[openssl] master update
The branch master has been updated via 2154a7a754f7347892ef060d5ab4072b8a86d440 (commit) from 9fe4f5bc82bb7b5352ce4f55c86d53ce802f5053 (commit) - Log - commit 2154a7a754f7347892ef060d5ab4072b8a86d440 Author: Matt Caswell Date: Tue Mar 16 15:29:46 2021 + Update README-FIPS.md The README-FIPS.md file was still the one used from 1.1.1. We update it with 3.0 specific information. Fixes #14237 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14575) --- Summary of changes: README-FIPS.md | 443 - 1 file changed, 442 insertions(+), 1 deletion(-) diff --git a/README-FIPS.md b/README-FIPS.md index ec70370177..0ea41daa46 100644 --- a/README-FIPS.md +++ b/README-FIPS.md 
@@ -1,4 +1,445 @@ OpenSSL FIPS support -This release does not support a FIPS 140-2 validated module. +This release of OpenSSL includes a cryptographic module that is intended to be +FIPS 140-2 validated. The module is implemented as an OpenSSL provider. See +the [README-PROVIDERS](README-PROVIDERS.md) file for further details about +providers. + +Installing the FIPS module +== + +Once OpenSSL has been built and installed you will need to take explicit steps +to complete the installation of the FIPS module (if you wish to use it). The +OpenSSL 3.0 FIPS support is in the form of the FIPS provider which, on Unix, is +in a `fips.so` file. On Windows this will be called `fips.dll`. Following +installation of OpenSSL 3.0 the default location for this file is +`/usr/local/lib/ossl-modules/fips.so` on Unix or +`C:\Program Files\OpenSSL\lib\ossl-modules\fips.dll` on Windows. + +To complete the installation you need to run the `fipsinstall` command line +application. This does 2 things: + +- Runs the FIPS module self tests +- Generates FIPS module config file output containing information about the +module such as the self test status, and the module checksum. + +The FIPS module must have the self tests run, and the FIPS module config file +output generated on every machine that it is to be used on. You must not copy +the FIPS module config file output data from one machine to another. + +For example, to install the FIPS module to its default location on Unix: + +$ openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so + +If you installed OpenSSL to a different location, you need to adjust the output +and module path accordingly. + + +Using the FIPS Module in applications += + +There are a number of different ways that OpenSSL can be used in conjunction +with the FIPS module. Which is the correct approach to use will depend on your +own specific circumstances and what you are attempting to achieve. 
Note that the +old functions `FIPS_mode()` and `FIPS_mode_set()` are no longer present so you +must remove them from your application if you use them. + +Applications written to use the OpenSSL 3.0 FIPS module should not use any +legacy APIs or features that avoid the FIPS module. Specifically this includes: + +- Low level cryptographic APIs (use the high level APIs, such as EVP, instead) +- Engines +- Any functions that create or modify custom "METHODS" (for example +`EVP_MD_meth_new`, `EVP_CIPHER_meth_new`, `EVP_PKEY_meth_new`, `RSA_meth_new`, +`EC_KEY_METHOD_new`, etc.) + +All of the above APIs are deprecated in OpenSSL 3.0 - so a simple rule is to +avoid using all deprecated functions. + +Making all applications use the FIPS module by default +-- + +One simple approach is to cause all applications that are using OpenSSL to only +use the FIPS module for cryptographic algorithms by default. + +This approach can be done purely via configuration. As long as applications are +built and linked against OpenSSL 3.0 and do not override the loading of the +default config file or its settings then they can automatically start using the +FIPS module without the need for any further code changes. + +To do this the default OpenSSL config file will have to be modified. The +location of this config file will depend on the platform, and any options that +were given during the build process. You can check the location of the config +file by running this command: + +$ openssl version -d +OPENSSLDIR: "/usr/local/ssl" + +Caution: Many Operating Systems install OpenSSL by default. It is a common error +to not have the correct version of OpenSSL on your $PATH. Check that you are +running an OpenSSL 3.0 version like this: + +$ openssl version -v +OpenSSL 3.0.0-dev xx XXX (Library: OpenSSL 3.0.0-dev xx XXX ) + +The OPENSSLDIR value above gives the directory name for
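Review bot: The fipsinstall example in "Installing the FIPS module" hard-codes '-out /usr/local/ssl/fipsmodule.cnf', but the way to find the right directory ('openssl version -d') and the caution about the wrong OpenSSL being first on $PATH only appear later, under "Making all applications use the FIPS module by default". Both apply to the fipsinstall step too, and the text itself calls the wrong-version case a common error, so I would move them up or cross-reference them from the install section. The sample output 'OpenSSL 3.0.0-dev xx XXX' also reads like an unfilled placeholder; say explicitly that the date fields will differ.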
Build failed: openssl master.40812
Build openssl master.40812 failed Commit 11eac04df0 by Kevin Cadieux on 3/17/2021 12:12 AM: memleaktest with MSVC's AddressSanitizer
Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module
Platform and configuration command: $ uname -a Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: 9a48544058 Make EVP_PKEY_missing_parameters work properly on provided RSA keys e08993eab6 evp_keymgmt_util_copy: Fix possible leak on copy failure 48fad58f7b apps/crl: Print just the hash value if printing just hash 50864bd2f7 Convert some TODO(3.0) comments in init.c to normal comments 19ad1e9d37 Remove a TODO(3.0) from EVP_PKEY_derive_set_peer() d11f644ba5 Fix up issues found when running evp_extra_test with a non-default library context 062490dbd0 Add testing for non-default library context into evp_extra_test 4139a0c6ec EVP_KDF-KB man page: fixup ABI/API change 1f79baa55e Remove TODOs from digest.c 7128458b8a params: clean up TODO 8f391c7d1b doc: remove TODOs about redesigning the AEAD API 95856e34bb prov: remove todos in rsa_keymgmt.c cc32fbdca1 prov: remove TODO in der_rsa_key.c d1f790de0c Add some encoder and decoder code examples 5db682733d Fix a TODO(3.0) in the siphash code 37cddb2e2d p_lib.c: Remove TODO comments a289d3a427 property_test: use property values that are not used elsewhere 2217d4c9cc core_get_libctx: use assert() instead of ossl_assert() a23deef281 provider_core: Remove two TODO 3.0 a8275fbc4a decoder_process: data_structure can be NULL 1e08f3ba9e property: default queries create the property values. 
bd55a0be1b Use --debug with no-caching build as sanitizers need it 92a36b3705 Add a CHANGES entry for EVP_PKEY_public_check() and EVP_KEY_param_check() 2cf8bb46fc Ensure that ECX keys pass EVP_PKEY_param_check() 2db5834c43 Add a CHANGES entry for the cosmetic differences in textual output d8a809db4b apps: Make load_key_certs_crls to read only what is expected ea51096e51 apps: Add maybe_stdin argument to load_certs and set it in pkcs12 8287a4c3b2 Tiny clarification of comment for RSA_sign 3a37ddde91 Fix DSA EVP_PKEY_param_check() when defaults are used for param generation. Build log ended with (last 100 lines): # -- # Failed test 'popo NONE' # at ../openssl/test/recipes/80-test_cmp_http.t line 145. Warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert# cmp_main:../openssl/apps/cmp.c:2578:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2177:CMP warning: argument of -proxy option is empty string, resetting option # setup_client_ctx:../openssl/apps/cmp.c:1894:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:167:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:187:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:167:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:187:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:1944:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo6.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 2 -certout 
../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo6.pem -out_trusted root.crt => 0 not ok 48 - popo KEYENC not supported # -- # Looks like you failed 3 tests of 92. not ok 5 - CMP app CLI Mock enrollment # -- # # Failed test 'CMP app CLI Mock enrollment # ' # at /home/openssl/run-checker/enable-fuzz-afl/../openssl/util/perl/OpenSSL/Test.pm line 1335. # Looks like you failed 3 tests of 5.80-test_cmp_http.t . Dubious, test returned 3 (wstat 768, 0x300) Failed 3/5 subtests # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... ok 80-test_dane.t . ok 80-test_dtls.t . ok 80-test_dtls_mtu.t . ok 80-test_dtlsv1listen.t . ok 80-test_http.t . ok 80-test_ocsp.t . ok 80-test_pkcs12.t ... ok 80-test_ssl_new.t .. ok 80-test_ssl_old.t .. ok 80-test_ssl_test_ctx.t . ok 80-test_sslcorrupt.t ... ok 80-test_tsa.t .. ok 80-test_x509aux.t .. ok 81-test_cmp_cli.t .. ok 90-test_asn1_time.t ok
Build failed: openssl master.40810
Build openssl master.40810 failed Commit 0939a68eb5 by Ben Avison on 3/10/2021 3:54 PM: ARM assembly pack: translate bit-sliced AES implementation to AArch64
[openssl] master update
The branch master has been updated via 9fe4f5bc82bb7b5352ce4f55c86d53ce802f5053 (commit) from ee067bc066ccc21462a1a489f8f1314c7207c01f (commit) - Log - commit 9fe4f5bc82bb7b5352ce4f55c86d53ce802f5053 Author: Richard Levitte Date: Thu Mar 18 16:52:38 2021 +0100 Fix a missing rand -> ossl_rand rename Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14609) --- Summary of changes: providers/implementations/rands/seeding/rand_cpu_x86.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/providers/implementations/rands/seeding/rand_cpu_x86.c b/providers/implementations/rands/seeding/rand_cpu_x86.c index 0bdf1c302f..39da74e293 100644 --- a/providers/implementations/rands/seeding/rand_cpu_x86.c +++ b/providers/implementations/rands/seeding/rand_cpu_x86.c @@ -35,7 +35,7 @@ static size_t get_hardware_random_value(unsigned char *buf, size_t len); * Returns the total entropy count, if it exceeds the requested * entropy count. Otherwise, returns an entropy count of 0. */ -size_t prov_acquire_entropy_from_cpu(RAND_POOL *pool) +size_t ossl_prov_acquire_entropy_from_cpu(RAND_POOL *pool) { size_t bytes_needed; unsigned char *buffer;
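Review bot: The subject says "rand -> ossl_rand", but the symbol renamed in this hunk is prov_acquire_entropy_from_cpu to ossl_prov_acquire_entropy_from_cpu, so the prefix involved is ossl_prov_; naming the function in the subject would make the commit easier to find later. Only the definition in rand_cpu_x86.c changes here, so please confirm in the PR that the prototype and every caller already use the new name, since a leftover use of the old one would show up as a build or link failure rather than in review.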
Build failed: openssl master.40808
Build openssl master.40808 failed Commit cab996b157 by Pauli on 3/17/2021 12:30 PM: fixup! evp: fix coverity 1473381 - dereference after null check
Build failed: openssl master.40798
Build openssl master.40798 failed Commit 06bb02f524 by Tomas Mraz on 3/17/2021 8:47 AM: fixup! Added functions for printing EVP_PKEYs to FILE *
[openssl] master update
The branch master has been updated via ee067bc066ccc21462a1a489f8f1314c7207c01f (commit) from 7e7e034a10842dad3866c9447481b8527024bf44 (commit) - Log - commit ee067bc066ccc21462a1a489f8f1314c7207c01f Author: Matt Caswell Date: Tue Mar 16 12:03:08 2021 + Ensure we deregister thread handlers even after a failed init If we attempt to init a provider but that init fails, then we should still deregister any thread handlers. The provider may have failed after these were registered. Fixes #13338 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14576) --- Summary of changes: crypto/provider_core.c | 13 ++--- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/crypto/provider_core.c b/crypto/provider_core.c index 4d77108c33..632ea72a5d 100644 --- a/crypto/provider_core.c +++ b/crypto/provider_core.c @@ -359,9 +359,6 @@ void ossl_provider_free(OSSL_PROVIDER *prov) */ if (ref == 0) { if (prov->flag_initialized) { -#ifndef FIPS_MODULE -ossl_init_thread_deregister(prov); -#endif if (prov->teardown != NULL) prov->teardown(prov->provctx); #ifndef OPENSSL_NO_ERR @@ -380,6 +377,12 @@ void ossl_provider_free(OSSL_PROVIDER *prov) } #ifndef FIPS_MODULE +/* + * We deregister thread handling whether or not the provider was + * initialized. If init was attempted but was not successful then + * the provider may still have registered a thread handler. + */ +ossl_init_thread_deregister(prov); DSO_free(prov->module); #endif OPENSSL_free(prov->name); @@ -561,10 +564,6 @@ static int provider_init(OSSL_PROVIDER *prov) _dispatch, _provctx)) { ERR_raise_data(ERR_LIB_CRYPTO, ERR_R_INIT_FAIL, "name=%s", prov->name); -#ifndef FIPS_MODULE -DSO_free(prov->module); -prov->module = NULL; -#endif goto end; } prov->provctx = tmp_provctx;
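Review bot: In the second hunk of ossl_provider_free(), ossl_init_thread_deregister(prov) now runs after the prov->teardown(prov->provctx) call in the flag_initialized block, where before this change it ran ahead of it. If a registered thread handler can fire between teardown and deregistration it would be handed a provctx that has already been torn down; either deregister at the top of the 'ref == 0' block, before teardown, or extend the new comment to say why the later position is safe. In the third hunk, the removal of DSO_free(prov->module) from the provider_init() failure path leaves no trace of where the module is now released; a one-line comment pointing at ossl_provider_free() would stop someone from re-adding it.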
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via f9398cc2b31858ddaaea3f5cfec2fce7f9b90347 (commit) from 1136fedc334b574eef6f551be158860fda4199f2 (commit) - Log - commit f9398cc2b31858ddaaea3f5cfec2fce7f9b90347 Author: Pauli Date: Wed Mar 17 12:23:52 2021 +1000 apps: fix coverity 966560: division by zero Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14586) (cherry picked from commit 7e7e034a10842dad3866c9447481b8527024bf44) --- Summary of changes: apps/s_time.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/s_time.c b/apps/s_time.c index 628e65b26e..eabf3c1a79 100644 --- a/apps/s_time.c +++ b/apps/s_time.c @@ -263,7 +263,8 @@ int s_time_main(int argc, char **argv) nConn, totalTime, ((double)nConn / totalTime), bytes_read); printf ("%d connections in %ld real seconds, %ld bytes read per connection\n", - nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn); + nConn, (long)time(NULL) - finishtime + maxtime, + nConn > 0 ? bytes_read / nConn : 0l); /* * Now loop and time connections using the same session id over and over
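Review bot: The fallback literal on the added line 'nConn > 0 ? bytes_read / nConn : 0l' is easy to misread as 01; write 0L. Computing the per-connection average once into a local before the printf would also keep the guard out of the argument list and make it reusable.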
[openssl] master update
The branch master has been updated via 7e7e034a10842dad3866c9447481b8527024bf44 (commit) from 3de7f014a985637361bdee775f78209300c88aae (commit) - Log - commit 7e7e034a10842dad3866c9447481b8527024bf44 Author: Pauli Date: Wed Mar 17 12:23:52 2021 +1000 apps: fix coverity 966560: division by zero Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14586) --- Summary of changes: apps/s_time.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/s_time.c b/apps/s_time.c index 2052a15c4f..386a81a78e 100644 --- a/apps/s_time.c +++ b/apps/s_time.c @@ -320,7 +320,8 @@ int s_time_main(int argc, char **argv) nConn, totalTime, ((double)nConn / totalTime), bytes_read); printf ("%d connections in %ld real seconds, %ld bytes read per connection\n", - nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn); + nConn, (long)time(NULL) - finishtime + maxtime, + nConn > 0 ? bytes_read / nConn : 0l); /* * Now loop and time connections using the same session id over and over
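Review bot: The 'nConn > 0' guard covers the bytes_read / nConn in this printf only, and the trailing context shows a second timing pass follows ("Now loop and time connections using the same session id over and over"). If that pass ends with the same summary printf it needs the same check; a small helper or a local holding the average would cover both places with one guard.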
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 1136fedc334b574eef6f551be158860fda4199f2 (commit) from 81198bf323ea9deda907714170d329ca7d2ff01f (commit) - Log - commit 1136fedc334b574eef6f551be158860fda4199f2 Author: Pauli Date: Wed Mar 17 12:00:42 2021 +1000 ssl: fix coverity 1451515: out of bounds memory access Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14585) (cherry picked from commit 3de7f014a985637361bdee775f78209300c88aae) --- Summary of changes: ssl/statem/statem_clnt.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index d84cc0460f..09fba3d8c0 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2905,6 +2905,7 @@ static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt) if (psklen > PSK_MAX_PSK_LEN) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR); +psklen = PSK_MAX_PSK_LEN; /* Avoid overrunning the array on cleanse */ goto err; } else if (psklen == 0) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
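Review bot: Clamping psklen on the 'psklen > PSK_MAX_PSK_LEN' branch fixes the cleanse for this one path, but it leaves the cleanup at err dependent on every branch keeping psklen within the array. Cleansing the whole array at err, independent of psklen, would remove that coupling and make the added assignment unnecessary.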
[openssl] master update
The branch master has been updated via 3de7f014a985637361bdee775f78209300c88aae (commit) from 145f12d12dc83c737676883c625c2a95d34251ed (commit) - Log - commit 3de7f014a985637361bdee775f78209300c88aae Author: Pauli Date: Wed Mar 17 12:00:42 2021 +1000 ssl: fix coverity 1451515: out of bounds memory access Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14585) --- Summary of changes: ssl/statem/statem_clnt.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index e7917be4fb..666ee43363 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2767,6 +2767,7 @@ static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt) if (psklen > PSK_MAX_PSK_LEN) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR); +psklen = PSK_MAX_PSK_LEN; /* Avoid overrunning the array on cleanse */ goto err; } else if (psklen == 0) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_PSK_IDENTITY_NOT_FOUND);
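Review bot: The 'else if (psklen == 0)' branch directly below the added line has the mirror-image problem if it also jumps to err: a cleanse bounded by psklen then clears nothing, whatever was written to the array before the check. Bounding the cleanse by the size of the array rather than by psklen would handle both the too-large and the zero case, and the clamp with its trailing comment could then go.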
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 81198bf323ea9deda907714170d329ca7d2ff01f (commit) from 8129ac6ac4c0ca3a488c225cde580ede7dabe874 (commit) - Log - commit 81198bf323ea9deda907714170d329ca7d2ff01f Author: Pauli Date: Wed Mar 17 11:40:13 2021 +1000 modes: fix coverity 1449851: overlapping memory copy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14584) (cherry picked from commit b875e0e820b07420429ebb90724ed28686a98853) --- Summary of changes: crypto/modes/cbc128.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/modes/cbc128.c b/crypto/modes/cbc128.c index 4595b0f502..78949c1ed7 100644 --- a/crypto/modes/cbc128.c +++ b/crypto/modes/cbc128.c @@ -115,7 +115,8 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out, out += 16; } } -memcpy(ivec, iv, 16); +if (ivec != iv) +memcpy(ivec, iv, 16); } else { if (STRICT_ALIGNMENT && ((size_t)in | (size_t)out | (size_t)ivec) % sizeof(size_t) != 0) {
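Review bot: The added 'if (ivec != iv)' in CRYPTO_cbc128_decrypt() only guards the exact-alias case; memcpy is still undefined for any partial overlap of the two 16-byte ranges. If iv can only ever be ivec itself or a block that is disjoint from it, that is fine, but it should be stated; otherwise memmove(ivec, iv, 16) covers both cases without the branch.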
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 8129ac6ac4c0ca3a488c225cde580ede7dabe874 (commit) from 081a7061f3da07318c4b0f5de67b82285630bf6b (commit) - Log - commit 8129ac6ac4c0ca3a488c225cde580ede7dabe874 Author: Pauli Date: Wed Mar 17 11:41:48 2021 +1000 modes: fix coverity 1449860: overlapping memory copy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14584) (cherry picked from commit 145f12d12dc83c737676883c625c2a95d34251ed) --- Summary of changes: crypto/modes/cbc128.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/modes/cbc128.c b/crypto/modes/cbc128.c index c85e37c6a5..4595b0f502 100644 --- a/crypto/modes/cbc128.c +++ b/crypto/modes/cbc128.c @@ -69,7 +69,8 @@ void CRYPTO_cbc128_encrypt(const unsigned char *in, unsigned char *out, in += 16; out += 16; } -memcpy(ivec, iv, 16); +if (ivec != iv) +memcpy(ivec, iv, 16); } void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
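Review bot: The bare 'if (ivec != iv)' before the memcpy in CRYPTO_cbc128_encrypt() looks like a micro-optimisation to a reader who has not seen the Coverity report. A short comment saying that iv can still point at ivec at this point, and that the copy would then overlap, would keep the guard from being removed in a later cleanup.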
[openssl] master update
The branch master has been updated via 145f12d12dc83c737676883c625c2a95d34251ed (commit) via b875e0e820b07420429ebb90724ed28686a98853 (commit) from cf3306dc6b37cc24ea50cebc227a9354fefce158 (commit) - Log - commit 145f12d12dc83c737676883c625c2a95d34251ed Author: Pauli Date: Wed Mar 17 11:41:48 2021 +1000 modes: fix coverity 1449860: overlapping memory copy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14584) commit b875e0e820b07420429ebb90724ed28686a98853 Author: Pauli Date: Wed Mar 17 11:40:13 2021 +1000 modes: fix coverity 1449851: overlapping memory copy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14584) --- Summary of changes: crypto/modes/cbc128.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/crypto/modes/cbc128.c b/crypto/modes/cbc128.c index df0ab244f8..86dd781c55 100644 --- a/crypto/modes/cbc128.c +++ b/crypto/modes/cbc128.c @@ -69,7 +69,8 @@ void CRYPTO_cbc128_encrypt(const unsigned char *in, unsigned char *out, in += 16; out += 16; } -memcpy(ivec, iv, 16); +if (ivec != iv) +memcpy(ivec, iv, 16); } void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out, @@ -114,7 +115,8 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out, out += 16; } } -memcpy(ivec, iv, 16); +if (ivec != iv) +memcpy(ivec, iv, 16); } else { if (STRICT_ALIGNMENT && ((size_t)in | (size_t)out | (size_t)ivec) % sizeof(size_t) != 0) {
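Review bot: Both hunks add the same guard, but the summary shows crypto/modes/cbc128.c as the only file changed, so nothing exercises the 'ivec == iv' case after the fix. A regression test that drives CRYPTO_cbc128_encrypt() and CRYPTO_cbc128_decrypt() through the path where iv is still ivec when the final copy is reached, and checks the resulting ivec, would pin the behaviour down for both functions.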
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-ec2m
Platform and configuration command: $ uname -a Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-ec2m Commit log since last time: 9a48544058 Make EVP_PKEY_missing_parameters work properly on provided RSA keys e08993eab6 evp_keymgmt_util_copy: Fix possible leak on copy failure 48fad58f7b apps/crl: Print just the hash value if printing just hash 50864bd2f7 Convert some TODO(3.0) comments in init.c to normal comments 19ad1e9d37 Remove a TODO(3.0) from EVP_PKEY_derive_set_peer() d11f644ba5 Fix up issues found when running evp_extra_test with a non-default library context 062490dbd0 Add testing for non-default library context into evp_extra_test 4139a0c6ec EVP_KDF-KB man page: fixup ABI/API change 1f79baa55e Remove TODOs from digest.c 7128458b8a params: clean up TODO 8f391c7d1b doc: remove TODOs about redesigning the AEAD API 95856e34bb prov: remove todos in rsa_keymgmt.c cc32fbdca1 prov: remove TODO in der_rsa_key.c d1f790de0c Add some encoder and decoder code examples 5db682733d Fix a TODO(3.0) in the siphash code 37cddb2e2d p_lib.c: Remove TODO comments a289d3a427 property_test: use property values that are not used elsewhere 2217d4c9cc core_get_libctx: use assert() instead of ossl_assert() a23deef281 provider_core: Remove two TODO 3.0 a8275fbc4a decoder_process: data_structure can be NULL 1e08f3ba9e property: default queries create the property values. 
bd55a0be1b Use --debug with no-caching build as sanitizers need it 92a36b3705 Add a CHANGES entry for EVP_PKEY_public_check() and EVP_KEY_param_check() 2cf8bb46fc Ensure that ECX keys pass EVP_PKEY_param_check() 2db5834c43 Add a CHANGES entry for the cosmetic differences in textual output d8a809db4b apps: Make load_key_certs_crls to read only what is expected ea51096e51 apps: Add maybe_stdin argument to load_certs and set it in pkcs12 8287a4c3b2 Tiny clarification of comment for RSA_sign 3a37ddde91 Fix DSA EVP_PKEY_param_check() when defaults are used for param generation. Build log ended with (last 100 lines): 70-test_sslcertstatus.t ok 70-test_sslextension.t . ok 70-test_sslmessages.t .. ok 70-test_sslrecords.t ... ok 70-test_sslsessiontick.t ... ok 70-test_sslsigalgs.t ... ok 70-test_sslsignature.t . ok 70-test_sslskewith0p.t . ok 70-test_sslversions.t .. ok 70-test_sslvertol.t ok 70-test_tls13alerts.t .. ok 70-test_tls13cookie.t .. ok 70-test_tls13downgrade.t ... ok 70-test_tls13hrr.t . ok 70-test_tls13kexmodes.t ok 70-test_tls13messages.t ok 70-test_tls13psk.t . ok 70-test_tlsextms.t . ok 70-test_verify_extra.t . ok 70-test_wpacket.t .. ok 71-test_ssl_ctx.t .. ok 80-test_ca.t ... ok 80-test_cipherbytes.t .. ok 80-test_cipherlist.t ... ok 80-test_ciphername.t ... ok # 80-test_cmp_http.t . ok # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... ok 80-test_dane.t . ok 80-test_dtls.t . ok 80-test_dtls_mtu.t . ok 80-test_dtlsv1listen.t . ok 80-test_http.t . ok 80-test_ocsp.t . ok 80-test_pkcs12.t ... ok 80-test_ssl_new.t .. ok 80-test_ssl_old.t .. ok 80-test_ssl_test_ctx.t . ok 80-test_sslcorrupt.t ... ok 80-test_tsa.t .. ok 80-test_x509aux.t .. ok 81-test_cmp_cli.t .. ok 90-test_asn1_time.t ok 90-test_async.t ok 90-test_bio_enc.t .. ok 90-test_bio_memleak.t .. ok 90-test_constant_time.t ok 90-test_fatalerr.t . ok 90-test_fipsload.t . ok 90-test_gmdiff.t ... ok 90-test_gost.t . ok 90-test_ige.t .. ok 90-test_includes.t . ok 90-test_memleak.t .. 
ok 90-test_overhead.t . ok 90-test_secmem.t ... ok 90-test_shlibload.t ok 90-test_srp.t .. ok 90-test_sslapi.t ... ok 90-test_sslbuffers.t ... ok 90-test_store.t ok 90-test_sysdefault.t ... ok 90-test_threads.t .. ok 90-test_time_offset.t .. ok 90-test_tls13ccs.t . ok 90-test_tls13encryption.t .. ok 90-test_tls13secrets.t . ok 90-test_v3name.t ... ok 91-test_pkey_check.t ... ok 95-test_external_boringssl.t ... skipped: No external tests in this
[openssl] master update
The branch master has been updated via cf3306dc6b37cc24ea50cebc227a9354fefce158 (commit) from 628d2d3a7f2318b6a6a1c36f9d8d12032c69a9dd (commit) - Log - commit cf3306dc6b37cc24ea50cebc227a9354fefce158 Author: Jon Spillett Date: Wed Mar 17 13:59:29 2021 +1000 Remove TODO comment. Resolves #14396 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14588) --- Summary of changes: crypto/evp/ec_support.c | 7 --- 1 file changed, 7 deletions(-) diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c index b06157098f..24337a5eac 100644 --- a/crypto/evp/ec_support.c +++ b/crypto/evp/ec_support.c @@ -122,13 +122,6 @@ const char *ossl_ec_curve_nid2name(int nid) if (nid <= 0) return NULL; -/* - * TODO(3.0) Figure out if we should try to find the nid with - * EC_curve_nid2nist() first, i.e. make it a priority to return - * NIST names if there is one for the NID. This is related to - * the TODO comment in ossl_ec_curve_name2nid(). - */ - for (i = 0; i < OSSL_NELEM(curve_list); i++) { if (curve_list[i].nid == nid) return curve_list[i].name;
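Review bot: The comment removed from ossl_ec_curve_nid2name() posed an open question (whether to prefer the name from EC_curve_nid2nist() when one exists), and deleting it drops the question without recording the answer. If the decision is to keep returning the curve_list name as is, a one-line ordinary comment saying so would be more useful than silence. The removed text also points at a related TODO in ossl_ec_curve_name2nid(); the summary shows only these 7 deletions, so please confirm that one is handled as well.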
[openssl] master update
The branch master has been updated via 628d2d3a7f2318b6a6a1c36f9d8d12032c69a9dd (commit) from c8830891e6cb8d0782986662ca50b8fa7c97f49f (commit) - Log - commit 628d2d3a7f2318b6a6a1c36f9d8d12032c69a9dd Author: Kevin Cadieux Date: Tue Mar 16 20:23:38 2021 -0700 Fixing stack buffer overflow error caused by incorrectly sized array. CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14582) --- Summary of changes: test/params_api_test.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/params_api_test.c b/test/params_api_test.c index 38d6913ec5..c1dbdad129 100644 --- a/test/params_api_test.c +++ b/test/params_api_test.c @@ -390,8 +390,8 @@ static int test_param_size_t(int n) static int test_param_time_t(int n) { time_t in, out; -unsigned char buf[MAX_LEN], cmp[sizeof(size_t)]; -const size_t len = raw_values[n].len >= sizeof(size_t) +unsigned char buf[MAX_LEN], cmp[sizeof(time_t)]; +const size_t len = raw_values[n].len >= sizeof(time_t) ? sizeof(time_t) : raw_values[n].len; OSSL_PARAM param = OSSL_PARAM_time_t("a", NULL);
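Review bot: In test_param_time_t() the type name is still spelled out three times after the fix ('cmp[sizeof(time_t)]', '>= sizeof(time_t)', '? sizeof(time_t)'), which is presumably how the size_t leftovers from test_param_size_t() above got in. Sizing from the variable instead, for example cmp[sizeof(in)] and sizeof(in) in the len expression, keeps the buffer and the bound tied to the value under test. The other test_param_* functions in this file deserve the same check for a leftover sizeof(size_t).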
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dso
Platform and configuration command: $ uname -a Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dso Commit log since last time: 9a48544058 Make EVP_PKEY_missing_parameters work properly on provided RSA keys e08993eab6 evp_keymgmt_util_copy: Fix possible leak on copy failure 48fad58f7b apps/crl: Print just the hash value if printing just hash 50864bd2f7 Convert some TODO(3.0) comments in init.c to normal comments 19ad1e9d37 Remove a TODO(3.0) from EVP_PKEY_derive_set_peer() d11f644ba5 Fix up issues found when running evp_extra_test with a non-default library context 062490dbd0 Add testing for non-default library context into evp_extra_test 4139a0c6ec EVP_KDF-KB man page: fixup ABI/API change 1f79baa55e Remove TODOs from digest.c 7128458b8a params: clean up TODO 8f391c7d1b doc: remove TODOs about redesigning the AEAD API 95856e34bb prov: remove todos in rsa_keymgmt.c cc32fbdca1 prov: remove TODO in der_rsa_key.c d1f790de0c Add some encoder and decoder code examples 5db682733d Fix a TODO(3.0) in the siphash code 37cddb2e2d p_lib.c: Remove TODO comments a289d3a427 property_test: use property values that are not used elsewhere 2217d4c9cc core_get_libctx: use assert() instead of ossl_assert() a23deef281 provider_core: Remove two TODO 3.0 a8275fbc4a decoder_process: data_structure can be NULL 1e08f3ba9e property: default queries create the property values. 
bd55a0be1b Use --debug with no-caching build as sanitizers need it 92a36b3705 Add a CHANGES entry for EVP_PKEY_public_check() and EVP_KEY_param_check() 2cf8bb46fc Ensure that ECX keys pass EVP_PKEY_param_check() 2db5834c43 Add a CHANGES entry for the cosmetic differences in textual output d8a809db4b apps: Make load_key_certs_crls to read only what is expected ea51096e51 apps: Add maybe_stdin argument to load_certs and set it in pkcs12 8287a4c3b2 Tiny clarification of comment for RSA_sign 3a37ddde91 Fix DSA EVP_PKEY_param_check() when defaults are used for param generation. Build log ended with (last 100 lines): 70-test_sslcertstatus.t skipped: test_sslcertstatus needs the dynamic engine feature enabled 70-test_sslextension.t . skipped: test_sslextension needs the dynamic engine feature enabled 70-test_sslmessages.t .. skipped: test_sslmessages needs the dynamic engine feature enabled 70-test_sslrecords.t ... skipped: test_sslrecords needs the dynamic engine feature enabled 70-test_sslsessiontick.t ... skipped: test_sslsessiontick needs the dynamic engine feature enabled 70-test_sslsigalgs.t ... skipped: test_sslsigalgs needs the dynamic engine feature enabled 70-test_sslsignature.t . skipped: test_sslsignature needs the dynamic engine feature enabled 70-test_sslskewith0p.t . skipped: test_sslskewith0p needs the dynamic engine feature enabled 70-test_sslversions.t .. skipped: test_sslversions needs the dynamic engine feature enabled 70-test_sslvertol.t skipped: test_sslextension needs the dynamic engine feature enabled 70-test_tls13alerts.t .. skipped: test_tls13alerts needs the dynamic engine feature enabled 70-test_tls13cookie.t .. skipped: test_tls13cookie needs the dynamic engine feature enabled 70-test_tls13downgrade.t ... skipped: test_tls13downgrade needs the dynamic engine feature enabled 70-test_tls13hrr.t . 
skipped: test_tls13hrr needs the dynamic engine feature enabled 70-test_tls13kexmodes.t skipped: test_tls13kexmodes needs the dynamic engine feature enabled 70-test_tls13messages.t skipped: test_tls13messages needs the dynamic engine feature enabled 70-test_tls13psk.t . skipped: test_tls13psk needs the dynamic engine feature enabled 70-test_tlsextms.t . skipped: test_tlsextms needs the dynamic engine feature enabled 70-test_verify_extra.t . ok 70-test_wpacket.t .. ok 71-test_ssl_ctx.t .. ok 80-test_ca.t ... ok 80-test_cipherbytes.t .. ok 80-test_cipherlist.t ... ok 80-test_ciphername.t ... ok # 80-test_cmp_http.t . ok # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... ok 80-test_dane.t . ok 80-test_dtls.t . ok 80-test_dtls_mtu.t . ok 80-test_dtlsv1listen.t . ok 80-test_http.t . ok 80-test_ocsp.t . ok 80-test_pkcs12.t ... ok 80-test_ssl_new.t .. ok 80-test_ssl_old.t .. ok 80-test_ssl_test_ctx.t . ok 80-test_sslcorrupt.t ... ok 80-test_tsa.t .. ok 80-test_x509aux.t .. ok 81-test_cmp_cli.t
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des
Platform and configuration command:

$ uname -a
Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-des

Commit log since last time:

9a48544058 Make EVP_PKEY_missing_parameters work properly on provided RSA keys
e08993eab6 evp_keymgmt_util_copy: Fix possible leak on copy failure
48fad58f7b apps/crl: Print just the hash value if printing just hash
50864bd2f7 Convert some TODO(3.0) comments in init.c to normal comments
19ad1e9d37 Remove a TODO(3.0) from EVP_PKEY_derive_set_peer()
d11f644ba5 Fix up issues found when running evp_extra_test with a non-default library context
062490dbd0 Add testing for non-default library context into evp_extra_test
4139a0c6ec EVP_KDF-KB man page: fixup ABI/API change
1f79baa55e Remove TODOs from digest.c
7128458b8a params: clean up TODO
8f391c7d1b doc: remove TODOs about redesigning the AEAD API
95856e34bb prov: remove todos in rsa_keymgmt.c
cc32fbdca1 prov: remove TODO in der_rsa_key.c
d1f790de0c Add some encoder and decoder code examples
5db682733d Fix a TODO(3.0) in the siphash code
37cddb2e2d p_lib.c: Remove TODO comments
a289d3a427 property_test: use property values that are not used elsewhere
2217d4c9cc core_get_libctx: use assert() instead of ossl_assert()
a23deef281 provider_core: Remove two TODO 3.0
a8275fbc4a decoder_process: data_structure can be NULL
1e08f3ba9e property: default queries create the property values.
bd55a0be1b Use --debug with no-caching build as sanitizers need it
92a36b3705 Add a CHANGES entry for EVP_PKEY_public_check() and EVP_KEY_param_check()
2cf8bb46fc Ensure that ECX keys pass EVP_PKEY_param_check()
2db5834c43 Add a CHANGES entry for the cosmetic differences in textual output
d8a809db4b apps: Make load_key_certs_crls to read only what is expected
ea51096e51 apps: Add maybe_stdin argument to load_certs and set it in pkcs12
8287a4c3b2 Tiny clarification of comment for RSA_sign
3a37ddde91 Fix DSA EVP_PKEY_param_check() when defaults are used for param generation.

Build log ended with (last 100 lines):

70-test_sslrecords.t ... ok
70-test_sslsessiontick.t ... ok
70-test_sslsigalgs.t ... ok
70-test_sslsignature.t . ok
70-test_sslskewith0p.t . ok
70-test_sslversions.t .. ok
70-test_sslvertol.t ok
70-test_tls13alerts.t .. ok
70-test_tls13cookie.t .. ok
70-test_tls13downgrade.t ... ok
70-test_tls13hrr.t . ok
70-test_tls13kexmodes.t ok
70-test_tls13messages.t ok
70-test_tls13psk.t . ok
70-test_tlsextms.t . ok
70-test_verify_extra.t . ok
70-test_wpacket.t .. ok
71-test_ssl_ctx.t .. ok
80-test_ca.t ... ok
80-test_cipherbytes.t .. ok
80-test_cipherlist.t ... ok
80-test_ciphername.t ... ok
#
80-test_cmp_http.t . ok
#
80-test_cms.t .. ok
80-test_cmsapi.t ... ok
80-test_ct.t ... ok
80-test_dane.t . ok
80-test_dtls.t . ok
80-test_dtls_mtu.t . ok
80-test_dtlsv1listen.t . ok
80-test_http.t . ok
80-test_ocsp.t . ok
80-test_pkcs12.t ... skipped: The PKCS12 command line utility is not supported by this OpenSSL build
80-test_ssl_new.t .. ok
80-test_ssl_old.t .. ok
80-test_ssl_test_ctx.t . ok
80-test_sslcorrupt.t ... ok
80-test_tsa.t .. ok
80-test_x509aux.t .. ok
81-test_cmp_cli.t .. ok
90-test_asn1_time.t ok
90-test_async.t ok
90-test_bio_enc.t .. ok
90-test_bio_memleak.t .. ok
90-test_constant_time.t ok
90-test_fatalerr.t . ok
90-test_fipsload.t . ok
90-test_gmdiff.t ... ok
90-test_gost.t . ok
90-test_ige.t .. ok
90-test_includes.t . ok
90-test_memleak.t .. ok
90-test_overhead.t . ok
90-test_secmem.t ... ok
90-test_shlibload.t ok
90-test_srp.t .. ok
90-test_sslapi.t ... ok
90-test_sslbuffers.t ... ok
90-test_store.t ok
90-test_sysdefault.t ... ok
90-test_threads.t .. ok
90-test_time_offset.t .. ok
90-test_tls13ccs.t . ok
90-test_tls13encryption.t .. ok
90-test_tls13secrets.t . ok
90-test_v3name.t ... ok
91-test_pkey_check.t ... ok
95-test_external_boringssl.t ... skipped: No external tests in this configuration
95-test_external_gost_engine.t .
[openssl] master update
The branch master has been updated
       via  63b64f19c13d59d68dc2e525f454aea62a739842 (commit)
       via  bef876f97e26309ccd20f916cf1e5e305735ee98 (commit)
       via  6b937ae3a7a2dfac55d25a18bd6d5a084c24e3d5 (commit)
       via  49f07be43d031f0407db8ae1b8cdf6452a79e558 (commit)
      from  d07d8057991712261323c05bb022d000a01404d0 (commit)

- Log -
commit 63b64f19c13d59d68dc2e525f454aea62a739842
Author: Dr. David von Oheimb
Date: Fri Mar 12 19:45:40 2021 +0100

    TS and CMS CAdES-BES: Refactor check_signing_certs() funcs into common ESS func

    Also constify related CMS/PKCS7 functions and improve error codes thrown.

    Reviewed-by: Tomas Mraz
    (Merged from https://github.com/openssl/openssl/pull/14503)

commit bef876f97e26309ccd20f916cf1e5e305735ee98
Author: Dr. David von Oheimb
Date: Fri Mar 12 15:54:34 2021 +0100

    ts_check_signing_certs(): Make sure both ESSCertID and ESSCertIDv2 are checked

    Reviewed-by: Tomas Mraz
    (Merged from https://github.com/openssl/openssl/pull/14503)

commit 6b937ae3a7a2dfac55d25a18bd6d5a084c24e3d5
Author: Dr. David von Oheimb
Date: Wed Mar 10 17:21:37 2021 +0100

    TS ESS: Invert the search logic of ts_check_signing_certs() to correctly cover cert ID list

    Fixes #14190

    Reviewed-by: Tomas Mraz
    (Merged from https://github.com/openssl/openssl/pull/14503)

commit 49f07be43d031f0407db8ae1b8cdf6452a79e558
Author: Dr. David von Oheimb
Date: Sat Mar 13 11:29:19 2021 +0100

    apps.c: Fix missing newline in warn_cert_msg() output

    Reviewed-by: Tomas Mraz
    (Merged from https://github.com/openssl/openssl/pull/14503)

---

Summary of changes:
 CHANGES.md | 9 ++
 apps/cms.c | 6 +-
 apps/lib/apps.c | 2 +-
 crypto/cms/cms_att.c | 3 +-
 crypto/cms/cms_err.c | 2 -
 crypto/cms/cms_ess.c | 63 +-
 crypto/cms/cms_local.h | 3 +-
 crypto/cms/cms_smime.c | 2 +-
 crypto/err/openssl.txt | 10 +-
 crypto/ess/ess_asn1.c | 4 +-
 crypto/ess/ess_err.c | 14 ++-
 crypto/ess/ess_lib.c | 127 -
 crypto/pkcs7/pk7_doit.c | 8 +-
 crypto/ts/ts_rsp_verify.c | 60 ++
 doc/man1/openssl-cms.pod.in | 26 +++--
 doc/man1/openssl-ts.pod.in | 11 +-
 doc/man3/CMS_verify.pod | 4 +-
 include/crypto/cms.h | 4 +-
 include/crypto/ess.h | 12 +-
 include/crypto/esserr.h | 2 +-
 include/openssl/cms.h.in | 3 +-
 include/openssl/cmserr.h | 1 -
 include/openssl/esserr.h | 6 +
 include/openssl/pkcs7.h.in | 4 +-
 test/recipes/80-test_cms.t | 10 +-
 test/recipes/80-test_tsa.t | 96 +++-
 test/recipes/80-test_tsa_data/all-zero.tsq | Bin 0 -> 59 bytes
 test/recipes/80-test_tsa_data/comodo-aaa.pem | 25
 test/recipes/80-test_tsa_data/sectigo-all-zero.tsr | Bin 0 -> 4981 bytes
 test/recipes/80-test_tsa_data/sectigo-signer.pem | 40 +++
 .../80-test_tsa_data/sectigo-time-stamping-ca.pem | 39 +++
 .../recipes/80-test_tsa_data/user-trust-ca-aaa.pem | 32 ++
 test/recipes/80-test_tsa_data/user-trust-ca.pem | 34 ++
 33 files changed, 415 insertions(+), 247 deletions(-)
 create mode 100644 test/recipes/80-test_tsa_data/all-zero.tsq
 create mode 100644 test/recipes/80-test_tsa_data/comodo-aaa.pem
 create mode 100644 test/recipes/80-test_tsa_data/sectigo-all-zero.tsr
 create mode 100644 test/recipes/80-test_tsa_data/sectigo-signer.pem
 create mode 100644 test/recipes/80-test_tsa_data/sectigo-time-stamping-ca.pem
 create mode 100644 test/recipes/80-test_tsa_data/user-trust-ca-aaa.pem
 create mode 100644 test/recipes/80-test_tsa_data/user-trust-ca.pem

diff --git a/CHANGES.md b/CHANGES.md index e51e61a96b..f6800a337d 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -58,6 +58,15 @@ OpenSSL 3.0 *Richard Levitte* + * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035) + for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations. + As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present. + Correct the semantics of checking the validation chain in case ESSCertID{,v2} + contains more than one certificate
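
Review bot: The added CHANGES.md line "As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present" announces a change in what TSP and CAdES verification accepts, but the visible part of the entry does not tell users that input which verified under earlier releases may now be rejected. Since this is the user-facing changelog, I would say so explicitly and name the verification paths concerned, so that anyone who sees a new failure from timestamp or CAdES verification can find the cause here. Two wording points in the same entry: "ESSCertID{,v2}" is shell brace shorthand and would read more clearly as "ESSCertID or ESSCertIDv2", and "if both present" should be "if both are present", with a comma after "As required by RFC 5035".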