[openssl] master update

2021-08-03 Thread Dr. Paul Dale
The branch master has been updated
   via  da496bc159361b0bc22df2432fb07b1cd7491ac2 (commit)
   via  2fc02378ffcd9a266077eeea224890c534b7aaef (commit)
  from  92c03668c0cd77434006b613e3429888a0a8ecfe (commit)


- Log -
commit da496bc159361b0bc22df2432fb07b1cd7491ac2
Author: Beat Bolli 
Date:   Fri Jul 30 18:40:27 2021 +0200

doc: replace markdown backticks with perlpod syntax

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16190)

commit 2fc02378ffcd9a266077eeea224890c534b7aaef
Author: Beat Bolli 
Date:   Fri Jul 30 18:39:51 2021 +0200

doc: use the documented =item markers

The generated lists[1] look weird when using a dash as the list item
character. Perlpod documents[2] '*' for unordered lists and '1.' (note
the period) for ordered lists. Use these characters instead.

[1] e.g. https://www.openssl.org/docs/manmaster/man7/migration_guide.html#New-Algorithms
[2] https://perldoc.perl.org/perlpod

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/16190)

---

Summary of changes:
 doc/internal/man7/deprecation.pod |   4 +-
 doc/man1/openssl-ocsp.pod.in  |   2 +-
 doc/man1/openssl-verification-options.pod |  22 +-
 doc/man3/OSSL_STORE_INFO.pod  |   2 +-
 doc/man7/fips_module.pod  |  14 +-
 doc/man7/migration_guide.pod  | 493 +++---
 doc/man7/passphrase-encoding.pod  |   2 +-
 util/perl/OpenSSL/Template.pm |   4 +-
 8 files changed, 273 insertions(+), 270 deletions(-)

diff --git a/doc/internal/man7/deprecation.pod 
b/doc/internal/man7/deprecation.pod
index 15e1c7aef1..e0efa75ce4 100644
--- a/doc/internal/man7/deprecation.pod
+++ b/doc/internal/man7/deprecation.pod
@@ -21,10 +21,10 @@ Removal of a symbol is not the same thing as deprecation, 
as it actually
 explicitly removes the symbol from public view.
 
 OpenSSL configuration supports deprecation as well as simulating removal of
-symbols from public view (with the configuration option `no-deprecated`, or
+symbols from public view (with the configuration option C, or
 if the user chooses to do so, with L), and also
 supports doing this in terms of a specified OpenSSL version (with the
-configuration option `--api`, or if the user chooses to do so, with
+configuration option C<--api>, or if the user chooses to do so, with
 L).
 
 Deprecation is done using attribute macros named
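Review bot: the first added line reads `C,` with nothing between `C` and the comma, while the removed line carried `no-deprecated` and the later `C<--api>` survived intact; if the angle-bracketed argument was merely lost in mail rendering this is fine, otherwise the line needs `C<no-deprecated>` before it merges.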
diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in
index 0ef1e1a002..fbad5079af 100644
--- a/doc/man1/openssl-ocsp.pod.in
+++ b/doc/man1/openssl-ocsp.pod.in
@@ -371,7 +371,7 @@ subject name.
 
 Port to listen for OCSP requests on. The port may also be specified
 using the B option.
-A `0` argument indicates that any available port shall be chosen automatically.
+A C<0> argument indicates that any available port shall be chosen 
automatically.
 
 =item B<-ignore_err>
 
diff --git a/doc/man1/openssl-verification-options.pod 
b/doc/man1/openssl-verification-options.pod
index c634ccae15..70daa986b8 100644
--- a/doc/man1/openssl-verification-options.pod
+++ b/doc/man1/openssl-verification-options.pod
@@ -274,50 +274,50 @@ among others, the following certificate well-formedness 
conditions are checked:
 
 =over 4
 
-=item -
+=item *
 
 The basicConstraints of CA certificates must be marked critical.
 
-=item -
+=item *
 
 CA certificates must explicitly include the keyUsage extension.
 
-=item -
+=item *
 
 If a pathlenConstraint is given the key usage keyCertSign must be allowed.
 
-=item -
+=item *
 
 The pathlenConstraint must not be given for non-CA certificates.
 
-=item -
+=item *
 
 The issuer name of any certificate must not be empty.
 
-=item -
+=item *
 
 The subject name of CA certs, certs with keyUsage crlSign, and certs
 without subjectAlternativeName must not be empty.
 
-=item -
+=item *
 
 If a subjectAlternativeName extension is given it must not be empty.
 
-=item -
+=item *
 
 The signatureAlgorithm field and the cert signature must be consistent.
 
-=item -
+=item *
 
 Any given authorityKeyIdentifier and any given subjectKeyIdentifier
 must not be marked critical.
 
-=item -
+=item *
 
 The authorityKeyIdentifier must be given for X.509v3 certs unless they
 are self-signed.
 
-=item -
+=item *
 
 The subjectKeyIdentifier must be given for all X.509v3 CA certs.
 
diff --git a/doc/man3/OSSL_STORE_INFO.pod b/doc/man3/OSSL_STORE_INFO.pod
index 299249ceb1..39bb93fbf5 100644
--- a/doc/man3/OSSL_STORE_INFO.pod
+++ b/doc/man3/OSSL_STORE_INFO.pod
@@ -108,7 +108,7 @@ OSSL_STORE_INFO_new_CERT() and OSSL_STORE_INFO_new_CRL()
 create a B object to hold the given input object.
 On success the input object is consumed.
 
-Additionally, for B` 

[openssl] master update

2021-08-03 Thread Dr. Paul Dale
The branch master has been updated
   via  92c03668c0cd77434006b613e3429888a0a8ecfe (commit)
  from  6b38d7dc1bccc708279ca5091ebc28cd4bdf225d (commit)


- Log -
commit 92c03668c0cd77434006b613e3429888a0a8ecfe
Author: Pauli 
Date:   Thu Jul 29 09:55:09 2021 +1000

Add config_diagnostics to our configuration files.

The change to a more configuration based approach to enable FIPS mode
operation highlights a shortcoming in the default should do something
approach we've taken for bad configuration files.

Currently, a bad configuration file will be automatically loaded and
once the badness is detected, it will silently stop processing the
configuration and continue normal operations. This is good for remote
servers, allowing changes to be made without bricking things. It's bad
when a user thinks they've configured what they want but got something
wrong and it still appears to work.

Reviewed-by: Dmitry Belyavskiy 
(Merged from https://github.com/openssl/openssl/pull/16171)

---

Summary of changes:
 apps/openssl-vms.cnf   | 3 +--
 apps/openssl.cnf   | 3 +--
 demos/bio/accept.cnf   | 6 ++
 demos/bio/cmod.cnf | 3 +++
 demos/bio/connect.cnf  | 6 ++
 demos/certs/apps/apps.cnf  | 4 
 demos/certs/ca.cnf | 3 +++
 test/CAtsa.cnf | 3 +++
 test/ca-and-certs.cnf  | 3 +++
 test/ct/log_list.cnf   | 3 +++
 test/default-and-fips.cnf  | 3 +++
 test/default-and-legacy.cnf| 3 +++
 test/default.cnf   | 3 +++
 test/fips-and-base.cnf | 3 +++
 test/fips.cnf  | 3 +++
 test/legacy.cnf| 3 +++
 test/provider_internal_test.cnf.in | 3 +++
 test/proxy.cnf | 3 +++
 test/smime-certs/ca.cnf| 3 +++
 test/sysdefault.cnf| 3 +++
 20 files changed, 63 insertions(+), 4 deletions(-)

diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index f18e63c351..4d96a1f32d 100644
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -16,8 +16,7 @@ HOME  = .
  # Use this in order to automatically load providers.
 openssl_conf = openssl_init
 
-# Comment this out if you deliberately want to ignore
-# configuration errors
+# Comment out the next line to ignore configuration errors
 config_diagnostics = 1
 
 # Extra OBJECT IDENTIFIER info:
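Review bot: the new comment only says what commenting the line out does, not what leaving it in does; since the commit message motivates the change by silently accepted broken configuration (FIPS setup included), the shipped openssl.cnf would serve readers better with something like `# Report configuration errors instead of silently ignoring them;` followed by `# comment out the next line to restore the old behaviour`. The same remark applies to the identical hunk in apps/openssl.cnf below.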
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 97567a67be..ffb424a871 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -16,8 +16,7 @@ HOME  = .
  # Use this in order to automatically load providers.
 openssl_conf = openssl_init
 
-# Comment this out if you deliberately want to ignore
-# configuration errors
+# Comment out the next line to ignore configuration errors
 config_diagnostics = 1
 
 # Extra OBJECT IDENTIFIER info:
diff --git a/demos/bio/accept.cnf b/demos/bio/accept.cnf
index cb0cefba75..ce36678ee9 100644
--- a/demos/bio/accept.cnf
+++ b/demos/bio/accept.cnf
@@ -1,10 +1,16 @@
 # Example configuration file
+
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 # Port to listen on
 Port = 4433
+
 # Disable TLS v1.2 for test.
 # Protocol = ALL, -TLSv1.2
 # Only support 3 curves
 Curves = P-521:P-384:P-256
+
 # Restricted signature algorithms
 SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512
 Certificate=server.pem
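Review bot: every other key in this file (Port, Curves, SignatureAlgorithms, Certificate) is an SSL_CONF command, whereas config_diagnostics is read by the configuration-module loader (CONF_modules_load) from the default section. If the demo that consumes accept.cnf hands each key of the section to SSL_CONF_cmd() instead of loading the file through CONF_modules_load, the added line is at best inert and at worst an unrecognised command; worth confirming the consumer before adding it here, and likewise for the same hunk in demos/bio/connect.cnf.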
diff --git a/demos/bio/cmod.cnf b/demos/bio/cmod.cnf
index 39ac54edd9..df514dba79 100644
--- a/demos/bio/cmod.cnf
+++ b/demos/bio/cmod.cnf
@@ -4,6 +4,9 @@
 # and section containing configuration
 testapp = test_sect
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 [test_sect]
 # list of configuration modules
 
diff --git a/demos/bio/connect.cnf b/demos/bio/connect.cnf
index ab764403a4..0049a77b2d 100644
--- a/demos/bio/connect.cnf
+++ b/demos/bio/connect.cnf
@@ -1,9 +1,15 @@
 # Example configuration file
+
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 # Connects to the default port of s_server
 Connect = localhost:4433
+
 # Disable TLS v1.2 for test.
 # Protocol = ALL, -TLSv1.2
 # Only support 3 curves
 Curves = P-521:P-384:P-256
+
 # Restricted signature algorithms
 SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512
diff --git a/demos/certs/apps/apps.cnf b/demos/certs/apps/apps.cnf
index 07a3d10b55..72ed70de75 100644
--- a/demos/certs/apps/apps.cnf
+++ b/demos/certs/apps/apps.cnf
@@ -7,6 +7,10 @@
 HOME   = .
 CN = "Not Defined"
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
+
 
 [ req ]
 default_bits   = 2048
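Review bot: the insertion leaves three consecutive blank lines after `config_diagnostics = 1` (two added `+` blank lines plus the existing one); drop the extra blank line(s) so the spacing matches the other files in this commit, which add a single blank line after the new setting.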
diff --git 
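
The commit message above describes the failure mode that config_diagnostics addresses: a broken configuration file is loaded, processing stops at the first error, and the application carries on as if nothing happened. A practitioner rolling this out wants a quick way to find the files on a host that still lack the setting. The script below is an added example, not part of the OpenSSL commit or project: a POSIX sh/awk audit helper that reports whether a .cnf file enables config_diagnostics, plus two constructed sample files (one without the setting, one with it) that it is run against. It assumes the same lookup rule as CONF_modules_load(), namely that the key is taken from the default section (the lines before the first [section] header, or a section explicitly named [default]); that rule, the function names and the sample contents are all this example's own.

```shell
#!/bin/sh
# Added example (not part of the OpenSSL commit above): audit OpenSSL-style
# .cnf files for the config_diagnostics setting the commit introduces.
# Assumption: like OpenSSL's CONF_modules_load(), the key is looked up in the
# default section, i.e. the lines before the first [section] header or a
# section explicitly named [default]. Only POSIX sh and awk are needed.

# check_config_diagnostics FILE
# Returns 0 when FILE sets config_diagnostics to a nonzero value in the
# default section, 1 otherwise (missing, zero, or set only in another section).
check_config_diagnostics() {
    awk '
        BEGIN { in_default = 1; found = 0 }
        /^[ \t]*\[/ {
            # A section header; only [default] keeps us in the default section.
            hdr = $0
            sub(/^[ \t]*\[[ \t]*/, "", hdr)
            sub(/[ \t]*].*$/, "", hdr)
            in_default = (hdr == "default")
            next
        }
        in_default {
            line = $0
            sub(/#.*/, "", line)                          # drop comments
            if (match(line, /^[ \t]*config_diagnostics[ \t]*=/)) {
                val = substr(line, RSTART + RLENGTH)
                gsub(/[ \t"]/, "", val)
                found = (val + 0 != 0)                    # last assignment wins
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# write_sample_cnf FILE DIAG
# Writes a constructed minimal provider configuration to FILE; when DIAG is
# non-empty the config_diagnostics line is included with that value.
write_sample_cnf() {
    {
        printf 'openssl_conf = openssl_init\n'
        if [ -n "$2" ]; then
            printf '# Comment out the next line to ignore configuration errors\n'
            printf 'config_diagnostics = %s\n' "$2"
        fi
        printf '\n[openssl_init]\nproviders = provider_sect\n'
        printf '\n[provider_sect]\ndefault = default_sect\n'
        printf '\n[default_sect]\nactivate = 1\n'
    } > "$1"
}

# Demo: the weak file (errors silently ignored) next to the hardened one.
demo_dir=$(mktemp -d)
write_sample_cnf "$demo_dir/weak.cnf" ""
write_sample_cnf "$demo_dir/strict.cnf" 1
for f in "$demo_dir/weak.cnf" "$demo_dir/strict.cnf"; do
    if check_config_diagnostics "$f"; then
        echo "$f: config_diagnostics on, configuration errors will be reported"
    else
        echo "$f: config_diagnostics off, configuration errors are ignored silently"
    fi
done
rm -rf "$demo_dir"
```

Run it over real files with `check_config_diagnostics /etc/ssl/openssl.cnf` and act on the exit status. The check is deliberately limited to files that go through the module loader (openssl.cnf and the test/ and demos/certs/ files in this commit); it says nothing about files whose keys are consumed by SSL_CONF_cmd(), where the setting has no effect.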

[openssl] master update

2021-08-03 Thread beldmit
The branch master has been updated
   via  6b38d7dc1bccc708279ca5091ebc28cd4bdf225d (commit)
  from  ab98861e919b8f8f7fee3f2d44ef3b4b05908a25 (commit)


- Log -
commit 6b38d7dc1bccc708279ca5091ebc28cd4bdf225d
Author: Dmitry Belyavskiy 
Date:   Mon Aug 2 17:00:51 2021 +0200

If we have passed the private key, don't copy it implicitly

Fixes #16197

Reviewed-by: David von Oheimb 
Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16199)

---

Summary of changes:
 apps/req.c  |  2 +-
 doc/man1/openssl-req.pod.in | 11 ++-
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/apps/req.c b/apps/req.c
index eb286f8a8e..5524092f2c 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -686,7 +686,7 @@ int req_main(int argc, char **argv)
 EVP_PKEY_CTX_free(genctx);
 genctx = NULL;
 }
-if (keyout == NULL) {
+if (keyout == NULL && keyfile == NULL) {
 keyout = NCONF_get_string(req_conf, section, KEYFILE);
 if (keyout == NULL)
 ERR_clear_error();
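Review bot: the extra `keyfile == NULL` condition is a user-visible behaviour change: before it, passing B<-key> without B<-keyout> made the tool fall back to the config file's KEYFILE entry and write the caller's existing private key to that second location unasked, which is exactly the implicit copy the commit title objects to. The manpage update in this PR covers it, but a CHANGES.md entry would help anyone whose scripts relied on the key turning up at the configured path.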
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index 7897610818..75d0da1743 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -205,11 +205,12 @@ See L for details.
 =item B<-keyout> I
 
 This gives the filename to write any private key to that has been newly created
-or read from B<-key>.
-If the B<-keyout> option is not given the filename specified in the
-configuration file with the B option is used, if present.
-If a new key is generated and no filename is specified
-the key is written to standard output.
+or read from B<-key>.  If neither the B<-keyout> option nor the B<-key> option
+are given then the filename specified in the configuration file with the
+B option is used, if present.  Thus, if you want to write the
+private key and the B<-key> option is provided, you should provide the
+B<-keyout> option explicitly.  If a new key is generated and no filename is
+specified the key is written to standard output.
 
 =item B<-noenc>
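Review bot: in the added text, "If neither the B<-keyout> option nor the B<-key> option are given" should read "is given" (neither ... nor with singular subjects takes a singular verb). The new lines also use two spaces after full stops where the removed lines used one; pick one style for the paragraph.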
 


Coverity Scan: Analysis completed for OpenSSL-1.0.2

2021-08-03 Thread scan-admin


Your request for analysis of OpenSSL-1.0.2 has been completed successfully.
The results are available at 
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DFy4E_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeGhlviRdg2vARl0RkzxZibJoYI1gsPmCzwGsjTMmRJ9-2Fwc4JRgVsmtN-2BE8e9BC4kmZg7auxpgwuQrTP4thUeHqO738u65kkWZXWphql4ao25B3DACIe9evjonSmX6ayWmRlUR9vtFiJ1W1C-2BMYvKyiVlGS1MiBKVRrtucm-2BMOt4VAvLVmGOlbUyyndaAZ50Dpg-3D

Build ID: 400367

Analysis Summary:
   New defects found: 0
   Defects eliminated: 0



Coverity Scan: Analysis completed for openssl/openssl

2021-08-03 Thread scan-admin


Your request for analysis of openssl/openssl has been completed successfully.
The results are available at 
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DWYzL_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHhVchbitCYNcNPYSe5fjdmz0WTe93XfeVqa-2FypZNRGrzhZbf9OlX0YXHPWBByEL-2FR0WJXyjYvgtb63cS3Jkf-2BzIIACLHDU7kl3hzRSBvypVnw8006vWP9a4MR-2Fe-2BeGeogqou10VbpURnN-2BUUgbIvDvgcGG5CkmMSS7mFtLP58ZQivR0Iaq7M1r-2BZzu9pKUomI-3D

Build ID: 400366

Analysis Summary:
   New defects found: 0
   Defects eliminated: 0