[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 09126044f0120b0039b13365b30465d4b6d0f8f0 (commit) via 5d9be38211fdb8b6a1d4c9257715e8c28832a317 (commit) from 9e72d1a3145a0585b96fa9b4e9ab31ce35a43aba (commit) - Log - commit 09126044f0120b0039b13365b30465d4b6d0f8f0 Author: Viktor Dukhovni Date: Mon Aug 30 15:09:43 2021 -0400 Test for DANE cross cert fix Reviewed-by: Tomáš Mráz commit 5d9be38211fdb8b6a1d4c9257715e8c28832a317 Author: Viktor Dukhovni Date: Mon Aug 30 14:17:16 2021 -0400 Prioritise DANE TLSA issuer certs over peer certs When building the certificate chain, prioritise any Cert(0) Full(0) certificates from TLSA records over certificates received from the peer. This is important when the server sends a cross cert, but TLSA records include the underlying root CA cert. We want to construct a chain with the issuer from the TLSA record, which can then match the TLSA records (while the associated cross cert may not). Reviewed-by: Tomáš Mráz --- Summary of changes: crypto/x509/x509_vfy.c | 62 -- test/certs/cross-key.pem | 28 ++ test/certs/cross-root.pem | 18 +++ test/certs/root-cross-cert.pem | 18 +++ test/certs/setup.sh| 2 + test/dane-cross.in | 113 + test/danetest.c| 2 +- test/recipes/80-test_dane.t| 6 ++- 8 files changed, 221 insertions(+), 28 deletions(-) create mode 100644 test/certs/cross-key.pem create mode 100644 test/certs/cross-root.pem create mode 100644 test/certs/root-cross-cert.pem create mode 100644 test/dane-cross.in diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 20a36e763c..e404fcc602 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c 
@@ -2924,6 +2924,26 @@ static int get_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *cert) return ok; } +static int augment_stack(STACK_OF(X509) *src, STACK_OF(X509) **dstPtr) +{ +if (src) { +STACK_OF(X509) *dst; +int i; + +if (*dstPtr == NULL) +return ((*dstPtr = sk_X509_dup(src)) != NULL); + +for (dst = *dstPtr, i = 0; i < sk_X509_num(src); ++i) { +if (!sk_X509_push(dst, sk_X509_value(src, i))) { +sk_X509_free(dst); +*dstPtr = NULL; +return 0; +} +} +} +return 1; +} + static int build_chain(X509_STORE_CTX *ctx) { SSL_DANE *dane = ctx->dane; @@ -2967,18 +2987,7 @@ static int build_chain(X509_STORE_CTX *ctx) } /* - * Shallow-copy the stack of untrusted certificates (with TLS, this is - * typically the content of the peer's certificate message) so can make - * multiple passes over it, while free to remove elements as we go. - */ -if (ctx->untrusted && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) { -X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); -ctx->error = X509_V_ERR_OUT_OF_MEM; -return 0; -} - -/* - * If we got any "DANE-TA(2) Cert(0) Full(0)" trust-anchors from DNS, add + * If we got any "Cert(0) Full(0)" issuer certificates from DNS, *prepend* * them to our working copy of the untrusted certificate stack. Since the * caller of X509_STORE_CTX_init() may have provided only a leaf cert with * no corresponding stack of untrusted certificates, we may need to create 
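Review bot: augment_stack has no header comment, yet its ownership contract is not obvious: both the `sk_X509_dup(src)` path and the `sk_X509_push` loop copy X509 pointers without taking references (the shallow copy the removed comment in the next hunk used to spell out), and on a failed push it frees `*dstPtr` and nulls it, so the caller must not free that stack again. Suggest a comment above the function along the lines of `/* Shallow-append src to *dstPtr, creating *dstPtr if it is NULL; no X509 references are taken. On failure *dstPtr is freed and set to NULL. */`. A nit on the loop header: `sk_X509_num(src)` is re-evaluated on every iteration and reads better hoisted into a local. The build_chain hunk that calls augment_stack twice is cut off at the end of the visible lines, so its error path could not be checked end to end.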
@@ -2987,20 +2996,21 @@ static int build_chain(X509_STORE_CTX *ctx) * containing at least the leaf certificate, but we must be prepared for * this to change. ] */ -if (DANETLS_ENABLED(dane) && dane->certs != NULL) { -if (sktmp == NULL && (sktmp = sk_X509_new_null()) == NULL) { -X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); -ctx->error = X509_V_ERR_OUT_OF_MEM; -return 0; -} -for (i = 0; i < sk_X509_num(dane->certs); ++i) { -if (!sk_X509_push(sktmp, sk_X509_value(dane->certs, i))) { -sk_X509_free(sktmp); -X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); -ctx->error = X509_V_ERR_OUT_OF_MEM; -return 0; -} -} +if (DANETLS_ENABLED(dane) && !augment_stack(dane->certs, )) { +X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); +ctx->error = X509_V_ERR_OUT_OF_MEM; +return 0; +} + +/* + * Shallow-copy the stack of untrusted certificates (with TLS, this is + * typically the content of the peer's certificate message) so can make + * multiple passes over it, while free to remove elements as we go. + */ +if (!augment_stack(ctx->untrusted, )) { +X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); +
[openssl] master update
The branch master has been updated via 305c77aa8211beefe9c4081a8ffea4280c9765fc (commit) via 661de442e4231a9b0411dc8562f9e465d1d7fabc (commit) from 505d44c623c2a883cf015f26a499842cea0161f0 (commit) - Log - commit 305c77aa8211beefe9c4081a8ffea4280c9765fc Author: Viktor Dukhovni Date: Mon Aug 30 15:09:43 2021 -0400 Test for DANE cross cert fix Reviewed-by: Tomáš Mráz commit 661de442e4231a9b0411dc8562f9e465d1d7fabc Author: Viktor Dukhovni Date: Mon Aug 30 14:17:16 2021 -0400 Prioritise DANE TLSA issuer certs over peer certs When building the certificate chain, prioritise any Cert(0) Full(0) certificates from TLSA records over certificates received from the peer. This is important when the server sends a cross cert, but TLSA records include the underlying root CA cert. We want to construct a chain with the issuer from the TLSA record, which can then match the TLSA records (while the associated cross cert may not). Reviewed-by: Tomáš Mráz --- Summary of changes: crypto/x509/x509_vfy.c | 20 +--- test/certs/cross-key.pem | 28 ++ test/certs/cross-root.pem | 18 +++ test/certs/root-cross-cert.pem | 18 +++ test/certs/setup.sh| 3 ++ test/dane-cross.in | 113 + test/danetest.c| 2 +- test/recipes/80-test_dane.t| 6 ++- 8 files changed, 198 insertions(+), 10 deletions(-) create mode 100644 test/certs/cross-key.pem create mode 100644 test/certs/cross-root.pem create mode 100644 test/certs/root-cross-cert.pem create mode 100644 test/dane-cross.in diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 18c6172c98..0e5b18f67e 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c 
@@ -3023,22 +3023,26 @@ static int build_chain(X509_STORE_CTX *ctx) may_trusted = 1; } -/* - * Shallow-copy the stack of untrusted certificates (with TLS, this is - * typically the content of the peer's certificate message) so can make - * multiple passes over it, while free to remove elements as we go. - */ -if ((sk_untrusted = sk_X509_dup(ctx->untrusted)) == NULL) +/* Initialize empty untrusted stack. */ +if ((sk_untrusted = sk_X509_new_null()) == NULL) goto memerr; /* - * If we got any "DANE-TA(2) Cert(0) Full(0)" trust anchors from DNS, add - * them to our working copy of the untrusted certificate stack. + * If we got any "Cert(0) Full(0)" trust anchors from DNS, *prepend* them + * to our working copy of the untrusted certificate stack. */ if (DANETLS_ENABLED(dane) && dane->certs != NULL && !X509_add_certs(sk_untrusted, dane->certs, X509_ADD_FLAG_DEFAULT)) goto memerr; +/* + * Shallow-copy the stack of untrusted certificates (with TLS, this is + * typically the content of the peer's certificate message) so we can make + * multiple passes over it, while free to remove elements as we go. + */ +if (!X509_add_certs(sk_untrusted, ctx->untrusted, X509_ADD_FLAG_DEFAULT)) +goto memerr; + /* * Still absurdly large, but arithmetically safe, a lower hard upper bound * might be reasonable. diff --git a/test/certs/cross-key.pem b/test/certs/cross-key.pem new file mode 100644 index 00..93cd467ac7 --- /dev/null +++ b/test/certs/cross-key.pem 
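Review bot: The ordering this hunk establishes — TLSA `Cert(0) Full(0)` certs added to `sk_untrusted` first, `ctx->untrusted` appended afterwards — is the whole fix, but the only in-code hint is the word *prepend* in the comment; the reason (the issuer search over the untrusted stack should pick a TLSA-published issuer over a cross-signed cert sent by the peer, which the TLSA records may not match) lives only in the commit message. Suggest extending the comment at the DANE block: ` * TLSA issuers go first so that issuer lookup prefers them over a cross cert sent by the peer, which the TLSA records may not match.`. Whether `X509_add_certs()` tolerates a NULL `ctx->untrusted` is not visible here; the removed code passed it to `sk_X509_dup()` unchecked as well, so this is presumably handled upstream, but it is worth confirming since the NULL guard on `dane->certs` shows the authors did not rely on that for the other call.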
@@ -0,0 +1,28 @@ +-BEGIN PRIVATE KEY- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCSkfwkYXTJFL4I +ICRQFXji6eX9I1NI97GBu2Yk8ejwctMttcJTlBLYpYRFQnZgsLwVEhA25KKlSNPz +PPrEVipT5Ll5J6uhWEBGLHETh8Qx4sI508B2zUP+2tnDapYtk5MNSVdQZXVt6wJu +sXY8vd58nHPLo4zr61MTwrj3Ld0lU18YHtxnGSMMYPPTxecE0mjYU038ELxZMdlT ++VSC0KOBJddj64+kXRdiDtQGVWE58MtX5/18LgSY3J/hvNhmcWuY611pgXcmwDPr +Sn1fDeRqG87Qs8KniS1dtWHDCVW/5KZOQeLcK6VTaEdnwdPYQ7BiJp4+3ypKmErd +T9TYBs8XAgMBAAECggEABIxdeGpm8DjGRgSQLjLg88CNPWG89sBrQk0SbvQ1HJfq +dJXRDxgMFtBsFTfX6kla3xfyHpQ/dY4qJZvmQNBXIQ/oiqumw9Ah153qlGJJmXdG +PEQDEz7+2lExawwmjgk6Uvs58LMHmCNUibUdzHgsdZcwudq8R6FWZ8lvIIo6GOJg +1gOoPbeAQtNAx8LPr+eDvpXoWJrCKJKuZCSRLV2CDmEH/+KH123cD4Lg+MsPNBJd +DsOitnVczlqnKDf5gSUXy3cwQlKFtOBa/0pN9wZvZDEWa30RmJmXI2bLo/h6GxGB +JXK57mTJG3UboWFIgNBU9IudPOdzDfJE1ul/Jon/AQKBgQC7/mmZg31a/8zlPLji +oWoEEutyNu0O28BCbBrw9t1SqtPFLm53AzIzB4RFVjn9i5dnxljh618KQiY4FbKM +mz1Yuzf7zCV7n8c1NakGwmW9Ezl8ZoLE44Nu7Pccukorl6uEY7kZa2vGa7krmIcI +6kFbvVbl4scbXlDL88hGHezhoQKBgQDHl3O8kOvOhIwfVH6qIjIO+0oR57Tqtwaw +A3oq6Ppdp65GK9G4f+/5L0z/Ay69MyauBLRA6+9LlW6SmAACSK69juvPMK6gd5uS +yWQ8imh6l304BAryjOHiNXHtpnmiaPAGNgFZKPsPbWlOo4ZexTEBq23i4JM1TUph +xpCmGY1ltwKBgEuYyPo0iAo55zkfq/Fmm2079nYdZEKfV7beJg9UFjgR/crDGyS8 +okkm8qe3PuaYZbATcNaYgcVsSFYxU3V7T7YIw0B8HW6TF9Zr16aiMatQucMurdNi +8g1/OPfSadURzqUUPPDd458M3o+LbHHHUbUEdJdJFGwLB06cn6KikglBAoGAMz8M
[openssl] master update
The branch master has been updated via 505d44c623c2a883cf015f26a499842cea0161f0 (commit) from 1b9e467887d7852d79270c73cb88383c50460b0a (commit) - Log - commit 505d44c623c2a883cf015f26a499842cea0161f0 Author: Pauli Date: Mon Jul 26 16:11:34 2021 +1000 rand: avoid using the derivation function for the public and private DRBGs There is no point using it becuase they are getting full quality entropy from the primary DRBG (which remains using the d.f.). Also cleaned up the parameter passing to the DRBGs to not pass parameters that are unknown. Fixes #16117 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/16156) --- Summary of changes: crypto/rand/rand_lib.c | 32 ++-- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 8f76c8a5f0..30b6cb817f 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -552,12 +552,13 @@ static EVP_RAND_CTX *rand_new_seed(OSSL_LIB_CTX *libctx) static EVP_RAND_CTX *rand_new_drbg(OSSL_LIB_CTX *libctx, EVP_RAND_CTX *parent, unsigned int reseed_interval, - time_t reseed_time_interval) + time_t reseed_time_interval, int use_df) { EVP_RAND *rand; RAND_GLOBAL *dgbl = rand_get_global(libctx); EVP_RAND_CTX *ctx; -OSSL_PARAM params[7], *p = params; +OSSL_PARAM params[8], *p = params; +const OSSL_PARAM *settables; char *name, *cipher; name = dgbl->rng_name != NULL ? dgbl->rng_name : "CTR-DRBG"; 
@@ -573,20 +574,23 @@ static EVP_RAND_CTX *rand_new_drbg(OSSL_LIB_CTX *libctx, EVP_RAND_CTX *parent, return NULL; } -/* - * Rather than trying to decode the DRBG settings, just pass them through - * and rely on the other end to ignore those it doesn't care about. - */ -cipher = dgbl->rng_cipher != NULL ? dgbl->rng_cipher : "AES-256-CTR"; -*p++ = OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_CIPHER, -cipher, 0); -if (dgbl->rng_digest != NULL) +settables = EVP_RAND_CTX_settable_params(ctx); +if (OSSL_PARAM_locate_const(settables, OSSL_DRBG_PARAM_CIPHER)) { +cipher = dgbl->rng_cipher != NULL ? dgbl->rng_cipher : "AES-256-CTR"; +*p++ = OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_CIPHER, +cipher, 0); +} +if (dgbl->rng_digest != NULL +&& OSSL_PARAM_locate_const(settables, OSSL_DRBG_PARAM_DIGEST)) *p++ = OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_DIGEST, dgbl->rng_digest, 0); if (dgbl->rng_propq != NULL) *p++ = OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_PROPERTIES, dgbl->rng_propq, 0); -*p++ = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_MAC, "HMAC", 0); +if (OSSL_PARAM_locate_const(settables, OSSL_ALG_PARAM_MAC)) +*p++ = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_MAC, "HMAC", 0); +if (OSSL_PARAM_locate_const(settables, OSSL_DRBG_PARAM_USE_DF)) +*p++ = OSSL_PARAM_construct_int(OSSL_DRBG_PARAM_USE_DF, _df); *p++ = OSSL_PARAM_construct_uint(OSSL_DRBG_PARAM_RESEED_REQUESTS, _interval); *p++ = OSSL_PARAM_construct_time_t(OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL, @@ -641,7 +645,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx) ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed, PRIMARY_RESEED_INTERVAL, -PRIMARY_RESEED_TIME_INTERVAL); +PRIMARY_RESEED_TIME_INTERVAL, 1); /* * The primary DRBG may be shared between multiple threads so we must * enable locking. 
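Review bot: The `OSSL_DRBG_PARAM_PROPERTIES` entry pushed under `if (dgbl->rng_propq != NULL)` is now the only parameter not gated on `settables`, while cipher, digest, MAC and use_df all are; for consistency with the commit's stated goal of not passing parameters the DRBG does not know, gate it the same way: `if (dgbl->rng_propq != NULL && OSSL_PARAM_locate_const(settables, OSSL_DRBG_PARAM_PROPERTIES))`. Whether every DRBG implementation lists PROPERTIES as settable is not visible here, so confirm before changing. The `params[8]` resize appears to match the seven possible entries plus the terminator if every branch fires at once; a comment such as `/* up to 7 entries plus the end marker */` would make the bound checkable at a glance. The hunk ends before the terminator is appended, so that part was not checked.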
@@ -683,7 +687,7 @@ EVP_RAND_CTX *RAND_get0_public(OSSL_LIB_CTX *ctx) && !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state)) return NULL; rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL, - SECONDARY_RESEED_TIME_INTERVAL); + SECONDARY_RESEED_TIME_INTERVAL, 0); CRYPTO_THREAD_set_local(>public, rand); } return rand; @@ -716,7 +720,7 @@ EVP_RAND_CTX *RAND_get0_private(OSSL_LIB_CTX *ctx) && !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state)) return NULL; rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL, - SECONDARY_RESEED_TIME_INTERVAL); + SECONDARY_RESEED_TIME_INTERVAL, 0);
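Review bot: The new trailing `0` at `rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL, SECONDARY_RESEED_TIME_INTERVAL, 0)` is a bare flag whose justification — the public and private DRBGs are seeded from the primary, which still applies the derivation function, so a second df adds nothing — exists only in the commit message; the `1` passed for the primary in the hunk above has the same problem. A short comment at each call site keeps that reasoning with the code: `/* use_df = 0: seeded by the primary DRBG, which already applies the df */`. The RAND_get0_private hunk is cut off at the end of the visible lines and was not reviewed.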
[tools] master update
The branch master has been updated via f6070cac86caad71cde3b62cd3fd0e35c724eae3 (commit) from 35717050e0abb88170873e8403c369127fb877b1 (commit) - Log - commit f6070cac86caad71cde3b62cd3fd0e35c724eae3 Author: Tomas Mraz Date: Thu Sep 2 14:04:36 2021 +0200 Remove run-checker completely as it is not used anymore Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/tools/pull/93) --- Summary of changes: run-checker/README | 88 --- run-checker/build-gost.sh | 41 -- run-checker/run-checker-autohooks/README| 50 --- run-checker/run-checker-autohooks/hook-end | 100 - run-checker/run-checker-autohooks/hook-prepare | 49 --- run-checker/run-checker-autohooks/hook-start| 81 --- run-checker/run-checker-autohooks/hook-takedown | 7 - run-checker/run-checker-cleanup.sh | 18 --- run-checker/run-checker.sh | 186 9 files changed, 620 deletions(-) delete mode 100644 run-checker/README delete mode 100755 run-checker/build-gost.sh delete mode 100644 run-checker/run-checker-autohooks/README delete mode 100755 run-checker/run-checker-autohooks/hook-end delete mode 100755 run-checker/run-checker-autohooks/hook-prepare delete mode 100755 run-checker/run-checker-autohooks/hook-start delete mode 100755 run-checker/run-checker-autohooks/hook-takedown delete mode 100755 run-checker/run-checker-cleanup.sh delete mode 100755 run-checker/run-checker.sh diff --git a/run-checker/README b/run-checker/README deleted file mode 100644 index b9540a0..000 --- a/run-checker/README +++ /dev/null 
@@ -1,88 +0,0 @@ -This tool is used to build various predefined config options of -openssl and generate okay/fail reports. The array of config options -is found in run-checker.sh, assigned to 'opts'. - -Quick manual run - - -To run a check on the master branch: - -git clone git://git.openssl.org/openssl.git openssl -/path/to/run-checker.sh - -To run a check on a release branch: - -git clone -b OpenSSL_1_1_0-stable git://git.openssl.org/openssl.git openssl -/path/to/run-checker.sh - - -Hooks -- - -run-checker supports a few hooks, in form of scripts that are -executed: - -hook-prepare This script is run once, when run-checker is - starting. If it exits with a status other - than zero, run-checker.sh will stop. It gets - no arguments. - -hook-start This script is run before each option build. - If it exits with a status other than zero, - run-checker.sh will skip the current build. - It gets the following arguments: - - $1 The build directory. - $2 The option being checked. - $3... Configure options and arguments. - -hook-end This script is run after each option build. - If gets the following arguments: - - $1 The build directory. - $2 "pass" or "fail", depending on the - build result. - -hook-takedown This script is run once, just before - run-checker terminates. It gets no arguments. - - -The hooks and documentation in run-checker-autohooks are an advanced -example, and what the OpenSSL Team runs daily (automatically). - - -Example hooks 1 - -The run-checker script uses disk space by leaving every build tree -behind! It may be that you want to clear the build tree after each -build. This little hook can help: - -hook-end: - -#! /bin/sh -builddir="$1" -mv "$builddir"/build.log "$builddir".log && rm -rf "$builddir" - -Example hook 2 --- - -This is a variant of Example hook 1 that saves away the build dir into -a tarball: - -hook-end: - -#! 
/bin/sh -builddir="$1" -tar --remove-files -cJf "$builddir.tar.xz" "./$builddir" - -Example hook 3 --- - -You might want to avoid some builds, based on the options. For -example, all the fuzz builds may require installations that you're not -willing to do. hook-start is the perfect place for this: - -#! /bin/sh -if [ echo "$2" | grep -E '.*fuzz.*' ]; then exit 1; fi -exit 0 diff --git a/run-checker/build-gost.sh b/run-checker/build-gost.sh deleted file mode 100755 index a6f3468..000 --- a/run-checker/build-gost.sh +++ /dev/null @@ -1,41 +0,0 @@ -#! /bin/bash -# -# Run in a directory for a gost engine build. -# Two subdirectories will be created: -# -#gost-engine a checkout of
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 37ceb9b17561554256fb60eb73e9dec418132b29 (commit) from bc0812acef4f9001d771c7aa95b0bae61709ff09 (commit) - Log - commit 37ceb9b17561554256fb60eb73e9dec418132b29 Author: Daniel Bevenius Date: Wed Sep 1 11:45:45 2021 +0200 Fix indentation of tls13_hkdf_expand parameters Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16489) (cherry picked from commit 1b9e467887d7852d79270c73cb88383c50460b0a) --- Summary of changes: ssl/tls13_enc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index 7f6133f29c..12388922e3 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -32,9 +32,9 @@ static const unsigned char label_prefix[] = "tls13 "; * |fatal| is set. Returns 1 on success 0 on failure. */ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, - const unsigned char *label, size_t labellen, - const unsigned char *data, size_t datalen, - unsigned char *out, size_t outlen, int fatal) + const unsigned char *label, size_t labellen, + const unsigned char *data, size_t datalen, + unsigned char *out, size_t outlen, int fatal) { EVP_KDF *kdf = EVP_KDF_fetch(s->ctx->libctx, OSSL_KDF_NAME_TLS1_3_KDF, s->ctx->propq);
[openssl] master update
The branch master has been updated via 1b9e467887d7852d79270c73cb88383c50460b0a (commit) from f92bfddc1d4c4957c57337d7f4192c586cc09a5c (commit) - Log - commit 1b9e467887d7852d79270c73cb88383c50460b0a Author: Daniel Bevenius Date: Wed Sep 1 11:45:45 2021 +0200 Fix indentation of tls13_hkdf_expand parameters Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16489) --- Summary of changes: ssl/tls13_enc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index 7f6133f29c..12388922e3 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -32,9 +32,9 @@ static const unsigned char label_prefix[] = "tls13 "; * |fatal| is set. Returns 1 on success 0 on failure. */ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, - const unsigned char *label, size_t labellen, - const unsigned char *data, size_t datalen, - unsigned char *out, size_t outlen, int fatal) + const unsigned char *label, size_t labellen, + const unsigned char *data, size_t datalen, + unsigned char *out, size_t outlen, int fatal) { EVP_KDF *kdf = EVP_KDF_fetch(s->ctx->libctx, OSSL_KDF_NAME_TLS1_3_KDF, s->ctx->propq);
[web] master update
The branch master has been updated via d0614db41e68ab5e2a739cf01436a01ea3f96d7a (commit) from 7a653503fe9891b570cc6bc0ca07c7edf0b5 (commit) - Log - commit d0614db41e68ab5e2a739cf01436a01ea3f96d7a Author: Richard Levitte Date: Thu Sep 2 15:47:20 2021 +0200 Correct missing parenthesis --- Summary of changes: Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 72eaf43..6aba02c 100644 --- a/Makefile +++ b/Makefile @@ -260,7 +260,7 @@ $(eval $(call mknews_changelogtxt,changelog.md,openssl/CHANGES.md)) # Create the target 'news/clxy.md' for all releases from 3.0 and on, taking # the source from $(CHECKOUTS)/openssl-x.y/CHANGES.md $(foreach S,$(SERIES3),\ -$(eval $(call mknews_changelogtxt,cl$(subst .,,$(S)).txt,openssl-$(S)/CHANGES.md)) +$(eval $(call mknews_changelogtxt,cl$(subst .,,$(S)).txt,openssl-$(S)/CHANGES.md))) # Create the targets 'news/clxyz.txt' for all current pre-3.0 releases, # taking the source from $(CHECKOUTS)/openssl-x.y.z-stable/CHANGES
[web] master update
The branch master has been updated via 7a653503fe9891b570cc6bc0ca07c7edf0b5 (commit) from 1353aad58c10c84ca4cc09250ca72179b58fe8a8 (commit) - Log - commit 7a653503fe9891b570cc6bc0ca07c7edf0b5 Author: Richard Levitte Date: Tue Aug 31 12:40:36 2021 +0200 Take into account the OpenSSL 3.0 branch This does the necessary modifications to the Makefile to do what's needed with a 3.0 branch. The 3.0 branch is expected to be named 'openssl-3.0' and to be checked out in /var/cache/openssl/checkouts/openssl-3.0 on the appropriate machine. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/web/pull/255) --- Summary of changes: Makefile | 71 +--- 1 file changed, 50 insertions(+), 21 deletions(-) diff --git a/Makefile b/Makefile index 27d99ae..72eaf43 100644 --- a/Makefile +++ b/Makefile 
@@ -24,19 +24,33 @@ PERSONDB=FORCE ## The numbers given here RULE ## -## Current series -SERIES=1.1.1 +## Current series. Variable names are numbered to indicate: +## +## SERIES1OpenSSL pre-3.0 +## SERIES3OpenSSL 3.0 and on +## SERIES The concatenation of the above, for ease of use +## +## We mostly use $(SERIES) further down, but there are places where we +## need to make the distinction, because certain files are produced +## differently. +SERIES1=1.1.1 +SERIES3=3.0 +SERIES=$(SERIES3) $(SERIES1) ## Older series. The second type is for source listings OLDSERIES=1.1.0 1.0.2 1.0.1 1.0.0 0.9.8 0.9.7 0.9.6 OLDSERIES2=1.1.0 1.0.2 1.0.1 1.0.0 0.9.x -## Series for manual layouts +## Series for manual layouts, named similar to SERIES1, SERIES3, SERIES MANSERIES1=1.1.1 MANSERIES3=3.0 +MANSERIES=$(MANSERIES3) $(MANSERIES1) ## Future series, i.e. a series that hasn't had any final release yet. +## This would typically be a major or minor version that's still only +## on the master branch, but that has come far enough for us to start +## to make alpha and beta releases. ## We distinguish them to avoid having to produce notes, vulnerability -## documents, ... -FUTURESERIES=3.0 +## documents, ... but still being able to present tarballs. +FUTURESERIES= # All simple generated files. SIMPLE = newsflash.inc sitemap.txt \ 
@@ -166,14 +180,17 @@ endef # Start off with creating the 'manpages-master' target, taking the # source from $(CHECKOUTS)/openssl/doc $(eval $(call makemanuals3,openssl,master)) -#$(foreach S,$(MANSERIES3),$(eval $(call makemanuals3,openssl-$(S),$(S -# Next, create 'manpages-x.y.z' for all current releases, taking the +# Next, create 'manpages-x.y' for all current releases from 3.0 and on, +# taking the source from $(CHECKOUTS)/openssl-x.y/doc +$(foreach S,$(MANSERIES3),$(eval $(call makemanuals3,openssl-$(S),$(S + +# Next, create 'manpages-x.y.z' for all current pre-3.0 releases, taking the # source from $(CHECKOUTS)/openssl-x.y.z-stable/doc $(foreach S,$(MANSERIES1),$(eval $(call makemanuals1,openssl-$(S)-stable,$(S manmaster: man-apropos-master man-index-master -manpages: $(foreach S,$(MANSERIES1),man-apropos-$(S) man-index-$(S)) +manpages: $(foreach S,$(MANSERIES),man-apropos-$(S) man-index-$(S)) mancross: ./bin/mk-mancross master $(SERIES) @@ -221,8 +238,8 @@ news/changelog.inc: news/changelog.md bin/mk-changelog news/changelog.html: news/changelog.html.tt news/changelog.inc @rm -f $@ ./bin/from-tt 'releases=$(SERIES)' $< -# Additionally, make news/changelog.html depend on clxyz.txt, where xyz -# comes from the release number x.y.z. This permits it to be automatically +# Additionally, make news/changelog.html depend on clxy[z].txt, where xy[z] +# comes from the release number x.y[.z]. This permits it to be automatically # recreated whenever there's a new major release. news/changelog.html: $(foreach S,$(SERIES),news/cl$(subst .,,$(S)).txt) 
@@ -240,9 +257,14 @@ endef # $(CHECKOUTS)/openssl/CHANGES.md $(eval $(call mknews_changelogtxt,changelog.md,openssl/CHANGES.md)) -# Create the targets 'news/clxyz.txt' for all current releases, taking the -# source from $(CHECKOUTS)/openssl-x.y.z-stable/CHANGES -$(foreach S,$(SERIES),\ +# Create the target 'news/clxy.md' for all releases from 3.0 and on, taking +# the source from $(CHECKOUTS)/openssl-x.y/CHANGES.md +$(foreach S,$(SERIES3),\ +$(eval $(call mknews_changelogtxt,cl$(subst .,,$(S)).txt,openssl-$(S)/CHANGES.md)) + +# Create the targets 'news/clxyz.txt' for all current pre-3.0 releases, +# taking the source from $(CHECKOUTS)/openssl-x.y.z-stable/CHANGES +$(foreach S,$(SERIES1),\ $(eval $(call mknews_changelogtxt,cl$(subst .,,$(S)).txt,openssl-$(S)-stable/CHANGES))) # mknews_noteshtml creates two targets and rulesets for creating notes from @@ -260,10 +282,16 @@ news/openssl-$(1)-notes.inc:
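Review bot: The new `$(foreach S,$(SERIES3),\` block is never closed: its `$(eval ...)` line ends with `))`, whereas the parallel SERIES1 block right below ends with `)))`, so the foreach's closing parenthesis is missing and the file will not parse as intended (the follow-up commit higher up on this page corrects exactly this). The line should read `$(eval $(call mknews_changelogtxt,cl$(subst .,,$(S)).txt,openssl-$(S)/CHANGES.md)))`. The comment above it also names the target `news/clxy.md` while the rule produces `cl$(subst .,,$(S)).txt`; `news/clxy.txt` would match what is built. The following hunk (`@@ -260,10 +282,16`) is cut off at the end of the visible lines.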
[tools] master update
The branch master has been updated via 35717050e0abb88170873e8403c369127fb877b1 (commit) from ed247a7778c7a043f726f862e9544c963fd22e83 (commit) - Log - commit 35717050e0abb88170873e8403c369127fb877b1 Author: Pauli Date: Fri Aug 27 14:25:14 2021 +1000 run-checker: remove the fuzzing builds Not to be merged until after openssl/openssl#16438 is merged and working. Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/tools/pull/91) --- Summary of changes: run-checker/run-checker.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/run-checker/run-checker.sh b/run-checker/run-checker.sh index 124259f..b3be342 100755 --- a/run-checker/run-checker.sh +++ b/run-checker/run-checker.sh @@ -21,9 +21,7 @@ # hook-takedown - called at the very end here=$(cd $(dirname $0); pwd) -opts=( '' -enable-fuzz-afl enable-fuzz-libfuzzer -) +opts=( '' ) run-hook () { local hookname=$1; shift
[web] master update
The branch master has been updated via 1353aad58c10c84ca4cc09250ca72179b58fe8a8 (commit) via 7027987f060c25f61c8217cd26479f9b4af56bf6 (commit) from 30a512b2e4a02e643216a163af87db97ccbf00d2 (commit) - Log - commit 1353aad58c10c84ca4cc09250ca72179b58fe8a8 Merge: 30a512b 7027987 Author: Mark J. Cox Date: Thu Sep 2 12:22:25 2021 +0100 Merge pull request #256 from iamamoose/20210902 Add Activision Silver Sponsorship commit 7027987f060c25f61c8217cd26479f9b4af56bf6 Author: Mark J. Cox Date: Thu Sep 2 11:22:18 2021 +0100 Add Activision Silver sponsorship --- Summary of changes: support/acks.html | 1 + 1 file changed, 1 insertion(+) diff --git a/support/acks.html b/support/acks.html index 0b70d47..63f2366 100644 --- a/support/acks.html +++ b/support/acks.html @@ -46,6 +46,7 @@ Silver: +https://activision.com/;>Activision https://cargurus.com/;>CarGurus https://shiguredo.jp/;>Shiguredo Inc.
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via bc0812acef4f9001d771c7aa95b0bae61709ff09 (commit) from d24b979dbf247ed3eecf973f3ee669a2e3b59e8f (commit) - Log - commit bc0812acef4f9001d771c7aa95b0bae61709ff09 Author: Pauli Date: Fri Aug 27 10:37:35 2021 +1000 CI: add last run-checker fuzzing CIs to Actions Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16438) (cherry picked from commit f92bfddc1d4c4957c57337d7f4192c586cc09a5c) --- Summary of changes: .github/workflows/fuzz-checker.yml | 61 ++ 1 file changed, 61 insertions(+) create mode 100644 .github/workflows/fuzz-checker.yml diff --git a/.github/workflows/fuzz-checker.yml b/.github/workflows/fuzz-checker.yml new file mode 100644 index 00..5b784deb10 --- /dev/null +++ b/.github/workflows/fuzz-checker.yml 
@@ -0,0 +1,61 @@ +name: Fuzz-checker CI + +on: [push] + +jobs: + fuzz-checker: +strategy: + fail-fast: false + matrix: +fuzzy: [ + { +name: AFL, +config: enable-fuzz-afl no-module, +install: afl++-clang, +cc: afl-clang-fast + }, { +name: libFuzzer, +config: enable-fuzz-libfuzzer -DPEDANTIC enable-asan enable-ubsan, +libs: --with-fuzzer-lib=/usr/lib/llvm-12/lib/libFuzzer.a --with-fuzzer-include=/usr/lib/llvm-12/build/lib/clang/12.0.0/include/fuzzer, +install: libfuzzer-12-dev, +cc: clang-12, +linker: clang++-12, +tests: -test_memleak + }, { +name: libFuzzer+, +config: enable-fuzz-libfuzzer -DPEDANTIC enable-asan enable-ubsan -fsanitize-coverage=trace-cmp -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION, +libs: --with-fuzzer-lib=/usr/lib/llvm-12/lib/libFuzzer.a --with-fuzzer-include=/usr/lib/llvm-12/build/lib/clang/12.0.0/include/fuzzer, +extra: enable-fips enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-nextprotoneg, +install: libfuzzer-12-dev, +cc: clang-12, +linker: clang++-12, +tests: -test_memleak + } +] +runs-on: ubuntu-latest +steps: +- name: install packages + run: | +sudo apt-get update +sudo apt-get -yq --force-yes install ${{ matrix.fuzzy.install }} +- uses: actions/checkout@v2 + +- name: config + run: | +CC=${{ matrix.fuzzy.cc }} ./config --banner=Configured no-shared \ +${{ matrix.fuzzy.config }} ${{ matrix.fuzzy.libs }} ${{ matrix.fuzzy.extra }} + +- name: config dump + run: ./configdata.pm --dump +- name: make with explicit linker + if: matrix.fuzzy.linker != '' + run: LDCMD=${{ matrix.fuzzy.linker }} make -s -j4 +- name: make sans explicit linker + if: matrix.fuzzy.linker == '' + run: make -s -j4 +- name: make test restricted + if: matrix.fuzzy.tests != '' + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} TESTS="${{ matrix.fuzzy.tests }}" +- name: make test all + if: matrix.fuzzy.tests == '' + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
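Review bot: `sudo apt-get -yq --force-yes install ${{ matrix.fuzzy.install }}` passes `--force-yes`, which apt documents as dangerous and deprecated because it lets the install proceed past checks that would otherwise stop it, package authentication included; with `-y` already answering prompts, the flag adds nothing except the risk of pulling an unverified package into the build that produces the fuzzers, so drop it: `sudo apt-get -yq install ${{ matrix.fuzzy.install }}`. The same line appears in the identical hunk of the master commit further down this page. Pinning `actions/checkout@v2` to a commit hash rather than a mutable tag would be a further, optional hardening of the same supply chain.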
[openssl] master update
The branch master has been updated via f92bfddc1d4c4957c57337d7f4192c586cc09a5c (commit) from 473664aafdff1f60db99929bdd43c2a9b26d14cd (commit) - Log - commit f92bfddc1d4c4957c57337d7f4192c586cc09a5c Author: Pauli Date: Fri Aug 27 10:37:35 2021 +1000 CI: add last run-checker fuzzing CIs to Actions Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16438) --- Summary of changes: .github/workflows/fuzz-checker.yml | 61 ++ 1 file changed, 61 insertions(+) create mode 100644 .github/workflows/fuzz-checker.yml diff --git a/.github/workflows/fuzz-checker.yml b/.github/workflows/fuzz-checker.yml new file mode 100644 index 00..5b784deb10 --- /dev/null +++ b/.github/workflows/fuzz-checker.yml 
@@ -0,0 +1,61 @@ +name: Fuzz-checker CI + +on: [push] + +jobs: + fuzz-checker: +strategy: + fail-fast: false + matrix: +fuzzy: [ + { +name: AFL, +config: enable-fuzz-afl no-module, +install: afl++-clang, +cc: afl-clang-fast + }, { +name: libFuzzer, +config: enable-fuzz-libfuzzer -DPEDANTIC enable-asan enable-ubsan, +libs: --with-fuzzer-lib=/usr/lib/llvm-12/lib/libFuzzer.a --with-fuzzer-include=/usr/lib/llvm-12/build/lib/clang/12.0.0/include/fuzzer, +install: libfuzzer-12-dev, +cc: clang-12, +linker: clang++-12, +tests: -test_memleak + }, { +name: libFuzzer+, +config: enable-fuzz-libfuzzer -DPEDANTIC enable-asan enable-ubsan -fsanitize-coverage=trace-cmp -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION, +libs: --with-fuzzer-lib=/usr/lib/llvm-12/lib/libFuzzer.a --with-fuzzer-include=/usr/lib/llvm-12/build/lib/clang/12.0.0/include/fuzzer, +extra: enable-fips enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-nextprotoneg, +install: libfuzzer-12-dev, +cc: clang-12, +linker: clang++-12, +tests: -test_memleak + } +] +runs-on: ubuntu-latest +steps: +- name: install packages + run: | +sudo apt-get update +sudo apt-get -yq --force-yes install ${{ matrix.fuzzy.install }} +- uses: actions/checkout@v2 + +- name: config + run: | +CC=${{ matrix.fuzzy.cc }} ./config --banner=Configured no-shared \ +${{ matrix.fuzzy.config }} ${{ matrix.fuzzy.libs }} ${{ matrix.fuzzy.extra }} + +- name: config dump + run: ./configdata.pm --dump +- name: make with explicit linker + if: matrix.fuzzy.linker != '' + run: LDCMD=${{ matrix.fuzzy.linker }} make -s -j4 +- name: make sans explicit linker + if: matrix.fuzzy.linker == '' + run: make -s -j4 +- name: make test restricted + if: matrix.fuzzy.tests != '' + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} TESTS="${{ matrix.fuzzy.tests }}" +- name: make test all + if: matrix.fuzzy.tests == '' + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
Coverity Scan: Analysis completed for openssl/openssl
Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3D_Qeo_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFC4-2F8u6kJ4cfRtWikIFiC3t3PNN6vqLpoyvW4s8TWZ3TcNJw8mWtgOr9fIFgxKRQuM6kOJd9e410Q5ot2bqM6fHBDOWbKAdbfBfINgWAwKnJIEJFe84KgtQjLOzlFaYfUWQZM9qk7aU9Lxl3FKlkBMYS91-2Bs9IJBxfKWLO2ePpT-2FgUa4Dg2X4eIioAn4EYszs-3D Build ID: 405494 Analysis Summary: New defects found: 0 Defects eliminated: 0
Coverity Scan: Analysis completed for OpenSSL-1.0.2
Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3D-tvk_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeGx-2FC7C7-2BAqEYRakFdwk9OoUOHmvQ1Fkw5zeudqR2CIcjKqaq0drnjH1eYVLADjUyp05eRTEGRo0ZZPpjRuJ4Wt-2BDl5BGTUMTnUv0cbOrmgoY7MiINGBynDMzjBfQUNBR2oC7X0Z-2FQQQ8lmf9o10A5tVHtOn7K90FgMsC4ZbJoGu5IaQaESrc05gb5w9yWqVAE-3D Build ID: 405495 Analysis Summary: New defects found: 0 Defects eliminated: 0
[tools] master update
The branch master has been updated via ed247a7778c7a043f726f862e9544c963fd22e83 (commit) from f39ecd88bc71cdb4332ec42b12405abf3738bde2 (commit) - Log - commit ed247a7778c7a043f726f862e9544c963fd22e83 Author: Pauli Date: Wed Sep 1 09:08:21 2021 +1000 Update tools scripts to know about 3.0 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/tools/pull/92) --- Summary of changes: review-tools/opensslpull| 4 review-tools/pick-to-branch | 3 +++ 2 files changed, 7 insertions(+) diff --git a/review-tools/opensslpull b/review-tools/opensslpull index 0c8a40b..d8b97c6 100755 --- a/review-tools/opensslpull +++ b/review-tools/opensslpull @@ -9,6 +9,7 @@ test -f ./config || { git checkout --quiet OpenSSL_1_0_2-stable ; git pull --rebase git checkout --quiet OpenSSL_1_1_0-stable ; git pull --rebase git checkout --quiet OpenSSL_1_1_1-stable ; git pull --rebase +git checkout --quiet openssl-3.0 ; git pull --rebase git checkout --quiet master git rebase -p origin/master @@ -17,6 +18,9 @@ for B in `git branch | fgrep -v '*'` ; do OpenSSL*-stable) echo "skipping $B" ;; +openssl-*) +echo "skipping $B" +;; *) # If .skiplist exists and this branch is listed, don't rebase if test -f .skiplist && grep -q "$B" .skiplist ; then diff --git a/review-tools/pick-to-branch b/review-tools/pick-to-branch index a5dd427..c446763 100755 --- a/review-tools/pick-to-branch +++ b/review-tools/pick-to-branch @@ -28,6 +28,9 @@ case $b in *1*1*1*) branch=OpenSSL_1_1_1-stable ;; +*3*0*) +branch=openssl-3.0 +;; m*) branch=master ;;
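Review bot: The new `openssl-*)` arm in opensslpull's case statement duplicates the body of the `OpenSSL*-stable)` arm directly above it; a combined pattern, `OpenSSL*-stable|openssl-*) echo "skipping $B" ;;`, expresses the same thing in one arm and keeps the two release-branch naming families in lockstep. In pick-to-branch the new `*3*0*)` glob is as permissive as the existing ones (any value containing a 3 followed somewhere by a 0), which is consistent with the file's style but would benefit from a comment on the abbreviations it is meant to accept, e.g. `# 3.0, 30 -> openssl-3.0`.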