From matthias.st.pierre at ncp-e.com Sun Dec 1 02:27:54 2019 From: matthias.st.pierre at ncp-e.com (matthias.st.pierre at ncp-e.com) Date: Sun, 01 Dec 2019 02:27:54 +0000 Subject: [openssl] master update Message-ID: <1575167274.882307.30685.nullmailer@dev.openssl.org> The branch master has been updated via be3acd799bfd0fb09ea934e4984ec9eda19d8b8f (commit) from 14ee781eef0e55563432f377d8911529823bee58 (commit) - Log ----------------------------------------------------------------- commit be3acd799bfd0fb09ea934e4984ec9eda19d8b8f Author: Dr. Matthias St. Pierre Date: Sat Nov 23 08:54:29 2019 +0100 Fix typos in fipsinstall test Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/10506) ----------------------------------------------------------------------- Summary of changes: test/recipes/03-test_fipsinstall.t | 22 +++++++++++----------- test/recipes/30-test_evp.t | 2 +- test/recipes/30-test_evp_fetch_prov.t | 2 +- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t index 6f7c38a124..40a962253d 100644 --- a/test/recipes/03-test_fipsinstall.t +++ b/test/recipes/03-test_fipsinstall.t 
@@ -29,19 +29,19 @@ plan tests => 6; my $infile = bldtop_file('providers', platform->dso('fips')); $ENV{OPENSSL_MODULES} = bldtop_dir("providers"); -#fail if no module name +# fail if no module name ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.conf', '-module', '-provider_name', 'fips', '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', '-section_name', 'fips_install'])), - "fipinstall fail"); + "fipsinstall fail"); -# fail to Verify if the configuration file is missing +# fail to verify if the configuration file is missing ok(!run(app(['openssl', 'fipsinstall', '-in', 'dummy.tmp', '-module', $infile, '-provider_name', 'fips', '-mac_name', 'HMAC', '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', '-section_name', 'fips_install', '-verify'])), - "fipinstall verify fail"); + "fipsinstall verify fail"); # output a fips.conf file containing mac data 
@@ -49,25 +49,25 @@ ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.conf', '-module', $infile, '-provider_name', 'fips', '-mac_name', 'HMAC', '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', '-section_name', 'fips_install'])), - "fipinstall"); + "fipsinstall"); -# Verify the fips.conf file +# verify the fips.conf file ok(run(app(['openssl', 'fipsinstall', '-in', 'fips.conf', '-module', $infile, '-provider_name', 'fips', '-mac_name', 'HMAC', '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', '-section_name', 'fips_install', '-verify'])), - "fipinstall verify"); + "fipsinstall verify"); -# Fail to Verify the fips.conf file if a different key is used +# fail to verify the fips.conf file if a different key is used ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.conf', '-module', $infile, '-provider_name', 'fips', '-mac_name', 'HMAC', '-macopt', 'digest:SHA256', '-macopt', 'hexkey:01', '-section_name', 'fips_install', '-verify'])), - "fipinstall verify fail bad key"); + "fipsinstall verify fail bad key"); -# Fail to Verify the fips.conf file if a different mac digest is used +# fail to verify the fips.conf file if a different mac digest is used ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.conf', '-module', $infile, '-provider_name', 'fips', '-mac_name', 'HMAC', '-macopt', 'digest:SHA512', '-macopt', 'hexkey:00', '-section_name', 'fips_install', '-verify'])), - "fipinstall verify fail incorrect digest"); + "fipsinstall verify fail incorrect digest"); diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t index 979811b0e6..23c4aa8620 100644 --- a/test/recipes/30-test_evp.t +++ b/test/recipes/30-test_evp.t @@ -83,7 +83,7 @@ unless ($no_fips) { '-provider_name', 'fips', '-mac_name', 'HMAC', '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', '-section_name', 'fips_sect'])), - "fipinstall"); + "fipsinstall"); } foreach (@configs) { 
diff --git a/test/recipes/30-test_evp_fetch_prov.t b/test/recipes/30-test_evp_fetch_prov.t index d7a44ec306..82d984353b 100644 --- a/test/recipes/30-test_evp_fetch_prov.t +++ b/test/recipes/30-test_evp_fetch_prov.t @@ -53,7 +53,7 @@ unless ($no_fips) { '-provider_name', 'fips', '-mac_name', 'HMAC', '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', '-section_name', 'fips_sect']), - message => "fipinstall" + message => "fipsinstall" }; push @testdata, ( { config => srctop_file("test", "fips.cnf"), From builds at travis-ci.org Sun Dec 1 02:56:30 2019 From: builds at travis-ci.org (Travis CI) Date: Sun, 01 Dec 2019 02:56:30 +0000 Subject: Still Failing: openssl/openssl#30434 (master - be3acd7) In-Reply-To: Message-ID: <5de32bddf14eb_43fb8e1e342f027971c@813172a4-2243-42f1-ba30-5110fe6f9fb5.mail> Build Update for openssl/openssl ------------------------------------- Build: #30434 Status: Still Failing Duration: 28 mins and 3 secs Commit: be3acd7 (master) Author: Dr. Matthias St. Pierre Message: Fix typos in fipsinstall test Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/10506) View the changeset: https://github.com/openssl/openssl/compare/14ee781eef0e...be3acd799bfd View the full build log and details: https://travis-ci.org/openssl/openssl/builds/619114300?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Dec 1 03:19:16 2019 
From: no-reply at appveyor.com (AppVeyor) Date: Sun, 01 Dec 2019 03:19:16 +0000 Subject: Build failed: openssl master.29864 Message-ID: <20191201031916.1.413770A31ADB0E93@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Dec 1 03:47:43 2019 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 01 Dec 2019 03:47:43 +0000 Subject: Build completed: openssl master.29865 Message-ID: <20191201034743.1.7B83B6C834885DC2@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Dec 1 08:50:18 2019 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 01 Dec 2019 08:50:18 +0000 Subject: Build failed: openssl master.29868 Message-ID: <20191201085018.1.C9BABE5AE4B9DA06@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Dec 1 09:24:06 2019 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 01 Dec 2019 09:24:06 +0000 Subject: Build completed: openssl master.29869 Message-ID: <20191201092406.1.47E72276EC28F1AA@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Dec 1 10:30:59 2019 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 01 Dec 2019 10:30:59 +0000 Subject: Build failed: openssl master.29872 Message-ID: <20191201103059.1.C47BC33F30DBE406@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Dec 1 11:20:31 2019 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 01 Dec 2019 11:20:31 +0000 Subject: Build completed: openssl master.29873 Message-ID: <20191201112031.1.64BD21820D07630D@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Dec 1 20:52:15 2019 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 01 Dec 2019 20:52:15 +0000 Subject: Build failed: openssl master.29875 Message-ID: <20191201205215.1.B790EC0C798BD6D6@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Dec 2 06:12:03 2019 
From: no-reply at appveyor.com (AppVeyor) Date: Mon, 02 Dec 2019 06:12:03 +0000 Subject: Build failed: openssl master.29876 Message-ID: <20191202061203.1.954B7A8586FBFC0C@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Dec 2 11:20:54 2019 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 02 Dec 2019 11:20:54 +0000 Subject: Build failed: openssl master.29880 Message-ID: <20191202112054.1.CF87A07C9346E420@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Dec 2 11:52:20 2019 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 02 Dec 2019 11:52:20 +0000 Subject: Build completed: openssl master.29881 Message-ID: <20191202115220.1.1AAF3CE928375D35@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Dec 3 02:25:30 2019 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 03 Dec 2019 02:25:30 +0000 Subject: Build failed: openssl master.29890 Message-ID: <20191203022530.1.55F9BBE10D7DEEBB@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Dec 3 04:54:34 2019 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 03 Dec 2019 04:54:34 +0000 Subject: Build failed: openssl master.29893 Message-ID: <20191203045434.1.B5548F62CFE4F714@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Dec 3 06:10:58 2019 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 03 Dec 2019 06:10:58 +0000 Subject: Build completed: openssl master.29894 Message-ID: <20191203061058.1.A5B18E01BF780868@appveyor.com> An HTML attachment was scrubbed... URL: From pauli at openssl.org Tue Dec 3 09:32:14 2019 
From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 03 Dec 2019 09:32:14 +0000 Subject: [openssl] master update Message-ID: <1575365534.021935.20753.nullmailer@dev.openssl.org> The branch master has been updated via 59ae04d74a57cf791af510a717b5822950a0f875 (commit) from be3acd799bfd0fb09ea934e4984ec9eda19d8b8f (commit) - Log ----------------------------------------------------------------- commit 59ae04d74a57cf791af510a717b5822950a0f875 Author: raja-ashok Date: Tue Dec 3 19:31:49 2019 +1000 Set argument only after successful dup on CMP APIs Reviewed-by: Matt Caswell Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/10511) ----------------------------------------------------------------------- Summary of changes: crypto/cmp/cmp_ctx.c | 23 ++++++++++++++++++----- crypto/cmp/cmp_util.c | 8 +++++--- 2 files changed, 23 insertions(+), 8 deletions(-) diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c index 4a70b33ee7..89ecab1413 100644 --- a/crypto/cmp/cmp_ctx.c +++ b/crypto/cmp/cmp_ctx.c @@ -68,14 +68,21 @@ STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx) */ int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs) { + STACK_OF(X509) *untrusted_certs; if (ctx == NULL) { CMPerr(0, CMP_R_NULL_ARGUMENT); return 0; } - sk_X509_pop_free(ctx->untrusted_certs, X509_free); - if ((ctx->untrusted_certs = sk_X509_new_null()) == NULL) + if ((untrusted_certs = sk_X509_new_null()) == NULL) return 0; - return ossl_cmp_sk_X509_add1_certs(ctx->untrusted_certs, certs, 0, 1, 0); + if (ossl_cmp_sk_X509_add1_certs(untrusted_certs, certs, 0, 1, 0) != 1) + goto err; + sk_X509_pop_free(ctx->untrusted_certs, X509_free); + ctx->untrusted_certs = untrusted_certs; + return 1; +err: + sk_X509_pop_free(untrusted_certs, X509_free); + return 0; } /* 
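Review bot: Nothing visible in this hunk tells a caller of OSSL_CMP_CTX_set1_untrusted_certs() that a failed call now leaves the previously stored list in place. The function's header comment ends just above the hunk and should state it, for example `returns 1 on success, 0 on error; on error ctx->untrusted_certs is left unchanged`. The later hunks of this commit give OSSL_CMP_CTX_set1_secretValue() and ossl_cmp_asn1_octet_string_set1() the same guarantee, and they deserve the same sentence.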
@@ -373,13 +380,19 @@ int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx, int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec, const int len) { + ASN1_OCTET_STRING *secretValue = NULL; if (ctx == NULL) { CMPerr(0, CMP_R_NULL_ARGUMENT); return 0; } - if (ctx->secretValue != NULL) + if (ossl_cmp_asn1_octet_string_set1_bytes(&secretValue, sec, len) != 1) + return 0; + if (ctx->secretValue != NULL) { OPENSSL_cleanse(ctx->secretValue->data, ctx->secretValue->length); - return ossl_cmp_asn1_octet_string_set1_bytes(&ctx->secretValue, sec, len); + ASN1_OCTET_STRING_free(ctx->secretValue); + } + ctx->secretValue = secretValue; + return 1; } /* diff --git a/crypto/cmp/cmp_util.c b/crypto/cmp/cmp_util.c index 9490496cbe..0390c23e66 100644 --- a/crypto/cmp/cmp_util.c +++ b/crypto/cmp/cmp_util.c @@ -408,21 +408,23 @@ STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert) int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt, const ASN1_OCTET_STRING *src) { + ASN1_OCTET_STRING *new; if (tgt == NULL) { CMPerr(0, CMP_R_NULL_ARGUMENT); return 0; } if (*tgt == src) /* self-assignment */ return 1; - ASN1_OCTET_STRING_free(*tgt); if (src != NULL) { - if ((*tgt = ASN1_OCTET_STRING_dup(src)) == NULL) + if ((new = ASN1_OCTET_STRING_dup(src)) == NULL) return 0; } else { - *tgt = NULL; + new = NULL; } + ASN1_OCTET_STRING_free(*tgt); + *tgt = new; return 1; } From pauli at openssl.org Tue Dec 3 09:51:53 2019 
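Review bot: OSSL_CMP_CTX_set1_secretValue() now builds the copy in a local and wipes and frees the old value by hand, but no comment says why, and that is the security-relevant part of the change. The cmp_util.c hunk of this commit shows ossl_cmp_asn1_octet_string_set1() releasing the old target with a plain `ASN1_OCTET_STRING_free(*tgt)`. Assuming the `_set1_bytes` variant (outside the hunk) releases it the same way, the wipe has to stay in this function. A comment before the `OPENSSL_cleanse` call, such as `/* wipe the old secret here: the set1 helpers free without cleansing */`, would keep a later cleanup from folding the two steps back into the helper.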
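Review bot: The temporary added to ossl_cmp_asn1_octet_string_set1() in the cmp_util.c hunk is named `new`, which is a reserved word in C++ and can trip analysers or editors that parse the tree with a C++ front end. A neutral name such as `ASN1_OCTET_STRING *new_str;` avoids that at no cost. The variable is also declared uninitialised and relies on both branches of `if (src != NULL)` assigning it; initialising it to NULL at the declaration would make the `else` branch unnecessary.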
From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 03 Dec 2019 09:51:53 +0000 Subject: [openssl] master update Message-ID: <1575366713.158417.24860.nullmailer@dev.openssl.org> The branch master has been updated via d3a27c5ee45a29edd9c0d60ad5929f67996f89fd (commit) from 59ae04d74a57cf791af510a717b5822950a0f875 (commit) - Log ----------------------------------------------------------------- commit d3a27c5ee45a29edd9c0d60ad5929f67996f89fd Author: zero Date: Tue Dec 3 19:50:52 2019 +1000 Update NOTES.ANDROID for newer NDK versions + small fixes. Fixes #8941 Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/10478) ----------------------------------------------------------------------- Summary of changes: NOTES.ANDROID | 39 +++++++++++++++++++++++++-------------- 1 file changed, 25 insertions(+), 14 deletions(-) diff --git a/NOTES.ANDROID b/NOTES.ANDROID index 86459778fa..5eb29fb994 100644 --- a/NOTES.ANDROID +++ b/NOTES.ANDROID 
@@ -15,22 +15,33 @@ Configuration ------------- - Android is naturally cross-compiled target and you can't use ./config. + Android is a naturally cross-compiled target and you can't use ./config. You have to use ./Configure and name your target explicitly; there are android-arm, android-arm64, android-mips, android-mip64, android-x86 - and android-x86_64. Do not pass --cross-compile-prefix (as you might - be tempted), as it will be "calculated" automatically based on chosen - platform. Though you still need to know the prefix to extend your PATH, - in order to invoke $(CROSS_COMPILE)gcc and company. (Configure will fail - and give you a hint if you get it wrong.) Apart from PATH adjustment - you need to set ANDROID_NDK_HOME environment to point at NDK directory - as /some/where/android-ndk-. Both variables are significant at both - configuration and compilation times. NDK customarily supports multiple - Android API levels, e.g. android-14, android-21, etc. By default latest - one available is chosen. If you need to target older platform, pass - additional -D__ANDROID_API__=N to Configure. N is numeric value of the - target platform version. For example, to compile for ICS on ARM with - NDK 10d: + and android-x86_64 (*MIPS targets are no longer supported with NDK R20+). + Do not pass --cross-compile-prefix (as you might be tempted), as it will + be "calculated" automatically based on chosen platform. Though you still + need to know the prefix to extend your PATH, in order to invoke + $(CROSS_COMPILE)clang [*gcc on NDK 19 and lower] and company. (Configure + will fail and give you a hint if you get it wrong.) Apart from PATH + adjustment you need to set ANDROID_NDK_HOME environment to point at the + NDK directory. If you're using a side-by-side NDK the path will look + something like /some/where/android-sdk/ndk/, and for a standalone + NDK the path will be something like /some/where/android-ndk-. 
+ Both variables are significant at both configuration and compilation times. + The NDK customarily supports multiple Android API levels, e.g. android-14, + android-21, etc. By default latest API level is chosen. If you need to + target an older platform pass the argument -D__ANDROID_API__=N to Configure, + with N being the numerical value of the target platform version. For example, + to compile for Android 10 arm64 with a side-by-side NDK r20.0.5594570 + + export ANDROID_NDK_HOME=/home/whoever/Android/android-sdk/ndk/20.0.5594570 + PATH=$ANDROID_NDK_HOME/toolchains/llvm/prebuilt/linux-x86_64/bin:$ANDROID_NDK_HOME/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin:$PATH + ./Configure android-arm64 -D__ANDROID_API__=29 + make + + Older versions of the NDK have GCC under their common prebuilt tools directory, so the bin path + will be slightly different. EG: to compile for ICS on ARM with NDK 10d: export ANDROID_NDK_HOME=/some/where/android-ndk-10d PATH=$ANDROID_NDK_HOME/toolchains/arm-linux-androideabi-4.8/prebuilt/linux-x86_64/bin:$PATH From pauli at openssl.org Tue Dec 3 09:59:13 2019 
From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 03 Dec 2019 09:59:13 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1575367153.371211.27372.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via cdb2763e7daeea87c61ea874ae820046d84dd016 (commit) from dbcf53f867146766845f6e64243208d87007f970 (commit) - Log ----------------------------------------------------------------- commit cdb2763e7daeea87c61ea874ae820046d84dd016 Author: zero Date: Tue Dec 3 19:50:52 2019 +1000 Update NOTES.ANDROID for newer NDK versions + small fixes. Fixes #8941 Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/10478) (cherry picked from commit d3a27c5ee45a29edd9c0d60ad5929f67996f89fd) ----------------------------------------------------------------------- Summary of changes: NOTES.ANDROID | 39 +++++++++++++++++++++++++-------------- 1 file changed, 25 insertions(+), 14 deletions(-) diff --git a/NOTES.ANDROID b/NOTES.ANDROID index 86459778fa..5eb29fb994 100644 --- a/NOTES.ANDROID +++ b/NOTES.ANDROID 
@@ -15,22 +15,33 @@ Configuration ------------- - Android is naturally cross-compiled target and you can't use ./config. + Android is a naturally cross-compiled target and you can't use ./config. You have to use ./Configure and name your target explicitly; there are android-arm, android-arm64, android-mips, android-mip64, android-x86 - and android-x86_64. Do not pass --cross-compile-prefix (as you might - be tempted), as it will be "calculated" automatically based on chosen - platform. Though you still need to know the prefix to extend your PATH, - in order to invoke $(CROSS_COMPILE)gcc and company. (Configure will fail - and give you a hint if you get it wrong.) Apart from PATH adjustment - you need to set ANDROID_NDK_HOME environment to point at NDK directory - as /some/where/android-ndk-. Both variables are significant at both - configuration and compilation times. NDK customarily supports multiple - Android API levels, e.g. android-14, android-21, etc. By default latest - one available is chosen. If you need to target older platform, pass - additional -D__ANDROID_API__=N to Configure. N is numeric value of the - target platform version. For example, to compile for ICS on ARM with - NDK 10d: + and android-x86_64 (*MIPS targets are no longer supported with NDK R20+). + Do not pass --cross-compile-prefix (as you might be tempted), as it will + be "calculated" automatically based on chosen platform. Though you still + need to know the prefix to extend your PATH, in order to invoke + $(CROSS_COMPILE)clang [*gcc on NDK 19 and lower] and company. (Configure + will fail and give you a hint if you get it wrong.) Apart from PATH + adjustment you need to set ANDROID_NDK_HOME environment to point at the + NDK directory. If you're using a side-by-side NDK the path will look + something like /some/where/android-sdk/ndk/, and for a standalone + NDK the path will be something like /some/where/android-ndk-. 
+ Both variables are significant at both configuration and compilation times. + The NDK customarily supports multiple Android API levels, e.g. android-14, + android-21, etc. By default latest API level is chosen. If you need to + target an older platform pass the argument -D__ANDROID_API__=N to Configure, + with N being the numerical value of the target platform version. For example, + to compile for Android 10 arm64 with a side-by-side NDK r20.0.5594570 + + export ANDROID_NDK_HOME=/home/whoever/Android/android-sdk/ndk/20.0.5594570 + PATH=$ANDROID_NDK_HOME/toolchains/llvm/prebuilt/linux-x86_64/bin:$ANDROID_NDK_HOME/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin:$PATH + ./Configure android-arm64 -D__ANDROID_API__=29 + make + + Older versions of the NDK have GCC under their common prebuilt tools directory, so the bin path + will be slightly different. EG: to compile for ICS on ARM with NDK 10d: export ANDROID_NDK_HOME=/some/where/android-ndk-10d PATH=$ANDROID_NDK_HOME/toolchains/arm-linux-androideabi-4.8/prebuilt/linux-x86_64/bin:$PATH From builds at travis-ci.org Tue Dec 3 10:01:55 2019 
From: builds at travis-ci.org (Travis CI) Date: Tue, 03 Dec 2019 10:01:55 +0000 Subject: Still Failing: openssl/openssl#30466 (master - 59ae04d) In-Reply-To: Message-ID: <5de63292e2250_43fd0f27e65b487589@1a09733d-00e5-4ce5-b999-090657ca6796.mail> Build Update for openssl/openssl ------------------------------------- Build: #30466 Status: Still Failing Duration: 28 mins and 55 secs Commit: 59ae04d (master) Author: raja-ashok Message: Set argument only after successful dup on CMP APIs Reviewed-by: Matt Caswell Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/10511) View the changeset: https://github.com/openssl/openssl/compare/be3acd799bfd...59ae04d74a57 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/620029773?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From builds at travis-ci.org Tue Dec 3 10:20:47 2019 
From: builds at travis-ci.org (Travis CI) Date: Tue, 03 Dec 2019 10:20:47 +0000 Subject: Still Failing: openssl/openssl#30467 (master - d3a27c5) In-Reply-To: Message-ID: <5de636ff3063_43fd0eee1666894941@1a09733d-00e5-4ce5-b999-090657ca6796.mail> Build Update for openssl/openssl ------------------------------------- Build: #30467 Status: Still Failing Duration: 28 mins and 32 secs Commit: d3a27c5 (master) Author: zero Message: Update NOTES.ANDROID for newer NDK versions + small fixes. Fixes #8941 Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/10478) View the changeset: https://github.com/openssl/openssl/compare/59ae04d74a57...d3a27c5ee45a View the full build log and details: https://travis-ci.org/openssl/openssl/builds/620036400?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From builds at travis-ci.org Tue Dec 3 10:28:32 2019 
From: builds at travis-ci.org (Travis CI) Date: Tue, 03 Dec 2019 10:28:32 +0000 Subject: Still Failing: openssl/openssl#30468 (OpenSSL_1_1_1-stable - cdb2763) In-Reply-To: Message-ID: <5de638d0922f8_43f8b1a615af08657e@968d24f7-9624-44b1-8f5f-a5e4f0ad58af.mail> Build Update for openssl/openssl ------------------------------------- Build: #30468 Status: Still Failing Duration: 26 mins and 8 secs Commit: cdb2763 (OpenSSL_1_1_1-stable) Author: zero Message: Update NOTES.ANDROID for newer NDK versions + small fixes. Fixes #8941 Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/10478) (cherry picked from commit d3a27c5ee45a29edd9c0d60ad5929f67996f89fd) View the changeset: https://github.com/openssl/openssl/compare/dbcf53f86714...cdb2763e7dae View the full build log and details: https://travis-ci.org/openssl/openssl/builds/620039229?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Dec 3 10:48:51 2019 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 03 Dec 2019 10:48:51 +0000 Subject: Build failed: openssl master.29897 Message-ID: <20191203104851.1.1770EC48C0235168@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Dec 3 11:58:06 2019 
From: no-reply at appveyor.com (AppVeyor) Date: Tue, 03 Dec 2019 11:58:06 +0000 Subject: Build completed: openssl OpenSSL_1_1_1-stable.29898 Message-ID: <20191203115806.1.755288E70EB9FD87@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Dec 3 18:46:42 2019 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 03 Dec 2019 18:46:42 +0000 Subject: Build failed: openssl master.29917 Message-ID: <20191203184642.1.9882A49A8691882D@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Dec 3 20:05:35 2019 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 03 Dec 2019 20:05:35 +0000 Subject: Build failed: openssl master.29922 Message-ID: <20191203200535.1.37158D7D84A91AAB@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Tue Dec 3 22:03:03 2019 
From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 03 Dec 2019 22:03:03 +0000 Subject: FAILED build of OpenSSL branch master with options -d --strict-warnings Message-ID: <1575410583.112951.24205.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 4.15.0-54-generic #58-Ubuntu SMP Mon Jun 24 10:55:24 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux Commit log since last time: d3a27c5ee4 Update NOTES.ANDROID for newer NDK versions + small fixes. 59ae04d74a Set argument only after successful dup on CMP APIs be3acd799b Fix typos in fipsinstall test 14ee781eef util/find-doc-nits: ignore macros ending in _fnsig 31d3a75902 util/find-doc-nits: limit the prototype check c48e2d106b Add NEWS and CHANGES entries about OSSL_SERIALIZER 6ae5543c5f TEST: add tests of text and PEM printout of a provider made key 264b789bc2 PROV SERIALIZER: add support for writing DSA keys and parameters 045e51cbf4 PROV SERIALIZER: add support for writing DH keys and parameters 677add3800 PROV SERIALIZER: add support for writing RSA keys cb58d81e68 PROV SERIALIZER: add common functionality to serialize keys 63665fff84 PROV BIO: add a BIO_vprintf() upcall, and a provider BIO library 54c1711f87 SERIALIZER: add hooks in EVP_PKEY_print_ routines f864a9396a SERIALIZER: add hooks in PEM_write_bio_ and PEM_write_fp_ routines 866234ac35 SERIALIZER: add support for serializing EVP_PKEYs 1793d270f3 CORE: expose the property parsers and checker to the rest of the libraries 742496f130 SERIALIZER: add functions for serialization to file 0d003c52d3 SERIALIZER: New API for serialization of objects through providers 36fa4d8a0d CORE: pass the full algorithm definition to the method constructor 3d83c73536 CORE: ossl_namemap_add_names(): new function to add multiple names cc38e643cb Disable mem leak checking for the self test lock 14a684bfb0 Make sure we only run the self tests once 17197a2f61 Check the return from OPENSSL_buf2hexstr() c1ff599440 Check that OPENSSL_zalloc was 
successful when creating EVP types b4be6937f2 Add a test for NULL chunks in encrypt/decrypt 4b9c750be8 Make sure we handle input NULL with length 0 cff64af553 Configure: make it possible to have generated generators b0940b33a6 Adapt *.tmpl to generate docs at build time df8f116ecd Add doc/build.info to build the documentation 829f86bb7b Add the possibility to generate documentation at build time fbd03b1c59 configdata.pm.in, util/dofile.pl: load 'platform' unconditionally e9b95e42fb apps/ocsp.c: sock_timeout -> socket_timeout Build log ended with (last 100 lines): From levitte at openssl.org Tue Dec 3 23:19:50 2019 From: levitte at openssl.org (Richard Levitte) Date: Tue, 03 Dec 2019 23:19:50 +0000 Subject: [openssl] master update Message-ID: <1575415190.257031.29092.nullmailer@dev.openssl.org> The branch master has been updated via 278de77b881739267d86f96088557af3da966982 (commit) from d3a27c5ee45a29edd9c0d60ad5929f67996f89fd (commit) - Log ----------------------------------------------------------------- commit 278de77b881739267d86f96088557af3da966982 Author: Richard Levitte Date: Sun Dec 1 08:20:09 2019 +0100 configdata.pm.in: Don't try to quotify undefined values Fixes #10503 Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/10548) ----------------------------------------------------------------------- Summary of changes: configdata.pm.in | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/configdata.pm.in b/configdata.pm.in index 312122686f..71627b48ef 100644 --- a/configdata.pm.in +++ b/configdata.pm.in @@ -245,7 +245,13 @@ _____ foreach (sort keys %target) { next if $_ =~ m|^_| || $_ eq 'template'; my $quotify = sub { - map { (my $x = $_) =~ s|([\\\$\@"])|\\$1|g; "\"$x\""} @_; + map { + if (defined $_) { + (my $x = $_) =~ s|([\\\$\@"])|\\$1|g; "\"$x\"" + } else { + "undef"; + } + } @_; }; print ' ', $_, ' => '; if (ref($target{$_}) eq "ARRAY") { From levitte at openssl.org Tue Dec 3 23:23:42 2019 
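Review bot: The `$quotify` closure in the configdata.pm.in hunk now does two jobs, escaping and undef handling, and neither is explained in a comment. A line above the `map`, such as `# Emit a double-quoted Perl literal with \ $ @ " escaped so nothing interpolates when configdata.pm is loaded; undefined entries become the bare word undef`, would state the intent. The block's value also comes from an `if`/`else` statement in final position, which reads more clearly as a conditional expression (`defined $_ ? ... : "undef"`). The `foreach` loop over `%target` continues past the end of the hunk. If other tables in this template carry their own copy of the closure (not visible here), they would need the same guard.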
From: levitte at openssl.org (Richard Levitte) Date: Tue, 03 Dec 2019 23:23:42 +0000 Subject: [openssl] master update Message-ID: <1575415422.924208.30384.nullmailer@dev.openssl.org> The branch master has been updated via dc5d74e648c499d5247ff2d3db125c347abc5c1f (commit) from 278de77b881739267d86f96088557af3da966982 (commit) - Log ----------------------------------------------------------------- commit dc5d74e648c499d5247ff2d3db125c347abc5c1f Author: Richard Levitte Date: Sun Dec 1 09:14:48 2019 +0100 util/mkerr.pl: don't stop reading conserved symbols from the state file If we don't read them, they will not be conserved. Fixes #10522 Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/10549) ----------------------------------------------------------------------- Summary of changes: util/mkerr.pl | 6 ------ 1 file changed, 6 deletions(-) diff --git a/util/mkerr.pl b/util/mkerr.pl index 0b09fb3327..d72b407909 100755 --- a/util/mkerr.pl +++ b/util/mkerr.pl @@ -210,12 +210,6 @@ if ( ! $reindex && $statefile ) { print "Skipping $_"; $skippedstate++; next; - } elsif ( $hinc{$lib} eq 'NONE' ) { - # When the header is NONE but the err file is specified, - # it signifies that the err file should be conserved but - # remain untouched, and the same goes for the symbols in - # the state file. - next; } if ( $name =~ /^(?:OSSL_|OPENSSL_)?[A-Z0-9]{2,}_R_/ ) { die "$lib reason code $code collision at $name\n" From builds at travis-ci.org Tue Dec 3 23:56:08 2019 
From: builds at travis-ci.org (Travis CI) Date: Tue, 03 Dec 2019 23:56:08 +0000 Subject: Still Failing: openssl/openssl#30498 (master - 278de77) In-Reply-To: Message-ID: <5de6f617d9443_43fc85f2920904726b@3898931e-2f2a-466a-a0f3-96b6594e95e2.mail> Build Update for openssl/openssl ------------------------------------- Build: #30498 Status: Still Failing Duration: 30 mins and 12 secs Commit: 278de77 (master) Author: Richard Levitte Message: configdata.pm.in: Don't try to quotify undefined values Fixes #10503 Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/10548) View the changeset: https://github.com/openssl/openssl/compare/d3a27c5ee45a...278de77b8817 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/620376358?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From builds at travis-ci.org Wed Dec 4 00:18:32 2019 
From: builds at travis-ci.org (Travis CI) Date: Wed, 04 Dec 2019 00:18:32 +0000 Subject: Still Failing: openssl/openssl#30499 (master - dc5d74e) In-Reply-To: Message-ID: <5de6fb5895209_43f9bb78e4378278091@bb6a5cea-c441-4fe0-bc51-2608d0a3468f.mail> Build Update for openssl/openssl ------------------------------------- Build: #30499 Status: Still Failing Duration: 39 mins and 29 secs Commit: dc5d74e (master) Author: Richard Levitte Message: util/mkerr.pl: don't stop reading conserved symbols from the state file If we don't read them, they will not be conserved. Fixes #10522 Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/10549) View the changeset: https://github.com/openssl/openssl/compare/278de77b8817...dc5d74e648c4 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/620377711?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Wed Dec 4 00:35:31 2019 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 04 Dec 2019 00:35:31 +0000 Subject: Build failed: openssl master.29928 Message-ID: <20191204003531.1.1CADCEA62DA7C28E@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Wed Dec 4 09:12:58 2019 
From: no-reply at appveyor.com (AppVeyor) Date: Wed, 04 Dec 2019 09:12:58 +0000 Subject: Build failed: openssl master.29934 Message-ID: <20191204091258.1.6074A31BFEF9D5BE@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Wed Dec 4 09:51:37 2019 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 04 Dec 2019 09:51:37 +0000 Subject: Build completed: openssl master.29935 Message-ID: <20191204095137.1.658AD6490266E569@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Wed Dec 4 10:57:58 2019 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 04 Dec 2019 10:57:58 +0000 Subject: Build failed: openssl master.29938 Message-ID: <20191204105758.1.96E7C755C857E662@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Wed Dec 4 11:21:14 2019 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 04 Dec 2019 11:21:14 +0000 Subject: Build completed: openssl OpenSSL_1_1_1-stable.29939 Message-ID: <20191204112114.1.61CAB958FA55BD0F@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Wed Dec 4 13:22:35 2019 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 04 Dec 2019 13:22:35 +0000 Subject: Build failed: openssl master.29943 Message-ID: <20191204132235.1.00730EB0E05EE3CB@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Wed Dec 4 13:54:04 2019 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 04 Dec 2019 13:54:04 +0000 Subject: Build completed: openssl master.29944 Message-ID: <20191204135404.1.CF2DD7F3E99A45C1@appveyor.com> An HTML attachment was scrubbed... URL: From matt at openssl.org Wed Dec 4 15:23:05 2019 
From: matt at openssl.org (Matt Caswell) Date: Wed, 04 Dec 2019 15:23:05 +0000 Subject: [openssl] master update Message-ID: <1575472985.445770.17454.nullmailer@dev.openssl.org> The branch master has been updated via 25d7cd1d69e5d5df9c9f346922a48797baca03b7 (commit) from dc5d74e648c499d5247ff2d3db125c347abc5c1f (commit) - Log ----------------------------------------------------------------- commit 25d7cd1d69e5d5df9c9f346922a48797baca03b7 Author: Dr. David von Oheimb Date: Fri Nov 22 13:02:52 2019 +0100 add X509_cmp_timeframe() including its documentation Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/10502) ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_vfy.c | 25 ++++++++++++++++ crypto/x509/x509_vpm.c | 2 +- doc/man3/X509_VERIFY_PARAM_set_flags.pod | 2 +- doc/man3/X509_cmp_time.pod | 34 +++++++++++++++++---- include/openssl/x509.h | 2 ++ include/openssl/x509_vfy.h | 2 +- test/x509_time_test.c | 51 ++++++++++++++++++++++++++++++++ util/libcrypto.num | 1 + 8 files changed, 110 insertions(+), 9 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 1e2e4cd557..c8d1258803 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c 
@@ -1851,6 +1851,31 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) return ret; } +/* + * Return 0 if time should not be checked or reference time is in range, + * or else 1 if it is past the end, or -1 if it is before the start + */ +int X509_cmp_timeframe(const X509_VERIFY_PARAM *vpm, + const ASN1_TIME *start, const ASN1_TIME *end) +{ + time_t ref_time; + time_t *time = NULL; + unsigned long flags = vpm == NULL ? 0 : X509_VERIFY_PARAM_get_flags(vpm); + + if ((flags & X509_V_FLAG_USE_CHECK_TIME) != 0) { + ref_time = X509_VERIFY_PARAM_get_time(vpm); + time = &ref_time; + } else if ((flags & X509_V_FLAG_NO_CHECK_TIME) != 0) { + return 0; /* this means ok */ + } /* else reference time is the current time */ + + if (end != NULL && X509_cmp_time(end, time) < 0) + return 1; + if (start != NULL && X509_cmp_time(start, time) > 0) + return -1; + return 0; +} + ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) { return X509_time_adj(s, adj, NULL); diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index 782fa136f2..27156b9b4d 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -282,7 +282,7 @@ int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, return 1; } -unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param) +unsigned long X509_VERIFY_PARAM_get_flags(const X509_VERIFY_PARAM *param) { return param->flags; } diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod index 2d161ebbab..8352a39b86 100644 --- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod @@ -26,7 +26,7 @@ X509_VERIFY_PARAM_set1_ip_asc unsigned long flags); int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags); - unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param); + unsigned long X509_VERIFY_PARAM_get_flags(const X509_VERIFY_PARAM *param); int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param, uint32_t flags); 
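Review bot: In `X509_cmp_timeframe()` (crypto/x509/x509_vfy.c) an error from `X509_cmp_time()` cannot be told apart from "in range": the X509_cmp_time.pod text touched by this same commit says that function returns 0 on error, and both checks here (`< 0` for `end`, `> 0` for `start`) then fall through to the final `return 0`. A caller that reads 0 as "validity period OK" would therefore accept a start or end time that could not be parsed. Since the documented results are only -1, 0 and 1, the header comment and the RETURN VALUES section should at least state this, e.g. `Note: a start or end time that X509_cmp_time() rejects is not reported here; callers must validate the ASN1_TIME values separately`. As a smaller point, the local `time_t *time` shadows the C library `time()`; a name such as `ptime` avoids shadow warnings.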
diff --git a/doc/man3/X509_cmp_time.pod b/doc/man3/X509_cmp_time.pod index 6fbb66f1c2..73ef9e3fbc 100644 --- a/doc/man3/X509_cmp_time.pod +++ b/doc/man3/X509_cmp_time.pod @@ -2,13 +2,16 @@ =head1 NAME -X509_cmp_time, X509_cmp_current_time, X509_time_adj, X509_time_adj_ex +X509_cmp_time, X509_cmp_current_time, X509_cmp_timeframe, +X509_time_adj, X509_time_adj_ex - X509 time functions =head1 SYNOPSIS int X509_cmp_time(const ASN1_TIME *asn1_time, time_t *in_tm); int X509_cmp_current_time(const ASN1_TIME *asn1_time); + int X509_cmp_timeframe(const X509_VERIFY_PARAM *vpm, + const ASN1_TIME *start, const ASN1_TIME *end); ASN1_TIME *X509_time_adj(ASN1_TIME *asn1_time, long offset_sec, time_t *in_tm); ASN1_TIME *X509_time_adj_ex(ASN1_TIME *asn1_time, int offset_day, long offset_sec, time_t *in_tm); @@ -16,10 +19,14 @@ X509_cmp_time, X509_cmp_current_time, X509_time_adj, X509_time_adj_ex =head1 DESCRIPTION X509_cmp_time() compares the ASN1_TIME in B with the time -in . X509_cmp_current_time() compares the ASN1_TIME in -B with the current time, expressed as time_t. B -must satisfy the ASN1_TIME format mandated by RFC 5280, i.e., its -format must be either YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ. +in . + +X509_cmp_current_time() compares the ASN1_TIME in +B with the current time, expressed as time_t. + +X509_cmp_timeframe() compares the given time period with the reference time +included in the verification parameters B if they are not NULL and contain +B; else the current time is used as reference time. X509_time_adj_ex() sets the ASN1_TIME structure B to the time B and B after B. @@ -35,6 +42,9 @@ is allocated and returned. In all methods, if B is NULL, the current time, expressed as time_t, is used. +B must satisfy the ASN1_TIME format mandated by RFC 5280, +i.e., its format must be either YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ. + =head1 BUGS Unlike many standard comparison functions, X509_cmp_time() and 
@@ -43,12 +53,24 @@ X509_cmp_current_time() return 0 on error. =head1 RETURN VALUES X509_cmp_time() and X509_cmp_current_time() return -1 if B -is earlier than, or equal to, B (resp. current time), and 1 +is earlier than, or equal to, B (resp. current time), and 1 otherwise. These methods return 0 on error. +X509_cmp_timeframe() returns 0 if B is not NULL and the verification +parameters do not contain B +but do contain B. Otherwise it returns +1 if the end time is not NULL and the reference time (which has determined as +stated above) is past the end time, -1 if the start time is not NULL and the +reference time is before, else 0 to indicate that the reference time is in range +(implying that the end time is not before the start time if both are present). + X509_time_adj() and X509_time_adj_ex() return a pointer to the updated ASN1_TIME structure, and NULL on error. +=head1 HISTORY + +X509_cmp_timeframe() was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. diff --git a/include/openssl/x509.h b/include/openssl/x509.h index e4de10e6f9..9d8cc03c53 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -495,6 +495,8 @@ DECLARE_ASN1_DUP_FUNCTION(X509_NAME_ENTRY) int X509_cmp_time(const ASN1_TIME *s, time_t *t); int X509_cmp_current_time(const ASN1_TIME *s); +int X509_cmp_timeframe(const X509_VERIFY_PARAM *vpm, + const ASN1_TIME *start, const ASN1_TIME *end); ASN1_TIME *X509_time_adj(ASN1_TIME *s, long adj, time_t *t); ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, time_t *t); diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h index 651ffbcbe6..affdc67d80 100644 --- a/include/openssl/x509_vfy.h +++ b/include/openssl/x509_vfy.h 
@@ -558,7 +558,7 @@ int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags); int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags); -unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param); +unsigned long X509_VERIFY_PARAM_get_flags(const X509_VERIFY_PARAM *param); int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose); int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust); void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth); diff --git a/test/x509_time_test.c b/test/x509_time_test.c index 79c23cf5b3..8e813cb0f9 100644 --- a/test/x509_time_test.c +++ b/test/x509_time_test.c 
@@ -297,6 +297,56 @@ static int test_x509_cmp_time_current(void) return failed == 0; } +static int test_X509_cmp_timeframe_vpm(const X509_VERIFY_PARAM *vpm, + ASN1_TIME *asn1_before, + ASN1_TIME *asn1_mid, + ASN1_TIME *asn1_after) +{ + int always_0 = vpm != NULL + && (X509_VERIFY_PARAM_get_flags(vpm) & X509_V_FLAG_USE_CHECK_TIME) == 0 + && (X509_VERIFY_PARAM_get_flags(vpm) & X509_V_FLAG_NO_CHECK_TIME) != 0; + + return asn1_before != NULL && asn1_mid != NULL && asn1_after != NULL + && TEST_int_eq(X509_cmp_timeframe(vpm, asn1_before, asn1_after), 0) + && TEST_int_eq(X509_cmp_timeframe(vpm, asn1_before, NULL), 0) + && TEST_int_eq(X509_cmp_timeframe(vpm, NULL, asn1_after), 0) + && TEST_int_eq(X509_cmp_timeframe(vpm, NULL, NULL), 0) + && TEST_int_eq(X509_cmp_timeframe(vpm, asn1_after, asn1_after), + always_0 ? 0 : -1) + && TEST_int_eq(X509_cmp_timeframe(vpm, asn1_before, asn1_before), + always_0 ? 0 : 1) + && TEST_int_eq(X509_cmp_timeframe(vpm, asn1_after, asn1_before), + always_0 ? 0 : 1); +} + +static int test_X509_cmp_timeframe(void) +{ + time_t now = time(NULL); + ASN1_TIME *asn1_mid = ASN1_TIME_adj(NULL, now, 0, 0); + /* Pick a day earlier and later, relative to any system clock. 
*/ + ASN1_TIME *asn1_before = ASN1_TIME_adj(NULL, now, -1, 0); + ASN1_TIME *asn1_after = ASN1_TIME_adj(NULL, now, 1, 0); + X509_VERIFY_PARAM *vpm = X509_VERIFY_PARAM_new(); + int res; + + res = vpm != NULL + && test_X509_cmp_timeframe_vpm(NULL, asn1_before, asn1_mid, asn1_after) + && test_X509_cmp_timeframe_vpm(vpm, asn1_before, asn1_mid, asn1_after); + + X509_VERIFY_PARAM_set_time(vpm, now); + res = res + && test_X509_cmp_timeframe_vpm(vpm, asn1_before, asn1_mid, asn1_after) + && X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME) + && test_X509_cmp_timeframe_vpm(vpm, asn1_before, asn1_mid, asn1_after); + + X509_VERIFY_PARAM_free(vpm); + ASN1_TIME_free(asn1_mid); + ASN1_TIME_free(asn1_before); + ASN1_TIME_free(asn1_after); + + return res; +} + static int test_x509_time(int idx) { ASN1_TIME *t = NULL; @@ -485,6 +535,7 @@ static int test_x509_time_print(int idx) int setup_tests(void) { ADD_TEST(test_x509_cmp_time_current); + ADD_TEST(test_X509_cmp_timeframe); ADD_ALL_TESTS(test_x509_cmp_time, OSSL_NELEM(x509_cmp_tests)); ADD_ALL_TESTS(test_x509_time, OSSL_NELEM(x509_format_tests)); ADD_ALL_TESTS(test_days, OSSL_NELEM(day_of_week_tests)); diff --git a/util/libcrypto.num b/util/libcrypto.num index 32b502147c..0553f88859 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -4909,3 +4909,4 @@ i2d_X509_PUBKEY_fp ? 3_0_0 EXIST::FUNCTION:STDIO d2i_X509_PUBKEY_bio ? 3_0_0 EXIST::FUNCTION: i2d_X509_PUBKEY_bio ? 3_0_0 EXIST::FUNCTION: RSA_get0_pss_params ? 3_0_0 EXIST::FUNCTION:RSA +X509_cmp_timeframe ? 3_0_0 EXIST::FUNCTION: From no-reply at appveyor.com Wed Dec 4 16:27:47 2019 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 04 Dec 2019 16:27:47 +0000 Subject: Build failed: openssl master.29947 Message-ID: <20191204162747.1.835E0038F9786ADC@appveyor.com> An HTML attachment was scrubbed... URL: From builds at travis-ci.org Wed Dec 4 16:16:19 2019 
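Review bot: The `always_0` case in `test_X509_cmp_timeframe_vpm()` (test/x509_time_test.c) looks unreachable, so the `X509_V_FLAG_NO_CHECK_TIME` early return of `X509_cmp_timeframe()` is never exercised with an out-of-range period. `test_X509_cmp_timeframe()` sets `X509_V_FLAG_NO_CHECK_TIME` only after `X509_VERIFY_PARAM_set_time()`, which presumably also sets `X509_V_FLAG_USE_CHECK_TIME` (to be confirmed in x509_vpm.c), and with both flags set `always_0` evaluates to false. Adding `&& X509_VERIFY_PARAM_clear_flags(vpm, X509_V_FLAG_USE_CHECK_TIME)` followed by one more `test_X509_cmp_timeframe_vpm(vpm, asn1_before, asn1_mid, asn1_after)` would cover the flag on its own. Separately, `X509_VERIFY_PARAM_set_time(vpm, now)` runs even when `X509_VERIFY_PARAM_new()` returned NULL, and `asn1_mid` is only NULL-checked and never passed to `X509_cmp_timeframe()`.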
From: builds at travis-ci.org (Travis CI) Date: Wed, 04 Dec 2019 16:16:19 +0000 Subject: Still Failing: openssl/openssl#30518 (master - 25d7cd1) In-Reply-To: Message-ID: <5de7dbd3610ef_43fd1321f3fcc974a7@9c28f6ee-b282-4cee-b295-cc1f59bc1033.mail> Build Update for openssl/openssl ------------------------------------- Build: #30518 Status: Still Failing Duration: 52 mins and 47 secs Commit: 25d7cd1 (master) Author: Dr. David von Oheimb Message: add X509_cmp_timeframe() including its documentation Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/10502) View the changeset: https://github.com/openssl/openssl/compare/dc5d74e648c4...25d7cd1d69e5 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/620678040?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From matt at openssl.org Wed Dec 4 17:51:29 2019 
From: matt at openssl.org (Matt Caswell) Date: Wed, 04 Dec 2019 17:51:29 +0000 Subject: [openssl] master update Message-ID: <1575481889.381653.5324.nullmailer@dev.openssl.org> The branch master has been updated via 7573fe1af54c190ccd8d07d753b334637a30f3a2 (commit) via 67b8f5bdbf95ad4def2dd27c220545b15d847aae (commit) from 25d7cd1d69e5d5df9c9f346922a48797baca03b7 (commit) - Log ----------------------------------------------------------------- commit 7573fe1af54c190ccd8d07d753b334637a30f3a2 Author: Matt Caswell Date: Fri Nov 29 12:02:54 2019 +0000 Deprecate the AES_ige_*() functions These functions were already partially deprecated. Now we do it fully. Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/10558) commit 67b8f5bdbf95ad4def2dd27c220545b15d847aae Author: Matt Caswell Date: Fri Nov 29 12:01:18 2019 +0000 Add the ability to supress deprecation warnings We add a new macro OPENSSL_SUPRESS_DEPRECATED which enables applications to supress deprecation warnings where necessary. Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/10558) ----------------------------------------------------------------------- Summary of changes: apps/speed.c | 3 +++ include/openssl/aes.h | 19 ++++++++++--------- include/openssl/macros.h | 20 +++++++++++--------- test/igetest.c | 3 +++ 4 files changed, 27 insertions(+), 18 deletions(-) diff --git a/apps/speed.c b/apps/speed.c index 53ae4c4e58..e4b104e9c3 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -17,6 +17,9 @@ #define EdDSA_SECONDS 10 #define SM2_SECONDS 10 +/* We need to use some deprecated APIs */ +#define OPENSSL_SUPPRESS_DEPRECATED + #include #include #include diff --git a/include/openssl/aes.h b/include/openssl/aes.h index a21e72d473..510edce18d 100644 --- a/include/openssl/aes.h +++ b/include/openssl/aes.h 
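Review bot: The `#define OPENSSL_SUPPRESS_DEPRECATED` added to apps/speed.c covers the whole file, and its comment (`We need to use some deprecated APIs`) does not say which APIs it is there for. With the define in place, any other function that is deprecated later and called from this file will also compile without a warning. Naming the functions, as the matching hunk in test/igetest.c does (`The AES_ige_* functions are deprecated, ...`), would let a maintainer remove the define once those calls are gone; for example `/* speed still calls the deprecated AES_ige_*() functions */`, if that is indeed the reason.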
@@ -73,17 +73,18 @@ void AES_cfb8_encrypt(const unsigned char *in, unsigned char *out, void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out, size_t length, const AES_KEY *key, unsigned char *ivec, int *num); -# ifndef OPENSSL_NO_DEPRECATED_3_0 + /* NB: the IV is _two_ blocks long */ -void AES_ige_encrypt(const unsigned char *in, unsigned char *out, - size_t length, const AES_KEY *key, - unsigned char *ivec, const int enc); +DEPRECATEDIN_3_0(void + AES_ige_encrypt(const unsigned char *in, unsigned char *out, + size_t length, const AES_KEY *key, + unsigned char *ivec, const int enc)) /* NB: the IV is _four_ blocks long */ -void AES_bi_ige_encrypt(const unsigned char *in, unsigned char *out, - size_t length, const AES_KEY *key, - const AES_KEY *key2, const unsigned char *ivec, - const int enc); -# endif +DEPRECATEDIN_3_0(void + AES_bi_ige_encrypt(const unsigned char *in, unsigned char *out, + size_t length, const AES_KEY *key, + const AES_KEY *key2, + const unsigned char *ivec, const int enc)) int AES_wrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out, diff --git a/include/openssl/macros.h b/include/openssl/macros.h index 8548bde542..a38387f131 100644 --- a/include/openssl/macros.h +++ b/include/openssl/macros.h 
@@ -28,15 +28,17 @@ */ # ifndef DECLARE_DEPRECATED # define DECLARE_DEPRECATED(f) f; -# ifdef __GNUC__ -# if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0) -# undef DECLARE_DEPRECATED -# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated)); -# endif -# elif defined(__SUNPRO_C) -# if (__SUNPRO_C >= 0x5130) -# undef DECLARE_DEPRECATED -# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated)); +# ifndef OPENSSL_SUPPRESS_DEPRECATED +# ifdef __GNUC__ +# if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0) +# undef DECLARE_DEPRECATED +# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated)); +# endif +# elif defined(__SUNPRO_C) +# if (__SUNPRO_C >= 0x5130) +# undef DECLARE_DEPRECATED +# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated)); +# endif # endif # endif # endif diff --git a/test/igetest.c b/test/igetest.c index 5a9ebb5b56..7a8ff68802 100644 --- a/test/igetest.c +++ b/test/igetest.c @@ -7,6 +7,9 @@ * https://www.openssl.org/source/license.html */ +/* The AES_ige_* functions are deprecated, so we suppress warnings about them */ +#define OPENSSL_SUPPRESS_DEPRECATED + #include #include #include From kurt at openssl.org Wed Dec 4 18:09:32 2019 From: kurt at openssl.org (Kurt Roeckx) Date: Wed, 04 Dec 2019 18:09:32 +0000 Subject: [web] master update Message-ID: <1575482972.066930.9145.nullmailer@dev.openssl.org> The branch master has been updated via 4139e6e2815280bdd6fe1618a793918c1c7156f2 (commit) from f4b6f035624adcd2228c450cb10e74c940aee37f (commit) - Log ----------------------------------------------------------------- commit 4139e6e2815280bdd6fe1618a793918c1c7156f2 Author: Kurt Roeckx Date: Wed Dec 4 19:09:01 2019 +0100 Update key's expiration date ----------------------------------------------------------------------- Summary of changes: news/openssl-security.asc | 74 +++++++++++++++++++++++------------------------ 1 file changed, 37 insertions(+), 37 deletions(-) 
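Review bot: `OPENSSL_SUPPRESS_DEPRECATED` is introduced in include/openssl/macros.h without a comment or manual text describing it. From the hunk, defining it leaves `DECLARE_DEPRECATED(f)` as the plain declaration `f;`, so only the compiler attribute is dropped, and because of the surrounding `# ifndef DECLARE_DEPRECATED` it has to be defined before the first OpenSSL header is included, which is how apps/speed.c and test/igetest.c use it. A comment above the new `# ifndef`, for example `/* Define OPENSSL_SUPPRESS_DEPRECATED before including any OpenSSL header to silence deprecation warnings; the declarations themselves are unchanged */`, would state that. It is also worth saying that the macro is meant for individual source files: set globally in a build, it hides every use of a deprecated cryptographic function in that code base. The `# ifndef DECLARE_DEPRECATED` block starts before the hunk.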
diff --git a/news/openssl-security.asc b/news/openssl-security.asc index 9dddc89..2b32a4b 100644 --- a/news/openssl-security.asc +++ b/news/openssl-security.asc 
@@ -13,31 +13,31 @@ zYY6spdAN6VtKTMnXTm608yH118p+UOB5rJuKBqk3tMaiIjoyOcya4ImenX85rfK eCOVNtdOC/0N8McfO0eFc6fZxcy7ykZ1a7FLyqQDexpZM7OLoM5SXObX1QARAQAB tDRPcGVuU1NMIHNlY3VyaXR5IHRlYW0gPG9wZW5zc2wtc2VjdXJpdHlAb3BlbnNz bC5vcmc+iQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78Ck -Z9YTy4PH7W0w2JTizos9efUFAlvEwCcFCQmW/3kACgkQ2JTizos9efW23BAAqYqN -dyXOqaK1R6IuYs2fcPcQmIr+sIa4YI3QQj5viT+mz29GjU9BJIUOKAbDod4grVaw -V43moFytTUdUs3vzx/5MQEYPTceq2n7/Y0RdoqztBPPn2FNp1ds/Eo7no9rgCHzB -CVtBpzibEf6Z5/muj9jWvKsLsKBKFltq08KoAjTj8E1gFqoAebGK7eTPEYZkmV1t -L+jZggEFa5xmxLKoArgS6NFqsj7M1ugREKlLL4+GgALnEiGa9r2jeE514YNFXZSN -X9RN9prNpUpDVxAnUmFnk9XllZ9pzyom6Xj6yV7hxxD9RqjPc+9PqLajZ+6myCK9 -mgrvWqAJHKmzQjOljehYGW9AR/1ywcmTOpLC4zuTg9QR0j5Cuxw0yw2k0BWG8x9S -Labllr1YfpfeWuQJptyHOCWck28NCO0uJ9JaPiRuJfPVq1rGMACbI9QoZ9E4rRf1 -UzBuyTrRRygSszb1zmOx/Oc1PAMbwuZYrOby3qUnONTV8CaEe5fgsItYRSCSETuk -UladwcCPpgEkWQJ/WWgqjcnwx4RUJ7aZ+tO6UZdnh7zueyjda9XyTmQcfD/aeEtL -KgbPUFxeMDZQTNr/03uDBqvsM0EBbaHybgUhKTdIx6VbqRxmUVpAksnTOE6Aka8B -IXJb9xr1JotVgM8tuUgW2keNPPwYBAE9l6+k1Fy0JU9wZW5TU0wgT01DIDxvcGVu +Z9YTy4PH7W0w2JTizos9efUFAl3n9TkFCQvHY5oACgkQ2JTizos9efVbRQ//aItr +wyVa5j+OtrMaIJI9x835ES4bBaEIY1YVwGzoKzj+MOxdai0spUR6KZ9TYnEC5R4b +yFac7H9g+R4V5rv3+HogMBTYaCTmbFmZ4Y8viD7YaDsHHMcbHQymyV55l7ZfzyNt +pw3D3acvS3nOij9JQqRTOHuIOtS5FtJh1/+pig5sEk1TigOemJ7cnC7uWmfkzDzx +ywz29EBFZXeFV7Dg+hjkUuVtMqcbhouvjJlwvx7cgcAPwFRZcu7UoirVoq0+sSJj +kxxohVekpc+daZK9ge6qpHi7LObgM64fVPjR4FizuTmHU+f7ptUaI7BEGxmPtmBa +skj1Wi4lkSgQ4SfS7PpnlPphM2Tms7mG4gPO4f0cZ/qZriCoaU5DZ8kPx0xgY7Yf +Uol3NyRxAXJZi7voSWsj/YM1rsyd8Q7bYFW0Rx/hcjbT2AwZcqruqAuYEM6+M3Sb +JzOm28w+lnS7urnog8MBSSX9wsFzwHEXKBiqY2Qp+jU/fmSebqiDrRaAXJPvidCM +gsPNrK6HrQOjemZTG7dReIxqIjWuguhcN4aoellXwJYuR0NOo0uRK79IGbjFU8Vy +UBuv5AMCWgpblLaDyVHkhnQbNjnpvJnVoCqvTU4R0ttmjKQV4aWwgdryuc/a564J +PKcfr4pmeb+4Lfh1SxpNP3O2pzI1OY1zSj5nFRm0JU9wZW5TU0wgT01DIDxvcGVu c3NsLW9tY0BvcGVuc3NsLm9yZz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgID -AQACHgECF4AWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCW8TAGAUJCZb/eQAKCRDY 
-lOLOiz159Xe0EACD9dOKa8Yy0K8xrC77KZteyEJb49O3e0fagjulquebwXQNjdzv -SvAo3W67bwJ2zRA6kBRHzCxh70dtdd9PvD7gkbqombeZ8CKf1ADj0P31I3dOBJM4 -rupTWnzycKkSzR2JvhoXmA7bNqpGIgRtOSJBKNCVPMtLSR/Oc2Z/KckjbldY110s -zaa6ef1lLtc9CrNnQb9GQNu4hrIbRrFFFyvyIb+46R8XPcjCTnwyfMpWo9/6ftk9 -MbpnsQRwsX3YujnzH6z20nlp+vRtNEbXCfkvz4j744QiffYLA9DQHoV4jjaN5cZ1 -3isaODNnIFuq9QPbN6LzlJrfTplQ4ugPmK5IBe1WTIratFGp8bLyb5HRNXVNDblK -RBp1R/V/PWBL5C3IDgyG4zh/09hHqQ1TOMeQYDDDopMb5seKJB0A4oIQNhmDP1tj -3BIPnd9BOHyvkOFD152AVABmwnlHmOi5m77lt4bxU/U66+AoDjvzL9VZfrGcosKo -B+IX6nhp7RYNObZxCJnKyRMtDY1oLTESYCD0OBN3S/0215VUwp5WmloawTbW9pfu -zbbw+Pax/wQDCXmKq1wlkxVUwd2Yx6uiN3QeeZY+mVsFWjBpNPEtwzP9eqWvGXvK -WHo2oDeEUrUHCEWQAfogS9dia4Bk0S3MWX63ibmWwYeuUf6Wy1C5KXbm/7QnT3Bl +AQACHgECF4AWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCXef1QQUJC8djmgAKCRDY +lOLOiz159UcFD/9XdBn0wKmEwBO2KyM/zfHLpTysV3A1QM98C3Oy2/jPI/wcWmIN +1PoXbDEUGTBCKAEYhcnQKb5E7FsD+68i/07S5eBP65R24G182f6Qofy8Hy/Kbed/ +GmQEoprDaYqpUp6qFoPxBExW8bwEzkSRWTz4d/ptjDREOF3d4oJS3CE/HOr3l9Jy +0Jgvg1iAw2uiRSNb5/miUZM7wa/wGYmJmtbGomr3/suyyLeRh4UwoOAZulB6crql +ITxoyv9M7IF+YAYIdRQB1/zbE6d+i+5AKeyGmBxhXyYlIIFHjmFpMmz+HbHZ31tr +FodE/1EK9kxGcOOv9jSxiplLdgl0d4XqAb2wsNYygNb2n6uj/7Vz+iZwWnCDfNEo +UPazufcFh4KMPV6ZzqguXWpV6aV40rEjqWWwXfwXiSL7Yc1TYdnj+koCy2sXoiLd +d2VlCX/wWhl38KsAN69OgYlDNVne5ctQ2zpdYyYrQZlL9yk164evBroZGOrJSTl4 +5ZNSmsbX/alNQRTCVuPmICY6KOEE0CylvhcZtXbDvT9OTm0wNg99jj0Hpd3r8I6d +zGlsBfnipSWVnXtg4ozzvsIKdHy/1kfbiojwBwhD3QyIheQuA1MfmbItw60olEHH +iGqEzcztmQBTSXtyZ2ZhhPN9ZYGAxFmDmju3alqOqRIwu3C86WN3XCl/urQnT3Bl blNTTCB0ZWFtIDxvcGVuc3NsLXRlYW1Ab3BlbnNzbC5vcmc+iQJZBDABCgBDFiEE 78CkZ9YTy4PH7W0w2JTizos9efUFAlnZ9jUlHSBSZXBsYWNlZCBieSBvcGVuc3Ns LW9tY0BvcGVuc3NsLm9yZwAKCRDYlOLOiz159VAiD/wLVz8KE84z+iPBcDXJR4hr 
@@ -63,17 +63,17 @@ ncd+VYvth6cM9jDWsTJAXEaqNoFjVfw227NnQ/hxqGCwEVzweBi7a7dix3nCa9JO w5eV3xCyezUohQ6nOBbDnoAnp3FLeUrhBJQXCPNtlb0fSMnj14EwBoD6EKO/xz/g EW5mr0a+xp+fjbkvHVX/c8UmU+7nlX7upaN46RLM1y0yWYKo9BV61tn+kcsAk7kh Q7dKhOzmSXpsBHMAEQEAAYkCPAQYAQoAJgIbDBYhBO/ApGfWE8uDx+1tMNiU4s6L -PXn1BQJcCEC3BQkJl0OYAAoJENiU4s6LPXn12EAP/Aq6g9XE6Hodr9ig01NC5VtZ -ryNvxSQtMnQuIJIiCcpY0rVzCLVI+Qcnd66vZIm+7w6WEBJQo6F/9zMPS36OQXDc -2UE4Wz3Sgrwk1PYnRu77M/eEdDsCWsSNjQR0wvjqNuZEAxb8qOs1qkg2pXGdNWW5 -lZ6017A7osKOBhTOdYWR7LXtMRTY1npg6ayHomkIf4oIJhhmnRauCZdCIKG3UG/q -L3pbLc31IvL3U0/lgsMKqi1VbKt5maNuq5Fld8XgBmTznq1mKTqVsJIrV+IERoXb -esk1PBEHYhEcHYSmAy6xPyjXXliGw3+WlDIaXvJtsMs9DSr3LoK8w/aD1Gct3jzT -isx+MbJa5dIOYxGVHn1PUA+rQAAbf3DR26xxOgGlPNNXHvhvASaa/f9h7zvQ335m -GCzBr4ZgtRGaNMnllAriL4MV1n1234+6ri177hQirsCtXQ8n8Swcx2wDjWcXFLsQ -P60qs23jkjwyQI7EK2X/cMJnsWfc69fk+K7s9/Yh6SaVwuYQhcVEimq3E2MdSIHW -li90mxGkLF7fyNWxoDzSx81xxp98jdocLxPE13Z794vepShRhGtAd0+pE6IWRNK8 -ktfYS9okDGtcUygdCPH8AGKCaPOI3igOHsRg4EzW/pP9p025bie71W3XWI5Q9LSK -IIDso8yXpj81Y6M8gLz/ -=6A1a +PXn1BQJd5/VdBQkLx2O+AAoJENiU4s6LPXn1YRkP/2xVlNtTQpCYamiP7N2+aetg +1pXftTqUQsulSagT0vtLjT2O+pOP7B0Wj1/q4m/ny/NQa/8KRXurry8VbC+6FPz4 +3jcFjdGif1E7reEL27YgW2zwae3dt+AwgKzLhOiXqkpZeiU5n6+43e1loRiPbNM3 +2Juj0XdV7IjUinMoEDlX6xp2w2ZmSoii2+r/Ts2m9h/UbILyoTCFZG4hI6mGej7u +QFwcnZNJTXnTPBEczIpYFWyLA+vPU/8YVolUVlzWOv15InAerQX/eQ0LTkax0Fh+ +LzoE2itiALthAf2JAnmyGmc41ISrexwTcJUr03LIpOUn90a0qktIwt+7kH463CuQ +K68FEPaAxtE2MAoO9e/wxWa7WWtY3LEMFhM5l5WgQjydBHtthc9a+QeHeiRmzGZr +wPetm5iJXYdagA5qZS87vChr/6kP0UD0JLAOr4TGa3Kn6jOG8J+jyTbYfrpZf8O2 +eqfagD3YX4tOAM+1uX7IvsU2bDQUZ/ucyUzdSNmRkErLQPheJ7dpg4EMlP3hAcsB +uDX9fcCnp4WOR3bwayOMAACa9FKuTS03+Hh/Ds75R6MW3u7a0xk4h0MsuJR+OIot +NrmGFutOuR+GxNF/km/Xod7P7M27yvUQ/j9lcsg0EYPBOdG1x2IP739fAH83luTm +3WE76/JWH40w3RvCFWmT +=u/5v -----END PGP PUBLIC KEY BLOCK----- From builds at travis-ci.org Wed Dec 4 18:24:15 2019 
From: builds at travis-ci.org (Travis CI) Date: Wed, 04 Dec 2019 18:24:15 +0000 Subject: Still Failing: openssl/openssl#30519 (master - 7573fe1) In-Reply-To: Message-ID: <5de7f9cf5f4e4_43f9e2d5e29cc165386@368c65d2-1d9c-4ffd-bf70-194ba849f2ea.mail> Build Update for openssl/openssl ------------------------------------- Build: #30519 Status: Still Failing Duration: 32 mins and 1 sec Commit: 7573fe1 (master) Author: Matt Caswell Message: Deprecate the AES_ige_*() functions These functions were already partially deprecated. Now we do it fully. Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/10558) View the changeset: https://github.com/openssl/openssl/compare/25d7cd1d69e5...7573fe1af54c View the full build log and details: https://travis-ci.org/openssl/openssl/builds/620742841?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Wed Dec 4 19:00:44 2019 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 04 Dec 2019 19:00:44 +0000 Subject: Build failed: openssl master.29948 Message-ID: <20191204190044.1.E716C0D925975691@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Wed Dec 4 19:33:41 2019 
From: no-reply at appveyor.com (AppVeyor) Date: Wed, 04 Dec 2019 19:33:41 +0000 Subject: Build completed: openssl master.29949 Message-ID: <20191204193341.1.0E14F39FBE047D4D@appveyor.com> An HTML attachment was scrubbed... URL: From pauli at openssl.org Wed Dec 4 21:26:34 2019 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 04 Dec 2019 21:26:34 +0000 Subject: [openssl] master update Message-ID: <1575494794.729392.28983.nullmailer@dev.openssl.org> The branch master has been updated via 7ba46774b7f1b2e83d44323a8831b615a49f9f37 (commit) from 7573fe1af54c190ccd8d07d753b334637a30f3a2 (commit) - Log ----------------------------------------------------------------- commit 7ba46774b7f1b2e83d44323a8831b615a49f9f37 Author: Pauli Date: Tue Dec 3 19:56:41 2019 +1000 Remove spurious space from file. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/10562) ----------------------------------------------------------------------- Summary of changes: NOTES.ANDROID | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NOTES.ANDROID b/NOTES.ANDROID index 5eb29fb994..f19ec71b83 100644 --- a/NOTES.ANDROID +++ b/NOTES.ANDROID @@ -39,7 +39,7 @@ PATH=$ANDROID_NDK_HOME/toolchains/llvm/prebuilt/linux-x86_64/bin:$ANDROID_NDK_HOME/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin:$PATH ./Configure android-arm64 -D__ANDROID_API__=29 make - + Older versions of the NDK have GCC under their common prebuilt tools directory, so the bin path will be slightly different. EG: to compile for ICS on ARM with NDK 10d: From pauli at openssl.org Wed Dec 4 21:27:13 2019 
From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 04 Dec 2019 21:27:13 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1575494833.142426.29985.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 1d320e5c4cb90f75565465b89e6e5fd09cf2093b (commit) from cdb2763e7daeea87c61ea874ae820046d84dd016 (commit) - Log ----------------------------------------------------------------- commit 1d320e5c4cb90f75565465b89e6e5fd09cf2093b Author: Pauli Date: Tue Dec 3 19:56:41 2019 +1000 Remove spurious space from file. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/10562) (cherry picked from commit 7ba46774b7f1b2e83d44323a8831b615a49f9f37) ----------------------------------------------------------------------- Summary of changes: NOTES.ANDROID | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NOTES.ANDROID b/NOTES.ANDROID index 5eb29fb994..f19ec71b83 100644 --- a/NOTES.ANDROID +++ b/NOTES.ANDROID @@ -39,7 +39,7 @@ PATH=$ANDROID_NDK_HOME/toolchains/llvm/prebuilt/linux-x86_64/bin:$ANDROID_NDK_HOME/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin:$PATH ./Configure android-arm64 -D__ANDROID_API__=29 make - + Older versions of the NDK have GCC under their common prebuilt tools directory, so the bin path will be slightly different. EG: to compile for ICS on ARM with NDK 10d: From builds at travis-ci.org Wed Dec 4 22:01:31 2019 
From: builds at travis-ci.org (Travis CI) Date: Wed, 04 Dec 2019 22:01:31 +0000 Subject: Still Failing: openssl/openssl#30529 (master - 7ba4677) In-Reply-To: Message-ID: <5de82cb8e5e91_43f91a9ee2ef4135489@9aa4f431-1e84-47e6-abc1-6a2d00b6ebf5.mail> Build Update for openssl/openssl ------------------------------------- Build: #30529 Status: Still Failing Duration: 34 mins and 26 secs Commit: 7ba4677 (master) Author: Pauli Message: Remove spurious space from file. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/10562) View the changeset: https://github.com/openssl/openssl/compare/7573fe1af54c...7ba46774b7f1 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/620831656?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From openssl at openssl.org Wed Dec 4 22:04:03 2019 
From: openssl at openssl.org (OpenSSL run-checker) Date: Wed, 04 Dec 2019 22:04:03 +0000 Subject: FAILED build of OpenSSL branch master with options -d --strict-warnings Message-ID: <1575497043.969014.22462.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 4.15.0-54-generic #58-Ubuntu SMP Mon Jun 24 10:55:24 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings Commit log since last time: 7ba46774b7 Remove spurious space from file. 7573fe1af5 Deprecate the AES_ige_*() functions 67b8f5bdbf Add the ability to supress deprecation warnings 25d7cd1d69 add X509_cmp_timeframe() including its documentation dc5d74e648 util/mkerr.pl: don't stop reading conserved symbols from the state file 278de77b88 configdata.pm.in: Don't try to quotify undefined values Build log ended with (last 100 lines): $ CC=clang ../openssl/config -d --strict-warnings Operating system: x86_64-whatever-linux2 Configuring OpenSSL version 3.0.0-dev for target linux-x86_64-clang Using os-specific seed configuration Creating configdata.pm Running configdata.pm Creating Makefile ********************************************************************** *** *** *** OpenSSL has been successfully configured *** *** *** *** If you encounter a problem while building, please open an *** *** issue on GitHub *** *** and include the output from the following command: *** *** *** *** perl configdata.pm --dump *** *** *** *** (If you are new to OpenSSL, you might want to consult the *** *** 'Troubleshooting' section in the INSTALL file first) *** *** *** ********************************************************************** $ make clean rm -f libcrypto.so.3 rm -f libcrypto.so rm -f libssl.so.3 rm -f libssl.so rm -f apps/libapps.a libcrypto.a libssl.a providers/libcommon.a providers/libfips.a providers/libimplementations.a providers/liblegacy.a providers/libnonfips.a test/libtestutil.a rm -f *.ld rm -f doc/html/man1/CA.pl.html 
doc/html/man1/openssl-asn1parse.html doc/html/man1/openssl-ca.html doc/html/man1/openssl-ciphers.html doc/html/man1/openssl-cmds.html doc/html/man1/openssl-cms.html doc/html/man1/openssl-crl.html doc/html/man1/openssl-crl2pkcs7.html doc/html/man1/openssl-dgst.html doc/html/man1/openssl-dhparam.html doc/html/man1/openssl-dsa.html doc/html/man1/openssl-dsaparam.html doc/html/man1/openssl-ec.html doc/html/man1/openssl-ecparam.html doc/html/man1/openssl-enc.html doc/html/man1/openssl-engine.html doc/html/man1/openssl-errstr.html doc/html/man1/openssl-fipsinstall.html doc/html/man1/openssl-gendsa.html doc/html/man1/openssl-genpkey.html doc/html/man1/openssl-genrsa.html doc/html/man1/openssl-info.html doc/html/man1/openssl-kdf.html doc/html/man1/openssl-list.html doc/html/man1/openssl-mac.html doc/html/man1/openssl-nseq.html doc/html/man1/openssl-ocsp.html doc/html/man1/openssl-passwd.html doc/html/man1/openssl-pkcs12.html doc/html/man1/openssl-pkcs7.html doc/html/man1/openssl-pkcs8.html doc/html/man1/openssl-pkey.html doc/html/man1/openssl-pkeyparam.html doc/html/man1/openssl-pkeyutl.html doc/html/man1/openssl-prime.html doc/html/man1/openssl-provider.html doc/html/man1/openssl-rand.html doc/html/man1/openssl-rehash.html doc/html/man1/openssl-req.html doc/html/man1/openssl-rsa.html doc/html/man1/openssl-rsautl.html doc/html/man1/openssl-s_client.html doc/html/man1/openssl-s_server.html doc/html/man1/openssl-s_time.html doc/html/man1/openssl-sess_id.html doc/html/man1/openssl-smime.html doc/html/man1/openssl-speed.html doc/html/man1/openssl-spkac.html doc/html/man1/openssl-srp.html doc/html/man1/openssl-storeutl.html doc/html/man1/openssl-ts.html doc/html/man1/openssl-verify.html doc/html/man1/openssl-version.html doc/html/man1/openssl-x509.html doc/html/man1/openssl.html doc/html/man1/tsget.html doc/html/man3/ADMISSIONS.html doc/html/man3/ASN1_INTEGER_get_int64.html doc/html/man3/ASN1_ITEM_lookup.html doc/html/man3/ASN1_OBJECT_new.html 
doc/html/man3/ASN1_STRING_TABLE_add.html doc/html/man3/ASN1_STRING_length.html doc/html/man3/ASN1_STRING_new.html doc/html/man3/ASN1_STRING_print_ex.html doc/html/man3/ASN1_TIME_set.html doc/html/man3/ASN1_TYPE_get.html doc/html/man3/ASN1_generate_nconf.html doc/html/man3/ASYNC_WAIT_CTX_new.html doc/html/man3/ASYNC_start_job.html doc/html/man3/BF_encrypt.html doc/html/man3/BIO_ADDR.html doc/html/man3/BIO_ADDRINFO.html doc/html/man3/BIO_connect.html doc/html/man3/BIO_ctrl.html doc/html/man3/BIO_f_base64.html doc/html/man3/BIO_f_buffer.html doc/html/man3/BIO_f_cipher.html doc/html/man3/BIO_f_md.html doc/html/man3/BIO_f_null.html doc/html/man3/BIO_f_ssl.html doc/html/man3/BIO_find_type.html doc/html/man3/BIO_get_data.html doc/html/man3/BIO_get_ex_new_index.html doc/html/man3/BIO_meth_new.html doc/html/man3/BIO_new.html doc/html/man3/BIO_new_CMS.html doc/html/man3/BIO_parse_hostserv.html doc/html/man3/BIO_printf.html doc/html/man3/BIO_push.html doc/html/man3/BIO_read.html doc/html/man3/BIO_s_accept.html doc/html/man3/BIO_s_bio.html doc/html/man3/BIO_s_connect.html doc/html/man3/BIO_s_fd.html doc/html/man3/BIO_s_file.html doc/html/man3/BIO_s_mem.html doc/html/man3/BIO_s_null.html doc/html/man3/BIO_s_socket.html doc/html/man3/BIO_set_callback.html doc/html/man3/BIO_should_retry.html doc/html/man3/BN_BLINDING_new.html doc/html/man3/BN_CTX_new.html doc/html/man3/BN_CTX_start.html doc/html/man3/BN_add.html doc/html/man3/BN_add_word.html doc/html/man3/BN_bn2bin.html doc/html/man3/BN_cmp.html doc/html/man3/BN_copy.html doc/html/man3/BN_generate_prime.html doc/html/man3/BN_mod_inverse.html doc/html/man3/BN_mod_mul_montgomery.html doc/html/man3/BN_mod_mul_reciprocal.html doc/html/man3/BN_new.html doc/html/man3/BN_num_bytes.html doc/html/man3/BN_rand.html doc/html/man3/BN_security_bits.html doc/html/man3/BN_set_bit.html doc/html/man3/BN_swap.html doc/html/man3/BN_zero.html doc/html/man3/BUF_MEM_new.html doc/html/man3/CMS_add0_cert.html doc/html/man3/CMS_add1_recipient_cert.html 
doc/html/man3/CMS_add1_signer.html doc/html/man3/CMS_compress.html doc/html/man3/CMS_decrypt.html doc/html/man3/CMS_encrypt.html doc/html/man3/CMS_final.html doc/html/man3/CMS_get0_RecipientInfos.html doc/html/man3/CMS_get0_SignerInfos.html doc/html/man3/CMS_get0_type.html doc/html/man3/CMS_get1_ReceiptRequest.html doc/html/man3/CMS_sign.html doc/html/man3/CMS_sign_receipt.html doc/html/man3/CMS_uncompress.html doc/html/man3/CMS_verify.html doc/html/man3/CMS_verify_receipt.html doc/html/man3/CONF_modules_free.html doc/html/man3/CONF_modules_load_file.html doc/html/man3/CRYPTO_THREAD_run_once.html doc/html/man3/CRYPTO_get_ex_new_index.html doc/html/man3/CRYPTO_memcmp.html doc/html/man3/CTLOG_STORE_get0_log_by_id.html doc/html/man3/CTLOG_STORE_new.html doc/html/man3/CTLOG_new.html doc/html/man3/CT_POLICY_EVAL_CTX_new.html doc/html/man3/DEFINE_STACK_OF.html doc/html/man3/DES_random_key.html doc/html/man3/DH_generate_key.html doc/html/man3/DH_generate_parameters.html doc/html/man3/DH_get0_pqg.html doc/html/man3/DH_get_1024_160.html doc/html/man3/DH_meth_new.html doc/html/man3/DH_new.html doc/html/man3/DH_new_by_nid.html doc/html/man3/DH_set_method.html doc/html/man3/DH_size.html doc/html/man3/DSA_SIG_new.html doc/html/man3/DSA_do_sign.html doc/html/man3/DSA_dup_DH.html doc/html/man3/DSA_generate_key.html doc/html/man3/DSA_generate_parameters.html doc/html/man3/DSA_get0_pqg.html doc/html/man3/DSA_meth_new.html doc/html/man3/DSA_new.html doc/html/man3/DSA_set_method.html doc/html/man3/DSA_sign.html doc/html/man3/DSA_size.html doc/html/man3/DTLS_get_data_mtu.html doc/html/man3/DTLS_set_timer_cb.html doc/html/man3/DTLSv1_listen.html doc/html/man3/ECDSA_SIG_new.html doc/html/man3/ECPKParameters_print.html doc/html/man3/EC_GFp_simple_method.html doc/html/man3/EC_GROUP_copy.html doc/html/man3/EC_GROUP_new.html doc/html/man3/EC_KEY_get_enc_flags.html doc/html/man3/EC_KEY_new.html doc/html/man3/EC_POINT_add.html doc/html/man3/EC_POINT_new.html doc/html/man3/ENGINE_add.html 
doc/html/man3/ERR_GET_LIB.html doc/html/man3/ERR_clear_error.html doc/html/man3/ERR_error_string.html doc/html/man3/ERR_get_error.html doc/html/man3/ERR_load_crypto_strings.html doc/html/man3/ERR_load_strings.html doc/html/man3/ERR_new.html doc/html/man3/ERR_print_errors.html doc/html/man3/ERR_put_error.html doc/html/man3/ERR_remove_state.html doc/html/man3/ERR_set_mark.html doc/html/man3/EVP_ASYM_CIPHER_free.html doc/html/man3/EVP_BytesToKey.html doc/html/man3/EVP_CIPHER_CTX_get_cipher_data.html doc/html/man3/EVP_CIPHER_meth_new.html doc/html/man3/EVP_DigestInit.html doc/html/man3/EVP_DigestSignInit.html doc/html/man3/EVP_DigestVerifyInit.html doc/html/man3/EVP_ From builds at travis-ci.org Wed Dec 4 22:05:44 2019 
From: builds at travis-ci.org (Travis CI) Date: Wed, 04 Dec 2019 22:05:44 +0000 Subject: Still Failing: openssl/openssl#30530 (OpenSSL_1_1_1-stable - 1d320e5) In-Reply-To: Message-ID: <5de82db7475d2_43f9fe9215ad41730da@198c0dd9-fcb5-4668-9c2c-b6b61fd8ffc5.mail> Build Update for openssl/openssl ------------------------------------- Build: #30530 Status: Still Failing Duration: 26 mins and 23 secs Commit: 1d320e5 (OpenSSL_1_1_1-stable) Author: Pauli Message: Remove spurious space from file. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/10562) (cherry picked from commit 7ba46774b7f1b2e83d44323a8831b615a49f9f37) View the changeset: https://github.com/openssl/openssl/compare/cdb2763e7dae...1d320e5c4cb9 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/620831969?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Wed Dec 4 22:59:38 2019 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 04 Dec 2019 22:59:38 +0000 Subject: Build failed: openssl master.29958 Message-ID: <20191204225938.1.97544D10249492D4@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Thu Dec 5 00:06:44 2019 
From: no-reply at appveyor.com (AppVeyor) Date: Thu, 05 Dec 2019 00:06:44 +0000 Subject: Build completed: openssl OpenSSL_1_1_1-stable.29959 Message-ID: <20191205000644.1.55ED17C52F2D8579@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Thu Dec 5 00:12:26 2019 From: no-reply at appveyor.com (AppVeyor) Date: Thu, 05 Dec 2019 00:12:26 +0000 Subject: Build failed: openssl master.29960 Message-ID: <20191205001226.1.8E393CE7041C4C6E@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Thu Dec 5 00:43:21 2019 From: no-reply at appveyor.com (AppVeyor) Date: Thu, 05 Dec 2019 00:43:21 +0000 Subject: Build completed: openssl master.29961 Message-ID: <20191205004321.1.F54A845ECB37D6AC@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Thu Dec 5 02:10:47 2019 From: no-reply at appveyor.com (AppVeyor) Date: Thu, 05 Dec 2019 02:10:47 +0000 Subject: Build failed: openssl master.29973 Message-ID: <20191205021047.1.345EE72F7CFDB6B4@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Thu Dec 5 02:37:53 2019 From: no-reply at appveyor.com (AppVeyor) Date: Thu, 05 Dec 2019 02:37:53 +0000 Subject: Build completed: openssl OpenSSL_1_1_1-stable.29974 Message-ID: <20191205023753.1.E08BF5EF3CCF2FE5@appveyor.com> An HTML attachment was scrubbed... URL: From shane.lontis at oracle.com Thu Dec 5 04:42:10 2019 
From: shane.lontis at oracle.com (shane.lontis at oracle.com) Date: Thu, 05 Dec 2019 04:42:10 +0000 Subject: [openssl] master update Message-ID: <1575520930.532772.26225.nullmailer@dev.openssl.org> The branch master has been updated via 6df44cf65fbc7e150965149d7e681ac3e22d11d8 (commit) from 7ba46774b7f1b2e83d44323a8831b615a49f9f37 (commit) - Log ----------------------------------------------------------------- commit 6df44cf65fbc7e150965149d7e681ac3e22d11d8 Author: Fangming.Fang Date: Mon Dec 2 02:44:21 2019 +0000 Fix exit issue in travisci Ungraceful 'exit' probably causes unexpeced error on background activity. So replace 'exit' with recommended 'travis_terminate'. Also see https://travis-ci.community/t/exit-0-cannot-exit-successfully-on-arm/5731/4 Change-Id: I382bd93a3e15ecdf305bab23fc4adefbf0348ffb Reviewed-by: Richard Levitte Reviewed-by: Matthias St. Pierre Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/10561) ----------------------------------------------------------------------- Summary of changes: .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index a5b66b3dfa..5e65d37795 100644 --- a/.travis.yml +++ b/.travis.yml @@ -130,7 +130,7 @@ matrix: before_script: - env - if [ "$TRAVIS_PULL_REQUEST" != "false" -a -n "$EXTENDED_TEST" ]; then - (git log -1 $TRAVIS_COMMIT_RANGE | grep '\[extended tests\]' > /dev/null) || exit 0; + (git log -1 $TRAVIS_COMMIT_RANGE | grep '\[extended tests\]' > /dev/null) || travis_terminate 0; fi - if [ -n "$DESTDIR" ]; then sh .travis-create-release.sh $TRAVIS_OS_NAME; From shane.lontis at oracle.com Thu Dec 5 04:51:56 2019 
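Review bot: The new line `(git log -1 $TRAVIS_COMMIT_RANGE | grep '\[extended tests\]' > /dev/null) || travis_terminate 0;` depends on a helper that is provided by the Travis build environment rather than by the shell, and nothing in the file says so. Anyone reusing this `before_script` step outside Travis would presumably get a command-not-found error instead of a clean early exit. A comment above the `- if [ "$TRAVIS_PULL_REQUEST" != "false" ...` item would cover it, for example `# travis_terminate comes from the Travis build environment; a plain exit was reported to cause errors in background activity`. The same applies to the identical hunk in the OpenSSL_1_1_1-stable cherry-pick that follows. The `before_script` list continues outside the hunk.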
From: shane.lontis at oracle.com (shane.lontis at oracle.com) Date: Thu, 05 Dec 2019 04:51:56 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1575521516.388282.28495.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 7a4d39f0d176f0d17f2de15672e1869b22f3e1d8 (commit) from 1d320e5c4cb90f75565465b89e6e5fd09cf2093b (commit) - Log ----------------------------------------------------------------- commit 7a4d39f0d176f0d17f2de15672e1869b22f3e1d8 Author: Fangming.Fang Date: Mon Dec 2 02:44:21 2019 +0000 Fix exit issue in travisci Ungraceful 'exit' probably causes unexpeced error on background activity. So replace 'exit' with recommended 'travis_terminate'. Also see https://travis-ci.community/t/exit-0-cannot-exit-successfully-on-arm/5731/4 Change-Id: I382bd93a3e15ecdf305bab23fc4adefbf0348ffb Reviewed-by: Richard Levitte Reviewed-by: Matthias St. Pierre Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/10561) (cherry picked from commit 6df44cf65fbc7e150965149d7e681ac3e22d11d8) ----------------------------------------------------------------------- Summary of changes: .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 455ccd628f..5e760e5f72 100644 --- a/.travis.yml +++ b/.travis.yml @@ -152,7 +152,7 @@ matrix: before_script: - env - if [ "$TRAVIS_PULL_REQUEST" != "false" -a -n "$EXTENDED_TEST" ]; then - (git log -1 $TRAVIS_COMMIT_RANGE | grep '\[extended tests\]' > /dev/null) || exit 0; + (git log -1 $TRAVIS_COMMIT_RANGE | grep '\[extended tests\]' > /dev/null) || travis_terminate 0; fi - if [ -n "$DESTDIR" ]; then sh .travis-create-release.sh $TRAVIS_OS_NAME; From builds at travis-ci.org Thu Dec 5 05:15:44 2019 
From: builds at travis-ci.org (Travis CI) Date: Thu, 05 Dec 2019 05:15:44 +0000 Subject: Still Failing: openssl/openssl#30551 (master - 6df44cf) In-Reply-To: Message-ID: <5de892803dd80_43f9fea7475b0278894@198c0dd9-fcb5-4668-9c2c-b6b61fd8ffc5.mail> Build Update for openssl/openssl ------------------------------------- Build: #30551 Status: Still Failing Duration: 32 mins and 58 secs Commit: 6df44cf (master) Author: Fangming.Fang Message: Fix exit issue in travisci Ungraceful 'exit' probably causes unexpeced error on background activity. So replace 'exit' with recommended 'travis_terminate'. Also see https://travis-ci.community/t/exit-0-cannot-exit-successfully-on-arm/5731/4 Change-Id: I382bd93a3e15ecdf305bab23fc4adefbf0348ffb Reviewed-by: Richard Levitte Reviewed-by: Matthias St. Pierre Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/10561) View the changeset: https://github.com/openssl/openssl/compare/7ba46774b7f1...6df44cf65fbc View the full build log and details: https://travis-ci.org/openssl/openssl/builds/620957723?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From builds at travis-ci.org Thu Dec 5 05:22:14 2019 
From: builds at travis-ci.org (Travis CI) Date: Thu, 05 Dec 2019 05:22:14 +0000 Subject: Still Failing: openssl/openssl#30552 (OpenSSL_1_1_1-stable - 7a4d39f) In-Reply-To: Message-ID: <5de894065480d_43fe6a27161149636d@7e7b2e66-7a26-4a47-b6ed-3acf6383771c.mail> Build Update for openssl/openssl ------------------------------------- Build: #30552 Status: Still Failing Duration: 14 mins and 32 secs Commit: 7a4d39f (OpenSSL_1_1_1-stable) Author: Fangming.Fang Message: Fix exit issue in travisci Ungraceful 'exit' probably causes unexpeced error on background activity. So replace 'exit' with recommended 'travis_terminate'. Also see https://travis-ci.community/t/exit-0-cannot-exit-successfully-on-arm/5731/4 Change-Id: I382bd93a3e15ecdf305bab23fc4adefbf0348ffb Reviewed-by: Richard Levitte Reviewed-by: Matthias St. Pierre Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/10561) (cherry picked from commit 6df44cf65fbc7e150965149d7e681ac3e22d11d8) View the changeset: https://github.com/openssl/openssl/compare/1d320e5c4cb9...7a4d39f0d176 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/620959682?utm_medium=notification&utm_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220&utm_medium=notification&utm_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification&utm_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Thu Dec 5 06:16:00 2019 
From: no-reply at appveyor.com (AppVeyor) Date: Thu, 05 Dec 2019 06:16:00 +0000 Subject: Build failed: openssl master.29980 Message-ID: <20191205061600.1.7A3A0426104273E5@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Thu Dec 5 07:15:49 2019 From: no-reply at appveyor.com (AppVeyor) Date: Thu, 05 Dec 2019 07:15:49 +0000 Subject: Build completed: openssl OpenSSL_1_1_1-stable.29981 Message-ID: <20191205071549.1.BBB0472770FC8563@appveyor.com> An HTML attachment was scrubbed... URL: From matt at openssl.org Thu Dec 5 16:21:20 2019 
From: matt at openssl.org (Matt Caswell) Date: Thu, 05 Dec 2019 16:21:20 +0000 Subject: [openssl] master update Message-ID: <1575562880.483178.14181.nullmailer@dev.openssl.org> The branch master has been updated via 350c92351705aa5916ffdf07fd7b81c1cbcb178b (commit) via e7db9680db57e180c525bc57c3858d8dd5637940 (commit) via d9a75107478380641b6862acac74d0bb870a5374 (commit) from 6df44cf65fbc7e150965149d7e681ac3e22d11d8 (commit) - Log ----------------------------------------------------------------- commit 350c92351705aa5916ffdf07fd7b81c1cbcb178b Author: Matt Caswell Date: Mon Nov 11 16:33:24 2019 +0000 Add documentation for the newly added RSA_PKCS1_WITH_TLS_PADDING Documentation for RSA_PKCS1_WITH_TLS_PADDING padding mode as per the previous commits, as well as the associated parameters for this mode. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/10411) commit e7db9680db57e180c525bc57c3858d8dd5637940 Author: Matt Caswell Date: Mon Nov 11 15:54:33 2019 +0000 Move constant time RSA code out of libssl Server side RSA key transport code in a Client Key Exchange message currently uses constant time code to check that the RSA decrypt is correctly formatted. The previous commit taught the underlying RSA implementation how to do this instead, so we use that implementation and remove this code from libssl. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/10411) commit d9a75107478380641b6862acac74d0bb870a5374 Author: Matt Caswell Date: Mon Nov 11 14:37:02 2019 +0000 Teach the RSA implementation about TLS RSA Key Transport In TLSv1.2 a pre-master secret value is passed from the client to the server encrypted using RSA PKCS1 type 2 padding in a ClientKeyExchange message. As well as the normal formatting rules for RSA PKCS1 type 2 padding TLS imposes some additional rules about what constitutes a well formed key.
Specifically it must be exactly the right length and encode the TLS version originally requested by the client (as opposed to the actual negotiated version) in its first two bytes. All of these checks need to be done in constant time and, if they fail, then the TLS implementation is supposed to continue anyway with a random key (and therefore the connection will fail later on). This avoids padding oracle type attacks. This commit implements this within the RSA padding code so that we keep all the constant time padding logic in one place. A later commit will remove it from libssl. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/10411) ----------------------------------------------------------------------- Summary of changes: crypto/err/openssl.txt | 2 + crypto/rsa/rsa_pk1.c | 125 ++++++++++++++++++- doc/man3/EVP_PKEY_CTX_ctrl.pod | 23 +++- doc/man7/provider-asymcipher.pod | 17 +++ include/crypto/rsa.h | 4 + include/openssl/core_names.h | 16 +-- include/openssl/rsa.h | 14 ++- providers/common/include/prov/providercommonerr.h | 2 + providers/common/provider_err.c | 3 + providers/implementations/asymciphers/rsa_enc.c | 100 +++++++++++++--- ssl/statem/statem_srvr.c | 140 ++++++++-------------- 11 files changed, 322 insertions(+), 124 deletions(-) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index e81c32fe4f..4baed5c48e 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt 
@@ -2684,9 +2684,11 @@ PROV_R_AES_KEY_SETUP_FAILED:101:aes key setup failed PROV_R_BAD_DECRYPT:100:bad decrypt PROV_R_BAD_ENCODING:141:bad encoding PROV_R_BAD_LENGTH:142:bad length +PROV_R_BAD_TLS_CLIENT_VERSION:161:bad tls client version PROV_R_BN_ERROR:160:bn error PROV_R_BOTH_MODE_AND_MODE_INT:127:both mode and mode int PROV_R_CIPHER_OPERATION_FAILED:102:cipher operation failed +PROV_R_FAILED_TO_DECRYPT:162:failed to decrypt PROV_R_FAILED_TO_GENERATE_KEY:121:failed to generate key PROV_R_FAILED_TO_GET_PARAMETER:103:failed to get parameter PROV_R_FAILED_TO_SET_PARAMETER:104:failed to set parameter diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c index 0c77422404..007e9b8cd5 100644 --- a/crypto/rsa/rsa_pk1.c +++ b/crypto/rsa/rsa_pk1.c @@ -10,10 +10,13 @@ #include "internal/constant_time.h" #include -#include "internal/cryptlib.h" #include #include #include +/* Just for the SSL_MAX_MASTER_KEY_LENGTH value */ +#include +#include "internal/cryptlib.h" +#include "crypto/rsa.h" int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, const unsigned char *from, int flen) 
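Review bot: The include added under `/* Just for the SSL_MAX_MASTER_KEY_LENGTH value */` in the `crypto/rsa/rsa_pk1.c` hunk makes the RSA padding code depend on a TLS-layer header for a single constant, and the comment does not say what that constant stands for (the header name itself is not legible in this listing). The function added later in the same file uses the value both to size a stack buffer and to compute offsets into the decrypted block, so a reader of the padding check needs to know its meaning. I would expand the comment, for example `/* SSL_MAX_MASTER_KEY_LENGTH: length of the TLS pre-master secret handled by rsa_padding_check_PKCS1_type_2_TLS() */`.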
@@ -253,3 +256,123 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, return constant_time_select_int(good, mlen, -1); } + +/* + * rsa_padding_check_PKCS1_type_2_TLS() checks and removes the PKCS1 type 2 + * padding from a decrypted RSA message in a TLS signature. The result is stored + * in the buffer pointed to by |to| which should be |tlen| bytes long. |tlen| + * must be at least SSL_MAX_MASTER_KEY_LENGTH. The original decrypted message + * should be stored in |from| which must be |flen| bytes in length and padded + * such that |flen == RSA_size()|. The TLS protocol version that the client + * originally requested should be passed in |client_version|. Some buggy clients + * can exist which use the negotiated version instead of the originally + * requested protocol version. If it is necessary to work around this bug then + * the negotiated protocol version can be passed in |alt_version|, otherwise 0 + * should be passed. + * + * If the passed message is publicly invalid or some other error that can be + * treated in non-constant time occurs then -1 is returned. On success the + * length of the decrypted data is returned. This will always be + * SSL_MAX_MASTER_KEY_LENGTH. If an error occurs that should be treated in + * constant time then this function will appear to return successfully, but the + * decrypted data will be randomly generated (as per + * https://tools.ietf.org/html/rfc5246#section-7.4.7.1). + */ +int rsa_padding_check_PKCS1_type_2_TLS(unsigned char *to, size_t tlen, + const unsigned char *from, size_t flen, + int client_version, int alt_version) +{ + unsigned int i, good, version_good; + unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH]; + + /* + * If these checks fail then either the message in publicly invalid, or + * we've been called incorrectly. We can fail immediately. 
+ */ + if (flen < RSA_PKCS1_PADDING_SIZE + SSL_MAX_MASTER_KEY_LENGTH + || tlen < SSL_MAX_MASTER_KEY_LENGTH) { + ERR_raise(ERR_LIB_RSA, RSA_R_PKCS_DECODING_ERROR); + return -1; + } + + /* + * Generate a random premaster secret to use in the event that we fail + * to decrypt. + */ + if (RAND_priv_bytes(rand_premaster_secret, + sizeof(rand_premaster_secret)) <= 0) { + ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); + return -1; + } + + good = constant_time_is_zero(from[0]); + good &= constant_time_eq(from[1], 2); + + /* Check we have the expected padding data */ + for (i = 2; i < flen - SSL_MAX_MASTER_KEY_LENGTH - 1; i++) + good &= ~constant_time_is_zero_8(from[i]); + good &= constant_time_is_zero_8(from[flen - SSL_MAX_MASTER_KEY_LENGTH - 1]); + + + /* + * If the version in the decrypted pre-master secret is correct then + * version_good will be 0xff, otherwise it'll be zero. The + * Klima-Pokorny-Rosa extension of Bleichenbacher's attack + * (http://eprint.iacr.org/2003/052/) exploits the version number + * check as a "bad version oracle". Thus version checks are done in + * constant time and are treated like any other decryption error. + */ + version_good = + constant_time_eq(from[flen - SSL_MAX_MASTER_KEY_LENGTH], + (client_version >> 8) & 0xff); + version_good &= + constant_time_eq(from[flen - SSL_MAX_MASTER_KEY_LENGTH + 1], + client_version & 0xff); + + /* + * The premaster secret must contain the same version number as the + * ClientHello to detect version rollback attacks (strangely, the + * protocol does not offer such protection for DH ciphersuites). + * However, buggy clients exist that send the negotiated protocol + * version instead if the server does not support the requested + * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set then we tolerate + * such clients. In that case alt_version will be non-zero and set to + * the negotiated version. 
+ */ + if (alt_version > 0) { + unsigned int workaround_good; + + workaround_good = + constant_time_eq(from[flen - SSL_MAX_MASTER_KEY_LENGTH], + (alt_version >> 8) & 0xff); + workaround_good &= + constant_time_eq(from[flen - SSL_MAX_MASTER_KEY_LENGTH + 1], + alt_version & 0xff); + version_good |= workaround_good; + } + + good &= version_good; + + + /* + * Now copy the result over to the to buffer if good, or random data if + * not good. + */ + for (i = 0; i < SSL_MAX_MASTER_KEY_LENGTH; i++) { + to[i] = + constant_time_select_8(good, + from[flen - SSL_MAX_MASTER_KEY_LENGTH + i], + rand_premaster_secret[i]); + } + + /* + * We must not leak whether a decryption failure occurs because of + * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246, + * section 7.4.7.1). The code follows that advice of the TLS RFC and + * generates a random premaster secret for the case that the decrypt + * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 + * So, whether we actually succeeded or not, return success. + */ + + return SSL_MAX_MASTER_KEY_LENGTH; +} diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod index 06151d4a5c..306b20b603 100644 --- a/doc/man3/EVP_PKEY_CTX_ctrl.pod +++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod @@ -258,7 +258,9 @@ The B parameter can take the value B for PKCS#1 padding, B for SSLv23 padding, B for no padding, B for OAEP padding (encrypt and decrypt only), B for X9.31 padding (signature operations -only) and B (sign and verify only). +only), B (sign and verify only) and +B for TLS RSA ClientKeyExchange message padding +(decryption only). Two RSA padding modes behave differently if EVP_PKEY_CTX_set_signature_md() is used. If this macro is called for PKCS#1 padding the plaintext buffer is @@ -352,6 +354,25 @@ B
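Review bot: The header comment on rsa_padding_check_PKCS1_type_2_TLS() describes the input as "a decrypted RSA message in a TLS signature", but the version bytes, the random premaster fallback and the RFC 5246 section 7.4.7.1 reference all show it is the RSA-encrypted premaster secret from the ClientKeyExchange. I would reword that phrase to `padding from a decrypted TLS ClientKeyExchange premaster secret`. In the first block comment of the body, "the message in publicly invalid" should read `the message is publicly invalid`. The comment above the version check says version_good will be 0xff, yet `good` is an unsigned int that accumulates results from both constant_time_eq() and constant_time_is_zero_8(), and only its low byte appears to reach constant_time_select_8(). A one-line comment at `good &= version_good;`, for example `/* only the low 8 bits of |good| are used below */`, would make that reliance explicit for whoever next edits this constant-time path.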