Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm
Platform and configuration command:

    $ uname -a
    Linux run 5.4.0-72-generic #80-Ubuntu SMP Mon Apr 12 17:35:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
    $ CC=clang ../openssl/config -d --strict-warnings no-asm

Commit log since last time:

    d77ba503a2 Adjust ssl_test_new for SHA1 security level
    8ce390e139 Adjust sslapitest for SHA1 security level
    fdf312709a Adjust dtlstest for SHA1 security level
    0f077b5fd8 asn1_lib.c: ASN1_put_object: Remove comment about "class 0".
    c404e4fab3 Add test case for openssl crl -noout -hash output
    872b7979c7 crl: noout is not an output item
    3b9e47695f CHANGES: document the FIPS provider configuration and installation
    f2ea01d9f1 README-FIPS: document the installation of the FIPS provider
    b2d8c7b6a3 Configure: disable fips mode by default
    afa0a13c1a Configure: sort the disablables alphabetically
    d9ce268151 build.info: add the Perl wrapper to build generator programs on Windows
    18da9fc31f Configure/Makefile: install the fips provider if it was configured
    4e282708c5 Configure/Makefile: don't generate a fresh fipsmodule.cnf when installing it
    5b68918185 Configure/Makefile: separate install of the FIPS module
    c3bda8a2e0 Configure/Makefile: correct the FIPS module configuration file path
    b6821df0d0 Configure/Makefile: use the correct openssl app for FIPS installation
    59cf286919 Configure/Makefile: fix the `-macopt` argument of the fipsinstall command
    f4585aeca9 runchecker: fix no-sock build by conditioning clean up on the NO_SOCK symbol.
    2395ad8079 test: never run fipsinstall if the tests are not enabled.

Build log ended with (last 100 lines):

    20-test_rand_config.t .. ok
    25-test_crl.t .. ok
    25-test_d2i.t .. ok
    25-test_eai_data.t . ok
    25-test_pkcs7.t ok
    25-test_req.t .. ok
    25-test_rusext.t ... ok
    25-test_sid.t .. ok
    25-test_verify.t ... ok
    25-test_verify_store.t . ok
    25-test_x509.t . ok
    30-test_acvp.t . skipped: ACVP is not supported by this test
    30-test_aesgcm.t ... ok
    30-test_afalg.t ok
    30-test_defltfips.t ok
    30-test_engine.t ... ok
    30-test_evp.t .. ok
    30-test_evp_extra.t ok
    30-test_evp_fetch_prov.t ... ok
    30-test_evp_kdf.t .. ok
    30-test_evp_libctx.t ... ok
    30-test_evp_pkey_dparam.t .. ok
    30-test_evp_pkey_provided.t ok
    30-test_pbelu.t ok
    30-test_pkey_meth.t ok
    30-test_pkey_meth_kdf.t ok
    30-test_provider_status.t .. skipped: provider_status is not supported by this test
    40-test_rehash.t ... ok
    60-test_x509_check_cert_pkey.t . ok
    60-test_x509_dup_cert.t ok
    60-test_x509_store.t ... ok
    60-test_x509_time.t ok
    61-test_bio_prefix.t ... ok
    61-test_bio_readbuffer.t ... ok
    65-test_cmp_asn.t .. ok
    65-test_cmp_client.t ... ok
    65-test_cmp_ctx.t .. ok
    65-test_cmp_hdr.t .. ok
    65-test_cmp_msg.t .. ok
    65-test_cmp_protect.t .. ok
    65-test_cmp_server.t ... ok
    65-test_cmp_status.t ... ok
    65-test_cmp_vfy.t .. ok
    66-test_ossl_store.t ... ok
    70-test_asyncio.t .. ok
    70-test_bad_dtls.t . ok
    70-test_clienthello.t .. ok
    70-test_comp.t . ok
    70-test_key_share.t ok
    70-test_packet.t ... ok
    70-test_recordlen.t ok
    70-test_renegotiation.t ok
    70-test_servername.t ... ok
    70-test_sslcbcpadding.t ok
    70-test_sslcertstatus.t ok
    70-test_sslextension.t . ok
    70-test_sslmessages.t .. ok
    70-test_sslrecords.t ... ok
    70-test_sslsessiontick.t ... ok
    70-test_sslsigalgs.t ... ok
    70-test_sslsignature.t . ok
    70-test_sslskewith0p.t . ok
    70-test_sslversions.t .. ok
    70-test_sslvertol.t ok
    70-test_tls13alerts.t .. ok
    70-test_tls13cookie.t .. ok
    70-test_tls13downgrade.t ... ok
    70-test_tls13hrr.t . ok
    70-test_tls13kexmodes.t ok
    70-test_tls13messages.t ok
    70-test_tls13psk.t . ok
    70-test_tlsextms.t . ok
    70-test_verify_extra.t . ok
    70-test_wpacket.t .. ok
    71-test_ssl_ctx.t .. ok
    80-test_ca.t ... ok
    80-test_cipherbytes.t .. ok
    80-test_cipherlist.t ... ok
    80-test_ciphername.t ... ok
    # Killing mock server with pid=22009980-test_cmp_http.t . ok #
    80-test_cms.t .. ok
    80-test_cmsapi.t
[openssl] master update
The branch master has been updated via 9ac653d81a857a5452f9f25278a24e1dfb226905 (commit) from 0b31c36797a36c4cc17dd634de7e254290f8dac6 (commit) - Log - commit 9ac653d81a857a5452f9f25278a24e1dfb226905 Author: Tomas Mraz Date: Wed Apr 28 12:43:12 2021 +0200 Document the API breaking constification changes The EVP_PKEY_asn1_set_public and EVP_PKEY_meth_set_copy have some API breaking constification changes in 3.0. Fixes #9296 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15068) --- Summary of changes: CHANGES.md| 9 + doc/man3/EVP_PKEY_ASN1_METHOD.pod | 8 +++- doc/man3/EVP_PKEY_meth_new.pod| 7 +-- 3 files changed, 21 insertions(+), 3 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index e93d5df75a..0abee0a0ac 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -77,6 +77,15 @@ OpenSSL 3.0 *Boris Pismenny, John Baldwin and Andrew Gallatin* + * The signature of the `copy` functional parameter of the + EVP_PKEY_meth_set_copy() function has changed so its `src` argument is + now `const EVP_PKEY_CTX *` instead of `EVP_PKEY_CTX *`. Similarly + the signature of the `pub_decode` functional parameter of the + EVP_PKEY_asn1_set_public() function has changed so its `pub` argument is + now `const X509_PUBKEY *` instead of `X509_PUBKEY *`. + + *David von Oheimb* + * The error return values from some control calls (ctrl) have changed. One significant change is that controls which used to return -2 for invalid inputs, now return -1 indicating a generic error condition instead. diff --git a/doc/man3/EVP_PKEY_ASN1_METHOD.pod b/doc/man3/EVP_PKEY_ASN1_METHOD.pod index 9f50a56964..544d2a99c9 100644 --- a/doc/man3/EVP_PKEY_ASN1_METHOD.pod +++ b/doc/man3/EVP_PKEY_ASN1_METHOD.pod 
@@ -156,7 +156,7 @@ L. The methods are the underlying implementations of a particular public key algorithm present by the B object. - int (*pub_decode) (EVP_PKEY *pk, X509_PUBKEY *pub); + int (*pub_decode) (EVP_PKEY *pk, const X509_PUBKEY *pub); int (*pub_encode) (X509_PUBKEY *pub, const EVP_PKEY *pk); int (*pub_cmp) (const EVP_PKEY *a, const EVP_PKEY *b); int (*pub_print) (BIO *out, const EVP_PKEY *pkey, int indent, @@ -432,6 +432,12 @@ or 1 on success. EVP_PKEY_get0_asn1() returns NULL on error, or a pointer to a constant B object otherwise. +=head1 HISTORY + +The signature of the I functional argument of +EVP_PKEY_asn1_set_public() has changed in OpenSSL 3.0 so its I +parameter is now constified. + =head1 COPYRIGHT Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/EVP_PKEY_meth_new.pod b/doc/man3/EVP_PKEY_meth_new.pod index 4432fff516..196b7ca885 100644 --- a/doc/man3/EVP_PKEY_meth_new.pod +++ b/doc/man3/EVP_PKEY_meth_new.pod @@ -46,7 +46,7 @@ L: int (*init) (EVP_PKEY_CTX *ctx)); void EVP_PKEY_meth_set_copy(EVP_PKEY_METHOD *pmeth, int (*copy) (EVP_PKEY_CTX *dst, - EVP_PKEY_CTX *src)); + const EVP_PKEY_CTX *src)); void EVP_PKEY_meth_set_cleanup(EVP_PKEY_METHOD *pmeth, void (*cleanup) (EVP_PKEY_CTX *ctx)); void EVP_PKEY_meth_set_paramgen(EVP_PKEY_METHOD *pmeth, @@ -266,7 +266,7 @@ The methods are the underlying implementations of a particular public key algorithm present by the B object. int (*init) (EVP_PKEY_CTX *ctx); - int (*copy) (EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src); + int (*copy) (EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src); void (*cleanup) (EVP_PKEY_CTX *ctx); The init() method is called to initialize algorithm-specific data when a new 
@@ -451,6 +451,9 @@ arguments. All of these functions were deprecated in OpenSSL 3.0. +The signature of the I functional argument of EVP_PKEY_meth_set_copy() +has changed in OpenSSL 3.0 so its I parameter is now constified. + =head1 COPYRIGHT Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
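Review bot: The two new HISTORY paragraphs (in EVP_PKEY_ASN1_METHOD.pod and EVP_PKEY_meth_new.pod) say only that the parameter "is now constified", while the CHANGES.md entry in the same patch gives the exact before and after types. Suggest naming the new type in the man pages too (const X509_PUBKEY * for pub_decode, const EVP_PKEY_CTX * for the src argument of copy), since a caller whose callback no longer matches the setter's prototype will look at the man page first. Please also confirm that the attribution in the CHANGES.md hunk, which credits David von Oheimb where the commit author is Tomas Mraz, is intended.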
[openssl] master update
The branch master has been updated via 0b31c36797a36c4cc17dd634de7e254290f8dac6 (commit) from c7d848e220ecb432faa05d2198ae689298d71728 (commit) - Log - commit 0b31c36797a36c4cc17dd634de7e254290f8dac6 Author: Eric Curtin Date: Wed Apr 28 23:44:03 2021 +0100 Remove dated term and fixed typo anther Just something I noticed while reading this code. This was probably committed a very long time ago. Fixed typo anther -> another. Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15078) --- Summary of changes: crypto/rc2/rc2_skey.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/rc2/rc2_skey.c b/crypto/rc2/rc2_skey.c index 90fdface89..313250b58c 100644 --- a/crypto/rc2/rc2_skey.c +++ b/crypto/rc2/rc2_skey.c @@ -47,8 +47,8 @@ static const unsigned char key_table[256] = { /* * It has come to my attention that there are 2 versions of the RC2 key - * schedule. One which is normal, and anther which has a hook to use a - * reduced key length. BSAFE uses the 'retarded' version. What I previously + * schedule. One which is normal, and another which has a hook to use a + * reduced key length. BSAFE uses the latter version. What I previously * shipped is the same as specifying 1024 for the 'bits' parameter. Bsafe * uses a version where the bits parameter is the same as len*8 */
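Review bot: In the rc2_skey.c comment, the rewritten line spells the product "BSAFE" while the unchanged line two below it still has "Bsafe"; since the paragraph is being edited anyway, use one spelling throughout. "the latter version" reads correctly against the preceding sentence (it points at the variant with the reduced key length hook), so nothing else needs to change there.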
[tools] master update
The branch master has been updated via ee7da65b64a2409255d9effb751b4082642e3d39 (commit) from 9d9c86fe443afcb8a13a8ae40b91674a6afefcd3 (commit) - Log - commit ee7da65b64a2409255d9effb751b4082642e3d39 Author: Tomas Mraz Date: Wed Apr 28 11:24:42 2021 +0200 ghmerge: Rebase PR on top of master ghmerge rebased the newer commits from master on top of PR first which does not do much sense. Do it the other way around. Also allow fixing eventual trivial rebase conflicts in the background. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/tools/pull/83) --- Summary of changes: review-tools/ghmerge | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/review-tools/ghmerge b/review-tools/ghmerge index 06f6bfa..7f0746e 100755 --- a/review-tools/ghmerge +++ b/review-tools/ghmerge @@ -180,14 +180,14 @@ function cleanup { } trap 'cleanup' EXIT -git checkout -b $WORK $REF - # append new commits from $REPO/$BRANCH if [ "$PICK" != "yes" ]; then echo Rebasing $REPO/$BRANCH on $REF... -git pull --rebase $REPO $BRANCH || (git rebase --abort; exit 1) +git fetch $REPO $BRANCH && git checkout -b $WORK FETCH_HEAD +git rebase $REF || (echo 'Fix or Ctrl-d to abort' ; read || (git rebase --abort; exit 1)) else echo Cherry-picking $REPO/$BRANCH to $REF... +git checkout -b $WORK $REF git fetch $REPO $BRANCH && git cherry-pick FETCH_HEAD fi
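Review bot: In the rebase branch a failed fetch is not handled. In "git fetch $REPO $BRANCH && git checkout -b $WORK FETCH_HEAD" a failing fetch skips the checkout, and the next line then runs "git rebase $REF" on whatever branch happens to be checked out; an && list does not stop the script when its left-hand side fails, even under set -e. Suggest ending that line with "|| exit 1" (the same applies to the fetch and cherry-pick line in the else branch). Two smaller points on the new rebase line: pressing Enter at the read prompt continues the script without checking that the rebase actually completed, so a check for a rebase still in progress before going on would be safer; and "exit 1" inside the parentheses only leaves the subshell, so whether the script stops after "git rebase --abort" depends on error handling that is not visible in this hunk.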
[openssl] master update
The branch master has been updated
    via d77ba503a2cf1c83098baca345327761b991d191 (commit)
    via 8ce390e1399a27e1c6e14756927e2331ee1cb5c5 (commit)
    via fdf312709a34eb173f8366f55db0e0884b1f6a26 (commit)
    from 0f077b5fd86e2df0b41608fbd5684fa1a2b58f59 (commit)

- Log -

commit d77ba503a2cf1c83098baca345327761b991d191
Author: Matt Caswell
Date: Tue Apr 27 15:04:11 2021 +0100

    Adjust ssl_test_new for SHA1 security level

    SHA1 is now in security level 0. SHA1 is required for DTLSv1.1. Therefore
    ssl_test_new needed some adjustments in the event that DTLSv1.2 is disabled.

    There are also adjustments required if using the FIPS module and DTLSv1.2
    is disabled. The only DTLS version supported by the FIPS module is
    DTLSv1.2.

    Fixes #14956

    Reviewed-by: Paul Dale
    (Merged from https://github.com/openssl/openssl/pull/15047)

commit 8ce390e1399a27e1c6e14756927e2331ee1cb5c5
Author: Matt Caswell
Date: Tue Apr 27 12:05:00 2021 +0100

    Adjust sslapitest for SHA1 security level

    SHA1 is now in security level 0. SHA1 is required for DTLSv1.1. Therefore
    sslapitest needed some adjustments in the event that DTLSv1.2 is disabled.

    Reviewed-by: Paul Dale
    (Merged from https://github.com/openssl/openssl/pull/15047)

commit fdf312709a34eb173f8366f55db0e0884b1f6a26
Author: Matt Caswell
Date: Tue Apr 27 11:07:57 2021 +0100

    Adjust dtlstest for SHA1 security level

    SHA1 is now in security level 0. SHA1 is required for DTLSv1.1. Therefore
    dtlstest needed some adjustments in the event that DTLSv1.2 is disabled.

    Reviewed-by: Paul Dale
    (Merged from https://github.com/openssl/openssl/pull/15047)

---

Summary of changes:
 test/dtlstest.c | 32 ++
 test/ssl-tests/16-dtls-certstatus.cnf | 8 ++---
 test/ssl-tests/16-dtls-certstatus.cnf.in | 33 +++
 test/ssl-tests/18-dtls-renegotiate.cnf | 20 +--
 test/ssl-tests/18-dtls-renegotiate.cnf.in | 28 +---
 test/ssl-tests/protocol_version.pm | 7 ++--
 test/sslapitest.c | 55 +++
 7 files changed, 155 insertions(+), 28 deletions(-)

diff --git a/test/dtlstest.c b/test/dtlstest.c index 4f0f9d549d..05b8ded9cc 100644 --- a/test/dtlstest.c +++ b/test/dtlstest.c @@ -67,8 +67,16 @@ static int test_dtls_unprocessed(int testidx) , , cert, privkey))) return 0; +#ifndef OPENSSL_NO_DTLS1_2 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES128-SHA"))) goto end; +#else +/* Default sigalgs are SHA1 based in "certstatus-good", server => { +"CipherString" => "DEFAULT:\@SECLEVEL=0", extra => { -"CertStatus" => "GoodResponse", +"CertStatus" => "GoodResponse" }, }, -client => {}, +client => { +"CipherString" => "DEFAULT:\@SECLEVEL=0", +}, test => { "Method" => "DTLS", "ExpectedResult" => "Success" @@ -32,11 +39,14 @@ our @tests = ( { name => "certstatus-bad", server => { +"CipherString" => "DEFAULT:\@SECLEVEL=0", extra => { "CertStatus" => "BadResponse", }, }, -client => {}, +client => { +"CipherString" => "DEFAULT:\@SECLEVEL=0", +}, test => { "Method" => "DTLS", "ExpectedResult" => "ClientFail" @@ -48,11 +58,14 @@ our @tests_sctp = ( { name => "certstatus-good", server => { +"CipherString" => "DEFAULT:\@SECLEVEL=0", extra => { "CertStatus" => "GoodResponse", }, }, -client => {}, +client => { +"CipherString" => "DEFAULT:\@SECLEVEL=0", +}, test => { "Method" => "DTLS", "UseSCTP" => "Yes", @@ -62,11 +75,14 @@ our @tests_sctp = ( { name => "certstatus-bad", server => { +"CipherString" => "DEFAULT:\@SECLEVEL=0", extra => { "CertStatus" => "BadResponse", }, }, -client => {}, +client => { +"CipherString" => "DEFAULT:\@SECLEVEL=0", +}, test => { "Method" => "DTLS", "UseSCTP" => "Yes", @@ -75,4 +91,7 @@ our @tests_sctp = ( }, ); -push @tests, @tests_sctp unless disabled("sctp") || disabled("sock"); +if (!$fips_mode || !disabled("dtls1_2")) { +push @tests, @tests_standard; +push @tests, @tests_sctp unless disabled("sctp") || disabled("sock"); +} diff --git a/test/ssl-tests/18-dtls-renegotiate.cnf
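Review bot: In the 16-dtls-certstatus.cnf.in hunks, "CipherString" => "DEFAULT:\@SECLEVEL=0" is added to both server and client of every test with no condition, whereas the dtlstest.c hunk keeps the existing cipher list under #ifndef OPENSSL_NO_DTLS1_2 and changes behaviour only in the #else branch. As far as the lines shown here go, that means a build with DTLSv1.2 enabled now runs the certstatus tests at security level 0 as well. Suggest setting the cipher string only when disabled("dtls1_2"), so that builds with DTLSv1.2 keep exercising these tests at the default security level.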
[openssl] master update
The branch master has been updated via 0f077b5fd86e2df0b41608fbd5684fa1a2b58f59 (commit) from c404e4fab3b4497a2d04bc9c171c5460b940bf91 (commit) - Log - commit 0f077b5fd86e2df0b41608fbd5684fa1a2b58f59 Author: Scott McPeak Date: Thu Apr 22 19:13:09 2021 -0700 asn1_lib.c: ASN1_put_object: Remove comment about "class 0". ASN1_put_object() was preceded by the nonsensical comment: /* * class 0 is constructed constructed == 2 for indefinite length constructed */ This is the result of concatenating two sentences in 0f113f3ee4d by automated reformatting. The first sentence, "class 0 is constructed", goes back to d02b48c63a, the import of SSLeay 0.8.1b. Even in that context, it made little sense; class 0 means "universal", not constructed, and there is no special significance to class 0 in this function in any case. Therefore I have simply removed that first sentence. CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/14998) --- Summary of changes: crypto/asn1/asn1_lib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index 72d15acc7e..b1fa6b55a0 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -155,7 +155,7 @@ static int asn1_get_length(const unsigned char **pp, int *inf, long *rl, } /* - * class 0 is constructed constructed == 2 for indefinite length constructed + * constructed == 2 for indefinite length constructed */ void ASN1_put_object(unsigned char **pp, int constructed, int length, int tag, int xclass)
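Review bot: The comment left above ASN1_put_object() now documents only the single special case constructed == 2. Since the purpose of the change is to make this comment meaningful, consider also saying what the other values of constructed mean, or pointing to the function's man page, so that the one remaining sentence is not the function's entire description.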
[openssl] master update
The branch master has been updated via c404e4fab3b4497a2d04bc9c171c5460b940bf91 (commit) via 872b7979c7c5f5d1f412964eb57507505c7a2ff9 (commit) from 3b9e47695f66e83b162d6d78f9a3c20e4464322d (commit) - Log - commit c404e4fab3b4497a2d04bc9c171c5460b940bf91 Author: Tomas Mraz Date: Tue Apr 27 11:49:44 2021 +0200 Add test case for openssl crl -noout -hash output Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/15044) commit 872b7979c7c5f5d1f412964eb57507505c7a2ff9 Author: Tomas Mraz Date: Tue Apr 27 11:44:05 2021 +0200 crl: noout is not an output item Fixes #15034 Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/15044) --- Summary of changes: apps/crl.c | 2 +- test/recipes/25-test_crl.t | 5 - 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/apps/crl.c b/apps/crl.c index 7f09d476c1..fbdd2a896c 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -177,7 +177,7 @@ int crl_main(int argc, char **argv) nextupdate = ++num; break; case OPT_NOOUT: -noout = ++num; +noout = 1; break; case OPT_FINGERPRINT: fingerprint = ++num; diff --git a/test/recipes/25-test_crl.t b/test/recipes/25-test_crl.t index 128ad116ff..a17383f043 100644 --- a/test/recipes/25-test_crl.t +++ b/test/recipes/25-test_crl.t @@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; setup("test_crl"); -plan tests => 7; +plan tests => 8; require_ok(srctop_file('test','recipes','tconversion.pl')); @@ -35,6 +35,9 @@ ok(compare1stline([qw{openssl crl -noout -fingerprint -in}, ok(compare1stline([qw{openssl crl -noout -fingerprint -sha256 -in}, srctop_file('test', 'testcrl.pem')], 'SHA2-256 Fingerprint=B3:A9:FD:A7:2E:8C:3D:DF:D0:F1:C3:1A:96:60:B5:FD:B0:99:7C:7F:0E:E4:34:F5:DB:87:62:36:BC:F1:BC:1B')); +ok(compare1stline([qw{openssl crl -noout -hash -in}, + srctop_file('test', 'testcrl.pem')], + '106cd822')); ok(run(app(["openssl", "crl", "-text", "-in", $pem, "-out", $out, "-nameopt", "utf8"])));
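Review bot: The new test in 25-test_crl.t covers only the option order "-noout -hash". Because the fix in apps/crl.c is about noout no longer taking a position in the numbered output sequence, please add the reverse order "-hash -noout" with the same expected value '106cd822', so both positions are covered. In crl_main(), OPT_NOOUT now differs from the neighbouring cases that still assign ++num; a one-line comment on that case saying noout is a flag and not an output item would keep it from being changed back for consistency.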
[openssl] master update
The branch master has been updated
    via 3b9e47695f66e83b162d6d78f9a3c20e4464322d (commit)
    via f2ea01d9f138dd7e99e55d4c9bd949d2aae64a2a (commit)
    via b2d8c7b6a380bd93d350526ddd3746f82a76a18f (commit)
    via afa0a13c1a61e075eb5949bf370f7b0c58d3b8e2 (commit)
    via d9ce268151e5d3de4f15673aa8c0ae60b07eeadd (commit)
    via 18da9fc31f050edaf65da162f01c7bea920a5aac (commit)
    via 4e282708c5bb82b6caed8e0565b9ac4ac15a7ac3 (commit)
    via 5b689181853ca6d240d756cd7d65678124838b11 (commit)
    via c3bda8a2e0d51a8be2c2c0afc673048bc9457dcd (commit)
    via b6821df0d0713e05af338f5a7dba51a63f2c79b9 (commit)
    via 59cf2869199b695cace97869c578d40fafff24c6 (commit)
    from f4585aeca99d43ed4cfd7053f8d74a4d816c95e4 (commit)

- Log -

commit 3b9e47695f66e83b162d6d78f9a3c20e4464322d
Author: Dr. Matthias St. Pierre
Date: Mon Apr 26 02:19:35 2021 +0200

    CHANGES: document the FIPS provider configuration and installation

    Reviewed-by: Tomas Mraz
    (Merged from https://github.com/openssl/openssl/pull/13684)

commit f2ea01d9f138dd7e99e55d4c9bd949d2aae64a2a
Author: Dr. Matthias St. Pierre
Date: Thu Apr 8 21:06:23 2021 +0200

    README-FIPS: document the installation of the FIPS provider

    Note that configuration and installation procedure has changed:

    - The FIPS provider is now disabled by default and needs to
      be enabled by configuring with `enable-fips`.
    - If the FIPS provider is enabled, it gets installed automatically.
      There is no extra installation step required anymore.

    This is more natural and coincides with the expectation of the
    user, namely "what's configured, gets installed".

    Reviewed-by: Tomas Mraz
    (Merged from https://github.com/openssl/openssl/pull/13684)

commit b2d8c7b6a380bd93d350526ddd3746f82a76a18f
Author: Dr. Matthias St. Pierre
Date: Mon Apr 26 01:04:26 2021 +0200

    Configure: disable fips mode by default

    Building the fips provider in addition to the default provider
    effectively doubles the build time. Since many users will not
    need fips support, it is now disabled by default.

    Reviewed-by: Tomas Mraz
    (Merged from https://github.com/openssl/openssl/pull/13684)

commit afa0a13c1a61e075eb5949bf370f7b0c58d3b8e2
Author: Dr. Matthias St. Pierre
Date: Mon Apr 26 01:01:50 2021 +0200

    Configure: sort the disablables alphabetically

    Reviewed-by: Tomas Mraz
    (Merged from https://github.com/openssl/openssl/pull/13684)

commit d9ce268151e5d3de4f15673aa8c0ae60b07eeadd
Author: Dr. Matthias St. Pierre
Date: Wed Apr 14 20:23:43 2021 +0200

    build.info: add the Perl wrapper to build generator programs on Windows

    Pull request #14320 introduced the ability to use compiled programs
    as generators in GENERATE rules of build.info files. Those generator
    calls were wrapped by the Perl wrapper (wrap.pl) in the Unix makefile
    template, but not on Windows.

    This commit adds the missing wrapper for Windows, because for the
    `fipsmodule.cnf` target it is essential that the `openssl fipsinstall`
    command does not load any preinstalled openssl configuration file.

    Fixes #13680

    Reviewed-by: Tomas Mraz
    (Merged from https://github.com/openssl/openssl/pull/13684)

commit 18da9fc31f050edaf65da162f01c7bea920a5aac
Author: Dr. Matthias St. Pierre
Date: Mon Apr 26 00:14:59 2021 +0200

    Configure/Makefile: install the fips provider if it was configured

    To follow the principle "what you configure is what you install",
    the `make install` target now includes the installation of the
    fips provider (`make install_fips`) if (and only if) OpenSSL was
    configured with fips support (`enable-fips`).

    The `make install_fips` target exists as well and can be used
    to install just the fips provider. It requires `enable-fips`
    and issues an error message if `no-fips` was configured.

    The analogue holds for the 'uninstall_fips' target.

    Fixes #13693

    Reviewed-by: Tomas Mraz
    (Merged from https://github.com/openssl/openssl/pull/13684)

commit 4e282708c5bb82b6caed8e0565b9ac4ac15a7ac3
Author: Dr. Matthias St. Pierre
Date: Wed Apr 14 20:37:37 2021 +0200

    Configure/Makefile: don't generate a fresh fipsmodule.cnf when installing it

    There is already a `providers/fipsmodule.cnf` target which is required
    by the tests. Instead of creating another fipsmodule.cnf, the
    `install_fips` target simply copies that configuration file to its
    final destination.

    This commit also restores the minimal dependencies to build the
    `install_fips` target immediately after configuring, which was
    broken after the removal of the `install_sw` dependency.

    Reviewed-by: Tomas Mraz
    (Merged from https://github.com/openssl/openssl/pull/13684)

commit
[openssl] master update
The branch master has been updated via f4585aeca99d43ed4cfd7053f8d74a4d816c95e4 (commit) from 2395ad8079bdc76790a004f9aaeb53ef0b1c8df8 (commit) - Log - commit f4585aeca99d43ed4cfd7053f8d74a4d816c95e4 Author: Pauli Date: Wed Apr 28 10:38:08 2021 +1000 runchecker: fix no-sock build by conditioning clean up on the NO_SOCK symbol. Fixes #15054 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15055) --- Summary of changes: apps/cmp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apps/cmp.c b/apps/cmp.c index 494b27d294..51dd971162 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -2855,7 +2855,9 @@ int cmp_main(int argc, char **argv) OSSL_CMP_CTX_print_errors(cmp_ctx); ossl_cmp_mock_srv_free(OSSL_CMP_CTX_get_transfer_cb_arg(cmp_ctx)); +#ifndef OPENSSL_NO_SOCK APP_HTTP_TLS_INFO_free(OSSL_CMP_CTX_get_http_cb_arg(cmp_ctx)); +#endif X509_STORE_free(OSSL_CMP_CTX_get_certConf_cb_arg(cmp_ctx)); OSSL_CMP_CTX_free(cmp_ctx); X509_VERIFY_PARAM_free(vpm);
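Review bot: The new #ifndef OPENSSL_NO_SOCK in cmp_main() guards only the APP_HTTP_TLS_INFO_free() call at cleanup. Please confirm that the code which sets the http_cb_arg is compiled under the same condition, so allocation and release stay paired in both configurations. If APP_HTTP_TLS_INFO_free() has other callers, a no-op definition for no-sock builds would avoid repeating this guard at each call site.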
[openssl] master update
The branch master has been updated via 2395ad8079bdc76790a004f9aaeb53ef0b1c8df8 (commit) from 3babc1e468c9a5cfb30582a3ea1d55c1ec776361 (commit) - Log - commit 2395ad8079bdc76790a004f9aaeb53ef0b1c8df8 Author: Pauli Date: Wed Apr 28 11:25:52 2021 +1000 test: never run fipsinstall if the tests are not enabled. Fixes #15056 The dependency for fipsinstall was being added to the makefile regardless of it being used. This means that a subsequent `make test` would fail if the command line application wasn't present. Rather than fix the instance in question, it is better to leave out this part of the makefile if the tests cannot be run. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15057) --- Summary of changes: providers/build.info | 12 +++- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/providers/build.info b/providers/build.info index 4296aa05a6..b772e5ec25 100644 --- a/providers/build.info +++ b/providers/build.info @@ -147,11 +147,13 @@ IF[{- !$disabled{fips} -}] # module installation. We have the output go to standard output, because # the generated commands in build templates are expected to catch that, # and thereby keep control over the exact output file location. - DEPEND[|tests|]=fipsmodule.cnf - GENERATE[fipsmodule.cnf]=../apps/openssl fipsinstall \ --module providers/$(FIPSMODULENAME) -provider_name fips \ --mac_name HMAC -section_name fips_sect - DEPEND[fipsmodule.cnf]=$FIPSGOAL + IF[{- !$disabled{tests} -}] +DEPEND[|tests|]=fipsmodule.cnf +GENERATE[fipsmodule.cnf]=../apps/openssl fipsinstall \ + -module providers/$(FIPSMODULENAME) -provider_name fips \ + -mac_name HMAC -section_name fips_sect +DEPEND[fipsmodule.cnf]=$FIPSGOAL + ENDIF ENDIF #
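Review bot: The new IF[{- !$disabled{tests} -}] wraps all three lines, so a build with fips enabled and tests disabled has no GENERATE rule for fipsmodule.cnf at all. The comment just above ties this rule to module installation, and commit 4e282708c5 in the same batch makes install_fips copy providers/fipsmodule.cnf instead of generating a fresh one, so that configuration may have nothing to copy. Only DEPEND[|tests|]=fipsmodule.cnf depends on the tests being enabled; suggest moving just that line inside the IF and leaving GENERATE[fipsmodule.cnf] and DEPEND[fipsmodule.cnf]=$FIPSGOAL where they were.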