[tools] master update
The branch master has been updated via fa7b4ef4e67bb944a40c83539b216c398426bfc1 (commit) from ee7da65b64a2409255d9effb751b4082642e3d39 (commit) - Log - commit fa7b4ef4e67bb944a40c83539b216c398426bfc1 Author: Pauli Date: Fri Apr 30 09:56:39 2021 +1000 Add additional run-checker no-XXX options. There were a number of options missing: no-autoload-config no-buildtest-c++ no-bulk no-cmp no-ktls no-module no-padlockeng no-pinshared no-secure-memory no-siv no-uplink enable-acvp-tests enable-fips enable-fips no-fips-securitychecks Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/tools/pull/84) --- Summary of changes: run-checker/run-checker.sh | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/run-checker/run-checker.sh b/run-checker/run-checker.sh index 05d6332..b59283c 100755 --- a/run-checker/run-checker.sh +++ b/run-checker/run-checker.sh @@ -43,7 +43,11 @@ enable-unit-test no-whirlpool enable-weak-ssl-ciphers enable-zlib enable-zlib-dynamic 386 no-dtls no-tls no-ssl3 no-tls1 no-tls1_1 no-tls1_2 no-dtls1 no-dtls1_2 no-ssl3-method no-tls1-method no-tls1_1-method no-tls1_2-method no-dtls1-method no-dtls1_2-method no-siphash no-tls1_3 no-sm2 -no-sm3 no-sm4 enable-trace no-legacy no-cached-fetch) +no-sm3 no-sm4 enable-trace no-legacy no-cached-fetch no-autoload-config +'no-buildtest-c++' no-bulk no-cmp no-ktls no-module no-padlockeng +no-pinshared no-secure-memory no-siv no-uplink enable-acvp-tests enable-fips +'enable-fips no-fips-securitychecks' +) run-hook () { local hookname=$1; shift
[openssl] master update
The branch master has been updated via 39da32729401110572da1782c80bef39c6f3f64b (commit) from 535130c39d33df41b6a7d14302a93ffaa10ebc46 (commit) - Log - commit 39da32729401110572da1782c80bef39c6f3f64b Author: Tomas Mraz Date: Thu Apr 29 16:32:59 2021 +0200 Simplify AppVeyor configuration Adjust the stuff we are building and testing in various configurations to trim the run time a little bit. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15087) --- Summary of changes: appveyor.yml | 19 --- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/appveyor.yml b/appveyor.yml index 20d81c1b12..9bb6f04e0a 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -15,15 +15,6 @@ configuration: - minimal for: -- -only_commits: -message: /\[extended tests\]/ -configuration: -- shared -- plain -- minimal -environment: -EXTENDED_TESTS: yes - branches: only: @@ -32,8 +23,6 @@ for: - shared - plain - minimal -environment: -EXTENDED_TESTS: yes before_build: - ps: >- @@ -50,11 +39,11 @@ before_build: } - ps: >- If ($env:Configuration -Match "shared") { -$env:CONFIG_OPTS="" +$env:CONFIG_OPTS="enable-fips" } ElseIf ($env:Configuration -Match "minimal") { $env:CONFIG_OPTS="no-bulk no-asm -DOPENSSL_SMALL_FOOTPRINT" } Else { -$env:CONFIG_OPTS="no-shared" +$env:CONFIG_OPTS="no-fips no-shared" } - call "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Auxiliary\Build\vcvarsall.bat" %VCVARS_PLATFORM% - mkdir _build @@ -80,13 +69,13 @@ build_script: test_script: - cd _build - ps: >- -if ($env:EXTENDED_TESTS) { +if ($env:Configuration -Match "plain") { cmd /c "%NMAKE% test VERBOSE_FAILURE=yes 2>&1" } Else { cmd /c "%NMAKE% test VERBOSE_FAILURE=yes TESTS=-test_fuzz 2>&1" } - ps: >- -if ($env:EXTENDED_TESTS) { +if ($env:Configuration -Match "shared") { mkdir ..\_install cmd /c "%NMAKE% install DESTDIR=..\_install 2>&1" }
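Review bot: In the test_script hunk, `if ($env:Configuration -Match "plain")` is now the only thing that decides whether test_fuzz runs, so the `shared` configuration (which this commit switches to `enable-fips`) and `minimal` always run with `TESTS=-test_fuzz`. With the `[extended tests]` commit-message trigger removed, there is no remaining way to run the fuzz tests against the FIPS-enabled build on this CI. If that trade-off is intended, a comment above the script would record it, for example `# plain: full suite incl. test_fuzz; shared: enable-fips build + install check`. As a style point, `-Match` is a regex substring test, and `-eq "plain"` would state the intent exactly.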
[openssl] master update
The branch master has been updated via 535130c39d33df41b6a7d14302a93ffaa10ebc46 (commit) from 38e12964a62b8bfb54693b92f13642e3c61bd8c4 (commit) - Log - commit 535130c39d33df41b6a7d14302a93ffaa10ebc46 Author: Tomas Mraz Date: Thu Apr 29 15:19:11 2021 +0200 Add -latomic to threads enabled 32bit linux builds It might not be necessary with the most recent toolchain versions but apparently many 32bit linux architectures and commonly used toolchain versions require this. It is also harmless to include even on architectures that do not need it. Fixes #14083 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15086) --- Summary of changes: Configurations/10-main.conf | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index 1e53f20861..8427a561e3 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -675,7 +675,7 @@ my %targets = ( # *-generic* is endian-neutral target, but ./config is free to # throw in -D[BL]_ENDIAN, whichever appropriate... -"linux-generic32" => { +"linux-generic" => { inherit_from => [ "BASE_unix" ], CC => "gcc", CXX => "g++", @@ -697,8 +697,13 @@ my %targets = ( shared_ldflag=> sub { $disabled{pinshared} ? () : "-Wl,-znodelete" }, enable => [ "afalgeng" ], }, +"linux-generic32" => { +inherit_from => [ "linux-generic" ], +ex_libs => add(threads("-latomic")), +bn_ops => "BN_LLONG RC4_CHAR", +}, "linux-generic64" => { -inherit_from => [ "linux-generic32" ], +inherit_from => [ "linux-generic" ], bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR", }, @@ -945,6 +950,7 @@ my %targets = ( cflags => add("-m64 -mcpu=ultrasparc"), cxxflags => add("-m64 -mcpu=ultrasparc"), lib_cppflags => add("-DB_ENDIAN"), +ex_libs => add(threads("-latomic")), bn_ops => "BN_LLONG RC4_CHAR", asm_arch => 'sparcv9', perlasm_scheme => 'void',
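Review bot: The two new `ex_libs => add(threads("-latomic")),` entries have no comment, so the reason for them lives only in the commit message. A line above each would help, such as `# -latomic: needed by many 32-bit linux toolchains when threads are enabled, harmless otherwise`. The second hunk adds the entry to a target built with `-m64 -mcpu=ultrasparc`, which the "32bit" wording of the commit does not obviously cover. That target's `inherit_from` is outside the hunk; if it inherits from "linux-generic32", the library would now be added twice and the explicit entry could be dropped.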
[openssl] master update
The branch master has been updated via 38e12964a62b8bfb54693b92f13642e3c61bd8c4 (commit) from 91034b68b39e3525f09fb263b9272de410a3ba4c (commit) - Log - commit 38e12964a62b8bfb54693b92f13642e3c61bd8c4 Author: Shane Lontis Date: Fri Apr 30 11:45:51 2021 +1000 Fix no-fips-securitychecks test failure Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15091) --- Summary of changes: test/recipes/30-test_evp_data/evppkey_ecdsa.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt index f09edd9032..7202b5ce70 100644 --- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt @@ -210,6 +210,7 @@ Result = DIGESTSIGNINIT_ERROR # Test that SHA1 is not allowed in fips mode for signing Availablein = fips Sign = P-256 +Securitycheck = 1 Ctrl = digest:SHA1 Input = "0123456789ABCDEF1234" Result = PKEY_CTRL_ERROR
Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module
Platform and configuration command: $ uname -a Linux run 5.4.0-72-generic #80-Ubuntu SMP Mon Apr 12 17:35:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: d77ba503a2 Adjust ssl_test_new for SHA1 security level 8ce390e139 Adjust sslapitest for SHA1 security level fdf312709a Adjust dtlstest for SHA1 security level 0f077b5fd8 asn1_lib.c: ASN1_put_object: Remove comment about "class 0". c404e4fab3 Add test case for openssl crl -noout -hash output 872b7979c7 crl: noout is not an output item 3b9e47695f CHANGES: document the FIPS provider configuration and installation f2ea01d9f1 README-FIPS: document the installation of the FIPS provider b2d8c7b6a3 Configure: disable fips mode by default afa0a13c1a Configure: sort the disablables alphabetically d9ce268151 build.info: add the Perl wrapper to build generator programs on Windows 18da9fc31f Configure/Makefile: install the fips provider if it was configured 4e282708c5 Configure/Makefile: don't generate a fresh fipsmodule.cnf when installing it 5b68918185 Configure/Makefile: separate install of the FIPS module c3bda8a2e0 Configure/Makefile: correct the FIPS module configuration file path b6821df0d0 Configure/Makefile: use the correct openssl app for FIPS installation 59cf286919 Configure/Makefile: fix the `-macopt` argument of the fipsinstall command f4585aeca9 runchecker: fix no-sock build by conditioning clean up on the NO_SOCK symbol. 2395ad8079 test: never run fipsinstall if the tests are not enabled. 
3babc1e468 util/add-depends.pl: Adapt to localized /showIncludes output 2e535eb50a Configuration: rework how dependency making is handled 0bd138b8c3 Windows bulding: Make dependency generation not quite as talkative e9b30d9f50 Test a Finished message at the wrong time results in unexpected message f42e68dc47 Defer Finished MAC handling until after state transition 460d2fbcd7 Store the list of activated providers in the libctx 2d5695016d Properly protect access to the provider flag_activated field 98369ef25f Add a threading test for loading/unloading providers 4189dc3782 CMS ESS: Move four internal aux function to where they belong in crypto/cms 176a9a682a TS ESS: Move four internal aux function to where they belong in crypto/ts 1751768cd1 ESS: Export three core functions, clean up TS and CMS CAdES-BES usage 624359374b Skip test_fipsload when fips is disabled. 50c096ebb0 Explicitly enable or disable fips if it is or is not relevant for the test cdf63a3736 Add X509 version constants. d97adfda28 memleaktest with MSVC's AddressSanitizer 67ea4beb94 OPENSSL_sk functions are effectively already documented 5fd7eb5c8a Improve the implementation of X509_STORE_CTX_get1_issuer() e1491a2f15 Add testing for updated cipher IV 8365652287 Use "canonical" names when matching the output of the commands 680dbd16dc Skip GOST engine tests in out of tree builds eaf8a40d97 Prefer fetch over legacy get_digestby/get_cipherby c0a79e9836 Rename some globals, add ossl prefix. e6760e3e84 Add system guessing for linux64-riscv64 target e466dc3646 Test that we don't have a memory leak in d2i_ASN1_OBJECT. 1727465471 ASN1: Ensure that d2i_ASN1_OBJECT() frees the strings on ASN1_OBJECT reuse 94471ccfda add verbosity for pyca job a938f0045e re-add pyca/cryptography testing a09fb26ba9 add wycheproof submodule f2561fa566 updated pyca/cryptography submodule version 3e4981dd59 Avoid #include with inline function on C++Builder c85c5e1a53 Deprecate EVP_PKEY_cmp() and EVP_PKEY_cmp_parameters(). 
990aa405db Doc updates for DH/DSA examples f1ffaaeece Fixes related to separation of DH and DHX types 6c9bc258d2 Add type_name member to provided methods and use it d21224f1ad Documentation fix for openssl-verify certificates Build log ended with (last 100 lines): ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo5.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # -- # Failed test 'popo NONE' # at ../openssl/test/recipes/80-test_cmp_http.t line 145. Warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # cmp_main:../openssl/apps/cmp.c:2582:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2191:CMP warning: -proxy option argument is empty string, resetting option # setup_client_ctx:../openssl/apps/cmp.c:1891:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:167:CMP info: sending IR #
Build completed: openssl master.41920
Build openssl master.41920 completed Commit c230e938c7 by Richard Levitte on 4/30/2021 9:15 AM: CORE: Rework the pre-population of the namemap
Build failed: openssl master.41919
Build openssl master.41919 failed Commit 38230e3011 by Pauli on 4/30/2021 7:51 AM: acvp: fix the no-acvp_test build
[openssl] master update
The branch master has been updated via 91034b68b39e3525f09fb263b9272de410a3ba4c (commit) from 4489655c23f1f7f412309e25a5b9fd7acf7db3f2 (commit) - Log - commit 91034b68b39e3525f09fb263b9272de410a3ba4c Author: Petr Gotthard Date: Sat Apr 24 12:40:36 2021 +0200 apps/ca,req,x509: Switch to EVP_DigestSignInit_ex Switch lib/apps.c do_sign_init() to use EVP_DigestSignInit_ex, so it works with external providers. Since EVP_DigestSignInit_ex requires a digest name instead of an EVP_MD pointer, the apps using do_sign_init() had to be modified to pass char* instead of EVP_MD*. Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/15014) --- Summary of changes: apps/ca.c | 47 +-- apps/include/apps.h | 6 +++--- apps/lib/apps.c | 20 +++- apps/req.c | 19 +-- apps/x509.c | 32 ++-- 5 files changed, 58 insertions(+), 66 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index 2476343fdd..4f125b22a9 100755 --- a/apps/ca.c +++ b/apps/ca.c @@ -90,7 +90,7 @@ static char *lookup_conf(const CONF *conf, const char *group, const char *tag); static int certify(X509 **xret, const char *infile, int informat, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, + const char *dgst, STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(OPENSSL_STRING) *vfyopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db, @@ -102,7 +102,7 @@ static int certify(X509 **xret, const char *infile, int informat, int default_op, int ext_copy, int selfsign); static int certify_cert(X509 **xret, const char *infile, int certformat, const char *passin, EVP_PKEY *pkey, X509 *x509, -const EVP_MD *dgst, +const char *dgst, STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(OPENSSL_STRING) *vfyopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db, 
@@ -112,7 +112,7 @@ static int certify_cert(X509 **xret, const char *infile, int certformat, CONF *conf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey, - X509 *x509, const EVP_MD *dgst, + X509 *x509, const char *dgst, STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, const char *subj, unsigned long chtype, @@ -121,7 +121,7 @@ static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, - const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, + const char *dgst, STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, const char *subj, unsigned long chtype, int multirdn, int email_dn, const char *startdate, const char *enddate, long days, @@ -270,9 +270,9 @@ int ca_main(int argc, char **argv) STACK_OF(OPENSSL_STRING) *sigopts = NULL, *vfyopts = NULL; STACK_OF(X509) *cert_sk = NULL; X509_CRL *crl = NULL; -EVP_MD *dgst = NULL; char *configfile = default_config_file, *section = NULL; -char *md = NULL, *policy = NULL, *keyfile = NULL; +char def_dgst[80] = ""; +char *dgst = NULL, *policy = NULL, *keyfile = NULL; char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL; int certformat = FORMAT_PEM, informat = FORMAT_PEM; const char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL; 
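Review bot: `char def_dgst[80] = "";` in the ca_main declarations adds a fixed-size name buffer with an unexplained length. The code that writes into it is outside the visible hunks. Whatever fills it should be bounded by `sizeof(def_dgst)` rather than a repeated literal, and the declaration deserves a short comment saying what the buffer holds and why 80 bytes is enough. Since `dgst` changes from an `EVP_MD *` to a plain `char *` here, it is also worth stating next to the declaration whether it may point into `def_dgst`, so nobody later frees it or lets it outlive the buffer.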
@@ -291,7 +291,7 @@ int ca_main(int argc, char **argv) int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE; int keyformat = FORMAT_PEM, multirdn = 1, notext = 0, output_der = 0; int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0; -int rand_ser = 0, i, j, selfsign = 0, def_nid, def_ret; +int rand_ser = 0, i, j, selfsign = 0, def_ret; char *crl_lastupdate = NULL, *crl_nextupdate = NULL; long crldays = 0, crlhours = 0, crlsec = 0, days = 0; unsigned long chtype = MBSTRING_ASC, certopt = 0; @@ -358,7 +358,7 @@ opthelp: days = atoi(opt_arg()); break; case OPT_MD: -
[openssl] master update
The branch master has been updated via 4489655c23f1f7f412309e25a5b9fd7acf7db3f2 (commit) from b7f7a15f6ace4e6e25f8222a9996159582983aa8 (commit) - Log - commit 4489655c23f1f7f412309e25a5b9fd7acf7db3f2 Author: Daniel Bevenius Date: Thu Apr 29 14:46:28 2021 +0200 Fix typo in OSSL_DECODER_CTX_set_input_structure Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15085) --- Summary of changes: crypto/encode_decode/decoder_lib.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/encode_decode/decoder_lib.c b/crypto/encode_decode/decoder_lib.c index e37989fec4..45aeb39184 100644 --- a/crypto/encode_decode/decoder_lib.c +++ b/crypto/encode_decode/decoder_lib.c @@ -183,8 +183,8 @@ int OSSL_DECODER_CTX_set_input_structure(OSSL_DECODER_CTX *ctx, } /* - * NULL is a valid starting input type, and means that the caller leaves - * it to code to discover what the starting input type is. + * NULL is a valid starting input structure, and means that the caller + * leaves it to code to discover what the starting input structure is. */ ctx->input_structure = input_structure; return 1;
[openssl] master update
The branch master has been updated via b7f7a15f6ace4e6e25f8222a9996159582983aa8 (commit) from b594a227178ccd812e5bb196bcb59ebc52d538ab (commit) - Log - commit b7f7a15f6ace4e6e25f8222a9996159582983aa8 Author: Richard Levitte Date: Wed Apr 28 09:50:42 2021 +0200 STORE: Fix the repeated prompting of passphrase OSSL_STORE's loading function could prompt repeatedly for the same passphrase. It turns out that OSSL_STORE_load() wasn't caching the passphrase properly. Fixed in this change. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15064) --- Summary of changes: crypto/store/store_lib.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c index 134207d5c2..1a62d7f6ff 100644 --- a/crypto/store/store_lib.c +++ b/crypto/store/store_lib.c @@ -135,7 +135,8 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, } if (ui_method != NULL -&& !ossl_pw_set_ui_method(>pwdata, ui_method, ui_data)) { +&& (!ossl_pw_set_ui_method(>pwdata, ui_method, ui_data) +|| !ossl_pw_enable_passphrase_caching(>pwdata))) { ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_CRYPTO_LIB); goto err; } @@ -413,6 +414,9 @@ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx) goto again; } +/* Clear any internally cached passphrase */ +(void)ossl_pw_clear_passphrase_cache(>pwdata); + if (v != NULL && ctx->expected_type != 0) { int returned_type = OSSL_STORE_INFO_get_type(v);
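Review bot: The passphrase cache that OSSL_STORE_open_ex now enables is cleared at only one point, the line added in OSSL_STORE_load after the `goto again` retry. Any return taken earlier in OSSL_STORE_load (the top of the function is outside the hunk) would leave the passphrase held in the context's pwdata until something else releases it. It is worth confirming that every exit path, and the close path, also clears it. The comment could then state the intended lifetime, for example `/* Clear any internally cached passphrase: it must not outlive a single load call */`. The `(void)` cast also discards the result of ossl_pw_clear_passphrase_cache, so a failure to wipe would go unnoticed if that call can fail.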
[openssl] master update
The branch master has been updated via b594a227178ccd812e5bb196bcb59ebc52d538ab (commit) via 2c181ac5a6fff474bc26bfa93f0c717eebc1ab1b (commit) from c230e938c75c7c2d24b5d1d322a34ec369d92696 (commit) - Log - commit b594a227178ccd812e5bb196bcb59ebc52d538ab Author: Tomas Mraz Date: Wed Apr 28 18:49:33 2021 +0200 SM2 signatures work correctly only with SM3 digests Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15074) commit 2c181ac5a6fff474bc26bfa93f0c717eebc1ab1b Author: Tomas Mraz Date: Wed Apr 28 18:40:37 2021 +0200 sm2: Cleanup handling of DIGEST and DIGEST_SIZE parameters Fixes #14873 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15074) --- Summary of changes: providers/implementations/signature/sm2sig.c | 90 ++- test/recipes/30-test_evp_data/evppkey_sm2.txt | 1 + 2 files changed, 48 insertions(+), 43 deletions(-) diff --git a/providers/implementations/signature/sm2sig.c b/providers/implementations/signature/sm2sig.c index 9016aefc02..8607a8b911 100644 --- a/providers/implementations/signature/sm2sig.c +++ b/providers/implementations/signature/sm2sig.c @@ -25,6 +25,7 @@ #include "internal/nelem.h" #include "internal/sizes.h" #include "internal/cryptlib.h" +#include "internal/sm3.h" #include "prov/implementations.h" #include "prov/provider_ctx.h" #include "crypto/ec.h" @@ -63,13 +64,6 @@ typedef struct { char *propq; EC_KEY *ec; -/* - * Flag to determine if the hash function can be changed (1) or not (0) - * Because it's dangerous to change during a DigestSign or DigestVerify - * operation, this flag is cleared by their Init function, and set again - * by their Final function. - */ -unsigned int flag_allow_md : 1; /* * Flag to termine if the 'z' digest needs to be computed and fed to the * hash function. 
@@ -95,6 +89,21 @@ typedef struct { size_t id_len; } PROV_SM2_CTX; +static int sm2sig_set_mdname(PROV_SM2_CTX *psm2ctx, const char *mdname) +{ +if (psm2ctx->md == NULL) /* We need an SM3 md to compare with */ +psm2ctx->md = EVP_MD_fetch(psm2ctx->libctx, psm2ctx->mdname, + psm2ctx->propq); +if (psm2ctx->md == NULL +|| strlen(mdname) >= sizeof(psm2ctx->mdname) +|| !EVP_MD_is_a(psm2ctx->md, mdname)) { +return 0; +} + +OPENSSL_strlcpy(psm2ctx->mdname, mdname, sizeof(psm2ctx->mdname)); +return 1; +} + static void *sm2sig_newctx(void *provctx, const char *propq) { PROV_SM2_CTX *ctx = OPENSSL_zalloc(sizeof(PROV_SM2_CTX)); @@ -108,8 +117,8 @@ static void *sm2sig_newctx(void *provctx, const char *propq) ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return NULL; } -/* don't allow to change MD, and in fact there is no such need */ -ctx->flag_allow_md = 0; +ctx->mdsize = SM3_DIGEST_LENGTH; +strcpy(ctx->mdname, OSSL_DIGEST_NAME_SM3); return ctx; } @@ -170,28 +179,27 @@ static void free_md(PROV_SM2_CTX *ctx) EVP_MD_free(ctx->md); ctx->mdctx = NULL; ctx->md = NULL; -ctx->mdsize = 0; } static int sm2sig_digest_signverify_init(void *vpsm2ctx, const char *mdname, void *ec, const OSSL_PARAM params[]) { PROV_SM2_CTX *ctx = (PROV_SM2_CTX *)vpsm2ctx; -int md_nid = NID_sm3; +int md_nid; WPACKET pkt; int ret = 0; -free_md(ctx); - -if (!sm2sig_signature_init(vpsm2ctx, ec, params)) +if (!sm2sig_signature_init(vpsm2ctx, ec, params) +|| !sm2sig_set_mdname(ctx, mdname)) return ret; -ctx->md = EVP_MD_fetch(ctx->libctx, mdname, ctx->propq); -ctx->mdsize = EVP_MD_size(ctx->md); +EVP_MD_CTX_free(ctx->mdctx); ctx->mdctx = EVP_MD_CTX_new(); if (ctx->mdctx == NULL) goto error; +md_nid = EVP_MD_type(ctx->md); + /* * We do not care about DER writing errors. * All it really means is that for some reason, there's no 
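Review bot: sm2sig_set_mdname() calls `strlen(mdname)` without checking `mdname` for NULL, and sm2sig_digest_signverify_init() in the later hunk passes its caller's `mdname` straight through. If an operation can be initialised without naming a digest, this dereferences NULL. Because the context now defaults to SM3, the check could be split so that `if (psm2ctx->md == NULL) return 0;` is followed by `if (mdname == NULL) return 1;` before the length and EVP_MD_is_a tests. The rejection path returns 0 without raising an error, so a caller asking for a non-SM3 digest gets nothing on the error queue. In sm2sig_newctx, `strcpy(ctx->mdname, OSSL_DIGEST_NAME_SM3);` would be more consistent with the helper as `OPENSSL_strlcpy(ctx->mdname, OSSL_DIGEST_NAME_SM3, sizeof(ctx->mdname));`.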
@@ -285,10 +293,11 @@ int sm2sig_digest_verify_final(void *vpsm2ctx, const unsigned char *sig, unsigned char digest[EVP_MAX_MD_SIZE]; unsigned int dlen = 0; -if (psm2ctx == NULL || psm2ctx->mdctx == NULL) +if (psm2ctx == NULL +|| psm2ctx->mdctx == NULL +|| EVP_MD_size(psm2ctx->md) > (int)sizeof(digest)) return 0; -/* SM2 always use SM3 so it's not possible to exceed the limit */ if (!(sm2sig_compute_z_digest(psm2ctx) && EVP_DigestFinal_ex(psm2ctx->mdctx, digest, ))) return 0; @@ -392,7 +401,7 @@ static int sm2sig_set_ctx_params(void *vpsm2ctx, const OSSL_PARAM params[]) { PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx; const OSSL_PARAM *p; -char *mdname; +
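Review bot: The new bound in sm2sig_digest_verify_final, `EVP_MD_size(psm2ctx->md) > (int)sizeof(digest)`, rejects only sizes that are too large, so a negative return, which is how EVP_MD_size reports failure, passes the test. Reading the size into a local and rejecting `<= 0` as well would close that gap, as would testing `psm2ctx->md == NULL` alongside the existing `mdctx` check. The removed comment explained why the buffer could not be exceeded. A replacement such as `/* md is checked to be SM3 at init; this bound is defence in depth */` would tell the reader why the check remains.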
[openssl] master update
The branch master has been updated via c230e938c75c7c2d24b5d1d322a34ec369d92696 (commit) via e73fc81345ae2cdcc4be55768345d8a00fed6453 (commit) from 38230e30118e434ca1c41d05d03fe2c41042d97d (commit) - Log - commit c230e938c75c7c2d24b5d1d322a34ec369d92696 Author: Richard Levitte Date: Wed Apr 28 21:28:11 2021 +0200 CORE: Rework the pre-population of the namemap The pre-population of names has become more thorough. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15066) commit e73fc81345ae2cdcc4be55768345d8a00fed6453 Author: Richard Levitte Date: Wed Apr 28 11:02:36 2021 +0200 STORE: Use the 'expect' param to limit the amount of decoders used In the provider file: scheme loader implementation, the OSSL_DECODER_CTX was set up with all sorts of implementations, even if the caller has declared a limited expectation on what should be loaded, which means that even though a certificate is expected, all the diverse decoders to produce an EVP_PKEY are added to the decoding change. This optimization looks more closely at the expected type, and only adds the EVP_PKEY related decoder implementations to the chain if there is no expectation, or if the expectation is one of OSSL_STORE_INFO_PARAMS, OSSL_STORE_INFO_PUBKEY, OSSL_STORE_INFO_PKEY. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15066) --- Summary of changes: crypto/core_namemap.c| 71 +++- providers/implementations/storemgmt/file_store.c | 14 +++-- 2 files changed, 41 insertions(+), 44 deletions(-) diff --git a/crypto/core_namemap.c b/crypto/core_namemap.c index daf22c3af2..1009fb1e94 100644 --- a/crypto/core_namemap.c +++ b/crypto/core_namemap.c 
@@ -379,66 +379,62 @@ int ossl_namemap_add_names(OSSL_NAMEMAP *namemap, int number, #include /* Creates an initial namemap with names found in the legacy method db */ -static void get_legacy_evp_names(const char *name, const char *desc, - const ASN1_OBJECT *obj, void *arg) +static void get_legacy_evp_names(int base_nid, int nid, const char *pem_name, + void *arg) { -int num = ossl_namemap_add_name(arg, 0, name); +int num = 0; +ASN1_OBJECT *obj; -/* - * We currently treat the description ("long name" in OBJ speak) as an - * alias. - */ - -/* - * We could check that the returned value is the same as id, but since - * this is a void function, there's no sane way to report the error. - * The best we can do is trust ourselve to keep the legacy method - * database conflict free. - * - * This registers any alias with the same number as the main name. - * Should it be that the current |on| *has* the main name, this is - * simply a no-op. - */ -if (desc != NULL) { -(void)ossl_namemap_add_name(arg, num, desc); +if (base_nid != NID_undef) { +num = ossl_namemap_add_name(arg, num, OBJ_nid2sn(base_nid)); +num = ossl_namemap_add_name(arg, num, OBJ_nid2ln(base_nid)); } -if (obj != NULL) { -char txtoid[OSSL_MAX_NAME_SIZE]; +if (nid != NID_undef) { +num = ossl_namemap_add_name(arg, num, OBJ_nid2sn(nid)); +num = ossl_namemap_add_name(arg, num, OBJ_nid2ln(nid)); +if ((obj = OBJ_nid2obj(nid)) != NULL) { +char txtoid[OSSL_MAX_NAME_SIZE]; -if (OBJ_obj2txt(txtoid, sizeof(txtoid), obj, 1)) -(void)ossl_namemap_add_name(arg, num, txtoid); +if (OBJ_obj2txt(txtoid, sizeof(txtoid), obj, 1)) +num = ossl_namemap_add_name(arg, num, txtoid); +} } +if (pem_name != NULL) +num = ossl_namemap_add_name(arg, num, pem_name); } static void get_legacy_cipher_names(const OBJ_NAME *on, void *arg) { const EVP_CIPHER *cipher = (void *)OBJ_NAME_get(on->name, on->type); -int nid = EVP_CIPHER_type(cipher); -get_legacy_evp_names(OBJ_nid2sn(nid), OBJ_nid2ln(nid), OBJ_nid2obj(nid), - arg); 
+get_legacy_evp_names(NID_undef, EVP_CIPHER_type(cipher), NULL, arg); } static void get_legacy_md_names(const OBJ_NAME *on, void *arg) { const EVP_MD *md = (void *)OBJ_NAME_get(on->name, on->type); -int nid = EVP_MD_type(md); -get_legacy_evp_names(OBJ_nid2sn(nid), OBJ_nid2ln(nid), OBJ_nid2obj(nid), - arg); +get_legacy_evp_names(0, EVP_MD_type(md), NULL, arg); } static void get_legacy_pkey_meth_names(const EVP_PKEY_ASN1_METHOD *ameth, void *arg) { int nid = 0, base_nid = 0, flags = 0; +const char *pem_name = NULL; -EVP_PKEY_asn1_get0_info(, _nid, , NULL, NULL, ameth); +
[openssl] master update
The branch master has been updated via 38230e30118e434ca1c41d05d03fe2c41042d97d (commit) from 455f2542526ba3aa0db16dc8c4a5289d7f3e6b50 (commit) - Log - commit 38230e30118e434ca1c41d05d03fe2c41042d97d Author: Pauli Date: Thu Apr 29 12:38:23 2021 +1000 acvp: fix the no-acvp_test build A pair of the disabled string checks were incorrect. Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/15082) --- Summary of changes: Configure | 2 +- INSTALL.md | 2 +- test/build.info | 6 -- test/recipes/30-test_acvp.t | 2 +- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/Configure b/Configure index 83c9a6f382..7acbbc56b9 100755 --- a/Configure +++ b/Configure @@ -379,7 +379,7 @@ my @dtls = qw(dtls1 dtls1_2); # For developers: keep it sorted alphabetically my @disablables = ( -"acvp_tests", +"acvp-tests", "afalgeng", "aria", "asan", diff --git a/INSTALL.md b/INSTALL.md index f9b065d764..9414556427 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -521,7 +521,7 @@ never be used in production environments. It will only work when used with gcc or clang and should be used in conjunction with the [no-shared](#no-shared) option. -### no-acvp_tests +### no-acvp-tests Do not build support for Automated Cryptographic Validation Protocol (ACVP) tests. diff --git a/test/build.info b/test/build.info index 8043f0d3be..98b94801e1 100644 --- a/test/build.info +++ b/test/build.info @@ -34,7 +34,7 @@ IF[{- !$disabled{tests} -}] destest mdc2test \ exptest \ evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \ - evp_fetch_prov_test acvp_test evp_libctx_test ossl_store_test \ + evp_fetch_prov_test evp_libctx_test ossl_store_test \ v3nametest v3ext \ evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \ evp_fetch_prov_test v3nametest v3ext \ 
@@ -159,7 +159,9 @@ IF[{- !$disabled{tests} -}] INCLUDE[evp_pkey_provided_test]=../include ../apps/include DEPEND[evp_pkey_provided_test]=../libcrypto.a libtestutil.a - IF[{- !$disabled{acvp-tests} -}] + IF[{- !$disabled{'acvp-tests'} -}] +PROGRAMS{noinst}=acvp_test + SOURCE[acvp_test]=acvp_test.c INCLUDE[acvp_test]=../include ../apps/include DEPEND[acvp_test]=../libcrypto.a libtestutil.a diff --git a/test/recipes/30-test_acvp.t b/test/recipes/30-test_acvp.t index 8f36325f21..566c59d78e 100644 --- a/test/recipes/30-test_acvp.t +++ b/test/recipes/30-test_acvp.t @@ -19,7 +19,7 @@ setup("test_acvp"); my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); plan skip_all => "ACVP is not supported by this test" -if $no_fips || disabled("acvp_tests"); +if $no_fips || disabled("acvp-tests"); use lib srctop_dir('Configurations'); use lib bldtop_dir('.');
[openssl] master update
The branch master has been updated via 455f2542526ba3aa0db16dc8c4a5289d7f3e6b50 (commit) via 857c223bf73f6d3ec91567cf341c5267392a3e66 (commit) via e9d62da6c305d947530d91e412fdb21a8d8e3510 (commit) from 9ac653d81a857a5452f9f25278a24e1dfb226905 (commit) - Log - commit 455f2542526ba3aa0db16dc8c4a5289d7f3e6b50 Author: Shane Lontis Date: Wed Apr 28 17:51:15 2021 +1000 Update OSSL_STORE_attach() documentation to indicate it increases the ref_count of the passed in bio Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15058) commit 857c223bf73f6d3ec91567cf341c5267392a3e66 Author: Shane Lontis Date: Wed Apr 28 17:22:50 2021 +1000 Fix memory leak in load_key_certs_crls() when using stdin. A newly created BIO object within this function calls OSSL_STORE_attach() which increases the ref count to 2. OSSL_STORE_close() then decrements the ref count by 1, so the BIO still remains. The following new test was picking up this leak using.. > valgrind openssl crl -hash -noout < test/testcrl.pem Not quite sure why the existing tests were not picking this up since they appear to run through a similiar path.. such as > valgrind openssl pkey < test-runs/test_rsa/rsa-pkcs8-ff.dd Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15058) commit e9d62da6c305d947530d91e412fdb21a8d8e3510 Author: Shane Lontis Date: Wed Apr 28 12:51:49 2021 +1000 Fix CRL app so that stdin works. Fixes #15031 The maybe_stdin needed to be passed to load_key_certs_crls(). Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15058) --- Summary of changes: apps/crl.c | 6 +++--- apps/include/apps.h| 2 +- apps/lib/apps.c| 12 +++- apps/s_client.c| 2 +- apps/s_server.c| 2 +- doc/man3/OSSL_STORE_attach.pod | 5 +++-- test/recipes/25-test_crl.t | 17 - 7 files changed, 32 insertions(+), 14 deletions(-) diff --git a/apps/crl.c b/apps/crl.c index fbdd2a896c..8a0dc3605d 100644 
--- a/apps/crl.c +++ b/apps/crl.c @@ -211,7 +211,7 @@ int crl_main(int argc, char **argv) if (!opt_md(digestname, )) goto opthelp; } -x = load_crl(infile, "CRL"); +x = load_crl(infile, 1, "CRL"); if (x == NULL) goto end; @@ -250,13 +250,13 @@ int crl_main(int argc, char **argv) BIO_printf(bio_err, "verify OK\n"); } -if (crldiff) { +if (crldiff != NULL) { X509_CRL *newcrl, *delta; if (!keyfile) { BIO_puts(bio_err, "Missing CRL signing key\n"); goto end; } -newcrl = load_crl(crldiff, "other CRL"); +newcrl = load_crl(crldiff, 0, "other CRL"); if (!newcrl) goto end; pkey = load_key(keyfile, keyformat, 0, NULL, NULL, "CRL signing key"); diff --git a/apps/include/apps.h b/apps/include/apps.h index 2d102246f8..9532d396eb 100644 --- a/apps/include/apps.h +++ b/apps/include/apps.h @@ -111,7 +111,7 @@ X509_REQ *load_csr(const char *file, int format, const char *desc); X509 *load_cert_pass(const char *uri, int maybe_stdin, const char *pass, const char *desc); #define load_cert(uri, desc) load_cert_pass(uri, 1, NULL, desc) -X509_CRL *load_crl(const char *uri, const char *desc); +X509_CRL *load_crl(const char *uri, int maybe_stdin, const char *desc); void cleanse(char *str); void clear_free(char *str); EVP_PKEY *load_key(const char *uri, int format, int maybe_stdin, diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 4b7b38cf5c..d715e25ff1 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -499,7 +499,7 @@ X509 *load_cert_pass(const char *uri, int maybe_stdin, return cert; } -X509_CRL *load_crl(const char *uri, const char *desc) +X509_CRL *load_crl(const char *uri, int maybe_stdin, const char *desc) { X509_CRL *crl = NULL; 
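Review bot: The new `maybe_stdin` argument of load_crl is passed as bare `1` and `0` in crl_main, and the prototype in apps/include/apps.h has no comment. Nothing therefore records why `infile` may fall back to standard input while `crldiff` must not. A line above the prototype would cover it, for example `/* maybe_stdin != 0: read from stdin when no uri is given */`, assuming that is the rule load_key_certs_crls applies (its condition is outside the visible hunks). In the same crl.c hunk, `if (crldiff != NULL)` was made explicit while `if (!keyfile)` and `if (!newcrl)` directly below keep the old form.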
@@ -510,7 +510,7 @@ X509_CRL *load_crl(const char *uri, const char *desc) else if (IS_HTTP(uri)) crl = X509_CRL_load_http(uri, NULL, NULL, 0 /* timeout */); else -(void)load_key_certs_crls(uri, 0, NULL, desc, +(void)load_key_certs_crls(uri, maybe_stdin, NULL, desc, NULL, NULL, NULL, NULL, NULL, , NULL); if (crl == NULL) { BIO_printf(bio_err, "Unable to load %s\n", desc); @@ -924,9 +924,11 @@ int load_key_certs_crls(const char *uri, int maybe_stdin, uri = ""; unbuffer(stdin); bio = BIO_new_fp(stdin, 0); -if (bio != NULL) +if (bio != NULL) { ctx =