[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 4aa163a217aa428b324564db5b4dff2653ce26a4 (commit) from b76422e708654663990b6f3b3ce85066ae05ad4a (commit) - Log - commit 4aa163a217aa428b324564db5b4dff2653ce26a4 Author: Arne Schwabe Date: Wed Oct 13 15:16:58 2021 +0200 Note that SHA1 and MD5 x509 signatures are also forbidden at security level 1 The exclusion of SHA1 for X509 signatures is not obvious as the "intuative" idea is that SHA1 should have 80 security bits. However the security bits of SHA1 are explicitly set to 63 to avoid the it being strong enough for security level 1. x509_set.c has the comment: /* * SHA1 and MD5 are known to be broken. Reduce security bits so that * they're no longer accepted at security level 1. * The real values don't really matter as long as they're lower than 80, * which is our security level 1. */ Signed-off-by: Arne Schwabe Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16828) --- Summary of changes: doc/man3/SSL_CTX_set_security_level.pod | 13 - 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/doc/man3/SSL_CTX_set_security_level.pod b/doc/man3/SSL_CTX_set_security_level.pod index 292d6a2333..fc1ff39246 100644 --- a/doc/man3/SSL_CTX_set_security_level.pod +++ b/doc/man3/SSL_CTX_set_security_level.pod @@ -77,7 +77,9 @@ parameters offering below 80 bits of security are excluded. As a result RSA, DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits are prohibited. All export cipher suites are prohibited since they all offer less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite -using MD5 for the MAC is also prohibited. +using MD5 for the MAC is also prohibited. Note that signatures using SHA1 +and MD5 are also forbidden at this level as they have less than 80 security +bits. =item B @@ -147,10 +149,11 @@ key size or the DH parameter size will abort the handshake with a fatal alert. Attempts to set certificates or parameters with insufficient security are -also blocked. For example trying to set a certificate using a 512 bit RSA -key using SSL_CTX_use_certificate() at level 1. Applications which do not -check the return values for errors will misbehave: for example it might -appear that a certificate is not set at all because it had been rejected. +also blocked. For example trying to set a certificate using a 512 bit RSA key +or a certificate with a signature with SHA1 digest at level 1 using +SSL_CTX_use_certificate(). Applications which do not check the return values +for errors will misbehave: for example it might appear that a certificate is +not set at all because it had been rejected. =head1 RETURN VALUES
[openssl] master update
The branch master has been updated
via 4f716249643fe97a2bdf59a11cc10e1bef8103e9 (commit)
from 25ead551aa31feae91cab91b648a2ca16bc7a8dc (commit)
- Log -
commit 4f716249643fe97a2bdf59a11cc10e1bef8103e9
Author: Michael Baentsch
Date: Thu Oct 7 10:45:48 2021 +0200
Permit no/empty digest in core_obj_add_sigid
Also add digest parameter documentation for add_sigid and
permit NULL as digest name in the provider upcall.
Reviewed-by: Matt Caswell
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16770)
---
Summary of changes:
crypto/objects/obj_xref.c | 2 +-
crypto/provider_core.c | 9 ++---
doc/man3/OBJ_nid2obj.pod | 3 ++-
doc/man7/provider-base.pod | 5 +++--
test/upcallstest.c | 9 +
5 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/crypto/objects/obj_xref.c b/crypto/objects/obj_xref.c
index 3a6ae02bf0..8b4980d5b5 100644
--- a/crypto/objects/obj_xref.c
+++ b/crypto/objects/obj_xref.c
@@ -141,7 +141,7 @@ int OBJ_add_sigid(int signid, int dig_id, int pkey_id)
nid_triple *ntr;
int dnid = NID_undef, pnid = NID_undef, ret = 0;
-if (signid == NID_undef || dig_id == NID_undef || pkey_id == NID_undef)
+if (signid == NID_undef || pkey_id == NID_undef)
return 0;
if (!obj_sig_init())
diff --git a/crypto/provider_core.c b/crypto/provider_core.c
index e4069eb4f7..b39fb3bb1d 100644
--- a/crypto/provider_core.c
+++ b/crypto/provider_core.c
@@ -1933,9 +1933,13 @@ static int core_obj_add_sigid(const OSSL_CORE_HANDLE
*prov,
const char *pkey_name)
{
int sign_nid = OBJ_txt2nid(sign_name);
-int digest_nid = OBJ_txt2nid(digest_name);
+int digest_nid = NID_undef;
int pkey_nid = OBJ_txt2nid(pkey_name);
+if (digest_name != NULL && digest_name[0] != '\0'
+&& (digest_nid = OBJ_txt2nid(digest_name)) == NID_undef)
+return 0;
+
if (sign_nid == NID_undef)
return 0;
@@ -1946,8 +1950,7 @@ static int core_obj_add_sigid(const OSSL_CORE_HANDLE
*prov,
if (OBJ_find_sigid_algs(sign_nid, NULL, NULL))
return 1;
-if (digest_nid == NID_undef
-|| pkey_nid == NID_undef)
+if (pkey_nid == NID_undef)
return 0;
return OBJ_add_sigid(sign_nid, digest_nid, pkey_nid);
diff --git a/doc/man3/OBJ_nid2obj.pod b/doc/man3/OBJ_nid2obj.pod
index 2d16cc83cc..306b33c03d 100644
--- a/doc/man3/OBJ_nid2obj.pod
+++ b/doc/man3/OBJ_nid2obj.pod
@@ -99,7 +99,8 @@ given NID with two other NIDs - one representing the
underlying signature
algorithm and the other representing a digest algorithm to be used in
conjunction with it. I represents the NID for the composite "Signature
Algorithm", I is the NID for the digest algorithm and I is the
-NID for the underlying signature algorithm.
+NID for the underlying signature algorithm. As there are signature algorithms
+that do not require a digest, NID_undef is a valid I.
OBJ_cleanup() releases any resources allocated by creating new objects.
diff --git a/doc/man7/provider-base.pod b/doc/man7/provider-base.pod
index 881854a3af..b3298d5c10 100644
--- a/doc/man7/provider-base.pod
+++ b/doc/man7/provider-base.pod
@@ -284,8 +284,9 @@ function L, except that the objects are
identified by name
rather than a numeric NID. Any name (OID, short name or long name) can be used
to identify the object. It will treat as success the case where the composite
signature algorithm already exists (even if registered against a different
-underlying signature or digest algorithm). It returns 1 on success or 0 on
-failure.
+underlying signature or digest algorithm). For I, NULL or an
+empty string is permissible for signature algorithms that do not need a digest
+to operate correctly. The function returns 1 on success or 0 on failure.
CRYPTO_malloc(), CRYPTO_zalloc(), CRYPTO_memdup(), CRYPTO_strdup(),
CRYPTO_strndup(), CRYPTO_free(), CRYPTO_clear_free(),
diff --git a/test/upcallstest.c b/test/upcallstest.c
index 01e4e95237..76899fee3d 100644
--- a/test/upcallstest.c
+++ b/test/upcallstest.c
@@ -68,6 +68,15 @@ static int obj_provider_init(const OSSL_CORE_HANDLE *handle,
if (!c_obj_add_sigid(handle, SIGALG_OID, DIGEST_SN, SIG_LN))
return 0;
+/* additional tests checking empty digest algs are accepted, too */
+if (!c_obj_add_sigid(handle, SIGALG_OID, "", SIG_LN))
+return 0;
+if (!c_obj_add_sigid(handle, SIGALG_OID, NULL, SIG_LN))
+return 0;
+/* checking wrong digest alg name is rejected: */
+if (c_obj_add_sigid(handle, SIGALG_OID, "NonsenseAlg", SIG_LN))
+return 0;
+
return 1;
}
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via b76422e708654663990b6f3b3ce85066ae05ad4a (commit) from fd7c2ff23c65eb8b06ae2d9d600d6e3301d98aaf (commit) - Log - commit b76422e708654663990b6f3b3ce85066ae05ad4a Author: Kinshuk Dua Date: Thu Oct 21 18:47:53 2021 +0530 Doc: be explicit about NUL in max_identity_len Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16877) (cherry picked from commit 25ead551aa31feae91cab91b648a2ca16bc7a8dc) --- Summary of changes: doc/man3/SSL_CTX_set_psk_client_callback.pod | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/man3/SSL_CTX_set_psk_client_callback.pod b/doc/man3/SSL_CTX_set_psk_client_callback.pod index 23bab17317..dd302983fd 100644 --- a/doc/man3/SSL_CTX_set_psk_client_callback.pod +++ b/doc/man3/SSL_CTX_set_psk_client_callback.pod @@ -107,11 +107,11 @@ the pre-shared key to use during the connection setup phase. The callback is set using functions SSL_CTX_set_psk_client_callback() or SSL_set_psk_client_callback(). The callback function is given the -connection in parameter B, a B-terminated PSK identity hint +connection in parameter B, a B-terminated PSK identity hint sent by the server in parameter B, a buffer B of -length B bytes where the resulting -B-terminated identity is to be stored, and a buffer B of -length B bytes where the resulting pre-shared key is to +length B bytes (including the B-terminator) where the +resulting B-terminated identity is to be stored, and a buffer B +of length B bytes where the resulting pre-shared key is to be stored. The callback for use in TLSv1.2 will also work in TLSv1.3 although it is
[openssl] master update
The branch master has been updated via 25ead551aa31feae91cab91b648a2ca16bc7a8dc (commit) from 8b09a9c76d873f62c2507fa9628a9c96c1d66d5c (commit) - Log - commit 25ead551aa31feae91cab91b648a2ca16bc7a8dc Author: Kinshuk Dua Date: Thu Oct 21 18:47:53 2021 +0530 Doc: be explicit about NUL in max_identity_len Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16877) --- Summary of changes: doc/man3/SSL_CTX_set_psk_client_callback.pod | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/man3/SSL_CTX_set_psk_client_callback.pod b/doc/man3/SSL_CTX_set_psk_client_callback.pod index 23bab17317..dd302983fd 100644 --- a/doc/man3/SSL_CTX_set_psk_client_callback.pod +++ b/doc/man3/SSL_CTX_set_psk_client_callback.pod @@ -107,11 +107,11 @@ the pre-shared key to use during the connection setup phase. The callback is set using functions SSL_CTX_set_psk_client_callback() or SSL_set_psk_client_callback(). The callback function is given the -connection in parameter B, a B-terminated PSK identity hint +connection in parameter B, a B-terminated PSK identity hint sent by the server in parameter B, a buffer B of -length B bytes where the resulting -B-terminated identity is to be stored, and a buffer B of -length B bytes where the resulting pre-shared key is to +length B bytes (including the B-terminator) where the +resulting B-terminated identity is to be stored, and a buffer B +of length B bytes where the resulting pre-shared key is to be stored. The callback for use in TLSv1.2 will also work in TLSv1.3 although it is
[web] master update
The branch master has been updated
via 47a7a6de93b5fd3f1fd73b638d4119d2ca55a61f (commit)
from 08d5ca8ee5e497a78944ceacd9df305d1773a811 (commit)
- Log -
commit 47a7a6de93b5fd3f1fd73b638d4119d2ca55a61f
Author: Richard Levitte
Date: Fri Oct 22 13:05:00 2021 +0200
bin/mk-latest: Treat post 1.x.x releases right
The currently produced .htaccess has this RewriteRule
RewriteRule ^openssl-3.0.0-latest.tar.gz$ openssl-3.0.0.tar.gz
[L,R=302,NC]
It should really be this:
RewriteRule ^openssl-3.0-latest.tar.gz$ openssl-3.0.0.tar.gz
[L,R=302,NC]
Also, since all other scripts that handle our tarballs are passed
$(RELEASEDIR), not just 'source', so should this one.
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/web/pull/271)
---
Summary of changes:
Makefile | 2 +-
bin/mk-latest | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index a271213..83d8e53 100644
--- a/Makefile
+++ b/Makefile
@@ -332,7 +332,7 @@ $(eval $(call mknews_vulnerability,-$(S),-b $(S
source/.htaccess: $(wildcard source/openssl-*.tar.gz) bin/mk-latest
@rm -f @?
- ./bin/mk-latest source >$@
+ ./bin/mk-latest $(RELEASEDIR) >$@
source/index.inc: $(wildcard $(RELEASEDIR)/openssl-*.tar.gz) bin/mk-filelist
@rm -f $@
./bin/mk-filelist $(RELEASEDIR) '' 'openssl-*.tar.gz' >$@
diff --git a/bin/mk-latest b/bin/mk-latest
index 7a57fdd..8a43268 100755
--- a/bin/mk-latest
+++ b/bin/mk-latest
@@ -12,7 +12,8 @@ my @tarballs =
my %series = ();
foreach(@tarballs) {
- my ($version, $serie) = /^openssl-((\d+\.\d+\.\d+)[a-z]*)\./;
+my ($version, $serie) =
+/^openssl-(?|(([01]\.\d+\.\d+)[a-z]*)|((\d+\.\d+)\.\d+))\./;
$series{$serie} = $_;
}
my $latest = $series{ (reverse sort keys %series)[0] };
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated
via 0ad7578822b188447b1946e65a0ec4b5b07ead3f (commit)
from b28d41afbfebd8c668ee039d10d1a0edbed09dba (commit)
- Log -
commit 0ad7578822b188447b1946e65a0ec4b5b07ead3f
Author: Matt Caswell
Date: Thu Oct 14 17:31:36 2021 +0100
Fix the s_server psk_server_cb for use in DTLS
Commit 0007ff257c added a protocol version check to psk_server_cb but
failed to take account of DTLS causing DTLS based psk connections to
fail.
Fixes #16707
Reviewed-by: Ben Kaduk
(Merged from https://github.com/openssl/openssl/pull/16838)
(cherry picked from commit 8b09a9c76d873f62c2507fa9628a9c96c1d66d5c)
---
Summary of changes:
apps/s_server.c | 10 +-
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/apps/s_server.c b/apps/s_server.c
index 938e244222..64d53e68d0 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -134,12 +134,12 @@ static unsigned int psk_server_cb(SSL *ssl, const char
*identity,
if (s_debug)
BIO_printf(bio_s_out, "psk_server_cb\n");
-if (SSL_version(ssl) >= TLS1_3_VERSION) {
+if (!SSL_is_dtls(ssl) && SSL_version(ssl) >= TLS1_3_VERSION) {
/*
- * This callback is designed for use in TLSv1.2. It is possible to use
- * a single callback for all protocol versions - but it is preferred to
- * use a dedicated callback for TLSv1.3. For TLSv1.3 we have
- * psk_find_session_cb.
+ * This callback is designed for use in (D)TLSv1.2 (or below). It is
+ * possible to use a single callback for all protocol versions - but it
+ * is preferred to use a dedicated callback for TLSv1.3. For TLSv1.3 we
+ * have psk_find_session_cb.
*/
return 0;
}
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via fd7c2ff23c65eb8b06ae2d9d600d6e3301d98aaf (commit)
from d49d1c120dac5349df0bb36960bc914e211368bd (commit)
- Log -
commit fd7c2ff23c65eb8b06ae2d9d600d6e3301d98aaf
Author: Matt Caswell
Date: Thu Oct 14 17:31:36 2021 +0100
Fix the s_server psk_server_cb for use in DTLS
Commit 0007ff257c added a protocol version check to psk_server_cb but
failed to take account of DTLS causing DTLS based psk connections to
fail.
Fixes #16707
Reviewed-by: Ben Kaduk
(Merged from https://github.com/openssl/openssl/pull/16838)
(cherry picked from commit 8b09a9c76d873f62c2507fa9628a9c96c1d66d5c)
---
Summary of changes:
apps/s_server.c | 10 +-
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/apps/s_server.c b/apps/s_server.c
index c5d9221e90..0e71c161ef 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -131,12 +131,12 @@ static unsigned int psk_server_cb(SSL *ssl, const char
*identity,
if (s_debug)
BIO_printf(bio_s_out, "psk_server_cb\n");
-if (SSL_version(ssl) >= TLS1_3_VERSION) {
+if (!SSL_is_dtls(ssl) && SSL_version(ssl) >= TLS1_3_VERSION) {
/*
- * This callback is designed for use in TLSv1.2. It is possible to use
- * a single callback for all protocol versions - but it is preferred to
- * use a dedicated callback for TLSv1.3. For TLSv1.3 we have
- * psk_find_session_cb.
+ * This callback is designed for use in (D)TLSv1.2 (or below). It is
+ * possible to use a single callback for all protocol versions - but it
+ * is preferred to use a dedicated callback for TLSv1.3. For TLSv1.3 we
+ * have psk_find_session_cb.
*/
return 0;
}
[openssl] master update
The branch master has been updated
via 8b09a9c76d873f62c2507fa9628a9c96c1d66d5c (commit)
from f11c01a666e9d5b97e859cbc74586802549dee00 (commit)
- Log -
commit 8b09a9c76d873f62c2507fa9628a9c96c1d66d5c
Author: Matt Caswell
Date: Thu Oct 14 17:31:36 2021 +0100
Fix the s_server psk_server_cb for use in DTLS
Commit 0007ff257c added a protocol version check to psk_server_cb but
failed to take account of DTLS causing DTLS based psk connections to
fail.
Fixes #16707
Reviewed-by: Ben Kaduk
(Merged from https://github.com/openssl/openssl/pull/16838)
---
Summary of changes:
apps/s_server.c | 10 +-
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/apps/s_server.c b/apps/s_server.c
index 9f448298f0..0003f7a2a6 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -131,12 +131,12 @@ static unsigned int psk_server_cb(SSL *ssl, const char
*identity,
if (s_debug)
BIO_printf(bio_s_out, "psk_server_cb\n");
-if (SSL_version(ssl) >= TLS1_3_VERSION) {
+if (!SSL_is_dtls(ssl) && SSL_version(ssl) >= TLS1_3_VERSION) {
/*
- * This callback is designed for use in TLSv1.2. It is possible to use
- * a single callback for all protocol versions - but it is preferred to
- * use a dedicated callback for TLSv1.3. For TLSv1.3 we have
- * psk_find_session_cb.
+ * This callback is designed for use in (D)TLSv1.2 (or below). It is
+ * possible to use a single callback for all protocol versions - but it
+ * is preferred to use a dedicated callback for TLSv1.3. For TLSv1.3 we
+ * have psk_find_session_cb.
*/
return 0;
}
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via d49d1c120dac5349df0bb36960bc914e211368bd (commit)
from d641ad51326e96b41f0490e2e3398d08e8f87557 (commit)
- Log -
commit d49d1c120dac5349df0bb36960bc914e211368bd
Author: yuanjungong
Date: Wed Sep 1 11:33:34 2021 +0800
Clean up on failed BIO creation
Reviewed-by: Shane Lontis
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16316)
(cherry picked from commit f11c01a666e9d5b97e859cbc74586802549dee00)
---
Summary of changes:
apps/openssl.c| 5 -
test/testutil/testutil_init.c | 5 -
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/apps/openssl.c b/apps/openssl.c
index 2693350ffc..e20661277e 100644
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -168,14 +168,17 @@ static void setup_trace_category(int category)
{
BIO *channel;
tracedata *trace_data;
+BIO *bio = NULL;
if (OSSL_trace_enabled(category))
return;
-channel = BIO_push(BIO_new(BIO_f_prefix()), dup_bio_err(FORMAT_TEXT));
+bio = BIO_new(BIO_f_prefix());
+channel = BIO_push(bio, dup_bio_err(FORMAT_TEXT));
trace_data = OPENSSL_zalloc(sizeof(*trace_data));
if (trace_data == NULL
+|| bio == NULL
|| (trace_data->bio = channel) == NULL
|| OSSL_trace_set_callback(category, internal_trace_cb,
trace_data) == 0
diff --git a/test/testutil/testutil_init.c b/test/testutil/testutil_init.c
index a91b0e4ba3..3301551ab2 100644
--- a/test/testutil/testutil_init.c
+++ b/test/testutil/testutil_init.c
@@ -71,15 +71,18 @@ static void setup_trace_category(int category)
{
BIO *channel;
tracedata *trace_data;
+BIO *bio = NULL;
if (OSSL_trace_enabled(category))
return;
-channel = BIO_push(BIO_new(BIO_f_prefix()),
+bio = BIO_new(BIO_f_prefix());
+channel = BIO_push(bio,
BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT));
trace_data = OPENSSL_zalloc(sizeof(*trace_data));
if (trace_data == NULL
+|| bio == NULL
|| (trace_data->bio = channel) == NULL
|| OSSL_trace_set_callback(category, internal_trace_cb,
trace_data) == 0
[openssl] master update
The branch master has been updated
via f11c01a666e9d5b97e859cbc74586802549dee00 (commit)
from 5001287c0dcd8ca4ffc564b360f86df79bba40c1 (commit)
- Log -
commit f11c01a666e9d5b97e859cbc74586802549dee00
Author: yuanjungong
Date: Wed Sep 1 11:33:34 2021 +0800
Clean up on failed BIO creation
Reviewed-by: Shane Lontis
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16316)
---
Summary of changes:
apps/openssl.c| 5 -
test/testutil/testutil_init.c | 5 -
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/apps/openssl.c b/apps/openssl.c
index 2693350ffc..e20661277e 100644
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -168,14 +168,17 @@ static void setup_trace_category(int category)
{
BIO *channel;
tracedata *trace_data;
+BIO *bio = NULL;
if (OSSL_trace_enabled(category))
return;
-channel = BIO_push(BIO_new(BIO_f_prefix()), dup_bio_err(FORMAT_TEXT));
+bio = BIO_new(BIO_f_prefix());
+channel = BIO_push(bio, dup_bio_err(FORMAT_TEXT));
trace_data = OPENSSL_zalloc(sizeof(*trace_data));
if (trace_data == NULL
+|| bio == NULL
|| (trace_data->bio = channel) == NULL
|| OSSL_trace_set_callback(category, internal_trace_cb,
trace_data) == 0
diff --git a/test/testutil/testutil_init.c b/test/testutil/testutil_init.c
index a91b0e4ba3..3301551ab2 100644
--- a/test/testutil/testutil_init.c
+++ b/test/testutil/testutil_init.c
@@ -71,15 +71,18 @@ static void setup_trace_category(int category)
{
BIO *channel;
tracedata *trace_data;
+BIO *bio = NULL;
if (OSSL_trace_enabled(category))
return;
-channel = BIO_push(BIO_new(BIO_f_prefix()),
+bio = BIO_new(BIO_f_prefix());
+channel = BIO_push(bio,
BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT));
trace_data = OPENSSL_zalloc(sizeof(*trace_data));
if (trace_data == NULL
+|| bio == NULL
|| (trace_data->bio = channel) == NULL
|| OSSL_trace_set_callback(category, internal_trace_cb,
trace_data) == 0
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via d641ad51326e96b41f0490e2e3398d08e8f87557 (commit) from ef3889e7a2e21e9acea3bc0927c22f962da36eed (commit) - Log - commit d641ad51326e96b41f0490e2e3398d08e8f87557 Author: PW Hu Date: Thu Oct 7 11:40:49 2021 +0800 Fix documentation errors, mainly caused by return values of BIO_ctrl Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16767) (cherry picked from commit 5001287c0dcd8ca4ffc564b360f86df79bba40c1) --- Summary of changes: doc/man3/ASN1_TYPE_get.pod | 2 +- doc/man3/BIO_ctrl.pod | 15 --- doc/man3/BIO_f_buffer.pod | 7 --- doc/man3/BIO_f_cipher.pod | 10 +- doc/man3/BIO_f_md.pod | 2 +- doc/man3/BIO_f_prefix.pod | 6 +++--- doc/man3/BIO_s_accept.pod | 6 +++--- doc/man3/BIO_s_connect.pod | 8 doc/man3/BIO_s_fd.pod | 4 ++-- doc/man3/BIO_s_file.pod| 5 ++--- 10 files changed, 33 insertions(+), 32 deletions(-) diff --git a/doc/man3/ASN1_TYPE_get.pod b/doc/man3/ASN1_TYPE_get.pod index c34572345f..1d87f676f4 100644 --- a/doc/man3/ASN1_TYPE_get.pod +++ b/doc/man3/ASN1_TYPE_get.pod @@ -24,7 +24,7 @@ These functions allow an B structure to be manipulated. The B structure can contain any ASN.1 type or constructed type such as a SEQUENCE: it is effectively equivalent to the ASN.1 ANY type. -ASN1_TYPE_get() returns the type of I. +ASN1_TYPE_get() returns the type of I or 0 if it fails. ASN1_TYPE_set() sets the value of I to I and I. This function uses the pointer I internally so it must B be freed diff --git a/doc/man3/BIO_ctrl.pod b/doc/man3/BIO_ctrl.pod index fdffda7b41..bcdeac6f7b 100644 --- a/doc/man3/BIO_ctrl.pod +++ b/doc/man3/BIO_ctrl.pod @@ -77,26 +77,27 @@ return a size_t type and are functions, BIO_pending() and BIO_wpending() are macros which call BIO_ctrl(). BIO_get_ktls_send() returns 1 if the BIO is using the Kernel TLS data-path for -sending. Otherwise, it returns zero. +sending. Otherwise, it returns zero. It also returns negative values for failure. BIO_get_ktls_recv() returns 1 if the BIO is using the Kernel TLS data-path for -receiving. Otherwise, it returns zero. +receiving. Otherwise, it returns zero. It also returns negative values for failure. =head1 RETURN VALUES -BIO_reset() normally returns 1 for success and 0 or -1 for failure. File +BIO_reset() normally returns 1 for success and <=0 for failure. File BIOs are an exception, they return 0 for success and -1 for failure. BIO_seek() and BIO_tell() both return the current file position on success and -1 for failure, except file BIOs which for BIO_seek() always return 0 for success and -1 for failure. -BIO_flush() returns 1 for success and 0 or -1 for failure. +BIO_flush() returns 1 for success and <=0 for failure. -BIO_eof() returns 1 if EOF has been reached, 0 if not, or -1 for failure. +BIO_eof() returns 1 if EOF has been reached, 0 if not, or negative values for failure. -BIO_set_close() always returns 1. +BIO_set_close() returns 1 on success or <=0 for failure. -BIO_get_close() returns the close flag value: BIO_CLOSE or BIO_NOCLOSE. +BIO_get_close() returns the close flag value: BIO_CLOSE or BIO_NOCLOSE. It also +returns other negative values if an error occurs. BIO_pending(), BIO_ctrl_pending(), BIO_wpending() and BIO_ctrl_wpending() return the amount of pending data. diff --git a/doc/man3/BIO_f_buffer.pod b/doc/man3/BIO_f_buffer.pod index ed32e11d92..2eb6e8eab1 100644 --- a/doc/man3/BIO_f_buffer.pod +++ b/doc/man3/BIO_f_buffer.pod @@ -74,12 +74,13 @@ source/sink BIO is non blocking. BIO_f_buffer() returns the buffering BIO method. -BIO_get_buffer_num_lines() returns the number of lines buffered (may be 0). +BIO_get_buffer_num_lines() returns the number of lines buffered (may be 0) or +a negative value in case of errors. BIO_set_read_buffer_size(), BIO_set_write_buffer_size() and BIO_set_buffer_size() -return 1 if the buffer was successfully resized or 0 for failure. +return 1 if the buffer was successfully resized or <=0 for failure. -BIO_set_buffer_read_data() returns 1 if the data was set correctly or 0 if +BIO_set_buffer_read_data() returns 1 if the data was set correctly or <=0 if there was an error. =head1 SEE ALSO diff --git a/doc/man3/BIO_f_cipher.pod b/doc/man3/BIO_f_cipher.pod index 48f5536039..cb6b14a0c0 100644 --- a/doc/man3/BIO_f_cipher.pod +++ b/doc/man3/BIO_f_cipher.pod @@ -12,8 +12,8 @@ BIO_f_cipher, BIO_set_cipher, BIO_get_cipher_status, BIO_get_cipher_ctx - cipher #include const BIO_METHOD *BIO_f_cipher(void); - void BIO_set_cipher(BIO *b, const EVP_CIPHER *cipher, - unsigned char *key, unsigned char *iv, int enc); + int BIO_set_cipher(BIO *b, const EVP_CIPHER *cipher, +co
[openssl] master update
The branch master has been updated via 5001287c0dcd8ca4ffc564b360f86df79bba40c1 (commit) from f1d077f1108b1bc2334350a4d53a46e29e082910 (commit) - Log - commit 5001287c0dcd8ca4ffc564b360f86df79bba40c1 Author: PW Hu Date: Thu Oct 7 11:40:49 2021 +0800 Fix documentation errors, mainly caused by return values of BIO_ctrl Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16767) --- Summary of changes: doc/man3/ASN1_TYPE_get.pod | 2 +- doc/man3/BIO_ctrl.pod | 15 --- doc/man3/BIO_f_buffer.pod | 7 --- doc/man3/BIO_f_cipher.pod | 10 +- doc/man3/BIO_f_md.pod | 2 +- doc/man3/BIO_f_prefix.pod | 6 +++--- doc/man3/BIO_s_accept.pod | 6 +++--- doc/man3/BIO_s_connect.pod | 8 doc/man3/BIO_s_fd.pod | 4 ++-- doc/man3/BIO_s_file.pod| 5 ++--- 10 files changed, 33 insertions(+), 32 deletions(-) diff --git a/doc/man3/ASN1_TYPE_get.pod b/doc/man3/ASN1_TYPE_get.pod index c34572345f..1d87f676f4 100644 --- a/doc/man3/ASN1_TYPE_get.pod +++ b/doc/man3/ASN1_TYPE_get.pod @@ -24,7 +24,7 @@ These functions allow an B structure to be manipulated. The B structure can contain any ASN.1 type or constructed type such as a SEQUENCE: it is effectively equivalent to the ASN.1 ANY type. -ASN1_TYPE_get() returns the type of I. +ASN1_TYPE_get() returns the type of I or 0 if it fails. ASN1_TYPE_set() sets the value of I to I and I. This function uses the pointer I internally so it must B be freed diff --git a/doc/man3/BIO_ctrl.pod b/doc/man3/BIO_ctrl.pod index fdffda7b41..bcdeac6f7b 100644 --- a/doc/man3/BIO_ctrl.pod +++ b/doc/man3/BIO_ctrl.pod @@ -77,26 +77,27 @@ return a size_t type and are functions, BIO_pending() and BIO_wpending() are macros which call BIO_ctrl(). BIO_get_ktls_send() returns 1 if the BIO is using the Kernel TLS data-path for -sending. Otherwise, it returns zero. +sending. Otherwise, it returns zero. It also returns negative values for failure. BIO_get_ktls_recv() returns 1 if the BIO is using the Kernel TLS data-path for -receiving. Otherwise, it returns zero. +receiving. Otherwise, it returns zero. It also returns negative values for failure. =head1 RETURN VALUES -BIO_reset() normally returns 1 for success and 0 or -1 for failure. File +BIO_reset() normally returns 1 for success and <=0 for failure. File BIOs are an exception, they return 0 for success and -1 for failure. BIO_seek() and BIO_tell() both return the current file position on success and -1 for failure, except file BIOs which for BIO_seek() always return 0 for success and -1 for failure. -BIO_flush() returns 1 for success and 0 or -1 for failure. +BIO_flush() returns 1 for success and <=0 for failure. -BIO_eof() returns 1 if EOF has been reached, 0 if not, or -1 for failure. +BIO_eof() returns 1 if EOF has been reached, 0 if not, or negative values for failure. -BIO_set_close() always returns 1. +BIO_set_close() returns 1 on success or <=0 for failure. -BIO_get_close() returns the close flag value: BIO_CLOSE or BIO_NOCLOSE. +BIO_get_close() returns the close flag value: BIO_CLOSE or BIO_NOCLOSE. It also +returns other negative values if an error occurs. BIO_pending(), BIO_ctrl_pending(), BIO_wpending() and BIO_ctrl_wpending() return the amount of pending data. diff --git a/doc/man3/BIO_f_buffer.pod b/doc/man3/BIO_f_buffer.pod index ed32e11d92..2eb6e8eab1 100644 --- a/doc/man3/BIO_f_buffer.pod +++ b/doc/man3/BIO_f_buffer.pod @@ -74,12 +74,13 @@ source/sink BIO is non blocking. BIO_f_buffer() returns the buffering BIO method. -BIO_get_buffer_num_lines() returns the number of lines buffered (may be 0). +BIO_get_buffer_num_lines() returns the number of lines buffered (may be 0) or +a negative value in case of errors. BIO_set_read_buffer_size(), BIO_set_write_buffer_size() and BIO_set_buffer_size() -return 1 if the buffer was successfully resized or 0 for failure. +return 1 if the buffer was successfully resized or <=0 for failure. -BIO_set_buffer_read_data() returns 1 if the data was set correctly or 0 if +BIO_set_buffer_read_data() returns 1 if the data was set correctly or <=0 if there was an error. =head1 SEE ALSO diff --git a/doc/man3/BIO_f_cipher.pod b/doc/man3/BIO_f_cipher.pod index 48f5536039..cb6b14a0c0 100644 --- a/doc/man3/BIO_f_cipher.pod +++ b/doc/man3/BIO_f_cipher.pod @@ -12,8 +12,8 @@ BIO_f_cipher, BIO_set_cipher, BIO_get_cipher_status, BIO_get_cipher_ctx - cipher #include const BIO_METHOD *BIO_f_cipher(void); - void BIO_set_cipher(BIO *b, const EVP_CIPHER *cipher, - unsigned char *key, unsigned char *iv, int enc); + int BIO_set_cipher(BIO *b, const EVP_CIPHER *cipher, +const unsigned char *key, const unsigned char *iv, int enc); int BIO_get_cipher_st
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated
via b28d41afbfebd8c668ee039d10d1a0edbed09dba (commit)
from 851abe78b4ea7b8f238a652cd911420cd0950ff6 (commit)
- Log -
commit b28d41afbfebd8c668ee039d10d1a0edbed09dba
Author: Peiwei Hu
Date: Sat Oct 9 09:25:27 2021 +0800
Fix BIO_get_md_ctx return value check
Reviewed-by: Shane Lontis
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16792)
---
Summary of changes:
apps/dgst.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apps/dgst.c b/apps/dgst.c
index e595f7d818..b07fff3fb3 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -316,7 +316,7 @@ int dgst_main(int argc, char **argv)
EVP_MD_CTX *mctx = NULL;
EVP_PKEY_CTX *pctx = NULL;
int r;
-if (!BIO_get_md_ctx(bmd, &mctx)) {
+if (BIO_get_md_ctx(bmd, &mctx) <= 0) {
BIO_printf(bio_err, "Error getting context\n");
ERR_print_errors(bio_err);
goto end;
@@ -345,7 +345,7 @@ int dgst_main(int argc, char **argv)
/* we use md as a filter, reading from 'in' */
else {
EVP_MD_CTX *mctx = NULL;
-if (!BIO_get_md_ctx(bmd, &mctx)) {
+if (BIO_get_md_ctx(bmd, &mctx) <= 0) {
BIO_printf(bio_err, "Error getting context\n");
ERR_print_errors(bio_err);
goto end;
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 851abe78b4ea7b8f238a652cd911420cd0950ff6 (commit) from 69211b0fce408537bdfec7dd4cc5814b3c4eda8c (commit) - Log - commit 851abe78b4ea7b8f238a652cd911420cd0950ff6 Author: PW Hu Date: Sat Oct 9 15:21:00 2021 +0800 Fix some documentation errors related to return values Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16794) (cherry picked from commit f1d077f1108b1bc2334350a4d53a46e29e082910) --- Summary of changes: doc/man3/ENGINE_add.pod | 5 ++--- doc/man3/ERR_load_strings.pod | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/doc/man3/ENGINE_add.pod b/doc/man3/ENGINE_add.pod index 369900c248..74589538b2 100644 --- a/doc/man3/ENGINE_add.pod +++ b/doc/man3/ENGINE_add.pod @@ -597,8 +597,7 @@ B implementations. All ENGINE_register_TYPE() functions return 1 on success or 0 on error. -ENGINE_register_complete() and ENGINE_register_all_complete() return 1 on success -or 0 on error. +ENGINE_register_complete() and ENGINE_register_all_complete() always return 1. ENGINE_ctrl() returns a positive value on success or others on error. @@ -609,7 +608,7 @@ ENGINE_ctrl_cmd() and ENGINE_ctrl_cmd_string() return 1 on success or 0 on error ENGINE_new() returns a valid B structure on success or NULL if an error occurred. -ENGINE_free() returns 1 on success or 0 on error. +ENGINE_free() always returns 1. ENGINE_up_ref() returns 1 on success or 0 on error. diff --git a/doc/man3/ERR_load_strings.pod b/doc/man3/ERR_load_strings.pod index 3167f27150..8c708584c0 100644 --- a/doc/man3/ERR_load_strings.pod +++ b/doc/man3/ERR_load_strings.pod @@ -9,7 +9,7 @@ arbitrary error strings #include - void ERR_load_strings(int lib, ERR_STRING_DATA str[]); + int ERR_load_strings(int lib, ERR_STRING_DATA *str); int ERR_get_next_error_library(void); @@ -38,7 +38,7 @@ to user libraries at runtime. =head1 RETURN VALUES -ERR_load_strings() returns no value. ERR_PACK() return the error code. +ERR_load_strings() returns 1 for success and 0 for failure. ERR_PACK() returns the error code. ERR_get_next_error_library() returns zero on failure, otherwise a new library number.
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via ef3889e7a2e21e9acea3bc0927c22f962da36eed (commit) from d9f8032ea6c414fbcf91ed541059dd6c32a9abc6 (commit) - Log - commit ef3889e7a2e21e9acea3bc0927c22f962da36eed Author: PW Hu Date: Sat Oct 9 15:21:00 2021 +0800 Fix some documentation errors related to return values Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16794) (cherry picked from commit f1d077f1108b1bc2334350a4d53a46e29e082910) --- Summary of changes: doc/man3/ENGINE_add.pod | 5 ++--- doc/man3/ERR_load_strings.pod | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/doc/man3/ENGINE_add.pod b/doc/man3/ENGINE_add.pod index c9279e871f..982a4001b7 100644 --- a/doc/man3/ENGINE_add.pod +++ b/doc/man3/ENGINE_add.pod @@ -604,8 +604,7 @@ B implementations. All ENGINE_register_TYPE() functions return 1 on success or 0 on error. -ENGINE_register_complete() and ENGINE_register_all_complete() return 1 on success -or 0 on error. +ENGINE_register_complete() and ENGINE_register_all_complete() always return 1. ENGINE_ctrl() returns a positive value on success or others on error. @@ -616,7 +615,7 @@ ENGINE_ctrl_cmd() and ENGINE_ctrl_cmd_string() return 1 on success or 0 on error ENGINE_new() returns a valid B structure on success or NULL if an error occurred. -ENGINE_free() returns 1 on success or 0 on error. +ENGINE_free() always returns 1. ENGINE_up_ref() returns 1 on success or 0 on error. diff --git a/doc/man3/ERR_load_strings.pod b/doc/man3/ERR_load_strings.pod index 56d31e6611..55f4cb244e 100644 --- a/doc/man3/ERR_load_strings.pod +++ b/doc/man3/ERR_load_strings.pod @@ -9,7 +9,7 @@ arbitrary error strings #include - void ERR_load_strings(int lib, ERR_STRING_DATA str[]); + int ERR_load_strings(int lib, ERR_STRING_DATA *str); int ERR_get_next_error_library(void); @@ -38,7 +38,7 @@ to user libraries at run time. =head1 RETURN VALUES -ERR_load_strings() returns no value. ERR_PACK() return the error code. +ERR_load_strings() returns 1 for success and 0 for failure. ERR_PACK() returns the error code. ERR_get_next_error_library() returns zero on failure, otherwise a new library number.
[openssl] master update
The branch master has been updated via f1d077f1108b1bc2334350a4d53a46e29e082910 (commit) from cde5a12d5e83ba0d7c5b2dd7bafa4d2abe2d45bf (commit) - Log - commit f1d077f1108b1bc2334350a4d53a46e29e082910 Author: PW Hu Date: Sat Oct 9 15:21:00 2021 +0800 Fix some documentation errors related to return values Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16794) --- Summary of changes: doc/man3/ENGINE_add.pod | 5 ++--- doc/man3/ERR_load_strings.pod | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/doc/man3/ENGINE_add.pod b/doc/man3/ENGINE_add.pod index c9279e871f..982a4001b7 100644 --- a/doc/man3/ENGINE_add.pod +++ b/doc/man3/ENGINE_add.pod @@ -604,8 +604,7 @@ B implementations. All ENGINE_register_TYPE() functions return 1 on success or 0 on error. -ENGINE_register_complete() and ENGINE_register_all_complete() return 1 on success -or 0 on error. +ENGINE_register_complete() and ENGINE_register_all_complete() always return 1. ENGINE_ctrl() returns a positive value on success or others on error. @@ -616,7 +615,7 @@ ENGINE_ctrl_cmd() and ENGINE_ctrl_cmd_string() return 1 on success or 0 on error ENGINE_new() returns a valid B structure on success or NULL if an error occurred. -ENGINE_free() returns 1 on success or 0 on error. +ENGINE_free() always returns 1. ENGINE_up_ref() returns 1 on success or 0 on error. diff --git a/doc/man3/ERR_load_strings.pod b/doc/man3/ERR_load_strings.pod index 56d31e6611..55f4cb244e 100644 --- a/doc/man3/ERR_load_strings.pod +++ b/doc/man3/ERR_load_strings.pod @@ -9,7 +9,7 @@ arbitrary error strings #include - void ERR_load_strings(int lib, ERR_STRING_DATA str[]); + int ERR_load_strings(int lib, ERR_STRING_DATA *str); int ERR_get_next_error_library(void); @@ -38,7 +38,7 @@ to user libraries at run time. =head1 RETURN VALUES -ERR_load_strings() returns no value. ERR_PACK() return the error code. +ERR_load_strings() returns 1 for success and 0 for failure. ERR_PACK() returns the error code. ERR_get_next_error_library() returns zero on failure, otherwise a new library number.
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via d9f8032ea6c414fbcf91ed541059dd6c32a9abc6 (commit) from d86d703711c6431b611afabc2de3b174fbf8ec36 (commit) - Log - commit d9f8032ea6c414fbcf91ed541059dd6c32a9abc6 Author: Tomas Mraz Date: Fri Oct 15 14:50:17 2021 +0200 doc: EVP_PKEY_get_utf8/octet_string_param() clarify NULL buffer behavior Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16843) (cherry picked from commit cde5a12d5e83ba0d7c5b2dd7bafa4d2abe2d45bf) --- Summary of changes: doc/man3/EVP_PKEY_gettable_params.pod | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/doc/man3/EVP_PKEY_gettable_params.pod b/doc/man3/EVP_PKEY_gettable_params.pod index b28ed69939..23ac4bd8b0 100644 --- a/doc/man3/EVP_PKEY_gettable_params.pod +++ b/doc/man3/EVP_PKEY_gettable_params.pod @@ -52,11 +52,15 @@ buffer I of maximum size I associated with a name of I. The maximum size must be large enough to accomodate the string value including a terminating NUL byte, or this function will fail. If I is not NULL, I<*out_len> is set to the length of the string -not including the terminating NUL byte. +not including the terminating NUL byte. The required buffer size not including +the terminating NUL byte can be obtained from I<*out_len> by calling the +function with I set to NULL. EVP_PKEY_get_octet_string_param() get a key I's octet string value into a buffer I of maximum size I associated with a name of I. If I is not NULL, I<*out_len> is set to the length of the contents. +The required buffer size can be obtained from I<*out_len> by calling the +function with I set to NULL. =head1 NOTES
[openssl] master update
The branch master has been updated via cde5a12d5e83ba0d7c5b2dd7bafa4d2abe2d45bf (commit) from 3d63315366f673328b41750a6e1708d3d6cf11a0 (commit) - Log - commit cde5a12d5e83ba0d7c5b2dd7bafa4d2abe2d45bf Author: Tomas Mraz Date: Fri Oct 15 14:50:17 2021 +0200 doc: EVP_PKEY_get_utf8/octet_string_param() clarify NULL buffer behavior Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16843) --- Summary of changes: doc/man3/EVP_PKEY_gettable_params.pod | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/doc/man3/EVP_PKEY_gettable_params.pod b/doc/man3/EVP_PKEY_gettable_params.pod index b28ed69939..23ac4bd8b0 100644 --- a/doc/man3/EVP_PKEY_gettable_params.pod +++ b/doc/man3/EVP_PKEY_gettable_params.pod @@ -52,11 +52,15 @@ buffer I of maximum size I associated with a name of I. The maximum size must be large enough to accomodate the string value including a terminating NUL byte, or this function will fail. If I is not NULL, I<*out_len> is set to the length of the string -not including the terminating NUL byte. +not including the terminating NUL byte. The required buffer size not including +the terminating NUL byte can be obtained from I<*out_len> by calling the +function with I set to NULL. EVP_PKEY_get_octet_string_param() get a key I's octet string value into a buffer I of maximum size I associated with a name of I. If I is not NULL, I<*out_len> is set to the length of the contents. +The required buffer size can be obtained from I<*out_len> by calling the +function with I set to NULL. =head1 NOTES
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via d86d703711c6431b611afabc2de3b174fbf8ec36 (commit) from beb00a330c7e1c213c72a249894ed23f0f8df5a2 (commit) - Log - commit d86d703711c6431b611afabc2de3b174fbf8ec36 Author: Tomas Mraz Date: Wed Oct 20 18:27:47 2021 +0200 doc: Document the type of label EVP_PKEY_CTX_set0_rsa_oaep_label properly Reviewed-by: Matt Caswell Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16869) (cherry picked from commit 3d63315366f673328b41750a6e1708d3d6cf11a0) --- Summary of changes: doc/man3/EVP_PKEY_CTX_ctrl.pod | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod index 7c8db14cb6..c2c7042172 100644 --- a/doc/man3/EVP_PKEY_CTX_ctrl.pod +++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod @@ -116,7 +116,7 @@ EVP_PKEY_CTX_set_kem_op int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **md); int EVP_PKEY_CTX_get_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, char *name, size_t namelen); - int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char *label, + int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int len); int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label); @@ -356,8 +356,8 @@ EVP_MD object instead. Note that only known, built-in EVP_MD objects will be returned. The EVP_MD object may be NULL if the digest is not one of these (such as a digest only implemented in a third party provider). -EVP_PKEY_CTX_set0_rsa_oaep_label() sets the RSA OAEP label to -I and its length to I. If I is NULL or I is 0, +EVP_PKEY_CTX_set0_rsa_oaep_label() sets the RSA OAEP label to binary data +I and its length in bytes to I. If I is NULL or I is 0, the label is cleared. The library takes ownership of the label so the caller should not free the original memory pointed to by I. The padding mode must have been set to B.
[openssl] master update
The branch master has been updated via 3d63315366f673328b41750a6e1708d3d6cf11a0 (commit) from 7cce994d3e57345ba729388b9321d9bf8b661b4f (commit) - Log - commit 3d63315366f673328b41750a6e1708d3d6cf11a0 Author: Tomas Mraz Date: Wed Oct 20 18:27:47 2021 +0200 doc: Document the type of label EVP_PKEY_CTX_set0_rsa_oaep_label properly Reviewed-by: Matt Caswell Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16869) --- Summary of changes: doc/man3/EVP_PKEY_CTX_ctrl.pod | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod index 7c8db14cb6..c2c7042172 100644 --- a/doc/man3/EVP_PKEY_CTX_ctrl.pod +++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod @@ -116,7 +116,7 @@ EVP_PKEY_CTX_set_kem_op int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **md); int EVP_PKEY_CTX_get_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, char *name, size_t namelen); - int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char *label, + int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int len); int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label); @@ -356,8 +356,8 @@ EVP_MD object instead. Note that only known, built-in EVP_MD objects will be returned. The EVP_MD object may be NULL if the digest is not one of these (such as a digest only implemented in a third party provider). -EVP_PKEY_CTX_set0_rsa_oaep_label() sets the RSA OAEP label to -I and its length to I. If I is NULL or I is 0, +EVP_PKEY_CTX_set0_rsa_oaep_label() sets the RSA OAEP label to binary data +I and its length in bytes to I. If I is NULL or I is 0, the label is cleared. The library takes ownership of the label so the caller should not free the original memory pointed to by I. The padding mode must have been set to B.
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via beb00a330c7e1c213c72a249894ed23f0f8df5a2 (commit) via 726c6cc71155494ba99cf8719cd1281403e49ed8 (commit) via e3c654c813ebd4e456060f594964107f03ca3e12 (commit) via 60722c167cd3f26f1670d50a8638ee21979bea36 (commit) via 60f5e48f44b0d4e4179960741e8b73e5c475d3e8 (commit) via 1974be5912fc10c4f589c328063aba7a09d3aa93 (commit) via 55398b354f55955a1f504f591b8cf64a559a5793 (commit) via 4fffef3dedcb80d2bfa657d4b7c2850dddaef1b4 (commit) via 97c453a6395c5c5a53331c514d55b82be926d141 (commit) from 04b0646950449e2e0eaa40427a9d0e0040b028dc (commit) - Log - commit beb00a330c7e1c213c72a249894ed23f0f8df5a2 Author: Matt Caswell Date: Wed Oct 20 15:47:22 2021 +0100 Update pyca-cryptography sub-module Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16789) (cherry picked from commit 7cce994d3e57345ba729388b9321d9bf8b661b4f) commit 726c6cc71155494ba99cf8719cd1281403e49ed8 Author: Matt Caswell Date: Mon Oct 11 13:43:19 2021 +0100 Fix acvp_test sig_gen Ensure we set the size of the signature buffer before we call EVP_DigestSign() Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16789) (cherry picked from commit 1b327433e52c8acd6db0a69bc772d4bd1800a109) commit e3c654c813ebd4e456060f594964107f03ca3e12 Author: Matt Caswell Date: Mon Oct 11 13:12:49 2021 +0100 Fix test_CMAC_keygen Make sure we correctly pass through the size of the buffer to EVP_DigestSignFinal Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16789) (cherry picked from commit cff7d58eb4c8e0ef43e2fd0b12bc067bd3540e2c) commit 60722c167cd3f26f1670d50a8638ee21979bea36 Author: Matt Caswell Date: Mon Oct 11 12:08:29 2021 +0100 Fix a bug in signature self tests in the FIPS module When calling EVP_PKEY_sign(), the size of the signature buffer must be passed in *siglen. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16789) (cherry picked from commit 61adb6cf950b65a7bfce9a8d78a7744dfae9f978) commit 60f5e48f44b0d4e4179960741e8b73e5c475d3e8 Author: Matt Caswell Date: Fri Oct 8 14:43:17 2021 +0100 Add an additional note to EVP_DigestSign() documentation Clarify what happens if it fails. Make it clear that you can pass a NULL "sig" buffer to get the "siglen". Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16789) (cherry picked from commit dc3f057ce1701d5fd77cc4fcc1d14afe3e3122a3) commit 1974be5912fc10c4f589c328063aba7a09d3aa93 Author: Matt Caswell Date: Thu Oct 7 14:15:47 2021 +0100 Test short buffers Test that calling EVP_DigestSign(), EVP_DigestSignFinal(), EVP_PKEY_sign(), EVP_PKEY_get_raw_private_key(), or EVP_PKEY_get_raw_public_key() with a short output buffer results in a failure. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16789) (cherry picked from commit 15ff7d7c2569a1aceaf6e85b61aee62422628fc9) commit 55398b354f55955a1f504f591b8cf64a559a5793 Author: Matt Caswell Date: Thu Oct 7 14:14:52 2021 +0100 Fix SSKDF to not claim a buffer size that is too small for the MAC We also check that our buffer is sufficiently sized for the MAC output Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16789) (cherry picked from commit 7be8ba546267787c1b0df8a4fddaf9cb29944cbb) commit 4fffef3dedcb80d2bfa657d4b7c2850dddaef1b4 Author: Matt Caswell Date: Thu Oct 7 14:06:32 2021 +0100 Enforce a size check in EVP_MAC_final() Make sure that the outsize for the buffer is large enough for the output from the MAC. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16789) (cherry picked from commit b97f4dd73b4711eebf731ae0efa6e9b77c7f3304) commit 97c453a6395c5c5a53331c514d55b82be926d141 Author: Matt Caswell Date: Thu Oct 7 11:33:17 2021 +0100 Prevent an overflow if an application supplies a buffer that is too small If an application bug means that a buffer smaller than is necessary is passed to various functions then OpenSSL does not spot that the buffer is too small and fills it anyway. This PR prevents that. Since it requires an application bug to hit this problem, no CVE is allocated. Thanks to David Benjamin for reporting this issue. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16789) (cherry picked from commit 43da9a14f0e73f42f28ae34219929b44df5d1a11) --- Summary of changes:
[openssl] master update
The branch master has been updated via 7cce994d3e57345ba729388b9321d9bf8b661b4f (commit) via 1b327433e52c8acd6db0a69bc772d4bd1800a109 (commit) via cff7d58eb4c8e0ef43e2fd0b12bc067bd3540e2c (commit) via 61adb6cf950b65a7bfce9a8d78a7744dfae9f978 (commit) via dc3f057ce1701d5fd77cc4fcc1d14afe3e3122a3 (commit) via 15ff7d7c2569a1aceaf6e85b61aee62422628fc9 (commit) via 7be8ba546267787c1b0df8a4fddaf9cb29944cbb (commit) via b97f4dd73b4711eebf731ae0efa6e9b77c7f3304 (commit) via 43da9a14f0e73f42f28ae34219929b44df5d1a11 (commit) from 251e941283f554f0dc4b315e3a8fb82ef5b71982 (commit) - Log - commit 7cce994d3e57345ba729388b9321d9bf8b661b4f Author: Matt Caswell Date: Wed Oct 20 15:47:22 2021 +0100 Update pyca-cryptography sub-module Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16789) commit 1b327433e52c8acd6db0a69bc772d4bd1800a109 Author: Matt Caswell Date: Mon Oct 11 13:43:19 2021 +0100 Fix acvp_test sig_gen Ensure we set the size of the signature buffer before we call EVP_DigestSign() Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16789) commit cff7d58eb4c8e0ef43e2fd0b12bc067bd3540e2c Author: Matt Caswell Date: Mon Oct 11 13:12:49 2021 +0100 Fix test_CMAC_keygen Make sure we correctly pass through the size of the buffer to EVP_DigestSignFinal Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16789) commit 61adb6cf950b65a7bfce9a8d78a7744dfae9f978 Author: Matt Caswell Date: Mon Oct 11 12:08:29 2021 +0100 Fix a bug in signature self tests in the FIPS module When calling EVP_PKEY_sign(), the size of the signature buffer must be passed in *siglen. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16789) commit dc3f057ce1701d5fd77cc4fcc1d14afe3e3122a3 Author: Matt Caswell Date: Fri Oct 8 14:43:17 2021 +0100 Add an additional note to EVP_DigestSign() documentation Clarify what happens if it fails. Make it clear that you can pass a NULL "sig" buffer to get the "siglen". Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16789) commit 15ff7d7c2569a1aceaf6e85b61aee62422628fc9 Author: Matt Caswell Date: Thu Oct 7 14:15:47 2021 +0100 Test short buffers Test that calling EVP_DigestSign(), EVP_DigestSignFinal(), EVP_PKEY_sign(), EVP_PKEY_get_raw_private_key(), or EVP_PKEY_get_raw_public_key() with a short output buffer results in a failure. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16789) commit 7be8ba546267787c1b0df8a4fddaf9cb29944cbb Author: Matt Caswell Date: Thu Oct 7 14:14:52 2021 +0100 Fix SSKDF to not claim a buffer size that is too small for the MAC We also check that our buffer is sufficiently sized for the MAC output Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16789) commit b97f4dd73b4711eebf731ae0efa6e9b77c7f3304 Author: Matt Caswell Date: Thu Oct 7 14:06:32 2021 +0100 Enforce a size check in EVP_MAC_final() Make sure that the outsize for the buffer is large enough for the output from the MAC. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16789) commit 43da9a14f0e73f42f28ae34219929b44df5d1a11 Author: Matt Caswell Date: Thu Oct 7 11:33:17 2021 +0100 Prevent an overflow if an application supplies a buffer that is too small If an application bug means that a buffer smaller than is necessary is passed to various functions then OpenSSL does not spot that the buffer is too small and fills it anyway. This PR prevents that. Since it requires an application bug to hit this problem, no CVE is allocated. Thanks to David Benjamin for reporting this issue. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16789) --- Summary of changes: crypto/evp/m_sigver.c | 7 +- crypto/evp/mac_lib.c | 8 +- crypto/evp/p_lib.c | 6 +- crypto/evp/signature.c | 2 +- doc/man3/EVP_DigestSignInit.pod| 6 +- providers/fips/self_test_kats.c| 2 +- providers/implementations/kdfs/sskdf.c | 4 +- pyca-cryptography | 2 +- test/acvp_test.c | 1 + test/evp_extra_test.c | 159 +++-- 10 files changed, 160 insertions(+), 37 deletions(-) diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c index 806ef3224c..70669c3e6d 100644 --- a/crypto/evp/m_sigver.c +++ b/cry
