Build failed: openssl master.42040
Build openssl master.42040 failed Commit 7bc027d73b by Tomas Mraz on 5/13/2021 11:30 AM: Fallback to legacy pem decoding if OSSL_DECODER fails Configure your notification preferences
Build failed: openssl master.42039
Build openssl master.42039 failed Commit e9fe0f7e9d by Tomas Mraz on 5/13/2021 11:19 AM: Replace EVP_PKEY_supports_digest_nid Configure your notification preferences
Build failed: openssl master.42038
Build openssl master.42038 failed Commit a3c86ce9e8 by Tomas Mraz on 5/13/2021 11:02 AM: update-fips-checksums: Make the dependency on source list work Configure your notification preferences
Build failed: openssl master.42037
Build openssl master.42037 failed Commit 4639772523 by Dmitry Belyavskiy on 5/13/2021 10:24 AM: clarification about the DES status Configure your notification preferences
Build failed: openssl master.42034
Build openssl master.42034 failed Commit ce70766cb2 by Dr. David von Oheimb on 5/13/2021 9:15 AM: Makefile: Make sure providers/fipsmodule.cnf is re-built also for run_tests Configure your notification preferences
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via a812f8fc8f3c9ba30e5ecd2c168cca0613f15dcd (commit) from 9a48d4a4fec6827d387ee63756504892e3656299 (commit) - Log - commit a812f8fc8f3c9ba30e5ecd2c168cca0613f15dcd Author: bonniegong <46280630+bonnieg...@users.noreply.github.com> Date: Mon Apr 12 10:43:13 2021 +0800 check i2d_ASN1_TYPE return value add a length check to the return value of function i2d_ASN1_TYPE. Return an error instead of trying to malloc a negative number. CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14828) (cherry picked from commit c65abf2213117eb5348a46fbc18f706aca052e85) --- Summary of changes: crypto/asn1/a_strex.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c index 4879b33785..7cd18b4b85 100644 --- a/crypto/asn1/a_strex.c +++ b/crypto/asn1/a_strex.c @@ -280,6 +280,8 @@ static int do_dump(unsigned long lflags, char_io *io_ch, void *arg, t.type = str->type; t.value.ptr = (char *)str; der_len = i2d_ASN1_TYPE(, NULL); +if (der_len <= 0) +return -1; if ((der_buf = OPENSSL_malloc(der_len)) == NULL) { ASN1err(ASN1_F_DO_DUMP, ERR_R_MALLOC_FAILURE); return -1;
[openssl] master update
The branch master has been updated via c65abf2213117eb5348a46fbc18f706aca052e85 (commit) from c4005c8b84f35196a4c455f2e8a5aecfa88372e5 (commit) - Log - commit c65abf2213117eb5348a46fbc18f706aca052e85 Author: bonniegong <46280630+bonnieg...@users.noreply.github.com> Date: Mon Apr 12 10:43:13 2021 +0800 check i2d_ASN1_TYPE return value add a length check to the return value of function i2d_ASN1_TYPE. Return an error instead of trying to malloc a negative number. CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14828) --- Summary of changes: crypto/asn1/a_strex.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c index b9b6f1c871..b31761aae6 100644 --- a/crypto/asn1/a_strex.c +++ b/crypto/asn1/a_strex.c @@ -280,6 +280,8 @@ static int do_dump(unsigned long lflags, char_io *io_ch, void *arg, t.type = str->type; t.value.ptr = (char *)str; der_len = i2d_ASN1_TYPE(, NULL); +if (der_len <= 0) +return -1; if ((der_buf = OPENSSL_malloc(der_len)) == NULL) { ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); return -1;
Build failed: openssl master.42031
Build openssl master.42031 failed Commit 66ddc0759a by Pauli on 5/13/2021 8:00 AM: x509: fix a dangling pointer Configure your notification preferences
Build failed: openssl master.42030
Build openssl master.42030 failed Commit 9a633a1c97 by Pauli on 5/13/2021 4:22 AM: test: fix thread test config file problem Configure your notification preferences
Build failed: openssl master.42029
Build openssl master.42029 failed Commit 7f24110a00 by Dr. David von Oheimb on 5/13/2021 1:56 AM: EVP_PKEY-X25519.pod: Correct EVP_PKEY_Q_keygen function name in example Configure your notification preferences
Build failed: openssl master.42028
Build openssl master.42028 failed Commit 307a38fa5f by Xiaofei Bai on 5/13/2021 1:44 AM: Add $AESDEF in libdefault.a to fix aes regression Configure your notification preferences
[openssl] master update
The branch master has been updated via c4005c8b84f35196a4c455f2e8a5aecfa88372e5 (commit) from afecd85db1359b5a62c037b8a507b928541c779c (commit) - Log - commit c4005c8b84f35196a4c455f2e8a5aecfa88372e5 Author: Dr. David von Oheimb Date: Wed May 12 18:19:07 2021 +0200 http_client.c: Fix inconsistency w.r.t. type of max_resp_len Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15251) --- Summary of changes: crypto/http/http_client.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c index c32b352137..8069b2f645 100644 --- a/crypto/http/http_client.c +++ b/crypto/http/http_client.c @@ -52,7 +52,7 @@ struct ossl_http_req_ctx_st { int expect_asn1;/* response must be ASN.1-encoded */ long len_to_send; /* number of bytes in request still to send */ unsigned long resp_len; /* length of response */ -unsigned long max_resp_len; /* Maximum length of response */ +size_t max_resp_len;/* Maximum length of response */ int keep_alive; /* Persistent conn. 0=no, 1=prefer, 2=require */ time_t max_time;/* Maximum end time of current transfer, or 0 */ time_t max_total_time; /* Maximum end time of total transfer, or 0 */ @@ -135,7 +135,7 @@ void OSSL_HTTP_REQ_CTX_set_max_response_length(OSSL_HTTP_REQ_CTX *rctx, ERR_raise(ERR_LIB_HTTP, ERR_R_PASSED_NULL_PARAMETER); return; } -rctx->max_resp_len = len != 0 ? len : HTTP_DEFAULT_MAX_RESP_LEN; +rctx->max_resp_len = len != 0 ? (size_t)len : HTTP_DEFAULT_MAX_RESP_LEN; } /* @@ -1020,7 +1020,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy, OSSL_HTTP_bio_cb_t bio_update_fn, void *arg, int maxline, const STACK_OF(CONF_VALUE) *headers, const char *expected_ct, int expect_asn1, - unsigned long max_resp_len, int timeout) + size_t max_resp_len, int timeout) { time_t start_time = timeout > 0 ? time(NULL) : 0; char *current_url, *redirection_url = NULL;
[openssl] master update
The branch master has been updated via afecd85db1359b5a62c037b8a507b928541c779c (commit) from 2bdec3b037264540014120a02217fc67bf355f11 (commit) - Log - commit afecd85db1359b5a62c037b8a507b928541c779c Author: Tomas Mraz Date: Wed May 12 19:15:27 2021 +0200 Replace some of the ERR_clear_error() calls with mark calls Fixes #15219 Reviewed-by: Richard Levitte Reviewed-by: Paul Dale Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/15253) --- Summary of changes: crypto/asn1/a_d2i_fp.c | 7 --- crypto/asn1/p5_pbev2.c | 3 ++- crypto/bio/bio_lib.c| 8 ++-- crypto/bio/bss_conn.c | 8 +--- crypto/ec/ec2_oct.c | 8 crypto/ec/ecp_oct.c | 10 -- crypto/pkcs12/p12_add.c | 3 ++- crypto/pkcs12/p12_p8e.c | 22 +- crypto/x509/by_file.c | 6 -- 9 files changed, 44 insertions(+), 31 deletions(-) diff --git a/crypto/asn1/a_d2i_fp.c b/crypto/asn1/a_d2i_fp.c index 2c7acb34e0..f1e96b2eaf 100644 --- a/crypto/asn1/a_d2i_fp.c +++ b/crypto/asn1/a_d2i_fp.c @@ -115,7 +115,7 @@ int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) return -1; } -ERR_clear_error(); +ERR_set_mark(); for (;;) { diff = len - off; if (want >= diff) { @@ -149,10 +149,10 @@ int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) if (inf & 0x80) { unsigned long e; -e = ERR_GET_REASON(ERR_peek_error()); +e = ERR_GET_REASON(ERR_peek_last_error()); if (e != ASN1_R_TOO_LONG) goto err; -ERR_clear_error(); +ERR_pop_to_mark(); } i = q - p;/* header length */ off += i; /* end of data */ @@ -235,6 +235,7 @@ int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) *pb = b; return off; err: +ERR_clear_last_mark(); BUF_MEM_free(b); return -1; } diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c index da227b96e2..c9d9d31cc2 100644 --- a/crypto/asn1/p5_pbev2.c +++ b/crypto/asn1/p5_pbev2.c @@ -88,11 +88,12 @@ X509_ALGOR *PKCS5_pbe2_set_iv_ex(const EVP_CIPHER *cipher, int iter, * If prf NID unspecified see if cipher has a preference. An error is OK * here: just means use default PRF. */ +ERR_set_mark(); if ((prf_nid == -1) && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PBE_PRF_NID, 0, _nid) <= 0) { -ERR_clear_error(); prf_nid = NID_hmacWithSHA256; } +ERR_pop_to_mark(); EVP_CIPHER_CTX_free(ctx); ctx = NULL; diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c index 5cdd6d7cfd..575107634c 100644 --- a/crypto/bio/bio_lib.c +++ b/crypto/bio/bio_lib.c @@ -870,7 +870,8 @@ int BIO_do_connect_retry(BIO *bio, int timeout, int nap_milliseconds) BIO_set_nbio(bio, !blocking); retry: -rv = BIO_do_connect(bio); /* This may indirectly call ERR_clear_error(); */ +ERR_set_mark(); +rv = BIO_do_connect(bio); if (rv <= 0) { /* could be timeout or retryable error or fatal error */ int err = ERR_peek_last_error(); @@ -897,7 +898,7 @@ int BIO_do_connect_retry(BIO *bio, int timeout, int nap_milliseconds) } } if (timeout >= 0 && do_retry) { -ERR_clear_error(); /* using ERR_pop_to_mark() would be cleaner */ +ERR_pop_to_mark(); /* will not actually wait if timeout == 0 (i.e., blocking BIO): */ rv = bio_wait(bio, max_time, nap_milliseconds); if (rv > 0) @@ -905,11 +906,14 @@ int BIO_do_connect_retry(BIO *bio, int timeout, int nap_milliseconds) ERR_raise(ERR_LIB_BIO, rv == 0 ? BIO_R_CONNECT_TIMEOUT : BIO_R_CONNECT_ERROR); } else { +ERR_clear_last_mark(); rv = -1; if (err == 0) /* missing error queue entry */ /* workaround: general error */ ERR_raise(ERR_LIB_BIO, BIO_R_CONNECT_ERROR); } +} else { +ERR_clear_last_mark(); } return rv; diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c index 7aaae65bc2..3ab2c0d4ba 100644 --- a/crypto/bio/bss_conn.c +++ b/crypto/bio/bss_conn.c @@ -155,6 +155,7 @@ static int conn_state(BIO *b, BIO_CONNECT *c) case BIO_CONN_S_CONNECT: BIO_clear_retry_flags(b); +ERR_set_mark(); ret = BIO_connect(b->num, BIO_ADDRINFO_address(c->addr_iter), BIO_SOCK_KEEPALIVE | c->connect_mode); b->retry_reason = 0; @@ -163,7 +164,7 @@ static int conn_state(BIO *b, BIO_CONNECT *c) BIO_set_retry_special(b); c->state = BIO_CONN_S_BLOCKED_CONNECT; b->retry_reason = BIO_RR_CONNECT; -
Build failed: openssl master.42027
Build openssl master.42027 failed Commit 36c5bb1aff by Rich Salz on 5/13/2021 1:18 AM: Fix cut/paste (?) error. Configure your notification preferences
Build failed: openssl pr14749-new.42026
Build openssl pr14749-new.42026 failed Commit b66c10421b by Benjamin Kaduk on 5/12/2021 10:39 PM: Update expected results for tls13kexmodes tests Configure your notification preferences
Build failed: openssl pr14749.42025
Build openssl pr14749.42025 failed Commit b66c10421b by Benjamin Kaduk on 5/12/2021 10:39 PM: Update expected results for tls13kexmodes tests Configure your notification preferences
Build failed: openssl master.42024
Build openssl master.42024 failed Commit b98f752ec3 by Shane Lontis on 5/12/2021 11:49 PM: Export/import flags for FFC params changed to seperate fields. Configure your notification preferences
Build failed: openssl pr14749.42023
Build openssl pr14749.42023 failed Commit b66c10421b by Benjamin Kaduk on 5/12/2021 10:39 PM: Update expected results for tls13kexmodes tests Configure your notification preferences
Build failed: openssl pr14749-orig.42022
Build openssl pr14749-orig.42022 failed Commit 8b55415cb7 by Benjamin Kaduk on 5/12/2021 4:54 PM: Update expected results for tls13kexmodes tests Configure your notification preferences
Build failed: openssl pr14749.42021
Build openssl pr14749.42021 failed Commit 8b55415cb7 by Benjamin Kaduk on 5/12/2021 4:54 PM: Update expected results for tls13kexmodes tests Configure your notification preferences
Build failed: openssl master.42020
Build openssl master.42020 failed Commit 466cab4758 by Benjamin Kaduk on 5/12/2021 8:30 PM: apps: improve hygeine for SET_EXPECT macro Configure your notification preferences
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 9a48d4a4fec6827d387ee63756504892e3656299 (commit) via fffb067b468f8e6ffd003b346d7aba558f205c23 (commit) from 207b8693b0821aab356ce9dccb7f2fe86e5e035a (commit) - Log - commit 9a48d4a4fec6827d387ee63756504892e3656299 Author: Dmitry Belyavskiy Date: Fri Apr 30 18:13:14 2021 +0200 Testing private keys with extra attributes Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15075) commit fffb067b468f8e6ffd003b346d7aba558f205c23 Author: Dmitry Belyavskiy Date: Wed Apr 28 21:43:35 2021 +0300 Try to parse private key as PKCS#8 first, fallback afterwards Fixes #15022 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15075) --- Summary of changes: crypto/asn1/d2i_pr.c | 71 +++-- test/recipes/25-test_req.t | 27 +++-- test/testrsa_withattrs.der | Bin 0 -> 1277 bytes test/testrsa_withattrs.pem | 29 ++ 4 files changed, 103 insertions(+), 24 deletions(-) create mode 100644 test/testrsa_withattrs.der create mode 100644 test/testrsa_withattrs.pem diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c index 7b127d2092..091b6e7216 100644 --- a/crypto/asn1/d2i_pr.c +++ b/crypto/asn1/d2i_pr.c @@ -78,13 +78,53 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, * type */ +static EVP_PKEY *key_as_pkcs8(const unsigned char **pp, long length, int *carry_on) +{ +const unsigned char *p = *pp; +PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, , length); +EVP_PKEY *ret; + +if (p8 == NULL) +return NULL; + +ret = EVP_PKCS82PKEY(p8); +if (ret == NULL) +*carry_on = 0; + +PKCS8_PRIV_KEY_INFO_free(p8); + +if (ret != NULL) +*pp = p; + +return ret; +} + EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp, long length) { STACK_OF(ASN1_TYPE) *inkey; const unsigned char *p; int keytype; +EVP_PKEY *ret = NULL; +int carry_on = 1; + +ERR_set_mark(); +ret = key_as_pkcs8(pp, length, _on); +if (ret != NULL) { +ERR_clear_last_mark(); +if (a != NULL) +*a = ret; +return ret; +} + +if (carry_on == 0) { +ERR_clear_last_mark(); +ASN1err(ASN1_F_D2I_AUTOPRIVATEKEY, +ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE); +return NULL; +} p = *pp; + /* * Dirty trick: read in the ASN1 data into a STACK_OF(ASN1_TYPE): by * analyzing it we can determine the passed structure: this assumes the @@ -100,28 +140,15 @@ EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp, keytype = EVP_PKEY_DSA; else if (sk_ASN1_TYPE_num(inkey) == 4) keytype = EVP_PKEY_EC; -else if (sk_ASN1_TYPE_num(inkey) == 3) { /* This seems to be PKCS8, not - * traditional format */ -PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, , length); -EVP_PKEY *ret; - -sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free); -if (!p8) { -ASN1err(ASN1_F_D2I_AUTOPRIVATEKEY, -ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE); -return NULL; -} -ret = EVP_PKCS82PKEY(p8); -PKCS8_PRIV_KEY_INFO_free(p8); -if (ret == NULL) -return NULL; -*pp = p; -if (a) { -*a = ret; -} -return ret; -} else +else keytype = EVP_PKEY_RSA; sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free); -return d2i_PrivateKey(keytype, a, pp, length); + +ret = d2i_PrivateKey(keytype, a, pp, length); +if (ret != NULL) +ERR_pop_to_mark(); +else +ERR_clear_last_mark(); + +return ret; } diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t index 5e1ea308a2..be4cdb1626 100644 --- a/test/recipes/25-test_req.t +++ b/test/recipes/25-test_req.t @@ -47,7 +47,7 @@ ok(!run(app([@addext_args, "-addext", $val, "-addext", $val3]))); ok(!run(app([@addext_args, "-addext", $val2, "-addext", $val3]))); subtest "generating certificate requests with RSA" => sub { -plan tests => 2; +plan tests => 6; SKIP: { skip "RSA is not supported by this OpenSSL build", 2 @@ -63,6 +63,29 @@ subtest "generating certificate requests with RSA" => sub { "-config", srctop_file("test", "test.cnf"), "-verify", "-in", "testreq.pem", "-noout"])), "Verifying signature on request"); + +ok(run(app(["openssl", "req", +"-config", srctop_file("test", "test.cnf"), +"-new", "-out",
[openssl] master update
The branch master has been updated via 2bdec3b037264540014120a02217fc67bf355f11 (commit) from da51566b256e0c0536d5b986e676863b0526bf5e (commit) - Log - commit 2bdec3b037264540014120a02217fc67bf355f11 Author: Xiaofei Bai Date: Tue May 11 09:37:22 2021 + crypto/arm_arch.h: add a variable declaration Add this variable declaration to prevent "-Werror,-Wmissing-variable-declarations" error from compiler. This error currently only happens on clang. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15240) --- Summary of changes: crypto/arm_arch.h | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/arm_arch.h b/crypto/arm_arch.h index d98154bddb..9de35afcfd 100644 --- a/crypto/arm_arch.h +++ b/crypto/arm_arch.h @@ -72,6 +72,7 @@ # ifndef __ASSEMBLER__ extern unsigned int OPENSSL_armcap_P; extern unsigned int OPENSSL_arm_midr; +extern unsigned int OPENSSL_armv8_rsa_neonized; # endif # define ARMV7_NEON (1<<0)
[openssl] master update
The branch master has been updated via da51566b256e0c0536d5b986e676863b0526bf5e (commit) from 3ba3e350fd15c133a172095f67e6e0c99ab9b410 (commit) - Log - commit da51566b256e0c0536d5b986e676863b0526bf5e Author: Ben Avison Date: Wed Mar 10 15:54:44 2021 + ARM assembly pack: translate bit-sliced AES implementation to AArch64 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14592) --- Summary of changes: crypto/aes/asm/bsaes-armv8.S | 2338 ++ crypto/aes/build.info|5 +- 2 files changed, 2341 insertions(+), 2 deletions(-) create mode 100644 crypto/aes/asm/bsaes-armv8.S diff --git a/crypto/aes/asm/bsaes-armv8.S b/crypto/aes/asm/bsaes-armv8.S new file mode 100644 index 00..9bd02d0c8a --- /dev/null +++ b/crypto/aes/asm/bsaes-armv8.S @@ -0,0 +1,2338 @@ +// Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +// +// Licensed under the OpenSSL license (the "License"). You may not use +// this file except in compliance with the License. You can obtain a copy +// in the file LICENSE in the source distribution or at +// https://www.openssl.org/source/license.html +// +// +// Written by Ben Avison for the OpenSSL +// project. Rights for redistribution and usage in source and binary +// forms are granted according to the OpenSSL license. +// +// +// This implementation is a translation of bsaes-armv7 for AArch64. +// No attempt has been made to carry across the build switches for +// kernel targets, since the Linux kernel crypto support has moved on +// from when it was based on OpenSSL. + +// A lot of hand-scheduling has been performed. Consequently, this code +// doesn't factor out neatly into macros in the same way that the +// AArch32 version did, and there is little to be gained by wrapping it +// up in Perl, and it is presented as pure assembly. + + +#include "crypto/arm_arch.h" + +.text + +.type _bsaes_decrypt8,%function +.align 4 +// On entry: +// x9 -> key (previously expanded using _bsaes_key_convert) +// x10 = number of rounds +// v0-v7 input data +// On exit: +// x9-x11 corrupted +// other general-purpose registers preserved +// v0-v7 output data +// v11-v15 preserved +// other SIMD registers corrupted +_bsaes_decrypt8: +ldr q8, [x9], #16 +adr x11, .LM0ISR +moviv9.16b, #0x55 +ldr q10, [x11], #16 +moviv16.16b, #0x33 +moviv17.16b, #0x0f +sub x10, x10, #1 +eor v0.16b, v0.16b, v8.16b +eor v1.16b, v1.16b, v8.16b +eor v2.16b, v2.16b, v8.16b +eor v4.16b, v4.16b, v8.16b +eor v3.16b, v3.16b, v8.16b +eor v5.16b, v5.16b, v8.16b +tbl v0.16b, {v0.16b}, v10.16b +tbl v1.16b, {v1.16b}, v10.16b +tbl v2.16b, {v2.16b}, v10.16b +tbl v4.16b, {v4.16b}, v10.16b +eor v6.16b, v6.16b, v8.16b +eor v7.16b, v7.16b, v8.16b +tbl v3.16b, {v3.16b}, v10.16b +tbl v5.16b, {v5.16b}, v10.16b +tbl v6.16b, {v6.16b}, v10.16b +ushrv8.2d, v0.2d, #1 +tbl v7.16b, {v7.16b}, v10.16b +ushrv10.2d, v4.2d, #1 +ushrv18.2d, v2.2d, #1 +eor v8.16b, v8.16b, v1.16b +ushrv19.2d, v6.2d, #1 +eor v10.16b, v10.16b, v5.16b +eor v18.16b, v18.16b, v3.16b +and v8.16b, v8.16b, v9.16b +eor v19.16b, v19.16b, v7.16b +and v10.16b, v10.16b, v9.16b +and v18.16b, v18.16b, v9.16b +eor v1.16b, v1.16b, v8.16b +shl v8.2d, v8.2d, #1 +and v9.16b, v19.16b, v9.16b +eor v5.16b, v5.16b, v10.16b +shl v10.2d, v10.2d, #1 +eor v3.16b, v3.16b, v18.16b +shl v18.2d, v18.2d, #1 +eor v0.16b, v0.16b, v8.16b +shl v8.2d, v9.2d, #1 +eor v7.16b, v7.16b, v9.16b +eor v4.16b, v4.16b, v10.16b +eor v2.16b, v2.16b, v18.16b +ushrv9.2d, v1.2d, #2 +eor v6.16b, v6.16b, v8.16b +ushrv8.2d, v0.2d, #2 +ushrv10.2d, v5.2d, #2 +ushrv18.2d, v4.2d, #2 +eor v9.16b, v9.16b, v3.16b +eor v8.16b, v8.16b, v2.16b +eor v10.16b, v10.16b, v7.16b +eor v18.16b, v18.16b, v6.16b +and v9.16b, v9.16b, v16.16b +and v8.16b, v8.16b, v16.16b +and v10.16b, v10.16b, v16.16b +and v16.16b, v18.16b, v16.16b +eor v3.16b, v3.16b, v9.16b +shl v9.2d, v9.2d, #2 +eor
Build failed: openssl pr14749.42019
Build openssl pr14749.42019 failed Commit 8b55415cb7 by Benjamin Kaduk on 5/12/2021 4:54 PM: Update expected results for tls13kexmodes tests Configure your notification preferences
Build failed: openssl pr14749.42018
Build openssl pr14749.42018 failed Commit 36c65b409d by Benjamin Kaduk on 5/12/2021 4:44 PM: Update expected results for tls13kexmodes tests Configure your notification preferences
Build failed: openssl master.42017
Build openssl master.42017 failed Commit 80c25611ab by Benjamin Kaduk on 5/12/2021 4:11 PM: Update expected results for tls13kexmodes tests Configure your notification preferences
[openssl] master update
The branch master has been updated via 3ba3e350fd15c133a172095f67e6e0c99ab9b410 (commit) from 7bc027d73bc51cfa0ae23fbfd91134be9464d694 (commit) - Log - commit 3ba3e350fd15c133a172095f67e6e0c99ab9b410 Author: Pauli Date: Wed May 12 15:19:54 2021 +1000 doc: remove references to undepreciated commands being deprecated. The dsa, ec, ecparam, and rsa manual pages refer to themselves are being deprecated which they aren't. Address this and add a note pointing to the pkey command equivalents albeit without recommending it. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15239) --- Summary of changes: doc/man1/openssl-dsa.pod.in | 7 +-- doc/man1/openssl-ec.pod.in | 7 +-- doc/man1/openssl-ecparam.pod.in | 8 ++-- doc/man1/openssl-rsa.pod.in | 10 +++--- 4 files changed, 23 insertions(+), 9 deletions(-) diff --git a/doc/man1/openssl-dsa.pod.in b/doc/man1/openssl-dsa.pod.in index b17b49ad0f..68ce5f319c 100644 --- a/doc/man1/openssl-dsa.pod.in +++ b/doc/man1/openssl-dsa.pod.in @@ -129,10 +129,13 @@ a public key. =back +The L command is capable of performing all the operations +this command can, as well as supporting other public key types. + =head1 EXAMPLES -Examples equivalent to these can be found in the documentation for the -non-deprecated L command. +The documentation for the L command contains examples +equivalent to the ones listed here. To remove the pass phrase on a DSA private key: diff --git a/doc/man1/openssl-ec.pod.in b/doc/man1/openssl-ec.pod.in index b3aabcb41a..479485cc80 100644 --- a/doc/man1/openssl-ec.pod.in +++ b/doc/man1/openssl-ec.pod.in @@ -147,10 +147,13 @@ This option checks the consistency of an EC private or public key. =back +The L command is capable of performing all the operations +this command can, as well as supporting other public key types. + =head1 EXAMPLES -Examples equivalent to these can be found in the documentation for the -non-deprecated L command. +The documentation for the L command contains examples +equivalent to the ones listed here. To encrypt a private key using triple DES: diff --git a/doc/man1/openssl-ecparam.pod.in b/doc/man1/openssl-ecparam.pod.in index 2f0968c311..e0bdb75cf3 100644 --- a/doc/man1/openssl-ecparam.pod.in +++ b/doc/man1/openssl-ecparam.pod.in @@ -129,10 +129,14 @@ This option will generate an EC private key using the specified parameters. =back +The L and L commands are capable +of performing all the operations this command can, as well as supporting +other public key types. + =head1 EXAMPLES -Examples equivalent to these can be found in the documentation for the -non-deprecated L and L commands. +The documentation for the L and L +commands contains examples equivalent to the ones listed here. To create EC parameters with the group 'prime192v1': diff --git a/doc/man1/openssl-rsa.pod.in b/doc/man1/openssl-rsa.pod.in index d67a0f64bb..fab6408f14 100644 --- a/doc/man1/openssl-rsa.pod.in +++ b/doc/man1/openssl-rsa.pod.in @@ -57,7 +57,6 @@ various forms and their components printed out. Print out a usage message. - =item B<-inform> B|B|B|B The key input format; unspecified by default. @@ -140,10 +139,15 @@ Like B<-pubin> and B<-pubout> except B format is used instead. =back +=head1 NOTES + +The L command is capable of performing all the operations +this command can, as well as supporting other public key types. + =head1 EXAMPLES -Examples equivalent to these can be found in the documentation for the -non-deprecated L command. +The documentation for the L command contains examples +equivalent to the ones listed here. To remove the pass phrase on an RSA private key:
[openssl] master update
The branch master has been updated via 7bc027d73bc51cfa0ae23fbfd91134be9464d694 (commit) via b4c4a2c68817ea0b2df8012673fa4e0712681704 (commit) from e9fe0f7e9df7e0909ca52a024b889e48616a29d9 (commit) - Log - commit 7bc027d73bc51cfa0ae23fbfd91134be9464d694 Author: Tomas Mraz Date: Tue Apr 27 18:12:15 2021 +0200 Fallback to legacy pem decoding if OSSL_DECODER fails Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15045) commit b4c4a2c68817ea0b2df8012673fa4e0712681704 Author: Tomas Mraz Date: Tue Apr 27 16:01:13 2021 +0200 Implement pem_read_key directly through OSSL_DECODER Using OSSL_STORE is too heavy and breaks things. There were also needed various fixes mainly for missing proper handling of the SM2 keys in the OSSL_DECODER. Fixes #14788 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15045) --- Summary of changes: crypto/ec/ec_asn1.c | 7 + crypto/ec/ec_key.c| 3 + crypto/pem/pem_pkey.c | 232 +++--- crypto/x509/x_pubkey.c| 4 +- providers/fips-sources.checksums | 6 +- providers/fips.checksum | 2 +- providers/implementations/keymgmt/ec_kmgmt.c | 8 +- providers/implementations/keymgmt/rsa_kmgmt.c | 4 +- test/evp_extra_test2.c| 9 +- test/sslapitest.c | 30 ++-- 10 files changed, 221 insertions(+), 84 deletions(-) diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index ed30d1b3a9..0e37b21ac3 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c @@ -965,6 +965,9 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len) goto err; } +if (EC_GROUP_get_curve_name(ret->group) == NID_sm2) +EC_KEY_set_flags(ret, EC_FLAG_SM2_RANGE); + EC_POINT_clear_free(ret->pub_key); ret->pub_key = EC_POINT_new(ret->group); if (ret->pub_key == NULL) { @@ -1109,6 +1112,10 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len) ret->dirty_cnt++; return NULL; } + +if (EC_GROUP_get_curve_name(ret->group) == NID_sm2) +EC_KEY_set_flags(ret, EC_FLAG_SM2_RANGE); + ret->dirty_cnt++; if (a) diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index f06715fa6b..ea2bad3e26 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -678,6 +678,9 @@ int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group) return 0; EC_GROUP_free(key->group); key->group = EC_GROUP_dup(group); +if (key->group != NULL && EC_GROUP_get_curve_name(key->group) == NID_sm2) +EC_KEY_set_flags(key, EC_FLAG_SM2_RANGE); + key->dirty_cnt++; return (key->group == NULL) ? 0 : 1; } diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c index 3faca8d0ec..3f0a9e4fef 100644 --- a/crypto/pem/pem_pkey.c +++ b/crypto/pem/pem_pkey.c @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -/* We need to use some STORE deprecated APIs */ +/* We need to use some deprecated APIs */ #define OPENSSL_SUPPRESS_DEPRECATED #include @@ -20,82 +20,198 @@ #include #include #include -#include +#include #include -#include "crypto/store.h" #include "crypto/asn1.h" #include "crypto/evp.h" #include "pem_local.h" int ossl_pem_check_suffix(const char *pem_str, const char *suffix); -static EVP_PKEY *pem_read_bio_key(BIO *bp, EVP_PKEY **x, - pem_password_cb *cb, void *u, - OSSL_LIB_CTX *libctx, const char *propq, - int expected_store_info_type, - int try_secure) +static EVP_PKEY *pem_read_bio_key_decoder(BIO *bp, EVP_PKEY **x, + pem_password_cb *cb, void *u, + OSSL_LIB_CTX *libctx, + const char *propq, + int selection) { -EVP_PKEY *ret = NULL; -OSSL_STORE_CTX *ctx = NULL; -OSSL_STORE_INFO *info = NULL; -const UI_METHOD *ui_method = NULL; -UI_METHOD *allocated_ui_method = NULL; - -if (expected_store_info_type != OSSL_STORE_INFO_PKEY -&& expected_store_info_type != OSSL_STORE_INFO_PUBKEY -&& expected_store_info_type != OSSL_STORE_INFO_PARAMS) { -ERR_raise(ERR_LIB_PEM, ERR_R_PASSED_INVALID_ARGUMENT); +EVP_PKEY *pkey = NULL; +OSSL_DECODER_CTX *dctx = NULL; + +dctx = OSSL_DECODER_CTX_new_for_pkey(, "PEM", NULL, NULL, + selection, libctx, propq); + +if (dctx == NULL)
Build failed: openssl master.42016
Build openssl master.42016 failed Commit 8f965908a5 by Dr. David von Oheimb on 5/12/2021 1:11 PM: HTTP client: Minimal changes that include the improved API Configure your notification preferences
[openssl] master update
The branch master has been updated via e9fe0f7e9df7e0909ca52a024b889e48616a29d9 (commit) via 3c39bd9b89198c6b3834c369c7da6f582788f645 (commit) from a3c86ce9e8923bb7e5ba3e69eae17aac04dbc76d (commit) - Log - commit e9fe0f7e9df7e0909ca52a024b889e48616a29d9 Author: Tomas Mraz Date: Fri May 7 17:44:26 2021 +0200 Replace EVP_PKEY_supports_digest_nid The EVP_PKEY_supports_digest_nid() is renamed to EVP_PKEY_digestsign_supports_digest() and implemented via EVP_DigestSignInit_ex(). Fixes #14343 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15198) commit 3c39bd9b89198c6b3834c369c7da6f582788f645 Author: Tomas Mraz Date: Fri May 7 16:56:34 2021 +0200 Drop ASN1_PKEY_CTRL_SUPPORTS_MD_NID This is a legacy ASN1_PKEY_CTRL that was added after 1.1.1 and is not needed. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15198) --- Summary of changes: crypto/evp/p_lib.c | 28 ++--- doc/build.info | 12 +++--- doc/man3/EVP_PKEY_ASN1_METHOD.pod| 1 - doc/man3/EVP_PKEY_digestsign_supports_digest.pod | 44 doc/man3/EVP_PKEY_get_default_digest_nid.pod | 2 +- doc/man3/EVP_PKEY_supports_digest_nid.pod| 53 include/openssl/evp.h| 6 +-- ssl/t1_lib.c | 13 +++--- util/libcrypto.num | 2 +- 9 files changed, 76 insertions(+), 85 deletions(-) create mode 100644 doc/man3/EVP_PKEY_digestsign_supports_digest.pod delete mode 100644 doc/man3/EVP_PKEY_supports_digest_nid.pod diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 5cfc7405f3..6a8dc9 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -1335,23 +1335,21 @@ int EVP_PKEY_get_group_name(const EVP_PKEY *pkey, char *gname, size_t gname_sz, gname, gname_sz, gname_len); } -int EVP_PKEY_supports_digest_nid(EVP_PKEY *pkey, int nid) +int EVP_PKEY_digestsign_supports_digest(EVP_PKEY *pkey, OSSL_LIB_CTX *libctx, +const char *name, const char *propq) { -int rv, default_nid; +int rv; +EVP_MD_CTX *ctx = NULL; -rv = evp_pkey_asn1_ctrl(pkey, ASN1_PKEY_CTRL_SUPPORTS_MD_NID, nid, NULL); -if (rv == -2) { -/* - * If there is a mandatory default digest and this isn't it, then - * the answer is 'no'. - */ -rv = EVP_PKEY_get_default_digest_nid(pkey, _nid); -if (rv == 2) -return (nid == default_nid); -/* zero is an error from EVP_PKEY_get_default_digest_nid() */ -if (rv == 0) -return -1; -} +if ((ctx = EVP_MD_CTX_new()) == NULL) +return -1; + +ERR_set_mark(); +rv = EVP_DigestSignInit_ex(ctx, NULL, name, libctx, + propq, pkey, NULL); +ERR_pop_to_mark(); + +EVP_MD_CTX_free(ctx); return rv; } diff --git a/doc/build.info b/doc/build.info index af0e0e0539..02882af91e 100644 --- a/doc/build.info +++ b/doc/build.info @@ -1198,6 +1198,10 @@ DEPEND[html/man3/EVP_PKEY_derive.html]=man3/EVP_PKEY_derive.pod GENERATE[html/man3/EVP_PKEY_derive.html]=man3/EVP_PKEY_derive.pod DEPEND[man/man3/EVP_PKEY_derive.3]=man3/EVP_PKEY_derive.pod GENERATE[man/man3/EVP_PKEY_derive.3]=man3/EVP_PKEY_derive.pod +DEPEND[html/man3/EVP_PKEY_digestsign_supports_digest.html]=man3/EVP_PKEY_digestsign_supports_digest.pod +GENERATE[html/man3/EVP_PKEY_digestsign_supports_digest.html]=man3/EVP_PKEY_digestsign_supports_digest.pod +DEPEND[man/man3/EVP_PKEY_digestsign_supports_digest.3]=man3/EVP_PKEY_digestsign_supports_digest.pod +GENERATE[man/man3/EVP_PKEY_digestsign_supports_digest.3]=man3/EVP_PKEY_digestsign_supports_digest.pod DEPEND[html/man3/EVP_PKEY_encapsulate.html]=man3/EVP_PKEY_encapsulate.pod GENERATE[html/man3/EVP_PKEY_encapsulate.html]=man3/EVP_PKEY_encapsulate.pod DEPEND[man/man3/EVP_PKEY_encapsulate.3]=man3/EVP_PKEY_encapsulate.pod @@ -1274,10 +1278,6 @@ DEPEND[html/man3/EVP_PKEY_size.html]=man3/EVP_PKEY_size.pod GENERATE[html/man3/EVP_PKEY_size.html]=man3/EVP_PKEY_size.pod DEPEND[man/man3/EVP_PKEY_size.3]=man3/EVP_PKEY_size.pod GENERATE[man/man3/EVP_PKEY_size.3]=man3/EVP_PKEY_size.pod -DEPEND[html/man3/EVP_PKEY_supports_digest_nid.html]=man3/EVP_PKEY_supports_digest_nid.pod -GENERATE[html/man3/EVP_PKEY_supports_digest_nid.html]=man3/EVP_PKEY_supports_digest_nid.pod -DEPEND[man/man3/EVP_PKEY_supports_digest_nid.3]=man3/EVP_PKEY_supports_digest_nid.pod -GENERATE[man/man3/EVP_PKEY_supports_digest_nid.3]=man3/EVP_PKEY_supports_digest_nid.pod DEPEND[html/man3/EVP_PKEY_todata.html]=man3/EVP_PKEY_todata.pod
[openssl] master update
The branch master has been updated via a3c86ce9e8923bb7e5ba3e69eae17aac04dbc76d (commit) from 4639772523e5cb979722483b9374e0c275afde7d (commit) - Log - commit a3c86ce9e8923bb7e5ba3e69eae17aac04dbc76d Author: Tomas Mraz Date: Thu May 13 12:51:14 2021 +0200 update-fips-checksums: Make the dependency on source list work Also clean the generated checksums with make clean Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/15267) --- Summary of changes: Configurations/unix-Makefile.tmpl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index c07f8dd748..935210941f 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -569,6 +569,7 @@ clean: libclean $(RM) core $(RM) tags TAGS doc-nits cmd-nits md-nits $(RM) -r test/test-runs + $(RM) providers/fips*.new $(RM) openssl.pc libcrypto.pc libssl.pc -find . -type l \! -name '.*' -exec $(RM) {} \; @@ -1261,7 +1262,7 @@ tags TAGS: FORCE -ctags -R . -etags `find . -name '*.[ch]' -o -name '*.pm'` -providers/fips.checksum.new: generate_fips_sources +providers/fips.checksum.new: providers/fips.module.sources.new @which unifdef > /dev/null || \ ( echo >&2 "ERROR: unifdef not in your \$$PATH, FIPS checksums not calculated"; \ false )
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-ec2m
Platform and configuration command: $ uname -a Linux run 5.4.0-72-generic #80-Ubuntu SMP Mon Apr 12 17:35:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-ec2m Commit log since last time: 80c25611ab Update expected results for tls13kexmodes tests e776858bce Don't send key_share for PSK-only key exchange f84ab284e9 make update efe0f31535 Improve RFC 8446 PSK key exchange mode compliance 8f965908a5 HTTP client: Minimal changes that include the improved API 4329f361ce Add ASN1_item_i2d_mem_bio(); document and improve also ASN1_item_d2i_bio() 202cbdd2fc A few cleanups of the provider build.infos 6a2ab4a9c8 Allow arbitrary digests with ECDSA and DSA b5d984bf67 apps: make list -help not continue with listing 482e6693b4 apps: change list command to only list fetchable algorithms. 4966411789 encoder: add a _name() function for encoders and decoders b337741372 doc: document the encoder and decoder name functions 63ac53aa51 Checksum update 5725ab8087 property: add test case for setting default user properties before fetching 1f12bf71fe property: create property names more eagerly. ab6db11e63 Run-checker converted to GitHub Actions 4da44374d1 coveralls: fix comment to indicate daily not weekly 7303c58217 Add OID for RPKI id-ct-signedChecklist de3379c941 find-doc-nits fix courtesy Rich Salz 8975b76efa use LHASH_OF(TYPE) macro to make the example consistent with the declaration in ssl.h 842d61b517 Checksum update 0df56c30f7 evp: fix return code check. 4885ecffc7 coverity: fix 1484542 dereference after null check 54e1c14a29 coverity: fix 1484540 resource leak b0f6402bf4 coverity: fix 1484539 resource leak c6b7239072 80-test_cmp_http.t: Improve fuzzing exclusion pattern - fixup! c7978e506b Fix missing $CPUIDDEF in libdefault.a b8be229dab Update FIPS checksums c1fb5e072f Exclude child provider code from the FIPS module 878be71c2d Update documentation following addition of OSSL_LIB_CTX_new_child() fb9b3a7bce Add additional testing of child libctx/providers abaa2dd298 Don't convert pre-existing providers into children 8c62707565 Add support for child provider to up_ref/free their parent 3b85bcfa14 Add a test to check that child provider callbacks are working 7b88c184b6 Register callbacks with core for child provider creation/deletion 5442611dff Add a test for OSSL_LIB_CTX_new_child() d0efad482f Modify the legacy provider to use OSSL_LIB_CTX_new_child() f12a5690de Add the concept of a child OSSL_LIB_CTX a16d21744d Add the ability for ex_data to have a priority d07af736de Only load the config file into the default libctx if necessary 56784203ec Constify EVP_PKEY_CTX_set_params(), EVP_PKEY_CTX_{set,get}table_params(), etc. f925315203 Add convenience functions and macros for asymmetric key generation 6dbb277627 Tests for creating req from PKCS8 keys with extra attrs f60e35d01e reduce surprise in choice of CASE/String/STRING by allowing all inputs to be in any case a7a7e6e3a6 Reduce the runtime/output from the gmdiff test f1a45f68bc armcap: fix Mac M1 SHA512 support. d29d7a7ff2 Fix i2d_PKCS8PrivateKey_nid_bio() regression. 333b31e300 checksum fix Build log ended with (last 100 lines): 70-test_sslcertstatus.t ok 70-test_sslextension.t . ok 70-test_sslmessages.t .. ok 70-test_sslrecords.t ... ok 70-test_sslsessiontick.t ... ok 70-test_sslsigalgs.t ... ok 70-test_sslsignature.t . ok 70-test_sslskewith0p.t . ok 70-test_sslversions.t .. ok 70-test_sslvertol.t ok 70-test_tls13alerts.t .. ok 70-test_tls13cookie.t .. ok 70-test_tls13downgrade.t ... ok 70-test_tls13hrr.t . ok 70-test_tls13kexmodes.t ok 70-test_tls13messages.t ok 70-test_tls13psk.t . ok 70-test_tlsextms.t . ok 70-test_verify_extra.t . ok 70-test_wpacket.t .. ok 71-test_ssl_ctx.t .. ok 80-test_ca.t ... ok 80-test_cipherbytes.t .. ok 80-test_cipherlist.t ... ok 80-test_ciphername.t ... ok # Killing mock server with pid=76905280-test_cmp_http.t . ok # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... ok 80-test_dane.t . ok 80-test_dtls.t . ok 80-test_dtls_mtu.t . ok 80-test_dtlsv1listen.t . ok 80-test_http.t . ok 80-test_ocsp.t . ok 80-test_pkcs12.t ... ok 80-test_ssl_new.t .. ok 80-test_ssl_old.t .. ok 80-test_ssl_test_ctx.t . ok 80-test_sslcorrupt.t ... ok 80-test_tsa.t .. ok 80-test_x509aux.t .. ok 81-test_cmp_cli.t .. ok 90-test_asn1_time.t ok 90-test_async.t
[openssl] master update
The branch master has been updated via 4639772523e5cb979722483b9374e0c275afde7d (commit) via 6581b17dedb77112fca328a09d6073723a013727 (commit) from ca6197ca3c1a18be004c447cf4bf5a1a40d7dd19 (commit) - Log - commit 4639772523e5cb979722483b9374e0c275afde7d Author: Dmitry Belyavskiy Date: Fri May 7 17:36:42 2021 +0200 clarification about the DES status Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15197) commit 6581b17dedb77112fca328a09d6073723a013727 Author: Dmitry Belyavskiy Date: Fri May 7 17:16:29 2021 +0200 Enumerating the legacy provider's cipher algorithms Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15197) --- Summary of changes: doc/man3/EVP_des_cbc.pod | 4 doc/man3/EVP_desx_cbc.pod | 4 doc/man7/OSSL_PROVIDER-legacy.pod | 26 ++ 3 files changed, 34 insertions(+) diff --git a/doc/man3/EVP_des_cbc.pod b/doc/man3/EVP_des_cbc.pod index d00179eacb..bcae9d7a4e 100644 --- a/doc/man3/EVP_des_cbc.pod +++ b/doc/man3/EVP_des_cbc.pod @@ -54,6 +54,10 @@ EVP_des_ofb() DES in CBC, ECB, CFB with 64-bit shift, CFB with 1-bit shift, CFB with 8-bit shift and OFB modes. +None of these algorithms are provided by the OpenSSL default provider. +To use them it is necessary to load either the OpenSSL legacy provider or another +implementation. + =item EVP_des_ede(), EVP_des_ede_cbc(), EVP_des_ede_cfb(), diff --git a/doc/man3/EVP_desx_cbc.pod b/doc/man3/EVP_desx_cbc.pod index c9e250f34c..2a41e08898 100644 --- a/doc/man3/EVP_desx_cbc.pod +++ b/doc/man3/EVP_desx_cbc.pod @@ -23,6 +23,10 @@ All modes below use a key length of 128 bits and acts on blocks of 128-bits. The DES-X algorithm in CBC mode. +This algorithm is not provided by the OpenSSL default provider. +To use it is necessary to load either the OpenSSL legacy provider or another +implementation. + =back =head1 RETURN VALUES diff --git a/doc/man7/OSSL_PROVIDER-legacy.pod b/doc/man7/OSSL_PROVIDER-legacy.pod index 36aeafec94..86ac3fa9a0 100644 --- a/doc/man7/OSSL_PROVIDER-legacy.pod +++ b/doc/man7/OSSL_PROVIDER-legacy.pod @@ -52,6 +52,32 @@ The OpenSSL legacy provider supports these operations and algorithms: =back +=head2 Symmetric Ciphers + +Not all of these symmetric cipher algorithms are enabled by default. + +=over 4 + +=item Blowfish + +=item CAST + +=item DES + +=item IDEA + +=item RC2 + +=item RC4 + +=item RC5 + +Disabled by default. Use I config option to enable. + +=item SEED + +=back + =begin comment When algorithms for other operations start appearing, the
[openssl] master update
The branch master has been updated via ca6197ca3c1a18be004c447cf4bf5a1a40d7dd19 (commit) from 9ce2ef9ba084ec9548b6d219687b24590f87eb1b (commit) - Log - commit ca6197ca3c1a18be004c447cf4bf5a1a40d7dd19 Author: Tomas Mraz Date: Thu May 13 12:05:36 2021 +0200 Ensure the pristine checksums are not recomputed When switching between the pristine and PR checkouts we must ensure the pristine checksums are not recomputed. Also ignore errors (such as trying to remove a label that is not set) when setting or removing labels. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15266) --- Summary of changes: .github/workflows/checksums.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/checksums.yml b/.github/workflows/checksums.yml index 3b28d4e23b..5f444b639b 100644 --- a/.github/workflows/checksums.yml +++ b/.github/workflows/checksums.yml @@ -38,13 +38,14 @@ jobs: run: make fips-checksums working-directory: ./build - name: update checksums pristine -run: make update-fips-checksums +run: touch providers/fips.checksum.new && make update-fips-checksums working-directory: ./build-pristine - name: make diff-fips-checksums run: make diff-fips-checksums && echo "fips_unchanged=1" >> $GITHUB_ENV || echo "fips_changed=1" >> $GITHUB_ENV working-directory: ./build - name: set label if: ${{ env.fips_changed }} +continue-on-error: true uses: actions/github-script@v4 with: github-token: ${{secrets.GITHUB_TOKEN}} @@ -57,6 +58,7 @@ jobs: }) - name: remove label if: ${{ env.fips_unchanged }} +continue-on-error: true uses: actions/github-script@v4 with: github-token: ${{secrets.GITHUB_TOKEN}}
[openssl] master update
The branch master has been updated via 9ce2ef9ba084ec9548b6d219687b24590f87eb1b (commit) from ce70766cb22f2ff88d21d5f60f47cfb4d126ca61 (commit) - Log - commit 9ce2ef9ba084ec9548b6d219687b24590f87eb1b Author: Tomas Mraz Date: Thu May 13 11:34:53 2021 +0200 The FIPS Checksums job must be run on pull_request_target Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15265) --- Summary of changes: .github/workflows/checksums.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/checksums.yml b/.github/workflows/checksums.yml index 9caf49c9fb..3b28d4e23b 100644 --- a/.github/workflows/checksums.yml +++ b/.github/workflows/checksums.yml @@ -1,5 +1,5 @@ name: FIPS Checksums -on: [pull_request] +on: [pull_request_target] jobs: apply-label: runs-on: ubuntu-latest
[openssl] master update
The branch master has been updated via ce70766cb22f2ff88d21d5f60f47cfb4d126ca61 (commit) via c612c7a455d9b3ea602c87fe720d09535f1f6e37 (commit) from 8f3683cda197cd3df1005dc058a2d57be0b6cc5a (commit) - Log - commit ce70766cb22f2ff88d21d5f60f47cfb4d126ca61 Author: Dr. David von Oheimb Date: Fri Apr 16 17:52:22 2021 +0200 Makefile: Make sure providers/fipsmodule.cnf is re-built also for run_tests Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14901) commit c612c7a455d9b3ea602c87fe720d09535f1f6e37 Author: Dr. David von Oheimb Date: Fri Apr 16 17:51:55 2021 +0200 Makefile: Simplify use of run_tests Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14901) --- Summary of changes: Configurations/unix-Makefile.tmpl | 11 --- providers/build.info | 2 +- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 3f78d6d5de..c07f8dd748 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -506,7 +506,8 @@ build_all_generated: $(GENERATED_MANDATORY) $(GENERATED) build_docs all: build_sw build_docs test: tests -{- dependmagic('tests'); -}: build_programs_nodep build_modules_nodep link-utils +{- dependmagic('tests'); -}: build_programs_nodep build_modules_nodep link-utils run_tests +run_tests: @ : {- output_off() if $disabled{tests}; "" -} ( SRCTOP=$(SRCDIR) \ BLDTOP=$(BLDDIR) \ @@ -520,8 +521,7 @@ test: tests list-tests: @ : {- output_off() if $disabled{tests}; "" -} - @SRCTOP="$(SRCDIR)" \ -$(PERL) $(SRCDIR)/test/run_tests.pl list + $(MAKE) run_tests TESTS=list @ : {- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -} @echo "Tests are not supported with your chosen Configure options" @ : {- output_on() if !$disabled{tests}; "" -} @@ -1254,10 +1254,7 @@ ordinals: build_generated $(SSLHEADERS) test_ordinals: - ( cd test; \ - SRCTOP=../$(SRCDIR) \ - BLDTOP=../$(BLDDIR) \ - $(PERL) ../$(SRCDIR)/test/run_tests.pl test_ordinals ) + $(MAKE) run_tests TESTS=test_ordinals tags TAGS: FORCE rm -f TAGS tags diff --git a/providers/build.info b/providers/build.info index 065b570253..e9ec4cf646 100644 --- a/providers/build.info +++ b/providers/build.info @@ -119,7 +119,7 @@ IF[{- !$disabled{fips} -}] # the generated commands in build templates are expected to catch that, # and thereby keep control over the exact output file location. IF[{- !$disabled{tests} -}] -DEPEND[|tests|]=fipsmodule.cnf +DEPEND[|run_tests|]=fipsmodule.cnf GENERATE[fipsmodule.cnf]=../apps/openssl fipsinstall \ -module providers/$(FIPSMODULENAME) -provider_name fips \ -mac_name HMAC -section_name fips_sect
[openssl] master update
The branch master has been updated via 8f3683cda197cd3df1005dc058a2d57be0b6cc5a (commit) from 91a05d65908c2ee21920d0effbda58b8536c2768 (commit) - Log - commit 8f3683cda197cd3df1005dc058a2d57be0b6cc5a Author: Tomas Mraz Date: Thu May 13 10:50:14 2021 +0200 Remove the .new suffix inside the fips.checksum.new Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/15263) --- Summary of changes: Configurations/unix-Makefile.tmpl | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 9dcc0b0342..3f78d6d5de 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -1264,7 +1264,7 @@ tags TAGS: FORCE -ctags -R . -etags `find . -name '*.[ch]' -o -name '*.pm'` -fips-checksums: generate_fips_sources +providers/fips.checksum.new: generate_fips_sources @which unifdef > /dev/null || \ ( echo >&2 "ERROR: unifdef not in your \$$PATH, FIPS checksums not calculated"; \ false ) @@ -1274,7 +1274,9 @@ fips-checksums: generate_fips_sources | xargs ./util/fips-checksums.sh ) \ > providers/fips-sources.checksums.new \ && sha256sum providers/fips-sources.checksums.new \ -> providers/fips.checksum.new +| sed -e 's|\.new||' > providers/fips.checksum.new + +fips-checksums: providers/fips.checksum.new $(SRCDIR)/providers/fips.checksum: providers/fips.checksum.new cp -p providers/fips.module.sources.new $(SRCDIR)/providers/fips.module.sources
[openssl] master update
The branch master has been updated via 91a05d65908c2ee21920d0effbda58b8536c2768 (commit) via 16e00da2c9a59e2e3ea774e546bdbe75b238595f (commit) via 220927071e91667e58297d24d64e22fa06439a98 (commit) via dea76175581ee827205bc70daa72c1de7872faf6 (commit) via b17e79929819be3093fda576a4b8566c7fc7df70 (commit) via 8e782e8b4f8da79713d67446ac179e87201f2a5a (commit) via f3b1e3488cc194b0145b61dbe65b7b0b49a1abc4 (commit) from 66ddc0759a435672f1c48b856a0968e7f6e35a82 (commit) - Log - commit 91a05d65908c2ee21920d0effbda58b8536c2768 Author: Tomas Mraz Date: Wed May 12 16:14:01 2021 +0200 Allow diff-fips-checksums in in-tree build Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15229) commit 16e00da2c9a59e2e3ea774e546bdbe75b238595f Author: Tomas Mraz Date: Wed May 12 09:04:59 2021 +0200 Remove the severity: fips change label if fips checksum unchanged Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15229) commit 220927071e91667e58297d24d64e22fa06439a98 Author: Tomas Mraz Date: Tue May 11 18:15:32 2021 +0200 Set the severity: fips change label if fips checksum changed Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15229) commit dea76175581ee827205bc70daa72c1de7872faf6 Author: Tomas Mraz Date: Tue May 11 17:50:13 2021 +0200 fipsprov: Missing teardown on fips_get_params_from_core() error Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15229) commit b17e79929819be3093fda576a4b8566c7fc7df70 Author: Tomas Mraz Date: Tue May 11 17:06:57 2021 +0200 Add checksums github CI action Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15229) commit 8e782e8b4f8da79713d67446ac179e87201f2a5a Author: Tomas Mraz Date: Tue May 11 16:20:51 2021 +0200 Add diff-fips-checksums target to compare BLDDIR and SRCDIR checksums Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15229) commit f3b1e3488cc194b0145b61dbe65b7b0b49a1abc4 Author: Tomas Mraz Date: Tue May 11 16:07:35 2021 +0200 Compute the FIPS checksums in $(BLDDIR) and remove it from update target Add also update-fips-checksums to update the checksums in the $(SRCDIR) if the $(SRCDIR) and $(BLDDIR) is different. The fips-checksums and generate_fips_sources targets are always produced (regardless of enable-fips) as nothing else depends on them and they are developer targets. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15229) --- Summary of changes: .github/workflows/checksums.yml | 69 +++ Configurations/unix-Makefile.tmpl | 45 + providers/fips/fipsprov.c | 2 +- 3 files changed, 95 insertions(+), 21 deletions(-) create mode 100644 .github/workflows/checksums.yml diff --git a/.github/workflows/checksums.yml b/.github/workflows/checksums.yml new file mode 100644 index 00..9caf49c9fb --- /dev/null +++ b/.github/workflows/checksums.yml @@ -0,0 +1,69 @@ +name: FIPS Checksums +on: [pull_request] +jobs: + apply-label: +runs-on: ubuntu-latest +steps: + - name: install unifdef +run: | +sudo apt-get update +sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install unifdef + - uses: actions/checkout@v2 +with: + ref: ${{ github.event.pull_request.base.sha }} + - name: create build dirs +run: | + mkdir ./build-pristine + mkdir ./build + - name: config pristine +run: ../config enable-fips && perl configdata.pm --dump +working-directory: ./build-pristine + - name: make build_generated pristine +run: make -s build_generated +working-directory: ./build-pristine + - name: make fips-checksums pristine +run: make fips-checksums +working-directory: ./build-pristine + - uses: actions/checkout@v2 +with: + ref: ${{ github.event.pull_request.head.sha }} + clean: false + - name: config +run: ../config enable-fips && perl configdata.pm --dump +working-directory: ./build + - name: make build_generated +run: make -s build_generated +working-directory: ./build + - name: make fips-checksums +run: make fips-checksums +working-directory: ./build + - name: update checksums pristine +run: make update-fips-checksums +working-directory: ./build-pristine + - name: make diff-fips-checksums +run: make diff-fips-checksums && echo "fips_unchanged=1" >> $GITHUB_ENV
[openssl] master update
The branch master has been updated via 66ddc0759a435672f1c48b856a0968e7f6e35a82 (commit) via b1423d04cdcad9dbbe2da6e4751f0895112cc977 (commit) from 9a633a1c97e387157560641c4f7043efe52dba6b (commit) - Log - commit 66ddc0759a435672f1c48b856a0968e7f6e35a82 Author: Pauli Date: Wed May 12 14:22:52 2021 +1000 x509: fix a dangling pointer If object was pointer was passed and an error occured the object was freed & the pointer returned. Fix this to NULL out the caller's pointer before returning. Fixes #15115 Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15238) commit b1423d04cdcad9dbbe2da6e4751f0895112cc977 Author: Pauli Date: Wed May 12 14:10:49 2021 +1000 e_loader_attic: fix a use after free issue Fixes #15116 Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15238) --- Summary of changes: crypto/x509/x_x509.c | 4 +++- engines/e_loader_attic.c | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c index 529d701bbb..7959ee223f 100644 --- a/crypto/x509/x_x509.c +++ b/crypto/x509/x_x509.c @@ -131,8 +131,10 @@ X509 *d2i_X509(X509 **a, const unsigned char **in, long len) /* Only cache the extensions if the cert object was passed in */ if (cert != NULL && a != NULL) { /* then cert == *a */ if (!ossl_x509v3_cache_extensions(cert)) { -if (free_on_error) +if (free_on_error) { +*a = NULL; X509_free(cert); +} cert = NULL; } } diff --git a/engines/e_loader_attic.c b/engines/e_loader_attic.c index 802b3d9067..4cb98280a5 100644 --- a/engines/e_loader_attic.c +++ b/engines/e_loader_attic.c @@ -199,6 +199,7 @@ static OSSL_STORE_INFO *new_EMBEDDED(const char *new_pem_name, return NULL; } +data->blob = embedded; data->pem_name = new_pem_name == NULL ? NULL : OPENSSL_strdup(new_pem_name); @@ -207,7 +208,6 @@ static OSSL_STORE_INFO *new_EMBEDDED(const char *new_pem_name, store_info_free(info); info = NULL; } -data->blob = embedded; return info; }
[tools] master update
The branch master has been updated via 0e935b5510ff4240341205184085f8a93eb36c24 (commit) from ca5cf74927c857e135ec53640b2dcf58740da56e (commit) - Log - commit 0e935b5510ff4240341205184085f8a93eb36c24 Author: Pauli Date: Wed May 12 11:25:35 2021 +1000 run-checker: reduce the number of builds With the addition of most run-checker jobs to GitHub Actions, there is no need to continue running these jobs ourselves. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/tools/pull/87) --- Summary of changes: run-checker/run-checker.sh | 29 + 1 file changed, 1 insertion(+), 28 deletions(-) diff --git a/run-checker/run-checker.sh b/run-checker/run-checker.sh index 699f30f..124259f 100755 --- a/run-checker/run-checker.sh +++ b/run-checker/run-checker.sh @@ -22,34 +22,7 @@ here=$(cd $(dirname $0); pwd) opts=( '' -no-afalgeng enable-asan no-asm no-async no-autoalginit no-autoerrinit -no-bf no-blake2 no-camellia no-capieng no-cast no-chacha no-cmac no-cms no-comp -enable-crypto-mdebug enable-crypto-mdebug-backtrace no-ct no-deprecated no-des -no-dgram no-dh no-dsa no-dso no-dynamic-engine no-ec no-ec2m no-ecdh -no-ecdsa enable-ec_nistp_64_gcc_128 enable-egd no-engine 'no-engine no-shared' -no-err no-filenames -no-aria no-asan no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng -no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl no-fuzz-libfuzzer -no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ssl no-ssl-trace no-tests -no-ubsan no-ui-console no-unit-test no-weak-ssl-ciphers -no-zlib no-zlib-dynamic -enable-fuzz-afl enable-fuzz-libfuzzer enable-heartbeats no-hw no-hw-padlock -no-idea no-makedepend enable-md2 no-md4 no-mdc2 no-gost no-multiblock -no-nextprotoneg no-ocb no-ocsp no-pic no-poly1305 no-posix-io no-psk no-rc2 -no-rc4 enable-rc5 no-rdrand no-rfc3779 no-ripemd no-rmd160 no-scrypt enable-sctp -no-seed no-shared no-sock no-srp no-srtp no-sse2 enable-ssl-trace -no-static-engine no-stdio no-threads no-ts enable-ubsan no-ui -enable-unit-test no-whirlpool enable-weak-ssl-ciphers enable-zlib -enable-zlib-dynamic 386 no-dtls no-tls no-ssl3 no-tls1 no-tls1_1 no-tls1_2 -no-dtls1 no-dtls1_2 no-ssl3-method no-tls1-method no-tls1_1-method -no-tls1_2-method no-dtls1-method no-dtls1_2-method no-siphash no-tls1_3 no-sm2 -no-sm3 no-sm4 enable-trace no-legacy no-cached-fetch no-autoload-config -'no-buildtest-c++' no-bulk no-cmp no-ktls no-module no-padlockeng -no-pinshared no-secure-memory no-siv no-uplink enable-acvp-tests enable-fips -'enable-fips no-fips-securitychecks' 'enable-fips enable-acvp-tests' -'enable-fips no-tls' 'enable-fips no-tls1_1' 'enable-fips no-tls1' -'enable-fips no-ssl3-method' 'enable-fips no-tls1-method' -'enable-fips no-tls1_1-method' 'enable-fips no-tls1_3' +enable-fuzz-afl enable-fuzz-libfuzzer ) run-hook () {