Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-cms
Platform and configuration command: $ uname -a Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-cms Commit log since last time: b434b2c08d Allow unauthenticated CMP server if missing -trusted, -srvcert, and -secret options 15633d74dc Add 4 new OIDs for PKIX key purposes and 3 new CMP information types 1251cddf8d TEST: modify test/endecode_test.c to not use legacy keys 4ce1025a8a PEM: Make PEM_write_bio_PrivateKey_traditional() handle provider-native keys 924663c36d Add CMS AuthEnvelopedData with AES-GCM support d96486dc80 apps/cmp.c: Allow default HTTP path (aka CMP alias) given with -server option 6e477a60e4 apps/cmp.c: Use enhanced OSSL_HTTP_parse_url(), removing parse_addr() and atoint() d7fcee3b3b OSSL_HTTP_parse_url(): add optional port number return parameter and strengthen documentation 8d6481f532 EVP: Move the functions and controls for setting and getting distid b968945204 EVP: Expand the use of EVP_PKEY_CTX_md() 86df26b394 EVP: Add support for delayed EVP_PKEY operation parameters ea0add4a82 New GOST PKCS12 standard support 08497fc64f Fix test/evp_extra_test.c 20d56d6d62 EVP: Don't shadow EVP_PKEY_CTX_new* error records 509144964b EVP: Preserve the EVP_PKEY id in a few more spots 884baafba4 Use return code for 'which command' checks 4348995b0d Fix memory leaks in conf_def.c 385deae79f Building: Build Unix static libraries one object file at a time Build log ended with (last 100 lines): clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality 
-Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/srptest-bin-srptest.d.tmp -MT test/srptest-bin-srptest.o -c -o test/srptest-bin-srptest.o ../openssl/test/srptest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ssl_cert_table_internal_test-bin-ssl_cert_table_internal_test.d.tmp -MT test/ssl_cert_table_internal_test-bin-ssl_cert_table_internal_test.o -c -o test/ssl_cert_table_internal_test-bin-ssl_cert_table_internal_test.o ../openssl/test/ssl_cert_table_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ssl_ctx_test-bin-ssl_ctx_test.d.tmp -MT test/ssl_ctx_test-bin-ssl_ctx_test.o -c -o 
test/ssl_ctx_test-bin-ssl_ctx_test.o ../openssl/test/ssl_ctx_test.c clang -I. -Iinclude -I../openssl -I../openssl/include -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ssl_test-bin-handshake_helper.d.tmp -MT test/ssl_test-bin-handshake_helper.o -c -o test/ssl_test-bin-handshake_helper.o ../openssl/test/handshake_helper.c clang -Iinclude -Iapps/include -I../openssl/include
Still Failing: openssl/openssl#37303 (master - b434b2c)
Build Update for openssl/openssl - Build: #37303 Status: Still Failing Duration: 1 hr, 28 mins, and 1 sec Commit: b434b2c (master) Author: Dr. David von Oheimb Message: Allow unauthenticated CMP server if missing -trusted, -srvcert, and -secret options Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12806) View the changeset: https://github.com/openssl/openssl/compare/15633d74dcfe...b434b2c08d20 View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/183446683?utm_medium=notification_source=email
Still Failing: openssl/openssl#37302 (master - 15633d7)
Build Update for openssl/openssl - Build: #37302 Status: Still Failing Duration: 1 hr, 20 mins, and 42 secs Commit: 15633d7 (master) Author: Dr. David von Oheimb Message: Add 4 new OIDs for PKIX key purposes and 3 new CMP information types Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/12807) View the changeset: https://github.com/openssl/openssl/compare/1251cddf8d41...15633d74dcfe View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/183446405?utm_medium=notification_source=email
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit
Platform and configuration command: $ uname -a Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: b434b2c08d Allow unauthenticated CMP server if missing -trusted, -srvcert, and -secret options 15633d74dc Add 4 new OIDs for PKIX key purposes and 3 new CMP information types 1251cddf8d TEST: modify test/endecode_test.c to not use legacy keys 4ce1025a8a PEM: Make PEM_write_bio_PrivateKey_traditional() handle provider-native keys 924663c36d Add CMS AuthEnvelopedData with AES-GCM support d96486dc80 apps/cmp.c: Allow default HTTP path (aka CMP alias) given with -server option 6e477a60e4 apps/cmp.c: Use enhanced OSSL_HTTP_parse_url(), removing parse_addr() and atoint() d7fcee3b3b OSSL_HTTP_parse_url(): add optional port number return parameter and strengthen documentation 8d6481f532 EVP: Move the functions and controls for setting and getting distid b968945204 EVP: Expand the use of EVP_PKEY_CTX_md() 86df26b394 EVP: Add support for delayed EVP_PKEY operation parameters ea0add4a82 New GOST PKCS12 standard support 08497fc64f Fix test/evp_extra_test.c 20d56d6d62 EVP: Don't shadow EVP_PKEY_CTX_new* error records 509144964b EVP: Preserve the EVP_PKEY id in a few more spots 884baafba4 Use return code for 'which command' checks 4348995b0d Fix memory leaks in conf_def.c 385deae79f Building: Build Unix static libraries one object file at a time Build log ended with (last 100 lines): 65-test_cmp_status.t ... ok 65-test_cmp_vfy.t .. ok 70-test_asyncio.t .. ok 70-test_bad_dtls.t . ok 70-test_clienthello.t .. ok 70-test_comp.t . ok 70-test_key_share.t ok 70-test_packet.t ... ok 70-test_recordlen.t ok 70-test_renegotiation.t ok 70-test_servername.t ... ok 70-test_sslcbcpadding.t ok 70-test_sslcertstatus.t ok 70-test_sslextension.t . ok 70-test_sslmessages.t .. ok 70-test_sslrecords.t ... ok 70-test_sslsessiontick.t ... 
ok 70-test_sslsigalgs.t ... ok 70-test_sslsignature.t . ok 70-test_sslskewith0p.t . ok 70-test_sslversions.t .. ok 70-test_sslvertol.t ok 70-test_tls13alerts.t .. ok 70-test_tls13cookie.t .. ok 70-test_tls13downgrade.t ... ok 70-test_tls13hrr.t . ok 70-test_tls13kexmodes.t ok 70-test_tls13messages.t ok 70-test_tls13psk.t . ok 70-test_tlsextms.t . ok 70-test_verify_extra.t . ok 70-test_wpacket.t .. ok 71-test_ssl_ctx.t .. ok 80-test_ca.t ... ok 80-test_cipherbytes.t .. ok 80-test_cipherlist.t ... ok 80-test_ciphername.t ... ok # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... ok 80-test_dane.t . ok 80-test_dtls.t . ok 80-test_dtls_mtu.t . ok 80-test_dtlsv1listen.t . ok 80-test_http.t . ok 80-test_ocsp.t . ok 80-test_pkcs12.t ... ok 80-test_ssl_new.t .. ok 80-test_ssl_old.t .. ok 80-test_ssl_test_ctx.t . ok 80-test_sslcorrupt.t ... ok 80-test_tsa.t .. ok 80-test_x509aux.t .. ok # 81-test_cmp_cli.t .. ok 90-test_asn1_time.t ok 90-test_async.t ok 90-test_bio_enc.t .. ok 90-test_bio_memleak.t .. ok 90-test_constant_time.t ok 90-test_fatalerr.t . ok 90-test_gmdiff.t ... ok 90-test_gost.t . ok 90-test_ige.t .. ok 90-test_includes.t . ok 90-test_memleak.t .. ok 90-test_overhead.t . ok 90-test_secmem.t ... ok 90-test_shlibload.t ok 90-test_srp.t .. ok 90-test_sslapi.t ... ok 90-test_sslbuffers.t ... ok 90-test_store.t ok 90-test_sysdefault.t ... ok 90-test_threads.t .. ok 90-test_time_offset.t .. ok 90-test_tls13ccs.t . ok 90-test_tls13encryption.t .. ok 90-test_tls13secrets.t . ok 90-test_v3name.t ... ok 95-test_external_boringssl.t ... skipped: No external tests in this configuration 95-test_external_gost_engine.t . skipped: No external tests in this configuration 95-test_external_krb5.t skipped: No external tests in this configuration 95-test_external_pyca.t
Still FAILED build of OpenSSL branch master with options -d --strict-warnings enable-asan no-shared -DOPENSSL_SMALL_FOOTPRINT
Platform and configuration command: $ uname -a Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings enable-asan no-shared -DOPENSSL_SMALL_FOOTPRINT Commit log since last time: b434b2c08d Allow unauthenticated CMP server if missing -trusted, -srvcert, and -secret options 15633d74dc Add 4 new OIDs for PKIX key purposes and 3 new CMP information types 1251cddf8d TEST: modify test/endecode_test.c to not use legacy keys 4ce1025a8a PEM: Make PEM_write_bio_PrivateKey_traditional() handle provider-native keys 924663c36d Add CMS AuthEnvelopedData with AES-GCM support d96486dc80 apps/cmp.c: Allow default HTTP path (aka CMP alias) given with -server option 6e477a60e4 apps/cmp.c: Use enhanced OSSL_HTTP_parse_url(), removing parse_addr() and atoint() d7fcee3b3b OSSL_HTTP_parse_url(): add optional port number return parameter and strengthen documentation 8d6481f532 EVP: Move the functions and controls for setting and getting distid b968945204 EVP: Expand the use of EVP_PKEY_CTX_md() 86df26b394 EVP: Add support for delayed EVP_PKEY operation parameters ea0add4a82 New GOST PKCS12 standard support 08497fc64f Fix test/evp_extra_test.c 20d56d6d62 EVP: Don't shadow EVP_PKEY_CTX_new* error records 509144964b EVP: Preserve the EVP_PKEY id in a few more spots 884baafba4 Use return code for 'which command' checks 4348995b0d Fix memory leaks in conf_def.c 385deae79f Building: Build Unix static libraries one object file at a time Build log ended with (last 100 lines): # Server sent alert unexpected_message but client received no alert. # 8047EBE33B7F:error::SSL routines::unexpected message:../openssl/ssl/statem/statem_srvr.c:318: not ok 9 - iteration 9 # -- not ok 1 - test_handshake # -- ../../util/wrap.pl ../../test/ssl_test 25-cipher.cnf.default default => 1 not ok 6 - running ssl_test 25-cipher.cnf # -- # Looks like you failed 2 tests of 9. 
not ok 26 - Test configuration 25-cipher.cnf # -- # Looks like you failed 1 test of 31.80-test_ssl_new.t .. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/31 subtests 80-test_ssl_old.t .. ok 80-test_ssl_test_ctx.t . ok # INFO: @ ../openssl/test/sslcorrupttest.c:199 # Starting #2, ECDHE-RSA-CHACHA20-POLY1305 # ERROR: (int) 'SSL_get_error(clientssl, 0) == SSL_ERROR_WANT_READ' failed @ ../openssl/test/ssltestlib.c:1032 # [1] compared to [2] # ERROR: (bool) 'create_ssl_connection(server, client, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslcorrupttest.c:229 # false # 8047432C237F:error::SSL routines::unexpected message:../openssl/ssl/statem/statem_clnt.c:403: not ok 3 - iteration 3 # -- # INFO: @ ../openssl/test/sslcorrupttest.c:199 # Starting #3, DHE-RSA-CHACHA20-POLY1305 # ERROR: (int) 'SSL_get_error(clientssl, 0) == SSL_ERROR_WANT_READ' failed @ ../openssl/test/ssltestlib.c:1032 # [1] compared to [2] # ERROR: (bool) 'create_ssl_connection(server, client, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslcorrupttest.c:229 # false # 8047432C237F:error::SSL routines::unexpected message:../openssl/ssl/statem/statem_clnt.c:403: not ok 4 - iteration 4 # -- not ok 1 - test_ssl_corrupt # -- ../../util/wrap.pl ../../test/sslcorrupttest ../../../openssl/apps/server.pem ../../../openssl/apps/server.pem => 1 not ok 1 - running sslcorrupttest # -- # Failed test 'running sslcorrupttest' # at ../openssl/test/recipes/80-test_sslcorrupt.t line 19. # Looks like you failed 1 test of 1.80-test_sslcorrupt.t ... Dubious, test returned 1 (wstat 256, 0x100) Failed 1/1 subtests 80-test_tsa.t .. ok 80-test_x509aux.t .. ok # 81-test_cmp_cli.t .. ok 90-test_asn1_time.t ok 90-test_async.t ok 90-test_bio_enc.t .. ok 90-test_bio_memleak.t .. ok 90-test_constant_time.t ok 90-test_fatalerr.t . ok 90-test_gmdiff.t ... ok 90-test_gost.t . skipped: GOST support is disabled in this OpenSSL build 90-test_ige.t .. ok 90-test_includes.t
[openssl] master update
The branch master has been updated via b434b2c08d2025936fb8b7ece3a590861f6b (commit) from 15633d74dcfe446d309d612c69fd075616d45c5b (commit) - Log - commit b434b2c08d2025936fb8b7ece3a590861f6b Author: Dr. David von Oheimb Date: Fri Aug 28 13:37:04 2020 +0200 Allow unauthenticated CMP server if missing -trusted, -srvcert, and -secret options Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12806) --- Summary of changes: apps/cmp.c | 6 ++ crypto/cmp/cmp_vfy.c| 8 doc/man1/openssl-cmp.pod.in | 8 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/apps/cmp.c b/apps/cmp.c index dd49142309..f9b50fc659 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -1546,10 +1546,8 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) } EVP_PKEY_free(pkey); } -if (opt_secret == NULL && opt_srvcert == NULL && opt_trusted == NULL) { -CMP_err("missing -secret or -srvcert or -trusted"); -goto err; -} +if (opt_secret == NULL && opt_srvcert == NULL && opt_trusted == NULL) +CMP_warn("will not authenticate server due to missing -secret, -trusted, or -srvcert"); if (opt_cert != NULL) { X509 *cert; diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c index 9b8a88f94b..f5026e0bbc 100644 --- a/crypto/cmp/cmp_vfy.c +++ b/crypto/cmp/cmp_vfy.c @@ -568,6 +568,10 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg) switch (ossl_cmp_hdr_get_protection_nid(msg->header)) { /* 5.1.3.1. Shared Secret Information */ case NID_id_PasswordBasedMAC: +if (ctx->secretValue == NULL) { +ossl_cmp_warn(ctx, "no secret available for verifying PBM-based CMP message protection"); +return 1; +} if (verify_PBMAC(ctx, msg)) { /* * RFC 4210, 5.3.2: 'Note that if the PKI Message Protection is 
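Review bot: With the `goto err` removed from setup_protection_ctx in apps/cmp.c, a run in which -secret, -srvcert and -trusted are all absent now continues against an unauthenticated server, and the single `CMP_warn` line is the only signal of that. A configuration mistake, such as a config section that fails to supply the trust store, therefore degrades silently to unauthenticated enrolment instead of stopping. I would take the warning path only behind an explicit opt-in and otherwise keep the hard error, and add a comment above the check such as `/* no server authentication material configured: responses are accepted unverified */`. The function body starts and ends outside this hunk.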
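Review bot: Each added early `return 1` in OSSL_CMP_validate_msg (crypto/cmp/cmp_vfy.c) checks only the credential of the branch it sits in, while the branch is selected by `ossl_cmp_hdr_get_protection_nid(msg->header)`, that is, by the message being validated. In the `NID_id_PasswordBasedMAC` case a context with `ctx->trusted` or `ctx->srvCert` set but no `ctx->secretValue` reports a PBM-labelled message as valid without checking it, and the `default:` case in the `@@ -615,6 +619,10 @@` hunk does the mirror image for a context that holds only a secret. That is wider than what the POD text added in the same commit describes (none of the three options given); the skip should apply only when nothing is configured, e.g. `if (ctx->secretValue == NULL && ctx->srvCert == NULL && ctx->trusted == NULL)` around the warn-and-`return 1`, with `return 0` when the branch's own credential is missing but another one is present. Callers also cannot tell "verified" from "skipped" by the return value, so the function's documentation should state this. The function body starts and ends outside both hunks.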
@@ -615,6 +619,10 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg) default: scrt = ctx->srvCert; if (scrt == NULL) { +if (ctx->trusted == NULL) { +ossl_cmp_warn(ctx, "no trust store nor pinned server cert available for verifying signature-based CMP message protection"); +return 1; +} if (check_msg_find_cert(ctx, msg)) return 1; } else { /* use pinned sender cert */ diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 46c5059d84..623e3f7dee 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -174,6 +174,7 @@ Default filename is from the environment variable C. Section(s) to use within config file defining CMP options. An empty string C<""> means no specific section. Default is C. + Multiple section names may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). Contents of sections named later may override contents of sections named before. @@ -485,6 +486,9 @@ This option gives more flexibility than the B<-srvcert> option because the protection certificate is not pinned but may be any certificate for which a chain to one of the given trusted certificates can be constructed. +If no B<-trusted>, B<-srvcert>, and B<-secret> option is given +then protected response messages from the server are not authenticated. + Multiple filenames may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). Each source may contain multiple certificates. @@ -809,6 +813,7 @@ Default is one invocation. =item B<-reqin> I Take sequence of CMP requests from file(s). + Multiple filenames may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). As many files are read as needed for a complete transaction. 
@@ -823,18 +828,21 @@ and the CMP server complains that the transaction ID has already been used. =item B<-reqout> I Save sequence of CMP requests to file(s). + Multiple filenames may be given, separated by commas and/or whitespace. As many files are written as needed to store the complete transaction. =item B<-rspin> I Process sequence of CMP responses provided in file(s), skipping server. + Multiple filenames may be given, separated by commas and/or whitespace. As many files are read as needed for the complete transaction. =item B<-rspout> I Save sequence of CMP responses to file(s). + Multiple filenames may be given, separated by commas and/or whitespace. As many files are written as needed to store the complete transaction.
[openssl] master update
The branch master has been updated via 15633d74dcfe446d309d612c69fd075616d45c5b (commit) from 1251cddf8d413af3747e81e39141f34318f92cd6 (commit) - Log - commit 15633d74dcfe446d309d612c69fd075616d45c5b Author: Dr. David von Oheimb Date: Mon Sep 7 20:27:19 2020 +0200 Add 4 new OIDs for PKIX key purposes and 3 new CMP information types Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/12807) --- Summary of changes: crypto/objects/obj_dat.h | 45 - crypto/objects/obj_mac.num | 7 +++ crypto/objects/objects.txt | 9 + fuzz/oids.txt | 7 +++ include/openssl/obj_mac.h | 32 5 files changed, 95 insertions(+), 5 deletions(-) diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index decf33ef9b..0abd2a8d72 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -10,7 +10,7 @@ */ /* Serialized OID's */ -static const unsigned char so[7845] = { +static const unsigned char so[7901] = { 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [0] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,/* [6] OBJ_pkcs */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02, /* [ 13] OBJ_md2 */ 
@@ -1086,9 +1086,16 @@ static const unsigned char so[7845] = { 0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x05, /* [ 7820] OBJ_XmppAddr */ 0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x07, /* [ 7828] OBJ_SRVName */ 0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x08, /* [ 7836] OBJ_NAIRealm */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x1D, /* [ 7844] OBJ_cmcArchive */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x1E, /* [ 7852] OBJ_id_kp_bgpsec_router */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x1F, /* [ 7860] OBJ_id_kp_BrandIndicatorforMessageIdentification */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x20, /* [ 7868] OBJ_cmKGA */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x11, /* [ 7876] OBJ_id_it_caCerts */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x12, /* [ 7884] OBJ_id_it_rootCaKeyUpdate */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x13, /* [ 7892] OBJ_id_it_certReqTemplate */ }; -#define NUM_NID 1219 +#define NUM_NID 1226 static const ASN1_OBJECT nid_objs[NUM_NID] = { {"UNDEF", "undefined", NID_undef}, {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, [0]}, @@ -2309,9 +2316,16 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = { {"modp_6144", "modp_6144", NID_modp_6144}, {"modp_8192", "modp_8192", NID_modp_8192}, {"KxGOST18", "kx-gost18", NID_kx_gost18}, +{"cmcArchive", "CMC Archive Server", NID_cmcArchive, 8, [7844]}, +{"id-kp-bgpsec-router", "BGPsec Router", NID_id_kp_bgpsec_router, 8, [7852]}, +{"id-kp-BrandIndicatorforMessageIdentification", "Brand Indicator for Message Identification", NID_id_kp_BrandIndicatorforMessageIdentification, 8, [7860]}, +{"cmKGA", "Certificate Management Key Generation Authority", NID_cmKGA, 8, [7868]}, +{"id-it-caCerts", "id-it-caCerts", NID_id_it_caCerts, 8, [7876]}, +{"id-it-rootCaKeyUpdate", "id-it-rootCaKeyUpdate", NID_id_it_rootCaKeyUpdate, 8, [7884]}, +{"id-it-certReqTemplate", "id-it-certReqTemplate", NID_id_it_certReqTemplate, 8, [7892]}, }; -#define NUM_SN 1210 +#define NUM_SN 1217 static const unsigned int sn_objs[NUM_SN] = { 364,/* "AD_DVCS" */ 419,/* "AES-128-CBC" */ 
@@ -2692,6 +2706,8 @@ static const unsigned int sn_objs[NUM_SN] = { 407,/* "characteristic-two-field" */ 395,/* "clearance" */ 130,/* "clientAuth" */ +1222,/* "cmKGA" */ +1219,/* "cmcArchive" */ 1131,/* "cmcCA" */ 1132,/* "cmcRA" */ 131,/* "codeSigning" */ @@ -2931,8 +2947,10 @@ static const unsigned int sn_objs[NUM_SN] = { 1104,/* "id-hmacWithSHA3-384" */ 1105,/* "id-hmacWithSHA3-512" */ 260,/* "id-it" */ +1223,/* "id-it-caCerts" */ 302,/* "id-it-caKeyUpdateInfo" */ 298,/* "id-it-caProtEncCert" */ +1225,/* "id-it-certReqTemplate" */ 311,/* "id-it-confirmWaitTime" */ 303,/* "id-it-currentCRL" */ 300,/* "id-it-encKeyPairTypes" */ @@ -2942,12 +2960,15 @@ static const unsigned int sn_objs[NUM_SN] = { 312,/* "id-it-origPKIMessage" */ 301,/* "id-it-preferredSymmAlg" */ 309,/* "id-it-revPassphrase" */ +1224,/* "id-it-rootCaKeyUpdate" */ 299,/* "id-it-signKeyPairTypes" */ 305,/* "id-it-subscriptionRequest" */ 306,/* "id-it-subscriptionResponse" */ 784,/* "id-it-suppLangTags" */ 304,/* "id-it-unsupportedOIDs" */ 128,/* "id-kp" */ +1221,/*
Still Failing: openssl/openssl#37292 (master - 1251cdd)
Build Update for openssl/openssl - Build: #37292 Status: Still Failing Duration: 1 hr, 19 mins, and 16 secs Commit: 1251cdd (master) Author: Richard Levitte Message: TEST: modify test/endecode_test.c to not use legacy keys Now that PEM_write_bio_PrivateKey_traditional() can handle provider-native EVP_PKEYs, we don't need to use explicitly legacy ones. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12738) View the changeset: https://github.com/openssl/openssl/compare/924663c36d47...1251cddf8d41 View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/183385057?utm_medium=notification_source=email
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_3
Platform and configuration command: $ uname -a Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_3 Commit log since last time: 6353507e9d DOC: Fix check of EVP_PKEY_fromdata{,_init} in examples d9ea62c2c2 DOC: Modify one example in EVP_PKEY_fromdata(3) bef7638610 Cleanup deprecation of ENGINE_setup_bsd_cryptodev 7f0f88240e Slightly abstract ktls_start() to reduce OS-specific #ifdefs. 74eee1bdaa Remove unused dummy functions from ktls.h. 4b09e19216 Fix the socket BIO control methods to use ktls_crypto_info_t. 076bf8c2c9 X509_STORE_CTX_print_verify_cb(): add AKID and SKID output for (non-)trusted certs 0b86eefd43 OSSL_CMP_CTX: rename field and its getter/setter from 'untrusted_certs' to 'untrusted 15076c26d7 Strengthen chain building for CMP 39082af2fa Add OSSL_CMP_CTX_get1_newChain() and related CLI option -chainout 09e76c5dd3 test/drbgtest: improve the reseed after fork test 59ed733989 Fix coverity CID #1454815 - NULL ptr dereference in initthread.c 5340c8ea2a Fix coverity CID #1452769 & #1452771 - Arg passed to function that cannot be negative in cms_ess.c 776cf98b49 Fix coverity CID #1457935 - Check return value in ffc_params.c for BIO_indent/BIO_puts calls. d135774e7d Fix coverity CID #1465967 & #1465968 - fix NULL dereference in dh_ameth.c 3320026911 Fix coverity CID #1466371 - fix dereference before NULL check. 0e540f231c Fix coverity CID #1466375 - Remove dead code. 7ce49eeaca Fix coverity CID #1466377 - resource leak due to early return in ec_get_params(). 
ea47869792 Fix coverity CID #1466378 - Incorrect expression in ec_backend.c d55d0935de ASN1: Make ASN1_item_verify_ctx() work with provider-native keys 5045abb2e9 EC: Remove one error record that shadows another 7192e4dfa1 TEST: Ensure that the base provider i activated when needed 96b924105f Revert "TEST: separate out NIST ECC tests from non-NIST" 4feda976de EVP: Don't report malloc failure in new_raw_key_int() 88c1d0c1da TEST: have key_unsupported() in evp_test.c look at the last error c2150f7357 STORE: Stop the flood of errors 67b6401356 CORE: Fix small bug in passphrase caching 7a30681095 STORE: Fix potential memory leak a10847c427 "Downgrade" provider-native keys to legacy where needed b527564884 EVP: Downgrade EVP_PKEYs in EVP_PKEY2PKCS8() 7620d89c3f TEST: Modify test/recipes/90-test_store.t for use with different 'file:' loaders a1447076be STORE: Deprecate legacy / ENGINE functions 63f187cfed STORE: Add a built-in 'file:' storemgmt implementation (loader) 16feca7154 STORE: Move the built-in 'file:' loader to become an engine module bd7a6f16eb OSSL_ENCODER / OSSL_DECODER post-rename cleanup a955676141 ASN1: Fix d2i_KeyParams() to advance |pp| like all other d2i functions do 0bc193dd05 Ensure EVP_MAC_update() passes the length even if it is 0 13c9843cff Convert ssl3_cbc_digest_record() to use EVP_MD_is_a() 820d87bc98 Update the EVP_PKEY MAC documentation f271389305 Enable PKEY MAC bridge signature algs to take ctx params e08f86ddb1 Make ssl3_cbc_digest_record() use the real data_size 2e2084dac3 Start using the provider side TLS HMAC implementation 3fddbb264e Add an HMAC implementation that is TLS aware b48ca22a56 Avoid AIX compiler issue by making the macro argument names not match any substring 6f04bcc7e3 Fix typo in FIPS_MODULE endif macro comment 1010e4ac97 Fix post-condition in algorithm_do_this 2b748d722b Fix use of OPENSSL_realloc in provider Build log ended with (last 100 lines): # 81-test_cmp_cli.t .. 
ok 90-test_asn1_time.t ok 90-test_async.t ok 90-test_bio_enc.t .. ok 90-test_bio_memleak.t .. ok 90-test_constant_time.t ok 90-test_fatalerr.t . ok 90-test_gmdiff.t ... ok 90-test_gost.t . skipped: TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build 90-test_ige.t .. ok 90-test_includes.t . ok 90-test_memleak.t .. ok 90-test_overhead.t . ok 90-test_secmem.t ... ok 90-test_shlibload.t ok 90-test_srp.t .. ok # INFO: @ ../openssl/test/ssltestlib.c:946 # SSL_connect() failed -1, 1 # C01088E5A07F:error::SSL routines::no suitable digest algorithm:../openssl/ssl/s3_enc.c:413: # INFO: @ ../openssl/test/ssltestlib.c:964 # SSL_accept() failed -1, 1 # C01088E5A07F:error::SSL routines::tlsv1 alert internal error:../openssl/ssl/record/rec_layer_s3.c:1615:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:7912 # false not ok 2 - iteration 2 # -- # INFO: @ ../openssl/test/ssltestlib.c:964 #
Still Failing: openssl/openssl#37287 (master - 924663c)
Build Update for openssl/openssl - Build: #37287 Status: Still Failing Duration: 1 hr, 29 mins, and 6 secs Commit: 924663c (master) Author: Jakub Zelenka Message: Add CMS AuthEnvelopedData with AES-GCM support Add the AuthEnvelopedData as defined in RFC 5083 with AES-GCM parameter as defined in RFC 5084. Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/8024) View the changeset: https://github.com/openssl/openssl/compare/d96486dc809b...924663c36d47 View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/183371637?utm_medium=notification_source=email
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method
Platform and configuration command: $ uname -a Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: 6353507e9d DOC: Fix check of EVP_PKEY_fromdata{,_init} in examples d9ea62c2c2 DOC: Modify one example in EVP_PKEY_fromdata(3) bef7638610 Cleanup deprecation of ENGINE_setup_bsd_cryptodev 7f0f88240e Slightly abstract ktls_start() to reduce OS-specific #ifdefs. 74eee1bdaa Remove unused dummy functions from ktls.h. 4b09e19216 Fix the socket BIO control methods to use ktls_crypto_info_t. 076bf8c2c9 X509_STORE_CTX_print_verify_cb(): add AKID and SKID output for (non-)trusted certs 0b86eefd43 OSSL_CMP_CTX: rename field and its getter/setter from 'untrusted_certs' to 'untrusted 15076c26d7 Strengthen chain building for CMP 39082af2fa Add OSSL_CMP_CTX_get1_newChain() and related CLI option -chainout 09e76c5dd3 test/drbgtest: improve the reseed after fork test 59ed733989 Fix coverity CID #1454815 - NULL ptr dereference in initthread.c 5340c8ea2a Fix coverity CID #1452769 & #1452771 - Arg passed to function that cannot be negative in cms_ess.c 776cf98b49 Fix coverity CID #1457935 - Check return value in ffc_params.c for BIO_indent/BIO_puts calls. d135774e7d Fix coverity CID #1465967 & #1465968 - fix NULL dereference in dh_ameth.c 3320026911 Fix coverity CID #1466371 - fix dereference before NULL check. 0e540f231c Fix coverity CID #1466375 - Remove dead code. 7ce49eeaca Fix coverity CID #1466377 - resource leak due to early return in ec_get_params(). 
ea47869792 Fix coverity CID #1466378 - Incorrect expression in ec_backend.c d55d0935de ASN1: Make ASN1_item_verify_ctx() work with provider-native keys 5045abb2e9 EC: Remove one error record that shadows another 7192e4dfa1 TEST: Ensure that the base provider i activated when needed 96b924105f Revert "TEST: separate out NIST ECC tests from non-NIST" 4feda976de EVP: Don't report malloc failure in new_raw_key_int() 88c1d0c1da TEST: have key_unsupported() in evp_test.c look at the last error c2150f7357 STORE: Stop the flood of errors 67b6401356 CORE: Fix small bug in passphrase caching 7a30681095 STORE: Fix potential memory leak a10847c427 "Downgrade" provider-native keys to legacy where needed b527564884 EVP: Downgrade EVP_PKEYs in EVP_PKEY2PKCS8() 7620d89c3f TEST: Modify test/recipes/90-test_store.t for use with different 'file:' loaders a1447076be STORE: Deprecate legacy / ENGINE functions 63f187cfed STORE: Add a built-in 'file:' storemgmt implementation (loader) 16feca7154 STORE: Move the built-in 'file:' loader to become an engine module bd7a6f16eb OSSL_ENCODER / OSSL_DECODER post-rename cleanup a955676141 ASN1: Fix d2i_KeyParams() to advance |pp| like all other d2i functions do 0bc193dd05 Ensure EVP_MAC_update() passes the length even if it is 0 13c9843cff Convert ssl3_cbc_digest_record() to use EVP_MD_is_a() 820d87bc98 Update the EVP_PKEY MAC documentation f271389305 Enable PKEY MAC bridge signature algs to take ctx params e08f86ddb1 Make ssl3_cbc_digest_record() use the real data_size 2e2084dac3 Start using the provider side TLS HMAC implementation 3fddbb264e Add an HMAC implementation that is TLS aware b48ca22a56 Avoid AIX compiler issue by making the macro argument names not match any substring 6f04bcc7e3 Fix typo in FIPS_MODULE endif macro comment 1010e4ac97 Fix post-condition in algorithm_do_this 2b748d722b Fix use of OPENSSL_realloc in provider Build log ended with (last 100 lines): # INFO: @ ../openssl/test/ssltestlib.c:946 # SSL_connect() failed -1, 1 # 
C040557A137F:error::SSL routines::tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:618:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1327 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1405 # false not ok 4 - test_cleanse_plaintext # -- # INFO: @ ../openssl/test/ssltestlib.c:964 # SSL_accept() failed -1, 1 # C040557A137F:error::SSL routines::no suitable signature algorithm:../openssl/ssl/t1_lib.c:3329: # INFO: @ ../openssl/test/ssltestlib.c:946 # SSL_connect() failed -1, 1 # C040557A137F:error::SSL routines::tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:618:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6456 # false not ok 2 - iteration 2 # -- not ok 53 - test_ssl_pending #
Still Failing: openssl/openssl#37285 (master - d96486d)
Build Update for openssl/openssl - Build: #37285 Status: Still Failing Duration: 1 hr, 23 mins, and 32 secs Commit: d96486d (master) Author: Dr. David von Oheimb Message: apps/cmp.c: Allow default HTTP path (aka CMP alias) given with -server option Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12786) View the changeset: https://github.com/openssl/openssl/compare/8d6481f532ab...d96486dc809b View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/183370528?utm_medium=notification_source=email
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2
Platform and configuration command: $ uname -a Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: 6353507e9d DOC: Fix check of EVP_PKEY_fromdata{,_init} in examples d9ea62c2c2 DOC: Modify one example in EVP_PKEY_fromdata(3) bef7638610 Cleanup deprecation of ENGINE_setup_bsd_cryptodev 7f0f88240e Slightly abstract ktls_start() to reduce OS-specific #ifdefs. 74eee1bdaa Remove unused dummy functions from ktls.h. 4b09e19216 Fix the socket BIO control methods to use ktls_crypto_info_t. 076bf8c2c9 X509_STORE_CTX_print_verify_cb(): add AKID and SKID output for (non-)trusted certs 0b86eefd43 OSSL_CMP_CTX: rename field and its getter/setter from 'untrusted_certs' to 'untrusted 15076c26d7 Strengthen chain building for CMP 39082af2fa Add OSSL_CMP_CTX_get1_newChain() and related CLI option -chainout 09e76c5dd3 test/drbgtest: improve the reseed after fork test 59ed733989 Fix coverity CID #1454815 - NULL ptr dereference in initthread.c 5340c8ea2a Fix coverity CID #1452769 & #1452771 - Arg passed to function that cannot be negative in cms_ess.c 776cf98b49 Fix coverity CID #1457935 - Check return value in ffc_params.c for BIO_indent/BIO_puts calls. d135774e7d Fix coverity CID #1465967 & #1465968 - fix NULL dereference in dh_ameth.c 3320026911 Fix coverity CID #1466371 - fix dereference before NULL check. 0e540f231c Fix coverity CID #1466375 - Remove dead code. 7ce49eeaca Fix coverity CID #1466377 - resource leak due to early return in ec_get_params(). 
ea47869792 Fix coverity CID #1466378 - Incorrect expression in ec_backend.c d55d0935de ASN1: Make ASN1_item_verify_ctx() work with provider-native keys 5045abb2e9 EC: Remove one error record that shadows another 7192e4dfa1 TEST: Ensure that the base provider i activated when needed 96b924105f Revert "TEST: separate out NIST ECC tests from non-NIST" 4feda976de EVP: Don't report malloc failure in new_raw_key_int() 88c1d0c1da TEST: have key_unsupported() in evp_test.c look at the last error c2150f7357 STORE: Stop the flood of errors 67b6401356 CORE: Fix small bug in passphrase caching 7a30681095 STORE: Fix potential memory leak a10847c427 "Downgrade" provider-native keys to legacy where needed b527564884 EVP: Downgrade EVP_PKEYs in EVP_PKEY2PKCS8() 7620d89c3f TEST: Modify test/recipes/90-test_store.t for use with different 'file:' loaders a1447076be STORE: Deprecate legacy / ENGINE functions 63f187cfed STORE: Add a built-in 'file:' storemgmt implementation (loader) 16feca7154 STORE: Move the built-in 'file:' loader to become an engine module bd7a6f16eb OSSL_ENCODER / OSSL_DECODER post-rename cleanup a955676141 ASN1: Fix d2i_KeyParams() to advance |pp| like all other d2i functions do 0bc193dd05 Ensure EVP_MAC_update() passes the length even if it is 0 13c9843cff Convert ssl3_cbc_digest_record() to use EVP_MD_is_a() 820d87bc98 Update the EVP_PKEY MAC documentation f271389305 Enable PKEY MAC bridge signature algs to take ctx params e08f86ddb1 Make ssl3_cbc_digest_record() use the real data_size 2e2084dac3 Start using the provider side TLS HMAC implementation 3fddbb264e Add an HMAC implementation that is TLS aware b48ca22a56 Avoid AIX compiler issue by making the macro argument names not match any substring 6f04bcc7e3 Fix typo in FIPS_MODULE endif macro comment 1010e4ac97 Fix post-condition in algorithm_do_this 2b748d722b Fix use of OPENSSL_realloc in provider Build log ended with (last 100 lines): # INFO: @ ../openssl/test/ssltestlib.c:946 # SSL_connect() failed -1, 1 # 
C0009766637F:error::SSL routines::tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:618:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1327 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1405 # false not ok 4 - test_cleanse_plaintext # -- # INFO: @ ../openssl/test/ssltestlib.c:964 # SSL_accept() failed -1, 1 # C0009766637F:error::SSL routines::no suitable signature algorithm:../openssl/ssl/t1_lib.c:3329: # INFO: @ ../openssl/test/ssltestlib.c:946 # SSL_connect() failed -1, 1 # C0009766637F:error::SSL routines::tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:618:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6456 # false not ok 2 - iteration 2 # -- not ok 53 - test_ssl_pending #
[openssl] master update
The branch master has been updated via 1251cddf8d413af3747e81e39141f34318f92cd6 (commit) via 4ce1025a8ac37d255f569147116dd776f9267cce (commit) from 924663c36d47066d5307937da77fed7e872730c7 (commit) - Log - commit 1251cddf8d413af3747e81e39141f34318f92cd6 Author: Richard Levitte Date: Mon Sep 7 08:47:00 2020 +0200 TEST: modify test/endecode_test.c to not use legacy keys Now that PEM_write_bio_PrivateKey_traditional() can handle provider-native EVP_PKEYs, we don't need to use explicitly legacy ones. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12738) commit 4ce1025a8ac37d255f569147116dd776f9267cce Author: Richard Levitte Date: Thu Aug 27 10:07:09 2020 +0200 PEM: Make PEM_write_bio_PrivateKey_traditional() handle provider-native keys PEM_write_bio_PrivateKey_traditional() didn't handle provider-native keys very well. Originally, it would simply use the corresponding encoder, which is likely to output modern PEM (not "traditional"). PEM_write_bio_PrivateKey_traditional() is now changed to try and get a legacy copy of the input EVP_PKEY, and use that copy for traditional output, if it has such support. Internally, evp_pkey_copy_downgraded() is added, to be used when evp_pkey_downgrade() is too intrusive for what it's needed for. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12738) --- Summary of changes: crypto/evp/p_lib.c| 222 +- crypto/pem/pem_pkey.c | 20 +- doc/internal/man3/evp_pkey_export_to_provider.pod | 10 +- include/crypto/evp.h | 2 + test/endecode_test.c | 221 - 5 files changed, 242 insertions(+), 233 deletions(-) diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index fec4e2d43b..0f5378c4fe 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c 
@@ -1369,6 +1369,19 @@ size_t EVP_PKEY_get1_tls_encodedpoint(EVP_PKEY *pkey, unsigned char **ppt) /*- All methods below can also be used in FIPS_MODULE */ +static int evp_pkey_reset_unlocked(EVP_PKEY *pk) +{ +if (pk == NULL) +return 0; + +memset(pk, 0, sizeof(*pk)); +pk->type = EVP_PKEY_NONE; +pk->save_type = EVP_PKEY_NONE; +pk->references = 1; +pk->save_parameters = 1; +return 1; +} + EVP_PKEY *EVP_PKEY_new(void) { EVP_PKEY *ret = OPENSSL_zalloc(sizeof(*ret)); @@ -1377,10 +1390,10 @@ EVP_PKEY *EVP_PKEY_new(void) EVPerr(EVP_F_EVP_PKEY_NEW, ERR_R_MALLOC_FAILURE); return NULL; } -ret->type = EVP_PKEY_NONE; -ret->save_type = EVP_PKEY_NONE; -ret->references = 1; -ret->save_parameters = 1; + +if (!evp_pkey_reset_unlocked(ret)) +goto err; + ret->lock = CRYPTO_THREAD_lock_new(); if (ret->lock == NULL) { EVPerr(EVP_F_EVP_PKEY_NEW, ERR_R_MALLOC_FAILURE); 
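Review bot: `evp_pkey_reset_unlocked()` clears the whole structure with `memset(pk, 0, sizeof(*pk))`, which also wipes `pk->lock`, the reference count and every pointer the key held, and nothing at the definition says so. In `EVP_PKEY_new()` (second hunk) that is harmless because `ret` comes straight from `OPENSSL_zalloc()`, although the `goto err` there presumably can never fire, since the allocation has already been checked; the `err` label and the rest of the function lie outside the hunk. Any other caller, none of which is visible in these two hunks, would have to release what the key references and save and restore the lock around the call, or it leaks those objects and loses the lock. I would state that contract above the helper, for example `/* Zeroes the entire struct, including pk->lock: caller frees the contents first and restores the lock afterwards. */`.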
@@ -1802,109 +1815,142 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OPENSSL_CTX *libctx, } #ifndef FIPS_MODULE -int evp_pkey_downgrade(EVP_PKEY *pk) +int evp_pkey_copy_downgraded(EVP_PKEY **dest, const EVP_PKEY *src) { -EVP_KEYMGMT *keymgmt = pk->keymgmt; -void *keydata = pk->keydata; -int type = pk->type; -const char *keytype = NULL; +if (!ossl_assert(dest != NULL)) +return 0; -/* If this isn't a provider side key, we're done */ -if (keymgmt == NULL) -return 1; +if (evp_pkey_is_assigned(src) && evp_pkey_is_provided(src)) { +EVP_KEYMGMT *keymgmt = src->keymgmt; +void *keydata = src->keydata; +int type = src->type; +const char *keytype = NULL; -keytype = evp_first_name(EVP_KEYMGMT_provider(keymgmt), keymgmt->name_id); +keytype = evp_first_name(EVP_KEYMGMT_provider(keymgmt), + keymgmt->name_id); -/* - * If the type is EVP_PKEY_NONE, then we have a problem somewhere else - * in our code. If it's not one of the well known EVP_PKEY_xxx values, - * it should at least be EVP_PKEY_KEYMGMT at this point. - * TODO(3.0) remove this check when we're confident that the rest of the - * code treats this correctly. - */ -if (!ossl_assert(type != EVP_PKEY_NONE)) { -ERR_raise_data(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR, - "keymgmt key type = %s but legacy type = EVP_PKEY_NONE", - keytype); -return 0; -} +/* + * If the type is EVP_PKEY_NONE, then we have a problem somewhere + * else in our code. If it's not one of the well known EVP_PKEY_xxx + * values, it should at least be EVP_PKEY_KEYMGMT at this point. + * TODO(3.0) remove this check when we're
[openssl] master update
The branch master has been updated via 924663c36d47066d5307937da77fed7e872730c7 (commit) from d96486dc809b5d134055785bfa6d707195d95534 (commit) - Log - commit 924663c36d47066d5307937da77fed7e872730c7 Author: Jakub Zelenka Date: Sun Sep 6 19:11:34 2020 +0100 Add CMS AuthEnvelopedData with AES-GCM support Add the AuthEnvelopedData as defined in RFC 5083 with AES-GCM parameter as defined in RFC 5084. Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/8024) --- Summary of changes: crypto/asn1/evp_asn1.c| 108 +-- crypto/cms/cms_asn1.c | 12 ++ crypto/cms/cms_enc.c | 32 +++- crypto/cms/cms_env.c | 345 ++ crypto/cms/cms_err.c | 3 + crypto/cms/cms_kari.c | 4 +- crypto/cms/cms_lib.c | 24 +++ crypto/cms/cms_local.h| 21 ++- crypto/cms/cms_pwri.c | 16 +- crypto/cms/cms_smime.c| 20 +- crypto/err/openssl.txt| 3 + crypto/evp/evp_lib.c | 107 --- crypto/evp/evp_local.h| 5 + doc/man1/openssl-cms.pod.in | 3 + doc/man3/CMS_EnvelopedData_create.pod | 48 +++-- doc/man3/CMS_decrypt.pod | 6 +- doc/man3/CMS_encrypt.pod | 22 ++- include/crypto/asn1.h | 9 + include/crypto/evp.h | 12 ++ include/openssl/asn1err.h | 1 + include/openssl/cms.h | 5 + include/openssl/cmserr.h | 2 + test/cmsapitest.c | 29 ++- test/drbgtest.c | 1 + test/recipes/80-test_cms.t| 26 ++- util/libcrypto.num| 2 + 26 files changed, 686 insertions(+), 180 deletions(-) diff --git a/crypto/asn1/evp_asn1.c b/crypto/asn1/evp_asn1.c index c775a22181..844aabe603 100644 --- a/crypto/asn1/evp_asn1.c +++ b/crypto/asn1/evp_asn1.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -11,6 +11,7 @@ #include "internal/cryptlib.h" #include #include +#include "crypto/asn1.h" int ASN1_TYPE_set_octetstring(ASN1_TYPE *a, unsigned char *data, int len) { @@ -46,6 +47,34 @@ int ASN1_TYPE_get_octetstring(const ASN1_TYPE *a, unsigned char *data, int max_l return ret; } +static ossl_inline void asn1_type_init_oct(ASN1_OCTET_STRING *oct, + unsigned char *data, int len) +{ +oct->data = data; +oct->type = V_ASN1_OCTET_STRING; +oct->length = len; +oct->flags = 0; +} + +static int asn1_type_get_int_oct(ASN1_OCTET_STRING *oct, int32_t anum, + long *num, unsigned char *data, int max_len) +{ +int ret = ASN1_STRING_length(oct), n; + +if (num != NULL) +*num = anum; + +if (max_len > ret) +n = ret; +else +n = max_len; + +if (data != NULL) +memcpy(data, ASN1_STRING_get0_data(oct), n); + +return ret; +} + typedef struct { int32_t num; ASN1_OCTET_STRING *oct; @@ -66,25 +95,18 @@ int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, unsigned char *data, atmp.num = num; atmp.oct = -oct.data = data; -oct.type = V_ASN1_OCTET_STRING; -oct.length = len; -oct.flags = 0; +asn1_type_init_oct(, data, len); if (ASN1_TYPE_pack_sequence(ASN1_ITEM_rptr(asn1_int_oct), , )) return 1; return 0; } -/* - * we return the actual length... - */ -/* int max_len: for returned value*/ int ASN1_TYPE_get_int_octetstring(const ASN1_TYPE *a, long *num, unsigned char *data, int max_len) { asn1_int_oct *atmp = NULL; -int ret = -1, n; +int ret = -1; if ((a->type != V_ASN1_SEQUENCE) || (a->value.sequence == NULL)) { goto err; @@ -95,17 +117,8 @@ int ASN1_TYPE_get_int_octetstring(const ASN1_TYPE *a, long *num, if (atmp == NULL) goto err; -if (num != NULL) -*num = atmp->num; +ret = asn1_type_get_int_oct(atmp->oct, atmp->num, num, data, max_len); -ret = ASN1_STRING_length(atmp->oct); -if (max_len > ret) -n = ret; -else -n = max_len; - -if (data != NULL) -memcpy(data, ASN1_STRING_get0_data(atmp->oct), n); if (ret == -1) { err: ASN1err(ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING, ASN1_R_DATA_IS_WRONG); 
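Review bot: In the new `asn1_type_get_int_oct()` helper (second hunk), a negative `max_len` falls through `n = max_len` and reaches `memcpy()` as the length, where it converts to a very large `size_t` and writes past `data`. The same arithmetic was in `ASN1_TYPE_get_int_octetstring()` before the move, so this refactor is a natural place to close it: `if (data != NULL && n > 0) memcpy(data, ASN1_STRING_get0_data(oct), n);`. The third hunk also deletes the old "we return the actual length" comment without a replacement; a one-line comment on the helper saying that the return value is the full octet-string length, not the number of bytes copied, would keep callers from sizing buffers on the wrong number.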
@@ -113,3 +126,58 @@ int
[openssl] master update
The branch master has been updated via d96486dc809b5d134055785bfa6d707195d95534 (commit) via 6e477a60e42978f63623ad64d8e28e7a3e5f2e28 (commit) via d7fcee3b3b5fae674f107c736f8d53610212ce4e (commit) from 8d6481f532ab8c502de2ad17e09f688abb675a71 (commit) - Log - commit d96486dc809b5d134055785bfa6d707195d95534 Author: Dr. David von Oheimb Date: Fri Sep 4 08:11:41 2020 +0200 apps/cmp.c: Allow default HTTP path (aka CMP alias) given with -server option Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12786) commit 6e477a60e42978f63623ad64d8e28e7a3e5f2e28 Author: Dr. David von Oheimb Date: Fri Sep 4 08:05:46 2020 +0200 apps/cmp.c: Use enhanced OSSL_HTTP_parse_url(), removing parse_addr() and atoint() Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12786) commit d7fcee3b3b5fae674f107c736f8d53610212ce4e Author: Dr. David von Oheimb Date: Thu Sep 3 13:32:56 2020 +0200 OSSL_HTTP_parse_url(): add optional port number return parameter and strengthen documentation Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12786) --- Summary of changes: apps/cmp.c | 93 -- apps/lib/apps.c| 2 +- apps/ocsp.c| 2 +- apps/s_server.c| 4 +- crypto/err/openssl.txt | 3 + crypto/http/http_client.c | 3 +- crypto/http/http_err.c | 5 + crypto/http/http_lib.c | 102 ++-- doc/man1/openssl-cmp.pod.in| 7 +- doc/man3/OSSL_HTTP_transfer.pod| 136 +++-- include/openssl/http.h | 2 +- include/openssl/httperr.h | 4 + test/http_test.c | 72 +++ .../81-test_cmp_cli_data/test_connection.csv | 3 + 14 files changed, 260 insertions(+), 178 deletions(-) diff --git a/apps/cmp.c b/apps/cmp.c index 9846e7a9c2..dd49142309 100644 --- a/apps/cmp.c +++ b/apps/cmp.c 
@@ -74,11 +74,10 @@ typedef enum { /* message transfer */ static char *opt_server = NULL; -static char server_port_s[32] = { '\0' }; -static int server_port = 0; +static char server_port[32] = { '\0' }; static char *opt_proxy = NULL; static char *opt_no_proxy = NULL; -static char *opt_path = "/"; +static char *opt_path = NULL; static int opt_msg_timeout = -1; static int opt_total_timeout = -1; @@ -334,9 +333,9 @@ const OPTIONS cmp_options[] = { OPT_SECTION("Message transfer"), {"server", OPT_SERVER, 's', - "[http[s]://]address[:port] of CMP server. Default port 80 or 443."}, + "[http[s]://]address[:port][/path] of CMP server. Default port 80 or 443."}, {OPT_MORE_STR, 0, 0, - "The address may be a DNS name or an IP address"}, + "address may be a DNS name or an IP address; path can be overridden by -path"}, {"proxy", OPT_PROXY, 's', "[http[s]://]address[:port][/path] of HTTP(S) proxy to use; path is ignored"}, {"no_proxy", OPT_NO_PROXY, 's', @@ -344,7 +343,7 @@ const OPTIONS cmp_options[] = { {OPT_MORE_STR, 0, 0, "Default from environment variable 'no_proxy', else 'NO_PROXY', else none"}, {"path", OPT_PATH, 's', - "HTTP path (aka CMP alias) at the CMP server. Default \"/\""}, + "HTTP path (aka CMP alias) at the CMP server. Default from -server, else \"/\""}, {"msg_timeout", OPT_MSG_TIMEOUT, 'n', "Timeout per CMP message round trip (or 0 for none). Default 120 seconds"}, {"total_timeout", OPT_TOTAL_TIMEOUT, 'n', 
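Review bot: `opt_path` now starts as `NULL` instead of `"/"` (first hunk), so any code that reads it before the default has been resolved from `-server` would see a null pointer where a string was always present before; the place where the fallback to `"/"` is applied is not in the visible hunks. I would record the invariant at the declaration, e.g. `static char *opt_path = NULL; /* from -path, else from the -server URL, else "/" */`. The same hunk turns the port into the fixed buffer `server_port[32]`; whatever fills it, which is outside this hunk, should use a bounded write such as `snprintf(server_port, sizeof(server_port), ...)` and treat truncation as an error.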
@@ -889,49 +888,6 @@ static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx, return res; } -/* - * parse string as integer value, not allowing trailing garbage, see also - * https://www.gnu.org/software/libc/manual/html_node/Parsing-of-Integers.html - * - * returns integer value, or INT_MIN on error - */ -static int atoint(const char *str) -{ -char *tailptr; -long res = strtol(str, , 10); - -if ((*tailptr != '\0') || (res < INT_MIN) || (res > INT_MAX)) -return INT_MIN; -else -return (int)res; -} - -static int parse_addr(char **opt_string, int port, const char *name) -{ -char *port_string; - -if (strncasecmp(*opt_string, OSSL_HTTP_PREFIX, -strlen(OSSL_HTTP_PREFIX)) == 0) { -*opt_string += strlen(OSSL_HTTP_PREFIX); -} else if (strncasecmp(*opt_string, OSSL_HTTPS_PREFIX, - strlen(OSSL_HTTPS_PREFIX)) == 0) { -*opt_string += strlen(OSSL_HTTPS_PREFIX); -if (port == 0) -port
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls
Platform and configuration command: $ uname -a Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls Commit log since last time: 6353507e9d DOC: Fix check of EVP_PKEY_fromdata{,_init} in examples d9ea62c2c2 DOC: Modify one example in EVP_PKEY_fromdata(3) bef7638610 Cleanup deprecation of ENGINE_setup_bsd_cryptodev 7f0f88240e Slightly abstract ktls_start() to reduce OS-specific #ifdefs. 74eee1bdaa Remove unused dummy functions from ktls.h. 4b09e19216 Fix the socket BIO control methods to use ktls_crypto_info_t. 076bf8c2c9 X509_STORE_CTX_print_verify_cb(): add AKID and SKID output for (non-)trusted certs 0b86eefd43 OSSL_CMP_CTX: rename field and its getter/setter from 'untrusted_certs' to 'untrusted 15076c26d7 Strengthen chain building for CMP 39082af2fa Add OSSL_CMP_CTX_get1_newChain() and related CLI option -chainout 09e76c5dd3 test/drbgtest: improve the reseed after fork test 59ed733989 Fix coverity CID #1454815 - NULL ptr dereference in initthread.c 5340c8ea2a Fix coverity CID #1452769 & #1452771 - Arg passed to function that cannot be negative in cms_ess.c 776cf98b49 Fix coverity CID #1457935 - Check return value in ffc_params.c for BIO_indent/BIO_puts calls. d135774e7d Fix coverity CID #1465967 & #1465968 - fix NULL dereference in dh_ameth.c 3320026911 Fix coverity CID #1466371 - fix dereference before NULL check. 0e540f231c Fix coverity CID #1466375 - Remove dead code. 7ce49eeaca Fix coverity CID #1466377 - resource leak due to early return in ec_get_params(). 
ea47869792 Fix coverity CID #1466378 - Incorrect expression in ec_backend.c d55d0935de ASN1: Make ASN1_item_verify_ctx() work with provider-native keys 5045abb2e9 EC: Remove one error record that shadows another 7192e4dfa1 TEST: Ensure that the base provider i activated when needed 96b924105f Revert "TEST: separate out NIST ECC tests from non-NIST" 4feda976de EVP: Don't report malloc failure in new_raw_key_int() 88c1d0c1da TEST: have key_unsupported() in evp_test.c look at the last error c2150f7357 STORE: Stop the flood of errors 67b6401356 CORE: Fix small bug in passphrase caching 7a30681095 STORE: Fix potential memory leak a10847c427 "Downgrade" provider-native keys to legacy where needed b527564884 EVP: Downgrade EVP_PKEYs in EVP_PKEY2PKCS8() 7620d89c3f TEST: Modify test/recipes/90-test_store.t for use with different 'file:' loaders a1447076be STORE: Deprecate legacy / ENGINE functions 63f187cfed STORE: Add a built-in 'file:' storemgmt implementation (loader) 16feca7154 STORE: Move the built-in 'file:' loader to become an engine module bd7a6f16eb OSSL_ENCODER / OSSL_DECODER post-rename cleanup a955676141 ASN1: Fix d2i_KeyParams() to advance |pp| like all other d2i functions do 0bc193dd05 Ensure EVP_MAC_update() passes the length even if it is 0 13c9843cff Convert ssl3_cbc_digest_record() to use EVP_MD_is_a() 820d87bc98 Update the EVP_PKEY MAC documentation f271389305 Enable PKEY MAC bridge signature algs to take ctx params e08f86ddb1 Make ssl3_cbc_digest_record() use the real data_size 2e2084dac3 Start using the provider side TLS HMAC implementation 3fddbb264e Add an HMAC implementation that is TLS aware b48ca22a56 Avoid AIX compiler issue by making the macro argument names not match any substring 6f04bcc7e3 Fix typo in FIPS_MODULE endif macro comment 1010e4ac97 Fix post-condition in algorithm_do_this 2b748d722b Fix use of OPENSSL_realloc in provider Build log ended with (last 100 lines): # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... 
ok 80-test_dane.t . ok 80-test_dtls.t . skipped: No DTLS protocols are supported by this OpenSSL build 80-test_dtls_mtu.t . skipped: test_dtls_mtu needs DTLS and PSK support enabled 80-test_dtlsv1listen.t . ok 80-test_http.t . ok 80-test_ocsp.t . ok 80-test_pkcs12.t ... ok # ERROR: (ptr) 'server_ctx != NULL' failed @ ../openssl/test/ssl_test.c:479 # 0x0 not ok 7 - iteration 7 # -- # ERROR: (ptr) 'server_ctx != NULL' failed @ ../openssl/test/ssl_test.c:479 # 0x0 not ok 8 - iteration 8 # -- # ERROR: (ptr) 'server_ctx != NULL' failed @ ../openssl/test/ssl_test.c:479 # 0x0 not ok 9 - iteration 9 # -- # ERROR: (ptr) 'server_ctx != NULL' failed @ ../openssl/test/ssl_test.c:479 # 0x0 not ok 10 - iteration 10 # -- # ERROR: (ptr) 'server_ctx !=
Still Failing: openssl/openssl#37279 (master - 8d6481f)
Build Update for openssl/openssl - Build: #37279 Status: Still Failing Duration: 1 hr, 28 mins, and 30 secs Commit: 8d6481f (master) Author: Richard Levitte Message: EVP: Move the functions and controls for setting and getting distid Those functions were located in the EC files, but is really broader than that, even thought currently only used for SM2. They should therefore be in a more central location, which was also indicated by diverse TODOs. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12789) View the changeset: https://github.com/openssl/openssl/compare/ea0add4a8227...8d6481f532ab View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/183332516?utm_medium=notification_source=email
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-ui
Platform and configuration command: $ uname -a Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-ui Commit log since last time: 6353507e9d DOC: Fix check of EVP_PKEY_fromdata{,_init} in examples d9ea62c2c2 DOC: Modify one example in EVP_PKEY_fromdata(3) bef7638610 Cleanup deprecation of ENGINE_setup_bsd_cryptodev 7f0f88240e Slightly abstract ktls_start() to reduce OS-specific #ifdefs. 74eee1bdaa Remove unused dummy functions from ktls.h. 4b09e19216 Fix the socket BIO control methods to use ktls_crypto_info_t. 076bf8c2c9 X509_STORE_CTX_print_verify_cb(): add AKID and SKID output for (non-)trusted certs 0b86eefd43 OSSL_CMP_CTX: rename field and its getter/setter from 'untrusted_certs' to 'untrusted 15076c26d7 Strengthen chain building for CMP 39082af2fa Add OSSL_CMP_CTX_get1_newChain() and related CLI option -chainout 09e76c5dd3 test/drbgtest: improve the reseed after fork test 59ed733989 Fix coverity CID #1454815 - NULL ptr dereference in initthread.c 5340c8ea2a Fix coverity CID #1452769 & #1452771 - Arg passed to function that cannot be negative in cms_ess.c 776cf98b49 Fix coverity CID #1457935 - Check return value in ffc_params.c for BIO_indent/BIO_puts calls. d135774e7d Fix coverity CID #1465967 & #1465968 - fix NULL dereference in dh_ameth.c 3320026911 Fix coverity CID #1466371 - fix dereference before NULL check. 0e540f231c Fix coverity CID #1466375 - Remove dead code. 7ce49eeaca Fix coverity CID #1466377 - resource leak due to early return in ec_get_params(). 
ea47869792 Fix coverity CID #1466378 - Incorrect expression in ec_backend.c d55d0935de ASN1: Make ASN1_item_verify_ctx() work with provider-native keys 5045abb2e9 EC: Remove one error record that shadows another 7192e4dfa1 TEST: Ensure that the base provider i activated when needed 96b924105f Revert "TEST: separate out NIST ECC tests from non-NIST" 4feda976de EVP: Don't report malloc failure in new_raw_key_int() 88c1d0c1da TEST: have key_unsupported() in evp_test.c look at the last error c2150f7357 STORE: Stop the flood of errors 67b6401356 CORE: Fix small bug in passphrase caching 7a30681095 STORE: Fix potential memory leak a10847c427 "Downgrade" provider-native keys to legacy where needed b527564884 EVP: Downgrade EVP_PKEYs in EVP_PKEY2PKCS8() 7620d89c3f TEST: Modify test/recipes/90-test_store.t for use with different 'file:' loaders a1447076be STORE: Deprecate legacy / ENGINE functions 63f187cfed STORE: Add a built-in 'file:' storemgmt implementation (loader) 16feca7154 STORE: Move the built-in 'file:' loader to become an engine module bd7a6f16eb OSSL_ENCODER / OSSL_DECODER post-rename cleanup a955676141 ASN1: Fix d2i_KeyParams() to advance |pp| like all other d2i functions do 0bc193dd05 Ensure EVP_MAC_update() passes the length even if it is 0 13c9843cff Convert ssl3_cbc_digest_record() to use EVP_MD_is_a() 820d87bc98 Update the EVP_PKEY MAC documentation f271389305 Enable PKEY MAC bridge signature algs to take ctx params e08f86ddb1 Make ssl3_cbc_digest_record() use the real data_size 2e2084dac3 Start using the provider side TLS HMAC implementation 3fddbb264e Add an HMAC implementation that is TLS aware b48ca22a56 Avoid AIX compiler issue by making the macro argument names not match any substring 6f04bcc7e3 Fix typo in FIPS_MODULE endif macro comment 1010e4ac97 Fix post-condition in algorithm_do_this 2b748d722b Fix use of OPENSSL_realloc in provider Build log ended with (last 100 lines): # Failed test 'p10cr csr empty file' # at 
../openssl/test/recipes/81-test_cmp_cli.t line 184. ../../../../../no-ui/util/wrap.pl ../../../../../no-ui/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd p10cr -newkey new.key -newkeypass 'pass:' -certout test.cert.pem -out_trusted root.crt -csr wrong.csr.pem => 139 not ok 78 - p10cr wrong csr # -- # Failed test 'p10cr wrong csr' # at ../openssl/test/recipes/81-test_cmp_cli.t line 184. ../../../../../no-ui/util/wrap.pl ../../../../../no-ui/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -certout test.cert.pem -out_trusted root.crt -revreason 5 => 139 not ok 79 - ir + ignored revocation # -- ../../../../../no-ui/util/wrap.pl ../../../../../no-ui/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -proxy '' -no_proxy 127.0.0.1 -cmd cr -newkey new.key -newkeypass 'pass:' -certout test.cert.pem -out_trusted root.crt => 139 not ok 82 - cr command # -- # Failed test 'cr command' # at ../openssl/test/recipes/81-test_cmp_cli.t line 184.
Still FAILED build of OpenSSL branch master with options -d --strict-warnings enable-ubsan -DPEDANTIC -DOPENSSL_SMALL_FOOTPRINT -fno-sanitize=alignment
Platform and configuration command: $ uname -a Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings enable-ubsan -DPEDANTIC -DOPENSSL_SMALL_FOOTPRINT -fno-sanitize=alignment Commit log since last time: 6353507e9d DOC: Fix check of EVP_PKEY_fromdata{,_init} in examples d9ea62c2c2 DOC: Modify one example in EVP_PKEY_fromdata(3) bef7638610 Cleanup deprecation of ENGINE_setup_bsd_cryptodev 7f0f88240e Slightly abstract ktls_start() to reduce OS-specific #ifdefs. 74eee1bdaa Remove unused dummy functions from ktls.h. 4b09e19216 Fix the socket BIO control methods to use ktls_crypto_info_t. 076bf8c2c9 X509_STORE_CTX_print_verify_cb(): add AKID and SKID output for (non-)trusted certs 0b86eefd43 OSSL_CMP_CTX: rename field and its getter/setter from 'untrusted_certs' to 'untrusted 15076c26d7 Strengthen chain building for CMP 39082af2fa Add OSSL_CMP_CTX_get1_newChain() and related CLI option -chainout 09e76c5dd3 test/drbgtest: improve the reseed after fork test 59ed733989 Fix coverity CID #1454815 - NULL ptr dereference in initthread.c 5340c8ea2a Fix coverity CID #1452769 & #1452771 - Arg passed to function that cannot be negative in cms_ess.c 776cf98b49 Fix coverity CID #1457935 - Check return value in ffc_params.c for BIO_indent/BIO_puts calls. d135774e7d Fix coverity CID #1465967 & #1465968 - fix NULL dereference in dh_ameth.c 3320026911 Fix coverity CID #1466371 - fix dereference before NULL check. 0e540f231c Fix coverity CID #1466375 - Remove dead code. 7ce49eeaca Fix coverity CID #1466377 - resource leak due to early return in ec_get_params(). 
ea47869792 Fix coverity CID #1466378 - Incorrect expression in ec_backend.c d55d0935de ASN1: Make ASN1_item_verify_ctx() work with provider-native keys 5045abb2e9 EC: Remove one error record that shadows another 7192e4dfa1 TEST: Ensure that the base provider i activated when needed 96b924105f Revert "TEST: separate out NIST ECC tests from non-NIST" 4feda976de EVP: Don't report malloc failure in new_raw_key_int() 88c1d0c1da TEST: have key_unsupported() in evp_test.c look at the last error c2150f7357 STORE: Stop the flood of errors 67b6401356 CORE: Fix small bug in passphrase caching 7a30681095 STORE: Fix potential memory leak a10847c427 "Downgrade" provider-native keys to legacy where needed b527564884 EVP: Downgrade EVP_PKEYs in EVP_PKEY2PKCS8() 7620d89c3f TEST: Modify test/recipes/90-test_store.t for use with different 'file:' loaders a1447076be STORE: Deprecate legacy / ENGINE functions 63f187cfed STORE: Add a built-in 'file:' storemgmt implementation (loader) 16feca7154 STORE: Move the built-in 'file:' loader to become an engine module bd7a6f16eb OSSL_ENCODER / OSSL_DECODER post-rename cleanup a955676141 ASN1: Fix d2i_KeyParams() to advance |pp| like all other d2i functions do 0bc193dd05 Ensure EVP_MAC_update() passes the length even if it is 0 13c9843cff Convert ssl3_cbc_digest_record() to use EVP_MD_is_a() 820d87bc98 Update the EVP_PKEY MAC documentation f271389305 Enable PKEY MAC bridge signature algs to take ctx params e08f86ddb1 Make ssl3_cbc_digest_record() use the real data_size 2e2084dac3 Start using the provider side TLS HMAC implementation 3fddbb264e Add an HMAC implementation that is TLS aware b48ca22a56 Avoid AIX compiler issue by making the macro argument names not match any substring 6f04bcc7e3 Fix typo in FIPS_MODULE endif macro comment 1010e4ac97 Fix post-condition in algorithm_do_this 2b748d722b Fix use of OPENSSL_realloc in provider Build log ended with (last 100 lines): # Server sent alert unexpected_message but client received no alert. 
# 40A7D41BA37F:error::SSL routines::unexpected message:../openssl/ssl/statem/statem_srvr.c:318: not ok 9 - iteration 9 # -- not ok 1 - test_handshake # -- ../../util/wrap.pl ../../test/ssl_test 25-cipher.cnf.default default => 1 not ok 6 - running ssl_test 25-cipher.cnf # -- # Looks like you failed 2 tests of 9. not ok 26 - Test configuration 25-cipher.cnf # -- # Looks like you failed 1 test of 31.80-test_ssl_new.t .. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/31 subtests 80-test_ssl_old.t .. ok 80-test_ssl_test_ctx.t . ok # INFO: @ ../openssl/test/sslcorrupttest.c:199 # Starting #2, ECDHE-RSA-CHACHA20-POLY1305 # ERROR: (int) 'SSL_get_error(clientssl, 0) == SSL_ERROR_WANT_READ' failed @ ../openssl/test/ssltestlib.c:1032 # [1] compared to [2] # ERROR: (bool) 'create_ssl_connection(server, client, SSL_ERROR_NONE) == true' failed @
[openssl] master update
The branch master has been updated via 8d6481f532ab8c502de2ad17e09f688abb675a71 (commit) via b968945204130620b1328f585610cbe1d6b5a69e (commit) via 86df26b3943509219057ae87f8764b3c15e0d8b8 (commit) from ea0add4a822749d620714a4660eedd86a91e8e1b (commit) - Log - commit 8d6481f532ab8c502de2ad17e09f688abb675a71 Author: Richard Levitte Date: Fri Sep 4 18:00:29 2020 +0200 EVP: Move the functions and controls for setting and getting distid Those functions were located in the EC files, but are really broader than that, even though currently only used for SM2. They should therefore be in a more central location, which was also indicated by diverse TODOs. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12789) commit b968945204130620b1328f585610cbe1d6b5a69e Author: Richard Levitte Date: Thu Sep 3 07:22:00 2020 +0200 EVP: Expand the use of EVP_PKEY_CTX_md() Setting a hash function was reserved for signature operations. However, it turns out that SM2 uses a hash function for encryption and decryption as well. Therefore, EVP_PKEY_CTX_md() must be called with an expanded operation type combination that includes EVP_PKEY_OP_TYPE_CRYPT when used in a generic way. For SM2, test/recipes/30-test_evp_data/evppkey_sm2.txt is expanded to test decryption both with an implicit and an explicit digest. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12789) commit 86df26b3943509219057ae87f8764b3c15e0d8b8 Author: Richard Levitte Date: Wed Sep 2 15:54:13 2020 +0200 EVP: Add support for delayed EVP_PKEY operation parameters They get called "delayed parameters" because they may make it to the implementation at a later time than when they're given. This currently only covers the distinguished ID, as that's the only EVP_PKEY operation parameter so far that has been possible to give before the operation has been initialized. This includes a re-implementation of EVP_PKEY_CTX_set1_id(), EVP_PKEY_CTX_get1_id(), and EVP_PKEY_CTX_get1_id_len(). 
Also, the more rigorous controls of keytype and optype are restored. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12789) --- Summary of changes: crypto/evp/m_sigver.c | 13 +- crypto/evp/pmeth_lib.c| 369 ++ crypto/evp/signature.c| 9 +- include/crypto/evp.h | 21 ++ include/openssl/core_names.h | 1 + include/openssl/ec.h | 16 -- include/openssl/evp.h | 8 +- test/recipes/30-test_evp_data/evppkey_sm2.txt | 6 + util/libcrypto.num| 3 + 9 files changed, 376 insertions(+), 70 deletions(-) diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c index 0278d9ca09..a60d6e770b 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c @@ -204,7 +204,8 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, mdname, provkey); } -return ret ? 1 : 0; +goto end; + err: evp_pkey_ctx_free_old_ops(locpctx); locpctx->operation = EVP_PKEY_OP_UNDEFINED; @@ -279,7 +280,15 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, if (ctx->pctx->pmeth->digest_custom != NULL) ctx->pctx->flag_call_digest_custom = 1; -return 1; +ret = 1; + + end: +#ifndef FIPS_MODULE +if (ret > 0) +ret = evp_pkey_ctx_use_cached_data(locpctx); +#endif + +return ret > 0 ? 1 : 0; } int EVP_DigestSignInit_with_libctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index 7f144b0afc..e557e14e18 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -33,6 +33,14 @@ #ifndef FIPS_MODULE +static int evp_pkey_ctx_store_cached_data(EVP_PKEY_CTX *ctx, + int keytype, int optype, + int cmd, const char *name, + const void *data, size_t data_len); +static void evp_pkey_ctx_free_cached_data(EVP_PKEY_CTX *ctx, + int cmd, const char *name); +static void evp_pkey_ctx_free_all_cached_data(EVP_PKEY_CTX *ctx); + typedef const EVP_PKEY_METHOD *(*pmeth_fn)(void); typedef int sk_cmp_fn_type(const char *const *a, const char *const *b); 
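Review bot: In crypto/evp/m_sigver.c, the new `end:` label in do_sigver_init() returns 0 when evp_pkey_ctx_use_cached_data(locpctx) fails, but it skips the cleanup that the `err:` path in the first hunk performs (`evp_pkey_ctx_free_old_ops(locpctx);` and `locpctx->operation = EVP_PKEY_OP_UNDEFINED;`). If the cached data cannot be applied, the caller gets a failure while the context appears to stay initialised for the sign/verify operation, which is easy to misuse when the return value is not checked. Consider resetting the state on that failure, for example `if (ret <= 0) locpctx->operation = EVP_PKEY_OP_UNDEFINED;` right after the call, or add a comment explaining why the partially initialised context is safe. Most of do_sigver_init() lies outside these two hunks, so this is inferred from the visible lines only.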
@@ -122,6 +130,29 @@ EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags) return pmeth; } +/* Three possible states: */ +# define EVP_PKEY_STATE_UNKNOWN 0 +# define
Still Failing: openssl/openssl#37275 (master - ea0add4)
Build Update for openssl/openssl - Build: #37275 Status: Still Failing Duration: 1 hr, 16 mins, and 35 secs Commit: ea0add4 (master) Author: Dmitry Belyavskiy Message: New GOST PKCS12 standard support Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/12780) View the changeset: https://github.com/openssl/openssl/compare/08497fc64f68...ea0add4a8227 View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/183290832?utm_medium=notification_source=email
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-sock
Platform and configuration command: $ uname -a Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-sock Commit log since last time: 6353507e9d DOC: Fix check of EVP_PKEY_fromdata{,_init} in examples d9ea62c2c2 DOC: Modify one example in EVP_PKEY_fromdata(3) bef7638610 Cleanup deprecation of ENGINE_setup_bsd_cryptodev 7f0f88240e Slightly abstract ktls_start() to reduce OS-specific #ifdefs. 74eee1bdaa Remove unused dummy functions from ktls.h. 4b09e19216 Fix the socket BIO control methods to use ktls_crypto_info_t. 076bf8c2c9 X509_STORE_CTX_print_verify_cb(): add AKID and SKID output for (non-)trusted certs 0b86eefd43 OSSL_CMP_CTX: rename field and its getter/setter from 'untrusted_certs' to 'untrusted 15076c26d7 Strengthen chain building for CMP 39082af2fa Add OSSL_CMP_CTX_get1_newChain() and related CLI option -chainout 09e76c5dd3 test/drbgtest: improve the reseed after fork test 59ed733989 Fix coverity CID #1454815 - NULL ptr dereference in initthread.c 5340c8ea2a Fix coverity CID #1452769 & #1452771 - Arg passed to function that cannot be negative in cms_ess.c 776cf98b49 Fix coverity CID #1457935 - Check return value in ffc_params.c for BIO_indent/BIO_puts calls. d135774e7d Fix coverity CID #1465967 & #1465968 - fix NULL dereference in dh_ameth.c 3320026911 Fix coverity CID #1466371 - fix dereference before NULL check. 0e540f231c Fix coverity CID #1466375 - Remove dead code. 7ce49eeaca Fix coverity CID #1466377 - resource leak due to early return in ec_get_params(). 
ea47869792 Fix coverity CID #1466378 - Incorrect expression in ec_backend.c d55d0935de ASN1: Make ASN1_item_verify_ctx() work with provider-native keys 5045abb2e9 EC: Remove one error record that shadows another 7192e4dfa1 TEST: Ensure that the base provider i activated when needed 96b924105f Revert "TEST: separate out NIST ECC tests from non-NIST" 4feda976de EVP: Don't report malloc failure in new_raw_key_int() 88c1d0c1da TEST: have key_unsupported() in evp_test.c look at the last error c2150f7357 STORE: Stop the flood of errors 67b6401356 CORE: Fix small bug in passphrase caching 7a30681095 STORE: Fix potential memory leak a10847c427 "Downgrade" provider-native keys to legacy where needed b527564884 EVP: Downgrade EVP_PKEYs in EVP_PKEY2PKCS8() 7620d89c3f TEST: Modify test/recipes/90-test_store.t for use with different 'file:' loaders a1447076be STORE: Deprecate legacy / ENGINE functions 63f187cfed STORE: Add a built-in 'file:' storemgmt implementation (loader) 16feca7154 STORE: Move the built-in 'file:' loader to become an engine module bd7a6f16eb OSSL_ENCODER / OSSL_DECODER post-rename cleanup a955676141 ASN1: Fix d2i_KeyParams() to advance |pp| like all other d2i functions do 0bc193dd05 Ensure EVP_MAC_update() passes the length even if it is 0 13c9843cff Convert ssl3_cbc_digest_record() to use EVP_MD_is_a() 820d87bc98 Update the EVP_PKEY MAC documentation f271389305 Enable PKEY MAC bridge signature algs to take ctx params e08f86ddb1 Make ssl3_cbc_digest_record() use the real data_size 2e2084dac3 Start using the provider side TLS HMAC implementation 3fddbb264e Add an HMAC implementation that is TLS aware b48ca22a56 Avoid AIX compiler issue by making the macro argument names not match any substring 6f04bcc7e3 Fix typo in FIPS_MODULE endif macro comment 1010e4ac97 Fix post-condition in algorithm_do_this 2b748d722b Fix use of OPENSSL_realloc in provider Build log ended with (last 100 lines): rm -f doc/man/man1/CA.pl.1 doc/man/man1/openssl-asn1parse.1 
doc/man/man1/openssl-ca.1 doc/man/man1/openssl-ciphers.1 doc/man/man1/openssl-cmds.1 doc/man/man1/openssl-cmp.1 doc/man/man1/openssl-cms.1 doc/man/man1/openssl-crl.1 doc/man/man1/openssl-crl2pkcs7.1 doc/man/man1/openssl-dgst.1 doc/man/man1/openssl-dhparam.1 doc/man/man1/openssl-dsa.1 doc/man/man1/openssl-dsaparam.1 doc/man/man1/openssl-ec.1 doc/man/man1/openssl-ecparam.1 doc/man/man1/openssl-enc.1 doc/man/man1/openssl-engine.1 doc/man/man1/openssl-errstr.1 doc/man/man1/openssl-fipsinstall.1 doc/man/man1/openssl-gendsa.1 doc/man/man1/openssl-genpkey.1 doc/man/man1/openssl-genrsa.1 doc/man/man1/openssl-info.1 doc/man/man1/openssl-kdf.1 doc/man/man1/openssl-list.1 doc/man/man1/openssl-mac.1 doc/man/man1/openssl-nseq.1 doc/man/man1/openssl-ocsp.1 doc/man/man1/openssl-passwd.1 doc/man/man1/openssl-pkcs12.1 doc/man/man1/openssl-pkcs7.1 doc/man/man1/openssl-pkcs8.1 doc/man/man1/openssl-pkey.1 doc/man/man1/openssl-pkeyparam.1 doc/ma n/man1/openssl-pkeyutl.1 doc/man/man1/openssl-prime.1 doc/man/man1/openssl-provider.1 doc/man/man1/openssl-rand.1 doc/man/man1/openssl-rehash.1 doc/man/man1/openssl-req.1 doc/man/man1/openssl-rsa.1 doc/man/man1/openssl-rsautl.1 doc/man/man1/openssl-s_client.1 doc/man/man1/openssl-s_server.1 doc/man/man1/openssl-s_time.1 doc/man/man1/openssl-sess_id.1 doc/man/man1/openssl-smime.1 doc/man/man1/openssl-speed.1
Still Failing: openssl/openssl#37271 (master - 08497fc)
Build Update for openssl/openssl - Build: #37271 Status: Still Failing Duration: 1 hr, 21 mins, and 42 secs Commit: 08497fc (master) Author: Richard Levitte Message: Fix test/evp_extra_test.c Because EVP_PKEY_CTX_new_from_name() could return a non-NULL context with no value in it, the lack of legacy implementation when OpenSSL was configured with 'no-ec' went through undetected. This adds the necessary guards to skip a test of SM2 in that case. Reviewed-by: Paul Yang (Merged from https://github.com/openssl/openssl/pull/12785) View the changeset: https://github.com/openssl/openssl/compare/884baafba4a5...08497fc64f68 View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/183277598?utm_medium=notification_source=email
[openssl] master update
The branch master has been updated via ea0add4a822749d620714a4660eedd86a91e8e1b (commit) from 08497fc64f688a91d421de74a8498aff33573485 (commit) - Log - commit ea0add4a822749d620714a4660eedd86a91e8e1b Author: Dmitry Belyavskiy Date: Thu Sep 3 16:47:19 2020 +0300 New GOST PKCS12 standard support Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/12780) --- Summary of changes: crypto/pkcs12/p12_decr.c | 50 +++- 1 file changed, 45 insertions(+), 5 deletions(-) diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c index b9d13d9cf5..32e5597e06 100644 --- a/crypto/pkcs12/p12_decr.c +++ b/crypto/pkcs12/p12_decr.c @@ -24,13 +24,14 @@ unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor, unsigned char *out = NULL; int outlen, i; EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); +int max_out_len, mac_len = 0; if (ctx == NULL) { PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_MALLOC_FAILURE); goto err; } -/* Decrypt data */ +/* Process data */ if (!EVP_PBE_CipherInit(algor->algorithm, pass, passlen, algor->parameter, ctx, en_de)) { PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, 
@@ -38,8 +39,37 @@ unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor, goto err; } -if ((out = OPENSSL_malloc(inlen + EVP_CIPHER_CTX_block_size(ctx))) -== NULL) { +/* + * GOST algorithm specifics: + * OMAC algorithm calculate and encrypt MAC of the encrypted objects + * It's appended to encrypted text on encrypting + * MAC should be processed on decrypting separately from plain text + */ +max_out_len = inlen + EVP_CIPHER_CTX_block_size(ctx); +if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC) { +if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_TLS1_AAD, 0, _len) < 0) { +PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_INTERNAL_ERROR); +goto err; +} + +if (EVP_CIPHER_CTX_encrypting(ctx)) { +max_out_len += mac_len; +} else { +if (inlen < mac_len) { +PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, + PKCS12_R_UNSUPPORTED_PKCS12_MODE); +goto err; +} +inlen -= mac_len; +if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, +(int)mac_len, (unsigned char *)in+inlen) < 0) { +PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_INTERNAL_ERROR); +goto err; +} +} +} + +if ((out = OPENSSL_malloc(max_out_len)) == NULL) { PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_MALLOC_FAILURE); goto err; } @@ -60,6 +90,16 @@ unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor, goto err; } outlen += i; +if (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_CIPHER_WITH_MAC) { +if (EVP_CIPHER_CTX_encrypting(ctx)) { +if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, +(int)mac_len, out+outlen) < 0) { +PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT, ERR_R_INTERNAL_ERROR); +goto err; +} +outlen += mac_len; +} +} if (datalen) *datalen = outlen; if (data) 
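Review bot: The three added EVP_CIPHER_CTX_ctrl() calls in PKCS12_pbe_crypt() (the MAC-length query and EVP_CTRL_AEAD_SET_TAG in this hunk, EVP_CTRL_AEAD_GET_TAG in the following @@ -60,6 +90,16 @@ hunk) treat only a negative return as failure, although a cipher's ctrl handler can also report failure with 0; testing `<= 0` would stop processing from continuing with mac_len still 0 and no tag set. mac_len is also used without a sign check: a negative value from the cipher would pass `inlen < mac_len`, and `inlen -= mac_len` would then grow inlen past the caller's buffer, so the guard is safer as `if (mac_len < 0 || inlen < mac_len)`. The sums `inlen + EVP_CIPHER_CTX_block_size(ctx)` and `max_out_len += mac_len` are int arithmetic that sizes the OPENSSL_malloc() buffer, so a bound check against INT_MAX before adding would keep an oversized input from wrapping. The function starts and ends outside these hunks, so how callers bound inlen is not visible here.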
@@ -79,10 +119,10 @@ void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it, const char *pass, int passlen, const ASN1_OCTET_STRING *oct, int zbuf) { -unsigned char *out; +unsigned char *out = NULL; const unsigned char *p; void *ret; -int outlen; +int outlen = 0; if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length, , , 0)) {