Build completed: openssl master.39235

2021-01-18 Thread AppVeyor


Build openssl master.39235 completed



Commit 97e4ca9dc5 by Shane Lontis on 12/8/2020 2:52 AM:

fixup! Remove pkey_downgrade from PKCS7 code





Build failed: openssl master.39234

2021-01-18 Thread AppVeyor



Build openssl master.39234 failed


Commit d65de2048d by Dr. David von Oheimb on 1/18/2021 7:08 PM:

fixup! make various test CA certs RFC 5280 compliant w.r.t. X509 extensions





Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module

2021-01-18 Thread OpenSSL run-checker
Platform and configuration command:

$ uname -a
Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module

Commit log since last time:

ed4a9b15d9 replace all BIO_R_NULL_PARAMETER by ERR_R_PASSED_NULL_PARAMETER
dc88a03906 bio_lib.c: Fix error queue entries and return codes on NULL args etc.
ab8af35aa2 X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it
2c04b34140 Allow EVP_PKEY private key objects to be created without a public 
component
39f3427dc1 Fix incomplete deprecation guard in test/sslapitest.c
3f6e891d42 Fix crypto/des/build.info
e604b7c915 Document openssl thread-safety
975aae76db Remove unused DRBG tests.
0434f9841d Correct typo in rsa_oaep.c
3bc061eb0a Enhance default provider documentation
b11ba50fd9 Fix a failure where fetches can return NULL in multi-threaded code
7dd2cb5693 Fix an issue in provider_activate_fallbacks()
b457c8f514 Extend the threads test to add simple fetch from multi threads
f5a50c2a07 Enable locking on the primary DRBG when we create it
2c40421440 Make sure we take the ctx->lock in ossl_lib_ctx_generic_new()
c25a1524aa Lock the provider operation_bits
886ad0045b Document the core_thread_start upcall
ae95a40e8d Add a test for performing work in multiple concurrent threads
f6b72c7d75 Fix a crash with multi-threaded applications using the FIPS module
c476c06f50 find_issuer(): When returning an expired issuer, take the most 
recently expired one
f5f4fbaa44 Make the OSSL_CMP manual conform with man-pages(7)
4369a882a5 Skip BOM when reading the config file
5eb24fbd1c OPENSSL_cpuid_setup FreeBSD arm update.
b57ec7394a OPENSSL_cpuid_setup FreeBSD PowerPC update
879365e6d4 Make header references conform with man-pages(7) in all manuals
0f2380066d Make the OSSL_trace manual conform with man-pages(7)
2645c94bb5 Make the OSSL_PROVIDER manual conform with man-pages(7)
ad2cc1a08e Make the OSSL_HTTP manual conform with man-pages(7)
ab21608952 Make the OSSL_SELF_TEST manual conform with man-pages(7)
b91f41daba Make the OSSL_PARAM manual conform with man-pages(7)

Build log ended with (last 100 lines):

# setup_client_ctx:../openssl/apps/cmp.c:1977:CMP info: will contact 
http://127.0.0.1:1700/pkix/
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received 
IP
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending 
CERTCONF
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received 
PKICONF
# save_free_certs:../openssl/apps/cmp.c:2027:CMP info: received 1 enrolled 
certificate(s), saving to file 
'../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem'
../../../../../enable-fuzz-afl/util/wrap.pl 
../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf 
-section 'Mock enrollment' -certout 
../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' 
-no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 0 
-certout 
../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem 
-out_trusted root.crt => 0
not ok 43 - popo RAVERIFIED
# --
# cmp_main:../openssl/apps/cmp.c:2661:CMP info: using section(s) 'Mock 
enrollment' of OpenSSL configuration file '../Mock/test.cnf'
# opt_str:../openssl/apps/cmp.c:2260:CMP warning: argument of -proxy option is 
empty string, resetting option
# warn_cert_msg:../openssl/apps/cmp.c:684:CMP warning: certificate from 
'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert
# setup_client_ctx:../openssl/apps/cmp.c:1977:CMP info: will contact 
http://127.0.0.1:1700/pkix/
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received 
IP
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending 
CERTCONF
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received 
PKICONF
# save_free_certs:../openssl/apps/cmp.c:2027:CMP info: received 1 enrolled 
certificate(s), saving to file 
'../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem'
../../../../../enable-fuzz-afl/util/wrap.pl 
../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf 
-section 'Mock enrollment' -certout 
../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' 
-no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 
-certout 
../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem 
-out_trusted root.crt => 0
not ok 47 - popo NONE
# --
#   Failed test 'popo NONE'
#   at ../openssl/test/recipes/81-test_cmp_cli.t line 183.
# cmp_main:../ope

[openssl] master update

2021-01-18 Thread tmraz
The branch master has been updated
   via  47b784a41b729d5df9ad47c99355db2f2026a709 (commit)
  from  038f4dc68edd16f719ce5cf140eda2fb5b86a62a (commit)


- Log -
commit 47b784a41b729d5df9ad47c99355db2f2026a709
Author: Kurt Roeckx 
Date:   Thu Dec 17 22:28:17 2020 +0100

Fix memory leak in mac_newctx() on error

Reviewed-by: Richard Levitte 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/13702)

---

Summary of changes:
 providers/implementations/signature/mac_legacy.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/providers/implementations/signature/mac_legacy.c 
b/providers/implementations/signature/mac_legacy.c
index b92dabde3c..79a5c911a3 100644
--- a/providers/implementations/signature/mac_legacy.c
+++ b/providers/implementations/signature/mac_legacy.c
@@ -74,6 +74,7 @@ static void *mac_newctx(void *provctx, const char *propq, 
const char *macname)
 return pmacctx;
 
  err:
+OPENSSL_free(pmacctx->propq);
 OPENSSL_free(pmacctx);
 EVP_MAC_free(mac);
 return NULL;
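Review bot: At the `err:` label, the added `OPENSSL_free(pmacctx->propq);` dereferences `pmacctx`, so it is only safe if every `goto err` is reached after `pmacctx` is known to be non-NULL. The allocation and its check are outside this hunk; if any jump to `err` can occur with `pmacctx == NULL`, guard the new line with `if (pmacctx != NULL)`. Freeing a NULL `propq` is harmless, so an unset field needs no extra check.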


[openssl] master update

2021-01-18 Thread tmraz
The branch master has been updated
   via  038f4dc68edd16f719ce5cf140eda2fb5b86a62a (commit)
   via  84af8027c5f2132a9166673e7a47b0f31c7cfe1d (commit)
  from  0d83b7b9036feea680ba45751df028ff5e86cd63 (commit)


- Log -
commit 038f4dc68edd16f719ce5cf140eda2fb5b86a62a
Author: Shane Lontis 
Date:   Fri Dec 11 19:24:46 2020 +1000

Fix PKCS7 potential segfault

As the code that handles libctx, propq for PKCS7 is very similar to CMS
code, a similar fix for issue #13624 needs to be applied.

Reviewed-by: Tim Hudson 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/13668)

commit 84af8027c5f2132a9166673e7a47b0f31c7cfe1d
Author: Shane Lontis 
Date:   Fri Dec 11 19:19:37 2020 +1000

CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**.

Fixes #13624

Reviewed-by: Tim Hudson 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/13668)

---

Summary of changes:
 crypto/cms/cms_enc.c |   7 +-
 crypto/cms/cms_env.c |  20 +++--
 crypto/cms/cms_ess.c |   5 +-
 crypto/cms/cms_io.c  |   4 +-
 crypto/cms/cms_kari.c|  19 +++--
 crypto/cms/cms_lib.c |  19 ++---
 crypto/cms/cms_pwri.c|   7 +-
 crypto/cms/cms_sd.c  |  28 ---
 crypto/cms/cms_smime.c   |   6 +-
 crypto/pkcs7/pk7_asn1.c  |   2 +-
 crypto/pkcs7/pk7_doit.c  |  44 ++
 crypto/pkcs7/pk7_lib.c   |   6 +-
 crypto/pkcs7/pk7_mime.c  |   2 +-
 crypto/pkcs7/pk7_smime.c |   3 +-
 crypto/x509/x_all.c  |   4 +-
 test/cmsapitest.c| 212 ++-
 16 files changed, 318 insertions(+), 70 deletions(-)

diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c
index 0069bde939..c7583f4088 100644
--- a/crypto/cms/cms_enc.c
+++ b/crypto/cms/cms_enc.c
@@ -37,6 +37,8 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo 
*ec,
 size_t tkeylen = 0;
 int ok = 0;
 int enc, keep_key = 0;
+OSSL_LIB_CTX *libctx = cms_ctx_get0_libctx(cms_ctx);
+const char *propq = cms_ctx_get0_propq(cms_ctx);
 
 enc = ec->cipher ? 1 : 0;
 
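Review bot: The two new initializers at the top of cms_EncryptedContent_init_bio() call `cms_ctx_get0_libctx(cms_ctx)` and `cms_ctx_get0_propq(cms_ctx)` before anything in the function has checked `cms_ctx`. That only improves on the old `cms_ctx->libctx` access if both accessors return NULL when handed a NULL context; their definitions are not in this excerpt, so a short comment on the accessors stating that contract would make the intent of the fix explicit to later callers.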
@@ -60,8 +62,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo 
*ec,
 cipher = EVP_get_cipherbyobj(calg->algorithm);
 }
 if (cipher != NULL) {
-fetched_ciph = EVP_CIPHER_fetch(cms_ctx->libctx, 
EVP_CIPHER_name(cipher),
-cms_ctx->propq);
+fetched_ciph = EVP_CIPHER_fetch(libctx, EVP_CIPHER_name(cipher), 
propq);
 if (fetched_ciph != NULL)
 cipher = fetched_ciph;
 }
@@ -82,7 +83,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo 
*ec,
 /* Generate a random IV if we need one */
 ivlen = EVP_CIPHER_CTX_iv_length(ctx);
 if (ivlen > 0) {
-if (RAND_bytes_ex(cms_ctx->libctx, iv, ivlen) <= 0)
+if (RAND_bytes_ex(libctx, iv, ivlen) <= 0)
 goto err;
 piv = iv;
 }
diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
index 15ebe1b86b..d2f630146e 100644
--- a/crypto/cms/cms_env.c
+++ b/crypto/cms/cms_env.c
@@ -181,7 +181,8 @@ void cms_RecipientInfos_set_cmsctx(CMS_ContentInfo *cms)
 break;
 case CMS_RECIPINFO_TRANS:
 ri->d.ktri->cms_ctx = ctx;
-x509_set0_libctx(ri->d.ktri->recip, ctx->libctx, ctx->propq);
+x509_set0_libctx(ri->d.ktri->recip, cms_ctx_get0_libctx(ctx),
+ cms_ctx_get0_propq(ctx));
 break;
 case CMS_RECIPINFO_KEK:
 ri->d.kekri->cms_ctx = ctx;
@@ -310,8 +311,9 @@ static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo 
*ri, X509 *recip,
 ktri->recip = recip;
 
 if (flags & CMS_KEY_PARAM) {
-ktri->pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, ktri->pkey,
-ctx->propq);
+ktri->pctx = EVP_PKEY_CTX_new_from_pkey(cms_ctx_get0_libctx(ctx),
+ktri->pkey,
+cms_ctx_get0_propq(ctx));
 if (ktri->pctx == NULL)
 return 0;
 if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0)
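Review bot: Style point in cms_RecipientInfo_ktri_init(): the accessors are called inline in the `EVP_PKEY_CTX_new_from_pkey(...)` argument list, which stretches the call over three lines, while cms_enc.c in this same commit hoists them into `libctx` and `propq` locals. Using the local-variable pattern here as well would keep the two files consistent and the call easier to read.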
@@ -470,7 +472,8 @@ static int cms_RecipientInfo_ktri_encrypt(const 
CMS_ContentInfo *cms,
 if (!cms_env_asn1_ctrl(ri, 0))
 goto err;
 } else {
-pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, ktri->pkey, ctx->propq);
+pctx = EVP_PKEY_CTX_new_from_pkey(cms_ctx_get0_libctx(ctx), ktri->pkey,
+  cms_ctx_get0_propq(ctx));
 if (pctx == NULL)
 return 0;
 
@@ -524,6 +527,8 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo 
*cms,
 EVP_CIPHER *fetched_cipher = NULL;
 CMS_Encrypt

[openssl] master update

2021-01-18 Thread tmraz
The branch master has been updated
   via  0d83b7b9036feea680ba45751df028ff5e86cd63 (commit)
  from  3aff5b4bac7186fda9208a76127eff040cafae13 (commit)


- Log -
commit 0d83b7b9036feea680ba45751df028ff5e86cd63
Author: Tomas Mraz 
Date:   Thu Jan 14 15:19:46 2021 +0100

Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity

To clarify the purpose of these two calls rename them to
EVP_CIPHER_CTX_get_original_iv and EVP_CIPHER_CTX_get_updated_iv.

Also rename the OSSL_CIPHER_PARAM_IV_STATE to OSSL_CIPHER_PARAM_UPDATED_IV
to better align with the function name.

Fixes #13411

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/13870)

---

Summary of changes:
 crypto/evp/evp_lib.c   | 14 
 ...t_iv.pod => EVP_CIPHER_CTX_get_original_iv.pod} | 41 +-
 doc/man7/provider-cipher.pod   |  4 +--
 include/openssl/core_names.h   |  2 +-
 include/openssl/evp.h  |  4 +--
 .../ciphers/cipher_aes_cbc_hmac_sha.c  |  7 ++--
 providers/implementations/ciphers/cipher_aes_ocb.c |  4 +--
 providers/implementations/ciphers/ciphercommon.c   |  4 +--
 .../implementations/ciphers/ciphercommon_ccm.c |  2 +-
 .../implementations/ciphers/ciphercommon_gcm.c |  2 +-
 .../implementations/include/prov/ciphercommon.h|  2 +-
 ssl/ktls.c |  6 ++--
 test/aesgcmtest.c  |  2 +-
 test/evp_extra_test.c  |  4 +--
 test/evp_test.c|  2 +-
 util/libcrypto.num |  4 +--
 16 files changed, 56 insertions(+), 48 deletions(-)
 rename doc/man3/{EVP_CIPHER_CTX_get_iv.pod => 
EVP_CIPHER_CTX_get_original_iv.pod} (52%)

diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index 954acaae0d..32f67a9242 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -511,8 +511,8 @@ const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX 
*ctx)
 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
 
 params[0] =
-OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_IV_STATE, (void **)&v,
-   sizeof(ctx->iv));
+OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_UPDATED_IV,
+   (void **)&v, sizeof(ctx->iv));
 ok = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->provctx, params);
 
 return ok != 0 ? v : NULL;
@@ -525,24 +525,24 @@ unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX 
*ctx)
 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
 
 params[0] =
-OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_IV_STATE, (void **)&v,
-   sizeof(ctx->iv));
+OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_UPDATED_IV,
+   (void **)&v, sizeof(ctx->iv));
 ok = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->provctx, params);
 
 return ok != 0 ? v : NULL;
 }
 #endif /* OPENSSL_NO_DEPRECATED_3_0_0 */
 
-int EVP_CIPHER_CTX_get_iv_state(EVP_CIPHER_CTX *ctx, void *buf, size_t len)
+int EVP_CIPHER_CTX_get_updated_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len)
 {
 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
 
 params[0] =
-OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_IV_STATE, buf, 
len);
+OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_UPDATED_IV, buf, 
len);
 return evp_do_ciph_ctx_getparams(ctx->cipher, ctx->provctx, params);
 }
 
-int EVP_CIPHER_CTX_get_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len)
+int EVP_CIPHER_CTX_get_original_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len)
 {
 OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
 
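Review bot: Renaming `EVP_CIPHER_CTX_get_iv_state` to `EVP_CIPHER_CTX_get_updated_iv` and `EVP_CIPHER_CTX_get_iv` to `EVP_CIPHER_CTX_get_original_iv` changes exported symbol names, and the summary of changes lists util/libcrypto.num and the man page but no changelog file. If the old names were present in any published pre-release, add a changelog entry naming both old and new functions so callers know what to rename.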
diff --git a/doc/man3/EVP_CIPHER_CTX_get_iv.pod 
b/doc/man3/EVP_CIPHER_CTX_get_original_iv.pod
similarity index 52%
rename from doc/man3/EVP_CIPHER_CTX_get_iv.pod
rename to doc/man3/EVP_CIPHER_CTX_get_original_iv.pod
index e099d96dec..c5995a584d 100644
--- a/doc/man3/EVP_CIPHER_CTX_get_iv.pod
+++ b/doc/man3/EVP_CIPHER_CTX_get_original_iv.pod
@@ -2,29 +2,36 @@
 
 =head1 NAME
 
-EVP_CIPHER_CTX_get_iv, EVP_CIPHER_CTX_get_iv_state, EVP_CIPHER_CTX_iv, 
EVP_CIPHER_CTX_original_iv, EVP_CIPHER_CTX_iv_noconst - Routines to inspect 
EVP_CIPHER_CTX IV data
+EVP_CIPHER_CTX_get_original_iv, EVP_CIPHER_CTX_get_updated_iv,
+EVP_CIPHER_CTX_iv, EVP_CIPHER_CTX_original_iv,
+EVP_CIPHER_CTX_iv_noconst - Routines to inspect EVP_CIPHER_CTX IV data
 
 =head1 SYNOPSIS
 
  #include 
 
- int EVP_CIPHER_CTX_get_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len);
- int EVP_CIPHER_CTX_get_iv_state(EVP_CIPHER_CTX *ctx, void *buf, size_t len);
+ int EVP_CIPHER_CTX_get_

[openssl] master update

2021-01-18 Thread Matt Caswell
The branch master has been updated
   via  3aff5b4bac7186fda9208a76127eff040cafae13 (commit)
  from  ed4a9b15d9cd1eea7493873d01949f075cea2b65 (commit)


- Log -
commit 3aff5b4bac7186fda9208a76127eff040cafae13
Author: Michael Baentsch 
Date:   Fri Jan 15 11:40:31 2021 +0100

Update SERVER_HELLO_MAX_LENGTH

Update constant to maximum permitted by RFC 8446

Fixes #13868

Reviewed-by: Tomas Mraz 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/13874)

---

Summary of changes:
 ssl/statem/statem_local.h | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ssl/statem/statem_local.h b/ssl/statem/statem_local.h
index 9e03b7d363..40c3724bed 100644
--- a/ssl/statem/statem_local.h
+++ b/ssl/statem/statem_local.h
@@ -19,13 +19,16 @@
 /* The spec allows for a longer length than this, but we limit it */
 #define HELLO_VERIFY_REQUEST_MAX_LENGTH 258
 #define END_OF_EARLY_DATA_MAX_LENGTH0
-#define SERVER_HELLO_MAX_LENGTH 2
 #define HELLO_RETRY_REQUEST_MAX_LENGTH  2
 #define ENCRYPTED_EXTENSIONS_MAX_LENGTH 2
 #define SERVER_KEY_EXCH_MAX_LENGTH  102400
 #define SERVER_HELLO_DONE_MAX_LENGTH0
 #define KEY_UPDATE_MAX_LENGTH   1
 #define CCS_MAX_LENGTH  1
+
+/* Max ServerHello size permitted by RFC 8446 */
+#define SERVER_HELLO_MAX_LENGTH 65607
+
 /* Max should actually be 36 but we are generous */
 #define FINISHED_MAX_LENGTH 64
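Review bot: The new comment above `SERVER_HELLO_MAX_LENGTH 65607` says the value is the RFC 8446 maximum but not how it is derived, which makes the constant hard to re-check. Spell out the sum from the ServerHello structure: 2 (legacy_version) + 32 (random) + 1 + 32 (legacy_session_id_echo) + 2 (cipher_suite) + 1 (legacy_compression_method) + 2 + 65535 (extensions) = 65607. Also confirm that leaving `HELLO_RETRY_REQUEST_MAX_LENGTH` in the context lines at its old value is intended, since a HelloRetryRequest uses the ServerHello format in RFC 8446.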