Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module
Platform and configuration command: $ uname -a Linux run 5.4.0-70-generic #78-Ubuntu SMP Fri Mar 19 13:29:52 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: 05aed12f54 CORE: pre-populate the namemap with legacy OIDs too a0fff549e6 TEST: Use OSSL_MAX_NAME_SIZE instead of arbitrary number of mdname 01ba6c8e43 CORE: Register all legacy "names" when generating the initial namemap ad57a13bb8 Modify OBJ_nid2sn(OBJ_obj2nid(...)) occurences to use OBJ_obj2txt() 42423ac961 TEST: Modify how the retrieved digest name for SM2 digestsign is checked 6ee1ae3293 TEST: Modify testutil's run_tests to display NOSUBTEST cases individually ebb3c82b9c TEST: Modify test/evp_fetch_prov_test.c to also fetch by OID e2f5df3613 PROV: Add OIDs we know to all provider applicable algorithms f6c95e46c0 Add "origin" field to EVP_CIPHER, EVP_MD 543e740b95 Standard style for all EVP_xxx_free routines ad72484909 Fix typo in aesccm.c 44c75ba67d apps/cmp.c: Fix TLS hostname checking in case -server provides more than hostname cd69b4bd7c OSSL_CMP_CTX_new(): Fix distinction of out-of-memory and other errors e494fac705 Fix naming for EVP_RAND_CTX_gettable functions. 7b9f02798f Sanity check provider up-calls 6ce58488bd Store some FIPS global variables in the FIPS_GLOBAL structure 81cc5ce1a0 lifecycle: update master lifecycle transition spreadsheet fixing the ettable issue ed34837807 lifecycle: correct [sg]ettable to [sg]et b000a2f95b demos: Add clean target for bio/Makefile 42e7d2f10e Add more negative checks for integers passed to OPENSSL_malloc(). 34ed733396 SipHash: Fix CTRL API for the digest size. 4a95b70d1e Github workflows: re-implement a no-shared build a732a4c329 Add EVP_PKEY_todata() and EVP_PKEY_export() functions. 
a56fcf20da Add OID for mdc2WithRSASignature and remove related TODO 3.0 ddf0d149e2 Rename EVP_PKEY_get0_first_alg_name to EVP_PKEY_get0_type_name 9c1b19eb6f changes: note that some ctrl calls have a different error return. 7e43baed2a Do not allow creating empty RSA keys by duplication 85fcc3fb77 Remove keymgmt_copy function from the provider API b4f447c038 Add selection support to the provider keymgmt_dup function 4a9fe33c8e Implement provider-side keymgmt_dup function Build log ended with (last 100 lines): ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo5.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # -- # Failed test 'popo NONE' # at ../openssl/test/recipes/80-test_cmp_http.t line 145. 
Warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # cmp_main:../openssl/apps/cmp.c:2585:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2180:CMP warning: argument of -proxy option is empty string, resetting option # setup_client_ctx:../openssl/apps/cmp.c:1894:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:167:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:187:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:167:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:187:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:1944:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo6.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 2 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo6.pem -out_trusted root.crt => 0 not ok 48 - popo KEYENC not supported # -- # Looks like you failed 3 tests of 92. not ok 5 - CMP app CLI Mock enrollment # -- # # Failed test 'CMP app CLI Mock enrollment # ' # at /home/openssl/run-checker/enable-fuzz-afl/../openssl/util/perl/OpenSSL/Test.pm line 1335. Killing mock server with pid=3247067 # Looks like you failed 3 tests of 5.80-test_cmp_http.t . Dubious, test returned 3 (wstat 768, 0x300) Failed 3/5 subtests # 80-test_cms.t
[openssl] master update
The branch master has been updated via 72f649e061bef86cbf41303fede1a61c9fe2c05b (commit) from cd0aca532091de4dfadf2f12b18dd99e9cba7615 (commit) - Log - commit 72f649e061bef86cbf41303fede1a61c9fe2c05b Author: Rich Salz Date: Fri Apr 16 17:57:30 2021 -0400 Remove extra trailing semicolon Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14903) --- Summary of changes: providers/common/provider_seeding.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/providers/common/provider_seeding.c b/providers/common/provider_seeding.c index 73a2a14187..51e9badc82 100644 --- a/providers/common/provider_seeding.c +++ b/providers/common/provider_seeding.c @@ -23,7 +23,8 @@ int ossl_prov_seeding_from_dispatch(const OSSL_DISPATCH *fns) * multiple versions of libcrypto (e.g. one static and one dynamic), but * sharing a single fips.so. We do a simple sanity check here. */ -#define set_func(c, f) if (c == NULL) c = f; else if (c != f) return 0; +#define set_func(c, f) \ +do { if (c == NULL) c = f; else if (c != f) return 0; } while (0) switch (fns->function_id) { case OSSL_FUNC_GET_ENTROPY: set_func(c_get_entropy, OSSL_FUNC_get_entropy(fns)); @@ -38,6 +39,7 @@ int ossl_prov_seeding_from_dispatch(const OSSL_DISPATCH *fns) set_func(c_cleanup_nonce, OSSL_FUNC_cleanup_nonce(fns)); break; } +#undef set_func } return 1; }
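Review bot: The rewritten `set_func` macro still expands `c` and `f` without parentheses, so it is only safe for the plain identifiers and call expressions used in this switch. Since it is being reworked anyway, I would write it as `do { if ((c) == NULL) (c) = (f); else if ((c) != (f)) return 0; } while (0)`. A short comment such as `/* NB: returns 0 from the enclosing function on mismatch */` above the macro would also help, because the hidden `return` is easy to miss at the call sites. The body of ossl_prov_seeding_from_dispatch starts above this hunk.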
[openssl] master update
The branch master has been updated via cd0aca532091de4dfadf2f12b18dd99e9cba7615 (commit) from 16b8862d80dbfb627b72cba36739de29235d8f3d (commit) - Log - commit cd0aca532091de4dfadf2f12b18dd99e9cba7615 Author: Tomas Mraz Date: Wed Apr 14 15:12:52 2021 +0200 Update krb5 module to latest release Fixes #14902 Also add workaround of `sudo hostname localhost` for the intermittent test failures seen in CI. Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/14872) --- Summary of changes: .github/workflows/ci.yml| 2 ++ krb5| 2 +- test/recipes/95-test_external_krb5.t| 2 +- test/recipes/95-test_external_krb5_data/krb5.sh | 2 +- 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ee4a2c8f2b..ec35e84ff3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -221,6 +221,8 @@ jobs: uses: perl-actions/install-with-cpanm@v1 with: install: Test2::V0 +- name: setup hostname workaround + run: sudo hostname localhost - name: config run: ./config --strict-warnings --debug no-afalgeng enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 enable-external-tests && perl configdata.pm --dump - name: make diff --git a/krb5 b/krb5 index 890ca2f401..3195e18f66 16 --- a/krb5 +++ b/krb5 @@ -1 +1 @@ -Subproject commit 890ca2f401924cdcb88f493950b04700bbe52db3 +Subproject commit 3195e18f6608890866cf7a60ea538f4649d4fe82 diff --git a/test/recipes/95-test_external_krb5.t b/test/recipes/95-test_external_krb5.t index dca2c065d3..9b8067d5d1 100644 --- a/test/recipes/95-test_external_krb5.t +++ b/test/recipes/95-test_external_krb5.t @@ -17,7 +17,7 @@ setup("test_external_krb5"); plan skip_all => "No external tests in this configuration" if disabled("external-tests"); plan skip_all => "krb5 not available" -if ! -f srctop_file("krb5", "src", "configure.in"); +if ! -f srctop_file("krb5", "src", "configure.ac"); plan tests => 1; 
diff --git a/test/recipes/95-test_external_krb5_data/krb5.sh b/test/recipes/95-test_external_krb5_data/krb5.sh index 6b267242f7..4c901bebf7 100755 --- a/test/recipes/95-test_external_krb5_data/krb5.sh +++ b/test/recipes/95-test_external_krb5_data/krb5.sh @@ -13,7 +13,7 @@ CFLAGS="-I`pwd`/$BLDTOP/include -I`pwd`/$SRCTOP/include" cd $SRCTOP/krb5/src autoreconf -./configure --with-ldap --with-prng-alg=os --enable-pkinit \ +./configure --with-ldap --with-prng-alg=os --disable-pkinit \ --with-crypto-impl=openssl --with-tls-impl=openssl \ CFLAGS="$CFLAGS" LDFLAGS="$LDFLAGS"
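Review bot: Changing `--enable-pkinit` to `--disable-pkinit` in the configure call drops the PKINIT plugin from the external krb5 build, and neither the commit message nor the script says why. PKINIT is presumably the part of krb5 that leans most on OpenSSL's X.509 and CMS code, so this looks like a silent loss of test coverage rather than part of the module bump. I would add a comment above the configure line, for example `# PKINIT disabled: <reason / issue link>; re-enable once it builds and passes against this OpenSSL`, so the reduction is visible and can be reverted later. The script continues outside the hunk.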
[openssl] master update
The branch master has been updated via 16b8862d80dbfb627b72cba36739de29235d8f3d (commit) from ee203a87ff1ff1af46a5ff11f761bdd07a5503e4 (commit) - Log - commit 16b8862d80dbfb627b72cba36739de29235d8f3d Author: Dr. David von Oheimb Date: Thu Apr 15 19:21:28 2021 +0200 PKCS12 etc.: Add hints on using -legacy and -provider-path options Fixes #14790 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14891) --- Summary of changes: apps/lib/app_provider.c| 3 ++- doc/man1/openssl-pkcs12.pod.in | 10 ++ doc/man1/openssl.pod | 2 ++ doc/man7/openssl-env.pod | 1 + doc/perlvars.pm| 2 +- 5 files changed, 16 insertions(+), 2 deletions(-) diff --git a/apps/lib/app_provider.c b/apps/lib/app_provider.c index fd7d55c09b..c3100b2fa8 100644 --- a/apps/lib/app_provider.c +++ b/apps/lib/app_provider.c @@ -33,7 +33,8 @@ int app_provider_load(OSSL_LIB_CTX *libctx, const char *provider_name) prov = OSSL_PROVIDER_load(libctx, provider_name); if (prov == NULL) { -opt_printf_stderr("%s: unable to load provider %s\n", +opt_printf_stderr("%s: unable to load provider %s\n" + "Hint: use -provider-path option or OPENSSL_MODULES environment variable.\n", opt_getprog(), provider_name); ERR_print_errors(bio_err); return 0; diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in index b367be2b7f..7a75d9ca32 100644 --- a/doc/man1/openssl-pkcs12.pod.in +++ b/doc/man1/openssl-pkcs12.pod.in 
@@ -85,8 +85,13 @@ The PKCS#12 export encryption and MAC options such as B<-certpbe> and B<-iter> and many further options such as B<-chain> are relevant only with B<-export>. Conversely, the options regarding encryption of private keys when outputting PKCS#12 input are relevant only when the B<-export> option is not given. + The default encryption algorithm is AES-256-CBC with PBKDF2 for key derivation. +When encountering problems loading legacy PKCS#12 files that involve, +for example, RC2-40-CBC, +try using the B<-legacy> option and, if needed, the B<-provider-path> option. + =over 4 =item B<-help> @@ -132,6 +137,11 @@ and so the input is just verified. =item B<-legacy> Use legacy mode of operation and automatically load the legacy provider. +If OpenSSL is not installed system-wide, +it is necessary to also use, for example, C<-provider-path ./providers> +or to set the environment variable B +to point to the directory where the providers can be found. + In the legacy mode, the default algorithm for certificate encryption is RC2_CBC or 3DES_CBC depending on whether the RC2 cipher is enabled in the build. The default algorithm for private key encryption is 3DES_CBC. diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod index 7b84921893..78b98ab7a6 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod @@ -652,10 +652,12 @@ the PKCS#11 URI as defined in RFC 7512 should be possible to use directly: =item B<-provider> I Load and initialize the provider identified by I. +See L for a more detailed description. =item B<-provider-path> I Specifies the search path that is to be used for looking for providers. +Equivalently, the B environment variable may be set. =item B<-propquery> I diff --git a/doc/man7/openssl-env.pod b/doc/man7/openssl-env.pod index f29f5e2835..f691191b6f 100644 --- a/doc/man7/openssl-env.pod +++ b/doc/man7/openssl-env.pod 
@@ -49,6 +49,7 @@ See L. =item B Specifies the directory from which cryptographic providers are loaded. +Equivalently, the generic B<-provider-path> command-line option may be used. =item B diff --git a/doc/perlvars.pm b/doc/perlvars.pm index 0be68e275d..91dd5d8284 100644 --- a/doc/perlvars.pm +++ b/doc/perlvars.pm @@ -102,7 +102,7 @@ $OpenSSL::safe::opt_provider_item = "" . "\n" . "=item B<-propquery> I\n" . "\n" -. "See L."; +. "See L, L, and L."; # Configuration option $OpenSSL::safe::opt_config_synopsis = ""
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-ec2m
Platform and configuration command: $ uname -a Linux run 5.4.0-70-generic #78-Ubuntu SMP Fri Mar 19 13:29:52 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-ec2m Commit log since last time: 05aed12f54 CORE: pre-populate the namemap with legacy OIDs too a0fff549e6 TEST: Use OSSL_MAX_NAME_SIZE instead of arbitrary number of mdname 01ba6c8e43 CORE: Register all legacy "names" when generating the initial namemap ad57a13bb8 Modify OBJ_nid2sn(OBJ_obj2nid(...)) occurences to use OBJ_obj2txt() 42423ac961 TEST: Modify how the retrieved digest name for SM2 digestsign is checked 6ee1ae3293 TEST: Modify testutil's run_tests to display NOSUBTEST cases individually ebb3c82b9c TEST: Modify test/evp_fetch_prov_test.c to also fetch by OID e2f5df3613 PROV: Add OIDs we know to all provider applicable algorithms f6c95e46c0 Add "origin" field to EVP_CIPHER, EVP_MD 543e740b95 Standard style for all EVP_xxx_free routines ad72484909 Fix typo in aesccm.c 44c75ba67d apps/cmp.c: Fix TLS hostname checking in case -server provides more than hostname cd69b4bd7c OSSL_CMP_CTX_new(): Fix distinction of out-of-memory and other errors e494fac705 Fix naming for EVP_RAND_CTX_gettable functions. 7b9f02798f Sanity check provider up-calls 6ce58488bd Store some FIPS global variables in the FIPS_GLOBAL structure 81cc5ce1a0 lifecycle: update master lifecycle transition spreadsheet fixing the ettable issue ed34837807 lifecycle: correct [sg]ettable to [sg]et b000a2f95b demos: Add clean target for bio/Makefile 42e7d2f10e Add more negative checks for integers passed to OPENSSL_malloc(). 34ed733396 SipHash: Fix CTRL API for the digest size. 4a95b70d1e Github workflows: re-implement a no-shared build a732a4c329 Add EVP_PKEY_todata() and EVP_PKEY_export() functions. 
a56fcf20da Add OID for mdc2WithRSASignature and remove related TODO 3.0 ddf0d149e2 Rename EVP_PKEY_get0_first_alg_name to EVP_PKEY_get0_type_name 9c1b19eb6f changes: note that some ctrl calls have a different error return. 7e43baed2a Do not allow creating empty RSA keys by duplication 85fcc3fb77 Remove keymgmt_copy function from the provider API b4f447c038 Add selection support to the provider keymgmt_dup function 4a9fe33c8e Implement provider-side keymgmt_dup function Build log ended with (last 100 lines): 70-test_sslcertstatus.t ok 70-test_sslextension.t . ok 70-test_sslmessages.t .. ok 70-test_sslrecords.t ... ok 70-test_sslsessiontick.t ... ok 70-test_sslsigalgs.t ... ok 70-test_sslsignature.t . ok 70-test_sslskewith0p.t . ok 70-test_sslversions.t .. ok 70-test_sslvertol.t ok 70-test_tls13alerts.t .. ok 70-test_tls13cookie.t .. ok 70-test_tls13downgrade.t ... ok 70-test_tls13hrr.t . ok 70-test_tls13kexmodes.t ok 70-test_tls13messages.t ok 70-test_tls13psk.t . ok 70-test_tlsextms.t . ok 70-test_verify_extra.t . ok 70-test_wpacket.t .. ok 71-test_ssl_ctx.t .. ok 80-test_ca.t ... ok 80-test_cipherbytes.t .. ok 80-test_cipherlist.t ... ok 80-test_ciphername.t ... ok # Killing mock server with pid=154466380-test_cmp_http.t . ok # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... ok 80-test_dane.t . ok 80-test_dtls.t . ok 80-test_dtls_mtu.t . ok 80-test_dtlsv1listen.t . ok 80-test_http.t . ok 80-test_ocsp.t . ok 80-test_pkcs12.t ... ok 80-test_ssl_new.t .. ok 80-test_ssl_old.t .. ok 80-test_ssl_test_ctx.t . ok 80-test_sslcorrupt.t ... ok 80-test_tsa.t .. ok 80-test_x509aux.t .. ok 81-test_cmp_cli.t .. ok 90-test_asn1_time.t ok 90-test_async.t ok 90-test_bio_enc.t .. ok 90-test_bio_memleak.t .. ok 90-test_constant_time.t ok 90-test_fatalerr.t . ok 90-test_fipsload.t . ok 90-test_gmdiff.t ... ok 90-test_gost.t . ok 90-test_ige.t .. ok 90-test_includes.t . ok 90-test_memleak.t .. ok 90-test_overhead.t . ok 90-test_secmem.t ... 
ok 90-test_shlibload.t ok 90-test_srp.t .. ok 90-test_sslapi.t ... ok 90-test_sslbuffers.t ... ok 90-test_store.t ok 90-test_sysdefault.t ... ok 90-test_threads.t .. ok 90-test_time_offset.t .. ok 90-test_tls13ccs.t . ok
[openssl] master update
The branch master has been updated via ee203a87ff1ff1af46a5ff11f761bdd07a5503e4 (commit) via 978e323a4dbc9e790c13cc479b68c260677dc4c4 (commit) via 92b20fb8f742d50ca9eae8c28a855df94b9a3783 (commit) from 145a4c871d9632a6eb2145f8a2b417bec58e7ee5 (commit) - Log - commit ee203a87ff1ff1af46a5ff11f761bdd07a5503e4 Author: Matt Caswell Date: Fri Apr 16 12:21:50 2021 +0100 Add a test for OSSL_LIB_CTX_set0_default Also includes testing for OSSL_LIB_CTX_get0_global_default(). Reviewed-by: Paul Dale Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14890) commit 978e323a4dbc9e790c13cc479b68c260677dc4c4 Author: Matt Caswell Date: Fri Apr 16 11:13:30 2021 +0100 Add the function OSSL_LIB_CTX_get0_global_default() An API function for obtaining the global default lib ctx. Reviewed-by: Paul Dale Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14890) commit 92b20fb8f742d50ca9eae8c28a855df94b9a3783 Author: Matt Caswell Date: Thu Apr 15 16:46:35 2021 +0100 Change the semantics of OSSL_LIB_CTX_set0_default() NULL handling Change things so that passing NULL to OSSL_LIB_CTX_set0_default() means keep the current library context unchanged. This has the advantage of simplifying error handling, e.g. you can call OSSL_LIB_CTX_set0_default in an error/finalisation block safe in the knowledge the if the "prevctx" was never set then it will be a no-op (like calling a "free" function with NULL). Fixes #14593 Reviewed-by: Paul Dale Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14890) --- Summary of changes: crypto/context.c | 18 +++ doc/man3/OSSL_LIB_CTX.pod| 22 +- include/openssl/crypto.h.in | 1 + test/context_internal_test.c | 55 util/libcrypto.num | 1 + 5 files changed, 87 insertions(+), 10 deletions(-) diff --git a/crypto/context.c b/crypto/context.c index 6c088e6628..d7671d66a8 100644 --- a/crypto/context.c +++ b/crypto/context.c 
@@ -199,18 +199,28 @@ void OSSL_LIB_CTX_free(OSSL_LIB_CTX *ctx) OPENSSL_free(ctx); } +#ifndef FIPS_MODULE +OSSL_LIB_CTX *OSSL_LIB_CTX_get0_global_default(void) +{ +if (!RUN_ONCE(_context_init, default_context_do_init)) +return NULL; + +return _context_int; +} + OSSL_LIB_CTX *OSSL_LIB_CTX_set0_default(OSSL_LIB_CTX *libctx) { -#ifndef FIPS_MODULE OSSL_LIB_CTX *current_defctx; -if ((current_defctx = get_default_context()) != NULL -&& set_default_context(libctx)) +if ((current_defctx = get_default_context()) != NULL) { +if (libctx != NULL) +set_default_context(libctx); return current_defctx; -#endif +} return NULL; } +#endif OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx) { diff --git a/doc/man3/OSSL_LIB_CTX.pod b/doc/man3/OSSL_LIB_CTX.pod index 01b6a47b48..f2bf3d9de6 100644 --- a/doc/man3/OSSL_LIB_CTX.pod +++ b/doc/man3/OSSL_LIB_CTX.pod @@ -3,7 +3,7 @@ =head1 NAME OSSL_LIB_CTX, OSSL_LIB_CTX_new, OSSL_LIB_CTX_free, OSSL_LIB_CTX_load_config, -OSSL_LIB_CTX_set0_default +OSSL_LIB_CTX_get0_global_default, OSSL_LIB_CTX_set0_default - OpenSSL library context =head1 SYNOPSIS @@ -15,6 +15,7 @@ OSSL_LIB_CTX_set0_default OSSL_LIB_CTX *OSSL_LIB_CTX_new(void); int OSSL_LIB_CTX_load_config(OSSL_LIB_CTX *ctx, const char *config_file); void OSSL_LIB_CTX_free(OSSL_LIB_CTX *ctx); + OSSL_LIB_CTX *OSSL_LIB_CTX_get0_global_default(void); OSSL_LIB_CTX *OSSL_LIB_CTX_set0_default(OSSL_LIB_CTX *ctx); =head1 DESCRIPTION 
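Review bot: In the new OSSL_LIB_CTX_set0_default() the result of `set_default_context(libctx)` is discarded, whereas the removed condition `&& set_default_context(libctx)` made the function return NULL when the switch failed. As written, a failed switch still returns the previous context, so the caller cannot tell that the thread is still on the old default. For code that switches to a more restricted library context, that would mean later operations silently run against the wrong one. I would keep the check with `if (libctx != NULL && !set_default_context(libctx)) return NULL;` ahead of `return current_defctx;`. This stays consistent with the documentation hunk, which promises a non-NULL return only on success.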
@@ -38,10 +39,17 @@ from a configuration. OSSL_LIB_CTX_free() frees the given I, unless it happens to be the default OpenSSL library context. +OSSL_LIB_CTX_get0_global_default() returns a concrete (non NULL) reference to +the global default library context. + OSSL_LIB_CTX_set0_default() sets the default OpenSSL library context to be I in the current thread. The previous default library context is returned. Care should be taken by the caller to restore the previous -default library context with a subsequent call of this function. +default library context with a subsequent call of this function. If I is +NULL then no change is made to the default library context, but a pointer to +the current library context is still returned. On a successful call of this +function the returned value will always be a concrete (non NULL) library +context. Care should be taken when changing the default library context and starting async jobs (see L), as the default library context when @@ -53,15 +61,17 @@ that job has
[openssl] master update
The branch master has been updated via 145a4c871d9632a6eb2145f8a2b417bec58e7ee5 (commit) from 21d1994faf7f6e41ad3221caeab2385e3aaba892 (commit) - Log - commit 145a4c871d9632a6eb2145f8a2b417bec58e7ee5 Author: Matt Caswell Date: Thu Apr 15 16:32:45 2021 +0100 Remove a TODO(3.0) from keymgmt_lib.c The TODO suggest a possible refactoring. The refactoring doesn't seem necessary at this stage. If it is required later it can be done without affecting external APIs - so just remove the TODO. Fixes #14397 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14888) --- Summary of changes: crypto/evp/keymgmt_lib.c | 4 1 file changed, 4 deletions(-) diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c index f196bc4d88..f3118a76c9 100644 --- a/crypto/evp/keymgmt_lib.c +++ b/crypto/evp/keymgmt_lib.c @@ -123,10 +123,6 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) CRYPTO_THREAD_unlock(pk->lock); /* If the "origin" |keymgmt| doesn't support exporting, give up */ -/* - * TODO(3.0) consider an evp_keymgmt_export() return value that indicates - * that the method is unsupported. - */ if (pk->keymgmt->export == NULL) return NULL;
[openssl] master update
The branch master has been updated via 21d1994faf7f6e41ad3221caeab2385e3aaba892 (commit) from 57e7401fc5c6af8e9266a721be669a3b70fbfb3f (commit) - Log - commit 21d1994faf7f6e41ad3221caeab2385e3aaba892 Author: Matt Caswell Date: Thu Apr 15 16:16:59 2021 +0100 Don't worry about magic in the Makefile for 3.0 We remove a TODO(3.0) from the unix Makefile template. The current approach works. It can be improved later. Fixes #14403 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14887) --- Summary of changes: Configurations/unix-Makefile.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 64c5faff18..c4755c54cd 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -1696,7 +1696,7 @@ EOF @{$args{objs}}; my @deps = compute_lib_depends(@{$args{deps}}); my $shared_def = join("", map { ' '.$target{shared_defflag}.$_ } @defs); - # TODO(3.0): next line needs to become "less magic" (see PR #11950) + # Next line needs to become "less magic" (see PR #11950) $shared_def .= ' '.$target{shared_fipsflag} if (m/providers\/fips/ && defined $target{shared_fipsflag}); my $objs = join(" \\\n\t\t", fill_lines(' ', $COLUMNS - 16, @objs)); my $deps = join(" \\\n" . ' ' x (length($dso) + 2),
[openssl] master update
The branch master has been updated via 57e7401fc5c6af8e9266a721be669a3b70fbfb3f (commit) from b247113c053903ebb61a54ba5324847ba883ed70 (commit) - Log - commit 57e7401fc5c6af8e9266a721be669a3b70fbfb3f Author: Matt Caswell Date: Thu Apr 15 10:00:40 2021 +0100 Fix some TODO(3.0) occurrences in ssl/t1_lib.c One was related to probing for the combination of signature and hash algorithm together. This is currently not easily possible. The TODO(3.0) is converted to a normal comment and I've raised the problem as issue number #14885 as something to resolve post 3.0. The other TODO was a hard coded limit on the number of groups that could be registered. This has been amended so that there is no limit. Fixes #14333 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14886) --- Summary of changes: ssl/t1_lib.c| 38 +++-- test/tls-provider.c | 61 +++-- 2 files changed, 82 insertions(+), 17 deletions(-) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 31873a3fa2..14c16e355d 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -691,13 +691,13 @@ err: return 0; } -/* TODO(3.0): An arbitrary amount for now. Take another look at this */ -# define MAX_GROUPLIST 40 +# define GROUPLIST_INCREMENT 40 # define GROUP_NAME_BUFFER_LENGTH 64 typedef struct { SSL_CTX *ctx; size_t gidcnt; -uint16_t gid_arr[MAX_GROUPLIST]; +size_t gidmax; +uint16_t *gid_arr; } gid_cb_st; static int gid_cb(const char *elem, int len, void *arg) @@ -709,8 +709,14 @@ static int gid_cb(const char *elem, int len, void *arg) if (elem == NULL) return 0; -if (garg->gidcnt == MAX_GROUPLIST) -return 0; +if (garg->gidcnt == garg->gidmax) { +uint16_t *tmp = +OPENSSL_realloc(garg->gid_arr, garg->gidmax + GROUPLIST_INCREMENT); +if (tmp == NULL) +return 0; +garg->gidmax += GROUPLIST_INCREMENT; +garg->gid_arr = tmp; +} if (len > (int)(sizeof(etmp) - 1)) return 0; memcpy(etmp, elem, len); 
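Review bot: The `OPENSSL_realloc()` call added to gid_cb passes `garg->gidmax + GROUPLIST_INCREMENT` as the new size, which is an element count rather than a byte count. The initial allocation in tls1_set_groups_list (next hunk) is `gcb.gidmax * sizeof(*gcb.gid_arr)`, so the first grow requests no more bytes than are already allocated while `gidmax` doubles, and the 41st and later group ids are written past the end of the heap buffer. The list string presumably comes from application or configuration input, so a list of more than 40 groups would reach this. The size argument should be `(garg->gidmax + GROUPLIST_INCREMENT) * sizeof(*garg->gid_arr)`. gid_cb's body continues outside this hunk.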
@@ -732,13 +738,20 @@ int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen, { gid_cb_st gcb; uint16_t *tmparr; +int ret = 0; gcb.gidcnt = 0; +gcb.gidmax = GROUPLIST_INCREMENT; +gcb.gid_arr = OPENSSL_malloc(gcb.gidmax * sizeof(*gcb.gid_arr)); +if (gcb.gid_arr == NULL) +return 0; gcb.ctx = ctx; if (!CONF_parse_list(str, ':', 1, gid_cb, )) -return 0; -if (pext == NULL) -return 1; +goto end; +if (pext == NULL) { +ret = 1; +goto end; +} /* * gid_cb ensurse there are no duplicates so we can just go ahead and set @@ -746,10 +759,13 @@ int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen, */ tmparr = OPENSSL_memdup(gcb.gid_arr, gcb.gidcnt * sizeof(*tmparr)); if (tmparr == NULL) -return 0; +goto end; *pext = tmparr; *pextlen = gcb.gidcnt; -return 1; +ret = 1; + end: +OPENSSL_free(gcb.gid_arr); +return ret; } /* Check a group id matches preferences */ @@ -1142,7 +1158,7 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) /* * Check hash is available. - * TODO(3.0): This test is not perfect. A provider could have support + * This test is not perfect. A provider could have support * for a signature scheme, but not a particular hash. However the hash * could be available from some other loaded provider. In that case it * could be that the signature is available, and the hash is available diff --git a/test/tls-provider.c b/test/tls-provider.c index 482c3aa0da..d9d52664b2 100644 --- a/test/tls-provider.c +++ b/test/tls-provider.c @@ -14,6 +14,7 @@ #include /* For TLS1_3_VERSION */ #include +#include static OSSL_FUNC_keymgmt_import_fn xor_import; static OSSL_FUNC_keymgmt_import_types_fn xor_import_types; 
@@ -167,16 +168,52 @@ static const OSSL_PARAM xor_kemgroup_params[] = { OSSL_PARAM_END }; +#define NUM_DUMMY_GROUPS 50 +static char *dummy_group_names[NUM_DUMMY_GROUPS]; static int tls_prov_get_capabilities(void *provctx, const char *capability, OSSL_CALLBACK *cb, void *arg) { -if (strcmp(capability, "TLS-GROUP") == 0) -return cb(xor_group_params, arg) -&& cb(xor_kemgroup_params, arg); +int ret; +int i; +const char *dummy_base = "dummy"; +const size_t dummy_name_max_size = strlen(dummy_base) + 3; + +if (strcmp(capability, "TLS-GROUP") != 0) { +/* We don't support this capability */ +return 0; +} + +/* Register our 2 groups */ +ret =
[openssl] master update
The branch master has been updated via b247113c053903ebb61a54ba5324847ba883ed70 (commit) from 5ae52001e115452ca285713feb1c2feaf07902ad (commit) - Log - commit b247113c053903ebb61a54ba5324847ba883ed70 Author: Tomas Mraz Date: Tue Apr 13 17:31:08 2021 +0200 Detect low-level engine and app method based keys The low-level engine and app method based keys have to be treated as foreign and must be used with old legacy pmeths. Fixes #14632 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14859) --- Summary of changes: crypto/dh/dh_backend.c | 13 ++--- crypto/dsa/dsa_backend.c | 13 ++--- crypto/ec/ec_backend.c | 10 ++ crypto/evp/p_lib.c | 41 ++--- crypto/evp/pmeth_lib.c | 4 +++- crypto/rsa/rsa_backend.c | 13 +++-- include/crypto/dh.h | 1 + include/crypto/dsa.h | 1 + include/crypto/ec.h | 1 + include/crypto/evp.h | 3 ++- include/crypto/rsa.h | 1 + 11 files changed, 88 insertions(+), 13 deletions(-) diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c index 18cf3f5992..a727d5c87b 100644 --- a/crypto/dh/dh_backend.c +++ b/crypto/dh/dh_backend.c @@ -118,6 +118,15 @@ int ossl_dh_key_todata(DH *dh, OSSL_PARAM_BLD *bld, OSSL_PARAM params[]) return 1; } +int ossl_dh_is_foreign(const DH *dh) +{ +#ifndef FIPS_MODULE +if (dh->engine != NULL || ossl_dh_get_method(dh) != DH_OpenSSL()) +return 1; +#endif +return 0; +} + static ossl_inline int dh_bn_dup_check(BIGNUM **out, const BIGNUM *f) { if (f != NULL && (*out = BN_dup(f)) == NULL) @@ -129,11 +138,9 @@ DH *ossl_dh_dup(const DH *dh, int selection) { DH *dupkey = NULL; -#ifndef FIPS_MODULE /* Do not try to duplicate foreign DH keys */ -if (ossl_dh_get_method(dh) != DH_OpenSSL()) +if (ossl_dh_is_foreign(dh)) return NULL; -#endif if ((dupkey = ossl_dh_new_ex(dh->libctx)) == NULL) return NULL; diff --git a/crypto/dsa/dsa_backend.c b/crypto/dsa/dsa_backend.c index 2ef8cbc9f3..e4fa070f23 100644 --- a/crypto/dsa/dsa_backend.c +++ b/crypto/dsa/dsa_backend.c 
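Review bot: The new ossl_dh_is_foreign() has no comment stating its contract, and the same applies to ossl_dsa_is_foreign() and ossl_ec_key_is_foreign() in the following file sections. These helpers now gate whether a key may be duplicated, so I would put one comment above each, e.g. `/* Returns 1 if the key is bound to an ENGINE or uses a non-default method, 0 otherwise; always 0 in the FIPS module. */`. In ossl_ec_key_is_foreign() there is also a stray blank line before the closing brace.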
@@ -57,6 +57,15 @@ int ossl_dsa_key_fromdata(DSA *dsa, const OSSL_PARAM params[]) return 0; } +int ossl_dsa_is_foreign(const DSA *dsa) +{ +#ifndef FIPS_MODULE +if (dsa->engine != NULL || DSA_get_method((DSA *)dsa) != DSA_OpenSSL()) +return 1; +#endif +return 0; +} + static ossl_inline int dsa_bn_dup_check(BIGNUM **out, const BIGNUM *f) { if (f != NULL && (*out = BN_dup(f)) == NULL) @@ -68,11 +77,9 @@ DSA *ossl_dsa_dup(const DSA *dsa, int selection) { DSA *dupkey = NULL; -#ifndef FIPS_MODULE /* Do not try to duplicate foreign DSA keys */ -if (DSA_get_method((DSA *)dsa) != DSA_OpenSSL()) +if (ossl_dsa_is_foreign(dsa)) return NULL; -#endif if ((dupkey = ossl_dsa_new(dsa->libctx)) == NULL) return NULL; diff --git a/crypto/ec/ec_backend.c b/crypto/ec/ec_backend.c index 0189a33a91..e9843eb4ac 100644 --- a/crypto/ec/ec_backend.c +++ b/crypto/ec/ec_backend.c @@ -520,6 +520,16 @@ int ossl_ec_key_otherparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[]) return 1; } +int ossl_ec_key_is_foreign(const EC_KEY *ec) +{ +#ifndef FIPS_MODULE +if (ec->engine != NULL || EC_KEY_get_method(ec) != EC_KEY_OpenSSL()) +return 1; +#endif +return 0; + +} + EC_KEY *ossl_ec_key_dup(const EC_KEY *src, int selection) { EC_KEY *ret = ossl_ec_key_new_method_int(src->libctx, src->propq, diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 407ef22154..db334fb1ef 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -37,14 +37,15 @@ #include "internal/ffc.h" #include "crypto/asn1.h" #include "crypto/evp.h" +#include "crypto/dh.h" +#include "crypto/dsa.h" #include "crypto/ec.h" #include "crypto/ecx.h" +#include "crypto/rsa.h" #include "crypto/x509.h" #include "internal/provider.h" #include "evp_local.h" -#include "crypto/ec.h" - #include "e_os.h"/* strcasecmp on Windows */ static int pkey_set_type(EVP_PKEY *pkey, ENGINE *e, int type, const char *str, 
@@ -691,6 +692,38 @@ ENGINE *EVP_PKEY_get0_engine(const EVP_PKEY *pkey) # endif # ifndef OPENSSL_NO_DEPRECATED_3_0 +static void detect_foreign_key(EVP_PKEY *pkey) +{ +switch (pkey->type) { +case EVP_PKEY_RSA: +pkey->foreign = pkey->pkey.rsa != NULL +&& ossl_rsa_is_foreign(pkey->pkey.rsa); +break; +# ifndef OPENSSL_NO_EC +case EVP_PKEY_SM2: +case EVP_PKEY_EC: +pkey->foreign = pkey->pkey.ec != NULL +&& ossl_ec_key_is_foreign(pkey->pkey.ec); +break; +# endif +# ifndef OPENSSL_NO_DSA +case EVP_PKEY_DSA: +pkey->foreign = pkey->pkey.dsa !=
[openssl] master update
The branch master has been updated via 5ae52001e115452ca285713feb1c2feaf07902ad (commit) via daf98015aac8bf392cf95edf9a54d845c1c22fd7 (commit) via 491a1e3363228e8276ee293a86acd7a961ffe9d3 (commit) via 16f2a44435fccbd7466b0659220c765a17e5d0c0 (commit) via 96d4ec6724a9ecc5d193172d0cf1a347f428372a (commit) via 6afb36342d4bc63a774fd96088ededfc00401e1d (commit) via 5fee3fe2760d65a141873601c4b7b9fd2fc5c7b1 (commit) via c4f4cb14e3f06362c2ee9e0e480b816ab46f15b6 (commit) via 55aa235e85e156bf71c339804ef317ad4d0f27a5 (commit) via d5a6b54b49905cdb4edfe1e1caf9656896171cb6 (commit) via 847f41d97c966707d45da5640792e3bd8f8d23fd (commit) via 583a9f1f6b0d0842f8d63a21c335b24494fc67bc (commit) via f1ee757daaf8ea1000c6558abd1ffc8ad5234c09 (commit) via a8368d573e5b4553e7344dd37239da6d72480832 (commit) via a75a87561b491fc9b96b15153eba1f5e142280c5 (commit) via 830cd025b199fab165a378884fb5b4373799bde9 (commit) via 8557bdde4836b4dc63ad305c9f3c648816a05e86 (commit) via e15eff3aaabe17be37ec42ae7ca342cbf2a2733c (commit) via 118faf5ffe2ba495407f482a8d8438b7d266815c (commit) via 23f3242ffe8613411714eb9350275371059c7bfe (commit) via 1bb381227b432676451ead3f9d4b92352464e9cc (commit) from a4afa6c1d00c027a5afc8974a298e0f54607f1b5 (commit) - Log - commit 5ae52001e115452ca285713feb1c2feaf07902ad Author: Tanzinul Islam Date: Mon Dec 14 23:31:49 2020 + Remove crypt32.lib from C++Builder configuration `import32.lib` serves the purpose for most Windows API libraries, including this one. 
For example, with a GNU `grep` utility: >tdump %BDS%\lib\win32c\release\import32.lib | grep -B 3 -A 1 CertOpenStore 171E32 COMENT Purge: Yes, List: Yes, Class: 160 (0A0h), SubClass: 1 (01h) Dynamic link import (IMPDEF) Imported by: name Internal Name: CertOpenStore Module Name: CRYPT32.dll Reviewed-by: Richard Levitte Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/13540) commit daf98015aac8bf392cf95edf9a54d845c1c22fd7 Author: Tanzinul Islam Date: Sun Dec 13 18:04:43 2020 + Link with uplink module The Clang-based `bcc32c.exe` expects AT&T syntax for inline assembly. References: - http://docwiki.embarcadero.com/RADStudio/Sydney/en/Differences_Between_Clang-enhanced_C%2B%2B_Compilers_and_Previous-Generation_C%2B%2B_Compilers#Inline_Assembly - https://gcc.gnu.org/onlinedocs/gcc/Extended-Asm.html - https://sourceware.org/binutils/docs/as/i386_002dVariations.html Reviewed-by: Richard Levitte Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/13540) commit 491a1e3363228e8276ee293a86acd7a961ffe9d3 Author: Tanzinul Islam Date: Sun Dec 13 18:01:46 2020 + Link with .def files MSVC's `link.exe` automatically finds `__cdecl` C functions (which are decorated with a leading underscore by the compiler) when they are mentioned in a `.def` file without the leading underscore. This is an [under-documented feature][1] of MSVC's `link.exe`. C++Builder's `ilink32.exe` doesn't do this, and thus needs the name-translation in the `.def` file. Then `implib.exe` needs to be told to re-add it. (The Clang-based `bcc32c.exe` doesn't implement the [`-vu` or `-u-`][2] options to skip adding the leading underscore to `__cdecl` C function names, so this is the only way to have things work with non-underscored export names in the DLLs.)
[1]: https://github.com/MicrosoftDocs/cpp-docs/issues/2653 [2]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/Options_Not_Supported_by_Clang-enhanced_C%2B%2B_Compilers#BCC32_Options_that_Are_Not_Supported_by_Clang-enhanced_C.2B.2B_Compilers Also silence linker warnings on duplicate symbols and ensure that error-case cleanup in link rules work in C++Builder's `make.exe`. Reviewed-by: Richard Levitte Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/13540) commit 16f2a44435fccbd7466b0659220c765a17e5d0c0 Author: Tanzinul Islam Date: Thu Dec 10 14:53:07 2020 + Generate dependency information The Clang-based `bcc32c.exe` doesn't implement the `-Hp` option, so we have to use [`cpp32.exe`][1] instead. Therefore, change the dependency-emitting command to use `$(CPP)` instead of `$(CC)`, which also uncovered the [existing bug of `2>&1` before `> $dep`][2]. Also C++Builder's `make.exe` doesn't implement `2>&1` in its command runner, so wrap the whole line in a `cmd /C`. [1]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/CPP32.EXE,_the_C_Compiler_Preprocessor [2]:
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des
Platform and configuration command: $ uname -a Linux run 5.4.0-70-generic #78-Ubuntu SMP Fri Mar 19 13:29:52 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: 05aed12f54 CORE: pre-populate the namemap with legacy OIDs too a0fff549e6 TEST: Use OSSL_MAX_NAME_SIZE instead of arbitrary number of mdname 01ba6c8e43 CORE: Register all legacy "names" when generating the initial namemap ad57a13bb8 Modify OBJ_nid2sn(OBJ_obj2nid(...)) occurences to use OBJ_obj2txt() 42423ac961 TEST: Modify how the retrieved digest name for SM2 digestsign is checked 6ee1ae3293 TEST: Modify testutil's run_tests to display NOSUBTEST cases individually ebb3c82b9c TEST: Modify test/evp_fetch_prov_test.c to also fetch by OID e2f5df3613 PROV: Add OIDs we know to all provider applicable algorithms f6c95e46c0 Add "origin" field to EVP_CIPHER, EVP_MD 543e740b95 Standard style for all EVP_xxx_free routines ad72484909 Fix typo in aesccm.c 44c75ba67d apps/cmp.c: Fix TLS hostname checking in case -server provides more than hostname cd69b4bd7c OSSL_CMP_CTX_new(): Fix distinction of out-of-memory and other errors e494fac705 Fix naming for EVP_RAND_CTX_gettable functions. 7b9f02798f Sanity check provider up-calls 6ce58488bd Store some FIPS global variables in the FIPS_GLOBAL structure 81cc5ce1a0 lifecycle: update master lifecycle transition spreadsheet fixing the ettable issue ed34837807 lifecycle: correct [sg]ettable to [sg]et b000a2f95b demos: Add clean target for bio/Makefile 42e7d2f10e Add more negative checks for integers passed to OPENSSL_malloc(). 34ed733396 SipHash: Fix CTRL API for the digest size. 4a95b70d1e Github workflows: re-implement a no-shared build a732a4c329 Add EVP_PKEY_todata() and EVP_PKEY_export() functions. 
a56fcf20da Add OID for mdc2WithRSASignature and remove related TODO 3.0 ddf0d149e2 Rename EVP_PKEY_get0_first_alg_name to EVP_PKEY_get0_type_name 9c1b19eb6f changes: note that some ctrl calls have a different error return. 7e43baed2a Do not allow creating empty RSA keys by duplication 85fcc3fb77 Remove keymgmt_copy function from the provider API b4f447c038 Add selection support to the provider keymgmt_dup function 4a9fe33c8e Implement provider-side keymgmt_dup function Build log ended with (last 100 lines): 70-test_sslrecords.t ... ok 70-test_sslsessiontick.t ... ok 70-test_sslsigalgs.t ... ok 70-test_sslsignature.t . ok 70-test_sslskewith0p.t . ok 70-test_sslversions.t .. ok 70-test_sslvertol.t ok 70-test_tls13alerts.t .. ok 70-test_tls13cookie.t .. ok 70-test_tls13downgrade.t ... ok 70-test_tls13hrr.t . ok 70-test_tls13kexmodes.t ok 70-test_tls13messages.t ok 70-test_tls13psk.t . ok 70-test_tlsextms.t . ok 70-test_verify_extra.t . ok 70-test_wpacket.t .. ok 71-test_ssl_ctx.t .. ok 80-test_ca.t ... ok 80-test_cipherbytes.t .. ok 80-test_cipherlist.t ... ok 80-test_ciphername.t ... ok # Killing mock server with pid=121383980-test_cmp_http.t . ok # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... ok 80-test_dane.t . ok 80-test_dtls.t . ok 80-test_dtls_mtu.t . ok 80-test_dtlsv1listen.t . ok 80-test_http.t . ok 80-test_ocsp.t . ok 80-test_pkcs12.t ... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .. ok 80-test_ssl_old.t .. ok 80-test_ssl_test_ctx.t . ok 80-test_sslcorrupt.t ... ok 80-test_tsa.t .. ok 80-test_x509aux.t .. ok 81-test_cmp_cli.t .. ok 90-test_asn1_time.t ok 90-test_async.t ok 90-test_bio_enc.t .. ok 90-test_bio_memleak.t .. ok 90-test_constant_time.t ok 90-test_fatalerr.t . ok 90-test_fipsload.t . ok 90-test_gmdiff.t ... ok 90-test_gost.t . ok 90-test_ige.t .. ok 90-test_includes.t . ok 90-test_memleak.t .. ok 90-test_overhead.t . ok 90-test_secmem.t ... 
ok 90-test_shlibload.t ok 90-test_srp.t .. ok 90-test_sslapi.t ... ok 90-test_sslbuffers.t ... ok 90-test_store.t ok 90-test_sysdefault.t ... ok 90-test_threads.t .. ok 90-test_time_offset.t .. ok 90-test_tls13ccs.t . ok 90-test_tls13encryption.t .. ok
[openssl] master update
The branch master has been updated via a4afa6c1d00c027a5afc8974a298e0f54607f1b5 (commit) via d6c6f6c51d0d9bb02d5b40a8a69471f6a2929617 (commit) from ae6f65ae08262d4c32575ad94e491d9fb59f00ff (commit) - Log - commit a4afa6c1d00c027a5afc8974a298e0f54607f1b5 Author: Tomas Mraz Date: Thu Apr 15 11:53:42 2021 +0200 Add test for the IV handling of DES based ciphers Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14882) commit d6c6f6c51d0d9bb02d5b40a8a69471f6a2929617 Author: Tomas Mraz Date: Thu Apr 15 09:55:04 2021 +0200 Do IV reset also for DES and 3DES implementations Fixes #14704 Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14882) --- Summary of changes: providers/implementations/ciphers/cipher_des.c | 3 + .../implementations/ciphers/cipher_tdes_common.c | 6 ++ test/evp_extra_test.c | 112 - 3 files changed, 119 insertions(+), 2 deletions(-) diff --git a/providers/implementations/ciphers/cipher_des.c b/providers/implementations/ciphers/cipher_des.c index 9010ce9099..4563ea2edb 100644 --- a/providers/implementations/ciphers/cipher_des.c +++ b/providers/implementations/ciphers/cipher_des.c @@ -86,6 +86,9 @@ static int des_init(void *vctx, const unsigned char *key, size_t keylen, if (iv != NULL) { if (!ossl_cipher_generic_initiv(ctx, iv, ivlen)) return 0; +} else if (ctx->iv_set) { +/* reset IV to keep compatibility with 1.1.1 */ +memcpy(ctx->iv, ctx->oiv, ctx->ivlen); } if (key != NULL) { diff --git a/providers/implementations/ciphers/cipher_tdes_common.c b/providers/implementations/ciphers/cipher_tdes_common.c index 048b08661d..88acc16049 100644 --- a/providers/implementations/ciphers/cipher_tdes_common.c +++ b/providers/implementations/ciphers/cipher_tdes_common.c 
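Review bot: The comment on the new `else if (ctx->iv_set)` branch in `des_init()` gives the reason (1.1.1 compatibility) but not the consequence. Re-initialising with `iv == NULL` now copies `ctx->oiv`, apparently the IV originally supplied, back into `ctx->iv`, so consecutive messages under the same key start from the same IV. I would say so where the copy happens, e.g. `/* No IV given: restart from the original IV (1.1.1 behaviour); callers needing a fresh IV per message must pass one. */`. The same wording fits the matching branch in `tdes_init()` in cipher_tdes_common.c. `des_init()` begins and ends outside this hunk.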
@@ -77,6 +77,12 @@ static int tdes_init(void *vctx, const unsigned char *key, size_t keylen, if (iv != NULL) { if (!ossl_cipher_generic_initiv(ctx, iv, ivlen)) return 0; +} else if (ctx->iv_set + && (ctx->mode == EVP_CIPH_CBC_MODE + || ctx->mode == EVP_CIPH_CFB_MODE + || ctx->mode == EVP_CIPH_OFB_MODE)) { +/* reset IV to keep compatibility with 1.1.1 */ +memcpy(ctx->iv, ctx->oiv, ctx->ivlen); } if (key != NULL) { diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index a9eec323a0..6140e16e26 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -2447,7 +2447,7 @@ static int test_rand_agglomeration(void) * an encryption operation. * Run multiple times for some different relevant algorithms/modes. */ -static int test_evp_iv(int idx) +static int test_evp_iv_aes(int idx) { int ret = 0; EVP_CIPHER_CTX *ctx = NULL; 
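Review bot: `tdes_init()` restores the IV only when `ctx->mode` is CBC, CFB or OFB, while the `des_init()` change in cipher_des.c copies `ctx->ivlen` bytes whenever `ctx->iv_set` is true, with no mode test. If the mode test is needed here it is presumably needed there too, and if `iv_set` already implies an IV-using mode the test is redundant here. Either the two branches should read the same, or a one-line comment should say why 3DES differs (possibly another mode shares this init function; that is not visible in the hunk). The enclosing function continues outside the hunk.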
@@ -2584,6 +2584,111 @@ err: return ret; } +#ifndef OPENSSL_NO_DES +static int test_evp_iv_des(int idx) +{ +int ret = 0; +EVP_CIPHER_CTX *ctx = NULL; +static const unsigned char key[24] = { +0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, +0xf1, 0xe0, 0xd3, 0xc2, 0xb5, 0xa4, 0x97, 0x86, +0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 +}; +static const unsigned char init_iv[8] = { +0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 +}; +static const unsigned char msg[] = { 1, 2, 3, 4, 5, 6, 7, 8, + 9, 10, 11, 12, 13, 14, 15, 16 }; +unsigned char ciphertext[32], oiv[8], iv[8]; +unsigned const char *ref_iv; +static const unsigned char cbc_state_des[8] = { +0x4f, 0xa3, 0x85, 0xcd, 0x8b, 0xf3, 0x06, 0x2a +}; +static const unsigned char cbc_state_3des[8] = { +0x35, 0x27, 0x7d, 0x65, 0x6c, 0xfb, 0x50, 0xd9 +}; +static const unsigned char ofb_state_des[8] = { +0xa7, 0x0d, 0x1d, 0x45, 0xf9, 0x96, 0x3f, 0x2c +}; +static const unsigned char ofb_state_3des[8] = { +0xab, 0x16, 0x24, 0xbb, 0x5b, 0xac, 0xed, 0x5e +}; +static const unsigned char cfb_state_des[8] = { +0x91, 0xeb, 0x6d, 0x29, 0x4b, 0x08, 0xbd, 0x73 +}; +static const unsigned char cfb_state_3des[8] = { +0x34, 0xdd, 0xfb, 0x47, 0x33, 0x1c, 0x61, 0xf7 +}; +int len = sizeof(ciphertext); +size_t ivlen, ref_len; +EVP_CIPHER *type = NULL; + +if (lgcyprov == NULL && idx < 3) +return TEST_skip("Test requires legacy provider to be loaded"); + +switch(idx) { +case 0: +type = EVP_CIPHER_fetch(testctx, "des-cbc", testpropq); +ref_iv = cbc_state_des; +ref_len = sizeof(cbc_state_des); +break; +case 1: +type = EVP_CIPHER_fetch(testctx, "des-ofb", testpropq); +ref_iv = ofb_state_des; +