date:20211009

Build completed: openssl openssl-3.0.42838

2021-10-09 Thread AppVeyor



Build openssl openssl-3.0.42838 completed



Commit 6e3d51ae68 by Pauli on 10/9/2021 1:30 PM:

property: produce error if a name is duplicated


Configure your notification preferences

[openssl] master update

2021-10-09 Thread beldmit

The branch master has been updated
   via  518ce65d93692ecd4c004b96b47d58da8e5922ea (commit)
   via  a4c4090c21058a75e8bf1ffcc469b6d9755c55ce (commit)
   via  61cab65029e787d59d3f3138e0160adb8df85f99 (commit)
   via  b3a33dac8880b88038083b64d234506659921436 (commit)
  from  78de5a94d8e2b0a27ae026de29c195e944a49c6d (commit)


- Log -
commit 518ce65d93692ecd4c004b96b47d58da8e5922ea
Author: Matt Caswell 
Date:   Fri Oct 8 13:45:51 2021 +0100

Update gost-engine to the latest version

Update the gost-engine submodule to pick up the latest version
including fixes for the default security level of 2.

Reviewed-by: Dmitry Belyavskiy 
(Merged from https://github.com/openssl/openssl/pull/16760)

commit a4c4090c21058a75e8bf1ffcc469b6d9755c55ce
Author: Matt Caswell 
Date:   Wed Oct 6 15:08:43 2021 +0100

Update document for default security level change

Reviewed-by: Dmitry Belyavskiy 
(Merged from https://github.com/openssl/openssl/pull/16760)

commit 61cab65029e787d59d3f3138e0160adb8df85f99
Author: Matt Caswell 
Date:   Tue Oct 5 17:30:09 2021 +0100

Fix tests for new default security level

Fix tests that were expecting a default security level of 1 to work with
the new default of 2.

Reviewed-by: Dmitry Belyavskiy 
(Merged from https://github.com/openssl/openssl/pull/16760)

commit b3a33dac8880b88038083b64d234506659921436
Author: Matt Caswell 
Date:   Tue Oct 5 17:29:35 2021 +0100

Increase the default security level to 2

OTC voted to increase the security level from 1 to 2

Reviewed-by: Dmitry Belyavskiy 
(Merged from https://github.com/openssl/openssl/pull/16760)

---

Summary of changes:
 CHANGES.md  |   9 ++
 doc/man3/SSL_CTX_set_security_level.pod |   8 +-
 gost-engine |   2 +-
 include/openssl/tls1.h  |   2 +-
 test/ssl-tests/12-ct.cnf|  24 ++--
 test/ssl-tests/12-ct.cnf.in |  18 ++-
 test/ssl-tests/14-curves.cnf| 220 
 test/ssl-tests/14-curves.cnf.in |   9 +-
 test/ssl-tests/22-compression.cnf   |  32 ++---
 test/ssl-tests/22-compression.cnf.in|  16 +++
 test/sslapitest.c   |  24 +++-
 11 files changed, 207 insertions(+), 157 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 963289ca09..4902332206 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -24,6 +24,15 @@ OpenSSL 3.1
 
 ### Changes between 3.0 and 3.1 [xx XXX ]
 
+ * The default SSL/TLS security level has been changed from 1 to 2. RSA,
+   DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys
+   of 160 bits and above and less than 224 bits were previously accepted by
+   default but are now no longer allowed. By default TLS compression was
+   already disabled in previous OpenSSL versions. At security level 2 it cannot
+   be enabled.
+
+   *Matt Caswell*
+
  * The SSL_CTX_set_cipher_list family functions now accept ciphers using their
IANA standard names.
 
diff --git a/doc/man3/SSL_CTX_set_security_level.pod 
b/doc/man3/SSL_CTX_set_security_level.pod
index d9965572c8..85dae713f0 100644
--- a/doc/man3/SSL_CTX_set_security_level.pod
+++ b/doc/man3/SSL_CTX_set_security_level.pod
@@ -75,10 +75,8 @@ OpenSSL.
 The security level corresponds to a minimum of 80 bits of security. Any
 parameters offering below 80 bits of security are excluded. As a result RSA,
 DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits
-are prohibited. All export cipher suites are prohibited since they all offer
-less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite
-using MD5 for the MAC is also prohibited. Any cipher suites using CCM with
-a 64 bit authentication tag are prohibited.
+are prohibited. Any cipher suite using MD5 for the MAC is also prohibited. Any
+cipher suites using CCM with a 64 bit authentication tag are prohibited.
 
 =item B
 
@@ -116,7 +114,7 @@ I
 =head1 NOTES
 
 The default security level can be configured when OpenSSL is compiled by
-setting B<-DOPENSSL_TLS_SECURITY_LEVEL=level>. If not set then 1 is used.
+setting B<-DOPENSSL_TLS_SECURITY_LEVEL=level>. If not set then 2 is used.
 
 The security framework disables or reject parameters inconsistent with the
 set security level. In the past this was difficult as applications had to set
diff --git a/gost-engine b/gost-engine
index 9869058423..a6014f3569 16
--- a/gost-engine
+++ b/gost-engine
@@ -1 +1 @@
-Subproject commit 986905842330e4a54e61334eb508fe3147c43e38
+Subproject commit a6014f3569ca1819b6d3060124f8cdc5125f074e
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index d6e9331fa1..7be6d473f8 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -28,7 +28,7 @@ extern "C" {

Build failed: openssl master.42837

2021-10-09 Thread AppVeyor




Build openssl master.42837 failed


Commit 78de5a94d8 by Pauli on 10/9/2021 1:29 PM:

doc: document that property names are unique


Configure your notification preferences

[openssl] openssl-3.0 update

2021-10-09 Thread Dr . Paul Dale

The branch openssl-3.0 has been updated
   via  ce5b392c8dc99f849dabea8bc9a21f66908b4188 (commit)
  from  c3b89fc770f3e83ddd0976403c1b321496778b38 (commit)


- Log -
commit ce5b392c8dc99f849dabea8bc9a21f66908b4188
Author: Pauli 
Date:   Thu Sep 30 11:39:41 2021 +1000

doc: document that property names are unique

Both queries and definitions only support each individual name appearing 
once.
It is an error to have a name appear more than once.

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16716)

(cherry picked from commit 78de5a94d8e2b0a27ae026de29c195e944a49c6d)

---

Summary of changes:
 doc/man7/property.pod | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/doc/man7/property.pod b/doc/man7/property.pod
index a75f262246..109336ba47 100644
--- a/doc/man7/property.pod
+++ b/doc/man7/property.pod
@@ -41,7 +41,8 @@ property names like
 
 A I is a I pair.
 A I is a sequence of comma separated properties.
-There can be any number of properties in a definition.
+There can be any number of properties in a definition, however each name must
+be unique.
 For example: "" defines an empty property definition (i.e., no restriction);
 "my.foo=bar" defines a property named I which has a string value I
 and "iteration.count=3" defines a property named I which
@@ -68,6 +69,7 @@ Matching such clauses is not a requirement, but any 
additional optional
 match counts in favor of the algorithm.
 More details about that in the B section.
 A I is a sequence of comma separated property query clauses.
+It is an error if a property name appears in more than one query clause.
 The full syntax for property queries appears below, but the available syntactic
 features are:

[openssl] openssl-3.0 update

2021-10-09 Thread Dr . Paul Dale

The branch openssl-3.0 has been updated
   via  c3b89fc770f3e83ddd0976403c1b321496778b38 (commit)
  from  6e3d51ae6826850580138790bcc13ac7c01d7b47 (commit)


- Log -
commit c3b89fc770f3e83ddd0976403c1b321496778b38
Author: Pauli 
Date:   Thu Sep 30 11:35:32 2021 +1000

test: add failure testing for property parsing

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16716)

(cherry picked from commit 747d142318c5c9ecd80de3f061f54d7af4189039)

---

Summary of changes:
 test/property_test.c | 47 +++
 1 file changed, 47 insertions(+)

diff --git a/test/property_test.c b/test/property_test.c
index 6cc8eec138..c23ddb0f99 100644
--- a/test/property_test.c
+++ b/test/property_test.c
@@ -145,6 +145,52 @@ static int test_property_query_value_create(void)
 return r;
 }
 
+static const struct {
+int query;
+const char *ps;
+} parse_error_tests[] = {
+{ 0, "n=1, n=1" },  /* duplicate name */
+{ 0, "n=1, a=hi, n=1" },/* duplicate name */
+{ 1, "n=1, a=bye, ?n=0" },  /* duplicate name */
+{ 0, "a=abc,#@!, n=1" },/* non-ASCII character located */
+{ 1, "a='Hello" },  /* Unterminated string */
+{ 0, "a=\"World" }, /* Unterminated string */
+{ 1, "a=2, n=012345678" },  /* Bad octal digit */
+{ 0, "n=0x28FG, a=3" }, /* Bad hex digit */
+{ 0, "n=145d, a=2" },   /* Bad decimal digit */
+{ 1, "@='hello'" }, /* Invalid name */
+{ 1, "n0123456789012345678901234567890123456789"
+ "0123456789012345678901234567890123456789"
+ "0123456789012345678901234567890123456789"
+ "0123456789012345678901234567890123456789=yes" }, /* Name too long */
+{ 0, ".n=3" },  /* Invalid name */
+{ 1, "fnord.fnord.=3" } /* Invalid name */
+};
+
+static int test_property_parse_error(int n)
+{
+OSSL_METHOD_STORE *store;
+OSSL_PROPERTY_LIST *p = NULL;
+int r = 0;
+const char *ps;
+
+if (!TEST_ptr(store = ossl_method_store_new(NULL))
+|| !add_property_names("a", "n", NULL))
+goto err;
+ps = parse_error_tests[n].ps;
+if (parse_error_tests[n].query) {
+if (!TEST_ptr_null(p = ossl_parse_query(NULL, ps, 1)))
+goto err;
+} else if (!TEST_ptr_null(p = ossl_parse_property(NULL, ps))) {
+goto err;
+}
+r = 1;
+ err:
+ossl_property_free(p);
+ossl_method_store_free(store);
+return r;
+}
+
 static const struct {
 const char *q_global;
 const char *q_local;
@@ -493,6 +539,7 @@ int setup_tests(void)
 ADD_TEST(test_property_string);
 ADD_TEST(test_property_query_value_create);
 ADD_ALL_TESTS(test_property_parse, OSSL_NELEM(parser_tests));
+ADD_ALL_TESTS(test_property_parse_error, OSSL_NELEM(parse_error_tests));
 ADD_ALL_TESTS(test_property_merge, OSSL_NELEM(merge_tests));
 ADD_TEST(test_property_defn_cache);
 ADD_ALL_TESTS(test_definition_compares, OSSL_NELEM(definition_tests));

[openssl] openssl-3.0 update

2021-10-09 Thread Dr . Paul Dale

The branch openssl-3.0 has been updated
   via  6e3d51ae6826850580138790bcc13ac7c01d7b47 (commit)
  from  cc51b5d641b098b0188e04f7f8bb3b33b1aa465e (commit)


- Log -
commit 6e3d51ae6826850580138790bcc13ac7c01d7b47
Author: Pauli 
Date:   Thu Sep 30 11:33:37 2021 +1000

property: produce error if a name is duplicated

Neither queries nor definitions handle duplicated property names well.
Make having such an error.

Fixes #16715

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16716)

(cherry picked from commit 8e61832ed7f59c15da003aa86aeaa4e5f44df711)

---

Summary of changes:
 crypto/property/property_parse.c | 20 +---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/crypto/property/property_parse.c b/crypto/property/property_parse.c
index 21228b4a39..3673fd7b05 100644
--- a/crypto/property/property_parse.c
+++ b/crypto/property/property_parse.c
@@ -277,12 +277,16 @@ static void pd_free(OSSL_PROPERTY_DEFINITION *pd)
 /*
  * Convert a stack of property definitions and queries into a fixed array.
  * The items are sorted for efficient query.  The stack is not freed.
+ * This function also checks for duplicated names and returns an error if
+ * any exist.
  */
 static OSSL_PROPERTY_LIST *
-stack_to_property_list(STACK_OF(OSSL_PROPERTY_DEFINITION) *sk)
+stack_to_property_list(OSSL_LIB_CTX *ctx,
+   STACK_OF(OSSL_PROPERTY_DEFINITION) *sk)
 {
 const int n = sk_OSSL_PROPERTY_DEFINITION_num(sk);
 OSSL_PROPERTY_LIST *r;
+OSSL_PROPERTY_IDX prev_name_idx = 0;
 int i;
 
 r = OPENSSL_malloc(sizeof(*r)
@@ -294,6 +298,16 @@ stack_to_property_list(STACK_OF(OSSL_PROPERTY_DEFINITION) 
*sk)
 for (i = 0; i < n; i++) {
 r->properties[i] = *sk_OSSL_PROPERTY_DEFINITION_value(sk, i);
 r->has_optional |= r->properties[i].optional;
+
+/* Check for duplicated names */
+if (i > 0 && r->properties[i].name_idx == prev_name_idx) {
+OPENSSL_free(r);
+ERR_raise_data(ERR_LIB_PROP, PROP_R_PARSE_FAILED,
+   "Duplicated name `%s'",
+   ossl_property_name_str(ctx, prev_name_idx));
+return NULL;
+}
+prev_name_idx = r->properties[i].name_idx;
 }
 r->num_properties = n;
 }
@@ -351,7 +365,7 @@ OSSL_PROPERTY_LIST *ossl_parse_property(OSSL_LIB_CTX *ctx, 
const char *defn)
"HERE-->%s", s);
 goto err;
 }
-res = stack_to_property_list(sk);
+res = stack_to_property_list(ctx, sk);
 
 err:
 OPENSSL_free(prop);
@@ -414,7 +428,7 @@ skip_value:
"HERE-->%s", s);
 goto err;
 }
-res = stack_to_property_list(sk);
+res = stack_to_property_list(ctx, sk);
 
 err:
 OPENSSL_free(prop);

[openssl] master update

2021-10-09 Thread Dr . Paul Dale

The branch master has been updated
   via  78de5a94d8e2b0a27ae026de29c195e944a49c6d (commit)
   via  747d142318c5c9ecd80de3f061f54d7af4189039 (commit)
   via  8e61832ed7f59c15da003aa86aeaa4e5f44df711 (commit)
  from  0ce0c455862ed29bd7f2acdbddbe8d0b1783c1c9 (commit)


- Log -
commit 78de5a94d8e2b0a27ae026de29c195e944a49c6d
Author: Pauli 
Date:   Thu Sep 30 11:39:41 2021 +1000

doc: document that property names are unique

Both queries and definitions only support each individual name appearing 
once.
It is an error to have a name appear more than once.

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16716)

commit 747d142318c5c9ecd80de3f061f54d7af4189039
Author: Pauli 
Date:   Thu Sep 30 11:35:32 2021 +1000

test: add failure testing for property parsing

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16716)

commit 8e61832ed7f59c15da003aa86aeaa4e5f44df711
Author: Pauli 
Date:   Thu Sep 30 11:33:37 2021 +1000

property: produce error if a name is duplicated

Neither queries nor definitions handle duplicated property names well.
Make having such an error.

Fixes #16715

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16716)

---

Summary of changes:
 crypto/property/property_parse.c | 20 ++---
 doc/man7/property.pod|  4 +++-
 test/property_test.c | 47 
 3 files changed, 67 insertions(+), 4 deletions(-)

diff --git a/crypto/property/property_parse.c b/crypto/property/property_parse.c
index 21228b4a39..3673fd7b05 100644
--- a/crypto/property/property_parse.c
+++ b/crypto/property/property_parse.c
@@ -277,12 +277,16 @@ static void pd_free(OSSL_PROPERTY_DEFINITION *pd)
 /*
  * Convert a stack of property definitions and queries into a fixed array.
  * The items are sorted for efficient query.  The stack is not freed.
+ * This function also checks for duplicated names and returns an error if
+ * any exist.
  */
 static OSSL_PROPERTY_LIST *
-stack_to_property_list(STACK_OF(OSSL_PROPERTY_DEFINITION) *sk)
+stack_to_property_list(OSSL_LIB_CTX *ctx,
+   STACK_OF(OSSL_PROPERTY_DEFINITION) *sk)
 {
 const int n = sk_OSSL_PROPERTY_DEFINITION_num(sk);
 OSSL_PROPERTY_LIST *r;
+OSSL_PROPERTY_IDX prev_name_idx = 0;
 int i;
 
 r = OPENSSL_malloc(sizeof(*r)
@@ -294,6 +298,16 @@ stack_to_property_list(STACK_OF(OSSL_PROPERTY_DEFINITION) 
*sk)
 for (i = 0; i < n; i++) {
 r->properties[i] = *sk_OSSL_PROPERTY_DEFINITION_value(sk, i);
 r->has_optional |= r->properties[i].optional;
+
+/* Check for duplicated names */
+if (i > 0 && r->properties[i].name_idx == prev_name_idx) {
+OPENSSL_free(r);
+ERR_raise_data(ERR_LIB_PROP, PROP_R_PARSE_FAILED,
+   "Duplicated name `%s'",
+   ossl_property_name_str(ctx, prev_name_idx));
+return NULL;
+}
+prev_name_idx = r->properties[i].name_idx;
 }
 r->num_properties = n;
 }
@@ -351,7 +365,7 @@ OSSL_PROPERTY_LIST *ossl_parse_property(OSSL_LIB_CTX *ctx, 
const char *defn)
"HERE-->%s", s);
 goto err;
 }
-res = stack_to_property_list(sk);
+res = stack_to_property_list(ctx, sk);
 
 err:
 OPENSSL_free(prop);
@@ -414,7 +428,7 @@ skip_value:
"HERE-->%s", s);
 goto err;
 }
-res = stack_to_property_list(sk);
+res = stack_to_property_list(ctx, sk);
 
 err:
 OPENSSL_free(prop);
diff --git a/doc/man7/property.pod b/doc/man7/property.pod
index a75f262246..109336ba47 100644
--- a/doc/man7/property.pod
+++ b/doc/man7/property.pod
@@ -41,7 +41,8 @@ property names like
 
 A I is a I pair.
 A I is a sequence of comma separated properties.
-There can be any number of properties in a definition.
+There can be any number of properties in a definition, however each name must
+be unique.
 For example: "" defines an empty property definition (i.e., no restriction);
 "my.foo=bar" defines a property named I which has a string value I
 and "iteration.count=3" defines a property named I which
@@ -68,6 +69,7 @@ Matching such clauses is not a requirement, but any 
additional optional
 match counts in favor of the algorithm.
 More details about that in the B section.
 A I is a sequence of comma separated property query clauses.
+It is an error if a property name appears in more than one query clause.
 The full syntax for property queries appears below, but the available syntactic
 features are:
 
diff --git a/test/property_test.c b/test/property_test.c
index 6cc8eec138..c23ddb0f99 100644
---

[openssl] OpenSSL_1_1_1-stable update

2021-10-09 Thread beldmit

The branch OpenSSL_1_1_1-stable has been updated
   via  a653e037ef0236ea9cd84ec4c94f0bb94aca56ab (commit)
  from  14357a51130510d87fe5f31e45baaf70bd5c9027 (commit)


- Log -
commit a653e037ef0236ea9cd84ec4c94f0bb94aca56ab
Author: Dmitry Belyavskiy 
Date:   Thu Oct 7 19:14:50 2021 +0200

Bindhost/bindport should be freed

Reviewed-by: Matt Caswell 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16775)

(cherry picked from commit 0ce0c455862ed29bd7f2acdbddbe8d0b1783c1c9)

---

Summary of changes:
 apps/s_client.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/apps/s_client.c b/apps/s_client.c
index 83b3fc9c7f..fe34487787 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -3151,6 +3151,8 @@ int s_client_main(int argc, char **argv)
 #endif
 OPENSSL_free(connectstr);
 OPENSSL_free(bindstr);
+OPENSSL_free(bindhost);
+OPENSSL_free(bindport);
 OPENSSL_free(host);
 OPENSSL_free(port);
 X509_VERIFY_PARAM_free(vpm);

[openssl] openssl-3.0 update

2021-10-09 Thread beldmit

The branch openssl-3.0 has been updated
   via  cc51b5d641b098b0188e04f7f8bb3b33b1aa465e (commit)
  from  4c09066ca62130c3a80365b1f94ade6c32b5d13b (commit)


- Log -
commit cc51b5d641b098b0188e04f7f8bb3b33b1aa465e
Author: Dmitry Belyavskiy 
Date:   Thu Oct 7 19:14:50 2021 +0200

Bindhost/bindport should be freed

Reviewed-by: Matt Caswell 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16775)

(cherry picked from commit 0ce0c455862ed29bd7f2acdbddbe8d0b1783c1c9)

---

Summary of changes:
 apps/s_client.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/apps/s_client.c b/apps/s_client.c
index 3b9be0e8c2..9ae2e22c1e 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -3040,6 +3040,8 @@ int s_client_main(int argc, char **argv)
 #endif
 OPENSSL_free(connectstr);
 OPENSSL_free(bindstr);
+OPENSSL_free(bindhost);
+OPENSSL_free(bindport);
 OPENSSL_free(host);
 OPENSSL_free(port);
 OPENSSL_free(thost);

[openssl] master update

2021-10-09 Thread beldmit

The branch master has been updated
   via  0ce0c455862ed29bd7f2acdbddbe8d0b1783c1c9 (commit)
  from  59a3e7b29574ff45f62e825f6e9923f45060f142 (commit)


- Log -
commit 0ce0c455862ed29bd7f2acdbddbe8d0b1783c1c9
Author: Dmitry Belyavskiy 
Date:   Thu Oct 7 19:14:50 2021 +0200

Bindhost/bindport should be freed

Reviewed-by: Matt Caswell 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/16775)

---

Summary of changes:
 apps/s_client.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/apps/s_client.c b/apps/s_client.c
index 6ccb7a42d0..760d2de550 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -3056,6 +3056,8 @@ int s_client_main(int argc, char **argv)
 #endif
 OPENSSL_free(connectstr);
 OPENSSL_free(bindstr);
+OPENSSL_free(bindhost);
+OPENSSL_free(bindport);
 OPENSSL_free(host);
 OPENSSL_free(port);
 OPENSSL_free(thost);

Build completed: openssl openssl-3.0.42838

[openssl] master update

Build failed: openssl master.42837

[openssl] openssl-3.0 update

[openssl] openssl-3.0 update

[openssl] openssl-3.0 update

[openssl] master update

[openssl] OpenSSL_1_1_1-stable update

[openssl] openssl-3.0 update

[openssl] master update

10 matches

Site Navigation

Mail list logo

Footer information