[openssl] master update
The branch master has been updated via 1941684daf54da9de8cf1d2a9b1df471ecdcb1a1 (commit) from 599429e09a6ddae2d6de2e031bf82817f29f4af0 (commit) - Log - commit 1941684daf54da9de8cf1d2a9b1df471ecdcb1a1 Author: Shane Lontis Date: Mon Jun 14 16:36:39 2021 +1000 Add missing migration_guide API mappings. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15732) --- Summary of changes: doc/man7/migration_guide.pod | 24 1 file changed, 24 insertions(+) diff --git a/doc/man7/migration_guide.pod b/doc/man7/migration_guide.pod index 6a71d68b9a..82c7ffcc43 100644 --- a/doc/man7/migration_guide.pod +++ b/doc/man7/migration_guide.pod @@ -581,6 +581,14 @@ L, L and L =item - +L + +=item - + +b2i_RSA_PVK_bio() and i2b_PVK_bio() + +=item - + L and L =item - @@ -627,6 +635,10 @@ L, L and L =item - +L + +=item - + L =item - @@ -705,6 +717,14 @@ L =item - +L + +=item - + +L + +=item - + L =item - @@ -747,6 +767,10 @@ Passing NULL will use the default library context. =item - +L + +=item - + L and L =item -
[openssl] master update
The branch master has been updated via 599429e09a6ddae2d6de2e031bf82817f29f4af0 (commit) via 87e60f09aa8b253c38d457c3560680ba839a6cf2 (commit) via 97abae6a9d94c29314dc28f6d4d6a4171b9b0c38 (commit) from b88a3b10167963e31145e2ba427eb6f55e77f9b8 (commit) - Log - commit 599429e09a6ddae2d6de2e031bf82817f29f4af0 Author: Matt Caswell Date: Wed Jun 9 16:10:03 2021 +0100 Add documentation for the newly added OBJ up calls Reviewed-by: Richard Levitte Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15681) commit 87e60f09aa8b253c38d457c3560680ba839a6cf2 Author: Matt Caswell Date: Wed Jun 9 15:50:37 2021 +0100 Add a test for the newly added OBJ upcalls Reviewed-by: Richard Levitte Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15681) commit 97abae6a9d94c29314dc28f6d4d6a4171b9b0c38 Author: Matt Caswell Date: Wed Jun 9 14:05:26 2021 +0100 Add various OBJ functions as callbacks This enables providers to register new OIDs in the same libcrypto instance as is used by the application. Fixes #15624 Reviewed-by: Richard Levitte Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15681) --- Summary of changes: crypto/provider_core.c | 37 +++ doc/man3/OBJ_nid2obj.pod | 51 ++ doc/man7/provider-base.pod | 34 ++- include/openssl/core_dispatch.h| 13 +++ test/build.info| 6 +- test/recipes/{05-test_rand.t => 04-test_upcalls.t} | 9 +- test/upcallstest.c | 112 + util/missingcrypto.txt | 1 - 8 files changed, 234 insertions(+), 29 deletions(-) copy test/recipes/{05-test_rand.t => 04-test_upcalls.t} (80%) create mode 100644 test/upcallstest.c diff --git a/crypto/provider_core.c b/crypto/provider_core.c index c6a8fa3f26..4c423a6bda 100644 --- a/crypto/provider_core.c +++ b/crypto/provider_core.c @@ -1543,6 +1543,8 @@ static OSSL_FUNC_core_vset_error_fn core_vset_error; static OSSL_FUNC_core_set_error_mark_fn core_set_error_mark; static OSSL_FUNC_core_clear_last_error_mark_fn core_clear_last_error_mark; static OSSL_FUNC_core_pop_error_to_mark_fn core_pop_error_to_mark; +static OSSL_FUNC_core_obj_add_sigid_fn core_obj_add_sigid; +static OSSL_FUNC_core_obj_create_fn core_obj_create; #endif static const OSSL_PARAM *core_gettable_params(const OSSL_CORE_HANDLE *handle) @@ -1673,6 +1675,39 @@ static int core_pop_error_to_mark(const OSSL_CORE_HANDLE *handle) { return ERR_pop_to_mark(); } + +static int core_obj_add_sigid(const OSSL_CORE_HANDLE *prov, + const char *sign_name, const char *digest_name, + const char *pkey_name) +{ +int sign_nid = OBJ_txt2nid(sign_name); +int digest_nid = OBJ_txt2nid(digest_name); +int pkey_nid = OBJ_txt2nid(pkey_name); + +if (sign_nid == NID_undef) +return 0; + +/* + * Check if it already exists. This is a success if so (even if we don't + * have nids for the digest/pkey) + */ +if (OBJ_find_sigid_algs(sign_nid, NULL, NULL)) +return 1; + +if (digest_nid == NID_undef +|| pkey_nid == NID_undef) +return 0; + +return OBJ_add_sigid(sign_nid, digest_nid, pkey_nid); +} + +static int core_obj_create(const OSSL_CORE_HANDLE *prov, const char *oid, + const char *sn, const char *ln) +{ +/* Check if it already exists and create it if not */ +return OBJ_txt2nid(oid) != NID_undef + || OBJ_create(oid, sn, ln) != NID_undef; +} #endif /* FIPS_MODULE */ /* @@ -1737,6 +1772,8 @@ static const OSSL_DISPATCH core_dispatch_[] = { (void (*)(void))provider_up_ref_intern }, { OSSL_FUNC_PROVIDER_FREE, (void (*)(void))provider_free_intern }, +{ OSSL_FUNC_CORE_OBJ_ADD_SIGID, (void (*)(void))core_obj_add_sigid }, +{ OSSL_FUNC_CORE_OBJ_CREATE, (void (*)(void))core_obj_create }, #endif { 0, NULL } }; diff --git a/doc/man3/OBJ_nid2obj.pod b/doc/man3/OBJ_nid2obj.pod index 9089f95622..54b751f6df 100644 --- a/doc/man3/OBJ_nid2obj.pod +++ b/doc/man3/OBJ_nid2obj.pod @@ -5,7 +5,7 @@ i2t_ASN1_OBJECT, OBJ_length, OBJ_get0_data, OBJ_nid2obj, OBJ_nid2ln, OBJ_nid2sn, OBJ_obj2nid, OBJ_txt2nid, OBJ_ln2nid, OBJ_sn2nid, OBJ_cmp, -OBJ_dup, OBJ_txt2obj, OBJ_obj2txt, OBJ_create, OBJ_cleanup +OBJ_dup, OBJ_txt2obj, OBJ_obj2txt, OBJ_create, OBJ_cleanup, OBJ_add_sigid -
[openssl] master update
The branch master has been updated via b88a3b10167963e31145e2ba427eb6f55e77f9b8 (commit) from cb37af461dd3cb20dc38fb3710dd010046a3047e (commit) - Log - commit b88a3b10167963e31145e2ba427eb6f55e77f9b8 Author: Pauli Date: Mon Jun 14 18:07:49 2021 +1000 doc: finish the provider child up call documentation The bulk of the documentation was there but it wasn't quite complete. Fixes #15678 Reviewed-by: Matt Caswell Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/15734) --- Summary of changes: doc/man7/provider-base.pod | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/doc/man7/provider-base.pod b/doc/man7/provider-base.pod index 292752afe9..7ade4a1c8e 100644 --- a/doc/man7/provider-base.pod +++ b/doc/man7/provider-base.pod @@ -99,7 +99,6 @@ provider-base int provider_up_ref(const OSSL_CORE_HANDLE *prov, int activate); int provider_free(const OSSL_CORE_HANDLE *prov, int deactivate); - /* Functions offered by the provider to libcrypto */ void provider_teardown(void *provctx); const OSSL_ITEM *provider_gettable_params(void *provctx); @@ -171,6 +170,13 @@ provider): ossl_rand_cleanup_entropy OSSL_FUNC_CLEANUP_ENTROPY ossl_rand_get_nonceOSSL_FUNC_GET_NONCE ossl_rand_cleanup_nonceOSSL_FUNC_CLEANUP_NONCE + provider_register_child_cb OSSL_FUNC_PROVIDER_REGISTER_CHILD_CB + provider_deregister_child_cb OSSL_FUNC_PROVIDER_DEREGISTER_CHILD_CB + provider_name OSSL_FUNC_PROVIDER_NAME + provider_get0_provider_ctx OSSL_FUNC_PROVIDER_GET0_PROVIDER_CTX + provider_get0_dispatch OSSL_FUNC_PROVIDER_GET0_DISPATCH + provider_up_refOSSL_FUNC_PROVIDER_UP_REF + provider_free OSSL_FUNC_PROVIDER_FREE For I<*out> (the B array passed from the provider to F):
[openssl] master update
The branch master has been updated via cb37af461dd3cb20dc38fb3710dd010046a3047e (commit) via 07b8c0a18658354356870e2d42da9875aa299d9b (commit) from 42cf25fcb6ea3c9e5998a1c4f55eedaad53b346f (commit) - Log - commit cb37af461dd3cb20dc38fb3710dd010046a3047e Author: Richard Levitte Date: Tue Jun 15 18:50:55 2021 +0200 TEST: Skip test/recipes/01-test_symbol_presence.t on MacOS It renames symbols, so we can a false negative Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15776) commit 07b8c0a18658354356870e2d42da9875aa299d9b Author: Richard Levitte Date: Tue Jun 15 18:15:52 2021 +0200 TEST: Display the correct shared library name In test/recipes/01-test_symbol_presence.t Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15776) --- Summary of changes: test/recipes/01-test_symbol_presence.t | 11 +++ 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t index e979c18f46..edcac23978 100644 --- a/test/recipes/01-test_symbol_presence.t +++ b/test/recipes/01-test_symbol_presence.t @@ -21,6 +21,8 @@ use lib bldtop_dir('.'); use platform; plan skip_all => "Test is disabled on NonStop" if config('target') =~ m|^nonstop|; +# MacOS arranges symbol names differently +plan skip_all => "Test is disabled on MacOS" if config('target') =~ m|^darwin|; plan skip_all => "Only useful when building shared libraries" if disabled("shared"); @@ -39,7 +41,8 @@ note foreach my $libname (@libnames) { SKIP: { -my $shlibpath = bldtop_file(platform->sharedlib("lib$libname")); +my $shlibname = platform->sharedlib("lib$libname"); +my $shlibpath = bldtop_file($shlibname); *OSTDERR = *STDERR; *OSTDOUT = *STDOUT; open STDERR, ">", devnull(); @@ -107,18 +110,18 @@ foreach my $libname (@libnames) { } if (scalar @missing) { -note "The following symbols are missing in lib$libname.so:"; +note "The following symbols are missing in ${shlibname}:"; foreach (@missing) { note " $_"; } } if (scalar @extra) { -note "The following symbols are extra in lib$libname.so:"; +note "The following symbols are extra in ${shlibname}:"; foreach (@extra) { note " $_"; } } ok(scalar @missing == 0, - "check that there are no missing symbols in lib$libname.so"); + "check that there are no missing symbols in ${shlibname}"); } }
[openssl] master update
The branch master has been updated via 42cf25fcb6ea3c9e5998a1c4f55eedaad53b346f (commit) via 8b29badad16266ca520f8ca1232518df4eb896ff (commit) from 4832560be3b2a709557497cd881f8c390ba7ec34 (commit) - Log - commit 42cf25fcb6ea3c9e5998a1c4f55eedaad53b346f Author: Pauli Date: Tue Jun 15 08:32:48 2021 +1000 new: update NEWS.md so it is correct. - Removing the deprecation note for public key commands. - Fixing the note about ECX and SHAKE in the FIPS provider. - Noting which KDFs are included. - Noting which MACs are included. Fixes #15743 Reviewed-by: Shane Lontis Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/15746) commit 8b29badad16266ca520f8ca1232518df4eb896ff Author: Pauli Date: Tue Jun 15 08:30:23 2021 +1000 new: update NEWS.md so it is correct. - Removing the deprecation note for public key commands. - Fixing the note about ECX and SHAKE in the FIPS provider. - Noting which KDFs are included. - Noting which MACs are included. Fixes #15743 Reviewed-by: Shane Lontis Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/15746) --- Summary of changes: NEWS.md | 16 +++- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/NEWS.md b/NEWS.md index 50a2fd36e2..13a4e1bbf6 100644 --- a/NEWS.md +++ b/NEWS.md @@ -39,12 +39,8 @@ OpenSSL 3.0 * Deprecated the `ENGINE` API. * Added `OSSL_LIB_CTX`, a libcrypto library context. * Interactive mode is removed from the 'openssl' program. - * The X25519, X448, Ed25519, Ed448 and SHAKE256 algorithms are included in -the FIPS provider. None have the "fips=yes" property set and, as such, -will not be accidentially used. - * The algorithm specific public key command line applications have -been deprecated. These include dhparam, gendsa and others. The pkey -alternatives should be used instead: pkey, pkeyparam and genpkey. + * The X25519, X448, Ed25519, Ed448, SHAKE128 and SHAKE256 algorithms are +included in the FIPS provider. * X509 certificates signed using SHA1 are no longer allowed at security level 1 or higher. The default security level for TLS is 1, so certificates signed using SHA1 are by default no longer trusted to @@ -75,10 +71,12 @@ OpenSSL 3.0 * Changed our version number scheme and set the next major release to 3.0.0 * Added EVP_MAC, an EVP layer MAC API, and a generic EVP_PKEY to EVP_MAC -bridge. +bridge. Supported MACs are: BLAKE2, CMAC, GMAC, HMAC, KMAC, POLY1305 +and SIPHASH. * Removed the heartbeat message in DTLS feature. - * Added EVP_KDF, an EVP layer KDF API, and a generic EVP_PKEY to EVP_KDF -bridge. + * Added EVP_KDF, an EVP layer KDF and PRF API, and a generic EVP_PKEY to +EVP_KDF bridge. Supported KDFs are: HKDF, KBKDF, KRB5 KDF, PBKDF2, +PKCS12 KDF, SCRYPT, SSH KDF, SSKDF, TLS1 PRF, X9.42 KDF and X9.63 KDF. * All of the low-level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224, SHA256, SHA384, SHA512 and Whirlpool digest functions have been deprecated.
Still FAILED build of OpenSSL branch master with options --strict-warnings
Platform and configuration command: $ uname -a Linux run 5.4.0-72-generic #80-Ubuntu SMP Mon Apr 12 17:35:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config --strict-warnings Commit log since last time: 4832560be3 Disabling Encrypt-then-MAC extension in s_client/s_server 835dd706d3 TEST: Make test/recipes/01-test_symbol_presence.t more platform agnostic 29b3fdad2b Refactor OSSL_STORE_LOADER_do_all_provided() to behave like OSSL_STORE_LOADER_fetch() 5d8ad7d385 test/evp_extra_test.c: Peek at the error instead of getting it. 27fb7a0a27 DECODER & ENCODER: Add better tracing cd77073879 Adapt all public EVP_XXX_do_all_provided() for the changed evp_generic_do_all() 793b05865a Refactor evp_generic_do_all() to behave like evp_generic_fetch() b3f5d5d368 Refactor OSSL_ENCODER_do_all_provided() to behave like OSSL_ENCODER_fetch() 0756282830 Refactor OSSL_DECODER_do_all_provided() to behave like OSSL_DECODER_fetch() f0191d0b13 Add the internal function ossl_method_store_do_all() 04fb4ec8fa s_server: make -rev option easier to find (mention echo) 9067cf6ccd CORE: Move away the allocation of the temporary no_cache method store 515480be79 ASN1_parse_dump(): allow NULL BIO input, to simplify applications not needing output bb19b9d456 BIO_write_ex(): Make handing of BIO b == NULL and dlen == 0 less redundant 1d8897176d BIO: Make source file names in crypto/bio/ consistent 3b66592490 BIO_dum_indent_cb(): Fix handling of cb return value f42b3b70d8 fuzz/asn1parse.c: Clean up non-portable code and catch malloc failure 9d9691f78a BIO: prevent crash on NULL BIO for prefix_ctrl() and thus for BIO_set_prefix(), BIO_set_indent(), etc. 4439a6483e ASN1: rename asn1_par.c to asn1_parse.c for clarity; simplify asn1_parse2() a5d250e57e Use getauxval on Android with API level > 18 5bbe213418 Remove "-immedate_renegotiation" option f4752e8827 Move AllowClientRenegotiation tests 60d13c8ff8 remove end of line whitespace dfb0b8d63a cms: free PKEY_CTX 8dff167dfe cms: fix coverity 1485981: unchecked return value a1fb5eb920 apps: move global libctx and property query into their own file c696f4bfc3 speed: make sure to free any allocated EVP_MAC structures 09495e4301 pkcs12: use the app's libctx and property query when searching for algorithms 4d574312db speed: use the app's libctx and property query when searching for algorithms f147fa3e7d list: use the app's libctx and property query when searching for algorithms f64851c5b3 kdf: use the app's libctx and property query when searching for algorithms c8dd887d3c fipsinstall: use the app's libctx and property query when searching for algorithms 3334e039cf add libctx and property query to fetch functions 02288cbb65 test: add SPKAC command test 81743ed9d7 spkac: document -digest option e1a77f9cff spkac: allow digests other than MD5 to be used for signing 42e97dde80 Add missing NULL check in OSSL_DECODER_from_bio(). Build log ended with (last 100 lines): # ERROR: (bool) 'create_ssl_ctx_pair(NULL, TLS_server_method(), TLS_client_method(), TLS1_VERSION, 0, , , ciphers[idx].certnum == 0 ? cert1 : cert2, ciphers[idx].certnum == 0 ? privkey1 : privkey2) == true' failed @ ../openssl/test/gosttest.c:57 # false # 80E1FCA7127F:error:0372:digital envelope routines:X509_PUBKEY_get0:decode error:../openssl/crypto/x509/x_pubkey.c:441: # 80E1FCA7127F:error:0A00018F:SSL routines:SSL_CTX_use_certificate:ee key too small:../openssl/ssl/ssl_rsa.c:221: # OPENSSL_TEST_RAND_ORDER=1623794837 not ok 3 - iteration 3 # -- # ERROR: (int) 'SSL_CTX_use_certificate_file(serverctx, certfile, SSL_FILETYPE_PEM) == 1' failed @ ../openssl/test/helpers/ssltestlib.c:741 # [0] compared to [1] # ERROR: (bool) 'create_ssl_ctx_pair(NULL, TLS_server_method(), TLS_client_method(), TLS1_VERSION, 0, , , ciphers[idx].certnum == 0 ? cert1 : cert2, ciphers[idx].certnum == 0 ? privkey1 : privkey2) == true' failed @ ../openssl/test/gosttest.c:57 # false # 80E1FCA7127F:error:0372:digital envelope routines:X509_PUBKEY_get0:decode error:../openssl/crypto/x509/x_pubkey.c:441: # 80E1FCA7127F:error:0A00018F:SSL routines:SSL_CTX_use_certificate:ee key too small:../openssl/ssl/ssl_rsa.c:221: # OPENSSL_TEST_RAND_ORDER=1623794837 not ok 4 - iteration 4 # -- # ERROR: (int) 'SSL_CTX_use_certificate_file(serverctx, certfile, SSL_FILETYPE_PEM) == 1' failed @ ../openssl/test/helpers/ssltestlib.c:741 # [0] compared to [1] # ERROR: (bool) 'create_ssl_ctx_pair(NULL, TLS_server_method(), TLS_client_method(), TLS1_VERSION, 0, , , ciphers[idx].certnum == 0 ? cert1 : cert2, ciphers[idx].certnum == 0 ? privkey1 : privkey2) == true' failed @ ../openssl/test/gosttest.c:57 # false #
[openssl] master update
The branch master has been updated via 4832560be3b2a709557497cd881f8c390ba7ec34 (commit) from 835dd706d3a916dacdb302905899a32638ed8adc (commit) - Log - commit 4832560be3b2a709557497cd881f8c390ba7ec34 Author: Dmitry Belyavskiy Date: Mon Jun 14 11:40:31 2021 +0200 Disabling Encrypt-then-MAC extension in s_client/s_server Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15735) --- Summary of changes: apps/include/opt.h | 9 ++--- doc/man1/openssl-s_client.pod.in | 5 + doc/man1/openssl-s_server.pod.in | 5 + doc/perlvars.pm | 3 ++- ssl/ssl_conf.c | 6 +- 5 files changed, 23 insertions(+), 5 deletions(-) diff --git a/apps/include/opt.h b/apps/include/opt.h index b77c5a52e5..96e78e4b79 100644 --- a/apps/include/opt.h +++ b/apps/include/opt.h @@ -163,7 +163,7 @@ OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, OPT_S_CIPHERSUITES, \ OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP, \ OPT_S_MINPROTO, OPT_S_MAXPROTO, \ -OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S__LAST +OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S_NO_ETM, OPT_S__LAST # define OPT_S_OPTIONS \ OPT_SECTION("TLS/SSL"), \ @@ -216,7 +216,9 @@ {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \ "Perform all sorts of protocol violations for testing purposes"}, \ {"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', \ -"Disable TLSv1.3 middlebox compat mode" } +"Disable TLSv1.3 middlebox compat mode" }, \ +{"no_etm", OPT_S_NO_ETM, '-', \ +"Disable Encrypt-then-Mac extension"} # define OPT_S_CASES \ OPT_S__FIRST: case OPT_S__LAST: break; \ @@ -250,7 +252,8 @@ case OPT_S_MINPROTO: \ case OPT_S_MAXPROTO: \ case OPT_S_DEBUGBROKE: \ -case OPT_S_NO_MIDDLEBOX +case OPT_S_NO_MIDDLEBOX: \ +case OPT_S_NO_ETM #define IS_NO_PROT_FLAG(o) \ (o == OPT_S_NOSSL3 || o == OPT_S_NOTLS1 || o == OPT_S_NOTLS1_1 \ diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index 144e367d4e..6328cd07d9 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in @@ -56,6 +56,7 @@ B B [B<-msg>] [B<-timeout>] [B<-mtu> I] +[B<-no_etm>] [B<-keymatexport> I] [B<-keymatexportlen> I] [B<-msgfile> I] @@ -448,6 +449,10 @@ Enable send/receive timeout on DTLS connections. Set MTU of the link layer to the specified size. +=item B<-no_etm> + +Disable Encrypt-then-MAC negotiation. + =item B<-keymatexport> I Export keying material using the specified label. diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index c4289a12e3..115eceb0e3 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -70,6 +70,7 @@ B B [B<-verify_quiet>] [B<-ign_eof>] [B<-no_ign_eof>] +[B<-no_etm>] [B<-status>] [B<-status_verbose>] [B<-status_timeout> I] @@ -487,6 +488,10 @@ Ignore input EOF (default: when B<-quiet>). Do not ignore input EOF. +=item B<-no_etm> + +Disable Encrypt-then-MAC negotiation. + =item B<-status> Enables certificate status request support (aka OCSP stapling). diff --git a/doc/perlvars.pm b/doc/perlvars.pm index 133ad3c416..f4c20aa392 100644 --- a/doc/perlvars.pm +++ b/doc/perlvars.pm @@ -185,6 +185,7 @@ $OpenSSL::safe::opt_s_synopsis = "" . "[B<-no_resumption_on_reneg>]\n" . "[B<-legacy_server_connect>]\n" . "[B<-no_legacy_server_connect>]\n" +. "[B<-no_etm>]\n" . "[B<-allow_no_dhe_kex>]\n" . "[B<-prioritize_chacha>]\n" . "[B<-strict>]\n" @@ -205,7 +206,7 @@ $OpenSSL::safe::opt_s_item = "" . "B<-client_renegotiation>,\n" . "B<-legacy_renegotiation>, B<-no_renegotiation>,\n" . "B<-no_resumption_on_reneg>,\n" -. "B<-legacy_server_connect>, B<-no_legacy_server_connect>,\n" +. "B<-legacy_server_connect>, B<-no_legacy_server_connect>, B<-no_etm>\n" . "B<-allow_no_dhe_kex>, B<-prioritize_chacha>, B<-strict>, B<-sigalgs>\n" . "I, B<-client_sigalgs> I, B<-groups> I, B<-curves>\n" . "I, B<-named_curve> I, B<-cipher> I, B<-ciphersuites>\n" diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index b15c847176..c0cbbe5e2c 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -676,7 +676,8 @@ typedef struct { #define SSL_CONF_CMD_SWITCH(name, flags) \ {0, NULL, name, flags, SSL_CONF_TYPE_NONE} -/* See apps/apps.h if you change this table. */ +/* See apps/include/opt.h if you change this table. */ +/* The SSL_CONF_CMD_SWITCH should be the same order as ssl_cmd_switches */ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { SSL_CONF_CMD_SWITCH("no_ssl3", 0), SSL_CONF_CMD_SWITCH("no_tls1", 0), @@ -701,6 +702,7 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
[openssl] master update
The branch master has been updated via 835dd706d3a916dacdb302905899a32638ed8adc (commit) from 29b3fdad2b078f45f840f6e45b0fe483b77dbc6f (commit) - Log - commit 835dd706d3a916dacdb302905899a32638ed8adc Author: Richard Levitte Date: Tue Jun 15 17:43:02 2021 +0200 TEST: Make test/recipes/01-test_symbol_presence.t more platform agnostic Assuming ".so" as shared library ending is faulty on MacOS, where the normal shared library extension is ".dylib". We use the platform module to get the same extension as the build process. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/15771) --- Summary of changes: test/recipes/01-test_symbol_presence.t | 12 +--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t index 9df57de421..e979c18f46 100644 --- a/test/recipes/01-test_symbol_presence.t +++ b/test/recipes/01-test_symbol_presence.t @@ -9,10 +9,16 @@ use strict; use File::Spec::Functions qw(devnull); -use OpenSSL::Test qw(:DEFAULT srctop_file bldtop_dir bldtop_file); +use OpenSSL::Test qw(:DEFAULT srctop_file srctop_dir bldtop_dir bldtop_file); use OpenSSL::Test::Utils; -setup("test_symbol_presence"); +BEGIN { +setup("test_symbol_presence"); +} + +use lib srctop_dir('Configurations'); +use lib bldtop_dir('.'); +use platform; plan skip_all => "Test is disabled on NonStop" if config('target') =~ m|^nonstop|; plan skip_all => "Only useful when building shared libraries" @@ -33,7 +39,7 @@ note foreach my $libname (@libnames) { SKIP: { -my $shlibpath = bldtop_file("lib" . $libname . ".so"); +my $shlibpath = bldtop_file(platform->sharedlib("lib$libname")); *OSTDERR = *STDERR; *OSTDOUT = *STDOUT; open STDERR, ">", devnull();
[openssl] master update
The branch master has been updated via 29b3fdad2b078f45f840f6e45b0fe483b77dbc6f (commit) via 5d8ad7d385f1be0d2ef6fd3bfc91debdf3835c96 (commit) via 27fb7a0a27c2b35b8f385fa2a23588603c7a94a4 (commit) via cd770738796c591f93b2db630bab57cd8d3d5796 (commit) via 793b05865a3892258522e875df6ba4dff2ceb817 (commit) via b3f5d5d3684c4059b09e73b951a84fc0d77594e9 (commit) via 07562828308417205f39a628af3b78af0d30d308 (commit) via f0191d0b1373bb7b0c50a0103d63791f51ed3398 (commit) from 04fb4ec8facce1e289029c289ebc4b487db8 (commit) - Log - commit 29b3fdad2b078f45f840f6e45b0fe483b77dbc6f Author: Richard Levitte Date: Thu Jun 10 07:31:13 2021 +0200 Refactor OSSL_STORE_LOADER_do_all_provided() to behave like OSSL_STORE_LOADER_fetch() This is refactored to use inner_loader_fetch() without any given name, which is just there to ensure all decoder implementations are made into methods, and then use ossl_method_store_do_all() to list them all. This also adds the internal ossl_store_loader_do_all_prefetched(), which can be used if pre-fetching needs to be done separately from listing all the decoder implementations, or if listing may happen multiple times. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15604) commit 5d8ad7d385f1be0d2ef6fd3bfc91debdf3835c96 Author: Richard Levitte Date: Wed Jun 9 11:00:00 2021 +0200 test/evp_extra_test.c: Peek at the error instead of getting it. If there is an error report, we want to get it printed too. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15604) commit 27fb7a0a27c2b35b8f385fa2a23588603c7a94a4 Author: Richard Levitte Date: Wed Jun 9 10:58:33 2021 +0200 DECODER & ENCODER: Add better tracing Now that we have functions to get the name and properties of the diverse implementations, we can as well display them for clarity. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15604) commit cd770738796c591f93b2db630bab57cd8d3d5796 Author: Richard Levitte Date: Wed Jun 9 07:52:09 2021 +0200 Adapt all public EVP_XXX_do_all_provided() for the changed evp_generic_do_all() Fixes #15538 Fixes #14837 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15604) commit 793b05865a3892258522e875df6ba4dff2ceb817 Author: Richard Levitte Date: Wed Jun 9 07:50:08 2021 +0200 Refactor evp_generic_do_all() to behave like evp_generic_fetch() This is refactored to use inner_evp_generic_fetch() without any given name, which is just there to ensure all decoder implementations are made into methods, and then use ossl_method_store_do_all() to list them all. This also adds the internal evp_generic_do_all_prefetched(), which can be used if pre-fetching needs to be done separately from listing all the decoder implementations, or if listing may happen multiple times. Fixes #15538 Fixes #14837 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15604) commit b3f5d5d3684c4059b09e73b951a84fc0d77594e9 Author: Richard Levitte Date: Wed Jun 9 07:47:41 2021 +0200 Refactor OSSL_ENCODER_do_all_provided() to behave like OSSL_ENCODER_fetch() This is refactored to use inner_ossl_encoder_fetch() without any given name, which is just there to ensure all encoder implementations are made into methods, and then use ossl_method_store_do_all() to list them all. This also adds the internal ossl_encoder_do_all_prefetched(), which can be used if pre-fetching needs to be done separately from listing all the encoder implementations, or if listing may happen multiple times. Fixes #15538 Fixes #14837 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15604) commit 07562828308417205f39a628af3b78af0d30d308 Author: Richard Levitte Date: Fri Jun 4 14:29:07 2021 +0200 Refactor OSSL_DECODER_do_all_provided() to behave like OSSL_DECODER_fetch() This is refactored to use inner_ossl_decoder_fetch() without any given name, which is just there to ensure all decoder implementations are made into methods, and then use ossl_method_store_do_all() to list them all. This also adds the internal ossl_decoder_do_all_prefetched(), which can be used if pre-fetching needs to be done separately from listing all the decoder implementations, or if listing may happen multiple times. Fixes #15538 Fixes #14837
[openssl] master update
The branch master has been updated via 04fb4ec8facce1e289029c289ebc4b487db8 (commit) from 9067cf6ccdce0a73922f06937e54c2fce2752038 (commit) - Log - commit 04fb4ec8facce1e289029c289ebc4b487db8 Author: Hubert Kario Date: Mon Jun 14 13:38:02 2021 +0200 s_server: make -rev option easier to find (mention echo) Since the service is echo-like (see TCP port 7 from RFC 862 or gnutls-serv --echo), make it easier to find by mentioning "echo" in the description of it in the help message an man page Also fixes the man page inconsistency ("sends it back to the server") Reviewed-by: Paul Dale Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/15739) --- Summary of changes: apps/s_server.c | 2 +- doc/man1/openssl-s_server.pod.in | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/apps/s_server.c b/apps/s_server.c index e32d25e800..9c0c467ed6 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -856,7 +856,7 @@ const OPTIONS s_server_options[] = { {"brief", OPT_BRIEF, '-', "Restrict output to brief summary of connection parameters"}, {"rev", OPT_REV, '-', - "act as a simple test server which just sends back with the received text reversed"}, + "act as an echo server that sends back received text reversed"}, {"debug", OPT_DEBUG, '-', "Print more output"}, {"msg", OPT_MSG, '-', "Show protocol messages"}, {"msgfile", OPT_MSGFILE, '>', diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index 97852ae7bf..c4289a12e3 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -545,9 +545,8 @@ output. =item B<-rev> -Simple test server which just reverses the text received from the client -and sends it back to the server. Also sets B<-brief>. Cannot be used in -conjunction with B<-early_data>. +Simple echo server that sends back received text reversed. Also sets B<-brief>. +Cannot be used in conjunction with B<-early_data>. =item B<-async>
[openssl] master update
The branch master has been updated via 9067cf6ccdce0a73922f06937e54c2fce2752038 (commit) from 515480be79de6907fcf0f7797aa0d3cd45e7d33c (commit) - Log - commit 9067cf6ccdce0a73922f06937e54c2fce2752038 Author: Richard Levitte Date: Mon Jun 14 09:25:53 2021 +0200 CORE: Move away the allocation of the temporary no_cache method store The responsibility for managing the temporary store for methods from algorithm implementations flaged "no_store" is moved up to the diverse method fetching functions. This allows them to allocate it "just in time", or in other words not at all if there is not such algorithm implementation. This makes this temporary store more flexible if it's needed outside of the core fetching functionality, and slightly faster when this temporary store isn't necessary at all. Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15737) --- Summary of changes: crypto/core_fetch.c | 46 ++ crypto/encode_decode/decoder_meth.c | 63 +++--- crypto/encode_decode/encoder_meth.c | 63 +++--- crypto/evp/evp_fetch.c | 76 ++--- crypto/store/store_meth.c | 63 +++--- include/internal/core.h | 6 +-- 6 files changed, 188 insertions(+), 129 deletions(-) diff --git a/crypto/core_fetch.c b/crypto/core_fetch.c index 0c30f985d6..fade75f4c9 100644 --- a/crypto/core_fetch.c +++ b/crypto/core_fetch.c @@ -83,19 +83,25 @@ static void ossl_method_construct_this(OSSL_PROVIDER *provider, */ if (data->force_store || !no_store) { +/* If we haven't been told not to store, add to the global store */ +data->mcm->put(data->libctx, NULL, method, provider, + data->operation_id, algo->algorithm_names, + algo->property_definition, data->mcm_data); +} else { /* - * If we haven't been told not to store, - * add to the global store + * If we have been told not to store the method "permanently", we + * ask for a temporary store, and store the method there. + * The owner of |data->mcm| is completely responsible for managing + * that temporary store. */ -data->mcm->put(data->libctx, NULL, method, provider, +if ((data->store = data->mcm->get_tmp_store(data->mcm_data)) == NULL) +return; + +data->mcm->put(data->libctx, data->store, method, provider, data->operation_id, algo->algorithm_names, algo->property_definition, data->mcm_data); } -data->mcm->put(data->libctx, data->store, method, provider, - data->operation_id, algo->algorithm_names, - algo->property_definition, data->mcm_data); - /* refcnt-- because we're dropping the reference */ data->mcm->destruct(method, data->mcm_data); } @@ -109,14 +115,8 @@ void *ossl_method_construct(OSSL_LIB_CTX *libctx, int operation_id, if ((method = mcm->get(libctx, NULL, mcm_data)) == NULL) { struct construct_data_st cbdata; -/* - * We have a temporary store to be able to easily search among new - * items, or items that should find themselves in the global store. - */ -if ((cbdata.store = mcm->alloc_tmp_store(libctx)) == NULL) -goto fin; - cbdata.libctx = libctx; +cbdata.store = NULL; cbdata.operation_id = operation_id; cbdata.force_store = force_store; cbdata.mcm = mcm; @@ -127,20 +127,14 @@ void *ossl_method_construct(OSSL_LIB_CTX *libctx, int operation_id, ossl_method_construct_postcondition, ); -method = mcm->get(libctx, cbdata.store, mcm_data); -if (method == NULL) { -/* - * If we get here then we did not construct the method that we - * attempted to construct. It's possible that another thread got - * there first and so we skipped construction (pre-condition - * failed). We check the global store again to see if it has - * appeared by now. - */ +/* If there is a temporary store, try there first */ +if (cbdata.store != NULL) +method = mcm->get(libctx, cbdata.store, mcm_data); + +/* If no method was found yet, try the global store */ +if (method == NULL) method = mcm->get(libctx, NULL, mcm_data); -} -mcm->dealloc_tmp_store(cbdata.store); } - fin: return method; } diff --git
[openssl] master update
The branch master has been updated via 515480be79de6907fcf0f7797aa0d3cd45e7d33c (commit) via bb19b9d4561228599b2259f6a4912066274ae622 (commit) via 1d8897176d06eeb88738182dbd4ad08df2f045e9 (commit) via 3b66592490e7b43b94298f53d4e58a611644fe4e (commit) via f42b3b70d8f2b399e6a0f217bd022f38884343eb (commit) via 9d9691f78a67fed1b30b0cf84b2f3601897b9639 (commit) via 4439a6483e1579359a75f061373b377995516032 (commit) from a5d250e57e88650986e8cf2dff6c698c50eb3255 (commit) - Log - commit 515480be79de6907fcf0f7797aa0d3cd45e7d33c Author: Dr. David von Oheimb Date: Mon Jun 14 12:58:40 2021 +0200 ASN1_parse_dump(): allow NULL BIO input, to simplify applications not needing output Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15722) commit bb19b9d4561228599b2259f6a4912066274ae622 Author: Dr. David von Oheimb Date: Sat Jun 12 11:49:22 2021 +0200 BIO_write_ex(): Make handing of BIO b == NULL and dlen == 0 less redundant Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15722) commit 1d8897176d06eeb88738182dbd4ad08df2f045e9 Author: Dr. David von Oheimb Date: Sat Jun 12 13:47:38 2021 +0200 BIO: Make source file names in crypto/bio/ consistent Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15722) commit 3b66592490e7b43b94298f53d4e58a611644fe4e Author: Dr. David von Oheimb Date: Sat Jun 12 13:41:19 2021 +0200 BIO_dum_indent_cb(): Fix handling of cb return value Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15722) commit f42b3b70d8f2b399e6a0f217bd022f38884343eb Author: Dr. David von Oheimb Date: Sat Jun 12 11:35:09 2021 +0200 fuzz/asn1parse.c: Clean up non-portable code and catch malloc failure Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15722) commit 9d9691f78a67fed1b30b0cf84b2f3601897b9639 Author: Dr. David von Oheimb Date: Sat Jun 12 11:27:28 2021 +0200 BIO: prevent crash on NULL BIO for prefix_ctrl() and thus for BIO_set_prefix(), BIO_set_indent(), etc. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15722) commit 4439a6483e1579359a75f061373b377995516032 Author: Dr. David von Oheimb Date: Sat Jun 12 11:25:07 2021 +0200 ASN1: rename asn1_par.c to asn1_parse.c for clarity; simplify asn1_parse2() Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15722) --- Summary of changes: crypto/asn1/{asn1_par.c => asn1_parse.c} | 28 +++- crypto/asn1/build.info | 2 +- crypto/bio/bf_prefix.c | 4 ++-- crypto/bio/{b_addr.c => bio_addr.c}| 0 crypto/bio/{b_dump.c => bio_dump.c}| 7 +-- crypto/bio/bio_lib.c | 9 ++--- crypto/bio/{b_print.c => bio_print.c} | 0 crypto/bio/{b_sock.c => bio_sock.c}| 0 crypto/bio/{b_sock2.c => bio_sock2.c} | 0 crypto/bio/build.info | 6 +++--- crypto/bio/{core_bio.c => ossl_core_bio.c} | 0 fuzz/asn1parse.c | 4 ++-- 12 files changed, 26 insertions(+), 34 deletions(-) rename crypto/asn1/{asn1_par.c => asn1_parse.c} (95%) rename crypto/bio/{b_addr.c => bio_addr.c} (100%) rename crypto/bio/{b_dump.c => bio_dump.c} (97%) rename crypto/bio/{b_print.c => bio_print.c} (100%) rename crypto/bio/{b_sock.c => bio_sock.c} (100%) rename crypto/bio/{b_sock2.c => bio_sock2.c} (100%) rename crypto/bio/{core_bio.c => ossl_core_bio.c} (100%) diff --git a/crypto/asn1/asn1_par.c b/crypto/asn1/asn1_parse.c similarity index 95% rename from crypto/asn1/asn1_par.c rename to crypto/asn1/asn1_parse.c index 3a493de0fc..a131713d73 100644 --- a/crypto/asn1/asn1_par.c +++ b/crypto/asn1/asn1_parse.c @@ -41,15 +41,16 @@ static int asn1_print_info(BIO *bp, long offset, int depth, int hl, long len, offset, depth, (long)hl, p) <= 0) goto err; } -if (BIO_set_prefix(bp, str) <= 0) { -if ((bp = BIO_push(BIO_new(BIO_f_prefix()), bp)) == NULL) +if (bp != NULL) { +if (BIO_set_prefix(bp, str) <= 0) { +if ((bp = BIO_push(BIO_new(BIO_f_prefix()), bp)) == NULL) +goto err; +pop_f_prefix = 1; +} +saved_indent = BIO_get_indent(bp); +if (BIO_set_prefix(bp, str) <= 0 || BIO_set_indent(bp, indent) < 0) goto err; -pop_f_prefix = 1; } -saved_indent = BIO_get_indent(bp); -if (BIO_set_prefix(bp, str) <= 0 -|| BIO_set_indent(bp, indent) < 0) -goto err; /* * BIO_set_prefix made a copy of |str|, so we can safely use it
[openssl] master update
The branch master has been updated via a5d250e57e88650986e8cf2dff6c698c50eb3255 (commit) from 5bbe2134188a45a937e7aefd46b7258d0ab8 (commit) - Log - commit a5d250e57e88650986e8cf2dff6c698c50eb3255 Author: Lars Immisch Date: Thu Mar 5 11:26:06 2020 +0100 Use getauxval on Android with API level > 18 We received analytics that devices of the device family Oppo A37x are crashing with SIGILL when trying to load libcrypto.so. These crashes were fixed by using the system-supplied getauxval function. Reviewed-by: Kurt Roeckx Reviewed-by: Tim Hudson Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/11257) --- Summary of changes: crypto/armcap.c | 9 + 1 file changed, 9 insertions(+) diff --git a/crypto/armcap.c b/crypto/armcap.c index 43438e0aa4..93aeac85a3 100644 --- a/crypto/armcap.c +++ b/crypto/armcap.c @@ -93,6 +93,15 @@ static unsigned long getauxval(unsigned long key) # endif # endif +/* + * Android: according to https://developer.android.com/ndk/guides/cpu-features, + * getauxval is supported starting with API level 18 + */ +# if defined(__ANDROID__) && defined(__ANDROID_API__) && __ANDROID_API__ >= 18 +# include +# define OSSL_IMPLEMENT_GETAUXVAL +# endif + /* * ARM puts the feature bits for Crypto Extensions in AT_HWCAP2, whereas * AArch64 used AT_HWCAP.
[openssl] master update
The branch master has been updated via 5bbe2134188a45a937e7aefd46b7258d0ab8 (commit) via f4752e88272933777dbdbda31d00b388fa5a8e2d (commit) from 60d13c8ff824720580db9665489832fb50f9e60a (commit) - Log - commit 5bbe2134188a45a937e7aefd46b7258d0ab8 Author: Rich Salz Date: Sun Jun 13 10:49:47 2021 -0400 Remove "-immedate_renegotiation" option Reviewed-by: Matt Caswell Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15415) commit f4752e88272933777dbdbda31d00b388fa5a8e2d Author: Rich Salz Date: Fri May 21 13:26:33 2021 -0400 Move AllowClientRenegotiation tests Move them from test_renegotiation to renegotiation in ssl_new Reviewed-by: Matt Caswell Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15415) --- Summary of changes: apps/include/opt.h | 4 +-- apps/s_client.c | 3 -- apps/s_server.c | 6 doc/man3/SSL_CONF_cmd.pod| 6 doc/perlvars.pm | 5 ++- test/README.ssltest.md | 8 +++-- test/generate_ssl_tests.pl | 2 +- test/helpers/ssl_test_ctx.c | 1 + test/recipes/70-test_renegotiation.t | 15 + test/ssl-tests/17-renegotiate.cnf| 62 +++- test/ssl-tests/17-renegotiate.cnf.in | 32 +++ 11 files changed, 104 insertions(+), 40 deletions(-) diff --git a/apps/include/opt.h b/apps/include/opt.h index 951557974b..b77c5a52e5 100644 --- a/apps/include/opt.h +++ b/apps/include/opt.h @@ -162,7 +162,7 @@ OPT_S_STRICT, OPT_S_SIGALGS, OPT_S_CLIENTSIGALGS, OPT_S_GROUPS, \ OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, OPT_S_CIPHERSUITES, \ OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP, \ -OPT_S_MINPROTO, OPT_S_MAXPROTO, OPT_S_IMMEDIATE_RENEG, \ +OPT_S_MINPROTO, OPT_S_MAXPROTO, \ OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S__LAST # define OPT_S_OPTIONS \ @@ -211,8 +211,6 @@ {"ciphersuites", OPT_S_CIPHERSUITES, 's', "Specify TLSv1.3 ciphersuites to be used"}, \ {"min_protocol", OPT_S_MINPROTO, 's', "Specify the minimum protocol version to be used"}, \ {"max_protocol", OPT_S_MAXPROTO, 's', "Specify the maximum protocol version to be used"}, \ -{"immediate_renegotiation", OPT_S_IMMEDIATE_RENEG, '-', \ -"Immediately attempt renegotiation"}, \ {"record_padding", OPT_S_RECORD_PADDING, 's', \ "Block size to pad TLS 1.3 records to."}, \ {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \ diff --git a/apps/s_client.c b/apps/s_client.c index ac9b08dfc2..3b9be0e8c2 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -1047,9 +1047,6 @@ int s_client_main(int argc, char **argv) case OPT_BRIEF: c_brief = verify_args.quiet = c_quiet = 1; break; -case OPT_S_IMMEDIATE_RENEG: -/* Option ignored on client. */ -break; case OPT_S_CASES: if (ssl_args == NULL) ssl_args = sk_OPENSSL_STRING_new_null(); diff --git a/apps/s_server.c b/apps/s_server.c index 009ac5a1eb..e32d25e800 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -78,7 +78,6 @@ static int accept_socket = -1; static int s_nbio = 0; static int s_nbio_test = 0; static int s_crlf = 0; -static int immediate_reneg = 0; static SSL_CTX *ctx = NULL; static SSL_CTX *ctx2 = NULL; static int www = 0; @@ -1270,9 +1269,6 @@ int s_server_main(int argc, char *argv[]) if (!opt_format(opt_arg(), OPT_FMT_PEMDER, _format)) goto opthelp; break; -case OPT_S_IMMEDIATE_RENEG: -immediate_reneg = 1; -break; case OPT_S_CASES: case OPT_S_NUM_TICKETS: case OPT_ANTI_REPLAY: @@ -2811,8 +2807,6 @@ static int init_ssl_connection(SSL *con) } else { do { i = SSL_accept(con); -if (immediate_reneg) -SSL_renegotiate(con); if (i <= 0) retry = is_retryable(con, i); diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index 68c05d33d7..7971d6e0b5 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -83,12 +83,6 @@ Sets B. Only used by servers. Permits or prohibits the use of unsafe legacy renegotiation for OpenSSL clients only. Equivalent to setting or clearing B. -=item B<-immediate_renegotiation> - -Try to do a renegotiation immediately after the handshake. -This is for debugging and has no option equivalent. -Ignored by the B command. - =item B<-prioritize_chacha> Prioritize ChaCha ciphers when the
[openssl] master update
The branch master has been updated via 60d13c8ff824720580db9665489832fb50f9e60a (commit) via dfb0b8d63a1b627c5d796ba0174ee4693b330989 (commit) via 8dff167dfe5a85932ccb1fc67c8f66af00a616ce (commit) from a1fb5eb920fb156eda474f0e59d268316b6c893d (commit) - Log - commit 60d13c8ff824720580db9665489832fb50f9e60a Author: Pauli Date: Tue Jun 15 19:01:00 2021 +1000 remove end of line whitespace Reviewed-by: Tomas Mraz Reviewed-by: David von Oheimb commit dfb0b8d63a1b627c5d796ba0174ee4693b330989 Author: Pauli Date: Mon Jun 14 21:22:55 2021 +1000 cms: free PKEY_CTX Preventing a memory leak. Reviewed-by: Tomas Mraz Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/15731) commit 8dff167dfe5a85932ccb1fc67c8f66af00a616ce Author: Pauli Date: Mon Jun 14 09:50:36 2021 +1000 cms: fix coverity 1485981: unchecked return value Reviewed-by: Tomas Mraz Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/15731) --- Summary of changes: crypto/cms/cms_ec.c | 17 +++-- 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/crypto/cms/cms_ec.c b/crypto/cms/cms_ec.c index 4cf208f5f2..65018956a8 100644 --- a/crypto/cms/cms_ec.c +++ b/crypto/cms/cms_ec.c @@ -20,12 +20,12 @@ static EVP_PKEY *pkey_type2param(int ptype, const void *pval, { EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *pctx = NULL; +OSSL_DECODER_CTX *ctx = NULL; if (ptype == V_ASN1_SEQUENCE) { const ASN1_STRING *pstr = pval; const unsigned char *pm = pstr->data; size_t pmlen = (size_t)pstr->length; -OSSL_DECODER_CTX *ctx = NULL; int selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS; ctx = OSSL_DECODER_CTX_new_for_pkey(, "DER", NULL, "EC", @@ -33,8 +33,12 @@ static EVP_PKEY *pkey_type2param(int ptype, const void *pval, if (ctx == NULL) goto err; -OSSL_DECODER_from_data(ctx, , ); +if (!OSSL_DECODER_from_data(ctx, , )) { +ERR_raise(ERR_LIB_CMS, CMS_R_DECODE_ERROR); +goto err; +} OSSL_DECODER_CTX_free(ctx); +return pkey; } else if (ptype == V_ASN1_OBJECT) { const ASN1_OBJECT *poid = pval; char groupname[OSSL_MAX_NAME_SIZE]; @@ -50,16 +54,17 @@ static EVP_PKEY *pkey_type2param(int ptype, const void *pval, } if (EVP_PKEY_paramgen(pctx, ) <= 0) goto err; -} else { -ERR_raise(ERR_LIB_CMS, CMS_R_DECODE_ERROR); -goto err; +EVP_PKEY_CTX_free(pctx); +return pkey; } -return pkey; +ERR_raise(ERR_LIB_CMS, CMS_R_DECODE_ERROR); +return NULL; err: EVP_PKEY_free(pkey); EVP_PKEY_CTX_free(pctx); +OSSL_DECODER_CTX_free(ctx); return NULL; }
[openssl] master update
The branch master has been updated via a1fb5eb920fb156eda474f0e59d268316b6c893d (commit) via c696f4bfc303d9b43a3167f48b3661972495211c (commit) via 09495e4301ea5805b51c8128f99587de64a20b6c (commit) via 4d574312dbeba89f3bf874aabbbd67a25b1cdf87 (commit) via f147fa3e7def18076d158783d9c566619151878e (commit) via f64851c5b3d8325121eb1b6669f4682ded51901a (commit) via c8dd887d3c415bfeaabf12e719353b00d5d2e700 (commit) via 3334e039cf3de72dbb7dd6151db26110afa8c993 (commit) via 02288cbb65397841dd0a06ddaa1cb1cdd1b05c10 (commit) via 81743ed9d737d415a43aaf0259616dd007a9e3a4 (commit) via e1a77f9cffbd7f8642ff900a3e5b7c81e8c26fb7 (commit) from 42e97dde808e6471575696fdec41e2f8d2ef9feb (commit) - Log - commit a1fb5eb920fb156eda474f0e59d268316b6c893d Author: Pauli Date: Thu Jun 10 16:58:12 2021 +1000 apps: move global libctx and property query into their own file The header has been split out so the functions should be as well. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15687) commit c696f4bfc303d9b43a3167f48b3661972495211c Author: Pauli Date: Thu Jun 10 12:05:28 2021 +1000 speed: make sure to free any allocated EVP_MAC structures Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15687) commit 09495e4301ea5805b51c8128f99587de64a20b6c Author: Pauli Date: Thu Jun 10 11:27:44 2021 +1000 pkcs12: use the app's libctx and property query when searching for algorithms Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15687) commit 4d574312dbeba89f3bf874aabbbd67a25b1cdf87 Author: Pauli Date: Thu Jun 10 11:27:31 2021 +1000 speed: use the app's libctx and property query when searching for algorithms Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15687) commit f147fa3e7def18076d158783d9c566619151878e Author: Pauli Date: Thu Jun 10 10:26:43 2021 +1000 list: use the app's libctx and property query when searching for algorithms Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15687) commit f64851c5b3d8325121eb1b6669f4682ded51901a Author: Pauli Date: Thu Jun 10 10:26:43 2021 +1000 kdf: use the app's libctx and property query when searching for algorithms Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15687) commit c8dd887d3c415bfeaabf12e719353b00d5d2e700 Author: Pauli Date: Thu Jun 10 10:26:43 2021 +1000 fipsinstall: use the app's libctx and property query when searching for algorithms Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15687) commit 3334e039cf3de72dbb7dd6151db26110afa8c993 Author: Pauli Date: Thu Jun 10 11:35:26 2021 +1000 add libctx and property query to fetch functions Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15687) commit 02288cbb65397841dd0a06ddaa1cb1cdd1b05c10 Author: Pauli Date: Thu Jun 10 10:48:51 2021 +1000 test: add SPKAC command test Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15687) commit 81743ed9d737d415a43aaf0259616dd007a9e3a4 Author: Pauli Date: Thu Jun 10 10:33:13 2021 +1000 spkac: document -digest option Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15687) commit e1a77f9cffbd7f8642ff900a3e5b7c81e8c26fb7 Author: Pauli Date: Thu Jun 10 10:06:20 2021 +1000 spkac: allow digests other than MD5 to be used for signing Fixes #15683 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15687) --- Summary of changes: apps/fipsinstall.c | 2 +- test/filterprov.h => apps/include/app_libctx.h | 14 +--- apps/include/apps.h| 7 +--- apps/kdf.c | 3 +- apps/lib/app_libctx.c | 48 ++ apps/lib/apps.c| 43 ++- apps/lib/build.info| 2 +- apps/lib/opt.c | 1 + apps/list.c| 38 +++- apps/pkcs12.c | 3 +- apps/speed.c | 27 ++- apps/spkac.c | 14 ++-- doc/man1/openssl-spkac.pod.in | 8 + test/recipes/20-test_spkac.t | 41 ++ 14 files changed, 169 insertions(+), 82 deletions(-) copy test/filterprov.h => apps/include/app_libctx.h (58%)
[openssl] master update
The branch master has been updated via 42e97dde808e6471575696fdec41e2f8d2ef9feb (commit) from f77208693ec3bda99618e6f76c0f8d279c0077bb (commit) - Log - commit 42e97dde808e6471575696fdec41e2f8d2ef9feb Author: Shane Lontis Date: Mon Jun 14 16:43:28 2021 +1000 Add missing NULL check in OSSL_DECODER_from_bio(). Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15733) --- Summary of changes: crypto/encode_decode/decoder_lib.c | 5 + 1 file changed, 5 insertions(+) diff --git a/crypto/encode_decode/decoder_lib.c b/crypto/encode_decode/decoder_lib.c index 4053eac62e..c637b5bfef 100644 --- a/crypto/encode_decode/decoder_lib.c +++ b/crypto/encode_decode/decoder_lib.c @@ -48,6 +48,11 @@ int OSSL_DECODER_from_bio(OSSL_DECODER_CTX *ctx, BIO *in) int ok = 0; BIO *new_bio = NULL; +if (in == NULL) { +ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_PASSED_NULL_PARAMETER); +return 0; +} + if (OSSL_DECODER_CTX_get_num_decoders(ctx) == 0) { ERR_raise_data(ERR_LIB_OSSL_DECODER, OSSL_DECODER_R_DECODER_NOT_FOUND, "No decoders were found. For standard decoders you need "