[openssl] master update

[dev]

The branch master has been updated
   via  bb30bce22b1f1e0dd6e3e33f28ddb24dc5b285ab (commit)
   via  543a802fabc6e53cd7b50b5561b9b0abbf769667 (commit)
   via  61994781011ba4dde5b546971623ce6590d5d60f (commit)
  from  7eb48cfc66372772c088c7ef1f443432a36e8a5c (commit)


- Log -
commit bb30bce22b1f1e0dd6e3e33f28ddb24dc5b285ab
Author: Dr. David von Oheimb 
Date:   Tue Sep 8 15:30:33 2020 +0200

bugfix in apps/cmp.c and cmp_client.c: inconsistencies on retrieving 
extraCerts in code and doc

Reviewed-by: Tim Hudson 
(Merged from https://github.com/openssl/openssl/pull/12822)

commit 543a802fabc6e53cd7b50b5561b9b0abbf769667
Author: Dr. David von Oheimb 
Date:   Fri Sep 4 17:09:13 2020 +0200

bugfix in ossl_cmp_msg_protect(): set senderKID and extend extraCerts also 
for unprotected CMP requests

Reviewed-by: Tim Hudson 
(Merged from https://github.com/openssl/openssl/pull/12822)

commit 61994781011ba4dde5b546971623ce6590d5d60f
Author: Dr. David von Oheimb 
Date:   Fri Sep 4 10:58:26 2020 +0200

bugfix in ossl_cmp_msg_add_extraCerts(): should include cert chain when 
using PBM

Reviewed-by: Tim Hudson 
(Merged from https://github.com/openssl/openssl/pull/12822)

---

Summary of changes:
 apps/cmp.c| 40 ++--
 crypto/cmp/cmp_client.c   | 15 ---
 crypto/cmp/cmp_protect.c  | 27 ++-
 doc/man1/openssl-cmp.pod.in   |  8 
 doc/man3/OSSL_CMP_CTX_new.pod | 10 +-
 5 files changed, 53 insertions(+), 47 deletions(-)

diff --git a/apps/cmp.c b/apps/cmp.c
index 3e7b010fcb..1c3b592f7f 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -2818,27 +2818,27 @@ int cmp_main(int argc, char **argv)
 switch (opt_cmd) {
 case CMP_IR:
 newcert = OSSL_CMP_exec_IR_ses(cmp_ctx);
-if (newcert == NULL)
-goto err;
+if (newcert != NULL)
+ret = 1;
 break;
 case CMP_KUR:
 newcert = OSSL_CMP_exec_KUR_ses(cmp_ctx);
-if (newcert == NULL)
-goto err;
+if (newcert != NULL)
+ret = 1;
 break;
 case CMP_CR:
 newcert = OSSL_CMP_exec_CR_ses(cmp_ctx);
-if (newcert == NULL)
-goto err;
+if (newcert != NULL)
+ret = 1;
 break;
 case CMP_P10CR:
 newcert = OSSL_CMP_exec_P10CR_ses(cmp_ctx);
-if (newcert == NULL)
-goto err;
+if (newcert != NULL)
+ret = 1;
 break;
 case CMP_RR:
-if (OSSL_CMP_exec_RR_ses(cmp_ctx) == NULL)
-goto err;
+if (OSSL_CMP_exec_RR_ses(cmp_ctx) != NULL)
+ret = 1;
 break;
 case CMP_GENM:
 {
@@ -2852,10 +2852,11 @@ int cmp_main(int argc, char **argv)
 OSSL_CMP_CTX_push0_genm_ITAV(cmp_ctx, itav);
 }
 
-if ((itavs = OSSL_CMP_exec_GENM_ses(cmp_ctx)) == NULL)
-goto err;
-print_itavs(itavs);
-sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
+if ((itavs = OSSL_CMP_exec_GENM_ses(cmp_ctx)) != NULL) {
+print_itavs(itavs);
+sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
+ret = 1;
+}
 break;
 }
 default:
@@ -2863,7 +2864,7 @@ int cmp_main(int argc, char **argv)
 }
 
 {
-/* print PKIStatusInfo (this is in case there has been no error) */
+/* print PKIStatusInfo */
 int status = OSSL_CMP_CTX_get_status(cmp_ctx);
 char *buf = app_malloc(OSSL_CMP_PKISI_BUFLEN, "PKIStatusInfo buf");
 const char *string =
@@ -2885,11 +2886,14 @@ int cmp_main(int argc, char **argv)
 OPENSSL_free(buf);
 }
 
-if (save_free_certs(cmp_ctx, OSSL_CMP_CTX_get1_caPubs(cmp_ctx),
-opt_cacertsout, "CA") < 0)
-goto err;
 if (save_free_certs(cmp_ctx, OSSL_CMP_CTX_get1_extraCertsIn(cmp_ctx),
 opt_extracertsout, "extra") < 0)
+ret = 0;
+if (!ret)
+goto err;
+ret = 0;
+if (save_free_certs(cmp_ctx, OSSL_CMP_CTX_get1_caPubs(cmp_ctx),
+opt_cacertsout, "CA") < 0)
 goto err;
 if (newcert != NULL) {
 STACK_OF(X509) *certs = sk_X509_new_null();
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index 4f8a9e2444..fe7168916a 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -190,6 +190,11 @@ static int 

[openssl] master update

[dev]

The branch master has been updated
   via  7eb48cfc66372772c088c7ef1f443432a36e8a5c (commit)
   via  eb5087fc7caaf40a2f4dafb294f3cba1b9ca2619 (commit)
   via  4245fd64c810bf4ecdcd8e2c7384e71d084541c0 (commit)
   via  57371e16741ae619ecd7c33b3b4a7fd728616e01 (commit)
  from  c4adc5ba5b4a7b5f999732fc565d0d6e3f8222e9 (commit)


- Log -
commit 7eb48cfc66372772c088c7ef1f443432a36e8a5c
Author: Dr. David von Oheimb 
Date:   Fri Sep 4 15:10:22 2020 +0200

test/cmp_{client,msg}_test.c: minor code cleanup

Reviewed-by: Tim Hudson 
(Merged from https://github.com/openssl/openssl/pull/12655)

commit eb5087fc7caaf40a2f4dafb294f3cba1b9ca2619
Author: Dr. David von Oheimb 
Date:   Fri Sep 4 15:09:32 2020 +0200

test/recipes/81-test_cmp_cli_data/Mock/server.cnf: minor cleanup

Reviewed-by: Tim Hudson 
(Merged from https://github.com/openssl/openssl/pull/12655)

commit 4245fd64c810bf4ecdcd8e2c7384e71d084541c0
Author: Dr. David von Oheimb 
Date:   Sun Aug 30 13:22:57 2020 +0200

81-test_cmp_cli: Make test output files all different according to #11080

Also some minor improvements mostly of test cases regarding PKCS#10 CSR 
input

Reviewed-by: Tim Hudson 
(Merged from https://github.com/openssl/openssl/pull/12655)

commit 57371e16741ae619ecd7c33b3b4a7fd728616e01
Author: Dr. David von Oheimb 
Date:   Sat Aug 29 09:22:07 2020 +0200

81-test_cmp_cli.t: Stop unlinking test output files according to #11080

Reviewed-by: Tim Hudson 
(Merged from https://github.com/openssl/openssl/pull/12655)

---

Summary of changes:
 test/cmp_client_test.c |   2 +-
 test/cmp_msg_test.c|   1 +
 test/recipes/81-test_cmp_cli.t |   6 +-
 test/recipes/81-test_cmp_cli_data/Mock/csr.pem |   8 +
 test/recipes/81-test_cmp_cli_data/Mock/server.cnf  |   6 +-
 .../Mock/wrong_csr.pem}|   0
 .../81-test_cmp_cli_data/test_credentials.csv  |   2 +-
 .../81-test_cmp_cli_data/test_enrollment.csv   | 206 ++---
 8 files changed, 119 insertions(+), 112 deletions(-)
 create mode 100644 test/recipes/81-test_cmp_cli_data/Mock/csr.pem
 copy test/recipes/{04-test_pem_data/csr.pem => 
81-test_cmp_cli_data/Mock/wrong_csr.pem} (100%)

diff --git a/test/cmp_client_test.c b/test/cmp_client_test.c
index 111a4c27f4..9043ee1196 100644
--- a/test/cmp_client_test.c
+++ b/test/cmp_client_test.c
@@ -350,7 +350,7 @@ void cleanup_tests(void)
 return;
 }
 
-#define USAGE "server.key server.crt client.key client.crt client.csr 
module_name [module_conf_file]\n"
+# define USAGE "server.key server.crt client.key client.crt client.csr 
module_name [module_conf_file]\n"
 OPT_TEST_DECLARE_USAGE(USAGE)
 
 int setup_tests(void)
diff --git a/test/cmp_msg_test.c b/test/cmp_msg_test.c
index a56f04f1df..a593f37cfc 100644
--- a/test/cmp_msg_test.c
+++ b/test/cmp_msg_test.c
@@ -86,6 +86,7 @@ static X509 *cert = NULL;
 TEST_ptr_null(msg = (expr)); \
  \
 OSSL_CMP_MSG_free(msg); \
+ERR_print_errors_fp(stderr); \
 return good; \
 } while (0)
 
diff --git a/test/recipes/81-test_cmp_cli.t b/test/recipes/81-test_cmp_cli.t
index fa70c84981..2aea3b8f0c 100644
--- a/test/recipes/81-test_cmp_cli.t
+++ b/test/recipes/81-test_cmp_cli.t
@@ -65,7 +65,7 @@ my @cmp_basic_tests = (
 );
 
 my $rsp_cert = "signer_only.crt";
-my $outfile = "test.cert.pem";
+my $outfile = "test.certout.pem";
 my $secret = "pass:test";
 
 # this uses the mock server directly in the cmp app, without TCP
@@ -87,7 +87,7 @@ sub use_mock_srv_internally
 "-certout" , $outfile]))
&& compare_text($outfile, $rsp_cert) == 0,
"CMP app with -use_mock_srv and -poll_count 1");
-unlink $outfile;
+# not unlinking $outfile
 }
 
 # the CMP server configuration consists of:
@@ -200,7 +200,7 @@ sub test_cmp_cli_aspect {
 }
 }
 };
-unlink "test.cert.pem", "test.cacerts.pem", "test.extracerts.pem";
+# not unlinking test.certout_*.pem, test.cacerts.pem, and 
test.extracerts.pem
 }
 
 indir data_dir() => sub {
diff --git a/test/recipes/81-test_cmp_cli_data/Mock/csr.pem 
b/test/recipes/81-test_cmp_cli_data/Mock/csr.pem
new file mode 100644
index 00..8d20bc011c
--- /dev/null
+++ b/test/recipes/81-test_cmp_cli_data/Mock/csr.pem
@@ -0,0 +1,8 @@
+-BEGIN CERTIFICATE REQUEST-
+MIHxMIGXAgEAMAwxCjAIBgNVBAMMAXgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
+AAQe6gjg9c+IFRkK35/7OgK5/rcoUMPxDKkgzNq6DtUm5l3BTZIZO6xe8OvI503Z
++mntgoUUvD7JNn6mDq0V3LuMoCkwJwYJKoZIhvcNAQkOMRowGDAJBgNVHRMEAjAA
+MAsGA1UdDwQEAwID6DAKBggqhkjOPQQDAgNJADBGAiEA6UNz3byazvlD6yIFySFM
+NKQv+YWWHphH3bIcT7NbvLwCIQCWc8ONyVmhz0tlsXtXEkBvPeWNeaIb+GPH9Dp5
+GvQuEw==
+-END CERTIFICATE REQUEST-
diff --git 

[openssl] master update

[dev]

The branch master has been updated
   via  c4adc5ba5b4a7b5f999732fc565d0d6e3f8222e9 (commit)
  from  a877d2629b8a512aae550be68b9afd91eae22f19 (commit)


- Log -
commit c4adc5ba5b4a7b5f999732fc565d0d6e3f8222e9
Author: Dr. David von Oheimb 
Date:   Sun Aug 30 13:25:40 2020 +0200

apps.c: Fix mem leaks on error in load_certs() and load_crls()

Reviewed-by: Tim Hudson 
(Merged from https://github.com/openssl/openssl/pull/12823)

---

Summary of changes:
 apps/lib/apps.c | 24 
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index b631a2670a..f10e91deb7 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -659,22 +659,38 @@ void* app_malloc(int sz, const char *what)
 
 /*
  * Initialize or extend, if *certs != NULL, a certificate stack.
+ * The caller is responsible for freeing *certs if its value is left not NULL.
  */
 int load_certs(const char *uri, STACK_OF(X509) **certs,
const char *pass, const char *desc)
 {
-return load_key_certs_crls(uri, 0, pass, desc, NULL, NULL,
-   NULL, certs, NULL, NULL);
+int was_NULL = *certs == NULL;
+int ret = load_key_certs_crls(uri, 0, pass, desc, NULL, NULL,
+  NULL, certs, NULL, NULL);
+
+if (!ret && was_NULL) {
+sk_X509_pop_free(*certs, X509_free);
+*certs = NULL;
+}
+return ret;
 }
 
 /*
  * Initialize or extend, if *crls != NULL, a certificate stack.
+ * The caller is responsible for freeing *crls if its value is left not NULL.
  */
 int load_crls(const char *uri, STACK_OF(X509_CRL) **crls,
   const char *pass, const char *desc)
 {
-return load_key_certs_crls(uri, 0, pass, desc, NULL, NULL,
-   NULL, NULL, NULL, crls);
+int was_NULL = *crls == NULL;
+int ret = load_key_certs_crls(uri, 0, pass, desc, NULL, NULL,
+  NULL, NULL, NULL, crls);
+
+if (!ret && was_NULL) {
+sk_X509_CRL_pop_free(*crls, X509_CRL_free);
+*crls = NULL;
+}
+return ret;
 }
 
 /*

[openssl] master update

[dev]

The branch master has been updated
   via  a877d2629b8a512aae550be68b9afd91eae22f19 (commit)
   via  87495d56a959b0c3a3f6d8305d84d1b21e9222a6 (commit)
  from  aad086e2ae5f8d1b3b0934b1e67f7a426352727d (commit)


- Log -
commit a877d2629b8a512aae550be68b9afd91eae22f19
Author: Dr. David von Oheimb 
Date:   Thu Sep 3 16:51:06 2020 +0200

apps/cmp.c: clear leftover errors on loading libengines.so etc.

Reviewed-by: Tim Hudson 
(Merged from https://github.com/openssl/openssl/pull/12824)

commit 87495d56a959b0c3a3f6d8305d84d1b21e9222a6
Author: Dr. David von Oheimb 
Date:   Fri Aug 28 11:57:18 2020 +0200

apps.c: Fix diagnostics and return value of load_key_certs_crls() on error

Reviewed-by: Tim Hudson 
(Merged from https://github.com/openssl/openssl/pull/12824)

---

Summary of changes:
 apps/cmp.c  |  1 +
 apps/lib/apps.c | 29 -
 2 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/apps/cmp.c b/apps/cmp.c
index 7524930b8f..3e7b010fcb 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -2620,6 +2620,7 @@ int cmp_main(int argc, char **argv)
 char mock_server[] = "mock server:1";
 int ret = 0; /* default: failure */
 
+ERR_clear_error(); /* clear leftover errors on loading libengines.so etc. 
*/
 if (argc <= 1) {
 opt_help(cmp_options);
 goto err;
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 342c364aa4..b631a2670a 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -702,7 +702,7 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
 const char *propq = app_get0_propq();
 int ncerts = 0;
 int ncrls = 0;
-const char *failed = NULL;
+const char *failed = "any";
 /* TODO make use of the engine reference 'eng' when loading pkeys */
 
 if (ppkey != NULL)
@@ -714,14 +714,14 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
 if (pcerts != NULL && *pcerts == NULL
 && (*pcerts = sk_X509_new_null()) == NULL) {
 BIO_printf(bio_err, "Out of memory");
-return 0;
+goto end;
 }
 if (pcrl != NULL)
 *pcrl = NULL;
 if (pcrls != NULL && *pcrls == NULL
 && (*pcrls = sk_X509_CRL_new_null()) == NULL) {
 BIO_printf(bio_err, "Out of memory");
-return 0;
+goto end;
 }
 
 if (desc == NULL)
@@ -753,6 +753,7 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
 goto end;
 }
 
+failed = NULL;
 while (!OSSL_STORE_eof(ctx)) {
 OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
 int type = info == NULL ? 0 : OSSL_STORE_INFO_get_type(info);
@@ -806,17 +807,19 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
 
  end:
 OSSL_STORE_close(ctx);
-if (ppkey != NULL && *ppkey == NULL)
-failed = "key";
-else if ((pcert != NULL || pcerts != NULL) && ncerts == 0)
-failed = "cert";
-else if ((pcrl != NULL || pcrls != NULL) && ncrls == 0)
-failed = "CRL";
-if (failed != NULL) {
-BIO_printf(bio_err, "Could not read any %s of %s from %s\n",
-   failed, desc, uri);
-ERR_print_errors(bio_err);
+if (failed == NULL) {
+if (ppkey != NULL && *ppkey == NULL)
+failed = "key";
+else if ((pcert != NULL || pcerts != NULL) && ncerts == 0)
+failed = "cert";
+else if ((pcrl != NULL || pcrls != NULL) && ncrls == 0)
+failed = "CRL";
+if (failed != NULL)
+BIO_printf(bio_err, "Could not read any %s of %s from %s\n",
+   failed, desc, uri);
 }
+if (failed != NULL)
+ERR_print_errors(bio_err);
 return failed == NULL;
 }
 

[openssl] master update

[dev]

The branch master has been updated
   via  aad086e2ae5f8d1b3b0934b1e67f7a426352727d (commit)
   via  a0745e2be6635ffdf286ba5bc3bd867c8d4152a9 (commit)
  from  474853c39a2b631f9f401df32834043500081b7c (commit)


- Log -
commit aad086e2ae5f8d1b3b0934b1e67f7a426352727d
Author: Dr. David von Oheimb 
Date:   Mon Sep 7 14:12:49 2020 +0200

Replace all wrong usages of 'B<...>' (typically by 'I<...>') in 
OSSL_CMP_CTX_new.pod

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/12741)

commit a0745e2be6635ffdf286ba5bc3bd867c8d4152a9
Author: Dr. David von Oheimb 
Date:   Fri Aug 28 12:11:31 2020 +0200

Clean up CMP chain building for CMP signer, TLS client, and newly enrolled 
certs

* Use strenghtened cert chain building, verifying chain using optional 
trust store
  while making sure that no certificate status (e.g., CRL) checks are done
* Use OSSL_CMP_certConf_cb() by default and move its doc to 
OSSL_CMP_CTX_new.pod
* Simplify certificate and cert store loading in apps/cmp.c

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/12741)

---

Summary of changes:
 apps/cmp.c | 255 +
 crypto/cmp/cmp_client.c|  46 --
 crypto/cmp/cmp_ctx.c   |  13 +-
 crypto/cmp/cmp_local.h |   1 +
 crypto/cmp/cmp_protect.c   |  47 +++---
 doc/internal/man3/ossl_cmp_msg_protect.pod |   2 +-
 doc/man1/openssl-cmp.pod.in|   1 +
 doc/man3/OSSL_CMP_CTX_new.pod  | 173 ++-
 doc/man3/OSSL_CMP_exec_certreq.pod |  15 +-
 9 files changed, 280 insertions(+), 273 deletions(-)

diff --git a/apps/cmp.c b/apps/cmp.c
index f9b50fc659..7524930b8f 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -888,23 +888,6 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx,
 return res;
 }
 
-static int set1_store_parameters(X509_STORE *ts)
-{
-if (ts == NULL)
-return 0;
-
-/* copy vpm to store */
-if (!X509_STORE_set1_param(ts, vpm /* may be NULL */)) {
-BIO_printf(bio_err, "error setting verification parameters\n");
-OSSL_CMP_CTX_print_errors(cmp_ctx);
-return 0;
-}
-
-X509_STORE_set_verify_cb(ts, X509_STORE_CTX_print_verify_cb);
-
-return 1;
-}
-
 static int set_name(const char *str,
 int (*set_fn) (OSSL_CMP_CTX *ctx, const X509_NAME *name),
 OSSL_CMP_CTX *ctx, const char *desc)
@@ -990,6 +973,24 @@ static X509_STORE *load_certstore(char *input, const char 
*desc)
 return store;
 }
 
+static X509_STORE *load_trusted(char *input, int for_new_cert, const char 
*desc)
+{
+X509_STORE *ts = load_certstore(input, desc);
+
+if (ts == NULL)
+return NULL;
+X509_STORE_set_verify_cb(ts, X509_STORE_CTX_print_verify_cb);
+
+/* copy vpm to store */
+if (X509_STORE_set1_param(ts, vpm /* may be NULL */)
+&& (for_new_cert || truststore_set_host_etc(ts, NULL)))
+return ts;
+BIO_printf(bio_err, "error setting verification parameters\n");
+OSSL_CMP_CTX_print_errors(cmp_ctx);
+X509_STORE_free(ts);
+return NULL;
+}
+
 /* TODO potentially move to apps/lib/apps.c */
 static STACK_OF(X509) *load_certs_multifile(char *files,
 const char *pass, const char *desc)
@@ -1025,31 +1026,20 @@ static STACK_OF(X509) *load_certs_multifile(char *files,
 }
 
 typedef int (*add_X509_stack_fn_t)(void *ctx, const STACK_OF(X509) *certs);
-typedef int (*add_X509_fn_t)(void *ctx, const X509 *cert);
 
 static int setup_certs(char *files, const char *desc, void *ctx,
-   add_X509_stack_fn_t addn_fn, add_X509_fn_t add1_fn)
+   add_X509_stack_fn_t set1_fn)
 {
-int ret = 1;
+STACK_OF(X509) *certs;
+int ok;
 
-if (files != NULL) {
-STACK_OF(X509) *certs = load_certs_multifile(files, opt_otherpass,
- desc);
-if (certs == NULL) {
-ret = 0;
-} else {
-if (addn_fn != NULL) {
-ret = (*addn_fn)(ctx, certs);
-} else {
-int i;
-
-for (i = 0; i < sk_X509_num(certs /* may be NULL */); i++)
-ret &= (*add1_fn)(ctx, sk_X509_value(certs, i));
-}
-sk_X509_pop_free(certs, X509_free);
-}
-}
-return ret;
+if (files == NULL)
+return 1;
+if ((certs = load_certs_multifile(files, opt_otherpass, desc)) == NULL)
+return 0;
+ok = (*set1_fn)(ctx, certs);
+sk_X509_pop_free(certs, X509_free);
+return ok;
 }
 
 
@@ -1175,13 +1165,9 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)

Errored: openssl/openssl#37347 (master - 474853c)

[Travis CI]

Build Update for openssl/openssl
-

Build: #37347
Status: Errored

Duration: 1 hr, 23 mins, and 0 secs
Commit: 474853c (master)
Author: Rich Salz
Message: Fix markdown nits in NOTES-Windows.txt

And add a comment that this file is in markdown, but has a .txt
extension on purpose.

Reviewed-by: Richard Levitte 
Reviewed-by: Paul Dale 
Reviewed-by: Shane Lontis 
(Merged from https://github.com/openssl/openssl/pull/12805)

View the changeset: 
https://github.com/openssl/openssl/compare/10203a34725e...474853c39a2b

View the full build log and details: 
https://travis-ci.com/github/openssl/openssl/builds/183641531?utm_medium=notification_source=email


--

You can unsubscribe from build emails from the openssl/openssl repository going 
to 
https://travis-ci.com/account/preferences/unsubscribe?repository=13885459_medium=notification_source=email.
Or unsubscribe from *all* email updating your settings at 
https://travis-ci.com/account/preferences/unsubscribe?utm_medium=notification_source=email.
Or configure specific recipients for build notifications in your .travis.yml 
file. See https://docs.travis-ci.com/user/notifications.

Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-rc2

[OpenSSL run-checker]

Platform and configuration command:

$ uname -a
Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-rc2

Commit log since last time:

b434b2c08d Allow unauthenticated CMP server if missing -trusted, -srvcert, and 
-secret options
15633d74dc Add 4 new OIDs for PKIX key purposes and 3 new CMP information types
1251cddf8d TEST: modify test/endecode_test.c to not use legacy keys
4ce1025a8a PEM: Make PEM_write_bio_PrivateKey_traditional() handle 
provider-native keys
924663c36d Add CMS AuthEnvelopedData with AES-GCM support
d96486dc80 apps/cmp.c: Allow default HTTP path (aka CMP alias) given with 
-server option
6e477a60e4 apps/cmp.c: Use enhanced OSSL_HTTP_parse_url(), removing 
parse_addr() and atoint()
d7fcee3b3b OSSL_HTTP_parse_url(): add optional port number return parameter and 
strengthen documentation
8d6481f532 EVP: Move the functions and controls for setting and getting distid
b968945204 EVP: Expand the use of EVP_PKEY_CTX_md()
86df26b394 EVP: Add support for delayed EVP_PKEY operation parameters
ea0add4a82 New GOST PKCS12 standard support
08497fc64f Fix test/evp_extra_test.c
20d56d6d62 EVP: Don't shadow EVP_PKEY_CTX_new* error records
509144964b EVP: Preserve the EVP_PKEY id in a few more spots
884baafba4 Use return code for 'which command' checks
4348995b0d Fix memory leaks in conf_def.c
385deae79f Building: Build Unix static libraries one object file at a time

Build log ended with (last 100 lines):

70-test_servername.t ... ok
70-test_sslcbcpadding.t  ok
70-test_sslcertstatus.t  ok
70-test_sslextension.t . ok
70-test_sslmessages.t .. ok
70-test_sslrecords.t ... ok
70-test_sslsessiontick.t ... ok
70-test_sslsigalgs.t ... ok
70-test_sslsignature.t . ok
70-test_sslskewith0p.t . ok
70-test_sslversions.t .. ok
70-test_sslvertol.t  ok
70-test_tls13alerts.t .. ok
70-test_tls13cookie.t .. ok
70-test_tls13downgrade.t ... ok
70-test_tls13hrr.t . ok
70-test_tls13kexmodes.t  ok
70-test_tls13messages.t  ok
70-test_tls13psk.t . ok
70-test_tlsextms.t . ok
70-test_verify_extra.t . ok
70-test_wpacket.t .. ok
71-test_ssl_ctx.t .. ok
80-test_ca.t ... ok
80-test_cipherbytes.t .. ok
80-test_cipherlist.t ... ok
80-test_ciphername.t ... ok

# 80-test_cms.t .. ok
80-test_cmsapi.t ... ok
80-test_ct.t ... ok
80-test_dane.t . ok
80-test_dtls.t . ok
80-test_dtls_mtu.t . ok
80-test_dtlsv1listen.t . ok
80-test_http.t . ok
80-test_ocsp.t . ok

Could not read any cert of certificates from -in file from 
../../../openssl/test/certs/v3-certs-RC2.p12
C0A0828B1A7F:error::asn1 encoding routines:ASN1_get_object:header too 
long:../openssl/crypto/asn1/asn1_lib.c:105:
../../util/wrap.pl ../../apps/openssl pkcs12 -export -in 
../../../openssl/test/certs/v3-certs-RC2.p12 -passin 'pass:v3-certs' -provider 
default -provider legacy -nokeys -passout 'pass:v3-certs' -descert -out tmp.p12 
=> 1
not ok 5 - test_pkcs12_passcert
# --
#   Failed test 'test_pkcs12_passcert'
#   at ../openssl/test/recipes/80-test_pkcs12.t line 93.
# Looks like you failed 1 test of 5.80-test_pkcs12.t ... 
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/5 subtests 
80-test_ssl_new.t .. ok
80-test_ssl_old.t .. ok
80-test_ssl_test_ctx.t . ok
80-test_sslcorrupt.t ... ok
80-test_tsa.t .. ok
80-test_x509aux.t .. ok

# 81-test_cmp_cli.t .. ok
90-test_asn1_time.t  ok
90-test_async.t  ok
90-test_bio_enc.t .. ok
90-test_bio_memleak.t .. ok
90-test_constant_time.t  ok
90-test_fatalerr.t . ok
90-test_gmdiff.t ... ok
90-test_gost.t . ok
90-test_ige.t .. ok
90-test_includes.t . ok
90-test_memleak.t .. ok
90-test_overhead.t . ok
90-test_secmem.t ... ok
90-test_shlibload.t  ok
90-test_srp.t .. ok
90-test_sslapi.t ... ok
90-test_sslbuffers.t ... ok
90-test_store.t  ok
90-test_sysdefault.t ... ok
90-test_threads.t .. ok
90-test_time_offset.t .. ok
90-test_tls13ccs.t . ok
90-test_tls13encryption.t .. ok

Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-posix-io

[OpenSSL run-checker]

Platform and configuration command:

$ uname -a
Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-posix-io

Commit log since last time:

b434b2c08d Allow unauthenticated CMP server if missing -trusted, -srvcert, and 
-secret options
15633d74dc Add 4 new OIDs for PKIX key purposes and 3 new CMP information types
1251cddf8d TEST: modify test/endecode_test.c to not use legacy keys
4ce1025a8a PEM: Make PEM_write_bio_PrivateKey_traditional() handle 
provider-native keys
924663c36d Add CMS AuthEnvelopedData with AES-GCM support
d96486dc80 apps/cmp.c: Allow default HTTP path (aka CMP alias) given with 
-server option
6e477a60e4 apps/cmp.c: Use enhanced OSSL_HTTP_parse_url(), removing 
parse_addr() and atoint()
d7fcee3b3b OSSL_HTTP_parse_url(): add optional port number return parameter and 
strengthen documentation
8d6481f532 EVP: Move the functions and controls for setting and getting distid
b968945204 EVP: Expand the use of EVP_PKEY_CTX_md()
86df26b394 EVP: Add support for delayed EVP_PKEY operation parameters
ea0add4a82 New GOST PKCS12 standard support
08497fc64f Fix test/evp_extra_test.c
20d56d6d62 EVP: Don't shadow EVP_PKEY_CTX_new* error records
509144964b EVP: Preserve the EVP_PKEY id in a few more spots
884baafba4 Use return code for 'which command' checks
4348995b0d Fix memory leaks in conf_def.c
385deae79f Building: Build Unix static libraries one object file at a time

Build log ended with (last 100 lines):

rm -f doc/man/man1/CA.pl.1 doc/man/man1/openssl-asn1parse.1 
doc/man/man1/openssl-ca.1 doc/man/man1/openssl-ciphers.1 
doc/man/man1/openssl-cmds.1 doc/man/man1/openssl-cmp.1 
doc/man/man1/openssl-cms.1 doc/man/man1/openssl-crl.1 
doc/man/man1/openssl-crl2pkcs7.1 doc/man/man1/openssl-dgst.1 
doc/man/man1/openssl-dhparam.1 doc/man/man1/openssl-dsa.1 
doc/man/man1/openssl-dsaparam.1 doc/man/man1/openssl-ec.1 
doc/man/man1/openssl-ecparam.1 doc/man/man1/openssl-enc.1 
doc/man/man1/openssl-engine.1 doc/man/man1/openssl-errstr.1 
doc/man/man1/openssl-fipsinstall.1 doc/man/man1/openssl-gendsa.1 
doc/man/man1/openssl-genpkey.1 doc/man/man1/openssl-genrsa.1 
doc/man/man1/openssl-info.1 doc/man/man1/openssl-kdf.1 
doc/man/man1/openssl-list.1 doc/man/man1/openssl-mac.1 
doc/man/man1/openssl-nseq.1 doc/man/man1/openssl-ocsp.1 
doc/man/man1/openssl-passwd.1 doc/man/man1/openssl-pkcs12.1 
doc/man/man1/openssl-pkcs7.1 doc/man/man1/openssl-pkcs8.1 
doc/man/man1/openssl-pkey.1 doc/man/man1/openssl-pkeyparam.1 doc/ma
 n/man1/openssl-pkeyutl.1 doc/man/man1/openssl-prime.1 
doc/man/man1/openssl-provider.1 doc/man/man1/openssl-rand.1 
doc/man/man1/openssl-rehash.1 doc/man/man1/openssl-req.1 
doc/man/man1/openssl-rsa.1 doc/man/man1/openssl-rsautl.1 
doc/man/man1/openssl-s_client.1 doc/man/man1/openssl-s_server.1 
doc/man/man1/openssl-s_time.1 doc/man/man1/openssl-sess_id.1 
doc/man/man1/openssl-smime.1 doc/man/man1/openssl-speed.1 
doc/man/man1/openssl-spkac.1 doc/man/man1/openssl-srp.1 
doc/man/man1/openssl-storeutl.1 doc/man/man1/openssl-ts.1 
doc/man/man1/openssl-verify.1 doc/man/man1/openssl-version.1 
doc/man/man1/openssl-x509.1 doc/man/man1/openssl.1 doc/man/man1/tsget.1 
doc/man/man3/ADMISSIONS.3 doc/man/man3/ASN1_INTEGER_get_int64.3 
doc/man/man3/ASN1_INTEGER_new.3 doc/man/man3/ASN1_ITEM_lookup.3 
doc/man/man3/ASN1_OBJECT_new.3 doc/man/man3/ASN1_STRING_TABLE_add.3 
doc/man/man3/ASN1_STRING_length.3 doc/man/man3/ASN1_STRING_new.3 
doc/man/man3/ASN1_STRING_print_ex.3 doc/man/man3/ASN1_TIME_set.3 doc/man/man3/
 ASN1_TYPE_get.3 doc/man/man3/ASN1_generate_nconf.3 
doc/man/man3/ASYNC_WAIT_CTX_new.3 doc/man/man3/ASYNC_start_job.3 
doc/man/man3/BF_encrypt.3 doc/man/man3/BIO_ADDR.3 doc/man/man3/BIO_ADDRINFO.3 
doc/man/man3/BIO_connect.3 doc/man/man3/BIO_ctrl.3 doc/man/man3/BIO_f_base64.3 
doc/man/man3/BIO_f_buffer.3 doc/man/man3/BIO_f_cipher.3 doc/man/man3/BIO_f_md.3 
doc/man/man3/BIO_f_null.3 doc/man/man3/BIO_f_prefix.3 doc/man/man3/BIO_f_ssl.3 
doc/man/man3/BIO_find_type.3 doc/man/man3/BIO_get_data.3 
doc/man/man3/BIO_get_ex_new_index.3 doc/man/man3/BIO_meth_new.3 
doc/man/man3/BIO_new.3 doc/man/man3/BIO_new_CMS.3 
doc/man/man3/BIO_parse_hostserv.3 doc/man/man3/BIO_printf.3 
doc/man/man3/BIO_push.3 doc/man/man3/BIO_read.3 doc/man/man3/BIO_s_accept.3 
doc/man/man3/BIO_s_bio.3 doc/man/man3/BIO_s_connect.3 doc/man/man3/BIO_s_fd.3 
doc/man/man3/BIO_s_file.3 doc/man/man3/BIO_s_mem.3 doc/man/man3/BIO_s_null.3 
doc/man/man3/BIO_s_socket.3 doc/man/man3/BIO_set_callback.3 
doc/man/man3/BIO_should_retry.3 doc/man/man
 3/BIO_socket_wait.3 doc/man/man3/BN_BLINDING_new.3 doc/man/man3/BN_CTX_new.3 
doc/man/man3/BN_CTX_start.3 doc/man/man3/BN_add.3 doc/man/man3/BN_add_word.3 
doc/man/man3/BN_bn2bin.3 doc/man/man3/BN_cmp.3 doc/man/man3/BN_copy.3 
doc/man/man3/BN_generate_prime.3 doc/man/man3/BN_mod_inverse.3 
doc/man/man3/BN_mod_mul_montgomery.3 doc/man/man3/BN_mod_mul_reciprocal.3 
doc/man/man3/BN_new.3 

Errored: openssl/openssl#37341 (master - 10203a3)

[Travis CI]

Build Update for openssl/openssl
-

Build: #37341
Status: Errored

Duration: 1 hr, 21 mins, and 11 secs
Commit: 10203a3 (master)
Author: Kurt Roeckx
Message: Support writing RSA keys using the traditional format again

Fixes: #6855

Reviewed-by: Richard Levitte 
GH: #8743

View the changeset: 
https://github.com/openssl/openssl/compare/8ae40cf57d21...10203a34725e

View the full build log and details: 
https://travis-ci.com/github/openssl/openssl/builds/183588368?utm_medium=notification_source=email


--

You can unsubscribe from build emails from the openssl/openssl repository going 
to 
https://travis-ci.com/account/preferences/unsubscribe?repository=13885459_medium=notification_source=email.
Or unsubscribe from *all* email updating your settings at 
https://travis-ci.com/account/preferences/unsubscribe?utm_medium=notification_source=email.
Or configure specific recipients for build notifications in your .travis.yml 
file. See https://docs.travis-ci.com/user/notifications.

Build failed: openssl master.36796

[AppVeyor]

Build openssl master.36796 failed


Commit 1c266cfac2 by Shane Lontis on 9/2/2020 12:45 PM:

fixup! Add Generated File


Configure your notification preferences

Errored: openssl/openssl#37339 (master - 8ae40cf)

[Travis CI]

Build Update for openssl/openssl
-

Build: #37339
Status: Errored

Duration: 1 hr, 20 mins, and 29 secs
Commit: 8ae40cf (master)
Author: Richard Levitte
Message: ENCODER: Refactor provider implementations, and some cleanup

The encoder implementations were implemented by unnecessarily copying
code into numerous topical source files, making them hard to maintain.
This changes merges all those into two source files, one that encodes
into DER and PEM, the other to text.

Diverse small cleanups are included.

Reviewed-by: Shane Lontis 
(Merged from https://github.com/openssl/openssl/pull/12803)

View the changeset: 
https://github.com/openssl/openssl/compare/ce43db7a3fcd...8ae40cf57d21

View the full build log and details: 
https://travis-ci.com/github/openssl/openssl/builds/183569217?utm_medium=notification_source=email


--

You can unsubscribe from build emails from the openssl/openssl repository going 
to 
https://travis-ci.com/account/preferences/unsubscribe?repository=13885459_medium=notification_source=email.
Or unsubscribe from *all* email updating your settings at 
https://travis-ci.com/account/preferences/unsubscribe?utm_medium=notification_source=email.
Or configure specific recipients for build notifications in your .travis.yml 
file. See https://docs.travis-ci.com/user/notifications.

[openssl] master update

[shane . lontis]

The branch master has been updated
   via  474853c39a2b631f9f401df32834043500081b7c (commit)
  from  10203a34725ec75136b03d64fd2126b321419ac1 (commit)


- Log -
commit 474853c39a2b631f9f401df32834043500081b7c
Author: Rich Salz 
Date:   Mon Sep 7 11:38:48 2020 -0400

Fix markdown nits in NOTES-Windows.txt

And add a comment that this file is in markdown, but has a .txt
extension on purpose.

Reviewed-by: Richard Levitte 
Reviewed-by: Paul Dale 
Reviewed-by: Shane Lontis 
(Merged from https://github.com/openssl/openssl/pull/12805)

---

Summary of changes:
 Configurations/unix-Makefile.tmpl |  2 +-
 NOTES-Windows.txt | 38 --
 2 files changed, 21 insertions(+), 19 deletions(-)

diff --git a/Configurations/unix-Makefile.tmpl 
b/Configurations/unix-Makefile.tmpl
index ff37aa0290..cb6263c911 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -998,7 +998,7 @@ cmd-nits: build_generated apps/openssl
 # Finally, there's a Node.js version, which we haven't tried, that
 # can be found at https://github.com/DavidAnson/markdownlint
 md-nits:
-   mdl -s util/markdownlint.rb .
+   mdl -s util/markdownlint.rb . NOTES-Windows.txt
 
 # Test coverage is a good idea for the future
 #coverage: $(PROGRAMS) $(TESTPROGRAMS)
diff --git a/NOTES-Windows.txt b/NOTES-Windows.txt
index 683e40671e..20cce41911 100644
--- a/NOTES-Windows.txt
+++ b/NOTES-Windows.txt
@@ -1,6 +1,8 @@
+NOTES FOR WINDOWS PLATFORMS
+===
 
- NOTES FOR WINDOWS PLATFORMS
- ===
+ (This file, like the others, is in "markdown" format, but has a ".txt"
+ extension to make it easier to view/edit on Windows.)
 
  There are various options to build and run OpenSSL on the Windows platforms.
 
@@ -17,7 +19,6 @@
  for building (using GNU/Unix shell, compiler, and tools) and at run time.
  For this option you can use Cygwin.
 
-
  Visual C++ native builds, aka VC-*
  =
 
@@ -28,17 +29,17 @@
  these are required as well:
 
  - Perl.
-   We recommend Strawberry Perl, available from http://strawberryperl.com/
+   We recommend Strawberry Perl, available from 
Please read NOTES.PERL for more information, including the use of CPAN.
-   An alternative is ActiveState Perl, https://www.activestate.com/ActivePerl
+   An alternative is ActiveState Perl, 
for which you may need to explicitly build the Perl module Win32/Console.pm
-   via https://platform.activestate.com/ActiveState and then download it.
+   via  and then download it.
 
  - Microsoft Visual C compiler.
Since these are proprietary and ever-changing we cannot test them all.
Older versions may not work. Use a recent version wherever possible.
 
- - Netwide Assembler (NASM), available from https://www.nasm.us
+ - Netwide Assembler (NASM), available from 
Note that NASM is the only supported assembler.
 
  Quick start
@@ -55,7 +56,8 @@
 Or run "cmd" and execute "vcvarsall.bat" with one of the options x86,
 x86_amd64, x86_arm, x86_arm64, amd64, amd64_x86, amd64_arm, or amd64_arm64.
 This sets up the environment variables needed for nmake.exe, cl.exe, etc.
-See also https://docs.microsoft.com/cpp/build/building-on-the-command-line
+See also
+
 
  5. From the root of the OpenSSL source directory enter
 perl Configure VC-WIN32if you want 32-bit OpenSSL or
@@ -109,7 +111,6 @@
"vcvarsall.bat" before you compile. For example, if you want to build
"arm64" builds, you should run "vcvarsall.bat x86_arm64 uwp".
 
-
  Native OpenSSL built using MinGW
  
 
@@ -124,7 +125,7 @@
 
Requirement details
 
-   - MSYS2 shell, from https://www.msys2.org/
+   - MSYS2 shell, from 
 
- Perl, at least version 5.10.0, which usually comes pre-installed with 
MSYS2
 
@@ -177,19 +178,20 @@
  and exporting from .exe image in question own _OPENSSL_isservice not
  relying on USER32.DLL. E.g., on Windows Vista and later you could:
 
-   __declspec(dllexport) __cdecl BOOL _OPENSSL_isservice(void)
-   {   DWORD sess;
-   if (ProcessIdToSessionId(GetCurrentProcessId(),))
-   return sess==0;
-   return FALSE;
-   }
+__declspec(dllexport) __cdecl BOOL _OPENSSL_isservice(void)
+{
+DWORD sess;
+
+if (ProcessIdToSessionId(GetCurrentProcessId(), ))
+return sess == 0;
+return FALSE;
+}
 
  If you link with OpenSSL .DLLs, then you're expected to include into
  your application code a 

Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module

[OpenSSL run-checker]

Platform and configuration command:

$ uname -a
Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module

Commit log since last time:

b434b2c08d Allow unauthenticated CMP server if missing -trusted, -srvcert, and 
-secret options
15633d74dc Add 4 new OIDs for PKIX key purposes and 3 new CMP information types
1251cddf8d TEST: modify test/endecode_test.c to not use legacy keys
4ce1025a8a PEM: Make PEM_write_bio_PrivateKey_traditional() handle 
provider-native keys
924663c36d Add CMS AuthEnvelopedData with AES-GCM support
d96486dc80 apps/cmp.c: Allow default HTTP path (aka CMP alias) given with 
-server option
6e477a60e4 apps/cmp.c: Use enhanced OSSL_HTTP_parse_url(), removing 
parse_addr() and atoint()
d7fcee3b3b OSSL_HTTP_parse_url(): add optional port number return parameter and 
strengthen documentation
8d6481f532 EVP: Move the functions and controls for setting and getting distid
b968945204 EVP: Expand the use of EVP_PKEY_CTX_md()
86df26b394 EVP: Add support for delayed EVP_PKEY operation parameters
ea0add4a82 New GOST PKCS12 standard support
08497fc64f Fix test/evp_extra_test.c
20d56d6d62 EVP: Don't shadow EVP_PKEY_CTX_new* error records
509144964b EVP: Preserve the EVP_PKEY id in a few more spots
884baafba4 Use return code for 'which command' checks
4348995b0d Fix memory leaks in conf_def.c
385deae79f Building: Build Unix static libraries one object file at a time

Build log ended with (last 100 lines):

#   Failed test 'unprotected request'
#   at ../openssl/test/recipes/81-test_cmp_cli.t line 184.
# Looks like you failed 3 tests of 38.
not ok 5 - CMP app CLI Mock credentials
# --
# cmp_main:../openssl/apps/cmp.c:2688:CMP info: using OpenSSL configuration 
file '../Mock/test.cnf'
# opt_str:../openssl/apps/cmp.c:2286:CMP warning: argument of -proxy option is 
empty string, resetting option
# warn_cert_msg:../openssl/apps/cmp.c:690:CMP warning: certificate from 
'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert
# setup_client_ctx:../openssl/apps/cmp.c:2008:CMP info: will contact 
http://127.0.0.1:1700/pkix/
# ASN1_get_object:../openssl/crypto/asn1/asn1_lib.c:105:CMP error: header too 
long
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:172:CMP info: sending IR
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:190:CMP info: received 
IP
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:172:CMP info: sending 
CERTCONF
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:190:CMP info: received 
PKICONF
# save_free_certs:../openssl/apps/cmp.c:2058:CMP info: received 1 enrolled 
certificate(s), saving to file 'test.cert.pem'
../../../../../enable-fuzz-afl/util/wrap.pl 
../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf 
-section 'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey 
new.key -newkeypass 'pass:' -popo 0 -certout test.cert.pem -out_trusted 
root.crt => 0
not ok 43 - popo RAVERIFIED
# --
# cmp_main:../openssl/apps/cmp.c:2688:CMP info: using OpenSSL configuration 
file '../Mock/test.cnf'
# opt_str:../openssl/apps/cmp.c:2286:CMP warning: argument of -proxy option is 
empty string, resetting option
# warn_cert_msg:../openssl/apps/cmp.c:690:CMP warning: certificate from 
'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert
# setup_client_ctx:../openssl/apps/cmp.c:2008:CMP info: will contact 
http://127.0.0.1:1700/pkix/
# ASN1_get_object:../openssl/crypto/asn1/asn1_lib.c:105:CMP error: header too 
long
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:172:CMP info: sending IR
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:190:CMP info: received 
IP
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:172:CMP info: sending 
CERTCONF
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:190:CMP info: received 
PKICONF
# save_free_certs:../openssl/apps/cmp.c:2058:CMP info: received 1 enrolled 
certificate(s), saving to file 'test.cert.pem'
../../../../../enable-fuzz-afl/util/wrap.pl 
../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf 
-section 'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey 
new.key -newkeypass 'pass:' -popo -1 -certout test.cert.pem -out_trusted 
root.crt => 0
not ok 47 - popo NONE
# --
#   Failed test 'popo NONE'
#   at ../openssl/test/recipes/81-test_cmp_cli.t line 184.
# cmp_main:../openssl/apps/cmp.c:2688:CMP info: using OpenSSL configuration 
file '../Mock/test.cnf'
# opt_str:../openssl/apps/cmp.c:2286:CMP warning: argument of -proxy option is 
empty string, resetting option
# warn_cert_msg:../openssl/apps/cmp.c:690:CMP warning: certificate from 
'trusted.crt' with subject 

Errored: openssl/openssl#37333 (master - ce43db7)

[Travis CI]

Build Update for openssl/openssl
-

Build: #37333
Status: Errored

Duration: 1 hr, 19 mins, and 35 secs
Commit: ce43db7 (master)
Author: Jon Spillett
Message: Fix up issue on AIX caused by broken compiler handling of macro 
expansion

Reviewed-by: Tim Hudson 
Reviewed-by: Shane Lontis 
(Merged from https://github.com/openssl/openssl/pull/12812)

View the changeset: 
https://github.com/openssl/openssl/compare/b7a8fb52a95d...ce43db7a3fcd

View the full build log and details: 
https://travis-ci.com/github/openssl/openssl/builds/183514847?utm_medium=notification_source=email


--

You can unsubscribe from build emails from the openssl/openssl repository going 
to 
https://travis-ci.com/account/preferences/unsubscribe?repository=13885459_medium=notification_source=email.
Or unsubscribe from *all* email updating your settings at 
https://travis-ci.com/account/preferences/unsubscribe?utm_medium=notification_source=email.
Or configure specific recipients for build notifications in your .travis.yml 
file. See https://docs.travis-ci.com/user/notifications.

Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-ui-console

[OpenSSL run-checker]

Platform and configuration command:

$ uname -a
Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-ui-console

Commit log since last time:

b434b2c08d Allow unauthenticated CMP server if missing -trusted, -srvcert, and 
-secret options
15633d74dc Add 4 new OIDs for PKIX key purposes and 3 new CMP information types
1251cddf8d TEST: modify test/endecode_test.c to not use legacy keys
4ce1025a8a PEM: Make PEM_write_bio_PrivateKey_traditional() handle 
provider-native keys
924663c36d Add CMS AuthEnvelopedData with AES-GCM support
d96486dc80 apps/cmp.c: Allow default HTTP path (aka CMP alias) given with 
-server option
6e477a60e4 apps/cmp.c: Use enhanced OSSL_HTTP_parse_url(), removing 
parse_addr() and atoint()
d7fcee3b3b OSSL_HTTP_parse_url(): add optional port number return parameter and 
strengthen documentation
8d6481f532 EVP: Move the functions and controls for setting and getting distid
b968945204 EVP: Expand the use of EVP_PKEY_CTX_md()
86df26b394 EVP: Add support for delayed EVP_PKEY operation parameters
ea0add4a82 New GOST PKCS12 standard support
08497fc64f Fix test/evp_extra_test.c
20d56d6d62 EVP: Don't shadow EVP_PKEY_CTX_new* error records
509144964b EVP: Preserve the EVP_PKEY id in a few more spots
884baafba4 Use return code for 'which command' checks
4348995b0d Fix memory leaks in conf_def.c
385deae79f Building: Build Unix static libraries one object file at a time

Build log ended with (last 100 lines):

#   Failed test 'p10cr csr empty file'
#   at ../openssl/test/recipes/81-test_cmp_cli.t line 184.
../../../../../no-ui-console/util/wrap.pl 
../../../../../no-ui-console/apps/openssl cmp -config ../Mock/test.cnf -section 
'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd p10cr -newkey new.key 
-newkeypass 'pass:' -certout test.cert.pem -out_trusted root.crt -csr 
wrong.csr.pem => 139
not ok 78 - p10cr wrong csr
# --
#   Failed test 'p10cr wrong csr'
#   at ../openssl/test/recipes/81-test_cmp_cli.t line 184.
../../../../../no-ui-console/util/wrap.pl 
../../../../../no-ui-console/apps/openssl cmp -config ../Mock/test.cnf -section 
'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key 
-newkeypass 'pass:' -certout test.cert.pem -out_trusted root.crt -revreason 5 
=> 139
not ok 79 - ir + ignored revocation
# --
../../../../../no-ui-console/util/wrap.pl 
../../../../../no-ui-console/apps/openssl cmp -config ../Mock/test.cnf -section 
'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd cr -newkey new.key 
-newkeypass 'pass:' -certout test.cert.pem -out_trusted root.crt => 139
not ok 82 - cr command
# --
#   Failed test 'cr command'
#   at ../openssl/test/recipes/81-test_cmp_cli.t line 184.
../../../../../no-ui-console/util/wrap.pl 
../../../../../no-ui-console/apps/openssl cmp -config ../Mock/test.cnf -section 
'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd kur -newkey new.key 
-newkeypass 'pass:' -certout test.cert.pem -out_trusted root.crt -oldcert 
test.cert.pem -server '127.0.0.1:1700' -cert test.cert.pem -key new.key 
-extracerts issuing.crt => 139
not ok 83 - kur command explicit options
# --
#   Failed test 'kur command explicit options'
#   at ../openssl/test/recipes/81-test_cmp_cli.t line 184.
../../../../../no-ui-console/util/wrap.pl 
../../../../../no-ui-console/apps/openssl cmp -config ../Mock/test.cnf -section 
'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd kur -subject "" -certout 
test.cert.pem -oldcert test.cert.pem -server '127.0.0.1:1700' -cert 
test.cert.pem -key new.key -extracerts issuing.crt -secret "" => 139
not ok 84 - kur command minimal options
# --
../../../../../no-ui-console/util/wrap.pl 
../../../../../no-ui-console/apps/openssl cmp -config ../Mock/test.cnf -section 
'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd kur -newkey dir/ 
-newkeypass 'pass:' -certout test.cert.pem -out_trusted root.crt -oldcert 
test.cert.pem -server '127.0.0.1:1700' => 139
not ok 86 - kur newkey is directory
# --
../../../../../no-ui-console/util/wrap.pl 
../../../../../no-ui-console/apps/openssl cmp -config ../Mock/test.cnf -section 
'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd kur -newkey new.key 
-newkeypass 'pass:' -certout test.cert.pem -out_trusted root.crt -oldcert dir/ 
-server '127.0.0.1:1700' => 139
not ok 89 - kur oldcert is directory
# --
#   

Errored: openssl/openssl#37329 (master - b7a8fb5)

[Travis CI]

Build Update for openssl/openssl
-

Build: #37329
Status: Errored

Duration: 1 hr, 30 mins, and 48 secs
Commit: b7a8fb5 (master)
Author: Pauli
Message: s_time: check return values better

Reviewed-by: Dmitry Belyavskiy 
Reviewed-by: Ben Kaduk 
(Merged from https://github.com/openssl/openssl/pull/12808)

View the changeset: 
https://github.com/openssl/openssl/compare/e942111267f2...b7a8fb52a95d

View the full build log and details: 
https://travis-ci.com/github/openssl/openssl/builds/183505139?utm_medium=notification_source=email


--

You can unsubscribe from build emails from the openssl/openssl repository going 
to 
https://travis-ci.com/account/preferences/unsubscribe?repository=13885459_medium=notification_source=email.
Or unsubscribe from *all* email updating your settings at 
https://travis-ci.com/account/preferences/unsubscribe?utm_medium=notification_source=email.
Or configure specific recipients for build notifications in your .travis.yml 
file. See https://docs.travis-ci.com/user/notifications.

[openssl] master update

[Kurt Roeckx]

The branch master has been updated
   via  10203a34725ec75136b03d64fd2126b321419ac1 (commit)
  from  8ae40cf57d2138af92a3479e23f35037ae8c5c30 (commit)


- Log -
commit 10203a34725ec75136b03d64fd2126b321419ac1
Author: Kurt Roeckx 
Date:   Sat Apr 13 15:52:47 2019 +0200

Support writing RSA keys using the traditional format again

Fixes: #6855

Reviewed-by: Richard Levitte 
GH: #8743

---

Summary of changes:
 CHANGES.md |  4 ++--
 apps/genrsa.c  | 20 +++-
 apps/rsa.c | 17 ++---
 doc/man1/openssl-genrsa.pod.in |  5 +
 doc/man1/openssl-rsa.pod.in| 12 +---
 doc/man1/openssl.pod   |  2 +-
 test/testrsa.pem   | 19 ++-
 7 files changed, 52 insertions(+), 27 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index c2bbf0d167..0f6880d716 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -353,8 +353,8 @@ OpenSSL 3.0
*Paul Dale*
 
  * The command line utilities genrsa and rsa have been modified to use PKEY
-   APIs  These commands are now in maintenance mode and no new features will
-   be added to them.
+   APIs. They now write PKCS#8 keys by default. These commands are now in
+   maintenance mode and no new features will be added to them.
 
*Paul Dale*
 
diff --git a/apps/genrsa.c b/apps/genrsa.c
index 4f589e98c1..04315a559b 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -38,7 +38,7 @@ typedef enum OPTION_choice {
 #endif
 OPT_F4, OPT_ENGINE,
 OPT_OUT, OPT_PASSOUT, OPT_CIPHER, OPT_PRIMES, OPT_VERBOSE,
-OPT_R_ENUM, OPT_PROV_ENUM
+OPT_R_ENUM, OPT_PROV_ENUM, OPT_TRADITIONAL
 } OPTION_CHOICE;
 
 const OPTIONS genrsa_options[] = {
@@ -62,6 +62,8 @@ const OPTIONS genrsa_options[] = {
 {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
 {"primes", OPT_PRIMES, 'p', "Specify number of primes"},
 {"verbose", OPT_VERBOSE, '-', "Verbose output"},
+{"traditional", OPT_TRADITIONAL, '-',
+ "Use traditional format for private keys"},
 {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
 
 OPT_R_OPTIONS,
@@ -88,7 +90,7 @@ int genrsa_main(int argc, char **argv)
 char *outfile = NULL, *passoutarg = NULL, *passout = NULL;
 char *prog, *hexe, *dece;
 OPTION_CHOICE o;
-unsigned char *ebuf = NULL;
+int traditional = 0;
 
 if (bn == NULL || cb == NULL)
 goto end;
@@ -141,6 +143,9 @@ opthelp:
 case OPT_VERBOSE:
 verbose = 1;
 break;
+case OPT_TRADITIONAL:
+traditional = 1;
+break;
 }
 }
 argc = opt_num_rest();
@@ -214,8 +219,14 @@ opthelp:
 OPENSSL_free(hexe);
 OPENSSL_free(dece);
 }
-if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout))
-goto end;
+if (traditional) {
+if (!PEM_write_bio_PrivateKey_traditional(out, pkey, enc, NULL, 0,
+  NULL, passout))
+goto end;
+} else {
+if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout))
+goto end;
+}
 
 ret = 0;
  end:
@@ -226,7 +237,6 @@ opthelp:
 BIO_free_all(out);
 release_engine(eng);
 OPENSSL_free(passout);
-OPENSSL_free(ebuf);
 if (ret != 0)
 ERR_print_errors(bio_err);
 return ret;
diff --git a/apps/rsa.c b/apps/rsa.c
index 0464729f71..fdee96d570 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -31,7 +31,7 @@ typedef enum OPTION_choice {
 /* Do not change the order here; see case statements below */
 OPT_PVK_NONE, OPT_PVK_WEAK, OPT_PVK_STRONG,
 OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_CHECK, OPT_CIPHER,
-OPT_PROV_ENUM
+OPT_PROV_ENUM, OPT_TRADITIONAL
 } OPTION_CHOICE;
 
 const OPTIONS rsa_options[] = {
@@ -59,6 +59,8 @@ const OPTIONS rsa_options[] = {
 {"noout", OPT_NOOUT, '-', "Don't print key out"},
 {"text", OPT_TEXT, '-', "Print the key in text"},
 {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"},
+{"traditional", OPT_TRADITIONAL, '-',
+ "Use traditional format for private keys"},
 
 #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
 OPT_SECTION("PVK"),
@@ -88,6 +90,7 @@ int rsa_main(int argc, char **argv)
 int pvk_encr = 2;
 #endif
 OPTION_CHOICE o;
+int traditional = 0;
 
 prog = opt_init(argc, argv, rsa_options);
 while ((o = opt_next()) != OPT_EOF) {
@@ -163,6 +166,9 @@ int rsa_main(int argc, char **argv)
 if (!opt_provider(o))
 goto end;
 break;
+case OPT_TRADITIONAL:
+traditional = 1;
+break;
 }
 }
 argc = opt_num_rest();
@@ -280,8 +286,13 @@ int rsa_main(int argc, char **argv)
 i = PEM_write_bio_RSA_PUBKEY(out, rsa);
 

Errored: openssl/openssl#37328 (master - e942111)

[Travis CI]

Build Update for openssl/openssl
-

Build: #37328
Status: Errored

Duration: 1 hr, 29 mins, and 42 secs
Commit: e942111 (master)
Author: Pauli
Message: In a non-shared build, don't include the md5 object files in legacy 
provider

Reviewed-by: Ben Kaduk 
(Merged from https://github.com/openssl/openssl/pull/11961)

View the changeset: 
https://github.com/openssl/openssl/compare/b434b2c08d20...e942111267f2

View the full build log and details: 
https://travis-ci.com/github/openssl/openssl/builds/183504905?utm_medium=notification_source=email


--

You can unsubscribe from build emails from the openssl/openssl repository going 
to 
https://travis-ci.com/account/preferences/unsubscribe?repository=13885459_medium=notification_source=email.
Or unsubscribe from *all* email updating your settings at 
https://travis-ci.com/account/preferences/unsubscribe?utm_medium=notification_source=email.
Or configure specific recipients for build notifications in your .travis.yml 
file. See https://docs.travis-ci.com/user/notifications.

Build completed: openssl master.36781

[AppVeyor]

Build openssl master.36781 completed



Commit ed2c05ebef by jwalch on 9/9/2020 1:22 AM:

Remove ERR_GET_LIB from libcrypto.num


Configure your notification preferences

Build failed: openssl master.36780

[AppVeyor]

Build openssl master.36780 failed


Commit 4e50b17a6f by Chris Novakovic on 9/3/2020 10:42 PM:

apps/ca: allow CRL lastUpdate/nextUpdate fields to be specified


Configure your notification preferences

[web] master update

[Mark J . Cox]

The branch master has been updated
   via  4a2dac4738e42fc30f7f38d9292a9391f715757e (commit)
  from  9b73985f37ba01f63b9aeb5c25560d2f6409dba4 (commit)


- Log -
commit 4a2dac4738e42fc30f7f38d9292a9391f715757e
Author: Mark J. Cox 
Date:   Wed Sep 9 12:59:40 2020 +0100

Add Racoon advisory, vulnerability db entry, and newsflash pointing to the 
advisory

---

Summary of changes:
 news/newsflash.txt   |  1 +
 news/secadv/20200909.txt | 76 
 news/vulnerabilities.xml | 47 +-
 3 files changed, 123 insertions(+), 1 deletion(-)
 create mode 100644 news/secadv/20200909.txt

diff --git a/news/newsflash.txt b/news/newsflash.txt
index edc8cc8..c1820fa 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -5,6 +5,7 @@
 # headings.  URL paths must all be absolute.
 Date: Item
 
+09-Sep-2020: Security Advisory: 
Raccoon attack
 05-Sep-2020: New Blog post: OpenSSL Is Looking for a 
Full Time Administrator and Manager
 06-Aug-2020: Alpha 6 of OpenSSL 3.0 is now available: please download and test 
it
 16-Jul-2020: Alpha 5 of OpenSSL 3.0 is now available: please download and test 
it
diff --git a/news/secadv/20200909.txt b/news/secadv/20200909.txt
new file mode 100644
index 000..bbe32dd
--- /dev/null
+++ b/news/secadv/20200909.txt
@@ -0,0 +1,76 @@
+OpenSSL Security Advisory [09 September 2020]
+=
+
+Raccoon Attack (CVE-2020-1968)
+==
+
+Severity: Low
+
+The Raccoon attack exploits a flaw in the TLS specification which can lead to
+an attacker being able to compute the pre-master secret in connections which
+have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would
+result in the attacker being able to eavesdrop on all encrypted communications
+sent over that TLS connection. The attack can only be exploited if an
+implementation re-uses a DH secret across multiple TLS connections. Note that
+this issue only impacts DH ciphersuites and not ECDH ciphersuites.
+
+OpenSSL 1.1.1 is not vulnerable to this issue: it never reuses a DH secret and
+does not implement any "static" DH ciphersuites.
+
+OpenSSL 1.0.2f and above will only reuse a DH secret if a "static" DH
+ciphersuite is used. These static "DH" ciphersuites are ones that start with 
the
+text "DH-" (for example "DH-RSA-AES256-SHA"). The standard IANA names for these
+ciphersuites all start with "TLS_DH_" but excludes those that start with
+"TLS_DH_anon_".
+
+OpenSSL 1.0.2e and below would reuse the DH secret across multiple TLS
+connections in server processes unless the SSL_OP_SINGLE_DH_USE option was
+explicitly configured. Therefore all ciphersuites that use DH in servers
+(including ephemeral DH) are vulnerable in these versions. In OpenSSL 1.0.2f
+SSL_OP_SINGLE_DH_USE was made the default and it could not be turned off as a
+response to CVE-2016-0701.
+
+Since the vulnerability lies in the TLS specification, fixing the affected
+ciphersuites is not viable. For this reason 1.0.2w moves the affected
+ciphersuites into the "weak-ssl-ciphers" list. Support for the
+"weak-ssl-ciphers" is not compiled in by default. This is unlikely to cause
+interoperability problems in most cases since use of these ciphersuites is 
rare.
+Support for the "weak-ssl-ciphers" can be added back by configuring OpenSSL at
+compile time with the "enable-weak-ssl-ciphers" option. This is not 
recommended.
+
+OpenSSL 1.0.2 is out of support and no longer receiving public updates.
+
+Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2w.  If
+upgrading is not viable then users of OpenSSL 1.0.2v or below should ensure
+that affected ciphersuites are disabled through runtime configuration. Also
+note that the affected ciphersuites are only available on the server side if a
+DH certificate has been configured. These certificates are very rarely used and
+for this reason this issue has been classified as LOW severity.
+
+This issue was found by Robert Merget, Marcus Brinkmann, Nimrod Aviram and 
Juraj
+Somorovsky and reported to OpenSSL on 28th May 2020 under embargo in order to
+allow co-ordinated disclosure with other implementations.
+
+Note
+
+
+OpenSSL 1.0.2 is out of support and no longer receiving public updates. 
Extended
+support is available for premium support customers:
+https://www.openssl.org/support/contracts.html
+
+OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
+The impact of this issue on OpenSSL 1.1.0 has not been analysed.
+
+Users of these versions should upgrade to OpenSSL 1.1.1.
+
+References
+==
+
+URL for this Security Advisory:
+https://www.openssl.org/news/secadv/20200909.txt
+
+Note: t

Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-err

[OpenSSL run-checker]

Platform and configuration command:

$ uname -a
Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-err

Commit log since last time:

b434b2c08d Allow unauthenticated CMP server if missing -trusted, -srvcert, and 
-secret options
15633d74dc Add 4 new OIDs for PKIX key purposes and 3 new CMP information types
1251cddf8d TEST: modify test/endecode_test.c to not use legacy keys
4ce1025a8a PEM: Make PEM_write_bio_PrivateKey_traditional() handle 
provider-native keys
924663c36d Add CMS AuthEnvelopedData with AES-GCM support
d96486dc80 apps/cmp.c: Allow default HTTP path (aka CMP alias) given with 
-server option
6e477a60e4 apps/cmp.c: Use enhanced OSSL_HTTP_parse_url(), removing 
parse_addr() and atoint()
d7fcee3b3b OSSL_HTTP_parse_url(): add optional port number return parameter and 
strengthen documentation
8d6481f532 EVP: Move the functions and controls for setting and getting distid
b968945204 EVP: Expand the use of EVP_PKEY_CTX_md()
86df26b394 EVP: Add support for delayed EVP_PKEY operation parameters
ea0add4a82 New GOST PKCS12 standard support
08497fc64f Fix test/evp_extra_test.c
20d56d6d62 EVP: Don't shadow EVP_PKEY_CTX_new* error records
509144964b EVP: Preserve the EVP_PKEY id in a few more spots
884baafba4 Use return code for 'which command' checks
4348995b0d Fix memory leaks in conf_def.c
385deae79f Building: Build Unix static libraries one object file at a time

Build log ended with (last 100 lines):

65-test_cmp_status.t ... ok
65-test_cmp_vfy.t .. ok
70-test_asyncio.t .. ok
70-test_bad_dtls.t . ok
70-test_clienthello.t .. ok
70-test_comp.t . ok
70-test_key_share.t  ok
70-test_packet.t ... ok
70-test_recordlen.t  ok
70-test_renegotiation.t  ok
70-test_servername.t ... ok
70-test_sslcbcpadding.t  ok
70-test_sslcertstatus.t  ok
70-test_sslextension.t . ok
70-test_sslmessages.t .. ok
70-test_sslrecords.t ... ok
70-test_sslsessiontick.t ... ok
70-test_sslsigalgs.t ... ok
70-test_sslsignature.t . ok
70-test_sslskewith0p.t . ok
70-test_sslversions.t .. ok
70-test_sslvertol.t  ok
70-test_tls13alerts.t .. ok
70-test_tls13cookie.t .. ok
70-test_tls13downgrade.t ... ok
70-test_tls13hrr.t . ok
70-test_tls13kexmodes.t  ok
70-test_tls13messages.t  ok
70-test_tls13psk.t . ok
70-test_tlsextms.t . ok
70-test_verify_extra.t . ok
70-test_wpacket.t .. ok
71-test_ssl_ctx.t .. ok
80-test_ca.t ... ok
80-test_cipherbytes.t .. ok
80-test_cipherlist.t ... ok
80-test_ciphername.t ... ok

# 80-test_cms.t .. ok
80-test_cmsapi.t ... ok
80-test_ct.t ... ok
80-test_dane.t . ok
80-test_dtls.t . ok
80-test_dtls_mtu.t . ok
80-test_dtlsv1listen.t . ok
80-test_http.t . ok
80-test_ocsp.t . ok
80-test_pkcs12.t ... ok
80-test_ssl_new.t .. ok
80-test_ssl_old.t .. ok
80-test_ssl_test_ctx.t . ok
80-test_sslcorrupt.t ... ok
80-test_tsa.t .. ok
80-test_x509aux.t .. ok

# 81-test_cmp_cli.t .. ok
90-test_asn1_time.t  ok
90-test_async.t  ok
90-test_bio_enc.t .. ok
90-test_bio_memleak.t .. ok
90-test_constant_time.t  ok
90-test_fatalerr.t . ok
90-test_gmdiff.t ... ok
90-test_gost.t . ok
90-test_ige.t .. ok
90-test_includes.t . ok
90-test_memleak.t .. ok
90-test_overhead.t . ok
90-test_secmem.t ... ok
90-test_shlibload.t  ok
90-test_srp.t .. ok
90-test_sslapi.t ... ok
90-test_sslbuffers.t ... ok
90-test_store.t  ok
90-test_sysdefault.t ... ok
90-test_threads.t .. ok
90-test_time_offset.t .. ok
90-test_tls13ccs.t . ok
90-test_tls13encryption.t .. ok
90-test_tls13secrets.t . ok
90-test_v3name.t ... ok
95-test_external_boringssl.t ... skipped: No external tests in this 
configuration
95-test_external_gost_engine.t . skipped: No external tests in this 
configuration
95-test_external_krb5.t  skipped: No external tests in this 
configuration
95-test_external_pyca.t 

Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-engine

[OpenSSL run-checker]

Platform and configuration command:

$ uname -a
Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-engine

Commit log since last time:

b434b2c08d Allow unauthenticated CMP server if missing -trusted, -srvcert, and 
-secret options
15633d74dc Add 4 new OIDs for PKIX key purposes and 3 new CMP information types
1251cddf8d TEST: modify test/endecode_test.c to not use legacy keys
4ce1025a8a PEM: Make PEM_write_bio_PrivateKey_traditional() handle 
provider-native keys
924663c36d Add CMS AuthEnvelopedData with AES-GCM support
d96486dc80 apps/cmp.c: Allow default HTTP path (aka CMP alias) given with 
-server option
6e477a60e4 apps/cmp.c: Use enhanced OSSL_HTTP_parse_url(), removing 
parse_addr() and atoint()
d7fcee3b3b OSSL_HTTP_parse_url(): add optional port number return parameter and 
strengthen documentation
8d6481f532 EVP: Move the functions and controls for setting and getting distid
b968945204 EVP: Expand the use of EVP_PKEY_CTX_md()
86df26b394 EVP: Add support for delayed EVP_PKEY operation parameters
ea0add4a82 New GOST PKCS12 standard support
08497fc64f Fix test/evp_extra_test.c
20d56d6d62 EVP: Don't shadow EVP_PKEY_CTX_new* error records
509144964b EVP: Preserve the EVP_PKEY id in a few more spots
884baafba4 Use return code for 'which command' checks
4348995b0d Fix memory leaks in conf_def.c
385deae79f Building: Build Unix static libraries one object file at a time

Build log ended with (last 100 lines):

storeutl: Use -help for summary.
../../../util/wrap.pl ../../../apps/openssl storeutl -engine loader_attic 
-certs -noout ../../../../openssl/test/testcrl.pem => 1
not ok 410 - Checking that -certs returns 0 objects on a CRL file
# --
#   Failed test 'Checking that -certs returns 0 objects on a CRL file'
#   at ../openssl/test/recipes/90-test_store.t line 208.
storeutl: Unknown message digest: engine
storeutl: Use -help for summary.
../../../util/wrap.pl ../../../apps/openssl storeutl -engine loader_attic -crls 
-noout ../../../../openssl/test/testx509.pem => 1
not ok 411 - Checking that -crls returns 0 objects on a certificate file
# --
#   Failed test 'Checking that -crls returns 0 objects on a certificate file'
#   at ../openssl/test/recipes/90-test_store.t line 212.
storeutl: Unknown message digest: engine
storeutl: Use -help for summary.
../../../util/wrap.pl ../../../apps/openssl storeutl -engine loader_attic -crls 
-noout ../../../../openssl/test/testcrl.pem => 1
not ok 412 - Checking that -crls returns 1 object on a CRL file
# --
#   Failed test 'Checking that -crls returns 1 object on a CRL file'
#   at ../openssl/test/recipes/90-test_store.t line 215.
storeutl: Unknown message digest: engine
storeutl: Use -help for summary.
../../../util/wrap.pl ../../../apps/openssl storeutl -engine loader_attic 
-noout -subject '/C=AU/ST=QLD/CN=SSLeay\/rsa test cert' rehash => 1
not ok 413
# --
#   Failed test at ../openssl/test/recipes/90-test_store.t line 226.
storeutl: Unknown message digest: engine
storeutl: Use -help for summary.
../../../util/wrap.pl ../../../apps/openssl storeutl -engine loader_attic 
-noout -subject '/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification 
Authority' rehash => 1
not ok 414
# --
#   Failed test at ../openssl/test/recipes/90-test_store.t line 229.
storeutl: Unknown message digest: engine
storeutl: Use -help for summary.
../../../util/wrap.pl ../../../apps/openssl storeutl -engine loader_attic 
-noout -certs -subject '/C=AU/ST=QLD/CN=SSLeay\/rsa test cert' rehash => 1
not ok 415
# --
#   Failed test at ../openssl/test/recipes/90-test_store.t line 233.
storeutl: Unknown message digest: engine
storeutl: Use -help for summary.
../../../util/wrap.pl ../../../apps/openssl storeutl -engine loader_attic 
-noout -crls -subject '/C=AU/ST=QLD/CN=SSLeay\/rsa test cert' rehash => 1
not ok 416
# --
#   Failed test at ../openssl/test/recipes/90-test_store.t line 236.
storeutl: Unknown message digest: engine
storeutl: Use -help for summary.
../../../util/wrap.pl ../../../apps/openssl storeutl -engine loader_attic 
-noout -certs -subject '/C=US/O=RSA Data Security, Inc./OU=Secure Server 
Certification Authority' rehash => 1
not ok 417
# --
#   Failed test at ../openssl/test/recipes/90-test_store.t line 239.
storeutl: Unknown message digest: engine
storeutl: Use -help for 

[openssl] master update

[shane . lontis]

The branch master has been updated
   via  ce43db7a3fcd18866385a4552f5e4a83adfc0979 (commit)
  from  b7a8fb52a95d606e073a6f232262cc121659a1fe (commit)


- Log -
commit ce43db7a3fcd18866385a4552f5e4a83adfc0979
Author: Jon Spillett 
Date:   Tue Sep 8 10:33:28 2020 +1000

Fix up issue on AIX caused by broken compiler handling of macro expansion

Reviewed-by: Tim Hudson 
Reviewed-by: Shane Lontis 
(Merged from https://github.com/openssl/openssl/pull/12812)

---

Summary of changes:
 providers/baseprov.c  | 4 ++--
 providers/defltprov.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/providers/baseprov.c b/providers/baseprov.c
index 38d9090bb3..e9502f68cd 100644
--- a/providers/baseprov.c
+++ b/providers/baseprov.c
@@ -87,8 +87,8 @@ static const OSSL_ALGORITHM base_decoder[] = {
 #undef DECODER
 
 static const OSSL_ALGORITHM base_store[] = {
-#define STORE(name, fips, func_table)   \
-{ name, "provider=base,fips=" fips, (func_table) },
+#define STORE(name, _fips, func_table)   \
+{ name, "provider=base,fips=" _fips, (func_table) },
 
 #include "stores.inc"
 { NULL, NULL, NULL }
diff --git a/providers/defltprov.c b/providers/defltprov.c
index beaf60bb1e..371d942f4a 100644
--- a/providers/defltprov.c
+++ b/providers/defltprov.c
@@ -434,8 +434,8 @@ static const OSSL_ALGORITHM deflt_decoder[] = {
 #undef DECODER
 
 static const OSSL_ALGORITHM deflt_store[] = {
-#define STORE(name, fips, func_table)   \
-{ name, "provider=default,fips=" fips, (func_table) },
+#define STORE(name, _fips, func_table)   \
+{ name, "provider=default,fips=" _fips, (func_table) },
 
 #include "stores.inc"
 { NULL, NULL, NULL }

Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-ec2m

[OpenSSL run-checker]

Platform and configuration command:

$ uname -a
Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-ec2m

Commit log since last time:

b434b2c08d Allow unauthenticated CMP server if missing -trusted, -srvcert, and 
-secret options
15633d74dc Add 4 new OIDs for PKIX key purposes and 3 new CMP information types
1251cddf8d TEST: modify test/endecode_test.c to not use legacy keys
4ce1025a8a PEM: Make PEM_write_bio_PrivateKey_traditional() handle 
provider-native keys
924663c36d Add CMS AuthEnvelopedData with AES-GCM support
d96486dc80 apps/cmp.c: Allow default HTTP path (aka CMP alias) given with 
-server option
6e477a60e4 apps/cmp.c: Use enhanced OSSL_HTTP_parse_url(), removing 
parse_addr() and atoint()
d7fcee3b3b OSSL_HTTP_parse_url(): add optional port number return parameter and 
strengthen documentation
8d6481f532 EVP: Move the functions and controls for setting and getting distid
b968945204 EVP: Expand the use of EVP_PKEY_CTX_md()
86df26b394 EVP: Add support for delayed EVP_PKEY operation parameters
ea0add4a82 New GOST PKCS12 standard support
08497fc64f Fix test/evp_extra_test.c
20d56d6d62 EVP: Don't shadow EVP_PKEY_CTX_new* error records
509144964b EVP: Preserve the EVP_PKEY id in a few more spots
884baafba4 Use return code for 'which command' checks
4348995b0d Fix memory leaks in conf_def.c
385deae79f Building: Build Unix static libraries one object file at a time

Build log ended with (last 100 lines):

65-test_cmp_status.t ... ok
65-test_cmp_vfy.t .. ok
70-test_asyncio.t .. ok
70-test_bad_dtls.t . ok
70-test_clienthello.t .. ok
70-test_comp.t . ok
70-test_key_share.t  ok
70-test_packet.t ... ok
70-test_recordlen.t  ok
70-test_renegotiation.t  ok
70-test_servername.t ... ok
70-test_sslcbcpadding.t  ok
70-test_sslcertstatus.t  ok
70-test_sslextension.t . ok
70-test_sslmessages.t .. ok
70-test_sslrecords.t ... ok
70-test_sslsessiontick.t ... ok
70-test_sslsigalgs.t ... ok
70-test_sslsignature.t . ok
70-test_sslskewith0p.t . ok
70-test_sslversions.t .. ok
70-test_sslvertol.t  ok
70-test_tls13alerts.t .. ok
70-test_tls13cookie.t .. ok
70-test_tls13downgrade.t ... ok
70-test_tls13hrr.t . ok
70-test_tls13kexmodes.t  ok
70-test_tls13messages.t  ok
70-test_tls13psk.t . ok
70-test_tlsextms.t . ok
70-test_verify_extra.t . ok
70-test_wpacket.t .. ok
71-test_ssl_ctx.t .. ok
80-test_ca.t ... ok
80-test_cipherbytes.t .. ok
80-test_cipherlist.t ... ok
80-test_ciphername.t ... ok

# 80-test_cms.t .. ok
80-test_cmsapi.t ... ok
80-test_ct.t ... ok
80-test_dane.t . ok
80-test_dtls.t . ok
80-test_dtls_mtu.t . ok
80-test_dtlsv1listen.t . ok
80-test_http.t . ok
80-test_ocsp.t . ok
80-test_pkcs12.t ... ok
80-test_ssl_new.t .. ok
80-test_ssl_old.t .. ok
80-test_ssl_test_ctx.t . ok
80-test_sslcorrupt.t ... ok
80-test_tsa.t .. ok
80-test_x509aux.t .. ok

# 81-test_cmp_cli.t .. ok
90-test_asn1_time.t  ok
90-test_async.t  ok
90-test_bio_enc.t .. ok
90-test_bio_memleak.t .. ok
90-test_constant_time.t  ok
90-test_fatalerr.t . ok
90-test_gmdiff.t ... ok
90-test_gost.t . ok
90-test_ige.t .. ok
90-test_includes.t . ok
90-test_memleak.t .. ok
90-test_overhead.t . ok
90-test_secmem.t ... ok
90-test_shlibload.t  ok
90-test_srp.t .. ok
90-test_sslapi.t ... ok
90-test_sslbuffers.t ... ok
90-test_store.t  ok
90-test_sysdefault.t ... ok
90-test_threads.t .. ok
90-test_time_offset.t .. ok
90-test_tls13ccs.t . ok
90-test_tls13encryption.t .. ok
90-test_tls13secrets.t . ok
90-test_v3name.t ... ok
95-test_external_boringssl.t ... skipped: No external tests in this 
configuration
95-test_external_gost_engine.t . skipped: No external tests in this 
configuration
95-test_external_krb5.t  skipped: No external tests in this 
configuration
95-test_external_pyca.t 

[openssl] master update

[Dr . Paul Dale]

The branch master has been updated
   via  b7a8fb52a95d606e073a6f232262cc121659a1fe (commit)
  from  e942111267f292070cbc8397e0cc5fddaf8371a0 (commit)


- Log -
commit b7a8fb52a95d606e073a6f232262cc121659a1fe
Author: Pauli 
Date:   Tue Sep 8 07:35:29 2020 +1000

s_time: check return values better

Reviewed-by: Dmitry Belyavskiy 
Reviewed-by: Ben Kaduk 
(Merged from https://github.com/openssl/openssl/pull/12808)

---

Summary of changes:
 apps/s_time.c | 15 +++
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/apps/s_time.c b/apps/s_time.c
index ac9c72e622..3730ca540a 100644
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -416,12 +416,19 @@ static SSL *doConnection(SSL *scon, const char *host, 
SSL_CTX *ctx)
 if ((conn = BIO_new(BIO_s_connect())) == NULL)
 return NULL;
 
-BIO_set_conn_hostname(conn, host);
-BIO_set_conn_mode(conn, BIO_SOCK_NODELAY);
+if (BIO_set_conn_hostname(conn, host) <= 0
+|| BIO_set_conn_mode(conn, BIO_SOCK_NODELAY) <= 0) {
+BIO_free(conn);
+return NULL;
+}
 
-if (scon == NULL)
+if (scon == NULL) {
 serverCon = SSL_new(ctx);
-else {
+if (serverCon == NULL) {
+BIO_free(conn);
+return NULL;
+}
+} else {
 serverCon = scon;
 SSL_set_connect_state(serverCon);
 }

[openssl] master update

[Dr . Paul Dale]

The branch master has been updated
   via  e942111267f292070cbc8397e0cc5fddaf8371a0 (commit)
   via  5c97eeb726dac6194e7a3aecf8231a512e0243ea (commit)
   via  b924d1b6e1b66def84979dbbf3c79059cff1d554 (commit)
   via  81661a14bcf9fb92eadedb15de75c3eb5b4e97a8 (commit)
   via  b250fc7be771d912460b60285ad7124e0b38ef94 (commit)
  from  b434b2c08d2025936fb8b7ece3a590861f6b (commit)


- Log -
commit e942111267f292070cbc8397e0cc5fddaf8371a0
Author: Pauli 
Date:   Sun Sep 6 20:39:12 2020 +1000

In a non-shared build, don't include the md5 object files in legacy provider

Reviewed-by: Ben Kaduk 
(Merged from https://github.com/openssl/openssl/pull/11961)

commit 5c97eeb726dac6194e7a3aecf8231a512e0243ea
Author: Pauli 
Date:   Sun Sep 6 17:14:38 2020 +1000

TLS fixes for CBC mode and no-deprecated

Reviewed-by: Ben Kaduk 
(Merged from https://github.com/openssl/openssl/pull/11961)

commit b924d1b6e1b66def84979dbbf3c79059cff1d554
Author: Pauli 
Date:   Sun Sep 6 13:44:08 2020 +1000

TLS: remove legacy code path supporting special CBC mode

Reviewed-by: Ben Kaduk 
(Merged from https://github.com/openssl/openssl/pull/11961)

commit 81661a14bcf9fb92eadedb15de75c3eb5b4e97a8
Author: Pauli 
Date:   Tue May 26 20:20:09 2020 +1000

legacy: include MD5 code in legacy provider

Reviewed-by: Ben Kaduk 
(Merged from https://github.com/openssl/openssl/pull/11961)

commit b250fc7be771d912460b60285ad7124e0b38ef94
Author: Pauli 
Date:   Tue May 26 19:38:23 2020 +1000

Deprecate SHA and MD5 again.

This reverts commit a978dc3bffb63e6bfc40fe6955e8798bdffb4e7e.

Reviewed-by: Ben Kaduk 
(Merged from https://github.com/openssl/openssl/pull/11961)

---

Summary of changes:
 crypto/md5/build.info| 11 ++
 include/openssl/md5.h| 35 ++
 include/openssl/sha.h| 96 +++-
 ssl/build.info   |  5 ++-
 ssl/record/ssl3_record.c | 23 
 ssl/s3_cbc.c | 19 --
 util/libcrypto.num   | 56 ++--
 7 files changed, 141 insertions(+), 104 deletions(-)

diff --git a/crypto/md5/build.info b/crypto/md5/build.info
index afcf7c4426..bbb70fde3c 100644
--- a/crypto/md5/build.info
+++ b/crypto/md5/build.info
@@ -18,10 +18,21 @@ $COMMON=md5_dgst.c md5_one.c md5_sha1.c $MD5ASM
 SOURCE[../../libcrypto]=$COMMON
 SOURCE[../../providers/libimplementations.a]=$COMMON
 
+# A no-deprecated no-shared build ends up with double function definitions
+# without conditioning this on dso. The issue is MD5 which is needed in the
+# legacy provider for one of the spliced algorithms, however it resides in the
+# default provider.  A no-deprecated build removes the external definition from
+# libcrypto and this means that the code needs to be in liblegacy.  However,
+# when building without 'dso', liblegacy is included in libcrypto.
+IF[{- !$disabled{dso} -}]
+  SOURCE[../../providers/liblegacy.a]=$COMMON
+ENDIF
+
 # Implementations are now spread across several libraries, so the defines
 # need to be applied to all affected libraries and modules.
 DEFINE[../../libcrypto]=$MD5DEF
 DEFINE[../../providers/libimplementations.a]=$MD5DEF
+DEFINE[../../providers/liblegacy.a]=$MD5DEF
 
 GENERATE[md5-586.s]=asm/md5-586.pl
 
diff --git a/include/openssl/md5.h b/include/openssl/md5.h
index 0a75b084a2..c61b3d94c8 100644
--- a/include/openssl/md5.h
+++ b/include/openssl/md5.h
@@ -19,22 +19,24 @@
 # include 
 
 # ifndef OPENSSL_NO_MD5
-# include 
-# include 
-# ifdef  __cplusplus
+#  include 
+#  include 
+#  ifdef  __cplusplus
 extern "C" {
-# endif
+#  endif
+
+#  define MD5_DIGEST_LENGTH 16
 
+#  if !defined(OPENSSL_NO_DEPRECATED_3_0)
 /*
  * !
  * ! MD5_LONG has to be at least 32 bits wide. !
  * !
  */
-# define MD5_LONG unsigned int
+#   define MD5_LONG unsigned int
 
-# define MD5_CBLOCK  64
-# define MD5_LBLOCK  (MD5_CBLOCK/4)
-# define MD5_DIGEST_LENGTH 16
+#   define MD5_CBLOCK  64
+#   define MD5_LBLOCK  (MD5_CBLOCK/4)
 
 typedef struct MD5state_st {
 MD5_LONG A, B, C, D;
@@ -42,15 +44,18 @@ typedef struct MD5state_st {
 MD5_LONG data[MD5_LBLOCK];
 unsigned int num;
 } MD5_CTX;
+#  endif
 
-int MD5_Init(MD5_CTX *c);
-int MD5_Update(MD5_CTX *c, const void *data, size_t len);
-int MD5_Final(unsigned char *md, MD5_CTX *c);
-unsigned char *MD5(const unsigned char *d, size_t n, unsigned char *md);
-void MD5_Transform(MD5_CTX *c, const unsigned char *b);
-# ifdef  __cplusplus
+DEPRECATEDIN_3_0(int MD5_Init(MD5_CTX *c))
+DEPRECATEDIN_3_0(int MD5_Update(MD5_CTX *c, const void *data, size_t len))
+DEPRECATEDIN_3_0(int MD5_Final(unsigned char 

Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dsa

[OpenSSL run-checker]

Platform and configuration command:

$ uname -a
Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-dsa

Commit log since last time:

b434b2c08d Allow unauthenticated CMP server if missing -trusted, -srvcert, and 
-secret options
15633d74dc Add 4 new OIDs for PKIX key purposes and 3 new CMP information types
1251cddf8d TEST: modify test/endecode_test.c to not use legacy keys
4ce1025a8a PEM: Make PEM_write_bio_PrivateKey_traditional() handle 
provider-native keys
924663c36d Add CMS AuthEnvelopedData with AES-GCM support
d96486dc80 apps/cmp.c: Allow default HTTP path (aka CMP alias) given with 
-server option
6e477a60e4 apps/cmp.c: Use enhanced OSSL_HTTP_parse_url(), removing 
parse_addr() and atoint()
d7fcee3b3b OSSL_HTTP_parse_url(): add optional port number return parameter and 
strengthen documentation
8d6481f532 EVP: Move the functions and controls for setting and getting distid
b968945204 EVP: Expand the use of EVP_PKEY_CTX_md()
86df26b394 EVP: Add support for delayed EVP_PKEY operation parameters
ea0add4a82 New GOST PKCS12 standard support
08497fc64f Fix test/evp_extra_test.c
20d56d6d62 EVP: Don't shadow EVP_PKEY_CTX_new* error records
509144964b EVP: Preserve the EVP_PKEY id in a few more spots
884baafba4 Use return code for 'which command' checks
4348995b0d Fix memory leaks in conf_def.c
385deae79f Building: Build Unix static libraries one object file at a time

Build log ended with (last 100 lines):

65-test_cmp_status.t ... ok
65-test_cmp_vfy.t .. ok
70-test_asyncio.t .. ok
70-test_bad_dtls.t . ok
70-test_clienthello.t .. ok
70-test_comp.t . ok
70-test_key_share.t  ok
70-test_packet.t ... ok
70-test_recordlen.t  ok
70-test_renegotiation.t  ok
70-test_servername.t ... ok
70-test_sslcbcpadding.t  ok
70-test_sslcertstatus.t  ok
70-test_sslextension.t . ok
70-test_sslmessages.t .. ok
70-test_sslrecords.t ... ok
70-test_sslsessiontick.t ... ok
70-test_sslsigalgs.t ... ok
70-test_sslsignature.t . ok
70-test_sslskewith0p.t . ok
70-test_sslversions.t .. ok
70-test_sslvertol.t  ok
70-test_tls13alerts.t .. ok
70-test_tls13cookie.t .. ok
70-test_tls13downgrade.t ... ok
70-test_tls13hrr.t . ok
70-test_tls13kexmodes.t  ok
70-test_tls13messages.t  ok
70-test_tls13psk.t . ok
70-test_tlsextms.t . ok
70-test_verify_extra.t . ok
70-test_wpacket.t .. ok
71-test_ssl_ctx.t .. ok
80-test_ca.t ... ok
80-test_cipherbytes.t .. ok
80-test_cipherlist.t ... ok
80-test_ciphername.t ... ok

# 80-test_cms.t .. ok
80-test_cmsapi.t ... ok
80-test_ct.t ... ok
80-test_dane.t . ok
80-test_dtls.t . ok
80-test_dtls_mtu.t . ok
80-test_dtlsv1listen.t . ok
80-test_http.t . ok
80-test_ocsp.t . ok
80-test_pkcs12.t ... ok
80-test_ssl_new.t .. ok
80-test_ssl_old.t .. ok
80-test_ssl_test_ctx.t . ok
80-test_sslcorrupt.t ... ok
80-test_tsa.t .. ok
80-test_x509aux.t .. ok

# 81-test_cmp_cli.t .. ok
90-test_asn1_time.t  ok
90-test_async.t  ok
90-test_bio_enc.t .. ok
90-test_bio_memleak.t .. ok
90-test_constant_time.t  ok
90-test_fatalerr.t . ok
90-test_gmdiff.t ... ok
90-test_gost.t . skipped: GOST support is disabled in this 
OpenSSL build
90-test_ige.t .. ok
90-test_includes.t . ok
90-test_memleak.t .. ok
90-test_overhead.t . ok
90-test_secmem.t ... ok
90-test_shlibload.t  ok
90-test_srp.t .. ok
90-test_sslapi.t ... ok
90-test_sslbuffers.t ... ok
90-test_store.t  ok
90-test_sysdefault.t ... ok
90-test_threads.t .. ok
90-test_time_offset.t .. ok
90-test_tls13ccs.t . ok
90-test_tls13encryption.t .. ok
90-test_tls13secrets.t . ok
90-test_v3name.t ... ok
95-test_external_boringssl.t ... skipped: No external tests in this 
configuration
95-test_external_gost_engine.t . skipped: No external tests in this 
configuration
95-test_external_krb5.t  skipped: No external tests in 

Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dh

[OpenSSL run-checker]

Platform and configuration command:

$ uname -a
Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-dh

Commit log since last time:

b434b2c08d Allow unauthenticated CMP server if missing -trusted, -srvcert, and 
-secret options
15633d74dc Add 4 new OIDs for PKIX key purposes and 3 new CMP information types
1251cddf8d TEST: modify test/endecode_test.c to not use legacy keys
4ce1025a8a PEM: Make PEM_write_bio_PrivateKey_traditional() handle 
provider-native keys
924663c36d Add CMS AuthEnvelopedData with AES-GCM support
d96486dc80 apps/cmp.c: Allow default HTTP path (aka CMP alias) given with 
-server option
6e477a60e4 apps/cmp.c: Use enhanced OSSL_HTTP_parse_url(), removing 
parse_addr() and atoint()
d7fcee3b3b OSSL_HTTP_parse_url(): add optional port number return parameter and 
strengthen documentation
8d6481f532 EVP: Move the functions and controls for setting and getting distid
b968945204 EVP: Expand the use of EVP_PKEY_CTX_md()
86df26b394 EVP: Add support for delayed EVP_PKEY operation parameters
ea0add4a82 New GOST PKCS12 standard support
08497fc64f Fix test/evp_extra_test.c
20d56d6d62 EVP: Don't shadow EVP_PKEY_CTX_new* error records
509144964b EVP: Preserve the EVP_PKEY id in a few more spots
884baafba4 Use return code for 'which command' checks
4348995b0d Fix memory leaks in conf_def.c
385deae79f Building: Build Unix static libraries one object file at a time

Build log ended with (last 100 lines):

65-test_cmp_status.t ... ok
65-test_cmp_vfy.t .. ok
70-test_asyncio.t .. ok
70-test_bad_dtls.t . ok
70-test_clienthello.t .. ok
70-test_comp.t . ok
70-test_key_share.t  ok
70-test_packet.t ... ok
70-test_recordlen.t  ok
70-test_renegotiation.t  ok
70-test_servername.t ... ok
70-test_sslcbcpadding.t  ok
70-test_sslcertstatus.t  ok
70-test_sslextension.t . ok
70-test_sslmessages.t .. ok
70-test_sslrecords.t ... ok
70-test_sslsessiontick.t ... ok
70-test_sslsigalgs.t ... ok
70-test_sslsignature.t . ok
70-test_sslskewith0p.t . skipped: dh is not supported by this 
OpenSSL build
70-test_sslversions.t .. ok
70-test_sslvertol.t  ok
70-test_tls13alerts.t .. ok
70-test_tls13cookie.t .. ok
70-test_tls13downgrade.t ... ok
70-test_tls13hrr.t . ok
70-test_tls13kexmodes.t  ok
70-test_tls13messages.t  ok
70-test_tls13psk.t . ok
70-test_tlsextms.t . ok
70-test_verify_extra.t . ok
70-test_wpacket.t .. ok
71-test_ssl_ctx.t .. ok
80-test_ca.t ... ok
80-test_cipherbytes.t .. ok
80-test_cipherlist.t ... ok
80-test_ciphername.t ... ok

# 80-test_cms.t .. ok
80-test_cmsapi.t ... ok
80-test_ct.t ... ok
80-test_dane.t . ok
80-test_dtls.t . ok
80-test_dtls_mtu.t . ok
80-test_dtlsv1listen.t . skipped: dh is not supported by this 
OpenSSL build
80-test_http.t . ok
80-test_ocsp.t . ok
80-test_pkcs12.t ... ok
80-test_ssl_new.t .. ok
80-test_ssl_old.t .. ok
80-test_ssl_test_ctx.t . ok
80-test_sslcorrupt.t ... ok
80-test_tsa.t .. ok
80-test_x509aux.t .. ok

# 81-test_cmp_cli.t .. ok
90-test_asn1_time.t  ok
90-test_async.t  ok
90-test_bio_enc.t .. ok
90-test_bio_memleak.t .. ok
90-test_constant_time.t  ok
90-test_fatalerr.t . ok
90-test_gmdiff.t ... ok
90-test_gost.t . ok
90-test_ige.t .. ok
90-test_includes.t . ok
90-test_memleak.t .. ok
90-test_overhead.t . ok
90-test_secmem.t ... ok
90-test_shlibload.t  ok
90-test_srp.t .. ok
90-test_sslapi.t ... ok
90-test_sslbuffers.t ... ok
90-test_store.t  ok
90-test_sysdefault.t ... ok
90-test_threads.t .. ok
90-test_time_offset.t .. ok
90-test_tls13ccs.t . ok
90-test_tls13encryption.t .. ok
90-test_tls13secrets.t . ok
90-test_v3name.t ... ok
95-test_external_boringssl.t ... skipped: No external tests in this 
configuration
95-test_external_gost_engine.t . skipped: No external tests in this 
configuration
95-test_external_krb5.t 

Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dgram

[OpenSSL run-checker]

Platform and configuration command:

$ uname -a
Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-dgram

Commit log since last time:

b434b2c08d Allow unauthenticated CMP server if missing -trusted, -srvcert, and 
-secret options
15633d74dc Add 4 new OIDs for PKIX key purposes and 3 new CMP information types
1251cddf8d TEST: modify test/endecode_test.c to not use legacy keys
4ce1025a8a PEM: Make PEM_write_bio_PrivateKey_traditional() handle 
provider-native keys
924663c36d Add CMS AuthEnvelopedData with AES-GCM support
d96486dc80 apps/cmp.c: Allow default HTTP path (aka CMP alias) given with 
-server option
6e477a60e4 apps/cmp.c: Use enhanced OSSL_HTTP_parse_url(), removing 
parse_addr() and atoint()
d7fcee3b3b OSSL_HTTP_parse_url(): add optional port number return parameter and 
strengthen documentation
8d6481f532 EVP: Move the functions and controls for setting and getting distid
b968945204 EVP: Expand the use of EVP_PKEY_CTX_md()
86df26b394 EVP: Add support for delayed EVP_PKEY operation parameters
ea0add4a82 New GOST PKCS12 standard support
08497fc64f Fix test/evp_extra_test.c
20d56d6d62 EVP: Don't shadow EVP_PKEY_CTX_new* error records
509144964b EVP: Preserve the EVP_PKEY id in a few more spots
884baafba4 Use return code for 'which command' checks
4348995b0d Fix memory leaks in conf_def.c
385deae79f Building: Build Unix static libraries one object file at a time

Build log ended with (last 100 lines):


# 80-test_cms.t .. ok
80-test_cmsapi.t ... ok
80-test_ct.t ... ok
80-test_dane.t . ok
80-test_dtls.t . skipped: No DTLS protocols are supported 
by this OpenSSL build
80-test_dtls_mtu.t . skipped: test_dtls_mtu needs DTLS and PSK 
support enabled
80-test_dtlsv1listen.t . ok
80-test_http.t . ok
80-test_ocsp.t . ok
80-test_pkcs12.t ... ok

# ERROR: (ptr) 'server_ctx != NULL' failed @ 
../openssl/test/ssl_test.c:479
# 0x0
not ok 7 - iteration 7
# --
# ERROR: (ptr) 'server_ctx != NULL' failed @ 
../openssl/test/ssl_test.c:479
# 0x0
not ok 8 - iteration 8
# --
# ERROR: (ptr) 'server_ctx != NULL' failed @ 
../openssl/test/ssl_test.c:479
# 0x0
not ok 9 - iteration 9
# --
# ERROR: (ptr) 'server_ctx != NULL' failed @ 
../openssl/test/ssl_test.c:479
# 0x0
not ok 10 - iteration 10
# --
# ERROR: (ptr) 'server_ctx != NULL' failed @ 
../openssl/test/ssl_test.c:479
# 0x0
not ok 11 - iteration 11
# --
# ERROR: (ptr) 'server_ctx != NULL' failed @ 
../openssl/test/ssl_test.c:479
# 0x0
not ok 12 - iteration 12
# --
not ok 1 - test_handshake
# --
../../util/wrap.pl ../../test/ssl_test 04-client_auth.cnf.fips fips 
../../../openssl/test/fips-and-base.cnf => 1
not ok 9 - running ssl_test 04-client_auth.cnf
# --
#   Failed test 'running ssl_test 04-client_auth.cnf'
#   at ../openssl/test/recipes/80-test_ssl_new.t line 173.
# Looks like you failed 1 test of 9.
not ok 5 - Test configuration 04-client_auth.cnf
# --
# Looks like you failed 1 test of 31.80-test_ssl_new.t .. 
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/31 subtests 
80-test_ssl_old.t .. ok
80-test_ssl_test_ctx.t . ok
80-test_sslcorrupt.t ... ok
80-test_tsa.t .. ok
80-test_x509aux.t .. ok

# 81-test_cmp_cli.t .. ok
90-test_asn1_time.t  ok
90-test_async.t  ok
90-test_bio_enc.t .. ok
90-test_bio_memleak.t .. ok
90-test_constant_time.t  ok
90-test_fatalerr.t . ok
90-test_gmdiff.t ... ok
90-test_gost.t . ok
90-test_ige.t .. ok
90-test_includes.t . ok
90-test_memleak.t .. ok
90-test_overhead.t . ok
90-test_secmem.t ... ok
90-test_shlibload.t  

Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des

[OpenSSL run-checker]

Platform and configuration command:

$ uname -a
Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-des

Commit log since last time:

b434b2c08d Allow unauthenticated CMP server if missing -trusted, -srvcert, and 
-secret options
15633d74dc Add 4 new OIDs for PKIX key purposes and 3 new CMP information types
1251cddf8d TEST: modify test/endecode_test.c to not use legacy keys
4ce1025a8a PEM: Make PEM_write_bio_PrivateKey_traditional() handle 
provider-native keys
924663c36d Add CMS AuthEnvelopedData with AES-GCM support
d96486dc80 apps/cmp.c: Allow default HTTP path (aka CMP alias) given with 
-server option
6e477a60e4 apps/cmp.c: Use enhanced OSSL_HTTP_parse_url(), removing 
parse_addr() and atoint()
d7fcee3b3b OSSL_HTTP_parse_url(): add optional port number return parameter and 
strengthen documentation
8d6481f532 EVP: Move the functions and controls for setting and getting distid
b968945204 EVP: Expand the use of EVP_PKEY_CTX_md()
86df26b394 EVP: Add support for delayed EVP_PKEY operation parameters
ea0add4a82 New GOST PKCS12 standard support
08497fc64f Fix test/evp_extra_test.c
20d56d6d62 EVP: Don't shadow EVP_PKEY_CTX_new* error records
509144964b EVP: Preserve the EVP_PKEY id in a few more spots
884baafba4 Use return code for 'which command' checks
4348995b0d Fix memory leaks in conf_def.c
385deae79f Building: Build Unix static libraries one object file at a time

Build log ended with (last 100 lines):

C0C054EB207F:error::asn1 encoding routines:ASN1_get_object:header too 
long:../openssl/crypto/asn1/asn1_lib.c:105:
Unable to load private key for CMP client certificate
cmp_main:../openssl/apps/cmp.c:2841:CMP error: cannot set up CMP context
# cmp_main:../openssl/apps/cmp.c:2688:CMP info: using OpenSSL configuration 
file '../Mock/test.cnf'
# opt_str:../openssl/apps/cmp.c:2286:CMP warning: argument of -proxy option is 
empty string, resetting option
# warn_cert_msg:../openssl/apps/cmp.c:690:CMP warning: certificate from 
'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert
../../../../../no-des/util/wrap.pl ../../../../../no-des/apps/openssl cmp 
-config ../Mock/test.cnf -section 'Mock enrollment' -proxy '' -no_proxy 
127.0.0.1 -cmd cr -newkey new.key -newkeypass 'pass:' -certout test.cert.pem 
-out_trusted root.crt => 1
not ok 82 - cr command
# --
#   Failed test 'cr command'
#   at ../openssl/test/recipes/81-test_cmp_cli.t line 184.
Could not open file or uri test.cert.pem for loading CMP client certificate 
(optionally with chain)
Could not read any cert of CMP client certificate (optionally with chain) from 
test.cert.pem
C0A0874ADF7F:error::asn1 encoding routines:ASN1_get_object:header too 
long:../openssl/crypto/asn1/asn1_lib.c:105:
C0A0874ADF7F:error::STORE routines:ossl_store_get0_loader_int:unregistered 
scheme:../openssl/crypto/store/store_register.c:240:scheme=file
C0A0874ADF7F:error::system library:file_open:No such file or 
directory:../openssl/providers/implementations/storemgmt/file_store.c:278:calling
 stat(test.cert.pem)
cmp_main:../openssl/apps/cmp.c:2841:CMP error: cannot set up CMP context
# cmp_main:../openssl/apps/cmp.c:2688:CMP info: using OpenSSL configuration 
file '../Mock/test.cnf'
# opt_str:../openssl/apps/cmp.c:2286:CMP warning: argument of -proxy option is 
empty string, resetting option
# setup_client_ctx:../openssl/apps/cmp.c:1909:CMP warning: -subject 
'/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=leaf' given, which overrides 
the subject of 'test.cert.pem' in KUR
# warn_cert_msg:../openssl/apps/cmp.c:690:CMP warning: certificate from 
'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert
../../../../../no-des/util/wrap.pl ../../../../../no-des/apps/openssl cmp 
-config ../Mock/test.cnf -section 'Mock enrollment' -proxy '' -no_proxy 
127.0.0.1 -cmd kur -newkey new.key -newkeypass 'pass:' -certout test.cert.pem 
-out_trusted root.crt -oldcert test.cert.pem -server '127.0.0.1:1700' -cert 
test.cert.pem -key new.key -extracerts issuing.crt => 1
not ok 83 - kur command explicit options
# --
#   Failed test 'kur command explicit options'
#   at ../openssl/test/recipes/81-test_cmp_cli.t line 184.
Could not open file or uri test.cert.pem for loading CMP client certificate 
(optionally with chain)
Could not read any cert of CMP client certificate (optionally with chain) from 
test.cert.pem
C040EAB3627F:error::asn1 encoding routines:ASN1_get_object:header too 
long:../openssl/crypto/asn1/asn1_lib.c:105:
C040EAB3627F:error::STORE routines:ossl_store_get0_loader_int:unregistered 
scheme:../openssl/crypto/store/store_register.c:240:scheme=file
C040EAB3627F:error::system library:file_open:No such file or