[tools] master update

2021-04-30 Thread Dr . Paul Dale
The branch master has been updated
   via  fa7b4ef4e67bb944a40c83539b216c398426bfc1 (commit)
  from  ee7da65b64a2409255d9effb751b4082642e3d39 (commit)


- Log -
commit fa7b4ef4e67bb944a40c83539b216c398426bfc1
Author: Pauli 
Date:   Fri Apr 30 09:56:39 2021 +1000

Add additional run-checker no-XXX options.

There were a number of options missing:

no-autoload-config
no-buildtest-c++
no-bulk
no-cmp
no-ktls
no-module
no-padlockeng
no-pinshared
no-secure-memory
no-siv
no-uplink
enable-acvp-tests
enable-fips
enable-fips no-fips-securitychecks

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/tools/pull/84)

---

Summary of changes:
 run-checker/run-checker.sh | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/run-checker/run-checker.sh b/run-checker/run-checker.sh
index 05d6332..b59283c 100755
--- a/run-checker/run-checker.sh
+++ b/run-checker/run-checker.sh
@@ -43,7 +43,11 @@ enable-unit-test no-whirlpool enable-weak-ssl-ciphers 
enable-zlib
 enable-zlib-dynamic 386 no-dtls no-tls no-ssl3 no-tls1 no-tls1_1 no-tls1_2
 no-dtls1 no-dtls1_2 no-ssl3-method no-tls1-method no-tls1_1-method
 no-tls1_2-method no-dtls1-method no-dtls1_2-method no-siphash no-tls1_3 no-sm2
-no-sm3 no-sm4 enable-trace no-legacy no-cached-fetch)
+no-sm3 no-sm4 enable-trace no-legacy no-cached-fetch no-autoload-config
+'no-buildtest-c++' no-bulk no-cmp no-ktls no-module no-padlockeng
+no-pinshared no-secure-memory no-siv no-uplink enable-acvp-tests enable-fips
+'enable-fips no-fips-securitychecks'
+)
 
 run-hook () {
 local hookname=$1; shift
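Review bot: The new entry `'enable-fips no-fips-securitychecks'` packs two Configure options into one array element, unlike every other entry in this list. It produces the intended build only if the code that consumes the array (outside this hunk) expands each element unquoted so that it word-splits; a quoted expansion would pass one bogus argument containing a space. A short comment above the entry would make that dependency explicit, for example `# quoted multi-word entries are one combined configuration; the consumer must word-split them`.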


[openssl] master update

2021-04-30 Thread Dr . Paul Dale
The branch master has been updated
   via  39da32729401110572da1782c80bef39c6f3f64b (commit)
  from  535130c39d33df41b6a7d14302a93ffaa10ebc46 (commit)


- Log -
commit 39da32729401110572da1782c80bef39c6f3f64b
Author: Tomas Mraz 
Date:   Thu Apr 29 16:32:59 2021 +0200

Simplify AppVeyor configuration

Adjust the stuff we are building and testing in various
configurations to trim the run time a little bit.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/15087)

---

Summary of changes:
 appveyor.yml | 19 ---
 1 file changed, 4 insertions(+), 15 deletions(-)

diff --git a/appveyor.yml b/appveyor.yml
index 20d81c1b12..9bb6f04e0a 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -15,15 +15,6 @@ configuration:
 - minimal
 
 for:
--
-only_commits:
-message: /\[extended tests\]/
-configuration:
-- shared
-- plain
-- minimal
-environment:
-EXTENDED_TESTS: yes
 -
 branches:
 only:
@@ -32,8 +23,6 @@ for:
 - shared
 - plain
 - minimal
-environment:
-EXTENDED_TESTS: yes
 
 before_build:
 - ps: >-
@@ -50,11 +39,11 @@ before_build:
 }
 - ps: >-
 If ($env:Configuration -Match "shared") {
-$env:CONFIG_OPTS=""
+$env:CONFIG_OPTS="enable-fips"
 } ElseIf ($env:Configuration -Match "minimal") {
 $env:CONFIG_OPTS="no-bulk no-asm -DOPENSSL_SMALL_FOOTPRINT"
 } Else {
-$env:CONFIG_OPTS="no-shared"
+$env:CONFIG_OPTS="no-fips no-shared"
 }
 - call "C:\Program Files (x86)\Microsoft Visual 
Studio\2017\Community\VC\Auxiliary\Build\vcvarsall.bat" %VCVARS_PLATFORM%
 - mkdir _build
@@ -80,13 +69,13 @@ build_script:
 test_script:
 - cd _build
 - ps: >-
-if ($env:EXTENDED_TESTS) {
+if ($env:Configuration -Match "plain") {
 cmd /c "%NMAKE% test VERBOSE_FAILURE=yes 2>&1"
 } Else {
 cmd /c "%NMAKE% test VERBOSE_FAILURE=yes TESTS=-test_fuzz 2>&1"
 }
 - ps: >-
-if ($env:EXTENDED_TESTS) {
+if ($env:Configuration -Match "shared") {
 mkdir ..\_install
 cmd /c "%NMAKE% install DESTDIR=..\_install 2>&1"
 }
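Review bot: The two new conditions, `$env:Configuration -Match "plain"` and `$env:Configuration -Match "shared"`, are regex substring tests, so a configuration later named, say, `plain-asan` or `no-shared` would silently pick up the full test run or the install step. An exact comparison states the intent: `if ($env:Configuration -eq "plain") {`. With the hunk at -50 giving `shared` the `enable-fips` option and `plain` the `no-fips` option, the FIPS-enabled build is always run with `TESTS=-test_fuzz`; if that is a deliberate trade-off for run time, a one-line comment in `test_script` would record it.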


[openssl] master update

2021-04-30 Thread Dr . Paul Dale
The branch master has been updated
   via  535130c39d33df41b6a7d14302a93ffaa10ebc46 (commit)
  from  38e12964a62b8bfb54693b92f13642e3c61bd8c4 (commit)


- Log -
commit 535130c39d33df41b6a7d14302a93ffaa10ebc46
Author: Tomas Mraz 
Date:   Thu Apr 29 15:19:11 2021 +0200

Add -latomic to threads enabled 32bit linux builds

It might not be necessary with the most recent toolchain versions
but apparently many 32bit linux architectures and commonly used
toolchain versions require this.

It is also harmless to include even on architectures that do not
need it.

Fixes #14083

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/15086)

---

Summary of changes:
 Configurations/10-main.conf | 10 --
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
index 1e53f20861..8427a561e3 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -675,7 +675,7 @@ my %targets = (
 
 # *-generic* is endian-neutral target, but ./config is free to
 # throw in -D[BL]_ENDIAN, whichever appropriate...
-"linux-generic32" => {
+"linux-generic" => {
 inherit_from => [ "BASE_unix" ],
 CC   => "gcc",
 CXX  => "g++",
@@ -697,8 +697,13 @@ my %targets = (
 shared_ldflag=> sub { $disabled{pinshared} ? () : "-Wl,-znodelete" 
},
 enable   => [ "afalgeng" ],
 },
+"linux-generic32" => {
+inherit_from => [ "linux-generic" ],
+ex_libs  => add(threads("-latomic")),
+bn_ops   => "BN_LLONG RC4_CHAR",
+},
 "linux-generic64" => {
-inherit_from => [ "linux-generic32" ],
+inherit_from => [ "linux-generic" ],
 bn_ops   => "SIXTY_FOUR_BIT_LONG RC4_CHAR",
 },
 
@@ -945,6 +950,7 @@ my %targets = (
 cflags   => add("-m64 -mcpu=ultrasparc"),
 cxxflags => add("-m64 -mcpu=ultrasparc"),
 lib_cppflags => add("-DB_ENDIAN"),
+ex_libs  => add(threads("-latomic")),
 bn_ops   => "BN_LLONG RC4_CHAR",
 asm_arch => 'sparcv9',
 perlasm_scheme   => 'void',
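Review bot: The `ex_libs => add(threads("-latomic"))` line added in this hunk lands in a target whose flags are `-m64 -mcpu=ultrasparc`, yet the commit title and description only talk about 32-bit linux builds. If that target really needs libatomic, the reason deserves a comment; if the line was meant for the 32-bit sibling target, it is in the wrong entry (the target name is outside the hunk, so this cannot be confirmed from here). The same line in the new `linux-generic32` entry (hunk at -697) also has no explanation; something like `# many 32-bit linux toolchains need -latomic when threads are enabled; harmless elsewhere` would carry the commit message's reasoning into the file.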


[openssl] master update

2021-04-30 Thread Dr . Paul Dale
The branch master has been updated
   via  38e12964a62b8bfb54693b92f13642e3c61bd8c4 (commit)
  from  91034b68b39e3525f09fb263b9272de410a3ba4c (commit)


- Log -
commit 38e12964a62b8bfb54693b92f13642e3c61bd8c4
Author: Shane Lontis 
Date:   Fri Apr 30 11:45:51 2021 +1000

Fix no-fips-securitychecks test failure

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/15091)

---

Summary of changes:
 test/recipes/30-test_evp_data/evppkey_ecdsa.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt 
b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
index f09edd9032..7202b5ce70 100644
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
@@ -210,6 +210,7 @@ Result = DIGESTSIGNINIT_ERROR
 # Test that SHA1 is not allowed in fips mode for signing
 Availablein = fips
 Sign = P-256
+Securitycheck = 1
 Ctrl = digest:SHA1
 Input = "0123456789ABCDEF1234"
 Result = PKEY_CTRL_ERROR


Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module

2021-04-30 Thread OpenSSL run-checker
Platform and configuration command:

$ uname -a
Linux run 5.4.0-72-generic #80-Ubuntu SMP Mon Apr 12 17:35:00 UTC 2021 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module

Commit log since last time:

d77ba503a2 Adjust ssl_test_new for SHA1 security level
8ce390e139 Adjust sslapitest for SHA1 security level
fdf312709a Adjust dtlstest for SHA1 security level
0f077b5fd8 asn1_lib.c: ASN1_put_object: Remove comment about "class 0".
c404e4fab3 Add test case for openssl crl -noout -hash output
872b7979c7 crl: noout is not an output item
3b9e47695f CHANGES: document the FIPS provider configuration and installation
f2ea01d9f1 README-FIPS: document the installation of the FIPS provider
b2d8c7b6a3 Configure: disable fips mode by default
afa0a13c1a Configure: sort the disablables alphabetically
d9ce268151 build.info: add the Perl wrapper to build generator programs on 
Windows
18da9fc31f Configure/Makefile: install the fips provider if it was configured
4e282708c5 Configure/Makefile: don't generate a fresh fipsmodule.cnf when 
installing it
5b68918185 Configure/Makefile: separate install of the FIPS module
c3bda8a2e0 Configure/Makefile: correct the FIPS module configuration file path
b6821df0d0 Configure/Makefile: use the correct openssl app for FIPS installation
59cf286919 Configure/Makefile: fix the `-macopt` argument of the fipsinstall 
command
f4585aeca9 runchecker: fix no-sock build by conditioning clean up on the 
NO_SOCK symbol.
2395ad8079 test: never run fipsinstall if the tests are not enabled.
3babc1e468 util/add-depends.pl: Adapt to localized /showIncludes output
2e535eb50a Configuration: rework how dependency making is handled
0bd138b8c3 Windows bulding: Make dependency generation not quite as talkative
e9b30d9f50 Test a Finished message at the wrong time results in unexpected 
message
f42e68dc47 Defer Finished MAC handling until after state transition
460d2fbcd7 Store the list of activated providers in the libctx
2d5695016d Properly protect access to the provider flag_activated field
98369ef25f Add a threading test for loading/unloading providers
4189dc3782 CMS ESS: Move four internal aux function to where they belong in 
crypto/cms
176a9a682a TS ESS: Move four internal aux function to where they belong in 
crypto/ts
1751768cd1 ESS: Export three core functions, clean up TS and CMS CAdES-BES usage
624359374b Skip test_fipsload when fips is disabled.
50c096ebb0 Explicitly enable or disable fips if it is or is not relevant for 
the test
cdf63a3736 Add X509 version constants.
d97adfda28 memleaktest with MSVC's AddressSanitizer
67ea4beb94 OPENSSL_sk functions are effectively already documented
5fd7eb5c8a Improve the implementation of X509_STORE_CTX_get1_issuer()
e1491a2f15 Add testing for updated cipher IV
8365652287 Use "canonical" names when matching the output of the commands
680dbd16dc Skip GOST engine tests in out of tree builds
eaf8a40d97 Prefer fetch over legacy get_digestby/get_cipherby
c0a79e9836 Rename some globals, add ossl prefix.
e6760e3e84 Add system guessing for linux64-riscv64 target
e466dc3646 Test that we don't have a memory leak in d2i_ASN1_OBJECT.
1727465471 ASN1: Ensure that d2i_ASN1_OBJECT() frees the strings on ASN1_OBJECT 
reuse
94471ccfda add verbosity for pyca job
a938f0045e re-add pyca/cryptography testing
a09fb26ba9 add wycheproof submodule
f2561fa566 updated pyca/cryptography submodule version
3e4981dd59 Avoid #include with inline function on C++Builder
c85c5e1a53 Deprecate EVP_PKEY_cmp() and EVP_PKEY_cmp_parameters().
990aa405db Doc updates for DH/DSA examples
f1ffaaeece Fixes related to separation of DH and DHX types
6c9bc258d2 Add type_name member to provided methods and use it
d21224f1ad Documentation fix for openssl-verify certificates

Build log ended with (last 100 lines):

../../../../../enable-fuzz-afl/util/wrap.pl 
../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf 
-section 'Mock enrollment' -certout 
../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.cert.pem -proxy '' 
-no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 
-certout 
../../../../../enable-fuzz-afl/test-runs/test_cmp_http/test.certout_popo5.pem 
-out_trusted root.crt => 0
not ok 47 - popo NONE
# --
#   Failed test 'popo NONE'
#   at ../openssl/test/recipes/80-test_cmp_http.t line 145.
Warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a 
CA cert
# cmp_main:../openssl/apps/cmp.c:2582:CMP info: using section(s) 'Mock 
enrollment' of OpenSSL configuration file '../Mock/test.cnf'
# opt_str:../openssl/apps/cmp.c:2191:CMP warning: -proxy option argument is 
empty string, resetting option
# setup_client_ctx:../openssl/apps/cmp.c:1891:CMP info: will contact 
http://127.0.0.1:1700/pkix/
# send_receive_check:../openssl/crypto/cmp/cmp_client.c:167:CMP info: sending IR
# 

Build completed: openssl master.41920

2021-04-30 Thread AppVeyor


Build openssl master.41920 completed



Commit c230e938c7 by Richard Levitte on 4/30/2021 9:15 AM:

CORE: Rework the pre-population of the namemap





Build failed: openssl master.41919

2021-04-30 Thread AppVeyor



Build openssl master.41919 failed


Commit 38230e3011 by Pauli on 4/30/2021 7:51 AM:

acvp: fix the no-acvp_test build





[openssl] master update

2021-04-30 Thread beldmit
The branch master has been updated
   via  91034b68b39e3525f09fb263b9272de410a3ba4c (commit)
  from  4489655c23f1f7f412309e25a5b9fd7acf7db3f2 (commit)


- Log -
commit 91034b68b39e3525f09fb263b9272de410a3ba4c
Author: Petr Gotthard 
Date:   Sat Apr 24 12:40:36 2021 +0200

apps/ca,req,x509: Switch to EVP_DigestSignInit_ex

Switch lib/apps.c do_sign_init() to use EVP_DigestSignInit_ex, so it
works with external providers.
Since EVP_DigestSignInit_ex requires a digest name instead of
an EVP_MD pointer, the apps using do_sign_init() had to be modified
to pass char* instead of EVP_MD*.

Reviewed-by: Tomas Mraz 
Reviewed-by: Dmitry Belyavskiy 
(Merged from https://github.com/openssl/openssl/pull/15014)

---

Summary of changes:
 apps/ca.c   | 47 +--
 apps/include/apps.h |  6 +++---
 apps/lib/apps.c | 20 +++-
 apps/req.c  | 19 +--
 apps/x509.c | 32 ++--
 5 files changed, 58 insertions(+), 66 deletions(-)

diff --git a/apps/ca.c b/apps/ca.c
index 2476343fdd..4f125b22a9 100755
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -90,7 +90,7 @@ static char *lookup_conf(const CONF *conf, const char *group, 
const char *tag);
 
 static int certify(X509 **xret, const char *infile, int informat,
EVP_PKEY *pkey, X509 *x509,
-   const EVP_MD *dgst,
+   const char *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(OPENSSL_STRING) *vfyopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
@@ -102,7 +102,7 @@ static int certify(X509 **xret, const char *infile, int 
informat,
int default_op, int ext_copy, int selfsign);
 static int certify_cert(X509 **xret, const char *infile, int certformat,
 const char *passin, EVP_PKEY *pkey, X509 *x509,
-const EVP_MD *dgst,
+const char *dgst,
 STACK_OF(OPENSSL_STRING) *sigopts,
 STACK_OF(OPENSSL_STRING) *vfyopts,
 STACK_OF(CONF_VALUE) *policy, CA_DB *db,
@@ -112,7 +112,7 @@ static int certify_cert(X509 **xret, const char *infile, 
int certformat,
 CONF *conf, int verbose, unsigned long certopt,
 unsigned long nameopt, int default_op, int ext_copy);
 static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey,
- X509 *x509, const EVP_MD *dgst,
+ X509 *x509, const char *dgst,
  STACK_OF(OPENSSL_STRING) *sigopts,
  STACK_OF(CONF_VALUE) *policy, CA_DB *db,
  BIGNUM *serial, const char *subj, unsigned long 
chtype,
@@ -121,7 +121,7 @@ static int certify_spkac(X509 **xret, const char *infile, 
EVP_PKEY *pkey,
  int verbose, unsigned long certopt,
  unsigned long nameopt, int default_op, int ext_copy);
 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
-   const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
+   const char *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,
const char *subj, unsigned long chtype, int multirdn,
int email_dn, const char *startdate, const char *enddate, 
long days,
@@ -270,9 +270,9 @@ int ca_main(int argc, char **argv)
 STACK_OF(OPENSSL_STRING) *sigopts = NULL, *vfyopts = NULL;
 STACK_OF(X509) *cert_sk = NULL;
 X509_CRL *crl = NULL;
-EVP_MD *dgst = NULL;
 char *configfile = default_config_file, *section = NULL;
-char *md = NULL, *policy = NULL, *keyfile = NULL;
+char def_dgst[80] = "";
+char *dgst = NULL, *policy = NULL, *keyfile = NULL;
 char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL;
 int certformat = FORMAT_PEM, informat = FORMAT_PEM;
 const char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL;
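Review bot: `char def_dgst[80] = "";` introduces a fixed-size stack buffer with a bare magic length, and the code that fills it lies outside this hunk. Whatever writes the default digest name into it should be bounded by `sizeof(def_dgst)` and should fail cleanly on truncation rather than sign with a shortened name. A named constant or a comment giving the origin of 80 would help, for example `char def_dgst[80] = ""; /* default digest name; writers must pass sizeof(def_dgst) */`. Since `dgst` is now a plain name string handed down through `certify()` and `do_body()`, an unknown digest name is presumably only rejected once signing is initialised, so it is worth confirming that this failure still produces a clear error message.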
@@ -291,7 +291,7 @@ int ca_main(int argc, char **argv)
 int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE;
 int keyformat = FORMAT_PEM, multirdn = 1, notext = 0, output_der = 0;
 int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0;
-int rand_ser = 0, i, j, selfsign = 0, def_nid, def_ret;
+int rand_ser = 0, i, j, selfsign = 0, def_ret;
 char *crl_lastupdate = NULL, *crl_nextupdate = NULL;
 long crldays = 0, crlhours = 0, crlsec = 0, days = 0;
 unsigned long chtype = MBSTRING_ASC, certopt = 0;
@@ -358,7 +358,7 @@ opthelp:
 days = atoi(opt_arg());
 break;
 case OPT_MD:
- 

[openssl] master update

2021-04-30 Thread tomas
The branch master has been updated
   via  4489655c23f1f7f412309e25a5b9fd7acf7db3f2 (commit)
  from  b7f7a15f6ace4e6e25f8222a9996159582983aa8 (commit)


- Log -
commit 4489655c23f1f7f412309e25a5b9fd7acf7db3f2
Author: Daniel Bevenius 
Date:   Thu Apr 29 14:46:28 2021 +0200

Fix typo in OSSL_DECODER_CTX_set_input_structure

Reviewed-by: Richard Levitte 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/15085)

---

Summary of changes:
 crypto/encode_decode/decoder_lib.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/encode_decode/decoder_lib.c 
b/crypto/encode_decode/decoder_lib.c
index e37989fec4..45aeb39184 100644
--- a/crypto/encode_decode/decoder_lib.c
+++ b/crypto/encode_decode/decoder_lib.c
@@ -183,8 +183,8 @@ int OSSL_DECODER_CTX_set_input_structure(OSSL_DECODER_CTX 
*ctx,
 }
 
 /*
- * NULL is a valid starting input type, and means that the caller leaves
- * it to code to discover what the starting input type is.
+ * NULL is a valid starting input structure, and means that the caller
+ * leaves it to code to discover what the starting input structure is.
  */
 ctx->input_structure = input_structure;
 return 1;


[openssl] master update

2021-04-30 Thread Richard Levitte
The branch master has been updated
   via  b7f7a15f6ace4e6e25f8222a9996159582983aa8 (commit)
  from  b594a227178ccd812e5bb196bcb59ebc52d538ab (commit)


- Log -
commit b7f7a15f6ace4e6e25f8222a9996159582983aa8
Author: Richard Levitte 
Date:   Wed Apr 28 09:50:42 2021 +0200

STORE: Fix the repeated prompting of passphrase

OSSL_STORE's loading function could prompt repeatedly for the same
passphrase.  It turns out that OSSL_STORE_load() wasn't caching the
passphrase properly.  Fixed in this change.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/15064)

---

Summary of changes:
 crypto/store/store_lib.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c
index 134207d5c2..1a62d7f6ff 100644
--- a/crypto/store/store_lib.c
+++ b/crypto/store/store_lib.c
@@ -135,7 +135,8 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, 
const char *propq,
 }
 
 if (ui_method != NULL
-&& !ossl_pw_set_ui_method(>pwdata, ui_method, ui_data)) {
+&& (!ossl_pw_set_ui_method(>pwdata, ui_method, ui_data)
+|| !ossl_pw_enable_passphrase_caching(>pwdata))) {
 ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_CRYPTO_LIB);
 goto err;
 }
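Review bot: Enabling passphrase caching in `OSSL_STORE_open_ex` means the passphrase now stays in `pwdata` between prompts, and the only place visible in this commit that wipes it is the `ossl_pw_clear_passphrase_cache()` call added to `OSSL_STORE_load` (hunk at -413). That call sits after the `goto again` retry logic, so any return path in `OSSL_STORE_load` that exits earlier (the function body is outside the hunk) would leave the passphrase cached until the context is torn down. It should be confirmed that `OSSL_STORE_close` and the error path of `OSSL_STORE_open_ex` also clear `pwdata`. The `(void)` cast discards the result of the clear; if that function can fail, a comment saying why ignoring it is safe would be useful: `/* best effort: nothing to do if clearing fails */`.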
@@ -413,6 +414,9 @@ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx)
 goto again;
 }
 
+/* Clear any internally cached passphrase */
+(void)ossl_pw_clear_passphrase_cache(>pwdata);
+
 if (v != NULL && ctx->expected_type != 0) {
 int returned_type = OSSL_STORE_INFO_get_type(v);
 


[openssl] master update

2021-04-30 Thread tomas
The branch master has been updated
   via  b594a227178ccd812e5bb196bcb59ebc52d538ab (commit)
   via  2c181ac5a6fff474bc26bfa93f0c717eebc1ab1b (commit)
  from  c230e938c75c7c2d24b5d1d322a34ec369d92696 (commit)


- Log -
commit b594a227178ccd812e5bb196bcb59ebc52d538ab
Author: Tomas Mraz 
Date:   Wed Apr 28 18:49:33 2021 +0200

SM2 signatures work correctly only with SM3 digests

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/15074)

commit 2c181ac5a6fff474bc26bfa93f0c717eebc1ab1b
Author: Tomas Mraz 
Date:   Wed Apr 28 18:40:37 2021 +0200

sm2: Cleanup handling of DIGEST and DIGEST_SIZE parameters

Fixes #14873

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/15074)

---

Summary of changes:
 providers/implementations/signature/sm2sig.c  | 90 ++-
 test/recipes/30-test_evp_data/evppkey_sm2.txt |  1 +
 2 files changed, 48 insertions(+), 43 deletions(-)

diff --git a/providers/implementations/signature/sm2sig.c 
b/providers/implementations/signature/sm2sig.c
index 9016aefc02..8607a8b911 100644
--- a/providers/implementations/signature/sm2sig.c
+++ b/providers/implementations/signature/sm2sig.c
@@ -25,6 +25,7 @@
 #include "internal/nelem.h"
 #include "internal/sizes.h"
 #include "internal/cryptlib.h"
+#include "internal/sm3.h"
 #include "prov/implementations.h"
 #include "prov/provider_ctx.h"
 #include "crypto/ec.h"
@@ -63,13 +64,6 @@ typedef struct {
 char *propq;
 EC_KEY *ec;
 
-/*
- * Flag to determine if the hash function can be changed (1) or not (0)
- * Because it's dangerous to change during a DigestSign or DigestVerify
- * operation, this flag is cleared by their Init function, and set again
- * by their Final function.
- */
-unsigned int flag_allow_md : 1;
 /*
  * Flag to termine if the 'z' digest needs to be computed and fed to the
  * hash function.
@@ -95,6 +89,21 @@ typedef struct {
 size_t id_len;
 } PROV_SM2_CTX;
 
+static int sm2sig_set_mdname(PROV_SM2_CTX *psm2ctx, const char *mdname)
+{
+if (psm2ctx->md == NULL) /* We need an SM3 md to compare with */
+psm2ctx->md = EVP_MD_fetch(psm2ctx->libctx, psm2ctx->mdname,
+   psm2ctx->propq);
+if (psm2ctx->md == NULL
+|| strlen(mdname) >= sizeof(psm2ctx->mdname)
+|| !EVP_MD_is_a(psm2ctx->md, mdname)) {
+return 0;
+}
+
+OPENSSL_strlcpy(psm2ctx->mdname, mdname, sizeof(psm2ctx->mdname));
+return 1;
+}
+
 static void *sm2sig_newctx(void *provctx, const char *propq)
 {
 PROV_SM2_CTX *ctx = OPENSSL_zalloc(sizeof(PROV_SM2_CTX));
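Review bot: `sm2sig_set_mdname()` calls `strlen(mdname)` and `EVP_MD_is_a(psm2ctx->md, mdname)` without checking `mdname` for NULL. `sm2sig_digest_signverify_init()` (hunk at -170) now forwards its `mdname` argument straight into it. If a caller initialises a digest-sign or digest-verify operation without naming a digest and relies on the SM3 default set in `sm2sig_newctx()`, this dereferences NULL; the callers are outside the diff, so this is to be confirmed. Treating NULL as "keep the default" after the fetch has succeeded keeps the SM3-only restriction intact for every named digest.

```c
static int sm2sig_set_mdname(PROV_SM2_CTX *psm2ctx, const char *mdname)
{
    /* ... unchanged: fetch psm2ctx->md from psm2ctx->mdname when it is NULL ... */
    if (psm2ctx->md == NULL)
        return 0;

    /* No digest named by the caller: keep the SM3 default from newctx */
    if (mdname == NULL)
        return 1;

    if (strlen(mdname) >= sizeof(psm2ctx->mdname)
        || !EVP_MD_is_a(psm2ctx->md, mdname))
        return 0;

    /* ... unchanged: copy mdname into psm2ctx->mdname and return 1 ... */
}
```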
@@ -108,8 +117,8 @@ static void *sm2sig_newctx(void *provctx, const char *propq)
 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 return NULL;
 }
-/* don't allow to change MD, and in fact there is no such need */
-ctx->flag_allow_md = 0;
+ctx->mdsize = SM3_DIGEST_LENGTH;
+strcpy(ctx->mdname, OSSL_DIGEST_NAME_SM3);
 return ctx;
 }
 
@@ -170,28 +179,27 @@ static void free_md(PROV_SM2_CTX *ctx)
 EVP_MD_free(ctx->md);
 ctx->mdctx = NULL;
 ctx->md = NULL;
-ctx->mdsize = 0;
 }
 
 static int sm2sig_digest_signverify_init(void *vpsm2ctx, const char *mdname,
  void *ec, const OSSL_PARAM params[])
 {
 PROV_SM2_CTX *ctx = (PROV_SM2_CTX *)vpsm2ctx;
-int md_nid = NID_sm3;
+int md_nid;
 WPACKET pkt;
 int ret = 0;
 
-free_md(ctx);
-
-if (!sm2sig_signature_init(vpsm2ctx, ec, params))
+if (!sm2sig_signature_init(vpsm2ctx, ec, params)
+|| !sm2sig_set_mdname(ctx, mdname))
 return ret;
 
-ctx->md = EVP_MD_fetch(ctx->libctx, mdname, ctx->propq);
-ctx->mdsize = EVP_MD_size(ctx->md);
+EVP_MD_CTX_free(ctx->mdctx);
 ctx->mdctx = EVP_MD_CTX_new();
 if (ctx->mdctx == NULL)
 goto error;
 
+md_nid = EVP_MD_type(ctx->md);
+
 /*
  * We do not care about DER writing errors.
  * All it really means is that for some reason, there's no
@@ -285,10 +293,11 @@ int sm2sig_digest_verify_final(void *vpsm2ctx, const 
unsigned char *sig,
 unsigned char digest[EVP_MAX_MD_SIZE];
 unsigned int dlen = 0;
 
-if (psm2ctx == NULL || psm2ctx->mdctx == NULL)
+if (psm2ctx == NULL
+|| psm2ctx->mdctx == NULL
+|| EVP_MD_size(psm2ctx->md) > (int)sizeof(digest))
 return 0;
 
-/* SM2 always use SM3 so it's not possible to exceed the limit */
 if (!(sm2sig_compute_z_digest(psm2ctx)
   && EVP_DigestFinal_ex(psm2ctx->mdctx, digest, )))
 return 0;
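Review bot: The new guard `EVP_MD_size(psm2ctx->md) > (int)sizeof(digest)` only rejects a digest that is too large. A negative return from `EVP_MD_size()` (its error value, which is what one would expect if `psm2ctx->md` is NULL or unusable) passes the check and execution continues to `EVP_DigestFinal_ex()` writing into `digest`. Capturing the size once and rejecting non-positive values closes that gap: `int mdsize = EVP_MD_size(psm2ctx->md);` followed by `|| mdsize <= 0 || mdsize > (int)sizeof(digest)`. Only the verify path is visible in this hunk; the matching sign-final function uses the same kind of buffer and should get the same check if it does not already have it.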
@@ -392,7 +401,7 @@ static int sm2sig_set_ctx_params(void *vpsm2ctx, const 
OSSL_PARAM params[])
 {
 PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
 const OSSL_PARAM *p;
-char *mdname;
+

[openssl] master update

2021-04-30 Thread Richard Levitte
The branch master has been updated
   via  c230e938c75c7c2d24b5d1d322a34ec369d92696 (commit)
   via  e73fc81345ae2cdcc4be55768345d8a00fed6453 (commit)
  from  38230e30118e434ca1c41d05d03fe2c41042d97d (commit)


- Log -
commit c230e938c75c7c2d24b5d1d322a34ec369d92696
Author: Richard Levitte 
Date:   Wed Apr 28 21:28:11 2021 +0200

CORE: Rework the pre-population of the namemap

The pre-population of names has become more thorough.

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/15066)

commit e73fc81345ae2cdcc4be55768345d8a00fed6453
Author: Richard Levitte 
Date:   Wed Apr 28 11:02:36 2021 +0200

STORE: Use the 'expect' param to limit the amount of decoders used

In the provider file: scheme loader implementation, the OSSL_DECODER_CTX
was set up with all sorts of implementations, even if the caller has
declared a limited expectation on what should be loaded, which means
that even though a certificate is expected, all the diverse decoders
to produce an EVP_PKEY are added to the decoding chain.

This optimization looks more closely at the expected type, and only
adds the EVP_PKEY related decoder implementations to the chain if
there is no expectation, or if the expectation is one of
OSSL_STORE_INFO_PARAMS, OSSL_STORE_INFO_PUBKEY, OSSL_STORE_INFO_PKEY.

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/15066)

---

Summary of changes:
 crypto/core_namemap.c| 71 +++-
 providers/implementations/storemgmt/file_store.c | 14 +++--
 2 files changed, 41 insertions(+), 44 deletions(-)

diff --git a/crypto/core_namemap.c b/crypto/core_namemap.c
index daf22c3af2..1009fb1e94 100644
--- a/crypto/core_namemap.c
+++ b/crypto/core_namemap.c
@@ -379,66 +379,62 @@ int ossl_namemap_add_names(OSSL_NAMEMAP *namemap, int 
number,
 #include 
 
 /* Creates an initial namemap with names found in the legacy method db */
-static void get_legacy_evp_names(const char *name, const char *desc,
- const ASN1_OBJECT *obj, void *arg)
+static void get_legacy_evp_names(int base_nid, int nid, const char *pem_name,
+ void *arg)
 {
-int num = ossl_namemap_add_name(arg, 0, name);
+int num = 0;
+ASN1_OBJECT *obj;
 
-/*
- * We currently treat the description ("long name" in OBJ speak) as an
- * alias.
- */
-
-/*
- * We could check that the returned value is the same as id, but since
- * this is a void function, there's no sane way to report the error.
- * The best we can do is trust ourselve to keep the legacy method
- * database conflict free.
- *
- * This registers any alias with the same number as the main name.
- * Should it be that the current |on| *has* the main name, this is
- * simply a no-op.
- */
-if (desc != NULL) {
-(void)ossl_namemap_add_name(arg, num, desc);
+if (base_nid != NID_undef) {
+num = ossl_namemap_add_name(arg, num, OBJ_nid2sn(base_nid));
+num = ossl_namemap_add_name(arg, num, OBJ_nid2ln(base_nid));
 }
 
-if (obj != NULL) {
-char txtoid[OSSL_MAX_NAME_SIZE];
+if (nid != NID_undef) {
+num = ossl_namemap_add_name(arg, num, OBJ_nid2sn(nid));
+num = ossl_namemap_add_name(arg, num, OBJ_nid2ln(nid));
+if ((obj = OBJ_nid2obj(nid)) != NULL) {
+char txtoid[OSSL_MAX_NAME_SIZE];
 
-if (OBJ_obj2txt(txtoid, sizeof(txtoid), obj, 1))
-(void)ossl_namemap_add_name(arg, num, txtoid);
+if (OBJ_obj2txt(txtoid, sizeof(txtoid), obj, 1))
+num = ossl_namemap_add_name(arg, num, txtoid);
+}
 }
+if (pem_name != NULL)
+num = ossl_namemap_add_name(arg, num, pem_name);
 }
 
 static void get_legacy_cipher_names(const OBJ_NAME *on, void *arg)
 {
 const EVP_CIPHER *cipher = (void *)OBJ_NAME_get(on->name, on->type);
-int nid = EVP_CIPHER_type(cipher);
 
-get_legacy_evp_names(OBJ_nid2sn(nid), OBJ_nid2ln(nid), OBJ_nid2obj(nid),
- arg);
+get_legacy_evp_names(NID_undef, EVP_CIPHER_type(cipher), NULL, arg);
 }
 
 static void get_legacy_md_names(const OBJ_NAME *on, void *arg)
 {
 const EVP_MD *md = (void *)OBJ_NAME_get(on->name, on->type);
-int nid = EVP_MD_type(md);
 
-get_legacy_evp_names(OBJ_nid2sn(nid), OBJ_nid2ln(nid), OBJ_nid2obj(nid),
- arg);
+get_legacy_evp_names(0, EVP_MD_type(md), NULL, arg);
 }
 
 static void get_legacy_pkey_meth_names(const EVP_PKEY_ASN1_METHOD *ameth,
void *arg)
 {
 int nid = 0, base_nid = 0, flags = 0;
+const char *pem_name = NULL;
 
-EVP_PKEY_asn1_get0_info(, _nid, , NULL, NULL, ameth);
+   

[openssl] master update

2021-04-30 Thread Dr . Paul Dale
The branch master has been updated
   via  38230e30118e434ca1c41d05d03fe2c41042d97d (commit)
  from  455f2542526ba3aa0db16dc8c4a5289d7f3e6b50 (commit)


- Log -
commit 38230e30118e434ca1c41d05d03fe2c41042d97d
Author: Pauli 
Date:   Thu Apr 29 12:38:23 2021 +1000

acvp: fix the no-acvp_test build

A pair of the disabled string checks were incorrect.

Reviewed-by: Tomas Mraz 
Reviewed-by: Shane Lontis 
(Merged from https://github.com/openssl/openssl/pull/15082)

---

Summary of changes:
 Configure   | 2 +-
 INSTALL.md  | 2 +-
 test/build.info | 6 --
 test/recipes/30-test_acvp.t | 2 +-
 4 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/Configure b/Configure
index 83c9a6f382..7acbbc56b9 100755
--- a/Configure
+++ b/Configure
@@ -379,7 +379,7 @@ my @dtls = qw(dtls1 dtls1_2);
 # For developers: keep it sorted alphabetically
 
 my @disablables = (
-"acvp_tests",
+"acvp-tests",
 "afalgeng",
 "aria",
 "asan",
diff --git a/INSTALL.md b/INSTALL.md
index f9b065d764..9414556427 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -521,7 +521,7 @@ never be used in production environments.  It will only 
work when used with
 gcc or clang and should be used in conjunction with the [no-shared](#no-shared)
 option.
 
-### no-acvp_tests
+### no-acvp-tests
 
 Do not build support for Automated Cryptographic Validation Protocol (ACVP)
 tests.
diff --git a/test/build.info b/test/build.info
index 8043f0d3be..98b94801e1 100644
--- a/test/build.info
+++ b/test/build.info
@@ -34,7 +34,7 @@ IF[{- !$disabled{tests} -}]
   destest mdc2test \
   exptest \
   evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \
-  evp_fetch_prov_test acvp_test evp_libctx_test ossl_store_test \
+  evp_fetch_prov_test evp_libctx_test ossl_store_test \
   v3nametest v3ext \
   evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \
   evp_fetch_prov_test v3nametest v3ext \
@@ -159,7 +159,9 @@ IF[{- !$disabled{tests} -}]
   INCLUDE[evp_pkey_provided_test]=../include ../apps/include
   DEPEND[evp_pkey_provided_test]=../libcrypto.a libtestutil.a
 
-  IF[{- !$disabled{acvp-tests} -}]
+  IF[{- !$disabled{'acvp-tests'} -}]
+PROGRAMS{noinst}=acvp_test
+
 SOURCE[acvp_test]=acvp_test.c
 INCLUDE[acvp_test]=../include ../apps/include
 DEPEND[acvp_test]=../libcrypto.a libtestutil.a
diff --git a/test/recipes/30-test_acvp.t b/test/recipes/30-test_acvp.t
index 8f36325f21..566c59d78e 100644
--- a/test/recipes/30-test_acvp.t
+++ b/test/recipes/30-test_acvp.t
@@ -19,7 +19,7 @@ setup("test_acvp");
 my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
 
 plan skip_all => "ACVP is not supported by this test"
-if $no_fips || disabled("acvp_tests");
+if $no_fips || disabled("acvp-tests");
 
 use lib srctop_dir('Configurations');
 use lib bldtop_dir('.');


[openssl] master update

2021-04-30 Thread shane . lontis
The branch master has been updated
   via  455f2542526ba3aa0db16dc8c4a5289d7f3e6b50 (commit)
   via  857c223bf73f6d3ec91567cf341c5267392a3e66 (commit)
   via  e9d62da6c305d947530d91e412fdb21a8d8e3510 (commit)
  from  9ac653d81a857a5452f9f25278a24e1dfb226905 (commit)


- Log -
commit 455f2542526ba3aa0db16dc8c4a5289d7f3e6b50
Author: Shane Lontis 
Date:   Wed Apr 28 17:51:15 2021 +1000

Update OSSL_STORE_attach() documentation to indicate it increases the 
ref_count of the passed in bio

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/15058)

commit 857c223bf73f6d3ec91567cf341c5267392a3e66
Author: Shane Lontis 
Date:   Wed Apr 28 17:22:50 2021 +1000

Fix memory leak in load_key_certs_crls() when using stdin.

A newly created BIO object within this function calls
OSSL_STORE_attach() which increases the ref count to 2.
OSSL_STORE_close() then decrements the ref count by 1, so the BIO still
remains.

The following new test was picking up this leak using..
> valgrind openssl crl -hash -noout < test/testcrl.pem

Not quite sure why the existing tests were not picking this up
since they appear to run through a similar path, such as
> valgrind openssl pkey < test-runs/test_rsa/rsa-pkcs8-ff.dd

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/15058)

commit e9d62da6c305d947530d91e412fdb21a8d8e3510
Author: Shane Lontis 
Date:   Wed Apr 28 12:51:49 2021 +1000

Fix CRL app so that stdin works.

Fixes #15031

The maybe_stdin needed to be passed to load_key_certs_crls().

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/15058)

---

Summary of changes:
 apps/crl.c |  6 +++---
 apps/include/apps.h|  2 +-
 apps/lib/apps.c| 12 +++-
 apps/s_client.c|  2 +-
 apps/s_server.c|  2 +-
 doc/man3/OSSL_STORE_attach.pod |  5 +++--
 test/recipes/25-test_crl.t | 17 -
 7 files changed, 32 insertions(+), 14 deletions(-)

diff --git a/apps/crl.c b/apps/crl.c
index fbdd2a896c..8a0dc3605d 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -211,7 +211,7 @@ int crl_main(int argc, char **argv)
 if (!opt_md(digestname, ))
 goto opthelp;
 }
-x = load_crl(infile, "CRL");
+x = load_crl(infile, 1, "CRL");
 if (x == NULL)
 goto end;
 
@@ -250,13 +250,13 @@ int crl_main(int argc, char **argv)
 BIO_printf(bio_err, "verify OK\n");
 }
 
-if (crldiff) {
+if (crldiff != NULL) {
 X509_CRL *newcrl, *delta;
 if (!keyfile) {
 BIO_puts(bio_err, "Missing CRL signing key\n");
 goto end;
 }
-newcrl = load_crl(crldiff, "other CRL");
+newcrl = load_crl(crldiff, 0, "other CRL");
 if (!newcrl)
 goto end;
 pkey = load_key(keyfile, keyformat, 0, NULL, NULL, "CRL signing key");
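Review bot: The two updated calls pass the new `maybe_stdin` argument as a bare `1` and `0`, which gives a reader no hint why the main CRL may come from stdin while the `-crldiff` input may not. The file already annotates literals this way elsewhere in the commit (`0 /* timeout */` in apps/lib/apps.c), so `load_crl(infile, 1 /* maybe_stdin */, "CRL")` and `load_crl(crldiff, 0 /* maybe_stdin */, "other CRL")` would be consistent. Presumably the second call passes 0 because stdin is reserved for the primary input; a short comment saying so would document it. As a style point, the hunk changes `if (crldiff)` to `if (crldiff != NULL)` but leaves `if (!keyfile)` and `if (!newcrl)` two lines below in the old form.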
diff --git a/apps/include/apps.h b/apps/include/apps.h
index 2d102246f8..9532d396eb 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -111,7 +111,7 @@ X509_REQ *load_csr(const char *file, int format, const char 
*desc);
 X509 *load_cert_pass(const char *uri, int maybe_stdin,
  const char *pass, const char *desc);
 #define load_cert(uri, desc) load_cert_pass(uri, 1, NULL, desc)
-X509_CRL *load_crl(const char *uri, const char *desc);
+X509_CRL *load_crl(const char *uri, int maybe_stdin, const char *desc);
 void cleanse(char *str);
 void clear_free(char *str);
 EVP_PKEY *load_key(const char *uri, int format, int maybe_stdin,
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 4b7b38cf5c..d715e25ff1 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -499,7 +499,7 @@ X509 *load_cert_pass(const char *uri, int maybe_stdin,
 return cert;
 }
 
-X509_CRL *load_crl(const char *uri, const char *desc)
+X509_CRL *load_crl(const char *uri, int maybe_stdin, const char *desc)
 {
 X509_CRL *crl = NULL;
 
@@ -510,7 +510,7 @@ X509_CRL *load_crl(const char *uri, const char *desc)
 else if (IS_HTTP(uri))
 crl = X509_CRL_load_http(uri, NULL, NULL, 0 /* timeout */);
 else
-(void)load_key_certs_crls(uri, 0, NULL, desc,
+(void)load_key_certs_crls(uri, maybe_stdin, NULL, desc,
   NULL, NULL,  NULL, NULL, NULL, , NULL);
 if (crl == NULL) {
 BIO_printf(bio_err, "Unable to load %s\n", desc);
@@ -924,9 +924,11 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
 uri = "";
 unbuffer(stdin);
 bio = BIO_new_fp(stdin, 0);
-if (bio != NULL)
+if (bio != NULL) {
 ctx =