Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method
Platform and configuration command:
$ uname -a
Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64
x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method
Commit log since last time:
8bc5b0a570 chacha20: Properly reinitialize the cipher context with NULL key
2ed63033e4 x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST
04a1b3fa7b apps/req.c: Make sure -verify option takes effect also with -x509
0ae8d4ca9e apps/req.c: Cosmetic improvements of code and documentation
73b1d24c1a crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c,
v3_{alt,san}.c
b65c5ec8f5 apps/req.c: Add -copy_extensions option for use with -x509; default:
none
41e597a01d Add X509V3_set_issuer_pkey, needed for AKID of self-issued not
self-signed cert
ea9fd333d1 apps/req.c: make -subj work with -x509; clean up related code
7836f949c2 X509_PUBKEY_set(): Fix error reporting
855c68163b apps/lib/opt.c: Fix error message on unknown option/digest
f0a057dd53 Add tests for (non-)default SKID and AKID inclusion by
apps/{req,x509,ca}.c
6ad957f127 apps/req.c: add -CA and -CAkey options; improve code and doc
1579594383 APPS: Allow OPENSSL_CONF to be empty, not loading a config file
ec2bfb7d23 apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509
extensions by default
f2a0458731 X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed
to due to invalid cert
3339606a38 d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX()
48116c2d0f Fix incorrect use of BN_CTX API
1df333 Fix enable-weak-ssl-ciphers
4dd009180a x509_vfy.c: Fix a regression in find_issuer()
0cbb3602f5 Make PEM_X509_INFO_read_bio_ex() conservative on the error queue
0b7368dda0 TEST: move cert, key, and CSR loading aux functions to new
testutil/load.c
bf973d0697 Add X509_NAME_hash_ex() to be able to check if it failed due to
unsupported SHA1
5a2d0ef36f Clean away extraneous library specific FETCH_FAILED reason codes
d6d42cda5f Use centralized fetching errors
0d11846e4b Remove duplicate GENERATE declarations for .pod files
2497e2e7db Configure: warn about duplicate GENERATE declarations in build.info
files
5e16ac142e Configure: clean away perl syntax faults
507f83800f Configure: Check all SOURCE declarations, to ensure consistency
b209835364 v3_ocsp.c: fix indentation of include directives
3ddf44ea5a Close /dev/crypto file descriptor after CRIOGET ioctl().
678cae0295 APPS: Print help also on -h and --h; print high-level help when no
cmd given
3372039252 APPS: Fix confusion between program and app/command name used in
diagnostic/help output
046a7aaa5e apps/pkey.c: Forther improve user guidance, also on non-sensical
option combinations
1f7643e86e apps/pkey.c: Re-order help output and option documentation
475d10028e apps/pkey.c: Make clear that -passout is not supported for DER output
400e2acfe0 apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL
Build log ended with (last 100 lines):
# SSL_accept() failed -1, 1
# 8001915EEE7F:error:0A76:SSL routines:tls_choose_sigalg:no
suitable signature algorithm:../openssl/ssl/t1_lib.c:3308:
# INFO: @ ../openssl/test/helpers/ssltestlib.c:942
# SSL_connect() failed -1, 1
# 8001915EEE7F:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1
alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number
80
# ERROR: (bool) 'create_ssl_connection(serverssl, clientssl,
SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482
# false
not ok 2 - iteration 2
# --
not ok 53 - test_ssl_pending
# --
../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs
../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/u7U_5Yisn9
default ../../../openssl/test/default.cnf => 1
not ok 1 - running sslapitest
# --
# INFO: @ ../openssl/test/helpers/ssltestlib.c:942
# SSL_connect() failed -1, 1
# 80E1EA531A7F:error:0A000129:SSL routines:tls_setup_handshake:no
suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max
supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in
the loaded providers. Use (D)TLSv1.2 or above, or load different providers
# INFO: @ ../openssl/test/helpers/ssltestlib.c:960
# SSL_accept() failed -1, 1
# 80E1EA531A7F:error:0A000129:SSL routines:tls_setup_handshake:no
suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max
supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in
the loaded providers. Use (D)TLSv1.2 or above, or load different providers
# ERROR: (bool) 'create_ssl_connection(serverssl, clientssl,
SSL_ERROR_NONE) == true' failed @ ../o
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2
Platform and configuration command:
$ uname -a
Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64
x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2
Commit log since last time:
8bc5b0a570 chacha20: Properly reinitialize the cipher context with NULL key
2ed63033e4 x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST
04a1b3fa7b apps/req.c: Make sure -verify option takes effect also with -x509
0ae8d4ca9e apps/req.c: Cosmetic improvements of code and documentation
73b1d24c1a crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c,
v3_{alt,san}.c
b65c5ec8f5 apps/req.c: Add -copy_extensions option for use with -x509; default:
none
41e597a01d Add X509V3_set_issuer_pkey, needed for AKID of self-issued not
self-signed cert
ea9fd333d1 apps/req.c: make -subj work with -x509; clean up related code
7836f949c2 X509_PUBKEY_set(): Fix error reporting
855c68163b apps/lib/opt.c: Fix error message on unknown option/digest
f0a057dd53 Add tests for (non-)default SKID and AKID inclusion by
apps/{req,x509,ca}.c
6ad957f127 apps/req.c: add -CA and -CAkey options; improve code and doc
1579594383 APPS: Allow OPENSSL_CONF to be empty, not loading a config file
ec2bfb7d23 apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509
extensions by default
f2a0458731 X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed
to due to invalid cert
3339606a38 d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX()
48116c2d0f Fix incorrect use of BN_CTX API
1df333 Fix enable-weak-ssl-ciphers
4dd009180a x509_vfy.c: Fix a regression in find_issuer()
0cbb3602f5 Make PEM_X509_INFO_read_bio_ex() conservative on the error queue
0b7368dda0 TEST: move cert, key, and CSR loading aux functions to new
testutil/load.c
bf973d0697 Add X509_NAME_hash_ex() to be able to check if it failed due to
unsupported SHA1
5a2d0ef36f Clean away extraneous library specific FETCH_FAILED reason codes
d6d42cda5f Use centralized fetching errors
0d11846e4b Remove duplicate GENERATE declarations for .pod files
2497e2e7db Configure: warn about duplicate GENERATE declarations in build.info
files
5e16ac142e Configure: clean away perl syntax faults
507f83800f Configure: Check all SOURCE declarations, to ensure consistency
b209835364 v3_ocsp.c: fix indentation of include directives
3ddf44ea5a Close /dev/crypto file descriptor after CRIOGET ioctl().
678cae0295 APPS: Print help also on -h and --h; print high-level help when no
cmd given
3372039252 APPS: Fix confusion between program and app/command name used in
diagnostic/help output
046a7aaa5e apps/pkey.c: Forther improve user guidance, also on non-sensical
option combinations
1f7643e86e apps/pkey.c: Re-order help output and option documentation
475d10028e apps/pkey.c: Make clear that -passout is not supported for DER output
400e2acfe0 apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL
Build log ended with (last 100 lines):
# SSL_accept() failed -1, 1
# 8011A82D337F:error:0A76:SSL routines:tls_choose_sigalg:no
suitable signature algorithm:../openssl/ssl/t1_lib.c:3308:
# INFO: @ ../openssl/test/helpers/ssltestlib.c:942
# SSL_connect() failed -1, 1
# 8011A82D337F:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1
alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number
80
# ERROR: (bool) 'create_ssl_connection(serverssl, clientssl,
SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482
# false
not ok 2 - iteration 2
# --
not ok 53 - test_ssl_pending
# --
../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs
../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/fxSmPBPIEM
default ../../../openssl/test/default.cnf => 1
not ok 1 - running sslapitest
# --
# INFO: @ ../openssl/test/helpers/ssltestlib.c:942
# SSL_connect() failed -1, 1
# 80B10764687F:error:0A000129:SSL routines:tls_setup_handshake:no
suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max
supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in
the loaded providers. Use (D)TLSv1.2 or above, or load different providers
# INFO: @ ../openssl/test/helpers/ssltestlib.c:960
# SSL_accept() failed -1, 1
# 80B10764687F:error:0A000129:SSL routines:tls_setup_handshake:no
suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max
supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in
the loaded providers. Use (D)TLSv1.2 or above, or load different providers
# ERROR: (bool) 'create_ssl_connection(serverssl, clientssl,
SSL_ERROR_NONE) == true' failed @ ../openssl/
[web] master update
The branch master has been updated via 8bbe05eafe1a554259e527f9ba3dd18e4b2e3a9a (commit) from 89d554f676bdacf8497b41c8f2eae3b395bb2ff9 (commit) - Log - commit 8bbe05eafe1a554259e527f9ba3dd18e4b2e3a9a Author: Kurt Roeckx Date: Fri Jan 15 18:49:59 2021 +0100 Update expiration date --- Summary of changes: news/openssl-security.asc | 80 +++ 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/news/openssl-security.asc b/news/openssl-security.asc index 2b32a4b..8e6c0cc 100644 --- a/news/openssl-security.asc +++ b/news/openssl-security.asc @@ -11,33 +11,33 @@ Ce9tWq6oK+o1MEc1Ejb1/kn9CeCloKlF8HkzhFLpqqkZ//3j73/6kuK45UVg5PbO 5HCnafDroN5wF9jMVxFhmDOOdXyIeYkBVF6swwIlyq8VlYSjYWGAUtIb3rOiUNWc zYY6spdAN6VtKTMnXTm608yH118p+UOB5rJuKBqk3tMaiIjoyOcya4ImenX85rfK eCOVNtdOC/0N8McfO0eFc6fZxcy7ykZ1a7FLyqQDexpZM7OLoM5SXObX1QARAQAB -tDRPcGVuU1NMIHNlY3VyaXR5IHRlYW0gPG9wZW5zc2wtc2VjdXJpdHlAb3BlbnNz -bC5vcmc+iQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78Ck -Z9YTy4PH7W0w2JTizos9efUFAl3n9TkFCQvHY5oACgkQ2JTizos9efVbRQ//aItr -wyVa5j+OtrMaIJI9x835ES4bBaEIY1YVwGzoKzj+MOxdai0spUR6KZ9TYnEC5R4b -yFac7H9g+R4V5rv3+HogMBTYaCTmbFmZ4Y8viD7YaDsHHMcbHQymyV55l7ZfzyNt -pw3D3acvS3nOij9JQqRTOHuIOtS5FtJh1/+pig5sEk1TigOemJ7cnC7uWmfkzDzx -ywz29EBFZXeFV7Dg+hjkUuVtMqcbhouvjJlwvx7cgcAPwFRZcu7UoirVoq0+sSJj -kxxohVekpc+daZK9ge6qpHi7LObgM64fVPjR4FizuTmHU+f7ptUaI7BEGxmPtmBa -skj1Wi4lkSgQ4SfS7PpnlPphM2Tms7mG4gPO4f0cZ/qZriCoaU5DZ8kPx0xgY7Yf -Uol3NyRxAXJZi7voSWsj/YM1rsyd8Q7bYFW0Rx/hcjbT2AwZcqruqAuYEM6+M3Sb -JzOm28w+lnS7urnog8MBSSX9wsFzwHEXKBiqY2Qp+jU/fmSebqiDrRaAXJPvidCM -gsPNrK6HrQOjemZTG7dReIxqIjWuguhcN4aoellXwJYuR0NOo0uRK79IGbjFU8Vy -UBuv5AMCWgpblLaDyVHkhnQbNjnpvJnVoCqvTU4R0ttmjKQV4aWwgdryuc/a564J -PKcfr4pmeb+4Lfh1SxpNP3O2pzI1OY1zSj5nFRm0JU9wZW5TU0wgT01DIDxvcGVu -c3NsLW9tY0BvcGVuc3NsLm9yZz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgID -AQACHgECF4AWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCXef1QQUJC8djmgAKCRDY -lOLOiz159UcFD/9XdBn0wKmEwBO2KyM/zfHLpTysV3A1QM98C3Oy2/jPI/wcWmIN -1PoXbDEUGTBCKAEYhcnQKb5E7FsD+68i/07S5eBP65R24G182f6Qofy8Hy/Kbed/ -GmQEoprDaYqpUp6qFoPxBExW8bwEzkSRWTz4d/ptjDREOF3d4oJS3CE/HOr3l9Jy -0Jgvg1iAw2uiRSNb5/miUZM7wa/wGYmJmtbGomr3/suyyLeRh4UwoOAZulB6crql -ITxoyv9M7IF+YAYIdRQB1/zbE6d+i+5AKeyGmBxhXyYlIIFHjmFpMmz+HbHZ31tr -FodE/1EK9kxGcOOv9jSxiplLdgl0d4XqAb2wsNYygNb2n6uj/7Vz+iZwWnCDfNEo -UPazufcFh4KMPV6ZzqguXWpV6aV40rEjqWWwXfwXiSL7Yc1TYdnj+koCy2sXoiLd -d2VlCX/wWhl38KsAN69OgYlDNVne5ctQ2zpdYyYrQZlL9yk164evBroZGOrJSTl4 -5ZNSmsbX/alNQRTCVuPmICY6KOEE0CylvhcZtXbDvT9OTm0wNg99jj0Hpd3r8I6d -zGlsBfnipSWVnXtg4ozzvsIKdHy/1kfbiojwBwhD3QyIheQuA1MfmbItw60olEHH -iGqEzcztmQBTSXtyZ2ZhhPN9ZYGAxFmDmju3alqOqRIwu3C86WN3XCl/urQnT3Bl +tCVPcGVuU1NMIE9NQyA8b3BlbnNzbC1vbWNAb3BlbnNzbC5vcmc+iQJUBBMBCgA+ +AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78CkZ9YTy4PH7W0w2JTizos9 +efUFAmAB1NUFCQ2zHrYACgkQ2JTizos9efUHgxAAjTBfDLtetgRSnmNMTtgLOIGj +hFpE+eAKoc8xGT0FFmSPFPi2FQ51SjhJlk9PnoRGJC41vECdWY2dpXOVTCQL4ZPv +koVOUmf2979HjVGK1Z5dMnAFZP3bKxFR4KfuhH1rgIkcAoDghyl6w3ONlbBvH9Cx +Mrw36nOYFdRHjJZPVB6/BSZZL2AQE8n/Bwtp9Ea7mqi71ExLSBkPkwlMJ35tbq0e +hAL40r1I2GobcqyntB+K4Kqm891AEHLxRAymvucoxv3Y1yJXpET6GuSKQ9yKsDKK +fTwfbsDuKsLq4dCTcXmluBEKgA0Ni1XzygEh79o957J988WacJDsthhJ5YDjdyK8 +fu6Ie5C2b/hzZZ5oECuEYBsti3hP/WSVsvGDhkI8tvFr071MIk6mHzi0Wxlxyk6F +uO8WeqPkf9cPrWCzTdjAvCmiQe5X4lipOWkysQm/NEc6DKfiYmjfoVuebZmg6Br8 +oypIDJIzy3AK+2sNt5CjvODZ/w7uAHQrFBDAoTLmQL9e5e/fQmgoTFMjn8yzOuiU +BBiw6uGMmhb35OBegzk5ov/1EOQxnMVWLTdLe3xUG6RSGEW8Vy4jgaGWquXhLxeV +bWBTE5DacbCOqGyDoFG/Ehe2eFOOspkL3jPoQN5XqEsqcdiLWRMhH5m/ZISeqI3j +495QYZlxN8HDsjLWK7G0NE9wZW5TU0wgc2VjdXJpdHkgdGVhbSA8b3BlbnNzbC1z +ZWN1cml0eUBvcGVuc3NsLm9yZz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgID +AQACHgECF4AWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCYAHU4wUJDbMetgAKCRDY +lOLOiz159U7NEACQFr0PgsoNl+/dCdzWN7JrkddTSfY0bEhak8fOwTIb/7ybxzS/ +8qXaso2K5/D+w2RDLyl+faFxuvYIdySOAomxZTeorXpxnba8p13cwEEXgH6wIShi +o22bz9EH/qrsWqwXa22CkYzhWJQTED703+i5Rm+eO9oeOq6inx3ceCAKNfEDhfKC +dSAP08Mo41mMPf6+2CM/dPiN1LaouZVg/stQ/FPnuEZOetOtXZH/nEgPHAaVDhaF +FQQ6JlxvXzC+BCrJ0eJgJuhuU8K/y5SahEKqRbcHxBB7MBIH1ZqBhmMJ1eWxYX2S +PFJaTNgjVJ82vpLstHdSE6boamtEEtkeYEzNnaOOiebNwyIHlrsCaPKNXAuISKe/ +pD91maFDcXPF/4IP+juegnNjdFi1g8mmIwEvJnb1ZqoY0+ay+zH2q1ZshRixsCG5 +5afQCM+nwXhuAVhUqxOC7FG0f+/geTBJnXWw4C1QiiJjXYQhKH9g+R6vj/ODskOY +dFqe7uZQZzcd1DNmvNYfQVWMyW6hYDNgbFqqshsPaZaQicaa4rAWfyenWBSlR/yH +xqbfZJW+31MvFk5auz8Rv96W4/nOppUmUqEZ0xhAgPhmBUKgvVnyfg6RR9Il/rUU +kZUvwN45CtSdKQZWhrEHIEWzp3PdooTHDKeuTczCrdRvsSsFx1pMG1NcIbQnT3Bl blNTTCB0ZWFtIDxvcGVuc3NsLXRlYW1Ab3BlbnNzbC5vcmc+iQJZBDABCgBDFiEE 78CkZ9YTy4PH7W0w2JTizos9efUFAlnZ9jUlHSBSZXBsYWNlZCBieSBvcGVuc3Ns LW9tY0BvcGVuc3NsLm9yZwAKCRDYlOLOiz159VAiD/wLVz8KE84z+iPBcDXJR4hr @@ -63,17 +63,17 @@ ncd+VYvth6cM9jDWsTJAXEaqNoFjVfw227NnQ/hxqGCwEVzweBi7a7dix3nCa9JO w5eV3xCyezUohQ6nOBbDnoAnp3FLeUrhBJQXCPNtlb0fSMnj14EwBoD6EKO/xz/g EW5mr0a+xp+fjbkvHVX/c8UmU+7nlX7upaN46RLM1y0y
Build completed: openssl master.39203
Build openssl master.39203 completed Commit 001df00cc4 by Michael Baentsch on 1/15/2021 10:40 AM: Update SERVER_HELLO_MAX_LENGTH Configure your notification preferences
SUCCESSFUL build of OpenSSL branch master with options -d --strict-warnings enable-weak-ssl-ciphers
Platform and configuration command:
$ uname -a
Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64
x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings enable-weak-ssl-ciphers
Commit log since last time:
8bc5b0a570 chacha20: Properly reinitialize the cipher context with NULL key
2ed63033e4 x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST
04a1b3fa7b apps/req.c: Make sure -verify option takes effect also with -x509
0ae8d4ca9e apps/req.c: Cosmetic improvements of code and documentation
73b1d24c1a crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c,
v3_{alt,san}.c
b65c5ec8f5 apps/req.c: Add -copy_extensions option for use with -x509; default:
none
41e597a01d Add X509V3_set_issuer_pkey, needed for AKID of self-issued not
self-signed cert
ea9fd333d1 apps/req.c: make -subj work with -x509; clean up related code
7836f949c2 X509_PUBKEY_set(): Fix error reporting
855c68163b apps/lib/opt.c: Fix error message on unknown option/digest
f0a057dd53 Add tests for (non-)default SKID and AKID inclusion by
apps/{req,x509,ca}.c
6ad957f127 apps/req.c: add -CA and -CAkey options; improve code and doc
1579594383 APPS: Allow OPENSSL_CONF to be empty, not loading a config file
ec2bfb7d23 apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509
extensions by default
f2a0458731 X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed
to due to invalid cert
3339606a38 d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX()
48116c2d0f Fix incorrect use of BN_CTX API
1df333 Fix enable-weak-ssl-ciphers
4dd009180a x509_vfy.c: Fix a regression in find_issuer()
0cbb3602f5 Make PEM_X509_INFO_read_bio_ex() conservative on the error queue
0b7368dda0 TEST: move cert, key, and CSR loading aux functions to new
testutil/load.c
bf973d0697 Add X509_NAME_hash_ex() to be able to check if it failed due to
unsupported SHA1
5a2d0ef36f Clean away extraneous library specific FETCH_FAILED reason codes
d6d42cda5f Use centralized fetching errors
0d11846e4b Remove duplicate GENERATE declarations for .pod files
2497e2e7db Configure: warn about duplicate GENERATE declarations in build.info
files
5e16ac142e Configure: clean away perl syntax faults
507f83800f Configure: Check all SOURCE declarations, to ensure consistency
b209835364 v3_ocsp.c: fix indentation of include directives
3ddf44ea5a Close /dev/crypto file descriptor after CRIOGET ioctl().
678cae0295 APPS: Print help also on -h and --h; print high-level help when no
cmd given
3372039252 APPS: Fix confusion between program and app/command name used in
diagnostic/help output
046a7aaa5e apps/pkey.c: Forther improve user guidance, also on non-sensical
option combinations
1f7643e86e apps/pkey.c: Re-order help output and option documentation
475d10028e apps/pkey.c: Make clear that -passout is not supported for DER output
400e2acfe0 apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL
[openssl] master update
The branch master has been updated
via 2c04b34140be8833dae0e4debcb6ebf5fd0f287c (commit)
from 39f3427dc1cd8cf72cf4b3c8c26256874a067bfd (commit)
- Log -
commit 2c04b34140be8833dae0e4debcb6ebf5fd0f287c
Author: Jon Spillett
Date: Wed Jan 13 14:10:51 2021 +1000
Allow EVP_PKEY private key objects to be created without a public component
Reviewed-by: Richard Levitte
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/13855)
---
Summary of changes:
crypto/dh/dh_backend.c | 9 ---
crypto/dsa/dsa_backend.c | 7 --
crypto/dsa/dsa_lib.c | 7 --
crypto/ec/ec_backend.c | 4 --
test/evp_extra_test.c| 162 +--
5 files changed, 158 insertions(+), 31 deletions(-)
diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c
index 660bb4845a..6e545763dc 100644
--- a/crypto/dh/dh_backend.c
+++ b/crypto/dh/dh_backend.c
@@ -69,15 +69,6 @@ int dh_key_fromdata(DH *dh, const OSSL_PARAM params[])
param_priv_key = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY);
param_pub_key = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY);
-/*
- * DH documentation says that a public key must be present if a
- * private key is present.
- * We want to have at least a public key either way, so we end up
- * requiring it unconditionally.
- */
-if (param_priv_key != NULL && param_pub_key == NULL)
-return 0;
-
if ((param_priv_key != NULL
&& !OSSL_PARAM_get_BN(param_priv_key, &priv_key))
|| (param_pub_key != NULL
diff --git a/crypto/dsa/dsa_backend.c b/crypto/dsa/dsa_backend.c
index 4809b3100b..6a053611e1 100644
--- a/crypto/dsa/dsa_backend.c
+++ b/crypto/dsa/dsa_backend.c
@@ -39,13 +39,6 @@ int dsa_key_fromdata(DSA *dsa, const OSSL_PARAM params[])
if (param_priv_key == NULL && param_pub_key == NULL)
return 1;
-/*
- * DSA documentation says that a public key must be present if a
- * private key is present.
- */
-if (param_priv_key != NULL && param_pub_key == NULL)
-return 0;
-
if (param_pub_key != NULL && !OSSL_PARAM_get_BN(param_pub_key, &pub_key))
goto err;
if (param_priv_key != NULL && !OSSL_PARAM_get_BN(param_priv_key,
&priv_key))
diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c
index df9dd73dfd..7488fa2451 100644
--- a/crypto/dsa/dsa_lib.c
+++ b/crypto/dsa/dsa_lib.c
@@ -310,13 +310,6 @@ void DSA_get0_key(const DSA *d,
int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)
{
-/* If the field pub_key in d is NULL, the corresponding input
- * parameters MUST be non-NULL. The priv_key field may
- * be left NULL.
- */
-if (d->pub_key == NULL && pub_key == NULL)
-return 0;
-
if (pub_key != NULL) {
BN_free(d->pub_key);
d->pub_key = pub_key;
diff --git a/crypto/ec/ec_backend.c b/crypto/ec/ec_backend.c
index dccf6a15b9..f950657173 100644
--- a/crypto/ec/ec_backend.c
+++ b/crypto/ec/ec_backend.c
@@ -245,10 +245,6 @@ int ec_key_fromdata(EC_KEY *ec, const OSSL_PARAM params[],
int include_private)
if (ctx == NULL)
goto err;
-/* OpenSSL decree: If there's a private key, there must be a public key */
-if (param_priv_key != NULL && param_pub_key == NULL)
-goto err;
-
if (param_pub_key != NULL)
if (!OSSL_PARAM_get_octet_string(param_pub_key,
(void **)&pub_key, 0, &pub_key_len)
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 67e5a48c3e..832989ae00 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -485,6 +485,135 @@ err:
return res;
}
+#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DSA)
+/*
+ * Test combinations of private, public, missing and private + public key
+ * params to ensure they are all accepted
+ */
+static int test_EVP_PKEY_ffc_priv_pub(char *keytype)
+{
+OSSL_PARAM_BLD *bld = NULL;
+OSSL_PARAM *params = NULL;
+BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub = NULL, *priv = NULL;
+EVP_PKEY_CTX *pctx = NULL;
+EVP_PKEY *pkey = NULL;
+int ret = 0;
+
+/*
+ * Setup the parameters for our pkey object. For our purposes they don't
+ * have to actually be *valid* parameters. We just need to set something.
+ */
+if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, keytype, NULL))
+|| !TEST_ptr(p = BN_new())
+|| !TEST_ptr(q = BN_new())
+|| !TEST_ptr(g = BN_new())
+|| !TEST_ptr(pub = BN_new())
+|| !TEST_ptr(priv = BN_new()))
+goto err;
+
+/* Test !priv and !pub */
+if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
+|| !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p))
+|| !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FF
Build failed: openssl master.39202
Build openssl master.39202 failed Commit 39f3427dc1 by Richard Levitte on 1/15/2021 10:19 AM: Fix incomplete deprecation guard in test/sslapitest.c Configure your notification preferences
Build failed: openssl master.39201
Build openssl master.39201 failed Commit 9b9946ad13 by Tomas Mraz on 1/15/2021 10:12 AM: Make the smdh.pem test certificate usable with fips provider Configure your notification preferences
[openssl] master update
The branch master has been updated
via 39f3427dc1cd8cf72cf4b3c8c26256874a067bfd (commit)
via 3f6e891d423ed911eb779bfd1401a26ec18cfa41 (commit)
from e604b7c9156c66c05dd1640707f196f9fd49a184 (commit)
- Log -
commit 39f3427dc1cd8cf72cf4b3c8c26256874a067bfd
Author: Richard Levitte
Date: Thu Jan 14 00:00:41 2021 +0100
Fix incomplete deprecation guard in test/sslapitest.c
OPENSSL_NO_DEPRECATED_3_0 should be used rather than OPENSSL_NO_DEPRECATED,
as the latter doesn't take the configuration option '--api=' in account.
Fixes #13865
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/13866)
commit 3f6e891d423ed911eb779bfd1401a26ec18cfa41
Author: Richard Levitte
Date: Wed Jan 13 23:55:51 2021 +0100
Fix crypto/des/build.info
!$disabled{mdc2} was used to determine if DES files should be included
in providers/liblegacy.a. Use !$disabled{des} instead.
Fixes #13865
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/13866)
---
Summary of changes:
crypto/des/build.info | 2 +-
test/sslapitest.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/des/build.info b/crypto/des/build.info
index b73e740bec..ad8553a41a 100644
--- a/crypto/des/build.info
+++ b/crypto/des/build.info
@@ -31,7 +31,7 @@ DEFINE[../../providers/liblegacy.a]=$DESDEF
# When all deprecated symbols are removed, libcrypto doesn't export the
# DES functions, so we must include them directly in liblegacy.a
-IF[{- $disabled{'deprecated-3.0'} && !$disabled{"mdc2"} -}]
+IF[{- $disabled{'deprecated-3.0'} && !$disabled{des} -}]
SOURCE[../../providers/liblegacy.a]=$ALL
DEFINE[../../providers/liblegacy.a]=$DESDEF
ENDIF
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 984c6a8764..c6520482f6 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -8157,7 +8157,7 @@ static EVP_PKEY *get_tmp_dh_params(void)
return tmp_dh_params;
}
-# ifndef OPENSSL_NO_DEPRECATED
+# ifndef OPENSSL_NO_DEPRECATED_3_0
/* Callback used by test_set_tmp_dh() */
static DH *tmp_dh_callback(SSL *s, int is_export, int keylen)
{
[openssl] master update
The branch master has been updated via e604b7c9156c66c05dd1640707f196f9fd49a184 (commit) from 975aae76db8792c9137921adf0e4ecbbf375f46b (commit) - Log - commit e604b7c9156c66c05dd1640707f196f9fd49a184 Author: Rich Salz Date: Tue Jan 5 18:05:42 2021 -0500 Document openssl thread-safety Also discuss reference-counting, mutability and safety. Thanks to David Benjamin for pointing to comment text he added to boringSSL's header files. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13788) --- Summary of changes: doc/man3/CRYPTO_THREAD_run_once.pod | 2 +- doc/man7/openssl-threads.pod| 105 2 files changed, 106 insertions(+), 1 deletion(-) create mode 100644 doc/man7/openssl-threads.pod diff --git a/doc/man3/CRYPTO_THREAD_run_once.pod b/doc/man3/CRYPTO_THREAD_run_once.pod index 3a46809efe..c15dc319fa 100644 --- a/doc/man3/CRYPTO_THREAD_run_once.pod +++ b/doc/man3/CRYPTO_THREAD_run_once.pod @@ -179,7 +179,7 @@ repeatedly load/unload shared libraries that allocate locks. =head1 SEE ALSO -L +L, L. =head1 COPYRIGHT diff --git a/doc/man7/openssl-threads.pod b/doc/man7/openssl-threads.pod new file mode 100644 index 00..56cc638e1b --- /dev/null +++ b/doc/man7/openssl-threads.pod @@ -0,0 +1,105 @@ +=pod + +=head1 NAME + +openssl-threads - Overview of thread safety in OpenSSL + +=head1 DESCRIPTION + +In this man page, we use the term B to indicate that an +object or function can be used by multiple threads at the same time. + +OpenSSL can be built with or without threads support. The most important +use of this support is so that OpenSSL itself can use a single consistent +API, as shown in L. +Multi-platform applications can also use this API. + +In particular, being configured for threads support does not imply that +all OpenSSL objects are thread-safe. +To emphasize: I. +Exceptions to this should be documented on the specific manual pages, and +some general high-level guidance is given here. + +One major use of the OpenSSL thread API is to implement reference counting. +Many objects within OpenSSL are reference-counted, so resources are not +released, until the last reference is removed. +References are often increased automatically (such as when an B +certificate object is added into an B trust store). +There is often an B_up_ref>() function that can be used to increase +the reference count. +Failure to match B_up_ref>() calls with the right number of +B_free>() calls is a common source of memory leaks when a program +exits. + +Many objects have set and get API's to set attributes in the object. +A C passes ownership from the caller to the object and a +C returns a pointer but the attribute ownership +remains with the object and a reference to it is returned. +A C or C function does not change the ownership, but instead +updates the attribute's reference count so that the object is shared +between the caller and the object; the caller must free the returned +attribute when finished. +Functions that involve attributes that have reference counts themselves, +but are named with just C or C are historical; and the documentation +must state how the references are handled. +Get methods are often thread-safe as long as the ownership requirements are +met and shared objects are not modified. +Set methods, or modifying shared objects, are generally not thread-safe +as discussed below. + +Objects are thread-safe +as long as the API's being invoked don't modify the object; in this +case the parameter is usually marked in the API as C. +Not all parameters are marked this way. +Note that a C declaration does not mean immutable; for example +L takes pointers to C objects, but the implementation +uses a C cast to remove that so it can lock objects, generate and cache +a DER encoding, and so on. + +Another instance of thread-safety is when updates to an object's +internal state, such as cached values, are done with locks. +One example of this is the reference counting API's described above. + +In all cases, however, it is generally not safe for one thread to +mutate an object, such as setting elements of a private or public key, +while another thread is using that object, such as verifying a signature. + +The same API's can usually be used simultaneously on different objects +without interference. +For example, two threads can calculate a signature using two different +B objects. + +For implicit global state or singletons, thread-safety depends on the facility. +The L and related API's have their own lock, +while L assumes the underlying platform allocation +will do any necessary locking. +Some API's, such as L and related, or L +do no locking at all; this can be considered a bug. + +A separate, although related, iss
[openssl] master update
The branch master has been updated
via 975aae76db8792c9137921adf0e4ecbbf375f46b (commit)
from 0434f9841d45dee081c64ea3aba794a922787ece (commit)
- Log -
commit 975aae76db8792c9137921adf0e4ecbbf375f46b
Author: Pauli
Date: Thu Jan 14 11:49:47 2021 +1000
Remove unused DRBG tests.
The DRBG known answer tests are performed by evp_test and the old vectors
are not used.
Reviewed-by: Shane Lontis
(Merged from https://github.com/openssl/openssl/pull/13867)
---
Summary of changes:
test/drbgtest.c |1 -
test/drbgtest.h | 1670 ---
2 files changed, 1671 deletions(-)
delete mode 100644 test/drbgtest.h
diff --git a/test/drbgtest.c b/test/drbgtest.c
index 30c6b270d0..8c3ed23c35 100644
--- a/test/drbgtest.c
+++ b/test/drbgtest.c
@@ -38,7 +38,6 @@
#endif
#include "testutil.h"
-#include "drbgtest.h"
/*
* DRBG generate wrappers
diff --git a/test/drbgtest.h b/test/drbgtest.h
deleted file mode 100644
index a00c168c8c..00
--- a/test/drbgtest.h
+++ /dev/null
@@ -1,1670 +0,0 @@
-/*
- * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*
- * Known answer tests for SP800-90 DRBG CTR mode.
- */
-
-
-/*
- * AES-128 use df PR
- */
-static const unsigned char aes_128_use_df_pr_entropyinput[] = {
-0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33,
-0xc8, 0xdb, 0xff, 0x12
-};
-static const unsigned char aes_128_use_df_pr_nonce[] = {
-0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28
-};
-static const unsigned char aes_128_use_df_pr_personalizationstring[] = {
-0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe,
-0xd7, 0xd7, 0x01, 0x67
-};
-static const unsigned char aes_128_use_df_pr_additionalinput[] = {
-0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e,
-0x9a, 0x47, 0x08, 0x76
-};
-static const unsigned char aes_128_use_df_pr_entropyinputpr[] = {
-0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51,
-0x09, 0xfb, 0xa3, 0xb6
-};
-static const unsigned char aes_128_use_df_pr_int_returnedbits[] = {
-0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52,
-0x66, 0x1c, 0xea, 0x5b
-};
-static const unsigned char aes_128_use_df_pr_additionalinput2[] = {
-0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11,
-0x3f, 0x5e, 0x31, 0x06
-};
-static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = {
-0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae,
-0xa7, 0xe3, 0xa8, 0x67
-};
-static const unsigned char aes_128_use_df_pr_returnedbits[] = {
-0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24,
-0x0f, 0x38, 0x43, 0xc6
-};
-
-
-/*
- * AES-128 use df no PR
- */
-static const unsigned char aes_128_use_df_entropyinput[] = {
-0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3,
-0x9d, 0x7d, 0x1c, 0x9b
-};
-static const unsigned char aes_128_use_df_nonce[] = {
-0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96,
-};
-static const unsigned char aes_128_use_df_personalizationstring[] = {
-0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3,
-0x38, 0x66, 0xba, 0x1b
-};
-static const unsigned char aes_128_use_df_additionalinput[] = {
-0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46,
-0xb5, 0xe2, 0xb2, 0x41
-};
-static const unsigned char aes_128_use_df_int_returnedbits[] = {
-0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67,
-0xe7, 0x57, 0x11, 0xb4
-};
-static const unsigned char aes_128_use_df_entropyinputreseed[] = {
-0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b,
-0xc7, 0xc4, 0x9e, 0x39
-};
-static const unsigned char aes_128_use_df_additionalinputreseed[] = {
-0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a,
-0xc8, 0x93, 0xfa, 0x84
-};
-static const unsigned char aes_128_use_df_additionalinput2[] = {
-0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5,
-0x06, 0x0c, 0x15, 0x2c
-};
-static const unsigned char aes_128_use_df_returnedbits[] = {
-0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88,
-0x46, 0x81, 0xc7, 0x19
-};
-
-
-/*
- * AES-192 use df PR
- */
-static const unsigned char aes_192_use_df_pr_entropyinput[] = {
-0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec,
-0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x
[openssl] master update
The branch master has been updated via 0434f9841d45dee081c64ea3aba794a922787ece (commit) from 3bc061eb0a990a95d35c462b9206bdf74905cfa2 (commit) - Log - commit 0434f9841d45dee081c64ea3aba794a922787ece Author: Daniel Bevenius Date: Wed Jan 13 15:30:20 2021 +0100 Correct typo in rsa_oaep.c Reviewed-by: Kurt Roeckx Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13861) --- Summary of changes: crypto/rsa/rsa_oaep.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index f47369a1af..66f2ae40c2 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c @@ -45,7 +45,7 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, } /* - * Perform ihe padding as per NIST 800-56B 7.2.2.3 + * Perform the padding as per NIST 800-56B 7.2.2.3 * from (K) is the key material. * param (A) is the additional input. * Step numbers are included here but not in the constant time inverse below
Build failed: openssl master.39193
Build openssl master.39193 failed
Commit f0ee0a0142 by Dr. David von Oheimb on 1/15/2021 7:27 AM:
x509: Replace magic numbers returned by {X509_,}check_ca() by proper mnemonic names
Configure your notification preferences
