Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method
Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: a2a5506b93 rsa_kmgmt: Return OSSL_PKEY_PARAM_DEFAULT_DIGEST for unrestricted PSS keys e947a0642d EVP: fix keygen for EVP_PKEY_RSA_PSS d744934b75 Remove superfluous EVP_KDF_CTRL_ defines. 270a5ce1d9 Fix parameter types in sshkdf 732a4d15b0 Fix cipher reinit on s390x if no key is specified 199df4a93f check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS 03f5c8930c Fix rsa_pss_asn1_meth to refert to rsa_sig_info_set 26a44ad04b obj_xref: rsassaPss must map to 'undef rsassaPss' (not 'undef rsaEncryption') 302e63cbe5 Prepare for 3.0 alpha 12 31a89254d8 Prepare for release of 3.0 alpha 11 4333b89f50 Update copyright year 92bc61e467 Update NEWS.md before alpha11 release 5ac632eed7 APPS: Restore inclusions Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 8021E565D47F:error:0A76:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3309: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8021E565D47F:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6567 # false not ok 2 - iteration 2 # -- not ok 54 - test_ssl_pending # -- ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/zy0avbUIu4 default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # -- # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80B1C6B81E7F:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest 
algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80B1C6B81E7F:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:937 # false not ok 3 - test_large_message_dtls # -- # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80B1C6B81E7F:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80B1C6B81E7F:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. 
Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1418 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1496 # false not ok 4 - test_cleanse_plaintext # -- # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80B1C6B81E7F:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80B1C6B81E7F:error:0A000129:SSL
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2
Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: a2a5506b93 rsa_kmgmt: Return OSSL_PKEY_PARAM_DEFAULT_DIGEST for unrestricted PSS keys e947a0642d EVP: fix keygen for EVP_PKEY_RSA_PSS d744934b75 Remove superfluous EVP_KDF_CTRL_ defines. 270a5ce1d9 Fix parameter types in sshkdf 732a4d15b0 Fix cipher reinit on s390x if no key is specified 199df4a93f check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS 03f5c8930c Fix rsa_pss_asn1_meth to refert to rsa_sig_info_set 26a44ad04b obj_xref: rsassaPss must map to 'undef rsassaPss' (not 'undef rsaEncryption') 302e63cbe5 Prepare for 3.0 alpha 12 31a89254d8 Prepare for release of 3.0 alpha 11 4333b89f50 Update copyright year 92bc61e467 Update NEWS.md before alpha11 release 5ac632eed7 APPS: Restore inclusions Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 80811CD2567F:error:0A76:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3309: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80811CD2567F:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6567 # false not ok 2 - iteration 2 # -- not ok 54 - test_ssl_pending # -- ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/Lx8Yw_1ht6 default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # -- # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 802177FB137F:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest 
algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 802177FB137F:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:937 # false not ok 3 - test_large_message_dtls # -- # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 802177FB137F:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 802177FB137F:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. 
Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1418 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1496 # false not ok 4 - test_cleanse_plaintext # -- # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 802177FB137F:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 802177FB137F:error:0A000129:SSL routines:tls_setup_handshake:no
Build failed: openssl master.39542
Build openssl master.39542 failed Commit c659ae3a8e by Richard Levitte on 2/2/2021 3:20 PM: Merge branch 'test-algorithmid-reencoding' into fix-MDWithRSAEncryption Configure your notification preferences
Build failed: openssl master.39541
Build openssl master.39541 failed Commit 1d34bfba8a by Richard Levitte on 2/2/2021 3:19 PM: fixup! TEST: Add an algorithm ID tester for libcrypto vs provider Configure your notification preferences
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 2d8109f5f8205ac247630f397582727b9682be38 (commit) from c2fc1115eac53d2043e09bfa43ac5407f87fe417 (commit) - Log - commit 2d8109f5f8205ac247630f397582727b9682be38 Author: Dr. Matthias St. Pierre Date: Sun Jan 31 22:08:33 2021 +0100 Add some missing committers to the AUTHORS list Fixes #13815 Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14029) (cherry picked from commit af403db090ee66715e81f0062d1ef614e8d921b5) --- Summary of changes: AUTHORS | 7 +++ 1 file changed, 7 insertions(+) diff --git a/AUTHORS b/AUTHORS index ac93b2e7b9..dac46f8b7e 100644 --- a/AUTHORS +++ b/AUTHORS @@ -13,6 +13,8 @@ Ben Kaduk Bernd Edlinger Bodo Möller David Benjamin +David von Oheimb +Dmitry Belyavskiy (Дмитрий Белявский) Emilia Käsper Eric Young Geoff Thorpe @@ -22,14 +24,19 @@ Lutz Jänicke Mark J. Cox Matt Caswell Matthias St. Pierre +Nicola Tuveri Nils Larsch +Patrick Steuer Paul Dale Paul C. Sutton +Paul Yang Ralf S. Engelschall Rich Salz Richard Levitte +Shane Lontis Stephen Henson Steve Marquess Tim Hudson +Tomáš Mráz Ulf Möller Viktor Dukhovni
[openssl] master update
The branch master has been updated via 6a1a6498ac4ecfb95331e30fc52d6e25cafbba43 (commit) from af403db090ee66715e81f0062d1ef614e8d921b5 (commit) - Log - commit 6a1a6498ac4ecfb95331e30fc52d6e25cafbba43 Author: Tomas Mraz Date: Mon Jan 25 19:12:43 2021 +0100 dh_cms_set_peerkey: Pad the public key to p size Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13958) --- Summary of changes: crypto/cms/cms_dh.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/crypto/cms/cms_dh.c b/crypto/cms/cms_dh.c index 52bce12c73..e55b4a062f 100644 --- a/crypto/cms/cms_dh.c +++ b/crypto/cms/cms_dh.c @@ -48,7 +48,11 @@ static int dh_cms_set_peerkey(EVP_PKEY_CTX *pctx, if ((public_key = d2i_ASN1_INTEGER(NULL, , plen)) == NULL) goto err; -plen = ASN1_STRING_length((ASN1_STRING *)public_key); +/* + * Pad to full p parameter size as that is checked by + * EVP_PKEY_set1_encoded_public_key() + */ +plen = EVP_PKEY_size(pk); if ((bnpub = ASN1_INTEGER_to_BN(public_key, NULL)) == NULL) goto err; if ((buf = OPENSSL_malloc(plen)) == NULL)
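Review bot: `plen = EVP_PKEY_size(pk);` is not checked before it becomes the allocation size in `OPENSSL_malloc(plen)` on the hunk's last line, so a key whose size is unavailable is caught only indirectly, by the allocation failing. An explicit guard would make that error path visible: `if ((plen = EVP_PKEY_size(pk)) <= 0) goto err;`. The peer public value comes from the CMS message being processed, so the step that writes `bnpub` into `buf` needs to be a padded, length-checked conversion that fails when the integer is wider than `plen`. That step lies after the hunk and cannot be confirmed from the lines shown. The body of `dh_cms_set_peerkey` starts and ends outside the hunk.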
[openssl] master update
The branch master has been updated via af403db090ee66715e81f0062d1ef614e8d921b5 (commit) from f94a91698b82a1986b553a1f46e4cd51219d0223 (commit) - Log - commit af403db090ee66715e81f0062d1ef614e8d921b5 Author: Dr. Matthias St. Pierre Date: Sun Jan 31 22:08:33 2021 +0100 Add some missing committers to the AUTHORS list Fixes #13815 Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14029) --- Summary of changes: AUTHORS.md | 7 +++ 1 file changed, 7 insertions(+) diff --git a/AUTHORS.md b/AUTHORS.md index af72f43b08..dc6b534b82 100644 --- a/AUTHORS.md +++ b/AUTHORS.md @@ -22,6 +22,8 @@ Individuals * Bernd Edlinger * Bodo Möller * David Benjamin + * David von Oheimb + * Dmitry Belyavskiy (Дмитрий Белявский) * Emilia Käsper * Eric Young * Geoff Thorpe @@ -31,14 +33,19 @@ Individuals * Mark J. Cox * Matt Caswell * Matthias St. Pierre + * Nicola Tuveri * Nils Larsch + * Patrick Steuer * Paul Dale * Paul C. Sutton + * Paul Yang * Ralf S. Engelschall * Rich Salz * Richard Levitte + * Shane Lontis * Stephen Henson * Steve Marquess * Tim Hudson + * Tomáš Mráz * Ulf Möller * Viktor Dukhovni
[openssl] master update
The branch master has been updated via f94a91698b82a1986b553a1f46e4cd51219d0223 (commit) via 0b07db6f56e0240de6cc2ea122eee6431459ef20 (commit) via 40994605140b9fcbe98a786dc75bdc1b9e9fee3f (commit) via 04b9435a991585d0f9a775a203cc3986d4872a6e (commit) via b233ea82765e80038e4884564153f9c8543d9396 (commit) via cd4e6a351201270cd2769e1e2af7e9fb875a3f80 (commit) via a0134d293e907672e2717fe54ce6a4b3ae425388 (commit) from 7ff9fdd4b31757f70080bd3fa2e633ca080408a4 (commit) - Log - commit f94a91698b82a1986b553a1f46e4cd51219d0223 Author: Matt Caswell Date: Wed Jan 27 17:23:13 2021 + Add a CI job to run the threads test with threads sanitizer on Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13987) commit 0b07db6f56e0240de6cc2ea122eee6431459ef20 Author: Matt Caswell Date: Wed Jan 27 17:18:27 2021 + Ensure the EVP_PKEY operation_cache is appropriately locked The EVP_PKEY operation_cache caches references to provider side key objects that have previously been exported for this EVP_PKEY, and their associated key managers. The cache may be updated from time to time as the EVP_PKEY is exported to more providers. Since an EVP_PKEY may be shared by multiple threads simultaneously we must be careful to ensure the cache updates are locked. Fixes #13818 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13987) commit 40994605140b9fcbe98a786dc75bdc1b9e9fee3f Author: Matt Caswell Date: Wed Jan 27 15:51:48 2021 + Ensure access to FIPS_state and rate_limit is appropriately locked These variables can be accessed concurrently from multiple threads so we ensure that we properly lock them before read or write. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13987) commit 04b9435a991585d0f9a775a203cc3986d4872a6e Author: Matt Caswell Date: Tue Jan 26 17:00:25 2021 + Always ensure we hold ctx->lock when calling CRYPTO_get_ex_data() Otherwise we can get data races. 
Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13987) commit b233ea82765e80038e4884564153f9c8543d9396 Author: Matt Caswell Date: Tue Jan 26 15:23:19 2021 + Avoid races by caching exported ciphers in the init function TSAN was reporting a race of the exported ciphers cache that we create in the default and fips providers. This was because we cached it in the query function rather than the init function, so this would cause a race if multiple threads queried at the same time. In practice it probably wouldn't make much difference since different threads should come up with the same answer. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13987) commit cd4e6a351201270cd2769e1e2af7e9fb875a3f80 Author: Matt Caswell Date: Tue Jan 26 15:14:02 2021 + Refactor RAND_get0_primary() locking Make sure we never read or write to dgbl->primary outside of a lock. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13987) commit a0134d293e907672e2717fe54ce6a4b3ae425388 Author: Matt Caswell Date: Tue Jan 26 13:30:06 2021 + Add a multi-thread test for shared EVP_PKEYs EVP_PKEYs may be shared across multiple threads. For example this is common for users of libssl who provide a single EVP_PKEY private key for an SSL_CTX, which is then shared between multiple threads for each SSL object. 
Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13987) --- Summary of changes: .github/workflows/ci.yml | 11 +++ crypto/context.c | 22 -- crypto/evp/keymgmt_lib.c | 39 +- crypto/evp/p_lib.c | 22 +- crypto/ex_data.c | 13 +++- crypto/rand/rand_lib.c | 64 ++--- .../man3/evp_keymgmt_util_export_to_provider.pod | 16 +++-- include/crypto/cryptlib.h | 3 + include/crypto/evp.h | 2 +- providers/defltprov.c | 2 +- providers/fips/fipsprov.c | 4 +- providers/fips/self_test.c | 46 test/recipes/90-test_threads.t | 6 +- .../90-test_threads_data/rsakey.pem} | 0 test/threadstest.c | 82 +- 15 files changed, 267 insertions(+), 65 deletions(-) copy test/{certs/serverkey.pem =>
SUCCESSFUL build of OpenSSL branch master with options -d --strict-warnings no-sock
Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-sock Commit log since last time: a2a5506b93 rsa_kmgmt: Return OSSL_PKEY_PARAM_DEFAULT_DIGEST for unrestricted PSS keys e947a0642d EVP: fix keygen for EVP_PKEY_RSA_PSS d744934b75 Remove superfluous EVP_KDF_CTRL_ defines. 270a5ce1d9 Fix parameter types in sshkdf 732a4d15b0 Fix cipher reinit on s390x if no key is specified 199df4a93f check_sig_alg_match(): weaken sig nid comparison to allow RSA{,PSS} key verify RSA-PSS 03f5c8930c Fix rsa_pss_asn1_meth to refert to rsa_sig_info_set 26a44ad04b obj_xref: rsassaPss must map to 'undef rsassaPss' (not 'undef rsaEncryption') 302e63cbe5 Prepare for 3.0 alpha 12 31a89254d8 Prepare for release of 3.0 alpha 11 4333b89f50 Update copyright year 92bc61e467 Update NEWS.md before alpha11 release 5ac632eed7 APPS: Restore inclusions
[openssl] master update
The branch master has been updated via 7ff9fdd4b31757f70080bd3fa2e633ca080408a4 (commit) from d3372c2f35495d0c61ab09daf7fba3ecbbb595aa (commit) - Log - commit 7ff9fdd4b31757f70080bd3fa2e633ca080408a4 Author: Rich Salz Date: Thu Jan 28 10:17:13 2021 -0500 Deprecate X509_certificate_type Fixes: #13997 Reviewed-by: David von Oheimb Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14002) --- Summary of changes: CHANGES.md| 6 ++ crypto/x509/build.info| 6 +- include/openssl/evp.h | 22 -- include/openssl/x509.h.in | 3 ++- util/libcrypto.num| 2 +- 5 files changed, 26 insertions(+), 13 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index e512b080c7..c10593c327 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,6 +23,12 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX ] + * The undocumented function X509_certificate_type() has been deprecated; + applications can use X509_get0_pubkey() and X509_get0_signature() to + get the same information. + + *Rich Salz* + * Deprecated the obsolete X9.31 RSA key generation related functions BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and BN_X931_generate_prime_ex(). diff --git a/crypto/x509/build.info b/crypto/x509/build.info index 93019cc5e6..05c8e3003b 100644 --- a/crypto/x509/build.info +++ b/crypto/x509/build.info @@ -4,7 +4,7 @@ SOURCE[../../libcrypto]=\ x509_obj.c x509_req.c x509spki.c x509_vfy.c \ x509_set.c x509cset.c x509rset.c x509_err.c \ x509name.c x509_v3.c x509_ext.c x509_att.c \ -x509type.c x509_meth.c x509_lu.c x_all.c x509_txt.c \ +x509_meth.c x509_lu.c x_all.c x509_txt.c \ x509_trs.c by_file.c by_dir.c by_store.c x509_vpm.c \ x_crl.c t_crl.c x_req.c t_req.c x_x509.c t_x509.c \ x_pubkey.c x_x509a.c x_attrib.c x_exten.c x_name.c \ 
@@ -15,3 +15,7 @@ SOURCE[../../libcrypto]=\ v3_pcia.c v3_pci.c v3_ist.c \ pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \ v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c + +IF[{- !$disabled{'deprecated-3.0'} -}] + SOURCE[../../libcrypto]=x509type.c +ENDIF diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 68f2543a60..3b967202da 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -37,16 +37,18 @@ # include -# define EVP_PK_RSA 0x0001 -# define EVP_PK_DSA 0x0002 -# define EVP_PK_DH 0x0004 -# define EVP_PK_EC 0x0008 -# define EVP_PKT_SIGN0x0010 -# define EVP_PKT_ENC 0x0020 -# define EVP_PKT_EXCH0x0040 -# define EVP_PKS_RSA 0x0100 -# define EVP_PKS_DSA 0x0200 -# define EVP_PKS_EC 0x0400 +# ifndef OPENSSL_NO_DEPRECATED_3_0 +# define EVP_PK_RSA 0x0001 +# define EVP_PK_DSA 0x0002 +# define EVP_PK_DH 0x0004 +# define EVP_PK_EC 0x0008 +# define EVP_PKT_SIGN0x0010 +# define EVP_PKT_ENC 0x0020 +# define EVP_PKT_EXCH0x0040 +# define EVP_PKS_RSA 0x0100 +# define EVP_PKS_DSA 0x0200 +# define EVP_PKS_EC 0x0400 +# endif # define EVP_PKEY_NONE NID_undef # define EVP_PKEY_RSANID_rsaEncryption diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in index 8a3cb2e4d0..7aef798e5b 100644 --- a/include/openssl/x509.h.in +++ b/include/openssl/x509.h.in @@ -726,7 +726,6 @@ const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x); EVP_PKEY *X509_get0_pubkey(const X509 *x); EVP_PKEY *X509_get_pubkey(X509 *x); ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x); -int X509_certificate_type(const X509 *x, const EVP_PKEY *pubkey); long X509_REQ_get_version(const X509_REQ *req); int X509_REQ_set_version(X509_REQ *x, long version); 
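Review bot: The new `# ifndef OPENSSL_NO_DEPRECATED_3_0` guard in `include/openssl/evp.h` hides the `EVP_PK_*`, `EVP_PKT_*` and `EVP_PKS_*` macros without any comment saying why they are deprecated or what they belong to. They are presumably the result bits of `X509_certificate_type()`, which this commit deprecates, but the header does not say so. A one-line comment above the first define would do, for example `/* Result flags of the deprecated X509_certificate_type() */`. A trailing `/* OPENSSL_NO_DEPRECATED_3_0 */` on the closing `# endif` would also help. Without this, an application built with deprecated APIs disabled gets undeclared-identifier errors with no pointer to the replacement accessors named in CHANGES.md.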
@@ -838,6 +837,8 @@ int X509_cmp(const X509 *a, const X509 *b); int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b); #ifndef OPENSSL_NO_DEPRECATED_3_0 # define X509_NAME_hash(x) X509_NAME_hash_ex(x, NULL, NULL, NULL) +OSSL_DEPRECATEDIN_3_0 int X509_certificate_type(const X509 *x, +const EVP_PKEY *pubkey); #endif unsigned long X509_NAME_hash_ex(const X509_NAME *x, OSSL_LIB_CTX *libctx, const char *propq, int *ok); diff --git a/util/libcrypto.num b/util/libcrypto.num index f519518395..77612218c7 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -693,7 +693,7 @@ X509_add1_reject_object 710 3_0_0 EXIST::FUNCTION: ERR_set_mark7113_0_0 EXIST::FUNCTION: d2i_ASN1_VISIBLESTRING 7123_0_0 EXIST::FUNCTION: X509_NAME_ENTRY_dup 7143_0_0 EXIST::FUNCTION: -X509_certificate_type 7153_0_0 EXIST::FUNCTION: +X509_certificate_type
[openssl] master update
The branch master has been updated via d3372c2f35495d0c61ab09daf7fba3ecbbb595aa (commit) from 6aab42c39060c7aa39d96c7a265ddc661cea2ed8 (commit) - Log - commit d3372c2f35495d0c61ab09daf7fba3ecbbb595aa Author: Job Snijders Date: Sun Jan 24 14:00:02 2021 + Add some PKIX-RPKI objects References: RFC6482 - A Profile for Route Origin Authorizations (ROAs) RFC6484 - Certificate Policy (CP) for the RPKI RFC6493 - The RPKI Ghostbusters Record RFC8182 - The RPKI Repository Delta Protocol (RRDP) RFC8360 - RPKI Validation Reconsidered draft-ietf-sidrops-rpki-rta - A profile for RTAs CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/13948) --- Summary of changes: crypto/objects/obj_dat.h | 70 ++ crypto/objects/obj_mac.num | 12 crypto/objects/objects.txt | 15 +- fuzz/oids.txt | 12 include/openssl/obj_mac.h | 51 + 5 files changed, 154 insertions(+), 6 deletions(-) diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index 1b852e6dfa..697cd527b3 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -10,7 +10,7 @@ */ /* Serialized OID's */ -static const unsigned char so[7947] = { +static const unsigned char so[8054] = { 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [0] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,/* [6] OBJ_pkcs */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02, /* [ 13] OBJ_md2 */ 
@@ -1101,9 +1101,21 @@ static const unsigned char so[7947] = { 0x2A,0x85,0x03,0x64,0x71,0x04, /* [ 7928] OBJ_classSignToolKB1 */ 0x2A,0x85,0x03,0x64,0x71,0x05, /* [ 7934] OBJ_classSignToolKB2 */ 0x2A,0x85,0x03,0x64,0x71,0x06, /* [ 7940] OBJ_classSignToolKA1 */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x18, /* [ 7946] OBJ_id_ct_routeOriginAuthz */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x1A, /* [ 7957] OBJ_id_ct_rpkiManifest */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x23, /* [ 7968] OBJ_id_ct_rpkiGhostbusters */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x24, /* [ 7979] OBJ_id_ct_resourceTaggedAttest */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x0E,/* [ 7990] OBJ_id_cp */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x1C, /* [ 7997] OBJ_sbgp_ipAddrBlockv2 */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x1D, /* [ 8005] OBJ_sbgp_autonomousSysNumv2 */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x0E,0x02, /* [ 8013] OBJ_ipAddr_asNumber */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x0E,0x03, /* [ 8021] OBJ_ipAddr_asNumberv2 */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x0A, /* [ 8029] OBJ_rpkiManifest */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x0B, /* [ 8037] OBJ_signedObject */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x0D, /* [ 8045] OBJ_rpkiNotify */ }; -#define NUM_NID 1234 +#define NUM_NID 1246 static const ASN1_OBJECT nid_objs[NUM_NID] = { {"UNDEF", "undefined", NID_undef}, {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, [0]}, 
@@ -2339,9 +2351,21 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = { {"classSignToolKB1", "Class of Signing Tool KB1", NID_classSignToolKB1, 6, [7928]}, {"classSignToolKB2", "Class of Signing Tool KB2", NID_classSignToolKB2, 6, [7934]}, {"classSignToolKA1", "Class of Signing Tool KA1", NID_classSignToolKA1, 6, [7940]}, +{"id-ct-routeOriginAuthz", "id-ct-routeOriginAuthz", NID_id_ct_routeOriginAuthz, 11, [7946]}, +{"id-ct-rpkiManifest", "id-ct-rpkiManifest", NID_id_ct_rpkiManifest, 11, [7957]}, +{"id-ct-rpkiGhostbusters", "id-ct-rpkiGhostbusters", NID_id_ct_rpkiGhostbusters, 11, [7968]}, +{"id-ct-resourceTaggedAttest", "id-ct-resourceTaggedAttest", NID_id_ct_resourceTaggedAttest, 11, [7979]}, +{"id-cp", "id-cp", NID_id_cp, 7, [7990]}, +{"sbgp-ipAddrBlockv2", "sbgp-ipAddrBlockv2", NID_sbgp_ipAddrBlockv2, 8, [7997]}, +{"sbgp-autonomousSysNumv2", "sbgp-autonomousSysNumv2", NID_sbgp_autonomousSysNumv2, 8, [8005]}, +{"ipAddr-asNumber", "ipAddr-asNumber", NID_ipAddr_asNumber, 8, [8013]}, +{"ipAddr-asNumberv2", "ipAddr-asNumberv2", NID_ipAddr_asNumberv2, 8, [8021]}, +{"rpkiManifest", "RPKI Manifest", NID_rpkiManifest, 8, [8029]}, +{"signedObject", "Signed Object", NID_signedObject, 8, [8037]}, +{"rpkiNotify", "RPKI Notify", NID_rpkiNotify, 8, [8045]}, }; -#define NUM_SN 1225 +#define NUM_SN 1237 static const unsigned int sn_objs[NUM_SN] = { 364,/* "AD_DVCS" */ 419,/* "AES-128-CBC" */ @@ -2951,7 +2975,12 @@ static const unsigned int sn_objs[NUM_SN]