Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm

2021-04-29 Thread OpenSSL run-checker
Platform and configuration command:

$ uname -a
Linux run 5.4.0-72-generic #80-Ubuntu SMP Mon Apr 12 17:35:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-asm

Commit log since last time:

d77ba503a2 Adjust ssl_test_new for SHA1 security level
8ce390e139 Adjust sslapitest for SHA1 security level
fdf312709a Adjust dtlstest for SHA1 security level
0f077b5fd8 asn1_lib.c: ASN1_put_object: Remove comment about "class 0".
c404e4fab3 Add test case for openssl crl -noout -hash output
872b7979c7 crl: noout is not an output item
3b9e47695f CHANGES: document the FIPS provider configuration and installation
f2ea01d9f1 README-FIPS: document the installation of the FIPS provider
b2d8c7b6a3 Configure: disable fips mode by default
afa0a13c1a Configure: sort the disablables alphabetically
d9ce268151 build.info: add the Perl wrapper to build generator programs on Windows
18da9fc31f Configure/Makefile: install the fips provider if it was configured
4e282708c5 Configure/Makefile: don't generate a fresh fipsmodule.cnf when installing it
5b68918185 Configure/Makefile: separate install of the FIPS module
c3bda8a2e0 Configure/Makefile: correct the FIPS module configuration file path
b6821df0d0 Configure/Makefile: use the correct openssl app for FIPS installation
59cf286919 Configure/Makefile: fix the `-macopt` argument of the fipsinstall command
f4585aeca9 runchecker: fix no-sock build by conditioning clean up on the NO_SOCK symbol.
2395ad8079 test: never run fipsinstall if the tests are not enabled.

Build log ended with (last 100 lines):

20-test_rand_config.t .. ok
25-test_crl.t .. ok
25-test_d2i.t .. ok
25-test_eai_data.t . ok
25-test_pkcs7.t  ok
25-test_req.t .. ok
25-test_rusext.t ... ok
25-test_sid.t .. ok
25-test_verify.t ... ok
25-test_verify_store.t . ok
25-test_x509.t . ok
30-test_acvp.t . skipped: ACVP is not supported by this test
30-test_aesgcm.t ... ok
30-test_afalg.t  ok
30-test_defltfips.t  ok
30-test_engine.t ... ok
30-test_evp.t .. ok
30-test_evp_extra.t  ok
30-test_evp_fetch_prov.t ... ok
30-test_evp_kdf.t .. ok
30-test_evp_libctx.t ... ok
30-test_evp_pkey_dparam.t .. ok
30-test_evp_pkey_provided.t  ok
30-test_pbelu.t  ok
30-test_pkey_meth.t  ok
30-test_pkey_meth_kdf.t  ok
30-test_provider_status.t .. skipped: provider_status is not supported by this test
40-test_rehash.t ... ok
60-test_x509_check_cert_pkey.t . ok
60-test_x509_dup_cert.t  ok
60-test_x509_store.t ... ok
60-test_x509_time.t  ok
61-test_bio_prefix.t ... ok
61-test_bio_readbuffer.t ... ok
65-test_cmp_asn.t .. ok
65-test_cmp_client.t ... ok
65-test_cmp_ctx.t .. ok
65-test_cmp_hdr.t .. ok
65-test_cmp_msg.t .. ok
65-test_cmp_protect.t .. ok
65-test_cmp_server.t ... ok
65-test_cmp_status.t ... ok
65-test_cmp_vfy.t .. ok
66-test_ossl_store.t ... ok
70-test_asyncio.t .. ok
70-test_bad_dtls.t . ok
70-test_clienthello.t .. ok
70-test_comp.t . ok
70-test_key_share.t  ok
70-test_packet.t ... ok
70-test_recordlen.t  ok
70-test_renegotiation.t  ok
70-test_servername.t ... ok
70-test_sslcbcpadding.t  ok
70-test_sslcertstatus.t  ok
70-test_sslextension.t . ok
70-test_sslmessages.t .. ok
70-test_sslrecords.t ... ok
70-test_sslsessiontick.t ... ok
70-test_sslsigalgs.t ... ok
70-test_sslsignature.t . ok
70-test_sslskewith0p.t . ok
70-test_sslversions.t .. ok
70-test_sslvertol.t  ok
70-test_tls13alerts.t .. ok
70-test_tls13cookie.t .. ok
70-test_tls13downgrade.t ... ok
70-test_tls13hrr.t . ok
70-test_tls13kexmodes.t  ok
70-test_tls13messages.t  ok
70-test_tls13psk.t . ok
70-test_tlsextms.t . ok
70-test_verify_extra.t . ok
70-test_wpacket.t .. ok
71-test_ssl_ctx.t .. ok
80-test_ca.t ... ok
80-test_cipherbytes.t .. ok
80-test_cipherlist.t ... ok
80-test_ciphername.t ... ok

# 
Killing mock server with pid=22009980-test_cmp_http.t . ok

# 80-test_cms.t .. ok
80-test_cmsapi.t 

[openssl] master update

2021-04-29 Thread Dr . Paul Dale
The branch master has been updated
   via  9ac653d81a857a5452f9f25278a24e1dfb226905 (commit)
  from  0b31c36797a36c4cc17dd634de7e254290f8dac6 (commit)


- Log -
commit 9ac653d81a857a5452f9f25278a24e1dfb226905
Author: Tomas Mraz 
Date:   Wed Apr 28 12:43:12 2021 +0200

Document the API breaking constification changes

The EVP_PKEY_asn1_set_public and EVP_PKEY_meth_set_copy have
some API breaking constification changes in 3.0.

Fixes #9296

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/15068)

---

Summary of changes:
 CHANGES.md| 9 +
 doc/man3/EVP_PKEY_ASN1_METHOD.pod | 8 +++-
 doc/man3/EVP_PKEY_meth_new.pod| 7 +--
 3 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index e93d5df75a..0abee0a0ac 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -77,6 +77,15 @@ OpenSSL 3.0
 
*Boris Pismenny, John Baldwin and Andrew Gallatin*
 
+ * The signature of the `copy` functional parameter of the
+   EVP_PKEY_meth_set_copy() function has changed so its `src` argument is
+   now `const EVP_PKEY_CTX *` instead of `EVP_PKEY_CTX *`. Similarly
+   the signature of the `pub_decode` functional parameter of the
+   EVP_PKEY_asn1_set_public() function has changed so its `pub` argument is
+   now `const X509_PUBKEY *` instead of `X509_PUBKEY *`.
+
+   *David von Oheimb*
+
  * The error return values from some control calls (ctrl) have changed.
One significant change is that controls which used to return -2 for
invalid inputs, now return -1 indicating a generic error condition instead.
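Review bot: the new CHANGES.md entry gives the new `src` and `pub` types but not the consequence the commit title names: third-party EVP_PKEY_METHOD and EVP_PKEY_ASN1_METHOD implementations that still install callbacks with the old non-const parameter types will now get incompatible-pointer-type diagnostics when built against 3.0. One sentence saying that implementers must update their callback signatures, plus a pointer to the HISTORY notes in EVP_PKEY_meth_new(3) and EVP_PKEY_ASN1_METHOD(3), would make the entry actionable.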
diff --git a/doc/man3/EVP_PKEY_ASN1_METHOD.pod 
b/doc/man3/EVP_PKEY_ASN1_METHOD.pod
index 9f50a56964..544d2a99c9 100644
--- a/doc/man3/EVP_PKEY_ASN1_METHOD.pod
+++ b/doc/man3/EVP_PKEY_ASN1_METHOD.pod
@@ -156,7 +156,7 @@ L.
 The methods are the underlying implementations of a particular public
 key algorithm present by the B object.
 
- int (*pub_decode) (EVP_PKEY *pk, X509_PUBKEY *pub);
+ int (*pub_decode) (EVP_PKEY *pk, const X509_PUBKEY *pub);
  int (*pub_encode) (X509_PUBKEY *pub, const EVP_PKEY *pk);
  int (*pub_cmp) (const EVP_PKEY *a, const EVP_PKEY *b);
  int (*pub_print) (BIO *out, const EVP_PKEY *pkey, int indent,
@@ -432,6 +432,12 @@ or 1 on success.
 EVP_PKEY_get0_asn1() returns NULL on error, or a pointer to a constant
 B object otherwise.
 
+=head1 HISTORY
+
+The signature of the I functional argument of
+EVP_PKEY_asn1_set_public() has changed in OpenSSL 3.0 so its I
+parameter is now constified.
+
 =head1 COPYRIGHT
 
 Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man3/EVP_PKEY_meth_new.pod b/doc/man3/EVP_PKEY_meth_new.pod
index 4432fff516..196b7ca885 100644
--- a/doc/man3/EVP_PKEY_meth_new.pod
+++ b/doc/man3/EVP_PKEY_meth_new.pod
@@ -46,7 +46,7 @@ L:
  int (*init) (EVP_PKEY_CTX *ctx));
  void EVP_PKEY_meth_set_copy(EVP_PKEY_METHOD *pmeth,
  int (*copy) (EVP_PKEY_CTX *dst,
-  EVP_PKEY_CTX *src));
+  const EVP_PKEY_CTX *src));
  void EVP_PKEY_meth_set_cleanup(EVP_PKEY_METHOD *pmeth,
 void (*cleanup) (EVP_PKEY_CTX *ctx));
  void EVP_PKEY_meth_set_paramgen(EVP_PKEY_METHOD *pmeth,
@@ -266,7 +266,7 @@ The methods are the underlying implementations of a 
particular public key
 algorithm present by the B object.
 
  int (*init) (EVP_PKEY_CTX *ctx);
- int (*copy) (EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src);
+ int (*copy) (EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src);
  void (*cleanup) (EVP_PKEY_CTX *ctx);
 
 The init() method is called to initialize algorithm-specific data when a new
@@ -451,6 +451,9 @@ arguments.
 
 All of these functions were deprecated in OpenSSL 3.0.
 
+The signature of the I functional argument of EVP_PKEY_meth_set_copy()
+has changed in OpenSSL 3.0 so its I parameter is now constified.
+
 =head1 COPYRIGHT
 
 Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
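Review bot: the new sentence lands directly under "All of these functions were deprecated in OpenSSL 3.0", so the reader sees a deprecated-in-3.0 statement immediately followed by a changed-in-3.0 statement about one of the same functions; merging them, e.g. "EVP_PKEY_meth_set_copy() additionally had the `src` parameter of its `copy` argument constified in OpenSSL 3.0", or at least naming the new type `const EVP_PKEY_CTX *` as the synopsis hunk above does, would read more clearly than "is now constified".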


[openssl] master update

2021-04-29 Thread Dr . Paul Dale
The branch master has been updated
   via  0b31c36797a36c4cc17dd634de7e254290f8dac6 (commit)
  from  c7d848e220ecb432faa05d2198ae689298d71728 (commit)


- Log -
commit 0b31c36797a36c4cc17dd634de7e254290f8dac6
Author: Eric Curtin 
Date:   Wed Apr 28 23:44:03 2021 +0100

Remove dated term and fixed typo anther

Just something I noticed while reading this code.
This was probably committed a very long time ago.
Fixed typo anther -> another.

Reviewed-by: Tim Hudson 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/15078)

---

Summary of changes:
 crypto/rc2/rc2_skey.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/rc2/rc2_skey.c b/crypto/rc2/rc2_skey.c
index 90fdface89..313250b58c 100644
--- a/crypto/rc2/rc2_skey.c
+++ b/crypto/rc2/rc2_skey.c
@@ -47,8 +47,8 @@ static const unsigned char key_table[256] = {
 
 /*
  * It has come to my attention that there are 2 versions of the RC2 key
- * schedule.  One which is normal, and anther which has a hook to use a
- * reduced key length. BSAFE uses the 'retarded' version.  What I previously
+ * schedule.  One which is normal, and another which has a hook to use a
+ * reduced key length. BSAFE uses the latter version.  What I previously
  * shipped is the same as specifying 1024 for the 'bits' parameter.  Bsafe
  * uses a version where the bits parameter is the same as len*8
  */


[tools] master update

2021-04-29 Thread Dr . Paul Dale
The branch master has been updated
   via  ee7da65b64a2409255d9effb751b4082642e3d39 (commit)
  from  9d9c86fe443afcb8a13a8ae40b91674a6afefcd3 (commit)


- Log -
commit ee7da65b64a2409255d9effb751b4082642e3d39
Author: Tomas Mraz 
Date:   Wed Apr 28 11:24:42 2021 +0200

ghmerge: Rebase PR on top of master

ghmerge rebased the newer commits from master on top of PR first
which does not make much sense. Do it the other way around.

Also allow fixing eventual trivial rebase conflicts in the
background.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/tools/pull/83)

---

Summary of changes:
 review-tools/ghmerge | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/review-tools/ghmerge b/review-tools/ghmerge
index 06f6bfa..7f0746e 100755
--- a/review-tools/ghmerge
+++ b/review-tools/ghmerge
@@ -180,14 +180,14 @@ function cleanup {
 }
 trap 'cleanup' EXIT
 
-git checkout -b $WORK $REF
-
 # append new commits from $REPO/$BRANCH
 if [ "$PICK" != "yes" ]; then
 echo Rebasing $REPO/$BRANCH on $REF...
-git pull --rebase $REPO $BRANCH || (git rebase --abort; exit 1)
+git fetch $REPO $BRANCH && git checkout -b $WORK FETCH_HEAD
+git rebase $REF || (echo 'Fix or Ctrl-d to abort' ; read || (git rebase 
--abort; exit 1))
 else
 echo Cherry-picking $REPO/$BRANCH to $REF...
+git checkout -b $WORK $REF
 git fetch $REPO $BRANCH && git cherry-pick FETCH_HEAD
 fi
 
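Review bot: `git fetch $REPO $BRANCH && git checkout -b $WORK FETCH_HEAD` has no failure branch, so if either the fetch or the checkout fails the script falls through to `git rebase $REF` on whatever branch was checked out before it ran; append `|| exit 1` (the EXIT trap already runs cleanup) as the removed `git pull --rebase ... || (git rebase --abort; exit 1)` line did. The `read` prompt "Fix or Ctrl-d to abort" should also say that the user is expected to resolve the conflict and run `git rebase --continue` in another shell before pressing Enter, since nothing in this script continues the rebase itself, and a non-interactive stdin will hit EOF and abort straight away.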


[openssl] master update

2021-04-29 Thread Matt Caswell
The branch master has been updated
   via  d77ba503a2cf1c83098baca345327761b991d191 (commit)
   via  8ce390e1399a27e1c6e14756927e2331ee1cb5c5 (commit)
   via  fdf312709a34eb173f8366f55db0e0884b1f6a26 (commit)
  from  0f077b5fd86e2df0b41608fbd5684fa1a2b58f59 (commit)


- Log -
commit d77ba503a2cf1c83098baca345327761b991d191
Author: Matt Caswell 
Date:   Tue Apr 27 15:04:11 2021 +0100

Adjust ssl_test_new for SHA1 security level

SHA1 is now in security level 0. SHA1 is required for DTLSv1.1. Therefore
ssl_test_new needed some adjustments in the event that DTLSv1.2 is disabled.

There are also adjustments required if using the FIPS module and DTLSv1.2
is disabled. The only DTLS version supported by the FIPS module is
DTLSv1.2.

Fixes #14956

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/15047)

commit 8ce390e1399a27e1c6e14756927e2331ee1cb5c5
Author: Matt Caswell 
Date:   Tue Apr 27 12:05:00 2021 +0100

Adjust sslapitest for SHA1 security level

SHA1 is now in security level 0. SHA1 is required for DTLSv1.1. Therefore
sslapitest needed some adjustments in the event that DTLSv1.2 is disabled.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/15047)

commit fdf312709a34eb173f8366f55db0e0884b1f6a26
Author: Matt Caswell 
Date:   Tue Apr 27 11:07:57 2021 +0100

Adjust dtlstest for SHA1 security level

SHA1 is now in security level 0. SHA1 is required for DTLSv1.1. Therefore
dtlstest needed some adjustments in the event that DTLSv1.2 is disabled.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/15047)

---

Summary of changes:
 test/dtlstest.c   | 32 ++
 test/ssl-tests/16-dtls-certstatus.cnf |  8 ++---
 test/ssl-tests/16-dtls-certstatus.cnf.in  | 33 +++
 test/ssl-tests/18-dtls-renegotiate.cnf| 20 +--
 test/ssl-tests/18-dtls-renegotiate.cnf.in | 28 +---
 test/ssl-tests/protocol_version.pm|  7 ++--
 test/sslapitest.c | 55 +++
 7 files changed, 155 insertions(+), 28 deletions(-)

diff --git a/test/dtlstest.c b/test/dtlstest.c
index 4f0f9d549d..05b8ded9cc 100644
--- a/test/dtlstest.c
+++ b/test/dtlstest.c
@@ -67,8 +67,16 @@ static int test_dtls_unprocessed(int testidx)
, , cert, privkey)))
 return 0;
 
+#ifndef OPENSSL_NO_DTLS1_2
 if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES128-SHA")))
 goto end;
+#else
+/* Default sigalgs are SHA1 based in  "certstatus-good",
 server => {
+"CipherString" => "DEFAULT:\@SECLEVEL=0",
 extra => {
-"CertStatus" => "GoodResponse",
+"CertStatus" => "GoodResponse"
 },
 },
-client => {},
+client => {
+"CipherString" => "DEFAULT:\@SECLEVEL=0",
+},
 test => {
 "Method" => "DTLS",
 "ExpectedResult" => "Success"
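Review bot: in the first certstatus-good entry the trailing comma after `"CertStatus" => "GoodResponse"` is dropped, while the three sibling entries below keep theirs; that removal is unrelated to the SECLEVEL change and only adds a gratuitous diff line, so keep the comma. Separately, the literal `DEFAULT:\@SECLEVEL=0` is now repeated for every client and server block in this file; a single variable defined once at the top of the .cnf.in would keep all four tests in step if the level ever has to change again.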
@@ -32,11 +39,14 @@ our @tests = (
 {
 name => "certstatus-bad",
 server => {
+"CipherString" => "DEFAULT:\@SECLEVEL=0",
 extra => {
 "CertStatus" => "BadResponse",
 },
 },
-client => {},
+client => {
+"CipherString" => "DEFAULT:\@SECLEVEL=0",
+},
 test => {
 "Method" => "DTLS",
 "ExpectedResult" => "ClientFail"
@@ -48,11 +58,14 @@ our @tests_sctp = (
 {
 name => "certstatus-good",
 server => {
+"CipherString" => "DEFAULT:\@SECLEVEL=0",
 extra => {
 "CertStatus" => "GoodResponse",
 },
 },
-client => {},
+client => {
+"CipherString" => "DEFAULT:\@SECLEVEL=0",
+},
 test => {
 "Method" => "DTLS",
 "UseSCTP" => "Yes",
@@ -62,11 +75,14 @@ our @tests_sctp = (
 {
 name => "certstatus-bad",
 server => {
+"CipherString" => "DEFAULT:\@SECLEVEL=0",
 extra => {
 "CertStatus" => "BadResponse",
 },
 },
-client => {},
+client => {
+"CipherString" => "DEFAULT:\@SECLEVEL=0",
+},
 test => {
 "Method" => "DTLS",
 "UseSCTP" => "Yes",
@@ -75,4 +91,7 @@ our @tests_sctp = (
 },
 );
 
-push @tests, @tests_sctp unless disabled("sctp") || disabled("sock");
+if  (!$fips_mode || !disabled("dtls1_2")) {
+push @tests, @tests_standard;
+push @tests, @tests_sctp unless disabled("sctp") || disabled("sock");
+}
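Review bot: the new guard pushes `@tests_standard`, but no definition of that array is visible in these hunks, where the certstatus entries are declared into `@tests` (see the `our @tests = (` context in the @@ -32 hunk header); confirm that the earlier, cut-off part of this diff renames the declaration, otherwise `push @tests, @tests_standard` is a no-op and only the SCTP tests get registered. The condition `!$fips_mode || !disabled("dtls1_2")` matches the commit message (the FIPS module supports only DTLSv1.2), but `$fips_mode` must already be populated by the harness at this point in the file.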
diff --git a/test/ssl-tests/18-dtls-renegotiate.cnf 

[openssl] master update

2021-04-29 Thread beldmit
The branch master has been updated
   via  0f077b5fd86e2df0b41608fbd5684fa1a2b58f59 (commit)
  from  c404e4fab3b4497a2d04bc9c171c5460b940bf91 (commit)


- Log -
commit 0f077b5fd86e2df0b41608fbd5684fa1a2b58f59
Author: Scott McPeak 
Date:   Thu Apr 22 19:13:09 2021 -0700

asn1_lib.c: ASN1_put_object: Remove comment about "class 0".

ASN1_put_object() was preceded by the nonsensical comment:

  /*
   * class 0 is constructed constructed == 2 for indefinite length 
constructed
   */

This is the result of concatenating two sentences in 0f113f3ee4d by
automated reformatting.  The first sentence, "class 0 is constructed",
goes back to d02b48c63a, the import of SSLeay 0.8.1b.  Even in that
context, it made little sense; class 0 means "universal", not
constructed, and there is no special significance to class 0 in this
function in any case.

Therefore I have simply removed that first sentence.

CLA: trivial

Reviewed-by: Tomas Mraz 
Reviewed-by: Dmitry Belyavskiy 
(Merged from https://github.com/openssl/openssl/pull/14998)

---

Summary of changes:
 crypto/asn1/asn1_lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
index 72d15acc7e..b1fa6b55a0 100644
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -155,7 +155,7 @@ static int asn1_get_length(const unsigned char **pp, int 
*inf, long *rl,
 }
 
 /*
- * class 0 is constructed constructed == 2 for indefinite length constructed
+ * constructed == 2 for indefinite length constructed
  */
 void ASN1_put_object(unsigned char **pp, int constructed, int length, int tag,
  int xclass)
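Review bot: the surviving comment "constructed == 2 for indefinite length constructed" is itself a fragment, and since the whole point of the change is to stop misleading readers it is worth rewording it as a full sentence, e.g. "Passing 2 for constructed selects the indefinite-length form of a constructed encoding"; the `xclass` parameter could use the same treatment, since the removed text is what used to (wrongly) describe it.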

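As an added illustration, not part of the commit or of OpenSSL's code, of the distinction the commit message draws: the class bits and the constructed bit of an identifier octet are independent ("class 0" is UNIVERSAL, nothing more), and `constructed == 2` only selects the indefinite-length form. `put_header` below is a stand-alone re-implementation with the same parameter order as ASN1_put_object(); its name, `header_matches` and the CLASS_* macros are assumptions made here.

```c
#include <stddef.h>
#include <string.h>

/* X.690 identifier octet: bits 8-7 = class, bit 6 = constructed, bits 5-1 = tag.
 * Class and constructed flag are independent: "class 0" just means UNIVERSAL. */
#define CLASS_UNIVERSAL        0x00
#define CLASS_APPLICATION      0x40
#define CLASS_CONTEXT_SPECIFIC 0x80
#define CLASS_PRIVATE          0xC0
#define CONSTRUCTED_BIT        0x20

/*
 * Write the identifier and length octets of a BER/DER header into out
 * (capacity cap); return bytes written, or 0 if it does not fit. Follows the
 * ASN1_put_object() convention: constructed == 2 selects the indefinite-length
 * form (length octet 0x80, later closed by end-of-contents 00 00) and len is
 * then ignored. Illustrative code, not OpenSSL's implementation.
 */
size_t put_header(unsigned char *out, size_t cap, int constructed,
                  size_t len, unsigned tag, unsigned xclass)
{
    size_t n = 0;
    unsigned char first = (unsigned char)(xclass & 0xC0);
    if (constructed)
        first |= CONSTRUCTED_BIT;
    if (cap < 1)
        return 0;
    if (tag < 31) {
        out[n++] = first | (unsigned char)tag;
    } else {
        /* High-tag-number form: 0x1F, then base-128 digits, most significant
         * first, with the continuation bit 0x80 on every digit but the last. */
        unsigned char digits[5];
        int i = 0;
        out[n++] = first | 0x1F;
        do {
            digits[i++] = (unsigned char)(tag & 0x7F);
            tag >>= 7;
        } while (tag != 0);
        while (i-- > 0) {
            if (n >= cap)
                return 0;
            out[n++] = digits[i] | (i ? 0x80 : 0x00);
        }
    }
    if (constructed == 2) {
        if (n >= cap)
            return 0;
        out[n++] = 0x80;                /* indefinite length */
    } else if (len < 128) {
        if (n >= cap)
            return 0;
        out[n++] = (unsigned char)len;  /* short form */
    } else {
        /* Long form: 0x80 | number of length octets, then big-endian length. */
        unsigned char lenbuf[sizeof(size_t)];
        int i = 0;
        do {
            lenbuf[i++] = (unsigned char)(len & 0xFF);
            len >>= 8;
        } while (len != 0);
        if (n + 1 + (size_t)i > cap)
            return 0;
        out[n++] = 0x80 | (unsigned char)i;
        while (i-- > 0)
            out[n++] = lenbuf[i];
    }
    return n;
}

/* Encode a header and compare it with an expected byte string; 1 on match. */
int header_matches(int constructed, size_t len, unsigned tag, unsigned xclass,
                   const char *expect, size_t expect_len)
{
    unsigned char buf[16];
    size_t n = put_header(buf, sizeof(buf), constructed, len, tag, xclass);
    return n == expect_len && memcmp(buf, expect, n) == 0;
}
```

A UNIVERSAL SEQUENCE of three bytes encodes as 30 03, a context-specific [0] wrapper with indefinite length as A0 80, so the constructed bit is set in both while the class differs.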

[openssl] master update

2021-04-29 Thread tomas
The branch master has been updated
   via  c404e4fab3b4497a2d04bc9c171c5460b940bf91 (commit)
   via  872b7979c7c5f5d1f412964eb57507505c7a2ff9 (commit)
  from  3b9e47695f66e83b162d6d78f9a3c20e4464322d (commit)


- Log -
commit c404e4fab3b4497a2d04bc9c171c5460b940bf91
Author: Tomas Mraz 
Date:   Tue Apr 27 11:49:44 2021 +0200

Add test case for openssl crl -noout -hash output

Reviewed-by: Richard Levitte 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/15044)

commit 872b7979c7c5f5d1f412964eb57507505c7a2ff9
Author: Tomas Mraz 
Date:   Tue Apr 27 11:44:05 2021 +0200

crl: noout is not an output item

Fixes #15034

Reviewed-by: Richard Levitte 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/15044)

---

Summary of changes:
 apps/crl.c | 2 +-
 test/recipes/25-test_crl.t | 5 -
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/apps/crl.c b/apps/crl.c
index 7f09d476c1..fbdd2a896c 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -177,7 +177,7 @@ int crl_main(int argc, char **argv)
 nextupdate = ++num;
 break;
 case OPT_NOOUT:
-noout = ++num;
+noout = 1;
 break;
 case OPT_FINGERPRINT:
 fingerprint = ++num;
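Review bot: `noout = 1` stops -noout counting as an output item, which is exactly what the commit title asks for, but every other case in this switch assigns `++num`, so a one-line comment on the OPT_NOOUT case saying it is deliberately left out of the output count would stop the next reader from "fixing" it back; also confirm that the later code which falls back to printing the CRL when `num` is zero does not now fire for a bare `-noout` invocation, since that path is outside this hunk.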
diff --git a/test/recipes/25-test_crl.t b/test/recipes/25-test_crl.t
index 128ad116ff..a17383f043 100644
--- a/test/recipes/25-test_crl.t
+++ b/test/recipes/25-test_crl.t
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 
 setup("test_crl");
 
-plan tests => 7;
+plan tests => 8;
 
 require_ok(srctop_file('test','recipes','tconversion.pl'));
 
@@ -35,6 +35,9 @@ ok(compare1stline([qw{openssl crl -noout -fingerprint -in},
 ok(compare1stline([qw{openssl crl -noout -fingerprint -sha256 -in},
srctop_file('test', 'testcrl.pem')],
   'SHA2-256 
Fingerprint=B3:A9:FD:A7:2E:8C:3D:DF:D0:F1:C3:1A:96:60:B5:FD:B0:99:7C:7F:0E:E4:34:F5:DB:87:62:36:BC:F1:BC:1B'));
+ok(compare1stline([qw{openssl crl -noout -hash -in},
+   srctop_file('test', 'testcrl.pem')],
+  '106cd822'));
 
 ok(run(app(["openssl", "crl", "-text", "-in", $pem, "-out", $out,
 "-nameopt", "utf8"])));
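Review bot: the added case pins `-noout -hash`, which is the reported symptom, but the apps/crl.c change also affects `-noout` given on its own; a companion check that `openssl crl -noout -in testcrl.pem` still produces no output would cover the other half of the fix. The plan bump from 7 to 8 in the previous hunk matches the single new ok().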


[openssl] master update

2021-04-29 Thread matthias . st . pierre
The branch master has been updated
   via  3b9e47695f66e83b162d6d78f9a3c20e4464322d (commit)
   via  f2ea01d9f138dd7e99e55d4c9bd949d2aae64a2a (commit)
   via  b2d8c7b6a380bd93d350526ddd3746f82a76a18f (commit)
   via  afa0a13c1a61e075eb5949bf370f7b0c58d3b8e2 (commit)
   via  d9ce268151e5d3de4f15673aa8c0ae60b07eeadd (commit)
   via  18da9fc31f050edaf65da162f01c7bea920a5aac (commit)
   via  4e282708c5bb82b6caed8e0565b9ac4ac15a7ac3 (commit)
   via  5b689181853ca6d240d756cd7d65678124838b11 (commit)
   via  c3bda8a2e0d51a8be2c2c0afc673048bc9457dcd (commit)
   via  b6821df0d0713e05af338f5a7dba51a63f2c79b9 (commit)
   via  59cf2869199b695cace97869c578d40fafff24c6 (commit)
  from  f4585aeca99d43ed4cfd7053f8d74a4d816c95e4 (commit)


- Log -
commit 3b9e47695f66e83b162d6d78f9a3c20e4464322d
Author: Dr. Matthias St. Pierre 
Date:   Mon Apr 26 02:19:35 2021 +0200

CHANGES: document the FIPS provider configuration and installation

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/13684)

commit f2ea01d9f138dd7e99e55d4c9bd949d2aae64a2a
Author: Dr. Matthias St. Pierre 
Date:   Thu Apr 8 21:06:23 2021 +0200

README-FIPS: document the installation of the FIPS provider

Note that the configuration and installation procedure has changed:

- The FIPS provider is now disabled by default and needs to
  be enabled by configuring with `enable-fips`.
- If the FIPS provider is enabled, it gets installed automatically.
  There is no extra installation step required anymore.

This is more natural and coincides with the expectation of the
user, namely "what's configured, gets installed".

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/13684)

commit b2d8c7b6a380bd93d350526ddd3746f82a76a18f
Author: Dr. Matthias St. Pierre 
Date:   Mon Apr 26 01:04:26 2021 +0200

Configure: disable fips mode by default

Building the fips provider in addition to the default provider
effectively doubles the build time. Since many users will not
need fips support, it is now disabled by default.

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/13684)

commit afa0a13c1a61e075eb5949bf370f7b0c58d3b8e2
Author: Dr. Matthias St. Pierre 
Date:   Mon Apr 26 01:01:50 2021 +0200

Configure: sort the disablables alphabetically

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/13684)

commit d9ce268151e5d3de4f15673aa8c0ae60b07eeadd
Author: Dr. Matthias St. Pierre 
Date:   Wed Apr 14 20:23:43 2021 +0200

build.info: add the Perl wrapper to build generator programs on Windows

Pull request #14320 introduced the ability to use compiled programs
as generators in GENERATE rules of build.info files. Those generator
calls were wrapped by the Perl wrapper (wrap.pl) in the Unix makefile
template, but not on Windows.

This commit adds the missing wrapper for Windows, because for the
`fipsmodule.cnf` target it is essential that the `openssl fipsinstall`
command does not load any preinstalled openssl configuration file.

Fixes #13680

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/13684)

commit 18da9fc31f050edaf65da162f01c7bea920a5aac
Author: Dr. Matthias St. Pierre 
Date:   Mon Apr 26 00:14:59 2021 +0200

Configure/Makefile: install the fips provider if it was configured

To follow the principle "what you configure is what you install",
the `make install` target now includes the installation of the
fips provider (`make install_fips`) if (and only if) OpenSSL was
configured with fips support (`enable-fips`).

The `make install_fips` target exists as well and can be used
to install just the fips provider. It requires `enable-fips`
and issues an error message if `no-fips` was configured.

The analogue holds for the `uninstall_fips` target.

Fixes #13693

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/13684)

commit 4e282708c5bb82b6caed8e0565b9ac4ac15a7ac3
Author: Dr. Matthias St. Pierre 
Date:   Wed Apr 14 20:37:37 2021 +0200

Configure/Makefile: don't generate a fresh fipsmodule.cnf when installing it

There is already a `providers/fipsmodule.cnf` target which is required by
the tests. Instead of creating another fipsmodule.cnf, the `install_fips`
target simply copies that configuration file to its final destination.

This commit also restores the minimal dependencies to build the `install_fips`
target immediately after configuring, which was broken after the removal
of the `install_sw` dependency.

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/13684)

commit 

[openssl] master update

2021-04-29 Thread Dr . Paul Dale
The branch master has been updated
   via  f4585aeca99d43ed4cfd7053f8d74a4d816c95e4 (commit)
  from  2395ad8079bdc76790a004f9aaeb53ef0b1c8df8 (commit)


- Log -
commit f4585aeca99d43ed4cfd7053f8d74a4d816c95e4
Author: Pauli 
Date:   Wed Apr 28 10:38:08 2021 +1000

runchecker: fix no-sock build by conditioning clean up on the NO_SOCK symbol.

Fixes #15054

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/15055)

---

Summary of changes:
 apps/cmp.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/apps/cmp.c b/apps/cmp.c
index 494b27d294..51dd971162 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -2855,7 +2855,9 @@ int cmp_main(int argc, char **argv)
 OSSL_CMP_CTX_print_errors(cmp_ctx);
 
 ossl_cmp_mock_srv_free(OSSL_CMP_CTX_get_transfer_cb_arg(cmp_ctx));
+#ifndef OPENSSL_NO_SOCK
 APP_HTTP_TLS_INFO_free(OSSL_CMP_CTX_get_http_cb_arg(cmp_ctx));
+#endif
 X509_STORE_free(OSSL_CMP_CTX_get_certConf_cb_arg(cmp_ctx));
 OSSL_CMP_CTX_free(cmp_ctx);
 X509_VERIFY_PARAM_free(vpm);
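Review bot: the `#ifndef OPENSSL_NO_SOCK` guard around `APP_HTTP_TLS_INFO_free(OSSL_CMP_CTX_get_http_cb_arg(cmp_ctx))` fixes the no-sock build failure from #15054, but a short comment stating that the HTTP callback argument and its free routine only exist when sockets are compiled in would explain why this one free is conditional while its neighbours are not; also confirm that nothing on the no-sock path ever sets the http_cb_arg, otherwise that allocation now leaks silently.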


[openssl] master update

2021-04-29 Thread Dr . Paul Dale
The branch master has been updated
   via  2395ad8079bdc76790a004f9aaeb53ef0b1c8df8 (commit)
  from  3babc1e468c9a5cfb30582a3ea1d55c1ec776361 (commit)


- Log -
commit 2395ad8079bdc76790a004f9aaeb53ef0b1c8df8
Author: Pauli 
Date:   Wed Apr 28 11:25:52 2021 +1000

test: never run fipsinstall if the tests are not enabled.

Fixes #15056

The dependency for fipsinstall was being added to the makefile regardless of
it being used.  This means that a subsequent `make test` would fail if the
command line application wasn't present.  Rather than fix the instance in question,
it is better to leave out this part of the makefile if the tests cannot be
run.

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/15057)

---

Summary of changes:
 providers/build.info | 12 +++-
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/providers/build.info b/providers/build.info
index 4296aa05a6..b772e5ec25 100644
--- a/providers/build.info
+++ b/providers/build.info
@@ -147,11 +147,13 @@ IF[{- !$disabled{fips} -}]
   # module installation.  We have the output go to standard output, because
   # the generated commands in build templates are expected to catch that,
   # and thereby keep control over the exact output file location.
-  DEPEND[|tests|]=fipsmodule.cnf
-  GENERATE[fipsmodule.cnf]=../apps/openssl fipsinstall \
--module providers/$(FIPSMODULENAME) -provider_name fips \
--mac_name HMAC -section_name fips_sect
-  DEPEND[fipsmodule.cnf]=$FIPSGOAL
+  IF[{- !$disabled{tests} -}]
+DEPEND[|tests|]=fipsmodule.cnf
+GENERATE[fipsmodule.cnf]=../apps/openssl fipsinstall \
+  -module providers/$(FIPSMODULENAME) -provider_name fips \
+  -mac_name HMAC -section_name fips_sect
+DEPEND[fipsmodule.cnf]=$FIPSGOAL
+  ENDIF
 ENDIF
 
 #
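Review bot: wrapping the `GENERATE[fipsmodule.cnf]` rule inside `IF[{- !$disabled{tests} -}]` means an `enable-fips no-tests` build no longer produces `providers/fipsmodule.cnf` at all, yet the `install_fips` target introduced in 4e282708c5 (earlier in this digest) copies that very file to its installed location; either verify that `install_fips` still has a rule to build it, or keep `GENERATE[fipsmodule.cnf]` and `DEPEND[fipsmodule.cnf]=$FIPSGOAL` outside the tests condition and guard only the `DEPEND[|tests|]=fipsmodule.cnf` line, which is the piece that actually broke `make test`.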