Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module
Platform and configuration command: $ uname -a Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: eb78f95523 Make fipsinstall -out flag optional b238e78fe8 Rearranged .pdata entries in rsaz-avx512.pl to make them properly ordered. 1f085af02c Add coveralls to CI c08138e500 Fix compilation under -Werror 0dd19e750f Fix a windows build break 218e1263c4 ec_keymgmt: fix coverity 1474427: resource leak 9d8c53ed16 dh: fix coverty 1474423: resource leak 9ca269af63 apps: fix coverity 1451544: improper use of negative value 66325793cc test: fix coverity 1451534: improper use of negative value 69fb52e028 test: fix coverity 1469427: impropery use of negative value 51d1991ecd test: fix coverity 1454812: improper use of negative value 9ba18520ff test: fix coverity 1451574: improper use of negative value 1634b2df9f enc: fix coverity 1451499, 1451501, 1451506, 1451507, 1351511, 1451514, 1451517, 1451523, 1451526m 1451528, 1451539, 1451441, 1451549, 1451568 & 1451572: improper use of negative value fe10fa7521 test: fix coverity 1371689 & 1371690: improper use of negative values 5a14bd153a apps: fix coverity 271258: improper use of negative value a60b533125 err: fix coverity 1452768: dereference after null check 711d7ca594 pem: fix coverity 1474426: uninitialised scalar variable. a669418c8e Be more selective about copying libcrypto symbols into legacy.so ccdfcf07d9 Disable fips-securitychecks if no-fips is configured. 6511f686c2 endecode_test: Add file and line arguments to test callbacks e72dbd8e13 Fix usages of const EVP_MD. c781eb1c63 Dual 1024-bit exponentiation optimization for Intel IceLake CPU with AVX512_IFMA + AVX512_VL instructions, primarily for RSA CRT private key operations. It uses 256-bit registers to avoid CPU frequency scaling issues. The performance speedup for RSA2k signature on ICL is ~2x. db89d8f04b APPS: fix load_certs_multifile() interpreting backslashes 251c48183b Fix DER reading from stdin for BIO_f_readbuffer Build log ended with (last 100 lines): ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo5.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # -- # Failed test 'popo NONE' # at ../openssl/test/recipes/80-test_cmp_http.t line 145. Warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # cmp_main:../openssl/apps/cmp.c:2578:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2177:CMP warning: argument of -proxy option is empty string, resetting option # setup_client_ctx:../openssl/apps/cmp.c:1894:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:167:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:187:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:167:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:187:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:1944:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo6.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 2 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo6.pem -out_trusted root.crt => 0 not ok 48 - popo KEYENC not supported # -- # Looks like you failed 3 tests of 92. not ok 5 - CMP app CLI Mock enrollment # -- # # Failed test 'CMP app CLI Mock enrollment # ' # at /home/openssl/run-checker/enable-fuzz-afl/../openssl/util/perl/OpenSSL/Test.pm line 1335. # Looks like you failed 3 tests of 5.80-test_cmp_http.t . Dubious, test returned 3 (wstat 768, 0x300) Failed 3/5 subtests # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... ok 80-test_dane.t . ok 80-test_dtls.t . ok 80-test_dtls_mtu.t . ok
[openssl] master update
The branch master has been updated via 8c63532002fdab11b437bc8d68012c2b05cf00ea (commit) via 8eca93f8fbd568df3431c449e2b53d4a3aa5bae4 (commit) via 27f37279df67abc2ed8239435042de86ae3c74ca (commit) via 40d6e05cf8075e1f37aeb5ea1b49f47896f951fa (commit) via 8cdcb63fc02239e92fc4bdcc5b97d38cc726c439 (commit) via 3352a4f6fade5da0d0dfa9e7c9c9c261598c4bac (commit) via f47865156a7b26c3ee4b6479f821588eaa53fddf (commit) via b8cb90cdb68d81770e21417ca554954c92603675 (commit) via 0d2b8bd261bbebc8a1834d85ede0a2bd22c71851 (commit) via a02d70dd510e66eb2f916a723e30fd7e75b33eef (commit) via 6a6844a219769aa9f58782fda2960c0ab5a4022b (commit) from 3c4c8dd84ac18345a44120bb28f7fc85e33da093 (commit) - Log - commit 8c63532002fdab11b437bc8d68012c2b05cf00ea Author: Pauli Date: Fri Mar 19 09:46:03 2021 +1000 test: fix coverity 1473609 & 1473610: unchecked return values Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14615) commit 8eca93f8fbd568df3431c449e2b53d4a3aa5bae4 Author: Pauli Date: Fri Mar 19 09:43:24 2021 +1000 evp: fix coverity 1473378: unchecked return value Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14615) commit 27f37279df67abc2ed8239435042de86ae3c74ca Author: Pauli Date: Fri Mar 19 09:41:34 2021 +1000 params: fix coverity 1473069: unchecked return values Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14615) commit 40d6e05cf8075e1f37aeb5ea1b49f47896f951fa Author: Pauli Date: Fri Mar 19 09:40:05 2021 +1000 evp: fix coverity 1467500 & 1467502: unchecked return values Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14615) commit 8cdcb63fc02239e92fc4bdcc5b97d38cc726c439 Author: Pauli Date: Fri Mar 19 09:35:05 2021 +1000 apps: fix coverity 1455340: unchecked return value Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14615) commit 3352a4f6fade5da0d0dfa9e7c9c9c261598c4bac Author: Pauli Date: Fri Mar 19 09:30:07 2021 +1000 test: fix coverity 1451550: unchecked return value Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14615) commit f47865156a7b26c3ee4b6479f821588eaa53fddf Author: Pauli Date: Fri Mar 19 09:22:50 2021 +1000 test: fix coverity 1429210: unchecked return value Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14615) commit b8cb90cdb68d81770e21417ca554954c92603675 Author: Pauli Date: Fri Mar 19 09:19:08 2021 +1000 test: fix coverity 1416888: unchecked return value Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14615) commit 0d2b8bd261bbebc8a1834d85ede0a2bd22c71851 Author: Pauli Date: Fri Mar 19 09:14:40 2021 +1000 test: fix coverity 1414451: unchecked return value Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14615) commit a02d70dd510e66eb2f916a723e30fd7e75b33eef Author: Pauli Date: Fri Mar 19 09:11:02 2021 +1000 apps: fix coverity 1358776, 1451513, 1451519, 1451531 & 1473387: unchecked return values Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14615) commit 6a6844a219769aa9f58782fda2960c0ab5a4022b Author: Pauli Date: Fri Mar 19 08:44:09 2021 +1000 test: fix coverity 1338157: unchecked return value Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14615) --- Summary of changes: apps/lib/s_cb.c | 8 --- apps/speed.c| 45 +++-- crypto/evp/p_legacy.c | 16 +++-- crypto/evp/p_lib.c | 5 +++-- crypto/params_from_text.c | 7 +++--- test/bad_dtls_test.c| 44 +--- test/exptest.c | 21 - test/gmdifftest.c | 4 ++-- test/modes_internal_test.c | 3 ++- test/ssl_cert_table_internal_test.c | 33 ++- test/threadstest.c | 8 +++ 11 files changed, 110 insertions(+), 84 deletions(-) diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c index 4c209e76df..6824567c70 100644 --- a/apps/lib/s_cb.c +++ b/apps/lib/s_cb.c @@ -1276,12 +1276,14 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls) { X509_CRL *crl; -int i; +int i, ret = 1; + for (i = 0; i < sk_X509_CRL_num(crls); i++) { crl = sk_X509_CRL_value(crls, i); -X509_STORE_add_crl(st,
[openssl] master update
The branch master has been updated via 3c4c8dd84ac18345a44120bb28f7fc85e33da093 (commit) via 26d5244253f94b6bd0fa41d4a222c827d8c5b3fe (commit) via fbe286a36efffacc846c9134c4f000f2a49355a0 (commit) via 993237a8b678a888c05bc88d6c872be74696b768 (commit) from 8f4cddbc903a402abb9f39c2e220ee3858188655 (commit) - Log - commit 3c4c8dd84ac18345a44120bb28f7fc85e33da093 Author: Pauli Date: Fri Mar 19 13:05:16 2021 +1000 encoder: fix coverity 1473235: null dereference Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14618) commit 26d5244253f94b6bd0fa41d4a222c827d8c5b3fe Author: Pauli Date: Fri Mar 19 10:23:12 2021 +1000 apps: fix coverity 1470781: explicit null dereference Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14618) commit fbe286a36efffacc846c9134c4f000f2a49355a0 Author: Pauli Date: Fri Mar 19 10:19:18 2021 +1000 sm2: fix coverity 1467503: explicit null dereference Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14618) commit 993237a8b678a888c05bc88d6c872be74696b768 Author: Pauli Date: Fri Mar 19 10:17:11 2021 +1000 rsa: fix coverity 1463571: explicit null dereference Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14618) --- Summary of changes: apps/gendsa.c | 8 crypto/encode_decode/encoder_pkey.c | 2 +- providers/implementations/keymgmt/rsa_kmgmt.c | 11 +-- providers/implementations/signature/sm2sig.c | 2 +- 4 files changed, 11 insertions(+), 12 deletions(-) diff --git a/apps/gendsa.c b/apps/gendsa.c index 13ac69d37d..482191d8bf 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c @@ -60,8 +60,7 @@ int gendsa_main(int argc, char **argv) char *dsaparams = NULL, *ciphername = NULL; char *outfile = NULL, *passoutarg = NULL, *passout = NULL, *prog; OPTION_CHOICE o; -int ret = 1, private = 0, verbose = 0; -const BIGNUM *p = NULL; +int ret = 1, private = 0, verbose = 0, nbits; prog = opt_init(argc, argv, gendsa_options); while ((o = opt_next()) != OPT_EOF) { @@ -126,7 +125,8 @@ int gendsa_main(int argc, char **argv) if (out == NULL) goto end2; -if (EVP_PKEY_bits(pkey) > OPENSSL_DSA_MAX_MODULUS_BITS) +nbits = EVP_PKEY_bits(pkey); +if (nbits > OPENSSL_DSA_MAX_MODULUS_BITS) BIO_printf(bio_err, "Warning: It is not recommended to use more than %d bit for DSA keys.\n" " Your key size is %d! Larger key size may behave not as expected.\n", @@ -144,7 +144,7 @@ int gendsa_main(int argc, char **argv) goto end; } if (verbose) -BIO_printf(bio_err, "Generating DSA key, %d bits\n", BN_num_bits(p)); +BIO_printf(bio_err, "Generating DSA key, %d bits\n", nbits); if (EVP_PKEY_keygen(ctx, ) <= 0) { BIO_printf(bio_err, "unable to generate key\n"); goto end; diff --git a/crypto/encode_decode/encoder_pkey.c b/crypto/encode_decode/encoder_pkey.c index fc5a391420..713aa44131 100644 --- a/crypto/encode_decode/encoder_pkey.c +++ b/crypto/encode_decode/encoder_pkey.c @@ -261,7 +261,7 @@ static int ossl_encoder_ctx_setup_for_pkey(OSSL_ENCODER_CTX *ctx, } } -if (OSSL_ENCODER_CTX_get_num_encoders(ctx) != 0) { +if (data != NULL && OSSL_ENCODER_CTX_get_num_encoders(ctx) != 0) { if (!OSSL_ENCODER_CTX_set_construct(ctx, encoder_construct_pkey) || !OSSL_ENCODER_CTX_set_construct_data(ctx, data) || !OSSL_ENCODER_CTX_set_cleanup(ctx, encoder_destruct_pkey)) diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c index 394f3836dd..eac3843884 100644 --- a/providers/implementations/keymgmt/rsa_kmgmt.c +++ b/providers/implementations/keymgmt/rsa_kmgmt.c @@ -435,16 +435,15 @@ static void *gen_init(void *provctx, int selection, int rsa_type, || !BN_set_word(gctx->pub_exp, RSA_F4)) { BN_free(gctx->pub_exp); OPENSSL_free(gctx); -gctx = NULL; -} else { -gctx->nbits = 2048; -gctx->primes = RSA_DEFAULT_PRIME_NUM; -gctx->rsa_type = rsa_type; +return NULL; } +gctx->nbits = 2048; +gctx->primes = RSA_DEFAULT_PRIME_NUM; +gctx->rsa_type = rsa_type; } if (!rsa_gen_set_params(gctx, params)) { OPENSSL_free(gctx); -gctx = NULL; +return NULL; } return gctx; } diff --git a/providers/implementations/signature/sm2sig.c b/providers/implementations/signature/sm2sig.c index 6fb0ff919b..9016aefc02 100644 --- a/providers/implementations/signature/sm2sig.c +++
[openssl] master update
The branch master has been updated via 8f4cddbc903a402abb9f39c2e220ee3858188655 (commit) via 9aa4be691f5c73eb3c68606d824c104550c053f7 (commit) via 96a68f21c305d33f89e1e0bc9c45b6afb0de7654 (commit) from 4f0831b837e97504d4cfbfecfca069c527be4a2b (commit) - Log - commit 8f4cddbc903a402abb9f39c2e220ee3858188655 Author: Pauli Date: Tue Mar 23 10:59:34 2021 +1000 rand: fix coverity 1473636: data race condition Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14651) commit 9aa4be691f5c73eb3c68606d824c104550c053f7 Author: Pauli Date: Tue Mar 23 10:35:13 2021 +1000 x509: fix coverity 1474424: data race condition Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14651) commit 96a68f21c305d33f89e1e0bc9c45b6afb0de7654 Author: Pauli Date: Tue Mar 23 10:33:15 2021 +1000 x509: fix coverity 1461225: data race condition Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14651) --- Summary of changes: crypto/rand/rand_lib.c | 13 + crypto/x509/pcy_map.c | 4 +++- crypto/x509/v3_purp.c | 5 - 3 files changed, 16 insertions(+), 6 deletions(-) diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 318540cff0..f6c5bc15ee 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -158,7 +158,8 @@ int RAND_poll(void) } # ifndef OPENSSL_NO_DEPRECATED_3_0 -int RAND_set_rand_method(const RAND_METHOD *meth) +static int rand_set_rand_method_internal(const RAND_METHOD *meth, + ossl_unused ENGINE *e) { if (!RUN_ONCE(_init, do_rand_init)) return 0; @@ -167,13 +168,18 @@ int RAND_set_rand_method(const RAND_METHOD *meth) return 0; # ifndef OPENSSL_NO_ENGINE ENGINE_finish(funct_ref); -funct_ref = NULL; +funct_ref = e; # endif default_RAND_meth = meth; CRYPTO_THREAD_unlock(rand_meth_lock); return 1; } +int RAND_set_rand_method(const RAND_METHOD *meth) +{ +return rand_set_rand_method_internal(meth, NULL); +} + const RAND_METHOD *RAND_get_rand_method(void) { const RAND_METHOD *tmp_meth = NULL; @@ -228,8 +234,7 @@ int RAND_set_rand_engine(ENGINE *engine) } /* This function releases any prior ENGINE so call it first */ -RAND_set_rand_method(tmp_meth); -funct_ref = engine; +rand_set_rand_method_internal(tmp_meth, engine); CRYPTO_THREAD_unlock(rand_engine_lock); return 1; } diff --git a/crypto/x509/pcy_map.c b/crypto/x509/pcy_map.c index b599ff9804..d129eca4c3 100644 --- a/crypto/x509/pcy_map.c +++ b/crypto/x509/pcy_map.c @@ -73,8 +73,10 @@ int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps) ret = 1; bad_mapping: -if (ret == -1) +if (ret == -1 && CRYPTO_THREAD_write_lock(x->lock)) { x->ex_flags |= EXFLAG_INVALID_POLICY; +CRYPTO_THREAD_unlock(x->lock); +} sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free); return ret; diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c index b98fc584ff..5b13fd7445 100644 --- a/crypto/x509/v3_purp.c +++ b/crypto/x509/v3_purp.c @@ -681,7 +681,10 @@ static int check_ca(const X509 *x) void X509_set_proxy_flag(X509 *x) { -x->ex_flags |= EXFLAG_PROXY; +if (CRYPTO_THREAD_write_lock(x->lock)) { +x->ex_flags |= EXFLAG_PROXY; +CRYPTO_THREAD_unlock(x->lock); +} } void X509_set_proxy_pathlen(X509 *x, long l)
[openssl] master update
The branch master has been updated via 4f0831b837e97504d4cfbfecfca069c527be4a2b (commit) from 468d9d556409a53da2c5d16961f9531dd10a6e1b (commit) - Log - commit 4f0831b837e97504d4cfbfecfca069c527be4a2b Author: Tomas Mraz Date: Tue Mar 23 16:40:53 2021 +0100 EVP_PKCS82PKEY: Create provided keys if possible Use OSSL_DECODER to decode the PKCS8 data to create provided keys. If that fails fallback to the legacy implementation. Fixes #14302 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14659) --- Summary of changes: crypto/asn1/d2i_pr.c | 4 ++-- crypto/evp/evp_pkey.c | 33 +++-- include/crypto/evp.h | 2 ++ test/endecode_test.c | 2 ++ 4 files changed, 37 insertions(+), 4 deletions(-) diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c index 5d95c9e042..fb0ae08356 100644 --- a/crypto/asn1/d2i_pr.c +++ b/crypto/asn1/d2i_pr.c @@ -106,7 +106,7 @@ d2i_PrivateKey_legacy(int keytype, EVP_PKEY **a, const unsigned char **pp, ERR_clear_last_mark(); goto err; } -tmp = EVP_PKCS82PKEY_ex(p8, libctx, propq); +tmp = evp_pkcs82pkey_legacy(p8, libctx, propq); PKCS8_PRIV_KEY_INFO_free(p8); if (tmp == NULL) { ERR_clear_last_mark(); @@ -190,7 +190,7 @@ static EVP_PKEY *d2i_AutoPrivateKey_legacy(EVP_PKEY **a, ERR_raise(ERR_LIB_ASN1, ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE); return NULL; } -ret = EVP_PKCS82PKEY_ex(p8, libctx, propq); +ret = evp_pkcs82pkey_legacy(p8, libctx, propq); PKCS8_PRIV_KEY_INFO_free(p8); if (ret == NULL) return NULL; diff --git a/crypto/evp/evp_pkey.c b/crypto/evp/evp_pkey.c index 9879392114..7aafd76822 100644 --- a/crypto/evp/evp_pkey.c +++ b/crypto/evp/evp_pkey.c @@ -13,6 +13,7 @@ #include #include #include +#include #include "internal/provider.h" #include "crypto/asn1.h" #include "crypto/evp.h" @@ -20,8 +21,8 @@ /* Extract a private key from a PKCS8 structure */ -EVP_PKEY *EVP_PKCS82PKEY_ex(const PKCS8_PRIV_KEY_INFO *p8, OSSL_LIB_CTX *libctx, -const char *propq) +EVP_PKEY *evp_pkcs82pkey_legacy(const PKCS8_PRIV_KEY_INFO *p8, OSSL_LIB_CTX *libctx, +const char *propq) { EVP_PKEY *pkey = NULL; const ASN1_OBJECT *algoid; @@ -62,6 +63,34 @@ EVP_PKEY *EVP_PKCS82PKEY_ex(const PKCS8_PRIV_KEY_INFO *p8, OSSL_LIB_CTX *libctx, return NULL; } +EVP_PKEY *EVP_PKCS82PKEY_ex(const PKCS8_PRIV_KEY_INFO *p8, OSSL_LIB_CTX *libctx, +const char *propq) +{ +EVP_PKEY *pkey = NULL; +const unsigned char *p8_data = NULL; +unsigned char *encoded_data = NULL; +int encoded_len; +size_t len; +OSSL_DECODER_CTX *dctx = NULL; + +if ((encoded_len = i2d_PKCS8_PRIV_KEY_INFO(p8, _data)) <= 0) +goto end; + +p8_data = encoded_data; +len = encoded_len; +dctx = OSSL_DECODER_CTX_new_for_pkey(, "DER", "pkcs8", EVP_PKEY_NONE, + 0, libctx, propq); +if (dctx == NULL +|| !OSSL_DECODER_from_data(dctx, _data, )) +/* try legacy */ +pkey = evp_pkcs82pkey_legacy(p8, libctx, propq); + + end: +OPENSSL_clear_free(encoded_data, encoded_len); +OSSL_DECODER_CTX_free(dctx); +return pkey; +} + EVP_PKEY *EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8) { return EVP_PKCS82PKEY_ex(p8, NULL, NULL); diff --git a/include/crypto/evp.h b/include/crypto/evp.h index 18c50cdd33..2089b8b913 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h @@ -727,6 +727,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, int evp_pkey_copy_downgraded(EVP_PKEY **dest, const EVP_PKEY *src); void *evp_pkey_get_legacy(EVP_PKEY *pk); void evp_pkey_free_legacy(EVP_PKEY *x); +EVP_PKEY *evp_pkcs82pkey_legacy(const PKCS8_PRIV_KEY_INFO *p8inf, +OSSL_LIB_CTX *libctx, const char *propq); #endif /* diff --git a/test/endecode_test.c b/test/endecode_test.c index 50b33ce057..ab4b631a8f 100644 --- a/test/endecode_test.c +++ b/test/endecode_test.c @@ -21,6 +21,7 @@ #include "internal/cryptlib.h" /* ossl_assert */ #include "crypto/pem.h" /* For PVK and "blob" PEM headers */ +#include "crypto/evp.h" /* For evp_pkey_is_provided() */ #include "helpers/predefined_dhparams.h" #include "testutil.h" @@ -498,6 +499,7 @@ static int check_unprotected_PKCS8_DER(const char *file, const int line, TEST_note("%s isn't any of %s", type, namelist); OPENSSL_free(namelist); } +ok = ok && TEST_FL_true(evp_pkey_is_provided(pkey));
[web] master update
The branch master has been updated via dd5f38e589cf996a273ab78b9ef741e7d78f2eb7 (commit) from 15064d72540a2d5405d749acd74caeb8683ae886 (commit) - Log - commit dd5f38e589cf996a273ab78b9ef741e7d78f2eb7 Author: Matt Caswell Date: Thu Mar 25 10:53:37 2021 + Updates for the 1.1.1k release Reviewed-by: Tim Hudson --- Summary of changes: news/newsflash.txt | 1 + news/secadv/20210325.txt | 90 news/vulnerabilities.xml | 86 - 3 files changed, 176 insertions(+), 1 deletion(-) create mode 100644 news/secadv/20210325.txt diff --git a/news/newsflash.txt b/news/newsflash.txt index 1bbcaf2..648a68a 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -5,6 +5,7 @@ # headings. URL paths must all be absolute. Date: Item +25-Mar-2021: OpenSSL 1.1.1k is now available, including bug and security fixes 11-Mar-2021: Alpha 13 of OpenSSL 3.0 is now available: please download and test it 18-Feb-2021: Alpha 12 of OpenSSL 3.0 is now available: please download and test it 16-Feb-2021: OpenSSL 1.1.1j is now available, including bug and security fixes diff --git a/news/secadv/20210325.txt b/news/secadv/20210325.txt new file mode 100644 index 000..2ffb50c --- /dev/null +++ b/news/secadv/20210325.txt @@ -0,0 +1,90 @@ +OpenSSL Security Advisory [25 March 2021] += + +CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450) + + +Severity: High + +The X509_V_FLAG_X509_STRICT flag enables additional security checks of the +certificates present in a certificate chain. It is not set by default. + +Starting from OpenSSL version 1.1.1h a check to disallow certificates in +the chain that have explicitly encoded elliptic curve parameters was added +as an additional strict check. + +An error in the implementation of this check meant that the result of a +previous check to confirm that certificates in the chain are valid CA +certificates was overwritten. This effectively bypasses the check +that non-CA certificates must not be able to issue other certificates. + +If a "purpose" has been configured then there is a subsequent opportunity +for checks that the certificate is a valid CA. All of the named "purpose" +values implemented in libcrypto perform this check. Therefore, where +a purpose is set the certificate chain will still be rejected even when the +strict flag has been used. A purpose is set by default in libssl client and +server certificate verification routines, but it can be overridden or +removed by an application. + +In order to be affected, an application must explicitly set the +X509_V_FLAG_X509_STRICT verification flag and either not set a purpose +for the certificate verification or, in the case of TLS client or server +applications, override the default purpose. + +OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these +versions should upgrade to OpenSSL 1.1.1k. + +OpenSSL 1.0.2 is not impacted by this issue. + +This issue was reported to OpenSSL on 18th March 2021 by Benjamin Kaduk +from Akamai and was discovered by Xiang Ding and others at Akamai. The fix was +developed by Tomáš Mráz. + + +NULL pointer deref in signature_algorithms processing (CVE-2021-3449) += + +Severity: High + +An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation +ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits +the signature_algorithms extension (where it was present in the initial +ClientHello), but includes a signature_algorithms_cert extension then a NULL +pointer dereference will result, leading to a crash and a denial of service +attack. + +A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which +is the default configuration). OpenSSL TLS clients are not impacted by this +issue. + +All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions +should upgrade to OpenSSL 1.1.1k. + +OpenSSL 1.0.2 is not impacted by this issue. + +This issue was reported to OpenSSL on 17th March 2021 by Nokia. The fix was +developed by Peter Kästle and Samuel Sapalski from Nokia. + +Note + + +OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended +support is available for premium support customers: +https://www.openssl.org/support/contracts.html + +OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind. +The impact of these issues on OpenSSL 1.1.0 has not been analysed. + +Users of these versions should upgrade to OpenSSL 1.1.1. + +References +== + +URL for this Security Advisory: +https://
[openssl] master update
The branch master has been updated via 468d9d556409a53da2c5d16961f9531dd10a6e1b (commit) via 39a140597d874e554b736885ac4dea16ac40a87a (commit) via 02b1636fe3db274497304a3e95a4e32ced7e841b (commit) via 112580c27b829b0ac0874d5c5787195f27c7952c (commit) via ae937a096c6ce42d016281b91677f78de3f3cfe3 (commit) from eb78f9552307248ca5ccfc28d61faa823dae7c7e (commit) - Log - commit 468d9d556409a53da2c5d16961f9531dd10a6e1b Author: Matt Caswell Date: Thu Mar 25 10:20:50 2021 + Update CHANGES.md and NEWS.md for new release Reviewed-by: Tomas Mraz commit 39a140597d874e554b736885ac4dea16ac40a87a Author: Matt Caswell Date: Thu Mar 18 16:52:10 2021 + Ensure buffer/length pairs are always in sync Following on from CVE-2021-3449 which was caused by a non-zero length associated with a NULL buffer, other buffer/length pairs are updated to ensure that they too are always in sync. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale commit 02b1636fe3db274497304a3e95a4e32ced7e841b Author: Peter Kaestle Date: Mon Mar 15 13:19:56 2021 +0100 ssl sigalg extension: fix NULL pointer dereference As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's possible to crash an openssl tls secured server remotely by sending a manipulated hello message in a rehandshake. On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls tls12_shared_sigalgs() with the peer_sigalgslen of the previous handshake, while the peer_sigalgs has been freed. As a result tls12_shared_sigalgs() walks over the available peer_sigalgs and tries to access data of a NULL pointer. This issue was introduced by c589c34e61 (Add support for the TLS 1.3 signature_algorithms_cert extension, 2018-01-11). Signed-off-by: Peter Kästle Signed-off-by: Samuel Sapalski CVE-2021-3449 CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale Reviewed-by: Matt Caswell commit 112580c27b829b0ac0874d5c5787195f27c7952c Author: Matt Caswell Date: Thu Mar 18 15:29:04 2021 + Add a test for CVE-2021-3449 We perform a reneg handshake, where the second ClientHello drops the sig_algs extension. It must also contain cert_sig_algs for the test to work. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale commit ae937a096c6ce42d016281b91677f78de3f3cfe3 Author: Matt Caswell Date: Thu Mar 18 15:25:42 2021 + Teach TLSProxy how to encrypt <= TLSv1.2 ETM records Previously TLSProxy only knew how to "repack" messages for TLSv1.3. Most of the handshake in <= TLSv1.2 is unencrypted so this hasn't been too much of restriction. However we now want to modify reneg handshakes which are encrypted so we need to add that capability. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale --- Summary of changes: CHANGES.md | 43 NEWS.md | 5 + ssl/s3_lib.c | 5 - ssl/ssl_lib.c| 14 +--- ssl/statem/extensions.c | 2 ++ ssl/statem/extensions_clnt.c | 13 +-- ssl/statem/statem_clnt.c | 7 +- ssl/statem/statem_srvr.c | 15 ++--- test/recipes/70-test_renegotiation.t | 36 +- util/perl/TLSProxy/Message.pm| 37 +-- 10 files changed, 159 insertions(+), 18 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 559f09a035..c57b9ad4a5 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1661,6 +1661,49 @@ OpenSSL 1.1.1 ### Changes between 1.1.1j and 1.1.1k [xx XXX ] + * Fixed a problem with verifying a certificate chain when using the + X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks of + the certificates present in a certificate chain. It is not set by default. + + Starting from OpenSSL version 1.1.1h a check to disallow certificates in + the chain that have explicitly encoded elliptic curve parameters was added + as an additional strict check. + + An error in the implementation of this check meant that the result of a + previous check to confirm that certificates in the chain are valid CA + certificates was overwritten. This effectively bypasses the check + that non-CA certificates must not be able to issue other certificates. + + If a "purpose" has been configured then there is a subsequent opportunity + for checks that the certificate is a valid CA. All of the named "purpose" + values implemented in libcrypto perform this check. Therefore, where + a purpose is set the certificate chain will still be rejected even when the +
[openssl] OpenSSL_1_1_1k create
The annotated tag OpenSSL_1_1_1k has been created at 6503afba18b24332d3160a013179258a8edff959 (tag) tagging fd78df59b0f656aefe96e39533130454aa957c00 (commit) replaces OpenSSL_1_1_1j tagged by Matt Caswell on Thu Mar 25 13:28:38 2021 + - Log - OpenSSL 1.1.1k release tag -BEGIN PGP SIGNATURE- iQFFBAABCAAvFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmBckAYRHG1hdHRAb3Bl bnNzbC5vcmcACgkQ2cTSbQ5gRJHB+wgArkcLVfMX7yKdoXiBbPsdcWKTuNvTBRK3 OTym+Szs10L0u13L+1F0JGTMRWIEtBLzCySN9wmxcALhpgs4UpDIgyPFhwIV+PMq GLTCR0DyYTLsaIiSgaYfw3UBYb9JFTdoYLyWrH3QVauuk03WCOo/zWgf3q5ozvfk zYk8ZW4dPpKcPLvVi2IA7OoEKYF9le7UqetkNsBbbSV8kPVOK8QwIwEgC5vrOkkz Qz8TG3fQIYzvgnhf/ZslRGoc8NF7znzP6ggxX6qKS3+5FUDLngGc3MrfxI6yZYk2 sNFr3nhbjP+ef8HaSNAt/qmTpNIBuAOV4eqE6A1egKWiCti4/PmhPQ== =+klc -END PGP SIGNATURE- Benjamin Kaduk (1): Check ASN1_item_ndef_i2d() return value. Chenglong Zhang (1): Fix missing INVALID_EXTENSION John Baldwin (2): Use CRIOGET to fetch a crypto descriptor when present. Close /dev/crypto file descriptor after CRIOGET ioctl(). Mark (1): Fix filename escaping in c_rehash Matt Caswell (8): Prepare for 1.1.1k-dev Add a missing RUN_ONCE in rand_lib.c Teach TLSProxy how to encrypt <= TLSv1.2 ETM records Add a test for CVE-2021-3449 Ensure buffer/length pairs are always in sync Update CHANGES and NEWS for new release Update copyright year Prepare for 1.1.1k release Nicola Tuveri (1): [github-ci] Add a out-of-tree_build job Pauli (4): modes: fix coverity 1449860: overlapping memory copy modes: fix coverity 1449851: overlapping memory copy ssl: fix coverity 1451515: out of bounds memory access apps: fix coverity 966560: division by zero Peter Kaestle (1): ssl sigalg extension: fix NULL pointer dereference Richard Levitte (3): TEST: Add missing initialization [1.1.1] Fix `make update` for out-of-tree builds ASN1: Reset the content dump flag after dumping Tomas Mraz (1): check_chain_extensions: Do not override error return value by check_curve Zhang Jinde (1): CRYPTO_gcm128_decrypt: fix mac or tag calculation jwalch (1): Fix an integer overflow in o_time.c panda (1): Check SSL_set1_chain error in set_cert_cb ---
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 122e5f7c010859f0b2984d553fa45cd1f18a6fc4 (commit) via fd78df59b0f656aefe96e39533130454aa957c00 (commit) via e83638bc3a3e2f731fd10946bd460b021465b285 (commit) via 62f75c999ec8b125f154ad70b028e92ea312d084 (commit) via d33c2a3d8453a75509bcc8d2cf7d2dc2a3a518d0 (commit) via fb9fa6b51defd48157eeb207f52181f735d96148 (commit) via 3ff38629a2df6635f36bfb79513cc6440db8cd70 (commit) via 46d81bcabe2d36055bdd37079ed6acf976d967a7 (commit) via 2a40b7bc7b94dd7de897a74571e7024f0cf0d63b (commit) from cfd74383d9b06f85cb1e166180346115a3f9a452 (commit) - Log - commit 122e5f7c010859f0b2984d553fa45cd1f18a6fc4 Author: Matt Caswell Date: Thu Mar 25 13:28:48 2021 + Prepare for 1.1.1l-dev Reviewed-by: Tomas Mraz commit fd78df59b0f656aefe96e39533130454aa957c00 Author: Matt Caswell Date: Thu Mar 25 13:28:38 2021 + Prepare for 1.1.1k release Reviewed-by: Tomas Mraz commit e83638bc3a3e2f731fd10946bd460b021465b285 Author: Matt Caswell Date: Thu Mar 25 13:21:32 2021 + Update copyright year Reviewed-by: Tomas Mraz commit 62f75c999ec8b125f154ad70b028e92ea312d084 Author: Matt Caswell Date: Thu Mar 25 10:29:55 2021 + Update CHANGES and NEWS for new release Reviewed-by: Tomas Mraz commit d33c2a3d8453a75509bcc8d2cf7d2dc2a3a518d0 Author: Matt Caswell Date: Thu Mar 18 16:52:10 2021 + Ensure buffer/length pairs are always in sync Following on from CVE-2021-3449 which was caused by a non-zero length associated with a NULL buffer, other buffer/length pairs are updated to ensure that they too are always in sync. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale commit fb9fa6b51defd48157eeb207f52181f735d96148 Author: Peter Kaestle Date: Mon Mar 15 13:19:56 2021 +0100 ssl sigalg extension: fix NULL pointer dereference As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's possible to crash an openssl tls secured server remotely by sending a manipulated hello message in a rehandshake. On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls tls12_shared_sigalgs() with the peer_sigalgslen of the previous handshake, while the peer_sigalgs has been freed. As a result tls12_shared_sigalgs() walks over the available peer_sigalgs and tries to access data of a NULL pointer. This issue was introduced by c589c34e61 (Add support for the TLS 1.3 signature_algorithms_cert extension, 2018-01-11). Signed-off-by: Peter Kästle Signed-off-by: Samuel Sapalski CVE-2021-3449 CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale Reviewed-by: Matt Caswell commit 3ff38629a2df6635f36bfb79513cc6440db8cd70 Author: Matt Caswell Date: Thu Mar 18 15:29:04 2021 + Add a test for CVE-2021-3449 We perform a reneg handshake, where the second ClientHello drops the sig_algs extension. It must also contain cert_sig_algs for the test to work. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale commit 46d81bcabe2d36055bdd37079ed6acf976d967a7 Author: Matt Caswell Date: Thu Mar 18 15:25:42 2021 + Teach TLSProxy how to encrypt <= TLSv1.2 ETM records Previously TLSProxy only knew how to "repack" messages for TLSv1.3. Most of the handshake in <= TLSv1.2 is unencrypted so this hasn't been too much of restriction. However we now want to modify reneg handshakes which are encrypted so we need to add that capability. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale commit 2a40b7bc7b94dd7de897a74571e7024f0cf0d63b Author: Tomas Mraz Date: Mon Mar 22 08:51:52 2021 + check_chain_extensions: Do not override error return value by check_curve The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates with explicitly encoded elliptic curve parameters in the chain was added to the strict checks. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then a subsequent check that the certificate is consistent with that purpose also checks that it is a valid CA. Therefore where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-ec2m
Platform and configuration command: $ uname -a Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-ec2m Commit log since last time: eb78f95523 Make fipsinstall -out flag optional b238e78fe8 Rearranged .pdata entries in rsaz-avx512.pl to make them properly ordered. 1f085af02c Add coveralls to CI c08138e500 Fix compilation under -Werror 0dd19e750f Fix a windows build break 218e1263c4 ec_keymgmt: fix coverity 1474427: resource leak 9d8c53ed16 dh: fix coverty 1474423: resource leak 9ca269af63 apps: fix coverity 1451544: improper use of negative value 66325793cc test: fix coverity 1451534: improper use of negative value 69fb52e028 test: fix coverity 1469427: impropery use of negative value 51d1991ecd test: fix coverity 1454812: improper use of negative value 9ba18520ff test: fix coverity 1451574: improper use of negative value 1634b2df9f enc: fix coverity 1451499, 1451501, 1451506, 1451507, 1351511, 1451514, 1451517, 1451523, 1451526m 1451528, 1451539, 1451441, 1451549, 1451568 & 1451572: improper use of negative value fe10fa7521 test: fix coverity 1371689 & 1371690: improper use of negative values 5a14bd153a apps: fix coverity 271258: improper use of negative value a60b533125 err: fix coverity 1452768: dereference after null check 711d7ca594 pem: fix coverity 1474426: uninitialised scalar variable. a669418c8e Be more selective about copying libcrypto symbols into legacy.so ccdfcf07d9 Disable fips-securitychecks if no-fips is configured. 6511f686c2 endecode_test: Add file and line arguments to test callbacks e72dbd8e13 Fix usages of const EVP_MD. c781eb1c63 Dual 1024-bit exponentiation optimization for Intel IceLake CPU with AVX512_IFMA + AVX512_VL instructions, primarily for RSA CRT private key operations. It uses 256-bit registers to avoid CPU frequency scaling issues. The performance speedup for RSA2k signature on ICL is ~2x. db89d8f04b APPS: fix load_certs_multifile() interpreting backslashes 251c48183b Fix DER reading from stdin for BIO_f_readbuffer Build log ended with (last 100 lines): 70-test_sslcertstatus.t ok 70-test_sslextension.t . ok 70-test_sslmessages.t .. ok 70-test_sslrecords.t ... ok 70-test_sslsessiontick.t ... ok 70-test_sslsigalgs.t ... ok 70-test_sslsignature.t . ok 70-test_sslskewith0p.t . ok 70-test_sslversions.t .. ok 70-test_sslvertol.t ok 70-test_tls13alerts.t .. ok 70-test_tls13cookie.t .. ok 70-test_tls13downgrade.t ... ok 70-test_tls13hrr.t . ok 70-test_tls13kexmodes.t ok 70-test_tls13messages.t ok 70-test_tls13psk.t . ok 70-test_tlsextms.t . ok 70-test_verify_extra.t . ok 70-test_wpacket.t .. ok 71-test_ssl_ctx.t .. ok 80-test_ca.t ... ok 80-test_cipherbytes.t .. ok 80-test_cipherlist.t ... ok 80-test_ciphername.t ... ok # 80-test_cmp_http.t . ok # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... ok 80-test_dane.t . ok 80-test_dtls.t . ok 80-test_dtls_mtu.t . ok 80-test_dtlsv1listen.t . ok 80-test_http.t . ok 80-test_ocsp.t . ok 80-test_pkcs12.t ... ok 80-test_ssl_new.t .. ok 80-test_ssl_old.t .. ok 80-test_ssl_test_ctx.t . ok 80-test_sslcorrupt.t ... ok 80-test_tsa.t .. ok 80-test_x509aux.t .. ok 81-test_cmp_cli.t .. ok 90-test_asn1_time.t ok 90-test_async.t ok 90-test_bio_enc.t .. ok 90-test_bio_memleak.t .. ok 90-test_constant_time.t ok 90-test_fatalerr.t . ok 90-test_fipsload.t . ok 90-test_gmdiff.t ... ok 90-test_gost.t . ok 90-test_ige.t .. ok 90-test_includes.t . ok 90-test_memleak.t .. ok 90-test_overhead.t . ok 90-test_secmem.t ... ok 90-test_shlibload.t ok 90-test_srp.t .. ok 90-test_sslapi.t ... ok 90-test_sslbuffers.t ... ok 90-test_store.t ok 90-test_sysdefault.t ... ok 90-test_threads.t .. ok 90-test_time_offset.t .. ok 90-test_tls13ccs.t . ok 90-test_tls13encryption.t .. ok 90-test_tls13secrets.t . ok 90-test_v3name.t ... ok 91-test_pkey_check.t ... ok 95-test_external_boringssl.t ... skipped: No
Build completed: openssl master.41003
Build openssl master.41003 completed Commit afc98d9004 by Andrey Matyukov on 3/24/2021 7:05 AM: Increase minimum clang version requirement for rsaz-avx512.pl Configure your notification preferences
SUCCESSFUL build of OpenSSL branch master with options -d --strict-warnings no-dso
Platform and configuration command: $ uname -a Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dso Commit log since last time: eb78f95523 Make fipsinstall -out flag optional b238e78fe8 Rearranged .pdata entries in rsaz-avx512.pl to make them properly ordered. 1f085af02c Add coveralls to CI c08138e500 Fix compilation under -Werror 0dd19e750f Fix a windows build break 218e1263c4 ec_keymgmt: fix coverity 1474427: resource leak 9d8c53ed16 dh: fix coverty 1474423: resource leak 9ca269af63 apps: fix coverity 1451544: improper use of negative value 66325793cc test: fix coverity 1451534: improper use of negative value 69fb52e028 test: fix coverity 1469427: impropery use of negative value 51d1991ecd test: fix coverity 1454812: improper use of negative value 9ba18520ff test: fix coverity 1451574: improper use of negative value 1634b2df9f enc: fix coverity 1451499, 1451501, 1451506, 1451507, 1351511, 1451514, 1451517, 1451523, 1451526m 1451528, 1451539, 1451441, 1451549, 1451568 & 1451572: improper use of negative value fe10fa7521 test: fix coverity 1371689 & 1371690: improper use of negative values 5a14bd153a apps: fix coverity 271258: improper use of negative value a60b533125 err: fix coverity 1452768: dereference after null check 711d7ca594 pem: fix coverity 1474426: uninitialised scalar variable. a669418c8e Be more selective about copying libcrypto symbols into legacy.so ccdfcf07d9 Disable fips-securitychecks if no-fips is configured. 6511f686c2 endecode_test: Add file and line arguments to test callbacks e72dbd8e13 Fix usages of const EVP_MD. c781eb1c63 Dual 1024-bit exponentiation optimization for Intel IceLake CPU with AVX512_IFMA + AVX512_VL instructions, primarily for RSA CRT private key operations. It uses 256-bit registers to avoid CPU frequency scaling issues. The performance speedup for RSA2k signature on ICL is ~2x. db89d8f04b APPS: fix load_certs_multifile() interpreting backslashes 251c48183b Fix DER reading from stdin for BIO_f_readbuffer
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des
Platform and configuration command: $ uname -a Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: eb78f95523 Make fipsinstall -out flag optional b238e78fe8 Rearranged .pdata entries in rsaz-avx512.pl to make them properly ordered. 1f085af02c Add coveralls to CI c08138e500 Fix compilation under -Werror 0dd19e750f Fix a windows build break 218e1263c4 ec_keymgmt: fix coverity 1474427: resource leak 9d8c53ed16 dh: fix coverty 1474423: resource leak 9ca269af63 apps: fix coverity 1451544: improper use of negative value 66325793cc test: fix coverity 1451534: improper use of negative value 69fb52e028 test: fix coverity 1469427: impropery use of negative value 51d1991ecd test: fix coverity 1454812: improper use of negative value 9ba18520ff test: fix coverity 1451574: improper use of negative value 1634b2df9f enc: fix coverity 1451499, 1451501, 1451506, 1451507, 1351511, 1451514, 1451517, 1451523, 1451526m 1451528, 1451539, 1451441, 1451549, 1451568 & 1451572: improper use of negative value fe10fa7521 test: fix coverity 1371689 & 1371690: improper use of negative values 5a14bd153a apps: fix coverity 271258: improper use of negative value a60b533125 err: fix coverity 1452768: dereference after null check 711d7ca594 pem: fix coverity 1474426: uninitialised scalar variable. a669418c8e Be more selective about copying libcrypto symbols into legacy.so ccdfcf07d9 Disable fips-securitychecks if no-fips is configured. 6511f686c2 endecode_test: Add file and line arguments to test callbacks e72dbd8e13 Fix usages of const EVP_MD. c781eb1c63 Dual 1024-bit exponentiation optimization for Intel IceLake CPU with AVX512_IFMA + AVX512_VL instructions, primarily for RSA CRT private key operations. It uses 256-bit registers to avoid CPU frequency scaling issues. The performance speedup for RSA2k signature on ICL is ~2x. db89d8f04b APPS: fix load_certs_multifile() interpreting backslashes 251c48183b Fix DER reading from stdin for BIO_f_readbuffer Build log ended with (last 100 lines): 70-test_sslrecords.t ... ok 70-test_sslsessiontick.t ... ok 70-test_sslsigalgs.t ... ok 70-test_sslsignature.t . ok 70-test_sslskewith0p.t . ok 70-test_sslversions.t .. ok 70-test_sslvertol.t ok 70-test_tls13alerts.t .. ok 70-test_tls13cookie.t .. ok 70-test_tls13downgrade.t ... ok 70-test_tls13hrr.t . ok 70-test_tls13kexmodes.t ok 70-test_tls13messages.t ok 70-test_tls13psk.t . ok 70-test_tlsextms.t . ok 70-test_verify_extra.t . ok 70-test_wpacket.t .. ok 71-test_ssl_ctx.t .. ok 80-test_ca.t ... ok 80-test_cipherbytes.t .. ok 80-test_cipherlist.t ... ok 80-test_ciphername.t ... ok # 80-test_cmp_http.t . ok # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... ok 80-test_dane.t . ok 80-test_dtls.t . ok 80-test_dtls_mtu.t . ok 80-test_dtlsv1listen.t . ok 80-test_http.t . ok 80-test_ocsp.t . ok 80-test_pkcs12.t ... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .. ok 80-test_ssl_old.t .. ok 80-test_ssl_test_ctx.t . ok 80-test_sslcorrupt.t ... ok 80-test_tsa.t .. ok 80-test_x509aux.t .. ok 81-test_cmp_cli.t .. ok 90-test_asn1_time.t ok 90-test_async.t ok 90-test_bio_enc.t .. ok 90-test_bio_memleak.t .. ok 90-test_constant_time.t ok 90-test_fatalerr.t . ok 90-test_fipsload.t . ok 90-test_gmdiff.t ... ok 90-test_gost.t . ok 90-test_ige.t .. ok 90-test_includes.t . ok 90-test_memleak.t .. ok 90-test_overhead.t . ok 90-test_secmem.t ... ok 90-test_shlibload.t ok 90-test_srp.t .. ok 90-test_sslapi.t ... ok 90-test_sslbuffers.t ... ok 90-test_store.t ok 90-test_sysdefault.t ... ok 90-test_threads.t .. ok 90-test_time_offset.t .. ok 90-test_tls13ccs.t . ok 90-test_tls13encryption.t .. ok 90-test_tls13secrets.t . ok 90-test_v3name.t ... ok 91-test_pkey_check.t ... ok 95-test_external_boringssl.t ... skipped: No external tests in this configuration
Build failed: openssl master.41002
Build openssl master.41002 failed Commit 1b371208a2 by Randall S. Becker on 3/18/2021 1:54 PM: Force flush in BIO_free. Configure your notification preferences