Build completed: openssl master.39235
Build openssl master.39235 completed Commit 97e4ca9dc5 by Shane Lontis on 12/8/2020 2:52 AM: fixup! Remove pkey_downgrade from PKCS7 code Configure your notification preferences
Build failed: openssl master.39234
Build openssl master.39234 failed Commit d65de2048d by Dr. David von Oheimb on 1/18/2021 7:08 PM: fixup! make various test CA certs RFC 5280 compliant w.r.t. X509 extensions Configure your notification preferences
Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module
Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: ed4a9b15d9 replace all BIO_R_NULL_PARAMETER by ERR_R_PASSED_NULL_PARAMETER dc88a03906 bio_lib.c: Fix error queue entries and return codes on NULL args etc. ab8af35aa2 X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it 2c04b34140 Allow EVP_PKEY private key objects to be created without a public component 39f3427dc1 Fix incomplete deprecation guard in test/sslapitest.c 3f6e891d42 Fix crypto/des/build.info e604b7c915 Document openssl thread-safety 975aae76db Remove unused DRBG tests. 0434f9841d Correct typo in rsa_oaep.c 3bc061eb0a Enhance default provider documentation b11ba50fd9 Fix a failure where fetches can return NULL in multi-threaded code 7dd2cb5693 Fix an issue in provider_activate_fallbacks() b457c8f514 Extend the threads test to add simple fetch from multi threads f5a50c2a07 Enable locking on the primary DRBG when we create it 2c40421440 Make sure we take the ctx->lock in ossl_lib_ctx_generic_new() c25a1524aa Lock the provider operation_bits 886ad0045b Document the core_thread_start upcall ae95a40e8d Add a test for performing work in multiple concurrent threads f6b72c7d75 Fix a crash with multi-threaded applications using the FIPS module c476c06f50 find_issuer(): When returning an expired issuer, take the most recently expired one f5f4fbaa44 Make the OSSL_CMP manual conform with man-pages(7) 4369a882a5 Skip BOM when reading the config file 5eb24fbd1c OPENSSL_cpuid_setup FreeBSD arm update. b57ec7394a OPENSSL_cpuid_setup FreeBSD PowerPC update 879365e6d4 Make header references conform with man-pages(7) in all manuals 0f2380066d Make the OSSL_trace manual conform with man-pages(7) 2645c94bb5 Make the OSSL_PROVIDER manual conform with man-pages(7) ad2cc1a08e Make the OSSL_HTTP manual conform with man-pages(7) ab21608952 Make the OSSL_SELF_TEST manual conform with man-pages(7) b91f41daba Make the OSSL_PARAM manual conform with man-pages(7) Build log ended with (last 100 lines): # setup_client_ctx:../openssl/apps/cmp.c:1977:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2027:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 0 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem -out_trusted root.crt => 0 not ok 43 - popo RAVERIFIED # -- # cmp_main:../openssl/apps/cmp.c:2661:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2260:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:684:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1977:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2027:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # -- # Failed test 'popo NONE' # at ../openssl/test/recipes/81-test_cmp_cli.t line 183. # cmp_main:../ope
[openssl] master update
The branch master has been updated via 47b784a41b729d5df9ad47c99355db2f2026a709 (commit) from 038f4dc68edd16f719ce5cf140eda2fb5b86a62a (commit) - Log - commit 47b784a41b729d5df9ad47c99355db2f2026a709 Author: Kurt Roeckx Date: Thu Dec 17 22:28:17 2020 +0100 Fix memory leak in mac_newctx() on error Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13702) --- Summary of changes: providers/implementations/signature/mac_legacy.c | 1 + 1 file changed, 1 insertion(+) diff --git a/providers/implementations/signature/mac_legacy.c b/providers/implementations/signature/mac_legacy.c index b92dabde3c..79a5c911a3 100644 --- a/providers/implementations/signature/mac_legacy.c +++ b/providers/implementations/signature/mac_legacy.c @@ -74,6 +74,7 @@ static void *mac_newctx(void *provctx, const char *propq, const char *macname) return pmacctx; err: +OPENSSL_free(pmacctx->propq); OPENSSL_free(pmacctx); EVP_MAC_free(mac); return NULL;
[openssl] master update
The branch master has been updated via 038f4dc68edd16f719ce5cf140eda2fb5b86a62a (commit) via 84af8027c5f2132a9166673e7a47b0f31c7cfe1d (commit) from 0d83b7b9036feea680ba45751df028ff5e86cd63 (commit) - Log - commit 038f4dc68edd16f719ce5cf140eda2fb5b86a62a Author: Shane Lontis Date: Fri Dec 11 19:24:46 2020 +1000 Fix PKCS7 potential segfault As the code that handles libctx, propq for PKCS7 is very similar to CMS code, a similiar fix for issue #13624 needs to be applied. Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13668) commit 84af8027c5f2132a9166673e7a47b0f31c7cfe1d Author: Shane Lontis Date: Fri Dec 11 19:19:37 2020 +1000 CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**. Fixes #13624 Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13668) --- Summary of changes: crypto/cms/cms_enc.c | 7 +- crypto/cms/cms_env.c | 20 +++-- crypto/cms/cms_ess.c | 5 +- crypto/cms/cms_io.c | 4 +- crypto/cms/cms_kari.c| 19 +++-- crypto/cms/cms_lib.c | 19 ++--- crypto/cms/cms_pwri.c| 7 +- crypto/cms/cms_sd.c | 28 --- crypto/cms/cms_smime.c | 6 +- crypto/pkcs7/pk7_asn1.c | 2 +- crypto/pkcs7/pk7_doit.c | 44 ++ crypto/pkcs7/pk7_lib.c | 6 +- crypto/pkcs7/pk7_mime.c | 2 +- crypto/pkcs7/pk7_smime.c | 3 +- crypto/x509/x_all.c | 4 +- test/cmsapitest.c| 212 ++- 16 files changed, 318 insertions(+), 70 deletions(-) diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c index 0069bde939..c7583f4088 100644 --- a/crypto/cms/cms_enc.c +++ b/crypto/cms/cms_enc.c @@ -37,6 +37,8 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, size_t tkeylen = 0; int ok = 0; int enc, keep_key = 0; +OSSL_LIB_CTX *libctx = cms_ctx_get0_libctx(cms_ctx); +const char *propq = cms_ctx_get0_propq(cms_ctx); enc = ec->cipher ? 1 : 0; @@ -60,8 +62,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, cipher = EVP_get_cipherbyobj(calg->algorithm); } if (cipher != NULL) { -fetched_ciph = EVP_CIPHER_fetch(cms_ctx->libctx, EVP_CIPHER_name(cipher), -cms_ctx->propq); +fetched_ciph = EVP_CIPHER_fetch(libctx, EVP_CIPHER_name(cipher), propq); if (fetched_ciph != NULL) cipher = fetched_ciph; } @@ -82,7 +83,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, /* Generate a random IV if we need one */ ivlen = EVP_CIPHER_CTX_iv_length(ctx); if (ivlen > 0) { -if (RAND_bytes_ex(cms_ctx->libctx, iv, ivlen) <= 0) +if (RAND_bytes_ex(libctx, iv, ivlen) <= 0) goto err; piv = iv; } diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index 15ebe1b86b..d2f630146e 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -181,7 +181,8 @@ void cms_RecipientInfos_set_cmsctx(CMS_ContentInfo *cms) break; case CMS_RECIPINFO_TRANS: ri->d.ktri->cms_ctx = ctx; -x509_set0_libctx(ri->d.ktri->recip, ctx->libctx, ctx->propq); +x509_set0_libctx(ri->d.ktri->recip, cms_ctx_get0_libctx(ctx), + cms_ctx_get0_propq(ctx)); break; case CMS_RECIPINFO_KEK: ri->d.kekri->cms_ctx = ctx; @@ -310,8 +311,9 @@ static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip, ktri->recip = recip; if (flags & CMS_KEY_PARAM) { -ktri->pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, ktri->pkey, -ctx->propq); +ktri->pctx = EVP_PKEY_CTX_new_from_pkey(cms_ctx_get0_libctx(ctx), +ktri->pkey, +cms_ctx_get0_propq(ctx)); if (ktri->pctx == NULL) return 0; if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0) @@ -470,7 +472,8 @@ static int cms_RecipientInfo_ktri_encrypt(const CMS_ContentInfo *cms, if (!cms_env_asn1_ctrl(ri, 0)) goto err; } else { -pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, ktri->pkey, ctx->propq); +pctx = EVP_PKEY_CTX_new_from_pkey(cms_ctx_get0_libctx(ctx), ktri->pkey, + cms_ctx_get0_propq(ctx)); if (pctx == NULL) return 0; @@ -524,6 +527,8 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, EVP_CIPHER *fetched_cipher = NULL; CMS_Encrypt
[openssl] master update
The branch master has been updated via 0d83b7b9036feea680ba45751df028ff5e86cd63 (commit) from 3aff5b4bac7186fda9208a76127eff040cafae13 (commit) - Log - commit 0d83b7b9036feea680ba45751df028ff5e86cd63 Author: Tomas Mraz Date: Thu Jan 14 15:19:46 2021 +0100 Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity To clarify the purpose of these two calls rename them to EVP_CIPHER_CTX_get_original_iv and EVP_CIPHER_CTX_get_updated_iv. Also rename the OSSL_CIPHER_PARAM_IV_STATE to OSSL_CIPHER_PARAM_UPDATED_IV to better align with the function name. Fixes #13411 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13870) --- Summary of changes: crypto/evp/evp_lib.c | 14 ...t_iv.pod => EVP_CIPHER_CTX_get_original_iv.pod} | 41 +- doc/man7/provider-cipher.pod | 4 +-- include/openssl/core_names.h | 2 +- include/openssl/evp.h | 4 +-- .../ciphers/cipher_aes_cbc_hmac_sha.c | 7 ++-- providers/implementations/ciphers/cipher_aes_ocb.c | 4 +-- providers/implementations/ciphers/ciphercommon.c | 4 +-- .../implementations/ciphers/ciphercommon_ccm.c | 2 +- .../implementations/ciphers/ciphercommon_gcm.c | 2 +- .../implementations/include/prov/ciphercommon.h| 2 +- ssl/ktls.c | 6 ++-- test/aesgcmtest.c | 2 +- test/evp_extra_test.c | 4 +-- test/evp_test.c| 2 +- util/libcrypto.num | 4 +-- 16 files changed, 56 insertions(+), 48 deletions(-) rename doc/man3/{EVP_CIPHER_CTX_get_iv.pod => EVP_CIPHER_CTX_get_original_iv.pod} (52%) diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index 954acaae0d..32f67a9242 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -511,8 +511,8 @@ const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx) OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; params[0] = -OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_IV_STATE, (void **)&v, - sizeof(ctx->iv)); +OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_UPDATED_IV, + (void **)&v, sizeof(ctx->iv)); ok = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->provctx, params); return ok != 0 ? v : NULL; @@ -525,24 +525,24 @@ unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx) OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; params[0] = -OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_IV_STATE, (void **)&v, - sizeof(ctx->iv)); +OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_UPDATED_IV, + (void **)&v, sizeof(ctx->iv)); ok = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->provctx, params); return ok != 0 ? v : NULL; } #endif /* OPENSSL_NO_DEPRECATED_3_0_0 */ -int EVP_CIPHER_CTX_get_iv_state(EVP_CIPHER_CTX *ctx, void *buf, size_t len) +int EVP_CIPHER_CTX_get_updated_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len) { OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; params[0] = -OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_IV_STATE, buf, len); +OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_UPDATED_IV, buf, len); return evp_do_ciph_ctx_getparams(ctx->cipher, ctx->provctx, params); } -int EVP_CIPHER_CTX_get_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len) +int EVP_CIPHER_CTX_get_original_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len) { OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; diff --git a/doc/man3/EVP_CIPHER_CTX_get_iv.pod b/doc/man3/EVP_CIPHER_CTX_get_original_iv.pod similarity index 52% rename from doc/man3/EVP_CIPHER_CTX_get_iv.pod rename to doc/man3/EVP_CIPHER_CTX_get_original_iv.pod index e099d96dec..c5995a584d 100644 --- a/doc/man3/EVP_CIPHER_CTX_get_iv.pod +++ b/doc/man3/EVP_CIPHER_CTX_get_original_iv.pod @@ -2,29 +2,36 @@ =head1 NAME -EVP_CIPHER_CTX_get_iv, EVP_CIPHER_CTX_get_iv_state, EVP_CIPHER_CTX_iv, EVP_CIPHER_CTX_original_iv, EVP_CIPHER_CTX_iv_noconst - Routines to inspect EVP_CIPHER_CTX IV data +EVP_CIPHER_CTX_get_original_iv, EVP_CIPHER_CTX_get_updated_iv, +EVP_CIPHER_CTX_iv, EVP_CIPHER_CTX_original_iv, +EVP_CIPHER_CTX_iv_noconst - Routines to inspect EVP_CIPHER_CTX IV data =head1 SYNOPSIS #include - int EVP_CIPHER_CTX_get_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len); - int EVP_CIPHER_CTX_get_iv_state(EVP_CIPHER_CTX *ctx, void *buf, size_t len); + int EVP_CIPHER_CTX_get_
[openssl] master update
The branch master has been updated via 3aff5b4bac7186fda9208a76127eff040cafae13 (commit) from ed4a9b15d9cd1eea7493873d01949f075cea2b65 (commit) - Log - commit 3aff5b4bac7186fda9208a76127eff040cafae13 Author: Michael Baentsch Date: Fri Jan 15 11:40:31 2021 +0100 Update SERVER_HELLO_MAX_LENGTH Update constant to maximum permitted by RFC 8446 Fixes #13868 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13874) --- Summary of changes: ssl/statem/statem_local.h | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ssl/statem/statem_local.h b/ssl/statem/statem_local.h index 9e03b7d363..40c3724bed 100644 --- a/ssl/statem/statem_local.h +++ b/ssl/statem/statem_local.h @@ -19,13 +19,16 @@ /* The spec allows for a longer length than this, but we limit it */ #define HELLO_VERIFY_REQUEST_MAX_LENGTH 258 #define END_OF_EARLY_DATA_MAX_LENGTH0 -#define SERVER_HELLO_MAX_LENGTH 2 #define HELLO_RETRY_REQUEST_MAX_LENGTH 2 #define ENCRYPTED_EXTENSIONS_MAX_LENGTH 2 #define SERVER_KEY_EXCH_MAX_LENGTH 102400 #define SERVER_HELLO_DONE_MAX_LENGTH0 #define KEY_UPDATE_MAX_LENGTH 1 #define CCS_MAX_LENGTH 1 + +/* Max ServerHello size permitted by RFC 8446 */ +#define SERVER_HELLO_MAX_LENGTH 65607 + /* Max should actually be 36 but we are generous */ #define FINISHED_MAX_LENGTH 64