[openssl] master update
The branch master has been updated via 02c163ea8936d75c7334d81d86c2a713dea40371 (commit) from c3612970465d0a13f2fc5b47bc28ca18516a699d (commit) - Log - commit 02c163ea8936d75c7334d81d86c2a713dea40371 Author: Pauli Date: Wed Jul 31 07:19:33 2019 +1000 Check for NULL return from zalloc in dh_dupctx. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/9485) --- Summary of changes: providers/common/exchange/dh_exch.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/providers/common/exchange/dh_exch.c b/providers/common/exchange/dh_exch.c index b4bfd5f419..62041daab3 100644 --- a/providers/common/exchange/dh_exch.c +++ b/providers/common/exchange/dh_exch.c @@ -106,6 +106,8 @@ static void *dh_dupctx(void *vpdhctx) PROV_DH_CTX *dstctx; dstctx = OPENSSL_zalloc(sizeof(*srcctx)); +if (dstctx == NULL) +return NULL; *dstctx = *srcctx; if (dstctx->dh != NULL && !DH_up_ref(dstctx->dh)) {
Build completed: openssl master.26397
Build openssl master.26397 completed Commit c361297046 by Richard Levitte on 7/31/2019 4:45 AM: Avoid using ERR_put_error() directly in OpenSSL code Configure your notification preferences
Errored: openssl/openssl#26974 (master - c361297)
Build Update for openssl/openssl - Build: #26974 Status: Errored Duration: 22 mins and 18 secs Commit: c361297 (master) Author: Richard Levitte Message: Avoid using ERR_put_error() directly in OpenSSL code If compiled with 'no-deprecated', ERR_put_error() is undefined. We had one spot where we were using it directly, because the file and line information was passed from elsewhere. Fortunately, it's possible to use ERR_raise() for that situation, and call ERR_set_debug() immediately after and thereby override the information that ERR_raise() stored in the error record. util/mkerr.pl needed a small adjustment to not generate code that won't compile in a 'no-deprecated' configuration. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9452) View the changeset: https://github.com/openssl/openssl/compare/35f6fe7ac4fb...c3612970465d View the full build log and details: https://travis-ci.org/openssl/openssl/builds/565800920?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] master update
The branch master has been updated via c3612970465d0a13f2fc5b47bc28ca18516a699d (commit) via 036913b1076da41f257c640a5e6230476c647eff (commit) via 49c6434673ca5e9413062851979cf6ed126c9f1c (commit) via add8c8e9647a71cc755dea22490e2075e342624b (commit) via ed57f7f93508776b898e4c23b65d67f3479edaf1 (commit) via 7c0e20dc6f11aa506abc99ccc90b3a39c48c3052 (commit) via 8a4dc425cc73040c55bc01d89c5541e37dab939a (commit) via e039ca38c8d77f1e2f182123727c884aaf2d683d (commit) from 35f6fe7ac4fbde98d4fd6af968dfe320011bbe1e (commit) - Log - commit c3612970465d0a13f2fc5b47bc28ca18516a699d Author: Richard Levitte Date: Wed Jul 24 16:55:32 2019 +0200 Avoid using ERR_put_error() directly in OpenSSL code If compiled with 'no-deprecated', ERR_put_error() is undefined. We had one spot where we were using it directly, because the file and line information was passed from elsewhere. Fortunately, it's possible to use ERR_raise() for that situation, and call ERR_set_debug() immediately after and thereby override the information that ERR_raise() stored in the error record. util/mkerr.pl needed a small adjustment to not generate code that won't compile in a 'no-deprecated' configuration. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9452) commit 036913b1076da41f257c640a5e6230476c647eff Author: Richard Levitte Date: Wed Jul 24 14:00:39 2019 +0200 Adapt the FIPS provider to use the new core error functions Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9452) commit 49c6434673ca5e9413062851979cf6ed126c9f1c Author: Richard Levitte Date: Wed Jul 24 13:37:42 2019 +0200 Refactor provider support for reporting errors The core now supplies its own versions of ERR_new(), ERR_set_debug() and ERR_vset_error(). This should suffice for a provider to have any OpenSSL compatible functionlity it desires. The main difference between the ERR functions and the core counterparts is that the core counterparts take an OSSL_PROVIDER parameter instead of the library number. That way, providers do not need to know what number they have been assigned, that information stays in the core. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9452) commit add8c8e9647a71cc755dea22490e2075e342624b Author: Richard Levitte Date: Wed Jul 24 13:25:56 2019 +0200 ERR: Remove ERR_put_func_error() and reimplement ERR_put_error() as a macro Also, deprecate ERR_put_error() Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9452) commit ed57f7f93508776b898e4c23b65d67f3479edaf1 Author: Richard Levitte Date: Wed Jul 24 13:13:52 2019 +0200 ERR: Implement the macros ERR_raise() and ERR_raise_data() and use them The ERR_raise() macro uses a trick in C. The following is permitted: #include void first(void) { printf("Hello! "); } void foo(const char *bar) { printf("%s", bar); } int main() { /* This */ (first(),foo)("cookie"); } ERR_raise_data() can be used to implement FUNCerr() as well, which takes away the need for the special function ERR_put_func_error(). Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9452) commit 7c0e20dc6f11aa506abc99ccc90b3a39c48c3052 Author: Richard Levitte Date: Wed Jul 24 13:03:32 2019 +0200 ERR: Add new building blocks for reporting errors The new building block are ERR_new(), ERR_set_debug(), ERR_set_error(), ERR_vset_error(), which allocate a new error record and set the diverse data in them. They are designed in such a way that it's reasonably easy to create macros that use all of them but then rely completely on the function signature of ERR_set_error() or ERR_vset_error(). Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9452) commit 8a4dc425cc73040c55bc01d89c5541e37dab939a Author: Richard Levitte Date: Wed Jul 24 12:56:58 2019 +0200 ERR: refactor useful inner macros to err_locl.h. Add function name field The useful inner macros are now static inline functions. That will make them easier to debug in the future. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9452) commit e039ca38c8d77f1e2f182123727c884aaf2d683d Author: Richard Levitte Date: Wed Jul 24 12:53:36 2019 +0200 Move some macros from include/openssl/opensslconf.h.in, add OPENSSL_FUNC New header file, include/openssl/macros.h, which contains diverse useful macros that we use
Still FAILED build of OpenSSL branch master with options -d --strict-warnings enable-ec_nistp_64_gcc_128
Platform and configuration command: $ uname -a Linux run 4.15.0-54-generic #58-Ubuntu SMP Mon Jun 24 10:55:24 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings enable-ec_nistp_64_gcc_128 Commit log since last time: 35f6fe7ac4 Fix BIO_printf format warnings 62cc845fc9 Use OPENSSL_strlcpy instead of strncpy in e_afalg.c 11dbdc0714 Document the provider CIPHER operation d753cc333d Fix coverity 1452084 Fix coverity 1452083 10f8b36874 ERR: re-use the err_data field when possible Build log ended with (last 100 lines): ../../openssl/test/recipes/30-test_pbelu.t ok ../../openssl/test/recipes/30-test_pkey_meth.t ok ../../openssl/test/recipes/30-test_pkey_meth_kdf.t ok ../../openssl/test/recipes/40-test_rehash.t ... ok ../../openssl/test/recipes/60-test_x509_check_cert_pkey.t . ok ../../openssl/test/recipes/60-test_x509_dup_cert.t ok ../../openssl/test/recipes/60-test_x509_store.t ... ok ../../openssl/test/recipes/60-test_x509_time.t ok ../../openssl/test/recipes/70-test_asyncio.t .. ok ../../openssl/test/recipes/70-test_bad_dtls.t . ok ../../openssl/test/recipes/70-test_clienthello.t .. ok ../../openssl/test/recipes/70-test_comp.t . ok ../../openssl/test/recipes/70-test_key_share.t ok ../../openssl/test/recipes/70-test_packet.t ... ok ../../openssl/test/recipes/70-test_recordlen.t ok ../../openssl/test/recipes/70-test_renegotiation.t ok ../../openssl/test/recipes/70-test_servername.t ... ok ../../openssl/test/recipes/70-test_sslcbcpadding.t ok ../../openssl/test/recipes/70-test_sslcertstatus.t ok ../../openssl/test/recipes/70-test_sslextension.t . ok ../../openssl/test/recipes/70-test_sslmessages.t .. ok ../../openssl/test/recipes/70-test_sslrecords.t ... ok ../../openssl/test/recipes/70-test_sslsessiontick.t ... ok ../../openssl/test/recipes/70-test_sslsigalgs.t ... ok ../../openssl/test/recipes/70-test_sslsignature.t . ok ../../openssl/test/recipes/70-test_sslskewith0p.t . ok ../../openssl/test/recipes/70-test_sslversions.t .. ok ../../openssl/test/recipes/70-test_sslvertol.t ok ../../openssl/test/recipes/70-test_tls13alerts.t .. ok ../../openssl/test/recipes/70-test_tls13cookie.t .. ok ../../openssl/test/recipes/70-test_tls13downgrade.t ... ok ../../openssl/test/recipes/70-test_tls13hrr.t . ok ../../openssl/test/recipes/70-test_tls13kexmodes.t ok ../../openssl/test/recipes/70-test_tls13messages.t ok ../../openssl/test/recipes/70-test_tls13psk.t . ok ../../openssl/test/recipes/70-test_tlsextms.t . ok ../../openssl/test/recipes/70-test_verify_extra.t . ok ../../openssl/test/recipes/70-test_wpacket.t .. ok ../../openssl/test/recipes/80-test_ca.t ... ok ../../openssl/test/recipes/80-test_cipherbytes.t .. ok ../../openssl/test/recipes/80-test_cipherlist.t ... ok ../../openssl/test/recipes/80-test_ciphername.t ... ok ../../openssl/test/recipes/80-test_cms.t .. ok ../../openssl/test/recipes/80-test_cmsapi.t ... ok ../../openssl/test/recipes/80-test_ct.t ... ok ../../openssl/test/recipes/80-test_dane.t . ok ../../openssl/test/recipes/80-test_dtls.t . ok ../../openssl/test/recipes/80-test_dtls_mtu.t . ok ../../openssl/test/recipes/80-test_dtlsv1listen.t . ok ../../openssl/test/recipes/80-test_ocsp.t . ok ../../openssl/test/recipes/80-test_pkcs12.t ... ok ../../openssl/test/recipes/80-test_ssl_new.t .. ok ../../openssl/test/recipes/80-test_ssl_old.t .. ok ../../openssl/test/recipes/80-test_ssl_test_ctx.t . ok ../../openssl/test/recipes/80-test_sslcorrupt.t ... ok ../../openssl/test/recipes/80-test_tsa.t .. ok ../../openssl/test/recipes/80-test_x509aux.t .. ok ../../openssl/test/recipes/90-test_asn1_time.t ok ../../openssl/test/recipes/90-test_async.t ok ../../openssl/test/recipes/90-test_bio_enc.t .. ok ../../openssl/test/recipes/90-test_bio_memleak.t .. ok ../../openssl/test/recipes/90-test_constant_time.t ok ../../openssl/test/recipes/90-test_fatalerr.t . ok ../../openssl/test/recipes/90-test_gmdiff.t ... ok ../../openssl/test/recipes/90-test_gost.t . ok ../../openssl/test/recipes/90-test_ige.t .. ok
Build failed: openssl master.26396
Build openssl master.26396 failed Commit c7a4db1b73 by Rich Salz on 7/30/2019 7:42 PM: Show sample output Configure your notification preferences
FAILED build of OpenSSL branch master with options -d --strict-warnings enable-asan no-shared -DOPENSSL_SMALL_FOOTPRINT
Platform and configuration command: $ uname -a Linux run 4.15.0-54-generic #58-Ubuntu SMP Mon Jun 24 10:55:24 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings enable-asan no-shared -DOPENSSL_SMALL_FOOTPRINT Commit log since last time: 35f6fe7ac4 Fix BIO_printf format warnings 62cc845fc9 Use OPENSSL_strlcpy instead of strncpy in e_afalg.c 11dbdc0714 Document the provider CIPHER operation d753cc333d Fix coverity 1452084 Fix coverity 1452083 10f8b36874 ERR: re-use the err_data field when possible Build log ended with (last 100 lines): ../../openssl/test/recipes/60-test_x509_time.t ok ../../openssl/test/recipes/70-test_asyncio.t .. ok ../../openssl/test/recipes/70-test_bad_dtls.t . ok ../../openssl/test/recipes/70-test_clienthello.t .. ok ../../openssl/test/recipes/70-test_comp.t . skipped: test_comp needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_key_share.t skipped: test_key_share needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_packet.t ... ok ../../openssl/test/recipes/70-test_recordlen.t ok ../../openssl/test/recipes/70-test_renegotiation.t skipped: test_renegotiation needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_servername.t ... ok ../../openssl/test/recipes/70-test_sslcbcpadding.t skipped: test_sslcbcpadding needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslcertstatus.t skipped: test_sslcertstatus needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslextension.t . skipped: test_sslextension needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslmessages.t .. skipped: test_sslmessages needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslrecords.t ... skipped: test_sslrecords needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslsessiontick.t ... skipped: test_sslsessiontick needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslsigalgs.t ... skipped: test_sslsigalgs needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslsignature.t . skipped: test_sslsignature needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslskewith0p.t . skipped: test_sslskewith0p needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslversions.t .. skipped: test_sslversions needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslvertol.t skipped: test_sslextension needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tls13alerts.t .. skipped: test_tls13alerts needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tls13cookie.t .. skipped: test_tls13cookie needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tls13downgrade.t ... skipped: test_tls13downgrade needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tls13hrr.t . skipped: test_tls13hrr needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tls13kexmodes.t skipped: test_tls13kexmodes needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tls13messages.t skipped: test_tls13messages needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tls13psk.t . skipped: test_tls13psk needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tlsextms.t . skipped: test_tlsextms needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_verify_extra.t . ok ../../openssl/test/recipes/70-test_wpacket.t .. ok ../../openssl/test/recipes/80-test_ca.t ... ok ../../openssl/test/recipes/80-test_cipherbytes.t .. ok ../../openssl/test/recipes/80-test_cipherlist.t ... ok ../../openssl/test/recipes/80-test_ciphername.t ... ok ../../openssl/test/recipes/80-test_cms.t .. ok ../../openssl/test/recipes/80-test_cmsapi.t ... ok ../../openssl/test/recipes/80-test_ct.t ... ok ../../openssl/test/recipes/80-test_dane.t . ok ../../openssl/test/recipes/80-test_dtls.t . ok ../../openssl/test/recipes/80-test_dtls_mtu.t . ok ../../openssl/test/recipes/80-test_dtlsv1listen.t . ok ../../openssl/test/recipes/80-test_ocsp.t . ok ../../openssl/test/recipes/80-test_pkcs12.t ... ok
Build completed: openssl master.26394
Build openssl master.26394 completed Commit e49ed44c3d by Pauli on 7/30/2019 9:19 PM: Check for NULL return from zalloc in dh_dupctx. Configure your notification preferences
Build failed: openssl master.26393
Build openssl master.26393 failed Commit 39df0bf1bf by Rich Salz on 7/30/2019 7:42 PM: Show sample output Configure your notification preferences
Still Failing: openssl/openssl#26968 (master - 35f6fe7)
Build Update for openssl/openssl - Build: #26968 Status: Still Failing Duration: 28 mins and 44 secs Commit: 35f6fe7 (master) Author: Bernd Edlinger Message: Fix BIO_printf format warnings [extended tests] Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9479) View the changeset: https://github.com/openssl/openssl/compare/62cc845fc955...35f6fe7ac4fb View the full build log and details: https://travis-ci.org/openssl/openssl/builds/565625448?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
Still Failing: openssl/openssl#26966 (master - 62cc845)
Build Update for openssl/openssl - Build: #26966 Status: Still Failing Duration: 28 mins and 38 secs Commit: 62cc845 (master) Author: Bernd Edlinger Message: Use OPENSSL_strlcpy instead of strncpy in e_afalg.c This avoids a spurious gcc warning: ./config enable-asan --strict-warnings => In function 'afalg_create_sk', inlined from 'afalg_cipher_init' at engines/e_afalg.c:545:11: engines/e_afalg.c:376:5: error: '__builtin_strncpy' output may be truncated copying 63 bytes from a string of length 63 [-Werror=stringop-truncation] 376 | strncpy((char *) sa.salg_name, ciphername, ALG_MAX_SALG_NAME); | ^~~ [extended tests] Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9478) View the changeset: https://github.com/openssl/openssl/compare/11dbdc0714b1...62cc845fc955 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/565623738?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] master update
The branch master has been updated via 35f6fe7ac4fbde98d4fd6af968dfe320011bbe1e (commit) from 62cc845fc955c8d4de7b703f57bfd8e5854f00f4 (commit) - Log - commit 35f6fe7ac4fbde98d4fd6af968dfe320011bbe1e Author: Bernd Edlinger Date: Mon Jul 29 12:26:06 2019 +0200 Fix BIO_printf format warnings [extended tests] Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9479) --- Summary of changes: crypto/x509/pcy_tree.c | 2 +- ssl/record/ssl3_record.c | 2 +- test/sparse_array_test.c | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c index 0c5887c25a..5d4c6bd839 100644 --- a/crypto/x509/pcy_tree.c +++ b/crypto/x509/pcy_tree.c @@ -49,7 +49,7 @@ static void tree_print(BIO *channel, curr++; BIO_printf(channel, "Level print after %s\n", str); -BIO_printf(channel, "Printing Up to Level %ld\n", +BIO_printf(channel, "Printing Up to Level %zd\n", curr - tree->levels); for (plev = tree->levels; plev != curr; plev++) { int i; diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index d32516e26d..c5614dc08e 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -1703,7 +1703,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) return 0; } OSSL_TRACE_BEGIN(TLS) { -BIO_printf(trc_out, "dec %ld\n", rr->length); +BIO_printf(trc_out, "dec %zd\n", rr->length); BIO_dump_indent(trc_out, rr->data, rr->length, 4); } OSSL_TRACE_END(TLS); diff --git a/test/sparse_array_test.c b/test/sparse_array_test.c index 3457a7775f..5cc8038f7f 100644 --- a/test/sparse_array_test.c +++ b/test/sparse_array_test.c @@ -122,7 +122,7 @@ static void leaf_check_all(ossl_uintmax_t n, char *value, void *arg) doall_data->res = 1; return; } -TEST_error("Index %zu with value %s not found", n, value); +TEST_error("Index %ju with value %s not found", n, value); } static void leaf_delete(ossl_uintmax_t n, char *value, void *arg) @@ -138,7 +138,7 @@ static void leaf_delete(ossl_uintmax_t n, char *value, void *arg) ossl_sa_char_set(doall_data->sa, n, NULL); return; } -TEST_error("Index %zu with value %s not found", n, value); +TEST_error("Index %ju with value %s not found", n, value); } static int test_sparse_array_doall(void)
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 74f4cc0276b8fe003c036544219a0371266fc32c (commit) from 7de305510a07729be3cc80a0fb10561732ee4f31 (commit) - Log - commit 74f4cc0276b8fe003c036544219a0371266fc32c Author: Bernd Edlinger Date: Mon Jul 29 11:39:34 2019 +0200 Use OPENSSL_strlcpy instead of strncpy in e_afalg.c This avoids a spurious gcc warning: ./config enable-asan --strict-warnings => In function 'afalg_create_sk', inlined from 'afalg_cipher_init' at engines/e_afalg.c:545:11: engines/e_afalg.c:376:5: error: '__builtin_strncpy' output may be truncated copying 63 bytes from a string of length 63 [-Werror=stringop-truncation] 376 | strncpy((char *) sa.salg_name, ciphername, ALG_MAX_SALG_NAME); | ^~~ [extended tests] Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9478) (cherry picked from commit 62cc845fc955c8d4de7b703f57bfd8e5854f00f4) --- Summary of changes: engines/e_afalg.c | 14 -- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/engines/e_afalg.c b/engines/e_afalg.c index f09c396ed9..ae9fee807a 100644 --- a/engines/e_afalg.c +++ b/engines/e_afalg.c @@ -63,9 +63,6 @@ void engine_load_afalg_int(void) # define ALG_OP_TYPE unsigned int # define ALG_OP_LEN (sizeof(ALG_OP_TYPE)) -#define ALG_MAX_SALG_NAME 64 -#define ALG_MAX_SALG_TYPE 14 - # ifdef OPENSSL_NO_DYNAMIC_ENGINE void engine_load_afalg_int(void); # endif @@ -371,10 +368,8 @@ static int afalg_create_sk(afalg_ctx *actx, const char *ciphertype, memset(, 0, sizeof(sa)); sa.salg_family = AF_ALG; -strncpy((char *) sa.salg_type, ciphertype, ALG_MAX_SALG_TYPE); -sa.salg_type[ALG_MAX_SALG_TYPE-1] = '\0'; -strncpy((char *) sa.salg_name, ciphername, ALG_MAX_SALG_NAME); -sa.salg_name[ALG_MAX_SALG_NAME-1] = '\0'; +OPENSSL_strlcpy((char *) sa.salg_type, ciphertype, sizeof(sa.salg_type)); +OPENSSL_strlcpy((char *) sa.salg_name, ciphername, sizeof(sa.salg_name)); actx->bfd = socket(AF_ALG, SOCK_SEQPACKET, 0); if (actx->bfd == -1) { @@ -502,7 +497,7 @@ static int afalg_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, int ciphertype; int ret; afalg_ctx *actx; -char ciphername[ALG_MAX_SALG_NAME]; +const char *ciphername; if (ctx == NULL || key == NULL) { ALG_WARN("%s(%d): Null Parameter\n", __FILE__, __LINE__); @@ -525,14 +520,13 @@ static int afalg_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, case NID_aes_128_cbc: case NID_aes_192_cbc: case NID_aes_256_cbc: -strncpy(ciphername, "cbc(aes)", ALG_MAX_SALG_NAME); +ciphername = "cbc(aes)"; break; default: ALG_WARN("%s(%d): Unsupported Cipher type %d\n", __FILE__, __LINE__, ciphertype); return 0; } -ciphername[ALG_MAX_SALG_NAME-1]='\0'; if (ALG_AES_IV_LEN != EVP_CIPHER_CTX_iv_length(ctx)) { ALG_WARN("%s(%d): Unsupported IV length :%d\n", __FILE__, __LINE__,
[openssl] master update
The branch master has been updated via 62cc845fc955c8d4de7b703f57bfd8e5854f00f4 (commit) from 11dbdc0714b117fcac4af59d61184b0770fcee7e (commit) - Log - commit 62cc845fc955c8d4de7b703f57bfd8e5854f00f4 Author: Bernd Edlinger Date: Mon Jul 29 11:39:34 2019 +0200 Use OPENSSL_strlcpy instead of strncpy in e_afalg.c This avoids a spurious gcc warning: ./config enable-asan --strict-warnings => In function 'afalg_create_sk', inlined from 'afalg_cipher_init' at engines/e_afalg.c:545:11: engines/e_afalg.c:376:5: error: '__builtin_strncpy' output may be truncated copying 63 bytes from a string of length 63 [-Werror=stringop-truncation] 376 | strncpy((char *) sa.salg_name, ciphername, ALG_MAX_SALG_NAME); | ^~~ [extended tests] Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9478) --- Summary of changes: engines/e_afalg.c | 14 -- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/engines/e_afalg.c b/engines/e_afalg.c index c3f622e752..dacbe358cb 100644 --- a/engines/e_afalg.c +++ b/engines/e_afalg.c @@ -63,9 +63,6 @@ void engine_load_afalg_int(void) # define ALG_OP_TYPE unsigned int # define ALG_OP_LEN (sizeof(ALG_OP_TYPE)) -#define ALG_MAX_SALG_NAME 64 -#define ALG_MAX_SALG_TYPE 14 - # ifdef OPENSSL_NO_DYNAMIC_ENGINE void engine_load_afalg_int(void); # endif @@ -371,10 +368,8 @@ static int afalg_create_sk(afalg_ctx *actx, const char *ciphertype, memset(, 0, sizeof(sa)); sa.salg_family = AF_ALG; -strncpy((char *) sa.salg_type, ciphertype, ALG_MAX_SALG_TYPE); -sa.salg_type[ALG_MAX_SALG_TYPE-1] = '\0'; -strncpy((char *) sa.salg_name, ciphername, ALG_MAX_SALG_NAME); -sa.salg_name[ALG_MAX_SALG_NAME-1] = '\0'; +OPENSSL_strlcpy((char *) sa.salg_type, ciphertype, sizeof(sa.salg_type)); +OPENSSL_strlcpy((char *) sa.salg_name, ciphername, sizeof(sa.salg_name)); actx->bfd = socket(AF_ALG, SOCK_SEQPACKET, 0); if (actx->bfd == -1) { @@ -503,7 +498,7 @@ static int afalg_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, int ciphertype; int ret; afalg_ctx *actx; -char ciphername[ALG_MAX_SALG_NAME]; +const char *ciphername; if (ctx == NULL || key == NULL) { ALG_WARN("%s(%d): Null Parameter\n", __FILE__, __LINE__); @@ -526,14 +521,13 @@ static int afalg_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, case NID_aes_128_cbc: case NID_aes_192_cbc: case NID_aes_256_cbc: -strncpy(ciphername, "cbc(aes)", ALG_MAX_SALG_NAME); +ciphername = "cbc(aes)"; break; default: ALG_WARN("%s(%d): Unsupported Cipher type %d\n", __FILE__, __LINE__, ciphertype); return 0; } -ciphername[ALG_MAX_SALG_NAME-1]='\0'; if (ALG_AES_IV_LEN != EVP_CIPHER_CTX_iv_length(ctx)) { ALG_WARN("%s(%d): Unsupported IV length :%d\n", __FILE__, __LINE__,
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2-method
Platform and configuration command: $ uname -a Linux run 4.15.0-54-generic #58-Ubuntu SMP Mon Jun 24 10:55:24 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_2-method Commit log since last time: e9a5932d04 Add weak platform independent PRNG to test framework. Build log ended with (last 100 lines): ../../openssl/test/recipes/70-test_bad_dtls.t . ok ../../openssl/test/recipes/70-test_clienthello.t .. ok ../../openssl/test/recipes/70-test_comp.t . ok ../../openssl/test/recipes/70-test_key_share.t ok ../../openssl/test/recipes/70-test_packet.t ... ok ../../openssl/test/recipes/70-test_recordlen.t ok ../../openssl/test/recipes/70-test_renegotiation.t skipped: test_renegotiation needs TLS <= 1.2 enabled ../../openssl/test/recipes/70-test_servername.t ... ok ../../openssl/test/recipes/70-test_sslcbcpadding.t skipped: test_sslcbcpadding needs TLSv1.2 enabled ../../openssl/test/recipes/70-test_sslcertstatus.t skipped: test_sslcertstatus needs TLS enabled ../../openssl/test/recipes/70-test_sslextension.t . Dubious, test returned 255 (wstat 65280, 0xff00) All 8 subtests passed (less 5 skipped subtests: 3 okay) ../../openssl/test/recipes/70-test_sslmessages.t .. skipped: test_sslmessages needs TLS enabled ../../openssl/test/recipes/70-test_sslrecords.t ... skipped: test_sslrecords needs TLSv1.2 enabled ../../openssl/test/recipes/70-test_sslsessiontick.t ... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled ../../openssl/test/recipes/70-test_sslsigalgs.t ... ok ../../openssl/test/recipes/70-test_sslsignature.t . ok ../../openssl/test/recipes/70-test_sslskewith0p.t . ok ../../openssl/test/recipes/70-test_sslversions.t .. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled ../../openssl/test/recipes/70-test_sslvertol.t ok ../../openssl/test/recipes/70-test_tls13alerts.t .. ok ../../openssl/test/recipes/70-test_tls13cookie.t .. ok ../../openssl/test/recipes/70-test_tls13downgrade.t ... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled ../../openssl/test/recipes/70-test_tls13hrr.t . ok ../../openssl/test/recipes/70-test_tls13kexmodes.t ok ../../openssl/test/recipes/70-test_tls13messages.t ok ../../openssl/test/recipes/70-test_tls13psk.t . ok ../../openssl/test/recipes/70-test_tlsextms.t . skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled ../../openssl/test/recipes/70-test_verify_extra.t . ok ../../openssl/test/recipes/70-test_wpacket.t .. ok ../../openssl/test/recipes/80-test_ca.t ... ok ../../openssl/test/recipes/80-test_cipherbytes.t .. ok ../../openssl/test/recipes/80-test_cipherlist.t ... ok ../../openssl/test/recipes/80-test_ciphername.t ... ok ../../openssl/test/recipes/80-test_cms.t .. ok ../../openssl/test/recipes/80-test_cmsapi.t ... ok ../../openssl/test/recipes/80-test_ct.t ... ok ../../openssl/test/recipes/80-test_dane.t . ok ../../openssl/test/recipes/80-test_dtls.t . ok ../../openssl/test/recipes/80-test_dtls_mtu.t . ok ../../openssl/test/recipes/80-test_dtlsv1listen.t . ok ../../openssl/test/recipes/80-test_ocsp.t . ok ../../openssl/test/recipes/80-test_pkcs12.t ... ok ../../openssl/test/recipes/80-test_ssl_new.t .. ok ../../openssl/test/recipes/80-test_ssl_old.t .. ok ../../openssl/test/recipes/80-test_ssl_test_ctx.t . ok ../../openssl/test/recipes/80-test_sslcorrupt.t ... ok ../../openssl/test/recipes/80-test_tsa.t .. ok ../../openssl/test/recipes/80-test_x509aux.t .. ok ../../openssl/test/recipes/90-test_asn1_time.t ok ../../openssl/test/recipes/90-test_async.t ok ../../openssl/test/recipes/90-test_bio_enc.t .. ok ../../openssl/test/recipes/90-test_bio_memleak.t .. ok ../../openssl/test/recipes/90-test_constant_time.t ok ../../openssl/test/recipes/90-test_fatalerr.t . ok ../../openssl/test/recipes/90-test_gmdiff.t ... ok ../../openssl/test/recipes/90-test_gost.t . skipped: TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build ../../openssl/test/recipes/90-test_ige.t .. ok ../../openssl/test/recipes/90-test_includes.t . ok ../../openssl/test/recipes/90-test_memleak.t .. ok
[web] master update
The branch master has been updated via e6ce68d75408edac4a22e85dc3af43444bc7fefc (commit) from e784301605e11bb68c60d0f8c8e0c0ce5520eb17 (commit) - Log - commit e6ce68d75408edac4a22e85dc3af43444bc7fefc Author: Richard Levitte Date: Tue Jul 30 15:20:38 2019 +0200 CVE-2019-1552 security advisory Reviewed-by: Mark J. Cox Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/134) --- Summary of changes: news/newsflash.txt | 1 + news/secadv/20190730.txt | 68 +++ news/vulnerabilities.xml | 83 +++- 3 files changed, 151 insertions(+), 1 deletion(-) create mode 100644 news/secadv/20190730.txt diff --git a/news/newsflash.txt b/news/newsflash.txt index 7a47756..491bee5 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,7 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +30-Jul-2019: Security Advisory: one low severity fix in Windows builds 28-May-2019: OpenSSL 1.1.1c is now available, including bug and security fixes 28-May-2019: OpenSSL 1.1.0k is now available, including bug and security fixes 28-May-2019: OpenSSL 1.0.2s is now available, including bug fixes diff --git a/news/secadv/20190730.txt b/news/secadv/20190730.txt new file mode 100644 index 000..0714a04 --- /dev/null +++ b/news/secadv/20190730.txt @@ -0,0 +1,68 @@ +OpenSSL Security Advisory [30 July 2019] + + +Windows builds with insecure path defaults (CVE-2019-1552) +== + +Severity: Low + +OpenSSL has internal defaults for a directory tree where it can find a +configuration file as well as certificates used for verification in +TLS. This directory is most commonly referred to as OPENSSLDIR, and +is configurable with the --prefix / --openssldir configuration options. + +For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets +assume that resulting programs and libraries are installed in a +Unix-like environment and the default prefix for program installation +as well as for OPENSSLDIR should be '/usr/local'. + +However, mingw programs are Windows programs, and as such, find +themselves looking at sub-directories of 'C:/usr/local', which may be +world writable, which enables untrusted users to modify OpenSSL's +default configuration, insert CA certificates, modify (or even +replace) existing engine modules, etc. + +For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR +on all Unix and Windows targets, including Visual C builds. However, +some build instructions for the diverse Windows targets on 1.0.2 +encourage you to specify your own --prefix. + +OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. +Due to the limited scope of affected deployments this has been +assessed as low severity and therefore we are not creating new +releases at this time. + +The mitigations are found in these commits: +- For 1.1.1, commit 54aa9d51b09d67e90db443f682cface795f5af9e +- For 1.1.0, commit e32bc855a81a2d48d215c506bdeb4f598045f7e9 and + b15a19c148384e73338aa7c5b12652138e35ed28 +- For 1.0.2, commit d333ebaf9c77332754a9d5e111e2f53e1de54fdd + +The 1.1.1 and 1.1.0 mitigation set more appropriate defaults for +mingw, while the 1.0.2 mitigation documents the issue and provides +enhanced examples. + +This issue was reported by Rich Mirth. The fix was developed by +Richard Levitte from the OpenSSL development team. It was reported to +OpenSSL on 9th Jun 2019. + +Note += + +OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. +Support for 1.0.2 will end on 31st December 2019. Support for 1.1.0 +will end on 11th September 2019. Users of these versions should +upgrade to OpenSSL 1.1.1. + + +Referenses +== + +URL for this Security Advisory: +https://www.openssl.org/news/secadv/20190730.txt + +Note: the online version of the advisory may be updated with additional details +over time. + +For details of OpenSSL severity classifications please see: +https://www.openssl.org/policies/secpolicy.html diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index f9949ce..e66f6d8 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -7,7 +7,88 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Insecure defaults +Windows builds with insecure path defaults + + OpenSSL has internal defaults for a directory tree where it can find
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2
Platform and configuration command: $ uname -a Linux run 4.15.0-54-generic #58-Ubuntu SMP Mon Jun 24 10:55:24 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_2 Commit log since last time: e9a5932d04 Add weak platform independent PRNG to test framework. Build log ended with (last 100 lines): ../../openssl/test/recipes/70-test_bad_dtls.t . ok ../../openssl/test/recipes/70-test_clienthello.t .. ok ../../openssl/test/recipes/70-test_comp.t . ok ../../openssl/test/recipes/70-test_key_share.t ok ../../openssl/test/recipes/70-test_packet.t ... ok ../../openssl/test/recipes/70-test_recordlen.t ok ../../openssl/test/recipes/70-test_renegotiation.t skipped: test_renegotiation needs TLS <= 1.2 enabled ../../openssl/test/recipes/70-test_servername.t ... ok ../../openssl/test/recipes/70-test_sslcbcpadding.t skipped: test_sslcbcpadding needs TLSv1.2 enabled ../../openssl/test/recipes/70-test_sslcertstatus.t skipped: test_sslcertstatus needs TLS enabled ../../openssl/test/recipes/70-test_sslextension.t . Dubious, test returned 255 (wstat 65280, 0xff00) All 8 subtests passed (less 5 skipped subtests: 3 okay) ../../openssl/test/recipes/70-test_sslmessages.t .. skipped: test_sslmessages needs TLS enabled ../../openssl/test/recipes/70-test_sslrecords.t ... skipped: test_sslrecords needs TLSv1.2 enabled ../../openssl/test/recipes/70-test_sslsessiontick.t ... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled ../../openssl/test/recipes/70-test_sslsigalgs.t ... ok ../../openssl/test/recipes/70-test_sslsignature.t . ok ../../openssl/test/recipes/70-test_sslskewith0p.t . ok ../../openssl/test/recipes/70-test_sslversions.t .. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled ../../openssl/test/recipes/70-test_sslvertol.t ok ../../openssl/test/recipes/70-test_tls13alerts.t .. ok ../../openssl/test/recipes/70-test_tls13cookie.t .. ok ../../openssl/test/recipes/70-test_tls13downgrade.t ... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled ../../openssl/test/recipes/70-test_tls13hrr.t . ok ../../openssl/test/recipes/70-test_tls13kexmodes.t ok ../../openssl/test/recipes/70-test_tls13messages.t ok ../../openssl/test/recipes/70-test_tls13psk.t . ok ../../openssl/test/recipes/70-test_tlsextms.t . skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled ../../openssl/test/recipes/70-test_verify_extra.t . ok ../../openssl/test/recipes/70-test_wpacket.t .. ok ../../openssl/test/recipes/80-test_ca.t ... ok ../../openssl/test/recipes/80-test_cipherbytes.t .. ok ../../openssl/test/recipes/80-test_cipherlist.t ... ok ../../openssl/test/recipes/80-test_ciphername.t ... ok ../../openssl/test/recipes/80-test_cms.t .. ok ../../openssl/test/recipes/80-test_cmsapi.t ... ok ../../openssl/test/recipes/80-test_ct.t ... ok ../../openssl/test/recipes/80-test_dane.t . ok ../../openssl/test/recipes/80-test_dtls.t . ok ../../openssl/test/recipes/80-test_dtls_mtu.t . ok ../../openssl/test/recipes/80-test_dtlsv1listen.t . ok ../../openssl/test/recipes/80-test_ocsp.t . ok ../../openssl/test/recipes/80-test_pkcs12.t ... ok ../../openssl/test/recipes/80-test_ssl_new.t .. ok ../../openssl/test/recipes/80-test_ssl_old.t .. ok ../../openssl/test/recipes/80-test_ssl_test_ctx.t . ok ../../openssl/test/recipes/80-test_sslcorrupt.t ... ok ../../openssl/test/recipes/80-test_tsa.t .. ok ../../openssl/test/recipes/80-test_x509aux.t .. ok ../../openssl/test/recipes/90-test_asn1_time.t ok ../../openssl/test/recipes/90-test_async.t ok ../../openssl/test/recipes/90-test_bio_enc.t .. ok ../../openssl/test/recipes/90-test_bio_memleak.t .. ok ../../openssl/test/recipes/90-test_constant_time.t ok ../../openssl/test/recipes/90-test_fatalerr.t . ok ../../openssl/test/recipes/90-test_gmdiff.t ... ok ../../openssl/test/recipes/90-test_gost.t . skipped: TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build ../../openssl/test/recipes/90-test_ige.t .. ok ../../openssl/test/recipes/90-test_includes.t . ok ../../openssl/test/recipes/90-test_memleak.t .. ok
Fixed: openssl/openssl#26960 (OpenSSL_1_1_0-stable - b15a19c)
Build Update for openssl/openssl - Build: #26960 Status: Fixed Duration: 16 mins and 27 secs Commit: b15a19c (OpenSSL_1_1_0-stable) Author: Richard Levitte Message: Makefile.shared: fix to allow strings and spaces in passed variables The previous change for mingw, which now defaults to OPENSSLDIR and ENGINESDIR definitions that include a space, a long standing issue was revealed again; our builds for Unix like environment were never very tolerant of spaces in these definitions, because the quotes were interpreted along the way. New analysis of Makefile.shared showed that our use of quotes in there wasn't quite right. A lot of double quotes could safely be replaced with single quotes, thus protecting the diverse values we pass down to this build file (remember that make variables are expanded before passing the command to the shell, unconditionally), reserving double quotes to the places where absolutely needed (to protect the expansion of shell variables to commands). CVE-2019-1552 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9469) View the changeset: https://github.com/openssl/openssl/compare/e32bc855a81a...b15a19c14838 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/565469821?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via b15a19c148384e73338aa7c5b12652138e35ed28 (commit) from e32bc855a81a2d48d215c506bdeb4f598045f7e9 (commit) - Log - commit b15a19c148384e73338aa7c5b12652138e35ed28 Author: Richard Levitte Date: Sat Jul 27 08:40:46 2019 +0200 Makefile.shared: fix to allow strings and spaces in passed variables The previous change for mingw, which now defaults to OPENSSLDIR and ENGINESDIR definitions that include a space, a long standing issue was revealed again; our builds for Unix like environment were never very tolerant of spaces in these definitions, because the quotes were interpreted along the way. New analysis of Makefile.shared showed that our use of quotes in there wasn't quite right. A lot of double quotes could safely be replaced with single quotes, thus protecting the diverse values we pass down to this build file (remember that make variables are expanded before passing the command to the shell, unconditionally), reserving double quotes to the places where absolutely needed (to protect the expansion of shell variables to commands). CVE-2019-1552 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9469) --- Summary of changes: Makefile.shared | 116 1 file changed, 58 insertions(+), 58 deletions(-) diff --git a/Makefile.shared b/Makefile.shared index 4f9550aaf1..f7d2ffccc3 100644 --- a/Makefile.shared +++ b/Makefile.shared @@ -98,20 +98,20 @@ top: LINK_APP= \ ( $(SET_X); \ -LIBDEPS="$${LIBDEPS:-$(LIBDEPS)}"; \ -LDCMD="$${LDCMD:-$(CC)}"; LDFLAGS="$${LDFLAGS:-$(CFLAGS) $(LDFLAGS)}"; \ +LIBDEPS=$${LIBDEPS:-'$(LIBDEPS)'}; \ +LDCMD=$${LDCMD:-'$(CC)'}; LDFLAGS=$${LDFLAGS:-'$(CFLAGS) $(LDFLAGS)'}; \ LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \ LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \ echo LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \ $${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS}; \ LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \ -$${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS} ) +eval "$${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS}" ) LINK_SO= \ ( $(SET_X); \ -LIBDEPS="$${LIBDEPS:-$(LIBDEPS)}"; \ -SHAREDCMD="$${SHAREDCMD:-$(CC)}"; \ -SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \ +LIBDEPS=$${LIBDEPS:-'$(LIBDEPS)'}; \ +SHAREDCMD=$${SHAREDCMD:-'$(CC)'}; \ +SHAREDFLAGS=$${SHAREDFLAGS:-'$(CFLAGS) $(SHARED_LDFLAGS)'}; \ LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \ LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \ echo LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \ @@ -119,23 +119,23 @@ LINK_SO= \ -o $(SHLIBNAME_FULL) \ $$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS; \ LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \ -$${SHAREDCMD} $${SHAREDFLAGS} \ +eval "$${SHAREDCMD} $${SHAREDFLAGS} \ -o $(SHLIBNAME_FULL) \ - $$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \ + $$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS" \ ) && $(SYMLINK_SO) SYMLINK_SO=\ if [ -n "$$INHIBIT_SYMLINKS" ]; then :; else \ - if [ -n "$(SHLIBNAME_FULL)" -a -n "$(SHLIBNAME)" -a \ -"$(SHLIBNAME_FULL)" != "$(SHLIBNAME)" ]; then \ + if [ -n '$(SHLIBNAME_FULL)' -a -n '$(SHLIBNAME)' -a \ +'$(SHLIBNAME_FULL)' != '$(SHLIBNAME)' ]; then \ ( $(SET_X); \ rm -f $(SHLIBNAME); \ ln -s $(SHLIBNAME_FULL) $(SHLIBNAME) ); \ fi; \ fi -LINK_SO_SHLIB= SHOBJECTS="$(STLIBNAME) $(LIBEXTRAS)"; $(LINK_SO) -LINK_SO_DSO= INHIBIT_SYMLINKS=yes; SHOBJECTS="$(LIBEXTRAS)"; $(LINK_SO) +LINK_SO_SHLIB= SHOBJECTS='$(STLIBNAME) $(LIBEXTRAS)'; $(LINK_SO) +LINK_SO_DSO= INHIBIT_SYMLINKS=yes; SHOBJECTS='$(LIBEXTRAS)'; $(LINK_SO) LINK_SO_SHLIB_VIA_O= \ SHOBJECTS=$(STLIBNAME).o; \ @@ -147,21 +147,21 @@ LINK_SO_SHLIB_VIA_O= \ LINK_SO_SHLIB_UNPACKED=\ UNPACKDIR=link_tmp.; rm -rf $$UNPACKDIR; mkdir $$UNPACKDIR; \ (cd $$UNPACKDIR; ar x ../$(STLIBNAME)) && \ - ([ -z "$(LIBEXTRAS)" ] || cp $(LIBEXTRAS) $$UNPACKDIR) && \ + ([ -z '$(LIBEXTRAS)' ] || cp $(LIBEXTRAS) $$UNPACKDIR) && \ SHOBJECTS=$$UNPACKDIR/*.o; \ $(LINK_SO) && rm -rf $$UNPACKDIR DETECT_GNU_LD=($(CC) -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null DO_GNU_SO_COMMON=\ - SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$(SHLIBNAME_FULL)" +
[openssl] master update
The branch master has been updated via 11dbdc0714b117fcac4af59d61184b0770fcee7e (commit) from d753cc333d941d0990ce74821c80b0bfb81e10dc (commit) - Log - commit 11dbdc0714b117fcac4af59d61184b0770fcee7e Author: Matt Caswell Date: Thu Jul 25 11:55:00 2019 +0100 Document the provider CIPHER operation Extends the existing provider documentation with information about the CIPHER operation. This is primarily for provider authors. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/9473) --- Summary of changes: crypto/evp/evp_enc.c | 5 +- doc/man3/EVP_EncryptInit.pod | 7 +- doc/man7/provider-cipher.pod | 316 +++ 3 files changed, 323 insertions(+), 5 deletions(-) create mode 100644 doc/man7/provider-cipher.pod diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index 0873bae81a..b2c0a260e6 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -1216,9 +1216,8 @@ static void *evp_cipher_from_dispatch(const char *name, /* * In order to be a consistent set of functions we must have at least * a complete set of "encrypt" functions, or a complete set of "decrypt" - * functions, or a single "cipher" function. In all cases we need a - * complete set of context management functions, as well as the - * blocksize, iv_length and key_length functions. + * functions, or a single "cipher" function. In all cases we need both + * the "newctx" and "freectx" functions. */ EVP_CIPHER_meth_free(cipher); EVPerr(EVP_F_EVP_CIPHER_FROM_DISPATCH, EVP_R_INVALID_PROVIDER_FUNCTIONS); diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod index 43ed7f90c2..083bba7996 100644 --- a/doc/man3/EVP_EncryptInit.pod +++ b/doc/man3/EVP_EncryptInit.pod @@ -278,8 +278,11 @@ an B structure. EVP_CIPHER_mode() and EVP_CIPHER_CTX_mode() return the block cipher mode: EVP_CIPH_ECB_MODE, EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE, EVP_CIPH_CTR_MODE, EVP_CIPH_GCM_MODE, EVP_CIPH_CCM_MODE, EVP_CIPH_XTS_MODE, -EVP_CIPH_WRAP_MODE or EVP_CIPH_OCB_MODE. If the cipher is a stream cipher then -EVP_CIPH_STREAM_CIPHER is returned. +EVP_CIPH_WRAP_MODE, EVP_CIPH_OCB_MODE or EVP_CIPH_SIV_MODE. If the cipher is a +stream cipher then EVP_CIPH_STREAM_CIPHER is returned. + +EVP_CIPHER_flags() returns any flags associated with the cipher. See +EVP_CIPHER_meth_set_flags() for a list of currently defined flags. EVP_CIPHER_param_to_asn1() sets the AlgorithmIdentifier "parameter" based on the passed cipher. This will typically include any parameters and an diff --git a/doc/man7/provider-cipher.pod b/doc/man7/provider-cipher.pod new file mode 100644 index 00..08cfebfb25 --- /dev/null +++ b/doc/man7/provider-cipher.pod @@ -0,0 +1,316 @@ +=pod + +=head1 NAME + +provider-cipher - The cipher library E-E provider functions + +=head1 SYNOPSIS + +=for comment multiple includes + + #include + #include + + /* + * None of these are actual functions, but are displayed like this for + * the function signatures for functions that are offered as function + * pointers in OSSL_DISPATCH arrays. + */ + + /* Context management */ + void *OP_cipher_newctx(void *provctx); + void OP_cipher_freectx(void *cctx); + void *OP_cipher_dupctx(void *cctx); + + /* Encryption/decryption */ + int OP_cipher_encrypt_init(void *cctx, const unsigned char *key, +size_t keylen, const unsigned char *iv, +size_t ivlen); + int OP_cipher_decrypt_init(void *cctx, const unsigned char *key, +size_t keylen, const unsigned char *iv, +size_t ivlen); + int OP_cipher_update(void *cctx, unsigned char *out, size_t *outl, + size_t outsize, const unsigned char *in, size_t inl); + int OP_cipher_final(void *cctx, unsigned char *out, size_t *outl, + size_t outsize); + int OP_cipher_cipher(void *cctx, unsigned char *out, size_t *outl, + size_t outsize, const unsigned char *in, size_t inl); + + /* Cipher parameters */ + int OP_cipher_get_params(OSSL_PARAM params[]); + int OP_cipher_ctx_get_params(void *cctx, OSSL_PARAM params[]); + int OP_cipher_ctx_set_params(void *cctx, const OSSL_PARAM params[]); + +=head1 DESCRIPTION + +This documentation is primarily aimed at provider authors. See L +for further information. + +The CIPHER operation enables providers to implement cipher algorithms and make +them available to applications via the API functions L, +L and L (as well as the decrypt +equivalents and other related functions). + +All "functions" mentioned here are passed as function pointers between +F and the provider in B arrays via +B arrays that
[openssl] master update
The branch master has been updated via d753cc333d941d0990ce74821c80b0bfb81e10dc (commit) from 10f8b36874fca928c3f41834babac8ee94dd3f09 (commit) - Log - commit d753cc333d941d0990ce74821c80b0bfb81e10dc Author: Pauli Date: Sun Jul 28 18:21:07 2019 +1000 Fix coverity 1452084 Fix coverity 1452083 Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/9470) --- Summary of changes: providers/common/exchange/dh_exch.c | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/providers/common/exchange/dh_exch.c b/providers/common/exchange/dh_exch.c index 439b28a27e..b4bfd5f419 100644 --- a/providers/common/exchange/dh_exch.c +++ b/providers/common/exchange/dh_exch.c @@ -42,22 +42,22 @@ static int dh_init(void *vpdhctx, void *vdh) { PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx; +if (pdhctx == NULL || vdh == NULL || !DH_up_ref(vdh)) +return 0; DH_free(pdhctx->dh); pdhctx->dh = vdh; -DH_up_ref(pdhctx->dh); - -return pdhctx->dh != NULL; +return 1; } static int dh_set_peer(void *vpdhctx, void *vdh) { PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx; +if (pdhctx == NULL || vdh == NULL || !DH_up_ref(vdh)) +return 0; DH_free(pdhctx->dhpeer); pdhctx->dhpeer = vdh; -DH_up_ref(pdhctx->dhpeer); - -return pdhctx->dhpeer != NULL; +return 1; } static int dh_derive(void *vpdhctx, unsigned char *key, size_t *keylen,
Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared
Platform and configuration command: $ uname -a Linux run 4.15.0-54-generic #58-Ubuntu SMP Mon Jun 24 10:55:24 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared Commit log since last time: e9a5932d04 Add weak platform independent PRNG to test framework. Build log ended with (last 100 lines): /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/common/digests/sha3_prov.c:110: undefined reference to `__afl_area_ptr' providers/fips/fips-dso-fipsprov.o: In function `ossl_prov_util_nid_to_name': /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:171: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:171: undefined reference to `__afl_area_ptr' /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:206: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:188: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:182: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:214: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:221: undefined reference to `__afl_prev_loc' providers/fips/fips-dso-fipsprov.o:/home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:212: more undefined references to `__afl_prev_loc' follow providers/fips/fips-dso-fipsprov.o: In function `OSSL_provider_init': /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:293: undefined reference to `__afl_area_ptr' /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:297: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:290: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:301: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:307: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:310: undefined reference to `__afl_prev_loc' providers/fips/fips-dso-fipsprov.o:/home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:313: more undefined references to `__afl_prev_loc' follow providers/fips/fips-dso-fipsprov.o: In function `fips_intern_provider_init': /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:386: undefined reference to `__afl_area_ptr' /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:391: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:391: undefined reference to `__afl_prev_loc' providers/fips/fips-dso-fipsprov.o: In function `OSSL_get_core_get_library_context': /home/openssl/run-checker/enable-fuzz-afl/../openssl/include/openssl/core_numbers.h:77: undefined reference to `__afl_prev_loc' providers/fips/fips-dso-fipsprov.o: In function `fips_intern_provider_init': /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:403: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:406: undefined reference to `__afl_prev_loc' providers/fips/fips-dso-fipsprov.o:/home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:415: more undefined references to `__afl_prev_loc' follow providers/fips/fips-dso-fipsprov.o: In function `ERR_put_error': /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:419: undefined reference to `__afl_area_ptr' providers/fips/fips-dso-fipsprov.o: In function `ERR_add_error_data': /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:431: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:431: undefined reference to `__afl_area_ptr' providers/fips/fips-dso-fipsprov.o: In function `ERR_add_error_vdata': /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:439: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:439: undefined reference to `__afl_area_ptr' providers/fips/fips-dso-fipsprov.o: In function `FIPS_get_provider': /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:444: undefined reference to `__afl_prev_loc' /home/openssl/run-checker/enable-fuzz-afl/../openssl/providers/fips/fipsprov.c:444: undefined reference to `__afl_area_ptr'