[openssl] master update

2019-06-28 Thread yang . yang
The branch master has been updated
   via  bc42bd6298702a1abf70aa6383d36886dd5af4b3 (commit)
  from  53a11c6da09988efba93eccfdd10bf7edf1d53b2 (commit)


- Log -
commit bc42bd6298702a1abf70aa6383d36886dd5af4b3
Author: Paul Yang 
Date:   Wed Jun 5 14:46:48 2019 +0800

Support SM2 certificate signing

SM2 certificate signing requests can now be created and signed by OpenSSL,
both in the library and in the apps.

Documentation and test cases are added.

Reviewed-by: Tim Hudson 
Reviewed-by: Shane Lontis 
(Merged from https://github.com/openssl/openssl/pull/9085)

---

Summary of changes:
 CHANGES  |   3 +
 apps/ca.c|  68 +++-
 apps/req.c   | 149 +--
 crypto/asn1/a_sign.c |  13 ++-
 crypto/ec/ec_pmeth.c |   3 +-
 crypto/err/openssl.txt   |   3 +
 crypto/include/internal/x509_int.h   |   3 +
 crypto/x509/x509_err.c   |   4 +
 crypto/x509/x_all.c  |  85 +++
 crypto/x509/x_req.c  |  38 ++-
 crypto/x509/x_x509.c |   3 +
 doc/man1/ca.pod  |  16 +++
 doc/man1/req.pod |  21 
 doc/man3/X509_get0_sm2_id.pod|  12 ++-
 include/openssl/x509.h   |   2 +
 include/openssl/x509err.h|   3 +
 test/certs/sm2-csr.pem   |   9 ++
 test/certs/{sm2-ca-cert.pem => sm2-root.crt} |   0
 test/certs/sm2-root.key  |   5 +
 test/recipes/25-test_req.t   |  21 +++-
 test/recipes/70-test_verify_extra.t  |   3 +-
 test/recipes/80-test_ca.t|  20 +++-
 test/verify_extra_test.c |  45 +++-
 util/libcrypto.num   |   2 +
 24 files changed, 487 insertions(+), 44 deletions(-)
 create mode 100644 test/certs/sm2-csr.pem
 copy test/certs/{sm2-ca-cert.pem => sm2-root.crt} (100%)
 create mode 100644 test/certs/sm2-root.key

diff --git a/CHANGES b/CHANGES
index 0b9add5..b99241e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,9 @@
 
  Changes between 1.1.1 and 3.0.0 [xx XXX ]
 
+  *) Support SM2 signing and verification schemes with X509 certificate.
+ [Paul Yang]
+
   *) Use SHA256 as the default digest for TS query in the ts app.
  [Tomas Mraz]
 
diff --git a/apps/ca.c b/apps/ca.c
index 4464b2b..b188b9b 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -96,7 +96,8 @@ static int certify(X509 **xret, const char *infile, EVP_PKEY 
*pkey, X509 *x509,
const char *enddate,
long days, int batch, const char *ext_sect, CONF *conf,
int verbose, unsigned long certopt, unsigned long nameopt,
-   int default_op, int ext_copy, int selfsign);
+   int default_op, int ext_copy, int selfsign,
+   unsigned char *sm2_id, size_t sm2idlen);
 static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 
*x509,
 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
 STACK_OF(CONF_VALUE) *policy, CA_DB *db,
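Review bot: The two parameters added to the certify() prototype are spelled `sm2_id` and `sm2idlen`, while ca_main in the same commit declares `sm2_id` and `sm2_idlen`; one spelling should be used throughout. If certify() only reads the ID (its body is outside this hunk), declaring the parameter as `const unsigned char *sm2_id` would also make it clear that the caller keeps ownership of the buffer.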
@@ -147,7 +148,7 @@ typedef enum OPTION_choice {
 OPT_INFILES, OPT_SS_CERT, OPT_SPKAC, OPT_REVOKE, OPT_VALID,
 OPT_EXTENSIONS, OPT_EXTFILE, OPT_STATUS, OPT_UPDATEDB, OPT_CRLEXTS,
 OPT_RAND_SERIAL,
-OPT_R_ENUM,
+OPT_R_ENUM, OPT_SM2ID, OPT_SM2HEXID,
 /* Do not change the order here; see related case statements below */
 OPT_CRL_REASON, OPT_CRL_HOLD, OPT_CRL_COMPROMISE, OPT_CRL_CA_COMPROMISE
 } OPTION_CHOICE;
@@ -218,6 +219,12 @@ const OPTIONS ca_options[] = {
 #ifndef OPENSSL_NO_ENGINE
 {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
+#ifndef OPENSSL_NO_SM2
+{"sm2-id", OPT_SM2ID, 's',
+ "Specify an ID string to verify an SM2 certificate request"},
+{"sm2-hex-id", OPT_SM2HEXID, 's',
+ "Specify a hex ID string to verify an SM2 certificate request"},
+#endif
 {NULL}
 };
 
@@ -262,6 +269,9 @@ int ca_main(int argc, char **argv)
 REVINFO_TYPE rev_type = REV_NONE;
 X509_REVOKED *r = NULL;
 OPTION_CHOICE o;
+unsigned char *sm2_id = NULL;
+size_t sm2_idlen = 0;
+int sm2_free = 0;
 
 prog = opt_init(argc, argv, ca_options);
 while ((o = opt_next()) != OPT_EOF) {
@@ -425,6 +435,30 @@ opthelp:
 case OPT_ENGINE:
 e = setup_engine(opt_arg(), 0);
 break;
+case OPT_SM2ID:
+/* we assume the input is not a hex string */
+if (sm2_id != NULL) {
+BIO_printf(bio_err,
+   "Use one of the 

[openssl] master update

2019-06-26 Thread yang . yang
The branch master has been updated
   via  4b931252bedae3f1a5c1b9836ca20a5af9445bc7 (commit)
  from  edc62356485257a37eb8775f25c5a19345b83a50 (commit)


- Log -
commit 4b931252bedae3f1a5c1b9836ca20a5af9445bc7
Author: Paul Yang 
Date:   Wed Jun 26 17:36:56 2019 +0800

Fix incorrect usage of a test case

test/x509_check_cert_pkey_test.c has incorrect usage description.

Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/9250)

---

Summary of changes:
 test/x509_check_cert_pkey_test.c | 9 +
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/test/x509_check_cert_pkey_test.c b/test/x509_check_cert_pkey_test.c
index 434054f..6c1587b 100644
--- a/test/x509_check_cert_pkey_test.c
+++ b/test/x509_check_cert_pkey_test.c
@@ -110,10 +110,11 @@ const OPTIONS *test_get_options(void)
 {
 enum { OPT_TEST_ENUM };
 static const OPTIONS test_options[] = {
-OPT_TEST_OPTIONS_WITH_EXTRA_USAGE("certname key.pem type expected\n"),
-{ OPT_HELP_STR, 1, '-', "certname\tCertificate filename .pem/.req\n" },
-{ OPT_HELP_STR, 1, '-', "type\t\tvalue must be 'pem' or 'req'\n" },
-{ OPT_HELP_STR, 1, '-', "expected\tthe expected return value\n" },
+OPT_TEST_OPTIONS_WITH_EXTRA_USAGE("cert key type expected\n"),
+{ OPT_HELP_STR, 1, '-', "cert\tcertificate or CSR filename in PEM\n" },
+{ OPT_HELP_STR, 1, '-', "key\tprivate key filename in PEM\n" },
+{ OPT_HELP_STR, 1, '-', "type\t\tvalue must be 'cert' or 'req'\n" },
+{ OPT_HELP_STR, 1, '-', "expected\tthe expected return value, either 
'ok' or 'failed'\n" },
 { NULL }
 };
 return test_options;


[openssl] master update

2019-06-15 Thread yang . yang
The branch master has been updated
   via  4bfe304ea85ed4b2b00dd0857ccf9bdeba4ce7b5 (commit)
  from  07c244f0cdb0dc47611b95e3f89f52b75b90a814 (commit)


- Log -
commit 4bfe304ea85ed4b2b00dd0857ccf9bdeba4ce7b5
Author: Paul Yang 
Date:   Thu Jun 6 11:42:02 2019 +0800

Add documentation for X509_cmp and related APIs

Fixes: #9088

Functions documented in this commit: X509_cmp, X509_NAME_cmp,
X509_issuer_and_serial_cmp, X509_issuer_name_cmp, X509_subject_name_cmp,
X509_CRL_cmp, X509_CRL_match

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/9091)

---

Summary of changes:
 doc/man3/X509_cmp.pod | 80 +++
 1 file changed, 80 insertions(+)
 create mode 100644 doc/man3/X509_cmp.pod

diff --git a/doc/man3/X509_cmp.pod b/doc/man3/X509_cmp.pod
new file mode 100644
index 000..3cb16b2
--- /dev/null
+++ b/doc/man3/X509_cmp.pod
@@ -0,0 +1,80 @@
+=pod
+
+=head1 NAME
+
+X509_cmp, X509_NAME_cmp,
+X509_issuer_and_serial_cmp, X509_issuer_name_cmp, X509_subject_name_cmp,
+X509_CRL_cmp, X509_CRL_match
+- compare X509 certificates and related values
+
+=head1 SYNOPSIS
+
+ #include 
+
+ int X509_cmp(const X509 *a, const X509 *b);
+ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
+ int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b);
+ int X509_issuer_name_cmp(const X509 *a, const X509 *b);
+ int X509_subject_name_cmp(const X509 *a, const X509 *b);
+ int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
+ int X509_CRL_match(const X509_CRL *a, const X509_CRL *b);
+
+=head1 DESCRIPTION
+
+This set of functions are used to compare X509 objects, including X509
+certificates, X509 CRL objects and various values in an X509 certificate.
+
+The X509_cmp() function compares two B objects indicated by parameters
+B and B. The comparison is based on the B result of the hash
+values of two B objects and the canonical (DER) encoding values.
+
+The X509_NAME_cmp() function compares two B objects indicated by
+parameters B and B. The comparison is based on the B result of
+the canonical (DER) encoding values of the two objects. L
+has a more detailed description of the DER encoding of the B 
structure.
+
+The X509_issuer_and_serial_cmp() function compares the serial number and issuer
+values in the given B objects B and B.
+
+The X509_issuer_name_cmp(), X509_subject_name_cmp() and X509_CRL_cmp() 
functions
+are effectively wrappers of the X509_NAME_cmp() function. These functions 
compare
+issuer names and subject names of the X<509> objects, or issuers of B
+objects, respectively.
+
+The X509_CRL_match() function compares two B objects. Unlike the
+X509_CRL_cmp() function, this function compares the whole CRL content instead
+of just the issuer name.
+
+=head1 RETURN VALUES
+
+Like common memory comparison functions, the B comparison functions 
return
+an integer less than, equal to, or greater than zero if object B is found to
+be less than, to match, or be greater than object B, respectively.
+
+X509_NAME_cmp(), X509_issuer_and_serial_cmp(), X509_issuer_name_cmp(),
+X509_subject_name_cmp() and X509_CRL_cmp() may return B<-2> to indicate an 
error.
+
+=head1 NOTES
+
+These functions in fact utilize the underlying B of the C library to do
+the comparison job. Data to be compared varies from DER encoding data, hash
+value or B. The sign of the comparison can be used to order the
+objects but it does not have a special meaning in some cases.
+
+X509_NAME_cmp() and wrappers utilize the value B<-2> to indicate errors in some
+circumstances, which could cause confusion for the applications.
+
+=head1 SEE ALSO
+
+L, L
+
+=head1 COPYRIGHT
+
+Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L.
+
+=cut


[openssl] OpenSSL_1_1_1-stable update

2019-06-15 Thread yang . yang
The branch OpenSSL_1_1_1-stable has been updated
   via  ea5d4b89cc6f0273d5085f5902b68fc4aa32cb80 (commit)
  from  ed29a5f72e0d43526e9e5e7e9ff7de478ee99a50 (commit)


- Log -
commit ea5d4b89cc6f0273d5085f5902b68fc4aa32cb80
Author: Paul Yang 
Date:   Thu Jun 6 11:42:02 2019 +0800

Add documentation for X509_cmp and related APIs

Fixes: #9088

Functions documented in this commit: X509_cmp, X509_NAME_cmp,
X509_issuer_and_serial_cmp, X509_issuer_name_cmp, X509_subject_name_cmp,
X509_CRL_cmp, X509_CRL_match

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/9091)

(cherry picked from commit 4bfe304ea85ed4b2b00dd0857ccf9bdeba4ce7b5)

---

Summary of changes:
 doc/man3/X509_cmp.pod | 80 +++
 1 file changed, 80 insertions(+)
 create mode 100644 doc/man3/X509_cmp.pod

diff --git a/doc/man3/X509_cmp.pod b/doc/man3/X509_cmp.pod
new file mode 100644
index 000..3cb16b2
--- /dev/null
+++ b/doc/man3/X509_cmp.pod
@@ -0,0 +1,80 @@
+=pod
+
+=head1 NAME
+
+X509_cmp, X509_NAME_cmp,
+X509_issuer_and_serial_cmp, X509_issuer_name_cmp, X509_subject_name_cmp,
+X509_CRL_cmp, X509_CRL_match
+- compare X509 certificates and related values
+
+=head1 SYNOPSIS
+
+ #include 
+
+ int X509_cmp(const X509 *a, const X509 *b);
+ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
+ int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b);
+ int X509_issuer_name_cmp(const X509 *a, const X509 *b);
+ int X509_subject_name_cmp(const X509 *a, const X509 *b);
+ int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
+ int X509_CRL_match(const X509_CRL *a, const X509_CRL *b);
+
+=head1 DESCRIPTION
+
+This set of functions are used to compare X509 objects, including X509
+certificates, X509 CRL objects and various values in an X509 certificate.
+
+The X509_cmp() function compares two B objects indicated by parameters
+B and B. The comparison is based on the B result of the hash
+values of two B objects and the canonical (DER) encoding values.
+
+The X509_NAME_cmp() function compares two B objects indicated by
+parameters B and B. The comparison is based on the B result of
+the canonical (DER) encoding values of the two objects. L
+has a more detailed description of the DER encoding of the B 
structure.
+
+The X509_issuer_and_serial_cmp() function compares the serial number and issuer
+values in the given B objects B and B.
+
+The X509_issuer_name_cmp(), X509_subject_name_cmp() and X509_CRL_cmp() 
functions
+are effectively wrappers of the X509_NAME_cmp() function. These functions 
compare
+issuer names and subject names of the X<509> objects, or issuers of B
+objects, respectively.
+
+The X509_CRL_match() function compares two B objects. Unlike the
+X509_CRL_cmp() function, this function compares the whole CRL content instead
+of just the issuer name.
+
+=head1 RETURN VALUES
+
+Like common memory comparison functions, the B comparison functions 
return
+an integer less than, equal to, or greater than zero if object B is found to
+be less than, to match, or be greater than object B, respectively.
+
+X509_NAME_cmp(), X509_issuer_and_serial_cmp(), X509_issuer_name_cmp(),
+X509_subject_name_cmp() and X509_CRL_cmp() may return B<-2> to indicate an 
error.
+
+=head1 NOTES
+
+These functions in fact utilize the underlying B of the C library to do
+the comparison job. Data to be compared varies from DER encoding data, hash
+value or B. The sign of the comparison can be used to order the
+objects but it does not have a special meaning in some cases.
+
+X509_NAME_cmp() and wrappers utilize the value B<-2> to indicate errors in some
+circumstances, which could cause confusion for the applications.
+
+=head1 SEE ALSO
+
+L, L
+
+=head1 COPYRIGHT
+
+Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L.
+
+=cut


[openssl] master update

2019-04-09 Thread yang . yang
The branch master has been updated
   via  ccf453610f48fe88968f0cfc63784b503eae33a0 (commit)
  from  bbcaef632440067d173e2c4bfc40dd96ef2c0112 (commit)


- Log -
commit ccf453610f48fe88968f0cfc63784b503eae33a0
Author: Paul Yang 
Date:   Mon Apr 1 10:21:53 2019 +0900

Make X509_set_sm2_id consistent with other setters

This commit changes X509_set_sm2_id to 'set0' behaviour, which means
memory management of the sm2_id parameter is passed to the X509 object and
the user doesn't need to free it later. The API name also changes to X509_set0_sm2_id.

Document and test case are also updated.

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/8626)

---

Summary of changes:
 apps/verify.c  | 40 +
 crypto/include/internal/x509_int.h |  2 +-
 crypto/x509/x_all.c|  5 -
 crypto/x509/x_x509.c   | 13 ---
 doc/man3/X509_get0_sm2_id.pod  | 12 ++
 include/openssl/x509.h |  2 +-
 test/verify_extra_test.c   | 46 ++
 util/libcrypto.num |  2 +-
 8 files changed, 97 insertions(+), 25 deletions(-)

diff --git a/apps/verify.c b/apps/verify.c
index 67d3276..3767972 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -246,27 +246,37 @@ static int check(X509_STORE *ctx, const char *file,
 
 if (sm2id != NULL) {
 #ifndef OPENSSL_NO_SM2
-ASN1_OCTET_STRING v;
+ASN1_OCTET_STRING *v;
 
-v.data = sm2id;
-v.length = sm2idlen;
+v = ASN1_OCTET_STRING_new();
+if (v == NULL) {
+BIO_printf(bio_err, "error: SM2 ID allocation failed\n");
+goto end;
+}
 
-X509_set_sm2_id(x, );
+if (!ASN1_OCTET_STRING_set(v, sm2id, sm2idlen)) {
+BIO_printf(bio_err, "error: setting SM2 ID failed\n");
+ASN1_OCTET_STRING_free(v);
+goto end;
+}
+
+X509_set0_sm2_id(x, v);
 #endif
 }
 
 csc = X509_STORE_CTX_new();
 if (csc == NULL) {
-printf("error %s: X.509 store context allocation failed\n",
-   (file == NULL) ? "stdin" : file);
+BIO_printf(bio_err, "error %s: X.509 store context allocation 
failed\n",
+   (file == NULL) ? "stdin" : file);
 goto end;
 }
 
 X509_STORE_set_flags(ctx, vflags);
 if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {
 X509_STORE_CTX_free(csc);
-printf("error %s: X.509 store context initialization failed\n",
-   (file == NULL) ? "stdin" : file);
+BIO_printf(bio_err,
+   "error %s: X.509 store context initialization failed\n",
+   (file == NULL) ? "stdin" : file);
 goto end;
 }
 if (tchain != NULL)
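Review bot: `ASN1_OCTET_STRING_set(v, sm2id, sm2idlen)` takes its length as an `int`, while `sm2idlen` is a `size_t` parameter of check() (the signature is outside this hunk), so the value is narrowed implicitly. A length above INT_MAX would become negative, and ASN1_STRING_set treats a length of -1 as "use strlen". That is unlikely for a command-line argument, but an explicit bound makes the assumption visible: `if (sm2idlen > INT_MAX) goto end;` placed before `ASN1_OCTET_STRING_new()`, with `(int)sm2idlen` in the call. A short comment after `X509_set0_sm2_id(x, v);` such as `/* x now owns v; do not free it here */` would also help, since the earlier error path does free `v`.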
@@ -275,28 +285,30 @@ static int check(X509_STORE *ctx, const char *file,
 X509_STORE_CTX_set0_crls(csc, crls);
 i = X509_verify_cert(csc);
 if (i > 0 && X509_STORE_CTX_get_error(csc) == X509_V_OK) {
-printf("%s: OK\n", (file == NULL) ? "stdin" : file);
+BIO_printf(bio_out, "%s: OK\n", (file == NULL) ? "stdin" : file);
 ret = 1;
 if (show_chain) {
 int j;
 
 chain = X509_STORE_CTX_get1_chain(csc);
 num_untrusted = X509_STORE_CTX_get_num_untrusted(csc);
-printf("Chain:\n");
+BIO_printf(bio_out, "Chain:\n");
 for (j = 0; j < sk_X509_num(chain); j++) {
 X509 *cert = sk_X509_value(chain, j);
-printf("depth=%d: ", j);
+BIO_printf(bio_out, "depth=%d: ", j);
 X509_NAME_print_ex_fp(stdout,
   X509_get_subject_name(cert),
   0, get_nameopt());
 if (j < num_untrusted)
-printf(" (untrusted)");
-printf("\n");
+BIO_printf(bio_out, " (untrusted)");
+BIO_printf(bio_out, "\n");
 }
 sk_X509_pop_free(chain, X509_free);
 }
 } else {
-printf("error %s: verification failed\n", (file == NULL) ? "stdin" : 
file);
+BIO_printf(bio_err,
+   "error %s: verification failed\n",
+   (file == NULL) ? "stdin" : file);
 }
 X509_STORE_CTX_free(csc);
 
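Review bot: `X509_NAME_print_ex_fp(stdout, ...)` in the show_chain loop stays on stdio while every surrounding `printf` moves to `bio_out`, so "depth=N: ", the subject name and " (untrusted)" now go through two separately buffered channels. Depending on how `bio_out` is set up (not visible here), the pieces of one line may come out in a different order. The BIO variant keeps them on one stream: `X509_NAME_print_ex(bio_out, X509_get_subject_name(cert), 0, get_nameopt());`. check()'s body starts and ends outside this hunk.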
diff --git a/crypto/include/internal/x509_int.h 
b/crypto/include/internal/x509_int.h
index 93f923e..7c40b15 100644
--- a/crypto/include/internal/x509_int.h
+++ b/crypto/include/internal/x509_int.h
@@ -184,7 +184,7 @@ struct x509_st {
 CRYPTO_RWLOCK *lock;
 volatile int ex_cached;
 # ifndef OPENSSL_NO_SM2
-ASN1_OCTET_STRING sm2_id;
+ASN1_OCTET_STRING *sm2_id;
 # endif
 } /* X509 */ ;
 
diff --git a/crypto/x509/x_all.c 

[openssl] master update

2019-03-29 Thread yang . yang
The branch master has been updated
   via  875c9a9a342383b3c3fd74a5c872bbf3fe9cdbd3 (commit)
   via  7eba43e837eb3669d6b32d4ba27c3e93db29b8c3 (commit)
   via  317ba78fe16380dbcd16f846794e58f498e975a4 (commit)
  from  3a8269b3194f7528e3657cef70fe2db1ed38b755 (commit)


- Log -
commit 875c9a9a342383b3c3fd74a5c872bbf3fe9cdbd3
Author: Paul Yang 
Date:   Wed Mar 13 18:04:05 2019 +0800

Fix a memleak in apps/verify

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/8465)

commit 7eba43e837eb3669d6b32d4ba27c3e93db29b8c3
Author: Paul Yang 
Date:   Wed Mar 13 17:22:31 2019 +0800

Add documents for SM2 cert verification

This follows #8321 which added the SM2 certificate verification feature.
This commit adds the related docs - the newly added 2 APIs and options
in apps/verify.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/8465)

commit 317ba78fe16380dbcd16f846794e58f498e975a4
Author: Paul Yang 
Date:   Wed Mar 13 16:54:11 2019 +0800

Add test cases for SM2 cert verification

This follows #8321 which added the SM2 certificate verification feature.
This commit adds some test cases for #8321.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/8465)

---

Summary of changes:
 apps/verify.c   |  4 
 doc/man1/verify.pod | 16 ++-
 doc/man3/X509_get0_sm2_id.pod   | 43 +
 test/certs/sm2-ca-cert.pem  | 14 ++
 test/certs/{sm2.crt => sm2.pem} |  0
 test/recipes/20-test_pkeyutl.t  |  6 +++---
 test/recipes/25-test_verify.t   | 14 +-
 7 files changed, 92 insertions(+), 5 deletions(-)
 create mode 100644 doc/man3/X509_get0_sm2_id.pod
 create mode 100644 test/certs/sm2-ca-cert.pem
 rename test/certs/{sm2.crt => sm2.pem} (100%)

diff --git a/apps/verify.c b/apps/verify.c
index fcd10dd..67d3276 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -80,6 +80,7 @@ int verify_main(int argc, char **argv)
 OPTION_CHOICE o;
 unsigned char *sm2_id = NULL;
 size_t sm2_idlen = 0;
+int sm2_free = 0;
 
 if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
 goto end;
@@ -174,6 +175,7 @@ int verify_main(int argc, char **argv)
 break;
 case OPT_SM2HEXID:
 /* try to parse the input as hex string first */
+sm2_free = 1;
 sm2_id = OPENSSL_hexstr2buf(opt_arg(), (long *)_idlen);
 if (sm2_id == NULL) {
 BIO_printf(bio_err, "Invalid hex string input\n");
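Review bot: The length out-parameter of `OPENSSL_hexstr2buf()` is a `long *`, but the call hands it the `size_t sm2_idlen` declared at the top of verify_main through a `(long *)` cast (the operand is partly lost in this rendering of the line). On platforms where `long` is narrower than `size_t`, 64-bit Windows for example, only part of the object is written. Receiving the length in a `long` and converting after a sign check avoids the cast: `long len = 0;`, `sm2_id = OPENSSL_hexstr2buf(opt_arg(), &len);`, `sm2_idlen = (size_t)len;`. The same call is added in the OPT_SM2HEXID case of the "Support SM2 certificate verification" commit further down this page.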
@@ -216,6 +218,8 @@ int verify_main(int argc, char **argv)
 }
 
  end:
+if (sm2_free)
+OPENSSL_free(sm2_id);
 X509_VERIFY_PARAM_free(vpm);
 X509_STORE_free(store);
 sk_X509_pop_free(untrusted, X509_free);
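Review bot: `if (sm2_free) OPENSSL_free(sm2_id);` frees whatever `sm2_id` holds at exit, but `sm2_free` is never cleared once it has been set. The OPT_SM2ID case (outside this hunk; shown in the "Support SM2 certificate verification" commit on this page) assigns `sm2_id = (unsigned char *)opt_arg();`, so if both ID options are given with the hex one first, the cleanup passes a pointer that did not come from the OpenSSL allocator to OPENSSL_free. A repeated `-sm2-hex-id` also overwrites and leaks the first buffer. Rejecting a second ID option in both cases keeps the flag and the pointer in step, e.g. `if (sm2_id != NULL) { BIO_printf(bio_err, "Use only one SM2 ID option\n"); goto end; }`.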
diff --git a/doc/man1/verify.pod b/doc/man1/verify.pod
index 6465fd8..10fd848 100644
--- a/doc/man1/verify.pod
+++ b/doc/man1/verify.pod
@@ -50,6 +50,8 @@ B B
 [B<-verify_name name>]
 [B<-x509_strict>]
 [B<-show_chain>]
+[B<-sm2-id string>]
+[B<-sm2-hex-id hex-string>]
 [B<->]
 [certificates]
 
@@ -316,6 +318,16 @@ Display information about the certificate chain that has 
been built (if
 successful). Certificates in the chain that came from the untrusted list will 
be
 flagged as "untrusted".
 
+=item B<-sm2-id>
+
+Specify the ID string to use when verifying an SM2 certificate. The ID string 
is
+required by the SM2 signature algorithm for signing and verification.
+
+=item B<-sm2-hex-id>
+
+Specify a binary ID string to use when signing or verifying using an SM2
+certificate. The argument for this option is string of hexadecimal digits.
+
 =item B<->
 
 Indicates the last option. All arguments following this are assumed to be
@@ -767,9 +779,11 @@ The B<-show_chain> option was added in OpenSSL 1.1.0.
 The B<-issuer_checks> option is deprecated as of OpenSSL 1.1.0 and
 is silently ignored.
 
+The B<-sm2-id> and B<-sm2-hex-id> options were added in OpenSSL 3.0.0.
+
 =head1 COPYRIGHT
 
-Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/X509_get0_sm2_id.pod b/doc/man3/X509_get0_sm2_id.pod
new file mode 100644
index 000..84da71e
--- /dev/null
+++ b/doc/man3/X509_get0_sm2_id.pod
@@ -0,0 +1,43 @@
+=pod
+
+=head1 NAME
+
+X509_get0_sm2_id, X509_set_sm2_id - get or set SM2 ID for certificate 
operations
+
+=head1 SYNOPSIS
+
+ #include 
+
+ ASN1_OCTET_STRING *X509_get0_sm2_id(X509 *x);
+ void X509_set_sm2_id(X509 *x, ASN1_OCTET_STRING *sm2_id);
+
+=head1 DESCRIPTION
+
+X509_get0_sm2_id() gets the ID value of an 

[openssl] master update

2019-03-13 Thread yang . yang
The branch master has been updated
   via  8267becb8b2e3b5ec4d46e3df5656b747930be79 (commit)
  from  9e11fe0d85c7d8bd2b77076c8b2e93433091e765 (commit)


- Log -
commit 8267becb8b2e3b5ec4d46e3df5656b747930be79
Author: 杨洋 
Date:   Fri Oct 26 21:34:08 2018 +0800

Support SM2 certificate verification

Reviewed-by: Tim Hudson 
(Merged from https://github.com/openssl/openssl/pull/8321)

---

Summary of changes:
 apps/verify.c  |  45 +--
 crypto/asn1/a_verify.c |   3 +-
 crypto/err/openssl.txt |   2 +
 crypto/include/internal/x509_int.h |   5 +-
 crypto/objects/obj_dat.h   |  15 +++--
 crypto/objects/obj_mac.num |   1 +
 crypto/objects/obj_xref.h  |   2 +
 crypto/objects/obj_xref.txt|   2 +
 crypto/objects/objects.txt |   2 +
 crypto/sm2/sm2_pmeth.c |   4 ++
 crypto/x509/x509_err.c |   4 +-
 crypto/x509/x_all.c| 110 +
 crypto/x509/x_x509.c   |  12 
 fuzz/oids.txt  |   1 +
 include/openssl/obj_mac.h  |   5 ++
 include/openssl/x509.h |   3 +
 include/openssl/x509err.h  |   2 +
 util/libcrypto.num |   2 +
 18 files changed, 206 insertions(+), 14 deletions(-)

diff --git a/apps/verify.c b/apps/verify.c
index 2f66912..fcd10dd 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -21,7 +21,8 @@
 static int cb(int ok, X509_STORE_CTX *ctx);
 static int check(X509_STORE *ctx, const char *file,
  STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
- STACK_OF(X509_CRL) *crls, int show_chain);
+ STACK_OF(X509_CRL) *crls, int show_chain,
+ unsigned char *sm2id, size_t sm2idlen);
 static int v_verbose = 0, vflags = 0;
 
 typedef enum OPTION_choice {
@@ -29,7 +30,7 @@ typedef enum OPTION_choice {
 OPT_ENGINE, OPT_CAPATH, OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE,
 OPT_UNTRUSTED, OPT_TRUSTED, OPT_CRLFILE, OPT_CRL_DOWNLOAD, OPT_SHOW_CHAIN,
 OPT_V_ENUM, OPT_NAMEOPT,
-OPT_VERBOSE
+OPT_VERBOSE, OPT_SM2ID, OPT_SM2HEXID
 } OPTION_CHOICE;
 
 const OPTIONS verify_options[] = {
@@ -57,6 +58,12 @@ const OPTIONS verify_options[] = {
 #ifndef OPENSSL_NO_ENGINE
 {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
+#ifndef OPENSSL_NO_SM2
+{"sm2-id", OPT_SM2ID, 's',
+ "Specify an ID string to verify an SM2 certificate"},
+{"sm2-hex-id", OPT_SM2HEXID, 's',
+ "Specify a hex ID string to verify an SM2 certificate"},
+#endif
 {NULL}
 };
 
@@ -71,6 +78,8 @@ int verify_main(int argc, char **argv)
 int noCApath = 0, noCAfile = 0;
 int vpmtouched = 0, crl_download = 0, show_chain = 0, i = 0, ret = 1;
 OPTION_CHOICE o;
+unsigned char *sm2_id = NULL;
+size_t sm2_idlen = 0;
 
 if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
 goto end;
@@ -158,6 +167,19 @@ int verify_main(int argc, char **argv)
 case OPT_VERBOSE:
 v_verbose = 1;
 break;
+case OPT_SM2ID:
+/* we assume the input is not a hex string */
+sm2_id = (unsigned char *)opt_arg();
+sm2_idlen = strlen((const char *)sm2_id);
+break;
+case OPT_SM2HEXID:
+/* try to parse the input as hex string first */
+sm2_id = OPENSSL_hexstr2buf(opt_arg(), (long *)_idlen);
+if (sm2_id == NULL) {
+BIO_printf(bio_err, "Invalid hex string input\n");
+goto end;
+}
+break;
 }
 }
 argc = opt_num_rest();
@@ -183,12 +205,13 @@ int verify_main(int argc, char **argv)
 
 ret = 0;
 if (argc < 1) {
-if (check(store, NULL, untrusted, trusted, crls, show_chain) != 1)
+if (check(store, NULL, untrusted, trusted, crls, show_chain,
+  sm2_id, sm2_idlen) != 1)
 ret = -1;
 } else {
 for (i = 0; i < argc; i++)
 if (check(store, argv[i], untrusted, trusted, crls,
-  show_chain) != 1)
+  show_chain, sm2_id, sm2_idlen) != 1)
 ret = -1;
 }
 
@@ -204,7 +227,8 @@ int verify_main(int argc, char **argv)
 
 static int check(X509_STORE *ctx, const char *file,
  STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
- STACK_OF(X509_CRL) *crls, int show_chain)
+ STACK_OF(X509_CRL) *crls, int show_chain,
+ unsigned char *sm2id, size_t sm2idlen)
 {
 X509 *x = NULL;
 int i = 0, ret = 0;
@@ -216,6 +240,17 @@ static int check(X509_STORE *ctx, const char *file,
 if (x == NULL)
 goto end;
 
+if (sm2id != NULL) {
+#ifndef OPENSSL_NO_SM2
+ASN1_OCTET_STRING v;
+
+v.data = sm2id;
+ 

[openssl] master update

2019-02-28 Thread yang . yang
The branch master has been updated
   via  cc838ee2d66f7295bf7a7e6695aab1080d6791e9 (commit)
   via  4564e77ae9dd1866e8a033f03511b6a1792c024e (commit)
  from  69f6b3ceaba493e70e1296880ea6c93e40714f0f (commit)


- Log -
commit cc838ee2d66f7295bf7a7e6695aab1080d6791e9
Author: Paul Yang 
Date:   Tue Feb 26 13:51:02 2019 +0800

Add section order check in util/find-doc-nits

This patch checks if the EXAMPLES section in a pod file is placed
before the RETURN VALUES section.

Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/8338)

commit 4564e77ae9dd1866e8a033f03511b6a1792c024e
Author: Paul Yang 
Date:   Tue Feb 26 13:11:10 2019 +0800

Place return values after examples in doc

Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/8338)

---

Summary of changes:
 doc/internal/man3/openssl_ctx_get_data.pod|  16 ++--
 doc/man3/ASN1_TIME_set.pod|  64 ++---
 doc/man3/ASN1_generate_nconf.pod  |  14 +--
 doc/man3/BIO_push.pod |  14 +--
 doc/man3/BIO_s_file.pod   |  36 +++
 doc/man3/CONF_modules_load_file.pod   |  12 +--
 doc/man3/EVP_PKEY_set1_RSA.pod|  14 +--
 doc/man3/OBJ_nid2obj.pod  |  22 ++---
 doc/man3/OPENSSL_s390xcap.pod |   8 +-
 doc/man3/PEM_read_bio_PrivateKey.pod  | 130 +-
 doc/man3/SSL_CONF_cmd.pod |  34 +++
 doc/man3/SSL_CTX_load_verify_locations.pod|  34 +++
 doc/man3/SSL_CTX_set1_sigalgs.pod |   8 +-
 doc/man3/SSL_CTX_set_generate_session_id.pod  |  16 ++--
 doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod |   8 +-
 doc/man3/SSL_CTX_set_tmp_dh_callback.pod  |  16 ++--
 doc/man3/SSL_load_client_CA_file.pod  |  30 +++---
 doc/man3/X509_NAME_add_entry_by_txt.pod   |  18 ++--
 doc/man3/X509_NAME_get_index_by_NID.pod   |  24 ++---
 doc/man3/d2i_X509.pod |  26 +++---
 util/find-doc-nits|  14 +++
 21 files changed, 286 insertions(+), 272 deletions(-)

diff --git a/doc/internal/man3/openssl_ctx_get_data.pod 
b/doc/internal/man3/openssl_ctx_get_data.pod
index ee98dc2..db066ad 100644
--- a/doc/internal/man3/openssl_ctx_get_data.pod
+++ b/doc/internal/man3/openssl_ctx_get_data.pod
@@ -39,6 +39,14 @@ context is freed.
 openssl_ctx_get_data() is used to retrieve a pointer to the data in
 the library context C associated with the given C.
 
+=head1 RETURN VALUES
+
+openssl_ctx_new_index() returns -1 on error, otherwise the allocated
+index number.
+
+openssl_ctx_get_data() returns a pointer on success, or C on
+failure.
+
 =head1 EXAMPLES
 
 =head2 Initialization
@@ -88,14 +96,6 @@ To get and use the data stored in the library context, 
simply do this:
   */
  FOO *data = openssl_ctx_get_data(ctx, foo_index);
 
-=head1 RETURN VALUES
-
-openssl_ctx_new_index() returns -1 on error, otherwise the allocated
-index number.
-
-openssl_ctx_get_data() returns a pointer on success, or C on
-failure.
-
 =head1 SEE ALSO
 
 L
diff --git a/doc/man3/ASN1_TIME_set.pod b/doc/man3/ASN1_TIME_set.pod
index 009e6f6..9db9970 100644
--- a/doc/man3/ASN1_TIME_set.pod
+++ b/doc/man3/ASN1_TIME_set.pod
@@ -173,38 +173,6 @@ certificates complying with RFC5280 et al use GMT anyway.
 Use the ASN1_TIME_normalize() function to normalize the time value before
 printing to get GMT results.
 
-=head1 EXAMPLES
-
-Set a time structure to one hour after the current time and print it out:
-
- #include 
- #include 
-
- ASN1_TIME *tm;
- time_t t;
- BIO *b;
-
- t = time(NULL);
- tm = ASN1_TIME_adj(NULL, t, 0, 60 * 60);
- b = BIO_new_fp(stdout, BIO_NOCLOSE);
- ASN1_TIME_print(b, tm);
- ASN1_STRING_free(tm);
- BIO_free(b);
-
-Determine if one time is later or sooner than the current time:
-
- int day, sec;
-
- if (!ASN1_TIME_diff(, , NULL, to))
- /* Invalid time format */
-
- if (day > 0 || sec > 0)
- printf("Later\n");
- else if (day < 0 || sec < 0)
- printf("Sooner\n");
- else
- printf("Same\n");
-
 =head1 RETURN VALUES
 
 ASN1_TIME_set(), ASN1_UTCTIME_set(), ASN1_GENERALIZEDTIME_set(), 
ASN1_TIME_adj(),
@@ -238,6 +206,38 @@ ASN1_TIME_compare() returns -1 if B is before B, 0 
if B equals B, or
 ASN1_TIME_to_generalizedtime() returns a pointer to
 the appropriate time structure on success or NULL if an error occurred.
 
+=head1 EXAMPLES
+
+Set a time structure to one hour after the current time and print it out:
+
+ #include 
+ #include 
+
+ ASN1_TIME *tm;
+ time_t t;
+ BIO *b;
+
+ t = time(NULL);
+ tm = ASN1_TIME_adj(NULL, t, 0, 60 * 60);
+ b = BIO_new_fp(stdout, BIO_NOCLOSE);
+ ASN1_TIME_print(b, tm);
+ ASN1_STRING_free(tm);
+ BIO_free(b);
+
+Determine if one time is later or sooner than the current 

[openssl] OpenSSL_1_1_1-stable update

2019-02-26 Thread yang . yang
The branch OpenSSL_1_1_1-stable has been updated
   via  9c6d536f532a737216f2ae0e7d168c99ed989a0d (commit)
  from  e8dc6580368fdc26384fc69d58e038a3e1c6e368 (commit)


- Log -
commit 9c6d536f532a737216f2ae0e7d168c99ed989a0d
Author: Paul Yang 
Date:   Mon Feb 25 17:34:03 2019 +0800

Fix the default digest algorthm of SM2

Currently SM2 shares the ameth with EC, so the current default digest
algorithm returned is SHA256. This fixes the default digest algorithm of
SM2 to SM3, which is the only valid digest algorithm for SM2 signature.

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/8186)

(cherry picked from commit e766f4a0531bffdab8ad2038279b755928d7a40a)

---

Summary of changes:
 crypto/ec/ec_ameth.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
index 8b363e0..48aa801 100644
--- a/crypto/ec/ec_ameth.c
+++ b/crypto/ec/ec_ameth.c
@@ -504,7 +504,12 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, 
void *arg2)
 #endif
 
 case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
-*(int *)arg2 = NID_sha256;
+if (EVP_PKEY_id(pkey) == EVP_PKEY_SM2) {
+/* For SM2, the only valid digest-alg is SM3 */
+*(int *)arg2 = NID_sm3;
+} else {
+*(int *)arg2 = NID_sha256;
+}
 return 1;
 
 case ASN1_PKEY_CTRL_SET1_TLS_ENCPT:
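Review bot: The `ASN1_PKEY_CTRL_DEFAULT_MD_NID` case still ends in `return 1;` for SM2, which in OpenSSL's convention (documented for EVP_PKEY_get_default_digest_nid) marks the digest as advisory, while 2 marks it as mandatory. Since the added comment states that SM3 is the only valid digest for SM2, the SM2 branch should say so to its callers: `*(int *)arg2 = NID_sm3;` followed by `return 2;`, leaving `return 1;` for the SHA-256 branch. ec_pkey_ctrl starts and ends outside this hunk, so how callers act on the return value is not visible here.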


[openssl] master update

2019-02-26 Thread yang . yang
The branch master has been updated
   via  e766f4a0531bffdab8ad2038279b755928d7a40a (commit)
   via  a7cef52f9b961dcb1e5d0c3b75185a12a88ad2db (commit)
  from  4089b4340701e3c13e07169e67a7d14519c98658 (commit)


- Log -
commit e766f4a0531bffdab8ad2038279b755928d7a40a
Author: Paul Yang 
Date:   Mon Feb 25 17:34:03 2019 +0800

Fix the default digest algorthm of SM2

Currently SM2 shares the ameth with EC, so the current default digest
algorithm returned is SHA256. This fixes the default digest algorithm of
SM2 to SM3, which is the only valid digest algorithm for SM2 signature.

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/8186)

commit a7cef52f9b961dcb1e5d0c3b75185a12a88ad2db
Author: Paul Yang 
Date:   Wed Jan 16 16:16:28 2019 +0800

Support raw input data in apps/pkeyutl

Some signature algorithms require special treatment for digesting, such
as SM2. This patch adds the ability of handling raw input data in
apps/pkeyutl other than accepting only pre-hashed input data.

Besides, SM2 requires an ID string when signing or verifying a piece of data;
this patch also adds the ability for apps/pkeyutl to specify that ID
string.

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/8186)

---

Summary of changes:
 apps/pkeyutl.c | 169 -
 crypto/ec/ec_ameth.c   |   7 +-
 crypto/sm2/sm2_pmeth.c |   3 +
 doc/man1/pkeyutl.pod   |  45 +++
 test/certs/sm2.crt |  13 
 test/certs/sm2.key |   5 ++
 test/recipes/20-test_pkeyutl.t |  43 +++
 7 files changed, 267 insertions(+), 18 deletions(-)
 create mode 100644 test/certs/sm2.crt
 create mode 100644 test/certs/sm2.key
 create mode 100644 test/recipes/20-test_pkeyutl.t

diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
index 8ee4a30..b3452d3 100644
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -22,7 +22,7 @@
 static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
   const char *keyfile, int keyform, int key_type,
   char *passinarg, int pkey_op, ENGINE *e,
-  const int impl);
+  const int impl, EVP_PKEY **ppkey);
 
 static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
   ENGINE *e);
@@ -31,6 +31,11 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
 unsigned char *out, size_t *poutlen,
 const unsigned char *in, size_t inlen);
 
+static int do_raw_keyop(int pkey_op, EVP_PKEY_CTX *ctx,
+const EVP_MD *md, EVP_PKEY *pkey, BIO *in,
+unsigned char *sig, int siglen,
+unsigned char **out, size_t *poutlen);
+
 typedef enum OPTION_choice {
 OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
 OPT_ENGINE, OPT_ENGINE_IMPL, OPT_IN, OPT_OUT,
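Review bot: In the new `do_raw_keyop` prototype the signature length is declared `int siglen`, while every other length in these prototypes is `size_t` (`size_t *poutlen`, `size_t inlen`). A negative `int` that reaches a verify call taking `size_t` is converted to a very large length, so either declare it `size_t siglen` or make sure the caller rejects `siglen < 0` before calling. The definition and the call site are outside this hunk, so which of the two applies cannot be told from here.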
@@ -38,12 +43,16 @@ typedef enum OPTION_choice {
 OPT_VERIFY, OPT_VERIFYRECOVER, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT,
 OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN,
 OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT, OPT_PKEYOPT_PASSIN, OPT_KDF,
-OPT_KDFLEN, OPT_R_ENUM
+OPT_KDFLEN, OPT_R_ENUM,
+OPT_RAWIN, OPT_DIGEST
 } OPTION_CHOICE;
 
 const OPTIONS pkeyutl_options[] = {
 {"help", OPT_HELP, '-', "Display this summary"},
 {"in", OPT_IN, '<', "Input file - default stdin"},
+{"rawin", OPT_RAWIN, '-', "Indicate the input data is in raw form"},
+{"digest", OPT_DIGEST, 's',
+ "Specify the digest algorithm when signing the raw input data"},
 {"out", OPT_OUT, '>', "Output file - default stdout"},
 {"pubin", OPT_PUBIN, '-', "Input is a public key"},
 {"certin", OPT_CERTIN, '-', "Input is a cert with a public key"},
@@ -82,6 +91,7 @@ int pkeyutl_main(int argc, char **argv)
 BIO *in = NULL, *out = NULL;
 ENGINE *e = NULL;
 EVP_PKEY_CTX *ctx = NULL;
+EVP_PKEY *pkey = NULL;
 char *infile = NULL, *outfile = NULL, *sigfile = NULL, *passinarg = NULL;
 char hexdump = 0, asn1parse = 0, rev = 0, *prog;
 unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL;
@@ -97,6 +107,8 @@ int pkeyutl_main(int argc, char **argv)
 int kdflen = 0;
 STACK_OF(OPENSSL_STRING) *pkeyopts = NULL;
 STACK_OF(OPENSSL_STRING) *pkeyopts_passin = NULL;
+int rawin = 0;
+const EVP_MD *md = NULL;
 
 prog = opt_init(argc, argv, pkeyutl_options);
 while ((o = opt_next()) != OPT_EOF) {
@@ -203,12 +215,39 @@ int pkeyutl_main(int argc, char **argv)
 goto end;
 }
 break;
+case OPT_RAWIN:
+rawin = 1;
+break;
+case OPT_DIGEST:
+if 

[openssl] OpenSSL_1_1_0-stable update

2019-02-24 Thread yang . yang
The branch OpenSSL_1_1_0-stable has been updated
   via  3318493b85a8189f6385d5489f97f0e101471f92 (commit)
  from  f499873c2ff5a6da5f1a23c099730f97c822e90c (commit)


- Log -
commit 3318493b85a8189f6385d5489f97f0e101471f92
Author: Jeff Mahoney 
Date:   Sun Feb 24 16:56:28 2019 +0800

apps/speed: fix segfault while looking up algorithm name

The backport of master commit 5c6a69f539a (apps/speed: fix possible OOB
access in some EC arrays) as 1.1.0 commit 4e07941373a introduced a
regression.  The ecdh_choices array is iterated using an element count
but is NULL terminated.  This means that running 'openssl speed somealgo'
will result in a segfault when opt_found hits the NULL entry.

Fixes #8243

CLA: trivial

Signed-off-by: Jeff Mahoney 

Reviewed-by: Paul Yang 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/8244)

---

Summary of changes:
 apps/speed.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/speed.c b/apps/speed.c
index 6672fe6..4595cc6 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -537,7 +537,6 @@ static const OPT_PAIR ecdh_choices[] = {
 {"ecdhb409", R_EC_B409},
 {"ecdhb571", R_EC_B571},
 {"ecdhx25519", R_EC_X25519},
-{NULL}
 };
 # define EC_NUM   OSSL_NELEM(ecdh_choices)
 


[openssl] OpenSSL_1_1_1-stable update

2019-02-21 Thread yang . yang
The branch OpenSSL_1_1_1-stable has been updated
   via  d600f3d34cf85003d11bea2b8296834874cdebcf (commit)
  from  ebf7bd7f4b5200c4a0e7d86b1f13442e7a6154b6 (commit)


- Log -
commit d600f3d34cf85003d11bea2b8296834874cdebcf
Author: Paul Yang 
Date:   Fri Feb 22 14:27:39 2019 +0800

Fix a grammar nit in CRYPTO_get_ex_new_index.pod

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/8303)

(cherry picked from commit 84712024da5e5485e8397afc763555355bddf960)

---

Summary of changes:
 doc/man3/CRYPTO_get_ex_new_index.pod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/man3/CRYPTO_get_ex_new_index.pod 
b/doc/man3/CRYPTO_get_ex_new_index.pod
index 4d5a2b9..04ef5ec 100644
--- a/doc/man3/CRYPTO_get_ex_new_index.pod
+++ b/doc/man3/CRYPTO_get_ex_new_index.pod
@@ -100,7 +100,7 @@ to avoid likely double-free crashes.
 The function B is used to free all exdata attached
 to a structure. The appropriate type-specific routine must be used.
 The B identifies the structure type, the B is
-be the pointer to the actual structure, and B is a pointer to the
+a pointer to the actual structure, and B is a pointer to the
 structure's exdata field.
 
 =head2 Callback Functions


[openssl] master update

2019-02-21 Thread yang . yang
The branch master has been updated
   via  84712024da5e5485e8397afc763555355bddf960 (commit)
  from  32d40d0d8942ac7156066c55354dc174f7b8b3bc (commit)


- Log -
commit 84712024da5e5485e8397afc763555355bddf960
Author: Paul Yang 
Date:   Fri Feb 22 14:27:39 2019 +0800

Fix a grammar nit in CRYPTO_get_ex_new_index.pod

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/8303)

---

Summary of changes:
 doc/man3/CRYPTO_get_ex_new_index.pod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/man3/CRYPTO_get_ex_new_index.pod 
b/doc/man3/CRYPTO_get_ex_new_index.pod
index 44bab62..f37d532 100644
--- a/doc/man3/CRYPTO_get_ex_new_index.pod
+++ b/doc/man3/CRYPTO_get_ex_new_index.pod
@@ -104,7 +104,7 @@ to avoid likely double-free crashes.
 The function B is used to free all exdata attached
 to a structure. The appropriate type-specific routine must be used.
 The B identifies the structure type, the B is
-be the pointer to the actual structure, and B is a pointer to the
+a pointer to the actual structure, and B is a pointer to the
 structure's exdata field.
 
 =head2 Callback Functions


[openssl-commits] [openssl] OpenSSL_1_1_1-stable update

2019-02-12 Thread yang . yang
The branch OpenSSL_1_1_1-stable has been updated
   via  851437094aca6067d425f7869751df41cde775fe (commit)
  from  2cf7fd698ec1375421f91338ff8a44e7da5238b6 (commit)


- Log -
commit 851437094aca6067d425f7869751df41cde775fe
Author: Daniel DeFreez 
Date:   Wed Feb 13 14:26:14 2019 +0800

Fix null pointer dereference in cms_RecipientInfo_kari_init

CLA: trivial

Reviewed-by: Bernd Edlinger 
Reviewed-by: Paul Yang 
Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/8137)

(cherry picked from commit b754a8a1590b8c5c9662c8a0ba49573991488b20)

---

Summary of changes:
 crypto/cms/cms_kari.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/crypto/cms/cms_kari.c b/crypto/cms/cms_kari.c
index 3bc46fe..f104eec 100644
--- a/crypto/cms/cms_kari.c
+++ b/crypto/cms/cms_kari.c
@@ -282,7 +282,7 @@ static int 
cms_kari_create_ephemeral_key(CMS_KeyAgreeRecipientInfo *kari,
 return rv;
 }
 
-/* Initialise a ktri based on passed certificate and key */
+/* Initialise a kari based on passed certificate and key */
 
 int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
 EVP_PKEY *pk, unsigned int flags)
@@ -299,6 +299,9 @@ int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 
*recip,
 kari->version = 3;
 
 rek = M_ASN1_new_of(CMS_RecipientEncryptedKey);
+if (rek == NULL)
+return 0;
+
 if (!sk_CMS_RecipientEncryptedKey_push(kari->recipientEncryptedKeys, rek)) 
{
 M_ASN1_free_of(rek, CMS_RecipientEncryptedKey);
 return 0;
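Review bot: The added `if (rek == NULL) return 0;` reports the allocation failure only through the return value; nothing in the hunk puts a reason on the error queue, so a caller that prints the queue sees a failure with no cause. If the rest of cms_kari.c raises `ERR_R_MALLOC_FAILURE` on allocation failures, do the same here before `return 0;`. cms_RecipientInfo_kari_init begins and ends outside the hunk, so its other failure paths are not visible. The identical hunk appears again in the master-branch mail further down.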


[openssl-commits] [openssl] master update

2019-02-12 Thread yang . yang
The branch master has been updated
   via  b754a8a1590b8c5c9662c8a0ba49573991488b20 (commit)
  from  5674466e007d892ec55441059b3763abd5dd5440 (commit)


- Log -
commit b754a8a1590b8c5c9662c8a0ba49573991488b20
Author: Daniel DeFreez 
Date:   Wed Feb 13 14:26:14 2019 +0800

Fix null pointer dereference in cms_RecipientInfo_kari_init

CLA: trivial

Reviewed-by: Bernd Edlinger 
Reviewed-by: Paul Yang 
Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/8137)

---

Summary of changes:
 crypto/cms/cms_kari.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/crypto/cms/cms_kari.c b/crypto/cms/cms_kari.c
index 4ee7017..9f1f5d5 100644
--- a/crypto/cms/cms_kari.c
+++ b/crypto/cms/cms_kari.c
@@ -282,7 +282,7 @@ static int 
cms_kari_create_ephemeral_key(CMS_KeyAgreeRecipientInfo *kari,
 return rv;
 }
 
-/* Initialise a ktri based on passed certificate and key */
+/* Initialise a kari based on passed certificate and key */
 
 int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
 EVP_PKEY *pk, unsigned int flags)
@@ -299,6 +299,9 @@ int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 
*recip,
 kari->version = 3;
 
 rek = M_ASN1_new_of(CMS_RecipientEncryptedKey);
+if (rek == NULL)
+return 0;
+
 if (!sk_CMS_RecipientEncryptedKey_push(kari->recipientEncryptedKeys, rek)) 
{
 M_ASN1_free_of(rek, CMS_RecipientEncryptedKey);
 return 0;


[openssl-commits] [openssl] OpenSSL_1_1_1-stable update

2019-01-30 Thread yang . yang
The branch OpenSSL_1_1_1-stable has been updated
   via  43bc3d84f82c09b786ae6920ba2086d073fae57a (commit)
  from  db6c6c3df296558d00fd21ae1a29a7523d884b55 (commit)


- Log -
commit 43bc3d84f82c09b786ae6920ba2086d073fae57a
Author: weinholtendian <45032224+weinholtend...@users.noreply.github.com>
Date:   Thu Jan 31 15:16:20 2019 +0800

Fix error message for s_server -psk option

Previously if -psk was given a bad key it would print "Not a hex
number 's_server'".

CLA: Trivial

Reviewed-by: Paul Yang 
Reviewed-by: Kurt Roeckx 
Reviewed-by: Ben Kaduk 
(Merged from https://github.com/openssl/openssl/pull/8113)

(cherry picked from commit e57120128fa4e2afa4bda5022a77f73a1e3a0b27)

---

Summary of changes:
 apps/s_server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/s_server.c b/apps/s_server.c
index 15b4b43..aa0c9ae 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1407,7 +1407,7 @@ int s_server_main(int argc, char *argv[])
 for (p = psk_key = opt_arg(); *p; p++) {
 if (isxdigit(_UC(*p)))
 continue;
-BIO_printf(bio_err, "Not a hex number '%s'\n", *argv);
+BIO_printf(bio_err, "Not a hex number '%s'\n", psk_key);
 goto end;
 }
 break;
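Review bot: The corrected message now prints `psk_key` itself, so a mistyped -psk value, which is secret key material, is copied in full to `bio_err` and to whatever log captures it. Reporting where the bad character sits gives the same diagnostic without echoing the key, for example `BIO_printf(bio_err, "Not a hex number: -psk value, offset %d\n", (int)(p - psk_key));`. The loop body never runs for an empty argument, so a zero-length key passes this check; whether it is rejected later is outside the hunk. The identical hunk appears in the master-branch mail below.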


[openssl-commits] [openssl] master update

2019-01-30 Thread yang . yang
The branch master has been updated
   via  e57120128fa4e2afa4bda5022a77f73a1e3a0b27 (commit)
  from  c4734493d7da404b1747195a805c8d536dbe6910 (commit)


- Log -
commit e57120128fa4e2afa4bda5022a77f73a1e3a0b27
Author: weinholtendian <45032224+weinholtend...@users.noreply.github.com>
Date:   Thu Jan 31 15:16:20 2019 +0800

Fix error message for s_server -psk option

Previously if -psk was given a bad key it would print "Not a hex
number 's_server'".

CLA: Trivial

Reviewed-by: Paul Yang 
Reviewed-by: Kurt Roeckx 
Reviewed-by: Ben Kaduk 
(Merged from https://github.com/openssl/openssl/pull/8113)

---

Summary of changes:
 apps/s_server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/s_server.c b/apps/s_server.c
index 364f76b..8565a3a 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1407,7 +1407,7 @@ int s_server_main(int argc, char *argv[])
 for (p = psk_key = opt_arg(); *p; p++) {
 if (isxdigit(_UC(*p)))
 continue;
-BIO_printf(bio_err, "Not a hex number '%s'\n", *argv);
+BIO_printf(bio_err, "Not a hex number '%s'\n", psk_key);
 goto end;
 }
 break;


[openssl-commits] [openssl] OpenSSL_1_1_1-stable update

2018-12-28 Thread yang . yang
The branch OpenSSL_1_1_1-stable has been updated
   via  30e35ee1d54a7ad55ba724da795c513f07653252 (commit)
  from  d0afc7bffa3f632671e833738056df15e26dc6f3 (commit)


- Log -
commit 30e35ee1d54a7ad55ba724da795c513f07653252
Author: Behrang <18451+behran...@users.noreply.github.com>
Date:   Thu Dec 20 23:56:03 2018 +1100

Fixed minor typo in the req.pod docs

CLA: Trivial

Fixes #7928.

Reviewed-by: Paul Yang 
Reviewed-by: Viktor Dukhovni 
(Merged from https://github.com/openssl/openssl/pull/7973)

(cherry picked from commit 005247af76aa8d623fadbf3a82aa7b8ef449989f)

---

Summary of changes:
 doc/man1/req.pod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/man1/req.pod b/doc/man1/req.pod
index c76d63d..a9b5b16 100644
--- a/doc/man1/req.pod
+++ b/doc/man1/req.pod
@@ -502,7 +502,7 @@ The actual permitted field names are any object identifier 
short or
 long names. These are compiled into OpenSSL and include the usual
 values such as commonName, countryName, localityName, organizationName,
 organizationalUnitName, stateOrProvinceName. Additionally emailAddress
-is include as well as name, surname, givenName initials and dnQualifier.
+is included as well as name, surname, givenName, initials, and dnQualifier.
 
 Additional object identifiers can be defined with the B or
 B options in the configuration file. Any additional fields


[openssl-commits] [openssl] master update

2018-12-28 Thread yang . yang
The branch master has been updated
   via  005247af76aa8d623fadbf3a82aa7b8ef449989f (commit)
  from  fff1470cda05dedd98d2e8e18c3bc320635365d4 (commit)


- Log -
commit 005247af76aa8d623fadbf3a82aa7b8ef449989f
Author: Behrang <18451+behran...@users.noreply.github.com>
Date:   Thu Dec 20 23:56:03 2018 +1100

Fixed minor typo in the req.pod docs

CLA: Trivial

Fixes #7928.

Reviewed-by: Paul Yang 
Reviewed-by: Viktor Dukhovni 
(Merged from https://github.com/openssl/openssl/pull/7973)

---

Summary of changes:
 doc/man1/req.pod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/man1/req.pod b/doc/man1/req.pod
index 67cb8ad..3517627 100644
--- a/doc/man1/req.pod
+++ b/doc/man1/req.pod
@@ -502,7 +502,7 @@ The actual permitted field names are any object identifier 
short or
 long names. These are compiled into OpenSSL and include the usual
 values such as commonName, countryName, localityName, organizationName,
 organizationalUnitName, stateOrProvinceName. Additionally emailAddress
-is include as well as name, surname, givenName initials and dnQualifier.
+is included as well as name, surname, givenName, initials, and dnQualifier.
 
 Additional object identifiers can be defined with the B or
 B options in the configuration file. Any additional fields


[openssl-commits] [openssl] master update

2018-12-12 Thread yang . yang
The branch master has been updated
   via  ee4afacd96f5bfbe7662c8f0ec4464c6eee4c450 (commit)
  from  e436664828429a23bf210710ede34203bdfdc2b8 (commit)


- Log -
commit ee4afacd96f5bfbe7662c8f0ec4464c6eee4c450
Author: Rich Salz 
Date:   Wed Oct 17 10:25:00 2018 -0400

Ignore duplicated undocumented things

Reviewed-by: Richard Levitte 
Reviewed-by: Paul Yang 
(Merged from https://github.com/openssl/openssl/pull/7423)

---

Summary of changes:
 util/find-doc-nits | 10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/util/find-doc-nits b/util/find-doc-nits
index affe4eb..d722d3c 100755
--- a/util/find-doc-nits
+++ b/util/find-doc-nits
@@ -35,7 +35,7 @@ Find small errors (nits) in documentation.  Options:
 -l Print bogus links
 -n Print nits in POD pages
 -p Warn if non-public name documented (implies -n)
--u List undocumented functions
+-u Count undocumented functions
 -h Print this help message
 -c List undocumented commands and options
 EOF
@@ -270,6 +270,7 @@ my %docced;
 sub checkmacros()
 {
 my $count = 0;
+my %seen;
 
 print "# Checking macros (approximate)\n";
 foreach my $f ( glob('include/openssl/*.h') ) {
@@ -281,7 +282,7 @@ sub checkmacros()
 while (  ) {
 next unless /^#\s*define\s*(\S+)\(/;
 my $macro = $1;
-next if $docced{$macro};
+next if $docced{$macro} || defined $seen{$macro};
 next if $macro =~ /i2d_/
 || $macro =~ /d2i_/
 || $macro =~ /DEPRECATEDIN/
@@ -289,6 +290,7 @@ sub checkmacros()
 || $macro =~ /DECLARE_/;
 print "$f:$macro\n" if $opt_d;
 $count++;
+$seen{$macro} = 1;
 }
 close(IN);
 }
@@ -300,15 +302,17 @@ sub printem()
 my $libname = shift;
 my $numfile = shift;
 my $count = 0;
+my %seen;
 
 foreach my $func ( ($numfile) ) {
-next if $docced{$func};
+next if $docced{$func} || defined $seen{$func};
 
 # Skip ASN1 utilities
 next if $func =~ /^ASN1_/;
 
 print "$libname:$func\n" if $opt_d;
 $count++;
+$seen{$func} = 1;
 }
 print "# Found $count missing from $numfile\n\n";
 }


[openssl-commits] [openssl] master update

2018-11-26 Thread yang . yang
The branch master has been updated
   via  5a4481f0e0bbf836c7f41805e84617784cb6b1db (commit)
  from  f19d20b60fcdfde802f96afa3796f20d0da25eab (commit)


- Log -
commit 5a4481f0e0bbf836c7f41805e84617784cb6b1db
Author: Paul Yang 
Date:   Mon Nov 26 16:57:55 2018 +0800

Fix access zero memory if SSL_DEBUG is enabled

If OpenSSL is compiled with the SSL_DEBUG macro, some test cases will cause
the process to crash in the debug code.

Reviewed-by: Tim Hudson 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/7707)

---

Summary of changes:
 ssl/statem/statem_clnt.c | 3 ++-
 ssl/statem/statem_lib.c  | 6 --
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 0a11b88..5a8f116 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2353,7 +2353,8 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, 
PACKET *pkt)
 }
 #ifdef SSL_DEBUG
 if (SSL_USE_SIGALGS(s))
-fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
+fprintf(stderr, "USING TLSv1.2 HASH %s\n",
+md == NULL ? "n/a" : EVP_MD_name(md));
 #endif
 
 if (!PACKET_get_length_prefixed_2(pkt, )
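Review bot: The guard `md == NULL ? "n/a" : EVP_MD_name(md)` is written out three times, here and in both tls_process_cert_verify hunks of ssl/statem/statem_lib.c, so a later change to the debug output has to be repeated at each site. A small helper shared by both files keeps it in one place, e.g. `#define md_name_or_na(md) ((md) == NULL ? "n/a" : EVP_MD_name(md))`. A one-line comment stating when `md` can legitimately be NULL at these points would also help, since the hunks do not show it. The same three hunks are repeated in the OpenSSL_1_1_1-stable mail that follows.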
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 4324896..be270e2 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -396,7 +396,8 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET 
*pkt)
 
 #ifdef SSL_DEBUG
 if (SSL_USE_SIGALGS(s))
-fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
+fprintf(stderr, "USING TLSv1.2 HASH %s\n",
+md == NULL ? "n/a" : EVP_MD_name(md));
 #endif
 
 /* Check for broken implementations of GOST ciphersuites */
@@ -439,7 +440,8 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET 
*pkt)
 }
 
 #ifdef SSL_DEBUG
-fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md));
+fprintf(stderr, "Using client verify alg %s\n",
+md == NULL ? "n/a" : EVP_MD_name(md));
 #endif
 if (EVP_DigestVerifyInit(mctx, , md, NULL, pkey) <= 0) {
 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,


[openssl-commits] [openssl] OpenSSL_1_1_1-stable update

2018-11-26 Thread yang . yang
The branch OpenSSL_1_1_1-stable has been updated
   via  9465e716398ea13391aa7a0c93f10abf003245c0 (commit)
  from  156c4d6290fddb2379c13870e19a1a8ef0b0f095 (commit)


- Log -
commit 9465e716398ea13391aa7a0c93f10abf003245c0
Author: Paul Yang 
Date:   Mon Nov 26 16:57:55 2018 +0800

Fix access zero memory if SSL_DEBUG is enabled

If OpenSSL is compiled with the SSL_DEBUG macro, some test cases will cause
the process to crash in the debug code.

Reviewed-by: Tim Hudson 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/7707)

(cherry picked from commit 5a4481f0e0bbf836c7f41805e84617784cb6b1db)

---

Summary of changes:
 ssl/statem/statem_clnt.c | 3 ++-
 ssl/statem/statem_lib.c  | 6 --
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 0a11b88..5a8f116 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2353,7 +2353,8 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, 
PACKET *pkt)
 }
 #ifdef SSL_DEBUG
 if (SSL_USE_SIGALGS(s))
-fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
+fprintf(stderr, "USING TLSv1.2 HASH %s\n",
+md == NULL ? "n/a" : EVP_MD_name(md));
 #endif
 
 if (!PACKET_get_length_prefixed_2(pkt, )
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 4324896..be270e2 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -396,7 +396,8 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET 
*pkt)
 
 #ifdef SSL_DEBUG
 if (SSL_USE_SIGALGS(s))
-fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
+fprintf(stderr, "USING TLSv1.2 HASH %s\n",
+md == NULL ? "n/a" : EVP_MD_name(md));
 #endif
 
 /* Check for broken implementations of GOST ciphersuites */
@@ -439,7 +440,8 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET 
*pkt)
 }
 
 #ifdef SSL_DEBUG
-fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md));
+fprintf(stderr, "Using client verify alg %s\n",
+md == NULL ? "n/a" : EVP_MD_name(md));
 #endif
 if (EVP_DigestVerifyInit(mctx, , md, NULL, pkey) <= 0) {
 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,


[openssl-commits] [openssl] OpenSSL_1_1_1-stable update

2018-11-21 Thread yang . yang
The branch OpenSSL_1_1_1-stable has been updated
   via  3b91ae1c07a4310778b3d7ba74ff4ff787f0 (commit)
  from  e587e8e36a0279674882f4b8bdba81ed1b10e1a6 (commit)


- Log -
commit 3b91ae1c07a4310778b3d7ba74ff4ff787f0
Author: Paul Yang 
Date:   Wed Nov 21 13:16:27 2018 +0800

Fix wrong return value in ssl3_ctx_ctrl

This fixes issue #7677

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7678)

---

Summary of changes:
 ssl/s3_lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 866ca4d..99ae481 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3781,7 +3781,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void 
*parg)
   EVP_PKEY_security_bits(pkdh), 0, pkdh)) {
 SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_DH_KEY_TOO_SMALL);
 EVP_PKEY_free(pkdh);
-return 1;
+return 0;
 }
 EVP_PKEY_free(ctx->cert->dh_tmp);
 ctx->cert->dh_tmp = pkdh;


[openssl-commits] [openssl] OpenSSL_1_1_1-stable update

2018-11-08 Thread yang . yang
The branch OpenSSL_1_1_1-stable has been updated
   via  0178459aa17a87e6450903be985e92e46eb3095e (commit)
  from  abf58ed3191dcd3a7c6b296b1494bd7fd336e253 (commit)


- Log -
commit 0178459aa17a87e6450903be985e92e46eb3095e
Author: Paul Yang 
Date:   Thu Nov 1 23:27:31 2018 +0800

Fix a doc-nit in EVP_PKEY_CTX_ctrl.pod

[skip-ci]

Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/7546)

(cherry picked from commit e5a8712d03334c4b7cb9f29d6d1daee399c1223e)

---

Summary of changes:
 doc/man3/EVP_PKEY_CTX_ctrl.pod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod
index 75fba58..4982e92 100644
--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod
+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod
@@ -116,7 +116,7 @@ EVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, 
EVP_PKEY_CTX_get1_id_len
  int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
 
  #include 
- 
+
  int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid);
  int EVP_PKEY_CTX_set_ec_param_enc(EVP_PKEY_CTX *ctx, int param_enc);
  int EVP_PKEY_CTX_set_ecdh_cofactor_mode(EVP_PKEY_CTX *ctx, int cofactor_mode);


[openssl-commits] [openssl] master update

2018-11-05 Thread yang . yang
The branch master has been updated
   via  41eac6122a9db8ef29ed6115c20f2de4c9232b9b (commit)
  from  75d47db49d41176d1f9a363f80e5a45e834563b8 (commit)


- Log -
commit 41eac6122a9db8ef29ed6115c20f2de4c9232b9b
Author: Paul Yang 
Date:   Mon Nov 5 23:08:34 2018 +0800

Fix a collision in function err numbers

'make update' complains about this

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7571)

---

Summary of changes:
 crypto/err/openssl.txt   | 2 +-
 include/openssl/evperr.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index b5a441a..49e4875 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -810,7 +810,7 @@ EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen
 EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen
 EVP_F_PKEY_MAC_INIT:214:pkey_mac_init
 EVP_F_PKEY_SET_TYPE:158:pkey_set_type
-EVP_F_POLY1305_CTRL:215:poly1305_ctrl
+EVP_F_POLY1305_CTRL:216:poly1305_ctrl
 EVP_F_RC2_MAGIC_TO_METH:109:rc2_magic_to_meth
 EVP_F_RC5_CTRL:125:rc5_ctrl
 EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl
diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h
index b5064fd..fff78cc 100644
--- a/include/openssl/evperr.h
+++ b/include/openssl/evperr.h
@@ -120,7 +120,7 @@ int ERR_load_EVP_strings(void);
 # define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN   180
 # define EVP_F_PKEY_MAC_INIT  214
 # define EVP_F_PKEY_SET_TYPE  158
-# define EVP_F_POLY1305_CTRL  215
+# define EVP_F_POLY1305_CTRL  216
 # define EVP_F_RC2_MAGIC_TO_METH  109
 # define EVP_F_RC5_CTRL   125
 # define EVP_F_S390X_AES_GCM_CTRL 201


[openssl-commits] [openssl] master update

2018-11-04 Thread yang . yang
The branch master has been updated
   via  c1da4b2afe62644f42f95a8788cd80b0a4925e0c (commit)
  from  748099b9e96e288f0fd1bc72634834d3687831ad (commit)


- Log -
commit c1da4b2afe62644f42f95a8788cd80b0a4925e0c
Author: Paul Yang 
Date:   Mon Oct 22 14:54:24 2018 +0800

Add poly1305 MAC support

This is based on the latest EVP MAC interface introduced in PR #7393.

Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/7459)

---

Summary of changes:
 crypto/err/openssl.txt |   1 +
 crypto/evp/c_allm.c|   3 +
 crypto/evp/evp_err.c   |   1 +
 crypto/evp/pkey_mac.c  |  33 
 crypto/include/internal/evp_int.h  |   1 +
 crypto/poly1305/build.info |   2 +-
 crypto/poly1305/poly1305_meth.c| 141 +++
 crypto/poly1305/poly1305_pmeth.c   | 194 -
 doc/man3/EVP_MAC.pod   |   3 +-
 .../{EVP_MAC_SIPHASH.pod => EVP_MAC_POLY1305.pod}  |  12 +-
 include/openssl/evp.h  |   1 +
 include/openssl/evperr.h   |   1 +
 test/recipes/30-test_evp_data/evpmac.txt   |  20 +++
 13 files changed, 208 insertions(+), 205 deletions(-)
 create mode 100644 crypto/poly1305/poly1305_meth.c
 delete mode 100644 crypto/poly1305/poly1305_pmeth.c
 copy doc/man7/{EVP_MAC_SIPHASH.pod => EVP_MAC_POLY1305.pod} (73%)

diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 6c52881..b5a441a 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -810,6 +810,7 @@ EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen
 EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen
 EVP_F_PKEY_MAC_INIT:214:pkey_mac_init
 EVP_F_PKEY_SET_TYPE:158:pkey_set_type
+EVP_F_POLY1305_CTRL:215:poly1305_ctrl
 EVP_F_RC2_MAGIC_TO_METH:109:rc2_magic_to_meth
 EVP_F_RC5_CTRL:125:rc5_ctrl
 EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl
diff --git a/crypto/evp/c_allm.c b/crypto/evp/c_allm.c
index 2b9d442..ba8acc7 100644
--- a/crypto/evp/c_allm.c
+++ b/crypto/evp/c_allm.c
@@ -20,4 +20,7 @@ void openssl_add_all_macs_int(void)
 #ifndef OPENSSL_NO_SIPHASH
 EVP_add_mac(_meth);
 #endif
+#ifndef OPENSSL_NO_POLY1305
+EVP_add_mac(_meth);
+#endif
 }
diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c
index 05d9565..4ef0cf5 100644
--- a/crypto/evp/evp_err.c
+++ b/crypto/evp/evp_err.c
@@ -153,6 +153,7 @@ static const ERR_STRING_DATA EVP_str_functs[] = {
  "PKCS5_v2_scrypt_keyivgen"},
 {ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_MAC_INIT, 0), "pkey_mac_init"},
 {ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_SET_TYPE, 0), "pkey_set_type"},
+{ERR_PACK(ERR_LIB_EVP, EVP_F_POLY1305_CTRL, 0), "poly1305_ctrl"},
 {ERR_PACK(ERR_LIB_EVP, EVP_F_RC2_MAGIC_TO_METH, 0), "rc2_magic_to_meth"},
 {ERR_PACK(ERR_LIB_EVP, EVP_F_RC5_CTRL, 0), "rc5_ctrl"},
 {ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_CTRL, 0), "s390x_aes_gcm_ctrl"},
diff --git a/crypto/evp/pkey_mac.c b/crypto/evp/pkey_mac.c
index d8c0e89..d9e55ec 100644
--- a/crypto/evp/pkey_mac.c
+++ b/crypto/evp/pkey_mac.c
@@ -425,3 +425,36 @@ const EVP_PKEY_METHOD siphash_pkey_meth = {
 pkey_mac_ctrl,
 pkey_mac_ctrl_str
 };
+
+const EVP_PKEY_METHOD poly1305_pkey_meth = {
+EVP_PKEY_POLY1305,
+EVP_PKEY_FLAG_SIGCTX_CUSTOM,
+pkey_mac_init,
+pkey_mac_copy,
+pkey_mac_cleanup,
+
+0, 0,
+
+0,
+pkey_mac_keygen,
+
+0, 0,
+
+0, 0,
+
+0, 0,
+
+pkey_mac_signctx_init,
+pkey_mac_signctx,
+
+0, 0,
+
+0, 0,
+
+0, 0,
+
+0, 0,
+
+pkey_mac_ctrl,
+pkey_mac_ctrl_str
+};
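Review bot: `poly1305_pkey_meth` is initialised positionally and most of its entries are bare `0`, so nothing in the table shows which EVP_PKEY_METHOD callback each entry lands in, and an entry shifted by one slot is easy to miss in review. Label each group with the field names it fills, e.g. `0, 0, /* paramgen_init, paramgen */`, `0, pkey_mac_keygen, /* keygen_init, keygen */` and `pkey_mac_signctx_init, pkey_mac_signctx, /* signctx_init, signctx */`. The table appears to repeat the layout of `siphash_pkey_meth`, whose tail is this hunk's context, so the same labels would apply there.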
diff --git a/crypto/include/internal/evp_int.h 
b/crypto/include/internal/evp_int.h
index 98adf1f..85d3487 100644
--- a/crypto/include/internal/evp_int.h
+++ b/crypto/include/internal/evp_int.h
@@ -132,6 +132,7 @@ extern const EVP_MAC cmac_meth;
 extern const EVP_MAC gmac_meth;
 extern const EVP_MAC hmac_meth;
 extern const EVP_MAC siphash_meth;
+extern const EVP_MAC poly1305_meth;
 
 /*
  * This function is internal for now, but can be made external when needed.
diff --git a/crypto/poly1305/build.info b/crypto/poly1305/build.info
index 631b32b..363d62e 100644
--- a/crypto/poly1305/build.info
+++ b/crypto/poly1305/build.info
@@ -1,7 +1,7 @@
 LIBS=../../libcrypto
 SOURCE[../../libcrypto]=\
-poly1305_pmeth.c \
 poly1305_ameth.c \
+poly1305_meth.c \
 poly1305.c {- $target{poly1305_asm_src} -}
 
 GENERATE[poly1305-sparcv9.S]=asm/poly1305-sparcv9.pl $(PERLASM_SCHEME)
diff --git a/crypto/poly1305/poly1305_meth.c b/crypto/poly1305/poly1305_meth.c
new file mode 100644
index 000..dfee56d
--- /dev/null
+++ b/crypto/poly1305/poly1305_meth.c
@@ -0,0 +1,141 @@
+/*
+ * 

[openssl-commits] [openssl] master update

2018-11-01 Thread yang . yang
The branch master has been updated
   via  e5a8712d03334c4b7cb9f29d6d1daee399c1223e (commit)
  from  00496b6423605391864fbbd1693f23631a1c5239 (commit)


- Log -
commit e5a8712d03334c4b7cb9f29d6d1daee399c1223e
Author: Paul Yang 
Date:   Thu Nov 1 23:27:31 2018 +0800

Fix a doc-nit in EVP_PKEY_CTX_ctrl.pod

[skip-ci]

Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/7546)

---

Summary of changes:
 doc/man3/EVP_PKEY_CTX_ctrl.pod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod
index 75fba58..4982e92 100644
--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod
+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod
@@ -116,7 +116,7 @@ EVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, 
EVP_PKEY_CTX_get1_id_len
  int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
 
  #include 
- 
+
  int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid);
  int EVP_PKEY_CTX_set_ec_param_enc(EVP_PKEY_CTX *ctx, int param_enc);
  int EVP_PKEY_CTX_set_ecdh_cofactor_mode(EVP_PKEY_CTX *ctx, int cofactor_mode);


[openssl-commits] [openssl] master update

2018-10-26 Thread yang . yang
The branch master has been updated
   via  c23e497da7815bf6ef84461f92339442d3702eda (commit)
  from  a83dc59afa2e0207180d7218efed19b20d48de95 (commit)


- Log -
commit c23e497da7815bf6ef84461f92339442d3702eda
Author: Fraser Tweedale 
Date:   Sat Oct 27 12:11:41 2018 +0800

Support GeneralSubtrees with minimum = 0

The Name Constraints extension contains GeneralSubtree values
indicating included or excluded subtrees.  It is defined as:

  GeneralSubtree ::= SEQUENCE {
baseGeneralName,
minimum [0] BaseDistance DEFAULT 0,
maximum [1] BaseDistance OPTIONAL }

RFC 5280 further specifies:

  Within this profile, the minimum and maximum fields are not used with
  any name forms, thus, the minimum MUST be zero, and maximum MUST be
  absent.

Because the minimum field has DEFAULT 0, and certificates should be
encoded using DER, the situation where minimum = 0 occurs in a
certificate should not arise.  Nevertheless, it does arise.  For
example, I have seen certificates issued by Microsoft programs that
contain GeneralSubtree values encoded thus.

Enhance the Name Constraints matching routine to handle the case
where minimum is specified.  If present, it must be zero.  The
maximum field remains prohibited.

Reviewed-by: Paul Yang 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/7039)

---

Summary of changes:
 crypto/x509v3/v3_ncons.c | 26 --
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index 9a2cd5a..8465818 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c
@@ -14,6 +14,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "internal/x509_int.h"
 #include "ext_dat.h"
@@ -435,6 +436,27 @@ int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS 
*nc)
 return X509_V_OK;
 }
 
+/*
+ * Return nonzero if the GeneralSubtree has valid 'minimum' field
+ * (must be absent or 0) and valid 'maximum' field (must be absent).
+ */
+static int nc_minmax_valid(GENERAL_SUBTREE *sub) {
+BIGNUM *bn = NULL;
+int ok = 1;
+
+if (sub->maximum)
+ok = 0;
+
+if (sub->minimum) {
+bn = ASN1_INTEGER_to_BN(sub->minimum, NULL);
+if (bn == NULL || !BN_is_zero(bn))
+ok = 0;
+BN_free(bn);
+}
+
+return ok;
+}
+
 static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
 {
 GENERAL_SUBTREE *sub;
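Review bot: `nc_minmax_valid` keeps going after it has found `sub->maximum`, so a subtree that is already certain to be rejected still pays for an `ASN1_INTEGER_to_BN` allocation. Since the certificate is untrusted input, an early `if (sub->maximum != NULL) return 0;` would be cheaper. When the conversion fails, `bn == NULL` is reported by the callers as X509_V_ERR_SUBTREE_MINMAX, which fails closed but makes an allocation failure look like a malformed extension; a short comment saying this is deliberate would help. The opening brace also sits on the signature line, unlike `nc_match` directly below, whose body continues outside this hunk.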
@@ -449,7 +471,7 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
 sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
 if (gen->type != sub->base->type)
 continue;
-if (sub->minimum || sub->maximum)
+if (!nc_minmax_valid(sub))
 return X509_V_ERR_SUBTREE_MINMAX;
 /* If we already have a match don't bother trying any more */
 if (match == 2)
@@ -472,7 +494,7 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
 sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
 if (gen->type != sub->base->type)
 continue;
-if (sub->minimum || sub->maximum)
+if (!nc_minmax_valid(sub))
 return X509_V_ERR_SUBTREE_MINMAX;
 
 r = nc_match_single(gen, sub->base);


[openssl-commits] [openssl] OpenSSL_1_1_1-stable update

2018-10-13 Thread yang . yang
The branch OpenSSL_1_1_1-stable has been updated
   via  3924d699655a39d5d886ab3d4f8c467ef2fa0899 (commit)
  from  2b03114593c59b3010a0d5166ec349b8985a8290 (commit)


- Log -
commit 3924d699655a39d5d886ab3d4f8c467ef2fa0899
Author: Mykola Baibuz 
Date:   Thu Oct 11 12:07:26 2018 +0800

Safer memory cleanup in (crypto/rsa/rsa_lib.c)

We don't need to use secure clean for public key.

CLA: trivial

Reviewed-by: Paul Dale 
Reviewed-by: Paul Yang 
(Merged from https://github.com/openssl/openssl/pull/7363)

(cherry picked from commit c033101db39c93cf41d80dfee4357f2617ede1a0)

---

Summary of changes:
 crypto/rsa/rsa_lib.c | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c
index 72d1b5e..49c34b7 100644
--- a/crypto/rsa/rsa_lib.c
+++ b/crypto/rsa/rsa_lib.c
@@ -125,8 +125,8 @@ void RSA_free(RSA *r)
 
 CRYPTO_THREAD_lock_free(r->lock);
 
-BN_clear_free(r->n);
-BN_clear_free(r->e);
+BN_free(r->n);
+BN_free(r->e);
 BN_clear_free(r->d);
 BN_clear_free(r->p);
 BN_clear_free(r->q);
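Review bot: Nothing in `RSA_free` records why `r->n` and `r->e` now use `BN_free` while `r->d`, `r->p` and `r->q` keep `BN_clear_free`, so a later cleanup could easily make them uniform again in either direction. A one-line comment above the two calls, such as `/* n and e are public values: no need to zeroize them */`, would pin the intent. The rest of the function lies outside the hunk, so the remaining private components could not be checked here.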
@@ -196,7 +196,7 @@ int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
 r->e = e;
 }
 if (d != NULL) {
-BN_free(r->d);
+BN_clear_free(r->d);
 r->d = d;
 }
 
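Review bot: The replaced private exponent is now zeroized with `BN_clear_free`, but the incoming `d` is stored without being marked for constant-time arithmetic. Unless that is done elsewhere (not visible in these hunks), adding `BN_set_flags(r->d, BN_FLG_CONSTTIME);` after `r->d = d;` would be the matching hardening. The same applies to `p` and `q` in the RSA_set0_factors hunk and to `dmp1`, `dmq1` and `iqmp` in the RSA_set0_crt_params hunk. All three functions start and end outside their hunks.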
@@ -213,11 +213,11 @@ int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
 return 0;
 
 if (p != NULL) {
-BN_free(r->p);
+BN_clear_free(r->p);
 r->p = p;
 }
 if (q != NULL) {
-BN_free(r->q);
+BN_clear_free(r->q);
 r->q = q;
 }
 
@@ -235,15 +235,15 @@ int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM 
*dmq1, BIGNUM *iqmp)
 return 0;
 
 if (dmp1 != NULL) {
-BN_free(r->dmp1);
+BN_clear_free(r->dmp1);
 r->dmp1 = dmp1;
 }
 if (dmq1 != NULL) {
-BN_free(r->dmq1);
+BN_clear_free(r->dmq1);
 r->dmq1 = dmq1;
 }
 if (iqmp != NULL) {
-BN_free(r->iqmp);
+BN_clear_free(r->iqmp);
 r->iqmp = iqmp;
 }
 


[openssl-commits] [openssl] master update

2018-10-10 Thread yang . yang
The branch master has been updated
   via  c033101db39c93cf41d80dfee4357f2617ede1a0 (commit)
  from  19ac1bf2de07214ee7ee6d2e118fa3aa8e5850f3 (commit)


- Log -
commit c033101db39c93cf41d80dfee4357f2617ede1a0
Author: Mykola Baibuz 
Date:   Thu Oct 11 12:07:26 2018 +0800

Safer memory cleanup in (crypto/rsa/rsa_lib.c)

We don't need to use secure clean for public key.

CLA: trivial

Reviewed-by: Paul Dale 
Reviewed-by: Paul Yang 
(Merged from https://github.com/openssl/openssl/pull/7363)

---

Summary of changes:
 crypto/rsa/rsa_lib.c | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c
index 72d1b5e..49c34b7 100644
--- a/crypto/rsa/rsa_lib.c
+++ b/crypto/rsa/rsa_lib.c
@@ -125,8 +125,8 @@ void RSA_free(RSA *r)
 
 CRYPTO_THREAD_lock_free(r->lock);
 
-BN_clear_free(r->n);
-BN_clear_free(r->e);
+BN_free(r->n);
+BN_free(r->e);
 BN_clear_free(r->d);
 BN_clear_free(r->p);
 BN_clear_free(r->q);
@@ -196,7 +196,7 @@ int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
 r->e = e;
 }
 if (d != NULL) {
-BN_free(r->d);
+BN_clear_free(r->d);
 r->d = d;
 }
 
@@ -213,11 +213,11 @@ int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
 return 0;
 
 if (p != NULL) {
-BN_free(r->p);
+BN_clear_free(r->p);
 r->p = p;
 }
 if (q != NULL) {
-BN_free(r->q);
+BN_clear_free(r->q);
 r->q = q;
 }
 
@@ -235,15 +235,15 @@ int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM 
*dmq1, BIGNUM *iqmp)
 return 0;
 
 if (dmp1 != NULL) {
-BN_free(r->dmp1);
+BN_clear_free(r->dmp1);
 r->dmp1 = dmp1;
 }
 if (dmq1 != NULL) {
-BN_free(r->dmq1);
+BN_clear_free(r->dmq1);
 r->dmq1 = dmq1;
 }
 if (iqmp != NULL) {
-BN_free(r->iqmp);
+BN_clear_free(r->iqmp);
 r->iqmp = iqmp;
 }
 


[openssl-commits] [openssl] OpenSSL_1_1_1-stable update

2018-10-10 Thread yang . yang
The branch OpenSSL_1_1_1-stable has been updated
   via  a53561e822f151071a834ddeb3870b1363ac9e1e (commit)
  from  7f0e220f4d842a7694ed0f8ff9675745977ce9a0 (commit)


- Log -
commit a53561e822f151071a834ddeb3870b1363ac9e1e
Author: Paul Yang 
Date:   Mon Oct 8 16:36:49 2018 +0800

Fix compiling warnings in example code

The example code in EVP_DigestInit.pod generates warnings if users try
to compile it.

[skip ci]

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7362)

(cherry picked from commit 19ac1bf2de07214ee7ee6d2e118fa3aa8e5850f3)

---

Summary of changes:
 doc/man3/EVP_DigestInit.pod | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/doc/man3/EVP_DigestInit.pod b/doc/man3/EVP_DigestInit.pod
index 0fedd17..5ecbcc5 100644
--- a/doc/man3/EVP_DigestInit.pod
+++ b/doc/man3/EVP_DigestInit.pod
@@ -310,16 +310,17 @@ This example digests the data "Test Message\n" and "Hello 
World\n", using the
 digest name passed on the command line.
 
  #include 
+ #include 
  #include 
 
- main(int argc, char *argv[])
+ int main(int argc, char *argv[])
  {
  EVP_MD_CTX *mdctx;
  const EVP_MD *md;
  char mess1[] = "Test Message\n";
  char mess2[] = "Hello World\n";
  unsigned char md_value[EVP_MAX_MD_SIZE];
- int md_len, i;
+ unsigned int md_len, i;
 
  if (argv[1] == NULL) {
  printf("Usage: mdtest digestname\n");


[openssl-commits] [openssl] master update

2018-10-10 Thread yang . yang
The branch master has been updated
   via  19ac1bf2de07214ee7ee6d2e118fa3aa8e5850f3 (commit)
  from  c2e33a05b1eb9dda988aebdeaa529973d7c22142 (commit)


- Log -
commit 19ac1bf2de07214ee7ee6d2e118fa3aa8e5850f3
Author: Paul Yang 
Date:   Mon Oct 8 16:36:49 2018 +0800

Fix compiling warnings in example code

The example code in EVP_DigestInit.pod generates warnings if users try
to compile it.

[skip ci]

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7362)

---

Summary of changes:
 doc/man3/EVP_DigestInit.pod | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/doc/man3/EVP_DigestInit.pod b/doc/man3/EVP_DigestInit.pod
index 0fedd17..5ecbcc5 100644
--- a/doc/man3/EVP_DigestInit.pod
+++ b/doc/man3/EVP_DigestInit.pod
@@ -310,16 +310,17 @@ This example digests the data "Test Message\n" and "Hello 
World\n", using the
 digest name passed on the command line.
 
  #include 
+ #include 
  #include 
 
- main(int argc, char *argv[])
+ int main(int argc, char *argv[])
  {
  EVP_MD_CTX *mdctx;
  const EVP_MD *md;
  char mess1[] = "Test Message\n";
  char mess2[] = "Hello World\n";
  unsigned char md_value[EVP_MAX_MD_SIZE];
- int md_len, i;
+ unsigned int md_len, i;
 
  if (argv[1] == NULL) {
  printf("Usage: mdtest digestname\n");


[openssl-commits] [openssl] OpenSSL_1_1_1-stable update

2018-10-09 Thread yang . yang
The branch OpenSSL_1_1_1-stable has been updated
   via  8848b14fda7eded1c5a88f9f84eb13dcf69c3960 (commit)
  from  a7ee1ef61b1893038008691a4a6979cf2da91439 (commit)


- Log -
commit 8848b14fda7eded1c5a88f9f84eb13dcf69c3960
Author: Paul Yang 
Date:   Mon Oct 8 17:04:14 2018 +0800

Fix a nit of copyright date range

Should be 2018 instead of 20018.

Reviewed-by: Tim Hudson 
Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/7364)

---

Summary of changes:
 crypto/poly1305/poly1305_ieee754.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/poly1305/poly1305_ieee754.c 
b/crypto/poly1305/poly1305_ieee754.c
index 995a02e..7cfd968 100644
--- a/crypto/poly1305/poly1305_ieee754.c
+++ b/crypto/poly1305/poly1305_ieee754.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-20018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy


[openssl-commits] [openssl] master update

2018-10-08 Thread yang . yang
The branch master has been updated
   via  5c1bd555d3c81cbd46d5032e84c29d16bb4a8f06 (commit)
  from  3d362f190306b62a17aa2fd475b2bc8b3faa8142 (commit)


- Log -
commit 5c1bd555d3c81cbd46d5032e84c29d16bb4a8f06
Author: Paul Yang 
Date:   Mon Oct 8 17:04:14 2018 +0800

Fix a nit of copyright date range

Should be 2018 instead of 20018.

Reviewed-by: Tim Hudson 
Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/7364)

---

Summary of changes:
 crypto/poly1305/poly1305_ieee754.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/poly1305/poly1305_ieee754.c 
b/crypto/poly1305/poly1305_ieee754.c
index 995a02e..7cfd968 100644
--- a/crypto/poly1305/poly1305_ieee754.c
+++ b/crypto/poly1305/poly1305_ieee754.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-20018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy


[openssl-commits] [openssl] OpenSSL_1_1_1-stable update

2018-09-26 Thread yang . yang
The branch OpenSSL_1_1_1-stable has been updated
   via  a2516f0c3e9474f8ac16f713fa0d9b1caff994ac (commit)
  from  5224df0d9a3cbeb0695ed005da8ca3b749d0d3ce (commit)


- Log -
commit a2516f0c3e9474f8ac16f713fa0d9b1caff994ac
Author: Antoine Salon 
Date:   Wed Sep 26 16:56:05 2018 +0800

Add missing cipher aliases to openssl(1)

And references to other manpages are also added in openssl(1).

Signed-off-by: Antoine Salon 

Reviewed-by: Paul Yang 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/7314)

---

Summary of changes:
 doc/man1/openssl.pod | 57 
 1 file changed, 57 insertions(+)

diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
index c656a34..a39cf96 100644
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@@ -40,6 +40,9 @@ The B program provides a rich variety of commands 
(I in the
 SYNOPSIS above), each of which often has a wealth of options and arguments
 (I and I in the SYNOPSIS).
 
+Detailed documentation and use cases for most standard subcommands are 
available
+(e.g., L or L).
+
 Many commands use an external configuration file for some or all of their
 arguments and have a B<-config> option to specify that file.
 The environment variable B can be used to specify
@@ -369,8 +372,38 @@ SM3 Digest
 
 =head2 Encoding and Cipher Commands
 
+The following aliases provide convenient access to the most used encodings
+and ciphers.
+
+Depending on how OpenSSL was configured and built, not all ciphers listed
+here may be present. See L for more information and command usage.
+
 =over 4
 
+=item B, B, B, B, 
B, B
+
+AES-128 Cipher
+
+=item B, B, B, B, 
B, B
+
+AES-192 Cipher
+
+=item B, B, B, B, 
B, B
+
+AES-256 Cipher
+
+=item B, B, B, B, 
B, B
+
+Aria-128 Cipher
+
+=item B, B, B, B, 
B, B
+
+Aria-192 Cipher
+
+=item B, B, B, B, 
B, B
+
+Aria-256 Cipher
+
 =item B
 
 Base64 Encoding
@@ -379,6 +412,18 @@ Base64 Encoding
 
 Blowfish Cipher
 
+=item B, B, B, 
B, B, B
+
+Camellia-128 Cipher
+
+=item B, B, B, 
B, B, B
+
+Camellia-192 Cipher
+
+=item B, B, B, 
B, B, B
+
+Camellia-256 Cipher
+
 =item B, B
 
 CAST Cipher
@@ -387,6 +432,10 @@ CAST Cipher
 
 CAST5 Cipher
 
+=item B
+
+Chacha20 Cipher
+
 =item B, B, B, B, B, B, 
B, B, B
 
 DES Cipher
@@ -411,6 +460,14 @@ RC4 Cipher
 
 RC5 Cipher
 
+=item B, B, B, B, B
+
+SEED Cipher
+
+=item B, B, B, B, B, B
+
+SM4 Cipher
+
 =back
 
 =head1 OPTIONS


[openssl-commits] [openssl] master update

2018-09-26 Thread yang . yang
The branch master has been updated
   via  1362190b1b786a87378e55e9a1c20c46b6b6a286 (commit)
  from  306bb728d75cac39302bd672ad48d8bf103eba4c (commit)


- Log -
commit 1362190b1b786a87378e55e9a1c20c46b6b6a286
Author: Antoine Salon 
Date:   Wed Sep 26 16:56:05 2018 +0800

Add missing cipher aliases to openssl(1)

And references to other manpages are also added in openssl(1).

Signed-off-by: Antoine Salon 

Reviewed-by: Paul Yang 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/7314)

---

Summary of changes:
 doc/man1/openssl.pod | 57 
 1 file changed, 57 insertions(+)

diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
index c656a34..a39cf96 100644
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@@ -40,6 +40,9 @@ The B program provides a rich variety of commands 
(I in the
 SYNOPSIS above), each of which often has a wealth of options and arguments
 (I and I in the SYNOPSIS).
 
+Detailed documentation and use cases for most standard subcommands are 
available
+(e.g., L or L).
+
 Many commands use an external configuration file for some or all of their
 arguments and have a B<-config> option to specify that file.
 The environment variable B can be used to specify
@@ -369,8 +372,38 @@ SM3 Digest
 
 =head2 Encoding and Cipher Commands
 
+The following aliases provide convenient access to the most used encodings
+and ciphers.
+
+Depending on how OpenSSL was configured and built, not all ciphers listed
+here may be present. See L for more information and command usage.
+
 =over 4
 
+=item B, B, B, B, 
B, B
+
+AES-128 Cipher
+
+=item B, B, B, B, 
B, B
+
+AES-192 Cipher
+
+=item B, B, B, B, 
B, B
+
+AES-256 Cipher
+
+=item B, B, B, B, 
B, B
+
+Aria-128 Cipher
+
+=item B, B, B, B, 
B, B
+
+Aria-192 Cipher
+
+=item B, B, B, B, 
B, B
+
+Aria-256 Cipher
+
 =item B
 
 Base64 Encoding
@@ -379,6 +412,18 @@ Base64 Encoding
 
 Blowfish Cipher
 
+=item B, B, B, 
B, B, B
+
+Camellia-128 Cipher
+
+=item B, B, B, 
B, B, B
+
+Camellia-192 Cipher
+
+=item B, B, B, 
B, B, B
+
+Camellia-256 Cipher
+
 =item B, B
 
 CAST Cipher
@@ -387,6 +432,10 @@ CAST Cipher
 
 CAST5 Cipher
 
+=item B
+
+Chacha20 Cipher
+
 =item B, B, B, B, B, B, 
B, B, B
 
 DES Cipher
@@ -411,6 +460,14 @@ RC4 Cipher
 
 RC5 Cipher
 
+=item B, B, B, B, B
+
+SEED Cipher
+
+=item B, B, B, B, B, B
+
+SM4 Cipher
+
 =back
 
 =head1 OPTIONS


[openssl-commits] [openssl] master update

2018-09-25 Thread yang . yang
The branch master has been updated
   via  306bb728d75cac39302bd672ad48d8bf103eba4c (commit)
  from  eadde90bff01a6755399a4e1f6a3e4a9ed0fd61d (commit)


- Log -
commit 306bb728d75cac39302bd672ad48d8bf103eba4c
Author: James Callahan 
Date:   Thu Aug 23 12:12:05 2018 +1000

doc/man3/SSL_set_bio.pod: Fix wrong function name in return values section

Reviewed-by: Paul Yang 
Reviewed-by: Tim Hudson 
(Merged from https://github.com/openssl/openssl/pull/7035)

---

Summary of changes:
 doc/man3/SSL_set_bio.pod | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/man3/SSL_set_bio.pod b/doc/man3/SSL_set_bio.pod
index 0161752..1fa0d34 100644
--- a/doc/man3/SSL_set_bio.pod
+++ b/doc/man3/SSL_set_bio.pod
@@ -90,7 +90,7 @@ use SSL_set0_rbio() and SSL_set0_wbio() instead.
 
 =head1 RETURN VALUES
 
-SSL_set_bio(), SSL_set_rbio() and SSL_set_wbio() cannot fail.
+SSL_set_bio(), SSL_set0_rbio() and SSL_set0_wbio() cannot fail.
 
 =head1 SEE ALSO
 
@@ -104,7 +104,7 @@ SSL_set0_rbio() and SSL_set0_wbio() were added in OpenSSL 
1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy


[openssl-commits] [openssl] OpenSSL_1_1_1-stable update

2018-09-25 Thread yang . yang
The branch OpenSSL_1_1_1-stable has been updated
   via  5224df0d9a3cbeb0695ed005da8ca3b749d0d3ce (commit)
  from  37e9944685ee91e3fe521c39294c0b50d2053bf7 (commit)


- Log -
commit 5224df0d9a3cbeb0695ed005da8ca3b749d0d3ce
Author: James Callahan 
Date:   Thu Aug 23 12:12:05 2018 +1000

doc/man3/SSL_set_bio.pod: Fix wrong function name in return values section

Reviewed-by: Paul Yang 
Reviewed-by: Tim Hudson 
(Merged from https://github.com/openssl/openssl/pull/7035)

---

Summary of changes:
 doc/man3/SSL_set_bio.pod | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/man3/SSL_set_bio.pod b/doc/man3/SSL_set_bio.pod
index 0161752..1fa0d34 100644
--- a/doc/man3/SSL_set_bio.pod
+++ b/doc/man3/SSL_set_bio.pod
@@ -90,7 +90,7 @@ use SSL_set0_rbio() and SSL_set0_wbio() instead.
 
 =head1 RETURN VALUES
 
-SSL_set_bio(), SSL_set_rbio() and SSL_set_wbio() cannot fail.
+SSL_set_bio(), SSL_set0_rbio() and SSL_set0_wbio() cannot fail.
 
 =head1 SEE ALSO
 
@@ -104,7 +104,7 @@ SSL_set0_rbio() and SSL_set0_wbio() were added in OpenSSL 
1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy


[openssl-commits] [openssl] master update

2018-09-20 Thread yang . yang
The branch master has been updated
   via  41a6fa74e6c95ea3edd0baf2616839ca7cb62c3d (commit)
  from  d3c72e392ab72d418ea5147857701a8730def3fd (commit)


- Log -
commit 41a6fa74e6c95ea3edd0baf2616839ca7cb62c3d
Author: Paul Yang 
Date:   Thu Sep 20 17:04:15 2018 +0800

Add some missing ciphers in 'enc' document

The original issue is #7273 and this commit fixes part of that issue.

[skip ci]

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/7275)

---

Summary of changes:
 doc/man1/enc.pod | 25 +
 1 file changed, 25 insertions(+)

diff --git a/doc/man1/enc.pod b/doc/man1/enc.pod
index 01cca4e..55b1b51 100644
--- a/doc/man1/enc.pod
+++ b/doc/man1/enc.pod
@@ -277,6 +277,7 @@ standard data format and performs the needed key/iv/nonce 
management.
 
  bf-cbc Blowfish in CBC mode
  bf Alias for bf-cbc
+ blowfish   Alias for bf-cbc
  bf-cfb Blowfish in CFB mode
  bf-ecb Blowfish in ECB mode
  bf-ofb Blowfish in OFB mode
@@ -288,6 +289,8 @@ standard data format and performs the needed key/iv/nonce 
management.
  cast5-ecb  CAST5 in ECB mode
  cast5-ofb  CAST5 in OFB mode
 
+ chacha20   ChaCha20 algorithm
+
  des-cbcDES in CBC mode
  desAlias for des-cbc
  des-cfbDES in CFB mode
@@ -334,6 +337,19 @@ standard data format and performs the needed key/iv/nonce 
management.
  rc5-ecbRC5 cipher in ECB mode
  rc5-ofbRC5 cipher in OFB mode
 
+ seed-cbc   SEED cipher in CBC mode
+ seed   Alias for seed-cbc
+ seed-cfb   SEED cipher in CFB mode
+ seed-ecb   SEED cipher in ECB mode
+ seed-ofb   SEED cipher in OFB mode
+
+ sm4-cbcSM4 cipher in CBC mode
+ sm4Alias for sm4-cbc
+ sm4-cfbSM4 cipher in CFB mode
+ sm4-ctrSM4 cipher in CTR mode
+ sm4-ecbSM4 cipher in ECB mode
+ sm4-ofbSM4 cipher in OFB mode
+
  aes-[128|192|256]-cbc  128/192/256 bit AES in CBC mode
  aes[128|192|256]   Alias for aes-[128|192|256]-cbc
  aes-[128|192|256]-cfb  128/192/256 bit AES in 128 bit CFB mode
@@ -343,6 +359,15 @@ standard data format and performs the needed key/iv/nonce 
management.
  aes-[128|192|256]-ecb  128/192/256 bit AES in ECB mode
  aes-[128|192|256]-ofb  128/192/256 bit AES in OFB mode
 
+ aria-[128|192|256]-cbc  128/192/256 bit ARIA in CBC mode
+ aria[128|192|256]   Alias for aria-[128|192|256]-cbc
+ aria-[128|192|256]-cfb  128/192/256 bit ARIA in 128 bit CFB mode
+ aria-[128|192|256]-cfb1 128/192/256 bit ARIA in 1 bit CFB mode
+ aria-[128|192|256]-cfb8 128/192/256 bit ARIA in 8 bit CFB mode
+ aria-[128|192|256]-ctr  128/192/256 bit ARIA in CTR mode
+ aria-[128|192|256]-ecb  128/192/256 bit ARIA in ECB mode
+ aria-[128|192|256]-ofb  128/192/256 bit ARIA in OFB mode
+
  camellia-[128|192|256]-cbc  128/192/256 bit Camellia in CBC mode
  camellia[128|192|256]   Alias for camellia-[128|192|256]-cbc
  camellia-[128|192|256]-cfb  128/192/256 bit Camellia in 128 bit CFB mode


[openssl-commits] [openssl] OpenSSL_1_1_1-stable update

2018-09-20 Thread yang . yang
The branch OpenSSL_1_1_1-stable has been updated
   via  ea94f19b660debfc7044c69b25418a697dec735d (commit)
  from  a2a9f8896b861fbc2cf52bbc19cde1cf91fea0ee (commit)


- Log -
commit ea94f19b660debfc7044c69b25418a697dec735d
Author: Paul Yang 
Date:   Thu Sep 20 17:04:15 2018 +0800

Add some missing ciphers in 'enc' document

The original issue is #7273 and this commit fixes part of that issue.

[skip ci]

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/7275)

---

Summary of changes:
 doc/man1/enc.pod | 25 +
 1 file changed, 25 insertions(+)

diff --git a/doc/man1/enc.pod b/doc/man1/enc.pod
index 01cca4e..55b1b51 100644
--- a/doc/man1/enc.pod
+++ b/doc/man1/enc.pod
@@ -277,6 +277,7 @@ standard data format and performs the needed key/iv/nonce 
management.
 
  bf-cbc Blowfish in CBC mode
  bf Alias for bf-cbc
+ blowfish   Alias for bf-cbc
  bf-cfb Blowfish in CFB mode
  bf-ecb Blowfish in ECB mode
  bf-ofb Blowfish in OFB mode
@@ -288,6 +289,8 @@ standard data format and performs the needed key/iv/nonce 
management.
  cast5-ecb  CAST5 in ECB mode
  cast5-ofb  CAST5 in OFB mode
 
+ chacha20   ChaCha20 algorithm
+
  des-cbcDES in CBC mode
  desAlias for des-cbc
  des-cfbDES in CFB mode
@@ -334,6 +337,19 @@ standard data format and performs the needed key/iv/nonce 
management.
  rc5-ecbRC5 cipher in ECB mode
  rc5-ofbRC5 cipher in OFB mode
 
+ seed-cbc   SEED cipher in CBC mode
+ seed   Alias for seed-cbc
+ seed-cfb   SEED cipher in CFB mode
+ seed-ecb   SEED cipher in ECB mode
+ seed-ofb   SEED cipher in OFB mode
+
+ sm4-cbcSM4 cipher in CBC mode
+ sm4Alias for sm4-cbc
+ sm4-cfbSM4 cipher in CFB mode
+ sm4-ctrSM4 cipher in CTR mode
+ sm4-ecbSM4 cipher in ECB mode
+ sm4-ofbSM4 cipher in OFB mode
+
  aes-[128|192|256]-cbc  128/192/256 bit AES in CBC mode
  aes[128|192|256]   Alias for aes-[128|192|256]-cbc
  aes-[128|192|256]-cfb  128/192/256 bit AES in 128 bit CFB mode
@@ -343,6 +359,15 @@ standard data format and performs the needed key/iv/nonce 
management.
  aes-[128|192|256]-ecb  128/192/256 bit AES in ECB mode
  aes-[128|192|256]-ofb  128/192/256 bit AES in OFB mode
 
+ aria-[128|192|256]-cbc  128/192/256 bit ARIA in CBC mode
+ aria[128|192|256]   Alias for aria-[128|192|256]-cbc
+ aria-[128|192|256]-cfb  128/192/256 bit ARIA in 128 bit CFB mode
+ aria-[128|192|256]-cfb1 128/192/256 bit ARIA in 1 bit CFB mode
+ aria-[128|192|256]-cfb8 128/192/256 bit ARIA in 8 bit CFB mode
+ aria-[128|192|256]-ctr  128/192/256 bit ARIA in CTR mode
+ aria-[128|192|256]-ecb  128/192/256 bit ARIA in ECB mode
+ aria-[128|192|256]-ofb  128/192/256 bit ARIA in OFB mode
+
  camellia-[128|192|256]-cbc  128/192/256 bit Camellia in CBC mode
  camellia[128|192|256]   Alias for camellia-[128|192|256]-cbc
  camellia-[128|192|256]-cfb  128/192/256 bit Camellia in 128 bit CFB mode


[openssl-commits] [openssl] OpenSSL_1_1_1-stable update

2018-09-13 Thread yang . yang
The branch OpenSSL_1_1_1-stable has been updated
   via  2ccfcbfb710937bc6e541453745042c7a48675b3 (commit)
  from  76864436b35e7aec867d85b967e9d6c0d7294c53 (commit)


- Log -
commit 2ccfcbfb710937bc6e541453745042c7a48675b3
Author: Paul Yang 
Date:   Thu Sep 13 11:17:14 2018 +0900

Make some return checks consistent with others

Reviewed-by: Richard Levitte 
Reviewed-by: Bernd Edlinger 
(Merged from https://github.com/openssl/openssl/pull/7209)

---

Summary of changes:
 crypto/evp/pmeth_lib.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index 633cb88..7fbf895 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -837,21 +837,21 @@ void EVP_PKEY_meth_get_ctrl(const EVP_PKEY_METHOD *pmeth,
 void EVP_PKEY_meth_get_check(const EVP_PKEY_METHOD *pmeth,
  int (**pcheck) (EVP_PKEY *pkey))
 {
-if (*pcheck)
+if (pcheck != NULL)
 *pcheck = pmeth->check;
 }
 
 void EVP_PKEY_meth_get_public_check(const EVP_PKEY_METHOD *pmeth,
 int (**pcheck) (EVP_PKEY *pkey))
 {
-if (*pcheck)
+if (pcheck != NULL)
 *pcheck = pmeth->public_check;
 }
 
 void EVP_PKEY_meth_get_param_check(const EVP_PKEY_METHOD *pmeth,
int (**pcheck) (EVP_PKEY *pkey))
 {
-if (*pcheck)
+if (pcheck != NULL)
 *pcheck = pmeth->param_check;
 }
 
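Review bot: The three getters now guard the output pointer, but `pmeth` is still dereferenced unconditionally in `*pcheck = pmeth->check;` and its two siblings. If a NULL method is a plausible caller error, it should either be checked or documented as a precondition. The old condition `if (*pcheck)` read the caller's output variable before writing it, so this is a behavioural fix rather than a consistency tweak. A small regression test that calls each getter with the output initialised to NULL would keep it from coming back. `EVP_PKEY_meth_get_ctrl`, named in the hunk header, lies outside the hunk, so its check was not compared.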


[openssl-commits] [openssl] master update

2018-09-13 Thread yang . yang
The branch master has been updated
   via  34f5c8b1ff7b9a9a15f6a71c22fe83c2762b99d9 (commit)
  from  6ef40f1fc08f0c4ffb08438d63eed83eae7eb2b8 (commit)


- Log -
commit 34f5c8b1ff7b9a9a15f6a71c22fe83c2762b99d9
Author: Paul Yang 
Date:   Thu Sep 13 11:17:14 2018 +0900

Make some return checks consistent with others

Reviewed-by: Richard Levitte 
Reviewed-by: Bernd Edlinger 
(Merged from https://github.com/openssl/openssl/pull/7209)

---

Summary of changes:
 crypto/evp/pmeth_lib.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index 633cb88..7fbf895 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -837,21 +837,21 @@ void EVP_PKEY_meth_get_ctrl(const EVP_PKEY_METHOD *pmeth,
 void EVP_PKEY_meth_get_check(const EVP_PKEY_METHOD *pmeth,
  int (**pcheck) (EVP_PKEY *pkey))
 {
-if (*pcheck)
+if (pcheck != NULL)
 *pcheck = pmeth->check;
 }
 
 void EVP_PKEY_meth_get_public_check(const EVP_PKEY_METHOD *pmeth,
 int (**pcheck) (EVP_PKEY *pkey))
 {
-if (*pcheck)
+if (pcheck != NULL)
 *pcheck = pmeth->public_check;
 }
 
 void EVP_PKEY_meth_get_param_check(const EVP_PKEY_METHOD *pmeth,
int (**pcheck) (EVP_PKEY *pkey))
 {
-if (*pcheck)
+if (pcheck != NULL)
 *pcheck = pmeth->param_check;
 }
 


[openssl-commits] [openssl] master update

2018-09-08 Thread yang . yang
The branch master has been updated
   via  f922dac87d859cc7419207301533fe89582ac3ea (commit)
   via  81c7945388a49799f819f5ca5bfe6acd506840c3 (commit)
   via  571286b0a463b02ef2f9040a7e5d602635854832 (commit)
   via  675f4ceef880f9c4eb0fda5dacd18b001fefb5bc (commit)
   via  a6c4cb845a031f09c6303a2c3452e253d0d01518 (commit)
   via  4803717f5e3bcfba3e3442e1611f421bf1090a47 (commit)
   via  00433bad41bfa492f2e204675d42061314028ff2 (commit)
   via  0a8fdef7523ae796ca2e734c279791737148c001 (commit)
   via  00902d9414b4c6e46f78d7a6b6c8edc4d313d4b7 (commit)
   via  5bd0abe7a2f76d8c80f566ae615c10113884d843 (commit)
  from  63c5ac801f7ccdbc1e975f880eb74c1bed63d5e4 (commit)


- Log -
commit f922dac87d859cc7419207301533fe89582ac3ea
Author: Paul Yang 
Date:   Thu Sep 6 10:36:11 2018 +0800

Add missing SM2err and fix doc nits

Reviewed-by: Tim Hudson 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7113)

commit 81c7945388a49799f819f5ca5bfe6acd506840c3
Author: Paul Yang 
Date:   Wed Sep 5 22:01:33 2018 +0800

Allow EVP_MD_CTX_set_pkey_ctx to accept NULL pctx

Reviewed-by: Tim Hudson 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7113)

commit 571286b0a463b02ef2f9040a7e5d602635854832
Author: Paul Yang 
Date:   Wed Sep 5 20:20:33 2018 +0800

Add a SM2(7) man page

Reviewed-by: Tim Hudson 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7113)

commit 675f4ceef880f9c4eb0fda5dacd18b001fefb5bc
Author: Paul Yang 
Date:   Wed Sep 5 15:19:17 2018 +0800

Update document for SM2 stuffs

Reviewed-by: Tim Hudson 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7113)

commit a6c4cb845a031f09c6303a2c3452e253d0d01518
Author: Jack Lloyd 
Date:   Tue Sep 4 23:25:29 2018 +0800

Add test case for SM2 evp verification

This test case was originally submitted in #6757, by Jack Lloyd. The test
case has been modified to use a different method to set the ID when
computing the Z hash of SM2 signature.

Reviewed-by: Tim Hudson 
Reviewed-by: Matt Caswell 
Reviewed-by: Paul Yang 
(Merged from https://github.com/openssl/openssl/pull/7113)

commit 4803717f5e3bcfba3e3442e1611f421bf1090a47
Author: Paul Yang 
Date:   Tue Sep 4 17:21:10 2018 +0800

Support setting SM2 ID

zero-length ID is allowed, but it's not allowed to skip the ID.

Fixes: #6534

Reviewed-by: Tim Hudson 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7113)

commit 00433bad41bfa492f2e204675d42061314028ff2
Author: Paul Yang 
Date:   Tue Sep 4 01:24:55 2018 +0800

Make SM2 ID stick to specification

Reviewed-by: Tim Hudson 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7113)

commit 0a8fdef7523ae796ca2e734c279791737148c001
Author: Paul Yang 
Date:   Tue Sep 4 00:51:04 2018 +0800

Support pmeth->digest_custom

Reviewed-by: Tim Hudson 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7113)

commit 00902d9414b4c6e46f78d7a6b6c8edc4d313d4b7
Author: Paul Yang 
Date:   Mon Sep 3 23:56:41 2018 +0800

Introduce EVP_MD_CTX_set_pkey_ctx

Thus users can use this function to set customized EVP_PKEY_CTX to
EVP_MD_CTX structure.

Reviewed-by: Tim Hudson 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7113)

commit 5bd0abe7a2f76d8c80f566ae615c10113884d843
Author: Paul Yang 
Date:   Mon Sep 3 22:08:17 2018 +0800

Remove unnecessary sm2_za.c

Reviewed-by: Tim Hudson 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/7113)

---

Summary of changes:
 crypto/err/openssl.txt|   6 ++
 crypto/evp/digest.c   |  12 ++-
 crypto/evp/evp_lib.c  |  19 +
 crypto/evp/m_sigver.c |  17 +++--
 crypto/evp/pmeth_lib.c|  22 +-
 crypto/include/internal/evp_int.h |   8 ++
 crypto/include/internal/sm2.h |  20 +++--
 crypto/include/internal/sm2err.h  |   6 ++
 crypto/sm2/build.info |   2 +-
 crypto/sm2/sm2_err.c  |   8 ++
 crypto/sm2/sm2_pmeth.c| 106 ++
 crypto/sm2/sm2_sign.c | 153 ++
 crypto/sm2/sm2_za.c   | 132 
 doc/man3/EVP_DigestInit.pod   |  20 -
 doc/man3/EVP_DigestSignInit.pod   |  11 ++-
 doc/man3/EVP_DigestVerifyInit.pod |   9 ++-
 doc/man3/EVP_PKEY_CTX_ctrl.pod|  22 +-
 doc/man3/EVP_PKEY_meth_new.pod|  17 +
 doc/man7/SM2.pod  |  79 
 

[openssl-commits] [openssl] master update

2018-09-03 Thread yang . yang
The branch master has been updated
   via  a7eeefeadc29f4290978ef1cdd800f3ea2850c10 (commit)
  from  64a48fc7f0bc2d3ff587791b93a357bd98e1a5b8 (commit)


- Log -
commit a7eeefeadc29f4290978ef1cdd800f3ea2850c10
Author: wzhang 
Date:   Wed Aug 8 01:04:18 2018 -0700

Fix the comment of PEM_read_bio_ex

Add one more unit test case

Reviewed-by: Richard Levitte 
Reviewed-by: Tim Hudson 
Reviewed-by: Paul Yang 
(Merged from https://github.com/openssl/openssl/pull/6892)

---

Summary of changes:
 crypto/pem/pem_lib.c |  3 +--
 test/pemtest.c   | 30 ++
 2 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index 5c21a86..4bb8646 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -880,8 +880,7 @@ err:
  * Read in PEM-formatted data from the given BIO.
  *
  * By nature of the PEM format, all content must be printable ASCII (except
- * for line endings).  Other characters, or lines that are longer than 80
- * characters, are malformed input and will be rejected.
+ * for line endings).  Other characters are malformed input and will be 
rejected.
  */
 int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
 unsigned char **data, long *len_out, unsigned int flags)
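Review bot: The rewritten comment line above `PEM_read_bio_ex` runs past 80 columns (the list archive has wrapped `rejected.` onto its own line), so it should be re-flowed as `* for line endings).  Other characters are malformed input and will be` followed by `* rejected.`. With the 80-character rule removed, the comment no longer says whether any bound on line length remains. Since this reader is handed untrusted PEM, one sentence stating the accepted line length, or that there is none, would help callers. The function body lies outside the hunk, so the actual limit cannot be confirmed from here.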
diff --git a/test/pemtest.c b/test/pemtest.c
index dfef80d..7f40ea3 100644
--- a/test/pemtest.c
+++ b/test/pemtest.c
@@ -12,18 +12,31 @@
 #include 
 
 #include "testutil.h"
+#include "internal/nelem.h"
 
-static const char raw[] = "hello world";
-static const char encoded[] = "aGVsbG8gd29ybGQ=";
-static const char pemtype[] = "PEMTESTDATA";
+typedef struct {
+const char *raw;
+const char *encoded;
+} TESTDATA;
 
-static int test_b64(void)
+static TESTDATA b64_pem_data[] = {
+{ "hello world",
+  "aGVsbG8gd29ybGQ=" },
+{ "a very 
ooong
 input",
+  
"YSB2ZXJ5IG9vb29vb29vb29vb29vb29vb29vb29vb29vb29vb29vb29vb29vb29vb29vb29vb29vb29vb29vb29vb29vb29vb29vb29vb29vb29vb29vb29vb29vb29vb29uZyBpbnB1dA=="
 }
+};
+
+static const char *pemtype = "PEMTESTDATA";
+
+static int test_b64(int idx)
 {
 BIO *b = BIO_new(BIO_s_mem());
 char *name = NULL, *header = NULL;
 unsigned char *data = NULL;
 long len;
 int ret = 0;
+const char *raw = b64_pem_data[idx].raw;
+const char *encoded = b64_pem_data[idx].encoded;
 
 if (!TEST_ptr(b)
 || !TEST_true(BIO_printf(b, "-BEGIN %s-\n", pemtype))
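Review bot: `b64_pem_data` is never written to in the visible code, so the table should be declared `static const TESTDATA b64_pem_data[] = {`, as the `static const char` arrays it replaces were. `test_b64(int idx)` indexes the table directly and relies on `ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data))` in the last hunk for its bound. That deserves a comment above the function such as `/* idx is supplied by ADD_ALL_TESTS and is always < OSSL_NELEM(b64_pem_data) */`. The body of `test_b64` continues into the next hunk.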
@@ -32,9 +45,9 @@ static int test_b64(void)
 || !TEST_true(PEM_read_bio_ex(b, , , , ,
   PEM_FLAG_ONLY_B64)))
 goto err;
-if (!TEST_int_eq(memcmp(pemtype, name, sizeof(pemtype) - 1), 0)
-|| !TEST_int_eq(len,sizeof(raw) - 1)
-|| !TEST_int_eq(memcmp(data, raw, sizeof(raw) - 1), 0))
+if (!TEST_int_eq(memcmp(pemtype, name, strlen(pemtype)), 0)
+|| !TEST_int_eq(len, strlen(raw))
+|| !TEST_int_eq(memcmp(data, raw, strlen(raw)), 0))
 goto err;
 ret = 1;
  err:
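Review bot: `TEST_int_eq(len, strlen(raw))` compares a `long` with a `size_t` through an `int` comparison, so both sides are narrowed before the check; `TEST_long_eq(len, (long)strlen(raw))` keeps the width of `len` and still fails on a negative length. The name check `memcmp(pemtype, name, strlen(pemtype))` compares only a prefix, so a longer `name` would still pass; the removed `sizeof(pemtype) - 1` form had the same gap. `TEST_str_eq(name, pemtype)` checks the whole string. `test_b64` starts in the previous hunk.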
@@ -51,6 +64,7 @@ static int test_invalid(void)
 char *name = NULL, *header = NULL;
 unsigned char *data = NULL;
 long len;
+const char *encoded = b64_pem_data[0].encoded;
 
 if (!TEST_ptr(b)
 || !TEST_true(BIO_printf(b, "-BEGIN %s-\n", pemtype))
@@ -71,7 +85,7 @@ static int test_invalid(void)
 
 int setup_tests(void)
 {
-ADD_TEST(test_b64);
+ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
 ADD_TEST(test_invalid);
 return 1;
 }


[openssl-commits] [openssl] master update

2018-09-03 Thread yang . yang
The branch master has been updated
   via  322755cc2a91d08b66826b38a7b8c20f68cd8890 (commit)
  from  13da3ad00c80e1da816ca27f6c15b0ecee1bb0b8 (commit)


- Log -
commit 322755cc2a91d08b66826b38a7b8c20f68cd8890
Author: Hubert Kario 
Date:   Sat Sep 1 08:40:51 2018 +0800

TLSv1.3 related changes to man pages

Add or update the documentation of the different man pages in relation to 
TLSv1.3 behaviour.

Reviewed-by: Tim Hudson 
Reviewed-by: Ben Kaduk 
Reviewed-by: Paul Yang 
(Merged from https://github.com/openssl/openssl/pull/6939)

---

Summary of changes:
 doc/man1/s_time.pod   |  8 +--
 doc/man1/sess_id.pod  |  2 +-
 doc/man3/SSL_CONF_cmd.pod | 80 +--
 doc/man3/SSL_CTX_new.pod  |  7 ++-
 doc/man3/SSL_CTX_set_cert_cb.pod  |  6 +-
 doc/man3/SSL_SESSION_get_protocol_version.pod |  2 +-
 doc/man3/SSL_check_chain.pod  |  6 +-
 doc/man3/SSL_get_peer_signature_nid.pod   |  4 +-
 doc/man3/SSL_get_shared_sigalgs.pod   |  8 ++-
 doc/man7/ssl.pod  |  2 +
 10 files changed, 78 insertions(+), 47 deletions(-)

diff --git a/doc/man1/s_time.pod b/doc/man1/s_time.pod
index d17e137..c08e44a 100644
--- a/doc/man1/s_time.pod
+++ b/doc/man1/s_time.pod
@@ -135,16 +135,16 @@ option enables various workarounds.
 This allows the TLSv1.2 and below cipher list sent by the client to be 
modified.
 This list will be combined with any TLSv1.3 ciphersuites that have been
 configured. Although the server determines which cipher suite is used it should
-take the first supported cipher in the list sent by the client. See the
-L command for more information.
+take the first supported cipher in the list sent by the client. See
+L for more information.
 
 =item B<-ciphersuites val>
 
 This allows the TLSv1.3 ciphersuites sent by the client to be modified. This
 list will be combined with any TLSv1.2 and below ciphersuites that have been
 configured. Although the server determines which cipher suite is used it should
-take the first supported cipher in the list sent by the client. See the
-B command for more information. The format for this list is a simple
+take the first supported cipher in the list sent by the client. See
+L for more information. The format for this list is a simple
 colon (":") separated list of TLSv1.3 ciphersuite names.
 
 =item B<-time length>
diff --git a/doc/man1/sess_id.pod b/doc/man1/sess_id.pod
index 0c0e7e8..99aa858 100644
--- a/doc/man1/sess_id.pod
+++ b/doc/man1/sess_id.pod
@@ -99,7 +99,7 @@ Theses are described below in more detail.
 
 =item B
 
-This is the protocol in use TLSv1.2, TLSv1.1, TLSv1 or SSLv3.
+This is the protocol in use TLSv1.3, TLSv1.2, TLSv1.1, TLSv1 or SSLv3.
 
 =item B
 
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
index 4edd49c..b399bcf 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -33,25 +33,36 @@ prefix for command line commands is B<-> and that is 
reflected below.
 
 =item B<-sigalgs>
 
-This sets the supported signature algorithms for TLS v1.2. For clients this
+This sets the supported signature algorithms for TLSv1.2 and TLSv1.3.
+For clients this
 value is used directly for the supported signature algorithms extension. For
 servers it is used to determine which signature algorithms to support.
 
 The B argument should be a colon separated list of signature algorithms
-in order of decreasing preference of the form B. B
+in order of decreasing preference of the form B or
+B. B
 is one of B, B or B and B is a supported algorithm
 OID short name such as B, B, B, B of B.
 Note: algorithm and hash names are case sensitive.
+B is one of the signature schemes defined in TLSv1.3,
+specified using the IETF name, e.g., B, B,
+or B.
 
 If this option is not set then all signature algorithms supported by the
 OpenSSL library are permissible.
 
+Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by
+using B as the B or by using one of the B
+identifiers) are ignored in TLSv1.3 and will not be negotiated.
+
 =item B<-client_sigalgs>
 
 This sets the supported signature algorithms associated with client
-authentication for TLS v1.2. For servers the value is used in the supported
-signature algorithms field of a certificate request. For clients it is
-used to determine which signature algorithm to with the client certificate.
+authentication for TLSv1.2 and TLSv1.3.
+For servers the value is used in the
+B field of a B message.
+For clients it is
+used to determine which signature algorithm to use with the client certificate.
 If a server does not request a certificate this option has no effect.
 
 The syntax of B is identical to B<-sigalgs>. If not set then
@@ -61,22 +72,21 @@ the 

[openssl-commits] [openssl] master update

2018-09-03 Thread yang . yang
The branch master has been updated
   via  d6c46adf180aa3e29d5dac075fb673bbc273ae08 (commit)
  from  322755cc2a91d08b66826b38a7b8c20f68cd8890 (commit)


- Log -
commit d6c46adf180aa3e29d5dac075fb673bbc273ae08
Author: Erik Forsberg 
Date:   Sun Aug 19 10:24:44 2018 -0700

Fix ssl/t1_trce.c to parse certificate chains

Fixes #6994

Reviewed-by: Matt Caswell 
Reviewed-by: Tim Hudson 
Reviewed-by: Paul Yang 
(Merged from https://github.com/openssl/openssl/pull/7009)

---

Summary of changes:
 ssl/t1_trce.c | 27 +--
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index b79c776..be3039a 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -885,28 +885,35 @@ static int ssl_print_extensions(BIO *bio, int indent, int 
server,
 
 BIO_indent(bio, indent, 80);
 if (msglen == 0) {
-BIO_puts(bio, "No Extensions\n");
+BIO_puts(bio, "No extensions\n");
 return 1;
 }
 if (msglen < 2)
 return 0;
 extslen = (msg[0] << 8) | msg[1];
-if (extslen != msglen - 2)
-return 0;
+msglen -= 2;
 msg += 2;
-msglen = extslen;
-BIO_printf(bio, "extensions, length = %d\n", (int)msglen);
-while (msglen > 0) {
+if (extslen == 0) {
+BIO_puts(bio, "No extensions\n");
+*msgin = msg;
+*msginlen = msglen;
+return 1;
+}
+if (extslen > msglen)
+return 0;
+BIO_printf(bio, "extensions, length = %d\n", (int)extslen);
+msglen -= extslen;
+while (extslen > 0) {
 int extype;
 size_t extlen;
-if (msglen < 4)
+if (extslen < 4)
 return 0;
 extype = (msg[0] << 8) | msg[1];
 extlen = (msg[2] << 8) | msg[3];
-if (msglen < extlen + 4) {
+if (extslen < extlen + 4) {
 BIO_printf(bio, "extensions, extype = %d, extlen = %d\n", extype,
(int)extlen);
-BIO_dump_indent(bio, (const char *)msg, msglen, indent + 2);
+BIO_dump_indent(bio, (const char *)msg, extslen, indent + 2);
 return 0;
 }
 msg += 4;
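Review bot: `ssl_print_extensions` no longer rejects bytes that follow the extensions block: the removed `extslen != msglen - 2` test is replaced by `extslen > msglen`, and the remainder is handed back through `*msgin` and `*msginlen`. Callers not shown here that relied on this function to fail on trailing data now have to check the returned length themselves, and that contract is not written down in the hunk. A comment above the length check would do, e.g. `/* Only extslen bytes are consumed; leftover bytes are returned via msgin/msginlen for the caller to validate */`. The function starts before the hunk and its tail is in the following hunk.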
@@ -914,7 +921,7 @@ static int ssl_print_extensions(BIO *bio, int indent, int 
server,
  extlen))
 return 0;
 msg += extlen;
-msglen -= extlen + 4;
+extslen -= extlen + 4;
 }
 
 *msgin = msg;


[openssl-commits] [openssl] master update

2018-09-03 Thread yang . yang
The branch master has been updated
   via  354e010757b95d27fb36d364412ee7a5e7111963 (commit)
  from  d6c46adf180aa3e29d5dac075fb673bbc273ae08 (commit)


- Log -
commit 354e010757b95d27fb36d364412ee7a5e7111963
Author: Matt Caswell 
Date:   Thu Aug 23 14:37:01 2018 +0100

Add a note in the docs about sharing PSKs between TLSv1.2 and TLSv1.3

Fixes #6490

Reviewed-by: Tim Hudson 
Reviewed-by: Paul Yang 
(Merged from https://github.com/openssl/openssl/pull/7044)

---

Summary of changes:
 doc/man3/SSL_CTX_set_psk_client_callback.pod |  8 
 doc/man3/SSL_CTX_use_psk_identity_hint.pod   | 10 ++
 2 files changed, 18 insertions(+)

diff --git a/doc/man3/SSL_CTX_set_psk_client_callback.pod 
b/doc/man3/SSL_CTX_set_psk_client_callback.pod
index 6d1a9b5..eb4e4f5 100644
--- a/doc/man3/SSL_CTX_set_psk_client_callback.pod
+++ b/doc/man3/SSL_CTX_set_psk_client_callback.pod
@@ -132,6 +132,14 @@ Note that parameter B given to the callback may be 
B.
 A connection established via a TLSv1.3 PSK will appear as if session resumption
 has occurred so that L will return true.
 
+There are no known security issues with sharing the same PSK between TLSv1.2 
(or
+below) and TLSv1.3. However the RFC has this note of caution:
+
+"While there is no known way in which the same PSK might produce related output
+in both versions, only limited analysis has been done.  Implementations can
+ensure safety from cross-protocol related output by not reusing PSKs between
+TLS 1.3 and TLS 1.2."
+
 =head1 RETURN VALUES
 
 Return values from the B callback are interpreted as
diff --git a/doc/man3/SSL_CTX_use_psk_identity_hint.pod 
b/doc/man3/SSL_CTX_use_psk_identity_hint.pod
index 2b2bc3e..c8f7526 100644
--- a/doc/man3/SSL_CTX_use_psk_identity_hint.pod
+++ b/doc/man3/SSL_CTX_use_psk_identity_hint.pod
@@ -123,6 +123,16 @@ completely.
 The B callback should return 1 on success or 0 on
 failure. In the event of failure the connection setup fails.
 
+=head1 NOTES
+
+There are no known security issues with sharing the same PSK between TLSv1.2 
(or
+below) and TLSv1.3. However the RFC has this note of caution:
+
+"While there is no known way in which the same PSK might produce related output
+in both versions, only limited analysis has been done.  Implementations can
+ensure safety from cross-protocol related output by not reusing PSKs between
+TLS 1.3 and TLS 1.2."
+
 =head1 SEE ALSO
 
 L,


[openssl-commits] [openssl] master update

2018-08-29 Thread yang . yang
The branch master has been updated
   via  67afcfd35b9b429493947594becf4e269bcd1a5b (commit)
   via  c2cb1a18e00fc0a9a44d9a83134e3d3b1bfb7454 (commit)
  from  307a494e5b01ff9f334a8242d31b8254c7c54baa (commit)


- Log -
commit 67afcfd35b9b429493947594becf4e269bcd1a5b
Author: Matt Caswell 
Date:   Mon Aug 27 15:04:28 2018 +0100

Free SSL object on an error path

Thanks to @fangang190 for reporting this

Fixes #7061

Reviewed-by: Paul Yang 
(Merged from https://github.com/openssl/openssl/pull/7065)

commit c2cb1a18e00fc0a9a44d9a83134e3d3b1bfb7454
Author: Matt Caswell 
Date:   Mon Aug 27 14:52:09 2018 +0100

Fix a mem leak on error in the PSK code

Thanks to @fangang190 for reporting this issue.

Fixes #7060

Reviewed-by: Paul Yang 
(Merged from https://github.com/openssl/openssl/pull/7065)

---

Summary of changes:
 apps/s_server.c | 8 ++--
 ssl/s3_lib.c| 1 +
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/apps/s_server.c b/apps/s_server.c
index 94c1826..e3bb1a6 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -2968,8 +2968,10 @@ static int www_body(int s, int stype, int prot, unsigned 
char *context)
 
 if (context != NULL
 && !SSL_set_session_id_context(con, context,
-   strlen((char *)context)))
+   strlen((char *)context))) {
+SSL_free(con);
 goto err;
+}
 
 sbio = BIO_new_socket(s, BIO_NOCLOSE);
 if (s_nbio_test) {
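Review bot: The failure branch added to `www_body` frees `con` and jumps to `err` without reporting why `SSL_set_session_id_context` failed, whereas the matching branch in `rev_body` (third hunk of this file) calls `ERR_print_errors(bio_err);`; adding that call here would keep the two handlers consistent. `con` is also left pointing at freed memory, so `con = NULL;` after `SSL_free(con);` would guard against a later use at the `err` label, which is outside the hunk and cannot be checked from here. The same applies to the OpenSSL_1_1_0-stable backport of this change further down the page.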
@@ -2981,7 +2983,7 @@ static int www_body(int s, int stype, int prot, unsigned 
char *context)
 SSL_set_bio(con, sbio, sbio);
 SSL_set_accept_state(con);
 
-/* SSL_set_fd(con,s); */
+/* No need to free |con| after this. Done by BIO_free(ssl_bio) */
 BIO_set_ssl(ssl_bio, con, BIO_CLOSE);
 BIO_push(io, ssl_bio);
 #ifdef CHARSET_EBCDIC
@@ -3337,6 +3339,7 @@ static int rev_body(int s, int stype, int prot, unsigned 
char *context)
 if (context != NULL
 && !SSL_set_session_id_context(con, context,
strlen((char *)context))) {
+SSL_free(con);
 ERR_print_errors(bio_err);
 goto err;
 }
@@ -3345,6 +3348,7 @@ static int rev_body(int s, int stype, int prot, unsigned 
char *context)
 SSL_set_bio(con, sbio, sbio);
 SSL_set_accept_state(con);
 
+/* No need to free |con| after this. Done by BIO_free(ssl_bio) */
 BIO_set_ssl(ssl_bio, con, BIO_CLOSE);
 BIO_push(io, ssl_bio);
 #ifdef CHARSET_EBCDIC
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 5ecbc3c..7713f76 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4621,6 +4621,7 @@ int ssl_generate_master_secret(SSL *s, unsigned char 
*pms, size_t pmslen,
 if (!s->method->ssl3_enc->generate_master_secret(s,
 s->session->master_key,pskpms, pskpmslen,
 >session->master_key_length)) {
+OPENSSL_clear_free(pskpms, pskpmslen);
 /* SSLfatal() already called */
 goto err;
 }
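Review bot: Releasing `pskpms` is now the duty of each exit branch in `ssl_generate_master_secret`, so another `goto err` added between the allocation and the release would again leave the PSK pre-master secret uncleared on the heap. The allocation and the success-path release are outside the hunk, so this is inferred from the added line only. A comment at the branch, `/* pskpms holds key material: every exit from this block must OPENSSL_clear_free() it */`, would make the rule explicit for the next change to this function.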


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-08-29 Thread yang . yang
The branch OpenSSL_1_1_0-stable has been updated
   via  521637702fa7bee89cb598fe9b1ba7ff0f60 (commit)
  from  73bebc17a14da5278b01416b39e5c28a7d0c1861 (commit)


- Log -
commit 521637702fa7bee89cb598fe9b1ba7ff0f60
Author: Matt Caswell 
Date:   Mon Aug 27 15:04:28 2018 +0100

Free SSL object on an error path

Thanks to @fangang190 for reporting this

Fixes #7061

Reviewed-by: Paul Yang 
(Merged from https://github.com/openssl/openssl/pull/7065)

---

Summary of changes:
 apps/s_server.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/apps/s_server.c b/apps/s_server.c
index e8aa323..8629833 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -2660,8 +2660,10 @@ static int www_body(int s, int stype, unsigned char 
*context)
 
 if (context
 && !SSL_set_session_id_context(con, context,
-   strlen((char *)context)))
+   strlen((char *)context))) {
+SSL_free(con);
 goto err;
+}
 
 sbio = BIO_new_socket(s, BIO_NOCLOSE);
 if (s_nbio_test) {
@@ -2673,7 +2675,7 @@ static int www_body(int s, int stype, unsigned char 
*context)
 SSL_set_bio(con, sbio, sbio);
 SSL_set_accept_state(con);
 
-/* SSL_set_fd(con,s); */
+/* No need to free |con| after this. Done by BIO_free(ssl_bio) */
 BIO_set_ssl(ssl_bio, con, BIO_CLOSE);
 BIO_push(io, ssl_bio);
 #ifdef CHARSET_EBCDIC
@@ -3030,6 +3032,7 @@ static int rev_body(int s, int stype, unsigned char 
*context)
 if (context
 && !SSL_set_session_id_context(con, context,
strlen((char *)context))) {
+SSL_free(con);
 ERR_print_errors(bio_err);
 goto err;
 }
@@ -3038,6 +3041,7 @@ static int rev_body(int s, int stype, unsigned char 
*context)
 SSL_set_bio(con, sbio, sbio);
 SSL_set_accept_state(con);
 
+/* No need to free |con| after this. Done by BIO_free(ssl_bio) */
 BIO_set_ssl(ssl_bio, con, BIO_CLOSE);
 BIO_push(io, ssl_bio);
 #ifdef CHARSET_EBCDIC


[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

2018-08-27 Thread yang . yang
The branch OpenSSL_1_0_2-stable has been updated
   via  19096672b48b3282bb9f11c4adadbcdd545f54a3 (commit)
  from  9804228a4313fcdff1cface0f87ce8b8ed180259 (commit)


- Log -
commit 19096672b48b3282bb9f11c4adadbcdd545f54a3
Author: Hubert Kario 
Date:   Mon Aug 27 21:21:18 2018 +0800

document the -no_ecdhe option in s_server man page

the option is provided in the -help message of the s_server utility
but it is not documented in the man page, this fixes it

Reviewed-by: Nicola Tuveri 
Reviewed-by: Tim Hudson 
Reviewed-by: Paul Yang 
(Merged from https://github.com/openssl/openssl/pull/7046)

---

Summary of changes:
 doc/apps/s_server.pod | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index 9916fc3..84777ee 100644
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -49,6 +49,7 @@ B B
 [B<-no_ssl3>]
 [B<-no_tls1>]
 [B<-no_dhe>]
+[B<-no_ecdhe>]
 [B<-bugs>]
 [B<-hack>]
 [B<-www>]
@@ -144,6 +145,11 @@ a static set of parameters hard coded into the s_server 
program will be used.
 if this option is set then no DH parameters will be loaded effectively
 disabling the ephemeral DH cipher suites.
 
+=item B<-no_ecdhe>
+
+if this option is set then no ECDH parameters will be selected, effectively
+disabling the ephemeral ECDH cipher suites.
+
 =item B<-no_tmp_rsa>
 
 certain export cipher suites sometimes use a temporary RSA key, this option


[openssl-commits] [openssl] master update

2018-08-24 Thread yang . yang
The branch master has been updated
   via  21ebd2fc3fc00d7871ad00f52daffde4039da665 (commit)
  from  c87af534e6387dda5b81c762c83b19d014f156b2 (commit)


- Log -
commit 21ebd2fc3fc00d7871ad00f52daffde4039da665
Author: Paul Yang 
Date:   Fri Aug 24 20:38:04 2018 +0800

Add semicolon at the end of the function prototypes

Reviewed-by: Matt Caswell 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/7041)

---

Summary of changes:
 doc/man3/EVP_sm3.pod |  4 ++--
 doc/man3/EVP_sm4_cbc.pod | 12 ++--
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/doc/man3/EVP_sm3.pod b/doc/man3/EVP_sm3.pod
index a68fe66..50ec429 100644
--- a/doc/man3/EVP_sm3.pod
+++ b/doc/man3/EVP_sm3.pod
@@ -9,7 +9,7 @@ EVP_sm3
 
  #include 
 
- const EVP_MD *EVP_sm3(void)
+ const EVP_MD *EVP_sm3(void);
 
 =head1 DESCRIPTION
 
@@ -42,7 +42,7 @@ L
 
 =head1 COPYRIGHT
 
-Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
 Copyright 2017 Ribose Inc. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
diff --git a/doc/man3/EVP_sm4_cbc.pod b/doc/man3/EVP_sm4_cbc.pod
index 38abfad..4e02409 100644
--- a/doc/man3/EVP_sm4_cbc.pod
+++ b/doc/man3/EVP_sm4_cbc.pod
@@ -13,11 +13,11 @@ EVP_sm4_ctr
 
  #include 
 
- const EVP_CIPHER *EVP_sm4_cbc(void)
- const EVP_CIPHER *EVP_sm4_ecb(void)
- const EVP_CIPHER *EVP_sm4_cfb(void)
- const EVP_CIPHER *EVP_sm4_ofb(void)
- const EVP_CIPHER *EVP_sm4_ctr(void)
+ const EVP_CIPHER *EVP_sm4_cbc(void);
+ const EVP_CIPHER *EVP_sm4_ecb(void);
+ const EVP_CIPHER *EVP_sm4_cfb(void);
+ const EVP_CIPHER *EVP_sm4_ofb(void);
+ const EVP_CIPHER *EVP_sm4_ctr(void);
 
 =head1 DESCRIPTION
 
@@ -52,7 +52,7 @@ L
 
 =head1 COPYRIGHT
 
-Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
 Copyright 2017 Ribose Inc. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use