[openssl] master update
The branch master has been updated
via 6b1428ac12749f7ff0e49be363e9f7097f0e58b0 (commit)
from 434343f896a2bb3e5857cc9831c38f8cd1cceec1 (commit)
- Log -
commit 6b1428ac12749f7ff0e49be363e9f7097f0e58b0
Author: Randall S. Becker
Date: Sun Sep 20 16:30:14 2020 -0600
Added FIPS DEP initialization for the NonStop platform in fips/self_test.c.
CLA: Permission is granted by the author to the OpenSSL team to use these
modifications.
Fixes #12918
Signed-off-by: Randall S. Becker
Reviewed-by: Paul Dale
Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/12928)
---
Summary of changes:
providers/fips/self_test.c | 16
1 file changed, 16 insertions(+)
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
index 9d95f0ccf1..81f475e900 100644
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
@@ -123,6 +123,22 @@ DEP_DECLARE()
#elif defined(__GNUC__)
# define DEP_INIT_ATTRIBUTE static __attribute__((constructor))
# define DEP_FINI_ATTRIBUTE static __attribute__((destructor))
+
+#elif defined(__TANDEM)
+DEP_DECLARE() /* must be declared before calling init() or cleanup() */
+# define DEP_INIT_ATTRIBUTE
+# define DEP_FINI_ATTRIBUTE
+
+/* Method automatically called by the NonStop OS when the DLL loads */
+void __INIT__init(void) {
+init();
+}
+
+/* Method automatically called by the NonStop OS prior to unloading the DLL */
+void __TERM__cleanup(void) {
+cleanup();
+}
+
#endif
#if defined(DEP_INIT_ATTRIBUTE) && defined(DEP_FINI_ATTRIBUTE)
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-cms
Platform and configuration command: $ uname -a Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-cms Commit log since last time: 434343f896 Add const to 'ppin' function parameter 6600baa9bb DOC: POD syntax fixes in doc/man1/openssl-cmp.pod.in 36871717ac Support keys with RSA_METHOD_FLAG_NO_CHECK with OCSP sign 9c13b49a9f Increase PSK_MAX_IDENTITY_LEN from 128 to 256 639bb581ce apps/ocsp: Return non zero exit code with invalid certID e57bbf9e1a Increase PSK_MAX_PSK_LEN to 512 627ddf7b5b Correct certificate and key names for explicit ec param test d5b170a2fc Fixed EVP_MAC_final argument count in example a316356133 Fix merge error with libcrypto.num b1415dc182 util/find-doc-nits: Add a regexp for C symbols and use it 48b62fb33a DECODER: Some cleanups, and aligning with OSSL_ENCODER ae12eac074 TEST: Adapt applicable tests to the changed OSSL_ENCODER_CTX_new_by_EVP_PKEY() 97bb8dff1f ENCODER: Adapt calls to the changed OSSL_ENCODER_CTX_new_by_EVP_PKEY() 111dc4b0f1 ENCODER: Refactor our provider encoder implementations b8975c68b1 ENCODER: Refactor the OSSL_ENCODER API to be more like OSSL_DECODER 5a6d6fe666 ENCODER: Redefine the libcrypto <-> provider interface 4a71bee6cf ocsp_vfy.c: Clean up code w.r.t. coding guidelines and reduce redundancies b5f82567af Fix: ecp_nistz256-armv4.S bad arguments 08e9684c53 Deprecate ASN1_STRING_length_set in OpenSSL 3.0. 28a5f5b39c util/mkerr.h: Restore header file rename 7889e7aef8 Fix ec keygen so that it passes the library context to SSL_SELF_TEST_get_callback(). f8e747471e Add a copy of OSSL_SELF_TEST_get_callback() to the fips module. 80f4fd18f7 Add KEM (Key encapsulation mechanism) support to providers 28833f1465 Update the EdDSA docs with information about Algorithm Identifiers 4c6348c23a Make sure we properly test for EdDSA with alg ids d12a2fe4e7 Teach EdDSA signature algorithms about AlgorithmIdentifiers 991a6bb581 Add option to fipsinstall to disable fips security checks at run time. 7a810fac86 Add 'fips-securitychecks' option and plumb this into the actual fips checks 850a485f25 fix provider exchange operations 49ed5ba8f6 fix provider signatures 16fbda848d Separate fips and non fips code for key operations a88d105ea8 Add missing 'ossl_unused' tags to some gettable and settable methods. f85a9d26be Add error message to genpkey app for the '-genparam' option 341c3e7f28 Add fips checks for ecdh key agreement 8d17cca5b8 Add fips checks for rsa encryption b8237707d4 Add fips checks for dh key agreement 0645110ebd Add fips checks for ecdsa signatures e43b448241 Add fips checks for dsa signatures 3f699197ac Add fips checks for rsa signatures. 282de1cc2d Fix some doc-nits and make update errors 028b31b32d Remove some unneeded code from lhash.h efffd8a6e4 Update err.h to use the new lhash generation code 2ca697ce00 Update conf.h.in to use the new lhash generation code 726b329339 Provide basis for fixing lhash code ecf15b16ee s_client.pod: Fix grammar in NOTES section. Build log ended with (last 100 lines): clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/srptest-bin-srptest.d.tmp -MT test/srptest-bin-srptest.o -c -o test/srptest-bin-srptest.o ../openssl/test/srptest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ssl_cert_table_internal_test-bin-ssl_cert_table_internal_test.d.tmp -MT test/ssl_cert_table_internal_test-bin-ssl_cert_table_internal_test.o -c -o test/ssl_cert_table_internal_test-bin-ssl_cert_table_internal_test.o ../openssl/test/ssl_cert_table_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED
Build failed: openssl master.37084
Build openssl master.37084 failed Commit 2cb54c3873 by Dr. David von Oheimb on 8/10/2020 12:23 PM: apps/pkcs12: Clean up the order in which many options are presented Configure your notification preferences
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit
Platform and configuration command: $ uname -a Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: 434343f896 Add const to 'ppin' function parameter 6600baa9bb DOC: POD syntax fixes in doc/man1/openssl-cmp.pod.in 36871717ac Support keys with RSA_METHOD_FLAG_NO_CHECK with OCSP sign 9c13b49a9f Increase PSK_MAX_IDENTITY_LEN from 128 to 256 639bb581ce apps/ocsp: Return non zero exit code with invalid certID e57bbf9e1a Increase PSK_MAX_PSK_LEN to 512 627ddf7b5b Correct certificate and key names for explicit ec param test d5b170a2fc Fixed EVP_MAC_final argument count in example a316356133 Fix merge error with libcrypto.num b1415dc182 util/find-doc-nits: Add a regexp for C symbols and use it 48b62fb33a DECODER: Some cleanups, and aligning with OSSL_ENCODER ae12eac074 TEST: Adapt applicable tests to the changed OSSL_ENCODER_CTX_new_by_EVP_PKEY() 97bb8dff1f ENCODER: Adapt calls to the changed OSSL_ENCODER_CTX_new_by_EVP_PKEY() 111dc4b0f1 ENCODER: Refactor our provider encoder implementations b8975c68b1 ENCODER: Refactor the OSSL_ENCODER API to be more like OSSL_DECODER 5a6d6fe666 ENCODER: Redefine the libcrypto <-> provider interface 4a71bee6cf ocsp_vfy.c: Clean up code w.r.t. coding guidelines and reduce redundancies b5f82567af Fix: ecp_nistz256-armv4.S bad arguments 08e9684c53 Deprecate ASN1_STRING_length_set in OpenSSL 3.0. 28a5f5b39c util/mkerr.h: Restore header file rename 7889e7aef8 Fix ec keygen so that it passes the library context to SSL_SELF_TEST_get_callback(). f8e747471e Add a copy of OSSL_SELF_TEST_get_callback() to the fips module. 80f4fd18f7 Add KEM (Key encapsulation mechanism) support to providers 28833f1465 Update the EdDSA docs with information about Algorithm Identifiers 4c6348c23a Make sure we properly test for EdDSA with alg ids d12a2fe4e7 Teach EdDSA signature algorithms about AlgorithmIdentifiers 991a6bb581 Add option to fipsinstall to disable fips security checks at run time. 7a810fac86 Add 'fips-securitychecks' option and plumb this into the actual fips checks 850a485f25 fix provider exchange operations 49ed5ba8f6 fix provider signatures 16fbda848d Separate fips and non fips code for key operations a88d105ea8 Add missing 'ossl_unused' tags to some gettable and settable methods. f85a9d26be Add error message to genpkey app for the '-genparam' option 341c3e7f28 Add fips checks for ecdh key agreement 8d17cca5b8 Add fips checks for rsa encryption b8237707d4 Add fips checks for dh key agreement 0645110ebd Add fips checks for ecdsa signatures e43b448241 Add fips checks for dsa signatures 3f699197ac Add fips checks for rsa signatures. 282de1cc2d Fix some doc-nits and make update errors 028b31b32d Remove some unneeded code from lhash.h efffd8a6e4 Update err.h to use the new lhash generation code 2ca697ce00 Update conf.h.in to use the new lhash generation code 726b329339 Provide basis for fixing lhash code ecf15b16ee s_client.pod: Fix grammar in NOTES section. Build log ended with (last 100 lines): 65-test_cmp_vfy.t .. ok 66-test_ossl_store.t ... ok 70-test_asyncio.t .. ok 70-test_bad_dtls.t . ok 70-test_clienthello.t .. ok 70-test_comp.t . ok 70-test_key_share.t ok 70-test_packet.t ... ok 70-test_recordlen.t ok 70-test_renegotiation.t ok 70-test_servername.t ... ok 70-test_sslcbcpadding.t ok 70-test_sslcertstatus.t ok 70-test_sslextension.t . ok 70-test_sslmessages.t .. ok 70-test_sslrecords.t ... ok 70-test_sslsessiontick.t ... ok 70-test_sslsigalgs.t ... ok 70-test_sslsignature.t . ok 70-test_sslskewith0p.t . ok 70-test_sslversions.t .. ok 70-test_sslvertol.t ok 70-test_tls13alerts.t .. ok 70-test_tls13cookie.t .. ok 70-test_tls13downgrade.t ... ok 70-test_tls13hrr.t . ok 70-test_tls13kexmodes.t ok 70-test_tls13messages.t ok 70-test_tls13psk.t . ok 70-test_tlsextms.t . ok 70-test_verify_extra.t . ok 70-test_wpacket.t .. ok 71-test_ssl_ctx.t .. ok 80-test_ca.t ... ok 80-test_cipherbytes.t .. ok 80-test_cipherlist.t ... ok 80-test_ciphername.t ... ok # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... ok 80-test_dane.t . ok 80-test_dtls.t . ok 80-test_dtls_mtu.t . ok 80-test_dtlsv1listen.t . ok 80-test_http.t . ok 80-test_ocsp.t . ok 80-test_pkcs12.t ... ok
Still FAILED build of OpenSSL branch master with options -d --strict-warnings enable-asan no-shared -DOPENSSL_SMALL_FOOTPRINT
Platform and configuration command: $ uname -a Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings enable-asan no-shared -DOPENSSL_SMALL_FOOTPRINT Commit log since last time: 434343f896 Add const to 'ppin' function parameter 6600baa9bb DOC: POD syntax fixes in doc/man1/openssl-cmp.pod.in 36871717ac Support keys with RSA_METHOD_FLAG_NO_CHECK with OCSP sign 9c13b49a9f Increase PSK_MAX_IDENTITY_LEN from 128 to 256 639bb581ce apps/ocsp: Return non zero exit code with invalid certID e57bbf9e1a Increase PSK_MAX_PSK_LEN to 512 627ddf7b5b Correct certificate and key names for explicit ec param test d5b170a2fc Fixed EVP_MAC_final argument count in example a316356133 Fix merge error with libcrypto.num b1415dc182 util/find-doc-nits: Add a regexp for C symbols and use it 48b62fb33a DECODER: Some cleanups, and aligning with OSSL_ENCODER ae12eac074 TEST: Adapt applicable tests to the changed OSSL_ENCODER_CTX_new_by_EVP_PKEY() 97bb8dff1f ENCODER: Adapt calls to the changed OSSL_ENCODER_CTX_new_by_EVP_PKEY() 111dc4b0f1 ENCODER: Refactor our provider encoder implementations b8975c68b1 ENCODER: Refactor the OSSL_ENCODER API to be more like OSSL_DECODER 5a6d6fe666 ENCODER: Redefine the libcrypto <-> provider interface 4a71bee6cf ocsp_vfy.c: Clean up code w.r.t. coding guidelines and reduce redundancies b5f82567af Fix: ecp_nistz256-armv4.S bad arguments 08e9684c53 Deprecate ASN1_STRING_length_set in OpenSSL 3.0. 28a5f5b39c util/mkerr.h: Restore header file rename 7889e7aef8 Fix ec keygen so that it passes the library context to SSL_SELF_TEST_get_callback(). f8e747471e Add a copy of OSSL_SELF_TEST_get_callback() to the fips module. 80f4fd18f7 Add KEM (Key encapsulation mechanism) support to providers 28833f1465 Update the EdDSA docs with information about Algorithm Identifiers 4c6348c23a Make sure we properly test for EdDSA with alg ids d12a2fe4e7 Teach EdDSA signature algorithms about AlgorithmIdentifiers 991a6bb581 Add option to fipsinstall to disable fips security checks at run time. 7a810fac86 Add 'fips-securitychecks' option and plumb this into the actual fips checks 850a485f25 fix provider exchange operations 49ed5ba8f6 fix provider signatures 16fbda848d Separate fips and non fips code for key operations a88d105ea8 Add missing 'ossl_unused' tags to some gettable and settable methods. f85a9d26be Add error message to genpkey app for the '-genparam' option 341c3e7f28 Add fips checks for ecdh key agreement 8d17cca5b8 Add fips checks for rsa encryption b8237707d4 Add fips checks for dh key agreement 0645110ebd Add fips checks for ecdsa signatures e43b448241 Add fips checks for dsa signatures 3f699197ac Add fips checks for rsa signatures. 282de1cc2d Fix some doc-nits and make update errors 028b31b32d Remove some unneeded code from lhash.h efffd8a6e4 Update err.h to use the new lhash generation code 2ca697ce00 Update conf.h.in to use the new lhash generation code 726b329339 Provide basis for fixing lhash code ecf15b16ee s_client.pod: Fix grammar in NOTES section. Build log ended with (last 100 lines): # Server sent alert unexpected_message but client received no alert. # 80B73F9CCC7F:error::SSL routines::unexpected message:../openssl/ssl/statem/statem_srvr.c:314: not ok 9 - iteration 9 # -- not ok 1 - test_handshake # -- ../../util/wrap.pl ../../test/ssl_test 25-cipher.cnf.default default => 1 not ok 6 - running ssl_test 25-cipher.cnf # -- # Looks like you failed 2 tests of 9. not ok 26 - Test configuration 25-cipher.cnf # -- # Looks like you failed 1 test of 31.80-test_ssl_new.t .. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/31 subtests 80-test_ssl_old.t .. ok 80-test_ssl_test_ctx.t . ok # INFO: @ ../openssl/test/sslcorrupttest.c:197 # Starting #2, ECDHE-RSA-CHACHA20-POLY1305 # ERROR: (int) 'SSL_get_error(clientssl, 0) == SSL_ERROR_WANT_READ' failed @ ../openssl/test/ssltestlib.c:1032 # [1] compared to [2] # ERROR: (bool) 'create_ssl_connection(server, client, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslcorrupttest.c:227 # false # 80B7F0A7DF7F:error::SSL routines::unexpected message:../openssl/ssl/statem/statem_clnt.c:399: not ok 3 - iteration 3 # -- # INFO: @ ../openssl/test/sslcorrupttest.c:197 # Starting #3, DHE-RSA-CHACHA20-POLY1305 # ERROR: (int) 'SSL_get_error(clientssl, 0) == SSL_ERROR_WANT_READ' failed @
SUCCESSFUL build of OpenSSL branch master with options -d --strict-warnings
Platform and configuration command: $ uname -a Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings Commit log since last time: 434343f896 Add const to 'ppin' function parameter 6600baa9bb DOC: POD syntax fixes in doc/man1/openssl-cmp.pod.in 36871717ac Support keys with RSA_METHOD_FLAG_NO_CHECK with OCSP sign 9c13b49a9f Increase PSK_MAX_IDENTITY_LEN from 128 to 256 639bb581ce apps/ocsp: Return non zero exit code with invalid certID e57bbf9e1a Increase PSK_MAX_PSK_LEN to 512 627ddf7b5b Correct certificate and key names for explicit ec param test d5b170a2fc Fixed EVP_MAC_final argument count in example a316356133 Fix merge error with libcrypto.num
Errored: openssl/openssl#37613 (master - 434343f)
Build Update for openssl/openssl - Build: #37613 Status: Errored Duration: 1 hr, 20 mins, and 24 secs Commit: 434343f (master) Author: olszomal Message: Add const to 'ppin' function parameter CLA: trivial Reviewed-by: Kurt Roeckx Reviewed-by: Matt Caswell GH: #12205 View the changeset: https://github.com/openssl/openssl/compare/6600baa9bb6e...434343f896a2 View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/185653841?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.com/account/preferences/unsubscribe?repository=13885459_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.com/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
Errored: openssl/openssl#37609 (master - 6600baa)
Build Update for openssl/openssl - Build: #37609 Status: Errored Duration: 1 hr, 20 mins, and 14 secs Commit: 6600baa (master) Author: Richard Levitte Message: DOC: POD syntax fixes in doc/man1/openssl-cmp.pod.in Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12924) View the changeset: https://github.com/openssl/openssl/compare/36871717ac83...6600baa9bb6e View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/185604802?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.com/account/preferences/unsubscribe?repository=13885459_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.com/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
Errored: openssl/openssl#37602 (master - 3687171)
Build Update for openssl/openssl - Build: #37602 Status: Errored Duration: 1 hr, 26 mins, and 49 secs Commit: 3687171 (master) Author: Norman Ashley Message: Support keys with RSA_METHOD_FLAG_NO_CHECK with OCSP sign OCSP_basic_sign_ctx() in ocsp_srv.c , does not check for RSA_METHOD_FLAG_NO_CHECK. If a key has RSA_METHOD_FLAG_NO_CHECK set, OCSP sign operations can fail because the X509_check_private_key() can fail. The check for the RSA_METHOD_FLAG_NO_CHECK was moved to crypto/rsa/rsa_ameth.c as a common place to check. Checks in ssl_rsa.c were removed. Reviewed-by: Matt Caswell Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12419) (cherry picked from commit 56e8fe0b4efbf582e40ae91319727c9d176c5e1e) View the changeset: https://github.com/openssl/openssl/compare/9c13b49a9f22...36871717ac83 View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/185578770?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.com/account/preferences/unsubscribe?repository=13885459_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.com/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
Errored: openssl/openssl#37600 (master - 9c13b49)
Build Update for openssl/openssl - Build: #37600 Status: Errored Duration: 1 hr, 20 mins, and 6 secs Commit: 9c13b49 (master) Author: Eric Curtin Message: Increase PSK_MAX_IDENTITY_LEN from 128 to 256 We are considering using the format "host-nqn controller-nqn" for psk-id in the NVMe-oF/TCP over TLS spec, it's in the current version, but openssl's limit was 128 upto now, we need a little longer than that. Reviewed-by: Shane Lontis Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/12771) View the changeset: https://github.com/openssl/openssl/compare/639bb581ce5b...9c13b49a9f22 View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/185569358?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.com/account/preferences/unsubscribe?repository=13885459_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.com/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 256989ce442c19151ae2b79b8d137c364e8479f2 (commit) from 56e8fe0b4efbf582e40ae91319727c9d176c5e1e (commit) - Log - commit 256989ce442c19151ae2b79b8d137c364e8479f2 Author: olszomal Date: Fri Jun 19 15:00:32 2020 +0200 Add const to 'ppin' function parameter CLA: trivial Reviewed-by: Kurt Roeckx Reviewed-by: Matt Caswell GH: #12205 (cherry picked from commit 434343f896a2bb3e5857cc9831c38f8cd1cceec1) --- Summary of changes: doc/man3/d2i_DHparams.pod | 2 +- doc/man3/d2i_X509.pod | 8 +--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/doc/man3/d2i_DHparams.pod b/doc/man3/d2i_DHparams.pod index d4e34fe877..befcafa8a1 100644 --- a/doc/man3/d2i_DHparams.pod +++ b/doc/man3/d2i_DHparams.pod @@ -8,7 +8,7 @@ d2i_DHparams, i2d_DHparams - PKCS#3 DH parameter functions #include - DH *d2i_DHparams(DH **a, unsigned char **pp, long length); + DH *d2i_DHparams(DH **a, const unsigned char **pp, long length); int i2d_DHparams(DH *a, unsigned char **pp); =head1 DESCRIPTION diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod index 245df0c8d9..e42049d2ba 100644 --- a/doc/man3/d2i_X509.pod +++ b/doc/man3/d2i_X509.pod @@ -365,7 +365,7 @@ i2d_X509_VAL, =for comment generic - TYPE *d2i_TYPE(TYPE **a, unsigned char **ppin, long length); + TYPE *d2i_TYPE(TYPE **a, const unsigned char **ppin, long length); TYPE *d2i_TYPE_bio(BIO *bp, TYPE **a); TYPE *d2i_TYPE_fp(FILE *fp, TYPE **a); @@ -529,7 +529,8 @@ Allocate and encode the DER encoding of an X509 structure: Attempt to decode a buffer: X509 *x; - unsigned char *buf, *p; + unsigned char *buf; + const unsigned char *p; int len; /* Set up buf and len to point to the input buffer. */ @@ -541,7 +542,8 @@ Attempt to decode a buffer: Alternative technique: X509 *x; - unsigned char *buf, *p; + unsigned char *buf; + const unsigned char *p; int len; /* Set up buf and len to point to the input buffer. */
[openssl] master update
The branch master has been updated via 434343f896a2bb3e5857cc9831c38f8cd1cceec1 (commit) from 6600baa9bb6e59be91692791a6251c172a099a65 (commit) - Log - commit 434343f896a2bb3e5857cc9831c38f8cd1cceec1 Author: olszomal Date: Fri Jun 19 15:00:32 2020 +0200 Add const to 'ppin' function parameter CLA: trivial Reviewed-by: Kurt Roeckx Reviewed-by: Matt Caswell GH: #12205 --- Summary of changes: doc/man3/d2i_DHparams.pod | 2 +- doc/man3/d2i_X509.pod | 8 +--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/doc/man3/d2i_DHparams.pod b/doc/man3/d2i_DHparams.pod index c554099816..83c3fd9c4b 100644 --- a/doc/man3/d2i_DHparams.pod +++ b/doc/man3/d2i_DHparams.pod @@ -8,7 +8,7 @@ d2i_DHparams, i2d_DHparams - PKCS#3 DH parameter functions #include - DH *d2i_DHparams(DH **a, unsigned char **pp, long length); + DH *d2i_DHparams(DH **a, const unsigned char **pp, long length); int i2d_DHparams(DH *a, unsigned char **pp); =head1 DESCRIPTION diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod index 971339bba0..a46977bc93 100644 --- a/doc/man3/d2i_X509.pod +++ b/doc/man3/d2i_X509.pod @@ -397,7 +397,7 @@ i2d_X509_VAL, =for openssl generic - TYPE *d2i_TYPE(TYPE **a, unsigned char **ppin, long length); + TYPE *d2i_TYPE(TYPE **a, const unsigned char **ppin, long length); TYPE *d2i_TYPE_bio(BIO *bp, TYPE **a); TYPE *d2i_TYPE_fp(FILE *fp, TYPE **a); @@ -564,7 +564,8 @@ Allocate and encode the DER encoding of an X509 structure: Attempt to decode a buffer: X509 *x; - unsigned char *buf, *p; + unsigned char *buf; + const unsigned char *p; int len; /* Set up buf and len to point to the input buffer. */ @@ -576,7 +577,8 @@ Attempt to decode a buffer: Alternative technique: X509 *x; - unsigned char *buf, *p; + unsigned char *buf; + const unsigned char *p; int len; /* Set up buf and len to point to the input buffer. */
Errored: openssl/openssl#37598 (master - 639bb58)
Build Update for openssl/openssl - Build: #37598 Status: Errored Duration: 1 hr, 35 mins, and 22 secs Commit: 639bb58 (master) Author: Tomas Mraz Message: apps/ocsp: Return non zero exit code with invalid certID Fixes #7151 Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/12916) View the changeset: https://github.com/openssl/openssl/compare/e57bbf9e1a95...639bb581ce5b View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/185566581?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.com/account/preferences/unsubscribe?repository=13885459_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.com/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
Errored: openssl/openssl#37597 (master - e57bbf9)
Build Update for openssl/openssl - Build: #37597 Status: Errored Duration: 1 hr, 16 mins, and 51 secs Commit: e57bbf9 (master) Author: Rutger Hendriks Message: Increase PSK_MAX_PSK_LEN to 512 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12777) View the changeset: https://github.com/openssl/openssl/compare/627ddf7b5b7b...e57bbf9e1a95 View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/185566247?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.com/account/preferences/unsubscribe?repository=13885459_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.com/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] master update
The branch master has been updated via 6600baa9bb6e59be91692791a6251c172a099a65 (commit) from 36871717ac83fe049f8620ff82be4a5d36e0d97d (commit) - Log - commit 6600baa9bb6e59be91692791a6251c172a099a65 Author: Richard Levitte Date: Sat Sep 19 09:22:34 2020 +0200 DOC: POD syntax fixes in doc/man1/openssl-cmp.pod.in Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12924) --- Summary of changes: doc/man1/openssl-cmp.pod.in | 5 + 1 file changed, 5 insertions(+) diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 71902ab7da..9ca8bbc97b 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -452,6 +452,7 @@ Defaults to the environment variable C if set, else C in case no TLS is used, otherwise C if set, else C. =item B<-no_proxy> I + List of IP addresses and/or DNS names of servers not to use an HTTP(S) proxy for, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). @@ -1026,10 +1027,14 @@ to issue the following shell commands. cd /path/to/openssl export OPENSSL_CONF=openssl.cnf + =begin comment + wget 'http://pki.certificate.fi:8081/install-ca-cert.html/ca-certificate.crt\ ?ca-id=632=1' -O insta.ca.crt + =end comment + openssl genrsa -out insta.priv.pem openssl cmp -section insta
Errored: openssl/openssl#37596 (master - 627ddf7)
Build Update for openssl/openssl - Build: #37596 Status: Errored Duration: 1 hr, 33 mins, and 51 secs Commit: 627ddf7 (master) Author: Tomas Mraz Message: Correct certificate and key names for explicit ec param test Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/12915) View the changeset: https://github.com/openssl/openssl/compare/d5b170a2fcf8...627ddf7b5b7b View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/185565858?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.com/account/preferences/unsubscribe?repository=13885459_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.com/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
Errored: openssl/openssl#37595 (master - d5b170a)
Build Update for openssl/openssl - Build: #37595 Status: Errored Duration: 1 hr, 31 mins, and 26 secs Commit: d5b170a (master) Author: ozppupbg Message: Fixed EVP_MAC_final argument count in example EVP_MAC_final had only three arguments / the buffer/tag size was missing. Fixes #12424 Note, that I didn't try to compile the example to look for other problems. Reviewed-by: Paul Yang Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/12429) View the changeset: https://github.com/openssl/openssl/compare/a31635613323...d5b170a2fcf8 View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/185559901?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.com/account/preferences/unsubscribe?repository=13885459_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.com/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated
via 56e8fe0b4efbf582e40ae91319727c9d176c5e1e (commit)
from fdcddd9357fcda1f0507fda0307d94e8244f2b51 (commit)
- Log -
commit 56e8fe0b4efbf582e40ae91319727c9d176c5e1e
Author: Norman Ashley
Date: Fri Jul 10 19:01:32 2020 -0400
Support keys with RSA_METHOD_FLAG_NO_CHECK with OCSP sign
OCSP_basic_sign_ctx() in ocsp_srv.c , does not check for
RSA_METHOD_FLAG_NO_CHECK.
If a key has RSA_METHOD_FLAG_NO_CHECK set, OCSP sign operations can fail
because the X509_check_private_key() can fail.
The check for the RSA_METHOD_FLAG_NO_CHECK was moved to
crypto/rsa/rsa_ameth.c
as a common place to check. Checks in ssl_rsa.c were removed.
Reviewed-by: Matt Caswell
Reviewed-by: Tim Hudson
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/12419)
---
Summary of changes:
crypto/rsa/rsa_ameth.c | 9 +
ssl/ssl_rsa.c | 26 --
2 files changed, 9 insertions(+), 26 deletions(-)
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index 6692a51ed8..cc686fcbda 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -118,6 +118,15 @@ static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY
*pubkey)
static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
{
+/*
+ * Don't check the public/private key, this is mostly for smart
+ * cards.
+ */
+if (((RSA_flags(a->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
+|| (RSA_flags(b->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) {
+return 1;
+}
+
if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0
|| BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0)
return 0;
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index b9693527b3..51abd27e27 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -148,15 +148,6 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
EVP_PKEY_copy_parameters(pktmp, pkey);
ERR_clear_error();
-#ifndef OPENSSL_NO_RSA
-/*
- * Don't check the public/private key, this is mostly for smart
- * cards.
- */
-if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA
-&& RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK) ;
-else
-#endif
if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
X509_free(c->pkeys[i].x509);
c->pkeys[i].x509 = NULL;
@@ -342,16 +333,6 @@ static int ssl_set_cert(CERT *c, X509 *x)
EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
ERR_clear_error();
-#ifndef OPENSSL_NO_RSA
-/*
- * Don't check the public/private key, this is mostly for smart
- * cards.
- */
-if (EVP_PKEY_id(c->pkeys[i].privatekey) == EVP_PKEY_RSA
-&& RSA_flags(EVP_PKEY_get0_RSA(c->pkeys[i].privatekey)) &
-RSA_METHOD_FLAG_NO_CHECK) ;
-else
-#endif /* OPENSSL_NO_RSA */
if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
/*
* don't fail for a cert/key mismatch, just free current private
@@ -1082,13 +1063,6 @@ static int ssl_set_cert_and_key(SSL *ssl, SSL_CTX *ctx,
X509 *x509, EVP_PKEY *pr
EVP_PKEY_copy_parameters(pubkey, privatekey);
} /* else both have parameters */
-/* Copied from ssl_set_cert/pkey */
-#ifndef OPENSSL_NO_RSA
-if ((EVP_PKEY_id(privatekey) == EVP_PKEY_RSA) &&
-((RSA_flags(EVP_PKEY_get0_RSA(privatekey)) &
RSA_METHOD_FLAG_NO_CHECK)))
-/* no-op */ ;
-else
-#endif
/* check that key <-> cert match */
if (EVP_PKEY_cmp(pubkey, privatekey) != 1) {
SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_PRIVATE_KEY_MISMATCH);
[openssl] master update
The branch master has been updated
via 36871717ac83fe049f8620ff82be4a5d36e0d97d (commit)
from 9c13b49a9f22d91c7f0576377975157f4f67984c (commit)
- Log -
commit 36871717ac83fe049f8620ff82be4a5d36e0d97d
Author: Norman Ashley
Date: Fri Jul 10 19:01:32 2020 -0400
Support keys with RSA_METHOD_FLAG_NO_CHECK with OCSP sign
OCSP_basic_sign_ctx() in ocsp_srv.c , does not check for
RSA_METHOD_FLAG_NO_CHECK.
If a key has RSA_METHOD_FLAG_NO_CHECK set, OCSP sign operations can fail
because the X509_check_private_key() can fail.
The check for the RSA_METHOD_FLAG_NO_CHECK was moved to
crypto/rsa/rsa_ameth.c
as a common place to check. Checks in ssl_rsa.c were removed.
Reviewed-by: Matt Caswell
Reviewed-by: Tim Hudson
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/12419)
(cherry picked from commit 56e8fe0b4efbf582e40ae91319727c9d176c5e1e)
---
Summary of changes:
crypto/rsa/rsa_ameth.c | 9 +
ssl/ssl_rsa.c | 26 --
2 files changed, 9 insertions(+), 26 deletions(-)
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index 130f6156c5..6558e1c662 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -144,6 +144,15 @@ static int rsa_pub_decode(EVP_PKEY *pkey, const
X509_PUBKEY *pubkey)
static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
{
+/*
+ * Don't check the public/private key, this is mostly for smart
+ * cards.
+ */
+if (((RSA_flags(a->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
+|| (RSA_flags(b->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) {
+return 1;
+}
+
if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0
|| BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0)
return 0;
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 3a28b60ba6..76270b677e 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -166,15 +166,6 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
EVP_PKEY_copy_parameters(pktmp, pkey);
ERR_clear_error();
-#ifndef OPENSSL_NO_RSA
-/*
- * Don't check the public/private key, this is mostly for smart
- * cards.
- */
-if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA
-&& RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK) ;
-else
-#endif
if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
X509_free(c->pkeys[i].x509);
c->pkeys[i].x509 = NULL;
@@ -365,16 +356,6 @@ static int ssl_set_cert(CERT *c, X509 *x)
EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
ERR_clear_error();
-#ifndef OPENSSL_NO_RSA
-/*
- * Don't check the public/private key, this is mostly for smart
- * cards.
- */
-if (EVP_PKEY_id(c->pkeys[i].privatekey) == EVP_PKEY_RSA
-&& RSA_flags(EVP_PKEY_get0_RSA(c->pkeys[i].privatekey)) &
-RSA_METHOD_FLAG_NO_CHECK) ;
-else
-#endif /* OPENSSL_NO_RSA */
if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
/*
* don't fail for a cert/key mismatch, just free current private
@@ -1134,13 +1115,6 @@ static int ssl_set_cert_and_key(SSL *ssl, SSL_CTX *ctx,
X509 *x509, EVP_PKEY *pr
EVP_PKEY_copy_parameters(pubkey, privatekey);
} /* else both have parameters */
-/* Copied from ssl_set_cert/pkey */
-#ifndef OPENSSL_NO_RSA
-if ((EVP_PKEY_id(privatekey) == EVP_PKEY_RSA) &&
-((RSA_flags(EVP_PKEY_get0_RSA(privatekey)) &
RSA_METHOD_FLAG_NO_CHECK)))
-/* no-op */ ;
-else
-#endif
/* check that key <-> cert match */
if (EVP_PKEY_eq(pubkey, privatekey) != 1) {
SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_PRIVATE_KEY_MISMATCH);
[openssl] master update
The branch master has been updated via 9c13b49a9f22d91c7f0576377975157f4f67984c (commit) from 639bb581ce5bfed0f3a6286ff4b2ccb773d3353d (commit) - Log - commit 9c13b49a9f22d91c7f0576377975157f4f67984c Author: Eric Curtin Date: Wed Sep 2 10:49:47 2020 +0100 Increase PSK_MAX_IDENTITY_LEN from 128 to 256 We are considering using the format "host-nqn controller-nqn" for psk-id in the NVMe-oF/TCP over TLS spec, it's in the current version, but openssl's limit was 128 upto now, we need a little longer than that. Reviewed-by: Shane Lontis Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/12771) --- Summary of changes: include/openssl/ssl.h.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in index ac7c521e95..1d7996ed61 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -849,7 +849,7 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, * the maximum length of the buffer given to callbacks containing the * resulting identity/psk */ -# define PSK_MAX_IDENTITY_LEN 128 +# define PSK_MAX_IDENTITY_LEN 256 # define PSK_MAX_PSK_LEN 512 typedef unsigned int (*SSL_psk_client_cb_func)(SSL *ssl, const char *hint,
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated
via fdcddd9357fcda1f0507fda0307d94e8244f2b51 (commit)
via 398c8da5c8c3cf3369ac7e8883823e0c94735ca7 (commit)
from ee617d0e020d6dd28c079fa7819d009790f2d2b9 (commit)
- Log -
commit fdcddd9357fcda1f0507fda0307d94e8244f2b51
Author: Tomas Mraz
Date: Fri Sep 11 09:09:29 2020 +0200
Disallow certs with explicit curve in verification chain
The check is applied only with X509_V_FLAG_X509_STRICT.
Fixes #12139
Reviewed-by: David von Oheimb
Reviewed-by: Nicola Tuveri
(Merged from https://github.com/openssl/openssl/pull/12909)
commit 398c8da5c8c3cf3369ac7e8883823e0c94735ca7
Author: Tomas Mraz
Date: Fri Aug 21 14:50:52 2020 +0200
EC_KEY: add EC_KEY_decoded_from_explicit_params()
The function returns 1 when the encoding of a decoded EC key used
explicit encoding of the curve parameters.
Reviewed-by: David von Oheimb
Reviewed-by: Nicola Tuveri
(Merged from https://github.com/openssl/openssl/pull/12909)
---
Summary of changes:
crypto/ec/ec_asn1.c | 31 +++---
crypto/ec/ec_key.c | 7 +++
crypto/ec/ec_lib.c | 1 +
crypto/ec/ec_local.h | 2 +
crypto/x509/x509_txt.c | 2 +
crypto/x509/x509_vfy.c | 35 +++
doc/man3/EC_KEY_new.pod | 8 ++-
include/openssl/ec.h | 2 +
include/openssl/x509_vfy.h | 1 +
ssl/statem/statem_lib.c | 1 +
test/certs/ca-cert-ec-explicit.pem | 19 ++
test/certs/ca-cert-ec-named.pem | 14 +
test/certs/ca-key-ec-explicit.pem| 10 +++
test/certs/ca-key-ec-named.pem | 5 ++
test/certs/ee-cert-ec-explicit.pem | 16 +
test/certs/ee-cert-ec-named-explicit.pem | 11
test/certs/ee-cert-ec-named-named.pem| 11
test/certs/ee-key-ec-explicit.pem| 10 +++
test/certs/ee-key-ec-named-explicit.pem | 5 ++
test/certs/ee-key-ec-named-named.pem | 5 ++
test/certs/setup.sh | 12
test/ec_internal_test.c | 101 +++
test/recipes/25-test_verify.t| 23 ++-
util/libcrypto.num | 1 +
24 files changed, 323 insertions(+), 10 deletions(-)
create mode 100644 test/certs/ca-cert-ec-explicit.pem
create mode 100644 test/certs/ca-cert-ec-named.pem
create mode 100644 test/certs/ca-key-ec-explicit.pem
create mode 100644 test/certs/ca-key-ec-named.pem
create mode 100644 test/certs/ee-cert-ec-explicit.pem
create mode 100644 test/certs/ee-cert-ec-named-explicit.pem
create mode 100644 test/certs/ee-cert-ec-named-named.pem
create mode 100644 test/certs/ee-key-ec-explicit.pem
create mode 100644 test/certs/ee-key-ec-named-explicit.pem
create mode 100644 test/certs/ee-key-ec-named-named.pem
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 96e7d83ea7..7b7c75ce84 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -137,6 +137,12 @@ struct ec_parameters_st {
ASN1_INTEGER *cofactor;
} /* ECPARAMETERS */ ;
+typedef enum {
+ECPKPARAMETERS_TYPE_NAMED = 0,
+ECPKPARAMETERS_TYPE_EXPLICIT,
+ECPKPARAMETERS_TYPE_IMPLICIT
+} ecpk_parameters_type_t;
+
struct ecpk_parameters_st {
int type;
union {
@@ -535,9 +541,10 @@ ECPKPARAMETERS *EC_GROUP_get_ecpkparameters(const EC_GROUP
*group,
return NULL;
}
} else {
-if (ret->type == 0)
+if (ret->type == ECPKPARAMETERS_TYPE_NAMED)
ASN1_OBJECT_free(ret->value.named_curve);
-else if (ret->type == 1 && ret->value.parameters)
+else if (ret->type == ECPKPARAMETERS_TYPE_EXPLICIT
+ && ret->value.parameters != NULL)
ECPARAMETERS_free(ret->value.parameters);
}
@@ -554,7 +561,7 @@ ECPKPARAMETERS *EC_GROUP_get_ecpkparameters(const EC_GROUP
*group,
ECerr(EC_F_EC_GROUP_GET_ECPKPARAMETERS, EC_R_MISSING_OID);
ok = 0;
} else {
-ret->type = 0;
+ret->type = ECPKPARAMETERS_TYPE_NAMED;
ret->value.named_curve = asn1obj;
}
} else
@@ -562,7 +569,7 @@ ECPKPARAMETERS *EC_GROUP_get_ecpkparameters(const EC_GROUP
*group,
ok = 0;
} else {
/* use the ECPARAMETERS structure */
-ret->type = 1;
+ret->type = ECPKPARAMETERS_TYPE_EXPLICIT;
if ((ret->value.parameters =
EC_GROUP_get_ecparameters(group, NULL)) == NULL)
ok = 0;
@@ -901,7 +908,8 @@ EC_GROUP *EC_GROUP_new_from_ecpkparameters(const
ECPKPARAMETERS *params)
return NULL;
}
-if (params->type == 0) {/* the curve
[openssl] master update
The branch master has been updated
via 639bb581ce5bfed0f3a6286ff4b2ccb773d3353d (commit)
from e57bbf9e1a95a93551dc711664d69ca086f7e0b1 (commit)
- Log -
commit 639bb581ce5bfed0f3a6286ff4b2ccb773d3353d
Author: Tomas Mraz
Date: Fri Sep 18 16:43:00 2020 +0200
apps/ocsp: Return non zero exit code with invalid certID
Fixes #7151
Reviewed-by: Dmitry Belyavskiy
(Merged from https://github.com/openssl/openssl/pull/12916)
---
Summary of changes:
apps/ocsp.c | 18 --
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 93c17f4a07..4d01e99c15 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -62,7 +62,7 @@ static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,
const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids);
-static void print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
+static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
STACK_OF(OPENSSL_STRING) *names,
STACK_OF(OCSP_CERTID) *ids, long nsec,
long maxage);
@@ -813,7 +813,8 @@ redo_accept:
}
}
-print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage);
+if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
+ret = 1;
end:
ERR_print_errors(bio_err);
@@ -929,7 +930,7 @@ static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,
return 0;
}
-static void print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
+static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
STACK_OF(OPENSSL_STRING) *names,
STACK_OF(OCSP_CERTID) *ids, long nsec,
long maxage)
@@ -938,10 +939,13 @@ static void print_ocsp_summary(BIO *out, OCSP_BASICRESP
*bs, OCSP_REQUEST *req,
const char *name;
int i, status, reason;
ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
+int ret = 1;
-if (bs == NULL || req == NULL || !sk_OPENSSL_STRING_num(names)
-|| !sk_OCSP_CERTID_num(ids))
-return;
+if (req == NULL || !sk_OPENSSL_STRING_num(names))
+return 1;
+
+if (bs == NULL || !sk_OCSP_CERTID_num(ids))
+return 0;
for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) {
id = sk_OCSP_CERTID_value(ids, i);
@@ -951,6 +955,7 @@ static void print_ocsp_summary(BIO *out, OCSP_BASICRESP
*bs, OCSP_REQUEST *req,
if (!OCSP_resp_find_status(bs, id, , ,
, , )) {
BIO_puts(out, "ERROR: No Status found.\n");
+ret = 0;
continue;
}
@@ -984,6 +989,7 @@ static void print_ocsp_summary(BIO *out, OCSP_BASICRESP
*bs, OCSP_REQUEST *req,
ASN1_GENERALIZEDTIME_print(out, rev);
BIO_puts(out, "\n");
}
+return ret;
}
static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST
*req,
[openssl] master update
The branch master has been updated
via e57bbf9e1a95a93551dc711664d69ca086f7e0b1 (commit)
from 627ddf7b5b7b1f0f69a57495c25f7cbd39c33961 (commit)
- Log -
commit e57bbf9e1a95a93551dc711664d69ca086f7e0b1
Author: Rutger Hendriks
Date: Mon Aug 31 13:59:51 2020 +0200
Increase PSK_MAX_PSK_LEN to 512
Reviewed-by: Matt Caswell
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/12777)
---
Summary of changes:
include/openssl/ssl.h.in | 2 +-
ssl/ssl_local.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index 264b7eddb7..ac7c521e95 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -850,7 +850,7 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned
char **data,
* resulting identity/psk
*/
# define PSK_MAX_IDENTITY_LEN 128
-# define PSK_MAX_PSK_LEN 256
+# define PSK_MAX_PSK_LEN 512
typedef unsigned int (*SSL_psk_client_cb_func)(SSL *ssl,
const char *hint,
char *identity,
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 49d24e6a96..fd4eacdc38 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -524,7 +524,7 @@ struct ssl_method_st {
* Matches the length of PSK_MAX_PSK_LEN. We keep it the same value for
* consistency, even in the event of OPENSSL_NO_PSK being defined.
*/
-# define TLS13_MAX_RESUMPTION_PSK_LENGTH 256
+# define TLS13_MAX_RESUMPTION_PSK_LENGTH 512
/*-
* Lets make this into an ASN.1 type structure as follows
[openssl] master update
The branch master has been updated via 627ddf7b5b7b1f0f69a57495c25f7cbd39c33961 (commit) from d5b170a2fcf8b22c67e86a09222dff7ce306c7ad (commit) - Log - commit 627ddf7b5b7b1f0f69a57495c25f7cbd39c33961 Author: Tomas Mraz Date: Fri Sep 18 13:59:55 2020 +0200 Correct certificate and key names for explicit ec param test Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/12915) --- Summary of changes: test/certs/setup.sh | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/test/certs/setup.sh b/test/certs/setup.sh index 6839e60674..ee3d678219 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -191,9 +191,11 @@ OPENSSL_KEYBITS=768 \ # EC cert with explicit curve signed by named curve ca ./mkcert.sh genee server.example ee-key-ec-explicit ee-cert-ec-explicit ca-key-ec-named ca-cert-ec-named # EC cert with named curve signed by explicit curve ca -./mkcert.sh genee server.example ee-key-ec-named ee-cert-ec-named ca-key-ec-explicit ca-cert-ec-explicit +./mkcert.sh genee server.example ee-key-ec-named-explicit \ +ee-cert-ec-named-explicit ca-key-ec-explicit ca-cert-ec-explicit # EC cert with named curve signed by named curve ca -./mkcert.sh genee server.example ee-key-ec-namnam ee-cert-ec-namnam ca-key-ec-named ca-cert-ec-named +./mkcert.sh genee server.example ee-key-ec-named-named \ +ee-cert-ec-named-named ca-key-ec-named ca-cert-ec-named # self-signed end-entity cert with explicit keyUsage not including KeyCertSign openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext keyUsage=digitalSignature -days 36500
[openssl] master update
The branch master has been updated
via d5b170a2fcf8b22c67e86a09222dff7ce306c7ad (commit)
from a31635613323f7a1c28a96ff47cb360681faf9bd (commit)
- Log -
commit d5b170a2fcf8b22c67e86a09222dff7ce306c7ad
Author: ozppupbg <43532395+ozppu...@users.noreply.github.com>
Date: Mon Jul 13 07:04:28 2020 +0200
Fixed EVP_MAC_final argument count in example
EVP_MAC_final had only three arguments / the buffer/tag size was missing.
Fixes #12424
Note, that I didn't try to compile the example to look for other problems.
Reviewed-by: Paul Yang
Reviewed-by: Tomas Mraz
Reviewed-by: Dmitry Belyavskiy
(Merged from https://github.com/openssl/openssl/pull/12429)
---
Summary of changes:
doc/man3/EVP_MAC.pod | 10 +-
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod
index dc90ee5421..b33af5a670 100644
--- a/doc/man3/EVP_MAC.pod
+++ b/doc/man3/EVP_MAC.pod
@@ -322,7 +322,7 @@ EVP_MAC_do_all_provided() returns nothing at all.
EVP_MAC_CTX *ctx = NULL;
unsigned char buf[4096];
- ssize_t read_l;
+ size_t read_l;
size_t final_l;
size_t i;
@@ -332,12 +332,12 @@ EVP_MAC_do_all_provided() returns nothing at all.
if (cipher != NULL)
params[params_n++] =
- OSSL_PARAM_construct_utf8_string("cipher", cipher, 0;
+ OSSL_PARAM_construct_utf8_string("cipher", (char*)cipher, 0);
if (digest != NULL)
params[params_n++] =
- OSSL_PARAM_construct_utf8_string("digest", digest, 0);
+ OSSL_PARAM_construct_utf8_string("digest", (char*)digest, 0);
params[params_n++] =
- OSSL_PARAM_construct_octet_string("key", key, strlen(key));
+ OSSL_PARAM_construct_octet_string("key", (void*)key, strlen(key));
params[params_n] = OSSL_PARAM_construct_end();
if (mac == NULL
@@ -354,7 +354,7 @@ EVP_MAC_do_all_provided() returns nothing at all.
goto err;
}
- if (!EVP_MAC_final(ctx, buf, _l))
+ if (!EVP_MAC_final(ctx, buf, _l, sizeof(buf)))
goto err;
printf("Result: ");
