Re: [openssl/openssl] 6332f4: CI: add GCC 11
This was a force push to remove the "CLA: trivial" lines in the commit messages. The CLA lines were missed by the reviewers and I merged them earlier today. The author quickly submitted an ICLA once I realised and mentioned it. Pauli On 27/6/22 12:18, pauli wrote: Branch: refs/heads/master Home: https://github.openssl.org/openssl/openssl Commit: 6332f4c4a2c153869b169d250d9736962abe12c6 https://github.openssl.org/openssl/openssl/commit/6332f4c4a2c153869b169d250d9736962abe12c6 Author: Sam James Date: 2022-06-27 (Mon, 27 Jun 2022) Changed paths: M .github/workflows/compiler-zoo.yml Log Message: --- CI: add GCC 11 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/18639) Commit: 712c13c57b97e2e25ca23048f3ba6f50115cacd7 https://github.openssl.org/openssl/openssl/commit/712c13c57b97e2e25ca23048f3ba6f50115cacd7 Author: Sam James Date: 2022-06-27 (Mon, 27 Jun 2022) Changed paths: M .github/workflows/compiler-zoo.yml Log Message: --- CI: Upgrade to Ubuntu 22.04 to add GCC 12, Clang 13, Clang 14 Notably, this might have caught #18225, as Clang 14 wasn't - and is not yet until this commit - in OpenSSL's CI. It makes sense to ensure CI tests compilers used in newer Linux distributions: * Fedora 36 ships with GCC 12 * Ubuntu 22.04 ships with Clang 14 We switch from 'ubuntu-latest' (which can change meaning but currently points to ubuntu-20.04) to ubuntu-20.04 for the older existing compilers, and ubuntu-22.04 for the newer ones added by this commit. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/18639) Commit: 6162a2402d6b47c597c271bfb6a67d64bf183383 https://github.openssl.org/openssl/openssl/commit/6162a2402d6b47c597c271bfb6a67d64bf183383 Author: Sam James Date: 2022-06-27 (Mon, 27 Jun 2022) Changed paths: M test/test_test.c Log Message: --- test: placate Clang's --Wbitwise-instead-of-logical ``` test/test_test.c:58:9: note: cast one or both operands to int to silence this warning test/test_test.c:58:9: error: use of bitwise '|' with boolean operands [-Werror,-Wbitwise-instead-of-logical] if (!TEST(1, TEST_uint_eq(3u, 3u)) ^~ test/test_test.c:58:9: note: cast one or both operands to int to silence this warning ``` Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/18639) Compare: https://github.openssl.org/openssl/openssl/compare/1a645b98a212...6162a2402d6b
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 413ffdd1b6b6345f1b8891d1865fa090bcde5957 (commit) from 66d422c5738b74c6bd9d8b34e219eb98b6fcd60a (commit) - Log - commit 413ffdd1b6b6345f1b8891d1865fa090bcde5957 Author: Jiasheng Jiang Date: Thu Feb 17 17:47:00 2022 +0800 test/crltest.c: Add check for glue2bio As the glue2bio() could return NULL pointer if fails, it should be better to check the return value in order to avoid the use of NULL pointer. Signed-off-by: Jiasheng Jiang Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17718) (cherry picked from commit 18cb1740cc0fd11940836fa2fcaf6d3634c00e90) --- Summary of changes: test/crltest.c | 24 ++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/test/crltest.c b/test/crltest.c index 5d255d368a..f258c75efe 100644 --- a/test/crltest.c +++ b/test/crltest.c @@ -200,9 +200,16 @@ static BIO *glue2bio(const char **pem, char **out) */ static X509_CRL *CRL_from_strings(const char **pem) { +X509_CRL *crl; char *p; BIO *b = glue2bio(pem, ); -X509_CRL *crl = PEM_read_bio_X509_CRL(b, NULL, NULL, NULL); + +if (b == NULL) { +OPENSSL_free(p); +return NULL; +} + +crl = PEM_read_bio_X509_CRL(b, NULL, NULL, NULL); OPENSSL_free(p); BIO_free(b); @@ -214,9 +221,16 @@ static X509_CRL *CRL_from_strings(const char **pem) */ static X509 *X509_from_strings(const char **pem) { +X509 *x; char *p; BIO *b = glue2bio(pem, ); -X509 *x = PEM_read_bio_X509(b, NULL, NULL, NULL); + +if (b == NULL) { +OPENSSL_free(p); +return NULL; +} + +x = PEM_read_bio_X509(b, NULL, NULL, NULL); OPENSSL_free(p); BIO_free(b); @@ -363,6 +377,12 @@ static int test_reuse_crl(void) char *p; BIO *b = glue2bio(kRevokedCRL, ); +if (b == NULL) { +OPENSSL_free(p); +X509_CRL_free(reused_crl); +return 0; +} + reused_crl = PEM_read_bio_X509_CRL(b, _crl, NULL, NULL); OPENSSL_free(p);
[openssl] master update
The branch master has been updated via 18cb1740cc0fd11940836fa2fcaf6d3634c00e90 (commit) from cf21d1c62dcd92be624ea0fb8a86d91e4fbeed93 (commit) - Log - commit 18cb1740cc0fd11940836fa2fcaf6d3634c00e90 Author: Jiasheng Jiang Date: Thu Feb 17 17:47:00 2022 +0800 test/crltest.c: Add check for glue2bio As the glue2bio() could return NULL pointer if fails, it should be better to check the return value in order to avoid the use of NULL pointer. Signed-off-by: Jiasheng Jiang Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17718) --- Summary of changes: test/crltest.c | 24 ++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/test/crltest.c b/test/crltest.c index 3b76f4f0ae..2c0a8153c6 100644 --- a/test/crltest.c +++ b/test/crltest.c @@ -200,9 +200,16 @@ static BIO *glue2bio(const char **pem, char **out) */ static X509_CRL *CRL_from_strings(const char **pem) { +X509_CRL *crl; char *p; BIO *b = glue2bio(pem, ); -X509_CRL *crl = PEM_read_bio_X509_CRL(b, NULL, NULL, NULL); + +if (b == NULL) { +OPENSSL_free(p); +return NULL; +} + +crl = PEM_read_bio_X509_CRL(b, NULL, NULL, NULL); OPENSSL_free(p); BIO_free(b); @@ -214,9 +221,16 @@ static X509_CRL *CRL_from_strings(const char **pem) */ static X509 *X509_from_strings(const char **pem) { +X509 *x; char *p; BIO *b = glue2bio(pem, ); -X509 *x = PEM_read_bio_X509(b, NULL, NULL, NULL); + +if (b == NULL) { +OPENSSL_free(p); +return NULL; +} + +x = PEM_read_bio_X509(b, NULL, NULL, NULL); OPENSSL_free(p); BIO_free(b); @@ -363,6 +377,12 @@ static int test_reuse_crl(void) char *p; BIO *b = glue2bio(kRevokedCRL, ); +if (b == NULL) { +OPENSSL_free(p); +X509_CRL_free(reused_crl); +return 0; +} + reused_crl = PEM_read_bio_X509_CRL(b, _crl, NULL, NULL); OPENSSL_free(p);
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 66d422c5738b74c6bd9d8b34e219eb98b6fcd60a (commit) from e19edf7361b952674135b8500144df6afec18319 (commit) - Log - commit 66d422c5738b74c6bd9d8b34e219eb98b6fcd60a Author: Jiasheng Jiang Date: Fri Feb 18 10:13:08 2022 +0800 bio_enc.c: add check for BIO_new_mem_buf Since the memory allocation may fail, the BIO_new_mem_buf() may return NULL pointer. Therefore, it should be better to check it and return error if fails. Signed-off-by: Jiasheng Jiang Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17730) (cherry picked from commit cf21d1c62dcd92be624ea0fb8a86d91e4fbeed93) --- Summary of changes: test/bio_enc_test.c | 52 +--- 1 file changed, 37 insertions(+), 15 deletions(-) diff --git a/test/bio_enc_test.c b/test/bio_enc_test.c index b383cdce1c..d3f914b656 100644 --- a/test/bio_enc_test.c +++ b/test/bio_enc_test.c @@ -38,7 +38,7 @@ static const unsigned char IV[] = { static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, const unsigned char* iv) { -BIO *b; +BIO *b, *mem; static unsigned char inp[BUF_SIZE] = { 0 }; unsigned char out[BUF_SIZE], ref[BUF_SIZE]; int i, lref, len; @@ -54,8 +54,11 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, if (!TEST_ptr(b)) return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, ENCRYPT))) -return 0; -BIO_push(b, BIO_new_mem_buf(inp, DATA_SIZE)); +goto err; +mem = BIO_new_mem_buf(inp, DATA_SIZE); +if (!TEST_ptr(mem)) +goto err; +BIO_push(b, mem); lref = BIO_read(b, ref, sizeof(ref)); BIO_free_all(b); @@ -66,16 +69,19 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, ENCRYPT))) { TEST_info("Split encrypt failed @ operation %d", i); -return 0; +goto err; } -BIO_push(b, BIO_new_mem_buf(inp, DATA_SIZE)); +mem = BIO_new_mem_buf(inp, DATA_SIZE); +if (!TEST_ptr(mem)) +goto err; +BIO_push(b, mem); memset(out, 0, sizeof(out)); out[i] = ~ref[i]; len = BIO_read(b, out, i); /* check for overstep */ if (!TEST_uchar_eq(out[i], (unsigned char)~ref[i])) { TEST_info("Encrypt overstep check failed @ operation %d", i); -return 0; +goto err; } len += BIO_read(b, out + len, sizeof(out) - len); BIO_free_all(b); @@ -95,9 +101,12 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, ENCRYPT))) { TEST_info("Small chunk encrypt failed @ operation %d", i); -return 0; +goto err; } -BIO_push(b, BIO_new_mem_buf(inp, DATA_SIZE)); +mem = BIO_new_mem_buf(inp, DATA_SIZE); +if (!TEST_ptr(mem)) +goto err; +BIO_push(b, mem); memset(out, 0, sizeof(out)); for (len = 0; (delta = BIO_read(b, out + len, i)); ) { len += delta; @@ -117,9 +126,12 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, if (!TEST_ptr(b)) return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, DECRYPT))) -return 0; +goto err; /* Use original reference output as input */ -BIO_push(b, BIO_new_mem_buf(ref, lref)); +mem = BIO_new_mem_buf(ref, lref); +if (!TEST_ptr(mem)) +goto err; +BIO_push(b, mem); (void)BIO_flush(b); memset(out, 0, sizeof(out)); len = BIO_read(b, out, sizeof(out)); @@ -135,16 +147,19 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, DECRYPT))) { TEST_info("Split decrypt failed @ operation %d", i); -return 0; +goto err; } -BIO_push(b, BIO_new_mem_buf(ref, lref)); +mem = BIO_new_mem_buf(ref, lref); +if (!TEST_ptr(mem)) +goto err; +BIO_push(b, mem); memset(out, 0, sizeof(out)); out[i] = ~ref[i]; len = BIO_read(b, out, i); /* check for overstep */ if (!TEST_uchar_eq(out[i], (unsigned char)~ref[i])) { TEST_info("Decrypt overstep check failed @ operation %d", i); -return 0; +goto err; } len += BIO_read(b, out + len, sizeof(out) - len); BIO_free_all(b); @@ -164,9 +179,12 @@ static
[openssl] master update
The branch master has been updated via cf21d1c62dcd92be624ea0fb8a86d91e4fbeed93 (commit) from cbb6f4dbf0ce42b4cc4385d7b95236710504068d (commit) - Log - commit cf21d1c62dcd92be624ea0fb8a86d91e4fbeed93 Author: Jiasheng Jiang Date: Fri Feb 18 10:13:08 2022 +0800 bio_enc.c: add check for BIO_new_mem_buf Since the memory allocation may fail, the BIO_new_mem_buf() may return NULL pointer. Therefore, it should be better to check it and return error if fails. Signed-off-by: Jiasheng Jiang Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17730) --- Summary of changes: test/bio_enc_test.c | 52 +--- 1 file changed, 37 insertions(+), 15 deletions(-) diff --git a/test/bio_enc_test.c b/test/bio_enc_test.c index 0b95fae1cd..ffc69d00bf 100644 --- a/test/bio_enc_test.c +++ b/test/bio_enc_test.c @@ -38,7 +38,7 @@ static const unsigned char IV[] = { static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, const unsigned char* iv) { -BIO *b; +BIO *b, *mem; static unsigned char inp[BUF_SIZE] = { 0 }; unsigned char out[BUF_SIZE], ref[BUF_SIZE]; int i, lref, len; @@ -54,8 +54,11 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, if (!TEST_ptr(b)) return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, ENCRYPT))) -return 0; -BIO_push(b, BIO_new_mem_buf(inp, DATA_SIZE)); +goto err; +mem = BIO_new_mem_buf(inp, DATA_SIZE); +if (!TEST_ptr(mem)) +goto err; +BIO_push(b, mem); lref = BIO_read(b, ref, sizeof(ref)); BIO_free_all(b); @@ -66,16 +69,19 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, ENCRYPT))) { TEST_info("Split encrypt failed @ operation %d", i); -return 0; +goto err; } -BIO_push(b, BIO_new_mem_buf(inp, DATA_SIZE)); +mem = BIO_new_mem_buf(inp, DATA_SIZE); +if (!TEST_ptr(mem)) +goto err; +BIO_push(b, mem); memset(out, 0, sizeof(out)); out[i] = ~ref[i]; len = BIO_read(b, out, i); /* check for overstep */ if (!TEST_uchar_eq(out[i], (unsigned char)~ref[i])) { TEST_info("Encrypt overstep check failed @ operation %d", i); -return 0; +goto err; } len += BIO_read(b, out + len, sizeof(out) - len); BIO_free_all(b); @@ -95,9 +101,12 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, ENCRYPT))) { TEST_info("Small chunk encrypt failed @ operation %d", i); -return 0; +goto err; } -BIO_push(b, BIO_new_mem_buf(inp, DATA_SIZE)); +mem = BIO_new_mem_buf(inp, DATA_SIZE); +if (!TEST_ptr(mem)) +goto err; +BIO_push(b, mem); memset(out, 0, sizeof(out)); for (len = 0; (delta = BIO_read(b, out + len, i)); ) { len += delta; @@ -117,9 +126,12 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, if (!TEST_ptr(b)) return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, DECRYPT))) -return 0; +goto err; /* Use original reference output as input */ -BIO_push(b, BIO_new_mem_buf(ref, lref)); +mem = BIO_new_mem_buf(ref, lref); +if (!TEST_ptr(mem)) +goto err; +BIO_push(b, mem); (void)BIO_flush(b); memset(out, 0, sizeof(out)); len = BIO_read(b, out, sizeof(out)); @@ -135,16 +147,19 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key, return 0; if (!TEST_true(BIO_set_cipher(b, cipher, key, iv, DECRYPT))) { TEST_info("Split decrypt failed @ operation %d", i); -return 0; +goto err; } -BIO_push(b, BIO_new_mem_buf(ref, lref)); +mem = BIO_new_mem_buf(ref, lref); +if (!TEST_ptr(mem)) +goto err; +BIO_push(b, mem); memset(out, 0, sizeof(out)); out[i] = ~ref[i]; len = BIO_read(b, out, i); /* check for overstep */ if (!TEST_uchar_eq(out[i], (unsigned char)~ref[i])) { TEST_info("Decrypt overstep check failed @ operation %d", i); -return 0; +goto err; } len += BIO_read(b, out + len, sizeof(out) - len); BIO_free_all(b); @@ -164,9 +179,12 @@ static int do_bio_cipher(const EVP_CIPHER* cipher, const unsigned char* key,
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via e19edf7361b952674135b8500144df6afec18319 (commit) from 6f4a98ce2157aca169709c80ea579e80e39011b6 (commit) - Log - commit e19edf7361b952674135b8500144df6afec18319 Author: Carlo Teubner <435950+c4...@users.noreply.github.com> Date: Fri Feb 18 10:00:52 2022 + X509_VERIFY_PARAM_set_flags.pod: fix typos CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17731) (cherry picked from commit cbb6f4dbf0ce42b4cc4385d7b95236710504068d) --- Summary of changes: doc/man3/X509_VERIFY_PARAM_set_flags.pod | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod index 1213627be7..55bdf877b3 100644 --- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod @@ -249,8 +249,8 @@ certificate. An error occurs if a suitable CRL cannot be found. B enables CRL checking for the entire certificate chain. -B disabled critical extension checking. By default -any unhandled critical extensions in certificates or (if checked) CRLs results +B disables critical extension checking. By default +any unhandled critical extensions in certificates or (if checked) CRLs result in a fatal error. If this flag is set unhandled critical extensions are ignored. B setting this option for anything other than debugging purposes can be a security risk. Finer control over which extensions are
[openssl] master update
The branch master has been updated via cbb6f4dbf0ce42b4cc4385d7b95236710504068d (commit) from 632e8be2b570959dc3781c6956171e7e49f1aa58 (commit) - Log - commit cbb6f4dbf0ce42b4cc4385d7b95236710504068d Author: Carlo Teubner <435950+c4...@users.noreply.github.com> Date: Fri Feb 18 10:00:52 2022 + X509_VERIFY_PARAM_set_flags.pod: fix typos CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17731) --- Summary of changes: doc/man3/X509_VERIFY_PARAM_set_flags.pod | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod index 4437b93fd6..62ef00bc33 100644 --- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod @@ -249,8 +249,8 @@ certificate. An error occurs if a suitable CRL cannot be found. B enables CRL checking for the entire certificate chain. -B disabled critical extension checking. By default -any unhandled critical extensions in certificates or (if checked) CRLs results +B disables critical extension checking. By default +any unhandled critical extensions in certificates or (if checked) CRLs result in a fatal error. If this flag is set unhandled critical extensions are ignored. B setting this option for anything other than debugging purposes can be a security risk. Finer control over which extensions are
[openssl] master update
The branch master has been updated via 632e8be2b570959dc3781c6956171e7e49f1aa58 (commit) from 42659159f4d4a8c16a0e9b089d40a5831b60cbb6 (commit) - Log - commit 632e8be2b570959dc3781c6956171e7e49f1aa58 Author: Raul Ferrando Date: Tue Feb 15 16:02:41 2022 +0100 Add -quiet option to pkcs7 for -print_certs Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17708) --- Summary of changes: apps/pkcs7.c | 13 + doc/man1/openssl-pkcs7.pod.in | 6 ++ test/recipes/25-test_pkcs7.t | 15 ++- .../grfc.pem => recipes/25-test_pkcs7_data/grfc.out} | 1 + 4 files changed, 30 insertions(+), 5 deletions(-) copy test/{certs/grfc.pem => recipes/25-test_pkcs7_data/grfc.out} (99%) diff --git a/apps/pkcs7.c b/apps/pkcs7.c index ac2dec152a..a95ea25377 100644 --- a/apps/pkcs7.c +++ b/apps/pkcs7.c @@ -23,8 +23,8 @@ typedef enum OPTION_choice { OPT_COMMON, OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOOUT, -OPT_TEXT, OPT_PRINT, OPT_PRINT_CERTS, OPT_ENGINE, -OPT_PROV_ENUM +OPT_TEXT, OPT_PRINT, OPT_PRINT_CERTS, OPT_QUIET, +OPT_ENGINE, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS pkcs7_options[] = { @@ -46,6 +46,8 @@ const OPTIONS pkcs7_options[] = { {"print", OPT_PRINT, '-', "Print out all fields of the PKCS7 structure"}, {"print_certs", OPT_PRINT_CERTS, '-', "Print_certs print any certs or crl in the input"}, +{"quiet", OPT_QUIET, '-', + "When used with -print_certs, it produces a cleaner output"}, OPT_PROV_OPTIONS, {NULL} @@ -58,7 +60,7 @@ int pkcs7_main(int argc, char **argv) BIO *in = NULL, *out = NULL; int informat = FORMAT_PEM, outformat = FORMAT_PEM; char *infile = NULL, *outfile = NULL, *prog; -int i, print_certs = 0, text = 0, noout = 0, p7_print = 0, ret = 1; +int i, print_certs = 0, text = 0, noout = 0, p7_print = 0, quiet = 0, ret = 1; OPTION_CHOICE o; OSSL_LIB_CTX *libctx = app_get0_libctx(); @@ -100,6 +102,9 @@ int pkcs7_main(int argc, char **argv) case OPT_PRINT_CERTS: print_certs = 1; break; +case OPT_QUIET: +quiet = 1; +break; case OPT_ENGINE: e = setup_engine(opt_arg(), 0); break; @@ -171,7 +176,7 @@ int pkcs7_main(int argc, char **argv) x = sk_X509_value(certs, i); if (text) X509_print(out, x); -else +else if (!quiet) dump_cert_text(out, x); if (!noout) diff --git a/doc/man1/openssl-pkcs7.pod.in b/doc/man1/openssl-pkcs7.pod.in index efd772d1d4..eeb5c356f0 100644 --- a/doc/man1/openssl-pkcs7.pod.in +++ b/doc/man1/openssl-pkcs7.pod.in @@ -19,6 +19,7 @@ B B [B<-out> I] [B<-print>] [B<-print_certs>] +[B<-quiet>] [B<-text>] [B<-noout>] {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} @@ -63,6 +64,11 @@ Print out the full PKCS7 object. Prints out any certificates or CRLs contained in the file. They are preceded by their subject and issuer names in one line format. +=item B<-quiet> + +When used with -print_certs, prints out just the PEM-encoded +certificates without any other output. + =item B<-text> Prints out certificate details in full rather than just subject and diff --git a/test/recipes/25-test_pkcs7.t b/test/recipes/25-test_pkcs7.t index 37cd43dc6b..2905fe8fe0 100644 --- a/test/recipes/25-test_pkcs7.t +++ b/test/recipes/25-test_pkcs7.t @@ -15,10 +15,15 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; setup("test_pkcs7"); -plan tests => 3; +plan tests => 6; require_ok(srctop_file('test','recipes','tconversion.pl')); +my @path = qw(test certs); +my $pemfile = "grfc.pem"; +my $p7file = "grfc.p7b"; +my $out = "grfc.out"; + subtest 'pkcs7 conversions -- pkcs7' => sub { tconversion( -type => 'p7', -in => srctop_file("test", "testp7.pem"), -args => ["pkcs7"] ); @@ -27,3 +32,11 @@ subtest 'pkcs7 conversions -- pkcs7d' => sub { tconversion( -type => 'p7d', -in => srctop_file("test", "pkcs7-1.pem"), -args => ["pkcs7"] ); }; +ok(run(app(["openssl", "crl2pkcs7", "-nocrl", +"-certfile", srctop_file(@path, $pemfile), +"-out", $p7file]))); +ok(run(app(["openssl", "pkcs7", "-print_certs", "-quiet", +"-in", $p7file, +"-out", $out]))); +is(cmp_text($out, srctop_file('test', 'recipes', '25-test_pkcs7_data', 'grfc.out')), +0, 'Comparing output'); \ No newline at end of file diff --git a/test/certs/grfc.pem b/test/recipes/25-test_pkcs7_data/grfc.out similarity index 99% copy from
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 6f4a98ce2157aca169709c80ea579e80e39011b6 (commit) from 06c20d437ba2554da33a47b9e62b1da5559a38f7 (commit) - Log - commit 6f4a98ce2157aca169709c80ea579e80e39011b6 Author: Matt Caswell Date: Tue Feb 22 11:49:04 2022 + Undeprecate OPENSSL_VERSION_NUMBER and OpenSSL_version_num() This macro and function were deprecated in the documentation but not in the source. Following an OTC vote the deprecation has been removed from the documentation. See https://github.com/openssl/technical-policies/issues/26 Fixes #17517 Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17750) (cherry picked from commit 42659159f4d4a8c16a0e9b089d40a5831b60cbb6) --- Summary of changes: doc/man3/OpenSSL_version.pod | 52 +--- util/other.syms | 2 +- 2 files changed, 21 insertions(+), 33 deletions(-) diff --git a/doc/man3/OpenSSL_version.pod b/doc/man3/OpenSSL_version.pod index 034bd718fe..a0a9021431 100644 --- a/doc/man3/OpenSSL_version.pod +++ b/doc/man3/OpenSSL_version.pod @@ -38,8 +38,6 @@ OpenSSL_version_num, OPENSSL_info const char *OPENSSL_info(int t); -Deprecated: - /* from openssl/opensslv.h */ #define OPENSSL_VERSION_NUMBER 0xL @@ -81,6 +79,25 @@ version for the headers in use is at least at the given pre-requisite major header version number (B.B) is greater than or equal to B.B. +B is a combination of the major, minor and +patch version into a single integer 0xMNN00PP0L, where: + +=over 4 + +=item M + +is the number from B, in hexadecimal notation + +=item NN + +is the number from B, in hexadecimal notation + +=item PP + +is the number from B, in hexadecimal notation + +=back + =head2 Functions OPENSSL_version_major(), OPENSSL_version_minor(), OPENSSL_version_patch(), @@ -198,35 +215,6 @@ For x86 the string looks like C. For an unknown I, NULL is returned. -=head1 BACKWARD COMPATIBILITY - -For compatibility, some older macros and functions are retained or -synthesised. -They are all considered deprecated. - -=head2 Macros - -B is a combination of the major, minor and -patch version into a single integer 0xMNN00PP0L, where: - -=over 4 - -=item M - -is the number from B, in hexadecimal notation - -=item NN - -is the number from B, in hexadecimal notation - -=item PP - -is the number from B, in hexadecimal notation - -=back - -=head2 Functions - OpenSSL_version_num() returns the value of B. =head1 RETURN VALUES @@ -248,7 +236,7 @@ L =head1 HISTORY The macros and functions described here were added in OpenSSL 3.0, -with the exception of the L ones. +except for OPENSSL_VERSION_NUMBER and OpenSSL_version_num(). =head1 COPYRIGHT diff --git a/util/other.syms b/util/other.syms index 1ebffd1d26..0c0d147b33 100644 --- a/util/other.syms +++ b/util/other.syms @@ -362,7 +362,7 @@ OPENSSL_MSTRdefine OPENSSL_MSTR_HELPER define OPENSSL_VERSION_MAJOR define OPENSSL_VERSION_MINOR define -OPENSSL_VERSION_NUMBER define deprecated 3.0.0 +OPENSSL_VERSION_NUMBER define OPENSSL_VERSION_PATCH define OPENSSL_VERSION_PRE_RELEASE define OPENSSL_VERSION_PREREQ define
[openssl] master update
The branch master has been updated via 42659159f4d4a8c16a0e9b089d40a5831b60cbb6 (commit) from 0bc2fda3d3b76bd07243aef3eb7f824da3820b2d (commit) - Log - commit 42659159f4d4a8c16a0e9b089d40a5831b60cbb6 Author: Matt Caswell Date: Tue Feb 22 11:49:04 2022 + Undeprecate OPENSSL_VERSION_NUMBER and OpenSSL_version_num() This macro and function were deprecated in the documentation but not in the source. Following an OTC vote the deprecation has been removed from the documentation. See https://github.com/openssl/technical-policies/issues/26 Fixes #17517 Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17750) --- Summary of changes: doc/man3/OpenSSL_version.pod | 52 +--- util/other.syms | 2 +- 2 files changed, 21 insertions(+), 33 deletions(-) diff --git a/doc/man3/OpenSSL_version.pod b/doc/man3/OpenSSL_version.pod index 034bd718fe..a0a9021431 100644 --- a/doc/man3/OpenSSL_version.pod +++ b/doc/man3/OpenSSL_version.pod @@ -38,8 +38,6 @@ OpenSSL_version_num, OPENSSL_info const char *OPENSSL_info(int t); -Deprecated: - /* from openssl/opensslv.h */ #define OPENSSL_VERSION_NUMBER 0xL @@ -81,6 +79,25 @@ version for the headers in use is at least at the given pre-requisite major header version number (B.B) is greater than or equal to B.B. +B is a combination of the major, minor and +patch version into a single integer 0xMNN00PP0L, where: + +=over 4 + +=item M + +is the number from B, in hexadecimal notation + +=item NN + +is the number from B, in hexadecimal notation + +=item PP + +is the number from B, in hexadecimal notation + +=back + =head2 Functions OPENSSL_version_major(), OPENSSL_version_minor(), OPENSSL_version_patch(), @@ -198,35 +215,6 @@ For x86 the string looks like C. For an unknown I, NULL is returned. -=head1 BACKWARD COMPATIBILITY - -For compatibility, some older macros and functions are retained or -synthesised. -They are all considered deprecated. - -=head2 Macros - -B is a combination of the major, minor and -patch version into a single integer 0xMNN00PP0L, where: - -=over 4 - -=item M - -is the number from B, in hexadecimal notation - -=item NN - -is the number from B, in hexadecimal notation - -=item PP - -is the number from B, in hexadecimal notation - -=back - -=head2 Functions - OpenSSL_version_num() returns the value of B. =head1 RETURN VALUES @@ -248,7 +236,7 @@ L =head1 HISTORY The macros and functions described here were added in OpenSSL 3.0, -with the exception of the L ones. +except for OPENSSL_VERSION_NUMBER and OpenSSL_version_num(). =head1 COPYRIGHT diff --git a/util/other.syms b/util/other.syms index ae675b78f4..974fe62f6a 100644 --- a/util/other.syms +++ b/util/other.syms @@ -362,7 +362,7 @@ OPENSSL_MSTRdefine OPENSSL_MSTR_HELPER define OPENSSL_VERSION_MAJOR define OPENSSL_VERSION_MINOR define -OPENSSL_VERSION_NUMBER define deprecated 3.0.0 +OPENSSL_VERSION_NUMBER define OPENSSL_VERSION_PATCH define OPENSSL_VERSION_PRE_RELEASE define OPENSSL_VERSION_PREREQ define
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 06c20d437ba2554da33a47b9e62b1da5559a38f7 (commit) from 9c1973e1c57d7de4d57f10545b3e9c921b34df23 (commit) - Log - commit 06c20d437ba2554da33a47b9e62b1da5559a38f7 Author: msa42 Date: Mon Feb 21 18:23:34 2022 + doc: Fix KDF example for scrypt CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17745) (cherry picked from commit 0bc2fda3d3b76bd07243aef3eb7f824da3820b2d) --- Summary of changes: doc/man1/openssl-kdf.pod.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man1/openssl-kdf.pod.in b/doc/man1/openssl-kdf.pod.in index 2880d1ff9d..548f69c707 100644 --- a/doc/man1/openssl-kdf.pod.in +++ b/doc/man1/openssl-kdf.pod.in @@ -166,7 +166,7 @@ Use PBKDF2 to create a hex-encoded derived key from a password and salt: Use scrypt to create a hex-encoded derived key from a password and salt: openssl kdf -keylen 64 -kdfopt pass:password -kdfopt salt:NaCl \ --kdfopt N:1024 -kdfopt r:8 -kdfopt p:16 \ +-kdfopt n:1024 -kdfopt r:8 -kdfopt p:16 \ -kdfopt maxmem_bytes:10485760 SCRYPT =head1 NOTES
[openssl] master update
The branch master has been updated via 0bc2fda3d3b76bd07243aef3eb7f824da3820b2d (commit) from 7e1eda483ec9ead36c05066b45ecad618475544c (commit) - Log - commit 0bc2fda3d3b76bd07243aef3eb7f824da3820b2d Author: msa42 Date: Mon Feb 21 18:23:34 2022 + doc: Fix KDF example for scrypt CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17745) --- Summary of changes: doc/man1/openssl-kdf.pod.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man1/openssl-kdf.pod.in b/doc/man1/openssl-kdf.pod.in index 2880d1ff9d..548f69c707 100644 --- a/doc/man1/openssl-kdf.pod.in +++ b/doc/man1/openssl-kdf.pod.in @@ -166,7 +166,7 @@ Use PBKDF2 to create a hex-encoded derived key from a password and salt: Use scrypt to create a hex-encoded derived key from a password and salt: openssl kdf -keylen 64 -kdfopt pass:password -kdfopt salt:NaCl \ --kdfopt N:1024 -kdfopt r:8 -kdfopt p:16 \ +-kdfopt n:1024 -kdfopt r:8 -kdfopt p:16 \ -kdfopt maxmem_bytes:10485760 SCRYPT =head1 NOTES
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 0ec286a62840c2a0de4b7a1b5063ace3338a925f (commit) from 46119286c16341734b3cb60945fb07d1ea30eb81 (commit) - Log - commit 0ec286a62840c2a0de4b7a1b5063ace3338a925f Author: xkernel Date: Mon Feb 21 15:29:25 2022 +0800 check *libctx which is allocated by OSSL_LIB_CTX_new() Reviewed-by: Dmitry Belyavskiy Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17740) (cherry picked from commit 8d215738a05350baa583c47a2c52371d9cff3197) --- Summary of changes: test/tls-provider.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/tls-provider.c b/test/tls-provider.c index 9ac1db51b3..3b7be54331 100644 --- a/test/tls-provider.c +++ b/test/tls-provider.c @@ -840,6 +840,9 @@ int tls_provider_init(const OSSL_CORE_HANDLE *handle, { OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new(); +if (libctx == NULL) +return 0; + *provctx = libctx; /*
[openssl] master update
The branch master has been updated via 8d215738a05350baa583c47a2c52371d9cff3197 (commit) from b0317df2311769e02d9ceb4e7afe19521f8ffbf1 (commit) - Log - commit 8d215738a05350baa583c47a2c52371d9cff3197 Author: xkernel Date: Mon Feb 21 15:29:25 2022 +0800 check *libctx which is allocated by OSSL_LIB_CTX_new() Reviewed-by: Dmitry Belyavskiy Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17740) --- Summary of changes: test/tls-provider.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/tls-provider.c b/test/tls-provider.c index 7bff6e7406..c658514854 100644 --- a/test/tls-provider.c +++ b/test/tls-provider.c @@ -840,6 +840,9 @@ int tls_provider_init(const OSSL_CORE_HANDLE *handle, { OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new(); +if (libctx == NULL) +return 0; + *provctx = libctx; /*
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 46119286c16341734b3cb60945fb07d1ea30eb81 (commit) from ad910cc482c8e06d04a141a9f5f79172a6e56f66 (commit) - Log - commit 46119286c16341734b3cb60945fb07d1ea30eb81 Author: Jiasheng Jiang Date: Mon Feb 21 10:54:29 2022 +0800 test/sslapitest.c: Add check for SSL_CTX_new As the potential failure of the memory allocation, it should be better to check the return value of SSL_CTX_new() and return error if fails, like SSL_CTX_new_ex(). Signed-off-by: Jiasheng Jiang Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17739) (cherry picked from commit b0317df2311769e02d9ceb4e7afe19521f8ffbf1) --- Summary of changes: test/sslapitest.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/test/sslapitest.c b/test/sslapitest.c index 9056fa28f1..b2f3471548 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -8074,8 +8074,12 @@ static int test_cert_cb_int(int prot, int tst) else cert_cb_cnt = 0; -if (tst == 2) +if (tst == 2) { snictx = SSL_CTX_new(TLS_server_method()); +if (!TEST_ptr(snictx)) +goto end; +} + SSL_CTX_set_cert_cb(sctx, cert_cb, snictx); if (!TEST_true(create_ssl_objects(sctx, cctx, , ,
[openssl] master update
The branch master has been updated via b0317df2311769e02d9ceb4e7afe19521f8ffbf1 (commit) from a044af49c43ec8fe099deeb5d06501ddf70abf7a (commit) - Log - commit b0317df2311769e02d9ceb4e7afe19521f8ffbf1 Author: Jiasheng Jiang Date: Mon Feb 21 10:54:29 2022 +0800 test/sslapitest.c: Add check for SSL_CTX_new As the potential failure of the memory allocation, it should be better to check the return value of SSL_CTX_new() and return error if fails, like SSL_CTX_new_ex(). Signed-off-by: Jiasheng Jiang Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17739) --- Summary of changes: test/sslapitest.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/test/sslapitest.c b/test/sslapitest.c index 181d0ef686..8ba5d8125c 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -8090,8 +8090,12 @@ static int test_cert_cb_int(int prot, int tst) else cert_cb_cnt = 0; -if (tst == 2) +if (tst == 2) { snictx = SSL_CTX_new(TLS_server_method()); +if (!TEST_ptr(snictx)) +goto end; +} + SSL_CTX_set_cert_cb(sctx, cert_cb, snictx); if (!TEST_true(create_ssl_objects(sctx, cctx, , ,
[openssl] master update
The branch master has been updated via f596bbe4da779b56eea34d96168b557d78e1149a (commit) from 7b3041eba1c6e177eede0d6311d53a6b9ff58051 (commit) - Log - commit f596bbe4da779b56eea34d96168b557d78e1149a Author: Deepankar Bhattacharjee Date: Mon Sep 20 10:45:15 2021 -0400 chacha20 performance optimizations for ppc64le with 8x lanes, Performance increase around 50%. Co-authored-by: Madhusudhanan Duraisamy Co-authored-by: Nilamjyoti Goswami Co-authored-by: Siva Sundar Anbareeswaran Reviewed-by: Danny Tsen Tested-by: Danny Tsen Signed-off-by: Danny Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16637) --- Summary of changes: crypto/chacha/asm/chachap10-ppc.pl | 1354 crypto/chacha/build.info |3 +- crypto/chacha/chacha_ppc.c | 15 +- crypto/perlasm/ppc-xlate.pl| 17 + crypto/ppccap.c|9 + crypto/ppccpuid.pl | 11 + include/crypto/ppc_arch.h |1 + 7 files changed, 1404 insertions(+), 6 deletions(-) create mode 100755 crypto/chacha/asm/chachap10-ppc.pl diff --git a/crypto/chacha/asm/chachap10-ppc.pl b/crypto/chacha/asm/chachap10-ppc.pl new file mode 100755 index 00..752fc731e2 --- /dev/null +++ b/crypto/chacha/asm/chachap10-ppc.pl @@ -0,0 +1,1354 @@ +#! /usr/bin/env perl +# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +# +# +# Written by Andy Polyakov for the OpenSSL +# project. The module is, however, dual licensed under OpenSSL and +# CRYPTOGAMS licenses depending on where you obtain it. For further +# details see http://www.openssl.org/~appro/cryptogams/. +# +# +# October 2015 +# +# ChaCha20 for PowerPC/AltiVec. +# +# June 2018 +# +# Add VSX 2.07 code path. Original 3xAltiVec+1xIALU is well-suited for +# processors that can't issue more than one vector instruction per +# cycle. But POWER8 (and POWER9) can issue a pair, and vector-only 4x +# interleave would perform better. Incidentally PowerISA 2.07 (first +# implemented by POWER8) defined new usable instructions, hence 4xVSX +# code path... +# +# Performance in cycles per byte out of large buffer. +# +# IALU/gcc-4.x3xAltiVec+1xIALU4xVSX +# +# Freescale e300 13.6/+115% - - +# PPC74x0/G4e 6.81/+310% 3.81- +# PPC970/G59.29/+160% ? - +# POWER7 8.62/+61% 3.35- +# POWER8 8.70/+51% 2.912.09 +# POWER9 8.80/+29% 4.44(*) 2.45(**) +# +# (*) this is trade-off result, it's possible to improve it, but +# then it would negatively affect all others; +# (**) POWER9 seems to be "allergic" to mixing vector and integer +# instructions, which is why switch to vector-only code pays +# off that much; + +# $output is the last argument if it looks like a file (it has an extension) +# $flavour is the first argument if it doesn't look like a file +$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; +$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; + +if ($flavour =~ /64/) { + $SIZE_T =8; + $LRSAVE =2*$SIZE_T; + $STU="stdu"; + $POP="ld"; + $PUSH ="std"; + $UCMP ="cmpld"; +} elsif ($flavour =~ /32/) { + $SIZE_T =4; + $LRSAVE =$SIZE_T; + $STU="stwu"; + $POP="lwz"; + $PUSH ="stw"; + $UCMP ="cmplw"; +} else { die "nonsense $flavour"; } + +$LITTLE_ENDIAN = ($flavour=~/le$/) ? 1 : 0; + +$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; +( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or +( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or +die "can't locate ppc-xlate.pl"; + +open STDOUT,"| $^X $xlate $flavour \"$output\"" +or die "can't call $xlate: $!"; + +$LOCALS=6*$SIZE_T; +$FRAME=$LOCALS+64+18*$SIZE_T; # 64 is for local variables + +sub AUTOLOAD() # thunk [simplified] x86-style perlasm +{ my $opcode = $AUTOLOAD; $opcode =~ s/.*:://; $opcode =~ s/_/\./; +$code .= "\t$opcode\t".join(',',@_)."\n"; +} + +my $sp = "r1"; + +my ($out,$inp,$len,$key,$ctr) = map("r$_",(3..7)); + + +{{{ +my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3, +$xc0,$xc1,$xc2,$xc3,
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 5675a5aaf6a2e489022bcfc18330dae9263e598e (commit) from eee4287febb296afae3de9e21c5d9cbae14a9802 (commit) - Log - commit 5675a5aaf6a2e489022bcfc18330dae9263e598e Author: Pauli Date: Wed Feb 16 10:41:58 2022 +1100 x509: handle returns from X509_TRUST_get_by_id() more consistently Reviewed-by: Bernd Edlinger Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/17709) (cherry picked from commit 7b3041eba1c6e177eede0d6311d53a6b9ff58051) --- Summary of changes: crypto/x509/x509_trust.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/crypto/x509/x509_trust.c b/crypto/x509/x509_trust.c index 0888e16c15..fa30c738a7 100644 --- a/crypto/x509/x509_trust.c +++ b/crypto/x509/x509_trust.c @@ -72,7 +72,7 @@ int X509_check_trust(X509 *x, int id, int flags) return obj_trust(NID_anyExtendedKeyUsage, x, flags | X509_TRUST_DO_SS_COMPAT); idx = X509_TRUST_get_by_id(id); -if (idx == -1) +if (idx < 0) return default_trust(id, x, flags); pt = X509_TRUST_get0(idx); return pt->check_trust(pt, x, flags); @@ -112,7 +112,7 @@ int X509_TRUST_get_by_id(int id) int X509_TRUST_set(int *t, int trust) { -if (X509_TRUST_get_by_id(trust) == -1) { +if (X509_TRUST_get_by_id(trust) < 0) { ERR_raise(ERR_LIB_X509, X509_R_INVALID_TRUST); return 0; } @@ -162,7 +162,7 @@ int X509_TRUST_add(int id, int flags, int (*ck) (X509_TRUST *, X509 *, int), trtmp->arg2 = arg2; /* If its a new entry manage the dynamic table */ -if (idx == -1) { +if (idx < 0) { if (trtable == NULL && (trtable = sk_X509_TRUST_new(tr_cmp)) == NULL) { ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); @@ -175,7 +175,7 @@ int X509_TRUST_add(int id, int flags, int (*ck) (X509_TRUST *, X509 *, int), } return 1; err: -if (idx == -1) { +if (idx < 0) { OPENSSL_free(trtmp->name); OPENSSL_free(trtmp); }
[openssl] master update
The branch master has been updated via 7b3041eba1c6e177eede0d6311d53a6b9ff58051 (commit) from 09dca557332a2187598932388ac7bd7bbf16172b (commit) - Log - commit 7b3041eba1c6e177eede0d6311d53a6b9ff58051 Author: Pauli Date: Wed Feb 16 10:41:58 2022 +1100 x509: handle returns from X509_TRUST_get_by_id() more consistently Reviewed-by: Bernd Edlinger Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/17709) --- Summary of changes: crypto/x509/x509_trust.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/crypto/x509/x509_trust.c b/crypto/x509/x509_trust.c index bf674737f8..d3b9ad345d 100644 --- a/crypto/x509/x509_trust.c +++ b/crypto/x509/x509_trust.c @@ -72,7 +72,7 @@ int X509_check_trust(X509 *x, int id, int flags) return obj_trust(NID_anyExtendedKeyUsage, x, flags | X509_TRUST_DO_SS_COMPAT); idx = X509_TRUST_get_by_id(id); -if (idx == -1) +if (idx < 0) return default_trust(id, x, flags); pt = X509_TRUST_get0(idx); return pt->check_trust(pt, x, flags); @@ -112,7 +112,7 @@ int X509_TRUST_get_by_id(int id) int X509_TRUST_set(int *t, int trust) { -if (X509_TRUST_get_by_id(trust) == -1) { +if (X509_TRUST_get_by_id(trust) < 0) { ERR_raise(ERR_LIB_X509, X509_R_INVALID_TRUST); return 0; } @@ -162,7 +162,7 @@ int X509_TRUST_add(int id, int flags, int (*ck) (X509_TRUST *, X509 *, int), trtmp->arg2 = arg2; /* If its a new entry manage the dynamic table */ -if (idx == -1) { +if (idx < 0) { if (trtable == NULL && (trtable = sk_X509_TRUST_new(tr_cmp)) == NULL) { ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); @@ -175,7 +175,7 @@ int X509_TRUST_add(int id, int flags, int (*ck) (X509_TRUST *, X509 *, int), } return 1; err: -if (idx == -1) { +if (idx < 0) { OPENSSL_free(trtmp->name); OPENSSL_free(trtmp); }
[openssl] master update
The branch master has been updated via 7850cc8307b9105f37dde864d5c8c881c522b28a (commit) from b089d546242bbc073aefb6f6471586e484118863 (commit) - Log - commit 7850cc8307b9105f37dde864d5c8c881c522b28a Author: EasySec Date: Sat Feb 12 02:07:34 2022 +0100 enc : add support for wrap mode Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17691) --- Summary of changes: apps/enc.c | 25 +++-- crypto/evp/c_allc.c | 3 +++ doc/man1/openssl-enc.pod.in | 20 +++- 3 files changed, 45 insertions(+), 3 deletions(-) diff --git a/apps/enc.c b/apps/enc.c index b14129d9b0..d50baa6d2f 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -127,6 +127,8 @@ int enc_main(int argc, char **argv) int pbkdf2 = 0; int iter = 0; long n; +int streamable = 1; +int wrap = 0; struct doall_enc_ciphers dec; #ifdef ZLIB int do_zlib = 0; @@ -298,6 +300,10 @@ int enc_main(int argc, char **argv) /* Get the cipher name, either from progname (if set) or flag. */ if (!opt_cipher(ciphername, )) goto opthelp; +if (cipher && (EVP_CIPHER_mode(cipher) == EVP_CIPH_WRAP_MODE)) { +wrap = 1; +streamable = 0; +} if (digestname != NULL) { if (!opt_md(digestname, )) goto opthelp; @@ -328,6 +334,10 @@ int enc_main(int argc, char **argv) buff = app_malloc(EVP_ENCODE_LENGTH(bsize), "evp buffer"); if (infile == NULL) { +if (!streamable) { +BIO_printf(bio_err, "Unstreamable cipher mode\n"); +goto end; +} in = dup_bio_in(informat); } else { in = bio_open_default(infile, 'r', informat); @@ -524,7 +534,8 @@ int enc_main(int argc, char **argv) } } if ((hiv == NULL) && (str == NULL) -&& EVP_CIPHER_get_iv_length(cipher) != 0) { +&& EVP_CIPHER_get_iv_length(cipher) != 0 +&& wrap == 0) { /* * No IV was explicitly set and no IV was generated. * Hence the IV is undefined, making correct decryption impossible. @@ -551,6 +562,9 @@ int enc_main(int argc, char **argv) BIO_get_cipher_ctx(benc, ); +if (wrap == 1) +EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW); + if (!EVP_CipherInit_ex(ctx, cipher, e, NULL, NULL, enc)) { BIO_printf(bio_err, "Error setting cipher %s\n", EVP_CIPHER_get0_name(cipher)); @@ -561,7 +575,8 @@ int enc_main(int argc, char **argv) if (nopad) EVP_CIPHER_CTX_set_padding(ctx, 0); -if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc)) { +if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, + (hiv == NULL && wrap == 1 ? NULL : iv), enc)) { BIO_printf(bio_err, "Error setting cipher %s\n", EVP_CIPHER_get0_name(cipher)); ERR_print_errors(bio_err); @@ -607,10 +622,16 @@ int enc_main(int argc, char **argv) inl = BIO_read(rbio, (char *)buff, bsize); if (inl <= 0) break; +if (!streamable && !BIO_eof(rbio)) {/* do not output data */ +BIO_printf(bio_err, "Unstreamable cipher mode\n"); +goto end; +} if (BIO_write(wbio, (char *)buff, inl) != inl) { BIO_printf(bio_err, "error writing output file\n"); goto end; } +if (!streamable) +break; } if (!BIO_flush(wbio)) { BIO_printf(bio_err, "bad decrypt\n"); diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c index d556b5ab28..350a0e0527 100644 --- a/crypto/evp/c_allc.c +++ b/crypto/evp/c_allc.c @@ -149,6 +149,7 @@ void openssl_add_all_ciphers_int(void) EVP_add_cipher(EVP_aes_128_wrap()); EVP_add_cipher_alias(SN_id_aes128_wrap, "aes128-wrap"); EVP_add_cipher(EVP_aes_128_wrap_pad()); +EVP_add_cipher_alias(SN_id_aes128_wrap_pad, "aes128-wrap-pad"); EVP_add_cipher_alias(SN_aes_128_cbc, "AES128"); EVP_add_cipher_alias(SN_aes_128_cbc, "aes128"); EVP_add_cipher(EVP_aes_192_ecb()); @@ -166,6 +167,7 @@ void openssl_add_all_ciphers_int(void) EVP_add_cipher(EVP_aes_192_wrap()); EVP_add_cipher_alias(SN_id_aes192_wrap, "aes192-wrap"); EVP_add_cipher(EVP_aes_192_wrap_pad()); +EVP_add_cipher_alias(SN_id_aes192_wrap_pad, "aes192-wrap-pad"); EVP_add_cipher_alias(SN_aes_192_cbc, "AES192"); EVP_add_cipher_alias(SN_aes_192_cbc, "aes192"); EVP_add_cipher(EVP_aes_256_ecb()); @@ -184,6 +186,7 @@ void openssl_add_all_ciphers_int(void) EVP_add_cipher(EVP_aes_256_wrap()); EVP_add_cipher_alias(SN_id_aes256_wrap, "aes256-wrap");
[openssl] master update
The branch master has been updated via d5530efada83825ef239a8458db541adc4b422ec (commit) from 3d27ac8d92ef89c202b518cf6c4e15477eb594b2 (commit) - Log - commit d5530efada83825ef239a8458db541adc4b422ec Author: Tomas Mraz Date: Thu Feb 10 11:49:37 2022 +0100 Add back check for the DH public key size This is needed for TLS-1.3. Also add check for uncompressed point format for ECDHE as the other formats are not allowed by RFC 8446. Fixes #17667 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17678) --- Summary of changes: ssl/ssl_local.h | 3 +++ ssl/statem/extensions_clnt.c | 4 ++-- ssl/statem/extensions_srvr.c | 6 +++--- ssl/t1_lib.c | 19 +++ 4 files changed, 27 insertions(+), 5 deletions(-) diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 58a3e9e08a..aee8f9272f 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -811,6 +811,9 @@ int ssl_hmac_final(SSL_HMAC *ctx, unsigned char *md, size_t *len, size_t ssl_hmac_size(const SSL_HMAC *ctx); int ssl_get_EC_curve_nid(const EVP_PKEY *pkey); +__owur int tls13_set_encoded_pub_key(EVP_PKEY *pkey, + const unsigned char *enckey, + size_t enckeylen); typedef struct tls_group_info_st { char *tlsname; /* Curve Name as in TLS specs */ diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index c5de5ca5ba..0d90f0cc65 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -1856,8 +1856,8 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, return 0; } -if (EVP_PKEY_set1_encoded_public_key(skey, PACKET_data(_pt), - PACKET_remaining(_pt)) <= 0) { +if (tls13_set_encoded_pub_key(skey, PACKET_data(_pt), + PACKET_remaining(_pt)) <= 0) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT); EVP_PKEY_free(skey); return 0; diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index fa64435a00..c2506879ef 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -665,9 +665,9 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, return 0; } -if (EVP_PKEY_set1_encoded_public_key(s->s3.peer_tmp, -PACKET_data(_pt), -PACKET_remaining(_pt)) <= 0) { +if (tls13_set_encoded_pub_key(s->s3.peer_tmp, + PACKET_data(_pt), + PACKET_remaining(_pt)) <= 0) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT); return 0; } diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index ad248c4cdf..218e8a3ae8 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -3532,3 +3532,22 @@ int ssl_get_EC_curve_nid(const EVP_PKEY *pkey) return NID_undef; } + +__owur int tls13_set_encoded_pub_key(EVP_PKEY *pkey, + const unsigned char *enckey, + size_t enckeylen) +{ +if (EVP_PKEY_is_a(pkey, "DH")) { +int bits = EVP_PKEY_get_bits(pkey); + +if (bits <= 0 || enckeylen != (size_t)bits / 8) +/* the encoded key must be padded to the length of the p */ +return 0; +} else if (EVP_PKEY_is_a(pkey, "EC")) { +if (enckeylen < 3 /* point format and at least 1 byte for x and y */ +|| enckey[0] != 0x04) +return 0; +} + +return EVP_PKEY_set1_encoded_public_key(pkey, enckey, enckeylen); +}
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 59de5a5e8603fb5e2e7b0aa78224152700ad905a (commit) from 3948abaf4458aac66bf47546874d0fb5a73a78a0 (commit) - Log - commit 59de5a5e8603fb5e2e7b0aa78224152700ad905a Author: Todd Short Date: Wed Feb 9 15:59:37 2022 -0500 Force macOS 10.15 or later to be 64-bit macOS Catalina (10.15) no longer supports 32-bit applications. Do not wait 5 seconds to give the user the option of using KERNEL_BITS=32 Do not accept the KERNEL_BITS=32 option Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17675) (cherry picked from commit b926548b362531e8a64e7482c081611fab7183a8) --- Summary of changes: util/perl/OpenSSL/config.pm | 8 1 file changed, 8 insertions(+) diff --git a/util/perl/OpenSSL/config.pm b/util/perl/OpenSSL/config.pm index 81e9a03b48..17786defad 100755 --- a/util/perl/OpenSSL/config.pm +++ b/util/perl/OpenSSL/config.pm @@ -485,6 +485,14 @@ EOF [ 'x86_64-apple-darwin.*', sub { my $KERNEL_BITS = $ENV{KERNEL_BITS} // ''; +# macOS >= 10.15 is 64-bit only +my $SW_VERS = `sw_vers -productVersion 2>/dev/null`; +if ($SW_VERS =~ /^(\d+)\.(\d+)\.(\d+)$/) { +if ($1 > 10 || ($1 == 10 && $2 >= 15)) { +die "32-bit applications not supported on macOS 10.15 or later\n" if $KERNEL_BITS eq '32'; +return { target => "darwin64-x86_64" }; +} +} return { target => "darwin-i386" } if $KERNEL_BITS eq '32'; print <
[openssl] master update
The branch master has been updated via b926548b362531e8a64e7482c081611fab7183a8 (commit) from 065121ff198a84106023013420dedd57ac4ff53a (commit) - Log - commit b926548b362531e8a64e7482c081611fab7183a8 Author: Todd Short Date: Wed Feb 9 15:59:37 2022 -0500 Force macOS 10.15 or later to be 64-bit macOS Catalina (10.15) no longer supports 32-bit applications. Do not wait 5 seconds to give the user the option of using KERNEL_BITS=32 Do not accept the KERNEL_BITS=32 option Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17675) --- Summary of changes: util/perl/OpenSSL/config.pm | 8 1 file changed, 8 insertions(+) diff --git a/util/perl/OpenSSL/config.pm b/util/perl/OpenSSL/config.pm index fd4cce3c25..cb2f5097a8 100755 --- a/util/perl/OpenSSL/config.pm +++ b/util/perl/OpenSSL/config.pm @@ -485,6 +485,14 @@ EOF [ 'x86_64-apple-darwin.*', sub { my $KERNEL_BITS = $ENV{KERNEL_BITS} // ''; +# macOS >= 10.15 is 64-bit only +my $SW_VERS = `sw_vers -productVersion 2>/dev/null`; +if ($SW_VERS =~ /^(\d+)\.(\d+)\.(\d+)$/) { +if ($1 > 10 || ($1 == 10 && $2 >= 15)) { +die "32-bit applications not supported on macOS 10.15 or later\n" if $KERNEL_BITS eq '32'; +return { target => "darwin64-x86_64" }; +} +} return { target => "darwin-i386" } if $KERNEL_BITS eq '32'; print <
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via fc27d9f3af95aa33e5028c6cef8d56d1c7f17436 (commit) from b32b2167155cafc4ac133f49d9cd04a249e443c8 (commit) - Log - commit fc27d9f3af95aa33e5028c6cef8d56d1c7f17436 Author: Pauli Date: Wed Feb 9 11:17:57 2022 +1100 Change condition to avoid spurious compiler complaints. X509_TRUST_get0() is checking < 0, the code here was checking == -1. Both are equivalent in this situation but gcc-12 has conniptions about a subsequent possible NULL dereference (which isn't possible). Fixes #17665 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17668) (cherry picked from commit b84c6e86dd8ca88444207080808d1d598856041f) --- Summary of changes: crypto/x509/x509_trust.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/x509/x509_trust.c b/crypto/x509/x509_trust.c index ff578aee73..0888e16c15 100644 --- a/crypto/x509/x509_trust.c +++ b/crypto/x509/x509_trust.c @@ -134,7 +134,7 @@ int X509_TRUST_add(int id, int flags, int (*ck) (X509_TRUST *, X509 *, int), /* Get existing entry if any */ idx = X509_TRUST_get_by_id(id); /* Need a new entry */ -if (idx == -1) { +if (idx < 0) { if ((trtmp = OPENSSL_malloc(sizeof(*trtmp))) == NULL) { ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); return 0;
[openssl] master update
The branch master has been updated via b84c6e86dd8ca88444207080808d1d598856041f (commit) from 378c50f63dceb3a85bb4937a3499283b10d295b6 (commit) - Log - commit b84c6e86dd8ca88444207080808d1d598856041f Author: Pauli Date: Wed Feb 9 11:17:57 2022 +1100 Change condition to avoid spurious compiler complaints. X509_TRUST_get0() is checking < 0, the code here was checking == -1. Both are equivalent in this situation but gcc-12 has conniptions about a subsequent possible NULL dereference (which isn't possible). Fixes #17665 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17668) --- Summary of changes: crypto/x509/x509_trust.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/x509/x509_trust.c b/crypto/x509/x509_trust.c index e71db0c9a1..bf674737f8 100644 --- a/crypto/x509/x509_trust.c +++ b/crypto/x509/x509_trust.c @@ -134,7 +134,7 @@ int X509_TRUST_add(int id, int flags, int (*ck) (X509_TRUST *, X509 *, int), /* Get existing entry if any */ idx = X509_TRUST_get_by_id(id); /* Need a new entry */ -if (idx == -1) { +if (idx < 0) { if ((trtmp = OPENSSL_malloc(sizeof(*trtmp))) == NULL) { ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); return 0;
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via b32b2167155cafc4ac133f49d9cd04a249e443c8 (commit) from 09ade84a4a9e082c785cb51a9db2e85a45097cbd (commit) - Log - commit b32b2167155cafc4ac133f49d9cd04a249e443c8 Author: Kevin K Biju Date: Sat Feb 5 18:09:45 2022 +0530 Added checking for buflen overflow due to MAX_MISALIGNMENT. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17646) (cherry picked from commit 4b3777c9ad4a2058a9b87afb26289039ebf4a6c1) --- Summary of changes: apps/speed.c | 8 ++-- doc/man1/openssl-speed.pod.in | 2 ++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/apps/speed.c b/apps/speed.c index 9be01bb4b2..b730a5c2b5 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -452,7 +452,7 @@ static const OPT_PAIR sm2_choices[SM2_NUM] = { static double sm2_results[SM2_NUM][2];/* 2 ops: sign then verify */ #endif /* OPENSSL_NO_SM2 */ -#define COND(unused_cond) (run && count < 0x7fff) +#define COND(unused_cond) (run && count < INT_MAX) #define COUNT(d) (count) typedef struct loopargs_st { @@ -1775,6 +1775,10 @@ int speed_main(int argc, char **argv) buflen = lengths[size_num - 1]; if (buflen < 36)/* size of random vector in RSA benchmark */ buflen = 36; +if (INT_MAX - (MAX_MISALIGNMENT + 1) < buflen) { +BIO_printf(bio_err, "Error: buffer size too large\n"); +goto end; +} buflen += MAX_MISALIGNMENT + 1; loopargs[i].buf_malloc = app_malloc(buflen, "input buffer"); loopargs[i].buf2_malloc = app_malloc(buflen, "input buffer"); @@ -3618,7 +3622,7 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher, int lengths_single, for (j = 0; j < num; j++) { print_message(alg_name, 0, mblengths[j], seconds->sym); Time_F(START); -for (count = 0; run && count < 0x7fff; count++) { +for (count = 0; run && count < INT_MAX; count++) { unsigned char aad[EVP_AEAD_TLS1_AAD_LEN]; EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param; size_t len = mblengths[j]; diff --git a/doc/man1/openssl-speed.pod.in b/doc/man1/openssl-speed.pod.in index bfe992797a..29181ea970 100644 --- a/doc/man1/openssl-speed.pod.in +++ b/doc/man1/openssl-speed.pod.in @@ -101,6 +101,8 @@ Run benchmarks for I seconds. =item B<-bytes> I Run benchmarks on I-byte buffers. Affects ciphers, digests and the CSPRNG. +The limit on the size of the buffer is INT_MAX - 64 bytes, which for a 32-bit +int would be 2147483583 bytes. =item B<-mr>
[openssl] master update
The branch master has been updated via 378c50f63dceb3a85bb4937a3499283b10d295b6 (commit) from 64dc57419ddd9329f7062b048dee5ecd9306 (commit) - Log - commit 378c50f63dceb3a85bb4937a3499283b10d295b6 Author: Kevin K Biju Date: Sat Feb 5 18:09:45 2022 +0530 Added checking for buflen overflow due to MAX_MISALIGNMENT. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17646) --- Summary of changes: apps/speed.c | 8 ++-- doc/man1/openssl-speed.pod.in | 2 ++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/apps/speed.c b/apps/speed.c index a790f280db..2201489fb4 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -456,7 +456,7 @@ static const OPT_PAIR sm2_choices[SM2_NUM] = { static double sm2_results[SM2_NUM][2];/* 2 ops: sign then verify */ #endif /* OPENSSL_NO_SM2 */ -#define COND(unused_cond) (run && count < 0x7fff) +#define COND(unused_cond) (run && count < INT_MAX) #define COUNT(d) (count) typedef struct loopargs_st { @@ -1779,6 +1779,10 @@ int speed_main(int argc, char **argv) buflen = lengths[size_num - 1]; if (buflen < 36)/* size of random vector in RSA benchmark */ buflen = 36; +if (INT_MAX - (MAX_MISALIGNMENT + 1) < buflen) { +BIO_printf(bio_err, "Error: buffer size too large\n"); +goto end; +} buflen += MAX_MISALIGNMENT + 1; loopargs[i].buf_malloc = app_malloc(buflen, "input buffer"); loopargs[i].buf2_malloc = app_malloc(buflen, "input buffer"); @@ -3613,7 +3617,7 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher, int lengths_single, for (j = 0; j < num; j++) { print_message(alg_name, 0, mblengths[j], seconds->sym); Time_F(START); -for (count = 0; run && count < 0x7fff; count++) { +for (count = 0; run && count < INT_MAX; count++) { unsigned char aad[EVP_AEAD_TLS1_AAD_LEN]; EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param; size_t len = mblengths[j]; diff --git a/doc/man1/openssl-speed.pod.in b/doc/man1/openssl-speed.pod.in index bfe992797a..98e3bac037 100644 --- a/doc/man1/openssl-speed.pod.in +++ b/doc/man1/openssl-speed.pod.in @@ -101,6 +101,8 @@ Run benchmarks for I seconds. =item B<-bytes> I Run benchmarks on I-byte buffers. Affects ciphers, digests and the CSPRNG. +The limit on the size of the buffer is INT_MAX - 64 bytes, which for a 32-bit +int would be 2147483583 bytes. =item B<-mr>
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 09ade84a4a9e082c785cb51a9db2e85a45097cbd (commit) from 828bbe3795c82fe060f823ff117a753e81fb48d3 (commit) - Log - commit 09ade84a4a9e082c785cb51a9db2e85a45097cbd Author: EasySec Date: Mon Feb 7 23:16:39 2022 +0100 Fix small typo in EVP_KEYEXCH-ECDH.html doc example Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17657) (cherry picked from commit 0fdb31669f88cbf5d63ba16d82d95c6c84575dc0) --- Summary of changes: doc/man7/EVP_KEYEXCH-ECDH.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man7/EVP_KEYEXCH-ECDH.pod b/doc/man7/EVP_KEYEXCH-ECDH.pod index a710625f22..69d0d87b35 100644 --- a/doc/man7/EVP_KEYEXCH-ECDH.pod +++ b/doc/man7/EVP_KEYEXCH-ECDH.pod @@ -88,7 +88,7 @@ key but also using X963KDF with a user key material: size_t secret_len = out_len; unsigned int pad = 1; OSSL_PARAM params[6]; -EVP_PKET_CTX *dctx = EVP_PKEY_CTX_new_from_pkey(NULL, host_key, NULL); +EVP_PKEY_CTX *dctx = EVP_PKEY_CTX_new_from_pkey(NULL, host_key, NULL); EVP_PKEY_derive_init(dctx);
[openssl] master update
The branch master has been updated via 0fdb31669f88cbf5d63ba16d82d95c6c84575dc0 (commit) from 3a23f01268ec47bf3423b849cc226be220745522 (commit) - Log - commit 0fdb31669f88cbf5d63ba16d82d95c6c84575dc0 Author: EasySec Date: Mon Feb 7 23:16:39 2022 +0100 Fix small typo in EVP_KEYEXCH-ECDH.html doc example Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17657) --- Summary of changes: doc/man7/EVP_KEYEXCH-ECDH.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man7/EVP_KEYEXCH-ECDH.pod b/doc/man7/EVP_KEYEXCH-ECDH.pod index a710625f22..69d0d87b35 100644 --- a/doc/man7/EVP_KEYEXCH-ECDH.pod +++ b/doc/man7/EVP_KEYEXCH-ECDH.pod @@ -88,7 +88,7 @@ key but also using X963KDF with a user key material: size_t secret_len = out_len; unsigned int pad = 1; OSSL_PARAM params[6]; -EVP_PKET_CTX *dctx = EVP_PKEY_CTX_new_from_pkey(NULL, host_key, NULL); +EVP_PKEY_CTX *dctx = EVP_PKEY_CTX_new_from_pkey(NULL, host_key, NULL); EVP_PKEY_derive_init(dctx);
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 8aa353679f0ad72f478a4800c22ad30f6b972370 (commit) from 191c9e6c242b85184b72ccd52d2d9af5e1122637 (commit) - Log - commit 8aa353679f0ad72f478a4800c22ad30f6b972370 Author: Pauli Date: Tue Feb 1 12:37:25 2022 +1100 scrypt: increase memory usage beyond limit This brings these tests in line with 3.0 and master and makes them fail correctly. Fixes #17612 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17619) --- Summary of changes: test/recipes/30-test_evp_data/evpkdf.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/recipes/30-test_evp_data/evpkdf.txt b/test/recipes/30-test_evp_data/evpkdf.txt index 34c7e6ae65..2824cb2f16 100644 --- a/test/recipes/30-test_evp_data/evpkdf.txt +++ b/test/recipes/30-test_evp_data/evpkdf.txt @@ -294,12 +294,12 @@ Ctrl.r = r:8 Ctrl.p = p:1 Output = 7023bdcb3afd7348461c06cd81fd38ebfda8fbba904f8e3ea9b543f6545da1f2d5432955613f0fcf62d49705242a9af9e61e85dc0d651e40dfcf017b45575887 -# Out of memory +# Out of memory - request > 2 GB of memory KDF = scrypt Ctrl.pass = pass:pleaseletmein Ctrl.salt = salt:SodiumChloride -Ctrl.N = N:1048576 +Ctrl.N = N:2097152 Ctrl.r = r:8 Ctrl.p = p:1 -Result = KDF_MISMATCH +Result = KDF_DERIVE_ERROR
[openssl] master update
The branch master has been updated via 3a23f01268ec47bf3423b849cc226be220745522 (commit) from 09030ee73693411c19b596cb0e0f43eb512ac0e6 (commit) - Log - commit 3a23f01268ec47bf3423b849cc226be220745522 Author: Tom Cosgrove Date: Mon Feb 7 14:44:56 2022 + aarch64: fix branch target indications in arm64cpuid.pl and keccak1600 Add missing AARCH64_VALID_CALL_TARGET to armv8_rng_probe(). Also add these to the functions defined by gen_random(), and note that this Perl sub prints the assembler out directly, not going via the $code xlate mechanism (and therefore coming before the include of arm_arch.h). So fix this too. In KeccakF1600_int, AARCH64_SIGN_LINK_REGISTER functions as AARCH64_VALID_CALL_TARGET on BTI-only builds, so it needs to come before the 'adr' line. Change-Id: If241efe71591c88253a3e36647ced00300c3c1a3 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17653) --- Summary of changes: crypto/arm64cpuid.pl | 9 ++--- crypto/sha/asm/keccak1600-armv8.pl | 2 +- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/crypto/arm64cpuid.pl b/crypto/arm64cpuid.pl index ebea4be59c..3ba593a488 100755 --- a/crypto/arm64cpuid.pl +++ b/crypto/arm64cpuid.pl @@ -189,6 +189,7 @@ CRYPTO_memcmp: .globl _armv8_rng_probe .type _armv8_rng_probe,%function _armv8_rng_probe: + AARCH64_VALID_CALL_TARGET mrs x0, s3_3_c2_c4_0// rndr mrs x0, s3_3_c2_c4_1// rndrrs ret @@ -199,7 +200,7 @@ sub gen_random { my $rdop = shift; my $rand_reg = $rdop eq "rndr" ? "s3_3_c2_c4_0" : "s3_3_c2_c4_1"; -print<<___; +return <<___; // Fill buffer with Randomly Generated Bytes // inputs: char * in x0 - Pointer to buffer // size_t in x1 - Number of bytes to write to buffer @@ -208,6 +209,7 @@ print<<___; .type OPENSSL_${rdop}_asm,%function .align 4 OPENSSL_${rdop}_asm: + AARCH64_VALID_CALL_TARGET mov x2,xzr mov x3,xzr @@ -244,8 +246,9 @@ OPENSSL_${rdop}_asm: .size OPENSSL_${rdop}_asm,.-OPENSSL_${rdop}_asm ___ } -gen_random("rndr"); -gen_random("rndrrs"); + +$code .= gen_random("rndr"); +$code .= gen_random("rndrrs"); print $code; close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/sha/asm/keccak1600-armv8.pl b/crypto/sha/asm/keccak1600-armv8.pl index cf54b62c63..40f7aa7a69 100755 --- a/crypto/sha/asm/keccak1600-armv8.pl +++ b/crypto/sha/asm/keccak1600-armv8.pl @@ -126,8 +126,8 @@ $code.=<<___; .type KeccakF1600_int,%function .align 5 KeccakF1600_int: - adr $C[2],iotas AARCH64_SIGN_LINK_REGISTER + adr $C[2],iotas stp $C[2],x30,[sp,#16] // 32 bytes on top are mine b .Loop .align 4
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 828bbe3795c82fe060f823ff117a753e81fb48d3 (commit) from ebdec62c38494739d9cb4cdd6b1c4a511d169a90 (commit) - Log - commit 828bbe3795c82fe060f823ff117a753e81fb48d3 Author: Jiasheng Jiang Date: Sat Feb 5 19:31:11 2022 +0800 Add the check after calling OPENSSL_strdup Since the potential failure of the memory allocation, the OPENSSL_strdup() could return NULL pointer. Therefore, it should be better to check it in order to guarantee the success of the configuration, same as the check for SSL_CTX_set_srp_username(). Signed-off-by: Jiasheng Jiang Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17643) (cherry picked from commit 09030ee73693411c19b596cb0e0f43eb512ac0e6) --- Summary of changes: test/helpers/handshake_srp.c | 16 1 file changed, 16 insertions(+) diff --git a/test/helpers/handshake_srp.c b/test/helpers/handshake_srp.c index f18e5c81a6..11825d1dca 100644 --- a/test/helpers/handshake_srp.c +++ b/test/helpers/handshake_srp.c @@ -49,6 +49,13 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX_set_srp_username_callback(server_ctx, server_srp_cb); server_ctx_data->srp_user = OPENSSL_strdup(extra->server.srp_user); server_ctx_data->srp_password = OPENSSL_strdup(extra->server.srp_password); +if (server_ctx_data->srp_user == NULL || server_ctx_data->srp_password == NULL) { +OPENSSL_free(server_ctx_data->srp_user); +OPENSSL_free(server_ctx_data->srp_password); +server_ctx_data->srp_user = NULL; +server_ctx_data->srp_password = NULL; +return 0; +} SSL_CTX_set_srp_cb_arg(server_ctx, server_ctx_data); } if (extra->server2.srp_user != NULL) { @@ -57,6 +64,13 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX_set_srp_username_callback(server2_ctx, server_srp_cb); server2_ctx_data->srp_user = OPENSSL_strdup(extra->server2.srp_user); server2_ctx_data->srp_password = OPENSSL_strdup(extra->server2.srp_password); +if (server2_ctx_data->srp_user == NULL || server2_ctx_data->srp_password == NULL) { +OPENSSL_free(server2_ctx_data->srp_user); +OPENSSL_free(server2_ctx_data->srp_password); +server2_ctx_data->srp_user = NULL; +server2_ctx_data->srp_password = NULL; +return 0; +} SSL_CTX_set_srp_cb_arg(server2_ctx, server2_ctx_data); } if (extra->client.srp_user != NULL) { @@ -65,6 +79,8 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, return 0; SSL_CTX_set_srp_client_pwd_callback(client_ctx, client_srp_cb); client_ctx_data->srp_password = OPENSSL_strdup(extra->client.srp_password); +if (client_ctx_data->srp_password == NULL) +return 0; SSL_CTX_set_srp_cb_arg(client_ctx, client_ctx_data); } return 1;
[openssl] master update
The branch master has been updated via 09030ee73693411c19b596cb0e0f43eb512ac0e6 (commit) from 29af9fba64fd3e4e086808f2360501b463627ea2 (commit) - Log - commit 09030ee73693411c19b596cb0e0f43eb512ac0e6 Author: Jiasheng Jiang Date: Sat Feb 5 19:31:11 2022 +0800 Add the check after calling OPENSSL_strdup Since the potential failure of the memory allocation, the OPENSSL_strdup() could return NULL pointer. Therefore, it should be better to check it in order to guarantee the success of the configuration, same as the check for SSL_CTX_set_srp_username(). Signed-off-by: Jiasheng Jiang Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17643) --- Summary of changes: test/helpers/handshake_srp.c | 16 1 file changed, 16 insertions(+) diff --git a/test/helpers/handshake_srp.c b/test/helpers/handshake_srp.c index f18e5c81a6..11825d1dca 100644 --- a/test/helpers/handshake_srp.c +++ b/test/helpers/handshake_srp.c @@ -49,6 +49,13 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX_set_srp_username_callback(server_ctx, server_srp_cb); server_ctx_data->srp_user = OPENSSL_strdup(extra->server.srp_user); server_ctx_data->srp_password = OPENSSL_strdup(extra->server.srp_password); +if (server_ctx_data->srp_user == NULL || server_ctx_data->srp_password == NULL) { +OPENSSL_free(server_ctx_data->srp_user); +OPENSSL_free(server_ctx_data->srp_password); +server_ctx_data->srp_user = NULL; +server_ctx_data->srp_password = NULL; +return 0; +} SSL_CTX_set_srp_cb_arg(server_ctx, server_ctx_data); } if (extra->server2.srp_user != NULL) { @@ -57,6 +64,13 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX_set_srp_username_callback(server2_ctx, server_srp_cb); server2_ctx_data->srp_user = OPENSSL_strdup(extra->server2.srp_user); server2_ctx_data->srp_password = OPENSSL_strdup(extra->server2.srp_password); +if (server2_ctx_data->srp_user == NULL || server2_ctx_data->srp_password == NULL) { +OPENSSL_free(server2_ctx_data->srp_user); +OPENSSL_free(server2_ctx_data->srp_password); +server2_ctx_data->srp_user = NULL; +server2_ctx_data->srp_password = NULL; +return 0; +} SSL_CTX_set_srp_cb_arg(server2_ctx, server2_ctx_data); } if (extra->client.srp_user != NULL) { @@ -65,6 +79,8 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, return 0; SSL_CTX_set_srp_client_pwd_callback(client_ctx, client_srp_cb); client_ctx_data->srp_password = OPENSSL_strdup(extra->client.srp_password); +if (client_ctx_data->srp_password == NULL) +return 0; SSL_CTX_set_srp_cb_arg(client_ctx, client_ctx_data); } return 1;
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via ebdec62c38494739d9cb4cdd6b1c4a511d169a90 (commit) from e44b212bdce225fd2d7e2349a7f787e7c9ade4fd (commit) - Log - commit ebdec62c38494739d9cb4cdd6b1c4a511d169a90 Author: Matt Caswell Date: Mon Feb 7 10:32:08 2022 + Fix an enginetest failure when compiled with no-deprecated --api=1.1.1 Fixes #17649 Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17652) (cherry picked from commit 29af9fba64fd3e4e086808f2360501b463627ea2) --- Summary of changes: test/enginetest.c | 1 + 1 file changed, 1 insertion(+) diff --git a/test/enginetest.c b/test/enginetest.c index 04e61743a1..c00e1f82c4 100644 --- a/test/enginetest.c +++ b/test/enginetest.c @@ -24,6 +24,7 @@ # include # include # include +# include static void display_engine_list(void) {
[openssl] master update
The branch master has been updated via 29af9fba64fd3e4e086808f2360501b463627ea2 (commit) from 2a6994cfa08368a710d66caaae4fc07ad35631bf (commit) - Log - commit 29af9fba64fd3e4e086808f2360501b463627ea2 Author: Matt Caswell Date: Mon Feb 7 10:32:08 2022 + Fix an enginetest failure when compiled with no-deprecated --api=1.1.1 Fixes #17649 Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17652) --- Summary of changes: test/enginetest.c | 1 + 1 file changed, 1 insertion(+) diff --git a/test/enginetest.c b/test/enginetest.c index 04e61743a1..c00e1f82c4 100644 --- a/test/enginetest.c +++ b/test/enginetest.c @@ -24,6 +24,7 @@ # include # include # include +# include static void display_engine_list(void) {
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via e44b212bdce225fd2d7e2349a7f787e7c9ade4fd (commit) from 53234cb0f408bbfbb04ea0e12f1fc61feb2aa600 (commit) - Log - commit e44b212bdce225fd2d7e2349a7f787e7c9ade4fd Author: Daniel Date: Sun Feb 6 15:01:14 2022 +0100 Send auxiliary messages to bio_err. Fixes openssl#17613. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17650) (cherry picked from commit 2a6994cfa08368a710d66caaae4fc07ad35631bf) --- Summary of changes: apps/x509.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/x509.c b/apps/x509.c index 2880ae792a..c9c10c260e 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -706,9 +706,9 @@ int x509_main(int argc, char **argv) : "Certificate request self-signature did not match the contents\n"); goto end; } -BIO_printf(out, "Certificate request self-signature ok\n"); +BIO_printf(bio_err, "Certificate request self-signature ok\n"); -print_name(out, "subject=", X509_REQ_get_subject_name(req)); +print_name(bio_err, "subject=", X509_REQ_get_subject_name(req)); } else if (!x509toreq && ext_copy != EXT_COPY_UNSET) { BIO_printf(bio_err, "Warning: ignoring -copy_extensions since neither -x509toreq nor -req is given\n"); }
[openssl] master update
The branch master has been updated via 2a6994cfa08368a710d66caaae4fc07ad35631bf (commit) from aefbcde29166caf851cf388361d70fd0dcf17d87 (commit) - Log - commit 2a6994cfa08368a710d66caaae4fc07ad35631bf Author: Daniel Date: Sun Feb 6 15:01:14 2022 +0100 Send auxiliary messages to bio_err. Fixes openssl#17613. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17650) --- Summary of changes: apps/x509.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/x509.c b/apps/x509.c index 29dc74ca9e..f62f809a9c 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -711,9 +711,9 @@ int x509_main(int argc, char **argv) : "Certificate request self-signature did not match the contents\n"); goto err; } -BIO_printf(out, "Certificate request self-signature ok\n"); +BIO_printf(bio_err, "Certificate request self-signature ok\n"); -print_name(out, "subject=", X509_REQ_get_subject_name(req)); +print_name(bio_err, "subject=", X509_REQ_get_subject_name(req)); } else if (!x509toreq && ext_copy != EXT_COPY_UNSET) { BIO_printf(bio_err, "Warning: ignoring -copy_extensions since neither -x509toreq nor -req is given\n"); }
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 71efa57da1cc6ae6ab731b9127189c101ce6f908 (commit) from 25e02422374d4c5e7327320513230339db9b180b (commit) - Log - commit 71efa57da1cc6ae6ab731b9127189c101ce6f908 Author: Ankit Das Date: Wed Feb 2 23:38:41 2022 +0530 Fix SIZE_MAX not defined on z/OS etc Fixes openssl#17629 by including internal/numbers.h which defines SIZE_MAX CLA: trivial Fixes #17629 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17632) (cherry picked from commit 25a0a44dc6223e515f5e91e41798cccf09c5612b) --- Summary of changes: apps/speed.c | 1 + 1 file changed, 1 insertion(+) diff --git a/apps/speed.c b/apps/speed.c index ada559228d..9be01bb4b2 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -29,6 +29,7 @@ #include #include "apps.h" #include "progs.h" +#include "internal/numbers.h" #include #include #include
[openssl] master update
The branch master has been updated via 25a0a44dc6223e515f5e91e41798cccf09c5612b (commit) from 984cc9a0284ee4800862aa305f9f178827baf459 (commit) - Log - commit 25a0a44dc6223e515f5e91e41798cccf09c5612b Author: Ankit Das Date: Wed Feb 2 23:38:41 2022 +0530 Fix SIZE_MAX not defined on z/OS etc Fixes openssl#17629 by including internal/numbers.h which defines SIZE_MAX CLA: trivial Fixes #17629 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17632) --- Summary of changes: apps/speed.c | 1 + 1 file changed, 1 insertion(+) diff --git a/apps/speed.c b/apps/speed.c index 89a55c4efa..a790f280db 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -29,6 +29,7 @@ #include #include "apps.h" #include "progs.h" +#include "internal/numbers.h" #include #include #include
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 191c9e6c242b85184b72ccd52d2d9af5e1122637 (commit) from 624f858c82a05c41c3185785a3a4a396a7e23161 (commit) - Log - commit 191c9e6c242b85184b72ccd52d2d9af5e1122637 Author: Thomas1664 <46387399+thomas1...@users.noreply.github.com> Date: Thu Jan 20 10:02:59 2022 +0100 Correct return type for BIO_ptr_ctrl Fixes #17549 CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17636) (cherry picked from commit 984cc9a0284ee4800862aa305f9f178827baf459) --- Summary of changes: doc/man3/BIO_ctrl.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man3/BIO_ctrl.pod b/doc/man3/BIO_ctrl.pod index 2e438c3ce9..a87abc7994 100644 --- a/doc/man3/BIO_ctrl.pod +++ b/doc/man3/BIO_ctrl.pod @@ -16,7 +16,7 @@ BIO_get_info_callback, BIO_set_info_callback, BIO_info_cb long BIO_ctrl(BIO *bp, int cmd, long larg, void *parg); long BIO_callback_ctrl(BIO *b, int cmd, BIO_info_cb *cb); - char *BIO_ptr_ctrl(BIO *bp, int cmd, long larg); + void *BIO_ptr_ctrl(BIO *bp, int cmd, long larg); long BIO_int_ctrl(BIO *bp, int cmd, long larg, int iarg); int BIO_reset(BIO *b);
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 25e02422374d4c5e7327320513230339db9b180b (commit) from 25ee18e7f8803f6aaaeca15b49ba46d3e4d3f817 (commit) - Log - commit 25e02422374d4c5e7327320513230339db9b180b Author: Thomas1664 <46387399+thomas1...@users.noreply.github.com> Date: Thu Jan 20 10:02:59 2022 +0100 Correct return type for BIO_ptr_ctrl Fixes #17549 CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17636) (cherry picked from commit 984cc9a0284ee4800862aa305f9f178827baf459) --- Summary of changes: doc/man3/BIO_ctrl.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man3/BIO_ctrl.pod b/doc/man3/BIO_ctrl.pod index bcdeac6f7b..cfb505e314 100644 --- a/doc/man3/BIO_ctrl.pod +++ b/doc/man3/BIO_ctrl.pod @@ -17,7 +17,7 @@ BIO_get_ktls_recv long BIO_ctrl(BIO *bp, int cmd, long larg, void *parg); long BIO_callback_ctrl(BIO *b, int cmd, BIO_info_cb *cb); - char *BIO_ptr_ctrl(BIO *bp, int cmd, long larg); + void *BIO_ptr_ctrl(BIO *bp, int cmd, long larg); long BIO_int_ctrl(BIO *bp, int cmd, long larg, int iarg); int BIO_reset(BIO *b);
[openssl] master update
The branch master has been updated via 984cc9a0284ee4800862aa305f9f178827baf459 (commit) from 345c99b6654b8313c792d54f829943068911ddbd (commit) - Log - commit 984cc9a0284ee4800862aa305f9f178827baf459 Author: Thomas1664 <46387399+thomas1...@users.noreply.github.com> Date: Thu Jan 20 10:02:59 2022 +0100 Correct return type for BIO_ptr_ctrl Fixes #17549 CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17636) --- Summary of changes: doc/man3/BIO_ctrl.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man3/BIO_ctrl.pod b/doc/man3/BIO_ctrl.pod index bcdeac6f7b..cfb505e314 100644 --- a/doc/man3/BIO_ctrl.pod +++ b/doc/man3/BIO_ctrl.pod @@ -17,7 +17,7 @@ BIO_get_ktls_recv long BIO_ctrl(BIO *bp, int cmd, long larg, void *parg); long BIO_callback_ctrl(BIO *b, int cmd, BIO_info_cb *cb); - char *BIO_ptr_ctrl(BIO *bp, int cmd, long larg); + void *BIO_ptr_ctrl(BIO *bp, int cmd, long larg); long BIO_int_ctrl(BIO *bp, int cmd, long larg, int iarg); int BIO_reset(BIO *b);
[openssl] master update
The branch master has been updated via 345c99b6654b8313c792d54f829943068911ddbd (commit) from b2f90e93a07d992515782511a5770aa7cf7dc28f (commit) - Log - commit 345c99b6654b8313c792d54f829943068911ddbd Author: Danny Tsen Date: Thu Jan 27 18:49:59 2022 -0600 Fixed counter overflow Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17607) --- Summary of changes: crypto/modes/asm/aes-gcm-ppc.pl| 1 - include/crypto/aes_platform.h | 22 -- .../ciphers/cipher_aes_gcm_hw_ppc.inc | 82 +- 3 files changed, 96 insertions(+), 9 deletions(-) diff --git a/crypto/modes/asm/aes-gcm-ppc.pl b/crypto/modes/asm/aes-gcm-ppc.pl index 1ca2a77dc5..6624e6c05b 100644 --- a/crypto/modes/asm/aes-gcm-ppc.pl +++ b/crypto/modes/asm/aes-gcm-ppc.pl @@ -81,7 +81,6 @@ open STDOUT,"| $^X $xlate $flavour \"$output\"" $code=<<___; .machine"any" -.abiversion 2 .text # 4x loops diff --git a/include/crypto/aes_platform.h b/include/crypto/aes_platform.h index 45021dfd9f..11ab823468 100644 --- a/include/crypto/aes_platform.h +++ b/include/crypto/aes_platform.h @@ -77,15 +77,23 @@ void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len, # define PPC_AES_GCM_CAPABLE (OPENSSL_ppccap_P & PPC_MADD300) # define AES_GCM_ENC_BYTES 128 # define AES_GCM_DEC_BYTES 128 -size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t len, - const void *key, unsigned char ivec[16], u64 *Xi); -size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out, size_t len, - const void *key, unsigned char ivec[16], u64 *Xi); -void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp, size_t len); -# define AES_gcm_encrypt ppc_aes_gcm_encrypt -# define AES_gcm_decrypt ppc_aes_gcm_decrypt +size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, + size_t len, const void *key, unsigned char ivec[16], + u64 *Xi); +size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out, + size_t len, const void *key, unsigned char ivec[16], + u64 *Xi); +size_t ppc_aes_gcm_encrypt_wrap(const unsigned char *in, unsigned char *out, +size_t len, const void *key, +unsigned char ivec[16], u64 *Xi); +size_t ppc_aes_gcm_decrypt_wrap(const unsigned char *in, unsigned char *out, +size_t len, const void *key, +unsigned char ivec[16], u64 *Xi); +# define AES_gcm_encrypt ppc_aes_gcm_encrypt_wrap +# define AES_gcm_decrypt ppc_aes_gcm_decrypt_wrap # define AES_GCM_ASM(gctx) ((gctx)->ctr==aes_p8_ctr32_encrypt_blocks && \ (gctx)->gcm.ghash==gcm_ghash_p8) +void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp, size_t len); # endif /* PPC */ # if (defined(__arm__) || defined(__arm) || defined(__aarch64__)) diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc b/providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc index dfc6bcbf58..4eed0f4ab0 100644 --- a/providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc +++ b/providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc @@ -13,7 +13,7 @@ */ static int aes_ppc_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key, - size_t keylen) + size_t keylen) { PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx; AES_KEY *ks = >ks.ks; @@ -23,6 +23,86 @@ static int aes_ppc_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key, return 1; } + +extern size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t len, + const void *key, unsigned char ivec[16], u64 *Xi); +extern size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out, size_t len, + const void *key, unsigned char ivec[16], u64 *Xi); + +static inline u32 UTO32(unsigned char *buf) +{ +return ((u32) buf[0] << 24) | ((u32) buf[1] << 16) | ((u32) buf[2] << 8) | ((u32) buf[3]); +} + +static inline u32 add32TOU(unsigned char buf[4], u32 n) +{ +u32 r; + +r = UTO32(buf); +r += n; +buf[0] = (unsigned char) (r >> 24) & 0xFF; +buf[1] = (unsigned char) (r >> 16) & 0xFF; +buf[2] = (unsigned char) (r >> 8) & 0xFF; +buf[3] = (unsigned char) r & 0xFF; +return r; +} + +static size_t aes_p10_gcm_crypt(const unsigned char *in, unsigned char *out, size_t len, +const void *key, unsigned char ivec[16],
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 25ee18e7f8803f6aaaeca15b49ba46d3e4d3f817 (commit) from 6e47da6363e9e32c14f0c3a750ca04cd189c85fe (commit) - Log - commit 25ee18e7f8803f6aaaeca15b49ba46d3e4d3f817 Author: Jiasheng Jiang Date: Wed Feb 2 19:45:59 2022 +0800 evp_test: Add the missing check after calling OPENSSL_strdup and sk_OPENSSL_STRING_new_null Since the memory allocation may fail, the 'mac_name' and 'controls' could be NULL. And the 'mac_name' will be printed in mac_test_run_mac() without check. Also the result of 'params_n + sk_OPENSSL_STRING_num(expected->controls)' in mac_test_run_mac() will be 'params_n - 1' if allocation fails , which does not make sense. Therefore, it should be better to check them in order to guarantee the complete success of initiation. If fails, we also need to free the 'mdat' to avoid the memory leak. Signed-off-by: Jiasheng Jiang Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17628) (cherry picked from commit b2f90e93a07d992515782511a5770aa7cf7dc28f) --- Summary of changes: test/evp_test.c | 13 +++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/test/evp_test.c b/test/evp_test.c index f2b0924e2f..5e69b37b9b 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -1181,9 +1181,18 @@ static int mac_test_init(EVP_TEST *t, const char *alg) return 0; mdat->type = type; -mdat->mac_name = OPENSSL_strdup(alg); +if (!TEST_ptr(mdat->mac_name = OPENSSL_strdup(alg))) { +OPENSSL_free(mdat); +return 0; +} + mdat->mac = mac; -mdat->controls = sk_OPENSSL_STRING_new_null(); +if (!TEST_ptr(mdat->controls = sk_OPENSSL_STRING_new_null())) { +OPENSSL_free(mdat->mac_name); +OPENSSL_free(mdat); +return 0; +} + mdat->output_size = mdat->block_size = -1; t->data = mdat; return 1;
[openssl] master update
The branch master has been updated via b2f90e93a07d992515782511a5770aa7cf7dc28f (commit) from 07c5465e9855cc485c4a84da8a4251a843bec258 (commit) - Log - commit b2f90e93a07d992515782511a5770aa7cf7dc28f Author: Jiasheng Jiang Date: Wed Feb 2 19:45:59 2022 +0800 evp_test: Add the missing check after calling OPENSSL_strdup and sk_OPENSSL_STRING_new_null Since the memory allocation may fail, the 'mac_name' and 'controls' could be NULL. And the 'mac_name' will be printed in mac_test_run_mac() without check. Also the result of 'params_n + sk_OPENSSL_STRING_num(expected->controls)' in mac_test_run_mac() will be 'params_n - 1' if allocation fails , which does not make sense. Therefore, it should be better to check them in order to guarantee the complete success of initiation. If fails, we also need to free the 'mdat' to avoid the memory leak. Signed-off-by: Jiasheng Jiang Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17628) --- Summary of changes: test/evp_test.c | 13 +++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/test/evp_test.c b/test/evp_test.c index 6c4e64c159..a1b6bce8fa 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -1201,9 +1201,18 @@ static int mac_test_init(EVP_TEST *t, const char *alg) return 0; mdat->type = type; -mdat->mac_name = OPENSSL_strdup(alg); +if (!TEST_ptr(mdat->mac_name = OPENSSL_strdup(alg))) { +OPENSSL_free(mdat); +return 0; +} + mdat->mac = mac; -mdat->controls = sk_OPENSSL_STRING_new_null(); +if (!TEST_ptr(mdat->controls = sk_OPENSSL_STRING_new_null())) { +OPENSSL_free(mdat->mac_name); +OPENSSL_free(mdat); +return 0; +} + mdat->output_size = mdat->block_size = -1; t->data = mdat; return 1;
[openssl] master update
The branch master has been updated via 07c5465e9855cc485c4a84da8a4251a843bec258 (commit) from 70f39a487d3f7d976a01e0ee7ae98a82ceeea7a0 (commit) - Log - commit 07c5465e9855cc485c4a84da8a4251a843bec258 Author: Dimitris Apostolou Date: Thu Feb 3 18:51:26 2022 +0200 Fix typos Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17634) --- Summary of changes: apps/speed.c | 2 +- crypto/bn/bn_lib.c | 4 +- crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl | 84 ++-- crypto/modes/asm/aes-gcm-ppc.pl | 4 +- 4 files changed, 47 insertions(+), 47 deletions(-) diff --git a/apps/speed.c b/apps/speed.c index 43c0802295..89a55c4efa 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -1466,7 +1466,7 @@ int speed_main(int argc, char **argv) uint8_t ecdh_doit[EC_NUM] = { 0 }; uint8_t eddsa_doit[EdDSA_NUM] = { 0 }; -/* checks declarated curves against choices list. */ +/* checks declared curves against choices list. */ OPENSSL_assert(ed_curves[EdDSA_NUM - 1].nid == NID_ED448); OPENSSL_assert(strcmp(eddsa_choices[EdDSA_NUM - 1].name, "ed448") == 0); diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 9b19a7243c..b49c8a3bd2 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -452,7 +452,7 @@ static BIGNUM *bin2bn(const unsigned char *s, int len, BIGNUM *ret, /* * The loop that does the work iterates from least to most - * significant BIGNUM chunk, so we adapt parameters to tranfer + * significant BIGNUM chunk, so we adapt parameters to transfer * input bytes accordingly. */ switch (endianess) { @@ -591,7 +591,7 @@ static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen, /* * The loop that does the work iterates from least significant * to most significant BIGNUM limb, so we adapt parameters to - * tranfer output bytes accordingly. + * transfer output bytes accordingly. */ switch (endianess) { case LITTLE: diff --git a/crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl b/crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl index 1aaad663d7..8e492a8ee6 100644 --- a/crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl +++ b/crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl @@ -1098,7 +1098,7 @@ unroll8_eor3_aes_gcm_enc_128_kernel: ins $acc_m.d[0], $h78k.d[1] @ GHASH final-7 block - mid eor $rk4v.8b, $rk4v.8b, $res0.8b@ GHASH final-7 block - mid - movi$t0.8b, #0 @ surpress further partial tag feed in + movi$t0.8b, #0 @ supress further partial tag feed in eor3$res1b, $ctr_t1b, $ctr1b, $t1.16b @ AES final-6 block - result @@ -1119,7 +1119,7 @@ unroll8_eor3_aes_gcm_enc_128_kernel: pmull $rk3q1, $res0.1d, $h7.1d@ GHASH final-6 block - low eor $rk4v.8b, $rk4v.8b, $res0.8b@ GHASH final-6 block - mid - movi$t0.8b, #0 @ surpress further partial tag feed in + movi$t0.8b, #0 @ supress further partial tag feed in pmull $rk4v.1q, $rk4v.1d, $h78k.1d@ GHASH final-6 block - mid pmull2 $rk2q1, $res0.2d, $h7.2d@ GHASH final-6 block - high @@ -1148,7 +1148,7 @@ unroll8_eor3_aes_gcm_enc_128_kernel: eor3$res1b, $ctr_t1b, $ctr3b, $t1.16b @ AES final-4 block - result pmull $rk3q1, $res0.1d, $h6.1d@ GHASH final-5 block - low - movi$t0.8b, #0 @ surpress further partial tag feed in + movi$t0.8b, #0 @ supress further partial tag feed in pmull2 $rk4v.1q, $rk4v.2d, $h56k.2d@ GHASH final-5 block - mid eor $acc_lb, $acc_lb, $rk3 @ GHASH final-5 block - low @@ -1165,7 +1165,7 @@ unroll8_eor3_aes_gcm_enc_128_kernel: eor $res0b, $res0b, $t0.16b @ feed in partial tag ins $rk4v.d[0], $res0.d[1] @ GHASH final-4 block - mid - movi$t0.8b, #0 @ surpress further partial tag feed in + movi$t0.8b, #0 @ supress further partial tag feed in pmull2 $rk2q1,
[openssl] master update
The branch master has been updated via 70f39a487d3f7d976a01e0ee7ae98a82ceeea7a0 (commit) via b30b45b7247d056b569e2b5139f8b503d36e646c (commit) via 80ce874a093087b919e1c722427df30f81f5dad5 (commit) from d5f9166bacfb3757dfd6117310ad54ab749b11f9 (commit) - Log - commit 70f39a487d3f7d976a01e0ee7ae98a82ceeea7a0 Author: Pauli Date: Thu Jan 27 13:33:36 2022 +1100 evp enc: cache cipher key length Instead of doing a heavy params based query every time a context is asked for its key length, this value is cached in the context and only queried if it could have been modified. Fixes #17064 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17543) commit b30b45b7247d056b569e2b5139f8b503d36e646c Author: Pauli Date: Wed Jan 26 15:04:51 2022 +1100 evp enc: cache cipher IV length Instead of doing a heavy params based query every time a context is asked for its IV length, this value is cached in the context and only queried if it could have been modified. Fixes #17064 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17543) commit 80ce874a093087b919e1c722427df30f81f5dad5 Author: Pauli Date: Thu Jan 27 12:51:13 2022 +1100 aes: avoid accessing key length field directly Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17543) --- Summary of changes: crypto/evp/e_aes.c | 305 +++ crypto/evp/e_aes_cbc_hmac_sha1.c | 23 ++- crypto/evp/evp_enc.c | 38 - crypto/evp/evp_lib.c | 68 ++--- crypto/evp/evp_local.h | 1 + 5 files changed, 303 insertions(+), 132 deletions(-) diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index 445a28445a..7915d327fa 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -146,20 +146,21 @@ static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, { int ret, mode; EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx); +const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8; +if (keylen <= 0) { +ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); +return 0; +} mode = EVP_CIPHER_CTX_get_mode(ctx); if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && !enc) { -ret = aesni_set_decrypt_key(key, -EVP_CIPHER_CTX_get_key_length(ctx) * 8, ->ks.ks); +ret = aesni_set_decrypt_key(key, keylen, >ks.ks); dat->block = (block128_f) aesni_decrypt; dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? (cbc128_f) aesni_cbc_encrypt : NULL; } else { -ret = aesni_set_encrypt_key(key, -EVP_CIPHER_CTX_get_key_length(ctx) * 8, ->ks.ks); +ret = aesni_set_encrypt_key(key, keylen, >ks.ks); dat->block = (block128_f) aesni_encrypt; if (mode == EVP_CIPH_CBC_MODE) dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt; @@ -223,12 +224,19 @@ static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { -EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx); -if (!iv && !key) +EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX, ctx); + +if (iv == NULL && key == NULL) return 1; + if (key) { -aesni_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8, - >ks.ks); +const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8; + +if (keylen <= 0) { +ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); +return 0; +} +aesni_set_encrypt_key(key, keylen, >ks.ks); CRYPTO_gcm128_init(>gcm, >ks, (block128_f) aesni_encrypt); gctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks; /* @@ -262,14 +270,19 @@ static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, { EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx); -if (!iv && !key) +if (iv == NULL && key == NULL) return 1; if (key) { /* The key is two half length keys in reality */ -const int bytes = EVP_CIPHER_CTX_get_key_length(ctx) / 2; +const int keylen = EVP_CIPHER_CTX_get_key_length(ctx); +const int bytes = keylen / 2; const int bits = bytes * 8; +if (keylen <= 0) { +ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); +return 0; +} /* * Verify that the two keys are different.
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 41d979c7f5f70ab06fcf5a4880c252e40e99ad98 (commit) from 1fdd4da451a8e11b58f8a16c18d3d85e68c18188 (commit) - Log - commit 41d979c7f5f70ab06fcf5a4880c252e40e99ad98 Author: Jiasheng Jiang Date: Thu Jan 27 09:49:56 2022 +0800 x509: add the check for X509_STORE_lock Since we may fail to get the lock, for example there is no lock, the X509_STORE_lock() will return 0. Therefore, we should check it in order to prevent the dirty data. Signed-off-by: Jiasheng Jiang Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17598) --- Summary of changes: crypto/x509/x509_lu.c | 32 +--- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index 3b76b92f71..cd6207b1ed 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -321,7 +321,9 @@ int X509_STORE_CTX_get_by_subject(const X509_STORE_CTX *vs, stmp.type = X509_LU_NONE; stmp.data.ptr = NULL; -X509_STORE_lock(store); +if (!X509_STORE_lock(store)) +return 0; + tmp = X509_OBJECT_retrieve_by_subject(store->objs, type, name); X509_STORE_unlock(store); @@ -371,7 +373,12 @@ static int x509_store_add(X509_STORE *store, void *x, int crl) { return 0; } -X509_STORE_lock(store); +if (!X509_STORE_lock(store)) { +obj->type = X509_LU_NONE; +X509_OBJECT_free(obj); +return 0; +} + if (X509_OBJECT_retrieve_match(store->objs, obj)) { ret = 1; } else { @@ -553,7 +560,9 @@ STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *store) } if ((sk = sk_X509_new_null()) == NULL) return NULL; -X509_STORE_lock(store); +if (!X509_STORE_lock(store)) +goto out_free; + objs = X509_STORE_get0_objects(store); for (i = 0; i < sk_X509_OBJECT_num(objs); i++) { X509 *cert = X509_OBJECT_get0_X509(sk_X509_OBJECT_value(objs, i)); @@ -567,6 +576,7 @@ STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *store) err: X509_STORE_unlock(store); + out_free: sk_X509_pop_free(sk, X509_free); return NULL; } @@ -583,7 +593,9 @@ STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, if (store == NULL) return NULL; -X509_STORE_lock(store); +if (!X509_STORE_lock(store)) +return NULL; + idx = x509_object_idx_cnt(store->objs, X509_LU_X509, nm, ); if (idx < 0) { /* @@ -601,7 +613,8 @@ STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, return NULL; } X509_OBJECT_free(xobj); -X509_STORE_lock(store); +if (!X509_STORE_lock(store)) +return NULL; idx = x509_object_idx_cnt(store->objs, X509_LU_X509, nm, ); if (idx < 0) { X509_STORE_unlock(store); @@ -642,7 +655,10 @@ STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(const X509_STORE_CTX *ctx, return NULL; } X509_OBJECT_free(xobj); -X509_STORE_lock(store); +if (!X509_STORE_lock(store)) { +sk_X509_CRL_free(sk); +return NULL; +} idx = x509_object_idx_cnt(store->objs, X509_LU_CRL, nm, ); if (idx < 0) { X509_STORE_unlock(store); @@ -744,7 +760,9 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) /* Find index of first currently valid cert accepted by 'check_issued' */ ret = 0; -X509_STORE_lock(store); +if (!X509_STORE_lock(store)) +return 0; + idx = x509_object_idx_cnt(store->objs, X509_LU_X509, xn, ); if (idx != -1) { /* should be true as we've had at least one match */ /* Look through all matching certs for suitable issuer */
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 1fdd4da451a8e11b58f8a16c18d3d85e68c18188 (commit) from b882e1bb0b520f264f2ea1f53e753a5ef1a5974a (commit) - Log - commit 1fdd4da451a8e11b58f8a16c18d3d85e68c18188 Author: Ross Burton Date: Thu Jan 27 12:03:11 2022 + apps/progs.pl: use SOURCE_DATE_EPOCH if defined for copyright year As with 11d7d903, use SOURCE_DATE_EPOCH for the copyright year if it is defined, to avoid reproducibility problems. CLA: trivial Signed-off-by: Ross Burton Change-Id: I1bea19070411a69155c43de7082350fb2c499da3 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17601) (cherry picked from commit 27aca04e13ca8a9bead49de7bc380110ecb7064e) --- Summary of changes: apps/progs.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/progs.pl b/apps/progs.pl index 8a5759a961..77054902b4 100644 --- a/apps/progs.pl +++ b/apps/progs.pl @@ -21,7 +21,7 @@ die "Unrecognised option, must be -C or -H\n" my %commands = (); my $cmdre= qr/^\s*int\s+([a-z_][a-z0-9_]*)_main\(\s*int\s+argc\s*,/; my $apps_openssl = shift @ARGV; -my $YEAR = [localtime()]->[5] + 1900; +my $YEAR = [gmtime($ENV{SOURCE_DATE_EPOCH} || time())]->[5] + 1900; # because the program apps/openssl has object files as sources, and # they then have the corresponding C files as source, we need to chain
[openssl] master update
The branch master has been updated via 27aca04e13ca8a9bead49de7bc380110ecb7064e (commit) from 7c7c3561ebfb26799e2d12b5f9f0826731a6a06b (commit) - Log - commit 27aca04e13ca8a9bead49de7bc380110ecb7064e Author: Ross Burton Date: Thu Jan 27 12:03:11 2022 + apps/progs.pl: use SOURCE_DATE_EPOCH if defined for copyright year As with 11d7d903, use SOURCE_DATE_EPOCH for the copyright year if it is defined, to avoid reproducibility problems. CLA: trivial Signed-off-by: Ross Burton Change-Id: I1bea19070411a69155c43de7082350fb2c499da3 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17601) --- Summary of changes: apps/progs.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/progs.pl b/apps/progs.pl index 8a5759a961..77054902b4 100644 --- a/apps/progs.pl +++ b/apps/progs.pl @@ -21,7 +21,7 @@ die "Unrecognised option, must be -C or -H\n" my %commands = (); my $cmdre= qr/^\s*int\s+([a-z_][a-z0-9_]*)_main\(\s*int\s+argc\s*,/; my $apps_openssl = shift @ARGV; -my $YEAR = [localtime()]->[5] + 1900; +my $YEAR = [gmtime($ENV{SOURCE_DATE_EPOCH} || time())]->[5] + 1900; # because the program apps/openssl has object files as sources, and # they then have the corresponding C files as source, we need to chain
[openssl] master update
The branch master has been updated via 1751356267f64d5db8824cf4ff5b3496e15972da (commit) via b9d8ad3f157fa816c423bec6f7b4328ef894577c (commit) via d3aaf4e9e71944d869ae47821d7b5a8402234ee8 (commit) via 43332e405bea83a2d553e0519fdb04170879bc96 (commit) via 769cd46540b2ec2a2d91ee3886b9e4f9d78e9a51 (commit) via 2722eeceaa993f4488b295a22d2e1178f5ba1ce1 (commit) via 59558f9d8824747024b6ab756f3798a577ecae48 (commit) via cdcdcf5c6fa382c879cb3503609519d56fa62e81 (commit) via fe01052f775d1b5dff86ff9b405b6b0df5efd3cf (commit) via 4c1a841c3de645674ed2af92da25f7f5736fae1c (commit) via d54c52c28ebb780e2ffc5b7752d35359215cf0a6 (commit) via 95bd5ff65985e992827f7178deda84d95b1e6f66 (commit) via 0a10f71d3071bae0183cd4277da64d100f6b48eb (commit) via 6585d3aa7638c8cea2d4bb9f10e7298002f652e5 (commit) via c8adf19d2da318cd7b007753d6c8a7f9dc94d4ed (commit) via 5b030ec0800d4ad6022ecd00e18a19f77ada0b04 (commit) from a841d450a443efccf4df02922ebe02e4c2f11a2b (commit) - Log - commit 1751356267f64d5db8824cf4ff5b3496e15972da Author: Pauli Date: Wed Jan 26 12:01:57 2022 +1100 indentation fix Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/17572) commit b9d8ad3f157fa816c423bec6f7b4328ef894577c Author: Pauli Date: Tue Jan 25 11:54:56 2022 +1100 tls1 prf: implement ctx dup operation Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/17572) commit d3aaf4e9e71944d869ae47821d7b5a8402234ee8 Author: Pauli Date: Tue Jan 25 11:54:42 2022 +1100 pkcs12 kdf: implement ctx dup operation Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/17572) commit 43332e405bea83a2d553e0519fdb04170879bc96 Author: Pauli Date: Tue Jan 25 11:47:23 2022 +1100 test: change pkey kdf dup fail test to a pkey kdf dup success test Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/17572) commit 769cd46540b2ec2a2d91ee3886b9e4f9d78e9a51 Author: Pauli Date: Mon Jan 24 17:38:57 2022 +1100 k942 kdf: implement ctx dup operation Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/17572) commit 2722eeceaa993f4488b295a22d2e1178f5ba1ce1 Author: Pauli Date: Mon Jan 24 17:32:16 2022 +1100 ss KDF: implement ctx dup operation Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/17572) commit 59558f9d8824747024b6ab756f3798a577ecae48 Author: Pauli Date: Mon Jan 24 17:22:37 2022 +1100 ssh kdf: implement ctx dup operation Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/17572) commit cdcdcf5c6fa382c879cb3503609519d56fa62e81 Author: Pauli Date: Mon Jan 24 17:17:58 2022 +1100 scrypt: implement ctx dup operation Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/17572) commit fe01052f775d1b5dff86ff9b405b6b0df5efd3cf Author: Pauli Date: Mon Jan 24 17:08:58 2022 +1100 pvk kdf: implement ctx dup operation Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/17572) commit 4c1a841c3de645674ed2af92da25f7f5736fae1c Author: Pauli Date: Mon Jan 24 17:02:29 2022 +1100 krb5kdf: implement ctx dup operation Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/17572) commit d54c52c28ebb780e2ffc5b7752d35359215cf0a6 Author: Pauli Date: Mon Jan 24 16:58:54 2022 +1100 kbkdf: implement ctx dup operation Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/17572) commit 95bd5ff65985e992827f7178deda84d95b1e6f66 Author: Pauli Date: Mon Jan 24 16:51:24 2022 +1100 hkdf: implement ctx dup operation Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/17572) commit 0a10f71d3071bae0183cd4277da64d100f6b48eb Author: Pauli Date: Mon Jan 24 16:22:54 2022 +1100 pbkdf2: implement ctx dup operation Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/17572) commit 6585d3aa7638c8cea2d4bb9f10e7298002f652e5 Author: Pauli Date: Mon Jan 24 16:17:44 2022 +1100 pbkdf1: implement ctx dup operation Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/17572) commit c8adf19d2da318cd7b007753d6c8a7f9dc94d4ed Author: Pauli Date: Mon Jan 24 16:17:25 2022 +1100 evp_test: add a ctx dup operation to the KDF tests Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/17572) commit 5b030ec0800d4ad6022ecd00e18a19f77ada0b04 Author: Pauli Date: Wed Jan 26 15:21:51 2022 +1100 prov: add a safe memdup function
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via b882e1bb0b520f264f2ea1f53e753a5ef1a5974a (commit) from 1f7c5c56c7365fefd9cff9bea4d3d27346ca44d1 (commit) - Log - commit b882e1bb0b520f264f2ea1f53e753a5ef1a5974a Author: EasySec Date: Sat Jan 29 00:59:24 2022 +0100 Fix bad HTML formatting in EVP_KEYEXCH-DH.html because of missing newline in pod file Reviewed-by: Shane Lontis Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17609) (cherry picked from commit a841d450a443efccf4df02922ebe02e4c2f11a2b) --- Summary of changes: doc/man7/EVP_KEYEXCH-DH.pod | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/man7/EVP_KEYEXCH-DH.pod b/doc/man7/EVP_KEYEXCH-DH.pod index fc38531ae9..44811f1e37 100644 --- a/doc/man7/EVP_KEYEXCH-DH.pod +++ b/doc/man7/EVP_KEYEXCH-DH.pod @@ -58,6 +58,7 @@ To convert the received peer's public key from DER format on the host: To derive a shared secret on the host using the host's key and the peer's public key: + /* It is assumed that the host_key and peer_pub_key are set up */ void derive_secret(EVP_KEY *host_key, EVP_PKEY *peer_pub_key) {
[openssl] master update
The branch master has been updated via a841d450a443efccf4df02922ebe02e4c2f11a2b (commit) from 9927749ec2b8fc4b6146f0bd54cb6a44b8295974 (commit) - Log - commit a841d450a443efccf4df02922ebe02e4c2f11a2b Author: EasySec Date: Sat Jan 29 00:59:24 2022 +0100 Fix bad HTML formatting in EVP_KEYEXCH-DH.html because of missing newline in pod file Reviewed-by: Shane Lontis Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17609) --- Summary of changes: doc/man7/EVP_KEYEXCH-DH.pod | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/man7/EVP_KEYEXCH-DH.pod b/doc/man7/EVP_KEYEXCH-DH.pod index fc38531ae9..44811f1e37 100644 --- a/doc/man7/EVP_KEYEXCH-DH.pod +++ b/doc/man7/EVP_KEYEXCH-DH.pod @@ -58,6 +58,7 @@ To convert the received peer's public key from DER format on the host: To derive a shared secret on the host using the host's key and the peer's public key: + /* It is assumed that the host_key and peer_pub_key are set up */ void derive_secret(EVP_KEY *host_key, EVP_PKEY *peer_pub_key) {
[openssl] master update
The branch master has been updated via 9927749ec2b8fc4b6146f0bd54cb6a44b8295974 (commit) from e180bf641ed23010073b0882d63d5dfd48409602 (commit) - Log - commit 9927749ec2b8fc4b6146f0bd54cb6a44b8295974 Author: Juergen Christ Date: Fri Jan 28 10:53:43 2022 +0100 Fix endianness problem in params_api_test On a big endian machine, we get test failures in params_api_test like # ERROR: (memory) 'buf1 == buf2' failed @ test/params_api_test.c:473 # --- buf1 # +++ buf2 # :-e901 # :+01e9 # # # OPENSSL_TEST_RAND_ORDER=1643313367 not ok 157 - iteration 3 They are due to an additional conversion copy. Remove this copy to solve the problem. Signed-off-by: Juergen Christ Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17608) --- Summary of changes: test/params_api_test.c | 16 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/test/params_api_test.c b/test/params_api_test.c index d073477d5a..8aa6676e32 100644 --- a/test/params_api_test.c +++ b/test/params_api_test.c @@ -428,14 +428,15 @@ static int test_param_bignum(int n) int ret = 0; param.data = bnbuf; -param.data_size = len; +param.data_size = sizeof(bnbuf); -le_copy(buf, len, raw_values[n].value, len); if (!TEST_ptr(b = BN_lebin2bn(raw_values[n].value, (int)len, NULL))) goto err; -if (!TEST_true(OSSL_PARAM_set_BN(, b)) -|| !TEST_mem_eq(bnbuf, param.return_size, buf, param.return_size)) +if (!TEST_true(OSSL_PARAM_set_BN(, b))) +goto err; +le_copy(buf, len, bnbuf, sizeof(bnbuf)); +if (!TEST_mem_eq(raw_values[n].value, len, buf, len)) goto err; param.data_size = param.return_size; if (!TEST_true(OSSL_PARAM_get_BN(, )) @@ -451,7 +452,7 @@ err: static int test_param_signed_bignum(int n) { -unsigned char buf1[MAX_LEN], buf2[MAX_LEN], bnbuf[MAX_LEN]; +unsigned char buf[MAX_LEN], bnbuf[MAX_LEN]; const size_t len = raw_values[n].len; BIGNUM *b = NULL, *c = NULL; OSSL_PARAM param = OSSL_PARAM_DEFN("bn", OSSL_PARAM_INTEGER, NULL, 0); @@ -460,7 +461,6 @@ static int test_param_signed_bignum(int n) param.data = bnbuf; param.data_size = sizeof(bnbuf); -le_copy(buf1, len, raw_values[n].value, len); if (!TEST_ptr(b = BN_signed_lebin2bn(raw_values[n].value, (int)len, NULL))) goto err; @@ -469,8 +469,8 @@ static int test_param_signed_bignum(int n) goto err; if (!TEST_true(OSSL_PARAM_set_BN(, b))) goto err; -le_copy(buf2, len, bnbuf, sizeof(bnbuf)); -if (!TEST_mem_eq(buf1, len, buf2, len)) +le_copy(buf, len, bnbuf, sizeof(bnbuf)); +if (!TEST_mem_eq(raw_values[n].value, len, buf, len)) goto err; param.data_size = param.return_size; if (!TEST_true(OSSL_PARAM_get_BN(, ))
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 1f7c5c56c7365fefd9cff9bea4d3d27346ca44d1 (commit) from cb7e50ba3f250a9c9978a964e98a8c8940833595 (commit) - Log - commit 1f7c5c56c7365fefd9cff9bea4d3d27346ca44d1 Author: Pauli Date: Thu Jan 27 15:05:48 2022 +1100 aes: make the no-asm constant time code path not the default After OMC and OTC discussions, the 95% performance loss resulting from the constant time code was deemed excessive for something outside of our security policy. The option to use the constant time code exists as it was in OpenSSL 1.1.1. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/17600) --- Summary of changes: CHANGES.md| 7 +++ crypto/aes/aes_core.c | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index 50002e0af6..a7980daaeb 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -30,6 +30,13 @@ breaking changes, and mappings for the large list of deprecated functions. ### Changes between 3.0.1 and 3.0.2 [xx XXX ] + * Made the AES constant time code for no-asm configurations + optional due to the resulting 95% performance degradation. + The AES constant time code can be enabled, for no assembly + builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME + + *Paul Dale* + * Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to use empty passphrase strings. diff --git a/crypto/aes/aes_core.c b/crypto/aes/aes_core.c index 7b9989fd47..d3eaab349f 100644 --- a/crypto/aes/aes_core.c +++ b/crypto/aes/aes_core.c @@ -50,7 +50,7 @@ #include #include "aes_local.h" -#if !defined(OPENSSL_NO_AES_CONST_TIME) && !defined(AES_ASM) +#if defined(OPENSSL_AES_CONST_TIME) && !defined(AES_ASM) # if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__) # define U64(C) C##UI64
[openssl] master update
The branch master has been updated via e180bf641ed23010073b0882d63d5dfd48409602 (commit) from 7fde39de848f062d6db45bf9e69439db2100b9bb (commit) - Log - commit e180bf641ed23010073b0882d63d5dfd48409602 Author: Pauli Date: Thu Jan 27 15:05:48 2022 +1100 aes: make the no-asm constant time code path not the default After OMC and OTC discussions, the 95% performance loss resulting from the constant time code was deemed excessive for something outside of our security policy. The option to use the constant time code exists as it was in OpenSSL 1.1.1. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/17600) --- Summary of changes: CHANGES.md| 9 + crypto/aes/aes_core.c | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index a542e25374..3799c28c97 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -90,6 +90,15 @@ breaking changes, and mappings for the large list of deprecated functions. [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod +### Changes between 3.0.1 and 3.0.2 [xx XXX ] + + * Made the AES constant time code for no-asm configurations + optional due to the resulting 95% performance degradation. + The AES constant time code can be enabled, for no assembly + builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME + + *Paul Dale* + ### Changes between 3.0.0 and 3.0.1 [14 dec 2021] * Fixed invalid handling of X509_verify_cert() internal errors in libssl diff --git a/crypto/aes/aes_core.c b/crypto/aes/aes_core.c index 7b9989fd47..d3eaab349f 100644 --- a/crypto/aes/aes_core.c +++ b/crypto/aes/aes_core.c @@ -50,7 +50,7 @@ #include #include "aes_local.h" -#if !defined(OPENSSL_NO_AES_CONST_TIME) && !defined(AES_ASM) +#if defined(OPENSSL_AES_CONST_TIME) && !defined(AES_ASM) # if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__) # define U64(C) C##UI64
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 4ac8e51e3272c7d7f2e7d62da699f52e0112ac05 (commit) from 17a27b8979d8dab8e57f2dad68d85dc2033cfeda (commit) - Log - commit 4ac8e51e3272c7d7f2e7d62da699f52e0112ac05 Author: Tomas Mraz Date: Tue Jan 25 18:10:26 2022 +0100 Fix IV length of DES EDE ECB implementations Fixes #17587 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17591) (cherry picked from commit d450eb84c802b2f78971f905b251a0fb89ebb7d1) --- Summary of changes: providers/implementations/ciphers/cipher_tdes.c | 6 +- providers/implementations/ciphers/cipher_tdes_default.c | 2 +- test/recipes/30-test_evp_data/evpciph_des3_common.txt | 15 ++- 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/providers/implementations/ciphers/cipher_tdes.c b/providers/implementations/ciphers/cipher_tdes.c index e63c143755..409e2b8306 100644 --- a/providers/implementations/ciphers/cipher_tdes.c +++ b/providers/implementations/ciphers/cipher_tdes.c @@ -19,11 +19,7 @@ #include "cipher_tdes.h" #include "prov/implementations.h" -/* - * NOTE: ECB mode does not use an IV - but existing test code is setting - * an IV. Fixing this could potentially make applications break. - */ /* ossl_tdes_ede3_ecb_functions */ -IMPLEMENT_tdes_cipher(ede3, EDE3, ecb, ECB, TDES_FLAGS, 64*3, 64, 64, block); +IMPLEMENT_tdes_cipher(ede3, EDE3, ecb, ECB, TDES_FLAGS, 64*3, 64, 0, block); /* ossl_tdes_ede3_cbc_functions */ IMPLEMENT_tdes_cipher(ede3, EDE3, cbc, CBC, TDES_FLAGS, 64*3, 64, 64, block); diff --git a/providers/implementations/ciphers/cipher_tdes_default.c b/providers/implementations/ciphers/cipher_tdes_default.c index 0e75d0ff11..4d1fe5c3f9 100644 --- a/providers/implementations/ciphers/cipher_tdes_default.c +++ b/providers/implementations/ciphers/cipher_tdes_default.c @@ -26,7 +26,7 @@ IMPLEMENT_tdes_cipher(ede3, EDE3, cfb1, CFB, TDES_FLAGS, 64*3, 8, 64, stream); IMPLEMENT_tdes_cipher(ede3, EDE3, cfb8, CFB, TDES_FLAGS, 64*3, 8, 64, stream); /* ossl_tdes_ede2_ecb_functions */ -IMPLEMENT_tdes_cipher(ede2, EDE2, ecb, ECB, TDES_FLAGS, 64*2, 64, 64, block); +IMPLEMENT_tdes_cipher(ede2, EDE2, ecb, ECB, TDES_FLAGS, 64*2, 64, 0, block); /* ossl_tdes_ede2_cbc_functions */ IMPLEMENT_tdes_cipher(ede2, EDE2, cbc, CBC, TDES_FLAGS, 64*2, 64, 64, block); /* ossl_tdes_ede2_ofb_functions */ diff --git a/test/recipes/30-test_evp_data/evpciph_des3_common.txt b/test/recipes/30-test_evp_data/evpciph_des3_common.txt index 30be60e842..d5e8f9728a 100644 --- a/test/recipes/30-test_evp_data/evpciph_des3_common.txt +++ b/test/recipes/30-test_evp_data/evpciph_des3_common.txt @@ -11,7 +11,7 @@ # PrivPubKeyPair Sign Verify VerifyRecover # and continue until a blank line. Lines starting with a pound sign are ignored. -Title = DES3 Test +Title = DES3 Tests # DES EDE3 CBC tests (from destest) Cipher = DES-EDE3-CBC @@ -20,3 +20,16 @@ IV = fedcba9876543210 Plaintext = 37363534333231204E6F77206973207468652074696D6520666F7220 Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675 NextIV = 1c673812cfde9675 + +# DES EDE3 ECB test +Cipher = DES-EDE3-ECB +Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210 +Plaintext = 37363534333231204E6F77206973207468652074696D6520666F7220 +Ciphertext = 62c10cc9efbf15aaa5ae2e487b690e56d8b1dfb8f5c5b293855e77dd9024b1b1 + +# DES EDE ECB test +Availablein = default +Cipher = DES-EDE-ECB +Key = 0123456789abcdeffedcba9876543210 +Plaintext = 37363534333231204E6F77206973207468652074696D6520666F7220 +Ciphertext = 4d1332e49f380e23d80a0d8b2bae5e4e6a0094171abcfc27df2bfd40da9f4e4d
[openssl] master update
The branch master has been updated via d450eb84c802b2f78971f905b251a0fb89ebb7d1 (commit) from 748a2967ffd52cf86696582fb1074d513493f469 (commit) - Log - commit d450eb84c802b2f78971f905b251a0fb89ebb7d1 Author: Tomas Mraz Date: Tue Jan 25 18:10:26 2022 +0100 Fix IV length of DES EDE ECB implementations Fixes #17587 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17591) --- Summary of changes: providers/implementations/ciphers/cipher_tdes.c | 6 +- providers/implementations/ciphers/cipher_tdes_default.c | 2 +- test/recipes/30-test_evp_data/evpciph_des3_common.txt | 15 ++- 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/providers/implementations/ciphers/cipher_tdes.c b/providers/implementations/ciphers/cipher_tdes.c index e63c143755..409e2b8306 100644 --- a/providers/implementations/ciphers/cipher_tdes.c +++ b/providers/implementations/ciphers/cipher_tdes.c @@ -19,11 +19,7 @@ #include "cipher_tdes.h" #include "prov/implementations.h" -/* - * NOTE: ECB mode does not use an IV - but existing test code is setting - * an IV. Fixing this could potentially make applications break. - */ /* ossl_tdes_ede3_ecb_functions */ -IMPLEMENT_tdes_cipher(ede3, EDE3, ecb, ECB, TDES_FLAGS, 64*3, 64, 64, block); +IMPLEMENT_tdes_cipher(ede3, EDE3, ecb, ECB, TDES_FLAGS, 64*3, 64, 0, block); /* ossl_tdes_ede3_cbc_functions */ IMPLEMENT_tdes_cipher(ede3, EDE3, cbc, CBC, TDES_FLAGS, 64*3, 64, 64, block); diff --git a/providers/implementations/ciphers/cipher_tdes_default.c b/providers/implementations/ciphers/cipher_tdes_default.c index 0e75d0ff11..4d1fe5c3f9 100644 --- a/providers/implementations/ciphers/cipher_tdes_default.c +++ b/providers/implementations/ciphers/cipher_tdes_default.c @@ -26,7 +26,7 @@ IMPLEMENT_tdes_cipher(ede3, EDE3, cfb1, CFB, TDES_FLAGS, 64*3, 8, 64, stream); IMPLEMENT_tdes_cipher(ede3, EDE3, cfb8, CFB, TDES_FLAGS, 64*3, 8, 64, stream); /* ossl_tdes_ede2_ecb_functions */ -IMPLEMENT_tdes_cipher(ede2, EDE2, ecb, ECB, TDES_FLAGS, 64*2, 64, 64, block); +IMPLEMENT_tdes_cipher(ede2, EDE2, ecb, ECB, TDES_FLAGS, 64*2, 64, 0, block); /* ossl_tdes_ede2_cbc_functions */ IMPLEMENT_tdes_cipher(ede2, EDE2, cbc, CBC, TDES_FLAGS, 64*2, 64, 64, block); /* ossl_tdes_ede2_ofb_functions */ diff --git a/test/recipes/30-test_evp_data/evpciph_des3_common.txt b/test/recipes/30-test_evp_data/evpciph_des3_common.txt index 30be60e842..d5e8f9728a 100644 --- a/test/recipes/30-test_evp_data/evpciph_des3_common.txt +++ b/test/recipes/30-test_evp_data/evpciph_des3_common.txt @@ -11,7 +11,7 @@ # PrivPubKeyPair Sign Verify VerifyRecover # and continue until a blank line. Lines starting with a pound sign are ignored. -Title = DES3 Test +Title = DES3 Tests # DES EDE3 CBC tests (from destest) Cipher = DES-EDE3-CBC @@ -20,3 +20,16 @@ IV = fedcba9876543210 Plaintext = 37363534333231204E6F77206973207468652074696D6520666F7220 Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675 NextIV = 1c673812cfde9675 + +# DES EDE3 ECB test +Cipher = DES-EDE3-ECB +Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210 +Plaintext = 37363534333231204E6F77206973207468652074696D6520666F7220 +Ciphertext = 62c10cc9efbf15aaa5ae2e487b690e56d8b1dfb8f5c5b293855e77dd9024b1b1 + +# DES EDE ECB test +Availablein = default +Cipher = DES-EDE-ECB +Key = 0123456789abcdeffedcba9876543210 +Plaintext = 37363534333231204E6F77206973207468652074696D6520666F7220 +Ciphertext = 4d1332e49f380e23d80a0d8b2bae5e4e6a0094171abcfc27df2bfd40da9f4e4d
[openssl] master update
The branch master has been updated via 44a563dde1584cd9284e80b6e45ee5019be8d36c (commit) from d94c2f1b98318cea4416c4dcd5e5f878de8d458f (commit) - Log - commit 44a563dde1584cd9284e80b6e45ee5019be8d36c Author: Danny Tsen Date: Mon Oct 18 10:51:42 2021 -0400 AES-GCM performance optimzation with stitched method for p9+ ppc64le Assembly code reviewed by Shricharan Srivatsan Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16854) --- Summary of changes: crypto/modes/asm/aes-gcm-ppc.pl| 1439 crypto/modes/build.info|3 +- include/crypto/aes_platform.h | 12 + .../implementations/ciphers/cipher_aes_gcm_hw.c|2 + ..._gcm_hw_aesni.inc => cipher_aes_gcm_hw_ppc.inc} | 15 +- 5 files changed, 1463 insertions(+), 8 deletions(-) create mode 100644 crypto/modes/asm/aes-gcm-ppc.pl copy providers/implementations/ciphers/{cipher_aes_gcm_hw_aesni.inc => cipher_aes_gcm_hw_ppc.inc} (67%) diff --git a/crypto/modes/asm/aes-gcm-ppc.pl b/crypto/modes/asm/aes-gcm-ppc.pl new file mode 100644 index 00..29d4e2e6fb --- /dev/null +++ b/crypto/modes/asm/aes-gcm-ppc.pl @@ -0,0 +1,1439 @@ +#! /usr/bin/env perl +# Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021- IBM Inc. All rights reserved +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html +# +#=== +# Written by Danny Tsen for OpenSSL Project, +# +# GHASH is based on the Karatsuba multiplication method. +# +#Xi xor X1 +# +#X1 * H^4 + X2 * H^3 + x3 * H^2 + X4 * H = +# (X1.h * H4.h + xX.l * H4.l + X1 * H4) + +# (X2.h * H3.h + X2.l * H3.l + X2 * H3) + +# (X3.h * H2.h + X3.l * H2.l + X3 * H2) + +# (X4.h * H.h + X4.l * H.l + X4 * H) +# +# Xi = v0 +# H Poly = v2 +# Hash keys = v3 - v14 +# ( H.l, H, H.h) +# ( H^2.l, H^2, H^2.h) +# ( H^3.l, H^3, H^3.h) +# ( H^4.l, H^4, H^4.h) +# +# v30 is IV +# v31 - counter 1 +# +# AES used, +# vs0 - vs14 for round keys +# v15, v16, v17, v18, v19, v20, v21, v22 for 8 blocks (encrypted) +# +# This implementation uses stitched AES-GCM approach to improve overall performance. +# AES is implemented with 8x blocks and GHASH is using 2 4x blocks. +# +# Current large block (16384 bytes) performance per second with 128 bit key -- +# +#Encrypt Decrypt +# Power10[le] (3.5GHz) 5.32G5.26G +# +# === +# +# $output is the last argument if it looks like a file (it has an extension) +# $flavour is the first argument if it doesn't look like a file +$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; +$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; + +if ($flavour =~ /64/) { + $SIZE_T=8; + $LRSAVE=2*$SIZE_T; + $STU="stdu"; + $POP="ld"; + $PUSH="std"; + $UCMP="cmpld"; + $SHRI="srdi"; +} elsif ($flavour =~ /32/) { + $SIZE_T=4; + $LRSAVE=$SIZE_T; + $STU="stwu"; + $POP="lwz"; + $PUSH="stw"; + $UCMP="cmplw"; + $SHRI="srwi"; +} else { die "nonsense $flavour"; } + +$sp="r1"; +$FRAME=6*$SIZE_T+13*16;# 13*16 is for v20-v31 offload + +$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; +( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or +( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or +die "can't locate ppc-xlate.pl"; + +open STDOUT,"| $^X $xlate $flavour \"$output\"" +or die "can't call $xlate: $!"; + +$code=<<___; +.machine"any" +.abiversion 2 +.text + +# 4x loops +# v15 - v18 - input states +# vs1 - vs9 - round keys +# +.macro Loop_aes_middle4x + xxlor 19+32, 1, 1 + xxlor 20+32, 2, 2 + xxlor 21+32, 3, 3 + xxlor 22+32, 4, 4 + + vcipher 15, 15, 19 + vcipher 16, 16, 19 + vcipher 17, 17, 19 + vcipher 18, 18, 19 + + vcipher 15, 15, 20 + vcipher 16, 16, 20 + vcipher 17, 17, 20 + vcipher 18, 18, 20 + + vcipher 15, 15, 21 + vcipher 16, 16, 21 + vcipher 17, 17, 21 + vcipher 18, 18, 21 + + vcipher 15, 15, 22 + vcipher 16, 16, 22 + vcipher 17, 17, 22 + vcipher 18, 18, 22 + + xxlor 19+32, 5, 5 + xxlor 20+32, 6, 6 + xxlor 21+32, 7, 7 + xxlor 22+32, 8, 8 + + vcipher 15, 15, 19 + vcipher 16, 16, 19 + vcipher 17, 17, 19 + vcipher 18, 18, 19 + + vcipher
[openssl] master update
The branch master has been updated via d94c2f1b98318cea4416c4dcd5e5f878de8d458f (commit) from 1bfd20f08c042072cae44a9eb81626cbfff81116 (commit) - Log - commit d94c2f1b98318cea4416c4dcd5e5f878de8d458f Author: Todd Short Date: Thu Jan 20 14:38:33 2022 -0500 `make clean` should clean up fips provider shared object. Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17556) (cherry picked from commit 45036df45048c6498efa49d3572869830d05df45) --- Summary of changes: Configurations/unix-Makefile.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 52d2f6a64e..6d4039c33f 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -582,7 +582,7 @@ clean: libclean $(RM) $(MANDOCS3) $(RM) $(MANDOCS5) $(RM) $(MANDOCS7) - $(RM) $(PROGRAMS) $(TESTPROGS) $(MODULES) $(SCRIPTS) + $(RM) $(PROGRAMS) $(TESTPROGS) $(MODULES) $(FIPSMODULE) $(SCRIPTS) $(RM) $(GENERATED_MANDATORY) $(GENERATED) -find . -name '*{- platform->depext() -}' \! -name '.*' \! -type d -exec $(RM) {} \; -find . -name '*{- platform->objext() -}' \! -name '.*' \! -type d -exec $(RM) {} \;
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 45036df45048c6498efa49d3572869830d05df45 (commit) from 9d0a228ae2c2af274995566ae79f3b07c2937069 (commit) - Log - commit 45036df45048c6498efa49d3572869830d05df45 Author: Todd Short Date: Thu Jan 20 14:38:33 2022 -0500 `make clean` should clean up fips provider shared object. Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17556) --- Summary of changes: Configurations/unix-Makefile.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 52d2f6a64e..6d4039c33f 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -582,7 +582,7 @@ clean: libclean $(RM) $(MANDOCS3) $(RM) $(MANDOCS5) $(RM) $(MANDOCS7) - $(RM) $(PROGRAMS) $(TESTPROGS) $(MODULES) $(SCRIPTS) + $(RM) $(PROGRAMS) $(TESTPROGS) $(MODULES) $(FIPSMODULE) $(SCRIPTS) $(RM) $(GENERATED_MANDATORY) $(GENERATED) -find . -name '*{- platform->depext() -}' \! -name '.*' \! -type d -exec $(RM) {} \; -find . -name '*{- platform->objext() -}' \! -name '.*' \! -type d -exec $(RM) {} \;
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 9d0a228ae2c2af274995566ae79f3b07c2937069 (commit) from a28dbfe7c84b6a43746d0e2ef4153e2a13067c4a (commit) - Log - commit 9d0a228ae2c2af274995566ae79f3b07c2937069 Author: Pauli Date: Fri Jan 21 17:09:46 2022 +1100 self_test.h: fix the C++ wrapping Fixes #17557 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17562) (cherry picked from commit 1bfd20f08c042072cae44a9eb81626cbfff81116) --- Summary of changes: include/openssl/self_test.h | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/include/openssl/self_test.h b/include/openssl/self_test.h index 77c600a0d1..6d6c96abf8 100644 --- a/include/openssl/self_test.h +++ b/include/openssl/self_test.h @@ -73,10 +73,6 @@ extern "C" { # define OSSL_SELF_TEST_DESC_KDF_TLS13_EXPAND "TLS13_KDF_EXPAND" # define OSSL_SELF_TEST_DESC_RNG"RNG" -# ifdef __cplusplus -} -# endif - void OSSL_SELF_TEST_set_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK *cb, void *cbarg); void OSSL_SELF_TEST_get_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK **cb, @@ -90,4 +86,7 @@ void OSSL_SELF_TEST_onbegin(OSSL_SELF_TEST *st, const char *type, int OSSL_SELF_TEST_oncorrupt_byte(OSSL_SELF_TEST *st, unsigned char *bytes); void OSSL_SELF_TEST_onend(OSSL_SELF_TEST *st, int ret); +# ifdef __cplusplus +} +# endif #endif /* OPENSSL_SELF_TEST_H */
[openssl] master update
The branch master has been updated via 1bfd20f08c042072cae44a9eb81626cbfff81116 (commit) from e1cd94f2dca4056ce042c62b89c468dffc088033 (commit) - Log - commit 1bfd20f08c042072cae44a9eb81626cbfff81116 Author: Pauli Date: Fri Jan 21 17:09:46 2022 +1100 self_test.h: fix the C++ wrapping Fixes #17557 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17562) --- Summary of changes: include/openssl/self_test.h | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/include/openssl/self_test.h b/include/openssl/self_test.h index 77c600a0d1..6d6c96abf8 100644 --- a/include/openssl/self_test.h +++ b/include/openssl/self_test.h @@ -73,10 +73,6 @@ extern "C" { # define OSSL_SELF_TEST_DESC_KDF_TLS13_EXPAND "TLS13_KDF_EXPAND" # define OSSL_SELF_TEST_DESC_RNG"RNG" -# ifdef __cplusplus -} -# endif - void OSSL_SELF_TEST_set_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK *cb, void *cbarg); void OSSL_SELF_TEST_get_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK **cb, @@ -90,4 +86,7 @@ void OSSL_SELF_TEST_onbegin(OSSL_SELF_TEST *st, const char *type, int OSSL_SELF_TEST_oncorrupt_byte(OSSL_SELF_TEST *st, unsigned char *bytes); void OSSL_SELF_TEST_onend(OSSL_SELF_TEST *st, int ret); +# ifdef __cplusplus +} +# endif #endif /* OPENSSL_SELF_TEST_H */
[openssl] master update
The branch master has been updated via bca6cc53d4592ccbe78eeede3bc79f09d149603c (commit) from acce055778ecbf72e06a254b3a9bf2a2907e5170 (commit) - Log - commit bca6cc53d4592ccbe78eeede3bc79f09d149603c Author: fangming.fang Date: Tue Jan 18 02:58:08 2022 + Fix sm3ss1 translation issue in sm3-armv8.pl Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17542) --- Summary of changes: crypto/sm3/asm/sm3-armv8.pl | 15 +++ 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/crypto/sm3/asm/sm3-armv8.pl b/crypto/sm3/asm/sm3-armv8.pl index bb71b2eade..f0555fd3f2 100644 --- a/crypto/sm3/asm/sm3-armv8.pl +++ b/crypto/sm3/asm/sm3-armv8.pl @@ -109,7 +109,7 @@ ___ $code=<<___; #include "arm_arch.h" -.arch armv8.2-a+sm4 +.arch armv8.2-a .text ___ @@ -222,8 +222,8 @@ my %sm3partopcode = ( "sm3partw1" => 0xce60C000, "sm3partw2" => 0xce60C400); -my %sm3sslopcode = ( - "sm3ssl"=> 0xce40); +my %sm3ss1opcode = ( + "sm3ss1"=> 0xce40); my %sm3ttopcode = ( "sm3tt1a" => 0xce408000, @@ -241,14 +241,13 @@ sub unsm3part { $mnemonic,$arg; } -sub unsm3ssl { +sub unsm3ss1 { my ($mnemonic,$arg)=@_; - $arg=~ m/[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*, -\s*[qv](\d+)/o + $arg=~ m/[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*,\s*[qv](\d+)/o && sprintf ".inst\t0x%08x\t//%s %s", - $sm3sslopcode{$mnemonic}|$1|($2<<5)|($3<<16)|($4<<10), + $sm3ss1opcode{$mnemonic}|$1|($2<<5)|($3<<16)|($4<<10), $mnemonic,$arg; } @@ -274,7 +273,7 @@ foreach(split("\n",$code)) { s/\`([^\`]*)\`/eval($1)/ge; s/\b(sm3partw[1-2])\s+([qv].*)/unsm3part($1,$2)/ge; - s/\b(sm3ssl)\s+([qv].*)/unsm3ssl($1,$2)/ge; + s/\b(sm3ss1)\s+([qv].*)/unsm3ss1($1,$2)/ge; s/\b(sm3tt[1-2][a-b])\s+([qv].*)/unsm3tt($1,$2)/ge; print $_,"\n"; }
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 078439d78d1d1435f0ebaf97819daa38a8c81ad5 (commit) from 174adc705c2c3921cb3da34ce11641c159bd139b (commit) - Log - commit 078439d78d1d1435f0ebaf97819daa38a8c81ad5 Author: Pauli Date: Thu Jan 13 12:19:23 2022 +1100 ssl: better support TSAN operations For platforms that do not have native TSAN support, locking needs to be used instead. This adds the locking. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/17489) (cherry picked from commit acce055778ecbf72e06a254b3a9bf2a2907e5170) --- Summary of changes: ssl/ssl_lib.c| 47 +++ ssl/ssl_local.h | 30 ++ ssl/ssl_sess.c | 11 ++- ssl/statem/extensions.c | 13 +++-- ssl/statem/statem_clnt.c | 2 +- ssl/statem/statem_lib.c | 17 ++--- 6 files changed, 93 insertions(+), 27 deletions(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index f3993f0bc3..14030f8ebc 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2451,6 +2451,17 @@ LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx) return ctx->sessions; } +static int ssl_tsan_load(SSL_CTX *ctx, TSAN_QUALIFIER int *stat) +{ +int res = 0; + +if (ssl_tsan_lock(ctx)) { +res = tsan_load(stat); +ssl_tsan_unlock(ctx); +} +return res; +} + long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { long l; @@ -2506,27 +2517,27 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SESS_NUMBER: return lh_SSL_SESSION_num_items(ctx->sessions); case SSL_CTRL_SESS_CONNECT: -return tsan_load(>stats.sess_connect); +return ssl_tsan_load(ctx, >stats.sess_connect); case SSL_CTRL_SESS_CONNECT_GOOD: -return tsan_load(>stats.sess_connect_good); +return ssl_tsan_load(ctx, >stats.sess_connect_good); case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: -return tsan_load(>stats.sess_connect_renegotiate); +return ssl_tsan_load(ctx, >stats.sess_connect_renegotiate); case SSL_CTRL_SESS_ACCEPT: -return tsan_load(>stats.sess_accept); +return ssl_tsan_load(ctx, >stats.sess_accept); case SSL_CTRL_SESS_ACCEPT_GOOD: -return tsan_load(>stats.sess_accept_good); +return ssl_tsan_load(ctx, >stats.sess_accept_good); case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: -return tsan_load(>stats.sess_accept_renegotiate); +return ssl_tsan_load(ctx, >stats.sess_accept_renegotiate); case SSL_CTRL_SESS_HIT: -return tsan_load(>stats.sess_hit); +return ssl_tsan_load(ctx, >stats.sess_hit); case SSL_CTRL_SESS_CB_HIT: -return tsan_load(>stats.sess_cb_hit); +return ssl_tsan_load(ctx, >stats.sess_cb_hit); case SSL_CTRL_SESS_MISSES: -return tsan_load(>stats.sess_miss); +return ssl_tsan_load(ctx, >stats.sess_miss); case SSL_CTRL_SESS_TIMEOUTS: -return tsan_load(>stats.sess_timeout); +return ssl_tsan_load(ctx, >stats.sess_timeout); case SSL_CTRL_SESS_CACHE_FULL: -return tsan_load(>stats.sess_cache_full); +return ssl_tsan_load(ctx, >stats.sess_cache_full); case SSL_CTRL_MODE: return (ctx->mode |= larg); case SSL_CTRL_CLEAR_MODE: @@ -3199,6 +3210,14 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, return NULL; } +#ifdef TSAN_REQUIRES_LOCKING +ret->tsan_lock = CRYPTO_THREAD_lock_new(); +if (ret->tsan_lock == NULL) { +ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); +goto err; +} +#endif + ret->libctx = libctx; if (propq != NULL) { ret->propq = OPENSSL_strdup(propq); @@ -3465,6 +3484,9 @@ void SSL_CTX_free(SSL_CTX *a) OPENSSL_free(a->sigalg_lookup_cache); CRYPTO_THREAD_lock_free(a->lock); +#ifdef TSAN_REQUIRES_LOCKING +CRYPTO_THREAD_lock_free(a->tsan_lock); +#endif OPENSSL_free(a->propq); @@ -3733,11 +3755,12 @@ void ssl_update_cache(SSL *s, int mode) /* auto flush every 255 connections */ if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && ((i & mode) == mode)) { TSAN_QUALIFIER int *stat; + if (mode & SSL_SESS_CACHE_CLIENT) stat = >session_ctx->stats.sess_connect_good; else stat = >session_ctx->stats.sess_accept_good; -if ((tsan_load(stat) & 0xff) == 0xff) +if ((ssl_tsan_load(s->session_ctx, stat) & 0xff) == 0xff) SSL_CTX_flush_sessions(s->session_ctx, (unsigned long)time(NULL)); } } diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index ce93049180..9f119a9d79 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -898,6 +898,9 @@ struct ssl_ctx_st {
[openssl] master update
The branch master has been updated via acce055778ecbf72e06a254b3a9bf2a2907e5170 (commit) from ed16b0fc282d29f755e656043e8a70553ef7bea5 (commit) - Log - commit acce055778ecbf72e06a254b3a9bf2a2907e5170 Author: Pauli Date: Thu Jan 13 12:19:23 2022 +1100 ssl: better support TSAN operations For platforms that do not have native TSAN support, locking needs to be used instead. This adds the locking. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/17489) --- Summary of changes: ssl/ssl_lib.c| 47 +++ ssl/ssl_local.h | 30 ++ ssl/ssl_sess.c | 11 ++- ssl/statem/extensions.c | 13 +++-- ssl/statem/statem_clnt.c | 2 +- ssl/statem/statem_lib.c | 17 ++--- 6 files changed, 93 insertions(+), 27 deletions(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 20fe8bc786..655eac0b7c 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2451,6 +2451,17 @@ LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx) return ctx->sessions; } +static int ssl_tsan_load(SSL_CTX *ctx, TSAN_QUALIFIER int *stat) +{ +int res = 0; + +if (ssl_tsan_lock(ctx)) { +res = tsan_load(stat); +ssl_tsan_unlock(ctx); +} +return res; +} + long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { long l; @@ -2506,27 +2517,27 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SESS_NUMBER: return lh_SSL_SESSION_num_items(ctx->sessions); case SSL_CTRL_SESS_CONNECT: -return tsan_load(>stats.sess_connect); +return ssl_tsan_load(ctx, >stats.sess_connect); case SSL_CTRL_SESS_CONNECT_GOOD: -return tsan_load(>stats.sess_connect_good); +return ssl_tsan_load(ctx, >stats.sess_connect_good); case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: -return tsan_load(>stats.sess_connect_renegotiate); +return ssl_tsan_load(ctx, >stats.sess_connect_renegotiate); case SSL_CTRL_SESS_ACCEPT: -return tsan_load(>stats.sess_accept); +return ssl_tsan_load(ctx, >stats.sess_accept); case SSL_CTRL_SESS_ACCEPT_GOOD: -return tsan_load(>stats.sess_accept_good); +return ssl_tsan_load(ctx, >stats.sess_accept_good); case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: -return tsan_load(>stats.sess_accept_renegotiate); +return ssl_tsan_load(ctx, >stats.sess_accept_renegotiate); case SSL_CTRL_SESS_HIT: -return tsan_load(>stats.sess_hit); +return ssl_tsan_load(ctx, >stats.sess_hit); case SSL_CTRL_SESS_CB_HIT: -return tsan_load(>stats.sess_cb_hit); +return ssl_tsan_load(ctx, >stats.sess_cb_hit); case SSL_CTRL_SESS_MISSES: -return tsan_load(>stats.sess_miss); +return ssl_tsan_load(ctx, >stats.sess_miss); case SSL_CTRL_SESS_TIMEOUTS: -return tsan_load(>stats.sess_timeout); +return ssl_tsan_load(ctx, >stats.sess_timeout); case SSL_CTRL_SESS_CACHE_FULL: -return tsan_load(>stats.sess_cache_full); +return ssl_tsan_load(ctx, >stats.sess_cache_full); case SSL_CTRL_MODE: return (ctx->mode |= larg); case SSL_CTRL_CLEAR_MODE: @@ -3199,6 +3210,14 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, return NULL; } +#ifdef TSAN_REQUIRES_LOCKING +ret->tsan_lock = CRYPTO_THREAD_lock_new(); +if (ret->tsan_lock == NULL) { +ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); +goto err; +} +#endif + ret->libctx = libctx; if (propq != NULL) { ret->propq = OPENSSL_strdup(propq); @@ -3465,6 +3484,9 @@ void SSL_CTX_free(SSL_CTX *a) OPENSSL_free(a->sigalg_lookup_cache); CRYPTO_THREAD_lock_free(a->lock); +#ifdef TSAN_REQUIRES_LOCKING +CRYPTO_THREAD_lock_free(a->tsan_lock); +#endif OPENSSL_free(a->propq); @@ -3733,11 +3755,12 @@ void ssl_update_cache(SSL *s, int mode) /* auto flush every 255 connections */ if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && ((i & mode) == mode)) { TSAN_QUALIFIER int *stat; + if (mode & SSL_SESS_CACHE_CLIENT) stat = >session_ctx->stats.sess_connect_good; else stat = >session_ctx->stats.sess_accept_good; -if ((tsan_load(stat) & 0xff) == 0xff) +if ((ssl_tsan_load(s->session_ctx, stat) & 0xff) == 0xff) SSL_CTX_flush_sessions(s->session_ctx, (unsigned long)time(NULL)); } } diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index ddae48b2af..2c83505660 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -898,6 +898,9 @@ struct ssl_ctx_st { * other processes - spooky
[openssl] master update
The branch master has been updated via ed16b0fc282d29f755e656043e8a70553ef7bea5 (commit) via 0be4b0403d2f65adf0d037581223dbebd0fa135e (commit) via 0324ae3e98725f722b7d7871c23fbbff596a5bf6 (commit) via 4e62f1a3af36512a1f5e1273d2dc54e3ce7f5fca (commit) via 2c9da416a608e2aaf19c16d920baddf2473c8392 (commit) from 15b7175f558bf9eb057ec3266685486f727dd70f (commit) - Log - commit ed16b0fc282d29f755e656043e8a70553ef7bea5 Author: Pauli Date: Mon Jan 17 13:09:41 2022 +1100 test: add cipher context dup test Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17529) commit 0be4b0403d2f65adf0d037581223dbebd0fa135e Author: Pauli Date: Fri Jan 7 11:47:20 2022 +1100 test: add digest context dup tests Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17529) commit 0324ae3e98725f722b7d7871c23fbbff596a5bf6 Author: Pauli Date: Fri Jan 7 11:47:02 2022 +1100 doc: document digest and cipher dup functions Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17529) commit 4e62f1a3af36512a1f5e1273d2dc54e3ce7f5fca Author: Pauli Date: Fri Jan 7 11:46:33 2022 +1100 Add context dup functions for digests and ciphers Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17529) commit 2c9da416a608e2aaf19c16d920baddf2473c8392 Author: Pauli Date: Fri Jan 7 11:45:33 2022 +1100 fix indentation Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17529) --- Summary of changes: crypto/evp/digest.c | 11 +++ crypto/evp/evp_enc.c | 11 +++ doc/man3/EVP_DigestInit.pod | 17 +-- doc/man3/EVP_EncryptInit.pod | 20 include/openssl/evp.h | 2 ++ providers/implementations/digests/sha3_prov.c | 2 +- providers/implementations/kdfs/pbkdf2.c | 8 ++--- test/evp_extra_test2.c| 16 ++ test/evp_test.c | 44 +++ util/libcrypto.num| 2 ++ 10 files changed, 114 insertions(+), 19 deletions(-) diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index d4685e6489..db2eed6355 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -505,6 +505,17 @@ legacy: return ret; } +EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in) +{ +EVP_MD_CTX *out = EVP_MD_CTX_new(); + +if (out != NULL && !EVP_MD_CTX_copy_ex(out, in)) { +EVP_MD_CTX_free(out); +out = NULL; +} +return out; +} + int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) { EVP_MD_CTX_reset(out); diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index 519cab3f2b..1c02cafa16 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -1346,6 +1346,17 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key) #endif /* FIPS_MODULE */ } +EVP_CIPHER_CTX *EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in) +{ +EVP_CIPHER_CTX *out = EVP_CIPHER_CTX_new(); + +if (out != NULL && !EVP_CIPHER_CTX_copy(out, in)) { +EVP_CIPHER_CTX_free(out); +out = NULL; +} +return out; +} + int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) { if ((in == NULL) || (in->cipher == NULL)) { diff --git a/doc/man3/EVP_DigestInit.pod b/doc/man3/EVP_DigestInit.pod index 5b9d75b704..2a2a17f27f 100644 --- a/doc/man3/EVP_DigestInit.pod +++ b/doc/man3/EVP_DigestInit.pod @@ -4,8 +4,8 @@ EVP_MD_fetch, EVP_MD_up_ref, EVP_MD_free, EVP_MD_get_params, EVP_MD_gettable_params, -EVP_MD_CTX_new, EVP_MD_CTX_reset, EVP_MD_CTX_free, EVP_MD_CTX_copy, -EVP_MD_CTX_copy_ex, EVP_MD_CTX_ctrl, +EVP_MD_CTX_new, EVP_MD_CTX_reset, EVP_MD_CTX_free, EVP_MD_CTX_dup, +EVP_MD_CTX_copy, EVP_MD_CTX_copy_ex, EVP_MD_CTX_ctrl, EVP_MD_CTX_set_params, EVP_MD_CTX_get_params, EVP_MD_settable_ctx_params, EVP_MD_gettable_ctx_params, EVP_MD_CTX_settable_params, EVP_MD_CTX_gettable_params, @@ -63,6 +63,7 @@ EVP_MD_CTX_type, EVP_MD_CTX_pkey_ctx, EVP_MD_CTX_md_data int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s); int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len); + EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in); int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in); int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type); @@ -295,6 +296,12 @@ It retrieves the digest value from I and places it in I-sized I. After calling this function no additional calls to EVP_DigestUpdate() can be made, but EVP_DigestInit_ex2() can be called to initialize a new operation. +=item EVP_MD_CTX_dup() + +Can be used to duplicate
[openssl] master update
The branch master has been updated via 14951ef01f9b54d804baf2fabdf0a715c630827b (commit) via b461aff257e57b8ba8e72667078fdf6d5047bc91 (commit) via a09a342ffb459d0913954111b7802815e9a3481a (commit) via d715dbd8e566e7827ce8b2e9b6687c2bcd8a89a0 (commit) via e52698f9e33d77419dca827774e5d0bc1815100d (commit) via 1e3317278e4890e812a032b39c7c9dc43ca01458 (commit) from f242ce9817157817b19ccb303fd436fe487539b3 (commit) - Log - commit 14951ef01f9b54d804baf2fabdf0a715c630827b Author: Pauli Date: Mon Jan 17 16:51:03 2022 +1100 e_dasync: remove empty statement Reviewed-by: Tim Hudson Reviewed-by: Bernd Edlinger Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/17528) commit b461aff257e57b8ba8e72667078fdf6d5047bc91 Author: Pauli Date: Mon Jan 17 16:50:16 2022 +1100 demo: remove end of line whitespace Reviewed-by: Tim Hudson Reviewed-by: Bernd Edlinger Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/17528) commit a09a342ffb459d0913954111b7802815e9a3481a Author: Pauli Date: Mon Jan 17 16:49:58 2022 +1100 speed: rework if condition to avoid empty statement Reviewed-by: Tim Hudson Reviewed-by: Bernd Edlinger Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/17528) commit d715dbd8e566e7827ce8b2e9b6687c2bcd8a89a0 Author: Pauli Date: Mon Jan 17 10:37:20 2022 +1100 replace ;; with ; as statement separator Fixes #17525 Reviewed-by: Tim Hudson Reviewed-by: Bernd Edlinger Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/17528) commit e52698f9e33d77419dca827774e5d0bc1815100d Author: Pauli Date: Mon Jan 17 10:36:46 2022 +1100 apps/ca: replace ;; with ; as statement separator Reviewed-by: Tim Hudson Reviewed-by: Bernd Edlinger Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/17528) commit 1e3317278e4890e812a032b39c7c9dc43ca01458 Author: Pauli Date: Mon Jan 17 10:36:06 2022 +1100 ssl: replace ;; with ; as statement separator Reviewed-by: Tim Hudson Reviewed-by: Bernd Edlinger Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/17528) --- Summary of changes: apps/ca.c| 2 +- apps/speed.c | 4 +--- crypto/rsa/rsa_backend.c | 2 +- crypto/x509/x509_trust.c | 2 +- demos/digest/EVP_MD_demo.c | 2 +- engines/e_dasync.c | 1 - providers/implementations/keymgmt/dh_kmgmt.c | 2 +- ssl/ssl_rsa.c| 2 +- ssl/statem/statem_lib.c | 2 +- ssl/t1_lib.c | 2 +- 10 files changed, 9 insertions(+), 12 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index a9d6c5c1a6..271f7de9df 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -1855,7 +1855,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, p = "Valid"; else p = "\ninvalid type, Data base error\n"; -BIO_printf(bio_err, "Type :%s\n", p);; +BIO_printf(bio_err, "Type :%s\n", p); if (rrow[DB_type][0] == DB_TYPE_REV) { p = rrow[DB_exp_date]; if (p == NULL) diff --git a/apps/speed.c b/apps/speed.c index 0ee7347f5b..02e7b1f9b2 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -3551,9 +3551,7 @@ static int do_multi(int multi, int size_num) d = atof(sstrsep(, sep)); ffdh_results[k][0] += d; # endif /* OPENSSL_NO_DH */ -} else if (HAS_PREFIX(buf, "+H:")) { -; -} else { +} else if (!HAS_PREFIX(buf, "+H:")) { BIO_printf(bio_err, "Unknown type '%s' from child %d\n", buf, n); } diff --git a/crypto/rsa/rsa_backend.c b/crypto/rsa/rsa_backend.c index dc397a6676..ae071f18bf 100644 --- a/crypto/rsa/rsa_backend.c +++ b/crypto/rsa/rsa_backend.c @@ -523,7 +523,7 @@ int ossl_rsa_pss_get_param_unverified(const RSA_PSS_PARAMS *pss, if (pss->trailerField) *ptrailerField = ASN1_INTEGER_get(pss->trailerField); else -*ptrailerField = ossl_rsa_pss_params_30_trailerfield(_params);; +*ptrailerField = ossl_rsa_pss_params_30_trailerfield(_params); return 1; } diff --git a/crypto/x509/x509_trust.c b/crypto/x509/x509_trust.c index ff578aee73..e71db0c9a1 100644 --- a/crypto/x509/x509_trust.c +++ b/crypto/x509/x509_trust.c @@ -166,7 +166,7 @@ int X509_TRUST_add(int id, int flags, int (*ck) (X509_TRUST *, X509 *, int), if (trtable == NULL
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 5f7757265bfd7ccdf1973bf09f9d72634ea70949 (commit) from 454358be49b55c313fe3781bc6f5f6c644787f87 (commit) - Log - commit 5f7757265bfd7ccdf1973bf09f9d72634ea70949 Author: Kevin Jones Date: Sat Jan 15 01:38:41 2022 + Fix mistake in ERR_peek_error_all documentation. The `func` parameter was incorrect. It was documented as `const char *func` instead of `const char **func`. CLA: trivial Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17522) (cherry picked from commit f242ce9817157817b19ccb303fd436fe487539b3) --- Summary of changes: doc/man3/ERR_get_error.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man3/ERR_get_error.pod b/doc/man3/ERR_get_error.pod index 6518458907..924c650184 100644 --- a/doc/man3/ERR_get_error.pod +++ b/doc/man3/ERR_get_error.pod @@ -31,7 +31,7 @@ ERR_get_error_line_data, ERR_peek_error_line_data, ERR_peek_last_error_line_data const char **func, const char **data, int *flags); unsigned long ERR_peek_error_all(const char **file, int *line, - const char *func, + const char **func, const char **data, int *flags); unsigned long ERR_peek_last_error_all(const char **file, int *line, const char *func,
[openssl] master update
The branch master has been updated via f242ce9817157817b19ccb303fd436fe487539b3 (commit) from cfbb5fcf4424395a1a23751556ea12c56b80b57e (commit) - Log - commit f242ce9817157817b19ccb303fd436fe487539b3 Author: Kevin Jones Date: Sat Jan 15 01:38:41 2022 + Fix mistake in ERR_peek_error_all documentation. The `func` parameter was incorrect. It was documented as `const char *func` instead of `const char **func`. CLA: trivial Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17522) --- Summary of changes: doc/man3/ERR_get_error.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man3/ERR_get_error.pod b/doc/man3/ERR_get_error.pod index b5374e7652..4019bdd541 100644 --- a/doc/man3/ERR_get_error.pod +++ b/doc/man3/ERR_get_error.pod @@ -31,7 +31,7 @@ ERR_get_error_line_data, ERR_peek_error_line_data, ERR_peek_last_error_line_data const char **func, const char **data, int *flags); unsigned long ERR_peek_error_all(const char **file, int *line, - const char *func, + const char **func, const char **data, int *flags); unsigned long ERR_peek_last_error_all(const char **file, int *line, const char *func,
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via ba4f941b081897747e8432296cd14bebafc97920 (commit) from 63c0fbcf865a711161feccd90aec9bf2e0e49199 (commit) - Log - commit ba4f941b081897747e8432296cd14bebafc97920 Author: EasySec Date: Thu Jan 13 23:30:30 2022 +0100 Fix typo in SSL_CTX_set_dh_auto Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17499) (cherry picked from commit 144316d276adf5b8172316f7bc20b372b8e31ac8) --- Summary of changes: doc/man3/SSL_CTX_set_tmp_dh_callback.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod index aacf82a80f..4340989976 100644 --- a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod +++ b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod @@ -11,7 +11,7 @@ SSL_set_tmp_dh_callback, SSL_set_tmp_dh #include - long SSL_CTX_set_dh_auto(SSL *s, int onoff); + long SSL_CTX_set_dh_auto(SSL_CTX *ctx, int onoff); long SSL_set_dh_auto(SSL *s, int onoff); int SSL_CTX_set0_tmp_dh_pkey(SSL_CTX *ctx, EVP_PKEY *dhpkey); int SSL_set0_tmp_dh_pkey(SSL *s, EVP_PKEY *dhpkey);
[openssl] master update
The branch master has been updated via 144316d276adf5b8172316f7bc20b372b8e31ac8 (commit) from d73a7a3a71270aaadb4e4e678ae9bd3cef8b9cbd (commit) - Log - commit 144316d276adf5b8172316f7bc20b372b8e31ac8 Author: EasySec Date: Thu Jan 13 23:30:30 2022 +0100 Fix typo in SSL_CTX_set_dh_auto Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17499) --- Summary of changes: doc/man3/SSL_CTX_set_tmp_dh_callback.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod index bf8441294a..c9f06e9895 100644 --- a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod +++ b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod @@ -11,7 +11,7 @@ SSL_set_tmp_dh_callback, SSL_set_tmp_dh #include - long SSL_CTX_set_dh_auto(SSL *s, int onoff); + long SSL_CTX_set_dh_auto(SSL_CTX *ctx, int onoff); long SSL_set_dh_auto(SSL *s, int onoff); int SSL_CTX_set0_tmp_dh_pkey(SSL_CTX *ctx, EVP_PKEY *dhpkey); int SSL_set0_tmp_dh_pkey(SSL *s, EVP_PKEY *dhpkey);
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 63c0fbcf865a711161feccd90aec9bf2e0e49199 (commit) from a8779af2f5cb76ac2563c28c1fdbdf314f0a6ebb (commit) - Log - commit 63c0fbcf865a711161feccd90aec9bf2e0e49199 Author: Dmytro Podgornyi Date: Wed Jan 12 19:25:23 2022 +0200 ssl/t1_enc: Fix kTLS RX offload path During counting of the unprocessed records, return code is treated in a wrong way. This forces kTLS RX path to be skipped in case of presence of unprocessed records. CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17492) (cherry picked from commit d73a7a3a71270aaadb4e4e678ae9bd3cef8b9cbd) --- Summary of changes: ssl/t1_enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 51688d4f2e..101cba6490 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -122,7 +122,7 @@ static int count_unprocessed_records(SSL *s) return -1; /* Read until next record */ -if (PACKET_get_length_prefixed_2(, )) +if (!PACKET_get_length_prefixed_2(, )) return -1; count += 1;
[openssl] master update
The branch master has been updated via d73a7a3a71270aaadb4e4e678ae9bd3cef8b9cbd (commit) from 57645339ab645fe5abffe14fc005b5402ce03b84 (commit) - Log - commit d73a7a3a71270aaadb4e4e678ae9bd3cef8b9cbd Author: Dmytro Podgornyi Date: Wed Jan 12 19:25:23 2022 +0200 ssl/t1_enc: Fix kTLS RX offload path During counting of the unprocessed records, return code is treated in a wrong way. This forces kTLS RX path to be skipped in case of presence of unprocessed records. CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17492) --- Summary of changes: ssl/t1_enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 51688d4f2e..101cba6490 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -122,7 +122,7 @@ static int count_unprocessed_records(SSL *s) return -1; /* Read until next record */ -if (PACKET_get_length_prefixed_2(, )) +if (!PACKET_get_length_prefixed_2(, )) return -1; count += 1;
[openssl] master update
The branch master has been updated via 57645339ab645fe5abffe14fc005b5402ce03b84 (commit) from 04bc3c1277b8b20dc29f96933f7be592c0535aa8 (commit) - Log - commit 57645339ab645fe5abffe14fc005b5402ce03b84 Author: Pauli Date: Sat Jan 1 12:43:31 2022 +1100 property: reduce memory consumption when OPENSSL_SMALL_FOOTPRINT is defined. This takes out the lock step stacks that allow a fast property to name resolution. Follow on from #17325. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17388) --- Summary of changes: crypto/property/property_string.c | 50 +++ 1 file changed, 46 insertions(+), 4 deletions(-) diff --git a/crypto/property/property_string.c b/crypto/property/property_string.c index 6c61bfbbb2..9191453d5a 100644 --- a/crypto/property/property_string.c +++ b/crypto/property/property_string.c @@ -40,8 +40,10 @@ typedef struct { PROP_TABLE *prop_values; OSSL_PROPERTY_IDX prop_name_idx; OSSL_PROPERTY_IDX prop_value_idx; +#ifndef OPENSSL_SMALL_FOOTPRINT STACK_OF(OPENSSL_CSTRING) *prop_namelist; STACK_OF(OPENSSL_CSTRING) *prop_valuelist; +#endif } PROPERTY_STRING_DATA; static unsigned long property_hash(const PROPERTY_STRING *a) @@ -80,9 +82,11 @@ static void property_string_data_free(void *vpropdata) CRYPTO_THREAD_lock_free(propdata->lock); property_table_free(>prop_names); property_table_free(>prop_values); +#ifndef OPENSSL_SMALL_FOOTPRINT sk_OPENSSL_CSTRING_free(propdata->prop_namelist); sk_OPENSSL_CSTRING_free(propdata->prop_valuelist); propdata->prop_namelist = propdata->prop_valuelist = NULL; +#endif propdata->prop_name_idx = propdata->prop_value_idx = 0; OPENSSL_free(propdata); @@ -99,13 +103,17 @@ static void *property_string_data_new(OSSL_LIB_CTX *ctx) { _cmp); propdata->prop_values = lh_PROPERTY_STRING_new(_hash, _cmp); +#ifndef OPENSSL_SMALL_FOOTPRINT propdata->prop_namelist = sk_OPENSSL_CSTRING_new_null(); propdata->prop_valuelist = sk_OPENSSL_CSTRING_new_null(); +#endif if (propdata->lock == NULL -|| propdata->prop_names == NULL -|| propdata->prop_values == NULL +#ifndef OPENSSL_SMALL_FOOTPRINT || propdata->prop_namelist == NULL -|| propdata->prop_valuelist == NULL) { +|| propdata->prop_valuelist == NULL +#endif +|| propdata->prop_names == NULL +|| propdata->prop_values == NULL) { property_string_data_free(propdata); return NULL; } @@ -141,7 +149,6 @@ static OSSL_PROPERTY_IDX ossl_property_string(OSSL_LIB_CTX *ctx, int name, { PROPERTY_STRING p, *ps, *ps_new; PROP_TABLE *t; -STACK_OF(OPENSSL_CSTRING) *slist; OSSL_PROPERTY_IDX *pidx; PROPERTY_STRING_DATA *propdata = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_PROPERTY_STRING_INDEX, @@ -166,19 +173,25 @@ static OSSL_PROPERTY_IDX ossl_property_string(OSSL_LIB_CTX *ctx, int name, pidx = name ? >prop_name_idx : >prop_value_idx; ps = lh_PROPERTY_STRING_retrieve(t, ); if (ps == NULL && (ps_new = new_property_string(s, pidx)) != NULL) { +#ifndef OPENSSL_SMALL_FOOTPRINT +STACK_OF(OPENSSL_CSTRING) *slist; + slist = name ? propdata->prop_namelist : propdata->prop_valuelist; if (sk_OPENSSL_CSTRING_push(slist, ps_new->s) <= 0) { property_free(ps_new); CRYPTO_THREAD_unlock(propdata->lock); return 0; } +#endif lh_PROPERTY_STRING_insert(t, ps_new); if (lh_PROPERTY_STRING_error(t)) { /*- * Undo the previous push which means also decrementing the * index and freeing the allocated storage. */ +#ifndef OPENSSL_SMALL_FOOTPRINT sk_OPENSSL_CSTRING_pop(slist); +#endif property_free(ps_new); --*pidx; CRYPTO_THREAD_unlock(propdata->lock); @@ -191,6 +204,21 @@ static OSSL_PROPERTY_IDX ossl_property_string(OSSL_LIB_CTX *ctx, int name, return ps != NULL ? ps->idx : 0; } +#ifdef OPENSSL_SMALL_FOOTPRINT +struct find_str_st { +const char *str; +OSSL_PROPERTY_IDX idx; +}; + +static void find_str_fn(PROPERTY_STRING *prop, void *vfindstr) +{ +struct find_str_st *findstr = vfindstr; + +if (prop->idx == findstr->idx) +findstr->str = prop->s; +} +#endif + static const char *ossl_property_str(int name, OSSL_LIB_CTX *ctx, OSSL_PROPERTY_IDX idx) { @@ -206,8 +234,22 @@ static const char *ossl_property_str(int name, OSSL_LIB_CTX *ctx,
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 2ee3e38f8f456db4b5afb023ae0472ff79204369 (commit) from 941c877bdb71038f6beeaf416d9b7b7951ff1f19 (commit) - Log - commit 2ee3e38f8f456db4b5afb023ae0472ff79204369 Author: Pauli Date: Thu Jan 13 12:30:59 2022 +1100 coverity 1497107: dereference after null check Add null checks to avoid dereferencing a pointer that could be null. Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/17488) --- Summary of changes: apps/lib/apps.c | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 25a6b6bcc3..07dd4550f2 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -696,10 +696,13 @@ int load_cert_certs(const char *uri, if (ret) { if (pcert != NULL) warn_cert(uri, *pcert, 0, vpm); -warn_certs(uri, *pcerts, 1, vpm); +if (pcerts != NULL) +warn_certs(uri, *pcerts, 1, vpm); } else { -sk_X509_pop_free(*pcerts, X509_free); -*pcerts = NULL; +if (pcerts != NULL) { +sk_X509_pop_free(*pcerts, X509_free); +*pcerts = NULL; +} } return ret; }
[openssl] master update
The branch master has been updated via 8c870f6bed241ec80c67453e60592461f0d8f2b8 (commit) from 79c7acc59bb98c2b8451b048ed1dd8cc517df76e (commit) - Log - commit 8c870f6bed241ec80c67453e60592461f0d8f2b8 Author: Pauli Date: Thu Jan 13 12:30:59 2022 +1100 coverity 1497107: dereference after null check Add null checks to avoid dereferencing a pointer that could be null. Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/17488) --- Summary of changes: apps/lib/apps.c | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 7ca30ef590..77edc1d936 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -691,10 +691,13 @@ int load_cert_certs(const char *uri, if (ret) { if (pcert != NULL) warn_cert(uri, *pcert, 0, vpm); -warn_certs(uri, *pcerts, 1, vpm); +if (pcerts != NULL) +warn_certs(uri, *pcerts, 1, vpm); } else { -OSSL_STACK_OF_X509_free(*pcerts); -*pcerts = NULL; +if (pcerts != NULL) { +OSSL_STACK_OF_X509_free(*pcerts); +*pcerts = NULL; +} } return ret; }
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 589e0ab4ebf35e1e73d826ad08160b9e6060e616 (commit) via d1a488e944275a1b5db50ce02c1593aedb37c1f9 (commit) via a69b93afd26d8da664e19847432cebe3c7d3fbb3 (commit) via cc05c3ea8c585eb58a46602f94c59e3c17f4383d (commit) via d1ec05915686019eec8fa8de9890292980fc5d6e (commit) via 3517a3e055d3ed27b70441e2ee087fbb709b58da (commit) from cca25d5eb83b56ae27d81bd72bebf69c2f393e43 (commit) - Log - commit 589e0ab4ebf35e1e73d826ad08160b9e6060e616 Author: Pauli Date: Wed Jan 12 15:01:17 2022 +1100 drbg: add handling for cases where TSAN isn't available Most of the DRGB code is run under lock from the EVP layer. This is relied on to make the majority of TSAN operations safe. However, it is still necessary to enable locking for all DRBGs created. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/17479) commit d1a488e944275a1b5db50ce02c1593aedb37c1f9 Author: Pauli Date: Wed Jan 12 14:45:07 2022 +1100 lhash: use lock when TSAN not available for statistics gathering Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/17479) commit a69b93afd26d8da664e19847432cebe3c7d3fbb3 Author: Pauli Date: Wed Jan 12 14:25:46 2022 +1100 mem: do not produce usage counts when tsan is unavailable. Doing the tsan operations under lock would be difficult to arrange here (locks require memory allocation). Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/17479) commit cc05c3ea8c585eb58a46602f94c59e3c17f4383d Author: Pauli Date: Wed Jan 12 14:22:23 2022 +1100 core namemap: use updated tsan lock detection capabilities Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/17479) commit d1ec05915686019eec8fa8de9890292980fc5d6e Author: Pauli Date: Wed Jan 12 13:26:38 2022 +1100 tsan: make detecting the need for locking when using tsan easier Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/17479) commit 3517a3e055d3ed27b70441e2ee087fbb709b58da Author: Pauli Date: Wed Jan 12 14:24:49 2022 +1100 threadstest: add write check to lock checking Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/17479) --- Summary of changes: crypto/core_namemap.c | 15 -- crypto/lhash/lh_stats.c| 25 crypto/lhash/lhash.c | 55 ++ crypto/lhash/lhash_local.h | 3 ++ crypto/mem.c | 14 ++--- include/internal/tsan_assist.h | 8 - providers/implementations/rands/drbg.c | 4 +++ test/threadstest.c | 2 ++ 8 files changed, 95 insertions(+), 31 deletions(-) diff --git a/crypto/core_namemap.c b/crypto/core_namemap.c index 2bee5ef194..6cb0ec5a06 100644 --- a/crypto/core_namemap.c +++ b/crypto/core_namemap.c @@ -37,11 +37,7 @@ struct ossl_namemap_st { CRYPTO_RWLOCK *lock; LHASH_OF(NAMENUM_ENTRY) *namenum; /* Name->number mapping */ -#ifdef tsan_ld_acq -TSAN_QUALIFIER int max_number; /* Current max number TSAN version */ -#else -int max_number;/* Current max number plain version */ -#endif +TSAN_QUALIFIER int max_number; /* Current max number */ }; /* LHASH callbacks */ @@ -99,10 +95,7 @@ static const OSSL_LIB_CTX_METHOD stored_namemap_method = { int ossl_namemap_empty(OSSL_NAMEMAP *namemap) { -#ifdef tsan_ld_acq -/* Have TSAN support */ -return namemap == NULL || tsan_load(>max_number) == 0; -#else +#ifdef TSAN_REQUIRES_LOCKING /* No TSAN support */ int rv; @@ -114,6 +107,9 @@ int ossl_namemap_empty(OSSL_NAMEMAP *namemap) rv = namemap->max_number == 0; CRYPTO_THREAD_unlock(namemap->lock); return rv; +#else +/* Have TSAN support */ +return namemap == NULL || tsan_load(>max_number) == 0; #endif } @@ -260,6 +256,7 @@ static int namemap_add_name_n(OSSL_NAMEMAP *namemap, int number, || (namenum->name = OPENSSL_strndup(name, name_len)) == NULL) goto err; +/* The tsan_counter use here is safe since we're under lock */ namenum->number = number != 0 ? number : 1 + tsan_counter(>max_number); (void)lh_NAMENUM_ENTRY_insert(namemap->namenum, namenum); diff --git a/crypto/lhash/lh_stats.c b/crypto/lhash/lh_stats.c index 5e38c42580..0d4bc72608 100644 --- a/crypto/lhash/lh_stats.c +++ b/crypto/lhash/lh_stats.c @@ -61,6 +61,14 @@ void OPENSSL_LH_node_usage_stats(const OPENSSL_LHASH *lh, FILE *fp) void OPENSSL_LH_stats_bio(const OPENSSL_LHASH *lh, BIO *out) { +int omit_tsan = 0; + +#ifdef
[openssl] master update
The branch master has been updated via 3d4d5305c292f5db62b4abf732f6682b2ada6f44 (commit) via 8ff861dcee38a41ce93374753e8c462e4b9012e2 (commit) via 43f132778b138870120d965f2fb61aa7411b78b2 (commit) via 5c41cee225094e6298799b709278b0431643fb1f (commit) via e6b8f359e79cdbe09033d02eaad7ecb4e24adb73 (commit) via d8ed9e4a9079b55a84bdbbc3172d36aa3be8bed7 (commit) via e22cbe5e67461470590e6fb8858c95285fcdea0e (commit) via 1fc97807d3a3b5e3065a7df80d1ad3601ccc5e2f (commit) from 9c5d1451292566e546d5dd01c7f19950fa34391d (commit) - Log - commit 3d4d5305c292f5db62b4abf732f6682b2ada6f44 Author: Pauli Date: Wed Jan 12 14:22:29 2022 +1100 threadstest: use locking for tsan operations if required Not all platforms support tsan operations, those that don't need to have an alternative locking path. Fixes #17447 Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/17479) commit 8ff861dcee38a41ce93374753e8c462e4b9012e2 Author: Pauli Date: Wed Jan 12 15:01:17 2022 +1100 drbg: add handling for cases where TSAN isn't available Most of the DRGB code is run under lock from the EVP layer. This is relied on to make the majority of TSAN operations safe. However, it is still necessary to enable locking for all DRBGs created. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/17479) commit 43f132778b138870120d965f2fb61aa7411b78b2 Author: Pauli Date: Wed Jan 12 14:45:07 2022 +1100 lhash: use lock when TSAN not available for statistics gathering Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/17479) commit 5c41cee225094e6298799b709278b0431643fb1f Author: Pauli Date: Wed Jan 12 14:25:46 2022 +1100 mem: do not produce usage counts when tsan is unavailable. Doing the tsan operations under lock would be difficult to arrange here (locks require memory allocation). Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/17479) commit e6b8f359e79cdbe09033d02eaad7ecb4e24adb73 Author: Pauli Date: Wed Jan 12 14:25:35 2022 +1100 object: use updated tsan lock detection capabilities Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/17479) commit d8ed9e4a9079b55a84bdbbc3172d36aa3be8bed7 Author: Pauli Date: Wed Jan 12 14:22:23 2022 +1100 core namemap: use updated tsan lock detection capabilities Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/17479) commit e22cbe5e67461470590e6fb8858c95285fcdea0e Author: Pauli Date: Wed Jan 12 13:26:38 2022 +1100 tsan: make detecting the need for locking when using tsan easier Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/17479) commit 1fc97807d3a3b5e3065a7df80d1ad3601ccc5e2f Author: Pauli Date: Wed Jan 12 14:24:49 2022 +1100 threadstest: add write check to lock checking Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/17479) --- Summary of changes: crypto/core_namemap.c | 15 -- crypto/lhash/lh_stats.c| 25 crypto/lhash/lhash.c | 55 ++ crypto/lhash/lhash_local.h | 3 ++ crypto/mem.c | 14 ++--- crypto/objects/obj_dat.c | 20 - include/internal/tsan_assist.h | 8 - providers/implementations/rands/drbg.c | 4 +++ test/threadstest.c | 30 +-- 9 files changed, 126 insertions(+), 48 deletions(-) diff --git a/crypto/core_namemap.c b/crypto/core_namemap.c index 2bee5ef194..6cb0ec5a06 100644 --- a/crypto/core_namemap.c +++ b/crypto/core_namemap.c @@ -37,11 +37,7 @@ struct ossl_namemap_st { CRYPTO_RWLOCK *lock; LHASH_OF(NAMENUM_ENTRY) *namenum; /* Name->number mapping */ -#ifdef tsan_ld_acq -TSAN_QUALIFIER int max_number; /* Current max number TSAN version */ -#else -int max_number;/* Current max number plain version */ -#endif +TSAN_QUALIFIER int max_number; /* Current max number */ }; /* LHASH callbacks */ @@ -99,10 +95,7 @@ static const OSSL_LIB_CTX_METHOD stored_namemap_method = { int ossl_namemap_empty(OSSL_NAMEMAP *namemap) { -#ifdef tsan_ld_acq -/* Have TSAN support */ -return namemap == NULL || tsan_load(>max_number) == 0; -#else +#ifdef TSAN_REQUIRES_LOCKING /* No TSAN support */ int rv; @@ -114,6 +107,9 @@ int ossl_namemap_empty(OSSL_NAMEMAP *namemap) rv = namemap->max_number == 0; CRYPTO_THREAD_unlock(namemap->lock);
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via cca25d5eb83b56ae27d81bd72bebf69c2f393e43 (commit) from f7e71772becc0dba8a0cae9766b78ea42819b849 (commit) - Log - commit cca25d5eb83b56ae27d81bd72bebf69c2f393e43 Author: Pauli Date: Wed Jan 12 12:28:29 2022 +1100 Avoid using a macro expansion in a macro when statically initialising Circumvents a problem with ancient PA-RISC compilers on HP/UX. Fixes #17477 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17478) (cherry picked from commit 9c5d1451292566e546d5dd01c7f19950fa34391d) --- Summary of changes: providers/fips/self_test_data.inc | 12 +--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc index dd39ab5252..f2c1af04b6 100644 --- a/providers/fips/self_test_data.inc +++ b/providers/fips/self_test_data.inc @@ -18,7 +18,7 @@ { name, OSSL_PARAM_OCTET_STRING, ITM(data) } #define ST_KAT_PARAM_UTF8STRING(name, data) \ { name, OSSL_PARAM_UTF8_STRING, ITM_STR(data) } -#define ST_KAT_PARAM_UTF8CHAR(name, data)\ +#define ST_KAT_PARAM_UTF8CHAR(name, data) \ { name, OSSL_PARAM_UTF8_STRING, ITM(data) } #define ST_KAT_PARAM_INT(name, i) \ { name, OSSL_PARAM_INTEGER, ITM(i) } @@ -1291,9 +1291,15 @@ static const ST_KAT_PARAM rsa_priv_key[] = { ST_KAT_PARAM_END() }; +/*- + * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the + * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient + * HP/UX PA-RISC compilers. + */ +static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE; + static const ST_KAT_PARAM rsa_enc_params[] = { -ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, -OSSL_PKEY_RSA_PAD_MODE_NONE), +ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none), ST_KAT_PARAM_END() };
[openssl] master update
The branch master has been updated via 9c5d1451292566e546d5dd01c7f19950fa34391d (commit) from 64a644530e023d3064db9027b0977d33b1d2ad9a (commit) - Log - commit 9c5d1451292566e546d5dd01c7f19950fa34391d Author: Pauli Date: Wed Jan 12 12:28:29 2022 +1100 Avoid using a macro expansion in a macro when statically initialising Circumvents a problem with ancient PA-RISC compilers on HP/UX. Fixes #17477 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17478) --- Summary of changes: providers/fips/self_test_data.inc | 12 +--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc index dd39ab5252..f2c1af04b6 100644 --- a/providers/fips/self_test_data.inc +++ b/providers/fips/self_test_data.inc @@ -18,7 +18,7 @@ { name, OSSL_PARAM_OCTET_STRING, ITM(data) } #define ST_KAT_PARAM_UTF8STRING(name, data) \ { name, OSSL_PARAM_UTF8_STRING, ITM_STR(data) } -#define ST_KAT_PARAM_UTF8CHAR(name, data)\ +#define ST_KAT_PARAM_UTF8CHAR(name, data) \ { name, OSSL_PARAM_UTF8_STRING, ITM(data) } #define ST_KAT_PARAM_INT(name, i) \ { name, OSSL_PARAM_INTEGER, ITM(i) } @@ -1291,9 +1291,15 @@ static const ST_KAT_PARAM rsa_priv_key[] = { ST_KAT_PARAM_END() }; +/*- + * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the + * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient + * HP/UX PA-RISC compilers. + */ +static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE; + static const ST_KAT_PARAM rsa_enc_params[] = { -ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, -OSSL_PKEY_RSA_PAD_MODE_NONE), +ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none), ST_KAT_PARAM_END() };
[openssl] master update
The branch master has been updated via a10a576090022e583a06271ceced8e38dd509657 (commit) via 3ee3a2bd1e5763b0df5c0a2cba3b06edc26f5276 (commit) via 3831351da50b7ce07edba88056394a7a33c5e5d5 (commit) via 291c5b3e39f4c98e61cf7f65056fe49780d1f0ac (commit) via ac1082f00f991aca1c6e8282717fece16e9bb41f (commit) via 826da1451b2525b70f93fcc57ed5dbab61a19591 (commit) from b82fd89d8bae1445c89ec90d1a6145fe3216d2d7 (commit) - Log - commit a10a576090022e583a06271ceced8e38dd509657 Author: Pauli Date: Mon Jan 10 11:36:24 2022 +1100 param dup: add errors to failure returns Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/17440) commit 3ee3a2bd1e5763b0df5c0a2cba3b06edc26f5276 Author: Pauli Date: Mon Jan 10 11:33:06 2022 +1100 param build set: add errors to failure returns Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/17440) commit 3831351da50b7ce07edba88056394a7a33c5e5d5 Author: Pauli Date: Mon Jan 10 11:31:45 2022 +1100 param build: add errors to failure returns Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/17440) commit 291c5b3e39f4c98e61cf7f65056fe49780d1f0ac Author: Pauli Date: Mon Jan 10 11:10:34 2022 +1100 test: check for properly raised errors during param conversion Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/17440) commit ac1082f00f991aca1c6e8282717fece16e9bb41f Author: Pauli Date: Fri Jan 7 22:11:10 2022 +1100 params: add error messages for built in param conversions Specifically: * out of range * unsigned negatives * inexact reals * bad param types * buffers that are too small * null function arguments * unknown sizes of real Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/17440) commit 826da1451b2525b70f93fcc57ed5dbab61a19591 Author: Pauli Date: Fri Jan 7 22:10:38 2022 +1100 err: add additional errors Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/17440) --- Summary of changes: crypto/cpt_err.c | 20 ++- crypto/err/openssl.txt| 15 ++- crypto/param_build.c | 4 +- crypto/param_build_set.c | 4 +- crypto/params.c | 305 +++--- crypto/params_dup.c | 12 +- include/crypto/cryptoerr.h| 2 +- include/openssl/cryptoerr.h | 11 +- test/params_conversion_test.c | 15 ++- 9 files changed, 324 insertions(+), 64 deletions(-) diff --git a/crypto/cpt_err.c b/crypto/cpt_err.c index 8574f31a81..02d631466c 100644 --- a/crypto/cpt_err.c +++ b/crypto/cpt_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -29,14 +29,32 @@ static const ERR_STRING_DATA CRYPTO_str_reasons[] = { "insufficient param size"}, {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_INSUFFICIENT_SECURE_DATA_SPACE), "insufficient secure data space"}, +{ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_INTEGER_OVERFLOW), +"integer overflow"}, {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_INVALID_NEGATIVE_VALUE), "invalid negative value"}, {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_INVALID_NULL_ARGUMENT), "invalid null argument"}, {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_INVALID_OSSL_PARAM_TYPE), "invalid ossl param type"}, +{ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_NO_PARAMS_TO_MERGE), +"no params to merge"}, +{ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_NO_SPACE_FOR_TERMINATING_NULL), +"no space for terminating null"}, {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_ODD_NUMBER_OF_DIGITS), "odd number of digits"}, +{ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_PARAM_CANNOT_BE_REPRESENTED_EXACTLY), +"param cannot be represented exactly"}, +{ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_PARAM_NOT_INTEGER_TYPE), +"param not integer type"}, +{ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_PARAM_OF_INCOMPATIBLE_TYPE), +"param of incompatible type"}, +{ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_PARAM_UNSIGNED_INTEGER_NEGATIVE_VALUE_UNSUPPORTED), +"param unsigned integer negative value unsupported"}, +{ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_PARAM_UNSUPPORTED_FLOATING_POINT_FORMAT), +"param unsupported floating point format"}, +{ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_PARAM_VALUE_TOO_LARGE_FOR_DESTINATION), +"param value too large for
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 3755dc294d2e24b741e235550d063850464467cb (commit) from b64b8e39cfb5e89c0af8b9127a414cf529192846 (commit) - Log - commit 3755dc294d2e24b741e235550d063850464467cb Author: Tomas Mraz Date: Mon Jan 10 17:26:33 2022 +0100 pkeyutl: Fix regression with -kdflen option Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17461) (cherry picked from commit b82fd89d8bae1445c89ec90d1a6145fe3216d2d7) --- Summary of changes: apps/pkeyutl.c | 26 +- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c index 73012e3069..891f2280e3 100644 --- a/apps/pkeyutl.c +++ b/apps/pkeyutl.c @@ -464,23 +464,23 @@ int pkeyutl_main(int argc, char **argv) } goto end; } -if (kdflen != 0) { -buf_outlen = kdflen; -rv = 1; +if (rawin) { +/* rawin allocates the buffer in do_raw_keyop() */ +rv = do_raw_keyop(pkey_op, mctx, pkey, in, filesize, NULL, 0, + _out, (size_t *)_outlen); } else { -if (rawin) { -/* rawin allocates the buffer in do_raw_keyop() */ -rv = do_raw_keyop(pkey_op, mctx, pkey, in, filesize, NULL, 0, - _out, (size_t *)_outlen); +if (kdflen != 0) { +buf_outlen = kdflen; +rv = 1; } else { rv = do_keyop(ctx, pkey_op, NULL, (size_t *)_outlen, buf_in, (size_t)buf_inlen); -if (rv > 0 && buf_outlen != 0) { -buf_out = app_malloc(buf_outlen, "buffer output"); -rv = do_keyop(ctx, pkey_op, - buf_out, (size_t *)_outlen, - buf_in, (size_t)buf_inlen); -} +} +if (rv > 0 && buf_outlen != 0) { +buf_out = app_malloc(buf_outlen, "buffer output"); +rv = do_keyop(ctx, pkey_op, + buf_out, (size_t *)_outlen, + buf_in, (size_t)buf_inlen); } } if (rv <= 0) {
[openssl] master update
The branch master has been updated via b82fd89d8bae1445c89ec90d1a6145fe3216d2d7 (commit) from f5e97b3702916e69873746108ac7c100a31d2241 (commit) - Log - commit b82fd89d8bae1445c89ec90d1a6145fe3216d2d7 Author: Tomas Mraz Date: Mon Jan 10 17:26:33 2022 +0100 pkeyutl: Fix regression with -kdflen option Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17461) --- Summary of changes: apps/pkeyutl.c | 26 +- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c index 9e18dfc0e9..01c4f064d2 100644 --- a/apps/pkeyutl.c +++ b/apps/pkeyutl.c @@ -463,23 +463,23 @@ int pkeyutl_main(int argc, char **argv) } goto end; } -if (kdflen != 0) { -buf_outlen = kdflen; -rv = 1; +if (rawin) { +/* rawin allocates the buffer in do_raw_keyop() */ +rv = do_raw_keyop(pkey_op, mctx, pkey, in, filesize, NULL, 0, + _out, (size_t *)_outlen); } else { -if (rawin) { -/* rawin allocates the buffer in do_raw_keyop() */ -rv = do_raw_keyop(pkey_op, mctx, pkey, in, filesize, NULL, 0, - _out, (size_t *)_outlen); +if (kdflen != 0) { +buf_outlen = kdflen; +rv = 1; } else { rv = do_keyop(ctx, pkey_op, NULL, (size_t *)_outlen, buf_in, (size_t)buf_inlen); -if (rv > 0 && buf_outlen != 0) { -buf_out = app_malloc(buf_outlen, "buffer output"); -rv = do_keyop(ctx, pkey_op, - buf_out, (size_t *)_outlen, - buf_in, (size_t)buf_inlen); -} +} +if (rv > 0 && buf_outlen != 0) { +buf_out = app_malloc(buf_outlen, "buffer output"); +rv = do_keyop(ctx, pkey_op, + buf_out, (size_t *)_outlen, + buf_in, (size_t)buf_inlen); } } if (rv <= 0) {
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via b64b8e39cfb5e89c0af8b9127a414cf529192846 (commit) from 56de678e426e619f01e70247fa669c45986aa205 (commit) - Log - commit b64b8e39cfb5e89c0af8b9127a414cf529192846 Author: Matt Caswell Date: Mon Jan 10 14:46:46 2022 + Ensure we test fetching encoder/decoder/store loader with a query string Although we had a test for fetching an encoder/decoder/store loader it did not use a query string. The issue highlighted by #17456 only occurs if a query string is used. Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17459) --- Summary of changes: test/provfetchtest.c | 19 +-- 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/test/provfetchtest.c b/test/provfetchtest.c index 95ae87910e..aae9b40057 100644 --- a/test/provfetchtest.c +++ b/test/provfetchtest.c @@ -225,6 +225,7 @@ static int dummy_provider_init(const OSSL_CORE_HANDLE *handle, * Test 1: Encoder * Test 2: Store loader * Test 3: EVP_RAND + * Test 4-7: As above, but additionally with a query string */ static int fetch_test(int tst) { @@ -236,6 +237,7 @@ static int fetch_test(int tst) OSSL_STORE_LOADER *loader = NULL; int testresult = 0; unsigned char buf[32]; +int query = tst > 3; if (!TEST_ptr(libctx)) goto err; @@ -246,24 +248,29 @@ static int fetch_test(int tst) || !TEST_ptr(dummyprov = OSSL_PROVIDER_load(libctx, "dummy-prov"))) goto err; -switch(tst) { +switch (tst % 4) { case 0: -decoder = OSSL_DECODER_fetch(libctx, "DUMMY", NULL); +decoder = OSSL_DECODER_fetch(libctx, "DUMMY", + query ? "provider=dummy" : NULL); if (!TEST_ptr(decoder)) goto err; break; case 1: -encoder = OSSL_ENCODER_fetch(libctx, "DUMMY", NULL); +encoder = OSSL_ENCODER_fetch(libctx, "DUMMY", + query ? "provider=dummy" : NULL); if (!TEST_ptr(encoder)) goto err; break; case 2: -loader = OSSL_STORE_LOADER_fetch(libctx, "DUMMY", NULL); +loader = OSSL_STORE_LOADER_fetch(libctx, "DUMMY", + query ? "provider=dummy" : NULL); if (!TEST_ptr(loader)) goto err; break; case 3: -if (!TEST_true(RAND_set_DRBG_type(libctx, "DUMMY", NULL, NULL, NULL)) +if (!TEST_true(RAND_set_DRBG_type(libctx, "DUMMY", + query ? "provider=dummy" : NULL, + NULL, NULL)) || !TEST_int_ge(RAND_bytes_ex(libctx, buf, sizeof(buf), 0), 1)) goto err; break; @@ -284,7 +291,7 @@ static int fetch_test(int tst) int setup_tests(void) { -ADD_ALL_TESTS(fetch_test, 4); +ADD_ALL_TESTS(fetch_test, 8); return 1; }
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 56de678e426e619f01e70247fa669c45986aa205 (commit) from 408ba1775a82bad57f2e1a4bb4078e4b82cef10b (commit) - Log - commit 56de678e426e619f01e70247fa669c45986aa205 Author: Matt Caswell Date: Mon Jan 10 14:45:16 2022 + Fix Decoder, Encoder and Store loader fetching Attempting to fetch one of the above and providing a query string was failing with an internal assertion error. We must ensure that we give the provider when calling ossl_method_store_cache_set() Fixes #17456 Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17459) (cherry picked from commit cd1981a0dc165ab6af5e2945beaaa9efe4484cee) --- Summary of changes: crypto/encode_decode/decoder_meth.c | 5 +++-- crypto/encode_decode/encoder_meth.c | 5 +++-- crypto/store/store_meth.c | 5 +++-- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/crypto/encode_decode/decoder_meth.c b/crypto/encode_decode/decoder_meth.c index 6d44437314..25407b8999 100644 --- a/crypto/encode_decode/decoder_meth.c +++ b/crypto/encode_decode/decoder_meth.c @@ -375,13 +375,14 @@ inner_ossl_decoder_fetch(struct decoder_data_st *methdata, int id, construct_decoder, destruct_decoder }; +OSSL_PROVIDER *prov = NULL; methdata->id = id; methdata->names = name; methdata->propquery = properties; methdata->flag_construct_error_occurred = 0; if ((method = ossl_method_construct(methdata->libctx, OSSL_OP_DECODER, -NULL, 0 /* !force_cache */, +, 0 /* !force_cache */, , methdata)) != NULL) { /* * If construction did create a method for us, we know that @@ -392,7 +393,7 @@ inner_ossl_decoder_fetch(struct decoder_data_st *methdata, int id, if (id == 0 && name != NULL) id = ossl_namemap_name2num(namemap, name); if (id != 0) -ossl_method_store_cache_set(store, NULL, id, properties, method, +ossl_method_store_cache_set(store, prov, id, properties, method, up_ref_decoder, free_decoder); } diff --git a/crypto/encode_decode/encoder_meth.c b/crypto/encode_decode/encoder_meth.c index 9c0214db6b..43eca755ac 100644 --- a/crypto/encode_decode/encoder_meth.c +++ b/crypto/encode_decode/encoder_meth.c @@ -385,13 +385,14 @@ inner_ossl_encoder_fetch(struct encoder_data_st *methdata, int id, construct_encoder, destruct_encoder }; +OSSL_PROVIDER *prov = NULL; methdata->id = id; methdata->names = name; methdata->propquery = properties; methdata->flag_construct_error_occurred = 0; if ((method = ossl_method_construct(methdata->libctx, OSSL_OP_ENCODER, -NULL, 0 /* !force_cache */, +, 0 /* !force_cache */, , methdata)) != NULL) { /* * If construction did create a method for us, we know that @@ -401,7 +402,7 @@ inner_ossl_encoder_fetch(struct encoder_data_st *methdata, int id, */ if (id == 0) id = ossl_namemap_name2num(namemap, name); -ossl_method_store_cache_set(store, NULL, id, properties, method, +ossl_method_store_cache_set(store, prov, id, properties, method, up_ref_encoder, free_encoder); } diff --git a/crypto/store/store_meth.c b/crypto/store/store_meth.c index e79ec871fd..10b56bc685 100644 --- a/crypto/store/store_meth.c +++ b/crypto/store/store_meth.c @@ -317,13 +317,14 @@ inner_loader_fetch(struct loader_data_st *methdata, int id, construct_loader, destruct_loader }; +OSSL_PROVIDER *prov = NULL; methdata->scheme_id = id; methdata->scheme = scheme; methdata->propquery = properties; methdata->flag_construct_error_occurred = 0; if ((method = ossl_method_construct(methdata->libctx, OSSL_OP_STORE, -NULL, 0 /* !force_cache */, +, 0 /* !force_cache */, , methdata)) != NULL) { /* * If construction did create a method for us, we know that there @@ -332,7 +333,7 @@ inner_loader_fetch(struct loader_data_st *methdata, int id, */ if (id == 0)
[openssl] master update
The branch master has been updated via f5e97b3702916e69873746108ac7c100a31d2241 (commit) via cd1981a0dc165ab6af5e2945beaaa9efe4484cee (commit) from 254217a4a0c9e64869495447a0e6bdc2323d4cd1 (commit) - Log - commit f5e97b3702916e69873746108ac7c100a31d2241 Author: Matt Caswell Date: Mon Jan 10 14:46:46 2022 + Ensure we test fetching encoder/decoder/store loader with a query string Although we had a test for fetching an encoder/decoder/store loader it did not use a query string. The issue highlighted by #17456 only occurs if a query string is used. Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17459) commit cd1981a0dc165ab6af5e2945beaaa9efe4484cee Author: Matt Caswell Date: Mon Jan 10 14:45:16 2022 + Fix Decoder, Encoder and Store loader fetching Attempting to fetch one of the above and providing a query string was failing with an internal assertion error. We must ensure that we give the provider when calling ossl_method_store_cache_set() Fixes #17456 Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17459) --- Summary of changes: crypto/encode_decode/decoder_meth.c | 5 +++-- crypto/encode_decode/encoder_meth.c | 5 +++-- crypto/store/store_meth.c | 5 +++-- test/provfetchtest.c| 19 +-- 4 files changed, 22 insertions(+), 12 deletions(-) diff --git a/crypto/encode_decode/decoder_meth.c b/crypto/encode_decode/decoder_meth.c index 6d44437314..25407b8999 100644 --- a/crypto/encode_decode/decoder_meth.c +++ b/crypto/encode_decode/decoder_meth.c @@ -375,13 +375,14 @@ inner_ossl_decoder_fetch(struct decoder_data_st *methdata, int id, construct_decoder, destruct_decoder }; +OSSL_PROVIDER *prov = NULL; methdata->id = id; methdata->names = name; methdata->propquery = properties; methdata->flag_construct_error_occurred = 0; if ((method = ossl_method_construct(methdata->libctx, OSSL_OP_DECODER, -NULL, 0 /* !force_cache */, +, 0 /* !force_cache */, , methdata)) != NULL) { /* * If construction did create a method for us, we know that @@ -392,7 +393,7 @@ inner_ossl_decoder_fetch(struct decoder_data_st *methdata, int id, if (id == 0 && name != NULL) id = ossl_namemap_name2num(namemap, name); if (id != 0) -ossl_method_store_cache_set(store, NULL, id, properties, method, +ossl_method_store_cache_set(store, prov, id, properties, method, up_ref_decoder, free_decoder); } diff --git a/crypto/encode_decode/encoder_meth.c b/crypto/encode_decode/encoder_meth.c index 9c0214db6b..43eca755ac 100644 --- a/crypto/encode_decode/encoder_meth.c +++ b/crypto/encode_decode/encoder_meth.c @@ -385,13 +385,14 @@ inner_ossl_encoder_fetch(struct encoder_data_st *methdata, int id, construct_encoder, destruct_encoder }; +OSSL_PROVIDER *prov = NULL; methdata->id = id; methdata->names = name; methdata->propquery = properties; methdata->flag_construct_error_occurred = 0; if ((method = ossl_method_construct(methdata->libctx, OSSL_OP_ENCODER, -NULL, 0 /* !force_cache */, +, 0 /* !force_cache */, , methdata)) != NULL) { /* * If construction did create a method for us, we know that @@ -401,7 +402,7 @@ inner_ossl_encoder_fetch(struct encoder_data_st *methdata, int id, */ if (id == 0) id = ossl_namemap_name2num(namemap, name); -ossl_method_store_cache_set(store, NULL, id, properties, method, +ossl_method_store_cache_set(store, prov, id, properties, method, up_ref_encoder, free_encoder); } diff --git a/crypto/store/store_meth.c b/crypto/store/store_meth.c index e79ec871fd..10b56bc685 100644 --- a/crypto/store/store_meth.c +++ b/crypto/store/store_meth.c @@ -317,13 +317,14 @@ inner_loader_fetch(struct loader_data_st *methdata, int id, construct_loader, destruct_loader }; +OSSL_PROVIDER *prov = NULL; methdata->scheme_id = id; methdata->scheme = scheme;
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 408ba1775a82bad57f2e1a4bb4078e4b82cef10b (commit) from 576cc3ecb34a8909bf549798430de95fc0fb4042 (commit) - Log - commit 408ba1775a82bad57f2e1a4bb4078e4b82cef10b Author: Matt Caswell Date: Fri Jan 7 17:30:39 2022 + Clarify the int param getter documentation OSSL_PARAMs that are of type OSSL_PARAM_INTEGER or OSSL_PARAM_UNSIGNED_INTEGER can be obtained using any of the functions EVP_PKEY_get_int_param(), EVP_PKEY_get_size_t_param() or EVP_PKEY_get_bn_param(). The former two will fail if the parameter is too large to fit into the C variable. We clarify this in the documentation. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17445) (cherry picked from commit 254217a4a0c9e64869495447a0e6bdc2323d4cd1) --- Summary of changes: doc/man3/EVP_PKEY_gettable_params.pod | 9 + 1 file changed, 9 insertions(+) diff --git a/doc/man3/EVP_PKEY_gettable_params.pod b/doc/man3/EVP_PKEY_gettable_params.pod index 23ac4bd8b0..29b8ec822b 100644 --- a/doc/man3/EVP_PKEY_gettable_params.pod +++ b/doc/man3/EVP_PKEY_gettable_params.pod @@ -37,6 +37,15 @@ EVP_PKEY_gettable_params() returns a constant list of I indicating the names and types of key parameters that can be retrieved. See L for information about parameters. +An B of type B or +B is of arbitrary length. Such a parameter can be +obtained using any of the functions EVP_PKEY_get_int_param(), +EVP_PKEY_get_size_t_param() or EVP_PKEY_get_bn_param(). Attempting to +obtain an integer value that does not fit into a native C B type will cause +EVP_PKEY_get_int_param() to fail. Similarly attempting to obtain an integer +value that is negative or does not fit into a native C B type using +EVP_PKEY_get_size_t_param() will also fail. + EVP_PKEY_get_int_param() retrieves a key I integer value I<*out> associated with a name of I.
[openssl] master update
The branch master has been updated via 254217a4a0c9e64869495447a0e6bdc2323d4cd1 (commit) from e5fb4b1469f317aa92768cdf804dfa29b72cb8f3 (commit) - Log - commit 254217a4a0c9e64869495447a0e6bdc2323d4cd1 Author: Matt Caswell Date: Fri Jan 7 17:30:39 2022 + Clarify the int param getter documentation OSSL_PARAMs that are of type OSSL_PARAM_INTEGER or OSSL_PARAM_UNSIGNED_INTEGER can be obtained using any of the functions EVP_PKEY_get_int_param(), EVP_PKEY_get_size_t_param() or EVP_PKEY_get_bn_param(). The former two will fail if the parameter is too large to fit into the C variable. We clarify this in the documentation. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17445) --- Summary of changes: doc/man3/EVP_PKEY_gettable_params.pod | 9 + 1 file changed, 9 insertions(+) diff --git a/doc/man3/EVP_PKEY_gettable_params.pod b/doc/man3/EVP_PKEY_gettable_params.pod index a3ccf8ec5f..383ca6eb58 100644 --- a/doc/man3/EVP_PKEY_gettable_params.pod +++ b/doc/man3/EVP_PKEY_gettable_params.pod @@ -37,6 +37,15 @@ EVP_PKEY_gettable_params() returns a constant list of I indicating the names and types of key parameters that can be retrieved. See L for information about parameters. +An B of type B or +B is of arbitrary length. Such a parameter can be +obtained using any of the functions EVP_PKEY_get_int_param(), +EVP_PKEY_get_size_t_param() or EVP_PKEY_get_bn_param(). Attempting to +obtain an integer value that does not fit into a native C B type will cause +EVP_PKEY_get_int_param() to fail. Similarly attempting to obtain an integer +value that is negative or does not fit into a native C B type using +EVP_PKEY_get_size_t_param() will also fail. + EVP_PKEY_get_int_param() retrieves a key I integer value I<*out> associated with a name of I.
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 576cc3ecb34a8909bf549798430de95fc0fb4042 (commit) from afaa7755aa3e577348e1267d5ad34da695292917 (commit) - Log - commit 576cc3ecb34a8909bf549798430de95fc0fb4042 Author: Peiwei Hu Date: Wed Jan 5 23:17:53 2022 +0800 Fix: some patches related to error exiting Signed-off-by: Peiwei Hu Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17443) --- Summary of changes: apps/verify.c| 1 + crypto/ec/ec_lib.c | 4 ++-- crypto/x509/v3_crld.c| 1 + crypto/x509/v3_sxnet.c | 8 +--- ssl/statem/statem_clnt.c | 2 +- test/evp_test.c | 2 +- 6 files changed, 11 insertions(+), 7 deletions(-) diff --git a/apps/verify.c b/apps/verify.c index acf80c65c4..a403f301fc 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -263,6 +263,7 @@ static int check(X509_STORE *ctx, const char *file, if (x509_ctrl_string(x, opt) <= 0) { BIO_printf(bio_err, "parameter error \"%s\"\n", opt); ERR_print_errors(bio_err); +X509_free(x); return 0; } } diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index 3d3cf96962..2d85d4f23a 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -1710,8 +1710,8 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], ptmp = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_ENCODING); if (ptmp != NULL && !ossl_ec_encoding_param2id(ptmp, _flag)) { -ECerr(0, EC_R_INVALID_ENCODING); -return 0; +ERR_raise(ERR_LIB_EC, EC_R_INVALID_ENCODING); +goto err; } if (encoding_flag == OPENSSL_EC_NAMED_CURVE) { ERR_raise(ERR_LIB_EC, EC_R_INVALID_ENCODING); diff --git a/crypto/x509/v3_crld.c b/crypto/x509/v3_crld.c index bc755f5f0d..e704d419f7 100644 --- a/crypto/x509/v3_crld.c +++ b/crypto/x509/v3_crld.c @@ -83,6 +83,7 @@ static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx, return -1; dnsect = X509V3_get_section(ctx, cnf->value); if (!dnsect) { +X509_NAME_free(nm); ERR_raise(ERR_LIB_X509V3, X509V3_R_SECTION_NOT_FOUND); return -1; } diff --git a/crypto/x509/v3_sxnet.c b/crypto/x509/v3_sxnet.c index 3e5ae048be..4c925900dd 100644 --- a/crypto/x509/v3_sxnet.c +++ b/crypto/x509/v3_sxnet.c @@ -167,11 +167,12 @@ int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, const char *user, goto err; if (!ASN1_INTEGER_set(sx->version, 0)) goto err; -*psx = sx; } else sx = *psx; if (SXNET_get_id_INTEGER(sx, zone)) { ERR_raise(ERR_LIB_X509V3, X509V3_R_DUPLICATE_ZONE_ID); +if (*psx == NULL) +SXNET_free(sx); return 0; } @@ -185,13 +186,14 @@ int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, const char *user, if (!sk_SXNETID_push(sx->ids, id)) goto err; id->zone = zone; +*psx = sx; return 1; err: ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); SXNETID_free(id); -SXNET_free(sx); -*psx = NULL; +if (*psx == NULL) +SXNET_free(sx); return 0; } diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 435888db21..f4e2c15600 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2926,7 +2926,7 @@ static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt) encoded_pub_len = EVP_PKEY_get1_encoded_public_key(ckey, _pub); if (encoded_pub_len == 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); -EVP_PKEY_free(skey); +EVP_PKEY_free(ckey); return EXT_RETURN_FAIL; } diff --git a/test/evp_test.c b/test/evp_test.c index eda8c827f9..47d4e6c878 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -2516,7 +2516,7 @@ static int rand_test_run(EVP_TEST *t) item->pr_entropyB_len); params[1] = OSSL_PARAM_construct_end(); if (!TEST_true(EVP_RAND_CTX_set_params(expected->parent, params))) -return 0; +goto err; } if (!TEST_true(EVP_RAND_generate (expected->ctx, got, got_len,
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 7e1ec537a91d1f33c50e8f70dff82a4ed6668e9a (commit) from 79fc479baf848e91a991a215d775d8aae844fbe5 (commit) - Log - commit 7e1ec537a91d1f33c50e8f70dff82a4ed6668e9a Author: Gerd Hoffmann Date: Fri Jan 7 12:58:27 2022 +0100 crypto/bio: fix build on UEFI When compiling openssl for tianocore compiling abs_val() and pow_10() fails with the following error because SSE support is disabled: crypto/bio/bio_print.c:587:46: error: SSE register return with SSE disabled Fix that by using EFIAPI calling convention when compiling for UEFI. Signed-off-by: Gerd Hoffmann Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17442) (cherry picked from commit 328bf5adf9e23da523d4195db309083aa02403c4) --- Summary of changes: crypto/bio/bio_print.c | 9 + 1 file changed, 9 insertions(+) diff --git a/crypto/bio/bio_print.c b/crypto/bio/bio_print.c index 1ea9a1a3c6..60b28c61ff 100644 --- a/crypto/bio/bio_print.c +++ b/crypto/bio/bio_print.c @@ -13,6 +13,7 @@ #include "crypto/ctype.h" #include "internal/numbers.h" #include +#include /* * Copyright Patrick Powell 1995 @@ -512,7 +513,11 @@ fmtint(char **sbuffer, return 1; } +#ifdef OPENSSL_SYS_UEFI +static LDOUBLE EFIAPI abs_val(LDOUBLE value) +#else static LDOUBLE abs_val(LDOUBLE value) +#endif { LDOUBLE result = value; if (value < 0) @@ -520,7 +525,11 @@ static LDOUBLE abs_val(LDOUBLE value) return result; } +#ifdef OPENSSL_SYS_UEFI +static LDOUBLE EFIAPI pow_10(int in_exp) +#else static LDOUBLE pow_10(int in_exp) +#endif { LDOUBLE result = 1; while (in_exp) {
[openssl] master update
The branch master has been updated via 328bf5adf9e23da523d4195db309083aa02403c4 (commit) from 40c24d74deaad8a0ad7566a68ea5ea757bc3ccef (commit) - Log - commit 328bf5adf9e23da523d4195db309083aa02403c4 Author: Gerd Hoffmann Date: Fri Jan 7 12:58:27 2022 +0100 crypto/bio: fix build on UEFI When compiling openssl for tianocore compiling abs_val() and pow_10() fails with the following error because SSE support is disabled: crypto/bio/bio_print.c:587:46: error: SSE register return with SSE disabled Fix that by using EFIAPI calling convention when compiling for UEFI. Signed-off-by: Gerd Hoffmann Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17442) --- Summary of changes: crypto/bio/bio_print.c | 9 + 1 file changed, 9 insertions(+) diff --git a/crypto/bio/bio_print.c b/crypto/bio/bio_print.c index 1ea9a1a3c6..60b28c61ff 100644 --- a/crypto/bio/bio_print.c +++ b/crypto/bio/bio_print.c @@ -13,6 +13,7 @@ #include "crypto/ctype.h" #include "internal/numbers.h" #include +#include /* * Copyright Patrick Powell 1995 @@ -512,7 +513,11 @@ fmtint(char **sbuffer, return 1; } +#ifdef OPENSSL_SYS_UEFI +static LDOUBLE EFIAPI abs_val(LDOUBLE value) +#else static LDOUBLE abs_val(LDOUBLE value) +#endif { LDOUBLE result = value; if (value < 0) @@ -520,7 +525,11 @@ static LDOUBLE abs_val(LDOUBLE value) return result; } +#ifdef OPENSSL_SYS_UEFI +static LDOUBLE EFIAPI pow_10(int in_exp) +#else static LDOUBLE pow_10(int in_exp) +#endif { LDOUBLE result = 1; while (in_exp) {
[openssl] master update
The branch master has been updated via e1c122711edc3b9d64e506a51c3c0482569b7498 (commit) from 21095479c016f2ceaca0f71078fd27f0e9ba9375 (commit) - Log - commit e1c122711edc3b9d64e506a51c3c0482569b7498 Author: yangyangtiantianlonglong Date: Fri Dec 31 11:00:57 2021 +0800 Delete unused param about get_construct_message_f Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17385) --- Summary of changes: ssl/statem/statem.c | 4 ++-- ssl/statem/statem_clnt.c | 2 +- ssl/statem/statem_local.h | 4 ++-- ssl/statem/statem_srvr.c | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c index 4c463974ea..42a6577d5e 100644 --- a/ssl/statem/statem.c +++ b/ssl/statem/statem.c @@ -768,7 +768,7 @@ static SUB_STATE_RETURN write_state_machine(SSL *s) WRITE_TRAN(*transition) (SSL *s); WORK_STATE(*pre_work) (SSL *s, WORK_STATE wst); WORK_STATE(*post_work) (SSL *s, WORK_STATE wst); -int (*get_construct_message_f) (SSL *s, WPACKET *pkt, +int (*get_construct_message_f) (SSL *s, int (**confunc) (SSL *s, WPACKET *pkt), int *mt); void (*cb) (const SSL *ssl, int type, int val) = NULL; @@ -833,7 +833,7 @@ static SUB_STATE_RETURN write_state_machine(SSL *s) case WORK_FINISHED_STOP: return SUB_STATE_END_HANDSHAKE; } -if (!get_construct_message_f(s, , , )) { +if (!get_construct_message_f(s, , )) { /* SSLfatal() already called */ return SUB_STATE_ERROR; } diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 05f915bd91..63008bcba0 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -879,7 +879,7 @@ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst) * 1: Success * 0: Error */ -int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt, +int ossl_statem_client_construct_message(SSL *s, confunc_f *confunc, int *mt) { OSSL_STATEM *st = >statem; diff --git a/ssl/statem/statem_local.h b/ssl/statem/statem_local.h index 1883b0166f..326abeba18 100644 --- a/ssl/statem/statem_local.h +++ b/ssl/statem/statem_local.h @@ -75,7 +75,7 @@ int ossl_statem_client_read_transition(SSL *s, int mt); WRITE_TRAN ossl_statem_client_write_transition(SSL *s); WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst); WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst); -int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt, +int ossl_statem_client_construct_message(SSL *s, confunc_f *confunc, int *mt); size_t ossl_statem_client_max_message_size(SSL *s); MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt); @@ -88,7 +88,7 @@ int ossl_statem_server_read_transition(SSL *s, int mt); WRITE_TRAN ossl_statem_server_write_transition(SSL *s); WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst); WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst); -int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt, +int ossl_statem_server_construct_message(SSL *s, confunc_f *confunc,int *mt); size_t ossl_statem_server_max_message_size(SSL *s); MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt); diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 045abfcbc0..cc65ee2d0e 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1014,7 +1014,7 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) * 1: Success * 0: Error */ -int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt, +int ossl_statem_server_construct_message(SSL *s, confunc_f *confunc, int *mt) { OSSL_STATEM *st = >statem;
[openssl] master update
The branch master has been updated via 10481d33844218694929a7bad57314411a33ab74 (commit) from 22778abad905536fa6c93cdc6fffc8c736dfee79 (commit) - Log - commit 10481d33844218694929a7bad57314411a33ab74 Author: Peiwei Hu Date: Wed Jan 5 23:17:53 2022 +0800 Fix: some patches related to error exiting Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17417) --- Summary of changes: apps/verify.c| 1 + crypto/ec/ec_lib.c | 4 ++-- crypto/objects/obj_dat.c | 5 +++-- crypto/x509/v3_crld.c| 1 + crypto/x509/v3_sxnet.c | 8 +--- ssl/statem/statem_clnt.c | 2 +- test/evp_test.c | 2 +- 7 files changed, 14 insertions(+), 9 deletions(-) diff --git a/apps/verify.c b/apps/verify.c index 24bbebf3f3..d504acd5b8 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -263,6 +263,7 @@ static int check(X509_STORE *ctx, const char *file, if (x509_ctrl_string(x, opt) <= 0) { BIO_printf(bio_err, "parameter error \"%s\"\n", opt); ERR_print_errors(bio_err); +X509_free(x); return 0; } } diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index 3d3cf96962..2d85d4f23a 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -1710,8 +1710,8 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], ptmp = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_ENCODING); if (ptmp != NULL && !ossl_ec_encoding_param2id(ptmp, _flag)) { -ECerr(0, EC_R_INVALID_ENCODING); -return 0; +ERR_raise(ERR_LIB_EC, EC_R_INVALID_ENCODING); +goto err; } if (encoding_flag == OPENSSL_EC_NAMED_CURVE) { ERR_raise(ERR_LIB_EC, EC_R_INVALID_ENCODING); diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c index eef80d63ce..26d2508e86 100644 --- a/crypto/objects/obj_dat.c +++ b/crypto/objects/obj_dat.c @@ -747,16 +747,17 @@ int OBJ_create(const char *oid, const char *sn, const char *ln) if ((sn != NULL && OBJ_sn2nid(sn) != NID_undef) || (ln != NULL && OBJ_ln2nid(ln) != NID_undef)) { ERR_raise(ERR_LIB_OBJ, OBJ_R_OID_EXISTS); -goto err; +return 0; } /* Convert numerical OID string to an ASN1_OBJECT structure */ tmpoid = OBJ_txt2obj(oid, 1); if (tmpoid == NULL) -goto err; +return 0; if (!ossl_obj_write_lock(1)) { ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_WRITE_LOCK); +ASN1_OBJECT_free(tmpoid); return 0; } diff --git a/crypto/x509/v3_crld.c b/crypto/x509/v3_crld.c index b831f775db..0f239ca568 100644 --- a/crypto/x509/v3_crld.c +++ b/crypto/x509/v3_crld.c @@ -83,6 +83,7 @@ static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx, return -1; dnsect = X509V3_get_section(ctx, cnf->value); if (!dnsect) { +X509_NAME_free(nm); ERR_raise(ERR_LIB_X509V3, X509V3_R_SECTION_NOT_FOUND); return -1; } diff --git a/crypto/x509/v3_sxnet.c b/crypto/x509/v3_sxnet.c index 4b19ce07d5..9d4113386a 100644 --- a/crypto/x509/v3_sxnet.c +++ b/crypto/x509/v3_sxnet.c @@ -167,11 +167,12 @@ int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, const char *user, goto err; if (!ASN1_INTEGER_set(sx->version, 0)) goto err; -*psx = sx; } else sx = *psx; if (SXNET_get_id_INTEGER(sx, zone)) { ERR_raise(ERR_LIB_X509V3, X509V3_R_DUPLICATE_ZONE_ID); +if (*psx == NULL) +SXNET_free(sx); return 0; } @@ -183,13 +184,14 @@ int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, const char *user, if (!sk_SXNETID_push(sx->ids, id)) goto err; id->zone = zone; +*psx = sx; return 1; err: ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); SXNETID_free(id); -SXNET_free(sx); -*psx = NULL; +if (*psx == NULL) +SXNET_free(sx); return 0; } diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index b7e40e6db8..05f915bd91 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2926,7 +2926,7 @@ static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt) encoded_pub_len = EVP_PKEY_get1_encoded_public_key(ckey, _pub); if (encoded_pub_len == 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); -EVP_PKEY_free(skey); +EVP_PKEY_free(ckey); return EXT_RETURN_FAIL; } diff --git a/test/evp_test.c b/test/evp_test.c index 6ae862b044..d068d6fa8e 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -2510,7 +2510,7 @@ static int rand_test_run(EVP_TEST *t)
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via e33f05660447c69e89f2e9f5d3140a56322411d5 (commit) from 277a8334cd4a213619fe92107dd393eab6d8a801 (commit) - Log - commit e33f05660447c69e89f2e9f5d3140a56322411d5 Author: Peiwei Hu Date: Thu Jan 6 09:47:05 2022 +0800 providers/implementations/keymgmt/rsa_kmgmt.c: refactor gen_init There is risk to pass the gctx with NULL value to rsa_gen_set_params which dereference gctx directly. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17429) (cherry picked from commit 22778abad905536fa6c93cdc6fffc8c736dfee79) --- Summary of changes: providers/implementations/keymgmt/rsa_kmgmt.c | 19 --- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c index b1c3011f14..29e5d10813 100644 --- a/providers/implementations/keymgmt/rsa_kmgmt.c +++ b/providers/implementations/keymgmt/rsa_kmgmt.c @@ -454,19 +454,24 @@ static void *gen_init(void *provctx, int selection, int rsa_type, gctx->libctx = libctx; if ((gctx->pub_exp = BN_new()) == NULL || !BN_set_word(gctx->pub_exp, RSA_F4)) { -BN_free(gctx->pub_exp); -OPENSSL_free(gctx); -return NULL; +goto err; } gctx->nbits = 2048; gctx->primes = RSA_DEFAULT_PRIME_NUM; gctx->rsa_type = rsa_type; +} else { +goto err; } -if (!rsa_gen_set_params(gctx, params)) { -OPENSSL_free(gctx); -return NULL; -} + +if (!rsa_gen_set_params(gctx, params)) +goto err; return gctx; + +err: +if (gctx != NULL) +BN_free(gctx->pub_exp); +OPENSSL_free(gctx); +return NULL; } static void *rsa_gen_init(void *provctx, int selection,
[openssl] master update
The branch master has been updated via 22778abad905536fa6c93cdc6fffc8c736dfee79 (commit) from 6e98b7f153fcf9dfad1053fbb3a592166837c6fc (commit) - Log - commit 22778abad905536fa6c93cdc6fffc8c736dfee79 Author: Peiwei Hu Date: Thu Jan 6 09:47:05 2022 +0800 providers/implementations/keymgmt/rsa_kmgmt.c: refactor gen_init There is risk to pass the gctx with NULL value to rsa_gen_set_params which dereference gctx directly. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17429) --- Summary of changes: providers/implementations/keymgmt/rsa_kmgmt.c | 19 --- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c index b1c3011f14..29e5d10813 100644 --- a/providers/implementations/keymgmt/rsa_kmgmt.c +++ b/providers/implementations/keymgmt/rsa_kmgmt.c @@ -454,19 +454,24 @@ static void *gen_init(void *provctx, int selection, int rsa_type, gctx->libctx = libctx; if ((gctx->pub_exp = BN_new()) == NULL || !BN_set_word(gctx->pub_exp, RSA_F4)) { -BN_free(gctx->pub_exp); -OPENSSL_free(gctx); -return NULL; +goto err; } gctx->nbits = 2048; gctx->primes = RSA_DEFAULT_PRIME_NUM; gctx->rsa_type = rsa_type; +} else { +goto err; } -if (!rsa_gen_set_params(gctx, params)) { -OPENSSL_free(gctx); -return NULL; -} + +if (!rsa_gen_set_params(gctx, params)) +goto err; return gctx; + +err: +if (gctx != NULL) +BN_free(gctx->pub_exp); +OPENSSL_free(gctx); +return NULL; } static void *rsa_gen_init(void *provctx, int selection,
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 8e5ba8d0be7410fb784d5895d97dcc23d6266715 (commit) via f1c7b44ebb826ba89f5b74ae455d7e03dbe98642 (commit) from d0bfe6dc399e7071b660160d3470a050f0240013 (commit) - Log - commit 8e5ba8d0be7410fb784d5895d97dcc23d6266715 Author: Pauli Date: Tue Jan 4 10:52:52 2022 +1100 Revert "property: use a stack to efficiently convert index to string" This reverts commit e4a32f209ce6dcb380a7dc8c10a42946345ff38f. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/17403) commit f1c7b44ebb826ba89f5b74ae455d7e03dbe98642 Author: Pauli Date: Tue Jan 4 10:52:49 2022 +1100 Revert "test: add some unit tests for the property to string functions" This reverts commit e1436d54b9de5012d1716212c7329e46cf21a24a. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/17403) --- Summary of changes: crypto/property/property_string.c | 114 +- test/property_test.c | 61 ++-- 2 files changed, 78 insertions(+), 97 deletions(-) diff --git a/crypto/property/property_string.c b/crypto/property/property_string.c index 6c61bfbbb2..38deab5af0 100644 --- a/crypto/property/property_string.c +++ b/crypto/property/property_string.c @@ -40,8 +40,6 @@ typedef struct { PROP_TABLE *prop_values; OSSL_PROPERTY_IDX prop_name_idx; OSSL_PROPERTY_IDX prop_value_idx; -STACK_OF(OPENSSL_CSTRING) *prop_namelist; -STACK_OF(OPENSSL_CSTRING) *prop_valuelist; } PROPERTY_STRING_DATA; static unsigned long property_hash(const PROPERTY_STRING *a) @@ -80,9 +78,6 @@ static void property_string_data_free(void *vpropdata) CRYPTO_THREAD_lock_free(propdata->lock); property_table_free(>prop_names); property_table_free(>prop_values); -sk_OPENSSL_CSTRING_free(propdata->prop_namelist); -sk_OPENSSL_CSTRING_free(propdata->prop_valuelist); -propdata->prop_namelist = propdata->prop_valuelist = NULL; propdata->prop_name_idx = propdata->prop_value_idx = 0; OPENSSL_free(propdata); @@ -95,21 +90,24 @@ static void *property_string_data_new(OSSL_LIB_CTX *ctx) { return NULL; propdata->lock = CRYPTO_THREAD_lock_new(); +if (propdata->lock == NULL) +goto err; + propdata->prop_names = lh_PROPERTY_STRING_new(_hash, _cmp); +if (propdata->prop_names == NULL) +goto err; + propdata->prop_values = lh_PROPERTY_STRING_new(_hash, _cmp); -propdata->prop_namelist = sk_OPENSSL_CSTRING_new_null(); -propdata->prop_valuelist = sk_OPENSSL_CSTRING_new_null(); -if (propdata->lock == NULL -|| propdata->prop_names == NULL -|| propdata->prop_values == NULL -|| propdata->prop_namelist == NULL -|| propdata->prop_valuelist == NULL) { -property_string_data_free(propdata); -return NULL; -} +if (propdata->prop_values == NULL) +goto err; + return propdata; + +err: +property_string_data_free(propdata); +return NULL; } static const OSSL_LIB_CTX_METHOD property_string_data_method = { @@ -136,65 +134,57 @@ static PROPERTY_STRING *new_property_string(const char *s, return ps; } -static OSSL_PROPERTY_IDX ossl_property_string(OSSL_LIB_CTX *ctx, int name, - int create, const char *s) +static OSSL_PROPERTY_IDX ossl_property_string(CRYPTO_RWLOCK *lock, + PROP_TABLE *t, + OSSL_PROPERTY_IDX *pidx, + const char *s) { PROPERTY_STRING p, *ps, *ps_new; -PROP_TABLE *t; -STACK_OF(OPENSSL_CSTRING) *slist; -OSSL_PROPERTY_IDX *pidx; -PROPERTY_STRING_DATA *propdata -= ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_PROPERTY_STRING_INDEX, -_string_data_method); -if (propdata == NULL) -return 0; - -t = name ? propdata->prop_names : propdata->prop_values; p.s = s; -if (!CRYPTO_THREAD_read_lock(propdata->lock)) { +if (!CRYPTO_THREAD_read_lock(lock)) { ERR_raise(ERR_LIB_CRYPTO, ERR_R_UNABLE_TO_GET_READ_LOCK); return 0; } ps = lh_PROPERTY_STRING_retrieve(t, ); -if (ps == NULL && create) { -CRYPTO_THREAD_unlock(propdata->lock); -if (!CRYPTO_THREAD_write_lock(propdata->lock)) { +if (ps == NULL && pidx != NULL) { +CRYPTO_THREAD_unlock(lock); +if (!CRYPTO_THREAD_write_lock(lock)) { ERR_raise(ERR_LIB_CRYPTO, ERR_R_UNABLE_TO_GET_WRITE_LOCK); return 0; } -pidx = name ? >prop_name_idx :
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via d0bfe6dc399e7071b660160d3470a050f0240013 (commit) from 5135551613f134d39fe34442d08b38d5221175b9 (commit) - Log - commit d0bfe6dc399e7071b660160d3470a050f0240013 Author: Matt Caswell Date: Wed Dec 29 13:42:58 2021 + Validate the category in OSSL_trace_end() OSSL_trace_end() should validate that the category it has been passed by the caler is valid, and return immediately if not. Fixes #17353 Reviewed-by: Tomas Mraz Reviewed-by: Tim Hudson Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17371) (cherry picked from commit ee8a61e158c42c327c3303101083422b9a7cc504) --- Summary of changes: crypto/trace.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/trace.c b/crypto/trace.c index f012b617ab..cc0b477698 100644 --- a/crypto/trace.c +++ b/crypto/trace.c @@ -496,6 +496,8 @@ void OSSL_trace_end(int category, BIO * channel) char *suffix = NULL; category = ossl_trace_get_category(category); +if (category < 0) +return; suffix = trace_channels[category].suffix; if (channel != NULL && ossl_assert(channel == current_channel)) {
[openssl] master update
The branch master has been updated via ee8a61e158c42c327c3303101083422b9a7cc504 (commit) from 0088ef48c3e7d9c68e5b3c75cb077da601d22f37 (commit) - Log - commit ee8a61e158c42c327c3303101083422b9a7cc504 Author: Matt Caswell Date: Wed Dec 29 13:42:58 2021 + Validate the category in OSSL_trace_end() OSSL_trace_end() should validate that the category it has been passed by the caler is valid, and return immediately if not. Fixes #17353 Reviewed-by: Tomas Mraz Reviewed-by: Tim Hudson Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17371) --- Summary of changes: crypto/trace.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/trace.c b/crypto/trace.c index f012b617ab..cc0b477698 100644 --- a/crypto/trace.c +++ b/crypto/trace.c @@ -496,6 +496,8 @@ void OSSL_trace_end(int category, BIO * channel) char *suffix = NULL; category = ossl_trace_get_category(category); +if (category < 0) +return; suffix = trace_channels[category].suffix; if (channel != NULL && ossl_assert(channel == current_channel)) {
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via e1436d54b9de5012d1716212c7329e46cf21a24a (commit) via e4a32f209ce6dcb380a7dc8c10a42946345ff38f (commit) from 824b0d56e757f4a5c0f8af48add768db33d8ce51 (commit) - Log - commit e1436d54b9de5012d1716212c7329e46cf21a24a Author: Pauli Date: Tue Dec 21 11:44:49 2021 +1100 test: add some unit tests for the property to string functions That is: ossl_property_name_str and ossl_property_value_str. These only have high level tests during the creation of child library contexts. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17325) (cherry picked from commit 9f6841e9d8964943cf5f616543750cee85c4911c) commit e4a32f209ce6dcb380a7dc8c10a42946345ff38f Author: Pauli Date: Tue Dec 21 11:44:31 2021 +1100 property: use a stack to efficiently convert index to string The existing code does this conversion by searching the hash table for the appropriate index which is slow and expensive. Fixes #15867 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17325) (cherry picked from commit 2e3c59356f847a76a90f9f837d4983428df6eb19) --- Summary of changes: crypto/property/property_string.c | 114 +- test/property_test.c | 61 ++-- 2 files changed, 97 insertions(+), 78 deletions(-) diff --git a/crypto/property/property_string.c b/crypto/property/property_string.c index 38deab5af0..6c61bfbbb2 100644 --- a/crypto/property/property_string.c +++ b/crypto/property/property_string.c @@ -40,6 +40,8 @@ typedef struct { PROP_TABLE *prop_values; OSSL_PROPERTY_IDX prop_name_idx; OSSL_PROPERTY_IDX prop_value_idx; +STACK_OF(OPENSSL_CSTRING) *prop_namelist; +STACK_OF(OPENSSL_CSTRING) *prop_valuelist; } PROPERTY_STRING_DATA; static unsigned long property_hash(const PROPERTY_STRING *a) @@ -78,6 +80,9 @@ static void property_string_data_free(void *vpropdata) CRYPTO_THREAD_lock_free(propdata->lock); property_table_free(>prop_names); property_table_free(>prop_values); +sk_OPENSSL_CSTRING_free(propdata->prop_namelist); +sk_OPENSSL_CSTRING_free(propdata->prop_valuelist); +propdata->prop_namelist = propdata->prop_valuelist = NULL; propdata->prop_name_idx = propdata->prop_value_idx = 0; OPENSSL_free(propdata); @@ -90,24 +95,21 @@ static void *property_string_data_new(OSSL_LIB_CTX *ctx) { return NULL; propdata->lock = CRYPTO_THREAD_lock_new(); -if (propdata->lock == NULL) -goto err; - propdata->prop_names = lh_PROPERTY_STRING_new(_hash, _cmp); -if (propdata->prop_names == NULL) -goto err; - propdata->prop_values = lh_PROPERTY_STRING_new(_hash, _cmp); -if (propdata->prop_values == NULL) -goto err; - +propdata->prop_namelist = sk_OPENSSL_CSTRING_new_null(); +propdata->prop_valuelist = sk_OPENSSL_CSTRING_new_null(); +if (propdata->lock == NULL +|| propdata->prop_names == NULL +|| propdata->prop_values == NULL +|| propdata->prop_namelist == NULL +|| propdata->prop_valuelist == NULL) { +property_string_data_free(propdata); +return NULL; +} return propdata; - -err: -property_string_data_free(propdata); -return NULL; } static const OSSL_LIB_CTX_METHOD property_string_data_method = { @@ -134,57 +136,65 @@ static PROPERTY_STRING *new_property_string(const char *s, return ps; } -static OSSL_PROPERTY_IDX ossl_property_string(CRYPTO_RWLOCK *lock, - PROP_TABLE *t, - OSSL_PROPERTY_IDX *pidx, - const char *s) +static OSSL_PROPERTY_IDX ossl_property_string(OSSL_LIB_CTX *ctx, int name, + int create, const char *s) { PROPERTY_STRING p, *ps, *ps_new; +PROP_TABLE *t; +STACK_OF(OPENSSL_CSTRING) *slist; +OSSL_PROPERTY_IDX *pidx; +PROPERTY_STRING_DATA *propdata += ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_PROPERTY_STRING_INDEX, +_string_data_method); +if (propdata == NULL) +return 0; + +t = name ? propdata->prop_names : propdata->prop_values; p.s = s; -if (!CRYPTO_THREAD_read_lock(lock)) { +if (!CRYPTO_THREAD_read_lock(propdata->lock)) { ERR_raise(ERR_LIB_CRYPTO, ERR_R_UNABLE_TO_GET_READ_LOCK); return 0; } ps = lh_PROPERTY_STRING_retrieve(t, ); -if (ps == NULL && pidx != NULL) { -CRYPTO_THREAD_unlock(lock); -if