SUCCESSFUL build of OpenSSL branch master with options -d --strict-warnings no-tls1_3
Platform and configuration command: $ uname -a Linux run 5.4.0-70-generic #78-Ubuntu SMP Fri Mar 19 13:29:52 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_3 Commit log since last time: d830526c71 APPS: Improve diagnostics for string options and options expecting int >= 0 1ae33400bf APPS: Prevent ASAN hickup on idempotent strncpy() in opt_progname() a70936a845 TEST: correct test/recipes/30-test_evp_data/evppkey_ecdh.txt 3d80b5e611 STORE: Simplify error filtering in der2obj_decode() 521a0bf6a1 crypto/store/ossl_result.c: Better filtering of errors e36a4dc476 EVP: evp_keymgmt_util_try_import() should clean up on failed import f58f7ec939 Don't remove $(TARFILE) when cleaning 45e72d1f27 test: separate some DES based tests out to permit a no-des build to work e98a182e51 test: fix test_evp_kdf when DES is disabled. 582043dae7 Runchecker fix for the no-autoerrinit build 9c11e8ec1f Runchecker: fix failure with no-autoalginit option by disabling FIPS 94dc4282c3 Runchecker: fix TLS curves test failure with no-tls1_3 option da671c4184 Runchecker: fix no-ec2m build which was trying to validate the e2cm curves 5af6e154d0 Trivial shortcuts for EVP_PKEY_eq() 0ba8bc0583 Remove obsolete comment 2de02e7dca Added Perl installation instructions to NOTES-PERL.md for HPE NonStop. 75f036c6c5 BIO_s_connect.pod: Improve doc of BIO_set_conn_hostname() etc. ef203432f7 apps/cmp.c and APP_HTTP_TLS_INFO: Fix use-after-free and add proper free() function 078fa35c7b Remove an unused parameter 1f3b58d841 Some compilers define __STDC_VERSION__ in c++ ef7ae35910 Read a REQUEST not RESPONSE in ocsp responder 64c609e71e test_sslextension: skip tests that cannot work with no-tls1_2 bf6aeeb481 http/http_lib.c: Include stdio.h for sscanf() b5644c2a09 Force public key to be included unless explicitly excluded with -no_public 309c6fbace Add RUN_ONCE support to zlib init 1fac270501 Fix potential NULL dereference in OSSL_PARAM_get_utf8_string() db6b1266ab Fix potential NULL dereference in ossl_ec_key_dup() 59088414bc Removed dead code in linebuffer_ctrl() 6b2978406d e_os.h: Include wspiapi.h to improve Windows backward compatibility fc5245a92e add Changelog item for TLS1.3 FFDHE work ed82976b43 Prepare for 3.0 alpha 16 b07412ef80 Prepare for release of 3.0 alpha 15 f5afac4bda Update copyright year d97f087063 Fix build failure with MSVC cd28d129b6 Avoid the need for Configure time 128-bit int detection af9fb19a47 Fix typos 16df436df2 Add missing argname for keymgmt_gettable_params and keymgmt_settable_params prototypes
[openssl] master update
The branch master has been updated via 8365652287a27179143ee67b88c607a087f5d6f8 (commit) via 680dbd16dc35c6f004c551d19090869e70040af1 (commit) via eaf8a40d97d642ccd2c55fbf8bb8ee3242aec04a (commit) from c0a79e9836a9aa30912978f69fab3b3bb3a8ddc5 (commit) - Log - commit 8365652287a27179143ee67b88c607a087f5d6f8 Author: Tomas Mraz Date: Mon Apr 26 15:04:53 2021 +0200 Use "canonical" names when matching the output of the commands Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/15028) commit 680dbd16dc35c6f004c551d19090869e70040af1 Author: Tomas Mraz Date: Mon Apr 26 13:12:28 2021 +0200 Skip GOST engine tests in out of tree builds Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/15028) commit eaf8a40d97d642ccd2c55fbf8bb8ee3242aec04a Author: Tomas Mraz Date: Mon Apr 26 12:08:27 2021 +0200 Prefer fetch over legacy get_digestby/get_cipherby Fixes #14198 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/15028) --- Summary of changes: apps/include/opt.h | 2 + apps/lib/opt.c | 53 +- apps/req.c | 11 ++-- apps/speed.c| 86 +++-- crypto/crmf/crmf_lib.c | 19 ++- crypto/ess/ess_lib.c| 50 +++-- crypto/ocsp/ocsp_vfy.c | 50 +++-- crypto/ts/ts_rsp_verify.c | 26 +++-- test/recipes/20-test_dgst.t | 4 +- test/recipes/25-test_crl.t | 2 +- test/recipes/95-test_external_gost_engine.t | 4 +- 11 files changed, 177 insertions(+), 130 deletions(-) diff --git a/apps/include/opt.h b/apps/include/opt.h index c8024975b2..f9ac5accae 100644 --- a/apps/include/opt.h +++ b/apps/include/opt.h @@ -368,7 +368,9 @@ int opt_umax(const char *arg, uintmax_t *result); int opt_pair(const char *arg, const OPT_PAIR * pairs, int *result); int opt_string(const char *name, const char **options); int opt_cipher(const char *name, EVP_CIPHER **cipherp); +int opt_cipher_silent(const char *name, EVP_CIPHER **cipherp); int opt_md(const char *name, EVP_MD **mdp); +int opt_md_silent(const char *name, EVP_MD **mdp); char *opt_name(void); char *opt_arg(void); char *opt_flag(void); diff --git a/apps/lib/opt.c b/apps/lib/opt.c index 0c7405a921..83ae28cdc1 100644 --- a/apps/lib/opt.c +++ b/apps/lib/opt.c @@ -22,6 +22,7 @@ #include #include #include +#include #include #include @@ -359,34 +360,56 @@ void print_format_error(int format, unsigned long flags) } /* Parse a cipher name, put it in *EVP_CIPHER; return 0 on failure, else 1. */ -int opt_cipher(const char *name, EVP_CIPHER **cipherp) +int opt_cipher_silent(const char *name, EVP_CIPHER **cipherp) { -*cipherp = EVP_CIPHER_fetch(NULL, name, NULL); -if (*cipherp != NULL) -return 1; -*cipherp = (EVP_CIPHER *)EVP_get_cipherbyname(name); -if (*cipherp != NULL) +EVP_CIPHER_free(*cipherp); + +ERR_set_mark(); +if ((*cipherp = EVP_CIPHER_fetch(NULL, name, NULL)) != NULL +|| (*cipherp = (EVP_CIPHER *)EVP_get_cipherbyname(name)) != NULL) { +ERR_pop_to_mark(); return 1; -opt_printf_stderr("%s: Unknown cipher: %s\n", prog, name); +} +ERR_clear_last_mark(); return 0; } +int opt_cipher(const char *name, EVP_CIPHER **cipherp) +{ +int ret; + +if ((ret = opt_cipher_silent(name, cipherp)) == 0) + opt_printf_stderr("%s: Unknown cipher: %s\n", prog, name); +return ret; +} + /* * Parse message digest name, put it in *EVP_MD; return 0 on failure, else 1. */ -int opt_md(const char *name, EVP_MD **mdp) +int opt_md_silent(const char *name, EVP_MD **mdp) { -*mdp = (EVP_MD *)EVP_get_digestbyname(name); -if (*mdp != NULL) -return 1; -*mdp = EVP_MD_fetch(NULL, name, NULL); -if (*mdp != NULL) +EVP_MD_free(*mdp); + +ERR_set_mark(); +if ((*mdp = EVP_MD_fetch(NULL, name, NULL)) != NULL +|| (*mdp = (EVP_MD *)EVP_get_digestbyname(name)) != NULL) { +ERR_pop_to_mark(); return 1; -opt_printf_stderr("%s: Unknown option or message digest: %s\n", prog, - name != NULL ? name : "\"\""); +} +ERR_clear_last_mark(); return 0; } +int opt_md(const char *name, EVP_MD **mdp) +{ +int ret; + +if ((ret = opt_md_silent(name, mdp)) == 0) +opt_printf_stderr("%s: Unknown option or message digest: %s\n", prog, + name != NULL ? name : "\"\""); +return ret; +} + /* Look through a list of name/value pairs. */ int opt_pair(const char *name, const OPT_PAIR
[openssl] master update
The branch master has been updated via e1491a2f15a985e642043f234240953886d2f989 (commit) from 8365652287a27179143ee67b88c607a087f5d6f8 (commit) - Log - commit e1491a2f15a985e642043f234240953886d2f989 Author: Jon Spillett Date: Tue Apr 27 14:56:00 2021 +1000 Add testing for updated cipher IV Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15041) --- Summary of changes: test/evp_test.c| 17 + .../30-test_evp_data/evpciph_aes_common.txt| 74 ++ test/recipes/30-test_evp_data/evpciph_aria.txt | 12 test/recipes/30-test_evp_data/evpciph_camellia.txt | 60 ++ test/recipes/30-test_evp_data/evpciph_des.txt | 3 +- .../30-test_evp_data/evpciph_des3_common.txt | 1 + test/recipes/30-test_evp_data/evpciph_rc2.txt | 4 ++ test/recipes/30-test_evp_data/evpciph_rc5.txt | 8 +++ test/recipes/30-test_evp_data/evpciph_seed.txt | 42 9 files changed, 220 insertions(+), 1 deletion(-) diff --git a/test/evp_test.c b/test/evp_test.c index 7bfe97f4ae..79ca676c87 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -504,6 +504,7 @@ typedef struct cipher_data_st { size_t key_len; size_t key_bits; /* Used by RC2 */ unsigned char *iv; +unsigned char *next_iv; /* Expected IV state after operation */ unsigned int rounds; size_t iv_len; unsigned char *plaintext; @@ -564,6 +565,7 @@ static void cipher_test_cleanup(EVP_TEST *t) OPENSSL_free(cdat->key); OPENSSL_free(cdat->iv); +OPENSSL_free(cdat->next_iv); OPENSSL_free(cdat->ciphertext); OPENSSL_free(cdat->plaintext); for (i = 0; i < AAD_NUM; i++) @@ -589,6 +591,8 @@ static int cipher_test_parse(EVP_TEST *t, const char *keyword, } if (strcmp(keyword, "IV") == 0) return parse_bin(value, &cdat->iv, &cdat->iv_len); +if (strcmp(keyword, "NextIV") == 0) +return parse_bin(value, &cdat->next_iv, &cdat->iv_len); if (strcmp(keyword, "Plaintext") == 0) return parse_bin(value, &cdat->plaintext, &cdat->plaintext_len); if (strcmp(keyword, "Ciphertext") == 0) @@ -885,6 +889,19 @@ static int cipher_test_enc(EVP_TEST *t, int enc, rtag, expected->tag_len)) goto err; } +/* Check the updated IV */ +if (expected->next_iv != NULL) { +/* Some (e.g., GCM) tests use IVs longer than EVP_MAX_IV_LENGTH. */ +unsigned char iv[128]; +if (!TEST_true(EVP_CIPHER_CTX_get_updated_iv(ctx, iv, sizeof(iv))) +|| ((EVP_CIPHER_flags(expected->cipher) & EVP_CIPH_CUSTOM_IV) == 0 +&& !TEST_mem_eq(expected->next_iv, expected->iv_len, iv, +expected->iv_len))) { +t->err = "INVALID_NEXT_IV"; +goto err; +} +} + t->err = NULL; ok = 1; err: diff --git a/test/recipes/30-test_evp_data/evpciph_aes_common.txt b/test/recipes/30-test_evp_data/evpciph_aes_common.txt index e2d88b1335..c0ed605646 100644 --- a/test/recipes/30-test_evp_data/evpciph_aes_common.txt +++ b/test/recipes/30-test_evp_data/evpciph_aes_common.txt @@ -148,24 +148,28 @@ Key = 2B7E151628AED2A6ABF7158809CF4F3C IV = 000102030405060708090A0B0C0D0E0F Plaintext = 6BC1BEE22E409F96E93D7E117393172A Ciphertext = 7649ABAC8119B246CEE98E9B12E9197D +NextIV = 7649abac8119b246cee98e9b12e9197d Cipher = AES-128-CBC Key = 2B7E151628AED2A6ABF7158809CF4F3C IV = 7649ABAC8119B246CEE98E9B12E9197D Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 Ciphertext = 5086CB9B507219EE95DB113A917678B2 +NextIV = 5086cb9b507219ee95db113a917678b2 Cipher = AES-128-CBC Key = 2B7E151628AED2A6ABF7158809CF4F3C IV = 5086CB9B507219EE95DB113A917678B2 Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF Ciphertext = 73BED6B8E3C1743B7116E69E9516 +NextIV = 73bed6b8e3c1743b7116e69e9516 Cipher = AES-128-CBC Key = 2B7E151628AED2A6ABF7158809CF4F3C IV = 73BED6B8E3C1743B7116E69E9516 Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 Ciphertext = 3FF1CAA1681FAC09120ECA307586E1A7 +NextIV = 3ff1caa1681fac09120eca307586e1a7 # CBC-AES192.Encrypt and CBC-AES192.Decrypt Cipher = AES-192-CBC @@ -173,24 +177,28 @@ Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B IV = 000102030405060708090A0B0C0D0E0F Plaintext = 6BC1BEE22E409F96E93D7E117393172A Ciphertext = 4F021DB243BC633D7178183A9FA071E8 +NextIV = 4f021db243bc633d7178183a9fa071e8 Cipher = AES-192-CBC Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B IV = 4F021DB243BC633D7178183A9FA071E8 Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 Ciphertext = B4D9ADA9AD7DEDF4E5E738763F69145A +NextIV = b4d9ada9ad7dedf4e5e738763f69145a Cipher = AES-192-CBC Key = 8E73B0F7DA0E6452C810F32B
[openssl] master update
The branch master has been updated via 67ea4beb9451ff3855877c2771dd4def0fc10a73 (commit) via 5fd7eb5c8a45e8aba7a2610dfcfbcfb2eb6c1aec (commit) from e1491a2f15a985e642043f234240953886d2f989 (commit) - Log - commit 67ea4beb9451ff3855877c2771dd4def0fc10a73 Author: Tomas Mraz Date: Mon Mar 29 14:18:10 2021 +0200 OPENSSL_sk functions are effectively already documented Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14728) commit 5fd7eb5c8a45e8aba7a2610dfcfbcfb2eb6c1aec Author: Tomas Mraz Date: Mon Mar 29 12:41:18 2021 +0200 Improve the implementation of X509_STORE_CTX_get1_issuer() It is possible for the stack of X509_OBJECTs held in an X509_STORE_CTX to have a custom compare function associated with it. Normally (by default) this uses X509_NAME_cmp(). The X509_STORE_CTX_get1_issuer() function assumed that it would always be X509_NAME_cmp(). By implementing OPENSSL_sk_find_all() function we can avoid explicitly using X509_NAME_cmp() in X509_STORE_CTX_get1_issuer(). Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14728) --- Summary of changes: crypto/stack/stack.c | 34 ++ crypto/x509/x509_lu.c | 22 -- doc/man3/DEFINE_STACK_OF.pod | 42 -- include/openssl/safestack.h.in | 4 include/openssl/stack.h| 1 + util/libcrypto.num | 1 + util/missingcrypto.txt | 24 util/perl/OpenSSL/stackhash.pm | 1 + 8 files changed, 69 insertions(+), 60 deletions(-) diff --git a/crypto/stack/stack.c b/crypto/stack/stack.c index 4c234f5a74..3d8e4746cf 100644 --- a/crypto/stack/stack.c +++ b/crypto/stack/stack.c @@ -297,7 +297,7 @@ void *OPENSSL_sk_delete(OPENSSL_STACK *st, int loc) } static int internal_find(OPENSSL_STACK *st, const void *data, - int ret_val_options) + int ret_val_options, int *pnum) { const void *r; int i; @@ -307,8 +307,13 @@ static int internal_find(OPENSSL_STACK *st, const void *data, if (st->comp == NULL) { for (i = 0; i < st->num; i++) -if (st->data[i] == data) +if (st->data[i] == data) { +if (pnum != NULL) +*pnum = 1; return i; +} +if (pnum != NULL) +*pnum = 0; return -1; } @@ -319,20 +324,41 @@ static int internal_find(OPENSSL_STACK *st, const void *data, } if (data == NULL) return -1; +if (pnum != NULL) +ret_val_options |= OSSL_BSEARCH_FIRST_VALUE_ON_MATCH; r = ossl_bsearch(&data, st->data, st->num, sizeof(void *), st->comp, ret_val_options); +if (pnum != NULL) { +*pnum = 0; +if (r != NULL) { +const void **p = (const void **)r; + +while (p < st->data + st->num) { +if (st->comp(&data, p) != 0) +break; +++*pnum; +++p; +} +} +} + return r == NULL ? -1 : (int)((const void **)r - st->data); } int OPENSSL_sk_find(OPENSSL_STACK *st, const void *data) { -return internal_find(st, data, OSSL_BSEARCH_FIRST_VALUE_ON_MATCH); +return internal_find(st, data, OSSL_BSEARCH_FIRST_VALUE_ON_MATCH, NULL); } int OPENSSL_sk_find_ex(OPENSSL_STACK *st, const void *data) { -return internal_find(st, data, OSSL_BSEARCH_VALUE_ON_NOMATCH); +return internal_find(st, data, OSSL_BSEARCH_VALUE_ON_NOMATCH, NULL); +} + +int OPENSSL_sk_find_all(OPENSSL_STACK *st, const void *data, int *pnum) +{ +return internal_find(st, data, OSSL_BSEARCH_FIRST_VALUE_ON_MATCH, pnum); } int OPENSSL_sk_push(OPENSSL_STACK *st, const void *data) diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index 0bd23c21b1..bce0fa760c 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -516,19 +516,7 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type, return -1; } -idx = sk_X509_OBJECT_find(h, &stmp); -if (idx >= 0 && pnmatch) { -int tidx; -const X509_OBJECT *tobj, *pstmp; -*pnmatch = 1; -pstmp = &stmp; -for (tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++) { -tobj = sk_X509_OBJECT_value(h, tidx); -if (x509_object_cmp(&tobj, &pstmp)) -break; -(*pnmatch)++; -} -} +idx = sk_X509_OBJECT_find_all(h, &stmp, pnmatch); return idx; } @@ -725,7 +713,7 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) const X509_NAME *xn; X509_OBJECT *obj = X509_OBJE
[openssl] master update
The branch master has been updated via d97adfda2868aeb9e62df96216203e8120a95d6d (commit) from 67ea4beb9451ff3855877c2771dd4def0fc10a73 (commit) - Log - commit d97adfda2868aeb9e62df96216203e8120a95d6d Author: Kevin Cadieux Date: Fri Mar 19 13:54:05 2021 -0700 memleaktest with MSVC's AddressSanitizer Disabling memleaktest under MSVC because leak detection is not a supported feature with MSVC's AddressSanitizer. Leaving ASan enabled in this case causes a test failure because the test suite is expecting the leak to be detected. CLA: trivial Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14581) --- Summary of changes: test/memleaktest.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/test/memleaktest.c b/test/memleaktest.c index 1e07723a6f..b48dbced0d 100644 --- a/test/memleaktest.c +++ b/test/memleaktest.c @@ -20,7 +20,10 @@ # endif #endif /* If __SANITIZE_ADDRESS__ isn't defined, define it to be false */ -#ifndef __SANITIZE_ADDRESS__ +/* Leak detection is not yet supported with MSVC on Windows, so */ +/* set __SANITIZE_ADDRESS__ to false in this case as well. */ +#if !defined(__SANITIZE_ADDRESS__) || defined(_MSC_VER) +# undef __SANITIZE_ADDRESS__ # define __SANITIZE_ADDRESS__ 0 #endif
[openssl] master update
The branch master has been updated via cdf63a3736a91a534bd3bc952b1dc3ef714604dd (commit) from d97adfda2868aeb9e62df96216203e8120a95d6d (commit) - Log - commit cdf63a3736a91a534bd3bc952b1dc3ef714604dd Author: David Benjamin Date: Thu Mar 11 14:43:04 2021 -0500 Add X509 version constants. The X509 version APIs return the numerical values of the version numbers, which are one off from the names. This is a bit confusing. Where they don't get it wrong (accidentally making an "X509v4" certificate), callers tend to try commenting every call site to explain the mismatch, including in OpenSSL itself. Define constants for these values, so code can be self-documenting and callers are nudged towards the right values. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14549) --- Summary of changes: apps/ca.c | 4 ++-- apps/lib/apps.c | 2 +- apps/req.c| 3 ++- crypto/x509/t_crl.c | 2 +- crypto/x509/t_req.c | 2 +- crypto/x509/t_x509.c | 2 +- crypto/x509/v3_purp.c | 2 +- crypto/x509/x509_cmp.c| 4 ++-- crypto/x509/x509_vfy.c| 4 ++-- doc/man3/X509_get_version.pod | 10 ++ include/openssl/x509.h.in | 9 + test/v3nametest.c | 2 +- 12 files changed, 29 insertions(+), 17 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index 6c1df8d2e3..2476343fdd 100755 --- a/apps/ca.c +++ b/apps/ca.c @@ -1255,8 +1255,8 @@ end_of_options: } } if (crl_ext != NULL || crl_v2) { -if (!X509_CRL_set_version(crl, 1)) -goto end; /* version 2 CRL */ +if (!X509_CRL_set_version(crl, X509_CRL_VERSION_2)) +goto end; } /* we have a CRL number that need updating */ diff --git a/apps/lib/apps.c b/apps/lib/apps.c index e39e7cd061..4b7b38cf5c 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -2209,7 +2209,7 @@ int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const EVP_MD *md, if (sk_X509_EXTENSION_num(exts /* may be NULL */) > 0) { /* Prevent X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3 */ -if (!X509_set_version(cert, 2)) /* Make sure cert is X509 v3 */ +if (!X509_set_version(cert, X509_VERSION_3)) goto end; /* diff --git a/apps/req.c b/apps/req.c index 89bde55b93..0a524118f0 100644 --- a/apps/req.c +++ b/apps/req.c @@ -1117,7 +1117,8 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, X509_NAME *fsubj, } } -if (!X509_REQ_set_version(req, 0L)) /* so far there is only version 1 */ +/* so far there is only version 1 */ +if (!X509_REQ_set_version(req, X509_REQ_VERSION_1)) goto err; if (fsubj != NULL) diff --git a/crypto/x509/t_crl.c b/crypto/x509/t_crl.c index b9bffbb0c6..48bcf5bb44 100644 --- a/crypto/x509/t_crl.c +++ b/crypto/x509/t_crl.c @@ -48,7 +48,7 @@ int X509_CRL_print_ex(BIO *out, X509_CRL *x, unsigned long nmflag) BIO_printf(out, "Certificate Revocation List (CRL):\n"); l = X509_CRL_get_version(x); -if (l >= 0 && l <= 1) +if (l >= X509_CRL_VERSION_1 && l <= X509_CRL_VERSION_2) BIO_printf(out, "%8sVersion %ld (0x%lx)\n", "", l + 1, (unsigned long)l); else BIO_printf(out, "%8sVersion unknown (%ld)\n", "", l); diff --git a/crypto/x509/t_req.c b/crypto/x509/t_req.c index 29479b0886..095c165100 100644 --- a/crypto/x509/t_req.c +++ b/crypto/x509/t_req.c @@ -60,7 +60,7 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, } if (!(cflag & X509_FLAG_NO_VERSION)) { l = X509_REQ_get_version(x); -if (l >= 0 && l <= 2) { +if (l == X509_REQ_VERSION_1) { if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n", "", l + 1, (unsigned long)l) <= 0) goto err; } else { diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c index 78d4452156..bdfb4cb08b 100644 --- a/crypto/x509/t_x509.c +++ b/crypto/x509/t_x509.c @@ -71,7 +71,7 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, } if (!(cflag & X509_FLAG_NO_VERSION)) { l = X509_get_version(x); -if (l >= 0 && l <= 2) { +if (l >= X509_VERSION_1 && l <= X509_VERSION_3) { if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n", "", l + 1, (unsigned long)l) <= 0) goto err; } else { diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c index 5b13fd7445..ede556d8ef 100644 --- a/crypto/x509/v3_purp.c +++ b/crypto/x509/v3_purp.c @@ -425,7 +425,7 @@ int ossl_x509v3_cache_extensions(X509 *x) ERR_set_mark(); /* V1 should mean no extensions ... */ -if (X509_get_version(x) == 0) +if (X50
[openssl] master update
The branch master has been updated via 624359374b9af4f99ce1bfaf89e28b730698 (commit) via 50c096ebb036773fd5d3f298533412c02f3c6432 (commit) from cdf63a3736a91a534bd3bc952b1dc3ef714604dd (commit) - Log - commit 624359374b9af4f99ce1bfaf89e28b730698 Author: Tomas Mraz Date: Mon Apr 26 12:59:23 2021 +0200 Skip test_fipsload when fips is disabled. Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/15027) commit 50c096ebb036773fd5d3f298533412c02f3c6432 Author: Tomas Mraz Date: Mon Apr 26 12:19:49 2021 +0200 Explicitly enable or disable fips if it is or is not relevant for the test Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/15027) --- Summary of changes: .github/workflows/ci.yml| 32 test/recipes/90-test_fipsload.t | 1 + 2 files changed, 17 insertions(+), 16 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a7e6592c6d..2e18fba41a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,7 +17,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: config - run: ./config --strict-warnings && perl configdata.pm --dump + run: ./config --strict-warnings enable-fips && perl configdata.pm --dump - name: make build_generated run: make -s build_generated - name: make update @@ -30,7 +30,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: config - run: ./config --strict-warnings && perl configdata.pm --dump + run: ./config --strict-warnings enable-fips && perl configdata.pm --dump - name: make build_generated run: make -s build_generated - name: make doc-nits @@ -44,7 +44,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: config - run: CPPFLAGS=-ansi ./config no-asm no-makedepend enable-buildtest-c++ --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump + run: CPPFLAGS=-ansi ./config no-asm no-makedepend enable-buildtest-c++ enable-fips --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump - name: make run: make -s -j4 @@ -53,7 +53,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: config - run: ./config --strict-warnings && perl configdata.pm --dump + run: ./config enable-fips --strict-warnings && perl configdata.pm --dump - name: make run: make -s -j4 - name: make test @@ -64,7 +64,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: config - run: CC=clang ./config --strict-warnings && perl configdata.pm --dump + run: CC=clang ./config no-fips --strict-warnings && perl configdata.pm --dump - name: make run: make -s -j4 - name: make test @@ -86,7 +86,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: config - run: ./config --strict-warnings no-deprecated && perl configdata.pm --dump + run: ./config --strict-warnings no-deprecated enable-fips && perl configdata.pm --dump - name: make run: make -s -j4 - name: make test @@ -100,7 +100,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: config - run: ./config --strict-warnings no-shared && perl configdata.pm --dump + run: ./config --strict-warnings no-shared no-fips && perl configdata.pm --dump - name: make run: make -s -j4 - name: make test @@ -111,7 +111,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: config - run: ./config --debug enable-asan enable-ubsan no-cached-fetch no-dtls no-tls1 no-tls1-method no-tls1_1 no-tls1_1-method no-async && perl configdata.pm --dump + run: ./config --debug enable-asan enable-ubsan no-cached-fetch no-fips no-dtls no-tls1 no-tls1-method no-tls1_1 no-tls1_1-method no-async && perl configdata.pm --dump - name: make run: make -s -j4 - name: make test @@ -122,7 +122,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: config - run: ./config --debug enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 && perl configdata.pm --dump + run: ./config --debug enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips && perl configdata.pm --dump - name: make run: make -s -j4 - name: make test @@ -133,7 +133,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: config - run: CC=clang ./config --strict-warnings -fsanitize=thread && perl configdata.pm --dump + run: CC=clang ./config no-fips --strict-warnings -fsanitize=thread && perl configdata.pm --dump - name: make run: make -s -j4 - name: make test @@ -144,7 +144,7 @@ jobs: steps: - uses: actions/checkou
[tools] master update
The branch master has been updated via 9d9c86fe443afcb8a13a8ae40b91674a6afefcd3 (commit) from e1fc98e1c15660ad4d51526cc6da9c44e2f49cd4 (commit) - Log - commit 9d9c86fe443afcb8a13a8ae40b91674a6afefcd3 Author: Richard Levitte Date: Tue Nov 17 11:28:23 2020 +0100 release-tools: Separate do-release.pl docs from mkrelease.pl docs Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/tools/pull/74) --- Summary of changes: release-tools/DO-RELEASE.md | 34 ++ release-tools/MKRELEASE.md | 35 --- release-tools/README.md | 2 +- 3 files changed, 35 insertions(+), 36 deletions(-) create mode 100644 release-tools/DO-RELEASE.md diff --git a/release-tools/DO-RELEASE.md b/release-tools/DO-RELEASE.md new file mode 100644 index 000..636d60b --- /dev/null +++ b/release-tools/DO-RELEASE.md @@ -0,0 +1,34 @@ +# Documentation on the do-release script + +The do-release.pl script copies distributions from the temporary holding area +to the http and ftp areas. It it intended to be run as the `openssl` user on +dev.openssl.org. + +It does the following: + +1. Copy OpenSSL release files from the holding area to the http and ftp + locations: currently /v/openssl/www/source and /v/openssl/ftp/source +2. Move OpenSSL release files from holding area to ~openssl/dist/old By + doing this the script wont try and make a release again with old files. +3. Mail the release message. This is sent to openssl-project openssl-users + and openssl-announce (it needs to be approved in openssl-announce). The + subject line is `OpenSSL version xxx released`. + +## do-release options + +- `--copy` + Copy files to http and ftp directories. **You will have to manually move + the OLD files to old/ directories.** + +- `--move` + Move files from holding area to ~openssl/dist/old + +- `--mail` + Send out announcement email: if this option is not given, the command you + need to call to send the release mail will be printed out. + +- `--full-release` + Perform all operations for a release (copy, move and mail). + +Note: because several of these options are irreversible they have to be +explicitly included. diff --git a/release-tools/MKRELEASE.md b/release-tools/MKRELEASE.md index 3c8c1e4..be9e73e 100644 --- a/release-tools/MKRELEASE.md +++ b/release-tools/MKRELEASE.md @@ -136,38 +136,3 @@ For local testing, you can do something like this: - `--branch-version=version` Use branch `version` instead of the one autodetected for the current branch. This option is not normally needed. - -# The do-release script - -The do-release.pl script copies distributions from the temporary holding area -to the http and ftp areas. It it intended to be run as the `openssl` user on -dev.openssl.org. - -It does the following: - -1. Copy OpenSSL release files from the holding area to the http and ftp - locations: currently /v/openssl/www/source and /v/openssl/ftp/source -2. Move OpenSSL release files from holding area to ~openssl/dist/old By - doing this the script wont try and make a release again with old files. -3. Mail the release message. This is sent to openssl-dev openssl-users and - openssl-announce (it needs to be approved in openssl-announce). The - subject line is `OpenSSL version xxx released`. - -## do-release options - -- `--copy` - Copy files to http and ftp directories. **You will have to manually move - the OLD files to old/ directories.** - -- `--move` - Move files from holding area to ~openssl/dist/old - -- `--mail` - Send out announcement email: if this option is not given, the command you - need to call to send the release mail will be printed out. - -- `--full-release` - Perform all operations for a release (copy, move and mail). - -Note: because several of these options are irreversible they have to be -explicitly included. diff --git a/release-tools/README.md b/release-tools/README.md index ad03508..dc18f74 100644 --- a/release-tools/README.md +++ b/release-tools/README.md @@ -114,7 +114,7 @@ associated files should be in ~openssl/dist/new. They should be owned by the openssl userid and world-readable. Copy the tarballs to appropriate directories. This can be -done using the do-release.pl script. See MKRELEASE.md for a description of +done using the do-release.pl script. See DO-RELEASE.md for a description of the options. For example: sudo -u openssl perl ~openssl/do-release.pl --copy --move
[openssl] master update
The branch master has been updated via 4189dc3782c5989dbaa7d247e41a96a25b27c940 (commit) via 176a9a682a22d556037b0a959911e6020c8d2ecd (commit) via 1751768cd191c3541dc89a2bb24da1e506385c37 (commit) from 624359374b9af4f99ce1bfaf89e28b730698 (commit) - Log - commit 4189dc3782c5989dbaa7d247e41a96a25b27c940 Author: Dr. David von Oheimb Date: Tue Mar 16 16:41:52 2021 +0100 CMS ESS: Move four internal aux function to where they belong in crypto/cms Also constify and slightly refactor them. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14601) commit 176a9a682a22d556037b0a959911e6020c8d2ecd Author: Dr. David von Oheimb Date: Tue Mar 16 16:04:08 2021 +0100 TS ESS: Move four internal aux function to where they belong in crypto/ts Also constify and slightly refactor them. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14601) commit 1751768cd191c3541dc89a2bb24da1e506385c37 Author: Dr. David von Oheimb Date: Mon Mar 15 20:24:40 2021 +0100 ESS: Export three core functions, clean up TS and CMS CAdES-BES usage Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14601) --- Summary of changes: crypto/cms/cms_ess.c | 121 ++ crypto/cms/cms_sd.c | 55 +- crypto/ess/ess_asn1.c | 63 +--- crypto/ess/ess_lib.c | 161 +++--- crypto/ts/ts_rsp_sign.c | 54 +- crypto/ts/ts_rsp_verify.c | 27 - doc/build.info| 6 ++ doc/man3/CMS_verify.pod | 1 + doc/man3/OSSL_ESS_check_signing_certs.pod | 88 doc/man3/TS_VERIFY_CTX_set_certs.pod | 4 + doc/man3/X509_dup.pod | 2 + include/crypto/cms.h | 27 - include/crypto/ess.h | 22 include/openssl/ess.h.in | 20 +++- include/openssl/esserr.h | 2 - test/recipes/80-test_cms.t| 2 +- util/libcrypto.num| 5 + 17 files changed, 344 insertions(+), 316 deletions(-) create mode 100644 doc/man3/OSSL_ESS_check_signing_certs.pod delete mode 100644 include/crypto/cms.h diff --git a/crypto/cms/cms_ess.c b/crypto/cms/cms_ess.c index ba78b6ebad..d029b75b69 100644 --- a/crypto/cms/cms_ess.c +++ b/crypto/cms/cms_ess.c @@ -16,7 +16,6 @@ #include #include #include "crypto/ess.h" -#include "crypto/cms.h" #include "crypto/x509.h" #include "cms_local.h" @@ -46,6 +45,60 @@ int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr) return 1; } +/* + * Returns 0 if attribute is not found, 1 if found, + * or -1 on attribute parsing failure. + */ +static int ossl_cms_signerinfo_get_signing_cert(const CMS_SignerInfo *si, +ESS_SIGNING_CERT **psc) +{ +ASN1_STRING *str; +ESS_SIGNING_CERT *sc; +ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_signingCertificate); + +if (psc != NULL) +*psc = NULL; +str = CMS_signed_get0_data_by_OBJ(si, obj, -3, V_ASN1_SEQUENCE); +if (str == NULL) +return 0; + +sc = ASN1_item_unpack(str, ASN1_ITEM_rptr(ESS_SIGNING_CERT)); +if (sc == NULL) +return -1; +if (psc != NULL) +*psc = sc; +else +ESS_SIGNING_CERT_free(sc); +return 1; +} + +/* + * Returns 0 if attribute is not found, 1 if found, + * or -1 on attribute parsing failure. + */ +static int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si, + ESS_SIGNING_CERT_V2 **psc) +{ +ASN1_STRING *str; +ESS_SIGNING_CERT_V2 *sc; +ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_signingCertificateV2); + +if (psc != NULL) +*psc = NULL; +str = CMS_signed_get0_data_by_OBJ(si, obj, -3, V_ASN1_SEQUENCE); +if (str == NULL) +return 0; + +sc = ASN1_item_unpack(str, ASN1_ITEM_rptr(ESS_SIGNING_CERT_V2)); +if (sc == NULL) +return -1; +if (psc != NULL) +*psc = sc; +else +ESS_SIGNING_CERT_V2_free(sc); +return 1; +} + int ossl_cms_check_signing_certs(const CMS_SignerInfo *si, const STACK_OF(X509) *chain) { @@ -53,7 +106,7 @@ int ossl_cms_check_signing_certs(const CMS_SignerInfo *si, ESS_SIGNING_CERT_V2 *ssv2 = NULL; int ret = ossl_cms_signerinfo_get_signing_cert(si, &ss) >= 0 && ossl_cms_signerinfo_get_signing_cert_v2(si, &ssv2) >= 0 -&& ossl_ess_check_signing_certs(ss, ssv2, chain, 1); +&& OSSL_ESS_check_signing_certs(ss, ssv2, chain, 1) > 0
[web] master update
The branch master has been updated via 4fab73cc1edf551a6ade144dfcae1223fa2aa120 (commit) via a56110d2a6791f92040bcd9ba6239a86916024ac (commit) via 6cea194f8dacf63ea52758c8e2a7bc2452918ca7 (commit) from be9a59e85c1be6992ed7f61737bcf630d6cad0f6 (commit) - Log - commit 4fab73cc1edf551a6ade144dfcae1223fa2aa120 Merge: be9a59e a56110d Author: Mark J. Cox Date: Wed Apr 28 14:07:16 2021 +0100 Merge pull request #237 from iamamoose/fixrt Fix security advisory links to rt.openssl.org commit a56110d2a6791f92040bcd9ba6239a86916024ac Author: Mark J. Cox Date: Wed Apr 28 13:54:47 2021 +0100 Remember we're in XML so escape & commit 6cea194f8dacf63ea52758c8e2a7bc2452918ca7 Author: Mark J. Cox Date: Wed Apr 28 13:52:47 2021 +0100 We have some old links to rt.openssl.org as advisories, just link those to the archive version for now, we could dump these to txt files later --- Summary of changes: news/vulnerabilities.xml | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index c1b47e2..ba187fd 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -6391,7 +6391,7 @@ Implement RFC5746 to address vulnerabilities in SSL/TLS renegotiation. -https://rt.openssl.org/Ticket/Display.html?id=1838&user=guest&pass=guest"/> +https://web.archive.org/web/20100710092848/https://rt.openssl.org/Ticket/Display.html?id=1838"/> @@ -6415,7 +6415,7 @@ remote attacker could use this flaw to cause a DTLS server to crash. -https://rt.openssl.org/Ticket/Display.html?id=1930&user=guest&pass=guest"/> +https://web.archive.org/web/20120306065500/http://rt.openssl.org/Ticket/Display.html?id=1930&user=guest&pass=guest"/> @@ -6445,7 +6445,7 @@ memory left. -https://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest"/> +https://web.archive.org/web/20101120211136/http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest"/> @@ -6475,7 +6475,7 @@ left. -https://rt.openssl.org/Ticket/Display.html?id=1923&user=guest&pass=guest"/> +https://web.archive.org/web/20100824233642/http://rt.openssl.org/Ticket/Display.html?id=1923&user=guest&pass=guest"/>
[openssl] master update
The branch master has been updated via 2d5695016d880b9c6681f293ed5afb0379ce86b7 (commit) via 98369ef25f87ee1dfc5d17da5489bbacb4150972 (commit) from 4189dc3782c5989dbaa7d247e41a96a25b27c940 (commit) - Log - commit 2d5695016d880b9c6681f293ed5afb0379ce86b7 Author: Matt Caswell Date: Fri Apr 23 16:18:28 2021 +0100 Properly protect access to the provider flag_activated field This was not always locked when it should be. Fixes #15005 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15010) commit 98369ef25f87ee1dfc5d17da5489bbacb4150972 Author: Matt Caswell Date: Fri Apr 23 14:10:07 2021 +0100 Add a threading test for loading/unloading providers Check that we don't see any threading issues when loading/unloading a provider from multiple threads. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15010) --- Summary of changes: crypto/provider_core.c | 110 +++-- test/threadstest.c | 26 +++- 2 files changed, 94 insertions(+), 42 deletions(-) diff --git a/crypto/provider_core.c b/crypto/provider_core.c index f3a4f297bf..1ef2cd5ca7 100644 --- a/crypto/provider_core.c +++ b/crypto/provider_core.c @@ -48,7 +48,6 @@ struct ossl_provider_st { unsigned int flag_initialized:1; unsigned int flag_activated:1; unsigned int flag_fallback:1; /* Can be used as fallback */ -unsigned int flag_activated_as_fallback:1; /* Getting and setting the flags require synchronization */ CRYPTO_RWLOCK *flag_lock; @@ -56,8 +55,7 @@ struct ossl_provider_st { /* OpenSSL library side data */ CRYPTO_REF_COUNT refcnt; CRYPTO_RWLOCK *refcnt_lock; /* For the ref counter */ -CRYPTO_REF_COUNT activatecnt; -CRYPTO_RWLOCK *activatecnt_lock; /* For the activate counter */ +int activatecnt; char *name; char *path; DSO *module; @@ -263,7 +261,6 @@ static OSSL_PROVIDER *provider_new(const char *name, if ((prov = OPENSSL_zalloc(sizeof(*prov))) == NULL #ifndef HAVE_ATOMICS || (prov->refcnt_lock = CRYPTO_THREAD_lock_new()) == NULL -|| (prov->activatecnt_lock = CRYPTO_THREAD_lock_new()) == NULL #endif || !ossl_provider_up_ref(prov) /* +1 One reference to be returned */ || (prov->opbits_lock = CRYPTO_THREAD_lock_new()) == NULL @@ -395,7 +392,6 @@ void ossl_provider_free(OSSL_PROVIDER *prov) CRYPTO_THREAD_lock_free(prov->flag_lock); #ifndef HAVE_ATOMICS CRYPTO_THREAD_lock_free(prov->refcnt_lock); -CRYPTO_THREAD_lock_free(prov->activatecnt_lock); #endif OPENSSL_free(prov); } @@ -479,7 +475,7 @@ int OSSL_PROVIDER_set_default_search_path(OSSL_LIB_CTX *libctx, * locking. Direct callers must remember to set the store flags when * appropriate. */ -static int provider_init(OSSL_PROVIDER *prov) +static int provider_init(OSSL_PROVIDER *prov, int flag_lock) { const OSSL_DISPATCH *provider_dispatch = NULL; void *tmp_provctx = NULL;/* safety measure */ @@ -496,7 +492,7 @@ static int provider_init(OSSL_PROVIDER *prov) * modifies a number of things in the provider structure that this * function needs to perform under lock anyway. */ -if (!CRYPTO_THREAD_write_lock(prov->flag_lock)) +if (flag_lock && !CRYPTO_THREAD_write_lock(prov->flag_lock)) goto end; if (prov->flag_initialized) { ok = 1; @@ -675,48 +671,41 @@ static int provider_init(OSSL_PROVIDER *prov) ok = 1; end: -CRYPTO_THREAD_unlock(prov->flag_lock); +if (flag_lock) +CRYPTO_THREAD_unlock(prov->flag_lock); return ok; } static int provider_deactivate(OSSL_PROVIDER *prov) { -int ref = 0; - if (!ossl_assert(prov != NULL)) return 0; -if (CRYPTO_DOWN_REF(&prov->activatecnt, &ref, prov->activatecnt_lock) <= 0) +if (!CRYPTO_THREAD_write_lock(prov->flag_lock)) return 0; -if (ref < 1) { -if (!CRYPTO_THREAD_write_lock(prov->flag_lock)) -return 0; +if (--prov->activatecnt < 1) prov->flag_activated = 0; -CRYPTO_THREAD_unlock(prov->flag_lock); -} + +CRYPTO_THREAD_unlock(prov->flag_lock); /* We don't deinit here, that's done in ossl_provider_free() */ return 1; } -static int provider_activate(OSSL_PROVIDER *prov) +static int provider_activate(OSSL_PROVIDER *prov, int flag_lock) { -int ref = 0; - -if (CRYPTO_UP_REF(&prov->activatecnt, &ref, prov->activatecnt_lock) <= 0) -return 0; - -if (provider_init(prov)) { -if (!CRYPTO_THREAD_write_lock(prov->flag_lock)) +if (provider_init(prov, flag_lock)) { +if (flag_lock && !CRYPTO_THREAD_write_lock(prov->flag_lock)) r
[openssl] master update
The branch master has been updated via 460d2fbcd75bef492638b54c17aa5f5bca7eec2a (commit) from 2d5695016d880b9c6681f293ed5afb0379ce86b7 (commit) - Log - commit 460d2fbcd75bef492638b54c17aa5f5bca7eec2a Author: Matt Caswell Date: Mon Apr 26 14:58:40 2021 +0100 Store the list of activated providers in the libctx The provider config module was storing the list of activated providers in a global variable. However, because different libctxs can each load providers via config files we need to keep the list of activated providers separate and in the libctx. Partially fixes #15030 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15033) --- Summary of changes: crypto/provider_conf.c | 50 + include/internal/cryptlib.h | 3 ++- 2 files changed, 39 insertions(+), 14 deletions(-) diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c index fb83977e6d..a04a7aa553 100644 --- a/crypto/provider_conf.c +++ b/crypto/provider_conf.c @@ -13,12 +13,41 @@ #include #include #include "internal/provider.h" +#include "internal/cryptlib.h" DEFINE_STACK_OF(OSSL_PROVIDER) /* PROVIDER config module */ -static STACK_OF(OSSL_PROVIDER) *activated_providers = NULL; +typedef struct { +STACK_OF(OSSL_PROVIDER) *activated_providers; +} PROVIDER_CONF_GLOBAL; + +static void *prov_conf_ossl_ctx_new(OSSL_LIB_CTX *libctx) +{ +PROVIDER_CONF_GLOBAL *pcgbl = OPENSSL_zalloc(sizeof(*pcgbl)); + +if (pcgbl == NULL) +return NULL; + +return pcgbl; +} + +static void prov_conf_ossl_ctx_free(void *vpcgbl) +{ +PROVIDER_CONF_GLOBAL *pcgbl = vpcgbl; + +sk_OSSL_PROVIDER_pop_free(pcgbl->activated_providers, + ossl_provider_free); + +OSSL_TRACE(CONF, "Cleaned up providers\n"); +OPENSSL_free(pcgbl); +} + +static const OSSL_LIB_CTX_METHOD provider_conf_ossl_ctx_method = { +prov_conf_ossl_ctx_new, +prov_conf_ossl_ctx_free, +}; static const char *skip_dot(const char *name) { @@ -80,6 +109,9 @@ static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, const char *path = NULL; long activate = 0; int ok = 0; +PROVIDER_CONF_GLOBAL *pcgbl += ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, +&provider_conf_ossl_ctx_method); name = skip_dot(name); OSSL_TRACE1(CONF, "Configuring provider %s\n", name); @@ -133,9 +165,9 @@ static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, if (!ossl_provider_activate(prov, 0)) { ok = 0; } else { -if (activated_providers == NULL) -activated_providers = sk_OSSL_PROVIDER_new_null(); -sk_OSSL_PROVIDER_push(activated_providers, prov); +if (pcgbl->activated_providers == NULL) +pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null(); +sk_OSSL_PROVIDER_push(pcgbl->activated_providers, prov); ok = 1; } } @@ -172,16 +204,8 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf) return 1; } - -static void provider_conf_deinit(CONF_IMODULE *md) -{ -sk_OSSL_PROVIDER_pop_free(activated_providers, ossl_provider_free); -activated_providers = NULL; -OSSL_TRACE(CONF, "Cleaned up providers\n"); -} - void ossl_provider_add_conf_module(void) { OSSL_TRACE(CONF, "Adding config module 'providers'\n"); -CONF_module_add("providers", provider_conf_init, provider_conf_deinit); +CONF_module_add("providers", provider_conf_init, NULL); } diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h index ea42447e78..e7dd1f65b4 100644 --- a/include/internal/cryptlib.h +++ b/include/internal/cryptlib.h @@ -162,7 +162,8 @@ typedef struct ossl_ex_data_global_st { # define OSSL_LIB_CTX_BIO_PROV_INDEX13 # define OSSL_LIB_CTX_GLOBAL_PROPERTIES 14 # define OSSL_LIB_CTX_STORE_LOADER_STORE_INDEX 15 -# define OSSL_LIB_CTX_MAX_INDEXES 16 +# define OSSL_LIB_CTX_PROVIDER_CONF_INDEX 16 +# define OSSL_LIB_CTX_MAX_INDEXES 17 typedef struct ossl_lib_ctx_method { void *(*new_func)(OSSL_LIB_CTX *ctx);
[openssl] master update
The branch master has been updated via e9b30d9f50a356b3b0a9d60e6fc877e08f68a40e (commit) via f42e68dc473081393835b0ae7dad19d393ee589d (commit) from 460d2fbcd75bef492638b54c17aa5f5bca7eec2a (commit) - Log - commit e9b30d9f50a356b3b0a9d60e6fc877e08f68a40e Author: Matt Caswell Date: Mon Apr 19 16:46:30 2021 +0100 Test a Finished message at the wrong time results in unexpected message We test that sending a Finished message instead of a ClientHello results in an unexpected message error. Reviewed-by: Paul Dale Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/14930) commit f42e68dc473081393835b0ae7dad19d393ee589d Author: Matt Caswell Date: Mon Apr 19 15:21:54 2021 +0100 Defer Finished MAC handling until after state transition In TLS we process received messages like this: 1) Read Message Header 2) Validate and transition state based on received message type 3) Read Message Body 4) Process Message In DTLS we read messages like this: 1) Read Message Header and Body 2) Validate and transition state based on received message type 3) Process Message The difference is because of the stream vs datagram semantics of the underlying transport. In both TLS and DTLS we were doing finished MAC processing as part of reading the message body. This means that in DTLS this was occurring *before* the state transition has been validated. A crash was occurring in DTLS if a Finished message was sent in an invalid state due to assumptions in the code that certain variables would have been setup by the time a Finished message arrives. To avoid this problem we shift the finished MAC processing to be after the state transition in DTLS. Thanks to github user @bathooman for reporting this issue. Fixes #14906 Reviewed-by: Paul Dale Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/14930) --- Summary of changes: ssl/statem/statem.c | 19 +++- ssl/statem/statem_dtls.c | 51 ++-- ssl/statem/statem_local.h | 3 +- test/dtlstest.c | 74 +++ 4 files changed, 124 insertions(+), 23 deletions(-) diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c index 3b6e78e3f8..4c463974ea 100644 --- a/ssl/statem/statem.c +++ b/ssl/statem/statem.c @@ -582,7 +582,7 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) /* * In DTLS we get the whole message in one go - header and body */ -ret = dtls_get_message(s, &mt, &len); +ret = dtls_get_message(s, &mt); } else { ret = tls_get_message_header(s, &mt); } @@ -625,13 +625,18 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) /* Fall through */ case READ_STATE_BODY: -if (!SSL_IS_DTLS(s)) { -/* We already got this above for DTLS */ +if (SSL_IS_DTLS(s)) { +/* + * Actually we already have the body, but we give DTLS the + * opportunity to do any further processing. + */ +ret = dtls_get_message_body(s, &len); +} else { ret = tls_get_message_body(s, &len); -if (ret == 0) { -/* Could be non-blocking IO */ -return SUB_STATE_ERROR; -} +} +if (ret == 0) { +/* Could be non-blocking IO */ +return SUB_STATE_ERROR; } s->first_packet = 0; diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c index c4bed3d3ee..1fcd064ea6 100644 --- a/ssl/statem/statem_dtls.c +++ b/ssl/statem/statem_dtls.c @@ -328,7 +328,7 @@ int dtls1_do_write(SSL *s, int type) return 0; } -int dtls_get_message(SSL *s, int *mt, size_t *len) +int dtls_get_message(SSL *s, int *mt) { struct hm_header_st *msg_hdr; unsigned char *p; @@ -352,7 +352,6 @@ int dtls_get_message(SSL *s, int *mt, size_t *len) *mt = s->s3.tmp.message_type; p = (unsigned char *)s->init_buf->data; -*len = s->init_num; if (*mt == SSL3_MT_CHANGE_CIPHER_SPEC) { if (s->msg_callback) { @@ -373,32 +372,54 @@ int dtls_get_message(SSL *s, int *mt, size_t *len) s2n(msg_hdr->seq, p); l2n3(0, p); l2n3(msg_len, p); -if (s->version != DTLS1_BAD_VER) { -p -= DTLS1_HM_HEADER_LENGTH; -msg_len += DTLS1_HM_HEADER_LENGTH; -} +memset(msg_hdr, 0, sizeof(*msg_hdr)); + +s->d1->handshake_read_seq++; + +s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_
[openssl] master update
The branch master has been updated via 3babc1e468c9a5cfb30582a3ea1d55c1ec776361 (commit) via 2e535eb50aa9c6b73c796f668e1aef8bc17f14c4 (commit) via 0bd138b8c36c7e8e504beb2c12a2771929c24cfb (commit) from e9b30d9f50a356b3b0a9d60e6fc877e08f68a40e (commit) - Log - commit 3babc1e468c9a5cfb30582a3ea1d55c1ec776361 Author: Richard Levitte Date: Mon Apr 26 09:28:12 2021 +0200 util/add-depends.pl: Adapt to localized /showIncludes output It was discovered that MSVC has localized /showIncludes output. Fortunately, it still seems to follow the same generic format, so we can adapt the regular expression to make it language agnostic. Fixes #14994 Reviewed-by: Tomas Mraz Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/15006) commit 2e535eb50aa9c6b73c796f668e1aef8bc17f14c4 Author: Richard Levitte Date: Mon Apr 26 09:17:05 2021 +0200 Configuration: rework how dependency making is handled Previously, we had dependency making pretty much hard coded in the build file templates, with a bit of an exception for Unix family platforms, where we had different cases depending on what dependency making program was found. With the Embarcadero C++ builder, a separate scheme appeared, with a different logic. This change merges the two, and introduces two config target attributes: makedepcmd The program to use, where this is relevant. This replaces the earlier configuration attribute 'makedepprog'. makedep_scheme This is a keyword that can be used by build files templates to produce different sorts of commands, but most importantly, to pass as argument to util/add-depend.pl, which uses this keyword as a "producer" for the dependency lines. If the config target doesn't define the 'makedep_scheme' attribute, Configure tries to figure it out by looking for GCC compatible compilers or for the 'makedepend' command. Reviewed-by: Tomas Mraz Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/15006) commit 0bd138b8c36c7e8e504beb2c12a2771929c24cfb Author: Richard Levitte Date: Fri Apr 23 16:19:23 2021 +0200 Windows bulding: Make dependency generation not quite as talkative The modified way to generate .d files had an unfortunate side effect, that it outputs the whole preprocessed file and not just the dependency lines, at least with MSVC's cl. That gave util/add-depends.pl a whole lot more to read through, which impacts greatly on the performance of dependency treatment. We modify the process by adding a config target attribute 'make_depend', which can be any suitable command for generating such lines. All it needs is to also accept C flags and macro definitions. Fixes #14994 Reviewed-by: Tomas Mraz Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/15006) --- Summary of changes: Configurations/10-main.conf | 4 +- Configurations/50-cppbuilder.conf| 8 +++- Configurations/descrip.mms.tmpl | 2 +- Configurations/platform/Unix.pm | 2 +- Configurations/platform/mingw.pm | 2 +- Configurations/unix-Makefile.tmpl| 14 +++ Configurations/windows-makefile.tmpl | 6 +-- Configure| 28 - util/add-depends.pl | 77 9 files changed, 102 insertions(+), 41 deletions(-) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index f5e5754b3a..1e53f20861 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -1278,13 +1278,14 @@ my %targets = ( CPP => '"$(CC)" /EP /C', CFLAGS => "/W3 /wd4090 /nologo", coutflag => "/Fo", -cpp_depend_flags => "/Zs /showIncludes", LD => "link", LDFLAGS => "/nologo /debug", ldoutflag=> "/out:", ldpostoutflag=> "", ld_resp_delim=> "\n", bin_lflags => "setargv.obj", +makedepcmd => '"$(CC)" /Zs /showIncludes', +makedep_scheme => 'VC', AR => "lib", ARFLAGS => "/nologo", aroutflag=> "/out:", @@ -1838,6 +1839,7 @@ my %targets = ( dso_scheme => "vms", thread_scheme=> "pthreads", +makedep_scheme => 'VMS C', AS => sub { vms_info()->{AS} }, A
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm
Platform and configuration command: $ uname -a Linux run 5.4.0-70-generic #78-Ubuntu SMP Fri Mar 19 13:29:52 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-asm Commit log since last time: 3babc1e468 util/add-depends.pl: Adapt to localized /showIncludes output 2e535eb50a Configuration: rework how dependency making is handled 0bd138b8c3 Windows bulding: Make dependency generation not quite as talkative e9b30d9f50 Test a Finished message at the wrong time results in unexpected message f42e68dc47 Defer Finished MAC handling until after state transition 460d2fbcd7 Store the list of activated providers in the libctx 2d5695016d Properly protect access to the provider flag_activated field 98369ef25f Add a threading test for loading/unloading providers 4189dc3782 CMS ESS: Move four internal aux function to where they belong in crypto/cms 176a9a682a TS ESS: Move four internal aux function to where they belong in crypto/ts 1751768cd1 ESS: Export three core functions, clean up TS and CMS CAdES-BES usage 624359374b Skip test_fipsload when fips is disabled. 50c096ebb0 Explicitly enable or disable fips if it is or is not relevant for the test cdf63a3736 Add X509 version constants. d97adfda28 memleaktest with MSVC's AddressSanitizer 67ea4beb94 OPENSSL_sk functions are effectively already documented 5fd7eb5c8a Improve the implementation of X509_STORE_CTX_get1_issuer() e1491a2f15 Add testing for updated cipher IV 8365652287 Use "canonical" names when matching the output of the commands 680dbd16dc Skip GOST engine tests in out of tree builds eaf8a40d97 Prefer fetch over legacy get_digestby/get_cipherby c0a79e9836 Rename some globals, add ossl prefix. e6760e3e84 Add system guessing for linux64-riscv64 target e466dc3646 Test that we don't have a memory leak in d2i_ASN1_OBJECT. 1727465471 ASN1: Ensure that d2i_ASN1_OBJECT() frees the strings on ASN1_OBJECT reuse 94471ccfda add verbosity for pyca job a938f0045e re-add pyca/cryptography testing a09fb26ba9 add wycheproof submodule f2561fa566 updated pyca/cryptography submodule version 3e4981dd59 Avoid #include with inline function on C++Builder c85c5e1a53 Deprecate EVP_PKEY_cmp() and EVP_PKEY_cmp_parameters(). 990aa405db Doc updates for DH/DSA examples f1ffaaeece Fixes related to separation of DH and DHX types 6c9bc258d2 Add type_name member to provided methods and use it d21224f1ad Documentation fix for openssl-verify certificates Build log ended with (last 100 lines): 02-test_internal_context.t . ok 02-test_internal_ctype.t ... ok 02-test_internal_keymgmt.t . ok 02-test_internal_provider.t ok 02-test_lhash.t ok 02-test_ordinals.t . ok 02-test_sparse_array.t . ok 02-test_stack.t ok 03-test_exdata.t ... ok 03-test_fipsinstall.t .. ok 03-test_internal_asn1.t ok 03-test_internal_asn1_dsa.t ok 03-test_internal_bn.t .. ok 03-test_internal_chacha.t .. ok 03-test_internal_curve448.t ok 03-test_internal_ec.t .. ok 03-test_internal_ffc.t . ok 03-test_internal_mdc2.t ok 03-test_internal_modes.t ... ok 03-test_internal_namemap.t . ok 03-test_internal_poly1305.t ok 03-test_internal_rsa_sp800_56b.t ... ok 03-test_internal_siphash.t . ok 03-test_internal_sm2.t . ok 03-test_internal_sm4.t . ok 03-test_internal_ssl_cert_table.t .. ok 03-test_internal_x509.t ok 03-test_params_api.t ... ok 03-test_property.t . ok 03-test_ui.t ... ok 04-test_asn1_decode.t .. ok 04-test_asn1_encode.t .. ok 04-test_asn1_string_table.t ok 04-test_bio_callback.t . ok 04-test_bioprint.t . ok 04-test_conf.t . ok 04-test_encoder_decoder.t .. ok 04-test_encoder_decoder_legacy.t ... ok 04-test_err.t .. ok 04-test_hexstring.t ok 04-test_param_build.t .. ok 04-test_params.t ... ok 04-test_params_conversion.t ok 04-test_pem_read_depr.t ok 04-test_pem_reading.t .. ok 04-test_provider.t . ok 04-test_provider_fallback.t ok 05-test_bf.t ... ok 05-test_cast.t . ok 05-test_cmac.t . ok 05-test_des.t .. ok 05-test_hmac.t . ok 05-test_idea.t . ok 05-test_rand.t . ok 05-test_rc2.t .. ok 05-test_rc4.t .. ok 05-test_rc5.t .. skipped: rc5 is not supported by this OpenSSL build 06-test_algorithmid.t .. ok 06-test_rdrand_sanity.t ok 10-test_bn.t ... ok 10-test_exp.t .. ok 15-test_dh.t