Build completed: openssl openssl-3.0.42838
Build openssl openssl-3.0.42838 completed Commit 6e3d51ae68 by Pauli on 10/9/2021 1:30 PM: property: produce error if a name is duplicated Configure your notification preferences
[openssl] master update
The branch master has been updated via 518ce65d93692ecd4c004b96b47d58da8e5922ea (commit) via a4c4090c21058a75e8bf1ffcc469b6d9755c55ce (commit) via 61cab65029e787d59d3f3138e0160adb8df85f99 (commit) via b3a33dac8880b88038083b64d234506659921436 (commit) from 78de5a94d8e2b0a27ae026de29c195e944a49c6d (commit) - Log - commit 518ce65d93692ecd4c004b96b47d58da8e5922ea Author: Matt Caswell Date: Fri Oct 8 13:45:51 2021 +0100 Update gost-engine to the latest version Update the gost-engine submodule to pick up the latest version including fixes for the default security level of 2. Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/16760) commit a4c4090c21058a75e8bf1ffcc469b6d9755c55ce Author: Matt Caswell Date: Wed Oct 6 15:08:43 2021 +0100 Update document for default security level change Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/16760) commit 61cab65029e787d59d3f3138e0160adb8df85f99 Author: Matt Caswell Date: Tue Oct 5 17:30:09 2021 +0100 Fix tests for new default security level Fix tests that were expecting a default security level of 1 to work with the new default of 2. Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/16760) commit b3a33dac8880b88038083b64d234506659921436 Author: Matt Caswell Date: Tue Oct 5 17:29:35 2021 +0100 Increase the default security level to 2 OTC voted to increase the security level from 1 to 2 Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/16760) --- Summary of changes: CHANGES.md | 9 ++ doc/man3/SSL_CTX_set_security_level.pod | 8 +- gost-engine | 2 +- include/openssl/tls1.h | 2 +- test/ssl-tests/12-ct.cnf| 24 ++-- test/ssl-tests/12-ct.cnf.in | 18 ++- test/ssl-tests/14-curves.cnf| 220 test/ssl-tests/14-curves.cnf.in | 9 +- test/ssl-tests/22-compression.cnf | 32 ++--- test/ssl-tests/22-compression.cnf.in| 16 +++ test/sslapitest.c | 24 +++- 11 files changed, 207 insertions(+), 157 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 963289ca09..4902332206 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -24,6 +24,15 @@ OpenSSL 3.1 ### Changes between 3.0 and 3.1 [xx XXX ] + * The default SSL/TLS security level has been changed from 1 to 2. RSA, + DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys + of 160 bits and above and less than 224 bits were previously accepted by + default but are now no longer allowed. By default TLS compression was + already disabled in previous OpenSSL versions. At security level 2 it cannot + be enabled. + + *Matt Caswell* + * The SSL_CTX_set_cipher_list family functions now accept ciphers using their IANA standard names. diff --git a/doc/man3/SSL_CTX_set_security_level.pod b/doc/man3/SSL_CTX_set_security_level.pod index d9965572c8..85dae713f0 100644 --- a/doc/man3/SSL_CTX_set_security_level.pod +++ b/doc/man3/SSL_CTX_set_security_level.pod @@ -75,10 +75,8 @@ OpenSSL. The security level corresponds to a minimum of 80 bits of security. Any parameters offering below 80 bits of security are excluded. As a result RSA, DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits -are prohibited. All export cipher suites are prohibited since they all offer -less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite -using MD5 for the MAC is also prohibited. Any cipher suites using CCM with -a 64 bit authentication tag are prohibited. +are prohibited. Any cipher suite using MD5 for the MAC is also prohibited. Any +cipher suites using CCM with a 64 bit authentication tag are prohibited. =item B @@ -116,7 +114,7 @@ I =head1 NOTES The default security level can be configured when OpenSSL is compiled by -setting B<-DOPENSSL_TLS_SECURITY_LEVEL=level>. If not set then 1 is used. +setting B<-DOPENSSL_TLS_SECURITY_LEVEL=level>. If not set then 2 is used. The security framework disables or reject parameters inconsistent with the set security level. In the past this was difficult as applications had to set diff --git a/gost-engine b/gost-engine index 9869058423..a6014f3569 16 --- a/gost-engine +++ b/gost-engine @@ -1 +1 @@ -Subproject commit 986905842330e4a54e61334eb508fe3147c43e38 +Subproject commit a6014f3569ca1819b6d3060124f8cdc5125f074e diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h index d6e9331fa1..7be6d473f8 100644 --- a/include/openssl/tls1.h +++ b/include/openssl/tls1.h @@ -28,7 +28,7 @@ extern "C" {
Build failed: openssl master.42837
Build openssl master.42837 failed Commit 78de5a94d8 by Pauli on 10/9/2021 1:29 PM: doc: document that property names are unique Configure your notification preferences
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via ce5b392c8dc99f849dabea8bc9a21f66908b4188 (commit) from c3b89fc770f3e83ddd0976403c1b321496778b38 (commit) - Log - commit ce5b392c8dc99f849dabea8bc9a21f66908b4188 Author: Pauli Date: Thu Sep 30 11:39:41 2021 +1000 doc: document that property names are unique Both queries and definitions only support each individual name appearing once. It is an error to have a name appear more than once. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16716) (cherry picked from commit 78de5a94d8e2b0a27ae026de29c195e944a49c6d) --- Summary of changes: doc/man7/property.pod | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/doc/man7/property.pod b/doc/man7/property.pod index a75f262246..109336ba47 100644 --- a/doc/man7/property.pod +++ b/doc/man7/property.pod @@ -41,7 +41,8 @@ property names like A I is a I pair. A I is a sequence of comma separated properties. -There can be any number of properties in a definition. +There can be any number of properties in a definition, however each name must +be unique. For example: "" defines an empty property definition (i.e., no restriction); "my.foo=bar" defines a property named I which has a string value I and "iteration.count=3" defines a property named I which @@ -68,6 +69,7 @@ Matching such clauses is not a requirement, but any additional optional match counts in favor of the algorithm. More details about that in the B section. A I is a sequence of comma separated property query clauses. +It is an error if a property name appears in more than one query clause. The full syntax for property queries appears below, but the available syntactic features are:
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via c3b89fc770f3e83ddd0976403c1b321496778b38 (commit) from 6e3d51ae6826850580138790bcc13ac7c01d7b47 (commit) - Log - commit c3b89fc770f3e83ddd0976403c1b321496778b38 Author: Pauli Date: Thu Sep 30 11:35:32 2021 +1000 test: add failure testing for property parsing Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16716) (cherry picked from commit 747d142318c5c9ecd80de3f061f54d7af4189039) --- Summary of changes: test/property_test.c | 47 +++ 1 file changed, 47 insertions(+) diff --git a/test/property_test.c b/test/property_test.c index 6cc8eec138..c23ddb0f99 100644 --- a/test/property_test.c +++ b/test/property_test.c @@ -145,6 +145,52 @@ static int test_property_query_value_create(void) return r; } +static const struct { +int query; +const char *ps; +} parse_error_tests[] = { +{ 0, "n=1, n=1" }, /* duplicate name */ +{ 0, "n=1, a=hi, n=1" },/* duplicate name */ +{ 1, "n=1, a=bye, ?n=0" }, /* duplicate name */ +{ 0, "a=abc,#@!, n=1" },/* non-ASCII character located */ +{ 1, "a='Hello" }, /* Unterminated string */ +{ 0, "a=\"World" }, /* Unterminated string */ +{ 1, "a=2, n=012345678" }, /* Bad octal digit */ +{ 0, "n=0x28FG, a=3" }, /* Bad hex digit */ +{ 0, "n=145d, a=2" }, /* Bad decimal digit */ +{ 1, "@='hello'" }, /* Invalid name */ +{ 1, "n0123456789012345678901234567890123456789" + "0123456789012345678901234567890123456789" + "0123456789012345678901234567890123456789" + "0123456789012345678901234567890123456789=yes" }, /* Name too long */ +{ 0, ".n=3" }, /* Invalid name */ +{ 1, "fnord.fnord.=3" } /* Invalid name */ +}; + +static int test_property_parse_error(int n) +{ +OSSL_METHOD_STORE *store; +OSSL_PROPERTY_LIST *p = NULL; +int r = 0; +const char *ps; + +if (!TEST_ptr(store = ossl_method_store_new(NULL)) +|| !add_property_names("a", "n", NULL)) +goto err; +ps = parse_error_tests[n].ps; +if (parse_error_tests[n].query) { +if (!TEST_ptr_null(p = ossl_parse_query(NULL, ps, 1))) +goto err; +} else if (!TEST_ptr_null(p = ossl_parse_property(NULL, ps))) { +goto err; +} +r = 1; + err: +ossl_property_free(p); +ossl_method_store_free(store); +return r; +} + static const struct { const char *q_global; const char *q_local; @@ -493,6 +539,7 @@ int setup_tests(void) ADD_TEST(test_property_string); ADD_TEST(test_property_query_value_create); ADD_ALL_TESTS(test_property_parse, OSSL_NELEM(parser_tests)); +ADD_ALL_TESTS(test_property_parse_error, OSSL_NELEM(parse_error_tests)); ADD_ALL_TESTS(test_property_merge, OSSL_NELEM(merge_tests)); ADD_TEST(test_property_defn_cache); ADD_ALL_TESTS(test_definition_compares, OSSL_NELEM(definition_tests));
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 6e3d51ae6826850580138790bcc13ac7c01d7b47 (commit) from cc51b5d641b098b0188e04f7f8bb3b33b1aa465e (commit) - Log - commit 6e3d51ae6826850580138790bcc13ac7c01d7b47 Author: Pauli Date: Thu Sep 30 11:33:37 2021 +1000 property: produce error if a name is duplicated Neither queries nor definitions handle duplicated property names well. Make having such an error. Fixes #16715 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16716) (cherry picked from commit 8e61832ed7f59c15da003aa86aeaa4e5f44df711) --- Summary of changes: crypto/property/property_parse.c | 20 +--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/crypto/property/property_parse.c b/crypto/property/property_parse.c index 21228b4a39..3673fd7b05 100644 --- a/crypto/property/property_parse.c +++ b/crypto/property/property_parse.c @@ -277,12 +277,16 @@ static void pd_free(OSSL_PROPERTY_DEFINITION *pd) /* * Convert a stack of property definitions and queries into a fixed array. * The items are sorted for efficient query. The stack is not freed. + * This function also checks for duplicated names and returns an error if + * any exist. */ static OSSL_PROPERTY_LIST * -stack_to_property_list(STACK_OF(OSSL_PROPERTY_DEFINITION) *sk) +stack_to_property_list(OSSL_LIB_CTX *ctx, + STACK_OF(OSSL_PROPERTY_DEFINITION) *sk) { const int n = sk_OSSL_PROPERTY_DEFINITION_num(sk); OSSL_PROPERTY_LIST *r; +OSSL_PROPERTY_IDX prev_name_idx = 0; int i; r = OPENSSL_malloc(sizeof(*r) @@ -294,6 +298,16 @@ stack_to_property_list(STACK_OF(OSSL_PROPERTY_DEFINITION) *sk) for (i = 0; i < n; i++) { r->properties[i] = *sk_OSSL_PROPERTY_DEFINITION_value(sk, i); r->has_optional |= r->properties[i].optional; + +/* Check for duplicated names */ +if (i > 0 && r->properties[i].name_idx == prev_name_idx) { +OPENSSL_free(r); +ERR_raise_data(ERR_LIB_PROP, PROP_R_PARSE_FAILED, + "Duplicated name `%s'", + ossl_property_name_str(ctx, prev_name_idx)); +return NULL; +} +prev_name_idx = r->properties[i].name_idx; } r->num_properties = n; } @@ -351,7 +365,7 @@ OSSL_PROPERTY_LIST *ossl_parse_property(OSSL_LIB_CTX *ctx, const char *defn) "HERE-->%s", s); goto err; } -res = stack_to_property_list(sk); +res = stack_to_property_list(ctx, sk); err: OPENSSL_free(prop); @@ -414,7 +428,7 @@ skip_value: "HERE-->%s", s); goto err; } -res = stack_to_property_list(sk); +res = stack_to_property_list(ctx, sk); err: OPENSSL_free(prop);
[openssl] master update
The branch master has been updated via 78de5a94d8e2b0a27ae026de29c195e944a49c6d (commit) via 747d142318c5c9ecd80de3f061f54d7af4189039 (commit) via 8e61832ed7f59c15da003aa86aeaa4e5f44df711 (commit) from 0ce0c455862ed29bd7f2acdbddbe8d0b1783c1c9 (commit) - Log - commit 78de5a94d8e2b0a27ae026de29c195e944a49c6d Author: Pauli Date: Thu Sep 30 11:39:41 2021 +1000 doc: document that property names are unique Both queries and definitions only support each individual name appearing once. It is an error to have a name appear more than once. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16716) commit 747d142318c5c9ecd80de3f061f54d7af4189039 Author: Pauli Date: Thu Sep 30 11:35:32 2021 +1000 test: add failure testing for property parsing Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16716) commit 8e61832ed7f59c15da003aa86aeaa4e5f44df711 Author: Pauli Date: Thu Sep 30 11:33:37 2021 +1000 property: produce error if a name is duplicated Neither queries nor definitions handle duplicated property names well. Make having such an error. Fixes #16715 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16716) --- Summary of changes: crypto/property/property_parse.c | 20 ++--- doc/man7/property.pod| 4 +++- test/property_test.c | 47 3 files changed, 67 insertions(+), 4 deletions(-) diff --git a/crypto/property/property_parse.c b/crypto/property/property_parse.c index 21228b4a39..3673fd7b05 100644 --- a/crypto/property/property_parse.c +++ b/crypto/property/property_parse.c @@ -277,12 +277,16 @@ static void pd_free(OSSL_PROPERTY_DEFINITION *pd) /* * Convert a stack of property definitions and queries into a fixed array. * The items are sorted for efficient query. The stack is not freed. + * This function also checks for duplicated names and returns an error if + * any exist. */ static OSSL_PROPERTY_LIST * -stack_to_property_list(STACK_OF(OSSL_PROPERTY_DEFINITION) *sk) +stack_to_property_list(OSSL_LIB_CTX *ctx, + STACK_OF(OSSL_PROPERTY_DEFINITION) *sk) { const int n = sk_OSSL_PROPERTY_DEFINITION_num(sk); OSSL_PROPERTY_LIST *r; +OSSL_PROPERTY_IDX prev_name_idx = 0; int i; r = OPENSSL_malloc(sizeof(*r) @@ -294,6 +298,16 @@ stack_to_property_list(STACK_OF(OSSL_PROPERTY_DEFINITION) *sk) for (i = 0; i < n; i++) { r->properties[i] = *sk_OSSL_PROPERTY_DEFINITION_value(sk, i); r->has_optional |= r->properties[i].optional; + +/* Check for duplicated names */ +if (i > 0 && r->properties[i].name_idx == prev_name_idx) { +OPENSSL_free(r); +ERR_raise_data(ERR_LIB_PROP, PROP_R_PARSE_FAILED, + "Duplicated name `%s'", + ossl_property_name_str(ctx, prev_name_idx)); +return NULL; +} +prev_name_idx = r->properties[i].name_idx; } r->num_properties = n; } @@ -351,7 +365,7 @@ OSSL_PROPERTY_LIST *ossl_parse_property(OSSL_LIB_CTX *ctx, const char *defn) "HERE-->%s", s); goto err; } -res = stack_to_property_list(sk); +res = stack_to_property_list(ctx, sk); err: OPENSSL_free(prop); @@ -414,7 +428,7 @@ skip_value: "HERE-->%s", s); goto err; } -res = stack_to_property_list(sk); +res = stack_to_property_list(ctx, sk); err: OPENSSL_free(prop); diff --git a/doc/man7/property.pod b/doc/man7/property.pod index a75f262246..109336ba47 100644 --- a/doc/man7/property.pod +++ b/doc/man7/property.pod @@ -41,7 +41,8 @@ property names like A I is a I pair. A I is a sequence of comma separated properties. -There can be any number of properties in a definition. +There can be any number of properties in a definition, however each name must +be unique. For example: "" defines an empty property definition (i.e., no restriction); "my.foo=bar" defines a property named I which has a string value I and "iteration.count=3" defines a property named I which @@ -68,6 +69,7 @@ Matching such clauses is not a requirement, but any additional optional match counts in favor of the algorithm. More details about that in the B section. A I is a sequence of comma separated property query clauses. +It is an error if a property name appears in more than one query clause. The full syntax for property queries appears below, but the available syntactic features are: diff --git a/test/property_test.c b/test/property_test.c index 6cc8eec138..c23ddb0f99 100644 ---
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via a653e037ef0236ea9cd84ec4c94f0bb94aca56ab (commit) from 14357a51130510d87fe5f31e45baaf70bd5c9027 (commit) - Log - commit a653e037ef0236ea9cd84ec4c94f0bb94aca56ab Author: Dmitry Belyavskiy Date: Thu Oct 7 19:14:50 2021 +0200 Bindhost/bindport should be freed Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16775) (cherry picked from commit 0ce0c455862ed29bd7f2acdbddbe8d0b1783c1c9) --- Summary of changes: apps/s_client.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apps/s_client.c b/apps/s_client.c index 83b3fc9c7f..fe34487787 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -3151,6 +3151,8 @@ int s_client_main(int argc, char **argv) #endif OPENSSL_free(connectstr); OPENSSL_free(bindstr); +OPENSSL_free(bindhost); +OPENSSL_free(bindport); OPENSSL_free(host); OPENSSL_free(port); X509_VERIFY_PARAM_free(vpm);
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via cc51b5d641b098b0188e04f7f8bb3b33b1aa465e (commit) from 4c09066ca62130c3a80365b1f94ade6c32b5d13b (commit) - Log - commit cc51b5d641b098b0188e04f7f8bb3b33b1aa465e Author: Dmitry Belyavskiy Date: Thu Oct 7 19:14:50 2021 +0200 Bindhost/bindport should be freed Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16775) (cherry picked from commit 0ce0c455862ed29bd7f2acdbddbe8d0b1783c1c9) --- Summary of changes: apps/s_client.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apps/s_client.c b/apps/s_client.c index 3b9be0e8c2..9ae2e22c1e 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -3040,6 +3040,8 @@ int s_client_main(int argc, char **argv) #endif OPENSSL_free(connectstr); OPENSSL_free(bindstr); +OPENSSL_free(bindhost); +OPENSSL_free(bindport); OPENSSL_free(host); OPENSSL_free(port); OPENSSL_free(thost);
[openssl] master update
The branch master has been updated via 0ce0c455862ed29bd7f2acdbddbe8d0b1783c1c9 (commit) from 59a3e7b29574ff45f62e825f6e9923f45060f142 (commit) - Log - commit 0ce0c455862ed29bd7f2acdbddbe8d0b1783c1c9 Author: Dmitry Belyavskiy Date: Thu Oct 7 19:14:50 2021 +0200 Bindhost/bindport should be freed Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16775) --- Summary of changes: apps/s_client.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apps/s_client.c b/apps/s_client.c index 6ccb7a42d0..760d2de550 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -3056,6 +3056,8 @@ int s_client_main(int argc, char **argv) #endif OPENSSL_free(connectstr); OPENSSL_free(bindstr); +OPENSSL_free(bindhost); +OPENSSL_free(bindport); OPENSSL_free(host); OPENSSL_free(port); OPENSSL_free(thost);