Microarchitecture timing vulnerability in ECC scalar multiplication

From no-reply at appveyor.com Thu Nov 1 08:55:57 2018 From: no-reply at appveyor.com (AppVeyor) Date: Thu, 01 Nov 2018 08:55:57 +0000 Subject: [openssl-commits] Build failed: openssl master.20707 Message-ID: <20181101085557.1.79EDBB7EB0FE40B6@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Thu Nov 1 09:22:44 2018 From: no-reply at appveyor.com (AppVeyor) Date: Thu, 01 Nov 2018 09:22:44 +0000 Subject: [openssl-commits] Build completed: openssl master.20708 Message-ID: <20181101092244.1.DD9BA7829BA42248@appveyor.com> An HTML attachment was scrubbed... URL: From levitte at openssl.org Thu Nov 1 14:42:00 2018 From: levitte at openssl.org (Richard Levitte) Date: Thu, 01 Nov 2018 14:42:00 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541083320.594855.11904.nullmailer@dev.openssl.org> The branch master has been updated via 3bed01a09071fb289484dfd265f0a8a991537282 (commit) from 54f3e855d48d08e9623a7ced715e263352c95274 (commit) - Log ----------------------------------------------------------------- commit 3bed01a09071fb289484dfd265f0a8a991537282 Author: Richard Levitte Date: Thu Nov 1 13:55:32 2018 +0100 Configure: ensure empty arrays aren't created inadvertently Just refering to a hash table element as an array reference will automatically create that element. Avoid that by defaulting to a separate empty array reference. Fixes #7543 Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7544) ----------------------------------------------------------------------- Summary of changes: Configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configure b/Configure index bf0c2d5..f46be6b 100755 --- a/Configure +++ b/Configure @@ -2344,7 +2344,7 @@ EOF my %dirs = (); my $pd = dirname($product); - foreach (@{$unified_info{sources}->{$product}}, + foreach (@{$unified_info{sources}->{$product} // []}, @{$unified_info{shared_sources}->{$product} // []}) { my $d = dirname($_); From pauli at openssl.org Thu Nov 1 22:01:34 2018 From: pauli at openssl.org (Paul I. Dale) Date: Thu, 01 Nov 2018 22:01:34 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541109694.471971.28396.nullmailer@dev.openssl.org> The branch master has been updated via 0d1f7ae3c928486120b682a6ce6efcaeb36229d6 (commit) from 3bed01a09071fb289484dfd265f0a8a991537282 (commit) - Log ----------------------------------------------------------------- commit 0d1f7ae3c928486120b682a6ce6efcaeb36229d6 Author: Pauli Date: Thu Nov 1 14:25:20 2018 +1000 openssl list -mac-algorithms support. Reviewed-by: Richard Levitte Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7541) ----------------------------------------------------------------------- Summary of changes: apps/openssl.c | 21 ++++++++++++++++++++- doc/man1/list.pod | 8 ++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/apps/openssl.c b/apps/openssl.c index 3d6b276..67b75e4 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -297,6 +297,20 @@ static void list_md_fn(const EVP_MD *m, } } +static void list_mac_fn(const EVP_MAC *m, + const char *from, const char *to, void *arg) +{ + if (m != NULL) { + BIO_printf(arg, "%s\n", EVP_MAC_name(m)); + } else { + if (from == NULL) + from = ""; + if (to == NULL) + to = ""; + BIO_printf(arg, "%s => %s\n", from, to); + } +} + static void list_missing_help(void) { const FUNCTION *fp; @@ -396,7 +410,7 @@ static void list_options_for_command(const char *command) /* Unified enum for help and list commands. */ typedef enum HELPLIST_CHOICE { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_ONE, - OPT_COMMANDS, OPT_DIGEST_COMMANDS, OPT_OPTIONS, + OPT_COMMANDS, OPT_DIGEST_COMMANDS, OPT_MAC_ALGORITHMS, OPT_OPTIONS, OPT_DIGEST_ALGORITHMS, OPT_CIPHER_COMMANDS, OPT_CIPHER_ALGORITHMS, OPT_PK_ALGORITHMS, OPT_PK_METHOD, OPT_DISABLED, OPT_MISSING_HELP, OPT_OBJECTS @@ -410,6 +424,8 @@ const OPTIONS list_options[] = { "List of message digest commands"}, {"digest-algorithms", OPT_DIGEST_ALGORITHMS, '-', "List of message digest algorithms"}, + {"mac-algorithms", OPT_MAC_ALGORITHMS, '-', + "List of message authentication code algorithms"}, {"cipher-commands", OPT_CIPHER_COMMANDS, '-', "List of cipher commands"}, {"cipher-algorithms", OPT_CIPHER_ALGORITHMS, '-', "List of cipher algorithms"}, @@ -457,6 +473,9 @@ opthelp: case OPT_DIGEST_ALGORITHMS: EVP_MD_do_all_sorted(list_md_fn, bio_out); break; + case OPT_MAC_ALGORITHMS: + EVP_MAC_do_all_sorted(list_mac_fn, bio_out); + break; case OPT_CIPHER_COMMANDS: list_type(FT_cipher, one); break; diff --git a/doc/man1/list.pod b/doc/man1/list.pod index f2fd06b..eeb099b 100644 --- a/doc/man1/list.pod +++ b/doc/man1/list.pod @@ -13,6 +13,7 @@ B [B<-commands>] [B<-digest-commands>] [B<-digest-algorithms>] +[B<-mac-algorithms>] [B<-cipher-commands>] [B<-cipher-algorithms>] [B<-public-key-algorithms>] @@ -53,6 +54,13 @@ If a line is of the form foo => bar then B is an alias for the official algorithm name, B. +=item B<-mac-algorithms> + +Display a list of message authentication code algorithms. +If a line is of the form + foo => bar +then B is an alias for the official algorithm name, B. + =item B<-cipher-commands> Display a list of cipher commands, which are typically used as input From pauli at openssl.org Thu Nov 1 22:10:30 2018 From: pauli at openssl.org (Paul I. Dale) Date: Thu, 01 Nov 2018 22:10:30 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541110230.133557.31168.nullmailer@dev.openssl.org> The branch master has been updated via 00496b6423605391864fbbd1693f23631a1c5239 (commit) from 0d1f7ae3c928486120b682a6ce6efcaeb36229d6 (commit) - Log ----------------------------------------------------------------- commit 00496b6423605391864fbbd1693f23631a1c5239 Author: Pauli Date: Thu Nov 1 08:44:11 2018 +1000 Add a constant time flag to one of the bignums to avoid a timing leak. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7549) ----------------------------------------------------------------------- Summary of changes: crypto/dsa/dsa_ossl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 2dd2d74..7a0b087 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -223,6 +223,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, } while (BN_is_zero(k)); BN_set_flags(k, BN_FLG_CONSTTIME); + BN_set_flags(l, BN_FLG_CONSTTIME); if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, From pauli at openssl.org Thu Nov 1 22:14:49 2018 From: pauli at openssl.org (Paul I. Dale) Date: Thu, 01 Nov 2018 22:14:49 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541110489.166923.32555.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 6039651c43944cf4633483a74c2ef3a6b8c0c6c0 (commit) from 222b0a8e1a43e67c8d65fd325828d8860ed2d348 (commit) - Log ----------------------------------------------------------------- commit 6039651c43944cf4633483a74c2ef3a6b8c0c6c0 Author: Pauli Date: Thu Nov 1 08:44:11 2018 +1000 Add a constant time flag to one of the bignums to avoid a timing leak. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7549) (cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239) ----------------------------------------------------------------------- Summary of changes: crypto/dsa/dsa_ossl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 2dd2d74..7a0b087 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -223,6 +223,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, } while (BN_is_zero(k)); BN_set_flags(k, BN_FLG_CONSTTIME); + BN_set_flags(l, BN_FLG_CONSTTIME); if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, From pauli at openssl.org Thu Nov 1 22:16:20 2018 From: pauli at openssl.org (Paul I. Dale) Date: Thu, 01 Nov 2018 22:16:20 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_0-stable update Message-ID: <1541110580.677815.956.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_0-stable has been updated via 26d7fce13d469f8d1a1b42131467ed4a65f8137b (commit) from 003f1bfd185267cc67ac9dc521a27d7a2af0d0ee (commit) - Log ----------------------------------------------------------------- commit 26d7fce13d469f8d1a1b42131467ed4a65f8137b Author: Pauli Date: Thu Nov 1 08:44:11 2018 +1000 Add a constant time flag to one of the bignums to avoid a timing leak. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7549) (cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239) ----------------------------------------------------------------------- Summary of changes: crypto/dsa/dsa_ossl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index be58625..868283a 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -225,6 +225,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, } while (BN_is_zero(k)); BN_set_flags(k, BN_FLG_CONSTTIME); + BN_set_flags(l, BN_FLG_CONSTTIME); if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, From pauli at openssl.org Thu Nov 1 22:18:30 2018 From: pauli at openssl.org (Paul I. Dale) Date: Thu, 01 Nov 2018 22:18:30 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1541110710.900869.2007.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 880d1c76ed9916cddb97fe05fb4c144f0f6f1012 (commit) from ebf65dbe1a67682d7e1f58db9c53ef737fb37f32 (commit) - Log ----------------------------------------------------------------- commit 880d1c76ed9916cddb97fe05fb4c144f0f6f1012 Author: Pauli Date: Thu Nov 1 08:44:11 2018 +1000 Add a constant time flag to one of the bignums to avoid a timing leak. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7549) (cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239) ----------------------------------------------------------------------- Summary of changes: crypto/dsa/dsa_ossl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 80daf60..c887c3c 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -295,9 +295,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { BN_set_flags(&k, BN_FLG_CONSTTIME); + BN_set_flags(&l, BN_FLG_CONSTTIME); } - if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, CRYPTO_LOCK_DSA, dsa->p, ctx)) From pauli at openssl.org Thu Nov 1 22:41:29 2018 From: pauli at openssl.org (Paul I. Dale) Date: Thu, 01 Nov 2018 22:41:29 +0000 Subject: [openssl-commits] [web] master update Message-ID: <1541112089.602989.5016.nullmailer@dev.openssl.org> The branch master has been updated via b78d963402ca83b6ede75f1a5d42d64ca61c2c49 (commit) from ec4583cb047f1dd56918b38f5a36941747d50d28 (commit) - Log ----------------------------------------------------------------- commit b78d963402ca83b6ede75f1a5d42d64ca61c2c49 Author: Pauli Date: Fri Nov 2 08:40:27 2018 +1000 Update advisory for CVE-2018-0734 indicating that it introduced a new issue and that this has been fixed. Git commit versions are included. ----------------------------------------------------------------------- Summary of changes: news/secadv/20181030.txt | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/news/secadv/20181030.txt b/news/secadv/20181030.txt index b33ac41..7569b56 100644 --- a/news/secadv/20181030.txt +++ b/news/secadv/20181030.txt @@ -19,6 +19,11 @@ git repository. This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser. +As a result of the changes made to mitigate this vulnerability, a new +side channel attack was created. The mitigation for this new vulnerability +can be found in these commits: 6039651c43 (for 1.1.1), 26d7fce13d (for 1.1.0) +and 880d1c76ed (for 1.0.2) + References ========== From builds at travis-ci.org Thu Nov 1 22:44:42 2018 From: builds at travis-ci.org (Travis CI) Date: Thu, 01 Nov 2018 22:44:42 +0000 Subject: [openssl-commits] Broken: openssl/openssl#21457 (master - 00496b6) In-Reply-To: Message-ID: <5bdb81dab51cf_43fb517741a38910c1@40cc1ebc-13fd-4593-8f03-e785ee50bf2b.mail> Build Update for openssl/openssl ------------------------------------- Build: #21457 Status: Broken Duration: 21 mins and 25 secs Commit: 00496b6 (master) Author: Pauli Message: Add a constant time flag to one of the bignums to avoid a timing leak. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7549) View the changeset: https://github.com/openssl/openssl/compare/0d1f7ae3c928...00496b642360 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/449580103?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From yang.yang at baishancloud.com Fri Nov 2 04:07:17 2018 From: yang.yang at baishancloud.com (yang.yang at baishancloud.com) Date: Fri, 02 Nov 2018 04:07:17 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541131637.101083.11506.nullmailer@dev.openssl.org> The branch master has been updated via e5a8712d03334c4b7cb9f29d6d1daee399c1223e (commit) from 00496b6423605391864fbbd1693f23631a1c5239 (commit) - Log ----------------------------------------------------------------- commit e5a8712d03334c4b7cb9f29d6d1daee399c1223e Author: Paul Yang Date: Thu Nov 1 23:27:31 2018 +0800 Fix a doc-nit in EVP_PKEY_CTX_ctrl.pod [skip-ci] Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7546) ----------------------------------------------------------------------- Summary of changes: doc/man3/EVP_PKEY_CTX_ctrl.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod index 75fba58..4982e92 100644 --- a/doc/man3/EVP_PKEY_CTX_ctrl.pod +++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod @@ -116,7 +116,7 @@ EVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, EVP_PKEY_CTX_get1_id_len int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm); #include - + int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid); int EVP_PKEY_CTX_set_ec_param_enc(EVP_PKEY_CTX *ctx, int param_enc); int EVP_PKEY_CTX_set_ecdh_cofactor_mode(EVP_PKEY_CTX *ctx, int cofactor_mode); From builds at travis-ci.org Fri Nov 2 04:25:58 2018 From: builds at travis-ci.org (Travis CI) Date: Fri, 02 Nov 2018 04:25:58 +0000 Subject: [openssl-commits] Fixed: openssl/openssl#21466 (master - e5a8712) In-Reply-To: Message-ID: <5bdbd1d622678_43fc29de5d3242221dc@4930b591-4a54-4402-bb9e-4760a8684cb9.mail> Build Update for openssl/openssl ------------------------------------- Build: #21466 Status: Fixed Duration: 17 mins and 59 secs Commit: e5a8712 (master) Author: Paul Yang Message: Fix a doc-nit in EVP_PKEY_CTX_ctrl.pod [skip-ci] Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7546) View the changeset: https://github.com/openssl/openssl/compare/00496b642360...e5a8712d0333 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/449672531?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From levitte at openssl.org Fri Nov 2 09:58:42 2018 From: levitte at openssl.org (Richard Levitte) Date: Fri, 02 Nov 2018 09:58:42 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541152722.567630.27704.nullmailer@dev.openssl.org> The branch master has been updated via d91d443f0d26262148d1dc9d29f9fdf025b958ca (commit) from e5a8712d03334c4b7cb9f29d6d1daee399c1223e (commit) - Log ----------------------------------------------------------------- commit d91d443f0d26262148d1dc9d29f9fdf025b958ca Author: Richard Levitte Date: Fri Oct 19 00:36:04 2018 +0200 apps: Stop pretending to care about Netscape keys The documentation says some commands care, but the code says differently. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7440) ----------------------------------------------------------------------- Summary of changes: apps/apps.h | 6 +++--- apps/opt.c | 1 - apps/rsa.c | 4 ++-- apps/x509.c | 4 ++-- doc/man1/rsa.pod | 25 +++++-------------------- doc/man1/x509.pod | 11 +++++------ 6 files changed, 17 insertions(+), 34 deletions(-) diff --git a/apps/apps.h b/apps/apps.h index 5b98d27..d9eb650 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -369,7 +369,7 @@ typedef struct string_int_pair_st { # define OPT_FMT_SMIME (1L << 3) # define OPT_FMT_ENGINE (1L << 4) # define OPT_FMT_MSBLOB (1L << 5) -# define OPT_FMT_NETSCAPE (1L << 6) +/* (1L << 6) was OPT_FMT_NETSCAPE, but wasn't used */ # define OPT_FMT_NSS (1L << 7) # define OPT_FMT_TEXT (1L << 8) # define OPT_FMT_HTTP (1L << 9) @@ -378,8 +378,8 @@ typedef struct string_int_pair_st { # define OPT_FMT_PDS (OPT_FMT_PEMDER | OPT_FMT_SMIME) # define OPT_FMT_ANY ( \ OPT_FMT_PEMDER | OPT_FMT_PKCS12 | OPT_FMT_SMIME | \ - OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NETSCAPE | \ - OPT_FMT_NSS | OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK) + OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NSS | \ + OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK) char *opt_progname(const char *argv0); char *opt_getprog(void); diff --git a/apps/opt.c b/apps/opt.c index cc14184..6668565 100644 --- a/apps/opt.c +++ b/apps/opt.c @@ -168,7 +168,6 @@ static OPT_PAIR formats[] = { {"smime", OPT_FMT_SMIME}, {"engine", OPT_FMT_ENGINE}, {"msblob", OPT_FMT_MSBLOB}, - {"netscape", OPT_FMT_NETSCAPE}, {"nss", OPT_FMT_NSS}, {"text", OPT_FMT_TEXT}, {"http", OPT_FMT_HTTP}, diff --git a/apps/rsa.c b/apps/rsa.c index 6458b3d..5098a20 100644 --- a/apps/rsa.c +++ b/apps/rsa.c @@ -38,8 +38,8 @@ typedef enum OPTION_choice { const OPTIONS rsa_options[] = { {"help", OPT_HELP, '-', "Display this summary"}, - {"inform", OPT_INFORM, 'f', "Input format, one of DER NET PEM"}, - {"outform", OPT_OUTFORM, 'f', "Output format, one of DER NET PEM PVK"}, + {"inform", OPT_INFORM, 'f', "Input format, one of DER PEM"}, + {"outform", OPT_OUTFORM, 'f', "Output format, one of DER PEM PVK"}, {"in", OPT_IN, 's', "Input file"}, {"out", OPT_OUT, '>', "Output file"}, {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"}, diff --git a/apps/x509.c b/apps/x509.c index d40960c..81291a9 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -67,10 +67,10 @@ typedef enum OPTION_choice { const OPTIONS x509_options[] = { {"help", OPT_HELP, '-', "Display this summary"}, {"inform", OPT_INFORM, 'f', - "Input format - default PEM (one of DER, NET or PEM)"}, + "Input format - default PEM (one of DER or PEM)"}, {"in", OPT_IN, '<', "Input file - default stdin"}, {"outform", OPT_OUTFORM, 'f', - "Output format - default PEM (one of DER, NET or PEM)"}, + "Output format - default PEM (one of DER or PEM)"}, {"out", OPT_OUT, '>', "Output file - default stdout"}, {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"}, {"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"}, diff --git a/doc/man1/rsa.pod b/doc/man1/rsa.pod index 14a8fb1..37f6461 100644 --- a/doc/man1/rsa.pod +++ b/doc/man1/rsa.pod @@ -9,8 +9,8 @@ rsa - RSA key processing tool B B [B<-help>] -[B<-inform PEM|NET|DER>] -[B<-outform PEM|NET|DER>] +[B<-inform PEM|DER>] +[B<-outform PEM|DER>] [B<-in filename>] [B<-passin arg>] [B<-out filename>] @@ -53,16 +53,15 @@ utility. Print out a usage message. -=item B<-inform DER|NET|PEM> +=item B<-inform DER|PEM> This specifies the input format. The B option uses an ASN1 DER encoded form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format. The B form is the default format: it consists of the B format base64 encoded with additional header and footer lines. On input PKCS#8 format private -keys are also accepted. The B form is a format is described in the B -section. +keys are also accepted. -=item B<-outform DER|NET|PEM> +=item B<-outform DER|PEM> This specifies the output format, the options have the same meaning and default as the B<-inform> option. @@ -158,17 +157,6 @@ The PEM B format uses the header and footer lines: -----BEGIN RSA PUBLIC KEY----- -----END RSA PUBLIC KEY----- -The B form is a format compatible with older Netscape servers -and Microsoft IIS .key files, this uses unsalted RC4 for its encryption. -It is not very secure and so should only be used when necessary. - -Some newer version of IIS have additional data in the exported .key -files. To use these with the utility, view the file with a binary editor -and look for the string "private-key", then trace back to the byte -sequence 0x30, 0x82 (this is an ASN1 SEQUENCE). Copy all the data -from this point onwards to another file and use that as the input -to the B utility with the B<-inform NET> option. - =head1 EXAMPLES To remove the pass phrase on an RSA private key: @@ -197,9 +185,6 @@ Output the public part of a private key in B format: =head1 BUGS -The command line password arguments don't currently work with -B format. - There should be an option that automatically handles .key files, without having to manually edit them. diff --git a/doc/man1/x509.pod b/doc/man1/x509.pod index 6e4d288..547da5d 100644 --- a/doc/man1/x509.pod +++ b/doc/man1/x509.pod @@ -9,8 +9,8 @@ x509 - Certificate display and signing utility B B [B<-help>] -[B<-inform DER|PEM|NET>] -[B<-outform DER|PEM|NET>] +[B<-inform DER|PEM>] +[B<-outform DER|PEM>] [B<-keyform DER|PEM>] [B<-CAform DER|PEM>] [B<-CAkeyform DER|PEM>] @@ -86,16 +86,15 @@ various sections. Print out a usage message. -=item B<-inform DER|PEM|NET> +=item B<-inform DER|PEM> This specifies the input format normally the command will expect an X509 certificate but this can change if other options such as B<-req> are present. The DER format is the DER encoding of the certificate and PEM is the base64 encoding of the DER encoding with header and footer lines -added. The NET option is an obscure Netscape server format that is now -obsolete. The default format is PEM. +added. The default format is PEM. -=item B<-outform DER|PEM|NET> +=item B<-outform DER|PEM> This specifies the output format, the options have the same meaning and default as the B<-inform> option. From levitte at openssl.org Fri Nov 2 09:59:25 2018 From: levitte at openssl.org (Richard Levitte) Date: Fri, 02 Nov 2018 09:59:25 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541152765.050198.28959.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via b33e7698b8cb853bf94623e5e26f860a893eb677 (commit) from 6039651c43944cf4633483a74c2ef3a6b8c0c6c0 (commit) - Log ----------------------------------------------------------------- commit b33e7698b8cb853bf94623e5e26f860a893eb677 Author: Richard Levitte Date: Fri Oct 19 00:36:04 2018 +0200 apps: Stop pretending to care about Netscape keys The documentation says some commands care, but the code says differently. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7440) (cherry picked from commit d91d443f0d26262148d1dc9d29f9fdf025b958ca) ----------------------------------------------------------------------- Summary of changes: apps/apps.h | 6 +++--- apps/opt.c | 1 - apps/rsa.c | 4 ++-- apps/x509.c | 4 ++-- doc/man1/rsa.pod | 25 +++++-------------------- doc/man1/x509.pod | 11 +++++------ 6 files changed, 17 insertions(+), 34 deletions(-) diff --git a/apps/apps.h b/apps/apps.h index 5b98d27..d9eb650 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -369,7 +369,7 @@ typedef struct string_int_pair_st { # define OPT_FMT_SMIME (1L << 3) # define OPT_FMT_ENGINE (1L << 4) # define OPT_FMT_MSBLOB (1L << 5) -# define OPT_FMT_NETSCAPE (1L << 6) +/* (1L << 6) was OPT_FMT_NETSCAPE, but wasn't used */ # define OPT_FMT_NSS (1L << 7) # define OPT_FMT_TEXT (1L << 8) # define OPT_FMT_HTTP (1L << 9) @@ -378,8 +378,8 @@ typedef struct string_int_pair_st { # define OPT_FMT_PDS (OPT_FMT_PEMDER | OPT_FMT_SMIME) # define OPT_FMT_ANY ( \ OPT_FMT_PEMDER | OPT_FMT_PKCS12 | OPT_FMT_SMIME | \ - OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NETSCAPE | \ - OPT_FMT_NSS | OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK) + OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NSS | \ + OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK) char *opt_progname(const char *argv0); char *opt_getprog(void); diff --git a/apps/opt.c b/apps/opt.c index cc14184..6668565 100644 --- a/apps/opt.c +++ b/apps/opt.c @@ -168,7 +168,6 @@ static OPT_PAIR formats[] = { {"smime", OPT_FMT_SMIME}, {"engine", OPT_FMT_ENGINE}, {"msblob", OPT_FMT_MSBLOB}, - {"netscape", OPT_FMT_NETSCAPE}, {"nss", OPT_FMT_NSS}, {"text", OPT_FMT_TEXT}, {"http", OPT_FMT_HTTP}, diff --git a/apps/rsa.c b/apps/rsa.c index 6458b3d..5098a20 100644 --- a/apps/rsa.c +++ b/apps/rsa.c @@ -38,8 +38,8 @@ typedef enum OPTION_choice { const OPTIONS rsa_options[] = { {"help", OPT_HELP, '-', "Display this summary"}, - {"inform", OPT_INFORM, 'f', "Input format, one of DER NET PEM"}, - {"outform", OPT_OUTFORM, 'f', "Output format, one of DER NET PEM PVK"}, + {"inform", OPT_INFORM, 'f', "Input format, one of DER PEM"}, + {"outform", OPT_OUTFORM, 'f', "Output format, one of DER PEM PVK"}, {"in", OPT_IN, 's', "Input file"}, {"out", OPT_OUT, '>', "Output file"}, {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"}, diff --git a/apps/x509.c b/apps/x509.c index d40960c..81291a9 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -67,10 +67,10 @@ typedef enum OPTION_choice { const OPTIONS x509_options[] = { {"help", OPT_HELP, '-', "Display this summary"}, {"inform", OPT_INFORM, 'f', - "Input format - default PEM (one of DER, NET or PEM)"}, + "Input format - default PEM (one of DER or PEM)"}, {"in", OPT_IN, '<', "Input file - default stdin"}, {"outform", OPT_OUTFORM, 'f', - "Output format - default PEM (one of DER, NET or PEM)"}, + "Output format - default PEM (one of DER or PEM)"}, {"out", OPT_OUT, '>', "Output file - default stdout"}, {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"}, {"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"}, diff --git a/doc/man1/rsa.pod b/doc/man1/rsa.pod index 14a8fb1..37f6461 100644 --- a/doc/man1/rsa.pod +++ b/doc/man1/rsa.pod @@ -9,8 +9,8 @@ rsa - RSA key processing tool B B [B<-help>] -[B<-inform PEM|NET|DER>] -[B<-outform PEM|NET|DER>] +[B<-inform PEM|DER>] +[B<-outform PEM|DER>] [B<-in filename>] [B<-passin arg>] [B<-out filename>] @@ -53,16 +53,15 @@ utility. Print out a usage message. -=item B<-inform DER|NET|PEM> +=item B<-inform DER|PEM> This specifies the input format. The B option uses an ASN1 DER encoded form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format. The B form is the default format: it consists of the B format base64 encoded with additional header and footer lines. On input PKCS#8 format private -keys are also accepted. The B form is a format is described in the B -section. +keys are also accepted. -=item B<-outform DER|NET|PEM> +=item B<-outform DER|PEM> This specifies the output format, the options have the same meaning and default as the B<-inform> option. @@ -158,17 +157,6 @@ The PEM B format uses the header and footer lines: -----BEGIN RSA PUBLIC KEY----- -----END RSA PUBLIC KEY----- -The B form is a format compatible with older Netscape servers -and Microsoft IIS .key files, this uses unsalted RC4 for its encryption. -It is not very secure and so should only be used when necessary. - -Some newer version of IIS have additional data in the exported .key -files. To use these with the utility, view the file with a binary editor -and look for the string "private-key", then trace back to the byte -sequence 0x30, 0x82 (this is an ASN1 SEQUENCE). Copy all the data -from this point onwards to another file and use that as the input -to the B utility with the B<-inform NET> option. - =head1 EXAMPLES To remove the pass phrase on an RSA private key: @@ -197,9 +185,6 @@ Output the public part of a private key in B format: =head1 BUGS -The command line password arguments don't currently work with -B format. - There should be an option that automatically handles .key files, without having to manually edit them. diff --git a/doc/man1/x509.pod b/doc/man1/x509.pod index 6e4d288..547da5d 100644 --- a/doc/man1/x509.pod +++ b/doc/man1/x509.pod @@ -9,8 +9,8 @@ x509 - Certificate display and signing utility B B [B<-help>] -[B<-inform DER|PEM|NET>] -[B<-outform DER|PEM|NET>] +[B<-inform DER|PEM>] +[B<-outform DER|PEM>] [B<-keyform DER|PEM>] [B<-CAform DER|PEM>] [B<-CAkeyform DER|PEM>] @@ -86,16 +86,15 @@ various sections. Print out a usage message. -=item B<-inform DER|PEM|NET> +=item B<-inform DER|PEM> This specifies the input format normally the command will expect an X509 certificate but this can change if other options such as B<-req> are present. The DER format is the DER encoding of the certificate and PEM is the base64 encoding of the DER encoding with header and footer lines -added. The NET option is an obscure Netscape server format that is now -obsolete. The default format is PEM. +added. The default format is PEM. -=item B<-outform DER|PEM|NET> +=item B<-outform DER|PEM> This specifies the output format, the options have the same meaning and default as the B<-inform> option. From matt at openssl.org Fri Nov 2 10:05:03 2018 From: matt at openssl.org (Matt Caswell) Date: Fri, 02 Nov 2018 10:05:03 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1541153103.301465.31391.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via f1e5009c1c95b708b9ba21c23693f95468089419 (commit) from 880d1c76ed9916cddb97fe05fb4c144f0f6f1012 (commit) - Log ----------------------------------------------------------------- commit f1e5009c1c95b708b9ba21c23693f95468089419 Author: Matt Caswell Date: Tue Oct 16 17:08:11 2018 +0100 Properly handle duplicated messages from the next epoch Since 3884b47b7c we may attempt to buffer a record from the next epoch that has already been buffered. Prior to that this never occurred. We simply ignore a failure to buffer a duplicated record. Fixes #6902 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7415) ----------------------------------------------------------------------- Summary of changes: ssl/d1_pkt.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index f5deddf..23aa9db 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -293,14 +293,12 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) return (-1); } - /* insert should not fail, since duplicates are dropped */ if (pqueue_insert(queue->q, item) == NULL) { - SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); + /* Must be a duplicate so ignore it */ if (rdata->rbuf.buf != NULL) OPENSSL_free(rdata->rbuf.buf); OPENSSL_free(rdata); pitem_free(item); - return (-1); } return (1); From levitte at openssl.org Fri Nov 2 14:01:23 2018 From: levitte at openssl.org (Richard Levitte) Date: Fri, 02 Nov 2018 14:01:23 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541167283.640947.30513.nullmailer@dev.openssl.org> The branch master has been updated via 2b201ce9417cc6e617b7ca2db0a99cc87bbc343b (commit) from d91d443f0d26262148d1dc9d29f9fdf025b958ca (commit) - Log ----------------------------------------------------------------- commit 2b201ce9417cc6e617b7ca2db0a99cc87bbc343b Author: Richard Levitte Date: Fri Nov 2 10:11:55 2018 +0100 doc/man7/EVP_MAC_*.pod: incorrect english corrected Reviewed-by: Paul Yang (Merged from https://github.com/openssl/openssl/pull/7552) ----------------------------------------------------------------------- Summary of changes: doc/man7/EVP_MAC_CMAC.pod | 2 +- doc/man7/EVP_MAC_HMAC.pod | 2 +- doc/man7/EVP_MAC_SIPHASH.pod | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/man7/EVP_MAC_CMAC.pod b/doc/man7/EVP_MAC_CMAC.pod index bb37472..12c18a8 100644 --- a/doc/man7/EVP_MAC_CMAC.pod +++ b/doc/man7/EVP_MAC_CMAC.pod @@ -22,7 +22,7 @@ The supported controls are: =item B -EVP_MAC_ctrl_str() takes to type string for this control: +EVP_MAC_ctrl_str() takes two type strings for this control: =over 4 diff --git a/doc/man7/EVP_MAC_HMAC.pod b/doc/man7/EVP_MAC_HMAC.pod index 8276ff3..3e6f252 100644 --- a/doc/man7/EVP_MAC_HMAC.pod +++ b/doc/man7/EVP_MAC_HMAC.pod @@ -22,7 +22,7 @@ The supported controls are: =item B -EVP_MAC_ctrl_str() takes to type string for this control: +EVP_MAC_ctrl_str() takes two type strings for this control: =over 4 diff --git a/doc/man7/EVP_MAC_SIPHASH.pod b/doc/man7/EVP_MAC_SIPHASH.pod index 841cd7d..0d1349f 100644 --- a/doc/man7/EVP_MAC_SIPHASH.pod +++ b/doc/man7/EVP_MAC_SIPHASH.pod @@ -28,7 +28,7 @@ The value string is expected to contain a decimal number. =item B -EVP_MAC_ctrl_str() takes to type string for this control: +EVP_MAC_ctrl_str() takes two type strings for this control: =over 4 From levitte at openssl.org Fri Nov 2 19:22:34 2018 From: levitte at openssl.org (Richard Levitte) Date: Fri, 02 Nov 2018 19:22:34 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541186554.963874.4346.nullmailer@dev.openssl.org> The branch master has been updated via 681e8cacdbdc44ac00af29b6656fc52745a9baa2 (commit) via 458c7dad9e3f59490fb0908c1a27ca39e4cf38dd (commit) via 28ac1bd9a97d9725273956e26d89ccfa5b4de67b (commit) via 36af124bfb209b49cb92a5fb9fab627d9cd4a44b (commit) from 2b201ce9417cc6e617b7ca2db0a99cc87bbc343b (commit) - Log ----------------------------------------------------------------- commit 681e8cacdbdc44ac00af29b6656fc52745a9baa2 Author: Richard Levitte Date: Fri Nov 2 10:24:24 2018 +0100 crypto/engine/eng_devcrypto.c: ensure we don't leak resources If engine building fails for some reason, we must make sure to close the /dev/crypto handle. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7506) commit 458c7dad9e3f59490fb0908c1a27ca39e4cf38dd Author: Richard Levitte Date: Wed Oct 31 19:23:44 2018 +0100 crypto/engine/eng_devcrypto.c: open /dev/crypto only once We opened /dev/crypto once for each session, which is quite unnecessary. With this change, we open /dev/crypto once at engine init, and close it on unload. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7506) commit 28ac1bd9a97d9725273956e26d89ccfa5b4de67b Author: Richard Levitte Date: Sat Oct 27 09:26:22 2018 +0200 crypto/engine/eng_devcrypto.c: new compilers are strict on prototypes Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7506) commit 36af124bfb209b49cb92a5fb9fab627d9cd4a44b Author: Richard Levitte Date: Sat Oct 27 09:15:04 2018 +0200 crypto/engine/eng_devcrypto.c: add digest copy Copying an EVP_MD_CTX, including the implementation local bits, is a necessary operation. In this case, though, it's the same as initializing the local bits to be "copied to". Fixes #7495 Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7506) ----------------------------------------------------------------------- Summary of changes: crypto/engine/eng_devcrypto.c | 126 +++++++++++++++++++++++------------------- 1 file changed, 68 insertions(+), 58 deletions(-) diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c index 51105ec..4a0ba09 100644 --- a/crypto/engine/eng_devcrypto.c +++ b/crypto/engine/eng_devcrypto.c @@ -28,6 +28,13 @@ # define CHECK_BSD_STYLE_MACROS #endif +/* + * ONE global file descriptor for all sessions. This allows operations + * such as digest session data copying (see digest_copy()), but is also + * saner... why re-open /dev/crypto for every session? + */ +static int cfd; + /****************************************************************************** * * Ciphers @@ -39,7 +46,6 @@ *****/ struct cipher_ctx { - int cfd; struct session_op sess; /* to pass from init to do_cipher */ @@ -135,19 +141,13 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, const struct cipher_data_st *cipher_d = get_cipher_data(EVP_CIPHER_CTX_nid(ctx)); - if ((cipher_ctx->cfd = open("/dev/crypto", O_RDWR, 0)) < 0) { - SYSerr(SYS_F_OPEN, errno); - return 0; - } - memset(&cipher_ctx->sess, 0, sizeof(cipher_ctx->sess)); cipher_ctx->sess.cipher = cipher_d->devcryptoid; cipher_ctx->sess.keylen = cipher_d->keylen; cipher_ctx->sess.key = (void *)key; cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT; - if (ioctl(cipher_ctx->cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) { + if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) { SYSerr(SYS_F_IOCTL, errno); - close(cipher_ctx->cfd); return 0; } @@ -186,7 +186,7 @@ static int cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, cryp.flags = COP_FLAG_WRITE_IV; #endif - if (ioctl(cipher_ctx->cfd, CIOCCRYPT, &cryp) < 0) { + if (ioctl(cfd, CIOCCRYPT, &cryp) < 0) { SYSerr(SYS_F_IOCTL, errno); return 0; } @@ -212,14 +212,10 @@ static int cipher_cleanup(EVP_CIPHER_CTX *ctx) struct cipher_ctx *cipher_ctx = (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); - if (ioctl(cipher_ctx->cfd, CIOCFSESSION, &cipher_ctx->sess.ses) < 0) { + if (ioctl(cfd, CIOCFSESSION, &cipher_ctx->sess.ses) < 0) { SYSerr(SYS_F_IOCTL, errno); return 0; } - if (close(cipher_ctx->cfd) < 0) { - SYSerr(SYS_F_CLOSE, errno); - return 0; - } return 1; } @@ -233,14 +229,10 @@ static int known_cipher_nids[OSSL_NELEM(cipher_data)]; static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */ static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, }; -static void prepare_cipher_methods() +static void prepare_cipher_methods(void) { size_t i; struct session_op sess; - int cfd; - - if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) - return; memset(&sess, 0, sizeof(sess)); sess.key = (void *)"01234567890123456789012345678901234567890123456789"; @@ -281,8 +273,6 @@ static void prepare_cipher_methods() cipher_data[i].nid; } } - - close(cfd); } static const EVP_CIPHER *get_cipher_method(int nid) @@ -308,7 +298,7 @@ static void destroy_cipher_method(int nid) known_cipher_methods[i] = NULL; } -static void destroy_all_cipher_methods() +static void destroy_all_cipher_methods(void) { size_t i; @@ -329,11 +319,12 @@ static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher, /* * We only support digests if the cryptodev implementation supports multiple - * data updates. Otherwise, we would be forced to maintain a cache, which is - * perilous if there's a lot of data coming in (if someone wants to checksum - * an OpenSSL tarball, for example). + * data updates and session copying. Otherwise, we would be forced to maintain + * a cache, which is perilous if there's a lot of data coming in (if someone + * wants to checksum an OpenSSL tarball, for example). */ -#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL) +#if defined(CIOCCPHASH) && defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL) +#define IMPLEMENT_DIGEST /****************************************************************************** * @@ -346,7 +337,6 @@ static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher, *****/ struct digest_ctx { - int cfd; struct session_op sess; int init; }; @@ -413,19 +403,12 @@ static int digest_init(EVP_MD_CTX *ctx) const struct digest_data_st *digest_d = get_digest_data(EVP_MD_CTX_type(ctx)); - if (digest_ctx->init == 0 - && (digest_ctx->cfd = open("/dev/crypto", O_RDWR, 0)) < 0) { - SYSerr(SYS_F_OPEN, errno); - return 0; - } - digest_ctx->init = 1; memset(&digest_ctx->sess, 0, sizeof(digest_ctx->sess)); digest_ctx->sess.mac = digest_d->devcryptoid; - if (ioctl(digest_ctx->cfd, CIOCGSESSION, &digest_ctx->sess) < 0) { + if (ioctl(cfd, CIOCGSESSION, &digest_ctx->sess) < 0) { SYSerr(SYS_F_IOCTL, errno); - close(digest_ctx->cfd); return 0; } @@ -444,7 +427,7 @@ static int digest_op(struct digest_ctx *ctx, const void *src, size_t srclen, cryp.dst = NULL; cryp.mac = res; cryp.flags = flags; - return ioctl(ctx->cfd, CIOCCRYPT, &cryp); + return ioctl(cfd, CIOCCRYPT, &cryp); } static int digest_update(EVP_MD_CTX *ctx, const void *data, size_t count) @@ -472,7 +455,7 @@ static int digest_final(EVP_MD_CTX *ctx, unsigned char *md) SYSerr(SYS_F_IOCTL, errno); return 0; } - if (ioctl(digest_ctx->cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) { + if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) { SYSerr(SYS_F_IOCTL, errno); return 0; } @@ -480,16 +463,38 @@ static int digest_final(EVP_MD_CTX *ctx, unsigned char *md) return 1; } -static int digest_cleanup(EVP_MD_CTX *ctx) +static int digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from) { - struct digest_ctx *digest_ctx = - (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); + struct digest_ctx *digest_from = + (struct digest_ctx *)EVP_MD_CTX_md_data(from); + struct digest_ctx *digest_to = + (struct digest_ctx *)EVP_MD_CTX_md_data(to); + struct cphash_op cphash; + + if (digest_from == NULL) + return 1; - if (close(digest_ctx->cfd) < 0) { - SYSerr(SYS_F_CLOSE, errno); + if (digest_from->init != 1) { + SYSerr(SYS_F_IOCTL, EINVAL); return 0; } + if (!digest_init(to)) { + SYSerr(SYS_F_IOCTL, errno); + return 0; + } + + cphash.src_ses = digest_from->sess.ses; + cphash.dst_ses = digest_to->sess.ses; + if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) { + SYSerr(SYS_F_IOCTL, errno); + return 0; + } + return 1; +} + +static int digest_cleanup(EVP_MD_CTX *ctx) +{ return 1; } @@ -502,14 +507,10 @@ static int known_digest_nids[OSSL_NELEM(digest_data)]; static int known_digest_nids_amount = -1; /* -1 indicates not yet initialised */ static EVP_MD *known_digest_methods[OSSL_NELEM(digest_data)] = { NULL, }; -static void prepare_digest_methods() +static void prepare_digest_methods(void) { size_t i; struct session_op sess; - int cfd; - - if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) - return; memset(&sess, 0, sizeof(sess)); @@ -532,6 +533,7 @@ static void prepare_digest_methods() || !EVP_MD_meth_set_init(known_digest_methods[i], digest_init) || !EVP_MD_meth_set_update(known_digest_methods[i], digest_update) || !EVP_MD_meth_set_final(known_digest_methods[i], digest_final) + || !EVP_MD_meth_set_copy(known_digest_methods[i], digest_copy) || !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup) || !EVP_MD_meth_set_app_datasize(known_digest_methods[i], sizeof(struct digest_ctx))) { @@ -541,8 +543,6 @@ static void prepare_digest_methods() known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; } } - - close(cfd); } static const EVP_MD *get_digest_method(int nid) @@ -568,7 +568,7 @@ static void destroy_digest_method(int nid) known_digest_methods[i] = NULL; } -static void destroy_all_digest_methods() +static void destroy_all_digest_methods(void) { size_t i; @@ -598,9 +598,12 @@ static int devcrypto_digests(ENGINE *e, const EVP_MD **digest, static int devcrypto_unload(ENGINE *e) { destroy_all_cipher_methods(); -#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL) +#ifdef IMPLEMENT_DIGEST destroy_all_digest_methods(); #endif + + close(cfd); + return 1; } /* @@ -611,23 +614,30 @@ void engine_load_devcrypto_int() { ENGINE *e = NULL; - if (access("/dev/crypto", R_OK | W_OK) < 0) { - fprintf(stderr, - "/dev/crypto not present, not enabling devcrypto engine\n"); + if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) { + fprintf(stderr, "Could not open /dev/crypto: %s\n", strerror(errno)); return; } prepare_cipher_methods(); -#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL) +#ifdef IMPLEMENT_DIGEST prepare_digest_methods(); #endif - if ((e = ENGINE_new()) == NULL) + if ((e = ENGINE_new()) == NULL + || !ENGINE_set_destroy_function(e, devcrypto_unload)) { + ENGINE_free(e); + /* + * We know that devcrypto_unload() won't be called when one of the + * above two calls have failed, so we close cfd explicitly here to + * avoid leaking resources. + */ + close(cfd); return; + } if (!ENGINE_set_id(e, "devcrypto") || !ENGINE_set_name(e, "/dev/crypto engine") - || !ENGINE_set_destroy_function(e, devcrypto_unload) /* * Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD @@ -664,7 +674,7 @@ void engine_load_devcrypto_int() # endif #endif || !ENGINE_set_ciphers(e, devcrypto_ciphers) -#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL) +#ifdef IMPLEMENT_DIGEST || !ENGINE_set_digests(e, devcrypto_digests) #endif ) { From levitte at openssl.org Fri Nov 2 19:24:22 2018 From: levitte at openssl.org (Richard Levitte) Date: Fri, 02 Nov 2018 19:24:22 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541186662.240822.5334.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via cd01707b7f7e71b6c5df013212c9b3613e9eab7c (commit) via 120fc33e29957864168dd3693df5992b62e58c04 (commit) via dcbbcf083c562b99e5a71429f7f35d7f171fc462 (commit) via 3dcca12a206119a1faed773135949d4b56af12c9 (commit) from b33e7698b8cb853bf94623e5e26f860a893eb677 (commit) - Log ----------------------------------------------------------------- commit cd01707b7f7e71b6c5df013212c9b3613e9eab7c Author: Richard Levitte Date: Fri Nov 2 10:24:24 2018 +0100 crypto/engine/eng_devcrypto.c: ensure we don't leak resources If engine building fails for some reason, we must make sure to close the /dev/crypto handle. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7506) (cherry picked from commit 681e8cacdbdc44ac00af29b6656fc52745a9baa2) commit 120fc33e29957864168dd3693df5992b62e58c04 Author: Richard Levitte Date: Wed Oct 31 19:23:44 2018 +0100 crypto/engine/eng_devcrypto.c: open /dev/crypto only once We opened /dev/crypto once for each session, which is quite unnecessary. With this change, we open /dev/crypto once at engine init, and close it on unload. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7506) (cherry picked from commit 458c7dad9e3f59490fb0908c1a27ca39e4cf38dd) commit dcbbcf083c562b99e5a71429f7f35d7f171fc462 Author: Richard Levitte Date: Sat Oct 27 09:26:22 2018 +0200 crypto/engine/eng_devcrypto.c: new compilers are strict on prototypes Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7506) (cherry picked from commit 28ac1bd9a97d9725273956e26d89ccfa5b4de67b) commit 3dcca12a206119a1faed773135949d4b56af12c9 Author: Richard Levitte Date: Sat Oct 27 09:15:04 2018 +0200 crypto/engine/eng_devcrypto.c: add digest copy Copying an EVP_MD_CTX, including the implementation local bits, is a necessary operation. In this case, though, it's the same as initializing the local bits to be "copied to". Fixes #7495 Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7506) (cherry picked from commit 36af124bfb209b49cb92a5fb9fab627d9cd4a44b) ----------------------------------------------------------------------- Summary of changes: crypto/engine/eng_devcrypto.c | 126 +++++++++++++++++++++++------------------- 1 file changed, 68 insertions(+), 58 deletions(-) diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c index 51105ec..4a0ba09 100644 --- a/crypto/engine/eng_devcrypto.c +++ b/crypto/engine/eng_devcrypto.c @@ -28,6 +28,13 @@ # define CHECK_BSD_STYLE_MACROS #endif +/* + * ONE global file descriptor for all sessions. This allows operations + * such as digest session data copying (see digest_copy()), but is also + * saner... why re-open /dev/crypto for every session? + */ +static int cfd; + /****************************************************************************** * * Ciphers @@ -39,7 +46,6 @@ *****/ struct cipher_ctx { - int cfd; struct session_op sess; /* to pass from init to do_cipher */ @@ -135,19 +141,13 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, const struct cipher_data_st *cipher_d = get_cipher_data(EVP_CIPHER_CTX_nid(ctx)); - if ((cipher_ctx->cfd = open("/dev/crypto", O_RDWR, 0)) < 0) { - SYSerr(SYS_F_OPEN, errno); - return 0; - } - memset(&cipher_ctx->sess, 0, sizeof(cipher_ctx->sess)); cipher_ctx->sess.cipher = cipher_d->devcryptoid; cipher_ctx->sess.keylen = cipher_d->keylen; cipher_ctx->sess.key = (void *)key; cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT; - if (ioctl(cipher_ctx->cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) { + if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) { SYSerr(SYS_F_IOCTL, errno); - close(cipher_ctx->cfd); return 0; } @@ -186,7 +186,7 @@ static int cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, cryp.flags = COP_FLAG_WRITE_IV; #endif - if (ioctl(cipher_ctx->cfd, CIOCCRYPT, &cryp) < 0) { + if (ioctl(cfd, CIOCCRYPT, &cryp) < 0) { SYSerr(SYS_F_IOCTL, errno); return 0; } @@ -212,14 +212,10 @@ static int cipher_cleanup(EVP_CIPHER_CTX *ctx) struct cipher_ctx *cipher_ctx = (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); - if (ioctl(cipher_ctx->cfd, CIOCFSESSION, &cipher_ctx->sess.ses) < 0) { + if (ioctl(cfd, CIOCFSESSION, &cipher_ctx->sess.ses) < 0) { SYSerr(SYS_F_IOCTL, errno); return 0; } - if (close(cipher_ctx->cfd) < 0) { - SYSerr(SYS_F_CLOSE, errno); - return 0; - } return 1; } @@ -233,14 +229,10 @@ static int known_cipher_nids[OSSL_NELEM(cipher_data)]; static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */ static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, }; -static void prepare_cipher_methods() +static void prepare_cipher_methods(void) { size_t i; struct session_op sess; - int cfd; - - if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) - return; memset(&sess, 0, sizeof(sess)); sess.key = (void *)"01234567890123456789012345678901234567890123456789"; @@ -281,8 +273,6 @@ static void prepare_cipher_methods() cipher_data[i].nid; } } - - close(cfd); } static const EVP_CIPHER *get_cipher_method(int nid) @@ -308,7 +298,7 @@ static void destroy_cipher_method(int nid) known_cipher_methods[i] = NULL; } -static void destroy_all_cipher_methods() +static void destroy_all_cipher_methods(void) { size_t i; @@ -329,11 +319,12 @@ static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher, /* * We only support digests if the cryptodev implementation supports multiple - * data updates. Otherwise, we would be forced to maintain a cache, which is - * perilous if there's a lot of data coming in (if someone wants to checksum - * an OpenSSL tarball, for example). + * data updates and session copying. Otherwise, we would be forced to maintain + * a cache, which is perilous if there's a lot of data coming in (if someone + * wants to checksum an OpenSSL tarball, for example). */ -#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL) +#if defined(CIOCCPHASH) && defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL) +#define IMPLEMENT_DIGEST /****************************************************************************** * @@ -346,7 +337,6 @@ static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher, *****/ struct digest_ctx { - int cfd; struct session_op sess; int init; }; @@ -413,19 +403,12 @@ static int digest_init(EVP_MD_CTX *ctx) const struct digest_data_st *digest_d = get_digest_data(EVP_MD_CTX_type(ctx)); - if (digest_ctx->init == 0 - && (digest_ctx->cfd = open("/dev/crypto", O_RDWR, 0)) < 0) { - SYSerr(SYS_F_OPEN, errno); - return 0; - } - digest_ctx->init = 1; memset(&digest_ctx->sess, 0, sizeof(digest_ctx->sess)); digest_ctx->sess.mac = digest_d->devcryptoid; - if (ioctl(digest_ctx->cfd, CIOCGSESSION, &digest_ctx->sess) < 0) { + if (ioctl(cfd, CIOCGSESSION, &digest_ctx->sess) < 0) { SYSerr(SYS_F_IOCTL, errno); - close(digest_ctx->cfd); return 0; } @@ -444,7 +427,7 @@ static int digest_op(struct digest_ctx *ctx, const void *src, size_t srclen, cryp.dst = NULL; cryp.mac = res; cryp.flags = flags; - return ioctl(ctx->cfd, CIOCCRYPT, &cryp); + return ioctl(cfd, CIOCCRYPT, &cryp); } static int digest_update(EVP_MD_CTX *ctx, const void *data, size_t count) @@ -472,7 +455,7 @@ static int digest_final(EVP_MD_CTX *ctx, unsigned char *md) SYSerr(SYS_F_IOCTL, errno); return 0; } - if (ioctl(digest_ctx->cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) { + if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) { SYSerr(SYS_F_IOCTL, errno); return 0; } @@ -480,16 +463,38 @@ static int digest_final(EVP_MD_CTX *ctx, unsigned char *md) return 1; } -static int digest_cleanup(EVP_MD_CTX *ctx) +static int digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from) { - struct digest_ctx *digest_ctx = - (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); + struct digest_ctx *digest_from = + (struct digest_ctx *)EVP_MD_CTX_md_data(from); + struct digest_ctx *digest_to = + (struct digest_ctx *)EVP_MD_CTX_md_data(to); + struct cphash_op cphash; + + if (digest_from == NULL) + return 1; - if (close(digest_ctx->cfd) < 0) { - SYSerr(SYS_F_CLOSE, errno); + if (digest_from->init != 1) { + SYSerr(SYS_F_IOCTL, EINVAL); return 0; } + if (!digest_init(to)) { + SYSerr(SYS_F_IOCTL, errno); + return 0; + } + + cphash.src_ses = digest_from->sess.ses; + cphash.dst_ses = digest_to->sess.ses; + if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) { + SYSerr(SYS_F_IOCTL, errno); + return 0; + } + return 1; +} + +static int digest_cleanup(EVP_MD_CTX *ctx) +{ return 1; } @@ -502,14 +507,10 @@ static int known_digest_nids[OSSL_NELEM(digest_data)]; static int known_digest_nids_amount = -1; /* -1 indicates not yet initialised */ static EVP_MD *known_digest_methods[OSSL_NELEM(digest_data)] = { NULL, }; -static void prepare_digest_methods() +static void prepare_digest_methods(void) { size_t i; struct session_op sess; - int cfd; - - if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) - return; memset(&sess, 0, sizeof(sess)); @@ -532,6 +533,7 @@ static void prepare_digest_methods() || !EVP_MD_meth_set_init(known_digest_methods[i], digest_init) || !EVP_MD_meth_set_update(known_digest_methods[i], digest_update) || !EVP_MD_meth_set_final(known_digest_methods[i], digest_final) + || !EVP_MD_meth_set_copy(known_digest_methods[i], digest_copy) || !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup) || !EVP_MD_meth_set_app_datasize(known_digest_methods[i], sizeof(struct digest_ctx))) { @@ -541,8 +543,6 @@ static void prepare_digest_methods() known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; } } - - close(cfd); } static const EVP_MD *get_digest_method(int nid) @@ -568,7 +568,7 @@ static void destroy_digest_method(int nid) known_digest_methods[i] = NULL; } -static void destroy_all_digest_methods() +static void destroy_all_digest_methods(void) { size_t i; @@ -598,9 +598,12 @@ static int devcrypto_digests(ENGINE *e, const EVP_MD **digest, static int devcrypto_unload(ENGINE *e) { destroy_all_cipher_methods(); -#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL) +#ifdef IMPLEMENT_DIGEST destroy_all_digest_methods(); #endif + + close(cfd); + return 1; } /* @@ -611,23 +614,30 @@ void engine_load_devcrypto_int() { ENGINE *e = NULL; - if (access("/dev/crypto", R_OK | W_OK) < 0) { - fprintf(stderr, - "/dev/crypto not present, not enabling devcrypto engine\n"); + if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) { + fprintf(stderr, "Could not open /dev/crypto: %s\n", strerror(errno)); return; } prepare_cipher_methods(); -#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL) +#ifdef IMPLEMENT_DIGEST prepare_digest_methods(); #endif - if ((e = ENGINE_new()) == NULL) + if ((e = ENGINE_new()) == NULL + || !ENGINE_set_destroy_function(e, devcrypto_unload)) { + ENGINE_free(e); + /* + * We know that devcrypto_unload() won't be called when one of the + * above two calls have failed, so we close cfd explicitly here to + * avoid leaking resources. + */ + close(cfd); return; + } if (!ENGINE_set_id(e, "devcrypto") || !ENGINE_set_name(e, "/dev/crypto engine") - || !ENGINE_set_destroy_function(e, devcrypto_unload) /* * Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD @@ -664,7 +674,7 @@ void engine_load_devcrypto_int() # endif #endif || !ENGINE_set_ciphers(e, devcrypto_ciphers) -#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL) +#ifdef IMPLEMENT_DIGEST || !ENGINE_set_digests(e, devcrypto_digests) #endif ) { From no-reply at appveyor.com Sat Nov 3 17:49:01 2018 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 03 Nov 2018 17:49:01 +0000 Subject: [openssl-commits] Build failed: openssl master.20766 Message-ID: <20181103174901.1.3834F47980B4620E@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sat Nov 3 22:26:40 2018 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 03 Nov 2018 22:26:40 +0000 Subject: [openssl-commits] Build failed: openssl master.20767 Message-ID: <20181103222640.1.61EA73D3BB46D7FB@appveyor.com> An HTML attachment was scrubbed... URL: From kaduk at mit.edu Sun Nov 4 04:26:52 2018 From: kaduk at mit.edu (kaduk at mit.edu) Date: Sun, 04 Nov 2018 04:26:52 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541305612.868686.22693.nullmailer@dev.openssl.org> The branch master has been updated via 2aaa0b146b967397a6e61fa8df969e7847f82086 (commit) via 95658c32436017aeeef3d8598957071baf6769a9 (commit) from 681e8cacdbdc44ac00af29b6656fc52745a9baa2 (commit) - Log ----------------------------------------------------------------- commit 2aaa0b146b967397a6e61fa8df969e7847f82086 Author: Benjamin Kaduk Date: Mon Oct 22 11:54:20 2018 -0500 Restore sensible "sess_accept" counter tracking Commit 9ef9088c1585e13b9727796f15f77da64dbbe623 switched the SSL/SSL_CTX statistics counters to using Thread-Sanitizer-friendly primitives. However, it erroneously converted an addition of -1 (for s->session_ctx->stats.sess_accept) to an addition of +1, since that is the only counter API provided by the internal tsan_assist.h header until the previous commit. This means that for each accepted (initial) connection, the session_ctx's counter would get doubly incremented, and the (switched) ctx's counter would also get incremented. Restore the counter decrement so that each accepted connection increments exactly one counter exactly once (in net effect). Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7464) commit 95658c32436017aeeef3d8598957071baf6769a9 Author: Benjamin Kaduk Date: Mon Oct 22 11:51:35 2018 -0500 Add tsan_decr() API, counterpart of tsan_counter() The existing tsan_counter() API increments a reference counter. Provide a new API, tsan_decr(), to decrement such a reference counter. This can be used, for example, when a reference is added to the session_ctx's sess_accept stats but should more properly be tracked in the regular ctx's statistics. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7464) ----------------------------------------------------------------------- Summary of changes: include/internal/tsan_assist.h | 6 ++++++ ssl/statem/extensions.c | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/include/internal/tsan_assist.h b/include/internal/tsan_assist.h index 2c76383..f30ffe3 100644 --- a/include/internal/tsan_assist.h +++ b/include/internal/tsan_assist.h @@ -57,6 +57,7 @@ # define tsan_load(ptr) atomic_load_explicit((ptr), memory_order_relaxed) # define tsan_store(ptr, val) atomic_store_explicit((ptr), (val), memory_order_relaxed) # define tsan_counter(ptr) atomic_fetch_add_explicit((ptr), 1, memory_order_relaxed) +# define tsan_decr(ptr) atomic_fetch_add_explicit((ptr), -1, memory_order_relaxed) # define tsan_ld_acq(ptr) atomic_load_explicit((ptr), memory_order_acquire) # define tsan_st_rel(ptr, val) atomic_store_explicit((ptr), (val), memory_order_release) # endif @@ -69,6 +70,7 @@ # define tsan_load(ptr) __atomic_load_n((ptr), __ATOMIC_RELAXED) # define tsan_store(ptr, val) __atomic_store_n((ptr), (val), __ATOMIC_RELAXED) # define tsan_counter(ptr) __atomic_fetch_add((ptr), 1, __ATOMIC_RELAXED) +# define tsan_decr(ptr) __atomic_fetch_add((ptr), -1, __ATOMIC_RELAXED) # define tsan_ld_acq(ptr) __atomic_load_n((ptr), __ATOMIC_ACQUIRE) # define tsan_st_rel(ptr, val) __atomic_store_n((ptr), (val), __ATOMIC_RELEASE) # endif @@ -113,8 +115,11 @@ # pragma intrinsic(_InterlockedExchangeAdd64) # define tsan_counter(ptr) (sizeof(*(ptr)) == 8 ? _InterlockedExchangeAdd64((ptr), 1) \ : _InterlockedExchangeAdd((ptr), 1)) +# define tsan_decr(ptr) (sizeof(*(ptr)) == 8 ? _InterlockedExchangeAdd64((ptr), -1) \ + : _InterlockedExchangeAdd((ptr), -1)) # else # define tsan_counter(ptr) _InterlockedExchangeAdd((ptr), 1) +# define tsan_decr(ptr) _InterlockedExchangeAdd((ptr), -1) # endif # if !defined(_ISO_VOLATILE) # define tsan_ld_acq(ptr) (*(ptr)) @@ -129,6 +134,7 @@ # define tsan_load(ptr) (*(ptr)) # define tsan_store(ptr, val) (*(ptr) = (val)) # define tsan_counter(ptr) ((*(ptr))++) +# define tsan_decr(ptr) ((*(ptr))--) /* * Lack of tsan_ld_acq and tsan_ld_rel means that compiler support is not * sophisticated enough to support them. Code that relies on them should be diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 8d4939d..ad4256d 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -962,7 +962,7 @@ static int final_server_name(SSL *s, unsigned int context, int sent) */ if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) { tsan_counter(&s->ctx->stats.sess_accept); - tsan_counter(&s->session_ctx->stats.sess_accept); + tsan_decr(&s->session_ctx->stats.sess_accept); } /* From kaduk at mit.edu Sun Nov 4 04:52:46 2018 From: kaduk at mit.edu (kaduk at mit.edu) Date: Sun, 04 Nov 2018 04:52:46 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541307166.635599.26621.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 33a37a6179bcef6917a28edf7c90a65dcd89ff4a (commit) via a649b52f86a2aa039a15d9c8c0de5b6786bac0fc (commit) from cd01707b7f7e71b6c5df013212c9b3613e9eab7c (commit) - Log ----------------------------------------------------------------- commit 33a37a6179bcef6917a28edf7c90a65dcd89ff4a Author: Benjamin Kaduk Date: Mon Oct 22 11:54:20 2018 -0500 Restore sensible "sess_accept" counter tracking Commit 9ef9088c1585e13b9727796f15f77da64dbbe623 switched the SSL/SSL_CTX statistics counters to using Thread-Sanitizer-friendly primitives. However, it erroneously converted an addition of -1 (for s->session_ctx->stats.sess_accept) to an addition of +1, since that is the only counter API provided by the internal tsan_assist.h header until the previous commit. This means that for each accepted (initial) connection, the session_ctx's counter would get doubly incremented, and the (switched) ctx's counter would also get incremented. Restore the counter decrement so that each accepted connection increments exactly one counter exactly once (in net effect). Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7464) (cherry picked from commit 2aaa0b146b967397a6e61fa8df969e7847f82086) commit a649b52f86a2aa039a15d9c8c0de5b6786bac0fc Author: Benjamin Kaduk Date: Mon Oct 22 11:51:35 2018 -0500 Add tsan_decr() API, counterpart of tsan_counter() The existing tsan_counter() API increments a reference counter. Provide a new API, tsan_decr(), to decrement such a reference counter. This can be used, for example, when a reference is added to the session_ctx's sess_accept stats but should more properly be tracked in the regular ctx's statistics. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7464) (cherry picked from commit 95658c32436017aeeef3d8598957071baf6769a9) ----------------------------------------------------------------------- Summary of changes: include/internal/tsan_assist.h | 6 ++++++ ssl/statem/extensions.c | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/include/internal/tsan_assist.h b/include/internal/tsan_assist.h index 2c76383..f30ffe3 100644 --- a/include/internal/tsan_assist.h +++ b/include/internal/tsan_assist.h @@ -57,6 +57,7 @@ # define tsan_load(ptr) atomic_load_explicit((ptr), memory_order_relaxed) # define tsan_store(ptr, val) atomic_store_explicit((ptr), (val), memory_order_relaxed) # define tsan_counter(ptr) atomic_fetch_add_explicit((ptr), 1, memory_order_relaxed) +# define tsan_decr(ptr) atomic_fetch_add_explicit((ptr), -1, memory_order_relaxed) # define tsan_ld_acq(ptr) atomic_load_explicit((ptr), memory_order_acquire) # define tsan_st_rel(ptr, val) atomic_store_explicit((ptr), (val), memory_order_release) # endif @@ -69,6 +70,7 @@ # define tsan_load(ptr) __atomic_load_n((ptr), __ATOMIC_RELAXED) # define tsan_store(ptr, val) __atomic_store_n((ptr), (val), __ATOMIC_RELAXED) # define tsan_counter(ptr) __atomic_fetch_add((ptr), 1, __ATOMIC_RELAXED) +# define tsan_decr(ptr) __atomic_fetch_add((ptr), -1, __ATOMIC_RELAXED) # define tsan_ld_acq(ptr) __atomic_load_n((ptr), __ATOMIC_ACQUIRE) # define tsan_st_rel(ptr, val) __atomic_store_n((ptr), (val), __ATOMIC_RELEASE) # endif @@ -113,8 +115,11 @@ # pragma intrinsic(_InterlockedExchangeAdd64) # define tsan_counter(ptr) (sizeof(*(ptr)) == 8 ? _InterlockedExchangeAdd64((ptr), 1) \ : _InterlockedExchangeAdd((ptr), 1)) +# define tsan_decr(ptr) (sizeof(*(ptr)) == 8 ? _InterlockedExchangeAdd64((ptr), -1) \ + : _InterlockedExchangeAdd((ptr), -1)) # else # define tsan_counter(ptr) _InterlockedExchangeAdd((ptr), 1) +# define tsan_decr(ptr) _InterlockedExchangeAdd((ptr), -1) # endif # if !defined(_ISO_VOLATILE) # define tsan_ld_acq(ptr) (*(ptr)) @@ -129,6 +134,7 @@ # define tsan_load(ptr) (*(ptr)) # define tsan_store(ptr, val) (*(ptr) = (val)) # define tsan_counter(ptr) ((*(ptr))++) +# define tsan_decr(ptr) ((*(ptr))--) /* * Lack of tsan_ld_acq and tsan_ld_rel means that compiler support is not * sophisticated enough to support them. Code that relies on them should be diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 8d4939d..ad4256d 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -962,7 +962,7 @@ static int final_server_name(SSL *s, unsigned int context, int sent) */ if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) { tsan_counter(&s->ctx->stats.sess_accept); - tsan_counter(&s->session_ctx->stats.sess_accept); + tsan_decr(&s->session_ctx->stats.sess_accept); } /* From scan-admin at coverity.com Sun Nov 4 07:26:20 2018 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 04 Nov 2018 07:26:20 +0000 (UTC) Subject: [openssl-commits] Coverity Scan: Analysis completed for openssl/openssl Message-ID: <5bde9f1bc0667_67e2ab1dd750f58714d1@node1.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRakUl6QyjujEohY7rPpoYUEcf-2B75FkFkxwwFKGZV8c1xA-3D-3D_19DGMz38yO7VfzGQuXkecdlEmzBoDG4v8Dvyanv-2F1I1-2BQOJ8A0WQCkv1bmCIJ-2B9ZCtdob2w24CVZQLUsgE6mBmfrq8fsaT7MA8x-2BjUIZ8k5uWfs6uO1U5Z3Zkyg1OtCTZkUi5Lnpf7oGURV6hBVC7gsiLXTsuBAXG-2FPrWRPZFvLabvenDk7dRRKeEQFVJSfCx2IsAyMxPDKGGu53JlPALrxpsM5-2Bty8Yub-2Br8TolhOA-3D Build ID: 235651 Analysis Summary: New defects found: 0 Defects eliminated: 2 From scan-admin at coverity.com Sun Nov 4 07:45:54 2018 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 04 Nov 2018 07:45:54 +0000 (UTC) Subject: [openssl-commits] Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <5bdea3b1558fb_14962ab1dd750f5871432@node1.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRakUl6QyjujEohY7rPpoYUEeuRTZVWU4ku8PUBnVPw8PQ-3D-3D_19DGMz38yO7VfzGQuXkecdlEmzBoDG4v8Dvyanv-2F1I1S9cq88ZBrvvWXXz-2B7usWcjdn-2Bmn0s6OZoYrpQ-2BGrpoQ5TuabElA929pxqLnweny7ndV1yFR4we3S8vhBo0IwNGooYKU0U6Id7mYUrQ-2BF8m09RkdjgHSkEfXOUXNw4tzPC9MuxjVWBNUIghHKlvTni7UWYIexPMMJHOybSG8th-2Btp44HMYTy-2Fir1usbzh8fmc-3D Build ID: 235659 Analysis Summary: New defects found: 0 Defects eliminated: 0 From pauli at openssl.org Sun Nov 4 22:10:25 2018 From: pauli at openssl.org (Paul I. Dale) Date: Sun, 04 Nov 2018 22:10:25 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541369425.590306.11510.nullmailer@dev.openssl.org> The branch master has been updated via afc580b9b0af0072233e9282915424fd55c366d0 (commit) from 2aaa0b146b967397a6e61fa8df969e7847f82086 (commit) - Log ----------------------------------------------------------------- commit afc580b9b0af0072233e9282915424fd55c366d0 Author: Pauli Date: Mon Nov 5 08:09:41 2018 +1000 GMAC implementation Remove GMAC demo program because it has been superceded by the EVP MAC one Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7548) ----------------------------------------------------------------------- Summary of changes: CHANGES | 3 + Configure | 2 +- crypto/err/openssl.txt | 2 + crypto/evp/c_allm.c | 1 + crypto/evp/evp_err.c | 3 + crypto/gmac/build.info | 2 + crypto/gmac/gmac.c | 183 ++++++++++++++++++++++++ crypto/include/internal/evp_int.h | 1 + crypto/objects/obj_dat.h | 15 +- crypto/objects/obj_mac.num | 1 + crypto/objects/objects.txt | 3 + demos/evp/Makefile | 8 +- demos/evp/gmac.c | 103 ------------- doc/man3/EVP_MAC.pod | 7 + doc/man7/{EVP_MAC_CMAC.pod => EVP_MAC_GMAC.pod} | 26 +++- fuzz/oids.txt | 1 + include/openssl/evp.h | 2 + include/openssl/evperr.h | 2 + include/openssl/obj_mac.h | 5 + test/evp_test.c | 18 +++ test/recipes/30-test_evp_data/evpmac.txt | 69 +++++++++ 21 files changed, 339 insertions(+), 118 deletions(-) create mode 100644 crypto/gmac/build.info create mode 100644 crypto/gmac/gmac.c delete mode 100644 demos/evp/gmac.c copy doc/man7/{EVP_MAC_CMAC.pod => EVP_MAC_GMAC.pod} (66%) diff --git a/CHANGES b/CHANGES index 29be4fc7..de10744 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,9 @@ Changes between 1.1.1 and 1.1.2 [xx XXX xxxx] + *) Add GMAC to EVP_MAC. + [Paul Dale] + *) Ported the HMAC, CMAC and SipHash EVP_PKEY_METHODs to EVP_MAC. [Richard Levitte] diff --git a/Configure b/Configure index f46be6b..53d5549 100755 --- a/Configure +++ b/Configure @@ -308,7 +308,7 @@ $config{sdirs} = [ "bn", "ec", "rsa", "dsa", "dh", "sm2", "dso", "engine", "buffer", "bio", "stack", "lhash", "rand", "err", "evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui", - "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store" + "cms", "ts", "srp", "gmac", "cmac", "ct", "async", "kdf", "store" ]; # test/ subdirectories to build $config{tdirs} = [ "ossl_shim" ]; diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 151bc83..6c52881 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -801,6 +801,7 @@ EVP_F_EVP_PKEY_VERIFY_RECOVER:144:EVP_PKEY_verify_recover EVP_F_EVP_PKEY_VERIFY_RECOVER_INIT:145:EVP_PKEY_verify_recover_init EVP_F_EVP_SIGNFINAL:107:EVP_SignFinal EVP_F_EVP_VERIFYFINAL:108:EVP_VerifyFinal +EVP_F_GMAC_CTRL:215:gmac_ctrl EVP_F_INT_CTX_NEW:157:int_ctx_new EVP_F_OK_NEW:200:ok_new EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_keyivgen @@ -2223,6 +2224,7 @@ EVP_R_ARIA_KEY_SETUP_FAILED:176:aria key setup failed EVP_R_BAD_DECRYPT:100:bad decrypt EVP_R_BUFFER_TOO_SMALL:155:buffer too small EVP_R_CAMELLIA_KEY_SETUP_FAILED:157:camellia key setup failed +EVP_R_CIPHER_NOT_GCM_MODE:184:cipher not gcm mode EVP_R_CIPHER_PARAMETER_ERROR:122:cipher parameter error EVP_R_COMMAND_NOT_SUPPORTED:147:command not supported EVP_R_COPY_ERROR:173:copy error diff --git a/crypto/evp/c_allm.c b/crypto/evp/c_allm.c index 2bcd9dc..2b9d442 100644 --- a/crypto/evp/c_allm.c +++ b/crypto/evp/c_allm.c @@ -15,6 +15,7 @@ void openssl_add_all_macs_int(void) #ifndef OPENSSL_NO_CMAC EVP_add_mac(&cmac_meth); #endif + EVP_add_mac(&gmac_meth); EVP_add_mac(&hmac_meth); #ifndef OPENSSL_NO_SIPHASH EVP_add_mac(&siphash_meth); diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c index 32760db..05d9565 100644 --- a/crypto/evp/evp_err.c +++ b/crypto/evp/evp_err.c @@ -141,6 +141,7 @@ static const ERR_STRING_DATA EVP_str_functs[] = { "EVP_PKEY_verify_recover_init"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_SIGNFINAL, 0), "EVP_SignFinal"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_VERIFYFINAL, 0), "EVP_VerifyFinal"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_GMAC_CTRL, 0), "gmac_ctrl"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_INT_CTX_NEW, 0), "int_ctx_new"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_OK_NEW, 0), "ok_new"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_PKCS5_PBE_KEYIVGEN, 0), "PKCS5_PBE_keyivgen"}, @@ -170,6 +171,8 @@ static const ERR_STRING_DATA EVP_str_reasons[] = { {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_BUFFER_TOO_SMALL), "buffer too small"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_CAMELLIA_KEY_SETUP_FAILED), "camellia key setup failed"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_CIPHER_NOT_GCM_MODE), + "cipher not gcm mode"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_CIPHER_PARAMETER_ERROR), "cipher parameter error"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_COMMAND_NOT_SUPPORTED), diff --git a/crypto/gmac/build.info b/crypto/gmac/build.info new file mode 100644 index 0000000..6d9f22e --- /dev/null +++ b/crypto/gmac/build.info @@ -0,0 +1,2 @@ +LIBS=../../libcrypto +SOURCE[../../libcrypto]=gmac.c diff --git a/crypto/gmac/gmac.c b/crypto/gmac/gmac.c new file mode 100644 index 0000000..929d9a8 --- /dev/null +++ b/crypto/gmac/gmac.c @@ -0,0 +1,183 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include "internal/cryptlib.h" +#include "internal/evp_int.h" + +/* typedef EVP_MAC_IMPL */ +struct evp_mac_impl_st { + EVP_CIPHER *cipher; /* Cache GCM cipher */ + EVP_CIPHER_CTX *ctx; /* Cipher context */ + ENGINE *engine; /* Engine implementating the algorithm */ +}; + +static void gmac_free(EVP_MAC_IMPL *gctx) +{ + if (gctx != NULL) { + EVP_CIPHER_CTX_free(gctx->ctx); + OPENSSL_free(gctx); + } +} + +static EVP_MAC_IMPL *gmac_new(void) +{ + EVP_MAC_IMPL *gctx; + + if ((gctx = OPENSSL_zalloc(sizeof(*gctx))) == NULL + || (gctx->ctx = EVP_CIPHER_CTX_new()) == NULL) { + gmac_free(gctx); + return NULL; + } + return gctx; +} + +static int gmac_copy(EVP_MAC_IMPL *gdst, EVP_MAC_IMPL *gsrc) +{ + gdst->cipher = gsrc->cipher; + gdst->engine = gsrc->engine; + return EVP_CIPHER_CTX_copy(gdst->ctx, gsrc->ctx); +} + +static size_t gmac_size(EVP_MAC_IMPL *gctx) +{ + return EVP_GCM_TLS_TAG_LEN; +} + +static int gmac_init(EVP_MAC_IMPL *gctx) +{ + return 1; +} + +static int gmac_update(EVP_MAC_IMPL *gctx, const unsigned char *data, + size_t datalen) +{ + EVP_CIPHER_CTX *ctx = gctx->ctx; + int outlen; + + while (datalen > INT_MAX) { + if (!EVP_EncryptUpdate(ctx, NULL, &outlen, data, INT_MAX)) + return 0; + data += INT_MAX; + datalen -= INT_MAX; + } + return EVP_EncryptUpdate(ctx, NULL, &outlen, data, datalen); +} + +static int gmac_final(EVP_MAC_IMPL *gctx, unsigned char *out) +{ + int hlen; + + if (!EVP_EncryptFinal_ex(gctx->ctx, out, &hlen) + || !EVP_CIPHER_CTX_ctrl(gctx->ctx, EVP_CTRL_AEAD_GET_TAG, + gmac_size(gctx), out)) + return 0; + return 1; +} + +static int gmac_ctrl(EVP_MAC_IMPL *gctx, int cmd, va_list args) +{ + const unsigned char *p; + size_t len; + EVP_CIPHER_CTX *ctx = gctx->ctx; + const EVP_CIPHER *cipher; + ENGINE *engine; + + switch (cmd) { + case EVP_MAC_CTRL_SET_CIPHER: + cipher = va_arg(args, const EVP_CIPHER *); + if (cipher == NULL) + return 0; + if (EVP_CIPHER_mode(cipher) != EVP_CIPH_GCM_MODE) { + EVPerr(EVP_F_GMAC_CTRL, EVP_R_CIPHER_NOT_GCM_MODE); + return 0; + } + return EVP_EncryptInit_ex(ctx, cipher, NULL, NULL, NULL); + + case EVP_MAC_CTRL_SET_KEY: + p = va_arg(args, const unsigned char *); + len = va_arg(args, size_t); + if (len != (size_t)EVP_CIPHER_CTX_key_length(ctx)) { + EVPerr(EVP_F_GMAC_CTRL, EVP_R_INVALID_KEY_LENGTH); + return 0; + } + return EVP_EncryptInit_ex(ctx, NULL, NULL, p, NULL); + + case EVP_MAC_CTRL_SET_IV: + p = va_arg(args, const unsigned char *); + len = va_arg(args, size_t); + return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, len, NULL) + && EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, p); + + case EVP_MAC_CTRL_SET_ENGINE: + engine = va_arg(args, ENGINE *); + return EVP_EncryptInit_ex(ctx, NULL, engine, NULL, NULL); + + default: + return -2; + } +} + +static int gmac_ctrl_int(EVP_MAC_IMPL *gctx, int cmd, ...) +{ + int rv; + va_list args; + + va_start(args, cmd); + rv = gmac_ctrl(gctx, cmd, args); + va_end(args); + + return rv; +} + +static int gmac_ctrl_str_cb(void *gctx, int cmd, void *buf, size_t buflen) +{ + return gmac_ctrl_int(gctx, cmd, buf, buflen); +} + +static int gmac_ctrl_str(EVP_MAC_IMPL *gctx, const char *type, + const char *value) +{ + if (!value) + return 0; + if (strcmp(type, "cipher") == 0) { + const EVP_CIPHER *c = EVP_get_cipherbyname(value); + + if (c == NULL) + return 0; + return gmac_ctrl_int(gctx, EVP_MAC_CTRL_SET_CIPHER, c); + } + if (strcmp(type, "key") == 0) + return EVP_str2ctrl(gmac_ctrl_str_cb, gctx, EVP_MAC_CTRL_SET_KEY, + value); + if (strcmp(type, "hexkey") == 0) + return EVP_hex2ctrl(gmac_ctrl_str_cb, gctx, EVP_MAC_CTRL_SET_KEY, + value); + if (strcmp(type, "iv") == 0) + return EVP_str2ctrl(gmac_ctrl_str_cb, gctx, EVP_MAC_CTRL_SET_IV, + value); + if (strcmp(type, "hexiv") == 0) + return EVP_hex2ctrl(gmac_ctrl_str_cb, gctx, EVP_MAC_CTRL_SET_IV, + value); + return -2; +} + +const EVP_MAC gmac_meth = { + EVP_MAC_GMAC, + gmac_new, + gmac_copy, + gmac_free, + gmac_size, + gmac_init, + gmac_update, + gmac_final, + gmac_ctrl, + gmac_ctrl_str +}; diff --git a/crypto/include/internal/evp_int.h b/crypto/include/internal/evp_int.h index 060538e..98adf1f 100644 --- a/crypto/include/internal/evp_int.h +++ b/crypto/include/internal/evp_int.h @@ -129,6 +129,7 @@ struct evp_mac_st { }; extern const EVP_MAC cmac_meth; +extern const EVP_MAC gmac_meth; extern const EVP_MAC hmac_meth; extern const EVP_MAC siphash_meth; diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index e931f7f..d9365ce 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -10,7 +10,7 @@ */ /* Serialized OID's */ -static const unsigned char so[7762] = { +static const unsigned char so[7767] = { 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 0] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 6] OBJ_pkcs */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02, /* [ 13] OBJ_md2 */ @@ -1076,9 +1076,10 @@ static const unsigned char so[7762] = { 0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x01,0x04, /* [ 7736] OBJ_id_tc26_gost_3410_2012_256_paramSetD */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0C, /* [ 7745] OBJ_hmacWithSHA512_224 */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */ + 0x28,0xCC,0x45,0x03,0x04, /* [ 7761] OBJ_gmac */ }; -#define NUM_NID 1195 +#define NUM_NID 1196 static const ASN1_OBJECT nid_objs[NUM_NID] = { {"UNDEF", "undefined", NID_undef}, {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, @@ -2275,9 +2276,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = { {"magma-mac", "magma-mac", NID_magma_mac}, {"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]}, {"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]}, + {"GMAC", "gmac", NID_gmac, 5, &so[7761]}, }; -#define NUM_SN 1186 +#define NUM_SN 1187 static const unsigned int sn_objs[NUM_SN] = { 364, /* "AD_DVCS" */ 419, /* "AES-128-CBC" */ @@ -2424,6 +2426,7 @@ static const unsigned int sn_objs[NUM_SN] = { 297, /* "DVCS" */ 1087, /* "ED25519" */ 1088, /* "ED448" */ + 1195, /* "GMAC" */ 99, /* "GN" */ 1036, /* "HKDF" */ 855, /* "HMAC" */ @@ -3467,7 +3470,7 @@ static const unsigned int sn_objs[NUM_SN] = { 1093, /* "x509ExtAdmission" */ }; -#define NUM_LN 1186 +#define NUM_LN 1187 static const unsigned int ln_objs[NUM_LN] = { 363, /* "AD Time Stamping" */ 405, /* "ANSI X9.62" */ @@ -3961,6 +3964,7 @@ static const unsigned int ln_objs[NUM_LN] = { 509, /* "generationQualifier" */ 601, /* "generic cryptogram" */ 99, /* "givenName" */ + 1195, /* "gmac" */ 976, /* "gost-mac-12" */ 1009, /* "gost89-cbc" */ 814, /* "gost89-cnt" */ @@ -4657,7 +4661,7 @@ static const unsigned int ln_objs[NUM_LN] = { 125, /* "zlib compression" */ }; -#define NUM_OBJ 1071 +#define NUM_OBJ 1072 static const unsigned int obj_objs[NUM_OBJ] = { 0, /* OBJ_undef 0 */ 181, /* OBJ_iso 1 */ @@ -4904,6 +4908,7 @@ static const unsigned int obj_objs[NUM_OBJ] = { 637, /* OBJ_set_brand_Diners 2 23 42 8 30 */ 638, /* OBJ_set_brand_AmericanExpress 2 23 42 8 34 */ 639, /* OBJ_set_brand_JCB 2 23 42 8 35 */ + 1195, /* OBJ_gmac 1 0 9797 3 4 */ 1141, /* OBJ_oscca 1 2 156 10197 */ 805, /* OBJ_cryptopro 1 2 643 2 2 */ 806, /* OBJ_cryptocom 1 2 643 2 9 */ diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num index 1b6a9c6..487eeff 100644 --- a/crypto/objects/obj_mac.num +++ b/crypto/objects/obj_mac.num @@ -1192,3 +1192,4 @@ magma_cfb 1191 magma_mac 1192 hmacWithSHA512_224 1193 hmacWithSHA512_256 1194 +gmac 1195 diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt index 6dbc41c..1e83dff 100644 --- a/crypto/objects/objects.txt +++ b/crypto/objects/objects.txt @@ -11,6 +11,9 @@ iso 2 : member-body : ISO Member Body iso 3 : identified-organization +# GMAC OID +iso 0 9797 3 4 : GMAC : gmac + # HMAC OIDs identified-organization 6 1 5 5 8 1 1 : HMAC-MD5 : hmac-md5 identified-organization 6 1 5 5 8 1 2 : HMAC-SHA1 : hmac-sha1 diff --git a/demos/evp/Makefile b/demos/evp/Makefile index 1fb0f39..c2e10a1 100644 --- a/demos/evp/Makefile +++ b/demos/evp/Makefile @@ -7,19 +7,17 @@ # # LD_LIBRARY_PATH=../.. ./aesccm # LD_LIBRARY_PATH=../.. ./aesgcm -# LD_LIBRARY_PATH=../.. ./gmac CFLAGS = $(OPENSSL_INCS_LOCATION) LDFLAGS = $(OPENSSL_LIBS_LOCATION) -lssl -lcrypto -all: aesccm aesgcm gmac +all: aesccm aesgcm aesccm: aesccm.o aesgcm: aesgcm.o -gmac: gmac.o -aesccm aesgcm gmac: +aesccm aesgcm: $(CC) $(CFLAGS) -o $@ $< $(LDFLAGS) clean: - $(RM) aesccm aesgcm gmac *.o + $(RM) aesccm aesgcm *.o diff --git a/demos/evp/gmac.c b/demos/evp/gmac.c deleted file mode 100644 index 0b2231b..0000000 --- a/demos/evp/gmac.c +++ /dev/null @@ -1,103 +0,0 @@ -/* - * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -/* - * Simple AES GMAC test program, uses the same NIST data used for the FIPS - * self test but uses the application level EVP APIs. - */ -#include -#include -#include -#include -#include - -/* AES-GMAC test data from NIST public test vectors */ - -static const unsigned char gmac_key[] = { 0x77, 0xbe, 0x63, 0x70, 0x89, 0x71, 0xc4, 0xe2, - 0x40, 0xd1, 0xcb, 0x79, 0xe8, 0xd7, 0x7f, 0xeb }; -static const unsigned char gmac_iv[] = { 0xe0, 0xe0, 0x0f, 0x19, 0xfe, 0xd7, 0xba, 0x01, - 0x36, 0xa7, 0x97, 0xf3 }; -static const unsigned char gmac_aad[] = { 0x7a, 0x43, 0xec, 0x1d, 0x9c, 0x0a, 0x5a, 0x78, - 0xa0, 0xb1, 0x65, 0x33, 0xa6, 0x21, 0x3c, 0xab }; - -static const unsigned char gmac_tag[] = { 0x20, 0x9f, 0xcc, 0x8d, 0x36, 0x75, 0xed, 0x93, - 0x8e, 0x9c, 0x71, 0x66, 0x70, 0x9d, 0xd9, 0x46 }; - -static int aes_gmac(void) -{ - EVP_CIPHER_CTX *ctx; - int outlen, tmplen; - unsigned char outbuf[1024]; - int ret = 0; - - printf("AES GMAC:\n"); - printf("Authenticated Data:\n"); - BIO_dump_fp(stdout, gmac_aad, sizeof(gmac_aad)); - - if ((ctx = EVP_CIPHER_CTX_new()) == NULL) { - printf("EVP_CIPHER_CTX_new: failed\n"); - goto err; - } - - /* Set cipher type and mode */ - if (!EVP_EncryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL)) { - printf("EVP_EncryptInit_ex: failed\n"); - goto err; - } - - /* Set IV length if default 96 bits is not appropriate */ - if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, sizeof(gmac_iv), - NULL)) { - printf("EVP_CIPHER_CTX_ctrl: set IV length failed\n"); - goto err; - } - - /* Initialise key and IV */ - if (!EVP_EncryptInit_ex(ctx, NULL, NULL, gmac_key, gmac_iv)) { - printf("EVP_EncryptInit_ex: set key and IV failed\n"); - goto err; - } - - /* Zero or more calls to specify any AAD */ - if (!EVP_EncryptUpdate(ctx, NULL, &outlen, gmac_aad, sizeof(gmac_aad))) { - printf("EVP_EncryptUpdate: setting AAD failed\n"); - goto err; - } - - /* Finalise: note get no output for GMAC */ - if (!EVP_EncryptFinal_ex(ctx, outbuf, &outlen)) { - printf("EVP_EncryptFinal_ex: failed\n"); - goto err; - } - - /* Get tag */ - if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, outbuf)) { - printf("EVP_CIPHER_CTX_ctrl: failed\n"); - goto err; - } - - /* Output tag */ - printf("Tag:\n"); - BIO_dump_fp(stdout, outbuf, 16); - - /* Is the tag correct? */ - if (memcmp(outbuf, gmac_tag, sizeof(gmac_tag)) != 0) { - printf("Expected:\n"); - BIO_dump_fp(stdout, gmac_tag, sizeof(gmac_tag)); - } else - ret = 1; -err: - EVP_CIPHER_CTX_free(ctx); - return ret; -} - -int main(int argc, char **argv) -{ - return aes_gmac() ? EXIT_SUCCESS : EXIT_FAILURE; -} diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod index a320181..473d6c9 100644 --- a/doc/man3/EVP_MAC.pod +++ b/doc/man3/EVP_MAC.pod @@ -163,6 +163,12 @@ For MACs that use an underlying computation algorithm, the algorithm I be set first, see B, B and B below. +=item B + +This control expects two arguments: C, C + +Some MAC implementations require an IV, this control sets the IV. + =item B This control expects one arguments: C @@ -327,6 +333,7 @@ F<./foo>) =head1 SEE ALSO L, +L, L, L diff --git a/doc/man7/EVP_MAC_CMAC.pod b/doc/man7/EVP_MAC_GMAC.pod similarity index 66% copy from doc/man7/EVP_MAC_CMAC.pod copy to doc/man7/EVP_MAC_GMAC.pod index 12c18a8..c35d781 100644 --- a/doc/man7/EVP_MAC_CMAC.pod +++ b/doc/man7/EVP_MAC_GMAC.pod @@ -2,15 +2,15 @@ =head1 NAME -EVP_MAC_CMAC - The CMAC EVP_MAC implementation +EVP_MAC_GMAC - The GMAC EVP_MAC implementation =head1 DESCRIPTION -Support for computing CMAC MACs through the B API. +Support for computing GMAC MACs through the B API. =head2 Numeric identity -B is the numeric identity for this implementation, and +B is the numeric identity for this implementation, and can be used in functions like EVP_MAC_CTX_new_id() and EVP_get_macbynid(). @@ -37,11 +37,29 @@ decoded before passing on as control value. =back +=item B + +EVP_MAC_ctrl_str() takes two type strings for this control: + +=over 4 + +=item "iv" + +The value string is used as is. + +=item "hexiv" + +The value string is expected to be a hexadecimal number, which will be +decoded before passing on as control value. + +=back + =item B =item B -These work as described in L. +These work as described in L with the restriction that the +cipher must be an AEAD one. EVP_MAC_ctrl_str() type string for B: "cipher" diff --git a/fuzz/oids.txt b/fuzz/oids.txt index fe363fd..79a68fc 100644 --- a/fuzz/oids.txt +++ b/fuzz/oids.txt @@ -1063,3 +1063,4 @@ OBJ_id_tc26_gost_3410_2012_256_paramSetC="\x2A\x85\x03\x07\x01\x02\x01\x01\x03" OBJ_id_tc26_gost_3410_2012_256_paramSetD="\x2A\x85\x03\x07\x01\x02\x01\x01\x04" OBJ_hmacWithSHA512_224="\x2A\x86\x48\x86\xF7\x0D\x02\x0C" OBJ_hmacWithSHA512_256="\x2A\x86\x48\x86\xF7\x0D\x02\x0D" +OBJ_gmac="\x28\xCC\x45\x03\x04" diff --git a/include/openssl/evp.h b/include/openssl/evp.h index cfd6369..79845aa 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -988,6 +988,7 @@ void EVP_MD_do_all_sorted(void (*fn) /* MAC stuff */ # define EVP_MAC_CMAC NID_cmac +# define EVP_MAC_GMAC NID_gmac # define EVP_MAC_HMAC NID_hmac # define EVP_MAC_SIPHASH NID_siphash @@ -1024,6 +1025,7 @@ void EVP_MAC_do_all_sorted(void (*fn) # define EVP_MAC_CTRL_SET_MD 0x04 /* EVP_MD * */ # define EVP_MAC_CTRL_SET_CIPHER 0x04 /* EVP_CIPHER * */ # define EVP_MAC_CTRL_SET_SIZE 0x05 /* size_t */ +# define EVP_MAC_CTRL_SET_IV 0x06 /* unsigned char *, size_t */ /* PKEY stuff */ int EVP_PKEY_decrypt_old(unsigned char *dec_key, diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h index a17e159..17b8187 100644 --- a/include/openssl/evperr.h +++ b/include/openssl/evperr.h @@ -111,6 +111,7 @@ int ERR_load_EVP_strings(void); # define EVP_F_EVP_PKEY_VERIFY_RECOVER_INIT 145 # define EVP_F_EVP_SIGNFINAL 107 # define EVP_F_EVP_VERIFYFINAL 108 +# define EVP_F_GMAC_CTRL 215 # define EVP_F_INT_CTX_NEW 157 # define EVP_F_OK_NEW 200 # define EVP_F_PKCS5_PBE_KEYIVGEN 117 @@ -133,6 +134,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_BAD_DECRYPT 100 # define EVP_R_BUFFER_TOO_SMALL 155 # define EVP_R_CAMELLIA_KEY_SETUP_FAILED 157 +# define EVP_R_CIPHER_NOT_GCM_MODE 184 # define EVP_R_CIPHER_PARAMETER_ERROR 122 # define EVP_R_COMMAND_NOT_SUPPORTED 147 # define EVP_R_COPY_ERROR 173 diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h index 80ff5a7..0a3e4c5 100644 --- a/include/openssl/obj_mac.h +++ b/include/openssl/obj_mac.h @@ -44,6 +44,11 @@ #define NID_identified_organization 676 #define OBJ_identified_organization OBJ_iso,3L +#define SN_gmac "GMAC" +#define LN_gmac "gmac" +#define NID_gmac 1195 +#define OBJ_gmac OBJ_iso,0L,9797L,3L,4L + #define SN_hmac_md5 "HMAC-MD5" #define LN_hmac_md5 "hmac-md5" #define NID_hmac_md5 780 diff --git a/test/evp_test.c b/test/evp_test.c index 25b10d3..18b20af 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -838,6 +838,9 @@ typedef struct mac_data_st { /* MAC key */ unsigned char *key; size_t key_len; + /* MAC IV (GMAC) */ + unsigned char *iv; + size_t iv_len; /* Input to MAC */ unsigned char *input; size_t input_len; @@ -925,6 +928,7 @@ static void mac_test_cleanup(EVP_TEST *t) sk_OPENSSL_STRING_pop_free(mdat->controls, openssl_free); OPENSSL_free(mdat->alg); OPENSSL_free(mdat->key); + OPENSSL_free(mdat->iv); OPENSSL_free(mdat->input); OPENSSL_free(mdat->output); } @@ -936,6 +940,8 @@ static int mac_test_parse(EVP_TEST *t, if (strcmp(keyword, "Key") == 0) return parse_bin(value, &mdata->key, &mdata->key_len); + if (strcmp(keyword, "IV") == 0) + return parse_bin(value, &mdata->iv, &mdata->iv_len); if (strcmp(keyword, "Algorithm") == 0) { mdata->alg = OPENSSL_strdup(value); if (!mdata->alg) @@ -1119,6 +1125,18 @@ static int mac_test_run_mac(EVP_TEST *t) goto err; } + if (expected->iv != NULL) { + rv = EVP_MAC_ctrl(ctx, EVP_MAC_CTRL_SET_IV, + expected->iv, expected->iv_len); + if (rv == -2) { + t->err = "MAC_CTRL_INVALID"; + goto err; + } else if (rv <= 0) { + t->err = "MAC_CTRL_ERROR"; + goto err; + } + } + if (!EVP_MAC_init(ctx)) { t->err = "MAC_INIT_ERROR"; goto err; diff --git a/test/recipes/30-test_evp_data/evpmac.txt b/test/recipes/30-test_evp_data/evpmac.txt index 4788626..82a3507 100644 --- a/test/recipes/30-test_evp_data/evpmac.txt +++ b/test/recipes/30-test_evp_data/evpmac.txt @@ -386,6 +386,75 @@ Key = 89BCD952A8C8AB371AF48AC7D07085D5EFF702E6D62CDC23 Input = FA620C1BBE97319E9A0CF0492121F7A20EB08A6A709DCBD00AAF38E4F99E754E Output = 8F49A1B7D6AA2258 + +Title = GMAC Tests (from NIST) + +MAC = GMAC +Algorithm = AES-128-GCM +Key = 77BE63708971C4E240D1CB79E8D77FEB +IV = E0E00F19FED7BA0136A797F3 +Input = 7A43EC1D9C0A5A78A0B16533A6213CAB +Output = 209FCC8D3675ED938E9C7166709DD946 + +Title = GMAC Tests (from http://www.ieee802.org/1/files/public/docs2011/bn-randall-test-vectors-0511-v1.pdf) + +MAC = GMAC +Algorithm = AES-128-GCM +Key = AD7A2BD03EAC835A6F620FDCB506B345 +IV = 12153524C0895E81B2C28465 +Input = D609B1F056637A0D46DF998D88E5222AB2C2846512153524C0895E8108000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F30313233340001 +Output = F09478A9B09007D06F46E9B6A1DA25DD + +MAC = GMAC +Algorithm = AES-256-GCM +Key = E3C08A8F06C6E3AD95A70557B23F75483CE33021A9C72B7025666204C69C0B72 +IV = 12153524C0895E81B2C28465 +Input = D609B1F056637A0D46DF998D88E5222AB2C2846512153524C0895E8108000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F30313233340001 +Output = 2F0BC5AF409E06D609EA8B7D0FA5EA50 + +MAC = GMAC +Algorithm = AES-128-GCM +Key = 071B113B0CA743FECCCF3D051F737382 +IV = F0761E8DCD3D000176D457ED +Input = E20106D7CD0DF0761E8DCD3D88E5400076D457ED08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A0003 +Output = 0C017BC73B227DFCC9BAFA1C41ACC353 + +MAC = GMAC +Algorithm = AES-256-GCM +Key = 691D3EE909D7F54167FD1CA0B5D769081F2BDE1AEE655FDBAB80BD5295AE6BE7 +IV = F0761E8DCD3D000176D457ED +Input = E20106D7CD0DF0761E8DCD3D88E5400076D457ED08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A0003 +Output = 35217C774BBC31B63166BCF9D4ABED07 + +MAC = GMAC +Algorithm = AES-128-GCM +Key = 013FE00B5F11BE7F866D0CBBC55A7A90 +IV = 7CFDE9F9E33724C68932D612 +Input = 84C5D513D2AAF6E5BBD2727788E523008932D6127CFDE9F9E33724C608000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F0005 +Output = 217867E50C2DAD74C28C3B50ABDF695A + +MAC = GMAC +Algorithm = AES-256-GCM +Key = 83C093B58DE7FFE1C0DA926AC43FB3609AC1C80FEE1B624497EF942E2F79A823 +IV = 7CFDE9F9E33724C68932D612 +Input = 84C5D513D2AAF6E5BBD2727788E523008932D6127CFDE9F9E33724C608000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F0005 +Output = 6EE160E8FAECA4B36C86B234920CA975 + +MAC = GMAC +Algorithm = AES-128-GCM +Key = 88EE087FD95DA9FBF6725AA9D757B0CD +IV = 7AE8E2CA4EC500012E58495C +Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007 +Output = 07922B8EBCF10BB2297588CA4C614523 + +MAC = GMAC +Algorithm = AES-256-GCM +Key = 4C973DBC7364621674F8B5B89E5C15511FCED9216490FB1C1A2CAA0FFE0407E5 +IV = 7AE8E2CA4EC500012E58495C +Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007 +Output = 00BDA1B7E87608BCBF470F12157F4C07 + + Title = Poly1305 Tests (from RFC 7539 and others) MAC = Poly1305 From pauli at openssl.org Sun Nov 4 23:38:55 2018 From: pauli at openssl.org (Paul I. Dale) Date: Sun, 04 Nov 2018 23:38:55 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541374735.656358.25977.nullmailer@dev.openssl.org> The branch master has been updated via 748099b9e96e288f0fd1bc72634834d3687831ad (commit) from afc580b9b0af0072233e9282915424fd55c366d0 (commit) - Log ----------------------------------------------------------------- commit 748099b9e96e288f0fd1bc72634834d3687831ad Author: Pauli Date: Mon Nov 5 08:24:50 2018 +1000 Clarify the POD source for the list command. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7563) ----------------------------------------------------------------------- Summary of changes: doc/man1/list.pod | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/doc/man1/list.pod b/doc/man1/list.pod index eeb099b..ca7af49 100644 --- a/doc/man1/list.pod +++ b/doc/man1/list.pod @@ -50,16 +50,14 @@ as input to the L or L commands. =item B<-digest-algorithms> Display a list of message digest algorithms. -If a line is of the form - foo => bar -then B is an alias for the official algorithm name, B. +If a line is of the form C bar> then B is an alias for the +official algorithm name, B. =item B<-mac-algorithms> Display a list of message authentication code algorithms. -If a line is of the form - foo => bar -then B is an alias for the official algorithm name, B. +If a line is of the form C bar> then B is an alias for the +official algorithm name, B. =item B<-cipher-commands> @@ -69,9 +67,8 @@ to the L or L commands. =item B<-cipher-algorithms> Display a list of cipher algorithms. -If a line is of the form - foo => bar -then B is an alias for the official algorithm name, B. +If a line is of the form C bar> then B is an alias for the +official algorithm name, B. =item B<-public-key-algorithms> From yang.yang at baishancloud.com Mon Nov 5 05:08:07 2018 From: yang.yang at baishancloud.com (yang.yang at baishancloud.com) Date: Mon, 05 Nov 2018 05:08:07 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541394487.690661.5736.nullmailer@dev.openssl.org> The branch master has been updated via c1da4b2afe62644f42f95a8788cd80b0a4925e0c (commit) from 748099b9e96e288f0fd1bc72634834d3687831ad (commit) - Log ----------------------------------------------------------------- commit c1da4b2afe62644f42f95a8788cd80b0a4925e0c Author: Paul Yang Date: Mon Oct 22 14:54:24 2018 +0800 Add poly1305 MAC support This is based on the latest EVP MAC interface introduced in PR #7393. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7459) ----------------------------------------------------------------------- Summary of changes: crypto/err/openssl.txt | 1 + crypto/evp/c_allm.c | 3 + crypto/evp/evp_err.c | 1 + crypto/evp/pkey_mac.c | 33 ++++ crypto/include/internal/evp_int.h | 1 + crypto/poly1305/build.info | 2 +- crypto/poly1305/poly1305_meth.c | 141 +++++++++++++++ crypto/poly1305/poly1305_pmeth.c | 194 --------------------- doc/man3/EVP_MAC.pod | 3 +- .../{EVP_MAC_SIPHASH.pod => EVP_MAC_POLY1305.pod} | 12 +- include/openssl/evp.h | 1 + include/openssl/evperr.h | 1 + test/recipes/30-test_evp_data/evpmac.txt | 20 +++ 13 files changed, 208 insertions(+), 205 deletions(-) create mode 100644 crypto/poly1305/poly1305_meth.c delete mode 100644 crypto/poly1305/poly1305_pmeth.c copy doc/man7/{EVP_MAC_SIPHASH.pod => EVP_MAC_POLY1305.pod} (73%) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 6c52881..b5a441a 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -810,6 +810,7 @@ EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen EVP_F_PKEY_MAC_INIT:214:pkey_mac_init EVP_F_PKEY_SET_TYPE:158:pkey_set_type +EVP_F_POLY1305_CTRL:215:poly1305_ctrl EVP_F_RC2_MAGIC_TO_METH:109:rc2_magic_to_meth EVP_F_RC5_CTRL:125:rc5_ctrl EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl diff --git a/crypto/evp/c_allm.c b/crypto/evp/c_allm.c index 2b9d442..ba8acc7 100644 --- a/crypto/evp/c_allm.c +++ b/crypto/evp/c_allm.c @@ -20,4 +20,7 @@ void openssl_add_all_macs_int(void) #ifndef OPENSSL_NO_SIPHASH EVP_add_mac(&siphash_meth); #endif +#ifndef OPENSSL_NO_POLY1305 + EVP_add_mac(&poly1305_meth); +#endif } diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c index 05d9565..4ef0cf5 100644 --- a/crypto/evp/evp_err.c +++ b/crypto/evp/evp_err.c @@ -153,6 +153,7 @@ static const ERR_STRING_DATA EVP_str_functs[] = { "PKCS5_v2_scrypt_keyivgen"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_MAC_INIT, 0), "pkey_mac_init"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_SET_TYPE, 0), "pkey_set_type"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_POLY1305_CTRL, 0), "poly1305_ctrl"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_RC2_MAGIC_TO_METH, 0), "rc2_magic_to_meth"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_RC5_CTRL, 0), "rc5_ctrl"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_CTRL, 0), "s390x_aes_gcm_ctrl"}, diff --git a/crypto/evp/pkey_mac.c b/crypto/evp/pkey_mac.c index d8c0e89..d9e55ec 100644 --- a/crypto/evp/pkey_mac.c +++ b/crypto/evp/pkey_mac.c @@ -425,3 +425,36 @@ const EVP_PKEY_METHOD siphash_pkey_meth = { pkey_mac_ctrl, pkey_mac_ctrl_str }; + +const EVP_PKEY_METHOD poly1305_pkey_meth = { + EVP_PKEY_POLY1305, + EVP_PKEY_FLAG_SIGCTX_CUSTOM, + pkey_mac_init, + pkey_mac_copy, + pkey_mac_cleanup, + + 0, 0, + + 0, + pkey_mac_keygen, + + 0, 0, + + 0, 0, + + 0, 0, + + pkey_mac_signctx_init, + pkey_mac_signctx, + + 0, 0, + + 0, 0, + + 0, 0, + + 0, 0, + + pkey_mac_ctrl, + pkey_mac_ctrl_str +}; diff --git a/crypto/include/internal/evp_int.h b/crypto/include/internal/evp_int.h index 98adf1f..85d3487 100644 --- a/crypto/include/internal/evp_int.h +++ b/crypto/include/internal/evp_int.h @@ -132,6 +132,7 @@ extern const EVP_MAC cmac_meth; extern const EVP_MAC gmac_meth; extern const EVP_MAC hmac_meth; extern const EVP_MAC siphash_meth; +extern const EVP_MAC poly1305_meth; /* * This function is internal for now, but can be made external when needed. diff --git a/crypto/poly1305/build.info b/crypto/poly1305/build.info index 631b32b..363d62e 100644 --- a/crypto/poly1305/build.info +++ b/crypto/poly1305/build.info @@ -1,7 +1,7 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=\ - poly1305_pmeth.c \ poly1305_ameth.c \ + poly1305_meth.c \ poly1305.c {- $target{poly1305_asm_src} -} GENERATE[poly1305-sparcv9.S]=asm/poly1305-sparcv9.pl $(PERLASM_SCHEME) diff --git a/crypto/poly1305/poly1305_meth.c b/crypto/poly1305/poly1305_meth.c new file mode 100644 index 0000000..dfee56d --- /dev/null +++ b/crypto/poly1305/poly1305_meth.c @@ -0,0 +1,141 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ +#include +#include "internal/evp_int.h" +#include "internal/poly1305.h" +#include "internal/cryptlib.h" +#include "poly1305_local.h" + +/* typedef EVP_MAC_IMPL */ +struct evp_mac_impl_st { + POLY1305 *ctx; /* poly1305 context */ +}; + +static EVP_MAC_IMPL *poly1305_new(void) +{ + EVP_MAC_IMPL *ctx; + + if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL + || (ctx->ctx = OPENSSL_zalloc(sizeof(POLY1305))) == NULL) { + OPENSSL_free(ctx); + return 0; + } + return ctx; +} + +static void poly1305_free(EVP_MAC_IMPL *ctx) +{ + if (ctx != NULL) { + OPENSSL_free(ctx->ctx); + OPENSSL_free(ctx); + } +} + +static int poly1305_copy(EVP_MAC_IMPL *dst, EVP_MAC_IMPL *src) +{ + *dst->ctx = *src->ctx; + + return 1; +} + +static size_t poly1305_size(EVP_MAC_IMPL *ctx) +{ + return POLY1305_DIGEST_SIZE; +} + +static int poly1305_init(EVP_MAC_IMPL *ctx) +{ + /* initialize the context in MAC_ctrl function */ + return 1; +} + +static int poly1305_update(EVP_MAC_IMPL *ctx, const unsigned char *data, + size_t datalen) +{ + POLY1305 *poly_ctx = ctx->ctx; + + /* poly1305 has nothing to return in its update function */ + Poly1305_Update(poly_ctx, data, datalen); + return 1; +} + +static int poly1305_final(EVP_MAC_IMPL *ctx, unsigned char *out) +{ + POLY1305 *poly_ctx = ctx->ctx; + + Poly1305_Final(poly_ctx, out); + return 1; +} + +static int poly1305_ctrl(EVP_MAC_IMPL *ctx, int cmd, va_list args) +{ + POLY1305 *poly_ctx = ctx->ctx; + unsigned char *key; + size_t keylen; + + switch (cmd) { + case EVP_MAC_CTRL_SET_KEY: + key = va_arg(args, unsigned char *); + keylen = va_arg(args, size_t); + + if (keylen != POLY1305_KEY_SIZE) { + EVPerr(EVP_F_POLY1305_CTRL, EVP_R_INVALID_KEY_LENGTH); + return 0; + } + Poly1305_Init(poly_ctx, key); + return 1; + default: + return -2; + } + return 1; +} + +static int poly1305_ctrl_int(EVP_MAC_IMPL *ctx, int cmd, ...) +{ + int rv; + va_list args; + + va_start(args, cmd); + rv = poly1305_ctrl(ctx, cmd, args); + va_end(args); + + return rv; +} + +static int poly1305_ctrl_str_cb(void *ctx, int cmd, void *buf, size_t buflen) +{ + return poly1305_ctrl_int(ctx, cmd, buf, buflen); +} + +static int poly1305_ctrl_str(EVP_MAC_IMPL *ctx, + const char *type, const char *value) +{ + if (value == NULL) + return 0; + if (strcmp(type, "key") == 0) + return EVP_str2ctrl(poly1305_ctrl_str_cb, ctx, EVP_MAC_CTRL_SET_KEY, + value); + if (strcmp(type, "hexkey") == 0) + return EVP_hex2ctrl(poly1305_ctrl_str_cb, ctx, EVP_MAC_CTRL_SET_KEY, + value); + return -2; +} + +const EVP_MAC poly1305_meth = { + EVP_MAC_POLY1305, + poly1305_new, + poly1305_copy, + poly1305_free, + poly1305_size, + poly1305_init, + poly1305_update, + poly1305_final, + poly1305_ctrl, + poly1305_ctrl_str +}; diff --git a/crypto/poly1305/poly1305_pmeth.c b/crypto/poly1305/poly1305_pmeth.c deleted file mode 100644 index 3bc24c9..0000000 --- a/crypto/poly1305/poly1305_pmeth.c +++ /dev/null @@ -1,194 +0,0 @@ -/* - * Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include -#include "internal/cryptlib.h" -#include -#include -#include -#include -#include "internal/poly1305.h" -#include "poly1305_local.h" -#include "internal/evp_int.h" - -/* POLY1305 pkey context structure */ - -typedef struct { - ASN1_OCTET_STRING ktmp; /* Temp storage for key */ - POLY1305 ctx; -} POLY1305_PKEY_CTX; - -static int pkey_poly1305_init(EVP_PKEY_CTX *ctx) -{ - POLY1305_PKEY_CTX *pctx; - - if ((pctx = OPENSSL_zalloc(sizeof(*pctx))) == NULL) { - CRYPTOerr(CRYPTO_F_PKEY_POLY1305_INIT, ERR_R_MALLOC_FAILURE); - return 0; - } - pctx->ktmp.type = V_ASN1_OCTET_STRING; - - EVP_PKEY_CTX_set_data(ctx, pctx); - EVP_PKEY_CTX_set0_keygen_info(ctx, NULL, 0); - return 1; -} - -static void pkey_poly1305_cleanup(EVP_PKEY_CTX *ctx) -{ - POLY1305_PKEY_CTX *pctx = EVP_PKEY_CTX_get_data(ctx); - - if (pctx != NULL) { - OPENSSL_clear_free(pctx->ktmp.data, pctx->ktmp.length); - OPENSSL_clear_free(pctx, sizeof(*pctx)); - EVP_PKEY_CTX_set_data(ctx, NULL); - } -} - -static int pkey_poly1305_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) -{ - POLY1305_PKEY_CTX *sctx, *dctx; - - /* allocate memory for dst->data and a new POLY1305_CTX in dst->data->ctx */ - if (!pkey_poly1305_init(dst)) - return 0; - sctx = EVP_PKEY_CTX_get_data(src); - dctx = EVP_PKEY_CTX_get_data(dst); - if (ASN1_STRING_get0_data(&sctx->ktmp) != NULL && - !ASN1_STRING_copy(&dctx->ktmp, &sctx->ktmp)) { - /* cleanup and free the POLY1305_PKEY_CTX in dst->data */ - pkey_poly1305_cleanup(dst); - return 0; - } - memcpy(&dctx->ctx, &sctx->ctx, sizeof(POLY1305)); - return 1; -} - -static int pkey_poly1305_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) -{ - ASN1_OCTET_STRING *key; - POLY1305_PKEY_CTX *pctx = EVP_PKEY_CTX_get_data(ctx); - - if (ASN1_STRING_get0_data(&pctx->ktmp) == NULL) - return 0; - key = ASN1_OCTET_STRING_dup(&pctx->ktmp); - if (key == NULL) - return 0; - return EVP_PKEY_assign_POLY1305(pkey, key); -} - -static int int_update(EVP_MD_CTX *ctx, const void *data, size_t count) -{ - POLY1305_PKEY_CTX *pctx = EVP_PKEY_CTX_get_data(EVP_MD_CTX_pkey_ctx(ctx)); - - Poly1305_Update(&pctx->ctx, data, count); - return 1; -} - -static int poly1305_signctx_init(EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx) -{ - POLY1305_PKEY_CTX *pctx = ctx->data; - ASN1_OCTET_STRING *key = (ASN1_OCTET_STRING *)ctx->pkey->pkey.ptr; - - if (key->length != POLY1305_KEY_SIZE) - return 0; - EVP_MD_CTX_set_flags(mctx, EVP_MD_CTX_FLAG_NO_INIT); - EVP_MD_CTX_set_update_fn(mctx, int_update); - Poly1305_Init(&pctx->ctx, key->data); - return 1; -} -static int poly1305_signctx(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, - EVP_MD_CTX *mctx) -{ - POLY1305_PKEY_CTX *pctx = ctx->data; - - *siglen = POLY1305_DIGEST_SIZE; - if (sig != NULL) - Poly1305_Final(&pctx->ctx, sig); - return 1; -} - -static int pkey_poly1305_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) -{ - POLY1305_PKEY_CTX *pctx = EVP_PKEY_CTX_get_data(ctx); - const unsigned char *key; - size_t len; - - switch (type) { - - case EVP_PKEY_CTRL_MD: - /* ignore */ - break; - - case EVP_PKEY_CTRL_SET_MAC_KEY: - case EVP_PKEY_CTRL_DIGESTINIT: - if (type == EVP_PKEY_CTRL_SET_MAC_KEY) { - /* user explicitly setting the key */ - key = p2; - len = p1; - } else { - /* user indirectly setting the key via EVP_DigestSignInit */ - key = EVP_PKEY_get0_poly1305(EVP_PKEY_CTX_get0_pkey(ctx), &len); - } - if (key == NULL || len != POLY1305_KEY_SIZE || - !ASN1_OCTET_STRING_set(&pctx->ktmp, key, len)) - return 0; - Poly1305_Init(&pctx->ctx, ASN1_STRING_get0_data(&pctx->ktmp)); - break; - - default: - return -2; - - } - return 1; -} - -static int pkey_poly1305_ctrl_str(EVP_PKEY_CTX *ctx, - const char *type, const char *value) -{ - if (value == NULL) - return 0; - if (strcmp(type, "key") == 0) - return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_SET_MAC_KEY, value); - if (strcmp(type, "hexkey") == 0) - return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_SET_MAC_KEY, value); - return -2; -} - -const EVP_PKEY_METHOD poly1305_pkey_meth = { - EVP_PKEY_POLY1305, - EVP_PKEY_FLAG_SIGCTX_CUSTOM, /* we don't deal with a separate MD */ - pkey_poly1305_init, - pkey_poly1305_copy, - pkey_poly1305_cleanup, - - 0, 0, - - 0, - pkey_poly1305_keygen, - - 0, 0, - - 0, 0, - - 0, 0, - - poly1305_signctx_init, - poly1305_signctx, - - 0, 0, - - 0, 0, - - 0, 0, - - 0, 0, - - pkey_poly1305_ctrl, - pkey_poly1305_ctrl_str -}; diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod index 473d6c9..cc0d543 100644 --- a/doc/man3/EVP_MAC.pod +++ b/doc/man3/EVP_MAC.pod @@ -335,7 +335,8 @@ F<./foo>) L, L, L, -L +L, +L =head1 COPYRIGHT diff --git a/doc/man7/EVP_MAC_SIPHASH.pod b/doc/man7/EVP_MAC_POLY1305.pod similarity index 73% copy from doc/man7/EVP_MAC_SIPHASH.pod copy to doc/man7/EVP_MAC_POLY1305.pod index 0d1349f..d25e1d5 100644 --- a/doc/man7/EVP_MAC_SIPHASH.pod +++ b/doc/man7/EVP_MAC_POLY1305.pod @@ -2,15 +2,15 @@ =head1 NAME -EVP_MAC_SIPHASH - The SipHash EVP_MAC implementation +EVP_MAC_POLY1305 - The Poly1305 EVP_MAC implementation =head1 DESCRIPTION -Support for computing SipHash MACs through the B API. +Support for computing Poly1305 MACs through the B API. =head2 Numeric identity -B is the numeric identity for this implementation, +B is the numeric identity for this implementation, and can be used in functions like EVP_MAC_CTX_new_id() and EVP_get_macbynid(). @@ -20,12 +20,6 @@ The supported controls are: =over 4 -=item B - -EVP_MAC_ctrl_str() type string: "digestsize" - -The value string is expected to contain a decimal number. - =item B EVP_MAC_ctrl_str() takes two type strings for this control: diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 79845aa..6661e2e 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -991,6 +991,7 @@ void EVP_MD_do_all_sorted(void (*fn) # define EVP_MAC_GMAC NID_gmac # define EVP_MAC_HMAC NID_hmac # define EVP_MAC_SIPHASH NID_siphash +# define EVP_MAC_POLY1305 NID_poly1305 EVP_MAC_CTX *EVP_MAC_CTX_new(const EVP_MAC *mac); EVP_MAC_CTX *EVP_MAC_CTX_new_id(int nid); diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h index 17b8187..b5064fd 100644 --- a/include/openssl/evperr.h +++ b/include/openssl/evperr.h @@ -120,6 +120,7 @@ int ERR_load_EVP_strings(void); # define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN 180 # define EVP_F_PKEY_MAC_INIT 214 # define EVP_F_PKEY_SET_TYPE 158 +# define EVP_F_POLY1305_CTRL 215 # define EVP_F_RC2_MAGIC_TO_METH 109 # define EVP_F_RC5_CTRL 125 # define EVP_F_S390X_AES_GCM_CTRL 201 diff --git a/test/recipes/30-test_evp_data/evpmac.txt b/test/recipes/30-test_evp_data/evpmac.txt index 82a3507..640e1a1 100644 --- a/test/recipes/30-test_evp_data/evpmac.txt +++ b/test/recipes/30-test_evp_data/evpmac.txt @@ -710,3 +710,23 @@ Input = e33594d7505e43b900000000000000003394d7505e4379cd010000000000000000000000 Key = 0100000000000000040000000000000000000000000000000000000000000000 Output = 13000000000000000000000000000000 +# Here are 4 duplicated cases for Poly1305 by EVP_PKEY +MAC = Poly1305 by EVP_PKEY +Key = 0000000000000000000000000000000000000000000000000000000000000000 +Input = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +Output = 00000000000000000000000000000000 + +MAC = Poly1305 by EVP_PKEY +Key = 0000000000000000000000000000000036e5f6b5c5e06070f0efca96227a863e +Input = 416e79207375626d697373696f6e20746f20746865204945544620696e74656e6465642062792074686520436f6e7472696275746f7220666f72207075626c69636174696f6e20617320616c6c206f722070617274206f6620616e204945544620496e7465726e65742d4472616674206f722052464320616e6420616e792073746174656d656e74206d6164652077697468696e2074686520636f6e74657874206f6620616e204945544620616374697669747920697320636f6e7369646572656420616e20224945544620436f6e747269627574696f6e222e20537563682073746174656d656e747320696e636c756465206f72616c2073746174656d656e747320696e20494554462073657373696f6e732c2061732077656c6c206173207772697474656e20616e6420656c656374726f6e696320636f6d6d756e69636174696f6e73206d61646520617420616e792074696d65206f7220706c6163652c207768696368206172652061646472657373656420746f +Output = 36e5f6b5c5e06070f0efca96227a863e + +MAC = Poly1305 by EVP_PKEY +Key = 36e5f6b5c5e06070f0efca96227a863e00000000000000000000000000000000 +Input = 416e79207375626d697373696f6e20746f20746865204945544620696e74656e6465642062792074686520436f6e7472696275746f7220666f72207075626c69636174696f6e20617320616c6c206f722070617274206f6620616e204945544620496e7465726e65742d4472616674206f722052464320616e6420616e792073746174656d656e74206d6164652077697468696e2074686520636f6e74657874206f6620616e204945544620616374697669747920697320636f6e7369646572656420616e20224945544620436f6e747269627574696f6e222e20537563682073746174656d656e747320696e636c756465206f72616c2073746174656d656e747320696e20494554462073657373696f6e732c2061732077656c6c206173207772697474656e20616e6420656c656374726f6e696320636f6d6d756e69636174696f6e73206d61646520617420616e792074696d65206f7220706c6163652c207768696368206172652061646472657373656420746f +Output = f3477e7cd95417af89a6b8794c310cf0 + +MAC = Poly1305 by EVP_PKEY +Key = 1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0 +Input = 2754776173206272696c6c69672c20616e642074686520736c6974687920746f7665730a446964206779726520616e642067696d626c6520696e2074686520776162653a0a416c6c206d696d737920776572652074686520626f726f676f7665732c0a416e6420746865206d6f6d65207261746873206f757467726162652e +Output = 4541669a7eaaee61e708dc7cbcc5eb62 From builds at travis-ci.org Mon Nov 5 05:27:39 2018 From: builds at travis-ci.org (Travis CI) Date: Mon, 05 Nov 2018 05:27:39 +0000 Subject: [openssl-commits] Broken: openssl/openssl#21514 (master - c1da4b2) In-Reply-To: Message-ID: <5bdfd4cb9c5e6_43ff50b617d18821aa@d30b9b60-8a45-46ff-9d88-7594e293e8c1.mail> Build Update for openssl/openssl ------------------------------------- Build: #21514 Status: Broken Duration: 18 mins and 47 secs Commit: c1da4b2 (master) Author: Paul Yang Message: Add poly1305 MAC support This is based on the latest EVP MAC interface introduced in PR #7393. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7459) View the changeset: https://github.com/openssl/openssl/compare/748099b9e96e...c1da4b2afe62 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/450699692?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From levitte at openssl.org Mon Nov 5 07:13:17 2018 From: levitte at openssl.org (Richard Levitte) Date: Mon, 05 Nov 2018 07:13:17 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541401997.019469.27765.nullmailer@dev.openssl.org> The branch master has been updated via 7b34f0fa5d060409be1fb5165ef29e5a159b1e33 (commit) via 0a37ff4dcaf7da498355dfe9a1672905ac5496a5 (commit) via 21712b2fc1e9ad0fa7ff9d6086b4cc6be6cb76a9 (commit) via 25628ab2ba7ebcf3a897944ede4bbeb3796e162c (commit) via b96ab5e6d0125c7e2a6804d568cb2a732cbf4504 (commit) from c1da4b2afe62644f42f95a8788cd80b0a4925e0c (commit) - Log ----------------------------------------------------------------- commit 7b34f0fa5d060409be1fb5165ef29e5a159b1e33 Author: Richard Levitte Date: Fri Nov 2 13:08:38 2018 +0100 Build: Make it possible to have defines assigned to end products as well This simple fix allows the following construct: PROGRAMS=foo SOURCE[foo]=foo.c bar.c DEFINE[foo]=FOO=1 BAR=0 These will trickle down to the build of object files, so building foo.o and bar.o will be done with these options: -DFOO=1 -DBAR=0 (exact syntax depending on platform, of course) Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7553) commit 0a37ff4dcaf7da498355dfe9a1672905ac5496a5 Author: Richard Levitte Date: Fri Oct 14 17:10:15 2016 +0200 Build: adapt VMS build file template to use the extra macros Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7553) commit 21712b2fc1e9ad0fa7ff9d6086b4cc6be6cb76a9 Author: Richard Levitte Date: Fri Oct 14 17:10:05 2016 +0200 Build: adapt Windows makefile template to use the extra macros Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7553) commit 25628ab2ba7ebcf3a897944ede4bbeb3796e162c Author: Richard Levitte Date: Fri Oct 14 17:09:52 2016 +0200 Build: adapt Unix Makefile template to use the extra macros Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7553) commit b96ab5e6d0125c7e2a6804d568cb2a732cbf4504 Author: Richard Levitte Date: Fri Oct 14 16:56:34 2016 +0200 Build: make it possible to assign macro definitions for specific outputs Sometimes, some specific program or object file might need an extra macro definition of its own. This allows that to be easily done. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7553) ----------------------------------------------------------------------- Summary of changes: Configurations/README | 4 ++++ Configurations/README.design | 7 ++++--- Configurations/common.tmpl | 4 ++++ Configurations/descrip.mms.tmpl | 11 ++++++++++- Configurations/unix-Makefile.tmpl | 10 ++++++---- Configurations/windows-makefile.tmpl | 12 +++++++----- Configure | 31 +++++++++++++++++++++++++++++++ 7 files changed, 66 insertions(+), 13 deletions(-) diff --git a/Configurations/README b/Configurations/README index 9fd4922..1c67f75 100644 --- a/Configurations/README +++ b/Configurations/README @@ -467,6 +467,10 @@ include paths the build of their source files should use: INCLUDE[foo]=include +It's also possible to specify C macros that should be defined: + + DEFINE[foo]=FOO BAR=1 + In some cases, one might want to generate some source files from others, that's done as follows: diff --git a/Configurations/README.design b/Configurations/README.design index 8c50a92..c0b05bd 100644 --- a/Configurations/README.design +++ b/Configurations/README.design @@ -41,9 +41,10 @@ end products. There are variants for them with '_NO_INST' as suffix (PROGRAM_NO_INST etc) to specify end products that shouldn't get installed. -The variables SOURCE, DEPEND and INCLUDE are indexed by a produced -file, and their values are the source used to produce that particular -produced file, extra dependencies, and include directories needed. +The variables SOURCE, DEPEND, INCLUDE and DEFINE are indexed by a +produced file, and their values are the source used to produce that +particular produced file, extra dependencies, include directories +needed, or C macros to be defined. All their values in all the build.info throughout the source tree are collected together and form a set of programs, libraries, engines and diff --git a/Configurations/common.tmpl b/Configurations/common.tmpl index 4a08655..bf440d9 100644 --- a/Configurations/common.tmpl +++ b/Configurations/common.tmpl @@ -85,6 +85,8 @@ deps => $unified_info{depends}->{$src}, incs => [ @{$unified_info{includes}->{$obj}}, @{$unified_info{includes}->{$bin}} ], + defs => [ @{$unified_info{defines}->{$obj}}, + @{$unified_info{defines}->{$bin}} ], %opts); foreach (@{$unified_info{depends}->{$src}}) { dogenerate($_, $obj, $bin, %opts); @@ -107,6 +109,8 @@ deps => $unified_info{depends}->{$obj}, incs => [ @{$unified_info{includes}->{$obj}}, @{$unified_info{includes}->{$bin}} ], + defs => [ @{$unified_info{defines}->{$obj}}, + @{$unified_info{defines}->{$bin}} ], %opts); foreach ((@{$unified_info{sources}->{$obj}}, @{$unified_info{depends}->{$obj}})) { diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 44b22ed..eb0f9c5 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -199,7 +199,8 @@ ASOUTFLAG={- $target{asoutflag} -}$(OSSL_EMPTY) CNF_ASFLAGS={- join('', $target{asflags} || (), @{$config{asflags}}) -} CNF_DEFINES={- our $defines2 = join('', map { ",$_" } @{$target{defines}}, - @{$config{defines}}) -} + @{$config{defines}}, + "'extradefines'") -} CNF_INCLUDES={- our $includes2 = join(',', @{$target{includes}}, @{$config{includes}}) -} CNF_CPPFLAGS={- our $cppflags2 = join('', $target{cppflags} || (), @@ -810,6 +811,7 @@ EOF @{$args{incs}}); my $incs_on = join("\n\t\@ ", @{$incs_cmds[0]}) || '!'; my $incs_off = join("\n\t\@ ", @{$incs_cmds[1]}) || '!'; + my $defs = join("", map { ",".$_ } @{$args{defs}}); if (defined($generator)) { # If the target is named foo.S in build.info, we want to # end up generating foo.s in two steps. @@ -818,8 +820,10 @@ EOF $target : $args{generator}->[0] $deps $generator \$\@-S \@ $incs_on + \@ extradefines = "$defs" PIPE \$(CPP) $cppflags \$\@-S | - \$(PERL) -ne "/^#(\\s*line)?\\s*[0-9]+\\s+""/ or print" > \$\@-i + \@ DELETE/SYMBOL/LOCAL extradefines \@ $incs_off RENAME \$\@-i \$\@ DELETE \$\@-S @@ -834,9 +838,11 @@ EOF return <<"EOF"; $target : $args{generator}->[0] $deps \@ $incs_on + \@ extradefines = "$defs" SHOW SYMBOL qual_includes PIPE \$(CPP) $cppflags $args{generator}->[0] | - \$(PERL) "-ne" "/^#(\\s*line)?\\s*[0-9]+\\s+""/ or print" > \$\@ + \@ DELETE/SYMBOL/LOCAL extradefines \@ $incs_off EOF } @@ -894,6 +900,7 @@ EOF lib => '$(LIB_CPPFLAGS)', dso => '$(DSO_CPPFLAGS)', bin => '$(BIN_CPPFLAGS)' } -> {$args{intent}}; + my $defs = join("", map { ",".$_ } @{$args{defs}}); my @incs_cmds = includes({ shlib => '$(LIB_INCLUDES)', lib => '$(LIB_INCLUDES)', @@ -914,7 +921,9 @@ $obj.OBJ : $deps ${before} SET DEFAULT $forward \@ $incs_on + \@ extradefines = "$defs" \$(CC) ${cflags}${depbuild} /OBJECT=${objd}${objn}.OBJ /REPOSITORY=$backward $srcs + \@ DELETE/SYMBOL/LOCAL extradefines \@ $incs_off SET DEFAULT $backward ${after} diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index f81ebb0..bac56df 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -996,6 +996,7 @@ reconfigure reconf: my $generator = join(" ", @{$args{generator}}); my $generator_incs = join("", map { " -I".$_ } @{$args{generator_incs}}); my $incs = join("", map { " -I".$_ } @{$args{incs}}); + my $defs = join("", map { " -D".$_ } @{$args{defs}}); my $deps = join(" ", @{$args{generator_deps}}, @{$args{deps}}); if ($args{src} =~ /\.ld$/) { @@ -1049,7 +1050,7 @@ EOF } return <<"EOF"; $args{src}: $args{generator}->[0] $deps - \$(CC) $incs $cppflags -E $args{generator}->[0] | \\ + \$(CC) $incs $cppflags $defs -E $args{generator}->[0] | \\ \$(PERL) -ne '/^#(line)?\\s*[0-9]+/ or print' > \$@ EOF } @@ -1065,6 +1066,7 @@ EOF my $srcs = join(" ", @srcs); my $deps = join(" ", @srcs, @{$args{deps}}); my $incs = join("", map { " -I".$_ } @{$args{incs}}); + my $defs = join("", map { " -D".$_ } @{$args{defs}}); my $cmd; my $cmdflags; my $cmdcompile; @@ -1106,13 +1108,13 @@ EOF # hardly a point to drag it along... $recipe .= <<"EOF"; $obj$objext: $deps - $cmd $incs $cmdflags -c -o \$\@ $srcs + $cmd $incs $defs $cmdflags -c -o \$\@ $srcs EOF } elsif (defined $makedepprog && $makedepprog !~ /\/makedepend/ && !grep /\.rc$/, @srcs) { $recipe .= <<"EOF"; $obj$objext: $deps - $cmd $incs $cmdflags -MMD -MF $obj$depext.tmp -MT \$\@ -c -o \$\@ $srcs + $cmd $incs $defs $cmdflags -MMD -MF $obj$depext.tmp -MT \$\@ -c -o \$\@ $srcs \@touch $obj$depext.tmp \@if cmp $obj$depext.tmp $obj$depext > /dev/null 2> /dev/null; then \\ rm -f $obj$depext.tmp; \\ @@ -1123,7 +1125,7 @@ EOF } else { $recipe .= <<"EOF"; $obj$objext: $deps - $cmd $incs $cmdflags $cmdcompile -o \$\@ $srcs + $cmd $incs $defs $cmdflags $cmdcompile -o \$\@ $srcs EOF if (defined $makedepprog && $makedepprog =~ /\/makedepend/) { $recipe .= <<"EOF"; diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index 6344d18..45c9280 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl @@ -501,6 +501,7 @@ reconfigure reconf: my $generator = '"'.$gen0.'"'.join('', map { " $_" } @gens); my $generator_incs = join("", map { " -I \"$_\"" } @{$args{generator_incs}}); my $incs = join("", map { " /I \"$_\"" } @{$args{incs}}); + my $defs = join("", map { " /D".$_ } @{$args{defs}}); my $deps = @{$args{deps}} ? '"'.join('" "', @{$args{generator_deps}}, @{$args{deps}}).'"' : ''; @@ -558,7 +559,7 @@ EOF $target: "$args{generator}->[0]" $deps set ASM=\$(AS) $generator \$@.S - \$(CPP) $cppflags \$@.S > \$@.i && move /Y \$@.i \$@ + \$(CPP) $cppflags $defs \$@.S > \$@.i && move /Y \$@.i \$@ del /Q \$@.S EOF } @@ -571,7 +572,7 @@ EOF } return <<"EOF"; $target: "$args{generator}->[0]" $deps - \$(CPP) $incs $cppflags "$args{generator}->[0]" > \$@.i && move /Y \$@.i \$@ + \$(CPP) $incs $cppflags $defs "$args{generator}->[0]" > \$@.i && move /Y \$@.i \$@ EOF } } @@ -583,6 +584,7 @@ EOF my $srcs = '"'.join('" "', @srcs).'"'; my $deps = '"'.join('" "', @srcs, @{$args{deps}}).'"'; my $incs = join("", map { ' /I "'.$_.'"' } @{$args{incs}}); + my $defs = join("", map { " /D".$_ } @{$args{defs}}); my $cflags = { shlib => ' $(LIB_CFLAGS)', lib => ' $(LIB_CFLAGS)', dso => ' $(DSO_CFLAGS)', @@ -612,15 +614,15 @@ EOF } elsif ($srcs[0] =~ /.S$/) { return <<"EOF"; $obj$objext: $deps - \$(CC) /EP /D__ASSEMBLER__ $cflags $srcs > \$@.asm && \$(AS) $asflags \$(ASOUTFLAG)\$\@ \$@.asm + \$(CC) /EP /D__ASSEMBLER__ $cflags $defs $srcs > \$@.asm && \$(AS) $asflags \$(ASOUTFLAG)\$\@ \$@.asm EOF } my $recipe = <<"EOF"; $obj$objext: $deps - \$(CC) $cflags -c \$(COUTFLAG)\$\@ $srcs + \$(CC) $cflags $defs -c \$(COUTFLAG)\$\@ $srcs EOF $recipe .= <<"EOF" unless $disabled{makedepend}; - \$(CC) $cflags /Zs /showIncludes $srcs 2>&1 > $obj$depext + \$(CC) $cflags $defs /Zs /showIncludes $srcs 2>&1 > $obj$depext EOF return $recipe; } diff --git a/Configure b/Configure index 53d5549..094898c 100755 --- a/Configure +++ b/Configure @@ -1722,6 +1722,7 @@ if ($builder eq "unified") { my %sources = (); my %shared_sources = (); my %includes = (); + my %defines = (); my %depends = (); my %renames = (); my %sharednames = (); @@ -1837,6 +1838,9 @@ if ($builder eq "unified") { qr/^\s*INCLUDE\[((?:\\.|[^\\\]])+)\]\s*=\s*(.*)\s*$/ => sub { push @{$includes{$1}}, tokenize($2) if !@skip || $skip[$#skip] > 0 }, + qr/^\s*DEFINE\[((?:\\.|[^\\\]])+)\]\s*=\s*(.*)\s*$/ + => sub { push @{$defines{$1}}, tokenize($2) + if !@skip || $skip[$#skip] > 0 }, qr/^\s*DEPEND\[((?:\\.|[^\\\]])*)\]\s*=\s*(.*)\s*$/ => sub { push @{$depends{$1}}, tokenize($2) if !@skip || $skip[$#skip] > 0 }, @@ -2169,6 +2173,27 @@ EOF unless grep { $_ eq $ib } @{$unified_info{includes}->{$ddest}->{build}}; } } + + foreach (keys %defines) { + my $dest = $_; + my $ddest = cleanfile($sourced, $_, $blddir); + + # If the destination doesn't exist in source, it can only be + # a generated file in the build tree. + if (! -f $ddest) { + $ddest = cleanfile($buildd, $_, $blddir); + if ($unified_info{rename}->{$ddest}) { + $ddest = $unified_info{rename}->{$ddest}; + } + } + foreach (@{$defines{$dest}}) { + m|^([^=]*)(=.*)?$|; + die "0 length macro name not permitted\n" if $1 eq ""; + die "$1 defined more than once\n" + if defined $unified_info{defines}->{$ddest}->{$1}; + $unified_info{defines}->{$ddest}->{$1} = $2; + } + } } my $ordinals_text = join(', ', sort keys %ordinals); @@ -2311,6 +2336,12 @@ EOF } } } + # Defines + foreach my $dest (sort keys %{$unified_info{defines}}) { + $unified_info{defines}->{$dest} + = [ map { $_.$unified_info{defines}->{$dest}->{$_} } + sort keys %{$unified_info{defines}->{$dest}} ]; + } # Includes foreach my $dest (sort keys %{$unified_info{includes}}) { if (defined($unified_info{includes}->{$dest}->{build})) { From builds at travis-ci.org Mon Nov 5 07:31:43 2018 From: builds at travis-ci.org (Travis CI) Date: Mon, 05 Nov 2018 07:31:43 +0000 Subject: [openssl-commits] Still Failing: openssl/openssl#21515 (master - 7b34f0f) In-Reply-To: Message-ID: <5bdff1df490ba_43fb84c917a3c456ee@8b776a57-08a8-40ae-8d11-1206e5e43201.mail> Build Update for openssl/openssl ------------------------------------- Build: #21515 Status: Still Failing Duration: 8 mins and 48 secs Commit: 7b34f0f (master) Author: Richard Levitte Message: Build: Make it possible to have defines assigned to end products as well This simple fix allows the following construct: PROGRAMS=foo SOURCE[foo]=foo.c bar.c DEFINE[foo]=FOO=1 BAR=0 These will trickle down to the build of object files, so building foo.o and bar.o will be done with these options: -DFOO=1 -DBAR=0 (exact syntax depending on platform, of course) Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7553) View the changeset: https://github.com/openssl/openssl/compare/c1da4b2afe62...7b34f0fa5d06 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/450723237?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From levitte at openssl.org Mon Nov 5 08:33:51 2018 From: levitte at openssl.org (Richard Levitte) Date: Mon, 05 Nov 2018 08:33:51 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541406831.013816.7007.nullmailer@dev.openssl.org> The branch master has been updated via 75d47db49d41176d1f9a363f80e5a45e834563b8 (commit) via e0bf7c0181dbf17323dbd38dfd485970150c5244 (commit) via 9654924f587bd9cd72046607f54a76c679161d26 (commit) via 7f73eafe2f5014ce1f915702c19ee7274e6b8c2d (commit) from 7b34f0fa5d060409be1fb5165ef29e5a159b1e33 (commit) - Log ----------------------------------------------------------------- commit 75d47db49d41176d1f9a363f80e5a45e834563b8 Author: Richard Levitte Date: Sat Nov 3 18:38:04 2018 +0100 Simplify the processing of skipped source directories We kept a number of arrays of directory names to keep track of exactly which directories to look for build.info. Some of these had the extra function to hold the directories to actually build. With the added SUBDIRS keyword, these arrays are no longer needed. The logic for skipping certain directories needs to be kept, though. That is now very much simplified, and is made opportunistic. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7558) commit e0bf7c0181dbf17323dbd38dfd485970150c5244 Author: Richard Levitte Date: Sat Nov 3 18:34:09 2018 +0100 Collapse different classes of macro databases We have $config{openssl_algorithm_defines}, $config{openssl_other_defines} and $config{openssl_thread_defines}. These are treated exactly the same in include/openssl/opensslconf.h.in, so having them separated into three different databases isn't necessary, the reason for the separation being long gone. Therefore, we collapse them into one and the same, $config{openssl_feature_defines}. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7558) commit 9654924f587bd9cd72046607f54a76c679161d26 Author: Richard Levitte Date: Sat Nov 3 18:26:35 2018 +0100 Add SUBDIRS settings in relevant build.info files Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7558) commit 7f73eafe2f5014ce1f915702c19ee7274e6b8c2d Author: Richard Levitte Date: Sat Nov 3 15:03:59 2018 +0100 Build: make it possibly to specify subdirs in build.info This adds a keyword SUBDIRS for build.info, to be used like this: SUBDIRS=foo bar This tells Configure that it should look for 'build.info' in the relative subdirectories 'foo' and 'bar' as well. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7558) ----------------------------------------------------------------------- Summary of changes: CHANGES | 5 ++ Configurations/README | 8 ++- Configure | 114 +++++++++++++++++---------------------- build.info | 4 ++ crypto/build.info | 9 ++++ include/openssl/opensslconf.h.in | 18 +------ test/build.info | 1 + 7 files changed, 76 insertions(+), 83 deletions(-) diff --git a/CHANGES b/CHANGES index de10744..163dd98 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,11 @@ Changes between 1.1.1 and 1.1.2 [xx XXX xxxx] + *) Instead of having the source directories listed in Configure, add + a 'build.info' keyword SUBDIRS to indicate what sub-directories to + look into. + [Richard Levitte] + *) Add GMAC to EVP_MAC. [Paul Dale] diff --git a/Configurations/README b/Configurations/README index 1c67f75..10463aa 100644 --- a/Configurations/README +++ b/Configurations/README @@ -400,7 +400,13 @@ $sourcedir and $builddir, which are the locations of the source directory for the current build.info file and the corresponding build directory, all relative to the top of the build tree. -To begin with, things to be built are declared by setting specific +'Configure' only knows inherently about the top build.info file. For +any other directory that has one, further directories to look into +must be indicated like this: + + SUBDIRS=something someelse + +On to things to be built; they are declared by setting specific variables: PROGRAMS=foo bar diff --git a/Configure b/Configure index 094898c..94e48b4 100755 --- a/Configure +++ b/Configure @@ -15,7 +15,7 @@ use Config; use FindBin; use lib "$FindBin::Bin/util/perl"; use File::Basename; -use File::Spec::Functions qw/:DEFAULT abs2rel rel2abs/; +use File::Spec::Functions qw/:DEFAULT abs2rel rel2abs splitdir/; use File::Path qw/mkpath/; use OpenSSL::Glob; @@ -298,21 +298,6 @@ $config{libdir}=""; my $auto_threads=1; # enable threads automatically? true by default my $default_ranlib; -# Top level directories to build -$config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "util", "tools", "fuzz" ]; -# crypto/ subdirectories to build -$config{sdirs} = [ - "objects", - "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash", "sm3", - "des", "aes", "rc2", "rc4", "rc5", "idea", "aria", "bf", "cast", "camellia", "seed", "sm4", "chacha", "modes", - "bn", "ec", "rsa", "dsa", "dh", "sm2", "dso", "engine", - "buffer", "bio", "stack", "lhash", "rand", "err", - "evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui", - "cms", "ts", "srp", "gmac", "cmac", "ct", "async", "kdf", "store" - ]; -# test/ subdirectories to build -$config{tdirs} = [ "ossl_shim" ]; - # Known TLS and DTLS protocols my @tls = qw(ssl3 tls1 tls1_1 tls1_2 tls1_3); my @dtls = qw(dtls1 dtls1_2); @@ -606,10 +591,8 @@ $config{lflags} = [ env('__CNF_LDFLAGS') || () ]; $config{ex_libs} = [ env('__CNF_LDLIBS') || () ]; $config{openssl_api_defines}=[]; -$config{openssl_algorithm_defines}=[]; -$config{openssl_thread_defines}=[]; $config{openssl_sys_defines}=[]; -$config{openssl_other_defines}=[]; +$config{openssl_feature_defines}=[]; $config{options}=""; $config{build_type} = "release"; my $target=""; @@ -1027,7 +1010,7 @@ INSTALL instructions and the RAND_DRBG(7) manual page for more details. _____ } -push @{$config{openssl_other_defines}}, +push @{$config{openssl_feature_defines}}, map { (my $x = $_) =~ tr|[\-a-z]|[_A-Z]|; "OPENSSL_RAND_SEED_$x" } @seed_sources; @@ -1173,6 +1156,19 @@ foreach (keys %user) { # Allow overriding the build file name $config{build_file} = env('BUILDFILE') || $target{build_file} || "Makefile"; +###################################################################### +# Build up information for skipping certain directories depending on disabled +# features, as well as setting up macros for disabled features. + +# This is a tentative database of directories to skip. Some entries may not +# correspond to anything real, but that's ok, they will simply be ignored. +# The actual processing of these entries is done in the build.info lookup +# loop further down. +# +# The key is a Unix formated path in the source tree, the value is an index +# into %disabled_info, so any existing path gets added to a corresponding +# 'skipped' entry in there with the list of skipped directories. +my %skipdir = (); my %disabled_info = (); # For configdata.pm foreach my $what (sort keys %disabled) { $config{options} .= " no-$what"; @@ -1181,32 +1177,18 @@ foreach my $what (sort keys %disabled) { 'dynamic-engine', 'makedepend', 'zlib-dynamic', 'zlib', 'sse2' )) { (my $WHAT = uc $what) =~ s|-|_|g; - - # Fix up C macro end names - $WHAT = "RMD160" if $what eq "ripemd"; + my $skipdir = $what; # fix-up crypto/directory name(s) - $what = "ripemd" if $what eq "rmd160"; - $what = "whrlpool" if $what eq "whirlpool"; + $skipdir = "ripemd" if $what eq "rmd160"; + $skipdir = "whrlpool" if $what eq "whirlpool"; my $macro = $disabled_info{$what}->{macro} = "OPENSSL_NO_$WHAT"; + push @{$config{openssl_feature_defines}}, $macro; - if ((grep { $what eq $_ } @{$config{sdirs}}) - && $what ne 'async' && $what ne 'err') { - @{$config{sdirs}} = grep { $what ne $_} @{$config{sdirs}}; - $disabled_info{$what}->{skipped} = [ catdir('crypto', $what) ]; - - if ($what ne 'engine') { - push @{$config{openssl_algorithm_defines}}, $macro; - } else { - @{$config{dirs}} = grep !/^engines$/, @{$config{dirs}}; - push @{$disabled_info{engine}->{skipped}}, catdir('engines'); - push @{$config{openssl_other_defines}}, $macro; - } - } else { - push @{$config{openssl_other_defines}}, $macro; - } - + $skipdir{engines} = $what if $what eq 'engine'; + $skipdir{"crypto/$skipdir"} = $what + unless $what eq 'async' || $what eq 'err'; } } @@ -1284,7 +1266,7 @@ unless ($disabled{threads}) { # If threads still aren't disabled, add a C macro to ensure the source # code knows about it. Any other flag is taken care of by the configs. unless($disabled{threads}) { - push @{$config{openssl_thread_defines}}, "OPENSSL_THREADS"; + push @{$config{openssl_feature_defines}}, "OPENSSL_THREADS"; } # With "deprecated" disable all deprecated features. @@ -1303,10 +1285,10 @@ if ($target{shared_target} eq "") } if ($disabled{"dynamic-engine"}) { - push @{$config{openssl_other_defines}}, "OPENSSL_NO_DYNAMIC_ENGINE"; + push @{$config{openssl_feature_defines}}, "OPENSSL_NO_DYNAMIC_ENGINE"; $config{dynamic_engines} = 0; } else { - push @{$config{openssl_other_defines}}, "OPENSSL_NO_STATIC_ENGINE"; + push @{$config{openssl_feature_defines}}, "OPENSSL_NO_STATIC_ENGINE"; $config{dynamic_engines} = 1; } @@ -1576,7 +1558,7 @@ unless ($disabled{afalgeng}) { } } -push @{$config{openssl_other_defines}}, "OPENSSL_NO_AFALGENG" if ($disabled{afalgeng}); +push @{$config{openssl_feature_defines}}, "OPENSSL_NO_AFALGENG" if ($disabled{afalgeng}); # Finish up %config by appending things the user gave us on the command line # apart from "make variables" @@ -1677,34 +1659,26 @@ if ($builder eq "unified") { cleanfile($srcdir, catfile("Configurations", "common.tmpl"), $blddir) ]; - my @build_infos = ( [ ".", "build.info" ] ); - foreach (@{$config{dirs}}) { - push @build_infos, [ $_, "build.info" ] - if (-f catfile($srcdir, $_, "build.info")); - } - foreach (@{$config{sdirs}}) { - push @build_infos, [ catdir("crypto", $_), "build.info" ] - if (-f catfile($srcdir, "crypto", $_, "build.info")); - } - foreach (@{$config{engdirs}}) { - push @build_infos, [ catdir("engines", $_), "build.info" ] - if (-f catfile($srcdir, "engines", $_, "build.info")); - } - foreach (@{$config{tdirs}}) { - push @build_infos, [ catdir("test", $_), "build.info" ] - if (-f catfile($srcdir, "test", $_, "build.info")); - } + my @build_dirs = ( [ ] ); # current directory $config{build_infos} = [ ]; my %ordinals = (); - foreach (@build_infos) { - my $sourced = catdir($srcdir, $_->[0]); - my $buildd = catdir($blddir, $_->[0]); + while (@build_dirs) { + my @curd = @{shift @build_dirs}; + my $sourced = catdir($srcdir, @curd); + my $buildd = catdir($blddir, @curd); + + my $unixdir = join('/', @curd); + if (exists $skipdir{$unixdir}) { + my $what = $skipdir{$unixdir}; + push @{$disabled_info{$what}->{skipped}}, catdir(@curd); + next; + } mkpath($buildd); - my $f = $_->[1]; + my $f = 'build.info'; # The basic things we're trying to build my @programs = (); my @programs_install = (); @@ -1783,6 +1757,14 @@ if ($builder eq "unified") { qr/^\s*ENDIF\s*$/ => sub { die "ENDIF out of scope" if ! @skip; pop @skip; }, + qr/^\s*SUBDIRS\s*=\s*(.*)\s*$/ + => sub { + if (!@skip || $skip[$#skip] > 0) { + foreach (tokenize($1)) { + push @build_dirs, [ @curd, splitdir($_, 1) ]; + } + } + }, qr/^\s*PROGRAMS(_NO_INST)?\s*=\s*(.*)\s*$/ => sub { if (!@skip || $skip[$#skip] > 0) { diff --git a/build.info b/build.info index ceb250f..53629c4 100644 --- a/build.info +++ b/build.info @@ -1,3 +1,7 @@ +# Note that some of these directories are filtered in Configure. Look for +# %skipdir there for further explanations. +SUBDIRS=crypto ssl apps test util tools fuzz engines + {- use File::Spec::Functions; diff --git a/crypto/build.info b/crypto/build.info index 2c619c6..a8b2497 100644 --- a/crypto/build.info +++ b/crypto/build.info @@ -1,3 +1,12 @@ +# Note that these directories are filtered in Configure. Look for %skipdir +# there for further explanations. +SUBDIRS=objects buffer bio stack lhash rand evp asn1 pem x509 x509v3 conf \ + txt_db pkcs7 pkcs12 ui kdf store \ + md2 md4 md5 sha mdc2 hmac ripemd whrlpool poly1305 blake2 \ + siphash sm3 des aes rc2 rc4 rc5 idea aria bf cast camellia \ + seed sm4 chacha modes bn ec rsa dsa dh sm2 dso engine \ + err comp ocsp cms ts srp cmac ct async + LIBS=../libcrypto SOURCE[../libcrypto]=\ cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c cpt_err.c \ diff --git a/include/openssl/opensslconf.h.in b/include/openssl/opensslconf.h.in index bc98cad..41d1264 100644 --- a/include/openssl/opensslconf.h.in +++ b/include/openssl/opensslconf.h.in @@ -34,22 +34,8 @@ extern "C" { (my $macro, my $value) = $_ =~ /^(.*?)=(.*?)$/; $OUT .= "#define $macro $value\n"; } - if (@{$config{openssl_algorithm_defines}}) { - foreach (@{$config{openssl_algorithm_defines}}) { - $OUT .= "#ifndef $_\n"; - $OUT .= "# define $_\n"; - $OUT .= "#endif\n"; - } - } - if (@{$config{openssl_thread_defines}}) { - foreach (@{$config{openssl_thread_defines}}) { - $OUT .= "#ifndef $_\n"; - $OUT .= "# define $_\n"; - $OUT .= "#endif\n"; - } - } - if (@{$config{openssl_other_defines}}) { - foreach (@{$config{openssl_other_defines}}) { + if (@{$config{openssl_feature_defines}}) { + foreach (@{$config{openssl_feature_defines}}) { $OUT .= "#ifndef $_\n"; $OUT .= "# define $_\n"; $OUT .= "#endif\n"; diff --git a/test/build.info b/test/build.info index 4d3ea5d..d2acbed 100644 --- a/test/build.info +++ b/test/build.info @@ -1,3 +1,4 @@ +SUBDIRS=ossl_shim {- use File::Spec::Functions; sub rebase_files From no-reply at appveyor.com Mon Nov 5 08:47:36 2018 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 05 Nov 2018 08:47:36 +0000 Subject: [openssl-commits] Build failed: openssl master.20789 Message-ID: <20181105084736.1.8D31BBF62B6886BE@appveyor.com> An HTML attachment was scrubbed... URL: From builds at travis-ci.org Mon Nov 5 08:56:48 2018 From: builds at travis-ci.org (Travis CI) Date: Mon, 05 Nov 2018 08:56:48 +0000 Subject: [openssl-commits] Still Failing: openssl/openssl#21516 (master - 75d47db) In-Reply-To: Message-ID: <5be005d07dc25_43fa0010a9688112136@ff19c5ec-9e60-4b12-ab2f-c9549471ae4e.mail> Build Update for openssl/openssl ------------------------------------- Build: #21516 Status: Still Failing Duration: 7 mins and 19 secs Commit: 75d47db (master) Author: Richard Levitte Message: Simplify the processing of skipped source directories We kept a number of arrays of directory names to keep track of exactly which directories to look for build.info. Some of these had the extra function to hold the directories to actually build. With the added SUBDIRS keyword, these arrays are no longer needed. The logic for skipping certain directories needs to be kept, though. That is now very much simplified, and is made opportunistic. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7558) View the changeset: https://github.com/openssl/openssl/compare/7b34f0fa5d06...75d47db49d41 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/450746371?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Nov 5 10:45:58 2018 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 05 Nov 2018 10:45:58 +0000 Subject: [openssl-commits] Build failed: openssl master.20790 Message-ID: <20181105104558.1.B236F38B19FB60F4@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Nov 5 11:14:43 2018 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 05 Nov 2018 11:14:43 +0000 Subject: [openssl-commits] Build failed: openssl master.20791 Message-ID: <20181105111443.1.0144EF5414854636@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Nov 5 15:30:11 2018 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 05 Nov 2018 15:30:11 +0000 Subject: [openssl-commits] Build failed: openssl master.20792 Message-ID: <20181105153011.1.59256EAC94543EC4@appveyor.com> An HTML attachment was scrubbed... URL: From yang.yang at baishancloud.com Mon Nov 5 16:08:06 2018 From: yang.yang at baishancloud.com (yang.yang at baishancloud.com) Date: Mon, 05 Nov 2018 16:08:06 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541434086.640230.951.nullmailer@dev.openssl.org> The branch master has been updated via 41eac6122a9db8ef29ed6115c20f2de4c9232b9b (commit) from 75d47db49d41176d1f9a363f80e5a45e834563b8 (commit) - Log ----------------------------------------------------------------- commit 41eac6122a9db8ef29ed6115c20f2de4c9232b9b Author: Paul Yang Date: Mon Nov 5 23:08:34 2018 +0800 Fix a collision in function err numbers 'make update' complains about this Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7571) ----------------------------------------------------------------------- Summary of changes: crypto/err/openssl.txt | 2 +- include/openssl/evperr.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index b5a441a..49e4875 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -810,7 +810,7 @@ EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen EVP_F_PKEY_MAC_INIT:214:pkey_mac_init EVP_F_PKEY_SET_TYPE:158:pkey_set_type -EVP_F_POLY1305_CTRL:215:poly1305_ctrl +EVP_F_POLY1305_CTRL:216:poly1305_ctrl EVP_F_RC2_MAGIC_TO_METH:109:rc2_magic_to_meth EVP_F_RC5_CTRL:125:rc5_ctrl EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h index b5064fd..fff78cc 100644 --- a/include/openssl/evperr.h +++ b/include/openssl/evperr.h @@ -120,7 +120,7 @@ int ERR_load_EVP_strings(void); # define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN 180 # define EVP_F_PKEY_MAC_INIT 214 # define EVP_F_PKEY_SET_TYPE 158 -# define EVP_F_POLY1305_CTRL 215 +# define EVP_F_POLY1305_CTRL 216 # define EVP_F_RC2_MAGIC_TO_METH 109 # define EVP_F_RC5_CTRL 125 # define EVP_F_S390X_AES_GCM_CTRL 201 From levitte at openssl.org Mon Nov 5 16:09:14 2018 From: levitte at openssl.org (Richard Levitte) Date: Mon, 05 Nov 2018 16:09:14 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541434154.357707.2011.nullmailer@dev.openssl.org> The branch master has been updated via 93689797a4f4c0ad040f83f264deecbda5df2031 (commit) from 41eac6122a9db8ef29ed6115c20f2de4c9232b9b (commit) - Log ----------------------------------------------------------------- commit 93689797a4f4c0ad040f83f264deecbda5df2031 Author: Richard Levitte Date: Mon Nov 5 16:52:46 2018 +0100 GMAC: Add subdir info in crypto/build.info for this to build Reviewed-by: Paul Yang (Merged from https://github.com/openssl/openssl/pull/@7572) ----------------------------------------------------------------------- Summary of changes: crypto/build.info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/build.info b/crypto/build.info index a8b2497..75739c0 100644 --- a/crypto/build.info +++ b/crypto/build.info @@ -2,7 +2,7 @@ # there for further explanations. SUBDIRS=objects buffer bio stack lhash rand evp asn1 pem x509 x509v3 conf \ txt_db pkcs7 pkcs12 ui kdf store \ - md2 md4 md5 sha mdc2 hmac ripemd whrlpool poly1305 blake2 \ + md2 md4 md5 sha mdc2 gmac hmac ripemd whrlpool poly1305 blake2 \ siphash sm3 des aes rc2 rc4 rc5 idea aria bf cast camellia \ seed sm4 chacha modes bn ec rsa dsa dh sm2 dso engine \ err comp ocsp cms ts srp cmac ct async From builds at travis-ci.org Mon Nov 5 16:24:31 2018 From: builds at travis-ci.org (Travis CI) Date: Mon, 05 Nov 2018 16:24:31 +0000 Subject: [openssl-commits] Still Failing: openssl/openssl#21521 (master - 41eac61) In-Reply-To: Message-ID: <5be06ebfe443_43ff61a1475e42888ac@97308e02-ff38-40c3-b2ee-8945ae9f674d.mail> Build Update for openssl/openssl ------------------------------------- Build: #21521 Status: Still Failing Duration: 6 mins and 43 secs Commit: 41eac61 (master) Author: Paul Yang Message: Fix a collision in function err numbers 'make update' complains about this Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7571) View the changeset: https://github.com/openssl/openssl/compare/75d47db49d41...41eac6122a9d View the full build log and details: https://travis-ci.org/openssl/openssl/builds/450939277?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From builds at travis-ci.org Mon Nov 5 16:34:42 2018 From: builds at travis-ci.org (Travis CI) Date: Mon, 05 Nov 2018 16:34:42 +0000 Subject: [openssl-commits] Fixed: openssl/openssl#21522 (master - 9368979) In-Reply-To: Message-ID: <5be07122ecd2_43fe59a629d9029816a@566e59c1-3b4e-4b18-8e01-3332ef7a192e.mail> Build Update for openssl/openssl ------------------------------------- Build: #21522 Status: Fixed Duration: 22 mins and 41 secs Commit: 9368979 (master) Author: Richard Levitte Message: GMAC: Add subdir info in crypto/build.info for this to build Reviewed-by: Paul Yang (Merged from https://github.com/openssl/openssl/pull/@7572) View the changeset: https://github.com/openssl/openssl/compare/41eac6122a9d...93689797a4f4 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/450939780?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From pauli at openssl.org Mon Nov 5 21:04:59 2018 From: pauli at openssl.org (Paul I. Dale) Date: Mon, 05 Nov 2018 21:04:59 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541451899.871229.3560.nullmailer@dev.openssl.org> The branch master has been updated via 38cfa99122f5c34b25e1671639be4446d0fa2b15 (commit) from 93689797a4f4c0ad040f83f264deecbda5df2031 (commit) - Log ----------------------------------------------------------------- commit 38cfa99122f5c34b25e1671639be4446d0fa2b15 Author: Pauli Date: Mon Nov 5 14:30:37 2018 +1000 EVP_MAC ctrl numbering duplicate removal. Both EVP_MAC_CTRL_SET_MD and EVP_MAC_CTRL_SET_CIPHER were numbered 4. This would preclude any future MAC from using both. Reviewed-by: Richard Levitte Reviewed-by: Paul Yang (Merged from https://github.com/openssl/openssl/pull/7566) ----------------------------------------------------------------------- Summary of changes: include/openssl/evp.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 6661e2e..e803fa8 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1024,9 +1024,9 @@ void EVP_MAC_do_all_sorted(void (*fn) # define EVP_MAC_CTRL_SET_FLAGS 0x02 /* unsigned long */ # define EVP_MAC_CTRL_SET_ENGINE 0x03 /* ENGINE * */ # define EVP_MAC_CTRL_SET_MD 0x04 /* EVP_MD * */ -# define EVP_MAC_CTRL_SET_CIPHER 0x04 /* EVP_CIPHER * */ -# define EVP_MAC_CTRL_SET_SIZE 0x05 /* size_t */ -# define EVP_MAC_CTRL_SET_IV 0x06 /* unsigned char *, size_t */ +# define EVP_MAC_CTRL_SET_CIPHER 0x05 /* EVP_CIPHER * */ +# define EVP_MAC_CTRL_SET_SIZE 0x06 /* size_t */ +# define EVP_MAC_CTRL_SET_IV 0x07 /* unsigned char *, size_t */ /* PKEY stuff */ int EVP_PKEY_decrypt_old(unsigned char *dec_key, From pauli at openssl.org Mon Nov 5 21:07:41 2018 From: pauli at openssl.org (Paul I. Dale) Date: Mon, 05 Nov 2018 21:07:41 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541452061.881484.4820.nullmailer@dev.openssl.org> The branch master has been updated via 2087028612027368e9508e1b253aab715a5a35d6 (commit) via e931f370aa38d8645b35fb8d6260cb44d37b6b61 (commit) from 38cfa99122f5c34b25e1671639be4446d0fa2b15 (commit) - Log ----------------------------------------------------------------- commit 2087028612027368e9508e1b253aab715a5a35d6 Author: Pauli Date: Tue Nov 6 07:06:25 2018 +1000 Fix return formatting. Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7564) commit e931f370aa38d8645b35fb8d6260cb44d37b6b61 Author: Pauli Date: Mon Nov 5 11:04:23 2018 +1000 Cleanse the key log buffer. Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7564) ----------------------------------------------------------------------- Summary of changes: ssl/ssl_lib.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 846b856..e7e8aa9 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -5104,7 +5104,8 @@ static int nss_keylog_int(const char *prefix, size_t i; size_t prefix_len; - if (ssl->ctx->keylog_callback == NULL) return 1; + if (ssl->ctx->keylog_callback == NULL) + return 1; /* * Our output buffer will contain the following strings, rendered with @@ -5115,7 +5116,7 @@ static int nss_keylog_int(const char *prefix, * hexadecimal, so we need a buffer that is twice their lengths. */ prefix_len = strlen(prefix); - out_len = prefix_len + (2*parameter_1_len) + (2*parameter_2_len) + 3; + out_len = prefix_len + (2 * parameter_1_len) + (2 * parameter_2_len) + 3; if ((out = cursor = OPENSSL_malloc(out_len)) == NULL) { SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, SSL_F_NSS_KEYLOG_INT, ERR_R_MALLOC_FAILURE); @@ -5139,7 +5140,7 @@ static int nss_keylog_int(const char *prefix, *cursor = '\0'; ssl->ctx->keylog_callback(ssl, (const char *)out); - OPENSSL_free(out); + OPENSSL_clear_free(out, out_len); return 1; } From pauli at openssl.org Mon Nov 5 21:08:42 2018 From: pauli at openssl.org (Paul I. Dale) Date: Mon, 05 Nov 2018 21:08:42 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541452122.626845.5817.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 030da7436ed0f8feb65d3f0c5fd86f87f5ee2483 (commit) from 33a37a6179bcef6917a28edf7c90a65dcd89ff4a (commit) - Log ----------------------------------------------------------------- commit 030da7436ed0f8feb65d3f0c5fd86f87f5ee2483 Author: Pauli Date: Mon Nov 5 11:04:23 2018 +1000 Cleanse the key log buffer. Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7564) (cherry picked from commit e931f370aa38d8645b35fb8d6260cb44d37b6b61) ----------------------------------------------------------------------- Summary of changes: ssl/ssl_lib.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index ec5b155..96b3ed0 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -5117,7 +5117,7 @@ static int nss_keylog_int(const char *prefix, * hexadecimal, so we need a buffer that is twice their lengths. */ prefix_len = strlen(prefix); - out_len = prefix_len + (2*parameter_1_len) + (2*parameter_2_len) + 3; + out_len = prefix_len + (2 * parameter_1_len) + (2 * parameter_2_len) + 3; if ((out = cursor = OPENSSL_malloc(out_len)) == NULL) { SSLfatal(ssl, SSL_AD_INTERNAL_ERROR, SSL_F_NSS_KEYLOG_INT, ERR_R_MALLOC_FAILURE); @@ -5141,7 +5141,7 @@ static int nss_keylog_int(const char *prefix, *cursor = '\0'; ssl->ctx->keylog_callback(ssl, (const char *)out); - OPENSSL_free(out); + OPENSSL_clear_free(out, out_len); return 1; } From pauli at openssl.org Mon Nov 5 21:09:11 2018 From: pauli at openssl.org (Paul I. Dale) Date: Mon, 05 Nov 2018 21:09:11 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541452151.372081.6701.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 0f316a0c208b90336b171fa05f8eaf4056c5a01d (commit) from 030da7436ed0f8feb65d3f0c5fd86f87f5ee2483 (commit) - Log ----------------------------------------------------------------- commit 0f316a0c208b90336b171fa05f8eaf4056c5a01d Author: Pauli Date: Tue Nov 6 07:06:25 2018 +1000 Fix return formatting. Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7564) (cherry picked from commit 2087028612027368e9508e1b253aab715a5a35d6) ----------------------------------------------------------------------- Summary of changes: ssl/ssl_lib.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 96b3ed0..17b13d1 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -5106,7 +5106,8 @@ static int nss_keylog_int(const char *prefix, size_t i; size_t prefix_len; - if (ssl->ctx->keylog_callback == NULL) return 1; + if (ssl->ctx->keylog_callback == NULL) + return 1; /* * Our output buffer will contain the following strings, rendered with From bernd.edlinger at hotmail.de Mon Nov 5 21:42:14 2018 From: bernd.edlinger at hotmail.de (bernd.edlinger at hotmail.de) Date: Mon, 05 Nov 2018 21:42:14 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541454134.221947.11041.nullmailer@dev.openssl.org> The branch master has been updated via fb9c3ff565aa11b08646e0f9f28fc082ed365cbd (commit) via 7ecd6c5186f3958b726edb3f5e5851f12ad56485 (commit) via c5e0b3a6d5f02aa53cf2a7c0cffb42e434ee3470 (commit) via 17209be89b4d5aad94b91cfe0d9d24d5243a4a2f (commit) from 2087028612027368e9508e1b253aab715a5a35d6 (commit) - Log ----------------------------------------------------------------- commit fb9c3ff565aa11b08646e0f9f28fc082ed365cbd Author: Bernd Edlinger Date: Fri Nov 2 11:46:38 2018 +0100 Fix error handling in RAND_DRBG_uninstantiate Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7517) commit 7ecd6c5186f3958b726edb3f5e5851f12ad56485 Author: Bernd Edlinger Date: Tue Oct 30 21:02:22 2018 +0100 Fix error handling in drbgtest.c Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7517) commit c5e0b3a6d5f02aa53cf2a7c0cffb42e434ee3470 Author: Bernd Edlinger Date: Tue Oct 30 20:57:53 2018 +0100 Fix error handling in rand_drbg_new Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7517) commit 17209be89b4d5aad94b91cfe0d9d24d5243a4a2f Author: Bernd Edlinger Date: Mon Oct 29 13:48:53 2018 +0100 Fix error handling in RAND_DRBG_set Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7517) ----------------------------------------------------------------------- Summary of changes: crypto/rand/drbg_lib.c | 13 ++++++++----- test/drbgtest.c | 33 +++++++++++++++++++-------------- 2 files changed, 27 insertions(+), 19 deletions(-) diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c index 8e372e5..2cfa4f5 100644 --- a/crypto/rand/drbg_lib.c +++ b/crypto/rand/drbg_lib.c @@ -180,12 +180,17 @@ int RAND_DRBG_set(RAND_DRBG *drbg, int type, unsigned int flags) else ret = drbg_hash_init(drbg); } else { + drbg->type = 0; + drbg->flags = 0; + drbg->meth = NULL; RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_UNSUPPORTED_DRBG_TYPE); return 0; } - if (ret == 0) + if (ret == 0) { + drbg->state = DRBG_ERROR; RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_ERROR_INITIALISING_DRBG); + } return ret; } @@ -290,10 +295,7 @@ static RAND_DRBG *rand_drbg_new(int secure, return drbg; err: - if (drbg->secure) - OPENSSL_secure_free(drbg); - else - OPENSSL_free(drbg); + RAND_DRBG_free(drbg); return NULL; } @@ -435,6 +437,7 @@ int RAND_DRBG_uninstantiate(RAND_DRBG *drbg) { int index = -1, type, flags; if (drbg->meth == NULL) { + drbg->state = DRBG_ERROR; RANDerr(RAND_F_RAND_DRBG_UNINSTANTIATE, RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED); return 0; diff --git a/test/drbgtest.c b/test/drbgtest.c index 882fef8..a3beebc 100644 --- a/test/drbgtest.c +++ b/test/drbgtest.c @@ -799,12 +799,15 @@ static void run_multi_thread_test(void) { unsigned char buf[256]; time_t start = time(NULL); - RAND_DRBG *public, *private; + RAND_DRBG *public = NULL, *private = NULL; - public = RAND_DRBG_get0_public(); - private = RAND_DRBG_get0_private(); - RAND_DRBG_set_reseed_time_interval(public, 1); + if (!TEST_ptr(public = RAND_DRBG_get0_public()) + || !TEST_ptr(private = RAND_DRBG_get0_private())) { + multi_thread_rand_bytes_succeeded = 0; + return; + } RAND_DRBG_set_reseed_time_interval(private, 1); + RAND_DRBG_set_reseed_time_interval(public, 1); do { if (RAND_bytes(buf, sizeof(buf)) <= 0) @@ -936,13 +939,16 @@ static size_t rand_drbg_seedlen(RAND_DRBG *drbg) */ static int test_rand_seed(void) { - RAND_DRBG *master = RAND_DRBG_get0_master(); + RAND_DRBG *master = NULL; unsigned char rand_buf[256]; size_t rand_buflen; -#ifdef OPENSSL_RAND_SEED_NONE - size_t required_seed_buflen = rand_drbg_seedlen(master); -#else size_t required_seed_buflen = 0; + + if (!TEST_ptr(master = RAND_DRBG_get0_master())) + return 0; + +#ifdef OPENSSL_RAND_SEED_NONE + required_seed_buflen = rand_drbg_seedlen(master); #endif memset(rand_buf, 0xCD, sizeof(rand_buf)); @@ -1025,14 +1031,13 @@ err: static int test_set_defaults(void) { - RAND_DRBG *master, *public, *private; - - master = RAND_DRBG_get0_master(); - public = RAND_DRBG_get0_public(); - private = RAND_DRBG_get0_private(); + RAND_DRBG *master = NULL, *public = NULL, *private = NULL; /* Check the default type and flags for master, public and private */ - return TEST_int_eq(master->type, RAND_DRBG_TYPE) + return TEST_ptr(master = RAND_DRBG_get0_master()) + && TEST_ptr(public = RAND_DRBG_get0_public()) + && TEST_ptr(private = RAND_DRBG_get0_private()) + && TEST_int_eq(master->type, RAND_DRBG_TYPE) && TEST_int_eq(master->flags, RAND_DRBG_FLAGS | RAND_DRBG_FLAG_MASTER) && TEST_int_eq(public->type, RAND_DRBG_TYPE) From bernd.edlinger at hotmail.de Mon Nov 5 21:49:02 2018 From: bernd.edlinger at hotmail.de (bernd.edlinger at hotmail.de) Date: Mon, 05 Nov 2018 21:49:02 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541454542.738051.12715.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via c40c1ef4f3c3a6a4d7878bbf8b13742a5bffd963 (commit) via fd59e425a865f306f3745f576f8b7b7a40dbbfcf (commit) via ee5a79104c4f7f59343a7b75815be3979a0f6b83 (commit) via f98a893ed454faf97d77a53833da95646478c14c (commit) from 0f316a0c208b90336b171fa05f8eaf4056c5a01d (commit) - Log ----------------------------------------------------------------- commit c40c1ef4f3c3a6a4d7878bbf8b13742a5bffd963 Author: Bernd Edlinger Date: Fri Nov 2 11:46:38 2018 +0100 Fix error handling in RAND_DRBG_uninstantiate Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7519) commit fd59e425a865f306f3745f576f8b7b7a40dbbfcf Author: Bernd Edlinger Date: Tue Oct 30 21:02:22 2018 +0100 Fix error handling in drbgtest.c Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7519) commit ee5a79104c4f7f59343a7b75815be3979a0f6b83 Author: Bernd Edlinger Date: Tue Oct 30 20:57:53 2018 +0100 Fix error handling in rand_drbg_new Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7519) commit f98a893ed454faf97d77a53833da95646478c14c Author: Bernd Edlinger Date: Mon Oct 29 13:48:53 2018 +0100 Fix error handling in RAND_DRBG_set Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7519) ----------------------------------------------------------------------- Summary of changes: crypto/rand/drbg_lib.c | 13 ++++++++----- test/drbgtest.c | 22 ++++++++++++++-------- 2 files changed, 22 insertions(+), 13 deletions(-) diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c index 43e7509..73fd942 100644 --- a/crypto/rand/drbg_lib.c +++ b/crypto/rand/drbg_lib.c @@ -115,6 +115,9 @@ int RAND_DRBG_set(RAND_DRBG *drbg, int type, unsigned int flags) switch (type) { default: + drbg->type = 0; + drbg->flags = 0; + drbg->meth = NULL; RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_UNSUPPORTED_DRBG_TYPE); return 0; case 0: @@ -127,8 +130,10 @@ int RAND_DRBG_set(RAND_DRBG *drbg, int type, unsigned int flags) break; } - if (ret == 0) + if (ret == 0) { + drbg->state = DRBG_ERROR; RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_ERROR_INITIALISING_DRBG); + } return ret; } @@ -229,10 +234,7 @@ static RAND_DRBG *rand_drbg_new(int secure, return drbg; err: - if (drbg->secure) - OPENSSL_secure_free(drbg); - else - OPENSSL_free(drbg); + RAND_DRBG_free(drbg); return NULL; } @@ -372,6 +374,7 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg, int RAND_DRBG_uninstantiate(RAND_DRBG *drbg) { if (drbg->meth == NULL) { + drbg->state = DRBG_ERROR; RANDerr(RAND_F_RAND_DRBG_UNINSTANTIATE, RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED); return 0; diff --git a/test/drbgtest.c b/test/drbgtest.c index b4453b0..371f138 100644 --- a/test/drbgtest.c +++ b/test/drbgtest.c @@ -790,12 +790,15 @@ static void run_multi_thread_test(void) { unsigned char buf[256]; time_t start = time(NULL); - RAND_DRBG *public, *private; + RAND_DRBG *public = NULL, *private = NULL; - public = RAND_DRBG_get0_public(); - private = RAND_DRBG_get0_private(); - RAND_DRBG_set_reseed_time_interval(public, 1); + if (!TEST_ptr(public = RAND_DRBG_get0_public()) + || !TEST_ptr(private = RAND_DRBG_get0_private())) { + multi_thread_rand_bytes_succeeded = 0; + return; + } RAND_DRBG_set_reseed_time_interval(private, 1); + RAND_DRBG_set_reseed_time_interval(public, 1); do { if (RAND_bytes(buf, sizeof(buf)) <= 0) @@ -927,13 +930,16 @@ static size_t rand_drbg_seedlen(RAND_DRBG *drbg) */ static int test_rand_seed(void) { - RAND_DRBG *master = RAND_DRBG_get0_master(); + RAND_DRBG *master = NULL; unsigned char rand_buf[256]; size_t rand_buflen; -#ifdef OPENSSL_RAND_SEED_NONE - size_t required_seed_buflen = rand_drbg_seedlen(master); -#else size_t required_seed_buflen = 0; + + if (!TEST_ptr(master = RAND_DRBG_get0_master())) + return 0; + +#ifdef OPENSSL_RAND_SEED_NONE + required_seed_buflen = rand_drbg_seedlen(master); #endif memset(rand_buf, 0xCD, sizeof(rand_buf)); From bernd.edlinger at hotmail.de Mon Nov 5 21:54:25 2018 From: bernd.edlinger at hotmail.de (bernd.edlinger at hotmail.de) Date: Mon, 05 Nov 2018 21:54:25 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541454865.346426.14050.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 939ef2ea114235f94124832c804161f735cec6c8 (commit) from c40c1ef4f3c3a6a4d7878bbf8b13742a5bffd963 (commit) - Log ----------------------------------------------------------------- commit 939ef2ea114235f94124832c804161f735cec6c8 Author: Bernd Edlinger Date: Sat Oct 27 11:31:21 2018 +0200 Avoid two memory allocations in each RAND_DRBG_bytes Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7518) ----------------------------------------------------------------------- Summary of changes: crypto/include/internal/rand_int.h | 5 +++-- crypto/rand/drbg_lib.c | 28 +++++++++++++++++++++++----- crypto/rand/rand_lcl.h | 5 +++++ crypto/rand/rand_lib.c | 37 +++++++++++++++++++++++++------------ 4 files changed, 56 insertions(+), 19 deletions(-) diff --git a/crypto/include/internal/rand_int.h b/crypto/include/internal/rand_int.h index 3c966ab..888cab1 100644 --- a/crypto/include/internal/rand_int.h +++ b/crypto/include/internal/rand_int.h @@ -45,9 +45,9 @@ size_t rand_drbg_get_nonce(RAND_DRBG *drbg, void rand_drbg_cleanup_nonce(RAND_DRBG *drbg, unsigned char *out, size_t outlen); -size_t rand_drbg_get_additional_data(unsigned char **pout, size_t max_len); +size_t rand_drbg_get_additional_data(RAND_POOL *pool, unsigned char **pout); -void rand_drbg_cleanup_additional_data(unsigned char *out, size_t outlen); +void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out); /* * RAND_POOL functions @@ -59,6 +59,7 @@ void rand_pool_free(RAND_POOL *pool); const unsigned char *rand_pool_buffer(RAND_POOL *pool); unsigned char *rand_pool_detach(RAND_POOL *pool); +void rand_pool_reattach(RAND_POOL *pool, unsigned char *buffer); size_t rand_pool_entropy(RAND_POOL *pool); size_t rand_pool_length(RAND_POOL *pool); diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c index 73fd942..d9f01cb 100644 --- a/crypto/rand/drbg_lib.c +++ b/crypto/rand/drbg_lib.c @@ -109,6 +109,13 @@ int RAND_DRBG_set(RAND_DRBG *drbg, int type, unsigned int flags) flags = rand_drbg_flags; } + /* If set is called multiple times - clear the old one */ + if (drbg->type != 0 && (type != drbg->type || flags != drbg->flags)) { + drbg->meth->uninstantiate(drbg); + rand_pool_free(drbg->adin_pool); + drbg->adin_pool = NULL; + } + drbg->state = DRBG_UNINITIALISED; drbg->flags = flags; drbg->type = type; @@ -122,6 +129,7 @@ int RAND_DRBG_set(RAND_DRBG *drbg, int type, unsigned int flags) return 0; case 0: /* Uninitialized; that's okay. */ + drbg->meth = NULL; return 1; case NID_aes_128_ctr: case NID_aes_192_ctr: @@ -259,6 +267,7 @@ void RAND_DRBG_free(RAND_DRBG *drbg) if (drbg->meth != NULL) drbg->meth->uninstantiate(drbg); + rand_pool_free(drbg->adin_pool); CRYPTO_THREAD_lock_free(drbg->lock); CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, drbg, &drbg->ex_data); @@ -650,9 +659,18 @@ int RAND_DRBG_bytes(RAND_DRBG *drbg, unsigned char *out, size_t outlen) unsigned char *additional = NULL; size_t additional_len; size_t chunk; - size_t ret; + size_t ret = 0; + + if (drbg->adin_pool == NULL) { + if (drbg->type == 0) + goto err; + drbg->adin_pool = rand_pool_new(0, 0, drbg->max_adinlen); + if (drbg->adin_pool == NULL) + goto err; + } - additional_len = rand_drbg_get_additional_data(&additional, drbg->max_adinlen); + additional_len = rand_drbg_get_additional_data(drbg->adin_pool, + &additional); for ( ; outlen > 0; outlen -= chunk, out += chunk) { chunk = outlen; @@ -664,9 +682,9 @@ int RAND_DRBG_bytes(RAND_DRBG *drbg, unsigned char *out, size_t outlen) } ret = 1; -err: - if (additional_len != 0) - OPENSSL_secure_clear_free(additional, additional_len); + err: + if (additional != NULL) + rand_drbg_cleanup_additional_data(drbg->adin_pool, additional); return ret; } diff --git a/crypto/rand/rand_lcl.h b/crypto/rand/rand_lcl.h index 10323a0..376efed 100644 --- a/crypto/rand/rand_lcl.h +++ b/crypto/rand/rand_lcl.h @@ -186,6 +186,11 @@ struct rand_drbg_st { struct rand_pool_st *pool; /* + * Auxiliary pool for additional data. + */ + struct rand_pool_st *adin_pool; + + /* * The following parameters are setup by the per-type "init" function. * * Currently the only type is CTR_DRBG, its init function is drbg_ctr_init(). diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 555fea3..884917a 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -279,14 +279,9 @@ void rand_drbg_cleanup_nonce(RAND_DRBG *drbg, * On success it allocates a buffer at |*pout| and returns the length of * the data. The buffer should get freed using OPENSSL_secure_clear_free(). */ -size_t rand_drbg_get_additional_data(unsigned char **pout, size_t max_len) +size_t rand_drbg_get_additional_data(RAND_POOL *pool, unsigned char **pout) { size_t ret = 0; - RAND_POOL *pool; - - pool = rand_pool_new(0, 0, max_len); - if (pool == NULL) - return 0; if (rand_pool_add_additional_data(pool) == 0) goto err; @@ -295,14 +290,12 @@ size_t rand_drbg_get_additional_data(unsigned char **pout, size_t max_len) *pout = rand_pool_detach(pool); err: - rand_pool_free(pool); - return ret; } -void rand_drbg_cleanup_additional_data(unsigned char *out, size_t outlen) +void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out) { - OPENSSL_secure_clear_free(out, outlen); + rand_pool_reattach(pool, out); } void rand_fork(void) @@ -536,17 +529,27 @@ size_t rand_pool_length(RAND_POOL *pool) /* * Detach the |pool| buffer and return it to the caller. * It's the responsibility of the caller to free the buffer - * using OPENSSL_secure_clear_free(). + * using OPENSSL_secure_clear_free() or to re-attach it + * again to the pool using rand_pool_reattach(). */ unsigned char *rand_pool_detach(RAND_POOL *pool) { unsigned char *ret = pool->buffer; pool->buffer = NULL; - pool->len = 0; pool->entropy = 0; return ret; } +/* + * Re-attach the |pool| buffer. It is only allowed to pass + * the |buffer| which was previously detached from the same pool. + */ +void rand_pool_reattach(RAND_POOL *pool, unsigned char *buffer) +{ + pool->buffer = buffer; + OPENSSL_cleanse(pool->buffer, pool->len); + pool->len = 0; +} /* * If |entropy_factor| bits contain 1 bit of entropy, how many bytes does one @@ -643,6 +646,11 @@ int rand_pool_add(RAND_POOL *pool, return 0; } + if (pool->buffer == NULL) { + RANDerr(RAND_F_RAND_POOL_ADD, ERR_R_INTERNAL_ERROR); + return 0; + } + if (len > 0) { memcpy(pool->buffer + pool->len, buffer, len); pool->len += len; @@ -674,6 +682,11 @@ unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len) return NULL; } + if (pool->buffer == NULL) { + RANDerr(RAND_F_RAND_POOL_ADD_BEGIN, ERR_R_INTERNAL_ERROR); + return 0; + } + return pool->buffer + pool->len; } From bernd.edlinger at hotmail.de Mon Nov 5 22:00:06 2018 From: bernd.edlinger at hotmail.de (bernd.edlinger at hotmail.de) Date: Mon, 05 Nov 2018 22:00:06 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541455206.437296.15545.nullmailer@dev.openssl.org> The branch master has been updated via 2bb1b5ddd12c23bbfa7fb60ee3296612ca943fef (commit) from fb9c3ff565aa11b08646e0f9f28fc082ed365cbd (commit) - Log ----------------------------------------------------------------- commit 2bb1b5ddd12c23bbfa7fb60ee3296612ca943fef Author: Bernd Edlinger Date: Tue Oct 30 22:21:34 2018 +0100 Fix a race condition in drbgtest.c Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7531) ----------------------------------------------------------------------- Summary of changes: test/drbgtest.c | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/test/drbgtest.c b/test/drbgtest.c index a3beebc..c285c75 100644 --- a/test/drbgtest.c +++ b/test/drbgtest.c @@ -581,6 +581,8 @@ static void reset_drbg_hook_ctx(void) * 1: it is expected that the specified DRBG is reseeded * 0: it is expected that the specified DRBG is not reseeded * -1: don't check whether the specified DRBG was reseeded or not + * |reseed_time|: if nonzero, used instead of time(NULL) to set the + * |before_reseed| time. */ static int test_drbg_reseed(int expect_success, RAND_DRBG *master, @@ -588,7 +590,8 @@ static int test_drbg_reseed(int expect_success, RAND_DRBG *private, int expect_master_reseed, int expect_public_reseed, - int expect_private_reseed + int expect_private_reseed, + time_t reseed_time ) { unsigned char buf[32]; @@ -614,8 +617,11 @@ static int test_drbg_reseed(int expect_success, * step 2: generate random output */ + if (reseed_time == 0) + reseed_time = time(NULL); + /* Generate random output from the public and private DRBG */ - before_reseed = expect_master_reseed == 1 ? time(NULL) : 0; + before_reseed = expect_master_reseed == 1 ? reseed_time : 0; if (!TEST_int_eq(RAND_bytes(buf, sizeof(buf)), expect_success) || !TEST_int_eq(RAND_priv_bytes(buf, sizeof(buf)), expect_success)) return 0; @@ -682,6 +688,7 @@ static int test_rand_drbg_reseed(void) RAND_DRBG *master, *public, *private; unsigned char rand_add_buf[256]; int rv=0; + time_t before_reseed; /* Check whether RAND_OpenSSL() is the default method */ if (!TEST_ptr_eq(RAND_get_rand_method(), RAND_OpenSSL())) @@ -716,7 +723,7 @@ static int test_rand_drbg_reseed(void) /* * Test initial seeding of shared DRBGs */ - if (!TEST_true(test_drbg_reseed(1, master, public, private, 1, 1, 1))) + if (!TEST_true(test_drbg_reseed(1, master, public, private, 1, 1, 1, 0))) goto error; reset_drbg_hook_ctx(); @@ -724,7 +731,7 @@ static int test_rand_drbg_reseed(void) /* * Test initial state of shared DRBGs */ - if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 0, 0))) + if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 0, 0, 0))) goto error; reset_drbg_hook_ctx(); @@ -733,7 +740,7 @@ static int test_rand_drbg_reseed(void) * reseed counters differ from the master's reseed counter. */ master->reseed_prop_counter++; - if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 1, 1))) + if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 1, 1, 0))) goto error; reset_drbg_hook_ctx(); @@ -743,7 +750,7 @@ static int test_rand_drbg_reseed(void) */ master->reseed_prop_counter++; private->reseed_prop_counter++; - if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 1, 0))) + if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 1, 0, 0))) goto error; reset_drbg_hook_ctx(); @@ -753,7 +760,7 @@ static int test_rand_drbg_reseed(void) */ master->reseed_prop_counter++; public->reseed_prop_counter++; - if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 0, 1))) + if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 0, 1, 0))) goto error; reset_drbg_hook_ctx(); @@ -762,10 +769,17 @@ static int test_rand_drbg_reseed(void) memset(rand_add_buf, 'r', sizeof(rand_add_buf)); /* - * Test whether all three DRBGs are reseeded by RAND_add() + * Test whether all three DRBGs are reseeded by RAND_add(). + * The before_reseed time has to be measured here and passed into the + * test_drbg_reseed() test, because the master DRBG gets already reseeded + * in RAND_add(), whence the check for the condition + * before_reseed <= master->reseed_time will fail if the time value happens + * to increase between the RAND_add() and the test_drbg_reseed() call. */ + before_reseed = time(NULL); RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf)); - if (!TEST_true(test_drbg_reseed(1, master, public, private, 1, 1, 1))) + if (!TEST_true(test_drbg_reseed(1, master, public, private, 1, 1, 1, + before_reseed))) goto error; reset_drbg_hook_ctx(); @@ -776,7 +790,7 @@ static int test_rand_drbg_reseed(void) master_ctx.fail = 1; master->reseed_prop_counter++; RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf)); - if (!TEST_true(test_drbg_reseed(0, master, public, private, 0, 0, 0))) + if (!TEST_true(test_drbg_reseed(0, master, public, private, 0, 0, 0, 0))) goto error; reset_drbg_hook_ctx(); From bernd.edlinger at hotmail.de Mon Nov 5 22:01:09 2018 From: bernd.edlinger at hotmail.de (bernd.edlinger at hotmail.de) Date: Mon, 05 Nov 2018 22:01:09 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541455269.432517.16421.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 7b7fdf8a791720f8d19276a9012b1248956e00e0 (commit) from 939ef2ea114235f94124832c804161f735cec6c8 (commit) - Log ----------------------------------------------------------------- commit 7b7fdf8a791720f8d19276a9012b1248956e00e0 Author: Bernd Edlinger Date: Tue Oct 30 22:21:34 2018 +0100 Fix a race condition in drbgtest.c Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7531) (cherry picked from commit 2bb1b5ddd12c23bbfa7fb60ee3296612ca943fef) ----------------------------------------------------------------------- Summary of changes: test/drbgtest.c | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/test/drbgtest.c b/test/drbgtest.c index 371f138..755f0b3 100644 --- a/test/drbgtest.c +++ b/test/drbgtest.c @@ -572,6 +572,8 @@ static void reset_drbg_hook_ctx(void) * 1: it is expected that the specified DRBG is reseeded * 0: it is expected that the specified DRBG is not reseeded * -1: don't check whether the specified DRBG was reseeded or not + * |reseed_time|: if nonzero, used instead of time(NULL) to set the + * |before_reseed| time. */ static int test_drbg_reseed(int expect_success, RAND_DRBG *master, @@ -579,7 +581,8 @@ static int test_drbg_reseed(int expect_success, RAND_DRBG *private, int expect_master_reseed, int expect_public_reseed, - int expect_private_reseed + int expect_private_reseed, + time_t reseed_time ) { unsigned char buf[32]; @@ -605,8 +608,11 @@ static int test_drbg_reseed(int expect_success, * step 2: generate random output */ + if (reseed_time == 0) + reseed_time = time(NULL); + /* Generate random output from the public and private DRBG */ - before_reseed = expect_master_reseed == 1 ? time(NULL) : 0; + before_reseed = expect_master_reseed == 1 ? reseed_time : 0; if (!TEST_int_eq(RAND_bytes(buf, sizeof(buf)), expect_success) || !TEST_int_eq(RAND_priv_bytes(buf, sizeof(buf)), expect_success)) return 0; @@ -673,6 +679,7 @@ static int test_rand_drbg_reseed(void) RAND_DRBG *master, *public, *private; unsigned char rand_add_buf[256]; int rv=0; + time_t before_reseed; /* Check whether RAND_OpenSSL() is the default method */ if (!TEST_ptr_eq(RAND_get_rand_method(), RAND_OpenSSL())) @@ -707,7 +714,7 @@ static int test_rand_drbg_reseed(void) /* * Test initial seeding of shared DRBGs */ - if (!TEST_true(test_drbg_reseed(1, master, public, private, 1, 1, 1))) + if (!TEST_true(test_drbg_reseed(1, master, public, private, 1, 1, 1, 0))) goto error; reset_drbg_hook_ctx(); @@ -715,7 +722,7 @@ static int test_rand_drbg_reseed(void) /* * Test initial state of shared DRBGs */ - if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 0, 0))) + if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 0, 0, 0))) goto error; reset_drbg_hook_ctx(); @@ -724,7 +731,7 @@ static int test_rand_drbg_reseed(void) * reseed counters differ from the master's reseed counter. */ master->reseed_prop_counter++; - if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 1, 1))) + if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 1, 1, 0))) goto error; reset_drbg_hook_ctx(); @@ -734,7 +741,7 @@ static int test_rand_drbg_reseed(void) */ master->reseed_prop_counter++; private->reseed_prop_counter++; - if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 1, 0))) + if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 1, 0, 0))) goto error; reset_drbg_hook_ctx(); @@ -744,7 +751,7 @@ static int test_rand_drbg_reseed(void) */ master->reseed_prop_counter++; public->reseed_prop_counter++; - if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 0, 1))) + if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 0, 1, 0))) goto error; reset_drbg_hook_ctx(); @@ -753,10 +760,17 @@ static int test_rand_drbg_reseed(void) memset(rand_add_buf, 'r', sizeof(rand_add_buf)); /* - * Test whether all three DRBGs are reseeded by RAND_add() + * Test whether all three DRBGs are reseeded by RAND_add(). + * The before_reseed time has to be measured here and passed into the + * test_drbg_reseed() test, because the master DRBG gets already reseeded + * in RAND_add(), whence the check for the condition + * before_reseed <= master->reseed_time will fail if the time value happens + * to increase between the RAND_add() and the test_drbg_reseed() call. */ + before_reseed = time(NULL); RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf)); - if (!TEST_true(test_drbg_reseed(1, master, public, private, 1, 1, 1))) + if (!TEST_true(test_drbg_reseed(1, master, public, private, 1, 1, 1, + before_reseed))) goto error; reset_drbg_hook_ctx(); @@ -767,7 +781,7 @@ static int test_rand_drbg_reseed(void) master_ctx.fail = 1; master->reseed_prop_counter++; RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf)); - if (!TEST_true(test_drbg_reseed(0, master, public, private, 0, 0, 0))) + if (!TEST_true(test_drbg_reseed(0, master, public, private, 0, 0, 0, 0))) goto error; reset_drbg_hook_ctx(); From pauli at openssl.org Wed Nov 7 04:14:29 2018 From: pauli at openssl.org (Paul I. Dale) Date: Wed, 07 Nov 2018 04:14:29 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541564069.262339.13793.nullmailer@dev.openssl.org> The branch master has been updated via 47d2080facaacda0610bb0954da9f289de8d700b (commit) from 2bb1b5ddd12c23bbfa7fb60ee3296612ca943fef (commit) - Log ----------------------------------------------------------------- commit 47d2080facaacda0610bb0954da9f289de8d700b Author: Rich Salz Date: Tue Oct 23 16:13:47 2018 -0400 Remove outdated e_chil.txt file Reviewed-by: Richard Levitte Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7476) ----------------------------------------------------------------------- Summary of changes: demos/engines/e_chil.txt | 12 ------------ 1 file changed, 12 deletions(-) delete mode 100644 demos/engines/e_chil.txt diff --git a/demos/engines/e_chil.txt b/demos/engines/e_chil.txt deleted file mode 100644 index dc7076b..0000000 --- a/demos/engines/e_chil.txt +++ /dev/null @@ -1,12 +0,0 @@ -HWCRHK_F_BIND_HELPER 110 -HWCRHK_F_HWCRHK_CTRL 100 -HWCRHK_F_HWCRHK_FINISH 101 -HWCRHK_F_HWCRHK_GET_PASS 102 -HWCRHK_F_HWCRHK_INIT 103 -HWCRHK_F_HWCRHK_INSERT_CARD 104 -HWCRHK_F_HWCRHK_LOAD_PRIVKEY 105 -HWCRHK_F_HWCRHK_LOAD_PUBKEY 106 -HWCRHK_F_HWCRHK_MOD_EXP 107 -HWCRHK_F_HWCRHK_MUTEX_INIT 111 -HWCRHK_F_HWCRHK_RAND_BYTES 108 -HWCRHK_F_HWCRHK_RSA_MOD_EXP 109 From no-reply at appveyor.com Wed Nov 7 10:30:56 2018 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 07 Nov 2018 10:30:56 +0000 Subject: [openssl-commits] Build failed: openssl master.20820 Message-ID: <20181107103056.1.96237626A55F9980@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Wed Nov 7 11:53:49 2018 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 07 Nov 2018 11:53:49 +0000 Subject: [openssl-commits] Build completed: openssl master.20821 Message-ID: <20181107115349.1.D9B1B8EC2D2E0EE7@appveyor.com> An HTML attachment was scrubbed... URL: From levitte at openssl.org Wed Nov 7 13:39:10 2018 From: levitte at openssl.org (Richard Levitte) Date: Wed, 07 Nov 2018 13:39:10 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541597950.644300.18441.nullmailer@dev.openssl.org> The branch master has been updated via 3866b2247fb7904a4e660593a16365147f479415 (commit) from 47d2080facaacda0610bb0954da9f289de8d700b (commit) - Log ----------------------------------------------------------------- commit 3866b2247fb7904a4e660593a16365147f479415 Author: Richard Levitte Date: Thu Nov 1 14:02:21 2018 +0100 util/add-depends.pl: go through shared_sources too Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7545) ----------------------------------------------------------------------- Summary of changes: util/add-depends.pl | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/util/add-depends.pl b/util/add-depends.pl index deb0de2..55d56b7 100644 --- a/util/add-depends.pl +++ b/util/add-depends.pl @@ -36,8 +36,10 @@ my @depfiles = scalar @st > 0; # Determines the grep result } map { (my $x = $_) =~ s|\.o$|$depext|; $x; } - grep { $unified_info{sources}->{$_}->[0] =~ /\.cc?$/ } - keys %{$unified_info{sources}}; + ( ( grep { $unified_info{sources}->{$_}->[0] =~ /\.cc?$/ } + keys %{$unified_info{sources}} ), + ( grep { $unified_info{shared_sources}->{$_}->[0] =~ /\.cc?$/ } + keys %{$unified_info{shared_sources}} ) ); exit 0 unless $rebuild; From levitte at openssl.org Wed Nov 7 13:40:22 2018 From: levitte at openssl.org (Richard Levitte) Date: Wed, 07 Nov 2018 13:40:22 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541598022.517776.19467.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 4274ef97c1300d1924c537b7d4c91bb8494a5de2 (commit) from 7b7fdf8a791720f8d19276a9012b1248956e00e0 (commit) - Log ----------------------------------------------------------------- commit 4274ef97c1300d1924c537b7d4c91bb8494a5de2 Author: Richard Levitte Date: Thu Nov 1 14:02:21 2018 +0100 util/add-depends.pl: go through shared_sources too Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7545) (cherry picked from commit 3866b2247fb7904a4e660593a16365147f479415) ----------------------------------------------------------------------- Summary of changes: util/add-depends.pl | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/util/add-depends.pl b/util/add-depends.pl index deb0de2..55d56b7 100644 --- a/util/add-depends.pl +++ b/util/add-depends.pl @@ -36,8 +36,10 @@ my @depfiles = scalar @st > 0; # Determines the grep result } map { (my $x = $_) =~ s|\.o$|$depext|; $x; } - grep { $unified_info{sources}->{$_}->[0] =~ /\.cc?$/ } - keys %{$unified_info{sources}}; + ( ( grep { $unified_info{sources}->{$_}->[0] =~ /\.cc?$/ } + keys %{$unified_info{sources}} ), + ( grep { $unified_info{shared_sources}->{$_}->[0] =~ /\.cc?$/ } + keys %{$unified_info{shared_sources}} ) ); exit 0 unless $rebuild; From builds at travis-ci.org Wed Nov 7 13:57:15 2018 From: builds at travis-ci.org (Travis CI) Date: Wed, 07 Nov 2018 13:57:15 +0000 Subject: [openssl-commits] Errored: openssl/openssl#21551 (master - 3866b22) In-Reply-To: Message-ID: <5be2ef3b2dcda_43ff22906e9dc191555@be920dc7-2291-4446-bb3e-b40d450575c3.mail> Build Update for openssl/openssl ------------------------------------- Build: #21551 Status: Errored Duration: 17 mins and 15 secs Commit: 3866b22 (master) Author: Richard Levitte Message: util/add-depends.pl: go through shared_sources too Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7545) View the changeset: https://github.com/openssl/openssl/compare/47d2080facaa...3866b2247fb7 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/451887603?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From bernd.edlinger at hotmail.de Wed Nov 7 14:18:49 2018 From: bernd.edlinger at hotmail.de (bernd.edlinger at hotmail.de) Date: Wed, 07 Nov 2018 14:18:49 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541600329.159017.24515.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 9bc987f0086052a03982694e0ef69e9617a2b2dc (commit) from 4274ef97c1300d1924c537b7d4c91bb8494a5de2 (commit) - Log ----------------------------------------------------------------- commit 9bc987f0086052a03982694e0ef69e9617a2b2dc Author: Bernd Edlinger Date: Tue Oct 30 23:09:56 2018 +0100 Initialize reseed_gen_counter to 1, like it is done in master Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7532) ----------------------------------------------------------------------- Summary of changes: crypto/rand/drbg_lib.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c index d9f01cb..de4f333 100644 --- a/crypto/rand/drbg_lib.c +++ b/crypto/rand/drbg_lib.c @@ -359,7 +359,7 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg, } drbg->state = DRBG_READY; - drbg->reseed_gen_counter = 0; + drbg->reseed_gen_counter = 1; drbg->reseed_time = time(NULL); tsan_store(&drbg->reseed_prop_counter, drbg->reseed_next_counter); @@ -451,7 +451,7 @@ int RAND_DRBG_reseed(RAND_DRBG *drbg, goto end; drbg->state = DRBG_READY; - drbg->reseed_gen_counter = 0; + drbg->reseed_gen_counter = 1; drbg->reseed_time = time(NULL); tsan_store(&drbg->reseed_prop_counter, drbg->reseed_next_counter); From bernd.edlinger at hotmail.de Wed Nov 7 14:23:17 2018 From: bernd.edlinger at hotmail.de (bernd.edlinger at hotmail.de) Date: Wed, 07 Nov 2018 14:23:17 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541600597.066507.26056.nullmailer@dev.openssl.org> The branch master has been updated via 31f32abb8eb2a3ebd8500e6e0460b4a6791e5ed7 (commit) from 3866b2247fb7904a4e660593a16365147f479415 (commit) - Log ----------------------------------------------------------------- commit 31f32abb8eb2a3ebd8500e6e0460b4a6791e5ed7 Author: Bernd Edlinger Date: Mon Nov 5 23:13:11 2018 +0100 Rename the rand_drbg_st data member "pool" to "seed_pool" ... to make the intended use more clear and differentiate it from the data member "adin_pool". Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7575) ----------------------------------------------------------------------- Summary of changes: crypto/rand/drbg_lib.c | 14 +++++++------- crypto/rand/rand_lcl.h | 2 +- crypto/rand/rand_lib.c | 8 ++++---- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c index 2cfa4f5..d398b42 100644 --- a/crypto/rand/drbg_lib.c +++ b/crypto/rand/drbg_lib.c @@ -557,11 +557,11 @@ int rand_drbg_restart(RAND_DRBG *drbg, const unsigned char *adin = NULL; size_t adinlen = 0; - if (drbg->pool != NULL) { + if (drbg->seed_pool != NULL) { RANDerr(RAND_F_RAND_DRBG_RESTART, ERR_R_INTERNAL_ERROR); drbg->state = DRBG_ERROR; - rand_pool_free(drbg->pool); - drbg->pool = NULL; + rand_pool_free(drbg->seed_pool); + drbg->seed_pool = NULL; return 0; } @@ -581,8 +581,8 @@ int rand_drbg_restart(RAND_DRBG *drbg, } /* will be picked up by the rand_drbg_get_entropy() callback */ - drbg->pool = rand_pool_attach(buffer, len, entropy); - if (drbg->pool == NULL) + drbg->seed_pool = rand_pool_attach(buffer, len, entropy); + if (drbg->seed_pool == NULL) return 0; } else { if (drbg->max_adinlen < len) { @@ -628,8 +628,8 @@ int rand_drbg_restart(RAND_DRBG *drbg, } } - rand_pool_free(drbg->pool); - drbg->pool = NULL; + rand_pool_free(drbg->seed_pool); + drbg->seed_pool = NULL; return drbg->state == DRBG_READY; } diff --git a/crypto/rand/rand_lcl.h b/crypto/rand/rand_lcl.h index 77be005..33b367c 100644 --- a/crypto/rand/rand_lcl.h +++ b/crypto/rand/rand_lcl.h @@ -203,7 +203,7 @@ struct rand_drbg_st { * with respect to how randomness is added to the RNG during reseeding * (see PR #4328). */ - struct rand_pool_st *pool; + struct rand_pool_st *seed_pool; /* * Auxiliary pool for additional data. diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 884917a..4f1a134 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -146,8 +146,8 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, return 0; } - if (drbg->pool != NULL) { - pool = drbg->pool; + if (drbg->seed_pool != NULL) { + pool = drbg->seed_pool; pool->entropy_requested = entropy; } else { pool = rand_pool_new(entropy, min_len, max_len); @@ -204,7 +204,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, } err: - if (drbg->pool == NULL) + if (drbg->seed_pool == NULL) rand_pool_free(pool); return ret; } @@ -216,7 +216,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, void rand_drbg_cleanup_entropy(RAND_DRBG *drbg, unsigned char *out, size_t outlen) { - if (drbg->pool == NULL) + if (drbg->seed_pool == NULL) OPENSSL_secure_clear_free(out, outlen); } From bernd.edlinger at hotmail.de Wed Nov 7 14:23:52 2018 From: bernd.edlinger at hotmail.de (bernd.edlinger at hotmail.de) Date: Wed, 07 Nov 2018 14:23:52 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541600632.033475.26875.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 294941aebb28329efa17acd8fe6eb8b3cc3ce345 (commit) from 9bc987f0086052a03982694e0ef69e9617a2b2dc (commit) - Log ----------------------------------------------------------------- commit 294941aebb28329efa17acd8fe6eb8b3cc3ce345 Author: Bernd Edlinger Date: Mon Nov 5 23:13:11 2018 +0100 Rename the rand_drbg_st data member "pool" to "seed_pool" ... to make the intended use more clear and differentiate it from the data member "adin_pool". Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7575) (cherry picked from commit 31f32abb8eb2a3ebd8500e6e0460b4a6791e5ed7) ----------------------------------------------------------------------- Summary of changes: crypto/rand/drbg_lib.c | 14 +++++++------- crypto/rand/rand_lcl.h | 2 +- crypto/rand/rand_lib.c | 8 ++++---- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c index de4f333..c1d89f8 100644 --- a/crypto/rand/drbg_lib.c +++ b/crypto/rand/drbg_lib.c @@ -487,11 +487,11 @@ int rand_drbg_restart(RAND_DRBG *drbg, const unsigned char *adin = NULL; size_t adinlen = 0; - if (drbg->pool != NULL) { + if (drbg->seed_pool != NULL) { RANDerr(RAND_F_RAND_DRBG_RESTART, ERR_R_INTERNAL_ERROR); drbg->state = DRBG_ERROR; - rand_pool_free(drbg->pool); - drbg->pool = NULL; + rand_pool_free(drbg->seed_pool); + drbg->seed_pool = NULL; return 0; } @@ -511,8 +511,8 @@ int rand_drbg_restart(RAND_DRBG *drbg, } /* will be picked up by the rand_drbg_get_entropy() callback */ - drbg->pool = rand_pool_attach(buffer, len, entropy); - if (drbg->pool == NULL) + drbg->seed_pool = rand_pool_attach(buffer, len, entropy); + if (drbg->seed_pool == NULL) return 0; } else { if (drbg->max_adinlen < len) { @@ -558,8 +558,8 @@ int rand_drbg_restart(RAND_DRBG *drbg, } } - rand_pool_free(drbg->pool); - drbg->pool = NULL; + rand_pool_free(drbg->seed_pool); + drbg->seed_pool = NULL; return drbg->state == DRBG_READY; } diff --git a/crypto/rand/rand_lcl.h b/crypto/rand/rand_lcl.h index 376efed..9a4dc32 100644 --- a/crypto/rand/rand_lcl.h +++ b/crypto/rand/rand_lcl.h @@ -183,7 +183,7 @@ struct rand_drbg_st { * with respect to how randomness is added to the RNG during reseeding * (see PR #4328). */ - struct rand_pool_st *pool; + struct rand_pool_st *seed_pool; /* * Auxiliary pool for additional data. diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 884917a..4f1a134 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -146,8 +146,8 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, return 0; } - if (drbg->pool != NULL) { - pool = drbg->pool; + if (drbg->seed_pool != NULL) { + pool = drbg->seed_pool; pool->entropy_requested = entropy; } else { pool = rand_pool_new(entropy, min_len, max_len); @@ -204,7 +204,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, } err: - if (drbg->pool == NULL) + if (drbg->seed_pool == NULL) rand_pool_free(pool); return ret; } @@ -216,7 +216,7 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg, void rand_drbg_cleanup_entropy(RAND_DRBG *drbg, unsigned char *out, size_t outlen) { - if (drbg->pool == NULL) + if (drbg->seed_pool == NULL) OPENSSL_secure_clear_free(out, outlen); } From builds at travis-ci.org Wed Nov 7 14:50:34 2018 From: builds at travis-ci.org (Travis CI) Date: Wed, 07 Nov 2018 14:50:34 +0000 Subject: [openssl-commits] Passed: openssl/openssl#21554 (master - 31f32ab) In-Reply-To: Message-ID: <5be2fbb9c8953_43ff22906f56c21733f@be920dc7-2291-4446-bb3e-b40d450575c3.mail> Build Update for openssl/openssl ------------------------------------- Build: #21554 Status: Passed Duration: 26 mins and 17 secs Commit: 31f32ab (master) Author: Bernd Edlinger Message: Rename the rand_drbg_st data member "pool" to "seed_pool" ... to make the intended use more clear and differentiate it from the data member "adin_pool". Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7575) View the changeset: https://github.com/openssl/openssl/compare/3866b2247fb7...31f32abb8eb2 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/451908392?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From pauli at openssl.org Wed Nov 7 22:13:01 2018 From: pauli at openssl.org (Paul I. Dale) Date: Wed, 07 Nov 2018 22:13:01 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541628781.971947.13597.nullmailer@dev.openssl.org> The branch master has been updated via ac765685d4b08a48cefffc71c434760045154dad (commit) from 31f32abb8eb2a3ebd8500e6e0460b4a6791e5ed7 (commit) - Log ----------------------------------------------------------------- commit ac765685d4b08a48cefffc71c434760045154dad Author: Pauli Date: Thu Nov 8 07:22:01 2018 +1000 Add missing RAND initialisation call. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7587) ----------------------------------------------------------------------- Summary of changes: crypto/rand/rand_lib.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 4f1a134..277403c 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -363,7 +363,8 @@ void rand_cleanup_int(void) */ void RAND_keep_random_devices_open(int keep) { - rand_pool_keep_random_devices_open(keep); + if (RUN_ONCE(&rand_init, do_rand_init)) + rand_pool_keep_random_devices_open(keep); } /* From pauli at openssl.org Wed Nov 7 22:13:27 2018 From: pauli at openssl.org (Paul I. Dale) Date: Wed, 07 Nov 2018 22:13:27 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541628807.104968.14422.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via f7258489d88432dfc431772314ebac1c2997fdf8 (commit) from 294941aebb28329efa17acd8fe6eb8b3cc3ce345 (commit) - Log ----------------------------------------------------------------- commit f7258489d88432dfc431772314ebac1c2997fdf8 Author: Pauli Date: Thu Nov 8 07:22:01 2018 +1000 Add missing RAND initialisation call. Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/7587) (cherry picked from commit ac765685d4b08a48cefffc71c434760045154dad) ----------------------------------------------------------------------- Summary of changes: crypto/rand/rand_lib.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 4f1a134..277403c 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -363,7 +363,8 @@ void rand_cleanup_int(void) */ void RAND_keep_random_devices_open(int keep) { - rand_pool_keep_random_devices_open(keep); + if (RUN_ONCE(&rand_init, do_rand_init)) + rand_pool_keep_random_devices_open(keep); } /* From matt at openssl.org Thu Nov 8 11:39:42 2018 From: matt at openssl.org (Matt Caswell) Date: Thu, 08 Nov 2018 11:39:42 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541677182.321217.26999.nullmailer@dev.openssl.org> The branch master has been updated via 680bd131b69d57e891888ab70d300176a5a16617 (commit) via 589b6227a85ea0133fe91d744b16dd72edee929a (commit) from ac765685d4b08a48cefffc71c434760045154dad (commit) - Log ----------------------------------------------------------------- commit 680bd131b69d57e891888ab70d300176a5a16617 Author: Matt Caswell Date: Fri Oct 26 15:29:15 2018 +0100 Give a better error if an attempt is made to set a zero length groups list Previously we indicated this as a malloc failure which isn't very helpful. Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/7479) commit 589b6227a85ea0133fe91d744b16dd72edee929a Author: Matt Caswell Date: Wed Oct 24 10:11:00 2018 +0100 Ignore disabled ciphers when deciding if we are using ECC use_ecc() was always returning 1 because there are default (TLSv1.3) ciphersuites that use ECC - even if those ciphersuites are disabled by other options. Fixes #7471 Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/7479) ----------------------------------------------------------------------- Summary of changes: doc/man3/SSL_CTX_set1_curves.pod | 3 +++ ssl/statem/extensions_clnt.c | 13 ++++++++----- ssl/t1_lib.c | 4 ++++ 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/doc/man3/SSL_CTX_set1_curves.pod b/doc/man3/SSL_CTX_set1_curves.pod index a250f20..2757ccb 100644 --- a/doc/man3/SSL_CTX_set1_curves.pod +++ b/doc/man3/SSL_CTX_set1_curves.pod @@ -32,6 +32,9 @@ SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve =head1 DESCRIPTION +For all of the functions below that set the supported groups there must be at +least one group in the list. + SSL_CTX_set1_groups() sets the supported groups for B to B groups in the array B. The array consist of all NIDs of groups in preference order. For a TLS client the groups are used directly in the diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 4b5e6fe..ab4dbf6 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -115,7 +115,7 @@ EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, #ifndef OPENSSL_NO_EC static int use_ecc(SSL *s) { - int i, end; + int i, end, ret = 0; unsigned long alg_k, alg_a; STACK_OF(SSL_CIPHER) *cipher_stack = NULL; @@ -123,7 +123,7 @@ static int use_ecc(SSL *s) if (s->version == SSL3_VERSION) return 0; - cipher_stack = SSL_get_ciphers(s); + cipher_stack = SSL_get1_supported_ciphers(s); end = sk_SSL_CIPHER_num(cipher_stack); for (i = 0; i < end; i++) { const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); @@ -132,11 +132,14 @@ static int use_ecc(SSL *s) alg_a = c->algorithm_auth; if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) || (alg_a & SSL_aECDSA) - || c->min_tls >= TLS1_3_VERSION) - return 1; + || c->min_tls >= TLS1_3_VERSION) { + ret = 1; + break; + } } - return 0; + sk_SSL_CIPHER_free(cipher_stack); + return ret; } EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 1564979..b8b9fbd 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -343,6 +343,10 @@ int tls1_set_groups(uint16_t **pext, size_t *pextlen, */ unsigned long dup_list = 0; + if (ngroups == 0) { + SSLerr(SSL_F_TLS1_SET_GROUPS, SSL_R_BAD_LENGTH); + return 0; + } if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) { SSLerr(SSL_F_TLS1_SET_GROUPS, ERR_R_MALLOC_FAILURE); return 0; From matt at openssl.org Thu Nov 8 11:39:52 2018 From: matt at openssl.org (Matt Caswell) Date: Thu, 08 Nov 2018 11:39:52 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541677192.504204.27882.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via efd67e01a5471f9b0745018d7707b69876b070f6 (commit) via f306b9e62a375add764c7d9de6e311aaa0229865 (commit) from f7258489d88432dfc431772314ebac1c2997fdf8 (commit) - Log ----------------------------------------------------------------- commit efd67e01a5471f9b0745018d7707b69876b070f6 Author: Matt Caswell Date: Fri Oct 26 15:29:15 2018 +0100 Give a better error if an attempt is made to set a zero length groups list Previously we indicated this as a malloc failure which isn't very helpful. Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/7479) (cherry picked from commit 680bd131b69d57e891888ab70d300176a5a16617) commit f306b9e62a375add764c7d9de6e311aaa0229865 Author: Matt Caswell Date: Wed Oct 24 10:11:00 2018 +0100 Ignore disabled ciphers when deciding if we are using ECC use_ecc() was always returning 1 because there are default (TLSv1.3) ciphersuites that use ECC - even if those ciphersuites are disabled by other options. Fixes #7471 Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/7479) (cherry picked from commit 589b6227a85ea0133fe91d744b16dd72edee929a) ----------------------------------------------------------------------- Summary of changes: doc/man3/SSL_CTX_set1_curves.pod | 3 +++ ssl/statem/extensions_clnt.c | 13 ++++++++----- ssl/t1_lib.c | 4 ++++ 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/doc/man3/SSL_CTX_set1_curves.pod b/doc/man3/SSL_CTX_set1_curves.pod index a250f20..2757ccb 100644 --- a/doc/man3/SSL_CTX_set1_curves.pod +++ b/doc/man3/SSL_CTX_set1_curves.pod @@ -32,6 +32,9 @@ SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve =head1 DESCRIPTION +For all of the functions below that set the supported groups there must be at +least one group in the list. + SSL_CTX_set1_groups() sets the supported groups for B to B groups in the array B. The array consist of all NIDs of groups in preference order. For a TLS client the groups are used directly in the diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 4b5e6fe..ab4dbf6 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -115,7 +115,7 @@ EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, #ifndef OPENSSL_NO_EC static int use_ecc(SSL *s) { - int i, end; + int i, end, ret = 0; unsigned long alg_k, alg_a; STACK_OF(SSL_CIPHER) *cipher_stack = NULL; @@ -123,7 +123,7 @@ static int use_ecc(SSL *s) if (s->version == SSL3_VERSION) return 0; - cipher_stack = SSL_get_ciphers(s); + cipher_stack = SSL_get1_supported_ciphers(s); end = sk_SSL_CIPHER_num(cipher_stack); for (i = 0; i < end; i++) { const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); @@ -132,11 +132,14 @@ static int use_ecc(SSL *s) alg_a = c->algorithm_auth; if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) || (alg_a & SSL_aECDSA) - || c->min_tls >= TLS1_3_VERSION) - return 1; + || c->min_tls >= TLS1_3_VERSION) { + ret = 1; + break; + } } - return 0; + sk_SSL_CIPHER_free(cipher_stack); + return ret; } EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 1564979..b8b9fbd 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -343,6 +343,10 @@ int tls1_set_groups(uint16_t **pext, size_t *pextlen, */ unsigned long dup_list = 0; + if (ngroups == 0) { + SSLerr(SSL_F_TLS1_SET_GROUPS, SSL_R_BAD_LENGTH); + return 0; + } if ((glist = OPENSSL_malloc(ngroups * sizeof(*glist))) == NULL) { SSLerr(SSL_F_TLS1_SET_GROUPS, ERR_R_MALLOC_FAILURE); return 0; From matthias.st.pierre at ncp-e.com Thu Nov 8 15:30:30 2018 From: matthias.st.pierre at ncp-e.com (matthias.st.pierre at ncp-e.com) Date: Thu, 08 Nov 2018 15:30:30 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541691030.829541.21522.nullmailer@dev.openssl.org> The branch master has been updated via 1901516a4ba909fff12e0e7815aa2d499f4d6d67 (commit) via 1c615e4ce97715ae3af9255bc57be32a49687966 (commit) from 680bd131b69d57e891888ab70d300176a5a16617 (commit) - Log ----------------------------------------------------------------- commit 1901516a4ba909fff12e0e7815aa2d499f4d6d67 Author: Dr. Matthias St. Pierre Date: Fri Oct 26 01:13:19 2018 +0200 Test: enable internal tests for shared Windows builds Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7462) commit 1c615e4ce97715ae3af9255bc57be32a49687966 Author: Dr. Matthias St. Pierre Date: Mon Oct 22 18:05:14 2018 +0200 Test: link drbgtest statically against libcrypto and remove duplicate rand_drbg_seedlen() implementation again. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7462) ----------------------------------------------------------------------- Summary of changes: crypto/rand/drbg_lib.c | 6 +--- crypto/rand/rand_lcl.h | 2 +- test/build.info | 2 +- test/drbgtest.c | 40 -------------------------- test/recipes/02-test_internal_ctype.t | 3 -- test/recipes/03-test_internal_asn1.t | 3 -- test/recipes/03-test_internal_chacha.t | 3 -- test/recipes/03-test_internal_curve448.t | 3 -- test/recipes/03-test_internal_modes.t | 3 -- test/recipes/03-test_internal_poly1305.t | 3 -- test/recipes/03-test_internal_siphash.t | 3 -- test/recipes/03-test_internal_sm2.t | 3 -- test/recipes/03-test_internal_sm4.t | 3 -- test/recipes/03-test_internal_ssl_cert_table.t | 3 -- test/recipes/03-test_internal_x509.t | 3 -- test/recipes/06-test-rdrand.t | 3 -- test/recipes/90-test_tls13encryption.t | 3 -- 17 files changed, 3 insertions(+), 86 deletions(-) diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c index d398b42..16756d9 100644 --- a/crypto/rand/drbg_lib.c +++ b/crypto/rand/drbg_lib.c @@ -1045,12 +1045,8 @@ static int drbg_bytes(unsigned char *out, int count) * Calculates the minimum length of a full entropy buffer * which is necessary to seed (i.e. instantiate) the DRBG * successfully. - * - * NOTE: There is a copy of this function in drbgtest.c. - * If you change anything here, you need to update - * the copy accordingly. */ -static size_t rand_drbg_seedlen(RAND_DRBG *drbg) +size_t rand_drbg_seedlen(RAND_DRBG *drbg) { /* * If no os entropy source is available then RAND_seed(buffer, bufsize) diff --git a/crypto/rand/rand_lcl.h b/crypto/rand/rand_lcl.h index 33b367c..3ec7189 100644 --- a/crypto/rand/rand_lcl.h +++ b/crypto/rand/rand_lcl.h @@ -309,7 +309,7 @@ extern int rand_fork_count; /* DRBG helpers */ int rand_drbg_restart(RAND_DRBG *drbg, const unsigned char *buffer, size_t len, size_t entropy); - +size_t rand_drbg_seedlen(RAND_DRBG *drbg); /* locking api */ int rand_drbg_lock(RAND_DRBG *drbg); int rand_drbg_unlock(RAND_DRBG *drbg); diff --git a/test/build.info b/test/build.info index d2acbed..0227212 100644 --- a/test/build.info +++ b/test/build.info @@ -342,7 +342,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=main SOURCE[drbgtest]=drbgtest.c INCLUDE[drbgtest]=../include - DEPEND[drbgtest]=../libcrypto libtestutil.a + DEPEND[drbgtest]=../libcrypto.a libtestutil.a SOURCE[drbg_cavs_test]=drbg_cavs_test.c drbg_cavs_data_ctr.c \ drbg_cavs_data_hash.c drbg_cavs_data_hmac.c diff --git a/test/drbgtest.c b/test/drbgtest.c index c285c75..1aef1fe 100644 --- a/test/drbgtest.c +++ b/test/drbgtest.c @@ -901,46 +901,6 @@ static int test_multi_thread(void) } #endif -#ifdef OPENSSL_RAND_SEED_NONE -/* - * Calculates the minimum buffer length which needs to be - * provided to RAND_seed() in order to successfully - * instantiate the DRBG. - * - * Copied from rand_drbg_seedlen() in rand_drbg.c - */ -static size_t rand_drbg_seedlen(RAND_DRBG *drbg) -{ - /* - * If no os entropy source is available then RAND_seed(buffer, bufsize) - * is expected to succeed if and only if the buffer length satisfies - * the following requirements, which follow from the calculations - * in RAND_DRBG_instantiate(). - */ - size_t min_entropy = drbg->strength; - size_t min_entropylen = drbg->min_entropylen; - - /* - * Extra entropy for the random nonce in the absence of a - * get_nonce callback, see comment in RAND_DRBG_instantiate(). - */ - if (drbg->min_noncelen > 0 && drbg->get_nonce == NULL) { - min_entropy += drbg->strength / 2; - min_entropylen += drbg->min_noncelen; - } - - /* - * Convert entropy requirement from bits to bytes - * (dividing by 8 without rounding upwards, because - * all entropy requirements are divisible by 8). - */ - min_entropy >>= 3; - - /* Return a value that satisfies both requirements */ - return min_entropy > min_entropylen ? min_entropy : min_entropylen; -} -#endif /*OPENSSL_RAND_SEED_NONE*/ - /* * Test that instantiation with RAND_seed() works as expected * diff --git a/test/recipes/02-test_internal_ctype.t b/test/recipes/02-test_internal_ctype.t index 5bf81bd..9990021 100644 --- a/test/recipes/02-test_internal_ctype.t +++ b/test/recipes/02-test_internal_ctype.t @@ -14,7 +14,4 @@ use OpenSSL::Test::Utils; setup("test_internal_ctype"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - simple_test("test_internal_ctype", "ctype_internal_test"); diff --git a/test/recipes/03-test_internal_asn1.t b/test/recipes/03-test_internal_asn1.t index d34445f..f6f3b5c 100644 --- a/test/recipes/03-test_internal_asn1.t +++ b/test/recipes/03-test_internal_asn1.t @@ -13,7 +13,4 @@ use OpenSSL::Test::Utils; setup("test_internal_asn1"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - simple_test("test_internal_asn1", "asn1_internal_test"); diff --git a/test/recipes/03-test_internal_chacha.t b/test/recipes/03-test_internal_chacha.t index bac1328..14ec5c6 100644 --- a/test/recipes/03-test_internal_chacha.t +++ b/test/recipes/03-test_internal_chacha.t @@ -13,7 +13,4 @@ use OpenSSL::Test::Utils; setup("test_internal_chacha"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - simple_test("test_internal_chacha", "chacha_internal_test", "chacha"); diff --git a/test/recipes/03-test_internal_curve448.t b/test/recipes/03-test_internal_curve448.t index fb41a6b..4decc98 100644 --- a/test/recipes/03-test_internal_curve448.t +++ b/test/recipes/03-test_internal_curve448.t @@ -13,9 +13,6 @@ use OpenSSL::Test::Utils; setup("test_internal_curve448"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - plan skip_all => "This test is unsupported in a no-ec build" if disabled("ec"); diff --git a/test/recipes/03-test_internal_modes.t b/test/recipes/03-test_internal_modes.t index 4371822..09c0664 100644 --- a/test/recipes/03-test_internal_modes.t +++ b/test/recipes/03-test_internal_modes.t @@ -13,7 +13,4 @@ use OpenSSL::Test::Utils; setup("test_internal_modes"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - simple_test("test_internal_modes", "modes_internal_test"); diff --git a/test/recipes/03-test_internal_poly1305.t b/test/recipes/03-test_internal_poly1305.t index b5809c1..a3b9849 100644 --- a/test/recipes/03-test_internal_poly1305.t +++ b/test/recipes/03-test_internal_poly1305.t @@ -13,7 +13,4 @@ use OpenSSL::Test::Utils; setup("test_internal_poly1305"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - simple_test("test_internal_poly1305", "poly1305_internal_test", "poly1305"); diff --git a/test/recipes/03-test_internal_siphash.t b/test/recipes/03-test_internal_siphash.t index 1817e4e..f5e8890 100644 --- a/test/recipes/03-test_internal_siphash.t +++ b/test/recipes/03-test_internal_siphash.t @@ -13,7 +13,4 @@ use OpenSSL::Test::Utils; setup("test_internal_siphash"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - simple_test("test_internal_siphash", "siphash_internal_test", "siphash"); diff --git a/test/recipes/03-test_internal_sm2.t b/test/recipes/03-test_internal_sm2.t index b93716e..7a3fc41 100644 --- a/test/recipes/03-test_internal_sm2.t +++ b/test/recipes/03-test_internal_sm2.t @@ -13,7 +13,4 @@ use OpenSSL::Test::Utils; setup("test_internal_sm2"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - simple_test("test_internal_sm2", "sm2_internal_test", "sm2"); diff --git a/test/recipes/03-test_internal_sm4.t b/test/recipes/03-test_internal_sm4.t index 459d83c..34de203 100644 --- a/test/recipes/03-test_internal_sm4.t +++ b/test/recipes/03-test_internal_sm4.t @@ -14,7 +14,4 @@ use OpenSSL::Test::Utils; setup("test_internal_sm4"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - simple_test("test_internal_sm4", "sm4_internal_test", "sm4"); diff --git a/test/recipes/03-test_internal_ssl_cert_table.t b/test/recipes/03-test_internal_ssl_cert_table.t index 1cafc23..8872cd5 100644 --- a/test/recipes/03-test_internal_ssl_cert_table.t +++ b/test/recipes/03-test_internal_ssl_cert_table.t @@ -13,7 +13,4 @@ use OpenSSL::Test::Utils; setup("test_internal_ssl_cert_table"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - simple_test("test_internal_ssl_cert_table", "ssl_cert_table_internal_test"); diff --git a/test/recipes/03-test_internal_x509.t b/test/recipes/03-test_internal_x509.t index d4aaa22..ef140eb 100644 --- a/test/recipes/03-test_internal_x509.t +++ b/test/recipes/03-test_internal_x509.t @@ -13,7 +13,4 @@ use OpenSSL::Test::Utils; setup("test_internal_x509"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - simple_test("test_internal_x509", "x509_internal_test"); diff --git a/test/recipes/06-test-rdrand.t b/test/recipes/06-test-rdrand.t index ac246bd..24be8ae 100644 --- a/test/recipes/06-test-rdrand.t +++ b/test/recipes/06-test-rdrand.t @@ -15,9 +15,6 @@ use OpenSSL::Test::Utils; setup("test_rdrand_sanity"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - # We also need static builds to be enabled even on linux plan skip_all => "This test is unsupported if static builds are not enabled" if disabled("static"); diff --git a/test/recipes/90-test_tls13encryption.t b/test/recipes/90-test_tls13encryption.t index f997b4d..e6ca97a 100644 --- a/test/recipes/90-test_tls13encryption.t +++ b/test/recipes/90-test_tls13encryption.t @@ -15,9 +15,6 @@ setup($test_name); plan skip_all => "$test_name is not supported in this build" if disabled("tls1_3"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - plan tests => 1; ok(run(test(["tls13encryptiontest"])), "running tls13encryptiontest"); From matthias.st.pierre at ncp-e.com Thu Nov 8 15:33:14 2018 From: matthias.st.pierre at ncp-e.com (matthias.st.pierre at ncp-e.com) Date: Thu, 08 Nov 2018 15:33:14 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541691194.440712.23000.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via cdf33504efb9cb429a920d4d6bfd30b9c7cd4bf8 (commit) via c39df745b08d9d9e8ae323a2b017db1961f5c0b8 (commit) from efd67e01a5471f9b0745018d7707b69876b070f6 (commit) - Log ----------------------------------------------------------------- commit cdf33504efb9cb429a920d4d6bfd30b9c7cd4bf8 Author: Dr. Matthias St. Pierre Date: Fri Oct 26 01:13:19 2018 +0200 Test: enable internal tests for shared Windows builds Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7462) (cherry picked from commit 1901516a4ba909fff12e0e7815aa2d499f4d6d67) commit c39df745b08d9d9e8ae323a2b017db1961f5c0b8 Author: Dr. Matthias St. Pierre Date: Mon Oct 22 18:05:14 2018 +0200 Test: link drbgtest statically against libcrypto and remove duplicate rand_drbg_seedlen() implementation again. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7462) (cherry picked from commit 1c615e4ce97715ae3af9255bc57be32a49687966) ----------------------------------------------------------------------- Summary of changes: crypto/rand/drbg_lib.c | 6 +--- crypto/rand/rand_lcl.h | 2 +- test/build.info | 2 +- test/drbgtest.c | 40 -------------------------- test/recipes/02-test_internal_ctype.t | 3 -- test/recipes/03-test_internal_asn1.t | 3 -- test/recipes/03-test_internal_chacha.t | 3 -- test/recipes/03-test_internal_curve448.t | 3 -- test/recipes/03-test_internal_modes.t | 3 -- test/recipes/03-test_internal_poly1305.t | 3 -- test/recipes/03-test_internal_siphash.t | 3 -- test/recipes/03-test_internal_sm2.t | 3 -- test/recipes/03-test_internal_sm4.t | 3 -- test/recipes/03-test_internal_ssl_cert_table.t | 3 -- test/recipes/03-test_internal_x509.t | 3 -- test/recipes/06-test-rdrand.t | 3 -- test/recipes/90-test_tls13encryption.t | 3 -- 17 files changed, 3 insertions(+), 86 deletions(-) diff --git a/crypto/rand/drbg_lib.c b/crypto/rand/drbg_lib.c index c1d89f8..a132821 100644 --- a/crypto/rand/drbg_lib.c +++ b/crypto/rand/drbg_lib.c @@ -974,12 +974,8 @@ static int drbg_bytes(unsigned char *out, int count) * Calculates the minimum length of a full entropy buffer * which is necessary to seed (i.e. instantiate) the DRBG * successfully. - * - * NOTE: There is a copy of this function in drbgtest.c. - * If you change anything here, you need to update - * the copy accordingly. */ -static size_t rand_drbg_seedlen(RAND_DRBG *drbg) +size_t rand_drbg_seedlen(RAND_DRBG *drbg) { /* * If no os entropy source is available then RAND_seed(buffer, bufsize) diff --git a/crypto/rand/rand_lcl.h b/crypto/rand/rand_lcl.h index 9a4dc32..c3e9804 100644 --- a/crypto/rand/rand_lcl.h +++ b/crypto/rand/rand_lcl.h @@ -280,7 +280,7 @@ extern int rand_fork_count; /* DRBG helpers */ int rand_drbg_restart(RAND_DRBG *drbg, const unsigned char *buffer, size_t len, size_t entropy); - +size_t rand_drbg_seedlen(RAND_DRBG *drbg); /* locking api */ int rand_drbg_lock(RAND_DRBG *drbg); int rand_drbg_unlock(RAND_DRBG *drbg); diff --git a/test/build.info b/test/build.info index b2a82a7..b6bb711 100644 --- a/test/build.info +++ b/test/build.info @@ -341,7 +341,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN SOURCE[drbgtest]=drbgtest.c INCLUDE[drbgtest]=../include - DEPEND[drbgtest]=../libcrypto libtestutil.a + DEPEND[drbgtest]=../libcrypto.a libtestutil.a SOURCE[drbg_cavs_test]=drbg_cavs_test.c drbg_cavs_data.c INCLUDE[drbg_cavs_test]=../include . .. diff --git a/test/drbgtest.c b/test/drbgtest.c index 755f0b3..b690475 100644 --- a/test/drbgtest.c +++ b/test/drbgtest.c @@ -892,46 +892,6 @@ static int test_multi_thread(void) } #endif -#ifdef OPENSSL_RAND_SEED_NONE -/* - * Calculates the minimum buffer length which needs to be - * provided to RAND_seed() in order to successfully - * instantiate the DRBG. - * - * Copied from rand_drbg_seedlen() in rand_drbg.c - */ -static size_t rand_drbg_seedlen(RAND_DRBG *drbg) -{ - /* - * If no os entropy source is available then RAND_seed(buffer, bufsize) - * is expected to succeed if and only if the buffer length satisfies - * the following requirements, which follow from the calculations - * in RAND_DRBG_instantiate(). - */ - size_t min_entropy = drbg->strength; - size_t min_entropylen = drbg->min_entropylen; - - /* - * Extra entropy for the random nonce in the absence of a - * get_nonce callback, see comment in RAND_DRBG_instantiate(). - */ - if (drbg->min_noncelen > 0 && drbg->get_nonce == NULL) { - min_entropy += drbg->strength / 2; - min_entropylen += drbg->min_noncelen; - } - - /* - * Convert entropy requirement from bits to bytes - * (dividing by 8 without rounding upwards, because - * all entropy requirements are divisible by 8). - */ - min_entropy >>= 3; - - /* Return a value that satisfies both requirements */ - return min_entropy > min_entropylen ? min_entropy : min_entropylen; -} -#endif /*OPENSSL_RAND_SEED_NONE*/ - /* * Test that instantiation with RAND_seed() works as expected * diff --git a/test/recipes/02-test_internal_ctype.t b/test/recipes/02-test_internal_ctype.t index 5bf81bd..9990021 100644 --- a/test/recipes/02-test_internal_ctype.t +++ b/test/recipes/02-test_internal_ctype.t @@ -14,7 +14,4 @@ use OpenSSL::Test::Utils; setup("test_internal_ctype"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - simple_test("test_internal_ctype", "ctype_internal_test"); diff --git a/test/recipes/03-test_internal_asn1.t b/test/recipes/03-test_internal_asn1.t index d34445f..f6f3b5c 100644 --- a/test/recipes/03-test_internal_asn1.t +++ b/test/recipes/03-test_internal_asn1.t @@ -13,7 +13,4 @@ use OpenSSL::Test::Utils; setup("test_internal_asn1"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - simple_test("test_internal_asn1", "asn1_internal_test"); diff --git a/test/recipes/03-test_internal_chacha.t b/test/recipes/03-test_internal_chacha.t index bac1328..14ec5c6 100644 --- a/test/recipes/03-test_internal_chacha.t +++ b/test/recipes/03-test_internal_chacha.t @@ -13,7 +13,4 @@ use OpenSSL::Test::Utils; setup("test_internal_chacha"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - simple_test("test_internal_chacha", "chacha_internal_test", "chacha"); diff --git a/test/recipes/03-test_internal_curve448.t b/test/recipes/03-test_internal_curve448.t index fb41a6b..4decc98 100644 --- a/test/recipes/03-test_internal_curve448.t +++ b/test/recipes/03-test_internal_curve448.t @@ -13,9 +13,6 @@ use OpenSSL::Test::Utils; setup("test_internal_curve448"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - plan skip_all => "This test is unsupported in a no-ec build" if disabled("ec"); diff --git a/test/recipes/03-test_internal_modes.t b/test/recipes/03-test_internal_modes.t index 4371822..09c0664 100644 --- a/test/recipes/03-test_internal_modes.t +++ b/test/recipes/03-test_internal_modes.t @@ -13,7 +13,4 @@ use OpenSSL::Test::Utils; setup("test_internal_modes"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - simple_test("test_internal_modes", "modes_internal_test"); diff --git a/test/recipes/03-test_internal_poly1305.t b/test/recipes/03-test_internal_poly1305.t index b5809c1..a3b9849 100644 --- a/test/recipes/03-test_internal_poly1305.t +++ b/test/recipes/03-test_internal_poly1305.t @@ -13,7 +13,4 @@ use OpenSSL::Test::Utils; setup("test_internal_poly1305"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - simple_test("test_internal_poly1305", "poly1305_internal_test", "poly1305"); diff --git a/test/recipes/03-test_internal_siphash.t b/test/recipes/03-test_internal_siphash.t index 1817e4e..f5e8890 100644 --- a/test/recipes/03-test_internal_siphash.t +++ b/test/recipes/03-test_internal_siphash.t @@ -13,7 +13,4 @@ use OpenSSL::Test::Utils; setup("test_internal_siphash"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - simple_test("test_internal_siphash", "siphash_internal_test", "siphash"); diff --git a/test/recipes/03-test_internal_sm2.t b/test/recipes/03-test_internal_sm2.t index b93716e..7a3fc41 100644 --- a/test/recipes/03-test_internal_sm2.t +++ b/test/recipes/03-test_internal_sm2.t @@ -13,7 +13,4 @@ use OpenSSL::Test::Utils; setup("test_internal_sm2"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - simple_test("test_internal_sm2", "sm2_internal_test", "sm2"); diff --git a/test/recipes/03-test_internal_sm4.t b/test/recipes/03-test_internal_sm4.t index 459d83c..34de203 100644 --- a/test/recipes/03-test_internal_sm4.t +++ b/test/recipes/03-test_internal_sm4.t @@ -14,7 +14,4 @@ use OpenSSL::Test::Utils; setup("test_internal_sm4"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - simple_test("test_internal_sm4", "sm4_internal_test", "sm4"); diff --git a/test/recipes/03-test_internal_ssl_cert_table.t b/test/recipes/03-test_internal_ssl_cert_table.t index 1cafc23..8872cd5 100644 --- a/test/recipes/03-test_internal_ssl_cert_table.t +++ b/test/recipes/03-test_internal_ssl_cert_table.t @@ -13,7 +13,4 @@ use OpenSSL::Test::Utils; setup("test_internal_ssl_cert_table"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - simple_test("test_internal_ssl_cert_table", "ssl_cert_table_internal_test"); diff --git a/test/recipes/03-test_internal_x509.t b/test/recipes/03-test_internal_x509.t index d4aaa22..ef140eb 100644 --- a/test/recipes/03-test_internal_x509.t +++ b/test/recipes/03-test_internal_x509.t @@ -13,7 +13,4 @@ use OpenSSL::Test::Utils; setup("test_internal_x509"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - simple_test("test_internal_x509", "x509_internal_test"); diff --git a/test/recipes/06-test-rdrand.t b/test/recipes/06-test-rdrand.t index ac246bd..24be8ae 100644 --- a/test/recipes/06-test-rdrand.t +++ b/test/recipes/06-test-rdrand.t @@ -15,9 +15,6 @@ use OpenSSL::Test::Utils; setup("test_rdrand_sanity"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - # We also need static builds to be enabled even on linux plan skip_all => "This test is unsupported if static builds are not enabled" if disabled("static"); diff --git a/test/recipes/90-test_tls13encryption.t b/test/recipes/90-test_tls13encryption.t index f997b4d..e6ca97a 100644 --- a/test/recipes/90-test_tls13encryption.t +++ b/test/recipes/90-test_tls13encryption.t @@ -15,9 +15,6 @@ setup($test_name); plan skip_all => "$test_name is not supported in this build" if disabled("tls1_3"); -plan skip_all => "This test is unsupported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - plan tests => 1; ok(run(test(["tls13encryptiontest"])), "running tls13encryptiontest"); From matthias.st.pierre at ncp-e.com Thu Nov 8 15:40:18 2018 From: matthias.st.pierre at ncp-e.com (matthias.st.pierre at ncp-e.com) Date: Thu, 08 Nov 2018 15:40:18 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541691618.960824.24458.nullmailer@dev.openssl.org> The branch master has been updated via 8cfc19716c22dac737ec8cfc5f7d085e7c37f4d8 (commit) from 1901516a4ba909fff12e0e7815aa2d499f4d6d67 (commit) - Log ----------------------------------------------------------------- commit 8cfc19716c22dac737ec8cfc5f7d085e7c37f4d8 Author: Dr. Matthias St. Pierre Date: Thu Oct 18 13:27:14 2018 +0200 rand_unix.c: open random devices on first use only Commit c7504aeb640a (pr #6432) fixed a regression for applications in chroot environments, which compensated the fact that the new OpenSSL CSPRNG (based on the NIST DRBG) now reseeds periodically, which the previous one didn't. Now the reseeding could fail in the chroot environment if the DEVRANDOM devices were not present anymore and no other entropy source (e.g. getrandom()) was available. The solution was to keep the file handles for the DEVRANDOM devices open by default. In fact, the fix did more than this, it opened the DEVRANDOM devices early and unconditionally in rand_pool_init(), which had the unwanted side effect that the devices were opened (and kept open) even in cases when they were not used at all, for example when the getrandom() system call was available. Due to a bug (issue #7419) this even happened when the feature was disabled by the application. This commit removes the unconditional opening of all DEVRANDOM devices. They will now only be opened (and kept open) on first use. In particular, if getrandom() is available, the handles will not be opened unnecessarily. This change does not introduce a regression for applications compiled for libcrypto 1.1.0, because the SSLEAY RNG also seeds on first use. So in the above constellation the CSPRNG will only be properly seeded if it is happens before the forking and chrooting. Fixes #7419 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7437) ----------------------------------------------------------------------- Summary of changes: crypto/rand/rand_unix.c | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c index cb3a6b2..9d8ffdd 100644 --- a/crypto/rand/rand_unix.c +++ b/crypto/rand/rand_unix.c @@ -386,21 +386,13 @@ static void close_random_device(size_t n) rd->fd = -1; } -static void open_random_devices(void) -{ - size_t i; - - for (i = 0; i < OSSL_NELEM(random_devices); i++) - (void)get_random_device(i); -} - int rand_pool_init(void) { size_t i; for (i = 0; i < OSSL_NELEM(random_devices); i++) random_devices[i].fd = -1; - open_random_devices(); + return 1; } @@ -414,10 +406,9 @@ void rand_pool_cleanup(void) void rand_pool_keep_random_devices_open(int keep) { - if (keep) - open_random_devices(); - else + if (!keep) rand_pool_cleanup(); + keep_random_devices_open = keep; } From matthias.st.pierre at ncp-e.com Thu Nov 8 15:41:53 2018 From: matthias.st.pierre at ncp-e.com (matthias.st.pierre at ncp-e.com) Date: Thu, 08 Nov 2018 15:41:53 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541691713.950082.25343.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via abf58ed3191dcd3a7c6b296b1494bd7fd336e253 (commit) from cdf33504efb9cb429a920d4d6bfd30b9c7cd4bf8 (commit) - Log ----------------------------------------------------------------- commit abf58ed3191dcd3a7c6b296b1494bd7fd336e253 Author: Dr. Matthias St. Pierre Date: Thu Oct 18 13:27:14 2018 +0200 rand_unix.c: open random devices on first use only Commit c7504aeb640a (pr #6432) fixed a regression for applications in chroot environments, which compensated the fact that the new OpenSSL CSPRNG (based on the NIST DRBG) now reseeds periodically, which the previous one didn't. Now the reseeding could fail in the chroot environment if the DEVRANDOM devices were not present anymore and no other entropy source (e.g. getrandom()) was available. The solution was to keep the file handles for the DEVRANDOM devices open by default. In fact, the fix did more than this, it opened the DEVRANDOM devices early and unconditionally in rand_pool_init(), which had the unwanted side effect that the devices were opened (and kept open) even in cases when they were not used at all, for example when the getrandom() system call was available. Due to a bug (issue #7419) this even happened when the feature was disabled by the application. This commit removes the unconditional opening of all DEVRANDOM devices. They will now only be opened (and kept open) on first use. In particular, if getrandom() is available, the handles will not be opened unnecessarily. This change does not introduce a regression for applications compiled for libcrypto 1.1.0, because the SSLEAY RNG also seeds on first use. So in the above constellation the CSPRNG will only be properly seeded if it is happens before the forking and chrooting. Fixes #7419 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7437) (cherry picked from commit 8cfc19716c22dac737ec8cfc5f7d085e7c37f4d8) ----------------------------------------------------------------------- Summary of changes: crypto/rand/rand_unix.c | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c index cb3a6b2..9d8ffdd 100644 --- a/crypto/rand/rand_unix.c +++ b/crypto/rand/rand_unix.c @@ -386,21 +386,13 @@ static void close_random_device(size_t n) rd->fd = -1; } -static void open_random_devices(void) -{ - size_t i; - - for (i = 0; i < OSSL_NELEM(random_devices); i++) - (void)get_random_device(i); -} - int rand_pool_init(void) { size_t i; for (i = 0; i < OSSL_NELEM(random_devices); i++) random_devices[i].fd = -1; - open_random_devices(); + return 1; } @@ -414,10 +406,9 @@ void rand_pool_cleanup(void) void rand_pool_keep_random_devices_open(int keep) { - if (keep) - open_random_devices(); - else + if (!keep) rand_pool_cleanup(); + keep_random_devices_open = keep; } From levitte at openssl.org Thu Nov 8 21:43:15 2018 From: levitte at openssl.org (Richard Levitte) Date: Thu, 08 Nov 2018 21:43:15 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541713395.471616.31946.nullmailer@dev.openssl.org> The branch master has been updated via 9c5f2ea677ac1ebe87690d8febd2c7e4629c4841 (commit) from 8cfc19716c22dac737ec8cfc5f7d085e7c37f4d8 (commit) - Log ----------------------------------------------------------------- commit 9c5f2ea677ac1ebe87690d8febd2c7e4629c4841 Author: Richard Levitte Date: Thu Nov 8 10:28:33 2018 +0100 VMS build: don't add a comma before 'extradefines' The variable extradefines will have the starting comma, if needed. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/7591) ----------------------------------------------------------------------- Summary of changes: Configurations/descrip.mms.tmpl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index eb0f9c5..04c0089 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -198,9 +198,9 @@ ASOUTFLAG={- $target{asoutflag} -}$(OSSL_EMPTY) CNF_ASFLAGS={- join('', $target{asflags} || (), @{$config{asflags}}) -} -CNF_DEFINES={- our $defines2 = join('', map { ",$_" } @{$target{defines}}, - @{$config{defines}}, - "'extradefines'") -} +CNF_DEFINES={- our $defines2 = join('', (map { ",$_" } @{$target{defines}}, + @{$config{defines}}), + "'extradefines'") -} CNF_INCLUDES={- our $includes2 = join(',', @{$target{includes}}, @{$config{includes}}) -} CNF_CPPFLAGS={- our $cppflags2 = join('', $target{cppflags} || (), From yang.yang at baishancloud.com Fri Nov 9 04:54:42 2018 From: yang.yang at baishancloud.com (yang.yang at baishancloud.com) Date: Fri, 09 Nov 2018 04:54:42 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541739282.581907.19135.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 0178459aa17a87e6450903be985e92e46eb3095e (commit) from abf58ed3191dcd3a7c6b296b1494bd7fd336e253 (commit) - Log ----------------------------------------------------------------- commit 0178459aa17a87e6450903be985e92e46eb3095e Author: Paul Yang Date: Thu Nov 1 23:27:31 2018 +0800 Fix a doc-nit in EVP_PKEY_CTX_ctrl.pod [skip-ci] Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7546) (cherry picked from commit e5a8712d03334c4b7cb9f29d6d1daee399c1223e) ----------------------------------------------------------------------- Summary of changes: doc/man3/EVP_PKEY_CTX_ctrl.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod index 75fba58..4982e92 100644 --- a/doc/man3/EVP_PKEY_CTX_ctrl.pod +++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod @@ -116,7 +116,7 @@ EVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, EVP_PKEY_CTX_get1_id_len int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm); #include - + int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid); int EVP_PKEY_CTX_set_ec_param_enc(EVP_PKEY_CTX *ctx, int param_enc); int EVP_PKEY_CTX_set_ecdh_cofactor_mode(EVP_PKEY_CTX *ctx, int cofactor_mode); From levitte at openssl.org Fri Nov 9 05:19:54 2018 From: levitte at openssl.org (Richard Levitte) Date: Fri, 09 Nov 2018 05:19:54 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541740794.548247.23586.nullmailer@dev.openssl.org> The branch master has been updated via e8d01a608705e4320082a11a3870aa7e19c7290f (commit) via c1123d9f7efb005a109aeccaba82c40bf9bd4c1d (commit) from 9c5f2ea677ac1ebe87690d8febd2c7e4629c4841 (commit) - Log ----------------------------------------------------------------- commit e8d01a608705e4320082a11a3870aa7e19c7290f Author: Richard Levitte Date: Wed Nov 7 16:13:57 2018 +0100 Have install targets depend on more precise build targets We only had the main 'install' target depend on 'all'. This changes the dependencies so targets like install_dev, install_runtime_libs, install_engines and install_programs depend on build targets that are correspond to them more specifically. This increases the parallel possibilities. Fixes #7466 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7583) commit c1123d9f7efb005a109aeccaba82c40bf9bd4c1d Author: Richard Levitte Date: Thu Oct 25 09:09:20 2018 +0200 Allow parallel install When trying 'make -j{n} install', you may occasionally run into trouble because to sub-targets (install_dev and install_runtime) try to install the same shared libraries. That makes parallel install difficult. This is solved by dividing install_runtime into two parts, one for libraries and one for programs, and have install_dev depend on install_runtime_libs instead of installing the shared runtime libraries itself. Fixes #7466 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7583) ----------------------------------------------------------------------- Summary of changes: Configurations/descrip.mms.tmpl | 53 +++++++++++++++++------------------- Configurations/unix-Makefile.tmpl | 36 ++++++++++++++---------- Configurations/windows-makefile.tmpl | 17 ++++++++---- 3 files changed, 58 insertions(+), 48 deletions(-) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 04c0089..ae555d5 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -519,12 +519,10 @@ descrip.mms : FORCE # Install helper targets ############################################# -install_sw : all install_shared _install_dev_ns - - install_engines _install_runtime_ns - +install_sw : install_dev install_engines install_runtime - install_startup install_ivp -uninstall_sw : uninstall_shared _uninstall_dev_ns - - uninstall_engines _uninstall_runtime_ns - +uninstall_sw : uninstall_dev uninstall_engines uninstall_runtime - uninstall_startup uninstall_ivp install_docs : install_html_docs @@ -553,17 +551,7 @@ install_ssldirs : check_INSTALLTOP COPY/PROT=W:R {- sourcefile("apps", "ct_log_list.cnf") -} - ossl_dataroot:[000000]ct_log_list.cnf -install_shared : check_INSTALLTOP - @ {- output_off() if $disabled{shared}; "" -} ! - @ WRITE SYS$OUTPUT "*** Installing shareable images" - @ ! Install shared (runtime) libraries - - CREATE/DIR ossl_installroot:[LIB.'arch'] - {- join("\n ", - map { "COPY/PROT=W:R $_.EXE ossl_installroot:[LIB.'arch']" } - @install_shlibs) -} - @ {- output_on() if $disabled{shared}; "" -} ! - -_install_dev_ns : check_INSTALLTOP +install_dev : check_INSTALLTOP install_runtime_libs @ WRITE SYS$OUTPUT "*** Installing development files" @ ! Install header files - CREATE/DIR ossl_installroot:[include.openssl] @@ -574,9 +562,29 @@ _install_dev_ns : check_INSTALLTOP map { "COPY/PROT=W:R $_.OLB ossl_installroot:[LIB.'arch']" } @install_libs) -} -install_dev : install_shared _install_dev_ns +install_engines : check_INSTALLTOP install_runtime_libs build_engines + @ {- output_off() unless scalar @{$unified_info{engines}}; "" -} ! + @ WRITE SYS$OUTPUT "*** Installing engines" + - CREATE/DIR ossl_installroot:[ENGINES{- $sover_dirname.$target{pointer_size} -}.'arch'] + {- join("\n ", + map { "COPY/PROT=W:RE $_.EXE ossl_installroot:[ENGINES$sover_dirname$target{pointer_size}.'arch']" } + @{$unified_info{install}->{engines}}) -} + @ {- output_on() unless scalar @{$unified_info{engines}}; "" -} ! -_install_runtime_ns : check_INSTALLTOP +install_runtime: install_programs + +install_runtime_libs : check_INSTALLTOP build_libs + @ {- output_off() if $disabled{shared}; "" -} ! + @ WRITE SYS$OUTPUT "*** Installing shareable images" + @ ! Install shared (runtime) libraries + - CREATE/DIR ossl_installroot:[LIB.'arch'] + {- join("\n ", + map { "COPY/PROT=W:R $_.EXE ossl_installroot:[LIB.'arch']" } + @install_shlibs) -} + @ {- output_on() if $disabled{shared}; "" -} ! + +install_programs : check_INSTALLTOP install_runtime_libs build_programs + @ {- output_off() if $disabled{apps}; "" -} ! @ ! Install the main program - CREATE/DIR ossl_installroot:[EXE.'arch'] COPY/PROT=W:RE [.APPS]openssl.EXE - @@ -585,17 +593,6 @@ _install_runtime_ns : check_INSTALLTOP COPY/PROT=W:RE $(BIN_SCRIPTS) ossl_installroot:[EXE] @ ! {- output_on() if $disabled{apps}; "" -} -install_runtime : install_shared _install_runtime_ns - -install_engines : check_INSTALLTOP - @ {- output_off() unless scalar @{$unified_info{engines}}; "" -} ! - @ WRITE SYS$OUTPUT "*** Installing engines" - - CREATE/DIR ossl_installroot:[ENGINES{- $sover_dirname.$target{pointer_size} -}.'arch'] - {- join("\n ", - map { "COPY/PROT=W:RE $_.EXE ossl_installroot:[ENGINES$sover_dirname$target{pointer_size}.'arch']" } - @{$unified_info{install}->{engines}}) -} - @ {- output_on() unless scalar @{$unified_info{engines}}; "" -} ! - install_startup : [.VMS]openssl_startup.com [.VMS]openssl_shutdown.com - [.VMS]openssl_utils.com, check_INSTALLTOP - CREATE/DIR ossl_installroot:[SYS$STARTUP] diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index bac56df..8b4b6fe 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -441,7 +441,7 @@ depend: # Install helper targets ############################################# -install_sw: all install_dev install_engines install_runtime +install_sw: install_dev install_engines install_runtime uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev @@ -495,7 +495,7 @@ install_ssldirs: chmod 644 $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf; \ fi -install_dev: +install_dev: install_runtime_libs @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @$(ECHO) "*** Installing development files" @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/include/openssl @@ -528,11 +528,6 @@ install_dev: fn1=`basename $$s1`; \ fn2=`basename $$s2`; \ : {- output_off(); output_on() unless windowsdll() or sharedaix(); "" -}; \ - $(ECHO) "install $$s1 -> $(DESTDIR)$(libdir)/$$fn1"; \ - cp $$s1 $(DESTDIR)$(libdir)/$$fn1.new; \ - chmod 755 $(DESTDIR)$(libdir)/$$fn1.new; \ - mv -f $(DESTDIR)$(libdir)/$$fn1.new \ - $(DESTDIR)$(libdir)/$$fn1; \ if [ "$$fn1" != "$$fn2" ]; then \ $(ECHO) "link $(DESTDIR)$(libdir)/$$fn2 -> $(DESTDIR)$(libdir)/$$fn1"; \ ln -sf $$fn1 $(DESTDIR)$(libdir)/$$fn2; \ @@ -572,7 +567,7 @@ install_dev: @cp openssl.pc $(DESTDIR)$(libdir)/pkgconfig @chmod 644 $(DESTDIR)$(libdir)/pkgconfig/openssl.pc -uninstall_dev: +uninstall_dev: uninstall_runtime_libs @$(ECHO) "*** Uninstalling development files" @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} @$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c" @@ -616,7 +611,7 @@ uninstall_dev: -$(RMDIR) $(DESTDIR)$(libdir)/pkgconfig -$(RMDIR) $(DESTDIR)$(libdir) -install_engines: +install_engines: install_runtime_libs build_engines @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(ENGINESDIR)/ @$(ECHO) "*** Installing engines" @@ -643,13 +638,14 @@ uninstall_engines: done -$(RMDIR) $(DESTDIR)$(ENGINESDIR) -install_runtime: +install_runtime: install_programs + +install_runtime_libs: build_libs @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/bin @ : {- output_off() if windowsdll(); "" -} @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(libdir) @ : {- output_on() if windowsdll(); "" -} - @$(ECHO) "*** Installing runtime files" + @$(ECHO) "*** Installing runtime libraries" @set -e; for s in dummy $(INSTALL_SHLIBS); do \ if [ "$$s" = "dummy" ]; then continue; fi; \ fn=`basename $$s`; \ @@ -667,6 +663,11 @@ install_runtime: $(DESTDIR)$(libdir)/$$fn; \ : {- output_on() if windowsdll(); "" -}; \ done + +install_programs: install_runtime_libs build_programs + @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) + @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/bin + @$(ECHO) "*** Installing runtime programs" @set -e; for x in dummy $(INSTALL_PROGRAMS); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ @@ -686,8 +687,10 @@ install_runtime: $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \ done -uninstall_runtime: - @$(ECHO) "*** Uninstalling runtime files" +uninstall_runtime: uninstall_programs uninstall_runtime_libs + +uninstall_programs: + @$(ECHO) "*** Uninstalling runtime programs" @set -e; for x in dummy $(INSTALL_PROGRAMS); \ do \ if [ "$$x" = "dummy" ]; then continue; fi; \ @@ -702,6 +705,10 @@ uninstall_runtime: $(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \ $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \ done + -$(RMDIR) $(DESTDIR)$(INSTALLTOP)/bin + +uninstall_runtime_libs: + @$(ECHO) "*** Uninstalling runtime libraries" @ : {- output_off() unless windowsdll(); "" -} @set -e; for s in dummy $(INSTALL_SHLIBS); do \ if [ "$$s" = "dummy" ]; then continue; fi; \ @@ -710,7 +717,6 @@ uninstall_runtime: $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \ done @ : {- output_on() unless windowsdll(); "" -} - -$(RMDIR) $(DESTDIR)$(INSTALLTOP)/bin install_man_docs: diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index 45c9280..e1426cc 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl @@ -387,7 +387,7 @@ depend: # Install helper targets ############################################# -install_sw: all install_dev install_engines install_runtime +install_sw: install_dev install_engines install_runtime uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev @@ -412,7 +412,7 @@ install_ssldirs: "$(PERL)" "$(SRCDIR)\util\copy.pl" "$(SRCDIR)\apps\ct_log_list.cnf" \ "$(OPENSSLDIR)\ct_log_list.cnf" -install_dev: +install_dev: install_runtime_libs @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) @$(ECHO) "*** Installing development files" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\include\openssl" @@ -432,7 +432,7 @@ install_dev: uninstall_dev: -install_engines: +install_engines: install_runtime_libs build_engines @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) @$(ECHO) "*** Installing engines" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(ENGINESDIR)" @@ -443,15 +443,22 @@ install_engines: uninstall_engines: -install_runtime: +install_runtime: install_programs + +install_runtime_libs: build_libs @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) - @$(ECHO) "*** Installing runtime files" + @$(ECHO) "*** Installing runtime libraries" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\bin" @if not "$(SHLIBS)"=="" \ "$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_SHLIBS) "$(INSTALLTOP)\bin" @if not "$(SHLIBS)"=="" \ "$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_SHLIBPDBS) \ "$(INSTALLTOP)\bin" + +install_programs: install_runtime_libs build_programs + @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) + @$(ECHO) "*** Installing runtime programs" + @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\bin" @"$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_PROGRAMS) \ "$(INSTALLTOP)\bin" @"$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_PROGRAMPDBS) \ From levitte at openssl.org Fri Nov 9 05:21:07 2018 From: levitte at openssl.org (Richard Levitte) Date: Fri, 09 Nov 2018 05:21:07 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541740867.337212.24601.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 201a33f4abb639527da28e83e6ae782907a1c114 (commit) via d582f154695e5fd908bc86743432dc9b5866417b (commit) from 0178459aa17a87e6450903be985e92e46eb3095e (commit) - Log ----------------------------------------------------------------- commit 201a33f4abb639527da28e83e6ae782907a1c114 Author: Richard Levitte Date: Wed Nov 7 16:13:57 2018 +0100 Have install targets depend on more precise build targets We only had the main 'install' target depend on 'all'. This changes the dependencies so targets like install_dev, install_runtime_libs, install_engines and install_programs depend on build targets that are correspond to them more specifically. This increases the parallel possibilities. Fixes #7466 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7583) (cherry picked from commit e8d01a608705e4320082a11a3870aa7e19c7290f) commit d582f154695e5fd908bc86743432dc9b5866417b Author: Richard Levitte Date: Thu Oct 25 09:09:20 2018 +0200 Allow parallel install When trying 'make -j{n} install', you may occasionally run into trouble because to sub-targets (install_dev and install_runtime) try to install the same shared libraries. That makes parallel install difficult. This is solved by dividing install_runtime into two parts, one for libraries and one for programs, and have install_dev depend on install_runtime_libs instead of installing the shared runtime libraries itself. Fixes #7466 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7583) (cherry picked from commit c1123d9f7efb005a109aeccaba82c40bf9bd4c1d) ----------------------------------------------------------------------- Summary of changes: Configurations/descrip.mms.tmpl | 53 +++++++++++++++++------------------- Configurations/unix-Makefile.tmpl | 36 ++++++++++++++---------- Configurations/windows-makefile.tmpl | 17 ++++++++---- 3 files changed, 58 insertions(+), 48 deletions(-) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 0c2695d..6e393e3 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -513,12 +513,10 @@ descrip.mms : FORCE # Install helper targets ############################################# -install_sw : all install_shared _install_dev_ns - - install_engines _install_runtime_ns - +install_sw : install_dev install_engines install_runtime - install_startup install_ivp -uninstall_sw : uninstall_shared _uninstall_dev_ns - - uninstall_engines _uninstall_runtime_ns - +uninstall_sw : uninstall_dev uninstall_engines uninstall_runtime - uninstall_startup uninstall_ivp install_docs : install_html_docs @@ -547,17 +545,7 @@ install_ssldirs : check_INSTALLTOP COPY/PROT=W:R {- sourcefile("apps", "ct_log_list.cnf") -} - ossl_dataroot:[000000]ct_log_list.cnf -install_shared : check_INSTALLTOP - @ {- output_off() if $disabled{shared}; "" -} ! - @ WRITE SYS$OUTPUT "*** Installing shareable images" - @ ! Install shared (runtime) libraries - - CREATE/DIR ossl_installroot:[LIB.'arch'] - {- join("\n ", - map { "COPY/PROT=W:R $_.EXE ossl_installroot:[LIB.'arch']" } - @install_shlibs) -} - @ {- output_on() if $disabled{shared}; "" -} ! - -_install_dev_ns : check_INSTALLTOP +install_dev : check_INSTALLTOP install_runtime_libs @ WRITE SYS$OUTPUT "*** Installing development files" @ ! Install header files - CREATE/DIR ossl_installroot:[include.openssl] @@ -568,9 +556,29 @@ _install_dev_ns : check_INSTALLTOP map { "COPY/PROT=W:R $_.OLB ossl_installroot:[LIB.'arch']" } @install_libs) -} -install_dev : install_shared _install_dev_ns +install_engines : check_INSTALLTOP install_runtime_libs build_engines + @ {- output_off() unless scalar @{$unified_info{engines}}; "" -} ! + @ WRITE SYS$OUTPUT "*** Installing engines" + - CREATE/DIR ossl_installroot:[ENGINES{- $sover_dirname.$target{pointer_size} -}.'arch'] + {- join("\n ", + map { "COPY/PROT=W:RE $_.EXE ossl_installroot:[ENGINES$sover_dirname$target{pointer_size}.'arch']" } + @{$unified_info{install}->{engines}}) -} + @ {- output_on() unless scalar @{$unified_info{engines}}; "" -} ! -_install_runtime_ns : check_INSTALLTOP +install_runtime: install_programs + +install_runtime_libs : check_INSTALLTOP build_libs + @ {- output_off() if $disabled{shared}; "" -} ! + @ WRITE SYS$OUTPUT "*** Installing shareable images" + @ ! Install shared (runtime) libraries + - CREATE/DIR ossl_installroot:[LIB.'arch'] + {- join("\n ", + map { "COPY/PROT=W:R $_.EXE ossl_installroot:[LIB.'arch']" } + @install_shlibs) -} + @ {- output_on() if $disabled{shared}; "" -} ! + +install_programs : check_INSTALLTOP install_runtime_libs build_programs + @ {- output_off() if $disabled{apps}; "" -} ! @ ! Install the main program - CREATE/DIR ossl_installroot:[EXE.'arch'] COPY/PROT=W:RE [.APPS]openssl.EXE - @@ -579,17 +587,6 @@ _install_runtime_ns : check_INSTALLTOP COPY/PROT=W:RE $(BIN_SCRIPTS) ossl_installroot:[EXE] @ ! {- output_on() if $disabled{apps}; "" -} -install_runtime : install_shared _install_runtime_ns - -install_engines : check_INSTALLTOP - @ {- output_off() unless scalar @{$unified_info{engines}}; "" -} ! - @ WRITE SYS$OUTPUT "*** Installing engines" - - CREATE/DIR ossl_installroot:[ENGINES{- $sover_dirname.$target{pointer_size} -}.'arch'] - {- join("\n ", - map { "COPY/PROT=W:RE $_.EXE ossl_installroot:[ENGINES$sover_dirname$target{pointer_size}.'arch']" } - @{$unified_info{install}->{engines}}) -} - @ {- output_on() unless scalar @{$unified_info{engines}}; "" -} ! - install_startup : [.VMS]openssl_startup.com [.VMS]openssl_shutdown.com - [.VMS]openssl_utils.com, check_INSTALLTOP - CREATE/DIR ossl_installroot:[SYS$STARTUP] diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index fe8a220..7de614a 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -437,7 +437,7 @@ depend: # Install helper targets ############################################# -install_sw: all install_dev install_engines install_runtime +install_sw: install_dev install_engines install_runtime uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev @@ -491,7 +491,7 @@ install_ssldirs: chmod 644 $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf; \ fi -install_dev: +install_dev: install_runtime_libs @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @$(ECHO) "*** Installing development files" @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/include/openssl @@ -524,11 +524,6 @@ install_dev: fn1=`basename $$s1`; \ fn2=`basename $$s2`; \ : {- output_off(); output_on() unless windowsdll() or sharedaix(); "" -}; \ - $(ECHO) "install $$s1 -> $(DESTDIR)$(libdir)/$$fn1"; \ - cp $$s1 $(DESTDIR)$(libdir)/$$fn1.new; \ - chmod 755 $(DESTDIR)$(libdir)/$$fn1.new; \ - mv -f $(DESTDIR)$(libdir)/$$fn1.new \ - $(DESTDIR)$(libdir)/$$fn1; \ if [ "$$fn1" != "$$fn2" ]; then \ $(ECHO) "link $(DESTDIR)$(libdir)/$$fn2 -> $(DESTDIR)$(libdir)/$$fn1"; \ ln -sf $$fn1 $(DESTDIR)$(libdir)/$$fn2; \ @@ -568,7 +563,7 @@ install_dev: @cp openssl.pc $(DESTDIR)$(libdir)/pkgconfig @chmod 644 $(DESTDIR)$(libdir)/pkgconfig/openssl.pc -uninstall_dev: +uninstall_dev: uninstall_runtime_libs @$(ECHO) "*** Uninstalling development files" @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} @$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c" @@ -612,7 +607,7 @@ uninstall_dev: -$(RMDIR) $(DESTDIR)$(libdir)/pkgconfig -$(RMDIR) $(DESTDIR)$(libdir) -install_engines: +install_engines: install_runtime_libs build_engines @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(ENGINESDIR)/ @$(ECHO) "*** Installing engines" @@ -639,13 +634,14 @@ uninstall_engines: done -$(RMDIR) $(DESTDIR)$(ENGINESDIR) -install_runtime: +install_runtime: install_programs + +install_runtime_libs: build_libs @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/bin @ : {- output_off() if windowsdll(); "" -} @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(libdir) @ : {- output_on() if windowsdll(); "" -} - @$(ECHO) "*** Installing runtime files" + @$(ECHO) "*** Installing runtime libraries" @set -e; for s in dummy $(INSTALL_SHLIBS); do \ if [ "$$s" = "dummy" ]; then continue; fi; \ fn=`basename $$s`; \ @@ -663,6 +659,11 @@ install_runtime: $(DESTDIR)$(libdir)/$$fn; \ : {- output_on() if windowsdll(); "" -}; \ done + +install_programs: install_runtime_libs build_programs + @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) + @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/bin + @$(ECHO) "*** Installing runtime programs" @set -e; for x in dummy $(INSTALL_PROGRAMS); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ @@ -682,8 +683,10 @@ install_runtime: $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \ done -uninstall_runtime: - @$(ECHO) "*** Uninstalling runtime files" +uninstall_runtime: uninstall_programs uninstall_runtime_libs + +uninstall_programs: + @$(ECHO) "*** Uninstalling runtime programs" @set -e; for x in dummy $(INSTALL_PROGRAMS); \ do \ if [ "$$x" = "dummy" ]; then continue; fi; \ @@ -698,6 +701,10 @@ uninstall_runtime: $(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \ $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \ done + -$(RMDIR) $(DESTDIR)$(INSTALLTOP)/bin + +uninstall_runtime_libs: + @$(ECHO) "*** Uninstalling runtime libraries" @ : {- output_off() unless windowsdll(); "" -} @set -e; for s in dummy $(INSTALL_SHLIBS); do \ if [ "$$s" = "dummy" ]; then continue; fi; \ @@ -706,7 +713,6 @@ uninstall_runtime: $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \ done @ : {- output_on() unless windowsdll(); "" -} - -$(RMDIR) $(DESTDIR)$(INSTALLTOP)/bin install_man_docs: diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index f8fae48..d420bff 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl @@ -383,7 +383,7 @@ depend: # Install helper targets ############################################# -install_sw: all install_dev install_engines install_runtime +install_sw: install_dev install_engines install_runtime uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev @@ -408,7 +408,7 @@ install_ssldirs: "$(PERL)" "$(SRCDIR)\util\copy.pl" "$(SRCDIR)\apps\ct_log_list.cnf" \ "$(OPENSSLDIR)\ct_log_list.cnf" -install_dev: +install_dev: install_runtime_libs @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) @$(ECHO) "*** Installing development files" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\include\openssl" @@ -428,7 +428,7 @@ install_dev: uninstall_dev: -install_engines: +install_engines: install_runtime_libs build_engines @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) @$(ECHO) "*** Installing engines" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(ENGINESDIR)" @@ -439,15 +439,22 @@ install_engines: uninstall_engines: -install_runtime: +install_runtime: install_programs + +install_runtime_libs: build_libs @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) - @$(ECHO) "*** Installing runtime files" + @$(ECHO) "*** Installing runtime libraries" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\bin" @if not "$(SHLIBS)"=="" \ "$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_SHLIBS) "$(INSTALLTOP)\bin" @if not "$(SHLIBS)"=="" \ "$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_SHLIBPDBS) \ "$(INSTALLTOP)\bin" + +install_programs: install_runtime_libs build_programs + @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) + @$(ECHO) "*** Installing runtime programs" + @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\bin" @"$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_PROGRAMS) \ "$(INSTALLTOP)\bin" @"$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_PROGRAMPDBS) \ From levitte at openssl.org Fri Nov 9 05:26:44 2018 From: levitte at openssl.org (Richard Levitte) Date: Fri, 09 Nov 2018 05:26:44 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_0-stable update Message-ID: <1541741204.545264.26058.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_0-stable has been updated via 2801f671288d592b29a38c6098f53e6f3221d27a (commit) via 82ca431857bf5ef2ce85d14f432dc1dec9c95e3c (commit) from 26d7fce13d469f8d1a1b42131467ed4a65f8137b (commit) - Log ----------------------------------------------------------------- commit 2801f671288d592b29a38c6098f53e6f3221d27a Author: Richard Levitte Date: Wed Nov 7 16:13:57 2018 +0100 Have install targets depend on more precise build targets We only had the main 'install' target depend on 'all'. This changes the dependencies so targets like install_dev, install_runtime_libs, install_engines and install_programs depend on build targets that are correspond to them more specifically. This increases the parallel possibilities. Fixes #7466 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7583) (cherry picked from commit e8d01a608705e4320082a11a3870aa7e19c7290f) commit 82ca431857bf5ef2ce85d14f432dc1dec9c95e3c Author: Richard Levitte Date: Thu Oct 25 09:09:20 2018 +0200 Allow parallel install When trying 'make -j{n} install', you may occasionally run into trouble because to sub-targets (install_dev and install_runtime) try to install the same shared libraries. That makes parallel install difficult. This is solved by dividing install_runtime into two parts, one for libraries and one for programs, and have install_dev depend on install_runtime_libs instead of installing the shared runtime libraries itself. Fixes #7466 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7583) (cherry picked from commit c1123d9f7efb005a109aeccaba82c40bf9bd4c1d) ----------------------------------------------------------------------- Summary of changes: Configurations/descrip.mms.tmpl | 53 +++++++++++++++++------------------- Configurations/unix-Makefile.tmpl | 27 ++++++++++++------ Configurations/windows-makefile.tmpl | 17 ++++++++---- 3 files changed, 56 insertions(+), 41 deletions(-) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 7e3356f..552decf 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -368,12 +368,10 @@ descrip.mms : FORCE # Install helper targets ############################################# -install_sw : all install_shared _install_dev_ns - - install_engines _install_runtime_ns - +install_sw : install_dev install_engines install_runtime - install_startup install_ivp -uninstall_sw : uninstall_shared _uninstall_dev_ns - - uninstall_engines _uninstall_runtime_ns - +uninstall_sw : uninstall_dev uninstall_engines uninstall_runtime - uninstall_startup uninstall_ivp install_docs : install_html_docs @@ -396,17 +394,7 @@ install_ssldirs : check_INSTALLTOP COPY/PROT=W:R {- sourcefile("apps", "openssl-vms.cnf") -} - ossl_dataroot:[000000]openssl.cnf -install_shared : check_INSTALLTOP - @ {- output_off() if $disabled{shared}; "" -} ! - @ WRITE SYS$OUTPUT "*** Installing shareable images" - @ ! Install shared (runtime) libraries - - CREATE/DIR ossl_installroot:[LIB.'arch'] - {- join("\n ", - map { "COPY/PROT=W:R $_.EXE ossl_installroot:[LIB.'arch']" } - @install_shlibs) -} - @ {- output_on() if $disabled{shared}; "" -} ! - -_install_dev_ns : check_INSTALLTOP +install_dev : check_INSTALLTOP install_runtime_libs @ WRITE SYS$OUTPUT "*** Installing development files" @ ! Install header files - CREATE/DIR ossl_installroot:[include.openssl] @@ -417,9 +405,29 @@ _install_dev_ns : check_INSTALLTOP map { "COPY/PROT=W:R $_.OLB ossl_installroot:[LIB.'arch']" } @{$unified_info{install}->{libraries}}) -} -install_dev : install_shared _install_dev_ns +install_engines : check_INSTALLTOP install_runtime_libs build_engines + @ {- output_off() unless scalar @{$unified_info{engines}}; "" -} ! + @ WRITE SYS$OUTPUT "*** Installing engines" + - CREATE/DIR ossl_installroot:[ENGINES{- $sover.$target{pointer_size} -}.'arch'] + {- join("\n ", + map { "COPY/PROT=W:RE $_.EXE ossl_installroot:[ENGINES$sover$target{pointer_size}.'arch']" } + @{$unified_info{install}->{engines}}) -} + @ {- output_on() unless scalar @{$unified_info{engines}}; "" -} ! -_install_runtime_ns : check_INSTALLTOP +install_runtime: install_programs + +install_runtime_libs : check_INSTALLTOP build_libs + @ {- output_off() if $disabled{shared}; "" -} ! + @ WRITE SYS$OUTPUT "*** Installing shareable images" + @ ! Install shared (runtime) libraries + - CREATE/DIR ossl_installroot:[LIB.'arch'] + {- join("\n ", + map { "COPY/PROT=W:R $_.EXE ossl_installroot:[LIB.'arch']" } + @install_shlibs) -} + @ {- output_on() if $disabled{shared}; "" -} ! + +install_programs : check_INSTALLTOP install_runtime_libs build_programs + @ {- output_off() if $disabled{apps}; "" -} ! @ ! Install the main program - CREATE/DIR ossl_installroot:[EXE.'arch'] COPY/PROT=W:RE [.APPS]openssl.EXE - @@ -428,17 +436,6 @@ _install_runtime_ns : check_INSTALLTOP COPY/PROT=W:RE $(BIN_SCRIPTS) ossl_installroot:[EXE] @ ! {- output_on() if $disabled{apps}; "" -} -install_runtime : install_shared _install_runtime_ns - -install_engines : check_INSTALLTOP - @ {- output_off() unless scalar @{$unified_info{engines}}; "" -} ! - @ WRITE SYS$OUTPUT "*** Installing engines" - - CREATE/DIR ossl_installroot:[ENGINES{- $sover.$target{pointer_size} -}.'arch'] - {- join("\n ", - map { "COPY/PROT=W:RE $_.EXE ossl_installroot:[ENGINES$sover$target{pointer_size}.'arch']" } - @{$unified_info{install}->{engines}}) -} - @ {- output_on() unless scalar @{$unified_info{engines}}; "" -} ! - install_startup : [.VMS]openssl_startup.com [.VMS]openssl_shutdown.com - [.VMS]openssl_utils.com, check_INSTALLTOP - CREATE/DIR ossl_installroot:[SYS$STARTUP] diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 034d93e..181b618 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -323,7 +323,7 @@ depend: # Install helper targets ############################################# -install_sw: all install_dev install_engines install_runtime +install_sw: install_dev install_engines install_runtime uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev @@ -355,7 +355,7 @@ install_ssldirs: chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \ fi -install_dev: +install_dev: install_runtime_libs @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @echo "*** Installing development files" @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/include/openssl @@ -461,7 +461,7 @@ uninstall_dev: -$(RMDIR) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig -$(RMDIR) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR) -install_engines: +install_engines: install_runtime_libs build_engines @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(ENGINESDIR)/ @echo "*** Installing engines" @@ -488,9 +488,10 @@ uninstall_engines: done -$(RMDIR) $(DESTDIR)$(ENGINESDIR) -install_runtime: +install_runtime: install_programs + +install_runtime_libs: build_libs @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) - @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/bin @ : {- output_off() if windowsdll(); "" -} @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/$(LIBDIR) @ : {- output_on() if windowsdll(); "" -} @@ -512,6 +513,11 @@ install_runtime: $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn; \ : {- output_on() if windowsdll(); "" -}; \ done + +install_programs: install_runtime_libs build_programs + @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) + @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/bin + @$(ECHO) "*** Installing runtime programs" @set -e; for x in dummy $(INSTALL_PROGRAMS); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ @@ -531,8 +537,10 @@ install_runtime: $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \ done -uninstall_runtime: - @echo "*** Uninstalling runtime files" +uninstall_runtime: uninstall_programs uninstall_runtime_libs + +uninstall_programs: + @echo "*** Uninstalling runtime programs" @set -e; for x in dummy $(INSTALL_PROGRAMS); \ do \ if [ "$$x" = "dummy" ]; then continue; fi; \ @@ -547,6 +555,10 @@ uninstall_runtime: echo "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \ $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \ done + -$(RMDIR) $(DESTDIR)$(INSTALLTOP)/bin + +uninstall_runtime_libs: + @$(ECHO) "*** Uninstalling runtime libraries" @ : {- output_off() unless windowsdll(); "" -} @set -e; for s in dummy $(INSTALL_SHLIBS); do \ if [ "$$s" = "dummy" ]; then continue; fi; \ @@ -555,7 +567,6 @@ uninstall_runtime: $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \ done @ : {- output_on() unless windowsdll(); "" -} - -$(RMDIR) $(DESTDIR)$(INSTALLTOP)/bin install_man_docs: diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index 40dc41d..ef5af42 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl @@ -267,7 +267,7 @@ depend: # Install helper targets ############################################# -install_sw: all install_dev install_engines install_runtime +install_sw: install_dev install_engines install_runtime uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev @@ -287,7 +287,7 @@ install_ssldirs: @"$(PERL)" "$(SRCDIR)\util\copy.pl" $(MISC_SCRIPTS) \ "$(OPENSSLDIR)\misc" -install_dev: +install_dev: install_runtime_libs @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) @$(ECHO) "*** Installing development files" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\include\openssl" @@ -309,7 +309,7 @@ install_dev: uninstall_dev: -install_engines: +install_engines: install_runtime_libs build_engines @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) @$(ECHO) "*** Installing engines" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(ENGINESDIR)" @@ -320,15 +320,22 @@ install_engines: uninstall_engines: -install_runtime: +install_runtime: install_programs + +install_runtime_libs: build_libs @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) - @$(ECHO) "*** Installing runtime files" + @$(ECHO) "*** Installing runtime libraries" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\bin" @if not "$(SHLIBS)"=="" \ "$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_SHLIBS) "$(INSTALLTOP)\bin" @if not "$(SHLIBS)"=="" \ "$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_SHLIBPDBS) \ "$(INSTALLTOP)\bin" + +install_programs: install_runtime_libs build_programs + @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) + @$(ECHO) "*** Installing runtime programs" + @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\bin" @"$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_PROGRAMS) \ "$(INSTALLTOP)\bin" @"$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_PROGRAMPDBS) \ From builds at travis-ci.org Fri Nov 9 05:54:43 2018 From: builds at travis-ci.org (Travis CI) Date: Fri, 09 Nov 2018 05:54:43 +0000 Subject: [openssl-commits] Broken: openssl/openssl#21604 (OpenSSL_1_1_0-stable - 2801f67) In-Reply-To: Message-ID: <5be5212385f4d_43faeb249eee018236b@a4168ccc-600e-415c-b0eb-6ebe8d5fe39b.mail> Build Update for openssl/openssl ------------------------------------- Build: #21604 Status: Broken Duration: 18 mins and 51 secs Commit: 2801f67 (OpenSSL_1_1_0-stable) Author: Richard Levitte Message: Have install targets depend on more precise build targets We only had the main 'install' target depend on 'all'. This changes the dependencies so targets like install_dev, install_runtime_libs, install_engines and install_programs depend on build targets that are correspond to them more specifically. This increases the parallel possibilities. Fixes #7466 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7583) (cherry picked from commit e8d01a608705e4320082a11a3870aa7e19c7290f) View the changeset: https://github.com/openssl/openssl/compare/26d7fce13d46...2801f671288d View the full build log and details: https://travis-ci.org/openssl/openssl/builds/452723869?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From levitte at openssl.org Fri Nov 9 11:29:23 2018 From: levitte at openssl.org (Richard Levitte) Date: Fri, 09 Nov 2018 11:29:23 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541762963.816066.9600.nullmailer@dev.openssl.org> The branch master has been updated via e9994901f835420764d020968d4588fc09ec74c3 (commit) from e8d01a608705e4320082a11a3870aa7e19c7290f (commit) - Log ----------------------------------------------------------------- commit e9994901f835420764d020968d4588fc09ec74c3 Author: Richard Levitte Date: Fri Nov 9 12:23:53 2018 +0100 VMS build: colon after target must be separated with a space ... otherwise, it's taken to be part of a device name. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7602) ----------------------------------------------------------------------- Summary of changes: Configurations/descrip.mms.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index ae555d5..71660b3 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -571,7 +571,7 @@ install_engines : check_INSTALLTOP install_runtime_libs build_engines @{$unified_info{install}->{engines}}) -} @ {- output_on() unless scalar @{$unified_info{engines}}; "" -} ! -install_runtime: install_programs +install_runtime : install_programs install_runtime_libs : check_INSTALLTOP build_libs @ {- output_off() if $disabled{shared}; "" -} ! From levitte at openssl.org Fri Nov 9 11:30:21 2018 From: levitte at openssl.org (Richard Levitte) Date: Fri, 09 Nov 2018 11:30:21 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541763021.316842.10626.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 37044f45579368faa5c6fb2f2f71de8fd7f21ab2 (commit) from 201a33f4abb639527da28e83e6ae782907a1c114 (commit) - Log ----------------------------------------------------------------- commit 37044f45579368faa5c6fb2f2f71de8fd7f21ab2 Author: Richard Levitte Date: Fri Nov 9 12:23:53 2018 +0100 VMS build: colon after target must be separated with a space ... otherwise, it's taken to be part of a device name. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7602) (cherry picked from commit e9994901f835420764d020968d4588fc09ec74c3) ----------------------------------------------------------------------- Summary of changes: Configurations/descrip.mms.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 6e393e3..40876bd 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -565,7 +565,7 @@ install_engines : check_INSTALLTOP install_runtime_libs build_engines @{$unified_info{install}->{engines}}) -} @ {- output_on() unless scalar @{$unified_info{engines}}; "" -} ! -install_runtime: install_programs +install_runtime : install_programs install_runtime_libs : check_INSTALLTOP build_libs @ {- output_off() if $disabled{shared}; "" -} ! From levitte at openssl.org Fri Nov 9 11:31:23 2018 From: levitte at openssl.org (Richard Levitte) Date: Fri, 09 Nov 2018 11:31:23 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_0-stable update Message-ID: <1541763083.778528.11561.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_0-stable has been updated via 401e1c9d9d2202fff557f6286f47214803bf7e15 (commit) from 2801f671288d592b29a38c6098f53e6f3221d27a (commit) - Log ----------------------------------------------------------------- commit 401e1c9d9d2202fff557f6286f47214803bf7e15 Author: Richard Levitte Date: Fri Nov 9 12:23:53 2018 +0100 VMS build: colon after target must be separated with a space ... otherwise, it's taken to be part of a device name. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7602) (cherry picked from commit e9994901f835420764d020968d4588fc09ec74c3) ----------------------------------------------------------------------- Summary of changes: Configurations/descrip.mms.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 552decf..7399288 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -414,7 +414,7 @@ install_engines : check_INSTALLTOP install_runtime_libs build_engines @{$unified_info{install}->{engines}}) -} @ {- output_on() unless scalar @{$unified_info{engines}}; "" -} ! -install_runtime: install_programs +install_runtime : install_programs install_runtime_libs : check_INSTALLTOP build_libs @ {- output_off() if $disabled{shared}; "" -} ! From builds at travis-ci.org Fri Nov 9 12:06:58 2018 From: builds at travis-ci.org (Travis CI) Date: Fri, 09 Nov 2018 12:06:58 +0000 Subject: [openssl-commits] Still Failing: openssl/openssl#21614 (OpenSSL_1_1_0-stable - 401e1c9) In-Reply-To: Message-ID: <5be57861e6c09_43faeb249fea82717f2@a4168ccc-600e-415c-b0eb-6ebe8d5fe39b.mail> Build Update for openssl/openssl ------------------------------------- Build: #21614 Status: Still Failing Duration: 17 mins and 59 secs Commit: 401e1c9 (OpenSSL_1_1_0-stable) Author: Richard Levitte Message: VMS build: colon after target must be separated with a space ... otherwise, it's taken to be part of a device name. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7602) (cherry picked from commit e9994901f835420764d020968d4588fc09ec74c3) View the changeset: https://github.com/openssl/openssl/compare/2801f671288d...401e1c9d9d22 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/452830345?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From bernd.edlinger at hotmail.de Fri Nov 9 12:36:56 2018 From: bernd.edlinger at hotmail.de (bernd.edlinger at hotmail.de) Date: Fri, 09 Nov 2018 12:36:56 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541767016.361280.20466.nullmailer@dev.openssl.org> The branch master has been updated via e2d227bb4a25bb75354a40816439630a8162f073 (commit) from e9994901f835420764d020968d4588fc09ec74c3 (commit) - Log ----------------------------------------------------------------- commit e2d227bb4a25bb75354a40816439630a8162f073 Author: Bernd Edlinger Date: Wed Nov 7 21:53:30 2018 +0100 Fix issues with do_rand_init/rand_cleanup_int Fixes #7022 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7588) ----------------------------------------------------------------------- Summary of changes: crypto/rand/rand_lib.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 277403c..d8639c4 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -31,7 +31,7 @@ int rand_fork_count; static CRYPTO_RWLOCK *rand_nonce_lock; static int rand_nonce_count; -static int rand_cleaning_up = 0; +static int rand_inited = 0; #ifdef OPENSSL_RAND_SEED_RDTSC /* @@ -319,13 +319,15 @@ DEFINE_RUN_ONCE_STATIC(do_rand_init) if (rand_nonce_lock == NULL) goto err2; - if (!rand_cleaning_up && !rand_pool_init()) + if (!rand_pool_init()) goto err3; + rand_inited = 1; return 1; err3: - rand_pool_cleanup(); + CRYPTO_THREAD_lock_free(rand_nonce_lock); + rand_nonce_lock = NULL; err2: CRYPTO_THREAD_lock_free(rand_meth_lock); rand_meth_lock = NULL; @@ -341,7 +343,8 @@ void rand_cleanup_int(void) { const RAND_METHOD *meth = default_RAND_meth; - rand_cleaning_up = 1; + if (!rand_inited) + return; if (meth != NULL && meth->cleanup != NULL) meth->cleanup(); @@ -355,6 +358,7 @@ void rand_cleanup_int(void) rand_meth_lock = NULL; CRYPTO_THREAD_lock_free(rand_nonce_lock); rand_nonce_lock = NULL; + rand_inited = 0; } /* From bernd.edlinger at hotmail.de Fri Nov 9 12:37:45 2018 From: bernd.edlinger at hotmail.de (bernd.edlinger at hotmail.de) Date: Fri, 09 Nov 2018 12:37:45 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541767065.712995.21344.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via bdb8897691942931184c38a9ab7b69a0977829b7 (commit) from 37044f45579368faa5c6fb2f2f71de8fd7f21ab2 (commit) - Log ----------------------------------------------------------------- commit bdb8897691942931184c38a9ab7b69a0977829b7 Author: Bernd Edlinger Date: Wed Nov 7 21:53:30 2018 +0100 Fix issues with do_rand_init/rand_cleanup_int Fixes #7022 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7588) (cherry picked from commit e2d227bb4a25bb75354a40816439630a8162f073) ----------------------------------------------------------------------- Summary of changes: crypto/rand/rand_lib.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 277403c..d8639c4 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -31,7 +31,7 @@ int rand_fork_count; static CRYPTO_RWLOCK *rand_nonce_lock; static int rand_nonce_count; -static int rand_cleaning_up = 0; +static int rand_inited = 0; #ifdef OPENSSL_RAND_SEED_RDTSC /* @@ -319,13 +319,15 @@ DEFINE_RUN_ONCE_STATIC(do_rand_init) if (rand_nonce_lock == NULL) goto err2; - if (!rand_cleaning_up && !rand_pool_init()) + if (!rand_pool_init()) goto err3; + rand_inited = 1; return 1; err3: - rand_pool_cleanup(); + CRYPTO_THREAD_lock_free(rand_nonce_lock); + rand_nonce_lock = NULL; err2: CRYPTO_THREAD_lock_free(rand_meth_lock); rand_meth_lock = NULL; @@ -341,7 +343,8 @@ void rand_cleanup_int(void) { const RAND_METHOD *meth = default_RAND_meth; - rand_cleaning_up = 1; + if (!rand_inited) + return; if (meth != NULL && meth->cleanup != NULL) meth->cleanup(); @@ -355,6 +358,7 @@ void rand_cleanup_int(void) rand_meth_lock = NULL; CRYPTO_THREAD_lock_free(rand_nonce_lock); rand_nonce_lock = NULL; + rand_inited = 0; } /* From levitte at openssl.org Fri Nov 9 13:14:45 2018 From: levitte at openssl.org (Richard Levitte) Date: Fri, 09 Nov 2018 13:14:45 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_0-stable update Message-ID: <1541769285.139202.27963.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_0-stable has been updated via 4a498d0ed50f377584ebadce715fbcc2c0f53c23 (commit) from 401e1c9d9d2202fff557f6286f47214803bf7e15 (commit) - Log ----------------------------------------------------------------- commit 4a498d0ed50f377584ebadce715fbcc2c0f53c23 Author: Richard Levitte Date: Fri Nov 9 12:08:08 2018 +0100 Fix cherry-pick error A couple of $(ECHO) sneaked in from patches in newer branches Fixes #7600 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7601) ----------------------------------------------------------------------- Summary of changes: Configurations/unix-Makefile.tmpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 181b618..7254478 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -517,7 +517,7 @@ install_runtime_libs: build_libs install_programs: install_runtime_libs build_programs @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/bin - @$(ECHO) "*** Installing runtime programs" + @echo "*** Installing runtime programs" @set -e; for x in dummy $(INSTALL_PROGRAMS); do \ if [ "$$x" = "dummy" ]; then continue; fi; \ fn=`basename $$x`; \ @@ -558,7 +558,7 @@ uninstall_programs: -$(RMDIR) $(DESTDIR)$(INSTALLTOP)/bin uninstall_runtime_libs: - @$(ECHO) "*** Uninstalling runtime libraries" + @echo "*** Uninstalling runtime libraries" @ : {- output_off() unless windowsdll(); "" -} @set -e; for s in dummy $(INSTALL_SHLIBS); do \ if [ "$$s" = "dummy" ]; then continue; fi; \ From builds at travis-ci.org Fri Nov 9 13:27:56 2018 From: builds at travis-ci.org (Travis CI) Date: Fri, 09 Nov 2018 13:27:56 +0000 Subject: [openssl-commits] Fixed: openssl/openssl#21619 (OpenSSL_1_1_0-stable - 4a498d0) In-Reply-To: Message-ID: <5be58b5b990af_43fc78887278039197e@400ab93c-e0a0-4640-b1c4-54a0ffa35f46.mail> Build Update for openssl/openssl ------------------------------------- Build: #21619 Status: Fixed Duration: 12 mins and 26 secs Commit: 4a498d0 (OpenSSL_1_1_0-stable) Author: Richard Levitte Message: Fix cherry-pick error A couple of $(ECHO) sneaked in from patches in newer branches Fixes #7600 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7601) View the changeset: https://github.com/openssl/openssl/compare/401e1c9d9d22...4a498d0ed50f View the full build log and details: https://travis-ci.org/openssl/openssl/builds/452870352?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From matthias.st.pierre at ncp-e.com Fri Nov 9 23:45:52 2018 From: matthias.st.pierre at ncp-e.com (matthias.st.pierre at ncp-e.com) Date: Fri, 09 Nov 2018 23:45:52 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1541807152.586616.8022.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 59b9c67fcaf1c1e2c0e30de6facca85910ac361a (commit) from f1e5009c1c95b708b9ba21c23693f95468089419 (commit) - Log ----------------------------------------------------------------- commit 59b9c67fcaf1c1e2c0e30de6facca85910ac361a Author: Dr. Matthias St. Pierre Date: Fri Nov 9 21:37:38 2018 +0100 Fix 'no-ecdh' build Fixes #3302 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7606) ----------------------------------------------------------------------- Summary of changes: ssl/ssl_ciph.c | 8 +++++++- ssl/ssl_lib.c | 8 +++++--- ssl/t1_lib.c | 6 +++++- 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index ccdf00f..e5a500d 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1406,11 +1406,17 @@ static int ssl_cipher_process_rulestr(const char *rule_str, static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, const char **prule_str) { - unsigned int suiteb_flags = 0, suiteb_comb2 = 0; + unsigned int suiteb_flags = 0; +# ifndef OPENSSL_NO_ECDH + unsigned int suiteb_comb2 = 0; +#endif + if (strncmp(*prule_str, "SUITEB128ONLY", 13) == 0) { suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS_ONLY; } else if (strncmp(*prule_str, "SUITEB128C2", 11) == 0) { +# ifndef OPENSSL_NO_ECDH suiteb_comb2 = 1; +# endif suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS; } else if (strncmp(*prule_str, "SUITEB128", 9) == 0) { suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS; diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index aa0cbdb..cfcfe76 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2259,10 +2259,10 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) int rsa_tmp_export, dh_tmp_export, kl; unsigned long mask_k, mask_a, emask_k, emask_a; #ifndef OPENSSL_NO_ECDSA - int have_ecc_cert, ecdsa_ok, ecc_pkey_size; + int have_ecc_cert, ecdsa_ok; #endif #ifndef OPENSSL_NO_ECDH - int have_ecdh_tmp, ecdh_ok; + int have_ecdh_tmp, ecdh_ok, ecc_pkey_size; #endif #ifndef OPENSSL_NO_EC X509 *x = NULL; @@ -2405,7 +2405,9 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) if (!(cpk->valid_flags & CERT_PKEY_SIGN)) ecdsa_ok = 0; ecc_pkey = X509_get_pubkey(x); +# ifndef OPENSSL_NO_ECDH ecc_pkey_size = (ecc_pkey != NULL) ? EVP_PKEY_bits(ecc_pkey) : 0; +# endif EVP_PKEY_free(ecc_pkey); if ((x->sig_alg) && (x->sig_alg->algorithm)) { signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); @@ -2467,7 +2469,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) #define ku_reject(x, usage) \ (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) -#ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_ECDH int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) { diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 8cb8816..55f918d 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -500,7 +500,11 @@ static int tls1_get_curvelist(SSL *s, int sess, } else # endif { - if (!s->server || s->cert->ecdh_tmp_auto) { + if (!s->server +# ifndef OPENSSL_NO_ECDH + || s->cert->ecdh_tmp_auto +# endif + ) { *pcurves = eccurves_auto; pcurveslen = sizeof(eccurves_auto); } else { From nic.tuv at gmail.com Sat Nov 10 01:26:43 2018 From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Sat, 10 Nov 2018 01:26:43 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541813203.728921.20915.nullmailer@dev.openssl.org> The branch master has been updated via ecbb2fca9301ef22b15beb30c4c0303b29846935 (commit) via 2d263a4a73f852005b16359873475d48755999ad (commit) via eb7eb1378cd15c4652884b3701d4c0ef27b5b8a6 (commit) from e2d227bb4a25bb75354a40816439630a8162f073 (commit) - Log ----------------------------------------------------------------- commit ecbb2fca9301ef22b15beb30c4c0303b29846935 Author: David Woodhouse Date: Mon Oct 22 18:49:54 2018 +0100 Add EVP_PKEY_supports_digest_nid() Rather than relying only on mandatory default digests, add a way for the EVP_PKEY to individually report whether each digest algorithm is supported. Reviewed-by: Nicola Tuveri Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7408) commit 2d263a4a73f852005b16359873475d48755999ad Author: David Woodhouse Date: Tue Oct 16 07:59:46 2018 -0700 Honour mandatory digest on private key in has_usable_cert() If the private key says it can only support one specific digest, then don't ask it to perform a different one. Fixes: #7348 Reviewed-by: Nicola Tuveri Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7408) commit eb7eb1378cd15c4652884b3701d4c0ef27b5b8a6 Author: David Woodhouse Date: Tue Oct 16 07:41:17 2018 -0700 Stop marking default digest for EC keys as mandatory ASN1_PKEY_CTRL_DEFAULT_MD_NID is documented to return 2 for a mandatory digest algorithm, when the key can't support any others. That isn't true here, so return 1 instead. Partially fixes #7348 Reviewed-by: Nicola Tuveri Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7408) ----------------------------------------------------------------------- Summary of changes: crypto/ec/ec_ameth.c | 2 +- crypto/evp/p_lib.c | 20 +++++++++++ doc/man3/EVP_PKEY_ASN1_METHOD.pod | 1 + doc/man3/EVP_PKEY_get_default_digest_nid.pod | 3 +- doc/man3/EVP_PKEY_supports_digest_nid.pod | 53 ++++++++++++++++++++++++++++ include/openssl/evp.h | 2 ++ ssl/t1_lib.c | 40 +++++++++++++++------ util/libcrypto.num | 1 + 8 files changed, 110 insertions(+), 12 deletions(-) create mode 100644 doc/man3/EVP_PKEY_supports_digest_nid.pod diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index a3164b5..8b363e0 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -505,7 +505,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) case ASN1_PKEY_CTRL_DEFAULT_MD_NID: *(int *)arg2 = NID_sha256; - return 2; + return 1; case ASN1_PKEY_CTRL_SET1_TLS_ENCPT: return EC_KEY_oct2key(EVP_PKEY_get0_EC_KEY(pkey), arg2, arg1, NULL); diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 154ef78..c8f3264 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -667,6 +667,26 @@ int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid) return evp_pkey_asn1_ctrl(pkey, ASN1_PKEY_CTRL_DEFAULT_MD_NID, 0, pnid); } +int EVP_PKEY_supports_digest_nid(EVP_PKEY *pkey, int nid) +{ + int rv, default_nid; + + rv = evp_pkey_asn1_ctrl(pkey, ASN1_PKEY_CTRL_SUPPORTS_MD_NID, nid, NULL); + if (rv == -2) { + /* + * If there is a mandatory default digest and this isn't it, then + * the answer is 'no'. + */ + rv = EVP_PKEY_get_default_digest_nid(pkey, &default_nid); + if (rv == 2) + return (nid == default_nid); + /* zero is an error from EVP_PKEY_get_default_digest_nid() */ + if (rv == 0) + return -1; + } + return rv; +} + int EVP_PKEY_set1_tls_encodedpoint(EVP_PKEY *pkey, const unsigned char *pt, size_t ptlen) { diff --git a/doc/man3/EVP_PKEY_ASN1_METHOD.pod b/doc/man3/EVP_PKEY_ASN1_METHOD.pod index 3c2ffd9..ed8c24b 100644 --- a/doc/man3/EVP_PKEY_ASN1_METHOD.pod +++ b/doc/man3/EVP_PKEY_ASN1_METHOD.pod @@ -257,6 +257,7 @@ L, and L. The pkey_ctrl() method adds extra algorithm specific control. It's called by L, +L, L, L, L, L, ... diff --git a/doc/man3/EVP_PKEY_get_default_digest_nid.pod b/doc/man3/EVP_PKEY_get_default_digest_nid.pod index da76677..02d25d0 100644 --- a/doc/man3/EVP_PKEY_get_default_digest_nid.pod +++ b/doc/man3/EVP_PKEY_get_default_digest_nid.pod @@ -18,7 +18,7 @@ a digest during signing. In this case B will be set to NID_undef. =head1 NOTES -For all current standard OpenSSL public key algorithms SHA1 is returned. +For all current standard OpenSSL public key algorithms SHA256 is returned. =head1 RETURN VALUES @@ -32,6 +32,7 @@ public key algorithm. L, L, +L, L, L, diff --git a/doc/man3/EVP_PKEY_supports_digest_nid.pod b/doc/man3/EVP_PKEY_supports_digest_nid.pod new file mode 100644 index 0000000..4f0882c --- /dev/null +++ b/doc/man3/EVP_PKEY_supports_digest_nid.pod @@ -0,0 +1,53 @@ +=pod + +=head1 NAME + +EVP_PKEY_supports_digest_nid - indicate support for signature digest + +=head1 SYNOPSIS + + #include + int EVP_PKEY_supports_digest_nid(EVP_PKEY *pkey, int nid); + +=head1 DESCRIPTION + +The EVP_PKEY_supports_digest_nid() function queries whether the message digest +NID B is supported for public key signature operations associated with key +B. + +=head1 NOTES + +If the EVP_PKEY implementation does not explicitly support this method, but +L returns a mandatory digest result, then +only that mandatory digest will be supported. + +=head1 RETURN VALUES + +The EVP_PKEY_supports_digest_nid() function returns 1 if the message digest +algorithm identified by B can be used for public key signature operations +associated with key B and 0 if it cannot be used. It returns a negative +value for failure. In particular a return value of -2 indicates the query +operation is not supported by the public key algorithm. + +=head1 SEE ALSO + +L, +L, +L, +L, +L, + +=head1 HISTORY + +This function was first added to OpenSSL 1.1.2. + +=head1 COPYRIGHT + +Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/include/openssl/evp.h b/include/openssl/evp.h index e803fa8..a0b7a54 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1111,6 +1111,7 @@ int EVP_PKEY_print_params(BIO *out, const EVP_PKEY *pkey, int indent, ASN1_PCTX *pctx); int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid); +int EVP_PKEY_supports_digest_nid(EVP_PKEY *pkey, int nid); int EVP_PKEY_set1_tls_encodedpoint(EVP_PKEY *pkey, const unsigned char *pt, size_t ptlen); @@ -1187,6 +1188,7 @@ int EVP_PBE_get(int *ptype, int *ppbe_nid, size_t num); # define ASN1_PKEY_CTRL_SET1_TLS_ENCPT 0x9 # define ASN1_PKEY_CTRL_GET1_TLS_ENCPT 0xa +# define ASN1_PKEY_CTRL_SUPPORTS_MD_NID 0xb int EVP_PKEY_asn1_get_count(void); const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx); diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index b8b9fbd..91353e7 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2496,7 +2496,7 @@ static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu) static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx) { const SIGALG_LOOKUP *lu; - int mdnid, pknid; + int mdnid, pknid, supported; size_t i; /* TLS 1.2 callers can override lu->sig_idx, but not TLS 1.3 callers. */ @@ -2509,19 +2509,39 @@ static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx) lu = tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]); if (lu == NULL || !X509_get_signature_info(s->cert->pkeys[idx].x509, &mdnid, - &pknid, NULL, NULL)) + &pknid, NULL, NULL) + /* + * TODO this does not differentiate between the + * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not + * have a chain here that lets us look at the key OID in the + * signing certificate. + */ + || mdnid != lu->hash + || pknid != lu->sig) continue; - /* - * TODO this does not differentiate between the - * rsa_pss_pss_* and rsa_pss_rsae_* schemes since we do not - * have a chain here that lets us look at the key OID in the - * signing certificate. - */ - if (mdnid == lu->hash && pknid == lu->sig) - return 1; + + ERR_set_mark(); + supported = EVP_PKEY_supports_digest_nid(s->cert->pkeys[idx].privatekey, + mdnid); + if (supported == 0) + continue; + else if (supported < 0) + { + /* If it didn't report a mandatory NID, for whatever reasons, + * just clear the error and allow all hashes to be used. */ + ERR_pop_to_mark(); + } + return 1; } return 0; } + supported = EVP_PKEY_supports_digest_nid(s->cert->pkeys[idx].privatekey, + sig->hash); + if (supported == 0) + return 0; + else if (supported < 0) + ERR_clear_error(); + return 1; } diff --git a/util/libcrypto.num b/util/libcrypto.num index f159a40..c6de172 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -4597,3 +4597,4 @@ EVP_MAC_do_all 4550 1_1_2 EXIST::FUNCTION: EVP_MAC_do_all_sorted 4551 1_1_2 EXIST::FUNCTION: EVP_str2ctrl 4552 1_1_2 EXIST::FUNCTION: EVP_hex2ctrl 4553 1_1_2 EXIST::FUNCTION: +EVP_PKEY_supports_digest_nid 4554 1_1_2 EXIST::FUNCTION: From nic.tuv at gmail.com Sat Nov 10 02:13:01 2018 From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Sat, 10 Nov 2018 02:13:01 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541815981.805917.28626.nullmailer@dev.openssl.org> The branch master has been updated via dd41956d80686638d74fd203bd67060f90966280 (commit) from ecbb2fca9301ef22b15beb30c4c0303b29846935 (commit) - Log ----------------------------------------------------------------- commit dd41956d80686638d74fd203bd67060f90966280 Author: Billy Brumley Date: Fri Nov 9 09:25:43 2018 +0200 [crypto/bn] swap BN_FLG_FIXED_TOP too Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/7599) ----------------------------------------------------------------------- Summary of changes: crypto/bn/bn_lib.c | 42 +++++++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 19 deletions(-) diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 266a3dd..80f910c 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -767,26 +767,30 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) b->neg ^= t; /*- - * Idea behind BN_FLG_STATIC_DATA is actually to - * indicate that data may not be written to. - * Intention is actually to treat it as it's - * read-only data, and some (if not most) of it does - * reside in read-only segment. In other words - * observation of BN_FLG_STATIC_DATA in - * BN_consttime_swap should be treated as fatal - * condition. It would either cause SEGV or - * effectively cause data corruption. - * BN_FLG_MALLOCED refers to BN structure itself, - * and hence must be preserved. Remaining flags are - * BN_FLG_CONSTIME and BN_FLG_SECURE. Latter must be - * preserved, because it determines how x->d was - * allocated and hence how to free it. This leaves - * BN_FLG_CONSTTIME that one can do something about. - * To summarize it's sufficient to mask and swap - * BN_FLG_CONSTTIME alone. BN_FLG_STATIC_DATA should - * be treated as fatal. + * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention + * is actually to treat it as it's read-only data, and some (if not most) + * of it does reside in read-only segment. In other words observation of + * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal + * condition. It would either cause SEGV or effectively cause data + * corruption. + * + * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be + * preserved. + * + * BN_FLG_SECURE: must be preserved, because it determines how x->d was + * allocated and hence how to free it. + * + * BN_FLG_CONSTTIME: sufficient to mask and swap + * + * BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on + * the data, so the d array may be padded with additional 0 values (i.e. + * top could be greater than the minimal value that it could be). We should + * be swapping it */ - t = ((a->flags ^ b->flags) & BN_FLG_CONSTTIME) & condition; + +#define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP) + + t = ((a->flags ^ b->flags) & BN_CONSTTIME_SWAP_FLAGS) & condition; a->flags ^= t; b->flags ^= t; From nic.tuv at gmail.com Sat Nov 10 02:17:39 2018 From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Sat, 10 Nov 2018 02:17:39 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541816259.216405.30063.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 6f172154f5d389a9e52583c6564b2693cb631e7f (commit) from bdb8897691942931184c38a9ab7b69a0977829b7 (commit) - Log ----------------------------------------------------------------- commit 6f172154f5d389a9e52583c6564b2693cb631e7f Author: Billy Brumley Date: Fri Nov 9 09:25:43 2018 +0200 [crypto/bn] swap BN_FLG_FIXED_TOP too Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/7599) (cherry picked from commit dd41956d80686638d74fd203bd67060f90966280) ----------------------------------------------------------------------- Summary of changes: crypto/bn/bn_lib.c | 42 +++++++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 19 deletions(-) diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 266a3dd..80f910c 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -767,26 +767,30 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) b->neg ^= t; /*- - * Idea behind BN_FLG_STATIC_DATA is actually to - * indicate that data may not be written to. - * Intention is actually to treat it as it's - * read-only data, and some (if not most) of it does - * reside in read-only segment. In other words - * observation of BN_FLG_STATIC_DATA in - * BN_consttime_swap should be treated as fatal - * condition. It would either cause SEGV or - * effectively cause data corruption. - * BN_FLG_MALLOCED refers to BN structure itself, - * and hence must be preserved. Remaining flags are - * BN_FLG_CONSTIME and BN_FLG_SECURE. Latter must be - * preserved, because it determines how x->d was - * allocated and hence how to free it. This leaves - * BN_FLG_CONSTTIME that one can do something about. - * To summarize it's sufficient to mask and swap - * BN_FLG_CONSTTIME alone. BN_FLG_STATIC_DATA should - * be treated as fatal. + * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention + * is actually to treat it as it's read-only data, and some (if not most) + * of it does reside in read-only segment. In other words observation of + * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal + * condition. It would either cause SEGV or effectively cause data + * corruption. + * + * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be + * preserved. + * + * BN_FLG_SECURE: must be preserved, because it determines how x->d was + * allocated and hence how to free it. + * + * BN_FLG_CONSTTIME: sufficient to mask and swap + * + * BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on + * the data, so the d array may be padded with additional 0 values (i.e. + * top could be greater than the minimal value that it could be). We should + * be swapping it */ - t = ((a->flags ^ b->flags) & BN_FLG_CONSTTIME) & condition; + +#define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP) + + t = ((a->flags ^ b->flags) & BN_CONSTTIME_SWAP_FLAGS) & condition; a->flags ^= t; b->flags ^= t; From nic.tuv at gmail.com Sat Nov 10 02:22:01 2018 From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Sat, 10 Nov 2018 02:22:01 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_0-stable update Message-ID: <1541816521.583709.31242.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_0-stable has been updated via 6ab937f2df403bdda7e25b6c62a93b061171250e (commit) from 4a498d0ed50f377584ebadce715fbcc2c0f53c23 (commit) - Log ----------------------------------------------------------------- commit 6ab937f2df403bdda7e25b6c62a93b061171250e Author: Billy Brumley Date: Fri Nov 9 09:25:43 2018 +0200 [crypto/bn] swap BN_FLG_FIXED_TOP too Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/7599) (cherry picked from commit dd41956d80686638d74fd203bd67060f90966280) ----------------------------------------------------------------------- Summary of changes: crypto/bn/bn_lib.c | 42 +++++++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 19 deletions(-) diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 80f8599..3f3c7bb 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -852,26 +852,30 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) b->neg ^= t; /*- - * Idea behind BN_FLG_STATIC_DATA is actually to - * indicate that data may not be written to. - * Intention is actually to treat it as it's - * read-only data, and some (if not most) of it does - * reside in read-only segment. In other words - * observation of BN_FLG_STATIC_DATA in - * BN_consttime_swap should be treated as fatal - * condition. It would either cause SEGV or - * effectively cause data corruption. - * BN_FLG_MALLOCED refers to BN structure itself, - * and hence must be preserved. Remaining flags are - * BN_FLG_CONSTIME and BN_FLG_SECURE. Latter must be - * preserved, because it determines how x->d was - * allocated and hence how to free it. This leaves - * BN_FLG_CONSTTIME that one can do something about. - * To summarize it's sufficient to mask and swap - * BN_FLG_CONSTTIME alone. BN_FLG_STATIC_DATA should - * be treated as fatal. + * BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention + * is actually to treat it as it's read-only data, and some (if not most) + * of it does reside in read-only segment. In other words observation of + * BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal + * condition. It would either cause SEGV or effectively cause data + * corruption. + * + * BN_FLG_MALLOCED: refers to BN structure itself, and hence must be + * preserved. + * + * BN_FLG_SECURE: must be preserved, because it determines how x->d was + * allocated and hence how to free it. + * + * BN_FLG_CONSTTIME: sufficient to mask and swap + * + * BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on + * the data, so the d array may be padded with additional 0 values (i.e. + * top could be greater than the minimal value that it could be). We should + * be swapping it */ - t = ((a->flags ^ b->flags) & BN_FLG_CONSTTIME) & condition; + +#define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP) + + t = ((a->flags ^ b->flags) & BN_CONSTTIME_SWAP_FLAGS) & condition; a->flags ^= t; b->flags ^= t; From nic.tuv at gmail.com Sat Nov 10 02:41:57 2018 From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Sat, 10 Nov 2018 02:41:57 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1541817717.480875.1657.nullmailer@dev.openssl.org> The branch master has been updated via d896b79b0994a35ecfd1c8e729d348d67236150e (commit) from dd41956d80686638d74fd203bd67060f90966280 (commit) - Log ----------------------------------------------------------------- commit d896b79b0994a35ecfd1c8e729d348d67236150e Author: Mansour Ahmadi Date: Wed Oct 17 18:13:57 2018 -0400 Check return value of EVP_PKEY_new Reviewed-by: Paul Yang Reviewed-by: Nicola Tuveri Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7427) ----------------------------------------------------------------------- Summary of changes: apps/rsa.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apps/rsa.c b/apps/rsa.c index 5098a20..fdd02dc 100644 --- a/apps/rsa.c +++ b/apps/rsa.c @@ -269,6 +269,9 @@ int rsa_main(int argc, char **argv) } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) { EVP_PKEY *pk; pk = EVP_PKEY_new(); + if (pk == NULL) + goto end; + EVP_PKEY_set1_RSA(pk, rsa); if (outformat == FORMAT_PVK) { if (pubin) { From nic.tuv at gmail.com Sat Nov 10 02:47:34 2018 From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Sat, 10 Nov 2018 02:47:34 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_1_1-stable update Message-ID: <1541818054.176833.2987.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 98f62979b2e6233470619c9adfa44704a7036699 (commit) from 6f172154f5d389a9e52583c6564b2693cb631e7f (commit) - Log ----------------------------------------------------------------- commit 98f62979b2e6233470619c9adfa44704a7036699 Author: Mansour Ahmadi Date: Wed Oct 17 18:13:57 2018 -0400 Check return value of EVP_PKEY_new Reviewed-by: Paul Yang