Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2-method
Platform and configuration command:

$ uname -a
Linux run 5.4.0-70-generic #78-Ubuntu SMP Fri Mar 19 13:29:52 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-tls1_2-method

Commit log since last time:

05aed12f54 CORE: pre-populate the namemap with legacy OIDs too
a0fff549e6 TEST: Use OSSL_MAX_NAME_SIZE instead of arbitrary number of mdname
01ba6c8e43 CORE: Register all legacy "names" when generating the initial namemap
ad57a13bb8 Modify OBJ_nid2sn(OBJ_obj2nid(...)) occurences to use OBJ_obj2txt()
42423ac961 TEST: Modify how the retrieved digest name for SM2 digestsign is checked
6ee1ae3293 TEST: Modify testutil's run_tests to display NOSUBTEST cases individually
ebb3c82b9c TEST: Modify test/evp_fetch_prov_test.c to also fetch by OID
e2f5df3613 PROV: Add OIDs we know to all provider applicable algorithms
f6c95e46c0 Add "origin" field to EVP_CIPHER, EVP_MD
543e740b95 Standard style for all EVP_xxx_free routines
ad72484909 Fix typo in aesccm.c
44c75ba67d apps/cmp.c: Fix TLS hostname checking in case -server provides more than hostname
cd69b4bd7c OSSL_CMP_CTX_new(): Fix distinction of out-of-memory and other errors
e494fac705 Fix naming for EVP_RAND_CTX_gettable functions.
7b9f02798f Sanity check provider up-calls
6ce58488bd Store some FIPS global variables in the FIPS_GLOBAL structure
81cc5ce1a0 lifecycle: update master lifecycle transition spreadsheet fixing the ettable issue
ed34837807 lifecycle: correct [sg]ettable to [sg]et
b000a2f95b demos: Add clean target for bio/Makefile
42e7d2f10e Add more negative checks for integers passed to OPENSSL_malloc().
34ed733396 SipHash: Fix CTRL API for the digest size.
4a95b70d1e Github workflows: re-implement a no-shared build
a732a4c329 Add EVP_PKEY_todata() and EVP_PKEY_export() functions.
a56fcf20da Add OID for mdc2WithRSASignature and remove related TODO 3.0
ddf0d149e2 Rename EVP_PKEY_get0_first_alg_name to EVP_PKEY_get0_type_name
9c1b19eb6f changes: note that some ctrl calls have a different error return.
7e43baed2a Do not allow creating empty RSA keys by duplication
85fcc3fb77 Remove keymgmt_copy function from the provider API
b4f447c038 Add selection support to the provider keymgmt_dup function
4a9fe33c8e Implement provider-side keymgmt_dup function
b9cd82f95b 80-test_cmp_http.t: Extend diagnostics of mock server launch
cfe20aee3b 80-test_cmp_http.t: Silence check for availability of 'kill' and 'lsof' commands
c6df354c2a 80-test_cmp_http.t: Fix resumption when skipping after mock server launch failed
aed03a1209 apps/cmp: Add generic random state options, e.g., for nonce generation
3206e41c0e openssl-cmp.pod.in: Fix missing provider options description
9518f8957a cmp_util.c: Fix OSSL_CMP_log_open() in case OPENSSL_NO_TRACE
f56c9c7c94 APPS and TEST: Make sure prog name is set for usage output
3ad6030948 APPS: make apps strict on app_RAND_load() and app_RAND_write() failure
456541f0b7 Document the invariants for the empty X509_NAME encoding
74bcbea76f X509_NAME_cmp: if canon_enclen is 0 for both names return 0
d32fc2c51b bio_printf: add \0 terminators for error returns in floating point conversions.
586d9436c8 bio: note that BIO_sprintf null terminates on insufficient space.
4e1ebda9d9 bio: add a malloc failed error to BIO_print
5c10724387 Add some additional NULL checks to prevent segfaults.
46eee7104d Add domain parameter match check for DH and ECDH key exchange.
0d5bbaaae2 Remove a TODO(3.0) from X509_PUBKEY_set
89947af2c5 crypto: raise error on malloc failure clean a few style nits.
f691578bdc nits: fix a few typo in template code
c6e090fe17 doc: Fix formatting
feba11cf2e Handle set_alpn_protos inputs better.
3ab736acb8 util/wrap.pl: use the apps/openssl.cnf from the source tree
0f10196042 apps: call ERR_print_errors when OSSL_PROVIDER_load fails
b47e7bbc41 Note deprecated function/macros with no replacement.
9acbbbae6b Fix windows compiler error in kmac_prov.c
3fed27181a Add FIPS Self test for AES_ECB decrypt
28fd895305 Remove the function EVP_PKEY_set_alias_type
6878f43002 Update KTLS documentation
a3a54179b6 Only enable KTLS if it is explicitly configured
4ec4b063e0 Always reset IV for CBC, OFB, and CFB mode on cipher context reinit
3f883c7c83 Replace OSSL_PARAM_BLD_free_params() with OSSL_PARAM_free().
884314cab7 Add OSSL_PARAM_dup() and OSSL_PARAM_merge().
d36114d7cd kmac: update the documention for the customisation string maximum length
13eaa4ecaa kmac: fix customistation string overflow bug
810a169eb2 kmac: add long customisation string example
e3c2a55d47 Add additional KMAC error

Build log ended with (last 100 lines):

(less 4 skipped subtests: 2 okay)
70-test_sslmessages.t .. skipped: test_sslmessages needs TLS enabled
70-test_sslrecords.t ... skipped: test_sslrecords needs TLSv1.2 enabled
70-test_sslsessiontick.t ... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled
70-test_sslsigalgs.t ... ok
[openssl] master update
The branch master has been updated via 4e030ed45dbf56be2f09d86f76f697ae6a0c567f (commit) from 2ec6491669d1a93a5c4a445715aae6b1582cb2a4 (commit) - Log - commit 4e030ed45dbf56be2f09d86f76f697ae6a0c567f Author: Dr. David von Oheimb Date: Mon Apr 19 16:03:53 2021 +0200 apps/cmp.c: Fix double free on OSSL_CMP_CTX_set1_p10CSR() failure Fixes #14910 Also slightly improve further error handling of setup_request_ctx(). Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14929) --- Summary of changes: apps/cmp.c | 17 +++-- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/apps/cmp.c b/apps/cmp.c index 644fb545d2..da28c3215e 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -1580,18 +1580,15 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) if (opt_cmd == CMP_GENM) { CMP_warn("-csr option is ignored for command 'genm'"); } else { -csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR"); -if (csr == NULL) +if ((csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR")) == NULL) return 0; -if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) { -X509_REQ_free(csr); +if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) goto oom; -} } } if (opt_reqexts != NULL || opt_policies != NULL) { if ((exts = sk_X509_EXTENSION_new_null()) == NULL) -goto exts_err; +goto oom; X509V3_set_ctx(_ctx, NULL, NULL, csr, NULL, X509V3_CTX_REPLACE); X509V3_set_nconf(_ctx, conf); if (opt_reqexts != NULL @@ -1607,15 +1604,14 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) goto exts_err; } OSSL_CMP_CTX_set0_reqExtensions(ctx, exts); -exts = NULL; } X509_REQ_free(csr); -csr = NULL; +/* After here, must not goto oom/exts_err */ + if (OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) && opt_sans != NULL) { CMP_err("cannot have Subject Alternative Names both via -reqexts and via -sans"); return 0; } - if (!set_gennames(ctx, opt_sans, "Subject Alternative Name")) return 0; 
@@ -1675,7 +1671,8 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) return 0; if (!OSSL_CMP_CTX_set1_oldCert(ctx, oldcert)) { X509_free(oldcert); -goto oom; +CMP_err("out of memory"); +return 0; } X509_free(oldcert); }
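Review bot: in the hunk at -1607 of apps/cmp.c, dropping `exts = NULL;` and `csr = NULL;` leaves both pointers dangling after `OSSL_CMP_CTX_set0_reqExtensions(ctx, exts)` and `X509_REQ_free(csr)`, so the new comment "After here, must not goto oom/exts_err" is the only thing standing between a future edit and another double free. Keeping the two NULL assignments would make a stray jump harmless, assuming those labels free csr and exts, which is not visible in these hunks. The last hunk, which replaces `goto oom;` with `CMP_err("out of memory"); return 0;`, shows that a jump of exactly that kind already existed below this point and had to be rewritten by hand.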
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2
Platform and configuration command:

$ uname -a
Linux run 5.4.0-70-generic #78-Ubuntu SMP Fri Mar 19 13:29:52 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2

Build log ended with (last 100 lines):

# ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6630
# false
# OPENSSL_TEST_RAND_ORDER=1618977569
not ok 244 - iteration 2
# --
# OPENSSL_TEST_RAND_ORDER=1618977569
not ok 56 - test_ssl_pending
#
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2
Platform and configuration command:

$ uname -a
Linux run 5.4.0-70-generic #78-Ubuntu SMP Fri Mar 19 13:29:52 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-tls1_2

Build log ended with (last 100 lines):

(less 4 skipped subtests: 2 okay)
70-test_sslmessages.t .. skipped: test_sslmessages needs TLS enabled
70-test_sslrecords.t ... skipped: test_sslrecords needs TLSv1.2 enabled
70-test_sslsessiontick.t ... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled
70-test_sslsigalgs.t ... ok
70-test_sslsignature.t
Build failed: openssl master.41638
Build openssl master.41638 failed Commit eda290806c by Matt Caswell on 4/19/2021 3:46 PM: Test a Finished message at the wrong time results in unexpected message
[openssl] master update
The branch master has been updated via 2ec6491669d1a93a5c4a445715aae6b1582cb2a4 (commit) via c4685815bf7edbc546add24b9fa99b632a2ba366 (commit) via 42e7d043f09f7a54005800fb00cb11a0c38e891f (commit) via 3f700d4b95f249308e03c0f1fcb3c9620dad94fe (commit) via e27fea4640defe3adc9309a4b573101055228ef3 (commit) via 27344bb82a65ce13de4c9f6c78615fa91d93d3eb (commit) via 192d50087881c031ee60307c8e0460d8470efaa9 (commit) from 6bcbc3698557739da03495920a57be4ffe219fa4 (commit) - Log - commit 2ec6491669d1a93a5c4a445715aae6b1582cb2a4 Author: Pauli Date: Thu Apr 15 10:42:01 2021 +1000 asn1: fix indentation Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14881) commit c4685815bf7edbc546add24b9fa99b632a2ba366 Author: Pauli Date: Wed Apr 14 16:38:07 2021 +1000 dsa: remove unused macro Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14881) commit 42e7d043f09f7a54005800fb00cb11a0c38e891f Author: Pauli Date: Thu Apr 15 10:35:28 2021 +1000 srp: remove references to EVP_sha1() Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14881) commit 3f700d4b95f249308e03c0f1fcb3c9620dad94fe Author: Pauli Date: Thu Apr 15 10:35:08 2021 +1000 pem: remove references to EVP_sha1() Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14881) commit e27fea4640defe3adc9309a4b573101055228ef3 Author: Pauli Date: Thu Apr 15 10:34:48 2021 +1000 ocsp: remove references to EVP_sha1() Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14881) commit 27344bb82a65ce13de4c9f6c78615fa91d93d3eb Author: Pauli Date: Thu Apr 15 10:33:59 2021 +1000 cms: remove most references to EVP_sha1() Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14881) commit 192d50087881c031ee60307c8e0460d8470efaa9 Author: Pauli Date: Thu Apr 15 10:31:58 2021 +1000 x509: remove most references to EVP_sha1() Fixes #14387 Reviewed-by: Tomas Mraz (Merged from 
https://github.com/openssl/openssl/pull/14881) --- Summary of changes: crypto/asn1/a_digest.c | 4 ++-- crypto/cms/cms_smime.c | 4 crypto/dsa/dsa_depr.c | 7 --- crypto/evp/p5_crpt2.c | 10 -- crypto/ocsp/ocsp_lib.c | 1 + crypto/ocsp/ocsp_vfy.c | 18 -- crypto/pem/pvkfmt.c| 7 +-- crypto/srp/srp_vfy.c | 13 ++--- crypto/x509/t_x509.c | 13 ++--- crypto/x509/v3_skid.c | 19 +++ 10 files changed, 67 insertions(+), 29 deletions(-) diff --git a/crypto/asn1/a_digest.c b/crypto/asn1/a_digest.c index cac6c327da..9d7efcdb70 100644 --- a/crypto/asn1/a_digest.c +++ b/crypto/asn1/a_digest.c @@ -75,8 +75,8 @@ int ossl_asn1_item_digest_ex(const ASN1_ITEM *it, const EVP_MD *md, void *asn, #endif fetched_md = EVP_MD_fetch(libctx, EVP_MD_name(md), propq); } - if (fetched_md == NULL) - goto err; +if (fetched_md == NULL) +goto err; ret = EVP_Digest(str, i, data, len, fetched_md, NULL); err: diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c index 3ab4cd2e6f..d48bbcb6c7 100644 --- a/crypto/cms/cms_smime.c +++ b/crypto/cms/cms_smime.c @@ -169,6 +169,10 @@ CMS_ContentInfo *CMS_digest_create_ex(BIO *in, const EVP_MD *md, { CMS_ContentInfo *cms; +/* + * Because the EVP_MD is cached and can be a legacy algorithm, we + * cannot fetch the algorithm if it isn't supplied. + */ if (md == NULL) md = EVP_sha1(); cms = ossl_cms_DigestedData_create(md, ctx, propq); diff --git a/crypto/dsa/dsa_depr.c b/crypto/dsa/dsa_depr.c index 1149c50c8b..57f6ce4faf 100644 --- a/crypto/dsa/dsa_depr.c +++ b/crypto/dsa/dsa_depr.c @@ -18,13 +18,6 @@ */ #include "internal/deprecated.h" -/* - * Parameter generation follows the updated Appendix 2.2 for FIPS PUB 186, - * also Appendix 2.2 of FIPS PUB 186-1 (i.e. use SHA as defined in FIPS PUB - * 180-1) - */ -#define xxxHASHEVP_sha1() - #include #include diff --git a/crypto/evp/p5_crpt2.c b/crypto/evp/p5_crpt2.c index d2fe56a87f..b8edf4b5a8 100644 --- a/crypto/evp/p5_crpt2.c +++ b/crypto/evp/p5_crpt2.c 
@@ -92,8 +92,14 @@ int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, const unsigned char *salt, int saltlen, int iter, int keylen, unsigned char *out) { -return PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter, EVP_sha1(), - keylen, out); +EVP_MD *digest; +int r = 0; + +if ((digest = EVP_MD_fetch(NULL, SN_sha1, NULL)) != NULL) +r = ossl_pkcs5_pbkdf2_hmac_ex(pass, passlen, salt, saltlen, iter, +
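Review bot: in the crypto/evp/p5_crpt2.c hunk, the `digest` obtained from `EVP_MD_fetch(NULL, SN_sha1, NULL)` in PKCS5_PBKDF2_HMAC_SHA1 needs a matching `EVP_MD_free(digest)` before the function returns, on both the success and the failure path. The hunk is cut off on this page before the end of the function, so that release is worth confirming against the full patch. In the crypto/cms/cms_smime.c hunk the added comment explains why no fetch is done, but the `md = EVP_sha1();` fallback for a NULL `md` stays, so callers of CMS_digest_create_ex that pass NULL still get SHA-1 silently; the function's documentation should say so.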
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via e41290cfc007b833b393864cf12e0d8d815b7081 (commit) from a3dea76f742896b7d75a0c0529c0af1e628bd853 (commit) - Log - commit e41290cfc007b833b393864cf12e0d8d815b7081 Author: Pauli Date: Mon Apr 19 08:57:18 2021 +1000 engine: fix double free on error path. In function try_decode_PKCS8Encrypted, p8 is freed via X509_SIG_free() at line 481. If function new_EMBEDDED() returns a null pointer at line 483, the execution will goto nop8. In the nop8 branch, p8 is freed again at line 491. Bug reported by @Yunlongs Fixes #14915 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14921) (cherry picked from commit efe8d69daa1a68be0a7f0f73220947c848e7ed1d) --- Summary of changes: crypto/store/loader_file.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/store/loader_file.c b/crypto/store/loader_file.c index 9c9e3bd085..258f71afec 100644 --- a/crypto/store/loader_file.c +++ b/crypto/store/loader_file.c @@ -370,6 +370,7 @@ static OSSL_STORE_INFO *try_decode_PKCS8Encrypted(const char *pem_name, mem->data = (char *)new_data; mem->max = mem->length = (size_t)new_data_len; X509_SIG_free(p8); +p8 = NULL; store_info = ossl_store_info_new_EMBEDDED(PEM_STRING_PKCS8INF, mem); if (store_info == NULL) {
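Review bot: the added `p8 = NULL;` after `X509_SIG_free(p8);` in try_decode_PKCS8Encrypted has no comment tying it to the second free under the nop8 label, which is the only reason the assignment exists and which lies outside the visible context. A one-line comment such as "nop8 frees p8 again" would stop the line from being removed later as a dead store. The longer-term fix is to free p8 in one place only, so the error path does not depend on X509_SIG_free() accepting NULL.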
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via a3dea76f742896b7d75a0c0529c0af1e628bd853 (commit) from 7f424d16c5358a2c5c652cd23b841e44550d1027 (commit) - Log - commit a3dea76f742896b7d75a0c0529c0af1e628bd853 Author: Pauli Date: Mon Apr 19 08:55:37 2021 +1000 ts: fix double free on error path. In function int_ts_RESP_verify_token, if (flags & TS_VFY_DATA) is true, function ts_compute_imprint() will be called at line 299. In the implementation of ts_compute_imprint, it allocates md_alg at line 406. But after the allocation, if the execution goto err, then md_alg will be freed in the first time by X509_ALGOR_free at line 439. After that, ts_compute_imprint returns 0 and the execution goto err branch of int_ts_RESP_verify_token. In the err branch, md_alg will be freed in the second time at line 320. Bug reported by @Yunlongs Fixes #14914 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14921) (cherry picked from commit db78c84eb2fa9c41124690bcc2ea50e05f5fc7b7) --- Summary of changes: crypto/ts/ts_rsp_verify.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index c2e7abd67f..7302e0f8d1 100644 --- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c @@ -612,6 +612,7 @@ static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info, err: EVP_MD_CTX_free(md_ctx); X509_ALGOR_free(*md_alg); +*md_alg = NULL; OPENSSL_free(*imprint); *imprint_len = 0; *imprint = 0;
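Review bot: the new `*md_alg = NULL;` in the err block of ts_compute_imprint repairs the callee only; the caller int_ts_RESP_verify_token still frees md_alg on its own err path (per the commit message) and is now safe solely because X509_ALGOR_free() accepts NULL. A comment on the function stating that all three out-parameters are reset on failure would document the contract the caller relies on. As a style point, the adjacent context line `*imprint = 0;` assigns 0 to a pointer and could be changed to NULL in the same patch to match the added line.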
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 7f424d16c5358a2c5c652cd23b841e44550d1027 (commit) from 86a90dc749af91f8a7b8da6628c9ffca2bae3009 (commit) - Log - commit 7f424d16c5358a2c5c652cd23b841e44550d1027 Author: Pauli Date: Mon Apr 19 08:51:38 2021 +1000 srp: fix double free, In function SRP_create_verifier_ex, it calls SRP_create_verifier_BN_ex(..., , ..) at line 653. In the implementation of SRP_create_verifier_BN_ex(), *verify (which is the paremeter of v) is allocated a pointer via BN_new() at line 738. And *verify is freed via BN_clear_free() at line 743, and return 0. Then the execution continues up to goto err at line 655, and the freed v is freed again at line 687. Bug reported by @Yunlongs Fixes #14913 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14921) (cherry picked from commit b06450bcf763735a89b65ca3ec176600fe7fceed) --- Summary of changes: crypto/srp/srp_vfy.c | 11 ++- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 3dd2ab0507..a846b37672 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -684,7 +684,7 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, BIGNUM *x = NULL; BN_CTX *bn_ctx = BN_CTX_new(); unsigned char tmp2[MAX_LEN]; -BIGNUM *salttmp = NULL; +BIGNUM *salttmp = NULL, *verif; if ((user == NULL) || (pass == NULL) || @@ -707,17 +707,18 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, if (x == NULL) goto err; -*verifier = BN_new(); -if (*verifier == NULL) +verif = BN_new(); +if (verif == NULL) goto err; -if (!BN_mod_exp(*verifier, g, x, N, bn_ctx)) { -BN_clear_free(*verifier); +if (!BN_mod_exp(verif, g, x, N, bn_ctx)) { +BN_clear_free(verif); goto err; } result = 1; *salt = salttmp; +*verifier = verif; err: if (salt != NULL && *salt != salttmp)
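Review bot: with `*verifier = verif;` moved to the success path, SRP_create_verifier_BN no longer writes `*verifier` on any failure path, so a caller that frees its pointer on error must have initialised it to NULL beforehand; that precondition is not stated anywhere in the visible lines and belongs in the function's documentation. Separately, `*verif` is declared without an initialiser in `BIGNUM *salttmp = NULL, *verif;`. Every visible use follows the `verif = BN_new();` assignment, but initialising it to NULL like its neighbours would keep a future early `goto err` from reading an indeterminate pointer.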
[openssl] master update
The branch master has been updated via 6bcbc3698557739da03495920a57be4ffe219fa4 (commit) via efe8d69daa1a68be0a7f0f73220947c848e7ed1d (commit) via db78c84eb2fa9c41124690bcc2ea50e05f5fc7b7 (commit) via b06450bcf763735a89b65ca3ec176600fe7fceed (commit) from 4ecb19d1092d6db1397aa24512996f98f8e5e268 (commit) - Log - commit 6bcbc3698557739da03495920a57be4ffe219fa4 Author: Pauli Date: Mon Apr 19 08:59:37 2021 +1000 test: fix double free problems. In function test_EVP_PKEY_ffc_priv_pub, params is freed via OSSL_PARAM_free() at line 577. If the condition at line 581 is true, the execution will goto err, and params will be freed again at line 630. The same problem also happens at line 593 and line 609, which causes two double free bugs. Bugs reported by @Yunlongs Fixes 14916 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14921) commit efe8d69daa1a68be0a7f0f73220947c848e7ed1d Author: Pauli Date: Mon Apr 19 08:57:18 2021 +1000 engine: fix double free on error path. In function try_decode_PKCS8Encrypted, p8 is freed via X509_SIG_free() at line 481. If function new_EMBEDDED() returns a null pointer at line 483, the execution will goto nop8. In the nop8 branch, p8 is freed again at line 491. Bug reported by @Yunlongs Fixes #14915 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14921) commit db78c84eb2fa9c41124690bcc2ea50e05f5fc7b7 Author: Pauli Date: Mon Apr 19 08:55:37 2021 +1000 ts: fix double free on error path. In function int_ts_RESP_verify_token, if (flags & TS_VFY_DATA) is true, function ts_compute_imprint() will be called at line 299. In the implementation of ts_compute_imprint, it allocates md_alg at line 406. But after the allocation, if the execution goto err, then md_alg will be freed in the first time by X509_ALGOR_free at line 439. After that, ts_compute_imprint returns 0 and the execution goto err branch of int_ts_RESP_verify_token. In the err branch, md_alg will be freed in the second time at line 320. 
Bug reported by @Yunlongs Fixes #14914 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14921) commit b06450bcf763735a89b65ca3ec176600fe7fceed Author: Pauli Date: Mon Apr 19 08:51:38 2021 +1000 srp: fix double free, In function SRP_create_verifier_ex, it calls SRP_create_verifier_BN_ex(..., , ..) at line 653. In the implementation of SRP_create_verifier_BN_ex(), *verify (which is the paremeter of v) is allocated a pointer via BN_new() at line 738. And *verify is freed via BN_clear_free() at line 743, and return 0. Then the execution continues up to goto err at line 655, and the freed v is freed again at line 687. Bug reported by @Yunlongs Fixes #14913 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14921) --- Summary of changes: crypto/srp/srp_vfy.c | 11 ++- crypto/ts/ts_rsp_verify.c | 1 + engines/e_loader_attic.c | 1 + test/evp_extra_test.c | 3 +++ 4 files changed, 11 insertions(+), 5 deletions(-) diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 0693a23be0..2c2ec11cd4 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -712,7 +712,7 @@ int SRP_create_verifier_BN_ex(const char *user, const char *pass, BIGNUM **salt, BIGNUM *x = NULL; BN_CTX *bn_ctx = BN_CTX_new_ex(libctx); unsigned char tmp2[MAX_LEN]; -BIGNUM *salttmp = NULL; +BIGNUM *salttmp = NULL, *verif; if ((user == NULL) || (pass == NULL) || @@ -735,17 +735,18 @@ int SRP_create_verifier_BN_ex(const char *user, const char *pass, BIGNUM **salt, if (x == NULL) goto err; -*verifier = BN_new(); -if (*verifier == NULL) +verif = BN_new(); +if (verif == NULL) goto err; -if (!BN_mod_exp(*verifier, g, x, N, bn_ctx)) { -BN_clear_free(*verifier); +if (!BN_mod_exp(verif, g, x, N, bn_ctx)) { +BN_clear_free(verif); goto err; } result = 1; *salt = salttmp; +*verifier = verif; err: if (salt != NULL && *salt != salttmp) diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index 89428cdf54..f307e29fda 100644 
--- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c @@ -437,6 +437,7 @@ static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info, err: EVP_MD_CTX_free(md_ctx); X509_ALGOR_free(*md_alg); +*md_alg = NULL; OPENSSL_free(*imprint); *imprint_len = 0; *imprint = 0; diff --git a/engines/e_loader_attic.c b/engines/e_loader_attic.c index 3ec31f8fc7..802b3d9067 100644
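The double-free shape that the srp, ts and engine commit messages in this message describe, together with the two repairs the patches use (publish the out-parameter only on success; reset the pointer to NULL right after freeing), as an added C example that is not OpenSSL code. `obj_t`, the static pool and every function name are constructed for illustration, and frees are counted instead of being passed to `free()` so the program stays well-defined.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a heap object such as a BIGNUM; not an OpenSSL type.
 * Objects come from a static pool and "freeing" only counts the call, so the
 * double free can be observed without undefined behaviour. */
typedef struct { int free_calls; } obj_t;

#define POOL_SIZE 32
static obj_t pool[POOL_SIZE];
static size_t pool_used;

static obj_t *obj_new(void)
{
    if (pool_used >= POOL_SIZE)
        return NULL;
    pool[pool_used].free_calls = 0;
    return &pool[pool_used++];
}

/* Like the OpenSSL *_free() routines named in the patches, NULL is a no-op. */
static void obj_free(obj_t *o)
{
    if (o != NULL)
        o->free_calls++;
}

/* "Before" shape: the out-parameter is written first, freed on failure, and
 * left pointing at the released object. */
static int create_before(obj_t **out, int fail)
{
    *out = obj_new();
    if (*out == NULL)
        return 0;
    if (fail) {
        obj_free(*out);
        return 0;
    }
    return 1;
}

/* Repair 1 (shape of the srp patch): work on a local, publish on success only. */
static int create_publish_on_success(obj_t **out, int fail)
{
    obj_t *tmp = obj_new();

    if (tmp == NULL)
        return 0;
    if (fail) {
        obj_free(tmp);
        return 0;
    }
    *out = tmp;
    return 1;
}

/* Repair 2 (shape of the ts and loader patches): reset the pointer after freeing. */
static int create_null_after_free(obj_t **out, int fail)
{
    *out = obj_new();
    if (*out == NULL)
        return 0;
    if (fail) {
        obj_free(*out);
        *out = NULL;
        return 0;
    }
    return 1;
}

typedef int (*create_fn)(obj_t **out, int fail);

/* Caller with a shared cleanup path, as in the commit messages: it frees the
 * pointer whether or not the callee succeeded. Returns how many times the
 * object allocated by this call was freed, or -1 if the pool is exhausted. */
static int frees_seen_by_caller(create_fn create, int fail)
{
    obj_t *v = NULL;
    size_t slot = pool_used;

    if (slot >= POOL_SIZE)
        return -1;
    (void)create(&v, fail);
    obj_free(v);                 /* the caller's err/cleanup label */
    return pool[slot].free_calls;
}

int main(void)
{
    printf("before, callee fails:             %d free(s)\n",
           frees_seen_by_caller(create_before, 1));
    printf("publish on success, callee fails: %d free(s)\n",
           frees_seen_by_caller(create_publish_on_success, 1));
    printf("NULL after free, callee fails:    %d free(s)\n",
           frees_seen_by_caller(create_null_after_free, 1));
    printf("publish on success, callee ok:    %d free(s)\n",
           frees_seen_by_caller(create_publish_on_success, 0));
    return 0;
}
```

Both repairs depend on the caller initialising its pointer to NULL and on the free routine accepting NULL; without either, the cleanup path is still unsafe.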
[openssl] master update
The branch master has been updated via 4ecb19d1092d6db1397aa24512996f98f8e5e268 (commit) from 1c0eede9827b0962f1d752fa4ab5d436fa039da4 (commit) - Log - commit 4ecb19d1092d6db1397aa24512996f98f8e5e268 Author: Pauli Date: Mon Apr 19 09:50:52 2021 +1000 params_dup: fix off by one error that allows array overreach. The end of loop test allows the index to go one step too far to be able to terminate the param array but the end of list record is still added. Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14922) --- Summary of changes: crypto/params_dup.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/params_dup.c b/crypto/params_dup.c index e1b1405979..6a58b52f65 100644 --- a/crypto/params_dup.c +++ b/crypto/params_dup.c @@ -147,8 +147,8 @@ static int compare_params(const void *left, const void *right) OSSL_PARAM *OSSL_PARAM_merge(const OSSL_PARAM *p1, const OSSL_PARAM *p2) { -const OSSL_PARAM *list1[OSSL_PARAM_MERGE_LIST_MAX]; -const OSSL_PARAM *list2[OSSL_PARAM_MERGE_LIST_MAX]; +const OSSL_PARAM *list1[OSSL_PARAM_MERGE_LIST_MAX + 1]; +const OSSL_PARAM *list2[OSSL_PARAM_MERGE_LIST_MAX + 1]; const OSSL_PARAM *p = NULL; const OSSL_PARAM **p1cur, **p2cur; OSSL_PARAM *params, *dst;
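Review bot: the `+ 1` added to the list1 and list2 declarations in OSSL_PARAM_merge carries no comment saying that the extra slot holds the end-of-list record mentioned in the commit message, so the reason for the size is recoverable only from the log. A short comment at the declarations, or folding the terminator slot into the definition of OSSL_PARAM_MERGE_LIST_MAX, would keep a later cleanup from shrinking the arrays again. The loop bound that fills these arrays is outside the visible hunk and should be checked against the new size, since the patch changes the capacity rather than the test.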
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-stdio
Platform and configuration command:

$ uname -a
Linux run 5.4.0-70-generic #78-Ubuntu SMP Fri Mar 19 13:29:52 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-stdio

Commit log since last time:

05aed12f54 CORE: pre-populate the namemap with legacy OIDs too
a0fff549e6 TEST: Use OSSL_MAX_NAME_SIZE instead of arbitrary number of mdname
01ba6c8e43 CORE: Register all legacy "names" when generating the initial namemap
ad57a13bb8 Modify OBJ_nid2sn(OBJ_obj2nid(...)) occurences to use OBJ_obj2txt()
42423ac961 TEST: Modify how the retrieved digest name for SM2 digestsign is checked
6ee1ae3293 TEST: Modify testutil's run_tests to display NOSUBTEST cases individually
ebb3c82b9c TEST: Modify test/evp_fetch_prov_test.c to also fetch by OID
e2f5df3613 PROV: Add OIDs we know to all provider applicable algorithms
f6c95e46c0 Add "origin" field to EVP_CIPHER, EVP_MD
543e740b95 Standard style for all EVP_xxx_free routines
ad72484909 Fix typo in aesccm.c
44c75ba67d apps/cmp.c: Fix TLS hostname checking in case -server provides more than hostname
cd69b4bd7c OSSL_CMP_CTX_new(): Fix distinction of out-of-memory and other errors
e494fac705 Fix naming for EVP_RAND_CTX_gettable functions.
7b9f02798f Sanity check provider up-calls
6ce58488bd Store some FIPS global variables in the FIPS_GLOBAL structure
81cc5ce1a0 lifecycle: update master lifecycle transition spreadsheet fixing the ettable issue
ed34837807 lifecycle: correct [sg]ettable to [sg]et
b000a2f95b demos: Add clean target for bio/Makefile
42e7d2f10e Add more negative checks for integers passed to OPENSSL_malloc().
34ed733396 SipHash: Fix CTRL API for the digest size.
4a95b70d1e Github workflows: re-implement a no-shared build
a732a4c329 Add EVP_PKEY_todata() and EVP_PKEY_export() functions.
a56fcf20da Add OID for mdc2WithRSASignature and remove related TODO 3.0
ddf0d149e2 Rename EVP_PKEY_get0_first_alg_name to EVP_PKEY_get0_type_name
9c1b19eb6f changes: note that some ctrl calls have a different error return.
7e43baed2a Do not allow creating empty RSA keys by duplication
85fcc3fb77 Remove keymgmt_copy function from the provider API
b4f447c038 Add selection support to the provider keymgmt_dup function
4a9fe33c8e Implement provider-side keymgmt_dup function
b9cd82f95b 80-test_cmp_http.t: Extend diagnostics of mock server launch
cfe20aee3b 80-test_cmp_http.t: Silence check for availability of 'kill' and 'lsof' commands
c6df354c2a 80-test_cmp_http.t: Fix resumption when skipping after mock server launch failed
aed03a1209 apps/cmp: Add generic random state options, e.g., for nonce generation
3206e41c0e openssl-cmp.pod.in: Fix missing provider options description
9518f8957a cmp_util.c: Fix OSSL_CMP_log_open() in case OPENSSL_NO_TRACE
f56c9c7c94 APPS and TEST: Make sure prog name is set for usage output
3ad6030948 APPS: make apps strict on app_RAND_load() and app_RAND_write() failure
456541f0b7 Document the invariants for the empty X509_NAME encoding
74bcbea76f X509_NAME_cmp: if canon_enclen is 0 for both names return 0
d32fc2c51b bio_printf: add \0 terminators for error returns in floating point conversions.
586d9436c8 bio: note that BIO_sprintf null terminates on insufficient space.
4e1ebda9d9 bio: add a malloc failed error to BIO_print
5c10724387 Add some additional NULL checks to prevent segfaults.
46eee7104d Add domain parameter match check for DH and ECDH key exchange.
0d5bbaaae2 Remove a TODO(3.0) from X509_PUBKEY_set
89947af2c5 crypto: raise error on malloc failure clean a few style nits.
f691578bdc nits: fix a few typo in template code
c6e090fe17 doc: Fix formatting
feba11cf2e Handle set_alpn_protos inputs better.
3ab736acb8 util/wrap.pl: use the apps/openssl.cnf from the source tree
0f10196042 apps: call ERR_print_errors when OSSL_PROVIDER_load fails
b47e7bbc41 Note deprecated function/macros with no replacement.
9acbbbae6b Fix windows compiler error in kmac_prov.c
3fed27181a Add FIPS Self test for AES_ECB decrypt
28fd895305 Remove the function EVP_PKEY_set_alias_type
6878f43002 Update KTLS documentation
a3a54179b6 Only enable KTLS if it is explicitly configured
4ec4b063e0 Always reset IV for CBC, OFB, and CFB mode on cipher context reinit
3f883c7c83 Replace OSSL_PARAM_BLD_free_params() with OSSL_PARAM_free().
884314cab7 Add OSSL_PARAM_dup() and OSSL_PARAM_merge().
d36114d7cd kmac: update the documention for the customisation string maximum length
13eaa4ecaa kmac: fix customistation string overflow bug
810a169eb2 kmac: add long customisation string example
e3c2a55d47 Add additional KMAC error

Build log ended with (last 100 lines):

clang -I. -Iinclude -Iproviders/common/include -Iproviders/implementations/include -I../openssl -I../openssl/include -I../openssl/providers/common/include -I../openssl/providers/implementations/include -DAES_ASM -DBSAES_ASM -DCMLL_ASM -DECP_NISTZ256_ASM -DGHASH_ASM -DKECCAK1600_ASM -DMD5_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_CPUID_OBJ
SUCCESSFUL build of OpenSSL branch master with options -d --strict-warnings no-sock
Platform and configuration command:

$ uname -a
Linux run 5.4.0-70-generic #78-Ubuntu SMP Fri Mar 19 13:29:52 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-sock

Commit log since last time:

05aed12f54 CORE: pre-populate the namemap with legacy OIDs too
a0fff549e6 TEST: Use OSSL_MAX_NAME_SIZE instead of arbitrary number of mdname
01ba6c8e43 CORE: Register all legacy "names" when generating the initial namemap
ad57a13bb8 Modify OBJ_nid2sn(OBJ_obj2nid(...)) occurences to use OBJ_obj2txt()
42423ac961 TEST: Modify how the retrieved digest name for SM2 digestsign is checked
6ee1ae3293 TEST: Modify testutil's run_tests to display NOSUBTEST cases individually
ebb3c82b9c TEST: Modify test/evp_fetch_prov_test.c to also fetch by OID
e2f5df3613 PROV: Add OIDs we know to all provider applicable algorithms
f6c95e46c0 Add "origin" field to EVP_CIPHER, EVP_MD
543e740b95 Standard style for all EVP_xxx_free routines
ad72484909 Fix typo in aesccm.c
44c75ba67d apps/cmp.c: Fix TLS hostname checking in case -server provides more than hostname
cd69b4bd7c OSSL_CMP_CTX_new(): Fix distinction of out-of-memory and other errors
e494fac705 Fix naming for EVP_RAND_CTX_gettable functions.
7b9f02798f Sanity check provider up-calls
6ce58488bd Store some FIPS global variables in the FIPS_GLOBAL structure
81cc5ce1a0 lifecycle: update master lifecycle transition spreadsheet fixing the ettable issue
ed34837807 lifecycle: correct [sg]ettable to [sg]et
b000a2f95b demos: Add clean target for bio/Makefile
42e7d2f10e Add more negative checks for integers passed to OPENSSL_malloc().
34ed733396 SipHash: Fix CTRL API for the digest size.
4a95b70d1e Github workflows: re-implement a no-shared build
a732a4c329 Add EVP_PKEY_todata() and EVP_PKEY_export() functions.
a56fcf20da Add OID for mdc2WithRSASignature and remove related TODO 3.0
ddf0d149e2 Rename EVP_PKEY_get0_first_alg_name to EVP_PKEY_get0_type_name
9c1b19eb6f changes: note that some ctrl calls have a different error return.
7e43baed2a Do not allow creating empty RSA keys by duplication
85fcc3fb77 Remove keymgmt_copy function from the provider API
b4f447c038 Add selection support to the provider keymgmt_dup function
4a9fe33c8e Implement provider-side keymgmt_dup function
b9cd82f95b 80-test_cmp_http.t: Extend diagnostics of mock server launch
cfe20aee3b 80-test_cmp_http.t: Silence check for availability of 'kill' and 'lsof' commands
c6df354c2a 80-test_cmp_http.t: Fix resumption when skipping after mock server launch failed
aed03a1209 apps/cmp: Add generic random state options, e.g., for nonce generation
3206e41c0e openssl-cmp.pod.in: Fix missing provider options description
9518f8957a cmp_util.c: Fix OSSL_CMP_log_open() in case OPENSSL_NO_TRACE
f56c9c7c94 APPS and TEST: Make sure prog name is set for usage output
3ad6030948 APPS: make apps strict on app_RAND_load() and app_RAND_write() failure
456541f0b7 Document the invariants for the empty X509_NAME encoding
74bcbea76f X509_NAME_cmp: if canon_enclen is 0 for both names return 0
d32fc2c51b bio_printf: add \0 terminators for error returns in floating point conversions.
586d9436c8 bio: note that BIO_sprintf null terminates on insufficient space.
4e1ebda9d9 bio: add a malloc failed error to BIO_print
5c10724387 Add some additional NULL checks to prevent segfaults.
46eee7104d Add domain parameter match check for DH and ECDH key exchange.
0d5bbaaae2 Remove a TODO(3.0) from X509_PUBKEY_set
89947af2c5 crypto: raise error on malloc failure clean a few style nits.
f691578bdc nits: fix a few typo in template code
c6e090fe17 doc: Fix formatting
feba11cf2e Handle set_alpn_protos inputs better.
3ab736acb8 util/wrap.pl: use the apps/openssl.cnf from the source tree
0f10196042 apps: call ERR_print_errors when OSSL_PROVIDER_load fails
b47e7bbc41 Note deprecated function/macros with no replacement.
9acbbbae6b Fix windows compiler error in kmac_prov.c
3fed27181a Add FIPS Self test for AES_ECB decrypt
28fd895305 Remove the function EVP_PKEY_set_alias_type
6878f43002 Update KTLS documentation
a3a54179b6 Only enable KTLS if it is explicitly configured
4ec4b063e0 Always reset IV for CBC, OFB, and CFB mode on cipher context reinit
3f883c7c83 Replace OSSL_PARAM_BLD_free_params() with OSSL_PARAM_free().
884314cab7 Add OSSL_PARAM_dup() and OSSL_PARAM_merge().
d36114d7cd kmac: update the documention for the customisation string maximum length
13eaa4ecaa kmac: fix customistation string overflow bug
810a169eb2 kmac: add long customisation string example
e3c2a55d47 Add additional KMAC error
[openssl] master update
The branch master has been updated via 1c0eede9827b0962f1d752fa4ab5d436fa039da4 (commit) from a78c7c0bfe56d67022ca18cfabefc73926dde0ae (commit) - Log - commit 1c0eede9827b0962f1d752fa4ab5d436fa039da4 Author: Dr. David von Oheimb Date: Mon Dec 28 21:33:09 2020 +0100 Improve ossl_cmp_build_cert_chain(); publish it as X509_build_chain() Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14128) --- Summary of changes: crypto/cmp/cmp_client.c| 5 +-- crypto/cmp/cmp_ctx.c | 4 +- crypto/cmp/cmp_local.h | 4 -- crypto/cmp/cmp_protect.c | 5 +-- crypto/cmp/cmp_util.c | 61 -- crypto/x509/x509_vfy.c | 42 crypto/x509/x_x509.c | 2 +- doc/internal/man3/ossl_cmp_msg_protect.pod | 20 -- doc/man3/X509_verify_cert.pod | 27 +++-- include/openssl/x509_vfy.h.in | 3 ++ test/cmp_ctx_test.c| 1 - test/cmp_protect_test.c| 39 --- test/verify_extra_test.c | 3 +- util/libcrypto.num | 1 + 14 files changed, 112 insertions(+), 105 deletions(-) diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c index 728ec21968..54c8f5094b 100644 --- a/crypto/cmp/cmp_client.c +++ b/crypto/cmp/cmp_client.c @@ -496,9 +496,8 @@ int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info, return fail_info; ossl_cmp_debug(ctx, "trying to build chain for newly enrolled cert"); -chain = ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq, - out_trusted /* may be NULL */, - ctx->untrusted, cert); +chain = X509_build_chain(cert, ctx->untrusted, out_trusted /* maybe NULL */, + 0, ctx->libctx, ctx->propq); if (sk_X509_num(chain) > 0) X509_free(sk_X509_shift(chain)); /* remove leaf (EE) cert */ if (out_trusted != NULL) { diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c index 110361320d..7e7af63b4a 100644 --- a/crypto/cmp/cmp_ctx.c +++ b/crypto/cmp/cmp_ctx.c 
@@ -735,8 +735,8 @@ int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted, return 0; ossl_cmp_debug(ctx, "trying to build chain for own CMP signer cert"); -chain = ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq, own_trusted, - ctx->untrusted, ctx->cert); +chain = X509_build_chain(ctx->cert, ctx->untrusted, own_trusted, 0, + ctx->libctx, ctx->propq); if (chain == NULL) { ERR_raise(ERR_LIB_CMP, CMP_R_FAILED_BUILDING_OWN_CHAIN); return 0; diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h index 1ec16d4b2b..b2a3382079 100644 --- a/crypto/cmp/cmp_local.h +++ b/crypto/cmp/cmp_local.h @@ -749,10 +749,6 @@ int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt, const ASN1_OCTET_STRING *src); int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt, const unsigned char *bytes, int len); -STACK_OF(X509) -*ossl_cmp_build_cert_chain(OSSL_LIB_CTX *libctx, const char *propq, - X509_STORE *store, - STACK_OF(X509) *certs, X509 *cert); /* from cmp_ctx.c */ int ossl_cmp_print_log(OSSL_CMP_severity level, const OSSL_CMP_CTX *ctx, diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c index 45bea73d13..36a6597145 100644 --- a/crypto/cmp/cmp_protect.c +++ b/crypto/cmp/cmp_protect.c @@ -144,9 +144,8 @@ int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) if (ctx->chain == NULL) { ossl_cmp_debug(ctx, "trying to build chain for own CMP signer cert"); -ctx->chain = -ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq, NULL, - ctx->untrusted, ctx->cert); +ctx->chain = X509_build_chain(ctx->cert, ctx->untrusted, NULL, 0, + ctx->libctx, ctx->propq); if (ctx->chain != NULL) { ossl_cmp_debug(ctx, "success building chain for own CMP signer cert"); diff --git a/crypto/cmp/cmp_util.c b/crypto/cmp/cmp_util.c index 56f2b0eeb8..fbb8d1e249 100644 --- a/crypto/cmp/cmp_util.c +++ b/crypto/cmp/cmp_util.c 
@@ -220,67 +220,6 @@ int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs, return 1; } -/*- - * Builds a certificate chain starting from
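Review bot: in the crypto/cmp/cmp_client.c hunk the argument comment changed from `/* may be NULL */` to `/* maybe NULL */`, which reads as uncertainty instead of stating that NULL is allowed; restore the original wording. The same call, like the ones in cmp_ctx.c and cmp_protect.c, passes a bare `0` as the fourth argument of X509_build_chain(). The removed ossl_cmp_build_cert_chain() prototype had no such parameter, and the argument order has also changed (certificate first, `libctx` and `propq` last), so a short comment naming what the `0` selects would make these call sites reviewable without opening the header.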
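Review bot: in the crypto/cmp/cmp_protect.c hunk, X509_build_chain() is called with NULL as the store, where the other two call sites pass `out_trusted` or `own_trusted`, and nothing at the call says what a NULL store means for the chain that ends up in `ctx->chain`. The old internal helper took the same NULL, so behaviour may be unchanged, but the function is now public (util/libcrypto.num and include/openssl/x509_vfy.h.in are in the summary). Check that doc/man3/X509_verify_cert.pod spells out the NULL-store case, and add a comment here that the chain is built from `ctx->untrusted` without a trust store.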
[openssl] master update
The branch master has been updated via a78c7c0bfe56d67022ca18cfabefc73926dde0ae (commit) via 99adfa455ccd1abb73e264224c33c09e586776d2 (commit) via 606a417fb2b6ce5d1d112f2f3f710c8085744627 (commit) from c39352e4e4952a9f4b2171134af0e015a4d40768 (commit) - Log - commit a78c7c0bfe56d67022ca18cfabefc73926dde0ae Author: Rich Salz Date: Fri Apr 16 11:29:35 2021 -0400 Flip ordering back Reviewed-by: Richard Levitte Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/14219) commit 99adfa455ccd1abb73e264224c33c09e586776d2 Author: Rich Salz Date: Thu Apr 15 17:00:57 2021 -0400 Fetch before get-by-name This causes tests to break. Pushing it to help others debug. Reviewed-by: Richard Levitte Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/14219) commit 606a417fb2b6ce5d1d112f2f3f710c8085744627 Author: Rich Salz Date: Wed Feb 17 16:15:27 2021 -0500 Fetch and free cipher and md's Reviewed-by: Richard Levitte Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/14219) --- Summary of changes: apps/ca.c | 5 +++-- apps/cms.c | 17 ++--- apps/crl.c | 3 ++- apps/dgst.c| 10 ++ apps/dsa.c | 3 ++- apps/ec.c | 3 ++- apps/enc.c | 8 +--- apps/gendsa.c | 3 ++- apps/genpkey.c | 3 ++- apps/genrsa.c | 3 ++- apps/include/opt.h | 4 ++-- apps/lib/opt.c | 14 ++ apps/ocsp.c| 14 -- apps/pkcs12.c | 9 + apps/pkcs8.c | 9 + apps/pkey.c| 3 ++- apps/pkeyutl.c | 2 ++ apps/req.c | 8 +--- apps/rsa.c | 3 ++- apps/smime.c | 8 +--- apps/storeutl.c| 3 ++- apps/ts.c | 3 ++- apps/x509.c| 3 ++- 23 files changed, 88 insertions(+), 53 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index cec5c8f1ac..6c1df8d2e3 100755 --- a/apps/ca.c +++ b/apps/ca.c 
@@ -270,7 +270,7 @@ int ca_main(int argc, char **argv) STACK_OF(OPENSSL_STRING) *sigopts = NULL, *vfyopts = NULL; STACK_OF(X509) *cert_sk = NULL; X509_CRL *crl = NULL; -const EVP_MD *dgst = NULL; +EVP_MD *dgst = NULL; char *configfile = default_config_file, *section = NULL; char *md = NULL, *policy = NULL, *keyfile = NULL; char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL; @@ -795,7 +795,7 @@ end_of_options: */ if (def_ret == 2 && def_nid == NID_undef) { /* The signing algorithm requires there to be no digest */ -dgst = EVP_md_null(); +dgst = (EVP_MD *)EVP_md_null(); } else if (md == NULL && (md = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL) { goto end; @@ -1330,6 +1330,7 @@ end_of_options: sk_OPENSSL_STRING_free(sigopts); sk_OPENSSL_STRING_free(vfyopts); EVP_PKEY_free(pkey); +EVP_MD_free(dgst); X509_free(x509); X509_CRL_free(crl); NCONF_free(conf); diff --git a/apps/cms.c b/apps/cms.c index 56f0b37bbf..b55e0063dd 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -276,8 +276,8 @@ int cms_main(int argc, char **argv) CMS_ReceiptRequest *rr = NULL; ENGINE *e = NULL; EVP_PKEY *key = NULL; -const EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL; -const EVP_MD *sign_md = NULL; +EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL; +EVP_MD *sign_md = NULL; STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL; STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; STACK_OF(X509) *encerts = NULL, *other = NULL; 
@@ -679,17 +679,17 @@ int cms_main(int argc, char **argv) break; case OPT_3DES_WRAP: # ifndef OPENSSL_NO_DES -wrap_cipher = EVP_des_ede3_wrap(); +wrap_cipher = (EVP_CIPHER *)EVP_des_ede3_wrap(); # endif break; case OPT_AES128_WRAP: -wrap_cipher = EVP_aes_128_wrap(); +wrap_cipher = (EVP_CIPHER *)EVP_aes_128_wrap(); break; case OPT_AES192_WRAP: -wrap_cipher = EVP_aes_192_wrap(); +wrap_cipher = (EVP_CIPHER *)EVP_aes_192_wrap(); break; case OPT_AES256_WRAP: -wrap_cipher = EVP_aes_256_wrap(); +wrap_cipher = (EVP_CIPHER *)EVP_aes_256_wrap(); break; case OPT_WRAP: if (!opt_cipher(opt_unknown(), _cipher)) @@ -803,7 +803,7 @@ int cms_main(int argc, char **argv) if (operation == SMIME_ENCRYPT) { if (!cipher) { # ifndef OPENSSL_NO_DES -cipher = EVP_des_ede3_cbc(); +cipher = (EVP_CIPHER *)EVP_des_ede3_cbc(); # else BIO_printf(bio_err, "No cipher
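Review bot: in the apps/ca.c hunks, `dgst = (EVP_MD *)EVP_md_null();` casts away const on a library-owned object that the newly added `EVP_MD_free(dgst);` at the cleanup label will later receive. That is only safe if EVP_MD_free() leaves non-fetched digests alone, and nothing at either line says so. The commit log elsewhere on this page lists an "origin" field added to EVP_CIPHER and EVP_MD, which is presumably what makes this work; a comment at the cast stating that dependency would keep someone from backporting the free without it. An alternative that avoids the cast is to keep `dgst` const and hold the fetched digest in a separate non-const pointer that is the only thing passed to EVP_MD_free().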
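Review bot: in the apps/cms.c hunks, `cipher`, `wrap_cipher` and `sign_md` lose their const and every built-in getter is cast to match, but the part of the diff shown here contains no EVP_CIPHER_free() or EVP_MD_free() call for them, unlike the `EVP_MD_free(dgst)` added in apps/ca.c. Confirm that the cleanup section of cms_main() frees all three, since a fetched cipher or digest assigned through `opt_cipher()` would otherwise leak on every exit path. The five repeated `(EVP_CIPHER *)` casts would also read better behind one small helper or macro in apps/include/opt.h, so the const removal is documented in one place.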
[openssl] master update
The branch master has been updated via c39352e4e4952a9f4b2171134af0e015a4d40768 (commit) from 72f649e061bef86cbf41303fede1a61c9fe2c05b (commit) - Log - commit c39352e4e4952a9f4b2171134af0e015a4d40768 Author: Juergen Christ Date: Mon Apr 19 15:04:13 2021 +0200 Fix compile errors on s390. Commit f6c95e46c03025b2694241e1ad785d8bd3ac083b added an "origin" field to EVP_CIPHER and EVP_MD structures but did not update the s390 specific implementations. Update these to fix compile errors on s390. Signed-off-by: Juergen Christ Reviewed-by: Patrick Steuer Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14926) --- Summary of changes: crypto/evp/e_aes.c | 4 1 file changed, 4 insertions(+) diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index ffafdbcc22..91e8cd861c 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -2185,6 +2185,7 @@ static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \ keylen / 8, \ ivlen, \ flags | EVP_CIPH_##MODE##_MODE, \ +EVP_ORIG_GLOBAL,\ s390x_aes_##mode##_init_key,\ s390x_aes_##mode##_cipher, \ NULL, \ @@ -2200,6 +2201,7 @@ static const EVP_CIPHER aes_##keylen##_##mode = { \ keylen / 8, \ ivlen, \ flags | EVP_CIPH_##MODE##_MODE, \ +EVP_ORIG_GLOBAL,\ aes_init_key, \ aes_##mode##_cipher,\ NULL, \ @@ -,6 +2224,7 @@ static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \ (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8,\ ivlen, \ flags | EVP_CIPH_##MODE##_MODE, \ +EVP_ORIG_GLOBAL,\ s390x_aes_##mode##_init_key,\ s390x_aes_##mode##_cipher, \ s390x_aes_##mode##_cleanup, \ @@ -2236,6 +2239,7 @@ static const EVP_CIPHER aes_##keylen##_##mode = { \ (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8,\ ivlen, \ flags | EVP_CIPH_##MODE##_MODE, \ +EVP_ORIG_GLOBAL,\ aes_##mode##_init_key, \ aes_##mode##_cipher,\ aes_##mode##_cleanup, \
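Review bot: all four hunks in crypto/evp/e_aes.c insert `EVP_ORIG_GLOBAL,` into positional struct initialisers, which is the pattern that broke the s390 build in the first place: adding a field in the middle of EVP_CIPHER silently shifts every later initialiser in tables the author did not touch. A comment on each inserted line naming the field (as the neighbouring entries would benefit from too) would make the next insertion easier to audit. The commit message says the "origin" field was added to both EVP_CIPHER and EVP_MD, while this change touches only EVP_CIPHER tables in one file, so check whether any other platform-specific EVP_CIPHER or EVP_MD definitions outside the default build still need the same line.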