Still Failing: openssl/openssl#28311 (master - a218770)
Build Update for openssl/openssl - Build: #28311 Status: Still Failing Duration: 19 mins and 19 secs Commit: a218770 (master) Author: Pauli Message: Fix examples in the section 7 KDF man pages. All of the examples called EVP_KDF_set_params() when they should have been calling EVP_KDF_CTX_set_params(). Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/9898) View the changeset: https://github.com/openssl/openssl/compare/f3f3318a25e6...a218770d4de8 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/585100312?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] master update
The branch master has been updated
via a218770d4de819afc9453284dc13b609eeea4639 (commit)
from f3f3318a25e62f471a69e1e8dd117bf30191da20 (commit)
- Log -
commit a218770d4de819afc9453284dc13b609eeea4639
Author: Pauli
Date: Sun Sep 15 09:44:14 2019 +1000
Fix examples in the section 7 KDF man pages.
All of the examples called EVP_KDF_set_params() when they should have been
calling EVP_KDF_CTX_set_params().
Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/9898)
---
Summary of changes:
doc/man7/EVP_KDF-HKDF.pod | 4 ++--
doc/man7/EVP_KDF-SCRYPT.pod | 4 ++--
doc/man7/EVP_KDF-SS.pod | 12 ++--
doc/man7/EVP_KDF-SSHKDF.pod | 2 +-
doc/man7/EVP_KDF-TLS1_PRF.pod | 4 ++--
doc/man7/EVP_KDF-X942.pod | 4 ++--
doc/man7/EVP_KDF-X963.pod | 4 ++--
7 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/doc/man7/EVP_KDF-HKDF.pod b/doc/man7/EVP_KDF-HKDF.pod
index 746e7fb972..fb675b2d45 100644
--- a/doc/man7/EVP_KDF-HKDF.pod
+++ b/doc/man7/EVP_KDF-HKDF.pod
@@ -119,8 +119,8 @@ salt value "salt" and info value "label":
*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
"salt", (size_t)4);
*p = OSSL_PARAM_construct_end();
- if (EVP_KDF_set_params(kctx, params) <= 0) {
- error("EVP_KDF_set_params");
+ if (EVP_KDF_CTX_set_params(kctx, params) <= 0) {
+ error("EVP_KDF_CTX_set_params");
}
if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
error("EVP_KDF_derive");
diff --git a/doc/man7/EVP_KDF-SCRYPT.pod b/doc/man7/EVP_KDF-SCRYPT.pod
index ce22aaa7ca..dff8e15f39 100644
--- a/doc/man7/EVP_KDF-SCRYPT.pod
+++ b/doc/man7/EVP_KDF-SCRYPT.pod
@@ -93,8 +93,8 @@ This example derives a 64-byte long test vector using scrypt
with the password
*p++ = OSSL_PARAM_construct_uint32(OSSL_KDF_PARAM_SCRYPT_R, (uint32_t)8);
*p++ = OSSL_PARAM_construct_uint32(OSSL_KDF_PARAM_SCRYPT_P, (uint32_t)16);
*p = OSSL_PARAM_construct_end();
- if (EVP_KDF_set_params(kctx, params) <= 0) {
- error("EVP_KDF_set_params");
+ if (EVP_KDF_CTX_set_params(kctx, params) <= 0) {
+ error("EVP_KDF_CTX_set_params");
}
if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
error("EVP_KDF_derive");
diff --git a/doc/man7/EVP_KDF-SS.pod b/doc/man7/EVP_KDF-SS.pod
index be69606701..be45d9e3c7 100644
--- a/doc/man7/EVP_KDF-SS.pod
+++ b/doc/man7/EVP_KDF-SS.pod
@@ -92,8 +92,8 @@ and fixedinfo value "label":
*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
"label", (size_t)5);
*p = OSSL_PARAM_construct_end();
- if (EVP_KDF_set_params(kctx, params) <= 0) {
- error("EVP_KDF_set_params");
+ if (EVP_KDF_CTX_set_params(kctx, params) <= 0) {
+ error("EVP_KDF_CTX_set_params");
}
if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
error("EVP_KDF_derive");
@@ -124,8 +124,8 @@ fixedinfo value "label" and salt "salt":
*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
"salt", (size_t)4);
*p = OSSL_PARAM_construct_end();
- if (EVP_KDF_set_params(kctx, params) <= 0) {
- error("EVP_KDF_set_params");
+ if (EVP_KDF_CTX_set_params(kctx, params) <= 0) {
+ error("EVP_KDF_CTX_set_params");
}
if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
error("EVP_KDF_derive");
@@ -157,8 +157,8 @@ fixedinfo value "label", salt of "salt" and KMAC outlen of
20:
"salt", (size_t)4);
*p++ = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_MAC_SIZE, (size_t)20);
*p = OSSL_PARAM_construct_end();
- if (EVP_KDF_set_params(kctx, params) <= 0) {
- error("EVP_KDF_set_params");
+ if (EVP_KDF_CTX_set_params(kctx, params) <= 0) {
+ error("EVP_KDF_CTX_set_params");
}
if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
error("EVP_KDF_derive");
diff --git a/doc/man7/EVP_KDF-SSHKDF.pod b/doc/man7/EVP_KDF-SSHKDF.pod
index 0ed57626ef..cd05abe9dd 100644
--- a/doc/man7/EVP_KDF-SSHKDF.pod
+++ b/doc/man7/EVP_KDF-SSHKDF.pod
@@ -125,7 +125,7 @@ This example derives an 8 byte IV using SHA-256 with a 1K
"key" and appropriate
*p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_SSHKDF_TYPE,
EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV);
*p = OSSL_PARAM_construct_end();
- if (EVP_KDF_set_params(kctx, params) <= 0)
+ if (EVP_KDF_CTX_set_params(kctx, params) <= 0)
/* Error */
if (EVP_KDF_derive(kctx, out, &outlen) <= 0)
diff --git a/doc/man7/EVP_KDF-TLS1_PRF.pod b/doc/man7/EVP_KDF-TLS1_PRF.pod
index a04f811792..2adcf9f0aa 100644
--- a/doc/man7/EVP_KDF-TLS1_PRF.pod
+++ b/doc/man7/EVP_KDF-TLS1_PRF.pod
@@ -80,8 +80,8 @@ and seed value "seed":
*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
"seed"
Still Failing: openssl/openssl#28305 (OpenSSL_1_1_1-stable - b8f2701)
Build Update for openssl/openssl - Build: #28305 Status: Still Failing Duration: 13 mins and 26 secs Commit: b8f2701 (OpenSSL_1_1_1-stable) Author: Richard Levitte Message: Do no mention private headers in public headers Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/9812) (cherry picked from commit bd9faf117db1e53b2ad2ee9cbfe8def8c98ecb7b) View the changeset: https://github.com/openssl/openssl/compare/32bfa2e66ef8...b8f2701c38cf View the full build log and details: https://travis-ci.org/openssl/openssl/builds/585065351?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated
via b8f2701c38cf07f364a9899dfc20c972a9dafaef (commit)
from 32bfa2e66ef81d2bc7e1ae1896efca01d03cdc10 (commit)
- Log -
commit b8f2701c38cf07f364a9899dfc20c972a9dafaef
Author: Richard Levitte
Date: Mon Sep 9 02:41:26 2019 +0200
Do no mention private headers in public headers
Reviewed-by: Matthias St. Pierre
(Merged from https://github.com/openssl/openssl/pull/9812)
(cherry picked from commit bd9faf117db1e53b2ad2ee9cbfe8def8c98ecb7b)
---
Summary of changes:
include/openssl/ct.h| 2 --
include/openssl/dtls1.h | 2 +-
include/openssl/evp.h | 2 +-
3 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/include/openssl/ct.h b/include/openssl/ct.h
index d4262fa048..ebdba34d67 100644
--- a/include/openssl/ct.h
+++ b/include/openssl/ct.h
@@ -463,8 +463,6 @@ __owur int CTLOG_STORE_load_file(CTLOG_STORE *store, const
char *file);
/*
* Loads the default CT log list into a |store|.
- * See internal/cryptlib.h for the environment variable and file path that are
- * consulted to find the default file.
* Returns 1 if loading is successful, or 0 otherwise.
*/
__owur int CTLOG_STORE_load_default_file(CTLOG_STORE *store);
diff --git a/include/openssl/dtls1.h b/include/openssl/dtls1.h
index a312e386cf..d55ca9c332 100644
--- a/include/openssl/dtls1.h
+++ b/include/openssl/dtls1.h
@@ -43,7 +43,7 @@ extern "C" {
# define DTLS1_AL_HEADER_LENGTH 2
-/* Timeout multipliers (timeout slice is defined in apps/timeouts.h */
+/* Timeout multipliers */
# define DTLS1_TMO_READ_COUNT 2
# define DTLS1_TMO_WRITE_COUNT 2
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 545654a98b..8abcd8a8a3 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -180,7 +180,7 @@ int (*EVP_MD_meth_get_ctrl(const EVP_MD *md))(EVP_MD_CTX
*ctx, int cmd,
* if the following flag is set.
*/
# define EVP_MD_CTX_FLAG_FINALISE0x0200
-/* NOTE: 0x0400 is reserved for internal usage in evp_int.h */
+/* NOTE: 0x0400 is reserved for internal usage */
EVP_CIPHER *EVP_CIPHER_meth_new(int cipher_type, int block_size, int key_len);
EVP_CIPHER *EVP_CIPHER_meth_dup(const EVP_CIPHER *cipher);
Build failed: openssl master.27732
Build openssl master.27732 failed Commit 1dac75a6de by Richard Levitte on 9/14/2019 2:45 PM: apps/list.c: modify to handle multiple names per algorithm implementation Configure your notification preferences
Still Failing: openssl/openssl#28298 (master - f3f3318)
Build Update for openssl/openssl - Build: #28298 Status: Still Failing Duration: 22 mins and 5 secs Commit: f3f3318 (master) Author: Andreas Kretschmer Message: fix CRMF symmetric key handling Reviewed-by: Bernd Edlinger Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9774) View the changeset: https://github.com/openssl/openssl/compare/7b6b194b5281...f3f3318a25e6 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/584920185?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] master update
The branch master has been updated
via f3f3318a25e62f471a69e1e8dd117bf30191da20 (commit)
from 7b6b194b5281649ad5c50ecead0f3725d2d2a6a0 (commit)
- Log -
commit f3f3318a25e62f471a69e1e8dd117bf30191da20
Author: Andreas Kretschmer
Date: Thu Sep 5 13:21:03 2019 +0200
fix CRMF symmetric key handling
Reviewed-by: Bernd Edlinger
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/9774)
---
Summary of changes:
crypto/crmf/crmf_lib.c | 39 ---
1 file changed, 24 insertions(+), 15 deletions(-)
diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c
index e519c50677..2974341446 100644
--- a/crypto/crmf/crmf_lib.c
+++ b/crypto/crmf/crmf_lib.c
@@ -29,6 +29,7 @@
#include
#include "crmf_int.h"
+#include "internal/constant_time_locl.h"
/* explicit #includes not strictly needed since implied by the above: */
#include
@@ -654,7 +655,9 @@ X509
*OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
X509 *cert = NULL; /* decrypted certificate */
EVP_CIPHER_CTX *evp_ctx = NULL; /* context for symmetric encryption */
unsigned char *ek = NULL; /* decrypted symmetric encryption key */
+size_t eksize = 0; /* size of decrypted symmetric encryption key */
const EVP_CIPHER *cipher = NULL; /* used cipher */
+int cikeysize = 0; /* key size from cipher */
unsigned char *iv = NULL; /* initial vector for symmetric encryption */
unsigned char *outbuf = NULL; /* decryption output buffer */
const unsigned char *p = NULL; /* needed for decoding ASN1 */
@@ -673,18 +676,31 @@ X509
*OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
CRMF_R_UNSUPPORTED_CIPHER);
return NULL;
}
-
+/* select symmetric cipher based on algorithm given in message */
+if ((cipher = EVP_get_cipherbynid(symmAlg)) == NULL) {
+CRMFerr(CRMF_F_OSSL_CRMF_ENCRYPTEDVALUE_GET1_ENCCERT,
+CRMF_R_UNSUPPORTED_CIPHER);
+goto end;
+}
+cikeysize = EVP_CIPHER_key_length(cipher);
/* first the symmetric key needs to be decrypted */
pkctx = EVP_PKEY_CTX_new(pkey, NULL);
if (pkctx != NULL && EVP_PKEY_decrypt_init(pkctx)) {
ASN1_BIT_STRING *encKey = ecert->encSymmKey;
-size_t eksize = 0;
+size_t failure;
+int retval;
-if (EVP_PKEY_decrypt(pkctx, NULL, &eksize, encKey->data,
encKey->length)
-<= 0
-|| (ek = OPENSSL_malloc(eksize)) == NULL
-|| EVP_PKEY_decrypt(pkctx, ek, &eksize, encKey->data,
-encKey->length) <= 0) {
+if (EVP_PKEY_decrypt(pkctx, NULL, &eksize,
+ encKey->data, encKey->length) <= 0
+|| (ek = OPENSSL_malloc(eksize)) == NULL)
+goto oom;
+retval = EVP_PKEY_decrypt(pkctx, ek, &eksize,
+ encKey->data, encKey->length);
+ERR_clear_error(); /* error state may have sensitive information */
+failure = ~constant_time_is_zero_s(constant_time_msb(retval)
+ | constant_time_is_zero(retval));
+failure |= ~constant_time_eq_s(eksize, (size_t)cikeysize);
+if (failure) {
CRMFerr(CRMF_F_OSSL_CRMF_ENCRYPTEDVALUE_GET1_ENCCERT,
CRMF_R_ERROR_DECRYPTING_SYMMETRIC_KEY);
goto end;
@@ -692,13 +708,6 @@ X509
*OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
} else {
goto oom;
}
-
-/* select symmetric cipher based on algorithm given in message */
-if ((cipher = EVP_get_cipherbynid(symmAlg)) == NULL) {
-CRMFerr(CRMF_F_OSSL_CRMF_ENCRYPTEDVALUE_GET1_ENCCERT,
-CRMF_R_UNSUPPORTED_CIPHER);
-goto end;
-}
if ((iv = OPENSSL_malloc(EVP_CIPHER_iv_length(cipher))) == NULL)
goto oom;
if (ASN1_TYPE_get_octetstring(ecert->symmAlg->parameter, iv,
@@ -743,7 +752,7 @@ X509
*OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
EVP_PKEY_CTX_free(pkctx);
OPENSSL_free(outbuf);
EVP_CIPHER_CTX_free(evp_ctx);
-OPENSSL_free(ek);
+OPENSSL_clear_free(ek, eksize);
OPENSSL_free(iv);
return cert;
}
