreads}")), sys_id => "MACOSX", diff --git a/Configure b/Configure index 96c8e40..2247a36 100755 --- a/Configure +++ b/Configure @@ -102,8 +102,9 @@ my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lx # SHA512_ASMsha512_block is implemented in assembler # AES_ASM AES_[en|de]crypt is implemented in assembler -# Minimum warning options... any contributions to OpenSSL should at least get -# past these. +# Minimum warning options... any contributions to OpenSSL should at least +# get past these. Note that we only use these with C compilers, not with +# C++ compilers. # DEBUG_UNUSED enables __owur (warn unused result) checks. # -DPEDANTIC complements -pedantic and is meant to mask code that @@ -118,27 +119,23 @@ my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lx # code, so we just tell compiler to be pedantic about everything # but 'long long' type. -my %gcc_devteam_warn = (); -{ -my @common = qw( -DDEBUG_UNUSED - -DPEDANTIC -pedantic -Wno-long-long - -Wall - -Wextra - -Wno-unused-parameter - -Wno-missing-field-initializers - -Wswitch - -Wsign-compare - -Wshadow - -Wformat - -Wtype-limits - -Wundef - -Werror ); -%gcc_devteam_warn = ( -CFLAGS => [ @common, qw( -Wmissing-prototypes - -Wstrict-prototypes ) ], -CXXFLAGS=> [ @common ] -); -} +my @gcc_devteam_warn = qw( +-DDEBUG_UNUSED +-DPEDANTIC -pedantic -Wno-long-long +-Wall +-Wextra +-Wno-unused-parameter +-Wno-missing-field-initializers +
Errored: openssl/openssl#25309 (master - 6aa2e59)
Build Update for openssl/openssl - Build: #25309 Status: Errored Duration: 22 mins and 9 secs Commit: 6aa2e59 (master) Author: Shane Lontis Message: Add d2i_KeyParams/i2d_KeyParams API's. Convert EVP_PKEY Parameters to/from binary. This wraps the low level i2d/d2i calls for DH,DSA and EC key parameters in a similar way to Public and Private Keys. The API's can be used by applications (including openssl apps) that only want to use EVP_PKEY without needing to access low level key API's. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8903) View the changeset: https://github.com/openssl/openssl/compare/324954640e7f...6aa2e59e1c52 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/537757295?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] master update
The branch master has been updated via 6aa2e59e1c52761cc5ad60170106118d7c1aa090 (commit) from 324954640e7fcb2b4a26cb5ae7923a6e5e79ee14 (commit) - Log - commit 6aa2e59e1c52761cc5ad60170106118d7c1aa090 Author: Shane Lontis Date: Mon May 27 21:52:37 2019 +1000 Add d2i_KeyParams/i2d_KeyParams API's. Convert EVP_PKEY Parameters to/from binary. This wraps the low level i2d/d2i calls for DH,DSA and EC key parameters in a similar way to Public and Private Keys. The API's can be used by applications (including openssl apps) that only want to use EVP_PKEY without needing to access low level key API's. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8903) --- Summary of changes: crypto/asn1/asn1_err.c | 4 +- crypto/asn1/build.info | 3 +- crypto/asn1/d2i_param.c| 65 +++ crypto/asn1/i2d_param.c| 30 + crypto/err/openssl.txt | 2 + doc/man3/d2i_PrivateKey.pod| 26 +--- include/openssl/asn1err.h | 2 + include/openssl/evp.h | 6 ++ test/build.info| 6 +- test/evp_pkey_dparams_test.c | 73 ++ ...{30-test_aesgcm.t => 30-test_evp_pkey_dparam.t} | 3 +- util/libcrypto.num | 4 ++ 12 files changed, 210 insertions(+), 14 deletions(-) create mode 100644 crypto/asn1/d2i_param.c create mode 100644 crypto/asn1/i2d_param.c create mode 100644 test/evp_pkey_dparams_test.c copy test/recipes/{30-test_aesgcm.t => 30-test_evp_pkey_dparam.t} (85%) diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c index 7fe46ed..0e1edc7 100644 --- a/crypto/asn1/asn1_err.c +++ b/crypto/asn1/asn1_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -107,6 +107,7 @@ static const ERR_STRING_DATA ASN1_str_functs[] = { {ERR_PACK(ERR_LIB_ASN1, ASN1_F_D2I_ASN1_UINTEGER, 0), "d2i_ASN1_UINTEGER"}, {ERR_PACK(ERR_LIB_ASN1, ASN1_F_D2I_AUTOPRIVATEKEY, 0), "d2i_AutoPrivateKey"}, +{ERR_PACK(ERR_LIB_ASN1, ASN1_F_D2I_KEYPARAMS, 0), "d2i_KeyParams"}, {ERR_PACK(ERR_LIB_ASN1, ASN1_F_D2I_PRIVATEKEY, 0), "d2i_PrivateKey"}, {ERR_PACK(ERR_LIB_ASN1, ASN1_F_D2I_PUBLICKEY, 0), "d2i_PublicKey"}, {ERR_PACK(ERR_LIB_ASN1, ASN1_F_DO_BUF, 0), "do_buf"}, @@ -119,6 +120,7 @@ static const ERR_STRING_DATA ASN1_str_functs[] = { {ERR_PACK(ERR_LIB_ASN1, ASN1_F_I2D_ASN1_OBJECT, 0), "i2d_ASN1_OBJECT"}, {ERR_PACK(ERR_LIB_ASN1, ASN1_F_I2D_DSA_PUBKEY, 0), "i2d_DSA_PUBKEY"}, {ERR_PACK(ERR_LIB_ASN1, ASN1_F_I2D_EC_PUBKEY, 0), "i2d_EC_PUBKEY"}, +{ERR_PACK(ERR_LIB_ASN1, ASN1_F_I2D_KEYPARAMS, 0), "i2d_KeyParams"}, {ERR_PACK(ERR_LIB_ASN1, ASN1_F_I2D_PRIVATEKEY, 0), "i2d_PrivateKey"}, {ERR_PACK(ERR_LIB_ASN1, ASN1_F_I2D_PUBLICKEY, 0), "i2d_PublicKey"}, {ERR_PACK(ERR_LIB_ASN1, ASN1_F_I2D_RSA_PUBKEY, 0), "i2d_RSA_PUBKEY"}, diff --git a/crypto/asn1/build.info b/crypto/asn1/build.info index d3e92c8..32fdaaa 100644 --- a/crypto/asn1/build.info +++ b/crypto/asn1/build.info @@ -13,4 +13,5 @@ SOURCE[../../libcrypto]=\ x_pkey.c bio_asn1.c bio_ndef.c asn_mime.c \ asn1_gen.c asn1_par.c asn1_lib.c asn1_err.c a_strnid.c \ evp_asn1.c asn_pack.c p5_pbe.c p5_pbev2.c p5_scrypt.c p8_pkey.c \ -asn_moid.c asn_mstbl.c asn1_item_list.c +asn_moid.c asn_mstbl.c asn1_item_list.c \ +d2i_param.c i2d_param.c diff --git a/crypto/asn1/d2i_param.c b/crypto/asn1/d2i_param.c new file mode 100644 index 000..e852470 --- /dev/null +++ b/crypto/asn1/d2i_param.c @@ -0,0 +1,65 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include "internal/cryptlib.h" +#include +#include +#include "internal/evp_int.h" +#include "internal/asn1_int.h" + +EVP_PKEY *d2i_KeyParams(int type, EVP_PKEY **a, const unsigned char **pp, +long length) +{ +EVP_PKEY *ret = NULL; +const unsigned char *p = *pp; + +if ((a == NULL) || (*a == NULL)) { +if ((ret = EVP_PKEY_new()) == NULL) +
Still Failing: openssl/openssl#25307 (master - 3249546)
Build Update for openssl/openssl - Build: #25307 Status: Still Failing Duration: 18 mins and 54 secs Commit: 3249546 (master) Author: David Makepeace Message: Changed ssl layer to use EVP_KDF API for TLS1_PRF and HKDF. Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/9010) View the changeset: https://github.com/openssl/openssl/compare/19f43f02aa53...324954640e7f View the full build log and details: https://travis-ci.org/openssl/openssl/builds/537727896?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] master update
The branch master has been updated via 324954640e7fcb2b4a26cb5ae7923a6e5e79ee14 (commit) from 19f43f02aa5349034d0a7a60c3a750e046f994b5 (commit) - Log - commit 324954640e7fcb2b4a26cb5ae7923a6e5e79ee14 Author: David Makepeace Date: Mon May 27 09:29:43 2019 +1000 Changed ssl layer to use EVP_KDF API for TLS1_PRF and HKDF. Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/9010) --- Summary of changes: ssl/t1_enc.c| 30 ++ ssl/tls13_enc.c | 50 -- 2 files changed, 42 insertions(+), 38 deletions(-) diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 9f2dbee..31290a4 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -31,7 +31,7 @@ static int tls1_PRF(SSL *s, unsigned char *out, size_t olen, int fatal) { const EVP_MD *md = ssl_prf_md(s); -EVP_PKEY_CTX *pctx = NULL; +EVP_KDF_CTX *kctx = NULL; int ret = 0; if (md == NULL) { @@ -43,16 +43,22 @@ static int tls1_PRF(SSL *s, SSLerr(SSL_F_TLS1_PRF, ERR_R_INTERNAL_ERROR); return 0; } -pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL); -if (pctx == NULL || EVP_PKEY_derive_init(pctx) <= 0 -|| EVP_PKEY_CTX_set_tls1_prf_md(pctx, md) <= 0 -|| EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, sec, (int)slen) <= 0 -|| EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, (int)seed1_len) <= 0 -|| EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, (int)seed2_len) <= 0 -|| EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, (int)seed3_len) <= 0 -|| EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed4, (int)seed4_len) <= 0 -|| EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed5, (int)seed5_len) <= 0 -|| EVP_PKEY_derive(pctx, out, ) <= 0) { +kctx = EVP_KDF_CTX_new_id(EVP_PKEY_TLS1_PRF); +if (kctx == NULL +|| EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, md) <= 0 +|| EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET, +sec, (size_t)slen) <= 0 +|| EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, +seed1, (size_t)seed1_len) <= 0 +|| EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, +seed2, (size_t)seed2_len) <= 0 +|| EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, +seed3, (size_t)seed3_len) <= 0 +|| EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, +seed4, (size_t)seed4_len) <= 0 +|| EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, +seed5, (size_t)seed5_len) <= 0 +|| EVP_KDF_derive(kctx, out, olen) <= 0) { if (fatal) SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_PRF, ERR_R_INTERNAL_ERROR); @@ -64,7 +70,7 @@ static int tls1_PRF(SSL *s, ret = 1; err: -EVP_PKEY_CTX_free(pctx); +EVP_KDF_CTX_free(kctx); return ret; } diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index edb3290..b0fc4b2 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -31,7 +31,7 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, unsigned char *out, size_t outlen, int fatal) { static const unsigned char label_prefix[] = "tls13 "; -EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); +EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_PKEY_HKDF); int ret; size_t hkdflabellen; size_t hashlen; @@ -45,7 +45,7 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, + 1 + EVP_MAX_MD_SIZE]; WPACKET pkt; -if (pctx == NULL) +if (kctx == NULL) return 0; if (labellen > TLS13_MAX_LABEL_LEN) { @@ -59,7 +59,7 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, */ SSLerr(SSL_F_TLS13_HKDF_EXPAND, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); } -EVP_PKEY_CTX_free(pctx); +EVP_KDF_CTX_free(kctx); return 0; } @@ -74,7 +74,7 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, || !WPACKET_sub_memcpy_u8(, data, (data == NULL) ? 0 : datalen) || !WPACKET_get_total_written(, ) || !WPACKET_finish()) { -EVP_PKEY_CTX_free(pctx); +EVP_KDF_CTX_free(kctx); WPACKET_cleanup(); if (fatal) SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND, @@ -84,15 +84,15 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, return 0; } -ret = EVP_PKEY_derive_init(pctx) <= 0 -|| EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) -
Still Failing: openssl/openssl#25303 (OpenSSL_1_1_1-stable - 5a07048)
Build Update for openssl/openssl - Build: #25303 Status: Still Failing Duration: 26 mins and 38 secs Commit: 5a07048 (OpenSSL_1_1_1-stable) Author: Richard Levitte Message: doc/man3/X509_LOOKUP_meth_new.pod: clarify the requirements The documentation of what a X509_LOOKUP implementation must do was unclear and confusing. Most of all, clarification was needed that it must store away the found objects in the X509_STORE. Fixes #8707 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8755) (cherry picked from commit 19f43f02aa5349034d0a7a60c3a750e046f994b5) View the changeset: https://github.com/openssl/openssl/compare/9f084451a33d...5a070488d8c7 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/537692050?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
Still Failing: openssl/openssl#25302 (master - 19f43f0)
Build Update for openssl/openssl - Build: #25302 Status: Still Failing Duration: 19 mins and 43 secs Commit: 19f43f0 (master) Author: Richard Levitte Message: doc/man3/X509_LOOKUP_meth_new.pod: clarify the requirements The documentation of what a X509_LOOKUP implementation must do was unclear and confusing. Most of all, clarification was needed that it must store away the found objects in the X509_STORE. Fixes #8707 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8755) View the changeset: https://github.com/openssl/openssl/compare/6783944f89a6...19f43f02aa53 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/537691174?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 5a070488d8c7b31da9080e6fcce6aefdc86af608 (commit) from 9f084451a33d60c3da6833739f6e26f203ca85d2 (commit) - Log - commit 5a070488d8c7b31da9080e6fcce6aefdc86af608 Author: Richard Levitte Date: Mon Apr 15 17:30:11 2019 +0200 doc/man3/X509_LOOKUP_meth_new.pod: clarify the requirements The documentation of what a X509_LOOKUP implementation must do was unclear and confusing. Most of all, clarification was needed that it must store away the found objects in the X509_STORE. Fixes #8707 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8755) (cherry picked from commit 19f43f02aa5349034d0a7a60c3a750e046f994b5) --- Summary of changes: doc/man3/X509_LOOKUP_meth_new.pod | 18 ++ 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/doc/man3/X509_LOOKUP_meth_new.pod b/doc/man3/X509_LOOKUP_meth_new.pod index fb165fd..430124c 100644 --- a/doc/man3/X509_LOOKUP_meth_new.pod +++ b/doc/man3/X509_LOOKUP_meth_new.pod @@ -150,10 +150,20 @@ the X509_LOOKUP context, the type of the X509_OBJECT being requested, parameters related to the lookup, and an X509_OBJECT that will receive the requested object. -Implementations should use either X509_OBJECT_set1_X509() or -X509_OBJECT_set1_X509_CRL() to set the result. Any method data that was -created as a result of the new_item function set by -X509_LOOKUP_meth_set_new_item() can be accessed with +Implementations must add objects they find to the B object +using X509_STORE_add_cert() or X509_STORE_add_crl(). This increments +its reference count. However, the X509_STORE_CTX_get_by_subject() +function also increases the reference count which leads to one too +many references being held. Therefore applications should +additionally call X509_free() or X509_CRL_free() to decrement the +reference count again. + +Implementations should also use either X509_OBJECT_set1_X509() or +X509_OBJECT_set1_X509_CRL() to set the result. Note that this also +increments the result's reference count. + +Any method data that was created as a result of the new_item function +set by X509_LOOKUP_meth_set_new_item() can be accessed with X509_LOOKUP_get_method_data(). The B object that owns the X509_LOOKUP may be accessed with X509_LOOKUP_get_store(). Successful lookups should return 1, and unsuccessful lookups should return 0.
[openssl] master update
The branch master has been updated via 19f43f02aa5349034d0a7a60c3a750e046f994b5 (commit) from 6783944f89a606e09e961d473b70167d2a66f96e (commit) - Log - commit 19f43f02aa5349034d0a7a60c3a750e046f994b5 Author: Richard Levitte Date: Mon Apr 15 17:30:11 2019 +0200 doc/man3/X509_LOOKUP_meth_new.pod: clarify the requirements The documentation of what a X509_LOOKUP implementation must do was unclear and confusing. Most of all, clarification was needed that it must store away the found objects in the X509_STORE. Fixes #8707 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8755) --- Summary of changes: doc/man3/X509_LOOKUP_meth_new.pod | 18 ++ 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/doc/man3/X509_LOOKUP_meth_new.pod b/doc/man3/X509_LOOKUP_meth_new.pod index 4e5fba4..11a7a0d 100644 --- a/doc/man3/X509_LOOKUP_meth_new.pod +++ b/doc/man3/X509_LOOKUP_meth_new.pod @@ -150,10 +150,20 @@ the X509_LOOKUP context, the type of the X509_OBJECT being requested, parameters related to the lookup, and an X509_OBJECT that will receive the requested object. -Implementations should use either X509_OBJECT_set1_X509() or -X509_OBJECT_set1_X509_CRL() to set the result. Any method data that was -created as a result of the new_item function set by -X509_LOOKUP_meth_set_new_item() can be accessed with +Implementations must add objects they find to the B object +using X509_STORE_add_cert() or X509_STORE_add_crl(). This increments +its reference count. However, the X509_STORE_CTX_get_by_subject() +function also increases the reference count which leads to one too +many references being held. Therefore applications should +additionally call X509_free() or X509_CRL_free() to decrement the +reference count again. + +Implementations should also use either X509_OBJECT_set1_X509() or +X509_OBJECT_set1_X509_CRL() to set the result. Note that this also +increments the result's reference count. + +Any method data that was created as a result of the new_item function +set by X509_LOOKUP_meth_set_new_item() can be accessed with X509_LOOKUP_get_method_data(). The B object that owns the X509_LOOKUP may be accessed with X509_LOOKUP_get_store(). Successful lookups should return 1, and unsuccessful lookups should return 0.
Still Failing: openssl/openssl#25300 (master - 6783944)
Build Update for openssl/openssl - Build: #25300 Status: Still Failing Duration: 25 mins and 24 secs Commit: 6783944 (master) Author: David Makepeace Message: Added Conforming To section to EVP_KDF_TLS1_PRF documentation. Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/9008) View the changeset: https://github.com/openssl/openssl/compare/5b3accde606f...6783944f89a6 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/537675892?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] master update
The branch master has been updated via 6783944f89a606e09e961d473b70167d2a66f96e (commit) from 5b3accde606ffe01466426bd59407ffca0690d23 (commit) - Log - commit 6783944f89a606e09e961d473b70167d2a66f96e Author: David Makepeace Date: Mon May 27 08:21:50 2019 +1000 Added Conforming To section to EVP_KDF_TLS1_PRF documentation. Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/9008) --- Summary of changes: doc/man7/EVP_KDF_TLS1_PRF.pod | 4 1 file changed, 4 insertions(+) diff --git a/doc/man7/EVP_KDF_TLS1_PRF.pod b/doc/man7/EVP_KDF_TLS1_PRF.pod index e6cbe09..4c73139 100644 --- a/doc/man7/EVP_KDF_TLS1_PRF.pod +++ b/doc/man7/EVP_KDF_TLS1_PRF.pod @@ -121,6 +121,10 @@ and seed value "seed": } EVP_KDF_CTX_free(kctx); +=head1 CONFORMING TO + +RFC 2246, RFC 5246 and NIST SP 800-135 r1 + =head1 SEE ALSO L,
Still Failing: openssl/openssl#25292 (master - d4d89a0)
Build Update for openssl/openssl - Build: #25292 Status: Still Failing Duration: 27 mins and 28 secs Commit: d4d89a0 (master) Author: Simo Sorce Message: Fix input checks wrt legacy code In all legacy code ctx->cipher is dereferenced without checks, so it makes no sense to jump there is ctx->cipher is NULL as it will just lead to a crash. Catch it separately and return an error. This is simlar to the fix in d2c2e49eab69c7446c1c2c7227f63f8618ca99a5 Signed-off-by: Simo Sorce Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9002) View the changeset: https://github.com/openssl/openssl/compare/2e9d61ecd81a...d4d89a076262 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/537551859?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
Coverity Scan: Analysis completed for openssl/openssl
Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRakUl6QyjujEohY7rPpoYUEvyxzJHSwEoiXkZglM3WeHA-3D-3D_19DGMz38yO7VfzGQuXkecdlEmzBoDG4v8Dvyanv-2F1I1-2FXstMZ3-2BCqhnv3fNE72H3Nqaw8s5Y6bVonPxKVf0DHWzB2RuGYqBnDb91WFtgZaeWjlm-2F6KfJuhfuJ6Osw0f-2Bn7p2zzvu7zIzr-2BdFbN3p6rYoJPQ8DK1fAicc3XAs1mOaCa8ScfSgfLXfCMKklORWQagAdtz-2BacGMQwpePkyi4XwbRLX2XXQh0U8ftPTbKPg-3D Build ID: 257215 Analysis Summary: New defects found: 1 Defects eliminated: 5 If you have difficulty understanding any defects, email us at scan-ad...@coverity.com, or post your question to StackOverflow at https://u2389337.ct.sendgrid.net/wf/click?upn=OgIsEqWzmIl4S-2FzEUMxLXL-2BukuZt9UUdRZhgmgzAKchwAzH1nH3073xDEXNRgHN6zzUI-2FRfbrE6mNOeeukHUQw-3D-3D_19DGMz38yO7VfzGQuXkecdlEmzBoDG4v8Dvyanv-2F1I1-2FXstMZ3-2BCqhnv3fNE72H3Nqaw8s5Y6bVonPxKVf0DHVFVel6OA1z1ip0WGtcJPX3a-2FqCDoxOyaiAc2voJvWOeq7fakCuLswkzsmr9dzZ-2BqhPwEtT8ZbAockkcGBruoyGDIELGaGjd3AXVEwJsJYmI-2BH1gt5EBUHx3pOHL0kOdRSEg87YyBguNxCWXSawmlZ0-3D
Still Failing: openssl/openssl#25291 (master - 2e9d61e)
Build Update for openssl/openssl - Build: #25291 Status: Still Failing Duration: 18 mins and 17 secs Commit: 2e9d61e (master) Author: Laszlo Ersek Message: crypto/evp/evp_key.c: #define BUFSIZ if doesn't #define it CLA: trivial Fixes #8904 Commit 48feaceb53fa ("Remove the possibility to disable the UI module entirely", 2017-07-03) made the BUFSIZ references in "evp_key.c" unconditional, by deleting the preprocessing directive "#ifndef OPENSSL_NO_UI". This breaks the build when compiling OpenSSL for edk2 (OPENSSL_SYS_UEFI), because edk2's doesn't #define BUFSIZ. Provide a fallback definition, like we do in "crypto/ui/ui_util.c" (from commit 984d6c605216, "Fix no-stdio build", 2015-09-29). Signed-off-by: Laszlo Ersek Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8922) View the changeset: https://github.com/openssl/openssl/compare/7817e74dc854...2e9d61ecd81a View the full build log and details: https://travis-ci.org/openssl/openssl/builds/537550990?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] master update
The branch master has been updated via 7817e74dc8540abad63d62d8585d8efe9c458fcf (commit) via 266481095734f62ca9f1c92f4ac9a9034a019f11 (commit) from 5435a830765a63692b8e1e406142d1602133a5a0 (commit) - Log - commit 7817e74dc8540abad63d62d8585d8efe9c458fcf Author: Daniël van Eeden Date: Fri May 24 14:06:38 2019 +0200 Use fixed length for formatting standard cipher names Example with patch: ``` $ openssl ciphers -stdname 'TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305' TLS_AES_256_GCM_SHA384- TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256- TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ``` Example without patch: ``` $ openssl ciphers -stdname 'TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305' TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ``` CLA: Trivial Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8999) commit 266481095734f62ca9f1c92f4ac9a9034a019f11 Author: Daniël van Eeden Date: Fri May 24 12:52:33 2019 +0200 Update format string for ciphers to account for newer ciphers * Cipher name: from 23 to 30 (example: ECDHE-ECDSA-AES128-GCM-SHA256) * Fixed length for TLS version (examples: TLSv1, TLSv1.3) * Au length from 4 to 5 (example: ECDSA) Example (without patch): ``` $ openssl ciphers -v 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA' TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1 ``` Example (with patch): ``` $ openssl ciphers -v 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA' TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1 ``` CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8999) --- Summary of changes: apps/ciphers.c | 2 +- ssl/ssl_ciph.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/ciphers.c b/apps/ciphers.c index cc71e50..e51fac1 100644 --- a/apps/ciphers.c +++ b/apps/ciphers.c @@ -247,7 +247,7 @@ int ciphers_main(int argc, char **argv) const char *nm = SSL_CIPHER_standard_name(c); if (nm == NULL) nm = "UNKNOWN"; -BIO_printf(bio_out, "%s - ", nm); +BIO_printf(bio_out, "%-45s - ", nm); } BIO_puts(bio_out, SSL_CIPHER_description(c, buf, sizeof(buf))); } diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 5aa04db..968998b 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1645,7 +1645,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) const char *ver; const char *kx, *au, *enc, *mac; uint32_t alg_mkey, alg_auth, alg_enc, alg_mac; -static const char *format = "%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n"; +static const char *format = "%-30s %-7s Kx=%-8s Au=%-5s Enc=%-9s Mac=%-4s\n"; if (buf == NULL) { len = 128;
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 9f084451a33d60c3da6833739f6e26f203ca85d2 (commit) from 22598dab5665d9218a4da9e98de16253849c0408 (commit) - Log - commit 9f084451a33d60c3da6833739f6e26f203ca85d2 Author: FdaSilvaYY Date: Mon May 20 00:33:58 2019 +0200 OCSP: fix memory leak in OCSP_url_svcloc_new method. Add a few coverage test case. Fixes #8949 [extended tests] Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8959) (cherry picked from commit 5b3accde606ffe01466426bd59407ffca0690d23) --- Summary of changes: crypto/ocsp/ocsp_ext.c | 4 +-- test/ocspapitest.c | 82 +- 2 files changed, 83 insertions(+), 3 deletions(-) diff --git a/crypto/ocsp/ocsp_ext.c b/crypto/ocsp/ocsp_ext.c index 27ee212..ddfb3a9 100644 --- a/crypto/ocsp/ocsp_ext.c +++ b/crypto/ocsp/ocsp_ext.c @@ -439,6 +439,7 @@ X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME *issuer, const char **urls) if ((sloc = OCSP_SERVICELOC_new()) == NULL) goto err; +X509_NAME_free(sloc->issuer); if ((sloc->issuer = X509_NAME_dup(issuer)) == NULL) goto err; if (urls && *urls @@ -449,12 +450,11 @@ X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME *issuer, const char **urls) goto err; if ((ad->method = OBJ_nid2obj(NID_ad_OCSP)) == NULL) goto err; -if ((ad->location = GENERAL_NAME_new()) == NULL) -goto err; if ((ia5 = ASN1_IA5STRING_new()) == NULL) goto err; if (!ASN1_STRING_set((ASN1_STRING *)ia5, *urls, -1)) goto err; +/* ad->location is allocated inside ACCESS_DESCRIPTION_new */ ad->location->type = GEN_URI; ad->location->d.ia5 = ia5; ia5 = NULL; diff --git a/test/ocspapitest.c b/test/ocspapitest.c index 43b03e3..f9f5264 100644 --- a/test/ocspapitest.c +++ b/test/ocspapitest.c @@ -47,6 +47,24 @@ static int get_cert_and_key(X509 **cert_out, EVP_PKEY **key_out) return 0; } +static int get_cert(X509 **cert_out) +{ +BIO *certbio; +X509 *cert = NULL; + +if (!TEST_ptr(certbio = BIO_new_file(certstr, "r"))) +return 0; +cert = PEM_read_bio_X509(certbio, NULL, NULL, NULL); +BIO_free(certbio); +if (!TEST_ptr(cert)) +goto end; +*cert_out = cert; +return 1; + end: +X509_free(cert); +return 0; +} + static OCSP_BASICRESP *make_dummy_resp(void) { const unsigned char namestr[] = "openssl.example.com"; @@ -131,7 +149,67 @@ static int test_resp_signer(void) EVP_PKEY_free(key); return ret; } -#endif + +static int test_access_description(int testcase) +{ +ACCESS_DESCRIPTION *ad = ACCESS_DESCRIPTION_new(); +int ret = 0; + +if (!TEST_ptr(ad)) +goto err; + +switch (testcase) { +case 0: /* no change */ +break; +case 1: /* check and release current location */ +if (!TEST_ptr(ad->location)) +goto err; +GENERAL_NAME_free(ad->location); +ad->location = NULL; +break; +case 2: /* replace current location */ +GENERAL_NAME_free(ad->location); +ad->location = GENERAL_NAME_new(); +if (!TEST_ptr(ad->location)) +goto err; +break; +} +ACCESS_DESCRIPTION_free(ad); +ret = 1; +err: +return ret; +} + +static int test_ocsp_url_svcloc_new(void) +{ +static const char * urls[] = { +"www.openssl.org", +"www.openssl.net", +NULL +}; + +X509 *issuer = NULL; +X509_EXTENSION * ext = NULL; +int ret = 0; + +if (!TEST_true(get_cert())) +goto err; + +/* + * Test calling this ocsp method to catch any memory leak + */ +ext = OCSP_url_svcloc_new(X509_get_issuer_name(issuer), urls); +if (!TEST_ptr(ext)) +goto err; + +X509_EXTENSION_free(ext); +ret = 1; +err: +X509_free(issuer); +return ret; +} + +#endif /* OPENSSL_NO_OCSP */ int setup_tests(void) { @@ -140,6 +218,8 @@ int setup_tests(void) return 0; #ifndef OPENSSL_NO_OCSP ADD_TEST(test_resp_signer); +ADD_ALL_TESTS(test_access_description, 3); +ADD_TEST(test_ocsp_url_svcloc_new); #endif return 1; }
[openssl] master update
The branch master has been updated via 5b3accde606ffe01466426bd59407ffca0690d23 (commit) from d4d89a076262aa118c07a4766daf17202aef17f0 (commit) - Log - commit 5b3accde606ffe01466426bd59407ffca0690d23 Author: FdaSilvaYY Date: Mon May 20 00:33:58 2019 +0200 OCSP: fix memory leak in OCSP_url_svcloc_new method. Add a few coverage test case. Fixes #8949 [extended tests] Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8959) --- Summary of changes: crypto/ocsp/ocsp_ext.c | 4 +-- test/ocspapitest.c | 82 +- 2 files changed, 83 insertions(+), 3 deletions(-) diff --git a/crypto/ocsp/ocsp_ext.c b/crypto/ocsp/ocsp_ext.c index 8ebfd62..c5cf279 100644 --- a/crypto/ocsp/ocsp_ext.c +++ b/crypto/ocsp/ocsp_ext.c @@ -439,6 +439,7 @@ X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME *issuer, const char **urls) if ((sloc = OCSP_SERVICELOC_new()) == NULL) goto err; +X509_NAME_free(sloc->issuer); if ((sloc->issuer = X509_NAME_dup(issuer)) == NULL) goto err; if (urls && *urls @@ -449,12 +450,11 @@ X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME *issuer, const char **urls) goto err; if ((ad->method = OBJ_nid2obj(NID_ad_OCSP)) == NULL) goto err; -if ((ad->location = GENERAL_NAME_new()) == NULL) -goto err; if ((ia5 = ASN1_IA5STRING_new()) == NULL) goto err; if (!ASN1_STRING_set((ASN1_STRING *)ia5, *urls, -1)) goto err; +/* ad->location is allocated inside ACCESS_DESCRIPTION_new */ ad->location->type = GEN_URI; ad->location->d.ia5 = ia5; ia5 = NULL; diff --git a/test/ocspapitest.c b/test/ocspapitest.c index 03b88e0..355bd44 100644 --- a/test/ocspapitest.c +++ b/test/ocspapitest.c @@ -47,6 +47,24 @@ static int get_cert_and_key(X509 **cert_out, EVP_PKEY **key_out) return 0; } +static int get_cert(X509 **cert_out) +{ +BIO *certbio; +X509 *cert = NULL; + +if (!TEST_ptr(certbio = BIO_new_file(certstr, "r"))) +return 0; +cert = PEM_read_bio_X509(certbio, NULL, NULL, NULL); +BIO_free(certbio); +if (!TEST_ptr(cert)) +goto end; +*cert_out = cert; +return 1; + end: +X509_free(cert); +return 0; +} + static OCSP_BASICRESP *make_dummy_resp(void) { const unsigned char namestr[] = "openssl.example.com"; @@ -131,7 +149,67 @@ static int test_resp_signer(void) EVP_PKEY_free(key); return ret; } -#endif + +static int test_access_description(int testcase) +{ +ACCESS_DESCRIPTION *ad = ACCESS_DESCRIPTION_new(); +int ret = 0; + +if (!TEST_ptr(ad)) +goto err; + +switch (testcase) { +case 0: /* no change */ +break; +case 1: /* check and release current location */ +if (!TEST_ptr(ad->location)) +goto err; +GENERAL_NAME_free(ad->location); +ad->location = NULL; +break; +case 2: /* replace current location */ +GENERAL_NAME_free(ad->location); +ad->location = GENERAL_NAME_new(); +if (!TEST_ptr(ad->location)) +goto err; +break; +} +ACCESS_DESCRIPTION_free(ad); +ret = 1; +err: +return ret; +} + +static int test_ocsp_url_svcloc_new(void) +{ +static const char * urls[] = { +"www.openssl.org", +"www.openssl.net", +NULL +}; + +X509 *issuer = NULL; +X509_EXTENSION * ext = NULL; +int ret = 0; + +if (!TEST_true(get_cert())) +goto err; + +/* + * Test calling this ocsp method to catch any memory leak + */ +ext = OCSP_url_svcloc_new(X509_get_issuer_name(issuer), urls); +if (!TEST_ptr(ext)) +goto err; + +X509_EXTENSION_free(ext); +ret = 1; +err: +X509_free(issuer); +return ret; +} + +#endif /* OPENSSL_NO_OCSP */ OPT_TEST_DECLARE_USAGE("certfile privkeyfile\n") @@ -142,6 +220,8 @@ int setup_tests(void) return 0; #ifndef OPENSSL_NO_OCSP ADD_TEST(test_resp_signer); +ADD_ALL_TESTS(test_access_description, 3); +ADD_TEST(test_ocsp_url_svcloc_new); #endif return 1; }
[openssl] master update
The branch master has been updated via d4d89a076262aa118c07a4766daf17202aef17f0 (commit) from 2e9d61ecd81a6a512a0700486ccc1b3784b4c969 (commit) - Log - commit d4d89a076262aa118c07a4766daf17202aef17f0 Author: Simo Sorce Date: Fri May 24 17:35:04 2019 -0400 Fix input checks wrt legacy code In all legacy code ctx->cipher is dereferenced without checks, so it makes no sense to jump there is ctx->cipher is NULL as it will just lead to a crash. Catch it separately and return an error. This is simlar to the fix in d2c2e49eab69c7446c1c2c7227f63f8618ca99a5 Signed-off-by: Simo Sorce Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9002) --- Summary of changes: crypto/evp/evp_enc.c | 19 --- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index b3e97d0..02f0e00 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -587,7 +587,12 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, return 0; } -if (ctx->cipher == NULL || ctx->cipher->prov == NULL) +if (ctx->cipher == NULL) { +EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_NO_CIPHER_SET); +return 0; +} + +if (ctx->cipher->prov == NULL) goto legacy; blocksize = EVP_CIPHER_CTX_block_size(ctx); @@ -831,7 +836,12 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) return 0; } -if (ctx->cipher == NULL || ctx->cipher->prov == NULL) +if (ctx->cipher == NULL) { +EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_NO_CIPHER_SET); +return 0; +} + +if (ctx->cipher->prov == NULL) goto legacy; blocksize = EVP_CIPHER_CTX_block_size(ctx); @@ -858,11 +868,6 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) legacy: *outl = 0; -if (ctx->cipher == NULL) { -EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_NO_CIPHER_SET); -return 0; -} - if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { i = ctx->cipher->do_cipher(ctx, out, NULL, 0); if (i < 0)
[openssl] master update
The branch master has been updated via 2e9d61ecd81a6a512a0700486ccc1b3784b4c969 (commit) from 7817e74dc8540abad63d62d8585d8efe9c458fcf (commit) - Log - commit 2e9d61ecd81a6a512a0700486ccc1b3784b4c969 Author: Laszlo Ersek Date: Thu May 9 21:29:48 2019 +0200 crypto/evp/evp_key.c: #define BUFSIZ if doesn't #define it CLA: trivial Fixes #8904 Commit 48feaceb53fa ("Remove the possibility to disable the UI module entirely", 2017-07-03) made the BUFSIZ references in "evp_key.c" unconditional, by deleting the preprocessing directive "#ifndef OPENSSL_NO_UI". This breaks the build when compiling OpenSSL for edk2 (OPENSSL_SYS_UEFI), because edk2's doesn't #define BUFSIZ. Provide a fallback definition, like we do in "crypto/ui/ui_util.c" (from commit 984d6c605216, "Fix no-stdio build", 2015-09-29). Signed-off-by: Laszlo Ersek Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8922) --- Summary of changes: crypto/evp/evp_key.c | 4 1 file changed, 4 insertions(+) diff --git a/crypto/evp/evp_key.c b/crypto/evp/evp_key.c index fc65b4c..3aa49aa 100644 --- a/crypto/evp/evp_key.c +++ b/crypto/evp/evp_key.c @@ -14,6 +14,10 @@ #include #include +#ifndef BUFSIZ +# define BUFSIZ 256 +#endif + /* should be init to zeros. */ static char prompt_string[80];
Still Failing: openssl/openssl#25293 (master - 5b3accd)
Build Update for openssl/openssl - Build: #25293 Status: Still Failing Duration: 26 mins and 13 secs Commit: 5b3accd (master) Author: FdaSilvaYY Message: OCSP: fix memory leak in OCSP_url_svcloc_new method. Add a few coverage test case. Fixes #8949 [extended tests] Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8959) View the changeset: https://github.com/openssl/openssl/compare/d4d89a076262...5b3accde606f View the full build log and details: https://travis-ci.org/openssl/openssl/builds/537553003?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared
Platform and configuration command: $ uname -a Linux run 4.4.0-135-generic #161-Ubuntu SMP Mon Aug 27 10:45:01 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared Commit log since last time: 7817e74dc8 Use fixed length for formatting standard cipher names 2664810957 Update format string for ciphers to account for newer ciphers 5435a83076 issue-8973: Added const to parameters for values that were not altered 55e09d17d4 Doc update: minor typo in CMS_verify.pod CLA: trivial 0f52d9ed7e Cleaned up tls1_prf and added comments. e70185883e Added algorithm description comments to HKDF. Build log ended with (last 100 lines): /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:357: undefined reference to `__afl_prev_loc' crypto/stack/fips-dso-stack.o: In function `OPENSSL_sk_pop_free': /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:359: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:359: undefined reference to `__afl_area_ptr' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:361: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:366: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:366: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:367: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:365: undefined reference to `__afl_prev_loc' crypto/stack/fips-dso-stack.o:/home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:371: more undefined references to `__afl_prev_loc' follow crypto/stack/fips-dso-stack.o: In function `OPENSSL_sk_num': /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:379: undefined reference to `__afl_area_ptr' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:381: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:381: undefined reference to `__afl_prev_loc' crypto/stack/fips-dso-stack.o: In function `OPENSSL_sk_value': /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:384: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:384: undefined reference to `__afl_area_ptr' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:386: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:388: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:389: undefined reference to `__afl_prev_loc' crypto/stack/fips-dso-stack.o: In function `OPENSSL_sk_set': /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:391: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:391: undefined reference to `__afl_area_ptr' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:393: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:395: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:398: undefined reference to `__afl_prev_loc' crypto/stack/fips-dso-stack.o: In function `OPENSSL_sk_sort': /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:400: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:400: undefined reference to `__afl_area_ptr' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:402: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:402: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:403: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:404: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:405: undefined reference to `__afl_prev_loc' crypto/stack/fips-dso-stack.o:/home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:407: more undefined references to `__afl_prev_loc' follow crypto/stack/fips-dso-stack.o: In function `OPENSSL_sk_is_sorted': /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:409: undefined reference to `__afl_area_ptr' /home/openssl/run-checker/enable-fuzz-afl/../openssl/crypto/stack/stack.c:411: undefined reference to `__afl_prev_loc'
Still Failing: openssl/openssl#25294 (OpenSSL_1_1_1-stable - 9f08445)
Build Update for openssl/openssl - Build: #25294 Status: Still Failing Duration: 23 mins and 36 secs Commit: 9f08445 (OpenSSL_1_1_1-stable) Author: FdaSilvaYY Message: OCSP: fix memory leak in OCSP_url_svcloc_new method. Add a few coverage test case. Fixes #8949 [extended tests] Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8959) (cherry picked from commit 5b3accde606ffe01466426bd59407ffca0690d23) View the changeset: https://github.com/openssl/openssl/compare/22598dab5665...9f084451a33d View the full build log and details: https://travis-ci.org/openssl/openssl/builds/537553102?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
Coverity Scan: Analysis completed for OpenSSL-1.0.2
Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRakUl6QyjujEohY7rPpoYUEOo3rtGjiQZqYPGgcjfkiXQ-3D-3D_19DGMz38yO7VfzGQuXkecdlEmzBoDG4v8Dvyanv-2F1I3WUW2WhDzeMSlD-2F-2BJn7gPbEVuc26tbP1UgukKb1EFWNKk18KUXDJ1uZu-2Btze7T6nqf-2FXwEwb5hgzYxt6PrECuKu6n1zYkcd34K4kxM0lCvHuD9T7yXpA-2Bh2jYoexSlQWzc7HY4Yo4l4MERoh3Na3QahDGX0XG3wopBLyTuthulJc5uBcgue0DxtPxf7KlZtOY-3D Build ID: 257218 Analysis Summary: New defects found: 0 Defects eliminated: 0
Still Failing: openssl/openssl#25290 (master - 7817e74)
Build Update for openssl/openssl - Build: #25290 Status: Still Failing Duration: 19 mins and 25 secs Commit: 7817e74 (master) Author: Daniël van Eeden Message: Use fixed length for formatting standard cipher names Example with patch: ``` $ openssl ciphers -stdname 'TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305' TLS_AES_256_GCM_SHA384- TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256- TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ``` Example without patch: ``` $ openssl ciphers -stdname 'TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305' TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ``` CLA: Trivial Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8999) View the changeset: https://github.com/openssl/openssl/compare/5435a830765a...7817e74dc854 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/537540725?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.