[openssl-commits] [openssl] master update
The branch master has been updated via fa1f03061037cbdac5369849a885c1191a2550d9 (commit) from 48fe4ce104df060dd5d2b4188a56eb554d94d819 (commit) - Log - commit fa1f03061037cbdac5369849a885c1191a2550d9 Author: David Asraf Date: Thu Feb 7 11:51:39 2019 +0200 Add EC_GROUP_get0_field New function to return internal pointer for field. Reviewed-by: Nicola Tuveri Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8195) --- Summary of changes: crypto/ec/ec_lib.c | 5 + doc/man3/EC_GROUP_copy.pod | 5 - include/openssl/ec.h | 6 ++ test/ectest.c | 38 ++ util/libcrypto.num | 1 + 5 files changed, 54 insertions(+), 1 deletion(-) diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index c14d1a1..2623b53 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -364,6 +364,11 @@ int EC_GROUP_get_curve_name(const EC_GROUP *group) return group->curve_name; } +const BIGNUM *EC_GROUP_get0_field(const EC_GROUP *group) +{ +return group->field; +} + void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag) { group->asn1_flag = flag; diff --git a/doc/man3/EC_GROUP_copy.pod b/doc/man3/EC_GROUP_copy.pod index 453825a..3f7108d 100644 --- a/doc/man3/EC_GROUP_copy.pod +++ b/doc/man3/EC_GROUP_copy.pod @@ -11,7 +11,7 @@ EC_GROUP_get_point_conversion_form, EC_GROUP_get0_seed, EC_GROUP_get_seed_len, EC_GROUP_set_seed, EC_GROUP_get_degree, EC_GROUP_check, EC_GROUP_check_discriminant, EC_GROUP_cmp, EC_GROUP_get_basis_type, EC_GROUP_get_trinomial_basis, -EC_GROUP_get_pentanomial_basis +EC_GROUP_get_pentanomial_basis, EC_GROUP_get0_field - Functions for manipulating EC_GROUP objects =head1 SYNOPSIS 
@@ -32,6 +32,7 @@ EC_GROUP_get_pentanomial_basis int EC_GROUP_order_bits(const EC_GROUP *group); int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx); const BIGNUM *EC_GROUP_get0_cofactor(const EC_GROUP *group); + const BIGNUM *EC_GROUP_get0_field(const EC_GROUP *group); void EC_GROUP_set_curve_name(EC_GROUP *group, int nid); int EC_GROUP_get_curve_name(const EC_GROUP *group); @@ -177,6 +178,8 @@ specified curve respectively. If there is no curve name associated with a curve EC_GROUP_get0_order() returns an internal pointer to the group order. EC_GROUP_order_bits() returns the number of bits in the group order. EC_GROUP_get0_cofactor() returns an internal pointer to the group cofactor. +EC_GROUP_get0_field() returns an internal pointer to the group field. For curves over GF(p), this is the modulus; for curves +over GF(2^m), this is the irreducible polynomial defining the field. EC_GROUP_get0_seed returns a pointer to the seed that was used to generate the parameter b, or NULL if the seed is not specified. EC_GROUP_get_seed_len returns the length of the seed or 0 if the seed is not specified. diff --git a/include/openssl/ec.h b/include/openssl/ec.h index 4afaad4..7c15368 100644 --- a/include/openssl/ec.h +++ b/include/openssl/ec.h @@ -212,6 +212,12 @@ void EC_GROUP_set_curve_name(EC_GROUP *group, int nid); */ int EC_GROUP_get_curve_name(const EC_GROUP *group); +/** Gets the field of an EC_GROUP + * \param group EC_GROUP object + * \return the group field + */ +const BIGNUM *EC_GROUP_get0_field(const EC_GROUP *group); + void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag); int EC_GROUP_get_asn1_flag(const EC_GROUP *group); diff --git a/test/ectest.c b/test/ectest.c index cdfaeb6..0f42597 100644 --- a/test/ectest.c +++ b/test/ectest.c 
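Review bot: The new Doxygen comment for `EC_GROUP_get0_field` in include/openssl/ec.h says only `\return the group field`, which leaves out the ownership contract that the `get0` name implies. The ec_lib.c hunk returns `group->field` directly, so the caller receives a pointer into the group object rather than a copy. I would state that in the header, e.g. `\return internal pointer to the group field; owned by \c group, must not be freed or modified, valid only while \c group exists`. The getter also dereferences `group` without a NULL check, which matches the neighbouring `EC_GROUP_get_curve_name` but means callers have to check the group themselves.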
@@ -1159,6 +1159,43 @@ static int internal_curve_test_method(int n) return r; } +static int group_field_test(void) +{ +int r = 1; +BIGNUM *secp521r1_field = NULL; +BIGNUM *sect163r2_field = NULL; +EC_GROUP *secp521r1_group = NULL; +EC_GROUP *sect163r2_group = NULL; + +BN_hex2bn(_field, +"01FF" +"" +"" +"" +""); + + +BN_hex2bn(_field, +"0800" +"C9"); + +secp521r1_group = EC_GROUP_new_by_curve_name(NID_secp521r1); +if (BN_cmp(secp521r1_field, EC_GROUP_get0_field(secp521r1_group))) + r = 0; + +# ifndef OPENSSL_NO_EC2M +sect163r2_group = EC_GROUP_new_by_curve_name(NID_sect163r2); +if (BN_cmp(sect163r2_field, EC_GROUP_get0_field(sect163r2_group))) + r = 0; +# endif + +EC_GROUP_free(secp521r1_group); +EC_GROUP_free(sect163r2_group); +BN_free(secp521r1_field); +BN_free(sect163r2_field); +return r; +} + # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 /* * nistp_test_params
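Review bot: In `group_field_test` none of the setup calls are checked: the two `BN_hex2bn` results and both `EC_GROUP_new_by_curve_name` results are passed straight into `BN_cmp(..., EC_GROUP_get0_field(...))`. Because `EC_GROUP_get0_field` returns `group->field` with no NULL check, a failed curve lookup would crash the test on a NULL dereference instead of reporting a failure. Guard each comparison with the test macros, e.g. `if (!TEST_ptr(secp521r1_group) || !TEST_BN_eq(secp521r1_field, EC_GROUP_get0_field(secp521r1_group))) r = 0;`, and do the same for the sect163r2 pair inside the `OPENSSL_NO_EC2M` guard.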
[openssl-commits] [openssl] master update
The branch master has been updated via 48fe4ce104df060dd5d2b4188a56eb554d94d819 (commit) from 088dfa133561d7613b9391a56ddbce58f32c934a (commit) - Log - commit 48fe4ce104df060dd5d2b4188a56eb554d94d819 Author: Richard Levitte Date: Fri Feb 15 08:06:36 2019 +0100 Mark generated functions unused (applies to safestack, lhash, sparse_array) safestack.h, lhash.h and sparse_array.h all define macros to generate a full API for the containers as static inline functions. This potentially generates unused code, which some compilers may complain about. We therefore need to mark those generated functions as unused, so the compiler knows that we know, and stops complaining about it. Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/8246) --- Summary of changes: crypto/include/internal/sparse_array.h | 25 +- include/openssl/e_os2.h| 7 + include/openssl/lhash.h| 28 ++-- include/openssl/safestack.h| 48 +- 4 files changed, 58 insertions(+), 50 deletions(-) diff --git a/crypto/include/internal/sparse_array.h b/crypto/include/internal/sparse_array.h index 839fced..648e41a 100644 --- a/crypto/include/internal/sparse_array.h +++ b/crypto/include/internal/sparse_array.h @@ -11,6 +11,8 @@ #ifndef HEADER_SPARSE_ARRAY_H # define HEADER_SPARSE_ARRAY_H +# include + # ifdef __cplusplus extern "C" { # endif 
@@ -19,43 +21,42 @@ extern "C" { # define DEFINE_SPARSE_ARRAY_OF(type) \ SPARSE_ARRAY_OF(type); \ -static ossl_inline SPARSE_ARRAY_OF(type) * \ +static ossl_unused ossl_inline SPARSE_ARRAY_OF(type) * \ ossl_sa_##type##_new(void) \ { \ return (SPARSE_ARRAY_OF(type) *)OPENSSL_SA_new(); \ } \ -static ossl_inline void ossl_sa_##type##_free(SPARSE_ARRAY_OF(type) *sa) \ +static ossl_unused ossl_inline void ossl_sa_##type##_free(SPARSE_ARRAY_OF(type) *sa) \ { \ OPENSSL_SA_free((OPENSSL_SA *)sa); \ } \ -static ossl_inline void ossl_sa_##type##_free_leaves(SPARSE_ARRAY_OF(type) *sa) \ +static ossl_unused ossl_inline void ossl_sa_##type##_free_leaves(SPARSE_ARRAY_OF(type) *sa) \ { \ OPENSSL_SA_free_leaves((OPENSSL_SA *)sa); \ } \ -static ossl_inline size_t ossl_sa_##type##_num(const SPARSE_ARRAY_OF(type) *sa) \ +static ossl_unused ossl_inline size_t ossl_sa_##type##_num(const SPARSE_ARRAY_OF(type) *sa) \ { \ return OPENSSL_SA_num((OPENSSL_SA *)sa); \ } \ -static ossl_inline void ossl_sa_##type##_doall(const SPARSE_ARRAY_OF(type) *sa, \ +static ossl_unused ossl_inline void ossl_sa_##type##_doall(const SPARSE_ARRAY_OF(type) *sa, \ void (*leaf)(size_t, type *)) \ { \ OPENSSL_SA_doall((OPENSSL_SA *)sa, (void (*)(size_t, void *))leaf); \ } \ -static ossl_inline void ossl_sa_##type##_doall_arg(const SPARSE_ARRAY_OF(type) *sa, \ - void (*leaf)(size_t, \ -type *, \ - void *),\ - void *arg) \ +static ossl_unused ossl_inline \ +void ossl_sa_##type##_doall_arg(const SPARSE_ARRAY_OF(type) *sa, \ +void (*leaf)(size_t, type *, void *), \ +void *arg) \ { \ OPENSSL_SA_doall_arg((OPENSSL_SA *)sa, (void (*)(size_t, void *, void *))leaf, \ arg); \ } \ -static ossl_inline type *ossl_sa_##type##_get(const SPARSE_ARRAY_OF(type) *sa, \ +static ossl_unused ossl_inline type *ossl_sa_##type##_get(const SPARSE_ARRAY_OF(type) *sa, \ size_t n) \ { \ return (type *)OPENSSL_SA_get((OPENSSL_SA *)sa, n); \ } \ -static ossl_inline int ossl_sa_##type##_set(SPARSE_ARRAY_OF(type) *sa, \ +static ossl_unused 
ossl_inline int ossl_sa_##type##_set(SPARSE_ARRAY_OF(type) *sa, \ size_t n, type *val) \ { \ return OPENSSL_SA_set((OPENSSL_SA *)sa, n, (void *)val); \ diff --git a/include/openssl/e_os2.h b/include/openssl/e_os2.h index 002cea3..b88abc1 100644 --- a/include/openssl/e_os2.h +++ b/include/openssl/e_os2.h @@ -287,6 +287,13 @@ typedef unsigned __int64 uint64_t; # define ossl_noreturn # endif +/* ossl_unused: portable unused attribute for use in public headers */ +# if defined(__GNUC__) +# define ossl_unused __attribute__((unused)) +# else +# define ossl_unused +# endif + #ifdef
[openssl-commits] [openssl] master update
The branch master has been updated via 088dfa133561d7613b9391a56ddbce58f32c934a (commit) from 9fc8f18f59f4a4c853466dca64a23b8af681bf1c (commit) - Log - commit 088dfa133561d7613b9391a56ddbce58f32c934a Author: Todd Short Date: Mon Jul 10 13:28:35 2017 -0400 Add option to disable Extended Master Secret Add SSL_OP64_NO_EXTENDED_MASTER_SECRET, that can be set on either an SSL or an SSL_CTX. When processing a ClientHello, if this flag is set, do not indicate that the EMS TLS extension was received in either the ssl3 object or the SSL_SESSION. Retain most of the sanity checks between the previous and current session during session resumption, but weaken the check when the current SSL object is configured to not use EMS. Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/3910) --- Summary of changes: doc/man3/SSL_CONF_cmd.pod | 4 + doc/man3/SSL_CTX_set_options.pod | 12 +- include/openssl/ssl.h | 21 ++- ssl/ssl_conf.c | 3 +- ssl/statem/extensions.c| 3 +- ssl/statem/extensions_clnt.c | 5 + ssl/statem/extensions_srvr.c | 3 + test/recipes/80-test_ssl_new.t | 3 +- test/ssl-tests/16-certstatus.conf | 0 test/ssl-tests/30-extended-master-secret.conf | 203 + ...t.conf.in => 30-extended-master-secret.conf.in} | 58 -- test/sslapitest.c | 46 + 12 files changed, 328 insertions(+), 33 deletions(-) delete mode 100644 test/ssl-tests/16-certstatus.conf create mode 100644 test/ssl-tests/30-extended-master-secret.conf copy test/ssl-tests/{19-mac-then-encrypt.conf.in => 30-extended-master-secret.conf.in} (56%) diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index 0a51e9e..b8c2a35 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod 
@@ -486,6 +486,10 @@ specification. Some applications may be able to mitigate the replay risks in other ways and in such cases the built-in OpenSSL functionality is not required. Disabling anti-replay is equivalent to setting B. +B: use extended master secret extension, enabled by +default. Inverse of B: that is, +B<-ExtendedMasterSecret> is the same as setting B. + =item B The B argument is a comma separated list of flags to set. diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod index 63d3aae..7626bd3 100644 --- a/doc/man3/SSL_CTX_set_options.pod +++ b/doc/man3/SSL_CTX_set_options.pod @@ -198,6 +198,14 @@ RFC7366 Encrypt-then-MAC option on TLS and DTLS connection. If this option is set, Encrypt-then-MAC is disabled. Clients will not propose, and servers will not accept the extension. +=item SSL_OP_NO_EXTENDED_MASTER_SECRET + +Normally clients and servers will transparently attempt to negotiate the +RFC7627 Extended Master Secret option on TLS and DTLS connection. + +If this option is set, Extended Master Secret is disabled. Clients will +not propose, and servers will not accept the extension. + =item SSL_OP_NO_RENEGOTIATION Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest @@ -366,9 +374,11 @@ OpenSSL 0.9.8m. The B and B options were added in OpenSSL 1.1.1. +The B option was added in OpenSSL 3.0.0. + =head1 COPYRIGHT -Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 35311ac..9d6e1c5 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h 
@@ -297,23 +297,26 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx); typedef int (*SSL_async_callback_fn)(SSL *s, void *arg); /* - * Some values are reserved until OpenSSL 1.2.0 because they were previously + * Some values are reserved until OpenSSL 3.0.0 because they were previously * included in SSL_OP_ALL in a 1.1.x release. - * - * Reserved value (until OpenSSL 1.2.0) 0x0001U - * Reserved value (until OpenSSL 1.2.0) 0x0002U */ + +/* Disable Extended master secret */ +# define SSL_OP_NO_EXTENDED_MASTER_SECRET0x0001U + +/* Reserved value (until OpenSSL 3.0.0) 0x0002U */ + /* Allow initial connection to servers that don't support RI */ # define SSL_OP_LEGACY_SERVER_CONNECT0x0004U -/* Reserved value (until OpenSSL 1.2.0)
[openssl-commits] [openssl] master update
The branch master has been updated via 9fc8f18f59f4a4c853466dca64a23b8af681bf1c (commit) from 0cf5c6a9a06b58a85d93aafefbc07039773b5b43 (commit) - Log - commit 9fc8f18f59f4a4c853466dca64a23b8af681bf1c Author: Matt Caswell Date: Thu Feb 14 12:21:20 2019 + Use order not degree to calculate a buffer size in ecdsatest Otherwise this can result in an incorrect calculation of the maximum encoded integer length, meaning an insufficient buffer size is allocated. Thanks to Billy Brumley for helping to track this down. Fixes #8209 Reviewed-by: Nicola Tuveri Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8237) --- Summary of changes: test/ecdsatest.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/ecdsatest.c b/test/ecdsatest.c index 004f39e..bc3adc0 100644 --- a/test/ecdsatest.c +++ b/test/ecdsatest.c @@ -223,7 +223,7 @@ static int test_builtin(void) const BIGNUM *sig_r, *sig_s; BIGNUM *modified_r = NULL, *modified_s = NULL; BIGNUM *unmodified_r = NULL, *unmodified_s = NULL; -unsigned int sig_len, degree, r_len, s_len, bn_len, buf_len; +unsigned int sig_len, order, r_len, s_len, bn_len, buf_len; int nid, ret = 0; /* fill digest values with some random data */ @@ -251,7 +251,7 @@ static int test_builtin(void) || !TEST_true(EC_KEY_set_group(eckey, group))) goto builtin_err; EC_GROUP_free(group); -degree = EC_GROUP_get_degree(EC_KEY_get0_group(eckey)); +order = EC_GROUP_order_bits(EC_KEY_get0_group(eckey)); TEST_info("testing %s", OBJ_nid2sn(nid)); @@ -316,7 +316,7 @@ static int test_builtin(void) /* Store the two BIGNUMs in raw_buf. */ r_len = BN_num_bytes(sig_r); s_len = BN_num_bytes(sig_s); -bn_len = (degree + 7) / 8; +bn_len = (order + 7) / 8; if (!TEST_false(r_len > bn_len) || !TEST_false(s_len > bn_len)) goto builtin_err; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
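Review bot: The renamed variable `order` in `test_builtin` holds the bit length returned by `EC_GROUP_order_bits`, not the group order, so `bn_len = (order + 7) / 8` reads as if it divided the order itself. Since this value bounds the encoded integer length that the buffer is sized from, I would name it for what it is: `order_bits = EC_GROUP_order_bits(EC_KEY_get0_group(eckey));` and `bn_len = (order_bits + 7) / 8;`. The `int` result is stored in an `unsigned int`; if it were ever 0 the following `r_len > bn_len` checks would fail the test, which is worth a short comment. The body of `test_builtin` extends beyond these hunks.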
[openssl-commits] [openssl] master update
The branch master has been updated via 0cf5c6a9a06b58a85d93aafefbc07039773b5b43 (commit) from fcee53948b7f9a5951d42f4ee321e706ea6b4b84 (commit) - Log - commit 0cf5c6a9a06b58a85d93aafefbc07039773b5b43 Author: Matt Caswell Date: Thu Feb 14 15:22:59 2019 + Fix no-stdio Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8238) --- Summary of changes: include/openssl/kdf.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h index 0f39a14..663ba90 100644 --- a/include/openssl/kdf.h +++ b/include/openssl/kdf.h @@ -10,6 +10,8 @@ #ifndef HEADER_KDF_H # define HEADER_KDF_H +# include +# include # include # include # ifdef __cplusplus _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via fcee53948b7f9a5951d42f4ee321e706ea6b4b84 (commit) from 78021171dbcb05ddab1b5daffbfc62504ea709a4 (commit) - Log - commit fcee53948b7f9a5951d42f4ee321e706ea6b4b84 Author: Richard Levitte Date: Thu Feb 14 16:26:40 2019 +0100 Configure: make --strict-warnings a regular user provided compiler option This makes `--strict-warnings` into a compiler pseudo-option, i.e. it gets treated the same way as any other compiler option given on the configuration command line, but is retroactively replaced by actual compiler warning options, depending on what compiler is used. This makes it easier to see in what order options are given to the compiler from the configuration command line, i.e. this: ./config -Wall --strict-warnings would give the compiler flags in the same order as they're given, i.e.: -Wall -Werror -Wno-whatever ... instead of what we got previously: -Werror -Wno-whatever ... -Wall Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8239) --- Summary of changes: Configure | 36 1 file changed, 16 insertions(+), 20 deletions(-) diff --git a/Configure b/Configure index 0f5807c..03053bc 100755 --- a/Configure +++ b/Configure @@ -752,7 +752,11 @@ while (@argvcopy) } elsif (/^--strict-warnings$/) { - $strict_warnings = 1; + # Pretend that our strict flags is a C flag, and replace it + # with the proper flags later on + push @{$useradd{CFLAGS}}, '--ossl-strict-warnings'; + push @{$useradd{CXXFLAGS}}, '--ossl-strict-warnings'; + $strict_warnings=1; } elsif (/^--debug$/) { @@ -1503,6 +1507,7 @@ $config{openssl_api_defines} = [ "OPENSSL_MIN_API=".($apitable->{$config{api} // ""} // -1) ]; +my @strict_warnings_collection=(); if ($strict_warnings) { my $wopt; 
@@ -1510,26 +1515,17 @@ if ($strict_warnings) die "ERROR --strict-warnings requires gcc[>=4] or gcc-alike" unless $gccver >= 4; - foreach $wopt (split /\s+/, $gcc_devteam_warn) - { - push @{$config{cflags}}, $wopt - unless grep { $_ eq $wopt } @{$config{cflags}}; - push @{$config{cxxflags}}, $wopt - if ($config{CXX} - && !grep { $_ eq $wopt } @{$config{cxxflags}}); - } - if (defined($predefined{__clang__})) - { - foreach $wopt (split /\s+/, $clang_devteam_warn) - { - push @{$config{cflags}}, $wopt - unless grep { $_ eq $wopt } @{$config{cflags}}; - push @{$config{cxxflags}}, $wopt - if ($config{CXX} - && !grep { $_ eq $wopt } @{$config{cxxflags}}); - } - } + push @strict_warnings_collection, (split /\s+/, $gcc_devteam_warn); + push @strict_warnings_collection, (split /\s+/, $clang_devteam_warn) + if (defined($predefined{__clang__})); } +foreach (qw(CFLAGS CXXFLAGS)) +{ +$useradd{$_} = [ map { $_ eq '--ossl-strict-warnings' + ? @strict_warnings_collection + : ( $_ ) } +@{$useradd{$_}} ]; +} unless ($disabled{"crypto-mdebug-backtrace"}) { _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
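Review bot: The new replacement loop uses `$_` for two different things: the outer `foreach (qw(CFLAGS CXXFLAGS))` key and, inside the `map` block, the individual flag, so `$useradd{$_}` and `$_ eq '--ossl-strict-warnings'` on adjacent lines refer to different values. It works because `map` localises `$_`, but a named loop variable makes that visible: `foreach my $var (qw(CFLAGS CXXFLAGS))` with `$useradd{$var}` on both sides of the assignment. Within the visible lines `my $wopt;` has no remaining user after the two `foreach $wopt` loops were removed, so it can probably be dropped. The strict flags are now also substituted into CXXFLAGS without the earlier `$config{CXX}` guard and without the duplicate filtering the removed loops did; if that is intended, a one-line comment saying so would help.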
[openssl-commits] [openssl] master update
The branch master has been updated via 78021171dbcb05ddab1b5daffbfc62504ea709a4 (commit) from 4af5836b55442f31795eff6c8c81ea7a1b8cf94b (commit) - Log - commit 78021171dbcb05ddab1b5daffbfc62504ea709a4 Author: Matt Caswell Date: Thu Jan 24 12:21:39 2019 + Fix -verify_return_error in s_client The "verify_return_error" option in s_client is documented as: Return verification errors instead of continuing. This will typically abort the handshake with a fatal error. In practice this option was ignored unless also accompanied with the "-verify" option. It's unclear what the original intention was. One fix could have been to change the documentation to match the actual behaviour. However it seems unecessarily complex and unexpected that you should need to have both options. Instead the fix implemented here is make the option match the documentation so that "-verify" is not also required. Note that s_server has a similar option where "-verify" (or "-Verify") is still required. This makes more sense because those options additionally request a certificate from the client. Without a certificate there is no possibility of a verification failing, and so "-verify_return_error" doing nothing seems ok. Fixes #8079 Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/8080) --- Summary of changes: apps/s_cb.c | 4 ++-- apps/s_client.c | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/apps/s_cb.c b/apps/s_cb.c index af57c34..705550b 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -24,7 +24,7 @@ #define COOKIE_SECRET_LENGTH16 -VERIFY_CB_ARGS verify_args = { 0, 0, X509_V_OK, 0 }; +VERIFY_CB_ARGS verify_args = { -1, 0, X509_V_OK, 0 }; #ifndef OPENSSL_NO_SOCK static unsigned char cookie_secret[COOKIE_SECRET_LENGTH]; 
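Review bot: The initializer `{ -1, 0, X509_V_OK, 0 }` for `verify_args` introduces a sentinel in a positional aggregate, with nothing saying which field it belongs to or what a negative value means. From the `verify_callback` hunk the field is `depth`, and a negative value makes the depth test pass for every certificate in the chain. A comment on the definition would keep a later edit from resetting it to 0, e.g. `/* depth == -1: no verify depth configured; see verify_callback() */`.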
@@ -63,7 +63,7 @@ int verify_callback(int ok, X509_STORE_CTX *ctx) if (!ok) { BIO_printf(bio_err, "verify error:num=%d:%s\n", err, X509_verify_cert_error_string(err)); -if (verify_args.depth >= depth) { +if (verify_args.depth < 0 || verify_args.depth >= depth) { if (!verify_args.return_error) ok = 1; verify_args.error = err; diff --git a/apps/s_client.c b/apps/s_client.c index 2a8313d..a30dff4 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -1138,6 +1138,7 @@ int s_client_main(int argc, char **argv) goto opthelp; break; case OPT_VERIFY_RET_ERROR: +verify = SSL_VERIFY_PEER; verify_args.return_error = 1; break; case OPT_VERIFY_QUIET: _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
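Review bot: With `verify_args.depth < 0 ||` added, `verify_callback` takes the `ok = 1` path for a verification error at any chain depth whenever `return_error` is unset, where before only depths up to `verify_args.depth` did. That is a reasonable default for a diagnostic tool, but it is now reached through a sentinel, so the condition should carry a why-comment such as `/* depth < 0 means no depth limit was configured */`. In the s_client.c hunk `verify = SSL_VERIFY_PEER;` is assigned unconditionally under `OPT_VERIFY_RET_ERROR`; whether an earlier option can set other verify flags that this would overwrite has to be checked against the rest of `s_client_main`, which lies outside the hunk.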
[openssl-commits] [openssl] master update
The branch master has been updated via 4af5836b55442f31795eff6c8c81ea7a1b8cf94b (commit) from 3c83c5ba4f6502c708b7a5f55c98a10e312668da (commit) - Log - commit 4af5836b55442f31795eff6c8c81ea7a1b8cf94b Author: Matt Caswell Date: Sun Jan 27 11:00:16 2019 + Don't signal SSL_CB_HANDSHAKE_START for TLSv1.3 post-handshake messages The original 1.1.1 design was to use SSL_CB_HANDSHAKE_START and SSL_CB_HANDSHAKE_DONE to signal start/end of a post-handshake message exchange in TLSv1.3. Unfortunately experience has shown that this confuses some applications who mistake it for a TLSv1.2 renegotiation. This means that KeyUpdate messages are not handled properly. This commit removes the use of SSL_CB_HANDSHAKE_START and SSL_CB_HANDSHAKE_DONE to signal the start/end of a post-handshake message exchange. Individual post-handshake messages are still signalled in the normal way. This is a potentially breaking change if there are any applications already written that expect to see these TLSv1.3 events. However, without it, KeyUpdate is not currently usable for many applications. Fixes #8069 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8096) --- Summary of changes: CHANGES| 13 + doc/man3/SSL_CTX_set_info_callback.pod | 14 -- ssl/statem/statem.c| 6 +++-- ssl/statem/statem_lib.c| 11 +--- ssl/statem/statem_srvr.c | 19 - test/sslapitest.c | 49 +++--- 6 files changed, 51 insertions(+), 61 deletions(-) diff --git a/CHANGES b/CHANGES index d9a2e1b..2fbe89f 100644 --- a/CHANGES +++ b/CHANGES 
@@ -119,6 +119,19 @@ applications with zero-copy system calls such as sendfile and splice. [Boris Pismenny] + Changes between 1.1.1a and 1.1.1b [xx XXX ] + + *) Change the info callback signals for the start and end of a post-handshake + message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START + and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get + confused by this and assume that a TLSv1.2 renegotiation has started. This + can break KeyUpdate handling. Instead we no longer signal the start and end + of a post handshake message exchange (although the messages themselves are + still signalled). This could break some applications that were expecting + the old signals. However without this KeyUpdate is not usable for many + applications. + [Matt Caswell] + Changes between 1.1.1 and 1.1.1a [20 Nov 2018] *) Timing vulnerability in DSA signature generation diff --git a/doc/man3/SSL_CTX_set_info_callback.pod b/doc/man3/SSL_CTX_set_info_callback.pod index cb8f996..3248e10 100644 --- a/doc/man3/SSL_CTX_set_info_callback.pod +++ b/doc/man3/SSL_CTX_set_info_callback.pod 
@@ -92,17 +92,13 @@ Callback has been called due to an alert being sent or received. =item SSL_CB_HANDSHAKE_START -Callback has been called because a new handshake is started. In TLSv1.3 this is -also used for the start of post-handshake message exchanges such as for the -exchange of session tickets, or for key updates. It also occurs when resuming a -handshake following a pause to handle early data. +Callback has been called because a new handshake is started. It also occurs when +resuming a handshake following a pause to handle early data. -=item SSL_CB_HANDSHAKE_DONE 0x20 +=item SSL_CB_HANDSHAKE_DONE -Callback has been called because a handshake is finished. In TLSv1.3 this is -also used at the end of an exchange of post-handshake messages such as for -session tickets or key updates. It also occurs if the handshake is paused to -allow the exchange of early data. +Callback has been called because a handshake is finished. It also occurs if the +handshake is paused to allow the exchange of early data. =back diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c index ebe471b..24c7e94 100644 --- a/ssl/statem/statem.c +++ b/ssl/statem/statem.c @@ -342,8 +342,10 @@ static int state_machine(SSL *s, int server) } s->server = server; -if (cb != NULL) -cb(s, SSL_CB_HANDSHAKE_START, 1); +if (cb != NULL) { +if (SSL_IS_FIRST_HANDSHAKE(s) || !SSL_IS_TLS13(s)) +cb(s, SSL_CB_HANDSHAKE_START, 1); +} /* * Fatal errors in this block don't send an alert because we have diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 2f78a3f..8a7ada8 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -1030,6 +1030,7 @@ unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
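Review bot: The new guard in `state_machine` suppresses `SSL_CB_HANDSHAKE_START` for TLSv1.3 once the first handshake is over, but the code carries no comment saying why, and the condition is easy to misread as a plain version check. Applications use this callback to detect renegotiation, so the reason should sit next to the test: `/* TLSv1.3 post-handshake messages (e.g. KeyUpdate) are not a new handshake; do not signal START */`. The two nested `if`s can also be written as one, `if (cb != NULL && (SSL_IS_FIRST_HANDSHAKE(s) || !SSL_IS_TLS13(s)))`. The matching `SSL_CB_HANDSHAKE_DONE` change is not visible here because the statem_lib.c hunk is cut off, so I cannot confirm the two conditions agree.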
[openssl-commits] [openssl] master update
The branch master has been updated via 3c83c5ba4f6502c708b7a5f55c98a10e312668da (commit) from f11ffa505f8a9345145a26a05bf77b012b6941bd (commit) - Log - commit 3c83c5ba4f6502c708b7a5f55c98a10e312668da Author: Sam Roberts Date: Mon Nov 26 13:58:52 2018 -0800 Ignore cipher suites when setting cipher list set_cipher_list() sets TLSv1.2 (and below) ciphers, and its success or failure should not depend on whether set_ciphersuites() has been used to setup TLSv1.3 ciphers. Reviewed-by: Paul Dale Reviewed-by: Ben Kaduk Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7759) --- Summary of changes: ssl/ssl_lib.c | 24 ++-- test/cipherlist_test.c | 35 ++ test/clienthellotest.c | 3 ++- test/ssltest_old.c | 51 +- 4 files changed, 105 insertions(+), 8 deletions(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index b001da7..322a438 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2579,6 +2579,26 @@ STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx) return NULL; } +/* + * Distinguish between ciphers controlled by set_ciphersuite() and + * set_cipher_list() when counting. + */ +static int cipher_list_tls12_num(STACK_OF(SSL_CIPHER) *sk) +{ +int i, num = 0; +const SSL_CIPHER *c; + +if (sk == NULL) +return 0; +for (i = 0; i < sk_SSL_CIPHER_num(sk); ++i) { +c = sk_SSL_CIPHER_value(sk, i); +if (c->min_tls >= TLS1_3_VERSION) +continue; +num++; +} +return num; +} + /** specify the ciphers to be used by default by the SSL_CTX */ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) { @@ -2596,7 +2616,7 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) */ if (sk == NULL) return 0; -else if (sk_SSL_CIPHER_num(sk) == 0) { +else if (cipher_list_tls12_num(sk) == 0) { SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); return 0; } 
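Review bot: The comment on `cipher_list_tls12_num` does not say what the function returns, and it names `set_ciphersuite()` where the commit message has `set_ciphersuites()`. I would write `/* Count the ciphers in sk whose min_tls is below TLS1_3_VERSION, i.e. those governed by set_cipher_list() rather than set_ciphersuites(); returns 0 for a NULL stack. */`. The stack is only read, so the parameter can be `const STACK_OF(SSL_CIPHER) *sk`. In `SSL_CTX_set_cipher_list` the zero-count branch still raises `SSL_R_NO_CIPHER_MATCH` although `sk` may now hold TLSv1.3 suites; the part of the function above the hunk is not shown, so whether the context's list has already been replaced when this branch returns 0 should be checked and documented.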
@@ -2614,7 +2634,7 @@ int SSL_set_cipher_list(SSL *s, const char *str) /* see comment in SSL_CTX_set_cipher_list */ if (sk == NULL) return 0; -else if (sk_SSL_CIPHER_num(sk) == 0) { +else if (cipher_list_tls12_num(sk) == 0) { SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); return 0; } diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c index 89ef1b1..b950411 100644 --- a/test/cipherlist_test.c +++ b/test/cipherlist_test.c @@ -215,9 +215,44 @@ static int test_default_cipherlist_explicit(void) return result; } +/* SSL_CTX_set_cipher_list() should fail if it clears all TLSv1.2 ciphers. */ +static int test_default_cipherlist_clear(void) +{ +SETUP_CIPHERLIST_TEST_FIXTURE(); +SSL *s = NULL; + +if (fixture == NULL) +return 0; + +if (!TEST_int_eq(SSL_CTX_set_cipher_list(fixture->server, "no-such"), 0)) +goto end; + +if (!TEST_int_eq(ERR_GET_REASON(ERR_get_error()), SSL_R_NO_CIPHER_MATCH)) +goto end; + +s = SSL_new(fixture->client); + +if (!TEST_ptr(s)) + goto end; + +if (!TEST_int_eq(SSL_set_cipher_list(s, "no-such"), 0)) +goto end; + +if (!TEST_int_eq(ERR_GET_REASON(ERR_get_error()), +SSL_R_NO_CIPHER_MATCH)) +goto end; + +result = 1; +end: +SSL_free(s); +tear_down(fixture); +return result; +} + int setup_tests(void) { ADD_TEST(test_default_cipherlist_implicit); ADD_TEST(test_default_cipherlist_explicit); +ADD_TEST(test_default_cipherlist_clear); return 1; } diff --git a/test/clienthellotest.c b/test/clienthellotest.c index 2c1110b..7fdb5bc 100644 --- a/test/clienthellotest.c +++ b/test/clienthellotest.c @@ -99,8 +99,9 @@ static int test_client_hello(int currtest) * ClientHello is already going to be quite long. To avoid getting one * that is too long for this test we use a restricted ciphersuite list */ -if (!TEST_true(SSL_CTX_set_cipher_list(ctx, ""))) +if (!TEST_false(SSL_CTX_set_cipher_list(ctx, ""))) goto end; +ERR_clear_error(); /* Fall through */ case TEST_ADD_PADDING: case TEST_PADDING_NOT_NEEDED: 
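Review bot: In the clienthellotest.c hunk the test now expects `SSL_CTX_set_cipher_list(ctx, "")` to return 0, clears the error queue and carries on, while the comment above it still says the call is there to obtain a restricted ciphersuite list. That reads as if the test depends on the call changing `ctx` even though it reports failure; if that is the case, say so at the call site, e.g. `/* Returns 0 because no TLSv1.2 ciphers remain; the test relies on the list having been cleared anyway */`. The same contract matters to applications, since a caller that treats a 0 return as "configuration unchanged" would then be wrong, so it belongs in the API documentation as well. `test_client_hello` continues outside the hunk.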
diff --git a/test/ssltest_old.c b/test/ssltest_old.c index f26bf85..390ca88 100644 --- a/test/ssltest_old.c +++ b/test/ssltest_old.c @@ -1382,11 +1382,52 @@ int main(int argc, char *argv[]) goto end; if (cipher != NULL) { -if (!SSL_CTX_set_cipher_list(c_ctx, cipher) -|| !SSL_CTX_set_cipher_list(s_ctx, cipher) -|| !SSL_CTX_set_cipher_list(s_ctx2, cipher)) { -ERR_print_errors(bio_err); -goto end; +if (strcmp(cipher, "") == 0) { +
[openssl-commits] [openssl] master update
The branch master has been updated via f11ffa505f8a9345145a26a05bf77b012b6941bd (commit) from 008b4ff92f785cf3808df26ac5b23f25a691b23c (commit) - Log - commit f11ffa505f8a9345145a26a05bf77b012b6941bd Author: Richard Levitte Date: Thu Feb 14 09:25:40 2019 +0100 Configure: stop forcing use of DEFINE macros in headers There are times when one might want to use something like DEFINE_STACK_OF in a .c file, because it defines a stack for a type defined in that .c file. Unfortunately, when configuring with `--strict-warnings`, clang aggressively warn about unused functions in such cases, which forces the use of such DEFINE macros to header files. We therefore disable this warning from the `--strict-warnings` definition for clang. (note for the curious: `-Wunused-function` is enabled via `-Wall`) Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8234) --- Summary of changes: Configure | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Configure b/Configure index d6ae2be..0f5807c 100755 --- a/Configure +++ b/Configure @@ -145,6 +145,8 @@ my $gcc_devteam_warn = "-DDEBUG_UNUSED" # -Wlanguage-extension-token -- no, we use asm() # -Wunused-macros -- no, too tricky for BN and _XOPEN_SOURCE etc # -Wextended-offsetof -- no, needed in CMS ASN1 code +# -Wunused-function -- no, it forces header use of safestack et al +#DEFINE macros my $clang_devteam_warn = "" . " -Wswitch-default" . " -Wno-parentheses-equality" @@ -154,6 +156,7 @@ my $clang_devteam_warn = "" . " -Wincompatible-pointer-types-discards-qualifiers" . " -Wmissing-variable-declarations" . " -Wno-unknown-warning-option" +. " -Wno-unused-function" ; # This adds backtrace information to the memory leak info. Is only used _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 008b4ff92f785cf3808df26ac5b23f25a691b23c (commit) from fa63e45262971b9c2a6aeb33db8c52a5a84fc8b5 (commit) - Log - commit 008b4ff92f785cf3808df26ac5b23f25a691b23c Author: Pauli Date: Thu Feb 14 08:13:58 2019 +1000 Sparse array iterators include index position. Iterators over the sparse array structures have gained an initial argument which indicates the index into the array of the element. This can be used, e.g., to delete or modify the associated value. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8229) --- Summary of changes: crypto/include/internal/sparse_array.h | 15 +++-- crypto/sparse_array.c| 22 --- doc/internal/man3/DEFINE_SPARSE_ARRAY_OF.pod | 20 -- test/sparse_array_test.c | 95 4 files changed, 129 insertions(+), 23 deletions(-) diff --git a/crypto/include/internal/sparse_array.h b/crypto/include/internal/sparse_array.h index bf0a996..839fced 100644 --- a/crypto/include/internal/sparse_array.h +++ b/crypto/include/internal/sparse_array.h @@ -37,16 +37,17 @@ extern "C" { return OPENSSL_SA_num((OPENSSL_SA *)sa); \ } \ static ossl_inline void ossl_sa_##type##_doall(const SPARSE_ARRAY_OF(type) *sa, \ - void (*leaf)(type *)) \ + void (*leaf)(size_t, type *)) \ { \ -OPENSSL_SA_doall((OPENSSL_SA *)sa, (void (*)(void *))leaf); \ +OPENSSL_SA_doall((OPENSSL_SA *)sa, (void (*)(size_t, void *))leaf); \ } \ static ossl_inline void ossl_sa_##type##_doall_arg(const SPARSE_ARRAY_OF(type) *sa, \ - void (*leaf)(type *, \ + void (*leaf)(size_t, \ +type *, \ void *),\ void *arg) \ { \ -OPENSSL_SA_doall_arg((OPENSSL_SA *)sa, (void (*)(void *, void *))leaf, \ +OPENSSL_SA_doall_arg((OPENSSL_SA *)sa, (void (*)(size_t, void *, void *))leaf, \ arg); \ } \ static ossl_inline type *ossl_sa_##type##_get(const SPARSE_ARRAY_OF(type) *sa, \ 
@@ -66,9 +67,9 @@ OPENSSL_SA *OPENSSL_SA_new(void); void OPENSSL_SA_free(OPENSSL_SA *sa); void OPENSSL_SA_free_leaves(OPENSSL_SA *sa); size_t OPENSSL_SA_num(const OPENSSL_SA *sa); -void OPENSSL_SA_doall(const OPENSSL_SA *sa, void (*leaf)(void *)); -void OPENSSL_SA_doall_arg(const OPENSSL_SA *sa, void (*leaf)(void *, void *), - void *); +void OPENSSL_SA_doall(const OPENSSL_SA *sa, void (*leaf)(size_t, void *)); +void OPENSSL_SA_doall_arg(const OPENSSL_SA *sa, + void (*leaf)(size_t, void *, void *), void *); void *OPENSSL_SA_get(const OPENSSL_SA *sa, size_t n); int OPENSSL_SA_set(OPENSSL_SA *sa, size_t n, void *val); diff --git a/crypto/sparse_array.c b/crypto/sparse_array.c index 8c9efed..796d35e 100644 --- a/crypto/sparse_array.c +++ b/crypto/sparse_array.c @@ -68,10 +68,11 @@ OPENSSL_SA *OPENSSL_SA_new(void) } static void sa_doall(const OPENSSL_SA *sa, void (*node)(void **), - void (*leaf)(void *, void *), void *arg) + void (*leaf)(size_t, void *, void *), void *arg) { int i[SA_BLOCK_MAX_LEVELS]; void *nodes[SA_BLOCK_MAX_LEVELS]; +size_t idx = 0; int l = 0; i[0] = 0; @@ -84,14 +85,17 @@ static void sa_doall(const OPENSSL_SA *sa, void (*node)(void **), if (p != NULL && node != NULL) (*node)(p); l--; +idx >>= OPENSSL_SA_BLOCK_BITS; } else { i[l] = n + 1; if (p != NULL && p[n] != NULL) { +idx = (idx & ~SA_BLOCK_MASK) | n; if (l < sa->levels - 1) { i[++l] = 0; nodes[l] = p[n]; +idx <<= OPENSSL_SA_BLOCK_BITS; } else if (leaf != NULL) { -(*leaf)(p[n], arg); +(*leaf)(idx, p[n], arg); } } } @@ -103,7 +107,7 @@ static void sa_free_node(void **p) OPENSSL_free(p); } -static void sa_free_leaf(void *p, void *arg) +static void sa_free_leaf(size_t n, void *p, void *arg) { OPENSSL_free(p); } @@ -122,15 +126,15 @@ void OPENSSL_SA_free_leaves(OPENSSL_SA *sa) /* Wrap this in a structure to avoid compiler warnings */ struct trampoline_st { -void (*func)(void *); +void (*func)(size_t, void *); }; -static void
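Review bot: `sa_doall` (hunk `@@ -84,14 +85,17 @@`) now passes the element index to `leaf`, and the commit message suggests using it to delete or modify the entry, but nothing states which array operations are safe from inside the callback. The walk keeps its position in the local `i[]` and `nodes[]` arrays while re-reading `sa->levels` on each pass, so an insertion from `leaf` that raises the tree height (README.sparse_array describes a new root being pushed on top of the old one) would presumably leave the cached node pointers and the rebuilt `idx` out of step with the tree. I would add a comment above `sa_doall`, and a matching sentence in DEFINE_SPARSE_ARRAY_OF.pod, such as `/* leaf must not add entries to sa during the walk; see OPENSSL_SA_set for what is safe at idx */`, once the safe cases are confirmed against `OPENSSL_SA_set`, which is not shown. The body of `sa_doall` starts in the preceding hunk and continues outside this one.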
[openssl-commits] [openssl] master update
The branch master has been updated via 953315ae60e135057e308ebd0778ed823d620970 (commit) from 5a285addbf39f91d567f95f04b2b41764127950d (commit) - Log - commit 953315ae60e135057e308ebd0778ed823d620970 Author: Richard Levitte Date: Wed Feb 13 18:59:13 2019 +0100 test/build.info: add missing ../apps/include Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/8227) --- Summary of changes: test/build.info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/build.info b/test/build.info index 5904267..231d362 100644 --- a/test/build.info +++ b/test/build.info @@ -332,7 +332,7 @@ IF[{- !$disabled{tests} -}] DEPEND[pkey_meth_kdf_test]=../libcrypto libtestutil.a SOURCE[evp_kdf_test]=evp_kdf_test.c - INCLUDE[evp_kdf_test]=../include + INCLUDE[evp_kdf_test]=../include ../apps/include DEPEND[evp_kdf_test]=../libcrypto libtestutil.a SOURCE[x509_time_test]=x509_time_test.c _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via e0ae0585bee898184cbbe8144d2fa8ce25e8ca72 (commit) from b754a8a1590b8c5c9662c8a0ba49573991488b20 (commit) - Log - commit e0ae0585bee898184cbbe8144d2fa8ce25e8ca72 Author: Pauli Date: Wed Feb 13 16:11:16 2019 +1000 Sparse array limit testing: reduce the range limit for the number of bits in a sparse array pointer block. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/8221) --- Summary of changes: crypto/sparse_array.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/sparse_array.c b/crypto/sparse_array.c index 9255f9d..8c9efed 100644 --- a/crypto/sparse_array.c +++ b/crypto/sparse_array.c @@ -37,7 +37,7 @@ # else # define OPENSSL_SA_BLOCK_BITS 12 # endif -#elif OPENSSL_SA_BLOCK_BITS < 2 || OPENSSL_SA_BLOCK_BITS > BN_BITS2 +#elif OPENSSL_SA_BLOCK_BITS < 2 || OPENSSL_SA_BLOCK_BITS > (BN_BITS2 - 1) # error OPENSSL_SA_BLOCK_BITS is out of range #endif _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
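Review bot: The upper bound `(BN_BITS2 - 1)` in the `#elif` is derived from the BIGNUM word size, but the value it guards is used as `1 << OPENSSL_SA_BLOCK_BITS` in the `SA_BLOCK_MAX` definition (quoted in the typo-fix commit further down this page), which is an `int` shift. A setting of 31 with a 32-bit `int`, or anything up to 63 where `BN_BITS2` is 64, still passes the check and makes that shift undefined. Bounding by the `int` width instead closes the gap, e.g. `#elif OPENSSL_SA_BLOCK_BITS < 2 || OPENSSL_SA_BLOCK_BITS > 30` if `int` is assumed to be at least 32 bits. The `#if` this `#elif` belongs to starts outside the hunk.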
[openssl-commits] [openssl] master update
The branch master has been updated via b754a8a1590b8c5c9662c8a0ba49573991488b20 (commit) from 5674466e007d892ec55441059b3763abd5dd5440 (commit) - Log - commit b754a8a1590b8c5c9662c8a0ba49573991488b20 Author: Daniel DeFreez Date: Wed Feb 13 14:26:14 2019 +0800 Fix null pointer dereference in cms_RecipientInfo_kari_init CLA: trivial Reviewed-by: Bernd Edlinger Reviewed-by: Paul Yang Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8137) --- Summary of changes: crypto/cms/cms_kari.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/crypto/cms/cms_kari.c b/crypto/cms/cms_kari.c index 4ee7017..9f1f5d5 100644 --- a/crypto/cms/cms_kari.c +++ b/crypto/cms/cms_kari.c @@ -282,7 +282,7 @@ static int cms_kari_create_ephemeral_key(CMS_KeyAgreeRecipientInfo *kari, return rv; } -/* Initialise a ktri based on passed certificate and key */ +/* Initialise a kari based on passed certificate and key */ int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, EVP_PKEY *pk, unsigned int flags) @@ -299,6 +299,9 @@ int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, kari->version = 3; rek = M_ASN1_new_of(CMS_RecipientEncryptedKey); +if (rek == NULL) +return 0; + if (!sk_CMS_RecipientEncryptedKey_push(kari->recipientEncryptedKeys, rek)) { M_ASN1_free_of(rek, CMS_RecipientEncryptedKey); return 0; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 5674466e007d892ec55441059b3763abd5dd5440 (commit) from 7f4268bff3cf49b96d25bfd83013ee310c31520b (commit) - Log - commit 5674466e007d892ec55441059b3763abd5dd5440 Author: Richard Levitte Date: Tue Feb 12 11:37:43 2019 +0100 Move libapps headers into their own directory This got triggered by test/testutil.h including ../apps/opt.h. Some compilers do all inclusions from the directory of the C file being compiled, so when a C file includes a header file with a relative file spec, and that header file also includes another header file with a relative file spec, the compiler no longer follows. As a specific example, test/testutil/basic_output.c included ../testutil.h. Fine so far, but then, test/testutil.h includes ../apps/opt.h, and the compiler ends up trying to include (seen from the source top) test/apps/opt.h rather than apps/opt.h, and fails. The solution could have been to simply add apps/ as an inclusion directory. However, that directory also has header files that have nothing to do with libapps, so we take this a bit further, create apps/include and move libapps specific headers there, and then add apps/include as inclusion directory in the build.info files where needed. Reviewed-by: Paul Yang (Merged from https://github.com/openssl/openssl/pull/8210) --- Summary of changes: apps/build.info | 4 +- apps/{ => include}/apps.h| 0 apps/{ => include}/apps_ui.h | 0 apps/{ => include}/fmt.h | 0 apps/{ => include}/opt.h | 0 apps/{ => include}/s_apps.h | 0 test/build.info | 226 +-- test/testutil.h | 2 +- 8 files changed, 116 insertions(+), 116 deletions(-) rename apps/{ => include}/apps.h (100%) rename apps/{ => include}/apps_ui.h (100%) rename apps/{ => include}/fmt.h (100%) rename apps/{ => include}/opt.h (100%) rename apps/{ => include}/s_apps.h (100%) diff --git a/apps/build.info b/apps/build.info index 7a5e876..9b77c46 100644 --- a/apps/build.info +++ b/apps/build.info 
@@ -15,12 +15,12 @@ IF[{- !$disabled{apps} -}] LIBS{noinst}=libapps.a SOURCE[libapps.a]={- join(" ", @apps_lib_src) -} - INCLUDE[libapps.a]=.. ../include + INCLUDE[libapps.a]=.. ../include include PROGRAMS=openssl SOURCE[openssl]={- join(" ", @apps_init_src) -} SOURCE[openssl]={- join(" ", @apps_openssl_src) -} - INCLUDE[openssl]=.. ../include + INCLUDE[openssl]=.. ../include include DEPEND[openssl]=libapps.a ../libssl IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-)/ -}] diff --git a/apps/apps.h b/apps/include/apps.h similarity index 100% rename from apps/apps.h rename to apps/include/apps.h diff --git a/apps/apps_ui.h b/apps/include/apps_ui.h similarity index 100% rename from apps/apps_ui.h rename to apps/include/apps_ui.h diff --git a/apps/fmt.h b/apps/include/fmt.h similarity index 100% rename from apps/fmt.h rename to apps/include/fmt.h diff --git a/apps/opt.h b/apps/include/opt.h similarity index 100% rename from apps/opt.h rename to apps/include/opt.h diff --git a/apps/s_apps.h b/apps/include/s_apps.h similarity index 100% rename from apps/s_apps.h rename to apps/include/s_apps.h diff --git a/test/build.info b/test/build.info index b2b7375..7d4f953 100644 --- a/test/build.info +++ b/test/build.info @@ -15,7 +15,7 @@ IF[{- !$disabled{tests} -}] testutil/format_output.c testutil/tap_bio.c \ testutil/test_cleanup.c testutil/main.c testutil/init.c \ testutil/options.c testutil/test_options.c ../apps/opt.c - INCLUDE[libtestutil.a]=../include .. + INCLUDE[libtestutil.a]=../include ../apps/include .. DEPEND[libtestutil.a]=../libcrypto PROGRAMS{noinst}=\ 
@@ -48,234 +48,234 @@ IF[{- !$disabled{tests} -}] sysdefaulttest errtest gosttest SOURCE[versions]=versions.c - INCLUDE[versions]=../include + INCLUDE[versions]=../include ../apps/include DEPEND[versions]=../libcrypto SOURCE[aborttest]=aborttest.c - INCLUDE[aborttest]=../include + INCLUDE[aborttest]=../include ../apps/include DEPEND[aborttest]=../libcrypto SOURCE[sanitytest]=sanitytest.c - INCLUDE[sanitytest]=../include + INCLUDE[sanitytest]=../include ../apps/include DEPEND[sanitytest]=../libcrypto libtestutil.a SOURCE[rsa_complex]=rsa_complex.c - INCLUDE[rsa_complex]=../include + INCLUDE[rsa_complex]=../include ../apps/include SOURCE[test_test]=test_test.c - INCLUDE[test_test]=../include + INCLUDE[test_test]=../include ../apps/include DEPEND[test_test]=../libcrypto libtestutil.a SOURCE[exdatatest]=exdatatest.c - INCLUDE[exdatatest]=../include + INCLUDE[exdatatest]=../include ../apps/include DEPEND[exdatatest]=../libcrypto libtestutil.a
[openssl-commits] [openssl] master update
The branch master has been updated via 7f4268bff3cf49b96d25bfd83013ee310c31520b (commit) from 583fd0c1085c6297e3dd632ac588afee723aae5a (commit) - Log - commit 7f4268bff3cf49b96d25bfd83013ee310c31520b Author: Pauli Date: Wed Feb 13 09:30:20 2019 +1000 Fix master build. The recent change from ENGINES to MODULES broke the configure it seems. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/8219) --- Summary of changes: engines/build.info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/engines/build.info b/engines/build.info index f94e620..e493ced 100644 --- a/engines/build.info +++ b/engines/build.info @@ -43,7 +43,7 @@ IF[{- !$disabled{"engine"} -}] ENDIF ENDIF IF[{- !$disabled{"devcryptoeng"} -}] - ENGINES=devcrypto + MODULES=devcrypto SOURCE[devcrypto]=e_devcrypto.c DEPEND[devcrypto]=../libcrypto INCLUDE[devcrypto]=../include _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
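Review bot: `MODULES=devcrypto` carries no attribute, although the commit that introduced MODULES (1842f369, further down this page) says ENGINE modules are marked as such with an attribute in the build.info files because installation depends on it. If the neighbouring entries in engines/build.info, which are outside this hunk, are written with that attribute, this line probably needs it as well, i.e. `MODULES{engine}=devcrypto`. Without it the devcrypto engine may build but not be installed alongside the other engines.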
[openssl-commits] [openssl] master update
The branch master has been updated via e5fee28f0e49fe2e07b2088985eee2d0ffaaf17e (commit) from 54b5fb2dab8b216c11adfbe6320c27e18a44ffb3 (commit) - Log - commit e5fee28f0e49fe2e07b2088985eee2d0ffaaf17e Author: Pauli Date: Wed Feb 13 09:22:36 2019 +1000 Fix typo in comment Reviewed-by: Paul Yang (Merged from https://github.com/openssl/openssl/pull/8218) --- Summary of changes: crypto/sparse_array.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/sparse_array.c b/crypto/sparse_array.c index b256478..9255f9d 100644 --- a/crypto/sparse_array.c +++ b/crypto/sparse_array.c @@ -44,7 +44,7 @@ /* * From the number of bits, work out: *the number of pointers in a tree node; - *a bit mask to quickly extra an index and + *a bit mask to quickly extract an index and *the maximum depth of the tree structure. */ #define SA_BLOCK_MAX(1 << OPENSSL_SA_BLOCK_BITS) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 54b5fb2dab8b216c11adfbe6320c27e18a44ffb3 (commit) from c703a808a1394fea7f77067db20c9508e6964d0b (commit) - Log - commit 54b5fb2dab8b216c11adfbe6320c27e18a44ffb3 Author: Richard Levitte Date: Tue Feb 12 19:54:08 2019 +0100 To use BN_BITS2, we'd better include openssl/bn.h Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8212) --- Summary of changes: crypto/sparse_array.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/sparse_array.c b/crypto/sparse_array.c index 8b56b25..b256478 100644 --- a/crypto/sparse_array.c +++ b/crypto/sparse_array.c @@ -9,6 +9,7 @@ */ #include +#include #include "internal/sparse_array.h" /* _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via c703a808a1394fea7f77067db20c9508e6964d0b (commit) via c244aa7bdac4eb26504b68e430557ed3e5a12ae9 (commit) via 2afebe0bab5e03c9ae1555fd79044940245d7235 (commit) from 9a18aae5f21efc59da8b697ad67d5d37b95ab322 (commit) - Log - commit c703a808a1394fea7f77067db20c9508e6964d0b Author: Eneas U de Queiroz Date: Tue Feb 12 10:44:19 2019 -0200 eng_devcrypto.c: close open session on init cipher_init may be called on an already initialized context, without a necessary cleanup. This separates cleanup from initialization, closing an eventual open session before creating a new one. Signed-off-by: Eneas U de Queiroz Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7859) commit c244aa7bdac4eb26504b68e430557ed3e5a12ae9 Author: Eneas U de Queiroz Date: Thu Nov 8 11:07:44 2018 -0200 CHANGES: add note about building devcrypto dynamic Signed-off-by: Eneas U de Queiroz Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7859) commit 2afebe0bab5e03c9ae1555fd79044940245d7235 Author: Eneas U de Queiroz Date: Tue Nov 6 10:57:03 2018 -0200 e_devcrypto: make the /dev/crypto engine dynamic Engine has been moved from crypto/engine/eng_devcrypto.c to engines/e_devcrypto.c. Signed-off-by: Eneas U de Queiroz Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7859) --- Summary of changes: CHANGES| 3 + crypto/engine/build.info | 3 - crypto/init.c | 34 ++--- engines/build.info | 13 ++ .../eng_devcrypto.c => engines/e_devcrypto.c | 160 ++--- 5 files changed, 144 insertions(+), 69 deletions(-) rename crypto/engine/eng_devcrypto.c => engines/e_devcrypto.c (94%) diff --git a/CHANGES b/CHANGES index 9d712f0..02258ce 100644 --- a/CHANGES +++ b/CHANGES 
@@ -9,6 +9,9 @@ Changes between 1.1.1 and 3.0.0 [xx XXX ] + *) Build devcrypto engine as a dynamic engine. + [Eneas U de Queiroz] + *) Add keyed BLAKE2 to EVP_MAC. [Antoine Salon] diff --git a/crypto/engine/build.info b/crypto/engine/build.info index e00802a..47fe948 100644 --- a/crypto/engine/build.info +++ b/crypto/engine/build.info @@ -6,6 +6,3 @@ SOURCE[../../libcrypto]=\ tb_cipher.c tb_digest.c tb_pkmeth.c tb_asnmth.c tb_eckey.c \ eng_openssl.c eng_cnf.c eng_dyn.c \ eng_rdrand.c -IF[{- !$disabled{devcryptoeng} -}] - SOURCE[../../libcrypto]=eng_devcrypto.c -ENDIF diff --git a/crypto/init.c b/crypto/init.c index 22d28a9..ddea63a 100644 --- a/crypto/init.c +++ b/crypto/init.c @@ -353,18 +353,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl) engine_load_openssl_int(); return 1; } -# ifndef OPENSSL_NO_DEVCRYPTOENG -static CRYPTO_ONCE engine_devcrypto = CRYPTO_ONCE_STATIC_INIT; -DEFINE_RUN_ONCE_STATIC(ossl_init_engine_devcrypto) -{ -# ifdef OPENSSL_INIT_DEBUG -fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_devcrypto: " -"engine_load_devcrypto_int()\n"); -# endif -engine_load_devcrypto_int(); -return 1; -} -# endif # ifndef OPENSSL_NO_RDRAND static CRYPTO_ONCE engine_rdrand = CRYPTO_ONCE_STATIC_INIT; @@ -389,6 +377,18 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_dynamic) return 1; } # ifndef OPENSSL_NO_STATIC_ENGINE +# ifndef OPENSSL_NO_DEVCRYPTOENG +static CRYPTO_ONCE engine_devcrypto = CRYPTO_ONCE_STATIC_INIT; +DEFINE_RUN_ONCE_STATIC(ossl_init_engine_devcrypto) +{ +# ifdef OPENSSL_INIT_DEBUG +fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_devcrypto: " +"engine_load_devcrypto_int()\n"); +# endif +engine_load_devcrypto_int(); +return 1; +} +# endif # if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK) static CRYPTO_ONCE engine_padlock = CRYPTO_ONCE_STATIC_INIT; DEFINE_RUN_ONCE_STATIC(ossl_init_engine_padlock) 
@@ -747,11 +747,6 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) if ((opts & OPENSSL_INIT_ENGINE_OPENSSL) && !RUN_ONCE(_openssl, ossl_init_engine_openssl)) return 0; -# if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_DEVCRYPTOENG) -if ((opts & OPENSSL_INIT_ENGINE_CRYPTODEV) -&& !RUN_ONCE(_devcrypto, ossl_init_engine_devcrypto)) -return 0; -# endif # ifndef OPENSSL_NO_RDRAND if ((opts & OPENSSL_INIT_ENGINE_RDRAND) && !RUN_ONCE(_rdrand, ossl_init_engine_rdrand)) @@ -761,6 +756,11 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS
[openssl-commits] [openssl] master update
The branch master has been updated via 9a18aae5f21efc59da8b697ad67d5d37b95ab322 (commit) from a40f0f6475711f01d32c4cdc39e54311b7e9c876 (commit) - Log - commit 9a18aae5f21efc59da8b697ad67d5d37b95ab322 Author: Andy Polyakov Date: Mon Feb 11 15:33:43 2019 +0100 AArch64 assembly pack: authenticate return addresses. ARMv8.3 adds pointer authentication extension, which in this case allows to ensure that, when offloaded to stack, return address is same at return as at entry to the subroutine. The new instructions are nops on processors that don't implement the extension, so that the vetification is backward compatible. Reviewed-by: Kurt Roeckx Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8205) --- Summary of changes: crypto/aes/asm/aesv8-armx.pl | 2 ++ crypto/aes/asm/vpaes-armv8.pl | 18 ++ crypto/bn/asm/armv8-mont.pl | 4 crypto/chacha/asm/chacha-armv8.pl | 8 crypto/ec/asm/ecp_nistz256-armv8.pl | 28 +++- crypto/poly1305/asm/poly1305-armv8.pl | 2 ++ crypto/sha/asm/keccak1600-armv8.pl| 14 ++ crypto/sha/asm/sha512-armv8.pl| 2 ++ 8 files changed, 77 insertions(+), 1 deletion(-) diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl index b61bdba..9ab2158 100755 --- a/crypto/aes/asm/aesv8-armx.pl +++ b/crypto/aes/asm/aesv8-armx.pl @@ -262,6 +262,7 @@ $code.=<<___; ${prefix}_set_decrypt_key: ___ $code.=<<___ if ($flavour =~ /64/); + .inst 0xd503233f // paciasp stp x29,x30,[sp,#-16]! add x29,sp,#0 ___ @@ -305,6 +306,7 @@ $code.=<<___if ($flavour !~ /64/); ___ $code.=<<___ if ($flavour =~ /64/); ldp x29,x30,[sp],#16 + .inst 0xd50323bf // autiasp ret ___ $code.=<<___; diff --git a/crypto/aes/asm/vpaes-armv8.pl b/crypto/aes/asm/vpaes-armv8.pl index 1fce0c5..ece9f20 100755 --- a/crypto/aes/asm/vpaes-armv8.pl +++ b/crypto/aes/asm/vpaes-armv8.pl @@ -255,6 +255,7 @@ _vpaes_encrypt_core: .type vpaes_encrypt,%function .align 4 vpaes_encrypt: + .inst 0xd503233f // paciasp stp x29,x30,[sp,#-16]! add x29,sp,#0 
@@ -264,6 +265,7 @@ vpaes_encrypt: st1 {v0.16b}, [$out] ldp x29,x30,[sp],#16 + .inst 0xd50323bf // autiasp ret .size vpaes_encrypt,.-vpaes_encrypt @@ -486,6 +488,7 @@ _vpaes_decrypt_core: .type vpaes_decrypt,%function .align 4 vpaes_decrypt: + .inst 0xd503233f // paciasp stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -495,6 +498,7 @@ vpaes_decrypt: st1 {v0.16b}, [$out] ldp x29,x30,[sp],#16 + .inst 0xd50323bf // autiasp ret .size vpaes_decrypt,.-vpaes_decrypt @@ -665,6 +669,7 @@ _vpaes_key_preheat: .type _vpaes_schedule_core,%function .align 4 _vpaes_schedule_core: + .inst 0xd503233f // paciasp stp x29, x30, [sp,#-16]! add x29,sp,#0 @@ -829,6 +834,7 @@ _vpaes_schedule_core: eor v6.16b, v6.16b, v6.16b // vpxor%xmm6, %xmm6, %xmm6 eor v7.16b, v7.16b, v7.16b // vpxor%xmm7, %xmm7, %xmm7 ldp x29, x30, [sp],#16 + .inst 0xd50323bf // autiasp ret .size _vpaes_schedule_core,.-_vpaes_schedule_core @@ -1041,6 +1047,7 @@ _vpaes_schedule_mangle: .type vpaes_set_encrypt_key,%function .align 4 vpaes_set_encrypt_key: + .inst 0xd503233f // paciasp stp x29,x30,[sp,#-16]! add x29,sp,#0 stp d8,d9,[sp,#-16]!// ABI spec says so @@ -1056,6 +1063,7 @@ vpaes_set_encrypt_key: ldp d8,d9,[sp],#16 ldp x29,x30,[sp],#16 + .inst 0xd50323bf // autiasp ret .size vpaes_set_encrypt_key,.-vpaes_set_encrypt_key @@ -1063,6 +1071,7 @@ vpaes_set_encrypt_key: .type vpaes_set_decrypt_key,%function .align 4 vpaes_set_decrypt_key: + .inst 0xd503233f // paciasp stp x29,x30,[sp,#-16]! add x29,sp,#0 stp d8,d9,[sp,#-16]!// ABI spec says so @@ -1082,6 +1091,7 @@ vpaes_set_decrypt_key: ldp d8,d9,[sp],#16 ldp x29,x30,[sp],#16 + .inst 0xd50323bf // autiasp ret .size vpaes_set_decrypt_key,.-vpaes_set_decrypt_key ___ @@ -1098,6 +1108,7 @@ vpaes_cbc_encrypt: cmp w5, #0 // check direction b.eqvpaes_cbc_decrypt + .inst 0xd503233f // paciasp stp x29,x30,[sp,#-16]!
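Review bot: The `.inst 0xd503233f` / `.inst 0xd50323bf` lines added to `vpaes_encrypt`, `vpaes_decrypt`, `_vpaes_schedule_core` and the key-setup routines are annotated only with the mnemonic, so the file itself does not record what the pair guarantees or why it is harmless on older cores. A short comment at the first occurrence would keep that with the code, e.g. `// paciasp/autiasp sign and check x30 against sp; they execute as nops without ARMv8.3 pointer authentication`. It is also worth stating there that any exit path added later has to restore sp to its entry value and run the authenticate instruction before `ret`, since a return that skips it leaves a signed address in x30. Each routine starts and ends outside the individual hunks.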
[openssl-commits] [openssl] master update
The branch master has been updated via a40f0f6475711f01d32c4cdc39e54311b7e9c876 (commit) from dff298135b9b8bbaac1f452a219bb446e50728d1 (commit) - Log - commit a40f0f6475711f01d32c4cdc39e54311b7e9c876 Author: Pauli Date: Thu Jan 24 12:15:54 2019 +1000 Add sparse array data type. This commit adds a space and time efficient sparse array data structure. The structure's raw API is wrapped by inline functions which provide type safety. Reviewed-by: Richard Levitte Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/8197) --- Summary of changes: crypto/README.sparse_array | 155 +++ crypto/build.info | 4 +- crypto/include/internal/sparse_array.h | 78 crypto/sparse_array.c | 213 + doc/internal/man3/DEFINE_SPARSE_ARRAY_OF.pod | 112 +++ test/build.info| 6 +- .../{02-test_lhash.t => 02-test_sparse_array.t}| 6 +- test/sparse_array_test.c | 103 ++ 8 files changed, 671 insertions(+), 6 deletions(-) create mode 100644 crypto/README.sparse_array create mode 100644 crypto/include/internal/sparse_array.h create mode 100644 crypto/sparse_array.c create mode 100644 doc/internal/man3/DEFINE_SPARSE_ARRAY_OF.pod copy test/recipes/{02-test_lhash.t => 02-test_sparse_array.t} (63%) create mode 100644 test/sparse_array_test.c diff --git a/crypto/README.sparse_array b/crypto/README.sparse_array new file mode 100644 index 000..947c34d --- /dev/null +++ b/crypto/README.sparse_array 
@@ -0,0 +1,155 @@ +The sparse_array.c file contains an implementation of a sparse array that +attempts to be both space and time efficient. + +The sparse array is represented using a tree structure. Each node in the +tree contains a block of pointers to either the user supplied leaf values or +to another node. + +There are a number of parameters used to define the block size: + +OPENSSL_SA_BLOCK_BITS Specifies the number of bits covered by each block +SA_BLOCK_MAXSpecifies the number of pointers in each block +SA_BLOCK_MASK Specifies a bit mask to perform modulo block size +SA_BLOCK_MAX_LEVELS Indicates the maximum possible height of the tree + +These constants are inter-related: +SA_BLOCK_MAX= 2 ^ OPENSSL_SA_BLOCK_BITS +SA_BLOCK_MASK = SA_BLOCK_MAX - 1 +SA_BLOCK_MAX_LEVELS = number of bits in size_t divided by + OPENSSL_SA_BLOCK_BITS rounded up to the next multiple + of OPENSSL_SA_BLOCK_BITS + +OPENSSL_SA_BLOCK_BITS can be defined at compile time and this overrides the +built in setting. + +As a space and performance optimisation, the height of the tree is usually +less than the maximum possible height. Only sufficient height is allocated to +accommodate the largest index added to the data structure. + +The largest index used to add a value to the array determines the tree height: + ++--+-+ +| Largest Added Index | Height of Tree| ++--+-+ +| SA_BLOCK_MAX - 1 | 1 | +| SA_BLOCK_MAX ^ 2 - 1 | 2 | +| SA_BLOCK_MAX ^ 3 - 1 | 3 | +| ... | ...| +| size_t max | SA_BLOCK_MAX_LEVELS | ++--+-+ + +The tree height is dynamically increased as needed based on additions. + +An empty tree is represented by a NULL root pointer. 
Inserting a value at +index 0 results in the allocation of a top level node full of null pointers +except for the single pointer to the user's data (N = SA_BLOCK_MAX for +breviety): + +++ +|Root| +|Node| ++-+--+ + | + | + | + v ++-+-+---+---+---+---+ +| 0 | 1 | 2 |...|N-1| +| |nil|nil|...|nil| ++-+-+---+---+---+---+ + | + | + | + v ++-+--+ +|User| +|Data| +++ +Index 0 + + +Inserting at element 2N+1 creates a new root node and pushes down the old root +node. It then creates a second second level node to hold the pointer to the +user's new data: + +++ +|Root| +|Node| ++-+--+ + | + | + | + v ++-+-+---+---+---+---+ +| 0 | 1 | 2 |...|N-1| +| |nil| |...|nil| ++-+-+---+-+-+---+---+ + | | + | +--+ + | | +
[openssl-commits] [openssl] master update
The branch master has been updated via ca811248d838058c13236a6c3b688e0ac98c02c8 (commit) from 6e68f244f48bd7118b9262ff5905da1c3b15cae9 (commit) - Log - commit ca811248d838058c13236a6c3b688e0ac98c02c8 Author: Richard Levitte Date: Mon Nov 12 18:16:27 2018 +0100 apps/ocsp.c Use the same HAVE_FORK / NO_FORK as in speed.c This allows the user to override our defaults if needed, and in a consistent manner. Partial fix for #7607 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7624) --- Summary of changes: apps/ocsp.c | 16 +++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/apps/ocsp.c b/apps/ocsp.c index 7c2a904..09eeb9c 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -36,7 +36,21 @@ NON_EMPTY_TRANSLATION_UNIT # include # include -# if defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_NO_SOCK) \ +#ifndef HAVE_FORK +# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) +# define HAVE_FORK 0 +# else +# define HAVE_FORK 1 +# endif +#endif + +#if HAVE_FORK +# undef NO_FORK +#else +# define NO_FORK +#endif + +# if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \ && !defined(OPENSSL_NO_POSIX_IO) # define OCSP_DAEMON # include _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
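Review bot: The default `# define HAVE_FORK 1` now applies to every target that is neither `OPENSSL_SYS_VMS` nor `OPENSSL_SYS_WINDOWS`, whereas the removed condition enabled `OCSP_DAEMON` only when `OPENSSL_SYS_UNIX` was defined. Other non-Unix targets would start compiling the daemon code unless they also define `OPENSSL_NO_SOCK` or `OPENSSL_NO_POSIX_IO`; whether such targets exist in the supported set is not visible here. Separately, `# undef NO_FORK` discards a `NO_FORK` given on the command line when `HAVE_FORK` is not given too, which is surprising for a change meant to let users override the default. Seeding the default from it would cover that: `# if defined(NO_FORK) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)`.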
[openssl-commits] [openssl] master update
The branch master has been updated via 6e68f244f48bd7118b9262ff5905da1c3b15cae9 (commit) from 61db9961417e74cbd4a285fe482f1f2b30c5536b (commit) - Log - commit 6e68f244f48bd7118b9262ff5905da1c3b15cae9 Author: Richard Levitte Date: Fri Jan 25 23:57:09 2019 +0100 test/recipes/02-err_errstr: skip errors that may not be loaded on Windows Fixes #8091 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8094) (cherry picked from commit 0e1b0e510dfe078b3fb2586d987d7b49ff8ef0b2) --- Summary of changes: test/recipes/02-test_errstr.t | 37 + 1 file changed, 37 insertions(+) diff --git a/test/recipes/02-test_errstr.t b/test/recipes/02-test_errstr.t index ce2792b..a9e8ed4 100644 --- a/test/recipes/02-test_errstr.t +++ b/test/recipes/02-test_errstr.t @@ -38,6 +38,43 @@ plan skip_all => 'OpenSSL is configured "no-autoerrinit" or "no-err"' # (this is documented) my @posix_errors = @{$Errno::EXPORT_TAGS{POSIX}}; +if ($^O eq 'MSWin32') { +# On Windows, these errors have been observed to not always be loaded by +# apps/openssl, while they are in perl, which causes a difference that we +# consider a false alarm. So we skip checking these errors. +# Because we can't know exactly what symbols exist in a perticular perl +# version, we resort to discovering them directly in the Errno package +# symbol table. +my @error_skiplist = qw( +ENETDOWN +ENETUNREACH +ENETRESET +ECONNABORTED +EISCONN +ENOTCONN +ESHUTDOWN +ETOOMANYREFS +ETIMEDOUT +EHOSTDOWN +EHOSTUNREACH +EALREADY +EINPROGRESS +ESTALE +EUCLEAN +ENOTNAM +ENAVAIL +ENOMEDIUM +ENOKEY +); +@posix_errors = +grep { +my $x = $_; +! grep { +exists $Errno::{$_} && $x == $Errno::{$_} +} @error_skiplist +} @posix_errors; +} + plan tests => scalar @posix_errors +1 # Checking that error 128 gives 'reason(128)' +1 # Checking that error 0 gives the library name _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
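Review bot: The inner test `$x == $Errno::{$_}` uses the numeric comparison operator, but `@posix_errors` is filled from `@{$Errno::EXPORT_TAGS{POSIX}}`, which holds error names, and `$Errno::{$_}` is a symbol-table entry rather than an errno value. Both sides would then numify to 0, so the filter appears to drop every entry of `@posix_errors` on MSWin32 as soon as one skiplist name exists in Errno, leaving the test with no POSIX errors to check there. Matching by name does what the comment describes: `! grep { $x eq $_ } @error_skiplist`.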
[openssl-commits] [openssl] master update
The branch master has been updated via 61db9961417e74cbd4a285fe482f1f2b30c5536b (commit) from 1842f369e5541d8ed9b2716cdd7d516005994733 (commit) - Log - commit 61db9961417e74cbd4a285fe482f1f2b30c5536b Author: Richard Levitte Date: Sat Feb 2 09:47:16 2019 +0100 Build: correct BASE shlib_version_as_filename This function is designed to use $config{shlib_version} directly instead of taking an input argument, yet the BASE variant didn't do this. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8146) --- Summary of changes: Configurations/platform/BASE.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Configurations/platform/BASE.pm b/Configurations/platform/BASE.pm index b7fec11..fcd7b70 100644 --- a/Configurations/platform/BASE.pm +++ b/Configurations/platform/BASE.pm @@ -28,8 +28,8 @@ sub sharedname { return __isshared($_[1]) ? $_[1] : undef } # Name of shared li sub staticname { return __base($_[1], '.a') } # Name of static lib # Convenience function to convert the shlib version to an acceptable part -# of a file or directory name. -sub shlib_version_as_filename { return $_[1] } +# of a file or directory name. By default, we consider it acceptable as is. +sub shlib_version_as_filename { return $config{shlib_version} } # Convenience functions to convert the possible extension of an input file name sub bin { return $_[0]->binname($_[1]) . $_[0]->binext() } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 1842f369e5541d8ed9b2716cdd7d516005994733 (commit) from a43ce58f5569a160272c492c680f2e42d38ec769 (commit) - Log - commit 1842f369e5541d8ed9b2716cdd7d516005994733 Author: Richard Levitte Date: Thu Jan 31 00:06:50 2019 +0100 ENGINE modules aren't special, so call them MODULES The only thing that makes an ENGINE module special is its entry points. Other than that, it's a normal dynamically loadable module, nothing special about it. This change has us stop pretending anything else. We retain using ENGINE as a term for installation, because it's related to a specific installation directory, and we therefore also mark ENGINE modules specifically as such with an attribute in the build.info files. Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/8147) --- Summary of changes: Configurations/README| 8 Configurations/README.design | 36 ++-- Configurations/common.tmpl | 8 Configurations/descrip.mms.tmpl | 29 +++-- Configurations/unix-Makefile.tmpl| 23 --- Configurations/windows-makefile.tmpl | 32 +--- Configure| 27 +++ doc/man1/version.pod | 2 +- engines/build.info | 8 9 files changed, 90 insertions(+), 83 deletions(-) diff --git a/Configurations/README b/Configurations/README index a106f8c..8efabb3 100644 --- a/Configurations/README +++ b/Configurations/README @@ -159,7 +159,7 @@ In each table entry, the following keys are significant: below [2]. dso_scheme => The type of dynamic shared objects to build for. This mostly comes into play with - engines, but can be used for other purposes + modules, but can be used for other purposes as well. Valid values are "DLFCN" (dlopen() et al), "DLFCN_NO_H" (for systems that use dlopen() et al but do not have 
@@ -350,7 +350,7 @@ In each table entry, the following keys are significant: - shared libraries; that would be libcrypto and libssl. - shared objects (sometimes called dynamic libraries); that would - be the engines. + be the modules. - applications; those are apps/openssl and all the test apps. Very roughly speaking, linking is done like this (words in braces @@ -411,10 +411,10 @@ variables: PROGRAMS=foo bar LIBS=libsomething -ENGINES=libeng +MODULES=libeng SCRIPTS=myhack -Note that the files mentioned for PROGRAMS, LIBS and ENGINES *must* be +Note that the files mentioned for PROGRAMS, LIBS and MODULES *must* be without extensions. The build file templates will figure them out. For each thing to be built, it is then possible to say what sources diff --git a/Configurations/README.design b/Configurations/README.design index 75c19a6..b79d0b2 100644 --- a/Configurations/README.design +++ b/Configurations/README.design @@ -36,7 +36,7 @@ in build.info. Their file name extensions will be inferred by the build-file templates, adapted for the platform they are meant for (see sections on %unified_info and build-file templates further down). -The variables PROGRAMS, LIBS, ENGINES and SCRIPTS are used to declare +The variables PROGRAMS, LIBS, MODULES and SCRIPTS are used to declare end products. There are variants for them with '_NO_INST' as suffix (PROGRAM_NO_INST etc) to specify end products that shouldn't get installed. 
@@ -47,12 +47,12 @@ particular produced file, extra dependencies, include directories needed, or C macros to be defined. All their values in all the build.info throughout the source tree are -collected together and form a set of programs, libraries, engines and +collected together and form a set of programs, libraries, modules and scripts to be produced, source files, dependencies, etc etc etc. Let's have a pretend example, a very limited contraption of OpenSSL, composed of the program 'apps/openssl', the libraries 'libssl' and -'libcrypto', an engine 'engines/ossltest' and their sources and +'libcrypto', an module 'engines/ossltest' and their sources and dependencies. # build.info @@ -120,22 +120,22 @@ This is the build.info file in 'ssl/', and it tells us that the library 'libssl' is built from the source file 'ssl/tls.c'. # engines/build.info -ENGINES=dasync +MODULES=dasync SOURCE[dasync]=e_dasync.c DEPEND[dasync]=../libcrypto INCLUDE[dasync]=../include -
[openssl-commits] [openssl] master update
The branch master has been updated via a43ce58f5569a160272c492c680f2e42d38ec769 (commit) from 9d5560331d86c6463e965321f774e4eed582ce0b (commit) - Log - commit a43ce58f5569a160272c492c680f2e42d38ec769 Author: Shane Lontis Date: Thu Aug 16 12:36:01 2018 +1000 Updated test command line parsing to support commmon commands Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6975) --- Summary of changes: apps/apps.c | 270 -- apps/apps.h | 362 +-- apps/apps_ui.c | 197 +++ apps/apps_ui.h | 28 +++ apps/build.info | 3 +- crypto/conf/conf_lcl.h => apps/fmt.c | 8 +- apps/fmt.h | 44 + apps/opt.c | 190 +++--- apps/{apps.h => opt.h} | 316 ++ test/asynciotest.c | 2 + test/bftest.c| 47 +++-- test/bioprinttest.c | 33 +++- test/bntest.c| 11 ++ test/build.info | 11 +- test/clienthellotest.c | 2 + test/cmsapitest.c| 11 ++ test/conf_include_test.c | 36 +++- test/curve448_internal_test.c| 52 +++-- test/d2i_test.c | 6 +- test/danetest.c | 6 +- test/dtlstest.c | 2 + test/ecstresstest.c | 62 +++--- test/evp_test.c | 6 +- test/fatalerrtest.c | 2 + test/gosttest.c | 2 + test/ocspapitest.c | 4 +- test/recipes/90-test_includes.t | 2 +- test/recordlentest.c | 2 + test/ssl_test.c | 2 + test/ssl_test_ctx_test.c | 6 +- test/sslapitest.c| 3 + test/sslbuffertest.c | 2 + test/sslcorrupttest.c| 6 +- test/testutil.h | 95 +++-- test/testutil/driver.c | 179 +++-- test/testutil/main.c | 86 + test/testutil/options.c | 64 +++ test/testutil/test_options.c | 21 ++ test/testutil/tu_local.h | 12 +- test/tls13ccstest.c | 2 + test/uitest.c| 6 +- test/v3ext.c | 4 +- test/verify_extra_test.c | 6 +- test/x509_check_cert_pkey_test.c | 17 +- test/x509_dup_cert_test.c| 8 +- test/x509aux.c | 7 +- 46 files changed, 1061 insertions(+), 1182 deletions(-) create mode 100644 apps/apps_ui.c create mode 100644 apps/apps_ui.h copy crypto/conf/conf_lcl.h => apps/fmt.c (59%) create mode 100644 apps/fmt.h copy apps/{apps.h => opt.h} (56%) create mode 100644 
test/testutil/options.c create mode 100644 test/testutil/test_options.c diff --git a/apps/apps.c b/apps/apps.c index 39535e9..44a90a3 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -54,9 +54,6 @@ typedef struct { unsigned long mask; } NAME_EX_TBL; -static UI_METHOD *ui_method = NULL; -static const UI_METHOD *ui_fallback_method = NULL; - static int set_table_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL * in_tbl); static int set_multi_opts(unsigned long *flags, const char *arg, @@ -173,179 +170,12 @@ int dump_cert_text(BIO *out, X509 *x) return 0; } -static int ui_open(UI *ui) -{ -int (*opener)(UI *ui) = UI_method_get_opener(ui_fallback_method); - -if (opener) -return opener(ui); -return 1; -} - -static int ui_read(UI *ui, UI_STRING *uis) -{ -int (*reader)(UI *ui, UI_STRING *uis) = NULL; - -if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD -&& UI_get0_user_data(ui)) { -switch (UI_get_string_type(uis)) { -case UIT_PROMPT: -case UIT_VERIFY: -{ -const char *password = -((PW_CB_DATA *)UI_get0_user_data(ui))->password; -if (password && password[0] != '\0') { -UI_set_result(ui, uis, password); -return 1; -} -} -break; -case UIT_NONE: -case UIT_BOOLEAN: -case UIT_INFO: -case UIT_ERROR: -break; -} -} - -reader = UI_method_get_reader(ui_fallback_method); -if (reader) -return reader(ui, uis); -return 1; -} - -static int ui_write(UI *ui, UI_STRING *uis) -{ -int (*writer)(UI *ui, UI_STRING *uis) = NULL; - -if
[openssl-commits] [openssl] master update
The branch master has been updated via 9d5560331d86c6463e965321f774e4eed582ce0b (commit) from 2beb004b24ff524d1f27e71994cdcfffb85d7075 (commit) - Log - commit 9d5560331d86c6463e965321f774e4eed582ce0b Author: Tomas Mraz Date: Fri Feb 1 14:32:36 2019 +0100 Allow the syntax of the .include directive to optionally have '=' If the old openssl versions not supporting the .include directive load a config file with it, they will bail out with error. This change allows using the .include = syntax which is interpreted as variable assignment by the old openssl config file parser. Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8141) --- Summary of changes: crypto/conf/conf_def.c | 7 ++- doc/man5/config.pod| 7 +++ test/recipes/90-test_includes.t| 4 +++- .../{includes-file.cnf => includes-eq-ws.cnf} | 2 +- .../90-test_includes_data/{includes-file.cnf => includes-eq.cnf} | 2 +- 5 files changed, 18 insertions(+), 4 deletions(-) copy test/recipes/90-test_includes_data/{includes-file.cnf => includes-eq-ws.cnf} (66%) copy test/recipes/90-test_includes_data/{includes-file.cnf => includes-eq.cnf} (68%) diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c index 8a34218..594f7c5 100644 --- a/crypto/conf/conf_def.c +++ b/crypto/conf/conf_def.c @@ -348,10 +348,15 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) psection = section; } p = eat_ws(conf, end); -if (strncmp(pname, ".include", 8) == 0 && p != pname + 8) { +if (strncmp(pname, ".include", 8) == 0 +&& (p != pname + 8 || *p == '=')) { char *include = NULL; BIO *next; +if (*p == '=') { +p++; +p = eat_ws(conf, p); +} trim_ws(conf, p); if (!str_copy(conf, psection, , p)) goto err; diff --git a/doc/man5/config.pod b/doc/man5/config.pod index 275d96c..3d0842c 100644 --- a/doc/man5/config.pod +++ b/doc/man5/config.pod 
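Review bot: The directive test in the `def_load_bio` hunk is still a prefix match, `strncmp(pname, ".include", 8) == 0`, so now that `=` is accepted a line such as `.includes = path` reads like an ordinary assignment yet appears to be handled as an include of `path`. Assuming `end` marks the end of the name token (it is assigned outside the hunk), requiring an exact name would close this: `if (end == pname + 8 && strncmp(pname, ".include", 8) == 0 && (p != end || *p == '='))`. The new `=` branch also lets `.include =` with nothing after it reach `str_copy` with an empty path. Whether that is rejected later is not visible here, so an explicit empty-path check after `trim_ws` would be worth adding. The body of `def_load_bio` starts and ends outside the hunk.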
@@ -42,6 +42,13 @@ working directory so unless the configuration file containing the B<.include> directive is application specific the inclusion will not work as expected. +There can be optional B<=> character and whitespace characters between +B<.include> directive and the path which can be useful in cases the +configuration file needs to be loaded by old OpenSSL versions which do +not support the B<.include> syntax. They would bail out with error +if the B<=> character is not present but with it they just ignore +the include. + Each section in a configuration file consists of a number of name and value pairs of the form B diff --git a/test/recipes/90-test_includes.t b/test/recipes/90-test_includes.t index 5169700..c6a86fc 100644 --- a/test/recipes/90-test_includes.t +++ b/test/recipes/90-test_includes.t @@ -11,11 +11,13 @@ plan skip_all => "test_includes doesn't work without posix-io" if disabled("posix-io"); plan tests => # The number of tests being performed -3 +5 + ($^O eq "VMS" ? 2 : 0); ok(run(test(["conf_include_test", data_file("includes.cnf")])), "test directory includes"); ok(run(test(["conf_include_test", data_file("includes-file.cnf")])), "test file includes"); +ok(run(test(["conf_include_test", data_file("includes-eq.cnf")])), "test includes with equal character"); +ok(run(test(["conf_include_test", data_file("includes-eq-ws.cnf")])), "test includes with equal and whitespaces"); if ($^O eq "VMS") { ok(run(test(["conf_include_test", data_file("vms-includes.cnf")])), "test directory includes, VMS syntax"); diff --git a/test/recipes/90-test_includes_data/includes-file.cnf b/test/recipes/90-test_includes_data/includes-eq-ws.cnf similarity index 66% copy from test/recipes/90-test_includes_data/includes-file.cnf copy to test/recipes/90-test_includes_data/includes-eq-ws.cnf index 1737b70..38109a7 100644 --- a/test/recipes/90-test_includes_data/includes-file.cnf +++ b/test/recipes/90-test_includes_data/includes-eq-ws.cnf 
@@ -2,4 +2,4 @@ # Example configuration file using includes. # -.include includes.cnf +.include = conf-includes diff --git a/test/recipes/90-test_includes_data/includes-file.cnf b/test/recipes/90-test_includes_data/includes-eq.cnf similarity index 68% copy from test/recipes/90-test_includes_data/includes-file.cnf copy to test/recipes/90-test_includes_data/includes-eq.cnf index 1737b70..9d37158 100644 --- a/test/recipes/90-test_includes_data/includes-file.cnf +++
[openssl-commits] [openssl] master update
The branch master has been updated via 758229f7d22775d7547e3b3b886b7f6a289c6897 (commit) from 1980ce45d6bdd2b57df7003d6b56b5df560b9064 (commit) - Log - commit 758229f7d22775d7547e3b3b886b7f6a289c6897 Author: Daniel DeFreez Date: Thu Feb 7 09:55:14 2019 -0800 Fix null pointer dereference in ssl_module_init CLA: Trivial Reviewed-by: Paul Yang Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8183) --- Summary of changes: crypto/conf/conf_ssl.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/crypto/conf/conf_ssl.c b/crypto/conf/conf_ssl.c
index a1b24b2..d703f73 100644
--- a/crypto/conf/conf_ssl.c
+++ b/crypto/conf/conf_ssl.c
@@ -78,6 +78,8 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
 cnt = sk_CONF_VALUE_num(cmd_lists);
 ssl_module_free(md);
 ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt);
+if (ssl_names == NULL)
+goto err;
 ssl_names_count = cnt;
 for (i = 0; i < ssl_names_count; i++) {
 struct ssl_conf_name_st *ssl_name = ssl_names + i;
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
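Review bot: The new `if (ssl_names == NULL) goto err;` leaves `ssl_module_init` without recording why it failed, so a configuration load that dies here gives the operator nothing on the error queue to act on. Raising the allocation failure before the jump would fix that, e.g. `CONFerr(CONF_F_SSL_MODULE_INIT, ERR_R_MALLOC_FAILURE);`. What the `err:` label does is outside the hunk, so this assumes it does not raise an error itself. Note also that `ssl_module_free(md)` has already run by this point, so any previously loaded names are gone when the allocation fails; allocating first and freeing the old table only on success would keep the earlier state intact.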
[openssl-commits] [openssl] master update
The branch master has been updated via 2beb004b24ff524d1f27e71994cdcfffb85d7075 (commit) from 758229f7d22775d7547e3b3b886b7f6a289c6897 (commit) - Log - commit 2beb004b24ff524d1f27e71994cdcfffb85d7075 Author: Pauli Date: Thu Jan 24 12:22:48 2019 +1000 Fix comment typo Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8196) --- Summary of changes: crypto/rsa/rsa_lib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index 994978b..0848936 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -181,7 +181,7 @@ static const unsigned int c1_923 = 0x07b126;/* scale * 1.923 */ static const unsigned int c4_690 = 0x12c28f;/* scale * 4.690 */ /* - * Multiply two scale integers together and rescale the result. + * Multiply two scaled integers together and rescale the result. */ static ossl_inline uint64_t mul2(uint64_t a, uint64_t b) { _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 1980ce45d6bdd2b57df7003d6b56b5df560b9064 (commit) via 2aa2beb06cc25c1f8accdc3d87b946205becfd86 (commit) from b1522fa5ef676b7af0128eab3eee608af3416182 (commit) - Log - commit 1980ce45d6bdd2b57df7003d6b56b5df560b9064 Author: Todd Short Date: Wed Feb 6 09:28:22 2019 -0500 Update d2i_PrivateKey documentation Reviewed-by: Paul Yang Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8168) commit 2aa2beb06cc25c1f8accdc3d87b946205becfd86 Author: Todd Short Date: Mon Feb 4 16:04:11 2019 -0500 Fix d2i_PublicKey() for EC keys o2i_ECPublicKey() requires an EC_KEY structure filled with an EC_GROUP. o2i_ECPublicKey() is called by d2i_PublicKey(). In order to fulfill the o2i_ECPublicKey()'s requirement, d2i_PublicKey() needs to be called with an EVP_PKEY with an EC_KEY containing an EC_GROUP. However, the call to EVP_PKEY_set_type() frees any existing key structure inside the EVP_PKEY, thus freeing the EC_KEY with the EC_GROUP that o2i_ECPublicKey() needs. This means you can't d2i_PublicKey() for an EC key... The fix is to check to see if the type is already set appropriately, and if so, not call EVP_PKEY_set_type(). Reviewed-by: Paul Yang Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8168) --- Summary of changes: crypto/asn1/d2i_pu.c| 2 +- doc/man3/d2i_PrivateKey.pod | 18 +++--- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/crypto/asn1/d2i_pu.c b/crypto/asn1/d2i_pu.c index 73093a6..8876878 100644 --- a/crypto/asn1/d2i_pu.c +++ b/crypto/asn1/d2i_pu.c @@ -32,7 +32,7 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp, } else ret = *a; -if (!EVP_PKEY_set_type(ret, type)) { +if (type != EVP_PKEY_id(ret) && !EVP_PKEY_set_type(ret, type)) { ASN1err(ASN1_F_D2I_PUBLICKEY, ERR_R_EVP_LIB); goto err; } diff --git a/doc/man3/d2i_PrivateKey.pod b/doc/man3/d2i_PrivateKey.pod index 87ac8a8..eab98b3 100644 --- a/doc/man3/d2i_PrivateKey.pod 
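Review bot: Skipping `EVP_PKEY_set_type()` whenever `type == EVP_PKEY_id(ret)` means a caller-supplied `*a` now keeps its existing key object for every key type, not only EC. The `switch` that decodes the key is outside the hunk; if any branch there assigns a freshly decoded key over `ret->pkey.*` rather than decoding into the existing object, the old object is leaked on each reuse. Those branches should be checked, or the skip limited to the case the commit message describes: `if ((type != EVP_PKEY_EC || type != EVP_PKEY_id(ret)) && !EVP_PKEY_set_type(ret, type))`. The summary of changes lists no test file, so a regression test that decodes an EC public key into a prepared `EVP_PKEY` would pin the fix.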
+++ b/doc/man3/d2i_PrivateKey.pod @@ -50,15 +50,19 @@ If the B<*a> is not NULL when calling d2i_PrivateKey() or d2i_AutoPrivateKey() (i.e. an existing structure is being reused) and the key format is PKCS#8 then B<*a> will be freed and replaced on a successful call. +To decode a key with type B, d2i_PublicKey() requires B<*a> to be +a non-NULL EVP_PKEY structure assigned an EC_KEY structure referencing the proper +EC_GROUP. + =head1 RETURN VALUES -d2i_PrivateKey() and d2i_AutoPrivateKey() return a valid B structure -or B if an error occurs. The error code can be obtained by calling -L. +The d2i_PrivateKey(), d2i_AutoPrivateKey(), d2i_PrivateKey_bio(), d2i_PrivateKey_fp(), +and d2i_PublicKey() functions return a valid B structure or B if an +error occurs. The error code can be obtained by calling L. -i2d_PrivateKey() returns the number of bytes successfully encoded or a -negative value if an error occurs. The error code can be obtained by calling -L. +i2d_PrivateKey() and i2d_PublicKey() return the number of bytes successfully +encoded or a negative value if an error occurs. The error code can be obtained +by calling L. =head1 SEE ALSO @@ -67,7 +71,7 @@ L =head1 COPYRIGHT -Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via b1522fa5ef676b7af0128eab3eee608af3416182 (commit) from 03cdfe1efaf2a3b5192b8cb3ef331939af7bfeb8 (commit) - Log - commit b1522fa5ef676b7af0128eab3eee608af3416182 Author: Pauli Date: Fri Dec 21 12:03:19 2018 +1000 Address a bug in the DRBG tests where the reseeding wasn't properly reinstantiating the DRBG. Bug reported by Doug Gibbons. Reviewed-by: Paul Yang (Merged from https://github.com/openssl/openssl/pull/8184) --- Summary of changes: test/drbgtest.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/drbgtest.c b/test/drbgtest.c index c788f19..362a1d2 100644 --- a/test/drbgtest.c +++ b/test/drbgtest.c @@ -429,7 +429,7 @@ static int error_check(DRBG_SELFTEST_DATA *td) */ /* Test explicit reseed with too large additional input */ -if (!init(drbg, td, ) +if (!instantiate(drbg, td, ) || RAND_DRBG_reseed(drbg, td->adin, drbg->max_adinlen + 1, 0) > 0) goto err; @@ -440,7 +440,7 @@ static int error_check(DRBG_SELFTEST_DATA *td) goto err; /* Test explicit reseed with too much entropy */ -if (!init(drbg, td, )) +if (!instantiate(drbg, td, )) goto err; t.entropylen = drbg->max_entropylen + 1; if (!TEST_int_le(RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0), 0) @@ -448,7 +448,7 @@ static int error_check(DRBG_SELFTEST_DATA *td) goto err; /* Test explicit reseed with too little entropy */ -if (!init(drbg, td, )) +if (!instantiate(drbg, td, )) goto err; t.entropylen = drbg->min_entropylen - 1; if (!TEST_int_le(RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0), 0) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 03cdfe1efaf2a3b5192b8cb3ef331939af7bfeb8 (commit) from ef45aa14c5af024fcb8bef1c9007f3d1c115bd85 (commit) - Log - commit 03cdfe1efaf2a3b5192b8cb3ef331939af7bfeb8 Author: Richard Levitte Date: Wed Feb 6 20:51:47 2019 +0100 test/drbgtest.c: call OPENSSL_thread_stop() explicitly The manual says this in its notes: ... and therefore applications using static linking should also call OPENSSL_thread_stop() on each thread. ... Fixes #8171 Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/8173) --- Summary of changes: test/drbgtest.c | 10 ++ 1 file changed, 10 insertions(+) diff --git a/test/drbgtest.c b/test/drbgtest.c index 4546f63..c788f19 100644 --- a/test/drbgtest.c +++ b/test/drbgtest.c @@ -839,6 +839,11 @@ typedef HANDLE thread_t; static DWORD WINAPI thread_run(LPVOID arg) { run_multi_thread_test(); +/* + * Because we're linking with a static library, we must stop each + * thread explicitly, or so says OPENSSL_thread_stop(3) + */ +OPENSSL_thread_stop(); return 0; } @@ -860,6 +865,11 @@ typedef pthread_t thread_t; static void *thread_run(void *arg) { run_multi_thread_test(); +/* + * Because we're linking with a static library, we must stop each + * thread explicitly, or so says OPENSSL_thread_stop(3) + */ +OPENSSL_thread_stop(); return NULL; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via ef45aa14c5af024fcb8bef1c9007f3d1c115bd85 (commit) from f2ed96dac01421f1e660e353e8e257f2d0b7424a (commit) - Log - commit ef45aa14c5af024fcb8bef1c9007f3d1c115bd85 Author: Matt Caswell Date: Tue Feb 5 14:25:18 2019 + Make OPENSSL_malloc_init() a no-op Making this a no-op removes a potential infinite loop than can occur in some situations. Fixes #2865 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8167) --- Summary of changes: doc/man3/OPENSSL_malloc.pod | 6 ++ include/openssl/crypto.h| 9 ++--- 2 files changed, 4 insertions(+), 11 deletions(-) diff --git a/doc/man3/OPENSSL_malloc.pod b/doc/man3/OPENSSL_malloc.pod index e17ff63..f1de27a 100644 --- a/doc/man3/OPENSSL_malloc.pod +++ b/doc/man3/OPENSSL_malloc.pod @@ -90,10 +90,8 @@ generally macro's that add the standard C B<__FILE__> and B<__LINE__> parameters and call a lower-level B API. Some functions do not add those parameters, but exist for consistency. -OPENSSL_malloc_init() sets the lower-level memory allocation functions -to their default implementation. -It is generally not necessary to call this, except perhaps in certain -shared-library situations. +OPENSSL_malloc_init() does nothing and does not need to be called. It is +included for compatibility with older versions of OpenSSL. OPENSSL_malloc(), OPENSSL_realloc(), and OPENSSL_free() are like the C malloc(), realloc(), and free() functions. diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h index f912302..cbde3d5 100644 --- a/include/openssl/crypto.h +++ b/include/openssl/crypto.h 
@@ -109,13 +109,8 @@ DEFINE_STACK_OF(void) # define CRYPTO_EX_INDEX_DRBG15 # define CRYPTO_EX_INDEX__COUNT 16 -/* - * This is the default callbacks, but we can have others as well: this is - * needed in Win32 where the application malloc and the library malloc may - * not be the same. - */ -#define OPENSSL_malloc_init() \ -CRYPTO_set_mem_functions(CRYPTO_malloc, CRYPTO_realloc, CRYPTO_free) +/* No longer needed, so this is a no-op */ +#define OPENSSL_malloc_init() while(0) continue int CRYPTO_mem_ctrl(int mode); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
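Review bot: The replacement `#define OPENSSL_malloc_init() while(0) continue` is a statement, whereas the removed definition expanded to a call to `CRYPTO_set_mem_functions(...)`, an expression with a value, so application code that tests that value (for example `if (!OPENSSL_malloc_init())`) stops compiling. The macro also no longer restores the default allocator callbacks, so a program that installed its own allocators and relied on this call to reset them now silently keeps the custom ones. Both are caller-visible changes, and the summary lists only the man page and this header, so I would add a CHANGES entry and widen the comment to `/* No longer needed, so this is a no-op: it does not reset the memory callbacks and yields no value */`.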
[openssl-commits] [openssl] master update
The branch master has been updated via f2ed96dac01421f1e660e353e8e257f2d0b7424a (commit) from 8269e44f9e40831a497fe9f31ba1d65aeb49a5c1 (commit) - Log - commit f2ed96dac01421f1e660e353e8e257f2d0b7424a Author: Antoine Salon Date: Wed Feb 6 11:49:19 2019 -0800 Add CHANGES entry for blake2mac Signed-off-by: Antoine Salon Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8172) --- Summary of changes: CHANGES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGES b/CHANGES index 7c678b4..9d712f0 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,9 @@ Changes between 1.1.1 and 3.0.0 [xx XXX ] + *) Add keyed BLAKE2 to EVP_MAC. + [Antoine Salon] + *) Fix a bug in the computation of the endpoint-pair shared secret used by DTLS over SCTP. This breaks interoperability with older versions of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 8269e44f9e40831a497fe9f31ba1d65aeb49a5c1 (commit) via b215db236c6668c785bd99787b3fd07d5b2e6a10 (commit) via 33e113b0cbd9a0845f6f8a63e8aad558a897cac6 (commit) via 13b3cd7bc77d5d9297a755727100aee22d3e22b6 (commit) via d1ad7c834e10543b3d1ecb36ccbd110384063b8f (commit) via c3a261f8d31c1d04db01de36eccfe001b4ca0368 (commit) via fc3c0223e8a70bfe8f8aefc98b819f7d852f3594 (commit) via 18568864169d970bcbda300e76f6fb1a1015a0d5 (commit) from df4439186fb70ce72668d472943dbcd057df8f30 (commit) - Log - commit 8269e44f9e40831a497fe9f31ba1d65aeb49a5c1 Author: Antoine Salon Date: Mon Jan 7 15:09:55 2019 -0800 blake2: avoid writing to output buffer when using default digest length Signed-off-by: Antoine Salon Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7726) commit b215db236c6668c785bd99787b3fd07d5b2e6a10 Author: Antoine Salon Date: Thu Dec 20 15:36:40 2018 -0800 blake2: add evpmac test vectors Signed-off-by: Antoine Salon Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7726) commit 33e113b0cbd9a0845f6f8a63e8aad558a897cac6 Author: Antoine Salon Date: Thu Dec 20 15:36:07 2018 -0800 blake2: backport changes to blake2s Signed-off-by: Antoine Salon Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7726) commit 13b3cd7bc77d5d9297a755727100aee22d3e22b6 Author: Antoine Salon Date: Thu Dec 20 15:34:22 2018 -0800 blake2: add EVP_MAC man page Signed-off-by: Antoine Salon Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7726) commit d1ad7c834e10543b3d1ecb36ccbd110384063b8f Author: Antoine Salon Date: Thu Dec 20 15:32:58 2018 -0800 blake2: register MAC objects Signed-off-by: Antoine Salon Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7726) commit 
c3a261f8d31c1d04db01de36eccfe001b4ca0368 Author: Antoine Salon Date: Thu Dec 20 15:28:10 2018 -0800 blake2b: add EVP_MAC API Signed-off-by: Antoine Salon Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7726) commit fc3c0223e8a70bfe8f8aefc98b819f7d852f3594 Author: Antoine Salon Date: Thu Dec 20 15:20:00 2018 -0800 blake2b: add support for parameter setting and keyed hash The param block structure is used as a container for parameter values Added blake2b keyed init Signed-off-by: Antoine Salon Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7726) commit 18568864169d970bcbda300e76f6fb1a1015a0d5 Author: Antoine Salon Date: Thu Dec 20 15:08:23 2018 -0800 blake2: add implementation support for variable digest length Signed-off-by: Antoine Salon Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7726) --- Summary of changes: crypto/blake2/blake2_locl.h | 27 ++- crypto/blake2/blake2b.c | 78 +++- crypto/blake2/blake2b_mac.c | 190 ++ crypto/blake2/blake2s.c | 81 ++-- crypto/blake2/blake2s_mac.c | 190 ++ crypto/blake2/build.info | 2 +- crypto/blake2/m_blake2b.c | 8 +- crypto/blake2/m_blake2s.c | 8 +- crypto/err/openssl.txt| 5 + crypto/evp/c_allm.c | 4 + crypto/evp/evp_err.c | 6 + crypto/include/internal/evp_int.h | 2 + crypto/objects/obj_dat.h | 12 +- crypto/objects/obj_mac.num| 2 + crypto/objects/objects.txt| 2 + doc/man3/EVP_MAC.pod | 17 +- doc/man7/{EVP_MAC_KMAC.pod => EVP_MAC_BLAKE2.pod} | 52 +++-- include/openssl/evp.h | 3 + include/openssl/evperr.h | 5 + include/openssl/obj_mac.h | 8 + test/evp_test.c | 26 ++- test/recipes/30-test_evp_data/evpmac.txt | 230 ++ 22 files changed, 897 insertions(+), 61 deletions(-) create mode 100644 crypto/blake2/blake2b_mac.c
[openssl-commits] [openssl] master update
The branch master has been updated via df4439186fb70ce72668d472943dbcd057df8f30 (commit) from d6f4b0a8bfbe901c72294d8923eb5b6f54ca7732 (commit) - Log - commit df4439186fb70ce72668d472943dbcd057df8f30 Author: Sam Roberts Date: Thu Jan 31 09:55:30 2019 -0800 Remove unnecessary trailing whitespace Trim trailing whitespace. It doesn't match OpenSSL coding standards, AFAICT, and it can cause problems with git tooling. Trailing whitespace remains in test data and external source. Reviewed-by: Kurt Roeckx Reviewed-by: Matthias St. Pierre Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8092) --- Summary of changes: CHANGES | 2 +- CONTRIBUTING | 2 +- Configurations/00-base-templates.conf| 2 +- Configurations/50-win-onecore.conf | 2 +- Configurations/README| 2 +- Configurations/README.design | 8 Configurations/descrip.mms.tmpl | 2 +- Configurations/unix-Makefile.tmpl| 2 +- NOTES.ANDROID| 2 +- NOTES.DJGPP | 4 ++-- NOTES.VMS| 2 +- apps/ct_log_list.cnf | 4 ++-- apps/demoSRP/srp_verifier.txt| 2 +- apps/dh1024.pem | 2 +- apps/dh2048.pem | 4 ++-- apps/dh4096.pem | 4 ++-- apps/openssl-vms.cnf | 4 ++-- apps/openssl.cnf | 4 ++-- apps/s_client.c | 4 ++-- config | 16 crypto/bn/asm/ia64.S | 4 ++-- crypto/bn/asm/sparcv8plus.S | 4 ++-- crypto/bn/bn_ctx.c | 4 ++-- crypto/cryptlib.c| 6 +++--- crypto/des/asm/des_enc.m4| 4 ++-- crypto/ec/curve448/point_448.h | 14 +++--- crypto/engine/README | 2 +- crypto/engine/eng_lib.c | 2 +- crypto/evp/e_aes.c | 2 +- crypto/objects/objects.txt | 2 +- crypto/pem/pem_info.c| 2 +- crypto/srp/srp_vfy.c | 2 +- demos/bio/accept.cnf | 2 +- demos/bio/connect.cnf| 2 +- demos/bio/descrip.mms| 2 +- demos/certs/README | 2 +- demos/certs/apps/mkxcerts.sh | 2 +- demos/certs/mkcerts.sh | 2 +- doc/HOWTO/certificates.txt | 2 +- doc/HOWTO/proxy_certificates.txt | 2 +- doc/fingerprints.txt | 2 +- doc/man1/ca.pod | 2 +- doc/man1/s_server.pod| 2 +- doc/man3/EVP_PKEY_asn1_get_count.pod | 2 +- doc/man3/HMAC.pod| 2 +- 
doc/man3/SSL_CTX_set0_CA_list.pod| 2 +- doc/man3/SSL_CTX_set_ctlog_list_file.pod | 2 +- doc/man3/SSL_read_early_data.pod | 2 +- include/internal/thread_once.h | 12 ++-- include/internal/tsan_assist.h | 2 +- test/README.external | 2 +- test/build.info | 2 +- test/rdrand_sanitytest.c | 4 ++-- test/servername_test.c | 2 +- test/testutil/main.c | 2 +- test/tls13secretstest.c | 2 +- util/indent.pro | 2 +- util/openssl-format-source | 28 ++-- util/perl/TLSProxy/Alert.pm | 2 +- util/perl/TLSProxy/Message.pm| 4 ++-- util/perl/TLSProxy/Record.pm | 2 +- util/perl/TLSProxy/ServerHello.pm| 4 ++-- util/perl/TLSProxy/ServerKeyExchange.pm | 2 +- 63 files changed, 113 insertions(+), 113 deletions(-) diff --git a/CHANGES b/CHANGES index a72daba..7c678b4 100644 --- a/CHANGES +++ b/CHANGES @@ -74,7 +74,7 @@ implementations. This includes a generic EVP_PKEY to EVP_MAC bridge, to facilitate the continued use of MACs through raw private keys in functionality such as EVP_DigestSign* and EVP_DigestVerify*. - [Richard Levitte] + [Richard Levitte] *) Deprecate ECDH_KDF_X9_62() and mark its replacement as internal. Users should use the EVP interface instead (EVP_PKEY_CTX_set_ecdh_kdf_type). diff --git a/CONTRIBUTING b/CONTRIBUTING index 639c3cf..250bbdb 100644 --- a/CONTRIBUTING +++ b/CONTRIBUTING @@ -57,7 +57,7 @@ guidelines: 7. For user visible changes (API changes, behaviour changes, ...), consider adding a note in CHANGES. This could be a summarising description of the
[openssl-commits] [openssl] master update
The branch master has been updated via d6f4b0a8bfbe901c72294d8923eb5b6f54ca7732 (commit) from 3499327bad401eb510d76266428923d06c9c7bb7 (commit) - Log - commit d6f4b0a8bfbe901c72294d8923eb5b6f54ca7732 Author: Patrick Steuer Date: Mon Feb 6 10:54:54 2017 +0100 crypto/poly1305/asm/poly1305-s390x.pl: add vx code path. Signed-off-by: Patrick Steuer Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7991) --- Summary of changes: crypto/poly1305/asm/poly1305-s390x.pl | 944 -- 1 file changed, 780 insertions(+), 164 deletions(-) diff --git a/crypto/poly1305/asm/poly1305-s390x.pl b/crypto/poly1305/asm/poly1305-s390x.pl index 21ca860..390f9ee 100755 --- a/crypto/poly1305/asm/poly1305-s390x.pl +++ b/crypto/poly1305/asm/poly1305-s390x.pl 
@@ -24,204 +24,820 @@ # # On side note, z13 enables vector base 2^26 implementation... -$flavour = shift; +# +# January 2019 +# +# Add vx code path (base 2^26). +# +# Copyright IBM Corp. 2019 +# Author: Patrick Steuer +use strict; +use FindBin qw($Bin); +use lib "$Bin/../.."; +use perlasm::s390x qw(:DEFAULT :VX AUTOLOAD LABEL); + +my $flavour = shift; + +my ($z,$SIZE_T); if ($flavour =~ /3[12]/) { + $z=0; # S/390 ABI $SIZE_T=4; - $g=""; } else { + $z=1; # zSeries ABI $SIZE_T=8; - $g="g"; } +my $output; while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} -open STDOUT,">$output"; -$sp="%r15"; +my $sp="%r15"; + +# novx code path ctx layout +# - +# var value baseoff +# - +# u64 h[3] hash2^64 0 +# u32 pad[2] +# u64 r[2] key 2^64 32 + +# vx code path ctx layout +# - +# var value baseoff +# - +# u32 acc1[5] r^2-acc 2^26 0 +# u32 pad +# u32 acc2[5] r-acc 2^26 24 +# u32 pad +# u32 r1[5]r 2^26 48 +# u32 r15[5] 5*r 2^26 68 +# u32 r2[5]r^2 2^26 88 +# u32 r25[5] 5*r^2 2^26108 +# u32 r4[5]r^4 2^26128 +# u32 r45[5] 5*r^4 2^26148 + +PERLASM_BEGIN($output); + +TEXT (); + + +# static void poly1305_init(void *ctx, const unsigned char key[16]) +{ +my ($ctx,$key)=map("%r$_",(2..3)); +my ($r0,$r1,$r2)=map("%r$_",(9,11,13)); -my ($ctx,$inp,$len,$padbit) = map("%r$_",(2..5)); +sub MUL_RKEY { # r*=key +my ($d0hi,$d0lo,$d1hi,$d1lo)=map("%r$_",(4..7)); +my ($t0,$t1,$s1)=map("%r$_",(8,10,12)); + + lg ("%r0","32($ctx)"); + lg ("%r1","40($ctx)"); + + srlg($s1,"%r1",2); + algr($s1,"%r1"); + + lgr ($d0lo,$r0); + lgr ($d1lo,$r1); + + mlgr($d0hi,"%r0"); + lgr ($r1,$d1lo); + mlgr($d1hi,$s1); + + mlgr($t0,"%r1"); + mlgr($t1,"%r0"); + + algr($d0lo,$d1lo); + lgr ($d1lo,$r2); + alcgr ($d0hi,$d1hi); + lghi($d1hi,0); + + algr($r1,$r0); + alcgr ($t1,$t0); + + msgr($d1lo,$s1); + msgr($r2,"%r0"); + + algr($r1,$d1lo); + alcgr ($t1,$d1hi); + + algr($r1,$d0hi); + alcgr ($r2,$t1); + + lghi($r0,-4); + ngr ($r0,$r2); + srlg($t0,$r2,2); + algr($r0,$t0); + lghi($t1,3); + ngr ($r2,$t1); + + algr($r0,$d0lo); + 
alcgr ($r1,$d1hi); + alcgr ($r2,$d1hi); +} + +sub ST_R5R { # store r,5*r -> base 2^26 +my @d=map("%r$_",(4..8)); +my @off=@_; + + lgr (@d[2],$r0); + lr ("%r1",@d[2]); + nilh("%r1",1023); + lgr (@d[3],$r1); + lr (@d[0],"%r1"); + srlg("%r1",@d[2],52); + lgr (@d[4],$r2); + srlg("%r0",@d[2],26); + sll (@d[4],24); + lr (@d[2],@d[3]); + nilh("%r0",1023); + sll (@d[2],12); + lr (@d[1],"%r0"); +(@d[2],"%r1"); + srlg("%r1",@d[3],40); + nilh(@d[2],1023); +(@d[4],"%r1"); + srlg(@d[3],@d[3],14); + nilh(@d[4],1023); + nilh(@d[3],1023); + + stm (@d[0],@d[4],"@off[0]($ctx)"); + mhi (@d[$_],5) for (0..4); + stm (@d[0],@d[4],"@off[1]($ctx)"); +} -$code.=<<___; -.text - -.globl poly1305_init -.type poly1305_init,\@function -.align 16 -poly1305_init: - lghi%r0,0 - lghi%r1,-1 - stg %r0,0($ctx) # zero hash value - stg %r0,8($ctx) - stg %r0,16($ctx) - - cl${g}r $inp,%r0 - je .Lno_key - - lrvg%r4,0($inp) # load little-endian key - lrvg%r5,8($inp) - - nihl%r1,0xffc0
[openssl-commits] [openssl] master update
The branch master has been updated via 3499327bad401eb510d76266428923d06c9c7bb7 (commit) from 66a60003719240399f6596e58c239df0465a4f70 (commit) - Log - commit 3499327bad401eb510d76266428923d06c9c7bb7 Author: Sam Roberts Date: Fri Feb 1 15:06:26 2019 -0800 Make some simple getters take const SSL/SSL_CTX Reviewed-by: Kurt Roeckx Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8145) --- Summary of changes: doc/man3/SSL_CTX_set_record_padding_callback.pod | 4 ++-- doc/man3/SSL_CTX_set_ssl_version.pod | 2 +- doc/man3/SSL_key_update.pod | 4 ++-- include/openssl/ssl.h| 20 ++-- ssl/ssl_lib.c| 20 ++-- 5 files changed, 25 insertions(+), 25 deletions(-) diff --git a/doc/man3/SSL_CTX_set_record_padding_callback.pod b/doc/man3/SSL_CTX_set_record_padding_callback.pod index 4bf87c8..3df6621 100644 --- a/doc/man3/SSL_CTX_set_record_padding_callback.pod +++ b/doc/man3/SSL_CTX_set_record_padding_callback.pod @@ -19,10 +19,10 @@ SSL_set_block_padding - install callback to specify TLS 1.3 record padding void SSL_set_record_padding_callback(SSL *ssl, size_t (*cb)(SSL *s, int type, size_t len, void *arg)); void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg); - void *SSL_CTX_get_record_padding_callback_arg(SSL_CTX *ctx); + void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx); void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg); - void *SSL_get_record_padding_callback_arg(SSL *ssl); + void *SSL_get_record_padding_callback_arg(const SSL *ssl); int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size); int SSL_set_block_padding(SSL *ssl, size_t block_size); diff --git a/doc/man3/SSL_CTX_set_ssl_version.pod b/doc/man3/SSL_CTX_set_ssl_version.pod index 0671b53..b410731 100644 --- a/doc/man3/SSL_CTX_set_ssl_version.pod +++ b/doc/man3/SSL_CTX_set_ssl_version.pod 
@@ -11,7 +11,7 @@ SSL_CTX_set_ssl_version, SSL_set_ssl_method, SSL_get_ssl_method int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *method); int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method); - const SSL_METHOD *SSL_get_ssl_method(SSL *ssl); + const SSL_METHOD *SSL_get_ssl_method(const SSL *ssl); =head1 DESCRIPTION diff --git a/doc/man3/SSL_key_update.pod b/doc/man3/SSL_key_update.pod index 6102143..f95d89e 100644 --- a/doc/man3/SSL_key_update.pod +++ b/doc/man3/SSL_key_update.pod @@ -14,11 +14,11 @@ SSL_renegotiate_pending #include int SSL_key_update(SSL *s, int updatetype); - int SSL_get_key_update_type(SSL *s); + int SSL_get_key_update_type(const SSL *s); int SSL_renegotiate(SSL *s); int SSL_renegotiate_abbreviated(SSL *s); - int SSL_renegotiate_pending(SSL *s); + int SSL_renegotiate_pending(const SSL *s); =head1 DESCRIPTION diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index dc7285f..35311ac 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h 
@@ -1931,17 +1931,17 @@ __owur STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s); __owur int SSL_do_handshake(SSL *s); int SSL_key_update(SSL *s, int updatetype); -int SSL_get_key_update_type(SSL *s); +int SSL_get_key_update_type(const SSL *s); int SSL_renegotiate(SSL *s); int SSL_renegotiate_abbreviated(SSL *s); -__owur int SSL_renegotiate_pending(SSL *s); +__owur int SSL_renegotiate_pending(const SSL *s); int SSL_shutdown(SSL *s); __owur int SSL_verify_client_post_handshake(SSL *s); void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val); void SSL_set_post_handshake_auth(SSL *s, int val); -__owur const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx); -__owur const SSL_METHOD *SSL_get_ssl_method(SSL *s); +__owur const SSL_METHOD *SSL_CTX_get_ssl_method(const SSL_CTX *ctx); +__owur const SSL_METHOD *SSL_get_ssl_method(const SSL *s); __owur int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method); __owur const char *SSL_alert_type_string_long(int value); __owur const char *SSL_alert_type_string(int value); @@ -2089,8 +2089,8 @@ void SSL_set_tmp_dh_callback(SSL *ssl, int keylength)); # endif -__owur const COMP_METHOD *SSL_get_current_compression(SSL *s); -__owur const COMP_METHOD *SSL_get_current_expansion(SSL *s); +__owur const COMP_METHOD *SSL_get_current_compression(const SSL *s); +__owur const COMP_METHOD *SSL_get_current_expansion(const SSL *s); __owur const char *SSL_COMP_get_name(const COMP_METHOD *comp); __owur const char *SSL_COMP_get0_name(const SSL_COMP *comp); __owur int SSL_COMP_get_id(const SSL_COMP *comp); @@ -2134,20 +2134,20 @@ void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx, size_t (*cb) (SSL *ssl, int type,
[openssl-commits] [openssl] master update
The branch master has been updated via 66a60003719240399f6596e58c239df0465a4f70 (commit) from adc7e221f12462c6e10bc7c2c7afaf52490cb292 (commit) - Log - commit 66a60003719240399f6596e58c239df0465a4f70 Author: Matthias Kraft Date: Mon Feb 4 09:55:07 2019 +0100 Fix Invalid Argument return code from IP_Factory in connect_to_server(). Fixes #7732 Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8158) --- Summary of changes: util/perl/TLSProxy/Proxy.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm index 3821385..a583e63 100644 --- a/util/perl/TLSProxy/Proxy.pm +++ b/util/perl/TLSProxy/Proxy.pm @@ -44,7 +44,7 @@ BEGIN $s->close(); }; if ($@ eq "") { -$IP_factory = sub { IO::Socket::INET6->new(@_); }; +$IP_factory = sub { IO::Socket::INET6->new(Domain => AF_INET6, @_); }; $have_IPv6 = 1; } else { eval { _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
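Review bot: The new `Domain => AF_INET6` argument in the `$IP_factory` closure carries no comment, so the reason for it (the "Invalid Argument" failure in connect_to_server() reported in #7732) is recorded only in the commit message. I would add `# Pin the address family; without it new() can fail with "Invalid argument" (see #7732)` above the assignment. Because the pair is placed before `@_`, a caller that passes its own `Domain` would presumably still override it; that looks intended, but it is worth saying so in the same comment. The enclosing BEGIN block starts and ends outside the hunk.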
[openssl-commits] [openssl] master update
The branch master has been updated via adc7e221f12462c6e10bc7c2c7afaf52490cb292 (commit) from 1039c7825535d8219b88372b7ad4a3b94c42605d (commit) - Log - commit adc7e221f12462c6e10bc7c2c7afaf52490cb292 Author: batist73 Date: Sat Feb 2 13:45:06 2019 +0300 Android build: fix usage of NDK home variable ($ndk_var) CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8153) --- Summary of changes: Configurations/15-android.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Configurations/15-android.conf b/Configurations/15-android.conf index c94da41..7b496a4 100644 --- a/Configurations/15-android.conf +++ b/Configurations/15-android.conf @@ -24,7 +24,8 @@ my $ndk_var; my $ndk; -foreach $ndk_var (qw(ANDROID_NDK_HOME ANDROID_NDK)) { +foreach (qw(ANDROID_NDK_HOME ANDROID_NDK)) { +$ndk_var = $_; $ndk = $ENV{$ndk_var}; last if defined $ndk; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
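Review bot: The copy `$ndk_var = $_;` looks redundant without an explanation of why the loop no longer iterates over `$ndk_var` directly. Perl's foreach localizes its loop variable and restores it on exit, so the earlier form lost the name after the loop; a comment such as `# foreach restores its loop variable on exit; copy $_ so $ndk_var survives the loop` would stop someone from "simplifying" it back. Note also that when neither environment variable is set, the loop now ends with `$ndk_var` holding the last name tried (`ANDROID_NDK`) while `$ndk` is undefined, so code after the hunk that reports `$ndk_var` should test `$ndk` first; that code is not visible here.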
[openssl-commits] [openssl] master update
The branch master has been updated via 1039c7825535d8219b88372b7ad4a3b94c42605d (commit) from b2aea0e3d9a15e30ebce8b6da213df4a3f346155 (commit) - Log - commit 1039c7825535d8219b88372b7ad4a3b94c42605d Author: Richard Levitte Date: Mon Feb 4 07:55:56 2019 +0100 Build: correct assembler generation in crypto/rc4/build.info In the removal of BEGINRAW / ENDRAW, attention to the difference between capital .S and lowercase .s wasn't duly paid. This corrects the error. Fixes #8155 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8157) --- Summary of changes: crypto/rc4/build.info | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/rc4/build.info b/crypto/rc4/build.info index 9941e6e..8d272e4 100644 --- a/crypto/rc4/build.info +++ b/crypto/rc4/build.info @@ -10,5 +10,5 @@ GENERATE[rc4-x86_64.s]=asm/rc4-x86_64.pl $(PERLASM_SCHEME) GENERATE[rc4-md5-x86_64.s]=asm/rc4-md5-x86_64.pl $(PERLASM_SCHEME) GENERATE[rc4-parisc.s]=asm/rc4-parisc.pl $(PERLASM_SCHEME) -GENERATE[rc4-c64xplus.S]=asm/rc4-c64xplus.pl $(PERLASM_SCHEME) -GENERATE[rc4-s390x.S]=asm/rc4-s390x.pl $(PERLASM_SCHEME) +GENERATE[rc4-c64xplus.s]=asm/rc4-c64xplus.pl $(PERLASM_SCHEME) +GENERATE[rc4-s390x.s]=asm/rc4-s390x.pl $(PERLASM_SCHEME) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via b2aea0e3d9a15e30ebce8b6da213df4a3f346155 (commit) from 1050f687226d43720da59a22b9afe45a4840659e (commit) - Log - commit b2aea0e3d9a15e30ebce8b6da213df4a3f346155 Author: Bernd Edlinger Date: Wed Jan 30 16:20:31 2019 +0100 Add an entry to the CHANGES for the d2i_X509_PUBKEY fix The commit 5dc40a83c74be579575a512b30d9c1e0364e6a7b forgot to add a short description to the CHANGES file. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8144) --- Summary of changes: CHANGES | 4 1 file changed, 4 insertions(+) diff --git a/CHANGES b/CHANGES index 20b1f5c..a72daba 100644 --- a/CHANGES +++ b/CHANGES @@ -16,6 +16,10 @@ interoperability with such broken implementations. However, enabling this switch breaks interoperability with correct implementations. + *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a + re-used X509_PUBKEY object if the second PUBKEY is malformed. + [Bernd Edlinger] + *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0(). [Richard Levitte] _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 1050f687226d43720da59a22b9afe45a4840659e (commit) from 09d62b336d9e2a11b330d45d4f0f3f37cbb0d674 (commit) - Log - commit 1050f687226d43720da59a22b9afe45a4840659e Author: Richard Levitte Date: Fri Feb 1 10:51:20 2019 +0100 VMS: Clean away stray debugging prints from descrip.mms.tmpl Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8140) --- Summary of changes: Configurations/descrip.mms.tmpl | 5 - 1 file changed, 5 deletions(-) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 46b9ffc..a0bc93d 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -102,9 +102,6 @@ return "$target : build_generated\n\t\pipe \$(MMS) \$(MMSQUALIFIERS) depend && \$(MMS) \$(MMSQUALIFIERS) _$target\n_$target"; } - #use Data::Dumper; - #print STDERR "DEBUG: before:\n", Dumper($unified_info{before}); - #print STDERR "DEBUG: after:\n", Dumper($unified_info{after}); ""; -} PLATFORM={- $config{target} -} @@ -1097,10 +1094,8 @@ EOF join("\n\t", "WRITE OPT_FILE \"CASE_SENSITIVE=YES\"", map { my @lines = (); use Data::Dumper; - print STDERR "DEBUG: ",Dumper($_); my $x = $_->{lib} =~ /\[/ ? $_->{lib} : "[]".$_->{lib}; - print STDERR "DEBUG: ",Dumper($x); if ($x =~ m|\.EXE$|) { push @lines, "\@ WRITE OPT_FILE \"$x/SHARE\""; } elsif ($x =~ m|\.OLB$|) { _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 09d62b336d9e2a11b330d45d4f0f3f37cbb0d674 (commit) from a28e4890eed847e6122a1c4d50653566e0813f45 (commit) - Log - commit 09d62b336d9e2a11b330d45d4f0f3f37cbb0d674 Author: Michael Tuexen Date: Wed Dec 26 12:44:53 2018 +0100 Fix end-point shared secret for DTLS/SCTP When computing the end-point shared secret, don't take the terminating NULL character into account. Please note that this fix breaks interoperability with older versions of OpenSSL, which are not fixed. Fixes #7956 Reviewed-by: Kurt Roeckx Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7957) --- Summary of changes: CHANGES| 7 ++ apps/s_client.c| 15 +++ apps/s_server.c| 17 ++- doc/man1/s_client.pod | 9 ++ doc/man1/s_server.pod | 9 ++ doc/man3/SSL_CTX_set_mode.pod | 9 ++ include/openssl/ssl.h | 12 +++ ssl/statem/statem_clnt.c | 16 ++- ssl/statem/statem_srvr.c | 16 ++- test/handshake_helper.c| 33 +- test/recipes/80-test_ssl_new.t | 3 +- test/ssl-tests/29-dtls-sctp-label-bug.conf | 116 + ...atus.conf.in => 29-dtls-sctp-label-bug.conf.in} | 57 -- test/ssl_test_ctx.c| 4 + test/ssl_test_ctx.h| 4 + 15 files changed, 286 insertions(+), 41 deletions(-) create mode 100644 test/ssl-tests/29-dtls-sctp-label-bug.conf copy test/ssl-tests/{16-dtls-certstatus.conf.in => 29-dtls-sctp-label-bug.conf.in} (54%) diff --git a/CHANGES b/CHANGES index 311d6c6..20b1f5c 100644 --- a/CHANGES +++ b/CHANGES 
@@ -9,6 +9,13 @@ Changes between 1.1.1 and 3.0.0 [xx XXX ] + *) Fix a bug in the computation of the endpoint-pair shared secret used + by DTLS over SCTP. This breaks interoperability with older versions + of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime + switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling + interoperability with such broken implementations. However, enabling + this switch breaks interoperability with correct implementations. + *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0(). [Richard Levitte] diff --git a/apps/s_client.c b/apps/s_client.c index 6e06f15..872496c 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -598,6 +598,7 @@ typedef enum OPTION_choice { #endif OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME, OPT_ENABLE_PHA, +OPT_SCTP_LABEL_BUG, OPT_R_ENUM } OPTION_CHOICE; @@ -754,6 +755,7 @@ const OPTIONS s_client_options[] = { #endif #ifndef OPENSSL_NO_SCTP {"sctp", OPT_SCTP, '-', "Use SCTP"}, +{"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"}, #endif #ifndef OPENSSL_NO_SSL_TRACE {"trace", OPT_TRACE, '-', "Show trace output of protocol messages"}, @@ -982,6 +984,9 @@ int s_client_main(int argc, char **argv) #endif char *psksessf = NULL; int enable_pha = 0; +#ifndef OPENSSL_NO_SCTP +int sctp_label_bug = 0; +#endif FD_ZERO(); FD_ZERO(); @@ -1335,6 +1340,11 @@ int s_client_main(int argc, char **argv) protocol = IPPROTO_SCTP; #endif break; +case OPT_SCTP_LABEL_BUG: +#ifndef OPENSSL_NO_SCTP +sctp_label_bug = 1; +#endif +break; case OPT_TIMEOUT: #ifndef OPENSSL_NO_DTLS enable_timeouts = 1; @@ -1729,6 +1739,11 @@ int s_client_main(int argc, char **argv) } } +#ifndef OPENSSL_NO_SCTP +if (protocol == IPPROTO_SCTP && sctp_label_bug == 1) +SSL_CTX_set_mode(ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG); +#endif + if (min_version != 0 && SSL_CTX_set_min_proto_version(ctx, min_version) == 0) goto end; diff --git a/apps/s_server.c b/apps/s_server.c index 8565a3a..fbbfd6c 100644 
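Review bot: `-sctp_label_bug` is parsed in every configuration, but the s_client.c hunk at -1729 applies it only when `protocol == IPPROTO_SCTP`, so giving the option without `-sctp` is accepted and silently does nothing. According to the CHANGES entry, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG deliberately restores the old shared-secret computation and breaks interoperability with correct peers, so a user should be told when the request was dropped, for example with `BIO_printf(bio_err, "-sctp_label_bug ignored without -sctp\n");` in an else branch. The call itself deserves a comment such as `/* Interop only: reproduces the pre-fix label length, breaks correct peers */`, and the test `sctp_label_bug == 1` can simply be `sctp_label_bug`. s_client_main starts and ends outside these hunks.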
--- a/apps/s_server.c +++ b/apps/s_server.c @@ -751,7 +751,7 @@ typedef enum OPTION_choice { OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA, -OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, +OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, OPT_SCTP_LABEL_BUG, OPT_R_ENUM, OPT_S_ENUM, OPT_V_ENUM, @@ -938,6 +938,7 @@ const OPTIONS s_server_options[] = { #endif #ifndef OPENSSL_NO_SCTP {"sctp", OPT_SCTP, '-', "Use SCTP"}, +{"sctp_label_bug",
[openssl-commits] [openssl] master update
The branch master has been updated via a28e4890eed847e6122a1c4d50653566e0813f45 (commit) via f8f3d624b7c71e8f5acbe373479a5b0f6b73d13f (commit) from 5dc40a83c74be579575a512b30d9c1e0364e6a7b (commit) - Log - commit a28e4890eed847e6122a1c4d50653566e0813f45 Author: Andy Polyakov Date: Wed Jan 23 14:56:19 2019 +0100 poly1305/asm/poly1305-ppc.pl: add vector base 2^26 implementation. Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8120) commit f8f3d624b7c71e8f5acbe373479a5b0f6b73d13f Author: Andy Polyakov Date: Wed Jan 23 15:03:23 2019 +0100 perlasm/ppc-xlate.pl: add VSX word load/store instructions. Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8120) --- Summary of changes: crypto/perlasm/ppc-xlate.pl |2 + crypto/poly1305/asm/poly1305-ppc.pl | 1552 --- crypto/ppccap.c | 11 +- 3 files changed, 1454 insertions(+), 111 deletions(-) diff --git a/crypto/perlasm/ppc-xlate.pl b/crypto/perlasm/ppc-xlate.pl index 1c972a1..e52f2f6 100755 --- a/crypto/perlasm/ppc-xlate.pl +++ b/crypto/perlasm/ppc-xlate.pl @@ -273,6 +273,8 @@ my $mtvrwz = sub { my ($f, $vrt, $ra) = @_; " .long ".sprintf "0x%X",(31<<26)|($vrt<<21)|($ra<<16)|(243<<1)|1; }; +my $lvwzx_u= sub { vsxmem_op(@_, 12); }; # lxsiwzx +my $stvwx_u= sub { vsxmem_op(@_, 140); }; # stxsiwx # PowerISA 3.0 stuff my $maddhdu= sub { vfour(@_,49); }; diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl index e9118ba..9f15c0d 100755 --- a/crypto/poly1305/asm/poly1305-ppc.pl +++ b/crypto/poly1305/asm/poly1305-ppc.pl 
@@ -8,10 +8,10 @@ # # -# Written by Andy Polyakov for the OpenSSL -# project. The module is, however, dual licensed under OpenSSL and -# CRYPTOGAMS licenses depending on where you obtain it. For further -# details see http://www.openssl.org/~appro/cryptogams/. +# Written by Andy Polyakov, @dot-asm, initially for use in the OpenSSL +# project. The module is dual licensed under OpenSSL and CRYPTOGAMS +# licenses depending on where you obtain it. For further details see +# https://github.com/dot-asm/cryptogams/. # # # This module implements Poly1305 hash for PowerPC. @@ -44,6 +44,13 @@ # # On side note, Power ISA 2.07 enables vector base 2^26 implementation, # and POWER8 might have capacity to break 1.0 cycle per byte barrier... +# +# January 2019 +# +# ... Unfortunately not:-( Estimate was a projection of ARM result, +# but ARM has vector multiply-n-add instruction, while PowerISA does +# not, not one usable in the context. Improvement is ~40% over -m64 +# result above and is ~1.43 on little-endian systems. $flavour = shift; @@ -99,6 +106,7 @@ $code.=<<___; std r0,0($ctx) # zero hash value std r0,8($ctx) std r0,16($ctx) + stw r0,24($ctx) # clear is_base2_26 $UCMP $inp,r0 beq-Lno_key @@ -140,6 +148,7 @@ Lno_key: .globl .poly1305_blocks .align 4 .poly1305_blocks: +Lpoly1305_blocks: srdi. $len,$len,4 beq-Labort 
@@ -238,60 +247,120 @@ Labort: .long 0 .byte 0,12,4,1,0x80,5,4,0 .size .poly1305_blocks,.-.poly1305_blocks +___ +{ +my ($h0,$h1,$h2,$h3,$h4,$t0) = map("r$_",(7..12)); +$code.=<<___; .globl .poly1305_emit -.align 4 +.align 5 .poly1305_emit: - ld $h0,0($ctx) # load hash - ld $h1,8($ctx) - ld $h2,16($ctx) - ld $padbit,0($nonce) # load nonce - ld $nonce,8($nonce) - - addic $d0,$h0,5 # compare to modulus - addze $d1,$h1 - addze $d2,$h2 - - srdi$mask,$d2,2 # did it carry/borrow? - neg $mask,$mask + lwz $h0,0($ctx) # load hash value base 2^26 + lwz $h1,4($ctx) + lwz $h2,8($ctx) + lwz $h3,12($ctx) + lwz $h4,16($ctx) + lwz r0,24($ctx) # is_base2_26 + + sldi$h1,$h1,26 # base 2^26 -> base 2^64 + sldi$t0,$h2,52 + srdi$h2,$h2,12 + sldi$h3,$h3,14 + add $h0,$h0,$h1 + addc$h0,$h0,$t0 + sldi$t0,$h4,40 + srdi$h4,$h4,24 + adde$h1,$h2,$h3 + addc$h1,$h1,$t0 + addze $h2,$h4 + + ld $h3,0($ctx) # load hash value base 2^64 + ld $h4,8($ctx) + ld $t0,16($ctx) + + neg r0,r0 + xor $h0,$h0,$h3 # choose between radixes + xor $h1,$h1,$h4 +
[openssl-commits] [openssl] master update
The branch master has been updated via 5dc40a83c74be579575a512b30d9c1e0364e6a7b (commit) from 53649022509129bce8036c8fb4978dbce9432a86 (commit) - Log - commit 5dc40a83c74be579575a512b30d9c1e0364e6a7b Author: Bernd Edlinger Date: Wed Jan 30 16:20:31 2019 +0100 Fix a crash in reuse of i2d_X509_PUBKEY If the second PUBKEY is malformed there is use after free. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8122) --- Summary of changes: crypto/x509/x_pubkey.c | 1 + test/evp_extra_test.c | 49 + 2 files changed, 50 insertions(+) diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c index f980af7..be42684 100644 --- a/crypto/x509/x_pubkey.c +++ b/crypto/x509/x_pubkey.c @@ -36,6 +36,7 @@ static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, /* Attempt to decode public key and cache in pubkey structure. */ X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval; EVP_PKEY_free(pubkey->pkey); +pubkey->pkey = NULL; /* * Opportunistically decode the key but remove any non fatal errors * from the queue. Subsequent explicit attempts to decode/use the key diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index eefebd5..eac0c43 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c 
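Review bot: The added `pubkey->pkey = NULL;` in crypto/x509/x_pubkey.c has no comment tying it to the failure path it protects. The decode that follows `EVP_PKEY_free(pubkey->pkey)` is described in the context comment as opportunistic, so it may not assign a new key, and without the reset a reused X509_PUBKEY would keep pointing at the freed one. I would add `/* Reset so a failed decode below cannot leave a dangling pkey */` directly above the new line. pubkey_cb starts and ends outside the hunk.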
@@ -299,6 +299,21 @@ static const unsigned char kExampleECPubKeyDER[] = { 0x56, 0x6a, 0xc6, 0xc8, 0xa5, 0x0b, 0xe5 }; +/* + * kExampleBadECKeyDER is a sample EC public key with a wrong OID + * 1.2.840.10045.2.2 instead of 1.2.840.10045.2.1 - EC Public Key + */ +static const unsigned char kExampleBadECPubKeyDER[] = { +0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, +0x02, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, +0x42, 0x00, 0x04, 0xba, 0xeb, 0x83, 0xfb, 0x3b, 0xb2, 0xff, 0x30, 0x53, +0xdb, 0xce, 0x32, 0xf2, 0xac, 0xae, 0x44, 0x0d, 0x3d, 0x13, 0x53, 0xb8, +0xd1, 0x68, 0x55, 0xde, 0x44, 0x46, 0x05, 0xa6, 0xc9, 0xd2, 0x04, 0xb7, +0xe3, 0xa2, 0x96, 0xc8, 0xb2, 0x5e, 0x22, 0x03, 0xd7, 0x03, 0x7a, 0x8b, +0x13, 0x5c, 0x42, 0x49, 0xc2, 0xab, 0x86, 0xd6, 0xac, 0x6b, 0x93, 0x20, +0x56, 0x6a, 0xc6, 0xc8, 0xa5, 0x0b, 0xe5 +}; + static const unsigned char pExampleECParamDER[] = { 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 }; @@ -963,6 +978,37 @@ static int test_HKDF(void) return ret; } +#ifndef OPENSSL_NO_EC +static int test_X509_PUBKEY_inplace(void) +{ + int ret = 0; + X509_PUBKEY *xp = NULL; + const unsigned char *p = kExampleECPubKeyDER; + size_t input_len = sizeof(kExampleECPubKeyDER); + + if (!TEST_ptr(xp = d2i_X509_PUBKEY(NULL, , input_len))) +goto done; + + if (!TEST_ptr(X509_PUBKEY_get0(xp))) +goto done; + + p = kExampleBadECPubKeyDER; + input_len = sizeof(kExampleBadECPubKeyDER); + + if (!TEST_ptr(xp = d2i_X509_PUBKEY(, , input_len))) +goto done; + + if (!TEST_true(X509_PUBKEY_get0(xp) == NULL)) +goto done; + + ret = 1; + +done: + X509_PUBKEY_free(xp); + return ret; +} +#endif + int setup_tests(void) { ADD_TEST(test_EVP_DigestSignInit); 
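Review bot: The comment above the new array names it `kExampleBadECKeyDER`, but the declaration is `kExampleBadECPubKeyDER`; the comment should use the declared name so a search for the identifier finds its description. In `test_X509_PUBKEY_inplace` the second `d2i_X509_PUBKEY` call is wrapped in `TEST_ptr`, so the test expects the outer structure to decode and only the cached key to be missing. That expectation is not obvious and I would state it before the final check, e.g. `/* Outer structure parses; the inner key is rejected, so get0 must return NULL */`.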
@@ -987,5 +1033,8 @@ int setup_tests(void) return 0; ADD_ALL_TESTS(test_EVP_PKEY_check, OSSL_NELEM(keycheckdata)); ADD_TEST(test_HKDF); +#ifndef OPENSSL_NO_EC +ADD_TEST(test_X509_PUBKEY_inplace); +#endif return 1; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 53649022509129bce8036c8fb4978dbce9432a86 (commit) from a727627922b8a9ec6628ffaa2054b4b3833d674b (commit) - Log - commit 53649022509129bce8036c8fb4978dbce9432a86 Author: Bernd Edlinger Date: Tue Jan 29 19:51:59 2019 +0100 Fixed d2i_X509 in-place not re-hashing the ex_flags Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8116) --- Summary of changes: crypto/x509/x_x509.c | 23 +++ test/x509aux.c | 9 + 2 files changed, 32 insertions(+) diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c index 596e1e4..bf0270e 100644 --- a/crypto/x509/x_x509.c +++ b/crypto/x509/x_x509.c @@ -40,12 +40,35 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, switch (operation) { +case ASN1_OP_D2I_PRE: +CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509, ret, >ex_data); +X509_CERT_AUX_free(ret->aux); +ASN1_OCTET_STRING_free(ret->skid); +AUTHORITY_KEYID_free(ret->akid); +CRL_DIST_POINTS_free(ret->crldp); +policy_cache_free(ret->policy_cache); +GENERAL_NAMES_free(ret->altname); +NAME_CONSTRAINTS_free(ret->nc); +#ifndef OPENSSL_NO_RFC3779 +sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free); +ASIdentifiers_free(ret->rfc3779_asid); +#endif + +/* fall thru */ + case ASN1_OP_NEW_POST: +ret->ex_cached = 0; +ret->ex_kusage = 0; +ret->ex_xkusage = 0; +ret->ex_nscert = 0; ret->ex_flags = 0; ret->ex_pathlen = -1; ret->ex_pcpathlen = -1; ret->skid = NULL; ret->akid = NULL; +ret->policy_cache = NULL; +ret->altname = NULL; +ret->nc = NULL; #ifndef OPENSSL_NO_RFC3779 ret->rfc3779_addr = NULL; ret->rfc3779_asid = NULL; diff --git a/test/x509aux.c b/test/x509aux.c index a9764ef..4488aa6 100644 --- a/test/x509aux.c +++ b/test/x509aux.c @@ -30,6 +30,7 @@ static int test_certs(int num) typedef int (*i2d_X509_t)(X509 *, unsigned char **); int err = 0; BIO *fp = BIO_new_file(test_get_argument(num), "r"); +X509 *reuse = NULL; if (!TEST_ptr(fp)) return 0; 
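Review bot: The new `ASN1_OP_D2I_PRE` case frees `ret->aux` and `ret->crldp`, but the part of the `ASN1_OP_NEW_POST` fall-through visible in this hunk resets only `skid`, `akid`, `policy_cache`, `altname`, `nc` and the RFC 3779 fields. The case continues past the hunk, so please confirm that `aux` and `crldp` are set to NULL there as well; if they are not, a decode that fails after this point would leave pointers to freed objects in the reused X509. A comment above the fall-through, such as `/* Reuse: release everything cached from the previous certificate, then reinitialise as for a new object */`, would make the pairing of each free with its reset easier to audit. The same check applies to `crl_number`, `base_crl_number` and `issuers` in the `ASN1_OP_D2I_PRE` case added to crypto/x509/x_crl.c further down this page.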
@@ -91,6 +92,13 @@ static int test_certs(int num) err = 1; goto next; } +p = buf; +reuse = d2i(, , enclen); +if (reuse == NULL || X509_cmp (reuse, cert)) { +TEST_error("X509_cmp does not work with %s", name); +err = 1; +goto next; +} OPENSSL_free(buf); buf = NULL; @@ -139,6 +147,7 @@ static int test_certs(int num) OPENSSL_free(data); } BIO_free(fp); +X509_free(reuse); if (ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) { /* Reached end of PEM file */ _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via a727627922b8a9ec6628ffaa2054b4b3833d674b (commit) from 62b563b9df161a992fde18a0cb0d1a0969158412 (commit) - Log - commit a727627922b8a9ec6628ffaa2054b4b3833d674b Author: Bernd Edlinger Date: Tue Jan 29 14:16:28 2019 +0100 Fix a memory leak with di2_X509_CRL reuse Additionally avoid undefined behavior with in-place memcpy in X509_CRL_digest. Fixes #8099 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8112) --- Summary of changes: crypto/x509/x_crl.c | 12 test/crltest.c | 15 +++ 2 files changed, 27 insertions(+) diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c index 89e13e8..3984f01 100644 --- a/crypto/x509/x_crl.c +++ b/crypto/x509/x_crl.c @@ -158,6 +158,18 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, int idx; switch (operation) { +case ASN1_OP_D2I_PRE: +if (crl->meth->crl_free) { +if (!crl->meth->crl_free(crl)) +return 0; +} +AUTHORITY_KEYID_free(crl->akid); +ISSUING_DIST_POINT_free(crl->idp); +ASN1_INTEGER_free(crl->crl_number); +ASN1_INTEGER_free(crl->base_crl_number); +sk_GENERAL_NAMES_pop_free(crl->issuers, GENERAL_NAMES_free); +/* fall thru */ + case ASN1_OP_NEW_POST: crl->idp = NULL; crl->akid = NULL; diff --git a/test/crltest.c b/test/crltest.c index 3b0fab7..6a2ef4e 100644 --- a/test/crltest.c +++ b/test/crltest.c @@ -357,6 +357,20 @@ static int test_unknown_critical_crl(int n) return r; } +static int test_reuse_crl(void) +{ +X509_CRL *reused_crl = CRL_from_strings(kBasicCRL); +char *p; +BIO *b = glue2bio(kRevokedCRL, ); + +reused_crl = PEM_read_bio_X509_CRL(b, _crl, NULL, NULL); + +OPENSSL_free(p); +BIO_free(b); +X509_CRL_free(reused_crl); +return 1; +} + int setup_tests(void) { if (!TEST_ptr(test_root = X509_from_strings(kCRLTestRoot)) 
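Review bot: `test_reuse_crl` in test/crltest.c returns a constant `1` and checks none of its steps, so it can only fail under a leak checker or sanitizer and passes even if the in-place read returns NULL. The results of `CRL_from_strings`, `glue2bio` and `PEM_read_bio_X509_CRL` should each go through `TEST_ptr`, with the function returning the combined result, for instance starting with `if (!TEST_ptr(reused_crl) || !TEST_ptr(b)) goto err;` and ending in `return r;`. A further assertion that the reused object now holds the revoked CRL's contents rather than the basic one would cover the behaviour the commit is fixing. If the test is meant to be leak-detector-only, a comment should say so.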
@@ -368,6 +382,7 @@ int setup_tests(void) ADD_TEST(test_bad_issuer_crl); ADD_TEST(test_known_critical_crl); ADD_ALL_TESTS(test_unknown_critical_crl, OSSL_NELEM(unknown_critical_crls)); +ADD_TEST(test_reuse_crl); return 1; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 62b563b9df161a992fde18a0cb0d1a0969158412 (commit) from a17089b0d750732d1b9d19ad924b3f8a2d7c3111 (commit) - Log - commit 62b563b9df161a992fde18a0cb0d1a0969158412 Author: Richard Levitte Date: Thu Jan 31 13:42:46 2019 +0100 Better phrasing around 1.1.0 Fixes #8129 Reviewed-by: Matt Caswell Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/8130) --- Summary of changes: INSTALL | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/INSTALL b/INSTALL index 2fd2235..1195643 100644 --- a/INSTALL +++ b/INSTALL @@ -973,10 +973,10 @@ * COMPILING existing applications - OpenSSL 1.1.0 hides a number of structures that were previously - open. This includes all internal libssl structures and a number - of EVP types. Accessor functions have been added to allow - controlled access to the structures' data. + Starting with version 1.1.0, OpenSSL hides a number of structures + that were previously open. This includes all internal libssl + structures and a number of EVP types. Accessor functions have + been added to allow controlled access to the structures' data. This means that some software needs to be rewritten to adapt to the new ways of doing things. This often amounts to allocating @@ -1079,7 +1079,7 @@ depend Rebuild the dependencies in the Makefiles. This is a legacy -option that no longer needs to be used in OpenSSL 1.1.0. +option that no longer needs to be used since OpenSSL 1.1.0. install Install all OpenSSL components. _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via a17089b0d750732d1b9d19ad924b3f8a2d7c3111 (commit) via fb3637d9ae260fa49615f4442127473d0ce27ebf (commit) via da7e31e0c7be390d37b84c6200afd802def700c5 (commit) via 77adb75e16142cd4da2af8814090a4f2c2bd5aea (commit) via 77550dbf7af4d31b915d076ee968cfc75e14a411 (commit) from d1dd5d6f4c2f13478aa45557b4546febd51f0cb3 (commit) - Log - commit a17089b0d750732d1b9d19ad924b3f8a2d7c3111 Author: Richard Levitte Date: Wed Jan 30 19:25:01 2019 +0100 Configure: clean away unused variables and double assignments Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8125) commit fb3637d9ae260fa49615f4442127473d0ce27ebf Author: Richard Levitte Date: Wed Jan 30 19:12:38 2019 +0100 Build: clean away RENAME and SHARED_NAME Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8125) commit da7e31e0c7be390d37b84c6200afd802def700c5 Author: Richard Levitte Date: Wed Jan 30 19:10:26 2019 +0100 Build: remove EXTRA We never used it for anything Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8125) commit 77adb75e16142cd4da2af8814090a4f2c2bd5aea Author: Richard Levitte Date: Wed Jan 30 18:58:01 2019 +0100 Build: Remove BEGINRAW / ENDRAW / OVERRIDE It was an ugly hack to avoid certain problems that are no more. Also added GENERATE lines for perlasm scripts that didn't have that explicitly. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8125) commit 77550dbf7af4d31b915d076ee968cfc75e14a411 Author: Richard Levitte Date: Wed Jan 30 18:18:34 2019 +0100 Build cleanup: Remove the VMS hack from test/build.info There was a hack specifically for VMS, which involved setting a make variable to indicate that test/libtestutil contains a 'main'. Instead, we use the new attributes 'has_main' to indicate this, and let the VMS build file template fend with it appropriately. 
Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8125) --- Summary of changes: Configurations/README | 43 - Configurations/README.design| 11 --- Configurations/common.tmpl | 4 Configurations/descrip.mms.tmpl | 39 - Configure | 43 ++--- crypto/aes/build.info | 11 +-- crypto/build.info | 3 --- crypto/chacha/build.info| 9 ++--- crypto/ec/build.info| 5 - crypto/modes/build.info | 7 +-- crypto/poly1305/build.info | 7 ++- crypto/rc4/build.info | 8 ++-- crypto/sha/build.info | 22 +++-- test/build.info | 9 + 14 files changed, 49 insertions(+), 172 deletions(-) diff --git a/Configurations/README b/Configurations/README index c1f80fe..1e4d545 100644 --- a/Configurations/README +++ b/Configurations/README @@ -413,7 +413,6 @@ variables: LIBS=libsomething ENGINES=libeng SCRIPTS=myhack -EXTRA=file1 file2 Note that the files mentioned for PROGRAMS, LIBS and ENGINES *must* be without extensions. The build file templates will figure them out. 
@@ -486,48 +485,6 @@ be used in that case: NOTE: GENERATE lines are limited to one command only per GENERATE. -As a last resort, it's possible to have raw build file lines, between -BEGINRAW and ENDRAW lines as follows: - -BEGINRAW[Makefile(unix)] -haha.h: {- $builddir -}/Makefile -echo "/* haha */" > haha.h -ENDRAW[Makefile(unix)] - -The word within square brackets is the build_file configuration item -or the build_file configuration item followed by the second word in the -build_scheme configuration item for the configured target within -parenthesis as shown above. For example, with the following relevant -configuration items: - - build_file => "build.ninja" - build_scheme => [ "unified", "unix" ] - -... these lines will be considered: - - BEGINRAW[build.ninja] - build haha.h: echo "/* haha */" > haha.h - ENDRAW[build.ninja] - - BEGINRAW[build.ninja(unix)] - build hoho.h: echo "/* hoho */" > hoho.h - ENDRAW[build.ninja(unix)] - -Should it be needed because the recipes within a RAW section might -clash with those generated by Configure, it's possible to tell it -not to generate them with the use of OVERRIDES, for example: - -SOURCE[libfoo]=foo.c bar.c - -OVERRIDES=bar.o -BEGINRAW[Makefile(unix)] -bar.o: bar.c - $(CC) $(CFLAGS) -DSPECIAL -c -o $@ $< -ENDRAW[Makefile(unix)] - -See the documentation further up for
[openssl-commits] [openssl] master update
The branch master has been updated via d1dd5d6f4c2f13478aa45557b4546febd51f0cb3 (commit) from e57120128fa4e2afa4bda5022a77f73a1e3a0b27 (commit) - Log - commit d1dd5d6f4c2f13478aa45557b4546febd51f0cb3 Author: Richard Levitte Date: Thu Jan 31 14:23:22 2019 +0100 VMS: force 'pinshared' VMS doesn't currently support unloading of shared object, and we need to reflect that. Without this, the shlibload test fails Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8131) --- Summary of changes: Configurations/10-main.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index 054e38c..859e3d9 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -1724,6 +1724,8 @@ my %targets = ( asflags => sub { vms_info()->{asflags} }, perlasm_scheme => sub { vms_info()->{perlasm_scheme} }, +disable => add('pinshared'), + apps_aux_src => "vms_term_sock.c", apps_init_src=> "vms_decc_init.c", }, _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via e57120128fa4e2afa4bda5022a77f73a1e3a0b27 (commit) from c4734493d7da404b1747195a805c8d536dbe6910 (commit) - Log - commit e57120128fa4e2afa4bda5022a77f73a1e3a0b27 Author: weinholtendian <45032224+weinholtend...@users.noreply.github.com> Date: Thu Jan 31 15:16:20 2019 +0800 Fix error message for s_server -psk option Previously if -psk was given a bad key it would print "Not a hex number 's_server'". CLA: Trivial Reviewed-by: Paul Yang Reviewed-by: Kurt Roeckx Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/8113) --- Summary of changes: apps/s_server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/s_server.c b/apps/s_server.c index 364f76b..8565a3a 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -1407,7 +1407,7 @@ int s_server_main(int argc, char *argv[]) for (p = psk_key = opt_arg(); *p; p++) { if (isxdigit(_UC(*p))) continue; -BIO_printf(bio_err, "Not a hex number '%s'\n", *argv); +BIO_printf(bio_err, "Not a hex number '%s'\n", psk_key); goto end; } break; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
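Review bot: The corrected message prints `psk_key`, which is the complete value given to `-psk`, on `bio_err`; a mistyped key is usually still most of the real pre-shared key, and stderr is commonly captured in logs. Reporting the failure without the value avoids that, for example `BIO_printf(bio_err, "Invalid -psk value: not a hex number\n");`. If the value must stay for debugging, a comment on the line should say that the secret is printed deliberately. `s_server_main` starts and ends outside the hunk.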
[openssl-commits] [openssl] master update
The branch master has been updated via c4734493d7da404b1747195a805c8d536dbe6910 (commit) from a97faad76a1be22eadd6c1a39972ad5e095d9e80 (commit) - Log - commit c4734493d7da404b1747195a805c8d536dbe6910 Author: Petr Vorel Date: Wed Jan 30 19:21:42 2019 +0100 Reuse already defined macros instead of duplicity the code. CLA: trivial Signed-off-by: Petr Vorel Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8127) --- Summary of changes: include/openssl/evp.h | 9 ++--- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 9f1dbd4..940a4b1 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -958,14 +958,9 @@ const EVP_CIPHER *EVP_sm4_ctr(void); | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL) # ifdef OPENSSL_LOAD_CONF -# define OpenSSL_add_all_algorithms() \ -OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \ -| OPENSSL_INIT_ADD_ALL_DIGESTS \ -| OPENSSL_INIT_LOAD_CONFIG, NULL) +# define OpenSSL_add_all_algorithms() OPENSSL_add_all_algorithms_conf() # else -# define OpenSSL_add_all_algorithms() \ -OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \ -| OPENSSL_INIT_ADD_ALL_DIGESTS, NULL) +# define OpenSSL_add_all_algorithms() OPENSSL_add_all_algorithms_noconf() # endif # define OpenSSL_add_all_ciphers() \ _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 40b64553f577716cb4898895f5fd4530a6266c75 (commit) from 522b11e969cbdc82eca369512275f227080a86fa (commit) - Log - commit 40b64553f577716cb4898895f5fd4530a6266c75 Author: Matt Caswell Date: Tue Jan 29 15:04:38 2019 + Complain if -twopass is used incorrectly The option -twopass to the pkcs12 app is ignored if -passin, -passout or -password is used. We should complain if an attempt is made to use it in combination with those options. Fixes #8107 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8114) --- Summary of changes: apps/pkcs12.c | 7 +++ doc/man1/pkcs12.pod | 3 ++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 94d6661..bf22aeb 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -311,6 +311,13 @@ int pkcs12_main(int argc, char **argv) if (cpass != NULL) { mpass = cpass; noprompt = 1; +if (twopass) { +if (export_cert) +BIO_printf(bio_err, "Option -twopass cannot be used with -passout or -password\n"); +else +BIO_printf(bio_err, "Option -twopass cannot be used with -passin or -password\n"); +goto end; +} } else { cpass = pass; mpass = macpass; diff --git a/doc/man1/pkcs12.pod b/doc/man1/pkcs12.pod index 67adaa1..b1b6884 100644 --- a/doc/man1/pkcs12.pod +++ b/doc/man1/pkcs12.pod @@ -154,7 +154,8 @@ Don't attempt to verify the integrity MAC before reading the file. Prompt for separate integrity and encryption passwords: most software always assumes these are the same so this option will render such -PKCS#12 files unreadable. +PKCS#12 files unreadable. Cannot be used in combination with the options +-password, -passin (if importing) or -passout (if exporting). =back _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 522b11e969cbdc82eca369512275f227080a86fa (commit) from fa6b1ee1115c1e5e3a8286d833dcbaa2c1ce2b77 (commit) - Log - commit 522b11e969cbdc82eca369512275f227080a86fa Author: Matt Caswell Date: Tue Jan 29 11:41:32 2019 + Fix no-dso builds Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8111) --- Summary of changes: test/recipes/90-test_shlibload.t | 1 + 1 file changed, 1 insertion(+) diff --git a/test/recipes/90-test_shlibload.t b/test/recipes/90-test_shlibload.t index 1f097ed..fee56cd 100644 --- a/test/recipes/90-test_shlibload.t +++ b/test/recipes/90-test_shlibload.t @@ -21,6 +21,7 @@ use platform; plan skip_all => "Test only supported in a shared build" if disabled("shared"); plan skip_all => "Test is disabled on AIX" if config('target') =~ m|^aix|; +plan skip_all => "Test only supported in a dso build" if disabled("dso"); plan tests => 10; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via fa6b1ee1115c1e5e3a8286d833dcbaa2c1ce2b77 (commit) from 6e826c471b7f0431391a4e9f9484f6ea2833774a (commit) - Log - commit fa6b1ee1115c1e5e3a8286d833dcbaa2c1ce2b77 Author: Matt Caswell Date: Mon Jan 28 17:17:59 2019 + Don't leak memory from ERR_add_error_vdata() If the call the ERR_set_error_data() in ERR_add_error_vdata() fails then a mem leak can occur. This commit checks that we successfully added the error data, and if not frees the buffer. Fixes #8085 Reviewed-by: Paul Yang (Merged from https://github.com/openssl/openssl/pull/8105) --- Summary of changes: crypto/err/err.c | 18 +++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/crypto/err/err.c b/crypto/err/err.c index 4505479..3aa3dae 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -791,20 +791,31 @@ int ERR_get_next_error_library(void) return ret; } -void ERR_set_error_data(char *data, int flags) +static int err_set_error_data_int(char *data, int flags) { ERR_STATE *es; int i; es = ERR_get_state(); if (es == NULL) -return; +return 0; i = es->top; err_clear_data(es, i); es->err_data[i] = data; es->err_data_flags[i] = flags; + +return 1; +} + +void ERR_set_error_data(char *data, int flags) +{ +/* + * This function is void so we cannot propagate the error return. Since it + * is also in the public API we can't change the return type. + */ +err_set_error_data_int(data, flags); } void ERR_add_error_data(int num, ...) @@ -844,7 +855,8 @@ void ERR_add_error_vdata(int num, va_list args) } OPENSSL_strlcat(str, a, (size_t)s + 1); } -ERR_set_error_data(str, ERR_TXT_MALLOCED | ERR_TXT_STRING); +if (!err_set_error_data_int(str, ERR_TXT_MALLOCED | ERR_TXT_STRING)) +OPENSSL_free(str); } int ERR_set_mark(void) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
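Review bot: The new `ERR_set_error_data()` wrapper discards the result of `err_set_error_data_int()`, so when `ERR_get_state()` returns NULL a caller that passed `ERR_TXT_MALLOCED` still loses its buffer, which is the same leak the second hunk fixes for `ERR_add_error_vdata()`. Since the wrapper cannot report failure, it could release the buffer itself: `if (!err_set_error_data_int(data, flags) && (flags & ERR_TXT_MALLOCED)) OPENSSL_free(data);`. That assumes every caller treats the call as an unconditional ownership transfer, which cannot be confirmed from these hunks; if it cannot be guaranteed, the comment in the wrapper should at least state that on failure `data` is neither stored nor freed. `ERR_add_error_vdata()` starts outside its hunk.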
[openssl-commits] [openssl] master update
The branch master has been updated via 6e826c471b7f0431391a4e9f9484f6ea2833774a (commit) from e85d19c68e7fb3302410bd72d434793e5c0c23a0 (commit) - Log - commit 6e826c471b7f0431391a4e9f9484f6ea2833774a Author: Richard Levitte Date: Mon Jan 28 14:53:19 2019 +0100 Android build: use ANDROID_NDK_HOME rather than ANDROID_NDK It apepars that ANDROID_NDK_HOME is the recommended standard environment variable for the NDK. We retain ANDROID_NDK as a fallback. Fixes #8101 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8103) --- Summary of changes: Configurations/15-android.conf | 19 --- NOTES.ANDROID | 14 +++--- 2 files changed, 19 insertions(+), 14 deletions(-) diff --git a/Configurations/15-android.conf b/Configurations/15-android.conf index 10342ed..c94da41 100644 --- a/Configurations/15-android.conf +++ b/Configurations/15-android.conf @@ -22,13 +22,18 @@ return $android_ndk = { bn_ops => "BN_AUTO" }; } -my $ndk = $ENV{ANDROID_NDK}; -die "\$ANDROID_NDK is not defined" if (!$ndk); +my $ndk_var; +my $ndk; +foreach $ndk_var (qw(ANDROID_NDK_HOME ANDROID_NDK)) { +$ndk = $ENV{$ndk_var}; +last if defined $ndk; +} +die "\$ANDROID_NDK_HOME is not defined" if (!$ndk); if (!-d "$ndk/platforms" && !-f "$ndk/AndroidVersion.txt") { # $ndk/platforms is traditional "all-inclusive" NDK, while # $ndk/AndroidVersion.txt is so-called standalone toolchain # tailored for specific target down to API level. -die "\$ANDROID_NDK=$ndk is invalid"; +die "\$ANDROID_NDK_HOME=$ndk is invalid"; } $ndk = canonpath($ndk); @@ -90,7 +95,7 @@ (my $tridefault = $triarch) =~ s/^arm-/$arm-/; (my $tritools = $triarch) =~ s/(?:x|i6)86(_64)?-.*/x86$1/; $cflags .= " -target $tridefault " -. "-gcc-toolchain \$(ANDROID_NDK)/toolchains" +. "-gcc-toolchain \$($ndk_var)/toolchains" . "/$tritools-4.9/prebuilt/$host"; $user{CC} = "clang" if ($user{CC} !~ m|clang|); $user{CROSS_COMPILE} = undef; 
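Review bot: `$ndk_var` is used as the `foreach` loop variable in the first 15-android.conf hunk, and Perl restores a loop variable to its previous value when the loop exits, so after `last` it is undef again even though it was declared with `my` before the loop. The later hunks (`@@ -90,7 +95,7 @@` and `@@ -127,13 +132,13 @@`) interpolate it in `\$($ndk_var)/toolchains`, the two `-isystem` flags and `--sysroot=`, which would then expand to `$()` in the generated flags. Iterating over `$_` and assigning keeps the chosen name: `foreach (qw(ANDROID_NDK_HOME ANDROID_NDK)) { $ndk_var = $_; $ndk = $ENV{$ndk_var}; last if defined $ndk; }`. The `is invalid` message also names `ANDROID_NDK_HOME` when the value came from the fallback variable; printing `$ndk_var` there would point the user at the variable actually read.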
@@ -127,13 +132,13 @@ die "no $incroot/$triarch" if (!-d "$incroot/$triarch"); $incroot =~ s|^$ndk/||; $cppflags = "-D__ANDROID_API__=$api"; -$cppflags .= " -isystem \$(ANDROID_NDK)/$incroot/$triarch"; -$cppflags .= " -isystem \$(ANDROID_NDK)/$incroot"; +$cppflags .= " -isystem \$($ndk_var)/$incroot/$triarch"; +$cppflags .= " -isystem \$($ndk_var)/$incroot"; } $sysroot =~ s|^$ndk/||; $android_ndk = { -cflags => "$cflags --sysroot=\$(ANDROID_NDK)/$sysroot", +cflags => "$cflags --sysroot=\$($ndk_var)/$sysroot", cppflags => $cppflags, bn_ops => $arch =~ m/64$/ ? "SIXTY_FOUR_BIT_LONG" : "BN_LLONG", diff --git a/NOTES.ANDROID b/NOTES.ANDROID index 6b4741c..eeacdad 100644 --- a/NOTES.ANDROID +++ b/NOTES.ANDROID @@ -23,7 +23,7 @@ platform. Though you still need to know the prefix to extend your PATH, in order to invoke $(CROSS_COMPILE)gcc and company. (Configure will fail and give you a hint if you get it wrong.) Apart from PATH adjustment - you need to set ANDROID_NDK environment to point at NDK directory + you need to set ANDROID_NDK_HOME environment to point at NDK directory as /some/where/android-ndk-. Both variables are significant at both configuration and compilation times. NDK customarily supports multiple Android API levels, e.g. android-14, android-21, etc. By default latest 
@@ -32,13 +32,13 @@ target platform version. For example, to compile for ICS on ARM with NDK 10d: -export ANDROID_NDK=/some/where/android-ndk-10d - PATH=$ANDROID_NDK/toolchains/arm-linux-androideabi-4.8/prebuilt/linux-x86_64/bin:$PATH +export ANDROID_NDK_HOME=/some/where/android-ndk-10d + PATH=$ANDROID_NDK_HOME/toolchains/arm-linux-androideabi-4.8/prebuilt/linux-x86_64/bin:$PATH ./Configure android-arm -D__ANDROID_API__=14 make Caveat lector! Earlier OpenSSL versions relied on additional CROSS_SYSROOT - variable set to $ANDROID_NDK/platforms/android-/arch- to + variable set to $ANDROID_NDK_HOME/platforms/android-/arch- to appoint headers-n-libraries' location. It's still recognized in order to facilitate migration from older projects. However, since API level appears in
[openssl-commits] [openssl] master update
The branch master has been updated via e85d19c68e7fb3302410bd72d434793e5c0c23a0 (commit) from 9f5a87fd665cb597fa1c1f4eef882d2d2f833e61 (commit) - Log - commit e85d19c68e7fb3302410bd72d434793e5c0c23a0 Author: Antonio Iacono Date: Wed Dec 12 23:08:49 2018 +0100 crypto/cms: Add support for CAdES Basic Electronic Signatures (CAdES-BES) A CAdES Basic Electronic Signature (CAdES-BES) contains, among other specifications, a collection of Signing Certificate reference attributes, stored in the signedData ether as ESS signing-certificate or as ESS signing-certificate-v2. These are described in detail in Section 5.7.2 of RFC 5126 - CMS Advanced Electronic Signatures (CAdES). This patch adds support for adding ESS signing-certificate[-v2] attributes to CMS signedData. Although it implements only a small part of the RFC, it is sufficient many cases to enable the `openssl cms` app to create signatures which comply with legal requirements of some European States (e.g Italy). Reviewed-by: Richard Levitte Reviewed-by: Matthias St. 
Pierre (Merged from https://github.com/openssl/openssl/pull/7893) --- Summary of changes: apps/cms.c | 8 +- crypto/build.info | 2 +- crypto/cms/cms_err.c | 4 + crypto/cms/cms_ess.c | 73 +- crypto/cms/cms_sd.c| 21 +++ crypto/err/err.c | 1 + crypto/err/err_all.c | 2 + crypto/err/openssl.ec | 1 + crypto/err/openssl.txt | 19 ++- crypto/ess/build.info | 3 + crypto/ess/ess_asn1.c | 57 crypto/ess/ess_err.c | 53 crypto/ess/ess_lib.c | 269 + crypto/include/internal/ess_int.h | 78 +++ crypto/ts/ts_asn1.c| 41 -- crypto/ts/ts_err.c | 14 +- crypto/ts/ts_lcl.h | 61 - crypto/ts/ts_rsp_sign.c| 250 +- crypto/ts/ts_rsp_verify.c | 32 + doc/man1/cms.pod | 41 ++ doc/man3/CMS_add1_signing_cert.pod | 45 +++ include/openssl/cms.h | 6 +- include/openssl/cmserr.h | 2 + include/openssl/err.h | 2 + include/openssl/ess.h | 80 +++ include/openssl/esserr.h | 38 ++ include/openssl/ts.h | 48 +-- include/openssl/tserr.h| 8 +- test/recipes/80-test_cms.t | 16 +++ util/libcrypto.num | 55 30 files changed, 852 insertions(+), 478 deletions(-) create mode 100644 crypto/ess/build.info create mode 100644 crypto/ess/ess_asn1.c create mode 100644 crypto/ess/ess_err.c create mode 100644 crypto/ess/ess_lib.c create mode 100644 crypto/include/internal/ess_int.h create mode 100644 doc/man3/CMS_add1_signing_cert.pod create mode 100644 include/openssl/ess.h create mode 100644 include/openssl/esserr.h diff --git a/apps/cms.c b/apps/cms.c index 8402a27..b2037b4 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -65,7 +65,7 @@ struct cms_key_param_st { typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENCRYPT, -OPT_DECRYPT, OPT_SIGN, OPT_SIGN_RECEIPT, OPT_RESIGN, +OPT_DECRYPT, OPT_SIGN, OPT_CADES, OPT_SIGN_RECEIPT, OPT_RESIGN, OPT_VERIFY, OPT_VERIFY_RETCODE, OPT_VERIFY_RECEIPT, OPT_CMSOUT, OPT_DATA_OUT, OPT_DATA_CREATE, OPT_DIGEST_VERIFY, OPT_DIGEST_CREATE, OPT_COMPRESS, OPT_UNCOMPRESS, @@ -102,6 +102,7 @@ const OPTIONS cms_options[] = { {"sign", OPT_SIGN, '-', "Sign message"}, {"sign_receipt", OPT_SIGN_RECEIPT, '-', "Generate a signed receipt for the message"}, {"resign", OPT_RESIGN, '-', "Resign a signed message"}, +{"cades", OPT_CADES, '-', "Include signer certificate digest"}, {"verify", OPT_VERIFY, '-', "Verify signed message"}, {"verify_retcode", OPT_VERIFY_RETCODE, '-'}, {"verify_receipt", OPT_VERIFY_RECEIPT, '<'}, @@ -326,6 +327,9 @@ int cms_main(int argc, char **argv) case OPT_BINARY: flags |= CMS_BINARY; break; +case OPT_CADES: +flags |= CMS_CADES; +break; case OPT_KEYID: flags |= CMS_USE_KEYID; break; diff --git a/crypto/build.info b/crypto/build.info index
[openssl-commits] [openssl] master update
The branch master has been updated via 9f5a87fd665cb597fa1c1f4eef882d2d2f833e61 (commit) from 61e033308b1c004bd808352fb1d786547dcdf62b (commit) - Log - commit 9f5a87fd665cb597fa1c1f4eef882d2d2f833e61 Author: Ping Yu Date: Mon Nov 5 15:41:01 2018 -0500 add an additional async notification communication method based on callback Reviewed-by: Matt Caswell Reviewed-by: Paul Yang Signed-off-by: Ping Yu Signed-off-by: Steven Linsell (Merged from https://github.com/openssl/openssl/pull/7573) --- Summary of changes: crypto/async/async_locl.h | 3 ++ crypto/async/async_wait.c | 35 ++ doc/man3/ASYNC_WAIT_CTX_new.pod | 73 ++-- doc/man3/ASYNC_start_job.pod| 36 +++--- doc/man3/SSL_set_async_callback.pod | 96 + engines/e_dasync.c | 14 ++ include/openssl/async.h | 14 ++ include/openssl/ssl.h | 9 ssl/ssl_lib.c | 48 +++ ssl/ssl_locl.h | 8 test/asynctest.c| 38 +++ util/libcrypto.num | 4 ++ util/libssl.num | 5 ++ util/private.num| 6 +++ 14 files changed, 369 insertions(+), 20 deletions(-) create mode 100644 doc/man3/SSL_set_async_callback.pod diff --git a/crypto/async/async_locl.h b/crypto/async/async_locl.h index 2325ce9..85dfcfa 100644 --- a/crypto/async/async_locl.h +++ b/crypto/async/async_locl.h @@ -59,6 +59,9 @@ struct async_wait_ctx_st { struct fd_lookup_st *fds; size_t numadd; size_t numdel; +ASYNC_callback_fn callback; +void *callback_arg; +int status; }; DEFINE_STACK_OF(ASYNC_JOB) diff --git a/crypto/async/async_wait.c b/crypto/async/async_wait.c index 2553298..642b781 100644 --- a/crypto/async/async_wait.c +++ b/crypto/async/async_wait.c 
@@ -182,6 +182,41 @@ int ASYNC_WAIT_CTX_clear_fd(ASYNC_WAIT_CTX *ctx, const void *key) return 0; } +int ASYNC_WAIT_CTX_set_callback(ASYNC_WAIT_CTX *ctx, +ASYNC_callback_fn callback, +void *callback_arg) +{ + if (ctx == NULL) + return 0; + + ctx->callback = callback; + ctx->callback_arg = callback_arg; + return 1; +} + +int ASYNC_WAIT_CTX_get_callback(ASYNC_WAIT_CTX *ctx, +ASYNC_callback_fn *callback, +void **callback_arg) +{ + if (ctx->callback == NULL) + return 0; + + *callback = ctx->callback; + *callback_arg = ctx->callback_arg; + return 1; +} + +int ASYNC_WAIT_CTX_set_status(ASYNC_WAIT_CTX *ctx, int status) +{ + ctx->status = status; + return 1; +} + +int ASYNC_WAIT_CTX_get_status(ASYNC_WAIT_CTX *ctx) +{ + return ctx->status; +} + void async_wait_ctx_reset_counts(ASYNC_WAIT_CTX *ctx) { struct fd_lookup_st *curr, *prev = NULL; diff --git a/doc/man3/ASYNC_WAIT_CTX_new.pod b/doc/man3/ASYNC_WAIT_CTX_new.pod index eeb2777..9076be8 100644 --- a/doc/man3/ASYNC_WAIT_CTX_new.pod +++ b/doc/man3/ASYNC_WAIT_CTX_new.pod @@ -4,13 +4,22 @@ ASYNC_WAIT_CTX_new, ASYNC_WAIT_CTX_free, ASYNC_WAIT_CTX_set_wait_fd, ASYNC_WAIT_CTX_get_fd, ASYNC_WAIT_CTX_get_all_fds, -ASYNC_WAIT_CTX_get_changed_fds, ASYNC_WAIT_CTX_clear_fd - functions to manage -waiting for asynchronous jobs to complete +ASYNC_WAIT_CTX_get_changed_fds, ASYNC_WAIT_CTX_clear_fd, +ASYNC_WAIT_CTX_set_callback, ASYNC_WAIT_CTX_get_callback, +ASYNC_WAIT_CTX_set_status, ASYNC_WAIT_CTX_get_status, ASYNC_callback_fn, +ASYNC_STATUS_UNSUPPORTED, ASYNC_STATUS_ERR, ASYNC_STATUS_OK, +ASYNC_STATUS_EAGAIN +- functions to manage waiting for asynchronous jobs to complete =head1 SYNOPSIS #include + #define ASYNC_STATUS_UNSUPPORTED0 + #define ASYNC_STATUS_ERR1 + #define ASYNC_STATUS_OK 2 + #define ASYNC_STATUS_EAGAIN 3 + typedef int (*ASYNC_callback_fn)(void *arg); ASYNC_WAIT_CTX *ASYNC_WAIT_CTX_new(void); void ASYNC_WAIT_CTX_free(ASYNC_WAIT_CTX *ctx); int ASYNC_WAIT_CTX_set_wait_fd(ASYNC_WAIT_CTX *ctx, const void *key, 
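Review bot: `ASYNC_WAIT_CTX_get_callback()`, `ASYNC_WAIT_CTX_set_status()` and `ASYNC_WAIT_CTX_get_status()` dereference `ctx` unconditionally, while `ASYNC_WAIT_CTX_set_callback()` in the same hunk returns 0 for `ctx == NULL`. The four accessors are added together as one public API, so the NULL contract should be the same for all of them: `if (ctx == NULL || ctx->callback == NULL) return 0;` in the getter and `if (ctx == NULL) return 0;` in `ASYNC_WAIT_CTX_set_status()`. `ASYNC_WAIT_CTX_get_status()` has no separate error return; returning `ASYNC_STATUS_UNSUPPORTED` for a NULL context would fit the values listed in the pod, but that is a design choice for the author. If the asymmetry is intended, the doc comments should say that only the setter tolerates NULL.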
@@ -26,6 +35,14 @@ waiting for asynchronous jobs to complete size_t *numaddfds, OSSL_ASYNC_FD *delfd, size_t *numdelfds); int ASYNC_WAIT_CTX_clear_fd(ASYNC_WAIT_CTX *ctx, const void *key); + int ASYNC_WAIT_CTX_set_callback(ASYNC_WAIT_CTX *ctx, + ASYNC_callback_fn callback, + void *callback_arg); + int ASYNC_WAIT_CTX_get_callback(ASYNC_WAIT_CTX *ctx, + ASYNC_callback_fn *callback, + void **callback_arg); + int
[openssl-commits] [openssl] master update
The branch master has been updated via 61e033308b1c004bd808352fb1d786547dcdf62b (commit) from 3d43f9c809e42b960be94f2f4490d6d14e063486 (commit) - Log - commit 61e033308b1c004bd808352fb1d786547dcdf62b Author: Michael Richardson Date: Thu Dec 27 13:26:49 2018 -0500 clarify which functions are the CMS functions which must have CMS_PARTIAL set Reviewed-by: Tim Hudson Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7960) --- Summary of changes: doc/man3/CMS_get0_type.pod | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/man3/CMS_get0_type.pod b/doc/man3/CMS_get0_type.pod index bd45e14..986154f 100644 --- a/doc/man3/CMS_get0_type.pod +++ b/doc/man3/CMS_get0_type.pod @@ -20,7 +20,8 @@ an ASN1_OBJECT pointer. An application can then decide how to process the CMS_ContentInfo structure based on this value. CMS_set1_eContentType() sets the embedded content type of a CMS_ContentInfo -structure. It should be called with CMS functions with the B +structure. It should be called with CMS functions (such as L, L) +with the B flag and B the structure is finalised, otherwise the results are undefined. _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 3d43f9c809e42b960be94f2f4490d6d14e063486 (commit) from 5478e2100260b8d6f9df77de875f37763d8eeec6 (commit) - Log - commit 3d43f9c809e42b960be94f2f4490d6d14e063486 Author: David Asraf Date: Wed Jan 23 11:10:11 2019 + crypto/bn: fix return value in BN_generate_prime When the ret parameter is NULL the generated prime is in rnd variable and not in ret. CLA: trivial Reviewed-by: Nicola Tuveri Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8076) --- Summary of changes: crypto/bn/bn_depr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/bn/bn_depr.c b/crypto/bn/bn_depr.c index 705ca1e..2ff0eed 100644 --- a/crypto/bn/bn_depr.c +++ b/crypto/bn/bn_depr.c @@ -40,7 +40,7 @@ BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, goto err; /* we have a prime :-) */ -return ret; +return rnd; err: BN_free(rnd); return NULL; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
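Review bot: The `err:` path visible at the end of this hunk calls `BN_free(rnd)` unconditionally. If `rnd` is set to the caller's `ret` when `ret` is non-NULL (the assignment is above the hunk, so this is inferred from the commit message), a failed generation frees an object the caller still owns and will probably free again. Guarding the cleanup with `if (ret == NULL) BN_free(rnd);` would leave ownership with the caller in that case. `BN_generate_prime` starts outside the hunk, so this needs checking against the full function.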
[openssl-commits] [openssl] master update
The branch master has been updated via 5478e2100260b8d6f9df77de875f37763d8eeec6 (commit) from d7bcbfd0828616f33008e711eabc6ec00b32e87b (commit) - Log - commit 5478e2100260b8d6f9df77de875f37763d8eeec6 Author: Shigeki Ohtsu Date: Thu Jan 24 22:45:50 2019 +0900 s_client: fix not to send a command letter of R Before 1.1.0, this command letter is not sent to a server. CLA: trivial (cherry picked from commit bc180cb4887c2e82111cb714723a94de9f6d2c35) Reviewed-by: Ben Kaduk Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8081) --- Summary of changes: apps/s_client.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/apps/s_client.c b/apps/s_client.c index 9705c4c..6e06f15 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -3083,9 +3083,7 @@ int s_client_main(int argc, char **argv) BIO_printf(bio_err, "RENEGOTIATING\n"); SSL_renegotiate(con); cbuf_len = 0; -} - -if (!c_ign_eof && (cbuf[0] == 'K' || cbuf[0] == 'k' ) + } else if (!c_ign_eof && (cbuf[0] == 'K' || cbuf[0] == 'k' ) && cmdletters) { BIO_printf(bio_err, "KEYUPDATE\n"); SSL_key_update(con, _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via d7bcbfd0828616f33008e711eabc6ec00b32e87b (commit) from 6638b2214761b5f30300534e0fe522448113c6cf (commit) - Log - commit d7bcbfd0828616f33008e711eabc6ec00b32e87b Author: Tomas Mraz Date: Thu Jan 24 17:58:56 2019 +0100 Remove stray -modulus option from the ec manual page. Reviewed-by: Paul Yang Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8082) --- Summary of changes: doc/man1/ec.pod | 4 1 file changed, 4 deletions(-) diff --git a/doc/man1/ec.pod b/doc/man1/ec.pod index 9d2fc1f..0a1e7af 100644 --- a/doc/man1/ec.pod +++ b/doc/man1/ec.pod @@ -101,10 +101,6 @@ Prints out the public, private key components and parameters. This option prevents output of the encoded version of the key. -=item B<-modulus> - -This option prints out the value of the public key component of the key. - =item B<-pubin> By default, a private key is read from the input file. With this option a _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 6638b2214761b5f30300534e0fe522448113c6cf (commit) from 2c75f03b39de2fa7d006bc0f0d7c58235a54d9bb (commit) - Log - commit 6638b2214761b5f30300534e0fe522448113c6cf Author: Matthias Kraft Date: Fri Jan 18 13:09:06 2019 +0100 Add "weak" declarations of symbols used in safestack.h and lhash.h Only for SunCC for now. It turns out that some compilers to generate external variants of unused static inline functions, and if they use other external symbols, those need to be present as well. If you then happen to include one of safestack.h or lhash.h without linking with libcrypto, the build fails. Fixes #6912 Signed-off-by: Matthias Kraft Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8087) --- Summary of changes: include/openssl/lhash.h | 27 ++- include/openssl/safestack.h | 37 - 2 files changed, 62 insertions(+), 2 deletions(-) diff --git a/include/openssl/lhash.h b/include/openssl/lhash.h index a142ea0..672841d 100644 --- a/include/openssl/lhash.h +++ b/include/openssl/lhash.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -210,6 +210,31 @@ DEFINE_LHASH_OF(OPENSSL_CSTRING); # pragma warning (pop) # endif +/* + * If called without higher optimization (min. -xO3) the Oracle Developer + * Studio compiler generates code for the defined (static inline) functions + * above. + * This would later lead to the linker complaining about missing symbols when + * this header file is included but the resulting object is not linked against + * the Crypto library (openssl#6912). + */ +# ifdef __SUNPRO_C +# pragma weak OPENSSL_LH_new +# pragma weak OPENSSL_LH_free +# pragma weak OPENSSL_LH_insert +# pragma weak OPENSSL_LH_delete +# pragma weak OPENSSL_LH_retrieve +# pragma weak OPENSSL_LH_error +# pragma weak OPENSSL_LH_num_items +# pragma weak OPENSSL_LH_node_stats_bio +# pragma weak OPENSSL_LH_node_usage_stats_bio +# pragma weak OPENSSL_LH_stats_bio +# pragma weak OPENSSL_LH_get_down_load +# pragma weak OPENSSL_LH_set_down_load +# pragma weak OPENSSL_LH_doall +# pragma weak OPENSSL_LH_doall_arg +# endif /* __SUNPRO_C */ + #ifdef __cplusplus } #endif diff --git a/include/openssl/safestack.h b/include/openssl/safestack.h index aad53d1..ba38ff7 100644 --- a/include/openssl/safestack.h +++ b/include/openssl/safestack.h @@ -1,5 +1,5 @@ /* - * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
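Review bot: The comment above the `#pragma weak` list explains the link failure it avoids but not the trade-off. With weak references, a SunCC-built object that really does call one of these functions without libcrypto linked no longer fails at link time and will typically call through a null address at run time instead. I would add a sentence to the comment such as `* Weak references resolve to NULL when libcrypto is absent; code that calls these must still link it.` and note that the list has to be kept in step by hand with the functions the inline wrappers use. The same applies to the `OPENSSL_sk_*` list in the safestack.h hunk.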
@@ -166,6 +166,41 @@ DEFINE_SPECIAL_STACK_OF_CONST(OPENSSL_CSTRING, char) typedef void *OPENSSL_BLOCK; DEFINE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void) +/* + * If called without higher optimization (min. -xO3) the Oracle Developer + * Studio compiler generates code for the defined (static inline) functions + * above. + * This would later lead to the linker complaining about missing symbols when + * this header file is included but the resulting object is not linked against + * the Crypto library (openssl#6912). + */ +# ifdef __SUNPRO_C +# pragma weak OPENSSL_sk_num +# pragma weak OPENSSL_sk_value +# pragma weak OPENSSL_sk_new +# pragma weak OPENSSL_sk_new_null +# pragma weak OPENSSL_sk_new_reserve +# pragma weak OPENSSL_sk_reserve +# pragma weak OPENSSL_sk_free +# pragma weak OPENSSL_sk_zero +# pragma weak OPENSSL_sk_delete +# pragma weak OPENSSL_sk_delete_ptr +# pragma weak OPENSSL_sk_push +# pragma weak OPENSSL_sk_unshift +# pragma weak OPENSSL_sk_pop +# pragma weak OPENSSL_sk_shift +# pragma weak OPENSSL_sk_pop_free +# pragma weak OPENSSL_sk_insert +# pragma weak OPENSSL_sk_set +# pragma weak OPENSSL_sk_find +# pragma weak OPENSSL_sk_find_ex +# pragma weak OPENSSL_sk_sort +# pragma weak OPENSSL_sk_is_sorted +# pragma weak OPENSSL_sk_dup +# pragma weak OPENSSL_sk_deep_copy +# pragma weak OPENSSL_sk_set_cmp_func +# endif /* __SUNPRO_C */ + # ifdef __cplusplus } # endif _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 2c75f03b39de2fa7d006bc0f0d7c58235a54d9bb (commit) from 5c8b7b4caa0faedb69277063a7c6b3a8e56c6308 (commit) - Log - commit 2c75f03b39de2fa7d006bc0f0d7c58235a54d9bb Author: Dr. Matthias St. Pierre Date: Fri Jan 25 08:40:46 2019 +0100 X509_STORE: fix two misspelled compatibility macros Fixes #8084 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8086) --- Summary of changes: include/openssl/x509_vfy.h | 4 1 file changed, 4 insertions(+) diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h index 0df8028..e9a70f5 100644 --- a/include/openssl/x509_vfy.h +++ b/include/openssl/x509_vfy.h @@ -366,7 +366,11 @@ X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx); # define X509_STORE_CTX_set_chain X509_STORE_CTX_set0_untrusted # define X509_STORE_CTX_trusted_stack X509_STORE_CTX_set0_trusted_stack # define X509_STORE_get_by_subject X509_STORE_CTX_get_by_subject +# define X509_STORE_get1_certs X509_STORE_CTX_get1_certs +# define X509_STORE_get1_crls X509_STORE_CTX_get1_crls +/* the following macro is misspelled; use X509_STORE_get1_certs instead */ # define X509_STORE_get1_cert X509_STORE_CTX_get1_certs +/* the following macro is misspelled; use X509_STORE_get1_crls instead */ # define X509_STORE_get1_crl X509_STORE_CTX_get1_crls #endif _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 5c8b7b4caa0faedb69277063a7c6b3a8e56c6308 (commit) from 0b53fe1cdc24a3dce450e77db6895a0243ddcb26 (commit) - Log - commit 5c8b7b4caa0faedb69277063a7c6b3a8e56c6308 Author: Klotz, Tobias Date: Thu Dec 20 12:59:31 2018 +0100 Cleanup vxworks support to be able to compile for VxWorks 7 Reviewed-by: Matt Caswell Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7569) --- Summary of changes: apps/apps.c| 2 +- apps/ocsp.c| 14 ++ apps/rehash.c | 20 apps/speed.c | 6 +++--- crypto/bio/b_addr.c| 5 + crypto/rand/rand_unix.c| 21 + crypto/ui/ui_openssl.c | 6 ++ include/internal/sockets.h | 6 +- test/ssltestlib.c | 16 +--- 9 files changed, 84 insertions(+), 12 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index ed1b618..39535e9 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2192,7 +2192,7 @@ double app_tminterval(int stop, int usertime) return ret; } -#elif defined(OPENSSL_SYSTEM_VXWORKS) +#elif defined(OPENSSL_SYS_VXWORKS) # include double app_tminterval(int stop, int usertime) diff --git a/apps/ocsp.c b/apps/ocsp.c index fb0a95b..7c2a904 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -53,6 +53,20 @@ NON_EMPTY_TRANSLATION_UNIT # define LOG_ERR 2 # endif +# if defined(OPENSSL_SYS_VXWORKS) +/* not supported */ +int setpgid(pid_t pid, pid_t pgid) +{ +errno = ENOSYS; +return 0; +} +/* not supported */ +pid_t fork(void) +{ +errno = ENOSYS; +return (pid_t) -1; +} +# endif /* Maximum leeway in validity period: default 5 minutes */ # define MAX_VALIDITY_PERIOD(5 * 60) diff --git a/apps/rehash.c b/apps/rehash.c index 6a641a8..a1fc379 100644 --- a/apps/rehash.c +++ b/apps/rehash.c 
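Review bot: The VxWorks `setpgid` stub in the apps/ocsp.c hunk sets `errno = ENOSYS` but returns 0, so the caller sees success while errno reports failure; the `fork` stub next to it returns `(pid_t) -1`. If treating process groups as a no-op is intended, the comment should say so and the errno assignment can go, e.g. `/* no process groups on VxWorks: treated as a successful no-op */`; otherwise `return -1;` matches the fork stub. The `/* not supported */` comments also do not say what happens to the multi-process responder mode on this platform, which is worth a line since `fork` always fails here.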
@@ -51,6 +51,26 @@ # endif # define MAX_COLLISIONS 256 +# if defined(OPENSSL_SYS_VXWORKS) +/* + * VxWorks has no symbolic links + */ + +# define lstat(path, buf) stat(path, buf) + +int symlink(const char *target, const char *linkpath) +{ +errno = ENOSYS; +return -1; +} + +ssize_t readlink(const char *pathname, char *buf, size_t bufsiz) +{ +errno = ENOSYS; +return -1; +} +# endif + typedef struct hentry_st { struct hentry_st *next; char *filename; diff --git a/apps/speed.c b/apps/speed.c index bb8836d..1125f5a 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -100,7 +100,7 @@ #include #ifndef HAVE_FORK -# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) +# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_VXWORKS) # define HAVE_FORK 0 # else # define HAVE_FORK 1 @@ -1522,11 +1522,11 @@ int speed_main(int argc, char **argv) {"nistp192", NID_X9_62_prime192v1, 192}, {"nistp224", NID_secp224r1, 224}, {"nistp256", NID_X9_62_prime256v1, 256}, -{"nistp384", NID_secp384r1, 384}, +{"nistp384", NID_secp384r1, 384}, {"nistp521", NID_secp521r1, 521}, /* Binary Curves */ {"nistk163", NID_sect163k1, 163}, -{"nistk233", NID_sect233k1, 233}, +{"nistk233", NID_sect233k1, 233}, {"nistk283", NID_sect283k1, 283}, {"nistk409", NID_sect409k1, 409}, {"nistk571", NID_sect571k1, 571}, diff --git a/crypto/bio/b_addr.c b/crypto/bio/b_addr.c index 1484f6a..4be74e4 100644 --- a/crypto/bio/b_addr.c +++ b/crypto/bio/b_addr.c @@ -782,7 +782,12 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type, * anyway [above getaddrinfo/gai_strerror is]. We just let * system administrator figure this out... */ +# if defined(OPENSSL_SYS_VXWORKS) +/* h_errno doesn't exist on VxWorks */ +SYSerr(SYS_F_GETHOSTBYNAME, 1000 ); +# else SYSerr(SYS_F_GETHOSTBYNAME, 1000 + h_errno); +# endif #else SYSerr(SYS_F_GETHOSTBYNAME, WSAGetLastError()); #endif diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c index f5b9c0c..35777ff 100644 
--- a/crypto/rand/rand_unix.c +++ b/crypto/rand/rand_unix.c @@ -93,6 +93,27 @@ static uint64_t get_timer_bits(void); # error "UEFI and VXWorks only support seeding NONE" #endif +#if defined(OPENSSL_SYS_VXWORKS) +/* empty implementation */ +int rand_pool_init(void) +{ +return 1; +} + +void rand_pool_cleanup(void) +{ +} + +void rand_pool_keep_random_devices_open(int keep) +{ +} + +size_t rand_pool_acquire_entropy(RAND_POOL *pool) +{ +return rand_pool_entropy_available(pool); +} +#endif + #if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) \ || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_VXWORKS) \ ||
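Review bot: The VxWorks `rand_pool_acquire_entropy()` added in this hunk gathers nothing and only returns `rand_pool_entropy_available(pool)`, and the comment `/* empty implementation */` does not tell a porter what that means for seeding. Judging by the `#error` context line just above the addition, this configuration supports only seeding NONE, so presumably all seed material has to be supplied by the application. That should be stated next to the stubs, e.g. `/* no OS entropy source is used on VxWorks; the application must seed the DRBG itself */`. The trailing context of the hunk is cut off on this page, so the code after the added `#endif` was not reviewed.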
[openssl-commits] [openssl] master update
The branch master has been updated via bcc1f3e2baa9caa83a0a94bd19fb37488ef3ee57 (commit) via 80c455d5ae405e855391e298a2bf8a24629dd95d (commit) from 5cae2d349b561a84dbfc93d6b6abc5fb7263fb7c (commit) - Log - commit bcc1f3e2baa9caa83a0a94bd19fb37488ef3ee57 Author: Matt Caswell Date: Fri Jan 18 12:10:07 2019 + Revert "Keep the DTLS timer running after the end of the handshake if appropriate" This commit erroneously kept the DTLS timer running after the end of the handshake. This is not correct behaviour and shold be reverted. This reverts commit f7506416b1311e65d5c440defdbcfe176f633c50. Fixes #7998 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8047) commit 80c455d5ae405e855391e298a2bf8a24629dd95d Author: Matt Caswell Date: Fri Jan 18 15:24:57 2019 + Make sure we trigger retransmits in DTLS testing During a DTLS handshake we may need to periodically handle timeouts in the DTLS timer to ensure retransmits due to lost packets are performed. However, one peer will always complete a handshake before the other. The DTLS timer stops once the handshake has finished so any handshake messages lost after that point will not automatically get retransmitted simply by calling DTLSv1_handle_timeout(). However attempting an SSL_read implies a DTLSv1_handle_timeout() and additionally will process records received from the peer. If those records are themselves retransmits then we know that the peer has not completed its handshake yet and a retransmit of our final flight automatically occurs. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8047) --- Summary of changes: ssl/record/rec_layer_d1.c | 13 - ssl/statem/statem_lib.c | 18 -- test/dtlstest.c | 14 +- test/sslapitest.c | 2 +- test/ssltestlib.c | 31 --- test/ssltestlib.h | 3 ++- 6 files changed, 36 insertions(+), 45 deletions(-) diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index c8ef0f7..a4b03ce 100644 --- a/ssl/record/rec_layer_d1.c 
+++ b/ssl/record/rec_layer_d1.c @@ -440,19 +440,6 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, && SSL3_RECORD_get_length(rr) != 0) s->rlayer.alert_count = 0; -if (SSL3_RECORD_get_type(rr) != SSL3_RT_HANDSHAKE -&& SSL3_RECORD_get_type(rr) != SSL3_RT_CHANGE_CIPHER_SPEC -&& !SSL_in_init(s) -&& (s->d1->next_timeout.tv_sec != 0 -|| s->d1->next_timeout.tv_usec != 0)) { -/* - * The timer is still running but we've received something that isn't - * handshake data - so the peer must have finished processing our - * last handshake flight. Stop the timer. - */ -dtls1_stop_timer(s); -} - /* we now have a packet which can be read and processed */ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 1a9aa41..2f78a3f 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -1076,15 +1076,6 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop) /* N.B. s->ctx may not equal s->session_ctx */ tsan_counter(>ctx->stats.sess_accept_good); s->handshake_func = ossl_statem_accept; - -if (SSL_IS_DTLS(s) && !s->hit) { -/* - * We are finishing after the client. We start the timer going - * in case there are any retransmits of our final flight - * required. - */ -dtls1_start_timer(s); -} } else { if (SSL_IS_TLS13(s)) { /* @@ -1106,15 +1097,6 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop) s->handshake_func = ossl_statem_connect; tsan_counter(>session_ctx->stats.sess_connect_good); - -if (SSL_IS_DTLS(s) && s->hit) { -/* - * We are finishing after the server. We start the timer going - * in case there are any retransmits of our final flight - * required. - */ -dtls1_start_timer(s); -} } if (SSL_IS_DTLS(s)) { diff --git a/test/dtlstest.c b/test/dtlstest.c index 0b04886..d196fb5 100644 --- a/test/dtlstest.c +++ b/test/dtlstest.c 
@@ -87,17 +87,21 @@ static int test_dtls_unprocessed(int testidx) /* * Inject a dummy record from the next epoch. In test 0, this should never * get used because
[openssl-commits] [openssl] master update
The branch master has been updated via 0b53fe1cdc24a3dce450e77db6895a0243ddcb26 (commit) from bcc1f3e2baa9caa83a0a94bd19fb37488ef3ee57 (commit) - Log - commit 0b53fe1cdc24a3dce450e77db6895a0243ddcb26 Author: Matt Caswell Date: Tue Jan 22 14:27:25 2019 + Fix s_client so that it builds on Windows Fixes #8050 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8065) --- Summary of changes: apps/s_client.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/apps/s_client.c b/apps/s_client.c index d788b89..9705c4c 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -2360,9 +2360,11 @@ int s_client_main(int argc, char **argv) if (proxypass != NULL) l += strlen(proxypass); proxyauth = app_malloc(l + 2, "Proxy auth string"); -snprintf(proxyauth, l + 2, "%s:%s", proxyuser, (proxypass != NULL) ? proxypass : ""); +BIO_snprintf(proxyauth, l + 2, "%s:%s", proxyuser, + (proxypass != NULL) ? proxypass : ""); proxyauthenc = base64encode(proxyauth, strlen(proxyauth)); -BIO_printf(fbio, "Proxy-Authorization: Basic %s\r\n", proxyauthenc); +BIO_printf(fbio, "Proxy-Authorization: Basic %s\r\n", + proxyauthenc); OPENSSL_clear_free(proxyauth, strlen(proxyauth)); OPENSSL_clear_free(proxyauthenc, strlen(proxyauthenc)); } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 5cae2d349b561a84dbfc93d6b6abc5fb7263fb7c (commit) from 13234dd310511ed2ae1832bb643dd298ddfefb0b (commit) - Log - commit 5cae2d349b561a84dbfc93d6b6abc5fb7263fb7c Author: Richard Levitte Date: Tue Jan 22 15:46:54 2019 +0100 Build: change remaining $unified_info{install} checks to use attributes Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8063) --- Summary of changes: Configurations/common.tmpl | 36 Configurations/descrip.mms.tmpl| 12 ++-- Configurations/platform/Unix.pm| 4 +--- Configurations/platform/VMS.pm | 4 +--- Configurations/platform/Windows.pm | 4 +--- 5 files changed, 21 insertions(+), 39 deletions(-) diff --git a/Configurations/common.tmpl b/Configurations/common.tmpl index 132852c..53384c7 100644 --- a/Configurations/common.tmpl +++ b/Configurations/common.tmpl @@ -52,18 +52,6 @@ map { $replace{$_} // $_; } @newlist; } - # is_installed checks if a given file will be installed (i.e. they are - # not defined _NO_INST in build.info) - sub is_installed { - my $product = shift; - if (grep { $product eq $_ } - map { (@{$unified_info{install}->{$_}}) } - keys %{$unified_info{install}}) { - return 1; - } - return 0; - } - # dogenerate is responsible for producing all the recipes that build # generated source files. It recurses in case a dependency is also a # generated source file. 
@@ -132,14 +120,14 @@ $OUT .= $obj2shlib->(lib => $lib, attrs => $unified_info{attributes}->{$lib}, objs => $unified_info{shared_sources}->{$lib}, - deps => [ reducedepends(resolvedepends($lib)) ], - installed => is_installed($lib)); + deps => [ reducedepends(resolvedepends($lib)) ]); foreach ((@{$unified_info{shared_sources}->{$lib}}, @{$unified_info{sources}->{$lib}})) { # If this is somehow a compiled object, take care of it that way # Otherwise, it might simply be generated if (defined $unified_info{sources}->{$_}) { - doobj($_, $lib, intent => "shlib", installed => is_installed($lib)); + doobj($_, $lib, intent => "shlib", + attrs => $unified_info{attributes}->{$lib}); } else { dogenerate($_, undef, undef, intent => "lib"); } @@ -149,7 +137,8 @@ attrs => $unified_info{attributes}->{$lib}, objs => [ @{$unified_info{sources}->{$lib}} ]); foreach (@{$unified_info{sources}->{$lib}}) { - doobj($_, $lib, intent => "lib", installed => is_installed($lib)); + doobj($_, $lib, intent => "lib", + attrs => $unified_info{attributes}->{$lib}); } $cache{$lib} = 1; } @@ -163,13 +152,13 @@ $OUT .= obj2dso(lib => $lib, attrs => $unified_info{attributes}->{$lib}, objs => $unified_info{shared_sources}->{$lib}, - deps => [ resolvedepends($lib) ], - installed => is_installed($lib)); + deps => [ resolvedepends($lib) ]); foreach (@{$unified_info{shared_sources}->{$lib}}) { # If this is somehow a compiled object, take care of it that way # Otherwise, it might simply be generated if (defined $unified_info{sources}->{$_}) { - doobj($_, $lib, intent => "dso", installed => is_installed($lib)); + doobj($_, $lib, intent => "dso", + attrs => $unified_info{attributes}->{$lib}); } else { dogenerate($_, undef, $lib, intent => "dso"); } 
@@ -186,10 +175,10 @@ $OUT .= obj2bin(bin => $bin, attrs => $unified_info{attributes}->{$bin}, objs => [ @{$unified_info{sources}->{$bin}} ], - deps => $deps, - installed => is_installed($bin)); + deps => $deps); foreach (@{$unified_info{sources}->{$bin}}) { - doobj($_, $bin, intent => "bin", installed => is_installed($bin)); + doobj($_, $bin, intent => "bin", + attrs => $unified_info{attributes}->{$bin}); } $cache{$bin} = 1; } @@ -201,8 +190,7 @@ return "" if $cache{$script}; $OUT .= in2script(script => $script, attrs => $unified_info{attributes}->{$script}, - sources => $unified_info{sources}->{$script}, - installed => is_installed($script)); + sources =>
[openssl-commits] [openssl] master update
The branch master has been updated via 13234dd310511ed2ae1832bb643dd298ddfefb0b (commit) from 5f8257494c72ba4ea2a99d693916798517a610e1 (commit) - Log - commit 13234dd310511ed2ae1832bb643dd298ddfefb0b Author: Richard Levitte Date: Tue Jan 22 12:17:36 2019 +0100 Rework build: Windows dependency building fix One variable misssing Fixes #8060 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8061) --- Summary of changes: Configurations/windows-makefile.tmpl | 1 + 1 file changed, 1 insertion(+) diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index 872ef4b..0cd1e86 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl @@ -613,6 +613,7 @@ $res: $deps EOF } my $obj = platform->obj($args{obj}); + my $dep = platform->dep($args{obj}); if ($srcs[0] =~ /\.asm$/) { return <<"EOF"; $obj: $deps _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 5f8257494c72ba4ea2a99d693916798517a610e1 (commit) via 994e86a9ffd4195f08a7b0ce61bf001e3bebf891 (commit) via ac6bba6f6ea328ba22425d6f3f95847452193293 (commit) via c91f24d4cca5862f11876457e0ffb6dd54814814 (commit) via 5d3af25934dc5a6850004d6e58af6a89df97e927 (commit) from 52bcd4afc84d75f9d22866a3cefaf9ae4e9ff997 (commit) - Log - commit 5f8257494c72ba4ea2a99d693916798517a610e1 Author: Richard Levitte Date: Wed Nov 7 11:10:50 2018 +0100 Build: pass attributes down to make rule generators For good measure, we pass down attributes when calling obj2shlib, obj2lib, obj2dso, obj2bin, or in2script. We currently don't use them in our build file templates, but might as well for future use. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7581) commit 994e86a9ffd4195f08a7b0ce61bf001e3bebf891 Author: Richard Levitte Date: Wed Nov 7 11:05:17 2018 +0100 Build: use attributes to indicate installed script classes We have two classes of scripts to be installed, those that are installed as "normal" programs, and those that are installed as "misc" scripts. These classes are installed in different locations, so the build file templates must pay attention. Because we didn't have the tools to indicate what scripts go where, we had these scripts hard coded in the build template files, with the maintenance issues that may cause. Now that we have attributes, those can be used to classify the installed scripts, and have the build file templates simply check the attributes to know what's what. Furthermore, the 'tsget.pl' script exists both as 'tsget.pl' and 'tsget', which is done by installing a symbolic link (or copy). This link name is now given through an attribute, which results in even less hard coding in the Unix Makefile template. 
Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7581) commit ac6bba6f6ea328ba22425d6f3f95847452193293 Author: Richard Levitte Date: Wed Nov 7 11:02:06 2018 +0100 Build: Change all _NO_INST to use attributes instead. This means that all PROGRAMS_NO_INST, LIBS_NO_INST, ENGINES_NO_INST and SCRIPTS_NO_INST are changed to be PROGRAM, LIBS, ENGINES and SCRIPTS with the associated attribute 'noinst'. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7581) commit c91f24d4cca5862f11876457e0ffb6dd54814814 Author: Richard Levitte Date: Wed Nov 7 10:44:05 2018 +0100 Configure: add attributes to end product build.info variables Among others, this avoids having special variables like PROGRAMS_NO_INST. Instead, we can have something like this: PROGRAMS{noinst}=foo bar Configure itself is entirely agnostic to these attributes, they are simply passed to the build file templates, to be used as they see fit. Attributes can also have values, for example: SCRIPTS{linkname=foo}=foo.pl This could help indicate to build file templates that care that the perl script 'foo.pl' should also exist with the name 'foo', preferably as a symbolic link. Fixes #7568 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7581) commit 5d3af25934dc5a6850004d6e58af6a89df97e927 Author: Richard Levitte Date: Wed Nov 7 10:34:05 2018 +0100 Configure: teach the tokenizer to handle other separators than spaces Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7581) --- Summary of changes: Configurations/common.tmpl | 5 + Configurations/descrip.mms.tmpl | 32 -- Configurations/unix-Makefile.tmpl| 53 ++--- Configurations/windows-makefile.tmpl | 63 --- Configure| 203 --- apps/build.info | 7 +- engines/build.info | 2 +- fuzz/build.info | 12 +-- test/build.info | 34 +++--- test/ossl_shim/build.info| 2 +- util/build.info | 4 +- 11 files changed, 266 insertions(+), 151 deletions(-) 
diff --git a/Configurations/common.tmpl b/Configurations/common.tmpl index 9e07a6f..132852c 100644 --- a/Configurations/common.tmpl +++ b/Configurations/common.tmpl @@ -130,6 +130,7 @@ unless ($disabled{shared} || $lib =~ /\.a$/) { my $obj2shlib = defined ? \ : \ $OUT .= $obj2shlib->(lib => $lib, + attrs => $unified_info{attributes}->{$lib}, objs => $unified_info{shared_sources}->{$lib},
[openssl-commits] [openssl] master update
The branch master has been updated via 52bcd4afc84d75f9d22866a3cefaf9ae4e9ff997 (commit) from f5fb6f0543cafd3db6671cfb987bf475a35f30f6 (commit) - Log - commit 52bcd4afc84d75f9d22866a3cefaf9ae4e9ff997 Author: Matt Eaton Date: Mon Jan 21 20:14:34 2019 -0600 Update NOTES.ANDROID Minor typo fix to `adjustment` in the line: "In such case you have to pass matching target name to Configure and shouldn't use -D__ANDROID_API__=N. PATH adjustment becomes simpler, $ANDROID_NDK/bin:$PATH suffices." Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8054) --- Summary of changes: NOTES.ANDROID | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NOTES.ANDROID b/NOTES.ANDROID index bbbd8e4..6b4741c 100644 --- a/NOTES.ANDROID +++ b/NOTES.ANDROID @@ -54,7 +54,7 @@ Another option is to create so called "standalone toolchain" tailored for single specific platform including Android API level, and assign its location to ANDROID_NDK. In such case you have to pass matching target - name to Configure and shouldn't use -D__ANDROID_API__=N. PATH adjusment + name to Configure and shouldn't use -D__ANDROID_API__=N. PATH adjustment becomes simpler, $ANDROID_NDK/bin:$PATH suffices. Running tests (on Linux) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via f5fb6f0543cafd3db6671cfb987bf475a35f30f6 (commit) via 9afc2b92fe6725336f9c7d917deb5ca8c5e4011b (commit) via 9dd4ed28eb5972f62723985429b57f42eefda124 (commit) via c162a8c344f12b2e0e788920358f51181ddf168f (commit) via 957689611b355f3514bd9051829f3a9a0d9d4517 (commit) via d7e4932eaf53a82a2606a73282d9c8a242c1a39d (commit) from ac454d8d4663e2fcf8a8437fab8aefd883091c37 (commit) - Log - commit f5fb6f0543cafd3db6671cfb987bf475a35f30f6 Author: Richard Levitte Date: Tue Oct 23 15:45:24 2018 +0200 Rework building: Get rid of old %unified_info structures Now that we have the names of libraries on different systems established through platform modules, we can remove the old structure to establish the same thing, i.e. $unified_info{sharednames} and $unified_info{rename}. That means removing support for the RENAME and SHARED_NAME keywords in build.info as well. Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7473) commit 9afc2b92fe6725336f9c7d917deb5ca8c5e4011b Author: Richard Levitte Date: Tue Oct 23 15:42:46 2018 +0200 Rework building: adapt some scripts The platform module collection is made in such a way that any Perl script that wants to take part of the available information can use them just as well as the build system. This change adapts test/recipes/90-test_shlibload.t, util/mkdef.pl, and util/shlib_wrap.sh.in Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7473) commit 9dd4ed28eb5972f62723985429b57f42eefda124 Author: Richard Levitte Date: Tue Oct 23 15:09:57 2018 +0200 Rework building: Unix changes to handle extensions and product names Add platform::Unix, which is a generic Unix module to support product name and extensions functionlity. 
However, this isn't quite enough, as mingw and Cygwin builds are done using the same templates, but since shared libraries work as on Windows and are named accordingly, platform::mingw and platform::Cygwin were also added to provide the necessary tweaks. This reworks Configurations/unix-Makefile.tmpl to work out product names in platform::Unix et al terms. In this one, we currently do care about the *_extension config attributes, and the modules adapt accordingly where it matters. This change also affected crypto/include/internal/dso_conf.h.in, since the DSO extension is meant to be the same as the short shared library extension, which isn't '.so' everywhere. 'shared_extension' attributes that had the value '.so.\$(SHLIB_VERSION_NUMBER)' are removed, platform::Unix provides an extension where the shared library version number is hard-coded instead. Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7473) commit c162a8c344f12b2e0e788920358f51181ddf168f Author: Richard Levitte Date: Tue Oct 23 15:00:36 2018 +0200 Rework building: VMS changes to handle extensions and product names Add platform::VMS, which is a generic VMS module. Additional modules to support specific building aspects (such as specific compilers) may be added later, but since we currently work on file names and those are generic enough, this is also enough. This reworks Configurations/descrip.mms.tmpl to work out product names in platform::VMS terms. Something to be noted is that the new functionality ignores the *_extension config attributes, as they were never used. VMS is very consistent in its use of extensions, so there is no reason to believe much will change in this respect. 
Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7473) commit 957689611b355f3514bd9051829f3a9a0d9d4517 Author: Richard Levitte Date: Tue Oct 23 14:36:23 2018 +0200 Rework building: Windows changes to handle extensions and product names Add platform::Windows, which is a generic Windows module, and platform::Windows::MSVC, which is a module specifically for MS Visual C. This reworks Configurations/windows-makeffile.tmpl to work out product names in platform::Windows. Something to be noted is that the new functionality ignores the *_extension config attributes, as they were never used. Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7473) commit d7e4932eaf53a82a2606a73282d9c8a242c1a39d Author: Richard Levitte Date: Tue Oct 23 14:14:48 2018 +0200 Rework building: initial changes This is the start of a major work to correct some quirks in the
[openssl-commits] [openssl] master update
The branch master has been updated via ac454d8d4663e2fcf8a8437fab8aefd883091c37 (commit) from c8f370485c43729db44b680e41e875ddd7f3108c (commit) - Log - commit ac454d8d4663e2fcf8a8437fab8aefd883091c37 Author: Bernd Edlinger Date: Fri Sep 21 09:05:16 2018 +0200 Make ca command silently use default if .attr file does not exist Reviewed-by: Nicola Tuveri Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7286) --- Summary of changes: apps/apps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/apps.c b/apps/apps.c index 67d28ee..ed1b618 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -1557,7 +1557,7 @@ CA_DB *load_index(const char *dbfile, DB_ATTR *db_attr) #else BIO_snprintf(buf, sizeof(buf), "%s-attr", dbfile); #endif -dbattr_conf = app_load_config(buf); +dbattr_conf = app_load_config_quiet(buf); retdb = app_malloc(sizeof(*retdb), "new DB"); retdb->db = tmpdb; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
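Review bot: In `load_index()` the switch to `app_load_config_quiet(buf)` suppresses diagnostics for the attribute file, but the commit title only covers the case where the file does not exist. Whether the quiet variant also hides a file that is present but unreadable is not visible in this hunk. For a CA database, silently falling back to default attributes in that case would be hard to diagnose, so it is worth confirming that an open or parse failure on an existing file is still reported. A comment such as `/* a missing attribute file is not an error: defaults are used */` above the call would record the intent. The function body continues outside the hunk, so the handling of a NULL `dbattr_conf` was not checked.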
[openssl-commits] [openssl] master update
The branch master has been updated via c8f370485c43729db44b680e41e875ddd7f3108c (commit) from 11642f35531e6afc5d6c4135c5e2ea6057e0e39a (commit) - Log - commit c8f370485c43729db44b680e41e875ddd7f3108c Author: Bernd Edlinger Date: Thu Jan 17 15:15:57 2019 +0100 PPC: Try out if mftb works before using it If this fails try out if mfspr268 works. Use OPENSSL_ppccap=0x20 for enabling mftb, OPENSSL_ppccap=0x40 for enabling mfspr268, and OPENSSL_ppccap=0 for enabling neither. Fixes #8012 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8043) --- Summary of changes: crypto/cryptlib.c | 10 crypto/ppc_arch.h | 2 + crypto/ppccap.c | 55 ++-- crypto/ppccpuid.pl | 123 include/internal/cryptlib.h | 2 + 5 files changed, 167 insertions(+), 25 deletions(-) diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c index 9cf264b..9018358 100644 --- a/crypto/cryptlib.c +++ b/crypto/cryptlib.c @@ -460,4 +460,14 @@ uint32_t OPENSSL_rdtsc(void) { return 0; } + +size_t OPENSSL_instrument_bus(unsigned int *out, size_t cnt) +{ +return 0; +} + +size_t OPENSSL_instrument_bus2(unsigned int *out, size_t cnt, size_t max) +{ +return 0; +} #endif diff --git a/crypto/ppc_arch.h b/crypto/ppc_arch.h index f235358..ce98f5b 100644 --- a/crypto/ppc_arch.h +++ b/crypto/ppc_arch.h @@ -22,5 +22,7 @@ extern unsigned int OPENSSL_ppccap_P; # define PPC_CRYPTO207 (1<<2) # define PPC_FPU (1<<3) # define PPC_MADD300 (1<<4) +# define PPC_MFTB(1<<5) +# define PPC_MFSPR268(1<<6) #endif diff --git a/crypto/ppccap.c b/crypto/ppccap.c index e50f757..70829e4 100644 --- a/crypto/ppccap.c +++ b/crypto/ppccap.c 
@@ -168,6 +168,45 @@ void OPENSSL_altivec_probe(void); void OPENSSL_crypto207_probe(void); void OPENSSL_madd300_probe(void); +long OPENSSL_rdtsc_mftb(void); +long OPENSSL_rdtsc_mfspr268(void); + +uint32_t OPENSSL_rdtsc(void) +{ +if (OPENSSL_ppccap_P & PPC_MFTB) +return OPENSSL_rdtsc_mftb(); +else if (OPENSSL_ppccap_P & PPC_MFSPR268) +return OPENSSL_rdtsc_mfspr268(); +else +return 0; +} + +size_t OPENSSL_instrument_bus_mftb(unsigned int *, size_t); +size_t OPENSSL_instrument_bus_mfspr268(unsigned int *, size_t); + +size_t OPENSSL_instrument_bus(unsigned int *out, size_t cnt) +{ +if (OPENSSL_ppccap_P & PPC_MFTB) +return OPENSSL_instrument_bus_mftb(out, cnt); +else if (OPENSSL_ppccap_P & PPC_MFSPR268) +return OPENSSL_instrument_bus_mfspr268(out, cnt); +else +return 0; +} + +size_t OPENSSL_instrument_bus2_mftb(unsigned int *, size_t, size_t); +size_t OPENSSL_instrument_bus2_mfspr268(unsigned int *, size_t, size_t); + +size_t OPENSSL_instrument_bus2(unsigned int *out, size_t cnt, size_t max) +{ +if (OPENSSL_ppccap_P & PPC_MFTB) +return OPENSSL_instrument_bus2_mftb(out, cnt, max); +else if (OPENSSL_ppccap_P & PPC_MFSPR268) +return OPENSSL_instrument_bus2_mfspr268(out, cnt, max); +else +return 0; +} + #if defined(__GLIBC__) && defined(__GLIBC_PREREQ) # if __GLIBC_PREREQ(2, 16) # include @@ -300,8 +339,6 @@ void OPENSSL_cpuid_setup(void) if (hwcap & HWCAP_ARCH_3_00) { OPENSSL_ppccap_P |= PPC_MADD300; } - -return; } #endif @@ -322,15 +359,16 @@ void OPENSSL_cpuid_setup(void) sigprocmask(SIG_SETMASK, _act.sa_mask, ); sigaction(SIGILL, _act, _oact); +#ifndef OSSL_IMPLEMENT_GETAUXVAL if (sigsetjmp(ill_jmp,1) == 0) { OPENSSL_fpu_probe(); OPENSSL_ppccap_P |= PPC_FPU; if (sizeof(size_t) == 4) { -#ifdef __linux +# ifdef __linux struct utsname uts; if (uname() == 0 && strcmp(uts.machine, "ppc64") == 0) -#endif +# endif if (sigsetjmp(ill_jmp, 1) == 0) { OPENSSL_ppc64_probe(); OPENSSL_ppccap_P |= PPC_FPU64; 
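Review bot: `OPENSSL_rdtsc()` in crypto/ppccap.c returns `uint32_t` but forwards the result of `OPENSSL_rdtsc_mftb()` and `OPENSSL_rdtsc_mfspr268()`, which this hunk declares as returning `long`, so the value is narrowed implicitly. Declaring the helpers as `uint32_t OPENSSL_rdtsc_mftb(void);` and `uint32_t OPENSSL_rdtsc_mfspr268(void);` would keep the prototypes consistent, assuming the assembly routines produce only a 32-bit counter value, which is not visible here. An explicit cast at the two return statements would do the same job. All three dispatchers fall back to `return 0;` when neither `PPC_MFTB` nor `PPC_MFSPR268` is set; a one-line comment such as `/* no usable time base register: report 0 */` would document that callers can receive a constant.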
@@ -355,6 +393,15 @@ void OPENSSL_cpuid_setup(void) OPENSSL_madd300_probe(); OPENSSL_ppccap_P |= PPC_MADD300; } +#endif + +if (sigsetjmp(ill_jmp, 1) == 0) { +OPENSSL_rdtsc_mftb(); +OPENSSL_ppccap_P |= PPC_MFTB; +} else if (sigsetjmp(ill_jmp, 1) == 0) { +OPENSSL_rdtsc_mfspr268(); +OPENSSL_ppccap_P |= PPC_MFSPR268; +} sigaction(SIGILL, _oact, NULL); sigprocmask(SIG_SETMASK, , NULL); diff --git a/crypto/ppccpuid.pl b/crypto/ppccpuid.pl index b1241a7..0c1e124 100755 --- a/crypto/ppccpuid.pl +++ b/crypto/ppccpuid.pl @@ -124,26 +124,23 @@ Ladd: lwarx r5,0,r3 .long 0 .size .OPENSSL_atomic_add,.-.OPENSSL_atomic_add -.globl .OPENSSL_rdtsc +.globl .OPENSSL_rdtsc_mftb .align 4 -.OPENSSL_rdtsc: -___
[openssl-commits] [openssl] master update
The branch master has been updated via 11642f35531e6afc5d6c4135c5e2ea6057e0e39a (commit) via a4abcaeab8b0e1b01f76cddda70a437991c1ff57 (commit) from c6048af23c577bcf85f15122dd03b65f959c9ecb (commit) - Log - commit 11642f35531e6afc5d6c4135c5e2ea6057e0e39a Author: David von Oheimb Date: Thu Jan 17 14:52:18 2019 +0100 update Copyright date Reviewed-by: Kurt Roeckx Reviewed-by: Bernd Edlinger Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8036) commit a4abcaeab8b0e1b01f76cddda70a437991c1ff57 Author: David von Oheimb Date: Wed Jan 16 15:38:34 2019 +0100 add 'L' after _OPENSSL_VERSION_PRE_RELEASE literals, fixes #8021 Reviewed-by: Kurt Roeckx Reviewed-by: Bernd Edlinger Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8036) --- Summary of changes: include/openssl/opensslv.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h index 08d9075..73e64a7 100644 --- a/include/openssl/opensslv.h +++ b/include/openssl/opensslv.h @@ -1,5 +1,5 @@ /* - * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -126,9 +126,9 @@ const char *OPENSSL_version_build_metadata(void); # if !OPENSSL_API_4 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */ # ifdef OPENSSL_VERSION_PRE_RELEASE -# define _OPENSSL_VERSION_PRE_RELEASE 0x0 +# define _OPENSSL_VERSION_PRE_RELEASE 0x0L # else -# define _OPENSSL_VERSION_PRE_RELEASE 0xf +# define _OPENSSL_VERSION_PRE_RELEASE 0xfL # endif # define OPENSSL_VERSION_NUMBER\ ( (OPENSSL_VERSION_MAJOR<<28) \ _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via c6048af23c577bcf85f15122dd03b65f959c9ecb (commit) from 37842dfaebcf28b4ca452c6abd93ebde1b4aa6dc (commit) - Log - commit c6048af23c577bcf85f15122dd03b65f959c9ecb Author: Corey Minyard Date: Mon Jan 21 17:47:02 2019 +1000 Fix a memory leak in the mem bio If you use a BIO and set up your own buffer that is not freed, the memory bio will leak the BIO_BUF_MEM object it allocates. The trouble is that the BIO_BUF_MEM is allocated and kept around, but it is not freed if BIO_NOCLOSE is set. The freeing of BIO_BUF_MEM was fairly confusing, simplify things so mem_buf_free only frees the memory buffer and free the BIO_BUF_MEM in mem_free(), where it should be done. Alse add a test for a leak in the memory bio Setting a memory buffer caused a leak. Signed-off-by: Corey Minyard Reviewed-by: Bernd Edlinger Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8051) --- Summary of changes: crypto/bio/bss_mem.c | 24 ++ test/bio_memleak_test.c| 54 ++ test/build.info| 6 ++- .../{04-test_err.t => 90-test_bio_memleak.t} | 4 +- 4 files changed, 75 insertions(+), 13 deletions(-) create mode 100644 test/bio_memleak_test.c copy test/recipes/{04-test_err.t => 90-test_bio_memleak.t} (70%) diff --git a/crypto/bio/bss_mem.c b/crypto/bio/bss_mem.c index ee9ea91..89c54b2 100644 --- a/crypto/bio/bss_mem.c +++ b/crypto/bio/bss_mem.c @@ -20,7 +20,7 @@ static long mem_ctrl(BIO *h, int cmd, long arg1, void *arg2); static int mem_new(BIO *h); static int secmem_new(BIO *h); static int mem_free(BIO *data); -static int mem_buf_free(BIO *data, int free_all); +static int mem_buf_free(BIO *data); static int mem_buf_sync(BIO *h); static const BIO_METHOD mem_method = { 
@@ -140,10 +140,20 @@ static int secmem_new(BIO *bi) static int mem_free(BIO *a) { -return mem_buf_free(a, 1); +BIO_BUF_MEM *bb; + +if (a == NULL) +return 0; + +bb = (BIO_BUF_MEM *)a->ptr; +if (!mem_buf_free(a)) +return 0; +OPENSSL_free(bb->readp); +OPENSSL_free(bb); +return 1; } -static int mem_buf_free(BIO *a, int free_all) +static int mem_buf_free(BIO *a) { if (a == NULL) return 0; @@ -155,11 +165,6 @@ static int mem_buf_free(BIO *a, int free_all) if (a->flags & BIO_FLAGS_MEM_RDONLY) b->data = NULL; BUF_MEM_free(b); -if (free_all) { -OPENSSL_free(bb->readp); -OPENSSL_free(bb); -} -a->ptr = NULL; } return 1; } @@ -266,11 +271,10 @@ static long mem_ctrl(BIO *b, int cmd, long num, void *ptr) } break; case BIO_C_SET_BUF_MEM: -mem_buf_free(b, 0); +mem_buf_free(b); b->shutdown = (int)num; bbm->buf = ptr; *bbm->readp = *bbm->buf; -b->ptr = bbm; break; case BIO_C_GET_BUF_MEM_PTR: if (ptr != NULL) { diff --git a/test/bio_memleak_test.c b/test/bio_memleak_test.c new file mode 100644 index 000..36680e3 --- /dev/null +++ b/test/bio_memleak_test.c 
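Review bot: In the rewritten `mem_free()`, `bb` is taken from `a->ptr` and then dereferenced in `OPENSSL_free(bb->readp)` with no NULL check, and `a->ptr` keeps pointing at freed memory now that `a->ptr = NULL` has been dropped from `mem_buf_free()`. Whether `a->ptr` can be NULL at this point depends on `mem_new()`/`secmem_new()`, which are outside the hunk, so this is a defensive gap rather than a demonstrated crash. I would add `if (bb == NULL) return 1;` after the `mem_buf_free(a)` check and `a->ptr = NULL;` after `OPENSSL_free(bb);`, so a stale pointer cannot be reused by a later control call on the same BIO.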
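Review bot: In the `BIO_C_SET_BUF_MEM` case of `mem_ctrl()`, `bbm->buf = ptr; *bbm->readp = *bbm->buf;` dereferences the caller-supplied `ptr` without checking it, and by then `mem_buf_free(b)` has already released the previous buffer. A NULL `ptr` should be rejected before the old buffer is freed, so that a bad call leaves the BIO usable instead of crashing on the struct copy. The return value of `mem_buf_free(b)` is also ignored here, while `mem_free()` in the same commit checks it. `mem_ctrl()` begins and ends outside the hunk.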
@@ -0,0 +1,54 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ +#include +#include +#include +#include + +#include "testutil.h" + +static int test_bio_memleak(void) +{ +int ok = 0; +BIO *bio; +BUF_MEM bufmem; +const char *str = "BIO test\n"; +char buf[100]; + +bio = BIO_new(BIO_s_mem()); +if (bio == NULL) +goto finish; +bufmem.length = strlen(str) + 1; +bufmem.data = (char *) str; +bufmem.max = bufmem.length; +BIO_set_mem_buf(bio, , BIO_NOCLOSE); +BIO_set_flags(bio, BIO_FLAGS_MEM_RDONLY); + +if (BIO_read(bio, buf, sizeof(buf)) <= 0) + goto finish; + +ok = strcmp(buf, str) == 0; + +finish: +BIO_free(bio); +return ok; +} + +int global_init(void) +{ +CRYPTO_set_mem_debug(1); +CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); +return 1; +} + +int setup_tests(void) +{ +ADD_TEST(test_bio_memleak); +return 1; +} diff --git a/test/build.info b/test/build.info index 962af11..2e17a5f 100644 --- a/test/build.info +++ b/test/build.info @@ -42,7 +42,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=main packettest asynctest secmemtest srptest memleaktest stack_test \ dtlsv1listentest ct_test threadstest afalgtest d2i_test \ ssl_test_ctx_test ssl_test x509aux
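Review bot: `test_bio_memleak()` ignores the result of `BIO_set_mem_buf()` and reports every failure as a bare `ok = 0`, so a failing run does not say which step broke. The testutil macros would fix that, e.g. `if (!TEST_ptr(bio))`, `if (!TEST_int_gt(BIO_read(bio, buf, sizeof(buf)), 0))` and `ok = TEST_str_eq(buf, str);`. The `strcmp()` on `buf` is only safe because `bufmem.length` is `strlen(str) + 1`; a comment such as `/* length includes the NUL, so buf is terminated after BIO_read() */` would keep a later edit from removing that guarantee.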
[openssl-commits] [openssl] master update
The branch master has been updated via 69738dadcda1b242a0b5e41d5d2fe4be3f55a448 (commit) from 3afd537a3c2319f68280804004e9bf2e798a43f7 (commit) - Log - commit 69738dadcda1b242a0b5e41d5d2fe4be3f55a448 Author: Marc <34656315+marct...@users.noreply.github.com> Date: Thu Jan 3 00:32:00 2019 + s_client: Add basic proxy authentication support 1) Add two new flags (-proxy_user & -proxy_pass) to s_client to add support for basic (base64) proxy authentication. 2) Add a "Proxy-Connection: Keep-Alive" HTTP header which is a workaround for some broken proxies which otherwise close the connection when entering tunnel mode (eg Squid 2.6). Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7975) --- Summary of changes: apps/s_client.c | 81 +++ doc/man1/s_client.pod | 17 +++ 2 files changed, 93 insertions(+), 5 deletions(-) diff --git a/apps/s_client.c b/apps/s_client.c index 51001d5..d788b89 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -74,6 +74,7 @@ static void print_stuff(BIO *berr, SSL *con, int full); static int ocsp_resp_cb(SSL *s, void *arg); #endif static int ldap_ExtendedResponse_parse(const char *buf, long rem); +static char *base64encode (const void *buf, size_t len); static int saved_errno; @@ -590,7 +591,8 @@ typedef enum OPTION_choice { OPT_V_ENUM, OPT_X_ENUM, OPT_S_ENUM, -OPT_FALLBACKSCSV, OPT_NOCMDS, OPT_PROXY, OPT_DANE_TLSA_DOMAIN, +OPT_FALLBACKSCSV, OPT_NOCMDS, OPT_PROXY, OPT_PROXY_USER, OPT_PROXY_PASS, +OPT_DANE_TLSA_DOMAIN, #ifndef OPENSSL_NO_CT OPT_CT, OPT_NOCT, OPT_CTLOG_FILE, #endif 
@@ -608,6 +610,8 @@ const OPTIONS s_client_options[] = { {"bind", OPT_BIND, 's', "bind local address for connection"}, {"proxy", OPT_PROXY, 's', "Connect to via specified proxy to the real server"}, +{"proxy_user", OPT_PROXY_USER, 's', "UserID for proxy authentication"}, +{"proxy_pass", OPT_PROXY_PASS, 's', "Proxy authentication password source"}, #ifdef AF_UNIX {"unix", OPT_UNIX, 's', "Connect over the specified Unix-domain socket"}, #endif @@ -894,8 +898,10 @@ int s_client_main(int argc, char **argv) STACK_OF(X509_CRL) *crls = NULL; const SSL_METHOD *meth = TLS_client_method(); const char *CApath = NULL, *CAfile = NULL; -char *cbuf = NULL, *sbuf = NULL; -char *mbuf = NULL, *proxystr = NULL, *connectstr = NULL, *bindstr = NULL; +char *cbuf = NULL, *sbuf = NULL, *mbuf = NULL; +char *proxystr = NULL, *proxyuser = NULL; +char *proxypassarg = NULL, *proxypass = NULL; +char *connectstr = NULL, *bindstr = NULL; char *cert_file = NULL, *key_file = NULL, *chain_file = NULL; char *chCApath = NULL, *chCAfile = NULL, *host = NULL; char *port = OPENSSL_strdup(PORT); @@ -1075,6 +1081,12 @@ int s_client_main(int argc, char **argv) proxystr = opt_arg(); starttls_proto = PROTO_CONNECT; break; +case OPT_PROXY_USER: +proxyuser = opt_arg(); +break; +case OPT_PROXY_PASS: +proxypassarg = opt_arg(); +break; #ifdef AF_UNIX case OPT_UNIX: connect_type = use_unix; @@ -1619,7 +1631,17 @@ int s_client_main(int argc, char **argv) #endif if (!app_passwd(passarg, NULL, , NULL)) { -BIO_printf(bio_err, "Error getting password\n"); +BIO_printf(bio_err, "Error getting private key password\n"); +goto end; +} + +if (!app_passwd(proxypassarg, NULL, , NULL)) { +BIO_printf(bio_err, "Error getting proxy password\n"); +goto end; +} + +if (proxypass != NULL && proxyuser == NULL) { +BIO_printf(bio_err, "Error: Must specify proxy_user with proxy_pass\n"); goto end; } 
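Review bot: The argument check added in the last hunk rejects `-proxy_pass` without `-proxy_user`, but nothing visible rejects either option when `-proxy` itself is missing, so a user who forgets `-proxy` gets a direct connection and no hint that the credentials were ignored. A matching test on `proxyuser != NULL && proxystr == NULL` with its own error message would make that mistake visible. `proxypass` is filled in by `app_passwd()` and holds a secret; the cleanup at `end:` is outside the hunk, so please confirm it is released with `OPENSSL_clear_free()` rather than a plain free. `s_client_main()` begins and ends outside these hunks.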
@@ -2322,7 +2344,31 @@ int s_client_main(int argc, char **argv) BIO *fbio = BIO_new(BIO_f_buffer()); BIO_push(fbio, sbio); -BIO_printf(fbio, "CONNECT %s HTTP/1.0\r\n\r\n", connectstr); +BIO_printf(fbio, "CONNECT %s HTTP/1.0\r\n", connectstr); +/* + * Workaround for broken proxies which would otherwise close + * the connection when entering tunnel mode (eg Squid 2.6) + */ +BIO_printf(fbio, "Proxy-Connection: Keep-Alive\r\n"); + +/* Support for basic (base64) proxy authentication */ +if (proxyuser != NULL) { +size_t l; +char *proxyauth, *proxyauthenc; + +l = strlen(proxyuser); +if (proxypass != NULL) +l += strlen(proxypass); +proxyauth = app_malloc(l + 2, "Proxy auth string"); +snprintf(proxyauth, l
[openssl-commits] [openssl] master update
The branch master has been updated via 37842dfaebcf28b4ca452c6abd93ebde1b4aa6dc (commit) from 69738dadcda1b242a0b5e41d5d2fe4be3f55a448 (commit) - Log - commit 37842dfaebcf28b4ca452c6abd93ebde1b4aa6dc Author: Antoine Salon Date: Fri Dec 14 12:47:07 2018 -0800 Add missing EVP_MD documentation Signed-off-by: Antoine Salon Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7905) --- Summary of changes: doc/man3/EVP_DigestInit.pod | 88 +--- doc/man3/EVP_MD_meth_new.pod | 21 --- 2 files changed, 91 insertions(+), 18 deletions(-) diff --git a/doc/man3/EVP_DigestInit.pod b/doc/man3/EVP_DigestInit.pod index f7ecda5..37cdb27 100644 --- a/doc/man3/EVP_DigestInit.pod +++ b/doc/man3/EVP_DigestInit.pod @@ -2,17 +2,17 @@ =head1 NAME -EVP_MD_CTX_new, EVP_MD_CTX_reset, EVP_MD_CTX_free, EVP_MD_CTX_copy_ex, -EVP_MD_CTX_ctrl, EVP_MD_CTX_set_flags, EVP_MD_CTX_clear_flags, -EVP_MD_CTX_test_flags, EVP_DigestInit_ex, EVP_DigestInit, EVP_DigestUpdate, +EVP_MD_CTX_new, EVP_MD_CTX_reset, EVP_MD_CTX_free, EVP_MD_CTX_copy, +EVP_MD_CTX_copy_ex, EVP_MD_CTX_ctrl, EVP_MD_CTX_set_flags, +EVP_MD_CTX_clear_flags, EVP_MD_CTX_test_flags, +EVP_Digest, EVP_DigestInit_ex, EVP_DigestInit, EVP_DigestUpdate, EVP_DigestFinal_ex, EVP_DigestFinalXOF, EVP_DigestFinal, -EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, -EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, -EVP_MD_CTX_block_size, EVP_MD_CTX_type, EVP_MD_CTX_md_data, +EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_flags, +EVP_MD_CTX_md, EVP_MD_CTX_type, EVP_MD_CTX_size, EVP_MD_CTX_block_size, +EVP_MD_CTX_md_data, EVP_MD_CTX_update_fn, EVP_MD_CTX_set_update_fn, EVP_md_null, -EVP_get_digestbyname, EVP_get_digestbynid, -EVP_get_digestbyobj, -EVP_MD_CTX_set_pkey_ctx - EVP digest routines +EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj, +EVP_MD_CTX_pkey_ctx, EVP_MD_CTX_set_pkey_ctx - EVP digest routines =head1 SYNOPSIS 
@@ -26,6 +26,8 @@ EVP_MD_CTX_set_pkey_ctx - EVP digest routines void EVP_MD_CTX_clear_flags(EVP_MD_CTX *ctx, int flags); int EVP_MD_CTX_test_flags(const EVP_MD_CTX *ctx, int flags); + int EVP_Digest(const void *data, size_t count, unsigned char *md, +unsigned int *size, const EVP_MD *type, ENGINE *impl); int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl); int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt); int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s); @@ -42,12 +44,18 @@ EVP_MD_CTX_set_pkey_ctx - EVP digest routines int EVP_MD_pkey_type(const EVP_MD *md); int EVP_MD_size(const EVP_MD *md); int EVP_MD_block_size(const EVP_MD *md); + unsigned long EVP_MD_flags(const EVP_MD *md); const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx); int EVP_MD_CTX_size(const EVP_MD *ctx); int EVP_MD_CTX_block_size(const EVP_MD *ctx); int EVP_MD_CTX_type(const EVP_MD *ctx); void *EVP_MD_CTX_md_data(const EVP_MD_CTX *ctx); + int (*EVP_MD_CTX_update_fn(EVP_MD_CTX *ctx))(EVP_MD_CTX *ctx, + const void *data, size_t count); + void EVP_MD_CTX_set_update_fn(EVP_MD_CTX *ctx, + int (*update)(EVP_MD_CTX *ctx, + const void *data, size_t count)); const EVP_MD *EVP_md_null(void); @@ -55,6 +63,7 @@ EVP_MD_CTX_set_pkey_ctx - EVP digest routines const EVP_MD *EVP_get_digestbynid(int type); const EVP_MD *EVP_get_digestbyobj(const ASN1_OBJECT *o); + EVP_PKEY_CTX *EVP_MD_CTX_pkey_ctx(const EVP_MD_CTX *ctx); void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx); =head1 DESCRIPTION 
@@ -79,12 +88,24 @@ Cleans up digest context B and frees up the space allocated to it. =item EVP_MD_CTX_ctrl() -Performs digest-specific control actions on context B. +Performs digest-specific control actions on context B. The control command +is indicated in B and any additional arguments in B and B. +EVP_MD_CTX_ctrl() must be called after EVP_DigestInit_ex(). Other restrictions +may apply depending on the control type and digest implementation. +See L below for more information. =item EVP_MD_CTX_set_flags(), EVP_MD_CTX_clear_flags(), EVP_MD_CTX_test_flags() Sets, clears and tests B flags. See L below for more information. +=item EVP_Digest() + +A wrapper around the Digest Init_ex, Update and Final_ex functions. +Hashes B bytes of data at B using a digest B from ENGINE +B. The digest value is placed in B and its length is written at B +if the pointer is not NULL. At most B bytes will be written. +If B is NULL the default implementation of digest B is used. + =item EVP_DigestInit_ex() Sets up digest context B to use a
[openssl-commits] [openssl] master update
The branch master has been updated via 3afd537a3c2319f68280804004e9bf2e798a43f7 (commit) from 9b10986d7742a5105ac8c5f4eba8b103caf57ae9 (commit) - Log - commit 3afd537a3c2319f68280804004e9bf2e798a43f7 Author: David Benjamin Date: Tue Sep 11 13:49:28 2018 -0700 Reduce inputs before the RSAZ code. The RSAZ code requires the input be fully-reduced. To be consistent with the other codepaths, move the BN_nnmod logic before the RSAZ check. This fixes an oft-reported fuzzer bug. https://github.com/google/oss-fuzz/issues/1761 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7187) --- Summary of changes: crypto/bn/bn_exp.c | 64 -- test/bntest.c | 25 + 2 files changed, 58 insertions(+), 31 deletions(-) diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c index 83b0e5a..9ea120b 100644 --- a/crypto/bn/bn_exp.c +++ b/crypto/bn/bn_exp.c 
@@ -648,34 +648,41 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, goto err; } +if (a->neg || BN_ucmp(a, m) >= 0) { +BIGNUM *reduced = BN_CTX_get(ctx); +if (reduced == NULL +|| !BN_nnmod(reduced, a, m, ctx)) { +goto err; +} +a = reduced; +} + #ifdef RSAZ_ENABLED -if (!a->neg) { -/* - * If the size of the operands allow it, perform the optimized - * RSAZ exponentiation. For further information see - * crypto/bn/rsaz_exp.c and accompanying assembly modules. - */ -if ((16 == a->top) && (16 == p->top) && (BN_num_bits(m) == 1024) -&& rsaz_avx2_eligible()) { -if (NULL == bn_wexpand(rr, 16)) -goto err; -RSAZ_1024_mod_exp_avx2(rr->d, a->d, p->d, m->d, mont->RR.d, - mont->n0[0]); -rr->top = 16; -rr->neg = 0; -bn_correct_top(rr); -ret = 1; +/* + * If the size of the operands allow it, perform the optimized + * RSAZ exponentiation. For further information see + * crypto/bn/rsaz_exp.c and accompanying assembly modules. + */ +if ((16 == a->top) && (16 == p->top) && (BN_num_bits(m) == 1024) +&& rsaz_avx2_eligible()) { +if (NULL == bn_wexpand(rr, 16)) goto err; -} else if ((8 == a->top) && (8 == p->top) && (BN_num_bits(m) == 512)) { -if (NULL == bn_wexpand(rr, 8)) -goto err; -RSAZ_512_mod_exp(rr->d, a->d, p->d, m->d, mont->n0[0], mont->RR.d); -rr->top = 8; -rr->neg = 0; -bn_correct_top(rr); -ret = 1; +RSAZ_1024_mod_exp_avx2(rr->d, a->d, p->d, m->d, mont->RR.d, + mont->n0[0]); +rr->top = 16; +rr->neg = 0; +bn_correct_top(rr); +ret = 1; +goto err; +} else if ((8 == a->top) && (8 == p->top) && (BN_num_bits(m) == 512)) { +if (NULL == bn_wexpand(rr, 8)) goto err; -} +RSAZ_512_mod_exp(rr->d, a->d, p->d, m->d, mont->n0[0], mont->RR.d); +rr->top = 8; +rr->neg = 0; +bn_correct_top(rr); +ret = 1; +goto err; } #endif 
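Review bot: The reduction block added at the top of this hunk has no comment, although its position is the whole point of the change: the RSAZ routines below read `a->d` directly and need `0 <= a < m`. I would put `/* RSAZ and the generic path both need a fully reduced, non-negative a; reduce once before either is chosen. */` above `if (a->neg || BN_ucmp(a, m) >= 0)`. `BN_CTX_get(ctx)` relies on a `BN_CTX_start()` earlier in `BN_mod_exp_mont_consttime()`, which begins outside the hunk. The branch on `BN_ucmp(a, m)` and the `BN_nnmod()` call are, as far as I can tell, not constant-time in `a`; that predates the move, but the comment could say so because the function name suggests otherwise.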
@@ -747,12 +754,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, goto err; /* prepare a^1 in Montgomery domain */ -if (a->neg || BN_ucmp(a, m) >= 0) { -if (!BN_nnmod(, a, m, ctx)) -goto err; -if (!bn_to_mont_fixed_top(, , mont, ctx)) -goto err; -} else if (!bn_to_mont_fixed_top(, a, mont, ctx)) +if (!bn_to_mont_fixed_top(, a, mont, ctx)) goto err; #if defined(SPARC_T4_MONT) diff --git a/test/bntest.c b/test/bntest.c index e760c64..d042a3e 100644 --- a/test/bntest.c +++ b/test/bntest.c @@ -519,6 +519,31 @@ static int test_modexp_mont5(void) if (!TEST_BN_eq(c, d)) goto err; +/* + * rsaz_1024_mul_avx2 expects fully-reduced inputs. + * BN_mod_exp_mont_consttime should reduce the input first. + */ +BN_hex2bn(, +"" +"" +"" +"2020202020DF"); +BN_hex2bn(, +"1FA53F26F8811C58BE0357897AA5E165693230BC9DF5F01DFA6A2D59229EC69D" +"9DE6A89C36E3B6957B22D6FAAD5A3C73AE587B710DBE92E83D3A9A3339A085CB" +"B58F508CA4F837924BB52CC1698B7FDC2FD74362456A595A5B58E38E38E38E38" +"E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E"); +BN_hex2bn(, +
[openssl-commits] [openssl] master update
The branch master has been updated via 9b10986d7742a5105ac8c5f4eba8b103caf57ae9 (commit) from 807989df56988da92560bce4706d91d7c1371783 (commit) - Log - commit 9b10986d7742a5105ac8c5f4eba8b103caf57ae9 Author: Richard Levitte Date: Wed Jan 16 21:54:48 2019 +0100 apps/verify.c: Change an old comment to clarify what the callback does Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7922) --- Summary of changes: apps/verify.c | 13 - 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/apps/verify.c b/apps/verify.c index 3768fed..2f66912 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -286,16 +286,19 @@ static int cb(int ok, X509_STORE_CTX *ctx) cert_error, X509_STORE_CTX_get_error_depth(ctx), X509_verify_cert_error_string(cert_error)); + +/* + * Pretend that some errors are ok, so they don't stop further + * processing of the certificate chain. Setting ok = 1 does this. + * After X509_verify_cert() is done, we verify that there were + * no actual errors, even if the returned value was positive. + */ switch (cert_error) { case X509_V_ERR_NO_EXPLICIT_POLICY: policies_print(ctx); /* fall thru */ case X509_V_ERR_CERT_HAS_EXPIRED: - -/* - * since we are just checking the certificates, it is ok if they - * are self signed. But we should still warn the user. - */ +/* Continue even if the leaf is a self signed cert */ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: /* Continue after extension errors too */ case X509_V_ERR_INVALID_CA: _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
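Review bot: The new block comment says errors are re-checked "after X509_verify_cert() is done" but does not say where, and a reader who copies this callback elsewhere gets a verifier that accepts expired and self-signed certificates. I would add one line to the comment, `* Do not reuse this callback where the return value of X509_verify_cert() alone decides trust.`, and name the function that performs the later check. `case X509_V_ERR_CERT_HAS_EXPIRED:` now sits between two comments that describe other cases and has none of its own. The `switch` continues outside the hunk.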
[openssl-commits] [openssl] master update
The branch master has been updated via 807989df56988da92560bce4706d91d7c1371783 (commit) from 5f40dd158cbfa0a3bd86c32f7a77fec8754bb245 (commit) - Log - commit 807989df56988da92560bce4706d91d7c1371783 Author: Richard Levitte Date: Wed Dec 12 22:37:37 2018 +0100 crypto/bio/b_dump.c: change all char* to void*, and constify Some of these functions take char*, which is seldom right, they should have been unsigned char*, because the content isn't expected to be text. Even better is to simply take void* as data type, which also happens to be transparent for any type these functions are called with, be it char* or unsigned char*. This shouldn't break anything. While we're at it, constify the input data parameters. Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7890) --- Summary of changes: crypto/bio/b_dump.c | 24 +--- include/openssl/bio.h | 14 +++--- 2 files changed, 20 insertions(+), 18 deletions(-) diff --git a/crypto/bio/b_dump.c b/crypto/bio/b_dump.c index f4d2de3..e4ad361 100644 --- a/crypto/bio/b_dump.c +++ b/crypto/bio/b_dump.c @@ -20,14 +20,15 @@ #define SPACE(buf, pos, n) (sizeof(buf) - (pos) > (n)) int BIO_dump_cb(int (*cb) (const void *data, size_t len, void *u), -void *u, const char *s, int len) +void *u, const void *s, int len) { return BIO_dump_indent_cb(cb, u, s, len, 0); } int BIO_dump_indent_cb(int (*cb) (const void *data, size_t len, void *u), - void *u, const char *s, int len, int indent) + void *u, const void *v, int len, int indent) { +const unsigned char *s = v; int ret = 0; char buf[288 + 1]; int i, j, rows, n; @@ -51,7 +52,7 @@ int BIO_dump_indent_cb(int (*cb) (const void *data, size_t len, void *u), if (((i * dump_width) + j) >= len) { strcpy(buf + n, " "); } else { -ch = ((unsigned char)*(s + i * dump_width + j)) & 0xff; +ch = *(s + i * dump_width + j) & 0xff; BIO_snprintf(buf + n, 4, "%02x%c", ch, j == 7 ? '-' : ' '); } 
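Review bot: In the second hunk the new line `ch = *(s + i * dump_width + j) & 0xff;` keeps a mask that no longer does anything, since `s` is now `const unsigned char *`. The cast was removed for exactly that reason, so the mask can go with it: `ch = s[i * dump_width + j];`. The same line appears in the `@@ -66,7 +67,7 @@` hunk of this file. `BIO_dump_indent_cb()` continues outside both hunks.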
@@ -66,7 +67,7 @@ int BIO_dump_indent_cb(int (*cb) (const void *data, size_t len, void *u), if (((i * dump_width) + j) >= len) break; if (SPACE(buf, n, 1)) { -ch = ((unsigned char)*(s + i * dump_width + j)) & 0xff; +ch = *(s + i * dump_width + j) & 0xff; #ifndef CHARSET_EBCDIC buf[n++] = ((ch >= ' ') && (ch <= '~')) ? ch : '.'; #else @@ -96,12 +97,12 @@ static int write_fp(const void *data, size_t len, void *fp) return UP_fwrite(data, len, 1, fp); } -int BIO_dump_fp(FILE *fp, const char *s, int len) +int BIO_dump_fp(FILE *fp, const void *s, int len) { return BIO_dump_cb(write_fp, fp, s, len); } -int BIO_dump_indent_fp(FILE *fp, const char *s, int len, int indent) +int BIO_dump_indent_fp(FILE *fp, const void *s, int len, int indent) { return BIO_dump_indent_cb(write_fp, fp, s, len, indent); } @@ -112,19 +113,20 @@ static int write_bio(const void *data, size_t len, void *bp) return BIO_write((BIO *)bp, (const char *)data, len); } -int BIO_dump(BIO *bp, const char *s, int len) +int BIO_dump(BIO *bp, const void *s, int len) { return BIO_dump_cb(write_bio, bp, s, len); } -int BIO_dump_indent(BIO *bp, const char *s, int len, int indent) +int BIO_dump_indent(BIO *bp, const void *s, int len, int indent) { return BIO_dump_indent_cb(write_bio, bp, s, len, indent); } -int BIO_hex_string(BIO *out, int indent, int width, unsigned char *data, +int BIO_hex_string(BIO *out, int indent, int width, const void *data, int datalen) { +const unsigned char *d = data; int i, j = 0; if (datalen < 1) @@ -134,7 +136,7 @@ int BIO_hex_string(BIO *out, int indent, int width, unsigned char *data, if (i && !j) BIO_printf(out, "%*s", indent, ""); -BIO_printf(out, "%02X:", data[i]); +BIO_printf(out, "%02X:", d[i]); j = (j + 1) % width; if (!j) @@ -143,6 +145,6 @@ int BIO_hex_string(BIO *out, int indent, int width, unsigned char *data, if (i && !j) BIO_printf(out, "%*s", indent, ""); -BIO_printf(out, "%02X", data[datalen - 1]); +BIO_printf(out, "%02X", d[datalen - 1]); return 1; } 
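Review bot: In `BIO_hex_string()`, `j = (j + 1) % width;` divides by a caller-supplied `width`, and the only argument check visible in these hunks is `if (datalen < 1)`. A `width` of 0 is undefined behaviour there. Since the signature is being touched anyway, the guard could become `if (datalen < 1 || width < 1)`; the lines between the two hunks are not shown, so confirm no such check already exists.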
diff --git a/include/openssl/bio.h b/include/openssl/bio.h index cdeacc8..ed9d489 100644 --- a/include/openssl/bio.h +++ b/include/openssl/bio.h @@ -641,16 +641,16 @@ int BIO_sock_non_fatal_error(int error); int BIO_fd_should_retry(int i); int BIO_fd_non_fatal_error(int error); int
[openssl-commits] [openssl] master update
The branch master has been updated via 5f40dd158cbfa0a3bd86c32f7a77fec8754bb245 (commit) from aefb980c45134d84f1757de1a9c61d699c8a7e33 (commit) - Log - commit 5f40dd158cbfa0a3bd86c32f7a77fec8754bb245 Author: Richard Levitte Date: Wed Jan 16 06:31:15 2019 +0100 crypto/armcap.c, crypto/ppccap.c: stricter use of getauxval() Having a weak getauxval() and only depending on GNU C without looking at the library we build against meant that it got picked up where not really expected. So we change this to check for the glibc version, and since we know it exists from that version, there's no real need to make it weak. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/8028) --- Summary of changes: crypto/armcap.c | 77 ++--- crypto/ppccap.c | 19 ++ 2 files changed, 49 insertions(+), 47 deletions(-) diff --git a/crypto/armcap.c b/crypto/armcap.c index e97bdd1..70d2719 100644 --- a/crypto/armcap.c +++ b/crypto/armcap.c @@ -62,14 +62,12 @@ uint32_t OPENSSL_rdtsc(void) # if defined(__GNUC__) && __GNUC__>=2 void OPENSSL_cpuid_setup(void) __attribute__ ((constructor)); # endif -/* - * Use a weak reference to getauxval() so we can use it if it is available but - * don't break the build if it is not. - */ -# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) -extern unsigned long getauxval(unsigned long type) __attribute__ ((weak)); -# else -static unsigned long (*getauxval) (unsigned long) = NULL; + +# if defined(__GLIBC__) && defined(__GLIBC_PREREQ) +# if __GLIBC_PREREQ(2, 16) +# include +# define OSSL_IMPLEMENT_GETAUXVAL +# endif # endif /* 
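Review bot: The new guard enables `getauxval()` only when `__GLIBC__` and `__GLIBC_PREREQ(2, 16)` are defined, so a C library other than glibc that provides the function now always takes the SIGILL-probe path, where the removed weak reference would have used it. If that is intended, the guard should say so, e.g. `/* getauxval() is used on glibc >= 2.16 only; every other libc falls back to SIGILL probing */`. If it is not, the guard needs a branch for each libc that is meant to be covered. The rest of `OPENSSL_cpuid_setup()` is in later hunks.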
@@ -134,6 +132,33 @@ void OPENSSL_cpuid_setup(void) */ # endif +OPENSSL_armcap_P = 0; + +# ifdef OSSL_IMPLEMENT_GETAUXVAL +if (getauxval(HWCAP) & HWCAP_NEON) { +unsigned long hwcap = getauxval(HWCAP_CE); + +OPENSSL_armcap_P |= ARMV7_NEON; + +if (hwcap & HWCAP_CE_AES) +OPENSSL_armcap_P |= ARMV8_AES; + +if (hwcap & HWCAP_CE_PMULL) +OPENSSL_armcap_P |= ARMV8_PMULL; + +if (hwcap & HWCAP_CE_SHA1) +OPENSSL_armcap_P |= ARMV8_SHA1; + +if (hwcap & HWCAP_CE_SHA256) +OPENSSL_armcap_P |= ARMV8_SHA256; + +# ifdef __aarch64__ +if (hwcap & HWCAP_CE_SHA512) +OPENSSL_armcap_P |= ARMV8_SHA512; +# endif +} +# endif + sigfillset(_masked); sigdelset(_masked, SIGILL); sigdelset(_masked, SIGTRAP); @@ -141,8 +166,6 @@ void OPENSSL_cpuid_setup(void) sigdelset(_masked, SIGBUS); sigdelset(_masked, SIGSEGV); -OPENSSL_armcap_P = 0; - memset(_act, 0, sizeof(ill_act)); ill_act.sa_handler = ill_handler; ill_act.sa_mask = all_masked; @@ -150,30 +173,9 @@ void OPENSSL_cpuid_setup(void) sigprocmask(SIG_SETMASK, _act.sa_mask, ); sigaction(SIGILL, _act, _oact); -if (getauxval != NULL) { -if (getauxval(HWCAP) & HWCAP_NEON) { -unsigned long hwcap = getauxval(HWCAP_CE); - -OPENSSL_armcap_P |= ARMV7_NEON; - -if (hwcap & HWCAP_CE_AES) -OPENSSL_armcap_P |= ARMV8_AES; - -if (hwcap & HWCAP_CE_PMULL) -OPENSSL_armcap_P |= ARMV8_PMULL; - -if (hwcap & HWCAP_CE_SHA1) -OPENSSL_armcap_P |= ARMV8_SHA1; - -if (hwcap & HWCAP_CE_SHA256) -OPENSSL_armcap_P |= ARMV8_SHA256; - -# ifdef __aarch64__ -if (hwcap & HWCAP_CE_SHA512) -OPENSSL_armcap_P |= ARMV8_SHA512; -# endif -} -} else if (sigsetjmp(ill_jmp, 1) == 0) { +/* If we used getauxval, we already have all the values */ +# ifndef OSSL_IMPLEMENT_GETAUXVAL +if (sigsetjmp(ill_jmp, 1) == 0) { _armv7_neon_probe(); OPENSSL_armcap_P |= ARMV7_NEON; if (sigsetjmp(ill_jmp, 1) == 0) { 
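Review bot: With `OSSL_IMPLEMENT_GETAUXVAL` defined, the probe fallback is compiled out by the `# ifndef` in the third hunk on this line, yet `getauxval(HWCAP)` returns 0 both for "no NEON" and for "entry not available". A failed lookup therefore leaves `OPENSSL_armcap_P` without any NEON or crypto-extension bits and nothing reports it; the old code behaved the same whenever `getauxval` was present, so this is a gap the commit does not close rather than one it opens. At minimum I would document it above the block: `/* A zero result also covers a missing auxv entry; no probing fallback exists in this configuration. */`. `OPENSSL_cpuid_setup()` begins outside the hunk.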
@@ -191,13 +193,16 @@ void OPENSSL_cpuid_setup(void) _armv8_sha256_probe(); OPENSSL_armcap_P |= ARMV8_SHA256; } -# if defined(__aarch64__) && !defined(__APPLE__) +# if defined(__aarch64__) && !defined(__APPLE__) if (sigsetjmp(ill_jmp, 1) == 0) { _armv8_sha512_probe(); OPENSSL_armcap_P |= ARMV8_SHA512; } -# endif +# endif } +# endif + +/* Things that getauxval didn't tell us */ if (sigsetjmp(ill_jmp, 1) == 0) { _armv7_tick(); OPENSSL_armcap_P |= ARMV7_TICK; diff --git a/crypto/ppccap.c b/crypto/ppccap.c index 4214762..e50f757 100644 --- a/crypto/ppccap.c +++ b/crypto/ppccap.c @@ -168,16 +168,11 @@ void OPENSSL_altivec_probe(void); void OPENSSL_crypto207_probe(void); void OPENSSL_madd300_probe(void); -/* - * Use a weak reference to getauxval() so we can use it if it is available - *
[openssl-commits] [openssl] master update
The branch master has been updated via aefb980c45134d84f1757de1a9c61d699c8a7e33 (commit) from ea09abc80892920ee5db4de82bed7a193b5896f0 (commit) - Log - commit aefb980c45134d84f1757de1a9c61d699c8a7e33 Author: Richard Levitte Date: Thu Dec 20 10:17:38 2018 +0100 crypto/uid.c: use own macro as guard rather than AT_SECURE It turns out that AT_SECURE may be defined through other means than our inclusion of sys/auxv.h, so to be on the safe side, we define our own guard and use that to determine if getauxval() should be used or not. Fixes #7932 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7933) --- Summary of changes: crypto/uid.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/uid.c b/crypto/uid.c index 6635639..494dbde 100644 --- a/crypto/uid.c +++ b/crypto/uid.c @@ -34,12 +34,13 @@ int OPENSSL_issetugid(void) # if defined(__GLIBC__) && defined(__GLIBC_PREREQ) # if __GLIBC_PREREQ(2, 16) # include +# define OSSL_IMPLEMENT_GETAUXVAL # endif # endif int OPENSSL_issetugid(void) { -# ifdef AT_SECURE +# ifdef OSSL_IMPLEMENT_GETAUXVAL return getauxval(AT_SECURE) != 0; # else return getuid() != geteuid() || getgid() != getegid(); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
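Review bot: `return getauxval(AT_SECURE) != 0;` treats a missing `AT_SECURE` entry the same as "not set-id", because `getauxval()` returns 0 in both cases. This function decides whether the process is privileged, so a lookup failure should not fail open. glibc 2.19 and later set `errno` to `ENOENT` when the entry is absent, so the uid/gid comparison can serve as the fallback in that case. The change needs `<errno.h>` in the include block, which is outside the hunk, as is the end of `OPENSSL_issetugid()`.

```c
int OPENSSL_issetugid(void)
{
# ifdef OSSL_IMPLEMENT_GETAUXVAL
    unsigned long secure;

    errno = 0;
    secure = getauxval(AT_SECURE);
    /* Zero with ENOENT means "no AT_SECURE entry", not "not set-id" */
    if (secure == 0 && errno == ENOENT)
        return getuid() != geteuid() || getgid() != getegid();
    return secure != 0;
# else
    /* … unchanged: getuid()/geteuid() comparison … */
```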
[openssl-commits] [openssl] master update
The branch master has been updated via ea09abc80892920ee5db4de82bed7a193b5896f0 (commit) via 7fe0ed75e3e7760226a0a3a5a86cf3887004f6e4 (commit) from d63bde7827b0be1172f823baf25309b54aa87e0f (commit) - Log - commit ea09abc80892920ee5db4de82bed7a193b5896f0 Author: Matt Caswell Date: Mon Jan 14 16:37:14 2019 + Don't get the mac type in TLSv1.3 We don't use this information so we shouldn't fetch it. As noted in the comments in #8005. Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/8020) commit 7fe0ed75e3e7760226a0a3a5a86cf3887004f6e4 Author: Matt Caswell Date: Mon Jan 14 16:36:33 2019 + Add missing entries in ssl_mac_pkey_id Fixes #8005 Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/8020) --- Summary of changes: ssl/ssl_ciph.c | 2 ++ ssl/tls13_enc.c | 4 +--- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index bd97c0f..461a9de 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -171,6 +171,8 @@ static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = { EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef, /* GOST2012_512 */ EVP_PKEY_HMAC, +/* MD5/SHA1, SHA224, SHA512 */ +NID_undef, NID_undef, NID_undef }; static size_t ssl_mac_secret_size[SSL_MD_NUM_IDX]; diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index 6022950..e6cd705 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -323,11 +323,9 @@ int tls13_setup_key_block(SSL *s) { const EVP_CIPHER *c; const EVP_MD *hash; -int mac_type = NID_undef; s->session->cipher = s->s3->tmp.new_cipher; -if (!ssl_cipher_get_evp -(s->session, , , _type, NULL, NULL, 0)) { +if (!ssl_cipher_get_evp(s->session, , , NULL, NULL, NULL, 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); return 0; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via d63bde7827b0be1172f823baf25309b54aa87e0f (commit) via 0a5bda639f8fd59e15051cf757708e3b94bcf399 (commit) from e26f653defd08334ebfa517b6715a338f543fbf1 (commit) - Log - commit d63bde7827b0be1172f823baf25309b54aa87e0f Author: Matt Caswell Date: Mon Jan 14 11:22:42 2019 + Check more return values in the SRP code Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8019) commit 0a5bda639f8fd59e15051cf757708e3b94bcf399 Author: Matt Caswell Date: Mon Jan 14 11:06:43 2019 + Check a return value in the SRP code Spotted by OSTIF audit Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8019) --- Summary of changes: crypto/srp/srp_lib.c | 4 +++- crypto/srp/srp_vfy.c | 21 ++--- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/crypto/srp/srp_lib.c b/crypto/srp/srp_lib.c index c43d27a..8cba189 100644 --- a/crypto/srp/srp_lib.c +++ b/crypto/srp/srp_lib.c @@ -26,6 +26,7 @@ static BIGNUM *srp_Calc_xy(const BIGNUM *x, const BIGNUM *y, const BIGNUM *N) unsigned char *tmp = NULL; int numN = BN_num_bytes(N); BIGNUM *res = NULL; + if (x != N && BN_ucmp(x, N) >= 0) return NULL; if (y != N && BN_ucmp(y, N) >= 0) @@ -139,7 +140,8 @@ BIGNUM *SRP_Calc_x(const BIGNUM *s, const char *user, const char *pass) || !EVP_DigestFinal_ex(ctxt, dig, NULL) || !EVP_DigestInit_ex(ctxt, EVP_sha1(), NULL)) goto err; -BN_bn2bin(s, cs); +if (BN_bn2bin(s, cs) < 0) +goto err; if (!EVP_DigestUpdate(ctxt, cs, BN_num_bytes(s))) goto err; diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 4ed94b7..d69e330 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c 
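Review bot: The added check `if (BN_bn2bin(s, cs) < 0)` in `SRP_Calc_x()` probably never fires, because as far as I know `BN_bn2bin()` returns the number of bytes written and has no failure return. The same applies to `if (BN_bn2bin(v, tmp) < 0)` in the `crypto/srp/srp_vfy.c` hunk of this commit. A check that can fail would compare the length with the destination size before the call, for example `if (BN_num_bytes(s) > cs_len) goto err;` (`cs_len` is a constructed name for however `cs` was sized, which is outside the hunk). `SRP_Calc_x()` begins and ends outside the hunk.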
@@ -614,10 +614,14 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, if ((len = t_fromb64(tmp, sizeof(tmp), N)) <= 0) goto err; N_bn_alloc = BN_bin2bn(tmp, len, NULL); +if (N_bn_alloc == NULL) +goto err; N_bn = N_bn_alloc; if ((len = t_fromb64(tmp, sizeof(tmp) ,g)) <= 0) goto err; g_bn_alloc = BN_bin2bn(tmp, len, NULL); +if (g_bn_alloc == NULL) +goto err; g_bn = g_bn_alloc; defgNid = "*"; } else { @@ -639,15 +643,19 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, goto err; s = BN_bin2bn(tmp2, len, NULL); } +if (s == NULL) +goto err; if (!SRP_create_verifier_BN(user, pass, , , N_bn, g_bn)) goto err; -BN_bn2bin(v, tmp); +if (BN_bn2bin(v, tmp) < 0) +goto err; vfsize = BN_num_bytes(v) * 2; if (((vf = OPENSSL_malloc(vfsize)) == NULL)) goto err; -t_tob64(vf, tmp, BN_num_bytes(v)); +if (!t_tob64(vf, tmp, BN_num_bytes(v))) +goto err; if (*salt == NULL) { char *tmp_salt; @@ -655,7 +663,10 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, if ((tmp_salt = OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL) { goto err; } -t_tob64(tmp_salt, tmp2, SRP_RANDOM_SALT_LEN); +if (!t_tob64(tmp_salt, tmp2, SRP_RANDOM_SALT_LEN)) { +OPENSSL_free(tmp_salt); +goto err; +} *salt = tmp_salt; } @@ -702,11 +713,15 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, goto err; salttmp = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); +if (salttmp == NULL) +goto err; } else { salttmp = *salt; } x = SRP_Calc_x(salttmp, user, pass); +if (x == NULL) +goto err; *verifier = BN_new(); if (*verifier == NULL) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
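Review bot: The new `if (BN_bn2bin(v, tmp) < 0)` in SRP_create_verifier() (hunk at -639) checks the return value but still writes `BN_num_bytes(v)` bytes into `tmp` without comparing that length to the buffer, which the preceding hunk treats as fixed-size (`sizeof(tmp)`). The write is presumably bounded because the verifier is reduced modulo N, but that invariant is not visible here. An explicit guard before the call, `if (BN_num_bytes(v) > (int)sizeof(tmp)) goto err;`, would make the bound local to the write. The function starts and ends outside the hunk, so the declaration of `tmp` and the `err` cleanup are not shown.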
[openssl-commits] [openssl] master update
The branch master has been updated via e26f653defd08334ebfa517b6715a338f543fbf1 (commit) from 7835e97b6ff5cd94a10c5aeac439f4aa145a77b2 (commit) - Log - commit e26f653defd08334ebfa517b6715a338f543fbf1 Author: Anna Henningsen Date: Sun Jan 13 18:26:43 2019 +0100 Fix compilation with `-DREF_PRINT` CLA: trivial Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8016) --- Summary of changes: crypto/dso/dso_lib.c | 2 +- crypto/ec/ecp_nistz256.c | 2 +- crypto/x509/x509_lu.c| 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/dso/dso_lib.c b/crypto/dso/dso_lib.c index f426be0..f1b193b 100644 --- a/crypto/dso/dso_lib.c +++ b/crypto/dso/dso_lib.c @@ -111,7 +111,7 @@ int DSO_up_ref(DSO *dso) if (CRYPTO_UP_REF(>references, , dso->lock) <= 0) return 0; -REF_PRINT_COUNT("DSO", r); +REF_PRINT_COUNT("DSO", dso); REF_ASSERT_ISNT(i < 2); return ((i > 1) ? 1 : 0); } diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index 2db7d19..82affd6 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c @@ -1432,7 +1432,7 @@ void EC_nistz256_pre_comp_free(NISTZ256_PRE_COMP *pre) return; CRYPTO_DOWN_REF(>references, , pre->lock); -REF_PRINT_COUNT("EC_nistz256", x); +REF_PRINT_COUNT("EC_nistz256", pre); if (i > 0) return; REF_ASSERT_ISNT(i < 0); diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index 6bcdafb..fa8153d 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -237,7 +237,7 @@ int X509_STORE_up_ref(X509_STORE *vfy) if (CRYPTO_UP_REF(>references, , vfy->lock) <= 0) return 0; -REF_PRINT_COUNT("X509_STORE", a); +REF_PRINT_COUNT("X509_STORE", vfy); REF_ASSERT_ISNT(i < 2); return ((i > 1) ? 1 : 0); } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 7835e97b6ff5cd94a10c5aeac439f4aa145a77b2 (commit) from 87d06aed64395afcd9ee4e7c699950dd57278259 (commit) - Log - commit 7835e97b6ff5cd94a10c5aeac439f4aa145a77b2 Author: Matt Caswell Date: Wed Oct 17 16:17:25 2018 +0100 Don't artificially limit the size of the ClientHello We were setting a limit of SSL3_RT_MAX_PLAIN_LENGTH on the size of the ClientHello. AFAIK there is nothing in the standards that requires this limit. The limit goes all the way back to when support for extensions was first added for TLSv1.0. It got converted into a WPACKET max size in 1.1.1. Most likely it was originally added to avoid the complexity of having to grow the init_buf in the middle of adding extensions. With WPACKET this is irrelevant since it will grow automatically. This issue came up when an attempt was made to send a very large certificate_authorities extension in the ClientHello. We should just remove the limit. Reviewed-by: Paul Dale Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/7424) --- Summary of changes: ssl/statem/statem_clnt.c | 7 --- 1 file changed, 7 deletions(-) diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 3b6cbb7..53bc5ef 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1112,13 +1112,6 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) SSL_SESSION *sess = s->session; unsigned char *session_id; -if (!WPACKET_set_max_size(pkt, SSL3_RT_MAX_PLAIN_LENGTH)) { -/* Should not happen */ -SSLfatal(s, SSL_AD_INTERNAL_ERROR, - SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); -return 0; -} - /* Work out what SSL/TLS/DTLS version to use */ protverr = ssl_set_client_hello_version(s); if (protverr != 0) { _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 87d06aed64395afcd9ee4e7c699950dd57278259 (commit) from 760e2d60e62511a6fb96f547f6730d05eb5f47ec (commit) - Log - commit 87d06aed64395afcd9ee4e7c699950dd57278259 Author: Matt Caswell Date: Mon Jan 7 15:16:23 2019 + Fix compilation on sparc Fixes #7966 Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7997) --- Summary of changes: crypto/des/asm/des_enc.m4 | 2 -- crypto/evp/e_aes.c| 5 + 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/crypto/des/asm/des_enc.m4 b/crypto/des/asm/des_enc.m4 index 92b9678..9a17fac 100644 --- a/crypto/des/asm/des_enc.m4 +++ b/crypto/des/asm/des_enc.m4 @@ -29,8 +29,6 @@ .ident "des_enc.m4 2.1" .file "des_enc-sparc.S" -#include - #if defined(__SUNPRO_C) && defined(__sparcv9) # define ABI64 /* They've said -xarch=v9 at command line */ #elif defined(__GNUC__) && defined(__arch64__) diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index 6080d16..8dc5235 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -927,6 +927,11 @@ static int aes_t4_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t len); # endif/* OPENSSL_NO_OCB */ +# ifndef OPENSSL_NO_SIV +# define aes_t4_siv_init_key aes_siv_init_key +# define aes_t4_siv_cipher aes_siv_cipher +# endif /* OPENSSL_NO_SIV */ + # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \ static const EVP_CIPHER aes_t4_##keylen##_##mode = { \ nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \ _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 760e2d60e62511a6fb96f547f6730d05eb5f47ec (commit) from df1f538f28c10f2954757164b17781040d2355ef (commit) - Log - commit 760e2d60e62511a6fb96f547f6730d05eb5f47ec Author: FdaSilvaYY Date: Tue Jan 8 16:27:27 2019 +1000 Fix CID 1434549: Unchecked return value in test/evp_test.c 5. check_return: Calling EVP_EncodeUpdate without checking return value (as is done elsewhere 4 out of 5 times). Fix CID 1371695, 1371698: Resource leak in test/evp_test.c - leaked_storage: Variable edata going out of scope leaks the storage it points to. - leaked_storage: Variable encode_ctx going out of scope leaks the storage it points to Fix CID 1430437, 1430426, 1430429 : Dereference before null check in test/drbg_cavs_test.c check_after_deref: Null-checking drbg suggests that it may be null, but it has already been dereferenced on all paths leading to the check Fix CID 1440765: Dereference before null check in test/ssltestlib.c check_after_deref: Null-checking ctx suggests that it may be null, but it has already been dereferenced on all paths leading to the check. Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Matthias St. Pierre Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7993) --- Summary of changes: test/drbg_cavs_test.c | 29 ++--- test/evp_test.c | 21 - test/ssltestlib.c | 6 -- 3 files changed, 26 insertions(+), 30 deletions(-) diff --git a/test/drbg_cavs_test.c b/test/drbg_cavs_test.c index 4bb65f0..99d4472 100644 --- a/test/drbg_cavs_test.c +++ b/test/drbg_cavs_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -106,12 +106,9 @@ static int single_kat_no_reseed(const struct drbg_kat *td) failures++; err: -if (buff != NULL) -OPENSSL_free(buff); -if (drbg != NULL) { -RAND_DRBG_uninstantiate(drbg); -RAND_DRBG_free(drbg); -} +OPENSSL_free(buff); +RAND_DRBG_uninstantiate(drbg); +RAND_DRBG_free(drbg); return failures == 0; } @@ -176,12 +173,9 @@ static int single_kat_pr_false(const struct drbg_kat *td) failures++; err: -if (buff != NULL) -OPENSSL_free(buff); -if (drbg != NULL) { -RAND_DRBG_uninstantiate(drbg); -RAND_DRBG_free(drbg); -} +OPENSSL_free(buff); +RAND_DRBG_uninstantiate(drbg); +RAND_DRBG_free(drbg); return failures == 0; } @@ -249,12 +243,9 @@ static int single_kat_pr_true(const struct drbg_kat *td) failures++; err: -if (buff != NULL) -OPENSSL_free(buff); -if (drbg != NULL) { -RAND_DRBG_uninstantiate(drbg); -RAND_DRBG_free(drbg); -} +OPENSSL_free(buff); +RAND_DRBG_uninstantiate(drbg); +RAND_DRBG_free(drbg); return failures == 0; } diff --git a/test/evp_test.c b/test/evp_test.c index f3dd79b..eaedab2 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1761,15 +1761,18 @@ static int encode_test_init(EVP_TEST *t, const char *encoding) } else if (strcmp(encoding, "invalid") == 0) { edata->encoding = BASE64_INVALID_ENCODING; if (!TEST_ptr(t->expected_err = OPENSSL_strdup("DECODE_ERROR"))) -return 0; +goto err; } else { TEST_error("Bad encoding: %s." " Should be one of {canonical, valid, invalid}", encoding); -return 0; +goto err; } t->data = edata; return 1; +err: +OPENSSL_free(edata); +return 0; } static void encode_test_cleanup(EVP_TEST *t) 
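Review bot: The `err:` cleanup in single_kat_no_reseed() now calls `RAND_DRBG_uninstantiate(drbg)` unconditionally, which is only safe while every `goto err` is reached after `drbg` has been created. Nothing in the hunk shows that RAND_DRBG_uninstantiate() tolerates NULL. A one-line comment at the label, such as `/* drbg is non-NULL on every path to err */`, would stop a later early exit from turning this into a NULL dereference. The same applies to the identical cleanup hunks in single_kat_pr_false() and single_kat_pr_true(). The function bodies start outside the hunks, so the claim that `drbg` is always set is taken from the commit message rather than from visible code.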
@@ -1798,7 +1801,7 @@ static int encode_test_run(EVP_TEST *t) ENCODE_DATA *expected = t->data; unsigned char *encode_out = NULL, *decode_out = NULL; int output_len, chunk_len; -EVP_ENCODE_CTX *decode_ctx; +EVP_ENCODE_CTX *decode_ctx = NULL, *encode_ctx = NULL; if (!TEST_ptr(decode_ctx = EVP_ENCODE_CTX_new())) { t->err = "INTERNAL_ERROR"; @@ -1806,7 +1809,6 @@ static int encode_test_run(EVP_TEST *t) } if (expected->encoding == BASE64_CANONICAL_ENCODING) { -
[openssl-commits] [openssl] master update
The branch master has been updated via df1f538f28c10f2954757164b17781040d2355ef (commit) via b2f16a2271c40faed168c8bd89b562919a18cb3f (commit) from 9effc496ad8a9b0ec737c69cc0fddf610a045ea4 (commit) - Log - commit df1f538f28c10f2954757164b17781040d2355ef Author: Viktor Dukhovni Date: Tue Jan 1 02:53:24 2019 -0500 More configurable crypto and ssl library initialization 1. In addition to overriding the default application name, one can now also override the configuration file name and flags passed to CONF_modules_load_file(). 2. By default we still keep going when configuration file processing fails. But, applications that want to be strict about initialization errors can now make explicit flag choices via non-null OPENSSL_INIT_SETTINGS that omit the CONF_MFLAGS_IGNORE_RETURN_CODES flag (which had so far been both undocumented and unused). 3. In OPENSSL_init_ssl() do not request OPENSSL_INIT_LOAD_CONFIG if the options already include OPENSSL_INIT_NO_LOAD_CONFIG. 4. Don't set up atexit() handlers when called with INIT_BASE_ONLY. Reviewed-by: Bernd Edlinger Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7986) commit b2f16a2271c40faed168c8bd89b562919a18cb3f Author: Viktor Dukhovni Date: Tue Jan 1 19:19:43 2019 -0500 Update generator copyright year. Some Travis builds appear to fail because generated objects get 2019 copyrights now, and the diff complains. 
Reviewed-by: Bernd Edlinger Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7986) --- Summary of changes: crypto/asn1/charmap.pl | 2 +- crypto/bn/bn_prime.pl | 2 +- crypto/conf/conf_lib.c | 26 + crypto/conf/conf_mod.c | 3 +++ crypto/conf/conf_sap.c | 23 +- crypto/conf/keysets.pl | 2 +- crypto/err/err.c| 12 crypto/init.c | 38 + crypto/objects/obj_dat.pl | 2 +- crypto/objects/objects.pl | 2 +- crypto/objects/objxref.pl | 2 +- doc/man3/CONF_modules_load_file.pod | 10 +- doc/man3/OPENSSL_init_crypto.pod| 37 +--- include/internal/conf.h | 9 - include/openssl/crypto.h| 6 +- ssl/ssl_init.c | 13 +++-- util/libcrypto.num | 2 ++ 17 files changed, 148 insertions(+), 43 deletions(-) diff --git a/crypto/asn1/charmap.pl b/crypto/asn1/charmap.pl index 20f05fc..d29a21b 100644 --- a/crypto/asn1/charmap.pl +++ b/crypto/asn1/charmap.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bn/bn_prime.pl b/crypto/bn/bn_prime.pl index fb54810..76df3fc 100644 --- a/crypto/bn/bn_prime.pl +++ b/crypto/bn/bn_prime.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1998-2019 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/conf/conf_lib.c b/crypto/conf/conf_lib.c index 860ac67..606563a 100644 --- a/crypto/conf/conf_lib.c +++ b/crypto/conf/conf_lib.c 
@@ -358,11 +358,36 @@ OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(void) if (ret != NULL) memset(ret, 0, sizeof(*ret)); +ret->flags = DEFAULT_CONF_MFLAGS; + return ret; } #ifndef OPENSSL_NO_STDIO +int OPENSSL_INIT_set_config_filename(OPENSSL_INIT_SETTINGS *settings, + const char *filename) +{ +char *newfilename = NULL; + +if (filename != NULL) { +newfilename = strdup(filename); +if (newfilename == NULL) +return 0; +} + +free(settings->filename); +settings->filename = newfilename; + +return 1; +} + +void OPENSSL_INIT_set_config_file_flags(OPENSSL_INIT_SETTINGS *settings, +unsigned long flags) +{ +settings->flags = flags; +} + int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *settings, const char *appname) { @@ -383,6 +408,7 @@ int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *settings, void
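Review bot: In OPENSSL_INIT_new() the added `ret->flags = DEFAULT_CONF_MFLAGS;` follows the `if (ret != NULL) memset(ret, 0, sizeof(*ret));` statement instead of sitting inside it, so as shown it dereferences `ret` on the failure path that the preceding check exists for. Return early with `if (ret == NULL) return NULL;` and then do the memset and the flags assignment unconditionally. Indentation is lost in this listing, so the bracing is read from statement order. The function's allocation line is outside the hunk. The new OPENSSL_INIT_set_config_filename() and OPENSSL_INIT_set_config_file_flags() also dereference `settings` without a check, so either document that NULL is not accepted or guard it.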
[openssl-commits] [openssl] master update
The branch master has been updated via 9effc496ad8a9b0ec737c69cc0fddf610a045ea4 (commit) via 23fed8ba0ec895e1b2a089cae380697f15170afc (commit) from 67ee899cb51d3e3d7b5f00b878f8f82a097b93f0 (commit) - Log - commit 9effc496ad8a9b0ec737c69cc0fddf610a045ea4 Author: Matt Caswell Date: Fri Jan 4 16:55:15 2019 + Add a test for correct handling of the cryptopro bug extension This was complicated by the fact that we were using this extension for our duplicate extension handling tests. In order to add tests for cryptopro bug the duplicate extension handling tests needed to change first. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7984) commit 23fed8ba0ec895e1b2a089cae380697f15170afc Author: Matt Caswell Date: Fri Jan 4 16:54:03 2019 + Don't complain if we receive the cryptopro extension in the ClientHello The cryptopro extension is supposed to be unsolicited and appears in the ServerHello only. Additionally it is unofficial and unregistered - therefore we should really treat it like any other unknown extension if we see it in the ClientHello. Fixes #7747 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7984) --- Summary of changes: ssl/statem/extensions.c | 6 -- test/recipes/70-test_sslextension.t | 32 +++ util/perl/TLSProxy/Certificate.pm | 5 - util/perl/TLSProxy/ClientHello.pm | 7 ++- util/perl/TLSProxy/EncryptedExtensions.pm | 5 - util/perl/TLSProxy/Message.pm | 16 +++- util/perl/TLSProxy/ServerHello.pm | 2 +- 7 files changed, 46 insertions(+), 27 deletions(-) diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index ffa4b46..773309a 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c 
@@ -348,10 +348,12 @@ static const EXTENSION_DEFINITION ext_defs[] = { { /* * Special unsolicited ServerHello extension only used when - * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set + * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set. We allow it in a ClientHello but + * ignore it. */ TLSEXT_TYPE_cryptopro_bug, -SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY, +SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO +| SSL_EXT_TLS1_2_AND_BELOW_ONLY, NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL }, { diff --git a/test/recipes/70-test_sslextension.t b/test/recipes/70-test_sslextension.t index 79466b6..e725b44 100644 --- a/test/recipes/70-test_sslextension.t +++ b/test/recipes/70-test_sslextension.t @@ -88,9 +88,11 @@ sub inject_duplicate_extension foreach my $message (@{$proxy->message_list}) { if ($message->mt == $message_type) { my %extensions = %{$message->extension_data}; -# Add a duplicate (unknown) extension. - $message->set_extension(TLSProxy::Message::EXT_DUPLICATE_EXTENSION, ""); - $message->set_extension(TLSProxy::Message::EXT_DUPLICATE_EXTENSION, ""); +# Add a duplicate extension. We use cryptopro_bug since we never +# normally write that one, and it is allowed as unsolicited in the +# ServerHello + $message->set_extension(TLSProxy::Message::EXT_CRYPTOPRO_BUG_EXTENSION, ""); +$message->dupext(TLSProxy::Message::EXT_CRYPTOPRO_BUG_EXTENSION); $message->repack(); } } 
@@ -173,9 +175,23 @@ sub inject_unsolicited_extension $sent_unsolisited_extension = 1; } +sub inject_cryptopro_extension +{ +my $proxy = shift; + +# We're only interested in the initial ClientHello +if ($proxy->flight != 0) { +return; +} + +my $message = ${$proxy->message_list}[0]; +$message->set_extension(TLSProxy::Message::EXT_CRYPTOPRO_BUG_EXTENSION, ""); +$message->repack(); +} + # Test 1-2: Sending a duplicate extension should fail. $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 7; +plan tests => 8; ok($fatal_alert, "Duplicate ClientHello extension"); $fatal_alert = 0; @@ -234,3 +250,11 @@ SKIP: { $proxy->start(); ok($fatal_alert, "Unsolicited server name extension (TLSv1.3)"); } + +#Test 8: Send the cryptopro extension in a ClientHello. Normally this is an +#unsolicited extension only ever seen in the ServerHello. We should +#ignore it in a ClientHello +$proxy->clear(); +$proxy->filter(\_cryptopro_extension); +$proxy->start(); +ok(TLSProxy::Message->success(), "Cryptopro extension in ClientHello"); diff --git a/util/perl/TLSProxy/Certificate.pm b/util/perl/TLSProxy/Certificate.pm index 70c9fae..03f6619 100644 ---
[openssl-commits] [openssl] master update
The branch master has been updated via 67ee899cb51d3e3d7b5f00b878f8f82a097b93f0 (commit) from 673e0bbbe4b9cbd19a247c0b18c171bb0421915a (commit) - Log - commit 67ee899cb51d3e3d7b5f00b878f8f82a097b93f0 Author: Dr. Matthias St. Pierre Date: Mon Jan 7 01:21:56 2019 +0100 doc/man1/x509.pod: fix typo This looks like a copy error from req.pod to x509.pod. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7995) --- Summary of changes: doc/man1/x509.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man1/x509.pod b/doc/man1/x509.pod index 8c096ed..75919ca 100644 --- a/doc/man1/x509.pod +++ b/doc/man1/x509.pod @@ -173,7 +173,7 @@ options. See the B section for more information. =item B<-noout> -This option prevents output of the encoded version of the request. +This option prevents output of the encoded version of the certificate. =item B<-pubkey> _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 673e0bbbe4b9cbd19a247c0b18c171bb0421915a (commit) from 5e9072ed99971fa5e47326c2f8ffa4bc9624a584 (commit) - Log - commit 673e0bbbe4b9cbd19a247c0b18c171bb0421915a Author: Dmitry Belyavskiy Date: Fri Jan 4 20:38:29 2019 +0300 Restore compatibility with GOST2001 implementations. Reviewed-by: Tim Hudson Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7985) --- Summary of changes: ssl/statem/extensions.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index c549218..ffa4b46 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -623,7 +623,12 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, && type != TLSEXT_TYPE_cookie && type != TLSEXT_TYPE_renegotiate && type != TLSEXT_TYPE_signed_certificate_timestamp -&& (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0) { +&& (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0 +#ifndef OPENSSL_NO_GOST +&& !((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0 + && type == TLSEXT_TYPE_cryptopro_bug) +#endif + ) { SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_UNSOLICITED_EXTENSION); goto err; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
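Review bot: The new exemption in tls_collect_extensions() lets `TLSEXT_TYPE_cryptopro_bug` bypass the unsolicited-extension check for any `SSL_EXT_TLS1_2_SERVER_HELLO` context in a build without OPENSSL_NO_GOST, and it carries no comment saying why. Because this relaxes a protocol check, state the reason and scope next to it, for example `/* GOST2001 peers may send cryptopro_bug unsolicited; tolerate it in a TLSv1.2 ServerHello only */`. It may also be worth limiting the exemption to handshakes that negotiated a GOST ciphersuite, but the hunk shows too little of the function to tell whether that is known at this point. The `#ifndef` inside the `if` condition is hard to read; a small predicate computed before the `if` would keep the condition in one piece.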
[openssl-commits] [openssl] master update
The branch master has been updated via 5e9072ed99971fa5e47326c2f8ffa4bc9624a584 (commit) from 87bbbfb1e4fc2035e8f9ec1d6313a41c410a3218 (commit) - Log - commit 5e9072ed99971fa5e47326c2f8ffa4bc9624a584 Author: Matt Caswell Date: Fri Jan 4 11:13:39 2019 + Fix no-sock Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7981) --- Summary of changes: test/sslapitest.c | 6 -- test/ssltestlib.c | 9 ++--- 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/test/sslapitest.c b/test/sslapitest.c index d52380c..1868eb3 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -657,7 +657,8 @@ static int execute_test_large_message(const SSL_METHOD *smeth, return testresult; } -#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) +#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \ +&& !defined(OPENSSL_NO_SOCK) /* sock must be connected */ static int ktls_chk_platform(int sock) @@ -6053,7 +6054,8 @@ int setup_tests(void) #endif } -#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) +#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_KTLS) \ +&& !defined(OPENSSL_NO_SOCK) ADD_TEST(test_ktls_client_server); ADD_TEST(test_ktls_no_client_server); ADD_TEST(test_ktls_client_no_server); diff --git a/test/ssltestlib.c b/test/ssltestlib.c index 50c7112..8187513 100644 --- a/test/ssltestlib.c +++ b/test/ssltestlib.c @@ -663,7 +663,7 @@ int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm, #define MAXLOOPS100 -#ifndef OPENSSL_NO_KTLS +#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK) static int set_nb(int fd) { int flags; @@ -736,12 +736,6 @@ success: close(afd); return ret; } -#else -int create_test_sockets(int *cfd, int *sfd) -{ -return 0; -} -#endif int create_ssl_objects2(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, SSL **cssl, int sfd, int cfd) 
@@ -775,6 +769,7 @@ int create_ssl_objects2(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, BIO_free(c_to_s_bio); return 0; } +#endif /* * NOTE: Transfers control of the BIOs - this function will free them on error _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 87bbbfb1e4fc2035e8f9ec1d6313a41c410a3218 (commit) from e74be3d497e5ef60515c186100f3abef832a9f9d (commit) - Log - commit 87bbbfb1e4fc2035e8f9ec1d6313a41c410a3218 Author: Matt Caswell Date: Fri Jan 4 10:24:19 2019 + Fix no-cmac Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7979) --- Summary of changes: test/recipes/90-test_gost.t | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/recipes/90-test_gost.t b/test/recipes/90-test_gost.t index ac214e2..d4f27b8 100644 --- a/test/recipes/90-test_gost.t +++ b/test/recipes/90-test_gost.t @@ -12,11 +12,11 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; setup("test_gost"); # The GOST ciphers are dynamically loaded via the GOST engine, so we must be -# able to support that. The engine also uses DSA and CMS symbols, so we skip -# this test on no-dsa or no-cms. +# able to support that. The engine also uses DSA, CMS and CMAC symbols, so we +# skip this test on no-dsa, no-cms or no-cmac. plan skip_all => "GOST support is disabled in this OpenSSL build" if disabled("gost") || disabled("engine") || disabled("dynamic-engine") - || disabled("dsa") || disabled("cms"); + || disabled("dsa") || disabled("cms") || disabled("cmac"); plan skip_all => "TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build" if disabled("tls1_3") || disabled("tls1_2"); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via e74be3d497e5ef60515c186100f3abef832a9f9d (commit) from f760137b2144740916afd9ff381451fa16c710de (commit) - Log - commit e74be3d497e5ef60515c186100f3abef832a9f9d Author: Richard Levitte Date: Sat Jan 5 09:33:22 2019 +0100 crypto/evp/e_aes.c: build again on s390x The stuff needed to build with SIV wasn't in place for s390x Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7988) --- Summary of changes: crypto/evp/e_aes.c | 16 ++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index a882f21..6080d16 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -2427,6 +2427,18 @@ static int s390x_aes_ocb_cleanup(EVP_CIPHER_CTX *); static int s390x_aes_ocb_ctrl(EVP_CIPHER_CTX *, int type, int arg, void *ptr); # endif +# ifndef OPENSSL_NO_SIV +# define S390X_AES_SIV_CTX EVP_AES_SIV_CTX +# define S390X_aes_128_siv_CAPABLE 0 +# define S390X_aes_192_siv_CAPABLE 0 +# define S390X_aes_256_siv_CAPABLE 0 + +# define s390x_aes_siv_init_key aes_siv_init_key +# define s390x_aes_siv_cipher aes_siv_cipher +# define s390x_aes_siv_cleanup aes_siv_cleanup +# define s390x_aes_siv_ctrl aes_siv_ctrl +# endif + # define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode, \ MODE,flags) \ static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \ @@ -2468,7 +2480,7 @@ const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \ static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \ nid##_##keylen##_##mode, \ blocksize, \ -(EVP_CIPH_##MODE##_MODE == EVP_CIPH_XTS_MODE ? 2 : 1) * keylen / 8, \ + (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \ ivlen, \ flags | EVP_CIPH_##MODE##_MODE,\ s390x_aes_##mode##_init_key, \ 
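Review bot: The key-length expression `(EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8` is now written out in two EVP_CIPHER initialisers: the `s390x_aes_##keylen##_##mode` one in the hunk at -2468 and the `aes_##keylen##_##mode` one in the hunk that follows. It has also lost the spacing of the line it replaces. Since this expression decides how many key bytes each mode takes, define it once in a helper macro (name to be chosen by the project) with the spacing restored, and use it in both places. A comment such as `/* XTS and SIV take a double-length key */` would record the reason. The enclosing macro definitions start and end outside the hunks.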
@@ -2482,7 +2494,7 @@ static const EVP_CIPHER s390x_aes_##keylen##_##mode = { \ }; \ static const EVP_CIPHER aes_##keylen##_##mode = { \ nid##_##keylen##_##mode,blocksize, \ -(EVP_CIPH_##MODE##_MODE == EVP_CIPH_XTS_MODE ? 2 : 1) * keylen / 8, \ + (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE||EVP_CIPH_##MODE##_MODE==EVP_CIPH_SIV_MODE ? 2 : 1) * keylen / 8, \ ivlen, \ flags | EVP_CIPH_##MODE##_MODE,\ aes_##mode##_init_key, \ _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via f760137b2144740916afd9ff381451fa16c710de (commit) via c66bb88cb08adbc848271dd388aa9695c7e200be (commit) from de2debc524e8de89a9e4e8cd890af3882cf1aaab (commit) - Log - commit f760137b2144740916afd9ff381451fa16c710de Author: Patrick Steuer Date: Sat Aug 4 00:10:06 2018 +0200 crypto/chacha/asm/chacha-s390x.pl: add vx code path. Signed-off-by: Patrick Steuer Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6919) commit c66bb88cb08adbc848271dd388aa9695c7e200be Author: Patrick Steuer Date: Wed Dec 7 12:58:34 2016 +0100 s390x assembly pack: perlasm support. Added crypto/perlasm/s390x.pm Perl module. Its primary use is to be independent of binutils version, that is to write byte codes of instructions that are not part of the base instruction set. Currently only gas format is supported. Signed-off-by: Patrick Steuer Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6919) --- Summary of changes: crypto/chacha/asm/chacha-s390x.pl | 816 ++ crypto/chacha/build.info |1 + crypto/perlasm/s390x.pm | 3060 + 3 files changed, 3618 insertions(+), 259 deletions(-) create mode 100644 crypto/perlasm/s390x.pm diff --git a/crypto/chacha/asm/chacha-s390x.pl b/crypto/chacha/asm/chacha-s390x.pl index 1b13a41..005c810 100755 --- a/crypto/chacha/asm/chacha-s390x.pl +++ b/crypto/chacha/asm/chacha-s390x.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy 
@@ -20,41 +20,46 @@ # # 3 times faster than compiler-generated code. -$flavour = shift; +# +# August 2018 +# +# Add vx code path. +# +# Copyright IBM Corp. 2018 +# Author: Patrick Steuer +use strict; +use FindBin qw($Bin); +use lib "$Bin/../.."; +use perlasm::s390x qw(:DEFAULT :VX AUTOLOAD LABEL INCLUDE); + +my $flavour = shift; + +my ($z,$SIZE_T); if ($flavour =~ /3[12]/) { + $z=0; # S/390 ABI $SIZE_T=4; - $g=""; } else { + $z=1; # zSeries ABI $SIZE_T=8; - $g="g"; } +my $output; while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} -open STDOUT,">$output"; - -sub AUTOLOAD() # thunk [simplified] x86-style perlasm -{ my $opcode = $AUTOLOAD; $opcode =~ s/.*:://; -$code .= "\t$opcode\t".join(',',@_)."\n"; -} my $sp="%r15"; - my $stdframe=16*$SIZE_T+4*8; -my $frame=$stdframe+4*20; - -my ($out,$inp,$len,$key,$counter)=map("%r$_",(2..6)); my @x=map("%r$_",(0..7,"x","x","x","x",(10..13))); my @t=map("%r$_",(8,9)); +my @v=map("%v$_",(16..31)); sub ROUND { my ($a0,$b0,$c0,$d0)=@_; my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0)); my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1)); my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2)); -my ($xc,$xc_)=map("\"$_\"",@t); -my @x=map("\"$_\"",@x); +my ($xc,$xc_)=map("$_",@t); # Consider order in which variables are addressed by their # index: 
@@ -78,249 +83,542 @@ my @x=map("\"$_\"",@x); # 'c' stores and loads in the middle, but none in the beginning # or end. - ( - " (@x[$a0],@x[$b0])", # Q1 -" (@x[$a1],@x[$b1])", # Q2 - "(@x[$d0],@x[$a0])", -" (@x[$d1],@x[$a1])", - " (@x[$d0],@x[$d0],16)", -" (@x[$d1],@x[$d1],16)", - - " ($xc,@x[$d0])", -" ($xc_,@x[$d1])", - "(@x[$b0],$xc)", -" (@x[$b1],$xc_)", - " (@x[$b0],@x[$b0],12)", -" (@x[$b1],@x[$b1],12)", - - " (@x[$a0],@x[$b0])", -" (@x[$a1],@x[$b1])", - "(@x[$d0],@x[$a0])", -" (@x[$d1],@x[$a1])", - " (@x[$d0],@x[$d0],8)", -" (@x[$d1],@x[$d1],8)", - - " ($xc,@x[$d0])", -" ($xc_,@x[$d1])", - "(@x[$b0],$xc)", -" (@x[$b1],$xc_)", - " (@x[$b0],@x[$b0],7)", -" (@x[$b1],@x[$b1],7)", - - " ($xc,$xc_,'$stdframe+4*8+4*$c0($sp)')", # reload pair of 'c's - "($xc,$xc_,'$stdframe+4*8+4*$c2($sp)')", - - " (@x[$a2],@x[$b2])", # Q3 -" (@x[$a3],@x[$b3])", # Q4 - "(@x[$d2],@x[$a2])", -" (@x[$d3],@x[$a3])", - " (@x[$d2],@x[$d2],16)", -" (@x[$d3],@x[$d3],16)", - - " ($xc,@x[$d2])", -" ($xc_,@x[$d3])", - "(@x[$b2],$xc)", -" (@x[$b3],$xc_)", - " (@x[$b2],@x[$b2],12)", -
[openssl-commits] [openssl] master update
The branch master has been updated via de2debc524e8de89a9e4e8cd890af3882cf1aaab (commit) via 41999e7d358c3657a254b34b85fd9e948180529b (commit) via 88d57bf83fe32b2c8ceb1264562fdd028de504bf (commit) via d0f2f202c5aa6365d3c13e18a0b9e26837c290a0 (commit) via 8f6a5c56c17aa89b80fef73875beec53aef1f2c8 (commit) via 660a1e0434eb5eb8548bea3ad35f3821d49c5c15 (commit) via df5228e3b294fc546d0f8ea46e40ac111db58650 (commit) from 9c5ef4ea486f675f33592b34775c3e453f60ee69 (commit) - Log - commit de2debc524e8de89a9e4e8cd890af3882cf1aaab Author: Matt Caswell Date: Fri Nov 16 17:26:23 2018 + Support _onexit() in preference to atexit() on Windows This enables cleanup to happen on DLL unload instead of at process exit. [extended tests] Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7647) commit 41999e7d358c3657a254b34b85fd9e948180529b Author: Matt Caswell Date: Fri Nov 16 14:05:14 2018 + Introduce a no-pinshared option This option prevents OpenSSL from pinning itself in memory. Fixes #7598 [extended tests] Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7647) commit 88d57bf83fe32b2c8ceb1264562fdd028de504bf Author: Matt Caswell Date: Thu Nov 15 17:41:06 2018 + Test atexit handlers Test that atexit handlers get called properly at process exit, unless we have explicitly asked for them not to be. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7647) commit d0f2f202c5aa6365d3c13e18a0b9e26837c290a0 Author: Matt Caswell Date: Thu Nov 15 16:59:41 2018 + Don't link shlibloadtest against libcrypto The whole point of shlibloadtest is to test dynamically loading and unloading the library. If we link shlibloadtest against libcrypto then that might mask potential issues. 
Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7647) commit 8f6a5c56c17aa89b80fef73875beec53aef1f2c8 Author: Matt Caswell Date: Thu Nov 15 16:27:34 2018 + Implement OPENSSL_INIT_NO_ATEXIT Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7647) commit 660a1e0434eb5eb8548bea3ad35f3821d49c5c15 Author: Matt Caswell Date: Tue Nov 20 15:32:55 2018 + Fix a RUN_ONCE bug We have a number of instances where there are multiple "init" functions for a single CRYPTO_ONCE variable, e.g. to load config automatically or to not load config automatically. Unfortunately the RUN_ONCE mechanism was not correctly giving the right return value where an alternative init function was being used. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7647) commit df5228e3b294fc546d0f8ea46e40ac111db58650 Author: Matt Caswell Date: Thu Nov 15 14:50:52 2018 + Fix shlibloadtest to properly execute the dso_ref test Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7647) --- Summary of changes: Configurations/10-main.conf | 2 +- Configure| 1 + INSTALL | 18 crypto/init.c| 105 +++ doc/man3/OPENSSL_init_crypto.pod | 9 +- include/internal/thread_once.h | 92 + include/openssl/crypto.h | 2 +- ssl/ssl_init.c | 6 +- test/build.info | 1 - test/recipes/90-test_shlibload.t | 45 +++-- test/shlibloadtest.c | 213 +++ 11 files changed, 394 insertions(+), 100 deletions(-) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index 6506203..21d8345 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -651,7 +651,7 @@ my %targets = ( dso_scheme => "dlfcn", shared_target=> "linux-shared", shared_cflag => "-fPIC", -shared_ldflag=> "-Wl,-znodelete", +shared_ldflag=> sub { $disabled{pinshared} ? () : "-Wl,-znodelete" }, shared_extension => ".so.\$(SHLIB_VERSION_NUMBER)", enable => [ "afalgeng" ], }, diff --git a/Configure b/Configure index da09003..7a2be83 100755 
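Review bot: The new `shared_ldflag` sub in Configurations/10-main.conf (the entry whose `shared_target` is `linux-shared`) drops `-Wl,-znodelete` when `pinshared` is disabled, but nothing on that line says what the flag protects. Without it, `dlclose()` can really unmap the library, so an exit handler the library registered earlier would presumably point at unmapped code unless the application also opts out of it; the log above mentions `OPENSSL_INIT_NO_ATEXIT`, whose implementation is not in this hunk. A comment above the line such as `# -znodelete keeps the library mapped after dlclose(); no-pinshared drops it, see INSTALL` would record the trade-off for whoever edits this target next. The surrounding `%targets` entry starts and ends outside the hunk.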
--- a/Configure +++ b/Configure @@ -374,6 +374,7 @@ my @disablables = ( "msan", "multiblock", "nextprotoneg", +"pinshared", "ocb", "ocsp", "pic", diff --git a/INSTALL b/INSTALL index 049ff21..2fd2235 100644 --- a/INSTALL +++ b/INSTALL @@ -416,6 +416,24 @@ no-pic Don't build with support for Position Independent Code. + no-pinshared By default OpenSSL will attempt to
[openssl-commits] [openssl] master update
The branch master has been updated via 9c5ef4ea486f675f33592b34775c3e453f60ee69 (commit) via d072eea2e39cecce3598556053a4c552d9a2 (commit) from 51adf14a948ac0999114f3807fa6ceae1bb060ac (commit) - Log - commit 9c5ef4ea486f675f33592b34775c3e453f60ee69 Author: Dmitry Belyavskiy Date: Wed Jan 2 15:47:07 2019 +0300 Eliminate unused buffers from ssl3_change_cipher_state Reviewed-by: Tim Hudson Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7971) commit d072eea2e39cecce3598556053a4c552d9a2 Author: Dmitry Belyavskiy Date: Wed Jan 2 13:28:07 2019 +0300 Remove unused variables from tls1_change_cipher_state Reviewed-by: Tim Hudson Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7971) --- Summary of changes: ssl/s3_enc.c | 6 -- ssl/t1_enc.c | 12 2 files changed, 18 deletions(-) diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 9af4ccb..4d884f4 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -90,8 +90,6 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) int ssl3_change_cipher_state(SSL *s, int which) { unsigned char *p, *mac_secret; -unsigned char exp_key[EVP_MAX_KEY_LENGTH]; -unsigned char exp_iv[EVP_MAX_IV_LENGTH]; unsigned char *ms, *key, *iv; EVP_CIPHER_CTX *dd; const EVP_CIPHER *c; @@ -239,12 +237,8 @@ int ssl3_change_cipher_state(SSL *s, int which) } s->statem.enc_write_state = ENC_WRITE_STATE_VALID; -OPENSSL_cleanse(exp_key, sizeof(exp_key)); -OPENSSL_cleanse(exp_iv, sizeof(exp_iv)); return 1; err: -OPENSSL_cleanse(exp_key, sizeof(exp_key)); -OPENSSL_cleanse(exp_iv, sizeof(exp_iv)); return 0; } diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index adcc626..9b58bd8 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c 
@@ -85,10 +85,6 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km, size_t num) int tls1_change_cipher_state(SSL *s, int which) { unsigned char *p, *mac_secret; -unsigned char tmp1[EVP_MAX_KEY_LENGTH]; -unsigned char tmp2[EVP_MAX_KEY_LENGTH]; -unsigned char iv1[EVP_MAX_IV_LENGTH * 2]; -unsigned char iv2[EVP_MAX_IV_LENGTH * 2]; unsigned char *ms, *key, *iv; EVP_CIPHER_CTX *dd; const EVP_CIPHER *c; @@ -408,16 +404,8 @@ int tls1_change_cipher_state(SSL *s, int which) printf("\n"); #endif -OPENSSL_cleanse(tmp1, sizeof(tmp1)); -OPENSSL_cleanse(tmp2, sizeof(tmp1)); -OPENSSL_cleanse(iv1, sizeof(iv1)); -OPENSSL_cleanse(iv2, sizeof(iv2)); return 1; err: -OPENSSL_cleanse(tmp1, sizeof(tmp1)); -OPENSSL_cleanse(tmp2, sizeof(tmp1)); -OPENSSL_cleanse(iv1, sizeof(iv1)); -OPENSSL_cleanse(iv2, sizeof(iv2)); return 0; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits