Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method
Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: 8bc5b0a570 chacha20: Properly reinitialize the cipher context with NULL key 2ed63033e4 x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST 04a1b3fa7b apps/req.c: Make sure -verify option takes effect also with -x509 0ae8d4ca9e apps/req.c: Cosmetic improvements of code and documentation 73b1d24c1a crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c b65c5ec8f5 apps/req.c: Add -copy_extensions option for use with -x509; default: none 41e597a01d Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert ea9fd333d1 apps/req.c: make -subj work with -x509; clean up related code 7836f949c2 X509_PUBKEY_set(): Fix error reporting 855c68163b apps/lib/opt.c: Fix error message on unknown option/digest f0a057dd53 Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c 6ad957f127 apps/req.c: add -CA and -CAkey options; improve code and doc 1579594383 APPS: Allow OPENSSL_CONF to be empty, not loading a config file ec2bfb7d23 apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default f2a0458731 X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert 3339606a38 d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX() 48116c2d0f Fix incorrect use of BN_CTX API 1df333 Fix enable-weak-ssl-ciphers 4dd009180a x509_vfy.c: Fix a regression in find_issuer() 0cbb3602f5 Make PEM_X509_INFO_read_bio_ex() conservative on the error queue 0b7368dda0 TEST: move cert, key, and CSR loading aux functions to new testutil/load.c bf973d0697 Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 5a2d0ef36f Clean away extraneous library specific FETCH_FAILED reason codes d6d42cda5f Use centralized fetching errors 0d11846e4b Remove duplicate GENERATE declarations for .pod files 2497e2e7db Configure: warn about duplicate GENERATE declarations in build.info files 5e16ac142e Configure: clean away perl syntax faults 507f83800f Configure: Check all SOURCE declarations, to ensure consistency b209835364 v3_ocsp.c: fix indentation of include directives 3ddf44ea5a Close /dev/crypto file descriptor after CRIOGET ioctl(). 678cae0295 APPS: Print help also on -h and --h; print high-level help when no cmd given 3372039252 APPS: Fix confusion between program and app/command name used in diagnostic/help output 046a7aaa5e apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations 1f7643e86e apps/pkey.c: Re-order help output and option documentation 475d10028e apps/pkey.c: Make clear that -passout is not supported for DER output 400e2acfe0 apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 8001915EEE7F:error:0A76:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8001915EEE7F:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # -- not ok 53 - test_ssl_pending # -- ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/u7U_5Yisn9 default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # -- # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80E1EA531A7F:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80E1EA531A7F:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../o
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2
Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: 8bc5b0a570 chacha20: Properly reinitialize the cipher context with NULL key 2ed63033e4 x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST 04a1b3fa7b apps/req.c: Make sure -verify option takes effect also with -x509 0ae8d4ca9e apps/req.c: Cosmetic improvements of code and documentation 73b1d24c1a crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c b65c5ec8f5 apps/req.c: Add -copy_extensions option for use with -x509; default: none 41e597a01d Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert ea9fd333d1 apps/req.c: make -subj work with -x509; clean up related code 7836f949c2 X509_PUBKEY_set(): Fix error reporting 855c68163b apps/lib/opt.c: Fix error message on unknown option/digest f0a057dd53 Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c 6ad957f127 apps/req.c: add -CA and -CAkey options; improve code and doc 1579594383 APPS: Allow OPENSSL_CONF to be empty, not loading a config file ec2bfb7d23 apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default f2a0458731 X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert 3339606a38 d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX() 48116c2d0f Fix incorrect use of BN_CTX API 1df333 Fix enable-weak-ssl-ciphers 4dd009180a x509_vfy.c: Fix a regression in find_issuer() 0cbb3602f5 Make PEM_X509_INFO_read_bio_ex() conservative on the error queue 0b7368dda0 TEST: move cert, key, and CSR loading aux functions to new testutil/load.c bf973d0697 Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 5a2d0ef36f Clean away extraneous library specific FETCH_FAILED reason codes d6d42cda5f Use centralized fetching errors 0d11846e4b Remove duplicate GENERATE declarations for .pod files 2497e2e7db Configure: warn about duplicate GENERATE declarations in build.info files 5e16ac142e Configure: clean away perl syntax faults 507f83800f Configure: Check all SOURCE declarations, to ensure consistency b209835364 v3_ocsp.c: fix indentation of include directives 3ddf44ea5a Close /dev/crypto file descriptor after CRIOGET ioctl(). 678cae0295 APPS: Print help also on -h and --h; print high-level help when no cmd given 3372039252 APPS: Fix confusion between program and app/command name used in diagnostic/help output 046a7aaa5e apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations 1f7643e86e apps/pkey.c: Re-order help output and option documentation 475d10028e apps/pkey.c: Make clear that -passout is not supported for DER output 400e2acfe0 apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 8011A82D337F:error:0A76:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8011A82D337F:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # -- not ok 53 - test_ssl_pending # -- ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/fxSmPBPIEM default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # -- # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80B10764687F:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80B10764687F:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/
[web] master update
The branch master has been updated via 8bbe05eafe1a554259e527f9ba3dd18e4b2e3a9a (commit) from 89d554f676bdacf8497b41c8f2eae3b395bb2ff9 (commit) - Log - commit 8bbe05eafe1a554259e527f9ba3dd18e4b2e3a9a Author: Kurt Roeckx Date: Fri Jan 15 18:49:59 2021 +0100 Update expiration date --- Summary of changes: news/openssl-security.asc | 80 +++ 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/news/openssl-security.asc b/news/openssl-security.asc index 2b32a4b..8e6c0cc 100644 --- a/news/openssl-security.asc +++ b/news/openssl-security.asc @@ -11,33 +11,33 @@ Ce9tWq6oK+o1MEc1Ejb1/kn9CeCloKlF8HkzhFLpqqkZ//3j73/6kuK45UVg5PbO 5HCnafDroN5wF9jMVxFhmDOOdXyIeYkBVF6swwIlyq8VlYSjYWGAUtIb3rOiUNWc zYY6spdAN6VtKTMnXTm608yH118p+UOB5rJuKBqk3tMaiIjoyOcya4ImenX85rfK eCOVNtdOC/0N8McfO0eFc6fZxcy7ykZ1a7FLyqQDexpZM7OLoM5SXObX1QARAQAB -tDRPcGVuU1NMIHNlY3VyaXR5IHRlYW0gPG9wZW5zc2wtc2VjdXJpdHlAb3BlbnNz -bC5vcmc+iQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78Ck -Z9YTy4PH7W0w2JTizos9efUFAl3n9TkFCQvHY5oACgkQ2JTizos9efVbRQ//aItr -wyVa5j+OtrMaIJI9x835ES4bBaEIY1YVwGzoKzj+MOxdai0spUR6KZ9TYnEC5R4b -yFac7H9g+R4V5rv3+HogMBTYaCTmbFmZ4Y8viD7YaDsHHMcbHQymyV55l7ZfzyNt -pw3D3acvS3nOij9JQqRTOHuIOtS5FtJh1/+pig5sEk1TigOemJ7cnC7uWmfkzDzx -ywz29EBFZXeFV7Dg+hjkUuVtMqcbhouvjJlwvx7cgcAPwFRZcu7UoirVoq0+sSJj -kxxohVekpc+daZK9ge6qpHi7LObgM64fVPjR4FizuTmHU+f7ptUaI7BEGxmPtmBa -skj1Wi4lkSgQ4SfS7PpnlPphM2Tms7mG4gPO4f0cZ/qZriCoaU5DZ8kPx0xgY7Yf -Uol3NyRxAXJZi7voSWsj/YM1rsyd8Q7bYFW0Rx/hcjbT2AwZcqruqAuYEM6+M3Sb -JzOm28w+lnS7urnog8MBSSX9wsFzwHEXKBiqY2Qp+jU/fmSebqiDrRaAXJPvidCM -gsPNrK6HrQOjemZTG7dReIxqIjWuguhcN4aoellXwJYuR0NOo0uRK79IGbjFU8Vy -UBuv5AMCWgpblLaDyVHkhnQbNjnpvJnVoCqvTU4R0ttmjKQV4aWwgdryuc/a564J -PKcfr4pmeb+4Lfh1SxpNP3O2pzI1OY1zSj5nFRm0JU9wZW5TU0wgT01DIDxvcGVu -c3NsLW9tY0BvcGVuc3NsLm9yZz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgID -AQACHgECF4AWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCXef1QQUJC8djmgAKCRDY -lOLOiz159UcFD/9XdBn0wKmEwBO2KyM/zfHLpTysV3A1QM98C3Oy2/jPI/wcWmIN -1PoXbDEUGTBCKAEYhcnQKb5E7FsD+68i/07S5eBP65R24G182f6Qofy8Hy/Kbed/ -GmQEoprDaYqpUp6qFoPxBExW8bwEzkSRWTz4d/ptjDREOF3d4oJS3CE/HOr3l9Jy -0Jgvg1iAw2uiRSNb5/miUZM7wa/wGYmJmtbGomr3/suyyLeRh4UwoOAZulB6crql -ITxoyv9M7IF+YAYIdRQB1/zbE6d+i+5AKeyGmBxhXyYlIIFHjmFpMmz+HbHZ31tr -FodE/1EK9kxGcOOv9jSxiplLdgl0d4XqAb2wsNYygNb2n6uj/7Vz+iZwWnCDfNEo -UPazufcFh4KMPV6ZzqguXWpV6aV40rEjqWWwXfwXiSL7Yc1TYdnj+koCy2sXoiLd -d2VlCX/wWhl38KsAN69OgYlDNVne5ctQ2zpdYyYrQZlL9yk164evBroZGOrJSTl4 -5ZNSmsbX/alNQRTCVuPmICY6KOEE0CylvhcZtXbDvT9OTm0wNg99jj0Hpd3r8I6d -zGlsBfnipSWVnXtg4ozzvsIKdHy/1kfbiojwBwhD3QyIheQuA1MfmbItw60olEHH -iGqEzcztmQBTSXtyZ2ZhhPN9ZYGAxFmDmju3alqOqRIwu3C86WN3XCl/urQnT3Bl +tCVPcGVuU1NMIE9NQyA8b3BlbnNzbC1vbWNAb3BlbnNzbC5vcmc+iQJUBBMBCgA+ +AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78CkZ9YTy4PH7W0w2JTizos9 +efUFAmAB1NUFCQ2zHrYACgkQ2JTizos9efUHgxAAjTBfDLtetgRSnmNMTtgLOIGj +hFpE+eAKoc8xGT0FFmSPFPi2FQ51SjhJlk9PnoRGJC41vECdWY2dpXOVTCQL4ZPv +koVOUmf2979HjVGK1Z5dMnAFZP3bKxFR4KfuhH1rgIkcAoDghyl6w3ONlbBvH9Cx +Mrw36nOYFdRHjJZPVB6/BSZZL2AQE8n/Bwtp9Ea7mqi71ExLSBkPkwlMJ35tbq0e +hAL40r1I2GobcqyntB+K4Kqm891AEHLxRAymvucoxv3Y1yJXpET6GuSKQ9yKsDKK +fTwfbsDuKsLq4dCTcXmluBEKgA0Ni1XzygEh79o957J988WacJDsthhJ5YDjdyK8 +fu6Ie5C2b/hzZZ5oECuEYBsti3hP/WSVsvGDhkI8tvFr071MIk6mHzi0Wxlxyk6F +uO8WeqPkf9cPrWCzTdjAvCmiQe5X4lipOWkysQm/NEc6DKfiYmjfoVuebZmg6Br8 +oypIDJIzy3AK+2sNt5CjvODZ/w7uAHQrFBDAoTLmQL9e5e/fQmgoTFMjn8yzOuiU +BBiw6uGMmhb35OBegzk5ov/1EOQxnMVWLTdLe3xUG6RSGEW8Vy4jgaGWquXhLxeV +bWBTE5DacbCOqGyDoFG/Ehe2eFOOspkL3jPoQN5XqEsqcdiLWRMhH5m/ZISeqI3j +495QYZlxN8HDsjLWK7G0NE9wZW5TU0wgc2VjdXJpdHkgdGVhbSA8b3BlbnNzbC1z +ZWN1cml0eUBvcGVuc3NsLm9yZz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgID +AQACHgECF4AWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCYAHU4wUJDbMetgAKCRDY +lOLOiz159U7NEACQFr0PgsoNl+/dCdzWN7JrkddTSfY0bEhak8fOwTIb/7ybxzS/ +8qXaso2K5/D+w2RDLyl+faFxuvYIdySOAomxZTeorXpxnba8p13cwEEXgH6wIShi +o22bz9EH/qrsWqwXa22CkYzhWJQTED703+i5Rm+eO9oeOq6inx3ceCAKNfEDhfKC +dSAP08Mo41mMPf6+2CM/dPiN1LaouZVg/stQ/FPnuEZOetOtXZH/nEgPHAaVDhaF +FQQ6JlxvXzC+BCrJ0eJgJuhuU8K/y5SahEKqRbcHxBB7MBIH1ZqBhmMJ1eWxYX2S +PFJaTNgjVJ82vpLstHdSE6boamtEEtkeYEzNnaOOiebNwyIHlrsCaPKNXAuISKe/ +pD91maFDcXPF/4IP+juegnNjdFi1g8mmIwEvJnb1ZqoY0+ay+zH2q1ZshRixsCG5 +5afQCM+nwXhuAVhUqxOC7FG0f+/geTBJnXWw4C1QiiJjXYQhKH9g+R6vj/ODskOY +dFqe7uZQZzcd1DNmvNYfQVWMyW6hYDNgbFqqshsPaZaQicaa4rAWfyenWBSlR/yH +xqbfZJW+31MvFk5auz8Rv96W4/nOppUmUqEZ0xhAgPhmBUKgvVnyfg6RR9Il/rUU +kZUvwN45CtSdKQZWhrEHIEWzp3PdooTHDKeuTczCrdRvsSsFx1pMG1NcIbQnT3Bl blNTTCB0ZWFtIDxvcGVuc3NsLXRlYW1Ab3BlbnNzbC5vcmc+iQJZBDABCgBDFiEE 78CkZ9YTy4PH7W0w2JTizos9efUFAlnZ9jUlHSBSZXBsYWNlZCBieSBvcGVuc3Ns LW9tY0BvcGVuc3NsLm9yZwAKCRDYlOLOiz159VAiD/wLVz8KE84z+iPBcDXJR4hr @@ -63,17 +63,17 @@ ncd+VYvth6cM9jDWsTJAXEaqNoFjVfw227NnQ/hxqGCwEVzweBi7a7dix3nCa9JO w5eV3xCyezUohQ6nOBbDnoAnp3FLeUrhBJQXCPNtlb0fSMnj14EwBoD6EKO/xz/g EW5mr0a+xp+fjbkvHVX/c8UmU+7nlX7upaN46RLM1y0y
Build completed: openssl master.39203
Build openssl master.39203 completed Commit 001df00cc4 by Michael Baentsch on 1/15/2021 10:40 AM: Update SERVER_HELLO_MAX_LENGTH Configure your notification preferences
SUCCESSFUL build of OpenSSL branch master with options -d --strict-warnings enable-weak-ssl-ciphers
Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings enable-weak-ssl-ciphers Commit log since last time: 8bc5b0a570 chacha20: Properly reinitialize the cipher context with NULL key 2ed63033e4 x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST 04a1b3fa7b apps/req.c: Make sure -verify option takes effect also with -x509 0ae8d4ca9e apps/req.c: Cosmetic improvements of code and documentation 73b1d24c1a crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c b65c5ec8f5 apps/req.c: Add -copy_extensions option for use with -x509; default: none 41e597a01d Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert ea9fd333d1 apps/req.c: make -subj work with -x509; clean up related code 7836f949c2 X509_PUBKEY_set(): Fix error reporting 855c68163b apps/lib/opt.c: Fix error message on unknown option/digest f0a057dd53 Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c 6ad957f127 apps/req.c: add -CA and -CAkey options; improve code and doc 1579594383 APPS: Allow OPENSSL_CONF to be empty, not loading a config file ec2bfb7d23 apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default f2a0458731 X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert 3339606a38 d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX() 48116c2d0f Fix incorrect use of BN_CTX API 1df333 Fix enable-weak-ssl-ciphers 4dd009180a x509_vfy.c: Fix a regression in find_issuer() 0cbb3602f5 Make PEM_X509_INFO_read_bio_ex() conservative on the error queue 0b7368dda0 TEST: move cert, key, and CSR loading aux functions to new testutil/load.c bf973d0697 Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 5a2d0ef36f Clean away extraneous library specific FETCH_FAILED reason codes d6d42cda5f Use centralized fetching errors 0d11846e4b Remove duplicate GENERATE declarations for .pod files 2497e2e7db Configure: warn about duplicate GENERATE declarations in build.info files 5e16ac142e Configure: clean away perl syntax faults 507f83800f Configure: Check all SOURCE declarations, to ensure consistency b209835364 v3_ocsp.c: fix indentation of include directives 3ddf44ea5a Close /dev/crypto file descriptor after CRIOGET ioctl(). 678cae0295 APPS: Print help also on -h and --h; print high-level help when no cmd given 3372039252 APPS: Fix confusion between program and app/command name used in diagnostic/help output 046a7aaa5e apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations 1f7643e86e apps/pkey.c: Re-order help output and option documentation 475d10028e apps/pkey.c: Make clear that -passout is not supported for DER output 400e2acfe0 apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL
[openssl] master update
The branch master has been updated via 2c04b34140be8833dae0e4debcb6ebf5fd0f287c (commit) from 39f3427dc1cd8cf72cf4b3c8c26256874a067bfd (commit) - Log - commit 2c04b34140be8833dae0e4debcb6ebf5fd0f287c Author: Jon Spillett Date: Wed Jan 13 14:10:51 2021 +1000 Allow EVP_PKEY private key objects to be created without a public component Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13855) --- Summary of changes: crypto/dh/dh_backend.c | 9 --- crypto/dsa/dsa_backend.c | 7 -- crypto/dsa/dsa_lib.c | 7 -- crypto/ec/ec_backend.c | 4 -- test/evp_extra_test.c| 162 +-- 5 files changed, 158 insertions(+), 31 deletions(-) diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c index 660bb4845a..6e545763dc 100644 --- a/crypto/dh/dh_backend.c +++ b/crypto/dh/dh_backend.c @@ -69,15 +69,6 @@ int dh_key_fromdata(DH *dh, const OSSL_PARAM params[]) param_priv_key = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY); param_pub_key = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY); -/* - * DH documentation says that a public key must be present if a - * private key is present. - * We want to have at least a public key either way, so we end up - * requiring it unconditionally. - */ -if (param_priv_key != NULL && param_pub_key == NULL) -return 0; - if ((param_priv_key != NULL && !OSSL_PARAM_get_BN(param_priv_key, &priv_key)) || (param_pub_key != NULL diff --git a/crypto/dsa/dsa_backend.c b/crypto/dsa/dsa_backend.c index 4809b3100b..6a053611e1 100644 --- a/crypto/dsa/dsa_backend.c +++ b/crypto/dsa/dsa_backend.c @@ -39,13 +39,6 @@ int dsa_key_fromdata(DSA *dsa, const OSSL_PARAM params[]) if (param_priv_key == NULL && param_pub_key == NULL) return 1; -/* - * DSA documentation says that a public key must be present if a - * private key is present. - */ -if (param_priv_key != NULL && param_pub_key == NULL) -return 0; - if (param_pub_key != NULL && !OSSL_PARAM_get_BN(param_pub_key, &pub_key)) goto err; if (param_priv_key != NULL && !OSSL_PARAM_get_BN(param_priv_key, &priv_key)) diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c index df9dd73dfd..7488fa2451 100644 --- a/crypto/dsa/dsa_lib.c +++ b/crypto/dsa/dsa_lib.c @@ -310,13 +310,6 @@ void DSA_get0_key(const DSA *d, int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key) { -/* If the field pub_key in d is NULL, the corresponding input - * parameters MUST be non-NULL. The priv_key field may - * be left NULL. - */ -if (d->pub_key == NULL && pub_key == NULL) -return 0; - if (pub_key != NULL) { BN_free(d->pub_key); d->pub_key = pub_key; diff --git a/crypto/ec/ec_backend.c b/crypto/ec/ec_backend.c index dccf6a15b9..f950657173 100644 --- a/crypto/ec/ec_backend.c +++ b/crypto/ec/ec_backend.c @@ -245,10 +245,6 @@ int ec_key_fromdata(EC_KEY *ec, const OSSL_PARAM params[], int include_private) if (ctx == NULL) goto err; -/* OpenSSL decree: If there's a private key, there must be a public key */ -if (param_priv_key != NULL && param_pub_key == NULL) -goto err; - if (param_pub_key != NULL) if (!OSSL_PARAM_get_octet_string(param_pub_key, (void **)&pub_key, 0, &pub_key_len) diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 67e5a48c3e..832989ae00 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -485,6 +485,135 @@ err: return res; } +#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DSA) +/* + * Test combinations of private, public, missing and private + public key + * params to ensure they are all accepted + */ +static int test_EVP_PKEY_ffc_priv_pub(char *keytype) +{ +OSSL_PARAM_BLD *bld = NULL; +OSSL_PARAM *params = NULL; +BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub = NULL, *priv = NULL; +EVP_PKEY_CTX *pctx = NULL; +EVP_PKEY *pkey = NULL; +int ret = 0; + +/* + * Setup the parameters for our pkey object. For our purposes they don't + * have to actually be *valid* parameters. We just need to set something. + */ +if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, keytype, NULL)) +|| !TEST_ptr(p = BN_new()) +|| !TEST_ptr(q = BN_new()) +|| !TEST_ptr(g = BN_new()) +|| !TEST_ptr(pub = BN_new()) +|| !TEST_ptr(priv = BN_new())) +goto err; + +/* Test !priv and !pub */ +if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) +|| !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p)) +|| !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FF
Build failed: openssl master.39202
Build openssl master.39202 failed Commit 39f3427dc1 by Richard Levitte on 1/15/2021 10:19 AM: Fix incomplete deprecation guard in test/sslapitest.c Configure your notification preferences
Build failed: openssl master.39201
Build openssl master.39201 failed Commit 9b9946ad13 by Tomas Mraz on 1/15/2021 10:12 AM: Make the smdh.pem test certificate usable with fips provider Configure your notification preferences
[openssl] master update
The branch master has been updated via 39f3427dc1cd8cf72cf4b3c8c26256874a067bfd (commit) via 3f6e891d423ed911eb779bfd1401a26ec18cfa41 (commit) from e604b7c9156c66c05dd1640707f196f9fd49a184 (commit) - Log - commit 39f3427dc1cd8cf72cf4b3c8c26256874a067bfd Author: Richard Levitte Date: Thu Jan 14 00:00:41 2021 +0100 Fix incomplete deprecation guard in test/sslapitest.c OPENSSL_NO_DEPRECATED_3_0 should be used rather than OPENSSL_NO_DEPRECATED, as the latter doesn't take the configuration option '--api=' in account. Fixes #13865 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13866) commit 3f6e891d423ed911eb779bfd1401a26ec18cfa41 Author: Richard Levitte Date: Wed Jan 13 23:55:51 2021 +0100 Fix crypto/des/build.info !$disabled{mdc2} was used to determine if DES files should be included in providers/liblegacy.a. Use !$disabled{des} instead. Fixes #13865 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13866) --- Summary of changes: crypto/des/build.info | 2 +- test/sslapitest.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/des/build.info b/crypto/des/build.info index b73e740bec..ad8553a41a 100644 --- a/crypto/des/build.info +++ b/crypto/des/build.info @@ -31,7 +31,7 @@ DEFINE[../../providers/liblegacy.a]=$DESDEF # When all deprecated symbols are removed, libcrypto doesn't export the # DES functions, so we must include them directly in liblegacy.a -IF[{- $disabled{'deprecated-3.0'} && !$disabled{"mdc2"} -}] +IF[{- $disabled{'deprecated-3.0'} && !$disabled{des} -}] SOURCE[../../providers/liblegacy.a]=$ALL DEFINE[../../providers/liblegacy.a]=$DESDEF ENDIF diff --git a/test/sslapitest.c b/test/sslapitest.c index 984c6a8764..c6520482f6 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -8157,7 +8157,7 @@ static EVP_PKEY *get_tmp_dh_params(void) return tmp_dh_params; } -# ifndef OPENSSL_NO_DEPRECATED +# ifndef OPENSSL_NO_DEPRECATED_3_0 /* Callback used by test_set_tmp_dh() */ static DH *tmp_dh_callback(SSL *s, int is_export, int keylen) {
[openssl] master update
The branch master has been updated via e604b7c9156c66c05dd1640707f196f9fd49a184 (commit) from 975aae76db8792c9137921adf0e4ecbbf375f46b (commit) - Log - commit e604b7c9156c66c05dd1640707f196f9fd49a184 Author: Rich Salz Date: Tue Jan 5 18:05:42 2021 -0500 Document openssl thread-safety Also discuss reference-counting, mutability and safety. Thanks to David Benjamin for pointing to comment text he added to boringSSL's header files. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13788) --- Summary of changes: doc/man3/CRYPTO_THREAD_run_once.pod | 2 +- doc/man7/openssl-threads.pod| 105 2 files changed, 106 insertions(+), 1 deletion(-) create mode 100644 doc/man7/openssl-threads.pod diff --git a/doc/man3/CRYPTO_THREAD_run_once.pod b/doc/man3/CRYPTO_THREAD_run_once.pod index 3a46809efe..c15dc319fa 100644 --- a/doc/man3/CRYPTO_THREAD_run_once.pod +++ b/doc/man3/CRYPTO_THREAD_run_once.pod @@ -179,7 +179,7 @@ repeatedly load/unload shared libraries that allocate locks. =head1 SEE ALSO -L +L, L. =head1 COPYRIGHT diff --git a/doc/man7/openssl-threads.pod b/doc/man7/openssl-threads.pod new file mode 100644 index 00..56cc638e1b --- /dev/null +++ b/doc/man7/openssl-threads.pod @@ -0,0 +1,105 @@ +=pod + +=head1 NAME + +openssl-threads - Overview of thread safety in OpenSSL + +=head1 DESCRIPTION + +In this man page, we use the term B to indicate that an +object or function can be used by multiple threads at the same time. + +OpenSSL can be built with or without threads support. The most important +use of this support is so that OpenSSL itself can use a single consistent +API, as shown in L. +Multi-platform applications can also use this API. + +In particular, being configured for threads support does not imply that +all OpenSSL objects are thread-safe. +To emphasize: I. +Exceptions to this should be documented on the specific manual pages, and +some general high-level guidance is given here. + +One major use of the OpenSSL thread API is to implement reference counting. +Many objects within OpenSSL are reference-counted, so resources are not +released, until the last reference is removed. +References are often increased automatically (such as when an B +certificate object is added into an B trust store). +There is often an B_up_ref>() function that can be used to increase +the reference count. +Failure to match B_up_ref>() calls with the right number of +B_free>() calls is a common source of memory leaks when a program +exits. + +Many objects have set and get API's to set attributes in the object. +A C passes ownership from the caller to the object and a +C returns a pointer but the attribute ownership +remains with the object and a reference to it is returned. +A C or C function does not change the ownership, but instead +updates the attribute's reference count so that the object is shared +between the caller and the object; the caller must free the returned +attribute when finished. +Functions that involve attributes that have reference counts themselves, +but are named with just C or C are historical; and the documentation +must state how the references are handled. +Get methods are often thread-safe as long as the ownership requirements are +met and shared objects are not modified. +Set methods, or modifying shared objects, are generally not thread-safe +as discussed below. + +Objects are thread-safe +as long as the API's being invoked don't modify the object; in this +case the parameter is usually marked in the API as C. +Not all parameters are marked this way. +Note that a C declaration does not mean immutable; for example +L takes pointers to C objects, but the implementation +uses a C cast to remove that so it can lock objects, generate and cache +a DER encoding, and so on. + +Another instance of thread-safety is when updates to an object's +internal state, such as cached values, are done with locks. +One example of this is the reference counting API's described above. + +In all cases, however, it is generally not safe for one thread to +mutate an object, such as setting elements of a private or public key, +while another thread is using that object, such as verifying a signature. + +The same API's can usually be used simultaneously on different objects +without interference. +For example, two threads can calculate a signature using two different +B objects. + +For implicit global state or singletons, thread-safety depends on the facility. +The L and related API's have their own lock, +while L assumes the underlying platform allocation +will do any necessary locking. +Some API's, such as L and related, or L +do no locking at all; this can be considered a bug. + +A separate, although related, iss
[openssl] master update
The branch master has been updated via 975aae76db8792c9137921adf0e4ecbbf375f46b (commit) from 0434f9841d45dee081c64ea3aba794a922787ece (commit) - Log - commit 975aae76db8792c9137921adf0e4ecbbf375f46b Author: Pauli Date: Thu Jan 14 11:49:47 2021 +1000 Remove unused DRBG tests. The DRBG known answer tests are performed by evp_test and the old vectors are not used. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/13867) --- Summary of changes: test/drbgtest.c |1 - test/drbgtest.h | 1670 --- 2 files changed, 1671 deletions(-) delete mode 100644 test/drbgtest.h diff --git a/test/drbgtest.c b/test/drbgtest.c index 30c6b270d0..8c3ed23c35 100644 --- a/test/drbgtest.c +++ b/test/drbgtest.c @@ -38,7 +38,6 @@ #endif #include "testutil.h" -#include "drbgtest.h" /* * DRBG generate wrappers diff --git a/test/drbgtest.h b/test/drbgtest.h deleted file mode 100644 index a00c168c8c..00 --- a/test/drbgtest.h +++ /dev/null @@ -1,1670 +0,0 @@ -/* - * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -/* - * Known answer tests for SP800-90 DRBG CTR mode. - */ - - -/* - * AES-128 use df PR - */ -static const unsigned char aes_128_use_df_pr_entropyinput[] = { -0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33, -0xc8, 0xdb, 0xff, 0x12 -}; -static const unsigned char aes_128_use_df_pr_nonce[] = { -0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28 -}; -static const unsigned char aes_128_use_df_pr_personalizationstring[] = { -0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe, -0xd7, 0xd7, 0x01, 0x67 -}; -static const unsigned char aes_128_use_df_pr_additionalinput[] = { -0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e, -0x9a, 0x47, 0x08, 0x76 -}; -static const unsigned char aes_128_use_df_pr_entropyinputpr[] = { -0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51, -0x09, 0xfb, 0xa3, 0xb6 -}; -static const unsigned char aes_128_use_df_pr_int_returnedbits[] = { -0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52, -0x66, 0x1c, 0xea, 0x5b -}; -static const unsigned char aes_128_use_df_pr_additionalinput2[] = { -0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11, -0x3f, 0x5e, 0x31, 0x06 -}; -static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = { -0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae, -0xa7, 0xe3, 0xa8, 0x67 -}; -static const unsigned char aes_128_use_df_pr_returnedbits[] = { -0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24, -0x0f, 0x38, 0x43, 0xc6 -}; - - -/* - * AES-128 use df no PR - */ -static const unsigned char aes_128_use_df_entropyinput[] = { -0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3, -0x9d, 0x7d, 0x1c, 0x9b -}; -static const unsigned char aes_128_use_df_nonce[] = { -0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96, -}; -static const unsigned char aes_128_use_df_personalizationstring[] = { -0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3, -0x38, 0x66, 0xba, 0x1b -}; -static const unsigned char aes_128_use_df_additionalinput[] = { -0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46, -0xb5, 0xe2, 0xb2, 0x41 -}; -static const unsigned char aes_128_use_df_int_returnedbits[] = { -0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67, -0xe7, 0x57, 0x11, 0xb4 -}; -static const unsigned char aes_128_use_df_entropyinputreseed[] = { -0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b, -0xc7, 0xc4, 0x9e, 0x39 -}; -static const unsigned char aes_128_use_df_additionalinputreseed[] = { -0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a, -0xc8, 0x93, 0xfa, 0x84 -}; -static const unsigned char aes_128_use_df_additionalinput2[] = { -0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5, -0x06, 0x0c, 0x15, 0x2c -}; -static const unsigned char aes_128_use_df_returnedbits[] = { -0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88, -0x46, 0x81, 0xc7, 0x19 -}; - - -/* - * AES-192 use df PR - */ -static const unsigned char aes_192_use_df_pr_entropyinput[] = { -0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec, -0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x
[openssl] master update
The branch master has been updated via 0434f9841d45dee081c64ea3aba794a922787ece (commit) from 3bc061eb0a990a95d35c462b9206bdf74905cfa2 (commit) - Log - commit 0434f9841d45dee081c64ea3aba794a922787ece Author: Daniel Bevenius Date: Wed Jan 13 15:30:20 2021 +0100 Correct typo in rsa_oaep.c Reviewed-by: Kurt Roeckx Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13861) --- Summary of changes: crypto/rsa/rsa_oaep.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index f47369a1af..66f2ae40c2 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c @@ -45,7 +45,7 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, } /* - * Perform ihe padding as per NIST 800-56B 7.2.2.3 + * Perform the padding as per NIST 800-56B 7.2.2.3 * from (K) is the key material. * param (A) is the additional input. * Step numbers are included here but not in the constant time inverse below
Build failed: openssl master.39193
Build openssl master.39193 failed Commit f0ee0a0142 by Dr. David von Oheimb on 1/15/2021 7:27 AM: x509: Replace magic numbers returned by {X509_,}check_ca() by proper mnemonic names Configure your notification preferences