Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des
Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: 8bc5b0a570 chacha20: Properly reinitialize the cipher context with NULL key 2ed63033e4 x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST 04a1b3fa7b apps/req.c: Make sure -verify option takes effect also with -x509 0ae8d4ca9e apps/req.c: Cosmetic improvements of code and documentation 73b1d24c1a crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c b65c5ec8f5 apps/req.c: Add -copy_extensions option for use with -x509; default: none 41e597a01d Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert ea9fd333d1 apps/req.c: make -subj work with -x509; clean up related code 7836f949c2 X509_PUBKEY_set(): Fix error reporting 855c68163b apps/lib/opt.c: Fix error message on unknown option/digest f0a057dd53 Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c 6ad957f127 apps/req.c: add -CA and -CAkey options; improve code and doc 1579594383 APPS: Allow OPENSSL_CONF to be empty, not loading a config file ec2bfb7d23 apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default f2a0458731 X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert 3339606a38 d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX() 48116c2d0f Fix incorrect use of BN_CTX API 1df333 Fix enable-weak-ssl-ciphers 4dd009180a x509_vfy.c: Fix a regression in find_issuer() 0cbb3602f5 Make PEM_X509_INFO_read_bio_ex() conservative on the error queue 0b7368dda0 TEST: move cert, key, and CSR loading aux functions to new testutil/load.c bf973d0697 Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 5a2d0ef36f Clean away extraneous library specific FETCH_FAILED reason codes d6d42cda5f Use centralized fetching errors 0d11846e4b Remove duplicate GENERATE declarations for .pod files 2497e2e7db Configure: warn about duplicate GENERATE declarations in build.info files 5e16ac142e Configure: clean away perl syntax faults 507f83800f Configure: Check all SOURCE declarations, to ensure consistency b209835364 v3_ocsp.c: fix indentation of include directives 3ddf44ea5a Close /dev/crypto file descriptor after CRIOGET ioctl(). 678cae0295 APPS: Print help also on -h and --h; print high-level help when no cmd given 3372039252 APPS: Fix confusion between program and app/command name used in diagnostic/help output 046a7aaa5e apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations 1f7643e86e apps/pkey.c: Re-order help output and option documentation 475d10028e apps/pkey.c: Make clear that -passout is not supported for DER output 400e2acfe0 apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL Build log ended with (last 100 lines): 70-test_sslmessages.t .. ok 70-test_sslrecords.t ... ok 70-test_sslsessiontick.t ... ok 70-test_sslsigalgs.t ... ok 70-test_sslsignature.t . ok 70-test_sslskewith0p.t . ok 70-test_sslversions.t .. ok 70-test_sslvertol.t ok 70-test_tls13alerts.t .. ok 70-test_tls13cookie.t .. ok 70-test_tls13downgrade.t ... ok 70-test_tls13hrr.t . ok 70-test_tls13kexmodes.t ok 70-test_tls13messages.t ok 70-test_tls13psk.t . ok 70-test_tlsextms.t . ok 70-test_verify_extra.t . ok 70-test_wpacket.t .. ok 71-test_ssl_ctx.t .. ok 80-test_ca.t ... ok 80-test_cipherbytes.t .. ok 80-test_cipherlist.t ... ok 80-test_ciphername.t ... ok # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... ok 80-test_dane.t . ok 80-test_dtls.t . ok 80-test_dtls_mtu.t . ok 80-test_dtlsv1listen.t . ok 80-test_http.t . ok 80-test_ocsp.t . ok 80-test_pkcs12.t ... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .. ok 80-test_ssl_old.t .. ok 80-test_ssl_test_ctx.t . ok 80-test_sslcorrupt.t ... ok 80-test_tsa.t .. ok 80-test_x509aux.t .. ok # 81-test_cmp_cli.t .. ok 90-test_asn1_time.t ok 90-test_async.t ok 90-test_bio_enc.t .. ok 90-test_bio_memleak.t .. ok 90-test_constant_time.t ok 90-test_fatalerr.t . ok 90-test_fipsload.t . ok 90-test_gmdiff.t ... ok
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit
Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: 8bc5b0a570 chacha20: Properly reinitialize the cipher context with NULL key 2ed63033e4 x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST 04a1b3fa7b apps/req.c: Make sure -verify option takes effect also with -x509 0ae8d4ca9e apps/req.c: Cosmetic improvements of code and documentation 73b1d24c1a crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c b65c5ec8f5 apps/req.c: Add -copy_extensions option for use with -x509; default: none 41e597a01d Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert ea9fd333d1 apps/req.c: make -subj work with -x509; clean up related code 7836f949c2 X509_PUBKEY_set(): Fix error reporting 855c68163b apps/lib/opt.c: Fix error message on unknown option/digest f0a057dd53 Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c 6ad957f127 apps/req.c: add -CA and -CAkey options; improve code and doc 1579594383 APPS: Allow OPENSSL_CONF to be empty, not loading a config file ec2bfb7d23 apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default f2a0458731 X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert 3339606a38 d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX() 48116c2d0f Fix incorrect use of BN_CTX API 1df333 Fix enable-weak-ssl-ciphers 4dd009180a x509_vfy.c: Fix a regression in find_issuer() 0cbb3602f5 Make PEM_X509_INFO_read_bio_ex() conservative on the error queue 0b7368dda0 TEST: move cert, key, and CSR loading aux functions to new testutil/load.c bf973d0697 Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 5a2d0ef36f Clean away extraneous library specific FETCH_FAILED reason codes d6d42cda5f Use centralized fetching errors 0d11846e4b Remove duplicate GENERATE declarations for .pod files 2497e2e7db Configure: warn about duplicate GENERATE declarations in build.info files 5e16ac142e Configure: clean away perl syntax faults 507f83800f Configure: Check all SOURCE declarations, to ensure consistency b209835364 v3_ocsp.c: fix indentation of include directives 3ddf44ea5a Close /dev/crypto file descriptor after CRIOGET ioctl(). 678cae0295 APPS: Print help also on -h and --h; print high-level help when no cmd given 3372039252 APPS: Fix confusion between program and app/command name used in diagnostic/help output 046a7aaa5e apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations 1f7643e86e apps/pkey.c: Re-order help output and option documentation 475d10028e apps/pkey.c: Make clear that -passout is not supported for DER output 400e2acfe0 apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL Build log ended with (last 100 lines): 70-test_sslcbcpadding.t ok 70-test_sslcertstatus.t ok 70-test_sslextension.t . ok 70-test_sslmessages.t .. ok 70-test_sslrecords.t ... ok 70-test_sslsessiontick.t ... ok 70-test_sslsigalgs.t ... ok 70-test_sslsignature.t . ok 70-test_sslskewith0p.t . ok 70-test_sslversions.t .. ok 70-test_sslvertol.t ok 70-test_tls13alerts.t .. ok 70-test_tls13cookie.t .. ok 70-test_tls13downgrade.t ... ok 70-test_tls13hrr.t . ok 70-test_tls13kexmodes.t ok 70-test_tls13messages.t ok 70-test_tls13psk.t . ok 70-test_tlsextms.t . ok 70-test_verify_extra.t . ok 70-test_wpacket.t .. ok 71-test_ssl_ctx.t .. ok 80-test_ca.t ... ok 80-test_cipherbytes.t .. ok 80-test_cipherlist.t ... ok 80-test_ciphername.t ... ok # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... ok 80-test_dane.t . ok 80-test_dtls.t . ok 80-test_dtls_mtu.t . ok 80-test_dtlsv1listen.t . ok 80-test_http.t . ok 80-test_ocsp.t . ok 80-test_pkcs12.t ... ok 80-test_ssl_new.t .. ok 80-test_ssl_old.t .. ok 80-test_ssl_test_ctx.t . ok 80-test_sslcorrupt.t ... ok 80-test_tsa.t .. ok 80-test_x509aux.t .. ok # 81-test_cmp_cli.t .. ok 90-test_asn1_time.t ok 90-test_async.t ok 90-test_bio_enc.t .. ok 90-test_bio_memleak.t .. ok 90-test_constant_time.t ok 90-test_fatalerr.t . ok 90-test_fipsload.t . ok
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm
Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-asm Commit log since last time: 8bc5b0a570 chacha20: Properly reinitialize the cipher context with NULL key 2ed63033e4 x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST 04a1b3fa7b apps/req.c: Make sure -verify option takes effect also with -x509 0ae8d4ca9e apps/req.c: Cosmetic improvements of code and documentation 73b1d24c1a crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c b65c5ec8f5 apps/req.c: Add -copy_extensions option for use with -x509; default: none 41e597a01d Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert ea9fd333d1 apps/req.c: make -subj work with -x509; clean up related code 7836f949c2 X509_PUBKEY_set(): Fix error reporting 855c68163b apps/lib/opt.c: Fix error message on unknown option/digest f0a057dd53 Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c 6ad957f127 apps/req.c: add -CA and -CAkey options; improve code and doc 1579594383 APPS: Allow OPENSSL_CONF to be empty, not loading a config file ec2bfb7d23 apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default f2a0458731 X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert 3339606a38 d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX() 48116c2d0f Fix incorrect use of BN_CTX API 1df333 Fix enable-weak-ssl-ciphers 4dd009180a x509_vfy.c: Fix a regression in find_issuer() 0cbb3602f5 Make PEM_X509_INFO_read_bio_ex() conservative on the error queue 0b7368dda0 TEST: move cert, key, and CSR loading aux functions to new testutil/load.c bf973d0697 Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 5a2d0ef36f Clean away extraneous library specific FETCH_FAILED reason codes d6d42cda5f Use centralized fetching errors 0d11846e4b Remove duplicate GENERATE declarations for .pod files 2497e2e7db Configure: warn about duplicate GENERATE declarations in build.info files 5e16ac142e Configure: clean away perl syntax faults 507f83800f Configure: Check all SOURCE declarations, to ensure consistency b209835364 v3_ocsp.c: fix indentation of include directives 3ddf44ea5a Close /dev/crypto file descriptor after CRIOGET ioctl(). 678cae0295 APPS: Print help also on -h and --h; print high-level help when no cmd given 3372039252 APPS: Fix confusion between program and app/command name used in diagnostic/help output 046a7aaa5e apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations 1f7643e86e apps/pkey.c: Re-order help output and option documentation 475d10028e apps/pkey.c: Make clear that -passout is not supported for DER output 400e2acfe0 apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL Build log ended with (last 100 lines): 30-test_engine.t ... ok 30-test_evp.t .. ok 30-test_evp_extra.t ok 30-test_evp_fetch_prov.t ... ok 30-test_evp_kdf.t .. ok 30-test_evp_libctx.t ... ok 30-test_evp_pkey_dparam.t .. ok 30-test_evp_pkey_provided.t ok 30-test_pbelu.t ok 30-test_pkey_meth.t ok 30-test_pkey_meth_kdf.t ok 30-test_provider_status.t .. ok 40-test_rehash.t ... ok 60-test_x509_check_cert_pkey.t . ok 60-test_x509_dup_cert.t ok 60-test_x509_store.t ... ok 60-test_x509_time.t ok 61-test_bio_prefix.t ... ok 65-test_cmp_asn.t .. ok 65-test_cmp_client.t ... ok 65-test_cmp_ctx.t .. ok 65-test_cmp_hdr.t .. ok 65-test_cmp_msg.t .. ok 65-test_cmp_protect.t .. ok 65-test_cmp_server.t ... ok 65-test_cmp_status.t ... ok 65-test_cmp_vfy.t .. ok 66-test_ossl_store.t ... ok 70-test_asyncio.t .. ok 70-test_bad_dtls.t . ok 70-test_clienthello.t .. ok 70-test_comp.t . ok 70-test_key_share.t ok 70-test_packet.t ... ok 70-test_recordlen.t ok 70-test_renegotiation.t ok 70-test_servername.t ... ok 70-test_sslcbcpadding.t ok 70-test_sslcertstatus.t ok 70-test_sslextension.t . ok 70-test_sslmessages.t .. ok 70-test_sslrecords.t ... ok 70-test_sslsessiontick.t ... ok 70-test_sslsigalgs.t ... ok 70-test_sslsignature.t . ok 70-test_sslskewith0p.t . ok 70-test_sslversions.t .. ok 70-test_sslvertol.t ok 70-test_tls13alerts.t .. ok 70-test_tls13cookie.t .. ok
[openssl] master update
The branch master has been updated via 879365e6d4a53d80e83bbe468fcf2cdd02d30ba1 (commit) from 0f2380066de6436c0e8debfad1391db134ad4c25 (commit) - Log - commit 879365e6d4a53d80e83bbe468fcf2cdd02d30ba1 Author: Richard Levitte Date: Tue Jan 12 15:44:43 2021 +0100 Make header references conform with man-pages(7) in all manuals Details from man-pages(7) that are used: Formatting conventions (general) ... Filenames (whether pathnames, or references to header files) are always in italics (e.g., ), except in the SYNOPSIS section, where in‐ cluded files are in bold (e.g., #include ). When referring to a standard header file include, specify the header file surrounded by angle brackets, in the usual C way (e.g., ). ... Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13843) --- Summary of changes: doc/man3/ASYNC_WAIT_CTX_new.pod | 6 +++--- doc/man3/ASYNC_start_job.pod | 6 +++--- doc/man3/BIO_find_type.pod| 2 +- doc/man3/BIO_meth_new.pod | 14 +++--- doc/man3/CRYPTO_THREAD_run_once.pod | 13 +++-- doc/man3/CRYPTO_get_ex_new_index.pod | 4 ++-- doc/man3/EC_GROUP_copy.pod| 4 ++-- doc/man3/ENGINE_add.pod | 10 +- doc/man3/OSSL_CRMF_pbmp_new.pod | 2 +- doc/man3/OSSL_PARAM_BLD.pod | 2 +- doc/man3/OSSL_trace_enabled.pod | 2 +- doc/man3/OSSL_trace_set_channel.pod | 2 +- doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod | 2 +- doc/man3/SSL_get_all_async_fds.pod| 6 +++--- doc/man3/X509_NAME_get_index_by_NID.pod | 4 ++-- doc/man3/X509_verify_cert.pod | 4 ++-- 16 files changed, 42 insertions(+), 41 deletions(-) diff --git a/doc/man3/ASYNC_WAIT_CTX_new.pod b/doc/man3/ASYNC_WAIT_CTX_new.pod index f1d6a02219..d6e5d38a12 100644 --- a/doc/man3/ASYNC_WAIT_CTX_new.pod +++ b/doc/man3/ASYNC_WAIT_CTX_new.pod @@ -192,12 +192,12 @@ ASYNC_WAIT_CTX_get_status() returns the engine status. =head1 NOTES -On Windows platforms the openssl/async.h header is dependent on some -of the types customarily made available by including windows.h. The +On Windows platforms the F<< >> header is dependent on some +of the types customarily made available by including F<< >>. The application developer is likely to require control over when the latter is included, commonly as one of the first included headers. Therefore, it is defined as an application developer's responsibility to include -windows.h prior to async.h. +F<< >> prior to F<< >>. =head1 SEE ALSO diff --git a/doc/man3/ASYNC_start_job.pod b/doc/man3/ASYNC_start_job.pod index 983fcf9cf4..5335ae281c 100644 --- a/doc/man3/ASYNC_start_job.pod +++ b/doc/man3/ASYNC_start_job.pod @@ -167,12 +167,12 @@ otherwise. =head1 NOTES -On Windows platforms the openssl/async.h header is dependent on some -of the types customarily made available by including windows.h. The +On Windows platforms the F<< >> header is dependent on some +of the types customarily made available by including F<< >>. The application developer is likely to require control over when the latter is included, commonly as one of the first included headers. Therefore, it is defined as an application developer's responsibility to include -windows.h prior to async.h. +F<< >> prior to F<< >>. =head1 EXAMPLES diff --git a/doc/man3/BIO_find_type.pod b/doc/man3/BIO_find_type.pod index 354e347330..32a97c55f1 100644 --- a/doc/man3/BIO_find_type.pod +++ b/doc/man3/BIO_find_type.pod @@ -24,7 +24,7 @@ found. The following general types are defined: B, B, and B. -For a list of the specific types, see the B header file. +For a list of the specific types, see the F<< >> header file. BIO_next() returns the next BIO in a chain. It can be used to traverse all BIOs in a chain or used in conjunction with BIO_find_type() to find all BIOs of a diff --git a/doc/man3/BIO_meth_new.pod b/doc/man3/BIO_meth_new.pod index b2e2c24692..a2c2848a96 100644 --- a/doc/man3/BIO_meth_new.pod +++ b/doc/man3/BIO_meth_new.pod @@ -67,13 +67,13 @@ unique integer B and a string that represents its B. Use BIO_get_new_index() to get the value for B. The set of -standard OpenSSL provided BIO types is provided in B. Some examples -include B and B. Filter BIOs should have a -type which have the "filter" bit set (B). Source/sink BIOs -should have the "source/sink" bit set (B). File descriptor -based BIOs (e.g. socket, fd, connect, accept etc) should additionally have the -"descriptor" bit set (B). See the L page for -more information. +standard OpenSSL provided BIO types is
[openssl] master update
The branch master has been updated via 0f2380066de6436c0e8debfad1391db134ad4c25 (commit) from 2645c94bb56120a6b7b7c34d70a2900aeda1637c (commit) - Log - commit 0f2380066de6436c0e8debfad1391db134ad4c25 Author: Richard Levitte Date: Tue Jan 12 16:24:10 2021 +0100 Make the OSSL_trace manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13842) --- Summary of changes: doc/man3/OSSL_trace_enabled.pod | 32 +-- doc/man3/OSSL_trace_set_channel.pod | 62 ++--- 2 files changed, 47 insertions(+), 47 deletions(-) diff --git a/doc/man3/OSSL_trace_enabled.pod b/doc/man3/OSSL_trace_enabled.pod index d49a77936b..26168b45a3 100644 --- a/doc/man3/OSSL_trace_enabled.pod +++ b/doc/man3/OSSL_trace_enabled.pod @@ -56,7 +56,7 @@ The tracing output is divided into types which are enabled individually by the application. The tracing types are described in detail in L. -The fallback type C should I be used +The fallback type B should I be used with the functions described here. Tracing for a specific category is enabled if a so called @@ -86,10 +86,10 @@ but rather uses a set of convenience macros, see the L section below. =head2 Functions OSSL_trace_enabled() can be used to check if tracing for the given -C is enabled. +I is enabled. OSSL_trace_begin() is used to starts a tracing section, and get the -channel for the given C in form of a BIO. +channel for the given I in form of a BIO. This BIO can only be used for output. OSSL_trace_end() is used to end a tracing section. @@ -104,8 +104,8 @@ sections is undefined. There are a number of convenience macros defined, to make tracing easy and consistent. -C and C reserve -the B C and are used as follows to wrap a trace section: +OSSL_TRACE_BEGIN() and OSSL_TRACE_END() reserve the B C and are +used as follows to wrap a trace section: OSSL_TRACE_BEGIN(TLS) { @@ -124,8 +124,8 @@ This will normally expand to: OSSL_trace_end(OSSL_TRACE_CATEGORY_TLS, trc_out); } while (0); -C must be used before returning from or -jumping out of a trace section: +OSSL_TRACE_CANCEL() must be used before returning from or jumping out of a +trace section: OSSL_TRACE_BEGIN(TLS) { @@ -152,7 +152,7 @@ This will normally expand to: } while (0); -C and C, C, ... C are +OSSL_TRACE() and OSSL_TRACE1(), OSSL_TRACE2(), ... OSSL_TRACE9() are so-called one-shot macros: The macro call C, produces literal text trace output. @@ -165,14 +165,14 @@ It expands to: BIO_printf(trc_out, format, arg1, ..., argN) } OSSL_TRACE_END(category) -Internally, all one-shot macros are implemented using a generic C +Internally, all one-shot macros are implemented using a generic OSSL_TRACEV() macro, since C90 does not support variadic macros. This helper macro has a rather weird synopsis and should not be used directly. -The C macro can be used to conditionally execute -some code only if a specific trace category is enabled. +The OSSL_TRACE_ENABLED() macro can be used to conditionally execute some code +only if a specific trace category is enabled. In some situations this is simpler than entering a trace section using -C and C. +OSSL_TRACE_BEGIN() and OSSL_TRACE_END(). For example, the code if (OSSL_TRACE_ENABLED(TLS)) { @@ -230,7 +230,7 @@ When the library is built with tracing disabled: =item * -The macro C is defined in C. +The macro B is defined in C. =item * @@ -270,11 +270,11 @@ When the tracing API isn't operational, that will expand to: =head1 RETURN VALUES -OSSL_trace_enabled() returns 1 if tracing for the given B is +OSSL_trace_enabled() returns 1 if tracing for the given I is operational and enabled, otherwise 0. -OSSL_trace_begin() returns a C if the given B is enabled, -otherwise C. +OSSL_trace_begin() returns a B pointer if the given I is enabled, +otherwise NULL. =head1 HISTORY diff --git a/doc/man3/OSSL_trace_set_channel.pod b/doc/man3/OSSL_trace_set_channel.pod index 7ae19aedd3..8e88fb75e1 100644 --- a/doc/man3/OSSL_trace_set_channel.pod +++ b/doc/man3/OSSL_trace_set_channel.pod @@ -41,7 +41,7 @@ respectively. =head2 Functions OSSL_trace_set_channel() is used to enable the given trace C -by attaching the B C object as (simple) trace channel. +by attaching the B I object as (simple) trace channel.
[openssl] master update
The branch master has been updated via 2645c94bb56120a6b7b7c34d70a2900aeda1637c (commit) from ad2cc1a08e67207f566e80c6b1f342294364901f (commit) - Log - commit 2645c94bb56120a6b7b7c34d70a2900aeda1637c Author: Richard Levitte Date: Tue Jan 12 16:13:42 2021 +0100 Make the OSSL_PROVIDER manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13845) --- Summary of changes: doc/man3/OSSL_PROVIDER.pod | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/man3/OSSL_PROVIDER.pod b/doc/man3/OSSL_PROVIDER.pod index fa9d45b11d..2baccfffaf 100644 --- a/doc/man3/OSSL_PROVIDER.pod +++ b/doc/man3/OSSL_PROVIDER.pod @@ -61,8 +61,8 @@ L for further details. =head2 Functions -OSSL_PROVIDER_set_default_search_path() specifies the default search B -that is to be used for looking for providers in the specified B. +OSSL_PROVIDER_set_default_search_path() specifies the default search I +that is to be used for looking for providers in the specified I. If left unspecified, an environment variable and a fall back default value will be used instead. @@ -138,7 +138,7 @@ OSSL_PROVIDER_add(), OSSL_PROVIDER_unload(), OSSL_PROVIDER_get_params() and OSSL_PROVIDER_get_capabilities() return 1 on success, or 0 on error. OSSL_PROVIDER_load() and OSSL_PROVIDER_try_load() return a pointer to a -provider object on success, or B on error. +provider object on success, or NULL on error. OSSL_PROVIDER_available() returns 1 if the named provider is available, otherwise 0.
[openssl] master update
The branch master has been updated via ad2cc1a08e67207f566e80c6b1f342294364901f (commit) from ab2160895262abbb9501a859d86b8740bd850a40 (commit) - Log - commit ad2cc1a08e67207f566e80c6b1f342294364901f Author: Richard Levitte Date: Tue Jan 12 16:05:55 2021 +0100 Make the OSSL_HTTP manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13847) --- Summary of changes: doc/man3/OSSL_HTTP_transfer.pod | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/man3/OSSL_HTTP_transfer.pod b/doc/man3/OSSL_HTTP_transfer.pod index f78d96be1f..4839b975a6 100644 --- a/doc/man3/OSSL_HTTP_transfer.pod +++ b/doc/man3/OSSL_HTTP_transfer.pod @@ -198,15 +198,15 @@ where IPv6 addresses should be enclosed in square brackets C<[> and C<]>. The port component is optional and defaults to "443" for HTTPS, else "80". If the I argument is NULL the port specification can be in mnemonic form such as "http" like with L, else -it must be in numerical form and its integer value is assigned to B<*pport_num>. +it must be in numerical form and its integer value is assigned to I<*pport_num>. The path component is also optional and defaults to "/". On success the function assigns via each non-NULL result pointer argument I, I, I, I, and I the respective url component. -On error, B<*phost>, B<*pport>, and B<*ppath> are assigned to NULL, +On error, I<*phost>, I<*pport>, and I<*ppath> are assigned to NULL, else they are guaranteed to contain non-NULL string pointers. It is the reponsibility of the caller to free them using L. -A string returned via B<*ppath> is guaranteed to begin with a C character. +A string returned via I<*ppath> is guaranteed to begin with a C character. =head1 NOTES
[openssl] master update
The branch master has been updated via ab2160895262abbb9501a859d86b8740bd850a40 (commit) from b91f41daba982d19b04eee979a39cddeddd8033c (commit) - Log - commit ab2160895262abbb9501a859d86b8740bd850a40 Author: Richard Levitte Date: Tue Jan 12 16:14:43 2021 +0100 Make the OSSL_SELF_TEST manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13849) --- Summary of changes: doc/man3/OSSL_SELF_TEST_set_callback.pod | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/man3/OSSL_SELF_TEST_set_callback.pod b/doc/man3/OSSL_SELF_TEST_set_callback.pod index beea50ff33..21d07a4aa5 100644 --- a/doc/man3/OSSL_SELF_TEST_set_callback.pod +++ b/doc/man3/OSSL_SELF_TEST_set_callback.pod @@ -24,7 +24,8 @@ See L for further information on the callback. =head1 RETURN VALUES OSSL_SELF_TEST_get_callback() returns the callback and callback argument that -has been set via OSSL_SELF_TEST_set_callback() for the given library context B. +has been set via OSSL_SELF_TEST_set_callback() for the given library context +I. These returned parameters will be NULL if OSSL_SELF_TEST_set_callback() has not been called.
[openssl] master update
The branch master has been updated via b91f41daba982d19b04eee979a39cddeddd8033c (commit) from 8bc5b0a570c8a2c9886a3cae9dea2016d510578d (commit) - Log - commit b91f41daba982d19b04eee979a39cddeddd8033c Author: Richard Levitte Date: Tue Jan 12 16:10:15 2021 +0100 Make the OSSL_PARAM manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13848) --- Summary of changes: doc/man3/OSSL_PARAM_int.pod | 109 ++-- 1 file changed, 55 insertions(+), 54 deletions(-) diff --git a/doc/man3/OSSL_PARAM_int.pod b/doc/man3/OSSL_PARAM_int.pod index 3d124d7442..ebb5e8ecb8 100644 --- a/doc/man3/OSSL_PARAM_int.pod +++ b/doc/man3/OSSL_PARAM_int.pod @@ -107,7 +107,7 @@ OSSL_PARAM_UNMODIFIED, OSSL_PARAM_modified, OSSL_PARAM_set_all_unmodified =head1 DESCRIPTION A collection of utility functions that simplify and add type safety to the -OSSL_PARAM arrays. The following B names are supported: +OSSL_PARAM arrays. The following B> names are supported: =over 1 @@ -159,124 +159,125 @@ unsigned long int (ulong) OSSL_PARAM_TYPE() are a series of macros designed to assist initialising an array of OSSL_PARAM structures. -Each of these macros defines a parameter of the specified B with the -provided B and parameter variable B. +Each of these macros defines a parameter of the specified B> with the +provided I and parameter variable I. OSSL_PARAM_utf8_string(), OSSL_PARAM_octet_string(), OSSL_PARAM_utf8_ptr(), OSSL_PARAM_octet_ptr(), OSSL_PARAM_BN() are macros that provide support for defining UTF8 strings, OCTET strings and big numbers. -A parameter with name B is defined. -The storage for this parameter is at B and is of B bytes. +A parameter with name I is defined. +The storage for this parameter is at I and is of I bytes. OSSL_PARAM_END provides an end of parameter list marker. This should terminate all OSSL_PARAM arrays. OSSL_PARAM_construct_TYPE() are a series of functions that create OSSL_PARAM records dynamically. -A parameter with name B is created. -The parameter will use storage pointed to by B and return size of B. +A parameter with name I is created. +The parameter will use storage pointed to by I and return size of I. OSSL_PARAM_construct_BN() is a function that constructs a large integer OSSL_PARAM structure. -A parameter with name B, storage B, size B and return -size B is created. +A parameter with name I, storage I, size I and return +size I is created. OSSL_PARAM_construct_utf8_string() is a function that constructs a UTF8 string OSSL_PARAM structure. -A parameter with name B, storage B and size B is created. -If B is zero, the string length is determined using strlen(3) + 1 for the +A parameter with name I, storage I and size I is created. +If I is zero, the string length is determined using strlen(3) + 1 for the null termination byte. -Generally pass zero for B instead of calling strlen(3) yourself. +Generally pass zero for I instead of calling strlen(3) yourself. OSSL_PARAM_construct_octet_string() is a function that constructs an OCTET string OSSL_PARAM structure. -A parameter with name B, storage B and size B is created. +A parameter with name I, storage I and size I is created. OSSL_PARAM_construct_utf8_ptr() is a function that constructs a UTF string pointer OSSL_PARAM structure. -A parameter with name B, storage pointer B<*buf> and size B +A parameter with name I, storage pointer I<*buf> and size I is created. OSSL_PARAM_construct_octet_ptr() is a function that constructs an OCTET string pointer OSSL_PARAM structure. -A parameter with name B, storage pointer B<*buf> and size B +A parameter with name I, storage pointer I<*buf> and size I is created. OSSL_PARAM_construct_end() is a function that constructs the terminating OSSL_PARAM structure. -OSSL_PARAM_locate() is a function that searches an B of parameters for -the one matching the B name. +OSSL_PARAM_locate() is a function that searches an I of parameters for +the one matching the I name. OSSL_PARAM_locate_const() behaves exactly like OSSL_PARAM_locate() except for -the presence of I for the B argument and its return value. +the presence of I for the I argument and its return value. -OSSL_PARAM_get_TYPE() retrieves a value of type B from the parameter B. -The value is copied
Build completed: openssl master.39150
Build openssl master.39150 completed Commit bda4fe1916 by Rich Salz on 1/8/2021 8:08 PM: Address comment from Kurt Configure your notification preferences
Build failed: openssl master.39149
Build openssl master.39149 failed Commit 75fe409db5 by Hubert Kario on 1/12/2021 1:58 PM: rsa: add test vectors for the implicit rejection in RSA PKCS#1 v1.5 Configure your notification preferences
Build failed: openssl master.39142
Build openssl master.39142 failed Commit 651cf26543 by Dr. David von Oheimb on 1/13/2021 12:30 PM: fixup! internal_verify(): (Re-)check that the chain root is trusted Configure your notification preferences
[openssl] master update
The branch master has been updated via 8bc5b0a570c8a2c9886a3cae9dea2016d510578d (commit) from 2ed63033e46953d0d95ff100c1334da7cc32c49b (commit) - Log - commit 8bc5b0a570c8a2c9886a3cae9dea2016d510578d Author: Tomas Mraz Date: Tue Jan 12 16:53:33 2021 +0100 chacha20: Properly reinitialize the cipher context with NULL key Same for chacha20-poly1305. The test_cipher_reinit and test_cipher_reinit_partialupdate is modified to test this case of cipher context reinitialization. Fixes #13064 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/13850) --- Summary of changes: .../implementations/ciphers/cipher_chacha20_hw.c | 1 + .../ciphers/cipher_chacha20_poly1305_hw.c | 6 test/evp_libctx_test.c | 36 -- 3 files changed, 33 insertions(+), 10 deletions(-) diff --git a/providers/implementations/ciphers/cipher_chacha20_hw.c b/providers/implementations/ciphers/cipher_chacha20_hw.c index 06cb6b12d3..4ce4af0906 100644 --- a/providers/implementations/ciphers/cipher_chacha20_hw.c +++ b/providers/implementations/ciphers/cipher_chacha20_hw.c @@ -34,6 +34,7 @@ static int chacha20_initiv(PROV_CIPHER_CTX *bctx) for (i = 0; i < CHACHA_CTR_SIZE; i += 4) ctx->counter[i / 4] = CHACHA_U8TOU32(bctx->oiv + i); } +ctx->partial_len = 0; return 1; } diff --git a/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c b/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c index 65f0fe1ee8..55a57de726 100644 --- a/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c +++ b/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c @@ -79,6 +79,12 @@ static int chacha20_poly1305_initiv(PROV_CIPHER_CTX *bctx) unsigned char tempiv[CHACHA_CTR_SIZE] = { 0 }; int ret = 1; +ctx->len.aad = 0; +ctx->len.text = 0; +ctx->aad = 0; +ctx->mac_inited = 0; +ctx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH; + /* pad on the left */ if (ctx->nonce_len <= CHACHA_CTR_SIZE) { memcpy(tempiv + CHACHA_CTR_SIZE - ctx->nonce_len, bctx->oiv, diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c index c306bd9a16..66d2d4cddb 100644 --- a/test/evp_libctx_test.c +++ b/test/evp_libctx_test.c @@ -295,11 +295,13 @@ err: static int test_cipher_reinit(int test_id) { -int ret = 0, out1_len = 0, out2_len = 0, diff, ccm; +int ret = 0, diff, ccm, siv; +int out1_len = 0, out2_len = 0, out3_len = 0; EVP_CIPHER *cipher = NULL; EVP_CIPHER_CTX *ctx = NULL; unsigned char out1[256]; unsigned char out2[256]; +unsigned char out3[256]; unsigned char in[16] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10 @@ -330,6 +332,9 @@ static int test_cipher_reinit(int test_id) /* ccm fails on the second update - this matches OpenSSL 1_1_1 behaviour */ ccm = (EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE); +/* siv cannot be called with NULL key as the iv is irrelevant */ +siv = (EVP_CIPHER_mode(cipher) == EVP_CIPH_SIV_MODE); + /* DES3-WRAP uses random every update - so it will give a different value */ diff = EVP_CIPHER_is_a(cipher, "DES3-WRAP"); @@ -337,15 +342,21 @@ static int test_cipher_reinit(int test_id) || !TEST_true(EVP_EncryptUpdate(ctx, out1, _len, in, sizeof(in))) || !TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv)) || !TEST_int_eq(EVP_EncryptUpdate(ctx, out2, _len, in, sizeof(in)), -ccm ? 0 : 1)) +ccm ? 0 : 1) +|| !TEST_true(EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv)) +|| !TEST_int_eq(EVP_EncryptUpdate(ctx, out3, _len, in, sizeof(in)), +ccm || siv ? 0 : 1)) goto err; if (ccm == 0) { if (diff) { -if (!TEST_mem_ne(out1, out1_len, out2, out2_len)) +if (!TEST_mem_ne(out1, out1_len, out2, out2_len) +|| !TEST_mem_ne(out1, out1_len, out3, out3_len) +|| !TEST_mem_ne(out2, out2_len, out3, out3_len)) goto err; } else { -if (!TEST_mem_eq(out1, out1_len, out2, out2_len)) +if (!TEST_mem_eq(out1, out1_len, out2, out2_len) +|| (!siv && !TEST_mem_eq(out1, out1_len, out3, out3_len))) goto err; } } @@ -364,11 +375,13 @@ err: */ static int test_cipher_reinit_partialupdate(int test_id) { -int ret = 0, out1_len = 0, out2_len = 0, in_len; +int ret = 0, in_len; +int out1_len = 0, out2_len = 0, out3_len = 0; EVP_CIPHER *cipher = NULL; EVP_CIPHER_CTX *ctx = NULL; unsigned char out1[256]; unsigned char
Build completed: openssl master.39133
Build openssl master.39133 completed Commit a755dcaed3 by Matt Caswell on 1/13/2021 9:02 AM: fixup! Fix a failure where fetches can return NULL in multi-threaded code Configure your notification preferences
Build failed: openssl master.39132
Build openssl master.39132 failed Commit 9c67c39314 by Dr. David von Oheimb on 1/4/2021 3:39 PM: x509_vfy.c: Make chain building succeed as soon as hitting a trust anchor Configure your notification preferences
[openssl] master update
The branch master has been updated via 2ed63033e46953d0d95ff100c1334da7cc32c49b (commit) via 04a1b3fa7b6090aaca88d2d884de847822e89bef (commit) via 0ae8d4ca9e2db5fd93683dbc42d28c2eba18045d (commit) via 73b1d24c1abfdf0c890b4461c3d07b8bff45844c (commit) via b65c5ec8f5f8c9fa082c44bf805beed03d0fee0c (commit) via 41e597a01d95540f52e8bc4d69f88c3d93a093ce (commit) via ea9fd333d19096d654cb252a2f6785ca03bfcbc1 (commit) via 7836f949c2550a00fe2720e96cfaffd824d357d1 (commit) via 855c68163b182960f2b27bb961a323944d96237e (commit) via f0a057dd5343ca81849dd140ee9c302cda914f41 (commit) via 6ad957f1273e9918c22b27d0f1b1812360964a4e (commit) via 157959438308e586593592cc751195fbf3930a7d (commit) via ec2bfb7d23b4790a5fbe3b5d73a3418966d7e8ad (commit) from f2a0458731f15fd4d45f5574a221177f4591b1d8 (commit) - Log - commit 2ed63033e46953d0d95ff100c1334da7cc32c49b Author: Dr. David von Oheimb Date: Mon Jan 11 07:52:45 2021 +0100 x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 04a1b3fa7b6090aaca88d2d884de847822e89bef Author: Dr. David von Oheimb Date: Wed Jan 6 12:16:44 2021 +0100 apps/req.c: Make sure -verify option takes effect also with -x509 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 0ae8d4ca9e2db5fd93683dbc42d28c2eba18045d Author: Dr. David von Oheimb Date: Wed Jan 6 12:12:25 2021 +0100 apps/req.c: Cosmetic improvements of code and documentation Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 73b1d24c1abfdf0c890b4461c3d07b8bff45844c Author: Dr. David von Oheimb Date: Fri Dec 25 12:10:44 2020 +0100 crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit b65c5ec8f5f8c9fa082c44bf805beed03d0fee0c Author: Dr. David von Oheimb Date: Thu Dec 24 12:43:39 2020 +0100 apps/req.c: Add -copy_extensions option for use with -x509; default: none Fixes #13708 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 41e597a01d95540f52e8bc4d69f88c3d93a093ce Author: Dr. David von Oheimb Date: Thu Dec 24 11:25:47 2020 +0100 Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert Also clean up some related auxiliary functions and documentation Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit ea9fd333d19096d654cb252a2f6785ca03bfcbc1 Author: Dr. David von Oheimb Date: Thu Dec 24 07:42:08 2020 +0100 apps/req.c: make -subj work with -x509; clean up related code Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 7836f949c2550a00fe2720e96cfaffd824d357d1 Author: Dr. David von Oheimb Date: Mon Dec 21 15:52:01 2020 +0100 X509_PUBKEY_set(): Fix error reporting Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 855c68163b182960f2b27bb961a323944d96237e Author: Dr. David von Oheimb Date: Mon Dec 21 13:50:09 2020 +0100 apps/lib/opt.c: Fix error message on unknown option/digest Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit f0a057dd5343ca81849dd140ee9c302cda914f41 Author: Dr. David von Oheimb Date: Sat Dec 19 19:49:25 2020 +0100 Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 6ad957f1273e9918c22b27d0f1b1812360964a4e Author: Dr. David von Oheimb Date: Sat Dec 19 19:46:14 2020 +0100 apps/req.c: add -CA and -CAkey options; improve code and doc Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 157959438308e586593592cc751195fbf3930a7d Author: Dr. David von Oheimb Date: Thu Dec 10 21:02:47 2020 +0100 APPS: Allow OPENSSL_CONF to be empty, not loading a config file Also document the function CONF_get1_default_config_file() Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit ec2bfb7d23b4790a5fbe3b5d73a3418966d7e8ad Author: Dr. David von Oheimb Date: Thu Dec 10 15:23:41 2020 +0100 apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default Fixes #13603 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) --- Summary of changes:
[openssl] master update
The branch master has been updated via f2a0458731f15fd4d45f5574a221177f4591b1d8 (commit) via 3339606a38cc9023c807428b429e01cfa1fde4d9 (commit) from 48116c2d0fbb1db875e2bc703c08089bf3c5c5c3 (commit) - Log - commit f2a0458731f15fd4d45f5574a221177f4591b1d8 Author: Dr. David von Oheimb Date: Wed Dec 30 09:49:20 2020 +0100 X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert This is the upstream fix for #13698 reported for v1.1.1 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13755) commit 3339606a38cc9023c807428b429e01cfa1fde4d9 Author: Dr. David von Oheimb Date: Wed Dec 30 09:46:38 2020 +0100 d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX() Partly fixes #13754 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13755) --- Summary of changes: crypto/x509/v3_purp.c | 16 crypto/x509/x509_cmp.c| 24 crypto/x509/x509_lu.c | 2 +- crypto/x509/x_all.c | 4 ++-- crypto/x509/x_crl.c | 4 ++-- crypto/x509/x_x509.c | 6 +- doc/internal/man3/x509v3_cache_extensions.pod | 3 ++- doc/man3/X509_cmp.pod | 3 ++- doc/man3/X509_get_extension_flags.pod | 9 +++-- include/openssl/x509v3.h.in | 1 + test/certs/invalid-cert.pem | 19 +++ test/recipes/80-test_x509aux.t| 13 - test/x509aux.c| 17 +++-- 13 files changed, 84 insertions(+), 37 deletions(-) create mode 100644 test/certs/invalid-cert.pem diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c index a3673e63fa..d9ce52faa4 100644 --- a/crypto/x509/v3_purp.c +++ b/crypto/x509/v3_purp.c @@ -387,6 +387,7 @@ static int check_sig_alg_match(const EVP_PKEY *pkey, const X509 *subject) /* * Cache info on various X.509v3 extensions and further derived information, * e.g., if cert 'x' is self-issued, in x->ex_flags and other internal fields. + * x->sha1_hash is filled in, or else EXFLAG_NO_FINGERPRINT is set in x->flags. * X509_SIG_INFO_VALID is set in x->flags if x->siginf was filled successfully. * Set EXFLAG_INVALID and return 0 in case the certificate is invalid. */ @@ -411,15 +412,12 @@ int x509v3_cache_extensions(X509 *x) CRYPTO_THREAD_unlock(x->lock); return (x->ex_flags & EXFLAG_INVALID) == 0; } -ERR_set_mark(); /* Cache the SHA1 digest of the cert */ if (!X509_digest(x, EVP_sha1(), x->sha1_hash, NULL)) -/* - * Note that the cert is marked invalid also on internal malloc failure - * or on failure of EVP_MD_fetch(), potentially called by X509_digest(). - */ -x->ex_flags |= EXFLAG_INVALID; +x->ex_flags |= EXFLAG_NO_FINGERPRINT; + +ERR_set_mark(); /* V1 should mean no extensions ... */ if (X509_get_version(x) == 0) @@ -625,11 +623,13 @@ int x509v3_cache_extensions(X509 *x) */ #endif ERR_pop_to_mark(); -if ((x->ex_flags & EXFLAG_INVALID) == 0) { +if ((x->ex_flags & (EXFLAG_INVALID | EXFLAG_NO_FINGERPRINT)) == 0) { CRYPTO_THREAD_unlock(x->lock); return 1; } -ERR_raise(ERR_LIB_X509, X509V3_R_INVALID_CERTIFICATE); +if ((x->ex_flags & EXFLAG_INVALID) != 0) +ERR_raise(ERR_LIB_X509, X509V3_R_INVALID_CERTIFICATE); +/* If computing sha1_hash failed the error queue already reflects this. */ err: x->ex_flags |= EXFLAG_SET; /* indicate that cert has been processed */ diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index 1231fb4be1..d18d1e2b67 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -81,7 +81,13 @@ int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b) int X509_CRL_match(const X509_CRL *a, const X509_CRL *b) { -int rv = memcmp(a->sha1_hash, b->sha1_hash, 20); +int rv; + +if ((a->flags & EXFLAG_NO_FINGERPRINT) == 0 +&& (b->flags & EXFLAG_NO_FINGERPRINT) == 0) +rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH); +else +return -2; return rv < 0 ? -1 : rv > 0; } @@ -140,19 +146,21 @@ unsigned long X509_subject_name_hash_old(X509 *x) */ int X509_cmp(const X509 *a, const X509 *b) { -int rv; +int rv = 0; if (a == b) /* for efficiency */ return 0; -/* ensure hash is valid */ -if (X509_check_purpose((X509 *)a, -1, 0) != 1) -return -2; -if (X509_check_purpose((X509 *)b, -1, 0) != 1) -return -2; -rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH); +
[tools] master update
The branch master has been updated via bd6c6f78c080744a0092f04c04b7a38121ddcff3 (commit) from 51ba5bc2c18780f94136c71800afc3cf8fd32d40 (commit) - Log - commit bd6c6f78c080744a0092f04c04b7a38121ddcff3 Author: Tomas Mraz Date: Thu Jan 7 10:01:04 2021 +0100 addrev: Silence the git filter-branch warning message Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/tools/pull/81) --- Summary of changes: review-tools/addrev | 1 + 1 file changed, 1 insertion(+) diff --git a/review-tools/addrev b/review-tools/addrev index aa5215a..8f28b02 100755 --- a/review-tools/addrev +++ b/review-tools/addrev @@ -82,6 +82,7 @@ if ($useself) { } my $err = "/tmp/addrev$$"; +$ENV{FILTER_BRANCH_SQUELCH_WARNING} = 1; system("git filter-branch -f --tag-name-filter cat --msg-filter \"gitaddrev $args\" $filterargs || (echo addrev failed; exit 1)"); die if $?;
[openssl] master update
The branch master has been updated via 48116c2d0fbb1db875e2bc703c08089bf3c5c5c3 (commit) from 1df33351a732dac3c700b2de05d34f708e33 (commit) - Log - commit 48116c2d0fbb1db875e2bc703c08089bf3c5c5c3 Author: Agustin Gianni Date: Fri Jan 8 16:04:05 2021 +0100 Fix incorrect use of BN_CTX API In some edge cases BN_CTX_end was being called without first calling BN_CTX_start. This creates a situation where the state of the big number allocator is corrupted and may lead to crashes. Fixes #13812 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13813) --- Summary of changes: crypto/bn/bn_prime.c | 6 -- crypto/bn/bn_sqrt.c | 5 - crypto/bn/bn_x931p.c | 2 +- crypto/ec/ec_mult.c | 5 - 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c index a344d7df02..810f3c7b3d 100644 --- a/crypto/bn/bn_prime.c +++ b/crypto/bn/bn_prime.c @@ -145,8 +145,10 @@ int BN_generate_prime_ex2(BIGNUM *ret, int bits, int safe, } mods = OPENSSL_zalloc(sizeof(*mods) * NUMPRIMES); -if (mods == NULL) -goto err; +if (mods == NULL) { +ERR_raise(ERR_LIB_BN, ERR_R_MALLOC_FAILURE); +return 0; +} BN_CTX_start(ctx); t = BN_CTX_get(ctx); diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c index e323a7f7ab..e0b21ab575 100644 --- a/crypto/bn/bn_sqrt.c +++ b/crypto/bn/bn_sqrt.c @@ -22,6 +22,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) int r; BIGNUM *A, *b, *q, *t, *x, *y; int e, i, j; +int used_ctx = 0; if (!BN_is_odd(p) || BN_abs_is_word(p, 1)) { if (BN_abs_is_word(p, 2)) { @@ -57,6 +58,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) } BN_CTX_start(ctx); +used_ctx = 1; A = BN_CTX_get(ctx); b = BN_CTX_get(ctx); q = BN_CTX_get(ctx); @@ -353,7 +355,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) BN_clear_free(ret); ret = NULL; } -BN_CTX_end(ctx); +if (used_ctx) +BN_CTX_end(ctx); bn_check_top(ret); return ret; } diff --git a/crypto/bn/bn_x931p.c b/crypto/bn/bn_x931p.c index 1e4d4991b2..bca7c9788e 100644 --- a/crypto/bn/bn_x931p.c +++ b/crypto/bn/bn_x931p.c @@ -174,7 +174,7 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx) * exceeded. */ if (!BN_priv_rand_ex(Xp, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY, ctx)) -goto err; +return 0; BN_CTX_start(ctx); t = BN_CTX_get(ctx); diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index 87b9eab604..98bcab2321 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -835,6 +835,7 @@ int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx) EC_POINT **points = NULL; EC_PRE_COMP *pre_comp; int ret = 0; +int used_ctx = 0; #ifndef FIPS_MODULE BN_CTX *new_ctx = NULL; #endif @@ -858,6 +859,7 @@ int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx) goto err; BN_CTX_start(ctx); +used_ctx = 1; order = EC_GROUP_get0_order(group); if (order == NULL) @@ -967,7 +969,8 @@ int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx) ret = 1; err: -BN_CTX_end(ctx); +if (used_ctx) +BN_CTX_end(ctx); #ifndef FIPS_MODULE BN_CTX_free(new_ctx); #endif
[openssl] master update
The branch master has been updated via 1df33351a732dac3c700b2de05d34f708e33 (commit) from 4dd009180a06ad973620c5beec28f2a6839c16ca (commit) - Log - commit 1df33351a732dac3c700b2de05d34f708e33 Author: Matt Caswell Date: Thu Jan 7 17:40:09 2021 + Fix enable-weak-ssl-ciphers Commit e260bee broke the enable-weak-ssl-ciphers option. The stitched rc4-hmac-md5 cipher implementation did not recognise the tls_version parameter, and therefore was being incorrectly handled. Fixes #13795 Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13803) --- Summary of changes: providers/implementations/ciphers/cipher_rc4_hmac_md5.c | 8 1 file changed, 8 insertions(+) diff --git a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c index 69d47b03fe..ee0cff9b86 100644 --- a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c +++ b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c @@ -169,6 +169,14 @@ static int rc4_hmac_md5_set_ctx_params(void *vctx, const OSSL_PARAM params[]) } GET_HW(ctx)->init_mackey(>base, p->data, p->data_size); } +p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_TLS_VERSION); +if (p != NULL) { +if (!OSSL_PARAM_get_uint(p, >base.tlsversion)) { +ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); +return 0; +} +} + return 1; }
[openssl] master update
The branch master has been updated via 4dd009180a06ad973620c5beec28f2a6839c16ca (commit) via 0cbb3602f542bb670d8f2f8d8d51ef8174af4994 (commit) via 0b7368dda011611855c66543f0b9c66b5bd646d1 (commit) via bf973d0697e61a44dc46d08b0421a08a8cb61887 (commit) from 5a2d0ef36f4c130758a9d5e84f93004458e3ce60 (commit) - Log - commit 4dd009180a06ad973620c5beec28f2a6839c16ca Author: Dr. David von Oheimb Date: Mon Dec 28 11:25:59 2020 +0100 x509_vfy.c: Fix a regression in find_issuer() ...in case the candidate issuer cert is identical to the target cert. This is the v3.0.0 variant of #13749 fixing #13739 for v1.1.1. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13762) commit 0cbb3602f542bb670d8f2f8d8d51ef8174af4994 Author: Dr. David von Oheimb Date: Tue Dec 29 12:37:05 2020 +0100 Make PEM_X509_INFO_read_bio_ex() conservative on the error queue Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13762) commit 0b7368dda011611855c66543f0b9c66b5bd646d1 Author: Dr. David von Oheimb Date: Mon Dec 28 19:45:01 2020 +0100 TEST: move cert, key, and CSR loading aux functions to new testutil/load.c Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13762) commit bf973d0697e61a44dc46d08b0421a08a8cb61887 Author: Dr. David von Oheimb Date: Mon Dec 28 11:27:31 2020 +0100 Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 Deprecate X509_NAME_hash() Document X509_NAME_hash_ex(), X509_NAME_hash(), X509_{subject,issuer}_name_hash() Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13762) --- Summary of changes: apps/crl.c | 17 +++- apps/rehash.c| 19 +++- crypto/pem/pem_info.c| 13 ++- crypto/x509/by_dir.c | 5 +- crypto/x509/x509_cmp.c | 27 +++--- crypto/x509/x509_vfy.c | 19 ++-- doc/man3/X509_LOOKUP_hash_dir.pod| 4 +- doc/man3/X509_get_subject_name.pod | 58 +--- engines/e_loader_attic.c | 3 +- include/openssl/x509.h.in| 6 +- providers/implementations/storemgmt/file_store.c | 7 +- ssl/ssl_cert.c | 3 +- test/build.info | 2 +- test/cmp_client_test.c | 10 +- test/cmp_msg_test.c | 10 +- test/cmp_protect_test.c | 14 +-- test/cmp_vfy_test.c | 16 ++-- test/helpers/cmp_testlib.c | 42 - test/helpers/cmp_testlib.h | 3 - test/helpers/pkcs12.c| 16 ++-- test/http_test.c | 16 +--- test/testutil.h | 7 ++ test/testutil/load.c | 97 +++ test/verify_extra_test.c | 113 ++- util/find-doc-nits | 2 +- util/libcrypto.num | 2 +- util/missingcrypto.txt | 1 - util/other.syms | 1 + 28 files changed, 296 insertions(+), 237 deletions(-) create mode 100644 test/testutil/load.c diff --git a/apps/crl.c b/apps/crl.c index 0daded01e3..58d63e71d5 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -287,22 +287,33 @@ int crl_main(int argc, char **argv) } if (crlnumber == i) { ASN1_INTEGER *crlnum; + crlnum = X509_CRL_get_ext_d2i(x, NID_crl_number, NULL, NULL); BIO_printf(bio_out, "crlNumber="); if (crlnum) { BIO_puts(bio_out, "0x"); i2a_ASN1_INTEGER(bio_out, crlnum); ASN1_INTEGER_free(crlnum); -} else +} else { BIO_puts(bio_out, ""); +} BIO_printf(bio_out, "\n"); } if (hash == i) { -BIO_printf(bio_out, "%08lx\n", - X509_NAME_hash(X509_CRL_get_issuer(x))); +int ok; +unsigned long hash_value = +X509_NAME_hash_ex(X509_CRL_get_issuer(x), app_get0_libctx(), + app_get0_propq(), ); + +BIO_printf(bio_out, "issuer name hash="); +if (ok) +BIO_printf(bio_out, "%08lx\n",