[openssl] master update
The branch master has been updated via 5e56f4587de2f2e06c079272fa4d6712d56dbcf0 (commit) via 98431c431366ec3445e92cf4c50a1d3ac80573a5 (commit) via 159dacca4682a48ccc3625c64678b7eaf31681ef (commit) via 196feb18de28cc5e6b59483ab61453dbca8d5c4b (commit) via 01fb4bff9bee4b6a652d42ec9f1b63280450 (commit) from 10af976962b2383bb3044120a764037361b8bff7 (commit) - Log - commit 5e56f4587de2f2e06c079272fa4d6712d56dbcf0 Author: Pauli Date: Tue Jun 29 08:26:11 2021 +1000 evp: fix coverity 1473380 Copy into fixed size buffer (STRING_OVERFLOW) Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15943) commit 98431c431366ec3445e92cf4c50a1d3ac80573a5 Author: Pauli Date: Tue Jun 29 08:18:30 2021 +1000 dh_test: fix coverity 1473239 Argument cannot be negative (NEGATIVE_RETURNS) Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15943) commit 159dacca4682a48ccc3625c64678b7eaf31681ef Author: Pauli Date: Tue Jun 29 08:05:19 2021 +1000 s_time: avoid unlikely division by zero Fixing coverity 966560 Division or modulo by zero (DIVIDE_BY_ZERO) Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15943) commit 196feb18de28cc5e6b59483ab61453dbca8d5c4b Author: Pauli Date: Tue Jun 29 08:01:13 2021 +1000 bio: check for valid socket when closing Fixes coverity 271258 Improper use of negative value (NEGATIVE_RETURNS) Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15943) commit 01fb4bff9bee4b6a652d42ec9f1b63280450 Author: Pauli Date: Tue Jun 29 07:59:00 2021 +1000 test: fix coverity 1469427 Improper use of negative value (NEGATIVE_RETURNS) Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15943) --- Summary of changes: apps/s_time.c | 11 +++ crypto/bio/bio_sock2.c | 2 +- crypto/evp/ctrl_params_translate.c | 4 +++- test/dhtest.c | 11 +++ test/endecoder_legacy_test.c | 3 ++- 5 files changed, 20 insertions(+), 11 deletions(-) diff --git a/apps/s_time.c b/apps/s_time.c index 34e939d047..1a58e19de5 100644 --- a/apps/s_time.c +++ b/apps/s_time.c @@ -394,10 +394,13 @@ int s_time_main(int argc, char **argv) printf ("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", nConn, totalTime, ((double)nConn / totalTime), bytes_read); -printf -("%d connections in %ld real seconds, %ld bytes read per connection\n", - nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn); - +if (nConn > 0) +printf +("%d connections in %ld real seconds, %ld bytes read per connection\n", + nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn); +else +printf("0 connections in %ld real seconds\n", + (long)time(NULL) - finishtime + maxtime); ret = 0; end: diff --git a/crypto/bio/bio_sock2.c b/crypto/bio/bio_sock2.c index f13f20148b..b6c95913ce 100644 --- a/crypto/bio/bio_sock2.c +++ b/crypto/bio/bio_sock2.c @@ -335,7 +335,7 @@ int BIO_accept_ex(int accept_sock, BIO_ADDR *addr_, int options) */ int BIO_closesocket(int sock) { -if (closesocket(sock) < 0) +if (sock < 0 || closesocket(sock) < 0) return 0; return 1; } diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c index 6998dcc6fc..c532e57f8f 100644 --- a/crypto/evp/ctrl_params_translate.c +++ b/crypto/evp/ctrl_params_translate.c @@ -1353,7 +1353,9 @@ static int fix_rsa_pss_saltlen(enum state state, if (i == OSSL_NELEM(str_value_map)) { BIO_snprintf(ctx->name_buf, sizeof(ctx->name_buf), "%d", ctx->p1); } else { -strcpy(ctx->name_buf, str_value_map[i].ptr); +strncpy(ctx->name_buf, str_value_map[i].ptr, sizeof(ctx->name_buf)); +/* This won't truncate but it will quiet static analysers */ +ctx->name_buf[sizeof(ctx->name_buf) - 1] = '\0'; } ctx->p2 = ctx->name_buf; ctx->p1 = strlen(ctx->p2); diff --git a/test/dhtest.c b/test/dhtest.c index adbe3afd78..cb8d9a7de4 100644 --- a/test/dhtest.c +++ b/test/dhtest.c @@ -558,6 +558,7 @@ static int rfc5114_test(void) DH *dhB = NULL; unsigned char *Z1 = NULL; unsigned char *Z2 = NULL; +int szA, szB; const rfc5114_td *td = NULL; BIGNUM *priv_key = NULL, *pub_key = NULL; const BIGNUM *pub_key_tmp; @@ -580,12 +581,14 @@ static int rfc5114_test(void) goto bad_err; priv_key = pub_key = NULL; -if (!TEST_uint_eq(td->Z_len, (size_t)DH_size(dhA)) -||
[openssl] master update
The branch master has been updated via 10af976962b2383bb3044120a764037361b8bff7 (commit) from a73a5d0a14842f51d1a6bad15f3e997b0468b99d (commit) - Log - commit 10af976962b2383bb3044120a764037361b8bff7 Author: Pauli Date: Tue Jun 29 11:43:00 2021 +1000 x509: improve error reporting Distinguish between not being able to extract a public key versus not knowing the key's type. Alternative to #15921 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15944) --- Summary of changes: crypto/x509/x509_cmp.c | 19 --- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index 1c1a5e6a27..8b4e46a589 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -391,15 +391,12 @@ int X509_check_private_key(const X509 *x, const EVP_PKEY *k) int ret; xk = X509_get0_pubkey(x); +if (xk == NULL) { +ERR_raise(ERR_LIB_X509, X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY); +return 0; +} -if (xk) -ret = EVP_PKEY_eq(xk, k); -else -ret = -2; - -switch (ret) { -case 1: -break; +switch (ret = EVP_PKEY_eq(xk, k)) { case 0: ERR_raise(ERR_LIB_X509, X509_R_KEY_VALUES_MISMATCH); break; @@ -408,10 +405,10 @@ int X509_check_private_key(const X509 *x, const EVP_PKEY *k) break; case -2: ERR_raise(ERR_LIB_X509, X509_R_UNKNOWN_KEY_TYPE); +break; } -if (ret > 0) -return 1; -return 0; + +return ret > 0; } /*
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via b58ac9f1e3f828b5c65c9edd5bb86603a4886a26 (commit) from efac3f67637b7e9b89a924c246577e16445d6e04 (commit) - Log - commit b58ac9f1e3f828b5c65c9edd5bb86603a4886a26 Author: David CARLIER Date: Mon Jun 28 09:55:22 2021 +0100 apple getentropy removal backport of #15924 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15935) --- Summary of changes: crypto/rand/rand_unix.c | 8 1 file changed, 8 insertions(+) diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c index ec6be791b3..eda0d5ae20 100644 --- a/crypto/rand/rand_unix.c +++ b/crypto/rand/rand_unix.c @@ -34,6 +34,9 @@ #if defined(__OpenBSD__) # include #endif +#if defined(__APPLE__) +# include +#endif #if defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__) # include @@ -378,6 +381,11 @@ static ssize_t syscall_random(void *buf, size_t buflen) if (errno != ENOSYS) return -1; } +# elif defined(__APPLE__) +if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess) + return (ssize_t)buflen; + +return -1; # else union { void *p;
[openssl] master update
The branch master has been updated via a73a5d0a14842f51d1a6bad15f3e997b0468b99d (commit) from 452580e5b0f85201006bacb1a697e0c5b7154b76 (commit) - Log - commit a73a5d0a14842f51d1a6bad15f3e997b0468b99d Author: Dmitry Belyavskiy Date: Mon Jun 28 15:44:45 2021 +0200 Missing link to fips_config documentation Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15940) --- Summary of changes: doc/man7/fips_module.pod | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/doc/man7/fips_module.pod b/doc/man7/fips_module.pod index 8133f01eaf..1d709be513 100644 --- a/doc/man7/fips_module.pod +++ b/doc/man7/fips_module.pod @@ -452,8 +452,7 @@ L. =head1 SEE ALSO -L, -L +L, L, L =head1 COPYRIGHT
[openssl] master update
The branch master has been updated via 452580e5b0f85201006bacb1a697e0c5b7154b76 (commit) via 475c5bbd1091717411d67b8662320a1b0a8c9e42 (commit) from 69e14a546d5455de39222d1553ad18a1631e5fe9 (commit) - Log - commit 452580e5b0f85201006bacb1a697e0c5b7154b76 Author: Tomas Mraz Date: Mon Jun 28 17:13:31 2021 +0200 coverity #1486532: fix potential NULL dereference in test_mk_file_path() Reviewed-by: Ben Kaduk Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15942) commit 475c5bbd1091717411d67b8662320a1b0a8c9e42 Author: Tomas Mraz Date: Mon Jun 28 17:09:08 2021 +0200 coverity #1486531: return error properly from x509_pubkey_ex_new_ex() Reviewed-by: Ben Kaduk Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15942) --- Summary of changes: crypto/x509/x_pubkey.c | 1 + test/testutil/driver.c | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c index b20b756e9a..0c07c39a1f 100644 --- a/crypto/x509/x_pubkey.c +++ b/crypto/x509/x_pubkey.c @@ -116,6 +116,7 @@ static int x509_pubkey_ex_new_ex(ASN1_VALUE **pval, const ASN1_ITEM *it, || !x509_pubkey_ex_populate((ASN1_VALUE **), NULL) || !x509_pubkey_set0_libctx(ret, libctx, propq)) { x509_pubkey_ex_free((ASN1_VALUE **), NULL); +ret = NULL; ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); } else { *pval = (ASN1_VALUE *)ret; diff --git a/test/testutil/driver.c b/test/testutil/driver.c index f91d1ab932..8568a51fd7 100644 --- a/test/testutil/driver.c +++ b/test/testutil/driver.c @@ -439,11 +439,12 @@ char *test_mk_file_path(const char *dir, const char *file) char *dir_end; char dir_end_sep; # endif -size_t len = strlen(dir) + strlen(sep) + strlen(file) + 1; +size_t dirlen = dir != NULL ? strlen(dir) : 0; +size_t len = dirlen + strlen(sep) + strlen(file) + 1; char *full_file = OPENSSL_zalloc(len); if (full_file != NULL) { -if (dir != NULL && dir[0] != '\0') { +if (dir != NULL && dirlen > 0) { OPENSSL_strlcpy(full_file, dir, len); # ifdef OPENSSL_SYS_VMS /*
[openssl] master update
The branch master has been updated via 69e14a546d5455de39222d1553ad18a1631e5fe9 (commit) via 398f8fe1c48e19e29f099a55bb49d601911f463d (commit) from 6eaf139f62001b958861f25c5cebc41c76c579bd (commit) - Log - commit 69e14a546d5455de39222d1553ad18a1631e5fe9 Author: Richard Levitte Date: Mon Jun 28 07:08:51 2021 +0200 EVP: Have EVP_PKCS82PKEY_ex() pass a correct selection to OSSL_DECODER Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15934) commit 398f8fe1c48e19e29f099a55bb49d601911f463d Author: Richard Levitte Date: Mon Jun 28 05:52:42 2021 +0200 DECODER & ENCODER: Make sure to pass around the original selection bits When decoding a key and asking the keymgmt to import the key data, it was told that the key data includes everything. This may not be true, since the user may have specified a different selection, and some keymgmts may want to be informed. Our key decoders' export function, on the other hand, didn't care either, and simply export anything they could, regardless. In both cases, the selection that was specified by the user is now passed all the way. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15934) --- Summary of changes: crypto/encode_decode/decoder_pkey.c | 4 +++- crypto/evp/evp_pkey.c | 4 +++- providers/implementations/encode_decode/decode_der2key.c| 13 +++-- providers/implementations/encode_decode/decode_msblob2key.c | 6 -- providers/implementations/encode_decode/decode_pvk2key.c| 7 +-- 5 files changed, 22 insertions(+), 12 deletions(-) diff --git a/crypto/encode_decode/decoder_pkey.c b/crypto/encode_decode/decoder_pkey.c index 0270ba2e70..719bd17b2f 100644 --- a/crypto/encode_decode/decoder_pkey.c +++ b/crypto/encode_decode/decoder_pkey.c @@ -57,6 +57,7 @@ DEFINE_STACK_OF(EVP_KEYMGMT) struct decoder_pkey_data_st { OSSL_LIB_CTX *libctx; char *propq; +int selection; STACK_OF(EVP_KEYMGMT) *keymgmts; char *object_type; /* recorded object data type, may be NULL */ @@ -150,7 +151,7 @@ static int decoder_construct_pkey(OSSL_DECODER_INSTANCE *decoder_inst, import_data.keymgmt = keymgmt; import_data.keydata = NULL; -import_data.selection = OSSL_KEYMGMT_SELECT_ALL; +import_data.selection = data->selection; /* * No need to check for errors here, the value of @@ -375,6 +376,7 @@ int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, process_data->object = (void **)pkey; process_data->libctx = libctx; +process_data->selection = ctx->selection; /* First, find all keymgmts to form goals */ EVP_KEYMGMT_do_all_provided(libctx, collect_keymgmt, diff --git a/crypto/evp/evp_pkey.c b/crypto/evp/evp_pkey.c index 683f4bec54..6f0b3dbda9 100644 --- a/crypto/evp/evp_pkey.c +++ b/crypto/evp/evp_pkey.c @@ -70,6 +70,7 @@ EVP_PKEY *EVP_PKCS82PKEY_ex(const PKCS8_PRIV_KEY_INFO *p8, OSSL_LIB_CTX *libctx, const unsigned char *p8_data = NULL; unsigned char *encoded_data = NULL; int encoded_len; +int selection; size_t len; OSSL_DECODER_CTX *dctx = NULL; @@ -79,8 +80,9 @@ EVP_PKEY *EVP_PKCS82PKEY_ex(const PKCS8_PRIV_KEY_INFO *p8, OSSL_LIB_CTX *libctx, p8_data = encoded_data; len = encoded_len; +selection = EVP_PKEY_KEYPAIR | EVP_PKEY_KEY_PARAMETERS; dctx = OSSL_DECODER_CTX_new_for_pkey(, "DER", "PrivateKeyInfo", - EVP_PKEY_NONE, 0, libctx, propq); + NULL, selection, libctx, propq); if (dctx == NULL || !OSSL_DECODER_from_data(dctx, _data, )) /* try legacy */ diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c index fd4a7c6e2a..356e65b403 100644 --- a/providers/implementations/encode_decode/decode_der2key.c +++ b/providers/implementations/encode_decode/decode_der2key.c @@ -89,6 +89,8 @@ struct keytype_desc_st { struct der2key_ctx_st { PROV_CTX *provctx; const struct keytype_desc_st *desc; +/* The selection that is passed to der2key_decode() */ +int selection; /* Flag used to signal that a failure is fatal */ unsigned int flag_fatal : 1; }; @@ -180,9 +182,9 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, const unsigned char *derp; long der_len = 0; void *key = NULL; -int orig_selection = selection; int ok = 0; +ctx->selection = selection; /* * The caller is allowed to specify 0 as a selection
[openssl] master update
The branch master has been updated via 6eaf139f62001b958861f25c5cebc41c76c579bd (commit) from b2eabccbe52d57f009b351700b472b42195380d9 (commit) - Log - commit 6eaf139f62001b958861f25c5cebc41c76c579bd Author: Dr. David von Oheimb Date: Mon Jun 28 12:17:25 2021 +0200 ossl_cmp_error_new(): Fix Coverity issue 1486534, and consequently also issues 1486536 and 1486533 The issues are due to an integer overflow that may happen on '(ERR_SYSTEM_FLAG << 1)'. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15938) --- Summary of changes: crypto/cmp/cmp_msg.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c index fe4b64d575..4fef006933 100644 --- a/crypto/cmp/cmp_msg.c +++ b/crypto/cmp/cmp_msg.c @@ -748,7 +748,8 @@ OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si, goto err; if (!ASN1_INTEGER_set_int64(msg->body->value.error->errorCode, errorCode)) goto err; -if (errorCode > 0 && errorCode < (ERR_SYSTEM_FLAG << 1)) { +if (errorCode > 0 +&& (uint64_t)errorCode < ((uint64_t)ERR_SYSTEM_FLAG << 1)) { lib = ERR_lib_error_string((unsigned long)errorCode); reason = ERR_reason_error_string((unsigned long)errorCode); }
[openssl] master update
The branch master has been updated via b2eabccbe52d57f009b351700b472b42195380d9 (commit) from f0b9e75e4f9d6ae74389cd1b019b77cf2bd01033 (commit) - Log - commit b2eabccbe52d57f009b351700b472b42195380d9 Author: Hubert Kario Date: Fri Jun 25 13:34:31 2021 +0200 doc: make error checking in ticket handling code explicit Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15918) --- Summary of changes: doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod | 14 ++ 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod b/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod index e658e6c83e..f4730066fa 100644 --- a/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod +++ b/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod @@ -179,14 +179,17 @@ Reference Implementation: } memcpy(key_name, key->name, 16); - EVP_EncryptInit_ex(, EVP_aes_256_cbc(), NULL, key->aes_key, iv); + if (EVP_EncryptInit_ex(, EVP_aes_256_cbc(), NULL, key->aes_key, +iv) == 0) +return -1; /* error in cipher initialisation */ params[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, key->hmac_key, 32); params[1] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "sha256", 0); params[2] = OSSL_PARAM_construct_end(); - EVP_MAC_CTX_set_params(hctx, params); + if (EVP_MAC_CTX_set_params(hctx, params) == 0) +return -1; /* error in mac initialisation */ return 1; @@ -202,9 +205,12 @@ Reference Implementation: params[1] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "sha256", 0); params[2] = OSSL_PARAM_construct_end(); - EVP_MAC_CTX_set_params(hctx, params); + if (EVP_MAC_CTX_set_params(hctx, params) == 0) +return -1; /* error in mac initialisation */ - EVP_DecryptInit_ex(, EVP_aes_256_cbc(), NULL, key->aes_key, iv); + if (EVP_DecryptInit_ex(, EVP_aes_256_cbc(), NULL, key->aes_key, +iv) == 0) +return -1; /* error in cipher initialisation */ if (key->expire < t - RENEW_TIME) { /* RENEW_TIME: implement */ /*
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via efac3f67637b7e9b89a924c246577e16445d6e04 (commit) from 2357e6e94a46362dbf56eecfec6ffbaa8bd76a68 (commit) - Log - commit efac3f67637b7e9b89a924c246577e16445d6e04 Author: luyahan Date: Mon Mar 29 16:33:23 2021 +0900 Add riscv64 target Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14724) --- Summary of changes: Configurations/10-main.conf | 7 +++ 1 file changed, 7 insertions(+) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index 8dc3e858df..61c6689a0c 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -754,6 +754,13 @@ my %targets = ( multilib => "64", }, +# riscv64 below refers to contemporary RISCV Architecture +# specifications, +"linux64-riscv64" => { +inherit_from => [ "linux-generic64"], +perlasm_scheme => "linux64", +}, + IA-32 targets... These two targets are a bit aged and are to be used on older Linux machines where gcc doesn't understand -m32 and -m64
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 2357e6e94a46362dbf56eecfec6ffbaa8bd76a68 (commit) from b2dea4d5f22ec146373324c282fb1bcecd5a7d90 (commit) - Log - commit 2357e6e94a46362dbf56eecfec6ffbaa8bd76a68 Author: Lars Immisch Date: Thu Mar 5 11:26:06 2020 +0100 Use getauxval on Android with API level > 18 We received analytics that devices of the device family Oppo A37x are crashing with SIGILL when trying to load libcrypto.so. These crashes were fixed by using the system-supplied getauxval function. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15763) --- Summary of changes: crypto/armcap.c | 9 + 1 file changed, 9 insertions(+) diff --git a/crypto/armcap.c b/crypto/armcap.c index 9e209f36aa..c5685bde58 100644 --- a/crypto/armcap.c +++ b/crypto/armcap.c @@ -93,6 +93,15 @@ static unsigned long getauxval(unsigned long key) # endif # endif +/* + * Android: according to https://developer.android.com/ndk/guides/cpu-features, + * getauxval is supported starting with API level 18 + */ +# if defined(__ANDROID__) && defined(__ANDROID_API__) && __ANDROID_API__ >= 18 +# include +# define OSSL_IMPLEMENT_GETAUXVAL +# endif + /* * ARM puts the feature bits for Crypto Extensions in AT_HWCAP2, whereas * AArch64 used AT_HWCAP.
[openssl] master update
The branch master has been updated via f0b9e75e4f9d6ae74389cd1b019b77cf2bd01033 (commit) from 19c0b46b83335b36a9816abef4e82f74863a4e0a (commit) - Log - commit f0b9e75e4f9d6ae74389cd1b019b77cf2bd01033 Author: David CARLIER Date: Sat Jun 26 14:12:38 2021 +0100 darwin platform replacing getentropy usage by platform api instead. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15924) --- Summary of changes: providers/implementations/rands/seeding/rand_unix.c | 9 + 1 file changed, 9 insertions(+) diff --git a/providers/implementations/rands/seeding/rand_unix.c b/providers/implementations/rands/seeding/rand_unix.c index 2e6429344c..eab08a8150 100644 --- a/providers/implementations/rands/seeding/rand_unix.c +++ b/providers/implementations/rands/seeding/rand_unix.c @@ -40,6 +40,9 @@ # include # include #endif +#if defined(__APPLE__) +# include +#endif #if (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) \ || defined(__DJGPP__) @@ -366,6 +369,12 @@ static ssize_t syscall_random(void *buf, size_t buflen) if (errno != ENOSYS) return -1; } +#elif defined(__APPLE__) + +if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess) + return (ssize_t)buflen; + +return -1; #else union { void *p;
[openssl] master update
The branch master has been updated via 19c0b46b83335b36a9816abef4e82f74863a4e0a (commit) from f616ad4b022b8afa8416a7d9e475d02c49164192 (commit) - Log - commit 19c0b46b83335b36a9816abef4e82f74863a4e0a Author: Richard Levitte Date: Mon Jun 28 04:36:33 2021 +0200 OSSL_STORE: Fix crash when tracing STORE Reviewed-by: Shane Lontis Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15931) --- Summary of changes: crypto/store/store_lib.c | 11 ++- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c index 4b31c6f7d5..636a94e832 100644 --- a/crypto/store/store_lib.c +++ b/crypto/store/store_lib.c @@ -72,7 +72,7 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, OSSL_STORE_CTX *ctx = NULL; char *propq_copy = NULL; int no_loader_found = 1; -char scheme_copy[256], *p, *schemes[2]; +char scheme_copy[256], *p, *schemes[2], *scheme = NULL; size_t schemes_n = 0; size_t i; @@ -111,9 +111,10 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, * elsewhere. */ for (i = 0; loader_ctx == NULL && i < schemes_n; i++) { -OSSL_TRACE1(STORE, "Looking up scheme %s\n", schemes[i]); +scheme = schemes[i]; +OSSL_TRACE1(STORE, "Looking up scheme %s\n", scheme); #ifndef OPENSSL_NO_DEPRECATED_3_0 -if ((loader = ossl_store_get0_loader_int(schemes[i])) != NULL) { +if ((loader = ossl_store_get0_loader_int(scheme)) != NULL) { no_loader_found = 0; if (loader->open_ex != NULL) loader_ctx = loader->open_ex(loader, uri, libctx, propq, @@ -124,7 +125,7 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, #endif if (loader == NULL && (fetched_loader = -OSSL_STORE_LOADER_fetch(libctx, schemes[i], propq)) != NULL) { +OSSL_STORE_LOADER_fetch(libctx, scheme, propq)) != NULL) { const OSSL_PROVIDER *provider = OSSL_STORE_LOADER_get0_provider(fetched_loader); void *provctx = OSSL_PROVIDER_get0_provider_ctx(provider); @@ -151,7 +152,7 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, */ goto err; -OSSL_TRACE1(STORE, "Found loader for scheme %s\n", schemes[i]); +OSSL_TRACE1(STORE, "Found loader for scheme %s\n", scheme); if (loader_ctx == NULL) /*
[openssl] master update
The branch master has been updated via f616ad4b022b8afa8416a7d9e475d02c49164192 (commit) from 16561896ae5d3babc4662cca9a2c75cb6297ae17 (commit) - Log - commit f616ad4b022b8afa8416a7d9e475d02c49164192 Author: Richard Levitte Date: Mon Jun 28 05:37:22 2021 +0200 ENCODER & DECODER: Make a tighter coupling between en/decoders and keymgmt If there are keymgmts and en/decoders from the same provider, try to combine them first. This avoids unnecessary export/import dances, and also tries to avoid issues where the keymgmt doesn't fully support exporting and importing, which we can assume will be the case for HSM protected keys. Fixes #15932 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15933) --- Summary of changes: crypto/encode_decode/decoder_pkey.c | 51 ++--- crypto/encode_decode/encoder_pkey.c | 24 + crypto/evp/keymgmt_meth.c | 7 - include/crypto/evp.h| 1 + 4 files changed, 67 insertions(+), 16 deletions(-) diff --git a/crypto/encode_decode/decoder_pkey.c b/crypto/encode_decode/decoder_pkey.c index cb66ee4617..0270ba2e70 100644 --- a/crypto/encode_decode/decoder_pkey.c +++ b/crypto/encode_decode/decoder_pkey.c @@ -58,6 +58,7 @@ struct decoder_pkey_data_st { OSSL_LIB_CTX *libctx; char *propq; +STACK_OF(EVP_KEYMGMT) *keymgmts; char *object_type; /* recorded object data type, may be NULL */ void **object; /* Where the result should end up */ }; @@ -69,7 +70,10 @@ static int decoder_construct_pkey(OSSL_DECODER_INSTANCE *decoder_inst, struct decoder_pkey_data_st *data = construct_data; OSSL_DECODER *decoder = OSSL_DECODER_INSTANCE_get_decoder(decoder_inst); void *decoderctx = OSSL_DECODER_INSTANCE_get_decoder_ctx(decoder_inst); +const OSSL_PROVIDER *decoder_prov = OSSL_DECODER_get0_provider(decoder); EVP_KEYMGMT *keymgmt = NULL; +const OSSL_PROVIDER *keymgmt_prov = NULL; +int i, end; /* * |object_ref| points to a provider reference to an object, its exact * contents entirely opaque to us, but may be passed to any provider @@ -103,13 +107,33 @@ static int decoder_construct_pkey(OSSL_DECODER_INSTANCE *decoder_inst, object_ref = p->data; object_ref_sz = p->data_size; -keymgmt = EVP_KEYMGMT_fetch(data->libctx, data->object_type, data->propq); +/* + * First, we try to find a keymgmt that comes from the same provider as + * the decoder that passed the params. + */ +end = sk_EVP_KEYMGMT_num(data->keymgmts); +for (i = 0; i < end; i++) { +keymgmt = sk_EVP_KEYMGMT_value(data->keymgmts, i); +keymgmt_prov = EVP_KEYMGMT_get0_provider(keymgmt); + +if (keymgmt_prov == decoder_prov +&& evp_keymgmt_has_load(keymgmt) +&& EVP_KEYMGMT_is_a(keymgmt, data->object_type)) +break; +} +if (i < end) { +/* To allow it to be freed further down */ +if (!EVP_KEYMGMT_up_ref(keymgmt)) +return 0; +} else { +keymgmt = EVP_KEYMGMT_fetch(data->libctx, +data->object_type, data->propq); +keymgmt_prov = EVP_KEYMGMT_get0_provider(keymgmt); +} if (keymgmt != NULL) { EVP_PKEY *pkey = NULL; void *keydata = NULL; -const OSSL_PROVIDER *keymgmt_prov = EVP_KEYMGMT_get0_provider(keymgmt); -const OSSL_PROVIDER *decoder_prov = OSSL_DECODER_get0_provider(decoder); /* * If the EVP_KEYMGMT and the OSSL_DECODER are from the @@ -164,6 +188,7 @@ static void decoder_clean_pkey_construct_arg(void *construct_data) struct decoder_pkey_data_st *data = construct_data; if (data != NULL) { +sk_EVP_KEYMGMT_pop_free(data->keymgmts, EVP_KEYMGMT_free); OPENSSL_free(data->propq); OPENSSL_free(data->object_type); OPENSSL_free(data); @@ -315,12 +340,12 @@ int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, const char *propquery) { struct decoder_pkey_data_st *process_data = NULL; -STACK_OF(EVP_KEYMGMT) *keymgmts = NULL; STACK_OF(OPENSSL_CSTRING) *names = NULL; const char *input_type = ctx->start_input_type; const char *input_structure = ctx->input_structure; int ok = 0; int isecoid = 0; +int i, end; if (keytype != NULL && (strcmp(keytype, "id-ecPublicKey") == 0 @@ -342,7 +367,7 @@ int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, if ((process_data = OPENSSL_zalloc(sizeof(*process_data))) == NULL || (propquery != NULL && (process_data->propq = OPENSSL_strdup(propquery)) == NULL) -||