[openssl] master update

2021-03-18 Thread Dr. Paul Dale
The branch master has been updated
   via  2154a7a754f7347892ef060d5ab4072b8a86d440 (commit)
  from  9fe4f5bc82bb7b5352ce4f55c86d53ce802f5053 (commit)


- Log -
commit 2154a7a754f7347892ef060d5ab4072b8a86d440
Author: Matt Caswell 
Date:   Tue Mar 16 15:29:46 2021 +

Update README-FIPS.md

The README-FIPS.md file was still the one used from 1.1.1. We update it
with 3.0 specific information.

Fixes #14237

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/14575)

---

Summary of changes:
 README-FIPS.md | 443 -
 1 file changed, 442 insertions(+), 1 deletion(-)

diff --git a/README-FIPS.md b/README-FIPS.md
index ec70370177..0ea41daa46 100644
--- a/README-FIPS.md
+++ b/README-FIPS.md
@@ -1,4 +1,445 @@
 OpenSSL FIPS support
 
 
-This release does not support a FIPS 140-2 validated module.
+This release of OpenSSL includes a cryptographic module that is intended to be
+FIPS 140-2 validated. The module is implemented as an OpenSSL provider. See
+the [README-PROVIDERS](README-PROVIDERS.md) file for further details about
+providers.
+
+Installing the FIPS module
+==
+
+Once OpenSSL has been built and installed you will need to take explicit steps
+to complete the installation of the FIPS module (if you wish to use it). The
+OpenSSL 3.0 FIPS support is in the form of the FIPS provider which, on Unix, is
+in a `fips.so` file. On Windows this will be called `fips.dll`. Following
+installation of OpenSSL 3.0 the default location for this file is
+`/usr/local/lib/ossl-modules/fips.so` on Unix or
+`C:\Program Files\OpenSSL\lib\ossl-modules\fips.dll` on Windows.
+
+To complete the installation you need to run the `fipsinstall` command line
+application. This does 2 things:
+
+- Runs the FIPS module self tests
+- Generates FIPS module config file output containing information about the
+module such as the self test status, and the module checksum.
+
+The FIPS module must have the self tests run, and the FIPS module config file
+output generated on every machine that it is to be used on. You must not copy
+the FIPS module config file output data from one machine to another.
+
+For example, to install the FIPS module to its default location on Unix:
+
+$ openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module 
/usr/local/lib/ossl-modules/fips.so
+
+If you installed OpenSSL to a different location, you need to adjust the output
+and module path accordingly.
+
+
+Using the FIPS Module in applications
+=
+
+There are a number of different ways that OpenSSL can be used in conjunction
+with the FIPS module. Which is the correct approach to use will depend on your
+own specific circumstances and what you are attempting to achieve. Note that 
the
+old functions `FIPS_mode()` and `FIPS_mode_set()` are no longer present so you
+must remove them from your application if you use them.
+
+Applications written to use the OpenSSL 3.0 FIPS module should not use any
+legacy APIs or features that avoid the FIPS module. Specifically this includes:
+
+- Low level cryptographic APIs (use the high level APIs, such as EVP, instead)
+- Engines
+- Any functions that create or modify custom "METHODS" (for example
+`EVP_MD_meth_new`, `EVP_CIPHER_meth_new`, `EVP_PKEY_meth_new`, `RSA_meth_new`,
+`EC_KEY_METHOD_new`, etc.)
+
+All of the above APIs are deprecated in OpenSSL 3.0 - so a simple rule is to
+avoid using all deprecated functions.
+
+Making all applications use the FIPS module by default
+--
+
+One simple approach is to cause all applications that are using OpenSSL to only
+use the FIPS module for cryptographic algorithms by default.
+
+This approach can be done purely via configuration. As long as applications are
+built and linked against OpenSSL 3.0 and do not override the loading of the
+default config file or its settings then they can automatically start using the
+FIPS module without the need for any further code changes.
+
+To do this the default OpenSSL config file will have to be modified. The
+location of this config file will depend on the platform, and any options that
+were given during the build process. You can check the location of the config
+file by running this command:
+
+$ openssl version -d
+OPENSSLDIR: "/usr/local/ssl"
+
+Caution: Many Operating Systems install OpenSSL by default. It is a common 
error
+to not have the correct version of OpenSSL on your $PATH. Check that you are
+running an OpenSSL 3.0 version like this:
+
+$ openssl version -v
+OpenSSL 3.0.0-dev xx XXX  (Library: OpenSSL 3.0.0-dev xx XXX )
+
+The OPENSSLDIR value above gives the directory name for 
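
Review bot: In the "Installing the FIPS module" section, the rule that the FIPS module config file output must not be copied from one machine to another is given without a reason. The text already says the output records the self test status and the module checksum, so one more sentence explaining that a copied file would carry a self test result that was never produced on the target machine would make the rule harder to ignore. The `fipsinstall` example also writes to `/usr/local/ssl/fipsmodule.cnf` before the text has shown `openssl version -d`, so consider pointing to that command at the install step.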

Build failed: openssl master.40812

2021-03-18 Thread AppVeyor



Build openssl master.40812 failed


Commit 11eac04df0 by Kevin Cadieux on 3/17/2021 12:12 AM:

memleaktest with MSVC's AddressSanitizer





Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module

2021-03-18 Thread OpenSSL run-checker
Platform and configuration command:

$ uname -a
Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module

Commit log since last time:

9a48544058 Make EVP_PKEY_missing_parameters work properly on provided RSA keys
e08993eab6 evp_keymgmt_util_copy: Fix possible leak on copy failure
48fad58f7b apps/crl: Print just the hash value if printing just hash
50864bd2f7 Convert some TODO(3.0) comments in init.c to normal comments
19ad1e9d37 Remove a TODO(3.0) from EVP_PKEY_derive_set_peer()
d11f644ba5 Fix up issues found when running evp_extra_test with a non-default 
library context
062490dbd0 Add testing for non-default library context into evp_extra_test
4139a0c6ec EVP_KDF-KB man page: fixup ABI/API change
1f79baa55e Remove TODOs from digest.c
7128458b8a params: clean up TODO
8f391c7d1b doc: remove TODOs about redesigning the AEAD API
95856e34bb prov: remove todos in rsa_keymgmt.c
cc32fbdca1 prov: remove TODO in der_rsa_key.c
d1f790de0c Add some encoder and decoder code examples
5db682733d Fix a TODO(3.0) in the siphash code
37cddb2e2d p_lib.c: Remove TODO comments
a289d3a427 property_test: use property values that are not used elsewhere
2217d4c9cc core_get_libctx: use assert() instead of ossl_assert()
a23deef281 provider_core: Remove two TODO 3.0
a8275fbc4a decoder_process: data_structure can be NULL
1e08f3ba9e property: default queries create the property values.
bd55a0be1b Use --debug with no-caching build as sanitizers need it
92a36b3705 Add a CHANGES entry for EVP_PKEY_public_check() and 
EVP_KEY_param_check()
2cf8bb46fc Ensure that ECX keys pass EVP_PKEY_param_check()
2db5834c43 Add a CHANGES entry for the cosmetic differences in textual output
d8a809db4b apps: Make load_key_certs_crls to read only what is expected
ea51096e51 apps: Add maybe_stdin argument to load_certs and set it in pkcs12
8287a4c3b2 Tiny clarification of comment for RSA_sign
3a37ddde91 Fix DSA EVP_PKEY_param_check() when defaults are used for param 
generation.

Build log ended with (last 100 lines):

# --
#   Failed test 'popo NONE'
#   at ../openssl/test/recipes/80-test_cmp_http.t line 145.
Warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a 
CA cert# cmp_main:../openssl/apps/cmp.c:2578:CMP info: using section(s) 'Mock 
enrollment' of OpenSSL configuration file '../Mock/test.cnf'
# opt_str:../openssl/apps/cmp.c:2177:CMP warning: argument of -proxy option is 
empty string, resetting option
# setup_client_ctx:../openssl/apps/cmp.c:1894:CMP info: will contact 
http://127.0.0.1:1700/pkix/
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:167:CMP info: sending IR
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:187:CMP info: received 
IP
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:167:CMP info: sending 
CERTCONF
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:187:CMP info: received 
PKICONF
# save_free_certs:../openssl/apps/cmp.c:1944:CMP info: received 1 enrolled 
certificate(s), saving to file 
'../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo6.pem'
../../../../../enable-fuzz-afl/util/wrap.pl 
../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf 
-section 'Mock enrollment' -certout 
../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.cert.pem -proxy '' 
-no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 2 
-certout 
../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo6.pem 
-out_trusted root.crt => 0
not ok 48 - popo KEYENC not supported
# --
# Looks like you failed 3 tests of 92.
not ok 5 - CMP app CLI Mock enrollment
# --
# 
#   Failed test 'CMP app CLI Mock enrollment
# '
#   at 
/home/openssl/run-checker/enable-fuzz-afl/../openssl/util/perl/OpenSSL/Test.pm 
line 1335.
# Looks like you failed 3 tests of 5.80-test_cmp_http.t . 
Dubious, test returned 3 (wstat 768, 0x300)
Failed 3/5 subtests 


Build failed: openssl master.40810

2021-03-18 Thread AppVeyor



Build openssl master.40810 failed


Commit 0939a68eb5 by Ben Avison on 3/10/2021 3:54 PM:

ARM assembly pack: translate bit-sliced AES implementation to AArch64





[openssl] master update

2021-03-18 Thread Dr. Paul Dale
The branch master has been updated
   via  9fe4f5bc82bb7b5352ce4f55c86d53ce802f5053 (commit)
  from  ee067bc066ccc21462a1a489f8f1314c7207c01f (commit)


- Log -
commit 9fe4f5bc82bb7b5352ce4f55c86d53ce802f5053
Author: Richard Levitte 
Date:   Thu Mar 18 16:52:38 2021 +0100

Fix a missing rand -> ossl_rand rename

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/14609)

---

Summary of changes:
 providers/implementations/rands/seeding/rand_cpu_x86.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/providers/implementations/rands/seeding/rand_cpu_x86.c 
b/providers/implementations/rands/seeding/rand_cpu_x86.c
index 0bdf1c302f..39da74e293 100644
--- a/providers/implementations/rands/seeding/rand_cpu_x86.c
+++ b/providers/implementations/rands/seeding/rand_cpu_x86.c
@@ -35,7 +35,7 @@ static size_t get_hardware_random_value(unsigned char *buf, 
size_t len);
  * Returns the total entropy count, if it exceeds the requested
  * entropy count. Otherwise, returns an entropy count of 0.
  */
-size_t prov_acquire_entropy_from_cpu(RAND_POOL *pool)
+size_t ossl_prov_acquire_entropy_from_cpu(RAND_POOL *pool)
 {
 size_t bytes_needed;
 unsigned char *buffer;


Build failed: openssl master.40808

2021-03-18 Thread AppVeyor



Build openssl master.40808 failed


Commit cab996b157 by Pauli on 3/17/2021 12:30 PM:

fixup! evp: fix coverity 1473381 - dereference after null check





Build failed: openssl master.40798

2021-03-18 Thread AppVeyor



Build openssl master.40798 failed


Commit 06bb02f524 by Tomas Mraz on 3/17/2021 8:47 AM:

fixup! Added functions for printing EVP_PKEYs to FILE *





[openssl] master update

2021-03-18 Thread Matt Caswell
The branch master has been updated
   via  ee067bc066ccc21462a1a489f8f1314c7207c01f (commit)
  from  7e7e034a10842dad3866c9447481b8527024bf44 (commit)


- Log -
commit ee067bc066ccc21462a1a489f8f1314c7207c01f
Author: Matt Caswell 
Date:   Tue Mar 16 12:03:08 2021 +

Ensure we deregister thread handlers even after a failed init

If we attempt to init a provider but that init fails, then we should
still deregister any thread handlers. The provider may have failed after
these were registered.

Fixes #13338

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/14576)

---

Summary of changes:
 crypto/provider_core.c | 13 ++---
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/crypto/provider_core.c b/crypto/provider_core.c
index 4d77108c33..632ea72a5d 100644
--- a/crypto/provider_core.c
+++ b/crypto/provider_core.c
@@ -359,9 +359,6 @@ void ossl_provider_free(OSSL_PROVIDER *prov)
  */
 if (ref == 0) {
 if (prov->flag_initialized) {
-#ifndef FIPS_MODULE
-ossl_init_thread_deregister(prov);
-#endif
 if (prov->teardown != NULL)
 prov->teardown(prov->provctx);
 #ifndef OPENSSL_NO_ERR
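
Review bot: Taking `ossl_init_thread_deregister(prov)` out of the `flag_initialized` block changes ordering as well as coverage: the call used to run before `prov->teardown(prov->provctx)`, and after this patch it runs after teardown. If a thread stop handler registered by the provider can fire in that window it would see a torn-down `provctx`; either keep a deregister call ahead of teardown or say in the new comment why the later position is safe.
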
@@ -380,6 +377,12 @@ void ossl_provider_free(OSSL_PROVIDER *prov)
 }
 
 #ifndef FIPS_MODULE
+/*
+ * We deregister thread handling whether or not the provider was
+ * initialized. If init was attempted but was not successful then
+ * the provider may still have registered a thread handler.
+ */
+ossl_init_thread_deregister(prov);
 DSO_free(prov->module);
 #endif
 OPENSSL_free(prov->name);
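
Review bot: The added `ossl_init_thread_deregister(prov)` is unconditional inside `#ifndef FIPS_MODULE`, so it also runs for a provider on which init was never attempted, while the comment covers the failed-init case only. Please state in the comment that deregistering with no handlers registered is harmless, and consider a test for the failed-init path, since the summary shows only `crypto/provider_core.c` changing.
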
@@ -561,10 +564,6 @@ static int provider_init(OSSL_PROVIDER *prov)
 _dispatch, _provctx)) {
 ERR_raise_data(ERR_LIB_CRYPTO, ERR_R_INIT_FAIL,
"name=%s", prov->name);
-#ifndef FIPS_MODULE
-DSO_free(prov->module);
-prov->module = NULL;
-#endif
 goto end;
 }
 prov->provctx = tmp_provctx;
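
Review bot: Dropping `DSO_free(prov->module)` and `prov->module = NULL` from the `ERR_R_INIT_FAIL` path leaves the module loaded after a failed init until `ossl_provider_free()` releases it, and nothing at this site says so. A short comment before `goto end` explaining that the module is kept loaded on purpose, presumably so that handlers it registered can still be deregistered first, would stop someone from restoring the early free.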


[openssl] OpenSSL_1_1_1-stable update

2021-03-18 Thread Dr. Paul Dale
The branch OpenSSL_1_1_1-stable has been updated
   via  f9398cc2b31858ddaaea3f5cfec2fce7f9b90347 (commit)
  from  1136fedc334b574eef6f551be158860fda4199f2 (commit)


- Log -
commit f9398cc2b31858ddaaea3f5cfec2fce7f9b90347
Author: Pauli 
Date:   Wed Mar 17 12:23:52 2021 +1000

apps: fix coverity 966560: division by zero

Reviewed-by: Tomas Mraz 
Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/14586)

(cherry picked from commit 7e7e034a10842dad3866c9447481b8527024bf44)

---

Summary of changes:
 apps/s_time.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/s_time.c b/apps/s_time.c
index 628e65b26e..eabf3c1a79 100644
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -263,7 +263,8 @@ int s_time_main(int argc, char **argv)
  nConn, totalTime, ((double)nConn / totalTime), bytes_read);
 printf
 ("%d connections in %ld real seconds, %ld bytes read per connection\n",
- nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);
+ nConn, (long)time(NULL) - finishtime + maxtime,
+ nConn > 0 ? bytes_read / nConn : 0l);
 
 /*
  * Now loop and time connections using the same session id over and over
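
Review bot: The guard covers `bytes_read / nConn` only; the context line just above it still computes `(double)nConn / totalTime` with no check. If `totalTime` can be zero in the same run that leaves `nConn` at zero, that report prints a meaningless rate, so consider guarding it the same way.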


[openssl] master update

2021-03-18 Thread Dr. Paul Dale
The branch master has been updated
   via  7e7e034a10842dad3866c9447481b8527024bf44 (commit)
  from  3de7f014a985637361bdee775f78209300c88aae (commit)


- Log -
commit 7e7e034a10842dad3866c9447481b8527024bf44
Author: Pauli 
Date:   Wed Mar 17 12:23:52 2021 +1000

apps: fix coverity 966560: division by zero

Reviewed-by: Tomas Mraz 
Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/14586)

---

Summary of changes:
 apps/s_time.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/s_time.c b/apps/s_time.c
index 2052a15c4f..386a81a78e 100644
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -320,7 +320,8 @@ int s_time_main(int argc, char **argv)
  nConn, totalTime, ((double)nConn / totalTime), bytes_read);
 printf
 ("%d connections in %ld real seconds, %ld bytes read per connection\n",
- nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);
+ nConn, (long)time(NULL) - finishtime + maxtime,
+ nConn > 0 ? bytes_read / nConn : 0l);
 
 /*
  * Now loop and time connections using the same session id over and over
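
Review bot: The literal `0l` in `nConn > 0 ? bytes_read / nConn : 0l` is easy to misread as `01`. Writing `0L` reads unambiguously and still matches the `%ld` conversion in the format string.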


[openssl] OpenSSL_1_1_1-stable update

2021-03-18 Thread Dr. Paul Dale
The branch OpenSSL_1_1_1-stable has been updated
   via  1136fedc334b574eef6f551be158860fda4199f2 (commit)
  from  81198bf323ea9deda907714170d329ca7d2ff01f (commit)


- Log -
commit 1136fedc334b574eef6f551be158860fda4199f2
Author: Pauli 
Date:   Wed Mar 17 12:00:42 2021 +1000

ssl: fix coverity 1451515: out of bounds memory access

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/14585)

(cherry picked from commit 3de7f014a985637361bdee775f78209300c88aae)

---

Summary of changes:
 ssl/statem/statem_clnt.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index d84cc0460f..09fba3d8c0 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2905,6 +2905,7 @@ static int tls_construct_cke_psk_preamble(SSL *s, WPACKET 
*pkt)
 if (psklen > PSK_MAX_PSK_LEN) {
 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
+psklen = PSK_MAX_PSK_LEN;   /* Avoid overrunning the array on cleanse 
*/
 goto err;
 } else if (psklen == 0) {
 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
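
Review bot: Clamping `psklen` to `PSK_MAX_PSK_LEN` just before `goto err` addresses the overrun the comment describes, but it makes the safety of the cleanse depend on every error path keeping the length in range. Cleansing the buffer by its declared size at `err`, independent of `psklen`, would remove that dependency.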


[openssl] master update

2021-03-18 Thread Dr. Paul Dale
The branch master has been updated
   via  3de7f014a985637361bdee775f78209300c88aae (commit)
  from  145f12d12dc83c737676883c625c2a95d34251ed (commit)


- Log -
commit 3de7f014a985637361bdee775f78209300c88aae
Author: Pauli 
Date:   Wed Mar 17 12:00:42 2021 +1000

ssl: fix coverity 1451515: out of bounds memory access

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/14585)

---

Summary of changes:
 ssl/statem/statem_clnt.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index e7917be4fb..666ee43363 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2767,6 +2767,7 @@ static int tls_construct_cke_psk_preamble(SSL *s, WPACKET 
*pkt)
 
 if (psklen > PSK_MAX_PSK_LEN) {
 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
+psklen = PSK_MAX_PSK_LEN;   /* Avoid overrunning the array on cleanse 
*/
 goto err;
 } else if (psklen == 0) {
 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_PSK_IDENTITY_NOT_FOUND);
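
Review bot: The added assignment reads like a dead store, because `psklen` is set and the next statement is `goto err`. The comment "Avoid overrunning the array on cleanse" names neither the array nor the cleanse call, so a later cleanup could delete the line; name both in the comment.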


[openssl] OpenSSL_1_1_1-stable update

2021-03-18 Thread Dr. Paul Dale
The branch OpenSSL_1_1_1-stable has been updated
   via  81198bf323ea9deda907714170d329ca7d2ff01f (commit)
  from  8129ac6ac4c0ca3a488c225cde580ede7dabe874 (commit)


- Log -
commit 81198bf323ea9deda907714170d329ca7d2ff01f
Author: Pauli 
Date:   Wed Mar 17 11:40:13 2021 +1000

modes: fix coverity 1449851: overlapping memory copy

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/14584)

(cherry picked from commit b875e0e820b07420429ebb90724ed28686a98853)

---

Summary of changes:
 crypto/modes/cbc128.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/crypto/modes/cbc128.c b/crypto/modes/cbc128.c
index 4595b0f502..78949c1ed7 100644
--- a/crypto/modes/cbc128.c
+++ b/crypto/modes/cbc128.c
@@ -115,7 +115,8 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, 
unsigned char *out,
 out += 16;
 }
 }
-memcpy(ivec, iv, 16);
+if (ivec != iv)
+memcpy(ivec, iv, 16);
 } else {
 if (STRICT_ALIGNMENT &&
 ((size_t)in | (size_t)out | (size_t)ivec) % sizeof(size_t) != 0) {
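
Review bot: `if (ivec != iv)` handles exact aliasing only. `memcpy` is also undefined when the two 16-byte ranges overlap partially, so either state in a comment that `iv` is always `ivec` itself or a disjoint block at this point, or use `memmove(ivec, iv, 16)` and drop the condition.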


[openssl] OpenSSL_1_1_1-stable update

2021-03-18 Thread Dr. Paul Dale
The branch OpenSSL_1_1_1-stable has been updated
   via  8129ac6ac4c0ca3a488c225cde580ede7dabe874 (commit)
  from  081a7061f3da07318c4b0f5de67b82285630bf6b (commit)


- Log -
commit 8129ac6ac4c0ca3a488c225cde580ede7dabe874
Author: Pauli 
Date:   Wed Mar 17 11:41:48 2021 +1000

modes: fix coverity 1449860: overlapping memory copy

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/14584)

(cherry picked from commit 145f12d12dc83c737676883c625c2a95d34251ed)

---

Summary of changes:
 crypto/modes/cbc128.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/crypto/modes/cbc128.c b/crypto/modes/cbc128.c
index c85e37c6a5..4595b0f502 100644
--- a/crypto/modes/cbc128.c
+++ b/crypto/modes/cbc128.c
@@ -69,7 +69,8 @@ void CRYPTO_cbc128_encrypt(const unsigned char *in, unsigned 
char *out,
 in += 16;
 out += 16;
 }
-memcpy(ivec, iv, 16);
+if (ivec != iv)
+memcpy(ivec, iv, 16);
 }
 
 void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
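
Review bot: No test accompanies the guard at the end of `CRYPTO_cbc128_encrypt`; the summary lists `crypto/modes/cbc128.c` alone. A call that reaches this point with `iv` still equal to `ivec`, run under a sanitizer, would keep the overlapping copy from coming back.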


[openssl] master update

2021-03-18 Thread Dr. Paul Dale
The branch master has been updated
   via  145f12d12dc83c737676883c625c2a95d34251ed (commit)
   via  b875e0e820b07420429ebb90724ed28686a98853 (commit)
  from  cf3306dc6b37cc24ea50cebc227a9354fefce158 (commit)


- Log -
commit 145f12d12dc83c737676883c625c2a95d34251ed
Author: Pauli 
Date:   Wed Mar 17 11:41:48 2021 +1000

modes: fix coverity 1449860: overlapping memory copy

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/14584)

commit b875e0e820b07420429ebb90724ed28686a98853
Author: Pauli 
Date:   Wed Mar 17 11:40:13 2021 +1000

modes: fix coverity 1449851: overlapping memory copy

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/14584)

---

Summary of changes:
 crypto/modes/cbc128.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/crypto/modes/cbc128.c b/crypto/modes/cbc128.c
index df0ab244f8..86dd781c55 100644
--- a/crypto/modes/cbc128.c
+++ b/crypto/modes/cbc128.c
@@ -69,7 +69,8 @@ void CRYPTO_cbc128_encrypt(const unsigned char *in, unsigned 
char *out,
 in += 16;
 out += 16;
 }
-memcpy(ivec, iv, 16);
+if (ivec != iv)
+memcpy(ivec, iv, 16);
 }
 
 void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
@@ -114,7 +115,8 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, 
unsigned char *out,
 out += 16;
 }
 }
-memcpy(ivec, iv, 16);
+if (ivec != iv)
+memcpy(ivec, iv, 16);
 } else {
 if (STRICT_ALIGNMENT &&
 ((size_t)in | (size_t)out | (size_t)ivec) % sizeof(size_t) != 0) {
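
Review bot: The `} else {` branch that follows the guarded copy in `CRYPTO_cbc128_decrypt` (the `STRICT_ALIGNMENT` path) lies outside the diff. Please confirm that branch does not end with the same unconditional `memcpy(ivec, iv, 16)`, otherwise the coverity finding is fixed on only one of the two paths.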


Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-ec2m

2021-03-18 Thread OpenSSL run-checker
Platform and configuration command:

$ uname -a
Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-ec2m

Commit log since last time:

9a48544058 Make EVP_PKEY_missing_parameters work properly on provided RSA keys
e08993eab6 evp_keymgmt_util_copy: Fix possible leak on copy failure
48fad58f7b apps/crl: Print just the hash value if printing just hash
50864bd2f7 Convert some TODO(3.0) comments in init.c to normal comments
19ad1e9d37 Remove a TODO(3.0) from EVP_PKEY_derive_set_peer()
d11f644ba5 Fix up issues found when running evp_extra_test with a non-default 
library context
062490dbd0 Add testing for non-default library context into evp_extra_test
4139a0c6ec EVP_KDF-KB man page: fixup ABI/API change
1f79baa55e Remove TODOs from digest.c
7128458b8a params: clean up TODO
8f391c7d1b doc: remove TODOs about redesigning the AEAD API
95856e34bb prov: remove todos in rsa_keymgmt.c
cc32fbdca1 prov: remove TODO in der_rsa_key.c
d1f790de0c Add some encoder and decoder code examples
5db682733d Fix a TODO(3.0) in the siphash code
37cddb2e2d p_lib.c: Remove TODO comments
a289d3a427 property_test: use property values that are not used elsewhere
2217d4c9cc core_get_libctx: use assert() instead of ossl_assert()
a23deef281 provider_core: Remove two TODO 3.0
a8275fbc4a decoder_process: data_structure can be NULL
1e08f3ba9e property: default queries create the property values.
bd55a0be1b Use --debug with no-caching build as sanitizers need it
92a36b3705 Add a CHANGES entry for EVP_PKEY_public_check() and 
EVP_KEY_param_check()
2cf8bb46fc Ensure that ECX keys pass EVP_PKEY_param_check()
2db5834c43 Add a CHANGES entry for the cosmetic differences in textual output
d8a809db4b apps: Make load_key_certs_crls to read only what is expected
ea51096e51 apps: Add maybe_stdin argument to load_certs and set it in pkcs12
8287a4c3b2 Tiny clarification of comment for RSA_sign
3a37ddde91 Fix DSA EVP_PKEY_param_check() when defaults are used for param 
generation.

Build log ended with (last 100 lines):


[openssl] master update

2021-03-18 Thread Dr. Paul Dale
The branch master has been updated
   via  cf3306dc6b37cc24ea50cebc227a9354fefce158 (commit)
  from  628d2d3a7f2318b6a6a1c36f9d8d12032c69a9dd (commit)


- Log -
commit cf3306dc6b37cc24ea50cebc227a9354fefce158
Author: Jon Spillett 
Date:   Wed Mar 17 13:59:29 2021 +1000

Remove TODO comment. Resolves #14396

Reviewed-by: Matt Caswell 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/14588)

---

Summary of changes:
 crypto/evp/ec_support.c | 7 ---
 1 file changed, 7 deletions(-)

diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c
index b06157098f..24337a5eac 100644
--- a/crypto/evp/ec_support.c
+++ b/crypto/evp/ec_support.c
@@ -122,13 +122,6 @@ const char *ossl_ec_curve_nid2name(int nid)
 if (nid <= 0)
 return NULL;
 
-/*
- * TODO(3.0) Figure out if we should try to find the nid with
- * EC_curve_nid2nist() first, i.e. make it a priority to return
- * NIST names if there is one for the NID.  This is related to
- * the TODO comment in ossl_ec_curve_name2nid().
- */
-
 for (i = 0; i < OSSL_NELEM(curve_list); i++) {
 if (curve_list[i].nid == nid)
 return curve_list[i].name;
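
Review bot: Deleting the TODO in `ossl_ec_curve_nid2name` drops the open question (whether NIST names found via `EC_curve_nid2nist()` should take priority) without recording the answer. A one-line comment stating that names are returned from `curve_list` as they are would preserve the decision. The deleted text also points at a companion TODO in `ossl_ec_curve_name2nid()` that this diff does not touch, so check it is not left dangling.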


[openssl] master update

2021-03-18 Thread tomas
The branch master has been updated
   via  628d2d3a7f2318b6a6a1c36f9d8d12032c69a9dd (commit)
  from  c8830891e6cb8d0782986662ca50b8fa7c97f49f (commit)


- Log -
commit 628d2d3a7f2318b6a6a1c36f9d8d12032c69a9dd
Author: Kevin Cadieux 
Date:   Tue Mar 16 20:23:38 2021 -0700

Fixing stack buffer overflow error caused by incorrectly sized array.

CLA: trivial

Reviewed-by: Matt Caswell 
Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/14582)

---

Summary of changes:
 test/params_api_test.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/params_api_test.c b/test/params_api_test.c
index 38d6913ec5..c1dbdad129 100644
--- a/test/params_api_test.c
+++ b/test/params_api_test.c
@@ -390,8 +390,8 @@ static int test_param_size_t(int n)
 static int test_param_time_t(int n)
 {
 time_t in, out;
-unsigned char buf[MAX_LEN], cmp[sizeof(size_t)];
-const size_t len = raw_values[n].len >= sizeof(size_t)
+unsigned char buf[MAX_LEN], cmp[sizeof(time_t)];
+const size_t len = raw_values[n].len >= sizeof(time_t)
? sizeof(time_t) : raw_values[n].len;
 OSSL_PARAM param = OSSL_PARAM_time_t("a", NULL);
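
Review bot: The `cmp[sizeof(size_t)]` and `>= sizeof(size_t)` leftovers in `test_param_time_t` look copied from `test_param_size_t` just above, while the unchanged continuation line already used `sizeof(time_t)`. Sizing from the variable, `cmp[sizeof(in)]` and `raw_values[n].len >= sizeof(in)`, would keep the array and the length in step if the type changes again.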
 


Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dso

2021-03-18 Thread OpenSSL run-checker
Platform and configuration command:

$ uname -a
Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-dso

Commit log since last time:

9a48544058 Make EVP_PKEY_missing_parameters work properly on provided RSA keys
e08993eab6 evp_keymgmt_util_copy: Fix possible leak on copy failure
48fad58f7b apps/crl: Print just the hash value if printing just hash
50864bd2f7 Convert some TODO(3.0) comments in init.c to normal comments
19ad1e9d37 Remove a TODO(3.0) from EVP_PKEY_derive_set_peer()
d11f644ba5 Fix up issues found when running evp_extra_test with a non-default 
library context
062490dbd0 Add testing for non-default library context into evp_extra_test
4139a0c6ec EVP_KDF-KB man page: fixup ABI/API change
1f79baa55e Remove TODOs from digest.c
7128458b8a params: clean up TODO
8f391c7d1b doc: remove TODOs about redesigning the AEAD API
95856e34bb prov: remove todos in rsa_keymgmt.c
cc32fbdca1 prov: remove TODO in der_rsa_key.c
d1f790de0c Add some encoder and decoder code examples
5db682733d Fix a TODO(3.0) in the siphash code
37cddb2e2d p_lib.c: Remove TODO comments
a289d3a427 property_test: use property values that are not used elsewhere
2217d4c9cc core_get_libctx: use assert() instead of ossl_assert()
a23deef281 provider_core: Remove two TODO 3.0
a8275fbc4a decoder_process: data_structure can be NULL
1e08f3ba9e property: default queries create the property values.
bd55a0be1b Use --debug with no-caching build as sanitizers need it
92a36b3705 Add a CHANGES entry for EVP_PKEY_public_check() and 
EVP_KEY_param_check()
2cf8bb46fc Ensure that ECX keys pass EVP_PKEY_param_check()
2db5834c43 Add a CHANGES entry for the cosmetic differences in textual output
d8a809db4b apps: Make load_key_certs_crls to read only what is expected
ea51096e51 apps: Add maybe_stdin argument to load_certs and set it in pkcs12
8287a4c3b2 Tiny clarification of comment for RSA_sign
3a37ddde91 Fix DSA EVP_PKEY_param_check() when defaults are used for param 
generation.

Build log ended with (last 100 lines):


Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des

2021-03-18 Thread OpenSSL run-checker
Platform and configuration command:

$ uname -a
Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-des

Commit log since last time:

9a48544058 Make EVP_PKEY_missing_parameters work properly on provided RSA keys
e08993eab6 evp_keymgmt_util_copy: Fix possible leak on copy failure
48fad58f7b apps/crl: Print just the hash value if printing just hash
50864bd2f7 Convert some TODO(3.0) comments in init.c to normal comments
19ad1e9d37 Remove a TODO(3.0) from EVP_PKEY_derive_set_peer()
d11f644ba5 Fix up issues found when running evp_extra_test with a non-default library context
062490dbd0 Add testing for non-default library context into evp_extra_test
4139a0c6ec EVP_KDF-KB man page: fixup ABI/API change
1f79baa55e Remove TODOs from digest.c
7128458b8a params: clean up TODO
8f391c7d1b doc: remove TODOs about redesigning the AEAD API
95856e34bb prov: remove todos in rsa_keymgmt.c
cc32fbdca1 prov: remove TODO in der_rsa_key.c
d1f790de0c Add some encoder and decoder code examples
5db682733d Fix a TODO(3.0) in the siphash code
37cddb2e2d p_lib.c: Remove TODO comments
a289d3a427 property_test: use property values that are not used elsewhere
2217d4c9cc core_get_libctx: use assert() instead of ossl_assert()
a23deef281 provider_core: Remove two TODO 3.0
a8275fbc4a decoder_process: data_structure can be NULL
1e08f3ba9e property: default queries create the property values.
bd55a0be1b Use --debug with no-caching build as sanitizers need it
92a36b3705 Add a CHANGES entry for EVP_PKEY_public_check() and EVP_KEY_param_check()
2cf8bb46fc Ensure that ECX keys pass EVP_PKEY_param_check()
2db5834c43 Add a CHANGES entry for the cosmetic differences in textual output
d8a809db4b apps: Make load_key_certs_crls to read only what is expected
ea51096e51 apps: Add maybe_stdin argument to load_certs and set it in pkcs12
8287a4c3b2 Tiny clarification of comment for RSA_sign
3a37ddde91 Fix DSA EVP_PKEY_param_check() when defaults are used for param generation.

Build log ended with (last 100 lines):

70-test_sslrecords.t ... ok
70-test_sslsessiontick.t ... ok
70-test_sslsigalgs.t ... ok
70-test_sslsignature.t . ok
70-test_sslskewith0p.t . ok
70-test_sslversions.t .. ok
70-test_sslvertol.t  ok
70-test_tls13alerts.t .. ok
70-test_tls13cookie.t .. ok
70-test_tls13downgrade.t ... ok
70-test_tls13hrr.t . ok
70-test_tls13kexmodes.t  ok
70-test_tls13messages.t  ok
70-test_tls13psk.t . ok
70-test_tlsextms.t . ok
70-test_verify_extra.t . ok
70-test_wpacket.t .. ok
71-test_ssl_ctx.t .. ok
80-test_ca.t ... ok
80-test_cipherbytes.t .. ok
80-test_cipherlist.t ... ok
80-test_ciphername.t ... ok

# 80-test_cmp_http.t . ok

# 80-test_cms.t .. ok
80-test_cmsapi.t ... ok
80-test_ct.t ... ok
80-test_dane.t . ok
80-test_dtls.t . ok
80-test_dtls_mtu.t . ok
80-test_dtlsv1listen.t . ok
80-test_http.t . ok
80-test_ocsp.t . ok
80-test_pkcs12.t ... skipped: The PKCS12 command line utility is not supported by this OpenSSL build
80-test_ssl_new.t .. ok
80-test_ssl_old.t .. ok
80-test_ssl_test_ctx.t . ok
80-test_sslcorrupt.t ... ok
80-test_tsa.t .. ok
80-test_x509aux.t .. ok
81-test_cmp_cli.t .. ok
90-test_asn1_time.t  ok
90-test_async.t  ok
90-test_bio_enc.t .. ok
90-test_bio_memleak.t .. ok
90-test_constant_time.t  ok
90-test_fatalerr.t . ok
90-test_fipsload.t . ok
90-test_gmdiff.t ... ok
90-test_gost.t . ok
90-test_ige.t .. ok
90-test_includes.t . ok
90-test_memleak.t .. ok
90-test_overhead.t . ok
90-test_secmem.t ... ok
90-test_shlibload.t  ok
90-test_srp.t .. ok
90-test_sslapi.t ... ok
90-test_sslbuffers.t ... ok
90-test_store.t  ok
90-test_sysdefault.t ... ok
90-test_threads.t .. ok
90-test_time_offset.t .. ok
90-test_tls13ccs.t . ok
90-test_tls13encryption.t .. ok
90-test_tls13secrets.t . ok
90-test_v3name.t ... ok
91-test_pkey_check.t ... ok
95-test_external_boringssl.t ... skipped: No external tests in this configuration
95-test_external_gost_engine.t . 

[openssl] master update

2021-03-18 Thread dev
The branch master has been updated
   via  63b64f19c13d59d68dc2e525f454aea62a739842 (commit)
   via  bef876f97e26309ccd20f916cf1e5e305735ee98 (commit)
   via  6b937ae3a7a2dfac55d25a18bd6d5a084c24e3d5 (commit)
   via  49f07be43d031f0407db8ae1b8cdf6452a79e558 (commit)
  from  d07d8057991712261323c05bb022d000a01404d0 (commit)


- Log -
commit 63b64f19c13d59d68dc2e525f454aea62a739842
Author: Dr. David von Oheimb 
Date:   Fri Mar 12 19:45:40 2021 +0100

TS and CMS CAdES-BES: Refactor check_signing_certs() funcs into common ESS func

Also constify related CMS/PKCS7 functions and improve error codes thrown.

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/14503)

commit bef876f97e26309ccd20f916cf1e5e305735ee98
Author: Dr. David von Oheimb 
Date:   Fri Mar 12 15:54:34 2021 +0100

ts_check_signing_certs(): Make sure both ESSCertID and ESSCertIDv2 are checked

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/14503)

commit 6b937ae3a7a2dfac55d25a18bd6d5a084c24e3d5
Author: Dr. David von Oheimb 
Date:   Wed Mar 10 17:21:37 2021 +0100

TS ESS: Invert the search logic of ts_check_signing_certs() to correctly cover cert ID list

Fixes #14190

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/14503)

commit 49f07be43d031f0407db8ae1b8cdf6452a79e558
Author: Dr. David von Oheimb 
Date:   Sat Mar 13 11:29:19 2021 +0100

apps.c: Fix missing newline in warn_cert_msg() output

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/14503)

---

Summary of changes:
 CHANGES.md |   9 ++
 apps/cms.c |   6 +-
 apps/lib/apps.c|   2 +-
 crypto/cms/cms_att.c   |   3 +-
 crypto/cms/cms_err.c   |   2 -
 crypto/cms/cms_ess.c   |  63 +-
 crypto/cms/cms_local.h |   3 +-
 crypto/cms/cms_smime.c |   2 +-
 crypto/err/openssl.txt |  10 +-
 crypto/ess/ess_asn1.c  |   4 +-
 crypto/ess/ess_err.c   |  14 ++-
 crypto/ess/ess_lib.c   | 127 -
 crypto/pkcs7/pk7_doit.c|   8 +-
 crypto/ts/ts_rsp_verify.c  |  60 ++
 doc/man1/openssl-cms.pod.in|  26 +++--
 doc/man1/openssl-ts.pod.in |  11 +-
 doc/man3/CMS_verify.pod|   4 +-
 include/crypto/cms.h   |   4 +-
 include/crypto/ess.h   |  12 +-
 include/crypto/esserr.h|   2 +-
 include/openssl/cms.h.in   |   3 +-
 include/openssl/cmserr.h   |   1 -
 include/openssl/esserr.h   |   6 +
 include/openssl/pkcs7.h.in |   4 +-
 test/recipes/80-test_cms.t |  10 +-
 test/recipes/80-test_tsa.t |  96 +++-
 test/recipes/80-test_tsa_data/all-zero.tsq | Bin 0 -> 59 bytes
 test/recipes/80-test_tsa_data/comodo-aaa.pem   |  25 
 test/recipes/80-test_tsa_data/sectigo-all-zero.tsr | Bin 0 -> 4981 bytes
 test/recipes/80-test_tsa_data/sectigo-signer.pem   |  40 +++
 .../80-test_tsa_data/sectigo-time-stamping-ca.pem  |  39 +++
 .../recipes/80-test_tsa_data/user-trust-ca-aaa.pem |  32 ++
 test/recipes/80-test_tsa_data/user-trust-ca.pem|  34 ++
 33 files changed, 415 insertions(+), 247 deletions(-)
 create mode 100644 test/recipes/80-test_tsa_data/all-zero.tsq
 create mode 100644 test/recipes/80-test_tsa_data/comodo-aaa.pem
 create mode 100644 test/recipes/80-test_tsa_data/sectigo-all-zero.tsr
 create mode 100644 test/recipes/80-test_tsa_data/sectigo-signer.pem
 create mode 100644 test/recipes/80-test_tsa_data/sectigo-time-stamping-ca.pem
 create mode 100644 test/recipes/80-test_tsa_data/user-trust-ca-aaa.pem
 create mode 100644 test/recipes/80-test_tsa_data/user-trust-ca.pem

diff --git a/CHANGES.md b/CHANGES.md
index e51e61a96b..f6800a337d 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -58,6 +58,15 @@ OpenSSL 3.0
 
*Richard Levitte*
 
+ * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 
5035)
+   for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations.
+   As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both 
present.
+   Correct the semantics of checking the validation chain in case 
ESSCertID{,v2}
+   contains more than one certificate