From openssl at openssl.org Fri Jan 1 20:52:53 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 01 Jan 2021 20:52:53 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2 Message-ID: <1609534373.287774.1244736.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: 30af356df4 Don't call EVP_CIPHER_CTX_block_size() to find the block size Build log ended with (last 100 lines): # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80216E01F67F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80216E01F67F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:610:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/MzicHD5nGO default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8041188D5F7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8041188D5F7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8041188D5F7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8041188D5F7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8041188D5F7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8041188D5F7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/MzicHD5nGO fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=227, Tests=3559, 1029 wallclock secs (14.70 usr 1.46 sys + 934.34 cusr 89.97 csys = 1040.47 CPU) Result: FAIL make[1]: *** [Makefile:3252: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2' make: *** [Makefile:3249: tests] Error 2 From openssl at openssl.org Fri Jan 1 23:15:47 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 01 Jan 2021 23:15:47 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method Message-ID: <1609542947.364748.1547798.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: 30af356df4 Don't call EVP_CIPHER_CTX_block_size() to find the block size Build log ended with (last 100 lines): # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80913F6B027F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80913F6B027F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:610:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/e6xJZzg77S default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80B1C9610E7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80B1C9610E7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80B1C9610E7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80B1C9610E7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80B1C9610E7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80B1C9610E7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/e6xJZzg77S fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=227, Tests=3559, 890 wallclock secs (13.89 usr 1.39 sys + 796.51 cusr 89.05 csys = 900.84 CPU) Result: FAIL make[1]: *** [Makefile:3250: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2-method' make: *** [Makefile:3247: tests] Error 2 From openssl at openssl.org Mon Jan 4 01:06:05 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 04 Jan 2021 01:06:05 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm Message-ID: <1609722365.838211.2158089.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-asm Commit log since last time: ea08f8b294 Add a test for the new CRYPTO_atomic_* functions 49fff26d67 Add documentation for CRYPTO_atomic_or and CRYPTO_atomic_load db6bcc81ab Optimise OPENSSL_init_crypto d5e742de65 Add some more CRYPTO_atomic functions Build log ended with (last 100 lines): rm -f test/sysdefaulttest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/sysdefaulttest \ test/sysdefaulttest-bin-sysdefaulttest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/tls13ccstest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/tls13ccstest \ test/helpers/tls13ccstest-bin-ssltestlib.o \ test/tls13ccstest-bin-tls13ccstest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/tls13secretstest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/tls13secretstest \ crypto/tls13secretstest-bin-packet.o \ ssl/tls13secretstest-bin-tls13_enc.o \ test/tls13secretstest-bin-tls13secretstest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/uitest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/uitest \ apps/lib/uitest-bin-apps_ui.o test/uitest-bin-uitest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread make[1]: Leaving directory '/home/openssl/run-checker/no-asm' $ make test make depend && make _tests make[1]: Entering directory '/home/openssl/run-checker/no-asm' make[1]: Leaving directory '/home/openssl/run-checker/no-asm' make[1]: Entering directory '/home/openssl/run-checker/no-asm' ( SRCTOP=../openssl \ BLDTOP=. \ PERL="/usr/bin/perl" \ FIPSKEY="f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813" \ EXE_EXT= \ /usr/bin/perl ../openssl/test/run_tests.pl ) 01-test_abort.t .................... ok 01-test_sanity.t ................... ok 01-test_symbol_presence.t .......... ok 01-test_test.t ..................... ok 02-test_errstr.t ................... ok 02-test_internal_context.t ......... ok 02-test_internal_ctype.t ........... ok 02-test_internal_keymgmt.t ......... ok 02-test_internal_provider.t ........ ok 02-test_lhash.t .................... ok 02-test_ordinals.t ................. ok 02-test_sparse_array.t ............. ok 02-test_stack.t .................... ok 03-test_exdata.t ................... ok 03-test_fipsinstall.t .............. ok 03-test_internal_asn1.t ............ ok 03-test_internal_asn1_dsa.t ........ ok 03-test_internal_bn.t .............. ok 03-test_internal_chacha.t .......... ok 03-test_internal_curve448.t ........ ok 03-test_internal_ec.t .............. ok 03-test_internal_ffc.t ............. ok 03-test_internal_mdc2.t ............ ok 03-test_internal_modes.t ........... ok 03-test_internal_namemap.t ......... ok 03-test_internal_poly1305.t ........ ok 03-test_internal_rsa_sp800_56b.t ... ok 03-test_internal_siphash.t ......... ok 03-test_internal_sm2.t ............. ok 03-test_internal_sm4.t ............. ok 03-test_internal_ssl_cert_table.t .. ok 03-test_internal_x509.t ............ ok 03-test_params_api.t ............... ok 03-test_property.t ................. ok 03-test_ui.t ....................... ok 04-test_asn1_decode.t .............. ok 04-test_asn1_encode.t .............. ok 04-test_asn1_string_table.t ........ ok 04-test_bio_callback.t ............. ok 04-test_bioprint.t ................. ok 04-test_conf.t ..................... ok 04-test_encoder_decoder.t .......... ok 04-test_encoder_decoder_legacy.t ... ok 04-test_err.t ...................... ok 04-test_hexstring.t ................ ok 04-test_param_build.t .............. ok 04-test_params.t ................... ok 04-test_params_conversion.t ........ ok 04-test_pem.t ...................... ok 04-test_pem_read_depr.t ............ ok 04-test_provider.t ................. ok 04-test_provider_fallback.t ........ ok 05-test_bf.t ....................... ok 05-test_cast.t ..................... ok 05-test_cmac.t ..................... ok 05-test_des.t ...................... ok 05-test_hmac.t ..................... ok 05-test_idea.t ..................... ok 05-test_rand.t ..................... ok 05-test_rc2.t ...................... ok 05-test_rc4.t ...................... ok 05-test_rc5.t ...................... skipped: rc5 is not supported by this OpenSSL build 06-test-rdrand.t ................... ok make[1]: *** [Makefile:3244: _tests] Terminated make: *** [Makefile:3241: tests] Terminated From openssl at openssl.org Mon Jan 4 01:56:44 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 04 Jan 2021 01:56:44 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit Message-ID: <1609725404.902846.2267183.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: ea08f8b294 Add a test for the new CRYPTO_atomic_* functions 49fff26d67 Add documentation for CRYPTO_atomic_or and CRYPTO_atomic_load db6bcc81ab Optimise OPENSSL_init_crypto d5e742de65 Add some more CRYPTO_atomic functions Build log ended with (last 100 lines): 70-test_servername.t ............... ok 70-test_sslcbcpadding.t ............ ok 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 04-test_err.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=227, Tests=3423, 884 wallclock secs (14.44 usr 1.28 sys + 794.72 cusr 85.10 csys = 895.54 CPU) Result: FAIL make[1]: *** [Makefile:3255: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-autoerrinit' make: *** [Makefile:3252: tests] Error 2 From dev at ddvo.net Mon Jan 4 07:01:15 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Mon, 04 Jan 2021 07:01:15 +0000 Subject: [openssl] master update Message-ID: <1609743675.523505.14548.nullmailer@dev.openssl.org> The branch master has been updated via 38b57c4c5268e4db0cad6db6744bf70ce4a0e188 (commit) from ea08f8b294d129371536649463c76a81dc4d4e55 (commit) - Log ----------------------------------------------------------------- commit 38b57c4c5268e4db0cad6db6744bf70ce4a0e188 Author: Dr. David von Oheimb Date: Fri Jan 1 20:43:46 2021 +0100 Update copyright years of auto-generated headers (make update) Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/13764) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/charmap.h | 2 +- crypto/bn/bn_prime.h | 2 +- crypto/conf/conf_def.h | 2 +- crypto/objects/obj_dat.h | 2 +- crypto/objects/obj_xref.h | 2 +- include/openssl/obj_mac.h | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/crypto/asn1/charmap.h b/crypto/asn1/charmap.h index e855b15977..ac1eb076cc 100644 --- a/crypto/asn1/charmap.h +++ b/crypto/asn1/charmap.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/asn1/charmap.pl * - * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bn/bn_prime.h b/crypto/bn/bn_prime.h index ef16bb43d0..8a859ac02e 100644 --- a/crypto/bn/bn_prime.h +++ b/crypto/bn/bn_prime.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/bn/bn_prime.pl * - * Copyright 1998-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/conf/conf_def.h b/crypto/conf/conf_def.h index 3fdb6a9b4a..1f66a58e09 100644 --- a/crypto/conf/conf_def.h +++ b/crypto/conf/conf_def.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/conf/keysets.pl * - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index 440fd1d6af..1b852e6dfa 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/obj_dat.pl * - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h index ba290cc661..0f8a05652e 100644 --- a/crypto/objects/obj_xref.h +++ b/crypto/objects/obj_xref.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by objxref.pl * - * Copyright 1998-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h index 5af0024989..89b449037f 100644 --- a/include/openssl/obj_mac.h +++ b/include/openssl/obj_mac.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/objects.pl * - * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at From openssl at openssl.org Mon Jan 4 07:27:54 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 04 Jan 2021 07:27:54 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des Message-ID: <1609745274.627667.2971884.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: ea08f8b294 Add a test for the new CRYPTO_atomic_* functions 49fff26d67 Add documentation for CRYPTO_atomic_or and CRYPTO_atomic_load db6bcc81ab Optimise OPENSSL_init_crypto d5e742de65 Add some more CRYPTO_atomic functions Build log ended with (last 100 lines): 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 30-test_evp.t (Wstat: 512 Tests: 90 Failed: 2) Failed tests: 14, 40 Non-zero exit status: 2 30-test_evp_kdf.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=227, Tests=3425, 845 wallclock secs (14.28 usr 1.44 sys + 754.59 cusr 85.65 csys = 855.96 CPU) Result: FAIL make[1]: *** [Makefile:3210: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-des' make: *** [Makefile:3207: tests] Error 2 From openssl at openssl.org Mon Jan 4 08:37:54 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 04 Jan 2021 08:37:54 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dso Message-ID: <1609749474.403766.3133533.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dso Commit log since last time: ea08f8b294 Add a test for the new CRYPTO_atomic_* functions 49fff26d67 Add documentation for CRYPTO_atomic_or and CRYPTO_atomic_load db6bcc81ab Optimise OPENSSL_init_crypto d5e742de65 Add some more CRYPTO_atomic functions Build log ended with (last 100 lines): clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_server_test-bin-cmp_server_test.d.tmp -MT test/cmp_server_test-bin-cmp_server_test.o -c -o test/cmp_server_test-bin-cmp_server_test.o ../openssl/test/cmp_server_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_server_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_server_test-bin-cmp_testlib.o -c -o test/helpers/cmp_server_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_status_test-bin-cmp_status_test.d.tmp -MT test/cmp_status_test-bin-cmp_status_test.o -c -o test/cmp_status_test-bin-cmp_status_test.o ../openssl/test/cmp_status_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_status_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_status_test-bin-cmp_testlib.o -c -o test/helpers/cmp_status_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_vfy_test-bin-cmp_vfy_test.d.tmp -MT test/cmp_vfy_test-bin-cmp_vfy_test.o -c -o test/cmp_vfy_test-bin-cmp_vfy_test.o ../openssl/test/cmp_vfy_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_vfy_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_vfy_test-bin-cmp_testlib.o -c -o test/helpers/cmp_vfy_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmsapitest-bin-cmsapitest.d.tmp -MT test/cmsapitest-bin-cmsapitest.o -c -o test/cmsapitest-bin-cmsapitest.o ../openssl/test/cmsapitest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/conf_include_test-bin-conf_include_test.d.tmp -MT test/conf_include_test-bin-conf_include_test.o -c -o test/conf_include_test-bin-conf_include_test.o ../openssl/test/conf_include_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/confdump-bin-confdump.d.tmp -MT test/confdump-bin-confdump.o -c -o test/confdump-bin-confdump.o ../openssl/test/confdump.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/constant_time_test-bin-constant_time_test.d.tmp -MT test/constant_time_test-bin-constant_time_test.o -c -o test/constant_time_test-bin-constant_time_test.o ../openssl/test/constant_time_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/context_internal_test-bin-context_internal_test.d.tmp -MT test/context_internal_test-bin-context_internal_test.o -c -o test/context_internal_test-bin-context_internal_test.o ../openssl/test/context_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/crltest-bin-crltest.d.tmp -MT test/crltest-bin-crltest.o -c -o test/crltest-bin-crltest.o ../openssl/test/crltest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ct_test-bin-ct_test.d.tmp -MT test/ct_test-bin-ct_test.o -c -o test/ct_test-bin-ct_test.o ../openssl/test/ct_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ctype_internal_test-bin-ctype_internal_test.d.tmp -MT test/ctype_internal_test-bin-ctype_internal_test.o -c -o test/ctype_internal_test-bin-ctype_internal_test.o ../openssl/test/ctype_internal_test.c clang -I. -Iinclude -Iapps/include -Icrypto/ec/curve448 -I../openssl -I../openssl/include -I../openssl/apps/include -I../openssl/crypto/ec/curve448 -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/curve448_internal_test-bin-curve448_internal_test.d.tmp -MT test/curve448_internal_test-bin-curve448_internal_test.o -c -o test/curve448_internal_test-bin-curve448_internal_test.o ../openssl/test/curve448_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/d2i_test-bin-d2i_test.d.tmp -MT test/d2i_test-bin-d2i_test.o -c -o test/d2i_test-bin-d2i_test.o ../openssl/test/d2i_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/danetest-bin-danetest.d.tmp -MT test/danetest-bin-danetest.o -c -o test/danetest-bin-danetest.o ../openssl/test/danetest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/defltfips_test-bin-defltfips_test.d.tmp -MT test/defltfips_test-bin-defltfips_test.o -c -o test/defltfips_test-bin-defltfips_test.o ../openssl/test/defltfips_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/destest-bin-destest.d.tmp -MT test/destest-bin-destest.o -c -o test/destest-bin-destest.o ../openssl/test/destest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dhtest-bin-dhtest.d.tmp -MT test/dhtest-bin-dhtest.o -c -o test/dhtest-bin-dhtest.o ../openssl/test/dhtest.c clang -Iinclude -Iapps/include -Iproviders/common/include -I../openssl/include -I../openssl/apps/include -I../openssl/providers/common/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/drbgtest-bin-drbgtest.d.tmp -MT test/drbgtest-bin-drbgtest.o -c -o test/drbgtest-bin-drbgtest.o ../openssl/test/drbgtest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.d.tmp -MT test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.o -c -o test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.o ../openssl/test/dsa_no_digest_size_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dsatest-bin-dsatest.d.tmp -MT test/dsatest-bin-dsatest.o -c -o test/dsatest-bin-dsatest.o ../openssl/test/dsatest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtls_mtu_test-bin-dtls_mtu_test.d.tmp -MT test/dtls_mtu_test-bin-dtls_mtu_test.o -c -o test/dtls_mtu_test-bin-dtls_mtu_test.o ../openssl/test/dtls_mtu_test.c clang -I. -Iinclude -I../openssl -I../openssl/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/dtls_mtu_test-bin-ssltestlib.d.tmp -MT test/helpers/dtls_mtu_test-bin-ssltestlib.o -c -o test/helpers/dtls_mtu_test-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtlstest-bin-dtlstest.d.tmp -MT test/dtlstest-bin-dtlstest.o -c -o test/dtlstest-bin-dtlstest.o ../openssl/test/dtlstest.c clang -I. -Iinclude -I../openssl -I../openssl/include -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/dtlstest-bin-ssltestlib.d.tmp -MT test/helpers/dtlstest-bin-ssltestlib.o -c -o test/helpers/dtlstest-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtlsv1listentest-bin-dtlsv1listentest.d.tmp -MT test/dtlsv1listentest-bin-dtlsv1listentest.o -c -o test/dtlsv1listentest-bin-dtlsv1listentest.o ../openssl/test/dtlsv1listentest.c clang -Iinclude -Icrypto/ec -Iapps/include -I../openssl/include -I../openssl/crypto/ec -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ec_internal_test-bin-ec_internal_test.d.tmp -MT test/ec_internal_test-bin-ec_internal_test.o -c -o test/ec_internal_test-bin-ec_internal_test.o ../openssl/test/ec_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ecdsatest-bin-ecdsatest.d.tmp -MT test/ecdsatest-bin-ecdsatest.o -c -o test/ecdsatest-bin-ecdsatest.o ../openssl/test/ecdsatest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ecstresstest-bin-ecstresstest.d.tmp -MT test/ecstresstest-bin-ecstresstest.o -c -o test/ecstresstest-bin-ecstresstest.o ../openssl/test/ecstresstest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ectest-bin-ectest.d.tmp -MT test/ectest-bin-ectest.o -c -o test/ectest-bin-ectest.o ../openssl/test/ectest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/endecode_test-bin-endecode_test.d.tmp -MT test/endecode_test-bin-endecode_test.o -c -o test/endecode_test-bin-endecode_test.o ../openssl/test/endecode_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/endecode_test-bin-predefined_dhparams.d.tmp -MT test/helpers/endecode_test-bin-predefined_dhparams.o -c -o test/helpers/endecode_test-bin-predefined_dhparams.o ../openssl/test/helpers/predefined_dhparams.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/endecoder_legacy_test-bin-endecoder_legacy_test.d.tmp -MT test/endecoder_legacy_test-bin-endecoder_legacy_test.o -c -o test/endecoder_legacy_test-bin-endecoder_legacy_test.o ../openssl/test/endecoder_legacy_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/enginetest-bin-enginetest.d.tmp -MT test/enginetest-bin-enginetest.o -c -o test/enginetest-bin-enginetest.o ../openssl/test/enginetest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/errtest-bin-errtest.d.tmp -MT test/errtest-bin-errtest.o -c -o test/errtest-bin-errtest.o ../openssl/test/errtest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -DNO_FIPS_MODULE -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_extra_test-bin-evp_extra_test.d.tmp -MT test/evp_extra_test-bin-evp_extra_test.o -c -o test/evp_extra_test-bin-evp_extra_test.o ../openssl/test/evp_extra_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_extra_test2-bin-evp_extra_test2.d.tmp -MT test/evp_extra_test2-bin-evp_extra_test2.o -c -o test/evp_extra_test2-bin-evp_extra_test2.o ../openssl/test/evp_extra_test2.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_fetch_prov_test-bin-evp_fetch_prov_test.d.tmp -MT test/evp_fetch_prov_test-bin-evp_fetch_prov_test.o -c -o test/evp_fetch_prov_test-bin-evp_fetch_prov_test.o ../openssl/test/evp_fetch_prov_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_kdf_test-bin-evp_kdf_test.d.tmp -MT test/evp_kdf_test-bin-evp_kdf_test.o -c -o test/evp_kdf_test-bin-evp_kdf_test.o ../openssl/test/evp_kdf_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_libctx_test-bin-evp_libctx_test.d.tmp -MT test/evp_libctx_test-bin-evp_libctx_test.o -c -o test/evp_libctx_test-bin-evp_libctx_test.o ../openssl/test/evp_libctx_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_pkey_dparams_test-bin-evp_pkey_dparams_test.d.tmp -MT test/evp_pkey_dparams_test-bin-evp_pkey_dparams_test.o -c -o test/evp_pkey_dparams_test-bin-evp_pkey_dparams_test.o ../openssl/test/evp_pkey_dparams_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_pkey_provided_test-bin-evp_pkey_provided_test.d.tmp -MT test/evp_pkey_provided_test-bin-evp_pkey_provided_test.o -c -o test/evp_pkey_provided_test-bin-evp_pkey_provided_test.o ../openssl/test/evp_pkey_provided_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_test-bin-evp_test.d.tmp -MT test/evp_test-bin-evp_test.o -c -o test/evp_test-bin-evp_test.o ../openssl/test/evp_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/exdatatest-bin-exdatatest.d.tmp -MT test/exdatatest-bin-exdatatest.o -c -o test/exdatatest-bin-exdatatest.o ../openssl/test/exdatatest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/exptest-bin-exptest.d.tmp -MT test/exptest-bin-exptest.o -c -o test/exptest-bin-exptest.o ../openssl/test/exptest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/fatalerrtest-bin-fatalerrtest.d.tmp -MT test/fatalerrtest-bin-fatalerrtest.o -c -o test/fatalerrtest-bin-fatalerrtest.o ../openssl/test/fatalerrtest.c clang -I. -Iinclude -I../openssl -I../openssl/include -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/fatalerrtest-bin-ssltestlib.d.tmp -MT test/helpers/fatalerrtest-bin-ssltestlib.o -c -o test/helpers/fatalerrtest-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ffc_internal_test-bin-ffc_internal_test.d.tmp -MT test/ffc_internal_test-bin-ffc_internal_test.o -c -o test/ffc_internal_test-bin-ffc_internal_test.o ../openssl/test/ffc_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/gmdifftest-bin-gmdifftest.d.tmp -MT test/gmdifftest-bin-gmdifftest.o -c -o test/gmdifftest-bin-gmdifftest.o ../openssl/test/gmdifftest.c clang -Iinclude -Iapps/include -I. -I../openssl/include -I../openssl/apps/include -I../openssl -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/gosttest-bin-gosttest.d.tmp -MT test/gosttest-bin-gosttest.o -c -o test/gosttest-bin-gosttest.o ../openssl/test/gosttest.c clang -I. -Iinclude -I../openssl -I../openssl/include -Iinclude -Iapps/include -I. -I../openssl/include -I../openssl/apps/include -I../openssl -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/gosttest-bin-ssltestlib.d.tmp -MT test/helpers/gosttest-bin-ssltestlib.o -c -o test/helpers/gosttest-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/hexstr_test-bin-hexstr_test.d.tmp -MT test/hexstr_test-bin-hexstr_test.o -c -o test/hexstr_test-bin-hexstr_test.o ../openssl/test/hexstr_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/hmactest-bin-hmactest.d.tmp -MT test/hmactest-bin-hmactest.o -c -o test/hmactest-bin-hmactest.o ../openssl/test/hmactest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/http_test-bin-http_test.d.tmp -MT test/http_test-bin-http_test.o -c -o test/http_test-bin-http_test.o ../openssl/test/http_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ideatest-bin-ideatest.d.tmp -MT test/ideatest-bin-ideatest.o -c -o test/ideatest-bin-ideatest.o ../openssl/test/ideatest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/igetest-bin-igetest.d.tmp -MT test/igetest-bin-igetest.o -c -o test/igetest-bin-igetest.o ../openssl/test/igetest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/keymgmt_internal_test-bin-keymgmt_internal_test.d.tmp -MT test/keymgmt_internal_test-bin-keymgmt_internal_test.o -c -o test/keymgmt_internal_test-bin-keymgmt_internal_test.o ../openssl/test/keymgmt_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/lhash_test-bin-lhash_test.d.tmp -MT test/lhash_test-bin-lhash_test.o -c -o test/lhash_test-bin-lhash_test.o ../openssl/test/lhash_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/mdc2_internal_test-bin-mdc2_internal_test.d.tmp -MT test/mdc2_internal_test-bin-mdc2_internal_test.o -c -o test/mdc2_internal_test-bin-mdc2_internal_test.o ../openssl/test/mdc2_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/mdc2test-bin-mdc2test.d.tmp -MT test/mdc2test-bin-mdc2test.o -c -o test/mdc2test-bin-mdc2test.o ../openssl/test/mdc2test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/memleaktest-bin-memleaktest.d.tmp -MT test/memleaktest-bin-memleaktest.o -c -o test/memleaktest-bin-memleaktest.o ../openssl/test/memleaktest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/modes_internal_test-bin-modes_internal_test.d.tmp -MT test/modes_internal_test-bin-modes_internal_test.o -c -o test/modes_internal_test-bin-modes_internal_test.o ../openssl/test/modes_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/moduleloadtest-bin-moduleloadtest.d.tmp -MT test/moduleloadtest-bin-moduleloadtest.o -c -o test/moduleloadtest-bin-moduleloadtest.o ../openssl/test/moduleloadtest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/moduleloadtest-bin-simpledynamic.d.tmp -MT test/moduleloadtest-bin-simpledynamic.o -c -o test/moduleloadtest-bin-simpledynamic.o ../openssl/test/simpledynamic.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/namemap_internal_test-bin-namemap_internal_test.d.tmp -MT test/namemap_internal_test-bin-namemap_internal_test.o -c -o test/namemap_internal_test-bin-namemap_internal_test.o ../openssl/test/namemap_internal_test.c In file included from In file included from ../openssl/test/simpledynamic.c../openssl/test/moduleloadtest.c::1319: : ../openssl/test/simpledynamic.h../openssl/test/simpledynamic.h::3939::3535:: errorerror: : unknown type name 'SD'unknown type name 'SD' int sd_load(const char *filename, SD *sd, int type);int sd_load(const char *filename, SD *sd, int type); ^ ^ ../openssl/test/simpledynamic.h:40:12:../openssl/test/simpledynamic.h :error40: :unknown type name 'SD'12 : error: unknown type name 'SD' int sd_sym(SD sd, const char *symname, SD_SYM *sym); ^ int sd_sym(SD sd, const char *symname, SD_SYM *sym); ^ ../openssl/test/simpledynamic.h:40:40: error: unknown type name 'SD_SYM' int sd_sym(SD sd, const char *symname, SD_SYM *sym); ../openssl/test/simpledynamic.h ^: 40:40: error: unknown type name 'SD_SYM' int sd_sym(SD sd, const char *symname, SD_SYM *sym); ^ ../openssl/test/simpledynamic.h:41:14: error: unknown type name 'SD' int sd_close(SD lib); ^ ../openssl/test/simpledynamic.h:41:14: error: unknown type name 'SD' int sd_close(SD lib); ^ 4 errors generated. 4 errors generated. make[1]: *** [Makefile:24774: test/moduleloadtest-bin-simpledynamic.o] Error 1 make[1]: *** Waiting for unfinished jobs.... make[1]: *** [Makefile:24766: test/moduleloadtest-bin-moduleloadtest.o] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dso' make: *** [Makefile:3067: build_sw] Error 2 From matt at openssl.org Mon Jan 4 12:15:46 2021 From: matt at openssl.org (Matt Caswell) Date: Mon, 04 Jan 2021 12:15:46 +0000 Subject: [openssl] master update Message-ID: <1609762546.287682.12907.nullmailer@dev.openssl.org> The branch master has been updated via 2c61a670ebf2f1923a3bd2ef0ee4b2fa6261eaeb (commit) via ce1119265005bd254fc92395f72490c19adc707c (commit) from 38b57c4c5268e4db0cad6db6744bf70ce4a0e188 (commit) - Log ----------------------------------------------------------------- commit 2c61a670ebf2f1923a3bd2ef0ee4b2fa6261eaeb Author: Nirbheek Chauhan Date: Wed Jul 8 23:23:04 2020 +0530 win-onecore: Build with /APPCONTAINER for UWP compat When targeting the win-onecore configuration, we must link with /APPCONTAINER which is a requirement for submitting apps to the Windows Store. Without this, the Windows App Certificate Kit will reject the app: https://docs.microsoft.com/en-us/cpp/build/reference/appcontainer-windows-store-app Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/12400) commit ce1119265005bd254fc92395f72490c19adc707c Author: Nirbheek Chauhan Date: Wed Jul 8 23:10:34 2020 +0530 crypto/win: Don't use disallowed APIs on UWP CreateFiber and ConvertThreadToFiber are not allowed in Windows Store (Universal Windows Platform) apps since they have been replaced by their Ex variants which have a new dwFlags parameter. This flag allows the fiber to do floating-point arithmetic in the fiber on x86, which would silently cause corruption otherwise since the floating-point state is not switched by default. Switch to these "new" APIs which were added in Vista. See: https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createfiberex#parameters Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/12400) ----------------------------------------------------------------------- Summary of changes: Configurations/50-win-onecore.conf | 9 +++++---- crypto/async/arch/async_win.c | 4 ++++ crypto/async/arch/async_win.h | 10 +++++++++- 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/Configurations/50-win-onecore.conf b/Configurations/50-win-onecore.conf index 91e77b663f..efa2c837bc 100644 --- a/Configurations/50-win-onecore.conf +++ b/Configurations/50-win-onecore.conf @@ -36,13 +36,14 @@ my %targets = ( # /NODEFAULTLIB:kernel32.lib is needed, because MSVCRT.LIB has # hidden reference to kernel32.lib, but we don't actually want # it in "onecore" build. - lflags => add("/NODEFAULTLIB:kernel32.lib"), + # /APPCONTAINER is needed for Universal Windows Platform compat + lflags => add("/NODEFAULTLIB:kernel32.lib /APPCONTAINER"), defines => add("OPENSSL_SYS_WIN_CORE"), ex_libs => "onecore.lib", }, "VC-WIN64A-ONECORE" => { inherit_from => [ "VC-WIN64A" ], - lflags => add("/NODEFAULTLIB:kernel32.lib"), + lflags => add("/NODEFAULTLIB:kernel32.lib /APPCONTAINER"), defines => add("OPENSSL_SYS_WIN_CORE"), ex_libs => "onecore.lib", }, @@ -68,7 +69,7 @@ my %targets = ( defines => add("_ARM_WINAPI_PARTITION_DESKTOP_SDK_AVAILABLE", "OPENSSL_SYS_WIN_CORE"), bn_ops => "BN_LLONG RC4_CHAR", - lflags => add("/NODEFAULTLIB:kernel32.lib"), + lflags => add("/NODEFAULTLIB:kernel32.lib /APPCONTAINER"), ex_libs => "onecore.lib", multilib => "-arm", }, @@ -77,7 +78,7 @@ my %targets = ( defines => add("_ARM_WINAPI_PARTITION_DESKTOP_SDK_AVAILABLE", "OPENSSL_SYS_WIN_CORE"), bn_ops => "SIXTY_FOUR_BIT RC4_CHAR", - lflags => add("/NODEFAULTLIB:kernel32.lib"), + lflags => add("/NODEFAULTLIB:kernel32.lib /APPCONTAINER"), ex_libs => "onecore.lib", multilib => "-arm64", }, diff --git a/crypto/async/arch/async_win.c b/crypto/async/arch/async_win.c index 0db9efe3c1..72cc27c214 100644 --- a/crypto/async/arch/async_win.c +++ b/crypto/async/arch/async_win.c @@ -34,7 +34,11 @@ void async_local_cleanup(void) int async_fibre_init_dispatcher(async_fibre *fibre) { +# if defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x600 + fibre->fibre = ConvertThreadToFiberEx(NULL, FIBER_FLAG_FLOAT_SWITCH); +# else fibre->fibre = ConvertThreadToFiber(NULL); +# endif if (fibre->fibre == NULL) { fibre->converted = 0; fibre->fibre = GetCurrentFiber(); diff --git a/crypto/async/arch/async_win.h b/crypto/async/arch/async_win.h index 87e661d766..eb61b032e0 100644 --- a/crypto/async/arch/async_win.h +++ b/crypto/async/arch/async_win.h @@ -26,8 +26,16 @@ typedef struct async_fibre_st { # define async_fibre_swapcontext(o,n,r) \ (SwitchToFiber((n)->fibre), 1) -# define async_fibre_makecontext(c) \ + +# if defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x600 +# define async_fibre_makecontext(c) \ + ((c)->fibre = CreateFiberEx(0, 0, FIBER_FLAG_FLOAT_SWITCH, \ + async_start_func_win, 0)) +# else +# define async_fibre_makecontext(c) \ ((c)->fibre = CreateFiber(0, async_start_func_win, 0)) +# endif + # define async_fibre_free(f) (DeleteFiber((f)->fibre)) int async_fibre_init_dispatcher(async_fibre *fibre); From mark at openssl.org Mon Jan 4 16:03:11 2021 From: mark at openssl.org (Mark J. Cox) Date: Mon, 04 Jan 2021 16:03:11 +0000 Subject: [web] master update Message-ID: <1609776191.583593.31111.nullmailer@dev.openssl.org> The branch master has been updated via 32ac25c3dc11364b8854de9e91303951f6ba406d (commit) via 9720d7fff327192e2d845f4e4d305c32cc0fe8b9 (commit) from 0689c523b599d89f0ce5caedab4f7d66bee1efb6 (commit) - Log ----------------------------------------------------------------- commit 32ac25c3dc11364b8854de9e91303951f6ba406d Merge: 0689c52 9720d7f Author: Mark J. Cox Date: Mon Jan 4 15:49:15 2021 +0000 Merge pull request #211 from iamamoose/sponsorupdate Update the Sponsorship page to remove sponsorships that have lapsed commit 9720d7fff327192e2d845f4e4d305c32cc0fe8b9 Author: Mark J. Cox Date: Mon Jan 4 15:29:11 2021 +0000 Update the Sponsorship page to remove sponsorships that have lapsed and add a link to recognise the GitHub Sponsors ----------------------------------------------------------------------- Summary of changes: support/acks.html | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) diff --git a/support/acks.html b/support/acks.html index 419924e..f3c75d2 100644 --- a/support/acks.html +++ b/support/acks.html @@ -15,10 +15,9 @@

Sponsorship Donations

-

We would like to identify and thank the following sponsors for their donations which give significant support to the OpenSSL project. - Please note some sponsors remain anonymous.

+ Please note sponsors may choose to remain anonymous.

-

Exceptional:

- -
- -
- -

Platinum:

- -
- -
-

Bronze:

beslist.nl

-

CarGurus

@@ -63,7 +47,9 @@

Other Donations

- We also identify and thank organizations who contribute + We also would like to thank those who contribute + via GitHub Sponsors, + as well as the organizations who contribute in-kind donations to the project.

From no-reply at appveyor.com Mon Jan 4 21:27:08 2021 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Jan 2021 21:27:08 +0000 Subject: Build failed: openssl master.38943 Message-ID: <20210104212708.1.C8D5B45044A27129@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Mon Jan 4 23:09:26 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 04 Jan 2021 23:09:26 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module Message-ID: <1609801766.842490.692957.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: ea08f8b294 Add a test for the new CRYPTO_atomic_* functions 49fff26d67 Add documentation for CRYPTO_atomic_or and CRYPTO_atomic_load db6bcc81ab Optimise OPENSSL_init_crypto d5e742de65 Add some more CRYPTO_atomic functions Build log ended with (last 100 lines): # warn_cert_msg:../openssl/apps/cmp.c:687:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1980:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2030:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 0 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem -out_trusted root.crt => 0 not ok 43 - popo RAVERIFIED # ------------------------------------------------------------------------------ # cmp_main:../openssl/apps/cmp.c:2663:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2263:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:687:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1980:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2030:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # ------------------------------------------------------------------------------ # Failed test 'popo NONE' # at ../openssl/test/recipes/81-test_cmp_cli.t line 183. # cmp_main:../openssl/apps/cmp.c:2663:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2263:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:687:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1980:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2030:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 2 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem -out_trusted root.crt => 0 not ok 48 - popo KEYENC not supported # ------------------------------------------------------------------------------ # Looks like you failed 3 tests of 92. not ok 7 - CMP app CLI Mock enrollment # ------------------------------------------------------------------------------ # # Failed test 'CMP app CLI Mock enrollment # ' # at /home/openssl/run-checker/enable-fuzz-afl/../openssl/util/perl/OpenSSL/Test.pm line 1335. # Looks like you failed 3 tests of 7.81-test_cmp_cli.t .................. Dubious, test returned 3 (wstat 768, 0x300) Failed 3/7 subtests 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. skipped: Test only supported in a shared build 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: GOST support is disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ skipped: Test only supported in a shared build 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. skipped: tls13secrets is not supported in this build 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 81-test_cmp_cli.t (Wstat: 768 Tests: 7 Failed: 3) Failed tests: 4-5, 7 Non-zero exit status: 3 Files=227, Tests=2999, 639 wallclock secs ( 9.40 usr 1.28 sys + 564.05 cusr 62.76 csys = 637.49 CPU) Result: FAIL make[1]: *** [Makefile:2463: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-fuzz-afl' make: *** [Makefile:2460: tests] Error 2 From no-reply at appveyor.com Tue Jan 5 01:01:13 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 05 Jan 2021 01:01:13 +0000 Subject: Build failed: openssl master.38949 Message-ID: <20210105010113.1.517E1192B0ED0A38@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Jan 5 02:13:42 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 05 Jan 2021 02:13:42 +0000 Subject: Build completed: openssl master.38950 Message-ID: <20210105021342.1.C90FDC95F55C611A@appveyor.com> An HTML attachment was scrubbed... URL: From dev at ddvo.net Tue Jan 5 11:29:01 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Tue, 05 Jan 2021 11:29:01 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1609846141.741832.13530.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 80d5badd8fa7dcc7dffc88745376df53161e392a (commit) from 9be10637502bf32189055dff8d3442e140e845c5 (commit) - Log ----------------------------------------------------------------- commit 80d5badd8fa7dcc7dffc88745376df53161e392a Author: Dr. David von Oheimb Date: Sat Jan 2 21:23:12 2021 +0100 Update copyright years of auto-generated headers (make update) This backports #13764. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/13769) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/charmap.h | 2 +- crypto/bn/bn_prime.h | 2 +- crypto/conf/conf_def.h | 2 +- crypto/objects/obj_dat.h | 2 +- crypto/objects/obj_xref.h | 2 +- include/openssl/obj_mac.h | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/crypto/asn1/charmap.h b/crypto/asn1/charmap.h index cac354c6bf..e234c9e615 100644 --- a/crypto/asn1/charmap.h +++ b/crypto/asn1/charmap.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/asn1/charmap.pl * - * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bn/bn_prime.h b/crypto/bn/bn_prime.h index ba48244534..1a25c28577 100644 --- a/crypto/bn/bn_prime.h +++ b/crypto/bn/bn_prime.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/bn/bn_prime.pl * - * Copyright 1998-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/conf/conf_def.h b/crypto/conf/conf_def.h index 2ced300e40..1e4a03e10b 100644 --- a/crypto/conf/conf_def.h +++ b/crypto/conf/conf_def.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/conf/keysets.pl * - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index d1b1bc7faf..24b49a2df2 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/obj_dat.pl * - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h index 1ca04bbff1..5c3561ab7d 100644 --- a/crypto/objects/obj_xref.h +++ b/crypto/objects/obj_xref.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by objxref.pl * - * Copyright 1998-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h index 483fc0509e..eb812ed18d 100644 --- a/include/openssl/obj_mac.h +++ b/include/openssl/obj_mac.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/objects.pl * - * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at From tmraz at fedoraproject.org Tue Jan 5 15:44:43 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Tue, 05 Jan 2021 15:44:43 +0000 Subject: [openssl] master update Message-ID: <1609861483.213427.25418.nullmailer@dev.openssl.org> The branch master has been updated via b043c41c0059786eb78492fb64217053272ef37d (commit) via b2d14651533897b709208e633d4b4f590e0eff1c (commit) from 2c61a670ebf2f1923a3bd2ef0ee4b2fa6261eaeb (commit) - Log ----------------------------------------------------------------- commit b043c41c0059786eb78492fb64217053272ef37d Author: Etienne Millon Date: Mon Jan 4 11:33:55 2021 +0100 28-seclevel.cnf.in: fix typo in algo name CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13768) commit b2d14651533897b709208e633d4b4f590e0eff1c Author: Etienne Millon Date: Mon Jan 4 11:28:36 2021 +0100 EVP_SIGNATURE-ED25519.pod: fix typo in algo name CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13768) ----------------------------------------------------------------------- Summary of changes: doc/man7/EVP_SIGNATURE-ED25519.pod | 2 +- test/ssl-tests/28-seclevel.cnf.in | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/man7/EVP_SIGNATURE-ED25519.pod b/doc/man7/EVP_SIGNATURE-ED25519.pod index bb91ae2434..e2fc31f724 100644 --- a/doc/man7/EVP_SIGNATURE-ED25519.pod +++ b/doc/man7/EVP_SIGNATURE-ED25519.pod @@ -15,7 +15,7 @@ one-shot digest sign and digest verify using PureEdDSA and B or B be specified when diff --git a/test/ssl-tests/28-seclevel.cnf.in b/test/ssl-tests/28-seclevel.cnf.in index ebb082c0af..b7b96e87b7 100644 --- a/test/ssl-tests/28-seclevel.cnf.in +++ b/test/ssl-tests/28-seclevel.cnf.in @@ -34,7 +34,7 @@ our @tests_ec = ( test => { "ExpectedResult" => "Success" }, }, { - # The Ed488 signature algorithm will not be enabled. + # The Ed448 signature algorithm will not be enabled. # Because of the config order, the certificate is first loaded, and # then the security level is chaged. If you try this with s_server # the order will be reversed and it will instead fail to load the key. @@ -47,7 +47,7 @@ our @tests_ec = ( test => { "ExpectedResult" => "ServerFail" }, }, { - # The client will not sent the Ed488 signature algorithm, so the server + # The client will not sent the Ed448 signature algorithm, so the server # doesn't have a useable signature algorithm for the certificate. name => "SECLEVEL 5 client with ED448 key", server => { "CipherString" => "DEFAULT:\@SECLEVEL=4", From matt at openssl.org Tue Jan 5 18:09:37 2021 From: matt at openssl.org (Matt Caswell) Date: Tue, 05 Jan 2021 18:09:37 +0000 Subject: [openssl] master update Message-ID: <1609870177.248964.22759.nullmailer@dev.openssl.org> The branch master has been updated via 3497cc8776d50397ceefbd41bd3356a7f5d30c14 (commit) from b043c41c0059786eb78492fb64217053272ef37d (commit) - Log ----------------------------------------------------------------- commit 3497cc8776d50397ceefbd41bd3356a7f5d30c14 Author: bazmoz Date: Sun Dec 27 22:05:14 2020 +0530 Updated SSL_CTX_new doc Fixes #13703 Reviewed-by: Ben Kaduk Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13741) ----------------------------------------------------------------------- Summary of changes: doc/man3/SSL_CTX_new.pod | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/doc/man3/SSL_CTX_new.pod b/doc/man3/SSL_CTX_new.pod index b71cda9be0..4093e657e8 100644 --- a/doc/man3/SSL_CTX_new.pod +++ b/doc/man3/SSL_CTX_new.pod @@ -73,11 +73,12 @@ functions =head1 DESCRIPTION -SSL_CTX_new_ex() creates a new B object as a framework to -establish TLS/SSL or DTLS enabled connections using the library context -I (see L). Any cryptographic algorithms that are used -by any B objects created from this B will be fetched from the -I using the property query string I (see +SSL_CTX_new_ex() creates a new B object, which holds various +configuration and data relevant to TLS/SSL or DTLS session establishment. The +library context I (see L) is used to provide the +cryptographic algorithms needed for the session. Any cryptographic algorithms +that are used by any B objects created from this B will be fetched +from the I using the property query string I (see L. Either or both the I or I parameters may be NULL. @@ -90,6 +91,10 @@ SSL_CTX_free) decrements it. When the reference count drops to zero, any memory or resources allocated to the B object are freed. SSL_CTX_up_ref() increments the reference count for an existing B structure. +An B object should not be changed after it is used to create any B +objects or from multiple threads concurrently, since the implementation does not +provide serialization of access for these cases. + =head1 NOTES The SSL_CTX object uses I as the connection method. From openssl at openssl.org Tue Jan 5 21:09:09 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 05 Jan 2021 21:09:09 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2 Message-ID: <1609880949.024793.3311836.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: ea08f8b294 Add a test for the new CRYPTO_atomic_* functions 49fff26d67 Add documentation for CRYPTO_atomic_or and CRYPTO_atomic_load db6bcc81ab Optimise OPENSSL_init_crypto d5e742de65 Add some more CRYPTO_atomic functions Build log ended with (last 100 lines): # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80C17CF03A7F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80C17CF03A7F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:610:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/hKckL8WvgN default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80D1AA42FA7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80D1AA42FA7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80D1AA42FA7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80D1AA42FA7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80D1AA42FA7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80D1AA42FA7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/hKckL8WvgN fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=227, Tests=3559, 868 wallclock secs (14.05 usr 1.46 sys + 772.73 cusr 91.80 csys = 880.04 CPU) Result: FAIL make[1]: *** [Makefile:3259: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2' make: *** [Makefile:3256: tests] Error 2 From openssl at openssl.org Tue Jan 5 23:36:15 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 05 Jan 2021 23:36:15 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method Message-ID: <1609889775.157147.3613991.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: ea08f8b294 Add a test for the new CRYPTO_atomic_* functions 49fff26d67 Add documentation for CRYPTO_atomic_or and CRYPTO_atomic_load db6bcc81ab Optimise OPENSSL_init_crypto d5e742de65 Add some more CRYPTO_atomic functions Build log ended with (last 100 lines): # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80918175B37F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80918175B37F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:610:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/j8p8AbYHtB default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80212C69497F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80212C69497F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80212C69497F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80212C69497F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80212C69497F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80212C69497F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/j8p8AbYHtB fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=227, Tests=3559, 1004 wallclock secs (13.86 usr 1.26 sys + 916.02 cusr 85.05 csys = 1016.19 CPU) Result: FAIL make[1]: *** [Makefile:3252: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2-method' make: *** [Makefile:3249: tests] Error 2 From kaduk at mit.edu Wed Jan 6 00:32:47 2021 From: kaduk at mit.edu (kaduk at mit.edu) Date: Wed, 06 Jan 2021 00:32:47 +0000 Subject: [openssl] master update Message-ID: <1609893167.096070.32238.nullmailer@dev.openssl.org> The branch master has been updated via 7fd1ca723a06739e76a17d1065ac94bcfcfc4f9f (commit) via b39c215decf6e68c28cb64dcfaf5ae5a7e8d35b4 (commit) from 3497cc8776d50397ceefbd41bd3356a7f5d30c14 (commit) - Log ----------------------------------------------------------------- commit 7fd1ca723a06739e76a17d1065ac94bcfcfc4f9f Author: John Baldwin Date: Fri Nov 20 17:45:48 2020 -0800 Support session information on FreeBSD. FreeBSD's /dev/crypto does not provide a CIOCGSESSINFO ioctl, but it does provide other ioctls that can be used to provide similar functionality. First, FreeBSD's /dev/crypto defines a CIOCGESSION2 ioctl which accepts a 'struct session2_op'. This structure extends 'struct session_op' with a 'crid' member which can be used to either request an individual driver by id, or a class of drivers via flags. To determine if the available drivers for a given algorithm are accelerated or not, use CIOCGESSION2 to first attempt to create an accelerated (hardware) session. If that fails, fall back to attempting a software session. In addition, when requesting a new cipher session, use the current setting of the 'use_softdrivers' flag to determine the value assigned to 'crid' when invoking CIOCGSESSION2. Finally, use the returned 'crid' value from CIOCGSESSION2 to look up the name of the associated driver via the CIOCFINDDEV ioctl. Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13468) commit b39c215decf6e68c28cb64dcfaf5ae5a7e8d35b4 Author: John Baldwin Date: Fri Nov 20 17:07:35 2020 -0800 Use CRIOGET to fetch a crypto descriptor when present. FreeBSD's current /dev/crypto implementation requires that consumers clone a separate file descriptor via the CRIOGET ioctl that can then be used with other ioctls such as CIOCGSESSION. Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13468) ----------------------------------------------------------------------- Summary of changes: engines/e_devcrypto.c | 86 +++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 73 insertions(+), 13 deletions(-) diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c index d54ca3bbc1..7f3768d36c 100644 --- a/engines/e_devcrypto.c +++ b/engines/e_devcrypto.c @@ -34,6 +34,16 @@ #define engine_devcrypto_id "devcrypto" +/* + * Use session2_op on FreeBSD which permits requesting specific + * drivers or classes of drivers at session creation time. + */ +#ifdef CIOCGSESSION2 +typedef struct session2_op session_op_t; +#else +typedef struct session_op session_op_t; +#endif + /* * ONE global file descriptor for all sessions. This allows operations * such as digest session data copying (see digest_copy()), but is also @@ -73,12 +83,12 @@ struct driver_info_st { void engine_load_devcrypto_int(void); #endif -static int clean_devcrypto_session(struct session_op *sess) { +static int clean_devcrypto_session(session_op_t *sess) { if (ioctl(cfd, CIOCFSESSION, &sess->ses) < 0) { ERR_raise_data(ERR_LIB_SYS, errno, "calling ioctl()"); return 0; } - memset(sess, 0, sizeof(struct session_op)); + memset(sess, 0, sizeof(*sess)); return 1; } @@ -93,7 +103,7 @@ static int clean_devcrypto_session(struct session_op *sess) { *****/ struct cipher_ctx { - struct session_op sess; + session_op_t sess; int op; /* COP_ENCRYPT or COP_DECRYPT */ unsigned long mode; /* EVP_CIPH_*_MODE */ @@ -198,6 +208,7 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); const struct cipher_data_st *cipher_d = get_cipher_data(EVP_CIPHER_CTX_nid(ctx)); + int ret; /* cleanup a previous session */ if (cipher_ctx->sess.ses != 0 && @@ -210,7 +221,15 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT; cipher_ctx->mode = cipher_d->flags & EVP_CIPH_MODE; cipher_ctx->blocksize = cipher_d->blocksize; - if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) { +#ifdef CIOCGSESSION2 + cipher_ctx->sess.crid = (use_softdrivers == DEVCRYPTO_USE_SOFTWARE) ? + CRYPTO_FLAG_SOFTWARE | CRYPTO_FLAG_HARDWARE : + CRYPTO_FLAG_HARDWARE; + ret = ioctl(cfd, CIOCGSESSION2, &cipher_ctx->sess); +#else + ret = ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess); +#endif + if (ret < 0) { ERR_raise_data(ERR_LIB_SYS, errno, "calling ioctl()"); return 0; } @@ -406,9 +425,12 @@ static int devcrypto_test_cipher(size_t cipher_data_index) static void prepare_cipher_methods(void) { size_t i; - struct session_op sess; + session_op_t sess; unsigned long cipher_mode; -#ifdef CIOCGSESSINFO +#ifdef CIOCGSESSION2 + struct crypt_find_op fop; + enum devcrypto_accelerated_t accelerated; +#elif defined(CIOCGSESSINFO) struct session_info_op siop; #endif @@ -426,10 +448,29 @@ static void prepare_cipher_methods(void) */ sess.cipher = cipher_data[i].devcryptoid; sess.keylen = cipher_data[i].keylen; +#ifdef CIOCGSESSION2 + /* + * When using CIOCGSESSION2, first try to allocate a hardware + * ("accelerated") session. If that fails, fall back to + * allocating a software session. + */ + sess.crid = CRYPTO_FLAG_HARDWARE; + if (ioctl(cfd, CIOCGSESSION2, &sess) == 0) { + accelerated = DEVCRYPTO_ACCELERATED; + } else { + sess.crid = CRYPTO_FLAG_SOFTWARE; + if (ioctl(cfd, CIOCGSESSION2, &sess) < 0) { + cipher_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION; + continue; + } + accelerated = DEVCRYPTO_NOT_ACCELERATED; + } +#else if (ioctl(cfd, CIOCGSESSION, &sess) < 0) { cipher_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION; continue; } +#endif cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE; @@ -460,7 +501,14 @@ static void prepare_cipher_methods(void) known_cipher_methods[i] = NULL; } else { cipher_driver_info[i].status = DEVCRYPTO_STATUS_USABLE; -#ifdef CIOCGSESSINFO +#ifdef CIOCGSESSION2 + cipher_driver_info[i].accelerated = accelerated; + fop.crid = sess.crid; + if (ioctl(cfd, CIOCFINDDEV, &fop) == 0) { + cipher_driver_info[i].driver_name = + OPENSSL_strndup(fop.name, sizeof(fop.name)); + } +#elif defined(CIOCGSESSINFO) siop.ses = sess.ses; if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) { cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; @@ -624,7 +672,7 @@ static void dump_cipher_info(void) *****/ struct digest_ctx { - struct session_op sess; + session_op_t sess; /* This signals that the init function was called, not that it succeeded. */ int init_called; unsigned char digest_res[HASH_MAX_LEN]; @@ -843,7 +891,7 @@ static void rebuild_known_digest_nids(ENGINE *e) static void prepare_digest_methods(void) { size_t i; - struct session_op sess1, sess2; + session_op_t sess1, sess2; #ifdef CIOCGSESSINFO struct session_info_op siop; #endif @@ -1051,7 +1099,7 @@ static void dump_digest_info(void) #define DEVCRYPTO_CMD_DUMP_INFO (ENGINE_CMD_BASE + 3) static const ENGINE_CMD_DEFN devcrypto_cmds[] = { -#ifdef CIOCGSESSINFO +#if defined(CIOCGSESSINFO) || defined(CIOCGSESSION2) {DEVCRYPTO_CMD_USE_SOFTDRIVERS, "USE_SOFTDRIVERS", "specifies whether to use software (not accelerated) drivers (" @@ -1087,7 +1135,7 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) { int *new_list; switch (cmd) { -#ifdef CIOCGSESSINFO +#if defined(CIOCGSESSINFO) || defined(CIOCGSESSION2) case DEVCRYPTO_CMD_USE_SOFTDRIVERS: switch (i) { case DEVCRYPTO_REQUIRE_ACCELERATED: @@ -1106,7 +1154,7 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) #endif rebuild_known_cipher_nids(e); return 1; -#endif /* CIOCGSESSINFO */ +#endif /* CIOCGSESSINFO || CIOCGSESSION2 */ case DEVCRYPTO_CMD_CIPHERS: if (p == NULL) @@ -1172,10 +1220,12 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) */ static int open_devcrypto(void) { + int fd; + if (cfd >= 0) return 1; - if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) { + if ((fd = open("/dev/crypto", O_RDWR, 0)) < 0) { #ifndef ENGINE_DEVCRYPTO_DEBUG if (errno != ENOENT) #endif @@ -1183,6 +1233,16 @@ static int open_devcrypto(void) return 0; } +#ifdef CRIOGET + if (ioctl(fd, CRIOGET, &cfd) < 0) { + fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno)); + cfd = -1; + return 0; + } +#else + cfd = fd; +#endif + return 1; } From tmraz at fedoraproject.org Wed Jan 6 10:07:13 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Wed, 06 Jan 2021 10:07:13 +0000 Subject: [openssl] master update Message-ID: <1609927633.754759.7377.nullmailer@dev.openssl.org> The branch master has been updated via 7c0e98a5c40806ff9dde15cf4a619cc931800fd9 (commit) from 7fd1ca723a06739e76a17d1065ac94bcfcfc4f9f (commit) - Log ----------------------------------------------------------------- commit 7c0e98a5c40806ff9dde15cf4a619cc931800fd9 Author: David CARLIER Date: Mon Jan 4 16:42:47 2021 +0000 Mac M1 setting change proposal. Running tests takes very long with the current setting while it takes a lot shorter time with this change. Reviewed-by: Ben Kaduk Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13771) ----------------------------------------------------------------------- Summary of changes: Configurations/10-main.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index 5f672fbb77..ef892b555a 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -1623,7 +1623,7 @@ my %targets = ( cflags => add("-arch arm64"), lib_cppflags => add("-DL_ENDIAN"), bn_ops => "SIXTY_FOUR_BIT_LONG", - asm_arch => 'aarch64_asm', + asm_arch => 'aarch64', perlasm_scheme => "ios64", }, From matt at openssl.org Wed Jan 6 11:26:43 2021 From: matt at openssl.org (Matt Caswell) Date: Wed, 06 Jan 2021 11:26:43 +0000 Subject: [openssl] master update Message-ID: <1609932403.590050.18962.nullmailer@dev.openssl.org> The branch master has been updated via e260bee0a97d4e6de60eae2c86d7c11ed03f2010 (commit) from 7c0e98a5c40806ff9dde15cf4a619cc931800fd9 (commit) - Log ----------------------------------------------------------------- commit e260bee0a97d4e6de60eae2c86d7c11ed03f2010 Author: Matt Caswell Date: Mon Jan 4 17:29:35 2021 +0000 Only perform special TLS handling if TLS has been configured Skip over special TLS steps for stream ciphers if we haven't been configured for TLS. Fixes #12528 Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13774) ----------------------------------------------------------------------- Summary of changes: providers/implementations/ciphers/ciphercommon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c index 0941210f20..0e3e367dfc 100644 --- a/providers/implementations/ciphers/ciphercommon.c +++ b/providers/implementations/ciphers/ciphercommon.c @@ -429,7 +429,7 @@ int ossl_cipher_generic_stream_update(void *vctx, unsigned char *out, } *outl = inl; - if (!ctx->enc) { + if (!ctx->enc && ctx->tlsversion > 0) { /* * Remove any TLS padding. Only used by cipher_aes_cbc_hmac_sha1_hw.c and * cipher_aes_cbc_hmac_sha256_hw.c From no-reply at appveyor.com Wed Jan 6 18:49:12 2021 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 06 Jan 2021 18:49:12 +0000 Subject: Build failed: openssl master.38985 Message-ID: <20210106184912.1.FF04BE1166082F36@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Wed Jan 6 20:13:15 2021 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 06 Jan 2021 20:13:15 +0000 Subject: Build completed: openssl master.38986 Message-ID: <20210106201315.1.D805FDEC57CC35A7@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Thu Jan 7 01:05:28 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 07 Jan 2021 01:05:28 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm Message-ID: <1609981528.357004.4164225.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-asm Commit log since last time: e260bee0a9 Only perform special TLS handling if TLS has been configured 7c0e98a5c4 Mac M1 setting change proposal. 7fd1ca723a Support session information on FreeBSD. b39c215dec Use CRIOGET to fetch a crypto descriptor when present. 3497cc8776 Updated SSL_CTX_new doc b043c41c00 28-seclevel.cnf.in: fix typo in algo name b2d1465153 EVP_SIGNATURE-ED25519.pod: fix typo in algo name 2c61a670eb win-onecore: Build with /APPCONTAINER for UWP compat ce11192650 crypto/win: Don't use disallowed APIs on UWP 38b57c4c52 Update copyright years of auto-generated headers (make update) Build log ended with (last 100 lines): 30-test_evp_extra.t ................ ok 30-test_evp_fetch_prov.t ........... ok 30-test_evp_kdf.t .................. ok 30-test_evp_libctx.t ............... ok 30-test_evp_pkey_dparam.t .......... ok 30-test_evp_pkey_provided.t ........ ok 30-test_pbelu.t .................... ok 30-test_pkey_meth.t ................ ok 30-test_pkey_meth_kdf.t ............ ok 30-test_provider_status.t .......... ok 40-test_rehash.t ................... ok 60-test_x509_check_cert_pkey.t ..... ok 60-test_x509_dup_cert.t ............ ok 60-test_x509_store.t ............... ok 60-test_x509_time.t ................ ok 61-test_bio_prefix.t ............... ok 65-test_cmp_asn.t .................. ok 65-test_cmp_client.t ............... ok 65-test_cmp_ctx.t .................. ok 65-test_cmp_hdr.t .................. ok 65-test_cmp_msg.t .................. ok 65-test_cmp_protect.t .............. ok 65-test_cmp_server.t ............... ok 65-test_cmp_status.t ............... ok 65-test_cmp_vfy.t .................. ok 66-test_ossl_store.t ............... ok 70-test_asyncio.t .................. ok 70-test_bad_dtls.t ................. ok 70-test_clienthello.t .............. ok 70-test_comp.t ..................... ok 70-test_key_share.t ................ ok 70-test_packet.t ................... ok 70-test_recordlen.t ................ ok 70-test_renegotiation.t ............ ok 70-test_servername.t ............... ok 70-test_sslcbcpadding.t ............ ok 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok make[1]: *** wait: No child processes. Stop. make[1]: *** Waiting for unfinished jobs.... make[1]: *** wait: No child processes. Stop. make: *** [Makefile:3241: tests] Terminated From openssl at openssl.org Thu Jan 7 01:55:19 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 07 Jan 2021 01:55:19 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit Message-ID: <1609984519.607193.79366.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: e260bee0a9 Only perform special TLS handling if TLS has been configured 7c0e98a5c4 Mac M1 setting change proposal. 7fd1ca723a Support session information on FreeBSD. b39c215dec Use CRIOGET to fetch a crypto descriptor when present. 3497cc8776 Updated SSL_CTX_new doc b043c41c00 28-seclevel.cnf.in: fix typo in algo name b2d1465153 EVP_SIGNATURE-ED25519.pod: fix typo in algo name 2c61a670eb win-onecore: Build with /APPCONTAINER for UWP compat ce11192650 crypto/win: Don't use disallowed APIs on UWP 38b57c4c52 Update copyright years of auto-generated headers (make update) Build log ended with (last 100 lines): 70-test_servername.t ............... ok 70-test_sslcbcpadding.t ............ ok 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 04-test_err.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=227, Tests=3423, 845 wallclock secs (14.47 usr 1.40 sys + 752.47 cusr 86.52 csys = 854.86 CPU) Result: FAIL make[1]: *** [Makefile:3244: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-autoerrinit' make: *** [Makefile:3241: tests] Error 2 From openssl at openssl.org Thu Jan 7 07:26:05 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 07 Jan 2021 07:26:05 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des Message-ID: <1610004365.129166.784619.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: e260bee0a9 Only perform special TLS handling if TLS has been configured 7c0e98a5c4 Mac M1 setting change proposal. 7fd1ca723a Support session information on FreeBSD. b39c215dec Use CRIOGET to fetch a crypto descriptor when present. 3497cc8776 Updated SSL_CTX_new doc b043c41c00 28-seclevel.cnf.in: fix typo in algo name b2d1465153 EVP_SIGNATURE-ED25519.pod: fix typo in algo name 2c61a670eb win-onecore: Build with /APPCONTAINER for UWP compat ce11192650 crypto/win: Don't use disallowed APIs on UWP 38b57c4c52 Update copyright years of auto-generated headers (make update) Build log ended with (last 100 lines): 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 30-test_evp.t (Wstat: 512 Tests: 90 Failed: 2) Failed tests: 14, 40 Non-zero exit status: 2 30-test_evp_kdf.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=227, Tests=3425, 862 wallclock secs (14.30 usr 1.63 sys + 759.10 cusr 83.78 csys = 858.81 CPU) Result: FAIL make[1]: *** [Makefile:3187: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-des' make: *** [Makefile:3184: tests] Error 2 From openssl at openssl.org Thu Jan 7 08:39:28 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 07 Jan 2021 08:39:28 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dso Message-ID: <1610008768.791698.946482.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dso Commit log since last time: e260bee0a9 Only perform special TLS handling if TLS has been configured 7c0e98a5c4 Mac M1 setting change proposal. 7fd1ca723a Support session information on FreeBSD. b39c215dec Use CRIOGET to fetch a crypto descriptor when present. 3497cc8776 Updated SSL_CTX_new doc b043c41c00 28-seclevel.cnf.in: fix typo in algo name b2d1465153 EVP_SIGNATURE-ED25519.pod: fix typo in algo name 2c61a670eb win-onecore: Build with /APPCONTAINER for UWP compat ce11192650 crypto/win: Don't use disallowed APIs on UWP 38b57c4c52 Update copyright years of auto-generated headers (make update) Build log ended with (last 100 lines): clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_server_test-bin-cmp_server_test.d.tmp -MT test/cmp_server_test-bin-cmp_server_test.o -c -o test/cmp_server_test-bin-cmp_server_test.o ../openssl/test/cmp_server_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_server_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_server_test-bin-cmp_testlib.o -c -o test/helpers/cmp_server_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_status_test-bin-cmp_status_test.d.tmp -MT test/cmp_status_test-bin-cmp_status_test.o -c -o test/cmp_status_test-bin-cmp_status_test.o ../openssl/test/cmp_status_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_status_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_status_test-bin-cmp_testlib.o -c -o test/helpers/cmp_status_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_vfy_test-bin-cmp_vfy_test.d.tmp -MT test/cmp_vfy_test-bin-cmp_vfy_test.o -c -o test/cmp_vfy_test-bin-cmp_vfy_test.o ../openssl/test/cmp_vfy_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_vfy_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_vfy_test-bin-cmp_testlib.o -c -o test/helpers/cmp_vfy_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmsapitest-bin-cmsapitest.d.tmp -MT test/cmsapitest-bin-cmsapitest.o -c -o test/cmsapitest-bin-cmsapitest.o ../openssl/test/cmsapitest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/conf_include_test-bin-conf_include_test.d.tmp -MT test/conf_include_test-bin-conf_include_test.o -c -o test/conf_include_test-bin-conf_include_test.o ../openssl/test/conf_include_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/confdump-bin-confdump.d.tmp -MT test/confdump-bin-confdump.o -c -o test/confdump-bin-confdump.o ../openssl/test/confdump.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/constant_time_test-bin-constant_time_test.d.tmp -MT test/constant_time_test-bin-constant_time_test.o -c -o test/constant_time_test-bin-constant_time_test.o ../openssl/test/constant_time_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/context_internal_test-bin-context_internal_test.d.tmp -MT test/context_internal_test-bin-context_internal_test.o -c -o test/context_internal_test-bin-context_internal_test.o ../openssl/test/context_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/crltest-bin-crltest.d.tmp -MT test/crltest-bin-crltest.o -c -o test/crltest-bin-crltest.o ../openssl/test/crltest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ct_test-bin-ct_test.d.tmp -MT test/ct_test-bin-ct_test.o -c -o test/ct_test-bin-ct_test.o ../openssl/test/ct_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ctype_internal_test-bin-ctype_internal_test.d.tmp -MT test/ctype_internal_test-bin-ctype_internal_test.o -c -o test/ctype_internal_test-bin-ctype_internal_test.o ../openssl/test/ctype_internal_test.c clang -I. -Iinclude -Iapps/include -Icrypto/ec/curve448 -I../openssl -I../openssl/include -I../openssl/apps/include -I../openssl/crypto/ec/curve448 -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/curve448_internal_test-bin-curve448_internal_test.d.tmp -MT test/curve448_internal_test-bin-curve448_internal_test.o -c -o test/curve448_internal_test-bin-curve448_internal_test.o ../openssl/test/curve448_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/d2i_test-bin-d2i_test.d.tmp -MT test/d2i_test-bin-d2i_test.o -c -o test/d2i_test-bin-d2i_test.o ../openssl/test/d2i_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/danetest-bin-danetest.d.tmp -MT test/danetest-bin-danetest.o -c -o test/danetest-bin-danetest.o ../openssl/test/danetest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/defltfips_test-bin-defltfips_test.d.tmp -MT test/defltfips_test-bin-defltfips_test.o -c -o test/defltfips_test-bin-defltfips_test.o ../openssl/test/defltfips_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/destest-bin-destest.d.tmp -MT test/destest-bin-destest.o -c -o test/destest-bin-destest.o ../openssl/test/destest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dhtest-bin-dhtest.d.tmp -MT test/dhtest-bin-dhtest.o -c -o test/dhtest-bin-dhtest.o ../openssl/test/dhtest.c clang -Iinclude -Iapps/include -Iproviders/common/include -I../openssl/include -I../openssl/apps/include -I../openssl/providers/common/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/drbgtest-bin-drbgtest.d.tmp -MT test/drbgtest-bin-drbgtest.o -c -o test/drbgtest-bin-drbgtest.o ../openssl/test/drbgtest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.d.tmp -MT test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.o -c -o test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.o ../openssl/test/dsa_no_digest_size_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dsatest-bin-dsatest.d.tmp -MT test/dsatest-bin-dsatest.o -c -o test/dsatest-bin-dsatest.o ../openssl/test/dsatest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtls_mtu_test-bin-dtls_mtu_test.d.tmp -MT test/dtls_mtu_test-bin-dtls_mtu_test.o -c -o test/dtls_mtu_test-bin-dtls_mtu_test.o ../openssl/test/dtls_mtu_test.c clang -I. -Iinclude -I../openssl -I../openssl/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/dtls_mtu_test-bin-ssltestlib.d.tmp -MT test/helpers/dtls_mtu_test-bin-ssltestlib.o -c -o test/helpers/dtls_mtu_test-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtlstest-bin-dtlstest.d.tmp -MT test/dtlstest-bin-dtlstest.o -c -o test/dtlstest-bin-dtlstest.o ../openssl/test/dtlstest.c clang -I. -Iinclude -I../openssl -I../openssl/include -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/dtlstest-bin-ssltestlib.d.tmp -MT test/helpers/dtlstest-bin-ssltestlib.o -c -o test/helpers/dtlstest-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtlsv1listentest-bin-dtlsv1listentest.d.tmp -MT test/dtlsv1listentest-bin-dtlsv1listentest.o -c -o test/dtlsv1listentest-bin-dtlsv1listentest.o ../openssl/test/dtlsv1listentest.c clang -Iinclude -Icrypto/ec -Iapps/include -I../openssl/include -I../openssl/crypto/ec -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ec_internal_test-bin-ec_internal_test.d.tmp -MT test/ec_internal_test-bin-ec_internal_test.o -c -o test/ec_internal_test-bin-ec_internal_test.o ../openssl/test/ec_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ecdsatest-bin-ecdsatest.d.tmp -MT test/ecdsatest-bin-ecdsatest.o -c -o test/ecdsatest-bin-ecdsatest.o ../openssl/test/ecdsatest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ecstresstest-bin-ecstresstest.d.tmp -MT test/ecstresstest-bin-ecstresstest.o -c -o test/ecstresstest-bin-ecstresstest.o ../openssl/test/ecstresstest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ectest-bin-ectest.d.tmp -MT test/ectest-bin-ectest.o -c -o test/ectest-bin-ectest.o ../openssl/test/ectest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/endecode_test-bin-endecode_test.d.tmp -MT test/endecode_test-bin-endecode_test.o -c -o test/endecode_test-bin-endecode_test.o ../openssl/test/endecode_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/endecode_test-bin-predefined_dhparams.d.tmp -MT test/helpers/endecode_test-bin-predefined_dhparams.o -c -o test/helpers/endecode_test-bin-predefined_dhparams.o ../openssl/test/helpers/predefined_dhparams.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/endecoder_legacy_test-bin-endecoder_legacy_test.d.tmp -MT test/endecoder_legacy_test-bin-endecoder_legacy_test.o -c -o test/endecoder_legacy_test-bin-endecoder_legacy_test.o ../openssl/test/endecoder_legacy_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/enginetest-bin-enginetest.d.tmp -MT test/enginetest-bin-enginetest.o -c -o test/enginetest-bin-enginetest.o ../openssl/test/enginetest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/errtest-bin-errtest.d.tmp -MT test/errtest-bin-errtest.o -c -o test/errtest-bin-errtest.o ../openssl/test/errtest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -DNO_FIPS_MODULE -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_extra_test-bin-evp_extra_test.d.tmp -MT test/evp_extra_test-bin-evp_extra_test.o -c -o test/evp_extra_test-bin-evp_extra_test.o ../openssl/test/evp_extra_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_extra_test2-bin-evp_extra_test2.d.tmp -MT test/evp_extra_test2-bin-evp_extra_test2.o -c -o test/evp_extra_test2-bin-evp_extra_test2.o ../openssl/test/evp_extra_test2.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_fetch_prov_test-bin-evp_fetch_prov_test.d.tmp -MT test/evp_fetch_prov_test-bin-evp_fetch_prov_test.o -c -o test/evp_fetch_prov_test-bin-evp_fetch_prov_test.o ../openssl/test/evp_fetch_prov_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_kdf_test-bin-evp_kdf_test.d.tmp -MT test/evp_kdf_test-bin-evp_kdf_test.o -c -o test/evp_kdf_test-bin-evp_kdf_test.o ../openssl/test/evp_kdf_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_libctx_test-bin-evp_libctx_test.d.tmp -MT test/evp_libctx_test-bin-evp_libctx_test.o -c -o test/evp_libctx_test-bin-evp_libctx_test.o ../openssl/test/evp_libctx_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_pkey_dparams_test-bin-evp_pkey_dparams_test.d.tmp -MT test/evp_pkey_dparams_test-bin-evp_pkey_dparams_test.o -c -o test/evp_pkey_dparams_test-bin-evp_pkey_dparams_test.o ../openssl/test/evp_pkey_dparams_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_pkey_provided_test-bin-evp_pkey_provided_test.d.tmp -MT test/evp_pkey_provided_test-bin-evp_pkey_provided_test.o -c -o test/evp_pkey_provided_test-bin-evp_pkey_provided_test.o ../openssl/test/evp_pkey_provided_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_test-bin-evp_test.d.tmp -MT test/evp_test-bin-evp_test.o -c -o test/evp_test-bin-evp_test.o ../openssl/test/evp_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/exdatatest-bin-exdatatest.d.tmp -MT test/exdatatest-bin-exdatatest.o -c -o test/exdatatest-bin-exdatatest.o ../openssl/test/exdatatest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/exptest-bin-exptest.d.tmp -MT test/exptest-bin-exptest.o -c -o test/exptest-bin-exptest.o ../openssl/test/exptest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/fatalerrtest-bin-fatalerrtest.d.tmp -MT test/fatalerrtest-bin-fatalerrtest.o -c -o test/fatalerrtest-bin-fatalerrtest.o ../openssl/test/fatalerrtest.c clang -I. -Iinclude -I../openssl -I../openssl/include -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/fatalerrtest-bin-ssltestlib.d.tmp -MT test/helpers/fatalerrtest-bin-ssltestlib.o -c -o test/helpers/fatalerrtest-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ffc_internal_test-bin-ffc_internal_test.d.tmp -MT test/ffc_internal_test-bin-ffc_internal_test.o -c -o test/ffc_internal_test-bin-ffc_internal_test.o ../openssl/test/ffc_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/gmdifftest-bin-gmdifftest.d.tmp -MT test/gmdifftest-bin-gmdifftest.o -c -o test/gmdifftest-bin-gmdifftest.o ../openssl/test/gmdifftest.c clang -Iinclude -Iapps/include -I. -I../openssl/include -I../openssl/apps/include -I../openssl -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/gosttest-bin-gosttest.d.tmp -MT test/gosttest-bin-gosttest.o -c -o test/gosttest-bin-gosttest.o ../openssl/test/gosttest.c clang -I. -Iinclude -I../openssl -I../openssl/include -Iinclude -Iapps/include -I. -I../openssl/include -I../openssl/apps/include -I../openssl -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/gosttest-bin-ssltestlib.d.tmp -MT test/helpers/gosttest-bin-ssltestlib.o -c -o test/helpers/gosttest-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/hexstr_test-bin-hexstr_test.d.tmp -MT test/hexstr_test-bin-hexstr_test.o -c -o test/hexstr_test-bin-hexstr_test.o ../openssl/test/hexstr_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/hmactest-bin-hmactest.d.tmp -MT test/hmactest-bin-hmactest.o -c -o test/hmactest-bin-hmactest.o ../openssl/test/hmactest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/http_test-bin-http_test.d.tmp -MT test/http_test-bin-http_test.o -c -o test/http_test-bin-http_test.o ../openssl/test/http_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ideatest-bin-ideatest.d.tmp -MT test/ideatest-bin-ideatest.o -c -o test/ideatest-bin-ideatest.o ../openssl/test/ideatest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/igetest-bin-igetest.d.tmp -MT test/igetest-bin-igetest.o -c -o test/igetest-bin-igetest.o ../openssl/test/igetest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/keymgmt_internal_test-bin-keymgmt_internal_test.d.tmp -MT test/keymgmt_internal_test-bin-keymgmt_internal_test.o -c -o test/keymgmt_internal_test-bin-keymgmt_internal_test.o ../openssl/test/keymgmt_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/lhash_test-bin-lhash_test.d.tmp -MT test/lhash_test-bin-lhash_test.o -c -o test/lhash_test-bin-lhash_test.o ../openssl/test/lhash_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/mdc2_internal_test-bin-mdc2_internal_test.d.tmp -MT test/mdc2_internal_test-bin-mdc2_internal_test.o -c -o test/mdc2_internal_test-bin-mdc2_internal_test.o ../openssl/test/mdc2_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/mdc2test-bin-mdc2test.d.tmp -MT test/mdc2test-bin-mdc2test.o -c -o test/mdc2test-bin-mdc2test.o ../openssl/test/mdc2test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/memleaktest-bin-memleaktest.d.tmp -MT test/memleaktest-bin-memleaktest.o -c -o test/memleaktest-bin-memleaktest.o ../openssl/test/memleaktest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/modes_internal_test-bin-modes_internal_test.d.tmp -MT test/modes_internal_test-bin-modes_internal_test.o -c -o test/modes_internal_test-bin-modes_internal_test.o ../openssl/test/modes_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/moduleloadtest-bin-moduleloadtest.d.tmp -MT test/moduleloadtest-bin-moduleloadtest.o -c -o test/moduleloadtest-bin-moduleloadtest.o ../openssl/test/moduleloadtest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/moduleloadtest-bin-simpledynamic.d.tmp -MT test/moduleloadtest-bin-simpledynamic.o -c -o test/moduleloadtest-bin-simpledynamic.o ../openssl/test/simpledynamic.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/namemap_internal_test-bin-namemap_internal_test.d.tmp -MT test/namemap_internal_test-bin-namemap_internal_test.o -c -o test/namemap_internal_test-bin-namemap_internal_test.o ../openssl/test/namemap_internal_test.c In file included from ../openssl/test/moduleloadtest.c:19: ../openssl/test/simpledynamic.h:39:35: error: unknown type name 'SD' int sd_load(const char *filename, SD *sd, int type); ^ ../openssl/test/simpledynamic.h:40:12: error: unknown type name 'SD' int sd_sym(SD sd, const char *symname, SD_SYM *sym); ^ ../openssl/test/simpledynamic.h:40:40: error: unknown type name 'SD_SYM' int sd_sym(SD sd, const char *symname, SD_SYM *sym); ^ ../openssl/test/simpledynamic.h:41:14: error: unknown type name 'SD' int sd_close(SD lib); ^ 4 errors generated. make[1]: *** [Makefile:24764: test/moduleloadtest-bin-moduleloadtest.o] Error 1 make[1]: *** Waiting for unfinished jobs.... In file included from ../openssl/test/simpledynamic.c:13: ../openssl/test/simpledynamic.h:39:35: error: unknown type name 'SD' int sd_load(const char *filename, SD *sd, int type); ^ ../openssl/test/simpledynamic.h:40:12: error: unknown type name 'SD' int sd_sym(SD sd, const char *symname, SD_SYM *sym); ^ ../openssl/test/simpledynamic.h:40:40: error: unknown type name 'SD_SYM' int sd_sym(SD sd, const char *symname, SD_SYM *sym); ^ ../openssl/test/simpledynamic.h:41:14: error: unknown type name 'SD' int sd_close(SD lib); ^ 4 errors generated. make[1]: *** [Makefile:24772: test/moduleloadtest-bin-simpledynamic.o] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dso' make: *** [Makefile:3065: build_sw] Error 2 From tmraz at fedoraproject.org Thu Jan 7 08:58:41 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Thu, 07 Jan 2021 08:58:41 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1610009921.419218.12659.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via a953f26dba5dadf8ac69c6fcbf71ebe3efba9407 (commit) from 80d5badd8fa7dcc7dffc88745376df53161e392a (commit) - Log ----------------------------------------------------------------- commit a953f26dba5dadf8ac69c6fcbf71ebe3efba9407 Author: Ole Andr? Vadla Ravn?s Date: Wed Dec 30 22:14:23 2020 +0100 poly1305/asm/poly1305-armv4.pl: fix Clang compatibility issue I.e.: error: out of range immediate fixup value This fix is identical to one of the changes made in 3405db9, which I discovered right after taking a quick stab at fixing this. CLA: trivial Fixes #7878 Reviewed-by: Kurt Roeckx Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13757) ----------------------------------------------------------------------- Summary of changes: crypto/poly1305/asm/poly1305-armv4.pl | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/crypto/poly1305/asm/poly1305-armv4.pl b/crypto/poly1305/asm/poly1305-armv4.pl index f77e1170f6..0a4fe55d98 100755 --- a/crypto/poly1305/asm/poly1305-armv4.pl +++ b/crypto/poly1305/asm/poly1305-armv4.pl @@ -133,10 +133,10 @@ poly1305_init: # ifdef __thumb2__ itete eq # endif - addeq r12,r11,#(poly1305_emit-.Lpoly1305_init) - addne r12,r11,#(poly1305_emit_neon-.Lpoly1305_init) - addeq r11,r11,#(poly1305_blocks-.Lpoly1305_init) - addne r11,r11,#(poly1305_blocks_neon-.Lpoly1305_init) + addeq r12,r11,#(.Lpoly1305_emit-.Lpoly1305_init) + addne r12,r11,#(.Lpoly1305_emit_neon-.Lpoly1305_init) + addeq r11,r11,#(.Lpoly1305_blocks-.Lpoly1305_init) + addne r11,r11,#(.Lpoly1305_blocks_neon-.Lpoly1305_init) # endif # ifdef __thumb2__ orr r12,r12,#1 @ thumb-ify address @@ -352,6 +352,7 @@ $code.=<<___; .type poly1305_emit,%function .align 5 poly1305_emit: +.Lpoly1305_emit: stmdb sp!,{r4-r11} .Lpoly1305_emit_enter: @@ -671,6 +672,7 @@ poly1305_init_neon: .type poly1305_blocks_neon,%function .align 5 poly1305_blocks_neon: +.Lpoly1305_blocks_neon: ldr ip,[$ctx,#36] @ is_base2_26 ands $len,$len,#-16 beq .Lno_data_neon @@ -1157,6 +1159,7 @@ poly1305_blocks_neon: .type poly1305_emit_neon,%function .align 5 poly1305_emit_neon: +.Lpoly1305_emit_neon: ldr ip,[$ctx,#36] @ is_base2_26 stmdb sp!,{r4-r11} From matt at openssl.org Thu Jan 7 13:45:49 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 07 Jan 2021 13:45:49 +0000 Subject: [openssl] master update Message-ID: <1610027149.185137.13165.nullmailer@dev.openssl.org> The branch master has been updated via bd0c71298a82cc78aadba39485fc1ebec3c1c0ad (commit) from e260bee0a97d4e6de60eae2c86d7c11ed03f2010 (commit) - Log ----------------------------------------------------------------- commit bd0c71298a82cc78aadba39485fc1ebec3c1c0ad Author: Matt Caswell Date: Thu Jan 7 13:38:50 2021 +0000 Update copyright year Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/13800) ----------------------------------------------------------------------- Summary of changes: crypto/async/arch/async_win.c | 2 +- crypto/async/arch/async_win.h | 2 +- doc/man3/SSL_CTX_new.pod | 2 +- doc/man7/EVP_SIGNATURE-ED25519.pod | 2 +- engines/e_devcrypto.c | 2 +- providers/implementations/ciphers/ciphercommon.c | 2 +- test/ssl-tests/28-seclevel.cnf.in | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/crypto/async/arch/async_win.c b/crypto/async/arch/async_win.c index 72cc27c214..0b276fd504 100644 --- a/crypto/async/arch/async_win.c +++ b/crypto/async/arch/async_win.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/async/arch/async_win.h b/crypto/async/arch/async_win.h index eb61b032e0..0fab95996e 100644 --- a/crypto/async/arch/async_win.h +++ b/crypto/async/arch/async_win.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_new.pod b/doc/man3/SSL_CTX_new.pod index 4093e657e8..1c953098e2 100644 --- a/doc/man3/SSL_CTX_new.pod +++ b/doc/man3/SSL_CTX_new.pod @@ -233,7 +233,7 @@ SSL_CTX_new_ex() was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_SIGNATURE-ED25519.pod b/doc/man7/EVP_SIGNATURE-ED25519.pod index e2fc31f724..2183d83c2e 100644 --- a/doc/man7/EVP_SIGNATURE-ED25519.pod +++ b/doc/man7/EVP_SIGNATURE-ED25519.pod @@ -92,7 +92,7 @@ L, =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c index 7f3768d36c..d549edfd29 100644 --- a/engines/e_devcrypto.c +++ b/engines/e_devcrypto.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c index 0e3e367dfc..ffe644bb4c 100644 --- a/providers/implementations/ciphers/ciphercommon.c +++ b/providers/implementations/ciphers/ciphercommon.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/ssl-tests/28-seclevel.cnf.in b/test/ssl-tests/28-seclevel.cnf.in index b7b96e87b7..56c23eba3a 100644 --- a/test/ssl-tests/28-seclevel.cnf.in +++ b/test/ssl-tests/28-seclevel.cnf.in @@ -1,5 +1,5 @@ # -*- mode: perl; -*- -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy From matt at openssl.org Thu Jan 7 14:03:30 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 07 Jan 2021 14:03:30 +0000 Subject: [web] master update Message-ID: <1610028210.149616.4732.nullmailer@dev.openssl.org> The branch master has been updated via 89d554f676bdacf8497b41c8f2eae3b395bb2ff9 (commit) from 32ac25c3dc11364b8854de9e91303951f6ba406d (commit) - Log ----------------------------------------------------------------- commit 89d554f676bdacf8497b41c8f2eae3b395bb2ff9 Author: Matt Caswell Date: Thu Jan 7 14:00:02 2021 +0000 Add newsflash entry for alpha10 release Reviewed-by: Mark J. Cox Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/web/pull/212) ----------------------------------------------------------------------- Summary of changes: news/newsflash.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/news/newsflash.txt b/news/newsflash.txt index 6b39413..1d842c7 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -5,6 +5,7 @@ # headings. URL paths must all be absolute. Date: Item +07-Jan-2021: Alpha 10 of OpenSSL 3.0 is now available: please download and test it 08-Dec-2020: OpenSSL 1.1.1i is now available, including bug and security fixes 26-Nov-2020: Alpha 9 of OpenSSL 3.0 is now available: please download and test it 05-Nov-2020: Alpha 8 of OpenSSL 3.0 is now available: please download and test it From matt at openssl.org Thu Jan 7 14:07:24 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 07 Jan 2021 14:07:24 +0000 Subject: [openssl] master update Message-ID: <1610028444.803327.21842.nullmailer@dev.openssl.org> The branch master has been updated via a86add03abf7ebdf63d79971b9feb396931b8697 (commit) via cae118f9382c3790359b3ff050d6e01c11579a7f (commit) from bd0c71298a82cc78aadba39485fc1ebec3c1c0ad (commit) - Log ----------------------------------------------------------------- commit a86add03abf7ebdf63d79971b9feb396931b8697 Author: Matt Caswell Date: Thu Jan 7 13:48:32 2021 +0000 Prepare for 3.0 alpha 11 Reviewed-by: Nicola Tuveri commit cae118f9382c3790359b3ff050d6e01c11579a7f Author: Matt Caswell Date: Thu Jan 7 13:48:10 2021 +0000 Prepare for release of 3.0 alpha 10 Reviewed-by: Nicola Tuveri ----------------------------------------------------------------------- Summary of changes: VERSION.dat | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION.dat b/VERSION.dat index 5a486d1b91..9956ebb7e7 100644 --- a/VERSION.dat +++ b/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=0 PATCH=0 -PRE_RELEASE_TAG=alpha10-dev +PRE_RELEASE_TAG=alpha11-dev BUILD_METADATA= RELEASE_DATE="" SHLIB_VERSION=3 From matt at openssl.org Thu Jan 7 14:07:34 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 07 Jan 2021 14:07:34 +0000 Subject: [openssl] openssl-3.0.0-alpha10 create Message-ID: <1610028454.928022.25195.nullmailer@dev.openssl.org> The annotated tag openssl-3.0.0-alpha10 has been created at 45817feda8996f2e0812731b9b3e565d2682d694 (tag) tagging cae118f9382c3790359b3ff050d6e01c11579a7f (commit) replaces openssl-3.0.0-alpha9 tagged by Matt Caswell on Thu Jan 7 13:48:21 2021 +0000 - Log ----------------------------------------------------------------- OpenSSL 3.0.0-alpha10 release tag -----BEGIN PGP SIGNATURE----- iQFFBAABCAAvFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl/3ESURHG1hdHRAb3Bl bnNzbC5vcmcACgkQ2cTSbQ5gRJF8eQgAiULWDjFXQy/pgDxFDB3Z2k3KsiqEFzty Z7ymUtQTNAyEDsxO6KRCBVPL6HeogGrNZmqD0MxS2QhW6pcAgnaqgeNwIwEYGh8Z nSsihgXRQyos5YhEpIuVzFk1iCtugVw+zayyxAyDhVvYJ05+XX656G1ZmsgSR2Rn GmxoH2b7sIVNapyLDPXSJHceP9fIYu0elVyHTl8PFoubKapTW+zqh0m1KLfIQ+cx wg2Bh9sSrbV63CK0yDOvgqK1Wz1HMobNHM8+5avbzVHrF57hAKr9IrpPfaV7uXx/ bGAqiY7ppsc0nforH4szCQdseJJiMhppHs97bFaVSk2crmcDOV+6Bg== =GxWV -----END PGP SIGNATURE----- Ankita Shetty (4): cmp_client.c: Remove dead code of variable 'txt' in cert_response() cmp_client.c: Fix indentation and remove empty line openssl.pod: Carve out Trusted Certificate, Pass Phrase, Name Format, and Format Options openssl.pod: Fix openSSL options doc Ard Biesheuvel (1): aes/asm/aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode Benjamin Kaduk (1): Fix comment in do_dtls1_write() Daiki Ueno (1): openssl dgst: add option to specify output length for XOF Daniel Bevenius (2): EVP: don't touch the lock for evp_pkey_downgrade STORE: clear err after ossl_store_get0_loader_int David CARLIER (1): Mac M1 setting change proposal. David Carlier (2): CRYPTO_secure_malloc_init: Add FreeBSD support for secure-malloc dont-dump-region. Add MAP_CONCEAL from OpenBSD which has similar purpose but on mmap call level. David von Oheimb (1): openssl.pod: Move verification doc to new doc/man1/openssl-verification-options.pod Dmitry Belyavskiy (8): OPENSSL_NO_GOST has nothing to do with low-level algos Deprecate -cipher-commands and -digest-commands options Skip unavailable digests and ciphers in -*-commands Documenting the options deprecating Documenting the options deprecating in CHANGES.md Skip tests depending on deprecated list -*-commands options Fetch provided algorithm once per benchmark Fix doc-nits for list command Dr. David von Oheimb (42): asn1t.h: Improve comments documenting ASN1_ITYPE_... and the 'funcs' field X509_dup: fix copying of libctx and propq using new ASN1_OP_DUP_POST cb operation endecode_test.c: Significant speedup in generating DH and DHX keys remove obsolete test/drbg_extra_test.h remove obsolete test/drbg_cavs_data.h test cleanup: move helper .c and .h files to test/helpers/ endecode_test.c: Add warning that 512-bit DH key size is for testing only apps/pkcs12.c: Correct default legacy algs and make related doc consistent apps/pkcs12.c: Improve user guidance, re-ordering no-export vs. export options x509_vfy.c: Restore rejection of expired trusted (root) certificate appveyor.yml: Let 'nmake' run by defaut silently (/S), using MAKEVERBOSE like .travis.yml appveyor.yml: Let 'nmake' do builds in parallel on all CPU cores .travis.yml: Do some build (gcc) runs in parallel (-j4) ci.yml: Add 'perl configdata.pm --dump' to each config ci.yml: Let 'make' run silently (-s) with build (gcc) runs in parallel (-j4) appveyor.yml: Move printing of env variables such that locally defined ones are shown as well. encode_key2any.c: Fix build error on OPENSSL_NO_DH and OPENSSL_NO_EC encode_key2text.c: Fix build error on OPENSSL_NO_{DH,DSA,EC} fuzz/server.c: Fix build error on OPENSSL_NO_{DSA,EC,DEPECATED_3_0} apps/speed.c: Fix build errors on OPENSSL_NO_{RSA,DSA,EC,DEPECATED_3_0} endecode_test.c: Fix build errors on OPENSSL_NO_{DH,DSA,EC,EC2M} evp_pkey_dparams_test.c: Fix build error on OPENSSL_NO_{DH,DSA,EC} apps/speed.c: Rename misleading 'rsa_count' variable to 'op_count' {.travis,ci,appveyor}.yml: Make minimal config consistent, add no-deprecated no-ec no-ktls no-siv apps/verify:c: Enable output of multiple verification errors due to -x509_strict x509_vfy.c: Improve comments (correcting typos etc.) test/certs/setup.sh: Fix two glitches find-doc-nits: fix regexp and point out that CA.pl and tsget.pod are special Use adapted test_get_libctx() for simpler test setup and better error reporting apps/req.c: Improve diagnostics on multiple/overriding X.509 extensions defined via -reqext option x509v3_config.pod: Clarify semantics of subjectKeyIdentifier and authorityKeyIdentifier apps/{req,x509,ca}.c: Clean up code setting X.509 cert version v3 apps/{req,x509,ca}.c: Cleanup: move shared X509{,_REQ,_CRL} code to apps/lib/apps.c apps/x509.c: Factor out common aspects of X509 signing openssl-ca.pod.in: Clarify the -extensions/-crlexts options vs. x509_extensions/crl_extensions X509V3_EXT_add_nconf_sk(): Improve description and use of 'sk' arg, which may be NULL v2i_AUTHORITY_KEYID(): Correct out-of-memory behavior and avoid mem leaks openssl_hexstr2buf_sep(): Prevent misleading 'malloc failure' errors on short input apps/{ca,req,x509}.c: Improve diag and doc mostly on X.509 extensions, fix multiple instances apps/cmp.c: Fix bug on -path option introduced in commit 3c9d6266ed85 apps/cmp.c: Correct -keyform option range w.r.t engine Update copyright years of auto-generated headers (make update) Etienne Millon (2): EVP_SIGNATURE-ED25519.pod: fix typo in algo name 28-seclevel.cnf.in: fix typo in algo name Fangming.Fang (1): Read MIDR_EL1 system register on aarch64 Ingo Schwarze (1): Fix NULL pointer access caused by X509_ATTRIBUTE_create() J08nY (1): README: Move Travis link to .com from .org. John Baldwin (4): Allow zero-byte writes to be reported as success. Collapse two identical if statements into a single body. Use CRIOGET to fetch a crypto descriptor when present. Support session information on FreeBSD. Kelvin Lee (1): Fix simpledynamic.c - a typo and missed a header Liang Liu (1): [DOC]Fix two broken links in INSTALL.md; Change name of zlib flag to the current one. Matt Caswell (56): Prepare for 3.0 alpha 10 Fix no-posix-io Deprecate DH_new as well as i2d_DHparams and d2i_DHparams Deprecate functions for getting and setting DH values in an EVP_PKEY Deprecate EVP_PKEY_assign_DH and other similar macros Deprecate the DHparams and DHxparams PEM routines Remove fuzzing of deprecated functions in a no-deprecated build Don't test a deprecated function in a no-deprecated build Deprecate more DH functions Convert DH deprecations to the new way of deprecating functions Updates the CHANGES.md entry regarding DH deprecation Remove d2i_DHparams.pod and move documentation to d2i_RSAPrivateKey.pod Fix no-engine Fix instances of pointer addition with the NULL pointer Fix TLS1.2 CHACHA20-POLY1305 ciphersuites with OPENSSL_SMALL_FOOTPRINT Fix builds that specify both no-dh and no-ec Don't Overflow when printing Thawte Strong Extranet Version Fix a compile error with the no-sock option Fix no-dtls Fix no-dsa DirectoryString is a CHOICE type and therefore uses explicit tagging Correctly compare EdiPartyName in GENERAL_NAME_cmp() Check that multi-strings/CHOICE types don't use implicit tagging Complain if we are attempting to encode with an invalid ASN.1 template Add a test for GENERAL_NAME_cmp Add a test for encoding/decoding using an invalid ASN.1 Template Update CHANGES and NEWS for new release Fix a test failure with no-tls1_3 Fix a compilation failure with no-tls_1_2 Fix no-err Modify is_tls13_capable() to take account of the servername cb Test that we can negotiate TLSv1.3 if we have an SNI callback Don't use no-asm in the Github CIs Skip evp_test cases where we need the legacy prov and its not available Fix sslapitest.c if built with no-legacy Don't use legacy provider if not available in test_ssl_old Don't load the legacy provider in endecoder_legacy_test Skip testing ciphers in the legacy provider if no legacy Don't load the legacy provider if not available in test_enc_more Don't load the legacy provider in test_evp_libctx unnecessarily Don't use the legacy provider in test_store if its not available Don't run a legacy specific PKCS12 test if no legacy provider Skip cms tests using RC2 if no legacy provider Fix some typos in EVP_PKEY-DH.pod Fix no-threads Move the caching of cipher constants into evp_cipher_from_dispatch Cache Digest constants Optimise OPENSSL_init_crypto to not need a lock when loading config Don't call EVP_CIPHER_CTX_block_size() to find the block size Add some more CRYPTO_atomic functions Optimise OPENSSL_init_crypto Add documentation for CRYPTO_atomic_or and CRYPTO_atomic_load Add a test for the new CRYPTO_atomic_* functions Only perform special TLS handling if TLS has been configured Update copyright year Prepare for release of 3.0 alpha 10 Nan Xiao (1): Fix typo in OPENSSL_malloc.pod Nirbheek Chauhan (2): crypto/win: Don't use disallowed APIs on UWP win-onecore: Build with /APPCONTAINER for UWP compat Pauli (19): Print random seed on test failure. remove unused return value assignments remove unused assignments remove unused initialisations tag unused function arguments as ossl_unused rand: add a provider side seed source. Fix error clash in build rand seed: include lock and unlock functions. rand: don't leak memory rand: allow seed-src to be missing params: allow more variations in integer conversions. params: add integer conversion test cases. test: print OPENSSL_TEST_RAND_ORDER=x when a randomised test fails. test: document the random test ordering env variable dsa: documentation deprecation changes dsa: fuzzer deprecation changes dsa: apps deprecation changes dsa: provider and library deprecation changes dsa: add additional deprecated functions to CHANGES entry. Petr Gotthard (1): Fix OSSL_PARAM creation in OSSL_STORE_open_ex Rich Salz (3): Deprecate OCSP_REQ_CTX_set1_req Document OCSP_REQ_CTX_i2d. Check non-option arguments Richard Levitte (80): APPS: Make it possible for apps to set the base (fallback) UI_METHOD APPS: Modify apps/cmp.c to use set_base_ui_method() for its -batch option ERR: Restore the similarity of ERR_print_error_cb() and ERR_error_string_n() TEST: Adapt test/errtest for the 'no-err' configuration EVP_PKEY & DSA: Make DSA EVP_PKEY_CTX parameter ctrls / setters more available ERR: Drop or deprecate dangerous or overly confusing functions ERR: drop err_delete_thread_state() TODO marker TEST: Fix path length in test/ossl_store_test.c RSA: correct digestinfo_ripemd160_der[] TEST: Break out the local dynamic loading code from shlibloadtest.c TEST: Add a simple module loader, and test the FIPS module with it ENCODER: Don't pass libctx to OSSL_ENCODER_CTX_new_by_EVP_PKEY() Adapt everything else to the updated OSSL_ENCODER_CTX_new_by_EVP_PKEY() APPS: Add OSSL_STORE loader for engine keys APPS: Adapt load_key() and load_pubkey() for the engine: loader Add test to demonstrate the app's new engine key loading Switch deprecation method for AES Switch deprecation method for ASN.1 Switch deprecation method for BIO Switch deprecation method for Blowfish Switch deprecation method for BIGNUM Switch deprecation method for Camellia Switch deprecation method for CAST Switch deprecation method for CMAC Switch deprecation method for CONF Switch deprecation method for CRYPTO Switch deprecation method for DES Switch deprecation method for ENGINE Switch deprecation method for ERR Switch deprecation method for EVP Switch deprecation method for HMAC Switch deprecation method for IDEA Switch deprecation method for MD2 Switch deprecation method for MD4 Switch deprecation method for MD5 Switch deprecation method for MDC2 Switch deprecation method for PKCS#12 Switch deprecation method for RAND Switch deprecation method for RC2 Switch deprecation method for RC4 Switch deprecation method for RC5 Switch deprecation method for RIPEMD Switch deprecation method for SEED Switch deprecation method for SHA Switch deprecation method for SRP Switch deprecation method for SSL Switch deprecation method for OSSL_STORE Switch deprecation method for Whirlpool Switch deprecation method for X.509 DSA: Make DSA_bits() and DSA_size() check that there are key parameters EVP: Adjust EVP_PKEY_size(), EVP_PKEY_bits() and EVP_PKEY_security_bits() PEM: Add a more generic way to implement PEM _ex functions for libctx providers/common/der/build.info: Improve checks of disabled algos EVP: constify the EVP_PKEY_get_*_param() argument |pkey| EVP: Add EVP_PKEY_get_group_name() to extract the group name of a pkey TLS: Use EVP_PKEY_get_group_name() to get the group name DOCS: Update OSSL_DECODER_CTX_new_by_EVP_PKEY.pod to match declarations DOCS: Improve documentation of the EVP_PKEY type Building: Fix the library file names for MSVC builds to include multilib PEM: Unlock MSBLOB and PVK functions from 'no-dsa' and 'no-rc4' Remove unnecessary guards around MSBLOB and PVK readers and writers APPS: Correct the output structure for public keys in 'openssl rsa' TEST: Fix test/recipes/15-test_rsa.t PROV: Add MSBLOB and PVK encoders EVP_PKEY & DSA: move dsa_ctrl.c to be included only on libcrypto EVP_PKEY & DH: Make DH EVP_PKEY_CTX parameter ctrls / setters more available EVP_PKEY & EC_KEY: Make EC EVP_PKEY_CTX parameter ctrls / setters more available Drop unnecessary checks of OPENSSL_NO_DH, OPENSSL_NO_DSA and OPENSSL_NO_EC Add necessary checks of OPENSSL_NO_DH, OPENSSL_NO_DSA and OPENSSL_NO_EC DECODER EVP_PKEY: Don't store all the EVP_KEYMGMTs MSBLOB & PVK: Make it possible to write EVP_PKEYs with provided internal key DECODER: Adjust the library context of keys in our decoders CORE: Separate OSSL_PROVIDER activation from OSSL_PROVIDER reference EVP: Fix memory leak in EVP_PKEY_CTX_dup() GitHub CI: Add 'check-update' and 'check-docs' make update TEST: Fix test/endecode_test.c for 'no-legacy' Fix 'no-deprecated' GitHub CI: Separate no-deprecated job from minimal job Drop OPENSSL_NO_RSA everywhere Sebastian Andrzej Siewior (1): Configurations: PowerPC is big endian Shane Lontis (16): Fix EVP_CIPHER_CTX_set_padding for legacy path Fix no-deprecated configuration Fix s390 EDDSA HW support in providers. Add EVP_KDF-X942 to the fips module Fix X509 propq so it does not use references Fix x509_crl propq so that it uses a copy fix x509_PUBKEY propq so that it uses a copy Fix EVP_PKEY_CTX propq so that it uses a copy Fix ecdsa digest setting code to match dsa. Fix dsa & rsa signature dupctx() so that ctx->propq is strduped Change OPENSSL_hexstr2buf_ex() & OPENSSL_buf2hexstr_ex() to pass the separator Deprecate EC_POINT_bn2point and EC_POINT_point2bn. Add validate method to ECX keymanager Add fips self tests for all included kdf Fix Segfault in EVP_PKEY_CTX_dup when the ctx has an undefined operation. Change AES-CTS modes CS2 and CS3 to also be inside the fips module. Tim Hudson (1): Correct system guessing for darwin64-arm64 target Tomas Mraz (6): EVP_DigestFinalXOF must not reset the EVP_MD_CTX Add test for no reset after DigestFinal_ex and DigestFinalXOF Fix regression in EVP_DigestInit_ex: crash when called with NULL type Documentation improvements for EVP_DigestInit_ex and related functions v3nametest: Make the gennames structure static Github CI: run also on repository pushes bazmoz (1): Updated SSL_CTX_new doc ihsinme (1): Update bio_ok.c jwalch (1): Restore v2i_AUTHORITY_INFO_ACCESS() behavior ----------------------------------------------------------------------- From tmraz at fedoraproject.org Thu Jan 7 16:40:09 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Thu, 07 Jan 2021 16:40:09 +0000 Subject: [openssl] master update Message-ID: <1610037609.443433.7684.nullmailer@dev.openssl.org> The branch master has been updated via 3d0b6494d5a973d516e0944bc02b22385fca318a (commit) via 981b4b95721907384f4add9de72bf90e0ba39288 (commit) via 1c47539a2331ff0b58a4e8663bcc6db0dc2c6449 (commit) via c1e8a0c66e32b4144fdeb49bd5ff7acb76df72b9 (commit) from a86add03abf7ebdf63d79971b9feb396931b8697 (commit) - Log ----------------------------------------------------------------- commit 3d0b6494d5a973d516e0944bc02b22385fca318a Author: Otto Hollmann Date: Tue Oct 20 12:47:55 2020 +0200 Remove extra space. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12100) commit 981b4b95721907384f4add9de72bf90e0ba39288 Author: Otto Hollmann Date: Mon Oct 19 16:25:26 2020 +0200 Fixed error and return code. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12100) commit 1c47539a2331ff0b58a4e8663bcc6db0dc2c6449 Author: Otto Hollmann Date: Mon Oct 19 10:05:57 2020 +0200 Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12100) commit c1e8a0c66e32b4144fdeb49bd5ff7acb76df72b9 Author: Otto Hollmann Date: Tue Jun 9 15:50:12 2020 +0200 Fix set_ciphersuites ignore unknown ciphers. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12100) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 5 +++++ doc/man3/SSL_CTX_set_cipher_list.pod | 10 +++++----- ssl/ssl_ciph.c | 18 +++++++++--------- 3 files changed, 19 insertions(+), 14 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index a296406137..94bf750ffc 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,6 +23,11 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] + * Changed behavior of SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() + to ignore unknown ciphers. + + *Otto Hollmann* + * The -cipher-commands and -digest-commands options of the command line utility list has been deprecated. Instead use the -cipher-algorithms and -digest-algorithms options. diff --git a/doc/man3/SSL_CTX_set_cipher_list.pod b/doc/man3/SSL_CTX_set_cipher_list.pod index 2fdebdf51d..c2786295b7 100644 --- a/doc/man3/SSL_CTX_set_cipher_list.pod +++ b/doc/man3/SSL_CTX_set_cipher_list.pod @@ -65,11 +65,11 @@ cipher string for TLSv1.3 ciphersuites. =head1 NOTES -The control string B for SSL_CTX_set_cipher_list() and -SSL_set_cipher_list() should be universally usable and not depend -on details of the library configuration (ciphers compiled in). Thus no -syntax checking takes place. Items that are not recognized, because the -corresponding ciphers are not compiled in or because they are mistyped, +The control string B for SSL_CTX_set_cipher_list(), SSL_set_cipher_list(), +SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() should be universally +usable and not depend on details of the library configuration (ciphers compiled +in). Thus no syntax checking takes place. Items that are not recognized, because +the corresponding ciphers are not compiled in or because they are mistyped, are simply ignored. Failure is only flagged if no ciphers could be collected at all. diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 64ecc543ba..6c77cd3d40 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1288,19 +1288,17 @@ static int ciphersuite_cb(const char *elem, int len, void *arg) /* Arbitrary sized temp buffer for the cipher name. Should be big enough */ char name[80]; - if (len > (int)(sizeof(name) - 1)) { - ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH); - return 0; - } + if (len > (int)(sizeof(name) - 1)) + /* Anyway return 1 so we can parse rest of the list */ + return 1; memcpy(name, elem, len); name[len] = '\0'; cipher = ssl3_get_cipher_by_std_name(name); - if (cipher == NULL) { - ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH); - return 0; - } + if (cipher == NULL) + /* Ciphersuite not found but return 1 to parse rest of the list */ + return 1; if (!sk_SSL_CIPHER_push(ciphersuites, cipher)) { ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); @@ -1319,7 +1317,9 @@ static __owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const cha /* Parse the list. We explicitly allow an empty list */ if (*str != '\0' - && !CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers)) { + && (CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers) <= 0 + || sk_SSL_CIPHER_num(newciphers) == 0)) { + ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH); sk_SSL_CIPHER_free(newciphers); return 0; } From openssl at openssl.org Thu Jan 7 23:11:10 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 07 Jan 2021 23:11:10 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module Message-ID: <1610061070.053587.2698585.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: e260bee0a9 Only perform special TLS handling if TLS has been configured 7c0e98a5c4 Mac M1 setting change proposal. 7fd1ca723a Support session information on FreeBSD. b39c215dec Use CRIOGET to fetch a crypto descriptor when present. 3497cc8776 Updated SSL_CTX_new doc b043c41c00 28-seclevel.cnf.in: fix typo in algo name b2d1465153 EVP_SIGNATURE-ED25519.pod: fix typo in algo name 2c61a670eb win-onecore: Build with /APPCONTAINER for UWP compat ce11192650 crypto/win: Don't use disallowed APIs on UWP 38b57c4c52 Update copyright years of auto-generated headers (make update) Build log ended with (last 100 lines): # warn_cert_msg:../openssl/apps/cmp.c:687:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1980:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2030:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 0 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem -out_trusted root.crt => 0 not ok 43 - popo RAVERIFIED # ------------------------------------------------------------------------------ # cmp_main:../openssl/apps/cmp.c:2663:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2263:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:687:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1980:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2030:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # ------------------------------------------------------------------------------ # Failed test 'popo NONE' # at ../openssl/test/recipes/81-test_cmp_cli.t line 183. # cmp_main:../openssl/apps/cmp.c:2663:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2263:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:687:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1980:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2030:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 2 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem -out_trusted root.crt => 0 not ok 48 - popo KEYENC not supported # ------------------------------------------------------------------------------ # Looks like you failed 3 tests of 92. not ok 7 - CMP app CLI Mock enrollment # ------------------------------------------------------------------------------ # # Failed test 'CMP app CLI Mock enrollment # ' # at /home/openssl/run-checker/enable-fuzz-afl/../openssl/util/perl/OpenSSL/Test.pm line 1335. # Looks like you failed 3 tests of 7.81-test_cmp_cli.t .................. Dubious, test returned 3 (wstat 768, 0x300) Failed 3/7 subtests 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. skipped: Test only supported in a shared build 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: GOST support is disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ skipped: Test only supported in a shared build 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. skipped: tls13secrets is not supported in this build 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 81-test_cmp_cli.t (Wstat: 768 Tests: 7 Failed: 3) Failed tests: 4-5, 7 Non-zero exit status: 3 Files=227, Tests=2999, 703 wallclock secs (10.20 usr 1.40 sys + 617.70 cusr 71.88 csys = 701.18 CPU) Result: FAIL make[1]: *** [Makefile:2458: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-fuzz-afl' make: *** [Makefile:2455: tests] Error 2 From matt at openssl.org Fri Jan 8 10:43:51 2021 From: matt at openssl.org (Matt Caswell) Date: Fri, 08 Jan 2021 10:43:51 +0000 Subject: [openssl] master update Message-ID: <1610102631.138808.12460.nullmailer@dev.openssl.org> The branch master has been updated via d0afb30ef3950cacff50ec539e90073b95a276df (commit) from 3d0b6494d5a973d516e0944bc02b22385fca318a (commit) - Log ----------------------------------------------------------------- commit d0afb30ef3950cacff50ec539e90073b95a276df Author: Matt Caswell Date: Thu Dec 10 10:36:23 2020 +0000 Ensure DTLS free functions can handle NULL Our free functions should be able to deal with the case where the object being freed is NULL. This turns out to not be quite the case for DTLS related objects. Fixes #13649 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13655) ----------------------------------------------------------------------- Summary of changes: ssl/d1_lib.c | 9 +++++---- ssl/record/rec_layer_d1.c | 3 +++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index cc41eee976..62c5f26e5d 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -142,10 +142,11 @@ void dtls1_free(SSL *s) ssl3_free(s); - dtls1_clear_queues(s); - - pqueue_free(s->d1->buffered_messages); - pqueue_free(s->d1->sent_messages); + if (s->d1 != NULL) { + dtls1_clear_queues(s); + pqueue_free(s->d1->buffered_messages); + pqueue_free(s->d1->sent_messages); + } OPENSSL_free(s->d1); s->d1 = NULL; diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index cc412bae37..10321ce015 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c @@ -46,6 +46,9 @@ int DTLS_RECORD_LAYER_new(RECORD_LAYER *rl) void DTLS_RECORD_LAYER_free(RECORD_LAYER *rl) { + if (rl->d == NULL) + return; + DTLS_RECORD_LAYER_clear(rl); pqueue_free(rl->d->unprocessed_rcds.q); pqueue_free(rl->d->processed_rcds.q); From matt at openssl.org Fri Jan 8 10:44:02 2021 From: matt at openssl.org (Matt Caswell) Date: Fri, 08 Jan 2021 10:44:02 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1610102642.452109.13452.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 37d9e3d7fdfbe7713adcdeca55b1303c6ad8dc12 (commit) from a953f26dba5dadf8ac69c6fcbf71ebe3efba9407 (commit) - Log ----------------------------------------------------------------- commit 37d9e3d7fdfbe7713adcdeca55b1303c6ad8dc12 Author: Matt Caswell Date: Thu Dec 10 10:36:23 2020 +0000 Ensure DTLS free functions can handle NULL Our free functions should be able to deal with the case where the object being freed is NULL. This turns out to not be quite the case for DTLS related objects. Fixes #13649 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13655) (cherry picked from commit d0afb30ef3950cacff50ec539e90073b95a276df) ----------------------------------------------------------------------- Summary of changes: ssl/d1_lib.c | 9 +++++---- ssl/record/rec_layer_d1.c | 3 +++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 2a15ee8ad9..8874bed353 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -142,10 +142,11 @@ void dtls1_free(SSL *s) ssl3_free(s); - dtls1_clear_queues(s); - - pqueue_free(s->d1->buffered_messages); - pqueue_free(s->d1->sent_messages); + if (s->d1 != NULL) { + dtls1_clear_queues(s); + pqueue_free(s->d1->buffered_messages); + pqueue_free(s->d1->sent_messages); + } OPENSSL_free(s->d1); s->d1 = NULL; diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index e56c6b9595..d0cb72d757 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c @@ -46,6 +46,9 @@ int DTLS_RECORD_LAYER_new(RECORD_LAYER *rl) void DTLS_RECORD_LAYER_free(RECORD_LAYER *rl) { + if (rl->d == NULL) + return; + DTLS_RECORD_LAYER_clear(rl); pqueue_free(rl->d->unprocessed_rcds.q); pqueue_free(rl->d->processed_rcds.q); From tmraz at fedoraproject.org Fri Jan 8 11:12:39 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Fri, 08 Jan 2021 11:12:39 +0000 Subject: [openssl] master update Message-ID: <1610104359.532482.21386.nullmailer@dev.openssl.org> The branch master has been updated via 22aa4a3afb53984201c84970ec03b251d0117f00 (commit) from d0afb30ef3950cacff50ec539e90073b95a276df (commit) - Log ----------------------------------------------------------------- commit 22aa4a3afb53984201c84970ec03b251d0117f00 Author: Billy Brumley Date: Tue Jan 5 13:08:09 2021 +0200 [crypto/dh] side channel hardening for computing DH shared keys Reviewed-by: Nicola Tuveri Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13783) ----------------------------------------------------------------------- Summary of changes: crypto/dh/dh_key.c | 34 +++++++++++++++++++++++++++++++--- doc/man3/DH_generate_key.pod | 27 +++++++++++++++++++++------ 2 files changed, 52 insertions(+), 9 deletions(-) diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index 2e61ccbaa2..4535715367 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -86,26 +86,53 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) goto err; } - ret = BN_bn2bin(tmp, key); + /* return the padded key, i.e. same number of bytes as the modulus */ + ret = BN_bn2binpad(tmp, key, BN_num_bytes(dh->params.p)); err: BN_CTX_end(ctx); BN_CTX_free(ctx); return ret; } +/*- + * NB: This function is inherently not constant time due to the + * RFC 5246 (8.1.2) padding style that strips leading zero bytes. + */ int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) { + int ret = 0, i; + volatile size_t npad = 0, mask = 1; + + /* compute the key; ret is constant unless compute_key is external */ #ifdef FIPS_MODULE - return compute_key(key, pub_key, dh); + ret = compute_key(key, pub_key, dh); #else - return dh->meth->compute_key(key, pub_key, dh); + ret = dh->meth->compute_key(key, pub_key, dh); #endif + if (ret <= 0) + return ret; + + /* count leading zero bytes, yet still touch all bytes */ + for (i = 0; i < ret; i++) { + mask &= !key[i]; + npad += mask; + } + + /* unpad key */ + ret -= npad; + /* key-dependent memory access, potentially leaking npad / ret */ + memmove(key, key + npad, ret); + /* key-dependent memory access, potentially leaking npad / ret */ + memset(key + ret, 0, npad); + + return ret; } int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh) { int rv, pad; + /* rv is constant unless compute_key is external */ #ifdef FIPS_MODULE rv = compute_key(key, pub_key, dh); #else @@ -114,6 +141,7 @@ int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh) if (rv <= 0) return rv; pad = BN_num_bytes(dh->params.p) - rv; + /* pad is constant (zero) unless compute_key is external */ if (pad > 0) { memmove(key + pad, key, rv); memset(key, 0, pad); diff --git a/doc/man3/DH_generate_key.pod b/doc/man3/DH_generate_key.pod index 7cc9e84a44..c5b58615e0 100644 --- a/doc/man3/DH_generate_key.pod +++ b/doc/man3/DH_generate_key.pod @@ -2,7 +2,8 @@ =head1 NAME -DH_generate_key, DH_compute_key - perform Diffie-Hellman key exchange +DH_generate_key, DH_compute_key, DH_compute_key_padded - perform +Diffie-Hellman key exchange =head1 SYNOPSIS @@ -14,18 +15,20 @@ L: int DH_generate_key(DH *dh); - int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh); + int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); + + int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh); =head1 DESCRIPTION -Both of the functions described on this page are deprecated. +All of the functions described on this page are deprecated. Applications should instead use L and L. DH_generate_key() performs the first step of a Diffie-Hellman key exchange by generating private and public DH values. By calling -DH_compute_key(), these are combined with the other party's public -value to compute the shared key. +DH_compute_key() or DH_compute_key_padded(), these are combined with +the other party's public value to compute the shared key. DH_generate_key() expects B to contain the shared parameters Bp> and Bg>. It generates a random private DH value @@ -36,6 +39,14 @@ published. DH_compute_key() computes the shared secret from the private DH value in B and the other party's public value in B and stores it in B. B must point to B bytes of memory. +The padding style is RFC 5246 (8.1.2) that strips leading zero bytes. +It is not constant time due to the leading zero bytes being stripped. +The return value should be considered public. + +DH_compute_key_padded() is similar but stores a fixed number of bytes. +The padding style is NIST SP 800-56A (C.1) that retains leading zero bytes. +It is constant time due to the leading zero bytes being retained. +The return value should be considered public. =head1 RETURN VALUES @@ -44,6 +55,8 @@ DH_generate_key() returns 1 on success, 0 otherwise. DH_compute_key() returns the size of the shared secret on success, -1 on error. +DH_compute_key_padded() returns B on success, -1 on error. + The error codes can be obtained by L. =head1 SEE ALSO @@ -53,7 +66,9 @@ L, L, L, L =head1 HISTORY -Both of these functions were deprecated in OpenSSL 3.0. +DH_compute_key_padded() was added in OpenSSL 1.0.2. + +All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT From openssl at openssl.org Fri Jan 8 16:36:03 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 08 Jan 2021 16:36:03 +0000 Subject: FAILED build of OpenSSL branch master with options -d --strict-warnings enable-weak-ssl-ciphers Message-ID: <1610123763.594759.570387.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings enable-weak-ssl-ciphers Commit log since last time: e260bee0a9 Only perform special TLS handling if TLS has been configured 7c0e98a5c4 Mac M1 setting change proposal. 7fd1ca723a Support session information on FreeBSD. b39c215dec Use CRIOGET to fetch a crypto descriptor when present. 3497cc8776 Updated SSL_CTX_new doc b043c41c00 28-seclevel.cnf.in: fix typo in algo name b2d1465153 EVP_SIGNATURE-ED25519.pod: fix typo in algo name 2c61a670eb win-onecore: Build with /APPCONTAINER for UWP compat ce11192650 crypto/win: Don't use disallowed APIs on UWP 38b57c4c52 Update copyright years of auto-generated headers (make update) Build log ended with (last 100 lines): 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok ERROR in SERVER 40B7F7449E7F0000:error:0A0000F4:SSL routines:ossl_statem_server_read_transition:unexpected message:../openssl/ssl/statem/statem_srvr.c:312: Doing handshakes=1 bytes=256 TLSv1, cipher SSLv3 ADH-RC4-MD5, temp key: 2048 bits DH ../../util/wrap.pl ../../test/ssl_old_test -s_key keyU.ss -s_cert certU.ss -c_key keyU.ss -c_cert certU.ss -config ../../../openssl/test/default-and-legacy.cnf -provider default -provider legacy -s_cert certD.ss -s_key keyD.ss -s_cert certE.ss -s_key keyE.ss -cipher 'ADH-RC4-MD5:@SECLEVEL=0' -ciphersuites '' -tls1 => 1 not ok 28 - Testing ADH-RC4-MD5:@SECLEVEL=0 # ------------------------------------------------------------------------------ ERROR in SERVER 40C7004F817F0000:error:0A0000F4:SSL routines:ossl_statem_server_read_transition:unexpected message:../openssl/ssl/statem/statem_srvr.c:312: Doing handshakes=1 bytes=256 TLSv1, cipher SSLv3 RC4-MD5, 2048 bits RSA ../../util/wrap.pl ../../test/ssl_old_test -s_key keyU.ss -s_cert certU.ss -c_key keyU.ss -c_cert certU.ss -config ../../../openssl/test/default-and-legacy.cnf -provider default -provider legacy -s_cert certD.ss -s_key keyD.ss -s_cert certE.ss -s_key keyE.ss -cipher 'RC4-MD5:@SECLEVEL=0' -ciphersuites '' -tls1 => 1 not ok 42 - Testing RC4-MD5:@SECLEVEL=0 # ------------------------------------------------------------------------------ ERROR in SERVER 4077479FD97F0000:error:0A0000F4:SSL routines:ossl_statem_server_read_transition:unexpected message:../openssl/ssl/statem/statem_srvr.c:312: Doing handshakes=1 bytes=256 TLSv1.2, cipher SSLv3 ADH-RC4-MD5, temp key: 2048 bits DH ../../util/wrap.pl ../../test/ssl_old_test -s_key keyU.ss -s_cert certU.ss -c_key keyU.ss -c_cert certU.ss -config ../../../openssl/test/default-and-legacy.cnf -provider default -provider legacy -s_cert certD.ss -s_key keyD.ss -s_cert certE.ss -s_key keyE.ss -cipher 'ADH-RC4-MD5:@SECLEVEL=0' -ciphersuites '' -tls1_2 => 1 not ok 118 - Testing ADH-RC4-MD5:@SECLEVEL=0 # ------------------------------------------------------------------------------ ERROR in SERVER 40D7A439157F0000:error:0A0000F4:SSL routines:ossl_statem_server_read_transition:unexpected message:../openssl/ssl/statem/statem_srvr.c:312: Doing handshakes=1 bytes=256 TLSv1.2, cipher SSLv3 RC4-MD5, 2048 bits RSA ../../util/wrap.pl ../../test/ssl_old_test -s_key keyU.ss -s_cert certU.ss -c_key keyU.ss -c_cert certU.ss -config ../../../openssl/test/default-and-legacy.cnf -provider default -provider legacy -s_cert certD.ss -s_key keyD.ss -s_cert certE.ss -s_key keyE.ss -cipher 'RC4-MD5:@SECLEVEL=0' -ciphersuites '' -tls1_2 => 1 not ok 143 - Testing RC4-MD5:@SECLEVEL=0 # ------------------------------------------------------------------------------ # Looks like you failed 4 tests of 148. not ok 4 - Testing ciphersuites # ------------------------------------------------------------------------------ # Looks like you failed 1 test of 12.80-test_ssl_old.t .................. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/12 subtests 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_ssl_old.t (Wstat: 256 Tests: 12 Failed: 1) Failed test: 4 Non-zero exit status: 1 Files=227, Tests=3560, 881 wallclock secs (14.53 usr 1.47 sys + 784.51 cusr 90.90 csys = 891.41 CPU) Result: FAIL make[1]: *** [Makefile:3237: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-weak-ssl-ciphers' make: *** [Makefile:3234: tests] Error 2 From matt at openssl.org Fri Jan 8 17:27:32 2021 From: matt at openssl.org (Matt Caswell) Date: Fri, 08 Jan 2021 17:27:32 +0000 Subject: [openssl] master update Message-ID: <1610126852.671287.3281.nullmailer@dev.openssl.org> The branch master has been updated via becbacd705170952725571ae4404846b0ecee86a (commit) from 22aa4a3afb53984201c84970ec03b251d0117f00 (commit) - Log ----------------------------------------------------------------- commit becbacd705170952725571ae4404846b0ecee86a Author: Michael Baentsch Date: Thu Jan 7 09:09:32 2021 +0100 Adding TLS group name retrieval Function SSL_group_to_name() added, together with documentation and tests. This now permits displaying names of internal and external provider-implemented groups. Partial fix of #13767 Reviewed-by: Tomas Mraz Reviewed-by: Nicola Tuveri Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13785) ----------------------------------------------------------------------- Summary of changes: apps/lib/s_cb.c | 23 ++++------------------ doc/man3/SSL_group_to_name.pod | 43 ++++++++++++++++++++++++++++++++++++++++++ include/openssl/ssl.h.in | 2 ++ ssl/s3_lib.c | 18 ++++++++++++++++++ ssl/ssl_local.h | 1 + ssl/t1_lib.c | 2 +- test/sslapitest.c | 23 ++++++++++++++++++++++ util/libssl.num | 1 + 8 files changed, 93 insertions(+), 20 deletions(-) create mode 100644 doc/man3/SSL_group_to_name.pod diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c index c7994417aa..67e0fbd5bd 100644 --- a/apps/lib/s_cb.c +++ b/apps/lib/s_cb.c @@ -345,7 +345,6 @@ int ssl_print_point_formats(BIO *out, SSL *s) int ssl_print_groups(BIO *out, SSL *s, int noshared) { int i, ngroups, *groups, nid; - const char *gname; ngroups = SSL_get1_groups(s, NULL); if (ngroups <= 0) @@ -353,39 +352,25 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared) groups = app_malloc(ngroups * sizeof(int), "groups to print"); SSL_get1_groups(s, groups); - BIO_puts(out, "Supported Elliptic Groups: "); + BIO_puts(out, "Supported groups: "); for (i = 0; i < ngroups; i++) { if (i) BIO_puts(out, ":"); nid = groups[i]; - /* If unrecognised print out hex version */ - if (nid & TLSEXT_nid_unknown) { - BIO_printf(out, "0x%04X", nid & 0xFFFF); - } else { - /* TODO(TLS1.3): Get group name here */ - /* Use NIST name for curve if it exists */ - gname = EC_curve_nid2nist(nid); - if (gname == NULL) - gname = OBJ_nid2sn(nid); - BIO_printf(out, "%s", gname); - } + BIO_printf(out, "%s", SSL_group_to_name(s, nid)); } OPENSSL_free(groups); if (noshared) { BIO_puts(out, "\n"); return 1; } - BIO_puts(out, "\nShared Elliptic groups: "); + BIO_puts(out, "\nShared groups: "); ngroups = SSL_get_shared_group(s, -1); for (i = 0; i < ngroups; i++) { if (i) BIO_puts(out, ":"); nid = SSL_get_shared_group(s, i); - /* TODO(TLS1.3): Convert for DH groups */ - gname = EC_curve_nid2nist(nid); - if (gname == NULL) - gname = OBJ_nid2sn(nid); - BIO_printf(out, "%s", gname); + BIO_printf(out, "%s", SSL_group_to_name(s, nid)); } if (ngroups == 0) BIO_puts(out, "NONE"); diff --git a/doc/man3/SSL_group_to_name.pod b/doc/man3/SSL_group_to_name.pod new file mode 100644 index 0000000000..9c0e75c188 --- /dev/null +++ b/doc/man3/SSL_group_to_name.pod @@ -0,0 +1,43 @@ +=pod + +=head1 NAME + +SSL_group_to_name - get name of group + +=head1 SYNOPSIS + + #include + + const char *SSL_group_to_name(const SSL *ssl, int id); + +=head1 DESCRIPTION + +SSL_group_to_name() is used to retrieve the TLS group name +associated with a given TLS group ID, as registered via built-in +or external providers and as returned by a call to SSL_get1_groups() +or SSL_get_shared_group(). + +=head1 RETURN VALUES + +If non-NULL, SSL_group_to_name() returns the TLS group name +corresponding to the given I as a NULL-terminated string. +If SSL_group_to_name() returns NULL, an error occurred; possibly no +corresponding tlsname was registered during provider initialisation. + +Note that the return value is valid only during the lifetime of the +SSL object I. + +=head1 SEE ALSO + +L + +=head1 COPYRIGHT + +Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in index 37b4c82f02..4e5d50bd6d 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -1501,6 +1501,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) # define SSL_get_max_proto_version(s) \ SSL_ctrl(s, SSL_CTRL_GET_MAX_PROTO_VERSION, 0, NULL) +const char *SSL_group_to_name(SSL *s, int id); + /* Backwards compatibility, original 1.1.0 names */ # define SSL_CTRL_GET_SERVER_TMP_KEY \ SSL_CTRL_GET_PEER_TMP_KEY diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 298efdc1cb..0739bc9082 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -4986,3 +4986,21 @@ int ssl_encapsulate(SSL *s, EVP_PKEY *pubkey, EVP_PKEY_CTX_free(pctx); return rv; } + +const char *SSL_group_to_name(SSL *s, int nid) { + int group_id = 0; + const TLS_GROUP_INFO *cinf = NULL; + + /* first convert to real group id for internal and external IDs */ + if (nid & TLSEXT_nid_unknown) + group_id = nid & 0xFFFF; + else + group_id = tls1_nid2group_id(nid); + + /* then look up */ + cinf = tls1_group_id_lookup(s->ctx, group_id); + + if (cinf != NULL) + return cinf->tlsname; + return NULL; +} diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index c2a4087c3b..22ab387422 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2650,6 +2650,7 @@ SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n); __owur const TLS_GROUP_INFO *tls1_group_id_lookup(SSL_CTX *ctx, uint16_t curve_id); __owur int tls1_group_id2nid(uint16_t group_id, int include_unknown); +__owur uint16_t tls1_nid2group_id(int nid); __owur int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_curves); __owur uint16_t tls1_shared_group(SSL *s, int nmatch); __owur int tls1_set_groups(uint16_t **pext, size_t *pextlen, diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index bc366c8a7c..60c17dd809 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -460,7 +460,7 @@ int tls1_group_id2nid(uint16_t group_id, int include_unknown) return TLSEXT_nid_unknown | (int)group_id; } -static uint16_t tls1_nid2group_id(int nid) +uint16_t tls1_nid2group_id(int nid) { size_t i; diff --git a/test/sslapitest.c b/test/sslapitest.c index 915387a87c..984c6a8764 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -4318,6 +4318,7 @@ static int test_key_exchange(int idx) int *kexch_groups = &kexch_alg; int kexch_groups_size = 1; int max_version = TLS1_3_VERSION; + char *kexch_name0 = NULL; switch (idx) { # ifndef OPENSSL_NO_EC @@ -4329,47 +4330,60 @@ static int test_key_exchange(int idx) case 0: kexch_groups = ecdhe_kexch_groups; kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups); + kexch_name0 = "secp256r1"; break; case 1: kexch_alg = NID_X9_62_prime256v1; + kexch_name0 = "secp256r1"; break; case 2: kexch_alg = NID_secp384r1; + kexch_name0 = "secp384r1"; break; case 3: kexch_alg = NID_secp521r1; + kexch_name0 = "secp521r1"; break; case 4: kexch_alg = NID_X25519; + kexch_name0 = "x25519"; break; case 5: kexch_alg = NID_X448; + kexch_name0 = "x448"; break; # endif # ifndef OPENSSL_NO_DH # ifndef OPENSSL_NO_TLS1_2 case 13: max_version = TLS1_2_VERSION; + kexch_name0 = "ffdhe2048"; # endif /* Fall through */ case 6: kexch_groups = ffdhe_kexch_groups; kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups); + kexch_name0 = "ffdhe2048"; break; case 7: kexch_alg = NID_ffdhe2048; + kexch_name0 = "ffdhe2048"; break; case 8: kexch_alg = NID_ffdhe3072; + kexch_name0 = "ffdhe3072"; break; case 9: kexch_alg = NID_ffdhe4096; + kexch_name0 = "ffdhe4096"; break; case 10: kexch_alg = NID_ffdhe6144; + kexch_name0 = "ffdhe6144"; break; case 11: kexch_alg = NID_ffdhe8192; + kexch_name0 = "ffdhe8192"; break; # endif default: @@ -4425,6 +4439,11 @@ static int test_key_exchange(int idx) if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0), idx == 13 ? 0 : kexch_groups[0])) goto end; + + if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]), + kexch_name0)) + goto end; + if (max_version == TLS1_3_VERSION) { if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0])) goto end; @@ -8000,6 +8019,10 @@ static int test_pluggable_group(int idx) if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) goto end; + if (!TEST_str_eq(group_name, + SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0)))) + goto end; + testresult = 1; end: diff --git a/util/libssl.num b/util/libssl.num index 37b0d37735..cd62067763 100644 --- a/util/libssl.num +++ b/util/libssl.num @@ -519,3 +519,4 @@ SSL_get1_peer_certificate ? 3_0_0 EXIST::FUNCTION: SSL_load_client_CA_file_ex ? 3_0_0 EXIST::FUNCTION: SSL_set0_tmp_dh_pkey ? 3_0_0 EXIST::FUNCTION: SSL_CTX_set0_tmp_dh_pkey ? 3_0_0 EXIST::FUNCTION: +SSL_group_to_name ? 3_0_0 EXIST::FUNCTION: From openssl at openssl.org Fri Jan 8 21:00:36 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 08 Jan 2021 21:00:36 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2 Message-ID: <1610139636.132429.1124262.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: e260bee0a9 Only perform special TLS handling if TLS has been configured 7c0e98a5c4 Mac M1 setting change proposal. 7fd1ca723a Support session information on FreeBSD. b39c215dec Use CRIOGET to fetch a crypto descriptor when present. 3497cc8776 Updated SSL_CTX_new doc b043c41c00 28-seclevel.cnf.in: fix typo in algo name b2d1465153 EVP_SIGNATURE-ED25519.pod: fix typo in algo name 2c61a670eb win-onecore: Build with /APPCONTAINER for UWP compat ce11192650 crypto/win: Don't use disallowed APIs on UWP 38b57c4c52 Update copyright years of auto-generated headers (make update) Build log ended with (last 100 lines): # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80A180BC427F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80A180BC427F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:610:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/AKa_WsAuw0 default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80D1277C647F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80D1277C647F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80D1277C647F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80D1277C647F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80D1277C647F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80D1277C647F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/AKa_WsAuw0 fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=227, Tests=3559, 868 wallclock secs (14.04 usr 1.51 sys + 775.95 cusr 90.34 csys = 881.84 CPU) Result: FAIL make[1]: *** [Makefile:3246: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2' make: *** [Makefile:3243: tests] Error 2 From no-reply at appveyor.com Fri Jan 8 21:31:02 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 08 Jan 2021 21:31:02 +0000 Subject: Build failed: openssl master.39035 Message-ID: <20210108213102.1.4B7E6C989D0D6E10@appveyor.com> An HTML attachment was scrubbed... URL: From nic.tuv at gmail.com Fri Jan 8 22:05:53 2021 From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Fri, 08 Jan 2021 22:05:53 +0000 Subject: [openssl] master update Message-ID: <1610143553.708200.28583.nullmailer@dev.openssl.org> The branch master has been updated via 1330093b9c7e0325ca76589fb9ace5b664830c6d (commit) via 9e49aff2aaac4c42ea6c4078266947c75761276b (commit) via 4554988e582e676a51c451de031939b45e60d00c (commit) via ed37336b6383cacbcbb8f6b1334eba0ad43530d5 (commit) via c5bc5ec849273ae0c3f8b32f1d23c33d93be3203 (commit) from becbacd705170952725571ae4404846b0ecee86a (commit) - Log ----------------------------------------------------------------- commit 1330093b9c7e0325ca76589fb9ace5b664830c6d Author: Nicola Tuveri Date: Tue Nov 10 12:28:52 2020 +0200 [test][pkey_check] Add more invalid SM2 key tests Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13359) commit 9e49aff2aaac4c42ea6c4078266947c75761276b Author: Nicola Tuveri Date: Tue Nov 10 01:11:48 2020 +0200 Add SM2 private key range validation According to the relevant standards, the valid range for SM2 private keys is [1, n-1), where n is the order of the curve generator. For this reason we cannot reuse the EC validation function as it is, and we introduce a new internal function `sm2_key_private_check()`. Partially fixes https://github.com/openssl/openssl/issues/8435 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13359) commit 4554988e582e676a51c451de031939b45e60d00c Author: Nicola Tuveri Date: Mon Nov 9 23:34:00 2020 +0200 [test][pkey_check] Add invalid SM2 key test SM2 private keys have different validation requirements than EC keys: this test checks one corner case highlighted in https://github.com/openssl/openssl/issues/8435 As @bbbrumley mentioned in https://github.com/openssl/openssl/issues/8435#issuecomment-720504282 this only fixes the absence of a regression test for validation of this kind of boundary issues for decoded SM2 keys. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13359) commit ed37336b6383cacbcbb8f6b1334eba0ad43530d5 Author: Nicola Tuveri Date: Mon Nov 9 22:35:28 2020 +0200 [apps/pkey] Return error on failed `-[pub]check` Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13359) commit c5bc5ec849273ae0c3f8b32f1d23c33d93be3203 Author: Nicola Tuveri Date: Mon Nov 9 22:34:18 2020 +0200 [test] Add `pkey -check` validation tests Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13359) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 14 +++++ apps/pkey.c | 5 +- crypto/err/openssl.txt | 1 + crypto/sm2/build.info | 2 +- crypto/sm2/sm2_err.c | 2 + crypto/sm2/sm2_key.c | 49 ++++++++++++++++ include/crypto/sm2.h | 2 + include/crypto/sm2err.h | 1 + providers/implementations/keymgmt/build.info | 4 +- providers/implementations/keymgmt/ec_kmgmt.c | 67 +++++++++++++++++++--- test/recipes/91-test_pkey_check.t | 61 ++++++++++++++++++++ .../91-test_pkey_check_data/ec_p256_bad_0.pem | 4 ++ .../91-test_pkey_check_data/ec_p256_bad_1.pem | 4 ++ test/recipes/91-test_pkey_check_data/sm2_bad_0.pem | 4 ++ test/recipes/91-test_pkey_check_data/sm2_bad_1.pem | 4 ++ .../91-test_pkey_check_data/sm2_bad_neg1.pem | 4 ++ 16 files changed, 215 insertions(+), 13 deletions(-) create mode 100644 crypto/sm2/sm2_key.c create mode 100644 test/recipes/91-test_pkey_check.t create mode 100644 test/recipes/91-test_pkey_check_data/ec_p256_bad_0.pem create mode 100644 test/recipes/91-test_pkey_check_data/ec_p256_bad_1.pem create mode 100644 test/recipes/91-test_pkey_check_data/sm2_bad_0.pem create mode 100644 test/recipes/91-test_pkey_check_data/sm2_bad_1.pem create mode 100644 test/recipes/91-test_pkey_check_data/sm2_bad_neg1.pem diff --git a/CHANGES.md b/CHANGES.md index 94bf750ffc..65031b89a5 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,6 +23,20 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] + * Validation of SM2 keys has been separated from the validation of regular EC + keys, allowing to improve the SM2 validation process to reject loaded private + keys that are not conforming to the SM2 ISO standard. + In particular, a private scalar `k` outside the range `1 <= k < n-1` is now + correctly rejected. + + *Nicola Tuveri* + + * Behavior of the `pkey` app is changed, when using the `-check` or `-pubcheck` + switches: a validation failure triggers an early exit, returning a failure + exit status to the parent process. + + *Nicola Tuveri* + * Changed behavior of SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() to ignore unknown ciphers. diff --git a/apps/pkey.c b/apps/pkey.c index 65988a8fc2..67dc8c012c 100644 --- a/apps/pkey.c +++ b/apps/pkey.c @@ -82,6 +82,7 @@ int pkey_main(int argc, char **argv) BIO *in = NULL, *out = NULL; ENGINE *e = NULL; EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *ctx = NULL; const EVP_CIPHER *cipher = NULL; char *infile = NULL, *outfile = NULL, *passin = NULL, *passout = NULL; char *passinarg = NULL, *passoutarg = NULL, *prog; @@ -231,7 +232,6 @@ int pkey_main(int argc, char **argv) if (check || pub_check) { int r; - EVP_PKEY_CTX *ctx; ctx = EVP_PKEY_CTX_new(pkey, e); if (ctx == NULL) { @@ -260,8 +260,8 @@ int pkey_main(int argc, char **argv) ERR_reason_error_string(err)); ERR_get_error(); /* remove err from error stack */ } + goto end; } - EVP_PKEY_CTX_free(ctx); } if (!noout) { @@ -313,6 +313,7 @@ int pkey_main(int argc, char **argv) end: if (ret != 0) ERR_print_errors(bio_err); + EVP_PKEY_CTX_free(ctx); EVP_PKEY_free(pkey); release_engine(e); BIO_free_all(out); diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 5440e47093..4e36fc3394 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -3103,6 +3103,7 @@ SM2_R_INVALID_DIGEST:102:invalid digest SM2_R_INVALID_DIGEST_TYPE:103:invalid digest type SM2_R_INVALID_ENCODING:104:invalid encoding SM2_R_INVALID_FIELD:105:invalid field +SM2_R_INVALID_PRIVATE_KEY:113:invalid private key SM2_R_NO_PARAMETERS_SET:109:no parameters set SM2_R_USER_ID_TOO_LARGE:106:user id too large SSL_R_ALGORITHM_FETCH_FAILED:295:algorithm fetch failed diff --git a/crypto/sm2/build.info b/crypto/sm2/build.info index 402a76cc5d..a50d08d0bc 100644 --- a/crypto/sm2/build.info +++ b/crypto/sm2/build.info @@ -1,5 +1,5 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=\ - sm2_sign.c sm2_crypt.c sm2_err.c + sm2_sign.c sm2_crypt.c sm2_err.c sm2_key.c diff --git a/crypto/sm2/sm2_err.c b/crypto/sm2/sm2_err.c index 60509e14d1..ab9c094a9d 100644 --- a/crypto/sm2/sm2_err.c +++ b/crypto/sm2/sm2_err.c @@ -28,6 +28,8 @@ static const ERR_STRING_DATA SM2_str_reasons[] = { "invalid digest type"}, {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_ENCODING), "invalid encoding"}, {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_FIELD), "invalid field"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_PRIVATE_KEY), + "invalid private key"}, {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_NO_PARAMETERS_SET), "no parameters set"}, {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_USER_ID_TOO_LARGE), "user id too large"}, {0, NULL} diff --git a/crypto/sm2/sm2_key.c b/crypto/sm2/sm2_key.c new file mode 100644 index 0000000000..5182d01058 --- /dev/null +++ b/crypto/sm2/sm2_key.c @@ -0,0 +1,49 @@ +/* + * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include "crypto/sm2err.h" +#include "crypto/sm2.h" +#include /* EC_KEY and EC_GROUP functions */ + +/* + * SM2 key generation is implemented within ec_generate_key() in + * crypto/ec/ec_key.c + */ + +int sm2_key_private_check(const EC_KEY *eckey) +{ + int ret = 0; + BIGNUM *max = NULL; + const EC_GROUP *group = NULL; + const BIGNUM *priv_key = NULL, *order = NULL; + + if (eckey == NULL + || (group = EC_KEY_get0_group(eckey)) == NULL + || (priv_key = EC_KEY_get0_private_key(eckey)) == NULL + || (order = EC_GROUP_get0_order(group)) == NULL ) { + ERR_raise(ERR_LIB_SM2, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + + /* range of SM2 private key is [1, n-1) */ + max = BN_dup(order); + if (max == NULL || !BN_sub_word(max, 1)) + goto end; + if (BN_cmp(priv_key, BN_value_one()) < 0 + || BN_cmp(priv_key, max) >= 0) { + ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_PRIVATE_KEY); + goto end; + } + ret = 1; + + end: + BN_free(max); + return ret; +} diff --git a/include/crypto/sm2.h b/include/crypto/sm2.h index fe87c84bba..e442e7aec7 100644 --- a/include/crypto/sm2.h +++ b/include/crypto/sm2.h @@ -17,6 +17,8 @@ # include +int sm2_key_private_check(const EC_KEY *eckey); + /* The default user id as specified in GM/T 0009-2012 */ # define SM2_DEFAULT_USERID "1234567812345678" diff --git a/include/crypto/sm2err.h b/include/crypto/sm2err.h index f8fabcb74e..fe081ddba8 100644 --- a/include/crypto/sm2err.h +++ b/include/crypto/sm2err.h @@ -61,6 +61,7 @@ int err_load_SM2_strings_int(void); # define SM2_R_INVALID_DIGEST_TYPE 103 # define SM2_R_INVALID_ENCODING 104 # define SM2_R_INVALID_FIELD 105 +# define SM2_R_INVALID_PRIVATE_KEY 113 # define SM2_R_NO_PARAMETERS_SET 109 # define SM2_R_USER_ID_TOO_LARGE 106 diff --git a/providers/implementations/keymgmt/build.info b/providers/implementations/keymgmt/build.info index 75f61a6de1..f434a720bc 100644 --- a/providers/implementations/keymgmt/build.info +++ b/providers/implementations/keymgmt/build.info @@ -1,7 +1,6 @@ # We make separate GOAL variables for each algorithm, to make it easy to # switch each to the Legacy provider when needed. -$EC_GOAL=../../libimplementations.a $ECX_GOAL=../../libimplementations.a $KDF_GOAL=../../libimplementations.a @@ -14,7 +13,8 @@ IF[{- !$disabled{dsa} -}] SOURCE[../../libnonfips.a]=dsa_kmgmt.c ENDIF IF[{- !$disabled{ec} -}] - SOURCE[$EC_GOAL]=ec_kmgmt.c + SOURCE[../../libfips.a]=ec_kmgmt.c + SOURCE[../../libnonfips.a]=ec_kmgmt.c ENDIF IF[{- !$disabled{asm} -}] diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c index 7e3fadc580..ac7094490e 100644 --- a/providers/implementations/keymgmt/ec_kmgmt.c +++ b/providers/implementations/keymgmt/ec_kmgmt.c @@ -27,7 +27,12 @@ #include "prov/providercommonerr.h" #include "prov/provider_ctx.h" #include "internal/param_build_set.h" -#include "crypto/sm2.h" + +#ifndef FIPS_MODULE +# ifndef OPENSSL_NO_SM2 +# include "crypto/sm2.h" +# endif +#endif static OSSL_FUNC_keymgmt_new_fn ec_newdata; static OSSL_FUNC_keymgmt_gen_init_fn ec_gen_init; @@ -50,13 +55,16 @@ static OSSL_FUNC_keymgmt_import_types_fn ec_import_types; static OSSL_FUNC_keymgmt_export_fn ec_export; static OSSL_FUNC_keymgmt_export_types_fn ec_export_types; static OSSL_FUNC_keymgmt_query_operation_name_fn ec_query_operation_name; -#ifndef OPENSSL_NO_SM2 +#ifndef FIPS_MODULE +# ifndef OPENSSL_NO_SM2 static OSSL_FUNC_keymgmt_gen_fn sm2_gen; static OSSL_FUNC_keymgmt_get_params_fn sm2_get_params; static OSSL_FUNC_keymgmt_gettable_params_fn sm2_gettable_params; static OSSL_FUNC_keymgmt_settable_params_fn sm2_settable_params; static OSSL_FUNC_keymgmt_import_fn sm2_import; static OSSL_FUNC_keymgmt_query_operation_name_fn sm2_query_operation_name; +static OSSL_FUNC_keymgmt_validate_fn sm2_validate; +# endif #endif #define EC_DEFAULT_MD "SHA256" @@ -76,7 +84,8 @@ const char *ec_query_operation_name(int operation_id) return NULL; } -#ifndef OPENSSL_NO_SM2 +#ifndef FIPS_MODULE +# ifndef OPENSSL_NO_SM2 static const char *sm2_query_operation_name(int operation_id) { @@ -86,6 +95,7 @@ const char *sm2_query_operation_name(int operation_id) } return NULL; } +# endif #endif /* @@ -364,12 +374,14 @@ int ec_import(void *keydata, int selection, const OSSL_PARAM params[]) return common_import(keydata, selection, params, 0); } -#ifndef OPENSSL_NO_SM2 +#ifndef FIPS_MODULE +# ifndef OPENSSL_NO_SM2 static int sm2_import(void *keydata, int selection, const OSSL_PARAM params[]) { return common_import(keydata, selection, params, 1); } +# endif #endif static @@ -746,7 +758,8 @@ int ec_set_params(void *key, const OSSL_PARAM params[]) return ec_key_otherparams_fromdata(eck, params); } -#ifndef OPENSSL_NO_SM2 +#ifndef FIPS_MODULE +# ifndef OPENSSL_NO_SM2 static int sm2_get_params(void *key, OSSL_PARAM params[]) { @@ -782,6 +795,40 @@ const OSSL_PARAM *sm2_settable_params(ossl_unused void *provctx) { return sm2_known_settable_params; } + +static +int sm2_validate(const void *keydata, int selection) +{ + const EC_KEY *eck = keydata; + int ok = 0; + BN_CTX *ctx = NULL; + + if (!ossl_prov_is_running()) + return 0; + + ctx = BN_CTX_new_ex(ec_key_get_libctx(eck)); + if (ctx == NULL) + return 0; + + if ((selection & EC_POSSIBLE_SELECTIONS) != 0) + ok = 1; + + if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) + ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx); + + if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) + ok = ok && ec_key_public_check(eck, ctx); + + if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) + ok = ok && sm2_key_private_check(eck); + + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == OSSL_KEYMGMT_SELECT_KEYPAIR) + ok = ok && ec_key_pairwise_check(eck, ctx); + + BN_CTX_free(ctx); + return ok; +} +# endif #endif static @@ -1084,7 +1131,8 @@ err: return NULL; } -#ifndef OPENSSL_NO_SM2 +#ifndef FIPS_MODULE +# ifndef OPENSSL_NO_SM2 /* * The callback arguments (osslcb & cbarg) are not used by EC_KEY generation */ @@ -1130,6 +1178,7 @@ err: EC_KEY_free(ec); return NULL; } +# endif #endif static void ec_gen_cleanup(void *genctx) @@ -1195,7 +1244,8 @@ const OSSL_DISPATCH ossl_ec_keymgmt_functions[] = { { 0, NULL } }; -#ifndef OPENSSL_NO_SM2 +#ifndef FIPS_MODULE +# ifndef OPENSSL_NO_SM2 const OSSL_DISPATCH sm2_keymgmt_functions[] = { { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))ec_newdata }, { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))ec_gen_init }, @@ -1213,7 +1263,7 @@ const OSSL_DISPATCH sm2_keymgmt_functions[] = { { OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void (*) (void))sm2_settable_params }, { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))ec_has }, { OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))ec_match }, - { OSSL_FUNC_KEYMGMT_VALIDATE, (void (*)(void))ec_validate }, + { OSSL_FUNC_KEYMGMT_VALIDATE, (void (*)(void))sm2_validate }, { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))sm2_import }, { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))ec_import_types }, { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))ec_export }, @@ -1222,4 +1272,5 @@ const OSSL_DISPATCH sm2_keymgmt_functions[] = { (void (*)(void))sm2_query_operation_name }, { 0, NULL } }; +# endif #endif diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t new file mode 100644 index 0000000000..4dce838d1f --- /dev/null +++ b/test/recipes/91-test_pkey_check.t @@ -0,0 +1,61 @@ +#! /usr/bin/env perl +# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use strict; +use warnings; + +use File::Spec; +use OpenSSL::Test qw/:DEFAULT data_file/; +use OpenSSL::Test::Utils; + +sub check_key { + my $f = shift; + + return run(app(['openssl', 'pkey', '-check', '-text', + '-in', $f])); +} + +sub check_key_notok { + my $f = shift; + my $str = "$f should fail validation"; + + $f = data_file($f); + + if ( -s $f ) { + ok(!check_key($f), $str); + } else { + fail("Missing file $f"); + } +} + +setup("test_pkey_check"); + +my @tests = (); + +push(@tests, ( + # For EC keys the range for the secret scalar `k` is `1 <= k <= n-1` + "ec_p256_bad_0.pem", # `k` set to `n` (equivalent to `0 mod n`, invalid) + "ec_p256_bad_1.pem", # `k` set to `n+1` (equivalent to `1 mod n`, invalid) + )) unless disabled("ec"); + +push(@tests, ( + # For SM2 keys the range for the secret scalar `k` is `1 <= k < n-1` + "sm2_bad_neg1.pem", # `k` set to `n-1` (invalid, because SM2 range) + "sm2_bad_0.pem", # `k` set to `n` (equivalent to `0 mod n`, invalid) + "sm2_bad_1.pem", # `k` set to `n+1` (equivalent to `1 mod n`, invalid) + )) unless disabled("sm2"); + +plan skip_all => "No tests within the current enabled feature set" + unless @tests; + +plan tests => scalar(@tests); + +foreach my $t (@tests) { + check_key_notok($t); +} diff --git a/test/recipes/91-test_pkey_check_data/ec_p256_bad_0.pem b/test/recipes/91-test_pkey_check_data/ec_p256_bad_0.pem new file mode 100644 index 0000000000..64c273901f --- /dev/null +++ b/test/recipes/91-test_pkey_check_data/ec_p256_bad_0.pem @@ -0,0 +1,4 @@ +-----BEGIN PRIVATE KEY----- +MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCD/////AAAAAP////// +////vOb6racXnoTzucrC/GMlUQ== +-----END PRIVATE KEY----- diff --git a/test/recipes/91-test_pkey_check_data/ec_p256_bad_1.pem b/test/recipes/91-test_pkey_check_data/ec_p256_bad_1.pem new file mode 100644 index 0000000000..5171958a27 --- /dev/null +++ b/test/recipes/91-test_pkey_check_data/ec_p256_bad_1.pem @@ -0,0 +1,4 @@ +-----BEGIN PRIVATE KEY----- +MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCD/////AAAAAP////// +////vOb6racXnoTzucrC/GMlUg== +-----END PRIVATE KEY----- diff --git a/test/recipes/91-test_pkey_check_data/sm2_bad_0.pem b/test/recipes/91-test_pkey_check_data/sm2_bad_0.pem new file mode 100644 index 0000000000..5ad2bd184b --- /dev/null +++ b/test/recipes/91-test_pkey_check_data/sm2_bad_0.pem @@ -0,0 +1,4 @@ +-----BEGIN PRIVATE KEY----- +MEECAQAwEwYHKoZIzj0CAQYIKoEcz1UBgi0EJzAlAgEBBCD////+//////////// +////cgPfayHGBStTu/QJOdVBIw== +-----END PRIVATE KEY----- diff --git a/test/recipes/91-test_pkey_check_data/sm2_bad_1.pem b/test/recipes/91-test_pkey_check_data/sm2_bad_1.pem new file mode 100644 index 0000000000..d094d4d296 --- /dev/null +++ b/test/recipes/91-test_pkey_check_data/sm2_bad_1.pem @@ -0,0 +1,4 @@ +-----BEGIN PRIVATE KEY----- +MEECAQAwEwYHKoZIzj0CAQYIKoEcz1UBgi0EJzAlAgEBBCD////+//////////// +////cgPfayHGBStTu/QJOdVBJA== +-----END PRIVATE KEY----- diff --git a/test/recipes/91-test_pkey_check_data/sm2_bad_neg1.pem b/test/recipes/91-test_pkey_check_data/sm2_bad_neg1.pem new file mode 100644 index 0000000000..36adb93fb9 --- /dev/null +++ b/test/recipes/91-test_pkey_check_data/sm2_bad_neg1.pem @@ -0,0 +1,4 @@ +-----BEGIN PRIVATE KEY----- +MEECAQAwEwYHKoZIzj0CAQYIKoEcz1UBgi0EJzAlAgEBBCD////+////////////////cgPfayHG +BStTu/QJOdVBIg== +-----END PRIVATE KEY----- From no-reply at appveyor.com Fri Jan 8 22:24:07 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 08 Jan 2021 22:24:07 +0000 Subject: Build failed: openssl master.39042 Message-ID: <20210108222407.1.CC8DCF1E0DBD7863@appveyor.com> An HTML attachment was scrubbed... URL: From nic.tuv at gmail.com Fri Jan 8 22:26:12 2021 From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Fri, 08 Jan 2021 22:26:12 +0000 Subject: [openssl] master update Message-ID: <1610144772.278100.32512.nullmailer@dev.openssl.org> The branch master has been updated via 6d4313f03eddd39ca8d06a5e1d20fc1adcb207c5 (commit) from 1330093b9c7e0325ca76589fb9ace5b664830c6d (commit) - Log ----------------------------------------------------------------- commit 6d4313f03eddd39ca8d06a5e1d20fc1adcb207c5 Author: Thomas De Schampheleire Date: Mon Dec 21 15:17:24 2020 +0100 replace 'unsigned const char' with 'const unsigned char' The openssl code base has only a few occurrences of 'unsigned const char' (15 occurrences), compared to the more common 'const unsigned char' (4420 occurrences). While the former is not illegal C, mixing the 'const' keyword (a 'type qualifier') in between 'unsigned' and 'char' (both 'type specifiers') is a bit odd. The background for writing this patch is not to be pedantic, but because the 'opmock' program (used to mock headers for unit tests) does not accept the 'unsigned const char' construct. While this definitely is a bug in opmock or one of its dependencies, openssl is the only piece of software we are using in combination with opmock that has this construct. CLA: trivial Reviewed-by: Nicola Tuveri Reviewed-by: Matt Caswell Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/13722) ----------------------------------------------------------------------- Summary of changes: apps/passwd.c | 12 ++++++------ crypto/des/fcrypt.c | 4 ++-- doc/man3/SSL_CTX_dane_enable.pod | 4 ++-- include/openssl/ssl.h.in | 4 ++-- ssl/ssl_lib.c | 6 +++--- 5 files changed, 15 insertions(+), 15 deletions(-) diff --git a/apps/passwd.c b/apps/passwd.c index c39254460d..6673040273 100644 --- a/apps/passwd.c +++ b/apps/passwd.c @@ -22,7 +22,7 @@ #include #include -static unsigned const char cov_2char[64] = { +static const unsigned char cov_2char[64] = { /* from crypto/des/fcrypt.c */ 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x41, 0x42, 0x43, 0x44, @@ -413,7 +413,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt) if (!EVP_DigestInit_ex(md2, EVP_md5(), NULL)) goto err; if (!EVP_DigestUpdate(md2, - (i & 1) ? (unsigned const char *)passwd : buf, + (i & 1) ? (const unsigned char *)passwd : buf, (i & 1) ? passwd_len : sizeof(buf))) goto err; if (i % 3) { @@ -425,7 +425,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt) goto err; } if (!EVP_DigestUpdate(md2, - (i & 1) ? buf : (unsigned const char *)passwd, + (i & 1) ? buf : (const unsigned char *)passwd, (i & 1) ? sizeof(buf) : passwd_len)) goto err; if (!EVP_DigestFinal_ex(md2, buf, NULL)) @@ -627,7 +627,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt) n = passwd_len; while (n) { if (!EVP_DigestUpdate(md, - (n & 1) ? buf : (unsigned const char *)passwd, + (n & 1) ? buf : (const unsigned char *)passwd, (n & 1) ? buf_size : passwd_len)) goto err; n >>= 1; @@ -673,7 +673,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt) if (!EVP_DigestInit_ex(md2, sha, NULL)) goto err; if (!EVP_DigestUpdate(md2, - (n & 1) ? (unsigned const char *)p_bytes : buf, + (n & 1) ? (const unsigned char *)p_bytes : buf, (n & 1) ? passwd_len : buf_size)) goto err; if (n % 3) { @@ -685,7 +685,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt) goto err; } if (!EVP_DigestUpdate(md2, - (n & 1) ? buf : (unsigned const char *)p_bytes, + (n & 1) ? buf : (const unsigned char *)p_bytes, (n & 1) ? buf_size : passwd_len)) goto err; if (!EVP_DigestFinal_ex(md2, buf, NULL)) diff --git a/crypto/des/fcrypt.c b/crypto/des/fcrypt.c index 0b181fda3b..190a44dbdf 100644 --- a/crypto/des/fcrypt.c +++ b/crypto/des/fcrypt.c @@ -31,7 +31,7 @@ * Added more values to handle illegal salt values the way normal crypt() * implementations do. */ -static unsigned const char con_salt[128] = { +static const unsigned char con_salt[128] = { 0xD2, 0xD3, 0xD4, 0xD5, 0xD6, 0xD7, 0xD8, 0xD9, 0xDA, 0xDB, 0xDC, 0xDD, 0xDE, 0xDF, 0xE0, 0xE1, 0xE2, 0xE3, 0xE4, 0xE5, 0xE6, 0xE7, 0xE8, 0xE9, @@ -50,7 +50,7 @@ static unsigned const char con_salt[128] = { 0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44, }; -static unsigned const char cov_2char[64] = { +static const unsigned char cov_2char[64] = { 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, diff --git a/doc/man3/SSL_CTX_dane_enable.pod b/doc/man3/SSL_CTX_dane_enable.pod index e886325191..72fd1bf883 100644 --- a/doc/man3/SSL_CTX_dane_enable.pod +++ b/doc/man3/SSL_CTX_dane_enable.pod @@ -18,10 +18,10 @@ TLS client uint8_t mtype, uint8_t ord); int SSL_dane_enable(SSL *s, const char *basedomain); int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector, - uint8_t mtype, unsigned const char *data, size_t dlen); + uint8_t mtype, const unsigned char *data, size_t dlen); int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki); int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector, - uint8_t *mtype, unsigned const char **data, + uint8_t *mtype, const unsigned char **data, size_t *dlen); unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags); unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags); diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in index 4e5d50bd6d..0025a2a8cd 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -1810,10 +1810,10 @@ __owur int SSL_CTX_dane_mtype_set(SSL_CTX *ctx, const EVP_MD *md, uint8_t mtype, uint8_t ord); __owur int SSL_dane_enable(SSL *s, const char *basedomain); __owur int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector, - uint8_t mtype, unsigned const char *data, size_t dlen); + uint8_t mtype, const unsigned char *data, size_t dlen); __owur int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki); __owur int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector, - uint8_t *mtype, unsigned const char **data, + uint8_t *mtype, const unsigned char **data, size_t *dlen); /* * Bridge opacity barrier between libcrypt and libssl, also needed to support diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index d14d5819ba..a8a1416073 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -269,7 +269,7 @@ static const EVP_MD *tlsa_md_get(SSL_DANE *dane, uint8_t mtype) static int dane_tlsa_add(SSL_DANE *dane, uint8_t usage, uint8_t selector, - uint8_t mtype, unsigned const char *data, size_t dlen) + uint8_t mtype, const unsigned char *data, size_t dlen) { danetls_record *t; const EVP_MD *md = NULL; @@ -1099,7 +1099,7 @@ int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki) } int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector, - uint8_t *mtype, unsigned const char **data, size_t *dlen) + uint8_t *mtype, const unsigned char **data, size_t *dlen) { SSL_DANE *dane = &s->dane; @@ -1126,7 +1126,7 @@ SSL_DANE *SSL_get0_dane(SSL *s) } int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector, - uint8_t mtype, unsigned const char *data, size_t dlen) + uint8_t mtype, const unsigned char *data, size_t dlen) { return dane_tlsa_add(&s->dane, usage, selector, mtype, data, dlen); } From nic.tuv at gmail.com Fri Jan 8 22:40:05 2021 From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Fri, 08 Jan 2021 22:40:05 +0000 Subject: [openssl] master update Message-ID: <1610145605.400650.21203.nullmailer@dev.openssl.org> The branch master has been updated via 732e24bb14ea9c4f68b8c9cd2bf605e0bd6b498e (commit) from 6d4313f03eddd39ca8d06a5e1d20fc1adcb207c5 (commit) - Log ----------------------------------------------------------------- commit 732e24bb14ea9c4f68b8c9cd2bf605e0bd6b498e Author: Romain Geissler Date: Thu Jan 7 16:54:58 2021 +0000 Fix simpledynamic test compilation when condigured without DSO support. This fixes this compilation error: In file included from test/simpledynamic.c:13: test/simpledynamic.h:39:35: error: unknown type name 'SD' 39 | int sd_load(const char *filename, SD *sd, int type); | ^~ test/simpledynamic.h:40:12: error: unknown type name 'SD' 40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym); | ^~ test/simpledynamic.h:40:40: error: unknown type name 'SD_SYM' 40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym); | ^~~~~~ test/simpledynamic.h:41:14: error: unknown type name 'SD' 41 | int sd_close(SD lib); | ^~ make[1]: *** [Makefile:24670: test/moduleloadtest-bin-simpledynamic.o] Error 1 make[1]: *** Waiting for unfinished jobs.... In file included from test/moduleloadtest.c:19: test/simpledynamic.h:39:35: error: unknown type name 'SD' 39 | int sd_load(const char *filename, SD *sd, int type); | ^~ test/simpledynamic.h:40:12: error: unknown type name 'SD' 40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym); | ^~ test/simpledynamic.h:40:40: error: unknown type name 'SD_SYM' 40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym); | ^~~~~~ test/simpledynamic.h:41:14: error: unknown type name 'SD' 41 | int sd_close(SD lib); | ^~ Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13802) ----------------------------------------------------------------------- Summary of changes: test/simpledynamic.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/simpledynamic.h b/test/simpledynamic.h index cc4aed5c43..247b49f7fe 100644 --- a/test/simpledynamic.h +++ b/test/simpledynamic.h @@ -36,9 +36,11 @@ typedef void *SD_SYM; # endif +# if defined(DSO_DLFCN) || defined(DSO_WIN32) int sd_load(const char *filename, SD *sd, int type); int sd_sym(SD sd, const char *symname, SD_SYM *sym); int sd_close(SD lib); const char *sd_error(void); +# endif #endif From nic.tuv at gmail.com Fri Jan 8 23:15:27 2021 From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Fri, 08 Jan 2021 23:15:27 +0000 Subject: [openssl] master update Message-ID: <1610147727.789272.27894.nullmailer@dev.openssl.org> The branch master has been updated via 42141197a107ef9cd297a7755fece569b84016b8 (commit) from 732e24bb14ea9c4f68b8c9cd2bf605e0bd6b498e (commit) - Log ----------------------------------------------------------------- commit 42141197a107ef9cd297a7755fece569b84016b8 Author: anupamam13 Date: Mon Nov 2 17:50:11 2020 +0530 Fix for negative return value from `SSL_CTX_sess_accept()` Fixes #13183 From the original issue report, before this commit, on master and on 1.1.1, the issue can be detected with the following steps: - Start with a default SSL_CTX, initiate a TLS 1.3 connection with SNI, "Accept" count of default context gets incremented - After servername lookup, "Accept" count of default context gets decremented and that of SNI context is incremented - Server sends a "Hello Retry Request" - Client sends the second "Client Hello", now again "Accept" count of default context is decremented. Hence giving a negative value. This commit fixes it by adding a check on `s->hello_retry_request` in addition to `SSL_IS_FIRST_HANDSHAKE(s)`, to ensure the counter is moved only on the first ClientHello. CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13297) ----------------------------------------------------------------------- Summary of changes: ssl/statem/extensions.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index a4e60d417c..7b42016d59 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -957,7 +957,8 @@ static int final_server_name(SSL *s, unsigned int context, int sent) * context, to avoid the confusing situation of having sess_accept_good * exceed sess_accept (zero) for the new context. */ - if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) { + if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx + && s->hello_retry_request == SSL_HRR_NONE) { tsan_counter(&s->ctx->stats.sess_accept); tsan_decr(&s->session_ctx->stats.sess_accept); } From nic.tuv at gmail.com Fri Jan 8 23:17:13 2021 From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Fri, 08 Jan 2021 23:17:13 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1610147833.419389.29244.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 212d7118a788e332dae4123d40f65ea6e24044d2 (commit) from 37d9e3d7fdfbe7713adcdeca55b1303c6ad8dc12 (commit) - Log ----------------------------------------------------------------- commit 212d7118a788e332dae4123d40f65ea6e24044d2 Author: anupamam13 Date: Mon Nov 2 17:50:11 2020 +0530 Fix for negative return value from `SSL_CTX_sess_accept()` Fixes #13183 From the original issue report, before this commit, on master and on 1.1.1, the issue can be detected with the following steps: - Start with a default SSL_CTX, initiate a TLS 1.3 connection with SNI, "Accept" count of default context gets incremented - After servername lookup, "Accept" count of default context gets decremented and that of SNI context is incremented - Server sends a "Hello Retry Request" - Client sends the second "Client Hello", now again "Accept" count of default context is decremented. Hence giving a negative value. This commit fixes it by adding a check on `s->hello_retry_request` in addition to `SSL_IS_FIRST_HANDSHAKE(s)`, to ensure the counter is moved only on the first ClientHello. CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13297) ----------------------------------------------------------------------- Summary of changes: ssl/statem/extensions.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index c785ab785d..e24b1b0e4d 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -966,7 +966,8 @@ static int final_server_name(SSL *s, unsigned int context, int sent) * context, to avoid the confusing situation of having sess_accept_good * exceed sess_accept (zero) for the new context. */ - if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) { + if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx + && s->hello_retry_request == SSL_HRR_NONE) { tsan_counter(&s->ctx->stats.sess_accept); tsan_decr(&s->session_ctx->stats.sess_accept); } From openssl at openssl.org Fri Jan 8 23:21:08 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 08 Jan 2021 23:21:08 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method Message-ID: <1610148068.808519.1427330.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: e260bee0a9 Only perform special TLS handling if TLS has been configured 7c0e98a5c4 Mac M1 setting change proposal. 7fd1ca723a Support session information on FreeBSD. b39c215dec Use CRIOGET to fetch a crypto descriptor when present. 3497cc8776 Updated SSL_CTX_new doc b043c41c00 28-seclevel.cnf.in: fix typo in algo name b2d1465153 EVP_SIGNATURE-ED25519.pod: fix typo in algo name 2c61a670eb win-onecore: Build with /APPCONTAINER for UWP compat ce11192650 crypto/win: Don't use disallowed APIs on UWP 38b57c4c52 Update copyright years of auto-generated headers (make update) Build log ended with (last 100 lines): # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8041A8F0FA7F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8041A8F0FA7F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:610:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/mYhhqxdo1_ default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8021C885577F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8021C885577F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8021C885577F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8021C885577F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8021C885577F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8021C885577F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/mYhhqxdo1_ fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=227, Tests=3559, 835 wallclock secs (13.91 usr 1.39 sys + 742.93 cusr 87.80 csys = 846.03 CPU) Result: FAIL make[1]: *** [Makefile:3253: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2-method' make: *** [Makefile:3250: tests] Error 2 From no-reply at appveyor.com Fri Jan 8 23:34:25 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 08 Jan 2021 23:34:25 +0000 Subject: Build completed: openssl master.39043 Message-ID: <20210108233425.1.E552EFA8365723F1@appveyor.com> An HTML attachment was scrubbed... URL: From beldmit at gmail.com Sat Jan 9 17:24:26 2021 From: beldmit at gmail.com (beldmit at gmail.com) Date: Sat, 09 Jan 2021 17:24:26 +0000 Subject: [openssl] master update Message-ID: <1610213066.364291.31359.nullmailer@dev.openssl.org> The branch master has been updated via e211d949cd5737e53cd3399e6a88453930768b98 (commit) from 42141197a107ef9cd297a7755fece569b84016b8 (commit) - Log ----------------------------------------------------------------- commit e211d949cd5737e53cd3399e6a88453930768b98 Author: Sahana Prasad Date: Fri Jan 8 16:26:21 2021 +0100 doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code. Signed-off-by: Sahana Prasad Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/13814) ----------------------------------------------------------------------- Summary of changes: doc/man7/provider.pod | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/doc/man7/provider.pod b/doc/man7/provider.pod index 2eb396fad3..18a80eff5a 100644 --- a/doc/man7/provider.pod +++ b/doc/man7/provider.pod @@ -324,34 +324,34 @@ Fetch any available implementation of SHA2-256 in the default context: EVP_MD *md = EVP_MD_fetch(NULL, "SHA2-256", NULL); ... - EVP_MD_meth_free(md); + EVP_MD_free(md); Fetch any available implementation of AES-128-CBC in the default context: EVP_CIPHER *cipher = EVP_CIPHER_fetch(NULL, "AES-128-CBC", NULL); ... - EVP_CIPHER_meth_free(cipher); + EVP_CIPHER_free(cipher); Fetch an implementation of SHA2-256 from the default provider in the default context: EVP_MD *md = EVP_MD_fetch(NULL, "SHA2-256", "provider=default"); ... - EVP_MD_meth_free(md); + EVP_MD_free(md); Fetch an implementation of SHA2-256 that is not from the default provider in the default context: EVP_MD *md = EVP_MD_fetch(NULL, "SHA2-256", "provider!=default"); ... - EVP_MD_meth_free(md); + EVP_MD_free(md); Fetch an implementation of SHA2-256 from the default provider in the specified context: EVP_MD *md = EVP_MD_fetch(ctx, "SHA2-256", "provider=default"); ... - EVP_MD_meth_free(md); + EVP_MD_free(md); Load the legacy provider into the default context and then fetch an implementation of WHIRLPOOL from it: @@ -361,7 +361,7 @@ implementation of WHIRLPOOL from it: EVP_MD *md = EVP_MD_fetch(NULL, "WHIRLPOOL", "provider=legacy"); ... - EVP_MD_meth_free(md); + EVP_MD_free(md); Note that in the above example the property string "provider=legacy" is optional since, assuming no other providers have been loaded, the only implementation of @@ -376,8 +376,8 @@ other providers: EVP_MD *md_whirlpool = EVP_MD_fetch(NULL, "whirlpool", NULL); EVP_MD *md_sha256 = EVP_MD_fetch(NULL, "SHA2-256", NULL); ... - EVP_MD_meth_free(md_whirlpool); - EVP_MD_meth_free(md_sha256); + EVP_MD_free(md_whirlpool); + EVP_MD_free(md_sha256); =head1 SEE ALSO From scan-admin at coverity.com Sun Jan 10 07:50:18 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 10 Jan 2021 07:50:18 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <5ffab1b9e912a_458922ade9bab2f58686eb@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DsGXX_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFujZ1lz0noQIDRODCPOfT2gslJFX5VTxA9O8tqtayO382k4vT-2B-2FJjz6r8oZdkZil2QpR10K9od-2BCVps4rQgXF08wgdOfiXw8cQ4cCa-2BNp9CmKm8sTOs1TNMNV3Rjn7dU6XmnY-2BbKxZvi3plSFWyEJu5FfCTKusbXxktLokOu8kRPoDzFtmgu-2BV5DCBQASm7lQ-3D Build ID: 362876 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Sun Jan 10 07:53:29 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 10 Jan 2021 07:53:29 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <5ffab2794a667_45a402ade9bab2f586861b@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DVEWn_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeE-2FLts1UuKG3YgAU4l0DWSxQgNC63xqIZKzB29uyx8oVFk8LcbMvOuKdWAKt-2BY-2F3x4tXjaQPYbVkDqDNyw-2BctpW0-2BIDUEqXgThsEK1t9es627mhHRSjyjrYJPV5-2FvOUgu5ENADBrv1DPrYrN6Z9HiJLj433tw0-2FldxKrPa6NDhWAkfzqij9YiJ-2B-2BYeH4j6UogY-3D Build ID: 362875 Analysis Summary: New defects found: 0 Defects eliminated: 0 From nic.tuv at gmail.com Sun Jan 10 20:10:10 2021 From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Sun, 10 Jan 2021 20:10:10 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1610309410.672117.10958.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 6e3ba20dc49ccbf12ff4c27a4d8b84dcbeb71654 (commit) from 212d7118a788e332dae4123d40f65ea6e24044d2 (commit) - Log ----------------------------------------------------------------- commit 6e3ba20dc49ccbf12ff4c27a4d8b84dcbeb71654 Author: Billy Brumley Date: Fri Jan 8 13:45:49 2021 +0200 [crypto/dh] side channel hardening for computing DH shared keys (1.1.1) Reviewed-by: Tomas Mraz Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/13772) ----------------------------------------------------------------------- Summary of changes: crypto/dh/dh_key.c | 31 +++++++++++++++++++++++++++++-- doc/man3/DH_generate_key.pod | 25 +++++++++++++++++++++---- 2 files changed, 50 insertions(+), 6 deletions(-) diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index daffdf74dd..ccf51b3546 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -25,18 +25,45 @@ int DH_generate_key(DH *dh) return dh->meth->generate_key(dh); } +/*- + * NB: This function is inherently not constant time due to the + * RFC 5246 (8.1.2) padding style that strips leading zero bytes. + */ int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) { - return dh->meth->compute_key(key, pub_key, dh); + int ret = 0, i; + volatile size_t npad = 0, mask = 1; + + /* compute the key; ret is constant unless compute_key is external */ + if ((ret = dh->meth->compute_key(key, pub_key, dh)) <= 0) + return ret; + + /* count leading zero bytes, yet still touch all bytes */ + for (i = 0; i < ret; i++) { + mask &= !key[i]; + npad += mask; + } + + /* unpad key */ + ret -= npad; + /* key-dependent memory access, potentially leaking npad / ret */ + memmove(key, key + npad, ret); + /* key-dependent memory access, potentially leaking npad / ret */ + memset(key + ret, 0, npad); + + return ret; } int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh) { int rv, pad; + + /* rv is constant unless compute_key is external */ rv = dh->meth->compute_key(key, pub_key, dh); if (rv <= 0) return rv; pad = BN_num_bytes(dh->p) - rv; + /* pad is constant (zero) unless compute_key is external */ if (pad > 0) { memmove(key + pad, key, rv); memset(key, 0, pad); @@ -212,7 +239,7 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) goto err; } - ret = BN_bn2bin(tmp, key); + ret = BN_bn2binpad(tmp, key, BN_num_bytes(dh->p)); err: BN_CTX_end(ctx); BN_CTX_free(ctx); diff --git a/doc/man3/DH_generate_key.pod b/doc/man3/DH_generate_key.pod index 297e7fbf47..fab14d77e8 100644 --- a/doc/man3/DH_generate_key.pod +++ b/doc/man3/DH_generate_key.pod @@ -2,7 +2,8 @@ =head1 NAME -DH_generate_key, DH_compute_key - perform Diffie-Hellman key exchange +DH_generate_key, DH_compute_key, DH_compute_key_padded - perform +Diffie-Hellman key exchange =head1 SYNOPSIS @@ -10,14 +11,16 @@ DH_generate_key, DH_compute_key - perform Diffie-Hellman key exchange int DH_generate_key(DH *dh); - int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh); + int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); + + int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh); =head1 DESCRIPTION DH_generate_key() performs the first step of a Diffie-Hellman key exchange by generating private and public DH values. By calling -DH_compute_key(), these are combined with the other party's public -value to compute the shared key. +DH_compute_key() or DH_compute_key_padded(), these are combined with +the other party's public value to compute the shared key. DH_generate_key() expects B to contain the shared parameters Bp> and Bg>. It generates a random private DH value @@ -28,6 +31,14 @@ published. DH_compute_key() computes the shared secret from the private DH value in B and the other party's public value in B and stores it in B. B must point to B bytes of memory. +The padding style is RFC 5246 (8.1.2) that strips leading zero bytes. +It is not constant time due to the leading zero bytes being stripped. +The return value should be considered public. + +DH_compute_key_padded() is similar but stores a fixed number of bytes. +The padding style is NIST SP 800-56A (C.1) that retains leading zero bytes. +It is constant time due to the leading zero bytes being retained. +The return value should be considered public. =head1 RETURN VALUES @@ -36,12 +47,18 @@ DH_generate_key() returns 1 on success, 0 otherwise. DH_compute_key() returns the size of the shared secret on success, -1 on error. +DH_compute_key_padded() returns B on success, -1 on error. + The error codes can be obtained by L. =head1 SEE ALSO L, L, L, L +=head1 HISTORY + +DH_compute_key_padded() was added in OpenSSL 1.0.2. + =head1 COPYRIGHT Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. From openssl at openssl.org Mon Jan 11 01:02:23 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 11 Jan 2021 01:02:23 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm Message-ID: <1610326943.961679.2072330.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-asm Commit log since last time: e211d949cd doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code. 42141197a1 Fix for negative return value from `SSL_CTX_sess_accept()` 732e24bb14 Fix simpledynamic test compilation when condigured without DSO support. 6d4313f03e replace 'unsigned const char' with 'const unsigned char' 1330093b9c [test][pkey_check] Add more invalid SM2 key tests 9e49aff2aa Add SM2 private key range validation 4554988e58 [test][pkey_check] Add invalid SM2 key test ed37336b63 [apps/pkey] Return error on failed `-[pub]check` c5bc5ec849 [test] Add `pkey -check` validation tests becbacd705 Adding TLS group name retrieval 22aa4a3afb [crypto/dh] side channel hardening for computing DH shared keys d0afb30ef3 Ensure DTLS free functions can handle NULL 3d0b6494d5 Remove extra space. 981b4b9572 Fixed error and return code. 1c47539a23 Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites. c1e8a0c66e Fix set_ciphersuites ignore unknown ciphers. a86add03ab Prepare for 3.0 alpha 11 cae118f938 Prepare for release of 3.0 alpha 10 bd0c71298a Update copyright year Build log ended with (last 100 lines): 30-test_evp_extra.t ................ ok 30-test_evp_fetch_prov.t ........... ok 30-test_evp_kdf.t .................. ok 30-test_evp_libctx.t ............... ok 30-test_evp_pkey_dparam.t .......... ok 30-test_evp_pkey_provided.t ........ ok 30-test_pbelu.t .................... ok 30-test_pkey_meth.t ................ ok 30-test_pkey_meth_kdf.t ............ ok 30-test_provider_status.t .......... ok 40-test_rehash.t ................... ok 60-test_x509_check_cert_pkey.t ..... ok 60-test_x509_dup_cert.t ............ ok 60-test_x509_store.t ............... ok 60-test_x509_time.t ................ ok 61-test_bio_prefix.t ............... ok 65-test_cmp_asn.t .................. ok 65-test_cmp_client.t ............... ok 65-test_cmp_ctx.t .................. ok 65-test_cmp_hdr.t .................. ok 65-test_cmp_msg.t .................. ok 65-test_cmp_protect.t .............. ok 65-test_cmp_server.t ............... ok 65-test_cmp_status.t ............... ok 65-test_cmp_vfy.t .................. ok 66-test_ossl_store.t ............... ok 70-test_asyncio.t .................. ok 70-test_bad_dtls.t ................. ok 70-test_clienthello.t .............. ok 70-test_comp.t ..................... ok 70-test_key_share.t ................ ok 70-test_packet.t ................... ok 70-test_recordlen.t ................ ok 70-test_renegotiation.t ............ ok 70-test_servername.t ............... ok 70-test_sslcbcpadding.t ............ ok 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok make: *** [Makefile:3249: tests] Terminated make[1]: *** wait: No child processes. Stop. make[1]: *** Waiting for unfinished jobs.... make[1]: *** wait: No child processes. Stop. From openssl at openssl.org Mon Jan 11 01:53:55 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 11 Jan 2021 01:53:55 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit Message-ID: <1610330035.478823.2181685.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: e211d949cd doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code. 42141197a1 Fix for negative return value from `SSL_CTX_sess_accept()` 732e24bb14 Fix simpledynamic test compilation when condigured without DSO support. 6d4313f03e replace 'unsigned const char' with 'const unsigned char' 1330093b9c [test][pkey_check] Add more invalid SM2 key tests 9e49aff2aa Add SM2 private key range validation 4554988e58 [test][pkey_check] Add invalid SM2 key test ed37336b63 [apps/pkey] Return error on failed `-[pub]check` c5bc5ec849 [test] Add `pkey -check` validation tests becbacd705 Adding TLS group name retrieval 22aa4a3afb [crypto/dh] side channel hardening for computing DH shared keys d0afb30ef3 Ensure DTLS free functions can handle NULL 3d0b6494d5 Remove extra space. 981b4b9572 Fixed error and return code. 1c47539a23 Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites. c1e8a0c66e Fix set_ciphersuites ignore unknown ciphers. a86add03ab Prepare for 3.0 alpha 11 cae118f938 Prepare for release of 3.0 alpha 10 bd0c71298a Update copyright year Build log ended with (last 100 lines): 70-test_sslcbcpadding.t ............ ok 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 04-test_err.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=228, Tests=3428, 894 wallclock secs (14.47 usr 1.47 sys + 804.50 cusr 84.66 csys = 905.10 CPU) Result: FAIL make[1]: *** [Makefile:3276: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-autoerrinit' make: *** [Makefile:3273: tests] Error 2 From no-reply at appveyor.com Mon Jan 11 05:12:09 2021 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 11 Jan 2021 05:12:09 +0000 Subject: Build failed: openssl master.39067 Message-ID: <20210111051209.1.67AAEB171F68B36B@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Mon Jan 11 07:24:58 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 11 Jan 2021 07:24:58 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des Message-ID: <1610349898.921333.2888004.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: e211d949cd doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code. 42141197a1 Fix for negative return value from `SSL_CTX_sess_accept()` 732e24bb14 Fix simpledynamic test compilation when condigured without DSO support. 6d4313f03e replace 'unsigned const char' with 'const unsigned char' 1330093b9c [test][pkey_check] Add more invalid SM2 key tests 9e49aff2aa Add SM2 private key range validation 4554988e58 [test][pkey_check] Add invalid SM2 key test ed37336b63 [apps/pkey] Return error on failed `-[pub]check` c5bc5ec849 [test] Add `pkey -check` validation tests becbacd705 Adding TLS group name retrieval 22aa4a3afb [crypto/dh] side channel hardening for computing DH shared keys d0afb30ef3 Ensure DTLS free functions can handle NULL 3d0b6494d5 Remove extra space. 981b4b9572 Fixed error and return code. 1c47539a23 Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites. c1e8a0c66e Fix set_ciphersuites ignore unknown ciphers. a86add03ab Prepare for 3.0 alpha 11 cae118f938 Prepare for release of 3.0 alpha 10 bd0c71298a Update copyright year Build log ended with (last 100 lines): 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 30-test_evp.t (Wstat: 512 Tests: 90 Failed: 2) Failed tests: 14, 40 Non-zero exit status: 2 30-test_evp_kdf.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=228, Tests=3430, 889 wallclock secs (14.02 usr 1.41 sys + 798.32 cusr 86.37 csys = 900.12 CPU) Result: FAIL make[1]: *** [Makefile:3185: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-des' make: *** [Makefile:3182: tests] Error 2 From no-reply at appveyor.com Mon Jan 11 08:19:02 2021 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 11 Jan 2021 08:19:02 +0000 Subject: Build completed: openssl master.39068 Message-ID: <20210111081902.1.9D279A3F94CC0199@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Mon Jan 11 08:52:45 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 11 Jan 2021 08:52:45 +0000 Subject: SUCCESSFUL build of OpenSSL branch master with options -d --strict-warnings no-dso Message-ID: <1610355165.561403.3080852.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dso Commit log since last time: e211d949cd doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code. 42141197a1 Fix for negative return value from `SSL_CTX_sess_accept()` 732e24bb14 Fix simpledynamic test compilation when condigured without DSO support. 6d4313f03e replace 'unsigned const char' with 'const unsigned char' 1330093b9c [test][pkey_check] Add more invalid SM2 key tests 9e49aff2aa Add SM2 private key range validation 4554988e58 [test][pkey_check] Add invalid SM2 key test ed37336b63 [apps/pkey] Return error on failed `-[pub]check` c5bc5ec849 [test] Add `pkey -check` validation tests becbacd705 Adding TLS group name retrieval 22aa4a3afb [crypto/dh] side channel hardening for computing DH shared keys d0afb30ef3 Ensure DTLS free functions can handle NULL 3d0b6494d5 Remove extra space. 981b4b9572 Fixed error and return code. 1c47539a23 Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites. c1e8a0c66e Fix set_ciphersuites ignore unknown ciphers. a86add03ab Prepare for 3.0 alpha 11 cae118f938 Prepare for release of 3.0 alpha 10 bd0c71298a Update copyright year From dev at ddvo.net Mon Jan 11 18:36:08 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Mon, 11 Jan 2021 18:36:08 +0000 Subject: [openssl] master update Message-ID: <1610390168.312348.29975.nullmailer@dev.openssl.org> The branch master has been updated via 046a7aaa5e3c398b19fcdb5b486d57ab9c6ced30 (commit) via 1f7643e86e7dfdc559092fe4a467bad2ce86f6f2 (commit) via 475d10028e57ae0987911af580f0de8d701325ec (commit) via 400e2acfe0bae9aec1f9df50fa51f6b7cf8ad779 (commit) from e211d949cd5737e53cd3399e6a88453930768b98 (commit) - Log ----------------------------------------------------------------- commit 046a7aaa5e3c398b19fcdb5b486d57ab9c6ced30 Author: Dr. David von Oheimb Date: Tue Dec 22 10:28:03 2020 +0100 apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13712) commit 1f7643e86e7dfdc559092fe4a467bad2ce86f6f2 Author: Dr. David von Oheimb Date: Tue Dec 22 08:37:03 2020 +0100 apps/pkey.c: Re-order help output and option documentation Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13712) commit 475d10028e57ae0987911af580f0de8d701325ec Author: Dr. David von Oheimb Date: Tue Dec 15 14:30:38 2020 +0100 apps/pkey.c: Make clear that -passout is not supported for DER output Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13712) commit 400e2acfe0bae9aec1f9df50fa51f6b7cf8ad779 Author: Dr. David von Oheimb Date: Thu Dec 10 17:10:52 2020 +0100 apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13712) ----------------------------------------------------------------------- Summary of changes: apps/lib/apps.c | 8 +-- apps/pkey.c | 94 ++++++++++++++++++----------- doc/man1/openssl-pkey.pod.in | 141 ++++++++++++++++++++++++++----------------- 3 files changed, 147 insertions(+), 96 deletions(-) diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 1998a8bc2f..457dac87bc 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -469,10 +469,10 @@ CONF *app_load_config_modules(const char *configfile) return conf; } -#define IS_HTTP(uri) \ - (strncmp(uri, OSSL_HTTP_PREFIX, strlen(OSSL_HTTP_PREFIX)) == 0) -#define IS_HTTPS(uri) \ - (strncmp(uri, OSSL_HTTPS_PREFIX, strlen(OSSL_HTTPS_PREFIX)) == 0) +#define IS_HTTP(uri) ((uri) != NULL \ + && strncmp(uri, OSSL_HTTP_PREFIX, strlen(OSSL_HTTP_PREFIX)) == 0) +#define IS_HTTPS(uri) ((uri) != NULL \ + && strncmp(uri, OSSL_HTTPS_PREFIX, strlen(OSSL_HTTPS_PREFIX)) == 0) X509 *load_cert_pass(const char *uri, int maybe_stdin, const char *pass, const char *desc) diff --git a/apps/pkey.c b/apps/pkey.c index 67dc8c012c..5d12cc059a 100644 --- a/apps/pkey.c +++ b/apps/pkey.c @@ -36,7 +36,7 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_INFORM, OPT_OUTFORM, OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE, OPT_IN, OPT_OUT, OPT_PUBIN, OPT_PUBOUT, OPT_TEXT_PUB, - OPT_TEXT, OPT_NOOUT, OPT_MD, OPT_TRADITIONAL, OPT_CHECK, OPT_PUB_CHECK, + OPT_TEXT, OPT_NOOUT, OPT_CIPHER, OPT_TRADITIONAL, OPT_CHECK, OPT_PUB_CHECK, OPT_EC_PARAM_ENC, OPT_EC_CONV_FORM, OPT_PROV_ENUM } OPTION_CHOICE; @@ -47,33 +47,36 @@ const OPTIONS pkey_options[] = { #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif + OPT_PROV_OPTIONS, + {"check", OPT_CHECK, '-', "Check key consistency"}, {"pubcheck", OPT_PUB_CHECK, '-', "Check public key consistency"}, - {"", OPT_MD, '-', "Any supported cipher"}, - {"ec_param_enc", OPT_EC_PARAM_ENC, 's', - "Specifies the way the ec parameters are encoded"}, - {"ec_conv_form", OPT_EC_CONV_FORM, 's', - "Specifies the point conversion form "}, OPT_SECTION("Input"), {"in", OPT_IN, 's', "Input key"}, - {"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)"}, - {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"inform", OPT_INFORM, 'f', + "Key input format (ENGINE, other values ignored)"}, + {"passin", OPT_PASSIN, 's', "Key input pass phrase source"}, {"pubin", OPT_PUBIN, '-', - "Read public key from input (default is private key)"}, - {"traditional", OPT_TRADITIONAL, '-', - "Use traditional format for private keys"}, + "Read only public components from key input"}, OPT_SECTION("Output"), - {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"}, - {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, - {"out", OPT_OUT, '>', "Output file"}, - {"pubout", OPT_PUBOUT, '-', "Output public key, not private"}, - {"text_pub", OPT_TEXT_PUB, '-', "Only output public key components"}, - {"text", OPT_TEXT, '-', "Output in plaintext as well"}, - {"noout", OPT_NOOUT, '-', "Don't output the key"}, + {"out", OPT_OUT, '>', "Output file for encoded and/or text output"}, + {"outform", OPT_OUTFORM, 'F', "Output encoding format (DER or PEM)"}, + {"", OPT_CIPHER, '-', "Any supported cipher to be used for encryption"}, + {"passout", OPT_PASSOUT, 's', "Output PEM file pass phrase source"}, + {"traditional", OPT_TRADITIONAL, '-', + "Use traditional format for private key PEM output"}, + {"pubout", OPT_PUBOUT, '-', "Restrict encoded output to public components"}, + {"noout", OPT_NOOUT, '-', "Do not output the key in encoded form"}, + {"text", OPT_TEXT, '-', "Output key components in plaintext"}, + {"text_pub", OPT_TEXT_PUB, '-', + "Output only public key components in text form"}, + {"ec_conv_form", OPT_EC_CONV_FORM, 's', + "Specifies the EC point conversion form in the encoding"}, + {"ec_param_enc", OPT_EC_PARAM_ENC, 's', + "Specifies the way the EC parameters are encoded"}, - OPT_PROV_OPTIONS, {NULL} }; @@ -88,7 +91,7 @@ int pkey_main(int argc, char **argv) char *passinarg = NULL, *passoutarg = NULL, *prog; OPTION_CHOICE o; int informat = FORMAT_PEM, outformat = FORMAT_PEM; - int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0, ret = 1; + int pubin = 0, pubout = 0, text_pub = 0, text = 0, noout = 0, ret = 1; int private = 0, traditional = 0, check = 0, pub_check = 0; #ifndef OPENSSL_NO_EC EC_KEY *eckey; @@ -133,13 +136,13 @@ int pkey_main(int argc, char **argv) outfile = opt_arg(); break; case OPT_PUBIN: - pubin = pubout = pubtext = 1; + pubin = pubout = 1; break; case OPT_PUBOUT: pubout = 1; break; case OPT_TEXT_PUB: - pubtext = text = 1; + text_pub = 1; break; case OPT_TEXT: text = 1; @@ -156,7 +159,7 @@ int pkey_main(int argc, char **argv) case OPT_PUB_CHECK: pub_check = 1; break; - case OPT_MD: + case OPT_CIPHER: if (!opt_cipher(opt_unknown(), &cipher)) goto opthelp; break; @@ -192,10 +195,28 @@ int pkey_main(int argc, char **argv) if (argc != 0) goto opthelp; - private = !noout && !pubout ? 1 : 0; - if (text && !pubtext) - private = 1; + if (noout && pubout) + BIO_printf(bio_err, + "Warning: The -pubout option is ignored with -noout\n"); + if (text && text_pub) + BIO_printf(bio_err, + "Warning: The -text option is ignored with -text_pub\n"); + if (traditional && (noout || outformat != FORMAT_PEM)) + BIO_printf(bio_err, + "Warning: The -traditional is ignored since there is no PEM output\n"); + private = (!noout && !pubout) || (text && !text_pub); + if (cipher == NULL) { + if (passoutarg != NULL) + BIO_printf(bio_err, + "Warning: The -passout option is ignored without a cipher option\n"); + } else { + if (noout || outformat != FORMAT_PEM) { + BIO_printf(bio_err, + "Error: Cipher options are supported only for PEM output\n"); + goto end; + } + } if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; @@ -283,6 +304,11 @@ int pkey_main(int argc, char **argv) } } } else if (outformat == FORMAT_ASN1) { + if (text || text_pub) { + BIO_printf(bio_err, + "Error: Text output cannot be combined with DER output\n"); + goto end; + } if (pubout) { if (!i2d_PUBKEY_bio(out, pkey)) goto end; @@ -297,15 +323,13 @@ int pkey_main(int argc, char **argv) } } - if (text) { - if (pubtext) { - if (EVP_PKEY_print_public(out, pkey, 0, NULL) <= 0) - goto end; - } else { - assert(private); - if (EVP_PKEY_print_private(out, pkey, 0, NULL) <= 0) - goto end; - } + if (text_pub) { + if (EVP_PKEY_print_public(out, pkey, 0, NULL) <= 0) + goto end; + } else if (text) { + assert(private); + if (EVP_PKEY_print_private(out, pkey, 0, NULL) <= 0) + goto end; } ret = 0; diff --git a/doc/man1/openssl-pkey.pod.in b/doc/man1/openssl-pkey.pod.in index 86597c9e36..df031fb258 100644 --- a/doc/man1/openssl-pkey.pod.in +++ b/doc/man1/openssl-pkey.pod.in @@ -13,118 +13,149 @@ openssl-pkey - public or private key processing command B B [B<-help>] -[B<-inform> B|B|B|B] -[B<-outform> B|B] +{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +[B<-check>] +[B<-pubcheck>] [B<-in> I|I] +[B<-inform> B|B|B|B] [B<-passin> I] +[B<-pubin>] [B<-out> I] +[B<-outform> B|B] +[B<-I>] [B<-passout> I] [B<-traditional>] -[B<-I>] +[B<-pubout>] +[B<-noout>] [B<-text>] [B<-text_pub>] -[B<-noout>] -[B<-pubin>] -[B<-pubout>] -[B<-check>] -[B<-pubcheck>] [B<-ec_conv_form> I] [B<-ec_param_enc> I] -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef engine =head1 DESCRIPTION This command processes public or private keys. They can be -converted between various forms and their components printed out. +converted between various forms and their components printed. =head1 OPTIONS +=head2 General options + =over 4 =item B<-help> Print out a usage message. +{- $OpenSSL::safe::opt_engine_item -} + +{- $OpenSSL::safe::opt_provider_item -} + +=item B<-check> + +This option checks the consistency of a key pair for both public and private +components. + +=item B<-pubcheck> + +This option checks the correctness of either a public key +or the public component of a key pair. + +=back + +=head2 Input options + +=over 4 + +=item B<-in> I|I + +This specifies the input to read a key from +or standard input if this option is not specified. +If the key input is encrypted and B<-passin> is not given +a pass phrase will be prompted for. + =item B<-inform> B|B|B|B The key input format; the default is B. The only value with effect is B; all others have become obsolete. See L for details. -=item B<-outform> B|B +=item B<-passin> I -The key output formats; the default is B. -See L for details. +The password source for the key input. -=item B<-in> I|I +For more information about the format of B +see L. -This specifies the input to read a key from or standard input if this -option is not specified. If the key is encrypted a pass phrase will be -prompted for. +=item B<-pubin> -=item B<-passin> I, B<-passout> I +By default a private key is read from the input. +With this option only the public components are read. -The password source for the input and output file. -For more information about the format of B -see L. +=back + +=head2 Output options + +=over 4 =item B<-out> I -This specifies the output filename to write a key to or standard output if this -option is not specified. If any encryption options are set then a pass phrase -will be prompted for. The output filename should B be the same as the input -filename. +This specifies the output filename to save the encoded and/or text output of key +or standard output if this option is not specified. +If any cipher option is set but no B<-passout> is given +then a pass phrase will be prompted for. +The output filename should B be the same as the input filename. -=item B<-traditional> +=item B<-outform> B|B -Normally a private key is written using standard format: this is PKCS#8 form -with the appropriate encryption algorithm (if any). If the B<-traditional> -option is specified then the older "traditional" format is used instead. +The key output format; the default is B. +See L for details. =item B<-I> -These options encrypt the private key with the supplied cipher. Any algorithm -name accepted by EVP_get_cipherbyname() is acceptable such as B. +Encrypt the PEM encoded private key with the supplied cipher. Any algorithm +name accepted by EVP_get_cipherbyname() is acceptable such as B. +Encryption is not supported for DER output. -=item B<-text> - -Prints out the various public or private key components in -plain text in addition to the encoded version. +=item B<-passout> I -=item B<-text_pub> +The password source for the output file. -Print out only public key components even if a private key is being processed. +For more information about the format of B +see L. -=item B<-noout> +=item B<-traditional> -Do not output the encoded version of the key. +Normally a private key is written using standard format: this is PKCS#8 form +with the appropriate encryption algorithm (if any). If the B<-traditional> +option is specified then the older "traditional" format is used instead. -=item B<-pubin> +=item B<-pubout> -By default a private key is read from the input file: with this -option a public key is read instead. +By default the encoded private and public key is output; +this option restricts the encoded output to the public components. +This option is automatically set if the input is a public key. -=item B<-pubout> +=item B<-noout> -By default a private key is output: with this option a public -key will be output instead. This option is automatically set if -the input is a public key. +Do not output the key in encoded form. -=item B<-check> +=item B<-text> -This option checks the consistency of a key pair for both public and private -components. +Output the various key components in plain text +(possibly in addition to the PEM encoded form). +This cannot be combined with encoded output in DER format. -=item B<-pubcheck> +=item B<-text_pub> -This option checks the correctness of either a public key or the public component -of a key pair. +Output in text form only the public key components (also for private keys). +This cannot be combined with encoded output in DER format. =item B<-ec_conv_form> I -This option only applies to elliptic curve based public and private keys. +This option only applies to elliptic-curve based keys. This specifies how the points on the elliptic curve are converted into octet strings. Possible values are: B (the default @@ -146,10 +177,6 @@ EC parameters structures). The default value is B. B the B alternative, as specified in RFC 3279, is currently not implemented in OpenSSL. -{- $OpenSSL::safe::opt_engine_item -} - -{- $OpenSSL::safe::opt_provider_item -} - =back =head1 EXAMPLES From dev at ddvo.net Mon Jan 11 18:40:41 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Mon, 11 Jan 2021 18:40:41 +0000 Subject: [openssl] master update Message-ID: <1610390441.530688.18492.nullmailer@dev.openssl.org> The branch master has been updated via 678cae0295e3fe600edc049742b8c765a58edebc (commit) via 3372039252c4d9c67de784a0fbdad5589991a347 (commit) from 046a7aaa5e3c398b19fcdb5b486d57ab9c6ced30 (commit) - Log ----------------------------------------------------------------- commit 678cae0295e3fe600edc049742b8c765a58edebc Author: Dr. David von Oheimb Date: Thu Jan 7 10:16:12 2021 +0100 APPS: Print help also on -h and --h; print high-level help when no cmd given Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13799) commit 3372039252c4d9c67de784a0fbdad5589991a347 Author: Dr. David von Oheimb Date: Thu Jan 7 09:00:02 2021 +0100 APPS: Fix confusion between program and app/command name used in diagnostic/help output Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13799) ----------------------------------------------------------------------- Summary of changes: apps/cmp.c | 6 ++---- apps/dgst.c | 3 +-- apps/enc.c | 16 ++++++++-------- apps/include/opt.h | 1 + apps/lib/opt.c | 13 +++++++++++-- apps/openssl.c | 37 ++++++++++++++++++------------------- apps/s_client.c | 3 +-- test/recipes/20-test_app.t | 10 ++++++++-- 8 files changed, 50 insertions(+), 39 deletions(-) diff --git a/apps/cmp.c b/apps/cmp.c index a484234f90..b28b7431ce 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -42,6 +42,7 @@ #include #include +static char *prog; static char *opt_config = NULL; #define CMP_SECTION "cmp" #define SECTION_NAME_MAX 40 /* max length of section name */ @@ -49,10 +50,6 @@ static char *opt_config = NULL; static char *opt_section = CMP_SECTION; static int opt_verbosity = OSSL_CMP_LOG_INFO; -#undef PROG -#define PROG cmp_main -static char *prog = "cmp"; - static int read_config(void); static CONF *conf = NULL; /* OpenSSL config file context structure */ @@ -2625,6 +2622,7 @@ int cmp_main(int argc, char **argv) int ret = 0; /* default: failure */ if (argc <= 1) { + prog = opt_appname(argv[0]); opt_help(cmp_options); goto err; } diff --git a/apps/dgst.c b/apps/dgst.c index 7110a97cf4..845c2eabc9 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -111,9 +111,8 @@ int dgst_main(int argc, char **argv) int engine_impl = 0; struct doall_dgst_digests dec; - prog = opt_progname(argv[0]); buf = app_malloc(BUFSIZE, "I/O buffer"); - md = EVP_get_digestbyname(prog); + md = EVP_get_digestbyname(argv[0]); prog = opt_init(argc, argv, dgst_options); while ((o = opt_next()) != OPT_EOF) { diff --git a/apps/enc.c b/apps/enc.c index f97621b1a6..42b14d4993 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -112,7 +112,7 @@ int enc_main(int argc, char **argv) const EVP_CIPHER *cipher = NULL, *c; const EVP_MD *dgst = NULL; char *hkey = NULL, *hiv = NULL, *hsalt = NULL, *p; - char *infile = NULL, *outfile = NULL, *prog; + char *infile = NULL, *outfile = NULL, *prog, *arg0; char *str = NULL, *passarg = NULL, *pass = NULL, *strbuf = NULL; char mbuf[sizeof(magic) - 1]; OPTION_CHOICE o; @@ -131,18 +131,18 @@ int enc_main(int argc, char **argv) BIO *bzl = NULL; #endif - /* first check the program name */ - prog = opt_progname(argv[0]); - if (strcmp(prog, "base64") == 0) { + /* first check the command name */ + arg0 = argv[0]; + if (strcmp(arg0, "base64") == 0) { base64 = 1; #ifdef ZLIB - } else if (strcmp(prog, "zlib") == 0) { + } else if (strcmp(arg0, "zlib") == 0) { do_zlib = 1; #endif } else { - cipher = EVP_get_cipherbyname(prog); - if (cipher == NULL && strcmp(prog, "enc") != 0) { - BIO_printf(bio_err, "%s is not a known cipher\n", prog); + cipher = EVP_get_cipherbyname(arg0); + if (cipher == NULL && strcmp(arg0, "enc") != 0) { + BIO_printf(bio_err, "%s is not a known cipher\n", arg0); goto end; } } diff --git a/apps/include/opt.h b/apps/include/opt.h index 56de57cf4c..15375e3a80 100644 --- a/apps/include/opt.h +++ b/apps/include/opt.h @@ -341,6 +341,7 @@ typedef struct string_int_pair_st { const char *opt_path_end(const char *filename); char *opt_progname(const char *argv0); +char *opt_appname(const char *arg0); char *opt_getprog(void); char *opt_init(int ac, char **av, const OPTIONS * o); int opt_next(void); diff --git a/apps/lib/opt.c b/apps/lib/opt.c index 260ff3b1c2..22d4138301 100644 --- a/apps/lib/opt.c +++ b/apps/lib/opt.c @@ -138,6 +138,15 @@ char *opt_progname(const char *argv0) } #endif +char *opt_appname(const char *arg0) +{ + size_t len = strlen(prog); + + if (arg0 != NULL) + snprintf(prog + len, sizeof(prog) - len - 1, " %s", arg0); + return prog; +} + char *opt_getprog(void) { return prog; @@ -151,7 +160,6 @@ char *opt_init(int ac, char **av, const OPTIONS *o) argv = av; opt_begin(); opts = o; - opt_progname(av[0]); unknown = NULL; /* Check all options up until the PARAM marker (if present) */ @@ -724,7 +732,8 @@ int opt_next(void) *arg++ = '\0'; for (o = opts; o->name; ++o) { /* If not this option, move on to the next one. */ - if (strcmp(p, o->name) != 0) + if (!(strcmp(p, "h") == 0 && strcmp(o->name, "help") == 0) + && strcmp(p, o->name) != 0) continue; /* If it doesn't take a value, make sure none was given. */ diff --git a/apps/openssl.c b/apps/openssl.c index e6746087ad..b61ed5f81d 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -235,7 +235,9 @@ int main(int argc, char *argv[]) FUNCTION f, *fp; LHASH_OF(FUNCTION) *prog = NULL; char *pname; + const char *fname; ARGS arg; + int global_help = 0; int ret = 0; arg.argv = NULL; @@ -249,9 +251,7 @@ int main(int argc, char *argv[]) #if defined(OPENSSL_SYS_VMS) && defined(__DECC) argv = copy_argv(&argc, argv); #elif defined(_WIN32) - /* - * Replace argv[] with UTF-8 encoded strings. - */ + /* Replace argv[] with UTF-8 encoded strings. */ win32_utf8argv(&argc, &argv); #endif @@ -259,18 +259,11 @@ int main(int argc, char *argv[]) setup_trace(getenv("OPENSSL_TRACE")); #endif - if (!apps_startup()) { - BIO_printf(bio_err, - "FATAL: Startup failure (dev note: apps_startup() failed)\n"); - ERR_print_errors(bio_err); - ret = 1; - goto end; - } - - prog = prog_init(); - if (prog == NULL) { + if ((fname = "apps_startup", !apps_startup()) + || (fname = "prog_init", (prog = prog_init()) == NULL)) { BIO_printf(bio_err, - "FATAL: Startup failure (dev note: prog_init() failed)\n"); + "FATAL: Startup failure (dev note: %s()) for %s\n", + fname, argv[0]); ERR_print_errors(bio_err); ret = 1; goto end; @@ -285,15 +278,21 @@ int main(int argc, char *argv[]) f.name = pname; fp = lh_FUNCTION_retrieve(prog, &f); if (fp == NULL) { - /* We assume we've been called as 'openssl cmd' */ + /* We assume we've been called as 'openssl ...' */ + global_help = argc > 1 + && (strcmp(argv[1], "-help") == 0 || strcmp(argv[1], "--help") == 0 + || strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--h") == 0); argc--; argv++; + opt_appname(argc == 1 || global_help ? "help" : argv[0]); + } else { + argv[0] = pname; } /* If there's a command, run with that, otherwise "help". */ - ret = argc > 0 - ? do_cmd(prog, argc, argv) - : do_cmd(prog, 1, help_argv); + ret = argc == 0 || global_help + ? do_cmd(prog, 1, help_argv) + : do_cmd(prog, argc, argv); end: OPENSSL_free(default_config_file); @@ -360,7 +359,7 @@ int help_main(int argc, char **argv) } calculate_columns(functions, &dc); - BIO_printf(bio_err, "Standard commands"); + BIO_printf(bio_err, "%s:\n\nStandard commands", prog); i = 0; tp = FT_none; for (fp = functions; fp->name != NULL; fp++) { diff --git a/apps/s_client.c b/apps/s_client.c index 56444baeca..25c01f4088 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -1010,7 +1010,6 @@ int s_client_main(int argc, char **argv) # endif #endif - prog = opt_progname(argv[0]); c_quiet = 0; c_debug = 0; c_showcerts = 0; @@ -1019,7 +1018,7 @@ int s_client_main(int argc, char **argv) cctx = SSL_CONF_CTX_new(); if (vpm == NULL || cctx == NULL) { - BIO_printf(bio_err, "%s: out of memory\n", prog); + BIO_printf(bio_err, "%s: out of memory\n", opt_getprog()); goto end; } diff --git a/test/recipes/20-test_app.t b/test/recipes/20-test_app.t index e7246565f2..dfd0db25b8 100644 --- a/test/recipes/20-test_app.t +++ b/test/recipes/20-test_app.t @@ -13,7 +13,7 @@ use OpenSSL::Test; setup("test_app"); -plan tests => 3; +plan tests => 5; ok(run(app(["openssl"])), "Run openssl app with no args"); @@ -21,5 +21,11 @@ ok(run(app(["openssl"])), ok(run(app(["openssl", "help"])), "Run openssl app with help"); -ok(!run(app(["openssl", "-help"])), +ok(!run(app(["openssl", "-wrong"])), "Run openssl app with incorrect arg"); + +ok(run(app(["openssl", "-help"])), + "Run openssl app with -help"); + +ok(run(app(["openssl", "--help"])), + "Run openssl app with --help"); From no-reply at appveyor.com Mon Jan 11 20:28:37 2021 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 11 Jan 2021 20:28:37 +0000 Subject: Build failed: openssl master.39082 Message-ID: <20210111202837.1.B9596B86F5F56362@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Mon Jan 11 23:34:47 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 11 Jan 2021 23:34:47 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module Message-ID: <1610408087.872619.643438.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: e211d949cd doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code. 42141197a1 Fix for negative return value from `SSL_CTX_sess_accept()` 732e24bb14 Fix simpledynamic test compilation when condigured without DSO support. 6d4313f03e replace 'unsigned const char' with 'const unsigned char' 1330093b9c [test][pkey_check] Add more invalid SM2 key tests 9e49aff2aa Add SM2 private key range validation 4554988e58 [test][pkey_check] Add invalid SM2 key test ed37336b63 [apps/pkey] Return error on failed `-[pub]check` c5bc5ec849 [test] Add `pkey -check` validation tests becbacd705 Adding TLS group name retrieval 22aa4a3afb [crypto/dh] side channel hardening for computing DH shared keys d0afb30ef3 Ensure DTLS free functions can handle NULL 3d0b6494d5 Remove extra space. 981b4b9572 Fixed error and return code. 1c47539a23 Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites. c1e8a0c66e Fix set_ciphersuites ignore unknown ciphers. a86add03ab Prepare for 3.0 alpha 11 cae118f938 Prepare for release of 3.0 alpha 10 bd0c71298a Update copyright year Build log ended with (last 100 lines): # setup_client_ctx:../openssl/apps/cmp.c:1980:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2030:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 0 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem -out_trusted root.crt => 0 not ok 43 - popo RAVERIFIED # ------------------------------------------------------------------------------ # cmp_main:../openssl/apps/cmp.c:2663:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2263:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:687:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1980:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2030:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # ------------------------------------------------------------------------------ # Failed test 'popo NONE' # at ../openssl/test/recipes/81-test_cmp_cli.t line 183. # cmp_main:../openssl/apps/cmp.c:2663:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2263:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:687:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1980:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2030:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 2 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem -out_trusted root.crt => 0 not ok 48 - popo KEYENC not supported # ------------------------------------------------------------------------------ # Looks like you failed 3 tests of 92. not ok 7 - CMP app CLI Mock enrollment # ------------------------------------------------------------------------------ # # Failed test 'CMP app CLI Mock enrollment # ' # at /home/openssl/run-checker/enable-fuzz-afl/../openssl/util/perl/OpenSSL/Test.pm line 1335. # Looks like you failed 3 tests of 7.81-test_cmp_cli.t .................. Dubious, test returned 3 (wstat 768, 0x300) Failed 3/7 subtests 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. skipped: Test only supported in a shared build 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: GOST support is disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ skipped: Test only supported in a shared build 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. skipped: tls13secrets is not supported in this build 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 81-test_cmp_cli.t (Wstat: 768 Tests: 7 Failed: 3) Failed tests: 4-5, 7 Non-zero exit status: 3 Files=228, Tests=3004, 693 wallclock secs (10.61 usr 1.32 sys + 610.63 cusr 71.30 csys = 693.86 CPU) Result: FAIL make[1]: *** [Makefile:2459: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-fuzz-afl' make: *** [Makefile:2456: tests] Error 2 From kaduk at mit.edu Mon Jan 11 23:51:21 2021 From: kaduk at mit.edu (kaduk at mit.edu) Date: Mon, 11 Jan 2021 23:51:21 +0000 Subject: [openssl] master update Message-ID: <1610409081.301923.4306.nullmailer@dev.openssl.org> The branch master has been updated via 3ddf44ea5a2c1c8c55f4f4072a611791c79d4e7c (commit) from 678cae0295e3fe600edc049742b8c765a58edebc (commit) - Log ----------------------------------------------------------------- commit 3ddf44ea5a2c1c8c55f4f4072a611791c79d4e7c Author: John Baldwin Date: Thu Jan 7 14:09:41 2021 -0800 Close /dev/crypto file descriptor after CRIOGET ioctl(). Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13807) ----------------------------------------------------------------------- Summary of changes: engines/e_devcrypto.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c index d549edfd29..e1c4372f72 100644 --- a/engines/e_devcrypto.c +++ b/engines/e_devcrypto.c @@ -1236,9 +1236,11 @@ static int open_devcrypto(void) #ifdef CRIOGET if (ioctl(fd, CRIOGET, &cfd) < 0) { fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno)); + close(fd); cfd = -1; return 0; } + close(fd); #else cfd = fd; #endif From no-reply at appveyor.com Tue Jan 12 03:19:43 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 12 Jan 2021 03:19:43 +0000 Subject: Build failed: openssl master.39095 Message-ID: <20210112031943.1.5C9BD2F84A3B4EC4@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Jan 12 03:37:18 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 12 Jan 2021 03:37:18 +0000 Subject: Build failed: openssl master.39096 Message-ID: <20210112033718.1.C586B57084123E3B@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Jan 12 06:29:31 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 12 Jan 2021 06:29:31 +0000 Subject: Build completed: openssl master.39097 Message-ID: <20210112062931.1.048BE900A70FD4CD@appveyor.com> An HTML attachment was scrubbed... URL: From matthias.st.pierre at ncp-e.com Tue Jan 12 10:19:48 2021 From: matthias.st.pierre at ncp-e.com (matthias.st.pierre at ncp-e.com) Date: Tue, 12 Jan 2021 10:19:48 +0000 Subject: [openssl] master update Message-ID: <1610446788.625383.23994.nullmailer@dev.openssl.org> The branch master has been updated via b209835364de35541d835185f3dc3a984e2c1545 (commit) from 3ddf44ea5a2c1c8c55f4f4072a611791c79d4e7c (commit) - Log ----------------------------------------------------------------- commit b209835364de35541d835185f3dc3a984e2c1545 Author: Dr. Matthias St. Pierre Date: Sat Jan 9 17:29:47 2021 +0100 v3_ocsp.c: fix indentation of include directives Fixes #13820 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13822) ----------------------------------------------------------------------- Summary of changes: crypto/ocsp/v3_ocsp.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/crypto/ocsp/v3_ocsp.c b/crypto/ocsp/v3_ocsp.c index 7d3d730457..9e24102685 100644 --- a/crypto/ocsp/v3_ocsp.c +++ b/crypto/ocsp/v3_ocsp.c @@ -7,14 +7,14 @@ * https://www.openssl.org/source/license.html */ -# include -# include "internal/cryptlib.h" -# include -# include -# include -# include "ocsp_local.h" -# include -# include "../x509/ext_dat.h" +#include +#include "internal/cryptlib.h" +#include +#include +#include +#include "ocsp_local.h" +#include +#include "../x509/ext_dat.h" /* * OCSP extensions and a couple of CRL entry extensions From levitte at openssl.org Tue Jan 12 10:27:10 2021 From: levitte at openssl.org (Richard Levitte) Date: Tue, 12 Jan 2021 10:27:10 +0000 Subject: [openssl] master update Message-ID: <1610447230.546613.26404.nullmailer@dev.openssl.org> The branch master has been updated via 0d11846e4b2850773d1ee0df206608549a7d45d0 (commit) via 2497e2e7dbe54420cd98dc2ff013ed5886cd4d8e (commit) via 5e16ac142e812864e01c6c534888d4efaca6d9bf (commit) via 507f83800fe9c85c6249e9baad4602075df2b5b7 (commit) from b209835364de35541d835185f3dc3a984e2c1545 (commit) - Log ----------------------------------------------------------------- commit 0d11846e4b2850773d1ee0df206608549a7d45d0 Author: Richard Levitte Date: Sun Jan 10 09:28:58 2021 +0100 Remove duplicate GENERATE declarations for .pod files Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13824) commit 2497e2e7dbe54420cd98dc2ff013ed5886cd4d8e Author: Richard Levitte Date: Sun Jan 10 09:26:22 2021 +0100 Configure: warn about duplicate GENERATE declarations in build.info files This sort of duplication is permitted, as the end result will be a single item anyway, but we might as well warn to avoid future confusion. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13824) commit 5e16ac142e812864e01c6c534888d4efaca6d9bf Author: Richard Levitte Date: Sun Jan 10 09:13:14 2021 +0100 Configure: clean away perl syntax faults The faults aren't fatal (i.e. perl just shrugs), but are curious. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13824) commit 507f83800fe9c85c6249e9baad4602075df2b5b7 Author: Richard Levitte Date: Sun Jan 10 09:08:46 2021 +0100 Configure: Check all SOURCE declarations, to ensure consistency If the given sources are GENERATEd, we check those generators as well. This ensures that the declarations in the diverse build.info files are consistent with existing files. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13824) ----------------------------------------------------------------------- Summary of changes: Configure | 81 ++++++++++++++++++++++++++++++++++++++++++++++++----- build.info | 1 - doc/man1/build.info | 55 ++---------------------------------- 3 files changed, 76 insertions(+), 61 deletions(-) diff --git a/Configure b/Configure index f0ad787bc4..ccdb037de2 100755 --- a/Configure +++ b/Configure @@ -1891,6 +1891,17 @@ if ($builder eq "unified") { $config{build_infos} = [ ]; + # We want to detect configdata.pm in the source tree, so we + # don't use it if the build tree is different. + my $src_configdata = cleanfile($srcdir, "configdata.pm", $blddir); + + # Any source file that we recognise is placed in this hash table, with + # the list of its intended destinations as value. When everything has + # been collected, there's a routine that checks that these source files + # exist, or if they are generated, that the generator exists. + my %check_exist = (); + my %check_generate = (); + my %ordinals = (); while (@build_dirs) { my @curd = @{shift @build_dirs}; @@ -2038,11 +2049,6 @@ if ($builder eq "unified") { } }; - # We want to detect configdata.pm in the source tree, so we - # don't use it if the build tree is different. - my $src_configdata = cleanfile($srcdir, "configdata.pm", $blddir); - - if ($buildinfo_debug) { print STDERR "DEBUG: Reading ",catfile($sourced, $f),"\n"; } @@ -2242,6 +2248,7 @@ EOF } # We recognise C++, C and asm files if ($s =~ /\.(cc|cpp|c|s|S)$/) { + push @{$check_exist{$s}}, $ddest; my $o = $_; $o =~ s/\.[csS]$/.o/; # C and assembler $o =~ s/\.(cc|cpp)$/_cc.o/; # C++ @@ -2250,12 +2257,14 @@ EOF $unified_info{sources}->{$o}->{$s} = -1; } elsif ($s =~ /\.rc$/) { # We also recognise resource files + push @{$check_exist{$s}}, $ddest; my $o = $_; $o =~ s/\.rc$/.res/; # Resource configuration - my $o = cleanfile($buildd, $o, $blddir); + $o = cleanfile($buildd, $o, $blddir); $unified_info{sources}->{$ddest}->{$o} = -1; $unified_info{sources}->{$o}->{$s} = -1; } else { + push @{$check_exist{$s}}, $ddest; $unified_info{sources}->{$ddest}->{$s} = 1; } } @@ -2275,6 +2284,7 @@ EOF if ($s =~ /\.(cc|cpp|c|s|S)$/) { # We recognise C++, C and asm files + push @{$check_exist{$s}}, $ddest; my $o = $_; $o =~ s/\.[csS]$/.o/; # C and assembler $o =~ s/\.(cc|cpp)$/_cc.o/; # C++ @@ -2283,14 +2293,16 @@ EOF $unified_info{sources}->{$o}->{$s} = -1; } elsif ($s =~ /\.rc$/) { # We also recognise resource files + push @{$check_exist{$s}}, $ddest; my $o = $_; $o =~ s/\.rc$/.res/; # Resource configuration - my $o = cleanfile($buildd, $o, $blddir); + $o = cleanfile($buildd, $o, $blddir); $unified_info{shared_sources}->{$ddest}->{$o} = -1; $unified_info{sources}->{$o}->{$s} = -1; } elsif ($s =~ /\.ld$/) { # We also recognise linker scripts (or corresponding) # We know they are generated files + push @{$check_exist{$s}}, $ddest; my $ld = cleanfile($buildd, $_, $blddir); $unified_info{shared_sources}->{$ddest}->{$ld} = 1; } else { @@ -2313,6 +2325,7 @@ EOF if ($generate{$gen}) { $generator[0] = cleanfile($buildd, $gen, $blddir); } + $check_generate{$ddest}->{$generator[0]}++; $unified_info{generate}->{$ddest} = [ @generator ]; } @@ -2417,6 +2430,60 @@ They are ignored and should be replaced with a combination of GENERATE, DEPEND and SHARED_SOURCE. EOF + # Check that each generated file is only generated once + my $ambiguous_generation = 0; + foreach (sort keys %check_generate) { + my @generators = sort keys %{$check_generate{$_}}; + my $generators_txt = join(', ', @generators); + if (scalar @generators > 1) { + warn "$_ is GENERATEd by more than one generator ($generators_txt)\n"; + $ambiguous_generation++; + } + if ($check_generate{$_}->{$generators[0]} > 1) { + warn "INFO: $_ has more than one GENERATE declaration (same generator)\n" + } + } + die "There are ambiguous source file generations\n" + if $ambiguous_generation > 0; + + # All given source files should exist, or if generated, their + # generator should exist. This loop ensures this is true. + my $missing = 0; + foreach my $orig (sort keys %check_exist) { + foreach my $dest (@{$check_exist{$orig}}) { + if ($orig ne $src_configdata) { + if ($orig =~ /\.a$/) { + # Static library names may be used as sources, so we + # need to detect those and give them special treatment. + unless (grep { $_ eq $orig } + keys %{$unified_info{libraries}}) { + warn "$orig is given as source for $dest, but no such library is built\n"; + $missing++; + } + } else { + # A source may be generated, and its generator may be + # generated as well. We therefore loop to dig out the + # first generator. + my $gen = $orig; + + while (my @next = keys %{$check_generate{$gen}}) { + $gen = $next[0]; + } + + if (! -f $gen) { + if ($gen ne $orig) { + $missing++; + warn "$orig is given as source for $dest, but its generator (leading to $gen) is missing\n"; + } else { + $missing++; + warn "$orig is given as source for $dest, but is missing\n"; + } + } + } + } + } + } + die "There are files missing\n" if $missing > 0; # Go through the sources of all libraries and check that the same basename # doesn't appear more than once. Some static library archivers depend on diff --git a/build.info b/build.info index 44ecee35cb..27818b7fce 100644 --- a/build.info +++ b/build.info @@ -68,7 +68,6 @@ GENERATE[include/openssl/x509v3.h]=include/openssl/x509v3.h.in GENERATE[include/openssl/x509_vfy.h]=include/openssl/x509_vfy.h.in GENERATE[include/crypto/bn_conf.h]=include/crypto/bn_conf.h.in GENERATE[include/crypto/dso_conf.h]=include/crypto/dso_conf.h.in -GENERATE[doc/man7/openssl_user_macros.pod]=doc/man7/openssl_user_macros.pod.in IF[{- defined $target{shared_defflag} -}] SHARED_SOURCE[libcrypto]=libcrypto.ld diff --git a/doc/man1/build.info b/doc/man1/build.info index 40df5d360e..6d9d7b564c 100644 --- a/doc/man1/build.info +++ b/doc/man1/build.info @@ -108,56 +108,5 @@ DEPEND[openssl-verify.pod]=../perlvars.pm DEPEND[openssl-version.pod]=../perlvars.pm DEPEND[openssl-x509.pod]=../perlvars.pm -GENERATE[openssl-asn1parse.pod]=openssl-asn1parse.pod.in -GENERATE[openssl-ca.pod]=openssl-ca.pod.in -GENERATE[openssl-ciphers.pod]=openssl-ciphers.pod.in -GENERATE[openssl-cmds.pod]=openssl-cmds.pod.in -GENERATE[openssl-cmp.pod]=openssl-cmp.pod.in -GENERATE[openssl-cms.pod]=openssl-cms.pod.in -GENERATE[openssl-crl2pkcs7.pod]=openssl-crl2pkcs7.pod.in -GENERATE[openssl-crl.pod]=openssl-crl.pod.in -GENERATE[openssl-dgst.pod]=openssl-dgst.pod.in -GENERATE[openssl-dhparam.pod]=openssl-dhparam.pod.in -GENERATE[openssl-dsaparam.pod]=openssl-dsaparam.pod.in -GENERATE[openssl-dsa.pod]=openssl-dsa.pod.in -GENERATE[openssl-ecparam.pod]=openssl-ecparam.pod.in -GENERATE[openssl-ec.pod]=openssl-ec.pod.in -GENERATE[openssl-enc.pod]=openssl-enc.pod.in -GENERATE[openssl-engine.pod]=openssl-engine.pod.in -GENERATE[openssl-errstr.pod]=openssl-errstr.pod.in -GENERATE[openssl-fipsinstall.pod]=openssl-fipsinstall.pod.in -GENERATE[openssl-gendsa.pod]=openssl-gendsa.pod.in -GENERATE[openssl-genpkey.pod]=openssl-genpkey.pod.in -GENERATE[openssl-genrsa.pod]=openssl-genrsa.pod.in -GENERATE[openssl-info.pod]=openssl-info.pod.in -GENERATE[openssl-kdf.pod]=openssl-kdf.pod.in -GENERATE[openssl-list.pod]=openssl-list.pod.in -GENERATE[openssl-mac.pod]=openssl-mac.pod.in -GENERATE[openssl-nseq.pod]=openssl-nseq.pod.in -GENERATE[openssl-ocsp.pod]=openssl-ocsp.pod.in -GENERATE[openssl-passwd.pod]=openssl-passwd.pod.in -GENERATE[openssl-pkcs12.pod]=openssl-pkcs12.pod.in -GENERATE[openssl-pkcs7.pod]=openssl-pkcs7.pod.in -GENERATE[openssl-pkcs8.pod]=openssl-pkcs8.pod.in -GENERATE[openssl-pkeyparam.pod]=openssl-pkeyparam.pod.in -GENERATE[openssl-pkey.pod]=openssl-pkey.pod.in -GENERATE[openssl-pkeyutl.pod]=openssl-pkeyutl.pod.in -GENERATE[openssl-prime.pod]=openssl-prime.pod.in -GENERATE[openssl-rand.pod]=openssl-rand.pod.in -GENERATE[openssl-rehash.pod]=openssl-rehash.pod.in -GENERATE[openssl-req.pod]=openssl-req.pod.in -GENERATE[openssl-rsa.pod]=openssl-rsa.pod.in -GENERATE[openssl-rsautl.pod]=openssl-rsautl.pod.in -GENERATE[openssl-s_client.pod]=openssl-s_client.pod.in -GENERATE[openssl-sess_id.pod]=openssl-sess_id.pod.in -GENERATE[openssl-smime.pod]=openssl-smime.pod.in -GENERATE[openssl-speed.pod]=openssl-speed.pod.in -GENERATE[openssl-spkac.pod]=openssl-spkac.pod.in -GENERATE[openssl-srp.pod]=openssl-srp.pod.in -GENERATE[openssl-s_server.pod]=openssl-s_server.pod.in -GENERATE[openssl-s_time.pod]=openssl-s_time.pod.in -GENERATE[openssl-storeutl.pod]=openssl-storeutl.pod.in -GENERATE[openssl-ts.pod]=openssl-ts.pod.in -GENERATE[openssl-verify.pod]=openssl-verify.pod.in -GENERATE[openssl-version.pod]=openssl-version.pod.in -GENERATE[openssl-x509.pod]=openssl-x509.pod.in +# All .pod.in files are detected by build.info in the parent directory, and +# turned into appropriate GENERATE lines. From openssl at openssl.org Tue Jan 12 16:51:34 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 12 Jan 2021 16:51:34 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings enable-weak-ssl-ciphers Message-ID: <1610470294.408059.2711189.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings enable-weak-ssl-ciphers Commit log since last time: e211d949cd doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code. 42141197a1 Fix for negative return value from `SSL_CTX_sess_accept()` 732e24bb14 Fix simpledynamic test compilation when condigured without DSO support. 6d4313f03e replace 'unsigned const char' with 'const unsigned char' 1330093b9c [test][pkey_check] Add more invalid SM2 key tests 9e49aff2aa Add SM2 private key range validation 4554988e58 [test][pkey_check] Add invalid SM2 key test ed37336b63 [apps/pkey] Return error on failed `-[pub]check` c5bc5ec849 [test] Add `pkey -check` validation tests becbacd705 Adding TLS group name retrieval 22aa4a3afb [crypto/dh] side channel hardening for computing DH shared keys d0afb30ef3 Ensure DTLS free functions can handle NULL 3d0b6494d5 Remove extra space. 981b4b9572 Fixed error and return code. 1c47539a23 Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites. c1e8a0c66e Fix set_ciphersuites ignore unknown ciphers. a86add03ab Prepare for 3.0 alpha 11 cae118f938 Prepare for release of 3.0 alpha 10 bd0c71298a Update copyright year Build log ended with (last 100 lines): 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok ERROR in SERVER 40D743FAD17F0000:error:0A0000F4:SSL routines:ossl_statem_server_read_transition:unexpected message:../openssl/ssl/statem/statem_srvr.c:312: Doing handshakes=1 bytes=256 TLSv1, cipher SSLv3 ADH-RC4-MD5, temp key: 2048 bits DH ../../util/wrap.pl ../../test/ssl_old_test -s_key keyU.ss -s_cert certU.ss -c_key keyU.ss -c_cert certU.ss -config ../../../openssl/test/default-and-legacy.cnf -provider default -provider legacy -s_cert certD.ss -s_key keyD.ss -s_cert certE.ss -s_key keyE.ss -cipher 'ADH-RC4-MD5:@SECLEVEL=0' -ciphersuites '' -tls1 => 1 not ok 28 - Testing ADH-RC4-MD5:@SECLEVEL=0 # ------------------------------------------------------------------------------ ERROR in SERVER 40A73178527F0000:error:0A0000F4:SSL routines:ossl_statem_server_read_transition:unexpected message:../openssl/ssl/statem/statem_srvr.c:312: Doing handshakes=1 bytes=256 TLSv1, cipher SSLv3 RC4-MD5, 2048 bits RSA ../../util/wrap.pl ../../test/ssl_old_test -s_key keyU.ss -s_cert certU.ss -c_key keyU.ss -c_cert certU.ss -config ../../../openssl/test/default-and-legacy.cnf -provider default -provider legacy -s_cert certD.ss -s_key keyD.ss -s_cert certE.ss -s_key keyE.ss -cipher 'RC4-MD5:@SECLEVEL=0' -ciphersuites '' -tls1 => 1 not ok 42 - Testing RC4-MD5:@SECLEVEL=0 # ------------------------------------------------------------------------------ ERROR in SERVER 40471307367F0000:error:0A0000F4:SSL routines:ossl_statem_server_read_transition:unexpected message:../openssl/ssl/statem/statem_srvr.c:312: Doing handshakes=1 bytes=256 TLSv1.2, cipher SSLv3 ADH-RC4-MD5, temp key: 2048 bits DH ../../util/wrap.pl ../../test/ssl_old_test -s_key keyU.ss -s_cert certU.ss -c_key keyU.ss -c_cert certU.ss -config ../../../openssl/test/default-and-legacy.cnf -provider default -provider legacy -s_cert certD.ss -s_key keyD.ss -s_cert certE.ss -s_key keyE.ss -cipher 'ADH-RC4-MD5:@SECLEVEL=0' -ciphersuites '' -tls1_2 => 1 not ok 118 - Testing ADH-RC4-MD5:@SECLEVEL=0 # ------------------------------------------------------------------------------ ERROR in SERVER 40374CB36C7F0000:error:0A0000F4:SSL routines:ossl_statem_server_read_transition:unexpected message:../openssl/ssl/statem/statem_srvr.c:312: Doing handshakes=1 bytes=256 TLSv1.2, cipher SSLv3 RC4-MD5, 2048 bits RSA ../../util/wrap.pl ../../test/ssl_old_test -s_key keyU.ss -s_cert certU.ss -c_key keyU.ss -c_cert certU.ss -config ../../../openssl/test/default-and-legacy.cnf -provider default -provider legacy -s_cert certD.ss -s_key keyD.ss -s_cert certE.ss -s_key keyE.ss -cipher 'RC4-MD5:@SECLEVEL=0' -ciphersuites '' -tls1_2 => 1 not ok 143 - Testing RC4-MD5:@SECLEVEL=0 # ------------------------------------------------------------------------------ # Looks like you failed 4 tests of 148. not ok 4 - Testing ciphersuites # ------------------------------------------------------------------------------ # Looks like you failed 1 test of 12.80-test_ssl_old.t .................. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/12 subtests 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_ssl_old.t (Wstat: 256 Tests: 12 Failed: 1) Failed test: 4 Non-zero exit status: 1 Files=228, Tests=3565, 790 wallclock secs (11.21 usr 1.08 sys + 727.09 cusr 57.92 csys = 797.30 CPU) Result: FAIL make[1]: *** [Makefile:3274: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-weak-ssl-ciphers' make: *** [Makefile:3271: tests] Error 2 From levitte at openssl.org Tue Jan 12 18:03:08 2021 From: levitte at openssl.org (Richard Levitte) Date: Tue, 12 Jan 2021 18:03:08 +0000 Subject: [openssl] master update Message-ID: <1610474588.414899.13408.nullmailer@dev.openssl.org> The branch master has been updated via 5a2d0ef36f4c130758a9d5e84f93004458e3ce60 (commit) via d6d42cda5fbc05aeaadf8c760db60e9089e3609b (commit) from 0d11846e4b2850773d1ee0df206608549a7d45d0 (commit) - Log ----------------------------------------------------------------- commit 5a2d0ef36f4c130758a9d5e84f93004458e3ce60 Author: Richard Levitte Date: Fri Nov 20 23:07:56 2020 +0100 Clean away extraneous library specific FETCH_FAILED reason codes Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13467) commit d6d42cda5fbc05aeaadf8c760db60e9089e3609b Author: Richard Levitte Date: Sat Oct 17 07:07:41 2020 +0200 Use centralized fetching errors We've spread around FETCH_FAILED errors in quite a few places, and that gives somewhat crude error records, as there's no way to tell if the error was unavailable algorithms or some other error at such high levels. As an alternative, we take recording of these kinds of errors down to the fetching functions, which are in a much better place to tell what kind of error it was, thereby relieving the higher level calls from having to guess. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13467) ----------------------------------------------------------------------- Summary of changes: crypto/context.c | 13 ++++++++++ crypto/encode_decode/decoder_meth.c | 48 +++++++++++++++++++++++++++++++++--- crypto/encode_decode/encoder_meth.c | 48 +++++++++++++++++++++++++++++++++--- crypto/err/err.c | 9 +++++++ crypto/err/openssl.txt | 2 -- crypto/evp/evp_err.c | 1 - crypto/evp/evp_fetch.c | 26 +++++--------------- crypto/store/store_meth.c | 49 ++++++++++++++++++++++++++++++++++--- include/internal/cryptlib.h | 1 + include/openssl/err.h.in | 2 ++ include/openssl/evperr.h | 1 - include/openssl/sslerr.h | 2 -- ssl/s3_enc.c | 3 ++- ssl/ssl_err.c | 4 --- ssl/statem/statem.c | 21 ++++++++++------ ssl/statem/statem.h | 2 ++ ssl/statem/statem_clnt.c | 3 ++- ssl/statem/statem_srvr.c | 3 ++- ssl/t1_enc.c | 3 ++- ssl/tls13_enc.c | 7 +++--- test/tls13secretstest.c | 4 +++ 21 files changed, 198 insertions(+), 54 deletions(-) diff --git a/crypto/context.c b/crypto/context.c index 4dbfb723e1..c351ff9619 100644 --- a/crypto/context.c +++ b/crypto/context.c @@ -368,3 +368,16 @@ int ossl_lib_ctx_onfree(OSSL_LIB_CTX *ctx, ossl_lib_ctx_onfree_fn onfreefn) return 1; } + +const char *ossl_lib_ctx_get_descriptor(OSSL_LIB_CTX *libctx) +{ +#ifdef FIPS_MODULE + return "FIPS internal library context"; +#else + if (ossl_lib_ctx_is_global_default(libctx)) + return "Global default library context"; + if (ossl_lib_ctx_is_default(libctx)) + return "Thread-local default library context"; + return "Non-default library context"; +#endif +} diff --git a/crypto/encode_decode/decoder_meth.c b/crypto/encode_decode/decoder_meth.c index 0d389ac5a6..915c91fd80 100644 --- a/crypto/encode_decode/decoder_meth.c +++ b/crypto/encode_decode/decoder_meth.c @@ -87,6 +87,8 @@ struct decoder_data_st { int id; /* For get_decoder_from_store() */ const char *names; /* For get_decoder_from_store() */ const char *propquery; /* For get_decoder_from_store() */ + + unsigned int flag_construct_error_occured : 1; }; /* @@ -242,7 +244,7 @@ void *ossl_decoder_from_dispatch(int id, const OSSL_ALGORITHM *algodef, * then call ossl_decoder_from_dispatch() with that identity number. */ static void *construct_decoder(const OSSL_ALGORITHM *algodef, - OSSL_PROVIDER *prov, void *unused) + OSSL_PROVIDER *prov, void *data) { /* * This function is only called if get_decoder_from_store() returned @@ -250,6 +252,7 @@ static void *construct_decoder(const OSSL_ALGORITHM *algodef, * namemap entry, this is it. Should the name already exist there, we * know that ossl_namemap_add() will return its corresponding number. */ + struct decoder_data_st *methdata = data; OSSL_LIB_CTX *libctx = ossl_provider_libctx(prov); OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); const char *names = algodef->algorithm_names; @@ -259,6 +262,14 @@ static void *construct_decoder(const OSSL_ALGORITHM *algodef, if (id != 0) method = ossl_decoder_from_dispatch(id, algodef, prov); + /* + * Flag to indicate that there was actual construction errors. This + * helps inner_evp_generic_fetch() determine what error it should + * record on inaccessible algorithms. + */ + if (method == NULL) + methdata->flag_construct_error_occured = 1; + return method; } @@ -286,20 +297,32 @@ static OSSL_DECODER *inner_ossl_decoder_fetch(OSSL_LIB_CTX *libctx, int id, OSSL_METHOD_STORE *store = get_decoder_store(libctx); OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); void *method = NULL; + int unsupported = 0; - if (store == NULL || namemap == NULL) + if (store == NULL || namemap == NULL) { + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_PASSED_INVALID_ARGUMENT); return NULL; + } /* * If we have been passed neither a name_id or a name, we have an * internal programming error. */ - if (!ossl_assert(id != 0 || name != NULL)) + if (!ossl_assert(id != 0 || name != NULL)) { + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_INTERNAL_ERROR); return NULL; + } if (id == 0) id = ossl_namemap_name2num(namemap, name); + /* + * If we haven't found the name yet, chances are that the algorithm to + * be fetched is unsupported. + */ + if (id == 0) + unsupported = 1; + if (id == 0 || !ossl_method_store_cache_get(store, id, properties, &method)) { OSSL_METHOD_CONSTRUCT_METHOD mcm = { @@ -317,6 +340,7 @@ static OSSL_DECODER *inner_ossl_decoder_fetch(OSSL_LIB_CTX *libctx, int id, mcmdata.id = id; mcmdata.names = name; mcmdata.propquery = properties; + mcmdata.flag_construct_error_occured = 0; if ((method = ossl_method_construct(libctx, OSSL_OP_DECODER, 0 /* !force_cache */, &mcm, &mcmdata)) != NULL) { @@ -331,6 +355,24 @@ static OSSL_DECODER *inner_ossl_decoder_fetch(OSSL_LIB_CTX *libctx, int id, ossl_method_store_cache_set(store, id, properties, method, up_ref_decoder, free_decoder); } + + /* + * If we never were in the constructor, the algorithm to be fetched + * is unsupported. + */ + unsupported = !mcmdata.flag_construct_error_occured; + } + + if (method == NULL) { + int code = unsupported ? ERR_R_UNSUPPORTED : ERR_R_FETCH_FAILED; + + if (name == NULL) + name = ossl_namemap_num2name(namemap, id, 0); + ERR_raise_data(ERR_LIB_OSSL_DECODER, code, + "%s, Name (%s : %d), Properties (%s)", + ossl_lib_ctx_get_descriptor(libctx), + name = NULL ? "" : name, id, + properties == NULL ? "" : properties); } return method; diff --git a/crypto/encode_decode/encoder_meth.c b/crypto/encode_decode/encoder_meth.c index 99c4a119d3..d3eea415ff 100644 --- a/crypto/encode_decode/encoder_meth.c +++ b/crypto/encode_decode/encoder_meth.c @@ -87,6 +87,8 @@ struct encoder_data_st { int id; /* For get_encoder_from_store() */ const char *names; /* For get_encoder_from_store() */ const char *propquery; /* For get_encoder_from_store() */ + + unsigned int flag_construct_error_occured : 1; }; /* @@ -254,7 +256,7 @@ static void *encoder_from_dispatch(int id, const OSSL_ALGORITHM *algodef, * then call encoder_from_dispatch() with that identity number. */ static void *construct_encoder(const OSSL_ALGORITHM *algodef, - OSSL_PROVIDER *prov, void *unused) + OSSL_PROVIDER *prov, void *data) { /* * This function is only called if get_encoder_from_store() returned @@ -262,6 +264,7 @@ static void *construct_encoder(const OSSL_ALGORITHM *algodef, * namemap entry, this is it. Should the name already exist there, we * know that ossl_namemap_add() will return its corresponding number. */ + struct encoder_data_st *methdata = data; OSSL_LIB_CTX *libctx = ossl_provider_libctx(prov); OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); const char *names = algodef->algorithm_names; @@ -271,6 +274,14 @@ static void *construct_encoder(const OSSL_ALGORITHM *algodef, if (id != 0) method = encoder_from_dispatch(id, algodef, prov); + /* + * Flag to indicate that there was actual construction errors. This + * helps inner_evp_generic_fetch() determine what error it should + * record on inaccessible algorithms. + */ + if (method == NULL) + methdata->flag_construct_error_occured = 1; + return method; } @@ -298,20 +309,32 @@ static OSSL_ENCODER *inner_ossl_encoder_fetch(OSSL_LIB_CTX *libctx, OSSL_METHOD_STORE *store = get_encoder_store(libctx); OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); void *method = NULL; + int unsupported = 0; - if (store == NULL || namemap == NULL) + if (store == NULL || namemap == NULL) { + ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_PASSED_INVALID_ARGUMENT); return NULL; + } /* * If we have been passed neither a name_id or a name, we have an * internal programming error. */ - if (!ossl_assert(id != 0 || name != NULL)) + if (!ossl_assert(id != 0 || name != NULL)) { + ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_INTERNAL_ERROR); return NULL; + } if (id == 0) id = ossl_namemap_name2num(namemap, name); + /* + * If we haven't found the name yet, chances are that the algorithm to + * be fetched is unsupported. + */ + if (id == 0) + unsupported = 1; + if (id == 0 || !ossl_method_store_cache_get(store, id, properties, &method)) { OSSL_METHOD_CONSTRUCT_METHOD mcm = { @@ -329,6 +352,7 @@ static OSSL_ENCODER *inner_ossl_encoder_fetch(OSSL_LIB_CTX *libctx, mcmdata.id = id; mcmdata.names = name; mcmdata.propquery = properties; + mcmdata.flag_construct_error_occured = 0; if ((method = ossl_method_construct(libctx, OSSL_OP_ENCODER, 0 /* !force_cache */, &mcm, &mcmdata)) != NULL) { @@ -343,6 +367,24 @@ static OSSL_ENCODER *inner_ossl_encoder_fetch(OSSL_LIB_CTX *libctx, ossl_method_store_cache_set(store, id, properties, method, up_ref_encoder, free_encoder); } + + /* + * If we never were in the constructor, the algorithm to be fetched + * is unsupported. + */ + unsupported = !mcmdata.flag_construct_error_occured; + } + + if (method == NULL) { + int code = unsupported ? ERR_R_UNSUPPORTED : ERR_R_FETCH_FAILED; + + if (name == NULL) + name = ossl_namemap_num2name(namemap, id, 0); + ERR_raise_data(ERR_LIB_OSSL_ENCODER, code, + "%s, Name (%s : %d), Properties (%s)", + ossl_lib_ctx_get_descriptor(libctx), + name = NULL ? "" : name, id, + properties == NULL ? "" : properties); } return method; diff --git a/crypto/err/err.c b/crypto/err/err.c index 9528158a08..bc7ce875d0 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -117,6 +117,15 @@ static ERR_STRING_DATA ERR_str_reasons[] = { {ERR_R_INVALID_PROVIDER_FUNCTIONS, "invalid provider functions"}, {ERR_R_INTERRUPTED_OR_CANCELLED, "interrupted or cancelled"}, + /* + * Something is unsupported, exactly what is expressed with additional data + */ + {ERR_R_UNSUPPORTED, "unsupported"}, + /* + * A fetch failed for other reasons than the name to be fetched being + * unsupported. + */ + {ERR_R_FETCH_FAILED, "fetch failed"}, {0, NULL}, }; #endif diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 4e36fc3394..bb200a7960 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -2554,7 +2554,6 @@ EVP_R_EXPECTING_A_ECX_KEY:219:expecting a ecx key EVP_R_EXPECTING_A_EC_KEY:142:expecting a ec key EVP_R_EXPECTING_A_POLY1305_KEY:164:expecting a poly1305 key EVP_R_EXPECTING_A_SIPHASH_KEY:175:expecting a siphash key -EVP_R_FETCH_FAILED:202:fetch failed EVP_R_FINAL_ERROR:188:final error EVP_R_FIPS_MODE_NOT_SUPPORTED:167:fips mode not supported EVP_R_GENERATE_ERROR:214:generate error @@ -3106,7 +3105,6 @@ SM2_R_INVALID_FIELD:105:invalid field SM2_R_INVALID_PRIVATE_KEY:113:invalid private key SM2_R_NO_PARAMETERS_SET:109:no parameters set SM2_R_USER_ID_TOO_LARGE:106:user id too large -SSL_R_ALGORITHM_FETCH_FAILED:295:algorithm fetch failed SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY:291:\ application data after close notify SSL_R_APP_DATA_IN_HANDSHAKE:100:app data in handshake diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c index 894f0cebcb..e08c373b33 100644 --- a/crypto/evp/evp_err.c +++ b/crypto/evp/evp_err.c @@ -71,7 +71,6 @@ static const ERR_STRING_DATA EVP_str_reasons[] = { "expecting a poly1305 key"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_EXPECTING_A_SIPHASH_KEY), "expecting a siphash key"}, - {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_FETCH_FAILED), "fetch failed"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_FINAL_ERROR), "final error"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_FIPS_MODE_NOT_SUPPORTED), "fips mode not supported"}, diff --git a/crypto/evp/evp_fetch.c b/crypto/evp/evp_fetch.c index 7a0a3fcda7..5d6d3dbb29 100644 --- a/crypto/evp/evp_fetch.c +++ b/crypto/evp/evp_fetch.c @@ -215,19 +215,6 @@ static void destruct_evp_method(void *method, void *data) methdata->destruct_method(method); } -static const char *libctx_descriptor(OSSL_LIB_CTX *libctx) -{ -#ifdef FIPS_MODULE - return "FIPS internal library context"; -#else - if (ossl_lib_ctx_is_global_default(libctx)) - return "Global default library context"; - if (ossl_lib_ctx_is_default(libctx)) - return "Thread-local default library context"; - return "Non-default library context"; -#endif -} - static void * inner_evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id, int name_id, const char *name, @@ -245,7 +232,7 @@ inner_evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id, int unsupported = 0; if (store == NULL || namemap == NULL) { - ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT); + ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_INVALID_ARGUMENT); return NULL; } @@ -254,7 +241,7 @@ inner_evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id, * programming error. */ if (!ossl_assert(operation_id > 0)) { - ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); + ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); return NULL; } @@ -263,7 +250,7 @@ inner_evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id, * internal programming error. */ if (!ossl_assert(name_id != 0 || name != NULL)) { - ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); + ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); return NULL; } @@ -280,7 +267,7 @@ inner_evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id, * For all intents and purposes, this is an internal error. */ if (name_id != 0 && (meth_id = evp_method_id(name_id, operation_id)) == 0) { - ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); + ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); return NULL; } @@ -337,14 +324,13 @@ inner_evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id, } if (method == NULL) { - int code = - unsupported ? EVP_R_UNSUPPORTED_ALGORITHM : EVP_R_FETCH_FAILED; + int code = unsupported ? ERR_R_UNSUPPORTED : ERR_R_FETCH_FAILED; if (name == NULL) name = ossl_namemap_num2name(namemap, name_id, 0); ERR_raise_data(ERR_LIB_EVP, code, "%s, Algorithm (%s : %d), Properties (%s)", - libctx_descriptor(libctx), + ossl_lib_ctx_get_descriptor(libctx), name = NULL ? "" : name, name_id, properties == NULL ? "" : properties); } diff --git a/crypto/store/store_meth.c b/crypto/store/store_meth.c index 166b885806..979f42a16d 100644 --- a/crypto/store/store_meth.c +++ b/crypto/store/store_meth.c @@ -92,6 +92,8 @@ struct loader_data_st { int scheme_id; /* For get_loader_from_store() */ const char *scheme; /* For get_loader_from_store() */ const char *propquery; /* For get_loader_from_store() */ + + unsigned int flag_construct_error_occured : 1; }; /* @@ -227,7 +229,7 @@ static void *loader_from_dispatch(int scheme_id, const OSSL_ALGORITHM *algodef, * then call loader_from_dispatch() with that identity number. */ static void *construct_loader(const OSSL_ALGORITHM *algodef, - OSSL_PROVIDER *prov, void *unused) + OSSL_PROVIDER *prov, void *data) { /* * This function is only called if get_loader_from_store() returned @@ -235,6 +237,7 @@ static void *construct_loader(const OSSL_ALGORITHM *algodef, * namemap entry, this is it. Should the scheme already exist there, we * know that ossl_namemap_add() will return its corresponding number. */ + struct loader_data_st *methdata = data; OSSL_LIB_CTX *libctx = ossl_provider_libctx(prov); OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); const char *scheme = algodef->algorithm_names; @@ -244,6 +247,14 @@ static void *construct_loader(const OSSL_ALGORITHM *algodef, if (id != 0) method = loader_from_dispatch(id, algodef, prov); + /* + * Flag to indicate that there was actual construction errors. This + * helps inner_evp_generic_fetch() determine what error it should + * record on inaccessible algorithms. + */ + if (method == NULL) + methdata->flag_construct_error_occured = 1; + return method; } @@ -261,20 +272,33 @@ static OSSL_STORE_LOADER *inner_loader_fetch(OSSL_LIB_CTX *libctx, OSSL_METHOD_STORE *store = get_loader_store(libctx); OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); void *method = NULL; + int unsupported = 0; - if (store == NULL || namemap == NULL) + if (store == NULL || namemap == NULL) { + ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_PASSED_INVALID_ARGUMENT); return NULL; + } /* * If we have been passed neither a scheme_id or a scheme, we have an * internal programming error. */ - if (!ossl_assert(id != 0 || scheme != NULL)) + if (!ossl_assert(id != 0 || scheme != NULL)) { + ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_INTERNAL_ERROR); return NULL; + } + /* If we haven't received a name id yet, try to get one for the name */ if (id == 0) id = ossl_namemap_name2num(namemap, scheme); + /* + * If we haven't found the name yet, chances are that the algorithm to + * be fetched is unsupported. + */ + if (id == 0) + unsupported = 1; + if (id == 0 || !ossl_method_store_cache_get(store, id, properties, &method)) { OSSL_METHOD_CONSTRUCT_METHOD mcm = { @@ -292,6 +316,7 @@ static OSSL_STORE_LOADER *inner_loader_fetch(OSSL_LIB_CTX *libctx, mcmdata.scheme_id = id; mcmdata.scheme = scheme; mcmdata.propquery = properties; + mcmdata.flag_construct_error_occured = 0; if ((method = ossl_method_construct(libctx, OSSL_OP_STORE, 0 /* !force_cache */, &mcm, &mcmdata)) != NULL) { @@ -305,6 +330,24 @@ static OSSL_STORE_LOADER *inner_loader_fetch(OSSL_LIB_CTX *libctx, ossl_method_store_cache_set(store, id, properties, method, up_ref_loader, free_loader); } + + /* + * If we never were in the constructor, the algorithm to be fetched + * is unsupported. + */ + unsupported = !mcmdata.flag_construct_error_occured; + } + + if (method == NULL) { + int code = unsupported ? ERR_R_UNSUPPORTED : ERR_R_FETCH_FAILED; + + if (scheme == NULL) + scheme = ossl_namemap_num2name(namemap, id, 0); + ERR_raise_data(ERR_LIB_OSSL_STORE, code, + "%s, Scheme (%s : %d), Properties (%s)", + ossl_lib_ctx_get_descriptor(libctx), + scheme = NULL ? "" : scheme, id, + properties == NULL ? "" : properties); } return method; diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h index eae10dfb6c..0267e3f82e 100644 --- a/include/internal/cryptlib.h +++ b/include/internal/cryptlib.h @@ -184,6 +184,7 @@ typedef void (ossl_lib_ctx_onfree_fn)(OSSL_LIB_CTX *ctx); int ossl_lib_ctx_run_once(OSSL_LIB_CTX *ctx, unsigned int idx, ossl_lib_ctx_run_once_fn run_once_fn); int ossl_lib_ctx_onfree(OSSL_LIB_CTX *ctx, ossl_lib_ctx_onfree_fn onfreefn); +const char *ossl_lib_ctx_get_descriptor(OSSL_LIB_CTX *libctx); OSSL_LIB_CTX *crypto_ex_data_get_ossl_lib_ctx(const CRYPTO_EX_DATA *ad); int crypto_new_ex_data_ex(OSSL_LIB_CTX *ctx, int class_index, void *obj, diff --git a/include/openssl/err.h.in b/include/openssl/err.h.in index deb6117d82..697186a288 100644 --- a/include/openssl/err.h.in +++ b/include/openssl/err.h.in @@ -355,6 +355,8 @@ static ossl_unused ossl_inline int ERR_COMMON_ERROR(unsigned long errcode) # define ERR_R_INTERRUPTED_OR_CANCELLED (265|ERR_RFLAG_COMMON) # define ERR_R_NESTED_ASN1_ERROR (266|ERR_RFLAG_COMMON) # define ERR_R_MISSING_ASN1_EOS (267|ERR_RFLAG_COMMON) +# define ERR_R_UNSUPPORTED (268|ERR_RFLAG_COMMON) +# define ERR_R_FETCH_FAILED (269|ERR_RFLAG_COMMON) typedef struct ERR_string_data_st { unsigned long error; diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h index 4e9989899f..c25cc49025 100644 --- a/include/openssl/evperr.h +++ b/include/openssl/evperr.h @@ -190,7 +190,6 @@ # define EVP_R_EXPECTING_A_EC_KEY 142 # define EVP_R_EXPECTING_A_POLY1305_KEY 164 # define EVP_R_EXPECTING_A_SIPHASH_KEY 175 -# define EVP_R_FETCH_FAILED 202 # define EVP_R_FINAL_ERROR 188 # define EVP_R_FIPS_MODE_NOT_SUPPORTED 167 # define EVP_R_GENERATE_ERROR 214 diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h index d2721d354c..24bb156344 100644 --- a/include/openssl/sslerr.h +++ b/include/openssl/sslerr.h @@ -458,7 +458,6 @@ /* * SSL reason codes. */ -# define SSL_R_ALGORITHM_FETCH_FAILED 295 # define SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY 291 # define SSL_R_APP_DATA_IN_HANDSHAKE 100 # define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272 @@ -513,7 +512,6 @@ # define SSL_R_CERT_LENGTH_MISMATCH 135 # define SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED 218 # define SSL_R_CIPHER_CODE_WRONG_LENGTH 137 -# define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138 # define SSL_R_CLIENTHELLO_TLSEXT 226 # define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140 # define SSL_R_COMPRESSION_DISABLED 343 diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index f1fb9dd987..02b0291dfa 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -251,7 +251,8 @@ int ssl3_setup_key_block(SSL *s) if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, NULL, NULL, &comp, 0)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); + /* Error is already recorded */ + SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); return 0; } diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 39db31bee6..8aeef5ffb3 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -15,8 +15,6 @@ #ifndef OPENSSL_NO_ERR static const ERR_STRING_DATA SSL_str_reasons[] = { - {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ALGORITHM_FETCH_FAILED), - "algorithm fetch failed"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY), "application data after close notify"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APP_DATA_IN_HANDSHAKE), @@ -90,8 +88,6 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { "ciphersuite digest has changed"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHER_CODE_WRONG_LENGTH), "cipher code wrong length"}, - {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHER_OR_HASH_UNAVAILABLE), - "cipher or hash unavailable"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CLIENTHELLO_TLSEXT), "clienthello tlsext"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSED_LENGTH_TOO_LONG), "compressed length too long"}, diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c index 009f370f97..a70f8bc53c 100644 --- a/ssl/statem/statem.c +++ b/ssl/statem/statem.c @@ -111,6 +111,18 @@ void ossl_statem_set_renegotiate(SSL *s) s->statem.request_state = TLS_ST_SW_HELLO_REQ; } +void ossl_statem_send_fatal(SSL *s, int al) +{ + /* We shouldn't call SSLfatal() twice. Once is enough */ + if (s->statem.in_init && s->statem.state == MSG_FLOW_ERROR) + return; + s->statem.in_init = 1; + s->statem.state = MSG_FLOW_ERROR; + if (al != SSL_AD_NO_ALERT + && s->statem.enc_write_state != ENC_WRITE_STATE_INVALID) + ssl3_send_alert(s, SSL3_AL_FATAL, al); +} + /* * Error reporting building block that's used instead of ERR_set_error(). * In addition to what ERR_set_error() does, this puts the state machine @@ -125,14 +137,7 @@ void ossl_statem_fatal(SSL *s, int al, int reason, const char *fmt, ...) ERR_vset_error(ERR_LIB_SSL, reason, fmt, args); va_end(args); - /* We shouldn't call SSLfatal() twice. Once is enough */ - if (s->statem.in_init && s->statem.state == MSG_FLOW_ERROR) - return; - s->statem.in_init = 1; - s->statem.state = MSG_FLOW_ERROR; - if (al != SSL_AD_NO_ALERT - && s->statem.enc_write_state != ENC_WRITE_STATE_INVALID) - ssl3_send_alert(s, SSL3_AL_FATAL, al); + ossl_statem_send_fatal(s, al); } /* diff --git a/ssl/statem/statem.h b/ssl/statem/statem.h index 72d10dffcf..d435cfe704 100644 --- a/ssl/statem/statem.h +++ b/ssl/statem/statem.h @@ -132,8 +132,10 @@ __owur int ossl_statem_accept(SSL *s); __owur int ossl_statem_connect(SSL *s); void ossl_statem_clear(SSL *s); void ossl_statem_set_renegotiate(SSL *s); +void ossl_statem_send_fatal(SSL *s, int al); void ossl_statem_fatal(SSL *s, int al, int reason, const char *fmt, ...); # define SSL_AD_NO_ALERT -1 +# define SSLfatal_alert(s, al) ossl_statem_send_fatal((s), (al)) # define SSLfatal(s, al, r) SSLfatal_data((s), (al), (r), NULL) # define SSLfatal_data \ (ERR_new(), \ diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 875ea59589..045db8265e 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2557,7 +2557,8 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) */ sha256 = EVP_MD_fetch(s->ctx->libctx, "SHA2-256", s->ctx->propq); if (sha256 == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_ALGORITHM_FETCH_FAILED); + /* Error is already recorded */ + SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); goto err; } /* diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index cc09a23960..597456ae83 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -3776,7 +3776,8 @@ static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add, s->ctx->propq); if (cipher == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_ALGORITHM_FETCH_FAILED); + /* Error is already recorded */ + SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); goto err; } diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 8a403a1e14..b02961e0eb 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -539,7 +539,8 @@ int tls1_setup_key_block(SSL *s) if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, &mac_type, &mac_secret_size, &comp, s->ext.use_etm)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); + /* Error is already recorded */ + SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); return 0; } diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index c53d374b69..62adddea26 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -383,7 +383,8 @@ int tls13_setup_key_block(SSL *s) s->session->cipher = s->s3.tmp.new_cipher; if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, NULL, NULL, NULL, 0)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); + /* Error is already recorded */ + SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); return 0; } @@ -595,8 +596,8 @@ int tls13_change_cipher_state(SSL *s, int which) * it again */ if (!ssl_cipher_get_evp_cipher(s->ctx, sslcipher, &cipher)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, - SSL_R_ALGORITHM_FETCH_FAILED); + /* Error is already recorded */ + SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); EVP_MD_CTX_free(mdctx); goto err; } diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c index 9dab53baf6..9d80fe5fc4 100644 --- a/test/tls13secretstest.c +++ b/test/tls13secretstest.c @@ -198,6 +198,10 @@ const EVP_MD *ssl_md(SSL_CTX *ctx, int idx) return EVP_sha256(); } +void ossl_statem_send_fatal(SSL *s, int al) +{ +} + void ossl_statem_fatal(SSL *s, int al, int reason, const char *fmt, ...) { } From openssl at openssl.org Tue Jan 12 21:18:32 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 12 Jan 2021 21:18:32 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2 Message-ID: <1610486312.138702.3269006.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: e211d949cd doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code. 42141197a1 Fix for negative return value from `SSL_CTX_sess_accept()` 732e24bb14 Fix simpledynamic test compilation when condigured without DSO support. 6d4313f03e replace 'unsigned const char' with 'const unsigned char' 1330093b9c [test][pkey_check] Add more invalid SM2 key tests 9e49aff2aa Add SM2 private key range validation 4554988e58 [test][pkey_check] Add invalid SM2 key test ed37336b63 [apps/pkey] Return error on failed `-[pub]check` c5bc5ec849 [test] Add `pkey -check` validation tests becbacd705 Adding TLS group name retrieval 22aa4a3afb [crypto/dh] side channel hardening for computing DH shared keys d0afb30ef3 Ensure DTLS free functions can handle NULL 3d0b6494d5 Remove extra space. 981b4b9572 Fixed error and return code. 1c47539a23 Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites. c1e8a0c66e Fix set_ciphersuites ignore unknown ciphers. a86add03ab Prepare for 3.0 alpha 11 cae118f938 Prepare for release of 3.0 alpha 10 bd0c71298a Update copyright year Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 80F12EB0D17F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80F12EB0D17F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/f_kGTV1sku default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80E113EC807F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80E113EC807F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80E113EC807F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80E113EC807F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80E113EC807F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80E113EC807F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/f_kGTV1sku fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=228, Tests=3564, 915 wallclock secs (13.99 usr 1.42 sys + 825.83 cusr 87.40 csys = 928.64 CPU) Result: FAIL make[1]: *** [Makefile:3247: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2' make: *** [Makefile:3244: tests] Error 2 From openssl at openssl.org Tue Jan 12 23:43:15 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 12 Jan 2021 23:43:15 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method Message-ID: <1610494995.521898.3571562.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: e211d949cd doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code. 42141197a1 Fix for negative return value from `SSL_CTX_sess_accept()` 732e24bb14 Fix simpledynamic test compilation when condigured without DSO support. 6d4313f03e replace 'unsigned const char' with 'const unsigned char' 1330093b9c [test][pkey_check] Add more invalid SM2 key tests 9e49aff2aa Add SM2 private key range validation 4554988e58 [test][pkey_check] Add invalid SM2 key test ed37336b63 [apps/pkey] Return error on failed `-[pub]check` c5bc5ec849 [test] Add `pkey -check` validation tests becbacd705 Adding TLS group name retrieval 22aa4a3afb [crypto/dh] side channel hardening for computing DH shared keys d0afb30ef3 Ensure DTLS free functions can handle NULL 3d0b6494d5 Remove extra space. 981b4b9572 Fixed error and return code. 1c47539a23 Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites. c1e8a0c66e Fix set_ciphersuites ignore unknown ciphers. a86add03ab Prepare for 3.0 alpha 11 cae118f938 Prepare for release of 3.0 alpha 10 bd0c71298a Update copyright year Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 80F18CB6487F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80F18CB6487F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/o9b3WtF_Ol default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80313AEF6C7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80313AEF6C7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80313AEF6C7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80313AEF6C7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80313AEF6C7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80313AEF6C7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/o9b3WtF_Ol fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=228, Tests=3564, 948 wallclock secs (14.44 usr 1.42 sys + 854.89 cusr 90.92 csys = 961.67 CPU) Result: FAIL make[1]: *** [Makefile:3256: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2-method' make: *** [Makefile:3253: tests] Error 2 From dev at ddvo.net Wed Jan 13 08:10:29 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Wed, 13 Jan 2021 08:10:29 +0000 Subject: [openssl] master update Message-ID: <1610525429.789466.14818.nullmailer@dev.openssl.org> The branch master has been updated via 4dd009180a06ad973620c5beec28f2a6839c16ca (commit) via 0cbb3602f542bb670d8f2f8d8d51ef8174af4994 (commit) via 0b7368dda011611855c66543f0b9c66b5bd646d1 (commit) via bf973d0697e61a44dc46d08b0421a08a8cb61887 (commit) from 5a2d0ef36f4c130758a9d5e84f93004458e3ce60 (commit) - Log ----------------------------------------------------------------- commit 4dd009180a06ad973620c5beec28f2a6839c16ca Author: Dr. David von Oheimb Date: Mon Dec 28 11:25:59 2020 +0100 x509_vfy.c: Fix a regression in find_issuer() ...in case the candidate issuer cert is identical to the target cert. This is the v3.0.0 variant of #13749 fixing #13739 for v1.1.1. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13762) commit 0cbb3602f542bb670d8f2f8d8d51ef8174af4994 Author: Dr. David von Oheimb Date: Tue Dec 29 12:37:05 2020 +0100 Make PEM_X509_INFO_read_bio_ex() conservative on the error queue Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13762) commit 0b7368dda011611855c66543f0b9c66b5bd646d1 Author: Dr. David von Oheimb Date: Mon Dec 28 19:45:01 2020 +0100 TEST: move cert, key, and CSR loading aux functions to new testutil/load.c Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13762) commit bf973d0697e61a44dc46d08b0421a08a8cb61887 Author: Dr. David von Oheimb Date: Mon Dec 28 11:27:31 2020 +0100 Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 Deprecate X509_NAME_hash() Document X509_NAME_hash_ex(), X509_NAME_hash(), X509_{subject,issuer}_name_hash() Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13762) ----------------------------------------------------------------------- Summary of changes: apps/crl.c | 17 +++- apps/rehash.c | 19 +++- crypto/pem/pem_info.c | 13 ++- crypto/x509/by_dir.c | 5 +- crypto/x509/x509_cmp.c | 27 +++--- crypto/x509/x509_vfy.c | 19 ++-- doc/man3/X509_LOOKUP_hash_dir.pod | 4 +- doc/man3/X509_get_subject_name.pod | 58 +++++++++--- engines/e_loader_attic.c | 3 +- include/openssl/x509.h.in | 6 +- providers/implementations/storemgmt/file_store.c | 7 +- ssl/ssl_cert.c | 3 +- test/build.info | 2 +- test/cmp_client_test.c | 10 +- test/cmp_msg_test.c | 10 +- test/cmp_protect_test.c | 14 +-- test/cmp_vfy_test.c | 16 ++-- test/helpers/cmp_testlib.c | 42 --------- test/helpers/cmp_testlib.h | 3 - test/helpers/pkcs12.c | 16 ++-- test/http_test.c | 16 +--- test/testutil.h | 7 ++ test/testutil/load.c | 97 +++++++++++++++++++ test/verify_extra_test.c | 113 ++++++----------------- util/find-doc-nits | 2 +- util/libcrypto.num | 2 +- util/missingcrypto.txt | 1 - util/other.syms | 1 + 28 files changed, 296 insertions(+), 237 deletions(-) create mode 100644 test/testutil/load.c diff --git a/apps/crl.c b/apps/crl.c index 0daded01e3..58d63e71d5 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -287,22 +287,33 @@ int crl_main(int argc, char **argv) } if (crlnumber == i) { ASN1_INTEGER *crlnum; + crlnum = X509_CRL_get_ext_d2i(x, NID_crl_number, NULL, NULL); BIO_printf(bio_out, "crlNumber="); if (crlnum) { BIO_puts(bio_out, "0x"); i2a_ASN1_INTEGER(bio_out, crlnum); ASN1_INTEGER_free(crlnum); - } else + } else { BIO_puts(bio_out, ""); + } BIO_printf(bio_out, "\n"); } if (hash == i) { - BIO_printf(bio_out, "%08lx\n", - X509_NAME_hash(X509_CRL_get_issuer(x))); + int ok; + unsigned long hash_value = + X509_NAME_hash_ex(X509_CRL_get_issuer(x), app_get0_libctx(), + app_get0_propq(), &ok); + + BIO_printf(bio_out, "issuer name hash="); + if (ok) + BIO_printf(bio_out, "%08lx\n", hash_value); + else + BIO_puts(bio_out, ""); } #ifndef OPENSSL_NO_MD5 if (hash_old == i) { + BIO_printf(bio_out, "issuer name old hash="); BIO_printf(bio_out, "%08lx\n", X509_NAME_hash_old(X509_CRL_get_issuer(x))); } diff --git a/apps/rehash.c b/apps/rehash.c index 2b867d43cc..29dc76bc38 100644 --- a/apps/rehash.c +++ b/apps/rehash.c @@ -291,10 +291,23 @@ static int do_file(const char *filename, const char *fullpath, enum Hash h) goto end; } if (name != NULL) { - if ((h == HASH_NEW) || (h == HASH_BOTH)) - errs += add_entry(type, X509_NAME_hash(name), filename, digest, 1, ~0); + if (h == HASH_NEW || h == HASH_BOTH) { + int ok; + unsigned long hash_value = + X509_NAME_hash_ex(name, + app_get0_libctx(), app_get0_propq(), &ok); + + if (ok) { + errs += add_entry(type, hash_value, filename, digest, 1, ~0); + } else { + BIO_printf(bio_err, "%s: error calculating SHA1 hash value\n", + opt_getprog()); + errs++; + } + } if ((h == HASH_OLD) || (h == HASH_BOTH)) - errs += add_entry(type, X509_NAME_hash_old(name), filename, digest, 1, ~0); + errs += add_entry(type, X509_NAME_hash_old(name), + filename, digest, 1, ~0); } end: diff --git a/crypto/pem/pem_info.c b/crypto/pem/pem_info.c index 3911fdc5ee..3eda164121 100644 --- a/crypto/pem/pem_info.c +++ b/crypto/pem/pem_info.c @@ -48,10 +48,10 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk, } #endif -STACK_OF(X509_INFO) -*PEM_X509_INFO_read_bio_ex(BIO *bp, STACK_OF(X509_INFO) *sk, - pem_password_cb *cb, void *u, OSSL_LIB_CTX *libctx, - const char *propq) +STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio_ex(BIO *bp, STACK_OF(X509_INFO) *sk, + pem_password_cb *cb, void *u, + OSSL_LIB_CTX *libctx, + const char *propq) { X509_INFO *xi = NULL; char *name = NULL, *header = NULL; @@ -77,15 +77,18 @@ STACK_OF(X509_INFO) for (;;) { raw = 0; ptype = 0; + ERR_set_mark(); i = PEM_read_bio(bp, &name, &header, &data, &len); if (i == 0) { error = ERR_GET_REASON(ERR_peek_last_error()); if (error == PEM_R_NO_START_LINE) { - ERR_clear_error(); + ERR_pop_to_mark(); break; } + ERR_clear_last_mark(); goto err; } + ERR_clear_last_mark(); start: if ((strcmp(name, PEM_STRING_X509) == 0) || (strcmp(name, PEM_STRING_X509_OLD) == 0)) { diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c index 965625973c..ff1c875b4d 100644 --- a/crypto/x509/by_dir.c +++ b/crypto/x509/by_dir.c @@ -252,8 +252,9 @@ static int get_cert_by_subject_ex(X509_LOOKUP *xl, X509_LOOKUP_TYPE type, } ctx = (BY_DIR *)xl->method_data; - - h = X509_NAME_hash(name); + h = X509_NAME_hash_ex(name, libctx, propq, &i); + if (i == 0) + goto finish; for (i = 0; i < sk_BY_DIR_ENTRY_num(ctx->dirs); i++) { BY_DIR_ENTRY *ent; int idx; diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index 9c968b49b0..1231fb4be1 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -93,7 +93,7 @@ X509_NAME *X509_get_issuer_name(const X509 *a) unsigned long X509_issuer_name_hash(X509 *x) { - return X509_NAME_hash(x->cert_info.issuer); + return X509_NAME_hash_ex(x->cert_info.issuer, NULL, NULL, NULL); } #ifndef OPENSSL_NO_MD5 @@ -120,7 +120,7 @@ const ASN1_INTEGER *X509_get0_serialNumber(const X509 *a) unsigned long X509_subject_name_hash(X509 *x) { - return X509_NAME_hash(x->cert_info.subject); + return X509_NAME_hash_ex(x->cert_info.subject, NULL, NULL, NULL); } #ifndef OPENSSL_NO_MD5 @@ -250,20 +250,26 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) return ret < 0 ? -1 : ret > 0; } -unsigned long X509_NAME_hash(const X509_NAME *x) +unsigned long X509_NAME_hash_ex(const X509_NAME *x, OSSL_LIB_CTX *libctx, + const char *propq, int *ok) { unsigned long ret = 0; unsigned char md[SHA_DIGEST_LENGTH]; + EVP_MD *sha1 = EVP_MD_fetch(libctx, "SHA1", propq); /* Make sure X509_NAME structure contains valid cached encoding */ i2d_X509_NAME(x, NULL); - if (!EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(), - NULL)) - return 0; - - ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) | - ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L) - ) & 0xffffffffL; + if (ok != NULL) + *ok = 0; + if (sha1 != NULL + && EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, sha1, NULL)) { + ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) | + ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L) + ) & 0xffffffffL; + if (ok != NULL) + *ok = 1; + } + EVP_MD_free(sha1); return ret; } @@ -272,7 +278,6 @@ unsigned long X509_NAME_hash(const X509_NAME *x) * I now DER encode the name and hash it. Since I cache the DER encoding, * this is reasonably efficient. */ - unsigned long X509_NAME_hash_old(const X509_NAME *x) { EVP_MD *md5 = EVP_MD_fetch(NULL, OSSL_DIGEST_NAME_MD5, "-fips"); diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 3a5673b307..f5849a5603 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -136,7 +136,9 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) X509 *xtmp = NULL; int i; /* Lookup all certs with matching subject name */ + ERR_set_mark(); certs = ctx->lookup_certs(ctx, X509_get_subject_name(x)); + ERR_pop_to_mark(); if (certs == NULL) return NULL; /* Look for exact match */ @@ -314,9 +316,10 @@ static int sk_X509_contains(STACK_OF(X509) *sk, X509 *cert) } /* - * Find in given STACK_OF(X509) sk a non-expired issuer cert (if any) of given cert x. - * The issuer must not be the same as x and must not yet be in ctx->chain, where the - * exceptional case x is self-issued and ctx->chain has just one element is allowed. + * Find in given STACK_OF(X509) sk an issuer cert of given cert x. + * The issuer must not yet be in ctx->chain, where the exceptional case + * that x is self-issued and ctx->chain has just one element is allowed. + * Prefer the first one that is not expired, else take the last expired one. */ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { @@ -325,16 +328,12 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) for (i = 0; i < sk_X509_num(sk); i++) { issuer = sk_X509_value(sk, i); - /* - * Below check 'issuer != x' is an optimization and safety precaution: - * Candidate issuer cert cannot be the same as the subject cert 'x'. - */ - if (issuer != x && ctx->check_issued(ctx, x, issuer) + if (ctx->check_issued(ctx, x, issuer) && (((x->ex_flags & EXFLAG_SI) != 0 && sk_X509_num(ctx->chain) == 1) || !sk_X509_contains(ctx->chain, issuer))) { + if (x509_check_cert_time(ctx, issuer, -1)) + return issuer; rv = issuer; - if (x509_check_cert_time(ctx, rv, -1)) - break; } } return rv; diff --git a/doc/man3/X509_LOOKUP_hash_dir.pod b/doc/man3/X509_LOOKUP_hash_dir.pod index 5a660f100d..282b25807b 100644 --- a/doc/man3/X509_LOOKUP_hash_dir.pod +++ b/doc/man3/X509_LOOKUP_hash_dir.pod @@ -87,8 +87,8 @@ the directory. The directory should contain one certificate or CRL per file in PEM format, with a filename of the form I.I for a certificate, or I.BI for a CRL. -The I is the value returned by the L function applied -to the subject name for certificates or issuer name for CRLs. +The I is the value returned by the L function +applied to the subject name for certificates or issuer name for CRLs. The hash can also be obtained via the B<-hash> option of the L or L commands. diff --git a/doc/man3/X509_get_subject_name.pod b/doc/man3/X509_get_subject_name.pod index a9c8fb1d87..5a4ff47554 100644 --- a/doc/man3/X509_get_subject_name.pod +++ b/doc/man3/X509_get_subject_name.pod @@ -2,20 +2,29 @@ =head1 NAME -X509_get_subject_name, X509_set_subject_name, X509_get_issuer_name, -X509_set_issuer_name, X509_REQ_get_subject_name, X509_REQ_set_subject_name, -X509_CRL_get_issuer, X509_CRL_set_issuer_name - get and set issuer or -subject names +X509_NAME_hash_ex, X509_NAME_hash, +X509_get_subject_name, X509_set_subject_name, X509_subject_name_hash, +X509_get_issuer_name, X509_set_issuer_name, X509_issuer_name_hash, +X509_REQ_get_subject_name, X509_REQ_set_subject_name, +X509_CRL_get_issuer, X509_CRL_set_issuer_name - +get X509_NAME hashes or get and set issuer or subject names =head1 SYNOPSIS #include + unsigned long X509_NAME_hash_ex(const X509_NAME *x, OSSL_LIB_CTX *libctx, + const char *propq, int *ok); +Deprecated since OpenSSL 3.0: + #define X509_NAME_hash(x) X509_NAME_hash_ex(x, NULL, NULL, NULL) + X509_NAME *X509_get_subject_name(const X509 *x); int X509_set_subject_name(X509 *x, const X509_NAME *name); + unsigned long X509_subject_name_hash(X509 *x); X509_NAME *X509_get_issuer_name(const X509 *x); int X509_set_issuer_name(X509 *x, const X509_NAME *name); + unsigned long X509_issuer_name_hash(X509 *x); X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req); int X509_REQ_set_subject_name(X509_REQ *req, const X509_NAME *name); @@ -25,16 +34,29 @@ subject names =head1 DESCRIPTION -X509_get_subject_name() returns the subject name of certificate B. The +X509_NAME_hash_ex() returns a hash value of name I or 0 on failure, +using any given library context I and property query I. +The I result argument may be NULL +or else is used to return 1 for success and 0 for failure. +Failure may happen on malloc error or if no SHA1 implementation is available. + +X509_NAME_hash() returns a hash value of name I or 0 on failure, +using the default library context and default property query. + +X509_get_subject_name() returns the subject name of certificate I. The returned value is an internal pointer which B be freed. -X509_set_subject_name() sets the issuer name of certificate B to -B. The B parameter is copied internally and should be freed +X509_set_subject_name() sets the issuer name of certificate I to +I. The I parameter is copied internally and should be freed up when it is no longer needed. -X509_get_issuer_name() and X509_set_issuer_name() are identical to -X509_get_subject_name() and X509_set_subject_name() except the get and -set the issuer name of B. +X509_subject_name_hash() returns a hash value of the subject name of +certificate I. + +X509_get_issuer_name(), X509_set_issuer_name(), and X509_issuer_name_hash() +are identical to +X509_get_subject_name(), X509_set_subject_name(), and X509_subject_name_hash() +except they relate to the issuer name of I. Similarly X509_REQ_get_subject_name(), X509_REQ_set_subject_name(), X509_CRL_get_issuer() and X509_CRL_set_issuer_name() get or set the subject @@ -45,9 +67,21 @@ or issuer names of certificate requests of CRLs respectively. X509_get_subject_name(), X509_get_issuer_name(), X509_REQ_get_subject_name() and X509_CRL_get_issuer() return an B pointer. +X509_NAME_hash_ex(), X509_NAME_hash(), +X509_subject_name_hash() and X509_issuer_name_hash() +return the first four bytes of the SHA1 hash value, +converted to B in little endian order, +or 0 on failure. + X509_set_subject_name(), X509_set_issuer_name(), X509_REQ_set_subject_name() and X509_CRL_set_issuer_name() return 1 for success and 0 for failure. +=head1 BUGS + +In case X509_NAME_hash(), X509_subject_name_hash(), or X509_issuer_name_hash() +returns 0 it remains unclear if this is the real hash value or due to failure. +Better use X509_NAME_hash_ex() instead. + =head1 SEE ALSO L, @@ -74,9 +108,11 @@ earlier versions. X509_CRL_get_issuer() is a function in OpenSSL 1.1.0. It was previously added in OpenSSL 1.0.0 as a macro. +X509_NAME_hash() was turned into a macro and deprecated in OpenSSL 3.0. + =head1 COPYRIGHT -Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/engines/e_loader_attic.c b/engines/e_loader_attic.c index 586a21df41..0a738b0ff7 100644 --- a/engines/e_loader_attic.c +++ b/engines/e_loader_attic.c @@ -1155,7 +1155,8 @@ static int file_find(OSSL_STORE_LOADER_CTX *ctx, return 0; } - hash = X509_NAME_hash(OSSL_STORE_SEARCH_get0_name(search)); + hash = X509_NAME_hash_ex(OSSL_STORE_SEARCH_get0_name(search), + NULL, NULL, NULL); BIO_snprintf(ctx->_.dir.search_name, sizeof(ctx->_.dir.search_name), "%08lx", hash); return 1; diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in index 825c941aeb..1d9ca63405 100644 --- a/include/openssl/x509.h.in +++ b/include/openssl/x509.h.in @@ -824,7 +824,11 @@ int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags); int X509_cmp(const X509 *a, const X509 *b); int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b); -unsigned long X509_NAME_hash(const X509_NAME *x); +#ifndef OPENSSL_NO_DEPRECATED_3_0 +# define X509_NAME_hash(x) X509_NAME_hash_ex(x, NULL, NULL, NULL) +#endif +unsigned long X509_NAME_hash_ex(const X509_NAME *x, OSSL_LIB_CTX *libctx, + const char *propq, int *ok); unsigned long X509_NAME_hash_old(const X509_NAME *x); int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b); diff --git a/providers/implementations/storemgmt/file_store.c b/providers/implementations/storemgmt/file_store.c index 5607f169cc..15af70218c 100644 --- a/providers/implementations/storemgmt/file_store.c +++ b/providers/implementations/storemgmt/file_store.c @@ -471,6 +471,7 @@ static int file_set_ctx_params(void *loaderctx, const OSSL_PARAM params[]) size_t der_len = 0; X509_NAME *x509_name; unsigned long hash; + int ok; if (ctx->type != IS_DIR) { ERR_raise(ERR_LIB_PROV, @@ -481,10 +482,14 @@ static int file_set_ctx_params(void *loaderctx, const OSSL_PARAM params[]) if (!OSSL_PARAM_get_octet_string_ptr(p, (const void **)&der, &der_len) || (x509_name = d2i_X509_NAME(NULL, &der, der_len)) == NULL) return 0; - hash = X509_NAME_hash(x509_name); + hash = X509_NAME_hash_ex(x509_name, + ossl_prov_ctx_get0_libctx(ctx->provctx), NULL, + &ok); BIO_snprintf(ctx->_.dir.search_name, sizeof(ctx->_.dir.search_name), "%08lx", hash); X509_NAME_free(x509_name); + if (ok == 0) + return 0; } return 1; } diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 4f085dd7e6..967f004bb0 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -601,7 +601,8 @@ static int xname_sk_cmp(const X509_NAME *const *a, const X509_NAME *const *b) static unsigned long xname_hash(const X509_NAME *a) { - return X509_NAME_hash((X509_NAME *)a); + /* This returns 0 also if SHA1 is not available */ + return X509_NAME_hash_ex((X509_NAME *)a, NULL, NULL, NULL); } STACK_OF(X509_NAME) *SSL_load_client_CA_file_ex(const char *file, diff --git a/test/build.info b/test/build.info index 81f9b9cb66..a8f60c385b 100644 --- a/test/build.info +++ b/test/build.info @@ -20,7 +20,7 @@ IF[{- !$disabled{tests} -}] LIBS{noinst,has_main}=libtestutil.a SOURCE[libtestutil.a]=testutil/basic_output.c testutil/output.c \ testutil/driver.c testutil/tests.c testutil/cb.c testutil/stanza.c \ - testutil/format_output.c \ + testutil/format_output.c testutil/load.c \ testutil/test_cleanup.c testutil/main.c testutil/testutil_init.c \ testutil/options.c testutil/test_options.c testutil/provider.c \ testutil/apps_mem.c testutil/random.c $LIBAPPSSRC diff --git a/test/cmp_client_test.c b/test/cmp_client_test.c index efb185402b..e2c0ca5534 100644 --- a/test/cmp_client_test.c +++ b/test/cmp_client_test.c @@ -226,7 +226,7 @@ static int test_exec_P10CR_ses(void) SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up); fixture->req_type = OSSL_CMP_P10CR; fixture->expected = 1; - if (!TEST_ptr(req = load_csr(pkcs10_f)) + if (!TEST_ptr(req = load_csr_der(pkcs10_f)) || !TEST_true(OSSL_CMP_CTX_set1_p10CSR(fixture->cmp_ctx, req))) { tear_down(fixture); fixture = NULL; @@ -369,10 +369,10 @@ int setup_tests(void) if (!test_arg_libctx(&libctx, &default_null_provider, &provider, 5, USAGE)) return 0; - if (!TEST_ptr(server_key = load_pem_key(server_key_f, libctx)) - || !TEST_ptr(server_cert = load_pem_cert(server_cert_f, libctx)) - || !TEST_ptr(client_key = load_pem_key(client_key_f, libctx)) - || !TEST_ptr(client_cert = load_pem_cert(client_cert_f, libctx)) + if (!TEST_ptr(server_key = load_pkey_pem(server_key_f, libctx)) + || !TEST_ptr(server_cert = load_cert_pem(server_cert_f, libctx)) + || !TEST_ptr(client_key = load_pkey_pem(client_key_f, libctx)) + || !TEST_ptr(client_cert = load_cert_pem(client_cert_f, libctx)) || !TEST_int_eq(1, RAND_bytes_ex(libctx, ref, sizeof(ref)))) { cleanup_tests(); return 0; diff --git a/test/cmp_msg_test.c b/test/cmp_msg_test.c index 0b56d66d45..696679980f 100644 --- a/test/cmp_msg_test.c +++ b/test/cmp_msg_test.c @@ -226,7 +226,7 @@ static int test_cmp_create_p10cr(void) fixture->bodytype = OSSL_CMP_PKIBODY_P10CR; fixture->err_code = CMP_R_ERROR_CREATING_CERTREQ; fixture->expected = 1; - if (!TEST_ptr(p10cr = load_csr(pkcs10_f)) + if (!TEST_ptr(p10cr = load_csr_der(pkcs10_f)) || !TEST_true(set1_newPkey(ctx, newkey)) || !TEST_true(OSSL_CMP_CTX_set1_p10CSR(ctx, p10cr))) { tear_down(fixture); @@ -504,8 +504,8 @@ static int test_cmp_pkimessage_create(int bodytype) switch (fixture->bodytype = bodytype) { case OSSL_CMP_PKIBODY_P10CR: fixture->expected = 1; - if (!TEST_true(OSSL_CMP_CTX_set1_p10CSR(fixture->cmp_ctx, - p10cr = load_csr(pkcs10_f)))) { + p10cr = load_csr_der(pkcs10_f); + if (!TEST_true(OSSL_CMP_CTX_set1_p10CSR(fixture->cmp_ctx, p10cr))) { tear_down(fixture); fixture = NULL; } @@ -564,8 +564,8 @@ int setup_tests(void) if (!test_arg_libctx(&libctx, &default_null_provider, &provider, 3, USAGE)) return 0; - if (!TEST_ptr(newkey = load_pem_key(newkey_f, libctx)) - || !TEST_ptr(cert = load_pem_cert(server_cert_f, libctx)) + if (!TEST_ptr(newkey = load_pkey_pem(newkey_f, libctx)) + || !TEST_ptr(cert = load_cert_pem(server_cert_f, libctx)) || !TEST_int_eq(1, RAND_bytes_ex(libctx, ref, sizeof(ref)))) { cleanup_tests(); return 0; diff --git a/test/cmp_protect_test.c b/test/cmp_protect_test.c index d4acb716e7..cc8aabb14d 100644 --- a/test/cmp_protect_test.c +++ b/test/cmp_protect_test.c @@ -541,21 +541,21 @@ int setup_tests(void) if (!test_arg_libctx(&libctx, &default_null_provider, &provider, 10, USAGE)) return 0; - if (!TEST_ptr(loadedkey = load_pem_key(server_key_f, libctx)) - || !TEST_ptr(cert = load_pem_cert(server_cert_f, libctx))) + if (!TEST_ptr(loadedkey = load_pkey_pem(server_key_f, libctx)) + || !TEST_ptr(cert = load_cert_pem(server_cert_f, libctx))) return 0; - if (!TEST_ptr(loadedprivkey = load_pem_key(server_f, libctx))) + if (!TEST_ptr(loadedprivkey = load_pkey_pem(server_f, libctx))) return 0; if (TEST_true(EVP_PKEY_up_ref(loadedprivkey))) loadedpubkey = loadedprivkey; if (!TEST_ptr(ir_protected = load_pkimsg(ir_protected_f)) || !TEST_ptr(ir_unprotected = load_pkimsg(ir_unprotected_f))) return 0; - if (!TEST_ptr(endentity1 = load_pem_cert(endentity1_f, libctx)) - || !TEST_ptr(endentity2 = load_pem_cert(endentity2_f, libctx)) - || !TEST_ptr(root = load_pem_cert(root_f, libctx)) - || !TEST_ptr(intermediate = load_pem_cert(intermediate_f, libctx))) + if (!TEST_ptr(endentity1 = load_cert_pem(endentity1_f, libctx)) + || !TEST_ptr(endentity2 = load_cert_pem(endentity2_f, libctx)) + || !TEST_ptr(root = load_cert_pem(root_f, libctx)) + || !TEST_ptr(intermediate = load_cert_pem(intermediate_f, libctx))) return 0; if (!TEST_int_eq(1, RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH))) return 0; diff --git a/test/cmp_vfy_test.c b/test/cmp_vfy_test.c index d45c938335..646d1a9aa1 100644 --- a/test/cmp_vfy_test.c +++ b/test/cmp_vfy_test.c @@ -604,19 +604,19 @@ int setup_tests(void) return 0; /* Load certificates for cert chain */ - if (!TEST_ptr(endentity1 = load_pem_cert(endentity1_f, libctx)) - || !TEST_ptr(endentity2 = load_pem_cert(endentity2_f, libctx)) - || !TEST_ptr(root = load_pem_cert(root_f, NULL)) - || !TEST_ptr(intermediate = load_pem_cert(intermediate_f, libctx))) + if (!TEST_ptr(endentity1 = load_cert_pem(endentity1_f, libctx)) + || !TEST_ptr(endentity2 = load_cert_pem(endentity2_f, libctx)) + || !TEST_ptr(root = load_cert_pem(root_f, NULL)) + || !TEST_ptr(intermediate = load_cert_pem(intermediate_f, libctx))) goto err; - if (!TEST_ptr(insta_cert = load_pem_cert(instacert_f, libctx)) - || !TEST_ptr(instaca_cert = load_pem_cert(instaca_f, libctx))) + if (!TEST_ptr(insta_cert = load_cert_pem(instacert_f, libctx)) + || !TEST_ptr(instaca_cert = load_cert_pem(instaca_f, libctx))) goto err; /* Load certificates for message validation */ - if (!TEST_ptr(srvcert = load_pem_cert(server_f, libctx)) - || !TEST_ptr(clcert = load_pem_cert(client_f, libctx))) + if (!TEST_ptr(srvcert = load_cert_pem(server_f, libctx)) + || !TEST_ptr(clcert = load_cert_pem(client_f, libctx))) goto err; if (!TEST_int_eq(1, RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH))) goto err; diff --git a/test/helpers/cmp_testlib.c b/test/helpers/cmp_testlib.c index 627b73c3b1..3c58f69b0c 100644 --- a/test/helpers/cmp_testlib.c +++ b/test/helpers/cmp_testlib.c @@ -12,36 +12,6 @@ #include "cmp_testlib.h" #include /* needed in case config no-deprecated */ -EVP_PKEY *load_pem_key(const char *file, OSSL_LIB_CTX *libctx) -{ - EVP_PKEY *key = NULL; - BIO *bio = NULL; - - if (!TEST_ptr(bio = BIO_new(BIO_s_file()))) - return NULL; - if (TEST_int_gt(BIO_read_filename(bio, file), 0)) - (void)TEST_ptr(key = PEM_read_bio_PrivateKey_ex(bio, NULL, NULL, NULL, - libctx, NULL)); - - BIO_free(bio); - return key; -} - -X509 *load_pem_cert(const char *file, OSSL_LIB_CTX *libctx) -{ - X509 *cert = NULL; - BIO *bio = NULL; - - if (!TEST_ptr(bio = BIO_new(BIO_s_file()))) - return NULL; - if (TEST_int_gt(BIO_read_filename(bio, file), 0) - && TEST_ptr(cert = X509_new_ex(libctx, NULL))) - (void)TEST_ptr(cert = PEM_read_bio_X509(bio, &cert, NULL, NULL)); - - BIO_free(bio); - return cert; -} - OSSL_CMP_MSG *load_pkimsg(const char *file) { OSSL_CMP_MSG *msg; @@ -50,18 +20,6 @@ OSSL_CMP_MSG *load_pkimsg(const char *file) return msg; } -X509_REQ *load_csr(const char *file) -{ - X509_REQ *csr = NULL; - BIO *bio = NULL; - - if (!TEST_ptr(file) || !TEST_ptr(bio = BIO_new_file(file, "rb"))) - return NULL; - (void)TEST_ptr(csr = d2i_X509_REQ_bio(bio, NULL)); - BIO_free(bio); - return csr; -} - /* * Checks whether the syntax of msg conforms to ASN.1 */ diff --git a/test/helpers/cmp_testlib.h b/test/helpers/cmp_testlib.h index 0bee099a67..b33c1b5400 100644 --- a/test/helpers/cmp_testlib.h +++ b/test/helpers/cmp_testlib.h @@ -22,9 +22,6 @@ # ifndef OPENSSL_NO_CMP # define CMP_TEST_REFVALUE_LENGTH 15 /* arbitrary value */ -EVP_PKEY *load_pem_key(const char *file, OSSL_LIB_CTX *libctx); -X509 *load_pem_cert(const char *file, OSSL_LIB_CTX *libctx); -X509_REQ *load_csr(const char *file); OSSL_CMP_MSG *load_pkimsg(const char *file); int valid_asn1_encoding(const OSSL_CMP_MSG *msg); int STACK_OF_X509_cmp(const STACK_OF(X509) *sk1, const STACK_OF(X509) *sk2); diff --git a/test/helpers/pkcs12.c b/test/helpers/pkcs12.c index 6489609d25..1c3a80c5c6 100644 --- a/test/helpers/pkcs12.c +++ b/test/helpers/pkcs12.c @@ -28,9 +28,6 @@ int write_files = 0; * Local function declarations */ -static X509 *load_cert(const unsigned char *bytes, int len); -static EVP_PKEY *load_pkey(const unsigned char *bytes, int len); - static int add_attributes(PKCS12_SAFEBAG *bag, const PKCS12_ATTR *attrs); static void generate_p12(PKCS12_BUILDER *pb, const PKCS12_ENC *mac); @@ -47,7 +44,7 @@ static int check_attrs(const STACK_OF(X509_ATTRIBUTE) *bag_attrs, const PKCS12_A * Test data load functions */ -static X509 *load_cert(const unsigned char *bytes, int len) +static X509 *load_cert_asn1(const unsigned char *bytes, int len) { X509 *cert = NULL; @@ -58,7 +55,7 @@ err: return cert; } -static EVP_PKEY *load_pkey(const unsigned char *bytes, int len) +static EVP_PKEY *load_pkey_asn1(const unsigned char *bytes, int len) { EVP_PKEY *pkey = NULL; @@ -69,7 +66,6 @@ err: return pkey; } - /* ------------------------------------------------------------------------- * PKCS12 builder */ @@ -333,7 +329,7 @@ void add_certbag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len, if (!pb->success) return; - cert = load_cert(bytes, len); + cert = load_cert_asn1(bytes, len); if (!TEST_ptr(cert)) { pb->success = 0; return; @@ -368,7 +364,7 @@ void add_keybag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len, TEST_info("Adding key"); - pkey = load_pkey(bytes, len); + pkey = load_pkey_asn1(bytes, len); if (!TEST_ptr(pkey)) { pb->success = 0; return; @@ -511,7 +507,7 @@ void check_certbag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len, pb->success = 0; goto err; } - ref_x509 = load_cert(bytes, len); + ref_x509 = load_cert_asn1(bytes, len); if (!TEST_false(X509_cmp(x509, ref_x509))) pb->success = 0; err: @@ -574,7 +570,7 @@ void check_keybag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len, } /* PKEY compare returns 1 for match */ - ref_pkey = load_pkey(bytes, len); + ref_pkey = load_pkey_asn1(bytes, len); if (!TEST_true(EVP_PKEY_eq(pkey, ref_pkey))) pb->success = 0; err: diff --git a/test/http_test.c b/test/http_test.c index 437fca97dc..e95249d21b 100644 --- a/test/http_test.c +++ b/test/http_test.c @@ -22,20 +22,6 @@ static X509 *x509 = NULL; #define RPATH "path/any.crt" static const char *rpath; -static X509 *load_pem_cert(const char *file) -{ - X509 *cert = NULL; - BIO *bio = NULL; - - if (!TEST_ptr(bio = BIO_new(BIO_s_file()))) - return NULL; - if (TEST_int_gt(BIO_read_filename(bio, file), 0)) - (void)TEST_ptr(cert = PEM_read_bio_X509(bio, NULL, NULL, NULL)); - - BIO_free(bio); - return cert; -} - /* * pretty trivial HTTP mock server: * for POST, copy request headers+body from mem BIO 'in' as response to 'out' @@ -238,7 +224,7 @@ int setup_tests(void) } x509_it = ASN1_ITEM_rptr(X509); - if (!TEST_ptr((x509 = load_pem_cert(test_get_argument(0))))) + if (!TEST_ptr((x509 = load_cert_pem(test_get_argument(0), NULL)))) return 1; ADD_TEST(test_http_url_dns); diff --git a/test/testutil.h b/test/testutil.h index 91e4d4bdd9..73e522a817 100644 --- a/test/testutil.h +++ b/test/testutil.h @@ -16,6 +16,7 @@ # include # include # include +# include # include "opt.h" /*- @@ -568,4 +569,10 @@ void test_random_seed(uint32_t sd); /* Create a file path from a directory and a filename */ char *test_mk_file_path(const char *dir, const char *file); +EVP_PKEY *load_pkey_pem(const char *file, OSSL_LIB_CTX *libctx); +X509 *load_cert_pem(const char *file, OSSL_LIB_CTX *libctx); +X509 *load_cert_der(const unsigned char *bytes, int len); +STACK_OF(X509) *load_certs_pem(const char *file); +X509_REQ *load_csr_der(const char *file); + #endif /* OSSL_TESTUTIL_H */ diff --git a/test/testutil/load.c b/test/testutil/load.c new file mode 100644 index 0000000000..9b188eb8a6 --- /dev/null +++ b/test/testutil/load.c @@ -0,0 +1,97 @@ +/* + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include + +#include +#include + +#include "../testutil.h" + +X509 *load_cert_pem(const char *file, OSSL_LIB_CTX *libctx) +{ + X509 *cert = NULL; + BIO *bio = NULL; + + if (!TEST_ptr(bio = BIO_new(BIO_s_file()))) + return NULL; + if (TEST_int_gt(BIO_read_filename(bio, file), 0) + && TEST_ptr(cert = X509_new_ex(libctx, NULL))) + (void)TEST_ptr(cert = PEM_read_bio_X509(bio, &cert, NULL, NULL)); + + BIO_free(bio); + return cert; +} + +STACK_OF(X509) *load_certs_pem(const char *filename) +{ + STACK_OF(X509) *certs; + BIO *bio; + X509 *x; + + bio = BIO_new_file(filename, "r"); + + if (bio == NULL) { + return NULL; + } + + certs = sk_X509_new_null(); + if (certs == NULL) { + BIO_free(bio); + return NULL; + } + + ERR_set_mark(); + do { + x = PEM_read_bio_X509(bio, NULL, 0, NULL); + if (x != NULL && !sk_X509_push(certs, x)) { + sk_X509_pop_free(certs, X509_free); + BIO_free(bio); + return NULL; + } else if (x == NULL) { + /* + * We probably just ran out of certs, so ignore any errors + * generated + */ + ERR_pop_to_mark(); + } + } while (x != NULL); + + BIO_free(bio); + + return certs; +} + +EVP_PKEY *load_pkey_pem(const char *file, OSSL_LIB_CTX *libctx) +{ + EVP_PKEY *key = NULL; + BIO *bio = NULL; + + if (!TEST_ptr(bio = BIO_new(BIO_s_file()))) + return NULL; + if (TEST_int_gt(BIO_read_filename(bio, file), 0)) + (void)TEST_ptr(key = PEM_read_bio_PrivateKey_ex(bio, NULL, NULL, NULL, + libctx, NULL)); + + BIO_free(bio); + return key; +} + +X509_REQ *load_csr_der(const char *file) +{ + X509_REQ *csr = NULL; + BIO *bio = NULL; + + if (!TEST_ptr(file) || !TEST_ptr(bio = BIO_new_file(file, "rb"))) + return NULL; + (void)TEST_ptr(csr = d2i_X509_REQ_bio(bio, NULL)); + BIO_free(bio); + return csr; +} diff --git a/test/verify_extra_test.c b/test/verify_extra_test.c index 668b62d408..1b308ca84b 100644 --- a/test/verify_extra_test.c +++ b/test/verify_extra_test.c @@ -22,58 +22,9 @@ static const char *untrusted_f; static const char *bad_f; static const char *req_f; -static X509 *load_cert_from_file(const char *filename) -{ - X509 *cert = NULL; - BIO *bio; - - bio = BIO_new_file(filename, "r"); - if (bio != NULL) - cert = PEM_read_bio_X509(bio, NULL, 0, NULL); - BIO_free(bio); - return cert; -} - -static STACK_OF(X509) *load_certs_from_file(const char *filename) -{ - STACK_OF(X509) *certs; - BIO *bio; - X509 *x; - - bio = BIO_new_file(filename, "r"); +#define load_cert_from_file(file) load_cert_pem(file, NULL) - if (bio == NULL) { - return NULL; - } - - certs = sk_X509_new_null(); - if (certs == NULL) { - BIO_free(bio); - return NULL; - } - - ERR_set_mark(); - do { - x = PEM_read_bio_X509(bio, NULL, 0, NULL); - if (x != NULL && !sk_X509_push(certs, x)) { - sk_X509_pop_free(certs, X509_free); - BIO_free(bio); - return NULL; - } else if (x == NULL) { - /* - * We probably just ran out of certs, so ignore any errors - * generated - */ - ERR_pop_to_mark(); - } - } while (x != NULL); - - BIO_free(bio); - - return certs; -} - -/* +/*- * Test for CVE-2015-1793 (Alternate Chains Certificate Forgery) * * Chain is as follows: @@ -122,7 +73,7 @@ static int test_alt_chains_cert_forgery(void) if (!X509_LOOKUP_load_file(lookup, roots_f, X509_FILETYPE_PEM)) goto err; - untrusted = load_certs_from_file(untrusted_f); + untrusted = load_certs_pem(untrusted_f); if ((x = load_cert_from_file(bad_f)) == NULL) goto err; @@ -148,37 +99,6 @@ static int test_alt_chains_cert_forgery(void) return ret; } -static int test_store_ctx(void) -{ - X509_STORE_CTX *sctx = NULL; - X509 *x = NULL; - int testresult = 0, ret; - - x = load_cert_from_file(bad_f); - if (x == NULL) - goto err; - - sctx = X509_STORE_CTX_new(); - if (sctx == NULL) - goto err; - - if (!X509_STORE_CTX_init(sctx, NULL, x, NULL)) - goto err; - - /* Verifying a cert where we have no trusted certs should fail */ - ret = X509_verify_cert(sctx); - - if (ret == 0) { - /* This is the result we were expecting: Test passed */ - testresult = 1; - } - - err: - X509_STORE_CTX_free(sctx); - X509_free(x); - return testresult; -} - OPT_TEST_DECLARE_USAGE("roots.pem untrusted.pem bad.pem\n") static int test_distinguishing_id(void) @@ -255,30 +175,49 @@ static int test_req_distinguishing_id(void) return ret; } -static int test_self_signed(const char *filename, int expected) +static int test_self_signed(const char *filename, int use_trusted, int expected) { X509 *cert; + STACK_OF(X509) *trusted = sk_X509_new_null(); + X509_STORE_CTX *ctx = X509_STORE_CTX_new(); int ret; cert = load_cert_from_file(filename); /* may result in NULL */ ret = TEST_int_eq(X509_self_signed(cert, 1), expected); + + if (cert != NULL) { + if (use_trusted) + ret = ret && TEST_true(sk_X509_push(trusted, cert)); + ret = ret && TEST_true(X509_STORE_CTX_init(ctx, NULL, cert, NULL)); + X509_STORE_CTX_set0_trusted_stack(ctx, trusted); + ret = ret && TEST_int_eq(X509_verify_cert(ctx), expected); + } + + X509_STORE_CTX_free(ctx); + sk_X509_free(trusted); X509_free(cert); return ret; } static int test_self_signed_good(void) { - return test_self_signed(root_f, 1); + return test_self_signed(root_f, 1, 1); } static int test_self_signed_bad(void) { - return test_self_signed(bad_f, 0); + return test_self_signed(bad_f, 1, 0); } static int test_self_signed_error(void) { - return test_self_signed("nonexistent file name", -1); + return test_self_signed("nonexistent file name", 1, -1); +} + +static int test_store_ctx(void) +{ + /* Verifying a cert where we have no trusted certs should fail */ + return test_self_signed(bad_f, 0, 0); } int setup_tests(void) diff --git a/util/find-doc-nits b/util/find-doc-nits index 6d8b7144df..6c559ba05d 100755 --- a/util/find-doc-nits +++ b/util/find-doc-nits @@ -885,7 +885,7 @@ sub checkstate () { err("$_ is supposedly public but is documented as internal") if ( $declared_public && $name_map{$_} =~ /\/internal\// ); - err("$_ is supposedly internal but is documented as public") + err("$_ is supposedly internal (maybe missing from other.syms) but is documented as public") if ( $declared_internal && $name_map{$_} !~ /\/internal\// ); } } diff --git a/util/libcrypto.num b/util/libcrypto.num index 289a6672f9..aa35b4185c 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -1345,7 +1345,7 @@ EVP_PKEY_asn1_free 1375 3_0_0 EXIST::FUNCTION: ENGINE_unregister_DH 1376 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE PROXY_CERT_INFO_EXTENSION_it 1377 3_0_0 EXIST::FUNCTION: CT_POLICY_EVAL_CTX_set1_cert 1378 3_0_0 EXIST::FUNCTION:CT -X509_NAME_hash 1379 3_0_0 EXIST::FUNCTION: +X509_NAME_hash_ex 1379 3_0_0 EXIST::FUNCTION: SCT_set_timestamp 1380 3_0_0 EXIST::FUNCTION:CT UI_new 1381 3_0_0 EXIST::FUNCTION: TS_REQ_get_msg_imprint 1382 3_0_0 EXIST::FUNCTION:TS diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt index 8a2c773e1d..b547e52858 100644 --- a/util/missingcrypto.txt +++ b/util/missingcrypto.txt @@ -1333,7 +1333,6 @@ X509_INFO_free(3) X509_INFO_new(3) X509_NAME_ENTRY_it(3) X509_NAME_ENTRY_set(3) -X509_NAME_hash(3) X509_NAME_hash_old(3) X509_NAME_it(3) X509_NAME_set(3) diff --git a/util/other.syms b/util/other.syms index f35b354cbb..3ffbcb1005 100644 --- a/util/other.syms +++ b/util/other.syms @@ -588,6 +588,7 @@ X509_LOOKUP_load_file define X509_LOOKUP_load_file_ex define X509_LOOKUP_load_store define X509_LOOKUP_load_store_ex define +X509_NAME_hash define X509_STORE_set_lookup_crls_cb define X509_STORE_set_verify_func define EVP_PKEY_CTX_set1_id define From matt at openssl.org Wed Jan 13 09:14:37 2021 From: matt at openssl.org (Matt Caswell) Date: Wed, 13 Jan 2021 09:14:37 +0000 Subject: [openssl] master update Message-ID: <1610529277.352766.13880.nullmailer@dev.openssl.org> The branch master has been updated via 1dccccf33351a732dac3c700b2de05d34f708e33 (commit) from 4dd009180a06ad973620c5beec28f2a6839c16ca (commit) - Log ----------------------------------------------------------------- commit 1dccccf33351a732dac3c700b2de05d34f708e33 Author: Matt Caswell Date: Thu Jan 7 17:40:09 2021 +0000 Fix enable-weak-ssl-ciphers Commit e260bee broke the enable-weak-ssl-ciphers option. The stitched rc4-hmac-md5 cipher implementation did not recognise the tls_version parameter, and therefore was being incorrectly handled. Fixes #13795 Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13803) ----------------------------------------------------------------------- Summary of changes: providers/implementations/ciphers/cipher_rc4_hmac_md5.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c index 69d47b03fe..ee0cff9b86 100644 --- a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c +++ b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c @@ -169,6 +169,14 @@ static int rc4_hmac_md5_set_ctx_params(void *vctx, const OSSL_PARAM params[]) } GET_HW(ctx)->init_mackey(&ctx->base, p->data, p->data_size); } + p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_TLS_VERSION); + if (p != NULL) { + if (!OSSL_PARAM_get_uint(p, &ctx->base.tlsversion)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); + return 0; + } + } + return 1; } From tmraz at fedoraproject.org Wed Jan 13 09:35:43 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Wed, 13 Jan 2021 09:35:43 +0000 Subject: [openssl] master update Message-ID: <1610530543.627776.18351.nullmailer@dev.openssl.org> The branch master has been updated via 48116c2d0fbb1db875e2bc703c08089bf3c5c5c3 (commit) from 1dccccf33351a732dac3c700b2de05d34f708e33 (commit) - Log ----------------------------------------------------------------- commit 48116c2d0fbb1db875e2bc703c08089bf3c5c5c3 Author: Agustin Gianni Date: Fri Jan 8 16:04:05 2021 +0100 Fix incorrect use of BN_CTX API In some edge cases BN_CTX_end was being called without first calling BN_CTX_start. This creates a situation where the state of the big number allocator is corrupted and may lead to crashes. Fixes #13812 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13813) ----------------------------------------------------------------------- Summary of changes: crypto/bn/bn_prime.c | 6 ++++-- crypto/bn/bn_sqrt.c | 5 ++++- crypto/bn/bn_x931p.c | 2 +- crypto/ec/ec_mult.c | 5 ++++- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c index a344d7df02..810f3c7b3d 100644 --- a/crypto/bn/bn_prime.c +++ b/crypto/bn/bn_prime.c @@ -145,8 +145,10 @@ int BN_generate_prime_ex2(BIGNUM *ret, int bits, int safe, } mods = OPENSSL_zalloc(sizeof(*mods) * NUMPRIMES); - if (mods == NULL) - goto err; + if (mods == NULL) { + ERR_raise(ERR_LIB_BN, ERR_R_MALLOC_FAILURE); + return 0; + } BN_CTX_start(ctx); t = BN_CTX_get(ctx); diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c index e323a7f7ab..e0b21ab575 100644 --- a/crypto/bn/bn_sqrt.c +++ b/crypto/bn/bn_sqrt.c @@ -22,6 +22,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) int r; BIGNUM *A, *b, *q, *t, *x, *y; int e, i, j; + int used_ctx = 0; if (!BN_is_odd(p) || BN_abs_is_word(p, 1)) { if (BN_abs_is_word(p, 2)) { @@ -57,6 +58,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) } BN_CTX_start(ctx); + used_ctx = 1; A = BN_CTX_get(ctx); b = BN_CTX_get(ctx); q = BN_CTX_get(ctx); @@ -353,7 +355,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) BN_clear_free(ret); ret = NULL; } - BN_CTX_end(ctx); + if (used_ctx) + BN_CTX_end(ctx); bn_check_top(ret); return ret; } diff --git a/crypto/bn/bn_x931p.c b/crypto/bn/bn_x931p.c index 1e4d4991b2..bca7c9788e 100644 --- a/crypto/bn/bn_x931p.c +++ b/crypto/bn/bn_x931p.c @@ -174,7 +174,7 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx) * exceeded. */ if (!BN_priv_rand_ex(Xp, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY, ctx)) - goto err; + return 0; BN_CTX_start(ctx); t = BN_CTX_get(ctx); diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index 87b9eab604..98bcab2321 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -835,6 +835,7 @@ int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx) EC_POINT **points = NULL; EC_PRE_COMP *pre_comp; int ret = 0; + int used_ctx = 0; #ifndef FIPS_MODULE BN_CTX *new_ctx = NULL; #endif @@ -858,6 +859,7 @@ int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx) goto err; BN_CTX_start(ctx); + used_ctx = 1; order = EC_GROUP_get0_order(group); if (order == NULL) @@ -967,7 +969,8 @@ int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx) ret = 1; err: - BN_CTX_end(ctx); + if (used_ctx) + BN_CTX_end(ctx); #ifndef FIPS_MODULE BN_CTX_free(new_ctx); #endif From tmraz at fedoraproject.org Wed Jan 13 09:37:28 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Wed, 13 Jan 2021 09:37:28 +0000 Subject: [tools] master update Message-ID: <1610530648.602781.19663.nullmailer@dev.openssl.org> The branch master has been updated via bd6c6f78c080744a0092f04c04b7a38121ddcff3 (commit) from 51ba5bc2c18780f94136c71800afc3cf8fd32d40 (commit) - Log ----------------------------------------------------------------- commit bd6c6f78c080744a0092f04c04b7a38121ddcff3 Author: Tomas Mraz Date: Thu Jan 7 10:01:04 2021 +0100 addrev: Silence the git filter-branch warning message Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/tools/pull/81) ----------------------------------------------------------------------- Summary of changes: review-tools/addrev | 1 + 1 file changed, 1 insertion(+) diff --git a/review-tools/addrev b/review-tools/addrev index aa5215a..8f28b02 100755 --- a/review-tools/addrev +++ b/review-tools/addrev @@ -82,6 +82,7 @@ if ($useself) { } my $err = "/tmp/addrev$$"; +$ENV{FILTER_BRANCH_SQUELCH_WARNING} = 1; system("git filter-branch -f --tag-name-filter cat --msg-filter \"gitaddrev $args\" $filterargs || (echo addrev failed; exit 1)"); die if $?; From dev at ddvo.net Wed Jan 13 10:19:37 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Wed, 13 Jan 2021 10:19:37 +0000 Subject: [openssl] master update Message-ID: <1610533177.317765.29141.nullmailer@dev.openssl.org> The branch master has been updated via f2a0458731f15fd4d45f5574a221177f4591b1d8 (commit) via 3339606a38cc9023c807428b429e01cfa1fde4d9 (commit) from 48116c2d0fbb1db875e2bc703c08089bf3c5c5c3 (commit) - Log ----------------------------------------------------------------- commit f2a0458731f15fd4d45f5574a221177f4591b1d8 Author: Dr. David von Oheimb Date: Wed Dec 30 09:49:20 2020 +0100 X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert This is the upstream fix for #13698 reported for v1.1.1 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13755) commit 3339606a38cc9023c807428b429e01cfa1fde4d9 Author: Dr. David von Oheimb Date: Wed Dec 30 09:46:38 2020 +0100 d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX() Partly fixes #13754 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13755) ----------------------------------------------------------------------- Summary of changes: crypto/x509/v3_purp.c | 16 ++++++++-------- crypto/x509/x509_cmp.c | 24 ++++++++++++++++-------- crypto/x509/x509_lu.c | 2 +- crypto/x509/x_all.c | 4 ++-- crypto/x509/x_crl.c | 4 ++-- crypto/x509/x_x509.c | 6 +++++- doc/internal/man3/x509v3_cache_extensions.pod | 3 ++- doc/man3/X509_cmp.pod | 3 ++- doc/man3/X509_get_extension_flags.pod | 9 +++++++-- include/openssl/x509v3.h.in | 1 + test/certs/invalid-cert.pem | 19 +++++++++++++++++++ test/recipes/80-test_x509aux.t | 13 ++++++++----- test/x509aux.c | 17 +++++++++++------ 13 files changed, 84 insertions(+), 37 deletions(-) create mode 100644 test/certs/invalid-cert.pem diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c index a3673e63fa..d9ce52faa4 100644 --- a/crypto/x509/v3_purp.c +++ b/crypto/x509/v3_purp.c @@ -387,6 +387,7 @@ static int check_sig_alg_match(const EVP_PKEY *pkey, const X509 *subject) /* * Cache info on various X.509v3 extensions and further derived information, * e.g., if cert 'x' is self-issued, in x->ex_flags and other internal fields. + * x->sha1_hash is filled in, or else EXFLAG_NO_FINGERPRINT is set in x->flags. * X509_SIG_INFO_VALID is set in x->flags if x->siginf was filled successfully. * Set EXFLAG_INVALID and return 0 in case the certificate is invalid. */ @@ -411,15 +412,12 @@ int x509v3_cache_extensions(X509 *x) CRYPTO_THREAD_unlock(x->lock); return (x->ex_flags & EXFLAG_INVALID) == 0; } - ERR_set_mark(); /* Cache the SHA1 digest of the cert */ if (!X509_digest(x, EVP_sha1(), x->sha1_hash, NULL)) - /* - * Note that the cert is marked invalid also on internal malloc failure - * or on failure of EVP_MD_fetch(), potentially called by X509_digest(). - */ - x->ex_flags |= EXFLAG_INVALID; + x->ex_flags |= EXFLAG_NO_FINGERPRINT; + + ERR_set_mark(); /* V1 should mean no extensions ... */ if (X509_get_version(x) == 0) @@ -625,11 +623,13 @@ int x509v3_cache_extensions(X509 *x) */ #endif ERR_pop_to_mark(); - if ((x->ex_flags & EXFLAG_INVALID) == 0) { + if ((x->ex_flags & (EXFLAG_INVALID | EXFLAG_NO_FINGERPRINT)) == 0) { CRYPTO_THREAD_unlock(x->lock); return 1; } - ERR_raise(ERR_LIB_X509, X509V3_R_INVALID_CERTIFICATE); + if ((x->ex_flags & EXFLAG_INVALID) != 0) + ERR_raise(ERR_LIB_X509, X509V3_R_INVALID_CERTIFICATE); + /* If computing sha1_hash failed the error queue already reflects this. */ err: x->ex_flags |= EXFLAG_SET; /* indicate that cert has been processed */ diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index 1231fb4be1..d18d1e2b67 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -81,7 +81,13 @@ int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b) int X509_CRL_match(const X509_CRL *a, const X509_CRL *b) { - int rv = memcmp(a->sha1_hash, b->sha1_hash, 20); + int rv; + + if ((a->flags & EXFLAG_NO_FINGERPRINT) == 0 + && (b->flags & EXFLAG_NO_FINGERPRINT) == 0) + rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH); + else + return -2; return rv < 0 ? -1 : rv > 0; } @@ -140,19 +146,21 @@ unsigned long X509_subject_name_hash_old(X509 *x) */ int X509_cmp(const X509 *a, const X509 *b) { - int rv; + int rv = 0; if (a == b) /* for efficiency */ return 0; - /* ensure hash is valid */ - if (X509_check_purpose((X509 *)a, -1, 0) != 1) - return -2; - if (X509_check_purpose((X509 *)b, -1, 0) != 1) - return -2; - rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH); + /* attempt to compute cert hash */ + (void)X509_check_purpose((X509 *)a, -1, 0); + (void)X509_check_purpose((X509 *)b, -1, 0); + + if ((a->ex_flags & EXFLAG_NO_FINGERPRINT) == 0 + && (b->ex_flags & EXFLAG_NO_FINGERPRINT) == 0) + rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH); if (rv != 0) return rv < 0 ? -1 : 1; + /* Check for match against stored encoding too */ if (!a->cert_info.enc.modified && !b->cert_info.enc.modified) { if (a->cert_info.enc.len < b->cert_info.enc.len) diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index eb730bb24d..00d45ea809 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -702,7 +702,7 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, if (!X509_cmp(obj->data.x509, x->data.x509)) return obj; } else if (x->type == X509_LU_CRL) { - if (!X509_CRL_match(obj->data.crl, x->data.crl)) + if (X509_CRL_match(obj->data.crl, x->data.crl) == 0) return obj; } else return obj; diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c index 680a1cf48c..9d9079f7f5 100644 --- a/crypto/x509/x_all.c +++ b/crypto/x509/x_all.c @@ -392,7 +392,7 @@ int X509_digest(const X509 *cert, const EVP_MD *md, unsigned char *data, unsigned int *len) { if (EVP_MD_is_a(md, SN_sha1) && (cert->ex_flags & EXFLAG_SET) != 0 - && (cert->ex_flags & EXFLAG_INVALID) == 0) { + && (cert->ex_flags & EXFLAG_NO_FINGERPRINT) == 0) { /* Asking for SHA1 and we already computed it. */ if (len != NULL) *len = sizeof(cert->sha1_hash); @@ -436,7 +436,7 @@ int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md, unsigned int *len) { if (type == EVP_sha1() && (data->flags & EXFLAG_SET) != 0 - && (data->flags & EXFLAG_INVALID) == 0) { + && (data->flags & EXFLAG_NO_FINGERPRINT) == 0) { /* Asking for SHA1; always computed in CRL d2i. */ if (len != NULL) *len = sizeof(data->sha1_hash); diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c index 164d425ab2..ef54a9a3cd 100644 --- a/crypto/x509/x_crl.c +++ b/crypto/x509/x_crl.c @@ -147,7 +147,7 @@ static int crl_set_issuers(X509_CRL *crl) /* * The X509_CRL structure needs a bit of customisation. Cache some extensions - * and hash of the whole CRL. + * and hash of the whole CRL or set EXFLAG_NO_FINGERPRINT if this fails. */ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) @@ -185,7 +185,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, case ASN1_OP_D2I_POST: if (!X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL)) - crl->flags |= EXFLAG_INVALID; + crl->flags |= EXFLAG_NO_FINGERPRINT; crl->idp = X509_CRL_get_ext_d2i(crl, NID_issuing_distribution_point, &i, NULL); diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c index b09fa2754a..287b6c2a1e 100644 --- a/crypto/x509/x_x509.c +++ b/crypto/x509/x_x509.c @@ -125,12 +125,16 @@ IMPLEMENT_ASN1_DUP_FUNCTION(X509) X509 *d2i_X509(X509 **a, const unsigned char **in, long len) { X509 *cert = NULL; + int free_on_error = a != NULL && *a == NULL; cert = (X509 *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, (X509_it())); /* Only cache the extensions if the cert object was passed in */ if (cert != NULL && a != NULL) { - if (!x509v3_cache_extensions(cert)) + if (!x509v3_cache_extensions(cert)) { + if (free_on_error) + X509_free(cert); cert = NULL; + } } return cert; } diff --git a/doc/internal/man3/x509v3_cache_extensions.pod b/doc/internal/man3/x509v3_cache_extensions.pod index 418a19738c..cd00942333 100644 --- a/doc/internal/man3/x509v3_cache_extensions.pod +++ b/doc/internal/man3/x509v3_cache_extensions.pod @@ -17,7 +17,8 @@ This function processes any X509v3 extensions present in an X509 object I and caches the result of that processing as well as further derived info, for instance whether the certificate is self-issued or has version X.509v1. It computes the SHA1 digest of the certificate using the default library context -and property query string and stores the result in x->sha1_hash. +and property query string and stores the result in x->sha1_hash, +or on failure sets B in x->flags. It sets B in x->flags if x->siginf was filled successfully, which may not be possible if a referenced algorithm is unknown or not available. Many OpenSSL functions that use an X509 object call this function implicitly. diff --git a/doc/man3/X509_cmp.pod b/doc/man3/X509_cmp.pod index 1e6a166e65..777d055ad8 100644 --- a/doc/man3/X509_cmp.pod +++ b/doc/man3/X509_cmp.pod @@ -55,7 +55,8 @@ The B comparison functions return B<-1>, B<0>, or B<1> if object I is found to be less than, to match, or be greater than object I, respectively. X509_NAME_cmp(), X509_issuer_and_serial_cmp(), X509_issuer_name_cmp(), -X509_subject_name_cmp() and X509_CRL_cmp() may return B<-2> to indicate an error. +X509_subject_name_cmp(), X509_CRL_cmp(), and X509_CRL_match() +may return B<-2> to indicate an error. =head1 NOTES diff --git a/doc/man3/X509_get_extension_flags.pod b/doc/man3/X509_get_extension_flags.pod index 3f09939e52..cac43d716e 100644 --- a/doc/man3/X509_get_extension_flags.pod +++ b/doc/man3/X509_get_extension_flags.pod @@ -78,12 +78,17 @@ The certificate contains an unhandled critical extension. =item B -Some certificate extension values are invalid or inconsistent. The -certificate should be rejected. +Some certificate extension values are invalid or inconsistent. +The certificate should be rejected. This bit may also be raised after an out-of-memory error while processing the X509 object, so it may not be related to the processed ASN1 object itself. +=item B + +Failed to compute the internal SHA1 hash value of the certificate or CRL. +This may be due to malloc failure or because no SHA1 implementation was found. + =item B The NID_certificate_policies certificate extension is invalid or diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in index 7234aa2c62..dad8694ffa 100644 --- a/include/openssl/x509v3.h.in +++ b/include/openssl/x509v3.h.in @@ -406,6 +406,7 @@ struct ISSUING_DIST_POINT_st { # define EXFLAG_AKID_CRITICAL 0x20000 # define EXFLAG_SKID_CRITICAL 0x40000 # define EXFLAG_SAN_CRITICAL 0x80000 +# define EXFLAG_NO_FINGERPRINT 0x100000 # define KU_DIGITAL_SIGNATURE 0x0080 # define KU_NON_REPUDIATION 0x0040 diff --git a/test/certs/invalid-cert.pem b/test/certs/invalid-cert.pem new file mode 100644 index 0000000000..a8951305a3 --- /dev/null +++ b/test/certs/invalid-cert.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDJTCCAg2gAwIBAgIUEUSW5o7qpgNCWyXic9Fc9tCLS0gwDQYJKoZIhvcNAQEL +BQAwEzERMA8GA1UEAwwIUGVyc29TaW0wHhcNMjAxMjE2MDY1NjM5WhcNMzAxMjE2 +MDY1NjM5WjATMREwDwYDVQQDDAhQZXJzb1NpbTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAMsgRKnnZbQtG9bB9Hn+CoOOsanmnRELSlGq521qi/eBgs2w +SdHYM6rsJFwY89RvINLGeUZh/pu7c+ODtTafAWE3JkynG01d2Zrvp1V1r97+FGyD +f+b1hAggxBy70bTRyr1gAoKQTAm74U/1lj13EpWz7zshgXJ/Pn/hUyTmpNW+fTRE +xaifN0jkl5tZUURGA6w3+BRhVDQtt92vLihqUGaEFpL8yqqFnN44AoQ5+lgMafWi +UyYMHcK75ZB8WWklq8zjRP3xC1h56k01rT6KJO6i+BxMcADerYsn5qTlcUiKcpRU +b6RzLvCUwj91t1aX6npDI3BzSP+wBUUANBfuHEMCAwEAAaNxMG8wFwYDVR0OBBA8 +yBBnvz1Zt6pHm2GwBaRyMBcGA1UdIwQQPMgQZ789WbeqR5thsAWkcjAPBgNVHRMB +Af8EBTADAQH/MAsGA1UdDwQEAwIChDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB +BQUHAwIwDQYJKoZIhvcNAQELBQADggEBAIEzVbttOUc7kK4aY+74TANFZK/qtBQ7 +94a/P30TGWSRUq2HnDsR8Vo4z8xm5oKeC+SIi6NGzviWYquuzpJ7idcbr0MIuSyD ++Vg6n1sG64DxWNdGO9lR5c4mWFdIajShczS2+4QIRB/lFZCf7GhPMtIcbP1o9ckY +2vyv5ZAEU9Z5n0PY+abrKsj0XyvJwdycEsUTywa36fuv6hP3UboLtvK6naXLMrTj +WtSA6PXjHy7h8h0NC8XLk64mc0lcRC4WM+xJ/C+NHglpmBqBxnStpnZykMZYD1Vy +JJ1wNc+Y3e2uMBDxZviH3dIPIgqP1Vpi2TWfqr3DTBNCRf4dl/wwNU8= +-----END TRUSTED CERTIFICATE----- diff --git a/test/recipes/80-test_x509aux.t b/test/recipes/80-test_x509aux.t index 8debd80fc1..327f861fe1 100644 --- a/test/recipes/80-test_x509aux.t +++ b/test/recipes/80-test_x509aux.t @@ -14,14 +14,17 @@ use OpenSSL::Test::Utils; setup("test_x509aux"); +my @path = qw(test certs); + plan skip_all => "test_dane uses ec which is not supported by this OpenSSL build" if disabled("ec"); plan tests => 1; # The number of tests being performed ok(run(test(["x509aux", - srctop_file("test", "certs", "roots.pem"), - srctop_file("test", "certs", "root+anyEKU.pem"), - srctop_file("test", "certs", "root-anyEKU.pem"), - srctop_file("test", "certs", "root-cert.pem")] - )), "x509aux tests"); + srctop_file(@path, "roots.pem"), + srctop_file(@path, "root+anyEKU.pem"), + srctop_file(@path, "root-anyEKU.pem"), + srctop_file(@path, "root-cert.pem"), + srctop_file(@path, "invalid-cert.pem"), + ])), "x509aux tests"); diff --git a/test/x509aux.c b/test/x509aux.c index bd8a781bdb..d170cf7e9e 100644 --- a/test/x509aux.c +++ b/test/x509aux.c @@ -30,17 +30,16 @@ static int test_certs(int num) typedef int (*i2d_X509_t)(const X509 *, unsigned char **); int err = 0; BIO *fp = BIO_new_file(test_get_argument(num), "r"); - X509 *reuse = NULL; if (!TEST_ptr(fp)) return 0; for (c = 0; !err && PEM_read_bio(fp, &name, &header, &data, &len); ++c) { const int trusted = (strcmp(name, PEM_STRING_X509_TRUSTED) == 0); - d2i_X509_t d2i = trusted ? d2i_X509_AUX : d2i_X509; i2d_X509_t i2d = trusted ? i2d_X509_AUX : i2d_X509; X509 *cert = NULL; + X509 *reuse = NULL; const unsigned char *p = data; unsigned char *buf = NULL; unsigned char *bufp; @@ -93,9 +92,15 @@ static int test_certs(int num) goto next; } p = buf; - reuse = d2i(&reuse, &p, enclen); - if (reuse == NULL || X509_cmp (reuse, cert)) { - TEST_error("X509_cmp does not work with %s", name); + reuse = d2i(NULL, &p, enclen); + if (reuse == NULL) { + TEST_error("second d2i call failed for %s", name); + err = 1; + goto next; + } + err = X509_cmp(reuse, cert); + if (err != 0) { + TEST_error("X509_cmp for %s resulted in %d", name, err); err = 1; goto next; } @@ -141,13 +146,13 @@ static int test_certs(int num) */ next: X509_free(cert); + X509_free(reuse); OPENSSL_free(buf); OPENSSL_free(name); OPENSSL_free(header); OPENSSL_free(data); } BIO_free(fp); - X509_free(reuse); if (ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) { /* Reached end of PEM file */ From dev at ddvo.net Wed Jan 13 10:59:53 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Wed, 13 Jan 2021 10:59:53 +0000 Subject: [openssl] master update Message-ID: <1610535593.235907.26176.nullmailer@dev.openssl.org> The branch master has been updated via 2ed63033e46953d0d95ff100c1334da7cc32c49b (commit) via 04a1b3fa7b6090aaca88d2d884de847822e89bef (commit) via 0ae8d4ca9e2db5fd93683dbc42d28c2eba18045d (commit) via 73b1d24c1abfdf0c890b4461c3d07b8bff45844c (commit) via b65c5ec8f5f8c9fa082c44bf805beed03d0fee0c (commit) via 41e597a01d95540f52e8bc4d69f88c3d93a093ce (commit) via ea9fd333d19096d654cb252a2f6785ca03bfcbc1 (commit) via 7836f949c2550a00fe2720e96cfaffd824d357d1 (commit) via 855c68163b182960f2b27bb961a323944d96237e (commit) via f0a057dd5343ca81849dd140ee9c302cda914f41 (commit) via 6ad957f1273e9918c22b27d0f1b1812360964a4e (commit) via 157959438308e586593592cc751195fbf3930a7d (commit) via ec2bfb7d23b4790a5fbe3b5d73a3418966d7e8ad (commit) from f2a0458731f15fd4d45f5574a221177f4591b1d8 (commit) - Log ----------------------------------------------------------------- commit 2ed63033e46953d0d95ff100c1334da7cc32c49b Author: Dr. David von Oheimb Date: Mon Jan 11 07:52:45 2021 +0100 x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 04a1b3fa7b6090aaca88d2d884de847822e89bef Author: Dr. David von Oheimb Date: Wed Jan 6 12:16:44 2021 +0100 apps/req.c: Make sure -verify option takes effect also with -x509 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 0ae8d4ca9e2db5fd93683dbc42d28c2eba18045d Author: Dr. David von Oheimb Date: Wed Jan 6 12:12:25 2021 +0100 apps/req.c: Cosmetic improvements of code and documentation Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 73b1d24c1abfdf0c890b4461c3d07b8bff45844c Author: Dr. David von Oheimb Date: Fri Dec 25 12:10:44 2020 +0100 crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit b65c5ec8f5f8c9fa082c44bf805beed03d0fee0c Author: Dr. David von Oheimb Date: Thu Dec 24 12:43:39 2020 +0100 apps/req.c: Add -copy_extensions option for use with -x509; default: none Fixes #13708 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 41e597a01d95540f52e8bc4d69f88c3d93a093ce Author: Dr. David von Oheimb Date: Thu Dec 24 11:25:47 2020 +0100 Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert Also clean up some related auxiliary functions and documentation Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit ea9fd333d19096d654cb252a2f6785ca03bfcbc1 Author: Dr. David von Oheimb Date: Thu Dec 24 07:42:08 2020 +0100 apps/req.c: make -subj work with -x509; clean up related code Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 7836f949c2550a00fe2720e96cfaffd824d357d1 Author: Dr. David von Oheimb Date: Mon Dec 21 15:52:01 2020 +0100 X509_PUBKEY_set(): Fix error reporting Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 855c68163b182960f2b27bb961a323944d96237e Author: Dr. David von Oheimb Date: Mon Dec 21 13:50:09 2020 +0100 apps/lib/opt.c: Fix error message on unknown option/digest Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit f0a057dd5343ca81849dd140ee9c302cda914f41 Author: Dr. David von Oheimb Date: Sat Dec 19 19:49:25 2020 +0100 Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 6ad957f1273e9918c22b27d0f1b1812360964a4e Author: Dr. David von Oheimb Date: Sat Dec 19 19:46:14 2020 +0100 apps/req.c: add -CA and -CAkey options; improve code and doc Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 157959438308e586593592cc751195fbf3930a7d Author: Dr. David von Oheimb Date: Thu Dec 10 21:02:47 2020 +0100 APPS: Allow OPENSSL_CONF to be empty, not loading a config file Also document the function CONF_get1_default_config_file() Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit ec2bfb7d23b4790a5fbe3b5d73a3418966d7e8ad Author: Dr. David von Oheimb Date: Thu Dec 10 15:23:41 2020 +0100 apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default Fixes #13603 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 208 ++++++------- apps/ca.c | 9 +- apps/include/apps.h | 10 +- apps/lib/apps.c | 85 ++++-- apps/lib/opt.c | 3 +- apps/req.c | 473 ++++++++++++++++-------------- apps/srp.c | 5 +- apps/x509.c | 16 +- crypto/conf/conf_api.c | 4 +- crypto/conf/conf_def.c | 5 +- crypto/conf/conf_mod.c | 11 +- crypto/x509/build.info | 2 +- crypto/x509/{v3_akey.c => v3_akid.c} | 53 ++-- crypto/x509/v3_conf.c | 34 ++- crypto/x509/{v3_alt.c => v3_san.c} | 6 +- crypto/x509/{v3_skey.c => v3_skid.c} | 62 ++-- crypto/x509/v3_utf8.c | 1 - crypto/x509/x_pubkey.c | 16 +- doc/internal/man3/s2i_ASN1_UTF8STRING.pod | 46 --- doc/man1/openssl-ca.pod.in | 49 ++-- doc/man1/openssl-req.pod.in | 103 +++++-- doc/man1/openssl.pod | 11 +- doc/man3/ASN1_generate_nconf.pod | 6 +- doc/man3/CONF_modules_load_file.pod | 12 +- doc/man3/X509V3_set_ctx.pod | 63 ++++ doc/man3/s2i_ASN1_IA5STRING.pod | 21 +- doc/man5/config.pod | 2 +- doc/man5/x509v3_config.pod | 27 +- doc/man7/openssl-env.pod | 2 +- include/crypto/x509.h | 2 + include/crypto/x509v3.h | 23 -- include/openssl/x509v3.h.in | 22 +- test/certs/ext-check.csr | 18 ++ test/recipes/25-test_req.t | 104 ++++++- test/recipes/25-test_x509.t | 19 +- test/recipes/tconversion.pl | 47 +++ util/libcrypto.num | 3 + util/missingcrypto.txt | 2 - util/missingcrypto111.txt | 1 - util/missingmacro.txt | 1 + 40 files changed, 988 insertions(+), 599 deletions(-) rename crypto/x509/{v3_akey.c => v3_akid.c} (76%) rename crypto/x509/{v3_alt.c => v3_san.c} (99%) rename crypto/x509/{v3_skey.c => v3_skid.c} (68%) delete mode 100644 doc/internal/man3/s2i_ASN1_UTF8STRING.pod create mode 100644 doc/man3/X509V3_set_ctx.pod delete mode 100644 include/crypto/x509v3.h create mode 100644 test/certs/ext-check.csr diff --git a/CHANGES.md b/CHANGES.md index 65031b89a5..ac0b22c6fb 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -42,9 +42,9 @@ OpenSSL 3.0 *Otto Hollmann* - * The -cipher-commands and -digest-commands options of the command line - utility list has been deprecated. - Instead use the -cipher-algorithms and -digest-algorithms options. + * The `-cipher-commands` and `-digest-commands` options + of the command line utility `list` have been deprecated. + Instead use the `-cipher-algorithms` and `-digest-algorithms` options. *Dmitry Belyavskiy* @@ -80,11 +80,11 @@ OpenSSL 3.0 *Matt Caswell* - * The -crypt option to the passwd command line tool has been removed. + * The `-crypt` option to the `passwd` command line tool has been removed. *Paul Dale* - * The -C option to the x509, dhparam, dsaparam, and ecparam commands + * The -C option to the `x509`, `dhparam`, `dsaparam`, and `ecparam` commands were removed. *Rich Salz* @@ -139,8 +139,8 @@ OpenSSL 3.0 *Richard Levitte* - * Deprecated EVP_PKEY_CTX_set_rsa_keygen_pubexp() & introduced - EVP_PKEY_CTX_set1_rsa_keygen_pubexp(), which is now preferred. + * Deprecated `EVP_PKEY_CTX_set_rsa_keygen_pubexp()` and introduced + `EVP_PKEY_CTX_set1_rsa_keygen_pubexp()`, which is now preferred. *Jeremy Walch* @@ -156,7 +156,7 @@ OpenSSL 3.0 implemented by EVP_RAND and EVP_RAND_CTX. The main reason is that the RAND_DRBG API is a mixture of 'front end' and 'back end' API calls and some of its API calls are rather low-level. This holds in particular - for the callback mechanism (RAND_DRBG_set_callbacks()). + for the callback mechanism (`RAND_DRBG_set_callbacks()`). Adding a compatibility layer to continue supporting the RAND_DRBG API as a legacy API for a regular deprecation period turned out to come at the @@ -166,7 +166,7 @@ OpenSSL 3.0 *Paul Dale and Matthias St. Pierre* - * Allow SSL_set1_host() and SSL_add1_host() to take IP literal addresses + * Allow `SSL_set1_host()` and `SSL_add1_host()` to take IP literal addresses as well as actual hostnames. *David Woodhouse* @@ -180,7 +180,7 @@ OpenSSL 3.0 and DTLS. SSL_CTX instances that are created for a fixed protocol version (e.g. - TLSv1_server_method()) also silently ignore version bounds. Previously + `TLSv1_server_method()`) also silently ignore version bounds. Previously attempts to apply bounds to these protocol versions would result in an error. Now only the "version-flexible" SSL_CTX instances are subject to limits in configuration files in command-line options. @@ -244,14 +244,13 @@ OpenSSL 3.0 *Tomas Mraz* - * Dropped interactive mode from the 'openssl' program. From now on, - the `openssl` command without arguments is equivalent to `openssl - help`. + * Dropped interactive mode from the `openssl` program. From now on, + running it without arguments is equivalent to `openssl help`. *Richard Levitte* - * Renamed EVP_PKEY_cmp() to EVP_PKEY_eq() and - EVP_PKEY_cmp_parameters() to EVP_PKEY_parameters_eq(). + * Renamed `EVP_PKEY_cmp()` to `EVP_PKEY_eq()` and + `EVP_PKEY_cmp_parameters()` to `EVP_PKEY_parameters_eq()`. While the old function names have been retained for backward compatibility they should not be used in new developments because their return values are confusing: Unlike other `_cmp()` functions @@ -259,8 +258,8 @@ OpenSSL 3.0 *David von Oheimb* - * Deprecated EC_METHOD_get_field_type(). Applications should switch to - EC_GROUP_get_field_type(). + * Deprecated `EC_METHOD_get_field_type()`. Applications should switch to + `EC_GROUP_get_field_type()`. *Billy Bob Brumley* @@ -339,7 +338,7 @@ OpenSSL 3.0 reduced. This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer working at the default security level of 1 and instead requires security level 0. The security level can be changed either using the cipher string - with @SECLEVEL, or calling SSL_CTX_set_security_level(). + with `@SECLEVEL`, or calling `SSL_CTX_set_security_level()`. *Kurt Roeckx* @@ -396,14 +395,14 @@ OpenSSL 3.0 *Richard Levitte* * Added an implementation of CMP and CRMF (RFC 4210, RFC 4211 RFC 6712). - This adds crypto/cmp/, crpyto/crmf/, apps/cmp.c, and test/cmp_*. + This adds `crypto/cmp/`, `crpyto/crmf/`, `apps/cmp.c`, and `test/cmp_*`. See L and L as starting points. *David von Oheimb, Martin Peylo* - * Generalized the HTTP client code from crypto/ocsp/ into crpyto/http/. - The legacy OCSP-focused and only partly documented API is retained. - See L etc. for details. + * Generalized the HTTP client code from `crypto/ocsp/` into `crpyto/http/`. + The legacy OCSP-focused and only partly documented API is retained for + backward compatibility. See L etc. for details. *David von Oheimb* @@ -414,9 +413,9 @@ OpenSSL 3.0 *David von Oheimb* - * BIO_do_connect and BIO_do_handshake have been extended: + * `BIO_do_connect()` and `BIO_do_handshake()` have been extended: If domain name resolution yields multiple IP addresses all of them are tried - after connect() failures. + after `connect()` failures. *David von Oheimb* @@ -461,13 +460,13 @@ OpenSSL 3.0 * X509 certificates signed using SHA1 are no longer allowed at security level 1 and above. In TLS/SSL the default security level is 1. It can be set either - using the cipher string with @SECLEVEL, or calling - SSL_CTX_set_security_level(). If the leaf certificate is signed with SHA-1, - a call to SSL_CTX_use_certificate() will fail if the security level is not + using the cipher string with `@SECLEVEL`, or calling + `SSL_CTX_set_security_level()`. If the leaf certificate is signed with SHA-1, + a call to `SSL_CTX_use_certificate()` will fail if the security level is not lowered first. Outside TLS/SSL, the default security level is -1 (effectively 0). It can - be set using X509_VERIFY_PARAM_set_auth_level() or using the -auth_level - options of the apps. + be set using `X509_VERIFY_PARAM_set_auth_level()` or using the `-auth_level` + options of the commands. *Kurt Roeckx* @@ -514,10 +513,11 @@ OpenSSL 3.0 OSSL_DECODER and OSSL_ENCODER APIs to read and write DH files. Finaly functions that assign or obtain DH objects from an EVP_PKEY such as - EVP_PKEY_assign_DH(), EVP_PKEY_get0_DH, EVP_PKEY_get1_DH, EVP_PKEY_set1_DH - are also deprecated. Applications should instead either read or write an - EVP_PKEY directly using the OSSL_DECODER and OSSL_ENCODER APIs. Or load an - EVP_PKEY directly from DH data using EVP_PKEY_fromdata(). + `EVP_PKEY_assign_DH()`, `EVP_PKEY_get0_DH()`, `EVP_PKEY_get1_DH()`, and + `EVP_PKEY_set1_DH()` are also deprecated. + Applications should instead either read or write an + EVP_PKEY directly using the OSSL_DECODER and OSSL_ENCODER APIs. + Or load an EVP_PKEY directly from DH data using `EVP_PKEY_fromdata()`. *Paul Dale and Matt Caswell* @@ -551,7 +551,7 @@ OpenSSL 3.0 automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC. This means that applications don't have to look at the curve NID and `EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)` to get SM2 computations. - However, they still can, that EVP_PKEY_set_alias_type() call acts as + However, they still can, that `EVP_PKEY_set_alias_type()` call acts as a no-op when the EVP_PKEY is already of the given type. Parameter and key generation is also reworked to make it possible @@ -882,8 +882,8 @@ OpenSSL 3.0 *Jon Spillett* - * Deprecated the public definition of ERR_STATE as well as the function - ERR_get_state(). This is done in preparation of making ERR_STATE an + * Deprecated the public definition of `ERR_STATE` as well as the function + `ERR_get_state()`. This is done in preparation of making `ERR_STATE` an opaque type. *Richard Levitte* @@ -914,7 +914,23 @@ OpenSSL 3.0 *Richard Levitte* - * Added several checks to X509_verify_cert() according to requirements in + * Added the `<-copy_extensions` option to the `req` command for use with `-x509`. + When given with the `copy` or `copyall` argument, + any extensions present in the certification request are copied to the certificate. + + *David von Oheimb* + + * The `x509`, `req`, and `ca` commands now make sure that certificates they + generate are RFC 5280 compliant by default: For X.509 version 3 certs they ensure that + a subjectKeyIdentifier extension is included containing a hash value of the public key + and an authorityKeyIdentifier extension is included for not self-signed certs + containing a keyIdentifier field with the hash value identifying the signing key. + This is done unless some configuration overrides the new default behavior, + e.g. `authorityKeyIdentifier = none`. + + *David von Oheimb* + + * Added several checks to `X509_verify_cert()` according to requirements in RFC 5280 in case `X509_V_FLAG_X509_STRICT` is set (which may be done by using the CLI option `-x509_strict`): * The basicConstraints of CA certificates must be marked critical. @@ -933,7 +949,7 @@ OpenSSL 3.0 *David von Oheimb* - * Certificate verification using X509_verify_cert() meanwhile rejects EC keys + * Certificate verification using `X509_verify_cert()` meanwhile rejects EC keys with explicit curve parameters (specifiedCurve) as required by RFC 5480. *Tomas Mraz* @@ -1004,20 +1020,20 @@ OpenSSL 3.0 * Changed the library initialisation so that the config file is now loaded by default. This was already the case for libssl. It now occurs for both libcrypto and libssl. Use the OPENSSL_INIT_NO_LOAD_CONFIG option to - OPENSSL_init_crypto() to suppress automatic loading of a config file. + `OPENSSL_init_crypto()` to suppress automatic loading of a config file. *Matt Caswell* - * Introduced new error raising macros, ERR_raise() and ERR_raise_data(), - where the former acts as a replacement for ERR_put_error(), and the - latter replaces the combination ERR_put_error()+ERR_add_error_data(). - ERR_raise_data() adds more flexibility by taking a format string and + * Introduced new error raising macros, `ERR_raise()` and `ERR_raise_data()`, + where the former acts as a replacement for `ERR_put_error()`, and the + latter replaces the combination `ERR_put_error()` + `ERR_add_error_data()`. + `ERR_raise_data()` adds more flexibility by taking a format string and an arbitrary number of arguments following it, to be processed with - BIO_snprintf(). + `BIO_snprintf()`. *Richard Levitte* - * Introduced a new function, OSSL_PROVIDER_available(), which can be used + * Introduced a new function, `OSSL_PROVIDER_available()`, which can be used to check if a named provider is loaded and available. When called, it will also activate all fallback providers if such are still present. @@ -1081,7 +1097,7 @@ OpenSSL 3.0 *Paul Yang* - * Use SHA256 as the default digest for TS query in the ts app. + * Use SHA256 as the default digest for TS query in the `ts` app. *Tomas Mraz* @@ -1110,13 +1126,6 @@ OpenSSL 3.0 *Richard Levitte* - * Change the default RSA, DSA and DH size to 2048 bit instead of 1024. - This changes the size when using the genpkey app when no size is given. It - fixes an omission in earlier changes that changed all RSA, DSA and DH - generation apps to use 2048 bits by default. - - *Kurt Roeckx* - * Added command 'openssl kdf' that uses the EVP_KDF API. *Shane Lontis* @@ -1178,7 +1187,7 @@ OpenSSL 3.0 by registering BIOs as trace channels for a number of tracing and debugging categories. - The 'openssl' application has been expanded to enable any of the types + The `openssl` program has been expanded to enable any of the types available via environment variables defined by the user, and serves as one possible example on how to use this functionality. @@ -1629,9 +1638,9 @@ OpenSSL 1.1.1 *Patrick Steuer* * Change the default RSA, DSA and DH size to 2048 bit instead of 1024. - This changes the size when using the genpkey app when no size is given. It - fixes an omission in earlier changes that changed all RSA, DSA and DH - generation apps to use 2048 bits by default. + This changes the size when using the `genpkey` command when no size is given. + It fixes an omission in earlier changes that changed all RSA, DSA and DH + generation commands to use 2048 bits by default. *Kurt Roeckx* @@ -1645,7 +1654,7 @@ OpenSSL 1.1.1 *Matt Caswell* - * Have apps like 's_client' and 's_server' output the signature scheme + * Have commands like `s_client` and `s_server` output the signature scheme along with other cipher suite parameters when debugging. *Lorinczy Zsigmond* @@ -1870,7 +1879,7 @@ OpenSSL 1.1.1 *Matt Caswell* - * Enforce checking in the pkeyutl command line app to ensure that the input + * Enforce checking in the `pkeyutl` command to ensure that the input length does not exceed the maximum supported digest length when performing a sign, verify or verifyrecover operation. @@ -2343,9 +2352,9 @@ OpenSSL 1.1.0 ### Changes between 1.1.0j and 1.1.0k [28 May 2019] * Change the default RSA, DSA and DH size to 2048 bit instead of 1024. - This changes the size when using the genpkey app when no size is given. It - fixes an omission in earlier changes that changed all RSA, DSA and DH - generation apps to use 2048 bits by default. + This changes the size when using the `genpkey` command when no size is given. + It fixes an omission in earlier changes that changed all RSA, DSA and DH + generation commands to use 2048 bits by default. *Kurt Roeckx* @@ -3136,7 +3145,7 @@ OpenSSL 1.1.0 * Configuration change; it's now possible to build dynamic engines without having to build shared libraries and vice versa. This - only applies to the engines in engines/, those in crypto/engine/ + only applies to the engines in `engines/`, those in `crypto/engine/` will always be built into libcrypto (i.e. "static"). Building dynamic engines is enabled by default; to disable, use @@ -4140,9 +4149,9 @@ OpenSSL 1.0.2 ### Changes between 1.0.2r and 1.0.2s [28 May 2019] * Change the default RSA, DSA and DH size to 2048 bit instead of 1024. - This changes the size when using the genpkey app when no size is given. It - fixes an omission in earlier changes that changed all RSA, DSA and DH - generation apps to use 2048 bits by default. + This changes the size when using the `genpkey` command when no size is given. + It fixes an omission in earlier changes that changed all RSA, DSA and DH + generation commands to use 2048 bits by default. *Kurt Roeckx* @@ -4877,10 +4886,10 @@ OpenSSL 1.0.2 *Andy Polyakov* - * Change the req app to generate a 2048-bit RSA/DSA key by default, + * Change the `req` command to generate a 2048-bit RSA/DSA key by default, if no keysize is specified with default_bits. This fixes an omission in an earlier change that changed all RSA/DSA key generation - apps to use 2048 bits by default. + commands to use 2048 bits by default. *Emilia K?sper* @@ -6079,10 +6088,10 @@ OpenSSL 1.0.1 *Andy Polyakov* - * Change the req app to generate a 2048-bit RSA/DSA key by default, + * Change the req command to generate a 2048-bit RSA/DSA key by default, if no keysize is specified with default_bits. This fixes an omission in an earlier change that changed all RSA/DSA key generation - apps to use 2048 bits by default. + commands to use 2048 bits by default. *Emilia K?sper* @@ -7975,7 +7984,7 @@ OpenSSL 1.0.1.] *Steve Henson* - * Add load_crls() function to apps tidying load_certs() too. Add option + * Add load_crls() function to commands tidying load_certs() too. Add option to verify utility to allow additional CRLs to be included. *Steve Henson* @@ -7990,7 +7999,7 @@ OpenSSL 1.0.1.] *Julia Lawall * - * Update verify callback code in apps/s_cb.c and apps/verify.c, it + * Update verify callback code in `apps/s_cb.c` and `apps/verify.c`, it needlessly dereferenced structures, used obsolete functions and didn't handle all updated verify codes correctly. @@ -8420,7 +8429,7 @@ OpenSSL 1.0.1.] arranges the ciphersuites in reasonable order before starting to process the rule string. Thus, the definition for "DEFAULT" (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but - remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH". + remains equivalent to `"AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH"`. This makes it much easier to arrive at a reasonable default order in applications for which anonymous ciphers are OK (meaning that you can't actually use DEFAULT). @@ -9442,7 +9451,7 @@ OpenSSL 0.9.x - fixed x86nasm.pl to create correct asm files for NASM COFF output - added AES, WHIRLPOOL and CPUID assembler code to build files - added missing AES assembler make rules to mk1mf.pl - - fixed order of includes in apps/ocsp.c so that e_os.h settings apply + - fixed order of includes in `apps/ocsp.c` so that `e_os.h` settings apply *Guenter Knauf * @@ -9951,7 +9960,7 @@ OpenSSL 0.9.8.] *Nils Larsch* * Use SHA-1 instead of MD5 as the default digest algorithm for - the apps/openssl applications. + the `apps/openssl` commands. *Nils Larsch* @@ -11734,7 +11743,7 @@ OpenSSL 0.9.7.] * Add the configuration target debug-linux-ppro. Make 'openssl rsa' use the general key loading routines - implemented in apps.c, and make those routines able to + implemented in `apps.c`, and make those routines able to handle the key format FORMAT_NETSCAPE and the variant FORMAT_IISSGC. @@ -12229,12 +12238,13 @@ s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *"Brian Havard" and Richard Levitte* - * Rewrite apps to use NCONF routines instead of the old CONF. New functions - to support NCONF routines in extension code. New function CONF_set_nconf() - to allow functions which take an NCONF to also handle the old LHASH - structure: this means that the old CONF compatible routines can be - retained (in particular wrt extensions) without having to duplicate the - code. New function X509V3_add_ext_nconf_sk to add extensions to a stack. + * Rewrite commands to use `NCONF` routines instead of the old `CONF`. + New functions to support `NCONF `routines in extension code. + New function `CONF_set_nconf()` + to allow functions which take an `NCONF` to also handle the old `LHASH` + structure: this means that the old `CONF` compatible routines can be + retained (in particular w.rt. extensions) without having to duplicate the + code. New function `X509V3_add_ext_nconf_sk()` to add extensions to a stack. *Steve Henson* @@ -12739,7 +12749,7 @@ s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *Steve Henson* - * Disable stdin buffering in load_cert (apps/apps.c) so that no certs are + * Disable stdin buffering in `load_cert()` (`apps/apps.c`) so that no certs are skipped when using openssl x509 multiple times on a single input file, e.g. `(openssl x509 -out cert1; openssl x509 -out cert2) ; problem pointed out by Bodo Moeller* - * Check various `X509_...()` return values in apps/req.c. + * Check various `X509_...()` return values in `apps/req.c`. *Nils Larsch * @@ -15268,7 +15278,7 @@ s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *Steve Henson* - * Bugfixes in apps/x509.c: Avoid a memory leak; and don't use + * Bugfixes in `apps/x509.c`: Avoid a memory leak; and don't use perror when PEM_read_bio_X509_REQ fails, the error message must be obtained from the error queue. @@ -15833,7 +15843,7 @@ s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k The syntax for the cipher sorting has been extended to support sorting by cipher-strength (using the strength_bits hard coded in the tables). - The new command is "@STRENGTH" (see also doc/apps/ciphers.pod). + The new command is `@STRENGTH` (see also `doc/apps/ciphers.pod`). Fix a bug in the cipher-command parser: when supplying a cipher command string with an "undefined" symbol (neither command nor alphanumeric @@ -16286,7 +16296,7 @@ s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k because it isn't possible to mix certificates and CRLs in DER format without choking one or the other routine. Changed this to just read a certificate: this is the best we can do. Also modified the code - in apps/verify.c to take notice of return codes: it was previously + in `apps/verify.c` to take notice of return codes: it was previously attempting to read in certificates from NULL pointers and ignoring any errors: this is one reason why the cert and CRL reader seemed to work. It doesn't check return codes from the default certificate @@ -16459,7 +16469,7 @@ s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *Bodo Moeller* - * New file apps/app_rand.c with commonly needed functionality + * New file `apps/app_rand.c` with commonly needed functionality for handling the random seed file. Use the random seed file in some applications that previously did not: @@ -17190,7 +17200,7 @@ ndif *Steve Henson* - * Set #! path to perl in apps/der_chop to where we found it + * Set #! path to perl in `apps/der_chop` to where we found it instead of using a fixed path. *Bodo Moeller* @@ -18065,14 +18075,14 @@ ndif *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)* - * Run extensive memory leak checks on SSL apps. Fixed *lots* of memory - leaks in ssl/ relating to new X509_get_pubkey() behaviour. Also fixes - in apps/ and an unrelated leak in crypto/dsa/dsa_vrf.c + * Run extensive memory leak checks on SSL commands. Fixed *lots* of memory + leaks in `ssl/` relating to new `X509_get_pubkey()` behaviour. Also fixes + in `apps/` and an unrelated leak in `crypto/dsa/dsa_vrf.c`. *Steve Henson* * Support for RAW extensions where an arbitrary extension can be - created by including its DER encoding. See apps/openssl.cnf for + created by including its DER encoding. See `apps/openssl.cnf` for an example. *Steve Henson* @@ -18331,7 +18341,7 @@ ndif *Ben Laurie* - * Get the gendsa program working (hopefully) and add it to app list. Remove + * Get the `gendsa` command working and add it to the `list` command. Remove encryption from sample DSA keys (in case anyone is interested the password was "1234"). @@ -18350,7 +18360,7 @@ ndif *Bodo Moeller <3moeller at informatik.uni-hamburg.de>* - * Don't blow it for numeric -newkey arguments to apps/req. + * Don't blow it for numeric `-newkey` arguments to `apps/req`. *Bodo Moeller <3moeller at informatik.uni-hamburg.de>* @@ -18390,7 +18400,7 @@ ndif *Ralf S. Engelschall* - * Fix the various library and apps files to free up pkeys obtained from + * Fix the various library and `apps/` files to free up pkeys obtained from X509_PUBKEY_get() et al. Also allow x509.c to handle netscape extensions. *Steve Henson* @@ -18400,7 +18410,7 @@ ndif *Steve Henson and Ben Laurie* - * First cut of a cleanup for apps/. First the `ssleay` program is now named + * First cut of a cleanup for `apps/`. First the `ssleay` program is now named `openssl` and second, the shortcut symlinks for the `openssl ` are no longer created. This way we have a single and consistent command line interface `openssl `, similar to `cvs `. @@ -18550,11 +18560,13 @@ ndif *Ralf S. Engelschall* * Removed dummy files from the 0.9.1b source tree: + ``` crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f + ``` *Ralf S. Engelschall* diff --git a/apps/ca.c b/apps/ca.c index 2772072b79..d97be7568e 100755 --- a/apps/ca.c +++ b/apps/ca.c @@ -494,9 +494,7 @@ end_of_options: argc = opt_num_rest(); argv = opt_rest(); - BIO_printf(bio_err, "Using configuration from %s\n", configfile); - - if ((conf = app_load_config(configfile)) == NULL) + if ((conf = app_load_config_verbose(configfile, 1)) == NULL) goto end; if (configfile != default_config_file && !app_load_modules(conf)) goto end; @@ -1482,6 +1480,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, OPENSSL_STRING *irow = NULL; OPENSSL_STRING *rrow = NULL; char buf[25]; + X509V3_CTX ext_ctx; for (i = 0; i < DB_NUMBER; i++) row[i] = NULL; @@ -1699,8 +1698,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, /* Lets add the extensions, if there are any */ if (ext_sect) { - X509V3_CTX ext_ctx; - /* Initialize the context structure */ X509V3_set_ctx(&ext_ctx, selfsign ? ret : x509, ret, req, NULL, X509V3_CTX_REPLACE); @@ -1903,7 +1900,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, !EVP_PKEY_missing_parameters(pkey)) EVP_PKEY_copy_parameters(pktmp, pkey); - if (!do_X509_sign(ret, pkey, dgst, sigopts)) + if (!do_X509_sign(ret, pkey, dgst, sigopts, &ext_ctx)) goto end; /* We now just add it to the database as DB_TYPE_VAL('V') */ diff --git a/apps/include/apps.h b/apps/include/apps.h index 0a8d6f4060..4bed7d7540 100644 --- a/apps/include/apps.h +++ b/apps/include/apps.h @@ -48,7 +48,7 @@ void app_RAND_load_conf(CONF *c, const char *section); void app_RAND_write(void); -extern char *default_config_file; +extern char *default_config_file; /* may be "" */ extern BIO *bio_in; extern BIO *bio_out; extern BIO *bio_err; @@ -63,8 +63,10 @@ BIO *bio_open_owner(const char *filename, int format, int private); BIO *bio_open_default(const char *filename, char mode, int format); BIO *bio_open_default_quiet(const char *filename, char mode, int format); CONF *app_load_config_bio(BIO *in, const char *filename); -CONF *app_load_config(const char *filename); -CONF *app_load_config_quiet(const char *filename); +#define app_load_config(filename) app_load_config_internal(filename, 0) +#define app_load_config_quiet(filename) app_load_config_internal(filename, 1) +CONF *app_load_config_internal(const char *filename, int quiet); +CONF *app_load_config_verbose(const char *filename, int verbose); int app_load_modules(const CONF *config); CONF *app_load_config_modules(const char *configfile); void unbuffer(FILE *fp); @@ -231,7 +233,7 @@ int init_gen_str(EVP_PKEY_CTX **pctx, const char *algname, ENGINE *e, int do_param, OSSL_LIB_CTX *libctx, const char *propq); int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md, - STACK_OF(OPENSSL_STRING) *sigopts); + STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx); int do_X509_verify(X509 *x, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *vfyopts); int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts); diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 457dac87bc..d5654d9dc9 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -54,6 +54,9 @@ static int WIN32_rename(const char *from, const char *to); # define _kbhit kbhit #endif +static BIO *bio_open_default_(const char *filename, char mode, int format, + int quiet); + #define PASS_SOURCE_SIZE_MAX 4 DEFINE_STACK_OF(CONF) @@ -379,29 +382,25 @@ CONF *app_load_config_bio(BIO *in, const char *filename) return NULL; } -CONF *app_load_config(const char *filename) +CONF *app_load_config_verbose(const char *filename, int verbose) { - BIO *in; - CONF *conf; - - in = bio_open_default(filename, 'r', FORMAT_TEXT); - if (in == NULL) - return NULL; - - conf = app_load_config_bio(in, filename); - BIO_free(in); - return conf; + if (verbose) { + if (*filename == '\0') + BIO_printf(bio_err, "No configuration used\n"); + else + BIO_printf(bio_err, "Using configuration from %s\n", filename); + } + return app_load_config_internal(filename, 0); } -CONF *app_load_config_quiet(const char *filename) +CONF *app_load_config_internal(const char *filename, int quiet) { - BIO *in; + BIO *in = NULL; /* leads to empty config in case filename == "" */ CONF *conf; - in = bio_open_default_quiet(filename, 'r', FORMAT_TEXT); - if (in == NULL) + if (*filename != '\0' + && (in = bio_open_default_(filename, 'r', FORMAT_TEXT, quiet)) == NULL) return NULL; - conf = app_load_config_bio(in, filename); BIO_free(in); return conf; @@ -457,9 +456,7 @@ CONF *app_load_config_modules(const char *configfile) CONF *conf = NULL; if (configfile != NULL) { - BIO_printf(bio_err, "Using configuration from %s\n", configfile); - - if ((conf = app_load_config(configfile)) == NULL) + if ((conf = app_load_config_verbose(configfile, 1)) == NULL) return NULL; if (configfile != default_config_file && !app_load_modules(conf)) { NCONF_free(conf); @@ -1982,12 +1979,41 @@ static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey, && do_pkey_ctx_init(pkctx, sigopts); } -/* Ensure RFC 5280 compliance and then sign the certificate info */ +static int adapt_keyid_ext(X509 *cert, X509V3_CTX *ext_ctx, + const char *name, const char *value, int add_default) +{ + const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(cert); + X509_EXTENSION *new_ext = X509V3_EXT_nconf(NULL, ext_ctx, name, value); + int idx, rv = 0; + + if (new_ext == NULL) + return rv; + + idx = X509v3_get_ext_by_OBJ(exts, X509_EXTENSION_get_object(new_ext), -1); + if (idx >= 0) { + X509_EXTENSION *found_ext = X509v3_get_ext(exts, idx); + ASN1_OCTET_STRING *data = X509_EXTENSION_get_data(found_ext); + int disabled = ASN1_STRING_length(data) <= 2; /* config said "none" */ + + if (disabled) { + X509_delete_ext(cert, idx); + X509_EXTENSION_free(found_ext); + } /* else keep existing key identifier, which might be outdated */ + rv = 1; + } else { + rv = !add_default || X509_add_ext(cert, new_ext, -1); + } + X509_EXTENSION_free(new_ext); + return rv; +} + +/* Ensure RFC 5280 compliance, adapt keyIDs as needed, and sign the cert info */ int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const EVP_MD *md, - STACK_OF(OPENSSL_STRING) *sigopts) + STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx) { const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(cert); EVP_MD_CTX *mctx = EVP_MD_CTX_new(); + int self_sign; int rv = 0; if (sk_X509_EXTENSION_num(exts /* may be NULL */) > 0) { @@ -1995,6 +2021,21 @@ int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const EVP_MD *md, if (!X509_set_version(cert, 2)) /* Make sure cert is X509 v3 */ goto end; + /* + * Add default SKID before such that default AKID can make use of it + * in case the certificate is self-signed + */ + /* Prevent X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER */ + if (!adapt_keyid_ext(cert, ext_ctx, "subjectKeyIdentifier", "hash", 1)) + goto end; + /* Prevent X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER */ + ERR_set_mark(); + self_sign = X509_check_private_key(cert, pkey); + ERR_pop_to_mark(); + if (!adapt_keyid_ext(cert, ext_ctx, "authorityKeyIdentifier", + "keyid, issuer", !self_sign)) + goto end; + /* TODO any further measures for ensuring default RFC 5280 compliance */ } @@ -2745,7 +2786,7 @@ static BIO *bio_open_default_(const char *filename, char mode, int format, if (ret != NULL) return ret; BIO_printf(bio_err, - "Can't open %s for %s, %s\n", + "Can't open \"%s\" for %s, %s\n", filename, modeverb(mode), strerror(errno)); } ERR_print_errors(bio_err); diff --git a/apps/lib/opt.c b/apps/lib/opt.c index 22d4138301..9675bc474d 100644 --- a/apps/lib/opt.c +++ b/apps/lib/opt.c @@ -370,7 +370,8 @@ int opt_md(const char *name, const EVP_MD **mdp) *mdp = EVP_get_digestbyname(name); if (*mdp != NULL) return 1; - opt_printf_stderr("%s: Unknown message digest: %s\n", prog, name); + opt_printf_stderr("%s: Unknown option or message digest: %s\n", prog, + name != NULL ? name : "\"\""); return 0; } diff --git a/apps/req.c b/apps/req.c index acd0cd09cb..8c66f2a5fb 100644 --- a/apps/req.c +++ b/apps/req.c @@ -30,23 +30,24 @@ # include #endif -#define BITS "default_bits" -#define KEYFILE "default_keyfile" -#define PROMPT "prompt" -#define DISTINGUISHED_NAME "distinguished_name" -#define ATTRIBUTES "attributes" -#define V3_EXTENSIONS "x509_extensions" -#define REQ_EXTENSIONS "req_extensions" -#define STRING_MASK "string_mask" -#define UTF8_IN "utf8" - -#define DEFAULT_KEY_LENGTH 2048 -#define MIN_KEY_LENGTH 512 - -static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *dn, int mutlirdn, - int attribs, unsigned long chtype); -static int build_subject(X509_REQ *req, const char *subj, unsigned long chtype, - int multirdn); +#define BITS "default_bits" +#define KEYFILE "default_keyfile" +#define PROMPT "prompt" +#define DISTINGUISHED_NAME "distinguished_name" +#define ATTRIBUTES "attributes" +#define V3_EXTENSIONS "x509_extensions" +#define REQ_EXTENSIONS "req_extensions" +#define STRING_MASK "string_mask" +#define UTF8_IN "utf8" + +#define DEFAULT_KEY_LENGTH 2048 +#define MIN_KEY_LENGTH 512 +#define DEFAULT_DAYS 30 /* default cert validity period in days */ +#define UNSET_DAYS -2 /* -1 may be used for testing expiration checks */ +#define EXT_COPY_UNSET -1 + +static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, X509_NAME *fsubj, + int mutlirdn, int attribs, unsigned long chtype); static int prompt_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect, STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect, @@ -61,11 +62,9 @@ static int add_DN_object(X509_NAME *n, char *text, const char *def, char *value, int nid, int n_min, int n_max, unsigned long chtype, int mval); static int genpkey_cb(EVP_PKEY_CTX *ctx); -static int build_data(char *text, const char *def, - char *value, int n_min, int n_max, - char *buf, const int buf_size, - const char *desc1, const char *desc2 - ); +static int build_data(char *text, const char *def, char *value, + int n_min, int n_max, char *buf, const int buf_size, + const char *desc1, const char *desc2); static int req_check_len(int len, int n_min, int n_max); static int check_end(const char *str, const char *end); static int join(char buf[], size_t buf_size, const char *name, @@ -87,7 +86,9 @@ typedef enum OPTION_choice { OPT_PKEYOPT, OPT_SIGOPT, OPT_VFYOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS, OPT_VERIFY, OPT_NOENC, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8, OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509, - OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_ADDEXT, OPT_EXTENSIONS, + OPT_CA, OPT_CAKEY, + OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, + OPT_COPY_EXTENSIONS, OPT_ADDEXT, OPT_EXTENSIONS, OPT_REQEXTS, OPT_PRECERT, OPT_MD, OPT_SECTION, OPT_R_ENUM, OPT_PROV_ENUM @@ -101,9 +102,9 @@ const OPTIONS req_options[] = { {"keygen_engine", OPT_KEYGEN_ENGINE, 's', "Specify engine to be used for key generation operations"}, #endif - {"in", OPT_IN, '<', "Input file"}, + {"in", OPT_IN, '<', "X.509 request input file"}, {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, - {"verify", OPT_VERIFY, '-', "Verify signature on REQ"}, + {"verify", OPT_VERIFY, '-', "Verify self-signature on the request"}, OPT_SECTION("Certificate"), {"new", OPT_NEW, '-', "New request"}, @@ -115,13 +116,19 @@ const OPTIONS req_options[] = { {"text", OPT_TEXT, '-', "Text form of request"}, {"x509", OPT_X509, '-', "Output an x509 structure instead of a cert request"}, + {"CA", OPT_CA, '<', "Issuer certificate to use with -x509"}, + {"CAkey", OPT_CAKEY, 's', + "Issuer private key to use with -x509; default is -CA arg"}, {OPT_MORE_STR, 1, 1, "(Required by some CA's)"}, - {"subj", OPT_SUBJ, 's', "Set or modify request subject"}, - {"subject", OPT_SUBJECT, '-', "Output the request's subject"}, + {"subj", OPT_SUBJ, 's', "Set or modify subject of request or cert"}, + {"subject", OPT_SUBJECT, '-', + "Print the subject of the output request or cert"}, {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-', "Deprecated; multi-valued RDNs support is always on."}, {"days", OPT_DAYS, 'p', "Number of days cert is valid for"}, {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"}, + {"copy_extensions", OPT_COPY_EXTENSIONS, 's', + "copy extensions from request when using -x509"}, {"addext", OPT_ADDEXT, 's', "Additional cert extension key=value pair (may be given more than once)"}, {"extensions", OPT_EXTENSIONS, 's', @@ -134,8 +141,8 @@ const OPTIONS req_options[] = { {"key", OPT_KEY, 's', "Private key to use"}, {"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"}, {"pubkey", OPT_PUBKEY, '-', "Output public key"}, - {"keyout", OPT_KEYOUT, '>', "File to send the key to"}, - {"passin", OPT_PASSIN, 's', "Private key password source"}, + {"keyout", OPT_KEYOUT, '>', "File to save newly created private key"}, + {"passin", OPT_PASSIN, 's', "Private key and certificate password source"}, {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"}, {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"}, @@ -160,7 +167,6 @@ const OPTIONS req_options[] = { {NULL} }; - /* * An LHASH of strings, where each string is an extension name. */ @@ -180,9 +186,8 @@ static void exts_cleanup(OPENSSL_STRING *x) } /* - * Is the |kv| key already duplicated? This is remarkably tricky to get - * right. Return 0 if unique, -1 on runtime error; 1 if found or a syntax - * error. + * Is the |kv| key already duplicated? This is remarkably tricky to get right. + * Return 0 if unique, -1 on runtime error; 1 if found or a syntax error. */ static int duplicated(LHASH_OF(OPENSSL_STRING) *addexts, char *kv) { @@ -211,7 +216,7 @@ static int duplicated(LHASH_OF(OPENSSL_STRING) *addexts, char *kv) *p = '\0'; /* Finally have a clean "key"; see if it's there [by attempt to add it]. */ - p = (char *)lh_OPENSSL_STRING_insert(addexts, (OPENSSL_STRING*)kv); + p = (char *)lh_OPENSSL_STRING_insert(addexts, (OPENSSL_STRING *)kv); if (p != NULL) { OPENSSL_free(p); return 1; @@ -228,30 +233,34 @@ int req_main(int argc, char **argv) ASN1_INTEGER *serial = NULL; BIO *out = NULL; ENGINE *e = NULL, *gen_eng = NULL; - EVP_PKEY *pkey = NULL; + EVP_PKEY *pkey = NULL, *CAkey = NULL; EVP_PKEY_CTX *genctx = NULL; STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL, *vfyopts = NULL; LHASH_OF(OPENSSL_STRING) *addexts = NULL; - X509 *x509ss = NULL; + X509 *new_x509 = NULL, *CAcert = NULL; X509_REQ *req = NULL; const EVP_CIPHER *cipher = NULL; const EVP_MD *md_alg = NULL, *digest = NULL; + int ext_copy = EXT_COPY_UNSET; BIO *addext_bio = NULL; - char *extensions = NULL, *infile = NULL; + char *extensions = NULL; + const char *infile = NULL, *CAfile = NULL, *CAkeyfile = NULL; char *outfile = NULL, *keyfile = NULL; char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL; char *passin = NULL, *passout = NULL; char *nofree_passin = NULL, *nofree_passout = NULL; char *req_exts = NULL, *subj = NULL; + X509_NAME *fsubj = NULL; char *template = default_config_file, *keyout = NULL; const char *keyalg = NULL; OPTION_CHOICE o; - int ret = 1, x509 = 0, days = 0, i = 0, newreq = 0, verbose = 0; - int pkey_type = -1, private = 0; + int days = UNSET_DAYS; + int ret = 1, gen_x509 = 0, i = 0, newreq = 0, verbose = 0; + int pkey_type = -1; int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM; int modulus = 0, multirdn = 1, verify = 0, noout = 0, text = 0; int noenc = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0; - long newkey = -1; + long newkey_len = -1; unsigned long chtype = MBSTRING_ASC, reqflag = 0; #ifndef OPENSSL_NO_DES @@ -392,10 +401,21 @@ int req_main(int argc, char **argv) text = 1; break; case OPT_X509: - x509 = 1; + gen_x509 = 1; + break; + case OPT_CA: + CAfile = opt_arg(); + break; + case OPT_CAKEY: + CAkeyfile = opt_arg(); break; case OPT_DAYS: days = atoi(opt_arg()); + if (days < -1) { + BIO_printf(bio_err, "%s: -days parameter arg must be >= -1\n", + prog); + goto end; + } break; case OPT_SET_SERIAL: if (serial != NULL) { @@ -415,6 +435,13 @@ int req_main(int argc, char **argv) case OPT_MULTIVALUE_RDN: /* obsolete */ break; + case OPT_COPY_EXTENSIONS: + if (!set_ext_copy(&ext_copy, opt_arg())) { + BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", + opt_arg()); + goto end; + } + break; case OPT_ADDEXT: p = opt_arg(); if (addexts == NULL) { @@ -453,22 +480,21 @@ int req_main(int argc, char **argv) if (argc != 0) goto opthelp; - if (days && !x509) - BIO_printf(bio_err, "Ignoring -days; not generating a certificate\n"); - if (x509 && infile == NULL) + if (!gen_x509) { + if (days != UNSET_DAYS) + BIO_printf(bio_err, "Ignoring -days without -x509; not generating a certificate\n"); + if (ext_copy == EXT_COPY_NONE) + BIO_printf(bio_err, "Ignoring -copy_extensions 'none' when -x509 is not given\n"); + } + if (gen_x509 && infile == NULL) newreq = 1; - /* TODO: simplify this as pkey is still always NULL here */ - private = newreq && (pkey == NULL) ? 1 : 0; - if (!app_passwd(passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; } - if (verbose) - BIO_printf(bio_err, "Using configuration from %s\n", template); - if ((req_conf = app_load_config(template)) == NULL) + if ((req_conf = app_load_config_verbose(template, verbose)) == NULL) goto end; if (addext_bio != NULL) { if (verbose) @@ -489,10 +515,11 @@ int req_main(int argc, char **argv) oid_bio = BIO_new_file(p, "r"); if (oid_bio == NULL) { - /*- - BIO_printf(bio_err,"problems opening %s for extra oid's\n",p); - ERR_print_errors(bio_err); - */ + if (verbose) { + BIO_printf(bio_err, + "Problems opening '%s' for extra OIDs\n", p); + ERR_print_errors(bio_err); + } } else { OBJ_create_objects(oid_bio); BIO_free(oid_bio); @@ -521,17 +548,20 @@ int req_main(int argc, char **argv) if (extensions != NULL) { /* Check syntax of file */ X509V3_CTX ctx; + X509V3_set_ctx_test(&ctx); X509V3_set_nconf(&ctx, req_conf); if (!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) { BIO_printf(bio_err, - "Error checking x509 extension section %s\n", extensions); + "Error checking x509 extension section %s\n", + extensions); goto end; } } if (addext_conf != NULL) { /* Check syntax of command line extensions */ X509V3_CTX ctx; + X509V3_set_ctx_test(&ctx); X509V3_set_nconf(&ctx, addext_conf); if (!X509V3_EXT_add_nconf(addext_conf, &ctx, "default", NULL)) { @@ -579,6 +609,7 @@ int req_main(int argc, char **argv) if (req_exts != NULL) { /* Check syntax of file */ X509V3_CTX ctx; + X509V3_set_ctx_test(&ctx); X509V3_set_nconf(&ctx, req_conf); if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) { @@ -596,46 +627,48 @@ int req_main(int argc, char **argv) app_RAND_load_conf(req_conf, section); } - if (newreq && (pkey == NULL)) { + if (newreq && pkey == NULL) { app_RAND_load_conf(req_conf, section); - if (!NCONF_get_number(req_conf, section, BITS, &newkey)) { - newkey = DEFAULT_KEY_LENGTH; + if (!NCONF_get_number(req_conf, section, BITS, &newkey_len)) { + newkey_len = DEFAULT_KEY_LENGTH; } if (keyalg != NULL) { - genctx = set_keygen_ctx(keyalg, &pkey_type, &newkey, + genctx = set_keygen_ctx(keyalg, &pkey_type, &newkey_len, &keyalgstr, gen_eng); if (genctx == NULL) goto end; } - if (newkey < MIN_KEY_LENGTH + if (newkey_len < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) { - BIO_printf(bio_err, "private key length is too short,\n"); - BIO_printf(bio_err, "it needs to be at least %d bits, not %ld\n", - MIN_KEY_LENGTH, newkey); + BIO_printf(bio_err, "Private key length is too short,\n"); + BIO_printf(bio_err, "it needs to be at least %d bits, not %ld.\n", + MIN_KEY_LENGTH, newkey_len); goto end; } - if (pkey_type == EVP_PKEY_RSA && newkey > OPENSSL_RSA_MAX_MODULUS_BITS) + if (pkey_type == EVP_PKEY_RSA + && newkey_len > OPENSSL_RSA_MAX_MODULUS_BITS) BIO_printf(bio_err, "Warning: It is not recommended to use more than %d bit for RSA keys.\n" " Your key size is %ld! Larger key size may behave not as expected.\n", - OPENSSL_RSA_MAX_MODULUS_BITS, newkey); + OPENSSL_RSA_MAX_MODULUS_BITS, newkey_len); #ifndef OPENSSL_NO_DSA - if (pkey_type == EVP_PKEY_DSA && newkey > OPENSSL_DSA_MAX_MODULUS_BITS) + if (pkey_type == EVP_PKEY_DSA + && newkey_len > OPENSSL_DSA_MAX_MODULUS_BITS) BIO_printf(bio_err, "Warning: It is not recommended to use more than %d bit for DSA keys.\n" " Your key size is %ld! Larger key size may behave not as expected.\n", - OPENSSL_DSA_MAX_MODULUS_BITS, newkey); + OPENSSL_DSA_MAX_MODULUS_BITS, newkey_len); #endif if (genctx == NULL) { - genctx = set_keygen_ctx(NULL, &pkey_type, &newkey, + genctx = set_keygen_ctx(NULL, &pkey_type, &newkey_len, &keyalgstr, gen_eng); - if (!genctx) + if (genctx == NULL) goto end; } @@ -644,8 +677,7 @@ int req_main(int argc, char **argv) for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) { genopt = sk_OPENSSL_STRING_value(pkeyopts, i); if (pkey_ctrl_string(genctx, genopt) <= 0) { - BIO_printf(bio_err, "parameter error \"%s\"\n", genopt); - ERR_print_errors(bio_err); + BIO_printf(bio_err, "Key parameter error \"%s\"\n", genopt); goto end; } } @@ -675,10 +707,10 @@ int req_main(int argc, char **argv) } if (keyout == NULL) - BIO_printf(bio_err, "writing new private key to stdout\n"); + BIO_printf(bio_err, "Writing new private key to stdout\n"); else - BIO_printf(bio_err, "writing new private key to '%s'\n", keyout); - out = bio_open_owner(keyout, outformat, private); + BIO_printf(bio_err, "Writing new private key to '%s'\n", keyout); + out = bio_open_owner(keyout, outformat, newreq); if (out == NULL) goto end; @@ -696,7 +728,7 @@ int req_main(int argc, char **argv) i = 0; loop: - assert(private); + assert(newreq); if (!PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0, NULL, passout)) { if ((ERR_GET_REASON(ERR_peek_error()) == @@ -712,15 +744,55 @@ int req_main(int argc, char **argv) BIO_printf(bio_err, "-----\n"); } + /* + * subj is expected to be in the format /type0=value0/type1=value1/type2=... + * where characters may be escaped by \ + */ + if (subj != NULL + && (fsubj = parse_name(subj, chtype, multirdn, "subject")) == NULL) + goto end; + if (!newreq) { req = load_csr(infile, informat, "X509 request"); if (req == NULL) goto end; } - if (newreq || x509) { - if (pkey == NULL) { - BIO_printf(bio_err, "you need to specify a private key\n"); + if (CAkeyfile == NULL) + CAkeyfile = CAfile; + if (CAkeyfile != NULL) { + if (CAfile == NULL) { + BIO_printf(bio_err, + "Ignoring -CAkey option since no -CA option is given\n"); + } else { + if ((CAkey = load_key(CAkeyfile, FORMAT_PEM, + 0, passin, e, "issuer private key")) == NULL) + goto end; + } + } + if (CAfile != NULL) { + if (!gen_x509) { + BIO_printf(bio_err, + "Warning: Ignoring -CA option without -x509\n"); + } else { + if (CAkeyfile == NULL) { + BIO_printf(bio_err, + "Need to give the -CAkey option if using -CA\n"); + goto end; + } + if ((CAcert = load_cert_pass(CAfile, 1, passin, + "issuer certificate")) == NULL) + goto end; + if (!X509_check_private_key(CAcert, CAkey)) { + BIO_printf(bio_err, + "Issuer certificate and key do not match\n"); + goto end; + } + } + } + if (newreq || gen_x509) { + if (pkey == NULL /* can happen only if !newreq */) { + BIO_printf(bio_err, "Must provide a signature key using -key\n"); goto end; } @@ -730,82 +802,95 @@ int req_main(int argc, char **argv) goto end; } - i = make_REQ(req, pkey, subj, multirdn, !x509, chtype); - subj = NULL; /* done processing '-subj' option */ - if (!i) { - BIO_printf(bio_err, "problems making Certificate Request\n"); + if (!make_REQ(req, pkey, fsubj, multirdn, !gen_x509, chtype)){ + BIO_printf(bio_err, "Error making certificate request\n"); goto end; } } - if (x509) { - EVP_PKEY *tmppkey; + if (gen_x509) { + EVP_PKEY *pub_key = X509_REQ_get0_pubkey(req); X509V3_CTX ext_ctx; - if ((x509ss = X509_new_ex(app_get0_libctx(), app_get0_propq())) == NULL) + X509_NAME *issuer = CAcert != NULL ? X509_get_subject_name(CAcert) : + X509_REQ_get_subject_name(req); + X509_NAME *n_subj = fsubj != NULL ? fsubj : + X509_REQ_get_subject_name(req); + + if ((new_x509 = X509_new_ex(app_get0_libctx(), + app_get0_propq())) == NULL) goto end; - /* Set version to V3 */ if (serial != NULL) { - if (!X509_set_serialNumber(x509ss, serial)) + if (!X509_set_serialNumber(new_x509, serial)) goto end; } else { - if (!rand_serial(NULL, X509_get_serialNumber(x509ss))) + if (!rand_serial(NULL, X509_get_serialNumber(new_x509))) goto end; } - if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) + if (!X509_set_issuer_name(new_x509, issuer)) goto end; - if (days == 0) { - /* set default days if it's not specified */ - days = 30; + if (days == UNSET_DAYS) { + days = DEFAULT_DAYS; } - if (!set_cert_times(x509ss, NULL, NULL, days)) + if (!set_cert_times(new_x509, NULL, NULL, days)) + goto end; + if (!X509_set_subject_name(new_x509, n_subj)) goto end; - if (!X509_set_subject_name - (x509ss, X509_REQ_get_subject_name(req))) + if (!pub_key || !X509_set_pubkey(new_x509, pub_key)) goto end; - tmppkey = X509_REQ_get0_pubkey(req); - if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey)) + if (ext_copy == EXT_COPY_UNSET) { + BIO_printf(bio_err, "Warning: No -copy_extensions given; ignoring any extensions in the request\n"); + } else if (!copy_extensions(new_x509, req, ext_copy)) { + BIO_printf(bio_err, "Error copying extensions from request\n"); goto end; + } /* Set up V3 context struct */ - - X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, X509V3_CTX_REPLACE); + X509V3_set_ctx(&ext_ctx, CAcert != NULL ? CAcert : new_x509, + new_x509, NULL, NULL, X509V3_CTX_REPLACE); + if (CAcert == NULL) { /* self-issued, possibly self-signed */ + if (!X509V3_set_issuer_pkey(&ext_ctx, pkey)) /* prepare right AKID */ + goto end; + ERR_set_mark(); + if (!X509_check_private_key(new_x509, pkey)) + BIO_printf(bio_err, + "Warning: Signature key and public key of cert do not match\n"); + ERR_pop_to_mark(); + } X509V3_set_nconf(&ext_ctx, req_conf); /* Add extensions */ - if (extensions != NULL && !X509V3_EXT_add_nconf(req_conf, - &ext_ctx, extensions, - x509ss)) { + if (extensions != NULL + && !X509V3_EXT_add_nconf(req_conf, &ext_ctx, extensions, + new_x509)) { BIO_printf(bio_err, "Error adding x509 extensions from section %s\n", extensions); goto end; } if (addext_conf != NULL && !X509V3_EXT_add_nconf(addext_conf, &ext_ctx, "default", - x509ss)) { + new_x509)) { BIO_printf(bio_err, "Error adding extensions defined via -addext\n"); goto end; } /* If a pre-cert was requested, we need to add a poison extension */ if (precert) { - if (X509_add1_ext_i2d(x509ss, NID_ct_precert_poison, NULL, 1, 0) - != 1) { + if (X509_add1_ext_i2d(new_x509, NID_ct_precert_poison, + NULL, 1, 0) != 1) { BIO_printf(bio_err, "Error adding poison extension\n"); goto end; } } - i = do_X509_sign(x509ss, pkey, digest, sigopts); - if (!i) { - ERR_print_errors(bio_err); + i = do_X509_sign(new_x509, CAcert != NULL ? CAkey : pkey, + digest, sigopts, &ext_ctx); + if (!i) goto end; - } } else { X509V3_CTX ext_ctx; /* Set up V3 context struct */ - X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0); X509V3_set_nconf(&ext_ctx, req_conf); @@ -824,38 +909,30 @@ int req_main(int argc, char **argv) goto end; } i = do_X509_REQ_sign(req, pkey, digest, sigopts); - if (!i) { - ERR_print_errors(bio_err); + if (!i) goto end; - } } } - if (subj && x509) { - BIO_printf(bio_err, "Cannot modify certificate subject\n"); - goto end; - } - - if (subj && !x509) { + if (subj != NULL && !newreq && !gen_x509) { if (verbose) { - BIO_printf(bio_err, "Modifying Request's Subject\n"); - print_name(bio_err, "old subject=", + BIO_printf(bio_err, "Modifying subject of certificate request\n"); + print_name(bio_err, "Old subject=", X509_REQ_get_subject_name(req), get_nameopt()); } - if (build_subject(req, subj, chtype, multirdn) == 0) { - BIO_printf(bio_err, "ERROR: cannot modify subject\n"); - ret = 1; + if (!X509_REQ_set_subject_name(req, fsubj)) { + BIO_printf(bio_err, "Error modifying subject of certificate request\n"); goto end; } if (verbose) { - print_name(bio_err, "new subject=", + print_name(bio_err, "New subject=", X509_REQ_get_subject_name(req), get_nameopt()); } } - if (verify && !x509) { + if (verify) { EVP_PKEY *tpubkey = pkey; if (tpubkey == NULL) { @@ -869,10 +946,10 @@ int req_main(int argc, char **argv) if (i < 0) { goto end; } else if (i == 0) { - BIO_printf(bio_err, "verify failure\n"); + BIO_printf(bio_err, "Certificate request self-signature verify failure\n"); ERR_print_errors(bio_err); - } else { /* if (i > 0) */ - BIO_printf(bio_err, "verify OK\n"); + } else { /* i > 0 */ + BIO_printf(bio_err, "Certificate request self-signature verify OK\n"); } } @@ -893,32 +970,29 @@ int req_main(int argc, char **argv) if (tpubkey == NULL) { BIO_printf(bio_err, "Error getting public key\n"); - ERR_print_errors(bio_err); goto end; } PEM_write_bio_PUBKEY(out, tpubkey); } if (text) { - if (x509) - ret = X509_print_ex(out, x509ss, get_nameopt(), reqflag); + if (gen_x509) + ret = X509_print_ex(out, new_x509, get_nameopt(), reqflag); else ret = X509_REQ_print_ex(out, req, get_nameopt(), reqflag); if (ret == 0) { - if (x509) - BIO_printf(bio_err, "Error printing certificate\n"); + if (gen_x509) + BIO_printf(bio_err, "Error printing certificate\n"); else - BIO_printf(bio_err, "Error printing certificate request\n"); - - ERR_print_errors(bio_err); + BIO_printf(bio_err, "Error printing certificate request\n"); goto end; } } if (subject) { - if (x509) - print_name(out, "subject=", X509_get_subject_name(x509ss), + if (gen_x509) + print_name(out, "subject=", X509_get_subject_name(new_x509), get_nameopt()); else print_name(out, "subject=", X509_REQ_get_subject_name(req), @@ -928,12 +1002,12 @@ int req_main(int argc, char **argv) if (modulus) { EVP_PKEY *tpubkey; - if (x509) - tpubkey = X509_get0_pubkey(x509ss); + if (gen_x509) + tpubkey = X509_get0_pubkey(new_x509); else tpubkey = X509_REQ_get0_pubkey(req); if (tpubkey == NULL) { - fprintf(stdout, "Modulus=unavailable\n"); + fprintf(stdout, "Modulus is unavailable\n"); goto end; } fprintf(stdout, "Modulus="); @@ -950,7 +1024,7 @@ int req_main(int argc, char **argv) fprintf(stdout, "\n"); } - if (!noout && !x509) { + if (!noout && !gen_x509) { if (outformat == FORMAT_ASN1) i = i2d_X509_REQ_bio(out, req); else if (newhdr) @@ -958,17 +1032,17 @@ int req_main(int argc, char **argv) else i = PEM_write_bio_X509_REQ(out, req); if (!i) { - BIO_printf(bio_err, "unable to write X509 request\n"); + BIO_printf(bio_err, "Unable to write certificate request\n"); goto end; } } - if (!noout && x509 && (x509ss != NULL)) { + if (!noout && gen_x509 && new_x509 != NULL) { if (outformat == FORMAT_ASN1) - i = i2d_X509_bio(out, x509ss); + i = i2d_X509_bio(out, new_x509); else - i = PEM_write_bio_X509(out, x509ss); + i = PEM_write_bio_X509(out, new_x509); if (!i) { - BIO_printf(bio_err, "unable to write X509 certificate\n"); + BIO_printf(bio_err, "Unable to write X509 certificate\n"); goto end; } } @@ -993,7 +1067,10 @@ int req_main(int argc, char **argv) #endif OPENSSL_free(keyalgstr); X509_REQ_free(req); - X509_free(x509ss); + X509_NAME_free(fsubj); + X509_free(new_x509); + X509_free(CAcert); + EVP_PKEY_free(CAkey); ASN1_INTEGER_free(serial); release_engine(e); if (passin != nofree_passin) @@ -1003,12 +1080,12 @@ int req_main(int argc, char **argv) return ret; } -static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn, - int attribs, unsigned long chtype) +static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, X509_NAME *fsubj, + int multirdn, int attribs, unsigned long chtype) { int ret = 0, i; char no_prompt = 0; - STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL; + STACK_OF(CONF_VALUE) *dn_sk = NULL, *attr_sk = NULL; char *tmp, *dn_sect, *attr_sect; tmp = NCONF_get_string(req_conf, section, PROMPT); @@ -1019,34 +1096,31 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn, dn_sect = NCONF_get_string(req_conf, section, DISTINGUISHED_NAME); if (dn_sect == NULL) { - BIO_printf(bio_err, "unable to find '%s' in config\n", - DISTINGUISHED_NAME); - goto err; - } - dn_sk = NCONF_get_section(req_conf, dn_sect); - if (dn_sk == NULL) { - BIO_printf(bio_err, "unable to get '%s' section\n", dn_sect); - goto err; + ERR_clear_error(); + } else { + dn_sk = NCONF_get_section(req_conf, dn_sect); + if (dn_sk == NULL) { + BIO_printf(bio_err, "Unable to get '%s' section\n", dn_sect); + goto err; + } } attr_sect = NCONF_get_string(req_conf, section, ATTRIBUTES); if (attr_sect == NULL) { ERR_clear_error(); - attr_sk = NULL; } else { attr_sk = NCONF_get_section(req_conf, attr_sect); if (attr_sk == NULL) { - BIO_printf(bio_err, "unable to get '%s' section\n", attr_sect); + BIO_printf(bio_err, "Unable to get '%s' section\n", attr_sect); goto err; } } - /* setup version number */ - if (!X509_REQ_set_version(req, 0L)) - goto err; /* version 1 */ + if (!X509_REQ_set_version(req, 0L)) /* so far there is only version 1 */ + goto err; - if (subj) - i = build_subject(req, subj, chtype, multirdn); + if (fsubj != NULL) + i = X509_REQ_set_subject_name(req, fsubj); else if (no_prompt) i = auto_info(req, dn_sk, attr_sk, attribs, chtype); else @@ -1063,26 +1137,6 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn, return ret; } -/* - * subject is expected to be in the format /type0=value0/type1=value1/type2=... - * where characters may be escaped by \ - */ -static int build_subject(X509_REQ *req, const char *subject, unsigned long chtype, - int multirdn) -{ - X509_NAME *n; - - if ((n = parse_name(subject, chtype, multirdn, "subject")) == NULL) - return 0; - - if (!X509_REQ_set_subject_name(req, n)) { - X509_NAME_free(n); - return 0; - } - X509_NAME_free(n); - return 1; -} - static int prompt_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect, STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect, @@ -1116,7 +1170,7 @@ static int prompt_info(X509_REQ *req, if (sk_CONF_VALUE_num(dn_sk)) { i = -1; start: - for ( ; ; ) { + for (;;) { i++; if (sk_CONF_VALUE_num(dn_sk) <= i) break; @@ -1168,7 +1222,6 @@ static int prompt_info(X509_REQ *req, n_min = -1; } - if (!join(buf, sizeof(buf), v->name, "_max", "Name")) return 0; if (!NCONF_get_number(req_conf, dn_sect, buf, &n_max)) { @@ -1181,7 +1234,7 @@ static int prompt_info(X509_REQ *req, return 0; } if (X509_NAME_entry_count(subj) == 0) { - BIO_printf(bio_err, "error, no objects specified in config file\n"); + BIO_printf(bio_err, "Error: No objects specified in config file\n"); return 0; } @@ -1196,7 +1249,7 @@ static int prompt_info(X509_REQ *req, i = -1; start2: - for ( ; ; ) { + for (;;) { i++; if ((attr_sk == NULL) || (sk_CONF_VALUE_num(attr_sk) <= i)) break; @@ -1222,7 +1275,7 @@ static int prompt_info(X509_REQ *req, value = NULL; } - if (!join(buf, sizeof(buf), type,"_min", "Name")) + if (!join(buf, sizeof(buf), type, "_min", "Name")) return 0; if (!NCONF_get_number(req_conf, attr_sect, buf, &n_min)) { ERR_clear_error(); @@ -1273,10 +1326,10 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk, */ for (p = v->name; *p; p++) { #ifndef CHARSET_EBCDIC - spec_char = ((*p == ':') || (*p == ',') || (*p == '.')); + spec_char = (*p == ':' || *p == ',' || *p == '.'); #else - spec_char = ((*p == os_toascii[':']) || (*p == os_toascii[',']) - || (*p == os_toascii['.'])); + spec_char = (*p == os_toascii[':'] || *p == os_toascii[','] + || *p == os_toascii['.']); #endif if (spec_char) { p++; @@ -1304,7 +1357,7 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk, } if (!X509_NAME_entry_count(subj)) { - BIO_printf(bio_err, "error, no objects specified in config file\n"); + BIO_printf(bio_err, "Error: No objects specified in config file\n"); return 0; } if (attribs) { @@ -1361,12 +1414,9 @@ static int add_attribute_object(X509_REQ *req, char *text, const char *def, return ret; } - -static int build_data(char *text, const char *def, - char *value, int n_min, int n_max, - char *buf, const int buf_size, - const char *desc1, const char *desc2 - ) +static int build_data(char *text, const char *def, char *value, + int n_min, int n_max, char *buf, const int buf_size, + const char *desc1, const char *desc2) { int i; start: @@ -1401,7 +1451,7 @@ static int build_data(char *text, const char *def, i = strlen(buf); if (buf[i - 1] != '\n') { - BIO_printf(bio_err, "weird input :-(\n"); + BIO_printf(bio_err, "Missing newline at end of input\n"); return 0; } buf[--i] = '\0'; @@ -1418,16 +1468,14 @@ static int build_data(char *text, const char *def, static int req_check_len(int len, int n_min, int n_max) { - if ((n_min > 0) && (len < n_min)) { + if (n_min > 0 && len < n_min) { BIO_printf(bio_err, - "string is too short, it needs to be at least %d bytes long\n", - n_min); + "String too short, must be at least %d bytes long\n", n_min); return 0; } - if ((n_max >= 0) && (len > n_max)) { + if (n_max >= 0 && len > n_max) { BIO_printf(bio_err, - "string is too long, it needs to be no more than %d bytes long\n", - n_max); + "String too long, must be at most %d bytes long\n", n_max); return 0; } return 1; @@ -1525,7 +1573,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, if (paramfile != NULL) { pbio = BIO_new_file(paramfile, "r"); if (pbio == NULL) { - BIO_printf(bio_err, "Can't open parameter file %s\n", paramfile); + BIO_printf(bio_err, "Cannot open parameter file %s\n", paramfile); return NULL; } param = PEM_read_bio_Parameters(pbio, NULL); @@ -1550,7 +1598,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, if (*pkey_type == -1) { *pkey_type = EVP_PKEY_id(param); } else if (*pkey_type != EVP_PKEY_base_id(param)) { - BIO_printf(bio_err, "Key Type does not match parameters\n"); + BIO_printf(bio_err, "Key type does not match parameters\n"); EVP_PKEY_free(param); return NULL; } @@ -1583,20 +1631,17 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, if (gctx == NULL) { BIO_puts(bio_err, "Error allocating keygen context\n"); - ERR_print_errors(bio_err); return NULL; } if (EVP_PKEY_keygen_init(gctx) <= 0) { BIO_puts(bio_err, "Error initializing keygen context\n"); - ERR_print_errors(bio_err); EVP_PKEY_CTX_free(gctx); return NULL; } if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) { if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) { BIO_puts(bio_err, "Error setting RSA keysize\n"); - ERR_print_errors(bio_err); EVP_PKEY_CTX_free(gctx); return NULL; } diff --git a/apps/srp.c b/apps/srp.c index 3d8ce3e7c6..f7edfa9930 100644 --- a/apps/srp.c +++ b/apps/srp.c @@ -338,10 +338,7 @@ int srp_main(int argc, char **argv) if (configfile == NULL) configfile = default_config_file; - if (verbose) - BIO_printf(bio_err, "Using configuration from %s\n", - configfile); - conf = app_load_config(configfile); + conf = app_load_config_verbose(configfile, verbose); if (conf == NULL) goto end; if (configfile != default_config_file && !app_load_modules(conf)) diff --git a/apps/x509.c b/apps/x509.c index c8fcb7a7ae..5769f5f982 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -1067,6 +1067,8 @@ static int sign(X509 *x, EVP_PKEY *pkey, X509 *issuer, const EVP_MD *digest, CONF *conf, const char *section, int preserve_dates) { + X509V3_CTX ext_ctx; + if (!X509_set_issuer_name(x, X509_get_subject_name(issuer))) return 0; @@ -1077,10 +1079,14 @@ static int sign(X509 *x, EVP_PKEY *pkey, X509 *issuer, while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0); } - if (conf != NULL) { - X509V3_CTX ext_ctx; - X509V3_set_ctx(&ext_ctx, issuer, x, NULL, NULL, X509V3_CTX_REPLACE); + X509V3_set_ctx(&ext_ctx, issuer, x, NULL, NULL, X509V3_CTX_REPLACE); + if (issuer == x + /* prepare the correct AKID of self-issued, possibly self-signed cert */ + && !X509V3_set_issuer_pkey(&ext_ctx, pkey)) + return 0; + + if (conf != NULL) { X509V3_set_nconf(&ext_ctx, conf); if (!X509V3_EXT_add_nconf(conf, &ext_ctx, section, x)) { BIO_printf(bio_err, @@ -1088,7 +1094,7 @@ static int sign(X509 *x, EVP_PKEY *pkey, X509 *issuer, return 0; } } - return do_X509_sign(x, pkey, digest, sigopts); + return do_X509_sign(x, pkey, digest, sigopts, &ext_ctx); } static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt) @@ -1149,7 +1155,7 @@ static int print_x509v3_exts(BIO *bio, X509 *x, const char *ext_names) exts = X509_get0_extensions(x); if ((num = sk_X509_EXTENSION_num(exts)) <= 0) { - BIO_printf(bio, "No extensions in certificate\n"); + BIO_printf(bio_err, "No extensions in certificate\n"); ret = 1; goto end; } diff --git a/crypto/conf/conf_api.c b/crypto/conf/conf_api.c index d64cc5031a..5133114fc8 100644 --- a/crypto/conf/conf_api.c +++ b/crypto/conf/conf_api.c @@ -27,7 +27,7 @@ CONF_VALUE *_CONF_get_section(const CONF *conf, const char *section) return NULL; vv.name = NULL; vv.section = (char *)section; - return lh_CONF_VALUE_retrieve(conf->data, &vv); + return conf->data != NULL ? lh_CONF_VALUE_retrieve(conf->data, &vv) : NULL; } STACK_OF(CONF_VALUE) *_CONF_get_section_values(const CONF *conf, @@ -72,6 +72,8 @@ char *_CONF_get_string(const CONF *conf, const char *section, return NULL; if (conf == NULL) return ossl_safe_getenv(name); + if (conf->data == NULL) + return NULL; if (section != NULL) { vv.name = (char *)name; vv.section = (char *)section; diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c index 3f63a5f88d..a7f5677a26 100644 --- a/crypto/conf/conf_def.c +++ b/crypto/conf/conf_def.c @@ -239,11 +239,12 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) p = &(buff->data[bufnum]); *p = '\0'; read_retry: - BIO_gets(in, p, CONFBUFSIZE - 1); + if (in != NULL && BIO_gets(in, p, CONFBUFSIZE - 1) < 0) + goto err; p[CONFBUFSIZE - 1] = '\0'; ii = i = strlen(p); if (i == 0 && !again) { - /* the currently processed BIO is at EOF */ + /* the currently processed BIO is NULL or at EOF */ BIO *parent; #ifndef OPENSSL_NO_POSIX_IO diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c index cb1bf7cd3c..8de3222c34 100644 --- a/crypto/conf/conf_mod.c +++ b/crypto/conf/conf_mod.c @@ -156,11 +156,6 @@ int CONF_modules_load_file_ex(OSSL_LIB_CTX *libctx, const char *filename, CONF *conf = NULL; int ret = 0, diagnostics = 0; - ERR_set_mark(); - conf = NCONF_new_ex(libctx, NULL); - if (conf == NULL) - goto err; - if (filename == NULL) { file = CONF_get1_default_config_file(); if (file == NULL) @@ -169,6 +164,11 @@ int CONF_modules_load_file_ex(OSSL_LIB_CTX *libctx, const char *filename, file = (char *)filename; } + ERR_set_mark(); + conf = NCONF_new_ex(libctx, NULL); + if (conf == NULL) + goto err; + if (NCONF_load(conf, file, NULL) <= 0) { if ((flags & CONF_MFLAGS_IGNORE_MISSING_FILE) && (ERR_GET_REASON(ERR_peek_last_error()) == CONF_R_NO_SUCH_FILE)) { @@ -539,7 +539,6 @@ void CONF_module_set_usr_data(CONF_MODULE *pmod, void *usr_data) } /* Return default config file name */ - char *CONF_get1_default_config_file(void) { const char *t; diff --git a/crypto/x509/build.info b/crypto/x509/build.info index 04b63d0bc3..93019cc5e6 100644 --- a/crypto/x509/build.info +++ b/crypto/x509/build.info @@ -9,7 +9,7 @@ SOURCE[../../libcrypto]=\ x_crl.c t_crl.c x_req.c t_req.c x_x509.c t_x509.c \ x_pubkey.c x_x509a.c x_attrib.c x_exten.c x_name.c \ v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_utf8.c v3_lib.c \ - v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c \ + v3_prn.c v3_utl.c v3err.c v3_genn.c v3_san.c v3_skid.c v3_akid.c \ v3_pku.c v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c \ v3_info.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c \ v3_pcia.c v3_pci.c v3_ist.c \ diff --git a/crypto/x509/v3_akey.c b/crypto/x509/v3_akid.c similarity index 76% rename from crypto/x509/v3_akey.c rename to crypto/x509/v3_akid.c index 96e415aeb1..0b1283f0af 100644 --- a/crypto/x509/v3_akey.c +++ b/crypto/x509/v3_akid.c @@ -13,6 +13,7 @@ #include #include #include +#include "crypto/x509.h" #include "ext_dat.h" static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, @@ -78,7 +79,7 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, STACK_OF(CONF_VALUE) *values) { char keyid = 0, issuer = 0; - int i; + int i, n = sk_CONF_VALUE_num(values); CONF_VALUE *cnf; ASN1_OCTET_STRING *ikeyid = NULL; X509_NAME *isname = NULL; @@ -86,13 +87,17 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, GENERAL_NAME *gen = NULL; ASN1_INTEGER *serial = NULL; X509_EXTENSION *ext; - X509 *cert; + X509 *issuer_cert; AUTHORITY_KEYID *akeyid = AUTHORITY_KEYID_new(); if (akeyid == NULL) goto err; - for (i = 0; i < sk_CONF_VALUE_num(values); i++) { + if (n == 1 && strcmp(sk_CONF_VALUE_value(values, 0)->name, "none") == 0) { + return akeyid; + } + + for (i = 0; i < n; i++) { cnf = sk_CONF_VALUE_value(values, i); if (strcmp(cnf->name, "keyid") == 0) { keyid = 1; @@ -109,35 +114,49 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, } } - if (!ctx || !ctx->issuer_cert) { - if (ctx && (ctx->flags == CTX_TEST)) - return akeyid; + if (ctx != NULL && (ctx->flags & X509V3_CTX_TEST) != 0) + return akeyid; + + if (ctx == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_NULL_PARAMETER); + goto err; + } + if ((issuer_cert = ctx->issuer_cert) == NULL) { ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_ISSUER_CERTIFICATE); goto err; } - cert = ctx->issuer_cert; - - if (keyid) { - i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1); - if ((i >= 0) && (ext = X509_get_ext(cert, i))) + if (keyid != 0) { + /* prefer any pre-existing subject key identifier of the issuer cert */ + i = X509_get_ext_by_NID(issuer_cert, NID_subject_key_identifier, -1); + if (i >= 0 && (ext = X509_get_ext(issuer_cert, i)) != NULL) ikeyid = X509V3_EXT_d2i(ext); - if ((keyid == 2 || issuer == 0) && ikeyid == NULL) { + if (ikeyid == NULL && ctx->issuer_pkey != NULL) { /* fallback */ + /* generate AKID from scratch, emulating s2i_skey_id(..., "hash") */ + X509_PUBKEY *pubkey = NULL; + + if (X509_PUBKEY_set(&pubkey, ctx->issuer_pkey)) + ikeyid = x509_pubkey_hash(pubkey); + X509_PUBKEY_free(pubkey); + } + if ((keyid == 2 || issuer == 0) + && (ikeyid == NULL + || ASN1_STRING_length(ikeyid) <= 2) /* indicating "none" */) { ERR_raise(ERR_LIB_X509V3, X509V3_R_UNABLE_TO_GET_ISSUER_KEYID); goto err; } } - if ((issuer && !ikeyid) || (issuer == 2)) { - isname = X509_NAME_dup(X509_get_issuer_name(cert)); - serial = ASN1_INTEGER_dup(X509_get0_serialNumber(cert)); - if (!isname || !serial) { + if (issuer == 2 || (issuer == 1 && ikeyid == NULL)) { + isname = X509_NAME_dup(X509_get_issuer_name(issuer_cert)); + serial = ASN1_INTEGER_dup(X509_get0_serialNumber(issuer_cert)); + if (isname == NULL || serial == NULL) { ERR_raise(ERR_LIB_X509V3, X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS); goto err; } } - if (isname) { + if (isname != NULL) { if ((gens = sk_GENERAL_NAME_new_null()) == NULL || (gen = GENERAL_NAME_new()) == NULL || !sk_GENERAL_NAME_push(gens, gen)) { diff --git a/crypto/x509/v3_conf.c b/crypto/x509/v3_conf.c index 1f424325a0..f8a2e3fe27 100644 --- a/crypto/x509/v3_conf.c +++ b/crypto/x509/v3_conf.c @@ -437,6 +437,10 @@ static X509V3_CONF_METHOD nconf_method = { void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf) { + if (ctx == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_NULL_PARAMETER); + return; + } ctx->db_meth = &nconf_method; ctx->db = conf; } @@ -444,11 +448,33 @@ void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf) void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req, X509_CRL *crl, int flags) { + if (ctx == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_NULL_PARAMETER); + return; + } + ctx->flags = flags; ctx->issuer_cert = issuer; ctx->subject_cert = subj; - ctx->crl = crl; ctx->subject_req = req; - ctx->flags = flags; + ctx->crl = crl; + ctx->db_meth = NULL; + ctx->db = NULL; + ctx->issuer_pkey = NULL; +} + +/* For API backward compatibility, this is separate from X509V3_set_ctx() */ +int X509V3_set_issuer_pkey(X509V3_CTX *ctx, EVP_PKEY *pkey) +{ + if (ctx == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + if (ctx->subject_cert == NULL && pkey != NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_INVALID_ARGUMENT); + return 0; + } + ctx->issuer_pkey = pkey; + return 1; } /* Old conf compatibility functions */ @@ -489,6 +515,10 @@ static X509V3_CONF_METHOD conf_lhash_method = { void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash) { + if (ctx == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_NULL_PARAMETER); + return; + } ctx->db_meth = &conf_lhash_method; ctx->db = lhash; } diff --git a/crypto/x509/v3_alt.c b/crypto/x509/v3_san.c similarity index 99% rename from crypto/x509/v3_alt.c rename to crypto/x509/v3_san.c index 2344c554fa..cf7fdc6e38 100644 --- a/crypto/x509/v3_alt.c +++ b/crypto/x509/v3_san.c @@ -325,7 +325,7 @@ static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens) X509_EXTENSION *ext; int i, num; - if (ctx && (ctx->flags == CTX_TEST)) + if (ctx != NULL && (ctx->flags & X509V3_CTX_TEST) != 0) return 1; if (!ctx || !ctx->issuer_cert) { ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_ISSUER_DETAILS); @@ -410,12 +410,12 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p) GENERAL_NAME *gen = NULL; int i = -1; - if (ctx != NULL && ctx->flags == CTX_TEST) + if (ctx != NULL && (ctx->flags & X509V3_CTX_TEST) != 0) return 1; if (ctx == NULL || (ctx->subject_cert == NULL && ctx->subject_req == NULL)) { ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_SUBJECT_DETAILS); - goto err; + return 0; } /* Find the subject name */ if (ctx->subject_cert) diff --git a/crypto/x509/v3_skey.c b/crypto/x509/v3_skid.c similarity index 68% rename from crypto/x509/v3_skey.c rename to crypto/x509/v3_skid.c index b4b1616688..f1581e7452 100644 --- a/crypto/x509/v3_skey.c +++ b/crypto/x509/v3_skid.c @@ -52,55 +52,49 @@ ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, } -static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, char *str) +ASN1_OCTET_STRING *x509_pubkey_hash(X509_PUBKEY *pubkey) { ASN1_OCTET_STRING *oct; - X509_PUBKEY *pubkey; const unsigned char *pk; int pklen; unsigned char pkey_dig[EVP_MAX_MD_SIZE]; unsigned int diglen; - if (strcmp(str, "hash")) - return s2i_ASN1_OCTET_STRING(method, ctx, str); - - if ((oct = ASN1_OCTET_STRING_new()) == NULL) { - ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); + if (pubkey == NULL) { + ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_PUBLIC_KEY); return NULL; } + if ((oct = ASN1_OCTET_STRING_new()) == NULL) + return NULL; - if (ctx && (ctx->flags == CTX_TEST)) + X509_PUBKEY_get0_param(NULL, &pk, &pklen, NULL, pubkey); + /* TODO(3.0) - explicitly fetch the digest */ + if (EVP_Digest(pk, pklen, pkey_dig, &diglen, EVP_sha1(), NULL) + && ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) return oct; - if (!ctx || (!ctx->subject_req && !ctx->subject_cert)) { - ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_PUBLIC_KEY); - goto err; - } - - if (ctx->subject_req) - pubkey = ctx->subject_req->req_info.pubkey; - else - pubkey = ctx->subject_cert->cert_info.key; - - if (pubkey == NULL) { - ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_PUBLIC_KEY); - goto err; - } + ASN1_OCTET_STRING_free(oct); + return NULL; +} - X509_PUBKEY_get0_param(NULL, &pk, &pklen, NULL, pubkey); +static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, + X509V3_CTX *ctx, char *str) +{ + if (strcmp(str, "none") == 0) + return ASN1_OCTET_STRING_new(); /* dummy */ - if (!EVP_Digest(pk, pklen, pkey_dig, &diglen, EVP_sha1(), NULL)) - goto err; + if (strcmp(str, "hash") != 0) + return s2i_ASN1_OCTET_STRING(method, ctx /* not used */, str); - if (!ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) { - ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); - goto err; + if (ctx != NULL && (ctx->flags & X509V3_CTX_TEST) != 0) + return ASN1_OCTET_STRING_new(); + if (ctx == NULL + || (ctx->subject_cert == NULL && ctx->subject_req == NULL)) { + ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_SUBJECT_DETAILS); + return NULL; } - return oct; - - err: - ASN1_OCTET_STRING_free(oct); - return NULL; + return x509_pubkey_hash(ctx->subject_req != NULL ? + ctx->subject_req->req_info.pubkey : + ctx->subject_cert->cert_info.key); } diff --git a/crypto/x509/v3_utf8.c b/crypto/x509/v3_utf8.c index d37ac73246..465e0a39a3 100644 --- a/crypto/x509/v3_utf8.c +++ b/crypto/x509/v3_utf8.c @@ -12,7 +12,6 @@ #include #include #include -#include #include "ext_dat.h" /* diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c index a9beef682b..7423b122d3 100644 --- a/crypto/x509/x_pubkey.c +++ b/crypto/x509/x_pubkey.c @@ -99,11 +99,10 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) { X509_PUBKEY *pk = NULL; - if (x == NULL) + if (x == NULL || pkey == NULL) { + ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); return 0; - - if (pkey == NULL) - goto unsupported; + } if (pkey->ameth != NULL) { if ((pk = X509_PUBKEY_new()) == NULL) { @@ -137,8 +136,10 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) OPENSSL_free(der); } - if (pk == NULL) - goto unsupported; + if (pk == NULL) { + ERR_raise(ERR_LIB_X509, X509_R_UNSUPPORTED_ALGORITHM); + goto error; + } X509_PUBKEY_free(*x); if (!EVP_PKEY_up_ref(pkey)) { @@ -165,9 +166,6 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) pk->pkey = pkey; return 1; - unsupported: - ERR_raise(ERR_LIB_X509, X509_R_UNSUPPORTED_ALGORITHM); - error: X509_PUBKEY_free(pk); return 0; diff --git a/doc/internal/man3/s2i_ASN1_UTF8STRING.pod b/doc/internal/man3/s2i_ASN1_UTF8STRING.pod deleted file mode 100644 index b6d1375189..0000000000 --- a/doc/internal/man3/s2i_ASN1_UTF8STRING.pod +++ /dev/null @@ -1,46 +0,0 @@ -=pod - -=head1 NAME - -i2s_ASN1_UTF8STRING, -s2i_ASN1_UTF8STRING -- convert objects from/to ASN.1/string representation - -=head1 SYNOPSIS - - #include "crypto/x509v3.h" - - char *i2s_ASN1_UTF8STRING(X509V3_EXT_METHOD *method, - ASN1_UTF8STRING *utf8); - ASN1_UTF8STRING *s2i_ASN1_UTF8STRING(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, const char *str); - -=head1 DESCRIPTION - -These functions convert OpenSSL objects to and from their ASN.1/string -representation. This function is used for B extensions. - -=head1 NOTES - -The letters B and B in i2s_ASN1_UTF8STRING() stand for -"internal" (that is, an internal C structure) and string respectively. -So B() converts from internal to string. - -=head1 RETURN VALUES - -B() return a valid -B structure or NULL if an error occurs. - -B() returns the pointer to a UTF-8 string -or NULL if an error occurs. - -=head1 COPYRIGHT - -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. - -Licensed under the Apache License 2.0 (the "License"). You may not use -this file except in compliance with the License. You can obtain a copy -in the file LICENSE in the source distribution or at -L. - -=cut diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in index d2d3bfb13d..e222f6f2a8 100644 --- a/doc/man1/openssl-ca.pod.in +++ b/doc/man1/openssl-ca.pod.in @@ -69,15 +69,20 @@ B B =head1 DESCRIPTION -This command is a minimal CA application. It can be used -to sign certificate requests in a variety of forms and generate -CRLs. It also maintains a text database of issued certificates -and their status. -When signing certificates, a single certificate request can be specified +This command emulates a CA application. +See the B especially when considering to use it productively. +It can be used to sign certificate requests (CSRs) in a variety of forms +and generate certificate revocation lists (CRLs). +It also maintains a text database of issued certificates and their status. +When signing certificates, a single request can be specified with the B<-in> option, or multiple requests can be processed by specifying a set of B files after all options. -The options descriptions will be divided into each purpose. +Note that there are also very lean ways of generating certificates: +the B and B commands can be used for directly creating certificates. +See L and L for details. + +The descriptions of the B command options are divided into each purpose. =head1 OPTIONS @@ -104,12 +109,12 @@ B in the B section). =item B<-in> I -An input filename containing a single certificate request to be +An input filename containing a single certificate request (CSR) to be signed by the CA. =item B<-inform> B|B -The format of the data in CSR input files. +The format of the data in certificate request input files. The default is PEM. =item B<-ss_cert> I @@ -150,7 +155,8 @@ This option has no effect and is retained for backward compatibility only. =item B<-keyfile> I|I -The CA private key to sign requests with. This must match with B<-cert>. +The CA private key to sign certificate requests with. +This must match with B<-cert>. =item B<-keyform> B|B|B|B @@ -168,8 +174,8 @@ Names and values of these options are algorithm-specific. Pass options to the signature algorithm during verify operations. Names and values of these options are algorithm-specific. -This often needs to be given while signing too, because the input -certificate signature request is verified against its own public key, +This often needs to be given while signing too, because the self-signature of +a certificate signing request (CSR) is verified against the included public key, and that verification may need its own set of options. =item B<-key> I @@ -192,9 +198,8 @@ see L. Indicates the issued certificates are to be signed with the key the certificate requests were signed with (given with B<-keyfile>). -Certificate requests signed with a different key are ignored. If -B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is -ignored. +Certificate requests signed with a different key are ignored. +If B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is ignored. A consequence of using B<-selfsign> is that the self-signed certificate appears among the entries in the certificate database @@ -739,6 +744,8 @@ possible to include one SPKAC or self-signed certificate. =head1 BUGS +This command is quirky and at times downright unfriendly. + The use of an in-memory text database can cause problems when large numbers of certificates are present because, as the name implies the database has to be kept in memory. @@ -760,11 +767,14 @@ create an empty file. =head1 WARNINGS -This command is quirky and at times downright unfriendly. - -This command was originally meant as an example of how to do -things in a CA. It was not supposed to be used as a full blown CA itself: -nevertheless some people are using it for this purpose. +This command was originally meant as an example of how to do things in a CA. +Its code does not have production quality. +It was not supposed to be used as a full blown CA itself, +nevertheless some people are using it for this purpose at least internally. +When doing so, specific care should be taken to +properly secure the private key(s) used for signing certificates. +It is advisable to keep them in a secure HW storage such as a smart card or HSM +and access them via a suitable engine or crypto provider. This command command is effectively a single user command: no locking is done on the various files and attempts to run more than one B @@ -776,7 +786,6 @@ request contains a basicConstraints extension with CA:TRUE and the B value is set to B and the user does not spot this when the certificate is displayed then this will hand the requester a valid CA certificate. - This situation can be avoided by setting B to B and including basicConstraints with CA:FALSE in the configuration file. Then if the request contains a basicConstraints extension it will be diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in index f778ec5cea..72f9997aea 100644 --- a/doc/man1/openssl-req.pod.in +++ b/doc/man1/openssl-req.pod.in @@ -33,9 +33,12 @@ B B [B<-config> I] [B<-section> I] [B<-x509>] +[B<-CA> I|I] +[B<-CAkey> I|I] [B<-days> I] [B<-set_serial> I] [B<-newhdr>] +[B<-copy_extensions> I] [B<-addext> I] [B<-extensions> I
] [B<-reqexts> I
] @@ -57,8 +60,8 @@ B B =head1 DESCRIPTION -This command primarily creates and processes certificate requests -in PKCS#10 format. It can additionally create self signed certificates +This command primarily creates and processes certificate requests (CSRs) +in PKCS#10 format. It can additionally create self-signed certificates for use as root CAs for example. =head1 OPTIONS @@ -71,7 +74,7 @@ Print out a usage message. =item B<-inform> B|B, B<-outform> B|B -The input and formats; the default is B. +The input and output formats; the default is B. See L for details. The data is a PKCS#10 object. @@ -80,7 +83,7 @@ The data is a PKCS#10 object. This specifies the input filename to read a request from or standard input if this option is not specified. A request is only read if the creation -options (B<-new> and B<-newkey>) are not specified. +options (B<-new> or B<-newkey>) are not specified. =item B<-sigopt> I:I @@ -100,16 +103,21 @@ which supports both options for good reasons. =end comment -=item B<-passin> I, B<-passout> I +=item B<-passin> I -The password source for the input and output file. +The password source for the request input file and the certificate input. +For more information about the format of B +see L. + +=item B<-passout> I + +The password source for the output file. For more information about the format of B see L. =item B<-out> I -This specifies the output filename to write to or standard output by -default. +This specifies the output filename to write to or standard output by default. =item B<-text> @@ -117,25 +125,24 @@ Prints out the certificate request in text form. =item B<-subject> -Prints out the request subject (or certificate subject if B<-x509> is -specified) +Prints out the certificate request subject +(or certificate subject if B<-x509> is specified). =item B<-pubkey> -Outputs the public key. +Prints out the public key. =item B<-noout> -This option prevents output of the encoded version of the request. +This option prevents output of the encoded version of the certificate request. =item B<-modulus> -This option prints out the value of the modulus of the public key -contained in the request. +Prints out the value of the modulus of the public key contained in the request. =item B<-verify> -Verifies the signature on the request. +Verifies the self-signature on the request. =item B<-new> @@ -144,8 +151,9 @@ the user for the relevant field values. The actual fields prompted for and their maximum and minimum sizes are specified in the configuration file and any requested extensions. -If the B<-key> option is not used it will generate a new RSA private -key using information specified in the configuration file. +If the B<-key> option is not given it will generate a new RSA private key +using information specified in the configuration file or given with +the B<-newkey> and B<-pkeyopt> options, else by default with 2048 bits length. =item B<-newkey> I @@ -183,8 +191,9 @@ See L for more details. =item B<-key> I|I -This specifies the private key to use. It also -accepts PKCS#8 format private keys for PEM format files. +This specifies the private key to use for request self-signature +and signing certificates produced using the B<-x509> option. +It also accepts PKCS#8 format private keys for PEM format files. =item B<-keyform> B|B|B|B @@ -231,7 +240,7 @@ Specifies the name of the section to use; the default is B. =item B<-subj> I Sets subject name for new request or supersedes the subject name -when processing a request. +when processing a certificate request. The arg must be formatted as C. Special characters may be escaped by C<\> (backslash), whitespace is retained. @@ -250,15 +259,33 @@ This option has been deprecated and has no effect. =item B<-x509> -This option outputs a self signed certificate instead of a certificate -request. This is typically used to generate a test certificate or -a self signed root CA. The extensions added to the certificate -(if any) are specified in the configuration file. Unless specified -using the B<-set_serial> option, a large random number will be used for -the serial number. +This option outputs a certificate instead of a certificate request. +This is typically used to generate test certificates. + +If an existing request is specified with the B<-in> option, it is converted +to the a certificate; otherwise a request is created from scratch. + +Unless specified using the B<-set_serial> option, +a large random number will be used for the serial number. + +Unless the B<-copy_extensions> option is used, +X.509 extensions are not copied from any provided request input file. -If existing request is specified with the B<-in> option, it is converted -to the self signed certificate otherwise new request is created. +X.509 extensions to be added can be specified in the configuration file +or using the B<-addext> option. + +=item B<-CA> I|I + +Specifies the "CA" certificate to be used for signing with the B<-x509> option. +When present, this behaves like a "micro CA" as follows: +The subject name of the "CA" certificate is placed as issuer name in the new +certificate, which is then signed using the "CA" key given as specified below. + +=item B<-CAkey> I|I + +Sets the "CA" private key to sign a certificate with. +The private key must match the public key of the certificate given with B<-CA>. +If this option is not provided then the key must be present in the B<-CA> input. =item B<-days> I @@ -268,8 +295,20 @@ be a positive integer. The default is 30 days. =item B<-set_serial> I -Serial number to use when outputting a self signed certificate. This -may be specified as a decimal value or a hex value if preceded by C<0x>. +Serial number to use when outputting a self-signed certificate. +This may be specified as a decimal value or a hex value if preceded by C<0x>. +If not given, a large random number will be used. + +=item B<-copy_extensions> I + +Determines how X.509 extensions in certificate requests should be handled +when B<-x509> is given. +If I is B or this option is not present then extensions are ignored. +If I is B or B then +all extensions in the request are copied to the certificate. + +The main use of this option is to allow a certificate request to supply +values for certain extensions such as subjectAltName. =item B<-addext> I @@ -308,7 +347,7 @@ configuration file, must be valid UTF8 strings. =item B<-reqopt> I