[openssl] master update

2021-02-04 Thread Dr. Paul Dale
The branch master has been updated
   via  76624df15fef0725f28a8b9d0f31256946669b1a (commit)
   via  d82c7f3dba44b190eac80e5ddffac9a00cefd47d (commit)
   via  13e85fb3214fc5c84e30258ed56add1275b0fde3 (commit)
   via  f4a3799cc45cb986d5920403b3e0471678fee020 (commit)
  from  7dc67708c8ae6ec06c7fec34781225ed60b5e68d (commit)


- Log -
commit 76624df15fef0725f28a8b9d0f31256946669b1a
Author: Richard Levitte 
Date:   Wed Feb 3 16:48:21 2021 +0100

EVP: Adapt EVP_PKEY_{set1,get1}_encoded_public_key()

These functions are modified to use EVP_PKEY_set_octet_string_param()
and EVP_PKEY_get_octet_string_param() instead of evp_keymgmt_set_params()
and evp_keymgmt_get_params().
To accomplish this fully, EVP_PKEY_get_octet_string_param() is changed
slightly to populate |*out_sz| with the return size, even if getting
the params resulted in an error.

We also modify EVP_PKEY_get_utf8_string_param() to match
EVP_PKEY_get_octet_string_param()

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/14056)

commit d82c7f3dba44b190eac80e5ddffac9a00cefd47d
Author: Richard Levitte 
Date:   Wed Feb 3 14:10:08 2021 +0100

EVP: Modify the checks in EVP_PKEY_{set,get}_xxx_param() functions

The checks of the type of EVP_PKEY were from before we had the macro
evp_pkey_is_provided().

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/14056)

commit 13e85fb3214fc5c84e30258ed56add1275b0fde3
Author: Richard Levitte 
Date:   Wed Feb 3 13:55:30 2021 +0100

EVP: Adapt the other EVP_PKEY_set_xxx_param() functions

They were calling evp_keymgmt_set_params() directly.  Those calls are
changed to go through EVP_PKEY_set_params().

We take the opportunity to constify these functions.  They have to
unconstify internally for the compiler to stop complaining when
placing those pointers in an OSSL_PARAM element, but that's still
better than forcing the callers to do that cast.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/14056)

commit f4a3799cc45cb986d5920403b3e0471678fee020
Author: Richard Levitte 
Date:   Wed Feb 3 13:50:23 2021 +0100

EVP: Make EVP_PKEY_set_params() increment the dirty count

When the internal key is changed, we must count it as muted, so that
next time the affected key is considered for an operation, it gets
re-exported to the signing provider.  In other words, this will clear
the EVP_PKEY export cache when the next export attempt occurs.

This also updates evp_keymgmt_util_export_to_provider() to actually
look at the dirty count for provider native origin keys, and act
appropriately.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/14056)

---

Summary of changes:
 crypto/evp/keymgmt_lib.c  |  31 +++--
 crypto/evp/p_lib.c| 207 +++---
 doc/man3/EVP_PKEY_gettable_params.pod |  11 +-
 doc/man3/EVP_PKEY_settable_params.pod |   9 +-
 include/openssl/evp.h |  10 +-
 util/libcrypto.num|   1 +
 6 files changed, 134 insertions(+), 135 deletions(-)

diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c
index 0c643b3b49..0112036263 100644
--- a/crypto/evp/keymgmt_lib.c
+++ b/crypto/evp/keymgmt_lib.c
@@ -101,15 +101,22 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, 
EVP_KEYMGMT *keymgmt)
 if (pk->keymgmt == keymgmt)
 return pk->keydata;
 
-/* If this key is already exported to |keymgmt|, no more to do */
 CRYPTO_THREAD_read_lock(pk->lock);
-i = evp_keymgmt_util_find_operation_cache_index(pk, keymgmt);
-if (i < OSSL_NELEM(pk->operation_cache)
-&& pk->operation_cache[i].keymgmt != NULL) {
-void *ret = pk->operation_cache[i].keydata;
+/*
+ * If the provider native "origin" hasn't changed since last time, we
+ * try to find our keymgmt in the operation cache.  If it has changed,
+ * |i| remains zero, and we will clear the cache further down.
+ */
+if (pk->dirty_cnt == pk->dirty_cnt_copy) {
+/* If this key is already exported to |keymgmt|, no more to do */
+i = evp_keymgmt_util_find_operation_cache_index(pk, keymgmt);
+if (i < OSSL_NELEM(pk->operation_cache)
+&& pk->operation_cache[i].keymgmt != NULL) {
+void *ret = pk->operation_cache[i].keydata;
 
-CRYPTO_THREAD_unlock(pk->lock);
-return ret;
+CRYPTO_THREAD_unlock(pk->lock);
+return ret;
+}
 }
 CRYPTO_THREAD_unlock(pk->lock);
 
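Review bot: the new comment states that when the dirty counts differ `|i|` "remains zero" and the cache is cleared further down, but nothing in this hunk initialises `i`; unless its declaration (outside the hunk) is `size_t i = 0;`, the cache-clearing path would index `pk->operation_cache` with an indeterminate value. Suggest an explicit `i = 0;` immediately before `if (pk->dirty_cnt == pk->dirty_cnt_copy)` so the invariant the comment relies on is visible where it is used. The read lock correctly covers both the dirty-count comparison and the cache lookup.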
@@ -177,12 +184,22 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, 
EVP_KEYMGMT *keymgmt)
 return ret;
 }
 
+/*
+ 

[openssl] master update

2021-02-04 Thread Dr. Paul Dale
The branch master has been updated
   via  7dc67708c8ae6ec06c7fec34781225ed60b5e68d (commit)
  from  88444854affe31ce08a5daaf4b6afc86e6972c63 (commit)


- Log -
commit 7dc67708c8ae6ec06c7fec34781225ed60b5e68d
Author: Petr Gotthard 
Date:   Sat Dec 26 21:32:14 2020 +0100

apps/openssl: add -propquery command line option

Fixes #13656. Right now all openssl commands use a NULL propq. This
patch adds a possibility to specify a custom propq.

The implementation follows the example of set_nameopt/get_nameopt.

Various tools had to be modified to call app_get0_propq after it has
been populated. Otherwise the -propquery has no effect.

The tests then verify the -propquery affects the tool behaviour by
requesting a non-existing property.

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/13707)

---

Summary of changes:
 apps/cms.c| 26 --
 apps/genpkey.c|  5 ++---
 apps/include/apps.h   |  1 +
 apps/include/opt.h|  8 +---
 apps/lib/app_provider.c   |  2 ++
 apps/lib/apps.c   | 11 +--
 apps/mac.c|  2 +-
 apps/pkcs7.c  |  3 +--
 apps/pkeyutl.c| 12 ++--
 apps/smime.c  |  7 +++
 apps/storeutl.c   | 11 +--
 doc/man1/openssl.pod  | 20 
 doc/perlvars.pm   |  5 -
 test/recipes/15-test_genrsa.t |  5 -
 test/recipes/20-test_mac.t|  5 +
 15 files changed, 80 insertions(+), 43 deletions(-)

diff --git a/apps/cms.c b/apps/cms.c
index e8254cb85c..36fb88e15c 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -28,7 +28,7 @@ static int cms_cb(int ok, X509_STORE_CTX *ctx);
 static void receipt_request_print(CMS_ContentInfo *cms);
 static CMS_ReceiptRequest *make_receipt_request(
 STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst,
-STACK_OF(OPENSSL_STRING) *rr_from, OSSL_LIB_CTX *libctx, const char 
*propq);
+STACK_OF(OPENSSL_STRING) *rr_from, OSSL_LIB_CTX *libctx);
 static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
   STACK_OF(OPENSSL_STRING) *param);
 
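Review bot: the prototype of make_receipt_request() drops `const char *propq`, so the function must now obtain the property query itself; its definition and call sites are not in the part of the diff shown here, so confirm they call app_get0_propq() at the time the request is built rather than passing a value captured before option parsing, which is exactly the defect the commit message describes.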
@@ -303,7 +303,6 @@ int cms_main(int argc, char **argv)
 const char *mime_eol = "\n";
 OPTION_CHOICE o;
 OSSL_LIB_CTX *libctx = app_get0_libctx();
-const char *propq = app_get0_propq();
 
 if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
 return 1;
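Review bot: removing `const char *propq = app_get0_propq();` from the top of cms_main() is the substantive fix in this file: at that point the command line has not been parsed, so the cached value could never reflect -propquery. A one-line comment at the first replacement call site saying that app_get0_propq() must not be hoisted above option parsing would stop a later tidy-up from reintroducing the local.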
@@ -457,7 +456,7 @@ int cms_main(int argc, char **argv)
 goto opthelp;
 } else {
 rcms = load_content_info(rctformat, rctin, NULL, "recipient",
- libctx, propq);
+ libctx, app_get0_propq());
 }
 break;
 case OPT_CERTFILE:
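Review bot: this load_content_info() call is still inside the option-parsing switch (note the `goto opthelp;` above and `case OPT_CERTFILE:` below), so app_get0_propq() runs while arguments are still being consumed; a -propquery placed later on the command line than the receipt-file option would not apply to this load. The second receipt load in the hunk around line 901 already happens after parsing, so deferring this one the same way would close the gap.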
@@ -870,7 +869,7 @@ int cms_main(int argc, char **argv)
 goto end;
 
 if (operation & SMIME_IP) {
-cms = load_content_info(informat, in, , "SMIME", libctx, propq);
+cms = load_content_info(informat, in, , "SMIME", libctx, 
app_get0_propq());
 if (cms == NULL)
 goto end;
 if (contfile != NULL) {
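Review bot: from this hunk onward every call site is after option parsing, so repeating app_get0_propq() is correct but noisy and pushes several lines past the original width (see the wrapped `cms = load_content_info(...` line); a single `const char *propq = app_get0_propq();` placed immediately after the argument loop, where the value is final, would leave these call sites as they were.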
@@ -901,7 +900,7 @@ int cms_main(int argc, char **argv)
 }
 
 rcms = load_content_info(rctformat, rctin, NULL, "recipient", libctx,
- propq);
+ app_get0_propq());
 if (rcms == NULL)
 goto end;
 }
@@ -922,15 +921,15 @@ int cms_main(int argc, char **argv)
 ret = 3;
 
 if (operation == SMIME_DATA_CREATE) {
-cms = CMS_data_create_ex(in, flags, libctx, propq);
+cms = CMS_data_create_ex(in, flags, libctx, app_get0_propq());
 } else if (operation == SMIME_DIGEST_CREATE) {
-cms = CMS_digest_create_ex(in, sign_md, flags, libctx, propq);
+cms = CMS_digest_create_ex(in, sign_md, flags, libctx, 
app_get0_propq());
 } else if (operation == SMIME_COMPRESS) {
 cms = CMS_compress(in, -1, flags);
 } else if (operation == SMIME_ENCRYPT) {
 int i;
 flags |= CMS_PARTIAL;
-cms = CMS_encrypt_ex(NULL, in, cipher, flags, libctx, propq);
+cms = CMS_encrypt_ex(NULL, in, cipher, flags, libctx, 
app_get0_propq());
 if (cms == NULL)
 goto end;
 for (i = 0; i < sk_X509_num(encerts); i++) {
@@ -996,7 +995,7 @@ int cms_main(int argc, char **argv)
 }
 } else if (operation == SMIME_ENCRYPTED_ENCRYPT) {
 cms = CMS_EncryptedData_encrypt_ex(in, cipher, secret_key,
-   secret_keylen, flags, libctx, 
propq);
+   secret_keylen, flags, libctx, 
app_get0_propq());
 
 } 

Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module

2021-02-04 Thread OpenSSL run-checker
Platform and configuration command:

$ uname -a
Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module

Commit log since last time:

9db6af922c EC: Reverse the default asn1_flag in a new EC_GROUP
977e95b912 EVP: Fix evp_pkey_ctx_store_cached_data() to handle provider backed 
EVP_PKEY_CTX
60488d2434 EVP: Don't find standard EVP_PKEY_METHODs automatically
8ce04db808 CORE & PROV: clean away OSSL_FUNC_mac_size()
28e1904250 apps/ecparam: Avoid crash when parameters fail to load
963a65bfb4 apps/ca: Properly handle certificate expiration times in do_updatedb
1409b5f664 Deprecate EVP_MD_CTX_{set_}update_fn()
66194839fe Add diacritics to my name in CHANGES.md
6a1a6498ac dh_cms_set_peerkey: Pad the public key to p size
af403db090 Add some missing committers to the AUTHORS list
f94a91698b Add a CI job to run the threads test with threads sanitizer on
0b07db6f56 Ensure the EVP_PKEY operation_cache is appropriately locked
4099460514 Ensure access to FIPS_state and rate_limit is appropriately locked
04b9435a99 Always ensure we hold ctx->lock when calling CRYPTO_get_ex_data()
b233ea8276 Avoid races by caching exported ciphers in the init function
cd4e6a3512 Refactor RAND_get0_primary() locking
a0134d293e Add a multi-thread test for shared EVP_PKEYs
7ff9fdd4b3 Deprecate X509_certificate_type
d3372c2f35 Add some PKIX-RPKI objects
6aab42c390 OSSL_HTTP_REQ_CTX.pod and OSSL_HTTP_transfer.pod: various 
improvements
4d190f99ef Constify OSSL_HTTP_REQ_CTX_get0_mem_bio()
a6d40689ec HTTP: add more error detection to low-level API
d337af1891 HTTP: Fix mistakes and unclarities on maxline and max_resp_len params
8e71614797 Fix not backwards-compat X509_http_nbio() and X509_CRL_http_nbio()
673474b164 OSSL_HTTP_REQ_CTX_nbio(): Revert to having state var that keeps req 
len still to send
f2db0528d8 PROV: Add SM2 encoders and decoders, as well as support functionality
58f422f6f4 Fix some odd names in our provider source code
b8a1272d57 Test that EC keys without a public key in them work as expected
ec7aef3356 Ensure EC keys with a private key but without a public key can be 
created

Build log ended with (last 100 lines):

# setup_client_ctx:../openssl/apps/cmp.c:2001:CMP info: will contact 
http://127.0.0.1:1700/pkix/
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received 
IP
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending 
CERTCONF
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received 
PKICONF
# save_free_certs:../openssl/apps/cmp.c:2051:CMP info: received 1 enrolled 
certificate(s), saving to file 
'../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem'
../../../../../enable-fuzz-afl/util/wrap.pl 
../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf 
-section 'Mock enrollment' -certout 
../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' 
-no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 0 
-certout 
../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem 
-out_trusted root.crt => 0
not ok 43 - popo RAVERIFIED
# --
# cmp_main:../openssl/apps/cmp.c:2685:CMP info: using section(s) 'Mock 
enrollment' of OpenSSL configuration file '../Mock/test.cnf'
# opt_str:../openssl/apps/cmp.c:2284:CMP warning: argument of -proxy option is 
empty string, resetting option
# warn_cert_msg:../openssl/apps/cmp.c:694:CMP warning: certificate from 
'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert
# setup_client_ctx:../openssl/apps/cmp.c:2001:CMP info: will contact 
http://127.0.0.1:1700/pkix/
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received 
IP
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending 
CERTCONF
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received 
PKICONF
# save_free_certs:../openssl/apps/cmp.c:2051:CMP info: received 1 enrolled 
certificate(s), saving to file 
'../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem'
../../../../../enable-fuzz-afl/util/wrap.pl 
../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf 
-section 'Mock enrollment' -certout 
../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' 
-no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 
-certout 
../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem 
-out_trusted root.crt => 0
not ok 47 - popo NONE
# --
#   Failed test 'popo NONE'
#   at 

Build completed: openssl master.39601

2021-02-04 Thread AppVeyor


Build openssl master.39601 completed



Commit ba1b06c85b by Richard Levitte on 2/4/2021 1:11 PM:

Merge branch 'test-algorithmid-reencoding' into fix-MDWithRSAEncryption


Build failed: openssl master.39600

2021-02-04 Thread AppVeyor



Build openssl master.39600 failed


Commit f8d337b38b by Richard Levitte on 2/4/2021 1:10 PM:

fixup! TEST: Add an algorithm ID tester for libcrypto vs provider


[openssl] master update

2021-02-04 Thread dev
The branch master has been updated
   via  88444854affe31ce08a5daaf4b6afc86e6972c63 (commit)
  from  af4d6c26af0bfaa837589b4fe39ec4942dd4c5b3 (commit)


- Log -
commit 88444854affe31ce08a5daaf4b6afc86e6972c63
Author: Dr. David von Oheimb 
Date:   Sun Oct 4 21:55:49 2020 +0200

x509_vfy.c: Improve coding style and comments all over the file

No changes in semantics.

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/13070)

---

Summary of changes:
 crypto/x509/x509_vfy.c | 680 ++---
 1 file changed, 301 insertions(+), 379 deletions(-)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 8e78c13b8e..ec7df5caa6 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -29,41 +29,16 @@
 
 /* CRL score values */
 
-/* No unhandled critical extensions */
-
-#define CRL_SCORE_NOCRITICAL0x100
-
-/* certificate is within CRL scope */
-
-#define CRL_SCORE_SCOPE 0x080
-
-/* CRL times valid */
-
-#define CRL_SCORE_TIME  0x040
-
-/* Issuer name matches certificate */
-
-#define CRL_SCORE_ISSUER_NAME   0x020
-
-/* If this score or above CRL is probably valid */
-
-#define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE)
-
-/* CRL issuer is certificate issuer */
-
-#define CRL_SCORE_ISSUER_CERT   0x018
-
-/* CRL issuer is on certificate path */
-
-#define CRL_SCORE_SAME_PATH 0x008
-
-/* CRL issuer matches CRL AKID */
-
-#define CRL_SCORE_AKID  0x004
-
-/* Have a delta CRL with valid times */
-
-#define CRL_SCORE_TIME_DELTA0x002
+#define CRL_SCORE_NOCRITICAL0x100 /* No unhandled critical extensions */
+#define CRL_SCORE_SCOPE 0x080 /* certificate is within CRL scope */
+#define CRL_SCORE_TIME  0x040 /* CRL times valid */
+#define CRL_SCORE_ISSUER_NAME   0x020 /* Issuer name matches certificate */
+#define CRL_SCORE_VALID /* If this score or above CRL is probably valid */ \
+(CRL_SCORE_NOCRITICAL | CRL_SCORE_TIME | CRL_SCORE_SCOPE)
+#define CRL_SCORE_ISSUER_CERT   0x018 /* CRL issuer is certificate issuer */
+#define CRL_SCORE_SAME_PATH 0x008 /* CRL issuer is on certificate path */
+#define CRL_SCORE_AKID  0x004 /* CRL issuer matches CRL AKID */
+#define CRL_SCORE_TIME_DELTA0x002 /* Have a delta CRL with valid times */
 
 static int build_chain(X509_STORE_CTX *ctx);
 static int verify_chain(X509_STORE_CTX *ctx);
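Review bot: in the new CRL_SCORE_VALID definition the comment sits between the macro name and its replacement list, joined by a backslash continuation; this is legal (comments become a single space before macro expansion) but it breaks the one-line `name value /* comment */` pattern used for the neighbouring defines and reads at a glance like an empty macro. Putting that comment on its own line above the define keeps the block uniform. The values themselves are unchanged, consistent with the "no changes in semantics" claim.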
@@ -137,6 +112,7 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
 STACK_OF(X509) *certs;
 X509 *xtmp = NULL;
 int i;
+
 /* Lookup all certs with matching subject name */
 ERR_set_mark();
 certs = ctx->lookup_certs(ctx, X509_get_subject_name(x));
@@ -233,26 +209,26 @@ static int verify_chain(X509_STORE_CTX *ctx)
 (ok = check_id(ctx)) == 0 || 1)
 X509_get_pubkey_parameters(NULL, ctx->chain);
 if (ok == 0 || (ok = ctx->check_revocation(ctx)) == 0)
-return ok;
+return 0;
 
 err = X509_chain_check_suiteb(>error_depth, NULL, ctx->chain,
   ctx->param->flags);
 CB_FAIL_IF(err != X509_V_OK, ctx, NULL, ctx->error_depth, err);
 
 /* Verify chain signatures and expiration times */
-ok = (ctx->verify != NULL) ? ctx->verify(ctx) : internal_verify(ctx);
+ok = ctx->verify != NULL ? ctx->verify(ctx) : internal_verify(ctx);
 if (!ok)
-return ok;
+return 0;
 
 if ((ok = check_name_constraints(ctx)) == 0)
-return ok;
+return 0;
 
 #ifndef OPENSSL_NO_RFC3779
 /* RFC 3779 path validation, now that CRL check has been done */
 if ((ok = X509v3_asid_validate_path(ctx)) == 0)
-return ok;
+return 0;
 if ((ok = X509v3_addr_validate_path(ctx)) == 0)
-return ok;
+return 0;
 #endif
 
 /* If we get this far evaluate policies */
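Review bot: replacing `return ok;` with `return 0;` is equivalent only because each guarded condition has just established `ok == 0` (`ok == 0 || (ok = ctx->check_revocation(ctx)) == 0`, `if (!ok)`, and the `== 0` tests); that holds at every site in this hunk, so the refactor is sound. It does leave the assignment to `ok` at those sites dead at the return, which is fine as long as nothing later in verify_chain() reads `ok` on those paths.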
@@ -292,10 +268,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 CB_FAIL_IF(!check_key_level(ctx, ctx->cert),
ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL);
 
-if (DANETLS_ENABLED(dane))
-ret = dane_verify(ctx);
-else
-ret = verify_chain(ctx);
+ret = DANETLS_ENABLED(dane) ? dane_verify(ctx) : verify_chain(ctx);
 
 /*
  * Safety-net.  If we are returning an error, we must also set ctx->error,
@@ -353,13 +326,9 @@ static int check_issued(ossl_unused X509_STORE_CTX *ctx, 
X509 *x, X509 *issuer)
 static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
 {
 *issuer = find_issuer(ctx, ctx->other_ctx, x);
+if (*issuer != NULL && X509_up_ref(*issuer))
+return 1;
 
-if (*issuer == NULL || !X509_up_ref(*issuer))
-goto err;
-
-return 1;
-
- err:
 *issuer = NULL;
 return 0;
 }
@@ -440,10 +409,8 @@ static int check_chain(X509_STORE_CTX *ctx)
 {
 int i, 

[openssl] master update

2021-02-04 Thread Matt Caswell
The branch master has been updated
   via  af4d6c26af0bfaa837589b4fe39ec4942dd4c5b3 (commit)
   via  08cea586c9d0fd2fcf99ec1eacb7736a34139d8b (commit)
  from  a7246ea645b5d4c5ca7bde3dad4fcd6e63e11896 (commit)


- Log -
commit af4d6c26af0bfaa837589b4fe39ec4942dd4c5b3
Author: Matt Caswell 
Date:   Mon Feb 1 17:31:05 2021 +

Remove a DSA related TODO

There are no instances of the macros that this comment is referring to
being used anywhere within current master. All of the macros were
deprecated by commit f41ac0e. Therefore this TODO should just be removed.

Fixes #13020

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/14038)

commit 08cea586c9d0fd2fcf99ec1eacb7736a34139d8b
Author: Matt Caswell 
Date:   Mon Feb 1 15:45:44 2021 +

Remove some TODO(OpenSSL1.2) references

We had a couple of stray references to OpenSSL1.2 in libssl. We just
reword the comments to remove those references without changing any
behaviour.

The first one in t1_lib.c is a technical non-compliance in the TLSv1.3
spec where, under some circumstances, we offer DSA sigalgs even in a
ClientHello that eventually negotiates TLSv1.3. We explicitly chose to
accept this behaviour in 1.1.1 and we're not planning to change it for
3.0.

The second one in s3_lib.c is regarding the behaviour of
SSL_set_tlsext_host_name(). Technically you shouldn't be able to call
this from a server - but we allow it and just ignore it rather than
raising an error. The TODO suggests we consider raising an error instead.
However, with 3.0 we are trying to minimise breaking changes so I suggest
not making this change now.

Fixes #13161

Reviewed-by: Matthias St. Pierre 
(Merged from https://github.com/openssl/openssl/pull/14037)

---

Summary of changes:
 include/openssl/dsa.h | 4 
 ssl/s3_lib.c  | 1 -
 ssl/t1_lib.c  | 5 -
 3 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/include/openssl/dsa.h b/include/openssl/dsa.h
index 681058597b..eacc6caa28 100644
--- a/include/openssl/dsa.h
+++ b/include/openssl/dsa.h
@@ -98,10 +98,6 @@ int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);
 /* typedef struct dsa_st DSA; */
 /* typedef struct dsa_method DSA_METHOD; */
 
-/*
- * TODO(3.0): consider removing the ASN.1 encoding and decoding when
- * deserialization is completed elsewhere.
- */
 #   define d2i_DSAparams_fp(fp, x) \
 (DSA *)ASN1_d2i_fp((char *(*)())DSA_new, \
(char *(*)())d2i_DSAparams, (fp), \
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index ae27add6df..a6c87ad75d 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3491,7 +3491,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 #endif
 case SSL_CTRL_SET_TLSEXT_HOSTNAME:
 /*
- * TODO(OpenSSL1.2)
  * This API is only used for a client to set what SNI it will request
  * from the server, but we currently allow it to be used on servers
  * as well, which is a programming error.  Currently we just clear
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index c777a86eb7..7328c8e2b1 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2036,7 +2036,10 @@ static int tls12_sigalg_allowed(const SSL *s, int op, 
const SIGALG_LOOKUP *lu)
 /* DSA is not allowed in TLS 1.3 */
 if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
 return 0;
-/* TODO(OpenSSL1.2) fully axe DSA/etc. in ClientHello per TLS 1.3 spec */
+/*
+ * At some point we should fully axe DSA/etc. in ClientHello as per TLS 1.3
+ * spec
+ */
 if (!s->server && !SSL_IS_DTLS(s) && s->s3.tmp.min_ver >= TLS1_3_VERSION
 && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX
 || lu->hash_idx == SSL_MD_MD5_IDX
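Review bot: dropping the `TODO(OpenSSL1.2)` marker means this accepted TLS 1.3 spec deviation no longer surfaces in a grep for TODO; the commit message records the reasoning (behaviour accepted in 1.1.1, kept for 3.0, issue #13161), so the replacement comment would carry more weight if it cited that issue or the reason the deviation is accepted instead of the open-ended "at some point". The code below the comment is unchanged.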


SUCCESSFUL build of OpenSSL branch master with options -d --strict-warnings enable-ec_nistp_64_gcc_128

2021-02-04 Thread OpenSSL run-checker
Platform and configuration command:

$ uname -a
Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings enable-ec_nistp_64_gcc_128

Commit log since last time:

9db6af922c EC: Reverse the default asn1_flag in a new EC_GROUP
977e95b912 EVP: Fix evp_pkey_ctx_store_cached_data() to handle provider backed 
EVP_PKEY_CTX
60488d2434 EVP: Don't find standard EVP_PKEY_METHODs automatically
8ce04db808 CORE & PROV: clean away OSSL_FUNC_mac_size()
28e1904250 apps/ecparam: Avoid crash when parameters fail to load
963a65bfb4 apps/ca: Properly handle certificate expiration times in do_updatedb
1409b5f664 Deprecate EVP_MD_CTX_{set_}update_fn()
66194839fe Add diacritics to my name in CHANGES.md
6a1a6498ac dh_cms_set_peerkey: Pad the public key to p size
af403db090 Add some missing committers to the AUTHORS list
f94a91698b Add a CI job to run the threads test with threads sanitizer on
0b07db6f56 Ensure the EVP_PKEY operation_cache is appropriately locked
4099460514 Ensure access to FIPS_state and rate_limit is appropriately locked
04b9435a99 Always ensure we hold ctx->lock when calling CRYPTO_get_ex_data()
b233ea8276 Avoid races by caching exported ciphers in the init function
cd4e6a3512 Refactor RAND_get0_primary() locking
a0134d293e Add a multi-thread test for shared EVP_PKEYs
7ff9fdd4b3 Deprecate X509_certificate_type
d3372c2f35 Add some PKIX-RPKI objects
6aab42c390 OSSL_HTTP_REQ_CTX.pod and OSSL_HTTP_transfer.pod: various 
improvements
4d190f99ef Constify OSSL_HTTP_REQ_CTX_get0_mem_bio()
a6d40689ec HTTP: add more error detection to low-level API
d337af1891 HTTP: Fix mistakes and unclarities on maxline and max_resp_len params
8e71614797 Fix not backwards-compat X509_http_nbio() and X509_CRL_http_nbio()
673474b164 OSSL_HTTP_REQ_CTX_nbio(): Revert to having state var that keeps req 
len still to send
f2db0528d8 PROV: Add SM2 encoders and decoders, as well as support functionality
58f422f6f4 Fix some odd names in our provider source code
b8a1272d57 Test that EC keys without a public key in them work as expected
ec7aef3356 Ensure EC keys with a private key but without a public key can be 
created


SUCCESSFUL build of OpenSSL branch master with options -d --strict-warnings no-ec

2021-02-04 Thread OpenSSL run-checker
Platform and configuration command:

$ uname -a
Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-ec

Commit log since last time:

9db6af922c EC: Reverse the default asn1_flag in a new EC_GROUP
977e95b912 EVP: Fix evp_pkey_ctx_store_cached_data() to handle provider backed 
EVP_PKEY_CTX
60488d2434 EVP: Don't find standard EVP_PKEY_METHODs automatically
8ce04db808 CORE & PROV: clean away OSSL_FUNC_mac_size()
28e1904250 apps/ecparam: Avoid crash when parameters fail to load
963a65bfb4 apps/ca: Properly handle certificate expiration times in do_updatedb
1409b5f664 Deprecate EVP_MD_CTX_{set_}update_fn()
66194839fe Add diacritics to my name in CHANGES.md
6a1a6498ac dh_cms_set_peerkey: Pad the public key to p size
af403db090 Add some missing committers to the AUTHORS list
f94a91698b Add a CI job to run the threads test with threads sanitizer on
0b07db6f56 Ensure the EVP_PKEY operation_cache is appropriately locked
4099460514 Ensure access to FIPS_state and rate_limit is appropriately locked
04b9435a99 Always ensure we hold ctx->lock when calling CRYPTO_get_ex_data()
b233ea8276 Avoid races by caching exported ciphers in the init function
cd4e6a3512 Refactor RAND_get0_primary() locking
a0134d293e Add a multi-thread test for shared EVP_PKEYs
7ff9fdd4b3 Deprecate X509_certificate_type
d3372c2f35 Add some PKIX-RPKI objects
6aab42c390 OSSL_HTTP_REQ_CTX.pod and OSSL_HTTP_transfer.pod: various 
improvements
4d190f99ef Constify OSSL_HTTP_REQ_CTX_get0_mem_bio()
a6d40689ec HTTP: add more error detection to low-level API
d337af1891 HTTP: Fix mistakes and unclarities on maxline and max_resp_len params
8e71614797 Fix not backwards-compat X509_http_nbio() and X509_CRL_http_nbio()
673474b164 OSSL_HTTP_REQ_CTX_nbio(): Revert to having state var that keeps req 
len still to send
f2db0528d8 PROV: Add SM2 encoders and decoders, as well as support functionality
58f422f6f4 Fix some odd names in our provider source code
b8a1272d57 Test that EC keys without a public key in them work as expected
ec7aef3356 Ensure EC keys with a private key but without a public key can be 
created


[openssl] master update

2021-02-04 Thread beldmit
The branch master has been updated
   via  a7246ea645b5d4c5ca7bde3dad4fcd6e63e11896 (commit)
  from  d53b437f9992f974c1623e9b9b9bdf053aefbcc3 (commit)


- Log -
commit a7246ea645b5d4c5ca7bde3dad4fcd6e63e11896
Author: Dmitry Belyavskiy 
Date:   Fri Jan 22 14:54:09 2021 +0100

DH/DHX parameter check using pkeyparam

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/13930)

---

Summary of changes:
 test/recipes/20-test_dhparam_check.t   | 84 ++
 .../20-test_dhparam_check_data/valid/dh5114_1.pem  |  8 +++
 .../20-test_dhparam_check_data/valid/dh5114_2.pem  | 14 
 .../20-test_dhparam_check_data/valid/dh5114_3.pem  | 14 
 .../valid/dh_p1024_t1862.pem   |  8 +++
 .../valid/dh_p2048_t1862.pem   | 13 
 .../valid/dh_p2048_t1864.pem   | 13 
 .../valid/dh_p3072_t1862.pem   | 19 +
 .../valid/dhx_p1024_q160_t1862.pem |  9 +++
 .../valid/dhx_p1024_q160_t1864.pem |  9 +++
 .../valid/dhx_p1024_q224_t1862.pem |  9 +++
 .../valid/dhx_p1024_q256_t1862.pem | 10 +++
 .../valid/dhx_p2048_q160_t1862.pem | 15 
 .../valid/dhx_p2048_q224_t1862.pem | 15 
 .../valid/dhx_p2048_q224_t1864.pem | 15 
 .../valid/dhx_p2048_q256_t1862.pem | 15 
 .../valid/dhx_p2048_q256_t1864.pem | 15 
 .../valid/dhx_p3072_q160_t1862.pem | 20 ++
 .../valid/dhx_p3072_q224_t1862.pem | 20 ++
 .../valid/dhx_p3072_q256_t1862.pem | 20 ++
 20 files changed, 345 insertions(+)
 create mode 100644 test/recipes/20-test_dhparam_check.t
 create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dh5114_1.pem
 create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dh5114_2.pem
 create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dh5114_3.pem
 create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dh_p1024_t1862.pem
 create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dh_p2048_t1862.pem
 create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dh_p2048_t1864.pem
 create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dh_p3072_t1862.pem
 create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p1024_q160_t1862.pem
 create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p1024_q160_t1864.pem
 create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p1024_q224_t1862.pem
 create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p1024_q256_t1862.pem
 create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q160_t1862.pem
 create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q224_t1862.pem
 create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q224_t1864.pem
 create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q256_t1862.pem
 create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p2048_q256_t1864.pem
 create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p3072_q160_t1862.pem
 create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p3072_q224_t1862.pem
 create mode 100644 test/recipes/20-test_dhparam_check_data/valid/dhx_p3072_q256_t1862.pem

diff --git a/test/recipes/20-test_dhparam_check.t 
b/test/recipes/20-test_dhparam_check.t
new file mode 100644
index 00..97e1506d8a
--- /dev/null
+++ b/test/recipes/20-test_dhparam_check.t
@@ -0,0 +1,84 @@
+#! /usr/bin/env perl
+# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use File::Spec;
+use OpenSSL::Glob;
+use OpenSSL::Test qw/:DEFAULT data_file/;
+use OpenSSL::Test::Utils;
+
+setup("test_dhparam_check");
+
+plan skip_all => "DH isn't supported in this build"
+if disabled("dh");
+
+=pod Generation script
+
+#!/bin/sh
+
+TESTDIR=test/recipes/20-test_dhparam_check_data/valid
+rm -rf $TESTDIR
+mkdir -p $TESTDIR
+
+./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt dh_rfc5114:1 
-out $TESTDIR/dh5114_1.pem
+./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt dh_rfc5114:2 
-out $TESTDIR/dh5114_2.pem
+./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt dh_rfc5114:3 
-out $TESTDIR/dh5114_3.pem
+
+./util/opensslwrap.sh genpkey -genparam -algorithm DH -pkeyopt pbits:1024 
-pkeyopt type:fips186_2 -out
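Review bot: the copyright header of the new test file reads 2017-2020, while the commit is dated January 2021 and the file did not exist before, so it should carry the year it is added. Also, the generation script embedded in the `=pod` block is documentation rather than executable test code, so the committed .pem files can drift from it unnoticed; a sentence recording that the data files were produced by this script (and at which commit) would help whoever regenerates them later.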