Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-posix-io
Platform and configuration command: $ uname -a Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-posix-io Commit log since last time: cfae32c69a [test][ectest] Minor touches to custom_generator_test f5384f064e [test] Vertically test explicit EC params API patterns 79410c5f8b namemap: fix threading issue 5cd9962272 Fix a test_verify failure ef8980176d Deprecate -nodes in favor of -noenc in pkcs12 and req app 846f96f821 TEST: Add RSA-PSS cases in test/serdes_test.c a4e559 PROV: Add a DER to RSA-PSS deserializer implementation 456b3b97a4 EVP, PROV: Add misc missing bits for RSA-PSS 51d9ac870a Fix no-ec2m Build log ended with (last 100 lines):
Build completed: openssl OpenSSL_1_1_1-stable.35894
Build openssl OpenSSL_1_1_1-stable.35894 completed Commit 5e50448360 by Norman Ashley on 7/31/2020 3:21 AM: Update ecdh_kdf.c
Build failed: openssl OpenSSL_1_1_1-stable.35893
Build openssl OpenSSL_1_1_1-stable.35893 failed Commit 72eff81a06 by Norman Ashley on 7/31/2020 2:22 AM: Update ecdh_kdf.c
Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module
Platform and configuration command: $ uname -a Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: cfae32c69a [test][ectest] Minor touches to custom_generator_test f5384f064e [test] Vertically test explicit EC params API patterns 79410c5f8b namemap: fix threading issue 5cd9962272 Fix a test_verify failure ef8980176d Deprecate -nodes in favor of -noenc in pkcs12 and req app 846f96f821 TEST: Add RSA-PSS cases in test/serdes_test.c a4e559 PROV: Add a DER to RSA-PSS deserializer implementation 456b3b97a4 EVP, PROV: Add misc missing bits for RSA-PSS 51d9ac870a Fix no-ec2m Build log ended with (last 100 lines): ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock credentials' -proxy '' -no_proxy 127.0.0.1 -cert "" -key "" -keypass "" -unprotected_requests => 0 not ok 38 - unprotected request # -- # Failed test 'unprotected request' # at ../openssl/test/recipes/81-test_cmp_cli.t line 182. # Looks like you failed 3 tests of 38. 
not ok 5 - CMP app CLI Mock credentials # -- OPENSSL_FUNC:../openssl/apps/cmp.c:3119:CMP info: received from 127.0.0.1 PKIStatus: accepted # OPENSSL_FUNC:../openssl/apps/cmp.c:2895:CMP info: using OpenSSL configuration file '../Mock/test.cnf' # OPENSSL_FUNC:../openssl/apps/cmp.c:2501:CMP warning: argument of -proxy option is empty string, resetting option # OPENSSL_FUNC:../openssl/apps/cmp.c:2112:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:172:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:190:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:172:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:190:CMP info: received PKICONF # OPENSSL_FUNC:../openssl/apps/cmp.c:2276:CMP info: received 1 enrolled certificate(s), saving to file 'test.cert.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 0 -certout test.cert.pem -out_trusted root.crt => 0 not ok 43 - popo RAVERIFIED # -- OPENSSL_FUNC:../openssl/apps/cmp.c:3119:CMP info: received from 127.0.0.1 PKIStatus: accepted # OPENSSL_FUNC:../openssl/apps/cmp.c:2895:CMP info: using OpenSSL configuration file '../Mock/test.cnf' # OPENSSL_FUNC:../openssl/apps/cmp.c:2501:CMP warning: argument of -proxy option is empty string, resetting option # OPENSSL_FUNC:../openssl/apps/cmp.c:2112:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:172:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:190:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:172:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:190:CMP info: received PKICONF # 
OPENSSL_FUNC:../openssl/apps/cmp.c:2276:CMP info: received 1 enrolled certificate(s), saving to file 'test.cert.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout test.cert.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # -- # Failed test 'popo NONE' # at ../openssl/test/recipes/81-test_cmp_cli.t line 182. OPENSSL_FUNC:../openssl/apps/cmp.c:3119:CMP info: received from 127.0.0.1 PKIStatus: accepted # OPENSSL_FUNC:../openssl/apps/cmp.c:2895:CMP info: using OpenSSL configuration file '../Mock/test.cnf' # OPENSSL_FUNC:../openssl/apps/cmp.c:2501:CMP warning: argument of -proxy option is empty string, resetting option # OPENSSL_FUNC:../openssl/apps/cmp.c:2112:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:172:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:190:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:172:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:190:CMP info: received PKICONF # OPENSSL_FUNC:../openssl/apps/cmp.c:2276:CMP info: received 1 enrolled certificate(s), saving to file 'test.cert.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via ea7a58a60659d12d102ec78af4d6c3e589347150 (commit) from 6328d3673fabc336e3064368d855c2d1153ef54c (commit) - Log - commit ea7a58a60659d12d102ec78af4d6c3e589347150 Author: Matt Caswell Date: Tue Jul 28 15:28:06 2020 +0100 Fix a test_verify failure A recently added certificate in test/certs expired causing test_verify to fail. This add a replacement certificate with a long expiry date. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/12561) --- Summary of changes: test/certs/ee-self-signed.pem | 33 + test/certs/setup.sh | 2 +- 2 files changed, 18 insertions(+), 17 deletions(-) diff --git a/test/certs/ee-self-signed.pem b/test/certs/ee-self-signed.pem index ad1e37ba0e..e854c9ad27 100644 --- a/test/certs/ee-self-signed.pem +++ b/test/certs/ee-self-signed.pem 
@@ -1,18 +1,19 @@ -BEGIN CERTIFICATE- -MIICzzCCAbegAwIBAgIUBP7iEKPlKuinZGQNFxSY3IBIb0swDQYJKoZIhvcNAQEL -BQAwGTEXMBUGA1UEAwwOZWUtc2VsZi1zaWduZWQwHhcNMjAwNjI4MTA1MTQ1WhcN -MjAwNzI4MTA1MTQ1WjAZMRcwFQYDVQQDDA5lZS1zZWxmLXNpZ25lZDCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKj/iVhhha7e2ywP1XP74reoG3p1YCvU -fTxzdrWu3pMvfySQbckc9Io4zZ+igBZWy7Qsu5PlFx//DcZD/jE0+CjYdemju4iC -76Ny4lNiBUVN4DGX76qdENJYDZ4GnjK7GwhWXWUPP2aOwjagEf/AWTX9SRzdHEIz -BniuBDgj5ed1Z9OUrVqpQB+sWRD1DMFkrUrExjVTs5ZqghsVi9GZq+Seb5Sq0pbl -V/uMkWSKPCQWxtIZvoJgEztisO0+HbPK+WvfMbl6nktHaKcpxz9K4iIntO+QY9fv -0HJJPlutuRvUK2+GaN3VcxK4Q8ncQQ+io0ZPi2eIhA9h/nk0H0qJH7cCAwEAAaMP -MA0wCwYDVR0PBAQDAgeAMA0GCSqGSIb3DQEBCwUAA4IBAQBiLmIUCGb+hmRGbmpO -lDqEwiRVdxHBs4OSb3IA9QgU1QKUDRqn7q27RRelmzTXllubZZcX3K6o+dunRW5G -d3f3FVr+3Z7wnmkQtC2y3NWtGuWNczss+6rMLzKvla5CjRiNPlSvluMNpcs7BJxI -ppk1LxlaiYlQkDW32OPyxzXWDNv1ZkphcOcoCkHAagnq9x1SszvLTjAlo5XpYrm5 -CPgBOEnVwFCgne5Ab4QPTgkxPh/Ta508I/FKaPLJqci1EfGKipZkS7mMGTUJEeVK -wZrn4z7RiTfJ4PdqO5iv8eOpt03fqdPEXQWe8DrKyfGM6/e369FaXMFhcd2ZxZy2 -WHoc +MIIDIjCCAgqgAwIBAgIUT99h/YrAdcDg3fdLy5UajB8e994wDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAwwOZWUtc2VsZi1zaWduZWQwIBcNMjAwNzI4MTQxNjA4WhgP +MjEyMDA3MDQxNDE2MDhaMBkxFzAVBgNVBAMMDmVlLXNlbGYtc2lnbmVkMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqP+JWGGFrt7bLA/Vc/vit6gbenVg +K9R9PHN2ta7eky9/JJBtyRz0ijjNn6KAFlbLtCy7k+UXH/8NxkP+MTT4KNh16aO7 +iILvo3LiU2IFRU3gMZfvqp0Q0lgNngaeMrsbCFZdZQ8/Zo7CNqAR/8BZNf1JHN0c +QjMGeK4EOCPl53Vn05StWqlAH6xZEPUMwWStSsTGNVOzlmqCGxWL0Zmr5J5vlKrS +luVX+4yRZIo8JBbG0hm+gmATO2Kw7T4ds8r5a98xuXqeS0dopynHP0riIie075Bj +1+/Qckk+W625G9Qrb4Zo3dVzErhDydxBD6KjRk+LZ4iED2H+eTQfSokftwIDAQAB +o2AwXjAdBgNVHQ4EFgQU55viKq2KbDrLdlHljgeYIpfhc6IwHwYDVR0jBBgwFoAU +55viKq2KbDrLdlHljgeYIpfhc6IwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMC +B4AwDQYJKoZIhvcNAQELBQADggEBAGDEbS5kJArjjQNK02oxhQyz1dbDy23evRxm +WW/NtlJAQAgEMXoNo9fioj0L4cvDy40r87V6/RsV2eijwZEfwGloACif7v78w8QO +h4XiW9oGxcQkdMIYZLDVW9AZPDIkK5NHNfQaeAxCprAufYnRMv035UotLzCBRrkG 
+G2TIs45vRp/6mYFVtm0Nf9CFvu4dXH8W+GlBONG0FAiBW+JzgTr9OmrzfqJTEDrf +vv/hOiu8XvvlF5piPBqKE76rEvkXUSjgDZ2/Ju1fjqpV2I8Hz1Mj9w9tRE8g4E9o +ZcRXX3MNPaHxnNhgYSPdpywwkyILz2AHwmAzh07cdttRFFPw+fM= -END CERTIFICATE- diff --git a/test/certs/setup.sh b/test/certs/setup.sh index 7e40f65b68..57fca3f448 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -186,7 +186,7 @@ OPENSSL_KEYBITS=768 \ ./mkcert.sh genee server.example ee-key-768 ee-cert-768 ca-key ca-cert # self-signed end-entity cert with explicit keyUsage not including KeyCertSign -openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext keyUsage=digitalSignature +openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext keyUsage=digitalSignature -days 36500 # Proxy certificates, off of ee-client # Start with some good ones
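Review bot: In the test/certs/setup.sh hunk, the only change to the `openssl req` line is `-days 36500`, yet the regenerated ee-self-signed.pem goes from 18 to 19 lines (`@@ -1,18 +1,19 @@`), so the new certificate differs from the old one in more than its validity period. The command passes no -config, so unless the environment supplies one, whatever else ends up in the certificate depends on the defaults of the openssl that generated it. Consider pinning the configuration or noting it in the comment above the command, so the file can be reproduced and still matches its stated purpose (explicit keyUsage not including KeyCertSign). A short comment on why 36500 days was chosen would also help the next reader.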
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-ui-console
Platform and configuration command: $ uname -a Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-ui-console Commit log since last time: cfae32c69a [test][ectest] Minor touches to custom_generator_test f5384f064e [test] Vertically test explicit EC params API patterns 79410c5f8b namemap: fix threading issue 5cd9962272 Fix a test_verify failure ef8980176d Deprecate -nodes in favor of -noenc in pkcs12 and req app 846f96f821 TEST: Add RSA-PSS cases in test/serdes_test.c a4e559 PROV: Add a DER to RSA-PSS deserializer implementation 456b3b97a4 EVP, PROV: Add misc missing bits for RSA-PSS 51d9ac870a Fix no-ec2m Build log ended with (last 100 lines): # Failed test 'p10cr csr empty file' # at ../openssl/test/recipes/81-test_cmp_cli.t line 182. ../../../../../no-ui-console/util/wrap.pl ../../../../../no-ui-console/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd p10cr -newkey new.key -newkeypass 'pass:' -certout test.cert.pem -out_trusted root.crt -csr wrong.csr.pem => 139 not ok 78 - p10cr wrong csr # -- # Failed test 'p10cr wrong csr' # at ../openssl/test/recipes/81-test_cmp_cli.t line 182. ../../../../../no-ui-console/util/wrap.pl ../../../../../no-ui-console/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -certout test.cert.pem -out_trusted root.crt -revreason 5 => 139 not ok 79 - ir + ignored revocation # -- ../../../../../no-ui-console/util/wrap.pl ../../../../../no-ui-console/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd cr -newkey new.key -newkeypass 'pass:' -certout test.cert.pem -out_trusted root.crt => 139 not ok 82 - cr command # -- # Failed test 'cr command' # at ../openssl/test/recipes/81-test_cmp_cli.t line 182. 
../../../../../no-ui-console/util/wrap.pl ../../../../../no-ui-console/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd kur -newkey new.key -newkeypass 'pass:' -certout test.cert.pem -out_trusted root.crt -oldcert test.cert.pem -server '127.0.0.1:1700' -cert test.cert.pem -key new.key -extracerts issuing.crt => 139 not ok 83 - kur command explicit options # -- # Failed test 'kur command explicit options' # at ../openssl/test/recipes/81-test_cmp_cli.t line 182. ../../../../../no-ui-console/util/wrap.pl ../../../../../no-ui-console/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd kur -subject "" -certout test.cert.pem -oldcert test.cert.pem -server '127.0.0.1:1700' -cert test.cert.pem -key new.key -extracerts issuing.crt -secret "" => 139 not ok 84 - kur command minimal options # -- ../../../../../no-ui-console/util/wrap.pl ../../../../../no-ui-console/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd kur -newkey dir/ -newkeypass 'pass:' -certout test.cert.pem -out_trusted root.crt -oldcert test.cert.pem -server '127.0.0.1:1700' => 139 not ok 86 - kur newkey is directory # -- ../../../../../no-ui-console/util/wrap.pl ../../../../../no-ui-console/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd kur -newkey new.key -newkeypass 'pass:' -certout test.cert.pem -out_trusted root.crt -oldcert dir/ -server '127.0.0.1:1700' => 139 not ok 89 - kur oldcert is directory # -- # Failed test 'kur oldcert is directory' # at ../openssl/test/recipes/81-test_cmp_cli.t line 182. 
../../../../../no-ui-console/util/wrap.pl ../../../../../no-ui-console/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd kur -newkey new.key -newkeypass 'pass:' -certout test.cert.pem -out_trusted root.crt -oldcert idontexist -server '127.0.0.1:1700' => 139 not ok 90 - kur oldcert not existing # -- # Failed test 'kur oldcert not existing' # at ../openssl/test/recipes/81-test_cmp_cli.t line 182. ../../../../../no-ui-console/util/wrap.pl ../../../../../no-ui-console/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock
Still Failing: openssl/openssl#36429 (master - 1202de4)
Build Update for openssl/openssl - Build: #36429 Status: Still Failing Duration: 57 mins and 33 secs Commit: 1202de4 (master) Author: Dr. David von Oheimb Message: Add OSSL_CMP_MSG_write(), use it in apps/cmp.c Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/12421) View the changeset: https://github.com/openssl/openssl/compare/a3f15e237c03...1202de4481df View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/177854113?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.com/account/preferences/unsubscribe?repository=13885459_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.com/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] master update
The branch master has been updated via 1202de4481df88d63a2a5cc1e9e0450a7e72f4ac (commit) via fafa56a14fc4787060818715c151e1ef7b25e72f (commit) via 87d20a96510ecc78068865423e0fa127d17486de (commit) from a3f15e237c0325718f488ebf9a242c031f4f864e (commit) - Log - commit 1202de4481df88d63a2a5cc1e9e0450a7e72f4ac Author: Dr. David von Oheimb Date: Sat Jul 11 12:26:22 2020 +0200 Add OSSL_CMP_MSG_write(), use it in apps/cmp.c Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/12421) commit fafa56a14fc4787060818715c151e1ef7b25e72f Author: Dr. David von Oheimb Date: Sat Jul 11 11:36:48 2020 +0200 Export ossl_cmp_msg_load() as OSSL_CMP_MSG_read(), use it in apps/cmp.c Fixes #12403 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/12421) commit 87d20a96510ecc78068865423e0fa127d17486de Author: Dr. David von Oheimb Date: Sat Jul 11 11:21:06 2020 +0200 apps/cmp.c: Improve documentation of -recipient option Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/12421) --- Summary of changes: apps/cmp.c| 24 +--- crypto/cmp/cmp_local.h| 1 - crypto/cmp/cmp_msg.c | 24 ++-- doc/internal/man3/ossl_cmp_msg_create.pod | 5 - doc/man1/openssl-cmp.pod.in | 3 ++- doc/man3/OSSL_CMP_MSG_get0_header.pod | 17 +++-- include/openssl/cmp.h | 2 ++ test/cmp_testlib.c| 2 +- util/libcrypto.num| 2 ++ 9 files changed, 49 insertions(+), 31 deletions(-) diff --git a/apps/cmp.c b/apps/cmp.c index 17b5bed6ff..e5f72cbea7 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -321,7 +321,7 @@ const OPTIONS cmp_options[] = { {OPT_MORE_STR, 0, 0, "also used as reference (defaulting to -cert) for subject DN and SANs."}, {OPT_MORE_STR, 0, 0, - "Its issuer is used as recipient unless -srvcert, -recipient or -issuer given"}, + "Its issuer is used as recipient unless -recipient, -srvcert, or -issuer given"}, {"revreason", OPT_REVREASON, 'n', "Reason code to include in revocation request (rr); possible values:"}, {OPT_MORE_STR, 0, 0, 
@@ -354,7 +354,7 @@ const OPTIONS cmp_options[] = { {"srvcert", OPT_SRVCERT, 's', "Server cert to pin and trust directly when verifying signed CMP responses"}, {"recipient", OPT_RECIPIENT, 's', - "Distinguished Name (DN) to use as msg recipient; see man page for defaults"}, + "DN of CA. Default: subject of -srvcert, -issuer, issuer of -oldcert or -cert"}, {"expect_sender", OPT_EXPECT_SENDER, 's', "DN of expected sender of responses. Defaults to subject of -srvcert, if any"}, {"ignore_keyusage", OPT_IGNORE_KEYUSAGE, '-', @@ -934,7 +934,6 @@ static X509_STORE *sk_X509_to_store(X509_STORE *store /* may be NULL */, static int write_PKIMESSAGE(const OSSL_CMP_MSG *msg, char **filenames) { char *file; -BIO *bio; if (msg == NULL || filenames == NULL) { CMP_err("NULL arg to write_PKIMESSAGE"); @@ -947,17 +946,10 @@ static int write_PKIMESSAGE(const OSSL_CMP_MSG *msg, char **filenames) file = *filenames; *filenames = next_item(file); -bio = BIO_new_file(file, "wb"); -if (bio == NULL) { -CMP_err1("Cannot open file '%s' for writing", file); -return 0; -} -if (i2d_OSSL_CMP_MSG_bio(bio, msg) < 0) { +if (OSSL_CMP_MSG_write(file, msg) < 0) { CMP_err1("Cannot write PKIMessage to file '%s'", file); -BIO_free(bio); return 0; } -BIO_free(bio); return 1; } @@ -965,7 +957,6 @@ static int write_PKIMESSAGE(const OSSL_CMP_MSG *msg, char **filenames) static OSSL_CMP_MSG *read_PKIMESSAGE(char **filenames) { char *file; -BIO *bio; OSSL_CMP_MSG *ret; if (filenames == NULL) { @@ -979,15 +970,10 @@ static OSSL_CMP_MSG *read_PKIMESSAGE(char **filenames) file = *filenames; *filenames = next_item(file); -bio = BIO_new_file(file, "rb"); -if (bio == NULL) { -CMP_err1("Cannot open file '%s' for reading", file); -return NULL; -} -ret = d2i_OSSL_CMP_MSG_bio(bio, NULL); + +ret = OSSL_CMP_MSG_read(file); if (ret == NULL) CMP_err1("Cannot read PKIMessage from file '%s'", file); -BIO_free(bio); return ret; } diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h index 92f192bb5f..4e33fd339c 100644 
--- a/crypto/cmp/cmp_local.h +++ b/crypto/cmp/cmp_local.h @@ -896,7 +896,6 @@ ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm, int rid); X509
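Review bot: In write_PKIMESSAGE() in apps/cmp.c, the new check `if (OSSL_CMP_MSG_write(file, msg) < 0)` folds the former open failure and the former encode failure into one path, so "Cannot open file '%s' for writing" is no longer reported and an unwritable path now yields only "Cannot write PKIMessage to file '%s'". Please confirm that OSSL_CMP_MSG_write() is documented to return a negative value for every failure, including failure to open the file, because a 0 return would be treated as success here.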
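Review bot: The read_PKIMESSAGE() hunk in apps/cmp.c adds an empty `+` line before `ret = OSSL_CMP_MSG_read(file);` that looks unintended and can be dropped. As on the write path, a missing file and a malformed message now both end in "Cannot read PKIMessage from file '%s'", so consider whether OSSL_CMP_MSG_read() should leave an error on the queue that tells the two apart.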
Still Failing: openssl/openssl#36425 (master - a3f15e2)
Build Update for openssl/openssl - Build: #36425 Status: Still Failing Duration: 1 hr, 30 mins, and 34 secs Commit: a3f15e2 (master) Author: Pauli Message: deserialisation: add deserialisation to the base provider Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/12104) View the changeset: https://github.com/openssl/openssl/compare/adf3f83e5227...a3f15e237c03 View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/19604?utm_medium=notification_source=email
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-err
Platform and configuration command: $ uname -a Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-err Commit log since last time: cfae32c69a [test][ectest] Minor touches to custom_generator_test f5384f064e [test] Vertically test explicit EC params API patterns 79410c5f8b namemap: fix threading issue 5cd9962272 Fix a test_verify failure ef8980176d Deprecate -nodes in favor of -noenc in pkcs12 and req app 846f96f821 TEST: Add RSA-PSS cases in test/serdes_test.c a4e559 PROV: Add a DER to RSA-PSS deserializer implementation 456b3b97a4 EVP, PROV: Add misc missing bits for RSA-PSS 51d9ac870a Fix no-ec2m Build log ended with (last 100 lines): 65-test_cmp_status.t ... ok 65-test_cmp_vfy.t .. ok 70-test_asyncio.t .. ok 70-test_bad_dtls.t . ok 70-test_clienthello.t .. ok 70-test_comp.t . ok 70-test_key_share.t ok 70-test_packet.t ... ok 70-test_recordlen.t ok 70-test_renegotiation.t ok 70-test_servername.t ... ok 70-test_sslcbcpadding.t ok 70-test_sslcertstatus.t ok 70-test_sslextension.t . ok 70-test_sslmessages.t .. ok 70-test_sslrecords.t ... ok 70-test_sslsessiontick.t ... ok 70-test_sslsigalgs.t ... ok 70-test_sslsignature.t . ok 70-test_sslskewith0p.t . ok 70-test_sslversions.t .. ok 70-test_sslvertol.t ok 70-test_tls13alerts.t .. ok 70-test_tls13cookie.t .. ok 70-test_tls13downgrade.t ... ok 70-test_tls13hrr.t . ok 70-test_tls13kexmodes.t ok 70-test_tls13messages.t ok 70-test_tls13psk.t . ok 70-test_tlsextms.t . ok 70-test_verify_extra.t . ok 70-test_wpacket.t .. ok 71-test_ssl_ctx.t .. ok 80-test_ca.t ... ok 80-test_cipherbytes.t .. ok 80-test_cipherlist.t ... ok 80-test_ciphername.t ... ok # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... ok 80-test_dane.t . ok 80-test_dtls.t . ok 80-test_dtls_mtu.t . ok 80-test_dtlsv1listen.t . ok 80-test_http.t . ok 80-test_ocsp.t . ok 80-test_pkcs12.t ... ok 80-test_ssl_new.t .. ok 80-test_ssl_old.t .. 
ok 80-test_ssl_test_ctx.t . ok 80-test_sslcorrupt.t ... ok 80-test_tsa.t .. ok 80-test_x509aux.t .. ok # 81-test_cmp_cli.t .. ok 90-test_asn1_time.t ok 90-test_async.t ok 90-test_bio_enc.t .. ok 90-test_bio_memleak.t .. ok 90-test_constant_time.t ok 90-test_fatalerr.t . ok 90-test_gmdiff.t ... ok 90-test_gost.t . ok 90-test_ige.t .. ok 90-test_includes.t . ok 90-test_memleak.t .. ok 90-test_overhead.t . ok 90-test_secmem.t ... ok 90-test_shlibload.t ok 90-test_srp.t .. ok 90-test_sslapi.t ... ok 90-test_sslbuffers.t ... ok 90-test_store.t ok 90-test_sysdefault.t ... ok 90-test_threads.t .. ok 90-test_time_offset.t .. ok 90-test_tls13ccs.t . ok 90-test_tls13encryption.t .. ok 90-test_tls13secrets.t . ok 90-test_v3name.t ... ok 95-test_external_boringssl.t ... skipped: No external tests in this configuration 95-test_external_gost_engine.t . skipped: No external tests in this configuration 95-test_external_krb5.t skipped: No external tests in this configuration 95-test_external_pyca.t skipped: No external tests in this configuration 99-test_ecstress.t . ok 99-test_fuzz.t . ok Test Summary Report --- 04-test_err.t(Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=207, Tests=3113, 862 wallclock secs (12.42 usr 1.30 sys + 800.94 cusr 60.67 csys = 875.33 CPU) Result: FAIL Makefile:3151: recipe for target '_tests' failed make[1]: *** [_tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-err' Makefile:3149: recipe for target 'tests' failed make: *** [tests] Error 2
Still Failing: openssl/openssl#36424 (master - adf3f83)
Build Update for openssl/openssl - Build: #36424 Status: Still Failing Duration: 1 hr, 27 mins, and 3 secs Commit: adf3f83 (master) Author: Matt Caswell Message: Fix test_cmp_cli for extended tests The test_cmp_cli was failing in the extended tests on cross-compiled mingw builds. This was due to the test not using wine when it should do. The simplest solution is to just skip the test in this case. [extended tests] Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/12555) View the changeset: https://github.com/openssl/openssl/compare/b8ea8d391200...adf3f83e5227 View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/10655?utm_medium=notification_source=email
Still Failing: openssl/openssl#36423 (master - b8ea8d3)
Build Update for openssl/openssl - Build: #36423 Status: Still Failing Duration: 1 hr, 19 mins, and 37 secs Commit: b8ea8d3 (master) Author: Matt Caswell Message: Don't fallback to legacy in DigestSignInit/DigestVerifyInit too easily The only reason we should fallback to legacy codepaths in DigestSignInit/ DigestVerifyInit, is if we have an engine, or we have a legacy algorithm that does not (yet) have a provider based equivalent (e.g. SM2, HMAC, etc). Currently we were falling back even if we have a suitable key manager but the export of the key fails. This might be for legitimate reasons (e.g. we only have the FIPS provider, but we're trying to export a brainpool key). In those circumstances we don't want to fallback to the legacy code. Therefore we tighten then checks for falling back to legacy. Eventually this particular fallback can be removed entirely (once all legacy algorithms have provider based key managers). Reviewed-by: Nicola Tuveri Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/12550) View the changeset: https://github.com/openssl/openssl/compare/593d6554f873...b8ea8d391200 View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/177765685?utm_medium=notification_source=email
[openssl] master update
The branch master has been updated via a3f15e237c0325718f488ebf9a242c031f4f864e (commit) via dfc0857d8191d43be320f4ba472b7c782248a35d (commit) via aa97970c1a69ae15b4191aa58cdb56e016f15922 (commit) from adf3f83e5227206a011ca1bca3ef9f63709fb96e (commit) - Log - commit a3f15e237c0325718f488ebf9a242c031f4f864e Author: Pauli Date: Mon Jul 27 14:47:59 2020 +1000 deserialisation: add deserialisation to the base provider Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/12104) commit dfc0857d8191d43be320f4ba472b7c782248a35d Author: Pauli Date: Thu Jun 11 09:08:01 2020 +1000 serialisation: Add a built-in base provider. Move the libcrypto serialisation functionality into a place where it can be provided at some point. The serialisation still remains native in the default provider. Add additional code to the list command to display what kind of serialisation each entry is capable of. Having the FIPS provider auto load the base provider is a future (but necessary) enhancement. 
Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/12104) commit aa97970c1a69ae15b4191aa58cdb56e016f15922 Author: Pauli Date: Thu Jun 11 09:42:34 2020 +1000 unify spelling of serialize Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/12104) --- Summary of changes: apps/list.c| 146 +- apps/s_server.c| 2 +- crypto/bn/bn_mont.c| 2 +- crypto/ec/curve448/eddsa.c | 2 +- crypto/ec/ecp_nistp256.c | 4 +- crypto/ec/ecp_nistp521.c | 4 +- crypto/provider_predefined.c | 2 + doc/man1/openssl-list.pod.in | 16 ++ doc/man7/OSSL_PROVIDER-base.pod| 96 doc/man7/OSSL_PROVIDER-default.pod | 9 +- doc/man7/provider.pod | 8 + include/openssl/ct.h | 2 +- include/openssl/dsa.h | 2 +- providers/baseprov.c | 170 + providers/build.info | 10 ++ providers/defltprov.c | 163 ++-- .../ciphers/cipher_aes_cts.h => deserializers.inc} | 12 +- providers/serializers.inc | 102 + ssl/s3_cbc.c | 2 +- 19 files changed, 580 insertions(+), 174 deletions(-) create mode 100644 doc/man7/OSSL_PROVIDER-base.pod create mode 100644 providers/baseprov.c copy providers/{implementations/ciphers/cipher_aes_cts.h => deserializers.inc} (56%) create mode 100644 providers/serializers.inc diff --git a/apps/list.c b/apps/list.c index b58871b1c5..69a516763c 100644 --- a/apps/list.c +++ b/apps/list.c @@ -16,6 +16,9 @@ #include #include #include +#include +#include +#include #include "apps.h" #include "app_params.h" #include "progs.h" 
@@ -351,6 +354,127 @@ static void list_random_generators(void) sk_EVP_RAND_pop_free(rands, EVP_RAND_free); } +/* + * Serializers + */ +DEFINE_STACK_OF(OSSL_SERIALIZER) +static int serializer_cmp(const OSSL_SERIALIZER * const *a, + const OSSL_SERIALIZER * const *b) +{ +int ret = OSSL_SERIALIZER_number(*a) - OSSL_SERIALIZER_number(*b); + +if (ret == 0) +ret = strcmp(OSSL_PROVIDER_name(OSSL_SERIALIZER_provider(*a)), + OSSL_PROVIDER_name(OSSL_SERIALIZER_provider(*b))); +return ret; +} + +static void collect_serializers(OSSL_SERIALIZER *serializer, void *stack) +{ +STACK_OF(OSSL_SERIALIZER) *serializer_stack = stack; + +sk_OSSL_SERIALIZER_push(serializer_stack, serializer); +OSSL_SERIALIZER_up_ref(serializer); +} + +static void list_serializers(void) +{ +STACK_OF(OSSL_SERIALIZER) *serializers; +int i; + +serializers = sk_OSSL_SERIALIZER_new(serializer_cmp); +if (serializers == NULL) { +BIO_printf(bio_err, "ERROR: Memory allocation\n"); +return; +} +BIO_printf(bio_out, "Provided SERIALIZERs:\n"); +OSSL_SERIALIZER_do_all_provided(NULL, collect_serializers, serializers); +sk_OSSL_SERIALIZER_sort(serializers); + +for (i = 0; i < sk_OSSL_SERIALIZER_num(serializers); i++) { +OSSL_SERIALIZER *k = sk_OSSL_SERIALIZER_value(serializers, i); +STACK_OF(OPENSSL_CSTRING) *names = +sk_OPENSSL_CSTRING_new(name_cmp); + +OSSL_SERIALIZER_names_do_all(k, collect_names, names); + +BIO_printf(bio_out, " "); +print_names(bio_out,
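Review bot: collect_serializers() ignores the return value of sk_OSSL_SERIALIZER_push() and then calls OSSL_SERIALIZER_up_ref() unconditionally, so a failed push leaves an extra reference on a serializer that is not on the stack. Take the reference only when the push succeeds, or drop it again on failure. In list_serializers() the per-entry names stack returned by sk_OPENSSL_CSTRING_new(name_cmp) is also handed to OSSL_SERIALIZER_names_do_all() in the visible lines without a NULL check, unlike the serializers stack a few lines above it.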
SUCCESSFUL build of OpenSSL branch master with options -d --strict-warnings no-ec2m
Platform and configuration command:

$ uname -a
Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-ec2m

Commit log since last time:

cfae32c69a [test][ectest] Minor touches to custom_generator_test
f5384f064e [test] Vertically test explicit EC params API patterns
79410c5f8b namemap: fix threading issue
5cd9962272 Fix a test_verify failure
ef8980176d Deprecate -nodes in favor of -noenc in pkcs12 and req app
846f96f821 TEST: Add RSA-PSS cases in test/serdes_test.c
a4e559 PROV: Add a DER to RSA-PSS deserializer implementation
456b3b97a4 EVP, PROV: Add misc missing bits for RSA-PSS
51d9ac870a Fix no-ec2m
[openssl] master update
The branch master has been updated via adf3f83e5227206a011ca1bca3ef9f63709fb96e (commit) from b8ea8d3912006223891a621a7bff19225e93469d (commit) - Log - commit adf3f83e5227206a011ca1bca3ef9f63709fb96e Author: Matt Caswell Date: Wed Jul 29 13:58:18 2020 +0100 Fix test_cmp_cli for extended tests The test_cmp_cli was failing in the extended tests on cross-compiled mingw builds. This was due to the test not using wine when it should do. The simplest solution is to just skip the test in this case. [extended tests] Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/12555) --- Summary of changes: test/recipes/81-test_cmp_cli.t | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/recipes/81-test_cmp_cli.t b/test/recipes/81-test_cmp_cli.t index 009cdcc4d8..51b4baf6a5 100644 --- a/test/recipes/81-test_cmp_cli.t +++ b/test/recipes/81-test_cmp_cli.t @@ -34,6 +34,8 @@ plan skip_all => "These tests are not supported in a no-ec build" plan skip_all => "Tests involving CMP server not available on Windows or VMS" if $^O =~ /^(VMS|MSWin32)$/; +plan skip_all => "Tests involving CMP server not available in cross-compile builds" +if defined $ENV{EXE_SHELL}; plan skip_all => "Tests involving CMP server require 'kill' command" unless `which kill`; plan skip_all => "Tests involving CMP server require 'lsof' command"
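Review bot: the added skip keys on "defined $ENV{EXE_SHELL}" alone, while its message says "cross-compile builds", and nothing in the hunk ties that variable to cross-compilation or to wine. If EXE_SHELL can be set for any other kind of wrapper, the CMP CLI tests are silently skipped there as well, so either test for the actual condition or add a comment explaining why EXE_SHELL is the chosen proxy. Since the commit message describes skipping as the simplest solution, a TODO about running the test under the wrapper would keep the lost coverage visible.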
Still Failing: openssl/openssl#36420 (master - 593d655)
Build Update for openssl/openssl

Build: #36420
Status: Still Failing
Duration: 1 hr, 19 mins, and 50 secs
Commit: 593d655 (master)
Author: Dr. David von Oheimb
Message: Export crm_new() of cmp_msg.c under the name OSSL_CMP_CTX_setup_CRM()

Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/12431)

View the changeset: https://github.com/openssl/openssl/compare/cfae32c69a0d...593d6554f873
View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/177758333?utm_medium=notification_source=email
[openssl] master update
The branch master has been updated via b8ea8d3912006223891a621a7bff19225e93469d (commit) from 593d6554f87310f3184c2f45d71c09975ffe9f53 (commit) - Log - commit b8ea8d3912006223891a621a7bff19225e93469d Author: Matt Caswell Date: Tue Jul 28 16:47:03 2020 +0100 Don't fallback to legacy in DigestSignInit/DigestVerifyInit too easily The only reason we should fallback to legacy codepaths in DigestSignInit/DigestVerifyInit, is if we have an engine, or we have a legacy algorithm that does not (yet) have a provider based equivalent (e.g. SM2, HMAC, etc). Currently we were falling back even if we have a suitable key manager but the export of the key fails. This might be for legitimate reasons (e.g. we only have the FIPS provider, but we're trying to export a brainpool key). In those circumstances we don't want to fallback to the legacy code. Therefore we tighten the checks for falling back to legacy. Eventually this particular fallback can be removed entirely (once all legacy algorithms have provider based key managers). Reviewed-by: Nicola Tuveri Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/12550) --- Summary of changes: crypto/evp/m_sigver.c | 18 +++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c index 44e7cab1af..8d37f19d6c 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c 
@@ -85,13 +85,25 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, /* * Ensure that the key is provided, either natively, or as a cached export. - * If not, go legacy */ tmp_keymgmt = locpctx->keymgmt; provkey = evp_pkey_export_to_provider(locpctx->pkey, locpctx->libctx, _keymgmt, locpctx->propquery); -if (provkey == NULL) -goto legacy; +if (provkey == NULL) { +/* + * If we couldn't find a keymgmt at all try legacy. + * TODO(3.0): Once all legacy algorithms (SM2, HMAC etc) have provider + * based implementations this fallback shouldn't be necessary. Either + * we have an ENGINE based implementation (in which case we should have + * already fallen back in the test above here), or we don't have the + * provider based implementation loaded (in which case this is an + * application config error) + */ +if (locpctx->keymgmt == NULL) +goto legacy; +ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); +goto err; +} if (!EVP_KEYMGMT_up_ref(tmp_keymgmt)) { ERR_clear_last_mark(); ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
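Review bot: the new error branch under provkey == NULL raises EVP_R_INITIALIZATION_ERROR and jumps to err without calling ERR_clear_last_mark(), whereas the EVP_KEYMGMT_up_ref() failure path directly below it clears the mark before raising. Please confirm that the err path deals with the outstanding mark, or clear it here in the same way, so that the two adjacent failure paths leave the error queue in the same state. The branch also decides on locpctx->keymgmt rather than on the tmp_keymgmt copy made just above for the export call; a short comment saying why the context's field is the right one to test would help, since the new comment only says "couldn't find a keymgmt at all".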
[openssl] master update
The branch master has been updated via 593d6554f87310f3184c2f45d71c09975ffe9f53 (commit) via 299e0f1eaea1c57354e50a45ecb1c97ac8adb833 (commit) from cfae32c69a0dde5a47fbd5aed4103fb01fc59acf (commit) - Log - commit 593d6554f87310f3184c2f45d71c09975ffe9f53 Author: Dr. David von Oheimb Date: Sat Jul 18 16:59:06 2020 +0200 Export crm_new() of cmp_msg.c under the name OSSL_CMP_CTX_setup_CRM() Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/12431) commit 299e0f1eaea1c57354e50a45ecb1c97ac8adb833 Author: Dr. David von Oheimb Date: Mon Jul 13 14:12:02 2020 +0200 Streamline the CMP request session API, adding the generalized OSSL_CMP_exec_certreq() Fixes #12395 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/12431) --- Summary of changes: crypto/cmp/cmp_client.c| 45 ++ crypto/cmp/cmp_err.c | 8 ++-- crypto/cmp/cmp_local.h | 6 +-- crypto/cmp/cmp_msg.c | 53 -- crypto/cmp/cmp_server.c| 2 +- crypto/crmf/crmf_asn.c | 2 +- crypto/err/openssl.txt | 6 +-- ...mp_certReq_new.pod => ossl_cmp_certreq_new.pod} | 16 +++ doc/internal/man3/ossl_cmp_msg_create.pod | 2 +- doc/internal/man3/ossl_cmp_pkisi_get_status.pod| 2 +- doc/man3/OSSL_CMP_CTX_new.pod | 5 +- doc/man3/OSSL_CMP_MSG_get0_header.pod | 13 ++ ...P_exec_IR_ses.pod => OSSL_CMP_exec_certreq.pod} | 45 -- doc/man3/OSSL_CMP_validate_msg.pod | 2 +- doc/man3/X509_dup.pod | 1 + fuzz/cmp.c | 2 +- include/openssl/cmp.h | 26 +++ include/openssl/cmperr.h | 6 +-- include/openssl/crmf.h | 1 + test/cmp_client_test.c | 38 test/cmp_msg_test.c| 8 ++-- util/libcrypto.num | 7 ++- util/other.syms| 4 ++ 23 files changed, 164 insertions(+), 136 deletions(-) rename doc/internal/man3/{ossl_cmp_certReq_new.pod => ossl_cmp_certreq_new.pod} (93%) rename doc/man3/{OSSL_CMP_exec_IR_ses.pod => OSSL_CMP_exec_certreq.pod} (78%) diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c index f38d8651f4..37473c7a6c 100644 --- a/crypto/cmp/cmp_client.c +++ b/crypto/cmp/cmp_client.c 
@@ -630,7 +630,8 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid, return ret; } -int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, int *checkAfter) +int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, + const OSSL_CRMF_MSG *crm, int *checkAfter) { OSSL_CMP_MSG *req = NULL; OSSL_CMP_MSG *rep = NULL; @@ -652,7 +653,7 @@ int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, int *checkAfter) if (ctx->total_timeout > 0) /* else ctx->end_time is not used */ ctx->end_time = time(NULL) + ctx->total_timeout; -req = ossl_cmp_certReq_new(ctx, req_type, 0 /* req_err */); +req = ossl_cmp_certreq_new(ctx, req_type, crm); if (req == NULL) /* also checks if all necessary options are set */ return 0; @@ -685,18 +686,26 @@ int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, int *checkAfter) * TODO: another function to request two certificates at once should be created. * Returns pointer to received certificate, or NULL if none was received. */ -static X509 *do_certreq_seq(OSSL_CMP_CTX *ctx, int req_type, int req_err, -int rep_type) +X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type, +const OSSL_CRMF_MSG *crm) { + OSSL_CMP_MSG *req = NULL; OSSL_CMP_MSG *rep = NULL; -int rid = (req_type == OSSL_CMP_PKIBODY_P10CR) ? -1 : OSSL_CMP_CERTREQID; +int is_p10 = req_type == OSSL_CMP_PKIBODY_P10CR; +int rid = is_p10 ? -1 : OSSL_CMP_CERTREQID; +int rep_type = is_p10 ? OSSL_CMP_PKIBODY_CP : req_type + 1; X509 *result = NULL; if (ctx == NULL) { CMPerr(0, CMP_R_NULL_ARGUMENT); return NULL; } +if (is_p10 && crm != NULL) { +CMPerr(0, CMP_R_INVALID_ARGS); +return NULL; +} + ctx->status = -1; if (!ossl_cmp_ctx_set0_newCert(ctx, NULL)) return NULL; @@ -705,7 +714,7 @@ static X509 *do_certreq_seq(OSSL_CMP_CTX *ctx, int req_type, int req_err, ctx->end_time = time(NULL) + ctx->total_timeout; /*
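Review bot: OSSL_CMP_try_certreq() gains the crm argument and passes it straight to ossl_cmp_certreq_new(), but the guard that rejects a non-NULL crm for OSSL_CMP_PKIBODY_P10CR appears only in OSSL_CMP_exec_certreq() in the visible hunks. Unless ossl_cmp_certreq_new() enforces this itself, apply the same CMP_R_INVALID_ARGS check here so that both public entry points behave alike, and document what a NULL crm means for the caller.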
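Review bot: in OSSL_CMP_exec_certreq(), rep_type is now computed as req_type + 1 for every request that is not P10CR, and the visible lines never check req_type against the supported body types. That mattered less while do_certreq_seq() was static and took rep_type from its callers; as an exported function it should reject unexpected req_type values next to the "is_p10 && crm != NULL" check, and the reliance on each response body type being the request type plus one deserves a comment at the point where rep_type is set.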
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dgram
Platform and configuration command:

$ uname -a
Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-dgram

Commit log since last time:

cfae32c69a [test][ectest] Minor touches to custom_generator_test
f5384f064e [test] Vertically test explicit EC params API patterns
79410c5f8b namemap: fix threading issue
5cd9962272 Fix a test_verify failure
ef8980176d Deprecate -nodes in favor of -noenc in pkcs12 and req app
846f96f821 TEST: Add RSA-PSS cases in test/serdes_test.c
a4e559 PROV: Add a DER to RSA-PSS deserializer implementation
456b3b97a4 EVP, PROV: Add misc missing bits for RSA-PSS
51d9ac870a Fix no-ec2m

Build log ended with (last 100 lines):

# 80-test_cms.t .. ok
80-test_cmsapi.t ... ok
80-test_ct.t ... ok
80-test_dane.t . ok
80-test_dtls.t . skipped: No DTLS protocols are supported by this OpenSSL build
80-test_dtls_mtu.t . skipped: test_dtls_mtu needs DTLS and PSK support enabled
80-test_dtlsv1listen.t . ok
80-test_http.t . ok
80-test_ocsp.t . ok
80-test_pkcs12.t ...
ok # ERROR: (ptr) 'server_ctx != NULL' failed @ ../openssl/test/ssl_test.c:479 # 0x0 not ok 7 - iteration 7 # -- # ERROR: (ptr) 'server_ctx != NULL' failed @ ../openssl/test/ssl_test.c:479 # 0x0 not ok 8 - iteration 8 # -- # ERROR: (ptr) 'server_ctx != NULL' failed @ ../openssl/test/ssl_test.c:479 # 0x0 not ok 9 - iteration 9 # -- # ERROR: (ptr) 'server_ctx != NULL' failed @ ../openssl/test/ssl_test.c:479 # 0x0 not ok 10 - iteration 10 # -- # ERROR: (ptr) 'server_ctx != NULL' failed @ ../openssl/test/ssl_test.c:479 # 0x0 not ok 11 - iteration 11 # -- # ERROR: (ptr) 'server_ctx != NULL' failed @ ../openssl/test/ssl_test.c:479 # 0x0 not ok 12 - iteration 12 # -- not ok 1 - test_handshake # -- ../../util/wrap.pl ../../test/ssl_test 04-client_auth.cnf.fips fips ../../../openssl/test/fips.cnf => 1 not ok 9 - running ssl_test 04-client_auth.cnf # -- # Failed test 'running ssl_test 04-client_auth.cnf' # at ../openssl/test/recipes/80-test_ssl_new.t line 173. # Looks like you failed 1 test of 9. not ok 5 - Test configuration 04-client_auth.cnf # -- # Looks like you failed 1 test of 31.80-test_ssl_new.t .. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/31 subtests 80-test_ssl_old.t .. ok 80-test_ssl_test_ctx.t . ok 80-test_sslcorrupt.t ... ok 80-test_tsa.t .. ok 80-test_x509aux.t .. ok # 81-test_cmp_cli.t .. ok 90-test_asn1_time.t ok 90-test_async.t ok 90-test_bio_enc.t .. ok 90-test_bio_memleak.t .. ok 90-test_constant_time.t ok 90-test_fatalerr.t . ok 90-test_gmdiff.t ... ok 90-test_gost.t . ok 90-test_ige.t .. ok 90-test_includes.t . ok 90-test_memleak.t .. ok 90-test_overhead.t . ok 90-test_secmem.t ... ok 90-test_shlibload.t ok 90-test_srp.t .. ok 90-test_sslapi.t ... ok 90-test_sslbuffers.t ... ok 90-test_store.t ok 90-test_sysdefault.t ... ok 90-test_threads.t .. ok 90-test_time_offset.t .. ok 90-test_tls13ccs.t . ok 90-test_tls13encryption.t .. ok 90-test_tls13secrets.t . ok 90-test_v3name.t ... ok 95-test_external_boringssl.t ... 
skipped: No external tests in this configuration 95-test_external_gost_engine.t . skipped: No external tests in this configuration 95-test_external_krb5.t skipped: No external tests in this configuration 95-test_external_pyca.t skipped: No external tests in this
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des
Platform and configuration command:

$ uname -a
Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-des

Commit log since last time:

cfae32c69a [test][ectest] Minor touches to custom_generator_test
f5384f064e [test] Vertically test explicit EC params API patterns
79410c5f8b namemap: fix threading issue
5cd9962272 Fix a test_verify failure
ef8980176d Deprecate -nodes in favor of -noenc in pkcs12 and req app
846f96f821 TEST: Add RSA-PSS cases in test/serdes_test.c
a4e559 PROV: Add a DER to RSA-PSS deserializer implementation
456b3b97a4 EVP, PROV: Add misc missing bits for RSA-PSS
51d9ac870a Fix no-ec2m

Build log ended with (last 100 lines):

C030D795747F:error::asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error:../openssl/crypto/asn1/tasn_dec.c:698:
C030D795747F:error::asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../openssl/crypto/asn1/tasn_dec.c:630:Field=pkey, Type=PKCS8_PRIV_KEY_INFO
C030D795747F:error::asn1 encoding routines:d2i_PrivateKey_ex:ASN1 lib:../openssl/crypto/asn1/d2i_pr.c:67:
C030D795747F:error::asn1 encoding routines:d2i_PrivateKey_ex:ASN1 lib:../openssl/crypto/asn1/d2i_pr.c:67:
C030D795747F:error::asn1 encoding routines:asn1_check_tlen:wrong tag:../openssl/crypto/asn1/tasn_dec.c:1135:
C030D795747F:error::asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error:../openssl/crypto/asn1/tasn_dec.c:698:
C030D795747F:error::asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../openssl/crypto/asn1/tasn_dec.c:630:Field=pkey, Type=PKCS8_PRIV_KEY_INFO
C030D795747F:error::asn1 encoding routines:asn1_check_tlen:wrong tag:../openssl/crypto/asn1/tasn_dec.c:1135:
C030D795747F:error::asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error:../openssl/crypto/asn1/tasn_dec.c:698:
C030D795747F:error::asn1 encoding routines:asn1_template_noexp_d2i:nested asn1
error:../openssl/crypto/asn1/tasn_dec.c:630:Field=pkey, Type=PKCS8_PRIV_KEY_INFO OPENSSL_FUNC:../openssl/apps/cmp.c:3053:CMP error: cannot set up CMP context # OPENSSL_FUNC:../openssl/apps/cmp.c:2895:CMP info: using OpenSSL configuration file '../Mock/test.cnf' # OPENSSL_FUNC:../openssl/apps/cmp.c:2501:CMP warning: argument of -proxy option is empty string, resetting option # OPENSSL_FUNC:../openssl/apps/cmp.c:2112:CMP info: will contact http://127.0.0.1:1700/pkix/ ../../../../../no-des/util/wrap.pl ../../../../../no-des/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd cr -newkey new.key -newkeypass 'pass:' -certout test.cert.pem -out_trusted root.crt => 1 not ok 82 - cr command # -- # Failed test 'cr command' # at ../openssl/test/recipes/81-test_cmp_cli.t line 182. Could not open file or uri test.cert.pem for loading CMP client certificate (and optionally extra certs) C0C0ED1D2F7F:error::system library:file_open_with_libctx:No such file or directory:../openssl/crypto/store/loader_file.c:928:calling stat(test.cert.pem) Unable to load CMP client certificate (and optionally extra certs) OPENSSL_FUNC:../openssl/apps/cmp.c:3053:CMP error: cannot set up CMP context # OPENSSL_FUNC:../openssl/apps/cmp.c:2895:CMP info: using OpenSSL configuration file '../Mock/test.cnf' # OPENSSL_FUNC:../openssl/apps/cmp.c:2501:CMP warning: argument of -proxy option is empty string, resetting option # OPENSSL_FUNC:../openssl/apps/cmp.c:2112:CMP info: will contact http://127.0.0.1:1700/pkix/ # OPENSSL_FUNC:../openssl/apps/cmp.c:2136:CMP warning: -subject '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=leaf' given, which overrides the subject of 'test.cert.pem' in KUR # OPENSSL_FUNC:../openssl/apps/cmp.c:826:CMP warning: can load only one certificate in DER format from test.cert.pem ../../../../../no-des/util/wrap.pl ../../../../../no-des/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -proxy '' -no_proxy 
127.0.0.1 -cmd kur -newkey new.key -newkeypass 'pass:' -certout test.cert.pem -out_trusted root.crt -oldcert test.cert.pem -server '127.0.0.1:1700' -cert test.cert.pem -key new.key -extracerts issuing.crt => 1 not ok 83 - kur command explicit options # -- # Failed test 'kur command explicit options' # at ../openssl/test/recipes/81-test_cmp_cli.t line 182. Could not open file or uri test.cert.pem for loading CMP client certificate (and optionally extra certs) C060AB64F07F:error::system library:file_open_with_libctx:No such file or directory:../openssl/crypto/store/loader_file.c:928:calling stat(test.cert.pem) Unable to load CMP client certificate (and optionally extra certs) OPENSSL_FUNC:../openssl/apps/cmp.c:3053:CMP error: cannot set up CMP context #