[openssl] master update
The branch master has been updated via a291cfdfdee0cb40a684e1c379eff88ba43f784b (commit) from 9698a56e82da0262146c0f74b40d132f99099850 (commit) - Log - commit a291cfdfdee0cb40a684e1c379eff88ba43f784b Author: Pauli Date: Wed Aug 25 10:06:11 2021 +1000 doc: document the rsa_oaep_md: pkeyopt This was missing but essential for using non-SHA1 digests with OAEP. Fixes #15998 Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16410) --- Summary of changes: doc/man1/openssl-pkeyutl.pod.in | 10 ++ 1 file changed, 10 insertions(+) diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in index 06365ef76d..b0054ead66 100644 --- a/doc/man1/openssl-pkeyutl.pod.in +++ b/doc/man1/openssl-pkeyutl.pod.in @@ -262,6 +262,11 @@ B block structure. For PSS and OAEP padding sets the MGF1 digest. If the MGF1 digest is not explicitly set in PSS mode then the signing digest is used. +=item BI + +Sets the digest used for the OAEP hash function. If not explicitly set then +SHA1 is used. + =back =head1 RSA-PSS ALGORITHM @@ -391,6 +396,11 @@ Verify some data using an L certificate and a specific ID: openssl pkeyutl -verify -certin -in file -inkey sm2.cert -sigfile sig \ -rawin -digest sm3 -pkeyopt distid:someid +Decrypt some data using a private key with OAEP padding using SHA256: + + openssl pkeyutl -decrypt -in file -inkey key.pem -out secret \ +-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 + =head1 SEE ALSO L,
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 7a1a91556cc271d38944410b133a2ab5e2cf8ca8 (commit) from 18622c7625436d7f99c0f51895c4d3cea233c62e (commit) - Log - commit 7a1a91556cc271d38944410b133a2ab5e2cf8ca8 Author: Tianjia Zhang Date: Mon Aug 23 17:40:22 2021 +0800 apps/ciphers: Fix wrong return value when using -convert parameter Command 'openssl ciphers -convert ' always returns failure, this patch set the correct return value. Signed-off-by: Tianjia Zhang Reviewed-by: Paul Yang Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16383) (cherry picked from commit 8b4e9c5265ffd3457ad37133502a9d8a4e8daccd) --- Summary of changes: apps/ciphers.c | 1 + 1 file changed, 1 insertion(+) diff --git a/apps/ciphers.c b/apps/ciphers.c index 0bb33a4aca..e403130eeb 100644 --- a/apps/ciphers.c +++ b/apps/ciphers.c @@ -172,6 +172,7 @@ int ciphers_main(int argc, char **argv) if (convert != NULL) { BIO_printf(bio_out, "OpenSSL cipher name: %s\n", OPENSSL_cipher_name(convert)); +ret = 0; goto end; }
[openssl] master update
The branch master has been updated via 9698a56e82da0262146c0f74b40d132f99099850 (commit) via 31656f27855ddd477349f5960b29d605d32fe38d (commit) from 69b920bb134417213adce260e15da3f751922cf4 (commit) - Log - commit 9698a56e82da0262146c0f74b40d132f99099850 Author: Pauli Date: Tue Aug 24 09:40:52 2021 +1000 aes-wrap: improve error handling The AES wrap cipher was return -1 on error from the provider rather than 0. This is fixed. There was a problem with the error handling in AES wrap which fell back to a default "final error". This adds a fix for the error and more specific errors for the different failure possibilities. Fixes #16387 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16391) commit 31656f27855ddd477349f5960b29d605d32fe38d Author: Pauli Date: Tue Aug 24 09:40:28 2021 +1000 Add invalid input length error Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16391) --- Summary of changes: crypto/err/openssl.txt | 1 + include/openssl/proverr.h | 1 + providers/common/provider_err.c| 2 ++ providers/implementations/ciphers/cipher_aes_wrp.c | 28 -- 4 files changed, 25 insertions(+), 7 deletions(-) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index da3fee84d1..b47293a27a 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -992,6 +992,7 @@ PROV_R_INVALID_DATA:115:invalid data PROV_R_INVALID_DIGEST:122:invalid digest PROV_R_INVALID_DIGEST_LENGTH:166:invalid digest length PROV_R_INVALID_DIGEST_SIZE:218:invalid digest size +PROV_R_INVALID_INPUT_LENGTH:230:invalid input length PROV_R_INVALID_ITERATION_COUNT:123:invalid iteration count PROV_R_INVALID_IV_LENGTH:109:invalid iv length PROV_R_INVALID_KEY:158:invalid key diff --git a/include/openssl/proverr.h b/include/openssl/proverr.h index bdfdda2c93..ad67a8f897 100644 --- a/include/openssl/proverr.h +++ b/include/openssl/proverr.h @@ -59,6 +59,7 @@ # define PROV_R_INVALID_DIGEST122 # define PROV_R_INVALID_DIGEST_LENGTH 166 # define PROV_R_INVALID_DIGEST_SIZE 218 +# define PROV_R_INVALID_INPUT_LENGTH 230 # define PROV_R_INVALID_ITERATION_COUNT 123 # define PROV_R_INVALID_IV_LENGTH 109 # define PROV_R_INVALID_KEY 158 diff --git a/providers/common/provider_err.c b/providers/common/provider_err.c index d08192e64b..344c122112 100644 --- a/providers/common/provider_err.c +++ b/providers/common/provider_err.c @@ -80,6 +80,8 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { "invalid digest length"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_DIGEST_SIZE), "invalid digest size"}, +{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_INPUT_LENGTH), +"invalid input length"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_ITERATION_COUNT), "invalid iteration count"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_INVALID_IV_LENGTH), "invalid iv length"}, diff --git a/providers/implementations/ciphers/cipher_aes_wrp.c b/providers/implementations/ciphers/cipher_aes_wrp.c index f797db4596..8bddf475e2 100644 --- a/providers/implementations/ciphers/cipher_aes_wrp.c +++ b/providers/implementations/ciphers/cipher_aes_wrp.c @@ -152,16 +152,22 @@ static int aes_wrap_cipher_internal(void *vctx, unsigned char *out, return 0; /* Input length must always be non-zero */ -if (inlen == 0) +if (inlen == 0) { +ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_INPUT_LENGTH); return -1; +} /* If decrypting need at least 16 bytes and multiple of 8 */ -if (!ctx->enc && (inlen < 16 || inlen & 0x7)) +if (!ctx->enc && (inlen < 16 || inlen & 0x7)) { +ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_INPUT_LENGTH); return -1; +} /* If not padding input must be multiple of 8 */ -if (!pad && inlen & 0x7) +if (!pad && inlen & 0x7) { +ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_INPUT_LENGTH); return -1; +} if (out == NULL) { if (ctx->enc) { @@ -182,7 +188,15 @@ static int aes_wrap_cipher_internal(void *vctx, unsigned char *out, rv = wctx->wrapfn(>ks.ks, ctx->iv_set ? ctx->iv : NULL, out, in, inlen, ctx->block); -return rv ? (int)rv : -1; +if (!rv) { +ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED); +return -1; +} +if (rv > INT_MAX) { +ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH); +return -1; +} +return (int)rv; } static int aes_wrap_final(void *vctx, unsigned char *out, size_t *outl,
Still FAILED build of OpenSSL branch master with options enable-fuzz-afl no-shared no-module
Platform and configuration command: $ uname -a Linux run 5.4.0-74-generic #83-Ubuntu SMP Sat May 8 02:35:39 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config enable-fuzz-afl no-shared no-module Commit log since last time: 69b920bb13 CMS app: Fix new -wrap option e5f8935c5b changes: add note about 3DES key wrap matching the standard 3d491c054e test: add unit tests for TDES key wrap 06447b58b2 Avoid using undefined value in generate_stateless_cookie_callback 0760d132da Avoid invoking memcpy if size is zero or the supplied buffer is NULL 562d4cd3c3 Fix the array size of dtlsseq in tls1_enc 1501de3380 Add multilib to the NonStop configuration definitions. 33a62d448c VMS: Correct faulty source directory specification 8b4e9c5265 apps/ciphers: Fix wrong return value when using -convert parameter 32f7be2ab7 APPS: Fix result type of dump_cert_text() and behavior of print_name() on out==NULL fdd436436d news/changes: fix formatting nits e1c2913833 cpp: fix included files to avoid failure in no-deprecated builds 2576b70d43 sm2: fix error raise to not fail make update Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 40E777A5A27F:error:068C0100:asn1 encoding routines:ASN1_STRING_set:malloc failure:../openssl/crypto/asn1/asn1_lib.c:311: # 40E777A5A27F:error:068C0100:asn1 encoding routines:asn1_ex_c2i:malloc failure:../openssl/crypto/asn1/tasn_dec.c:944: # 40E777A5A27F:error:0688010A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../openssl/crypto/asn1/tasn_dec.c:685:Field=session_id, Type=SSL_SESSION_ASN1 # 40E777A5A27F:error:0A0C0103:SSL routines:construct_stateless_ticket:internal error:../openssl/ssl/statem/statem_srvr.c:3706: # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 40E777A5A27F:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_s3.c:1584:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:9260 # false # OPENSSL_TEST_RAND_ORDER=1629930058 not ok 372 - iteration 7 # -- # OPENSSL_TEST_RAND_ORDER=1629930058 not ok 74 - test_dh_auto # -- # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 40E777A5A27F:error:068C0100:asn1 encoding routines:ASN1_STRING_set:malloc failure:../openssl/crypto/asn1/asn1_lib.c:311: # 40E777A5A27F:error:068C0100:asn1 encoding routines:asn1_ex_c2i:malloc failure:../openssl/crypto/asn1/tasn_dec.c:944: # 40E777A5A27F:error:0688010A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../openssl/crypto/asn1/tasn_dec.c:685: # 40E777A5A27F:error:0688010A:asn1 encoding routines:asn1_template_ex_d2i:nested asn1 error:../openssl/crypto/asn1/tasn_dec.c:537:Field=session_id_context, Type=SSL_SESSION_ASN1 # 40E777A5A27F:error:0A0C0103:SSL routines:construct_stateless_ticket:internal error:../openssl/ssl/statem/statem_srvr.c:3706: # INFO: @ ../openssl/test/helpers/ssltestlib.c:1004 # No progress made # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:9315 # false # OPENSSL_TEST_RAND_ORDER=1629930058 not ok 75 - test_sni_tls13 # -- ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/cpVNSglCXd default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # -- # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 32. # Looks like you failed 1 test of 1.90-test_sslapi.t ... Dubious, test returned 1 (wstat 256, 0x100) Failed 1/1 subtests Test Summary Report --- 80-test_ssl_new.t(Wstat: 7168 Tests: 30 Failed: 28) Failed tests: 1-21, 23-28, 30 Non-zero exit status: 28 20-test_spkac.t (Wstat: 512 Tests: 4 Failed: 2) Failed tests: 2, 4 Non-zero exit status: 2 25-test_crl.t(Wstat: 256 Tests: 10 Failed: 1) Failed test: 3 Non-zero exit status: 1 25-test_sid.t(Wstat: 256 Tests: 2 Failed: 1) Failed test: 2 Non-zero exit status: 1 65-test_cmp_ctx.t(Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 70-test_asyncio.t(Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 70-test_clienthello.t(Wstat:
[openssl] master update
The branch master has been updated via 69b920bb134417213adce260e15da3f751922cf4 (commit) from e5f8935c5bdf4677618017f7d907ce1d9e3df6a6 (commit) - Log - commit 69b920bb134417213adce260e15da3f751922cf4 Author: Dr. David von Oheimb Date: Tue Aug 24 12:15:41 2021 +0200 CMS app: Fix new -wrap option Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/16396) --- Summary of changes: apps/cms.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/cms.c b/apps/cms.c index b30273f171..76c7896719 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -680,7 +680,7 @@ int cms_main(int argc, char **argv) goto end; break; case OPT_WRAP: -wrapname = opt_unknown(); +wrapname = opt_arg(); break; case OPT_AES128_WRAP: case OPT_AES192_WRAP:
[openssl] master update
The branch master has been updated via e5f8935c5bdf4677618017f7d907ce1d9e3df6a6 (commit) via 3d491c054ea8f662dc9dc499d3029d126a8726d3 (commit) from 06447b58b234be050d405c6c75bfc987c6dcfdf9 (commit) - Log - commit e5f8935c5bdf4677618017f7d907ce1d9e3df6a6 Author: Pauli Date: Tue Aug 24 19:07:18 2021 +1000 changes: add note about 3DES key wrap matching the standard Also note that it is no longer interoperable with 1.1.1. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16343) commit 3d491c054ea8f662dc9dc499d3029d126a8726d3 Author: Pauli Date: Wed Aug 18 11:58:11 2021 +1000 test: add unit tests for TDES key wrap This functionality was completely untested. Doesn't fix #16002 since that's a bug against 1.1.1. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16343) --- Summary of changes: CHANGES.md | 5 test/destest.c | 75 ++ 2 files changed, 80 insertions(+) diff --git a/CHANGES.md b/CHANGES.md index 905ad50a50..ac10632734 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -40,6 +40,11 @@ breaking changes, and mappings for the large list of deprecated functions. *Jan Lána* + * The triple DES key wrap functionality now conforms to RFC 3217 but is + no longer interoperable with OpenSSL 1.1.1. + + *Paul Dale* + * The ERR_GET_FUNC() function was removed. With the loss of meaningful function codes, this function can only cause problems for calling applications. diff --git a/test/destest.c b/test/destest.c index b61c9eecc8..d2f3cfe6a7 100644 --- a/test/destest.c +++ b/test/destest.c @@ -17,6 +17,7 @@ #include #include "testutil.h" +#include "internal/nelem.h" #ifndef OPENSSL_NO_DES # include @@ -697,6 +698,79 @@ static int test_des_quad_cksum(void) return 0; return 1; } + +/* + * Test TDES based key wrapping. + * The wrapping process uses a randomly generated IV so it is difficult to + * undertake KATs. End to end testing is performed instead. + */ +static const int test_des_key_wrap_sizes[] = { +8, 16, 24, 32, 64, 80 +}; + +static int test_des_key_wrap(int idx) +{ +int in_bytes = test_des_key_wrap_sizes[idx]; +unsigned char in[100], c_txt[200], p_txt[200], key[24]; +int clen, clen_upd, clen_fin, plen, plen_upd, plen_fin, expect, bs, i; +EVP_CIPHER *cipher = NULL; +EVP_CIPHER_CTX *ctx = NULL; +int res = 0; + +/* Some sanity checks and cipher loading */ +if (!TEST_size_t_le(in_bytes, sizeof(in)) +|| !TEST_ptr(cipher = EVP_CIPHER_fetch(NULL, "DES3-WRAP", NULL)) +|| !TEST_int_eq(bs = EVP_CIPHER_get_block_size(cipher), 8) +|| !TEST_size_t_eq(bs * 3u, sizeof(key)) +|| !TEST_true(in_bytes % bs == 0) +|| !TEST_ptr(ctx = EVP_CIPHER_CTX_new())) +goto err; + +/* Create random data to end to end test */ +for (i = 0; i < in_bytes; i++) +in[i] = test_random(); + +/* Build the key */ +memcpy(key, cbc_key, sizeof(cbc_key)); +memcpy(key + sizeof(cbc_key), cbc2_key, sizeof(cbc2_key)); +memcpy(key + sizeof(cbc_key) + sizeof(cbc3_key), cbc_key, sizeof(cbc3_key)); + +/* Wrap / encrypt the key */ +clen_upd = sizeof(c_txt); +if (!TEST_true(EVP_EncryptInit(ctx, cipher, key, NULL)) +|| !TEST_true(EVP_EncryptUpdate(ctx, c_txt, _upd, +in, in_bytes))) +goto err; + +expect = (in_bytes + (bs - 1)) / bs * bs + 2 * bs; +if (!TEST_int_eq(clen_upd, expect)) +goto err; + +clen_fin = sizeof(c_txt) - clen_upd; +if (!TEST_true(EVP_EncryptFinal(ctx, c_txt + clen_upd, _fin)) +|| !TEST_int_eq(clen_fin, 0)) +goto err; +clen = clen_upd + clen_fin; + +/* Decrypt the wrapped key */ +plen_upd = sizeof(p_txt); +if (!TEST_true(EVP_DecryptInit(ctx, cipher, key, NULL)) +|| !TEST_true(EVP_DecryptUpdate(ctx, p_txt, _upd, +c_txt, clen))) +goto err; +plen_fin = sizeof(p_txt) - plen_upd; +if (!TEST_true(EVP_DecryptFinal(ctx, p_txt + plen_upd, _fin))) +goto err; +plen = plen_upd + plen_fin; + +if (!TEST_mem_eq(in, in_bytes, p_txt, plen)) +goto err; +res = 1; + err: +EVP_CIPHER_free(cipher); +EVP_CIPHER_CTX_free(ctx); +return res; +} #endif int setup_tests(void) @@ -722,6 +796,7 @@ int setup_tests(void) ADD_TEST(test_des_crypt); ADD_ALL_TESTS(test_input_align, 4); ADD_ALL_TESTS(test_output_align, 4); +ADD_ALL_TESTS(test_des_key_wrap, OSSL_NELEM(test_des_key_wrap_sizes)); #endif return 1; }
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 18622c7625436d7f99c0f51895c4d3cea233c62e (commit) from cf2b1d6f11aa7ec4aa909ff1ecb9bee6892285d9 (commit) - Log - commit 18622c7625436d7f99c0f51895c4d3cea233c62e Author: Bernd Edlinger Date: Sun Aug 22 21:28:51 2021 +0200 Fix some strict gcc-12 warnings Reviewed-by: Paul Dale Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16375) --- Summary of changes: crypto/ec/curve448/field.h | 2 +- ssl/s3_cbc.c | 2 +- ssl/ssl_local.h| 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/ec/curve448/field.h b/crypto/ec/curve448/field.h index ccd04482d2..4ce263d436 100644 --- a/crypto/ec/curve448/field.h +++ b/crypto/ec/curve448/field.h @@ -62,7 +62,7 @@ mask_t gf_eq(const gf x, const gf y); mask_t gf_lobit(const gf x); mask_t gf_hibit(const gf x); -void gf_serialize(uint8_t *serial, const gf x, int with_highbit); +void gf_serialize(uint8_t serial[SER_BYTES], const gf x, int with_highbit); mask_t gf_deserialize(gf x, const uint8_t serial[SER_BYTES], int with_hibit, uint8_t hi_nmask); diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index aa7d63f84a..ae2a330ba5 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -128,7 +128,7 @@ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out, size_t *md_out_size, - const unsigned char header[13], + const unsigned char *header, const unsigned char *data, size_t data_plus_mac_size, size_t data_plus_mac_plus_padding_size, diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index f92472117a..9f346e30e8 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2622,7 +2622,7 @@ __owur char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx); __owur int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out, size_t *md_out_size, - const unsigned char header[13], + const unsigned char *header, const unsigned char *data, size_t data_plus_mac_size, size_t data_plus_mac_plus_padding_size,
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via cf2b1d6f11aa7ec4aa909ff1ecb9bee6892285d9 (commit) from 801abbe01ebd380a9b66f08d59fcc5e8738134a5 (commit) - Log - commit cf2b1d6f11aa7ec4aa909ff1ecb9bee6892285d9 Author: Bernd Edlinger Date: Mon Aug 23 11:11:29 2021 +0200 Avoid using undefined value in generate_stateless_cookie_callback Reviewed-by: Paul Yang Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16381) --- Summary of changes: apps/s_cb.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apps/s_cb.c b/apps/s_cb.c index dee1b2e5b4..d066a423de 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -819,7 +819,9 @@ int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie, { unsigned int temp; int res = generate_cookie_callback(ssl, cookie, ); -*cookie_len = temp; + +if (res != 0) +*cookie_len = temp; return res; }
[openssl] master update
The branch master has been updated via 06447b58b234be050d405c6c75bfc987c6dcfdf9 (commit) from 0760d132da046063f6ac3c28bd2ee1d8505e6fcd (commit) - Log - commit 06447b58b234be050d405c6c75bfc987c6dcfdf9 Author: Bernd Edlinger Date: Mon Aug 23 11:11:29 2021 +0200 Avoid using undefined value in generate_stateless_cookie_callback Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16384) --- Summary of changes: apps/lib/s_cb.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c index 245bae6249..c9a611aa3a 100644 --- a/apps/lib/s_cb.c +++ b/apps/lib/s_cb.c @@ -823,7 +823,8 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie, size_t temp = 0; int res = generate_stateless_cookie_callback(ssl, cookie, ); -*cookie_len = (unsigned int)temp; +if (res != 0) +*cookie_len = (unsigned int)temp; return res; }
[openssl] master update
The branch master has been updated via 0760d132da046063f6ac3c28bd2ee1d8505e6fcd (commit) from 562d4cd3c35b32f2bc6ac0770b80ce394f8d76a4 (commit) - Log - commit 0760d132da046063f6ac3c28bd2ee1d8505e6fcd Author: Paul Dreik Date: Fri Nov 29 19:23:35 2019 +0100 Avoid invoking memcpy if size is zero or the supplied buffer is NULL This allows for passing a NULL pointer with zero max_len. Invoking memcpy on NULL is undefined behaviour, even if the size is zero. https://en.cppreference.com/w/c/string/byte/memcpy The function can now be queried for the necessary buffer length. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/10541) --- Summary of changes: crypto/asn1/evp_asn1.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/crypto/asn1/evp_asn1.c b/crypto/asn1/evp_asn1.c index 3122c4724f..13d8ed3893 100644 --- a/crypto/asn1/evp_asn1.c +++ b/crypto/asn1/evp_asn1.c @@ -27,7 +27,10 @@ int ASN1_TYPE_set_octetstring(ASN1_TYPE *a, unsigned char *data, int len) return 1; } -/* int max_len: for returned value*/ +/* int max_len: for returned value + * if passing NULL in data, nothing is copied but the necessary length + * for it is returned. + */ int ASN1_TYPE_get_octetstring(const ASN1_TYPE *a, unsigned char *data, int max_len) { int ret, num; @@ -43,7 +46,8 @@ int ASN1_TYPE_get_octetstring(const ASN1_TYPE *a, unsigned char *data, int max_l num = ret; else num = max_len; -memcpy(data, p, num); +if (num > 0 && data != NULL) +memcpy(data, p, num); return ret; }
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 801abbe01ebd380a9b66f08d59fcc5e8738134a5 (commit) from a2056b09fbef58bcb79b0fe8b88b592c560eb32f (commit) - Log - commit 801abbe01ebd380a9b66f08d59fcc5e8738134a5 Author: Bernd Edlinger Date: Mon Aug 23 14:03:20 2021 +0200 Fix the array size of dtlsseq in tls1_enc Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16385) (cherry picked from commit 562d4cd3c35b32f2bc6ac0770b80ce394f8d76a4) --- Summary of changes: ssl/record/ssl3_record.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index e6a8bbd710..f158544789 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -1039,7 +1039,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) if (SSL_IS_DTLS(s)) { /* DTLS does not support pipelining */ -unsigned char dtlsseq[9], *p = dtlsseq; +unsigned char dtlsseq[8], *p = dtlsseq; s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(>rlayer) : DTLS_RECORD_LAYER_get_r_epoch(>rlayer), p);
[openssl] master update
The branch master has been updated via 562d4cd3c35b32f2bc6ac0770b80ce394f8d76a4 (commit) from 1501de3380aa1907a6b27c734a3c30f0962048ed (commit) - Log - commit 562d4cd3c35b32f2bc6ac0770b80ce394f8d76a4 Author: Bernd Edlinger Date: Mon Aug 23 14:03:20 2021 +0200 Fix the array size of dtlsseq in tls1_enc Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16385) --- Summary of changes: ssl/record/ssl3_record.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index 30af6508a7..b6ac61e0e8 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -1047,7 +1047,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, if (SSL_IS_DTLS(s)) { /* DTLS does not support pipelining */ -unsigned char dtlsseq[9], *p = dtlsseq; +unsigned char dtlsseq[8], *p = dtlsseq; s2n(sending ? DTLS_RECORD_LAYER_get_w_epoch(>rlayer) : DTLS_RECORD_LAYER_get_r_epoch(>rlayer), p);
[openssl] master update
The branch master has been updated via 1501de3380aa1907a6b27c734a3c30f0962048ed (commit) from 33a62d448c95c01a5bff7be8a00bf95b6a6a6f37 (commit) - Log - commit 1501de3380aa1907a6b27c734a3c30f0962048ed Author: Richard Levitte Date: Tue Aug 24 13:45:27 2021 +0200 Add multilib to the NonStop configuration definitions. Fixes: #16373 Co-authored-by: Randall S. Becker Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16398) --- Summary of changes: Configurations/50-nonstop.conf | 12 +++- NOTES-NONSTOP.md | 8 +++- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/Configurations/50-nonstop.conf b/Configurations/50-nonstop.conf index 7524c50016..ed3fe828b3 100644 --- a/Configurations/50-nonstop.conf +++ b/Configurations/50-nonstop.conf @@ -203,12 +203,14 @@ 'nonstop-ilp32', 'nonstop-efloat-x86_64', 'nonstop-model-put' ], +multilib => '-put', }, 'nonstop-nsx_64' => { inherit_from => [ 'nonstop-common', 'nonstop-archenv-x86_64-oss', 'nonstop-lp64-x86_64', 'nonstop-efloat-x86_64' ], +multilib => '64', disable => ['threads'], }, 'nonstop-nsx_64_put' => { @@ -217,13 +219,15 @@ 'nonstop-lp64-x86_64', 'nonstop-efloat-x86_64', 'nonstop-model-put' ], +multilib => '64-put', }, 'nonstop-nsx_spt' => { inherit_from => [ 'nonstop-common', - 'nonstop-archenv-x86_64-oss', + 'nonstop-archenv-x86_64-oss', 'nonstop-ilp32', 'nonstop-efloat-x86_64', 'nonstop-model-spt' ], +multilib => '-spt', }, 'nonstop-nsx_spt_floss' => { inherit_from => [ 'nonstop-common', @@ -232,6 +236,7 @@ 'nonstop-efloat-x86_64', 'nonstop-model-floss', 'nonstop-model-spt'], +multilib => '-spt', }, 'nonstop-nsx_g' => { inherit_from => [ 'nonstop-common', @@ -261,12 +266,14 @@ 'nonstop-ilp32', 'nonstop-efloat-itanium', 'nonstop-model-put' ], +multilib => '-put', }, 'nonstop-nse_64' => { inherit_from => [ 'nonstop-common', 'nonstop-archenv-itanium-oss', 'nonstop-lp64-itanium', 'nonstop-efloat-itanium' ], +multilib => '64', disable => ['threads'], }, 'nonstop-nse_64_put' => { @@ -275,6 +282,7 @@ 'nonstop-lp64-itanium', 'nonstop-efloat-itanium', 'nonstop-model-put' ], +multilib => '64-put', }, 'nonstop-nse_spt' => { inherit_from => [ 'nonstop-common', @@ -282,6 +290,7 @@ 'nonstop-ilp32', 'nonstop-efloat-itanium', 'nonstop-model-spt' ], +multilib => '-spt', }, 'nonstop-nse_spt_floss' => { inherit_from => [ 'nonstop-common', @@ -289,6 +298,7 @@ 'nonstop-ilp32', 'nonstop-efloat-itanium', 'nonstop-model-floss', 'nonstop-model-spt' ], +multilib => '-spt', }, 'nonstop-nse_g' => { inherit_from => [ 'nonstop-common', diff --git a/NOTES-NONSTOP.md b/NOTES-NONSTOP.md index 171f394a9d..586fbabef0 100644 --- a/NOTES-NONSTOP.md +++ b/NOTES-NONSTOP.md @@ -56,8 +56,14 @@ options, and keeping your memory and float options consistent, for example: * For 1.1 `--prefix=/usr/local-ssl1.1 --openssldir=/usr/local-ssl1.1/ssl` * For 1.1 PUT `--prefix=/usr/local-ssl1.1_put --openssldir=/usr/local-ssl1.1_put/ssl` + +As of 3.0, the NonStop configurations use the multilib attribute to distinguish +between different models: + * For 3.0 `--prefix=/usr/local-ssl3.0 --openssldir=/usr/local-ssl3.0/ssl` - * For 3.0 PUT `--prefix=/usr/local-ssl3.0_put --openssldir=/usr/local-ssl3.0_put/ssl` + +The PUT model is placed in `${prefix}/lib-put` for 32-bit models and +`${prefix}/lib64-put` for 64-bit models. Use the `_RLD_LIB_PATH` environment
[openssl] master update
The branch master has been updated via 33a62d448c95c01a5bff7be8a00bf95b6a6a6f37 (commit) from 8b4e9c5265ffd3457ad37133502a9d8a4e8daccd (commit) - Log - commit 33a62d448c95c01a5bff7be8a00bf95b6a6a6f37 Author: Richard Levitte Date: Mon Aug 23 14:12:28 2021 +0200 VMS: Correct faulty source directory specification $(SRCDIR)/doc doesn't work right on VMS. Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16395) --- Summary of changes: Configurations/descrip.mms.tmpl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 3ffd387903..2d17ddebfd 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -886,9 +886,10 @@ EOF my $title = basename($args{src}, ".html"); my $pod = $gen0; my $mkpod2html = sourcefile('util', 'mkpod2html.pl'); + my $srcdoc = sourcedir('doc'); return <<"EOF"; $args{src} : $pod - \$(PERL) $mkpod2html -i $pod -o \$\@ -t "$title" -r "\$(SRCDIR)/doc" + \$(PERL) $mkpod2html -i $pod -o \$\@ -t "$title" -r "$srcdoc" EOF } elsif ($args{src} =~ /\.(\d)$/) { #
Coverity Scan: Analysis completed for OpenSSL-1.0.2
Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3D5cFn_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeEKPQ-2BY5FHOkqNcOH6tkf1rSEzJJiHd0Wnf1xXbLpCUbBohANS96f12Hfbcgz-2ByeXB0KxbHfwHFgXJ0cNdqFCCsJg6XFjGb4f4anzkkPw2WZSqZ1frK0J89VIVoX3ROTS4Yhq78aE0DjM3-2F6J06SeqjEy8Si2VXHFy2V5tGe8rh9ucGtWuOThwmh-2F9i70CJZYM-3D Build ID: 404121 Analysis Summary: New defects found: 0 Defects eliminated: 0
Coverity Scan: Analysis completed for openssl/openssl
Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DZmCo_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeEk3RP2dXOG5V8dSqFdMV9MK-2FU-2FONFBFN3EjzOfX4yS9c-2Fr3hF-2Bz7aGjaUEcrnSuwF4hD94ewC6HliVXtM46d-2BD7aIoY6QmfV5rv3uY1AVIrsM-2BIWCMGGwXg0HhSeTlgfCbpoEVECcB4kx0l5HQ6oC60rUQ0qh5cK6NV2IuMEVzDW5HfPCclIaXcqOsQugXjgw-3D Build ID: 404120 Analysis Summary: New defects found: 0 Defects eliminated: 0
[openssl] master update
The branch master has been updated via 8b4e9c5265ffd3457ad37133502a9d8a4e8daccd (commit) from 32f7be2ab72ee22e98a2254709cb6128492b207a (commit) - Log - commit 8b4e9c5265ffd3457ad37133502a9d8a4e8daccd Author: Tianjia Zhang Date: Mon Aug 23 17:40:22 2021 +0800 apps/ciphers: Fix wrong return value when using -convert parameter Command 'openssl ciphers -convert ' always returns failure, this patch set the correct return value. Signed-off-by: Tianjia Zhang Reviewed-by: Paul Yang Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16383) --- Summary of changes: apps/ciphers.c | 1 + 1 file changed, 1 insertion(+) diff --git a/apps/ciphers.c b/apps/ciphers.c index 6e4fedd9a7..9c494224a1 100644 --- a/apps/ciphers.c +++ b/apps/ciphers.c @@ -183,6 +183,7 @@ int ciphers_main(int argc, char **argv) if (convert != NULL) { BIO_printf(bio_out, "OpenSSL cipher name: %s\n", OPENSSL_cipher_name(convert)); +ret = 0; goto end; }