From openssl at openssl.org Fri Jan 1 20:52:53 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 01 Jan 2021 20:52:53 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2 Message-ID: <1609534373.287774.1244736.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: 30af356df4 Don't call EVP_CIPHER_CTX_block_size() to find the block size Build log ended with (last 100 lines): # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80216E01F67F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80216E01F67F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:610:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/MzicHD5nGO default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8041188D5F7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8041188D5F7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8041188D5F7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8041188D5F7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8041188D5F7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8041188D5F7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/MzicHD5nGO fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=227, Tests=3559, 1029 wallclock secs (14.70 usr 1.46 sys + 934.34 cusr 89.97 csys = 1040.47 CPU) Result: FAIL make[1]: *** [Makefile:3252: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2' make: *** [Makefile:3249: tests] Error 2 From openssl at openssl.org Fri Jan 1 23:15:47 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 01 Jan 2021 23:15:47 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method Message-ID: <1609542947.364748.1547798.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: 30af356df4 Don't call EVP_CIPHER_CTX_block_size() to find the block size Build log ended with (last 100 lines): # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80913F6B027F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80913F6B027F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:610:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/e6xJZzg77S default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80B1C9610E7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80B1C9610E7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80B1C9610E7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80B1C9610E7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80B1C9610E7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80B1C9610E7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/e6xJZzg77S fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=227, Tests=3559, 890 wallclock secs (13.89 usr 1.39 sys + 796.51 cusr 89.05 csys = 900.84 CPU) Result: FAIL make[1]: *** [Makefile:3250: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2-method' make: *** [Makefile:3247: tests] Error 2 From openssl at openssl.org Mon Jan 4 01:06:05 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 04 Jan 2021 01:06:05 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm Message-ID: <1609722365.838211.2158089.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-asm Commit log since last time: ea08f8b294 Add a test for the new CRYPTO_atomic_* functions 49fff26d67 Add documentation for CRYPTO_atomic_or and CRYPTO_atomic_load db6bcc81ab Optimise OPENSSL_init_crypto d5e742de65 Add some more CRYPTO_atomic functions Build log ended with (last 100 lines): rm -f test/sysdefaulttest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/sysdefaulttest \ test/sysdefaulttest-bin-sysdefaulttest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/tls13ccstest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/tls13ccstest \ test/helpers/tls13ccstest-bin-ssltestlib.o \ test/tls13ccstest-bin-tls13ccstest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/tls13secretstest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/tls13secretstest \ crypto/tls13secretstest-bin-packet.o \ ssl/tls13secretstest-bin-tls13_enc.o \ test/tls13secretstest-bin-tls13secretstest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/uitest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/uitest \ apps/lib/uitest-bin-apps_ui.o test/uitest-bin-uitest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread make[1]: Leaving directory '/home/openssl/run-checker/no-asm' $ make test make depend && make _tests make[1]: Entering directory '/home/openssl/run-checker/no-asm' make[1]: Leaving directory '/home/openssl/run-checker/no-asm' make[1]: Entering directory '/home/openssl/run-checker/no-asm' ( SRCTOP=../openssl \ BLDTOP=. \ PERL="/usr/bin/perl" \ FIPSKEY="f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813" \ EXE_EXT= \ /usr/bin/perl ../openssl/test/run_tests.pl ) 01-test_abort.t .................... ok 01-test_sanity.t ................... ok 01-test_symbol_presence.t .......... ok 01-test_test.t ..................... ok 02-test_errstr.t ................... ok 02-test_internal_context.t ......... ok 02-test_internal_ctype.t ........... ok 02-test_internal_keymgmt.t ......... ok 02-test_internal_provider.t ........ ok 02-test_lhash.t .................... ok 02-test_ordinals.t ................. ok 02-test_sparse_array.t ............. ok 02-test_stack.t .................... ok 03-test_exdata.t ................... ok 03-test_fipsinstall.t .............. ok 03-test_internal_asn1.t ............ ok 03-test_internal_asn1_dsa.t ........ ok 03-test_internal_bn.t .............. ok 03-test_internal_chacha.t .......... ok 03-test_internal_curve448.t ........ ok 03-test_internal_ec.t .............. ok 03-test_internal_ffc.t ............. ok 03-test_internal_mdc2.t ............ ok 03-test_internal_modes.t ........... ok 03-test_internal_namemap.t ......... ok 03-test_internal_poly1305.t ........ ok 03-test_internal_rsa_sp800_56b.t ... ok 03-test_internal_siphash.t ......... ok 03-test_internal_sm2.t ............. ok 03-test_internal_sm4.t ............. ok 03-test_internal_ssl_cert_table.t .. ok 03-test_internal_x509.t ............ ok 03-test_params_api.t ............... ok 03-test_property.t ................. ok 03-test_ui.t ....................... ok 04-test_asn1_decode.t .............. ok 04-test_asn1_encode.t .............. ok 04-test_asn1_string_table.t ........ ok 04-test_bio_callback.t ............. ok 04-test_bioprint.t ................. ok 04-test_conf.t ..................... ok 04-test_encoder_decoder.t .......... ok 04-test_encoder_decoder_legacy.t ... ok 04-test_err.t ...................... ok 04-test_hexstring.t ................ ok 04-test_param_build.t .............. ok 04-test_params.t ................... ok 04-test_params_conversion.t ........ ok 04-test_pem.t ...................... ok 04-test_pem_read_depr.t ............ ok 04-test_provider.t ................. ok 04-test_provider_fallback.t ........ ok 05-test_bf.t ....................... ok 05-test_cast.t ..................... ok 05-test_cmac.t ..................... ok 05-test_des.t ...................... ok 05-test_hmac.t ..................... ok 05-test_idea.t ..................... ok 05-test_rand.t ..................... ok 05-test_rc2.t ...................... ok 05-test_rc4.t ...................... ok 05-test_rc5.t ...................... skipped: rc5 is not supported by this OpenSSL build 06-test-rdrand.t ................... ok make[1]: *** [Makefile:3244: _tests] Terminated make: *** [Makefile:3241: tests] Terminated From openssl at openssl.org Mon Jan 4 01:56:44 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 04 Jan 2021 01:56:44 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit Message-ID: <1609725404.902846.2267183.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: ea08f8b294 Add a test for the new CRYPTO_atomic_* functions 49fff26d67 Add documentation for CRYPTO_atomic_or and CRYPTO_atomic_load db6bcc81ab Optimise OPENSSL_init_crypto d5e742de65 Add some more CRYPTO_atomic functions Build log ended with (last 100 lines): 70-test_servername.t ............... ok 70-test_sslcbcpadding.t ............ ok 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 04-test_err.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=227, Tests=3423, 884 wallclock secs (14.44 usr 1.28 sys + 794.72 cusr 85.10 csys = 895.54 CPU) Result: FAIL make[1]: *** [Makefile:3255: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-autoerrinit' make: *** [Makefile:3252: tests] Error 2 From dev at ddvo.net Mon Jan 4 07:01:15 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Mon, 04 Jan 2021 07:01:15 +0000 Subject: [openssl] master update Message-ID: <1609743675.523505.14548.nullmailer@dev.openssl.org> The branch master has been updated via 38b57c4c5268e4db0cad6db6744bf70ce4a0e188 (commit) from ea08f8b294d129371536649463c76a81dc4d4e55 (commit) - Log ----------------------------------------------------------------- commit 38b57c4c5268e4db0cad6db6744bf70ce4a0e188 Author: Dr. David von Oheimb Date: Fri Jan 1 20:43:46 2021 +0100 Update copyright years of auto-generated headers (make update) Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/13764) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/charmap.h | 2 +- crypto/bn/bn_prime.h | 2 +- crypto/conf/conf_def.h | 2 +- crypto/objects/obj_dat.h | 2 +- crypto/objects/obj_xref.h | 2 +- include/openssl/obj_mac.h | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/crypto/asn1/charmap.h b/crypto/asn1/charmap.h index e855b15977..ac1eb076cc 100644 --- a/crypto/asn1/charmap.h +++ b/crypto/asn1/charmap.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/asn1/charmap.pl * - * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bn/bn_prime.h b/crypto/bn/bn_prime.h index ef16bb43d0..8a859ac02e 100644 --- a/crypto/bn/bn_prime.h +++ b/crypto/bn/bn_prime.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/bn/bn_prime.pl * - * Copyright 1998-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/conf/conf_def.h b/crypto/conf/conf_def.h index 3fdb6a9b4a..1f66a58e09 100644 --- a/crypto/conf/conf_def.h +++ b/crypto/conf/conf_def.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/conf/keysets.pl * - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index 440fd1d6af..1b852e6dfa 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/obj_dat.pl * - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h index ba290cc661..0f8a05652e 100644 --- a/crypto/objects/obj_xref.h +++ b/crypto/objects/obj_xref.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by objxref.pl * - * Copyright 1998-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h index 5af0024989..89b449037f 100644 --- a/include/openssl/obj_mac.h +++ b/include/openssl/obj_mac.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/objects.pl * - * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at From openssl at openssl.org Mon Jan 4 07:27:54 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 04 Jan 2021 07:27:54 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des Message-ID: <1609745274.627667.2971884.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: ea08f8b294 Add a test for the new CRYPTO_atomic_* functions 49fff26d67 Add documentation for CRYPTO_atomic_or and CRYPTO_atomic_load db6bcc81ab Optimise OPENSSL_init_crypto d5e742de65 Add some more CRYPTO_atomic functions Build log ended with (last 100 lines): 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 30-test_evp.t (Wstat: 512 Tests: 90 Failed: 2) Failed tests: 14, 40 Non-zero exit status: 2 30-test_evp_kdf.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=227, Tests=3425, 845 wallclock secs (14.28 usr 1.44 sys + 754.59 cusr 85.65 csys = 855.96 CPU) Result: FAIL make[1]: *** [Makefile:3210: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-des' make: *** [Makefile:3207: tests] Error 2 From openssl at openssl.org Mon Jan 4 08:37:54 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 04 Jan 2021 08:37:54 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dso Message-ID: <1609749474.403766.3133533.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dso Commit log since last time: ea08f8b294 Add a test for the new CRYPTO_atomic_* functions 49fff26d67 Add documentation for CRYPTO_atomic_or and CRYPTO_atomic_load db6bcc81ab Optimise OPENSSL_init_crypto d5e742de65 Add some more CRYPTO_atomic functions Build log ended with (last 100 lines): clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_server_test-bin-cmp_server_test.d.tmp -MT test/cmp_server_test-bin-cmp_server_test.o -c -o test/cmp_server_test-bin-cmp_server_test.o ../openssl/test/cmp_server_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_server_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_server_test-bin-cmp_testlib.o -c -o test/helpers/cmp_server_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_status_test-bin-cmp_status_test.d.tmp -MT test/cmp_status_test-bin-cmp_status_test.o -c -o test/cmp_status_test-bin-cmp_status_test.o ../openssl/test/cmp_status_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_status_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_status_test-bin-cmp_testlib.o -c -o test/helpers/cmp_status_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_vfy_test-bin-cmp_vfy_test.d.tmp -MT test/cmp_vfy_test-bin-cmp_vfy_test.o -c -o test/cmp_vfy_test-bin-cmp_vfy_test.o ../openssl/test/cmp_vfy_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_vfy_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_vfy_test-bin-cmp_testlib.o -c -o test/helpers/cmp_vfy_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmsapitest-bin-cmsapitest.d.tmp -MT test/cmsapitest-bin-cmsapitest.o -c -o test/cmsapitest-bin-cmsapitest.o ../openssl/test/cmsapitest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/conf_include_test-bin-conf_include_test.d.tmp -MT test/conf_include_test-bin-conf_include_test.o -c -o test/conf_include_test-bin-conf_include_test.o ../openssl/test/conf_include_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/confdump-bin-confdump.d.tmp -MT test/confdump-bin-confdump.o -c -o test/confdump-bin-confdump.o ../openssl/test/confdump.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/constant_time_test-bin-constant_time_test.d.tmp -MT test/constant_time_test-bin-constant_time_test.o -c -o test/constant_time_test-bin-constant_time_test.o ../openssl/test/constant_time_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/context_internal_test-bin-context_internal_test.d.tmp -MT test/context_internal_test-bin-context_internal_test.o -c -o test/context_internal_test-bin-context_internal_test.o ../openssl/test/context_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/crltest-bin-crltest.d.tmp -MT test/crltest-bin-crltest.o -c -o test/crltest-bin-crltest.o ../openssl/test/crltest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ct_test-bin-ct_test.d.tmp -MT test/ct_test-bin-ct_test.o -c -o test/ct_test-bin-ct_test.o ../openssl/test/ct_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ctype_internal_test-bin-ctype_internal_test.d.tmp -MT test/ctype_internal_test-bin-ctype_internal_test.o -c -o test/ctype_internal_test-bin-ctype_internal_test.o ../openssl/test/ctype_internal_test.c clang -I. -Iinclude -Iapps/include -Icrypto/ec/curve448 -I../openssl -I../openssl/include -I../openssl/apps/include -I../openssl/crypto/ec/curve448 -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/curve448_internal_test-bin-curve448_internal_test.d.tmp -MT test/curve448_internal_test-bin-curve448_internal_test.o -c -o test/curve448_internal_test-bin-curve448_internal_test.o ../openssl/test/curve448_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/d2i_test-bin-d2i_test.d.tmp -MT test/d2i_test-bin-d2i_test.o -c -o test/d2i_test-bin-d2i_test.o ../openssl/test/d2i_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/danetest-bin-danetest.d.tmp -MT test/danetest-bin-danetest.o -c -o test/danetest-bin-danetest.o ../openssl/test/danetest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/defltfips_test-bin-defltfips_test.d.tmp -MT test/defltfips_test-bin-defltfips_test.o -c -o test/defltfips_test-bin-defltfips_test.o ../openssl/test/defltfips_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/destest-bin-destest.d.tmp -MT test/destest-bin-destest.o -c -o test/destest-bin-destest.o ../openssl/test/destest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dhtest-bin-dhtest.d.tmp -MT test/dhtest-bin-dhtest.o -c -o test/dhtest-bin-dhtest.o ../openssl/test/dhtest.c clang -Iinclude -Iapps/include -Iproviders/common/include -I../openssl/include -I../openssl/apps/include -I../openssl/providers/common/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/drbgtest-bin-drbgtest.d.tmp -MT test/drbgtest-bin-drbgtest.o -c -o test/drbgtest-bin-drbgtest.o ../openssl/test/drbgtest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.d.tmp -MT test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.o -c -o test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.o ../openssl/test/dsa_no_digest_size_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dsatest-bin-dsatest.d.tmp -MT test/dsatest-bin-dsatest.o -c -o test/dsatest-bin-dsatest.o ../openssl/test/dsatest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtls_mtu_test-bin-dtls_mtu_test.d.tmp -MT test/dtls_mtu_test-bin-dtls_mtu_test.o -c -o test/dtls_mtu_test-bin-dtls_mtu_test.o ../openssl/test/dtls_mtu_test.c clang -I. -Iinclude -I../openssl -I../openssl/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/dtls_mtu_test-bin-ssltestlib.d.tmp -MT test/helpers/dtls_mtu_test-bin-ssltestlib.o -c -o test/helpers/dtls_mtu_test-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtlstest-bin-dtlstest.d.tmp -MT test/dtlstest-bin-dtlstest.o -c -o test/dtlstest-bin-dtlstest.o ../openssl/test/dtlstest.c clang -I. -Iinclude -I../openssl -I../openssl/include -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/dtlstest-bin-ssltestlib.d.tmp -MT test/helpers/dtlstest-bin-ssltestlib.o -c -o test/helpers/dtlstest-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtlsv1listentest-bin-dtlsv1listentest.d.tmp -MT test/dtlsv1listentest-bin-dtlsv1listentest.o -c -o test/dtlsv1listentest-bin-dtlsv1listentest.o ../openssl/test/dtlsv1listentest.c clang -Iinclude -Icrypto/ec -Iapps/include -I../openssl/include -I../openssl/crypto/ec -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ec_internal_test-bin-ec_internal_test.d.tmp -MT test/ec_internal_test-bin-ec_internal_test.o -c -o test/ec_internal_test-bin-ec_internal_test.o ../openssl/test/ec_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ecdsatest-bin-ecdsatest.d.tmp -MT test/ecdsatest-bin-ecdsatest.o -c -o test/ecdsatest-bin-ecdsatest.o ../openssl/test/ecdsatest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ecstresstest-bin-ecstresstest.d.tmp -MT test/ecstresstest-bin-ecstresstest.o -c -o test/ecstresstest-bin-ecstresstest.o ../openssl/test/ecstresstest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ectest-bin-ectest.d.tmp -MT test/ectest-bin-ectest.o -c -o test/ectest-bin-ectest.o ../openssl/test/ectest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/endecode_test-bin-endecode_test.d.tmp -MT test/endecode_test-bin-endecode_test.o -c -o test/endecode_test-bin-endecode_test.o ../openssl/test/endecode_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/endecode_test-bin-predefined_dhparams.d.tmp -MT test/helpers/endecode_test-bin-predefined_dhparams.o -c -o test/helpers/endecode_test-bin-predefined_dhparams.o ../openssl/test/helpers/predefined_dhparams.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/endecoder_legacy_test-bin-endecoder_legacy_test.d.tmp -MT test/endecoder_legacy_test-bin-endecoder_legacy_test.o -c -o test/endecoder_legacy_test-bin-endecoder_legacy_test.o ../openssl/test/endecoder_legacy_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/enginetest-bin-enginetest.d.tmp -MT test/enginetest-bin-enginetest.o -c -o test/enginetest-bin-enginetest.o ../openssl/test/enginetest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/errtest-bin-errtest.d.tmp -MT test/errtest-bin-errtest.o -c -o test/errtest-bin-errtest.o ../openssl/test/errtest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -DNO_FIPS_MODULE -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_extra_test-bin-evp_extra_test.d.tmp -MT test/evp_extra_test-bin-evp_extra_test.o -c -o test/evp_extra_test-bin-evp_extra_test.o ../openssl/test/evp_extra_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_extra_test2-bin-evp_extra_test2.d.tmp -MT test/evp_extra_test2-bin-evp_extra_test2.o -c -o test/evp_extra_test2-bin-evp_extra_test2.o ../openssl/test/evp_extra_test2.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_fetch_prov_test-bin-evp_fetch_prov_test.d.tmp -MT test/evp_fetch_prov_test-bin-evp_fetch_prov_test.o -c -o test/evp_fetch_prov_test-bin-evp_fetch_prov_test.o ../openssl/test/evp_fetch_prov_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_kdf_test-bin-evp_kdf_test.d.tmp -MT test/evp_kdf_test-bin-evp_kdf_test.o -c -o test/evp_kdf_test-bin-evp_kdf_test.o ../openssl/test/evp_kdf_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_libctx_test-bin-evp_libctx_test.d.tmp -MT test/evp_libctx_test-bin-evp_libctx_test.o -c -o test/evp_libctx_test-bin-evp_libctx_test.o ../openssl/test/evp_libctx_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_pkey_dparams_test-bin-evp_pkey_dparams_test.d.tmp -MT test/evp_pkey_dparams_test-bin-evp_pkey_dparams_test.o -c -o test/evp_pkey_dparams_test-bin-evp_pkey_dparams_test.o ../openssl/test/evp_pkey_dparams_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_pkey_provided_test-bin-evp_pkey_provided_test.d.tmp -MT test/evp_pkey_provided_test-bin-evp_pkey_provided_test.o -c -o test/evp_pkey_provided_test-bin-evp_pkey_provided_test.o ../openssl/test/evp_pkey_provided_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_test-bin-evp_test.d.tmp -MT test/evp_test-bin-evp_test.o -c -o test/evp_test-bin-evp_test.o ../openssl/test/evp_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/exdatatest-bin-exdatatest.d.tmp -MT test/exdatatest-bin-exdatatest.o -c -o test/exdatatest-bin-exdatatest.o ../openssl/test/exdatatest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/exptest-bin-exptest.d.tmp -MT test/exptest-bin-exptest.o -c -o test/exptest-bin-exptest.o ../openssl/test/exptest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/fatalerrtest-bin-fatalerrtest.d.tmp -MT test/fatalerrtest-bin-fatalerrtest.o -c -o test/fatalerrtest-bin-fatalerrtest.o ../openssl/test/fatalerrtest.c clang -I. -Iinclude -I../openssl -I../openssl/include -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/fatalerrtest-bin-ssltestlib.d.tmp -MT test/helpers/fatalerrtest-bin-ssltestlib.o -c -o test/helpers/fatalerrtest-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ffc_internal_test-bin-ffc_internal_test.d.tmp -MT test/ffc_internal_test-bin-ffc_internal_test.o -c -o test/ffc_internal_test-bin-ffc_internal_test.o ../openssl/test/ffc_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/gmdifftest-bin-gmdifftest.d.tmp -MT test/gmdifftest-bin-gmdifftest.o -c -o test/gmdifftest-bin-gmdifftest.o ../openssl/test/gmdifftest.c clang -Iinclude -Iapps/include -I. -I../openssl/include -I../openssl/apps/include -I../openssl -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/gosttest-bin-gosttest.d.tmp -MT test/gosttest-bin-gosttest.o -c -o test/gosttest-bin-gosttest.o ../openssl/test/gosttest.c clang -I. -Iinclude -I../openssl -I../openssl/include -Iinclude -Iapps/include -I. -I../openssl/include -I../openssl/apps/include -I../openssl -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/gosttest-bin-ssltestlib.d.tmp -MT test/helpers/gosttest-bin-ssltestlib.o -c -o test/helpers/gosttest-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/hexstr_test-bin-hexstr_test.d.tmp -MT test/hexstr_test-bin-hexstr_test.o -c -o test/hexstr_test-bin-hexstr_test.o ../openssl/test/hexstr_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/hmactest-bin-hmactest.d.tmp -MT test/hmactest-bin-hmactest.o -c -o test/hmactest-bin-hmactest.o ../openssl/test/hmactest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/http_test-bin-http_test.d.tmp -MT test/http_test-bin-http_test.o -c -o test/http_test-bin-http_test.o ../openssl/test/http_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ideatest-bin-ideatest.d.tmp -MT test/ideatest-bin-ideatest.o -c -o test/ideatest-bin-ideatest.o ../openssl/test/ideatest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/igetest-bin-igetest.d.tmp -MT test/igetest-bin-igetest.o -c -o test/igetest-bin-igetest.o ../openssl/test/igetest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/keymgmt_internal_test-bin-keymgmt_internal_test.d.tmp -MT test/keymgmt_internal_test-bin-keymgmt_internal_test.o -c -o test/keymgmt_internal_test-bin-keymgmt_internal_test.o ../openssl/test/keymgmt_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/lhash_test-bin-lhash_test.d.tmp -MT test/lhash_test-bin-lhash_test.o -c -o test/lhash_test-bin-lhash_test.o ../openssl/test/lhash_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/mdc2_internal_test-bin-mdc2_internal_test.d.tmp -MT test/mdc2_internal_test-bin-mdc2_internal_test.o -c -o test/mdc2_internal_test-bin-mdc2_internal_test.o ../openssl/test/mdc2_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/mdc2test-bin-mdc2test.d.tmp -MT test/mdc2test-bin-mdc2test.o -c -o test/mdc2test-bin-mdc2test.o ../openssl/test/mdc2test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/memleaktest-bin-memleaktest.d.tmp -MT test/memleaktest-bin-memleaktest.o -c -o test/memleaktest-bin-memleaktest.o ../openssl/test/memleaktest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/modes_internal_test-bin-modes_internal_test.d.tmp -MT test/modes_internal_test-bin-modes_internal_test.o -c -o test/modes_internal_test-bin-modes_internal_test.o ../openssl/test/modes_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/moduleloadtest-bin-moduleloadtest.d.tmp -MT test/moduleloadtest-bin-moduleloadtest.o -c -o test/moduleloadtest-bin-moduleloadtest.o ../openssl/test/moduleloadtest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/moduleloadtest-bin-simpledynamic.d.tmp -MT test/moduleloadtest-bin-simpledynamic.o -c -o test/moduleloadtest-bin-simpledynamic.o ../openssl/test/simpledynamic.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/namemap_internal_test-bin-namemap_internal_test.d.tmp -MT test/namemap_internal_test-bin-namemap_internal_test.o -c -o test/namemap_internal_test-bin-namemap_internal_test.o ../openssl/test/namemap_internal_test.c In file included from In file included from ../openssl/test/simpledynamic.c../openssl/test/moduleloadtest.c::1319: : ../openssl/test/simpledynamic.h../openssl/test/simpledynamic.h::3939::3535:: errorerror: : unknown type name 'SD'unknown type name 'SD' int sd_load(const char *filename, SD *sd, int type);int sd_load(const char *filename, SD *sd, int type); ^ ^ ../openssl/test/simpledynamic.h:40:12:../openssl/test/simpledynamic.h :error40: :unknown type name 'SD'12 : error: unknown type name 'SD' int sd_sym(SD sd, const char *symname, SD_SYM *sym); ^ int sd_sym(SD sd, const char *symname, SD_SYM *sym); ^ ../openssl/test/simpledynamic.h:40:40: error: unknown type name 'SD_SYM' int sd_sym(SD sd, const char *symname, SD_SYM *sym); ../openssl/test/simpledynamic.h ^: 40:40: error: unknown type name 'SD_SYM' int sd_sym(SD sd, const char *symname, SD_SYM *sym); ^ ../openssl/test/simpledynamic.h:41:14: error: unknown type name 'SD' int sd_close(SD lib); ^ ../openssl/test/simpledynamic.h:41:14: error: unknown type name 'SD' int sd_close(SD lib); ^ 4 errors generated. 4 errors generated. make[1]: *** [Makefile:24774: test/moduleloadtest-bin-simpledynamic.o] Error 1 make[1]: *** Waiting for unfinished jobs.... make[1]: *** [Makefile:24766: test/moduleloadtest-bin-moduleloadtest.o] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dso' make: *** [Makefile:3067: build_sw] Error 2 From matt at openssl.org Mon Jan 4 12:15:46 2021 From: matt at openssl.org (Matt Caswell) Date: Mon, 04 Jan 2021 12:15:46 +0000 Subject: [openssl] master update Message-ID: <1609762546.287682.12907.nullmailer@dev.openssl.org> The branch master has been updated via 2c61a670ebf2f1923a3bd2ef0ee4b2fa6261eaeb (commit) via ce1119265005bd254fc92395f72490c19adc707c (commit) from 38b57c4c5268e4db0cad6db6744bf70ce4a0e188 (commit) - Log ----------------------------------------------------------------- commit 2c61a670ebf2f1923a3bd2ef0ee4b2fa6261eaeb Author: Nirbheek Chauhan Date: Wed Jul 8 23:23:04 2020 +0530 win-onecore: Build with /APPCONTAINER for UWP compat When targeting the win-onecore configuration, we must link with /APPCONTAINER which is a requirement for submitting apps to the Windows Store. Without this, the Windows App Certificate Kit will reject the app: https://docs.microsoft.com/en-us/cpp/build/reference/appcontainer-windows-store-app Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/12400) commit ce1119265005bd254fc92395f72490c19adc707c Author: Nirbheek Chauhan Date: Wed Jul 8 23:10:34 2020 +0530 crypto/win: Don't use disallowed APIs on UWP CreateFiber and ConvertThreadToFiber are not allowed in Windows Store (Universal Windows Platform) apps since they have been replaced by their Ex variants which have a new dwFlags parameter. This flag allows the fiber to do floating-point arithmetic in the fiber on x86, which would silently cause corruption otherwise since the floating-point state is not switched by default. Switch to these "new" APIs which were added in Vista. See: https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createfiberex#parameters Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/12400) ----------------------------------------------------------------------- Summary of changes: Configurations/50-win-onecore.conf | 9 +++++---- crypto/async/arch/async_win.c | 4 ++++ crypto/async/arch/async_win.h | 10 +++++++++- 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/Configurations/50-win-onecore.conf b/Configurations/50-win-onecore.conf index 91e77b663f..efa2c837bc 100644 --- a/Configurations/50-win-onecore.conf +++ b/Configurations/50-win-onecore.conf @@ -36,13 +36,14 @@ my %targets = ( # /NODEFAULTLIB:kernel32.lib is needed, because MSVCRT.LIB has # hidden reference to kernel32.lib, but we don't actually want # it in "onecore" build. - lflags => add("/NODEFAULTLIB:kernel32.lib"), + # /APPCONTAINER is needed for Universal Windows Platform compat + lflags => add("/NODEFAULTLIB:kernel32.lib /APPCONTAINER"), defines => add("OPENSSL_SYS_WIN_CORE"), ex_libs => "onecore.lib", }, "VC-WIN64A-ONECORE" => { inherit_from => [ "VC-WIN64A" ], - lflags => add("/NODEFAULTLIB:kernel32.lib"), + lflags => add("/NODEFAULTLIB:kernel32.lib /APPCONTAINER"), defines => add("OPENSSL_SYS_WIN_CORE"), ex_libs => "onecore.lib", }, @@ -68,7 +69,7 @@ my %targets = ( defines => add("_ARM_WINAPI_PARTITION_DESKTOP_SDK_AVAILABLE", "OPENSSL_SYS_WIN_CORE"), bn_ops => "BN_LLONG RC4_CHAR", - lflags => add("/NODEFAULTLIB:kernel32.lib"), + lflags => add("/NODEFAULTLIB:kernel32.lib /APPCONTAINER"), ex_libs => "onecore.lib", multilib => "-arm", }, @@ -77,7 +78,7 @@ my %targets = ( defines => add("_ARM_WINAPI_PARTITION_DESKTOP_SDK_AVAILABLE", "OPENSSL_SYS_WIN_CORE"), bn_ops => "SIXTY_FOUR_BIT RC4_CHAR", - lflags => add("/NODEFAULTLIB:kernel32.lib"), + lflags => add("/NODEFAULTLIB:kernel32.lib /APPCONTAINER"), ex_libs => "onecore.lib", multilib => "-arm64", }, diff --git a/crypto/async/arch/async_win.c b/crypto/async/arch/async_win.c index 0db9efe3c1..72cc27c214 100644 --- a/crypto/async/arch/async_win.c +++ b/crypto/async/arch/async_win.c @@ -34,7 +34,11 @@ void async_local_cleanup(void) int async_fibre_init_dispatcher(async_fibre *fibre) { +# if defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x600 + fibre->fibre = ConvertThreadToFiberEx(NULL, FIBER_FLAG_FLOAT_SWITCH); +# else fibre->fibre = ConvertThreadToFiber(NULL); +# endif if (fibre->fibre == NULL) { fibre->converted = 0; fibre->fibre = GetCurrentFiber(); diff --git a/crypto/async/arch/async_win.h b/crypto/async/arch/async_win.h index 87e661d766..eb61b032e0 100644 --- a/crypto/async/arch/async_win.h +++ b/crypto/async/arch/async_win.h @@ -26,8 +26,16 @@ typedef struct async_fibre_st { # define async_fibre_swapcontext(o,n,r) \ (SwitchToFiber((n)->fibre), 1) -# define async_fibre_makecontext(c) \ + +# if defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x600 +# define async_fibre_makecontext(c) \ + ((c)->fibre = CreateFiberEx(0, 0, FIBER_FLAG_FLOAT_SWITCH, \ + async_start_func_win, 0)) +# else +# define async_fibre_makecontext(c) \ ((c)->fibre = CreateFiber(0, async_start_func_win, 0)) +# endif + # define async_fibre_free(f) (DeleteFiber((f)->fibre)) int async_fibre_init_dispatcher(async_fibre *fibre); From mark at openssl.org Mon Jan 4 16:03:11 2021 From: mark at openssl.org (Mark J. Cox) Date: Mon, 04 Jan 2021 16:03:11 +0000 Subject: [web] master update Message-ID: <1609776191.583593.31111.nullmailer@dev.openssl.org> The branch master has been updated via 32ac25c3dc11364b8854de9e91303951f6ba406d (commit) via 9720d7fff327192e2d845f4e4d305c32cc0fe8b9 (commit) from 0689c523b599d89f0ce5caedab4f7d66bee1efb6 (commit) - Log ----------------------------------------------------------------- commit 32ac25c3dc11364b8854de9e91303951f6ba406d Merge: 0689c52 9720d7f Author: Mark J. Cox Date: Mon Jan 4 15:49:15 2021 +0000 Merge pull request #211 from iamamoose/sponsorupdate Update the Sponsorship page to remove sponsorships that have lapsed commit 9720d7fff327192e2d845f4e4d305c32cc0fe8b9 Author: Mark J. Cox Date: Mon Jan 4 15:29:11 2021 +0000 Update the Sponsorship page to remove sponsorships that have lapsed and add a link to recognise the GitHub Sponsors ----------------------------------------------------------------------- Summary of changes: support/acks.html | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) diff --git a/support/acks.html b/support/acks.html index 419924e..f3c75d2 100644 --- a/support/acks.html +++ b/support/acks.html @@ -15,10 +15,9 @@

Sponsorship Donations

-

We would like to identify and thank the following sponsors for their donations which give significant support to the OpenSSL project. - Please note some sponsors remain anonymous.

+ Please note sponsors may choose to remain anonymous.


-

Exceptional:

- -
- -
- -

Platinum:

- -
- -
-

Bronze:

@@ -63,7 +47,9 @@

Other Donations

- We also identify and thank organizations who contribute + We also would like to thank those who contribute + via GitHub Sponsors, + as well as the organizations who contribute in-kind donations to the project.

From no-reply at appveyor.com Mon Jan 4 21:27:08 2021 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Jan 2021 21:27:08 +0000 Subject: Build failed: openssl master.38943 Message-ID: <20210104212708.1.C8D5B45044A27129@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Mon Jan 4 23:09:26 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 04 Jan 2021 23:09:26 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module Message-ID: <1609801766.842490.692957.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: ea08f8b294 Add a test for the new CRYPTO_atomic_* functions 49fff26d67 Add documentation for CRYPTO_atomic_or and CRYPTO_atomic_load db6bcc81ab Optimise OPENSSL_init_crypto d5e742de65 Add some more CRYPTO_atomic functions Build log ended with (last 100 lines): # warn_cert_msg:../openssl/apps/cmp.c:687:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1980:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2030:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 0 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem -out_trusted root.crt => 0 not ok 43 - popo RAVERIFIED # ------------------------------------------------------------------------------ # cmp_main:../openssl/apps/cmp.c:2663:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2263:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:687:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1980:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2030:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # ------------------------------------------------------------------------------ # Failed test 'popo NONE' # at ../openssl/test/recipes/81-test_cmp_cli.t line 183. # cmp_main:../openssl/apps/cmp.c:2663:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2263:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:687:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1980:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2030:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 2 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem -out_trusted root.crt => 0 not ok 48 - popo KEYENC not supported # ------------------------------------------------------------------------------ # Looks like you failed 3 tests of 92. not ok 7 - CMP app CLI Mock enrollment # ------------------------------------------------------------------------------ # # Failed test 'CMP app CLI Mock enrollment # ' # at /home/openssl/run-checker/enable-fuzz-afl/../openssl/util/perl/OpenSSL/Test.pm line 1335. # Looks like you failed 3 tests of 7.81-test_cmp_cli.t .................. Dubious, test returned 3 (wstat 768, 0x300) Failed 3/7 subtests 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. skipped: Test only supported in a shared build 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: GOST support is disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ skipped: Test only supported in a shared build 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. skipped: tls13secrets is not supported in this build 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 81-test_cmp_cli.t (Wstat: 768 Tests: 7 Failed: 3) Failed tests: 4-5, 7 Non-zero exit status: 3 Files=227, Tests=2999, 639 wallclock secs ( 9.40 usr 1.28 sys + 564.05 cusr 62.76 csys = 637.49 CPU) Result: FAIL make[1]: *** [Makefile:2463: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-fuzz-afl' make: *** [Makefile:2460: tests] Error 2 From no-reply at appveyor.com Tue Jan 5 01:01:13 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 05 Jan 2021 01:01:13 +0000 Subject: Build failed: openssl master.38949 Message-ID: <20210105010113.1.517E1192B0ED0A38@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Jan 5 02:13:42 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 05 Jan 2021 02:13:42 +0000 Subject: Build completed: openssl master.38950 Message-ID: <20210105021342.1.C90FDC95F55C611A@appveyor.com> An HTML attachment was scrubbed... URL: From dev at ddvo.net Tue Jan 5 11:29:01 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Tue, 05 Jan 2021 11:29:01 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1609846141.741832.13530.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 80d5badd8fa7dcc7dffc88745376df53161e392a (commit) from 9be10637502bf32189055dff8d3442e140e845c5 (commit) - Log ----------------------------------------------------------------- commit 80d5badd8fa7dcc7dffc88745376df53161e392a Author: Dr. David von Oheimb Date: Sat Jan 2 21:23:12 2021 +0100 Update copyright years of auto-generated headers (make update) This backports #13764. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/13769) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/charmap.h | 2 +- crypto/bn/bn_prime.h | 2 +- crypto/conf/conf_def.h | 2 +- crypto/objects/obj_dat.h | 2 +- crypto/objects/obj_xref.h | 2 +- include/openssl/obj_mac.h | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/crypto/asn1/charmap.h b/crypto/asn1/charmap.h index cac354c6bf..e234c9e615 100644 --- a/crypto/asn1/charmap.h +++ b/crypto/asn1/charmap.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/asn1/charmap.pl * - * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bn/bn_prime.h b/crypto/bn/bn_prime.h index ba48244534..1a25c28577 100644 --- a/crypto/bn/bn_prime.h +++ b/crypto/bn/bn_prime.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/bn/bn_prime.pl * - * Copyright 1998-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/conf/conf_def.h b/crypto/conf/conf_def.h index 2ced300e40..1e4a03e10b 100644 --- a/crypto/conf/conf_def.h +++ b/crypto/conf/conf_def.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/conf/keysets.pl * - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index d1b1bc7faf..24b49a2df2 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/obj_dat.pl * - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h index 1ca04bbff1..5c3561ab7d 100644 --- a/crypto/objects/obj_xref.h +++ b/crypto/objects/obj_xref.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by objxref.pl * - * Copyright 1998-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h index 483fc0509e..eb812ed18d 100644 --- a/include/openssl/obj_mac.h +++ b/include/openssl/obj_mac.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/objects.pl * - * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at From tmraz at fedoraproject.org Tue Jan 5 15:44:43 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Tue, 05 Jan 2021 15:44:43 +0000 Subject: [openssl] master update Message-ID: <1609861483.213427.25418.nullmailer@dev.openssl.org> The branch master has been updated via b043c41c0059786eb78492fb64217053272ef37d (commit) via b2d14651533897b709208e633d4b4f590e0eff1c (commit) from 2c61a670ebf2f1923a3bd2ef0ee4b2fa6261eaeb (commit) - Log ----------------------------------------------------------------- commit b043c41c0059786eb78492fb64217053272ef37d Author: Etienne Millon Date: Mon Jan 4 11:33:55 2021 +0100 28-seclevel.cnf.in: fix typo in algo name CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13768) commit b2d14651533897b709208e633d4b4f590e0eff1c Author: Etienne Millon Date: Mon Jan 4 11:28:36 2021 +0100 EVP_SIGNATURE-ED25519.pod: fix typo in algo name CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13768) ----------------------------------------------------------------------- Summary of changes: doc/man7/EVP_SIGNATURE-ED25519.pod | 2 +- test/ssl-tests/28-seclevel.cnf.in | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/man7/EVP_SIGNATURE-ED25519.pod b/doc/man7/EVP_SIGNATURE-ED25519.pod index bb91ae2434..e2fc31f724 100644 --- a/doc/man7/EVP_SIGNATURE-ED25519.pod +++ b/doc/man7/EVP_SIGNATURE-ED25519.pod @@ -15,7 +15,7 @@ one-shot digest sign and digest verify using PureEdDSA and B or B be specified when diff --git a/test/ssl-tests/28-seclevel.cnf.in b/test/ssl-tests/28-seclevel.cnf.in index ebb082c0af..b7b96e87b7 100644 --- a/test/ssl-tests/28-seclevel.cnf.in +++ b/test/ssl-tests/28-seclevel.cnf.in @@ -34,7 +34,7 @@ our @tests_ec = ( test => { "ExpectedResult" => "Success" }, }, { - # The Ed488 signature algorithm will not be enabled. + # The Ed448 signature algorithm will not be enabled. # Because of the config order, the certificate is first loaded, and # then the security level is chaged. If you try this with s_server # the order will be reversed and it will instead fail to load the key. @@ -47,7 +47,7 @@ our @tests_ec = ( test => { "ExpectedResult" => "ServerFail" }, }, { - # The client will not sent the Ed488 signature algorithm, so the server + # The client will not sent the Ed448 signature algorithm, so the server # doesn't have a useable signature algorithm for the certificate. name => "SECLEVEL 5 client with ED448 key", server => { "CipherString" => "DEFAULT:\@SECLEVEL=4", From matt at openssl.org Tue Jan 5 18:09:37 2021 From: matt at openssl.org (Matt Caswell) Date: Tue, 05 Jan 2021 18:09:37 +0000 Subject: [openssl] master update Message-ID: <1609870177.248964.22759.nullmailer@dev.openssl.org> The branch master has been updated via 3497cc8776d50397ceefbd41bd3356a7f5d30c14 (commit) from b043c41c0059786eb78492fb64217053272ef37d (commit) - Log ----------------------------------------------------------------- commit 3497cc8776d50397ceefbd41bd3356a7f5d30c14 Author: bazmoz Date: Sun Dec 27 22:05:14 2020 +0530 Updated SSL_CTX_new doc Fixes #13703 Reviewed-by: Ben Kaduk Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13741) ----------------------------------------------------------------------- Summary of changes: doc/man3/SSL_CTX_new.pod | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/doc/man3/SSL_CTX_new.pod b/doc/man3/SSL_CTX_new.pod index b71cda9be0..4093e657e8 100644 --- a/doc/man3/SSL_CTX_new.pod +++ b/doc/man3/SSL_CTX_new.pod @@ -73,11 +73,12 @@ functions =head1 DESCRIPTION -SSL_CTX_new_ex() creates a new B object as a framework to -establish TLS/SSL or DTLS enabled connections using the library context -I (see L). Any cryptographic algorithms that are used -by any B objects created from this B will be fetched from the -I using the property query string I (see +SSL_CTX_new_ex() creates a new B object, which holds various +configuration and data relevant to TLS/SSL or DTLS session establishment. The +library context I (see L) is used to provide the +cryptographic algorithms needed for the session. Any cryptographic algorithms +that are used by any B objects created from this B will be fetched +from the I using the property query string I (see L. Either or both the I or I parameters may be NULL. @@ -90,6 +91,10 @@ SSL_CTX_free) decrements it. When the reference count drops to zero, any memory or resources allocated to the B object are freed. SSL_CTX_up_ref() increments the reference count for an existing B structure. +An B object should not be changed after it is used to create any B +objects or from multiple threads concurrently, since the implementation does not +provide serialization of access for these cases. + =head1 NOTES The SSL_CTX object uses I as the connection method. From openssl at openssl.org Tue Jan 5 21:09:09 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 05 Jan 2021 21:09:09 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2 Message-ID: <1609880949.024793.3311836.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: ea08f8b294 Add a test for the new CRYPTO_atomic_* functions 49fff26d67 Add documentation for CRYPTO_atomic_or and CRYPTO_atomic_load db6bcc81ab Optimise OPENSSL_init_crypto d5e742de65 Add some more CRYPTO_atomic functions Build log ended with (last 100 lines): # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80C17CF03A7F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80C17CF03A7F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:610:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/hKckL8WvgN default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80D1AA42FA7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80D1AA42FA7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80D1AA42FA7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80D1AA42FA7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80D1AA42FA7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80D1AA42FA7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/hKckL8WvgN fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=227, Tests=3559, 868 wallclock secs (14.05 usr 1.46 sys + 772.73 cusr 91.80 csys = 880.04 CPU) Result: FAIL make[1]: *** [Makefile:3259: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2' make: *** [Makefile:3256: tests] Error 2 From openssl at openssl.org Tue Jan 5 23:36:15 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 05 Jan 2021 23:36:15 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method Message-ID: <1609889775.157147.3613991.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: ea08f8b294 Add a test for the new CRYPTO_atomic_* functions 49fff26d67 Add documentation for CRYPTO_atomic_or and CRYPTO_atomic_load db6bcc81ab Optimise OPENSSL_init_crypto d5e742de65 Add some more CRYPTO_atomic functions Build log ended with (last 100 lines): # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80918175B37F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80918175B37F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:610:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/j8p8AbYHtB default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80212C69497F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80212C69497F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80212C69497F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80212C69497F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80212C69497F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80212C69497F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/j8p8AbYHtB fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=227, Tests=3559, 1004 wallclock secs (13.86 usr 1.26 sys + 916.02 cusr 85.05 csys = 1016.19 CPU) Result: FAIL make[1]: *** [Makefile:3252: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2-method' make: *** [Makefile:3249: tests] Error 2 From kaduk at mit.edu Wed Jan 6 00:32:47 2021 From: kaduk at mit.edu (kaduk at mit.edu) Date: Wed, 06 Jan 2021 00:32:47 +0000 Subject: [openssl] master update Message-ID: <1609893167.096070.32238.nullmailer@dev.openssl.org> The branch master has been updated via 7fd1ca723a06739e76a17d1065ac94bcfcfc4f9f (commit) via b39c215decf6e68c28cb64dcfaf5ae5a7e8d35b4 (commit) from 3497cc8776d50397ceefbd41bd3356a7f5d30c14 (commit) - Log ----------------------------------------------------------------- commit 7fd1ca723a06739e76a17d1065ac94bcfcfc4f9f Author: John Baldwin Date: Fri Nov 20 17:45:48 2020 -0800 Support session information on FreeBSD. FreeBSD's /dev/crypto does not provide a CIOCGSESSINFO ioctl, but it does provide other ioctls that can be used to provide similar functionality. First, FreeBSD's /dev/crypto defines a CIOCGESSION2 ioctl which accepts a 'struct session2_op'. This structure extends 'struct session_op' with a 'crid' member which can be used to either request an individual driver by id, or a class of drivers via flags. To determine if the available drivers for a given algorithm are accelerated or not, use CIOCGESSION2 to first attempt to create an accelerated (hardware) session. If that fails, fall back to attempting a software session. In addition, when requesting a new cipher session, use the current setting of the 'use_softdrivers' flag to determine the value assigned to 'crid' when invoking CIOCGSESSION2. Finally, use the returned 'crid' value from CIOCGSESSION2 to look up the name of the associated driver via the CIOCFINDDEV ioctl. Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13468) commit b39c215decf6e68c28cb64dcfaf5ae5a7e8d35b4 Author: John Baldwin Date: Fri Nov 20 17:07:35 2020 -0800 Use CRIOGET to fetch a crypto descriptor when present. FreeBSD's current /dev/crypto implementation requires that consumers clone a separate file descriptor via the CRIOGET ioctl that can then be used with other ioctls such as CIOCGSESSION. Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13468) ----------------------------------------------------------------------- Summary of changes: engines/e_devcrypto.c | 86 +++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 73 insertions(+), 13 deletions(-) diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c index d54ca3bbc1..7f3768d36c 100644 --- a/engines/e_devcrypto.c +++ b/engines/e_devcrypto.c @@ -34,6 +34,16 @@ #define engine_devcrypto_id "devcrypto" +/* + * Use session2_op on FreeBSD which permits requesting specific + * drivers or classes of drivers at session creation time. + */ +#ifdef CIOCGSESSION2 +typedef struct session2_op session_op_t; +#else +typedef struct session_op session_op_t; +#endif + /* * ONE global file descriptor for all sessions. This allows operations * such as digest session data copying (see digest_copy()), but is also @@ -73,12 +83,12 @@ struct driver_info_st { void engine_load_devcrypto_int(void); #endif -static int clean_devcrypto_session(struct session_op *sess) { +static int clean_devcrypto_session(session_op_t *sess) { if (ioctl(cfd, CIOCFSESSION, &sess->ses) < 0) { ERR_raise_data(ERR_LIB_SYS, errno, "calling ioctl()"); return 0; } - memset(sess, 0, sizeof(struct session_op)); + memset(sess, 0, sizeof(*sess)); return 1; } @@ -93,7 +103,7 @@ static int clean_devcrypto_session(struct session_op *sess) { *****/ struct cipher_ctx { - struct session_op sess; + session_op_t sess; int op; /* COP_ENCRYPT or COP_DECRYPT */ unsigned long mode; /* EVP_CIPH_*_MODE */ @@ -198,6 +208,7 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); const struct cipher_data_st *cipher_d = get_cipher_data(EVP_CIPHER_CTX_nid(ctx)); + int ret; /* cleanup a previous session */ if (cipher_ctx->sess.ses != 0 && @@ -210,7 +221,15 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT; cipher_ctx->mode = cipher_d->flags & EVP_CIPH_MODE; cipher_ctx->blocksize = cipher_d->blocksize; - if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) { +#ifdef CIOCGSESSION2 + cipher_ctx->sess.crid = (use_softdrivers == DEVCRYPTO_USE_SOFTWARE) ? + CRYPTO_FLAG_SOFTWARE | CRYPTO_FLAG_HARDWARE : + CRYPTO_FLAG_HARDWARE; + ret = ioctl(cfd, CIOCGSESSION2, &cipher_ctx->sess); +#else + ret = ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess); +#endif + if (ret < 0) { ERR_raise_data(ERR_LIB_SYS, errno, "calling ioctl()"); return 0; } @@ -406,9 +425,12 @@ static int devcrypto_test_cipher(size_t cipher_data_index) static void prepare_cipher_methods(void) { size_t i; - struct session_op sess; + session_op_t sess; unsigned long cipher_mode; -#ifdef CIOCGSESSINFO +#ifdef CIOCGSESSION2 + struct crypt_find_op fop; + enum devcrypto_accelerated_t accelerated; +#elif defined(CIOCGSESSINFO) struct session_info_op siop; #endif @@ -426,10 +448,29 @@ static void prepare_cipher_methods(void) */ sess.cipher = cipher_data[i].devcryptoid; sess.keylen = cipher_data[i].keylen; +#ifdef CIOCGSESSION2 + /* + * When using CIOCGSESSION2, first try to allocate a hardware + * ("accelerated") session. If that fails, fall back to + * allocating a software session. + */ + sess.crid = CRYPTO_FLAG_HARDWARE; + if (ioctl(cfd, CIOCGSESSION2, &sess) == 0) { + accelerated = DEVCRYPTO_ACCELERATED; + } else { + sess.crid = CRYPTO_FLAG_SOFTWARE; + if (ioctl(cfd, CIOCGSESSION2, &sess) < 0) { + cipher_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION; + continue; + } + accelerated = DEVCRYPTO_NOT_ACCELERATED; + } +#else if (ioctl(cfd, CIOCGSESSION, &sess) < 0) { cipher_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION; continue; } +#endif cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE; @@ -460,7 +501,14 @@ static void prepare_cipher_methods(void) known_cipher_methods[i] = NULL; } else { cipher_driver_info[i].status = DEVCRYPTO_STATUS_USABLE; -#ifdef CIOCGSESSINFO +#ifdef CIOCGSESSION2 + cipher_driver_info[i].accelerated = accelerated; + fop.crid = sess.crid; + if (ioctl(cfd, CIOCFINDDEV, &fop) == 0) { + cipher_driver_info[i].driver_name = + OPENSSL_strndup(fop.name, sizeof(fop.name)); + } +#elif defined(CIOCGSESSINFO) siop.ses = sess.ses; if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) { cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; @@ -624,7 +672,7 @@ static void dump_cipher_info(void) *****/ struct digest_ctx { - struct session_op sess; + session_op_t sess; /* This signals that the init function was called, not that it succeeded. */ int init_called; unsigned char digest_res[HASH_MAX_LEN]; @@ -843,7 +891,7 @@ static void rebuild_known_digest_nids(ENGINE *e) static void prepare_digest_methods(void) { size_t i; - struct session_op sess1, sess2; + session_op_t sess1, sess2; #ifdef CIOCGSESSINFO struct session_info_op siop; #endif @@ -1051,7 +1099,7 @@ static void dump_digest_info(void) #define DEVCRYPTO_CMD_DUMP_INFO (ENGINE_CMD_BASE + 3) static const ENGINE_CMD_DEFN devcrypto_cmds[] = { -#ifdef CIOCGSESSINFO +#if defined(CIOCGSESSINFO) || defined(CIOCGSESSION2) {DEVCRYPTO_CMD_USE_SOFTDRIVERS, "USE_SOFTDRIVERS", "specifies whether to use software (not accelerated) drivers (" @@ -1087,7 +1135,7 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) { int *new_list; switch (cmd) { -#ifdef CIOCGSESSINFO +#if defined(CIOCGSESSINFO) || defined(CIOCGSESSION2) case DEVCRYPTO_CMD_USE_SOFTDRIVERS: switch (i) { case DEVCRYPTO_REQUIRE_ACCELERATED: @@ -1106,7 +1154,7 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) #endif rebuild_known_cipher_nids(e); return 1; -#endif /* CIOCGSESSINFO */ +#endif /* CIOCGSESSINFO || CIOCGSESSION2 */ case DEVCRYPTO_CMD_CIPHERS: if (p == NULL) @@ -1172,10 +1220,12 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) */ static int open_devcrypto(void) { + int fd; + if (cfd >= 0) return 1; - if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) { + if ((fd = open("/dev/crypto", O_RDWR, 0)) < 0) { #ifndef ENGINE_DEVCRYPTO_DEBUG if (errno != ENOENT) #endif @@ -1183,6 +1233,16 @@ static int open_devcrypto(void) return 0; } +#ifdef CRIOGET + if (ioctl(fd, CRIOGET, &cfd) < 0) { + fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno)); + cfd = -1; + return 0; + } +#else + cfd = fd; +#endif + return 1; } From tmraz at fedoraproject.org Wed Jan 6 10:07:13 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Wed, 06 Jan 2021 10:07:13 +0000 Subject: [openssl] master update Message-ID: <1609927633.754759.7377.nullmailer@dev.openssl.org> The branch master has been updated via 7c0e98a5c40806ff9dde15cf4a619cc931800fd9 (commit) from 7fd1ca723a06739e76a17d1065ac94bcfcfc4f9f (commit) - Log ----------------------------------------------------------------- commit 7c0e98a5c40806ff9dde15cf4a619cc931800fd9 Author: David CARLIER Date: Mon Jan 4 16:42:47 2021 +0000 Mac M1 setting change proposal. Running tests takes very long with the current setting while it takes a lot shorter time with this change. Reviewed-by: Ben Kaduk Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13771) ----------------------------------------------------------------------- Summary of changes: Configurations/10-main.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index 5f672fbb77..ef892b555a 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -1623,7 +1623,7 @@ my %targets = ( cflags => add("-arch arm64"), lib_cppflags => add("-DL_ENDIAN"), bn_ops => "SIXTY_FOUR_BIT_LONG", - asm_arch => 'aarch64_asm', + asm_arch => 'aarch64', perlasm_scheme => "ios64", }, From matt at openssl.org Wed Jan 6 11:26:43 2021 From: matt at openssl.org (Matt Caswell) Date: Wed, 06 Jan 2021 11:26:43 +0000 Subject: [openssl] master update Message-ID: <1609932403.590050.18962.nullmailer@dev.openssl.org> The branch master has been updated via e260bee0a97d4e6de60eae2c86d7c11ed03f2010 (commit) from 7c0e98a5c40806ff9dde15cf4a619cc931800fd9 (commit) - Log ----------------------------------------------------------------- commit e260bee0a97d4e6de60eae2c86d7c11ed03f2010 Author: Matt Caswell Date: Mon Jan 4 17:29:35 2021 +0000 Only perform special TLS handling if TLS has been configured Skip over special TLS steps for stream ciphers if we haven't been configured for TLS. Fixes #12528 Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13774) ----------------------------------------------------------------------- Summary of changes: providers/implementations/ciphers/ciphercommon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c index 0941210f20..0e3e367dfc 100644 --- a/providers/implementations/ciphers/ciphercommon.c +++ b/providers/implementations/ciphers/ciphercommon.c @@ -429,7 +429,7 @@ int ossl_cipher_generic_stream_update(void *vctx, unsigned char *out, } *outl = inl; - if (!ctx->enc) { + if (!ctx->enc && ctx->tlsversion > 0) { /* * Remove any TLS padding. Only used by cipher_aes_cbc_hmac_sha1_hw.c and * cipher_aes_cbc_hmac_sha256_hw.c From no-reply at appveyor.com Wed Jan 6 18:49:12 2021 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 06 Jan 2021 18:49:12 +0000 Subject: Build failed: openssl master.38985 Message-ID: <20210106184912.1.FF04BE1166082F36@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Wed Jan 6 20:13:15 2021 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 06 Jan 2021 20:13:15 +0000 Subject: Build completed: openssl master.38986 Message-ID: <20210106201315.1.D805FDEC57CC35A7@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Thu Jan 7 01:05:28 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 07 Jan 2021 01:05:28 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm Message-ID: <1609981528.357004.4164225.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-asm Commit log since last time: e260bee0a9 Only perform special TLS handling if TLS has been configured 7c0e98a5c4 Mac M1 setting change proposal. 7fd1ca723a Support session information on FreeBSD. b39c215dec Use CRIOGET to fetch a crypto descriptor when present. 3497cc8776 Updated SSL_CTX_new doc b043c41c00 28-seclevel.cnf.in: fix typo in algo name b2d1465153 EVP_SIGNATURE-ED25519.pod: fix typo in algo name 2c61a670eb win-onecore: Build with /APPCONTAINER for UWP compat ce11192650 crypto/win: Don't use disallowed APIs on UWP 38b57c4c52 Update copyright years of auto-generated headers (make update) Build log ended with (last 100 lines): 30-test_evp_extra.t ................ ok 30-test_evp_fetch_prov.t ........... ok 30-test_evp_kdf.t .................. ok 30-test_evp_libctx.t ............... ok 30-test_evp_pkey_dparam.t .......... ok 30-test_evp_pkey_provided.t ........ ok 30-test_pbelu.t .................... ok 30-test_pkey_meth.t ................ ok 30-test_pkey_meth_kdf.t ............ ok 30-test_provider_status.t .......... ok 40-test_rehash.t ................... ok 60-test_x509_check_cert_pkey.t ..... ok 60-test_x509_dup_cert.t ............ ok 60-test_x509_store.t ............... ok 60-test_x509_time.t ................ ok 61-test_bio_prefix.t ............... ok 65-test_cmp_asn.t .................. ok 65-test_cmp_client.t ............... ok 65-test_cmp_ctx.t .................. ok 65-test_cmp_hdr.t .................. ok 65-test_cmp_msg.t .................. ok 65-test_cmp_protect.t .............. ok 65-test_cmp_server.t ............... ok 65-test_cmp_status.t ............... ok 65-test_cmp_vfy.t .................. ok 66-test_ossl_store.t ............... ok 70-test_asyncio.t .................. ok 70-test_bad_dtls.t ................. ok 70-test_clienthello.t .............. ok 70-test_comp.t ..................... ok 70-test_key_share.t ................ ok 70-test_packet.t ................... ok 70-test_recordlen.t ................ ok 70-test_renegotiation.t ............ ok 70-test_servername.t ............... ok 70-test_sslcbcpadding.t ............ ok 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok make[1]: *** wait: No child processes. Stop. make[1]: *** Waiting for unfinished jobs.... make[1]: *** wait: No child processes. Stop. make: *** [Makefile:3241: tests] Terminated From openssl at openssl.org Thu Jan 7 01:55:19 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 07 Jan 2021 01:55:19 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit Message-ID: <1609984519.607193.79366.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: e260bee0a9 Only perform special TLS handling if TLS has been configured 7c0e98a5c4 Mac M1 setting change proposal. 7fd1ca723a Support session information on FreeBSD. b39c215dec Use CRIOGET to fetch a crypto descriptor when present. 3497cc8776 Updated SSL_CTX_new doc b043c41c00 28-seclevel.cnf.in: fix typo in algo name b2d1465153 EVP_SIGNATURE-ED25519.pod: fix typo in algo name 2c61a670eb win-onecore: Build with /APPCONTAINER for UWP compat ce11192650 crypto/win: Don't use disallowed APIs on UWP 38b57c4c52 Update copyright years of auto-generated headers (make update) Build log ended with (last 100 lines): 70-test_servername.t ............... ok 70-test_sslcbcpadding.t ............ ok 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 04-test_err.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=227, Tests=3423, 845 wallclock secs (14.47 usr 1.40 sys + 752.47 cusr 86.52 csys = 854.86 CPU) Result: FAIL make[1]: *** [Makefile:3244: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-autoerrinit' make: *** [Makefile:3241: tests] Error 2 From openssl at openssl.org Thu Jan 7 07:26:05 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 07 Jan 2021 07:26:05 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des Message-ID: <1610004365.129166.784619.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: e260bee0a9 Only perform special TLS handling if TLS has been configured 7c0e98a5c4 Mac M1 setting change proposal. 7fd1ca723a Support session information on FreeBSD. b39c215dec Use CRIOGET to fetch a crypto descriptor when present. 3497cc8776 Updated SSL_CTX_new doc b043c41c00 28-seclevel.cnf.in: fix typo in algo name b2d1465153 EVP_SIGNATURE-ED25519.pod: fix typo in algo name 2c61a670eb win-onecore: Build with /APPCONTAINER for UWP compat ce11192650 crypto/win: Don't use disallowed APIs on UWP 38b57c4c52 Update copyright years of auto-generated headers (make update) Build log ended with (last 100 lines): 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 30-test_evp.t (Wstat: 512 Tests: 90 Failed: 2) Failed tests: 14, 40 Non-zero exit status: 2 30-test_evp_kdf.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=227, Tests=3425, 862 wallclock secs (14.30 usr 1.63 sys + 759.10 cusr 83.78 csys = 858.81 CPU) Result: FAIL make[1]: *** [Makefile:3187: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-des' make: *** [Makefile:3184: tests] Error 2 From openssl at openssl.org Thu Jan 7 08:39:28 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 07 Jan 2021 08:39:28 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dso Message-ID: <1610008768.791698.946482.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dso Commit log since last time: e260bee0a9 Only perform special TLS handling if TLS has been configured 7c0e98a5c4 Mac M1 setting change proposal. 7fd1ca723a Support session information on FreeBSD. b39c215dec Use CRIOGET to fetch a crypto descriptor when present. 3497cc8776 Updated SSL_CTX_new doc b043c41c00 28-seclevel.cnf.in: fix typo in algo name b2d1465153 EVP_SIGNATURE-ED25519.pod: fix typo in algo name 2c61a670eb win-onecore: Build with /APPCONTAINER for UWP compat ce11192650 crypto/win: Don't use disallowed APIs on UWP 38b57c4c52 Update copyright years of auto-generated headers (make update) Build log ended with (last 100 lines): clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_server_test-bin-cmp_server_test.d.tmp -MT test/cmp_server_test-bin-cmp_server_test.o -c -o test/cmp_server_test-bin-cmp_server_test.o ../openssl/test/cmp_server_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_server_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_server_test-bin-cmp_testlib.o -c -o test/helpers/cmp_server_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_status_test-bin-cmp_status_test.d.tmp -MT test/cmp_status_test-bin-cmp_status_test.o -c -o test/cmp_status_test-bin-cmp_status_test.o ../openssl/test/cmp_status_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_status_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_status_test-bin-cmp_testlib.o -c -o test/helpers/cmp_status_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_vfy_test-bin-cmp_vfy_test.d.tmp -MT test/cmp_vfy_test-bin-cmp_vfy_test.o -c -o test/cmp_vfy_test-bin-cmp_vfy_test.o ../openssl/test/cmp_vfy_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_vfy_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_vfy_test-bin-cmp_testlib.o -c -o test/helpers/cmp_vfy_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmsapitest-bin-cmsapitest.d.tmp -MT test/cmsapitest-bin-cmsapitest.o -c -o test/cmsapitest-bin-cmsapitest.o ../openssl/test/cmsapitest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/conf_include_test-bin-conf_include_test.d.tmp -MT test/conf_include_test-bin-conf_include_test.o -c -o test/conf_include_test-bin-conf_include_test.o ../openssl/test/conf_include_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/confdump-bin-confdump.d.tmp -MT test/confdump-bin-confdump.o -c -o test/confdump-bin-confdump.o ../openssl/test/confdump.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/constant_time_test-bin-constant_time_test.d.tmp -MT test/constant_time_test-bin-constant_time_test.o -c -o test/constant_time_test-bin-constant_time_test.o ../openssl/test/constant_time_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/context_internal_test-bin-context_internal_test.d.tmp -MT test/context_internal_test-bin-context_internal_test.o -c -o test/context_internal_test-bin-context_internal_test.o ../openssl/test/context_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/crltest-bin-crltest.d.tmp -MT test/crltest-bin-crltest.o -c -o test/crltest-bin-crltest.o ../openssl/test/crltest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ct_test-bin-ct_test.d.tmp -MT test/ct_test-bin-ct_test.o -c -o test/ct_test-bin-ct_test.o ../openssl/test/ct_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ctype_internal_test-bin-ctype_internal_test.d.tmp -MT test/ctype_internal_test-bin-ctype_internal_test.o -c -o test/ctype_internal_test-bin-ctype_internal_test.o ../openssl/test/ctype_internal_test.c clang -I. -Iinclude -Iapps/include -Icrypto/ec/curve448 -I../openssl -I../openssl/include -I../openssl/apps/include -I../openssl/crypto/ec/curve448 -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/curve448_internal_test-bin-curve448_internal_test.d.tmp -MT test/curve448_internal_test-bin-curve448_internal_test.o -c -o test/curve448_internal_test-bin-curve448_internal_test.o ../openssl/test/curve448_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/d2i_test-bin-d2i_test.d.tmp -MT test/d2i_test-bin-d2i_test.o -c -o test/d2i_test-bin-d2i_test.o ../openssl/test/d2i_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/danetest-bin-danetest.d.tmp -MT test/danetest-bin-danetest.o -c -o test/danetest-bin-danetest.o ../openssl/test/danetest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/defltfips_test-bin-defltfips_test.d.tmp -MT test/defltfips_test-bin-defltfips_test.o -c -o test/defltfips_test-bin-defltfips_test.o ../openssl/test/defltfips_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/destest-bin-destest.d.tmp -MT test/destest-bin-destest.o -c -o test/destest-bin-destest.o ../openssl/test/destest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dhtest-bin-dhtest.d.tmp -MT test/dhtest-bin-dhtest.o -c -o test/dhtest-bin-dhtest.o ../openssl/test/dhtest.c clang -Iinclude -Iapps/include -Iproviders/common/include -I../openssl/include -I../openssl/apps/include -I../openssl/providers/common/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/drbgtest-bin-drbgtest.d.tmp -MT test/drbgtest-bin-drbgtest.o -c -o test/drbgtest-bin-drbgtest.o ../openssl/test/drbgtest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.d.tmp -MT test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.o -c -o test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.o ../openssl/test/dsa_no_digest_size_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dsatest-bin-dsatest.d.tmp -MT test/dsatest-bin-dsatest.o -c -o test/dsatest-bin-dsatest.o ../openssl/test/dsatest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtls_mtu_test-bin-dtls_mtu_test.d.tmp -MT test/dtls_mtu_test-bin-dtls_mtu_test.o -c -o test/dtls_mtu_test-bin-dtls_mtu_test.o ../openssl/test/dtls_mtu_test.c clang -I. -Iinclude -I../openssl -I../openssl/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/dtls_mtu_test-bin-ssltestlib.d.tmp -MT test/helpers/dtls_mtu_test-bin-ssltestlib.o -c -o test/helpers/dtls_mtu_test-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtlstest-bin-dtlstest.d.tmp -MT test/dtlstest-bin-dtlstest.o -c -o test/dtlstest-bin-dtlstest.o ../openssl/test/dtlstest.c clang -I. -Iinclude -I../openssl -I../openssl/include -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/dtlstest-bin-ssltestlib.d.tmp -MT test/helpers/dtlstest-bin-ssltestlib.o -c -o test/helpers/dtlstest-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtlsv1listentest-bin-dtlsv1listentest.d.tmp -MT test/dtlsv1listentest-bin-dtlsv1listentest.o -c -o test/dtlsv1listentest-bin-dtlsv1listentest.o ../openssl/test/dtlsv1listentest.c clang -Iinclude -Icrypto/ec -Iapps/include -I../openssl/include -I../openssl/crypto/ec -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ec_internal_test-bin-ec_internal_test.d.tmp -MT test/ec_internal_test-bin-ec_internal_test.o -c -o test/ec_internal_test-bin-ec_internal_test.o ../openssl/test/ec_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ecdsatest-bin-ecdsatest.d.tmp -MT test/ecdsatest-bin-ecdsatest.o -c -o test/ecdsatest-bin-ecdsatest.o ../openssl/test/ecdsatest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ecstresstest-bin-ecstresstest.d.tmp -MT test/ecstresstest-bin-ecstresstest.o -c -o test/ecstresstest-bin-ecstresstest.o ../openssl/test/ecstresstest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ectest-bin-ectest.d.tmp -MT test/ectest-bin-ectest.o -c -o test/ectest-bin-ectest.o ../openssl/test/ectest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/endecode_test-bin-endecode_test.d.tmp -MT test/endecode_test-bin-endecode_test.o -c -o test/endecode_test-bin-endecode_test.o ../openssl/test/endecode_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/endecode_test-bin-predefined_dhparams.d.tmp -MT test/helpers/endecode_test-bin-predefined_dhparams.o -c -o test/helpers/endecode_test-bin-predefined_dhparams.o ../openssl/test/helpers/predefined_dhparams.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/endecoder_legacy_test-bin-endecoder_legacy_test.d.tmp -MT test/endecoder_legacy_test-bin-endecoder_legacy_test.o -c -o test/endecoder_legacy_test-bin-endecoder_legacy_test.o ../openssl/test/endecoder_legacy_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/enginetest-bin-enginetest.d.tmp -MT test/enginetest-bin-enginetest.o -c -o test/enginetest-bin-enginetest.o ../openssl/test/enginetest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/errtest-bin-errtest.d.tmp -MT test/errtest-bin-errtest.o -c -o test/errtest-bin-errtest.o ../openssl/test/errtest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -DNO_FIPS_MODULE -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_extra_test-bin-evp_extra_test.d.tmp -MT test/evp_extra_test-bin-evp_extra_test.o -c -o test/evp_extra_test-bin-evp_extra_test.o ../openssl/test/evp_extra_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_extra_test2-bin-evp_extra_test2.d.tmp -MT test/evp_extra_test2-bin-evp_extra_test2.o -c -o test/evp_extra_test2-bin-evp_extra_test2.o ../openssl/test/evp_extra_test2.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_fetch_prov_test-bin-evp_fetch_prov_test.d.tmp -MT test/evp_fetch_prov_test-bin-evp_fetch_prov_test.o -c -o test/evp_fetch_prov_test-bin-evp_fetch_prov_test.o ../openssl/test/evp_fetch_prov_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_kdf_test-bin-evp_kdf_test.d.tmp -MT test/evp_kdf_test-bin-evp_kdf_test.o -c -o test/evp_kdf_test-bin-evp_kdf_test.o ../openssl/test/evp_kdf_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_libctx_test-bin-evp_libctx_test.d.tmp -MT test/evp_libctx_test-bin-evp_libctx_test.o -c -o test/evp_libctx_test-bin-evp_libctx_test.o ../openssl/test/evp_libctx_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_pkey_dparams_test-bin-evp_pkey_dparams_test.d.tmp -MT test/evp_pkey_dparams_test-bin-evp_pkey_dparams_test.o -c -o test/evp_pkey_dparams_test-bin-evp_pkey_dparams_test.o ../openssl/test/evp_pkey_dparams_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_pkey_provided_test-bin-evp_pkey_provided_test.d.tmp -MT test/evp_pkey_provided_test-bin-evp_pkey_provided_test.o -c -o test/evp_pkey_provided_test-bin-evp_pkey_provided_test.o ../openssl/test/evp_pkey_provided_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_test-bin-evp_test.d.tmp -MT test/evp_test-bin-evp_test.o -c -o test/evp_test-bin-evp_test.o ../openssl/test/evp_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/exdatatest-bin-exdatatest.d.tmp -MT test/exdatatest-bin-exdatatest.o -c -o test/exdatatest-bin-exdatatest.o ../openssl/test/exdatatest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/exptest-bin-exptest.d.tmp -MT test/exptest-bin-exptest.o -c -o test/exptest-bin-exptest.o ../openssl/test/exptest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/fatalerrtest-bin-fatalerrtest.d.tmp -MT test/fatalerrtest-bin-fatalerrtest.o -c -o test/fatalerrtest-bin-fatalerrtest.o ../openssl/test/fatalerrtest.c clang -I. -Iinclude -I../openssl -I../openssl/include -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/fatalerrtest-bin-ssltestlib.d.tmp -MT test/helpers/fatalerrtest-bin-ssltestlib.o -c -o test/helpers/fatalerrtest-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ffc_internal_test-bin-ffc_internal_test.d.tmp -MT test/ffc_internal_test-bin-ffc_internal_test.o -c -o test/ffc_internal_test-bin-ffc_internal_test.o ../openssl/test/ffc_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/gmdifftest-bin-gmdifftest.d.tmp -MT test/gmdifftest-bin-gmdifftest.o -c -o test/gmdifftest-bin-gmdifftest.o ../openssl/test/gmdifftest.c clang -Iinclude -Iapps/include -I. -I../openssl/include -I../openssl/apps/include -I../openssl -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/gosttest-bin-gosttest.d.tmp -MT test/gosttest-bin-gosttest.o -c -o test/gosttest-bin-gosttest.o ../openssl/test/gosttest.c clang -I. -Iinclude -I../openssl -I../openssl/include -Iinclude -Iapps/include -I. -I../openssl/include -I../openssl/apps/include -I../openssl -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/gosttest-bin-ssltestlib.d.tmp -MT test/helpers/gosttest-bin-ssltestlib.o -c -o test/helpers/gosttest-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/hexstr_test-bin-hexstr_test.d.tmp -MT test/hexstr_test-bin-hexstr_test.o -c -o test/hexstr_test-bin-hexstr_test.o ../openssl/test/hexstr_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/hmactest-bin-hmactest.d.tmp -MT test/hmactest-bin-hmactest.o -c -o test/hmactest-bin-hmactest.o ../openssl/test/hmactest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/http_test-bin-http_test.d.tmp -MT test/http_test-bin-http_test.o -c -o test/http_test-bin-http_test.o ../openssl/test/http_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ideatest-bin-ideatest.d.tmp -MT test/ideatest-bin-ideatest.o -c -o test/ideatest-bin-ideatest.o ../openssl/test/ideatest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/igetest-bin-igetest.d.tmp -MT test/igetest-bin-igetest.o -c -o test/igetest-bin-igetest.o ../openssl/test/igetest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/keymgmt_internal_test-bin-keymgmt_internal_test.d.tmp -MT test/keymgmt_internal_test-bin-keymgmt_internal_test.o -c -o test/keymgmt_internal_test-bin-keymgmt_internal_test.o ../openssl/test/keymgmt_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/lhash_test-bin-lhash_test.d.tmp -MT test/lhash_test-bin-lhash_test.o -c -o test/lhash_test-bin-lhash_test.o ../openssl/test/lhash_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/mdc2_internal_test-bin-mdc2_internal_test.d.tmp -MT test/mdc2_internal_test-bin-mdc2_internal_test.o -c -o test/mdc2_internal_test-bin-mdc2_internal_test.o ../openssl/test/mdc2_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/mdc2test-bin-mdc2test.d.tmp -MT test/mdc2test-bin-mdc2test.o -c -o test/mdc2test-bin-mdc2test.o ../openssl/test/mdc2test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/memleaktest-bin-memleaktest.d.tmp -MT test/memleaktest-bin-memleaktest.o -c -o test/memleaktest-bin-memleaktest.o ../openssl/test/memleaktest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/modes_internal_test-bin-modes_internal_test.d.tmp -MT test/modes_internal_test-bin-modes_internal_test.o -c -o test/modes_internal_test-bin-modes_internal_test.o ../openssl/test/modes_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/moduleloadtest-bin-moduleloadtest.d.tmp -MT test/moduleloadtest-bin-moduleloadtest.o -c -o test/moduleloadtest-bin-moduleloadtest.o ../openssl/test/moduleloadtest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/moduleloadtest-bin-simpledynamic.d.tmp -MT test/moduleloadtest-bin-simpledynamic.o -c -o test/moduleloadtest-bin-simpledynamic.o ../openssl/test/simpledynamic.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/namemap_internal_test-bin-namemap_internal_test.d.tmp -MT test/namemap_internal_test-bin-namemap_internal_test.o -c -o test/namemap_internal_test-bin-namemap_internal_test.o ../openssl/test/namemap_internal_test.c In file included from ../openssl/test/moduleloadtest.c:19: ../openssl/test/simpledynamic.h:39:35: error: unknown type name 'SD' int sd_load(const char *filename, SD *sd, int type); ^ ../openssl/test/simpledynamic.h:40:12: error: unknown type name 'SD' int sd_sym(SD sd, const char *symname, SD_SYM *sym); ^ ../openssl/test/simpledynamic.h:40:40: error: unknown type name 'SD_SYM' int sd_sym(SD sd, const char *symname, SD_SYM *sym); ^ ../openssl/test/simpledynamic.h:41:14: error: unknown type name 'SD' int sd_close(SD lib); ^ 4 errors generated. make[1]: *** [Makefile:24764: test/moduleloadtest-bin-moduleloadtest.o] Error 1 make[1]: *** Waiting for unfinished jobs.... In file included from ../openssl/test/simpledynamic.c:13: ../openssl/test/simpledynamic.h:39:35: error: unknown type name 'SD' int sd_load(const char *filename, SD *sd, int type); ^ ../openssl/test/simpledynamic.h:40:12: error: unknown type name 'SD' int sd_sym(SD sd, const char *symname, SD_SYM *sym); ^ ../openssl/test/simpledynamic.h:40:40: error: unknown type name 'SD_SYM' int sd_sym(SD sd, const char *symname, SD_SYM *sym); ^ ../openssl/test/simpledynamic.h:41:14: error: unknown type name 'SD' int sd_close(SD lib); ^ 4 errors generated. make[1]: *** [Makefile:24772: test/moduleloadtest-bin-simpledynamic.o] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dso' make: *** [Makefile:3065: build_sw] Error 2 From tmraz at fedoraproject.org Thu Jan 7 08:58:41 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Thu, 07 Jan 2021 08:58:41 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1610009921.419218.12659.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via a953f26dba5dadf8ac69c6fcbf71ebe3efba9407 (commit) from 80d5badd8fa7dcc7dffc88745376df53161e392a (commit) - Log ----------------------------------------------------------------- commit a953f26dba5dadf8ac69c6fcbf71ebe3efba9407 Author: Ole Andr? Vadla Ravn?s Date: Wed Dec 30 22:14:23 2020 +0100 poly1305/asm/poly1305-armv4.pl: fix Clang compatibility issue I.e.: error: out of range immediate fixup value This fix is identical to one of the changes made in 3405db9, which I discovered right after taking a quick stab at fixing this. CLA: trivial Fixes #7878 Reviewed-by: Kurt Roeckx Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13757) ----------------------------------------------------------------------- Summary of changes: crypto/poly1305/asm/poly1305-armv4.pl | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/crypto/poly1305/asm/poly1305-armv4.pl b/crypto/poly1305/asm/poly1305-armv4.pl index f77e1170f6..0a4fe55d98 100755 --- a/crypto/poly1305/asm/poly1305-armv4.pl +++ b/crypto/poly1305/asm/poly1305-armv4.pl @@ -133,10 +133,10 @@ poly1305_init: # ifdef __thumb2__ itete eq # endif - addeq r12,r11,#(poly1305_emit-.Lpoly1305_init) - addne r12,r11,#(poly1305_emit_neon-.Lpoly1305_init) - addeq r11,r11,#(poly1305_blocks-.Lpoly1305_init) - addne r11,r11,#(poly1305_blocks_neon-.Lpoly1305_init) + addeq r12,r11,#(.Lpoly1305_emit-.Lpoly1305_init) + addne r12,r11,#(.Lpoly1305_emit_neon-.Lpoly1305_init) + addeq r11,r11,#(.Lpoly1305_blocks-.Lpoly1305_init) + addne r11,r11,#(.Lpoly1305_blocks_neon-.Lpoly1305_init) # endif # ifdef __thumb2__ orr r12,r12,#1 @ thumb-ify address @@ -352,6 +352,7 @@ $code.=<<___; .type poly1305_emit,%function .align 5 poly1305_emit: +.Lpoly1305_emit: stmdb sp!,{r4-r11} .Lpoly1305_emit_enter: @@ -671,6 +672,7 @@ poly1305_init_neon: .type poly1305_blocks_neon,%function .align 5 poly1305_blocks_neon: +.Lpoly1305_blocks_neon: ldr ip,[$ctx,#36] @ is_base2_26 ands $len,$len,#-16 beq .Lno_data_neon @@ -1157,6 +1159,7 @@ poly1305_blocks_neon: .type poly1305_emit_neon,%function .align 5 poly1305_emit_neon: +.Lpoly1305_emit_neon: ldr ip,[$ctx,#36] @ is_base2_26 stmdb sp!,{r4-r11} From matt at openssl.org Thu Jan 7 13:45:49 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 07 Jan 2021 13:45:49 +0000 Subject: [openssl] master update Message-ID: <1610027149.185137.13165.nullmailer@dev.openssl.org> The branch master has been updated via bd0c71298a82cc78aadba39485fc1ebec3c1c0ad (commit) from e260bee0a97d4e6de60eae2c86d7c11ed03f2010 (commit) - Log ----------------------------------------------------------------- commit bd0c71298a82cc78aadba39485fc1ebec3c1c0ad Author: Matt Caswell Date: Thu Jan 7 13:38:50 2021 +0000 Update copyright year Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/13800) ----------------------------------------------------------------------- Summary of changes: crypto/async/arch/async_win.c | 2 +- crypto/async/arch/async_win.h | 2 +- doc/man3/SSL_CTX_new.pod | 2 +- doc/man7/EVP_SIGNATURE-ED25519.pod | 2 +- engines/e_devcrypto.c | 2 +- providers/implementations/ciphers/ciphercommon.c | 2 +- test/ssl-tests/28-seclevel.cnf.in | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/crypto/async/arch/async_win.c b/crypto/async/arch/async_win.c index 72cc27c214..0b276fd504 100644 --- a/crypto/async/arch/async_win.c +++ b/crypto/async/arch/async_win.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/async/arch/async_win.h b/crypto/async/arch/async_win.h index eb61b032e0..0fab95996e 100644 --- a/crypto/async/arch/async_win.h +++ b/crypto/async/arch/async_win.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_new.pod b/doc/man3/SSL_CTX_new.pod index 4093e657e8..1c953098e2 100644 --- a/doc/man3/SSL_CTX_new.pod +++ b/doc/man3/SSL_CTX_new.pod @@ -233,7 +233,7 @@ SSL_CTX_new_ex() was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_SIGNATURE-ED25519.pod b/doc/man7/EVP_SIGNATURE-ED25519.pod index e2fc31f724..2183d83c2e 100644 --- a/doc/man7/EVP_SIGNATURE-ED25519.pod +++ b/doc/man7/EVP_SIGNATURE-ED25519.pod @@ -92,7 +92,7 @@ L, =head1 COPYRIGHT -Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c index 7f3768d36c..d549edfd29 100644 --- a/engines/e_devcrypto.c +++ b/engines/e_devcrypto.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c index 0e3e367dfc..ffe644bb4c 100644 --- a/providers/implementations/ciphers/ciphercommon.c +++ b/providers/implementations/ciphers/ciphercommon.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/ssl-tests/28-seclevel.cnf.in b/test/ssl-tests/28-seclevel.cnf.in index b7b96e87b7..56c23eba3a 100644 --- a/test/ssl-tests/28-seclevel.cnf.in +++ b/test/ssl-tests/28-seclevel.cnf.in @@ -1,5 +1,5 @@ # -*- mode: perl; -*- -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy From matt at openssl.org Thu Jan 7 14:03:30 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 07 Jan 2021 14:03:30 +0000 Subject: [web] master update Message-ID: <1610028210.149616.4732.nullmailer@dev.openssl.org> The branch master has been updated via 89d554f676bdacf8497b41c8f2eae3b395bb2ff9 (commit) from 32ac25c3dc11364b8854de9e91303951f6ba406d (commit) - Log ----------------------------------------------------------------- commit 89d554f676bdacf8497b41c8f2eae3b395bb2ff9 Author: Matt Caswell Date: Thu Jan 7 14:00:02 2021 +0000 Add newsflash entry for alpha10 release Reviewed-by: Mark J. Cox Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/web/pull/212) ----------------------------------------------------------------------- Summary of changes: news/newsflash.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/news/newsflash.txt b/news/newsflash.txt index 6b39413..1d842c7 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -5,6 +5,7 @@ # headings. URL paths must all be absolute. Date: Item +07-Jan-2021: Alpha 10 of OpenSSL 3.0 is now available: please download and test it 08-Dec-2020: OpenSSL 1.1.1i is now available, including bug and security fixes 26-Nov-2020: Alpha 9 of OpenSSL 3.0 is now available: please download and test it 05-Nov-2020: Alpha 8 of OpenSSL 3.0 is now available: please download and test it From matt at openssl.org Thu Jan 7 14:07:24 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 07 Jan 2021 14:07:24 +0000 Subject: [openssl] master update Message-ID: <1610028444.803327.21842.nullmailer@dev.openssl.org> The branch master has been updated via a86add03abf7ebdf63d79971b9feb396931b8697 (commit) via cae118f9382c3790359b3ff050d6e01c11579a7f (commit) from bd0c71298a82cc78aadba39485fc1ebec3c1c0ad (commit) - Log ----------------------------------------------------------------- commit a86add03abf7ebdf63d79971b9feb396931b8697 Author: Matt Caswell Date: Thu Jan 7 13:48:32 2021 +0000 Prepare for 3.0 alpha 11 Reviewed-by: Nicola Tuveri commit cae118f9382c3790359b3ff050d6e01c11579a7f Author: Matt Caswell Date: Thu Jan 7 13:48:10 2021 +0000 Prepare for release of 3.0 alpha 10 Reviewed-by: Nicola Tuveri ----------------------------------------------------------------------- Summary of changes: VERSION.dat | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION.dat b/VERSION.dat index 5a486d1b91..9956ebb7e7 100644 --- a/VERSION.dat +++ b/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=0 PATCH=0 -PRE_RELEASE_TAG=alpha10-dev +PRE_RELEASE_TAG=alpha11-dev BUILD_METADATA= RELEASE_DATE="" SHLIB_VERSION=3 From matt at openssl.org Thu Jan 7 14:07:34 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 07 Jan 2021 14:07:34 +0000 Subject: [openssl] openssl-3.0.0-alpha10 create Message-ID: <1610028454.928022.25195.nullmailer@dev.openssl.org> The annotated tag openssl-3.0.0-alpha10 has been created at 45817feda8996f2e0812731b9b3e565d2682d694 (tag) tagging cae118f9382c3790359b3ff050d6e01c11579a7f (commit) replaces openssl-3.0.0-alpha9 tagged by Matt Caswell on Thu Jan 7 13:48:21 2021 +0000 - Log ----------------------------------------------------------------- OpenSSL 3.0.0-alpha10 release tag -----BEGIN PGP SIGNATURE----- iQFFBAABCAAvFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl/3ESURHG1hdHRAb3Bl bnNzbC5vcmcACgkQ2cTSbQ5gRJF8eQgAiULWDjFXQy/pgDxFDB3Z2k3KsiqEFzty Z7ymUtQTNAyEDsxO6KRCBVPL6HeogGrNZmqD0MxS2QhW6pcAgnaqgeNwIwEYGh8Z nSsihgXRQyos5YhEpIuVzFk1iCtugVw+zayyxAyDhVvYJ05+XX656G1ZmsgSR2Rn GmxoH2b7sIVNapyLDPXSJHceP9fIYu0elVyHTl8PFoubKapTW+zqh0m1KLfIQ+cx wg2Bh9sSrbV63CK0yDOvgqK1Wz1HMobNHM8+5avbzVHrF57hAKr9IrpPfaV7uXx/ bGAqiY7ppsc0nforH4szCQdseJJiMhppHs97bFaVSk2crmcDOV+6Bg== =GxWV -----END PGP SIGNATURE----- Ankita Shetty (4): cmp_client.c: Remove dead code of variable 'txt' in cert_response() cmp_client.c: Fix indentation and remove empty line openssl.pod: Carve out Trusted Certificate, Pass Phrase, Name Format, and Format Options openssl.pod: Fix openSSL options doc Ard Biesheuvel (1): aes/asm/aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode Benjamin Kaduk (1): Fix comment in do_dtls1_write() Daiki Ueno (1): openssl dgst: add option to specify output length for XOF Daniel Bevenius (2): EVP: don't touch the lock for evp_pkey_downgrade STORE: clear err after ossl_store_get0_loader_int David CARLIER (1): Mac M1 setting change proposal. David Carlier (2): CRYPTO_secure_malloc_init: Add FreeBSD support for secure-malloc dont-dump-region. Add MAP_CONCEAL from OpenBSD which has similar purpose but on mmap call level. David von Oheimb (1): openssl.pod: Move verification doc to new doc/man1/openssl-verification-options.pod Dmitry Belyavskiy (8): OPENSSL_NO_GOST has nothing to do with low-level algos Deprecate -cipher-commands and -digest-commands options Skip unavailable digests and ciphers in -*-commands Documenting the options deprecating Documenting the options deprecating in CHANGES.md Skip tests depending on deprecated list -*-commands options Fetch provided algorithm once per benchmark Fix doc-nits for list command Dr. David von Oheimb (42): asn1t.h: Improve comments documenting ASN1_ITYPE_... and the 'funcs' field X509_dup: fix copying of libctx and propq using new ASN1_OP_DUP_POST cb operation endecode_test.c: Significant speedup in generating DH and DHX keys remove obsolete test/drbg_extra_test.h remove obsolete test/drbg_cavs_data.h test cleanup: move helper .c and .h files to test/helpers/ endecode_test.c: Add warning that 512-bit DH key size is for testing only apps/pkcs12.c: Correct default legacy algs and make related doc consistent apps/pkcs12.c: Improve user guidance, re-ordering no-export vs. export options x509_vfy.c: Restore rejection of expired trusted (root) certificate appveyor.yml: Let 'nmake' run by defaut silently (/S), using MAKEVERBOSE like .travis.yml appveyor.yml: Let 'nmake' do builds in parallel on all CPU cores .travis.yml: Do some build (gcc) runs in parallel (-j4) ci.yml: Add 'perl configdata.pm --dump' to each config ci.yml: Let 'make' run silently (-s) with build (gcc) runs in parallel (-j4) appveyor.yml: Move printing of env variables such that locally defined ones are shown as well. encode_key2any.c: Fix build error on OPENSSL_NO_DH and OPENSSL_NO_EC encode_key2text.c: Fix build error on OPENSSL_NO_{DH,DSA,EC} fuzz/server.c: Fix build error on OPENSSL_NO_{DSA,EC,DEPECATED_3_0} apps/speed.c: Fix build errors on OPENSSL_NO_{RSA,DSA,EC,DEPECATED_3_0} endecode_test.c: Fix build errors on OPENSSL_NO_{DH,DSA,EC,EC2M} evp_pkey_dparams_test.c: Fix build error on OPENSSL_NO_{DH,DSA,EC} apps/speed.c: Rename misleading 'rsa_count' variable to 'op_count' {.travis,ci,appveyor}.yml: Make minimal config consistent, add no-deprecated no-ec no-ktls no-siv apps/verify:c: Enable output of multiple verification errors due to -x509_strict x509_vfy.c: Improve comments (correcting typos etc.) test/certs/setup.sh: Fix two glitches find-doc-nits: fix regexp and point out that CA.pl and tsget.pod are special Use adapted test_get_libctx() for simpler test setup and better error reporting apps/req.c: Improve diagnostics on multiple/overriding X.509 extensions defined via -reqext option x509v3_config.pod: Clarify semantics of subjectKeyIdentifier and authorityKeyIdentifier apps/{req,x509,ca}.c: Clean up code setting X.509 cert version v3 apps/{req,x509,ca}.c: Cleanup: move shared X509{,_REQ,_CRL} code to apps/lib/apps.c apps/x509.c: Factor out common aspects of X509 signing openssl-ca.pod.in: Clarify the -extensions/-crlexts options vs. x509_extensions/crl_extensions X509V3_EXT_add_nconf_sk(): Improve description and use of 'sk' arg, which may be NULL v2i_AUTHORITY_KEYID(): Correct out-of-memory behavior and avoid mem leaks openssl_hexstr2buf_sep(): Prevent misleading 'malloc failure' errors on short input apps/{ca,req,x509}.c: Improve diag and doc mostly on X.509 extensions, fix multiple instances apps/cmp.c: Fix bug on -path option introduced in commit 3c9d6266ed85 apps/cmp.c: Correct -keyform option range w.r.t engine Update copyright years of auto-generated headers (make update) Etienne Millon (2): EVP_SIGNATURE-ED25519.pod: fix typo in algo name 28-seclevel.cnf.in: fix typo in algo name Fangming.Fang (1): Read MIDR_EL1 system register on aarch64 Ingo Schwarze (1): Fix NULL pointer access caused by X509_ATTRIBUTE_create() J08nY (1): README: Move Travis link to .com from .org. John Baldwin (4): Allow zero-byte writes to be reported as success. Collapse two identical if statements into a single body. Use CRIOGET to fetch a crypto descriptor when present. Support session information on FreeBSD. Kelvin Lee (1): Fix simpledynamic.c - a typo and missed a header Liang Liu (1): [DOC]Fix two broken links in INSTALL.md; Change name of zlib flag to the current one. Matt Caswell (56): Prepare for 3.0 alpha 10 Fix no-posix-io Deprecate DH_new as well as i2d_DHparams and d2i_DHparams Deprecate functions for getting and setting DH values in an EVP_PKEY Deprecate EVP_PKEY_assign_DH and other similar macros Deprecate the DHparams and DHxparams PEM routines Remove fuzzing of deprecated functions in a no-deprecated build Don't test a deprecated function in a no-deprecated build Deprecate more DH functions Convert DH deprecations to the new way of deprecating functions Updates the CHANGES.md entry regarding DH deprecation Remove d2i_DHparams.pod and move documentation to d2i_RSAPrivateKey.pod Fix no-engine Fix instances of pointer addition with the NULL pointer Fix TLS1.2 CHACHA20-POLY1305 ciphersuites with OPENSSL_SMALL_FOOTPRINT Fix builds that specify both no-dh and no-ec Don't Overflow when printing Thawte Strong Extranet Version Fix a compile error with the no-sock option Fix no-dtls Fix no-dsa DirectoryString is a CHOICE type and therefore uses explicit tagging Correctly compare EdiPartyName in GENERAL_NAME_cmp() Check that multi-strings/CHOICE types don't use implicit tagging Complain if we are attempting to encode with an invalid ASN.1 template Add a test for GENERAL_NAME_cmp Add a test for encoding/decoding using an invalid ASN.1 Template Update CHANGES and NEWS for new release Fix a test failure with no-tls1_3 Fix a compilation failure with no-tls_1_2 Fix no-err Modify is_tls13_capable() to take account of the servername cb Test that we can negotiate TLSv1.3 if we have an SNI callback Don't use no-asm in the Github CIs Skip evp_test cases where we need the legacy prov and its not available Fix sslapitest.c if built with no-legacy Don't use legacy provider if not available in test_ssl_old Don't load the legacy provider in endecoder_legacy_test Skip testing ciphers in the legacy provider if no legacy Don't load the legacy provider if not available in test_enc_more Don't load the legacy provider in test_evp_libctx unnecessarily Don't use the legacy provider in test_store if its not available Don't run a legacy specific PKCS12 test if no legacy provider Skip cms tests using RC2 if no legacy provider Fix some typos in EVP_PKEY-DH.pod Fix no-threads Move the caching of cipher constants into evp_cipher_from_dispatch Cache Digest constants Optimise OPENSSL_init_crypto to not need a lock when loading config Don't call EVP_CIPHER_CTX_block_size() to find the block size Add some more CRYPTO_atomic functions Optimise OPENSSL_init_crypto Add documentation for CRYPTO_atomic_or and CRYPTO_atomic_load Add a test for the new CRYPTO_atomic_* functions Only perform special TLS handling if TLS has been configured Update copyright year Prepare for release of 3.0 alpha 10 Nan Xiao (1): Fix typo in OPENSSL_malloc.pod Nirbheek Chauhan (2): crypto/win: Don't use disallowed APIs on UWP win-onecore: Build with /APPCONTAINER for UWP compat Pauli (19): Print random seed on test failure. remove unused return value assignments remove unused assignments remove unused initialisations tag unused function arguments as ossl_unused rand: add a provider side seed source. Fix error clash in build rand seed: include lock and unlock functions. rand: don't leak memory rand: allow seed-src to be missing params: allow more variations in integer conversions. params: add integer conversion test cases. test: print OPENSSL_TEST_RAND_ORDER=x when a randomised test fails. test: document the random test ordering env variable dsa: documentation deprecation changes dsa: fuzzer deprecation changes dsa: apps deprecation changes dsa: provider and library deprecation changes dsa: add additional deprecated functions to CHANGES entry. Petr Gotthard (1): Fix OSSL_PARAM creation in OSSL_STORE_open_ex Rich Salz (3): Deprecate OCSP_REQ_CTX_set1_req Document OCSP_REQ_CTX_i2d. Check non-option arguments Richard Levitte (80): APPS: Make it possible for apps to set the base (fallback) UI_METHOD APPS: Modify apps/cmp.c to use set_base_ui_method() for its -batch option ERR: Restore the similarity of ERR_print_error_cb() and ERR_error_string_n() TEST: Adapt test/errtest for the 'no-err' configuration EVP_PKEY & DSA: Make DSA EVP_PKEY_CTX parameter ctrls / setters more available ERR: Drop or deprecate dangerous or overly confusing functions ERR: drop err_delete_thread_state() TODO marker TEST: Fix path length in test/ossl_store_test.c RSA: correct digestinfo_ripemd160_der[] TEST: Break out the local dynamic loading code from shlibloadtest.c TEST: Add a simple module loader, and test the FIPS module with it ENCODER: Don't pass libctx to OSSL_ENCODER_CTX_new_by_EVP_PKEY() Adapt everything else to the updated OSSL_ENCODER_CTX_new_by_EVP_PKEY() APPS: Add OSSL_STORE loader for engine keys APPS: Adapt load_key() and load_pubkey() for the engine: loader Add test to demonstrate the app's new engine key loading Switch deprecation method for AES Switch deprecation method for ASN.1 Switch deprecation method for BIO Switch deprecation method for Blowfish Switch deprecation method for BIGNUM Switch deprecation method for Camellia Switch deprecation method for CAST Switch deprecation method for CMAC Switch deprecation method for CONF Switch deprecation method for CRYPTO Switch deprecation method for DES Switch deprecation method for ENGINE Switch deprecation method for ERR Switch deprecation method for EVP Switch deprecation method for HMAC Switch deprecation method for IDEA Switch deprecation method for MD2 Switch deprecation method for MD4 Switch deprecation method for MD5 Switch deprecation method for MDC2 Switch deprecation method for PKCS#12 Switch deprecation method for RAND Switch deprecation method for RC2 Switch deprecation method for RC4 Switch deprecation method for RC5 Switch deprecation method for RIPEMD Switch deprecation method for SEED Switch deprecation method for SHA Switch deprecation method for SRP Switch deprecation method for SSL Switch deprecation method for OSSL_STORE Switch deprecation method for Whirlpool Switch deprecation method for X.509 DSA: Make DSA_bits() and DSA_size() check that there are key parameters EVP: Adjust EVP_PKEY_size(), EVP_PKEY_bits() and EVP_PKEY_security_bits() PEM: Add a more generic way to implement PEM _ex functions for libctx providers/common/der/build.info: Improve checks of disabled algos EVP: constify the EVP_PKEY_get_*_param() argument |pkey| EVP: Add EVP_PKEY_get_group_name() to extract the group name of a pkey TLS: Use EVP_PKEY_get_group_name() to get the group name DOCS: Update OSSL_DECODER_CTX_new_by_EVP_PKEY.pod to match declarations DOCS: Improve documentation of the EVP_PKEY type Building: Fix the library file names for MSVC builds to include multilib PEM: Unlock MSBLOB and PVK functions from 'no-dsa' and 'no-rc4' Remove unnecessary guards around MSBLOB and PVK readers and writers APPS: Correct the output structure for public keys in 'openssl rsa' TEST: Fix test/recipes/15-test_rsa.t PROV: Add MSBLOB and PVK encoders EVP_PKEY & DSA: move dsa_ctrl.c to be included only on libcrypto EVP_PKEY & DH: Make DH EVP_PKEY_CTX parameter ctrls / setters more available EVP_PKEY & EC_KEY: Make EC EVP_PKEY_CTX parameter ctrls / setters more available Drop unnecessary checks of OPENSSL_NO_DH, OPENSSL_NO_DSA and OPENSSL_NO_EC Add necessary checks of OPENSSL_NO_DH, OPENSSL_NO_DSA and OPENSSL_NO_EC DECODER EVP_PKEY: Don't store all the EVP_KEYMGMTs MSBLOB & PVK: Make it possible to write EVP_PKEYs with provided internal key DECODER: Adjust the library context of keys in our decoders CORE: Separate OSSL_PROVIDER activation from OSSL_PROVIDER reference EVP: Fix memory leak in EVP_PKEY_CTX_dup() GitHub CI: Add 'check-update' and 'check-docs' make update TEST: Fix test/endecode_test.c for 'no-legacy' Fix 'no-deprecated' GitHub CI: Separate no-deprecated job from minimal job Drop OPENSSL_NO_RSA everywhere Sebastian Andrzej Siewior (1): Configurations: PowerPC is big endian Shane Lontis (16): Fix EVP_CIPHER_CTX_set_padding for legacy path Fix no-deprecated configuration Fix s390 EDDSA HW support in providers. Add EVP_KDF-X942 to the fips module Fix X509 propq so it does not use references Fix x509_crl propq so that it uses a copy fix x509_PUBKEY propq so that it uses a copy Fix EVP_PKEY_CTX propq so that it uses a copy Fix ecdsa digest setting code to match dsa. Fix dsa & rsa signature dupctx() so that ctx->propq is strduped Change OPENSSL_hexstr2buf_ex() & OPENSSL_buf2hexstr_ex() to pass the separator Deprecate EC_POINT_bn2point and EC_POINT_point2bn. Add validate method to ECX keymanager Add fips self tests for all included kdf Fix Segfault in EVP_PKEY_CTX_dup when the ctx has an undefined operation. Change AES-CTS modes CS2 and CS3 to also be inside the fips module. Tim Hudson (1): Correct system guessing for darwin64-arm64 target Tomas Mraz (6): EVP_DigestFinalXOF must not reset the EVP_MD_CTX Add test for no reset after DigestFinal_ex and DigestFinalXOF Fix regression in EVP_DigestInit_ex: crash when called with NULL type Documentation improvements for EVP_DigestInit_ex and related functions v3nametest: Make the gennames structure static Github CI: run also on repository pushes bazmoz (1): Updated SSL_CTX_new doc ihsinme (1): Update bio_ok.c jwalch (1): Restore v2i_AUTHORITY_INFO_ACCESS() behavior ----------------------------------------------------------------------- From tmraz at fedoraproject.org Thu Jan 7 16:40:09 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Thu, 07 Jan 2021 16:40:09 +0000 Subject: [openssl] master update Message-ID: <1610037609.443433.7684.nullmailer@dev.openssl.org> The branch master has been updated via 3d0b6494d5a973d516e0944bc02b22385fca318a (commit) via 981b4b95721907384f4add9de72bf90e0ba39288 (commit) via 1c47539a2331ff0b58a4e8663bcc6db0dc2c6449 (commit) via c1e8a0c66e32b4144fdeb49bd5ff7acb76df72b9 (commit) from a86add03abf7ebdf63d79971b9feb396931b8697 (commit) - Log ----------------------------------------------------------------- commit 3d0b6494d5a973d516e0944bc02b22385fca318a Author: Otto Hollmann Date: Tue Oct 20 12:47:55 2020 +0200 Remove extra space. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12100) commit 981b4b95721907384f4add9de72bf90e0ba39288 Author: Otto Hollmann Date: Mon Oct 19 16:25:26 2020 +0200 Fixed error and return code. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12100) commit 1c47539a2331ff0b58a4e8663bcc6db0dc2c6449 Author: Otto Hollmann Date: Mon Oct 19 10:05:57 2020 +0200 Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12100) commit c1e8a0c66e32b4144fdeb49bd5ff7acb76df72b9 Author: Otto Hollmann Date: Tue Jun 9 15:50:12 2020 +0200 Fix set_ciphersuites ignore unknown ciphers. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12100) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 5 +++++ doc/man3/SSL_CTX_set_cipher_list.pod | 10 +++++----- ssl/ssl_ciph.c | 18 +++++++++--------- 3 files changed, 19 insertions(+), 14 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index a296406137..94bf750ffc 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,6 +23,11 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] + * Changed behavior of SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() + to ignore unknown ciphers. + + *Otto Hollmann* + * The -cipher-commands and -digest-commands options of the command line utility list has been deprecated. Instead use the -cipher-algorithms and -digest-algorithms options. diff --git a/doc/man3/SSL_CTX_set_cipher_list.pod b/doc/man3/SSL_CTX_set_cipher_list.pod index 2fdebdf51d..c2786295b7 100644 --- a/doc/man3/SSL_CTX_set_cipher_list.pod +++ b/doc/man3/SSL_CTX_set_cipher_list.pod @@ -65,11 +65,11 @@ cipher string for TLSv1.3 ciphersuites. =head1 NOTES -The control string B for SSL_CTX_set_cipher_list() and -SSL_set_cipher_list() should be universally usable and not depend -on details of the library configuration (ciphers compiled in). Thus no -syntax checking takes place. Items that are not recognized, because the -corresponding ciphers are not compiled in or because they are mistyped, +The control string B for SSL_CTX_set_cipher_list(), SSL_set_cipher_list(), +SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() should be universally +usable and not depend on details of the library configuration (ciphers compiled +in). Thus no syntax checking takes place. Items that are not recognized, because +the corresponding ciphers are not compiled in or because they are mistyped, are simply ignored. Failure is only flagged if no ciphers could be collected at all. diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 64ecc543ba..6c77cd3d40 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1288,19 +1288,17 @@ static int ciphersuite_cb(const char *elem, int len, void *arg) /* Arbitrary sized temp buffer for the cipher name. Should be big enough */ char name[80]; - if (len > (int)(sizeof(name) - 1)) { - ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH); - return 0; - } + if (len > (int)(sizeof(name) - 1)) + /* Anyway return 1 so we can parse rest of the list */ + return 1; memcpy(name, elem, len); name[len] = '\0'; cipher = ssl3_get_cipher_by_std_name(name); - if (cipher == NULL) { - ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH); - return 0; - } + if (cipher == NULL) + /* Ciphersuite not found but return 1 to parse rest of the list */ + return 1; if (!sk_SSL_CIPHER_push(ciphersuites, cipher)) { ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); @@ -1319,7 +1317,9 @@ static __owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const cha /* Parse the list. We explicitly allow an empty list */ if (*str != '\0' - && !CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers)) { + && (CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers) <= 0 + || sk_SSL_CIPHER_num(newciphers) == 0)) { + ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH); sk_SSL_CIPHER_free(newciphers); return 0; } From openssl at openssl.org Thu Jan 7 23:11:10 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 07 Jan 2021 23:11:10 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module Message-ID: <1610061070.053587.2698585.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: e260bee0a9 Only perform special TLS handling if TLS has been configured 7c0e98a5c4 Mac M1 setting change proposal. 7fd1ca723a Support session information on FreeBSD. b39c215dec Use CRIOGET to fetch a crypto descriptor when present. 3497cc8776 Updated SSL_CTX_new doc b043c41c00 28-seclevel.cnf.in: fix typo in algo name b2d1465153 EVP_SIGNATURE-ED25519.pod: fix typo in algo name 2c61a670eb win-onecore: Build with /APPCONTAINER for UWP compat ce11192650 crypto/win: Don't use disallowed APIs on UWP 38b57c4c52 Update copyright years of auto-generated headers (make update) Build log ended with (last 100 lines): # warn_cert_msg:../openssl/apps/cmp.c:687:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1980:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2030:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 0 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem -out_trusted root.crt => 0 not ok 43 - popo RAVERIFIED # ------------------------------------------------------------------------------ # cmp_main:../openssl/apps/cmp.c:2663:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2263:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:687:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1980:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2030:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # ------------------------------------------------------------------------------ # Failed test 'popo NONE' # at ../openssl/test/recipes/81-test_cmp_cli.t line 183. # cmp_main:../openssl/apps/cmp.c:2663:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2263:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:687:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1980:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2030:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 2 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem -out_trusted root.crt => 0 not ok 48 - popo KEYENC not supported # ------------------------------------------------------------------------------ # Looks like you failed 3 tests of 92. not ok 7 - CMP app CLI Mock enrollment # ------------------------------------------------------------------------------ # # Failed test 'CMP app CLI Mock enrollment # ' # at /home/openssl/run-checker/enable-fuzz-afl/../openssl/util/perl/OpenSSL/Test.pm line 1335. # Looks like you failed 3 tests of 7.81-test_cmp_cli.t .................. Dubious, test returned 3 (wstat 768, 0x300) Failed 3/7 subtests 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. skipped: Test only supported in a shared build 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: GOST support is disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ skipped: Test only supported in a shared build 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. skipped: tls13secrets is not supported in this build 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 81-test_cmp_cli.t (Wstat: 768 Tests: 7 Failed: 3) Failed tests: 4-5, 7 Non-zero exit status: 3 Files=227, Tests=2999, 703 wallclock secs (10.20 usr 1.40 sys + 617.70 cusr 71.88 csys = 701.18 CPU) Result: FAIL make[1]: *** [Makefile:2458: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-fuzz-afl' make: *** [Makefile:2455: tests] Error 2 From matt at openssl.org Fri Jan 8 10:43:51 2021 From: matt at openssl.org (Matt Caswell) Date: Fri, 08 Jan 2021 10:43:51 +0000 Subject: [openssl] master update Message-ID: <1610102631.138808.12460.nullmailer@dev.openssl.org> The branch master has been updated via d0afb30ef3950cacff50ec539e90073b95a276df (commit) from 3d0b6494d5a973d516e0944bc02b22385fca318a (commit) - Log ----------------------------------------------------------------- commit d0afb30ef3950cacff50ec539e90073b95a276df Author: Matt Caswell Date: Thu Dec 10 10:36:23 2020 +0000 Ensure DTLS free functions can handle NULL Our free functions should be able to deal with the case where the object being freed is NULL. This turns out to not be quite the case for DTLS related objects. Fixes #13649 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13655) ----------------------------------------------------------------------- Summary of changes: ssl/d1_lib.c | 9 +++++---- ssl/record/rec_layer_d1.c | 3 +++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index cc41eee976..62c5f26e5d 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -142,10 +142,11 @@ void dtls1_free(SSL *s) ssl3_free(s); - dtls1_clear_queues(s); - - pqueue_free(s->d1->buffered_messages); - pqueue_free(s->d1->sent_messages); + if (s->d1 != NULL) { + dtls1_clear_queues(s); + pqueue_free(s->d1->buffered_messages); + pqueue_free(s->d1->sent_messages); + } OPENSSL_free(s->d1); s->d1 = NULL; diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index cc412bae37..10321ce015 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c @@ -46,6 +46,9 @@ int DTLS_RECORD_LAYER_new(RECORD_LAYER *rl) void DTLS_RECORD_LAYER_free(RECORD_LAYER *rl) { + if (rl->d == NULL) + return; + DTLS_RECORD_LAYER_clear(rl); pqueue_free(rl->d->unprocessed_rcds.q); pqueue_free(rl->d->processed_rcds.q); From matt at openssl.org Fri Jan 8 10:44:02 2021 From: matt at openssl.org (Matt Caswell) Date: Fri, 08 Jan 2021 10:44:02 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1610102642.452109.13452.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 37d9e3d7fdfbe7713adcdeca55b1303c6ad8dc12 (commit) from a953f26dba5dadf8ac69c6fcbf71ebe3efba9407 (commit) - Log ----------------------------------------------------------------- commit 37d9e3d7fdfbe7713adcdeca55b1303c6ad8dc12 Author: Matt Caswell Date: Thu Dec 10 10:36:23 2020 +0000 Ensure DTLS free functions can handle NULL Our free functions should be able to deal with the case where the object being freed is NULL. This turns out to not be quite the case for DTLS related objects. Fixes #13649 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13655) (cherry picked from commit d0afb30ef3950cacff50ec539e90073b95a276df) ----------------------------------------------------------------------- Summary of changes: ssl/d1_lib.c | 9 +++++---- ssl/record/rec_layer_d1.c | 3 +++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 2a15ee8ad9..8874bed353 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -142,10 +142,11 @@ void dtls1_free(SSL *s) ssl3_free(s); - dtls1_clear_queues(s); - - pqueue_free(s->d1->buffered_messages); - pqueue_free(s->d1->sent_messages); + if (s->d1 != NULL) { + dtls1_clear_queues(s); + pqueue_free(s->d1->buffered_messages); + pqueue_free(s->d1->sent_messages); + } OPENSSL_free(s->d1); s->d1 = NULL; diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index e56c6b9595..d0cb72d757 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c @@ -46,6 +46,9 @@ int DTLS_RECORD_LAYER_new(RECORD_LAYER *rl) void DTLS_RECORD_LAYER_free(RECORD_LAYER *rl) { + if (rl->d == NULL) + return; + DTLS_RECORD_LAYER_clear(rl); pqueue_free(rl->d->unprocessed_rcds.q); pqueue_free(rl->d->processed_rcds.q); From tmraz at fedoraproject.org Fri Jan 8 11:12:39 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Fri, 08 Jan 2021 11:12:39 +0000 Subject: [openssl] master update Message-ID: <1610104359.532482.21386.nullmailer@dev.openssl.org> The branch master has been updated via 22aa4a3afb53984201c84970ec03b251d0117f00 (commit) from d0afb30ef3950cacff50ec539e90073b95a276df (commit) - Log ----------------------------------------------------------------- commit 22aa4a3afb53984201c84970ec03b251d0117f00 Author: Billy Brumley Date: Tue Jan 5 13:08:09 2021 +0200 [crypto/dh] side channel hardening for computing DH shared keys Reviewed-by: Nicola Tuveri Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13783) ----------------------------------------------------------------------- Summary of changes: crypto/dh/dh_key.c | 34 +++++++++++++++++++++++++++++++--- doc/man3/DH_generate_key.pod | 27 +++++++++++++++++++++------ 2 files changed, 52 insertions(+), 9 deletions(-) diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index 2e61ccbaa2..4535715367 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -86,26 +86,53 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) goto err; } - ret = BN_bn2bin(tmp, key); + /* return the padded key, i.e. same number of bytes as the modulus */ + ret = BN_bn2binpad(tmp, key, BN_num_bytes(dh->params.p)); err: BN_CTX_end(ctx); BN_CTX_free(ctx); return ret; } +/*- + * NB: This function is inherently not constant time due to the + * RFC 5246 (8.1.2) padding style that strips leading zero bytes. + */ int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) { + int ret = 0, i; + volatile size_t npad = 0, mask = 1; + + /* compute the key; ret is constant unless compute_key is external */ #ifdef FIPS_MODULE - return compute_key(key, pub_key, dh); + ret = compute_key(key, pub_key, dh); #else - return dh->meth->compute_key(key, pub_key, dh); + ret = dh->meth->compute_key(key, pub_key, dh); #endif + if (ret <= 0) + return ret; + + /* count leading zero bytes, yet still touch all bytes */ + for (i = 0; i < ret; i++) { + mask &= !key[i]; + npad += mask; + } + + /* unpad key */ + ret -= npad; + /* key-dependent memory access, potentially leaking npad / ret */ + memmove(key, key + npad, ret); + /* key-dependent memory access, potentially leaking npad / ret */ + memset(key + ret, 0, npad); + + return ret; } int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh) { int rv, pad; + /* rv is constant unless compute_key is external */ #ifdef FIPS_MODULE rv = compute_key(key, pub_key, dh); #else @@ -114,6 +141,7 @@ int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh) if (rv <= 0) return rv; pad = BN_num_bytes(dh->params.p) - rv; + /* pad is constant (zero) unless compute_key is external */ if (pad > 0) { memmove(key + pad, key, rv); memset(key, 0, pad); diff --git a/doc/man3/DH_generate_key.pod b/doc/man3/DH_generate_key.pod index 7cc9e84a44..c5b58615e0 100644 --- a/doc/man3/DH_generate_key.pod +++ b/doc/man3/DH_generate_key.pod @@ -2,7 +2,8 @@ =head1 NAME -DH_generate_key, DH_compute_key - perform Diffie-Hellman key exchange +DH_generate_key, DH_compute_key, DH_compute_key_padded - perform +Diffie-Hellman key exchange =head1 SYNOPSIS @@ -14,18 +15,20 @@ L: int DH_generate_key(DH *dh); - int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh); + int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); + + int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh); =head1 DESCRIPTION -Both of the functions described on this page are deprecated. +All of the functions described on this page are deprecated. Applications should instead use L and L. DH_generate_key() performs the first step of a Diffie-Hellman key exchange by generating private and public DH values. By calling -DH_compute_key(), these are combined with the other party's public -value to compute the shared key. +DH_compute_key() or DH_compute_key_padded(), these are combined with +the other party's public value to compute the shared key. DH_generate_key() expects B to contain the shared parameters Bp> and Bg>. It generates a random private DH value @@ -36,6 +39,14 @@ published. DH_compute_key() computes the shared secret from the private DH value in B and the other party's public value in B and stores it in B. B must point to B bytes of memory. +The padding style is RFC 5246 (8.1.2) that strips leading zero bytes. +It is not constant time due to the leading zero bytes being stripped. +The return value should be considered public. + +DH_compute_key_padded() is similar but stores a fixed number of bytes. +The padding style is NIST SP 800-56A (C.1) that retains leading zero bytes. +It is constant time due to the leading zero bytes being retained. +The return value should be considered public. =head1 RETURN VALUES @@ -44,6 +55,8 @@ DH_generate_key() returns 1 on success, 0 otherwise. DH_compute_key() returns the size of the shared secret on success, -1 on error. +DH_compute_key_padded() returns B on success, -1 on error. + The error codes can be obtained by L. =head1 SEE ALSO @@ -53,7 +66,9 @@ L, L, L, L =head1 HISTORY -Both of these functions were deprecated in OpenSSL 3.0. +DH_compute_key_padded() was added in OpenSSL 1.0.2. + +All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT From openssl at openssl.org Fri Jan 8 16:36:03 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 08 Jan 2021 16:36:03 +0000 Subject: FAILED build of OpenSSL branch master with options -d --strict-warnings enable-weak-ssl-ciphers Message-ID: <1610123763.594759.570387.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings enable-weak-ssl-ciphers Commit log since last time: e260bee0a9 Only perform special TLS handling if TLS has been configured 7c0e98a5c4 Mac M1 setting change proposal. 7fd1ca723a Support session information on FreeBSD. b39c215dec Use CRIOGET to fetch a crypto descriptor when present. 3497cc8776 Updated SSL_CTX_new doc b043c41c00 28-seclevel.cnf.in: fix typo in algo name b2d1465153 EVP_SIGNATURE-ED25519.pod: fix typo in algo name 2c61a670eb win-onecore: Build with /APPCONTAINER for UWP compat ce11192650 crypto/win: Don't use disallowed APIs on UWP 38b57c4c52 Update copyright years of auto-generated headers (make update) Build log ended with (last 100 lines): 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok ERROR in SERVER 40B7F7449E7F0000:error:0A0000F4:SSL routines:ossl_statem_server_read_transition:unexpected message:../openssl/ssl/statem/statem_srvr.c:312: Doing handshakes=1 bytes=256 TLSv1, cipher SSLv3 ADH-RC4-MD5, temp key: 2048 bits DH ../../util/wrap.pl ../../test/ssl_old_test -s_key keyU.ss -s_cert certU.ss -c_key keyU.ss -c_cert certU.ss -config ../../../openssl/test/default-and-legacy.cnf -provider default -provider legacy -s_cert certD.ss -s_key keyD.ss -s_cert certE.ss -s_key keyE.ss -cipher 'ADH-RC4-MD5:@SECLEVEL=0' -ciphersuites '' -tls1 => 1 not ok 28 - Testing ADH-RC4-MD5:@SECLEVEL=0 # ------------------------------------------------------------------------------ ERROR in SERVER 40C7004F817F0000:error:0A0000F4:SSL routines:ossl_statem_server_read_transition:unexpected message:../openssl/ssl/statem/statem_srvr.c:312: Doing handshakes=1 bytes=256 TLSv1, cipher SSLv3 RC4-MD5, 2048 bits RSA ../../util/wrap.pl ../../test/ssl_old_test -s_key keyU.ss -s_cert certU.ss -c_key keyU.ss -c_cert certU.ss -config ../../../openssl/test/default-and-legacy.cnf -provider default -provider legacy -s_cert certD.ss -s_key keyD.ss -s_cert certE.ss -s_key keyE.ss -cipher 'RC4-MD5:@SECLEVEL=0' -ciphersuites '' -tls1 => 1 not ok 42 - Testing RC4-MD5:@SECLEVEL=0 # ------------------------------------------------------------------------------ ERROR in SERVER 4077479FD97F0000:error:0A0000F4:SSL routines:ossl_statem_server_read_transition:unexpected message:../openssl/ssl/statem/statem_srvr.c:312: Doing handshakes=1 bytes=256 TLSv1.2, cipher SSLv3 ADH-RC4-MD5, temp key: 2048 bits DH ../../util/wrap.pl ../../test/ssl_old_test -s_key keyU.ss -s_cert certU.ss -c_key keyU.ss -c_cert certU.ss -config ../../../openssl/test/default-and-legacy.cnf -provider default -provider legacy -s_cert certD.ss -s_key keyD.ss -s_cert certE.ss -s_key keyE.ss -cipher 'ADH-RC4-MD5:@SECLEVEL=0' -ciphersuites '' -tls1_2 => 1 not ok 118 - Testing ADH-RC4-MD5:@SECLEVEL=0 # ------------------------------------------------------------------------------ ERROR in SERVER 40D7A439157F0000:error:0A0000F4:SSL routines:ossl_statem_server_read_transition:unexpected message:../openssl/ssl/statem/statem_srvr.c:312: Doing handshakes=1 bytes=256 TLSv1.2, cipher SSLv3 RC4-MD5, 2048 bits RSA ../../util/wrap.pl ../../test/ssl_old_test -s_key keyU.ss -s_cert certU.ss -c_key keyU.ss -c_cert certU.ss -config ../../../openssl/test/default-and-legacy.cnf -provider default -provider legacy -s_cert certD.ss -s_key keyD.ss -s_cert certE.ss -s_key keyE.ss -cipher 'RC4-MD5:@SECLEVEL=0' -ciphersuites '' -tls1_2 => 1 not ok 143 - Testing RC4-MD5:@SECLEVEL=0 # ------------------------------------------------------------------------------ # Looks like you failed 4 tests of 148. not ok 4 - Testing ciphersuites # ------------------------------------------------------------------------------ # Looks like you failed 1 test of 12.80-test_ssl_old.t .................. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/12 subtests 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_ssl_old.t (Wstat: 256 Tests: 12 Failed: 1) Failed test: 4 Non-zero exit status: 1 Files=227, Tests=3560, 881 wallclock secs (14.53 usr 1.47 sys + 784.51 cusr 90.90 csys = 891.41 CPU) Result: FAIL make[1]: *** [Makefile:3237: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-weak-ssl-ciphers' make: *** [Makefile:3234: tests] Error 2 From matt at openssl.org Fri Jan 8 17:27:32 2021 From: matt at openssl.org (Matt Caswell) Date: Fri, 08 Jan 2021 17:27:32 +0000 Subject: [openssl] master update Message-ID: <1610126852.671287.3281.nullmailer@dev.openssl.org> The branch master has been updated via becbacd705170952725571ae4404846b0ecee86a (commit) from 22aa4a3afb53984201c84970ec03b251d0117f00 (commit) - Log ----------------------------------------------------------------- commit becbacd705170952725571ae4404846b0ecee86a Author: Michael Baentsch Date: Thu Jan 7 09:09:32 2021 +0100 Adding TLS group name retrieval Function SSL_group_to_name() added, together with documentation and tests. This now permits displaying names of internal and external provider-implemented groups. Partial fix of #13767 Reviewed-by: Tomas Mraz Reviewed-by: Nicola Tuveri Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13785) ----------------------------------------------------------------------- Summary of changes: apps/lib/s_cb.c | 23 ++++------------------ doc/man3/SSL_group_to_name.pod | 43 ++++++++++++++++++++++++++++++++++++++++++ include/openssl/ssl.h.in | 2 ++ ssl/s3_lib.c | 18 ++++++++++++++++++ ssl/ssl_local.h | 1 + ssl/t1_lib.c | 2 +- test/sslapitest.c | 23 ++++++++++++++++++++++ util/libssl.num | 1 + 8 files changed, 93 insertions(+), 20 deletions(-) create mode 100644 doc/man3/SSL_group_to_name.pod diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c index c7994417aa..67e0fbd5bd 100644 --- a/apps/lib/s_cb.c +++ b/apps/lib/s_cb.c @@ -345,7 +345,6 @@ int ssl_print_point_formats(BIO *out, SSL *s) int ssl_print_groups(BIO *out, SSL *s, int noshared) { int i, ngroups, *groups, nid; - const char *gname; ngroups = SSL_get1_groups(s, NULL); if (ngroups <= 0) @@ -353,39 +352,25 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared) groups = app_malloc(ngroups * sizeof(int), "groups to print"); SSL_get1_groups(s, groups); - BIO_puts(out, "Supported Elliptic Groups: "); + BIO_puts(out, "Supported groups: "); for (i = 0; i < ngroups; i++) { if (i) BIO_puts(out, ":"); nid = groups[i]; - /* If unrecognised print out hex version */ - if (nid & TLSEXT_nid_unknown) { - BIO_printf(out, "0x%04X", nid & 0xFFFF); - } else { - /* TODO(TLS1.3): Get group name here */ - /* Use NIST name for curve if it exists */ - gname = EC_curve_nid2nist(nid); - if (gname == NULL) - gname = OBJ_nid2sn(nid); - BIO_printf(out, "%s", gname); - } + BIO_printf(out, "%s", SSL_group_to_name(s, nid)); } OPENSSL_free(groups); if (noshared) { BIO_puts(out, "\n"); return 1; } - BIO_puts(out, "\nShared Elliptic groups: "); + BIO_puts(out, "\nShared groups: "); ngroups = SSL_get_shared_group(s, -1); for (i = 0; i < ngroups; i++) { if (i) BIO_puts(out, ":"); nid = SSL_get_shared_group(s, i); - /* TODO(TLS1.3): Convert for DH groups */ - gname = EC_curve_nid2nist(nid); - if (gname == NULL) - gname = OBJ_nid2sn(nid); - BIO_printf(out, "%s", gname); + BIO_printf(out, "%s", SSL_group_to_name(s, nid)); } if (ngroups == 0) BIO_puts(out, "NONE"); diff --git a/doc/man3/SSL_group_to_name.pod b/doc/man3/SSL_group_to_name.pod new file mode 100644 index 0000000000..9c0e75c188 --- /dev/null +++ b/doc/man3/SSL_group_to_name.pod @@ -0,0 +1,43 @@ +=pod + +=head1 NAME + +SSL_group_to_name - get name of group + +=head1 SYNOPSIS + + #include + + const char *SSL_group_to_name(const SSL *ssl, int id); + +=head1 DESCRIPTION + +SSL_group_to_name() is used to retrieve the TLS group name +associated with a given TLS group ID, as registered via built-in +or external providers and as returned by a call to SSL_get1_groups() +or SSL_get_shared_group(). + +=head1 RETURN VALUES + +If non-NULL, SSL_group_to_name() returns the TLS group name +corresponding to the given I as a NULL-terminated string. +If SSL_group_to_name() returns NULL, an error occurred; possibly no +corresponding tlsname was registered during provider initialisation. + +Note that the return value is valid only during the lifetime of the +SSL object I. + +=head1 SEE ALSO + +L + +=head1 COPYRIGHT + +Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in index 37b4c82f02..4e5d50bd6d 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -1501,6 +1501,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) # define SSL_get_max_proto_version(s) \ SSL_ctrl(s, SSL_CTRL_GET_MAX_PROTO_VERSION, 0, NULL) +const char *SSL_group_to_name(SSL *s, int id); + /* Backwards compatibility, original 1.1.0 names */ # define SSL_CTRL_GET_SERVER_TMP_KEY \ SSL_CTRL_GET_PEER_TMP_KEY diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 298efdc1cb..0739bc9082 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -4986,3 +4986,21 @@ int ssl_encapsulate(SSL *s, EVP_PKEY *pubkey, EVP_PKEY_CTX_free(pctx); return rv; } + +const char *SSL_group_to_name(SSL *s, int nid) { + int group_id = 0; + const TLS_GROUP_INFO *cinf = NULL; + + /* first convert to real group id for internal and external IDs */ + if (nid & TLSEXT_nid_unknown) + group_id = nid & 0xFFFF; + else + group_id = tls1_nid2group_id(nid); + + /* then look up */ + cinf = tls1_group_id_lookup(s->ctx, group_id); + + if (cinf != NULL) + return cinf->tlsname; + return NULL; +} diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index c2a4087c3b..22ab387422 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2650,6 +2650,7 @@ SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n); __owur const TLS_GROUP_INFO *tls1_group_id_lookup(SSL_CTX *ctx, uint16_t curve_id); __owur int tls1_group_id2nid(uint16_t group_id, int include_unknown); +__owur uint16_t tls1_nid2group_id(int nid); __owur int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_curves); __owur uint16_t tls1_shared_group(SSL *s, int nmatch); __owur int tls1_set_groups(uint16_t **pext, size_t *pextlen, diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index bc366c8a7c..60c17dd809 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -460,7 +460,7 @@ int tls1_group_id2nid(uint16_t group_id, int include_unknown) return TLSEXT_nid_unknown | (int)group_id; } -static uint16_t tls1_nid2group_id(int nid) +uint16_t tls1_nid2group_id(int nid) { size_t i; diff --git a/test/sslapitest.c b/test/sslapitest.c index 915387a87c..984c6a8764 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -4318,6 +4318,7 @@ static int test_key_exchange(int idx) int *kexch_groups = &kexch_alg; int kexch_groups_size = 1; int max_version = TLS1_3_VERSION; + char *kexch_name0 = NULL; switch (idx) { # ifndef OPENSSL_NO_EC @@ -4329,47 +4330,60 @@ static int test_key_exchange(int idx) case 0: kexch_groups = ecdhe_kexch_groups; kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups); + kexch_name0 = "secp256r1"; break; case 1: kexch_alg = NID_X9_62_prime256v1; + kexch_name0 = "secp256r1"; break; case 2: kexch_alg = NID_secp384r1; + kexch_name0 = "secp384r1"; break; case 3: kexch_alg = NID_secp521r1; + kexch_name0 = "secp521r1"; break; case 4: kexch_alg = NID_X25519; + kexch_name0 = "x25519"; break; case 5: kexch_alg = NID_X448; + kexch_name0 = "x448"; break; # endif # ifndef OPENSSL_NO_DH # ifndef OPENSSL_NO_TLS1_2 case 13: max_version = TLS1_2_VERSION; + kexch_name0 = "ffdhe2048"; # endif /* Fall through */ case 6: kexch_groups = ffdhe_kexch_groups; kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups); + kexch_name0 = "ffdhe2048"; break; case 7: kexch_alg = NID_ffdhe2048; + kexch_name0 = "ffdhe2048"; break; case 8: kexch_alg = NID_ffdhe3072; + kexch_name0 = "ffdhe3072"; break; case 9: kexch_alg = NID_ffdhe4096; + kexch_name0 = "ffdhe4096"; break; case 10: kexch_alg = NID_ffdhe6144; + kexch_name0 = "ffdhe6144"; break; case 11: kexch_alg = NID_ffdhe8192; + kexch_name0 = "ffdhe8192"; break; # endif default: @@ -4425,6 +4439,11 @@ static int test_key_exchange(int idx) if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0), idx == 13 ? 0 : kexch_groups[0])) goto end; + + if (!TEST_str_eq(SSL_group_to_name(serverssl, kexch_groups[0]), + kexch_name0)) + goto end; + if (max_version == TLS1_3_VERSION) { if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0])) goto end; @@ -8000,6 +8019,10 @@ static int test_pluggable_group(int idx) if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) goto end; + if (!TEST_str_eq(group_name, + SSL_group_to_name(serverssl, SSL_get_shared_group(serverssl, 0)))) + goto end; + testresult = 1; end: diff --git a/util/libssl.num b/util/libssl.num index 37b0d37735..cd62067763 100644 --- a/util/libssl.num +++ b/util/libssl.num @@ -519,3 +519,4 @@ SSL_get1_peer_certificate ? 3_0_0 EXIST::FUNCTION: SSL_load_client_CA_file_ex ? 3_0_0 EXIST::FUNCTION: SSL_set0_tmp_dh_pkey ? 3_0_0 EXIST::FUNCTION: SSL_CTX_set0_tmp_dh_pkey ? 3_0_0 EXIST::FUNCTION: +SSL_group_to_name ? 3_0_0 EXIST::FUNCTION: From openssl at openssl.org Fri Jan 8 21:00:36 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 08 Jan 2021 21:00:36 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2 Message-ID: <1610139636.132429.1124262.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: e260bee0a9 Only perform special TLS handling if TLS has been configured 7c0e98a5c4 Mac M1 setting change proposal. 7fd1ca723a Support session information on FreeBSD. b39c215dec Use CRIOGET to fetch a crypto descriptor when present. 3497cc8776 Updated SSL_CTX_new doc b043c41c00 28-seclevel.cnf.in: fix typo in algo name b2d1465153 EVP_SIGNATURE-ED25519.pod: fix typo in algo name 2c61a670eb win-onecore: Build with /APPCONTAINER for UWP compat ce11192650 crypto/win: Don't use disallowed APIs on UWP 38b57c4c52 Update copyright years of auto-generated headers (make update) Build log ended with (last 100 lines): # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80A180BC427F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80A180BC427F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:610:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/AKa_WsAuw0 default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80D1277C647F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80D1277C647F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80D1277C647F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80D1277C647F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80D1277C647F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80D1277C647F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/AKa_WsAuw0 fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=227, Tests=3559, 868 wallclock secs (14.04 usr 1.51 sys + 775.95 cusr 90.34 csys = 881.84 CPU) Result: FAIL make[1]: *** [Makefile:3246: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2' make: *** [Makefile:3243: tests] Error 2 From no-reply at appveyor.com Fri Jan 8 21:31:02 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 08 Jan 2021 21:31:02 +0000 Subject: Build failed: openssl master.39035 Message-ID: <20210108213102.1.4B7E6C989D0D6E10@appveyor.com> An HTML attachment was scrubbed... URL: From nic.tuv at gmail.com Fri Jan 8 22:05:53 2021 From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Fri, 08 Jan 2021 22:05:53 +0000 Subject: [openssl] master update Message-ID: <1610143553.708200.28583.nullmailer@dev.openssl.org> The branch master has been updated via 1330093b9c7e0325ca76589fb9ace5b664830c6d (commit) via 9e49aff2aaac4c42ea6c4078266947c75761276b (commit) via 4554988e582e676a51c451de031939b45e60d00c (commit) via ed37336b6383cacbcbb8f6b1334eba0ad43530d5 (commit) via c5bc5ec849273ae0c3f8b32f1d23c33d93be3203 (commit) from becbacd705170952725571ae4404846b0ecee86a (commit) - Log ----------------------------------------------------------------- commit 1330093b9c7e0325ca76589fb9ace5b664830c6d Author: Nicola Tuveri Date: Tue Nov 10 12:28:52 2020 +0200 [test][pkey_check] Add more invalid SM2 key tests Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13359) commit 9e49aff2aaac4c42ea6c4078266947c75761276b Author: Nicola Tuveri Date: Tue Nov 10 01:11:48 2020 +0200 Add SM2 private key range validation According to the relevant standards, the valid range for SM2 private keys is [1, n-1), where n is the order of the curve generator. For this reason we cannot reuse the EC validation function as it is, and we introduce a new internal function `sm2_key_private_check()`. Partially fixes https://github.com/openssl/openssl/issues/8435 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13359) commit 4554988e582e676a51c451de031939b45e60d00c Author: Nicola Tuveri Date: Mon Nov 9 23:34:00 2020 +0200 [test][pkey_check] Add invalid SM2 key test SM2 private keys have different validation requirements than EC keys: this test checks one corner case highlighted in https://github.com/openssl/openssl/issues/8435 As @bbbrumley mentioned in https://github.com/openssl/openssl/issues/8435#issuecomment-720504282 this only fixes the absence of a regression test for validation of this kind of boundary issues for decoded SM2 keys. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13359) commit ed37336b6383cacbcbb8f6b1334eba0ad43530d5 Author: Nicola Tuveri Date: Mon Nov 9 22:35:28 2020 +0200 [apps/pkey] Return error on failed `-[pub]check` Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13359) commit c5bc5ec849273ae0c3f8b32f1d23c33d93be3203 Author: Nicola Tuveri Date: Mon Nov 9 22:34:18 2020 +0200 [test] Add `pkey -check` validation tests Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13359) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 14 +++++ apps/pkey.c | 5 +- crypto/err/openssl.txt | 1 + crypto/sm2/build.info | 2 +- crypto/sm2/sm2_err.c | 2 + crypto/sm2/sm2_key.c | 49 ++++++++++++++++ include/crypto/sm2.h | 2 + include/crypto/sm2err.h | 1 + providers/implementations/keymgmt/build.info | 4 +- providers/implementations/keymgmt/ec_kmgmt.c | 67 +++++++++++++++++++--- test/recipes/91-test_pkey_check.t | 61 ++++++++++++++++++++ .../91-test_pkey_check_data/ec_p256_bad_0.pem | 4 ++ .../91-test_pkey_check_data/ec_p256_bad_1.pem | 4 ++ test/recipes/91-test_pkey_check_data/sm2_bad_0.pem | 4 ++ test/recipes/91-test_pkey_check_data/sm2_bad_1.pem | 4 ++ .../91-test_pkey_check_data/sm2_bad_neg1.pem | 4 ++ 16 files changed, 215 insertions(+), 13 deletions(-) create mode 100644 crypto/sm2/sm2_key.c create mode 100644 test/recipes/91-test_pkey_check.t create mode 100644 test/recipes/91-test_pkey_check_data/ec_p256_bad_0.pem create mode 100644 test/recipes/91-test_pkey_check_data/ec_p256_bad_1.pem create mode 100644 test/recipes/91-test_pkey_check_data/sm2_bad_0.pem create mode 100644 test/recipes/91-test_pkey_check_data/sm2_bad_1.pem create mode 100644 test/recipes/91-test_pkey_check_data/sm2_bad_neg1.pem diff --git a/CHANGES.md b/CHANGES.md index 94bf750ffc..65031b89a5 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,6 +23,20 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] + * Validation of SM2 keys has been separated from the validation of regular EC + keys, allowing to improve the SM2 validation process to reject loaded private + keys that are not conforming to the SM2 ISO standard. + In particular, a private scalar `k` outside the range `1 <= k < n-1` is now + correctly rejected. + + *Nicola Tuveri* + + * Behavior of the `pkey` app is changed, when using the `-check` or `-pubcheck` + switches: a validation failure triggers an early exit, returning a failure + exit status to the parent process. + + *Nicola Tuveri* + * Changed behavior of SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() to ignore unknown ciphers. diff --git a/apps/pkey.c b/apps/pkey.c index 65988a8fc2..67dc8c012c 100644 --- a/apps/pkey.c +++ b/apps/pkey.c @@ -82,6 +82,7 @@ int pkey_main(int argc, char **argv) BIO *in = NULL, *out = NULL; ENGINE *e = NULL; EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *ctx = NULL; const EVP_CIPHER *cipher = NULL; char *infile = NULL, *outfile = NULL, *passin = NULL, *passout = NULL; char *passinarg = NULL, *passoutarg = NULL, *prog; @@ -231,7 +232,6 @@ int pkey_main(int argc, char **argv) if (check || pub_check) { int r; - EVP_PKEY_CTX *ctx; ctx = EVP_PKEY_CTX_new(pkey, e); if (ctx == NULL) { @@ -260,8 +260,8 @@ int pkey_main(int argc, char **argv) ERR_reason_error_string(err)); ERR_get_error(); /* remove err from error stack */ } + goto end; } - EVP_PKEY_CTX_free(ctx); } if (!noout) { @@ -313,6 +313,7 @@ int pkey_main(int argc, char **argv) end: if (ret != 0) ERR_print_errors(bio_err); + EVP_PKEY_CTX_free(ctx); EVP_PKEY_free(pkey); release_engine(e); BIO_free_all(out); diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 5440e47093..4e36fc3394 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -3103,6 +3103,7 @@ SM2_R_INVALID_DIGEST:102:invalid digest SM2_R_INVALID_DIGEST_TYPE:103:invalid digest type SM2_R_INVALID_ENCODING:104:invalid encoding SM2_R_INVALID_FIELD:105:invalid field +SM2_R_INVALID_PRIVATE_KEY:113:invalid private key SM2_R_NO_PARAMETERS_SET:109:no parameters set SM2_R_USER_ID_TOO_LARGE:106:user id too large SSL_R_ALGORITHM_FETCH_FAILED:295:algorithm fetch failed diff --git a/crypto/sm2/build.info b/crypto/sm2/build.info index 402a76cc5d..a50d08d0bc 100644 --- a/crypto/sm2/build.info +++ b/crypto/sm2/build.info @@ -1,5 +1,5 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=\ - sm2_sign.c sm2_crypt.c sm2_err.c + sm2_sign.c sm2_crypt.c sm2_err.c sm2_key.c diff --git a/crypto/sm2/sm2_err.c b/crypto/sm2/sm2_err.c index 60509e14d1..ab9c094a9d 100644 --- a/crypto/sm2/sm2_err.c +++ b/crypto/sm2/sm2_err.c @@ -28,6 +28,8 @@ static const ERR_STRING_DATA SM2_str_reasons[] = { "invalid digest type"}, {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_ENCODING), "invalid encoding"}, {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_FIELD), "invalid field"}, + {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_INVALID_PRIVATE_KEY), + "invalid private key"}, {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_NO_PARAMETERS_SET), "no parameters set"}, {ERR_PACK(ERR_LIB_SM2, 0, SM2_R_USER_ID_TOO_LARGE), "user id too large"}, {0, NULL} diff --git a/crypto/sm2/sm2_key.c b/crypto/sm2/sm2_key.c new file mode 100644 index 0000000000..5182d01058 --- /dev/null +++ b/crypto/sm2/sm2_key.c @@ -0,0 +1,49 @@ +/* + * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include "crypto/sm2err.h" +#include "crypto/sm2.h" +#include /* EC_KEY and EC_GROUP functions */ + +/* + * SM2 key generation is implemented within ec_generate_key() in + * crypto/ec/ec_key.c + */ + +int sm2_key_private_check(const EC_KEY *eckey) +{ + int ret = 0; + BIGNUM *max = NULL; + const EC_GROUP *group = NULL; + const BIGNUM *priv_key = NULL, *order = NULL; + + if (eckey == NULL + || (group = EC_KEY_get0_group(eckey)) == NULL + || (priv_key = EC_KEY_get0_private_key(eckey)) == NULL + || (order = EC_GROUP_get0_order(group)) == NULL ) { + ERR_raise(ERR_LIB_SM2, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + + /* range of SM2 private key is [1, n-1) */ + max = BN_dup(order); + if (max == NULL || !BN_sub_word(max, 1)) + goto end; + if (BN_cmp(priv_key, BN_value_one()) < 0 + || BN_cmp(priv_key, max) >= 0) { + ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_PRIVATE_KEY); + goto end; + } + ret = 1; + + end: + BN_free(max); + return ret; +} diff --git a/include/crypto/sm2.h b/include/crypto/sm2.h index fe87c84bba..e442e7aec7 100644 --- a/include/crypto/sm2.h +++ b/include/crypto/sm2.h @@ -17,6 +17,8 @@ # include +int sm2_key_private_check(const EC_KEY *eckey); + /* The default user id as specified in GM/T 0009-2012 */ # define SM2_DEFAULT_USERID "1234567812345678" diff --git a/include/crypto/sm2err.h b/include/crypto/sm2err.h index f8fabcb74e..fe081ddba8 100644 --- a/include/crypto/sm2err.h +++ b/include/crypto/sm2err.h @@ -61,6 +61,7 @@ int err_load_SM2_strings_int(void); # define SM2_R_INVALID_DIGEST_TYPE 103 # define SM2_R_INVALID_ENCODING 104 # define SM2_R_INVALID_FIELD 105 +# define SM2_R_INVALID_PRIVATE_KEY 113 # define SM2_R_NO_PARAMETERS_SET 109 # define SM2_R_USER_ID_TOO_LARGE 106 diff --git a/providers/implementations/keymgmt/build.info b/providers/implementations/keymgmt/build.info index 75f61a6de1..f434a720bc 100644 --- a/providers/implementations/keymgmt/build.info +++ b/providers/implementations/keymgmt/build.info @@ -1,7 +1,6 @@ # We make separate GOAL variables for each algorithm, to make it easy to # switch each to the Legacy provider when needed. -$EC_GOAL=../../libimplementations.a $ECX_GOAL=../../libimplementations.a $KDF_GOAL=../../libimplementations.a @@ -14,7 +13,8 @@ IF[{- !$disabled{dsa} -}] SOURCE[../../libnonfips.a]=dsa_kmgmt.c ENDIF IF[{- !$disabled{ec} -}] - SOURCE[$EC_GOAL]=ec_kmgmt.c + SOURCE[../../libfips.a]=ec_kmgmt.c + SOURCE[../../libnonfips.a]=ec_kmgmt.c ENDIF IF[{- !$disabled{asm} -}] diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c index 7e3fadc580..ac7094490e 100644 --- a/providers/implementations/keymgmt/ec_kmgmt.c +++ b/providers/implementations/keymgmt/ec_kmgmt.c @@ -27,7 +27,12 @@ #include "prov/providercommonerr.h" #include "prov/provider_ctx.h" #include "internal/param_build_set.h" -#include "crypto/sm2.h" + +#ifndef FIPS_MODULE +# ifndef OPENSSL_NO_SM2 +# include "crypto/sm2.h" +# endif +#endif static OSSL_FUNC_keymgmt_new_fn ec_newdata; static OSSL_FUNC_keymgmt_gen_init_fn ec_gen_init; @@ -50,13 +55,16 @@ static OSSL_FUNC_keymgmt_import_types_fn ec_import_types; static OSSL_FUNC_keymgmt_export_fn ec_export; static OSSL_FUNC_keymgmt_export_types_fn ec_export_types; static OSSL_FUNC_keymgmt_query_operation_name_fn ec_query_operation_name; -#ifndef OPENSSL_NO_SM2 +#ifndef FIPS_MODULE +# ifndef OPENSSL_NO_SM2 static OSSL_FUNC_keymgmt_gen_fn sm2_gen; static OSSL_FUNC_keymgmt_get_params_fn sm2_get_params; static OSSL_FUNC_keymgmt_gettable_params_fn sm2_gettable_params; static OSSL_FUNC_keymgmt_settable_params_fn sm2_settable_params; static OSSL_FUNC_keymgmt_import_fn sm2_import; static OSSL_FUNC_keymgmt_query_operation_name_fn sm2_query_operation_name; +static OSSL_FUNC_keymgmt_validate_fn sm2_validate; +# endif #endif #define EC_DEFAULT_MD "SHA256" @@ -76,7 +84,8 @@ const char *ec_query_operation_name(int operation_id) return NULL; } -#ifndef OPENSSL_NO_SM2 +#ifndef FIPS_MODULE +# ifndef OPENSSL_NO_SM2 static const char *sm2_query_operation_name(int operation_id) { @@ -86,6 +95,7 @@ const char *sm2_query_operation_name(int operation_id) } return NULL; } +# endif #endif /* @@ -364,12 +374,14 @@ int ec_import(void *keydata, int selection, const OSSL_PARAM params[]) return common_import(keydata, selection, params, 0); } -#ifndef OPENSSL_NO_SM2 +#ifndef FIPS_MODULE +# ifndef OPENSSL_NO_SM2 static int sm2_import(void *keydata, int selection, const OSSL_PARAM params[]) { return common_import(keydata, selection, params, 1); } +# endif #endif static @@ -746,7 +758,8 @@ int ec_set_params(void *key, const OSSL_PARAM params[]) return ec_key_otherparams_fromdata(eck, params); } -#ifndef OPENSSL_NO_SM2 +#ifndef FIPS_MODULE +# ifndef OPENSSL_NO_SM2 static int sm2_get_params(void *key, OSSL_PARAM params[]) { @@ -782,6 +795,40 @@ const OSSL_PARAM *sm2_settable_params(ossl_unused void *provctx) { return sm2_known_settable_params; } + +static +int sm2_validate(const void *keydata, int selection) +{ + const EC_KEY *eck = keydata; + int ok = 0; + BN_CTX *ctx = NULL; + + if (!ossl_prov_is_running()) + return 0; + + ctx = BN_CTX_new_ex(ec_key_get_libctx(eck)); + if (ctx == NULL) + return 0; + + if ((selection & EC_POSSIBLE_SELECTIONS) != 0) + ok = 1; + + if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) + ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx); + + if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) + ok = ok && ec_key_public_check(eck, ctx); + + if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) + ok = ok && sm2_key_private_check(eck); + + if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == OSSL_KEYMGMT_SELECT_KEYPAIR) + ok = ok && ec_key_pairwise_check(eck, ctx); + + BN_CTX_free(ctx); + return ok; +} +# endif #endif static @@ -1084,7 +1131,8 @@ err: return NULL; } -#ifndef OPENSSL_NO_SM2 +#ifndef FIPS_MODULE +# ifndef OPENSSL_NO_SM2 /* * The callback arguments (osslcb & cbarg) are not used by EC_KEY generation */ @@ -1130,6 +1178,7 @@ err: EC_KEY_free(ec); return NULL; } +# endif #endif static void ec_gen_cleanup(void *genctx) @@ -1195,7 +1244,8 @@ const OSSL_DISPATCH ossl_ec_keymgmt_functions[] = { { 0, NULL } }; -#ifndef OPENSSL_NO_SM2 +#ifndef FIPS_MODULE +# ifndef OPENSSL_NO_SM2 const OSSL_DISPATCH sm2_keymgmt_functions[] = { { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))ec_newdata }, { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))ec_gen_init }, @@ -1213,7 +1263,7 @@ const OSSL_DISPATCH sm2_keymgmt_functions[] = { { OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void (*) (void))sm2_settable_params }, { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))ec_has }, { OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))ec_match }, - { OSSL_FUNC_KEYMGMT_VALIDATE, (void (*)(void))ec_validate }, + { OSSL_FUNC_KEYMGMT_VALIDATE, (void (*)(void))sm2_validate }, { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))sm2_import }, { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))ec_import_types }, { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))ec_export }, @@ -1222,4 +1272,5 @@ const OSSL_DISPATCH sm2_keymgmt_functions[] = { (void (*)(void))sm2_query_operation_name }, { 0, NULL } }; +# endif #endif diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t new file mode 100644 index 0000000000..4dce838d1f --- /dev/null +++ b/test/recipes/91-test_pkey_check.t @@ -0,0 +1,61 @@ +#! /usr/bin/env perl +# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use strict; +use warnings; + +use File::Spec; +use OpenSSL::Test qw/:DEFAULT data_file/; +use OpenSSL::Test::Utils; + +sub check_key { + my $f = shift; + + return run(app(['openssl', 'pkey', '-check', '-text', + '-in', $f])); +} + +sub check_key_notok { + my $f = shift; + my $str = "$f should fail validation"; + + $f = data_file($f); + + if ( -s $f ) { + ok(!check_key($f), $str); + } else { + fail("Missing file $f"); + } +} + +setup("test_pkey_check"); + +my @tests = (); + +push(@tests, ( + # For EC keys the range for the secret scalar `k` is `1 <= k <= n-1` + "ec_p256_bad_0.pem", # `k` set to `n` (equivalent to `0 mod n`, invalid) + "ec_p256_bad_1.pem", # `k` set to `n+1` (equivalent to `1 mod n`, invalid) + )) unless disabled("ec"); + +push(@tests, ( + # For SM2 keys the range for the secret scalar `k` is `1 <= k < n-1` + "sm2_bad_neg1.pem", # `k` set to `n-1` (invalid, because SM2 range) + "sm2_bad_0.pem", # `k` set to `n` (equivalent to `0 mod n`, invalid) + "sm2_bad_1.pem", # `k` set to `n+1` (equivalent to `1 mod n`, invalid) + )) unless disabled("sm2"); + +plan skip_all => "No tests within the current enabled feature set" + unless @tests; + +plan tests => scalar(@tests); + +foreach my $t (@tests) { + check_key_notok($t); +} diff --git a/test/recipes/91-test_pkey_check_data/ec_p256_bad_0.pem b/test/recipes/91-test_pkey_check_data/ec_p256_bad_0.pem new file mode 100644 index 0000000000..64c273901f --- /dev/null +++ b/test/recipes/91-test_pkey_check_data/ec_p256_bad_0.pem @@ -0,0 +1,4 @@ +-----BEGIN PRIVATE KEY----- +MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCD/////AAAAAP////// +////vOb6racXnoTzucrC/GMlUQ== +-----END PRIVATE KEY----- diff --git a/test/recipes/91-test_pkey_check_data/ec_p256_bad_1.pem b/test/recipes/91-test_pkey_check_data/ec_p256_bad_1.pem new file mode 100644 index 0000000000..5171958a27 --- /dev/null +++ b/test/recipes/91-test_pkey_check_data/ec_p256_bad_1.pem @@ -0,0 +1,4 @@ +-----BEGIN PRIVATE KEY----- +MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCD/////AAAAAP////// +////vOb6racXnoTzucrC/GMlUg== +-----END PRIVATE KEY----- diff --git a/test/recipes/91-test_pkey_check_data/sm2_bad_0.pem b/test/recipes/91-test_pkey_check_data/sm2_bad_0.pem new file mode 100644 index 0000000000..5ad2bd184b --- /dev/null +++ b/test/recipes/91-test_pkey_check_data/sm2_bad_0.pem @@ -0,0 +1,4 @@ +-----BEGIN PRIVATE KEY----- +MEECAQAwEwYHKoZIzj0CAQYIKoEcz1UBgi0EJzAlAgEBBCD////+//////////// +////cgPfayHGBStTu/QJOdVBIw== +-----END PRIVATE KEY----- diff --git a/test/recipes/91-test_pkey_check_data/sm2_bad_1.pem b/test/recipes/91-test_pkey_check_data/sm2_bad_1.pem new file mode 100644 index 0000000000..d094d4d296 --- /dev/null +++ b/test/recipes/91-test_pkey_check_data/sm2_bad_1.pem @@ -0,0 +1,4 @@ +-----BEGIN PRIVATE KEY----- +MEECAQAwEwYHKoZIzj0CAQYIKoEcz1UBgi0EJzAlAgEBBCD////+//////////// +////cgPfayHGBStTu/QJOdVBJA== +-----END PRIVATE KEY----- diff --git a/test/recipes/91-test_pkey_check_data/sm2_bad_neg1.pem b/test/recipes/91-test_pkey_check_data/sm2_bad_neg1.pem new file mode 100644 index 0000000000..36adb93fb9 --- /dev/null +++ b/test/recipes/91-test_pkey_check_data/sm2_bad_neg1.pem @@ -0,0 +1,4 @@ +-----BEGIN PRIVATE KEY----- +MEECAQAwEwYHKoZIzj0CAQYIKoEcz1UBgi0EJzAlAgEBBCD////+////////////////cgPfayHG +BStTu/QJOdVBIg== +-----END PRIVATE KEY----- From no-reply at appveyor.com Fri Jan 8 22:24:07 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 08 Jan 2021 22:24:07 +0000 Subject: Build failed: openssl master.39042 Message-ID: <20210108222407.1.CC8DCF1E0DBD7863@appveyor.com> An HTML attachment was scrubbed... URL: From nic.tuv at gmail.com Fri Jan 8 22:26:12 2021 From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Fri, 08 Jan 2021 22:26:12 +0000 Subject: [openssl] master update Message-ID: <1610144772.278100.32512.nullmailer@dev.openssl.org> The branch master has been updated via 6d4313f03eddd39ca8d06a5e1d20fc1adcb207c5 (commit) from 1330093b9c7e0325ca76589fb9ace5b664830c6d (commit) - Log ----------------------------------------------------------------- commit 6d4313f03eddd39ca8d06a5e1d20fc1adcb207c5 Author: Thomas De Schampheleire Date: Mon Dec 21 15:17:24 2020 +0100 replace 'unsigned const char' with 'const unsigned char' The openssl code base has only a few occurrences of 'unsigned const char' (15 occurrences), compared to the more common 'const unsigned char' (4420 occurrences). While the former is not illegal C, mixing the 'const' keyword (a 'type qualifier') in between 'unsigned' and 'char' (both 'type specifiers') is a bit odd. The background for writing this patch is not to be pedantic, but because the 'opmock' program (used to mock headers for unit tests) does not accept the 'unsigned const char' construct. While this definitely is a bug in opmock or one of its dependencies, openssl is the only piece of software we are using in combination with opmock that has this construct. CLA: trivial Reviewed-by: Nicola Tuveri Reviewed-by: Matt Caswell Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/13722) ----------------------------------------------------------------------- Summary of changes: apps/passwd.c | 12 ++++++------ crypto/des/fcrypt.c | 4 ++-- doc/man3/SSL_CTX_dane_enable.pod | 4 ++-- include/openssl/ssl.h.in | 4 ++-- ssl/ssl_lib.c | 6 +++--- 5 files changed, 15 insertions(+), 15 deletions(-) diff --git a/apps/passwd.c b/apps/passwd.c index c39254460d..6673040273 100644 --- a/apps/passwd.c +++ b/apps/passwd.c @@ -22,7 +22,7 @@ #include #include -static unsigned const char cov_2char[64] = { +static const unsigned char cov_2char[64] = { /* from crypto/des/fcrypt.c */ 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x41, 0x42, 0x43, 0x44, @@ -413,7 +413,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt) if (!EVP_DigestInit_ex(md2, EVP_md5(), NULL)) goto err; if (!EVP_DigestUpdate(md2, - (i & 1) ? (unsigned const char *)passwd : buf, + (i & 1) ? (const unsigned char *)passwd : buf, (i & 1) ? passwd_len : sizeof(buf))) goto err; if (i % 3) { @@ -425,7 +425,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt) goto err; } if (!EVP_DigestUpdate(md2, - (i & 1) ? buf : (unsigned const char *)passwd, + (i & 1) ? buf : (const unsigned char *)passwd, (i & 1) ? sizeof(buf) : passwd_len)) goto err; if (!EVP_DigestFinal_ex(md2, buf, NULL)) @@ -627,7 +627,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt) n = passwd_len; while (n) { if (!EVP_DigestUpdate(md, - (n & 1) ? buf : (unsigned const char *)passwd, + (n & 1) ? buf : (const unsigned char *)passwd, (n & 1) ? buf_size : passwd_len)) goto err; n >>= 1; @@ -673,7 +673,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt) if (!EVP_DigestInit_ex(md2, sha, NULL)) goto err; if (!EVP_DigestUpdate(md2, - (n & 1) ? (unsigned const char *)p_bytes : buf, + (n & 1) ? (const unsigned char *)p_bytes : buf, (n & 1) ? passwd_len : buf_size)) goto err; if (n % 3) { @@ -685,7 +685,7 @@ static char *shacrypt(const char *passwd, const char *magic, const char *salt) goto err; } if (!EVP_DigestUpdate(md2, - (n & 1) ? buf : (unsigned const char *)p_bytes, + (n & 1) ? buf : (const unsigned char *)p_bytes, (n & 1) ? buf_size : passwd_len)) goto err; if (!EVP_DigestFinal_ex(md2, buf, NULL)) diff --git a/crypto/des/fcrypt.c b/crypto/des/fcrypt.c index 0b181fda3b..190a44dbdf 100644 --- a/crypto/des/fcrypt.c +++ b/crypto/des/fcrypt.c @@ -31,7 +31,7 @@ * Added more values to handle illegal salt values the way normal crypt() * implementations do. */ -static unsigned const char con_salt[128] = { +static const unsigned char con_salt[128] = { 0xD2, 0xD3, 0xD4, 0xD5, 0xD6, 0xD7, 0xD8, 0xD9, 0xDA, 0xDB, 0xDC, 0xDD, 0xDE, 0xDF, 0xE0, 0xE1, 0xE2, 0xE3, 0xE4, 0xE5, 0xE6, 0xE7, 0xE8, 0xE9, @@ -50,7 +50,7 @@ static unsigned const char con_salt[128] = { 0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44, }; -static unsigned const char cov_2char[64] = { +static const unsigned char cov_2char[64] = { 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, diff --git a/doc/man3/SSL_CTX_dane_enable.pod b/doc/man3/SSL_CTX_dane_enable.pod index e886325191..72fd1bf883 100644 --- a/doc/man3/SSL_CTX_dane_enable.pod +++ b/doc/man3/SSL_CTX_dane_enable.pod @@ -18,10 +18,10 @@ TLS client uint8_t mtype, uint8_t ord); int SSL_dane_enable(SSL *s, const char *basedomain); int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector, - uint8_t mtype, unsigned const char *data, size_t dlen); + uint8_t mtype, const unsigned char *data, size_t dlen); int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki); int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector, - uint8_t *mtype, unsigned const char **data, + uint8_t *mtype, const unsigned char **data, size_t *dlen); unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags); unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags); diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in index 4e5d50bd6d..0025a2a8cd 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -1810,10 +1810,10 @@ __owur int SSL_CTX_dane_mtype_set(SSL_CTX *ctx, const EVP_MD *md, uint8_t mtype, uint8_t ord); __owur int SSL_dane_enable(SSL *s, const char *basedomain); __owur int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector, - uint8_t mtype, unsigned const char *data, size_t dlen); + uint8_t mtype, const unsigned char *data, size_t dlen); __owur int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki); __owur int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector, - uint8_t *mtype, unsigned const char **data, + uint8_t *mtype, const unsigned char **data, size_t *dlen); /* * Bridge opacity barrier between libcrypt and libssl, also needed to support diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index d14d5819ba..a8a1416073 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -269,7 +269,7 @@ static const EVP_MD *tlsa_md_get(SSL_DANE *dane, uint8_t mtype) static int dane_tlsa_add(SSL_DANE *dane, uint8_t usage, uint8_t selector, - uint8_t mtype, unsigned const char *data, size_t dlen) + uint8_t mtype, const unsigned char *data, size_t dlen) { danetls_record *t; const EVP_MD *md = NULL; @@ -1099,7 +1099,7 @@ int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki) } int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector, - uint8_t *mtype, unsigned const char **data, size_t *dlen) + uint8_t *mtype, const unsigned char **data, size_t *dlen) { SSL_DANE *dane = &s->dane; @@ -1126,7 +1126,7 @@ SSL_DANE *SSL_get0_dane(SSL *s) } int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector, - uint8_t mtype, unsigned const char *data, size_t dlen) + uint8_t mtype, const unsigned char *data, size_t dlen) { return dane_tlsa_add(&s->dane, usage, selector, mtype, data, dlen); } From nic.tuv at gmail.com Fri Jan 8 22:40:05 2021 From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Fri, 08 Jan 2021 22:40:05 +0000 Subject: [openssl] master update Message-ID: <1610145605.400650.21203.nullmailer@dev.openssl.org> The branch master has been updated via 732e24bb14ea9c4f68b8c9cd2bf605e0bd6b498e (commit) from 6d4313f03eddd39ca8d06a5e1d20fc1adcb207c5 (commit) - Log ----------------------------------------------------------------- commit 732e24bb14ea9c4f68b8c9cd2bf605e0bd6b498e Author: Romain Geissler Date: Thu Jan 7 16:54:58 2021 +0000 Fix simpledynamic test compilation when condigured without DSO support. This fixes this compilation error: In file included from test/simpledynamic.c:13: test/simpledynamic.h:39:35: error: unknown type name 'SD' 39 | int sd_load(const char *filename, SD *sd, int type); | ^~ test/simpledynamic.h:40:12: error: unknown type name 'SD' 40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym); | ^~ test/simpledynamic.h:40:40: error: unknown type name 'SD_SYM' 40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym); | ^~~~~~ test/simpledynamic.h:41:14: error: unknown type name 'SD' 41 | int sd_close(SD lib); | ^~ make[1]: *** [Makefile:24670: test/moduleloadtest-bin-simpledynamic.o] Error 1 make[1]: *** Waiting for unfinished jobs.... In file included from test/moduleloadtest.c:19: test/simpledynamic.h:39:35: error: unknown type name 'SD' 39 | int sd_load(const char *filename, SD *sd, int type); | ^~ test/simpledynamic.h:40:12: error: unknown type name 'SD' 40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym); | ^~ test/simpledynamic.h:40:40: error: unknown type name 'SD_SYM' 40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym); | ^~~~~~ test/simpledynamic.h:41:14: error: unknown type name 'SD' 41 | int sd_close(SD lib); | ^~ Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13802) ----------------------------------------------------------------------- Summary of changes: test/simpledynamic.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/simpledynamic.h b/test/simpledynamic.h index cc4aed5c43..247b49f7fe 100644 --- a/test/simpledynamic.h +++ b/test/simpledynamic.h @@ -36,9 +36,11 @@ typedef void *SD_SYM; # endif +# if defined(DSO_DLFCN) || defined(DSO_WIN32) int sd_load(const char *filename, SD *sd, int type); int sd_sym(SD sd, const char *symname, SD_SYM *sym); int sd_close(SD lib); const char *sd_error(void); +# endif #endif From nic.tuv at gmail.com Fri Jan 8 23:15:27 2021 From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Fri, 08 Jan 2021 23:15:27 +0000 Subject: [openssl] master update Message-ID: <1610147727.789272.27894.nullmailer@dev.openssl.org> The branch master has been updated via 42141197a107ef9cd297a7755fece569b84016b8 (commit) from 732e24bb14ea9c4f68b8c9cd2bf605e0bd6b498e (commit) - Log ----------------------------------------------------------------- commit 42141197a107ef9cd297a7755fece569b84016b8 Author: anupamam13 Date: Mon Nov 2 17:50:11 2020 +0530 Fix for negative return value from `SSL_CTX_sess_accept()` Fixes #13183 From the original issue report, before this commit, on master and on 1.1.1, the issue can be detected with the following steps: - Start with a default SSL_CTX, initiate a TLS 1.3 connection with SNI, "Accept" count of default context gets incremented - After servername lookup, "Accept" count of default context gets decremented and that of SNI context is incremented - Server sends a "Hello Retry Request" - Client sends the second "Client Hello", now again "Accept" count of default context is decremented. Hence giving a negative value. This commit fixes it by adding a check on `s->hello_retry_request` in addition to `SSL_IS_FIRST_HANDSHAKE(s)`, to ensure the counter is moved only on the first ClientHello. CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13297) ----------------------------------------------------------------------- Summary of changes: ssl/statem/extensions.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index a4e60d417c..7b42016d59 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -957,7 +957,8 @@ static int final_server_name(SSL *s, unsigned int context, int sent) * context, to avoid the confusing situation of having sess_accept_good * exceed sess_accept (zero) for the new context. */ - if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) { + if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx + && s->hello_retry_request == SSL_HRR_NONE) { tsan_counter(&s->ctx->stats.sess_accept); tsan_decr(&s->session_ctx->stats.sess_accept); } From nic.tuv at gmail.com Fri Jan 8 23:17:13 2021 From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Fri, 08 Jan 2021 23:17:13 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1610147833.419389.29244.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 212d7118a788e332dae4123d40f65ea6e24044d2 (commit) from 37d9e3d7fdfbe7713adcdeca55b1303c6ad8dc12 (commit) - Log ----------------------------------------------------------------- commit 212d7118a788e332dae4123d40f65ea6e24044d2 Author: anupamam13 Date: Mon Nov 2 17:50:11 2020 +0530 Fix for negative return value from `SSL_CTX_sess_accept()` Fixes #13183 From the original issue report, before this commit, on master and on 1.1.1, the issue can be detected with the following steps: - Start with a default SSL_CTX, initiate a TLS 1.3 connection with SNI, "Accept" count of default context gets incremented - After servername lookup, "Accept" count of default context gets decremented and that of SNI context is incremented - Server sends a "Hello Retry Request" - Client sends the second "Client Hello", now again "Accept" count of default context is decremented. Hence giving a negative value. This commit fixes it by adding a check on `s->hello_retry_request` in addition to `SSL_IS_FIRST_HANDSHAKE(s)`, to ensure the counter is moved only on the first ClientHello. CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13297) ----------------------------------------------------------------------- Summary of changes: ssl/statem/extensions.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index c785ab785d..e24b1b0e4d 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -966,7 +966,8 @@ static int final_server_name(SSL *s, unsigned int context, int sent) * context, to avoid the confusing situation of having sess_accept_good * exceed sess_accept (zero) for the new context. */ - if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) { + if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx + && s->hello_retry_request == SSL_HRR_NONE) { tsan_counter(&s->ctx->stats.sess_accept); tsan_decr(&s->session_ctx->stats.sess_accept); } From openssl at openssl.org Fri Jan 8 23:21:08 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 08 Jan 2021 23:21:08 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method Message-ID: <1610148068.808519.1427330.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: e260bee0a9 Only perform special TLS handling if TLS has been configured 7c0e98a5c4 Mac M1 setting change proposal. 7fd1ca723a Support session information on FreeBSD. b39c215dec Use CRIOGET to fetch a crypto descriptor when present. 3497cc8776 Updated SSL_CTX_new doc b043c41c00 28-seclevel.cnf.in: fix typo in algo name b2d1465153 EVP_SIGNATURE-ED25519.pod: fix typo in algo name 2c61a670eb win-onecore: Build with /APPCONTAINER for UWP compat ce11192650 crypto/win: Don't use disallowed APIs on UWP 38b57c4c52 Update copyright years of auto-generated headers (make update) Build log ended with (last 100 lines): # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8041A8F0FA7F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8041A8F0FA7F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:610:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/mYhhqxdo1_ default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8021C885577F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8021C885577F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8021C885577F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8021C885577F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8021C885577F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8021C885577F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6463 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/mYhhqxdo1_ fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=227, Tests=3559, 835 wallclock secs (13.91 usr 1.39 sys + 742.93 cusr 87.80 csys = 846.03 CPU) Result: FAIL make[1]: *** [Makefile:3253: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2-method' make: *** [Makefile:3250: tests] Error 2 From no-reply at appveyor.com Fri Jan 8 23:34:25 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 08 Jan 2021 23:34:25 +0000 Subject: Build completed: openssl master.39043 Message-ID: <20210108233425.1.E552EFA8365723F1@appveyor.com> An HTML attachment was scrubbed... URL: From beldmit at gmail.com Sat Jan 9 17:24:26 2021 From: beldmit at gmail.com (beldmit at gmail.com) Date: Sat, 09 Jan 2021 17:24:26 +0000 Subject: [openssl] master update Message-ID: <1610213066.364291.31359.nullmailer@dev.openssl.org> The branch master has been updated via e211d949cd5737e53cd3399e6a88453930768b98 (commit) from 42141197a107ef9cd297a7755fece569b84016b8 (commit) - Log ----------------------------------------------------------------- commit e211d949cd5737e53cd3399e6a88453930768b98 Author: Sahana Prasad Date: Fri Jan 8 16:26:21 2021 +0100 doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code. Signed-off-by: Sahana Prasad Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/13814) ----------------------------------------------------------------------- Summary of changes: doc/man7/provider.pod | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/doc/man7/provider.pod b/doc/man7/provider.pod index 2eb396fad3..18a80eff5a 100644 --- a/doc/man7/provider.pod +++ b/doc/man7/provider.pod @@ -324,34 +324,34 @@ Fetch any available implementation of SHA2-256 in the default context: EVP_MD *md = EVP_MD_fetch(NULL, "SHA2-256", NULL); ... - EVP_MD_meth_free(md); + EVP_MD_free(md); Fetch any available implementation of AES-128-CBC in the default context: EVP_CIPHER *cipher = EVP_CIPHER_fetch(NULL, "AES-128-CBC", NULL); ... - EVP_CIPHER_meth_free(cipher); + EVP_CIPHER_free(cipher); Fetch an implementation of SHA2-256 from the default provider in the default context: EVP_MD *md = EVP_MD_fetch(NULL, "SHA2-256", "provider=default"); ... - EVP_MD_meth_free(md); + EVP_MD_free(md); Fetch an implementation of SHA2-256 that is not from the default provider in the default context: EVP_MD *md = EVP_MD_fetch(NULL, "SHA2-256", "provider!=default"); ... - EVP_MD_meth_free(md); + EVP_MD_free(md); Fetch an implementation of SHA2-256 from the default provider in the specified context: EVP_MD *md = EVP_MD_fetch(ctx, "SHA2-256", "provider=default"); ... - EVP_MD_meth_free(md); + EVP_MD_free(md); Load the legacy provider into the default context and then fetch an implementation of WHIRLPOOL from it: @@ -361,7 +361,7 @@ implementation of WHIRLPOOL from it: EVP_MD *md = EVP_MD_fetch(NULL, "WHIRLPOOL", "provider=legacy"); ... - EVP_MD_meth_free(md); + EVP_MD_free(md); Note that in the above example the property string "provider=legacy" is optional since, assuming no other providers have been loaded, the only implementation of @@ -376,8 +376,8 @@ other providers: EVP_MD *md_whirlpool = EVP_MD_fetch(NULL, "whirlpool", NULL); EVP_MD *md_sha256 = EVP_MD_fetch(NULL, "SHA2-256", NULL); ... - EVP_MD_meth_free(md_whirlpool); - EVP_MD_meth_free(md_sha256); + EVP_MD_free(md_whirlpool); + EVP_MD_free(md_sha256); =head1 SEE ALSO From scan-admin at coverity.com Sun Jan 10 07:50:18 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 10 Jan 2021 07:50:18 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <5ffab1b9e912a_458922ade9bab2f58686eb@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DsGXX_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFujZ1lz0noQIDRODCPOfT2gslJFX5VTxA9O8tqtayO382k4vT-2B-2FJjz6r8oZdkZil2QpR10K9od-2BCVps4rQgXF08wgdOfiXw8cQ4cCa-2BNp9CmKm8sTOs1TNMNV3Rjn7dU6XmnY-2BbKxZvi3plSFWyEJu5FfCTKusbXxktLokOu8kRPoDzFtmgu-2BV5DCBQASm7lQ-3D Build ID: 362876 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Sun Jan 10 07:53:29 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 10 Jan 2021 07:53:29 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <5ffab2794a667_45a402ade9bab2f586861b@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DVEWn_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeE-2FLts1UuKG3YgAU4l0DWSxQgNC63xqIZKzB29uyx8oVFk8LcbMvOuKdWAKt-2BY-2F3x4tXjaQPYbVkDqDNyw-2BctpW0-2BIDUEqXgThsEK1t9es627mhHRSjyjrYJPV5-2FvOUgu5ENADBrv1DPrYrN6Z9HiJLj433tw0-2FldxKrPa6NDhWAkfzqij9YiJ-2B-2BYeH4j6UogY-3D Build ID: 362875 Analysis Summary: New defects found: 0 Defects eliminated: 0 From nic.tuv at gmail.com Sun Jan 10 20:10:10 2021 From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Sun, 10 Jan 2021 20:10:10 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1610309410.672117.10958.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 6e3ba20dc49ccbf12ff4c27a4d8b84dcbeb71654 (commit) from 212d7118a788e332dae4123d40f65ea6e24044d2 (commit) - Log ----------------------------------------------------------------- commit 6e3ba20dc49ccbf12ff4c27a4d8b84dcbeb71654 Author: Billy Brumley Date: Fri Jan 8 13:45:49 2021 +0200 [crypto/dh] side channel hardening for computing DH shared keys (1.1.1) Reviewed-by: Tomas Mraz Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/13772) ----------------------------------------------------------------------- Summary of changes: crypto/dh/dh_key.c | 31 +++++++++++++++++++++++++++++-- doc/man3/DH_generate_key.pod | 25 +++++++++++++++++++++---- 2 files changed, 50 insertions(+), 6 deletions(-) diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index daffdf74dd..ccf51b3546 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -25,18 +25,45 @@ int DH_generate_key(DH *dh) return dh->meth->generate_key(dh); } +/*- + * NB: This function is inherently not constant time due to the + * RFC 5246 (8.1.2) padding style that strips leading zero bytes. + */ int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) { - return dh->meth->compute_key(key, pub_key, dh); + int ret = 0, i; + volatile size_t npad = 0, mask = 1; + + /* compute the key; ret is constant unless compute_key is external */ + if ((ret = dh->meth->compute_key(key, pub_key, dh)) <= 0) + return ret; + + /* count leading zero bytes, yet still touch all bytes */ + for (i = 0; i < ret; i++) { + mask &= !key[i]; + npad += mask; + } + + /* unpad key */ + ret -= npad; + /* key-dependent memory access, potentially leaking npad / ret */ + memmove(key, key + npad, ret); + /* key-dependent memory access, potentially leaking npad / ret */ + memset(key + ret, 0, npad); + + return ret; } int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh) { int rv, pad; + + /* rv is constant unless compute_key is external */ rv = dh->meth->compute_key(key, pub_key, dh); if (rv <= 0) return rv; pad = BN_num_bytes(dh->p) - rv; + /* pad is constant (zero) unless compute_key is external */ if (pad > 0) { memmove(key + pad, key, rv); memset(key, 0, pad); @@ -212,7 +239,7 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) goto err; } - ret = BN_bn2bin(tmp, key); + ret = BN_bn2binpad(tmp, key, BN_num_bytes(dh->p)); err: BN_CTX_end(ctx); BN_CTX_free(ctx); diff --git a/doc/man3/DH_generate_key.pod b/doc/man3/DH_generate_key.pod index 297e7fbf47..fab14d77e8 100644 --- a/doc/man3/DH_generate_key.pod +++ b/doc/man3/DH_generate_key.pod @@ -2,7 +2,8 @@ =head1 NAME -DH_generate_key, DH_compute_key - perform Diffie-Hellman key exchange +DH_generate_key, DH_compute_key, DH_compute_key_padded - perform +Diffie-Hellman key exchange =head1 SYNOPSIS @@ -10,14 +11,16 @@ DH_generate_key, DH_compute_key - perform Diffie-Hellman key exchange int DH_generate_key(DH *dh); - int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh); + int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); + + int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh); =head1 DESCRIPTION DH_generate_key() performs the first step of a Diffie-Hellman key exchange by generating private and public DH values. By calling -DH_compute_key(), these are combined with the other party's public -value to compute the shared key. +DH_compute_key() or DH_compute_key_padded(), these are combined with +the other party's public value to compute the shared key. DH_generate_key() expects B to contain the shared parameters Bp> and Bg>. It generates a random private DH value @@ -28,6 +31,14 @@ published. DH_compute_key() computes the shared secret from the private DH value in B and the other party's public value in B and stores it in B. B must point to B bytes of memory. +The padding style is RFC 5246 (8.1.2) that strips leading zero bytes. +It is not constant time due to the leading zero bytes being stripped. +The return value should be considered public. + +DH_compute_key_padded() is similar but stores a fixed number of bytes. +The padding style is NIST SP 800-56A (C.1) that retains leading zero bytes. +It is constant time due to the leading zero bytes being retained. +The return value should be considered public. =head1 RETURN VALUES @@ -36,12 +47,18 @@ DH_generate_key() returns 1 on success, 0 otherwise. DH_compute_key() returns the size of the shared secret on success, -1 on error. +DH_compute_key_padded() returns B on success, -1 on error. + The error codes can be obtained by L. =head1 SEE ALSO L, L, L, L +=head1 HISTORY + +DH_compute_key_padded() was added in OpenSSL 1.0.2. + =head1 COPYRIGHT Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. From openssl at openssl.org Mon Jan 11 01:02:23 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 11 Jan 2021 01:02:23 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm Message-ID: <1610326943.961679.2072330.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-asm Commit log since last time: e211d949cd doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code. 42141197a1 Fix for negative return value from `SSL_CTX_sess_accept()` 732e24bb14 Fix simpledynamic test compilation when condigured without DSO support. 6d4313f03e replace 'unsigned const char' with 'const unsigned char' 1330093b9c [test][pkey_check] Add more invalid SM2 key tests 9e49aff2aa Add SM2 private key range validation 4554988e58 [test][pkey_check] Add invalid SM2 key test ed37336b63 [apps/pkey] Return error on failed `-[pub]check` c5bc5ec849 [test] Add `pkey -check` validation tests becbacd705 Adding TLS group name retrieval 22aa4a3afb [crypto/dh] side channel hardening for computing DH shared keys d0afb30ef3 Ensure DTLS free functions can handle NULL 3d0b6494d5 Remove extra space. 981b4b9572 Fixed error and return code. 1c47539a23 Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites. c1e8a0c66e Fix set_ciphersuites ignore unknown ciphers. a86add03ab Prepare for 3.0 alpha 11 cae118f938 Prepare for release of 3.0 alpha 10 bd0c71298a Update copyright year Build log ended with (last 100 lines): 30-test_evp_extra.t ................ ok 30-test_evp_fetch_prov.t ........... ok 30-test_evp_kdf.t .................. ok 30-test_evp_libctx.t ............... ok 30-test_evp_pkey_dparam.t .......... ok 30-test_evp_pkey_provided.t ........ ok 30-test_pbelu.t .................... ok 30-test_pkey_meth.t ................ ok 30-test_pkey_meth_kdf.t ............ ok 30-test_provider_status.t .......... ok 40-test_rehash.t ................... ok 60-test_x509_check_cert_pkey.t ..... ok 60-test_x509_dup_cert.t ............ ok 60-test_x509_store.t ............... ok 60-test_x509_time.t ................ ok 61-test_bio_prefix.t ............... ok 65-test_cmp_asn.t .................. ok 65-test_cmp_client.t ............... ok 65-test_cmp_ctx.t .................. ok 65-test_cmp_hdr.t .................. ok 65-test_cmp_msg.t .................. ok 65-test_cmp_protect.t .............. ok 65-test_cmp_server.t ............... ok 65-test_cmp_status.t ............... ok 65-test_cmp_vfy.t .................. ok 66-test_ossl_store.t ............... ok 70-test_asyncio.t .................. ok 70-test_bad_dtls.t ................. ok 70-test_clienthello.t .............. ok 70-test_comp.t ..................... ok 70-test_key_share.t ................ ok 70-test_packet.t ................... ok 70-test_recordlen.t ................ ok 70-test_renegotiation.t ............ ok 70-test_servername.t ............... ok 70-test_sslcbcpadding.t ............ ok 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok make: *** [Makefile:3249: tests] Terminated make[1]: *** wait: No child processes. Stop. make[1]: *** Waiting for unfinished jobs.... make[1]: *** wait: No child processes. Stop. From openssl at openssl.org Mon Jan 11 01:53:55 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 11 Jan 2021 01:53:55 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit Message-ID: <1610330035.478823.2181685.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: e211d949cd doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code. 42141197a1 Fix for negative return value from `SSL_CTX_sess_accept()` 732e24bb14 Fix simpledynamic test compilation when condigured without DSO support. 6d4313f03e replace 'unsigned const char' with 'const unsigned char' 1330093b9c [test][pkey_check] Add more invalid SM2 key tests 9e49aff2aa Add SM2 private key range validation 4554988e58 [test][pkey_check] Add invalid SM2 key test ed37336b63 [apps/pkey] Return error on failed `-[pub]check` c5bc5ec849 [test] Add `pkey -check` validation tests becbacd705 Adding TLS group name retrieval 22aa4a3afb [crypto/dh] side channel hardening for computing DH shared keys d0afb30ef3 Ensure DTLS free functions can handle NULL 3d0b6494d5 Remove extra space. 981b4b9572 Fixed error and return code. 1c47539a23 Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites. c1e8a0c66e Fix set_ciphersuites ignore unknown ciphers. a86add03ab Prepare for 3.0 alpha 11 cae118f938 Prepare for release of 3.0 alpha 10 bd0c71298a Update copyright year Build log ended with (last 100 lines): 70-test_sslcbcpadding.t ............ ok 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 04-test_err.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=228, Tests=3428, 894 wallclock secs (14.47 usr 1.47 sys + 804.50 cusr 84.66 csys = 905.10 CPU) Result: FAIL make[1]: *** [Makefile:3276: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-autoerrinit' make: *** [Makefile:3273: tests] Error 2 From no-reply at appveyor.com Mon Jan 11 05:12:09 2021 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 11 Jan 2021 05:12:09 +0000 Subject: Build failed: openssl master.39067 Message-ID: <20210111051209.1.67AAEB171F68B36B@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Mon Jan 11 07:24:58 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 11 Jan 2021 07:24:58 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des Message-ID: <1610349898.921333.2888004.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: e211d949cd doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code. 42141197a1 Fix for negative return value from `SSL_CTX_sess_accept()` 732e24bb14 Fix simpledynamic test compilation when condigured without DSO support. 6d4313f03e replace 'unsigned const char' with 'const unsigned char' 1330093b9c [test][pkey_check] Add more invalid SM2 key tests 9e49aff2aa Add SM2 private key range validation 4554988e58 [test][pkey_check] Add invalid SM2 key test ed37336b63 [apps/pkey] Return error on failed `-[pub]check` c5bc5ec849 [test] Add `pkey -check` validation tests becbacd705 Adding TLS group name retrieval 22aa4a3afb [crypto/dh] side channel hardening for computing DH shared keys d0afb30ef3 Ensure DTLS free functions can handle NULL 3d0b6494d5 Remove extra space. 981b4b9572 Fixed error and return code. 1c47539a23 Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites. c1e8a0c66e Fix set_ciphersuites ignore unknown ciphers. a86add03ab Prepare for 3.0 alpha 11 cae118f938 Prepare for release of 3.0 alpha 10 bd0c71298a Update copyright year Build log ended with (last 100 lines): 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 30-test_evp.t (Wstat: 512 Tests: 90 Failed: 2) Failed tests: 14, 40 Non-zero exit status: 2 30-test_evp_kdf.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=228, Tests=3430, 889 wallclock secs (14.02 usr 1.41 sys + 798.32 cusr 86.37 csys = 900.12 CPU) Result: FAIL make[1]: *** [Makefile:3185: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-des' make: *** [Makefile:3182: tests] Error 2 From no-reply at appveyor.com Mon Jan 11 08:19:02 2021 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 11 Jan 2021 08:19:02 +0000 Subject: Build completed: openssl master.39068 Message-ID: <20210111081902.1.9D279A3F94CC0199@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Mon Jan 11 08:52:45 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 11 Jan 2021 08:52:45 +0000 Subject: SUCCESSFUL build of OpenSSL branch master with options -d --strict-warnings no-dso Message-ID: <1610355165.561403.3080852.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dso Commit log since last time: e211d949cd doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code. 42141197a1 Fix for negative return value from `SSL_CTX_sess_accept()` 732e24bb14 Fix simpledynamic test compilation when condigured without DSO support. 6d4313f03e replace 'unsigned const char' with 'const unsigned char' 1330093b9c [test][pkey_check] Add more invalid SM2 key tests 9e49aff2aa Add SM2 private key range validation 4554988e58 [test][pkey_check] Add invalid SM2 key test ed37336b63 [apps/pkey] Return error on failed `-[pub]check` c5bc5ec849 [test] Add `pkey -check` validation tests becbacd705 Adding TLS group name retrieval 22aa4a3afb [crypto/dh] side channel hardening for computing DH shared keys d0afb30ef3 Ensure DTLS free functions can handle NULL 3d0b6494d5 Remove extra space. 981b4b9572 Fixed error and return code. 1c47539a23 Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites. c1e8a0c66e Fix set_ciphersuites ignore unknown ciphers. a86add03ab Prepare for 3.0 alpha 11 cae118f938 Prepare for release of 3.0 alpha 10 bd0c71298a Update copyright year From dev at ddvo.net Mon Jan 11 18:36:08 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Mon, 11 Jan 2021 18:36:08 +0000 Subject: [openssl] master update Message-ID: <1610390168.312348.29975.nullmailer@dev.openssl.org> The branch master has been updated via 046a7aaa5e3c398b19fcdb5b486d57ab9c6ced30 (commit) via 1f7643e86e7dfdc559092fe4a467bad2ce86f6f2 (commit) via 475d10028e57ae0987911af580f0de8d701325ec (commit) via 400e2acfe0bae9aec1f9df50fa51f6b7cf8ad779 (commit) from e211d949cd5737e53cd3399e6a88453930768b98 (commit) - Log ----------------------------------------------------------------- commit 046a7aaa5e3c398b19fcdb5b486d57ab9c6ced30 Author: Dr. David von Oheimb Date: Tue Dec 22 10:28:03 2020 +0100 apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13712) commit 1f7643e86e7dfdc559092fe4a467bad2ce86f6f2 Author: Dr. David von Oheimb Date: Tue Dec 22 08:37:03 2020 +0100 apps/pkey.c: Re-order help output and option documentation Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13712) commit 475d10028e57ae0987911af580f0de8d701325ec Author: Dr. David von Oheimb Date: Tue Dec 15 14:30:38 2020 +0100 apps/pkey.c: Make clear that -passout is not supported for DER output Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13712) commit 400e2acfe0bae9aec1f9df50fa51f6b7cf8ad779 Author: Dr. David von Oheimb Date: Thu Dec 10 17:10:52 2020 +0100 apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13712) ----------------------------------------------------------------------- Summary of changes: apps/lib/apps.c | 8 +-- apps/pkey.c | 94 ++++++++++++++++++----------- doc/man1/openssl-pkey.pod.in | 141 ++++++++++++++++++++++++++----------------- 3 files changed, 147 insertions(+), 96 deletions(-) diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 1998a8bc2f..457dac87bc 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -469,10 +469,10 @@ CONF *app_load_config_modules(const char *configfile) return conf; } -#define IS_HTTP(uri) \ - (strncmp(uri, OSSL_HTTP_PREFIX, strlen(OSSL_HTTP_PREFIX)) == 0) -#define IS_HTTPS(uri) \ - (strncmp(uri, OSSL_HTTPS_PREFIX, strlen(OSSL_HTTPS_PREFIX)) == 0) +#define IS_HTTP(uri) ((uri) != NULL \ + && strncmp(uri, OSSL_HTTP_PREFIX, strlen(OSSL_HTTP_PREFIX)) == 0) +#define IS_HTTPS(uri) ((uri) != NULL \ + && strncmp(uri, OSSL_HTTPS_PREFIX, strlen(OSSL_HTTPS_PREFIX)) == 0) X509 *load_cert_pass(const char *uri, int maybe_stdin, const char *pass, const char *desc) diff --git a/apps/pkey.c b/apps/pkey.c index 67dc8c012c..5d12cc059a 100644 --- a/apps/pkey.c +++ b/apps/pkey.c @@ -36,7 +36,7 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_INFORM, OPT_OUTFORM, OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE, OPT_IN, OPT_OUT, OPT_PUBIN, OPT_PUBOUT, OPT_TEXT_PUB, - OPT_TEXT, OPT_NOOUT, OPT_MD, OPT_TRADITIONAL, OPT_CHECK, OPT_PUB_CHECK, + OPT_TEXT, OPT_NOOUT, OPT_CIPHER, OPT_TRADITIONAL, OPT_CHECK, OPT_PUB_CHECK, OPT_EC_PARAM_ENC, OPT_EC_CONV_FORM, OPT_PROV_ENUM } OPTION_CHOICE; @@ -47,33 +47,36 @@ const OPTIONS pkey_options[] = { #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif + OPT_PROV_OPTIONS, + {"check", OPT_CHECK, '-', "Check key consistency"}, {"pubcheck", OPT_PUB_CHECK, '-', "Check public key consistency"}, - {"", OPT_MD, '-', "Any supported cipher"}, - {"ec_param_enc", OPT_EC_PARAM_ENC, 's', - "Specifies the way the ec parameters are encoded"}, - {"ec_conv_form", OPT_EC_CONV_FORM, 's', - "Specifies the point conversion form "}, OPT_SECTION("Input"), {"in", OPT_IN, 's', "Input key"}, - {"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)"}, - {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"inform", OPT_INFORM, 'f', + "Key input format (ENGINE, other values ignored)"}, + {"passin", OPT_PASSIN, 's', "Key input pass phrase source"}, {"pubin", OPT_PUBIN, '-', - "Read public key from input (default is private key)"}, - {"traditional", OPT_TRADITIONAL, '-', - "Use traditional format for private keys"}, + "Read only public components from key input"}, OPT_SECTION("Output"), - {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"}, - {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, - {"out", OPT_OUT, '>', "Output file"}, - {"pubout", OPT_PUBOUT, '-', "Output public key, not private"}, - {"text_pub", OPT_TEXT_PUB, '-', "Only output public key components"}, - {"text", OPT_TEXT, '-', "Output in plaintext as well"}, - {"noout", OPT_NOOUT, '-', "Don't output the key"}, + {"out", OPT_OUT, '>', "Output file for encoded and/or text output"}, + {"outform", OPT_OUTFORM, 'F', "Output encoding format (DER or PEM)"}, + {"", OPT_CIPHER, '-', "Any supported cipher to be used for encryption"}, + {"passout", OPT_PASSOUT, 's', "Output PEM file pass phrase source"}, + {"traditional", OPT_TRADITIONAL, '-', + "Use traditional format for private key PEM output"}, + {"pubout", OPT_PUBOUT, '-', "Restrict encoded output to public components"}, + {"noout", OPT_NOOUT, '-', "Do not output the key in encoded form"}, + {"text", OPT_TEXT, '-', "Output key components in plaintext"}, + {"text_pub", OPT_TEXT_PUB, '-', + "Output only public key components in text form"}, + {"ec_conv_form", OPT_EC_CONV_FORM, 's', + "Specifies the EC point conversion form in the encoding"}, + {"ec_param_enc", OPT_EC_PARAM_ENC, 's', + "Specifies the way the EC parameters are encoded"}, - OPT_PROV_OPTIONS, {NULL} }; @@ -88,7 +91,7 @@ int pkey_main(int argc, char **argv) char *passinarg = NULL, *passoutarg = NULL, *prog; OPTION_CHOICE o; int informat = FORMAT_PEM, outformat = FORMAT_PEM; - int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0, ret = 1; + int pubin = 0, pubout = 0, text_pub = 0, text = 0, noout = 0, ret = 1; int private = 0, traditional = 0, check = 0, pub_check = 0; #ifndef OPENSSL_NO_EC EC_KEY *eckey; @@ -133,13 +136,13 @@ int pkey_main(int argc, char **argv) outfile = opt_arg(); break; case OPT_PUBIN: - pubin = pubout = pubtext = 1; + pubin = pubout = 1; break; case OPT_PUBOUT: pubout = 1; break; case OPT_TEXT_PUB: - pubtext = text = 1; + text_pub = 1; break; case OPT_TEXT: text = 1; @@ -156,7 +159,7 @@ int pkey_main(int argc, char **argv) case OPT_PUB_CHECK: pub_check = 1; break; - case OPT_MD: + case OPT_CIPHER: if (!opt_cipher(opt_unknown(), &cipher)) goto opthelp; break; @@ -192,10 +195,28 @@ int pkey_main(int argc, char **argv) if (argc != 0) goto opthelp; - private = !noout && !pubout ? 1 : 0; - if (text && !pubtext) - private = 1; + if (noout && pubout) + BIO_printf(bio_err, + "Warning: The -pubout option is ignored with -noout\n"); + if (text && text_pub) + BIO_printf(bio_err, + "Warning: The -text option is ignored with -text_pub\n"); + if (traditional && (noout || outformat != FORMAT_PEM)) + BIO_printf(bio_err, + "Warning: The -traditional is ignored since there is no PEM output\n"); + private = (!noout && !pubout) || (text && !text_pub); + if (cipher == NULL) { + if (passoutarg != NULL) + BIO_printf(bio_err, + "Warning: The -passout option is ignored without a cipher option\n"); + } else { + if (noout || outformat != FORMAT_PEM) { + BIO_printf(bio_err, + "Error: Cipher options are supported only for PEM output\n"); + goto end; + } + } if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; @@ -283,6 +304,11 @@ int pkey_main(int argc, char **argv) } } } else if (outformat == FORMAT_ASN1) { + if (text || text_pub) { + BIO_printf(bio_err, + "Error: Text output cannot be combined with DER output\n"); + goto end; + } if (pubout) { if (!i2d_PUBKEY_bio(out, pkey)) goto end; @@ -297,15 +323,13 @@ int pkey_main(int argc, char **argv) } } - if (text) { - if (pubtext) { - if (EVP_PKEY_print_public(out, pkey, 0, NULL) <= 0) - goto end; - } else { - assert(private); - if (EVP_PKEY_print_private(out, pkey, 0, NULL) <= 0) - goto end; - } + if (text_pub) { + if (EVP_PKEY_print_public(out, pkey, 0, NULL) <= 0) + goto end; + } else if (text) { + assert(private); + if (EVP_PKEY_print_private(out, pkey, 0, NULL) <= 0) + goto end; } ret = 0; diff --git a/doc/man1/openssl-pkey.pod.in b/doc/man1/openssl-pkey.pod.in index 86597c9e36..df031fb258 100644 --- a/doc/man1/openssl-pkey.pod.in +++ b/doc/man1/openssl-pkey.pod.in @@ -13,118 +13,149 @@ openssl-pkey - public or private key processing command B B [B<-help>] -[B<-inform> B|B|B|B] -[B<-outform> B|B] +{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} +[B<-check>] +[B<-pubcheck>] [B<-in> I|I] +[B<-inform> B|B|B|B] [B<-passin> I] +[B<-pubin>] [B<-out> I] +[B<-outform> B|B] +[B<-I>] [B<-passout> I] [B<-traditional>] -[B<-I>] +[B<-pubout>] +[B<-noout>] [B<-text>] [B<-text_pub>] -[B<-noout>] -[B<-pubin>] -[B<-pubout>] -[B<-check>] -[B<-pubcheck>] [B<-ec_conv_form> I] [B<-ec_param_enc> I] -{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef engine =head1 DESCRIPTION This command processes public or private keys. They can be -converted between various forms and their components printed out. +converted between various forms and their components printed. =head1 OPTIONS +=head2 General options + =over 4 =item B<-help> Print out a usage message. +{- $OpenSSL::safe::opt_engine_item -} + +{- $OpenSSL::safe::opt_provider_item -} + +=item B<-check> + +This option checks the consistency of a key pair for both public and private +components. + +=item B<-pubcheck> + +This option checks the correctness of either a public key +or the public component of a key pair. + +=back + +=head2 Input options + +=over 4 + +=item B<-in> I|I + +This specifies the input to read a key from +or standard input if this option is not specified. +If the key input is encrypted and B<-passin> is not given +a pass phrase will be prompted for. + =item B<-inform> B|B|B|B The key input format; the default is B. The only value with effect is B; all others have become obsolete. See L for details. -=item B<-outform> B|B +=item B<-passin> I -The key output formats; the default is B. -See L for details. +The password source for the key input. -=item B<-in> I|I +For more information about the format of B +see L. -This specifies the input to read a key from or standard input if this -option is not specified. If the key is encrypted a pass phrase will be -prompted for. +=item B<-pubin> -=item B<-passin> I, B<-passout> I +By default a private key is read from the input. +With this option only the public components are read. -The password source for the input and output file. -For more information about the format of B -see L. +=back + +=head2 Output options + +=over 4 =item B<-out> I -This specifies the output filename to write a key to or standard output if this -option is not specified. If any encryption options are set then a pass phrase -will be prompted for. The output filename should B be the same as the input -filename. +This specifies the output filename to save the encoded and/or text output of key +or standard output if this option is not specified. +If any cipher option is set but no B<-passout> is given +then a pass phrase will be prompted for. +The output filename should B be the same as the input filename. -=item B<-traditional> +=item B<-outform> B|B -Normally a private key is written using standard format: this is PKCS#8 form -with the appropriate encryption algorithm (if any). If the B<-traditional> -option is specified then the older "traditional" format is used instead. +The key output format; the default is B. +See L for details. =item B<-I> -These options encrypt the private key with the supplied cipher. Any algorithm -name accepted by EVP_get_cipherbyname() is acceptable such as B. +Encrypt the PEM encoded private key with the supplied cipher. Any algorithm +name accepted by EVP_get_cipherbyname() is acceptable such as B. +Encryption is not supported for DER output. -=item B<-text> - -Prints out the various public or private key components in -plain text in addition to the encoded version. +=item B<-passout> I -=item B<-text_pub> +The password source for the output file. -Print out only public key components even if a private key is being processed. +For more information about the format of B +see L. -=item B<-noout> +=item B<-traditional> -Do not output the encoded version of the key. +Normally a private key is written using standard format: this is PKCS#8 form +with the appropriate encryption algorithm (if any). If the B<-traditional> +option is specified then the older "traditional" format is used instead. -=item B<-pubin> +=item B<-pubout> -By default a private key is read from the input file: with this -option a public key is read instead. +By default the encoded private and public key is output; +this option restricts the encoded output to the public components. +This option is automatically set if the input is a public key. -=item B<-pubout> +=item B<-noout> -By default a private key is output: with this option a public -key will be output instead. This option is automatically set if -the input is a public key. +Do not output the key in encoded form. -=item B<-check> +=item B<-text> -This option checks the consistency of a key pair for both public and private -components. +Output the various key components in plain text +(possibly in addition to the PEM encoded form). +This cannot be combined with encoded output in DER format. -=item B<-pubcheck> +=item B<-text_pub> -This option checks the correctness of either a public key or the public component -of a key pair. +Output in text form only the public key components (also for private keys). +This cannot be combined with encoded output in DER format. =item B<-ec_conv_form> I -This option only applies to elliptic curve based public and private keys. +This option only applies to elliptic-curve based keys. This specifies how the points on the elliptic curve are converted into octet strings. Possible values are: B (the default @@ -146,10 +177,6 @@ EC parameters structures). The default value is B. B the B alternative, as specified in RFC 3279, is currently not implemented in OpenSSL. -{- $OpenSSL::safe::opt_engine_item -} - -{- $OpenSSL::safe::opt_provider_item -} - =back =head1 EXAMPLES From dev at ddvo.net Mon Jan 11 18:40:41 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Mon, 11 Jan 2021 18:40:41 +0000 Subject: [openssl] master update Message-ID: <1610390441.530688.18492.nullmailer@dev.openssl.org> The branch master has been updated via 678cae0295e3fe600edc049742b8c765a58edebc (commit) via 3372039252c4d9c67de784a0fbdad5589991a347 (commit) from 046a7aaa5e3c398b19fcdb5b486d57ab9c6ced30 (commit) - Log ----------------------------------------------------------------- commit 678cae0295e3fe600edc049742b8c765a58edebc Author: Dr. David von Oheimb Date: Thu Jan 7 10:16:12 2021 +0100 APPS: Print help also on -h and --h; print high-level help when no cmd given Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13799) commit 3372039252c4d9c67de784a0fbdad5589991a347 Author: Dr. David von Oheimb Date: Thu Jan 7 09:00:02 2021 +0100 APPS: Fix confusion between program and app/command name used in diagnostic/help output Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13799) ----------------------------------------------------------------------- Summary of changes: apps/cmp.c | 6 ++---- apps/dgst.c | 3 +-- apps/enc.c | 16 ++++++++-------- apps/include/opt.h | 1 + apps/lib/opt.c | 13 +++++++++++-- apps/openssl.c | 37 ++++++++++++++++++------------------- apps/s_client.c | 3 +-- test/recipes/20-test_app.t | 10 ++++++++-- 8 files changed, 50 insertions(+), 39 deletions(-) diff --git a/apps/cmp.c b/apps/cmp.c index a484234f90..b28b7431ce 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -42,6 +42,7 @@ #include #include +static char *prog; static char *opt_config = NULL; #define CMP_SECTION "cmp" #define SECTION_NAME_MAX 40 /* max length of section name */ @@ -49,10 +50,6 @@ static char *opt_config = NULL; static char *opt_section = CMP_SECTION; static int opt_verbosity = OSSL_CMP_LOG_INFO; -#undef PROG -#define PROG cmp_main -static char *prog = "cmp"; - static int read_config(void); static CONF *conf = NULL; /* OpenSSL config file context structure */ @@ -2625,6 +2622,7 @@ int cmp_main(int argc, char **argv) int ret = 0; /* default: failure */ if (argc <= 1) { + prog = opt_appname(argv[0]); opt_help(cmp_options); goto err; } diff --git a/apps/dgst.c b/apps/dgst.c index 7110a97cf4..845c2eabc9 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -111,9 +111,8 @@ int dgst_main(int argc, char **argv) int engine_impl = 0; struct doall_dgst_digests dec; - prog = opt_progname(argv[0]); buf = app_malloc(BUFSIZE, "I/O buffer"); - md = EVP_get_digestbyname(prog); + md = EVP_get_digestbyname(argv[0]); prog = opt_init(argc, argv, dgst_options); while ((o = opt_next()) != OPT_EOF) { diff --git a/apps/enc.c b/apps/enc.c index f97621b1a6..42b14d4993 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -112,7 +112,7 @@ int enc_main(int argc, char **argv) const EVP_CIPHER *cipher = NULL, *c; const EVP_MD *dgst = NULL; char *hkey = NULL, *hiv = NULL, *hsalt = NULL, *p; - char *infile = NULL, *outfile = NULL, *prog; + char *infile = NULL, *outfile = NULL, *prog, *arg0; char *str = NULL, *passarg = NULL, *pass = NULL, *strbuf = NULL; char mbuf[sizeof(magic) - 1]; OPTION_CHOICE o; @@ -131,18 +131,18 @@ int enc_main(int argc, char **argv) BIO *bzl = NULL; #endif - /* first check the program name */ - prog = opt_progname(argv[0]); - if (strcmp(prog, "base64") == 0) { + /* first check the command name */ + arg0 = argv[0]; + if (strcmp(arg0, "base64") == 0) { base64 = 1; #ifdef ZLIB - } else if (strcmp(prog, "zlib") == 0) { + } else if (strcmp(arg0, "zlib") == 0) { do_zlib = 1; #endif } else { - cipher = EVP_get_cipherbyname(prog); - if (cipher == NULL && strcmp(prog, "enc") != 0) { - BIO_printf(bio_err, "%s is not a known cipher\n", prog); + cipher = EVP_get_cipherbyname(arg0); + if (cipher == NULL && strcmp(arg0, "enc") != 0) { + BIO_printf(bio_err, "%s is not a known cipher\n", arg0); goto end; } } diff --git a/apps/include/opt.h b/apps/include/opt.h index 56de57cf4c..15375e3a80 100644 --- a/apps/include/opt.h +++ b/apps/include/opt.h @@ -341,6 +341,7 @@ typedef struct string_int_pair_st { const char *opt_path_end(const char *filename); char *opt_progname(const char *argv0); +char *opt_appname(const char *arg0); char *opt_getprog(void); char *opt_init(int ac, char **av, const OPTIONS * o); int opt_next(void); diff --git a/apps/lib/opt.c b/apps/lib/opt.c index 260ff3b1c2..22d4138301 100644 --- a/apps/lib/opt.c +++ b/apps/lib/opt.c @@ -138,6 +138,15 @@ char *opt_progname(const char *argv0) } #endif +char *opt_appname(const char *arg0) +{ + size_t len = strlen(prog); + + if (arg0 != NULL) + snprintf(prog + len, sizeof(prog) - len - 1, " %s", arg0); + return prog; +} + char *opt_getprog(void) { return prog; @@ -151,7 +160,6 @@ char *opt_init(int ac, char **av, const OPTIONS *o) argv = av; opt_begin(); opts = o; - opt_progname(av[0]); unknown = NULL; /* Check all options up until the PARAM marker (if present) */ @@ -724,7 +732,8 @@ int opt_next(void) *arg++ = '\0'; for (o = opts; o->name; ++o) { /* If not this option, move on to the next one. */ - if (strcmp(p, o->name) != 0) + if (!(strcmp(p, "h") == 0 && strcmp(o->name, "help") == 0) + && strcmp(p, o->name) != 0) continue; /* If it doesn't take a value, make sure none was given. */ diff --git a/apps/openssl.c b/apps/openssl.c index e6746087ad..b61ed5f81d 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -235,7 +235,9 @@ int main(int argc, char *argv[]) FUNCTION f, *fp; LHASH_OF(FUNCTION) *prog = NULL; char *pname; + const char *fname; ARGS arg; + int global_help = 0; int ret = 0; arg.argv = NULL; @@ -249,9 +251,7 @@ int main(int argc, char *argv[]) #if defined(OPENSSL_SYS_VMS) && defined(__DECC) argv = copy_argv(&argc, argv); #elif defined(_WIN32) - /* - * Replace argv[] with UTF-8 encoded strings. - */ + /* Replace argv[] with UTF-8 encoded strings. */ win32_utf8argv(&argc, &argv); #endif @@ -259,18 +259,11 @@ int main(int argc, char *argv[]) setup_trace(getenv("OPENSSL_TRACE")); #endif - if (!apps_startup()) { - BIO_printf(bio_err, - "FATAL: Startup failure (dev note: apps_startup() failed)\n"); - ERR_print_errors(bio_err); - ret = 1; - goto end; - } - - prog = prog_init(); - if (prog == NULL) { + if ((fname = "apps_startup", !apps_startup()) + || (fname = "prog_init", (prog = prog_init()) == NULL)) { BIO_printf(bio_err, - "FATAL: Startup failure (dev note: prog_init() failed)\n"); + "FATAL: Startup failure (dev note: %s()) for %s\n", + fname, argv[0]); ERR_print_errors(bio_err); ret = 1; goto end; @@ -285,15 +278,21 @@ int main(int argc, char *argv[]) f.name = pname; fp = lh_FUNCTION_retrieve(prog, &f); if (fp == NULL) { - /* We assume we've been called as 'openssl cmd' */ + /* We assume we've been called as 'openssl ...' */ + global_help = argc > 1 + && (strcmp(argv[1], "-help") == 0 || strcmp(argv[1], "--help") == 0 + || strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--h") == 0); argc--; argv++; + opt_appname(argc == 1 || global_help ? "help" : argv[0]); + } else { + argv[0] = pname; } /* If there's a command, run with that, otherwise "help". */ - ret = argc > 0 - ? do_cmd(prog, argc, argv) - : do_cmd(prog, 1, help_argv); + ret = argc == 0 || global_help + ? do_cmd(prog, 1, help_argv) + : do_cmd(prog, argc, argv); end: OPENSSL_free(default_config_file); @@ -360,7 +359,7 @@ int help_main(int argc, char **argv) } calculate_columns(functions, &dc); - BIO_printf(bio_err, "Standard commands"); + BIO_printf(bio_err, "%s:\n\nStandard commands", prog); i = 0; tp = FT_none; for (fp = functions; fp->name != NULL; fp++) { diff --git a/apps/s_client.c b/apps/s_client.c index 56444baeca..25c01f4088 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -1010,7 +1010,6 @@ int s_client_main(int argc, char **argv) # endif #endif - prog = opt_progname(argv[0]); c_quiet = 0; c_debug = 0; c_showcerts = 0; @@ -1019,7 +1018,7 @@ int s_client_main(int argc, char **argv) cctx = SSL_CONF_CTX_new(); if (vpm == NULL || cctx == NULL) { - BIO_printf(bio_err, "%s: out of memory\n", prog); + BIO_printf(bio_err, "%s: out of memory\n", opt_getprog()); goto end; } diff --git a/test/recipes/20-test_app.t b/test/recipes/20-test_app.t index e7246565f2..dfd0db25b8 100644 --- a/test/recipes/20-test_app.t +++ b/test/recipes/20-test_app.t @@ -13,7 +13,7 @@ use OpenSSL::Test; setup("test_app"); -plan tests => 3; +plan tests => 5; ok(run(app(["openssl"])), "Run openssl app with no args"); @@ -21,5 +21,11 @@ ok(run(app(["openssl"])), ok(run(app(["openssl", "help"])), "Run openssl app with help"); -ok(!run(app(["openssl", "-help"])), +ok(!run(app(["openssl", "-wrong"])), "Run openssl app with incorrect arg"); + +ok(run(app(["openssl", "-help"])), + "Run openssl app with -help"); + +ok(run(app(["openssl", "--help"])), + "Run openssl app with --help"); From no-reply at appveyor.com Mon Jan 11 20:28:37 2021 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 11 Jan 2021 20:28:37 +0000 Subject: Build failed: openssl master.39082 Message-ID: <20210111202837.1.B9596B86F5F56362@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Mon Jan 11 23:34:47 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 11 Jan 2021 23:34:47 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module Message-ID: <1610408087.872619.643438.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: e211d949cd doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code. 42141197a1 Fix for negative return value from `SSL_CTX_sess_accept()` 732e24bb14 Fix simpledynamic test compilation when condigured without DSO support. 6d4313f03e replace 'unsigned const char' with 'const unsigned char' 1330093b9c [test][pkey_check] Add more invalid SM2 key tests 9e49aff2aa Add SM2 private key range validation 4554988e58 [test][pkey_check] Add invalid SM2 key test ed37336b63 [apps/pkey] Return error on failed `-[pub]check` c5bc5ec849 [test] Add `pkey -check` validation tests becbacd705 Adding TLS group name retrieval 22aa4a3afb [crypto/dh] side channel hardening for computing DH shared keys d0afb30ef3 Ensure DTLS free functions can handle NULL 3d0b6494d5 Remove extra space. 981b4b9572 Fixed error and return code. 1c47539a23 Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites. c1e8a0c66e Fix set_ciphersuites ignore unknown ciphers. a86add03ab Prepare for 3.0 alpha 11 cae118f938 Prepare for release of 3.0 alpha 10 bd0c71298a Update copyright year Build log ended with (last 100 lines): # setup_client_ctx:../openssl/apps/cmp.c:1980:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2030:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 0 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem -out_trusted root.crt => 0 not ok 43 - popo RAVERIFIED # ------------------------------------------------------------------------------ # cmp_main:../openssl/apps/cmp.c:2663:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2263:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:687:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1980:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2030:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # ------------------------------------------------------------------------------ # Failed test 'popo NONE' # at ../openssl/test/recipes/81-test_cmp_cli.t line 183. # cmp_main:../openssl/apps/cmp.c:2663:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2263:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:687:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1980:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2030:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 2 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem -out_trusted root.crt => 0 not ok 48 - popo KEYENC not supported # ------------------------------------------------------------------------------ # Looks like you failed 3 tests of 92. not ok 7 - CMP app CLI Mock enrollment # ------------------------------------------------------------------------------ # # Failed test 'CMP app CLI Mock enrollment # ' # at /home/openssl/run-checker/enable-fuzz-afl/../openssl/util/perl/OpenSSL/Test.pm line 1335. # Looks like you failed 3 tests of 7.81-test_cmp_cli.t .................. Dubious, test returned 3 (wstat 768, 0x300) Failed 3/7 subtests 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. skipped: Test only supported in a shared build 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: GOST support is disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ skipped: Test only supported in a shared build 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. skipped: tls13secrets is not supported in this build 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 81-test_cmp_cli.t (Wstat: 768 Tests: 7 Failed: 3) Failed tests: 4-5, 7 Non-zero exit status: 3 Files=228, Tests=3004, 693 wallclock secs (10.61 usr 1.32 sys + 610.63 cusr 71.30 csys = 693.86 CPU) Result: FAIL make[1]: *** [Makefile:2459: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-fuzz-afl' make: *** [Makefile:2456: tests] Error 2 From kaduk at mit.edu Mon Jan 11 23:51:21 2021 From: kaduk at mit.edu (kaduk at mit.edu) Date: Mon, 11 Jan 2021 23:51:21 +0000 Subject: [openssl] master update Message-ID: <1610409081.301923.4306.nullmailer@dev.openssl.org> The branch master has been updated via 3ddf44ea5a2c1c8c55f4f4072a611791c79d4e7c (commit) from 678cae0295e3fe600edc049742b8c765a58edebc (commit) - Log ----------------------------------------------------------------- commit 3ddf44ea5a2c1c8c55f4f4072a611791c79d4e7c Author: John Baldwin Date: Thu Jan 7 14:09:41 2021 -0800 Close /dev/crypto file descriptor after CRIOGET ioctl(). Reviewed-by: Matt Caswell Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13807) ----------------------------------------------------------------------- Summary of changes: engines/e_devcrypto.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c index d549edfd29..e1c4372f72 100644 --- a/engines/e_devcrypto.c +++ b/engines/e_devcrypto.c @@ -1236,9 +1236,11 @@ static int open_devcrypto(void) #ifdef CRIOGET if (ioctl(fd, CRIOGET, &cfd) < 0) { fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno)); + close(fd); cfd = -1; return 0; } + close(fd); #else cfd = fd; #endif From no-reply at appveyor.com Tue Jan 12 03:19:43 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 12 Jan 2021 03:19:43 +0000 Subject: Build failed: openssl master.39095 Message-ID: <20210112031943.1.5C9BD2F84A3B4EC4@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Jan 12 03:37:18 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 12 Jan 2021 03:37:18 +0000 Subject: Build failed: openssl master.39096 Message-ID: <20210112033718.1.C586B57084123E3B@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Jan 12 06:29:31 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 12 Jan 2021 06:29:31 +0000 Subject: Build completed: openssl master.39097 Message-ID: <20210112062931.1.048BE900A70FD4CD@appveyor.com> An HTML attachment was scrubbed... URL: From matthias.st.pierre at ncp-e.com Tue Jan 12 10:19:48 2021 From: matthias.st.pierre at ncp-e.com (matthias.st.pierre at ncp-e.com) Date: Tue, 12 Jan 2021 10:19:48 +0000 Subject: [openssl] master update Message-ID: <1610446788.625383.23994.nullmailer@dev.openssl.org> The branch master has been updated via b209835364de35541d835185f3dc3a984e2c1545 (commit) from 3ddf44ea5a2c1c8c55f4f4072a611791c79d4e7c (commit) - Log ----------------------------------------------------------------- commit b209835364de35541d835185f3dc3a984e2c1545 Author: Dr. Matthias St. Pierre Date: Sat Jan 9 17:29:47 2021 +0100 v3_ocsp.c: fix indentation of include directives Fixes #13820 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13822) ----------------------------------------------------------------------- Summary of changes: crypto/ocsp/v3_ocsp.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/crypto/ocsp/v3_ocsp.c b/crypto/ocsp/v3_ocsp.c index 7d3d730457..9e24102685 100644 --- a/crypto/ocsp/v3_ocsp.c +++ b/crypto/ocsp/v3_ocsp.c @@ -7,14 +7,14 @@ * https://www.openssl.org/source/license.html */ -# include -# include "internal/cryptlib.h" -# include -# include -# include -# include "ocsp_local.h" -# include -# include "../x509/ext_dat.h" +#include +#include "internal/cryptlib.h" +#include +#include +#include +#include "ocsp_local.h" +#include +#include "../x509/ext_dat.h" /* * OCSP extensions and a couple of CRL entry extensions From levitte at openssl.org Tue Jan 12 10:27:10 2021 From: levitte at openssl.org (Richard Levitte) Date: Tue, 12 Jan 2021 10:27:10 +0000 Subject: [openssl] master update Message-ID: <1610447230.546613.26404.nullmailer@dev.openssl.org> The branch master has been updated via 0d11846e4b2850773d1ee0df206608549a7d45d0 (commit) via 2497e2e7dbe54420cd98dc2ff013ed5886cd4d8e (commit) via 5e16ac142e812864e01c6c534888d4efaca6d9bf (commit) via 507f83800fe9c85c6249e9baad4602075df2b5b7 (commit) from b209835364de35541d835185f3dc3a984e2c1545 (commit) - Log ----------------------------------------------------------------- commit 0d11846e4b2850773d1ee0df206608549a7d45d0 Author: Richard Levitte Date: Sun Jan 10 09:28:58 2021 +0100 Remove duplicate GENERATE declarations for .pod files Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13824) commit 2497e2e7dbe54420cd98dc2ff013ed5886cd4d8e Author: Richard Levitte Date: Sun Jan 10 09:26:22 2021 +0100 Configure: warn about duplicate GENERATE declarations in build.info files This sort of duplication is permitted, as the end result will be a single item anyway, but we might as well warn to avoid future confusion. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13824) commit 5e16ac142e812864e01c6c534888d4efaca6d9bf Author: Richard Levitte Date: Sun Jan 10 09:13:14 2021 +0100 Configure: clean away perl syntax faults The faults aren't fatal (i.e. perl just shrugs), but are curious. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13824) commit 507f83800fe9c85c6249e9baad4602075df2b5b7 Author: Richard Levitte Date: Sun Jan 10 09:08:46 2021 +0100 Configure: Check all SOURCE declarations, to ensure consistency If the given sources are GENERATEd, we check those generators as well. This ensures that the declarations in the diverse build.info files are consistent with existing files. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13824) ----------------------------------------------------------------------- Summary of changes: Configure | 81 ++++++++++++++++++++++++++++++++++++++++++++++++----- build.info | 1 - doc/man1/build.info | 55 ++---------------------------------- 3 files changed, 76 insertions(+), 61 deletions(-) diff --git a/Configure b/Configure index f0ad787bc4..ccdb037de2 100755 --- a/Configure +++ b/Configure @@ -1891,6 +1891,17 @@ if ($builder eq "unified") { $config{build_infos} = [ ]; + # We want to detect configdata.pm in the source tree, so we + # don't use it if the build tree is different. + my $src_configdata = cleanfile($srcdir, "configdata.pm", $blddir); + + # Any source file that we recognise is placed in this hash table, with + # the list of its intended destinations as value. When everything has + # been collected, there's a routine that checks that these source files + # exist, or if they are generated, that the generator exists. + my %check_exist = (); + my %check_generate = (); + my %ordinals = (); while (@build_dirs) { my @curd = @{shift @build_dirs}; @@ -2038,11 +2049,6 @@ if ($builder eq "unified") { } }; - # We want to detect configdata.pm in the source tree, so we - # don't use it if the build tree is different. - my $src_configdata = cleanfile($srcdir, "configdata.pm", $blddir); - - if ($buildinfo_debug) { print STDERR "DEBUG: Reading ",catfile($sourced, $f),"\n"; } @@ -2242,6 +2248,7 @@ EOF } # We recognise C++, C and asm files if ($s =~ /\.(cc|cpp|c|s|S)$/) { + push @{$check_exist{$s}}, $ddest; my $o = $_; $o =~ s/\.[csS]$/.o/; # C and assembler $o =~ s/\.(cc|cpp)$/_cc.o/; # C++ @@ -2250,12 +2257,14 @@ EOF $unified_info{sources}->{$o}->{$s} = -1; } elsif ($s =~ /\.rc$/) { # We also recognise resource files + push @{$check_exist{$s}}, $ddest; my $o = $_; $o =~ s/\.rc$/.res/; # Resource configuration - my $o = cleanfile($buildd, $o, $blddir); + $o = cleanfile($buildd, $o, $blddir); $unified_info{sources}->{$ddest}->{$o} = -1; $unified_info{sources}->{$o}->{$s} = -1; } else { + push @{$check_exist{$s}}, $ddest; $unified_info{sources}->{$ddest}->{$s} = 1; } } @@ -2275,6 +2284,7 @@ EOF if ($s =~ /\.(cc|cpp|c|s|S)$/) { # We recognise C++, C and asm files + push @{$check_exist{$s}}, $ddest; my $o = $_; $o =~ s/\.[csS]$/.o/; # C and assembler $o =~ s/\.(cc|cpp)$/_cc.o/; # C++ @@ -2283,14 +2293,16 @@ EOF $unified_info{sources}->{$o}->{$s} = -1; } elsif ($s =~ /\.rc$/) { # We also recognise resource files + push @{$check_exist{$s}}, $ddest; my $o = $_; $o =~ s/\.rc$/.res/; # Resource configuration - my $o = cleanfile($buildd, $o, $blddir); + $o = cleanfile($buildd, $o, $blddir); $unified_info{shared_sources}->{$ddest}->{$o} = -1; $unified_info{sources}->{$o}->{$s} = -1; } elsif ($s =~ /\.ld$/) { # We also recognise linker scripts (or corresponding) # We know they are generated files + push @{$check_exist{$s}}, $ddest; my $ld = cleanfile($buildd, $_, $blddir); $unified_info{shared_sources}->{$ddest}->{$ld} = 1; } else { @@ -2313,6 +2325,7 @@ EOF if ($generate{$gen}) { $generator[0] = cleanfile($buildd, $gen, $blddir); } + $check_generate{$ddest}->{$generator[0]}++; $unified_info{generate}->{$ddest} = [ @generator ]; } @@ -2417,6 +2430,60 @@ They are ignored and should be replaced with a combination of GENERATE, DEPEND and SHARED_SOURCE. EOF + # Check that each generated file is only generated once + my $ambiguous_generation = 0; + foreach (sort keys %check_generate) { + my @generators = sort keys %{$check_generate{$_}}; + my $generators_txt = join(', ', @generators); + if (scalar @generators > 1) { + warn "$_ is GENERATEd by more than one generator ($generators_txt)\n"; + $ambiguous_generation++; + } + if ($check_generate{$_}->{$generators[0]} > 1) { + warn "INFO: $_ has more than one GENERATE declaration (same generator)\n" + } + } + die "There are ambiguous source file generations\n" + if $ambiguous_generation > 0; + + # All given source files should exist, or if generated, their + # generator should exist. This loop ensures this is true. + my $missing = 0; + foreach my $orig (sort keys %check_exist) { + foreach my $dest (@{$check_exist{$orig}}) { + if ($orig ne $src_configdata) { + if ($orig =~ /\.a$/) { + # Static library names may be used as sources, so we + # need to detect those and give them special treatment. + unless (grep { $_ eq $orig } + keys %{$unified_info{libraries}}) { + warn "$orig is given as source for $dest, but no such library is built\n"; + $missing++; + } + } else { + # A source may be generated, and its generator may be + # generated as well. We therefore loop to dig out the + # first generator. + my $gen = $orig; + + while (my @next = keys %{$check_generate{$gen}}) { + $gen = $next[0]; + } + + if (! -f $gen) { + if ($gen ne $orig) { + $missing++; + warn "$orig is given as source for $dest, but its generator (leading to $gen) is missing\n"; + } else { + $missing++; + warn "$orig is given as source for $dest, but is missing\n"; + } + } + } + } + } + } + die "There are files missing\n" if $missing > 0; # Go through the sources of all libraries and check that the same basename # doesn't appear more than once. Some static library archivers depend on diff --git a/build.info b/build.info index 44ecee35cb..27818b7fce 100644 --- a/build.info +++ b/build.info @@ -68,7 +68,6 @@ GENERATE[include/openssl/x509v3.h]=include/openssl/x509v3.h.in GENERATE[include/openssl/x509_vfy.h]=include/openssl/x509_vfy.h.in GENERATE[include/crypto/bn_conf.h]=include/crypto/bn_conf.h.in GENERATE[include/crypto/dso_conf.h]=include/crypto/dso_conf.h.in -GENERATE[doc/man7/openssl_user_macros.pod]=doc/man7/openssl_user_macros.pod.in IF[{- defined $target{shared_defflag} -}] SHARED_SOURCE[libcrypto]=libcrypto.ld diff --git a/doc/man1/build.info b/doc/man1/build.info index 40df5d360e..6d9d7b564c 100644 --- a/doc/man1/build.info +++ b/doc/man1/build.info @@ -108,56 +108,5 @@ DEPEND[openssl-verify.pod]=../perlvars.pm DEPEND[openssl-version.pod]=../perlvars.pm DEPEND[openssl-x509.pod]=../perlvars.pm -GENERATE[openssl-asn1parse.pod]=openssl-asn1parse.pod.in -GENERATE[openssl-ca.pod]=openssl-ca.pod.in -GENERATE[openssl-ciphers.pod]=openssl-ciphers.pod.in -GENERATE[openssl-cmds.pod]=openssl-cmds.pod.in -GENERATE[openssl-cmp.pod]=openssl-cmp.pod.in -GENERATE[openssl-cms.pod]=openssl-cms.pod.in -GENERATE[openssl-crl2pkcs7.pod]=openssl-crl2pkcs7.pod.in -GENERATE[openssl-crl.pod]=openssl-crl.pod.in -GENERATE[openssl-dgst.pod]=openssl-dgst.pod.in -GENERATE[openssl-dhparam.pod]=openssl-dhparam.pod.in -GENERATE[openssl-dsaparam.pod]=openssl-dsaparam.pod.in -GENERATE[openssl-dsa.pod]=openssl-dsa.pod.in -GENERATE[openssl-ecparam.pod]=openssl-ecparam.pod.in -GENERATE[openssl-ec.pod]=openssl-ec.pod.in -GENERATE[openssl-enc.pod]=openssl-enc.pod.in -GENERATE[openssl-engine.pod]=openssl-engine.pod.in -GENERATE[openssl-errstr.pod]=openssl-errstr.pod.in -GENERATE[openssl-fipsinstall.pod]=openssl-fipsinstall.pod.in -GENERATE[openssl-gendsa.pod]=openssl-gendsa.pod.in -GENERATE[openssl-genpkey.pod]=openssl-genpkey.pod.in -GENERATE[openssl-genrsa.pod]=openssl-genrsa.pod.in -GENERATE[openssl-info.pod]=openssl-info.pod.in -GENERATE[openssl-kdf.pod]=openssl-kdf.pod.in -GENERATE[openssl-list.pod]=openssl-list.pod.in -GENERATE[openssl-mac.pod]=openssl-mac.pod.in -GENERATE[openssl-nseq.pod]=openssl-nseq.pod.in -GENERATE[openssl-ocsp.pod]=openssl-ocsp.pod.in -GENERATE[openssl-passwd.pod]=openssl-passwd.pod.in -GENERATE[openssl-pkcs12.pod]=openssl-pkcs12.pod.in -GENERATE[openssl-pkcs7.pod]=openssl-pkcs7.pod.in -GENERATE[openssl-pkcs8.pod]=openssl-pkcs8.pod.in -GENERATE[openssl-pkeyparam.pod]=openssl-pkeyparam.pod.in -GENERATE[openssl-pkey.pod]=openssl-pkey.pod.in -GENERATE[openssl-pkeyutl.pod]=openssl-pkeyutl.pod.in -GENERATE[openssl-prime.pod]=openssl-prime.pod.in -GENERATE[openssl-rand.pod]=openssl-rand.pod.in -GENERATE[openssl-rehash.pod]=openssl-rehash.pod.in -GENERATE[openssl-req.pod]=openssl-req.pod.in -GENERATE[openssl-rsa.pod]=openssl-rsa.pod.in -GENERATE[openssl-rsautl.pod]=openssl-rsautl.pod.in -GENERATE[openssl-s_client.pod]=openssl-s_client.pod.in -GENERATE[openssl-sess_id.pod]=openssl-sess_id.pod.in -GENERATE[openssl-smime.pod]=openssl-smime.pod.in -GENERATE[openssl-speed.pod]=openssl-speed.pod.in -GENERATE[openssl-spkac.pod]=openssl-spkac.pod.in -GENERATE[openssl-srp.pod]=openssl-srp.pod.in -GENERATE[openssl-s_server.pod]=openssl-s_server.pod.in -GENERATE[openssl-s_time.pod]=openssl-s_time.pod.in -GENERATE[openssl-storeutl.pod]=openssl-storeutl.pod.in -GENERATE[openssl-ts.pod]=openssl-ts.pod.in -GENERATE[openssl-verify.pod]=openssl-verify.pod.in -GENERATE[openssl-version.pod]=openssl-version.pod.in -GENERATE[openssl-x509.pod]=openssl-x509.pod.in +# All .pod.in files are detected by build.info in the parent directory, and +# turned into appropriate GENERATE lines. From openssl at openssl.org Tue Jan 12 16:51:34 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 12 Jan 2021 16:51:34 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings enable-weak-ssl-ciphers Message-ID: <1610470294.408059.2711189.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings enable-weak-ssl-ciphers Commit log since last time: e211d949cd doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code. 42141197a1 Fix for negative return value from `SSL_CTX_sess_accept()` 732e24bb14 Fix simpledynamic test compilation when condigured without DSO support. 6d4313f03e replace 'unsigned const char' with 'const unsigned char' 1330093b9c [test][pkey_check] Add more invalid SM2 key tests 9e49aff2aa Add SM2 private key range validation 4554988e58 [test][pkey_check] Add invalid SM2 key test ed37336b63 [apps/pkey] Return error on failed `-[pub]check` c5bc5ec849 [test] Add `pkey -check` validation tests becbacd705 Adding TLS group name retrieval 22aa4a3afb [crypto/dh] side channel hardening for computing DH shared keys d0afb30ef3 Ensure DTLS free functions can handle NULL 3d0b6494d5 Remove extra space. 981b4b9572 Fixed error and return code. 1c47539a23 Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites. c1e8a0c66e Fix set_ciphersuites ignore unknown ciphers. a86add03ab Prepare for 3.0 alpha 11 cae118f938 Prepare for release of 3.0 alpha 10 bd0c71298a Update copyright year Build log ended with (last 100 lines): 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok ERROR in SERVER 40D743FAD17F0000:error:0A0000F4:SSL routines:ossl_statem_server_read_transition:unexpected message:../openssl/ssl/statem/statem_srvr.c:312: Doing handshakes=1 bytes=256 TLSv1, cipher SSLv3 ADH-RC4-MD5, temp key: 2048 bits DH ../../util/wrap.pl ../../test/ssl_old_test -s_key keyU.ss -s_cert certU.ss -c_key keyU.ss -c_cert certU.ss -config ../../../openssl/test/default-and-legacy.cnf -provider default -provider legacy -s_cert certD.ss -s_key keyD.ss -s_cert certE.ss -s_key keyE.ss -cipher 'ADH-RC4-MD5:@SECLEVEL=0' -ciphersuites '' -tls1 => 1 not ok 28 - Testing ADH-RC4-MD5:@SECLEVEL=0 # ------------------------------------------------------------------------------ ERROR in SERVER 40A73178527F0000:error:0A0000F4:SSL routines:ossl_statem_server_read_transition:unexpected message:../openssl/ssl/statem/statem_srvr.c:312: Doing handshakes=1 bytes=256 TLSv1, cipher SSLv3 RC4-MD5, 2048 bits RSA ../../util/wrap.pl ../../test/ssl_old_test -s_key keyU.ss -s_cert certU.ss -c_key keyU.ss -c_cert certU.ss -config ../../../openssl/test/default-and-legacy.cnf -provider default -provider legacy -s_cert certD.ss -s_key keyD.ss -s_cert certE.ss -s_key keyE.ss -cipher 'RC4-MD5:@SECLEVEL=0' -ciphersuites '' -tls1 => 1 not ok 42 - Testing RC4-MD5:@SECLEVEL=0 # ------------------------------------------------------------------------------ ERROR in SERVER 40471307367F0000:error:0A0000F4:SSL routines:ossl_statem_server_read_transition:unexpected message:../openssl/ssl/statem/statem_srvr.c:312: Doing handshakes=1 bytes=256 TLSv1.2, cipher SSLv3 ADH-RC4-MD5, temp key: 2048 bits DH ../../util/wrap.pl ../../test/ssl_old_test -s_key keyU.ss -s_cert certU.ss -c_key keyU.ss -c_cert certU.ss -config ../../../openssl/test/default-and-legacy.cnf -provider default -provider legacy -s_cert certD.ss -s_key keyD.ss -s_cert certE.ss -s_key keyE.ss -cipher 'ADH-RC4-MD5:@SECLEVEL=0' -ciphersuites '' -tls1_2 => 1 not ok 118 - Testing ADH-RC4-MD5:@SECLEVEL=0 # ------------------------------------------------------------------------------ ERROR in SERVER 40374CB36C7F0000:error:0A0000F4:SSL routines:ossl_statem_server_read_transition:unexpected message:../openssl/ssl/statem/statem_srvr.c:312: Doing handshakes=1 bytes=256 TLSv1.2, cipher SSLv3 RC4-MD5, 2048 bits RSA ../../util/wrap.pl ../../test/ssl_old_test -s_key keyU.ss -s_cert certU.ss -c_key keyU.ss -c_cert certU.ss -config ../../../openssl/test/default-and-legacy.cnf -provider default -provider legacy -s_cert certD.ss -s_key keyD.ss -s_cert certE.ss -s_key keyE.ss -cipher 'RC4-MD5:@SECLEVEL=0' -ciphersuites '' -tls1_2 => 1 not ok 143 - Testing RC4-MD5:@SECLEVEL=0 # ------------------------------------------------------------------------------ # Looks like you failed 4 tests of 148. not ok 4 - Testing ciphersuites # ------------------------------------------------------------------------------ # Looks like you failed 1 test of 12.80-test_ssl_old.t .................. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/12 subtests 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_ssl_old.t (Wstat: 256 Tests: 12 Failed: 1) Failed test: 4 Non-zero exit status: 1 Files=228, Tests=3565, 790 wallclock secs (11.21 usr 1.08 sys + 727.09 cusr 57.92 csys = 797.30 CPU) Result: FAIL make[1]: *** [Makefile:3274: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-weak-ssl-ciphers' make: *** [Makefile:3271: tests] Error 2 From levitte at openssl.org Tue Jan 12 18:03:08 2021 From: levitte at openssl.org (Richard Levitte) Date: Tue, 12 Jan 2021 18:03:08 +0000 Subject: [openssl] master update Message-ID: <1610474588.414899.13408.nullmailer@dev.openssl.org> The branch master has been updated via 5a2d0ef36f4c130758a9d5e84f93004458e3ce60 (commit) via d6d42cda5fbc05aeaadf8c760db60e9089e3609b (commit) from 0d11846e4b2850773d1ee0df206608549a7d45d0 (commit) - Log ----------------------------------------------------------------- commit 5a2d0ef36f4c130758a9d5e84f93004458e3ce60 Author: Richard Levitte Date: Fri Nov 20 23:07:56 2020 +0100 Clean away extraneous library specific FETCH_FAILED reason codes Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13467) commit d6d42cda5fbc05aeaadf8c760db60e9089e3609b Author: Richard Levitte Date: Sat Oct 17 07:07:41 2020 +0200 Use centralized fetching errors We've spread around FETCH_FAILED errors in quite a few places, and that gives somewhat crude error records, as there's no way to tell if the error was unavailable algorithms or some other error at such high levels. As an alternative, we take recording of these kinds of errors down to the fetching functions, which are in a much better place to tell what kind of error it was, thereby relieving the higher level calls from having to guess. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13467) ----------------------------------------------------------------------- Summary of changes: crypto/context.c | 13 ++++++++++ crypto/encode_decode/decoder_meth.c | 48 +++++++++++++++++++++++++++++++++--- crypto/encode_decode/encoder_meth.c | 48 +++++++++++++++++++++++++++++++++--- crypto/err/err.c | 9 +++++++ crypto/err/openssl.txt | 2 -- crypto/evp/evp_err.c | 1 - crypto/evp/evp_fetch.c | 26 +++++--------------- crypto/store/store_meth.c | 49 ++++++++++++++++++++++++++++++++++--- include/internal/cryptlib.h | 1 + include/openssl/err.h.in | 2 ++ include/openssl/evperr.h | 1 - include/openssl/sslerr.h | 2 -- ssl/s3_enc.c | 3 ++- ssl/ssl_err.c | 4 --- ssl/statem/statem.c | 21 ++++++++++------ ssl/statem/statem.h | 2 ++ ssl/statem/statem_clnt.c | 3 ++- ssl/statem/statem_srvr.c | 3 ++- ssl/t1_enc.c | 3 ++- ssl/tls13_enc.c | 7 +++--- test/tls13secretstest.c | 4 +++ 21 files changed, 198 insertions(+), 54 deletions(-) diff --git a/crypto/context.c b/crypto/context.c index 4dbfb723e1..c351ff9619 100644 --- a/crypto/context.c +++ b/crypto/context.c @@ -368,3 +368,16 @@ int ossl_lib_ctx_onfree(OSSL_LIB_CTX *ctx, ossl_lib_ctx_onfree_fn onfreefn) return 1; } + +const char *ossl_lib_ctx_get_descriptor(OSSL_LIB_CTX *libctx) +{ +#ifdef FIPS_MODULE + return "FIPS internal library context"; +#else + if (ossl_lib_ctx_is_global_default(libctx)) + return "Global default library context"; + if (ossl_lib_ctx_is_default(libctx)) + return "Thread-local default library context"; + return "Non-default library context"; +#endif +} diff --git a/crypto/encode_decode/decoder_meth.c b/crypto/encode_decode/decoder_meth.c index 0d389ac5a6..915c91fd80 100644 --- a/crypto/encode_decode/decoder_meth.c +++ b/crypto/encode_decode/decoder_meth.c @@ -87,6 +87,8 @@ struct decoder_data_st { int id; /* For get_decoder_from_store() */ const char *names; /* For get_decoder_from_store() */ const char *propquery; /* For get_decoder_from_store() */ + + unsigned int flag_construct_error_occured : 1; }; /* @@ -242,7 +244,7 @@ void *ossl_decoder_from_dispatch(int id, const OSSL_ALGORITHM *algodef, * then call ossl_decoder_from_dispatch() with that identity number. */ static void *construct_decoder(const OSSL_ALGORITHM *algodef, - OSSL_PROVIDER *prov, void *unused) + OSSL_PROVIDER *prov, void *data) { /* * This function is only called if get_decoder_from_store() returned @@ -250,6 +252,7 @@ static void *construct_decoder(const OSSL_ALGORITHM *algodef, * namemap entry, this is it. Should the name already exist there, we * know that ossl_namemap_add() will return its corresponding number. */ + struct decoder_data_st *methdata = data; OSSL_LIB_CTX *libctx = ossl_provider_libctx(prov); OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); const char *names = algodef->algorithm_names; @@ -259,6 +262,14 @@ static void *construct_decoder(const OSSL_ALGORITHM *algodef, if (id != 0) method = ossl_decoder_from_dispatch(id, algodef, prov); + /* + * Flag to indicate that there was actual construction errors. This + * helps inner_evp_generic_fetch() determine what error it should + * record on inaccessible algorithms. + */ + if (method == NULL) + methdata->flag_construct_error_occured = 1; + return method; } @@ -286,20 +297,32 @@ static OSSL_DECODER *inner_ossl_decoder_fetch(OSSL_LIB_CTX *libctx, int id, OSSL_METHOD_STORE *store = get_decoder_store(libctx); OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); void *method = NULL; + int unsupported = 0; - if (store == NULL || namemap == NULL) + if (store == NULL || namemap == NULL) { + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_PASSED_INVALID_ARGUMENT); return NULL; + } /* * If we have been passed neither a name_id or a name, we have an * internal programming error. */ - if (!ossl_assert(id != 0 || name != NULL)) + if (!ossl_assert(id != 0 || name != NULL)) { + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_INTERNAL_ERROR); return NULL; + } if (id == 0) id = ossl_namemap_name2num(namemap, name); + /* + * If we haven't found the name yet, chances are that the algorithm to + * be fetched is unsupported. + */ + if (id == 0) + unsupported = 1; + if (id == 0 || !ossl_method_store_cache_get(store, id, properties, &method)) { OSSL_METHOD_CONSTRUCT_METHOD mcm = { @@ -317,6 +340,7 @@ static OSSL_DECODER *inner_ossl_decoder_fetch(OSSL_LIB_CTX *libctx, int id, mcmdata.id = id; mcmdata.names = name; mcmdata.propquery = properties; + mcmdata.flag_construct_error_occured = 0; if ((method = ossl_method_construct(libctx, OSSL_OP_DECODER, 0 /* !force_cache */, &mcm, &mcmdata)) != NULL) { @@ -331,6 +355,24 @@ static OSSL_DECODER *inner_ossl_decoder_fetch(OSSL_LIB_CTX *libctx, int id, ossl_method_store_cache_set(store, id, properties, method, up_ref_decoder, free_decoder); } + + /* + * If we never were in the constructor, the algorithm to be fetched + * is unsupported. + */ + unsupported = !mcmdata.flag_construct_error_occured; + } + + if (method == NULL) { + int code = unsupported ? ERR_R_UNSUPPORTED : ERR_R_FETCH_FAILED; + + if (name == NULL) + name = ossl_namemap_num2name(namemap, id, 0); + ERR_raise_data(ERR_LIB_OSSL_DECODER, code, + "%s, Name (%s : %d), Properties (%s)", + ossl_lib_ctx_get_descriptor(libctx), + name = NULL ? "" : name, id, + properties == NULL ? "" : properties); } return method; diff --git a/crypto/encode_decode/encoder_meth.c b/crypto/encode_decode/encoder_meth.c index 99c4a119d3..d3eea415ff 100644 --- a/crypto/encode_decode/encoder_meth.c +++ b/crypto/encode_decode/encoder_meth.c @@ -87,6 +87,8 @@ struct encoder_data_st { int id; /* For get_encoder_from_store() */ const char *names; /* For get_encoder_from_store() */ const char *propquery; /* For get_encoder_from_store() */ + + unsigned int flag_construct_error_occured : 1; }; /* @@ -254,7 +256,7 @@ static void *encoder_from_dispatch(int id, const OSSL_ALGORITHM *algodef, * then call encoder_from_dispatch() with that identity number. */ static void *construct_encoder(const OSSL_ALGORITHM *algodef, - OSSL_PROVIDER *prov, void *unused) + OSSL_PROVIDER *prov, void *data) { /* * This function is only called if get_encoder_from_store() returned @@ -262,6 +264,7 @@ static void *construct_encoder(const OSSL_ALGORITHM *algodef, * namemap entry, this is it. Should the name already exist there, we * know that ossl_namemap_add() will return its corresponding number. */ + struct encoder_data_st *methdata = data; OSSL_LIB_CTX *libctx = ossl_provider_libctx(prov); OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); const char *names = algodef->algorithm_names; @@ -271,6 +274,14 @@ static void *construct_encoder(const OSSL_ALGORITHM *algodef, if (id != 0) method = encoder_from_dispatch(id, algodef, prov); + /* + * Flag to indicate that there was actual construction errors. This + * helps inner_evp_generic_fetch() determine what error it should + * record on inaccessible algorithms. + */ + if (method == NULL) + methdata->flag_construct_error_occured = 1; + return method; } @@ -298,20 +309,32 @@ static OSSL_ENCODER *inner_ossl_encoder_fetch(OSSL_LIB_CTX *libctx, OSSL_METHOD_STORE *store = get_encoder_store(libctx); OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); void *method = NULL; + int unsupported = 0; - if (store == NULL || namemap == NULL) + if (store == NULL || namemap == NULL) { + ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_PASSED_INVALID_ARGUMENT); return NULL; + } /* * If we have been passed neither a name_id or a name, we have an * internal programming error. */ - if (!ossl_assert(id != 0 || name != NULL)) + if (!ossl_assert(id != 0 || name != NULL)) { + ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_INTERNAL_ERROR); return NULL; + } if (id == 0) id = ossl_namemap_name2num(namemap, name); + /* + * If we haven't found the name yet, chances are that the algorithm to + * be fetched is unsupported. + */ + if (id == 0) + unsupported = 1; + if (id == 0 || !ossl_method_store_cache_get(store, id, properties, &method)) { OSSL_METHOD_CONSTRUCT_METHOD mcm = { @@ -329,6 +352,7 @@ static OSSL_ENCODER *inner_ossl_encoder_fetch(OSSL_LIB_CTX *libctx, mcmdata.id = id; mcmdata.names = name; mcmdata.propquery = properties; + mcmdata.flag_construct_error_occured = 0; if ((method = ossl_method_construct(libctx, OSSL_OP_ENCODER, 0 /* !force_cache */, &mcm, &mcmdata)) != NULL) { @@ -343,6 +367,24 @@ static OSSL_ENCODER *inner_ossl_encoder_fetch(OSSL_LIB_CTX *libctx, ossl_method_store_cache_set(store, id, properties, method, up_ref_encoder, free_encoder); } + + /* + * If we never were in the constructor, the algorithm to be fetched + * is unsupported. + */ + unsupported = !mcmdata.flag_construct_error_occured; + } + + if (method == NULL) { + int code = unsupported ? ERR_R_UNSUPPORTED : ERR_R_FETCH_FAILED; + + if (name == NULL) + name = ossl_namemap_num2name(namemap, id, 0); + ERR_raise_data(ERR_LIB_OSSL_ENCODER, code, + "%s, Name (%s : %d), Properties (%s)", + ossl_lib_ctx_get_descriptor(libctx), + name = NULL ? "" : name, id, + properties == NULL ? "" : properties); } return method; diff --git a/crypto/err/err.c b/crypto/err/err.c index 9528158a08..bc7ce875d0 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -117,6 +117,15 @@ static ERR_STRING_DATA ERR_str_reasons[] = { {ERR_R_INVALID_PROVIDER_FUNCTIONS, "invalid provider functions"}, {ERR_R_INTERRUPTED_OR_CANCELLED, "interrupted or cancelled"}, + /* + * Something is unsupported, exactly what is expressed with additional data + */ + {ERR_R_UNSUPPORTED, "unsupported"}, + /* + * A fetch failed for other reasons than the name to be fetched being + * unsupported. + */ + {ERR_R_FETCH_FAILED, "fetch failed"}, {0, NULL}, }; #endif diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 4e36fc3394..bb200a7960 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -2554,7 +2554,6 @@ EVP_R_EXPECTING_A_ECX_KEY:219:expecting a ecx key EVP_R_EXPECTING_A_EC_KEY:142:expecting a ec key EVP_R_EXPECTING_A_POLY1305_KEY:164:expecting a poly1305 key EVP_R_EXPECTING_A_SIPHASH_KEY:175:expecting a siphash key -EVP_R_FETCH_FAILED:202:fetch failed EVP_R_FINAL_ERROR:188:final error EVP_R_FIPS_MODE_NOT_SUPPORTED:167:fips mode not supported EVP_R_GENERATE_ERROR:214:generate error @@ -3106,7 +3105,6 @@ SM2_R_INVALID_FIELD:105:invalid field SM2_R_INVALID_PRIVATE_KEY:113:invalid private key SM2_R_NO_PARAMETERS_SET:109:no parameters set SM2_R_USER_ID_TOO_LARGE:106:user id too large -SSL_R_ALGORITHM_FETCH_FAILED:295:algorithm fetch failed SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY:291:\ application data after close notify SSL_R_APP_DATA_IN_HANDSHAKE:100:app data in handshake diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c index 894f0cebcb..e08c373b33 100644 --- a/crypto/evp/evp_err.c +++ b/crypto/evp/evp_err.c @@ -71,7 +71,6 @@ static const ERR_STRING_DATA EVP_str_reasons[] = { "expecting a poly1305 key"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_EXPECTING_A_SIPHASH_KEY), "expecting a siphash key"}, - {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_FETCH_FAILED), "fetch failed"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_FINAL_ERROR), "final error"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_FIPS_MODE_NOT_SUPPORTED), "fips mode not supported"}, diff --git a/crypto/evp/evp_fetch.c b/crypto/evp/evp_fetch.c index 7a0a3fcda7..5d6d3dbb29 100644 --- a/crypto/evp/evp_fetch.c +++ b/crypto/evp/evp_fetch.c @@ -215,19 +215,6 @@ static void destruct_evp_method(void *method, void *data) methdata->destruct_method(method); } -static const char *libctx_descriptor(OSSL_LIB_CTX *libctx) -{ -#ifdef FIPS_MODULE - return "FIPS internal library context"; -#else - if (ossl_lib_ctx_is_global_default(libctx)) - return "Global default library context"; - if (ossl_lib_ctx_is_default(libctx)) - return "Thread-local default library context"; - return "Non-default library context"; -#endif -} - static void * inner_evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id, int name_id, const char *name, @@ -245,7 +232,7 @@ inner_evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id, int unsupported = 0; if (store == NULL || namemap == NULL) { - ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT); + ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_INVALID_ARGUMENT); return NULL; } @@ -254,7 +241,7 @@ inner_evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id, * programming error. */ if (!ossl_assert(operation_id > 0)) { - ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); + ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); return NULL; } @@ -263,7 +250,7 @@ inner_evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id, * internal programming error. */ if (!ossl_assert(name_id != 0 || name != NULL)) { - ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); + ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); return NULL; } @@ -280,7 +267,7 @@ inner_evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id, * For all intents and purposes, this is an internal error. */ if (name_id != 0 && (meth_id = evp_method_id(name_id, operation_id)) == 0) { - ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); + ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); return NULL; } @@ -337,14 +324,13 @@ inner_evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id, } if (method == NULL) { - int code = - unsupported ? EVP_R_UNSUPPORTED_ALGORITHM : EVP_R_FETCH_FAILED; + int code = unsupported ? ERR_R_UNSUPPORTED : ERR_R_FETCH_FAILED; if (name == NULL) name = ossl_namemap_num2name(namemap, name_id, 0); ERR_raise_data(ERR_LIB_EVP, code, "%s, Algorithm (%s : %d), Properties (%s)", - libctx_descriptor(libctx), + ossl_lib_ctx_get_descriptor(libctx), name = NULL ? "" : name, name_id, properties == NULL ? "" : properties); } diff --git a/crypto/store/store_meth.c b/crypto/store/store_meth.c index 166b885806..979f42a16d 100644 --- a/crypto/store/store_meth.c +++ b/crypto/store/store_meth.c @@ -92,6 +92,8 @@ struct loader_data_st { int scheme_id; /* For get_loader_from_store() */ const char *scheme; /* For get_loader_from_store() */ const char *propquery; /* For get_loader_from_store() */ + + unsigned int flag_construct_error_occured : 1; }; /* @@ -227,7 +229,7 @@ static void *loader_from_dispatch(int scheme_id, const OSSL_ALGORITHM *algodef, * then call loader_from_dispatch() with that identity number. */ static void *construct_loader(const OSSL_ALGORITHM *algodef, - OSSL_PROVIDER *prov, void *unused) + OSSL_PROVIDER *prov, void *data) { /* * This function is only called if get_loader_from_store() returned @@ -235,6 +237,7 @@ static void *construct_loader(const OSSL_ALGORITHM *algodef, * namemap entry, this is it. Should the scheme already exist there, we * know that ossl_namemap_add() will return its corresponding number. */ + struct loader_data_st *methdata = data; OSSL_LIB_CTX *libctx = ossl_provider_libctx(prov); OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); const char *scheme = algodef->algorithm_names; @@ -244,6 +247,14 @@ static void *construct_loader(const OSSL_ALGORITHM *algodef, if (id != 0) method = loader_from_dispatch(id, algodef, prov); + /* + * Flag to indicate that there was actual construction errors. This + * helps inner_evp_generic_fetch() determine what error it should + * record on inaccessible algorithms. + */ + if (method == NULL) + methdata->flag_construct_error_occured = 1; + return method; } @@ -261,20 +272,33 @@ static OSSL_STORE_LOADER *inner_loader_fetch(OSSL_LIB_CTX *libctx, OSSL_METHOD_STORE *store = get_loader_store(libctx); OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); void *method = NULL; + int unsupported = 0; - if (store == NULL || namemap == NULL) + if (store == NULL || namemap == NULL) { + ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_PASSED_INVALID_ARGUMENT); return NULL; + } /* * If we have been passed neither a scheme_id or a scheme, we have an * internal programming error. */ - if (!ossl_assert(id != 0 || scheme != NULL)) + if (!ossl_assert(id != 0 || scheme != NULL)) { + ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_INTERNAL_ERROR); return NULL; + } + /* If we haven't received a name id yet, try to get one for the name */ if (id == 0) id = ossl_namemap_name2num(namemap, scheme); + /* + * If we haven't found the name yet, chances are that the algorithm to + * be fetched is unsupported. + */ + if (id == 0) + unsupported = 1; + if (id == 0 || !ossl_method_store_cache_get(store, id, properties, &method)) { OSSL_METHOD_CONSTRUCT_METHOD mcm = { @@ -292,6 +316,7 @@ static OSSL_STORE_LOADER *inner_loader_fetch(OSSL_LIB_CTX *libctx, mcmdata.scheme_id = id; mcmdata.scheme = scheme; mcmdata.propquery = properties; + mcmdata.flag_construct_error_occured = 0; if ((method = ossl_method_construct(libctx, OSSL_OP_STORE, 0 /* !force_cache */, &mcm, &mcmdata)) != NULL) { @@ -305,6 +330,24 @@ static OSSL_STORE_LOADER *inner_loader_fetch(OSSL_LIB_CTX *libctx, ossl_method_store_cache_set(store, id, properties, method, up_ref_loader, free_loader); } + + /* + * If we never were in the constructor, the algorithm to be fetched + * is unsupported. + */ + unsupported = !mcmdata.flag_construct_error_occured; + } + + if (method == NULL) { + int code = unsupported ? ERR_R_UNSUPPORTED : ERR_R_FETCH_FAILED; + + if (scheme == NULL) + scheme = ossl_namemap_num2name(namemap, id, 0); + ERR_raise_data(ERR_LIB_OSSL_STORE, code, + "%s, Scheme (%s : %d), Properties (%s)", + ossl_lib_ctx_get_descriptor(libctx), + scheme = NULL ? "" : scheme, id, + properties == NULL ? "" : properties); } return method; diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h index eae10dfb6c..0267e3f82e 100644 --- a/include/internal/cryptlib.h +++ b/include/internal/cryptlib.h @@ -184,6 +184,7 @@ typedef void (ossl_lib_ctx_onfree_fn)(OSSL_LIB_CTX *ctx); int ossl_lib_ctx_run_once(OSSL_LIB_CTX *ctx, unsigned int idx, ossl_lib_ctx_run_once_fn run_once_fn); int ossl_lib_ctx_onfree(OSSL_LIB_CTX *ctx, ossl_lib_ctx_onfree_fn onfreefn); +const char *ossl_lib_ctx_get_descriptor(OSSL_LIB_CTX *libctx); OSSL_LIB_CTX *crypto_ex_data_get_ossl_lib_ctx(const CRYPTO_EX_DATA *ad); int crypto_new_ex_data_ex(OSSL_LIB_CTX *ctx, int class_index, void *obj, diff --git a/include/openssl/err.h.in b/include/openssl/err.h.in index deb6117d82..697186a288 100644 --- a/include/openssl/err.h.in +++ b/include/openssl/err.h.in @@ -355,6 +355,8 @@ static ossl_unused ossl_inline int ERR_COMMON_ERROR(unsigned long errcode) # define ERR_R_INTERRUPTED_OR_CANCELLED (265|ERR_RFLAG_COMMON) # define ERR_R_NESTED_ASN1_ERROR (266|ERR_RFLAG_COMMON) # define ERR_R_MISSING_ASN1_EOS (267|ERR_RFLAG_COMMON) +# define ERR_R_UNSUPPORTED (268|ERR_RFLAG_COMMON) +# define ERR_R_FETCH_FAILED (269|ERR_RFLAG_COMMON) typedef struct ERR_string_data_st { unsigned long error; diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h index 4e9989899f..c25cc49025 100644 --- a/include/openssl/evperr.h +++ b/include/openssl/evperr.h @@ -190,7 +190,6 @@ # define EVP_R_EXPECTING_A_EC_KEY 142 # define EVP_R_EXPECTING_A_POLY1305_KEY 164 # define EVP_R_EXPECTING_A_SIPHASH_KEY 175 -# define EVP_R_FETCH_FAILED 202 # define EVP_R_FINAL_ERROR 188 # define EVP_R_FIPS_MODE_NOT_SUPPORTED 167 # define EVP_R_GENERATE_ERROR 214 diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h index d2721d354c..24bb156344 100644 --- a/include/openssl/sslerr.h +++ b/include/openssl/sslerr.h @@ -458,7 +458,6 @@ /* * SSL reason codes. */ -# define SSL_R_ALGORITHM_FETCH_FAILED 295 # define SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY 291 # define SSL_R_APP_DATA_IN_HANDSHAKE 100 # define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272 @@ -513,7 +512,6 @@ # define SSL_R_CERT_LENGTH_MISMATCH 135 # define SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED 218 # define SSL_R_CIPHER_CODE_WRONG_LENGTH 137 -# define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138 # define SSL_R_CLIENTHELLO_TLSEXT 226 # define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140 # define SSL_R_COMPRESSION_DISABLED 343 diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index f1fb9dd987..02b0291dfa 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -251,7 +251,8 @@ int ssl3_setup_key_block(SSL *s) if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, NULL, NULL, &comp, 0)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); + /* Error is already recorded */ + SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); return 0; } diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 39db31bee6..8aeef5ffb3 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -15,8 +15,6 @@ #ifndef OPENSSL_NO_ERR static const ERR_STRING_DATA SSL_str_reasons[] = { - {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ALGORITHM_FETCH_FAILED), - "algorithm fetch failed"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY), "application data after close notify"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APP_DATA_IN_HANDSHAKE), @@ -90,8 +88,6 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { "ciphersuite digest has changed"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHER_CODE_WRONG_LENGTH), "cipher code wrong length"}, - {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHER_OR_HASH_UNAVAILABLE), - "cipher or hash unavailable"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CLIENTHELLO_TLSEXT), "clienthello tlsext"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSED_LENGTH_TOO_LONG), "compressed length too long"}, diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c index 009f370f97..a70f8bc53c 100644 --- a/ssl/statem/statem.c +++ b/ssl/statem/statem.c @@ -111,6 +111,18 @@ void ossl_statem_set_renegotiate(SSL *s) s->statem.request_state = TLS_ST_SW_HELLO_REQ; } +void ossl_statem_send_fatal(SSL *s, int al) +{ + /* We shouldn't call SSLfatal() twice. Once is enough */ + if (s->statem.in_init && s->statem.state == MSG_FLOW_ERROR) + return; + s->statem.in_init = 1; + s->statem.state = MSG_FLOW_ERROR; + if (al != SSL_AD_NO_ALERT + && s->statem.enc_write_state != ENC_WRITE_STATE_INVALID) + ssl3_send_alert(s, SSL3_AL_FATAL, al); +} + /* * Error reporting building block that's used instead of ERR_set_error(). * In addition to what ERR_set_error() does, this puts the state machine @@ -125,14 +137,7 @@ void ossl_statem_fatal(SSL *s, int al, int reason, const char *fmt, ...) ERR_vset_error(ERR_LIB_SSL, reason, fmt, args); va_end(args); - /* We shouldn't call SSLfatal() twice. Once is enough */ - if (s->statem.in_init && s->statem.state == MSG_FLOW_ERROR) - return; - s->statem.in_init = 1; - s->statem.state = MSG_FLOW_ERROR; - if (al != SSL_AD_NO_ALERT - && s->statem.enc_write_state != ENC_WRITE_STATE_INVALID) - ssl3_send_alert(s, SSL3_AL_FATAL, al); + ossl_statem_send_fatal(s, al); } /* diff --git a/ssl/statem/statem.h b/ssl/statem/statem.h index 72d10dffcf..d435cfe704 100644 --- a/ssl/statem/statem.h +++ b/ssl/statem/statem.h @@ -132,8 +132,10 @@ __owur int ossl_statem_accept(SSL *s); __owur int ossl_statem_connect(SSL *s); void ossl_statem_clear(SSL *s); void ossl_statem_set_renegotiate(SSL *s); +void ossl_statem_send_fatal(SSL *s, int al); void ossl_statem_fatal(SSL *s, int al, int reason, const char *fmt, ...); # define SSL_AD_NO_ALERT -1 +# define SSLfatal_alert(s, al) ossl_statem_send_fatal((s), (al)) # define SSLfatal(s, al, r) SSLfatal_data((s), (al), (r), NULL) # define SSLfatal_data \ (ERR_new(), \ diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 875ea59589..045db8265e 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2557,7 +2557,8 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) */ sha256 = EVP_MD_fetch(s->ctx->libctx, "SHA2-256", s->ctx->propq); if (sha256 == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_ALGORITHM_FETCH_FAILED); + /* Error is already recorded */ + SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); goto err; } /* diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index cc09a23960..597456ae83 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -3776,7 +3776,8 @@ static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add, s->ctx->propq); if (cipher == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_ALGORITHM_FETCH_FAILED); + /* Error is already recorded */ + SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); goto err; } diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 8a403a1e14..b02961e0eb 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -539,7 +539,8 @@ int tls1_setup_key_block(SSL *s) if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, &mac_type, &mac_secret_size, &comp, s->ext.use_etm)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); + /* Error is already recorded */ + SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); return 0; } diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index c53d374b69..62adddea26 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -383,7 +383,8 @@ int tls13_setup_key_block(SSL *s) s->session->cipher = s->s3.tmp.new_cipher; if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, NULL, NULL, NULL, 0)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); + /* Error is already recorded */ + SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); return 0; } @@ -595,8 +596,8 @@ int tls13_change_cipher_state(SSL *s, int which) * it again */ if (!ssl_cipher_get_evp_cipher(s->ctx, sslcipher, &cipher)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, - SSL_R_ALGORITHM_FETCH_FAILED); + /* Error is already recorded */ + SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); EVP_MD_CTX_free(mdctx); goto err; } diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c index 9dab53baf6..9d80fe5fc4 100644 --- a/test/tls13secretstest.c +++ b/test/tls13secretstest.c @@ -198,6 +198,10 @@ const EVP_MD *ssl_md(SSL_CTX *ctx, int idx) return EVP_sha256(); } +void ossl_statem_send_fatal(SSL *s, int al) +{ +} + void ossl_statem_fatal(SSL *s, int al, int reason, const char *fmt, ...) { } From openssl at openssl.org Tue Jan 12 21:18:32 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 12 Jan 2021 21:18:32 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2 Message-ID: <1610486312.138702.3269006.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: e211d949cd doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code. 42141197a1 Fix for negative return value from `SSL_CTX_sess_accept()` 732e24bb14 Fix simpledynamic test compilation when condigured without DSO support. 6d4313f03e replace 'unsigned const char' with 'const unsigned char' 1330093b9c [test][pkey_check] Add more invalid SM2 key tests 9e49aff2aa Add SM2 private key range validation 4554988e58 [test][pkey_check] Add invalid SM2 key test ed37336b63 [apps/pkey] Return error on failed `-[pub]check` c5bc5ec849 [test] Add `pkey -check` validation tests becbacd705 Adding TLS group name retrieval 22aa4a3afb [crypto/dh] side channel hardening for computing DH shared keys d0afb30ef3 Ensure DTLS free functions can handle NULL 3d0b6494d5 Remove extra space. 981b4b9572 Fixed error and return code. 1c47539a23 Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites. c1e8a0c66e Fix set_ciphersuites ignore unknown ciphers. a86add03ab Prepare for 3.0 alpha 11 cae118f938 Prepare for release of 3.0 alpha 10 bd0c71298a Update copyright year Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 80F12EB0D17F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80F12EB0D17F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/f_kGTV1sku default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80E113EC807F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80E113EC807F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80E113EC807F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80E113EC807F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80E113EC807F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80E113EC807F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/f_kGTV1sku fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=228, Tests=3564, 915 wallclock secs (13.99 usr 1.42 sys + 825.83 cusr 87.40 csys = 928.64 CPU) Result: FAIL make[1]: *** [Makefile:3247: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2' make: *** [Makefile:3244: tests] Error 2 From openssl at openssl.org Tue Jan 12 23:43:15 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 12 Jan 2021 23:43:15 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method Message-ID: <1610494995.521898.3571562.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: e211d949cd doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free() instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code. 42141197a1 Fix for negative return value from `SSL_CTX_sess_accept()` 732e24bb14 Fix simpledynamic test compilation when condigured without DSO support. 6d4313f03e replace 'unsigned const char' with 'const unsigned char' 1330093b9c [test][pkey_check] Add more invalid SM2 key tests 9e49aff2aa Add SM2 private key range validation 4554988e58 [test][pkey_check] Add invalid SM2 key test ed37336b63 [apps/pkey] Return error on failed `-[pub]check` c5bc5ec849 [test] Add `pkey -check` validation tests becbacd705 Adding TLS group name retrieval 22aa4a3afb [crypto/dh] side channel hardening for computing DH shared keys d0afb30ef3 Ensure DTLS free functions can handle NULL 3d0b6494d5 Remove extra space. 981b4b9572 Fixed error and return code. 1c47539a23 Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites. c1e8a0c66e Fix set_ciphersuites ignore unknown ciphers. a86add03ab Prepare for 3.0 alpha 11 cae118f938 Prepare for release of 3.0 alpha 10 bd0c71298a Update copyright year Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 80F18CB6487F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80F18CB6487F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/o9b3WtF_Ol default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80313AEF6C7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80313AEF6C7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80313AEF6C7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80313AEF6C7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80313AEF6C7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80313AEF6C7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/o9b3WtF_Ol fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=228, Tests=3564, 948 wallclock secs (14.44 usr 1.42 sys + 854.89 cusr 90.92 csys = 961.67 CPU) Result: FAIL make[1]: *** [Makefile:3256: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2-method' make: *** [Makefile:3253: tests] Error 2 From dev at ddvo.net Wed Jan 13 08:10:29 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Wed, 13 Jan 2021 08:10:29 +0000 Subject: [openssl] master update Message-ID: <1610525429.789466.14818.nullmailer@dev.openssl.org> The branch master has been updated via 4dd009180a06ad973620c5beec28f2a6839c16ca (commit) via 0cbb3602f542bb670d8f2f8d8d51ef8174af4994 (commit) via 0b7368dda011611855c66543f0b9c66b5bd646d1 (commit) via bf973d0697e61a44dc46d08b0421a08a8cb61887 (commit) from 5a2d0ef36f4c130758a9d5e84f93004458e3ce60 (commit) - Log ----------------------------------------------------------------- commit 4dd009180a06ad973620c5beec28f2a6839c16ca Author: Dr. David von Oheimb Date: Mon Dec 28 11:25:59 2020 +0100 x509_vfy.c: Fix a regression in find_issuer() ...in case the candidate issuer cert is identical to the target cert. This is the v3.0.0 variant of #13749 fixing #13739 for v1.1.1. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13762) commit 0cbb3602f542bb670d8f2f8d8d51ef8174af4994 Author: Dr. David von Oheimb Date: Tue Dec 29 12:37:05 2020 +0100 Make PEM_X509_INFO_read_bio_ex() conservative on the error queue Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13762) commit 0b7368dda011611855c66543f0b9c66b5bd646d1 Author: Dr. David von Oheimb Date: Mon Dec 28 19:45:01 2020 +0100 TEST: move cert, key, and CSR loading aux functions to new testutil/load.c Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13762) commit bf973d0697e61a44dc46d08b0421a08a8cb61887 Author: Dr. David von Oheimb Date: Mon Dec 28 11:27:31 2020 +0100 Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 Deprecate X509_NAME_hash() Document X509_NAME_hash_ex(), X509_NAME_hash(), X509_{subject,issuer}_name_hash() Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13762) ----------------------------------------------------------------------- Summary of changes: apps/crl.c | 17 +++- apps/rehash.c | 19 +++- crypto/pem/pem_info.c | 13 ++- crypto/x509/by_dir.c | 5 +- crypto/x509/x509_cmp.c | 27 +++--- crypto/x509/x509_vfy.c | 19 ++-- doc/man3/X509_LOOKUP_hash_dir.pod | 4 +- doc/man3/X509_get_subject_name.pod | 58 +++++++++--- engines/e_loader_attic.c | 3 +- include/openssl/x509.h.in | 6 +- providers/implementations/storemgmt/file_store.c | 7 +- ssl/ssl_cert.c | 3 +- test/build.info | 2 +- test/cmp_client_test.c | 10 +- test/cmp_msg_test.c | 10 +- test/cmp_protect_test.c | 14 +-- test/cmp_vfy_test.c | 16 ++-- test/helpers/cmp_testlib.c | 42 --------- test/helpers/cmp_testlib.h | 3 - test/helpers/pkcs12.c | 16 ++-- test/http_test.c | 16 +--- test/testutil.h | 7 ++ test/testutil/load.c | 97 +++++++++++++++++++ test/verify_extra_test.c | 113 ++++++----------------- util/find-doc-nits | 2 +- util/libcrypto.num | 2 +- util/missingcrypto.txt | 1 - util/other.syms | 1 + 28 files changed, 296 insertions(+), 237 deletions(-) create mode 100644 test/testutil/load.c diff --git a/apps/crl.c b/apps/crl.c index 0daded01e3..58d63e71d5 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -287,22 +287,33 @@ int crl_main(int argc, char **argv) } if (crlnumber == i) { ASN1_INTEGER *crlnum; + crlnum = X509_CRL_get_ext_d2i(x, NID_crl_number, NULL, NULL); BIO_printf(bio_out, "crlNumber="); if (crlnum) { BIO_puts(bio_out, "0x"); i2a_ASN1_INTEGER(bio_out, crlnum); ASN1_INTEGER_free(crlnum); - } else + } else { BIO_puts(bio_out, ""); + } BIO_printf(bio_out, "\n"); } if (hash == i) { - BIO_printf(bio_out, "%08lx\n", - X509_NAME_hash(X509_CRL_get_issuer(x))); + int ok; + unsigned long hash_value = + X509_NAME_hash_ex(X509_CRL_get_issuer(x), app_get0_libctx(), + app_get0_propq(), &ok); + + BIO_printf(bio_out, "issuer name hash="); + if (ok) + BIO_printf(bio_out, "%08lx\n", hash_value); + else + BIO_puts(bio_out, ""); } #ifndef OPENSSL_NO_MD5 if (hash_old == i) { + BIO_printf(bio_out, "issuer name old hash="); BIO_printf(bio_out, "%08lx\n", X509_NAME_hash_old(X509_CRL_get_issuer(x))); } diff --git a/apps/rehash.c b/apps/rehash.c index 2b867d43cc..29dc76bc38 100644 --- a/apps/rehash.c +++ b/apps/rehash.c @@ -291,10 +291,23 @@ static int do_file(const char *filename, const char *fullpath, enum Hash h) goto end; } if (name != NULL) { - if ((h == HASH_NEW) || (h == HASH_BOTH)) - errs += add_entry(type, X509_NAME_hash(name), filename, digest, 1, ~0); + if (h == HASH_NEW || h == HASH_BOTH) { + int ok; + unsigned long hash_value = + X509_NAME_hash_ex(name, + app_get0_libctx(), app_get0_propq(), &ok); + + if (ok) { + errs += add_entry(type, hash_value, filename, digest, 1, ~0); + } else { + BIO_printf(bio_err, "%s: error calculating SHA1 hash value\n", + opt_getprog()); + errs++; + } + } if ((h == HASH_OLD) || (h == HASH_BOTH)) - errs += add_entry(type, X509_NAME_hash_old(name), filename, digest, 1, ~0); + errs += add_entry(type, X509_NAME_hash_old(name), + filename, digest, 1, ~0); } end: diff --git a/crypto/pem/pem_info.c b/crypto/pem/pem_info.c index 3911fdc5ee..3eda164121 100644 --- a/crypto/pem/pem_info.c +++ b/crypto/pem/pem_info.c @@ -48,10 +48,10 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk, } #endif -STACK_OF(X509_INFO) -*PEM_X509_INFO_read_bio_ex(BIO *bp, STACK_OF(X509_INFO) *sk, - pem_password_cb *cb, void *u, OSSL_LIB_CTX *libctx, - const char *propq) +STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio_ex(BIO *bp, STACK_OF(X509_INFO) *sk, + pem_password_cb *cb, void *u, + OSSL_LIB_CTX *libctx, + const char *propq) { X509_INFO *xi = NULL; char *name = NULL, *header = NULL; @@ -77,15 +77,18 @@ STACK_OF(X509_INFO) for (;;) { raw = 0; ptype = 0; + ERR_set_mark(); i = PEM_read_bio(bp, &name, &header, &data, &len); if (i == 0) { error = ERR_GET_REASON(ERR_peek_last_error()); if (error == PEM_R_NO_START_LINE) { - ERR_clear_error(); + ERR_pop_to_mark(); break; } + ERR_clear_last_mark(); goto err; } + ERR_clear_last_mark(); start: if ((strcmp(name, PEM_STRING_X509) == 0) || (strcmp(name, PEM_STRING_X509_OLD) == 0)) { diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c index 965625973c..ff1c875b4d 100644 --- a/crypto/x509/by_dir.c +++ b/crypto/x509/by_dir.c @@ -252,8 +252,9 @@ static int get_cert_by_subject_ex(X509_LOOKUP *xl, X509_LOOKUP_TYPE type, } ctx = (BY_DIR *)xl->method_data; - - h = X509_NAME_hash(name); + h = X509_NAME_hash_ex(name, libctx, propq, &i); + if (i == 0) + goto finish; for (i = 0; i < sk_BY_DIR_ENTRY_num(ctx->dirs); i++) { BY_DIR_ENTRY *ent; int idx; diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index 9c968b49b0..1231fb4be1 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -93,7 +93,7 @@ X509_NAME *X509_get_issuer_name(const X509 *a) unsigned long X509_issuer_name_hash(X509 *x) { - return X509_NAME_hash(x->cert_info.issuer); + return X509_NAME_hash_ex(x->cert_info.issuer, NULL, NULL, NULL); } #ifndef OPENSSL_NO_MD5 @@ -120,7 +120,7 @@ const ASN1_INTEGER *X509_get0_serialNumber(const X509 *a) unsigned long X509_subject_name_hash(X509 *x) { - return X509_NAME_hash(x->cert_info.subject); + return X509_NAME_hash_ex(x->cert_info.subject, NULL, NULL, NULL); } #ifndef OPENSSL_NO_MD5 @@ -250,20 +250,26 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) return ret < 0 ? -1 : ret > 0; } -unsigned long X509_NAME_hash(const X509_NAME *x) +unsigned long X509_NAME_hash_ex(const X509_NAME *x, OSSL_LIB_CTX *libctx, + const char *propq, int *ok) { unsigned long ret = 0; unsigned char md[SHA_DIGEST_LENGTH]; + EVP_MD *sha1 = EVP_MD_fetch(libctx, "SHA1", propq); /* Make sure X509_NAME structure contains valid cached encoding */ i2d_X509_NAME(x, NULL); - if (!EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(), - NULL)) - return 0; - - ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) | - ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L) - ) & 0xffffffffL; + if (ok != NULL) + *ok = 0; + if (sha1 != NULL + && EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, sha1, NULL)) { + ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) | + ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L) + ) & 0xffffffffL; + if (ok != NULL) + *ok = 1; + } + EVP_MD_free(sha1); return ret; } @@ -272,7 +278,6 @@ unsigned long X509_NAME_hash(const X509_NAME *x) * I now DER encode the name and hash it. Since I cache the DER encoding, * this is reasonably efficient. */ - unsigned long X509_NAME_hash_old(const X509_NAME *x) { EVP_MD *md5 = EVP_MD_fetch(NULL, OSSL_DIGEST_NAME_MD5, "-fips"); diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 3a5673b307..f5849a5603 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -136,7 +136,9 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) X509 *xtmp = NULL; int i; /* Lookup all certs with matching subject name */ + ERR_set_mark(); certs = ctx->lookup_certs(ctx, X509_get_subject_name(x)); + ERR_pop_to_mark(); if (certs == NULL) return NULL; /* Look for exact match */ @@ -314,9 +316,10 @@ static int sk_X509_contains(STACK_OF(X509) *sk, X509 *cert) } /* - * Find in given STACK_OF(X509) sk a non-expired issuer cert (if any) of given cert x. - * The issuer must not be the same as x and must not yet be in ctx->chain, where the - * exceptional case x is self-issued and ctx->chain has just one element is allowed. + * Find in given STACK_OF(X509) sk an issuer cert of given cert x. + * The issuer must not yet be in ctx->chain, where the exceptional case + * that x is self-issued and ctx->chain has just one element is allowed. + * Prefer the first one that is not expired, else take the last expired one. */ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { @@ -325,16 +328,12 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) for (i = 0; i < sk_X509_num(sk); i++) { issuer = sk_X509_value(sk, i); - /* - * Below check 'issuer != x' is an optimization and safety precaution: - * Candidate issuer cert cannot be the same as the subject cert 'x'. - */ - if (issuer != x && ctx->check_issued(ctx, x, issuer) + if (ctx->check_issued(ctx, x, issuer) && (((x->ex_flags & EXFLAG_SI) != 0 && sk_X509_num(ctx->chain) == 1) || !sk_X509_contains(ctx->chain, issuer))) { + if (x509_check_cert_time(ctx, issuer, -1)) + return issuer; rv = issuer; - if (x509_check_cert_time(ctx, rv, -1)) - break; } } return rv; diff --git a/doc/man3/X509_LOOKUP_hash_dir.pod b/doc/man3/X509_LOOKUP_hash_dir.pod index 5a660f100d..282b25807b 100644 --- a/doc/man3/X509_LOOKUP_hash_dir.pod +++ b/doc/man3/X509_LOOKUP_hash_dir.pod @@ -87,8 +87,8 @@ the directory. The directory should contain one certificate or CRL per file in PEM format, with a filename of the form I.I for a certificate, or I.BI for a CRL. -The I is the value returned by the L function applied -to the subject name for certificates or issuer name for CRLs. +The I is the value returned by the L function +applied to the subject name for certificates or issuer name for CRLs. The hash can also be obtained via the B<-hash> option of the L or L commands. diff --git a/doc/man3/X509_get_subject_name.pod b/doc/man3/X509_get_subject_name.pod index a9c8fb1d87..5a4ff47554 100644 --- a/doc/man3/X509_get_subject_name.pod +++ b/doc/man3/X509_get_subject_name.pod @@ -2,20 +2,29 @@ =head1 NAME -X509_get_subject_name, X509_set_subject_name, X509_get_issuer_name, -X509_set_issuer_name, X509_REQ_get_subject_name, X509_REQ_set_subject_name, -X509_CRL_get_issuer, X509_CRL_set_issuer_name - get and set issuer or -subject names +X509_NAME_hash_ex, X509_NAME_hash, +X509_get_subject_name, X509_set_subject_name, X509_subject_name_hash, +X509_get_issuer_name, X509_set_issuer_name, X509_issuer_name_hash, +X509_REQ_get_subject_name, X509_REQ_set_subject_name, +X509_CRL_get_issuer, X509_CRL_set_issuer_name - +get X509_NAME hashes or get and set issuer or subject names =head1 SYNOPSIS #include + unsigned long X509_NAME_hash_ex(const X509_NAME *x, OSSL_LIB_CTX *libctx, + const char *propq, int *ok); +Deprecated since OpenSSL 3.0: + #define X509_NAME_hash(x) X509_NAME_hash_ex(x, NULL, NULL, NULL) + X509_NAME *X509_get_subject_name(const X509 *x); int X509_set_subject_name(X509 *x, const X509_NAME *name); + unsigned long X509_subject_name_hash(X509 *x); X509_NAME *X509_get_issuer_name(const X509 *x); int X509_set_issuer_name(X509 *x, const X509_NAME *name); + unsigned long X509_issuer_name_hash(X509 *x); X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req); int X509_REQ_set_subject_name(X509_REQ *req, const X509_NAME *name); @@ -25,16 +34,29 @@ subject names =head1 DESCRIPTION -X509_get_subject_name() returns the subject name of certificate B. The +X509_NAME_hash_ex() returns a hash value of name I or 0 on failure, +using any given library context I and property query I. +The I result argument may be NULL +or else is used to return 1 for success and 0 for failure. +Failure may happen on malloc error or if no SHA1 implementation is available. + +X509_NAME_hash() returns a hash value of name I or 0 on failure, +using the default library context and default property query. + +X509_get_subject_name() returns the subject name of certificate I. The returned value is an internal pointer which B be freed. -X509_set_subject_name() sets the issuer name of certificate B to -B. The B parameter is copied internally and should be freed +X509_set_subject_name() sets the issuer name of certificate I to +I. The I parameter is copied internally and should be freed up when it is no longer needed. -X509_get_issuer_name() and X509_set_issuer_name() are identical to -X509_get_subject_name() and X509_set_subject_name() except the get and -set the issuer name of B. +X509_subject_name_hash() returns a hash value of the subject name of +certificate I. + +X509_get_issuer_name(), X509_set_issuer_name(), and X509_issuer_name_hash() +are identical to +X509_get_subject_name(), X509_set_subject_name(), and X509_subject_name_hash() +except they relate to the issuer name of I. Similarly X509_REQ_get_subject_name(), X509_REQ_set_subject_name(), X509_CRL_get_issuer() and X509_CRL_set_issuer_name() get or set the subject @@ -45,9 +67,21 @@ or issuer names of certificate requests of CRLs respectively. X509_get_subject_name(), X509_get_issuer_name(), X509_REQ_get_subject_name() and X509_CRL_get_issuer() return an B pointer. +X509_NAME_hash_ex(), X509_NAME_hash(), +X509_subject_name_hash() and X509_issuer_name_hash() +return the first four bytes of the SHA1 hash value, +converted to B in little endian order, +or 0 on failure. + X509_set_subject_name(), X509_set_issuer_name(), X509_REQ_set_subject_name() and X509_CRL_set_issuer_name() return 1 for success and 0 for failure. +=head1 BUGS + +In case X509_NAME_hash(), X509_subject_name_hash(), or X509_issuer_name_hash() +returns 0 it remains unclear if this is the real hash value or due to failure. +Better use X509_NAME_hash_ex() instead. + =head1 SEE ALSO L, @@ -74,9 +108,11 @@ earlier versions. X509_CRL_get_issuer() is a function in OpenSSL 1.1.0. It was previously added in OpenSSL 1.0.0 as a macro. +X509_NAME_hash() was turned into a macro and deprecated in OpenSSL 3.0. + =head1 COPYRIGHT -Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/engines/e_loader_attic.c b/engines/e_loader_attic.c index 586a21df41..0a738b0ff7 100644 --- a/engines/e_loader_attic.c +++ b/engines/e_loader_attic.c @@ -1155,7 +1155,8 @@ static int file_find(OSSL_STORE_LOADER_CTX *ctx, return 0; } - hash = X509_NAME_hash(OSSL_STORE_SEARCH_get0_name(search)); + hash = X509_NAME_hash_ex(OSSL_STORE_SEARCH_get0_name(search), + NULL, NULL, NULL); BIO_snprintf(ctx->_.dir.search_name, sizeof(ctx->_.dir.search_name), "%08lx", hash); return 1; diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in index 825c941aeb..1d9ca63405 100644 --- a/include/openssl/x509.h.in +++ b/include/openssl/x509.h.in @@ -824,7 +824,11 @@ int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags); int X509_cmp(const X509 *a, const X509 *b); int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b); -unsigned long X509_NAME_hash(const X509_NAME *x); +#ifndef OPENSSL_NO_DEPRECATED_3_0 +# define X509_NAME_hash(x) X509_NAME_hash_ex(x, NULL, NULL, NULL) +#endif +unsigned long X509_NAME_hash_ex(const X509_NAME *x, OSSL_LIB_CTX *libctx, + const char *propq, int *ok); unsigned long X509_NAME_hash_old(const X509_NAME *x); int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b); diff --git a/providers/implementations/storemgmt/file_store.c b/providers/implementations/storemgmt/file_store.c index 5607f169cc..15af70218c 100644 --- a/providers/implementations/storemgmt/file_store.c +++ b/providers/implementations/storemgmt/file_store.c @@ -471,6 +471,7 @@ static int file_set_ctx_params(void *loaderctx, const OSSL_PARAM params[]) size_t der_len = 0; X509_NAME *x509_name; unsigned long hash; + int ok; if (ctx->type != IS_DIR) { ERR_raise(ERR_LIB_PROV, @@ -481,10 +482,14 @@ static int file_set_ctx_params(void *loaderctx, const OSSL_PARAM params[]) if (!OSSL_PARAM_get_octet_string_ptr(p, (const void **)&der, &der_len) || (x509_name = d2i_X509_NAME(NULL, &der, der_len)) == NULL) return 0; - hash = X509_NAME_hash(x509_name); + hash = X509_NAME_hash_ex(x509_name, + ossl_prov_ctx_get0_libctx(ctx->provctx), NULL, + &ok); BIO_snprintf(ctx->_.dir.search_name, sizeof(ctx->_.dir.search_name), "%08lx", hash); X509_NAME_free(x509_name); + if (ok == 0) + return 0; } return 1; } diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 4f085dd7e6..967f004bb0 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -601,7 +601,8 @@ static int xname_sk_cmp(const X509_NAME *const *a, const X509_NAME *const *b) static unsigned long xname_hash(const X509_NAME *a) { - return X509_NAME_hash((X509_NAME *)a); + /* This returns 0 also if SHA1 is not available */ + return X509_NAME_hash_ex((X509_NAME *)a, NULL, NULL, NULL); } STACK_OF(X509_NAME) *SSL_load_client_CA_file_ex(const char *file, diff --git a/test/build.info b/test/build.info index 81f9b9cb66..a8f60c385b 100644 --- a/test/build.info +++ b/test/build.info @@ -20,7 +20,7 @@ IF[{- !$disabled{tests} -}] LIBS{noinst,has_main}=libtestutil.a SOURCE[libtestutil.a]=testutil/basic_output.c testutil/output.c \ testutil/driver.c testutil/tests.c testutil/cb.c testutil/stanza.c \ - testutil/format_output.c \ + testutil/format_output.c testutil/load.c \ testutil/test_cleanup.c testutil/main.c testutil/testutil_init.c \ testutil/options.c testutil/test_options.c testutil/provider.c \ testutil/apps_mem.c testutil/random.c $LIBAPPSSRC diff --git a/test/cmp_client_test.c b/test/cmp_client_test.c index efb185402b..e2c0ca5534 100644 --- a/test/cmp_client_test.c +++ b/test/cmp_client_test.c @@ -226,7 +226,7 @@ static int test_exec_P10CR_ses(void) SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up); fixture->req_type = OSSL_CMP_P10CR; fixture->expected = 1; - if (!TEST_ptr(req = load_csr(pkcs10_f)) + if (!TEST_ptr(req = load_csr_der(pkcs10_f)) || !TEST_true(OSSL_CMP_CTX_set1_p10CSR(fixture->cmp_ctx, req))) { tear_down(fixture); fixture = NULL; @@ -369,10 +369,10 @@ int setup_tests(void) if (!test_arg_libctx(&libctx, &default_null_provider, &provider, 5, USAGE)) return 0; - if (!TEST_ptr(server_key = load_pem_key(server_key_f, libctx)) - || !TEST_ptr(server_cert = load_pem_cert(server_cert_f, libctx)) - || !TEST_ptr(client_key = load_pem_key(client_key_f, libctx)) - || !TEST_ptr(client_cert = load_pem_cert(client_cert_f, libctx)) + if (!TEST_ptr(server_key = load_pkey_pem(server_key_f, libctx)) + || !TEST_ptr(server_cert = load_cert_pem(server_cert_f, libctx)) + || !TEST_ptr(client_key = load_pkey_pem(client_key_f, libctx)) + || !TEST_ptr(client_cert = load_cert_pem(client_cert_f, libctx)) || !TEST_int_eq(1, RAND_bytes_ex(libctx, ref, sizeof(ref)))) { cleanup_tests(); return 0; diff --git a/test/cmp_msg_test.c b/test/cmp_msg_test.c index 0b56d66d45..696679980f 100644 --- a/test/cmp_msg_test.c +++ b/test/cmp_msg_test.c @@ -226,7 +226,7 @@ static int test_cmp_create_p10cr(void) fixture->bodytype = OSSL_CMP_PKIBODY_P10CR; fixture->err_code = CMP_R_ERROR_CREATING_CERTREQ; fixture->expected = 1; - if (!TEST_ptr(p10cr = load_csr(pkcs10_f)) + if (!TEST_ptr(p10cr = load_csr_der(pkcs10_f)) || !TEST_true(set1_newPkey(ctx, newkey)) || !TEST_true(OSSL_CMP_CTX_set1_p10CSR(ctx, p10cr))) { tear_down(fixture); @@ -504,8 +504,8 @@ static int test_cmp_pkimessage_create(int bodytype) switch (fixture->bodytype = bodytype) { case OSSL_CMP_PKIBODY_P10CR: fixture->expected = 1; - if (!TEST_true(OSSL_CMP_CTX_set1_p10CSR(fixture->cmp_ctx, - p10cr = load_csr(pkcs10_f)))) { + p10cr = load_csr_der(pkcs10_f); + if (!TEST_true(OSSL_CMP_CTX_set1_p10CSR(fixture->cmp_ctx, p10cr))) { tear_down(fixture); fixture = NULL; } @@ -564,8 +564,8 @@ int setup_tests(void) if (!test_arg_libctx(&libctx, &default_null_provider, &provider, 3, USAGE)) return 0; - if (!TEST_ptr(newkey = load_pem_key(newkey_f, libctx)) - || !TEST_ptr(cert = load_pem_cert(server_cert_f, libctx)) + if (!TEST_ptr(newkey = load_pkey_pem(newkey_f, libctx)) + || !TEST_ptr(cert = load_cert_pem(server_cert_f, libctx)) || !TEST_int_eq(1, RAND_bytes_ex(libctx, ref, sizeof(ref)))) { cleanup_tests(); return 0; diff --git a/test/cmp_protect_test.c b/test/cmp_protect_test.c index d4acb716e7..cc8aabb14d 100644 --- a/test/cmp_protect_test.c +++ b/test/cmp_protect_test.c @@ -541,21 +541,21 @@ int setup_tests(void) if (!test_arg_libctx(&libctx, &default_null_provider, &provider, 10, USAGE)) return 0; - if (!TEST_ptr(loadedkey = load_pem_key(server_key_f, libctx)) - || !TEST_ptr(cert = load_pem_cert(server_cert_f, libctx))) + if (!TEST_ptr(loadedkey = load_pkey_pem(server_key_f, libctx)) + || !TEST_ptr(cert = load_cert_pem(server_cert_f, libctx))) return 0; - if (!TEST_ptr(loadedprivkey = load_pem_key(server_f, libctx))) + if (!TEST_ptr(loadedprivkey = load_pkey_pem(server_f, libctx))) return 0; if (TEST_true(EVP_PKEY_up_ref(loadedprivkey))) loadedpubkey = loadedprivkey; if (!TEST_ptr(ir_protected = load_pkimsg(ir_protected_f)) || !TEST_ptr(ir_unprotected = load_pkimsg(ir_unprotected_f))) return 0; - if (!TEST_ptr(endentity1 = load_pem_cert(endentity1_f, libctx)) - || !TEST_ptr(endentity2 = load_pem_cert(endentity2_f, libctx)) - || !TEST_ptr(root = load_pem_cert(root_f, libctx)) - || !TEST_ptr(intermediate = load_pem_cert(intermediate_f, libctx))) + if (!TEST_ptr(endentity1 = load_cert_pem(endentity1_f, libctx)) + || !TEST_ptr(endentity2 = load_cert_pem(endentity2_f, libctx)) + || !TEST_ptr(root = load_cert_pem(root_f, libctx)) + || !TEST_ptr(intermediate = load_cert_pem(intermediate_f, libctx))) return 0; if (!TEST_int_eq(1, RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH))) return 0; diff --git a/test/cmp_vfy_test.c b/test/cmp_vfy_test.c index d45c938335..646d1a9aa1 100644 --- a/test/cmp_vfy_test.c +++ b/test/cmp_vfy_test.c @@ -604,19 +604,19 @@ int setup_tests(void) return 0; /* Load certificates for cert chain */ - if (!TEST_ptr(endentity1 = load_pem_cert(endentity1_f, libctx)) - || !TEST_ptr(endentity2 = load_pem_cert(endentity2_f, libctx)) - || !TEST_ptr(root = load_pem_cert(root_f, NULL)) - || !TEST_ptr(intermediate = load_pem_cert(intermediate_f, libctx))) + if (!TEST_ptr(endentity1 = load_cert_pem(endentity1_f, libctx)) + || !TEST_ptr(endentity2 = load_cert_pem(endentity2_f, libctx)) + || !TEST_ptr(root = load_cert_pem(root_f, NULL)) + || !TEST_ptr(intermediate = load_cert_pem(intermediate_f, libctx))) goto err; - if (!TEST_ptr(insta_cert = load_pem_cert(instacert_f, libctx)) - || !TEST_ptr(instaca_cert = load_pem_cert(instaca_f, libctx))) + if (!TEST_ptr(insta_cert = load_cert_pem(instacert_f, libctx)) + || !TEST_ptr(instaca_cert = load_cert_pem(instaca_f, libctx))) goto err; /* Load certificates for message validation */ - if (!TEST_ptr(srvcert = load_pem_cert(server_f, libctx)) - || !TEST_ptr(clcert = load_pem_cert(client_f, libctx))) + if (!TEST_ptr(srvcert = load_cert_pem(server_f, libctx)) + || !TEST_ptr(clcert = load_cert_pem(client_f, libctx))) goto err; if (!TEST_int_eq(1, RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH))) goto err; diff --git a/test/helpers/cmp_testlib.c b/test/helpers/cmp_testlib.c index 627b73c3b1..3c58f69b0c 100644 --- a/test/helpers/cmp_testlib.c +++ b/test/helpers/cmp_testlib.c @@ -12,36 +12,6 @@ #include "cmp_testlib.h" #include /* needed in case config no-deprecated */ -EVP_PKEY *load_pem_key(const char *file, OSSL_LIB_CTX *libctx) -{ - EVP_PKEY *key = NULL; - BIO *bio = NULL; - - if (!TEST_ptr(bio = BIO_new(BIO_s_file()))) - return NULL; - if (TEST_int_gt(BIO_read_filename(bio, file), 0)) - (void)TEST_ptr(key = PEM_read_bio_PrivateKey_ex(bio, NULL, NULL, NULL, - libctx, NULL)); - - BIO_free(bio); - return key; -} - -X509 *load_pem_cert(const char *file, OSSL_LIB_CTX *libctx) -{ - X509 *cert = NULL; - BIO *bio = NULL; - - if (!TEST_ptr(bio = BIO_new(BIO_s_file()))) - return NULL; - if (TEST_int_gt(BIO_read_filename(bio, file), 0) - && TEST_ptr(cert = X509_new_ex(libctx, NULL))) - (void)TEST_ptr(cert = PEM_read_bio_X509(bio, &cert, NULL, NULL)); - - BIO_free(bio); - return cert; -} - OSSL_CMP_MSG *load_pkimsg(const char *file) { OSSL_CMP_MSG *msg; @@ -50,18 +20,6 @@ OSSL_CMP_MSG *load_pkimsg(const char *file) return msg; } -X509_REQ *load_csr(const char *file) -{ - X509_REQ *csr = NULL; - BIO *bio = NULL; - - if (!TEST_ptr(file) || !TEST_ptr(bio = BIO_new_file(file, "rb"))) - return NULL; - (void)TEST_ptr(csr = d2i_X509_REQ_bio(bio, NULL)); - BIO_free(bio); - return csr; -} - /* * Checks whether the syntax of msg conforms to ASN.1 */ diff --git a/test/helpers/cmp_testlib.h b/test/helpers/cmp_testlib.h index 0bee099a67..b33c1b5400 100644 --- a/test/helpers/cmp_testlib.h +++ b/test/helpers/cmp_testlib.h @@ -22,9 +22,6 @@ # ifndef OPENSSL_NO_CMP # define CMP_TEST_REFVALUE_LENGTH 15 /* arbitrary value */ -EVP_PKEY *load_pem_key(const char *file, OSSL_LIB_CTX *libctx); -X509 *load_pem_cert(const char *file, OSSL_LIB_CTX *libctx); -X509_REQ *load_csr(const char *file); OSSL_CMP_MSG *load_pkimsg(const char *file); int valid_asn1_encoding(const OSSL_CMP_MSG *msg); int STACK_OF_X509_cmp(const STACK_OF(X509) *sk1, const STACK_OF(X509) *sk2); diff --git a/test/helpers/pkcs12.c b/test/helpers/pkcs12.c index 6489609d25..1c3a80c5c6 100644 --- a/test/helpers/pkcs12.c +++ b/test/helpers/pkcs12.c @@ -28,9 +28,6 @@ int write_files = 0; * Local function declarations */ -static X509 *load_cert(const unsigned char *bytes, int len); -static EVP_PKEY *load_pkey(const unsigned char *bytes, int len); - static int add_attributes(PKCS12_SAFEBAG *bag, const PKCS12_ATTR *attrs); static void generate_p12(PKCS12_BUILDER *pb, const PKCS12_ENC *mac); @@ -47,7 +44,7 @@ static int check_attrs(const STACK_OF(X509_ATTRIBUTE) *bag_attrs, const PKCS12_A * Test data load functions */ -static X509 *load_cert(const unsigned char *bytes, int len) +static X509 *load_cert_asn1(const unsigned char *bytes, int len) { X509 *cert = NULL; @@ -58,7 +55,7 @@ err: return cert; } -static EVP_PKEY *load_pkey(const unsigned char *bytes, int len) +static EVP_PKEY *load_pkey_asn1(const unsigned char *bytes, int len) { EVP_PKEY *pkey = NULL; @@ -69,7 +66,6 @@ err: return pkey; } - /* ------------------------------------------------------------------------- * PKCS12 builder */ @@ -333,7 +329,7 @@ void add_certbag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len, if (!pb->success) return; - cert = load_cert(bytes, len); + cert = load_cert_asn1(bytes, len); if (!TEST_ptr(cert)) { pb->success = 0; return; @@ -368,7 +364,7 @@ void add_keybag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len, TEST_info("Adding key"); - pkey = load_pkey(bytes, len); + pkey = load_pkey_asn1(bytes, len); if (!TEST_ptr(pkey)) { pb->success = 0; return; @@ -511,7 +507,7 @@ void check_certbag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len, pb->success = 0; goto err; } - ref_x509 = load_cert(bytes, len); + ref_x509 = load_cert_asn1(bytes, len); if (!TEST_false(X509_cmp(x509, ref_x509))) pb->success = 0; err: @@ -574,7 +570,7 @@ void check_keybag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len, } /* PKEY compare returns 1 for match */ - ref_pkey = load_pkey(bytes, len); + ref_pkey = load_pkey_asn1(bytes, len); if (!TEST_true(EVP_PKEY_eq(pkey, ref_pkey))) pb->success = 0; err: diff --git a/test/http_test.c b/test/http_test.c index 437fca97dc..e95249d21b 100644 --- a/test/http_test.c +++ b/test/http_test.c @@ -22,20 +22,6 @@ static X509 *x509 = NULL; #define RPATH "path/any.crt" static const char *rpath; -static X509 *load_pem_cert(const char *file) -{ - X509 *cert = NULL; - BIO *bio = NULL; - - if (!TEST_ptr(bio = BIO_new(BIO_s_file()))) - return NULL; - if (TEST_int_gt(BIO_read_filename(bio, file), 0)) - (void)TEST_ptr(cert = PEM_read_bio_X509(bio, NULL, NULL, NULL)); - - BIO_free(bio); - return cert; -} - /* * pretty trivial HTTP mock server: * for POST, copy request headers+body from mem BIO 'in' as response to 'out' @@ -238,7 +224,7 @@ int setup_tests(void) } x509_it = ASN1_ITEM_rptr(X509); - if (!TEST_ptr((x509 = load_pem_cert(test_get_argument(0))))) + if (!TEST_ptr((x509 = load_cert_pem(test_get_argument(0), NULL)))) return 1; ADD_TEST(test_http_url_dns); diff --git a/test/testutil.h b/test/testutil.h index 91e4d4bdd9..73e522a817 100644 --- a/test/testutil.h +++ b/test/testutil.h @@ -16,6 +16,7 @@ # include # include # include +# include # include "opt.h" /*- @@ -568,4 +569,10 @@ void test_random_seed(uint32_t sd); /* Create a file path from a directory and a filename */ char *test_mk_file_path(const char *dir, const char *file); +EVP_PKEY *load_pkey_pem(const char *file, OSSL_LIB_CTX *libctx); +X509 *load_cert_pem(const char *file, OSSL_LIB_CTX *libctx); +X509 *load_cert_der(const unsigned char *bytes, int len); +STACK_OF(X509) *load_certs_pem(const char *file); +X509_REQ *load_csr_der(const char *file); + #endif /* OSSL_TESTUTIL_H */ diff --git a/test/testutil/load.c b/test/testutil/load.c new file mode 100644 index 0000000000..9b188eb8a6 --- /dev/null +++ b/test/testutil/load.c @@ -0,0 +1,97 @@ +/* + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include + +#include +#include + +#include "../testutil.h" + +X509 *load_cert_pem(const char *file, OSSL_LIB_CTX *libctx) +{ + X509 *cert = NULL; + BIO *bio = NULL; + + if (!TEST_ptr(bio = BIO_new(BIO_s_file()))) + return NULL; + if (TEST_int_gt(BIO_read_filename(bio, file), 0) + && TEST_ptr(cert = X509_new_ex(libctx, NULL))) + (void)TEST_ptr(cert = PEM_read_bio_X509(bio, &cert, NULL, NULL)); + + BIO_free(bio); + return cert; +} + +STACK_OF(X509) *load_certs_pem(const char *filename) +{ + STACK_OF(X509) *certs; + BIO *bio; + X509 *x; + + bio = BIO_new_file(filename, "r"); + + if (bio == NULL) { + return NULL; + } + + certs = sk_X509_new_null(); + if (certs == NULL) { + BIO_free(bio); + return NULL; + } + + ERR_set_mark(); + do { + x = PEM_read_bio_X509(bio, NULL, 0, NULL); + if (x != NULL && !sk_X509_push(certs, x)) { + sk_X509_pop_free(certs, X509_free); + BIO_free(bio); + return NULL; + } else if (x == NULL) { + /* + * We probably just ran out of certs, so ignore any errors + * generated + */ + ERR_pop_to_mark(); + } + } while (x != NULL); + + BIO_free(bio); + + return certs; +} + +EVP_PKEY *load_pkey_pem(const char *file, OSSL_LIB_CTX *libctx) +{ + EVP_PKEY *key = NULL; + BIO *bio = NULL; + + if (!TEST_ptr(bio = BIO_new(BIO_s_file()))) + return NULL; + if (TEST_int_gt(BIO_read_filename(bio, file), 0)) + (void)TEST_ptr(key = PEM_read_bio_PrivateKey_ex(bio, NULL, NULL, NULL, + libctx, NULL)); + + BIO_free(bio); + return key; +} + +X509_REQ *load_csr_der(const char *file) +{ + X509_REQ *csr = NULL; + BIO *bio = NULL; + + if (!TEST_ptr(file) || !TEST_ptr(bio = BIO_new_file(file, "rb"))) + return NULL; + (void)TEST_ptr(csr = d2i_X509_REQ_bio(bio, NULL)); + BIO_free(bio); + return csr; +} diff --git a/test/verify_extra_test.c b/test/verify_extra_test.c index 668b62d408..1b308ca84b 100644 --- a/test/verify_extra_test.c +++ b/test/verify_extra_test.c @@ -22,58 +22,9 @@ static const char *untrusted_f; static const char *bad_f; static const char *req_f; -static X509 *load_cert_from_file(const char *filename) -{ - X509 *cert = NULL; - BIO *bio; - - bio = BIO_new_file(filename, "r"); - if (bio != NULL) - cert = PEM_read_bio_X509(bio, NULL, 0, NULL); - BIO_free(bio); - return cert; -} - -static STACK_OF(X509) *load_certs_from_file(const char *filename) -{ - STACK_OF(X509) *certs; - BIO *bio; - X509 *x; - - bio = BIO_new_file(filename, "r"); +#define load_cert_from_file(file) load_cert_pem(file, NULL) - if (bio == NULL) { - return NULL; - } - - certs = sk_X509_new_null(); - if (certs == NULL) { - BIO_free(bio); - return NULL; - } - - ERR_set_mark(); - do { - x = PEM_read_bio_X509(bio, NULL, 0, NULL); - if (x != NULL && !sk_X509_push(certs, x)) { - sk_X509_pop_free(certs, X509_free); - BIO_free(bio); - return NULL; - } else if (x == NULL) { - /* - * We probably just ran out of certs, so ignore any errors - * generated - */ - ERR_pop_to_mark(); - } - } while (x != NULL); - - BIO_free(bio); - - return certs; -} - -/* +/*- * Test for CVE-2015-1793 (Alternate Chains Certificate Forgery) * * Chain is as follows: @@ -122,7 +73,7 @@ static int test_alt_chains_cert_forgery(void) if (!X509_LOOKUP_load_file(lookup, roots_f, X509_FILETYPE_PEM)) goto err; - untrusted = load_certs_from_file(untrusted_f); + untrusted = load_certs_pem(untrusted_f); if ((x = load_cert_from_file(bad_f)) == NULL) goto err; @@ -148,37 +99,6 @@ static int test_alt_chains_cert_forgery(void) return ret; } -static int test_store_ctx(void) -{ - X509_STORE_CTX *sctx = NULL; - X509 *x = NULL; - int testresult = 0, ret; - - x = load_cert_from_file(bad_f); - if (x == NULL) - goto err; - - sctx = X509_STORE_CTX_new(); - if (sctx == NULL) - goto err; - - if (!X509_STORE_CTX_init(sctx, NULL, x, NULL)) - goto err; - - /* Verifying a cert where we have no trusted certs should fail */ - ret = X509_verify_cert(sctx); - - if (ret == 0) { - /* This is the result we were expecting: Test passed */ - testresult = 1; - } - - err: - X509_STORE_CTX_free(sctx); - X509_free(x); - return testresult; -} - OPT_TEST_DECLARE_USAGE("roots.pem untrusted.pem bad.pem\n") static int test_distinguishing_id(void) @@ -255,30 +175,49 @@ static int test_req_distinguishing_id(void) return ret; } -static int test_self_signed(const char *filename, int expected) +static int test_self_signed(const char *filename, int use_trusted, int expected) { X509 *cert; + STACK_OF(X509) *trusted = sk_X509_new_null(); + X509_STORE_CTX *ctx = X509_STORE_CTX_new(); int ret; cert = load_cert_from_file(filename); /* may result in NULL */ ret = TEST_int_eq(X509_self_signed(cert, 1), expected); + + if (cert != NULL) { + if (use_trusted) + ret = ret && TEST_true(sk_X509_push(trusted, cert)); + ret = ret && TEST_true(X509_STORE_CTX_init(ctx, NULL, cert, NULL)); + X509_STORE_CTX_set0_trusted_stack(ctx, trusted); + ret = ret && TEST_int_eq(X509_verify_cert(ctx), expected); + } + + X509_STORE_CTX_free(ctx); + sk_X509_free(trusted); X509_free(cert); return ret; } static int test_self_signed_good(void) { - return test_self_signed(root_f, 1); + return test_self_signed(root_f, 1, 1); } static int test_self_signed_bad(void) { - return test_self_signed(bad_f, 0); + return test_self_signed(bad_f, 1, 0); } static int test_self_signed_error(void) { - return test_self_signed("nonexistent file name", -1); + return test_self_signed("nonexistent file name", 1, -1); +} + +static int test_store_ctx(void) +{ + /* Verifying a cert where we have no trusted certs should fail */ + return test_self_signed(bad_f, 0, 0); } int setup_tests(void) diff --git a/util/find-doc-nits b/util/find-doc-nits index 6d8b7144df..6c559ba05d 100755 --- a/util/find-doc-nits +++ b/util/find-doc-nits @@ -885,7 +885,7 @@ sub checkstate () { err("$_ is supposedly public but is documented as internal") if ( $declared_public && $name_map{$_} =~ /\/internal\// ); - err("$_ is supposedly internal but is documented as public") + err("$_ is supposedly internal (maybe missing from other.syms) but is documented as public") if ( $declared_internal && $name_map{$_} !~ /\/internal\// ); } } diff --git a/util/libcrypto.num b/util/libcrypto.num index 289a6672f9..aa35b4185c 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -1345,7 +1345,7 @@ EVP_PKEY_asn1_free 1375 3_0_0 EXIST::FUNCTION: ENGINE_unregister_DH 1376 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE PROXY_CERT_INFO_EXTENSION_it 1377 3_0_0 EXIST::FUNCTION: CT_POLICY_EVAL_CTX_set1_cert 1378 3_0_0 EXIST::FUNCTION:CT -X509_NAME_hash 1379 3_0_0 EXIST::FUNCTION: +X509_NAME_hash_ex 1379 3_0_0 EXIST::FUNCTION: SCT_set_timestamp 1380 3_0_0 EXIST::FUNCTION:CT UI_new 1381 3_0_0 EXIST::FUNCTION: TS_REQ_get_msg_imprint 1382 3_0_0 EXIST::FUNCTION:TS diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt index 8a2c773e1d..b547e52858 100644 --- a/util/missingcrypto.txt +++ b/util/missingcrypto.txt @@ -1333,7 +1333,6 @@ X509_INFO_free(3) X509_INFO_new(3) X509_NAME_ENTRY_it(3) X509_NAME_ENTRY_set(3) -X509_NAME_hash(3) X509_NAME_hash_old(3) X509_NAME_it(3) X509_NAME_set(3) diff --git a/util/other.syms b/util/other.syms index f35b354cbb..3ffbcb1005 100644 --- a/util/other.syms +++ b/util/other.syms @@ -588,6 +588,7 @@ X509_LOOKUP_load_file define X509_LOOKUP_load_file_ex define X509_LOOKUP_load_store define X509_LOOKUP_load_store_ex define +X509_NAME_hash define X509_STORE_set_lookup_crls_cb define X509_STORE_set_verify_func define EVP_PKEY_CTX_set1_id define From matt at openssl.org Wed Jan 13 09:14:37 2021 From: matt at openssl.org (Matt Caswell) Date: Wed, 13 Jan 2021 09:14:37 +0000 Subject: [openssl] master update Message-ID: <1610529277.352766.13880.nullmailer@dev.openssl.org> The branch master has been updated via 1dccccf33351a732dac3c700b2de05d34f708e33 (commit) from 4dd009180a06ad973620c5beec28f2a6839c16ca (commit) - Log ----------------------------------------------------------------- commit 1dccccf33351a732dac3c700b2de05d34f708e33 Author: Matt Caswell Date: Thu Jan 7 17:40:09 2021 +0000 Fix enable-weak-ssl-ciphers Commit e260bee broke the enable-weak-ssl-ciphers option. The stitched rc4-hmac-md5 cipher implementation did not recognise the tls_version parameter, and therefore was being incorrectly handled. Fixes #13795 Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/13803) ----------------------------------------------------------------------- Summary of changes: providers/implementations/ciphers/cipher_rc4_hmac_md5.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c index 69d47b03fe..ee0cff9b86 100644 --- a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c +++ b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c @@ -169,6 +169,14 @@ static int rc4_hmac_md5_set_ctx_params(void *vctx, const OSSL_PARAM params[]) } GET_HW(ctx)->init_mackey(&ctx->base, p->data, p->data_size); } + p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_TLS_VERSION); + if (p != NULL) { + if (!OSSL_PARAM_get_uint(p, &ctx->base.tlsversion)) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); + return 0; + } + } + return 1; } From tmraz at fedoraproject.org Wed Jan 13 09:35:43 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Wed, 13 Jan 2021 09:35:43 +0000 Subject: [openssl] master update Message-ID: <1610530543.627776.18351.nullmailer@dev.openssl.org> The branch master has been updated via 48116c2d0fbb1db875e2bc703c08089bf3c5c5c3 (commit) from 1dccccf33351a732dac3c700b2de05d34f708e33 (commit) - Log ----------------------------------------------------------------- commit 48116c2d0fbb1db875e2bc703c08089bf3c5c5c3 Author: Agustin Gianni Date: Fri Jan 8 16:04:05 2021 +0100 Fix incorrect use of BN_CTX API In some edge cases BN_CTX_end was being called without first calling BN_CTX_start. This creates a situation where the state of the big number allocator is corrupted and may lead to crashes. Fixes #13812 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13813) ----------------------------------------------------------------------- Summary of changes: crypto/bn/bn_prime.c | 6 ++++-- crypto/bn/bn_sqrt.c | 5 ++++- crypto/bn/bn_x931p.c | 2 +- crypto/ec/ec_mult.c | 5 ++++- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c index a344d7df02..810f3c7b3d 100644 --- a/crypto/bn/bn_prime.c +++ b/crypto/bn/bn_prime.c @@ -145,8 +145,10 @@ int BN_generate_prime_ex2(BIGNUM *ret, int bits, int safe, } mods = OPENSSL_zalloc(sizeof(*mods) * NUMPRIMES); - if (mods == NULL) - goto err; + if (mods == NULL) { + ERR_raise(ERR_LIB_BN, ERR_R_MALLOC_FAILURE); + return 0; + } BN_CTX_start(ctx); t = BN_CTX_get(ctx); diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c index e323a7f7ab..e0b21ab575 100644 --- a/crypto/bn/bn_sqrt.c +++ b/crypto/bn/bn_sqrt.c @@ -22,6 +22,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) int r; BIGNUM *A, *b, *q, *t, *x, *y; int e, i, j; + int used_ctx = 0; if (!BN_is_odd(p) || BN_abs_is_word(p, 1)) { if (BN_abs_is_word(p, 2)) { @@ -57,6 +58,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) } BN_CTX_start(ctx); + used_ctx = 1; A = BN_CTX_get(ctx); b = BN_CTX_get(ctx); q = BN_CTX_get(ctx); @@ -353,7 +355,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) BN_clear_free(ret); ret = NULL; } - BN_CTX_end(ctx); + if (used_ctx) + BN_CTX_end(ctx); bn_check_top(ret); return ret; } diff --git a/crypto/bn/bn_x931p.c b/crypto/bn/bn_x931p.c index 1e4d4991b2..bca7c9788e 100644 --- a/crypto/bn/bn_x931p.c +++ b/crypto/bn/bn_x931p.c @@ -174,7 +174,7 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx) * exceeded. */ if (!BN_priv_rand_ex(Xp, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY, ctx)) - goto err; + return 0; BN_CTX_start(ctx); t = BN_CTX_get(ctx); diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index 87b9eab604..98bcab2321 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -835,6 +835,7 @@ int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx) EC_POINT **points = NULL; EC_PRE_COMP *pre_comp; int ret = 0; + int used_ctx = 0; #ifndef FIPS_MODULE BN_CTX *new_ctx = NULL; #endif @@ -858,6 +859,7 @@ int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx) goto err; BN_CTX_start(ctx); + used_ctx = 1; order = EC_GROUP_get0_order(group); if (order == NULL) @@ -967,7 +969,8 @@ int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx) ret = 1; err: - BN_CTX_end(ctx); + if (used_ctx) + BN_CTX_end(ctx); #ifndef FIPS_MODULE BN_CTX_free(new_ctx); #endif From tmraz at fedoraproject.org Wed Jan 13 09:37:28 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Wed, 13 Jan 2021 09:37:28 +0000 Subject: [tools] master update Message-ID: <1610530648.602781.19663.nullmailer@dev.openssl.org> The branch master has been updated via bd6c6f78c080744a0092f04c04b7a38121ddcff3 (commit) from 51ba5bc2c18780f94136c71800afc3cf8fd32d40 (commit) - Log ----------------------------------------------------------------- commit bd6c6f78c080744a0092f04c04b7a38121ddcff3 Author: Tomas Mraz Date: Thu Jan 7 10:01:04 2021 +0100 addrev: Silence the git filter-branch warning message Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/tools/pull/81) ----------------------------------------------------------------------- Summary of changes: review-tools/addrev | 1 + 1 file changed, 1 insertion(+) diff --git a/review-tools/addrev b/review-tools/addrev index aa5215a..8f28b02 100755 --- a/review-tools/addrev +++ b/review-tools/addrev @@ -82,6 +82,7 @@ if ($useself) { } my $err = "/tmp/addrev$$"; +$ENV{FILTER_BRANCH_SQUELCH_WARNING} = 1; system("git filter-branch -f --tag-name-filter cat --msg-filter \"gitaddrev $args\" $filterargs || (echo addrev failed; exit 1)"); die if $?; From dev at ddvo.net Wed Jan 13 10:19:37 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Wed, 13 Jan 2021 10:19:37 +0000 Subject: [openssl] master update Message-ID: <1610533177.317765.29141.nullmailer@dev.openssl.org> The branch master has been updated via f2a0458731f15fd4d45f5574a221177f4591b1d8 (commit) via 3339606a38cc9023c807428b429e01cfa1fde4d9 (commit) from 48116c2d0fbb1db875e2bc703c08089bf3c5c5c3 (commit) - Log ----------------------------------------------------------------- commit f2a0458731f15fd4d45f5574a221177f4591b1d8 Author: Dr. David von Oheimb Date: Wed Dec 30 09:49:20 2020 +0100 X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert This is the upstream fix for #13698 reported for v1.1.1 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13755) commit 3339606a38cc9023c807428b429e01cfa1fde4d9 Author: Dr. David von Oheimb Date: Wed Dec 30 09:46:38 2020 +0100 d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX() Partly fixes #13754 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13755) ----------------------------------------------------------------------- Summary of changes: crypto/x509/v3_purp.c | 16 ++++++++-------- crypto/x509/x509_cmp.c | 24 ++++++++++++++++-------- crypto/x509/x509_lu.c | 2 +- crypto/x509/x_all.c | 4 ++-- crypto/x509/x_crl.c | 4 ++-- crypto/x509/x_x509.c | 6 +++++- doc/internal/man3/x509v3_cache_extensions.pod | 3 ++- doc/man3/X509_cmp.pod | 3 ++- doc/man3/X509_get_extension_flags.pod | 9 +++++++-- include/openssl/x509v3.h.in | 1 + test/certs/invalid-cert.pem | 19 +++++++++++++++++++ test/recipes/80-test_x509aux.t | 13 ++++++++----- test/x509aux.c | 17 +++++++++++------ 13 files changed, 84 insertions(+), 37 deletions(-) create mode 100644 test/certs/invalid-cert.pem diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c index a3673e63fa..d9ce52faa4 100644 --- a/crypto/x509/v3_purp.c +++ b/crypto/x509/v3_purp.c @@ -387,6 +387,7 @@ static int check_sig_alg_match(const EVP_PKEY *pkey, const X509 *subject) /* * Cache info on various X.509v3 extensions and further derived information, * e.g., if cert 'x' is self-issued, in x->ex_flags and other internal fields. + * x->sha1_hash is filled in, or else EXFLAG_NO_FINGERPRINT is set in x->flags. * X509_SIG_INFO_VALID is set in x->flags if x->siginf was filled successfully. * Set EXFLAG_INVALID and return 0 in case the certificate is invalid. */ @@ -411,15 +412,12 @@ int x509v3_cache_extensions(X509 *x) CRYPTO_THREAD_unlock(x->lock); return (x->ex_flags & EXFLAG_INVALID) == 0; } - ERR_set_mark(); /* Cache the SHA1 digest of the cert */ if (!X509_digest(x, EVP_sha1(), x->sha1_hash, NULL)) - /* - * Note that the cert is marked invalid also on internal malloc failure - * or on failure of EVP_MD_fetch(), potentially called by X509_digest(). - */ - x->ex_flags |= EXFLAG_INVALID; + x->ex_flags |= EXFLAG_NO_FINGERPRINT; + + ERR_set_mark(); /* V1 should mean no extensions ... */ if (X509_get_version(x) == 0) @@ -625,11 +623,13 @@ int x509v3_cache_extensions(X509 *x) */ #endif ERR_pop_to_mark(); - if ((x->ex_flags & EXFLAG_INVALID) == 0) { + if ((x->ex_flags & (EXFLAG_INVALID | EXFLAG_NO_FINGERPRINT)) == 0) { CRYPTO_THREAD_unlock(x->lock); return 1; } - ERR_raise(ERR_LIB_X509, X509V3_R_INVALID_CERTIFICATE); + if ((x->ex_flags & EXFLAG_INVALID) != 0) + ERR_raise(ERR_LIB_X509, X509V3_R_INVALID_CERTIFICATE); + /* If computing sha1_hash failed the error queue already reflects this. */ err: x->ex_flags |= EXFLAG_SET; /* indicate that cert has been processed */ diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index 1231fb4be1..d18d1e2b67 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -81,7 +81,13 @@ int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b) int X509_CRL_match(const X509_CRL *a, const X509_CRL *b) { - int rv = memcmp(a->sha1_hash, b->sha1_hash, 20); + int rv; + + if ((a->flags & EXFLAG_NO_FINGERPRINT) == 0 + && (b->flags & EXFLAG_NO_FINGERPRINT) == 0) + rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH); + else + return -2; return rv < 0 ? -1 : rv > 0; } @@ -140,19 +146,21 @@ unsigned long X509_subject_name_hash_old(X509 *x) */ int X509_cmp(const X509 *a, const X509 *b) { - int rv; + int rv = 0; if (a == b) /* for efficiency */ return 0; - /* ensure hash is valid */ - if (X509_check_purpose((X509 *)a, -1, 0) != 1) - return -2; - if (X509_check_purpose((X509 *)b, -1, 0) != 1) - return -2; - rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH); + /* attempt to compute cert hash */ + (void)X509_check_purpose((X509 *)a, -1, 0); + (void)X509_check_purpose((X509 *)b, -1, 0); + + if ((a->ex_flags & EXFLAG_NO_FINGERPRINT) == 0 + && (b->ex_flags & EXFLAG_NO_FINGERPRINT) == 0) + rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH); if (rv != 0) return rv < 0 ? -1 : 1; + /* Check for match against stored encoding too */ if (!a->cert_info.enc.modified && !b->cert_info.enc.modified) { if (a->cert_info.enc.len < b->cert_info.enc.len) diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index eb730bb24d..00d45ea809 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -702,7 +702,7 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, if (!X509_cmp(obj->data.x509, x->data.x509)) return obj; } else if (x->type == X509_LU_CRL) { - if (!X509_CRL_match(obj->data.crl, x->data.crl)) + if (X509_CRL_match(obj->data.crl, x->data.crl) == 0) return obj; } else return obj; diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c index 680a1cf48c..9d9079f7f5 100644 --- a/crypto/x509/x_all.c +++ b/crypto/x509/x_all.c @@ -392,7 +392,7 @@ int X509_digest(const X509 *cert, const EVP_MD *md, unsigned char *data, unsigned int *len) { if (EVP_MD_is_a(md, SN_sha1) && (cert->ex_flags & EXFLAG_SET) != 0 - && (cert->ex_flags & EXFLAG_INVALID) == 0) { + && (cert->ex_flags & EXFLAG_NO_FINGERPRINT) == 0) { /* Asking for SHA1 and we already computed it. */ if (len != NULL) *len = sizeof(cert->sha1_hash); @@ -436,7 +436,7 @@ int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md, unsigned int *len) { if (type == EVP_sha1() && (data->flags & EXFLAG_SET) != 0 - && (data->flags & EXFLAG_INVALID) == 0) { + && (data->flags & EXFLAG_NO_FINGERPRINT) == 0) { /* Asking for SHA1; always computed in CRL d2i. */ if (len != NULL) *len = sizeof(data->sha1_hash); diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c index 164d425ab2..ef54a9a3cd 100644 --- a/crypto/x509/x_crl.c +++ b/crypto/x509/x_crl.c @@ -147,7 +147,7 @@ static int crl_set_issuers(X509_CRL *crl) /* * The X509_CRL structure needs a bit of customisation. Cache some extensions - * and hash of the whole CRL. + * and hash of the whole CRL or set EXFLAG_NO_FINGERPRINT if this fails. */ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) @@ -185,7 +185,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, case ASN1_OP_D2I_POST: if (!X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL)) - crl->flags |= EXFLAG_INVALID; + crl->flags |= EXFLAG_NO_FINGERPRINT; crl->idp = X509_CRL_get_ext_d2i(crl, NID_issuing_distribution_point, &i, NULL); diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c index b09fa2754a..287b6c2a1e 100644 --- a/crypto/x509/x_x509.c +++ b/crypto/x509/x_x509.c @@ -125,12 +125,16 @@ IMPLEMENT_ASN1_DUP_FUNCTION(X509) X509 *d2i_X509(X509 **a, const unsigned char **in, long len) { X509 *cert = NULL; + int free_on_error = a != NULL && *a == NULL; cert = (X509 *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, (X509_it())); /* Only cache the extensions if the cert object was passed in */ if (cert != NULL && a != NULL) { - if (!x509v3_cache_extensions(cert)) + if (!x509v3_cache_extensions(cert)) { + if (free_on_error) + X509_free(cert); cert = NULL; + } } return cert; } diff --git a/doc/internal/man3/x509v3_cache_extensions.pod b/doc/internal/man3/x509v3_cache_extensions.pod index 418a19738c..cd00942333 100644 --- a/doc/internal/man3/x509v3_cache_extensions.pod +++ b/doc/internal/man3/x509v3_cache_extensions.pod @@ -17,7 +17,8 @@ This function processes any X509v3 extensions present in an X509 object I and caches the result of that processing as well as further derived info, for instance whether the certificate is self-issued or has version X.509v1. It computes the SHA1 digest of the certificate using the default library context -and property query string and stores the result in x->sha1_hash. +and property query string and stores the result in x->sha1_hash, +or on failure sets B in x->flags. It sets B in x->flags if x->siginf was filled successfully, which may not be possible if a referenced algorithm is unknown or not available. Many OpenSSL functions that use an X509 object call this function implicitly. diff --git a/doc/man3/X509_cmp.pod b/doc/man3/X509_cmp.pod index 1e6a166e65..777d055ad8 100644 --- a/doc/man3/X509_cmp.pod +++ b/doc/man3/X509_cmp.pod @@ -55,7 +55,8 @@ The B comparison functions return B<-1>, B<0>, or B<1> if object I is found to be less than, to match, or be greater than object I, respectively. X509_NAME_cmp(), X509_issuer_and_serial_cmp(), X509_issuer_name_cmp(), -X509_subject_name_cmp() and X509_CRL_cmp() may return B<-2> to indicate an error. +X509_subject_name_cmp(), X509_CRL_cmp(), and X509_CRL_match() +may return B<-2> to indicate an error. =head1 NOTES diff --git a/doc/man3/X509_get_extension_flags.pod b/doc/man3/X509_get_extension_flags.pod index 3f09939e52..cac43d716e 100644 --- a/doc/man3/X509_get_extension_flags.pod +++ b/doc/man3/X509_get_extension_flags.pod @@ -78,12 +78,17 @@ The certificate contains an unhandled critical extension. =item B -Some certificate extension values are invalid or inconsistent. The -certificate should be rejected. +Some certificate extension values are invalid or inconsistent. +The certificate should be rejected. This bit may also be raised after an out-of-memory error while processing the X509 object, so it may not be related to the processed ASN1 object itself. +=item B + +Failed to compute the internal SHA1 hash value of the certificate or CRL. +This may be due to malloc failure or because no SHA1 implementation was found. + =item B The NID_certificate_policies certificate extension is invalid or diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in index 7234aa2c62..dad8694ffa 100644 --- a/include/openssl/x509v3.h.in +++ b/include/openssl/x509v3.h.in @@ -406,6 +406,7 @@ struct ISSUING_DIST_POINT_st { # define EXFLAG_AKID_CRITICAL 0x20000 # define EXFLAG_SKID_CRITICAL 0x40000 # define EXFLAG_SAN_CRITICAL 0x80000 +# define EXFLAG_NO_FINGERPRINT 0x100000 # define KU_DIGITAL_SIGNATURE 0x0080 # define KU_NON_REPUDIATION 0x0040 diff --git a/test/certs/invalid-cert.pem b/test/certs/invalid-cert.pem new file mode 100644 index 0000000000..a8951305a3 --- /dev/null +++ b/test/certs/invalid-cert.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDJTCCAg2gAwIBAgIUEUSW5o7qpgNCWyXic9Fc9tCLS0gwDQYJKoZIhvcNAQEL +BQAwEzERMA8GA1UEAwwIUGVyc29TaW0wHhcNMjAxMjE2MDY1NjM5WhcNMzAxMjE2 +MDY1NjM5WjATMREwDwYDVQQDDAhQZXJzb1NpbTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAMsgRKnnZbQtG9bB9Hn+CoOOsanmnRELSlGq521qi/eBgs2w +SdHYM6rsJFwY89RvINLGeUZh/pu7c+ODtTafAWE3JkynG01d2Zrvp1V1r97+FGyD +f+b1hAggxBy70bTRyr1gAoKQTAm74U/1lj13EpWz7zshgXJ/Pn/hUyTmpNW+fTRE +xaifN0jkl5tZUURGA6w3+BRhVDQtt92vLihqUGaEFpL8yqqFnN44AoQ5+lgMafWi +UyYMHcK75ZB8WWklq8zjRP3xC1h56k01rT6KJO6i+BxMcADerYsn5qTlcUiKcpRU +b6RzLvCUwj91t1aX6npDI3BzSP+wBUUANBfuHEMCAwEAAaNxMG8wFwYDVR0OBBA8 +yBBnvz1Zt6pHm2GwBaRyMBcGA1UdIwQQPMgQZ789WbeqR5thsAWkcjAPBgNVHRMB +Af8EBTADAQH/MAsGA1UdDwQEAwIChDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB +BQUHAwIwDQYJKoZIhvcNAQELBQADggEBAIEzVbttOUc7kK4aY+74TANFZK/qtBQ7 +94a/P30TGWSRUq2HnDsR8Vo4z8xm5oKeC+SIi6NGzviWYquuzpJ7idcbr0MIuSyD ++Vg6n1sG64DxWNdGO9lR5c4mWFdIajShczS2+4QIRB/lFZCf7GhPMtIcbP1o9ckY +2vyv5ZAEU9Z5n0PY+abrKsj0XyvJwdycEsUTywa36fuv6hP3UboLtvK6naXLMrTj +WtSA6PXjHy7h8h0NC8XLk64mc0lcRC4WM+xJ/C+NHglpmBqBxnStpnZykMZYD1Vy +JJ1wNc+Y3e2uMBDxZviH3dIPIgqP1Vpi2TWfqr3DTBNCRf4dl/wwNU8= +-----END TRUSTED CERTIFICATE----- diff --git a/test/recipes/80-test_x509aux.t b/test/recipes/80-test_x509aux.t index 8debd80fc1..327f861fe1 100644 --- a/test/recipes/80-test_x509aux.t +++ b/test/recipes/80-test_x509aux.t @@ -14,14 +14,17 @@ use OpenSSL::Test::Utils; setup("test_x509aux"); +my @path = qw(test certs); + plan skip_all => "test_dane uses ec which is not supported by this OpenSSL build" if disabled("ec"); plan tests => 1; # The number of tests being performed ok(run(test(["x509aux", - srctop_file("test", "certs", "roots.pem"), - srctop_file("test", "certs", "root+anyEKU.pem"), - srctop_file("test", "certs", "root-anyEKU.pem"), - srctop_file("test", "certs", "root-cert.pem")] - )), "x509aux tests"); + srctop_file(@path, "roots.pem"), + srctop_file(@path, "root+anyEKU.pem"), + srctop_file(@path, "root-anyEKU.pem"), + srctop_file(@path, "root-cert.pem"), + srctop_file(@path, "invalid-cert.pem"), + ])), "x509aux tests"); diff --git a/test/x509aux.c b/test/x509aux.c index bd8a781bdb..d170cf7e9e 100644 --- a/test/x509aux.c +++ b/test/x509aux.c @@ -30,17 +30,16 @@ static int test_certs(int num) typedef int (*i2d_X509_t)(const X509 *, unsigned char **); int err = 0; BIO *fp = BIO_new_file(test_get_argument(num), "r"); - X509 *reuse = NULL; if (!TEST_ptr(fp)) return 0; for (c = 0; !err && PEM_read_bio(fp, &name, &header, &data, &len); ++c) { const int trusted = (strcmp(name, PEM_STRING_X509_TRUSTED) == 0); - d2i_X509_t d2i = trusted ? d2i_X509_AUX : d2i_X509; i2d_X509_t i2d = trusted ? i2d_X509_AUX : i2d_X509; X509 *cert = NULL; + X509 *reuse = NULL; const unsigned char *p = data; unsigned char *buf = NULL; unsigned char *bufp; @@ -93,9 +92,15 @@ static int test_certs(int num) goto next; } p = buf; - reuse = d2i(&reuse, &p, enclen); - if (reuse == NULL || X509_cmp (reuse, cert)) { - TEST_error("X509_cmp does not work with %s", name); + reuse = d2i(NULL, &p, enclen); + if (reuse == NULL) { + TEST_error("second d2i call failed for %s", name); + err = 1; + goto next; + } + err = X509_cmp(reuse, cert); + if (err != 0) { + TEST_error("X509_cmp for %s resulted in %d", name, err); err = 1; goto next; } @@ -141,13 +146,13 @@ static int test_certs(int num) */ next: X509_free(cert); + X509_free(reuse); OPENSSL_free(buf); OPENSSL_free(name); OPENSSL_free(header); OPENSSL_free(data); } BIO_free(fp); - X509_free(reuse); if (ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) { /* Reached end of PEM file */ From dev at ddvo.net Wed Jan 13 10:59:53 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Wed, 13 Jan 2021 10:59:53 +0000 Subject: [openssl] master update Message-ID: <1610535593.235907.26176.nullmailer@dev.openssl.org> The branch master has been updated via 2ed63033e46953d0d95ff100c1334da7cc32c49b (commit) via 04a1b3fa7b6090aaca88d2d884de847822e89bef (commit) via 0ae8d4ca9e2db5fd93683dbc42d28c2eba18045d (commit) via 73b1d24c1abfdf0c890b4461c3d07b8bff45844c (commit) via b65c5ec8f5f8c9fa082c44bf805beed03d0fee0c (commit) via 41e597a01d95540f52e8bc4d69f88c3d93a093ce (commit) via ea9fd333d19096d654cb252a2f6785ca03bfcbc1 (commit) via 7836f949c2550a00fe2720e96cfaffd824d357d1 (commit) via 855c68163b182960f2b27bb961a323944d96237e (commit) via f0a057dd5343ca81849dd140ee9c302cda914f41 (commit) via 6ad957f1273e9918c22b27d0f1b1812360964a4e (commit) via 157959438308e586593592cc751195fbf3930a7d (commit) via ec2bfb7d23b4790a5fbe3b5d73a3418966d7e8ad (commit) from f2a0458731f15fd4d45f5574a221177f4591b1d8 (commit) - Log ----------------------------------------------------------------- commit 2ed63033e46953d0d95ff100c1334da7cc32c49b Author: Dr. David von Oheimb Date: Mon Jan 11 07:52:45 2021 +0100 x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 04a1b3fa7b6090aaca88d2d884de847822e89bef Author: Dr. David von Oheimb Date: Wed Jan 6 12:16:44 2021 +0100 apps/req.c: Make sure -verify option takes effect also with -x509 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 0ae8d4ca9e2db5fd93683dbc42d28c2eba18045d Author: Dr. David von Oheimb Date: Wed Jan 6 12:12:25 2021 +0100 apps/req.c: Cosmetic improvements of code and documentation Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 73b1d24c1abfdf0c890b4461c3d07b8bff45844c Author: Dr. David von Oheimb Date: Fri Dec 25 12:10:44 2020 +0100 crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit b65c5ec8f5f8c9fa082c44bf805beed03d0fee0c Author: Dr. David von Oheimb Date: Thu Dec 24 12:43:39 2020 +0100 apps/req.c: Add -copy_extensions option for use with -x509; default: none Fixes #13708 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 41e597a01d95540f52e8bc4d69f88c3d93a093ce Author: Dr. David von Oheimb Date: Thu Dec 24 11:25:47 2020 +0100 Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert Also clean up some related auxiliary functions and documentation Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit ea9fd333d19096d654cb252a2f6785ca03bfcbc1 Author: Dr. David von Oheimb Date: Thu Dec 24 07:42:08 2020 +0100 apps/req.c: make -subj work with -x509; clean up related code Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 7836f949c2550a00fe2720e96cfaffd824d357d1 Author: Dr. David von Oheimb Date: Mon Dec 21 15:52:01 2020 +0100 X509_PUBKEY_set(): Fix error reporting Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 855c68163b182960f2b27bb961a323944d96237e Author: Dr. David von Oheimb Date: Mon Dec 21 13:50:09 2020 +0100 apps/lib/opt.c: Fix error message on unknown option/digest Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit f0a057dd5343ca81849dd140ee9c302cda914f41 Author: Dr. David von Oheimb Date: Sat Dec 19 19:49:25 2020 +0100 Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 6ad957f1273e9918c22b27d0f1b1812360964a4e Author: Dr. David von Oheimb Date: Sat Dec 19 19:46:14 2020 +0100 apps/req.c: add -CA and -CAkey options; improve code and doc Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit 157959438308e586593592cc751195fbf3930a7d Author: Dr. David von Oheimb Date: Thu Dec 10 21:02:47 2020 +0100 APPS: Allow OPENSSL_CONF to be empty, not loading a config file Also document the function CONF_get1_default_config_file() Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) commit ec2bfb7d23b4790a5fbe3b5d73a3418966d7e8ad Author: Dr. David von Oheimb Date: Thu Dec 10 15:23:41 2020 +0100 apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default Fixes #13603 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13658) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 208 ++++++------- apps/ca.c | 9 +- apps/include/apps.h | 10 +- apps/lib/apps.c | 85 ++++-- apps/lib/opt.c | 3 +- apps/req.c | 473 ++++++++++++++++-------------- apps/srp.c | 5 +- apps/x509.c | 16 +- crypto/conf/conf_api.c | 4 +- crypto/conf/conf_def.c | 5 +- crypto/conf/conf_mod.c | 11 +- crypto/x509/build.info | 2 +- crypto/x509/{v3_akey.c => v3_akid.c} | 53 ++-- crypto/x509/v3_conf.c | 34 ++- crypto/x509/{v3_alt.c => v3_san.c} | 6 +- crypto/x509/{v3_skey.c => v3_skid.c} | 62 ++-- crypto/x509/v3_utf8.c | 1 - crypto/x509/x_pubkey.c | 16 +- doc/internal/man3/s2i_ASN1_UTF8STRING.pod | 46 --- doc/man1/openssl-ca.pod.in | 49 ++-- doc/man1/openssl-req.pod.in | 103 +++++-- doc/man1/openssl.pod | 11 +- doc/man3/ASN1_generate_nconf.pod | 6 +- doc/man3/CONF_modules_load_file.pod | 12 +- doc/man3/X509V3_set_ctx.pod | 63 ++++ doc/man3/s2i_ASN1_IA5STRING.pod | 21 +- doc/man5/config.pod | 2 +- doc/man5/x509v3_config.pod | 27 +- doc/man7/openssl-env.pod | 2 +- include/crypto/x509.h | 2 + include/crypto/x509v3.h | 23 -- include/openssl/x509v3.h.in | 22 +- test/certs/ext-check.csr | 18 ++ test/recipes/25-test_req.t | 104 ++++++- test/recipes/25-test_x509.t | 19 +- test/recipes/tconversion.pl | 47 +++ util/libcrypto.num | 3 + util/missingcrypto.txt | 2 - util/missingcrypto111.txt | 1 - util/missingmacro.txt | 1 + 40 files changed, 988 insertions(+), 599 deletions(-) rename crypto/x509/{v3_akey.c => v3_akid.c} (76%) rename crypto/x509/{v3_alt.c => v3_san.c} (99%) rename crypto/x509/{v3_skey.c => v3_skid.c} (68%) delete mode 100644 doc/internal/man3/s2i_ASN1_UTF8STRING.pod create mode 100644 doc/man3/X509V3_set_ctx.pod delete mode 100644 include/crypto/x509v3.h create mode 100644 test/certs/ext-check.csr diff --git a/CHANGES.md b/CHANGES.md index 65031b89a5..ac0b22c6fb 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -42,9 +42,9 @@ OpenSSL 3.0 *Otto Hollmann* - * The -cipher-commands and -digest-commands options of the command line - utility list has been deprecated. - Instead use the -cipher-algorithms and -digest-algorithms options. + * The `-cipher-commands` and `-digest-commands` options + of the command line utility `list` have been deprecated. + Instead use the `-cipher-algorithms` and `-digest-algorithms` options. *Dmitry Belyavskiy* @@ -80,11 +80,11 @@ OpenSSL 3.0 *Matt Caswell* - * The -crypt option to the passwd command line tool has been removed. + * The `-crypt` option to the `passwd` command line tool has been removed. *Paul Dale* - * The -C option to the x509, dhparam, dsaparam, and ecparam commands + * The -C option to the `x509`, `dhparam`, `dsaparam`, and `ecparam` commands were removed. *Rich Salz* @@ -139,8 +139,8 @@ OpenSSL 3.0 *Richard Levitte* - * Deprecated EVP_PKEY_CTX_set_rsa_keygen_pubexp() & introduced - EVP_PKEY_CTX_set1_rsa_keygen_pubexp(), which is now preferred. + * Deprecated `EVP_PKEY_CTX_set_rsa_keygen_pubexp()` and introduced + `EVP_PKEY_CTX_set1_rsa_keygen_pubexp()`, which is now preferred. *Jeremy Walch* @@ -156,7 +156,7 @@ OpenSSL 3.0 implemented by EVP_RAND and EVP_RAND_CTX. The main reason is that the RAND_DRBG API is a mixture of 'front end' and 'back end' API calls and some of its API calls are rather low-level. This holds in particular - for the callback mechanism (RAND_DRBG_set_callbacks()). + for the callback mechanism (`RAND_DRBG_set_callbacks()`). Adding a compatibility layer to continue supporting the RAND_DRBG API as a legacy API for a regular deprecation period turned out to come at the @@ -166,7 +166,7 @@ OpenSSL 3.0 *Paul Dale and Matthias St. Pierre* - * Allow SSL_set1_host() and SSL_add1_host() to take IP literal addresses + * Allow `SSL_set1_host()` and `SSL_add1_host()` to take IP literal addresses as well as actual hostnames. *David Woodhouse* @@ -180,7 +180,7 @@ OpenSSL 3.0 and DTLS. SSL_CTX instances that are created for a fixed protocol version (e.g. - TLSv1_server_method()) also silently ignore version bounds. Previously + `TLSv1_server_method()`) also silently ignore version bounds. Previously attempts to apply bounds to these protocol versions would result in an error. Now only the "version-flexible" SSL_CTX instances are subject to limits in configuration files in command-line options. @@ -244,14 +244,13 @@ OpenSSL 3.0 *Tomas Mraz* - * Dropped interactive mode from the 'openssl' program. From now on, - the `openssl` command without arguments is equivalent to `openssl - help`. + * Dropped interactive mode from the `openssl` program. From now on, + running it without arguments is equivalent to `openssl help`. *Richard Levitte* - * Renamed EVP_PKEY_cmp() to EVP_PKEY_eq() and - EVP_PKEY_cmp_parameters() to EVP_PKEY_parameters_eq(). + * Renamed `EVP_PKEY_cmp()` to `EVP_PKEY_eq()` and + `EVP_PKEY_cmp_parameters()` to `EVP_PKEY_parameters_eq()`. While the old function names have been retained for backward compatibility they should not be used in new developments because their return values are confusing: Unlike other `_cmp()` functions @@ -259,8 +258,8 @@ OpenSSL 3.0 *David von Oheimb* - * Deprecated EC_METHOD_get_field_type(). Applications should switch to - EC_GROUP_get_field_type(). + * Deprecated `EC_METHOD_get_field_type()`. Applications should switch to + `EC_GROUP_get_field_type()`. *Billy Bob Brumley* @@ -339,7 +338,7 @@ OpenSSL 3.0 reduced. This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer working at the default security level of 1 and instead requires security level 0. The security level can be changed either using the cipher string - with @SECLEVEL, or calling SSL_CTX_set_security_level(). + with `@SECLEVEL`, or calling `SSL_CTX_set_security_level()`. *Kurt Roeckx* @@ -396,14 +395,14 @@ OpenSSL 3.0 *Richard Levitte* * Added an implementation of CMP and CRMF (RFC 4210, RFC 4211 RFC 6712). - This adds crypto/cmp/, crpyto/crmf/, apps/cmp.c, and test/cmp_*. + This adds `crypto/cmp/`, `crpyto/crmf/`, `apps/cmp.c`, and `test/cmp_*`. See L and L as starting points. *David von Oheimb, Martin Peylo* - * Generalized the HTTP client code from crypto/ocsp/ into crpyto/http/. - The legacy OCSP-focused and only partly documented API is retained. - See L etc. for details. + * Generalized the HTTP client code from `crypto/ocsp/` into `crpyto/http/`. + The legacy OCSP-focused and only partly documented API is retained for + backward compatibility. See L etc. for details. *David von Oheimb* @@ -414,9 +413,9 @@ OpenSSL 3.0 *David von Oheimb* - * BIO_do_connect and BIO_do_handshake have been extended: + * `BIO_do_connect()` and `BIO_do_handshake()` have been extended: If domain name resolution yields multiple IP addresses all of them are tried - after connect() failures. + after `connect()` failures. *David von Oheimb* @@ -461,13 +460,13 @@ OpenSSL 3.0 * X509 certificates signed using SHA1 are no longer allowed at security level 1 and above. In TLS/SSL the default security level is 1. It can be set either - using the cipher string with @SECLEVEL, or calling - SSL_CTX_set_security_level(). If the leaf certificate is signed with SHA-1, - a call to SSL_CTX_use_certificate() will fail if the security level is not + using the cipher string with `@SECLEVEL`, or calling + `SSL_CTX_set_security_level()`. If the leaf certificate is signed with SHA-1, + a call to `SSL_CTX_use_certificate()` will fail if the security level is not lowered first. Outside TLS/SSL, the default security level is -1 (effectively 0). It can - be set using X509_VERIFY_PARAM_set_auth_level() or using the -auth_level - options of the apps. + be set using `X509_VERIFY_PARAM_set_auth_level()` or using the `-auth_level` + options of the commands. *Kurt Roeckx* @@ -514,10 +513,11 @@ OpenSSL 3.0 OSSL_DECODER and OSSL_ENCODER APIs to read and write DH files. Finaly functions that assign or obtain DH objects from an EVP_PKEY such as - EVP_PKEY_assign_DH(), EVP_PKEY_get0_DH, EVP_PKEY_get1_DH, EVP_PKEY_set1_DH - are also deprecated. Applications should instead either read or write an - EVP_PKEY directly using the OSSL_DECODER and OSSL_ENCODER APIs. Or load an - EVP_PKEY directly from DH data using EVP_PKEY_fromdata(). + `EVP_PKEY_assign_DH()`, `EVP_PKEY_get0_DH()`, `EVP_PKEY_get1_DH()`, and + `EVP_PKEY_set1_DH()` are also deprecated. + Applications should instead either read or write an + EVP_PKEY directly using the OSSL_DECODER and OSSL_ENCODER APIs. + Or load an EVP_PKEY directly from DH data using `EVP_PKEY_fromdata()`. *Paul Dale and Matt Caswell* @@ -551,7 +551,7 @@ OpenSSL 3.0 automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC. This means that applications don't have to look at the curve NID and `EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)` to get SM2 computations. - However, they still can, that EVP_PKEY_set_alias_type() call acts as + However, they still can, that `EVP_PKEY_set_alias_type()` call acts as a no-op when the EVP_PKEY is already of the given type. Parameter and key generation is also reworked to make it possible @@ -882,8 +882,8 @@ OpenSSL 3.0 *Jon Spillett* - * Deprecated the public definition of ERR_STATE as well as the function - ERR_get_state(). This is done in preparation of making ERR_STATE an + * Deprecated the public definition of `ERR_STATE` as well as the function + `ERR_get_state()`. This is done in preparation of making `ERR_STATE` an opaque type. *Richard Levitte* @@ -914,7 +914,23 @@ OpenSSL 3.0 *Richard Levitte* - * Added several checks to X509_verify_cert() according to requirements in + * Added the `<-copy_extensions` option to the `req` command for use with `-x509`. + When given with the `copy` or `copyall` argument, + any extensions present in the certification request are copied to the certificate. + + *David von Oheimb* + + * The `x509`, `req`, and `ca` commands now make sure that certificates they + generate are RFC 5280 compliant by default: For X.509 version 3 certs they ensure that + a subjectKeyIdentifier extension is included containing a hash value of the public key + and an authorityKeyIdentifier extension is included for not self-signed certs + containing a keyIdentifier field with the hash value identifying the signing key. + This is done unless some configuration overrides the new default behavior, + e.g. `authorityKeyIdentifier = none`. + + *David von Oheimb* + + * Added several checks to `X509_verify_cert()` according to requirements in RFC 5280 in case `X509_V_FLAG_X509_STRICT` is set (which may be done by using the CLI option `-x509_strict`): * The basicConstraints of CA certificates must be marked critical. @@ -933,7 +949,7 @@ OpenSSL 3.0 *David von Oheimb* - * Certificate verification using X509_verify_cert() meanwhile rejects EC keys + * Certificate verification using `X509_verify_cert()` meanwhile rejects EC keys with explicit curve parameters (specifiedCurve) as required by RFC 5480. *Tomas Mraz* @@ -1004,20 +1020,20 @@ OpenSSL 3.0 * Changed the library initialisation so that the config file is now loaded by default. This was already the case for libssl. It now occurs for both libcrypto and libssl. Use the OPENSSL_INIT_NO_LOAD_CONFIG option to - OPENSSL_init_crypto() to suppress automatic loading of a config file. + `OPENSSL_init_crypto()` to suppress automatic loading of a config file. *Matt Caswell* - * Introduced new error raising macros, ERR_raise() and ERR_raise_data(), - where the former acts as a replacement for ERR_put_error(), and the - latter replaces the combination ERR_put_error()+ERR_add_error_data(). - ERR_raise_data() adds more flexibility by taking a format string and + * Introduced new error raising macros, `ERR_raise()` and `ERR_raise_data()`, + where the former acts as a replacement for `ERR_put_error()`, and the + latter replaces the combination `ERR_put_error()` + `ERR_add_error_data()`. + `ERR_raise_data()` adds more flexibility by taking a format string and an arbitrary number of arguments following it, to be processed with - BIO_snprintf(). + `BIO_snprintf()`. *Richard Levitte* - * Introduced a new function, OSSL_PROVIDER_available(), which can be used + * Introduced a new function, `OSSL_PROVIDER_available()`, which can be used to check if a named provider is loaded and available. When called, it will also activate all fallback providers if such are still present. @@ -1081,7 +1097,7 @@ OpenSSL 3.0 *Paul Yang* - * Use SHA256 as the default digest for TS query in the ts app. + * Use SHA256 as the default digest for TS query in the `ts` app. *Tomas Mraz* @@ -1110,13 +1126,6 @@ OpenSSL 3.0 *Richard Levitte* - * Change the default RSA, DSA and DH size to 2048 bit instead of 1024. - This changes the size when using the genpkey app when no size is given. It - fixes an omission in earlier changes that changed all RSA, DSA and DH - generation apps to use 2048 bits by default. - - *Kurt Roeckx* - * Added command 'openssl kdf' that uses the EVP_KDF API. *Shane Lontis* @@ -1178,7 +1187,7 @@ OpenSSL 3.0 by registering BIOs as trace channels for a number of tracing and debugging categories. - The 'openssl' application has been expanded to enable any of the types + The `openssl` program has been expanded to enable any of the types available via environment variables defined by the user, and serves as one possible example on how to use this functionality. @@ -1629,9 +1638,9 @@ OpenSSL 1.1.1 *Patrick Steuer* * Change the default RSA, DSA and DH size to 2048 bit instead of 1024. - This changes the size when using the genpkey app when no size is given. It - fixes an omission in earlier changes that changed all RSA, DSA and DH - generation apps to use 2048 bits by default. + This changes the size when using the `genpkey` command when no size is given. + It fixes an omission in earlier changes that changed all RSA, DSA and DH + generation commands to use 2048 bits by default. *Kurt Roeckx* @@ -1645,7 +1654,7 @@ OpenSSL 1.1.1 *Matt Caswell* - * Have apps like 's_client' and 's_server' output the signature scheme + * Have commands like `s_client` and `s_server` output the signature scheme along with other cipher suite parameters when debugging. *Lorinczy Zsigmond* @@ -1870,7 +1879,7 @@ OpenSSL 1.1.1 *Matt Caswell* - * Enforce checking in the pkeyutl command line app to ensure that the input + * Enforce checking in the `pkeyutl` command to ensure that the input length does not exceed the maximum supported digest length when performing a sign, verify or verifyrecover operation. @@ -2343,9 +2352,9 @@ OpenSSL 1.1.0 ### Changes between 1.1.0j and 1.1.0k [28 May 2019] * Change the default RSA, DSA and DH size to 2048 bit instead of 1024. - This changes the size when using the genpkey app when no size is given. It - fixes an omission in earlier changes that changed all RSA, DSA and DH - generation apps to use 2048 bits by default. + This changes the size when using the `genpkey` command when no size is given. + It fixes an omission in earlier changes that changed all RSA, DSA and DH + generation commands to use 2048 bits by default. *Kurt Roeckx* @@ -3136,7 +3145,7 @@ OpenSSL 1.1.0 * Configuration change; it's now possible to build dynamic engines without having to build shared libraries and vice versa. This - only applies to the engines in engines/, those in crypto/engine/ + only applies to the engines in `engines/`, those in `crypto/engine/` will always be built into libcrypto (i.e. "static"). Building dynamic engines is enabled by default; to disable, use @@ -4140,9 +4149,9 @@ OpenSSL 1.0.2 ### Changes between 1.0.2r and 1.0.2s [28 May 2019] * Change the default RSA, DSA and DH size to 2048 bit instead of 1024. - This changes the size when using the genpkey app when no size is given. It - fixes an omission in earlier changes that changed all RSA, DSA and DH - generation apps to use 2048 bits by default. + This changes the size when using the `genpkey` command when no size is given. + It fixes an omission in earlier changes that changed all RSA, DSA and DH + generation commands to use 2048 bits by default. *Kurt Roeckx* @@ -4877,10 +4886,10 @@ OpenSSL 1.0.2 *Andy Polyakov* - * Change the req app to generate a 2048-bit RSA/DSA key by default, + * Change the `req` command to generate a 2048-bit RSA/DSA key by default, if no keysize is specified with default_bits. This fixes an omission in an earlier change that changed all RSA/DSA key generation - apps to use 2048 bits by default. + commands to use 2048 bits by default. *Emilia K?sper* @@ -6079,10 +6088,10 @@ OpenSSL 1.0.1 *Andy Polyakov* - * Change the req app to generate a 2048-bit RSA/DSA key by default, + * Change the req command to generate a 2048-bit RSA/DSA key by default, if no keysize is specified with default_bits. This fixes an omission in an earlier change that changed all RSA/DSA key generation - apps to use 2048 bits by default. + commands to use 2048 bits by default. *Emilia K?sper* @@ -7975,7 +7984,7 @@ OpenSSL 1.0.1.] *Steve Henson* - * Add load_crls() function to apps tidying load_certs() too. Add option + * Add load_crls() function to commands tidying load_certs() too. Add option to verify utility to allow additional CRLs to be included. *Steve Henson* @@ -7990,7 +7999,7 @@ OpenSSL 1.0.1.] *Julia Lawall * - * Update verify callback code in apps/s_cb.c and apps/verify.c, it + * Update verify callback code in `apps/s_cb.c` and `apps/verify.c`, it needlessly dereferenced structures, used obsolete functions and didn't handle all updated verify codes correctly. @@ -8420,7 +8429,7 @@ OpenSSL 1.0.1.] arranges the ciphersuites in reasonable order before starting to process the rule string. Thus, the definition for "DEFAULT" (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but - remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH". + remains equivalent to `"AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH"`. This makes it much easier to arrive at a reasonable default order in applications for which anonymous ciphers are OK (meaning that you can't actually use DEFAULT). @@ -9442,7 +9451,7 @@ OpenSSL 0.9.x - fixed x86nasm.pl to create correct asm files for NASM COFF output - added AES, WHIRLPOOL and CPUID assembler code to build files - added missing AES assembler make rules to mk1mf.pl - - fixed order of includes in apps/ocsp.c so that e_os.h settings apply + - fixed order of includes in `apps/ocsp.c` so that `e_os.h` settings apply *Guenter Knauf * @@ -9951,7 +9960,7 @@ OpenSSL 0.9.8.] *Nils Larsch* * Use SHA-1 instead of MD5 as the default digest algorithm for - the apps/openssl applications. + the `apps/openssl` commands. *Nils Larsch* @@ -11734,7 +11743,7 @@ OpenSSL 0.9.7.] * Add the configuration target debug-linux-ppro. Make 'openssl rsa' use the general key loading routines - implemented in apps.c, and make those routines able to + implemented in `apps.c`, and make those routines able to handle the key format FORMAT_NETSCAPE and the variant FORMAT_IISSGC. @@ -12229,12 +12238,13 @@ s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *"Brian Havard" and Richard Levitte* - * Rewrite apps to use NCONF routines instead of the old CONF. New functions - to support NCONF routines in extension code. New function CONF_set_nconf() - to allow functions which take an NCONF to also handle the old LHASH - structure: this means that the old CONF compatible routines can be - retained (in particular wrt extensions) without having to duplicate the - code. New function X509V3_add_ext_nconf_sk to add extensions to a stack. + * Rewrite commands to use `NCONF` routines instead of the old `CONF`. + New functions to support `NCONF `routines in extension code. + New function `CONF_set_nconf()` + to allow functions which take an `NCONF` to also handle the old `LHASH` + structure: this means that the old `CONF` compatible routines can be + retained (in particular w.rt. extensions) without having to duplicate the + code. New function `X509V3_add_ext_nconf_sk()` to add extensions to a stack. *Steve Henson* @@ -12739,7 +12749,7 @@ s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *Steve Henson* - * Disable stdin buffering in load_cert (apps/apps.c) so that no certs are + * Disable stdin buffering in `load_cert()` (`apps/apps.c`) so that no certs are skipped when using openssl x509 multiple times on a single input file, e.g. `(openssl x509 -out cert1; openssl x509 -out cert2) ; problem pointed out by Bodo Moeller* - * Check various `X509_...()` return values in apps/req.c. + * Check various `X509_...()` return values in `apps/req.c`. *Nils Larsch * @@ -15268,7 +15278,7 @@ s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *Steve Henson* - * Bugfixes in apps/x509.c: Avoid a memory leak; and don't use + * Bugfixes in `apps/x509.c`: Avoid a memory leak; and don't use perror when PEM_read_bio_X509_REQ fails, the error message must be obtained from the error queue. @@ -15833,7 +15843,7 @@ s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k The syntax for the cipher sorting has been extended to support sorting by cipher-strength (using the strength_bits hard coded in the tables). - The new command is "@STRENGTH" (see also doc/apps/ciphers.pod). + The new command is `@STRENGTH` (see also `doc/apps/ciphers.pod`). Fix a bug in the cipher-command parser: when supplying a cipher command string with an "undefined" symbol (neither command nor alphanumeric @@ -16286,7 +16296,7 @@ s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k because it isn't possible to mix certificates and CRLs in DER format without choking one or the other routine. Changed this to just read a certificate: this is the best we can do. Also modified the code - in apps/verify.c to take notice of return codes: it was previously + in `apps/verify.c` to take notice of return codes: it was previously attempting to read in certificates from NULL pointers and ignoring any errors: this is one reason why the cert and CRL reader seemed to work. It doesn't check return codes from the default certificate @@ -16459,7 +16469,7 @@ s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *Bodo Moeller* - * New file apps/app_rand.c with commonly needed functionality + * New file `apps/app_rand.c` with commonly needed functionality for handling the random seed file. Use the random seed file in some applications that previously did not: @@ -17190,7 +17200,7 @@ ndif *Steve Henson* - * Set #! path to perl in apps/der_chop to where we found it + * Set #! path to perl in `apps/der_chop` to where we found it instead of using a fixed path. *Bodo Moeller* @@ -18065,14 +18075,14 @@ ndif *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)* - * Run extensive memory leak checks on SSL apps. Fixed *lots* of memory - leaks in ssl/ relating to new X509_get_pubkey() behaviour. Also fixes - in apps/ and an unrelated leak in crypto/dsa/dsa_vrf.c + * Run extensive memory leak checks on SSL commands. Fixed *lots* of memory + leaks in `ssl/` relating to new `X509_get_pubkey()` behaviour. Also fixes + in `apps/` and an unrelated leak in `crypto/dsa/dsa_vrf.c`. *Steve Henson* * Support for RAW extensions where an arbitrary extension can be - created by including its DER encoding. See apps/openssl.cnf for + created by including its DER encoding. See `apps/openssl.cnf` for an example. *Steve Henson* @@ -18331,7 +18341,7 @@ ndif *Ben Laurie* - * Get the gendsa program working (hopefully) and add it to app list. Remove + * Get the `gendsa` command working and add it to the `list` command. Remove encryption from sample DSA keys (in case anyone is interested the password was "1234"). @@ -18350,7 +18360,7 @@ ndif *Bodo Moeller <3moeller at informatik.uni-hamburg.de>* - * Don't blow it for numeric -newkey arguments to apps/req. + * Don't blow it for numeric `-newkey` arguments to `apps/req`. *Bodo Moeller <3moeller at informatik.uni-hamburg.de>* @@ -18390,7 +18400,7 @@ ndif *Ralf S. Engelschall* - * Fix the various library and apps files to free up pkeys obtained from + * Fix the various library and `apps/` files to free up pkeys obtained from X509_PUBKEY_get() et al. Also allow x509.c to handle netscape extensions. *Steve Henson* @@ -18400,7 +18410,7 @@ ndif *Steve Henson and Ben Laurie* - * First cut of a cleanup for apps/. First the `ssleay` program is now named + * First cut of a cleanup for `apps/`. First the `ssleay` program is now named `openssl` and second, the shortcut symlinks for the `openssl ` are no longer created. This way we have a single and consistent command line interface `openssl `, similar to `cvs `. @@ -18550,11 +18560,13 @@ ndif *Ralf S. Engelschall* * Removed dummy files from the 0.9.1b source tree: + ``` crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f + ``` *Ralf S. Engelschall* diff --git a/apps/ca.c b/apps/ca.c index 2772072b79..d97be7568e 100755 --- a/apps/ca.c +++ b/apps/ca.c @@ -494,9 +494,7 @@ end_of_options: argc = opt_num_rest(); argv = opt_rest(); - BIO_printf(bio_err, "Using configuration from %s\n", configfile); - - if ((conf = app_load_config(configfile)) == NULL) + if ((conf = app_load_config_verbose(configfile, 1)) == NULL) goto end; if (configfile != default_config_file && !app_load_modules(conf)) goto end; @@ -1482,6 +1480,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, OPENSSL_STRING *irow = NULL; OPENSSL_STRING *rrow = NULL; char buf[25]; + X509V3_CTX ext_ctx; for (i = 0; i < DB_NUMBER; i++) row[i] = NULL; @@ -1699,8 +1698,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, /* Lets add the extensions, if there are any */ if (ext_sect) { - X509V3_CTX ext_ctx; - /* Initialize the context structure */ X509V3_set_ctx(&ext_ctx, selfsign ? ret : x509, ret, req, NULL, X509V3_CTX_REPLACE); @@ -1903,7 +1900,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, !EVP_PKEY_missing_parameters(pkey)) EVP_PKEY_copy_parameters(pktmp, pkey); - if (!do_X509_sign(ret, pkey, dgst, sigopts)) + if (!do_X509_sign(ret, pkey, dgst, sigopts, &ext_ctx)) goto end; /* We now just add it to the database as DB_TYPE_VAL('V') */ diff --git a/apps/include/apps.h b/apps/include/apps.h index 0a8d6f4060..4bed7d7540 100644 --- a/apps/include/apps.h +++ b/apps/include/apps.h @@ -48,7 +48,7 @@ void app_RAND_load_conf(CONF *c, const char *section); void app_RAND_write(void); -extern char *default_config_file; +extern char *default_config_file; /* may be "" */ extern BIO *bio_in; extern BIO *bio_out; extern BIO *bio_err; @@ -63,8 +63,10 @@ BIO *bio_open_owner(const char *filename, int format, int private); BIO *bio_open_default(const char *filename, char mode, int format); BIO *bio_open_default_quiet(const char *filename, char mode, int format); CONF *app_load_config_bio(BIO *in, const char *filename); -CONF *app_load_config(const char *filename); -CONF *app_load_config_quiet(const char *filename); +#define app_load_config(filename) app_load_config_internal(filename, 0) +#define app_load_config_quiet(filename) app_load_config_internal(filename, 1) +CONF *app_load_config_internal(const char *filename, int quiet); +CONF *app_load_config_verbose(const char *filename, int verbose); int app_load_modules(const CONF *config); CONF *app_load_config_modules(const char *configfile); void unbuffer(FILE *fp); @@ -231,7 +233,7 @@ int init_gen_str(EVP_PKEY_CTX **pctx, const char *algname, ENGINE *e, int do_param, OSSL_LIB_CTX *libctx, const char *propq); int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md, - STACK_OF(OPENSSL_STRING) *sigopts); + STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx); int do_X509_verify(X509 *x, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *vfyopts); int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts); diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 457dac87bc..d5654d9dc9 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -54,6 +54,9 @@ static int WIN32_rename(const char *from, const char *to); # define _kbhit kbhit #endif +static BIO *bio_open_default_(const char *filename, char mode, int format, + int quiet); + #define PASS_SOURCE_SIZE_MAX 4 DEFINE_STACK_OF(CONF) @@ -379,29 +382,25 @@ CONF *app_load_config_bio(BIO *in, const char *filename) return NULL; } -CONF *app_load_config(const char *filename) +CONF *app_load_config_verbose(const char *filename, int verbose) { - BIO *in; - CONF *conf; - - in = bio_open_default(filename, 'r', FORMAT_TEXT); - if (in == NULL) - return NULL; - - conf = app_load_config_bio(in, filename); - BIO_free(in); - return conf; + if (verbose) { + if (*filename == '\0') + BIO_printf(bio_err, "No configuration used\n"); + else + BIO_printf(bio_err, "Using configuration from %s\n", filename); + } + return app_load_config_internal(filename, 0); } -CONF *app_load_config_quiet(const char *filename) +CONF *app_load_config_internal(const char *filename, int quiet) { - BIO *in; + BIO *in = NULL; /* leads to empty config in case filename == "" */ CONF *conf; - in = bio_open_default_quiet(filename, 'r', FORMAT_TEXT); - if (in == NULL) + if (*filename != '\0' + && (in = bio_open_default_(filename, 'r', FORMAT_TEXT, quiet)) == NULL) return NULL; - conf = app_load_config_bio(in, filename); BIO_free(in); return conf; @@ -457,9 +456,7 @@ CONF *app_load_config_modules(const char *configfile) CONF *conf = NULL; if (configfile != NULL) { - BIO_printf(bio_err, "Using configuration from %s\n", configfile); - - if ((conf = app_load_config(configfile)) == NULL) + if ((conf = app_load_config_verbose(configfile, 1)) == NULL) return NULL; if (configfile != default_config_file && !app_load_modules(conf)) { NCONF_free(conf); @@ -1982,12 +1979,41 @@ static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey, && do_pkey_ctx_init(pkctx, sigopts); } -/* Ensure RFC 5280 compliance and then sign the certificate info */ +static int adapt_keyid_ext(X509 *cert, X509V3_CTX *ext_ctx, + const char *name, const char *value, int add_default) +{ + const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(cert); + X509_EXTENSION *new_ext = X509V3_EXT_nconf(NULL, ext_ctx, name, value); + int idx, rv = 0; + + if (new_ext == NULL) + return rv; + + idx = X509v3_get_ext_by_OBJ(exts, X509_EXTENSION_get_object(new_ext), -1); + if (idx >= 0) { + X509_EXTENSION *found_ext = X509v3_get_ext(exts, idx); + ASN1_OCTET_STRING *data = X509_EXTENSION_get_data(found_ext); + int disabled = ASN1_STRING_length(data) <= 2; /* config said "none" */ + + if (disabled) { + X509_delete_ext(cert, idx); + X509_EXTENSION_free(found_ext); + } /* else keep existing key identifier, which might be outdated */ + rv = 1; + } else { + rv = !add_default || X509_add_ext(cert, new_ext, -1); + } + X509_EXTENSION_free(new_ext); + return rv; +} + +/* Ensure RFC 5280 compliance, adapt keyIDs as needed, and sign the cert info */ int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const EVP_MD *md, - STACK_OF(OPENSSL_STRING) *sigopts) + STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx) { const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(cert); EVP_MD_CTX *mctx = EVP_MD_CTX_new(); + int self_sign; int rv = 0; if (sk_X509_EXTENSION_num(exts /* may be NULL */) > 0) { @@ -1995,6 +2021,21 @@ int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const EVP_MD *md, if (!X509_set_version(cert, 2)) /* Make sure cert is X509 v3 */ goto end; + /* + * Add default SKID before such that default AKID can make use of it + * in case the certificate is self-signed + */ + /* Prevent X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER */ + if (!adapt_keyid_ext(cert, ext_ctx, "subjectKeyIdentifier", "hash", 1)) + goto end; + /* Prevent X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER */ + ERR_set_mark(); + self_sign = X509_check_private_key(cert, pkey); + ERR_pop_to_mark(); + if (!adapt_keyid_ext(cert, ext_ctx, "authorityKeyIdentifier", + "keyid, issuer", !self_sign)) + goto end; + /* TODO any further measures for ensuring default RFC 5280 compliance */ } @@ -2745,7 +2786,7 @@ static BIO *bio_open_default_(const char *filename, char mode, int format, if (ret != NULL) return ret; BIO_printf(bio_err, - "Can't open %s for %s, %s\n", + "Can't open \"%s\" for %s, %s\n", filename, modeverb(mode), strerror(errno)); } ERR_print_errors(bio_err); diff --git a/apps/lib/opt.c b/apps/lib/opt.c index 22d4138301..9675bc474d 100644 --- a/apps/lib/opt.c +++ b/apps/lib/opt.c @@ -370,7 +370,8 @@ int opt_md(const char *name, const EVP_MD **mdp) *mdp = EVP_get_digestbyname(name); if (*mdp != NULL) return 1; - opt_printf_stderr("%s: Unknown message digest: %s\n", prog, name); + opt_printf_stderr("%s: Unknown option or message digest: %s\n", prog, + name != NULL ? name : "\"\""); return 0; } diff --git a/apps/req.c b/apps/req.c index acd0cd09cb..8c66f2a5fb 100644 --- a/apps/req.c +++ b/apps/req.c @@ -30,23 +30,24 @@ # include #endif -#define BITS "default_bits" -#define KEYFILE "default_keyfile" -#define PROMPT "prompt" -#define DISTINGUISHED_NAME "distinguished_name" -#define ATTRIBUTES "attributes" -#define V3_EXTENSIONS "x509_extensions" -#define REQ_EXTENSIONS "req_extensions" -#define STRING_MASK "string_mask" -#define UTF8_IN "utf8" - -#define DEFAULT_KEY_LENGTH 2048 -#define MIN_KEY_LENGTH 512 - -static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *dn, int mutlirdn, - int attribs, unsigned long chtype); -static int build_subject(X509_REQ *req, const char *subj, unsigned long chtype, - int multirdn); +#define BITS "default_bits" +#define KEYFILE "default_keyfile" +#define PROMPT "prompt" +#define DISTINGUISHED_NAME "distinguished_name" +#define ATTRIBUTES "attributes" +#define V3_EXTENSIONS "x509_extensions" +#define REQ_EXTENSIONS "req_extensions" +#define STRING_MASK "string_mask" +#define UTF8_IN "utf8" + +#define DEFAULT_KEY_LENGTH 2048 +#define MIN_KEY_LENGTH 512 +#define DEFAULT_DAYS 30 /* default cert validity period in days */ +#define UNSET_DAYS -2 /* -1 may be used for testing expiration checks */ +#define EXT_COPY_UNSET -1 + +static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, X509_NAME *fsubj, + int mutlirdn, int attribs, unsigned long chtype); static int prompt_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect, STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect, @@ -61,11 +62,9 @@ static int add_DN_object(X509_NAME *n, char *text, const char *def, char *value, int nid, int n_min, int n_max, unsigned long chtype, int mval); static int genpkey_cb(EVP_PKEY_CTX *ctx); -static int build_data(char *text, const char *def, - char *value, int n_min, int n_max, - char *buf, const int buf_size, - const char *desc1, const char *desc2 - ); +static int build_data(char *text, const char *def, char *value, + int n_min, int n_max, char *buf, const int buf_size, + const char *desc1, const char *desc2); static int req_check_len(int len, int n_min, int n_max); static int check_end(const char *str, const char *end); static int join(char buf[], size_t buf_size, const char *name, @@ -87,7 +86,9 @@ typedef enum OPTION_choice { OPT_PKEYOPT, OPT_SIGOPT, OPT_VFYOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS, OPT_VERIFY, OPT_NOENC, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8, OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509, - OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_ADDEXT, OPT_EXTENSIONS, + OPT_CA, OPT_CAKEY, + OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, + OPT_COPY_EXTENSIONS, OPT_ADDEXT, OPT_EXTENSIONS, OPT_REQEXTS, OPT_PRECERT, OPT_MD, OPT_SECTION, OPT_R_ENUM, OPT_PROV_ENUM @@ -101,9 +102,9 @@ const OPTIONS req_options[] = { {"keygen_engine", OPT_KEYGEN_ENGINE, 's', "Specify engine to be used for key generation operations"}, #endif - {"in", OPT_IN, '<', "Input file"}, + {"in", OPT_IN, '<', "X.509 request input file"}, {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, - {"verify", OPT_VERIFY, '-', "Verify signature on REQ"}, + {"verify", OPT_VERIFY, '-', "Verify self-signature on the request"}, OPT_SECTION("Certificate"), {"new", OPT_NEW, '-', "New request"}, @@ -115,13 +116,19 @@ const OPTIONS req_options[] = { {"text", OPT_TEXT, '-', "Text form of request"}, {"x509", OPT_X509, '-', "Output an x509 structure instead of a cert request"}, + {"CA", OPT_CA, '<', "Issuer certificate to use with -x509"}, + {"CAkey", OPT_CAKEY, 's', + "Issuer private key to use with -x509; default is -CA arg"}, {OPT_MORE_STR, 1, 1, "(Required by some CA's)"}, - {"subj", OPT_SUBJ, 's', "Set or modify request subject"}, - {"subject", OPT_SUBJECT, '-', "Output the request's subject"}, + {"subj", OPT_SUBJ, 's', "Set or modify subject of request or cert"}, + {"subject", OPT_SUBJECT, '-', + "Print the subject of the output request or cert"}, {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-', "Deprecated; multi-valued RDNs support is always on."}, {"days", OPT_DAYS, 'p', "Number of days cert is valid for"}, {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"}, + {"copy_extensions", OPT_COPY_EXTENSIONS, 's', + "copy extensions from request when using -x509"}, {"addext", OPT_ADDEXT, 's', "Additional cert extension key=value pair (may be given more than once)"}, {"extensions", OPT_EXTENSIONS, 's', @@ -134,8 +141,8 @@ const OPTIONS req_options[] = { {"key", OPT_KEY, 's', "Private key to use"}, {"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"}, {"pubkey", OPT_PUBKEY, '-', "Output public key"}, - {"keyout", OPT_KEYOUT, '>', "File to send the key to"}, - {"passin", OPT_PASSIN, 's', "Private key password source"}, + {"keyout", OPT_KEYOUT, '>', "File to save newly created private key"}, + {"passin", OPT_PASSIN, 's', "Private key and certificate password source"}, {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"}, {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"}, @@ -160,7 +167,6 @@ const OPTIONS req_options[] = { {NULL} }; - /* * An LHASH of strings, where each string is an extension name. */ @@ -180,9 +186,8 @@ static void exts_cleanup(OPENSSL_STRING *x) } /* - * Is the |kv| key already duplicated? This is remarkably tricky to get - * right. Return 0 if unique, -1 on runtime error; 1 if found or a syntax - * error. + * Is the |kv| key already duplicated? This is remarkably tricky to get right. + * Return 0 if unique, -1 on runtime error; 1 if found or a syntax error. */ static int duplicated(LHASH_OF(OPENSSL_STRING) *addexts, char *kv) { @@ -211,7 +216,7 @@ static int duplicated(LHASH_OF(OPENSSL_STRING) *addexts, char *kv) *p = '\0'; /* Finally have a clean "key"; see if it's there [by attempt to add it]. */ - p = (char *)lh_OPENSSL_STRING_insert(addexts, (OPENSSL_STRING*)kv); + p = (char *)lh_OPENSSL_STRING_insert(addexts, (OPENSSL_STRING *)kv); if (p != NULL) { OPENSSL_free(p); return 1; @@ -228,30 +233,34 @@ int req_main(int argc, char **argv) ASN1_INTEGER *serial = NULL; BIO *out = NULL; ENGINE *e = NULL, *gen_eng = NULL; - EVP_PKEY *pkey = NULL; + EVP_PKEY *pkey = NULL, *CAkey = NULL; EVP_PKEY_CTX *genctx = NULL; STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL, *vfyopts = NULL; LHASH_OF(OPENSSL_STRING) *addexts = NULL; - X509 *x509ss = NULL; + X509 *new_x509 = NULL, *CAcert = NULL; X509_REQ *req = NULL; const EVP_CIPHER *cipher = NULL; const EVP_MD *md_alg = NULL, *digest = NULL; + int ext_copy = EXT_COPY_UNSET; BIO *addext_bio = NULL; - char *extensions = NULL, *infile = NULL; + char *extensions = NULL; + const char *infile = NULL, *CAfile = NULL, *CAkeyfile = NULL; char *outfile = NULL, *keyfile = NULL; char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL; char *passin = NULL, *passout = NULL; char *nofree_passin = NULL, *nofree_passout = NULL; char *req_exts = NULL, *subj = NULL; + X509_NAME *fsubj = NULL; char *template = default_config_file, *keyout = NULL; const char *keyalg = NULL; OPTION_CHOICE o; - int ret = 1, x509 = 0, days = 0, i = 0, newreq = 0, verbose = 0; - int pkey_type = -1, private = 0; + int days = UNSET_DAYS; + int ret = 1, gen_x509 = 0, i = 0, newreq = 0, verbose = 0; + int pkey_type = -1; int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM; int modulus = 0, multirdn = 1, verify = 0, noout = 0, text = 0; int noenc = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0; - long newkey = -1; + long newkey_len = -1; unsigned long chtype = MBSTRING_ASC, reqflag = 0; #ifndef OPENSSL_NO_DES @@ -392,10 +401,21 @@ int req_main(int argc, char **argv) text = 1; break; case OPT_X509: - x509 = 1; + gen_x509 = 1; + break; + case OPT_CA: + CAfile = opt_arg(); + break; + case OPT_CAKEY: + CAkeyfile = opt_arg(); break; case OPT_DAYS: days = atoi(opt_arg()); + if (days < -1) { + BIO_printf(bio_err, "%s: -days parameter arg must be >= -1\n", + prog); + goto end; + } break; case OPT_SET_SERIAL: if (serial != NULL) { @@ -415,6 +435,13 @@ int req_main(int argc, char **argv) case OPT_MULTIVALUE_RDN: /* obsolete */ break; + case OPT_COPY_EXTENSIONS: + if (!set_ext_copy(&ext_copy, opt_arg())) { + BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", + opt_arg()); + goto end; + } + break; case OPT_ADDEXT: p = opt_arg(); if (addexts == NULL) { @@ -453,22 +480,21 @@ int req_main(int argc, char **argv) if (argc != 0) goto opthelp; - if (days && !x509) - BIO_printf(bio_err, "Ignoring -days; not generating a certificate\n"); - if (x509 && infile == NULL) + if (!gen_x509) { + if (days != UNSET_DAYS) + BIO_printf(bio_err, "Ignoring -days without -x509; not generating a certificate\n"); + if (ext_copy == EXT_COPY_NONE) + BIO_printf(bio_err, "Ignoring -copy_extensions 'none' when -x509 is not given\n"); + } + if (gen_x509 && infile == NULL) newreq = 1; - /* TODO: simplify this as pkey is still always NULL here */ - private = newreq && (pkey == NULL) ? 1 : 0; - if (!app_passwd(passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; } - if (verbose) - BIO_printf(bio_err, "Using configuration from %s\n", template); - if ((req_conf = app_load_config(template)) == NULL) + if ((req_conf = app_load_config_verbose(template, verbose)) == NULL) goto end; if (addext_bio != NULL) { if (verbose) @@ -489,10 +515,11 @@ int req_main(int argc, char **argv) oid_bio = BIO_new_file(p, "r"); if (oid_bio == NULL) { - /*- - BIO_printf(bio_err,"problems opening %s for extra oid's\n",p); - ERR_print_errors(bio_err); - */ + if (verbose) { + BIO_printf(bio_err, + "Problems opening '%s' for extra OIDs\n", p); + ERR_print_errors(bio_err); + } } else { OBJ_create_objects(oid_bio); BIO_free(oid_bio); @@ -521,17 +548,20 @@ int req_main(int argc, char **argv) if (extensions != NULL) { /* Check syntax of file */ X509V3_CTX ctx; + X509V3_set_ctx_test(&ctx); X509V3_set_nconf(&ctx, req_conf); if (!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) { BIO_printf(bio_err, - "Error checking x509 extension section %s\n", extensions); + "Error checking x509 extension section %s\n", + extensions); goto end; } } if (addext_conf != NULL) { /* Check syntax of command line extensions */ X509V3_CTX ctx; + X509V3_set_ctx_test(&ctx); X509V3_set_nconf(&ctx, addext_conf); if (!X509V3_EXT_add_nconf(addext_conf, &ctx, "default", NULL)) { @@ -579,6 +609,7 @@ int req_main(int argc, char **argv) if (req_exts != NULL) { /* Check syntax of file */ X509V3_CTX ctx; + X509V3_set_ctx_test(&ctx); X509V3_set_nconf(&ctx, req_conf); if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) { @@ -596,46 +627,48 @@ int req_main(int argc, char **argv) app_RAND_load_conf(req_conf, section); } - if (newreq && (pkey == NULL)) { + if (newreq && pkey == NULL) { app_RAND_load_conf(req_conf, section); - if (!NCONF_get_number(req_conf, section, BITS, &newkey)) { - newkey = DEFAULT_KEY_LENGTH; + if (!NCONF_get_number(req_conf, section, BITS, &newkey_len)) { + newkey_len = DEFAULT_KEY_LENGTH; } if (keyalg != NULL) { - genctx = set_keygen_ctx(keyalg, &pkey_type, &newkey, + genctx = set_keygen_ctx(keyalg, &pkey_type, &newkey_len, &keyalgstr, gen_eng); if (genctx == NULL) goto end; } - if (newkey < MIN_KEY_LENGTH + if (newkey_len < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) { - BIO_printf(bio_err, "private key length is too short,\n"); - BIO_printf(bio_err, "it needs to be at least %d bits, not %ld\n", - MIN_KEY_LENGTH, newkey); + BIO_printf(bio_err, "Private key length is too short,\n"); + BIO_printf(bio_err, "it needs to be at least %d bits, not %ld.\n", + MIN_KEY_LENGTH, newkey_len); goto end; } - if (pkey_type == EVP_PKEY_RSA && newkey > OPENSSL_RSA_MAX_MODULUS_BITS) + if (pkey_type == EVP_PKEY_RSA + && newkey_len > OPENSSL_RSA_MAX_MODULUS_BITS) BIO_printf(bio_err, "Warning: It is not recommended to use more than %d bit for RSA keys.\n" " Your key size is %ld! Larger key size may behave not as expected.\n", - OPENSSL_RSA_MAX_MODULUS_BITS, newkey); + OPENSSL_RSA_MAX_MODULUS_BITS, newkey_len); #ifndef OPENSSL_NO_DSA - if (pkey_type == EVP_PKEY_DSA && newkey > OPENSSL_DSA_MAX_MODULUS_BITS) + if (pkey_type == EVP_PKEY_DSA + && newkey_len > OPENSSL_DSA_MAX_MODULUS_BITS) BIO_printf(bio_err, "Warning: It is not recommended to use more than %d bit for DSA keys.\n" " Your key size is %ld! Larger key size may behave not as expected.\n", - OPENSSL_DSA_MAX_MODULUS_BITS, newkey); + OPENSSL_DSA_MAX_MODULUS_BITS, newkey_len); #endif if (genctx == NULL) { - genctx = set_keygen_ctx(NULL, &pkey_type, &newkey, + genctx = set_keygen_ctx(NULL, &pkey_type, &newkey_len, &keyalgstr, gen_eng); - if (!genctx) + if (genctx == NULL) goto end; } @@ -644,8 +677,7 @@ int req_main(int argc, char **argv) for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) { genopt = sk_OPENSSL_STRING_value(pkeyopts, i); if (pkey_ctrl_string(genctx, genopt) <= 0) { - BIO_printf(bio_err, "parameter error \"%s\"\n", genopt); - ERR_print_errors(bio_err); + BIO_printf(bio_err, "Key parameter error \"%s\"\n", genopt); goto end; } } @@ -675,10 +707,10 @@ int req_main(int argc, char **argv) } if (keyout == NULL) - BIO_printf(bio_err, "writing new private key to stdout\n"); + BIO_printf(bio_err, "Writing new private key to stdout\n"); else - BIO_printf(bio_err, "writing new private key to '%s'\n", keyout); - out = bio_open_owner(keyout, outformat, private); + BIO_printf(bio_err, "Writing new private key to '%s'\n", keyout); + out = bio_open_owner(keyout, outformat, newreq); if (out == NULL) goto end; @@ -696,7 +728,7 @@ int req_main(int argc, char **argv) i = 0; loop: - assert(private); + assert(newreq); if (!PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0, NULL, passout)) { if ((ERR_GET_REASON(ERR_peek_error()) == @@ -712,15 +744,55 @@ int req_main(int argc, char **argv) BIO_printf(bio_err, "-----\n"); } + /* + * subj is expected to be in the format /type0=value0/type1=value1/type2=... + * where characters may be escaped by \ + */ + if (subj != NULL + && (fsubj = parse_name(subj, chtype, multirdn, "subject")) == NULL) + goto end; + if (!newreq) { req = load_csr(infile, informat, "X509 request"); if (req == NULL) goto end; } - if (newreq || x509) { - if (pkey == NULL) { - BIO_printf(bio_err, "you need to specify a private key\n"); + if (CAkeyfile == NULL) + CAkeyfile = CAfile; + if (CAkeyfile != NULL) { + if (CAfile == NULL) { + BIO_printf(bio_err, + "Ignoring -CAkey option since no -CA option is given\n"); + } else { + if ((CAkey = load_key(CAkeyfile, FORMAT_PEM, + 0, passin, e, "issuer private key")) == NULL) + goto end; + } + } + if (CAfile != NULL) { + if (!gen_x509) { + BIO_printf(bio_err, + "Warning: Ignoring -CA option without -x509\n"); + } else { + if (CAkeyfile == NULL) { + BIO_printf(bio_err, + "Need to give the -CAkey option if using -CA\n"); + goto end; + } + if ((CAcert = load_cert_pass(CAfile, 1, passin, + "issuer certificate")) == NULL) + goto end; + if (!X509_check_private_key(CAcert, CAkey)) { + BIO_printf(bio_err, + "Issuer certificate and key do not match\n"); + goto end; + } + } + } + if (newreq || gen_x509) { + if (pkey == NULL /* can happen only if !newreq */) { + BIO_printf(bio_err, "Must provide a signature key using -key\n"); goto end; } @@ -730,82 +802,95 @@ int req_main(int argc, char **argv) goto end; } - i = make_REQ(req, pkey, subj, multirdn, !x509, chtype); - subj = NULL; /* done processing '-subj' option */ - if (!i) { - BIO_printf(bio_err, "problems making Certificate Request\n"); + if (!make_REQ(req, pkey, fsubj, multirdn, !gen_x509, chtype)){ + BIO_printf(bio_err, "Error making certificate request\n"); goto end; } } - if (x509) { - EVP_PKEY *tmppkey; + if (gen_x509) { + EVP_PKEY *pub_key = X509_REQ_get0_pubkey(req); X509V3_CTX ext_ctx; - if ((x509ss = X509_new_ex(app_get0_libctx(), app_get0_propq())) == NULL) + X509_NAME *issuer = CAcert != NULL ? X509_get_subject_name(CAcert) : + X509_REQ_get_subject_name(req); + X509_NAME *n_subj = fsubj != NULL ? fsubj : + X509_REQ_get_subject_name(req); + + if ((new_x509 = X509_new_ex(app_get0_libctx(), + app_get0_propq())) == NULL) goto end; - /* Set version to V3 */ if (serial != NULL) { - if (!X509_set_serialNumber(x509ss, serial)) + if (!X509_set_serialNumber(new_x509, serial)) goto end; } else { - if (!rand_serial(NULL, X509_get_serialNumber(x509ss))) + if (!rand_serial(NULL, X509_get_serialNumber(new_x509))) goto end; } - if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) + if (!X509_set_issuer_name(new_x509, issuer)) goto end; - if (days == 0) { - /* set default days if it's not specified */ - days = 30; + if (days == UNSET_DAYS) { + days = DEFAULT_DAYS; } - if (!set_cert_times(x509ss, NULL, NULL, days)) + if (!set_cert_times(new_x509, NULL, NULL, days)) + goto end; + if (!X509_set_subject_name(new_x509, n_subj)) goto end; - if (!X509_set_subject_name - (x509ss, X509_REQ_get_subject_name(req))) + if (!pub_key || !X509_set_pubkey(new_x509, pub_key)) goto end; - tmppkey = X509_REQ_get0_pubkey(req); - if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey)) + if (ext_copy == EXT_COPY_UNSET) { + BIO_printf(bio_err, "Warning: No -copy_extensions given; ignoring any extensions in the request\n"); + } else if (!copy_extensions(new_x509, req, ext_copy)) { + BIO_printf(bio_err, "Error copying extensions from request\n"); goto end; + } /* Set up V3 context struct */ - - X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, X509V3_CTX_REPLACE); + X509V3_set_ctx(&ext_ctx, CAcert != NULL ? CAcert : new_x509, + new_x509, NULL, NULL, X509V3_CTX_REPLACE); + if (CAcert == NULL) { /* self-issued, possibly self-signed */ + if (!X509V3_set_issuer_pkey(&ext_ctx, pkey)) /* prepare right AKID */ + goto end; + ERR_set_mark(); + if (!X509_check_private_key(new_x509, pkey)) + BIO_printf(bio_err, + "Warning: Signature key and public key of cert do not match\n"); + ERR_pop_to_mark(); + } X509V3_set_nconf(&ext_ctx, req_conf); /* Add extensions */ - if (extensions != NULL && !X509V3_EXT_add_nconf(req_conf, - &ext_ctx, extensions, - x509ss)) { + if (extensions != NULL + && !X509V3_EXT_add_nconf(req_conf, &ext_ctx, extensions, + new_x509)) { BIO_printf(bio_err, "Error adding x509 extensions from section %s\n", extensions); goto end; } if (addext_conf != NULL && !X509V3_EXT_add_nconf(addext_conf, &ext_ctx, "default", - x509ss)) { + new_x509)) { BIO_printf(bio_err, "Error adding extensions defined via -addext\n"); goto end; } /* If a pre-cert was requested, we need to add a poison extension */ if (precert) { - if (X509_add1_ext_i2d(x509ss, NID_ct_precert_poison, NULL, 1, 0) - != 1) { + if (X509_add1_ext_i2d(new_x509, NID_ct_precert_poison, + NULL, 1, 0) != 1) { BIO_printf(bio_err, "Error adding poison extension\n"); goto end; } } - i = do_X509_sign(x509ss, pkey, digest, sigopts); - if (!i) { - ERR_print_errors(bio_err); + i = do_X509_sign(new_x509, CAcert != NULL ? CAkey : pkey, + digest, sigopts, &ext_ctx); + if (!i) goto end; - } } else { X509V3_CTX ext_ctx; /* Set up V3 context struct */ - X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0); X509V3_set_nconf(&ext_ctx, req_conf); @@ -824,38 +909,30 @@ int req_main(int argc, char **argv) goto end; } i = do_X509_REQ_sign(req, pkey, digest, sigopts); - if (!i) { - ERR_print_errors(bio_err); + if (!i) goto end; - } } } - if (subj && x509) { - BIO_printf(bio_err, "Cannot modify certificate subject\n"); - goto end; - } - - if (subj && !x509) { + if (subj != NULL && !newreq && !gen_x509) { if (verbose) { - BIO_printf(bio_err, "Modifying Request's Subject\n"); - print_name(bio_err, "old subject=", + BIO_printf(bio_err, "Modifying subject of certificate request\n"); + print_name(bio_err, "Old subject=", X509_REQ_get_subject_name(req), get_nameopt()); } - if (build_subject(req, subj, chtype, multirdn) == 0) { - BIO_printf(bio_err, "ERROR: cannot modify subject\n"); - ret = 1; + if (!X509_REQ_set_subject_name(req, fsubj)) { + BIO_printf(bio_err, "Error modifying subject of certificate request\n"); goto end; } if (verbose) { - print_name(bio_err, "new subject=", + print_name(bio_err, "New subject=", X509_REQ_get_subject_name(req), get_nameopt()); } } - if (verify && !x509) { + if (verify) { EVP_PKEY *tpubkey = pkey; if (tpubkey == NULL) { @@ -869,10 +946,10 @@ int req_main(int argc, char **argv) if (i < 0) { goto end; } else if (i == 0) { - BIO_printf(bio_err, "verify failure\n"); + BIO_printf(bio_err, "Certificate request self-signature verify failure\n"); ERR_print_errors(bio_err); - } else { /* if (i > 0) */ - BIO_printf(bio_err, "verify OK\n"); + } else { /* i > 0 */ + BIO_printf(bio_err, "Certificate request self-signature verify OK\n"); } } @@ -893,32 +970,29 @@ int req_main(int argc, char **argv) if (tpubkey == NULL) { BIO_printf(bio_err, "Error getting public key\n"); - ERR_print_errors(bio_err); goto end; } PEM_write_bio_PUBKEY(out, tpubkey); } if (text) { - if (x509) - ret = X509_print_ex(out, x509ss, get_nameopt(), reqflag); + if (gen_x509) + ret = X509_print_ex(out, new_x509, get_nameopt(), reqflag); else ret = X509_REQ_print_ex(out, req, get_nameopt(), reqflag); if (ret == 0) { - if (x509) - BIO_printf(bio_err, "Error printing certificate\n"); + if (gen_x509) + BIO_printf(bio_err, "Error printing certificate\n"); else - BIO_printf(bio_err, "Error printing certificate request\n"); - - ERR_print_errors(bio_err); + BIO_printf(bio_err, "Error printing certificate request\n"); goto end; } } if (subject) { - if (x509) - print_name(out, "subject=", X509_get_subject_name(x509ss), + if (gen_x509) + print_name(out, "subject=", X509_get_subject_name(new_x509), get_nameopt()); else print_name(out, "subject=", X509_REQ_get_subject_name(req), @@ -928,12 +1002,12 @@ int req_main(int argc, char **argv) if (modulus) { EVP_PKEY *tpubkey; - if (x509) - tpubkey = X509_get0_pubkey(x509ss); + if (gen_x509) + tpubkey = X509_get0_pubkey(new_x509); else tpubkey = X509_REQ_get0_pubkey(req); if (tpubkey == NULL) { - fprintf(stdout, "Modulus=unavailable\n"); + fprintf(stdout, "Modulus is unavailable\n"); goto end; } fprintf(stdout, "Modulus="); @@ -950,7 +1024,7 @@ int req_main(int argc, char **argv) fprintf(stdout, "\n"); } - if (!noout && !x509) { + if (!noout && !gen_x509) { if (outformat == FORMAT_ASN1) i = i2d_X509_REQ_bio(out, req); else if (newhdr) @@ -958,17 +1032,17 @@ int req_main(int argc, char **argv) else i = PEM_write_bio_X509_REQ(out, req); if (!i) { - BIO_printf(bio_err, "unable to write X509 request\n"); + BIO_printf(bio_err, "Unable to write certificate request\n"); goto end; } } - if (!noout && x509 && (x509ss != NULL)) { + if (!noout && gen_x509 && new_x509 != NULL) { if (outformat == FORMAT_ASN1) - i = i2d_X509_bio(out, x509ss); + i = i2d_X509_bio(out, new_x509); else - i = PEM_write_bio_X509(out, x509ss); + i = PEM_write_bio_X509(out, new_x509); if (!i) { - BIO_printf(bio_err, "unable to write X509 certificate\n"); + BIO_printf(bio_err, "Unable to write X509 certificate\n"); goto end; } } @@ -993,7 +1067,10 @@ int req_main(int argc, char **argv) #endif OPENSSL_free(keyalgstr); X509_REQ_free(req); - X509_free(x509ss); + X509_NAME_free(fsubj); + X509_free(new_x509); + X509_free(CAcert); + EVP_PKEY_free(CAkey); ASN1_INTEGER_free(serial); release_engine(e); if (passin != nofree_passin) @@ -1003,12 +1080,12 @@ int req_main(int argc, char **argv) return ret; } -static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn, - int attribs, unsigned long chtype) +static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, X509_NAME *fsubj, + int multirdn, int attribs, unsigned long chtype) { int ret = 0, i; char no_prompt = 0; - STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL; + STACK_OF(CONF_VALUE) *dn_sk = NULL, *attr_sk = NULL; char *tmp, *dn_sect, *attr_sect; tmp = NCONF_get_string(req_conf, section, PROMPT); @@ -1019,34 +1096,31 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn, dn_sect = NCONF_get_string(req_conf, section, DISTINGUISHED_NAME); if (dn_sect == NULL) { - BIO_printf(bio_err, "unable to find '%s' in config\n", - DISTINGUISHED_NAME); - goto err; - } - dn_sk = NCONF_get_section(req_conf, dn_sect); - if (dn_sk == NULL) { - BIO_printf(bio_err, "unable to get '%s' section\n", dn_sect); - goto err; + ERR_clear_error(); + } else { + dn_sk = NCONF_get_section(req_conf, dn_sect); + if (dn_sk == NULL) { + BIO_printf(bio_err, "Unable to get '%s' section\n", dn_sect); + goto err; + } } attr_sect = NCONF_get_string(req_conf, section, ATTRIBUTES); if (attr_sect == NULL) { ERR_clear_error(); - attr_sk = NULL; } else { attr_sk = NCONF_get_section(req_conf, attr_sect); if (attr_sk == NULL) { - BIO_printf(bio_err, "unable to get '%s' section\n", attr_sect); + BIO_printf(bio_err, "Unable to get '%s' section\n", attr_sect); goto err; } } - /* setup version number */ - if (!X509_REQ_set_version(req, 0L)) - goto err; /* version 1 */ + if (!X509_REQ_set_version(req, 0L)) /* so far there is only version 1 */ + goto err; - if (subj) - i = build_subject(req, subj, chtype, multirdn); + if (fsubj != NULL) + i = X509_REQ_set_subject_name(req, fsubj); else if (no_prompt) i = auto_info(req, dn_sk, attr_sk, attribs, chtype); else @@ -1063,26 +1137,6 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn, return ret; } -/* - * subject is expected to be in the format /type0=value0/type1=value1/type2=... - * where characters may be escaped by \ - */ -static int build_subject(X509_REQ *req, const char *subject, unsigned long chtype, - int multirdn) -{ - X509_NAME *n; - - if ((n = parse_name(subject, chtype, multirdn, "subject")) == NULL) - return 0; - - if (!X509_REQ_set_subject_name(req, n)) { - X509_NAME_free(n); - return 0; - } - X509_NAME_free(n); - return 1; -} - static int prompt_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect, STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect, @@ -1116,7 +1170,7 @@ static int prompt_info(X509_REQ *req, if (sk_CONF_VALUE_num(dn_sk)) { i = -1; start: - for ( ; ; ) { + for (;;) { i++; if (sk_CONF_VALUE_num(dn_sk) <= i) break; @@ -1168,7 +1222,6 @@ static int prompt_info(X509_REQ *req, n_min = -1; } - if (!join(buf, sizeof(buf), v->name, "_max", "Name")) return 0; if (!NCONF_get_number(req_conf, dn_sect, buf, &n_max)) { @@ -1181,7 +1234,7 @@ static int prompt_info(X509_REQ *req, return 0; } if (X509_NAME_entry_count(subj) == 0) { - BIO_printf(bio_err, "error, no objects specified in config file\n"); + BIO_printf(bio_err, "Error: No objects specified in config file\n"); return 0; } @@ -1196,7 +1249,7 @@ static int prompt_info(X509_REQ *req, i = -1; start2: - for ( ; ; ) { + for (;;) { i++; if ((attr_sk == NULL) || (sk_CONF_VALUE_num(attr_sk) <= i)) break; @@ -1222,7 +1275,7 @@ static int prompt_info(X509_REQ *req, value = NULL; } - if (!join(buf, sizeof(buf), type,"_min", "Name")) + if (!join(buf, sizeof(buf), type, "_min", "Name")) return 0; if (!NCONF_get_number(req_conf, attr_sect, buf, &n_min)) { ERR_clear_error(); @@ -1273,10 +1326,10 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk, */ for (p = v->name; *p; p++) { #ifndef CHARSET_EBCDIC - spec_char = ((*p == ':') || (*p == ',') || (*p == '.')); + spec_char = (*p == ':' || *p == ',' || *p == '.'); #else - spec_char = ((*p == os_toascii[':']) || (*p == os_toascii[',']) - || (*p == os_toascii['.'])); + spec_char = (*p == os_toascii[':'] || *p == os_toascii[','] + || *p == os_toascii['.']); #endif if (spec_char) { p++; @@ -1304,7 +1357,7 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk, } if (!X509_NAME_entry_count(subj)) { - BIO_printf(bio_err, "error, no objects specified in config file\n"); + BIO_printf(bio_err, "Error: No objects specified in config file\n"); return 0; } if (attribs) { @@ -1361,12 +1414,9 @@ static int add_attribute_object(X509_REQ *req, char *text, const char *def, return ret; } - -static int build_data(char *text, const char *def, - char *value, int n_min, int n_max, - char *buf, const int buf_size, - const char *desc1, const char *desc2 - ) +static int build_data(char *text, const char *def, char *value, + int n_min, int n_max, char *buf, const int buf_size, + const char *desc1, const char *desc2) { int i; start: @@ -1401,7 +1451,7 @@ static int build_data(char *text, const char *def, i = strlen(buf); if (buf[i - 1] != '\n') { - BIO_printf(bio_err, "weird input :-(\n"); + BIO_printf(bio_err, "Missing newline at end of input\n"); return 0; } buf[--i] = '\0'; @@ -1418,16 +1468,14 @@ static int build_data(char *text, const char *def, static int req_check_len(int len, int n_min, int n_max) { - if ((n_min > 0) && (len < n_min)) { + if (n_min > 0 && len < n_min) { BIO_printf(bio_err, - "string is too short, it needs to be at least %d bytes long\n", - n_min); + "String too short, must be at least %d bytes long\n", n_min); return 0; } - if ((n_max >= 0) && (len > n_max)) { + if (n_max >= 0 && len > n_max) { BIO_printf(bio_err, - "string is too long, it needs to be no more than %d bytes long\n", - n_max); + "String too long, must be at most %d bytes long\n", n_max); return 0; } return 1; @@ -1525,7 +1573,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, if (paramfile != NULL) { pbio = BIO_new_file(paramfile, "r"); if (pbio == NULL) { - BIO_printf(bio_err, "Can't open parameter file %s\n", paramfile); + BIO_printf(bio_err, "Cannot open parameter file %s\n", paramfile); return NULL; } param = PEM_read_bio_Parameters(pbio, NULL); @@ -1550,7 +1598,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, if (*pkey_type == -1) { *pkey_type = EVP_PKEY_id(param); } else if (*pkey_type != EVP_PKEY_base_id(param)) { - BIO_printf(bio_err, "Key Type does not match parameters\n"); + BIO_printf(bio_err, "Key type does not match parameters\n"); EVP_PKEY_free(param); return NULL; } @@ -1583,20 +1631,17 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, if (gctx == NULL) { BIO_puts(bio_err, "Error allocating keygen context\n"); - ERR_print_errors(bio_err); return NULL; } if (EVP_PKEY_keygen_init(gctx) <= 0) { BIO_puts(bio_err, "Error initializing keygen context\n"); - ERR_print_errors(bio_err); EVP_PKEY_CTX_free(gctx); return NULL; } if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) { if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) { BIO_puts(bio_err, "Error setting RSA keysize\n"); - ERR_print_errors(bio_err); EVP_PKEY_CTX_free(gctx); return NULL; } diff --git a/apps/srp.c b/apps/srp.c index 3d8ce3e7c6..f7edfa9930 100644 --- a/apps/srp.c +++ b/apps/srp.c @@ -338,10 +338,7 @@ int srp_main(int argc, char **argv) if (configfile == NULL) configfile = default_config_file; - if (verbose) - BIO_printf(bio_err, "Using configuration from %s\n", - configfile); - conf = app_load_config(configfile); + conf = app_load_config_verbose(configfile, verbose); if (conf == NULL) goto end; if (configfile != default_config_file && !app_load_modules(conf)) diff --git a/apps/x509.c b/apps/x509.c index c8fcb7a7ae..5769f5f982 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -1067,6 +1067,8 @@ static int sign(X509 *x, EVP_PKEY *pkey, X509 *issuer, const EVP_MD *digest, CONF *conf, const char *section, int preserve_dates) { + X509V3_CTX ext_ctx; + if (!X509_set_issuer_name(x, X509_get_subject_name(issuer))) return 0; @@ -1077,10 +1079,14 @@ static int sign(X509 *x, EVP_PKEY *pkey, X509 *issuer, while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0); } - if (conf != NULL) { - X509V3_CTX ext_ctx; - X509V3_set_ctx(&ext_ctx, issuer, x, NULL, NULL, X509V3_CTX_REPLACE); + X509V3_set_ctx(&ext_ctx, issuer, x, NULL, NULL, X509V3_CTX_REPLACE); + if (issuer == x + /* prepare the correct AKID of self-issued, possibly self-signed cert */ + && !X509V3_set_issuer_pkey(&ext_ctx, pkey)) + return 0; + + if (conf != NULL) { X509V3_set_nconf(&ext_ctx, conf); if (!X509V3_EXT_add_nconf(conf, &ext_ctx, section, x)) { BIO_printf(bio_err, @@ -1088,7 +1094,7 @@ static int sign(X509 *x, EVP_PKEY *pkey, X509 *issuer, return 0; } } - return do_X509_sign(x, pkey, digest, sigopts); + return do_X509_sign(x, pkey, digest, sigopts, &ext_ctx); } static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt) @@ -1149,7 +1155,7 @@ static int print_x509v3_exts(BIO *bio, X509 *x, const char *ext_names) exts = X509_get0_extensions(x); if ((num = sk_X509_EXTENSION_num(exts)) <= 0) { - BIO_printf(bio, "No extensions in certificate\n"); + BIO_printf(bio_err, "No extensions in certificate\n"); ret = 1; goto end; } diff --git a/crypto/conf/conf_api.c b/crypto/conf/conf_api.c index d64cc5031a..5133114fc8 100644 --- a/crypto/conf/conf_api.c +++ b/crypto/conf/conf_api.c @@ -27,7 +27,7 @@ CONF_VALUE *_CONF_get_section(const CONF *conf, const char *section) return NULL; vv.name = NULL; vv.section = (char *)section; - return lh_CONF_VALUE_retrieve(conf->data, &vv); + return conf->data != NULL ? lh_CONF_VALUE_retrieve(conf->data, &vv) : NULL; } STACK_OF(CONF_VALUE) *_CONF_get_section_values(const CONF *conf, @@ -72,6 +72,8 @@ char *_CONF_get_string(const CONF *conf, const char *section, return NULL; if (conf == NULL) return ossl_safe_getenv(name); + if (conf->data == NULL) + return NULL; if (section != NULL) { vv.name = (char *)name; vv.section = (char *)section; diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c index 3f63a5f88d..a7f5677a26 100644 --- a/crypto/conf/conf_def.c +++ b/crypto/conf/conf_def.c @@ -239,11 +239,12 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) p = &(buff->data[bufnum]); *p = '\0'; read_retry: - BIO_gets(in, p, CONFBUFSIZE - 1); + if (in != NULL && BIO_gets(in, p, CONFBUFSIZE - 1) < 0) + goto err; p[CONFBUFSIZE - 1] = '\0'; ii = i = strlen(p); if (i == 0 && !again) { - /* the currently processed BIO is at EOF */ + /* the currently processed BIO is NULL or at EOF */ BIO *parent; #ifndef OPENSSL_NO_POSIX_IO diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c index cb1bf7cd3c..8de3222c34 100644 --- a/crypto/conf/conf_mod.c +++ b/crypto/conf/conf_mod.c @@ -156,11 +156,6 @@ int CONF_modules_load_file_ex(OSSL_LIB_CTX *libctx, const char *filename, CONF *conf = NULL; int ret = 0, diagnostics = 0; - ERR_set_mark(); - conf = NCONF_new_ex(libctx, NULL); - if (conf == NULL) - goto err; - if (filename == NULL) { file = CONF_get1_default_config_file(); if (file == NULL) @@ -169,6 +164,11 @@ int CONF_modules_load_file_ex(OSSL_LIB_CTX *libctx, const char *filename, file = (char *)filename; } + ERR_set_mark(); + conf = NCONF_new_ex(libctx, NULL); + if (conf == NULL) + goto err; + if (NCONF_load(conf, file, NULL) <= 0) { if ((flags & CONF_MFLAGS_IGNORE_MISSING_FILE) && (ERR_GET_REASON(ERR_peek_last_error()) == CONF_R_NO_SUCH_FILE)) { @@ -539,7 +539,6 @@ void CONF_module_set_usr_data(CONF_MODULE *pmod, void *usr_data) } /* Return default config file name */ - char *CONF_get1_default_config_file(void) { const char *t; diff --git a/crypto/x509/build.info b/crypto/x509/build.info index 04b63d0bc3..93019cc5e6 100644 --- a/crypto/x509/build.info +++ b/crypto/x509/build.info @@ -9,7 +9,7 @@ SOURCE[../../libcrypto]=\ x_crl.c t_crl.c x_req.c t_req.c x_x509.c t_x509.c \ x_pubkey.c x_x509a.c x_attrib.c x_exten.c x_name.c \ v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_utf8.c v3_lib.c \ - v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c \ + v3_prn.c v3_utl.c v3err.c v3_genn.c v3_san.c v3_skid.c v3_akid.c \ v3_pku.c v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c \ v3_info.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c \ v3_pcia.c v3_pci.c v3_ist.c \ diff --git a/crypto/x509/v3_akey.c b/crypto/x509/v3_akid.c similarity index 76% rename from crypto/x509/v3_akey.c rename to crypto/x509/v3_akid.c index 96e415aeb1..0b1283f0af 100644 --- a/crypto/x509/v3_akey.c +++ b/crypto/x509/v3_akid.c @@ -13,6 +13,7 @@ #include #include #include +#include "crypto/x509.h" #include "ext_dat.h" static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, @@ -78,7 +79,7 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, STACK_OF(CONF_VALUE) *values) { char keyid = 0, issuer = 0; - int i; + int i, n = sk_CONF_VALUE_num(values); CONF_VALUE *cnf; ASN1_OCTET_STRING *ikeyid = NULL; X509_NAME *isname = NULL; @@ -86,13 +87,17 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, GENERAL_NAME *gen = NULL; ASN1_INTEGER *serial = NULL; X509_EXTENSION *ext; - X509 *cert; + X509 *issuer_cert; AUTHORITY_KEYID *akeyid = AUTHORITY_KEYID_new(); if (akeyid == NULL) goto err; - for (i = 0; i < sk_CONF_VALUE_num(values); i++) { + if (n == 1 && strcmp(sk_CONF_VALUE_value(values, 0)->name, "none") == 0) { + return akeyid; + } + + for (i = 0; i < n; i++) { cnf = sk_CONF_VALUE_value(values, i); if (strcmp(cnf->name, "keyid") == 0) { keyid = 1; @@ -109,35 +114,49 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, } } - if (!ctx || !ctx->issuer_cert) { - if (ctx && (ctx->flags == CTX_TEST)) - return akeyid; + if (ctx != NULL && (ctx->flags & X509V3_CTX_TEST) != 0) + return akeyid; + + if (ctx == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_NULL_PARAMETER); + goto err; + } + if ((issuer_cert = ctx->issuer_cert) == NULL) { ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_ISSUER_CERTIFICATE); goto err; } - cert = ctx->issuer_cert; - - if (keyid) { - i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1); - if ((i >= 0) && (ext = X509_get_ext(cert, i))) + if (keyid != 0) { + /* prefer any pre-existing subject key identifier of the issuer cert */ + i = X509_get_ext_by_NID(issuer_cert, NID_subject_key_identifier, -1); + if (i >= 0 && (ext = X509_get_ext(issuer_cert, i)) != NULL) ikeyid = X509V3_EXT_d2i(ext); - if ((keyid == 2 || issuer == 0) && ikeyid == NULL) { + if (ikeyid == NULL && ctx->issuer_pkey != NULL) { /* fallback */ + /* generate AKID from scratch, emulating s2i_skey_id(..., "hash") */ + X509_PUBKEY *pubkey = NULL; + + if (X509_PUBKEY_set(&pubkey, ctx->issuer_pkey)) + ikeyid = x509_pubkey_hash(pubkey); + X509_PUBKEY_free(pubkey); + } + if ((keyid == 2 || issuer == 0) + && (ikeyid == NULL + || ASN1_STRING_length(ikeyid) <= 2) /* indicating "none" */) { ERR_raise(ERR_LIB_X509V3, X509V3_R_UNABLE_TO_GET_ISSUER_KEYID); goto err; } } - if ((issuer && !ikeyid) || (issuer == 2)) { - isname = X509_NAME_dup(X509_get_issuer_name(cert)); - serial = ASN1_INTEGER_dup(X509_get0_serialNumber(cert)); - if (!isname || !serial) { + if (issuer == 2 || (issuer == 1 && ikeyid == NULL)) { + isname = X509_NAME_dup(X509_get_issuer_name(issuer_cert)); + serial = ASN1_INTEGER_dup(X509_get0_serialNumber(issuer_cert)); + if (isname == NULL || serial == NULL) { ERR_raise(ERR_LIB_X509V3, X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS); goto err; } } - if (isname) { + if (isname != NULL) { if ((gens = sk_GENERAL_NAME_new_null()) == NULL || (gen = GENERAL_NAME_new()) == NULL || !sk_GENERAL_NAME_push(gens, gen)) { diff --git a/crypto/x509/v3_conf.c b/crypto/x509/v3_conf.c index 1f424325a0..f8a2e3fe27 100644 --- a/crypto/x509/v3_conf.c +++ b/crypto/x509/v3_conf.c @@ -437,6 +437,10 @@ static X509V3_CONF_METHOD nconf_method = { void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf) { + if (ctx == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_NULL_PARAMETER); + return; + } ctx->db_meth = &nconf_method; ctx->db = conf; } @@ -444,11 +448,33 @@ void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf) void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req, X509_CRL *crl, int flags) { + if (ctx == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_NULL_PARAMETER); + return; + } + ctx->flags = flags; ctx->issuer_cert = issuer; ctx->subject_cert = subj; - ctx->crl = crl; ctx->subject_req = req; - ctx->flags = flags; + ctx->crl = crl; + ctx->db_meth = NULL; + ctx->db = NULL; + ctx->issuer_pkey = NULL; +} + +/* For API backward compatibility, this is separate from X509V3_set_ctx() */ +int X509V3_set_issuer_pkey(X509V3_CTX *ctx, EVP_PKEY *pkey) +{ + if (ctx == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + if (ctx->subject_cert == NULL && pkey != NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_INVALID_ARGUMENT); + return 0; + } + ctx->issuer_pkey = pkey; + return 1; } /* Old conf compatibility functions */ @@ -489,6 +515,10 @@ static X509V3_CONF_METHOD conf_lhash_method = { void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash) { + if (ctx == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_NULL_PARAMETER); + return; + } ctx->db_meth = &conf_lhash_method; ctx->db = lhash; } diff --git a/crypto/x509/v3_alt.c b/crypto/x509/v3_san.c similarity index 99% rename from crypto/x509/v3_alt.c rename to crypto/x509/v3_san.c index 2344c554fa..cf7fdc6e38 100644 --- a/crypto/x509/v3_alt.c +++ b/crypto/x509/v3_san.c @@ -325,7 +325,7 @@ static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens) X509_EXTENSION *ext; int i, num; - if (ctx && (ctx->flags == CTX_TEST)) + if (ctx != NULL && (ctx->flags & X509V3_CTX_TEST) != 0) return 1; if (!ctx || !ctx->issuer_cert) { ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_ISSUER_DETAILS); @@ -410,12 +410,12 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p) GENERAL_NAME *gen = NULL; int i = -1; - if (ctx != NULL && ctx->flags == CTX_TEST) + if (ctx != NULL && (ctx->flags & X509V3_CTX_TEST) != 0) return 1; if (ctx == NULL || (ctx->subject_cert == NULL && ctx->subject_req == NULL)) { ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_SUBJECT_DETAILS); - goto err; + return 0; } /* Find the subject name */ if (ctx->subject_cert) diff --git a/crypto/x509/v3_skey.c b/crypto/x509/v3_skid.c similarity index 68% rename from crypto/x509/v3_skey.c rename to crypto/x509/v3_skid.c index b4b1616688..f1581e7452 100644 --- a/crypto/x509/v3_skey.c +++ b/crypto/x509/v3_skid.c @@ -52,55 +52,49 @@ ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, } -static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, char *str) +ASN1_OCTET_STRING *x509_pubkey_hash(X509_PUBKEY *pubkey) { ASN1_OCTET_STRING *oct; - X509_PUBKEY *pubkey; const unsigned char *pk; int pklen; unsigned char pkey_dig[EVP_MAX_MD_SIZE]; unsigned int diglen; - if (strcmp(str, "hash")) - return s2i_ASN1_OCTET_STRING(method, ctx, str); - - if ((oct = ASN1_OCTET_STRING_new()) == NULL) { - ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); + if (pubkey == NULL) { + ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_PUBLIC_KEY); return NULL; } + if ((oct = ASN1_OCTET_STRING_new()) == NULL) + return NULL; - if (ctx && (ctx->flags == CTX_TEST)) + X509_PUBKEY_get0_param(NULL, &pk, &pklen, NULL, pubkey); + /* TODO(3.0) - explicitly fetch the digest */ + if (EVP_Digest(pk, pklen, pkey_dig, &diglen, EVP_sha1(), NULL) + && ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) return oct; - if (!ctx || (!ctx->subject_req && !ctx->subject_cert)) { - ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_PUBLIC_KEY); - goto err; - } - - if (ctx->subject_req) - pubkey = ctx->subject_req->req_info.pubkey; - else - pubkey = ctx->subject_cert->cert_info.key; - - if (pubkey == NULL) { - ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_PUBLIC_KEY); - goto err; - } + ASN1_OCTET_STRING_free(oct); + return NULL; +} - X509_PUBKEY_get0_param(NULL, &pk, &pklen, NULL, pubkey); +static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, + X509V3_CTX *ctx, char *str) +{ + if (strcmp(str, "none") == 0) + return ASN1_OCTET_STRING_new(); /* dummy */ - if (!EVP_Digest(pk, pklen, pkey_dig, &diglen, EVP_sha1(), NULL)) - goto err; + if (strcmp(str, "hash") != 0) + return s2i_ASN1_OCTET_STRING(method, ctx /* not used */, str); - if (!ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) { - ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); - goto err; + if (ctx != NULL && (ctx->flags & X509V3_CTX_TEST) != 0) + return ASN1_OCTET_STRING_new(); + if (ctx == NULL + || (ctx->subject_cert == NULL && ctx->subject_req == NULL)) { + ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_SUBJECT_DETAILS); + return NULL; } - return oct; - - err: - ASN1_OCTET_STRING_free(oct); - return NULL; + return x509_pubkey_hash(ctx->subject_req != NULL ? + ctx->subject_req->req_info.pubkey : + ctx->subject_cert->cert_info.key); } diff --git a/crypto/x509/v3_utf8.c b/crypto/x509/v3_utf8.c index d37ac73246..465e0a39a3 100644 --- a/crypto/x509/v3_utf8.c +++ b/crypto/x509/v3_utf8.c @@ -12,7 +12,6 @@ #include #include #include -#include #include "ext_dat.h" /* diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c index a9beef682b..7423b122d3 100644 --- a/crypto/x509/x_pubkey.c +++ b/crypto/x509/x_pubkey.c @@ -99,11 +99,10 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) { X509_PUBKEY *pk = NULL; - if (x == NULL) + if (x == NULL || pkey == NULL) { + ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); return 0; - - if (pkey == NULL) - goto unsupported; + } if (pkey->ameth != NULL) { if ((pk = X509_PUBKEY_new()) == NULL) { @@ -137,8 +136,10 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) OPENSSL_free(der); } - if (pk == NULL) - goto unsupported; + if (pk == NULL) { + ERR_raise(ERR_LIB_X509, X509_R_UNSUPPORTED_ALGORITHM); + goto error; + } X509_PUBKEY_free(*x); if (!EVP_PKEY_up_ref(pkey)) { @@ -165,9 +166,6 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) pk->pkey = pkey; return 1; - unsupported: - ERR_raise(ERR_LIB_X509, X509_R_UNSUPPORTED_ALGORITHM); - error: X509_PUBKEY_free(pk); return 0; diff --git a/doc/internal/man3/s2i_ASN1_UTF8STRING.pod b/doc/internal/man3/s2i_ASN1_UTF8STRING.pod deleted file mode 100644 index b6d1375189..0000000000 --- a/doc/internal/man3/s2i_ASN1_UTF8STRING.pod +++ /dev/null @@ -1,46 +0,0 @@ -=pod - -=head1 NAME - -i2s_ASN1_UTF8STRING, -s2i_ASN1_UTF8STRING -- convert objects from/to ASN.1/string representation - -=head1 SYNOPSIS - - #include "crypto/x509v3.h" - - char *i2s_ASN1_UTF8STRING(X509V3_EXT_METHOD *method, - ASN1_UTF8STRING *utf8); - ASN1_UTF8STRING *s2i_ASN1_UTF8STRING(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, const char *str); - -=head1 DESCRIPTION - -These functions convert OpenSSL objects to and from their ASN.1/string -representation. This function is used for B extensions. - -=head1 NOTES - -The letters B and B in i2s_ASN1_UTF8STRING() stand for -"internal" (that is, an internal C structure) and string respectively. -So B() converts from internal to string. - -=head1 RETURN VALUES - -B() return a valid -B structure or NULL if an error occurs. - -B() returns the pointer to a UTF-8 string -or NULL if an error occurs. - -=head1 COPYRIGHT - -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. - -Licensed under the Apache License 2.0 (the "License"). You may not use -this file except in compliance with the License. You can obtain a copy -in the file LICENSE in the source distribution or at -L. - -=cut diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in index d2d3bfb13d..e222f6f2a8 100644 --- a/doc/man1/openssl-ca.pod.in +++ b/doc/man1/openssl-ca.pod.in @@ -69,15 +69,20 @@ B B =head1 DESCRIPTION -This command is a minimal CA application. It can be used -to sign certificate requests in a variety of forms and generate -CRLs. It also maintains a text database of issued certificates -and their status. -When signing certificates, a single certificate request can be specified +This command emulates a CA application. +See the B especially when considering to use it productively. +It can be used to sign certificate requests (CSRs) in a variety of forms +and generate certificate revocation lists (CRLs). +It also maintains a text database of issued certificates and their status. +When signing certificates, a single request can be specified with the B<-in> option, or multiple requests can be processed by specifying a set of B files after all options. -The options descriptions will be divided into each purpose. +Note that there are also very lean ways of generating certificates: +the B and B commands can be used for directly creating certificates. +See L and L for details. + +The descriptions of the B command options are divided into each purpose. =head1 OPTIONS @@ -104,12 +109,12 @@ B in the B section). =item B<-in> I -An input filename containing a single certificate request to be +An input filename containing a single certificate request (CSR) to be signed by the CA. =item B<-inform> B|B -The format of the data in CSR input files. +The format of the data in certificate request input files. The default is PEM. =item B<-ss_cert> I @@ -150,7 +155,8 @@ This option has no effect and is retained for backward compatibility only. =item B<-keyfile> I|I -The CA private key to sign requests with. This must match with B<-cert>. +The CA private key to sign certificate requests with. +This must match with B<-cert>. =item B<-keyform> B|B|B|B @@ -168,8 +174,8 @@ Names and values of these options are algorithm-specific. Pass options to the signature algorithm during verify operations. Names and values of these options are algorithm-specific. -This often needs to be given while signing too, because the input -certificate signature request is verified against its own public key, +This often needs to be given while signing too, because the self-signature of +a certificate signing request (CSR) is verified against the included public key, and that verification may need its own set of options. =item B<-key> I @@ -192,9 +198,8 @@ see L. Indicates the issued certificates are to be signed with the key the certificate requests were signed with (given with B<-keyfile>). -Certificate requests signed with a different key are ignored. If -B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is -ignored. +Certificate requests signed with a different key are ignored. +If B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is ignored. A consequence of using B<-selfsign> is that the self-signed certificate appears among the entries in the certificate database @@ -739,6 +744,8 @@ possible to include one SPKAC or self-signed certificate. =head1 BUGS +This command is quirky and at times downright unfriendly. + The use of an in-memory text database can cause problems when large numbers of certificates are present because, as the name implies the database has to be kept in memory. @@ -760,11 +767,14 @@ create an empty file. =head1 WARNINGS -This command is quirky and at times downright unfriendly. - -This command was originally meant as an example of how to do -things in a CA. It was not supposed to be used as a full blown CA itself: -nevertheless some people are using it for this purpose. +This command was originally meant as an example of how to do things in a CA. +Its code does not have production quality. +It was not supposed to be used as a full blown CA itself, +nevertheless some people are using it for this purpose at least internally. +When doing so, specific care should be taken to +properly secure the private key(s) used for signing certificates. +It is advisable to keep them in a secure HW storage such as a smart card or HSM +and access them via a suitable engine or crypto provider. This command command is effectively a single user command: no locking is done on the various files and attempts to run more than one B @@ -776,7 +786,6 @@ request contains a basicConstraints extension with CA:TRUE and the B value is set to B and the user does not spot this when the certificate is displayed then this will hand the requester a valid CA certificate. - This situation can be avoided by setting B to B and including basicConstraints with CA:FALSE in the configuration file. Then if the request contains a basicConstraints extension it will be diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in index f778ec5cea..72f9997aea 100644 --- a/doc/man1/openssl-req.pod.in +++ b/doc/man1/openssl-req.pod.in @@ -33,9 +33,12 @@ B B [B<-config> I] [B<-section> I] [B<-x509>] +[B<-CA> I|I] +[B<-CAkey> I|I] [B<-days> I] [B<-set_serial> I] [B<-newhdr>] +[B<-copy_extensions> I] [B<-addext> I] [B<-extensions> I
] [B<-reqexts> I
] @@ -57,8 +60,8 @@ B B =head1 DESCRIPTION -This command primarily creates and processes certificate requests -in PKCS#10 format. It can additionally create self signed certificates +This command primarily creates and processes certificate requests (CSRs) +in PKCS#10 format. It can additionally create self-signed certificates for use as root CAs for example. =head1 OPTIONS @@ -71,7 +74,7 @@ Print out a usage message. =item B<-inform> B|B, B<-outform> B|B -The input and formats; the default is B. +The input and output formats; the default is B. See L for details. The data is a PKCS#10 object. @@ -80,7 +83,7 @@ The data is a PKCS#10 object. This specifies the input filename to read a request from or standard input if this option is not specified. A request is only read if the creation -options (B<-new> and B<-newkey>) are not specified. +options (B<-new> or B<-newkey>) are not specified. =item B<-sigopt> I:I @@ -100,16 +103,21 @@ which supports both options for good reasons. =end comment -=item B<-passin> I, B<-passout> I +=item B<-passin> I -The password source for the input and output file. +The password source for the request input file and the certificate input. +For more information about the format of B +see L. + +=item B<-passout> I + +The password source for the output file. For more information about the format of B see L. =item B<-out> I -This specifies the output filename to write to or standard output by -default. +This specifies the output filename to write to or standard output by default. =item B<-text> @@ -117,25 +125,24 @@ Prints out the certificate request in text form. =item B<-subject> -Prints out the request subject (or certificate subject if B<-x509> is -specified) +Prints out the certificate request subject +(or certificate subject if B<-x509> is specified). =item B<-pubkey> -Outputs the public key. +Prints out the public key. =item B<-noout> -This option prevents output of the encoded version of the request. +This option prevents output of the encoded version of the certificate request. =item B<-modulus> -This option prints out the value of the modulus of the public key -contained in the request. +Prints out the value of the modulus of the public key contained in the request. =item B<-verify> -Verifies the signature on the request. +Verifies the self-signature on the request. =item B<-new> @@ -144,8 +151,9 @@ the user for the relevant field values. The actual fields prompted for and their maximum and minimum sizes are specified in the configuration file and any requested extensions. -If the B<-key> option is not used it will generate a new RSA private -key using information specified in the configuration file. +If the B<-key> option is not given it will generate a new RSA private key +using information specified in the configuration file or given with +the B<-newkey> and B<-pkeyopt> options, else by default with 2048 bits length. =item B<-newkey> I @@ -183,8 +191,9 @@ See L for more details. =item B<-key> I|I -This specifies the private key to use. It also -accepts PKCS#8 format private keys for PEM format files. +This specifies the private key to use for request self-signature +and signing certificates produced using the B<-x509> option. +It also accepts PKCS#8 format private keys for PEM format files. =item B<-keyform> B|B|B|B @@ -231,7 +240,7 @@ Specifies the name of the section to use; the default is B. =item B<-subj> I Sets subject name for new request or supersedes the subject name -when processing a request. +when processing a certificate request. The arg must be formatted as C. Special characters may be escaped by C<\> (backslash), whitespace is retained. @@ -250,15 +259,33 @@ This option has been deprecated and has no effect. =item B<-x509> -This option outputs a self signed certificate instead of a certificate -request. This is typically used to generate a test certificate or -a self signed root CA. The extensions added to the certificate -(if any) are specified in the configuration file. Unless specified -using the B<-set_serial> option, a large random number will be used for -the serial number. +This option outputs a certificate instead of a certificate request. +This is typically used to generate test certificates. + +If an existing request is specified with the B<-in> option, it is converted +to the a certificate; otherwise a request is created from scratch. + +Unless specified using the B<-set_serial> option, +a large random number will be used for the serial number. + +Unless the B<-copy_extensions> option is used, +X.509 extensions are not copied from any provided request input file. -If existing request is specified with the B<-in> option, it is converted -to the self signed certificate otherwise new request is created. +X.509 extensions to be added can be specified in the configuration file +or using the B<-addext> option. + +=item B<-CA> I|I + +Specifies the "CA" certificate to be used for signing with the B<-x509> option. +When present, this behaves like a "micro CA" as follows: +The subject name of the "CA" certificate is placed as issuer name in the new +certificate, which is then signed using the "CA" key given as specified below. + +=item B<-CAkey> I|I + +Sets the "CA" private key to sign a certificate with. +The private key must match the public key of the certificate given with B<-CA>. +If this option is not provided then the key must be present in the B<-CA> input. =item B<-days> I @@ -268,8 +295,20 @@ be a positive integer. The default is 30 days. =item B<-set_serial> I -Serial number to use when outputting a self signed certificate. This -may be specified as a decimal value or a hex value if preceded by C<0x>. +Serial number to use when outputting a self-signed certificate. +This may be specified as a decimal value or a hex value if preceded by C<0x>. +If not given, a large random number will be used. + +=item B<-copy_extensions> I + +Determines how X.509 extensions in certificate requests should be handled +when B<-x509> is given. +If I is B or this option is not present then extensions are ignored. +If I is B or B then +all extensions in the request are copied to the certificate. + +The main use of this option is to allow a certificate request to supply +values for certain extensions such as subjectAltName. =item B<-addext> I @@ -308,7 +347,7 @@ configuration file, must be valid UTF8 strings. =item B<-reqopt> I
. +Each of these macros defines a parameter of the specified B> with the +provided I and parameter variable I
. OSSL_PARAM_utf8_string(), OSSL_PARAM_octet_string(), OSSL_PARAM_utf8_ptr(), OSSL_PARAM_octet_ptr(), OSSL_PARAM_BN() are macros that provide support for defining UTF8 strings, OCTET strings and big numbers. -A parameter with name B is defined. -The storage for this parameter is at B
and is of B bytes. +A parameter with name I is defined. +The storage for this parameter is at I
and is of I bytes. OSSL_PARAM_END provides an end of parameter list marker. This should terminate all OSSL_PARAM arrays. OSSL_PARAM_construct_TYPE() are a series of functions that create OSSL_PARAM records dynamically. -A parameter with name B is created. -The parameter will use storage pointed to by B and return size of B. +A parameter with name I is created. +The parameter will use storage pointed to by I and return size of I. OSSL_PARAM_construct_BN() is a function that constructs a large integer OSSL_PARAM structure. -A parameter with name B, storage B, size B and return -size B is created. +A parameter with name I, storage I, size I and return +size I is created. OSSL_PARAM_construct_utf8_string() is a function that constructs a UTF8 string OSSL_PARAM structure. -A parameter with name B, storage B and size B is created. -If B is zero, the string length is determined using strlen(3) + 1 for the +A parameter with name I, storage I and size I is created. +If I is zero, the string length is determined using strlen(3) + 1 for the null termination byte. -Generally pass zero for B instead of calling strlen(3) yourself. +Generally pass zero for I instead of calling strlen(3) yourself. OSSL_PARAM_construct_octet_string() is a function that constructs an OCTET string OSSL_PARAM structure. -A parameter with name B, storage B and size B is created. +A parameter with name I, storage I and size I is created. OSSL_PARAM_construct_utf8_ptr() is a function that constructs a UTF string pointer OSSL_PARAM structure. -A parameter with name B, storage pointer B<*buf> and size B +A parameter with name I, storage pointer I<*buf> and size I is created. OSSL_PARAM_construct_octet_ptr() is a function that constructs an OCTET string pointer OSSL_PARAM structure. -A parameter with name B, storage pointer B<*buf> and size B +A parameter with name I, storage pointer I<*buf> and size I is created. OSSL_PARAM_construct_end() is a function that constructs the terminating OSSL_PARAM structure. -OSSL_PARAM_locate() is a function that searches an B of parameters for -the one matching the B name. +OSSL_PARAM_locate() is a function that searches an I of parameters for +the one matching the I name. OSSL_PARAM_locate_const() behaves exactly like OSSL_PARAM_locate() except for -the presence of I for the B argument and its return value. +the presence of I for the I argument and its return value. -OSSL_PARAM_get_TYPE() retrieves a value of type B from the parameter B

. -The value is copied to the address B. +OSSL_PARAM_get_TYPE() retrieves a value of type B> from the parameter +I

. +The value is copied to the address I. Type coercion takes place as discussed in the NOTES section. -OSSL_PARAM_set_TYPE() stores a value B of type B into the parameter -B

. +OSSL_PARAM_set_TYPE() stores a value I of type B> into the +parameter I

. If the parameter's I field is NULL, then only its I field will be assigned the size the parameter's I buffer should have. Type coercion takes place as discussed in the NOTES section. -OSSL_PARAM_get_BN() retrieves a BIGNUM from the parameter pointed to by B

. -The BIGNUM referenced by B is updated and is allocated if B<*val> is -B. +OSSL_PARAM_get_BN() retrieves a BIGNUM from the parameter pointed to by I

. +The BIGNUM referenced by I is updated and is allocated if I<*val> is +NULL. -OSSL_PARAM_set_BN() stores the BIGNUM B into the parameter B

. +OSSL_PARAM_set_BN() stores the BIGNUM I into the parameter I

. If the parameter's I field is NULL, then only its I field will be assigned the size the parameter's I buffer should have. OSSL_PARAM_get_utf8_string() retrieves a UTF8 string from the parameter -pointed to by B

. -The string is either stored into B<*val> with a length limit of B or, -in the case when B<*val> is B, memory is allocated for the string and -B is ignored. +pointed to by I

. +The string is either stored into I<*val> with a length limit of I or, +in the case when I<*val> is NULL, memory is allocated for the string and +I is ignored. If memory is allocated by this function, it must be freed by the caller. OSSL_PARAM_set_utf8_string() sets a UTF8 string from the parameter pointed to -by B

to the value referenced by B. +by I

to the value referenced by I. If the parameter's I field is NULL, then only its I field will be assigned the size the parameter's I buffer should have. OSSL_PARAM_get_octet_string() retrieves an OCTET string from the parameter -pointed to by B

. -The OCTETs are either stored into B<*val> with a length limit of B or, -in the case when B<*val> is B, memory is allocated and -B is ignored. B<*used_len> is populated with the number of OCTETs -stored. If B is NULL then the OCTETS are not stored, but B<*used_len> is +pointed to by I

. +The OCTETs are either stored into I<*val> with a length limit of I or, +in the case when I<*val> is NULL, memory is allocated and +I is ignored. I<*used_len> is populated with the number of OCTETs +stored. If I is NULL then the OCTETS are not stored, but I<*used_len> is still populated. If memory is allocated by this function, it must be freed by the caller. OSSL_PARAM_set_octet_string() sets an OCTET string from the parameter -pointed to by B

to the value referenced by B. +pointed to by I

to the value referenced by I. If the parameter's I field is NULL, then only its I field will be assigned the size the parameter's I buffer should have. OSSL_PARAM_get_utf8_ptr() retrieves the UTF8 string pointer from the parameter -referenced by B

and stores it in B<*val>. +referenced by I

and stores it in I<*val>. OSSL_PARAM_set_utf8_ptr() sets the UTF8 string pointer in the parameter -referenced by B

to the values B. +referenced by I

to the values I. OSSL_PARAM_get_octet_ptr() retrieves the OCTET string pointer from the parameter -referenced by B

and stores it in B<*val>. -The length of the OCTET string is stored in B<*used_len>. +referenced by I

and stores it in I<*val>. +The length of the OCTET string is stored in I<*used_len>. OSSL_PARAM_set_octet_ptr() sets the OCTET string pointer in the parameter -referenced by B

to the values B. -The length of the OCTET string is provided by B. +referenced by I

to the values I. +The length of the OCTET string is provided by I. OSSL_PARAM_get_utf8_string_ptr() retrieves the pointer to a UTF8 string from -the parameter pointed to by B

, and stores that pointer in B<*val>. +the parameter pointed to by I

, and stores that pointer in I<*val>. This is different from OSSL_PARAM_get_utf8_string(), which copies the string. OSSL_PARAM_get_octet_string_ptr() retrieves the pointer to a octet string -from the parameter pointed to by B

, and stores that pointer in B<*val>, -along with the string's length in B<*used_len>. +from the parameter pointed to by I

, and stores that pointer in I<*val>, +along with the string's length in I<*used_len>. This is different from OSSL_PARAM_get_octet_string(), which copies the string. @@ -285,11 +286,11 @@ creation, via either the macros or construct calls, the I field is set to this. If the parameter is set using the calls defined herein, the I field is changed. -OSSL_PARAM_modified() queries if the parameter B has been set or not +OSSL_PARAM_modified() queries if the parameter I has been set or not using the calls defined herein. OSSL_PARAM_set_all_unmodified() resets the unused indicator for all parameters -in the array B. +in the array I. =head1 RETURN VALUES @@ -299,12 +300,12 @@ OSSL_PARAM_construct_utf8_ptr() and OSSL_PARAM_construct_octet_ptr() return a populated OSSL_PARAM structure. OSSL_PARAM_locate() and OSSL_PARAM_locate_const() return a pointer to -the matching OSSL_PARAM object. They return B on error or when -no object matching B exists in the B. +the matching OSSL_PARAM object. They return NULL on error or when +no object matching I exists in the I. -OSSL_PARAM_modified() returns B<1> if the parameter was set and B<0> otherwise. +OSSL_PARAM_modified() returns 1 if the parameter was set and 0 otherwise. -All other functions return B<1> on success and B<0> on failure. +All other functions return 1 on success and 0 on failure. =head1 NOTES @@ -314,9 +315,9 @@ Apart from that, the functions must be used appropriately for the expected type of the parameter. For OSSL_PARAM_construct_utf8_ptr() and OSSL_PARAM_consstruct_octet_ptr(), -B is not relevant if the purpose is to send the B array +I is not relevant if the purpose is to send the B array to a I, i.e. to get parameter data back. -In that case, B can safely be given zero. +In that case, I can safely be given zero. See L for further information on the possible purposes. From levitte at openssl.org Wed Jan 13 22:32:15 2021 From: levitte at openssl.org (Richard Levitte) Date: Wed, 13 Jan 2021 22:32:15 +0000 Subject: [openssl] master update Message-ID: <1610577135.742081.25913.nullmailer@dev.openssl.org> The branch master has been updated via ab2160895262abbb9501a859d86b8740bd850a40 (commit) from b91f41daba982d19b04eee979a39cddeddd8033c (commit) - Log ----------------------------------------------------------------- commit ab2160895262abbb9501a859d86b8740bd850a40 Author: Richard Levitte Date: Tue Jan 12 16:14:43 2021 +0100 Make the OSSL_SELF_TEST manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13849) ----------------------------------------------------------------------- Summary of changes: doc/man3/OSSL_SELF_TEST_set_callback.pod | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/man3/OSSL_SELF_TEST_set_callback.pod b/doc/man3/OSSL_SELF_TEST_set_callback.pod index beea50ff33..21d07a4aa5 100644 --- a/doc/man3/OSSL_SELF_TEST_set_callback.pod +++ b/doc/man3/OSSL_SELF_TEST_set_callback.pod @@ -24,7 +24,8 @@ See L for further information on the callback. =head1 RETURN VALUES OSSL_SELF_TEST_get_callback() returns the callback and callback argument that -has been set via OSSL_SELF_TEST_set_callback() for the given library context B. +has been set via OSSL_SELF_TEST_set_callback() for the given library context +I. These returned parameters will be NULL if OSSL_SELF_TEST_set_callback() has not been called. From levitte at openssl.org Wed Jan 13 22:34:02 2021 From: levitte at openssl.org (Richard Levitte) Date: Wed, 13 Jan 2021 22:34:02 +0000 Subject: [openssl] master update Message-ID: <1610577242.372668.30513.nullmailer@dev.openssl.org> The branch master has been updated via ad2cc1a08e67207f566e80c6b1f342294364901f (commit) from ab2160895262abbb9501a859d86b8740bd850a40 (commit) - Log ----------------------------------------------------------------- commit ad2cc1a08e67207f566e80c6b1f342294364901f Author: Richard Levitte Date: Tue Jan 12 16:05:55 2021 +0100 Make the OSSL_HTTP manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13847) ----------------------------------------------------------------------- Summary of changes: doc/man3/OSSL_HTTP_transfer.pod | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/man3/OSSL_HTTP_transfer.pod b/doc/man3/OSSL_HTTP_transfer.pod index f78d96be1f..4839b975a6 100644 --- a/doc/man3/OSSL_HTTP_transfer.pod +++ b/doc/man3/OSSL_HTTP_transfer.pod @@ -198,15 +198,15 @@ where IPv6 addresses should be enclosed in square brackets C<[> and C<]>. The port component is optional and defaults to "443" for HTTPS, else "80". If the I argument is NULL the port specification can be in mnemonic form such as "http" like with L, else -it must be in numerical form and its integer value is assigned to B<*pport_num>. +it must be in numerical form and its integer value is assigned to I<*pport_num>. The path component is also optional and defaults to "/". On success the function assigns via each non-NULL result pointer argument I, I, I, I, and I the respective url component. -On error, B<*phost>, B<*pport>, and B<*ppath> are assigned to NULL, +On error, I<*phost>, I<*pport>, and I<*ppath> are assigned to NULL, else they are guaranteed to contain non-NULL string pointers. It is the reponsibility of the caller to free them using L. -A string returned via B<*ppath> is guaranteed to begin with a C character. +A string returned via I<*ppath> is guaranteed to begin with a C character. =head1 NOTES From levitte at openssl.org Wed Jan 13 22:35:34 2021 From: levitte at openssl.org (Richard Levitte) Date: Wed, 13 Jan 2021 22:35:34 +0000 Subject: [openssl] master update Message-ID: <1610577334.789890.9885.nullmailer@dev.openssl.org> The branch master has been updated via 2645c94bb56120a6b7b7c34d70a2900aeda1637c (commit) from ad2cc1a08e67207f566e80c6b1f342294364901f (commit) - Log ----------------------------------------------------------------- commit 2645c94bb56120a6b7b7c34d70a2900aeda1637c Author: Richard Levitte Date: Tue Jan 12 16:13:42 2021 +0100 Make the OSSL_PROVIDER manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13845) ----------------------------------------------------------------------- Summary of changes: doc/man3/OSSL_PROVIDER.pod | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/man3/OSSL_PROVIDER.pod b/doc/man3/OSSL_PROVIDER.pod index fa9d45b11d..2baccfffaf 100644 --- a/doc/man3/OSSL_PROVIDER.pod +++ b/doc/man3/OSSL_PROVIDER.pod @@ -61,8 +61,8 @@ L for further details. =head2 Functions -OSSL_PROVIDER_set_default_search_path() specifies the default search B -that is to be used for looking for providers in the specified B. +OSSL_PROVIDER_set_default_search_path() specifies the default search I +that is to be used for looking for providers in the specified I. If left unspecified, an environment variable and a fall back default value will be used instead. @@ -138,7 +138,7 @@ OSSL_PROVIDER_add(), OSSL_PROVIDER_unload(), OSSL_PROVIDER_get_params() and OSSL_PROVIDER_get_capabilities() return 1 on success, or 0 on error. OSSL_PROVIDER_load() and OSSL_PROVIDER_try_load() return a pointer to a -provider object on success, or B on error. +provider object on success, or NULL on error. OSSL_PROVIDER_available() returns 1 if the named provider is available, otherwise 0. From levitte at openssl.org Wed Jan 13 22:37:30 2021 From: levitte at openssl.org (Richard Levitte) Date: Wed, 13 Jan 2021 22:37:30 +0000 Subject: [openssl] master update Message-ID: <1610577450.814315.29044.nullmailer@dev.openssl.org> The branch master has been updated via 0f2380066de6436c0e8debfad1391db134ad4c25 (commit) from 2645c94bb56120a6b7b7c34d70a2900aeda1637c (commit) - Log ----------------------------------------------------------------- commit 0f2380066de6436c0e8debfad1391db134ad4c25 Author: Richard Levitte Date: Tue Jan 12 16:24:10 2021 +0100 Make the OSSL_trace manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13842) ----------------------------------------------------------------------- Summary of changes: doc/man3/OSSL_trace_enabled.pod | 32 +++++++++---------- doc/man3/OSSL_trace_set_channel.pod | 62 ++++++++++++++++++------------------- 2 files changed, 47 insertions(+), 47 deletions(-) diff --git a/doc/man3/OSSL_trace_enabled.pod b/doc/man3/OSSL_trace_enabled.pod index d49a77936b..26168b45a3 100644 --- a/doc/man3/OSSL_trace_enabled.pod +++ b/doc/man3/OSSL_trace_enabled.pod @@ -56,7 +56,7 @@ The tracing output is divided into types which are enabled individually by the application. The tracing types are described in detail in L. -The fallback type C should I be used +The fallback type B should I be used with the functions described here. Tracing for a specific category is enabled if a so called @@ -86,10 +86,10 @@ but rather uses a set of convenience macros, see the L section below. =head2 Functions OSSL_trace_enabled() can be used to check if tracing for the given -C is enabled. +I is enabled. OSSL_trace_begin() is used to starts a tracing section, and get the -channel for the given C in form of a BIO. +channel for the given I in form of a BIO. This BIO can only be used for output. OSSL_trace_end() is used to end a tracing section. @@ -104,8 +104,8 @@ sections is undefined. There are a number of convenience macros defined, to make tracing easy and consistent. -C and C reserve -the B C and are used as follows to wrap a trace section: +OSSL_TRACE_BEGIN() and OSSL_TRACE_END() reserve the B C and are +used as follows to wrap a trace section: OSSL_TRACE_BEGIN(TLS) { @@ -124,8 +124,8 @@ This will normally expand to: OSSL_trace_end(OSSL_TRACE_CATEGORY_TLS, trc_out); } while (0); -C must be used before returning from or -jumping out of a trace section: +OSSL_TRACE_CANCEL() must be used before returning from or jumping out of a +trace section: OSSL_TRACE_BEGIN(TLS) { @@ -152,7 +152,7 @@ This will normally expand to: } while (0); -C and C, C, ... C are +OSSL_TRACE() and OSSL_TRACE1(), OSSL_TRACE2(), ... OSSL_TRACE9() are so-called one-shot macros: The macro call C, produces literal text trace output. @@ -165,14 +165,14 @@ It expands to: BIO_printf(trc_out, format, arg1, ..., argN) } OSSL_TRACE_END(category) -Internally, all one-shot macros are implemented using a generic C +Internally, all one-shot macros are implemented using a generic OSSL_TRACEV() macro, since C90 does not support variadic macros. This helper macro has a rather weird synopsis and should not be used directly. -The C macro can be used to conditionally execute -some code only if a specific trace category is enabled. +The OSSL_TRACE_ENABLED() macro can be used to conditionally execute some code +only if a specific trace category is enabled. In some situations this is simpler than entering a trace section using -C and C. +OSSL_TRACE_BEGIN() and OSSL_TRACE_END(). For example, the code if (OSSL_TRACE_ENABLED(TLS)) { @@ -230,7 +230,7 @@ When the library is built with tracing disabled: =item * -The macro C is defined in C. +The macro B is defined in C. =item * @@ -270,11 +270,11 @@ When the tracing API isn't operational, that will expand to: =head1 RETURN VALUES -OSSL_trace_enabled() returns 1 if tracing for the given B is +OSSL_trace_enabled() returns 1 if tracing for the given I is operational and enabled, otherwise 0. -OSSL_trace_begin() returns a C if the given B is enabled, -otherwise C. +OSSL_trace_begin() returns a B pointer if the given I is enabled, +otherwise NULL. =head1 HISTORY diff --git a/doc/man3/OSSL_trace_set_channel.pod b/doc/man3/OSSL_trace_set_channel.pod index 7ae19aedd3..8e88fb75e1 100644 --- a/doc/man3/OSSL_trace_set_channel.pod +++ b/doc/man3/OSSL_trace_set_channel.pod @@ -41,7 +41,7 @@ respectively. =head2 Functions OSSL_trace_set_channel() is used to enable the given trace C -by attaching the B C object as (simple) trace channel. +by attaching the B I object as (simple) trace channel. OSSL_trace_set_prefix() and OSSL_trace_set_suffix() can be used to add an extra line for each channel, to be output before and after group of @@ -53,8 +53,8 @@ tracing prefixes, consider setting a callback with OSSL_trace_set_callback() instead. OSSL_trace_set_callback() is used to enable the given trace -C by giving it the tracer callback C with the associated -data C, which will simply be passed through to C whenever +I by giving it the tracer callback I with the associated +data I, which will simply be passed through to I whenever it's called. The callback function is internally wrapped by a dedicated BIO object, the so called I. This should be used when it's desirable to do form the trace output to @@ -65,42 +65,42 @@ OSSL_trace_set_channel() and OSSL_trace_set_callback() are mutually exclusive, calling one of them will clear whatever was set by the previous call. -Calling OSSL_trace_set_channel() with C for C or -OSSL_trace_set_callback() with C for C disables tracing for -the given C +Calling OSSL_trace_set_channel() with NULL for I or +OSSL_trace_set_callback() with NULL for I disables tracing for +the given I. =head2 Trace callback -The tracer callback must return a C, which must be zero on +The tracer callback must return a B, which must be zero on error and otherwise return the number of bytes that were output. -It receives a text buffer C with C bytes of text, as well as -the C, a control number C, and the C that was +It receives a text buffer I with I bytes of text, as well as +the I, a control number I, and the I that was passed to OSSL_trace_set_callback(). The possible control numbers are: =over 4 -=item C +=item B The callback is called from OSSL_trace_begin(), which gives the callback the possibility to output a dynamic starting line, or set a prefix that should be output at the beginning of each line, or something other. -=item C +=item B This callback is called whenever data is written to the BIO by some regular BIO output routine. -An arbitrary number of C callbacks can occur -inside a group marked by a pair of C and -C calls, but never outside such a group. +An arbitrary number of B callbacks can occur +inside a group marked by a pair of B and +B calls, but never outside such a group. -=item C +=item B The callback is called from OSSL_trace_end(), which gives the callback the possibility to output a dynamic ending line, or reset the line -prefix that was set with OSSL_TRACE_CTRL_BEGIN, or something other. +prefix that was set with B, or something other. =back @@ -110,14 +110,14 @@ The trace categories are simple numbers available through macros. =over 4 -=item C +=item B Traces the OpenSSL trace API itself. More precisely, this will generate trace output any time a new trace hook is set. -=item C +=item B Traces OpenSSL library initialization and cleanup. @@ -128,15 +128,15 @@ prematurely. A suggestion is to make such cleanup part of a function that's registered very early with L. -=item C +=item B Traces the TLS/SSL protocol. -=item C +=item B Traces the ciphers used by the TLS/SSL protocol. -=item C +=item B Traces the ENGINE algorithm table selection. @@ -144,43 +144,43 @@ More precisely, engine_table_select(), the function that is used by RSA, DSA (etc) code to select registered ENGINEs, cache defaults and functional references (etc), will generate trace summaries. -=item C +=item B -Tracds the ENGINE reference counting. +Traces the ENGINE reference counting. More precisely, both reference counts in the ENGINE structure will be monitored with a line of trace output generated for each change. -=item C +=item B Traces PKCS#5 v2 key generation. -=item C +=item B Traces PKCS#12 key generation. -=item C +=item B Traces PKCS#12 decryption. -=item C +=item B Traces X509v3 policy processing. More precisely, this generates the complete policy tree at various point during evaluation. -=item C +=item B Traces BIGNUM context operations. -=item C +=item B Traces details about the provider and engine configuration. =back -There is also C, which works as a fallback +There is also B, which works as a fallback and can be used to get I trace output. Note, however, that in this case all trace output will effectively be @@ -288,7 +288,7 @@ use the tracing functionality documented here, it is therefore necessary to configure and build OpenSSL with the 'enable-trace' option. When the library is built with tracing disabled, the macro -C is defined in C and all +B is defined in C and all functions described here are inoperational, i.e. will do nothing. =head1 HISTORY From levitte at openssl.org Wed Jan 13 22:40:51 2021 From: levitte at openssl.org (Richard Levitte) Date: Wed, 13 Jan 2021 22:40:51 +0000 Subject: [openssl] master update Message-ID: <1610577651.701991.8984.nullmailer@dev.openssl.org> The branch master has been updated via 879365e6d4a53d80e83bbe468fcf2cdd02d30ba1 (commit) from 0f2380066de6436c0e8debfad1391db134ad4c25 (commit) - Log ----------------------------------------------------------------- commit 879365e6d4a53d80e83bbe468fcf2cdd02d30ba1 Author: Richard Levitte Date: Tue Jan 12 15:44:43 2021 +0100 Make header references conform with man-pages(7) in all manuals Details from man-pages(7) that are used: Formatting conventions (general) ... Filenames (whether pathnames, or references to header files) are always in italics (e.g., ), except in the SYNOPSIS section, where in? cluded files are in bold (e.g., #include ). When referring to a standard header file include, specify the header file surrounded by angle brackets, in the usual C way (e.g., ). ... Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13843) ----------------------------------------------------------------------- Summary of changes: doc/man3/ASYNC_WAIT_CTX_new.pod | 6 +++--- doc/man3/ASYNC_start_job.pod | 6 +++--- doc/man3/BIO_find_type.pod | 2 +- doc/man3/BIO_meth_new.pod | 14 +++++++------- doc/man3/CRYPTO_THREAD_run_once.pod | 13 +++++++------ doc/man3/CRYPTO_get_ex_new_index.pod | 4 ++-- doc/man3/EC_GROUP_copy.pod | 4 ++-- doc/man3/ENGINE_add.pod | 10 +++++----- doc/man3/OSSL_CRMF_pbmp_new.pod | 2 +- doc/man3/OSSL_PARAM_BLD.pod | 2 +- doc/man3/OSSL_trace_enabled.pod | 2 +- doc/man3/OSSL_trace_set_channel.pod | 2 +- doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod | 2 +- doc/man3/SSL_get_all_async_fds.pod | 6 +++--- doc/man3/X509_NAME_get_index_by_NID.pod | 4 ++-- doc/man3/X509_verify_cert.pod | 4 ++-- 16 files changed, 42 insertions(+), 41 deletions(-) diff --git a/doc/man3/ASYNC_WAIT_CTX_new.pod b/doc/man3/ASYNC_WAIT_CTX_new.pod index f1d6a02219..d6e5d38a12 100644 --- a/doc/man3/ASYNC_WAIT_CTX_new.pod +++ b/doc/man3/ASYNC_WAIT_CTX_new.pod @@ -192,12 +192,12 @@ ASYNC_WAIT_CTX_get_status() returns the engine status. =head1 NOTES -On Windows platforms the openssl/async.h header is dependent on some -of the types customarily made available by including windows.h. The +On Windows platforms the F<< >> header is dependent on some +of the types customarily made available by including F<< >>. The application developer is likely to require control over when the latter is included, commonly as one of the first included headers. Therefore, it is defined as an application developer's responsibility to include -windows.h prior to async.h. +F<< >> prior to F<< >>. =head1 SEE ALSO diff --git a/doc/man3/ASYNC_start_job.pod b/doc/man3/ASYNC_start_job.pod index 983fcf9cf4..5335ae281c 100644 --- a/doc/man3/ASYNC_start_job.pod +++ b/doc/man3/ASYNC_start_job.pod @@ -167,12 +167,12 @@ otherwise. =head1 NOTES -On Windows platforms the openssl/async.h header is dependent on some -of the types customarily made available by including windows.h. The +On Windows platforms the F<< >> header is dependent on some +of the types customarily made available by including F<< >>. The application developer is likely to require control over when the latter is included, commonly as one of the first included headers. Therefore, it is defined as an application developer's responsibility to include -windows.h prior to async.h. +F<< >> prior to F<< >>. =head1 EXAMPLES diff --git a/doc/man3/BIO_find_type.pod b/doc/man3/BIO_find_type.pod index 354e347330..32a97c55f1 100644 --- a/doc/man3/BIO_find_type.pod +++ b/doc/man3/BIO_find_type.pod @@ -24,7 +24,7 @@ found. The following general types are defined: B, B, and B. -For a list of the specific types, see the B header file. +For a list of the specific types, see the F<< >> header file. BIO_next() returns the next BIO in a chain. It can be used to traverse all BIOs in a chain or used in conjunction with BIO_find_type() to find all BIOs of a diff --git a/doc/man3/BIO_meth_new.pod b/doc/man3/BIO_meth_new.pod index b2e2c24692..a2c2848a96 100644 --- a/doc/man3/BIO_meth_new.pod +++ b/doc/man3/BIO_meth_new.pod @@ -67,13 +67,13 @@ unique integer B and a string that represents its B. Use BIO_get_new_index() to get the value for B. The set of -standard OpenSSL provided BIO types is provided in B. Some examples -include B and B. Filter BIOs should have a -type which have the "filter" bit set (B). Source/sink BIOs -should have the "source/sink" bit set (B). File descriptor -based BIOs (e.g. socket, fd, connect, accept etc) should additionally have the -"descriptor" bit set (B). See the L page for -more information. +standard OpenSSL provided BIO types is provided in F<< >>. +Some examples include B and B. Filter BIOs +should have a type which have the "filter" bit set (B). +Source/sink BIOs should have the "source/sink" bit set (B). +File descriptor based BIOs (e.g. socket, fd, connect, accept etc) should +additionally have the "descriptor" bit set (B). See the +L page for more information. BIO_meth_free() destroys a B structure and frees up any memory associated with it. diff --git a/doc/man3/CRYPTO_THREAD_run_once.pod b/doc/man3/CRYPTO_THREAD_run_once.pod index a182359f47..3a46809efe 100644 --- a/doc/man3/CRYPTO_THREAD_run_once.pod +++ b/doc/man3/CRYPTO_THREAD_run_once.pod @@ -113,12 +113,13 @@ The other functions return 1 on success, or 0 on error. =head1 NOTES On Windows platforms the CRYPTO_THREAD_* types and functions in the -openssl/crypto.h header are dependent on some of the types customarily -made available by including windows.h. The application developer is -likely to require control over when the latter is included, commonly as -one of the first included headers. Therefore, it is defined as an -application developer's responsibility to include windows.h prior to -crypto.h where use of CRYPTO_THREAD_* types and functions is required. +F<< >> header are dependent on some of the types +customarily made available by including F<< >>. The application +developer is likely to require control over when the latter is included, +commonly as one of the first included headers. Therefore, it is defined as an +application developer's responsibility to include F<< >> prior to +F<< >> where use of CRYPTO_THREAD_* types and functions is +required. =head1 EXAMPLES diff --git a/doc/man3/CRYPTO_get_ex_new_index.pod b/doc/man3/CRYPTO_get_ex_new_index.pod index 463e2c8646..d53fe8c792 100644 --- a/doc/man3/CRYPTO_get_ex_new_index.pod +++ b/doc/man3/CRYPTO_get_ex_new_index.pod @@ -62,8 +62,8 @@ The specific structures are: In addition, the B name is reserved for use by application code. -Each is identified by an B define in the B -header file. In addition, B is reserved for +Each is identified by an B define in the header file +F<< >>. In addition, B is reserved for applications to use this facility for their own structures. The API described here is used by OpenSSL to manipulate exdata for specific diff --git a/doc/man3/EC_GROUP_copy.pod b/doc/man3/EC_GROUP_copy.pod index 1dd0364d98..f1d8632236 100644 --- a/doc/man3/EC_GROUP_copy.pod +++ b/doc/man3/EC_GROUP_copy.pod @@ -214,7 +214,7 @@ EC_GROUP_get_degree() returns the degree for B or 0 if the operation is n EC_GROUP_get_field_type() returns either B for prime curves or B for binary curves; -these values are defined in the obj_mac.h header file. +these values are defined in the F<< >> header file. EC_GROUP_check_named_curve() returns the nid of the matching named curve, otherwise it returns 0 for no match, or -1 on error. @@ -232,7 +232,7 @@ EC_GROUP_set_seed() returns the length of the seed that has been set. If the sup EC_GROUP_cmp() returns 0 if the curves are equal, 1 if they are not equal, or -1 on error. -EC_GROUP_get_basis_type() returns the values NID_X9_62_tpBasis or NID_X9_62_ppBasis (as defined in ) for a +EC_GROUP_get_basis_type() returns the values NID_X9_62_tpBasis or NID_X9_62_ppBasis (as defined in F<< >>) for a trinomial or pentanomial respectively. Alternatively in the event of an error a 0 is returned. =head1 SEE ALSO diff --git a/doc/man3/ENGINE_add.pod b/doc/man3/ENGINE_add.pod index 97abc3beb0..279cfdaade 100644 --- a/doc/man3/ENGINE_add.pod +++ b/doc/man3/ENGINE_add.pod @@ -247,7 +247,7 @@ released on behalf of the caller. To clarify a particular function's handling of references, one should always consult that function's documentation "man" page, or failing that -the openssl/engine.h header file includes some hints. +the F<< >> header file includes some hints. I @@ -498,10 +498,10 @@ and input parameters of the control commands supported by an ENGINE using a structural reference. Note that some control commands are defined by OpenSSL itself and it will intercept and handle these control commands on behalf of the ENGINE, i.e. the ENGINE's ctrl() handler is not used for the control command. -openssl/engine.h defines an index, ENGINE_CMD_BASE, that all control commands -implemented by ENGINEs should be numbered from. Any command value lower than -this symbol is considered a "generic" command is handled directly by the -OpenSSL core routines. +F<< >> defines an index, ENGINE_CMD_BASE, that all control +commands implemented by ENGINEs should be numbered from. Any command value +lower than this symbol is considered a "generic" command is handled directly +by the OpenSSL core routines. It is using these "core" control commands that one can discover the control commands implemented by a given ENGINE, specifically the commands: diff --git a/doc/man3/OSSL_CRMF_pbmp_new.pod b/doc/man3/OSSL_CRMF_pbmp_new.pod index 9b4761b8ba..912426b194 100644 --- a/doc/man3/OSSL_CRMF_pbmp_new.pod +++ b/doc/man3/OSSL_CRMF_pbmp_new.pod @@ -42,7 +42,7 @@ for the random number generation (DRBG) and may be NULL for the default. =head1 NOTES The algorithms for the OWF (one-way function) and for the MAC (message -authentication code) may be any with a NID defined in C. +authentication code) may be any with a NID defined in F<< >>. As specified by RFC 4210, these should include NID_hmac_sha1. RFC 4210 recommends that the salt SHOULD be at least 8 bytes (64 bits) long, diff --git a/doc/man3/OSSL_PARAM_BLD.pod b/doc/man3/OSSL_PARAM_BLD.pod index 844b715820..acb60841e2 100644 --- a/doc/man3/OSSL_PARAM_BLD.pod +++ b/doc/man3/OSSL_PARAM_BLD.pod @@ -18,7 +18,7 @@ OSSL_PARAM_BLD_push_octet_string, OSSL_PARAM_BLD_push_octet_ptr =for openssl generic - #include "openssl/param_build.h" + #include typedef struct OSSL_PARAM_BLD; diff --git a/doc/man3/OSSL_trace_enabled.pod b/doc/man3/OSSL_trace_enabled.pod index 26168b45a3..8bf44dce7c 100644 --- a/doc/man3/OSSL_trace_enabled.pod +++ b/doc/man3/OSSL_trace_enabled.pod @@ -230,7 +230,7 @@ When the library is built with tracing disabled: =item * -The macro B is defined in C. +The macro B is defined in F<< >>. =item * diff --git a/doc/man3/OSSL_trace_set_channel.pod b/doc/man3/OSSL_trace_set_channel.pod index 8e88fb75e1..4ca2d1aef3 100644 --- a/doc/man3/OSSL_trace_set_channel.pod +++ b/doc/man3/OSSL_trace_set_channel.pod @@ -288,7 +288,7 @@ use the tracing functionality documented here, it is therefore necessary to configure and build OpenSSL with the 'enable-trace' option. When the library is built with tracing disabled, the macro -B is defined in C and all +B is defined in F<< >> and all functions described here are inoperational, i.e. will do nothing. =head1 HISTORY diff --git a/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod b/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod index a81dc76591..2b35cc1d5f 100644 --- a/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod +++ b/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod @@ -61,7 +61,7 @@ I, and set the cipher context I and the hash context I. The I is 16 characters long and is used as a key identifier. The I length is the length of the IV of the corresponding cipher. The -maximum IV length is B bytes defined in B. +maximum IV length is B bytes defined in F<< >>. The initialization vector I should be a random value. The cipher context I should use the initialisation vector I. The cipher context can be diff --git a/doc/man3/SSL_get_all_async_fds.pod b/doc/man3/SSL_get_all_async_fds.pod index c944d315d8..c0a900c436 100644 --- a/doc/man3/SSL_get_all_async_fds.pod +++ b/doc/man3/SSL_get_all_async_fds.pod @@ -60,12 +60,12 @@ SSL_get_all_async_fds() and SSL_get_changed_async_fds() return 1 on success or =head1 NOTES -On Windows platforms the openssl/async.h header is dependent on some -of the types customarily made available by including windows.h. The +On Windows platforms the F<< >> header is dependent on some +of the types customarily made available by including F<< >>. The application developer is likely to require control over when the latter is included, commonly as one of the first included headers. Therefore, it is defined as an application developer's responsibility to include -windows.h prior to async.h. +F<< >> prior to F<< >>. =head1 SEE ALSO diff --git a/doc/man3/X509_NAME_get_index_by_NID.pod b/doc/man3/X509_NAME_get_index_by_NID.pod index e005c146ff..944790377e 100644 --- a/doc/man3/X509_NAME_get_index_by_NID.pod +++ b/doc/man3/X509_NAME_get_index_by_NID.pod @@ -65,8 +65,8 @@ X509_NAME_get_entry() on any matching indices and then the various B utility functions on the result. The list of all relevant B and B can be found in -the source code header files Eopenssl/obj_mac.hE and/or -Eopenssl/objects.hE. +the source code header files F<< >> and/or +F<< >>. Applications which could pass invalid NIDs to X509_NAME_get_index_by_NID() should check for the return value of -2. Alternatively the NID validity diff --git a/doc/man3/X509_verify_cert.pod b/doc/man3/X509_verify_cert.pod index 764e4df28e..753477fd74 100644 --- a/doc/man3/X509_verify_cert.pod +++ b/doc/man3/X509_verify_cert.pod @@ -46,9 +46,9 @@ examining B using, for example L. =head1 BUGS -This function uses the header F<< >> +This function uses the header F<< >> as opposed to most chain verification -functions which use F<< >>. +functions which use F<< >>. =head1 SEE ALSO From openssl at openssl.org Thu Jan 14 01:05:24 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 14 Jan 2021 01:05:24 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm Message-ID: <1610586324.359868.4129587.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-asm Commit log since last time: 8bc5b0a570 chacha20: Properly reinitialize the cipher context with NULL key 2ed63033e4 x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST 04a1b3fa7b apps/req.c: Make sure -verify option takes effect also with -x509 0ae8d4ca9e apps/req.c: Cosmetic improvements of code and documentation 73b1d24c1a crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c b65c5ec8f5 apps/req.c: Add -copy_extensions option for use with -x509; default: none 41e597a01d Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert ea9fd333d1 apps/req.c: make -subj work with -x509; clean up related code 7836f949c2 X509_PUBKEY_set(): Fix error reporting 855c68163b apps/lib/opt.c: Fix error message on unknown option/digest f0a057dd53 Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c 6ad957f127 apps/req.c: add -CA and -CAkey options; improve code and doc 1579594383 APPS: Allow OPENSSL_CONF to be empty, not loading a config file ec2bfb7d23 apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default f2a0458731 X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert 3339606a38 d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX() 48116c2d0f Fix incorrect use of BN_CTX API 1dccccf333 Fix enable-weak-ssl-ciphers 4dd009180a x509_vfy.c: Fix a regression in find_issuer() 0cbb3602f5 Make PEM_X509_INFO_read_bio_ex() conservative on the error queue 0b7368dda0 TEST: move cert, key, and CSR loading aux functions to new testutil/load.c bf973d0697 Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 5a2d0ef36f Clean away extraneous library specific FETCH_FAILED reason codes d6d42cda5f Use centralized fetching errors 0d11846e4b Remove duplicate GENERATE declarations for .pod files 2497e2e7db Configure: warn about duplicate GENERATE declarations in build.info files 5e16ac142e Configure: clean away perl syntax faults 507f83800f Configure: Check all SOURCE declarations, to ensure consistency b209835364 v3_ocsp.c: fix indentation of include directives 3ddf44ea5a Close /dev/crypto file descriptor after CRIOGET ioctl(). 678cae0295 APPS: Print help also on -h and --h; print high-level help when no cmd given 3372039252 APPS: Fix confusion between program and app/command name used in diagnostic/help output 046a7aaa5e apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations 1f7643e86e apps/pkey.c: Re-order help output and option documentation 475d10028e apps/pkey.c: Make clear that -passout is not supported for DER output 400e2acfe0 apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL Build log ended with (last 100 lines): 30-test_engine.t ................... ok 30-test_evp.t ...................... ok 30-test_evp_extra.t ................ ok 30-test_evp_fetch_prov.t ........... ok 30-test_evp_kdf.t .................. ok 30-test_evp_libctx.t ............... ok 30-test_evp_pkey_dparam.t .......... ok 30-test_evp_pkey_provided.t ........ ok 30-test_pbelu.t .................... ok 30-test_pkey_meth.t ................ ok 30-test_pkey_meth_kdf.t ............ ok 30-test_provider_status.t .......... ok 40-test_rehash.t ................... ok 60-test_x509_check_cert_pkey.t ..... ok 60-test_x509_dup_cert.t ............ ok 60-test_x509_store.t ............... ok 60-test_x509_time.t ................ ok 61-test_bio_prefix.t ............... ok 65-test_cmp_asn.t .................. ok 65-test_cmp_client.t ............... ok 65-test_cmp_ctx.t .................. ok 65-test_cmp_hdr.t .................. ok 65-test_cmp_msg.t .................. ok 65-test_cmp_protect.t .............. ok 65-test_cmp_server.t ............... ok 65-test_cmp_status.t ............... ok 65-test_cmp_vfy.t .................. ok 66-test_ossl_store.t ............... ok 70-test_asyncio.t .................. ok 70-test_bad_dtls.t ................. ok 70-test_clienthello.t .............. ok 70-test_comp.t ..................... ok 70-test_key_share.t ................ ok 70-test_packet.t ................... ok 70-test_recordlen.t ................ ok 70-test_renegotiation.t ............ ok 70-test_servername.t ............... ok 70-test_sslcbcpadding.t ............ ok 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok make: *** [Makefile:3262: tests] Terminated make[1]: *** [Makefile:3265: _tests] Terminated From openssl at openssl.org Thu Jan 14 01:57:03 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 14 Jan 2021 01:57:03 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit Message-ID: <1610589423.172024.45362.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: 8bc5b0a570 chacha20: Properly reinitialize the cipher context with NULL key 2ed63033e4 x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST 04a1b3fa7b apps/req.c: Make sure -verify option takes effect also with -x509 0ae8d4ca9e apps/req.c: Cosmetic improvements of code and documentation 73b1d24c1a crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c b65c5ec8f5 apps/req.c: Add -copy_extensions option for use with -x509; default: none 41e597a01d Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert ea9fd333d1 apps/req.c: make -subj work with -x509; clean up related code 7836f949c2 X509_PUBKEY_set(): Fix error reporting 855c68163b apps/lib/opt.c: Fix error message on unknown option/digest f0a057dd53 Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c 6ad957f127 apps/req.c: add -CA and -CAkey options; improve code and doc 1579594383 APPS: Allow OPENSSL_CONF to be empty, not loading a config file ec2bfb7d23 apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default f2a0458731 X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert 3339606a38 d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX() 48116c2d0f Fix incorrect use of BN_CTX API 1dccccf333 Fix enable-weak-ssl-ciphers 4dd009180a x509_vfy.c: Fix a regression in find_issuer() 0cbb3602f5 Make PEM_X509_INFO_read_bio_ex() conservative on the error queue 0b7368dda0 TEST: move cert, key, and CSR loading aux functions to new testutil/load.c bf973d0697 Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 5a2d0ef36f Clean away extraneous library specific FETCH_FAILED reason codes d6d42cda5f Use centralized fetching errors 0d11846e4b Remove duplicate GENERATE declarations for .pod files 2497e2e7db Configure: warn about duplicate GENERATE declarations in build.info files 5e16ac142e Configure: clean away perl syntax faults 507f83800f Configure: Check all SOURCE declarations, to ensure consistency b209835364 v3_ocsp.c: fix indentation of include directives 3ddf44ea5a Close /dev/crypto file descriptor after CRIOGET ioctl(). 678cae0295 APPS: Print help also on -h and --h; print high-level help when no cmd given 3372039252 APPS: Fix confusion between program and app/command name used in diagnostic/help output 046a7aaa5e apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations 1f7643e86e apps/pkey.c: Re-order help output and option documentation 475d10028e apps/pkey.c: Make clear that -passout is not supported for DER output 400e2acfe0 apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL Build log ended with (last 100 lines): 70-test_sslcbcpadding.t ............ ok 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 04-test_err.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=228, Tests=3456, 1051 wallclock secs (14.38 usr 1.30 sys + 958.69 cusr 87.03 csys = 1061.40 CPU) Result: FAIL make[1]: *** [Makefile:3276: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-autoerrinit' make: *** [Makefile:3273: tests] Error 2 From openssl at openssl.org Thu Jan 14 07:33:37 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 14 Jan 2021 07:33:37 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des Message-ID: <1610609617.145928.754027.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: 8bc5b0a570 chacha20: Properly reinitialize the cipher context with NULL key 2ed63033e4 x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST 04a1b3fa7b apps/req.c: Make sure -verify option takes effect also with -x509 0ae8d4ca9e apps/req.c: Cosmetic improvements of code and documentation 73b1d24c1a crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c b65c5ec8f5 apps/req.c: Add -copy_extensions option for use with -x509; default: none 41e597a01d Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert ea9fd333d1 apps/req.c: make -subj work with -x509; clean up related code 7836f949c2 X509_PUBKEY_set(): Fix error reporting 855c68163b apps/lib/opt.c: Fix error message on unknown option/digest f0a057dd53 Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c 6ad957f127 apps/req.c: add -CA and -CAkey options; improve code and doc 1579594383 APPS: Allow OPENSSL_CONF to be empty, not loading a config file ec2bfb7d23 apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default f2a0458731 X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert 3339606a38 d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX() 48116c2d0f Fix incorrect use of BN_CTX API 1dccccf333 Fix enable-weak-ssl-ciphers 4dd009180a x509_vfy.c: Fix a regression in find_issuer() 0cbb3602f5 Make PEM_X509_INFO_read_bio_ex() conservative on the error queue 0b7368dda0 TEST: move cert, key, and CSR loading aux functions to new testutil/load.c bf973d0697 Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 5a2d0ef36f Clean away extraneous library specific FETCH_FAILED reason codes d6d42cda5f Use centralized fetching errors 0d11846e4b Remove duplicate GENERATE declarations for .pod files 2497e2e7db Configure: warn about duplicate GENERATE declarations in build.info files 5e16ac142e Configure: clean away perl syntax faults 507f83800f Configure: Check all SOURCE declarations, to ensure consistency b209835364 v3_ocsp.c: fix indentation of include directives 3ddf44ea5a Close /dev/crypto file descriptor after CRIOGET ioctl(). 678cae0295 APPS: Print help also on -h and --h; print high-level help when no cmd given 3372039252 APPS: Fix confusion between program and app/command name used in diagnostic/help output 046a7aaa5e apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations 1f7643e86e apps/pkey.c: Re-order help output and option documentation 475d10028e apps/pkey.c: Make clear that -passout is not supported for DER output 400e2acfe0 apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL Build log ended with (last 100 lines): 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 30-test_evp.t (Wstat: 512 Tests: 90 Failed: 2) Failed tests: 14, 40 Non-zero exit status: 2 30-test_evp_kdf.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=228, Tests=3458, 927 wallclock secs (14.58 usr 1.77 sys + 817.91 cusr 88.21 csys = 922.47 CPU) Result: FAIL make[1]: *** [Makefile:3199: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-des' make: *** [Makefile:3196: tests] Error 2 From matt at openssl.org Thu Jan 14 08:32:51 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 14 Jan 2021 08:32:51 +0000 Subject: [openssl] master update Message-ID: <1610613171.239338.3117.nullmailer@dev.openssl.org> The branch master has been updated via b57ec7394aace731c460b509aa84039274337600 (commit) from 879365e6d4a53d80e83bbe468fcf2cdd02d30ba1 (commit) - Log ----------------------------------------------------------------- commit b57ec7394aace731c460b509aa84039274337600 Author: David Carlier Date: Sat Jan 9 14:17:29 2021 +0000 OPENSSL_cpuid_setup FreeBSD PowerPC update Reviewed-by: Ben Kaduk Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13821) ----------------------------------------------------------------------- Summary of changes: crypto/ppccap.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/crypto/ppccap.c b/crypto/ppccap.c index 4989e43221..d2adb0a441 100644 --- a/crypto/ppccap.c +++ b/crypto/ppccap.c @@ -229,6 +229,24 @@ size_t OPENSSL_instrument_bus2(unsigned int *out, size_t cnt, size_t max) # endif #endif +#if defined(__FreeBSD__) +# include +# if __FreeBSD_version >= 1200000 +# include +# define OSSL_IMPLEMENT_GETAUXVAL + +static unsigned long getauxval(unsigned long key) +{ + unsigned long val = 0ul; + + if (elf_aux_info((int)key, &val, sizeof(val)) != 0) + return 0ul; + + return val; +} +# endif +#endif + /* I wish was universally available */ #define HWCAP 16 /* AT_HWCAP */ #define HWCAP_PPC64 (1U << 30) From matt at openssl.org Thu Jan 14 08:33:03 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 14 Jan 2021 08:33:03 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1610613183.077479.3744.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via fc4ca443c7b999bb47bec6b8ea828973e3c4c7e1 (commit) from 6e3ba20dc49ccbf12ff4c27a4d8b84dcbeb71654 (commit) - Log ----------------------------------------------------------------- commit fc4ca443c7b999bb47bec6b8ea828973e3c4c7e1 Author: David Carlier Date: Sat Jan 9 14:17:29 2021 +0000 OPENSSL_cpuid_setup FreeBSD PowerPC update Reviewed-by: Ben Kaduk Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13821) (cherry picked from commit b57ec7394aace731c460b509aa84039274337600) ----------------------------------------------------------------------- Summary of changes: crypto/ppccap.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/crypto/ppccap.c b/crypto/ppccap.c index b12cd949cc..1d62226965 100644 --- a/crypto/ppccap.c +++ b/crypto/ppccap.c @@ -214,6 +214,24 @@ size_t OPENSSL_instrument_bus2(unsigned int *out, size_t cnt, size_t max) # endif #endif +#if defined(__FreeBSD__) +# include +# if __FreeBSD_version >= 1200000 +# include +# define OSSL_IMPLEMENT_GETAUXVAL + +static unsigned long getauxval(unsigned long key) +{ + unsigned long val = 0ul; + + if (elf_aux_info((int)key, &val, sizeof(val)) != 0) + return 0ul; + + return val; +} +# endif +#endif + /* I wish was universally available */ #define HWCAP 16 /* AT_HWCAP */ #define HWCAP_PPC64 (1U << 30) From matt at openssl.org Thu Jan 14 08:38:15 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 14 Jan 2021 08:38:15 +0000 Subject: [openssl] master update Message-ID: <1610613495.432691.5531.nullmailer@dev.openssl.org> The branch master has been updated via 5eb24fbd1c3e0d130ba7f81f1ccf457a2b9d75ad (commit) from b57ec7394aace731c460b509aa84039274337600 (commit) - Log ----------------------------------------------------------------- commit 5eb24fbd1c3e0d130ba7f81f1ccf457a2b9d75ad Author: David Carlier Date: Wed Dec 9 20:23:32 2020 +0000 OPENSSL_cpuid_setup FreeBSD arm update. when possible using the getauxval equivalent which has similar ids as Linux, instead of bad instructions catch approach. Reviewed-by: Ben Kaduk Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13650) ----------------------------------------------------------------------- Summary of changes: crypto/armcap.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/crypto/armcap.c b/crypto/armcap.c index 7bd82f8ebc..6c0acda244 100644 --- a/crypto/armcap.c +++ b/crypto/armcap.c @@ -71,6 +71,23 @@ void OPENSSL_cpuid_setup(void) __attribute__ ((constructor)); # define OSSL_IMPLEMENT_GETAUXVAL # endif # endif +# if defined(__FreeBSD__) +# include +# if __FreeBSD_version >= 1200000 +# include +# define OSSL_IMPLEMENT_GETAUXVAL + +static unsigned long getauxval(unsigned long key) +{ + unsigned long val = 0ul; + + if (elf_aux_info((int)key, &val, sizeof(val)) != 0) + return 0ul; + + return val; +} +# endif +# endif /* * ARM puts the feature bits for Crypto Extensions in AT_HWCAP2, whereas From matt at openssl.org Thu Jan 14 08:38:28 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 14 Jan 2021 08:38:28 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1610613508.625370.6513.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via dfe07182aac02b962a5a72d86cab69e59e90aeca (commit) from fc4ca443c7b999bb47bec6b8ea828973e3c4c7e1 (commit) - Log ----------------------------------------------------------------- commit dfe07182aac02b962a5a72d86cab69e59e90aeca Author: David Carlier Date: Wed Dec 9 20:23:32 2020 +0000 OPENSSL_cpuid_setup FreeBSD arm update. when possible using the getauxval equivalent which has similar ids as Linux, instead of bad instructions catch approach. Reviewed-by: Ben Kaduk Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13650) (cherry picked from commit 5eb24fbd1c3e0d130ba7f81f1ccf457a2b9d75ad) ----------------------------------------------------------------------- Summary of changes: crypto/armcap.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/crypto/armcap.c b/crypto/armcap.c index 58e54f0da2..53c2855883 100644 --- a/crypto/armcap.c +++ b/crypto/armcap.c @@ -69,6 +69,23 @@ void OPENSSL_cpuid_setup(void) __attribute__ ((constructor)); # define OSSL_IMPLEMENT_GETAUXVAL # endif # endif +# if defined(__FreeBSD__) +# include +# if __FreeBSD_version >= 1200000 +# include +# define OSSL_IMPLEMENT_GETAUXVAL + +static unsigned long getauxval(unsigned long key) +{ + unsigned long val = 0ul; + + if (elf_aux_info((int)key, &val, sizeof(val)) != 0) + return 0ul; + + return val; +} +# endif +# endif /* * ARM puts the feature bits for Crypto Extensions in AT_HWCAP2, whereas From levitte at openssl.org Thu Jan 14 09:38:13 2021 From: levitte at openssl.org (Richard Levitte) Date: Thu, 14 Jan 2021 09:38:13 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1610617093.360901.3258.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via cfd7225fbb9507b2e443a494459bdaab5236d29d (commit) from dfe07182aac02b962a5a72d86cab69e59e90aeca (commit) - Log ----------------------------------------------------------------- commit cfd7225fbb9507b2e443a494459bdaab5236d29d Author: Todd Short Date: Wed Sep 2 16:57:46 2020 -0400 Fix -static builds Pull in check from #10878 Move disabling of pic, threads and statics up higher before they are checked. Fixes #12772 Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/12773) ----------------------------------------------------------------------- Summary of changes: Configure | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Configure b/Configure index 1d73d06e1b..f25b84bff2 100755 --- a/Configure +++ b/Configure @@ -1201,6 +1201,10 @@ foreach (keys %useradd) { # At this point, we can forget everything about %user and %useradd, # because it's now all been merged into the corresponding $config entry +if (grep { $_ eq '-static' } @{$config{LDFLAGS}}) { + disable('static', 'pic', 'threads'); +} + # Allow overriding the build file name $config{build_file} = env('BUILDFILE') || $target{build_file} || "Makefile"; @@ -1521,10 +1525,6 @@ if ($strict_warnings) } } -if (grep { $_ eq '-static' } @{$config{LDFLAGS}}) { - disable('static', 'pic', 'threads'); -} - $config{CFLAGS} = [ map { $_ eq '--ossl-strict-warnings' ? @strict_warnings_collection : ( $_ ) } From beldmit at gmail.com Thu Jan 14 10:21:08 2021 From: beldmit at gmail.com (beldmit at gmail.com) Date: Thu, 14 Jan 2021 10:21:08 +0000 Subject: [openssl] master update Message-ID: <1610619668.122983.11798.nullmailer@dev.openssl.org> The branch master has been updated via 4369a882a565c42673b28c586a5c46a8bca98d17 (commit) from 5eb24fbd1c3e0d130ba7f81f1ccf457a2b9d75ad (commit) - Log ----------------------------------------------------------------- commit 4369a882a565c42673b28c586a5c46a8bca98d17 Author: Dmitry Belyavskiy Date: Wed Jan 13 08:51:39 2021 +0100 Skip BOM when reading the config file Fixes #13840 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/13857) ----------------------------------------------------------------------- Summary of changes: crypto/conf/conf_def.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c index a7f5677a26..99063eaf68 100644 --- a/crypto/conf/conf_def.c +++ b/crypto/conf/conf_def.c @@ -194,6 +194,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) BUF_MEM *buff = NULL; char *s, *p, *end; int again; + int first_call = 1; long eline = 0; char btmp[DECIMAL_SIZE(eline) + 1]; CONF_VALUE *v = NULL, *tv; @@ -243,6 +244,19 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) goto err; p[CONFBUFSIZE - 1] = '\0'; ii = i = strlen(p); + if (first_call) { + /* Other BOMs imply unsupported multibyte encoding, + * so don't strip them and let the error raise */ + const unsigned char utf8_bom[3] = {0xEF, 0xBB, 0xBF}; + + if (i >= 3 && memcmp(p, utf8_bom, 3) == 0) { + memmove(p, p + 3, i - 3); + p[i - 3] = 0; + i -= 3; + ii -= 3; + } + first_call = 0; + } if (i == 0 && !again) { /* the currently processed BIO is NULL or at EOF */ BIO *parent; From beldmit at gmail.com Thu Jan 14 10:24:29 2021 From: beldmit at gmail.com (beldmit at gmail.com) Date: Thu, 14 Jan 2021 10:24:29 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1610619869.990591.13255.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 2a9785c252df6836da90da33aaeed8edb506e556 (commit) from cfd7225fbb9507b2e443a494459bdaab5236d29d (commit) - Log ----------------------------------------------------------------- commit 2a9785c252df6836da90da33aaeed8edb506e556 Author: Dmitry Belyavskiy Date: Wed Jan 13 08:51:39 2021 +0100 Skip BOM when reading the config file Fixes #13840 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/13857) (cherry picked from commit 4369a882a565c42673b28c586a5c46a8bca98d17) ----------------------------------------------------------------------- Summary of changes: crypto/conf/conf_def.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c index 3d710f12ae..c097ec1286 100644 --- a/crypto/conf/conf_def.c +++ b/crypto/conf/conf_def.c @@ -185,6 +185,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) BUF_MEM *buff = NULL; char *s, *p, *end; int again; + int first_call = 1; long eline = 0; char btmp[DECIMAL_SIZE(eline) + 1]; CONF_VALUE *v = NULL, *tv; @@ -233,6 +234,19 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) BIO_gets(in, p, CONFBUFSIZE - 1); p[CONFBUFSIZE - 1] = '\0'; ii = i = strlen(p); + if (first_call) { + /* Other BOMs imply unsupported multibyte encoding, + * so don't strip them and let the error raise */ + const unsigned char utf8_bom[3] = {0xEF, 0xBB, 0xBF}; + + if (i >= 3 && memcmp(p, utf8_bom, 3) == 0) { + memmove(p, p + 3, i - 3); + p[i - 3] = 0; + i -= 3; + ii -= 3; + } + first_call = 0; + } if (i == 0 && !again) { /* the currently processed BIO is at EOF */ BIO *parent; From levitte at openssl.org Thu Jan 14 10:38:59 2021 From: levitte at openssl.org (Richard Levitte) Date: Thu, 14 Jan 2021 10:38:59 +0000 Subject: [openssl] master update Message-ID: <1610620739.822642.16355.nullmailer@dev.openssl.org> The branch master has been updated via f5f4fbaa44af055e0658c6810b91aa8607e8383a (commit) from 4369a882a565c42673b28c586a5c46a8bca98d17 (commit) - Log ----------------------------------------------------------------- commit f5f4fbaa44af055e0658c6810b91aa8607e8383a Author: Richard Levitte Date: Tue Jan 12 15:41:10 2021 +0100 Make the OSSL_CMP manual conform with man-pages(7) Details from man-pages(7) that are used: Formatting conventions for manual pages describing functions ... Variable names should, like argument names, be specified in italics. ... Formatting conventions (general) ... Special macros, which are usually in uppercase, are in bold. Exception: don't boldface NULL. ... Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13846) ----------------------------------------------------------------------- Summary of changes: doc/man3/OSSL_CMP_CTX_new.pod | 2 +- doc/man3/OSSL_CMP_ITAV_set0.pod | 18 +++++++++--------- doc/man3/OSSL_CMP_MSG_get0_header.pod | 4 ++-- doc/man3/OSSL_CMP_MSG_http_perform.pod | 4 ++-- doc/man3/OSSL_CMP_SRV_CTX_new.pod | 8 ++++---- doc/man3/OSSL_CMP_STATUSINFO_new.pod | 8 ++++---- doc/man3/OSSL_CMP_exec_certreq.pod | 32 ++++++++++++++++---------------- doc/man3/OSSL_CMP_log_open.pod | 15 ++++++++------- doc/man3/OSSL_CMP_validate_msg.pod | 10 +++++----- 9 files changed, 51 insertions(+), 50 deletions(-) diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index b468c93272..c2dfce7389 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -313,7 +313,7 @@ OSSL_CMP_OPT_LOG_VERBOSITY context option to the given level. OSSL_CMP_CTX_print_errors() outputs any entries in the OpenSSL error queue. It is similar to L but uses the CMP log callback function -if set in the C for uniformity with CMP logging if given. Otherwise it uses +if set in the I for uniformity with CMP logging if given. Otherwise it uses L to print to STDERR (unless OPENSSL_NO_STDIO is defined). OSSL_CMP_CTX_set1_serverPath() sets the HTTP path of the CMP server on the host, diff --git a/doc/man3/OSSL_CMP_ITAV_set0.pod b/doc/man3/OSSL_CMP_ITAV_set0.pod index 276daa7d51..cca4537fd8 100644 --- a/doc/man3/OSSL_CMP_ITAV_set0.pod +++ b/doc/man3/OSSL_CMP_ITAV_set0.pod @@ -29,21 +29,21 @@ ITAV is short for InfoTypeAndValue. This type is defined in RFC 4210 section 5.3.19 and Appendix F. It is used at various places in CMP messages, e.g., in the generalInfo PKIHeader field, to hold a key-value pair. -OSSL_CMP_ITAV_create() creates a new OSSL_CMP_ITAV structure and fills it in. -It combines B and B. +OSSL_CMP_ITAV_create() creates a new B structure and fills it in. +It combines OSSL_CMP_ITAV_new() and OSSL_CMP_ITAV_set0(). -OSSL_CMP_ITAV_set0() sets the B with an infoType of B and an -infoValue of B. This function uses the pointers B and B +OSSL_CMP_ITAV_set0() sets the I with an infoType of I and an +infoValue of I. This function uses the pointers I and I internally, so they must B be freed up after the call. OSSL_CMP_ITAV_get0_type() returns a direct pointer to the infoType in the -B. +I. OSSL_CMP_ITAV_get0_value() returns a direct pointer to the infoValue in -the B as generic ASN1_TYPE*. +the I as generic B pointer. -OSSL_CMP_ITAV_push0_stack_item() pushes B to the stack pointed to -by B<*itav_sk_p>. It creates a new stack if B<*itav_sk_p> points to NULL. +OSSL_CMP_ITAV_push0_stack_item() pushes I to the stack pointed to +by I<*itav_sk_p>. It creates a new stack if I<*itav_sk_p> points to NULL. =head1 NOTES @@ -65,7 +65,7 @@ OSSL_CMP_ITAV_push0_stack_item() returns 1 on success, 0 on error. The following code creates and sets a structure representing a generic InfoTypeAndValue sequence, using an OID created from text as type, and an -integer as value. Afterwards, it is pushed to the OSSL_CMP_CTX to be later +integer as value. Afterwards, it is pushed to the B to be later included in the requests' PKIHeader's genInfo field. ASN1_OBJECT *type = OBJ_txt2obj("1.2.3.4.5", 1); diff --git a/doc/man3/OSSL_CMP_MSG_get0_header.pod b/doc/man3/OSSL_CMP_MSG_get0_header.pod index 8503b74b7c..3896eb0dfb 100644 --- a/doc/man3/OSSL_CMP_MSG_get0_header.pod +++ b/doc/man3/OSSL_CMP_MSG_get0_header.pod @@ -39,9 +39,9 @@ then it copies the subject DN from there if I is set or the I does not include a subjectAltName. The I defines the request identifier to use, which typically is 0. -OSSL_CMP_MSG_read() loads a DER-encoded OSSL_CMP_MSG from B. +OSSL_CMP_MSG_read() loads a DER-encoded OSSL_CMP_MSG from I. -OSSL_CMP_MSG_write() stores the given OSSL_CMP_MSG to B in DER encoding. +OSSL_CMP_MSG_write() stores the given OSSL_CMP_MSG to I in DER encoding. d2i_OSSL_CMP_MSG_bio() parses an ASN.1-encoded OSSL_CMP_MSG from the BIO I. It assigns a pointer to the new structure to I<*msg> if I is not NULL. diff --git a/doc/man3/OSSL_CMP_MSG_http_perform.pod b/doc/man3/OSSL_CMP_MSG_http_perform.pod index 344c6b7763..97621088f7 100644 --- a/doc/man3/OSSL_CMP_MSG_http_perform.pod +++ b/doc/man3/OSSL_CMP_MSG_http_perform.pod @@ -14,8 +14,8 @@ OSSL_CMP_MSG_http_perform =head1 DESCRIPTION -OSSL_CMP_MSG_http_perform() sends the given PKIMessage B -to the CMP server specified in B via L +OSSL_CMP_MSG_http_perform() sends the given PKIMessage I +to the CMP server specified in I via L and optionally L, using any "CMP alias" optionally specified via L. The default port is 80 for HTTP and 443 for HTTPS; the default path is "/". diff --git a/doc/man3/OSSL_CMP_SRV_CTX_new.pod b/doc/man3/OSSL_CMP_SRV_CTX_new.pod index a69df1b47d..96dd78e3ff 100644 --- a/doc/man3/OSSL_CMP_SRV_CTX_new.pod +++ b/doc/man3/OSSL_CMP_SRV_CTX_new.pod @@ -91,8 +91,8 @@ the respective callback function (if present) for more specific processing, and then assembles a result message, which may be a CMP error message. OSSL_CMP_CTX_server_perform() is an interface to -B that can be used by a CMP client -in the same way as B. +OSSL_CMP_SRV_process_request() that can be used by a CMP client +in the same way as L. The B must be set as I of I. OSSL_CMP_SRV_CTX_new() creates and initializes an B structure @@ -112,7 +112,7 @@ type of CMP message is not supported by the server. OSSL_CMP_SRV_CTX_get0_cmp_ctx() returns the B from the I. OSSL_CMP_SRV_CTX_get0_custom_ctx() returns the custom server context from -I that has been set using B. +I that has been set using OSSL_CMP_SRV_CTX_init(). OSSL_CMP_SRV_CTX_set_send_unprotected_errors() enables sending error messages and other forms of negative responses unprotected. @@ -144,7 +144,7 @@ OSSL_CMP_SRV_CTX_get0_cmp_ctx() returns a B structure on success, NULL on error. OSSL_CMP_SRV_CTX_get0_custom_ctx() returns the custom server context -that has been set using B. +that has been set using OSSL_CMP_SRV_CTX_init(). All other functions return 1 on success, 0 on error. diff --git a/doc/man3/OSSL_CMP_STATUSINFO_new.pod b/doc/man3/OSSL_CMP_STATUSINFO_new.pod index 2409b8cef1..fe484f6c76 100644 --- a/doc/man3/OSSL_CMP_STATUSINFO_new.pod +++ b/doc/man3/OSSL_CMP_STATUSINFO_new.pod @@ -25,16 +25,16 @@ OpenSSL. OSSL_CMP_STATUSINFO_new() creates a new PKIStatusInfo structure and fills in the given values. -It sets the status field to B, -copies B (unless it is NULL) to statusString, -and interprets B as bit pattern for the failInfo field. +It sets the status field to I, +copies I (unless it is NULL) to statusString, +and interprets I as bit pattern for the failInfo field. OSSL_CMP_snprint_PKIStatusInfo() places a human-readable string representing the given statusInfo in the given buffer, with the given maximal length. OSSL_CMP_CTX_snprint_PKIStatus() places a human-readable string -representing the PKIStatusInfo components of the CMP context B +representing the PKIStatusInfo components of the CMP context I in the given buffer, with the given maximal length. =head1 NOTES diff --git a/doc/man3/OSSL_CMP_exec_certreq.pod b/doc/man3/OSSL_CMP_exec_certreq.pod index 55fa73f563..895a8a9497 100644 --- a/doc/man3/OSSL_CMP_exec_certreq.pod +++ b/doc/man3/OSSL_CMP_exec_certreq.pod @@ -46,7 +46,7 @@ credentials the client can use for authenticating itself to the client. In order to authenticate the server the client typically needs a trust store. The functions return their respective main results directly, while there are also accessor functions for retrieving various results and status information -from the B. See L etc. for details. +from the I. See L etc. for details. The default conveying protocol is HTTP. Timeout values may be given per request-response pair and per transaction. @@ -64,10 +64,10 @@ These four types of certificate enrollment are implemented as macros calling OSSL_CMP_exec_certreq(). OSSL_CMP_exec_certreq() performs a certificate request of the type specified -by the B parameter, which may be IR, CR, P10CR, or KUR. +by the I parameter, which may be IR, CR, P10CR, or KUR. For IR, CR, and KUR, the certificate template to be used in the request -may be supplied via the B parameter pointing to a CRMF structure. -Typically B is NULL, then the template ingredients are taken from B +may be supplied via the I parameter pointing to a CRMF structure. +Typically I is NULL, then the template ingredients are taken from I and need to be filled in using L, L, L, etc. For P10CR, L needs to be used instead. @@ -77,11 +77,11 @@ CA (or an intermedate PKI component) can fully process and answer the request. OSSL_CMP_try_certreq() is an alternative to the above functions that is more flexible regarding what to do after receiving a checkAfter value. When called for the first time (with no certificate request in progress for -the given B) it starts a new transaction by sending a certificate request -constructed as stated above using the B and optional B parameter. -Otherwise (when according to B a 'waiting' status has been received before) +the given I) it starts a new transaction by sending a certificate request +constructed as stated above using the I and optional I parameter. +Otherwise (when according to I a 'waiting' status has been received before) it continues polling for the pending request -unless the B argument is < 0, which aborts the request. +unless the I argument is < 0, which aborts the request. If the requested certificate is available the function returns 1 and the caller can use L to retrieve the new certificate. If no error occurred but no certificate is available yet then @@ -95,11 +95,11 @@ OSSL_CMP_try_certreq() again with the same parameter values as before. OSSL_CMP_try_certreq() then polls to see whether meanwhile the requested certificate is available. If the caller decides to abort the pending certificate request and provides -a negative value as the B argument then OSSL_CMP_try_certreq() +a negative value as the I argument then OSSL_CMP_try_certreq() aborts the CMP transaction by sending an error message to the server. OSSL_CMP_exec_RR_ses() requests the revocation of the certificate -specified in the B using L. +specified in the I using L. RFC 4210 is vague in which PKIStatus should be returned by the server. We take "accepted" and "grantedWithMods" as clear success and handle "revocationWarning" and "revocationNotification" just as warnings because CAs @@ -109,7 +109,7 @@ make no sense for revocation and thus are treated as an error as well. OSSL_CMP_exec_GENM_ses() sends a general message containing the sequence of infoType and infoValue pairs (InfoTypeAndValue; short: B) -provided in the B using L. +provided in the I using L. It returns the list of Bs received in the GenRep. This can be used, for instance, to poll for CRLs or CA Key Updates. See RFC 4210 section 5.3.19 and appendix E.5 for details. @@ -125,7 +125,7 @@ So far the CMP client implementation is limited to one request per CMP message OSSL_CMP_exec_certreq(), OSSL_CMP_exec_IR_ses(), OSSL_CMP_exec_CR_ses(), OSSL_CMP_exec_P10CR_ses(), and OSSL_CMP_exec_KUR_ses() return a -pointer to the newly obtained X509 certificate on success, B on error. +pointer to the newly obtained X509 certificate on success, NULL on error. This pointer will be freed implicitly by OSSL_CMP_CTX_free() or CSSL_CMP_CTX_reinit(). @@ -134,15 +134,15 @@ via L or on successfully aborting a pending certificate request, 0 on error, and -1 in case a 'waiting' status has been received and checkAfter value is available. In the latter case L yields NULL -and the output parameter B has been used to -assign the received value unless B is NULL. +and the output parameter I has been used to +assign the received value unless I is NULL. OSSL_CMP_exec_RR_ses() returns the -pointer to the revoked certificate on success, B on error. +pointer to the revoked certificate on success, NULL on error. This pointer will be freed implicitly by OSSL_CMP_CTX_free(). OSSL_CMP_exec_GENM_ses() returns a -pointer to the received B sequence on success, B on error. +pointer to the received B sequence on success, NULL on error. This pointer must be freed by the caller. =head1 EXAMPLES diff --git a/doc/man3/OSSL_CMP_log_open.pod b/doc/man3/OSSL_CMP_log_open.pod index 5c6b924bda..1467a78147 100644 --- a/doc/man3/OSSL_CMP_log_open.pod +++ b/doc/man3/OSSL_CMP_log_open.pod @@ -72,10 +72,10 @@ a message string describing the nature of the event, terminated by '\n'. Even when an activity is successful some warnings may be useful and some degree of auditing may be required. Therefore, the logging facility supports a severity -level and the callback function has a B parameter indicating such a +level and the callback function has a I parameter indicating such a level, such that error, warning, info, debug, etc. can be treated differently. The callback is activated only when the severity level is sufficient according -to the current level of verbosity, which by default is OSSL_CMP_LOG_INFO. +to the current level of verbosity, which by default is B. The callback function may itself do non-trivial tasks like writing to a log file or remote stream, which in turn may fail. @@ -92,14 +92,15 @@ any pending CMP-specific log output and deallocate related resources. It may be called multiple times. It does get called at OpenSSL stutdown. OSSL_CMP_print_to_bio() prints the given component info, filename, line number, -severity level, and log message or error queue message to the given B. -B usually is a function or module name. +severity level, and log message or error queue message to the given I. +I usually is a function or module name. If it is NULL, empty, or "(unknown function)" then "CMP" is used as fallback. OSSL_CMP_print_errors_cb() outputs any entries in the OpenSSL error queue. -It is similar to B but uses the CMP log callback function -C for uniformity with CMP logging if not B. Otherwise it prints to -STDERR using B (unless OPENSSL_NO_STDIO is defined). +It is similar to L but uses the CMP log callback +function I for uniformity with CMP logging if not NULL. Otherwise it +prints to STDERR using L (unless B +is defined). =head1 RETURN VALUES diff --git a/doc/man3/OSSL_CMP_validate_msg.pod b/doc/man3/OSSL_CMP_validate_msg.pod index ed2ff6c2c6..5ada09a6fe 100644 --- a/doc/man3/OSSL_CMP_validate_msg.pod +++ b/doc/man3/OSSL_CMP_validate_msg.pod @@ -19,17 +19,17 @@ This is the API for validating the protection of CMP messages, which includes validating CMP message sender certificates and their paths while optionally checking the revocation status of the certificates(s). -OSSL_CMP_validate_msg() validates the protection of the given C +OSSL_CMP_validate_msg() validates the protection of the given I using either password-based mac (PBM) or a signature algorithm. In case of signature algorithm, the certificate to use for the signature check is preferably the one provided by a call to L. If no such sender cert has been pinned then candidate sender certificates are -taken from the list of certificates received in the C extraCerts, then any +taken from the list of certificates received in the I extraCerts, then any certificates provided before via L, and then all trusted certificates provided via L, where a candidate is acceptable only if has not expired, its subject DN matches -the C sender DN (as far as present), and its subject key identifier +the I sender DN (as far as present), and its subject key identifier is present and matches the senderKID (as far as the latter present). Each acceptable cert is tried in the given order to see if the message signature check succeeds and the cert and its path can be verified @@ -37,7 +37,7 @@ using any trust store set via L. If the option OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR was set by calling L, for an Initialization Response (IP) message -any self-issued certificate from the C extraCerts field may also be used +any self-issued certificate from the I extraCerts field may also be used as trust anchor for the path verification of an acceptable cert if it can be used also to validate the issued certificate returned in the IP message. This is according to TS 33.310 [Network Domain Security (NDS); Authentication Framework @@ -48,7 +48,7 @@ validating the signatures of subsequent messages in the same transaction. OSSL_CMP_validate_cert_path() attempts to validate the given certificate and its path using the given store of trusted certs (possibly including CRLs and a cert -verification callback) and non-trusted intermediate certs from the B. +verification callback) and non-trusted intermediate certs from the I. =head1 NOTES From dev at ddvo.net Thu Jan 14 13:34:12 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Thu, 14 Jan 2021 13:34:12 +0000 Subject: [openssl] master update Message-ID: <1610631252.325835.4715.nullmailer@dev.openssl.org> The branch master has been updated via c476c06f507a2c64a59c8cc86f2109aa00cf5133 (commit) from f5f4fbaa44af055e0658c6810b91aa8607e8383a (commit) - Log ----------------------------------------------------------------- commit c476c06f507a2c64a59c8cc86f2109aa00cf5133 Author: Dr. David von Oheimb Date: Thu Jan 7 20:02:39 2021 +0100 find_issuer(): When returning an expired issuer, take the most recently expired one Also point out in the documenting comment that a non-expired issuer is preferred. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13805) ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_vfy.c | 12 +++++++----- doc/man1/openssl-verification-options.pod | 2 ++ 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index f5849a5603..1bef0a3665 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -316,10 +316,10 @@ static int sk_X509_contains(STACK_OF(X509) *sk, X509 *cert) } /* - * Find in given STACK_OF(X509) sk an issuer cert of given cert x. - * The issuer must not yet be in ctx->chain, where the exceptional case - * that x is self-issued and ctx->chain has just one element is allowed. - * Prefer the first one that is not expired, else take the last expired one. + * Find in given STACK_OF(X509) |sk| an issuer cert (if any) of given cert |x|. + * The issuer must not yet be in |ctx->chain|, yet allowing the exception that + * |x| is self-issued and |ctx->chain| has just one element. + * Prefer the first non-expired one, else take the most recently expired one. */ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { @@ -333,7 +333,9 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) || !sk_X509_contains(ctx->chain, issuer))) { if (x509_check_cert_time(ctx, issuer, -1)) return issuer; - rv = issuer; + if (rv == NULL || ASN1_TIME_compare(X509_get0_notAfter(issuer), + X509_get0_notAfter(rv)) > 0) + rv = issuer; } } return rv; diff --git a/doc/man1/openssl-verification-options.pod b/doc/man1/openssl-verification-options.pod index af1c7e3a43..620eacf5cc 100644 --- a/doc/man1/openssl-verification-options.pod +++ b/doc/man1/openssl-verification-options.pod @@ -36,6 +36,8 @@ name of the current certificate are subject to further tests. The relevant authority key identifier components of the current certificate (if present) must match the subject key identifier (if present) and issuer and serial number of the candidate issuer certificate. +If there is such a certificate, the first one found that is currently valid +is taken, otherwise the one that expired most recently of all such certificates. The lookup first searches for issuer certificates in the trust store. If it does not find a match there it consults From dev at ddvo.net Thu Jan 14 13:36:39 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Thu, 14 Jan 2021 13:36:39 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1610631399.194546.4424.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via fb1e2411042f0367c2560e4ec5e4b1189ca9cd45 (commit) from 2a9785c252df6836da90da33aaeed8edb506e556 (commit) - Log ----------------------------------------------------------------- commit fb1e2411042f0367c2560e4ec5e4b1189ca9cd45 Author: Dr. David von Oheimb Date: Wed Dec 30 09:57:49 2020 +0100 X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert This is the backport of #13755 to v1.1.1. Fixes #13698 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13756) ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_cmp.c | 20 +++++++++++--------- crypto/x509/x_all.c | 2 +- crypto/x509v3/v3_purp.c | 3 ++- doc/man3/X509_get_extension_flags.pod | 9 +++++++-- include/openssl/x509v3.h | 5 +++-- test/certs/invalid-cert.pem | 19 +++++++++++++++++++ test/recipes/80-test_x509aux.t | 13 ++++++++----- test/x509aux.c | 17 +++++++++++------ 8 files changed, 62 insertions(+), 26 deletions(-) create mode 100644 test/certs/invalid-cert.pem diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index ad620af0af..c9d8933640 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -133,19 +133,21 @@ unsigned long X509_subject_name_hash_old(X509 *x) */ int X509_cmp(const X509 *a, const X509 *b) { - int rv; + int rv = 0; if (a == b) /* for efficiency */ return 0; - /* ensure hash is valid */ - if (X509_check_purpose((X509 *)a, -1, 0) != 1) - return -2; - if (X509_check_purpose((X509 *)b, -1, 0) != 1) - return -2; - - rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH); - if (rv) + + /* try to make sure hash is valid */ + (void)X509_check_purpose((X509 *)a, -1, 0); + (void)X509_check_purpose((X509 *)b, -1, 0); + + if ((a->ex_flags & EXFLAG_NO_FINGERPRINT) == 0 + && (b->ex_flags & EXFLAG_NO_FINGERPRINT) == 0) + rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH); + if (rv != 0) return rv; + /* Check for match against stored encoding too */ if (!a->cert_info.enc.modified && !b->cert_info.enc.modified) { if (a->cert_info.enc.len < b->cert_info.enc.len) diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c index aa5ccba448..bec850af57 100644 --- a/crypto/x509/x_all.c +++ b/crypto/x509/x_all.c @@ -363,7 +363,7 @@ int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md, unsigned int *len) { if (type == EVP_sha1() && (data->ex_flags & EXFLAG_SET) != 0 - && (data->ex_flags & EXFLAG_INVALID) == 0) { + && (data->ex_flags & EXFLAG_NO_FINGERPRINT) == 0) { /* Asking for SHA1 and we already computed it. */ if (len != NULL) *len = sizeof(data->sha1_hash); diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 2b06dba053..93b5ca4d42 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -391,7 +391,8 @@ static void x509v3_cache_extensions(X509 *x) } if (!X509_digest(x, EVP_sha1(), x->sha1_hash, NULL)) - x->ex_flags |= EXFLAG_INVALID; + x->ex_flags |= (EXFLAG_NO_FINGERPRINT | EXFLAG_INVALID); + /* V1 should mean no extensions ... */ if (!X509_get_version(x)) x->ex_flags |= EXFLAG_V1; diff --git a/doc/man3/X509_get_extension_flags.pod b/doc/man3/X509_get_extension_flags.pod index 43c9c952c6..cca72c71fc 100644 --- a/doc/man3/X509_get_extension_flags.pod +++ b/doc/man3/X509_get_extension_flags.pod @@ -78,12 +78,17 @@ The certificate contains an unhandled critical extension. =item B -Some certificate extension values are invalid or inconsistent. The -certificate should be rejected. +Some certificate extension values are invalid or inconsistent. +The certificate should be rejected. This bit may also be raised after an out-of-memory error while processing the X509 object, so it may not be related to the processed ASN1 object itself. +=item B + +Failed to compute the internal SHA1 hash value of the certificate. +This may be due to malloc failure or because no SHA1 implementation was found. + =item B The NID_certificate_policies certificate extension is invalid or diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h index 6c6eca38a5..b9a8943273 100644 --- a/include/openssl/x509v3.h +++ b/include/openssl/x509v3.h @@ -364,8 +364,9 @@ struct ISSUING_DIST_POINT_st { # define EXFLAG_INVALID_POLICY 0x800 # define EXFLAG_FRESHEST 0x1000 -/* Self signed */ -# define EXFLAG_SS 0x2000 +# define EXFLAG_SS 0x2000 /* cert is apparently self-signed */ + +# define EXFLAG_NO_FINGERPRINT 0x100000 # define KU_DIGITAL_SIGNATURE 0x0080 # define KU_NON_REPUDIATION 0x0040 diff --git a/test/certs/invalid-cert.pem b/test/certs/invalid-cert.pem new file mode 100644 index 0000000000..a8951305a3 --- /dev/null +++ b/test/certs/invalid-cert.pem @@ -0,0 +1,19 @@ +-----BEGIN TRUSTED CERTIFICATE----- +MIIDJTCCAg2gAwIBAgIUEUSW5o7qpgNCWyXic9Fc9tCLS0gwDQYJKoZIhvcNAQEL +BQAwEzERMA8GA1UEAwwIUGVyc29TaW0wHhcNMjAxMjE2MDY1NjM5WhcNMzAxMjE2 +MDY1NjM5WjATMREwDwYDVQQDDAhQZXJzb1NpbTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAMsgRKnnZbQtG9bB9Hn+CoOOsanmnRELSlGq521qi/eBgs2w +SdHYM6rsJFwY89RvINLGeUZh/pu7c+ODtTafAWE3JkynG01d2Zrvp1V1r97+FGyD +f+b1hAggxBy70bTRyr1gAoKQTAm74U/1lj13EpWz7zshgXJ/Pn/hUyTmpNW+fTRE +xaifN0jkl5tZUURGA6w3+BRhVDQtt92vLihqUGaEFpL8yqqFnN44AoQ5+lgMafWi +UyYMHcK75ZB8WWklq8zjRP3xC1h56k01rT6KJO6i+BxMcADerYsn5qTlcUiKcpRU +b6RzLvCUwj91t1aX6npDI3BzSP+wBUUANBfuHEMCAwEAAaNxMG8wFwYDVR0OBBA8 +yBBnvz1Zt6pHm2GwBaRyMBcGA1UdIwQQPMgQZ789WbeqR5thsAWkcjAPBgNVHRMB +Af8EBTADAQH/MAsGA1UdDwQEAwIChDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB +BQUHAwIwDQYJKoZIhvcNAQELBQADggEBAIEzVbttOUc7kK4aY+74TANFZK/qtBQ7 +94a/P30TGWSRUq2HnDsR8Vo4z8xm5oKeC+SIi6NGzviWYquuzpJ7idcbr0MIuSyD ++Vg6n1sG64DxWNdGO9lR5c4mWFdIajShczS2+4QIRB/lFZCf7GhPMtIcbP1o9ckY +2vyv5ZAEU9Z5n0PY+abrKsj0XyvJwdycEsUTywa36fuv6hP3UboLtvK6naXLMrTj +WtSA6PXjHy7h8h0NC8XLk64mc0lcRC4WM+xJ/C+NHglpmBqBxnStpnZykMZYD1Vy +JJ1wNc+Y3e2uMBDxZviH3dIPIgqP1Vpi2TWfqr3DTBNCRf4dl/wwNU8= +-----END TRUSTED CERTIFICATE----- diff --git a/test/recipes/80-test_x509aux.t b/test/recipes/80-test_x509aux.t index 65ba5fcf52..30adf25257 100644 --- a/test/recipes/80-test_x509aux.t +++ b/test/recipes/80-test_x509aux.t @@ -14,14 +14,17 @@ use OpenSSL::Test::Utils; setup("test_x509aux"); +my @path = qw(test certs); + plan skip_all => "test_dane uses ec which is not supported by this OpenSSL build" if disabled("ec"); plan tests => 1; # The number of tests being performed ok(run(test(["x509aux", - srctop_file("test", "certs", "roots.pem"), - srctop_file("test", "certs", "root+anyEKU.pem"), - srctop_file("test", "certs", "root-anyEKU.pem"), - srctop_file("test", "certs", "root-cert.pem")] - )), "x509aux tests"); + srctop_file(@path, "roots.pem"), + srctop_file(@path, "root+anyEKU.pem"), + srctop_file(@path, "root-anyEKU.pem"), + srctop_file(@path, "root-cert.pem"), + srctop_file(@path, "invalid-cert.pem"), + ])), "x509aux tests"); diff --git a/test/x509aux.c b/test/x509aux.c index e41f1f6809..78013f23ae 100644 --- a/test/x509aux.c +++ b/test/x509aux.c @@ -30,17 +30,16 @@ static int test_certs(int num) typedef int (*i2d_X509_t)(X509 *, unsigned char **); int err = 0; BIO *fp = BIO_new_file(test_get_argument(num), "r"); - X509 *reuse = NULL; if (!TEST_ptr(fp)) return 0; for (c = 0; !err && PEM_read_bio(fp, &name, &header, &data, &len); ++c) { const int trusted = (strcmp(name, PEM_STRING_X509_TRUSTED) == 0); - d2i_X509_t d2i = trusted ? d2i_X509_AUX : d2i_X509; i2d_X509_t i2d = trusted ? i2d_X509_AUX : i2d_X509; X509 *cert = NULL; + X509 *reuse = NULL; const unsigned char *p = data; unsigned char *buf = NULL; unsigned char *bufp; @@ -93,9 +92,15 @@ static int test_certs(int num) goto next; } p = buf; - reuse = d2i(&reuse, &p, enclen); - if (reuse == NULL || X509_cmp (reuse, cert)) { - TEST_error("X509_cmp does not work with %s", name); + reuse = d2i(NULL, &p, enclen); + if (reuse == NULL) { + TEST_error("second d2i call failed for %s", name); + err = 1; + goto next; + } + err = X509_cmp(reuse, cert); + if (err != 0) { + TEST_error("X509_cmp for %s resulted in %d", name, err); err = 1; goto next; } @@ -141,13 +146,13 @@ static int test_certs(int num) */ next: X509_free(cert); + X509_free(reuse); OPENSSL_free(buf); OPENSSL_free(name); OPENSSL_free(header); OPENSSL_free(data); } BIO_free(fp); - X509_free(reuse); if (ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) { /* Reached end of PEM file */ From dev at ddvo.net Thu Jan 14 13:44:31 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Thu, 14 Jan 2021 13:44:31 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1610631871.911286.14214.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 76ed0c0ad119569f6e6f6c96b27b76d3b110413b (commit) from fb1e2411042f0367c2560e4ec5e4b1189ca9cd45 (commit) - Log ----------------------------------------------------------------- commit 76ed0c0ad119569f6e6f6c96b27b76d3b110413b Author: Dr. David von Oheimb Date: Mon Dec 28 11:25:59 2020 +0100 x509_vfy.c: Fix a regression in find_isser() ...in case the candidate issuer cert is identical to the target cert. Fixes #13739 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13749) ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_vfy.c | 13 ++++----- test/recipes/70-test_verify_extra.t | 3 ++- test/verify_extra_test.c | 53 ++++++++++++++++++++++++++++++++++--- 3 files changed, 57 insertions(+), 12 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 730a0160ff..883c6d7118 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -323,9 +323,10 @@ static int sk_X509_contains(STACK_OF(X509) *sk, X509 *cert) } /* - * Find in given STACK_OF(X509) sk a non-expired issuer cert (if any) of given cert x. - * The issuer must not be the same as x and must not yet be in ctx->chain, where the - * exceptional case x is self-issued and ctx->chain has just one element is allowed. + * Find in given STACK_OF(X509) sk an issuer cert of given cert x. + * The issuer must not yet be in ctx->chain, where the exceptional case + * that x is self-issued and ctx->chain has just one element is allowed. + * Prefer the first one that is not expired, else take the last expired one. */ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { @@ -334,11 +335,7 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) for (i = 0; i < sk_X509_num(sk); i++) { issuer = sk_X509_value(sk, i); - /* - * Below check 'issuer != x' is an optimization and safety precaution: - * Candidate issuer cert cannot be the same as the subject cert 'x'. - */ - if (issuer != x && ctx->check_issued(ctx, x, issuer) + if (ctx->check_issued(ctx, x, issuer) && (((x->ex_flags & EXFLAG_SI) != 0 && sk_X509_num(ctx->chain) == 1) || !sk_X509_contains(ctx->chain, issuer))) { rv = issuer; diff --git a/test/recipes/70-test_verify_extra.t b/test/recipes/70-test_verify_extra.t index 79a33cd016..e3bdcbaaf9 100644 --- a/test/recipes/70-test_verify_extra.t +++ b/test/recipes/70-test_verify_extra.t @@ -16,4 +16,5 @@ plan tests => 1; ok(run(test(["verify_extra_test", srctop_file("test", "certs", "roots.pem"), srctop_file("test", "certs", "untrusted.pem"), - srctop_file("test", "certs", "bad.pem")]))); + srctop_file("test", "certs", "bad.pem"), + srctop_file("test", "certs", "rootCA.pem")]))); diff --git a/test/verify_extra_test.c b/test/verify_extra_test.c index d9d1498954..94faa4c78b 100644 --- a/test/verify_extra_test.c +++ b/test/verify_extra_test.c @@ -18,6 +18,21 @@ static const char *roots_f; static const char *untrusted_f; static const char *bad_f; +static const char *good_f; + +static X509 *load_cert_pem(const char *file) +{ + X509 *cert = NULL; + BIO *bio = NULL; + + if (!TEST_ptr(bio = BIO_new(BIO_s_file()))) + return NULL; + if (TEST_int_gt(BIO_read_filename(bio, file), 0)) + (void)TEST_ptr(cert = PEM_read_bio_X509(bio, NULL, NULL, NULL)); + + BIO_free(bio); + return cert; +} static STACK_OF(X509) *load_certs_from_file(const char *filename) { @@ -58,7 +73,7 @@ static STACK_OF(X509) *load_certs_from_file(const char *filename) return certs; } -/* +/*- * Test for CVE-2015-1793 (Alternate Chains Certificate Forgery) * * Chain is as follows: @@ -175,16 +190,48 @@ static int test_store_ctx(void) return testresult; } +static int test_self_signed(const char *filename, int expected) +{ + X509 *cert = load_cert_pem(filename); + STACK_OF(X509) *trusted = sk_X509_new_null(); + X509_STORE_CTX *ctx = X509_STORE_CTX_new(); + int ret; + + ret = TEST_ptr(cert) + && TEST_true(sk_X509_push(trusted, cert)) + && TEST_true(X509_STORE_CTX_init(ctx, NULL, cert, NULL)); + X509_STORE_CTX_trusted_stack(ctx, trusted); + ret = ret && TEST_int_eq(X509_verify_cert(ctx), expected); + + X509_STORE_CTX_free(ctx); + sk_X509_free(trusted); + X509_free(cert); + return ret; +} + +static int test_self_signed_good(void) +{ + return test_self_signed(good_f, 1); +} + +static int test_self_signed_bad(void) +{ + return test_self_signed(bad_f, 0); +} + int setup_tests(void) { if (!TEST_ptr(roots_f = test_get_argument(0)) || !TEST_ptr(untrusted_f = test_get_argument(1)) - || !TEST_ptr(bad_f = test_get_argument(2))) { - TEST_error("usage: verify_extra_test roots.pem untrusted.pem bad.pem\n"); + || !TEST_ptr(bad_f = test_get_argument(2)) + || !TEST_ptr(good_f = test_get_argument(3))) { + TEST_error("usage: verify_extra_test roots.pem untrusted.pem bad.pem good.pem\n"); return 0; } ADD_TEST(test_alt_chains_cert_forgery); ADD_TEST(test_store_ctx); + ADD_TEST(test_self_signed_good); + ADD_TEST(test_self_signed_bad); return 1; } From matt at openssl.org Thu Jan 14 17:30:57 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 14 Jan 2021 17:30:57 +0000 Subject: [openssl] master update Message-ID: <1610645457.880600.20621.nullmailer@dev.openssl.org> The branch master has been updated via b11ba50fd9bd3c33e1627ca5c64f08b403e88173 (commit) via 7dd2cb569358591bb832af66fdabd6a6c580c1d4 (commit) via b457c8f514130d3b92de574620d38c1058eb7b35 (commit) via f5a50c2a07e288187c14b784be253b3a2a23483b (commit) via 2c40421440d260ddb97a807b064033f61ae3b2b3 (commit) via c25a1524aad3a2f3a5d74880d8016de31f59adc8 (commit) via 886ad0045bf128795049b48f7d7977f72cc7220c (commit) via ae95a40e8d453aa9d4f6499568f658ffc88a7d6e (commit) via f6b72c7d75658e843ea0864e2f202cdc091020f9 (commit) from c476c06f507a2c64a59c8cc86f2109aa00cf5133 (commit) - Log ----------------------------------------------------------------- commit b11ba50fd9bd3c33e1627ca5c64f08b403e88173 Author: Matt Caswell Date: Tue Jan 12 16:50:17 2021 +0000 Fix a failure where fetches can return NULL in multi-threaded code When a fetch is attempted simultaneously from multiple threads then both threads can attempt to construct the method. However only one of those will get added to the global evp method store. The one that "lost" the race to add the method to the global evp method store ended up with the fetch call returning NULL, instead of returning the method that was already available. Fixes #13682 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13660) commit 7dd2cb569358591bb832af66fdabd6a6c580c1d4 Author: Matt Caswell Date: Mon Jan 11 17:02:01 2021 +0000 Fix an issue in provider_activate_fallbacks() The above function was running while holding the store lock with a read lock. Unfortunately it actually modifies the store, so a write lock is required instead. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13660) commit b457c8f514130d3b92de574620d38c1058eb7b35 Author: Matt Caswell Date: Mon Jan 11 17:01:07 2021 +0000 Extend the threads test to add simple fetch from multi threads Issue #13682 suggests that doing a simple fetch from multi-threads may result in issues so we add a test for that. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13660) commit f5a50c2a07e288187c14b784be253b3a2a23483b Author: Matt Caswell Date: Fri Jan 8 13:48:13 2021 +0000 Enable locking on the primary DRBG when we create it The primary DRBG may be shared across multiple threads and therefore we must use locking to access it. Previously we were enabling that locking lazily when we attempted to obtain one of the child DRBGs. Part of the process of enabling the lock, is to create the lock. But if we create the lock lazily then it is too late - we may race with other threads where each thread is independently attempting to enable the locking. This results in multiple locks being created - only one of which "sticks" and the rest are leaked. Instead we enable locking on the primary when we first create it. This is already locked and therefore we cannot race. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13660) commit 2c40421440d260ddb97a807b064033f61ae3b2b3 Author: Matt Caswell Date: Fri Jan 8 13:22:59 2021 +0000 Make sure we take the ctx->lock in ossl_lib_ctx_generic_new() The function ossl_lib_ctx_generic_new() modifies the exdata. This may be simultaneously being modified by other threads and therefore we need to make sure we take the lock before doing so. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13660) commit c25a1524aad3a2f3a5d74880d8016de31f59adc8 Author: Matt Caswell Date: Fri Dec 11 16:29:25 2020 +0000 Lock the provider operation_bits The provider operation_bits array can see concurrent access by multiple threads and can be reallocated at any time. Therefore we need to ensure that it is appropriately locked. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13660) commit 886ad0045bf128795049b48f7d7977f72cc7220c Author: Matt Caswell Date: Thu Dec 10 16:57:33 2020 +0000 Document the core_thread_start upcall The core_thread_start upcall previously had a placeholder in the docs. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13660) commit ae95a40e8d453aa9d4f6499568f658ffc88a7d6e Author: Matt Caswell Date: Thu Dec 10 15:39:58 2020 +0000 Add a test for performing work in multiple concurrent threads We test both the default provider and the fips provider Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13660) commit f6b72c7d75658e843ea0864e2f202cdc091020f9 Author: Matt Caswell Date: Thu Dec 10 14:44:25 2020 +0000 Fix a crash with multi-threaded applications using the FIPS module The FIPS implementation of the ossl_ctx_thread_stop function needs to use an OSSL_LIB_CTX - but gets passed a provctx as an argument. It was assuming that these are the same thing (which was true at one point during development) - but that is no longer the case. The fix is to get the OSSL_LIB_CTX out of the provctx. Fixes #13469 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13660) ----------------------------------------------------------------------- Summary of changes: crypto/context.c | 8 +- crypto/core_fetch.c | 10 +++ crypto/err/openssl.txt | 2 +- crypto/evp/evp_err.c | 2 +- crypto/evp/evp_rand.c | 6 -- crypto/initthread.c | 6 +- crypto/provider_core.c | 73 ++++++++++------ crypto/rand/rand_lib.c | 11 +++ doc/man3/EVP_RAND.pod | 4 +- doc/man7/provider-base.pod | 11 ++- include/openssl/evperr.h | 2 +- test/recipes/90-test_threads.t | 32 ++++++- test/threadstest.c | 183 ++++++++++++++++++++++++++++++++++++++++- 13 files changed, 307 insertions(+), 43 deletions(-) diff --git a/crypto/context.c b/crypto/context.c index c351ff9619..953de5a489 100644 --- a/crypto/context.c +++ b/crypto/context.c @@ -228,10 +228,14 @@ static void ossl_lib_ctx_generic_new(void *parent_ign, void *ptr_ign, long argl_ign, void *argp) { const OSSL_LIB_CTX_METHOD *meth = argp; - void *ptr = meth->new_func(crypto_ex_data_get_ossl_lib_ctx(ad)); + OSSL_LIB_CTX *ctx = crypto_ex_data_get_ossl_lib_ctx(ad); + void *ptr = meth->new_func(ctx); - if (ptr != NULL) + if (ptr != NULL) { + CRYPTO_THREAD_write_lock(ctx->lock); CRYPTO_set_ex_data(ad, index, ptr); + CRYPTO_THREAD_unlock(ctx->lock); + } } static void ossl_lib_ctx_generic_free(void *parent_ign, void *ptr, CRYPTO_EX_DATA *ad, int index, diff --git a/crypto/core_fetch.c b/crypto/core_fetch.c index 4fb432754b..12d52a03d0 100644 --- a/crypto/core_fetch.c +++ b/crypto/core_fetch.c @@ -128,6 +128,16 @@ void *ossl_method_construct(OSSL_LIB_CTX *libctx, int operation_id, &cbdata); method = mcm->get(libctx, cbdata.store, mcm_data); + if (method == NULL) { + /* + * If we get here then we did not construct the method that we + * attempted to construct. It's possible that another thread got + * there first and so we skipped construction (pre-condition + * failed). We check the global store again to see if it has + * appeared by now. + */ + method = mcm->get(libctx, NULL, mcm_data); + } mcm->dealloc_tmp_store(cbdata.store); } diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index bb200a7960..40f93ba0cd 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -2609,7 +2609,7 @@ EVP_R_PRIVATE_KEY_ENCODE_ERROR:146:private key encode error EVP_R_PUBLIC_KEY_NOT_RSA:106:public key not rsa EVP_R_SET_DEFAULT_PROPERTY_FAILURE:209:set default property failure EVP_R_TOO_MANY_RECORDS:183:too many records -EVP_R_UNABLE_TO_ENABLE_PARENT_LOCKING:212:unable to enable parent locking +EVP_R_UNABLE_TO_ENABLE_LOCKING:212:unable to enable locking EVP_R_UNABLE_TO_GET_MAXIMUM_REQUEST_SIZE:215:unable to get maximum request size EVP_R_UNABLE_TO_GET_RANDOM_STRENGTH:216:unable to get random strength EVP_R_UNABLE_TO_LOCK_CONTEXT:211:unable to lock context diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c index e08c373b33..ab6e3e879d 100644 --- a/crypto/evp/evp_err.c +++ b/crypto/evp/evp_err.c @@ -152,7 +152,7 @@ static const ERR_STRING_DATA EVP_str_reasons[] = { {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_SET_DEFAULT_PROPERTY_FAILURE), "set default property failure"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_TOO_MANY_RECORDS), "too many records"}, - {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNABLE_TO_ENABLE_PARENT_LOCKING), + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNABLE_TO_ENABLE_LOCKING), "unable to enable parent locking"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNABLE_TO_GET_MAXIMUM_REQUEST_SIZE), "unable to get maximum request size"}, diff --git a/crypto/evp/evp_rand.c b/crypto/evp/evp_rand.c index 6a4f57414c..42e51b4ea1 100644 --- a/crypto/evp/evp_rand.c +++ b/crypto/evp/evp_rand.c @@ -333,12 +333,6 @@ EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, EVP_RAND_CTX *parent) return NULL; } if (parent != NULL) { - if (!EVP_RAND_enable_locking(parent)) { - ERR_raise(ERR_LIB_EVP, EVP_R_UNABLE_TO_ENABLE_PARENT_LOCKING); - CRYPTO_THREAD_lock_free(ctx->refcnt_lock); - OPENSSL_free(ctx); - return NULL; - } if (!evp_rand_ctx_up_ref(parent)) { ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); CRYPTO_THREAD_lock_free(ctx->refcnt_lock); diff --git a/crypto/initthread.c b/crypto/initthread.c index 8a7afbfd86..f172c53cd6 100644 --- a/crypto/initthread.c +++ b/crypto/initthread.c @@ -14,6 +14,8 @@ #include "internal/thread_once.h" #ifdef FIPS_MODULE +#include "prov/provider_ctx.h" + /* * Thread aware code may want to be told about thread stop events. We register * to hear about those thread stop events when we see a new thread has started. @@ -281,7 +283,7 @@ static const OSSL_LIB_CTX_METHOD thread_event_ossl_ctx_method = { void ossl_ctx_thread_stop(void *arg) { THREAD_EVENT_HANDLER **hands; - OSSL_LIB_CTX *ctx = arg; + OSSL_LIB_CTX *ctx = PROV_LIBCTX_OF(arg); CRYPTO_THREAD_LOCAL *local = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_THREAD_EVENT_HANDLER_INDEX, &thread_event_ossl_ctx_method); @@ -289,7 +291,7 @@ void ossl_ctx_thread_stop(void *arg) if (local == NULL) return; hands = init_get_thread_local(local, 0, 0); - init_thread_stop(arg, hands); + init_thread_stop(ctx, hands); OPENSSL_free(hands); } #endif /* FIPS_MODULE */ diff --git a/crypto/provider_core.c b/crypto/provider_core.c index f0d6fb20f8..91cfcaa9ec 100644 --- a/crypto/provider_core.c +++ b/crypto/provider_core.c @@ -85,6 +85,7 @@ struct ossl_provider_st { */ unsigned char *operation_bits; size_t operation_bits_sz; + CRYPTO_RWLOCK *opbits_lock; /* Provider side data */ void *provctx; @@ -252,6 +253,7 @@ static OSSL_PROVIDER *provider_new(const char *name, || (prov->activatecnt_lock = CRYPTO_THREAD_lock_new()) == NULL #endif || !ossl_provider_up_ref(prov) /* +1 One reference to be returned */ + || (prov->opbits_lock = CRYPTO_THREAD_lock_new()) == NULL || (prov->name = OPENSSL_strdup(name)) == NULL) { ossl_provider_free(prov); ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); @@ -371,6 +373,7 @@ void ossl_provider_free(OSSL_PROVIDER *prov) OPENSSL_free(prov->name); OPENSSL_free(prov->path); sk_INFOPAIR_pop_free(prov->parameters, free_infopair); + CRYPTO_THREAD_lock_free(prov->opbits_lock); #ifndef HAVE_ATOMICS CRYPTO_THREAD_lock_free(prov->refcnt_lock); CRYPTO_THREAD_lock_free(prov->activatecnt_lock); @@ -726,34 +729,50 @@ static int provider_forall_loaded(struct provider_store_st *store, */ static void provider_activate_fallbacks(struct provider_store_st *store) { - if (store->use_fallbacks) { - int num_provs = sk_OSSL_PROVIDER_num(store->providers); - int activated_fallback_count = 0; - int i; + int use_fallbacks; + int num_provs; + int activated_fallback_count = 0; + int i; + + CRYPTO_THREAD_read_lock(store->lock); + use_fallbacks = store->use_fallbacks; + CRYPTO_THREAD_unlock(store->lock); + if (!use_fallbacks) + return; + + CRYPTO_THREAD_write_lock(store->lock); + /* Check again, just in case another thread changed it */ + use_fallbacks = store->use_fallbacks; + if (!use_fallbacks) { + CRYPTO_THREAD_unlock(store->lock); + return; + } - for (i = 0; i < num_provs; i++) { - OSSL_PROVIDER *prov = sk_OSSL_PROVIDER_value(store->providers, i); + num_provs = sk_OSSL_PROVIDER_num(store->providers); + for (i = 0; i < num_provs; i++) { + OSSL_PROVIDER *prov = sk_OSSL_PROVIDER_value(store->providers, i); - if (ossl_provider_up_ref(prov)) { - if (prov->flag_fallback) { - if (provider_activate(prov)) { - prov->flag_activated_as_fallback = 1; - activated_fallback_count++; - } + if (ossl_provider_up_ref(prov)) { + if (prov->flag_fallback) { + if (provider_activate(prov)) { + prov->flag_activated_as_fallback = 1; + activated_fallback_count++; } - ossl_provider_free(prov); } + ossl_provider_free(prov); } - - /* - * We assume that all fallbacks have been added to the store before - * any fallback is activated. - * TODO: We may have to reconsider this, IF we find ourselves adding - * fallbacks after any previous fallback has been activated. - */ - if (activated_fallback_count > 0) - store->use_fallbacks = 0; } + + /* + * We assume that all fallbacks have been added to the store before + * any fallback is activated. + * TODO: We may have to reconsider this, IF we find ourselves adding + * fallbacks after any previous fallback has been activated. + */ + if (activated_fallback_count > 0) + store->use_fallbacks = 0; + + CRYPTO_THREAD_unlock(store->lock); } int ossl_provider_forall_loaded(OSSL_LIB_CTX *ctx, @@ -773,10 +792,9 @@ int ossl_provider_forall_loaded(OSSL_LIB_CTX *ctx, #endif if (store != NULL) { - CRYPTO_THREAD_read_lock(store->lock); - provider_activate_fallbacks(store); + CRYPTO_THREAD_read_lock(store->lock); /* * Now, we sweep through all providers */ @@ -791,9 +809,7 @@ int ossl_provider_forall_loaded(OSSL_LIB_CTX *ctx, int ossl_provider_available(OSSL_PROVIDER *prov) { if (prov != NULL) { - CRYPTO_THREAD_read_lock(prov->store->lock); provider_activate_fallbacks(prov->store); - CRYPTO_THREAD_unlock(prov->store->lock); return prov->flag_activated; } @@ -907,11 +923,13 @@ int ossl_provider_set_operation_bit(OSSL_PROVIDER *provider, size_t bitnum) size_t byte = bitnum / 8; unsigned char bit = (1 << (bitnum % 8)) & 0xFF; + CRYPTO_THREAD_write_lock(provider->opbits_lock); if (provider->operation_bits_sz <= byte) { unsigned char *tmp = OPENSSL_realloc(provider->operation_bits, byte + 1); if (tmp == NULL) { + CRYPTO_THREAD_unlock(provider->opbits_lock); ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); return 0; } @@ -921,6 +939,7 @@ int ossl_provider_set_operation_bit(OSSL_PROVIDER *provider, size_t bitnum) provider->operation_bits_sz = byte + 1; } provider->operation_bits[byte] |= bit; + CRYPTO_THREAD_unlock(provider->opbits_lock); return 1; } @@ -936,8 +955,10 @@ int ossl_provider_test_operation_bit(OSSL_PROVIDER *provider, size_t bitnum, } *result = 0; + CRYPTO_THREAD_read_lock(provider->opbits_lock); if (provider->operation_bits_sz > byte) *result = ((provider->operation_bits[byte] & bit) != 0); + CRYPTO_THREAD_unlock(provider->opbits_lock); return 1; } diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index f0284aab08..01927401ab 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -571,6 +571,17 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx) dgbl->primary = rand_new_drbg(ctx, dgbl->seed, PRIMARY_RESEED_INTERVAL, PRIMARY_RESEED_TIME_INTERVAL); + /* + * The primary DRBG may be shared between multiple threads so we must + * enable locking. + */ + if (dgbl->primary != NULL && !EVP_RAND_enable_locking(dgbl->primary)) { + ERR_raise(ERR_LIB_EVP, EVP_R_UNABLE_TO_ENABLE_LOCKING); + EVP_RAND_CTX_free(dgbl->primary); + dgbl->primary = NULL; + CRYPTO_THREAD_lock_free(dgbl->lock); + return NULL; + } CRYPTO_THREAD_unlock(dgbl->lock); } return dgbl->primary; diff --git a/doc/man3/EVP_RAND.pod b/doc/man3/EVP_RAND.pod index e53cddff2f..4e1eb88afd 100644 --- a/doc/man3/EVP_RAND.pod +++ b/doc/man3/EVP_RAND.pod @@ -152,7 +152,9 @@ appropriate size. EVP_RAND_enable_locking() enables locking for the RAND I and all of its parents. After this I will operate in a thread safe manner, albeit -more slowly. +more slowly. This function is not itself thread safe if called with the same +I from multiple threads. Typically locking should be enabled before a +I is shared across multiple threads. EVP_RAND_get_params() retrieves details about the implementation I. diff --git a/doc/man7/provider-base.pod b/doc/man7/provider-base.pod index 7e8f5188a5..e2315e7bc4 100644 --- a/doc/man7/provider-base.pod +++ b/doc/man7/provider-base.pod @@ -18,8 +18,11 @@ provider-base /* Functions offered by libcrypto to the providers */ const OSSL_ITEM *core_gettable_params(const OSSL_CORE_HANDLE *handle); int core_get_params(const OSSL_CORE_HANDLE *handle, OSSL_PARAM params[]); + + typedef void (*OSSL_thread_stop_handler_fn)(void *arg); int core_thread_start(const OSSL_CORE_HANDLE *handle, OSSL_thread_stop_handler_fn handfn); + OPENSSL_CORE_CTX *core_get_libctx(const OSSL_CORE_HANDLE *handle); void core_new_error(const OSSL_CORE_HANDLE *handle); void core_set_error_debug(const OSSL_CORE_HANDLE *handle, @@ -164,7 +167,13 @@ core_get_params() retrieves parameters from the core for the given I. See L below for a description of currently known parameters. -=for comment core_thread_start() TBA +The core_thread_start() function informs the core that the provider has started +an interest in the current thread. The core will inform the provider when the +thread eventually stops. It must be passed the I for this provider, as +well as a callback I which will be called when the thread stops. The +callback will subsequently be called from the thread that is stopping and gets +passed the provider context as an argument. This may be useful to perform thread +specific clean up such as freeing thread local variables. core_get_libctx() retrieves the library context in which the library object for the current provider is stored, accessible through the I. diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h index c25cc49025..309f4cd341 100644 --- a/include/openssl/evperr.h +++ b/include/openssl/evperr.h @@ -243,7 +243,7 @@ # define EVP_R_PUBLIC_KEY_NOT_RSA 106 # define EVP_R_SET_DEFAULT_PROPERTY_FAILURE 209 # define EVP_R_TOO_MANY_RECORDS 183 -# define EVP_R_UNABLE_TO_ENABLE_PARENT_LOCKING 212 +# define EVP_R_UNABLE_TO_ENABLE_LOCKING 212 # define EVP_R_UNABLE_TO_GET_MAXIMUM_REQUEST_SIZE 215 # define EVP_R_UNABLE_TO_GET_RANDOM_STRENGTH 216 # define EVP_R_UNABLE_TO_LOCK_CONTEXT 211 diff --git a/test/recipes/90-test_threads.t b/test/recipes/90-test_threads.t index e629f24d1c..fa4d2b8de9 100644 --- a/test/recipes/90-test_threads.t +++ b/test/recipes/90-test_threads.t @@ -8,5 +8,35 @@ use OpenSSL::Test::Simple; +use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_dir bldtop_file/; +use OpenSSL::Test::Utils; +use Cwd qw(abs_path); -simple_test("test_threads", "threadstest"); +BEGIN { +setup("test_threads"); +} + +use lib srctop_dir('Configurations'); +use lib bldtop_dir('.'); +use platform; + +my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); + + +plan tests => 1 + ($no_fips ? 0 : 1); + +if (!$no_fips) { + my $infile = bldtop_file('providers', platform->dso('fips')); + ok(run(app(['openssl', 'fipsinstall', + '-out', bldtop_file('providers', 'fipsmodule.cnf'), + '-module', $infile])), + "fipsinstall"); +} + +if ($no_fips) { + $ENV{OPENSSL_CONF} = abs_path(srctop_file("test", "default.cnf")); + ok(run(test(["threadstest"])), "running test_threads"); +} else { + $ENV{OPENSSL_CONF} = abs_path(srctop_file("test", "default-and-fips.cnf")); + ok(run(test(["threadstest", "-fips"])), "running test_threads"); +} diff --git a/test/threadstest.c b/test/threadstest.c index d7ed59781d..13405f4948 100644 --- a/test/threadstest.c +++ b/test/threadstest.c @@ -11,9 +11,15 @@ # include #endif +#include #include +#include +#include +#include #include "testutil.h" +static int do_fips = 0; + #if !defined(OPENSSL_THREADS) || defined(CRYPTO_TDEBUG) typedef unsigned int thread_t; @@ -254,16 +260,191 @@ static int test_atomic(void) testresult = 1; err: - CRYPTO_THREAD_lock_free(lock); return testresult; } +static OSSL_LIB_CTX *multi_libctx = NULL; +static int multi_success; + +static void thread_general_worker(void) +{ + EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); + EVP_MD *md = EVP_MD_fetch(multi_libctx, "SHA2-256", NULL); + EVP_CIPHER_CTX *cipherctx = EVP_CIPHER_CTX_new(); + EVP_CIPHER *ciph = EVP_CIPHER_fetch(multi_libctx, "AES-128-CBC", NULL); + const char *message = "Hello World"; + size_t messlen = strlen(message); + /* Should be big enough for encryption output too */ + unsigned char out[EVP_MAX_MD_SIZE]; + const unsigned char key[AES_BLOCK_SIZE] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f + }; + const unsigned char iv[AES_BLOCK_SIZE] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, + 0x0c, 0x0d, 0x0e, 0x0f + }; + unsigned int mdoutl; + int ciphoutl; + EVP_PKEY_CTX *pctx = NULL; + EVP_PKEY *pkey = NULL; + int testresult = 0; + int i, isfips; + + isfips = OSSL_PROVIDER_available(multi_libctx, "fips"); + + if (!TEST_ptr(mdctx) + || !TEST_ptr(md) + || !TEST_ptr(cipherctx) + || !TEST_ptr(ciph)) + goto err; + + /* Do some work */ + for (i = 0; i < 5; i++) { + if (!TEST_true(EVP_DigestInit_ex(mdctx, md, NULL)) + || !TEST_true(EVP_DigestUpdate(mdctx, message, messlen)) + || !TEST_true(EVP_DigestFinal(mdctx, out, &mdoutl))) + goto err; + } + for (i = 0; i < 5; i++) { + if (!TEST_true(EVP_EncryptInit_ex(cipherctx, ciph, NULL, key, iv)) + || !TEST_true(EVP_EncryptUpdate(cipherctx, out, &ciphoutl, + (unsigned char *)message, + messlen)) + || !TEST_true(EVP_EncryptFinal(cipherctx, out, &ciphoutl))) + goto err; + } + + pctx = EVP_PKEY_CTX_new_from_name(multi_libctx, "RSA", NULL); + if (!TEST_ptr(pctx) + || !TEST_int_gt(EVP_PKEY_keygen_init(pctx), 0) + /* + * We want the test to run quickly - not securely. Therefore we + * use an insecure bit length where we can (512). In the FIPS + * module though we must use a longer length. + */ + || !TEST_int_gt(EVP_PKEY_CTX_set_rsa_keygen_bits(pctx, + isfips ? 2048 : 512), + 0) + || !TEST_int_gt(EVP_PKEY_keygen(pctx, &pkey), 0)) + goto err; + + testresult = 1; + err: + EVP_MD_CTX_free(mdctx); + EVP_MD_free(md); + EVP_CIPHER_CTX_free(cipherctx); + EVP_CIPHER_free(ciph); + EVP_PKEY_CTX_free(pctx); + EVP_PKEY_free(pkey); + if (!testresult) + multi_success = 0; +} + +static void thread_multi_simple_fetch(void) +{ + EVP_MD *md = EVP_MD_fetch(NULL, "SHA2-256", NULL); + + if (md != NULL) + EVP_MD_free(md); + else + multi_success = 0; +} + +/* + * Do work in multiple worker threads at the same time. + * Test 0: General worker, using the default provider + * Test 1: General worker, using the fips provider + * Test 2: Simple fetch worker + */ +static int test_multi(int idx) +{ + thread_t thread1, thread2; + int testresult = 0; + OSSL_PROVIDER *prov = NULL; + void (*worker)(void); + + if (idx == 1 && !do_fips) + return TEST_skip("FIPS not supported"); + + multi_success = 1; + multi_libctx = OSSL_LIB_CTX_new(); + if (!TEST_ptr(multi_libctx)) + goto err; + prov = OSSL_PROVIDER_load(multi_libctx, (idx == 1) ? "fips" : "default"); + if (!TEST_ptr(prov)) + goto err; + + switch (idx) { + case 0: + case 1: + worker = thread_general_worker; + break; + case 2: + worker = thread_multi_simple_fetch; + break; + default: + TEST_error("Invalid test index"); + goto err; + } + + if (!TEST_true(run_thread(&thread1, worker)) + || !TEST_true(run_thread(&thread2, worker))) + goto err; + + worker(); + + if (!TEST_true(wait_for_thread(thread1)) + || !TEST_true(wait_for_thread(thread2)) + || !TEST_true(multi_success)) + goto err; + + testresult = 1; + + err: + OSSL_PROVIDER_unload(prov); + OSSL_LIB_CTX_free(multi_libctx); + return testresult; +} + +typedef enum OPTION_choice { + OPT_ERR = -1, + OPT_EOF = 0, + OPT_FIPS, + OPT_TEST_ENUM +} OPTION_CHOICE; + +const OPTIONS *test_get_options(void) +{ + static const OPTIONS options[] = { + OPT_TEST_OPTIONS_DEFAULT_USAGE, + { "fips", OPT_FIPS, '-', "Test the FIPS provider" }, + { NULL } + }; + return options; +} + int setup_tests(void) { + OPTION_CHOICE o; + + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_FIPS: + do_fips = 1; + break; + case OPT_TEST_CASES: + break; + default: + return 0; + } + } + ADD_TEST(test_lock); ADD_TEST(test_once); ADD_TEST(test_thread_local); ADD_TEST(test_atomic); + ADD_ALL_TESTS(test_multi, 3); return 1; } From matt at openssl.org Thu Jan 14 17:34:35 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 14 Jan 2021 17:34:35 +0000 Subject: [openssl] master update Message-ID: <1610645675.118181.32068.nullmailer@dev.openssl.org> The branch master has been updated via 3bc061eb0a990a95d35c462b9206bdf74905cfa2 (commit) from b11ba50fd9bd3c33e1627ca5c64f08b403e88173 (commit) - Log ----------------------------------------------------------------- commit 3bc061eb0a990a95d35c462b9206bdf74905cfa2 Author: Michael Baentsch Date: Wed Jan 13 11:06:13 2021 +0100 Enhance default provider documentation Bring Wiki and man page documentation in line regarding default provider fall-back behaviour. Fixes #13844 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13859) ----------------------------------------------------------------------- Summary of changes: doc/man3/OSSL_PROVIDER.pod | 15 ++++++++++++--- doc/man7/OSSL_PROVIDER-default.pod | 15 +++++++++++++-- doc/man7/provider.pod | 4 +++- 3 files changed, 28 insertions(+), 6 deletions(-) diff --git a/doc/man3/OSSL_PROVIDER.pod b/doc/man3/OSSL_PROVIDER.pod index 2baccfffaf..dbae09334f 100644 --- a/doc/man3/OSSL_PROVIDER.pod +++ b/doc/man3/OSSL_PROVIDER.pod @@ -78,9 +78,9 @@ or load a provider module with the given name and run its provider entry point, C. OSSL_PROVIDER_try_load() functions like OSSL_PROVIDER_load(), except that -it does not disable the fall-back providers if the provider cannot be +it does not disable the fallback providers if the provider cannot be loaded and initialized. -If the provider loads successfully, however, the fall-back providers are +If the provider loads successfully, however, the fallback providers are disabled. OSSL_PROVIDER_unload() unloads the given provider. @@ -92,7 +92,11 @@ for use. OSSL_PROVIDER_do_all() iterates over all loaded providers, calling I for each one, with the current provider in I and the -I that comes from the caller. +I that comes from the caller. If no other provider has been loaded +before calling this function, the default provider is still available as +fallback. +See L for more information on this fallback +behaviour. OSSL_PROVIDER_gettable_params() is used to get a provider parameter descriptor set as a constant B array. @@ -140,6 +144,11 @@ OSSL_PROVIDER_get_capabilities() return 1 on success, or 0 on error. OSSL_PROVIDER_load() and OSSL_PROVIDER_try_load() return a pointer to a provider object on success, or NULL on error. +OSSL_PROVIDER_do_all() returns 1 if the callback I returns 1 for every +provider it is called with, or 0 if any provider callback invocation returns 0; +callback processing stops at the first callback invocation on a provider +that returns 0. + OSSL_PROVIDER_available() returns 1 if the named provider is available, otherwise 0. diff --git a/doc/man7/OSSL_PROVIDER-default.pod b/doc/man7/OSSL_PROVIDER-default.pod index 96144e2260..472bff65fd 100644 --- a/doc/man7/OSSL_PROVIDER-default.pod +++ b/doc/man7/OSSL_PROVIDER-default.pod @@ -7,8 +7,19 @@ OSSL_PROVIDER-default - OpenSSL default provider =head1 DESCRIPTION The OpenSSL default provider supplies the majority of OpenSSL's diverse -algorithm implementations. It also acts as a fallback when no other -provider has been loaded. +algorithm implementations. If an application doesn't specify anything else +explicitly (e.g. in the application or via config), then this is the +provider that will be used as fallback: It is loaded automatically the +first time that an algorithm is fetched from a provider or a function +acting on providers is called and no other provider has been loaded yet. + +If an attempt to load a provider has already been made (whether successful +or not) then the default provider won't be loaded automatically. Therefore +if the default provider is to be used in conjunction with other providers +then it must be loaded explicitly. Automatic loading of the default +provider only occurs a maximum of once; if the default provider is +explicitly unloaded then the default provider will not be automatically +loaded again. =head2 Properties diff --git a/doc/man7/provider.pod b/doc/man7/provider.pod index 18a80eff5a..65bbda5063 100644 --- a/doc/man7/provider.pod +++ b/doc/man7/provider.pod @@ -196,7 +196,9 @@ This may be NULL to signify the default (global) library context, or a context created by the user. Only providers loaded in this library context (see L) will be considered by the fetching -function. +function. In case no provider has been loaded in this library context +the default provider will be loaded as fallback (see +L). =item An identifier From openssl at openssl.org Thu Jan 14 23:40:50 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 14 Jan 2021 23:40:50 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module Message-ID: <1610667650.869892.2710737.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: 8bc5b0a570 chacha20: Properly reinitialize the cipher context with NULL key 2ed63033e4 x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST 04a1b3fa7b apps/req.c: Make sure -verify option takes effect also with -x509 0ae8d4ca9e apps/req.c: Cosmetic improvements of code and documentation 73b1d24c1a crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c b65c5ec8f5 apps/req.c: Add -copy_extensions option for use with -x509; default: none 41e597a01d Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert ea9fd333d1 apps/req.c: make -subj work with -x509; clean up related code 7836f949c2 X509_PUBKEY_set(): Fix error reporting 855c68163b apps/lib/opt.c: Fix error message on unknown option/digest f0a057dd53 Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c 6ad957f127 apps/req.c: add -CA and -CAkey options; improve code and doc 1579594383 APPS: Allow OPENSSL_CONF to be empty, not loading a config file ec2bfb7d23 apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default f2a0458731 X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert 3339606a38 d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX() 48116c2d0f Fix incorrect use of BN_CTX API 1dccccf333 Fix enable-weak-ssl-ciphers 4dd009180a x509_vfy.c: Fix a regression in find_issuer() 0cbb3602f5 Make PEM_X509_INFO_read_bio_ex() conservative on the error queue 0b7368dda0 TEST: move cert, key, and CSR loading aux functions to new testutil/load.c bf973d0697 Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 5a2d0ef36f Clean away extraneous library specific FETCH_FAILED reason codes d6d42cda5f Use centralized fetching errors 0d11846e4b Remove duplicate GENERATE declarations for .pod files 2497e2e7db Configure: warn about duplicate GENERATE declarations in build.info files 5e16ac142e Configure: clean away perl syntax faults 507f83800f Configure: Check all SOURCE declarations, to ensure consistency b209835364 v3_ocsp.c: fix indentation of include directives 3ddf44ea5a Close /dev/crypto file descriptor after CRIOGET ioctl(). 678cae0295 APPS: Print help also on -h and --h; print high-level help when no cmd given 3372039252 APPS: Fix confusion between program and app/command name used in diagnostic/help output 046a7aaa5e apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations 1f7643e86e apps/pkey.c: Re-order help output and option documentation 475d10028e apps/pkey.c: Make clear that -passout is not supported for DER output 400e2acfe0 apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL Build log ended with (last 100 lines): # setup_client_ctx:../openssl/apps/cmp.c:1977:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2027:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 0 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem -out_trusted root.crt => 0 not ok 43 - popo RAVERIFIED # ------------------------------------------------------------------------------ # cmp_main:../openssl/apps/cmp.c:2661:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2260:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:684:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1977:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2027:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # ------------------------------------------------------------------------------ # Failed test 'popo NONE' # at ../openssl/test/recipes/81-test_cmp_cli.t line 183. # cmp_main:../openssl/apps/cmp.c:2661:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2260:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:684:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1977:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2027:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 2 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem -out_trusted root.crt => 0 not ok 48 - popo KEYENC not supported # ------------------------------------------------------------------------------ # Looks like you failed 3 tests of 92. not ok 7 - CMP app CLI Mock enrollment # ------------------------------------------------------------------------------ # # Failed test 'CMP app CLI Mock enrollment # ' # at /home/openssl/run-checker/enable-fuzz-afl/../openssl/util/perl/OpenSSL/Test.pm line 1335. # Looks like you failed 3 tests of 7.81-test_cmp_cli.t .................. Dubious, test returned 3 (wstat 768, 0x300) Failed 3/7 subtests 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. skipped: Test only supported in a shared build 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: GOST support is disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ skipped: Test only supported in a shared build 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. skipped: tls13secrets is not supported in this build 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 81-test_cmp_cli.t (Wstat: 768 Tests: 7 Failed: 3) Failed tests: 4-5, 7 Non-zero exit status: 3 Files=228, Tests=3032, 738 wallclock secs ( 9.85 usr 1.30 sys + 656.24 cusr 71.67 csys = 739.06 CPU) Result: FAIL make[1]: *** [Makefile:2463: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-fuzz-afl' make: *** [Makefile:2460: tests] Error 2 From no-reply at appveyor.com Fri Jan 15 08:00:40 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 15 Jan 2021 08:00:40 +0000 Subject: Build failed: openssl master.39193 Message-ID: <20210115080040.1.4A7E92BFA3FA861F@appveyor.com> An HTML attachment was scrubbed... URL: From tmraz at fedoraproject.org Fri Jan 15 09:02:50 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Fri, 15 Jan 2021 09:02:50 +0000 Subject: [openssl] master update Message-ID: <1610701370.800193.18152.nullmailer@dev.openssl.org> The branch master has been updated via 0434f9841d45dee081c64ea3aba794a922787ece (commit) from 3bc061eb0a990a95d35c462b9206bdf74905cfa2 (commit) - Log ----------------------------------------------------------------- commit 0434f9841d45dee081c64ea3aba794a922787ece Author: Daniel Bevenius Date: Wed Jan 13 15:30:20 2021 +0100 Correct typo in rsa_oaep.c Reviewed-by: Kurt Roeckx Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13861) ----------------------------------------------------------------------- Summary of changes: crypto/rsa/rsa_oaep.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index f47369a1af..66f2ae40c2 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c @@ -45,7 +45,7 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, } /* - * Perform ihe padding as per NIST 800-56B 7.2.2.3 + * Perform the padding as per NIST 800-56B 7.2.2.3 * from (K) is the key material. * param (A) is the additional input. * Step numbers are included here but not in the constant time inverse below From pauli at openssl.org Fri Jan 15 09:32:23 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Fri, 15 Jan 2021 09:32:23 +0000 Subject: [openssl] master update Message-ID: <1610703143.789675.24066.nullmailer@dev.openssl.org> The branch master has been updated via 975aae76db8792c9137921adf0e4ecbbf375f46b (commit) from 0434f9841d45dee081c64ea3aba794a922787ece (commit) - Log ----------------------------------------------------------------- commit 975aae76db8792c9137921adf0e4ecbbf375f46b Author: Pauli Date: Thu Jan 14 11:49:47 2021 +1000 Remove unused DRBG tests. The DRBG known answer tests are performed by evp_test and the old vectors are not used. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/13867) ----------------------------------------------------------------------- Summary of changes: test/drbgtest.c | 1 - test/drbgtest.h | 1670 ------------------------------------------------------- 2 files changed, 1671 deletions(-) delete mode 100644 test/drbgtest.h diff --git a/test/drbgtest.c b/test/drbgtest.c index 30c6b270d0..8c3ed23c35 100644 --- a/test/drbgtest.c +++ b/test/drbgtest.c @@ -38,7 +38,6 @@ #endif #include "testutil.h" -#include "drbgtest.h" /* * DRBG generate wrappers diff --git a/test/drbgtest.h b/test/drbgtest.h deleted file mode 100644 index a00c168c8c..0000000000 --- a/test/drbgtest.h +++ /dev/null @@ -1,1670 +0,0 @@ -/* - * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -/* - * Known answer tests for SP800-90 DRBG CTR mode. - */ - - -/* - * AES-128 use df PR - */ -static const unsigned char aes_128_use_df_pr_entropyinput[] = { - 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33, - 0xc8, 0xdb, 0xff, 0x12 -}; -static const unsigned char aes_128_use_df_pr_nonce[] = { - 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28 -}; -static const unsigned char aes_128_use_df_pr_personalizationstring[] = { - 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe, - 0xd7, 0xd7, 0x01, 0x67 -}; -static const unsigned char aes_128_use_df_pr_additionalinput[] = { - 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e, - 0x9a, 0x47, 0x08, 0x76 -}; -static const unsigned char aes_128_use_df_pr_entropyinputpr[] = { - 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51, - 0x09, 0xfb, 0xa3, 0xb6 -}; -static const unsigned char aes_128_use_df_pr_int_returnedbits[] = { - 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52, - 0x66, 0x1c, 0xea, 0x5b -}; -static const unsigned char aes_128_use_df_pr_additionalinput2[] = { - 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11, - 0x3f, 0x5e, 0x31, 0x06 -}; -static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = { - 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae, - 0xa7, 0xe3, 0xa8, 0x67 -}; -static const unsigned char aes_128_use_df_pr_returnedbits[] = { - 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24, - 0x0f, 0x38, 0x43, 0xc6 -}; - - -/* - * AES-128 use df no PR - */ -static const unsigned char aes_128_use_df_entropyinput[] = { - 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3, - 0x9d, 0x7d, 0x1c, 0x9b -}; -static const unsigned char aes_128_use_df_nonce[] = { - 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96, -}; -static const unsigned char aes_128_use_df_personalizationstring[] = { - 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3, - 0x38, 0x66, 0xba, 0x1b -}; -static const unsigned char aes_128_use_df_additionalinput[] = { - 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46, - 0xb5, 0xe2, 0xb2, 0x41 -}; -static const unsigned char aes_128_use_df_int_returnedbits[] = { - 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67, - 0xe7, 0x57, 0x11, 0xb4 -}; -static const unsigned char aes_128_use_df_entropyinputreseed[] = { - 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b, - 0xc7, 0xc4, 0x9e, 0x39 -}; -static const unsigned char aes_128_use_df_additionalinputreseed[] = { - 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a, - 0xc8, 0x93, 0xfa, 0x84 -}; -static const unsigned char aes_128_use_df_additionalinput2[] = { - 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5, - 0x06, 0x0c, 0x15, 0x2c -}; -static const unsigned char aes_128_use_df_returnedbits[] = { - 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88, - 0x46, 0x81, 0xc7, 0x19 -}; - - -/* - * AES-192 use df PR - */ -static const unsigned char aes_192_use_df_pr_entropyinput[] = { - 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec, - 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d -}; -static const unsigned char aes_192_use_df_pr_nonce[] = { - 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0, - 0xd1, 0x80, 0x78, 0xfa -}; -static const unsigned char aes_192_use_df_pr_personalizationstring[] = { - 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16, - 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5, - 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04 -}; -static const unsigned char aes_192_use_df_pr_additionalinput[] = { - 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac, - 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb, - 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36 -}; -static const unsigned char aes_192_use_df_pr_entropyinputpr[] = { - 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5, - 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5, -}; -static const unsigned char aes_192_use_df_pr_int_returnedbits[] = { - 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9, - 0x19, 0x30, 0x6b, 0x67 -}; -static const unsigned char aes_192_use_df_pr_additionalinput2[] = { - 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32, - 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda, - 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99 -}; -static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = { - 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0, - 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e, -}; -static const unsigned char aes_192_use_df_pr_returnedbits[] = { - 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c, - 0x7e, 0x1a, 0x2b, 0x83 -}; - - -/* - * AES-192 use df no PR - */ -static const unsigned char aes_192_use_df_entropyinput[] = { - 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82, - 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b, -}; -static const unsigned char aes_192_use_df_nonce[] = { - 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d, - 0x77, 0xd7, 0x41, 0x0e -}; -static const unsigned char aes_192_use_df_personalizationstring[] = { - 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf, - 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65, - 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70 -}; -static const unsigned char aes_192_use_df_additionalinput[] = { - 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69, - 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22, - 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7 -}; -static const unsigned char aes_192_use_df_int_returnedbits[] = { - 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6, - 0xb7, 0xed, 0xe9, 0xea -}; -static const unsigned char aes_192_use_df_entropyinputreseed[] = { - 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02, - 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01, -}; -static const unsigned char aes_192_use_df_additionalinputreseed[] = { - 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76, - 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77, - 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65 -}; -static const unsigned char aes_192_use_df_additionalinput2[] = { - 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e, - 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0, - 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77 -}; -static const unsigned char aes_192_use_df_returnedbits[] = { - 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58, - 0x1a, 0xf9, 0x13, 0x28 -}; - - -/* - * AES-256 use df PR - */ -static const unsigned char aes_256_use_df_pr_entropyinput[] = { - 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74, - 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f, - 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a -}; -static const unsigned char aes_256_use_df_pr_nonce[] = { - 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33, - 0x2b, 0x36, 0xff, 0xa4 -}; -static const unsigned char aes_256_use_df_pr_personalizationstring[] = { - 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24, - 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83, - 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d -}; -static const unsigned char aes_256_use_df_pr_additionalinput[] = { - 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0, - 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3, - 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde -}; -static const unsigned char aes_256_use_df_pr_entropyinputpr[] = { - 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77, - 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54, - 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9 -}; -static const unsigned char aes_256_use_df_pr_int_returnedbits[] = { - 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7, - 0x17, 0xab, 0x3c, 0x7a -}; -static const unsigned char aes_256_use_df_pr_additionalinput2[] = { - 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00, - 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78, - 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3 -}; -static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = { - 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73, - 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8, - 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f -}; -static const unsigned char aes_256_use_df_pr_returnedbits[] = { - 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0, - 0xd9, 0xe2, 0x97, 0x00 -}; - - -/* - * AES-256 use df no PR - */ -static const unsigned char aes_256_use_df_entropyinput[] = { - 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50, - 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68, - 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47 -}; -static const unsigned char aes_256_use_df_nonce[] = { - 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a, - 0x4c, 0x44, 0x84, 0x40 -}; -static const unsigned char aes_256_use_df_personalizationstring[] = { - 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05, - 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b, - 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2 -}; -static const unsigned char aes_256_use_df_additionalinput[] = { - 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f, - 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf, - 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46 -}; -static const unsigned char aes_256_use_df_int_returnedbits[] = { - 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1, - 0x28, 0x0c, 0x3b, 0xc1 -}; -static const unsigned char aes_256_use_df_entropyinputreseed[] = { - 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76, - 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46, - 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e -}; -static const unsigned char aes_256_use_df_additionalinputreseed[] = { - 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99, - 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75, - 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75 -}; -static const unsigned char aes_256_use_df_additionalinput2[] = { - 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d, - 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a, - 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d -}; -static const unsigned char aes_256_use_df_returnedbits[] = { - 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad, - 0xfa, 0xfd, 0x35, 0x5e -}; - - -/* - * AES-128 no df PR - */ -static const unsigned char aes_128_no_df_pr_entropyinput[] = { - 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4, - 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf, - 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a -}; -static const unsigned char aes_128_no_df_pr_nonce[] = { - 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1, -}; -static const unsigned char aes_128_no_df_pr_personalizationstring[] = { - 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c, - 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c, - 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8 -}; -static const unsigned char aes_128_no_df_pr_additionalinput[] = { - 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02, - 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73, - 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12 -}; -static const unsigned char aes_128_no_df_pr_entropyinputpr[] = { - 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a, - 0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7, - 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e -}; -static const unsigned char aes_128_no_df_pr_int_returnedbits[] = { - 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71, - 0xaf, 0x19, 0x32, 0x16 -}; -static const unsigned char aes_128_no_df_pr_additionalinput2[] = { - 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f, - 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83, - 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50 -}; -static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = { - 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a, - 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07, - 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9 -}; -static const unsigned char aes_128_no_df_pr_returnedbits[] = { - 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33, - 0x57, 0x82, 0x33, 0xaf -}; - - -/* - * AES-128 no df no PR - */ -static const unsigned char aes_128_no_df_entropyinput[] = { - 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67, - 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42, - 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60 -}; -static const unsigned char aes_128_no_df_nonce[] = { - 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13, -}; -static const unsigned char aes_128_no_df_personalizationstring[] = { - 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb, - 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b, - 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce -}; -static const unsigned char aes_128_no_df_additionalinput[] = { - 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37, - 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24, - 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95 -}; -static const unsigned char aes_128_no_df_int_returnedbits[] = { - 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6, - 0xed, 0x3e, 0x65, 0xc2 -}; -static const unsigned char aes_128_no_df_entropyinputreseed[] = { - 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66, - 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1, - 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00 -}; -static const unsigned char aes_128_no_df_additionalinputreseed[] = { - 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2, - 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4, - 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4 -}; -static const unsigned char aes_128_no_df_additionalinput2[] = { - 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f, - 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac, - 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6 -}; -static const unsigned char aes_128_no_df_returnedbits[] = { - 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36, - 0x81, 0x37, 0x19, 0xd4 -}; - - -/* - * AES-192 no df PR - */ -static const unsigned char aes_192_no_df_pr_entropyinput[] = { - 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7, - 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61, - 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a, - 0x17, 0x1f, 0x8d, 0x9a -}; -static const unsigned char aes_192_no_df_pr_nonce[] = { - 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19, - 0x61, 0x5c, 0xee, 0x0f -}; -static const unsigned char aes_192_no_df_pr_personalizationstring[] = { - 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1, - 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4, - 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10, - 0x57, 0x2e, 0xe7, 0x55 -}; -static const unsigned char aes_192_no_df_pr_additionalinput[] = { - 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad, - 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85, - 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f, - 0xe2, 0xd0, 0x0c, 0x2f -}; -static const unsigned char aes_192_no_df_pr_entropyinputpr[] = { - 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94, - 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb, - 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58, - 0x1d, 0x30, 0xb3, 0x78 -}; -static const unsigned char aes_192_no_df_pr_int_returnedbits[] = { - 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40, - 0x7e, 0x3e, 0x0c, 0x26 -}; -static const unsigned char aes_192_no_df_pr_additionalinput2[] = { - 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a, - 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57, - 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee, - 0x0c, 0x4b, 0xee, 0x6e -}; -static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = { - 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0, - 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f, - 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b, - 0x8e, 0x0a, 0x83, 0xdf -}; -static const unsigned char aes_192_no_df_pr_returnedbits[] = { - 0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91, - 0xb9, 0xa1, 0x21, 0x68 -}; - - -/* - * AES-192 no df no PR - */ -static const unsigned char aes_192_no_df_entropyinput[] = { - 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e, - 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe, - 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28, - 0x94, 0xc3, 0x59, 0x63 -}; -static const unsigned char aes_192_no_df_nonce[] = { - 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb, - 0x29, 0xfd, 0x45, 0x71 -}; -static const unsigned char aes_192_no_df_personalizationstring[] = { - 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08, - 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96, - 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b, - 0x3b, 0x88, 0xce, 0x35 -}; -static const unsigned char aes_192_no_df_additionalinput[] = { - 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b, - 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71, - 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3, - 0x3e, 0xbe, 0xd4, 0x8e -}; -static const unsigned char aes_192_no_df_int_returnedbits[] = { - 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a, - 0x45, 0xe7, 0x4a, 0xc5 -}; -static const unsigned char aes_192_no_df_entropyinputreseed[] = { - 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e, - 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1, - 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33, - 0x9b, 0xcb, 0x7e, 0x75 -}; -static const unsigned char aes_192_no_df_additionalinputreseed[] = { - 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01, - 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27, - 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40, - 0x5d, 0x7a, 0x25, 0x79 -}; -static const unsigned char aes_192_no_df_additionalinput2[] = { - 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71, - 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5, - 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a, - 0x91, 0x6a, 0xe3, 0x5f -}; -static const unsigned char aes_192_no_df_returnedbits[] = { - 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8, - 0x66, 0x67, 0x2c, 0x92 -}; - - -/* - * AES-256 no df PR - */ -static const unsigned char aes_256_no_df_pr_entropyinput[] = { - 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8, - 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2, - 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03, - 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c, -}; -static const unsigned char aes_256_no_df_pr_nonce[] = { - 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30, - 0xcc, 0x4b, 0xee, 0x2e -}; -static const unsigned char aes_256_no_df_pr_personalizationstring[] = { - 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7, - 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b, - 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac, - 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06, -}; -static const unsigned char aes_256_no_df_pr_additionalinput[] = { - 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40, - 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c, - 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69, - 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e, -}; -static const unsigned char aes_256_no_df_pr_entropyinputpr[] = { - 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16, - 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc, - 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9, - 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f, -}; -static const unsigned char aes_256_no_df_pr_int_returnedbits[] = { - 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56, - 0x79, 0x60, 0x93, 0xcf -}; -static const unsigned char aes_256_no_df_pr_additionalinput2[] = { - 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a, - 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35, - 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34, - 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb, -}; -static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = { - 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3, - 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa, - 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83, - 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f, -}; -static const unsigned char aes_256_no_df_pr_returnedbits[] = { - 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7, - 0x2d, 0x5f, 0x4a, 0x46 -}; - - -/* - * AES-256 no df no PR - */ -static const unsigned char aes_256_no_df_entropyinput[] = { - 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3, - 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb, - 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96, - 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3, -}; -static const unsigned char aes_256_no_df_nonce[] = { - 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99, - 0x43, 0x96, 0xb9, 0xf0 -}; -static const unsigned char aes_256_no_df_personalizationstring[] = { - 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60, - 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc, - 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f, - 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d, -}; -static const unsigned char aes_256_no_df_additionalinput[] = { - 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6, - 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9, - 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed, - 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17, -}; -static const unsigned char aes_256_no_df_int_returnedbits[] = { - 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6, - 0xd2, 0x25, 0x75, 0x0e -}; -static const unsigned char aes_256_no_df_entropyinputreseed[] = { - 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b, - 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5, - 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed, - 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb, -}; -static const unsigned char aes_256_no_df_additionalinputreseed[] = { - 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e, - 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18, - 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b, - 0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29, -}; -static const unsigned char aes_256_no_df_additionalinput2[] = { - 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe, - 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42, - 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba, - 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6, -}; -static const unsigned char aes_256_no_df_returnedbits[] = { - 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67, - 0xf6, 0x02, 0x32, 0xe2 -}; - - -/* SHA-1 PR */ -static const unsigned char sha1_pr_entropyinput[] = -{ - 0xd2, 0x36, 0xa5, 0x27, 0x31, 0x73, 0xdd, 0x11, 0x4f, 0x93, 0xbd, 0xe2, - 0x31, 0xa5, 0x91, 0x13 -}; -static const unsigned char sha1_pr_nonce[] = -{ - 0xb5, 0xb3, 0x60, 0xef, 0xf7, 0x63, 0x31, 0xf3 -}; -static const unsigned char sha1_pr_personalizationstring[] = -{ - 0xd4, 0xbb, 0x02, 0x10, 0xb2, 0x71, 0xdb, 0x81, 0xd6, 0xf0, 0x42, 0x60, - 0xda, 0xea, 0x77, 0x52 -}; -static const unsigned char sha1_pr_additionalinput[] = -{ - 0x4d, 0xd2, 0x6c, 0x87, 0xfb, 0x2c, 0x4f, 0xa6, 0x8d, 0x16, 0x63, 0x22, - 0x6a, 0x51, 0xe3, 0xf8 -}; -static const unsigned char sha1_pr_entropyinputpr[] = -{ - 0xc9, 0x83, 0x9e, 0x16, 0xf6, 0x1c, 0x0f, 0xb2, 0xec, 0x60, 0x31, 0xa9, - 0xcb, 0xa9, 0x36, 0x7a -}; -static const unsigned char sha1_pr_int_returnedbits[] = -{ - 0xa8, 0x13, 0x4f, 0xf4, 0x31, 0x02, 0x44, 0xe3, 0xd3, 0x3d, 0x61, 0x9e, - 0xe5, 0xc6, 0x3e, 0x89, 0xb5, 0x9b, 0x0f, 0x35 -}; -static const unsigned char sha1_pr_additionalinput2[] = -{ - 0xf9, 0xe8, 0xd2, 0x72, 0x13, 0x34, 0x95, 0x6f, 0x15, 0x49, 0x47, 0x99, - 0x16, 0x03, 0x19, 0x47 -}; -static const unsigned char sha1_pr_entropyinputpr2[] = -{ - 0x4e, 0x8c, 0x49, 0x9b, 0x4a, 0x5c, 0x9b, 0x9c, 0x3a, 0xee, 0xfb, 0xd2, - 0xae, 0xcd, 0x8c, 0xc4 -}; -static const unsigned char sha1_pr_returnedbits[] = -{ - 0x50, 0xb4, 0xb4, 0xcd, 0x68, 0x57, 0xfc, 0x2e, 0xc1, 0x52, 0xcc, 0xf6, - 0x68, 0xa4, 0x81, 0xed, 0x7e, 0xe4, 0x1d, 0x87 -}; - - -/* SHA-1 No PR */ -static const unsigned char sha1_entropyinput[] = -{ - 0xa9, 0x47, 0x1b, 0x29, 0x2d, 0x1c, 0x05, 0xdf, 0x76, 0xd0, 0x62, 0xf9, - 0xe2, 0x7f, 0x4c, 0x7b -}; -static const unsigned char sha1_nonce[] = -{ - 0x53, 0x23, 0x24, 0xe3, 0xec, 0x0c, 0x54, 0x14 -}; -static const unsigned char sha1_personalizationstring[] = -{ - 0x7a, 0x87, 0xa1, 0xac, 0x1c, 0xfd, 0xab, 0xae, 0xf7, 0xd6, 0xfb, 0x76, - 0x28, 0xec, 0x6d, 0xca -}; -static const unsigned char sha1_additionalinput[] = -{ - 0xfc, 0x92, 0x35, 0xd6, 0x7e, 0xb7, 0x24, 0x65, 0xfd, 0x12, 0x27, 0x35, - 0xc0, 0x72, 0xca, 0x28 -}; -static const unsigned char sha1_int_returnedbits[] = -{ - 0x57, 0x88, 0x82, 0xe5, 0x25, 0xa5, 0x2c, 0x4a, 0x06, 0x20, 0x6c, 0x72, - 0x55, 0x61, 0xdd, 0x90, 0x71, 0x9f, 0x95, 0xea -}; -static const unsigned char sha1_entropyinputreseed[] = -{ - 0x69, 0xa5, 0x40, 0x62, 0x98, 0x47, 0x56, 0x73, 0x4a, 0x8f, 0x60, 0x96, - 0xd6, 0x99, 0x27, 0xed -}; -static const unsigned char sha1_additionalinputreseed[] = -{ - 0xe5, 0x40, 0x4e, 0xbd, 0x50, 0x00, 0xf5, 0x15, 0xa6, 0xee, 0x45, 0xda, - 0x84, 0x3d, 0xd4, 0xc0 -}; -static const unsigned char sha1_additionalinput2[] = -{ - 0x11, 0x51, 0x14, 0xf0, 0x09, 0x1b, 0x4e, 0x56, 0x0d, 0xe9, 0xf6, 0x1e, - 0x52, 0x65, 0xcd, 0x96 -}; -static const unsigned char sha1_returnedbits[] = -{ - 0xa1, 0x9c, 0x94, 0x6e, 0x29, 0xe1, 0x33, 0x0d, 0x32, 0xd6, 0xaa, 0xce, - 0x71, 0x3f, 0x52, 0x72, 0x8b, 0x42, 0xa8, 0xd7 -}; - - -/* SHA-224 PR */ -static const unsigned char sha224_pr_entropyinput[] = -{ - 0x12, 0x69, 0x32, 0x4f, 0x83, 0xa6, 0xf5, 0x14, 0xe3, 0x49, 0x3e, 0x75, - 0x3e, 0xde, 0xad, 0xa1, 0x29, 0xc3, 0xf3, 0x19, 0x20, 0xb5, 0x4c, 0xd9 -}; -static const unsigned char sha224_pr_nonce[] = -{ - 0x6a, 0x78, 0xd0, 0xeb, 0xbb, 0x5a, 0xf0, 0xee, 0xe8, 0xc3, 0xba, 0x71 -}; -static const unsigned char sha224_pr_personalizationstring[] = -{ - 0xd5, 0xb8, 0xb6, 0xbc, 0xc1, 0x5b, 0x60, 0x31, 0x3c, 0xf5, 0xe5, 0xc0, - 0x8e, 0x52, 0x7a, 0xbd, 0xea, 0x47, 0xa9, 0x5f, 0x8f, 0xf9, 0x8b, 0xae -}; -static const unsigned char sha224_pr_additionalinput[] = -{ - 0x1f, 0x55, 0xec, 0xae, 0x16, 0x12, 0x84, 0xba, 0x84, 0x16, 0x19, 0x88, - 0x8e, 0xb8, 0x33, 0x25, 0x54, 0xff, 0xca, 0x79, 0xaf, 0x07, 0x25, 0x50 -}; -static const unsigned char sha224_pr_entropyinputpr[] = -{ - 0x92, 0xa3, 0x32, 0xa8, 0x9a, 0x0a, 0x58, 0x7c, 0x1d, 0x5a, 0x7e, 0xe1, - 0xb2, 0x73, 0xab, 0x0e, 0x16, 0x79, 0x23, 0xd3, 0x29, 0x89, 0x81, 0xe1 -}; -static const unsigned char sha224_pr_int_returnedbits[] = -{ - 0xf3, 0x38, 0x91, 0x40, 0x37, 0x7a, 0x51, 0x72, 0x42, 0x74, 0x78, 0x0a, - 0x69, 0xfd, 0xa6, 0x44, 0x43, 0x45, 0x6c, 0x0c, 0x5a, 0x19, 0xff, 0xf1, - 0x54, 0x60, 0xee, 0x6a -}; -static const unsigned char sha224_pr_additionalinput2[] = -{ - 0x75, 0xf3, 0x04, 0x25, 0xdd, 0x36, 0xa8, 0x37, 0x46, 0xae, 0x0c, 0x52, - 0x05, 0x79, 0x4c, 0x26, 0xdb, 0xe9, 0x71, 0x16, 0x4c, 0x0a, 0xf2, 0x60 -}; -static const unsigned char sha224_pr_entropyinputpr2[] = -{ - 0xea, 0xc5, 0x03, 0x0a, 0x4f, 0xb0, 0x38, 0x8d, 0x23, 0xd4, 0xc8, 0x77, - 0xe2, 0x6d, 0x9c, 0x0b, 0x44, 0xf7, 0x2d, 0x5b, 0xbf, 0x5d, 0x2a, 0x11 -}; -static const unsigned char sha224_pr_returnedbits[] = -{ - 0x60, 0x50, 0x2b, 0xe7, 0x86, 0xd8, 0x26, 0x73, 0xe3, 0x1d, 0x95, 0x20, - 0xb3, 0x2c, 0x32, 0x1c, 0xf5, 0xce, 0x57, 0xa6, 0x67, 0x2b, 0xdc, 0x4e, - 0xdd, 0x11, 0x4c, 0xc4 -}; - - -/* SHA-224 No PR */ -static const unsigned char sha224_entropyinput[] = -{ - 0xb2, 0x1c, 0x77, 0x4d, 0xf6, 0xd3, 0xb6, 0x40, 0xb7, 0x30, 0x3e, 0x29, - 0xb0, 0x85, 0x1c, 0xbe, 0x4a, 0xea, 0x6b, 0x5a, 0xb5, 0x8a, 0x97, 0xeb -}; -static const unsigned char sha224_nonce[] = -{ - 0x42, 0x02, 0x0a, 0x1c, 0x98, 0x9a, 0x77, 0x9e, 0x9f, 0x80, 0xba, 0xe0 -}; -static const unsigned char sha224_personalizationstring[] = -{ - 0x98, 0xb8, 0x04, 0x41, 0xfc, 0xc1, 0x5d, 0xc5, 0xe9, 0xb9, 0x08, 0xda, - 0xf9, 0xfa, 0x0d, 0x90, 0xce, 0xdf, 0x1d, 0x10, 0xa9, 0x8d, 0x50, 0x0c -}; -static const unsigned char sha224_additionalinput[] = -{ - 0x9a, 0x8d, 0x39, 0x49, 0x42, 0xd5, 0x0b, 0xae, 0xe1, 0xaf, 0xb7, 0x00, - 0x02, 0xfa, 0x96, 0xb1, 0xa5, 0x1d, 0x2d, 0x25, 0x78, 0xee, 0x83, 0x3f -}; -static const unsigned char sha224_int_returnedbits[] = -{ - 0xe4, 0xf5, 0x53, 0x79, 0x5a, 0x97, 0x58, 0x06, 0x08, 0xba, 0x7b, 0xfa, - 0xf0, 0x83, 0x05, 0x8c, 0x22, 0xc0, 0xc9, 0xdb, 0x15, 0xe7, 0xde, 0x20, - 0x55, 0x22, 0x9a, 0xad -}; -static const unsigned char sha224_entropyinputreseed[] = -{ - 0x67, 0x09, 0x48, 0xaa, 0x07, 0x16, 0x99, 0x89, 0x7f, 0x6d, 0xa0, 0xe5, - 0x8f, 0xdf, 0xbc, 0xdb, 0xfe, 0xe5, 0x6c, 0x7a, 0x95, 0x4a, 0x66, 0x17 -}; -static const unsigned char sha224_additionalinputreseed[] = -{ - 0x0f, 0x4b, 0x1c, 0x6f, 0xb7, 0xe3, 0x47, 0xe5, 0x5d, 0x7d, 0x38, 0xd6, - 0x28, 0x9b, 0xeb, 0x55, 0x63, 0x09, 0x3e, 0x7c, 0x56, 0xea, 0xf8, 0x19 -}; -static const unsigned char sha224_additionalinput2[] = -{ - 0x2d, 0x26, 0x7c, 0x37, 0xe4, 0x7a, 0x28, 0x5e, 0x5a, 0x3c, 0xaf, 0x3d, - 0x5a, 0x8e, 0x55, 0xa2, 0x1a, 0x6e, 0xc0, 0xe5, 0xf6, 0x21, 0xd3, 0xf6 -}; -static const unsigned char sha224_returnedbits[] = -{ - 0x4d, 0x83, 0x35, 0xdf, 0x67, 0xa9, 0xfc, 0x17, 0xda, 0x70, 0xcc, 0x8b, - 0x7f, 0x77, 0xae, 0xa2, 0x5f, 0xb9, 0x7e, 0x74, 0x4c, 0x26, 0xc1, 0x7a, - 0x3b, 0xa7, 0x5c, 0x93 -}; - - -/* SHA-256 PR */ -static const unsigned char sha256_pr_entropyinput[] = -{ - 0xce, 0x49, 0x00, 0x7a, 0x56, 0xe3, 0x67, 0x8f, 0xe1, 0xb6, 0xa7, 0xd4, - 0x4f, 0x08, 0x7a, 0x1b, 0x01, 0xf4, 0xfa, 0x6b, 0xef, 0xb7, 0xe5, 0xeb, - 0x07, 0x3d, 0x11, 0x0d, 0xc8, 0xea, 0x2b, 0xfe -}; -static const unsigned char sha256_pr_nonce[] = -{ - 0x73, 0x41, 0xc8, 0x92, 0x94, 0xe2, 0xc5, 0x5f, 0x93, 0xfd, 0x39, 0x5d, - 0x2b, 0x91, 0x4d, 0x38 -}; -static const unsigned char sha256_pr_personalizationstring[] = -{ - 0x50, 0x6d, 0x01, 0x01, 0x07, 0x5a, 0x80, 0x35, 0x7a, 0x56, 0x1a, 0x56, - 0x2f, 0x9a, 0x0b, 0x35, 0xb2, 0xb1, 0xc9, 0xe5, 0xca, 0x69, 0x61, 0x48, - 0xff, 0xfb, 0x0f, 0xd9, 0x4b, 0x79, 0x1d, 0xba -}; -static const unsigned char sha256_pr_additionalinput[] = -{ - 0x20, 0xb8, 0xdf, 0x44, 0x77, 0x5a, 0xb8, 0xd3, 0xbf, 0xf6, 0xcf, 0xac, - 0x5e, 0xa6, 0x96, 0x62, 0x73, 0x44, 0x40, 0x4a, 0x30, 0xfb, 0x38, 0xa5, - 0x7b, 0x0d, 0xe4, 0x0d, 0xc6, 0xe4, 0x9a, 0x1f -}; -static const unsigned char sha256_pr_entropyinputpr[] = -{ - 0x04, 0xc4, 0x65, 0xf4, 0xd3, 0xbf, 0x83, 0x4b, 0xab, 0xc8, 0x41, 0xa8, - 0xc2, 0xe0, 0x44, 0x63, 0x77, 0x4c, 0x6f, 0x6c, 0x49, 0x46, 0xff, 0x94, - 0x17, 0xea, 0xe6, 0x1a, 0x9d, 0x5e, 0x66, 0x78 -}; -static const unsigned char sha256_pr_int_returnedbits[] = -{ - 0x07, 0x4d, 0xac, 0x9b, 0x86, 0xca, 0x4a, 0xaa, 0x6e, 0x7a, 0x03, 0xa2, - 0x5d, 0x10, 0xea, 0x0b, 0xf9, 0x83, 0xcc, 0xd1, 0xfc, 0xe2, 0x07, 0xc7, - 0x06, 0x34, 0x60, 0x6f, 0x83, 0x94, 0x99, 0x76 -}; -static const unsigned char sha256_pr_additionalinput2[] = -{ - 0x89, 0x4e, 0x45, 0x8c, 0x11, 0xf9, 0xbc, 0x5b, 0xac, 0x74, 0x8b, 0x4b, - 0x5f, 0xf7, 0x19, 0xf3, 0xf5, 0x24, 0x54, 0x14, 0xd1, 0x15, 0xb1, 0x43, - 0x12, 0xa4, 0x5f, 0xd4, 0xec, 0xfc, 0xcd, 0x09 -}; -static const unsigned char sha256_pr_entropyinputpr2[] = -{ - 0x0e, 0xeb, 0x1f, 0xd7, 0xfc, 0xd1, 0x9d, 0xd4, 0x05, 0x36, 0x8b, 0xb2, - 0xfb, 0xe4, 0xf4, 0x51, 0x0c, 0x87, 0x9b, 0x02, 0x44, 0xd5, 0x92, 0x4d, - 0x44, 0xfe, 0x1a, 0x03, 0x43, 0x56, 0xbd, 0x86 -}; -static const unsigned char sha256_pr_returnedbits[] = -{ - 0x02, 0xaa, 0xb6, 0x1d, 0x7e, 0x2a, 0x40, 0x03, 0x69, 0x2d, 0x49, 0xa3, - 0x41, 0xe7, 0x44, 0x0b, 0xaf, 0x7b, 0x85, 0xe4, 0x5f, 0x53, 0x3b, 0x64, - 0xbc, 0x89, 0xc8, 0x82, 0xd4, 0x78, 0x37, 0xa2 -}; - - -/* SHA-256 No PR */ -static const unsigned char sha256_entropyinput[] = -{ - 0x5b, 0x1b, 0xec, 0x4d, 0xa9, 0x38, 0x74, 0x5a, 0x34, 0x0b, 0x7b, 0xc5, - 0xe5, 0xd7, 0x66, 0x7c, 0xbc, 0x82, 0xb9, 0x0e, 0x2d, 0x1f, 0x92, 0xd7, - 0xc1, 0xbc, 0x67, 0x69, 0xec, 0x6b, 0x03, 0x3c -}; -static const unsigned char sha256_nonce[] = -{ - 0xa4, 0x0c, 0xd8, 0x9c, 0x61, 0xd8, 0xc3, 0x54, 0xfe, 0x53, 0xc9, 0xe5, - 0x5d, 0x6f, 0x6d, 0x35 -}; -static const unsigned char sha256_personalizationstring[] = -{ - 0x22, 0x5e, 0x62, 0x93, 0x42, 0x83, 0x78, 0x24, 0xd8, 0x40, 0x8c, 0xde, - 0x6f, 0xf9, 0xa4, 0x7a, 0xc5, 0xa7, 0x3b, 0x88, 0xa3, 0xee, 0x42, 0x20, - 0xfd, 0x61, 0x56, 0xc6, 0x4c, 0x13, 0x41, 0x9c -}; -static const unsigned char sha256_additionalinput[] = -{ - 0xbf, 0x74, 0x5b, 0xf6, 0xc5, 0x64, 0x5e, 0x99, 0x34, 0x8f, 0xbc, 0xa4, - 0xe2, 0xbd, 0xd8, 0x85, 0x26, 0x37, 0xea, 0xba, 0x4f, 0xf2, 0x9a, 0x9a, - 0x66, 0xfc, 0xdf, 0x63, 0x26, 0x26, 0x19, 0x87 -}; -static const unsigned char sha256_int_returnedbits[] = -{ - 0xb3, 0xc6, 0x07, 0x07, 0xd6, 0x75, 0xf6, 0x2b, 0xd6, 0x21, 0x96, 0xf1, - 0xae, 0xdb, 0x2b, 0xac, 0x25, 0x2a, 0xae, 0xae, 0x41, 0x72, 0x03, 0x5e, - 0xbf, 0xd3, 0x64, 0xbc, 0x59, 0xf9, 0xc0, 0x76 -}; -static const unsigned char sha256_entropyinputreseed[] = -{ - 0xbf, 0x20, 0x33, 0x56, 0x29, 0xa8, 0x37, 0x04, 0x1f, 0x78, 0x34, 0x3d, - 0x81, 0x2a, 0xc9, 0x86, 0xc6, 0x7a, 0x2f, 0x88, 0x5e, 0xd5, 0xbe, 0x34, - 0x46, 0x20, 0xa4, 0x35, 0xeb, 0xc7, 0xe2, 0x9d -}; -static const unsigned char sha256_additionalinputreseed[] = -{ - 0x9b, 0xae, 0x2d, 0x2d, 0x61, 0xa4, 0x89, 0xeb, 0x43, 0x46, 0xa7, 0xda, - 0xef, 0x40, 0xca, 0x4a, 0x99, 0x11, 0x41, 0xdc, 0x5c, 0x94, 0xe9, 0xac, - 0xd4, 0xd0, 0xe6, 0xbd, 0xfb, 0x03, 0x9c, 0xa8 -}; -static const unsigned char sha256_additionalinput2[] = -{ - 0x23, 0xaa, 0x0c, 0xbd, 0x28, 0x33, 0xe2, 0x51, 0xfc, 0x71, 0xd2, 0x15, - 0x1f, 0x76, 0xfd, 0x0d, 0xe0, 0xb7, 0xb5, 0x84, 0x75, 0x5b, 0xbe, 0xf3, - 0x5c, 0xca, 0xc5, 0x30, 0xf2, 0x75, 0x1f, 0xda -}; -static const unsigned char sha256_returnedbits[] = -{ - 0x90, 0x3c, 0xc1, 0x10, 0x8c, 0x12, 0x01, 0xc6, 0xa6, 0x3a, 0x0f, 0x4d, - 0xb6, 0x3a, 0x4f, 0x41, 0x9c, 0x61, 0x75, 0x84, 0xe9, 0x74, 0x75, 0xfd, - 0xfe, 0xf2, 0x1f, 0x43, 0xd8, 0x5e, 0x24, 0xa3 -}; - - -/* SHA-384 PR */ -static const unsigned char sha384_pr_entropyinput[] = -{ - 0x71, 0x9d, 0xb2, 0x5a, 0x71, 0x6d, 0x04, 0xe9, 0x1e, 0xc7, 0x92, 0x24, - 0x6e, 0x12, 0x33, 0xa9, 0x52, 0x64, 0x31, 0xef, 0x71, 0xeb, 0x22, 0x55, - 0x28, 0x97, 0x06, 0x6a, 0xc0, 0x0c, 0xa0, 0x7e -}; -static const unsigned char sha384_pr_nonce[] = -{ - 0xf5, 0x0d, 0xfa, 0xb0, 0xec, 0x6a, 0x7c, 0xd6, 0xbd, 0x9b, 0x05, 0xfd, - 0x38, 0x3e, 0x2e, 0x56 -}; -static const unsigned char sha384_pr_personalizationstring[] = -{ - 0x74, 0xac, 0x7e, 0x6d, 0xb1, 0xa4, 0xe7, 0x21, 0xd1, 0x1e, 0x6e, 0x96, - 0x6d, 0x4d, 0x53, 0x46, 0x82, 0x96, 0x6e, 0xcf, 0xaa, 0x81, 0x8d, 0x7d, - 0x9e, 0xe1, 0x0f, 0x15, 0xea, 0x41, 0xbf, 0xe3 -}; -static const unsigned char sha384_pr_additionalinput[] = -{ - 0xda, 0x95, 0xd4, 0xd0, 0xb8, 0x11, 0xd3, 0x49, 0x27, 0x5d, 0xa9, 0x39, - 0x68, 0xf3, 0xa8, 0xe9, 0x5d, 0x19, 0x8a, 0x2b, 0x66, 0xe8, 0x69, 0x06, - 0x7c, 0x9e, 0x03, 0xa1, 0x8b, 0x26, 0x2d, 0x6e -}; -static const unsigned char sha384_pr_entropyinputpr[] = -{ - 0x49, 0xdf, 0x44, 0x00, 0xe4, 0x1c, 0x75, 0x0b, 0x26, 0x5a, 0x59, 0x64, - 0x1f, 0x4e, 0xb1, 0xb2, 0x13, 0xf1, 0x22, 0x4e, 0xb4, 0x6d, 0x9a, 0xcc, - 0xa0, 0x48, 0xe6, 0xcf, 0x1d, 0xd1, 0x92, 0x0d -}; -static const unsigned char sha384_pr_int_returnedbits[] = -{ - 0xc8, 0x52, 0xae, 0xbf, 0x04, 0x3c, 0x27, 0xb7, 0x78, 0x18, 0xaa, 0x8f, - 0xff, 0xcf, 0xa4, 0xf1, 0xcc, 0xe7, 0x68, 0xfa, 0x22, 0xa2, 0x13, 0x45, - 0xe8, 0xdd, 0x87, 0xe6, 0xf2, 0x6e, 0xdd, 0xc7, 0x52, 0x90, 0x9f, 0x7b, - 0xfa, 0x61, 0x2d, 0x9d, 0x9e, 0xcf, 0x98, 0xac, 0x52, 0x40, 0xce, 0xaf -}; -static const unsigned char sha384_pr_additionalinput2[] = -{ - 0x61, 0x7c, 0x03, 0x9a, 0x3e, 0x50, 0x57, 0x60, 0xc5, 0x83, 0xc9, 0xb2, - 0xd1, 0x87, 0x85, 0x66, 0x92, 0x5d, 0x84, 0x0e, 0x53, 0xfb, 0x70, 0x03, - 0x72, 0xfd, 0xba, 0xae, 0x9c, 0x8f, 0xf8, 0x18 -}; -static const unsigned char sha384_pr_entropyinputpr2[] = -{ - 0xf8, 0xeb, 0x89, 0xb1, 0x8d, 0x78, 0xbe, 0x21, 0xe0, 0xbb, 0x9d, 0xb7, - 0x95, 0x0e, 0xd9, 0x46, 0x0c, 0x8c, 0xe2, 0x63, 0xb7, 0x9d, 0x67, 0x90, - 0xbd, 0xc7, 0x0b, 0xa5, 0xce, 0xb2, 0x65, 0x81 -}; -static const unsigned char sha384_pr_returnedbits[] = -{ - 0xe6, 0x9f, 0xfe, 0x68, 0xd6, 0xb5, 0x79, 0xf1, 0x06, 0x5f, 0xa3, 0xbb, - 0x23, 0x85, 0xd8, 0xf0, 0x29, 0x5a, 0x68, 0x9e, 0xf5, 0xf4, 0xa6, 0x12, - 0xe0, 0x9a, 0xe2, 0xac, 0x00, 0x1d, 0x98, 0x26, 0xfc, 0x53, 0x95, 0x53, - 0xe4, 0x3e, 0x17, 0xd5, 0x08, 0x0b, 0x70, 0x3d, 0x67, 0x99, 0xac, 0x66 -}; - - -/* SHA-384 No PR */ -static const unsigned char sha384_entropyinput[] = -{ - 0x07, 0x15, 0x27, 0x2a, 0xaf, 0x74, 0x24, 0x37, 0xbc, 0xd5, 0x14, 0x69, - 0xce, 0x11, 0xff, 0xa2, 0x6b, 0xb8, 0x05, 0x67, 0x34, 0xf8, 0xbd, 0x6d, - 0x6a, 0xcc, 0xcd, 0x60, 0xa3, 0x68, 0xca, 0xf4 -}; -static const unsigned char sha384_nonce[] = -{ - 0x70, 0x17, 0xc2, 0x5b, 0x5d, 0x22, 0x0b, 0x06, 0x15, 0x54, 0x78, 0x77, - 0x44, 0xaf, 0x2f, 0x09 -}; -static const unsigned char sha384_personalizationstring[] = -{ - 0x89, 0x39, 0x28, 0xb0, 0x60, 0xeb, 0x3d, 0xdc, 0x55, 0x75, 0x86, 0xeb, - 0xae, 0xa2, 0x8f, 0xbc, 0x1b, 0x75, 0xd4, 0xe1, 0x0f, 0xaa, 0x38, 0xca, - 0x62, 0x8b, 0xcb, 0x2c, 0x26, 0xf6, 0xbc, 0xb1 -}; -static const unsigned char sha384_additionalinput[] = -{ - 0x30, 0x2b, 0x42, 0x35, 0xef, 0xda, 0x40, 0x55, 0x28, 0xc6, 0x95, 0xfb, - 0x54, 0x01, 0x62, 0xd7, 0x87, 0x14, 0x48, 0x6d, 0x90, 0x4c, 0xa9, 0x02, - 0x54, 0x40, 0x22, 0xc8, 0x66, 0xa5, 0x48, 0x48 -}; -static const unsigned char sha384_int_returnedbits[] = -{ - 0x82, 0xc4, 0xa1, 0x9c, 0x21, 0xd2, 0xe7, 0xa5, 0xa6, 0xf6, 0x5f, 0x04, - 0x5c, 0xc7, 0x31, 0x9d, 0x8d, 0x59, 0x74, 0x50, 0x19, 0x89, 0x2f, 0x63, - 0xd5, 0xb7, 0x7e, 0xeb, 0x15, 0xe3, 0x70, 0x83, 0xa1, 0x24, 0x59, 0xfa, - 0x2c, 0x56, 0xf6, 0x88, 0x3a, 0x92, 0x93, 0xa1, 0xfb, 0x79, 0xc1, 0x7a -}; -static const unsigned char sha384_entropyinputreseed[] = -{ - 0x39, 0xa6, 0xe8, 0x5c, 0x82, 0x17, 0x71, 0x26, 0x57, 0x4f, 0x9f, 0xc2, - 0x55, 0xff, 0x5c, 0x9b, 0x53, 0x1a, 0xd1, 0x5f, 0xbc, 0x62, 0xe4, 0x27, - 0x2d, 0x32, 0xf0, 0xe4, 0x52, 0x8c, 0xc5, 0x0c -}; -static const unsigned char sha384_additionalinputreseed[] = -{ - 0x8d, 0xcb, 0x8d, 0xce, 0x08, 0xea, 0x80, 0xe8, 0x9b, 0x61, 0xa8, 0x0f, - 0xaf, 0x49, 0x20, 0x9e, 0x74, 0xcb, 0x57, 0x80, 0x42, 0xb0, 0x84, 0x5e, - 0x30, 0x2a, 0x67, 0x08, 0xf4, 0xe3, 0x40, 0x22 -}; -static const unsigned char sha384_additionalinput2[] = -{ - 0x7c, 0x8f, 0xc2, 0xae, 0x22, 0x4a, 0xd6, 0xf6, 0x05, 0xa4, 0x7a, 0xea, - 0xbb, 0x25, 0xd0, 0xb7, 0x5a, 0xd6, 0xcf, 0x9d, 0xf3, 0x6c, 0xe2, 0xb2, - 0x4e, 0xb4, 0xbd, 0xf4, 0xe5, 0x40, 0x80, 0x94 -}; -static const unsigned char sha384_returnedbits[] = -{ - 0x9e, 0x7e, 0xfb, 0x59, 0xbb, 0xaa, 0x3c, 0xf7, 0xe1, 0xf8, 0x76, 0xdd, - 0x63, 0x5f, 0xaf, 0x23, 0xd6, 0x64, 0x61, 0xc0, 0x9a, 0x09, 0x47, 0xc9, - 0x33, 0xdf, 0x6d, 0x55, 0x91, 0x34, 0x79, 0x70, 0xc4, 0x99, 0x6e, 0x54, - 0x09, 0x64, 0x21, 0x1a, 0xbd, 0x1e, 0x80, 0x40, 0x34, 0xad, 0xfa, 0xd7 -}; - - -/* SHA-512 PR */ -static const unsigned char sha512_pr_entropyinput[] = -{ - 0x13, 0xf7, 0x61, 0x75, 0x65, 0x28, 0xa2, 0x59, 0x13, 0x5a, 0x4a, 0x4f, - 0x56, 0x60, 0x8c, 0x53, 0x7d, 0xb0, 0xbd, 0x06, 0x4f, 0xed, 0xcc, 0xd2, - 0xa2, 0xb5, 0xfd, 0x5b, 0x3a, 0xab, 0xec, 0x28 -}; -static const unsigned char sha512_pr_nonce[] = -{ - 0xbe, 0xa3, 0x91, 0x93, 0x1d, 0xc3, 0x31, 0x3a, 0x23, 0x33, 0x50, 0x67, - 0x88, 0xc7, 0xa2, 0xc4 -}; -static const unsigned char sha512_pr_personalizationstring[] = -{ - 0x1f, 0x59, 0x4d, 0x7b, 0xe6, 0x46, 0x91, 0x48, 0xc1, 0x25, 0xfa, 0xff, - 0x89, 0x12, 0x77, 0x35, 0xdf, 0x3e, 0xf4, 0x80, 0x5f, 0xd9, 0xb0, 0x07, - 0x22, 0x41, 0xdd, 0x48, 0x78, 0x6b, 0x77, 0x2b -}; -static const unsigned char sha512_pr_additionalinput[] = -{ - 0x30, 0xff, 0x63, 0x6f, 0xac, 0xd9, 0x84, 0x39, 0x6f, 0xe4, 0x99, 0xce, - 0x91, 0x7d, 0x7e, 0xc8, 0x58, 0xf2, 0x12, 0xc3, 0xb6, 0xad, 0xda, 0x22, - 0x04, 0xa0, 0xd2, 0x21, 0xfe, 0xf2, 0x95, 0x1d -}; -static const unsigned char sha512_pr_entropyinputpr[] = -{ - 0x64, 0x54, 0x13, 0xec, 0x4f, 0x77, 0xda, 0xb2, 0x92, 0x2e, 0x52, 0x80, - 0x11, 0x10, 0xc2, 0xf8, 0xe6, 0xa7, 0xcd, 0x4b, 0xfc, 0x32, 0x2e, 0x9e, - 0xeb, 0xbb, 0xb1, 0xbf, 0x15, 0x5c, 0x73, 0x08 -}; -static const unsigned char sha512_pr_int_returnedbits[] = -{ - 0xef, 0x1e, 0xdc, 0x0a, 0xa4, 0x36, 0x91, 0x9c, 0x3d, 0x27, 0x97, 0x50, - 0x8d, 0x36, 0x29, 0x8d, 0xce, 0x6a, 0x0c, 0xf7, 0x21, 0xc0, 0x91, 0xae, - 0x0c, 0x96, 0x72, 0xbd, 0x52, 0x81, 0x58, 0xfc, 0x6d, 0xe5, 0xf7, 0xa5, - 0xfd, 0x5d, 0xa7, 0x58, 0x68, 0xc8, 0x99, 0x58, 0x8e, 0xc8, 0xce, 0x95, - 0x01, 0x7d, 0xff, 0xa4, 0xc8, 0xf7, 0x63, 0xfe, 0x5f, 0x69, 0x83, 0x53, - 0xe2, 0xc6, 0x8b, 0xc3 -}; -static const unsigned char sha512_pr_additionalinput2[] = -{ - 0xe6, 0x9b, 0xc4, 0x88, 0x34, 0xca, 0xea, 0x29, 0x2f, 0x98, 0x05, 0xa4, - 0xd3, 0xc0, 0x7b, 0x11, 0xe8, 0xbb, 0x75, 0xf2, 0xbd, 0x29, 0xb7, 0x40, - 0x25, 0x7f, 0xc1, 0xb7, 0xb1, 0xf1, 0x25, 0x61 -}; -static const unsigned char sha512_pr_entropyinputpr2[] = -{ - 0x23, 0x6d, 0xff, 0xde, 0xfb, 0xd1, 0xba, 0x33, 0x18, 0xe6, 0xbe, 0xb5, - 0x48, 0x77, 0x6d, 0x7f, 0xa7, 0xe1, 0x4d, 0x48, 0x1e, 0x3c, 0xa7, 0x34, - 0x1a, 0xc8, 0x60, 0xdb, 0x8f, 0x99, 0x15, 0x99 -}; -static const unsigned char sha512_pr_returnedbits[] = -{ - 0x70, 0x27, 0x31, 0xdb, 0x92, 0x70, 0x21, 0xfe, 0x16, 0xb6, 0xc8, 0x51, - 0x34, 0x87, 0x65, 0xd0, 0x4e, 0xfd, 0xfe, 0x68, 0xec, 0xac, 0xdc, 0x93, - 0x41, 0x38, 0x92, 0x90, 0xb4, 0x94, 0xf9, 0x0d, 0xa4, 0xf7, 0x4e, 0x80, - 0x92, 0x67, 0x48, 0x40, 0xa7, 0x08, 0xc7, 0xbc, 0x66, 0x00, 0xfd, 0xf7, - 0x4c, 0x8b, 0x17, 0x6e, 0xd1, 0x8f, 0x9b, 0xf3, 0x6f, 0xf6, 0x34, 0xdd, - 0x67, 0xf7, 0x68, 0xdd -}; - - -/* SHA-512 No PR */ -static const unsigned char sha512_entropyinput[] = -{ - 0xb6, 0x0b, 0xb7, 0xbc, 0x84, 0x56, 0xf6, 0x12, 0xaf, 0x45, 0x67, 0x17, - 0x7c, 0xd1, 0xb2, 0x78, 0x2b, 0xa0, 0xf2, 0xbe, 0xb6, 0x6d, 0x8b, 0x56, - 0xc6, 0xbc, 0x4d, 0xe1, 0xf7, 0xbe, 0xce, 0xbd -}; -static const unsigned char sha512_nonce[] = -{ - 0x9d, 0xed, 0xc0, 0xe5, 0x5a, 0x98, 0x6a, 0xcb, 0x51, 0x7d, 0x76, 0x31, - 0x5a, 0x64, 0xf0, 0xf7 -}; -static const unsigned char sha512_personalizationstring[] = -{ - 0xc2, 0x6d, 0xa3, 0xc3, 0x06, 0x74, 0xe5, 0x01, 0x5c, 0x10, 0x17, 0xc7, - 0xaf, 0x83, 0x9d, 0x59, 0x8d, 0x2d, 0x29, 0x38, 0xc5, 0x59, 0x70, 0x8b, - 0x46, 0x48, 0x2d, 0xcf, 0x36, 0x7d, 0x59, 0xc0 -}; -static const unsigned char sha512_additionalinput[] = -{ - 0xec, 0x8c, 0xd4, 0xf7, 0x61, 0x6e, 0x0d, 0x95, 0x79, 0xb7, 0x28, 0xad, - 0x5f, 0x69, 0x74, 0x5f, 0x2d, 0x36, 0x06, 0x8a, 0x6b, 0xac, 0x54, 0x97, - 0xc4, 0xa1, 0x12, 0x85, 0x0a, 0xdf, 0x4b, 0x34 -}; -static const unsigned char sha512_int_returnedbits[] = -{ - 0x84, 0x2f, 0x1f, 0x68, 0x6a, 0xa3, 0xad, 0x1e, 0xfb, 0xf4, 0x15, 0xbd, - 0xde, 0x38, 0xd4, 0x30, 0x80, 0x51, 0xe9, 0xd3, 0xc7, 0x20, 0x88, 0xe9, - 0xf5, 0xcc, 0xdf, 0x57, 0x5c, 0x47, 0x2f, 0x57, 0x3c, 0x5f, 0x13, 0x56, - 0xcc, 0xc5, 0x4f, 0x84, 0xf8, 0x10, 0x41, 0xd5, 0x7e, 0x58, 0x6e, 0x19, - 0x19, 0x9e, 0xaf, 0xc2, 0x22, 0x58, 0x41, 0x50, 0x79, 0xc2, 0xd8, 0x04, - 0x28, 0xd4, 0x39, 0x9a -}; -static const unsigned char sha512_entropyinputreseed[] = -{ - 0xfa, 0x7f, 0x46, 0x51, 0x83, 0x62, 0x98, 0x16, 0x9a, 0x19, 0xa2, 0x49, - 0xa9, 0xe6, 0x4a, 0xd8, 0x85, 0xe7, 0xd4, 0x3b, 0x2c, 0x82, 0xc5, 0x82, - 0xbf, 0x11, 0xf9, 0x9e, 0xbc, 0xd0, 0x01, 0xee -}; -static const unsigned char sha512_additionalinputreseed[] = -{ - 0xb9, 0x12, 0xe0, 0x4f, 0xf7, 0xa7, 0xc4, 0xd8, 0xd0, 0x8e, 0x99, 0x29, - 0x7c, 0x9a, 0xe9, 0xcf, 0xc4, 0x6c, 0xf8, 0xc3, 0xa7, 0x41, 0x83, 0xd6, - 0x2e, 0xfa, 0xb8, 0x5e, 0x8e, 0x6b, 0x78, 0x20 -}; -static const unsigned char sha512_additionalinput2[] = -{ - 0xd7, 0x07, 0x52, 0xb9, 0x83, 0x2c, 0x03, 0x71, 0xee, 0xc9, 0xc0, 0x85, - 0xe1, 0x57, 0xb2, 0xcd, 0x3a, 0xf0, 0xc9, 0x34, 0x24, 0x41, 0x1c, 0x42, - 0x99, 0xb2, 0x84, 0xe9, 0x17, 0xd2, 0x76, 0x92 -}; -static const unsigned char sha512_returnedbits[] = -{ - 0x36, 0x17, 0x5d, 0x98, 0x2b, 0x65, 0x25, 0x8e, 0xc8, 0x29, 0xdf, 0x27, - 0x05, 0x36, 0x26, 0x12, 0x8a, 0x68, 0x74, 0x27, 0x37, 0xd4, 0x7f, 0x32, - 0xb1, 0x12, 0xd6, 0x85, 0x83, 0xeb, 0x2e, 0xa0, 0xed, 0x4b, 0xb5, 0x7b, - 0x6f, 0x39, 0x3c, 0x71, 0x77, 0x02, 0x12, 0xcc, 0x2c, 0x3a, 0x8e, 0x63, - 0xdf, 0x4a, 0xbd, 0x6f, 0x6e, 0x2e, 0xed, 0x0a, 0x85, 0xa5, 0x2f, 0xa2, - 0x68, 0xde, 0x42, 0xb5 -}; - - -/* HMAC SHA-1 PR */ -static const unsigned char hmac_sha1_pr_entropyinput[] = -{ - 0x26, 0x5f, 0x36, 0x14, 0xff, 0x3d, 0x83, 0xfa, 0x73, 0x5e, 0x75, 0xdc, - 0x2c, 0x18, 0x17, 0x1b -}; -static const unsigned char hmac_sha1_pr_nonce[] = -{ - 0xc8, 0xe3, 0x57, 0xa5, 0x7b, 0x74, 0x86, 0x6e -}; -static const unsigned char hmac_sha1_pr_personalizationstring[] = -{ - 0x6e, 0xdb, 0x0d, 0xfe, 0x7d, 0xac, 0x79, 0xd0, 0xa5, 0x3a, 0x48, 0x85, - 0x80, 0xe2, 0x7f, 0x2a -}; -static const unsigned char hmac_sha1_pr_additionalinput[] = -{ - 0x31, 0xcd, 0x5e, 0x43, 0xdc, 0xfb, 0x7a, 0x79, 0xca, 0x88, 0xde, 0x1f, - 0xd7, 0xbb, 0x42, 0x09 -}; -static const unsigned char hmac_sha1_pr_entropyinputpr[] = -{ - 0x7c, 0x23, 0x95, 0x38, 0x00, 0x95, 0xc1, 0x78, 0x1f, 0x8f, 0xd7, 0x63, - 0x23, 0x87, 0x2a, 0xed -}; -static const unsigned char hmac_sha1_pr_int_returnedbits[] = -{ - 0xbb, 0x34, 0xe7, 0x93, 0xa3, 0x02, 0x2c, 0x4a, 0xd0, 0x89, 0xda, 0x7f, - 0xed, 0xf4, 0x4c, 0xde, 0x17, 0xec, 0xe5, 0x6c -}; -static const unsigned char hmac_sha1_pr_additionalinput2[] = -{ - 0x49, 0xbc, 0x2d, 0x2c, 0xb7, 0x32, 0xcb, 0x20, 0xdf, 0xf5, 0x77, 0x58, - 0xa0, 0x4b, 0x93, 0x6e -}; -static const unsigned char hmac_sha1_pr_entropyinputpr2[] = -{ - 0x3c, 0xaa, 0xb0, 0x21, 0x42, 0xb0, 0xdd, 0x34, 0xf0, 0x16, 0x7f, 0x0c, - 0x0f, 0xff, 0x2e, 0xaf -}; -static const unsigned char hmac_sha1_pr_returnedbits[] = -{ - 0x8e, 0xcb, 0xa3, 0x64, 0xb2, 0xb8, 0x33, 0x6c, 0x64, 0x3b, 0x78, 0x16, - 0x99, 0x35, 0xc8, 0x30, 0xcb, 0x3e, 0xa0, 0xd8 -}; - - -/* HMAC SHA-1 No PR */ -static const unsigned char hmac_sha1_entropyinput[] = -{ - 0x32, 0x9a, 0x2a, 0x87, 0x7b, 0x89, 0x7c, 0xf6, 0xcb, 0x95, 0xd5, 0x40, - 0x17, 0xfe, 0x47, 0x70 -}; -static const unsigned char hmac_sha1_nonce[] = -{ - 0x16, 0xd8, 0xe0, 0xc7, 0x52, 0xcf, 0x4a, 0x25 -}; -static const unsigned char hmac_sha1_personalizationstring[] = -{ - 0x35, 0x35, 0xa9, 0xa5, 0x40, 0xbe, 0x9b, 0xd1, 0x56, 0xdd, 0x44, 0x00, - 0x72, 0xf7, 0xd3, 0x5e -}; -static const unsigned char hmac_sha1_additionalinput[] = -{ - 0x1b, 0x2c, 0x84, 0x2d, 0x4a, 0x89, 0x8f, 0x69, 0x19, 0xf1, 0xf3, 0xdb, - 0xbb, 0xe3, 0xaa, 0xea -}; -static const unsigned char hmac_sha1_int_returnedbits[] = -{ - 0xcf, 0xfa, 0x7d, 0x72, 0x0f, 0xe6, 0xc7, 0x96, 0xa0, 0x69, 0x31, 0x11, - 0x9b, 0x0b, 0x1a, 0x20, 0x1f, 0x3f, 0xaa, 0xd1 -}; -static const unsigned char hmac_sha1_entropyinputreseed[] = -{ - 0x90, 0x75, 0x15, 0x04, 0x95, 0xf1, 0xba, 0x81, 0x0c, 0x37, 0x94, 0x6f, - 0x86, 0x52, 0x6d, 0x9c -}; -static const unsigned char hmac_sha1_additionalinputreseed[] = -{ - 0x5b, 0x40, 0xba, 0x5f, 0x17, 0x70, 0xf0, 0x4b, 0xdf, 0xc9, 0x97, 0x92, - 0x79, 0xc5, 0x82, 0x28 -}; -static const unsigned char hmac_sha1_additionalinput2[] = -{ - 0x97, 0xc8, 0x80, 0x90, 0xb3, 0xaa, 0x6e, 0x60, 0xea, 0x83, 0x7a, 0xe3, - 0x8a, 0xca, 0xa4, 0x7f -}; -static const unsigned char hmac_sha1_returnedbits[] = -{ - 0x90, 0xbd, 0x05, 0x56, 0x6d, 0xb5, 0x22, 0xd5, 0xb9, 0x5a, 0x29, 0x2d, - 0xe9, 0x0b, 0xe1, 0xac, 0xde, 0x27, 0x0b, 0xb0 -}; - - -/* HMAC SHA-224 PR */ -static const unsigned char hmac_sha224_pr_entropyinput[] = -{ - 0x17, 0x32, 0x2b, 0x2e, 0x6f, 0x1b, 0x9c, 0x6d, 0x31, 0xe0, 0x34, 0x07, - 0xcf, 0xed, 0xf6, 0xb6, 0x5a, 0x76, 0x4c, 0xbc, 0x62, 0x85, 0x01, 0x90 -}; -static const unsigned char hmac_sha224_pr_nonce[] = -{ - 0x38, 0xbf, 0x5f, 0x20, 0xb3, 0x68, 0x2f, 0x43, 0x61, 0x05, 0x8f, 0x23 -}; -static const unsigned char hmac_sha224_pr_personalizationstring[] = -{ - 0xc0, 0xc9, 0x45, 0xac, 0x8d, 0x27, 0x77, 0x08, 0x0b, 0x17, 0x6d, 0xed, - 0xc1, 0x7d, 0xd5, 0x07, 0x9d, 0x6e, 0xf8, 0x23, 0x2a, 0x22, 0x13, 0xbd -}; -static const unsigned char hmac_sha224_pr_additionalinput[] = -{ - 0xa4, 0x3c, 0xe7, 0x3b, 0xea, 0x19, 0x45, 0x32, 0xc2, 0x83, 0x6d, 0x21, - 0x8a, 0xc0, 0xee, 0x67, 0x45, 0xde, 0x13, 0x7d, 0x9d, 0x61, 0x00, 0x3b -}; -static const unsigned char hmac_sha224_pr_entropyinputpr[] = -{ - 0x15, 0x05, 0x74, 0x4a, 0x7f, 0x8d, 0x5c, 0x60, 0x16, 0xe5, 0x7b, 0xad, - 0xf5, 0x41, 0x8f, 0x55, 0x60, 0xc4, 0x09, 0xee, 0x1e, 0x11, 0x81, 0xab -}; -static const unsigned char hmac_sha224_pr_int_returnedbits[] = -{ - 0x6f, 0xf5, 0x9a, 0xe2, 0x54, 0x53, 0x30, 0x3d, 0x5a, 0x27, 0x29, 0x38, - 0x27, 0xf2, 0x0d, 0x05, 0xe9, 0x26, 0xcb, 0x16, 0xc3, 0x51, 0x5f, 0x13, - 0x41, 0xfe, 0x99, 0xf2 -}; -static const unsigned char hmac_sha224_pr_additionalinput2[] = -{ - 0x73, 0x81, 0x88, 0x84, 0x8f, 0xed, 0x6f, 0x10, 0x9f, 0x93, 0xbf, 0x17, - 0x35, 0x7c, 0xef, 0xd5, 0x8d, 0x26, 0xa6, 0x7a, 0xe8, 0x09, 0x36, 0x4f -}; -static const unsigned char hmac_sha224_pr_entropyinputpr2[] = -{ - 0xe6, 0xcf, 0xcf, 0x7e, 0x12, 0xe5, 0x43, 0xd2, 0x38, 0xd8, 0x24, 0x6f, - 0x5a, 0x37, 0x68, 0xbf, 0x4f, 0xa0, 0xff, 0xd5, 0x61, 0x8a, 0x93, 0xe0 -}; -static const unsigned char hmac_sha224_pr_returnedbits[] = -{ - 0xaf, 0xf9, 0xd8, 0x19, 0x91, 0x30, 0x82, 0x6f, 0xa9, 0x1e, 0x9d, 0xd7, - 0xf3, 0x50, 0xe0, 0xc7, 0xd5, 0x64, 0x96, 0x7d, 0x4c, 0x4d, 0x78, 0x03, - 0x6d, 0xd8, 0x9e, 0x72 -}; - - -/* HMAC SHA-224 No PR */ -static const unsigned char hmac_sha224_entropyinput[] = -{ - 0x11, 0x82, 0xfd, 0xd9, 0x42, 0xf4, 0xfa, 0xc8, 0xf2, 0x41, 0xe6, 0x54, - 0x01, 0xae, 0x22, 0x6e, 0xc6, 0xaf, 0xaf, 0xd0, 0xa6, 0xb2, 0xe2, 0x6d -}; -static const unsigned char hmac_sha224_nonce[] = -{ - 0xa9, 0x48, 0xd7, 0x92, 0x39, 0x7e, 0x2a, 0xdc, 0x30, 0x1f, 0x0e, 0x2b -}; -static const unsigned char hmac_sha224_personalizationstring[] = -{ - 0x11, 0xd5, 0xf4, 0xbd, 0x67, 0x8c, 0x31, 0xcf, 0xa3, 0x3f, 0x1e, 0x6b, - 0xa8, 0x07, 0x02, 0x0b, 0xc8, 0x2e, 0x6c, 0x64, 0x41, 0x5b, 0xc8, 0x37 -}; -static const unsigned char hmac_sha224_additionalinput[] = -{ - 0x68, 0x18, 0xc2, 0x06, 0xeb, 0x3e, 0x04, 0x95, 0x44, 0x5e, 0xfb, 0xe6, - 0x41, 0xc1, 0x5c, 0xcc, 0x40, 0x2f, 0xb7, 0xd2, 0x0f, 0xf3, 0x6b, 0xe7 -}; -static const unsigned char hmac_sha224_int_returnedbits[] = -{ - 0x7f, 0x45, 0xc7, 0x5d, 0x32, 0xe6, 0x17, 0x60, 0xba, 0xdc, 0xb8, 0x42, - 0x1b, 0x9c, 0xf1, 0xfa, 0x3b, 0x4d, 0x29, 0x54, 0xc6, 0x90, 0xff, 0x5c, - 0xcd, 0xd6, 0xa9, 0xcc -}; -static const unsigned char hmac_sha224_entropyinputreseed[] = -{ - 0xc4, 0x8e, 0x37, 0x95, 0x69, 0x53, 0x28, 0xd7, 0x37, 0xbb, 0x70, 0x95, - 0x1c, 0x07, 0x1d, 0xd9, 0xb7, 0xe6, 0x1b, 0xbb, 0xfe, 0x41, 0xeb, 0xc9 -}; -static const unsigned char hmac_sha224_additionalinputreseed[] = -{ - 0x53, 0x17, 0xa1, 0x6a, 0xfa, 0x77, 0x47, 0xb0, 0x95, 0x56, 0x9a, 0x20, - 0x57, 0xde, 0x5c, 0x89, 0x9f, 0x7f, 0xe2, 0xde, 0x17, 0x3a, 0x50, 0x23 -}; -static const unsigned char hmac_sha224_additionalinput2[] = -{ - 0x3a, 0x32, 0xf9, 0x85, 0x0c, 0xc1, 0xed, 0x76, 0x2d, 0xdf, 0x40, 0xc3, - 0x06, 0x22, 0x66, 0xd4, 0x9a, 0x9a, 0xff, 0x5a, 0x7e, 0x7a, 0xf3, 0x96 -}; -static const unsigned char hmac_sha224_returnedbits[] = -{ - 0x43, 0xb4, 0x57, 0x5c, 0x38, 0x25, 0x9d, 0xae, 0xec, 0x96, 0xd1, 0x85, - 0x3a, 0x84, 0x8d, 0xfe, 0x68, 0xd5, 0x0e, 0x5c, 0x8f, 0x65, 0xa5, 0x4e, - 0x45, 0x84, 0xa8, 0x94 -}; - - -/* HMAC SHA-256 PR */ -static const unsigned char hmac_sha256_pr_entropyinput[] = -{ - 0x4d, 0xb0, 0x43, 0xd8, 0x34, 0x4b, 0x10, 0x70, 0xb1, 0x8b, 0xed, 0xea, - 0x07, 0x92, 0x9f, 0x6c, 0x79, 0x31, 0xaf, 0x81, 0x29, 0xeb, 0x6e, 0xca, - 0x32, 0x48, 0x28, 0xe7, 0x02, 0x5d, 0xa6, 0xa6 -}; -static const unsigned char hmac_sha256_pr_nonce[] = -{ - 0x3a, 0xae, 0x15, 0xa9, 0x99, 0xdc, 0xe4, 0x67, 0x34, 0x3b, 0x70, 0x15, - 0xaa, 0xd3, 0x30, 0x9a -}; -static const unsigned char hmac_sha256_pr_personalizationstring[] = -{ - 0x13, 0x1d, 0x24, 0x04, 0xb0, 0x18, 0x81, 0x15, 0x21, 0x51, 0x2a, 0x24, - 0x52, 0x61, 0xbe, 0x64, 0x82, 0x6b, 0x55, 0x2f, 0xe2, 0xf1, 0x40, 0x7d, - 0x71, 0xd8, 0x01, 0x86, 0x15, 0xb7, 0x8b, 0xb5 -}; -static const unsigned char hmac_sha256_pr_additionalinput[] = -{ - 0x8f, 0xa6, 0x54, 0x5f, 0xb1, 0xd0, 0xd8, 0xc3, 0xe7, 0x0c, 0x15, 0xa9, - 0x23, 0x6e, 0xfe, 0xfb, 0x93, 0xf7, 0x3a, 0xbd, 0x59, 0x01, 0xfa, 0x18, - 0x8e, 0xe9, 0x1a, 0xa9, 0x78, 0xfc, 0x79, 0x0b -}; -static const unsigned char hmac_sha256_pr_entropyinputpr[] = -{ - 0xcf, 0x24, 0xb9, 0xeb, 0xb3, 0xd4, 0xcd, 0x17, 0x37, 0x38, 0x75, 0x79, - 0x15, 0xcb, 0x2d, 0x75, 0x51, 0xf1, 0xcc, 0xaa, 0x32, 0xa4, 0xa7, 0x36, - 0x7c, 0x5c, 0xe4, 0x47, 0xf1, 0x3e, 0x1d, 0xe5 -}; -static const unsigned char hmac_sha256_pr_int_returnedbits[] = -{ - 0x52, 0x42, 0xfa, 0xeb, 0x85, 0xe0, 0x30, 0x22, 0x79, 0x00, 0x16, 0xb2, - 0x88, 0x2f, 0x14, 0x6a, 0xb7, 0xfc, 0xb7, 0x53, 0xdc, 0x4a, 0x12, 0xef, - 0x54, 0xd6, 0x33, 0xe9, 0x20, 0xd6, 0xfd, 0x56 -}; -static const unsigned char hmac_sha256_pr_additionalinput2[] = -{ - 0xf4, 0xf6, 0x49, 0xa1, 0x2d, 0x64, 0x2b, 0x30, 0x58, 0xf8, 0xbd, 0xb8, - 0x75, 0xeb, 0xbb, 0x5e, 0x1c, 0x9b, 0x81, 0x6a, 0xda, 0x14, 0x86, 0x6e, - 0xd0, 0xda, 0x18, 0xb7, 0x88, 0xfb, 0x59, 0xf3 -}; -static const unsigned char hmac_sha256_pr_entropyinputpr2[] = -{ - 0x21, 0xcd, 0x6e, 0x46, 0xad, 0x99, 0x07, 0x17, 0xb4, 0x3d, 0x76, 0x0a, - 0xff, 0x5b, 0x52, 0x50, 0x78, 0xdf, 0x1f, 0x24, 0x06, 0x0d, 0x3f, 0x74, - 0xa9, 0xc9, 0x37, 0xcf, 0xd8, 0x26, 0x25, 0x91 -}; -static const unsigned char hmac_sha256_pr_returnedbits[] = -{ - 0xa7, 0xaf, 0x2f, 0x29, 0xe0, 0x3a, 0x72, 0x95, 0x96, 0x1c, 0xa9, 0xf0, - 0x4a, 0x17, 0x4d, 0x66, 0x06, 0x10, 0xbf, 0x39, 0x89, 0x88, 0xb8, 0x91, - 0x37, 0x18, 0x99, 0xcf, 0x8c, 0x53, 0x3b, 0x7e -}; - - -/* HMAC SHA-256 No PR */ -static const unsigned char hmac_sha256_entropyinput[] = -{ - 0x96, 0xb7, 0x53, 0x22, 0x1e, 0x52, 0x2a, 0x96, 0xb1, 0x15, 0x3c, 0x35, - 0x5a, 0x8b, 0xd3, 0x4a, 0xa6, 0x6c, 0x83, 0x0a, 0x7d, 0xa3, 0x23, 0x3d, - 0x43, 0xa1, 0x07, 0x2c, 0x2d, 0xe3, 0x81, 0xcc -}; -static const unsigned char hmac_sha256_nonce[] = -{ - 0xf1, 0xac, 0x97, 0xcb, 0x5e, 0x06, 0x48, 0xd2, 0x94, 0xbe, 0x15, 0x2e, - 0xc7, 0xfc, 0xc2, 0x01 -}; -static const unsigned char hmac_sha256_personalizationstring[] = -{ - 0x98, 0xc5, 0x1e, 0x35, 0x5e, 0x89, 0x0d, 0xce, 0x64, 0x6d, 0x18, 0xa7, - 0x5a, 0xc6, 0xf3, 0xe7, 0xd6, 0x9e, 0xc0, 0xea, 0xb7, 0x3a, 0x8d, 0x65, - 0xb8, 0xeb, 0x10, 0xd7, 0x57, 0x18, 0xa0, 0x32 -}; -static const unsigned char hmac_sha256_additionalinput[] = -{ - 0x1b, 0x10, 0xaf, 0xac, 0xd0, 0x65, 0x95, 0xad, 0x04, 0xad, 0x03, 0x1c, - 0xe0, 0x40, 0xd6, 0x3e, 0x1c, 0x46, 0x53, 0x39, 0x7c, 0xe2, 0xbc, 0xda, - 0x8c, 0xa2, 0x33, 0xa7, 0x9a, 0x26, 0xd3, 0x27 -}; -static const unsigned char hmac_sha256_int_returnedbits[] = -{ - 0xba, 0x61, 0x0e, 0x55, 0xfe, 0x11, 0x8a, 0x9e, 0x0f, 0x80, 0xdf, 0x1d, - 0x03, 0x0a, 0xfe, 0x15, 0x94, 0x28, 0x4b, 0xba, 0xf4, 0x9f, 0x51, 0x25, - 0x88, 0xe5, 0x4e, 0xfb, 0xaf, 0xce, 0x69, 0x90 -}; -static const unsigned char hmac_sha256_entropyinputreseed[] = -{ - 0x62, 0x7f, 0x1e, 0x6b, 0xe8, 0x8e, 0xe1, 0x35, 0x7d, 0x9b, 0x4f, 0xc7, - 0xec, 0xc8, 0xac, 0xef, 0x6b, 0x13, 0x9e, 0x05, 0x56, 0xc1, 0x08, 0xf9, - 0x2f, 0x0f, 0x27, 0x9c, 0xd4, 0x15, 0xed, 0x2d -}; -static const unsigned char hmac_sha256_additionalinputreseed[] = -{ - 0xc7, 0x76, 0x6e, 0xa9, 0xd2, 0xb2, 0x76, 0x40, 0x82, 0x25, 0x2c, 0xb3, - 0x6f, 0xac, 0xe9, 0x74, 0xef, 0x8f, 0x3c, 0x8e, 0xcd, 0xf1, 0xbf, 0xb3, - 0x49, 0x77, 0x34, 0x88, 0x52, 0x36, 0xe6, 0x2e -}; -static const unsigned char hmac_sha256_additionalinput2[] = -{ - 0x8d, 0xb8, 0x0c, 0xd1, 0xbf, 0x70, 0xf6, 0x19, 0xc3, 0x41, 0x80, 0x9f, - 0xe1, 0xa5, 0xa4, 0x1f, 0x2c, 0x26, 0xb1, 0xe5, 0xd8, 0xeb, 0xbe, 0xf8, - 0xdf, 0x88, 0x6a, 0x89, 0xd6, 0x05, 0xd8, 0x9d -}; -static const unsigned char hmac_sha256_returnedbits[] = -{ - 0x43, 0x12, 0x2a, 0x2c, 0x40, 0x53, 0x2e, 0x7c, 0x66, 0x34, 0xac, 0xc3, - 0x43, 0xe3, 0xe0, 0x6a, 0xfc, 0xfa, 0xea, 0x87, 0x21, 0x1f, 0xe2, 0x26, - 0xc4, 0xf9, 0x09, 0x9a, 0x0d, 0x6e, 0x7f, 0xe0 -}; - - -/* HMAC SHA-384 PR */ -static const unsigned char hmac_sha384_pr_entropyinput[] = -{ - 0x69, 0x81, 0x98, 0x88, 0x44, 0xf5, 0xd6, 0x2e, 0x00, 0x08, 0x3b, 0xc5, - 0xfb, 0xd7, 0x8e, 0x6f, 0x23, 0xf8, 0x6d, 0x09, 0xd6, 0x85, 0x49, 0xd1, - 0xf8, 0x6d, 0xa4, 0x58, 0x54, 0xfd, 0x88, 0xa9 -}; -static const unsigned char hmac_sha384_pr_nonce[] = -{ - 0x6e, 0x38, 0x81, 0xca, 0xb7, 0xe8, 0x6e, 0x66, 0x49, 0x8a, 0xb2, 0x59, - 0xee, 0x16, 0xc9, 0xde -}; -static const unsigned char hmac_sha384_pr_personalizationstring[] = -{ - 0xfe, 0x4c, 0xd9, 0xf4, 0x78, 0x3b, 0x08, 0x41, 0x8d, 0x8f, 0x55, 0xc4, - 0x43, 0x56, 0xb6, 0x12, 0x36, 0x6b, 0x30, 0xb7, 0x5e, 0xe1, 0xb9, 0x47, - 0x04, 0xb1, 0x4e, 0xa9, 0x00, 0xa1, 0x52, 0xa1 -}; -static const unsigned char hmac_sha384_pr_additionalinput[] = -{ - 0x89, 0xe9, 0xcc, 0x8f, 0x27, 0x3c, 0x26, 0xd1, 0x95, 0xc8, 0x7d, 0x0f, - 0x5b, 0x1a, 0xf0, 0x78, 0x39, 0x56, 0x6f, 0xa4, 0x23, 0xe7, 0xd1, 0xda, - 0x7c, 0x66, 0x33, 0xa0, 0x90, 0xc9, 0x92, 0x88 -}; -static const unsigned char hmac_sha384_pr_entropyinputpr[] = -{ - 0xbe, 0x3d, 0x7c, 0x0d, 0xca, 0xda, 0x7c, 0x49, 0xb8, 0x12, 0x36, 0xc0, - 0xdb, 0xad, 0x35, 0xa8, 0xc7, 0x0b, 0x2a, 0x2c, 0x69, 0x6d, 0x25, 0x56, - 0x63, 0x82, 0x11, 0x3e, 0xa7, 0x33, 0x70, 0x72 -}; -static const unsigned char hmac_sha384_pr_int_returnedbits[] = -{ - 0x82, 0x3d, 0xe6, 0x54, 0x80, 0x42, 0xf8, 0xba, 0x90, 0x4f, 0x06, 0xa6, - 0xd2, 0x7f, 0xbf, 0x79, 0x7c, 0x12, 0x7d, 0xa6, 0xa2, 0x66, 0xe8, 0xa6, - 0xc0, 0xd6, 0x4a, 0x55, 0xbf, 0xd8, 0x0a, 0xc5, 0xf8, 0x03, 0x88, 0xdd, - 0x8e, 0x87, 0xd1, 0x5a, 0x48, 0x26, 0x72, 0x2a, 0x8e, 0xcf, 0xee, 0xba -}; -static const unsigned char hmac_sha384_pr_additionalinput2[] = -{ - 0x8f, 0xff, 0xd9, 0x84, 0xbb, 0x85, 0x3a, 0x66, 0xa1, 0x21, 0xce, 0xb2, - 0x3a, 0x3a, 0x17, 0x22, 0x19, 0xae, 0xc7, 0xb6, 0x63, 0x81, 0xd5, 0xff, - 0x0d, 0xc8, 0xe1, 0xaf, 0x57, 0xd2, 0xcb, 0x60 -}; -static const unsigned char hmac_sha384_pr_entropyinputpr2[] = -{ - 0xd7, 0xfb, 0xc9, 0xe8, 0xe2, 0xf2, 0xaa, 0x4c, 0xb8, 0x51, 0x2f, 0xe1, - 0x22, 0xba, 0xf3, 0xda, 0x0a, 0x19, 0x76, 0x71, 0x57, 0xb2, 0x1d, 0x94, - 0x09, 0x69, 0x6c, 0xd3, 0x97, 0x51, 0x81, 0x87 -}; - - -static const unsigned char hmac_sha384_pr_returnedbits[] = -{ - 0xe6, 0x19, 0x28, 0xa8, 0x21, 0xce, 0x5e, 0xdb, 0x24, 0x79, 0x8c, 0x76, - 0x5d, 0x73, 0xb2, 0xdf, 0xac, 0xef, 0x85, 0xa7, 0x3b, 0x19, 0x09, 0x8b, - 0x7f, 0x98, 0x28, 0xa9, 0x93, 0xd8, 0x7a, 0xad, 0x55, 0x8b, 0x24, 0x9d, - 0xe6, 0x98, 0xfe, 0x47, 0xd5, 0x48, 0xc1, 0x23, 0xd8, 0x1d, 0x62, 0x75 -}; - - -/* HMAC SHA-384 No PR */ -static const unsigned char hmac_sha384_entropyinput[] = -{ - 0xc3, 0x56, 0x2b, 0x1d, 0xc2, 0xbb, 0xa8, 0xf0, 0xae, 0x1b, 0x0d, 0xd3, - 0x5a, 0x6c, 0xda, 0x57, 0x8e, 0xa5, 0x8a, 0x0d, 0x6c, 0x4b, 0x18, 0xb1, - 0x04, 0x3e, 0xb4, 0x99, 0x35, 0xc4, 0xc0, 0x5f -}; -static const unsigned char hmac_sha384_nonce[] = -{ - 0xc5, 0x49, 0x1e, 0x66, 0x27, 0x92, 0xbe, 0xec, 0xb5, 0x1e, 0x4b, 0xb1, - 0x38, 0xe3, 0xeb, 0x62 -}; -static const unsigned char hmac_sha384_personalizationstring[] = -{ - 0xbe, 0xe7, 0x6b, 0x57, 0xde, 0x88, 0x11, 0x96, 0x9b, 0x6e, 0xea, 0xe5, - 0x63, 0x83, 0x4c, 0xb6, 0x8d, 0x66, 0xaa, 0x1f, 0x8b, 0x54, 0xe7, 0x62, - 0x6d, 0x5a, 0xfc, 0xbf, 0x97, 0xba, 0xcd, 0x77 -}; -static const unsigned char hmac_sha384_additionalinput[] = -{ - 0xe5, 0x28, 0x5f, 0x43, 0xf5, 0x83, 0x6e, 0x0a, 0x83, 0x5c, 0xe3, 0x81, - 0x03, 0xf2, 0xf8, 0x78, 0x00, 0x7c, 0x95, 0x87, 0x16, 0xd6, 0x6c, 0x58, - 0x33, 0x6c, 0x53, 0x35, 0x0d, 0x66, 0xe3, 0xce -}; -static const unsigned char hmac_sha384_int_returnedbits[] = -{ - 0xe2, 0x1f, 0xf3, 0xda, 0x0d, 0x19, 0x99, 0x87, 0xc4, 0x90, 0xa2, 0x31, - 0xca, 0x2a, 0x89, 0x58, 0x43, 0x44, 0xb8, 0xde, 0xcf, 0xa4, 0xbe, 0x3b, - 0x53, 0x26, 0x22, 0x31, 0x76, 0x41, 0x22, 0xb5, 0xa8, 0x70, 0x2f, 0x4b, - 0x64, 0x95, 0x4d, 0x48, 0x96, 0x35, 0xe6, 0xbd, 0x3c, 0x34, 0xdb, 0x1b -}; -static const unsigned char hmac_sha384_entropyinputreseed[] = -{ - 0x77, 0x61, 0xba, 0xbc, 0xf2, 0xc1, 0xf3, 0x4b, 0x86, 0x65, 0xfd, 0x48, - 0x0e, 0x3c, 0x02, 0x5e, 0xa2, 0x7a, 0x6b, 0x7c, 0xed, 0x21, 0x5e, 0xf9, - 0xcd, 0xcd, 0x77, 0x07, 0x2b, 0xbe, 0xc5, 0x5c -}; -static const unsigned char hmac_sha384_additionalinputreseed[] = -{ - 0x18, 0x24, 0x5f, 0xc6, 0x84, 0xd1, 0x67, 0xc3, 0x9a, 0x11, 0xa5, 0x8c, - 0x07, 0x39, 0x21, 0x83, 0x4d, 0x04, 0xc4, 0x6a, 0x28, 0x19, 0xcf, 0x92, - 0x21, 0xd9, 0x9e, 0x41, 0x72, 0x6c, 0x9e, 0x63 -}; -static const unsigned char hmac_sha384_additionalinput2[] = -{ - 0x96, 0x67, 0x41, 0x28, 0x9b, 0xb7, 0x92, 0x8d, 0x64, 0x3b, 0xe4, 0xcf, - 0x7e, 0xaa, 0x1e, 0xb1, 0x4b, 0x1d, 0x09, 0x56, 0x67, 0x9c, 0xc6, 0x6d, - 0x3b, 0xe8, 0x91, 0x9d, 0xe1, 0x8a, 0xb7, 0x32 -}; -static const unsigned char hmac_sha384_returnedbits[] = -{ - 0xe3, 0x59, 0x61, 0x38, 0x92, 0xec, 0xe2, 0x3c, 0xff, 0xb7, 0xdb, 0x19, - 0x0f, 0x5b, 0x93, 0x68, 0x0d, 0xa4, 0x94, 0x40, 0x72, 0x0b, 0xe0, 0xed, - 0x4d, 0xcd, 0x68, 0xa0, 0x1e, 0xfe, 0x67, 0xb2, 0xfa, 0x21, 0x56, 0x74, - 0xa4, 0xad, 0xcf, 0xb7, 0x60, 0x66, 0x2e, 0x40, 0xde, 0x82, 0xca, 0xfb -}; - - -/* HMAC SHA-512 PR */ -static const unsigned char hmac_sha512_pr_entropyinput[] = -{ - 0xaa, 0x9e, 0x45, 0x67, 0x0e, 0x00, 0x2a, 0x67, 0x98, 0xd6, 0xda, 0x0b, - 0x0f, 0x17, 0x7e, 0xac, 0xfd, 0x27, 0xc4, 0xca, 0x84, 0xdf, 0xde, 0xba, - 0x85, 0xd9, 0xbe, 0x8f, 0xf3, 0xff, 0x91, 0x4d -}; -static const unsigned char hmac_sha512_pr_nonce[] = -{ - 0x8c, 0x49, 0x2f, 0x58, 0x1e, 0x7a, 0xda, 0x4b, 0x7e, 0x8a, 0x30, 0x7b, - 0x86, 0xea, 0xaf, 0xa2 -}; -static const unsigned char hmac_sha512_pr_personalizationstring[] = -{ - 0x71, 0xe1, 0xbb, 0xad, 0xa7, 0x4b, 0x2e, 0x31, 0x3b, 0x0b, 0xec, 0x24, - 0x99, 0x38, 0xbc, 0xaa, 0x05, 0x4c, 0x46, 0x44, 0xfa, 0xad, 0x8e, 0x02, - 0xc1, 0x7e, 0xad, 0xec, 0x54, 0xa6, 0xd0, 0xad -}; -static const unsigned char hmac_sha512_pr_additionalinput[] = -{ - 0x3d, 0x6e, 0xa6, 0xa8, 0x29, 0x2a, 0xb2, 0xf5, 0x98, 0x42, 0xe4, 0x92, - 0x78, 0x22, 0x67, 0xfd, 0x1b, 0x15, 0x1e, 0x29, 0xaa, 0x71, 0x3c, 0x3c, - 0xe7, 0x05, 0x20, 0xa9, 0x29, 0xc6, 0x75, 0x71 -}; -static const unsigned char hmac_sha512_pr_entropyinputpr[] = -{ - 0xab, 0xb9, 0x16, 0xd8, 0x55, 0x35, 0x54, 0xb7, 0x97, 0x3f, 0x94, 0xbc, - 0x2f, 0x7c, 0x70, 0xc7, 0xd0, 0xed, 0xb7, 0x4b, 0xf7, 0xf6, 0x6c, 0x03, - 0x0c, 0xb0, 0x03, 0xd8, 0xbb, 0x71, 0xd9, 0x10 -}; -static const unsigned char hmac_sha512_pr_int_returnedbits[] = -{ - 0x8e, 0xd3, 0xfd, 0x52, 0x9e, 0x83, 0x08, 0x49, 0x18, 0x6e, 0x23, 0x56, - 0x5c, 0x45, 0x93, 0x34, 0x05, 0xe2, 0x98, 0x8f, 0x0c, 0xd4, 0x32, 0x0c, - 0xfd, 0xda, 0x5f, 0x92, 0x3a, 0x8c, 0x81, 0xbd, 0xf6, 0x6c, 0x55, 0xfd, - 0xb8, 0x20, 0xce, 0x8d, 0x97, 0x27, 0xe8, 0xe8, 0xe0, 0xb3, 0x85, 0x50, - 0xa2, 0xc2, 0xb2, 0x95, 0x1d, 0x48, 0xd3, 0x7b, 0x4b, 0x78, 0x13, 0x35, - 0x05, 0x17, 0xbe, 0x0d -}; -static const unsigned char hmac_sha512_pr_additionalinput2[] = -{ - 0xc3, 0xfc, 0x95, 0xaa, 0x69, 0x06, 0xae, 0x59, 0x41, 0xce, 0x26, 0x08, - 0x29, 0x6d, 0x45, 0xda, 0xe8, 0xb3, 0x6c, 0x95, 0x60, 0x0f, 0x70, 0x2c, - 0x10, 0xba, 0x38, 0x8c, 0xcf, 0x29, 0x99, 0xaa -}; -static const unsigned char hmac_sha512_pr_entropyinputpr2[] = -{ - 0x3b, 0x9a, 0x25, 0xce, 0xd7, 0xf9, 0x5c, 0xd1, 0x3a, 0x3e, 0xaa, 0x71, - 0x14, 0x3e, 0x19, 0xe8, 0xce, 0xe6, 0xfe, 0x51, 0x84, 0xe9, 0x1b, 0xfe, - 0x3f, 0xa7, 0xf2, 0xfd, 0x76, 0x5f, 0x6a, 0xe7 -}; -static const unsigned char hmac_sha512_pr_returnedbits[] = -{ - 0xb7, 0x82, 0xa9, 0x57, 0x81, 0x67, 0x53, 0xb5, 0xa1, 0xe9, 0x3d, 0x35, - 0xf9, 0xe4, 0x97, 0xbe, 0xa6, 0xca, 0xf1, 0x01, 0x13, 0x09, 0xe7, 0x21, - 0xc0, 0xed, 0x93, 0x5d, 0x4b, 0xf4, 0xeb, 0x8d, 0x53, 0x25, 0x8a, 0xc4, - 0xb1, 0x6f, 0x6e, 0x37, 0xcd, 0x2e, 0xac, 0x39, 0xb2, 0xb6, 0x99, 0xa3, - 0x82, 0x00, 0xb0, 0x21, 0xf0, 0xc7, 0x2f, 0x4c, 0x73, 0x92, 0xfd, 0x00, - 0xb6, 0xaf, 0xbc, 0xd3 -}; - - -/* HMAC SHA-512 No PR */ -static const unsigned char hmac_sha512_entropyinput[] = -{ - 0x6e, 0x85, 0xe6, 0x25, 0x96, 0x29, 0xa7, 0x52, 0x5b, 0x60, 0xba, 0xaa, - 0xde, 0xdb, 0x36, 0x0a, 0x51, 0x9a, 0x15, 0xae, 0x6e, 0x18, 0xd3, 0xfe, - 0x39, 0xb9, 0x4a, 0x96, 0xf8, 0x77, 0xcb, 0x95 -}; -static const unsigned char hmac_sha512_nonce[] = -{ - 0xe0, 0xa6, 0x5d, 0x08, 0xc3, 0x7c, 0xae, 0x25, 0x2e, 0x80, 0xd1, 0x3e, - 0xd9, 0xaf, 0x43, 0x3c -}; -static const unsigned char hmac_sha512_personalizationstring[] = -{ - 0x53, 0x99, 0x52, 0x5f, 0x11, 0xa9, 0x64, 0x66, 0x20, 0x5e, 0x1b, 0x5f, - 0x42, 0xb3, 0xf4, 0xda, 0xed, 0xbb, 0x63, 0xc1, 0x23, 0xaf, 0xd0, 0x01, - 0x90, 0x3b, 0xd0, 0x78, 0xe4, 0x0b, 0xa7, 0x20 -}; -static const unsigned char hmac_sha512_additionalinput[] = -{ - 0x85, 0x90, 0x80, 0xd3, 0x98, 0xf1, 0x53, 0x6d, 0x68, 0x15, 0x8f, 0xe5, - 0x60, 0x3f, 0x17, 0x29, 0x55, 0x8d, 0x33, 0xb1, 0x45, 0x64, 0x64, 0x8d, - 0x50, 0x21, 0x89, 0xae, 0xf6, 0xfd, 0x32, 0x73 -}; -static const unsigned char hmac_sha512_int_returnedbits[] = -{ - 0x28, 0x56, 0x30, 0x6f, 0xf4, 0xa1, 0x48, 0xe0, 0xc9, 0xf5, 0x75, 0x90, - 0xcc, 0xfb, 0xdf, 0xdf, 0x71, 0x3d, 0x0a, 0x9a, 0x03, 0x65, 0x3b, 0x18, - 0x61, 0xe3, 0xd1, 0xda, 0xcc, 0x4a, 0xfe, 0x55, 0x38, 0xf8, 0x21, 0x6b, - 0xfa, 0x18, 0x01, 0x42, 0x39, 0x2f, 0x99, 0x53, 0x38, 0x15, 0x82, 0x34, - 0xc5, 0x93, 0x92, 0xbc, 0x4d, 0x75, 0x1a, 0x5f, 0x21, 0x27, 0xcc, 0xa1, - 0xb1, 0x57, 0x69, 0xe8 -}; -static const unsigned char hmac_sha512_entropyinputreseed[] = -{ - 0x8c, 0x52, 0x7e, 0x77, 0x72, 0x3f, 0xa3, 0x04, 0x97, 0x10, 0x9b, 0x41, - 0xbd, 0xe8, 0xff, 0x89, 0xed, 0x80, 0xe3, 0xbd, 0xaa, 0x12, 0x2d, 0xca, - 0x75, 0x82, 0x36, 0x77, 0x88, 0xcd, 0xa6, 0x73 -}; -static const unsigned char hmac_sha512_additionalinputreseed[] = -{ - 0x7e, 0x32, 0xe3, 0x69, 0x69, 0x07, 0x34, 0xa2, 0x16, 0xa2, 0x5d, 0x1a, - 0x10, 0x91, 0xd3, 0xe2, 0x21, 0xa2, 0xa3, 0xdd, 0xcd, 0x0c, 0x09, 0x86, - 0x11, 0xe1, 0x50, 0xff, 0x5c, 0xb7, 0xeb, 0x5c -}; -static const unsigned char hmac_sha512_additionalinput2[] = -{ - 0x7f, 0x78, 0x66, 0xd8, 0xfb, 0x67, 0xcf, 0x8d, 0x8c, 0x08, 0x30, 0xa5, - 0xf8, 0x7d, 0xcf, 0x44, 0x59, 0xce, 0xf8, 0xdf, 0x58, 0xd3, 0x60, 0xcb, - 0xa8, 0x60, 0xb9, 0x07, 0xc4, 0xb1, 0x95, 0x48 -}; -static const unsigned char hmac_sha512_returnedbits[] = -{ - 0xdf, 0xa7, 0x36, 0xd4, 0xdc, 0x5d, 0x4d, 0x31, 0xad, 0x69, 0x46, 0x9f, - 0xf1, 0x7c, 0xd7, 0x3b, 0x4f, 0x55, 0xf2, 0xd7, 0xb9, 0x9d, 0xad, 0x7a, - 0x79, 0x08, 0x59, 0xa5, 0xdc, 0x74, 0xf5, 0x9b, 0x73, 0xd2, 0x13, 0x25, - 0x0b, 0x81, 0x08, 0x08, 0x25, 0xfb, 0x39, 0xf2, 0xf0, 0xa3, 0xa4, 0x8d, - 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79, - 0xc2, 0xd6, 0xfd, 0xa5 -}; - From tmraz at fedoraproject.org Fri Jan 15 09:52:07 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Fri, 15 Jan 2021 09:52:07 +0000 Subject: [openssl] master update Message-ID: <1610704327.475156.29279.nullmailer@dev.openssl.org> The branch master has been updated via e604b7c9156c66c05dd1640707f196f9fd49a184 (commit) from 975aae76db8792c9137921adf0e4ecbbf375f46b (commit) - Log ----------------------------------------------------------------- commit e604b7c9156c66c05dd1640707f196f9fd49a184 Author: Rich Salz Date: Tue Jan 5 18:05:42 2021 -0500 Document openssl thread-safety Also discuss reference-counting, mutability and safety. Thanks to David Benjamin for pointing to comment text he added to boringSSL's header files. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13788) ----------------------------------------------------------------------- Summary of changes: doc/man3/CRYPTO_THREAD_run_once.pod | 2 +- doc/man7/openssl-threads.pod | 105 ++++++++++++++++++++++++++++++++++++ 2 files changed, 106 insertions(+), 1 deletion(-) create mode 100644 doc/man7/openssl-threads.pod diff --git a/doc/man3/CRYPTO_THREAD_run_once.pod b/doc/man3/CRYPTO_THREAD_run_once.pod index 3a46809efe..c15dc319fa 100644 --- a/doc/man3/CRYPTO_THREAD_run_once.pod +++ b/doc/man3/CRYPTO_THREAD_run_once.pod @@ -179,7 +179,7 @@ repeatedly load/unload shared libraries that allocate locks. =head1 SEE ALSO -L +L, L. =head1 COPYRIGHT diff --git a/doc/man7/openssl-threads.pod b/doc/man7/openssl-threads.pod new file mode 100644 index 0000000000..56cc638e1b --- /dev/null +++ b/doc/man7/openssl-threads.pod @@ -0,0 +1,105 @@ +=pod + +=head1 NAME + +openssl-threads - Overview of thread safety in OpenSSL + +=head1 DESCRIPTION + +In this man page, we use the term B to indicate that an +object or function can be used by multiple threads at the same time. + +OpenSSL can be built with or without threads support. The most important +use of this support is so that OpenSSL itself can use a single consistent +API, as shown in L. +Multi-platform applications can also use this API. + +In particular, being configured for threads support does not imply that +all OpenSSL objects are thread-safe. +To emphasize: I. +Exceptions to this should be documented on the specific manual pages, and +some general high-level guidance is given here. + +One major use of the OpenSSL thread API is to implement reference counting. +Many objects within OpenSSL are reference-counted, so resources are not +released, until the last reference is removed. +References are often increased automatically (such as when an B +certificate object is added into an B trust store). +There is often an B_up_ref>() function that can be used to increase +the reference count. +Failure to match B_up_ref>() calls with the right number of +B_free>() calls is a common source of memory leaks when a program +exits. + +Many objects have set and get API's to set attributes in the object. +A C passes ownership from the caller to the object and a +C returns a pointer but the attribute ownership +remains with the object and a reference to it is returned. +A C or C function does not change the ownership, but instead +updates the attribute's reference count so that the object is shared +between the caller and the object; the caller must free the returned +attribute when finished. +Functions that involve attributes that have reference counts themselves, +but are named with just C or C are historical; and the documentation +must state how the references are handled. +Get methods are often thread-safe as long as the ownership requirements are +met and shared objects are not modified. +Set methods, or modifying shared objects, are generally not thread-safe +as discussed below. + +Objects are thread-safe +as long as the API's being invoked don't modify the object; in this +case the parameter is usually marked in the API as C. +Not all parameters are marked this way. +Note that a C declaration does not mean immutable; for example +L takes pointers to C objects, but the implementation +uses a C cast to remove that so it can lock objects, generate and cache +a DER encoding, and so on. + +Another instance of thread-safety is when updates to an object's +internal state, such as cached values, are done with locks. +One example of this is the reference counting API's described above. + +In all cases, however, it is generally not safe for one thread to +mutate an object, such as setting elements of a private or public key, +while another thread is using that object, such as verifying a signature. + +The same API's can usually be used simultaneously on different objects +without interference. +For example, two threads can calculate a signature using two different +B objects. + +For implicit global state or singletons, thread-safety depends on the facility. +The L and related API's have their own lock, +while L assumes the underlying platform allocation +will do any necessary locking. +Some API's, such as L and related, or L +do no locking at all; this can be considered a bug. + +A separate, although related, issue is modifying "factory" objects +when other objects have been created from that. +For example, an B object created by L is used +to create per-connection B objects by calling L. +In this specific case, and probably for factory methods in general, it is +not safe to modify the factory object after it has been used to create +other objects. + +=head1 SEE ALSO + +CRYPTO_THREAD_run_once(3), +local system threads documentation. + +=head1 BUGS + +This page is admittedly very incomplete. + +=head1 COPYRIGHT + +Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut From levitte at openssl.org Fri Jan 15 10:20:16 2021 From: levitte at openssl.org (Richard Levitte) Date: Fri, 15 Jan 2021 10:20:16 +0000 Subject: [openssl] master update Message-ID: <1610706016.951546.21598.nullmailer@dev.openssl.org> The branch master has been updated via 39f3427dc1cd8cf72cf4b3c8c26256874a067bfd (commit) via 3f6e891d423ed911eb779bfd1401a26ec18cfa41 (commit) from e604b7c9156c66c05dd1640707f196f9fd49a184 (commit) - Log ----------------------------------------------------------------- commit 39f3427dc1cd8cf72cf4b3c8c26256874a067bfd Author: Richard Levitte Date: Thu Jan 14 00:00:41 2021 +0100 Fix incomplete deprecation guard in test/sslapitest.c OPENSSL_NO_DEPRECATED_3_0 should be used rather than OPENSSL_NO_DEPRECATED, as the latter doesn't take the configuration option '--api=' in account. Fixes #13865 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13866) commit 3f6e891d423ed911eb779bfd1401a26ec18cfa41 Author: Richard Levitte Date: Wed Jan 13 23:55:51 2021 +0100 Fix crypto/des/build.info !$disabled{mdc2} was used to determine if DES files should be included in providers/liblegacy.a. Use !$disabled{des} instead. Fixes #13865 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13866) ----------------------------------------------------------------------- Summary of changes: crypto/des/build.info | 2 +- test/sslapitest.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/des/build.info b/crypto/des/build.info index b73e740bec..ad8553a41a 100644 --- a/crypto/des/build.info +++ b/crypto/des/build.info @@ -31,7 +31,7 @@ DEFINE[../../providers/liblegacy.a]=$DESDEF # When all deprecated symbols are removed, libcrypto doesn't export the # DES functions, so we must include them directly in liblegacy.a -IF[{- $disabled{'deprecated-3.0'} && !$disabled{"mdc2"} -}] +IF[{- $disabled{'deprecated-3.0'} && !$disabled{des} -}] SOURCE[../../providers/liblegacy.a]=$ALL DEFINE[../../providers/liblegacy.a]=$DESDEF ENDIF diff --git a/test/sslapitest.c b/test/sslapitest.c index 984c6a8764..c6520482f6 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -8157,7 +8157,7 @@ static EVP_PKEY *get_tmp_dh_params(void) return tmp_dh_params; } -# ifndef OPENSSL_NO_DEPRECATED +# ifndef OPENSSL_NO_DEPRECATED_3_0 /* Callback used by test_set_tmp_dh() */ static DH *tmp_dh_callback(SSL *s, int is_export, int keylen) { From no-reply at appveyor.com Fri Jan 15 12:51:53 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 15 Jan 2021 12:51:53 +0000 Subject: Build failed: openssl master.39201 Message-ID: <20210115125153.1.D2AABD38F37CD83A@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Fri Jan 15 15:57:54 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 15 Jan 2021 15:57:54 +0000 Subject: Build failed: openssl master.39202 Message-ID: <20210115155754.1.414D40D30B3324FD@appveyor.com> An HTML attachment was scrubbed... URL: From tmraz at fedoraproject.org Fri Jan 15 16:25:25 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Fri, 15 Jan 2021 16:25:25 +0000 Subject: [openssl] master update Message-ID: <1610727925.926573.1321.nullmailer@dev.openssl.org> The branch master has been updated via 2c04b34140be8833dae0e4debcb6ebf5fd0f287c (commit) from 39f3427dc1cd8cf72cf4b3c8c26256874a067bfd (commit) - Log ----------------------------------------------------------------- commit 2c04b34140be8833dae0e4debcb6ebf5fd0f287c Author: Jon Spillett Date: Wed Jan 13 14:10:51 2021 +1000 Allow EVP_PKEY private key objects to be created without a public component Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13855) ----------------------------------------------------------------------- Summary of changes: crypto/dh/dh_backend.c | 9 --- crypto/dsa/dsa_backend.c | 7 -- crypto/dsa/dsa_lib.c | 7 -- crypto/ec/ec_backend.c | 4 -- test/evp_extra_test.c | 162 +++++++++++++++++++++++++++++++++++++++++++++-- 5 files changed, 158 insertions(+), 31 deletions(-) diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c index 660bb4845a..6e545763dc 100644 --- a/crypto/dh/dh_backend.c +++ b/crypto/dh/dh_backend.c @@ -69,15 +69,6 @@ int dh_key_fromdata(DH *dh, const OSSL_PARAM params[]) param_priv_key = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY); param_pub_key = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY); - /* - * DH documentation says that a public key must be present if a - * private key is present. - * We want to have at least a public key either way, so we end up - * requiring it unconditionally. - */ - if (param_priv_key != NULL && param_pub_key == NULL) - return 0; - if ((param_priv_key != NULL && !OSSL_PARAM_get_BN(param_priv_key, &priv_key)) || (param_pub_key != NULL diff --git a/crypto/dsa/dsa_backend.c b/crypto/dsa/dsa_backend.c index 4809b3100b..6a053611e1 100644 --- a/crypto/dsa/dsa_backend.c +++ b/crypto/dsa/dsa_backend.c @@ -39,13 +39,6 @@ int dsa_key_fromdata(DSA *dsa, const OSSL_PARAM params[]) if (param_priv_key == NULL && param_pub_key == NULL) return 1; - /* - * DSA documentation says that a public key must be present if a - * private key is present. - */ - if (param_priv_key != NULL && param_pub_key == NULL) - return 0; - if (param_pub_key != NULL && !OSSL_PARAM_get_BN(param_pub_key, &pub_key)) goto err; if (param_priv_key != NULL && !OSSL_PARAM_get_BN(param_priv_key, &priv_key)) diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c index df9dd73dfd..7488fa2451 100644 --- a/crypto/dsa/dsa_lib.c +++ b/crypto/dsa/dsa_lib.c @@ -310,13 +310,6 @@ void DSA_get0_key(const DSA *d, int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key) { - /* If the field pub_key in d is NULL, the corresponding input - * parameters MUST be non-NULL. The priv_key field may - * be left NULL. - */ - if (d->pub_key == NULL && pub_key == NULL) - return 0; - if (pub_key != NULL) { BN_free(d->pub_key); d->pub_key = pub_key; diff --git a/crypto/ec/ec_backend.c b/crypto/ec/ec_backend.c index dccf6a15b9..f950657173 100644 --- a/crypto/ec/ec_backend.c +++ b/crypto/ec/ec_backend.c @@ -245,10 +245,6 @@ int ec_key_fromdata(EC_KEY *ec, const OSSL_PARAM params[], int include_private) if (ctx == NULL) goto err; - /* OpenSSL decree: If there's a private key, there must be a public key */ - if (param_priv_key != NULL && param_pub_key == NULL) - goto err; - if (param_pub_key != NULL) if (!OSSL_PARAM_get_octet_string(param_pub_key, (void **)&pub_key, 0, &pub_key_len) diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 67e5a48c3e..832989ae00 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -485,6 +485,135 @@ err: return res; } +#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DSA) +/* + * Test combinations of private, public, missing and private + public key + * params to ensure they are all accepted + */ +static int test_EVP_PKEY_ffc_priv_pub(char *keytype) +{ + OSSL_PARAM_BLD *bld = NULL; + OSSL_PARAM *params = NULL; + BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub = NULL, *priv = NULL; + EVP_PKEY_CTX *pctx = NULL; + EVP_PKEY *pkey = NULL; + int ret = 0; + + /* + * Setup the parameters for our pkey object. For our purposes they don't + * have to actually be *valid* parameters. We just need to set something. + */ + if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, keytype, NULL)) + || !TEST_ptr(p = BN_new()) + || !TEST_ptr(q = BN_new()) + || !TEST_ptr(g = BN_new()) + || !TEST_ptr(pub = BN_new()) + || !TEST_ptr(priv = BN_new())) + goto err; + + /* Test !priv and !pub */ + if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g))) + goto err; + if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) + goto err; + + if (!TEST_int_gt(EVP_PKEY_key_fromdata_init(pctx), 0) + || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, params), 0)) + goto err; + + if (!TEST_ptr(pkey)) + goto err; + + EVP_PKEY_free(pkey); + pkey = NULL; + OSSL_PARAM_BLD_free_params(params); + OSSL_PARAM_BLD_free(bld); + + /* Test priv and !pub */ + if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, + priv))) + goto err; + if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) + goto err; + + if (!TEST_int_gt(EVP_PKEY_key_fromdata_init(pctx), 0) + || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, params), 0)) + goto err; + + if (!TEST_ptr(pkey)) + goto err; + + EVP_PKEY_free(pkey); + pkey = NULL; + OSSL_PARAM_BLD_free_params(params); + OSSL_PARAM_BLD_free(bld); + + /* Test !priv and pub */ + if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, + pub))) + goto err; + if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) + goto err; + + if (!TEST_int_gt(EVP_PKEY_key_fromdata_init(pctx), 0) + || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, params), 0)) + goto err; + + if (!TEST_ptr(pkey)) + goto err; + + EVP_PKEY_free(pkey); + pkey = NULL; + OSSL_PARAM_BLD_free_params(params); + OSSL_PARAM_BLD_free(bld); + + /* Test priv and pub */ + if (!TEST_ptr(bld = OSSL_PARAM_BLD_new()) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, + pub)) + || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, + priv))) + goto err; + if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) + goto err; + + if (!TEST_int_gt(EVP_PKEY_key_fromdata_init(pctx), 0) + || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, params), 0)) + goto err; + + if (!TEST_ptr(pkey)) + goto err; + + ret = 1; + err: + EVP_PKEY_free(pkey); + EVP_PKEY_CTX_free(pctx); + OSSL_PARAM_BLD_free_params(params); + OSSL_PARAM_BLD_free(bld); + BN_free(p); + BN_free(q); + BN_free(g); + BN_free(pub); + BN_free(priv); + + return ret; +} +#endif /* !OPENSSL_NO_DH && !OPENSSL_NO_DSA */ + static int test_EVP_Enveloped(void) { int ret = 0; @@ -1718,7 +1847,17 @@ static int test_DSA_get_set_params(void) return ret; } -#endif + +/* + * Test combinations of private, public, missing and private + public key + * params to ensure they are all accepted + */ +static int test_DSA_priv_pub(void) +{ + return test_EVP_PKEY_ffc_priv_pub("DSA"); +} + +#endif /* !OPENSSL_NO_DSA */ static int test_RSA_get_set_params(void) { @@ -1833,7 +1972,17 @@ static int test_decrypt_null_chunks(void) } #endif /* !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) */ -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#ifndef OPENSSL_NO_DH +/* + * Test combinations of private, public, missing and private + public key + * params to ensure they are all accepted + */ +static int test_DH_priv_pub(void) +{ + return test_EVP_PKEY_ffc_priv_pub("DH"); +} + +# ifndef OPENSSL_NO_DEPRECATED_3_0 static int test_EVP_PKEY_set1_DH(void) { DH *x942dh = NULL, *noqdh = NULL; @@ -1878,7 +2027,8 @@ static int test_EVP_PKEY_set1_DH(void) return ret; } -#endif +# endif /* !OPENSSL_NO_DEPRECATED_3_0 */ +#endif /* !OPENSSL_NO_DH */ /* * We test what happens with an empty template. For the sake of this test, @@ -2181,13 +2331,17 @@ int setup_tests(void) #endif #ifndef OPENSSL_NO_DSA ADD_TEST(test_DSA_get_set_params); + ADD_TEST(test_DSA_priv_pub); #endif ADD_TEST(test_RSA_get_set_params); #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) ADD_TEST(test_decrypt_null_chunks); #endif -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0) +#ifndef OPENSSL_NO_DH + ADD_TEST(test_DH_priv_pub); +# ifndef OPENSSL_NO_DEPRECATED_3_0 ADD_TEST(test_EVP_PKEY_set1_DH); +# endif #endif ADD_ALL_TESTS(test_keygen_with_empty_template, 2); ADD_ALL_TESTS(test_pkey_ctx_fail_without_provider, 2); From openssl at openssl.org Fri Jan 15 17:13:26 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 15 Jan 2021 17:13:26 +0000 Subject: SUCCESSFUL build of OpenSSL branch master with options -d --strict-warnings enable-weak-ssl-ciphers Message-ID: <1610730806.687357.593176.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings enable-weak-ssl-ciphers Commit log since last time: 8bc5b0a570 chacha20: Properly reinitialize the cipher context with NULL key 2ed63033e4 x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST 04a1b3fa7b apps/req.c: Make sure -verify option takes effect also with -x509 0ae8d4ca9e apps/req.c: Cosmetic improvements of code and documentation 73b1d24c1a crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c b65c5ec8f5 apps/req.c: Add -copy_extensions option for use with -x509; default: none 41e597a01d Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert ea9fd333d1 apps/req.c: make -subj work with -x509; clean up related code 7836f949c2 X509_PUBKEY_set(): Fix error reporting 855c68163b apps/lib/opt.c: Fix error message on unknown option/digest f0a057dd53 Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c 6ad957f127 apps/req.c: add -CA and -CAkey options; improve code and doc 1579594383 APPS: Allow OPENSSL_CONF to be empty, not loading a config file ec2bfb7d23 apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default f2a0458731 X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert 3339606a38 d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX() 48116c2d0f Fix incorrect use of BN_CTX API 1dccccf333 Fix enable-weak-ssl-ciphers 4dd009180a x509_vfy.c: Fix a regression in find_issuer() 0cbb3602f5 Make PEM_X509_INFO_read_bio_ex() conservative on the error queue 0b7368dda0 TEST: move cert, key, and CSR loading aux functions to new testutil/load.c bf973d0697 Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 5a2d0ef36f Clean away extraneous library specific FETCH_FAILED reason codes d6d42cda5f Use centralized fetching errors 0d11846e4b Remove duplicate GENERATE declarations for .pod files 2497e2e7db Configure: warn about duplicate GENERATE declarations in build.info files 5e16ac142e Configure: clean away perl syntax faults 507f83800f Configure: Check all SOURCE declarations, to ensure consistency b209835364 v3_ocsp.c: fix indentation of include directives 3ddf44ea5a Close /dev/crypto file descriptor after CRIOGET ioctl(). 678cae0295 APPS: Print help also on -h and --h; print high-level help when no cmd given 3372039252 APPS: Fix confusion between program and app/command name used in diagnostic/help output 046a7aaa5e apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations 1f7643e86e apps/pkey.c: Re-order help output and option documentation 475d10028e apps/pkey.c: Make clear that -passout is not supported for DER output 400e2acfe0 apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL From no-reply at appveyor.com Fri Jan 15 17:24:54 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 15 Jan 2021 17:24:54 +0000 Subject: Build completed: openssl master.39203 Message-ID: <20210115172454.1.0942327EBD8CA274@appveyor.com> An HTML attachment was scrubbed... URL: From kurt at openssl.org Fri Jan 15 17:50:15 2021 From: kurt at openssl.org (Kurt Roeckx) Date: Fri, 15 Jan 2021 17:50:15 +0000 Subject: [web] master update Message-ID: <1610733015.266005.3944.nullmailer@dev.openssl.org> The branch master has been updated via 8bbe05eafe1a554259e527f9ba3dd18e4b2e3a9a (commit) from 89d554f676bdacf8497b41c8f2eae3b395bb2ff9 (commit) - Log ----------------------------------------------------------------- commit 8bbe05eafe1a554259e527f9ba3dd18e4b2e3a9a Author: Kurt Roeckx Date: Fri Jan 15 18:49:59 2021 +0100 Update expiration date ----------------------------------------------------------------------- Summary of changes: news/openssl-security.asc | 80 +++++++++++++++++++++++------------------------ 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/news/openssl-security.asc b/news/openssl-security.asc index 2b32a4b..8e6c0cc 100644 --- a/news/openssl-security.asc +++ b/news/openssl-security.asc @@ -11,33 +11,33 @@ Ce9tWq6oK+o1MEc1Ejb1/kn9CeCloKlF8HkzhFLpqqkZ//3j73/6kuK45UVg5PbO 5HCnafDroN5wF9jMVxFhmDOOdXyIeYkBVF6swwIlyq8VlYSjYWGAUtIb3rOiUNWc zYY6spdAN6VtKTMnXTm608yH118p+UOB5rJuKBqk3tMaiIjoyOcya4ImenX85rfK eCOVNtdOC/0N8McfO0eFc6fZxcy7ykZ1a7FLyqQDexpZM7OLoM5SXObX1QARAQAB -tDRPcGVuU1NMIHNlY3VyaXR5IHRlYW0gPG9wZW5zc2wtc2VjdXJpdHlAb3BlbnNz -bC5vcmc+iQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78Ck -Z9YTy4PH7W0w2JTizos9efUFAl3n9TkFCQvHY5oACgkQ2JTizos9efVbRQ//aItr -wyVa5j+OtrMaIJI9x835ES4bBaEIY1YVwGzoKzj+MOxdai0spUR6KZ9TYnEC5R4b -yFac7H9g+R4V5rv3+HogMBTYaCTmbFmZ4Y8viD7YaDsHHMcbHQymyV55l7ZfzyNt -pw3D3acvS3nOij9JQqRTOHuIOtS5FtJh1/+pig5sEk1TigOemJ7cnC7uWmfkzDzx -ywz29EBFZXeFV7Dg+hjkUuVtMqcbhouvjJlwvx7cgcAPwFRZcu7UoirVoq0+sSJj -kxxohVekpc+daZK9ge6qpHi7LObgM64fVPjR4FizuTmHU+f7ptUaI7BEGxmPtmBa -skj1Wi4lkSgQ4SfS7PpnlPphM2Tms7mG4gPO4f0cZ/qZriCoaU5DZ8kPx0xgY7Yf -Uol3NyRxAXJZi7voSWsj/YM1rsyd8Q7bYFW0Rx/hcjbT2AwZcqruqAuYEM6+M3Sb -JzOm28w+lnS7urnog8MBSSX9wsFzwHEXKBiqY2Qp+jU/fmSebqiDrRaAXJPvidCM -gsPNrK6HrQOjemZTG7dReIxqIjWuguhcN4aoellXwJYuR0NOo0uRK79IGbjFU8Vy -UBuv5AMCWgpblLaDyVHkhnQbNjnpvJnVoCqvTU4R0ttmjKQV4aWwgdryuc/a564J -PKcfr4pmeb+4Lfh1SxpNP3O2pzI1OY1zSj5nFRm0JU9wZW5TU0wgT01DIDxvcGVu -c3NsLW9tY0BvcGVuc3NsLm9yZz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgID -AQACHgECF4AWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCXef1QQUJC8djmgAKCRDY -lOLOiz159UcFD/9XdBn0wKmEwBO2KyM/zfHLpTysV3A1QM98C3Oy2/jPI/wcWmIN -1PoXbDEUGTBCKAEYhcnQKb5E7FsD+68i/07S5eBP65R24G182f6Qofy8Hy/Kbed/ -GmQEoprDaYqpUp6qFoPxBExW8bwEzkSRWTz4d/ptjDREOF3d4oJS3CE/HOr3l9Jy -0Jgvg1iAw2uiRSNb5/miUZM7wa/wGYmJmtbGomr3/suyyLeRh4UwoOAZulB6crql -ITxoyv9M7IF+YAYIdRQB1/zbE6d+i+5AKeyGmBxhXyYlIIFHjmFpMmz+HbHZ31tr -FodE/1EK9kxGcOOv9jSxiplLdgl0d4XqAb2wsNYygNb2n6uj/7Vz+iZwWnCDfNEo -UPazufcFh4KMPV6ZzqguXWpV6aV40rEjqWWwXfwXiSL7Yc1TYdnj+koCy2sXoiLd -d2VlCX/wWhl38KsAN69OgYlDNVne5ctQ2zpdYyYrQZlL9yk164evBroZGOrJSTl4 -5ZNSmsbX/alNQRTCVuPmICY6KOEE0CylvhcZtXbDvT9OTm0wNg99jj0Hpd3r8I6d -zGlsBfnipSWVnXtg4ozzvsIKdHy/1kfbiojwBwhD3QyIheQuA1MfmbItw60olEHH -iGqEzcztmQBTSXtyZ2ZhhPN9ZYGAxFmDmju3alqOqRIwu3C86WN3XCl/urQnT3Bl +tCVPcGVuU1NMIE9NQyA8b3BlbnNzbC1vbWNAb3BlbnNzbC5vcmc+iQJUBBMBCgA+ +AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78CkZ9YTy4PH7W0w2JTizos9 +efUFAmAB1NUFCQ2zHrYACgkQ2JTizos9efUHgxAAjTBfDLtetgRSnmNMTtgLOIGj +hFpE+eAKoc8xGT0FFmSPFPi2FQ51SjhJlk9PnoRGJC41vECdWY2dpXOVTCQL4ZPv +koVOUmf2979HjVGK1Z5dMnAFZP3bKxFR4KfuhH1rgIkcAoDghyl6w3ONlbBvH9Cx +Mrw36nOYFdRHjJZPVB6/BSZZL2AQE8n/Bwtp9Ea7mqi71ExLSBkPkwlMJ35tbq0e +hAL40r1I2GobcqyntB+K4Kqm891AEHLxRAymvucoxv3Y1yJXpET6GuSKQ9yKsDKK +fTwfbsDuKsLq4dCTcXmluBEKgA0Ni1XzygEh79o957J988WacJDsthhJ5YDjdyK8 +fu6Ie5C2b/hzZZ5oECuEYBsti3hP/WSVsvGDhkI8tvFr071MIk6mHzi0Wxlxyk6F +uO8WeqPkf9cPrWCzTdjAvCmiQe5X4lipOWkysQm/NEc6DKfiYmjfoVuebZmg6Br8 +oypIDJIzy3AK+2sNt5CjvODZ/w7uAHQrFBDAoTLmQL9e5e/fQmgoTFMjn8yzOuiU +BBiw6uGMmhb35OBegzk5ov/1EOQxnMVWLTdLe3xUG6RSGEW8Vy4jgaGWquXhLxeV +bWBTE5DacbCOqGyDoFG/Ehe2eFOOspkL3jPoQN5XqEsqcdiLWRMhH5m/ZISeqI3j +495QYZlxN8HDsjLWK7G0NE9wZW5TU0wgc2VjdXJpdHkgdGVhbSA8b3BlbnNzbC1z +ZWN1cml0eUBvcGVuc3NsLm9yZz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgID +AQACHgECF4AWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCYAHU4wUJDbMetgAKCRDY +lOLOiz159U7NEACQFr0PgsoNl+/dCdzWN7JrkddTSfY0bEhak8fOwTIb/7ybxzS/ +8qXaso2K5/D+w2RDLyl+faFxuvYIdySOAomxZTeorXpxnba8p13cwEEXgH6wIShi +o22bz9EH/qrsWqwXa22CkYzhWJQTED703+i5Rm+eO9oeOq6inx3ceCAKNfEDhfKC +dSAP08Mo41mMPf6+2CM/dPiN1LaouZVg/stQ/FPnuEZOetOtXZH/nEgPHAaVDhaF +FQQ6JlxvXzC+BCrJ0eJgJuhuU8K/y5SahEKqRbcHxBB7MBIH1ZqBhmMJ1eWxYX2S +PFJaTNgjVJ82vpLstHdSE6boamtEEtkeYEzNnaOOiebNwyIHlrsCaPKNXAuISKe/ +pD91maFDcXPF/4IP+juegnNjdFi1g8mmIwEvJnb1ZqoY0+ay+zH2q1ZshRixsCG5 +5afQCM+nwXhuAVhUqxOC7FG0f+/geTBJnXWw4C1QiiJjXYQhKH9g+R6vj/ODskOY +dFqe7uZQZzcd1DNmvNYfQVWMyW6hYDNgbFqqshsPaZaQicaa4rAWfyenWBSlR/yH +xqbfZJW+31MvFk5auz8Rv96W4/nOppUmUqEZ0xhAgPhmBUKgvVnyfg6RR9Il/rUU +kZUvwN45CtSdKQZWhrEHIEWzp3PdooTHDKeuTczCrdRvsSsFx1pMG1NcIbQnT3Bl blNTTCB0ZWFtIDxvcGVuc3NsLXRlYW1Ab3BlbnNzbC5vcmc+iQJZBDABCgBDFiEE 78CkZ9YTy4PH7W0w2JTizos9efUFAlnZ9jUlHSBSZXBsYWNlZCBieSBvcGVuc3Ns LW9tY0BvcGVuc3NsLm9yZwAKCRDYlOLOiz159VAiD/wLVz8KE84z+iPBcDXJR4hr @@ -63,17 +63,17 @@ ncd+VYvth6cM9jDWsTJAXEaqNoFjVfw227NnQ/hxqGCwEVzweBi7a7dix3nCa9JO w5eV3xCyezUohQ6nOBbDnoAnp3FLeUrhBJQXCPNtlb0fSMnj14EwBoD6EKO/xz/g EW5mr0a+xp+fjbkvHVX/c8UmU+7nlX7upaN46RLM1y0yWYKo9BV61tn+kcsAk7kh Q7dKhOzmSXpsBHMAEQEAAYkCPAQYAQoAJgIbDBYhBO/ApGfWE8uDx+1tMNiU4s6L -PXn1BQJd5/VdBQkLx2O+AAoJENiU4s6LPXn1YRkP/2xVlNtTQpCYamiP7N2+aetg -1pXftTqUQsulSagT0vtLjT2O+pOP7B0Wj1/q4m/ny/NQa/8KRXurry8VbC+6FPz4 -3jcFjdGif1E7reEL27YgW2zwae3dt+AwgKzLhOiXqkpZeiU5n6+43e1loRiPbNM3 -2Juj0XdV7IjUinMoEDlX6xp2w2ZmSoii2+r/Ts2m9h/UbILyoTCFZG4hI6mGej7u -QFwcnZNJTXnTPBEczIpYFWyLA+vPU/8YVolUVlzWOv15InAerQX/eQ0LTkax0Fh+ -LzoE2itiALthAf2JAnmyGmc41ISrexwTcJUr03LIpOUn90a0qktIwt+7kH463CuQ -K68FEPaAxtE2MAoO9e/wxWa7WWtY3LEMFhM5l5WgQjydBHtthc9a+QeHeiRmzGZr -wPetm5iJXYdagA5qZS87vChr/6kP0UD0JLAOr4TGa3Kn6jOG8J+jyTbYfrpZf8O2 -eqfagD3YX4tOAM+1uX7IvsU2bDQUZ/ucyUzdSNmRkErLQPheJ7dpg4EMlP3hAcsB -uDX9fcCnp4WOR3bwayOMAACa9FKuTS03+Hh/Ds75R6MW3u7a0xk4h0MsuJR+OIot -NrmGFutOuR+GxNF/km/Xod7P7M27yvUQ/j9lcsg0EYPBOdG1x2IP739fAH83luTm -3WE76/JWH40w3RvCFWmT -=u/5v +PXn1BQJgAdUEBQkNsx7lAAoJENiU4s6LPXn1p/wP/1jwlO91ZNKVH7oDKR7j9BEp +h4ZN2l5P9GUA4Hwc5loI4tjBQwHYJME67y6YoQBwMjGB3Fiy4O1XByHZdvxI9rgy +MRknsr1IZtlkEQF2sh1Fg5LZ5Cp76Xe+JCTOu9d3QxjKsoVyWqYJhmnUKteST/WA +8vtsQWDQB7outugDWyV/LVfoX0DIB/ZRiQwcFLN/NhqqA0woz9bgC4+YeVFbaWiN +RsVUQe2YD0whRrzTnH0MUuCH3inKtQQ0MXmh0YhusFKztHA6r+lOn/wk/x/y6cMk +VECm7nxN9Iko090oPQnBt5e/5X0DG5LzR6stTiou9FyJ6iiF7K8RjVNkdpN2wEem +cxXZ75gyX0rwvdaBKcYcWGGHkY4h5DmA7YWHcBHipatxJdQR9SvxgaBtZS2oQsSW +o6u/SnShPfGfG9PkxXc0I/55OYdaFZpOZp+7PMBPZFqIoDB8XIqmkzLSVOzpUnSe +xghSU4AgeyCwCZe+Corkb8KIPZGh6ZPMZzKPE9Ver3sKc4JUEC42mk6pVbNvMEXd +N2ZNjE3KNTBwDIO6YbCI2l8d5R+OLGq4xdZdBrrtUc7ZkQehZoN+EqZYM/rAYHiY +yPNyhy39Omi3GzookeE4j9/rhaitUtrV5Ey4Q8Yw4icBpdHq9IciXDROTEalihvq +bs5KWxo7SoklxXno1Fb+ +=EV2L -----END PGP PUBLIC KEY BLOCK----- From openssl at openssl.org Fri Jan 15 21:48:19 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 15 Jan 2021 21:48:19 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2 Message-ID: <1610747299.923185.1148672.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: 8bc5b0a570 chacha20: Properly reinitialize the cipher context with NULL key 2ed63033e4 x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST 04a1b3fa7b apps/req.c: Make sure -verify option takes effect also with -x509 0ae8d4ca9e apps/req.c: Cosmetic improvements of code and documentation 73b1d24c1a crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c b65c5ec8f5 apps/req.c: Add -copy_extensions option for use with -x509; default: none 41e597a01d Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert ea9fd333d1 apps/req.c: make -subj work with -x509; clean up related code 7836f949c2 X509_PUBKEY_set(): Fix error reporting 855c68163b apps/lib/opt.c: Fix error message on unknown option/digest f0a057dd53 Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c 6ad957f127 apps/req.c: add -CA and -CAkey options; improve code and doc 1579594383 APPS: Allow OPENSSL_CONF to be empty, not loading a config file ec2bfb7d23 apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default f2a0458731 X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert 3339606a38 d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX() 48116c2d0f Fix incorrect use of BN_CTX API 1dccccf333 Fix enable-weak-ssl-ciphers 4dd009180a x509_vfy.c: Fix a regression in find_issuer() 0cbb3602f5 Make PEM_X509_INFO_read_bio_ex() conservative on the error queue 0b7368dda0 TEST: move cert, key, and CSR loading aux functions to new testutil/load.c bf973d0697 Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 5a2d0ef36f Clean away extraneous library specific FETCH_FAILED reason codes d6d42cda5f Use centralized fetching errors 0d11846e4b Remove duplicate GENERATE declarations for .pod files 2497e2e7db Configure: warn about duplicate GENERATE declarations in build.info files 5e16ac142e Configure: clean away perl syntax faults 507f83800f Configure: Check all SOURCE declarations, to ensure consistency b209835364 v3_ocsp.c: fix indentation of include directives 3ddf44ea5a Close /dev/crypto file descriptor after CRIOGET ioctl(). 678cae0295 APPS: Print help also on -h and --h; print high-level help when no cmd given 3372039252 APPS: Fix confusion between program and app/command name used in diagnostic/help output 046a7aaa5e apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations 1f7643e86e apps/pkey.c: Re-order help output and option documentation 475d10028e apps/pkey.c: Make clear that -passout is not supported for DER output 400e2acfe0 apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 8011A82D337F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8011A82D337F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/fxSmPBPIEM default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80B10764687F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80B10764687F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80B10764687F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80B10764687F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80B10764687F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80B10764687F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/fxSmPBPIEM fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=228, Tests=3592, 927 wallclock secs (14.36 usr 1.29 sys + 834.34 cusr 89.14 csys = 939.13 CPU) Result: FAIL make[1]: *** [Makefile:3261: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2' make: *** [Makefile:3258: tests] Error 2 From openssl at openssl.org Sat Jan 16 00:13:19 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Sat, 16 Jan 2021 00:13:19 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method Message-ID: <1610755999.367950.1454579.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: 8bc5b0a570 chacha20: Properly reinitialize the cipher context with NULL key 2ed63033e4 x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST 04a1b3fa7b apps/req.c: Make sure -verify option takes effect also with -x509 0ae8d4ca9e apps/req.c: Cosmetic improvements of code and documentation 73b1d24c1a crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c b65c5ec8f5 apps/req.c: Add -copy_extensions option for use with -x509; default: none 41e597a01d Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert ea9fd333d1 apps/req.c: make -subj work with -x509; clean up related code 7836f949c2 X509_PUBKEY_set(): Fix error reporting 855c68163b apps/lib/opt.c: Fix error message on unknown option/digest f0a057dd53 Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c 6ad957f127 apps/req.c: add -CA and -CAkey options; improve code and doc 1579594383 APPS: Allow OPENSSL_CONF to be empty, not loading a config file ec2bfb7d23 apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default f2a0458731 X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert 3339606a38 d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX() 48116c2d0f Fix incorrect use of BN_CTX API 1dccccf333 Fix enable-weak-ssl-ciphers 4dd009180a x509_vfy.c: Fix a regression in find_issuer() 0cbb3602f5 Make PEM_X509_INFO_read_bio_ex() conservative on the error queue 0b7368dda0 TEST: move cert, key, and CSR loading aux functions to new testutil/load.c bf973d0697 Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 5a2d0ef36f Clean away extraneous library specific FETCH_FAILED reason codes d6d42cda5f Use centralized fetching errors 0d11846e4b Remove duplicate GENERATE declarations for .pod files 2497e2e7db Configure: warn about duplicate GENERATE declarations in build.info files 5e16ac142e Configure: clean away perl syntax faults 507f83800f Configure: Check all SOURCE declarations, to ensure consistency b209835364 v3_ocsp.c: fix indentation of include directives 3ddf44ea5a Close /dev/crypto file descriptor after CRIOGET ioctl(). 678cae0295 APPS: Print help also on -h and --h; print high-level help when no cmd given 3372039252 APPS: Fix confusion between program and app/command name used in diagnostic/help output 046a7aaa5e apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations 1f7643e86e apps/pkey.c: Re-order help output and option documentation 475d10028e apps/pkey.c: Make clear that -passout is not supported for DER output 400e2acfe0 apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 8001915EEE7F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8001915EEE7F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/u7U_5Yisn9 default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80E1EA531A7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80E1EA531A7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80E1EA531A7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80E1EA531A7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80E1EA531A7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80E1EA531A7F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/u7U_5Yisn9 fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=228, Tests=3592, 901 wallclock secs (14.48 usr 1.45 sys + 806.51 cusr 90.30 csys = 912.74 CPU) Result: FAIL make[1]: *** [Makefile:3250: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2-method' make: *** [Makefile:3247: tests] Error 2 From dev at ddvo.net Sat Jan 16 10:30:14 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Sat, 16 Jan 2021 10:30:14 +0000 Subject: [openssl] master update Message-ID: <1610793014.964115.28297.nullmailer@dev.openssl.org> The branch master has been updated via ed4a9b15d9cd1eea7493873d01949f075cea2b65 (commit) via dc88a0390608ccba76df6a26358215d1c0592948 (commit) via ab8af35aa2abf570d2042498751e9ac1261f26f0 (commit) from 2c04b34140be8833dae0e4debcb6ebf5fd0f287c (commit) - Log ----------------------------------------------------------------- commit ed4a9b15d9cd1eea7493873d01949f075cea2b65 Author: Dr. David von Oheimb Date: Mon Dec 21 08:16:30 2020 +0100 replace all BIO_R_NULL_PARAMETER by ERR_R_PASSED_NULL_PARAMETER Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13713) commit dc88a0390608ccba76df6a26358215d1c0592948 Author: Dr. David von Oheimb Date: Sat Dec 12 14:07:41 2020 +0100 bio_lib.c: Fix error queue entries and return codes on NULL args etc. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13713) commit ab8af35aa2abf570d2042498751e9ac1261f26f0 Author: Dr. David von Oheimb Date: Fri Dec 11 19:30:40 2020 +0100 X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13713) ----------------------------------------------------------------------- Summary of changes: crypto/bio/bio_err.c | 1 - crypto/bio/bio_lib.c | 107 +++++++++++++++++++++++++---------------------- crypto/bio/bss_mem.c | 4 +- crypto/err/openssl.txt | 1 - crypto/x509/v3_conf.c | 38 ++++++++--------- include/openssl/bioerr.h | 2 +- 6 files changed, 78 insertions(+), 75 deletions(-) diff --git a/crypto/bio/bio_err.c b/crypto/bio/bio_err.c index 08bf8dc98a..0ea23b62cf 100644 --- a/crypto/bio/bio_err.c +++ b/crypto/bio/bio_err.c @@ -46,7 +46,6 @@ static const ERR_STRING_DATA BIO_str_reasons[] = { "no hostname or service specified"}, {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_NO_PORT_DEFINED), "no port defined"}, {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_NO_SUCH_FILE), "no such file"}, - {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_NULL_PARAMETER), "null parameter"}, {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_TRANSFER_ERROR), "transfer error"}, {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_TRANSFER_TIMEOUT), "transfer timeout"}, {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_UNABLE_TO_BIND_SOCKET), diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c index 940ab085d7..17537de6d9 100644 --- a/crypto/bio/bio_lib.c +++ b/crypto/bio/bio_lib.c @@ -13,13 +13,12 @@ #include "bio_local.h" #include "internal/cryptlib.h" - /* * Helper macro for the callback to determine whether an operator expects a * len parameter or not */ -#define HAS_LEN_OPER(o) ((o) == BIO_CB_READ || (o) == BIO_CB_WRITE || \ - (o) == BIO_CB_GETS) +#define HAS_LEN_OPER(o) ((o) == BIO_CB_READ || (o) == BIO_CB_WRITE \ + || (o) == BIO_CB_GETS) /* * Helper function to work out whether to call the new style callback or the old @@ -29,7 +28,8 @@ * for the "long" used for "inret" */ static long bio_call_callback(BIO *b, int oper, const char *argp, size_t len, - int argi, long argl, long inret, size_t *processed) + int argi, long argl, long inret, + size_t *processed) { long ret; int bareoper; @@ -184,7 +184,7 @@ int BIO_up_ref(BIO *a) REF_PRINT_COUNT("BIO", a); REF_ASSERT_ISNT(i < 2); - return ((i > 1) ? 1 : 0); + return i > 1; } void BIO_clear_flags(BIO *b, int flags) @@ -252,7 +252,11 @@ static int bio_read_intern(BIO *b, void *data, size_t dlen, size_t *readbytes) { int ret; - if ((b == NULL) || (b->method == NULL) || (b->method->bread == NULL)) { + if (b == NULL) { + ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); + return -1; + } + if (b->method == NULL || b->method->bread == NULL) { ERR_raise(ERR_LIB_BIO, BIO_R_UNSUPPORTED_METHOD); return -2; } @@ -264,7 +268,7 @@ static int bio_read_intern(BIO *b, void *data, size_t dlen, size_t *readbytes) if (!b->init) { ERR_raise(ERR_LIB_BIO, BIO_R_UNINITIALIZED); - return -2; + return -1; } ret = b->method->bread(b, data, dlen, readbytes); @@ -305,16 +309,7 @@ int BIO_read(BIO *b, void *data, int dlen) int BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes) { - int ret; - - ret = bio_read_intern(b, data, dlen, readbytes); - - if (ret > 0) - ret = 1; - else - ret = 0; - - return ret; + return bio_read_intern(b, data, dlen, readbytes) > 0; } static int bio_write_intern(BIO *b, const void *data, size_t dlen, @@ -322,10 +317,11 @@ static int bio_write_intern(BIO *b, const void *data, size_t dlen, { int ret; - if (b == NULL) - return 0; - - if ((b->method == NULL) || (b->method->bwrite == NULL)) { + if (b == NULL) { + ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); + return -1; + } + if (b->method == NULL || b->method->bwrite == NULL) { ERR_raise(ERR_LIB_BIO, BIO_R_UNSUPPORTED_METHOD); return -2; } @@ -337,7 +333,7 @@ static int bio_write_intern(BIO *b, const void *data, size_t dlen, if (!b->init) { ERR_raise(ERR_LIB_BIO, BIO_R_UNINITIALIZED); - return -2; + return -1; } ret = b->method->bwrite(b, data, dlen, written); @@ -372,16 +368,7 @@ int BIO_write(BIO *b, const void *data, int dlen) int BIO_write_ex(BIO *b, const void *data, size_t dlen, size_t *written) { - int ret; - - ret = bio_write_intern(b, data, dlen, written); - - if (ret > 0) - ret = 1; - else - ret = 0; - - return ret; + return bio_write_intern(b, data, dlen, written) > 0; } int BIO_puts(BIO *b, const char *buf) @@ -389,7 +376,11 @@ int BIO_puts(BIO *b, const char *buf) int ret; size_t written = 0; - if ((b == NULL) || (b->method == NULL) || (b->method->bputs == NULL)) { + if (b == NULL) { + ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); + return -1; + } + if (b->method == NULL || b->method->bputs == NULL) { ERR_raise(ERR_LIB_BIO, BIO_R_UNSUPPORTED_METHOD); return -2; } @@ -402,7 +393,7 @@ int BIO_puts(BIO *b, const char *buf) if (!b->init) { ERR_raise(ERR_LIB_BIO, BIO_R_UNINITIALIZED); - return -2; + return -1; } ret = b->method->bputs(b, buf); @@ -434,14 +425,18 @@ int BIO_gets(BIO *b, char *buf, int size) int ret; size_t readbytes = 0; - if ((b == NULL) || (b->method == NULL) || (b->method->bgets == NULL)) { + if (b == NULL) { + ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); + return -1; + } + if (b->method == NULL || b->method->bgets == NULL) { ERR_raise(ERR_LIB_BIO, BIO_R_UNSUPPORTED_METHOD); return -2; } if (size < 0) { ERR_raise(ERR_LIB_BIO, BIO_R_INVALID_ARGUMENT); - return 0; + return -1; } if (b->callback != NULL || b->callback_ex != NULL) { @@ -452,7 +447,7 @@ int BIO_gets(BIO *b, char *buf, int size) if (!b->init) { ERR_raise(ERR_LIB_BIO, BIO_R_UNINITIALIZED); - return -2; + return -1; } ret = b->method->bgets(b, buf, size); @@ -511,10 +506,11 @@ long BIO_ctrl(BIO *b, int cmd, long larg, void *parg) { long ret; - if (b == NULL) - return 0; - - if ((b->method == NULL) || (b->method->ctrl == NULL)) { + if (b == NULL) { + ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); + return -1; + } + if (b->method == NULL || b->method->ctrl == NULL) { ERR_raise(ERR_LIB_BIO, BIO_R_UNSUPPORTED_METHOD); return -2; } @@ -538,11 +534,12 @@ long BIO_callback_ctrl(BIO *b, int cmd, BIO_info_cb *fp) { long ret; - if (b == NULL) - return 0; - - if ((b->method == NULL) || (b->method->callback_ctrl == NULL) - || (cmd != BIO_CTRL_SET_CALLBACK)) { + if (b == NULL) { + ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); + return -2; + } + if (b->method == NULL || b->method->callback_ctrl == NULL + || cmd != BIO_CTRL_SET_CALLBACK) { ERR_raise(ERR_LIB_BIO, BIO_R_UNSUPPORTED_METHOD); return -2; } @@ -601,8 +598,10 @@ BIO *BIO_pop(BIO *b) { BIO *ret; - if (b == NULL) + if (b == NULL) { + ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); return NULL; + } ret = b->next_bio; BIO_ctrl(b, BIO_CTRL_POP, 0, b); @@ -649,8 +648,10 @@ BIO *BIO_find_type(BIO *bio, int type) { int mt, mask; - if (bio == NULL) + if (bio == NULL) { + ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); return NULL; + } mask = type & 0xff; do { if (bio->method != NULL) { @@ -659,8 +660,9 @@ BIO *BIO_find_type(BIO *bio, int type) if (!mask) { if (mt & type) return bio; - } else if (mt == type) + } else if (mt == type) { return bio; + } } bio = bio->next_bio; } while (bio != NULL); @@ -669,8 +671,10 @@ BIO *BIO_find_type(BIO *bio, int type) BIO *BIO_next(BIO *b) { - if (b == NULL) + if (b == NULL) { + ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); return NULL; + } return b->next_bio; } @@ -897,7 +901,8 @@ int BIO_do_connect_retry(BIO *bio, int timeout, int nap_milliseconds) } else { rv = -1; if (err == 0) /* missing error queue entry */ - ERR_raise(ERR_LIB_BIO, BIO_R_CONNECT_ERROR); /* workaround: general error */ + /* workaround: general error */ + ERR_raise(ERR_LIB_BIO, BIO_R_CONNECT_ERROR); } } diff --git a/crypto/bio/bss_mem.c b/crypto/bio/bss_mem.c index ad7e8a6106..3bdf457966 100644 --- a/crypto/bio/bss_mem.c +++ b/crypto/bio/bss_mem.c @@ -91,7 +91,7 @@ BIO *BIO_new_mem_buf(const void *buf, int len) size_t sz; if (buf == NULL) { - ERR_raise(ERR_LIB_BIO, BIO_R_NULL_PARAMETER); + ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); return NULL; } sz = (len < 0) ? strlen(buf) : (size_t)len; @@ -222,7 +222,7 @@ static int mem_write(BIO *b, const char *in, int inl) BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr; if (in == NULL) { - ERR_raise(ERR_LIB_BIO, BIO_R_NULL_PARAMETER); + ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); goto end; } if (b->flags & BIO_FLAGS_MEM_RDONLY) { diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 40f93ba0cd..a06e3ced39 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -2039,7 +2039,6 @@ BIO_R_NO_ACCEPT_ADDR_OR_SERVICE_SPECIFIED:143:\ BIO_R_NO_HOSTNAME_OR_SERVICE_SPECIFIED:144:no hostname or service specified BIO_R_NO_PORT_DEFINED:113:no port defined BIO_R_NO_SUCH_FILE:128:no such file -BIO_R_NULL_PARAMETER:115:null parameter BIO_R_TRANSFER_ERROR:104:transfer error BIO_R_TRANSFER_TIMEOUT:105:transfer timeout BIO_R_UNABLE_TO_BIND_SOCKET:117:unable to bind socket diff --git a/crypto/x509/v3_conf.c b/crypto/x509/v3_conf.c index f8a2e3fe27..740108fefd 100644 --- a/crypto/x509/v3_conf.c +++ b/crypto/x509/v3_conf.c @@ -306,8 +306,8 @@ static void delete_ext(STACK_OF(X509_EXTENSION) *sk, X509_EXTENSION *dext) /* * This is the main function: add a bunch of extensions based on a config * file section to an extension STACK. Just check in case sk == NULL. + * Note that on error new elements may have been added to *sk if sk != NULL. */ - int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section, STACK_OF(X509_EXTENSION) **sk) { @@ -337,45 +337,45 @@ int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section, } /* - * Convenience functions to add extensions to a certificate, CRL and request + * Add extensions to a certificate. Just check in case cert == NULL. + * Note that on error new elements may remain added to cert if cert != NULL. */ - int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section, X509 *cert) { STACK_OF(X509_EXTENSION) **sk = NULL; - if (cert) + if (cert != NULL) sk = &cert->cert_info.extensions; return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk); } -/* Same as above but for a CRL */ - +/* + * Add extensions to a CRL. Just check in case crl == NULL. + * Note that on error new elements may remain added to crl if crl != NULL. + */ int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section, X509_CRL *crl) { STACK_OF(X509_EXTENSION) **sk = NULL; - if (crl) + if (crl != NULL) sk = &crl->crl.extensions; return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk); } -/* Add extensions to certificate request */ - +/* + * Add extensions to certificate request. Just check in case req is NULL. + * Note that on error new elements may remain added to req if req != NULL. + */ int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section, X509_REQ *req) { - STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL; - int i; + STACK_OF(X509_EXTENSION) *exts = NULL; + int ret = X509V3_EXT_add_nconf_sk(conf, ctx, section, &exts); - if (req) - sk = &extlist; - i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk); - if (!i || !sk) - return i; - i = X509_REQ_add_extensions(req, extlist); - sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free); - return i; + if (ret && req != NULL && exts != NULL) + ret = X509_REQ_add_extensions(req, exts); + sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); + return ret; } /* Config database functions */ diff --git a/include/openssl/bioerr.h b/include/openssl/bioerr.h index 00a7df227e..e2d247ea65 100644 --- a/include/openssl/bioerr.h +++ b/include/openssl/bioerr.h @@ -106,7 +106,7 @@ # define BIO_R_NO_HOSTNAME_OR_SERVICE_SPECIFIED 144 # define BIO_R_NO_PORT_DEFINED 113 # define BIO_R_NO_SUCH_FILE 128 -# define BIO_R_NULL_PARAMETER 115 +# define BIO_R_NULL_PARAMETER 115 /* unused */ # define BIO_R_TRANSFER_ERROR 104 # define BIO_R_TRANSFER_TIMEOUT 105 # define BIO_R_UNABLE_TO_BIND_SOCKET 117 From scan-admin at coverity.com Sun Jan 17 07:50:29 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 17 Jan 2021 07:50:29 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <6003ec455ae18_199102ad4e0f12f406525a@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3D4Q--_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeH4AHmPSySF3-2BzJMuGGtWhRIxvpen6xFVyjPwMWDBfd-2FnAFsWI0MScxXYge7plTHGZioBy6AsdU0s9Dqs3M6-2Fos6bFzQmoy-2BS88q81OUwzWaiIcssA6aWNhOI-2Bcs6PKQ-2B2yFmf6Zw1DFB579RLDe1F3rwktcpZ1qDD-2F24sLGCBe4Yw01ycg2-2FqLm0vfKW6IeEM-3D Build ID: 364210 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Sun Jan 17 07:54:10 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 17 Jan 2021 07:54:10 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <6003ed227bd71_19ade2ad4e0f12f40652c9@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DrYlt_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeE7qEctG5nvE2nUTFQP4R2fZAIZJmZ3rQ-2Fv1wqViaGsHfb88gu54INsLmqZPkKRRM3eZz4iRyQrJMD1y-2FJ0QPdzZyhRlZqcRCq4nwgEUk2EJmDGiSulMytYv2khUhDRQTZ6wqrYgnYyFxclbF3dCNhd4oV1C-2FmqQxqibLjWMgkl98lkJbcg-2F-2FL5dSggBCIm-2BaE-3D Build ID: 364209 Analysis Summary: New defects found: 4 Defects eliminated: 6 If you have difficulty understanding any defects, email us at scan-admin at coverity.com, or post your question to StackOverflow at https://u15810271.ct.sendgrid.net/ls/click?upn=CTPegkVN6peWFCMEieYYmPWIi1E4yUS9EoqKFcNAiqhRq8qmgeBE-2Bdt3uvFRAFXd-2FlwX83-2FVVdybfzIMOby0qA-3D-3DCTa9_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeE7qEctG5nvE2nUTFQP4R2fZAIZJmZ3rQ-2Fv1wqViaGsHae4s8oyWKXtqHKhUKh9Bl-2Fzzbm8YoOcN0htobU4acNlwgQTE1QcysEx-2BL7qn7flhWBttbEXM4oaM0Bkl7V66xTA-2B7GEN9UZB1Z-2F-2FOzAEeLRtVoZg8-2BzIY7Q782VHJJ-2FKGvK8IvqdyDSPC4KZvsMX5o-3D From openssl at openssl.org Mon Jan 18 01:08:58 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 18 Jan 2021 01:08:58 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm Message-ID: <1610932138.421998.2093704.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-asm Commit log since last time: ed4a9b15d9 replace all BIO_R_NULL_PARAMETER by ERR_R_PASSED_NULL_PARAMETER dc88a03906 bio_lib.c: Fix error queue entries and return codes on NULL args etc. ab8af35aa2 X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it 2c04b34140 Allow EVP_PKEY private key objects to be created without a public component 39f3427dc1 Fix incomplete deprecation guard in test/sslapitest.c 3f6e891d42 Fix crypto/des/build.info e604b7c915 Document openssl thread-safety 975aae76db Remove unused DRBG tests. 0434f9841d Correct typo in rsa_oaep.c 3bc061eb0a Enhance default provider documentation b11ba50fd9 Fix a failure where fetches can return NULL in multi-threaded code 7dd2cb5693 Fix an issue in provider_activate_fallbacks() b457c8f514 Extend the threads test to add simple fetch from multi threads f5a50c2a07 Enable locking on the primary DRBG when we create it 2c40421440 Make sure we take the ctx->lock in ossl_lib_ctx_generic_new() c25a1524aa Lock the provider operation_bits 886ad0045b Document the core_thread_start upcall ae95a40e8d Add a test for performing work in multiple concurrent threads f6b72c7d75 Fix a crash with multi-threaded applications using the FIPS module c476c06f50 find_issuer(): When returning an expired issuer, take the most recently expired one f5f4fbaa44 Make the OSSL_CMP manual conform with man-pages(7) 4369a882a5 Skip BOM when reading the config file 5eb24fbd1c OPENSSL_cpuid_setup FreeBSD arm update. b57ec7394a OPENSSL_cpuid_setup FreeBSD PowerPC update 879365e6d4 Make header references conform with man-pages(7) in all manuals 0f2380066d Make the OSSL_trace manual conform with man-pages(7) 2645c94bb5 Make the OSSL_PROVIDER manual conform with man-pages(7) ad2cc1a08e Make the OSSL_HTTP manual conform with man-pages(7) ab21608952 Make the OSSL_SELF_TEST manual conform with man-pages(7) b91f41daba Make the OSSL_PARAM manual conform with man-pages(7) Build log ended with (last 100 lines): 20-test_enc.t ...................... ok 20-test_enc_more.t ................. ok 20-test_kdf.t ...................... ok 20-test_mac.t ...................... ok 20-test_passwd.t ................... ok 20-test_pkeyutl.t .................. ok 20-test_rand_config.t .............. ok 25-test_crl.t ...................... ok 25-test_d2i.t ...................... ok 25-test_eai_data.t ................. ok 25-test_pkcs7.t .................... ok 25-test_req.t ...................... ok 25-test_rusext.t ................... ok 25-test_sid.t ...................... ok 25-test_verify.t ................... ok 25-test_verify_store.t ............. ok 25-test_x509.t ..................... ok 30-test_acvp.t ..................... ok 30-test_aesgcm.t ................... ok 30-test_afalg.t .................... ok 30-test_defltfips.t ................ ok 30-test_engine.t ................... ok 30-test_evp.t ...................... ok 30-test_evp_extra.t ................ ok 30-test_evp_fetch_prov.t ........... ok 30-test_evp_kdf.t .................. ok 30-test_evp_libctx.t ............... ok 30-test_evp_pkey_dparam.t .......... ok 30-test_evp_pkey_provided.t ........ ok 30-test_pbelu.t .................... ok 30-test_pkey_meth.t ................ ok 30-test_pkey_meth_kdf.t ............ ok 30-test_provider_status.t .......... ok 40-test_rehash.t ................... ok 60-test_x509_check_cert_pkey.t ..... ok 60-test_x509_dup_cert.t ............ ok 60-test_x509_store.t ............... ok 60-test_x509_time.t ................ ok 61-test_bio_prefix.t ............... ok 65-test_cmp_asn.t .................. ok 65-test_cmp_client.t ............... ok 65-test_cmp_ctx.t .................. ok 65-test_cmp_hdr.t .................. ok 65-test_cmp_msg.t .................. ok 65-test_cmp_protect.t .............. ok 65-test_cmp_server.t ............... ok 65-test_cmp_status.t ............... ok 65-test_cmp_vfy.t .................. ok 66-test_ossl_store.t ............... ok 70-test_asyncio.t .................. ok 70-test_bad_dtls.t ................. ok 70-test_clienthello.t .............. ok 70-test_comp.t ..................... ok 70-test_key_share.t ................ ok 70-test_packet.t ................... ok 70-test_recordlen.t ................ ok 70-test_renegotiation.t ............ ok 70-test_servername.t ............... ok 70-test_sslcbcpadding.t ............ ok 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok make[1]: *** wait: No child processes. Stop. make[1]: *** Waiting for unfinished jobs.... make[1]: *** wait: No child processes. Stop. make: *** [Makefile:3252: tests] Terminated From openssl at openssl.org Mon Jan 18 01:58:41 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 18 Jan 2021 01:58:41 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit Message-ID: <1610935121.146320.2203432.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: ed4a9b15d9 replace all BIO_R_NULL_PARAMETER by ERR_R_PASSED_NULL_PARAMETER dc88a03906 bio_lib.c: Fix error queue entries and return codes on NULL args etc. ab8af35aa2 X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it 2c04b34140 Allow EVP_PKEY private key objects to be created without a public component 39f3427dc1 Fix incomplete deprecation guard in test/sslapitest.c 3f6e891d42 Fix crypto/des/build.info e604b7c915 Document openssl thread-safety 975aae76db Remove unused DRBG tests. 0434f9841d Correct typo in rsa_oaep.c 3bc061eb0a Enhance default provider documentation b11ba50fd9 Fix a failure where fetches can return NULL in multi-threaded code 7dd2cb5693 Fix an issue in provider_activate_fallbacks() b457c8f514 Extend the threads test to add simple fetch from multi threads f5a50c2a07 Enable locking on the primary DRBG when we create it 2c40421440 Make sure we take the ctx->lock in ossl_lib_ctx_generic_new() c25a1524aa Lock the provider operation_bits 886ad0045b Document the core_thread_start upcall ae95a40e8d Add a test for performing work in multiple concurrent threads f6b72c7d75 Fix a crash with multi-threaded applications using the FIPS module c476c06f50 find_issuer(): When returning an expired issuer, take the most recently expired one f5f4fbaa44 Make the OSSL_CMP manual conform with man-pages(7) 4369a882a5 Skip BOM when reading the config file 5eb24fbd1c OPENSSL_cpuid_setup FreeBSD arm update. b57ec7394a OPENSSL_cpuid_setup FreeBSD PowerPC update 879365e6d4 Make header references conform with man-pages(7) in all manuals 0f2380066d Make the OSSL_trace manual conform with man-pages(7) 2645c94bb5 Make the OSSL_PROVIDER manual conform with man-pages(7) ad2cc1a08e Make the OSSL_HTTP manual conform with man-pages(7) ab21608952 Make the OSSL_SELF_TEST manual conform with man-pages(7) b91f41daba Make the OSSL_PARAM manual conform with man-pages(7) Build log ended with (last 100 lines): 70-test_sslcbcpadding.t ............ ok 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 04-test_err.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=228, Tests=3457, 841 wallclock secs (14.53 usr 1.26 sys + 750.31 cusr 88.14 csys = 854.24 CPU) Result: FAIL make[1]: *** [Makefile:3291: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-autoerrinit' make: *** [Makefile:3288: tests] Error 2 From openssl at openssl.org Mon Jan 18 07:29:07 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 18 Jan 2021 07:29:07 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des Message-ID: <1610954947.657686.2912148.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: ed4a9b15d9 replace all BIO_R_NULL_PARAMETER by ERR_R_PASSED_NULL_PARAMETER dc88a03906 bio_lib.c: Fix error queue entries and return codes on NULL args etc. ab8af35aa2 X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it 2c04b34140 Allow EVP_PKEY private key objects to be created without a public component 39f3427dc1 Fix incomplete deprecation guard in test/sslapitest.c 3f6e891d42 Fix crypto/des/build.info e604b7c915 Document openssl thread-safety 975aae76db Remove unused DRBG tests. 0434f9841d Correct typo in rsa_oaep.c 3bc061eb0a Enhance default provider documentation b11ba50fd9 Fix a failure where fetches can return NULL in multi-threaded code 7dd2cb5693 Fix an issue in provider_activate_fallbacks() b457c8f514 Extend the threads test to add simple fetch from multi threads f5a50c2a07 Enable locking on the primary DRBG when we create it 2c40421440 Make sure we take the ctx->lock in ossl_lib_ctx_generic_new() c25a1524aa Lock the provider operation_bits 886ad0045b Document the core_thread_start upcall ae95a40e8d Add a test for performing work in multiple concurrent threads f6b72c7d75 Fix a crash with multi-threaded applications using the FIPS module c476c06f50 find_issuer(): When returning an expired issuer, take the most recently expired one f5f4fbaa44 Make the OSSL_CMP manual conform with man-pages(7) 4369a882a5 Skip BOM when reading the config file 5eb24fbd1c OPENSSL_cpuid_setup FreeBSD arm update. b57ec7394a OPENSSL_cpuid_setup FreeBSD PowerPC update 879365e6d4 Make header references conform with man-pages(7) in all manuals 0f2380066d Make the OSSL_trace manual conform with man-pages(7) 2645c94bb5 Make the OSSL_PROVIDER manual conform with man-pages(7) ad2cc1a08e Make the OSSL_HTTP manual conform with man-pages(7) ab21608952 Make the OSSL_SELF_TEST manual conform with man-pages(7) b91f41daba Make the OSSL_PARAM manual conform with man-pages(7) Build log ended with (last 100 lines): 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 30-test_evp.t (Wstat: 512 Tests: 90 Failed: 2) Failed tests: 14, 40 Non-zero exit status: 2 30-test_evp_kdf.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=228, Tests=3459, 742 wallclock secs (11.81 usr 1.26 sys + 673.77 cusr 66.21 csys = 753.05 CPU) Result: FAIL make[1]: *** [Makefile:3206: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-des' make: *** [Makefile:3203: tests] Error 2 From openssl at openssl.org Mon Jan 18 07:56:25 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 18 Jan 2021 07:56:25 +0000 Subject: FAILED build of OpenSSL branch master with options -d --strict-warnings no-dh Message-ID: <1610956585.240536.2976127.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dh Commit log since last time: ed4a9b15d9 replace all BIO_R_NULL_PARAMETER by ERR_R_PASSED_NULL_PARAMETER dc88a03906 bio_lib.c: Fix error queue entries and return codes on NULL args etc. ab8af35aa2 X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it 2c04b34140 Allow EVP_PKEY private key objects to be created without a public component 39f3427dc1 Fix incomplete deprecation guard in test/sslapitest.c 3f6e891d42 Fix crypto/des/build.info e604b7c915 Document openssl thread-safety 975aae76db Remove unused DRBG tests. 0434f9841d Correct typo in rsa_oaep.c 3bc061eb0a Enhance default provider documentation b11ba50fd9 Fix a failure where fetches can return NULL in multi-threaded code 7dd2cb5693 Fix an issue in provider_activate_fallbacks() b457c8f514 Extend the threads test to add simple fetch from multi threads f5a50c2a07 Enable locking on the primary DRBG when we create it 2c40421440 Make sure we take the ctx->lock in ossl_lib_ctx_generic_new() c25a1524aa Lock the provider operation_bits 886ad0045b Document the core_thread_start upcall ae95a40e8d Add a test for performing work in multiple concurrent threads f6b72c7d75 Fix a crash with multi-threaded applications using the FIPS module c476c06f50 find_issuer(): When returning an expired issuer, take the most recently expired one f5f4fbaa44 Make the OSSL_CMP manual conform with man-pages(7) 4369a882a5 Skip BOM when reading the config file 5eb24fbd1c OPENSSL_cpuid_setup FreeBSD arm update. b57ec7394a OPENSSL_cpuid_setup FreeBSD PowerPC update 879365e6d4 Make header references conform with man-pages(7) in all manuals 0f2380066d Make the OSSL_trace manual conform with man-pages(7) 2645c94bb5 Make the OSSL_PROVIDER manual conform with man-pages(7) ad2cc1a08e Make the OSSL_HTTP manual conform with man-pages(7) ab21608952 Make the OSSL_SELF_TEST manual conform with man-pages(7) b91f41daba Make the OSSL_PARAM manual conform with man-pages(7) Build log ended with (last 100 lines): /usr/bin/perl ../openssl/test/generate_buildtest.pl mdc2 > test/buildtest_mdc2.c /usr/bin/perl ../openssl/test/generate_buildtest.pl modes > test/buildtest_modes.c /usr/bin/perl ../openssl/test/generate_buildtest.pl obj_mac > test/buildtest_obj_mac.c /usr/bin/perl ../openssl/test/generate_buildtest.pl objects > test/buildtest_objects.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ossl_typ > test/buildtest_ossl_typ.c /usr/bin/perl ../openssl/test/generate_buildtest.pl param_build > test/buildtest_param_build.c /usr/bin/perl ../openssl/test/generate_buildtest.pl params > test/buildtest_params.c /usr/bin/perl ../openssl/test/generate_buildtest.pl pem > test/buildtest_pem.c /usr/bin/perl ../openssl/test/generate_buildtest.pl pem2 > test/buildtest_pem2.c /usr/bin/perl ../openssl/test/generate_buildtest.pl provider > test/buildtest_provider.c /usr/bin/perl ../openssl/test/generate_buildtest.pl rand > test/buildtest_rand.c /usr/bin/perl ../openssl/test/generate_buildtest.pl rc2 > test/buildtest_rc2.c /usr/bin/perl ../openssl/test/generate_buildtest.pl rc4 > test/buildtest_rc4.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ripemd > test/buildtest_ripemd.c /usr/bin/perl ../openssl/test/generate_buildtest.pl rsa > test/buildtest_rsa.c /usr/bin/perl ../openssl/test/generate_buildtest.pl seed > test/buildtest_seed.c /usr/bin/perl ../openssl/test/generate_buildtest.pl self_test > test/buildtest_self_test.c /usr/bin/perl ../openssl/test/generate_buildtest.pl sha > test/buildtest_sha.c /usr/bin/perl ../openssl/test/generate_buildtest.pl srtp > test/buildtest_srtp.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ssl2 > test/buildtest_ssl2.c /usr/bin/perl ../openssl/test/generate_buildtest.pl sslerr_legacy > test/buildtest_sslerr_legacy.c /usr/bin/perl ../openssl/test/generate_buildtest.pl stack > test/buildtest_stack.c /usr/bin/perl ../openssl/test/generate_buildtest.pl store > test/buildtest_store.c /usr/bin/perl ../openssl/test/generate_buildtest.pl symhacks > test/buildtest_symhacks.c /usr/bin/perl ../openssl/test/generate_buildtest.pl tls1 > test/buildtest_tls1.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ts > test/buildtest_ts.c /usr/bin/perl ../openssl/test/generate_buildtest.pl txt_db > test/buildtest_txt_db.c /usr/bin/perl ../openssl/test/generate_buildtest.pl types > test/buildtest_types.c /usr/bin/perl ../openssl/test/generate_buildtest.pl whrlpool > test/buildtest_whrlpool.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/casttest-bin-casttest.d.tmp -MT test/casttest-bin-casttest.o -c -o test/casttest-bin-casttest.o ../openssl/test/casttest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/chacha_internal_test-bin-chacha_internal_test.d.tmp -MT test/chacha_internal_test-bin-chacha_internal_test.o -c -o test/chacha_internal_test-bin-chacha_internal_test.o ../openssl/test/chacha_internal_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cipher_overhead_test-bin-cipher_overhead_test.d.tmp -MT test/cipher_overhead_test-bin-cipher_overhead_test.o -c -o test/cipher_overhead_test-bin-cipher_overhead_test.o ../openssl/test/cipher_overhead_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cipherbytes_test-bin-cipherbytes_test.d.tmp -MT test/cipherbytes_test-bin-cipherbytes_test.o -c -o test/cipherbytes_test-bin-cipherbytes_test.o ../openssl/test/cipherbytes_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cipherlist_test-bin-cipherlist_test.d.tmp -MT test/cipherlist_test-bin-cipherlist_test.o -c -o test/cipherlist_test-bin-cipherlist_test.o ../openssl/test/cipherlist_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ciphername_test-bin-ciphername_test.d.tmp -MT test/ciphername_test-bin-ciphername_test.o -c -o test/ciphername_test-bin-ciphername_test.o ../openssl/test/ciphername_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/clienthellotest-bin-clienthellotest.d.tmp -MT test/clienthellotest-bin-clienthellotest.o -c -o test/clienthellotest-bin-clienthellotest.o ../openssl/test/clienthellotest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmactest-bin-cmactest.d.tmp -MT test/cmactest-bin-cmactest.o -c -o test/cmactest-bin-cmactest.o ../openssl/test/cmactest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_asn_test-bin-cmp_asn_test.d.tmp -MT test/cmp_asn_test-bin-cmp_asn_test.o -c -o test/cmp_asn_test-bin-cmp_asn_test.o ../openssl/test/cmp_asn_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_asn_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_asn_test-bin-cmp_testlib.o -c -o test/helpers/cmp_asn_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_client_test-bin-cmp_client_test.d.tmp -MT test/cmp_client_test-bin-cmp_client_test.o -c -o test/cmp_client_test-bin-cmp_client_test.o ../openssl/test/cmp_client_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_client_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_client_test-bin-cmp_testlib.o -c -o test/helpers/cmp_client_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_ctx_test-bin-cmp_ctx_test.d.tmp -MT test/cmp_ctx_test-bin-cmp_ctx_test.o -c -o test/cmp_ctx_test-bin-cmp_ctx_test.o ../openssl/test/cmp_ctx_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_ctx_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_ctx_test-bin-cmp_testlib.o -c -o test/helpers/cmp_ctx_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_hdr_test-bin-cmp_hdr_test.d.tmp -MT test/cmp_hdr_test-bin-cmp_hdr_test.o -c -o test/cmp_hdr_test-bin-cmp_hdr_test.o ../openssl/test/cmp_hdr_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_hdr_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_hdr_test-bin-cmp_testlib.o -c -o test/helpers/cmp_hdr_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_msg_test-bin-cmp_msg_test.d.tmp -MT test/cmp_msg_test-bin-cmp_msg_test.o -c -o test/cmp_msg_test-bin-cmp_msg_test.o ../openssl/test/cmp_msg_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_msg_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_msg_test-bin-cmp_testlib.o -c -o test/helpers/cmp_msg_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_protect_test-bin-cmp_protect_test.d.tmp -MT test/cmp_protect_test-bin-cmp_protect_test.o -c -o test/cmp_protect_test-bin-cmp_protect_test.o ../openssl/test/cmp_protect_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_protect_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_protect_test-bin-cmp_testlib.o -c -o test/helpers/cmp_protect_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_server_test-bin-cmp_server_test.d.tmp -MT test/cmp_server_test-bin-cmp_server_test.o -c -o test/cmp_server_test-bin-cmp_server_test.o ../openssl/test/cmp_server_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_server_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_server_test-bin-cmp_testlib.o -c -o test/helpers/cmp_server_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_status_test-bin-cmp_status_test.d.tmp -MT test/cmp_status_test-bin-cmp_status_test.o -c -o test/cmp_status_test-bin-cmp_status_test.o ../openssl/test/cmp_status_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_status_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_status_test-bin-cmp_testlib.o -c -o test/helpers/cmp_status_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_vfy_test-bin-cmp_vfy_test.d.tmp -MT test/cmp_vfy_test-bin-cmp_vfy_test.o -c -o test/cmp_vfy_test-bin-cmp_vfy_test.o ../openssl/test/cmp_vfy_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_vfy_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_vfy_test-bin-cmp_testlib.o -c -o test/helpers/cmp_vfy_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmsapitest-bin-cmsapitest.d.tmp -MT test/cmsapitest-bin-cmsapitest.o -c -o test/cmsapitest-bin-cmsapitest.o ../openssl/test/cmsapitest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/conf_include_test-bin-conf_include_test.d.tmp -MT test/conf_include_test-bin-conf_include_test.o -c -o test/conf_include_test-bin-conf_include_test.o ../openssl/test/conf_include_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/confdump-bin-confdump.d.tmp -MT test/confdump-bin-confdump.o -c -o test/confdump-bin-confdump.o ../openssl/test/confdump.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/constant_time_test-bin-constant_time_test.d.tmp -MT test/constant_time_test-bin-constant_time_test.o -c -o test/constant_time_test-bin-constant_time_test.o ../openssl/test/constant_time_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/context_internal_test-bin-context_internal_test.d.tmp -MT test/context_internal_test-bin-context_internal_test.o -c -o test/context_internal_test-bin-context_internal_test.o ../openssl/test/context_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/crltest-bin-crltest.d.tmp -MT test/crltest-bin-crltest.o -c -o test/crltest-bin-crltest.o ../openssl/test/crltest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ct_test-bin-ct_test.d.tmp -MT test/ct_test-bin-ct_test.o -c -o test/ct_test-bin-ct_test.o ../openssl/test/ct_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ctype_internal_test-bin-ctype_internal_test.d.tmp -MT test/ctype_internal_test-bin-ctype_internal_test.o -c -o test/ctype_internal_test-bin-ctype_internal_test.o ../openssl/test/ctype_internal_test.c clang -I. -Iinclude -Iapps/include -Icrypto/ec/curve448 -I../openssl -I../openssl/include -I../openssl/apps/include -I../openssl/crypto/ec/curve448 -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/curve448_internal_test-bin-curve448_internal_test.d.tmp -MT test/curve448_internal_test-bin-curve448_internal_test.o -c -o test/curve448_internal_test-bin-curve448_internal_test.o ../openssl/test/curve448_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/d2i_test-bin-d2i_test.d.tmp -MT test/d2i_test-bin-d2i_test.o -c -o test/d2i_test-bin-d2i_test.o ../openssl/test/d2i_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/danetest-bin-danetest.d.tmp -MT test/danetest-bin-danetest.o -c -o test/danetest-bin-danetest.o ../openssl/test/danetest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/defltfips_test-bin-defltfips_test.d.tmp -MT test/defltfips_test-bin-defltfips_test.o -c -o test/defltfips_test-bin-defltfips_test.o ../openssl/test/defltfips_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/destest-bin-destest.d.tmp -MT test/destest-bin-destest.o -c -o test/destest-bin-destest.o ../openssl/test/destest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dhtest-bin-dhtest.d.tmp -MT test/dhtest-bin-dhtest.o -c -o test/dhtest-bin-dhtest.o ../openssl/test/dhtest.c clang -Iinclude -Iapps/include -Iproviders/common/include -I../openssl/include -I../openssl/apps/include -I../openssl/providers/common/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/drbgtest-bin-drbgtest.d.tmp -MT test/drbgtest-bin-drbgtest.o -c -o test/drbgtest-bin-drbgtest.o ../openssl/test/drbgtest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.d.tmp -MT test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.o -c -o test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.o ../openssl/test/dsa_no_digest_size_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dsatest-bin-dsatest.d.tmp -MT test/dsatest-bin-dsatest.o -c -o test/dsatest-bin-dsatest.o ../openssl/test/dsatest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtls_mtu_test-bin-dtls_mtu_test.d.tmp -MT test/dtls_mtu_test-bin-dtls_mtu_test.o -c -o test/dtls_mtu_test-bin-dtls_mtu_test.o ../openssl/test/dtls_mtu_test.c clang -I. -Iinclude -I../openssl -I../openssl/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/dtls_mtu_test-bin-ssltestlib.d.tmp -MT test/helpers/dtls_mtu_test-bin-ssltestlib.o -c -o test/helpers/dtls_mtu_test-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtlstest-bin-dtlstest.d.tmp -MT test/dtlstest-bin-dtlstest.o -c -o test/dtlstest-bin-dtlstest.o ../openssl/test/dtlstest.c clang -I. -Iinclude -I../openssl -I../openssl/include -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/dtlstest-bin-ssltestlib.d.tmp -MT test/helpers/dtlstest-bin-ssltestlib.o -c -o test/helpers/dtlstest-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtlsv1listentest-bin-dtlsv1listentest.d.tmp -MT test/dtlsv1listentest-bin-dtlsv1listentest.o -c -o test/dtlsv1listentest-bin-dtlsv1listentest.o ../openssl/test/dtlsv1listentest.c clang -Iinclude -Icrypto/ec -Iapps/include -I../openssl/include -I../openssl/crypto/ec -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ec_internal_test-bin-ec_internal_test.d.tmp -MT test/ec_internal_test-bin-ec_internal_test.o -c -o test/ec_internal_test-bin-ec_internal_test.o ../openssl/test/ec_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ecdsatest-bin-ecdsatest.d.tmp -MT test/ecdsatest-bin-ecdsatest.o -c -o test/ecdsatest-bin-ecdsatest.o ../openssl/test/ecdsatest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ecstresstest-bin-ecstresstest.d.tmp -MT test/ecstresstest-bin-ecstresstest.o -c -o test/ecstresstest-bin-ecstresstest.o ../openssl/test/ecstresstest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ectest-bin-ectest.d.tmp -MT test/ectest-bin-ectest.o -c -o test/ectest-bin-ectest.o ../openssl/test/ectest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/endecode_test-bin-endecode_test.d.tmp -MT test/endecode_test-bin-endecode_test.o -c -o test/endecode_test-bin-endecode_test.o ../openssl/test/endecode_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/endecode_test-bin-predefined_dhparams.d.tmp -MT test/helpers/endecode_test-bin-predefined_dhparams.o -c -o test/helpers/endecode_test-bin-predefined_dhparams.o ../openssl/test/helpers/predefined_dhparams.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/endecoder_legacy_test-bin-endecoder_legacy_test.d.tmp -MT test/endecoder_legacy_test-bin-endecoder_legacy_test.o -c -o test/endecoder_legacy_test-bin-endecoder_legacy_test.o ../openssl/test/endecoder_legacy_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/enginetest-bin-enginetest.d.tmp -MT test/enginetest-bin-enginetest.o -c -o test/enginetest-bin-enginetest.o ../openssl/test/enginetest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/errtest-bin-errtest.d.tmp -MT test/errtest-bin-errtest.o -c -o test/errtest-bin-errtest.o ../openssl/test/errtest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_extra_test-bin-evp_extra_test.d.tmp -MT test/evp_extra_test-bin-evp_extra_test.o -c -o test/evp_extra_test-bin-evp_extra_test.o ../openssl/test/evp_extra_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_extra_test2-bin-evp_extra_test2.d.tmp -MT test/evp_extra_test2-bin-evp_extra_test2.o -c -o test/evp_extra_test2-bin-evp_extra_test2.o ../openssl/test/evp_extra_test2.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_fetch_prov_test-bin-evp_fetch_prov_test.d.tmp -MT test/evp_fetch_prov_test-bin-evp_fetch_prov_test.o -c -o test/evp_fetch_prov_test-bin-evp_fetch_prov_test.o ../openssl/test/evp_fetch_prov_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_kdf_test-bin-evp_kdf_test.d.tmp -MT test/evp_kdf_test-bin-evp_kdf_test.o -c -o test/evp_kdf_test-bin-evp_kdf_test.o ../openssl/test/evp_kdf_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_libctx_test-bin-evp_libctx_test.d.tmp -MT test/evp_libctx_test-bin-evp_libctx_test.o -c -o test/evp_libctx_test-bin-evp_libctx_test.o ../openssl/test/evp_libctx_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_pkey_dparams_test-bin-evp_pkey_dparams_test.d.tmp -MT test/evp_pkey_dparams_test-bin-evp_pkey_dparams_test.o -c -o test/evp_pkey_dparams_test-bin-evp_pkey_dparams_test.o ../openssl/test/evp_pkey_dparams_test.c ../openssl/test/evp_extra_test.c:1857:12: error: implicit declaration of function 'test_EVP_PKEY_ffc_priv_pub' is invalid in C99 [-Werror,-Wimplicit-function-declaration] return test_EVP_PKEY_ffc_priv_pub("DSA"); ^ 1 error generated. make[1]: *** [Makefile:26266: test/evp_extra_test-bin-evp_extra_test.o] Error 1 make[1]: *** Waiting for unfinished jobs.... make[1]: Leaving directory '/home/openssl/run-checker/no-dh' make: *** [Makefile:3200: build_sw] Error 2 From openssl at openssl.org Mon Jan 18 07:59:01 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 18 Jan 2021 07:59:01 +0000 Subject: FAILED build of OpenSSL branch master with options -d --strict-warnings no-dsa Message-ID: <1610956741.806430.2989226.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dsa Commit log since last time: ed4a9b15d9 replace all BIO_R_NULL_PARAMETER by ERR_R_PASSED_NULL_PARAMETER dc88a03906 bio_lib.c: Fix error queue entries and return codes on NULL args etc. ab8af35aa2 X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it 2c04b34140 Allow EVP_PKEY private key objects to be created without a public component 39f3427dc1 Fix incomplete deprecation guard in test/sslapitest.c 3f6e891d42 Fix crypto/des/build.info e604b7c915 Document openssl thread-safety 975aae76db Remove unused DRBG tests. 0434f9841d Correct typo in rsa_oaep.c 3bc061eb0a Enhance default provider documentation b11ba50fd9 Fix a failure where fetches can return NULL in multi-threaded code 7dd2cb5693 Fix an issue in provider_activate_fallbacks() b457c8f514 Extend the threads test to add simple fetch from multi threads f5a50c2a07 Enable locking on the primary DRBG when we create it 2c40421440 Make sure we take the ctx->lock in ossl_lib_ctx_generic_new() c25a1524aa Lock the provider operation_bits 886ad0045b Document the core_thread_start upcall ae95a40e8d Add a test for performing work in multiple concurrent threads f6b72c7d75 Fix a crash with multi-threaded applications using the FIPS module c476c06f50 find_issuer(): When returning an expired issuer, take the most recently expired one f5f4fbaa44 Make the OSSL_CMP manual conform with man-pages(7) 4369a882a5 Skip BOM when reading the config file 5eb24fbd1c OPENSSL_cpuid_setup FreeBSD arm update. b57ec7394a OPENSSL_cpuid_setup FreeBSD PowerPC update 879365e6d4 Make header references conform with man-pages(7) in all manuals 0f2380066d Make the OSSL_trace manual conform with man-pages(7) 2645c94bb5 Make the OSSL_PROVIDER manual conform with man-pages(7) ad2cc1a08e Make the OSSL_HTTP manual conform with man-pages(7) ab21608952 Make the OSSL_SELF_TEST manual conform with man-pages(7) b91f41daba Make the OSSL_PARAM manual conform with man-pages(7) Build log ended with (last 100 lines): /usr/bin/perl ../openssl/test/generate_buildtest.pl mdc2 > test/buildtest_mdc2.c /usr/bin/perl ../openssl/test/generate_buildtest.pl modes > test/buildtest_modes.c /usr/bin/perl ../openssl/test/generate_buildtest.pl obj_mac > test/buildtest_obj_mac.c /usr/bin/perl ../openssl/test/generate_buildtest.pl objects > test/buildtest_objects.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ossl_typ > test/buildtest_ossl_typ.c /usr/bin/perl ../openssl/test/generate_buildtest.pl param_build > test/buildtest_param_build.c /usr/bin/perl ../openssl/test/generate_buildtest.pl params > test/buildtest_params.c /usr/bin/perl ../openssl/test/generate_buildtest.pl pem > test/buildtest_pem.c /usr/bin/perl ../openssl/test/generate_buildtest.pl pem2 > test/buildtest_pem2.c /usr/bin/perl ../openssl/test/generate_buildtest.pl provider > test/buildtest_provider.c /usr/bin/perl ../openssl/test/generate_buildtest.pl rand > test/buildtest_rand.c /usr/bin/perl ../openssl/test/generate_buildtest.pl rc2 > test/buildtest_rc2.c /usr/bin/perl ../openssl/test/generate_buildtest.pl rc4 > test/buildtest_rc4.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ripemd > test/buildtest_ripemd.c /usr/bin/perl ../openssl/test/generate_buildtest.pl rsa > test/buildtest_rsa.c /usr/bin/perl ../openssl/test/generate_buildtest.pl seed > test/buildtest_seed.c /usr/bin/perl ../openssl/test/generate_buildtest.pl self_test > test/buildtest_self_test.c /usr/bin/perl ../openssl/test/generate_buildtest.pl sha > test/buildtest_sha.c /usr/bin/perl ../openssl/test/generate_buildtest.pl srtp > test/buildtest_srtp.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ssl2 > test/buildtest_ssl2.c /usr/bin/perl ../openssl/test/generate_buildtest.pl sslerr_legacy > test/buildtest_sslerr_legacy.c /usr/bin/perl ../openssl/test/generate_buildtest.pl stack > test/buildtest_stack.c /usr/bin/perl ../openssl/test/generate_buildtest.pl store > test/buildtest_store.c /usr/bin/perl ../openssl/test/generate_buildtest.pl symhacks > test/buildtest_symhacks.c /usr/bin/perl ../openssl/test/generate_buildtest.pl tls1 > test/buildtest_tls1.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ts > test/buildtest_ts.c /usr/bin/perl ../openssl/test/generate_buildtest.pl txt_db > test/buildtest_txt_db.c /usr/bin/perl ../openssl/test/generate_buildtest.pl types > test/buildtest_types.c /usr/bin/perl ../openssl/test/generate_buildtest.pl whrlpool > test/buildtest_whrlpool.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/casttest-bin-casttest.d.tmp -MT test/casttest-bin-casttest.o -c -o test/casttest-bin-casttest.o ../openssl/test/casttest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/chacha_internal_test-bin-chacha_internal_test.d.tmp -MT test/chacha_internal_test-bin-chacha_internal_test.o -c -o test/chacha_internal_test-bin-chacha_internal_test.o ../openssl/test/chacha_internal_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cipher_overhead_test-bin-cipher_overhead_test.d.tmp -MT test/cipher_overhead_test-bin-cipher_overhead_test.o -c -o test/cipher_overhead_test-bin-cipher_overhead_test.o ../openssl/test/cipher_overhead_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cipherbytes_test-bin-cipherbytes_test.d.tmp -MT test/cipherbytes_test-bin-cipherbytes_test.o -c -o test/cipherbytes_test-bin-cipherbytes_test.o ../openssl/test/cipherbytes_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cipherlist_test-bin-cipherlist_test.d.tmp -MT test/cipherlist_test-bin-cipherlist_test.o -c -o test/cipherlist_test-bin-cipherlist_test.o ../openssl/test/cipherlist_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ciphername_test-bin-ciphername_test.d.tmp -MT test/ciphername_test-bin-ciphername_test.o -c -o test/ciphername_test-bin-ciphername_test.o ../openssl/test/ciphername_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/clienthellotest-bin-clienthellotest.d.tmp -MT test/clienthellotest-bin-clienthellotest.o -c -o test/clienthellotest-bin-clienthellotest.o ../openssl/test/clienthellotest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmactest-bin-cmactest.d.tmp -MT test/cmactest-bin-cmactest.o -c -o test/cmactest-bin-cmactest.o ../openssl/test/cmactest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_asn_test-bin-cmp_asn_test.d.tmp -MT test/cmp_asn_test-bin-cmp_asn_test.o -c -o test/cmp_asn_test-bin-cmp_asn_test.o ../openssl/test/cmp_asn_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_asn_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_asn_test-bin-cmp_testlib.o -c -o test/helpers/cmp_asn_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_client_test-bin-cmp_client_test.d.tmp -MT test/cmp_client_test-bin-cmp_client_test.o -c -o test/cmp_client_test-bin-cmp_client_test.o ../openssl/test/cmp_client_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_client_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_client_test-bin-cmp_testlib.o -c -o test/helpers/cmp_client_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_ctx_test-bin-cmp_ctx_test.d.tmp -MT test/cmp_ctx_test-bin-cmp_ctx_test.o -c -o test/cmp_ctx_test-bin-cmp_ctx_test.o ../openssl/test/cmp_ctx_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_ctx_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_ctx_test-bin-cmp_testlib.o -c -o test/helpers/cmp_ctx_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_hdr_test-bin-cmp_hdr_test.d.tmp -MT test/cmp_hdr_test-bin-cmp_hdr_test.o -c -o test/cmp_hdr_test-bin-cmp_hdr_test.o ../openssl/test/cmp_hdr_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_hdr_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_hdr_test-bin-cmp_testlib.o -c -o test/helpers/cmp_hdr_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_msg_test-bin-cmp_msg_test.d.tmp -MT test/cmp_msg_test-bin-cmp_msg_test.o -c -o test/cmp_msg_test-bin-cmp_msg_test.o ../openssl/test/cmp_msg_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_msg_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_msg_test-bin-cmp_testlib.o -c -o test/helpers/cmp_msg_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_protect_test-bin-cmp_protect_test.d.tmp -MT test/cmp_protect_test-bin-cmp_protect_test.o -c -o test/cmp_protect_test-bin-cmp_protect_test.o ../openssl/test/cmp_protect_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_protect_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_protect_test-bin-cmp_testlib.o -c -o test/helpers/cmp_protect_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_server_test-bin-cmp_server_test.d.tmp -MT test/cmp_server_test-bin-cmp_server_test.o -c -o test/cmp_server_test-bin-cmp_server_test.o ../openssl/test/cmp_server_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_server_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_server_test-bin-cmp_testlib.o -c -o test/helpers/cmp_server_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_status_test-bin-cmp_status_test.d.tmp -MT test/cmp_status_test-bin-cmp_status_test.o -c -o test/cmp_status_test-bin-cmp_status_test.o ../openssl/test/cmp_status_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_status_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_status_test-bin-cmp_testlib.o -c -o test/helpers/cmp_status_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_vfy_test-bin-cmp_vfy_test.d.tmp -MT test/cmp_vfy_test-bin-cmp_vfy_test.o -c -o test/cmp_vfy_test-bin-cmp_vfy_test.o ../openssl/test/cmp_vfy_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_vfy_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_vfy_test-bin-cmp_testlib.o -c -o test/helpers/cmp_vfy_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmsapitest-bin-cmsapitest.d.tmp -MT test/cmsapitest-bin-cmsapitest.o -c -o test/cmsapitest-bin-cmsapitest.o ../openssl/test/cmsapitest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/conf_include_test-bin-conf_include_test.d.tmp -MT test/conf_include_test-bin-conf_include_test.o -c -o test/conf_include_test-bin-conf_include_test.o ../openssl/test/conf_include_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/confdump-bin-confdump.d.tmp -MT test/confdump-bin-confdump.o -c -o test/confdump-bin-confdump.o ../openssl/test/confdump.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/constant_time_test-bin-constant_time_test.d.tmp -MT test/constant_time_test-bin-constant_time_test.o -c -o test/constant_time_test-bin-constant_time_test.o ../openssl/test/constant_time_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/context_internal_test-bin-context_internal_test.d.tmp -MT test/context_internal_test-bin-context_internal_test.o -c -o test/context_internal_test-bin-context_internal_test.o ../openssl/test/context_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/crltest-bin-crltest.d.tmp -MT test/crltest-bin-crltest.o -c -o test/crltest-bin-crltest.o ../openssl/test/crltest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ct_test-bin-ct_test.d.tmp -MT test/ct_test-bin-ct_test.o -c -o test/ct_test-bin-ct_test.o ../openssl/test/ct_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ctype_internal_test-bin-ctype_internal_test.d.tmp -MT test/ctype_internal_test-bin-ctype_internal_test.o -c -o test/ctype_internal_test-bin-ctype_internal_test.o ../openssl/test/ctype_internal_test.c clang -I. -Iinclude -Iapps/include -Icrypto/ec/curve448 -I../openssl -I../openssl/include -I../openssl/apps/include -I../openssl/crypto/ec/curve448 -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/curve448_internal_test-bin-curve448_internal_test.d.tmp -MT test/curve448_internal_test-bin-curve448_internal_test.o -c -o test/curve448_internal_test-bin-curve448_internal_test.o ../openssl/test/curve448_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/d2i_test-bin-d2i_test.d.tmp -MT test/d2i_test-bin-d2i_test.o -c -o test/d2i_test-bin-d2i_test.o ../openssl/test/d2i_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/danetest-bin-danetest.d.tmp -MT test/danetest-bin-danetest.o -c -o test/danetest-bin-danetest.o ../openssl/test/danetest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/defltfips_test-bin-defltfips_test.d.tmp -MT test/defltfips_test-bin-defltfips_test.o -c -o test/defltfips_test-bin-defltfips_test.o ../openssl/test/defltfips_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/destest-bin-destest.d.tmp -MT test/destest-bin-destest.o -c -o test/destest-bin-destest.o ../openssl/test/destest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dhtest-bin-dhtest.d.tmp -MT test/dhtest-bin-dhtest.o -c -o test/dhtest-bin-dhtest.o ../openssl/test/dhtest.c clang -Iinclude -Iapps/include -Iproviders/common/include -I../openssl/include -I../openssl/apps/include -I../openssl/providers/common/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/drbgtest-bin-drbgtest.d.tmp -MT test/drbgtest-bin-drbgtest.o -c -o test/drbgtest-bin-drbgtest.o ../openssl/test/drbgtest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.d.tmp -MT test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.o -c -o test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.o ../openssl/test/dsa_no_digest_size_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dsatest-bin-dsatest.d.tmp -MT test/dsatest-bin-dsatest.o -c -o test/dsatest-bin-dsatest.o ../openssl/test/dsatest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtls_mtu_test-bin-dtls_mtu_test.d.tmp -MT test/dtls_mtu_test-bin-dtls_mtu_test.o -c -o test/dtls_mtu_test-bin-dtls_mtu_test.o ../openssl/test/dtls_mtu_test.c clang -I. -Iinclude -I../openssl -I../openssl/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/dtls_mtu_test-bin-ssltestlib.d.tmp -MT test/helpers/dtls_mtu_test-bin-ssltestlib.o -c -o test/helpers/dtls_mtu_test-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtlstest-bin-dtlstest.d.tmp -MT test/dtlstest-bin-dtlstest.o -c -o test/dtlstest-bin-dtlstest.o ../openssl/test/dtlstest.c clang -I. -Iinclude -I../openssl -I../openssl/include -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/dtlstest-bin-ssltestlib.d.tmp -MT test/helpers/dtlstest-bin-ssltestlib.o -c -o test/helpers/dtlstest-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtlsv1listentest-bin-dtlsv1listentest.d.tmp -MT test/dtlsv1listentest-bin-dtlsv1listentest.o -c -o test/dtlsv1listentest-bin-dtlsv1listentest.o ../openssl/test/dtlsv1listentest.c clang -Iinclude -Icrypto/ec -Iapps/include -I../openssl/include -I../openssl/crypto/ec -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ec_internal_test-bin-ec_internal_test.d.tmp -MT test/ec_internal_test-bin-ec_internal_test.o -c -o test/ec_internal_test-bin-ec_internal_test.o ../openssl/test/ec_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ecdsatest-bin-ecdsatest.d.tmp -MT test/ecdsatest-bin-ecdsatest.o -c -o test/ecdsatest-bin-ecdsatest.o ../openssl/test/ecdsatest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ecstresstest-bin-ecstresstest.d.tmp -MT test/ecstresstest-bin-ecstresstest.o -c -o test/ecstresstest-bin-ecstresstest.o ../openssl/test/ecstresstest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ectest-bin-ectest.d.tmp -MT test/ectest-bin-ectest.o -c -o test/ectest-bin-ectest.o ../openssl/test/ectest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/endecode_test-bin-endecode_test.d.tmp -MT test/endecode_test-bin-endecode_test.o -c -o test/endecode_test-bin-endecode_test.o ../openssl/test/endecode_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/endecode_test-bin-predefined_dhparams.d.tmp -MT test/helpers/endecode_test-bin-predefined_dhparams.o -c -o test/helpers/endecode_test-bin-predefined_dhparams.o ../openssl/test/helpers/predefined_dhparams.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/endecoder_legacy_test-bin-endecoder_legacy_test.d.tmp -MT test/endecoder_legacy_test-bin-endecoder_legacy_test.o -c -o test/endecoder_legacy_test-bin-endecoder_legacy_test.o ../openssl/test/endecoder_legacy_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/enginetest-bin-enginetest.d.tmp -MT test/enginetest-bin-enginetest.o -c -o test/enginetest-bin-enginetest.o ../openssl/test/enginetest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/errtest-bin-errtest.d.tmp -MT test/errtest-bin-errtest.o -c -o test/errtest-bin-errtest.o ../openssl/test/errtest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_extra_test-bin-evp_extra_test.d.tmp -MT test/evp_extra_test-bin-evp_extra_test.o -c -o test/evp_extra_test-bin-evp_extra_test.o ../openssl/test/evp_extra_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_extra_test2-bin-evp_extra_test2.d.tmp -MT test/evp_extra_test2-bin-evp_extra_test2.o -c -o test/evp_extra_test2-bin-evp_extra_test2.o ../openssl/test/evp_extra_test2.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_fetch_prov_test-bin-evp_fetch_prov_test.d.tmp -MT test/evp_fetch_prov_test-bin-evp_fetch_prov_test.o -c -o test/evp_fetch_prov_test-bin-evp_fetch_prov_test.o ../openssl/test/evp_fetch_prov_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_kdf_test-bin-evp_kdf_test.d.tmp -MT test/evp_kdf_test-bin-evp_kdf_test.o -c -o test/evp_kdf_test-bin-evp_kdf_test.o ../openssl/test/evp_kdf_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_libctx_test-bin-evp_libctx_test.d.tmp -MT test/evp_libctx_test-bin-evp_libctx_test.o -c -o test/evp_libctx_test-bin-evp_libctx_test.o ../openssl/test/evp_libctx_test.c ../openssl/test/evp_extra_test.c:1982:12: error: implicit declaration of function 'test_EVP_PKEY_ffc_priv_pub' is invalid in C99 [-Werror,-Wimplicit-function-declaration] return test_EVP_PKEY_ffc_priv_pub("DH"); ^ clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_pkey_dparams_test-bin-evp_pkey_dparams_test.d.tmp -MT test/evp_pkey_dparams_test-bin-evp_pkey_dparams_test.o -c -o test/evp_pkey_dparams_test-bin-evp_pkey_dparams_test.o ../openssl/test/evp_pkey_dparams_test.c 1 error generated. make[1]: *** [Makefile:26174: test/evp_extra_test-bin-evp_extra_test.o] Error 1 make[1]: *** Waiting for unfinished jobs.... make[1]: Leaving directory '/home/openssl/run-checker/no-dsa' make: *** [Makefile:3196: build_sw] Error 2 From matt at openssl.org Mon Jan 18 09:16:53 2021 From: matt at openssl.org (Matt Caswell) Date: Mon, 18 Jan 2021 09:16:53 +0000 Subject: [openssl] master update Message-ID: <1610961413.671247.7315.nullmailer@dev.openssl.org> The branch master has been updated via 3aff5b4bac7186fda9208a76127eff040cafae13 (commit) from ed4a9b15d9cd1eea7493873d01949f075cea2b65 (commit) - Log ----------------------------------------------------------------- commit 3aff5b4bac7186fda9208a76127eff040cafae13 Author: Michael Baentsch Date: Fri Jan 15 11:40:31 2021 +0100 Update SERVER_HELLO_MAX_LENGTH Update constant to maximum permitted by RFC 8446 Fixes #13868 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13874) ----------------------------------------------------------------------- Summary of changes: ssl/statem/statem_local.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ssl/statem/statem_local.h b/ssl/statem/statem_local.h index 9e03b7d363..40c3724bed 100644 --- a/ssl/statem/statem_local.h +++ b/ssl/statem/statem_local.h @@ -19,13 +19,16 @@ /* The spec allows for a longer length than this, but we limit it */ #define HELLO_VERIFY_REQUEST_MAX_LENGTH 258 #define END_OF_EARLY_DATA_MAX_LENGTH 0 -#define SERVER_HELLO_MAX_LENGTH 20000 #define HELLO_RETRY_REQUEST_MAX_LENGTH 20000 #define ENCRYPTED_EXTENSIONS_MAX_LENGTH 20000 #define SERVER_KEY_EXCH_MAX_LENGTH 102400 #define SERVER_HELLO_DONE_MAX_LENGTH 0 #define KEY_UPDATE_MAX_LENGTH 1 #define CCS_MAX_LENGTH 1 + +/* Max ServerHello size permitted by RFC 8446 */ +#define SERVER_HELLO_MAX_LENGTH 65607 + /* Max should actually be 36 but we are generous */ #define FINISHED_MAX_LENGTH 64 From tmraz at fedoraproject.org Mon Jan 18 13:28:07 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Mon, 18 Jan 2021 13:28:07 +0000 Subject: [openssl] master update Message-ID: <1610976487.541038.1992.nullmailer@dev.openssl.org> The branch master has been updated via 0d83b7b9036feea680ba45751df028ff5e86cd63 (commit) from 3aff5b4bac7186fda9208a76127eff040cafae13 (commit) - Log ----------------------------------------------------------------- commit 0d83b7b9036feea680ba45751df028ff5e86cd63 Author: Tomas Mraz Date: Thu Jan 14 15:19:46 2021 +0100 Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity To clarify the purpose of these two calls rename them to EVP_CIPHER_CTX_get_original_iv and EVP_CIPHER_CTX_get_updated_iv. Also rename the OSSL_CIPHER_PARAM_IV_STATE to OSSL_CIPHER_PARAM_UPDATED_IV to better align with the function name. Fixes #13411 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13870) ----------------------------------------------------------------------- Summary of changes: crypto/evp/evp_lib.c | 14 ++++---- ...t_iv.pod => EVP_CIPHER_CTX_get_original_iv.pod} | 41 +++++++++++++--------- doc/man7/provider-cipher.pod | 4 +-- include/openssl/core_names.h | 2 +- include/openssl/evp.h | 4 +-- .../ciphers/cipher_aes_cbc_hmac_sha.c | 7 ++-- providers/implementations/ciphers/cipher_aes_ocb.c | 4 +-- providers/implementations/ciphers/ciphercommon.c | 4 +-- .../implementations/ciphers/ciphercommon_ccm.c | 2 +- .../implementations/ciphers/ciphercommon_gcm.c | 2 +- .../implementations/include/prov/ciphercommon.h | 2 +- ssl/ktls.c | 6 ++-- test/aesgcmtest.c | 2 +- test/evp_extra_test.c | 4 +-- test/evp_test.c | 2 +- util/libcrypto.num | 4 +-- 16 files changed, 56 insertions(+), 48 deletions(-) rename doc/man3/{EVP_CIPHER_CTX_get_iv.pod => EVP_CIPHER_CTX_get_original_iv.pod} (52%) diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index 954acaae0d..32f67a9242 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -511,8 +511,8 @@ const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx) OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; params[0] = - OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_IV_STATE, (void **)&v, - sizeof(ctx->iv)); + OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_UPDATED_IV, + (void **)&v, sizeof(ctx->iv)); ok = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->provctx, params); return ok != 0 ? v : NULL; @@ -525,24 +525,24 @@ unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx) OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; params[0] = - OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_IV_STATE, (void **)&v, - sizeof(ctx->iv)); + OSSL_PARAM_construct_octet_ptr(OSSL_CIPHER_PARAM_UPDATED_IV, + (void **)&v, sizeof(ctx->iv)); ok = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->provctx, params); return ok != 0 ? v : NULL; } #endif /* OPENSSL_NO_DEPRECATED_3_0_0 */ -int EVP_CIPHER_CTX_get_iv_state(EVP_CIPHER_CTX *ctx, void *buf, size_t len) +int EVP_CIPHER_CTX_get_updated_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len) { OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; params[0] = - OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_IV_STATE, buf, len); + OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_UPDATED_IV, buf, len); return evp_do_ciph_ctx_getparams(ctx->cipher, ctx->provctx, params); } -int EVP_CIPHER_CTX_get_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len) +int EVP_CIPHER_CTX_get_original_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len) { OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; diff --git a/doc/man3/EVP_CIPHER_CTX_get_iv.pod b/doc/man3/EVP_CIPHER_CTX_get_original_iv.pod similarity index 52% rename from doc/man3/EVP_CIPHER_CTX_get_iv.pod rename to doc/man3/EVP_CIPHER_CTX_get_original_iv.pod index e099d96dec..c5995a584d 100644 --- a/doc/man3/EVP_CIPHER_CTX_get_iv.pod +++ b/doc/man3/EVP_CIPHER_CTX_get_original_iv.pod @@ -2,29 +2,36 @@ =head1 NAME -EVP_CIPHER_CTX_get_iv, EVP_CIPHER_CTX_get_iv_state, EVP_CIPHER_CTX_iv, EVP_CIPHER_CTX_original_iv, EVP_CIPHER_CTX_iv_noconst - Routines to inspect EVP_CIPHER_CTX IV data +EVP_CIPHER_CTX_get_original_iv, EVP_CIPHER_CTX_get_updated_iv, +EVP_CIPHER_CTX_iv, EVP_CIPHER_CTX_original_iv, +EVP_CIPHER_CTX_iv_noconst - Routines to inspect EVP_CIPHER_CTX IV data =head1 SYNOPSIS #include - int EVP_CIPHER_CTX_get_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len); - int EVP_CIPHER_CTX_get_iv_state(EVP_CIPHER_CTX *ctx, void *buf, size_t len); + int EVP_CIPHER_CTX_get_original_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len); + int EVP_CIPHER_CTX_get_updated_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len); + +Deprecated since OpenSSL 3.0, can be hidden entirely by defining +B with a suitable version value, see +L: + const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx); const unsigned char *EVP_CIPHER_CTX_original_iv(const EVP_CIPHER_CTX *ctx); unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx); =head1 DESCRIPTION -EVP_CIPHER_CTX_get_iv() and EVP_CIPHER_CTX_get_iv_state() copy initialization -vector (IV) information from the B into the caller-supplied -buffer. L can be used to determine an -appropriate buffer size, and if the supplied buffer is too small, an error -will be returned (and no data copied). EVP_CIPHER_CTX_get_iv() accesses the -("original") IV that was supplied when the B was created, and -EVP_CIPHER_CTX_get_iv_state() accesses the current "IV state" of the cipher, -which is updated during cipher operation for certain cipher modes (e.g., CBC -and OFB). +EVP_CIPHER_CTX_get_original_iv() and EVP_CIPHER_CTX_get_updated_iv() copy +initialization vector (IV) information from the B into the +caller-supplied buffer. L can be used to determine +an appropriate buffer size, and if the supplied buffer is too small, an error +will be returned (and no data copied). EVP_CIPHER_CTX_get_original_iv() +accesses the ("original") IV that was supplied when the B was +initialized, and EVP_CIPHER_CTX_get_updated_iv() accesses the current "IV state" +of the cipher, which is updated during cipher operation for certain cipher modes +(e.g., CBC and OFB). The functions EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_original_iv(), and EVP_CIPHER_CTX_iv_noconst() are deprecated functions that provide similar (at @@ -38,8 +45,8 @@ different return type for the pointer. =head1 RETURN VALUES -EVP_CIPHER_CTX_get_iv() and EVP_CIPHER_CTX_get_iv_state() return 1 on success -and 0 on failure. +EVP_CIPHER_CTX_get_original_iv() and EVP_CIPHER_CTX_get_updated_iv() return 1 +on success and 0 on failure. The functions EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_original_iv(), and EVP_CIPHER_CTX_iv_noconst() return a pointer to an IV as an array of bytes on @@ -47,8 +54,8 @@ success, and NULL on failure. =head1 HISTORY -EVP_CIPHER_CTX_get_iv() and EVP_CIPHER_CTX_get_iv_state() were added in -OpenSSL 3.0.0. +EVP_CIPHER_CTX_get_original_iv() and EVP_CIPHER_CTX_get_updated_iv() were added +in OpenSSL 3.0.0. EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_original_iv(), and EVP_CIPHER_CTX_iv_noconst() were added in OpenSSL 1.1.0, and were deprecated @@ -56,7 +63,7 @@ in OpenSSL 3.0.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-cipher.pod b/doc/man7/provider-cipher.pod index d6d544c0ba..d8bd906c10 100644 --- a/doc/man7/provider-cipher.pod +++ b/doc/man7/provider-cipher.pod @@ -242,9 +242,9 @@ The length of the "ivlen" parameter should not exceed that of a B. Gets the IV used to initialize the associated cipher ctx. -=item "iv-state" (B) +=item "updated-iv" (B) -Gets the current pseudo-IV state for the associated cipher ctx, e.g., +Gets the updated pseudo-IV state for the associated cipher ctx, e.g., the previous ciphertext block for CBC mode or the iteratively encrypted IV value for OFB mode. Note that octet pointer access is deprecated and is provided only for backwards compatibility with historical libcrypto APIs. diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index 73585831ed..17b0573ac3 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -73,7 +73,7 @@ extern "C" { #define OSSL_CIPHER_PARAM_KEYLEN "keylen" /* size_t */ #define OSSL_CIPHER_PARAM_IVLEN "ivlen" /* size_t */ #define OSSL_CIPHER_PARAM_IV "iv" /* octet_string OR octet_ptr */ -#define OSSL_CIPHER_PARAM_IV_STATE "iv-state" /* octet_string OR octet_ptr */ +#define OSSL_CIPHER_PARAM_UPDATED_IV "updated-iv" /* octet_string OR octet_ptr */ #define OSSL_CIPHER_PARAM_NUM "num" /* uint */ #define OSSL_CIPHER_PARAM_ROUNDS "rounds" /* uint */ #define OSSL_CIPHER_PARAM_AEAD_TAG "tag" /* octet_string */ diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 692a6832c3..ae9488acbb 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -573,8 +573,8 @@ OSSL_DEPRECATEDIN_3_0 const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CT OSSL_DEPRECATEDIN_3_0 const unsigned char *EVP_CIPHER_CTX_original_iv(const EVP_CIPHER_CTX *ctx); OSSL_DEPRECATEDIN_3_0 unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx); # endif -int EVP_CIPHER_CTX_get_iv_state(EVP_CIPHER_CTX *ctx, void *buf, size_t len); -int EVP_CIPHER_CTX_get_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len); +int EVP_CIPHER_CTX_get_updated_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len); +int EVP_CIPHER_CTX_get_original_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len); unsigned char *EVP_CIPHER_CTX_buf_noconst(EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_num(const EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_set_num(EVP_CIPHER_CTX *ctx, int num); diff --git a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c index c1934afac5..0c2ef4ec3c 100644 --- a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c +++ b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c @@ -257,9 +257,10 @@ static int aes_get_ctx_params(void *vctx, OSSL_PARAM params[]) ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); return 0; } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV_STATE); + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV); if (p != NULL - && !OSSL_PARAM_set_octet_string(p, ctx->base.iv, ctx->base.ivlen)) { + && !OSSL_PARAM_set_octet_string(p, ctx->base.iv, ctx->base.ivlen) + && !OSSL_PARAM_set_octet_ptr(p, &ctx->base.iv, ctx->base.ivlen)) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); return 0; } @@ -277,7 +278,7 @@ static const OSSL_PARAM cipher_aes_known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL), OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL), OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0), - OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV_STATE, NULL, 0), + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_UPDATED_IV, NULL, 0), OSSL_PARAM_END }; const OSSL_PARAM *aes_gettable_ctx_params(ossl_unused void *provctx) diff --git a/providers/implementations/ciphers/cipher_aes_ocb.c b/providers/implementations/ciphers/cipher_aes_ocb.c index fa2c014a01..64e3aa75e9 100644 --- a/providers/implementations/ciphers/cipher_aes_ocb.c +++ b/providers/implementations/ciphers/cipher_aes_ocb.c @@ -432,7 +432,7 @@ static int aes_ocb_get_ctx_params(void *vctx, OSSL_PARAM params[]) return 0; } } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV_STATE); + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV); if (p != NULL) { if (ctx->base.ivlen > p->data_size) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); @@ -464,7 +464,7 @@ static const OSSL_PARAM cipher_ocb_known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL), OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TAGLEN, NULL), OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0), - OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV_STATE, NULL, 0), + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_UPDATED_IV, NULL, 0), OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0), OSSL_PARAM_END }; diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c index ffe644bb4c..d1e8c461b5 100644 --- a/providers/implementations/ciphers/ciphercommon.c +++ b/providers/implementations/ciphers/ciphercommon.c @@ -113,7 +113,7 @@ static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL), OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TAGLEN, NULL), OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0), - OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV_STATE, NULL, 0), + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_UPDATED_IV, NULL, 0), OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0), OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL), OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0), @@ -519,7 +519,7 @@ int ossl_cipher_generic_get_ctx_params(void *vctx, OSSL_PARAM params[]) ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); return 0; } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV_STATE); + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV); if (p != NULL && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen) && !OSSL_PARAM_set_octet_string(p, &ctx->iv, ctx->ivlen)) { diff --git a/providers/implementations/ciphers/ciphercommon_ccm.c b/providers/implementations/ciphers/ciphercommon_ccm.c index b7f21b3df6..3f789da01e 100644 --- a/providers/implementations/ciphers/ciphercommon_ccm.c +++ b/providers/implementations/ciphers/ciphercommon_ccm.c @@ -172,7 +172,7 @@ int ccm_get_ctx_params(void *vctx, OSSL_PARAM params[]) } } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV_STATE); + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV); if (p != NULL) { if (ccm_get_ivlen(ctx) > p->data_size) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IVLEN); diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c index e70fc474a3..2744e1fafc 100644 --- a/providers/implementations/ciphers/ciphercommon_gcm.c +++ b/providers/implementations/ciphers/ciphercommon_gcm.c @@ -171,7 +171,7 @@ int gcm_get_ctx_params(void *vctx, OSSL_PARAM params[]) } } - p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV_STATE); + p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV); if (p != NULL) { if (ctx->iv_state == IV_STATE_UNINITIALISED) return 0; diff --git a/providers/implementations/include/prov/ciphercommon.h b/providers/implementations/include/prov/ciphercommon.h index a6071c28b7..cf7841818d 100644 --- a/providers/implementations/include/prov/ciphercommon.h +++ b/providers/implementations/include/prov/ciphercommon.h @@ -317,7 +317,7 @@ static const OSSL_PARAM name##_known_gettable_ctx_params[] = { \ OSSL_PARAM_uint(OSSL_CIPHER_PARAM_PADDING, NULL), \ OSSL_PARAM_uint(OSSL_CIPHER_PARAM_NUM, NULL), \ OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV, NULL, 0), \ - OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_IV_STATE, NULL, 0), + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_UPDATED_IV, NULL, 0), #define CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_END(name) \ OSSL_PARAM_END \ diff --git a/ssl/ktls.c b/ssl/ktls.c index e6c0963259..dc5bb2bbc3 100644 --- a/ssl/ktls.c +++ b/ssl/ktls.c @@ -158,9 +158,9 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, if (s->version == TLS1_2_VERSION && EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) { - if (!EVP_CIPHER_CTX_get_iv_state(dd, geniv, - EVP_GCM_TLS_FIXED_IV_LEN - + EVP_GCM_TLS_EXPLICIT_IV_LEN)) + if (!EVP_CIPHER_CTX_get_updated_iv(dd, geniv, + EVP_GCM_TLS_FIXED_IV_LEN + + EVP_GCM_TLS_EXPLICIT_IV_LEN)) return 0; iiv = geniv; } diff --git a/test/aesgcmtest.c b/test/aesgcmtest.c index a68ec74d3a..5117df199b 100644 --- a/test/aesgcmtest.c +++ b/test/aesgcmtest.c @@ -58,7 +58,7 @@ static int do_encrypt(unsigned char *iv_gen, unsigned char *ct, int *ct_len, && TEST_true(EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, tag) > 0) && TEST_true(iv_gen == NULL - || EVP_CIPHER_CTX_get_iv(ctx, iv_gen, 12)); + || EVP_CIPHER_CTX_get_original_iv(ctx, iv_gen, 12)); EVP_CIPHER_CTX_free(ctx); return ret; } diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 832989ae00..42f4319d6c 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -2266,8 +2266,8 @@ static int test_evp_iv(int idx) || !TEST_true(EVP_EncryptInit_ex(ctx, type, NULL, key, init_iv)) || !TEST_true(EVP_EncryptUpdate(ctx, ciphertext, &len, msg, (int)sizeof(msg))) - || !TEST_true(EVP_CIPHER_CTX_get_iv(ctx, oiv, sizeof(oiv))) - || !TEST_true(EVP_CIPHER_CTX_get_iv_state(ctx, iv, sizeof(iv))) + || !TEST_true(EVP_CIPHER_CTX_get_original_iv(ctx, oiv, sizeof(oiv))) + || !TEST_true(EVP_CIPHER_CTX_get_updated_iv(ctx, iv, sizeof(iv))) || !TEST_true(EVP_EncryptFinal_ex(ctx, ciphertext, &len))) goto err; ivlen = EVP_CIPHER_CTX_iv_length(ctx); diff --git a/test/evp_test.c b/test/evp_test.c index fecbd9e09d..b1c9c72b8b 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -764,7 +764,7 @@ static int cipher_test_enc(EVP_TEST *t, int enc, if (expected->iv != NULL) { /* Some (e.g., GCM) tests use IVs longer than EVP_MAX_IV_LENGTH. */ unsigned char iv[128]; - if (!TEST_true(EVP_CIPHER_CTX_get_iv_state(ctx_base, iv, sizeof(iv))) + if (!TEST_true(EVP_CIPHER_CTX_get_updated_iv(ctx_base, iv, sizeof(iv))) || ((EVP_CIPHER_flags(expected->cipher) & EVP_CIPH_CUSTOM_IV) == 0 && !TEST_mem_eq(expected->iv, expected->iv_len, iv, expected->iv_len))) { diff --git a/util/libcrypto.num b/util/libcrypto.num index 2f3255303d..16536b2a6e 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5191,8 +5191,8 @@ EVP_PKEY_CTX_set_dh_kdf_outlen ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_CTX_get_dh_kdf_outlen ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_CTX_set0_dh_kdf_ukm ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_CTX_get0_dh_kdf_ukm ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_CTX_get_iv_state ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_CTX_get_iv ? 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_get_updated_iv ? 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_get_original_iv ? 3_0_0 EXIST::FUNCTION: EVP_KEYMGMT_gettable_params ? 3_0_0 EXIST::FUNCTION: EVP_KEYMGMT_settable_params ? 3_0_0 EXIST::FUNCTION: EVP_KEYMGMT_gen_settable_params ? 3_0_0 EXIST::FUNCTION: From tmraz at fedoraproject.org Mon Jan 18 14:01:51 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Mon, 18 Jan 2021 14:01:51 +0000 Subject: [openssl] master update Message-ID: <1610978511.234537.29323.nullmailer@dev.openssl.org> The branch master has been updated via 038f4dc68edd16f719ce5cf140eda2fb5b86a62a (commit) via 84af8027c5f2132a9166673e7a47b0f31c7cfe1d (commit) from 0d83b7b9036feea680ba45751df028ff5e86cd63 (commit) - Log ----------------------------------------------------------------- commit 038f4dc68edd16f719ce5cf140eda2fb5b86a62a Author: Shane Lontis Date: Fri Dec 11 19:24:46 2020 +1000 Fix PKCS7 potential segfault As the code that handles libctx, propq for PKCS7 is very similar to CMS code, a similiar fix for issue #13624 needs to be applied. Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13668) commit 84af8027c5f2132a9166673e7a47b0f31c7cfe1d Author: Shane Lontis Date: Fri Dec 11 19:19:37 2020 +1000 CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**. Fixes #13624 Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13668) ----------------------------------------------------------------------- Summary of changes: crypto/cms/cms_enc.c | 7 +- crypto/cms/cms_env.c | 20 +++-- crypto/cms/cms_ess.c | 5 +- crypto/cms/cms_io.c | 4 +- crypto/cms/cms_kari.c | 19 +++-- crypto/cms/cms_lib.c | 19 ++--- crypto/cms/cms_pwri.c | 7 +- crypto/cms/cms_sd.c | 28 ++++--- crypto/cms/cms_smime.c | 6 +- crypto/pkcs7/pk7_asn1.c | 2 +- crypto/pkcs7/pk7_doit.c | 44 ++++++---- crypto/pkcs7/pk7_lib.c | 6 +- crypto/pkcs7/pk7_mime.c | 2 +- crypto/pkcs7/pk7_smime.c | 3 +- crypto/x509/x_all.c | 4 +- test/cmsapitest.c | 212 ++++++++++++++++++++++++++++++++++++++++++++++- 16 files changed, 318 insertions(+), 70 deletions(-) diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c index 0069bde939..c7583f4088 100644 --- a/crypto/cms/cms_enc.c +++ b/crypto/cms/cms_enc.c @@ -37,6 +37,8 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, size_t tkeylen = 0; int ok = 0; int enc, keep_key = 0; + OSSL_LIB_CTX *libctx = cms_ctx_get0_libctx(cms_ctx); + const char *propq = cms_ctx_get0_propq(cms_ctx); enc = ec->cipher ? 1 : 0; @@ -60,8 +62,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, cipher = EVP_get_cipherbyobj(calg->algorithm); } if (cipher != NULL) { - fetched_ciph = EVP_CIPHER_fetch(cms_ctx->libctx, EVP_CIPHER_name(cipher), - cms_ctx->propq); + fetched_ciph = EVP_CIPHER_fetch(libctx, EVP_CIPHER_name(cipher), propq); if (fetched_ciph != NULL) cipher = fetched_ciph; } @@ -82,7 +83,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, /* Generate a random IV if we need one */ ivlen = EVP_CIPHER_CTX_iv_length(ctx); if (ivlen > 0) { - if (RAND_bytes_ex(cms_ctx->libctx, iv, ivlen) <= 0) + if (RAND_bytes_ex(libctx, iv, ivlen) <= 0) goto err; piv = iv; } diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index 15ebe1b86b..d2f630146e 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -181,7 +181,8 @@ void cms_RecipientInfos_set_cmsctx(CMS_ContentInfo *cms) break; case CMS_RECIPINFO_TRANS: ri->d.ktri->cms_ctx = ctx; - x509_set0_libctx(ri->d.ktri->recip, ctx->libctx, ctx->propq); + x509_set0_libctx(ri->d.ktri->recip, cms_ctx_get0_libctx(ctx), + cms_ctx_get0_propq(ctx)); break; case CMS_RECIPINFO_KEK: ri->d.kekri->cms_ctx = ctx; @@ -310,8 +311,9 @@ static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip, ktri->recip = recip; if (flags & CMS_KEY_PARAM) { - ktri->pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, ktri->pkey, - ctx->propq); + ktri->pctx = EVP_PKEY_CTX_new_from_pkey(cms_ctx_get0_libctx(ctx), + ktri->pkey, + cms_ctx_get0_propq(ctx)); if (ktri->pctx == NULL) return 0; if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0) @@ -470,7 +472,8 @@ static int cms_RecipientInfo_ktri_encrypt(const CMS_ContentInfo *cms, if (!cms_env_asn1_ctrl(ri, 0)) goto err; } else { - pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, ktri->pkey, ctx->propq); + pctx = EVP_PKEY_CTX_new_from_pkey(cms_ctx_get0_libctx(ctx), ktri->pkey, + cms_ctx_get0_propq(ctx)); if (pctx == NULL) return 0; @@ -524,6 +527,8 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, EVP_CIPHER *fetched_cipher = NULL; CMS_EncryptedContentInfo *ec; const CMS_CTX *ctx = cms_get0_cmsctx(cms); + OSSL_LIB_CTX *libctx = cms_ctx_get0_libctx(ctx); + const char *propq = cms_ctx_get0_propq(ctx); ec = cms_get0_env_enc_content(cms); @@ -538,7 +543,7 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, const char *name = OBJ_nid2sn(OBJ_obj2nid(calg->algorithm)); (void)ERR_set_mark(); - fetched_cipher = EVP_CIPHER_fetch(ctx->libctx, name, ctx->propq); + fetched_cipher = EVP_CIPHER_fetch(libctx, name, propq); if (fetched_cipher != NULL) cipher = fetched_cipher; @@ -555,7 +560,7 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, EVP_CIPHER_free(fetched_cipher); } - ktri->pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, pkey, ctx->propq); + ktri->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq); if (ktri->pctx == NULL) goto err; @@ -808,7 +813,8 @@ static EVP_CIPHER *cms_get_key_wrap_cipher(size_t keylen, const CMS_CTX *ctx) default: return NULL; } - return EVP_CIPHER_fetch(ctx->libctx, alg, ctx->propq); + return EVP_CIPHER_fetch(cms_ctx_get0_libctx(ctx), alg, + cms_ctx_get0_propq(ctx)); } diff --git a/crypto/cms/cms_ess.c b/crypto/cms/cms_ess.c index ba05d4695c..9b02bb4363 100644 --- a/crypto/cms/cms_ess.c +++ b/crypto/cms/cms_ess.c @@ -219,8 +219,9 @@ static int cms_msgSigDigest(CMS_SignerInfo *si, if (md == NULL) return 0; if (!asn1_item_digest_ex(ASN1_ITEM_rptr(CMS_Attributes_Verify), md, - si->signedAttrs, dig, diglen, si->cms_ctx->libctx, - si->cms_ctx->propq)) + si->signedAttrs, dig, diglen, + cms_ctx_get0_libctx(si->cms_ctx), + cms_ctx_get0_propq(si->cms_ctx))) return 0; return 1; } diff --git a/crypto/cms/cms_io.c b/crypto/cms/cms_io.c index a12ac0d0f4..f09038a158 100644 --- a/crypto/cms/cms_io.c +++ b/crypto/cms/cms_io.c @@ -38,7 +38,7 @@ CMS_ContentInfo *d2i_CMS_bio(BIO *bp, CMS_ContentInfo **cms) CMS_ContentInfo *ci; ci = ASN1_item_d2i_bio(ASN1_ITEM_rptr(CMS_ContentInfo), bp, cms); - if (ci != NULL && cms != NULL) + if (ci != NULL) cms_resolve_libctx(ci); return ci; } @@ -97,7 +97,7 @@ CMS_ContentInfo *SMIME_read_CMS_ex(BIO *bio, BIO **bcont, CMS_ContentInfo **cms) ci = (CMS_ContentInfo *)SMIME_read_ASN1_ex(bio, bcont, ASN1_ITEM_rptr(CMS_ContentInfo), (ASN1_VALUE **)cms); - if (ci != NULL && cms != NULL) + if (ci != NULL) cms_resolve_libctx(ci); return ci; } diff --git a/crypto/cms/cms_kari.c b/crypto/cms/cms_kari.c index a9a35b4300..b343bf4c95 100644 --- a/crypto/cms/cms_kari.c +++ b/crypto/cms/cms_kari.c @@ -168,8 +168,8 @@ int CMS_RecipientInfo_kari_set0_pkey_and_peer(CMS_RecipientInfo *ri, EVP_PKEY *p if (pk == NULL) return 1; - pctx = EVP_PKEY_CTX_new_from_pkey(kari->cms_ctx->libctx, pk, - kari->cms_ctx->propq); + pctx = EVP_PKEY_CTX_new_from_pkey(cms_ctx_get0_libctx(kari->cms_ctx), pk, + cms_ctx_get0_propq(kari->cms_ctx)); if (pctx == NULL || EVP_PKEY_derive_init(pctx) <= 0) goto err; @@ -284,8 +284,10 @@ static int cms_kari_create_ephemeral_key(CMS_KeyAgreeRecipientInfo *kari, EVP_PKEY *ekey = NULL; int rv = 0; const CMS_CTX *ctx = kari->cms_ctx; + OSSL_LIB_CTX *libctx = cms_ctx_get0_libctx(ctx); + const char *propq = cms_ctx_get0_propq(ctx); - pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, pk, ctx->propq); + pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pk, propq); if (pctx == NULL) goto err; if (EVP_PKEY_keygen_init(pctx) <= 0) @@ -293,7 +295,7 @@ static int cms_kari_create_ephemeral_key(CMS_KeyAgreeRecipientInfo *kari, if (EVP_PKEY_keygen(pctx, &ekey) <= 0) goto err; EVP_PKEY_CTX_free(pctx); - pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, ekey, ctx->propq); + pctx = EVP_PKEY_CTX_new_from_pkey(libctx, ekey, propq); if (pctx == NULL) goto err; if (EVP_PKEY_derive_init(pctx) <= 0) @@ -315,7 +317,9 @@ static int cms_kari_set_originator_private_key(CMS_KeyAgreeRecipientInfo *kari, int rv = 0; const CMS_CTX *ctx = kari->cms_ctx; - pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, originatorPrivKey, ctx->propq); + pctx = EVP_PKEY_CTX_new_from_pkey(cms_ctx_get0_libctx(ctx), + originatorPrivKey, + cms_ctx_get0_propq(ctx)); if (pctx == NULL) goto err; if (EVP_PKEY_derive_init(pctx) <= 0) @@ -455,8 +459,9 @@ static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari, else kekcipher_name = SN_id_aes256_wrap; enc: - fetched_kekcipher = EVP_CIPHER_fetch(cms_ctx->libctx, kekcipher_name, - cms_ctx->propq); + fetched_kekcipher = EVP_CIPHER_fetch(cms_ctx_get0_libctx(cms_ctx), + kekcipher_name, + cms_ctx_get0_propq(cms_ctx)); if (fetched_kekcipher == NULL) return 0; ret = EVP_EncryptInit_ex(ctx, fetched_kekcipher, NULL, NULL, NULL); diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c index 427f62c56c..62029b8931 100644 --- a/crypto/cms/cms_lib.c +++ b/crypto/cms/cms_lib.c @@ -30,7 +30,7 @@ CMS_ContentInfo *d2i_CMS_ContentInfo(CMS_ContentInfo **a, ci = (CMS_ContentInfo *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, (CMS_ContentInfo_it())); - if (ci != NULL && a != NULL) + if (ci != NULL) cms_resolve_libctx(ci); return ci; } @@ -80,12 +80,12 @@ const CMS_CTX *cms_get0_cmsctx(const CMS_ContentInfo *cms) OSSL_LIB_CTX *cms_ctx_get0_libctx(const CMS_CTX *ctx) { - return ctx->libctx; + return ctx != NULL ? ctx->libctx : NULL; } const char *cms_ctx_get0_propq(const CMS_CTX *ctx) { - return ctx->propq; + return ctx != NULL ? ctx->propq : NULL; } void cms_resolve_libctx(CMS_ContentInfo *ci) @@ -93,12 +93,10 @@ void cms_resolve_libctx(CMS_ContentInfo *ci) int i; CMS_CertificateChoices *cch; STACK_OF(CMS_CertificateChoices) **pcerts; - const CMS_CTX *ctx; + const CMS_CTX *ctx = cms_get0_cmsctx(ci); + OSSL_LIB_CTX *libctx = cms_ctx_get0_libctx(ctx); + const char *propq = cms_ctx_get0_propq(ctx); - if (ci == NULL) - return; - - ctx = cms_get0_cmsctx(ci); cms_SignerInfos_set_cmsctx(ci); cms_RecipientInfos_set_cmsctx(ci); @@ -107,7 +105,7 @@ void cms_resolve_libctx(CMS_ContentInfo *ci) for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++) { cch = sk_CMS_CertificateChoices_value(*pcerts, i); if (cch->type == CMS_CERTCHOICE_CERT) - x509_set0_libctx(cch->d.certificate, ctx->libctx, ctx->propq); + x509_set0_libctx(cch->d.certificate, libctx, propq); } } } @@ -411,7 +409,8 @@ BIO *cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm, alg = OBJ_nid2sn(OBJ_obj2nid(digestoid)); (void)ERR_set_mark(); - fetched_digest = EVP_MD_fetch(ctx->libctx, alg, ctx->propq); + fetched_digest = EVP_MD_fetch(cms_ctx_get0_libctx(ctx), alg, + cms_ctx_get0_propq(ctx)); if (fetched_digest != NULL) digest = fetched_digest; diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c index 8b55f7d0a8..ecfa1f5ffe 100644 --- a/crypto/cms/cms_pwri.c +++ b/crypto/cms/cms_pwri.c @@ -93,7 +93,7 @@ CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms, ivlen = EVP_CIPHER_CTX_iv_length(ctx); if (ivlen > 0) { - if (RAND_bytes_ex(cms_ctx->libctx, iv, ivlen) <= 0) + if (RAND_bytes_ex(cms_ctx_get0_libctx(cms_ctx), iv, ivlen) <= 0) goto err; if (EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0) { ERR_raise(ERR_LIB_CMS, ERR_R_EVP_LIB); @@ -262,7 +262,7 @@ static int kek_wrap_key(unsigned char *out, size_t *outlen, memcpy(out + 4, in, inlen); /* Add random padding to end */ if (olen > inlen + 4 - && RAND_bytes_ex(cms_ctx->libctx, out + 4 + inlen, + && RAND_bytes_ex(cms_ctx_get0_libctx(cms_ctx), out + 4 + inlen, olen - 4 - inlen) <= 0) return 0; /* Encrypt twice */ @@ -316,7 +316,8 @@ int cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms, } name = OBJ_nid2sn(OBJ_obj2nid(kekalg->algorithm)); - kekcipher = EVP_CIPHER_fetch(cms_ctx->libctx, name, cms_ctx->propq); + kekcipher = EVP_CIPHER_fetch(cms_ctx_get0_libctx(cms_ctx), name, + cms_ctx_get0_propq(cms_ctx)); if (kekcipher == NULL) { ERR_raise(ERR_LIB_CMS, CMS_R_UNKNOWN_CIPHER); diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index 96b92bdc63..d803a6c006 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c @@ -407,8 +407,9 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, if (flags & CMS_KEY_PARAM) { if (flags & CMS_NOATTR) { - si->pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, si->pkey, - ctx->propq); + si->pctx = EVP_PKEY_CTX_new_from_pkey(cms_ctx_get0_libctx(ctx), + si->pkey, + cms_ctx_get0_propq(ctx)); if (si->pctx == NULL) goto err; if (EVP_PKEY_sign_init(si->pctx) <= 0) @@ -416,7 +417,8 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, if (EVP_PKEY_CTX_set_signature_md(si->pctx, md) <= 0) goto err; } else if (EVP_DigestSignInit_ex(si->mctx, &si->pctx, EVP_MD_name(md), - ctx->libctx, ctx->propq, pk) <= 0) { + cms_ctx_get0_libctx(ctx), + cms_ctx_get0_propq(ctx), pk) <= 0) { goto err; } } @@ -678,8 +680,9 @@ static int cms_SignerInfo_content_sign(CMS_ContentInfo *cms, ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE); goto err; } - if (!EVP_SignFinal_ex(mctx, sig, &siglen, si->pkey, ctx->libctx, - ctx->propq)) { + if (!EVP_SignFinal_ex(mctx, sig, &siglen, si->pkey, + cms_ctx_get0_libctx(ctx), + cms_ctx_get0_propq(ctx))) { ERR_raise(ERR_LIB_CMS, CMS_R_SIGNFINAL_ERROR); OPENSSL_free(sig); goto err; @@ -737,8 +740,8 @@ int CMS_SignerInfo_sign(CMS_SignerInfo *si) pctx = si->pctx; else { EVP_MD_CTX_reset(mctx); - if (EVP_DigestSignInit_ex(mctx, &pctx, md_name, ctx->libctx, ctx->propq, - si->pkey) <= 0) + if (EVP_DigestSignInit_ex(mctx, &pctx, md_name, cms_ctx_get0_libctx(ctx), + cms_ctx_get0_propq(ctx), si->pkey) <= 0) goto err; si->pctx = pctx; } @@ -815,6 +818,8 @@ int CMS_SignerInfo_verify(CMS_SignerInfo *si) const EVP_MD *md; EVP_MD *fetched_md = NULL; const CMS_CTX *ctx = si->cms_ctx; + OSSL_LIB_CTX *libctx = cms_ctx_get0_libctx(ctx); + const char *propq = cms_ctx_get0_propq(ctx); if (si->pkey == NULL) { ERR_raise(ERR_LIB_CMS, CMS_R_NO_PUBLIC_KEY); @@ -827,7 +832,7 @@ int CMS_SignerInfo_verify(CMS_SignerInfo *si) name = OBJ_nid2sn(OBJ_obj2nid(si->digestAlgorithm->algorithm)); (void)ERR_set_mark(); - fetched_md = EVP_MD_fetch(ctx->libctx, name, ctx->propq); + fetched_md = EVP_MD_fetch(libctx, name, propq); if (fetched_md != NULL) md = fetched_md; @@ -845,8 +850,8 @@ int CMS_SignerInfo_verify(CMS_SignerInfo *si) goto err; } mctx = si->mctx; - if (EVP_DigestVerifyInit_ex(mctx, &si->pctx, EVP_MD_name(md), ctx->libctx, - NULL, si->pkey) <= 0) + if (EVP_DigestVerifyInit_ex(mctx, &si->pctx, EVP_MD_name(md), libctx, + propq, si->pkey) <= 0) goto err; if (!cms_sd_asn1_ctrl(si, 1)) @@ -953,7 +958,8 @@ int CMS_SignerInfo_verify_content(CMS_SignerInfo *si, BIO *chain) const EVP_MD *md = EVP_MD_CTX_md(mctx); const CMS_CTX *ctx = si->cms_ctx; - pkctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, si->pkey, ctx->propq); + pkctx = EVP_PKEY_CTX_new_from_pkey(cms_ctx_get0_libctx(ctx), si->pkey, + cms_ctx_get0_propq(ctx)); if (pkctx == NULL) goto err; if (EVP_PKEY_verify_init(pkctx) <= 0) diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c index 5c903f204b..6c62d904eb 100644 --- a/crypto/cms/cms_smime.c +++ b/crypto/cms/cms_smime.c @@ -264,7 +264,8 @@ static int cms_signerinfo_verify_cert(CMS_SignerInfo *si, X509 *signer; int i, j, r = 0; - ctx = X509_STORE_CTX_new_ex(cms_ctx->libctx, cms_ctx->propq); + ctx = X509_STORE_CTX_new_ex(cms_ctx_get0_libctx(cms_ctx), + cms_ctx_get0_propq(cms_ctx)); if (ctx == NULL) { ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE); goto err; @@ -567,7 +568,8 @@ CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si, /* Initialize signed data */ - cms = CMS_sign_ex(NULL, NULL, certs, NULL, flags, ctx->libctx, ctx->propq); + cms = CMS_sign_ex(NULL, NULL, certs, NULL, flags, cms_ctx_get0_libctx(ctx), + cms_ctx_get0_propq(ctx)); if (cms == NULL) goto err; diff --git a/crypto/pkcs7/pk7_asn1.c b/crypto/pkcs7/pk7_asn1.c index 9820d1b8eb..9136d9afaf 100644 --- a/crypto/pkcs7/pk7_asn1.c +++ b/crypto/pkcs7/pk7_asn1.c @@ -68,7 +68,7 @@ PKCS7 *d2i_PKCS7(PKCS7 **a, const unsigned char **in, long len) PKCS7 *ret; ret = (PKCS7 *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, (PKCS7_it())); - if (ret != NULL && a != NULL) + if (ret != NULL) pkcs7_resolve_libctx(ret); return ret; } diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index 111088703d..d6acfd4754 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -69,7 +69,8 @@ static int pkcs7_bio_add_digest(BIO **pbio, X509_ALGOR *alg, name = OBJ_nid2sn(OBJ_obj2nid(alg->algorithm)); (void)ERR_set_mark(); - fetched = EVP_MD_fetch(ctx->libctx, name, ctx->propq); + fetched = EVP_MD_fetch(pkcs7_ctx_get0_libctx(ctx), name, + pkcs7_ctx_get0_propq(ctx)); if (fetched != NULL) md = fetched; else @@ -113,7 +114,8 @@ static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri, if (pkey == NULL) return 0; - pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, pkey, ctx->propq); + pctx = EVP_PKEY_CTX_new_from_pkey(pkcs7_ctx_get0_libctx(ctx), pkey, + pkcs7_ctx_get0_propq(ctx)); if (pctx == NULL) return 0; @@ -161,7 +163,8 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, int ret = -1; const PKCS7_CTX *ctx = ri->ctx; - pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, pkey, ctx->propq); + pctx = EVP_PKEY_CTX_new_from_pkey(pkcs7_ctx_get0_libctx(ctx), pkey, + pkcs7_ctx_get0_propq(ctx)); if (pctx == NULL) return -1; @@ -222,12 +225,16 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) PKCS7_RECIP_INFO *ri = NULL; ASN1_OCTET_STRING *os = NULL; const PKCS7_CTX *p7_ctx; + OSSL_LIB_CTX *libctx; + const char *propq; if (p7 == NULL) { ERR_raise(ERR_LIB_PKCS7, PKCS7_R_INVALID_NULL_POINTER); return NULL; } p7_ctx = pkcs7_get0_ctx(p7); + libctx = pkcs7_ctx_get0_libctx(p7_ctx); + propq = pkcs7_ctx_get0_propq(p7_ctx); /* * The content field in the PKCS7 ContentInfo is optional, but that really @@ -304,13 +311,13 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) ivlen = EVP_CIPHER_iv_length(evp_cipher); xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher)); if (ivlen > 0) - if (RAND_bytes_ex(p7_ctx->libctx, iv, ivlen) <= 0) + if (RAND_bytes_ex(libctx, iv, ivlen) <= 0) goto err; (void)ERR_set_mark(); - fetched_cipher = EVP_CIPHER_fetch(p7_ctx->libctx, + fetched_cipher = EVP_CIPHER_fetch(libctx, EVP_CIPHER_name(evp_cipher), - p7_ctx->propq); + propq); (void)ERR_pop_to_mark(); if (fetched_cipher != NULL) cipher = fetched_cipher; @@ -411,6 +418,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) int eklen = 0, tkeylen = 0; const char *name; const PKCS7_CTX *p7_ctx; + OSSL_LIB_CTX *libctx; + const char *propq; if (p7 == NULL) { ERR_raise(ERR_LIB_PKCS7, PKCS7_R_INVALID_NULL_POINTER); @@ -418,6 +427,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) } p7_ctx = pkcs7_get0_ctx(p7); + libctx = pkcs7_ctx_get0_libctx(p7_ctx); + propq = pkcs7_ctx_get0_propq(p7_ctx); if (p7->d.ptr == NULL) { ERR_raise(ERR_LIB_PKCS7, PKCS7_R_NO_CONTENT); @@ -452,7 +463,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) name = OBJ_nid2sn(OBJ_obj2nid(enc_alg->algorithm)); (void)ERR_set_mark(); - evp_cipher = EVP_CIPHER_fetch(p7_ctx->libctx, name, p7_ctx->propq); + evp_cipher = EVP_CIPHER_fetch(libctx, name, propq); if (evp_cipher != NULL) cipher = evp_cipher; else @@ -473,7 +484,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) name = OBJ_nid2sn(OBJ_obj2nid(enc_alg->algorithm)); (void)ERR_set_mark(); - evp_cipher = EVP_CIPHER_fetch(p7_ctx->libctx, name, p7_ctx->propq); + evp_cipher = EVP_CIPHER_fetch(libctx, name, propq); if (evp_cipher != NULL) cipher = evp_cipher; else @@ -509,7 +520,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) name = OBJ_nid2sn(OBJ_obj2nid(xa->algorithm)); (void)ERR_set_mark(); - evp_md = EVP_MD_fetch(p7_ctx->libctx, name, p7_ctx->propq); + evp_md = EVP_MD_fetch(libctx, name, propq); if (evp_md != NULL) md = evp_md; else @@ -843,7 +854,8 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) goto err; if (!EVP_SignFinal_ex(ctx_tmp, abuf, &abuflen, si->pkey, - p7_ctx->libctx, p7_ctx->propq)) { + pkcs7_ctx_get0_libctx(p7_ctx), + pkcs7_ctx_get0_propq(p7_ctx))) { OPENSSL_free(abuf); ERR_raise(ERR_LIB_PKCS7, ERR_R_EVP_LIB); goto err; @@ -914,8 +926,9 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si) goto err; } - if (EVP_DigestSignInit_ex(mctx, &pctx, EVP_MD_name(md), ctx->libctx, - ctx->propq, si->pkey) <= 0) + if (EVP_DigestSignInit_ex(mctx, &pctx, EVP_MD_name(md), + pkcs7_ctx_get0_libctx(ctx), + pkcs7_ctx_get0_propq(ctx), si->pkey) <= 0) goto err; /* @@ -1063,6 +1076,8 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, BIO *btmp; EVP_PKEY *pkey; const PKCS7_CTX *ctx = pkcs7_get0_ctx(p7); + OSSL_LIB_CTX *libctx = pkcs7_ctx_get0_libctx(ctx); + const char *propq = pkcs7_ctx_get0_propq(ctx); mdc_tmp = EVP_MD_CTX_new(); if (mdc_tmp == NULL) { @@ -1129,7 +1144,7 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, } (void)ERR_set_mark(); - fetched_md = EVP_MD_fetch(ctx->libctx, OBJ_nid2sn(md_type), ctx->propq); + fetched_md = EVP_MD_fetch(libctx, OBJ_nid2sn(md_type), propq); if (fetched_md != NULL) md = fetched_md; @@ -1162,8 +1177,7 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, goto err; } - i = EVP_VerifyFinal_ex(mdc_tmp, os->data, os->length, pkey, ctx->libctx, - ctx->propq); + i = EVP_VerifyFinal_ex(mdc_tmp, os->data, os->length, pkey, libctx, propq); if (i <= 0) { ERR_raise(ERR_LIB_PKCS7, PKCS7_R_SIGNATURE_FAILURE); ret = -1; diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c index 1cc233e89d..35a757062b 100644 --- a/crypto/pkcs7/pk7_lib.c +++ b/crypto/pkcs7/pk7_lib.c @@ -401,6 +401,8 @@ void pkcs7_resolve_libctx(PKCS7 *p7) { int i; const PKCS7_CTX *ctx = pkcs7_get0_ctx(p7); + OSSL_LIB_CTX *libctx = pkcs7_ctx_get0_libctx(ctx); + const char *propq = pkcs7_ctx_get0_propq(ctx); STACK_OF(PKCS7_RECIP_INFO) *rinfos = pkcs7_get_recipient_info(p7); STACK_OF(PKCS7_SIGNER_INFO) *sinfos = PKCS7_get_signer_info(p7); STACK_OF(X509) *certs = pkcs7_get_signer_certs(p7); @@ -409,12 +411,12 @@ void pkcs7_resolve_libctx(PKCS7 *p7) return; for (i = 0; i < sk_X509_num(certs); i++) - x509_set0_libctx(sk_X509_value(certs, i), ctx->libctx, ctx->propq); + x509_set0_libctx(sk_X509_value(certs, i), libctx, propq); for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rinfos); i++) { PKCS7_RECIP_INFO *ri = sk_PKCS7_RECIP_INFO_value(rinfos, i); - x509_set0_libctx(ri->cert, ctx->libctx, ctx->propq); + x509_set0_libctx(ri->cert, libctx, propq); } for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++) { diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c index 381df40a94..40f87f8043 100644 --- a/crypto/pkcs7/pk7_mime.c +++ b/crypto/pkcs7/pk7_mime.c @@ -52,7 +52,7 @@ PKCS7 *SMIME_read_PKCS7_ex(BIO *bio, BIO **bcont, PKCS7 **p7) ret = (PKCS7 *)SMIME_read_ASN1_ex(bio, bcont, ASN1_ITEM_rptr(PKCS7), (ASN1_VALUE **)p7); - if (ret != NULL && p7 != NULL) + if (ret != NULL) pkcs7_resolve_libctx(ret); return ret; } diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c index 770534d9f6..b5dfc916a5 100644 --- a/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c @@ -266,7 +266,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, /* Now verify the certificates */ p7_ctx = pkcs7_get0_ctx(p7); - cert_ctx = X509_STORE_CTX_new_ex(p7_ctx->libctx, p7_ctx->propq); + cert_ctx = X509_STORE_CTX_new_ex(pkcs7_ctx_get0_libctx(p7_ctx), + pkcs7_ctx_get0_propq(p7_ctx)); if (cert_ctx == NULL) goto err; if (!(flags & PKCS7_NOVERIFY)) diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c index 9d9079f7f5..3a0e8bc181 100644 --- a/crypto/x509/x_all.c +++ b/crypto/x509/x_all.c @@ -178,7 +178,7 @@ PKCS7 *d2i_PKCS7_fp(FILE *fp, PKCS7 **p7) PKCS7 *ret; ret = ASN1_item_d2i_fp(ASN1_ITEM_rptr(PKCS7), fp, p7); - if (ret != NULL && p7 != NULL) + if (ret != NULL) pkcs7_resolve_libctx(ret); return ret; } @@ -194,7 +194,7 @@ PKCS7 *d2i_PKCS7_bio(BIO *bp, PKCS7 **p7) PKCS7 *ret; ret = ASN1_item_d2i_bio(ASN1_ITEM_rptr(PKCS7), bp, p7); - if (ret != NULL && p7 != NULL) + if (ret != NULL) pkcs7_resolve_libctx(ret); return ret; } diff --git a/test/cmsapitest.c b/test/cmsapitest.c index a69fcc949d..373cc930b0 100644 --- a/test/cmsapitest.c +++ b/test/cmsapitest.c @@ -78,6 +78,216 @@ static int test_encrypt_decrypt_aes_256_gcm(void) return test_encrypt_decrypt(EVP_aes_256_gcm()); } +static int test_d2i_CMS_bio_NULL(void) +{ + BIO *bio; + CMS_ContentInfo *cms = NULL; + int ret = 0; + + /* + * Test data generated using: + * openssl cms -sign -md sha256 -signer ./test/certs/rootCA.pem -inkey \ + * ./test/certs/rootCA.key -nodetach -outform DER -in ./in.txt -out out.der \ + * -nosmimecap + */ + static const unsigned char cms_data[] = { + 0x30, 0x82, 0x05, 0xc5, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, + 0x82, 0x05, 0xb6, 0x30, 0x82, 0x05, 0xb2, 0x02, + 0x01, 0x01, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, + 0x01, 0x30, 0x1c, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x0f, + 0x04, 0x0d, 0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x20, + 0x57, 0x6f, 0x72, 0x6c, 0x64, 0x0d, 0x0a, 0xa0, + 0x82, 0x03, 0x83, 0x30, 0x82, 0x03, 0x7f, 0x30, + 0x82, 0x02, 0x67, 0xa0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x09, 0x00, 0x88, 0x43, 0x29, 0xcb, 0xc2, + 0xeb, 0x15, 0x9a, 0x30, 0x0d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x05, 0x00, 0x30, 0x56, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x41, + 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, + 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65, 0x31, 0x21, + 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, + 0x18, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, + 0x74, 0x20, 0x57, 0x69, 0x64, 0x67, 0x69, 0x74, + 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, + 0x64, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x03, 0x55, + 0x04, 0x03, 0x0c, 0x06, 0x72, 0x6f, 0x6f, 0x74, + 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x35, + 0x30, 0x37, 0x30, 0x32, 0x31, 0x33, 0x31, 0x35, + 0x31, 0x31, 0x5a, 0x17, 0x0d, 0x33, 0x35, 0x30, + 0x37, 0x30, 0x32, 0x31, 0x33, 0x31, 0x35, 0x31, + 0x31, 0x5a, 0x30, 0x56, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x41, + 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, + 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65, 0x31, 0x21, + 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, + 0x18, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, + 0x74, 0x20, 0x57, 0x69, 0x64, 0x67, 0x69, 0x74, + 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, + 0x64, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x03, 0x55, + 0x04, 0x03, 0x0c, 0x06, 0x72, 0x6f, 0x6f, 0x74, + 0x43, 0x41, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, + 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, + 0x01, 0x01, 0x00, 0xc0, 0xf1, 0x6b, 0x77, 0x88, + 0xac, 0x35, 0xdf, 0xfb, 0x73, 0x53, 0x2f, 0x92, + 0x80, 0x2f, 0x74, 0x16, 0x32, 0x4d, 0xf5, 0x10, + 0x20, 0x6f, 0x6c, 0x3a, 0x8e, 0xd1, 0xdc, 0x6b, + 0xe1, 0x2e, 0x3e, 0xc3, 0x04, 0x0f, 0xbf, 0x9b, + 0xc4, 0xc9, 0x12, 0xd1, 0xe4, 0x0b, 0x45, 0x97, + 0xe5, 0x06, 0xcd, 0x66, 0x3a, 0xe1, 0xe0, 0xe2, + 0x2b, 0xdf, 0xa2, 0xc4, 0xec, 0x7b, 0xd3, 0x3d, + 0x3c, 0x8a, 0xff, 0x5e, 0x74, 0xa0, 0xab, 0xa7, + 0x03, 0x6a, 0x16, 0x5b, 0x5e, 0x92, 0xc4, 0x7e, + 0x5b, 0x79, 0x8a, 0x69, 0xd4, 0xbc, 0x83, 0x5e, + 0xae, 0x42, 0x92, 0x74, 0xa5, 0x2b, 0xe7, 0x00, + 0xc1, 0xa9, 0xdc, 0xd5, 0xb1, 0x53, 0x07, 0x0f, + 0x73, 0xf7, 0x8e, 0xad, 0x14, 0x3e, 0x25, 0x9e, + 0xe5, 0x1e, 0xe6, 0xcc, 0x91, 0xcd, 0x95, 0x0c, + 0x80, 0x44, 0x20, 0xc3, 0xfd, 0x17, 0xcf, 0x91, + 0x3d, 0x63, 0x10, 0x1c, 0x14, 0x5b, 0xfb, 0xc3, + 0xa8, 0xc1, 0x88, 0xb2, 0x77, 0xff, 0x9c, 0xdb, + 0xfc, 0x6a, 0x44, 0x44, 0x44, 0xf7, 0x85, 0xec, + 0x08, 0x2c, 0xd4, 0xdf, 0x81, 0xa3, 0x79, 0xc9, + 0xfe, 0x1e, 0x9b, 0x93, 0x16, 0x53, 0xb7, 0x97, + 0xab, 0xbe, 0x4f, 0x1a, 0xa5, 0xe2, 0xfa, 0x46, + 0x05, 0xe4, 0x0d, 0x9c, 0x2a, 0xa4, 0xcc, 0xb9, + 0x1e, 0x21, 0xa0, 0x6c, 0xc4, 0xab, 0x59, 0xb0, + 0x40, 0x39, 0xbb, 0xf9, 0x88, 0xad, 0xfd, 0xdf, + 0x8d, 0xb4, 0x0b, 0xaf, 0x7e, 0x41, 0xe0, 0x21, + 0x3c, 0xc8, 0x33, 0x45, 0x49, 0x84, 0x2f, 0x93, + 0x06, 0xee, 0xfd, 0x4f, 0xed, 0x4f, 0xf3, 0xbc, + 0x9b, 0xde, 0xfc, 0x25, 0x5e, 0x55, 0xd5, 0x75, + 0xd4, 0xc5, 0x7b, 0x3a, 0x40, 0x35, 0x06, 0x9f, + 0xc4, 0x84, 0xb4, 0x6c, 0x93, 0x0c, 0xaf, 0x37, + 0x5a, 0xaf, 0xb6, 0x41, 0x4d, 0x26, 0x23, 0x1c, + 0xb8, 0x02, 0xb3, 0x02, 0x03, 0x01, 0x00, 0x01, + 0xa3, 0x50, 0x30, 0x4e, 0x30, 0x0c, 0x06, 0x03, + 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, + 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, + 0x0e, 0x04, 0x16, 0x04, 0x14, 0x85, 0x56, 0x89, + 0x35, 0xe2, 0x9f, 0x00, 0x1a, 0xe1, 0x86, 0x03, + 0x0b, 0x4b, 0xaf, 0x76, 0x12, 0x6b, 0x33, 0x6d, + 0xfd, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, + 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x85, 0x56, + 0x89, 0x35, 0xe2, 0x9f, 0x00, 0x1a, 0xe1, 0x86, + 0x03, 0x0b, 0x4b, 0xaf, 0x76, 0x12, 0x6b, 0x33, + 0x6d, 0xfd, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, + 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x32, 0x0a, + 0xbf, 0x2a, 0x0a, 0xe2, 0xbb, 0x4f, 0x43, 0xce, + 0x88, 0xda, 0x5a, 0x39, 0x10, 0x37, 0x80, 0xbb, + 0x37, 0x2d, 0x5e, 0x2d, 0x88, 0xdd, 0x26, 0x69, + 0x9c, 0xe7, 0xb4, 0x98, 0x20, 0xb1, 0x25, 0xe6, + 0x61, 0x59, 0x6d, 0x12, 0xec, 0x9b, 0x87, 0xbe, + 0x57, 0xe1, 0x12, 0x05, 0xc5, 0x04, 0xf1, 0x17, + 0xce, 0x14, 0xb8, 0x1c, 0x92, 0xd4, 0x95, 0x95, + 0x2c, 0x5b, 0x28, 0x89, 0xfb, 0x72, 0x9c, 0x20, + 0xd3, 0x32, 0x81, 0xa8, 0x85, 0xec, 0xc8, 0x08, + 0x7b, 0xa8, 0x59, 0x5b, 0x3a, 0x6c, 0x31, 0xab, + 0x52, 0xe2, 0x66, 0xcd, 0x14, 0x49, 0x5c, 0xf3, + 0xd3, 0x3e, 0x62, 0xbc, 0x91, 0x16, 0xb4, 0x1c, + 0xf5, 0xdd, 0x54, 0xaa, 0x3c, 0x61, 0x97, 0x79, + 0xac, 0xe4, 0xc8, 0x43, 0x35, 0xc3, 0x0f, 0xfc, + 0xf3, 0x70, 0x1d, 0xaf, 0xf0, 0x9c, 0x8a, 0x2a, + 0x92, 0x93, 0x48, 0xaa, 0xd0, 0xe8, 0x47, 0xbe, + 0x35, 0xc1, 0xc6, 0x7b, 0x6d, 0xda, 0xfa, 0x5d, + 0x57, 0x45, 0xf3, 0xea, 0x41, 0x8f, 0x36, 0xc1, + 0x3c, 0xf4, 0x52, 0x7f, 0x6e, 0x31, 0xdd, 0xba, + 0x9a, 0xbc, 0x70, 0x56, 0x71, 0x38, 0xdc, 0x49, + 0x57, 0x0c, 0xfd, 0x91, 0x17, 0xc5, 0xea, 0x87, + 0xe5, 0x23, 0x74, 0x19, 0xb2, 0xb6, 0x99, 0x0c, + 0x6b, 0xa2, 0x05, 0xf8, 0x51, 0x68, 0xed, 0x97, + 0xe0, 0xdf, 0x62, 0xf9, 0x7e, 0x7a, 0x3a, 0x44, + 0x71, 0x83, 0x57, 0x28, 0x49, 0x88, 0x69, 0xb5, + 0x14, 0x1e, 0xda, 0x46, 0xe3, 0x6e, 0x78, 0xe1, + 0xcb, 0x8f, 0xb5, 0x98, 0xb3, 0x2d, 0x6e, 0x5b, + 0xb7, 0xf6, 0x93, 0x24, 0x14, 0x1f, 0xa4, 0xf6, + 0x69, 0xbd, 0xff, 0x4c, 0x52, 0x50, 0x02, 0xc5, + 0x43, 0x8d, 0x14, 0xe2, 0xd0, 0x75, 0x9f, 0x12, + 0x5e, 0x94, 0x89, 0xd1, 0xef, 0x77, 0x89, 0x7d, + 0x89, 0xd9, 0x9e, 0x76, 0x99, 0x24, 0x31, 0x82, + 0x01, 0xf7, 0x30, 0x82, 0x01, 0xf3, 0x02, 0x01, + 0x01, 0x30, 0x63, 0x30, 0x56, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, + 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x53, 0x6f, 0x6d, + 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65, 0x31, + 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, + 0x0c, 0x18, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, + 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67, 0x69, + 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, + 0x74, 0x64, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x0c, 0x06, 0x72, 0x6f, 0x6f, + 0x74, 0x43, 0x41, 0x02, 0x09, 0x00, 0x88, 0x43, + 0x29, 0xcb, 0xc2, 0xeb, 0x15, 0x9a, 0x30, 0x0b, + 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x01, 0xa0, 0x69, 0x30, 0x18, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x09, 0x03, 0x31, 0x0b, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, + 0x1c, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x05, 0x31, 0x0f, 0x17, 0x0d, + 0x32, 0x30, 0x31, 0x32, 0x31, 0x31, 0x30, 0x39, + 0x30, 0x30, 0x31, 0x33, 0x5a, 0x30, 0x2f, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x09, 0x04, 0x31, 0x22, 0x04, 0x20, 0xb0, 0x80, + 0x22, 0xd3, 0x15, 0xcf, 0x1e, 0xb1, 0x2d, 0x26, + 0x65, 0xbd, 0xed, 0x0e, 0x6a, 0xf4, 0x06, 0x53, + 0xc0, 0xa0, 0xbe, 0x97, 0x52, 0x32, 0xfb, 0x49, + 0xbc, 0xbd, 0x02, 0x1c, 0xfc, 0x36, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, + 0x00, 0x37, 0x44, 0x39, 0x08, 0xb2, 0x19, 0x52, + 0x35, 0x9c, 0xd0, 0x67, 0x87, 0xae, 0xb8, 0x1c, + 0x80, 0xf4, 0x03, 0x29, 0x2e, 0xe3, 0x76, 0x4a, + 0xb0, 0x98, 0x10, 0x00, 0x9a, 0x30, 0xdb, 0x05, + 0x28, 0x53, 0x34, 0x31, 0x14, 0xbd, 0x87, 0xb9, + 0x4d, 0x45, 0x07, 0x97, 0xa3, 0x57, 0x0b, 0x7e, + 0xd1, 0x67, 0xfb, 0x4e, 0x0f, 0x5b, 0x90, 0xb2, + 0x6f, 0xe6, 0xce, 0x49, 0xdd, 0x72, 0x46, 0x71, + 0x26, 0xa1, 0x1b, 0x98, 0x23, 0x7d, 0x69, 0x73, + 0x84, 0xdc, 0xf9, 0xd2, 0x1c, 0x6d, 0xf6, 0xf5, + 0x17, 0x49, 0x6e, 0x9d, 0x4d, 0xf1, 0xe2, 0x43, + 0x29, 0x53, 0x55, 0xa5, 0x22, 0x1e, 0x89, 0x2c, + 0xaf, 0xf2, 0x43, 0x47, 0xd5, 0xfa, 0xad, 0xe7, + 0x89, 0x60, 0xbf, 0x96, 0x35, 0x6f, 0xc2, 0x99, + 0xb7, 0x55, 0xc5, 0xe3, 0x04, 0x25, 0x1b, 0xf6, + 0x7e, 0xf2, 0x2b, 0x14, 0xa9, 0x57, 0x96, 0xbe, + 0xbd, 0x6e, 0x95, 0x44, 0x94, 0xbd, 0xaf, 0x9a, + 0x6d, 0x77, 0x55, 0x5e, 0x6c, 0xf6, 0x32, 0x37, + 0xec, 0xef, 0xe5, 0x81, 0xb0, 0xe3, 0x35, 0xc7, + 0x86, 0xea, 0x47, 0x59, 0x38, 0xb6, 0x16, 0xfb, + 0x1d, 0x10, 0x55, 0x48, 0xb1, 0x44, 0x33, 0xde, + 0xf6, 0x29, 0xbe, 0xbf, 0xbc, 0x71, 0x3e, 0x49, + 0xba, 0xe7, 0x9f, 0x4d, 0x6c, 0xfb, 0xec, 0xd2, + 0xe0, 0x12, 0xa9, 0x7c, 0xc9, 0x9a, 0x7b, 0x85, + 0x83, 0xb8, 0xca, 0xdd, 0xf6, 0xb7, 0x15, 0x75, + 0x7b, 0x4a, 0x69, 0xcf, 0x0a, 0xc7, 0x80, 0x01, + 0xe7, 0x94, 0x16, 0x7f, 0x8d, 0x3c, 0xfa, 0x1f, + 0x05, 0x71, 0x76, 0x15, 0xb0, 0xf6, 0x61, 0x30, + 0x58, 0x16, 0xbe, 0x1b, 0xd1, 0x93, 0xc4, 0x1a, + 0x91, 0x0c, 0x48, 0xe2, 0x1c, 0x8e, 0xa5, 0xc5, + 0xa7, 0x81, 0x44, 0x48, 0x3b, 0x10, 0xc2, 0x74, + 0x07, 0xdf, 0xa8, 0xae, 0x57, 0xee, 0x7f, 0xe3, + 0x6a + }; + + ret = TEST_ptr(bio = BIO_new_mem_buf(cms_data, sizeof(cms_data))) + && TEST_ptr(cms = d2i_CMS_bio(bio, NULL)) + && TEST_true(CMS_verify(cms, NULL, NULL, NULL, NULL, + CMS_NO_SIGNER_CERT_VERIFY)); + CMS_ContentInfo_free(cms); + BIO_free(bio); + return ret; +} + OPT_TEST_DECLARE_USAGE("certfile privkeyfile\n") int setup_tests(void) @@ -121,7 +331,7 @@ int setup_tests(void) ADD_TEST(test_encrypt_decrypt_aes_128_gcm); ADD_TEST(test_encrypt_decrypt_aes_192_gcm); ADD_TEST(test_encrypt_decrypt_aes_256_gcm); - + ADD_TEST(test_d2i_CMS_bio_NULL); return 1; } From tmraz at fedoraproject.org Mon Jan 18 14:26:44 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Mon, 18 Jan 2021 14:26:44 +0000 Subject: [openssl] master update Message-ID: <1610980004.588290.3105.nullmailer@dev.openssl.org> The branch master has been updated via 47b784a41b729d5df9ad47c99355db2f2026a709 (commit) from 038f4dc68edd16f719ce5cf140eda2fb5b86a62a (commit) - Log ----------------------------------------------------------------- commit 47b784a41b729d5df9ad47c99355db2f2026a709 Author: Kurt Roeckx Date: Thu Dec 17 22:28:17 2020 +0100 Fix memory leak in mac_newctx() on error Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13702) ----------------------------------------------------------------------- Summary of changes: providers/implementations/signature/mac_legacy.c | 1 + 1 file changed, 1 insertion(+) diff --git a/providers/implementations/signature/mac_legacy.c b/providers/implementations/signature/mac_legacy.c index b92dabde3c..79a5c911a3 100644 --- a/providers/implementations/signature/mac_legacy.c +++ b/providers/implementations/signature/mac_legacy.c @@ -74,6 +74,7 @@ static void *mac_newctx(void *provctx, const char *propq, const char *macname) return pmacctx; err: + OPENSSL_free(pmacctx->propq); OPENSSL_free(pmacctx); EVP_MAC_free(mac); return NULL; From openssl at openssl.org Mon Jan 18 23:03:32 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 18 Jan 2021 23:03:32 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module Message-ID: <1611011012.117747.601891.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: ed4a9b15d9 replace all BIO_R_NULL_PARAMETER by ERR_R_PASSED_NULL_PARAMETER dc88a03906 bio_lib.c: Fix error queue entries and return codes on NULL args etc. ab8af35aa2 X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it 2c04b34140 Allow EVP_PKEY private key objects to be created without a public component 39f3427dc1 Fix incomplete deprecation guard in test/sslapitest.c 3f6e891d42 Fix crypto/des/build.info e604b7c915 Document openssl thread-safety 975aae76db Remove unused DRBG tests. 0434f9841d Correct typo in rsa_oaep.c 3bc061eb0a Enhance default provider documentation b11ba50fd9 Fix a failure where fetches can return NULL in multi-threaded code 7dd2cb5693 Fix an issue in provider_activate_fallbacks() b457c8f514 Extend the threads test to add simple fetch from multi threads f5a50c2a07 Enable locking on the primary DRBG when we create it 2c40421440 Make sure we take the ctx->lock in ossl_lib_ctx_generic_new() c25a1524aa Lock the provider operation_bits 886ad0045b Document the core_thread_start upcall ae95a40e8d Add a test for performing work in multiple concurrent threads f6b72c7d75 Fix a crash with multi-threaded applications using the FIPS module c476c06f50 find_issuer(): When returning an expired issuer, take the most recently expired one f5f4fbaa44 Make the OSSL_CMP manual conform with man-pages(7) 4369a882a5 Skip BOM when reading the config file 5eb24fbd1c OPENSSL_cpuid_setup FreeBSD arm update. b57ec7394a OPENSSL_cpuid_setup FreeBSD PowerPC update 879365e6d4 Make header references conform with man-pages(7) in all manuals 0f2380066d Make the OSSL_trace manual conform with man-pages(7) 2645c94bb5 Make the OSSL_PROVIDER manual conform with man-pages(7) ad2cc1a08e Make the OSSL_HTTP manual conform with man-pages(7) ab21608952 Make the OSSL_SELF_TEST manual conform with man-pages(7) b91f41daba Make the OSSL_PARAM manual conform with man-pages(7) Build log ended with (last 100 lines): # setup_client_ctx:../openssl/apps/cmp.c:1977:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2027:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 0 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem -out_trusted root.crt => 0 not ok 43 - popo RAVERIFIED # ------------------------------------------------------------------------------ # cmp_main:../openssl/apps/cmp.c:2661:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2260:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:684:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1977:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2027:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # ------------------------------------------------------------------------------ # Failed test 'popo NONE' # at ../openssl/test/recipes/81-test_cmp_cli.t line 183. # cmp_main:../openssl/apps/cmp.c:2661:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2260:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:684:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1977:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2027:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 2 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem -out_trusted root.crt => 0 not ok 48 - popo KEYENC not supported # ------------------------------------------------------------------------------ # Looks like you failed 3 tests of 92. not ok 7 - CMP app CLI Mock enrollment # ------------------------------------------------------------------------------ # # Failed test 'CMP app CLI Mock enrollment # ' # at /home/openssl/run-checker/enable-fuzz-afl/../openssl/util/perl/OpenSSL/Test.pm line 1335. # Looks like you failed 3 tests of 7.81-test_cmp_cli.t .................. Dubious, test returned 3 (wstat 768, 0x300) Failed 3/7 subtests 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. skipped: Test only supported in a shared build 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: GOST support is disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ skipped: Test only supported in a shared build 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. skipped: tls13secrets is not supported in this build 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 81-test_cmp_cli.t (Wstat: 768 Tests: 7 Failed: 3) Failed tests: 4-5, 7 Non-zero exit status: 3 Files=228, Tests=3032, 735 wallclock secs ( 9.61 usr 1.43 sys + 657.23 cusr 64.43 csys = 732.70 CPU) Result: FAIL make[1]: *** [Makefile:2473: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-fuzz-afl' make: *** [Makefile:2470: tests] Error 2 From no-reply at appveyor.com Tue Jan 19 01:49:58 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 19 Jan 2021 01:49:58 +0000 Subject: Build failed: openssl master.39234 Message-ID: <20210119014958.1.7A4C184B5A7795B0@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Jan 19 03:01:56 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 19 Jan 2021 03:01:56 +0000 Subject: Build completed: openssl master.39235 Message-ID: <20210119030156.1.28DE2951FEB9A235@appveyor.com> An HTML attachment was scrubbed... URL: From levitte at openssl.org Tue Jan 19 10:10:51 2021 From: levitte at openssl.org (Richard Levitte) Date: Tue, 19 Jan 2021 10:10:51 +0000 Subject: [openssl] master update Message-ID: <1611051051.530425.13100.nullmailer@dev.openssl.org> The branch master has been updated via fee0af0863dff8d13b09cd59af0afbd7e4ae2d57 (commit) from 47b784a41b729d5df9ad47c99355db2f2026a709 (commit) - Log ----------------------------------------------------------------- commit fee0af0863dff8d13b09cd59af0afbd7e4ae2d57 Author: Richard Levitte Date: Mon Jan 18 10:09:58 2021 +0100 DOCS: Fix the last few remaining pass phrase options references There were a few lingering older style references to the pass phrase options section, now streamlined with all the others. Fixes #13883 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13885) ----------------------------------------------------------------------- Summary of changes: doc/man1/openssl-cmp.pod.in | 20 ++++++++++---------- doc/man1/openssl-pkcs12.pod.in | 6 +++--- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 0993186158..7841d2b0f3 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -256,8 +256,8 @@ if any, or else the current client key, if given. Pass phrase source for the key given with the B<-newkey> option. If not given here, the password will be prompted for if needed. -For more information about the format of B see the -B section in L. +For more information about the format of B see +L. =item B<-subject> I @@ -606,8 +606,8 @@ and (as far as needed) for verifying PBM-based protection of incoming messages. PBM stands for Password-Based Message Authentication Code. This takes precedence over the B<-cert> and B<-key> options. -For more information about the format of B see the -B section in L. +For more information about the format of B see +L. =item B<-cert> I @@ -655,8 +655,8 @@ Pass phrase source for the private key given with the B<-key> option. Also used for B<-cert> and B<-oldcert> in case it is an encrypted PKCS#12 file. If not given here, the password will be prompted for if needed. -For more information about the format of B see the -B section in L. +For more information about the format of B see +L. =item B<-digest> I @@ -713,8 +713,8 @@ B<-srv_trusted>, B<-srv_untrusted>, B<-rsp_extracerts>, B<-rsp_capubs>, B<-tls_extra>, and B<-tls_trusted> options. If not given here, the password will be prompted for if needed. -For more information about the format of B see the -B section in L. +For more information about the format of B see +L. {- $OpenSSL::safe::opt_engine_item -} @@ -759,8 +759,8 @@ Pass phrase source for client's private TLS key B. Also used for B<-tls_cert> in case it is an encrypted PKCS#12 file. If not given here, the password will be prompted for if needed. -For more information about the format of B see the -B section in L. +For more information about the format of B see +L. =item B<-tls_extra> I diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in index c0e0fdfca9..fdb78ae139 100644 --- a/doc/man1/openssl-pkcs12.pod.in +++ b/doc/man1/openssl-pkcs12.pod.in @@ -98,7 +98,7 @@ Print out a usage message. The password source for the input, and for encrypting any private keys that are output. For more information about the format of B -see L. +see L. =item B<-passout> I @@ -257,8 +257,8 @@ if the B<-export> option is given. The password source for certificate input such as B<-certfile> and B<-untrusted>. -For more information about the format of B -see the B section in L. +For more information about the format of B see +L. =item B<-chain> From levitte at openssl.org Tue Jan 19 10:14:15 2021 From: levitte at openssl.org (Richard Levitte) Date: Tue, 19 Jan 2021 10:14:15 +0000 Subject: [openssl] master update Message-ID: <1611051255.716173.470.nullmailer@dev.openssl.org> The branch master has been updated via 83b6dc8dc739ce7ca82652461bea92c31e634a57 (commit) from fee0af0863dff8d13b09cd59af0afbd7e4ae2d57 (commit) - Log ----------------------------------------------------------------- commit 83b6dc8dc739ce7ca82652461bea92c31e634a57 Author: Rich Salz Date: Sat Dec 26 10:21:41 2020 -0500 Deprecate OCSP_xxx API for OSSL_HTTP_xxx Deprecations made: OCSP_REQ_CTX typedef->OSSL_HTTP_REQ_CTX OCSP_REQ_CTX_new->OSSL_HTTP_REQ_CTX_new OCSP_REQ_CTX_free->OSSL_HTTP_REQ_CTX_free OCSP_REQ_CTX_http-> OSSL_HTTP_REQ_CTX_header OCSP_REQ_CTX_add1_header->OSSL_HTTP_REQ_CTX_add1_header OCSP_REQ_CTX_i2d->OSSL_HTTP_REQ_CTX_i2d OCSP_REQ_CTX_get0_mem_bio->OSSL_HTTP_REQ_CTX_get0_mem_bio OCSP_set_max_response_length->OSSL_HTTP_REQ_CTX_set_max_response_length OCSP_REQ_CTX_nbio_d2i->OSSL_HTTP_REQ_CTX_sendreq_d2i OCSP_REQ_CTX_nbio->OSSL_HTTP_REQ_CTX_nbio Made some editorial changes to man3/OCSP_sendreq.pod; move the NOTES text inline. Some of the original functions had no documentation: OCSP_REQ_CTX_new, OCSP_REQ_CTX_http, OCSP_REQ_CTX_get0_mem_bio, OCSP_REQ_CTX_nbio_d2i, and OCSP_REQ_CTX_nbio. Their new counterparts are now documented in doc/man3/OSSL_HTTP_REQ_CTX.pod Fixes #12234 Co-authored-by: Richard Levitte Reviewed-by: David von Oheimb Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/13742) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 15 ++++ crypto/http/http_local.h | 14 ---- crypto/ocsp/ocsp_http.c | 21 ++--- doc/man3/OCSP_sendreq_new.pod | 134 +++++++++++++----------------- doc/man3/OSSL_HTTP_REQ_CTX.pod | 183 +++++++++++++++++++++++++++++++++++++++++ include/openssl/http.h | 21 +++++ include/openssl/ocsp.h.in | 55 ++++++------- include/openssl/types.h | 2 +- util/indent.pro | 2 +- util/libcrypto.num | 18 ++-- util/missingcrypto.txt | 10 +-- util/other.syms | 5 ++ 12 files changed, 334 insertions(+), 146 deletions(-) create mode 100644 doc/man3/OSSL_HTTP_REQ_CTX.pod diff --git a/CHANGES.md b/CHANGES.md index ac0b22c6fb..cd093491be 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,6 +23,21 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] + * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_new(), + OCSP_REQ_CTX_free(), OCSP_REQ_CTX_http(), OCSP_REQ_CTX_add1_header(), + OCSP_REQ_CTX_i2d(), OCSP_REQ_CTX_nbio(), OCSP_REQ_CTX_nbio_d2i(), + OCSP_REQ_CTX_get0_mem_bio() and OCSP_set_max_response_length(). These + were used to collect all necessary data to form a HTTP request, and to + perform the HTTP transfer with that request. With OpenSSL 3.0, the + type is OSSL_HTTP_REQ_CTX, and the deprecated functions are replaced + with OSSL_HTTP_REQ_CTX_new(), OSSL_HTTP_REQ_CTX_free(), + OSSL_HTTP_REQ_CTX_header(), OSSL_HTTP_REQ_CTX_add1_header(), + OSSL_HTTP_REQ_CTX_i2d(), OSSL_HTTP_REQ_CTX_nbio(), + OSSL_HTTP_REQ_CTX_sendreq_d2i(), OSSL_HTTP_REQ_CTX_get0_mem_bio() and + OSSL_HTTP_REQ_CTX_set_max_response_length(). + + *Rich Salz and Richard Levitte* + * Validation of SM2 keys has been separated from the validation of regular EC keys, allowing to improve the SM2 validation process to reject loaded private keys that are not conforming to the SM2 ISO standard. diff --git a/crypto/http/http_local.h b/crypto/http/http_local.h index 729d24e47f..d98dc54e1f 100644 --- a/crypto/http/http_local.h +++ b/crypto/http/http_local.h @@ -13,20 +13,6 @@ # include -/* name aliases for legacy names with name prefix "OCSP_" */ -typedef OCSP_REQ_CTX OSSL_HTTP_REQ_CTX; -/* functions meanwhile only used internally */ -# define OSSL_HTTP_REQ_CTX_new OCSP_REQ_CTX_new -# define OSSL_HTTP_REQ_CTX_free OCSP_REQ_CTX_free -# define OSSL_HTTP_REQ_CTX_header OCSP_REQ_CTX_http -# define OSSL_HTTP_REQ_CTX_add1_header OCSP_REQ_CTX_add1_header -# define OSSL_HTTP_REQ_CTX_i2d OCSP_REQ_CTX_i2d -# define OSSL_HTTP_REQ_CTX_nbio OCSP_REQ_CTX_nbio -# define OSSL_HTTP_REQ_CTX_sendreq_d2i OCSP_REQ_CTX_nbio_d2i -/* functions that are meanwhile unused */ -# define OSSL_HTTP_REQ_CTX_get0_mem_bio OCSP_REQ_CTX_get0_mem_bio /* undoc'd */ -# define OSSL_HTTP_REQ_CTX_set_max_response_length OCSP_set_max_response_length - BIO *HTTP_asn1_item2bio(const ASN1_ITEM *it, const ASN1_VALUE *val); OSSL_HTTP_REQ_CTX *HTTP_REQ_CTX_new(BIO *wbio, BIO *rbio, int use_http_proxy, const char *server, const char *port, diff --git a/crypto/ocsp/ocsp_http.c b/crypto/ocsp/ocsp_http.c index eae6107dff..c5508698c8 100644 --- a/crypto/ocsp/ocsp_http.c +++ b/crypto/ocsp/ocsp_http.c @@ -14,19 +14,20 @@ #ifndef OPENSSL_NO_OCSP # ifndef OPENSSL_NO_DEPRECATED_3_0 -int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, const OCSP_REQUEST *req) +int OCSP_REQ_CTX_set1_req(OSSL_HTTP_REQ_CTX *rctx, const OCSP_REQUEST *req) { - return OCSP_REQ_CTX_i2d(rctx, "application/ocsp-request", - ASN1_ITEM_rptr(OCSP_REQUEST), (ASN1_VALUE *)req); + return OSSL_HTTP_REQ_CTX_i2d(rctx, "application/ocsp-request", + ASN1_ITEM_rptr(OCSP_REQUEST), + (ASN1_VALUE *)req); } # endif -OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req, - int maxline) +OSSL_HTTP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, + OCSP_REQUEST *req, int maxline) { BIO *req_mem = HTTP_asn1_item2bio(ASN1_ITEM_rptr(OCSP_REQUEST), (ASN1_VALUE *)req); - OCSP_REQ_CTX *res = + OSSL_HTTP_REQ_CTX *res = HTTP_REQ_CTX_new(io, io, 0 /* no HTTP proxy used */, NULL, NULL, path, NULL /* headers */, "application/ocsp-request", req_mem /* may be NULL */, @@ -37,17 +38,17 @@ OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req, return res; } -int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx) +int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OSSL_HTTP_REQ_CTX *rctx) { *presp = (OCSP_RESPONSE *) - OCSP_REQ_CTX_nbio_d2i(rctx, ASN1_ITEM_rptr(OCSP_RESPONSE)); + OSSL_HTTP_REQ_CTX_sendreq_d2i(rctx, ASN1_ITEM_rptr(OCSP_RESPONSE)); return *presp != NULL; } OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req) { OCSP_RESPONSE *resp = NULL; - OCSP_REQ_CTX *ctx; + OSSL_HTTP_REQ_CTX *ctx; int rv; ctx = OCSP_sendreq_new(b, path, req, -1 /* default max resp line length */); @@ -57,7 +58,7 @@ OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req) rv = OCSP_sendreq_nbio(&resp, ctx); /* this indirectly calls ERR_clear_error(): */ - OCSP_REQ_CTX_free(ctx); + OSSL_HTTP_REQ_CTX_free(ctx); return rv == 1 ? resp : NULL; } diff --git a/doc/man3/OCSP_sendreq_new.pod b/doc/man3/OCSP_sendreq_new.pod index 0f9d1339c9..6e346bdd44 100644 --- a/doc/man3/OCSP_sendreq_new.pod +++ b/doc/man3/OCSP_sendreq_new.pod @@ -4,11 +4,11 @@ OCSP_sendreq_new, OCSP_sendreq_nbio, -OCSP_REQ_CTX_free, -OCSP_set_max_response_length, -OCSP_REQ_CTX_add1_header, OCSP_sendreq_bio, OCSP_REQ_CTX_i2d, +OCSP_REQ_CTX_add1_header, +OCSP_REQ_CTX_free, +OCSP_set_max_response_length, OCSP_REQ_CTX_set1_req - OCSP responder query functions @@ -16,104 +16,78 @@ OCSP_REQ_CTX_set1_req #include - OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, - OCSP_REQUEST *req, int maxline); - - int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx); - - void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx); - - void OCSP_set_max_response_length(OCSP_REQ_CTX *rctx, - unsigned long len); + OSSL_HTTP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, + OCSP_REQUEST *req, int maxline); - int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, - const char *name, const char *value); + int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OSSL_HTTP_REQ_CTX *rctx); OCSP_RESPONSE *OCSP_sendreq_bio(BIO *io, const char *path, OCSP_REQUEST *req); - int OCSP_REQ_CTX_i2d(OCSP_REQ_CTX *rctx, const char *content_type, - const ASN1_ITEM *it, ASN1_VALUE *req); - Deprecated since OpenSSL 3.0, can be hidden entirely by defining B with a suitable version value, see L: + int OCSP_REQ_CTX_i2d(OCSP_REQ_CT *rctx, const char *content_type, + const ASN1_ITEM *it, ASN1_VALUE *req); + int OCSP_REQ_CTX_add1_header(OCSP_REQ_CT *rctx, + const char *name, const char *value); + void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx); + void OCSP_set_max_response_length(OCSP_REQ_CT *rctx, + unsigned long len); int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, const OCSP_REQUEST *req); =head1 DESCRIPTION -The function OCSP_sendreq_new() returns an B structure using the -responder B, the URL path B, the OCSP request B and with a -response header maximum line length of B. If B is zero a -default value of 4k is used. The OCSP request B may be set to B -and provided later if required. - -OCSP_sendreq_nbio() performs I/O on the OCSP request context B. -When the operation is complete it returns the response in B<*presp>. - -OCSP_REQ_CTX_free() frees up the OCSP context B. +These functions perform an OCSP request / response transfer over HTTP, using +the HTTP request functions described in L. -OCSP_set_max_response_length() sets the maximum response length -for B to B. If the response exceeds this length an error occurs. -If not set a default value of 100k is used. +The function OCSP_sendreq_new() builds a complete B +structure using connection B I, the URL path I, the OCSP +request I and with a response header maximum line length of I. +If I is zero a default value of 4k is used. The OCSP request I +may be set to NULL and provided later with L if +required. -OCSP_REQ_CTX_add1_header() adds header B with value B to the -context B. It can be called more than once to add multiple headers. -It B be called before any calls to OCSP_sendreq_nbio(). The B -parameter in the initial to OCSP_sendreq_new() call MUST be set to B if -additional headers are set. +The I and I arguments to OCSP_sendreq_new() correspond to the +components of the URL. +For example if the responder URL is C the BIO +I should be connected to host C on port 80 and I +should be set to C. -OCSP_sendreq_bio() performs an OCSP request using the responder B, the URL -path B, the OCSP request B and with a response header maximum line -length 4k. It waits indefinitely on a response. +OCSP_sendreq_nbio() performs I/O on the OCSP request context I. +When the operation is complete it assigns the response, a pointer to a +B structure, in I<*presp>. -OCSP_REQ_CTX_i2d() sets the request context B to have the request -B, which has the ASN.1 type B. -The B, if not NULL, will be included in the HTTP request. -The function should be called after all other headers have already been added. +OCSP_sendreq_bio() is the same as a call to OCSP_sendreq_new() followed by +OCSP_sendreq_nbio() and then OCSP_REQ_CTX_free() in a single call, with a +response header maximum line length 4k. It waits indefinitely on a response. +It does not support setting a timeout or adding headers and is retained +for compatibility; use OCSP_sendreq_nbio() instead. OCSP_REQ_CTX_set1_req(rctx, req) is equivalent to the following: - OCSP_REQ_CTX_i2d(rctx, "application/ocsp-request", - ASN1_ITEM_rptr(OCSP_REQUEST), (ASN1_VALUE *)req) + OSSL_HTTP_REQ_CTX_i2d(rctx, "application/ocsp-request", + ASN1_ITEM_rptr(OCSP_REQUEST), (ASN1_VALUE *)req) + +The other deprecated type and functions have been superseded by the +following equivalents: +B by L, +OCSP_REQ_CTX_i2d() by L, +OCSP_REQ_CTX_add1_header() by L, +OCSP_REQ_CTX_free() by L, and +OCSP_set_max_response_length() by +L. =head1 RETURN VALUES -OCSP_sendreq_new() returns a valid B structure or B +OCSP_sendreq_new() returns a valid B structure or NULL if an error occurred. -OCSP_sendreq_nbio(), OCSP_REQ_CTX_add1_header(), OCSP_REQ_CTX_i2d(), -and OCSP_REQ_CTX_set1_req() -return B<1> for success and B<0> for failure. +OCSP_sendreq_nbio(), OCSP_REQ_CTX_i2d(), and OCSP_REQ_CTX_set1_req() +return 1 for success and 0 for failure. OCSP_sendreq_bio() returns the B structure sent by the -responder or B if an error occurred. - -OCSP_REQ_CTX_free() and OCSP_set_max_response_length() -do not return values. - -=head1 NOTES - -These functions only perform a minimal HTTP query to a responder. If an -application wishes to support more advanced features it should use an -alternative more complete HTTP library. - -Currently only HTTP POST queries to responders are supported. - -The arguments to OCSP_sendreq_new() correspond to the components of the URL. -For example if the responder URL is B the BIO -B should be connected to host B on port 80 and B -should be set to B<"/ocspreq"> - -The headers added with OCSP_REQ_CTX_add1_header() are of the form -"B: B" or just "B" if B is B. So to add -a Host header for B you would call: - - OCSP_REQ_CTX_add1_header(ctx, "Host", "ocsp.com"); - -OCSP_sendreq_bio() does not support timeout nor setting extra headers. -It is retained for compatibility. -Better use B instead. +responder or NULL if an error occurred. =head1 SEE ALSO @@ -126,11 +100,17 @@ L =head1 HISTORY -The OCSP_REQ_CTX_set1_req() function was deprecated in OpenSSL 3.0. +B, +OCSP_REQ_CTX_i2d(), +OCSP_REQ_CTX_add1_header(), +OCSP_REQ_CTX_free(), +OCSP_set_max_response_length(), +and OCSP_REQ_CTX_set1_req() +were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_HTTP_REQ_CTX.pod b/doc/man3/OSSL_HTTP_REQ_CTX.pod new file mode 100644 index 0000000000..b75bac5f8c --- /dev/null +++ b/doc/man3/OSSL_HTTP_REQ_CTX.pod @@ -0,0 +1,183 @@ +=pod + +=head1 NAME + +OSSL_HTTP_REQ_CTX, +OSSL_HTTP_REQ_CTX_new, +OSSL_HTTP_REQ_CTX_free, +OSSL_HTTP_REQ_CTX_header, +OSSL_HTTP_REQ_CTX_add1_header, +OSSL_HTTP_REQ_CTX_i2d, +OSSL_HTTP_REQ_CTX_nbio, +OSSL_HTTP_REQ_CTX_sendreq_d2i, +OSSL_HTTP_REQ_CTX_get0_mem_bio, +OSSL_HTTP_REQ_CTX_set_max_response_length +- HTTP request functions + +=head1 SYNOPSIS + + #include + + typedef struct ossl_http_req_ctx_st OSSL_HTTP_REQ_CTX; + + OSSL_HTTP_REQ_CTX *OSSL_HTTP_REQ_CTX_new(BIO *wbio, BIO *rbio, + int method_GET, int maxline, + unsigned long max_resp_len, + int timeout, + const char *expected_content_type, + int expect_asn1); + void OSSL_HTTP_REQ_CTX_free(OSSL_HTTP_REQ_CTX *rctx); + + int OSSL_HTTP_REQ_CTX_header(OSSL_HTTP_REQ_CTX *rctx, + const char *server, + const char *port, const char *path); + int OSSL_HTTP_REQ_CTX_add1_header(OSSL_HTTP_REQ_CTX *rctx, + const char *name, const char *value); + + int OSSL_HTTP_REQ_CTX_i2d(OSSL_HTTP_REQ_CTX *rctx, const char *content_type, + const ASN1_ITEM *it, ASN1_VALUE *req); + int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx); + ASN1_VALUE *OSSL_HTTP_REQ_CTX_sendreq_d2i(OSSL_HTTP_REQ_CTX *rctx, + const ASN1_ITEM *it); + + BIO *OSSL_HTTP_REQ_CTX_get0_mem_bio(OSSL_HTTP_REQ_CTX *rctx); + void OSSL_HTTP_REQ_CTX_set_max_response_length(OSSL_HTTP_REQ_CTX *rctx, + unsigned long len); + +=head1 DESCRIPTION + +B is a context structure for an HTTP request, used to +collect all the necessary data to perform that request. + +This file documents low-level HTTP functions rarely used directly. High-level +HTTP client functions like L and L +should be preferred. + +OSSL_HTTP_REQ_CTX_new() allocates a new HTTP request context structure, which +gets populated with the B to send the request to (I), the B to +read the response from (I, which may be the same as I), the +request method (I, which may be 1 to indicate that the C +method is to be used, or 0 to indicate that the C method is to be used), +the maximum expected response header length (I, where any zero +or less indicates the default of 4KiB), a response timeout measure in seconds +(I, where 0 indicates no timeout, i.e., waiting indefinitely), the +expected MIME content type of the response (I, which +may be NULL for no expectation), and a flag indicating that the response is +expected to be a DER encoded ASN.1 structure (I). +The allocated context structure is also populated with an internal allocated +memory B, which collects the HTTP request and additional headers as text. +The returned context should only be used for a single HTTP request/response. + +OSSL_HTTP_REQ_CTX_free() frees up the HTTP request context I. +The I and I are not free'd and it is up to the application +to do so. + +OSSL_HTTP_REQ_CTX_header() adds an HTTP request line to the request context. +The request command itself becomes C or C depending on the value +of I in the OSSL_HTTP_REQ_CTX_new() call. I and I +may be set to indicate a proxy server and port that the request should go +through, otherwise they should be left NULL. I is the HTTP request path; +if left NULL, C is used. + +OSSL_HTTP_REQ_CTX_add1_header() adds header I with value I to the +context I. It can be called more than once to add multiple headers. +For example, to add a C header for C you would call: + + OSSL_HTTP_REQ_CTX_add1_header(ctx, "Host", "example.com"); + +OSSL_HTTP_REQ_CTX_i2d() finalizes the HTTP request context by adding the DER +encoding of I, using the ASN.1 template I to do the encoding. The +HTTP header C is automatically filled out, and if +I isn't NULL, the HTTP header C is also added with +its content as value. All of this ends up in the internal memory B. +This requires that the request type be C, i.e. that I is 0 +in the OSSL_HTTP_REQ_CTX_new() call. + +OSSL_HTTP_REQ_CTX_nbio() attempts the exchange of request and response via HTTP, +using the I and I that were given in the OSSL_HTTP_REQ_CTX_new() +call. When successful, the contents of the internal memory B is replaced +with the contents of the HTTP response, without the response headers. +It may need to be called again if its result is -1, which indicates +L. In such a case it is advisable to sleep a little in +between to prevent a busy loop. + +OSSL_HTTP_REQ_CTX_sendreq_d2i() calls OSSL_HTTP_REQ_CTX_nbio(), possibly +several times until a timeout is reached, and DER decodes the received +response using the ASN.1 template I. + +OSSL_HTTP_REQ_CTX_set_max_response_length() sets the maximum response length +for I to I. If the response exceeds this length an error occurs. +If not set a default value of 100k is used. + +OSSL_HTTP_REQ_CTX_get0_mem_bio() returns the internal memory B. This can +be used to affect the HTTP request text. I + +=head1 WARNINGS + +The server's response may be unexpected if the hostname that was used to +create the I, any C header, and the host specified in the +request URL do not match. + +Many of these functions must be called in a certain order. + +First, the HTTP request context must be allocated: +OSSL_HTTP_REQ_CTX_new(). + +Then, the HTTP request must be prepared with request data: + +=over 4 + +=item 1. + +Calling OSSL_HTTP_REQ_CTX_header(). This must be done exactly once. + +=item 2. + +Adding extra headers with OSSL_HTTP_REQ_CTX_add1_header(). This is optional. + +=item 3. + +Add C data with OSSL_HTTP_REQ_CTX_i2d(). This may only be done if +I was 0 in the OSSL_HTTP_REQ_CTX_new() call, and must be done +exactly once in that case. + +=back + +When the request context is fully prepared, the HTTP exchange may be performed +with OSSL_HTTP_REQ_CTX_nbio() or OSSL_HTTP_REQ_CTX_sendreq_d2i(). + +Furthermore, all calls of OSSL_HTTP_REQ_CTX_header() and +OSSL_HTTP_REQ_CTX_add1_header() must be done before any call to +int OSSL_HTTP_REQ_CTX_nbio() or OSSL_HTTP_REQ_CTX_sendreq_d2i(). + +=head1 RETURN VALUES + +OSSL_HTTP_REQ_CTX_new() returns a pointer to a B, or NULL +on error. + +OSSL_HTTP_REQ_CTX_free() and OSSL_HTTP_REQ_CTX_set_max_response_length() +do not return values. + +OSSL_HTTP_REQ_CTX_header(), OSSL_HTTP_REQ_CTX_add1_header(), +OSSL_HTTP_REQ_CTX_i2d() and OSSL_HTTP_REQ_CTX_nbio return 1 for success and 0 +for failure. + +OSSL_HTTP_REQ_CTX_sendreq_d2i() returns a pointer to an B for +success and NULL for failure. + +OSSL_HTTP_REQ_CTX_get0_mem_bio() returns the internal memory B. + +=head1 SEE ALSO + +L + +=head1 COPYRIGHT + +Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/include/openssl/http.h b/include/openssl/http.h index 2c9ce9d86e..0bd32e514e 100644 --- a/include/openssl/http.h +++ b/include/openssl/http.h @@ -35,6 +35,27 @@ typedef BIO *(*OSSL_HTTP_bio_cb_t)(BIO *bio, void *arg, int connect, int detail) # define OPENSSL_HTTP_PROXY "HTTP_PROXY" # define OPENSSL_HTTPS_PROXY "HTTPS_PROXY" +OSSL_HTTP_REQ_CTX *OSSL_HTTP_REQ_CTX_new(BIO *wbio, BIO *rbio, + int method_GET, int maxline, + unsigned long max_resp_len, + int timeout, + const char *expected_content_type, + int expect_asn1); +void OSSL_HTTP_REQ_CTX_free(OSSL_HTTP_REQ_CTX *rctx); +int OSSL_HTTP_REQ_CTX_header(OSSL_HTTP_REQ_CTX *rctx, + const char *server, + const char *port, const char *path); +int OSSL_HTTP_REQ_CTX_add1_header(OSSL_HTTP_REQ_CTX *rctx, + const char *name, const char *value); +int OSSL_HTTP_REQ_CTX_i2d(OSSL_HTTP_REQ_CTX *rctx, const char *content_type, + const ASN1_ITEM *it, ASN1_VALUE *req); +int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx); +ASN1_VALUE *OSSL_HTTP_REQ_CTX_sendreq_d2i(OSSL_HTTP_REQ_CTX *rctx, + const ASN1_ITEM *it); +BIO *OSSL_HTTP_REQ_CTX_get0_mem_bio(OSSL_HTTP_REQ_CTX *rctx); +void OSSL_HTTP_REQ_CTX_set_max_response_length(OSSL_HTTP_REQ_CTX *rctx, + unsigned long len); + BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy, BIO *bio, BIO *rbio, OSSL_HTTP_bio_cb_t bio_update_fn, void *arg, diff --git a/include/openssl/ocsp.h.in b/include/openssl/ocsp.h.in index 8422ecf451..c3a0b0e267 100644 --- a/include/openssl/ocsp.h.in +++ b/include/openssl/ocsp.h.in @@ -23,7 +23,8 @@ use OpenSSL::stackhash qw(generate_stack_macros); # endif # include -# include /* for OSSL_HTTP_parse_url */ +# include +# include /* * These definitions are outside the OPENSSL_NO_OCSP guard because although for @@ -56,30 +57,6 @@ use OpenSSL::stackhash qw(generate_stack_macros); # define OCSP_REVOKED_STATUS_PRIVILEGEWITHDRAWN 9 # define OCSP_REVOKED_STATUS_AACOMPROMISE 10 -/* - * These definitions are outside the OPENSSL_NO_OCSP guard because although for - * historical reasons they have OCSP_* names, they are used for the HTTP client. - */ -# include -/* The following functions are used only internally */ -OCSP_REQ_CTX *OCSP_REQ_CTX_new(BIO *wbio, BIO *rbio, - int method_GET, int maxline, - unsigned long max_resp_len, int timeout, - const char *expected_content_type, - int expect_asn1); -void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx); -int OCSP_REQ_CTX_http(OCSP_REQ_CTX *rctx, - const char *server, const char *port, const char *path); -int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, - const char *name, const char *value); -int OCSP_REQ_CTX_i2d(OCSP_REQ_CTX *rctx, const char *content_type, - const ASN1_ITEM *it, ASN1_VALUE *req); -int OCSP_REQ_CTX_nbio(OCSP_REQ_CTX *rctx); -ASN1_VALUE *OCSP_REQ_CTX_nbio_d2i(OCSP_REQ_CTX *rctx, const ASN1_ITEM *it); -BIO *OCSP_REQ_CTX_get0_mem_bio(OCSP_REQ_CTX *rctx); -void OCSP_set_max_response_length(OCSP_REQ_CTX *rctx, unsigned long len); -/* End of functions used only internally */ - # ifndef OPENSSL_NO_OCSP @@ -194,13 +171,33 @@ typedef struct ocsp_service_locator_st OCSP_SERVICELOC; DECLARE_ASN1_DUP_FUNCTION(OCSP_CERTID) OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req); -OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req, - int maxline); -int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx); +OSSL_HTTP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, + OCSP_REQUEST *req, int maxline); +int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OSSL_HTTP_REQ_CTX *rctx); # ifndef OPENSSL_NO_DEPRECATED_3_0 +typedef OSSL_HTTP_REQ_CTX OCSP_REQ_CTX; OSSL_DEPRECATEDIN_3_0 -int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, const OCSP_REQUEST *req); +int OCSP_REQ_CTX_set1_req(OSSL_HTTP_REQ_CTX *rctx, const OCSP_REQUEST *req); + +# define OCSP_REQ_CTX_new(wb, rb, m, ml, mrl, t, ect, ea) \ + OSSL_HTTP_REQ_CTX_new(wb, rb, m, ml, mrl, t, ect, ea) +# define OCSP_REQ_CTX_free(r) \ + OSSL_HTTP_REQ_CTX_free(r) +# define OCSP_REQ_CTX_http(r, s, po, pa) \ + OSSL_HTTP_REQ_CTX_header(r, s, po, pa) +# define OCSP_REQ_CTX_add1_header(r, n, v) \ + OSSL_HTTP_REQ_CTX_add1_header(r, n, v) +# define OCSP_REQ_CTX_i2d(r, c, i, req) \ + OSSL_HTTP_REQ_CTX_i2d(r, c, i, req) +# define OCSP_REQ_CTX_nbio(r) \ + OSSL_HTTP_REQ_CTX_nbio(r) +# define OCSP_REQ_CTX_nbio_d2i(r, i) \ + OSSL_HTTP_REQ_CTX_sendreq_d2i(r, i) +# define OCSP_REQ_CTX_get0_mem_bio(r) \ + OSSL_HTTP_REQ_CTX_get0_mem_bio(r) +# define OCSP_set_max_response_length(r, l) \ + OSSL_HTTP_REQ_CTX_set_max_response_length(r, l) # endif OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject, diff --git a/include/openssl/types.h b/include/openssl/types.h index d44eb03a7c..cf11b8549d 100644 --- a/include/openssl/types.h +++ b/include/openssl/types.h @@ -196,7 +196,7 @@ typedef struct NAME_CONSTRAINTS_st NAME_CONSTRAINTS; typedef struct crypto_ex_data_st CRYPTO_EX_DATA; -typedef struct ossl_http_req_ctx_st OCSP_REQ_CTX; /* backward compatibility */ +typedef struct ossl_http_req_ctx_st OSSL_HTTP_REQ_CTX; typedef struct ocsp_response_st OCSP_RESPONSE; typedef struct ocsp_responder_id_st OCSP_RESPID; diff --git a/util/indent.pro b/util/indent.pro index 509377d204..4851c7338a 100644 --- a/util/indent.pro +++ b/util/indent.pro @@ -302,7 +302,7 @@ -T OCSP_ONEREQ -T OCSP_REQINFO -T OCSP_REQUEST --T OCSP_REQ_CTX +-T OSSL_HTTP_REQ_CTX -T OCSP_RESPBYTES -T OCSP_RESPDATA -T OCSP_RESPID diff --git a/util/libcrypto.num b/util/libcrypto.num index 16536b2a6e..a1e9b5cc34 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -133,7 +133,7 @@ d2i_OCSP_BASICRESP 134 3_0_0 EXIST::FUNCTION:OCSP X509v3_add_ext 135 3_0_0 EXIST::FUNCTION: X509v3_addr_subset 136 3_0_0 EXIST::FUNCTION:RFC3779 CRYPTO_strndup 137 3_0_0 EXIST::FUNCTION: -OCSP_REQ_CTX_free 138 3_0_0 EXIST::FUNCTION: +OSSL_HTTP_REQ_CTX_free 138 3_0_0 EXIST::FUNCTION: X509_STORE_new 140 3_0_0 EXIST::FUNCTION: ASN1_TYPE_free 141 3_0_0 EXIST::FUNCTION: PKCS12_BAGS_new 142 3_0_0 EXIST::FUNCTION: @@ -615,7 +615,7 @@ UI_get0_result_string 629 3_0_0 EXIST::FUNCTION: TS_RESP_CTX_add_policy 630 3_0_0 EXIST::FUNCTION:TS X509_REQ_dup 631 3_0_0 EXIST::FUNCTION: d2i_DSA_PUBKEY_fp 633 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DSA,STDIO -OCSP_REQ_CTX_nbio_d2i 634 3_0_0 EXIST::FUNCTION: +OSSL_HTTP_REQ_CTX_sendreq_d2i 634 3_0_0 EXIST::FUNCTION: d2i_X509_REQ_fp 635 3_0_0 EXIST::FUNCTION:STDIO DH_OpenSSL 636 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DH BN_get_rfc3526_prime_8192 637 3_0_0 EXIST::FUNCTION: @@ -1115,7 +1115,7 @@ PEM_write_bio_PKCS7 1141 3_0_0 EXIST::FUNCTION: MDC2_Final 1142 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,MDC2 SMIME_crlf_copy 1143 3_0_0 EXIST::FUNCTION: OCSP_REQUEST_get_ext_count 1144 3_0_0 EXIST::FUNCTION:OCSP -OCSP_REQ_CTX_new 1145 3_0_0 EXIST::FUNCTION: +OSSL_HTTP_REQ_CTX_new 1145 3_0_0 EXIST::FUNCTION: X509_load_cert_crl_file 1146 3_0_0 EXIST::FUNCTION: EVP_PKEY_new_mac_key 1147 3_0_0 EXIST::FUNCTION: DIST_POINT_new 1148 3_0_0 EXIST::FUNCTION: @@ -1379,7 +1379,7 @@ BIO_set_ex_data 1411 3_0_0 EXIST::FUNCTION: SHA512 1412 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 X509_STORE_CTX_get_explicit_policy 1413 3_0_0 EXIST::FUNCTION: EVP_DecodeBlock 1414 3_0_0 EXIST::FUNCTION: -OCSP_REQ_CTX_http 1415 3_0_0 EXIST::FUNCTION: +OSSL_HTTP_REQ_CTX_header 1415 3_0_0 EXIST::FUNCTION: EVP_MD_CTX_reset 1416 3_0_0 EXIST::FUNCTION: X509_NAME_new 1417 3_0_0 EXIST::FUNCTION: ASN1_item_pack 1418 3_0_0 EXIST::FUNCTION: @@ -1577,7 +1577,7 @@ BIO_ADDRINFO_address 1613 3_0_0 EXIST::FUNCTION:SOCK ASN1_STRING_print_ex 1614 3_0_0 EXIST::FUNCTION: i2d_CMS_ReceiptRequest 1615 3_0_0 EXIST::FUNCTION:CMS d2i_TS_REQ_fp 1616 3_0_0 EXIST::FUNCTION:STDIO,TS -OCSP_REQ_CTX_i2d 1617 3_0_0 EXIST::FUNCTION: +OSSL_HTTP_REQ_CTX_i2d 1617 3_0_0 EXIST::FUNCTION: EVP_PKEY_get_default_digest_nid 1618 3_0_0 EXIST::FUNCTION: ASIdOrRange_new 1619 3_0_0 EXIST::FUNCTION:RFC3779 ASN1_SCTX_new 1620 3_0_0 EXIST::FUNCTION: @@ -1593,7 +1593,7 @@ CRYPTO_ocb128_cleanup 1629 3_0_0 EXIST::FUNCTION:OCB EVP_des_ede_cbc 1630 3_0_0 EXIST::FUNCTION:DES i2d_ASN1_TIME 1631 3_0_0 EXIST::FUNCTION: ENGINE_register_all_pkey_asn1_meths 1632 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE -OCSP_set_max_response_length 1633 3_0_0 EXIST::FUNCTION: +OSSL_HTTP_REQ_CTX_set_max_response_length 1633 3_0_0 EXIST::FUNCTION: d2i_ISSUING_DIST_POINT 1634 3_0_0 EXIST::FUNCTION: CMS_RecipientInfo_set0_key 1635 3_0_0 EXIST::FUNCTION:CMS NCONF_new 1636 3_0_0 EXIST::FUNCTION: @@ -1850,7 +1850,7 @@ OCSP_ONEREQ_add_ext 1892 3_0_0 EXIST::FUNCTION:OCSP CMS_uncompress 1893 3_0_0 EXIST::FUNCTION:CMS CRYPTO_mem_debug_pop 1895 3_0_0 EXIST::FUNCTION:CRYPTO_MDEBUG,DEPRECATEDIN_3_0 EVP_aes_192_cfb128 1896 3_0_0 EXIST::FUNCTION: -OCSP_REQ_CTX_nbio 1897 3_0_0 EXIST::FUNCTION: +OSSL_HTTP_REQ_CTX_nbio 1897 3_0_0 EXIST::FUNCTION: EVP_CIPHER_CTX_copy 1898 3_0_0 EXIST::FUNCTION: CRYPTO_secure_allocated 1899 3_0_0 EXIST::FUNCTION: UI_UTIL_read_pw_string 1900 3_0_0 EXIST::FUNCTION: @@ -2416,7 +2416,7 @@ Camellia_decrypt 2466 3_0_0 EXIST::FUNCTION:CAMELLIA,DEPR X509_signature_print 2467 3_0_0 EXIST::FUNCTION: EVP_camellia_128_ecb 2468 3_0_0 EXIST::FUNCTION:CAMELLIA MD2_Final 2469 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,MD2 -OCSP_REQ_CTX_add1_header 2470 3_0_0 EXIST::FUNCTION: +OSSL_HTTP_REQ_CTX_add1_header 2470 3_0_0 EXIST::FUNCTION: NETSCAPE_SPKAC_it 2471 3_0_0 EXIST::FUNCTION: ASIdOrRange_free 2472 3_0_0 EXIST::FUNCTION:RFC3779 EC_POINT_get_Jprojective_coordinates_GFp 2473 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC @@ -3762,7 +3762,7 @@ i2d_PrivateKey_bio 3843 3_0_0 EXIST::FUNCTION: RSA_padding_add_PKCS1_type_1 3844 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 i2d_re_X509_tbs 3845 3_0_0 EXIST::FUNCTION: EVP_CIPHER_iv_length 3846 3_0_0 EXIST::FUNCTION: -OCSP_REQ_CTX_get0_mem_bio 3847 3_0_0 EXIST::FUNCTION: +OSSL_HTTP_REQ_CTX_get0_mem_bio 3847 3_0_0 EXIST::FUNCTION: i2d_PKCS8PrivateKeyInfo_bio 3848 3_0_0 EXIST::FUNCTION: d2i_OCSP_CERTID 3849 3_0_0 EXIST::FUNCTION:OCSP EVP_CIPHER_meth_set_init 3850 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt index 8b3ebab119..169aab1bd6 100644 --- a/util/missingcrypto.txt +++ b/util/missingcrypto.txt @@ -791,6 +791,11 @@ OCSP_ONEREQ_get_ext_by_critical(3) OCSP_ONEREQ_get_ext_count(3) OCSP_ONEREQ_it(3) OCSP_REQINFO_it(3) +OCSP_REQ_CTX_get0_mem_bio(3) +OCSP_REQ_CTX_http(3) +OCSP_REQ_CTX_new(3) +OCSP_REQ_CTX_nbio(3) +OCSP_REQ_CTX_nbio_d2i(3) OCSP_REQUEST_add1_ext_i2d(3) OCSP_REQUEST_add_ext(3) OCSP_REQUEST_delete_ext(3) @@ -802,11 +807,6 @@ OCSP_REQUEST_get_ext_by_critical(3) OCSP_REQUEST_get_ext_count(3) OCSP_REQUEST_it(3) OCSP_REQUEST_print(3) -OCSP_REQ_CTX_get0_mem_bio(3) -OCSP_REQ_CTX_http(3) -OCSP_REQ_CTX_nbio(3) -OCSP_REQ_CTX_nbio_d2i(3) -OCSP_REQ_CTX_new(3) OCSP_RESPBYTES_it(3) OCSP_RESPDATA_it(3) OCSP_RESPID_it(3) diff --git a/util/other.syms b/util/other.syms index 3ffbcb1005..9644d3d02d 100644 --- a/util/other.syms +++ b/util/other.syms @@ -55,6 +55,7 @@ OSSL_ENCODER_CTX datatype OSSL_ENCODER_CONSTRUCT datatype OSSL_ENCODER_CLEANUP datatype OSSL_ENCODER_INSTANCE datatype +OSSL_HTTP_REQ_CTX datatype OSSL_STORE_CTX datatype OSSL_STORE_INFO datatype OSSL_STORE_LOADER datatype @@ -332,6 +333,10 @@ EVP_seed_cfb define EVP_sm4_cfb define OBJ_cleanup define deprecated 1.1.0 OCSP_parse_url define +OCSP_REQ_CTX_add1_header define deprecated 3.0.0 +OCSP_REQ_CTX_free define deprecated 3.0.0 +OCSP_REQ_CTX_i2d define deprecated 3.0.0 +OCSP_set_max_response_length define deprecated 3.0.0 OPENSSL_FILE define OPENSSL_FUNC define OPENSSL_LINE define From levitte at openssl.org Tue Jan 19 11:36:50 2021 From: levitte at openssl.org (Richard Levitte) Date: Tue, 19 Jan 2021 11:36:50 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1611056210.421071.32561.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via a83690c0b61e342f35a9583868b74e7ff6023101 (commit) from 76ed0c0ad119569f6e6f6c96b27b76d3b110413b (commit) - Log ----------------------------------------------------------------- commit a83690c0b61e342f35a9583868b74e7ff6023101 Author: Richard Levitte Date: Mon Jan 18 10:51:11 2021 +0100 DOCS: Fix incorrect pass phrase options references There were a number of older style references to the pass phrase options section, now streamlined with the current openssl(1). Fixes #13883 Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/13886) ----------------------------------------------------------------------- Summary of changes: doc/man1/ca.pod | 2 +- doc/man1/cms.pod | 2 +- doc/man1/dgst.pod | 2 +- doc/man1/dsa.pod | 4 ++-- doc/man1/ec.pod | 4 ++-- doc/man1/enc.pod | 2 +- doc/man1/genpkey.pod | 2 +- doc/man1/genrsa.pod | 2 +- doc/man1/pkcs12.pod | 12 ++++-------- doc/man1/pkcs8.pod | 4 ++-- doc/man1/pkey.pod | 4 ++-- doc/man1/pkeyutl.pod | 2 +- doc/man1/req.pod | 4 ++-- doc/man1/rsa.pod | 4 ++-- doc/man1/s_client.pod | 2 +- doc/man1/s_server.pod | 2 +- doc/man1/smime.pod | 2 +- doc/man1/spkac.pod | 2 +- doc/man1/storeutl.pod | 2 +- doc/man1/ts.pod | 2 +- doc/man1/x509.pod | 2 +- 21 files changed, 30 insertions(+), 34 deletions(-) diff --git a/doc/man1/ca.pod b/doc/man1/ca.pod index 159d9d8125..39726b7ae6 100644 --- a/doc/man1/ca.pod +++ b/doc/man1/ca.pod @@ -163,7 +163,7 @@ self-signed certificate. =item B<-passin arg> The key password source. For more information about the format of B -see the B section in L. +see L. =item B<-notext> diff --git a/doc/man1/cms.pod b/doc/man1/cms.pod index 72cd9b5d4e..e9c35cb2d1 100644 --- a/doc/man1/cms.pod +++ b/doc/man1/cms.pod @@ -465,7 +465,7 @@ or to modify default parameters for ECDH. =item B<-passin arg> The private key password source. For more information about the format of B -see the B section in L. +see L. =item B<-rand file...> diff --git a/doc/man1/dgst.pod b/doc/man1/dgst.pod index 4c6034cdd6..155c971081 100644 --- a/doc/man1/dgst.pod +++ b/doc/man1/dgst.pod @@ -109,7 +109,7 @@ Names and values of these options are algorithm-specific. =item B<-passin arg> The private key password source. For more information about the format of B -see the B section in L. +see L. =item B<-verify filename> diff --git a/doc/man1/dsa.pod b/doc/man1/dsa.pod index fb6cbf122a..39c2dbd122 100644 --- a/doc/man1/dsa.pod +++ b/doc/man1/dsa.pod @@ -75,7 +75,7 @@ prompted for. =item B<-passin arg> The input file password source. For more information about the format of B -see the B section in L. +see L. =item B<-out filename> @@ -87,7 +87,7 @@ filename. =item B<-passout arg> The output file password source. For more information about the format of B -see the B section in L. +see L. =item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea> diff --git a/doc/man1/ec.pod b/doc/man1/ec.pod index 4d368e20ae..776fbc7359 100644 --- a/doc/man1/ec.pod +++ b/doc/man1/ec.pod @@ -68,7 +68,7 @@ prompted for. =item B<-passin arg> The input file password source. For more information about the format of B -see the B section in L. +see L. =item B<-out filename> @@ -80,7 +80,7 @@ filename. =item B<-passout arg> The output file password source. For more information about the format of B -see the B section in L. +see L. =item B<-des|-des3|-idea> diff --git a/doc/man1/enc.pod b/doc/man1/enc.pod index 7bba89ee07..621ad4b1b2 100644 --- a/doc/man1/enc.pod +++ b/doc/man1/enc.pod @@ -76,7 +76,7 @@ The output filename, standard output by default. =item B<-pass arg> The password source. For more information about the format of B -see the B section in L. +see L. =item B<-e> diff --git a/doc/man1/genpkey.pod b/doc/man1/genpkey.pod index 1ba54d4866..3a2b46f2b9 100644 --- a/doc/man1/genpkey.pod +++ b/doc/man1/genpkey.pod @@ -44,7 +44,7 @@ This specifies the output format DER or PEM. The default format is PEM. =item B<-pass arg> The output file password source. For more information about the format of B -see the B section in L. +see L. =item B<-I> diff --git a/doc/man1/genrsa.pod b/doc/man1/genrsa.pod index a9c994ffb1..023081ce8b 100644 --- a/doc/man1/genrsa.pod +++ b/doc/man1/genrsa.pod @@ -51,7 +51,7 @@ standard output is used. =item B<-passout arg> The output file password source. For more information about the format -of B see the B section in L. +of B see L. =item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea> diff --git a/doc/man1/pkcs12.pod b/doc/man1/pkcs12.pod index fdaf6e49cd..c1a3cee050 100644 --- a/doc/man1/pkcs12.pod +++ b/doc/man1/pkcs12.pod @@ -78,14 +78,12 @@ default. They are all written in PEM format. =item B<-passin arg> The PKCS#12 file (i.e. input file) password source. For more information about -the format of B see the B section in -L. +the format of B see L. =item B<-passout arg> Pass phrase source to encrypt any outputted private keys with. For more -information about the format of B see the B section -in L. +information about the format of B see L. =item B<-password arg> @@ -206,14 +204,12 @@ displays them. =item B<-pass arg>, B<-passout arg> The PKCS#12 file (i.e. output file) password source. For more information about -the format of B see the B section in -L. +the format of B see L. =item B<-passin password> Pass phrase source to decrypt any input private keys with. For more information -about the format of B see the B section in -L. +about the format of B see L. =item B<-chain> diff --git a/doc/man1/pkcs8.pod b/doc/man1/pkcs8.pod index 9efc8bc11e..ff7dfe4c09 100644 --- a/doc/man1/pkcs8.pod +++ b/doc/man1/pkcs8.pod @@ -75,7 +75,7 @@ prompted for. =item B<-passin arg> The input file password source. For more information about the format of B -see the B section in L. +see L. =item B<-out filename> @@ -87,7 +87,7 @@ filename. =item B<-passout arg> The output file password source. For more information about the format of B -see the B section in L. +see L. =item B<-iter count> diff --git a/doc/man1/pkey.pod b/doc/man1/pkey.pod index 9569fe0e41..762811be0a 100644 --- a/doc/man1/pkey.pod +++ b/doc/man1/pkey.pod @@ -57,7 +57,7 @@ prompted for. =item B<-passin arg> The input file password source. For more information about the format of B -see the B section in L. +see L. =item B<-out filename> @@ -69,7 +69,7 @@ filename. =item B<-passout password> The output file password source. For more information about the format of B -see the B section in L. +see L. =item B<-traditional> diff --git a/doc/man1/pkeyutl.pod b/doc/man1/pkeyutl.pod index ae24fdc100..6a26838fc6 100644 --- a/doc/man1/pkeyutl.pod +++ b/doc/man1/pkeyutl.pod @@ -74,7 +74,7 @@ The key format PEM, DER or ENGINE. Default is PEM. =item B<-passin arg> The input key password source. For more information about the format of B -see the B section in L. +see L. =item B<-peerkey file> diff --git a/doc/man1/req.pod b/doc/man1/req.pod index 730c59079d..dc2db3db3c 100644 --- a/doc/man1/req.pod +++ b/doc/man1/req.pod @@ -91,7 +91,7 @@ Names and values of these options are algorithm-specific. =item B<-passin arg> The input file password source. For more information about the format of B -see the B section in L. +see L. =item B<-out filename> @@ -101,7 +101,7 @@ default. =item B<-passout arg> The output file password source. For more information about the format of B -see the B section in L. +see L. =item B<-text> diff --git a/doc/man1/rsa.pod b/doc/man1/rsa.pod index 37f64616c0..089e0080b4 100644 --- a/doc/man1/rsa.pod +++ b/doc/man1/rsa.pod @@ -75,7 +75,7 @@ prompted for. =item B<-passin arg> The input file password source. For more information about the format of B -see the B section in L. +see L. =item B<-out filename> @@ -87,7 +87,7 @@ filename. =item B<-passout password> The output file password source. For more information about the format of B -see the B section in L. +see L. =item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea> diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod index 132778b4d9..0224541d74 100644 --- a/doc/man1/s_client.pod +++ b/doc/man1/s_client.pod @@ -258,7 +258,7 @@ Extra certificate and private key format respectively. =item B<-pass arg> the private key password source. For more information about the format of B -see the B section in L. +see L. =item B<-verify depth> diff --git a/doc/man1/s_server.pod b/doc/man1/s_server.pod index c78a677abc..968d0eac03 100644 --- a/doc/man1/s_server.pod +++ b/doc/man1/s_server.pod @@ -297,7 +297,7 @@ The private format to use: DER or PEM. PEM is the default. =item B<-pass val> The private key password source. For more information about the format of B -see the B section in L. +see L. =item B<-dcert infile>, B<-dkey infile> diff --git a/doc/man1/smime.pod b/doc/man1/smime.pod index 7f224fdc5e..dead874286 100644 --- a/doc/man1/smime.pod +++ b/doc/man1/smime.pod @@ -295,7 +295,7 @@ specified, the argument is given to the engine as a key identifier. =item B<-passin arg> The private key password source. For more information about the format of B -see the B section in L. +see L. =item B<-rand file...> diff --git a/doc/man1/spkac.pod b/doc/man1/spkac.pod index 655f135807..2cc2089ff3 100644 --- a/doc/man1/spkac.pod +++ b/doc/man1/spkac.pod @@ -60,7 +60,7 @@ The default is PEM. =item B<-passin password> The input file password source. For more information about the format of B -see the B section in L. +see L. =item B<-challenge string> diff --git a/doc/man1/storeutl.pod b/doc/man1/storeutl.pod index a8d82bfb61..bbd14928b5 100644 --- a/doc/man1/storeutl.pod +++ b/doc/man1/storeutl.pod @@ -51,7 +51,7 @@ this option prevents output of the PEM data. =item B<-passin arg> the key password source. For more information about the format of B -see the B section in L. +see L. =item B<-text> diff --git a/doc/man1/ts.pod b/doc/man1/ts.pod index ee700a8f6e..b7038adfc1 100644 --- a/doc/man1/ts.pod +++ b/doc/man1/ts.pod @@ -242,7 +242,7 @@ The name of the file containing a DER encoded timestamp request. (Optional) =item B<-passin> password_src Specifies the password source for the private key of the TSA. See -B in L. (Optional) +L. (Optional) =item B<-signer> tsa_cert.pem diff --git a/doc/man1/x509.pod b/doc/man1/x509.pod index 98d285e414..12b1243739 100644 --- a/doc/man1/x509.pod +++ b/doc/man1/x509.pod @@ -376,7 +376,7 @@ Names and values of these options are algorithm-specific. =item B<-passin arg> The key password source. For more information about the format of B -see the B section in L. +see L. =item B<-clrext> From dev at ddvo.net Tue Jan 19 16:25:51 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Tue, 19 Jan 2021 16:25:51 +0000 Subject: [openssl] master update Message-ID: <1611073551.232551.733.nullmailer@dev.openssl.org> The branch master has been updated via c972577684f8627267556f0bffa3c4035e9456e4 (commit) from 83b6dc8dc739ce7ca82652461bea92c31e634a57 (commit) - Log ----------------------------------------------------------------- commit c972577684f8627267556f0bffa3c4035e9456e4 Author: Dr. David von Oheimb Date: Sat Dec 19 19:50:16 2020 +0100 util/check-format.pl: Minor improvements of whitespace checks Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13710) ----------------------------------------------------------------------- Summary of changes: util/check-format-test-negatives.c | 4 ++-- util/check-format-test-positives.c | 4 +++- util/check-format.pl | 12 ++++++------ 3 files changed, 11 insertions(+), 9 deletions(-) diff --git a/util/check-format-test-negatives.c b/util/check-format-test-negatives.c index 3ce0740bc1..eb67d39a3d 100644 --- a/util/check-format-test-negatives.c +++ b/util/check-format-test-negatives.c @@ -242,9 +242,9 @@ struct s_type #define X 1 + 1 #define Y /* .. */ 2 + 2 -#define Z 3 + 3 +#define Z 3 + 3 * (*a++) -static varref cmp_vars[] = { /* comment */ +static varref cmp_vars[] = { /* comment. comment? comment! */ {&opt_config}, {&opt_section}, {&opt_server}, {&opt_proxy}, {&opt_path}, diff --git a/util/check-format-test-positives.c b/util/check-format-test-positives.c index c2ad61f0d2..cd64ee7997 100644 --- a/util/check-format-test-positives.c +++ b/util/check-format-test-positives.c @@ -42,7 +42,9 @@ *@ multi-line comment indent off by -1 *X*@ no spc after leading '*' in multi-line comment, reported unless sloppy-spc *@0 more than two spaces after . in comment, reported unless sloppy-spc -*/ /*@2 multi-line comment end indent off by -1 (relative to comment start) */ + *@0 more than two spaces after ? in comment, reported unless sloppy-spc + *@0 more than two spaces after ! in comment, reported unless sloppy-spc +*/ /*@ multi-line comment end indent off by -1 (relative to comment start) */ */ /*@ unexpected comment ending delimiter outside comment */ /*@ comment line is 4 columns tooooooooooooooooo wide, reported unless sloppy-len */ /*@ comment line is 5 columns toooooooooooooooooooooooooooooooooooooooooooooo wide */ diff --git a/util/check-format.pl b/util/check-format.pl index 3230dc31fb..a1f796c749 100755 --- a/util/check-format.pl +++ b/util/check-format.pl @@ -241,7 +241,7 @@ sub blind_nonspace { # blind non-space text of comment as @, preserving length a # the @ character is used because it cannot occur in normal program code so there is no confusion # comment text is not blinded to whitespace in order to be able to check double SPC also in comments my $comment_text = shift; - $comment_text =~ s/\.\s\s/.. /g; # in double SPC checks allow one extra space after period '.' in comments + $comment_text =~ s/([\.\?\!])\s\s/$1. /g; # in double SPC checks allow one extra space after period '.', '?', or '!' in comments return $comment_text =~ tr/ /@/cr; } @@ -675,17 +675,17 @@ while (<>) { # loop over all lines of all input files report("no SPC before '=' or '='") if $intra_line =~ m/\S(=)/; # '=' etc. without preceding space report("no SPC before '$1'") if $intra_line =~ m/\S([|\/%<>^\?])/; # |/%<>^? without preceding space # TODO ternary ':' without preceding SPC, while allowing no SPC before ':' after 'case' - report("no SPC before '$1'") if $intra_line =~ m/[^\s{()\[]([+\-])/;# +/- without preceding space or {()[ + report("no SPC before binary '$1'") if $intra_line =~ m/[^\s{()\[]([+\-])/;# +/- without preceding space or {()[ # or ')' (which is used f type casts) - report("no SPC before '$1'") if $intra_line =~ m/[^\s{()\[*]([*])/; # '*' without preceding space or {()[* - report("no SPC before '$1'") if $intra_line =~ m/[^\s{()\[]([&])/; # '&' without preceding space or {()[ + report("no SPC before binary '$1'") if $intra_line =~ m/[^\s{()\[*]([*])/; # '*' without preceding space or {()[* + report("no SPC before binary '$1'") if $intra_line =~ m/[^\s{()\[]([&])/; # '&' without preceding space or {()[ report("no SPC after ternary '$1'") if $intra_line =~ m/(:)[^\s\d]/; # ':' without following space or digit report("no SPC after '$1'") if $intra_line =~ m/([,;=|\/%<>^\?])\S/; # ,;=|/%<>^? without following space - report("no SPC after binary '$1'") if $intra_line=~m/([*])[^\sa-zA-Z_(),*]/;# '*' w/o space or \w(),* after + report("no SPC after binary '$1'") if $intra_line=~m/[^{(\[]([*])[^\sa-zA-Z_(),*]/;# '*' w/o space or \w(),* after # TODO unary '*' must not be followed by SPC report("no SPC after binary '$1'") if $intra_line=~m/([&])[^\sa-zA-Z_(]/; # '&' w/o following space or \w( # TODO unary '&' must not be followed by SPC - report("no SPC after binary '$1'") if $intra_line=~m/([+\-])[^\s\d(]/; # +/- w/o following space or \d( + report("no SPC after binary '$1'") if $intra_line=~m/[^{(\[]([+\-])[^\s\d(]/; # +/- w/o following space or \d( # TODO unary '+' and '-' must not be followed by SPC report("no SPC after '$2'") if $intra_line =~ m/(^|\W)(if|while|for|switch|case)[^\w\s]/; # kw w/o SPC report("no SPC after '$2'") if $intra_line =~ m/(^|\W)(return)[^\w\s;]/; # return w/o SPC or ';' From openssl at openssl.org Tue Jan 19 20:50:22 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 19 Jan 2021 20:50:22 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2 Message-ID: <1611089422.533990.3235470.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: ed4a9b15d9 replace all BIO_R_NULL_PARAMETER by ERR_R_PASSED_NULL_PARAMETER dc88a03906 bio_lib.c: Fix error queue entries and return codes on NULL args etc. ab8af35aa2 X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it 2c04b34140 Allow EVP_PKEY private key objects to be created without a public component 39f3427dc1 Fix incomplete deprecation guard in test/sslapitest.c 3f6e891d42 Fix crypto/des/build.info e604b7c915 Document openssl thread-safety 975aae76db Remove unused DRBG tests. 0434f9841d Correct typo in rsa_oaep.c 3bc061eb0a Enhance default provider documentation b11ba50fd9 Fix a failure where fetches can return NULL in multi-threaded code 7dd2cb5693 Fix an issue in provider_activate_fallbacks() b457c8f514 Extend the threads test to add simple fetch from multi threads f5a50c2a07 Enable locking on the primary DRBG when we create it 2c40421440 Make sure we take the ctx->lock in ossl_lib_ctx_generic_new() c25a1524aa Lock the provider operation_bits 886ad0045b Document the core_thread_start upcall ae95a40e8d Add a test for performing work in multiple concurrent threads f6b72c7d75 Fix a crash with multi-threaded applications using the FIPS module c476c06f50 find_issuer(): When returning an expired issuer, take the most recently expired one f5f4fbaa44 Make the OSSL_CMP manual conform with man-pages(7) 4369a882a5 Skip BOM when reading the config file 5eb24fbd1c OPENSSL_cpuid_setup FreeBSD arm update. b57ec7394a OPENSSL_cpuid_setup FreeBSD PowerPC update 879365e6d4 Make header references conform with man-pages(7) in all manuals 0f2380066d Make the OSSL_trace manual conform with man-pages(7) 2645c94bb5 Make the OSSL_PROVIDER manual conform with man-pages(7) ad2cc1a08e Make the OSSL_HTTP manual conform with man-pages(7) ab21608952 Make the OSSL_SELF_TEST manual conform with man-pages(7) b91f41daba Make the OSSL_PARAM manual conform with man-pages(7) Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 80C1F7A18B7F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80C1F7A18B7F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/yKPDj_Z8lU default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8081FD2F817F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8081FD2F817F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8081FD2F817F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8081FD2F817F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8081FD2F817F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8081FD2F817F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/yKPDj_Z8lU fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=228, Tests=3593, 885 wallclock secs (14.01 usr 1.62 sys + 793.11 cusr 91.84 csys = 900.58 CPU) Result: FAIL make[1]: *** [Makefile:3261: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2' make: *** [Makefile:3258: tests] Error 2 From openssl at openssl.org Tue Jan 19 23:09:58 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Tue, 19 Jan 2021 23:09:58 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method Message-ID: <1611097798.618778.3540114.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: ed4a9b15d9 replace all BIO_R_NULL_PARAMETER by ERR_R_PASSED_NULL_PARAMETER dc88a03906 bio_lib.c: Fix error queue entries and return codes on NULL args etc. ab8af35aa2 X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it 2c04b34140 Allow EVP_PKEY private key objects to be created without a public component 39f3427dc1 Fix incomplete deprecation guard in test/sslapitest.c 3f6e891d42 Fix crypto/des/build.info e604b7c915 Document openssl thread-safety 975aae76db Remove unused DRBG tests. 0434f9841d Correct typo in rsa_oaep.c 3bc061eb0a Enhance default provider documentation b11ba50fd9 Fix a failure where fetches can return NULL in multi-threaded code 7dd2cb5693 Fix an issue in provider_activate_fallbacks() b457c8f514 Extend the threads test to add simple fetch from multi threads f5a50c2a07 Enable locking on the primary DRBG when we create it 2c40421440 Make sure we take the ctx->lock in ossl_lib_ctx_generic_new() c25a1524aa Lock the provider operation_bits 886ad0045b Document the core_thread_start upcall ae95a40e8d Add a test for performing work in multiple concurrent threads f6b72c7d75 Fix a crash with multi-threaded applications using the FIPS module c476c06f50 find_issuer(): When returning an expired issuer, take the most recently expired one f5f4fbaa44 Make the OSSL_CMP manual conform with man-pages(7) 4369a882a5 Skip BOM when reading the config file 5eb24fbd1c OPENSSL_cpuid_setup FreeBSD arm update. b57ec7394a OPENSSL_cpuid_setup FreeBSD PowerPC update 879365e6d4 Make header references conform with man-pages(7) in all manuals 0f2380066d Make the OSSL_trace manual conform with man-pages(7) 2645c94bb5 Make the OSSL_PROVIDER manual conform with man-pages(7) ad2cc1a08e Make the OSSL_HTTP manual conform with man-pages(7) ab21608952 Make the OSSL_SELF_TEST manual conform with man-pages(7) b91f41daba Make the OSSL_PARAM manual conform with man-pages(7) Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 800187FE927F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 800187FE927F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/O5oYVYmzrj default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8061B881627F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8061B881627F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8061B881627F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8061B881627F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8061B881627F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8061B881627F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/O5oYVYmzrj fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=228, Tests=3593, 705 wallclock secs (11.54 usr 1.16 sys + 636.87 cusr 67.41 csys = 716.98 CPU) Result: FAIL make[1]: *** [Makefile:3260: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2-method' make: *** [Makefile:3257: tests] Error 2 From no-reply at appveyor.com Tue Jan 19 23:35:00 2021 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 19 Jan 2021 23:35:00 +0000 Subject: Build failed: openssl master.39260 Message-ID: <20210119233500.1.FFF3C96A1172CF34@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Wed Jan 20 02:03:40 2021 From: no-reply at appveyor.com (AppVeyor) Date: Wed, 20 Jan 2021 02:03:40 +0000 Subject: Build completed: openssl master.39261 Message-ID: <20210120020340.1.B9D1F615A63CBF3F@appveyor.com> An HTML attachment was scrubbed... URL: From shane.lontis at oracle.com Wed Jan 20 05:39:50 2021 From: shane.lontis at oracle.com (shane.lontis at oracle.com) Date: Wed, 20 Jan 2021 05:39:50 +0000 Subject: [openssl] master update Message-ID: <1611121190.152701.11779.nullmailer@dev.openssl.org> The branch master has been updated via 3e878d924f138f4a71c04628b57be75f1d45ef8e (commit) from c972577684f8627267556f0bffa3c4035e9456e4 (commit) - Log ----------------------------------------------------------------- commit 3e878d924f138f4a71c04628b57be75f1d45ef8e Author: Shane Lontis Date: Wed Nov 18 16:56:29 2020 +1000 Remove pkey_downgrade from PKCS7 code Fixes #12991 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13435) ----------------------------------------------------------------------- Summary of changes: apps/smime.c | 15 ---------- crypto/dsa/dsa_ameth.c | 18 ------------ crypto/ec/ec_ameth.c | 19 ------------ crypto/pkcs7/pk7_lib.c | 78 +++++++++++++++++++++++++++++++++++++++++--------- crypto/rsa/rsa_ameth.c | 13 --------- 5 files changed, 64 insertions(+), 79 deletions(-) diff --git a/apps/smime.c b/apps/smime.c index b8451d8403..07abcbf8c9 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -478,14 +478,6 @@ int smime_main(int argc, char **argv) key = load_key(keyfile, keyform, 0, passin, e, "signing key"); if (key == NULL) goto end; - - /* - * TODO: Remove this when CMS has full support for provider-native - * EVP_PKEYs - */ - if (EVP_PKEY_get0(key) == NULL) - goto end; - } in = bio_open_default(infile, 'r', informat); @@ -579,13 +571,6 @@ int smime_main(int argc, char **argv) if (key == NULL) goto end; - /* - * TODO: Remove this when CMS has full support for provider-native - * EVP_PKEYs - */ - if (EVP_PKEY_get0(key) == NULL) - goto end; - if (!PKCS7_sign_add_signer(p7, signer, key, sign_md, flags)) goto end; X509_free(signer); diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c index ff4904952d..60ef9812e1 100644 --- a/crypto/dsa/dsa_ameth.c +++ b/crypto/dsa/dsa_ameth.c @@ -464,31 +464,13 @@ static int dsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, static int dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) { switch (op) { - case ASN1_PKEY_CTRL_PKCS7_SIGN: - if (arg1 == 0) { - int snid, hnid; - X509_ALGOR *alg1, *alg2; - PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, &alg1, &alg2); - if (alg1 == NULL || alg1->algorithm == NULL) - return -1; - hnid = OBJ_obj2nid(alg1->algorithm); - if (hnid == NID_undef) - return -1; - if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey))) - return -1; - X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0); - } - return 1; - case ASN1_PKEY_CTRL_DEFAULT_MD_NID: *(int *)arg2 = NID_sha256; return 1; default: return -2; - } - } static size_t dsa_pkey_dirty_cnt(const EVP_PKEY *pkey) diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index c137a72614..3e4bc8454a 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -472,23 +472,6 @@ static int old_ec_priv_encode(const EVP_PKEY *pkey, unsigned char **pder) static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) { switch (op) { - case ASN1_PKEY_CTRL_PKCS7_SIGN: - if (arg1 == 0) { - int snid, hnid; - X509_ALGOR *alg1, *alg2; - - PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, &alg1, &alg2); - if (alg1 == NULL || alg1->algorithm == NULL) - return -1; - hnid = OBJ_obj2nid(alg1->algorithm); - if (hnid == NID_undef) - return -1; - if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey))) - return -1; - X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0); - } - return 1; - case ASN1_PKEY_CTRL_DEFAULT_MD_NID: if (EVP_PKEY_id(pkey) == EVP_PKEY_SM2) { /* For SM2, the only valid digest-alg is SM3 */ @@ -507,9 +490,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) default: return -2; - } - } static int ec_pkey_check(const EVP_PKEY *pkey) diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c index 35a757062b..ad59417529 100644 --- a/crypto/pkcs7/pk7_lib.c +++ b/crypto/pkcs7/pk7_lib.c @@ -11,6 +11,7 @@ #include "internal/cryptlib.h" #include #include +#include #include "crypto/asn1.h" #include "crypto/evp.h" #include "crypto/x509.h" /* for sk_X509_add1_cert() */ @@ -292,6 +293,39 @@ int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl) return 1; } +static int pkcs7_ecdsa_or_dsa_sign_verify_setup(PKCS7_SIGNER_INFO *si, + int verify) +{ + if (verify == 0) { + int snid, hnid; + X509_ALGOR *alg1, *alg2; + EVP_PKEY *pkey = si->pkey; + + PKCS7_SIGNER_INFO_get0_algs(si, NULL, &alg1, &alg2); + if (alg1 == NULL || alg1->algorithm == NULL) + return -1; + hnid = OBJ_obj2nid(alg1->algorithm); + if (hnid == NID_undef) + return -1; + if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey))) + return -1; + X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0); + } + return 1; +} + +static int pkcs7_rsa_sign_verify_setup(PKCS7_SIGNER_INFO *si, int verify) +{ + if (verify == 0) { + X509_ALGOR *alg = NULL; + + PKCS7_SIGNER_INFO_get0_algs(si, NULL, NULL, &alg); + if (alg != NULL) + X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0); + } + return 1; +} + int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey, const EVP_MD *dgst) { @@ -313,17 +347,6 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey, ASN1_INTEGER_dup(X509_get0_serialNumber(x509)))) goto err; - /* - * TODO(3.0) Adapt for provider-native keys - * Meanwhile, we downgrade the key. - * #legacy - */ - if (!evp_pkey_downgrade(pkey)) { - ERR_raise(ERR_LIB_PKCS7, - PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); - goto err; - } - /* lets keep the pkey around for a while */ EVP_PKEY_up_ref(pkey); p7i->pkey = pkey; @@ -333,7 +356,12 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey, X509_ALGOR_set0(p7i->digest_alg, OBJ_nid2obj(EVP_MD_type(dgst)), V_ASN1_NULL, NULL); - if (pkey->ameth && pkey->ameth->pkey_ctrl) { + if (EVP_PKEY_is_a(pkey, "EC") || EVP_PKEY_is_a(pkey, "DSA")) + return pkcs7_ecdsa_or_dsa_sign_verify_setup(p7i, 0); + if (EVP_PKEY_is_a(pkey, "RSA")) + return pkcs7_rsa_sign_verify_setup(p7i, 0); + + if (pkey->ameth != NULL && pkey->ameth->pkey_ctrl != NULL) { ret = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_PKCS7_SIGN, 0, p7i); if (ret > 0) return 1; @@ -526,6 +554,18 @@ int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri) return 1; } +static int pkcs7_rsa_encrypt_decrypt_setup(PKCS7_RECIP_INFO *ri, int decrypt) +{ + X509_ALGOR *alg = NULL; + + if (decrypt == 0) { + PKCS7_RECIP_INFO_get0_alg(ri, &alg); + if (alg != NULL) + X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0); + } + return 1; +} + int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509) { int ret; @@ -542,8 +582,18 @@ int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509) return 0; pkey = X509_get0_pubkey(x509); + if (pkey == NULL) + return 0; - if (!pkey || !pkey->ameth || !pkey->ameth->pkey_ctrl) { + if (EVP_PKEY_is_a(pkey, "RSA-PSS")) + return -2; + if (EVP_PKEY_is_a(pkey, "RSA")) { + if (pkcs7_rsa_encrypt_decrypt_setup(p7i, 0) <= 0) + goto err; + goto finished; + } + + if (pkey->ameth == NULL || pkey->ameth->pkey_ctrl == NULL) { ERR_raise(ERR_LIB_PKCS7, PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); goto err; @@ -559,7 +609,7 @@ int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509) ERR_raise(ERR_LIB_PKCS7, PKCS7_R_ENCRYPTION_CTRL_FAILURE); goto err; } - +finished: X509_up_ref(x509); p7i->cert = x509; diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index 3988024082..1e494f9044 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -492,19 +492,6 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) int min_saltlen; switch (op) { - - case ASN1_PKEY_CTRL_PKCS7_SIGN: - if (arg1 == 0) - PKCS7_SIGNER_INFO_get0_algs(arg2, NULL, NULL, &alg); - break; - - case ASN1_PKEY_CTRL_PKCS7_ENCRYPT: - if (pkey_is_pss(pkey)) - return -2; - if (arg1 == 0) - PKCS7_RECIP_INFO_get0_alg(arg2, &alg); - break; - case ASN1_PKEY_CTRL_DEFAULT_MD_NID: if (pkey->pkey.rsa->pss != NULL) { if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md, From dev at ddvo.net Wed Jan 20 10:08:53 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Wed, 20 Jan 2021 10:08:53 +0000 Subject: [openssl] master update Message-ID: <1611137333.931739.1298.nullmailer@dev.openssl.org> The branch master has been updated via 07b6068d240fb5af56fab880f2f971293a49f124 (commit) from 3e878d924f138f4a71c04628b57be75f1d45ef8e (commit) - Log ----------------------------------------------------------------- commit 07b6068d240fb5af56fab880f2f971293a49f124 Author: Dr. David von Oheimb Date: Mon Jan 4 20:27:33 2021 +0100 x509_vfy.c: Rename CHECK_CB() to the more intuitively readable CB_FAIL_IF() Also improve list layout of some comments. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13895) ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_vfy.c | 243 +++++++++++++++++++++---------------------------- 1 file changed, 106 insertions(+), 137 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 1bef0a3665..1d79449331 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -172,8 +172,8 @@ static int verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err) return ctx->verify_cb(0, ctx); } -#define CHECK_CB(cond, ctx, cert, depth, err) \ - if ((cond) && verify_cb_cert(ctx, cert, depth, err) == 0) \ +#define CB_FAIL_IF(cond, ctx, cert, depth, err) \ + if ((cond) && verify_cb_cert(ctx, cert, depth, err) == 0) \ return 0 /*- @@ -204,14 +204,14 @@ static int check_auth_level(X509_STORE_CTX *ctx) * We've already checked the security of the leaf key, so here we only * check the security of issuer keys. */ - CHECK_CB(i > 0 && !check_key_level(ctx, cert), - ctx, cert, i, X509_V_ERR_CA_KEY_TOO_SMALL); + CB_FAIL_IF(i > 0 && !check_key_level(ctx, cert), + ctx, cert, i, X509_V_ERR_CA_KEY_TOO_SMALL); /* * We also check the signature algorithm security of all certificates * except those of the trust anchor at index num-1. */ - CHECK_CB(i < num - 1 && !check_sig_level(ctx, cert), - ctx, cert, i, X509_V_ERR_CA_MD_TOO_WEAK); + CB_FAIL_IF(i < num - 1 && !check_sig_level(ctx, cert), + ctx, cert, i, X509_V_ERR_CA_MD_TOO_WEAK); } return 1; } @@ -235,7 +235,7 @@ static int verify_chain(X509_STORE_CTX *ctx) err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain, ctx->param->flags); - CHECK_CB(err != X509_V_OK, ctx, NULL, ctx->error_depth, err); + CB_FAIL_IF(err != X509_V_OK, ctx, NULL, ctx->error_depth, err); /* Verify chain signatures and expiration times */ ok = (ctx->verify != NULL) ? ctx->verify(ctx) : internal_verify(ctx); @@ -287,8 +287,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx) ctx->num_untrusted = 1; /* If the peer's public key is too weak, we can stop early. */ - CHECK_CB(!check_key_level(ctx, ctx->cert), - ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL); + CB_FAIL_IF(!check_key_level(ctx, ctx->cert), + ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL); if (DANETLS_ENABLED(dane)) ret = dane_verify(ctx); @@ -433,11 +433,7 @@ static int check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth, return verify_cb_cert(ctx, x, depth, X509_V_ERR_INVALID_PURPOSE); } -/* - * Check a certificate chains extensions for consistency with the supplied - * purpose - */ - +/* Check extensions of a cert chain for consistency with the supplied purpose */ static int check_chain(X509_STORE_CTX *ctx) { int i, must_be_ca, plen = 0; @@ -472,34 +468,34 @@ static int check_chain(X509_STORE_CTX *ctx) int ret; x = sk_X509_value(ctx->chain, i); - CHECK_CB((ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) == 0 - && (x->ex_flags & EXFLAG_CRITICAL) != 0, - ctx, x, i, X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION); - CHECK_CB(!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY), - ctx, x, i, X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED); + CB_FAIL_IF((ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) == 0 + && (x->ex_flags & EXFLAG_CRITICAL) != 0, + ctx, x, i, X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION); + CB_FAIL_IF(!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY), + ctx, x, i, X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED); ret = X509_check_ca(x); switch (must_be_ca) { case -1: - CHECK_CB((ctx->param->flags & X509_V_FLAG_X509_STRICT) != 0 - && ret != 1 && ret != 0, - ctx, x, i, X509_V_ERR_INVALID_CA); + CB_FAIL_IF((ctx->param->flags & X509_V_FLAG_X509_STRICT) != 0 + && ret != 1 && ret != 0, + ctx, x, i, X509_V_ERR_INVALID_CA); break; case 0: - CHECK_CB(ret != 0, ctx, x, i, X509_V_ERR_INVALID_NON_CA); + CB_FAIL_IF(ret != 0, ctx, x, i, X509_V_ERR_INVALID_NON_CA); break; default: /* X509_V_FLAG_X509_STRICT is implicit for intermediate CAs */ - CHECK_CB(ret == 0 - || ((i + 1 < num - || ctx->param->flags & X509_V_FLAG_X509_STRICT) - && ret != 1), ctx, x, i, X509_V_ERR_INVALID_CA); + CB_FAIL_IF(ret == 0 + || ((i + 1 < num + || ctx->param->flags & X509_V_FLAG_X509_STRICT) + && ret != 1), ctx, x, i, X509_V_ERR_INVALID_CA); break; } if (num > 1) { /* Check for presence of explicit elliptic curve parameters */ ret = check_curve(x); - CHECK_CB(ret < 0, ctx, x, i, X509_V_ERR_UNSPECIFIED); - CHECK_CB(ret == 0, ctx, x, i, X509_V_ERR_EC_KEY_EXPLICIT_PARAMS); + CB_FAIL_IF(ret < 0, ctx, x, i, X509_V_ERR_UNSPECIFIED); + CB_FAIL_IF(ret == 0, ctx, x, i, X509_V_ERR_EC_KEY_EXPLICIT_PARAMS); } /* * Do the following set of checks only if strict checking is requested @@ -514,63 +510,64 @@ static int check_chain(X509_STORE_CTX *ctx) */ /* Check Basic Constraints according to RFC 5280 section 4.2.1.9 */ if (x->ex_pathlen != -1) { - CHECK_CB((x->ex_flags & EXFLAG_CA) == 0, - ctx, x, i, X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA); - CHECK_CB((x->ex_kusage & KU_KEY_CERT_SIGN) == 0, ctx, x, i, - X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN); + CB_FAIL_IF((x->ex_flags & EXFLAG_CA) == 0, + ctx, x, i, X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA); + CB_FAIL_IF((x->ex_kusage & KU_KEY_CERT_SIGN) == 0, ctx, + x, i, X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN); } - CHECK_CB((x->ex_flags & EXFLAG_CA) != 0 - && (x->ex_flags & EXFLAG_BCONS) != 0 - && (x->ex_flags & EXFLAG_BCONS_CRITICAL) == 0, - ctx, x, i, X509_V_ERR_CA_BCONS_NOT_CRITICAL); + CB_FAIL_IF((x->ex_flags & EXFLAG_CA) != 0 + && (x->ex_flags & EXFLAG_BCONS) != 0 + && (x->ex_flags & EXFLAG_BCONS_CRITICAL) == 0, + ctx, x, i, X509_V_ERR_CA_BCONS_NOT_CRITICAL); /* Check Key Usage according to RFC 5280 section 4.2.1.3 */ if ((x->ex_flags & EXFLAG_CA) != 0) { - CHECK_CB((x->ex_flags & EXFLAG_KUSAGE) == 0, - ctx, x, i, X509_V_ERR_CA_CERT_MISSING_KEY_USAGE); + CB_FAIL_IF((x->ex_flags & EXFLAG_KUSAGE) == 0, + ctx, x, i, X509_V_ERR_CA_CERT_MISSING_KEY_USAGE); } else { - CHECK_CB((x->ex_kusage & KU_KEY_CERT_SIGN) != 0, ctx, x, i, - X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA); + CB_FAIL_IF((x->ex_kusage & KU_KEY_CERT_SIGN) != 0, ctx, x, i, + X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA); } /* Check issuer is non-empty acc. to RFC 5280 section 4.1.2.4 */ - CHECK_CB(X509_NAME_entry_count(X509_get_issuer_name(x)) == 0, - ctx, x, i, X509_V_ERR_ISSUER_NAME_EMPTY); + CB_FAIL_IF(X509_NAME_entry_count(X509_get_issuer_name(x)) == 0, + ctx, x, i, X509_V_ERR_ISSUER_NAME_EMPTY); /* Check subject is non-empty acc. to RFC 5280 section 4.1.2.6 */ - CHECK_CB(((x->ex_flags & EXFLAG_CA) != 0 - || (x->ex_kusage & KU_CRL_SIGN) != 0 - || x->altname == NULL - ) && X509_NAME_entry_count(X509_get_subject_name(x)) == 0, - ctx, x, i, X509_V_ERR_SUBJECT_NAME_EMPTY); - CHECK_CB(X509_NAME_entry_count(X509_get_subject_name(x)) == 0 - && x->altname != NULL - && (x->ex_flags & EXFLAG_SAN_CRITICAL) == 0, - ctx, x, i, X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL); + CB_FAIL_IF(((x->ex_flags & EXFLAG_CA) != 0 + || (x->ex_kusage & KU_CRL_SIGN) != 0 + || x->altname == NULL) + && X509_NAME_entry_count(X509_get_subject_name(x)) == 0, + ctx, x, i, X509_V_ERR_SUBJECT_NAME_EMPTY); + CB_FAIL_IF(X509_NAME_entry_count(X509_get_subject_name(x)) == 0 + && x->altname != NULL + && (x->ex_flags & EXFLAG_SAN_CRITICAL) == 0, + ctx, x, i, X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL); /* Check SAN is non-empty according to RFC 5280 section 4.2.1.6 */ - CHECK_CB(x->altname != NULL && sk_GENERAL_NAME_num(x->altname) <= 0, - ctx, x, i, X509_V_ERR_EMPTY_SUBJECT_ALT_NAME); + CB_FAIL_IF(x->altname != NULL + && sk_GENERAL_NAME_num(x->altname) <= 0, + ctx, x, i, X509_V_ERR_EMPTY_SUBJECT_ALT_NAME); /* TODO add more checks on SAN entries */ /* Check sig alg consistency acc. to RFC 5280 section 4.1.1.2 */ - CHECK_CB(X509_ALGOR_cmp(&x->sig_alg, &x->cert_info.signature) != 0, - ctx, x, i, X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY); - CHECK_CB(x->akid != NULL - && (x->ex_flags & EXFLAG_AKID_CRITICAL) != 0, - ctx, x, i, X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL); - CHECK_CB(x->skid != NULL - && (x->ex_flags & EXFLAG_SKID_CRITICAL) != 0, - ctx, x, i, X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL); + CB_FAIL_IF(X509_ALGOR_cmp(&x->sig_alg, &x->cert_info.signature) != 0, + ctx, x, i, X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY); + CB_FAIL_IF(x->akid != NULL + && (x->ex_flags & EXFLAG_AKID_CRITICAL) != 0, + ctx, x, i, X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL); + CB_FAIL_IF(x->skid != NULL + && (x->ex_flags & EXFLAG_SKID_CRITICAL) != 0, + ctx, x, i, X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL); if (X509_get_version(x) >= 2) { /* at least X.509v3 */ /* Check AKID presence acc. to RFC 5280 section 4.2.1.1 */ - CHECK_CB(i + 1 < num /* - * this means not last cert in chain, - * taken as "generated by conforming CAs" - */ - && (x->akid == NULL || x->akid->keyid == NULL), ctx, - x, i, X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER); + CB_FAIL_IF(i + 1 < num /* + * this means not last cert in chain, + * taken as "generated by conforming CAs" + */ + && (x->akid == NULL || x->akid->keyid == NULL), ctx, + x, i, X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER); /* Check SKID presence acc. to RFC 5280 section 4.2.1.2 */ - CHECK_CB((x->ex_flags & EXFLAG_CA) != 0 && x->skid == NULL, - ctx, x, i, X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER); + CB_FAIL_IF((x->ex_flags & EXFLAG_CA) != 0 && x->skid == NULL, + ctx, x, i, X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER); } else { - CHECK_CB(sk_X509_EXTENSION_num(X509_get0_extensions(x)) > 0, - ctx, x, i, X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3); + CB_FAIL_IF(sk_X509_EXTENSION_num(X509_get0_extensions(x)) > 0, + ctx, x, i, X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3); } } @@ -578,9 +575,9 @@ static int check_chain(X509_STORE_CTX *ctx) if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca)) return 0; /* Check path length */ - CHECK_CB(i > 1 && x->ex_pathlen != -1 - && plen > x->ex_pathlen + proxy_path_length, - ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED); + CB_FAIL_IF(i > 1 && x->ex_pathlen != -1 + && plen > x->ex_pathlen + proxy_path_length, + ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED); /* Increment path length if not a self-issued intermediate CA */ if (i > 0 && (x->ex_flags & EXFLAG_SI) == 0) plen++; @@ -602,8 +599,8 @@ static int check_chain(X509_STORE_CTX *ctx) * increment proxy_path_length. */ if (x->ex_pcpathlen != -1) { - CHECK_CB(proxy_path_length > x->ex_pcpathlen, - ctx, x, i, X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED); + CB_FAIL_IF(proxy_path_length > x->ex_pcpathlen, + ctx, x, i, X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED); proxy_path_length = x->ex_pcpathlen; } proxy_path_length++; @@ -715,7 +712,7 @@ static int check_name_constraints(X509_STORE_CTX *ctx) X509_NAME_free(tmpsubject); proxy_name_done: - CHECK_CB(err != X509_V_OK, ctx, x, i, err); + CB_FAIL_IF(err != X509_V_OK, ctx, x, i, err); } /* @@ -745,7 +742,7 @@ static int check_name_constraints(X509_STORE_CTX *ctx) case X509_V_ERR_OUT_OF_MEM: return 0; default: - CHECK_CB(1, ctx, x, i, rv); + CB_FAIL_IF(1, ctx, x, i, rv); break; } } @@ -937,9 +934,7 @@ static int check_cert(X509_STORE_CTX *ctx) ok = ctx->get_crl(ctx, &crl, x); else ok = get_crl_delta(ctx, &crl, &dcrl, x); - /* - * If error looking up CRL, nothing we can do except notify callback - */ + /* If error looking up CRL, nothing we can do except notify callback */ if (!ok) { ok = verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL); goto done; @@ -988,7 +983,6 @@ static int check_cert(X509_STORE_CTX *ctx) } /* Check CRL times against values in X509_STORE_CTX */ - static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) { time_t *ptime; @@ -1099,7 +1093,6 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, * Compare two CRL extensions for delta checking purposes. They should be * both present or both absent. If both present all fields must be identical. */ - static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) { ASN1_OCTET_STRING *exta, *extb; @@ -1136,7 +1129,6 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) } /* See if a base and delta are compatible */ - static int check_delta_base(X509_CRL *delta, X509_CRL *base) { /* Delta CRL must be a delta */ @@ -1166,7 +1158,6 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base) * For a given base CRL find a delta... maybe extend to delta scoring or * retrieve a chain of deltas... */ - static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, X509_CRL *base, STACK_OF(X509_CRL) *crls) { @@ -1196,7 +1187,6 @@ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, * also used to determine if the CRL is suitable: if no new reasons the CRL * is rejected, otherwise reasons is updated. */ - static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, unsigned int *preasons, X509_CRL *crl, X509 *x) { @@ -1239,7 +1229,6 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, crl_akid_check(ctx, crl, pissuer, &crl_score); /* If we can't locate certificate issuer at this point forget it */ - if (!(crl_score & CRL_SCORE_AKID)) return 0; @@ -1292,7 +1281,6 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, } /* Anything else needs extended CRL support */ - if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) return; @@ -1318,7 +1306,6 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, * parent. This could be optimised somewhat since a lot of path checking will * be duplicated by the parent, but this will rarely be used in practice. */ - static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) { X509_STORE_CTX crl_ctx; @@ -1357,7 +1344,6 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) * though some discussions remain... until this is resolved we use the * RFC5280 version */ - static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path, STACK_OF(X509) *crl_path) @@ -1377,7 +1363,6 @@ static int check_crl_chain(X509_STORE_CTX *ctx, * 3. Both are full names and compare two GENERAL_NAMES. * 4. One is NULL: automatic match. */ - static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) { X509_NAME *nm = NULL; @@ -1454,7 +1439,6 @@ static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) } /* Check CRLDP and IDP */ - static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, unsigned int *preasons) { @@ -1488,7 +1472,6 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, * Retrieve CRL corresponding to current certificate. If deltas enabled try * to find a delta CRL too */ - static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) { @@ -1507,7 +1490,6 @@ static int get_crl_delta(X509_STORE_CTX *ctx, goto done; /* Lookup CRLs from store */ - skcrl = ctx->lookup_crls(ctx, nm); /* If no CRLs found and a near match from get_crl_sk use that */ @@ -1676,8 +1658,8 @@ static int check_policy(X509_STORE_CTX *ctx) for (i = 1; i < sk_X509_num(ctx->chain); i++) { X509 *x = sk_X509_value(ctx->chain, i); - CHECK_CB((x->ex_flags & EXFLAG_INVALID_POLICY) != 0, - ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION); + CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0, + ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION); } return 1; } @@ -1728,14 +1710,14 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) i = X509_cmp_time(X509_get0_notBefore(x), ptime); if (i >= 0 && depth < 0) return 0; - CHECK_CB(i == 0, ctx, x, depth, X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD); - CHECK_CB(i > 0, ctx, x, depth, X509_V_ERR_CERT_NOT_YET_VALID); + CB_FAIL_IF(i == 0, ctx, x, depth, X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD); + CB_FAIL_IF(i > 0, ctx, x, depth, X509_V_ERR_CERT_NOT_YET_VALID); i = X509_cmp_time(X509_get0_notAfter(x), ptime); if (i <= 0 && depth < 0) return 0; - CHECK_CB(i == 0, ctx, x, depth, X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD); - CHECK_CB(i < 0, ctx, x, depth, X509_V_ERR_CERT_HAS_EXPIRED); + CB_FAIL_IF(i == 0, ctx, x, depth, X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD); + CB_FAIL_IF(i < 0, ctx, x, depth, X509_V_ERR_CERT_HAS_EXPIRED); return 1; } @@ -1758,14 +1740,14 @@ static int internal_verify(X509_STORE_CTX *ctx) } if (ctx->check_issued(ctx, xi, xi)) - xs = xi; /* the typical case: last cert in the chain is self-issued */ + xs = xi; /* The typical case: last cert in the chain is self-issued */ else { if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) { xs = xi; goto check_cert_time; } if (n <= 0) { - CHECK_CB(1, ctx, xi, 0, X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE); + CB_FAIL_IF(1, ctx, xi, 0, X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE); xs = xi; goto check_cert_time; @@ -1781,7 +1763,7 @@ static int internal_verify(X509_STORE_CTX *ctx) * is allowed to reset errors (at its own peril). */ while (n >= 0) { - /* + /*- * For each iteration of this loop: * n is the subject depth * xs is the subject cert, for which the signature is to be checked @@ -1816,13 +1798,13 @@ static int internal_verify(X509_STORE_CTX *ctx) int ret = xs == xi && (xi->ex_flags & EXFLAG_CA) == 0 ? X509_V_OK : x509_signing_allowed(xi, xs); - CHECK_CB(ret != X509_V_OK, ctx, xi, issuer_depth, ret); + CB_FAIL_IF(ret != X509_V_OK, ctx, xi, issuer_depth, ret); if ((pkey = X509_get0_pubkey(xi)) == NULL) { - CHECK_CB(1, ctx, xi, issuer_depth, - X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY); + CB_FAIL_IF(1, ctx, xi, issuer_depth, + X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY); } else { - CHECK_CB(X509_verify(xs, pkey) <= 0, - ctx, xs, n, X509_V_ERR_CERT_SIGNATURE_FAILURE); + CB_FAIL_IF(X509_verify(xs, pkey) <= 0, + ctx, xs, n, X509_V_ERR_CERT_SIGNATURE_FAILURE); } } @@ -1865,7 +1847,7 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) #else const char upper_z = 'Z'; #endif - /* + /*- * Note that ASN.1 allows much more slack in the time format than RFC5280. * In RFC5280, the representation is fixed: * UTCTime: YYMMDDHHMMSSZ @@ -2011,7 +1993,6 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) } /* Make a delta CRL as the difference between two full CRLs */ - X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, EVP_PKEY *skey, const EVP_MD *md, unsigned int flags) { @@ -2067,7 +2048,6 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, goto memerr; /* Set base CRL number: must be critical */ - if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0)) goto memerr; @@ -2075,7 +2055,6 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, * Copy extensions across from newest CRL to delta: this will set CRL * number to correct value too. */ - for (i = 0; i < X509_CRL_get_ext_count(newer); i++) { X509_EXTENSION *ext; ext = X509_CRL_get_ext(newer, i); @@ -2084,7 +2063,6 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, } /* Go through revoked entries, copying as needed */ - revs = X509_CRL_get_REVOKED(newer); for (i = 0; i < sk_X509_REVOKED_num(revs); i++) { @@ -2408,9 +2386,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, goto err; } - /* - * Inherit callbacks and flags from X509_STORE if not set use defaults. - */ + /* Inherit callbacks and flags from X509_STORE if not set use defaults. */ if (store) ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); else @@ -2697,9 +2673,7 @@ static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth) mask = (depth == 0) ? DANETLS_EE_MASK : DANETLS_TA_MASK; - /* - * The trust store is not applicable with DANE-TA(2) - */ + /* The trust store is not applicable with DANE-TA(2) */ if (depth >= ctx->num_untrusted) mask &= DANETLS_PKIX_MASK; @@ -2884,9 +2858,7 @@ static int check_dane_pkeys(X509_STORE_CTX *ctx) static void dane_reset(SSL_DANE *dane) { - /* - * Reset state to verify another chain, or clear after failure. - */ + /* Reset state to verify another chain, or clear after failure. */ X509_free(dane->mcert); dane->mcert = NULL; dane->mtlsa = NULL; @@ -2898,7 +2870,7 @@ static int check_leaf_suiteb(X509_STORE_CTX *ctx, X509 *cert) { int err = X509_chain_check_suiteb(NULL, cert, NULL, ctx->param->flags); - CHECK_CB(err != X509_V_OK, ctx, cert, 0, err); + CB_FAIL_IF(err != X509_V_OK, ctx, cert, 0, err); return 1; } @@ -3309,9 +3281,7 @@ static int build_chain(X509_STORE_CTX *ctx) return 0; } - /* - * Check for DANE-TA trust of the topmost untrusted certificate. - */ + /* Check for DANE-TA trust of the topmost untrusted certificate. */ switch (trust = check_dane_issuer(ctx, ctx->num_untrusted - 1)) { case X509_TRUST_TRUSTED: case X509_TRUST_REJECTED: @@ -3343,10 +3313,11 @@ static int build_chain(X509_STORE_CTX *ctx) case X509_TRUST_UNTRUSTED: default: num = sk_X509_num(ctx->chain); - CHECK_CB(num > depth, ctx, NULL, num-1, X509_V_ERR_CERT_CHAIN_TOO_LONG); - CHECK_CB(DANETLS_ENABLED(dane) - && (!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0), - ctx, NULL, num-1, X509_V_ERR_DANE_NO_MATCH); + CB_FAIL_IF(num > depth, + ctx, NULL, num-1, X509_V_ERR_CERT_CHAIN_TOO_LONG); + CB_FAIL_IF(DANETLS_ENABLED(dane) + && (!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0), + ctx, NULL, num-1, X509_V_ERR_DANE_NO_MATCH); if (self_signed) return verify_cb_cert(ctx, NULL, num-1, sk_X509_num(ctx->chain) == 1 @@ -3362,10 +3333,8 @@ static int build_chain(X509_STORE_CTX *ctx) static const int minbits_table[] = { 80, 112, 128, 192, 256 }; static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table); -/* - * Check whether the public key of ``cert`` meets the security level of - * ``ctx``. - * +/*- + * Check whether the public key of `cert` meets the security level of `ctx`. * Returns 1 on success, 0 otherwise. */ static int check_key_level(X509_STORE_CTX *ctx, X509 *cert) @@ -3392,7 +3361,7 @@ static int check_key_level(X509_STORE_CTX *ctx, X509 *cert) return EVP_PKEY_security_bits(pkey) >= minbits_table[level - 1]; } -/* +/*- * Check whether the public key of ``cert`` does not use explicit params * for an elliptic curve. * @@ -3418,7 +3387,7 @@ static int check_curve(X509 *cert) return 1; } -/* +/*- * Check whether the signature digest algorithm of ``cert`` meets the security * level of ``ctx``. Should not be checked for trust anchors (whether * self-signed or otherwise). From tmraz at fedoraproject.org Wed Jan 20 12:13:22 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Wed, 20 Jan 2021 12:13:22 +0000 Subject: [openssl] master update Message-ID: <1611144802.163308.23989.nullmailer@dev.openssl.org> The branch master has been updated via 3d63348a871d2319f7ff3512f97fd660fa7fadea (commit) via ac6ea3a7c5f53dad710987aae289a66a2e3f159e (commit) from 07b6068d240fb5af56fab880f2f971293a49f124 (commit) - Log ----------------------------------------------------------------- commit 3d63348a871d2319f7ff3512f97fd660fa7fadea Author: Jon Spillett Date: Tue Jan 19 13:43:35 2021 +1000 apps/genpkey.c: Use PEM_read_bio_Parameters_ex when reading parameters Needed to be able to set the libctx and propq. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13894) commit ac6ea3a7c5f53dad710987aae289a66a2e3f159e Author: Jon Spillett Date: Thu Aug 20 15:10:21 2020 +1000 test-gendsa: Add test cases with FIPS provider Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13894) ----------------------------------------------------------------------- Summary of changes: apps/genpkey.c | 2 +- test/recipes/15-test_gendsa.t | 52 ++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 50 insertions(+), 4 deletions(-) diff --git a/apps/genpkey.c b/apps/genpkey.c index 523ec1da8f..68dbbf87eb 100644 --- a/apps/genpkey.c +++ b/apps/genpkey.c @@ -252,7 +252,7 @@ static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e, return 0; } - pkey = PEM_read_bio_Parameters(pbio, NULL); + pkey = PEM_read_bio_Parameters_ex(pbio, NULL, libctx, propq); BIO_free(pbio); if (pkey == NULL) { diff --git a/test/recipes/15-test_gendsa.t b/test/recipes/15-test_gendsa.t index 5e36109b37..4616deacc1 100644 --- a/test/recipes/15-test_gendsa.t +++ b/test/recipes/15-test_gendsa.t @@ -11,15 +11,25 @@ use strict; use warnings; use File::Spec; -use OpenSSL::Test qw/:DEFAULT srctop_file/; +use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_dir bldtop_file/; use OpenSSL::Test::Utils; -setup("test_gendsa"); +BEGIN { + setup("test_gendsa"); +} + +use lib srctop_dir('Configurations'); +use lib bldtop_dir('.'); +use platform; plan skip_all => "This test is unsupported in a no-dsa build" if disabled("dsa"); -plan tests => 11; +my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); + +plan tests => + ($no_fips ? 0 : 3) # FIPS install test + fips related tests + + 11; ok(run(app([ 'openssl', 'genpkey', '-genparam', '-algorithm', 'DSA', @@ -97,3 +107,39 @@ ok(run(app([ 'openssl', 'genpkey', ok(!run(app([ 'openssl', 'genpkey', '-algorithm', 'DSA'])), "genpkey DSA with no params should fail"); + +unless ($no_fips) { + my $provconf = srctop_file("test", "fips-and-base.cnf"); + my $provpath = bldtop_dir("providers"); + my @prov = ( "-provider-path", $provpath, + "-config", $provconf); + my $infile = bldtop_file('providers', platform->dso('fips')); + + ok(run(app(['openssl', 'fipsinstall', + '-out', bldtop_file('providers', 'fipsmodule.cnf'), + '-module', $infile, + '-provider_name', 'fips', '-mac_name', 'HMAC', + '-section_name', 'fips_sect'])), + "fipsinstall"); + + $ENV{OPENSSL_TEST_LIBCTX} = "1"; + + # Generate params + ok(run(app(['openssl', 'genpkey', + @prov, + '-genparam', + '-algorithm', 'DSA', + '-pkeyopt', 'pbits:3072', + '-pkeyopt', 'qbits:256', + '-out', 'gendsatest3072params.pem'])), + "Generating 3072-bit DSA params"); + + # Generate keypair + ok(run(app(['openssl', 'genpkey', + @prov, + '-paramfile', 'gendsatest3072params.pem', + '-text', + '-out', 'gendsatest3072.pem'])), + "Generating 3072-bit DSA keypair"); + +} From dev at ddvo.net Wed Jan 20 14:54:08 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Wed, 20 Jan 2021 14:54:08 +0000 Subject: [openssl] master update Message-ID: <1611154448.648409.29082.nullmailer@dev.openssl.org> The branch master has been updated via 9495cfbc22393aee87aa877e9e2e726c2cc441f1 (commit) from 3d63348a871d2319f7ff3512f97fd660fa7fadea (commit) - Log ----------------------------------------------------------------- commit 9495cfbc22393aee87aa877e9e2e726c2cc441f1 Author: Dr. David von Oheimb Date: Sat Dec 12 21:36:06 2020 +0100 make various test CA certs RFC 5280 compliant w.r.t. X509 extensions Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13719) ----------------------------------------------------------------------- Summary of changes: test/certs/ca-cert-768.pem | 22 +++++++++++----------- test/certs/ca-cert-768i.pem | 14 +++++++------- test/certs/ca-cert-ec-explicit.pem | 20 ++++++++++---------- test/certs/ca-cert-ec-named.pem | 20 ++++++++++---------- test/certs/ca-cert-md5-any.pem | 21 +++++++++++---------- test/certs/ca-cert-md5.pem | 20 ++++++++++---------- test/certs/ca-cert.pem | 20 ++++++++++---------- test/certs/ca-cert2.pem | 20 ++++++++++---------- test/certs/ca-expired.pem | 20 ++++++++++---------- test/certs/ca-name2.pem | 21 +++++++++++---------- test/certs/ca-nonbc.pem | 14 +++++++------- test/certs/ca-nonca.pem | 14 +++++++------- test/certs/ca-root2.pem | 20 ++++++++++---------- test/certs/cca+anyEKU.pem | 22 +++++++++++----------- test/certs/cca+clientAuth.pem | 22 +++++++++++----------- test/certs/cca+serverAuth.pem | 22 +++++++++++----------- test/certs/cca-anyEKU.pem | 22 +++++++++++----------- test/certs/cca-cert.pem | 22 +++++++++++----------- test/certs/cca-clientAuth.pem | 22 +++++++++++----------- test/certs/cca-serverAuth.pem | 22 +++++++++++----------- test/certs/croot-cert.pem | 22 +++++++++++----------- test/certs/mkcert.sh | 8 ++++++-- test/certs/ncca1-cert.pem | 25 +++++++++++++------------ test/certs/ncca2-cert.pem | 24 ++++++++++++------------ test/certs/ncca3-cert.pem | 24 ++++++++++++------------ test/certs/root-cert-768.pem | 15 ++++++++------- test/certs/root-cert-md5.pem | 21 +++++++++++---------- test/certs/root-cert.pem | 21 +++++++++++---------- test/certs/root-cert2.pem | 21 +++++++++++---------- test/certs/root-ed448-cert.pem | 17 +++++++++-------- test/certs/root-expired.pem | 21 +++++++++++---------- test/certs/root-name2.pem | 21 +++++++++++---------- test/certs/sca+anyEKU.pem | 22 +++++++++++----------- test/certs/sca+clientAuth.pem | 22 +++++++++++----------- test/certs/sca+serverAuth.pem | 22 +++++++++++----------- test/certs/sca-anyEKU.pem | 22 +++++++++++----------- test/certs/sca-cert.pem | 22 +++++++++++----------- test/certs/sca-clientAuth.pem | 22 +++++++++++----------- test/certs/sca-serverAuth.pem | 22 +++++++++++----------- test/certs/setup.sh | 2 +- test/certs/sroot-cert.pem | 22 +++++++++++----------- test/v3_ca_exts.cnf | 2 +- 42 files changed, 417 insertions(+), 403 deletions(-) diff --git a/test/certs/ca-cert-768.pem b/test/certs/ca-cert-768.pem index 0c8ff29440..71c95415ab 100644 --- a/test/certs/ca-cert-768.pem +++ b/test/certs/ca-cert-768.pem @@ -1,15 +1,15 @@ -----BEGIN CERTIFICATE----- -MIICRDCCASygAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDMyMDA2MjcyN1oYDzIxMTYwMzIxMDYyNzI3WjANMQswCQYDVQQD +MIICVDCCATygAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTgyN1oYDzIxMjAxMjEzMjAxODI3WjANMQswCQYDVQQD DAJDQTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQC3wNLc1A9gAjz1H94ozPrLOhE2 R8c6RQjkUIALCOuw8xbZV+AEDSqP11Bw8MVzvmpksR9s1idJhLOugwMNTHfTXJjV -DWoQh9ofR51J5sOph4yDhQBXRmiuvqMDj+a81UkCAwEAAaNQME4wHQYDVR0OBBYE -FKrzei/LKJop6yShiJupKskW0ZQcMB8GA1UdIwQYMBaAFI71Ja8em2uEPXyAmslT -nE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFr4hjVtLuZz -gxLILAOREEtanckfnapUrhTLukog9Q8uzqMUE+YDEhkcP4YAVjcab6HaXrbcxXsn -zn+v+GPszD9G3doGbUjuwEEAHz+k/9sjsn8QAGw/XslYhd5dktaRRCqaTNiWT+Ks -xKntAsgXcgWNIpvGikzTB/W7IrjIV8/S1JjLABtoY88tFUX81Ohr3bFFsRc9EHVS -MtGnEwfoBOSlCUjaTWBNHHi1HstK9sG2SNT/nhN1HATk/aiCiQRKr/bm6ezPC2If -6mRidaNiQN8+vzvtn86BqtRJOEi8jj5CBax6IqwfE+lDZIwT7H9C9Cu8Yp4mTM0x -wwzRDnFVisM= +DWoQh9ofR51J5sOph4yDhQBXRmiuvqMDj+a81UkCAwEAAaNgMF4wDwYDVR0TAQH/ +BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFKrzei/LKJop6yShiJupKskW +0ZQcMB8GA1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMA0GCSqGSIb3DQEB +CwUAA4IBAQDTEFRFx4DczHVSiHSFrwWLaAvCvwGVOAXQIk5c1ApUT4IcMr2CGuYI +xOXheZBAJ4yp6PidB6Xf/rVcEFsEURxQBL4a0+FW7CDfHLbSh5p/OWM/CmM/n154 +9rf+g5CoZ5dIVdCgH4Gn6Xe5iVeIfvvusFBVHUtScFU+QmXMWGMCcyE2AV0hCY1E +7eJGQ1PyogGof2pI0W7ywXhZzt0xcTsvf65uoFKycck0hRZPZKSaEJ2ti17m1hXD +gNg+g8MSxYAmzT2yw00Kky+Q0Ami9zYZdhxnvb3Xi910M72QcO+rhqEarmt9ggWx ++5+1gg+oPbsTFDa9RspXsCN3zCD+o9c6 -----END CERTIFICATE----- diff --git a/test/certs/ca-cert-768i.pem b/test/certs/ca-cert-768i.pem index acc432fadd..e0adb9a77f 100644 --- a/test/certs/ca-cert-768i.pem +++ b/test/certs/ca-cert-768i.pem @@ -1,15 +1,15 @@ -----BEGIN CERTIFICATE----- -MIICSjCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDMyMDA2MjcyN1oYDzIxMTYwMzIxMDYyNzI3WjANMQswCQYDVQQD +MIICWjCCAeSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTgyN1oYDzIxMjAxMjEzMjAxODI3WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -CLNNsUcCAwEAAaNQME4wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G -A1UdIwQYMBaAFFjzE/eu8wvKwzb2aODw52C+0gLVMAwGA1UdEwQFMAMBAf8wDQYJ -KoZIhvcNAQELBQADYQCZM1sSpIyjyuGirBYvezFryUq5EyZiME3HIHJ7AbmquPtE -LcoE8lwxEYXl7OTbLZHxIKkt6+WX2TL/0yshJLq/42nh5DZwyug7fIITmkzmzidF -rbnl7fIop7OJX/kELbY= +CLNNsUcCAwEAAaNgMF4wDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFFjzE/eu8wvK +wzb2aODw52C+0gLVMA0GCSqGSIb3DQEBCwUAA2EAgYsusTJvfb3SqqD3izIlgJ/9 +i+HwTT/Tu56owj8bVAFl+M1U0BLh0XSYxCYmpk6HFN76yoen/PM3+254sV/meHuX +AOBOwEMZEYcDbR0awc6gsW1aNa/0V+AcwAu/Cj5w -----END CERTIFICATE----- diff --git a/test/certs/ca-cert-ec-explicit.pem b/test/certs/ca-cert-ec-explicit.pem index d741ecdb65..77207484d5 100644 --- a/test/certs/ca-cert-ec-explicit.pem +++ b/test/certs/ca-cert-ec-explicit.pem @@ -1,6 +1,6 @@ -----BEGIN CERTIFICATE----- -MIIDGDCCAgCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTIwMDkxNTEzMDY0MVoYDzIxMjAwOTE2MTMwNjQxWjANMQswCQYDVQQD +MIIDJTCCAg2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTgyN1oYDzIxMjAxMjEzMjAxODI3WjANMQswCQYDVQQD DAJDQTCCAUswggEDBgcqhkjOPQIBMIH3AgEBMCwGByqGSM49AQECIQD/////AAAA AQAAAAAAAAAAAAAAAP///////////////zBbBCD/////AAAAAQAAAAAAAAAAAAAA AP///////////////AQgWsY12Ko6k+ez671VdpiGvGUdBrDMU7D2O848PifSYEsD @@ -8,12 +8,12 @@ FQDEnTYIhucEk2pmeOETnSa3gZ9+kARBBGsX0fLhLEJH+Lzm5WOkQPJ3A32BLesz oPShOUXYmMKWT+NC4v4af5uO5+tKfA+eFivOM1drMV7Oy7ZAaDe/UfUCIQD///// AAAAAP//////////vOb6racXnoTzucrC/GMlUQIBAQNCAASlXna3kSD/Yol3RA5I icjIxYb9UJoCTzb/LsxjlOvIS5OqCTzpqP0p3JrnvLPsbzq7Cf/g0bNlxAGs1iVM -5NDco1MwUTAdBgNVHQ4EFgQUFk6ucH6gMXeadmuV7a1iWEnU/CIwHwYDVR0jBBgw -FoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG -9w0BAQsFAAOCAQEAdyUgfT0eAsZzoHFXoWN5uqi0MHuhLI37TEzkH5h7iTpDQJTQ -F0SjbawfM/nxxUekRW3mjFu3lft+VA7yC0OTNBLffan/vTh+HGOvvYZSMJYgKrMG -PRWgDId+n9RTcQCf+91cISvOazHixRiJG7JfRLdNZsAE+miw4HgPLFboTwpxtTDJ -zJ4ssBC6P+5IHwBCtNMiilJMMMzuSaZa5iSo6M9AdXWfcQN3uhW1lgQOLOlKLcbo -3UhW1GMMhTTeytM5aylbKhRsnL7ozmS44zsKZ25YaQxgjdKitFjVN6j7eyQ7C9J2 -bLXgl3APweLQbGGs0zv08Ad0SCCKYLHK6mMJqg== +5NDco2AwXjAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU +Fk6ucH6gMXeadmuV7a1iWEnU/CIwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOc +TXL3o1IwDQYJKoZIhvcNAQELBQADggEBAJodbCIVJypVoZM/FHZKO1/WACRoN47s +1ZBzUDBvCIO44uv4Umv8iYtiP4qxIr9FkK+DQNZ5LUaqhwiMk7wIGGfRK8hJ8+7A +bhNYtsIRoPJNyM9cTmDhA04OBJcEiqHHEfngq9YkGkX1qPByzKuFqEeLp3+vskew +OvJ4lMSBC+OwC/8xJIfv9BG8U2im34V5MX/xgorWzsG0C+8d4eQiPDtbY+SImN03 +HpUJIXiEispX/6SIXqYA7Y/7yf2YefOtcrhVV3HdtgDvq9mgPJRjMLgCyg8OeVr+ +b0dJ1GAZ5B7acCn4fK96dMGGJKZcQhquogTLyw+gpe4wm7cxuHjlbjw= -----END CERTIFICATE----- diff --git a/test/certs/ca-cert-ec-named.pem b/test/certs/ca-cert-ec-named.pem index 5fbe251afb..a2ca88d240 100644 --- a/test/certs/ca-cert-ec-named.pem +++ b/test/certs/ca-cert-ec-named.pem @@ -1,14 +1,14 @@ -----BEGIN CERTIFICATE----- -MIICJDCCAQygAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTIwMDkxNTEzMDY1MFoYDzIxMjAwOTE2MTMwNjUwWjANMQswCQYDVQQD +MIICMTCCARmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTgyN1oYDzIxMjAxMjEzMjAxODI3WjANMQswCQYDVQQD DAJDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPt+MXCi9+wztEvmdG2EVSk7 bAiJMXJXW/u0NbcGCrrbhO1NJSHHV3Lks888sqeSPh/bif/ASJ0HX+VarMUoFIKj -UzBRMB0GA1UdDgQWBBRjigU5REz8Lwf1iD6mALVhsHIanjAfBgNVHSMEGDAWgBSO -9SWvHptrhD18gJrJU5xNcvejUjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB -CwUAA4IBAQCQs9wpblefb2C9a7usGL1DJjWJQIFHtUf+6p/KPgEV7LF138ECjL5s -0AWRd8Q8SbsBH49j2r3LLLMkvFglyRaN+FF+TCC/UQtclTb4+HgLsUT2xSU8U2cY -SOnzNB5AX/qAAsdOGqOjivPtGXcXFexDKPsw3n+3rJgymBP6hbLagb47IabNhot5 -bMM6S+bmfpMwfsm885zr5vG2Gg9FjjH94Vx4I7eRLkjCS88gkIR1J35ecHFteOdo -idOaCHQddYiKukBzgdjtTxSDXKffkaybylrwOZ8VBlQd3zC7s02d+riHCnroLnnE -cwYLlJ5z6jN7zoPZ55yX/EmA0RVny2le +YDBeMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBRjigU5 +REz8Lwf1iD6mALVhsHIanjAfBgNVHSMEGDAWgBSO9SWvHptrhD18gJrJU5xNcvej +UjANBgkqhkiG9w0BAQsFAAOCAQEAasFD2s0bM5csgXN+iVVFOHstzD70mayWkpIj +Kb9S2l7yEQ/kCh4jD3nLHuN/aOKi9pcFLfZsqSCKfY5DRpjKFXLRgX3U5UW/+vdQ +d4Ygyca280c5p8IAjDFvhKCsbFrOAZx3QMqSQFHqAM3G2Pw8ZJVDVRudWSiEY1DV +8ZtOYy/zV0N3Lpzxf5wGLNfoo8pygV4vjRrcax5DnZV3ZqMRnzA32+R7uNQUO9rd +q3D85ojh7mtlIos4a7GwkWSLHU7bWanJVaUxrYbi6CUtA4C+u3Qgkx/pitKQraSa +ZtWxZAg2GV0XedBgBPQ4TlTggnXwP8kptaqjz+pA5BBOUh7iOQ== -----END CERTIFICATE----- diff --git a/test/certs/ca-cert-md5-any.pem b/test/certs/ca-cert-md5-any.pem index 7c2b53f5da..c4c1d6af9f 100644 --- a/test/certs/ca-cert-md5-any.pem +++ b/test/certs/ca-cert-md5-any.pem @@ -1,18 +1,19 @@ -----BEGIN TRUSTED CERTIFICATE----- -MIIC7DCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDMyMDA2MjcyN1oYDzIxMTYwMzIxMDYyNzI3WjANMQswCQYDVQQD +MIIC/DCCAeSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTgyN1oYDzIxMjAxMjEzMjAxODI3WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -CLNNsUcCAwEAAaNQME4wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G -A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ -KoZIhvcNAQEEBQADggEBACTmLO0KOkXFNjj6hXozC9GzQYMXdCfNmgMuetk8xdVm -TqkF/qIGK2FBWn91IH0/9ydZbL83EKjPjqjwqzXqExJ0Un+fy7XbYMKtjGJ21egJ -x97jzKey5phEwRD/4fJ+PCml9eE/SNzBV0xKSDq4qQYvSJ3GF6KCATVlr0bDzQJZ -yTY3FeNoy+K7Mb0rHtsGru60C/Ft1dl9uiJ+yKXMiCxPcDjYb+95mA9QJ1kXfR8J -JVfeKhEEK+QIVpz/37aQ4jx/zbGblFsruALK22aLnpgrfUzrsYQ8W8T/DV2dV1ra -4wHz/QtlE4isInOaK2+pvXwyGar+1/s3+VxXEiPlZ7IwCDAGBgRVHSUA +CLNNsUcCAwEAAaNgMF4wDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE +PXyAmslTnE1y96NSMA0GCSqGSIb3DQEBBAUAA4IBAQB8mcy5HS7TmJCuoghu+8pB +WG+sP3GP7Zqo1nkb7DRZsKTzt3sx6XDR4/ZnD4SUTycsGp1YbkDkvc5fV3tXjdPl +utXd17tkbs6SsNtbyUdUzqVbV7/rzquBG6hAXbF+2lehob33r3ntQpOMb/64+mrd +9KaWwOMQlfNXH2gqGKnmOPYUAaTOQzxBoro8hodXeTBKYZXx0mFOeCrhNtluyxE8 +VO85zaaVjJ6viuBV7/fPwtgRGHhn5yqzQjLBleGZvL8v9m4vEhYoOrDmw/T78C8o +XJhJ/4I039ZdPimeyTHv0JtkX2YKs5MATmBv8VwngHQdMbf/yolRCQVfVYATW021 +MAgwBgYEVR0lAA== -----END TRUSTED CERTIFICATE----- diff --git a/test/certs/ca-cert-md5.pem b/test/certs/ca-cert-md5.pem index be564ddd10..5752db1012 100644 --- a/test/certs/ca-cert-md5.pem +++ b/test/certs/ca-cert-md5.pem @@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC7DCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDMyMDA2MjcyN1oYDzIxMTYwMzIxMDYyNzI3WjANMQswCQYDVQQD +MIIC/DCCAeSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTgyN1oYDzIxMjAxMjEzMjAxODI3WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -CLNNsUcCAwEAAaNQME4wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G -A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ -KoZIhvcNAQEEBQADggEBACTmLO0KOkXFNjj6hXozC9GzQYMXdCfNmgMuetk8xdVm -TqkF/qIGK2FBWn91IH0/9ydZbL83EKjPjqjwqzXqExJ0Un+fy7XbYMKtjGJ21egJ -x97jzKey5phEwRD/4fJ+PCml9eE/SNzBV0xKSDq4qQYvSJ3GF6KCATVlr0bDzQJZ -yTY3FeNoy+K7Mb0rHtsGru60C/Ft1dl9uiJ+yKXMiCxPcDjYb+95mA9QJ1kXfR8J -JVfeKhEEK+QIVpz/37aQ4jx/zbGblFsruALK22aLnpgrfUzrsYQ8W8T/DV2dV1ra -4wHz/QtlE4isInOaK2+pvXwyGar+1/s3+VxXEiPlZ7I= +CLNNsUcCAwEAAaNgMF4wDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE +PXyAmslTnE1y96NSMA0GCSqGSIb3DQEBBAUAA4IBAQB8mcy5HS7TmJCuoghu+8pB +WG+sP3GP7Zqo1nkb7DRZsKTzt3sx6XDR4/ZnD4SUTycsGp1YbkDkvc5fV3tXjdPl +utXd17tkbs6SsNtbyUdUzqVbV7/rzquBG6hAXbF+2lehob33r3ntQpOMb/64+mrd +9KaWwOMQlfNXH2gqGKnmOPYUAaTOQzxBoro8hodXeTBKYZXx0mFOeCrhNtluyxE8 +VO85zaaVjJ6viuBV7/fPwtgRGHhn5yqzQjLBleGZvL8v9m4vEhYoOrDmw/T78C8o +XJhJ/4I039ZdPimeyTHv0JtkX2YKs5MATmBv8VwngHQdMbf/yolRCQVfVYATW021 -----END CERTIFICATE----- diff --git a/test/certs/ca-cert.pem b/test/certs/ca-cert.pem index f6bc233026..58f45bd97a 100644 --- a/test/certs/ca-cert.pem +++ b/test/certs/ca-cert.pem @@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC7DCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjANMQswCQYDVQQD +MIIC/DCCAeSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTY1MFoYDzIxMjAxMjEzMjAxNjUwWjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -CLNNsUcCAwEAAaNQME4wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G -A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ -KoZIhvcNAQELBQADggEBADnZ9uXGAdwfNC3xuERIlBwgLROeBRGgcfHWdXZB/tWk -IM9ox88wYKWynanPbra4n0zhepooKt+naeY2HLR8UgwT6sTi0Yfld9mjytA8/DP6 -AcqtIDDf60vNI00sgxjgZqofVayA9KShzIPzjBec4zI1sg5YzoSNyH28VXFstEpi -8CVtmRYQHhc2gDI9MGge4sHRYwaIFkegzpwcEUnp6tTVe9ZvHawgsXF/rCGfH4M6 -uNO0D+9Md1bdW7382yOtWbkyibsugqnfBYCUH6hAhDlfYzpba2Smb0roc6Crq7HR -5HpEYY6qEir9wFMkD5MZsWrNRGRuzd5am82J+aaHz/4= +CLNNsUcCAwEAAaNgMF4wDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE +PXyAmslTnE1y96NSMA0GCSqGSIb3DQEBCwUAA4IBAQDacg5HHo+yaApPb6mk/SP8 +J3CjQWhRzv91kwsGLnhPgZI4HcspdJgTaznrstiiA1VRjkQ/kwzd29Sftb1kBio0 +pAyblmravufRdojfTgkMnFyRSaj4FHuOQq8lnX3gwlKn5hBtEF6Qd+U79MkpMALa +cxPdyJs2tgDOpP1jweubOawqsKlxhAjwgdeX0Qp8iUj4BrY0zg4Q5im0mEKo4hij +49dQQqoWakCejH4QP2+T1urJsRGn9rXk/nkW9daNYaQDyoAPlnhr5oU+pP3+hSec +Ol83n08VZ8BizTSPkG0J66sZGC5jvsf5rX8YHURv0jNxHcG8QVEmyCwPqfDTI4fz -----END CERTIFICATE----- diff --git a/test/certs/ca-cert2.pem b/test/certs/ca-cert2.pem index 561ffb27b3..6e164cfbbf 100644 --- a/test/certs/ca-cert2.pem +++ b/test/certs/ca-cert2.pem @@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC7DCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjANMQswCQYDVQQD +MIIC/DCCAeSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTcwNFoYDzIxMjAxMjEzMjAxNzA0WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOsBxQ3RD9TDABcU Uddp+r5s2pLcA/IUN8MnH2PoemxgfJUKfWm+t0VR2mFqyiSeym1V1TkDnuhzui1Y ftOuiN1qVs0s6xBcU0+S9vWzYIu5SFTkOgB5APYamCLfbDw3xFTQvRs55UfR+yof T/sN6Enq6AhptqnJ/eYVX9EuLTDwV55Kptb4gv9JQs6v01aEHzJ9KGlK2zKpS9Am E67xNkwPeXwbzDdqXgr2a+aSrZjtHUfOsV5gZwH8XPAY0kFmrwhHIJsYZInsZhFo nil/9pMB8gHFU2EHq3LXbs4GUouQoIf+m3OmgeHCI+t7nAfQgU94FJzq+r6p4WxQ -KI7cotkCAwEAAaNQME4wHQYDVR0OBBYEFAFonW/5R1NkYk6W28NxJdMyTlCtMB8G -A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ -KoZIhvcNAQELBQADggEBAJIyn7fl5QppxeRmCLhj18Ic+Nft5LMCvaOkv9HNctL+ -f1Qe2RgtdrMbHpYykXYrOI4KDt4LhLLInGjXNgV+lp8tSi/ok26wNIpwjf68bfP+ -nWNHi2Lt0Eeo9Wpq2VqdsHct98VvBXyuLysbThEJVbrLRsgvBWxdEzbf5RnwdWd5 -ZTDQyHgP1/gabl+AyvDFne101IyEA3i90NBhQ8NmSNn4ShTTrerbZSiWhy4eQEzo -PeWfUVERV28/0D4XIt/fFuF3M/0RbEgKq2wlDMCT8+W/hWmcZsdyt4xSyiGyjh9Y -ldYmdyOrlfOGVzkZ63GTOAC68SNVCXJg3cOmfEczkRw= +KI7cotkCAwEAAaNgMF4wDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFAFonW/5R1NkYk6W28NxJdMyTlCtMB8GA1UdIwQYMBaAFI71Ja8em2uE +PXyAmslTnE1y96NSMA0GCSqGSIb3DQEBCwUAA4IBAQBQk6NQbaZhc8WuyE+dbori +U4BG8309syKWKVLwYwzhHFic4CfqL8B9zvO7Z7XHgnSTBhR31GkqUrUA2mV8p5js +45hi4GpuPTJFYammeTBdMJTeHfNrmKaFFnz1QM4zpyE5t8QyhIqQrvQqtONF2niI +XrM0fzd0UWuTkpSJP6F51+XMoS/KXSoSfyuImIKhJe7M8XXhYe70gQa/TIw9cVko +K8OTtKnEL9JLz5nIIe0nP9Ib/ejC7OZzwVMCrGqs5m9M4T6rv9vPTtke3fBCk4cZ +ukAjSY/i44LcEqxa6WOqc5rnWqy4jrglA8gPP300FsR6NgfOttkx93udwCMiL8dH -----END CERTIFICATE----- diff --git a/test/certs/ca-expired.pem b/test/certs/ca-expired.pem index 5be60fa34e..fd82b14a5c 100644 --- a/test/certs/ca-expired.pem +++ b/test/certs/ca-expired.pem @@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC6jCCAdKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMB4XDTE2MDExNTA4MTk0OVoXDTE2MDExNDA4MTk0OVowDTELMAkGA1UEAwwC +MIIC+jCCAeKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMB4XDTIwMTIxMjIwMTcwNFoXDTIwMTIxMTIwMTcwNFowDTELMAkGA1UEAwwC Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCWnaQ9AEscX8bL3Y/S MbKIFczEhixc4mmLhPSno1PfkeO/UYn78HwQDTutrDVidfV///RuVI8FppIjs59Z OdA5GLAQQN5ic4pOsI7f3OfJQSJUhIAIKbw1PIbfMN7dtCT/fmKlwHroKhY/1pfa xULbL2lkkcsI11ZaeX8bhEHpTZ13CRCobCkzRMbAVGXm6OPydQVqZJVswPT9JWFu SDbwwAMHBdZ85RH9GOhKLdNyDDcoNjExOIXocY3YAknIvBmJxYqxP6I16qqQHGRo e69naloGVA9Q4fm09r461M4/Hkx9xncyPqJY7dvddNiSFGqo98s0WJGofBSxfQiz -TbFHAgMBAAGjUDBOMB0GA1UdDgQWBBS0ETPx1+Je91OeICIQT4YGvx/JXjAfBgNV -HSMEGDAWgBSO9SWvHptrhD18gJrJU5xNcvejUjAMBgNVHRMEBTADAQH/MA0GCSqG -SIb3DQEBCwUAA4IBAQAW1MwF8Rfcgj6zHutqzzt7RQB5GT1b/vJNzgUyGTRK9kch -HOw7rM9WpfP1cMEjhLwGJEZkHPb0DA8rZ4uFERuoZky04/vTum0GgLXmlnSTaAk5 -ImJyJn9aFR+sbD6QyfkSmQk9yS48AHom62IfA9yVwQStq3HvI038oVEb2IO5TE+L -CTX8dVFl4ZgYMVWTLYGzvECCvM42enR9QT0yp+9k8dZ9DcGzknZouoDd1BC2u05V -TJIviKNZMA/UEsON5QL02h25r1YRNlegeC4zl1DbJXXhJfDiacMZD7AA6NWMdwlk -7jDeEHIItT7V/x0NWllSqSPPZIsuyuuwFNmLZHfw +TbFHAgMBAAGjYDBeMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1Ud +DgQWBBS0ETPx1+Je91OeICIQT4YGvx/JXjAfBgNVHSMEGDAWgBSO9SWvHptrhD18 +gJrJU5xNcvejUjANBgkqhkiG9w0BAQsFAAOCAQEACUyrkuz/34jLKGBj2m8RWm15 +tyZmjFMNEFi1uqLgo25WtDCgdnXp8N0/lULVKJ+cFcIjzbTXmJQ0LeWYrXB436XH +ky2DZ/M0WVcduiQvuEF2v2xGDDhvcvLedN5h/mqSaN/lav5OLHiArYTTYJ7cEphg +gGnoqC4qJ+KYyXAojL9owpUeJ1QsJVrbiA0RUxyQ6P62ZlyZ9fzNLGpQvymJCUqz +MqaAdcmlJxWvHF/CWJnks9Uu+83jvihuwryWtwj4ZydFzyx9WB0ueZQBAVdwhzjk +UWwxI5OG7CqtBONjeB63C0X/DDmSmaiQM9n9E0USRgg5r31+lXVotA7r/d8mog== -----END CERTIFICATE----- diff --git a/test/certs/ca-name2.pem b/test/certs/ca-name2.pem index b8bbc807c0..67f7d2ad15 100644 --- a/test/certs/ca-name2.pem +++ b/test/certs/ca-name2.pem @@ -1,18 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIC7TCCAdWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjAOMQwwCgYDVQQD +MIIC/TCCAeWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTcwNFoYDzIxMjAxMjEzMjAxNzA0WjAOMQwwCgYDVQQD DANDQTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCWnaQ9AEscX8bL 3Y/SMbKIFczEhixc4mmLhPSno1PfkeO/UYn78HwQDTutrDVidfV///RuVI8FppIj s59ZOdA5GLAQQN5ic4pOsI7f3OfJQSJUhIAIKbw1PIbfMN7dtCT/fmKlwHroKhY/ 1pfaxULbL2lkkcsI11ZaeX8bhEHpTZ13CRCobCkzRMbAVGXm6OPydQVqZJVswPT9 JWFuSDbwwAMHBdZ85RH9GOhKLdNyDDcoNjExOIXocY3YAknIvBmJxYqxP6I16qqQ HGRoe69naloGVA9Q4fm09r461M4/Hkx9xncyPqJY7dvddNiSFGqo98s0WJGofBSx -fQizTbFHAgMBAAGjUDBOMB0GA1UdDgQWBBS0ETPx1+Je91OeICIQT4YGvx/JXjAf -BgNVHSMEGDAWgBSO9SWvHptrhD18gJrJU5xNcvejUjAMBgNVHRMEBTADAQH/MA0G -CSqGSIb3DQEBCwUAA4IBAQCnVQGsqB3UipgBdwnxQMQJxaeo6MUdBs0gc3rFg2e9 -EFoDE92/hX+Ze7YRji6GRDzmRDd/i5gLgn6tMtJZzPPV6pzFsDZ0mB1pHJrObB+q -nZVjRFpGFcIm1epXjYRssCQepu92DR7ReSsLqFDSmBROAKfYvt3hdN34W8rp5Gnb -2kxm5F+dJrtDIs0C/3hItBkBmZ69KHqSWq5lmBY7K1cpKU6enZFgJEZ+w3pqAPBI -jrbxER2qdr4g80hzT9g+YPIlI+PfkGf5jmClugpsJ7ptXEdW1LsdEyZgd2VUZymw -rcIp4tupJNvgLC18ZcYcyQ6jMPZOfhfGpNlqZ37jI7Yu +fQizTbFHAgMBAAGjYDBeMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0G +A1UdDgQWBBS0ETPx1+Je91OeICIQT4YGvx/JXjAfBgNVHSMEGDAWgBSO9SWvHptr +hD18gJrJU5xNcvejUjANBgkqhkiG9w0BAQsFAAOCAQEAa+4h7d7XCtWfWLes/m+V +v1bqar9Ed0mlM6X5bT/uneQ29NaGNB63D4IdnzM1ejYozCia9gg+EU59eVAxcM3i +EdzYV9WD0YOTB0l97daiF00kYKVP3Dvw7DrRdrENdKgTM+FvoHKKSoIBf4zCr6Nm +ohLUDFbkVzHZPNrm/M9S0AWvXDUn7V/EpuA0+r1eiAMNRNnJrZnrI64ckSuU3qYi +w6Cp935dm5t+qEJD4JmEgbsS6P1Os9WgpBs6YPb/BBG/i18ualQ2G3oQMNEycxlM +lCbfTQIj8KJIrX9hNU/zQUnxXb03TB+2JxOkwPoLpfzxI2pbgYP/hDR+L69ooCmk +zA== -----END CERTIFICATE----- diff --git a/test/certs/ca-nonbc.pem b/test/certs/ca-nonbc.pem index 013775b965..f528030414 100644 --- a/test/certs/ca-nonbc.pem +++ b/test/certs/ca-nonbc.pem @@ -1,6 +1,6 @@ -----BEGIN CERTIFICATE----- MIIC6zCCAdOgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDMzMDAwMDE1N1oYDzIxMTYwMzMxMDAwMTU3WjANMQswCQYDVQQD +IENBMCAXDTIwMTIxMjIwMTcwNFoYDzIxMjAxMjEzMjAxNzA0WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W @@ -9,10 +9,10 @@ YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 CLNNsUcCAwEAAaNPME0wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAsGA1UdDwQEAwIBBjANBgkq -hkiG9w0BAQsFAAOCAQEAPo7bKKFLbwT3x7dw+OPZMDxwyG1pk5x+5SD7iv45mOzS -5lZ2ByaOH+jnjTfG6beNmTCbfq6RcHqTvD6LXYex5z9KliIL9Fpwh507uGDXmKDN -lM0zmbYhXiWGRwP5NkbB/EppbiSk42l5/ky4gmCH/a9kQfiBW+Gwe3aBwRX6v+5p -BLwH12YrM46DdEL4RHd2H/9rjSaX4X3aaZd9kZsf/yaOU65iQX15cNDfxkKncYQK -K+xjT2S/NLcwslkPzQLCWeWZVBV4Vd+TEjjZA1tFpu5e1oNlJYvGbqjIuUurpoxv -IhsVUfWJEf7KjpFy+kgPyijNYRUBFrMspdb6x771RQ== +hkiG9w0BAQsFAAOCAQEAOleg/SyxNbMMGkPd5ZVJgvXixrmwvBF/xjDKLqXPZmPM +w9SSffDAgi4rf/7NiRPEwkBlNpJmut+c9eiHjojc2R3k4O2JFlDCQW4rBjJGecI2 +DUAFPaR2eJb7aR2PcniB8wwlStuoej3FKVPYegUGhhQwpn9WOWZyEMgy5Zm//kAC +vFeEapDE/Wpp+SCoZ8WStkZ4URZN4uejbLfwEk+8MF8HXkwynGktzst50nkReWPi +6fSrbt4O2n8l1ThhhxMLEY6ZvBgwL4h4RP+IojKiK1E0lW42UTy13toR9JRJj5G8 +DAZbYsq6aXwdu6E58/EQVQ4yIFd8iEiU+da+AGdYGw== -----END CERTIFICATE----- diff --git a/test/certs/ca-nonca.pem b/test/certs/ca-nonca.pem index cdb2cd1860..239cd64ead 100644 --- a/test/certs/ca-nonca.pem +++ b/test/certs/ca-nonca.pem @@ -1,6 +1,6 @@ -----BEGIN CERTIFICATE----- MIIDDTCCAfWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjANMQswCQYDVQQD +IENBMCAXDTIwMTIxMjIwMTcwNFoYDzIxMjAxMjEzMjAxNzA0WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W @@ -10,10 +10,10 @@ ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 CLNNsUcCAwEAAaNxMG8wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAkGA1UdEwQCMAAwEwYDVR0l BAwwCgYIKwYBBQUHAwEwDQYDVR0RBAYwBIICQ0EwDQYJKoZIhvcNAQELBQADggEB -AL/aEy4Nk2W2UQNi/0h9MLkiq4J5IkjUocJp4grPUsdUJKu68GFYgWnJSBZjKMhs -X390IUWrRJ8C7SJtyGOhbh2E6Zn7TveI77Mnw2CZpGhy+xieqTFmaIIWJgZVzaTT -3hMhnXImn06k8eJiJiQQAHKr9XKDK9HIiESyBpujIW5hI7wrklkn0asl6DwiXcUw -AuXqNffWpomWI4ZZceOJkr5dSFM9HyksQi4uzj0qYTDyDHJ6BLuGYWbUoB64pnKF -wCn0cPOmbo866l0XqzJlxQYPvwOicAptX8jTjSpYsx5SLripS4KwyfxbGy5If8mT -X4st+BN48+n9wHuDQJ97sBs= +AGMZ+jXtPoEaGGj3vBOxw4Uf9h8G5PWIZOqV8EGdJkPVWSUJ7NM12vqTN8Lfv7UO ++gv1VJL02UO1UWrvDcid37XWBbVLwSjk963se+S8Xzd+I2FQY8+Yy4m5VN6m6Krc +pZt64zsgYROre5yP3gWIvzNa8Ayk/1nmQX1ADAe2tQJeWHROFBim0K3FcjIrhqZ8 +3MUAVJ5Nt3THrVrt3ojIWBOatBJHv+Q2Ii52UZVKG5HMGogRuMjFQy/mwshcBQSz +pxAWfqT2oVmP+K/iBGxikYjtrOOYNW8L8RwShU3j1dFulQZb2SLRRj8/eDBSV++6 +KsEzVayX0uF80Hohuxbq7OA= -----END CERTIFICATE----- diff --git a/test/certs/ca-root2.pem b/test/certs/ca-root2.pem index 28d9854c66..05e478bcf0 100644 --- a/test/certs/ca-root2.pem +++ b/test/certs/ca-root2.pem @@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC7DCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjANMQswCQYDVQQD +MIIC/DCCAeSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTcwNFoYDzIxMjAxMjEzMjAxNzA0WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -CLNNsUcCAwEAAaNQME4wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G -A1UdIwQYMBaAFJzOZkIwqxwIJl9zGW3fD6euWFIeMAwGA1UdEwQFMAMBAf8wDQYJ -KoZIhvcNAQELBQADggEBAEqhb/i7hTJ9l/UdLm9fgm4QYmNb1OMWyCU84y5QI/Rj -uHueaHLy6zEWHTavz9m4VcQpu8hblxFG+4CWWr92QjSYwTsyi578k7Ju5jNzvZQ5 -RnVAL+eeaTVa/7mazmqYzOHgyE4IpljX1MOd0QDpUjRGuNLoWfKXeXn7ul44r3ry -1hDMwmc3SS3XMzJ9Wl6k5SjKObbkMc8e0WjhhAwGjw3lODa5nj2xGf6W/Ikr/XTp -pnVjYsm+jxHoj+qmMgmXa1h11wdFCPUl15V1qq4R4rcS5zR8YxKUGZRo1R839geW -w4G8ytKRsapdFi165mOXZUumyHpJ8i43SEvYlcJux0I= +CLNNsUcCAwEAAaNgMF4wDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFJzOZkIwqxwI +Jl9zGW3fD6euWFIeMA0GCSqGSIb3DQEBCwUAA4IBAQArn3lUKgZl1GzvnQy2g4cI +1BDeh7nSDu9ry5qIG1VDPFstL4zCe7L3ANI95QwXDgCH5Pfn+4G4h+AuL6qTmMcB +Xhp04tz5G2dcS3F7NJCNkmgCf34GGi0+OPxyE29hhab+gtEbT/ZMxQuiKtIagYf4 +ZfWLKHzI2WmCEiPplATqQ1jJjO9SpdLMkYo9o+hCt4cVUSY5T5GujmnA8bLELy/Z +EUF3bT3sIHQG3UIkTgDRvnP2ORlLoJwVNqGHYbrtpq8TzzxZ+2UIQk89KQSBWcVW +PO5xmW7+rEEbuJjgBu1lCgDMmYA6E8eGe/6pVVF6s3WlrvH3OGaOOPNNkr7Yh222 -----END CERTIFICATE----- diff --git a/test/certs/cca+anyEKU.pem b/test/certs/cca+anyEKU.pem index 46ee9fae6d..fc671d40ab 100644 --- a/test/certs/cca+anyEKU.pem +++ b/test/certs/cca+anyEKU.pem @@ -1,19 +1,19 @@ -----BEGIN TRUSTED CERTIFICATE----- -MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +MIIDETCCAfmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTgyN1oYDzIxMjAxMjEzMjAxODI3WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G -A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD -VR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAB6mihrap7ByLl3w -P/0XsqMvOkxCxoWTeI0cEwbxSpUXfMTE24oIQJiqIyHO6qeSRgSywk/DTU0uJWOB -Idr6dPI6wPrS4jvFqcgoFH1OPjAJCpl5CuCJEH8gB3LJ4dNfj+O7shT0XeI+R1vw -gp+fJ8v6jX4y8Nk/Bcy748dC1HZhMWHxQblzjRu8Xmd6lDiMskoWE2JAwgRK7b3M -dCpuTCHMTsdCspwBUvQ4gNYNP5IURE+09DBtEBQicN/1RHyRZOw7YGs5ZOdc5mRe -O5E+WHE1xiJ0QwUu2co55PFlukidWXx7LE02foNaNm+rw4OUTrzsqmmgkp1qqAab -ap/RSXgwCDAGBgRVHSUA +CLNNsUcCAwEAAaN1MHMwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE +PXyAmslTnE1y96NSMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUA +A4IBAQBgOqmevOO5WbDV6ZbDKzceW6xPukiq13Z0DU0moC5rF01ayrLL/GFFNndP +YZYCppu6PTwp3UYgAFw6VN+2Hv6fWCwu2rsWLcqkJIJPkmjYATZJU2RkWrRpn23D +SWwnam7i+uiJpot8uKhOCIQtrCtP+0Q8lG+6reWHpaNRU3Gcsrc+I98wyWhsx5jd +fiLl1Cgb5G7Xz3Ff1ObdR6JdP4Wc9krj3Czbjv3oYFZ2p8LPgui+C7XDb4RBxGUu +c4mETHtGSRoX6n25uEXvIia2KCcS44VfA6wYaZtO/Lq7FmJI0QwI8tsm7FG6ccj+ +y54iNhHRG7FCAXOLy2RBrEwQddq5MAgwBgYEVR0lAA== -----END TRUSTED CERTIFICATE----- diff --git a/test/certs/cca+clientAuth.pem b/test/certs/cca+clientAuth.pem index 0b857eece4..0f31101ff4 100644 --- a/test/certs/cca+clientAuth.pem +++ b/test/certs/cca+clientAuth.pem @@ -1,19 +1,19 @@ -----BEGIN TRUSTED CERTIFICATE----- -MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +MIIDETCCAfmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTgyN1oYDzIxMjAxMjEzMjAxODI3WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G -A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD -VR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAB6mihrap7ByLl3w -P/0XsqMvOkxCxoWTeI0cEwbxSpUXfMTE24oIQJiqIyHO6qeSRgSywk/DTU0uJWOB -Idr6dPI6wPrS4jvFqcgoFH1OPjAJCpl5CuCJEH8gB3LJ4dNfj+O7shT0XeI+R1vw -gp+fJ8v6jX4y8Nk/Bcy748dC1HZhMWHxQblzjRu8Xmd6lDiMskoWE2JAwgRK7b3M -dCpuTCHMTsdCspwBUvQ4gNYNP5IURE+09DBtEBQicN/1RHyRZOw7YGs5ZOdc5mRe -O5E+WHE1xiJ0QwUu2co55PFlukidWXx7LE02foNaNm+rw4OUTrzsqmmgkp1qqAab -ap/RSXgwDDAKBggrBgEFBQcDAg== +CLNNsUcCAwEAAaN1MHMwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE +PXyAmslTnE1y96NSMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUA +A4IBAQBgOqmevOO5WbDV6ZbDKzceW6xPukiq13Z0DU0moC5rF01ayrLL/GFFNndP +YZYCppu6PTwp3UYgAFw6VN+2Hv6fWCwu2rsWLcqkJIJPkmjYATZJU2RkWrRpn23D +SWwnam7i+uiJpot8uKhOCIQtrCtP+0Q8lG+6reWHpaNRU3Gcsrc+I98wyWhsx5jd +fiLl1Cgb5G7Xz3Ff1ObdR6JdP4Wc9krj3Czbjv3oYFZ2p8LPgui+C7XDb4RBxGUu +c4mETHtGSRoX6n25uEXvIia2KCcS44VfA6wYaZtO/Lq7FmJI0QwI8tsm7FG6ccj+ +y54iNhHRG7FCAXOLy2RBrEwQddq5MAwwCgYIKwYBBQUHAwI= -----END TRUSTED CERTIFICATE----- diff --git a/test/certs/cca+serverAuth.pem b/test/certs/cca+serverAuth.pem index 38a0bdb835..a0e0e2e5fe 100644 --- a/test/certs/cca+serverAuth.pem +++ b/test/certs/cca+serverAuth.pem @@ -1,19 +1,19 @@ -----BEGIN TRUSTED CERTIFICATE----- -MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +MIIDETCCAfmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTgyN1oYDzIxMjAxMjEzMjAxODI3WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G -A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD -VR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAB6mihrap7ByLl3w -P/0XsqMvOkxCxoWTeI0cEwbxSpUXfMTE24oIQJiqIyHO6qeSRgSywk/DTU0uJWOB -Idr6dPI6wPrS4jvFqcgoFH1OPjAJCpl5CuCJEH8gB3LJ4dNfj+O7shT0XeI+R1vw -gp+fJ8v6jX4y8Nk/Bcy748dC1HZhMWHxQblzjRu8Xmd6lDiMskoWE2JAwgRK7b3M -dCpuTCHMTsdCspwBUvQ4gNYNP5IURE+09DBtEBQicN/1RHyRZOw7YGs5ZOdc5mRe -O5E+WHE1xiJ0QwUu2co55PFlukidWXx7LE02foNaNm+rw4OUTrzsqmmgkp1qqAab -ap/RSXgwDDAKBggrBgEFBQcDAQ== +CLNNsUcCAwEAAaN1MHMwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE +PXyAmslTnE1y96NSMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUA +A4IBAQBgOqmevOO5WbDV6ZbDKzceW6xPukiq13Z0DU0moC5rF01ayrLL/GFFNndP +YZYCppu6PTwp3UYgAFw6VN+2Hv6fWCwu2rsWLcqkJIJPkmjYATZJU2RkWrRpn23D +SWwnam7i+uiJpot8uKhOCIQtrCtP+0Q8lG+6reWHpaNRU3Gcsrc+I98wyWhsx5jd +fiLl1Cgb5G7Xz3Ff1ObdR6JdP4Wc9krj3Czbjv3oYFZ2p8LPgui+C7XDb4RBxGUu +c4mETHtGSRoX6n25uEXvIia2KCcS44VfA6wYaZtO/Lq7FmJI0QwI8tsm7FG6ccj+ +y54iNhHRG7FCAXOLy2RBrEwQddq5MAwwCgYIKwYBBQUHAwE= -----END TRUSTED CERTIFICATE----- diff --git a/test/certs/cca-anyEKU.pem b/test/certs/cca-anyEKU.pem index cb3e70894e..66be5f6814 100644 --- a/test/certs/cca-anyEKU.pem +++ b/test/certs/cca-anyEKU.pem @@ -1,19 +1,19 @@ -----BEGIN TRUSTED CERTIFICATE----- -MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +MIIDETCCAfmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTgyN1oYDzIxMjAxMjEzMjAxODI3WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G -A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD -VR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAB6mihrap7ByLl3w -P/0XsqMvOkxCxoWTeI0cEwbxSpUXfMTE24oIQJiqIyHO6qeSRgSywk/DTU0uJWOB -Idr6dPI6wPrS4jvFqcgoFH1OPjAJCpl5CuCJEH8gB3LJ4dNfj+O7shT0XeI+R1vw -gp+fJ8v6jX4y8Nk/Bcy748dC1HZhMWHxQblzjRu8Xmd6lDiMskoWE2JAwgRK7b3M -dCpuTCHMTsdCspwBUvQ4gNYNP5IURE+09DBtEBQicN/1RHyRZOw7YGs5ZOdc5mRe -O5E+WHE1xiJ0QwUu2co55PFlukidWXx7LE02foNaNm+rw4OUTrzsqmmgkp1qqAab -ap/RSXgwCKAGBgRVHSUA +CLNNsUcCAwEAAaN1MHMwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE +PXyAmslTnE1y96NSMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUA +A4IBAQBgOqmevOO5WbDV6ZbDKzceW6xPukiq13Z0DU0moC5rF01ayrLL/GFFNndP +YZYCppu6PTwp3UYgAFw6VN+2Hv6fWCwu2rsWLcqkJIJPkmjYATZJU2RkWrRpn23D +SWwnam7i+uiJpot8uKhOCIQtrCtP+0Q8lG+6reWHpaNRU3Gcsrc+I98wyWhsx5jd +fiLl1Cgb5G7Xz3Ff1ObdR6JdP4Wc9krj3Czbjv3oYFZ2p8LPgui+C7XDb4RBxGUu +c4mETHtGSRoX6n25uEXvIia2KCcS44VfA6wYaZtO/Lq7FmJI0QwI8tsm7FG6ccj+ +y54iNhHRG7FCAXOLy2RBrEwQddq5MAigBgYEVR0lAA== -----END TRUSTED CERTIFICATE----- diff --git a/test/certs/cca-cert.pem b/test/certs/cca-cert.pem index 6bccc4cce4..09a114946e 100644 --- a/test/certs/cca-cert.pem +++ b/test/certs/cca-cert.pem @@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +MIIDETCCAfmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTgyN1oYDzIxMjAxMjEzMjAxODI3WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G -A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD -VR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAB6mihrap7ByLl3w -P/0XsqMvOkxCxoWTeI0cEwbxSpUXfMTE24oIQJiqIyHO6qeSRgSywk/DTU0uJWOB -Idr6dPI6wPrS4jvFqcgoFH1OPjAJCpl5CuCJEH8gB3LJ4dNfj+O7shT0XeI+R1vw -gp+fJ8v6jX4y8Nk/Bcy748dC1HZhMWHxQblzjRu8Xmd6lDiMskoWE2JAwgRK7b3M -dCpuTCHMTsdCspwBUvQ4gNYNP5IURE+09DBtEBQicN/1RHyRZOw7YGs5ZOdc5mRe -O5E+WHE1xiJ0QwUu2co55PFlukidWXx7LE02foNaNm+rw4OUTrzsqmmgkp1qqAab -ap/RSXg= +CLNNsUcCAwEAAaN1MHMwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE +PXyAmslTnE1y96NSMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUA +A4IBAQBgOqmevOO5WbDV6ZbDKzceW6xPukiq13Z0DU0moC5rF01ayrLL/GFFNndP +YZYCppu6PTwp3UYgAFw6VN+2Hv6fWCwu2rsWLcqkJIJPkmjYATZJU2RkWrRpn23D +SWwnam7i+uiJpot8uKhOCIQtrCtP+0Q8lG+6reWHpaNRU3Gcsrc+I98wyWhsx5jd +fiLl1Cgb5G7Xz3Ff1ObdR6JdP4Wc9krj3Czbjv3oYFZ2p8LPgui+C7XDb4RBxGUu +c4mETHtGSRoX6n25uEXvIia2KCcS44VfA6wYaZtO/Lq7FmJI0QwI8tsm7FG6ccj+ +y54iNhHRG7FCAXOLy2RBrEwQddq5 -----END CERTIFICATE----- diff --git a/test/certs/cca-clientAuth.pem b/test/certs/cca-clientAuth.pem index 0b857eece4..0f31101ff4 100644 --- a/test/certs/cca-clientAuth.pem +++ b/test/certs/cca-clientAuth.pem @@ -1,19 +1,19 @@ -----BEGIN TRUSTED CERTIFICATE----- -MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +MIIDETCCAfmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTgyN1oYDzIxMjAxMjEzMjAxODI3WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G -A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD -VR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAB6mihrap7ByLl3w -P/0XsqMvOkxCxoWTeI0cEwbxSpUXfMTE24oIQJiqIyHO6qeSRgSywk/DTU0uJWOB -Idr6dPI6wPrS4jvFqcgoFH1OPjAJCpl5CuCJEH8gB3LJ4dNfj+O7shT0XeI+R1vw -gp+fJ8v6jX4y8Nk/Bcy748dC1HZhMWHxQblzjRu8Xmd6lDiMskoWE2JAwgRK7b3M -dCpuTCHMTsdCspwBUvQ4gNYNP5IURE+09DBtEBQicN/1RHyRZOw7YGs5ZOdc5mRe -O5E+WHE1xiJ0QwUu2co55PFlukidWXx7LE02foNaNm+rw4OUTrzsqmmgkp1qqAab -ap/RSXgwDDAKBggrBgEFBQcDAg== +CLNNsUcCAwEAAaN1MHMwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE +PXyAmslTnE1y96NSMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUA +A4IBAQBgOqmevOO5WbDV6ZbDKzceW6xPukiq13Z0DU0moC5rF01ayrLL/GFFNndP +YZYCppu6PTwp3UYgAFw6VN+2Hv6fWCwu2rsWLcqkJIJPkmjYATZJU2RkWrRpn23D +SWwnam7i+uiJpot8uKhOCIQtrCtP+0Q8lG+6reWHpaNRU3Gcsrc+I98wyWhsx5jd +fiLl1Cgb5G7Xz3Ff1ObdR6JdP4Wc9krj3Czbjv3oYFZ2p8LPgui+C7XDb4RBxGUu +c4mETHtGSRoX6n25uEXvIia2KCcS44VfA6wYaZtO/Lq7FmJI0QwI8tsm7FG6ccj+ +y54iNhHRG7FCAXOLy2RBrEwQddq5MAwwCgYIKwYBBQUHAwI= -----END TRUSTED CERTIFICATE----- diff --git a/test/certs/cca-serverAuth.pem b/test/certs/cca-serverAuth.pem index 46cbce05ae..828c6e225b 100644 --- a/test/certs/cca-serverAuth.pem +++ b/test/certs/cca-serverAuth.pem @@ -1,19 +1,19 @@ -----BEGIN TRUSTED CERTIFICATE----- -MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +MIIDETCCAfmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTgyN1oYDzIxMjAxMjEzMjAxODI3WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G -A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD -VR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAB6mihrap7ByLl3w -P/0XsqMvOkxCxoWTeI0cEwbxSpUXfMTE24oIQJiqIyHO6qeSRgSywk/DTU0uJWOB -Idr6dPI6wPrS4jvFqcgoFH1OPjAJCpl5CuCJEH8gB3LJ4dNfj+O7shT0XeI+R1vw -gp+fJ8v6jX4y8Nk/Bcy748dC1HZhMWHxQblzjRu8Xmd6lDiMskoWE2JAwgRK7b3M -dCpuTCHMTsdCspwBUvQ4gNYNP5IURE+09DBtEBQicN/1RHyRZOw7YGs5ZOdc5mRe -O5E+WHE1xiJ0QwUu2co55PFlukidWXx7LE02foNaNm+rw4OUTrzsqmmgkp1qqAab -ap/RSXgwDKAKBggrBgEFBQcDAQ== +CLNNsUcCAwEAAaN1MHMwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE +PXyAmslTnE1y96NSMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUA +A4IBAQBgOqmevOO5WbDV6ZbDKzceW6xPukiq13Z0DU0moC5rF01ayrLL/GFFNndP +YZYCppu6PTwp3UYgAFw6VN+2Hv6fWCwu2rsWLcqkJIJPkmjYATZJU2RkWrRpn23D +SWwnam7i+uiJpot8uKhOCIQtrCtP+0Q8lG+6reWHpaNRU3Gcsrc+I98wyWhsx5jd +fiLl1Cgb5G7Xz3Ff1ObdR6JdP4Wc9krj3Czbjv3oYFZ2p8LPgui+C7XDb4RBxGUu +c4mETHtGSRoX6n25uEXvIia2KCcS44VfA6wYaZtO/Lq7FmJI0QwI8tsm7FG6ccj+ +y54iNhHRG7FCAXOLy2RBrEwQddq5MAygCgYIKwYBBQUHAwE= -----END TRUSTED CERTIFICATE----- diff --git a/test/certs/croot-cert.pem b/test/certs/croot-cert.pem index f3459f4c90..33a605896a 100644 --- a/test/certs/croot-cert.pem +++ b/test/certs/croot-cert.pem @@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjASMRAwDgYDVQQD +MIIDFjCCAf6gAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTEyOFoYDzIxMjAxMjEzMjAxMTI4WjASMRAwDgYDVQQD DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff -tWgiQ35mJCOvxQIDAQABo2UwYzAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 -o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB -/zATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAi/mR+SIa -bs1egGRRSAzqu4KkrOG1vGVQNj0XfHn1WeAdmwEAjNi+llErpkMyY08Cjb/3fiQc -6H9CA36utf/Ym84OQOY64m4C1Kikxw8EHudoPNvSWQAFEpCk5gs6rCJEnj9QolL3 -32IvZQ1m+GcrjGg976PccEaM7S362kTj+kcAswmS8iJmDAJ2b+ghHTFrFQS4GAw7 -XOcqQbinx9ntGn135VsJLOXKveYvQSD7sHKCd4RFrFTSEwWmtBL96vRXmTV5wTAr -tpkKKKw5N9CiHnbhNyVrSRiLCzVDTpYQDaBJhb7XOsHi+/HOzmbK6LHe0Lt1nP+k -4PR8O0S5WC0Plw== +tWgiQ35mJCOvxQIDAQABo3UwczAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIB +BjAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3o1IwHwYDVR0jBBgwFoAUjvUl +rx6ba4Q9fICayVOcTXL3o1IwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcN +AQELBQADggEBANnzv3Vd0oYUdxlq9EkvGguR3/GNF1S6mDz3MiAyadXNGiJ6Fx3U +cJulbeqGpr5B4o5ynMVnvKfRrmulaOzUMOpZDlgF/U55bXKUNuOdUpESOg0szlek +KBf1xf3A5MDHD68lxKNt4NMaW+KmStQjr/Ahr/xF7xKtQCj+B7WcDibKBKLPICSf +PjqjV+CnkD/Q4E1pUpZ2rM+MPRDX8/5X9pg2UhoD0iEd5BubT+YvhLlHHRERtHUx +yRysl7uNzcSBe2WHPTcVdOowNKsymgeuoN63WmkiY2Oy4wn9Nu3w3CcIDm/wZBVX +LUdqS+uGmu2lMbIVjMWrdDkBq8ePVy0ezb8= -----END CERTIFICATE----- diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh index a564e30c6b..bb02a23dc5 100755 --- a/test/certs/mkcert.sh +++ b/test/certs/mkcert.sh @@ -100,10 +100,12 @@ genroot() { local cn=$1; shift local key=$1; shift local cert=$1; shift + local bcon="basicConstraints = critical,CA:true" + local ku="keyUsage = keyCertSign,cRLSign" local skid="subjectKeyIdentifier = hash" local akid="authorityKeyIdentifier = keyid" - exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true") + exts=$(printf "%s\n%s\n%s\n" "$bcon" "$ku" "$skid" "$akid") for eku in "$@" do exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku") @@ -119,10 +121,12 @@ genca() { local cert=$1; shift local cakey=$1; shift local cacert=$1; shift + local bcon="basicConstraints = critical,CA:true" + local ku="keyUsage = keyCertSign,cRLSign" local skid="subjectKeyIdentifier = hash" local akid="authorityKeyIdentifier = keyid" - exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = critical,CA:true") + exts=$(printf "%s\n%s\n%s\n" "$bcon" "$ku" "$skid" "$akid") for eku in "$@" do exts=$(printf "%s\nextendedKeyUsage = %s\n" "$exts" "$eku") diff --git a/test/certs/ncca1-cert.pem b/test/certs/ncca1-cert.pem index 1f7f52e7d2..68cb870f18 100644 --- a/test/certs/ncca1-cert.pem +++ b/test/certs/ncca1-cert.pem @@ -1,20 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDWTCCAkGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDcwOTE0NDgxMVoYDzIxMTYwNzEwMTQ0ODExWjAXMRUwEwYDVQQD +MIIDZjCCAk6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTk0NFoYDzIxMjAxMjEzMjAxOTQ0WjAXMRUwEwYDVQQD DAxUZXN0IE5DIENBIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC XjL5JEImsGFW5whlXCfDTeqjZAVb+rSXAhZQ25bP9YvhsbmPVYe8A61zwGStl2rF mChzN9/+LA40/lh0mjCV82mfNp1XLRPhE9sPGXwfLgJGCy/d6pp/8yGuFmkWPus9 bhxlOk7ADw4e3R3kVdwn9I3O3mIrI+I45ywZpzrbs/NGFiqhRxXbZTAKyI4INxgB VZfkoxqesnjD1j36fq7qEVas6gVm27YA9b+31ofFLM7WN811LQELwTdWiF0/xXiO XawU1QnkrNPxCSPWyeaM4tN50ZPRQA/ArV4I7szKhKskRzGwFgdaxorYn8c+2gTq -fedLPvNw1WPryAumidqTAgMBAAGjgbIwga8wHQYDVR0OBBYEFAjRm/nm1WRwoPFr -Gp7tUtrd9VBDMB8GA1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMA8GA1Ud -EwEB/wQFMAMBAf8wXAYDVR0eBFUwU6BRMA6CDHd3dy5nb29kLm9yZzAKgghnb29k -LmNvbTAPgQ1nb29kQGdvb2Qub3JnMAqBCGdvb2QuY29tMAqHCH8AAAH/////MAqH -CMCoAAD//wAAMA0GCSqGSIb3DQEBCwUAA4IBAQDRpRo9txGcsPsfBInz2ctvl37p -a7DcrFTSLltADj+7/80OwYBtdmxiU9OfuETxdq5XbkghlmBGrDswtGHhcoDnSugm -2n3Ov0YOQHYgStGYEsmXahjZ49Xlh8gzt9NBfzJIm6blBpJo845Z0cbzd1LdCgt/ -ck83nGnLvhIEZ3nFrT2K9vWQ3UkrFMfR3gCZpu/2X3+5UgK9IpGU+crDcGUcpdoz -YaJka2w7rjw0mvQX8JtVBRt4xGRRAXXL2YA421nIzX7tKLHngYp6V9zu7QE2G5zS -RewAXU3TERFQi4bF+N9mmwj8z9CYClRH56uFboGGBEGSulsbF5C4DB0p7dbl +fedLPvNw1WPryAumidqTAgMBAAGjgb8wgbwwDwYDVR0TAQH/BAUwAwEB/zALBgNV +HQ8EBAMCAQYwHQYDVR0OBBYEFAjRm/nm1WRwoPFrGp7tUtrd9VBDMB8GA1UdIwQY +MBaAFI71Ja8em2uEPXyAmslTnE1y96NSMFwGA1UdHgRVMFOgUTAOggx3d3cuZ29v +ZC5vcmcwCoIIZ29vZC5jb20wD4ENZ29vZEBnb29kLm9yZzAKgQhnb29kLmNvbTAK +hwh/AAAB/////zAKhwjAqAAA//8AADANBgkqhkiG9w0BAQsFAAOCAQEAVyRsB6B8 +iCYZxBTOO10Bor+Q4xxgs0udVR90/tM57P8GHd10e8suaW2Dtg9stxZJ3cmsn3zd ++QNxNIQuwHTNtVU0OSqKv6puj6ZQETSya4jDAmRqY47R866MHkSwLUYDMFtuM1Wy +gnoD5m1/Uy1K/Wvbnp1Zq4jtTB6su8TmIdJgtpEmte7tIQu5kPXsuJrz/x5a1TfR +hu7h4LJYwKlQtd/LRINnHKd241YSE7PVdG8SPxyrX11hJSC+1Z5Epxc6BCVDVN1E +fyVDdLXvKf30Nlbg2hZfO/cGTmwOt7RImygzhV/s41v4wtMW0EPuVanGQusRgHFm +3JC//UMgfkkwAA== -----END CERTIFICATE----- diff --git a/test/certs/ncca2-cert.pem b/test/certs/ncca2-cert.pem index 2b649a20a3..67bb668817 100644 --- a/test/certs/ncca2-cert.pem +++ b/test/certs/ncca2-cert.pem @@ -1,20 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDSDCCAjCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDcwOTE0NDgxMVoYDzIxMTYwNzEwMTQ0ODExWjAXMRUwEwYDVQQD +MIIDVTCCAj2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTk0NFoYDzIxMjAxMjEzMjAxOTQ0WjAXMRUwEwYDVQQD DAxUZXN0IE5DIENBIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8 Dg3FeyXgtP6MAYaLRCH1peDogKo0OI5dqERirJDymgg0eqUkGPD86n/ZRDFZMhqM 2LATVNS9UHybb/8aBZaSNmCVGcQuhGFFI1STjtu34n8z7+XFE66I2cFUo20kUdTl OeUAj7Wd+a2paAtPW3G2mX6EIzm/6/3HMh/y1d0knCBRjialOCdhrRTvGcamYBqw PJd8X8nMtM320ZNDF5wBvx09/5KY1jLhdzBVbzezFogX0Bj1LX9UZRu+xN2dHAUn CuYevJJwkfiHeg0EZxr/p4AZ7GICWkpk+bRzQ16+IifXtc5qIns0VvWKtffsDExV -mlM6af1eIjgLhKGAd9cZAgMBAAGjgaEwgZ4wHQYDVR0OBBYEFLoDn50GJKRX5nP6 -9ToJ+bqFzKn6MB8GA1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMA8GA1Ud -EwEB/wQFMAMBAf8wSwYDVR0eBEQwQqFAMA2CC3d3dy5iYWQub3JnMAmCB2JhZC5j -b20wDYELYmFkQGJhZC5vcmcwCYEHYmFkLmNvbTAKhwgKAAAA/wAAADANBgkqhkiG -9w0BAQsFAAOCAQEAlqqhiquvukmLApryy5ztoy3bGtF6S6k/MGAZAf1ndxpdhHNX -vQmjSrFL2IPENwTrPd5T1Muf5C+ZfX/NOf6QWoF3kbD/98K1vfEa6C+3fgsflUQu -1Tu20ItN2C7VkMawOhItxBXU9nLcIULUJye0dRC+xvh1ECHiLBh45y/fG0bdZGpd -/NajC+1FwBGI2k62mbW8KGpNDKeJWwcDe4SsMs70Y3JybCj5PNO63JF6db9yZGF3 -2esHfYJ1NQTA9oRsOztlf+PQADQx/HoCJ/BhJSuOcBL/r9uN+YQUtBzG8BKGODE3 -aOrnkbDctDI3zZXUADTidBVxO5HzizGlRGodSQ== +mlM6af1eIjgLhKGAd9cZAgMBAAGjga4wgaswDwYDVR0TAQH/BAUwAwEB/zALBgNV +HQ8EBAMCAQYwHQYDVR0OBBYEFLoDn50GJKRX5nP69ToJ+bqFzKn6MB8GA1UdIwQY +MBaAFI71Ja8em2uEPXyAmslTnE1y96NSMEsGA1UdHgREMEKhQDANggt3d3cuYmFk +Lm9yZzAJggdiYWQuY29tMA2BC2JhZEBiYWQub3JnMAmBB2JhZC5jb20wCocICgAA +AP8AAAAwDQYJKoZIhvcNAQELBQADggEBAHD486rW57xvLnJ4IGfXkntdQXB6YqiV +OFajRMkxuf88CtlLSaRFeSwL+cqsVDR2vjOPPEck10anRf1ziAOX17NQFDu7PvZs +8ZJwtVz0oBNWgf5HHaLTfd+uRnSerenP8wEAW4ptYynEGAGGkPBU7IOfvWVAOTbc +RsgSfVpXH2TQP7reJO4DjJ0fHzH9X1ejBCIRn7YGIN9ZvMqjmkI6a14H9FHrhegC +oiIKWYC/OAI2S9b9AIKQgjaJaQvh5+x/fD81arQhLgiQF+6TlEcj/kp5DjhM3lNG +vIB+ErixBOOzT1BBWygKCIITTa7NEdTMcLhmPBjupeVBfJoYDUNs8mQ= -----END CERTIFICATE----- diff --git a/test/certs/ncca3-cert.pem b/test/certs/ncca3-cert.pem index 207c7a7dd7..8e32bba7c8 100644 --- a/test/certs/ncca3-cert.pem +++ b/test/certs/ncca3-cert.pem @@ -1,20 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDQzCCAiugAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 -IE5DIENBIDEwIBcNMTYwNzA5MTQ0ODExWhgPMjExNjA3MTAxNDQ4MTFaMBkxFzAV +MIIDUDCCAjigAwIBAgIBAjANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxUZXN0 +IE5DIENBIDEwIBcNMjAxMjEyMjAxOTQ0WhgPMjEyMDEyMTMyMDE5NDRaMBkxFzAV BgNVBAMMDlRlc3QgTkMgc3ViIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEAu6gOQAcNel3NCbWCctR4Y4BqRNPbo6W3HpFyY+204kGimdNZvE2zkpfs HR6PB7AHUvq+44+NN/l1J//JkT/9rFVoGDbb/L354US/iBJ3zjBSqeeXvofSmsvf 6+x6g9W7bFLETJ0mH+vjPQ2f3dS4O4Lc7W3HsldR/WUkesQb3+FsxBph6/84vylM oSsScd/2HFD7lrt+Fk1DGqkMI10tl6PozREAxSJgSFLUtr2P15a7wyi4m5LBM4+L YKMr/vuj7wFtH2BEwh2iRbJ2wYxxjKV42Hg+6l5XlahVr2rTpK6aP9R8spg+Og/P -A+d2shD3+q6OkglEyq9rRGa2mRZrwwIDAQABo4GVMIGSMB0GA1UdDgQWBBTwU4mH -3VYZwBnmIFVvC/wUFdejsjAfBgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQ -QzAPBgNVHRMBAf8EBTADAQH/MD8GA1UdHgQ4MDagHzAOggx3d3cuZ29vZC5uZXQw -DYILb2suZ29vZC5jb22hEzARgg9iYWQub2suZ29vZC5jb20wDQYJKoZIhvcNAQEL -BQADggEBAMIXGpXdI4jpDzPkqJIoDtAC4KQlC8fm8nW/fEgfHiOZgGHsCkjcvpFU -4yQ/ito9qlV4d4SoWLQijc5eJmTvWQKvHfZNCM9nKWQCY/QDMMePT2UO8RLHjkI3 -V2ARfrFv9NEQ8gd7u0dvsGivacE0vlIS480saVVnda54gOHh5RVe1/mr3EUqnQJr -RTothfmTcCH104SUBUB92gD9Cgh3NpvRS/sZI1pv3diUyw1QF9qszWfk1NPDan4g -hX6VBeHQ4n6PbZLhdbUawE1tVyoN7Q7siz/ybNH0Uj68k87q+HOIx99Qtihw6xoj -UhL2ht4Pmyhy3ACeEI2BTZESEzG/WBI= +A+d2shD3+q6OkglEyq9rRGa2mRZrwwIDAQABo4GiMIGfMA8GA1UdEwEB/wQFMAMB +Af8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBTwU4mH3VYZwBnmIFVvC/wUFdejsjAf +BgNVHSMEGDAWgBQI0Zv55tVkcKDxaxqe7VLa3fVQQzA/BgNVHR4EODA2oB8wDoIM +d3d3Lmdvb2QubmV0MA2CC29rLmdvb2QuY29toRMwEYIPYmFkLm9rLmdvb2QuY29t +MA0GCSqGSIb3DQEBCwUAA4IBAQCas6HvdD3CfYPEooZryBngkCmdtUQjccoBXRHW +ED1PisJUcZfvlMX5RH1s+yl3aVUJ1772MjRW2bXrBk/UdWLtkJVrZzbuSYRqEFQp +KHulRCnf6hZeMNFXKcCrbOcJNtdKVkuV1tHaqQPj5CnA0mnVfhyvYxKQrkG/zFfJ +RMgUIU62RFb/vddx2KZvwIBsYgw1gvUedNJ+uuBlGo5wf1jQNNn51N8yY21nx6lv +mlGPomS93q1MU2FiK1r/M0mU7s9wBGK9j/BStxqNjJdDYNKJVjcEFLFhvPRPQrZJ +QDOpJBdP3hIa3YN1STkq3NgpTu7b0jSVI7RGwLXTRDF07Ff0 -----END CERTIFICATE----- diff --git a/test/certs/root-cert-768.pem b/test/certs/root-cert-768.pem index 4392ef0e48..b2f12f6bb7 100644 --- a/test/certs/root-cert-768.pem +++ b/test/certs/root-cert-768.pem @@ -1,11 +1,12 @@ -----BEGIN CERTIFICATE----- -MIIBpzCCATGgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDMyMDA2MjcyN1oYDzIxMTYwMzIxMDYyNzI3WjASMRAwDgYDVQQD +MIIBtzCCAUGgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTA1MloYDzIxMjAxMjEzMjAxMDUyWjASMRAwDgYDVQQD DAdSb290IENBMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALntqSk2YVnhNalAikA2 tuSOvHUKVSJlqjKmzlUPI+gQFyBWxtyQdwepI87tl8EW1in2IiOeN49W+OtVOlBi -Mxwqi/BcBltTbbSrlRpoSKOH6V7zIXvfsqjwWsDi37V1xQIDAQABo1AwTjAdBgNV -HQ4EFgQUWPMT967zC8rDNvZo4PDnYL7SAtUwHwYDVR0jBBgwFoAUWPMT967zC8rD -NvZo4PDnYL7SAtUwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAANhAFDU7FyF -Ma6EG0OBS4IYws2US9t3IQwlI5noQwm9R3Nk/3AIUrdPG8ydRyV1N4GuRhRpprh0 -sEbX3ZO9/E54DbPYfS5kqfZZtohUNy+Wmx8XY9OSv4SWUrrMSIRFXS63MA== +Mxwqi/BcBltTbbSrlRpoSKOH6V7zIXvfsqjwWsDi37V1xQIDAQABo2AwXjAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUWPMT967zC8rDNvZo +4PDnYL7SAtUwHwYDVR0jBBgwFoAUWPMT967zC8rDNvZo4PDnYL7SAtUwDQYJKoZI +hvcNAQELBQADYQCrTmsHAldrrX2EVpSqpAgrDc/SCO8B3HcuK/VCHqTch+d1eQaa +Yb4BHrSFInOVOzHpwU2Y62MNJZisbxn9aAa7uI/MLJgRQ8QVG8gxjLtSayPcoO6j +unRcNIEGydGfQX8= -----END CERTIFICATE----- diff --git a/test/certs/root-cert-md5.pem b/test/certs/root-cert-md5.pem index b6ed10c62f..3c8cd99fd5 100644 --- a/test/certs/root-cert-md5.pem +++ b/test/certs/root-cert-md5.pem @@ -1,18 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIC8TCCAdmgAwIBAgIBATANBgkqhkiG9w0BAQQFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDMyMDA2MjcyN1oYDzIxMTYwMzIxMDYyNzI3WjASMRAwDgYDVQQD +MIIDATCCAemgAwIBAgIBATANBgkqhkiG9w0BAQQFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTA1MloYDzIxMjAxMjEzMjAxMDUyWjASMRAwDgYDVQQD DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff -tWgiQ35mJCOvxQIDAQABo1AwTjAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 -o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB -/zANBgkqhkiG9w0BAQQFAAOCAQEAwSTZo97psLqiNmgvCC/Z51F3S9bFKPjGK4dc -Kqh8pMJsb8DnfGlPnsYXq/0oPcBThTRGZDqTeZa0ms8G+g4GS21TPF7lmvVJUJhz -GRLJxX7TYB8xriSJ15DwZgGmEGPfzmoIq27nwrO4TRAi0TCLdw01XZwiq2V7anl+ -jrIpJPDuaT3oBqnGTMZ5IoaQq2TX8PS/ZW6icJiRmXLMp/HUycKpDUshiuARR5Mi -UOzX8IHwn76Zj6z1R8xW9j1WcEycFYevTMaRuS6hnYagiSaAytIQU8hgMR4AWodM -NFYv5t9rguJnimGUGMMBIYXnPNE2kaoq9qCVgjuC14gWU0kq6Q== +tWgiQ35mJCOvxQIDAQABo2AwXjAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIB +BjAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3o1IwHwYDVR0jBBgwFoAUjvUl +rx6ba4Q9fICayVOcTXL3o1IwDQYJKoZIhvcNAQEEBQADggEBAOEN8Mh3mVaEHgNq +lYpQLHw04QgpAQtsZpBmfHQ1w9XclsZ/49DBx/izo81SesJSybHsQuz9AnmZxtSS +coD2yiNwl2nVbWfKA5IVAIQNqb6rvxtWjiL1+/trXT+t26Oz+L3tixexJuLbFZpZ +38pZWSCm2al2hlsmVeLZ+5DVVqO7d6UTg9Aq3T9HrLi8Okki2ufjBdNDiUwiHymI +ryVb74h6Gc7mkKJoHG8lxF6WyluwoORrhnV3fgIy5/RGjD8pgBWtOoldG0+t4/nY +PVOb2TMyUNtA1au/1/h7JbSDyyhQZ5rbucCkxZNMcoe3vguI05JL28VhB0aORVGl +qCKzkdI= -----END CERTIFICATE----- diff --git a/test/certs/root-cert.pem b/test/certs/root-cert.pem index 21ffa4d425..8c39e1197e 100644 --- a/test/certs/root-cert.pem +++ b/test/certs/root-cert.pem @@ -1,18 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIC8TCCAdmgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD +MIIDATCCAemgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMDk0OVoYDzIxMjAxMjEzMjAwOTQ5WjASMRAwDgYDVQQD DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff -tWgiQ35mJCOvxQIDAQABo1AwTjAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 -o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB -/zANBgkqhkiG9w0BAQsFAAOCAQEAyRRJx27WYOogPXZpPfAMt8ptapr/ugLWGLlw -bzKySoyLpoV2/YNAvTAGB90iFq6x/ujjrK41/ES0p3v38/Qfuxo24gcZgc/oYLV2 -UqR+uGCx68p2OWLYctBsARtYWOEgPhHFb9aVxcOQKyZHtivDX0wLGX+nqZoHX9IY -mc0sbpRBRMzxRsChbzD5re9kZ5NrgkjA6DJ7jYh2GitOM6oIU3Dd9+pk3bCEkFUg -Ry9qN/k+AyeqH1Qcb5LU+MTmlw8bmyzmMOBZgdegtO4HshcBMO054KSB3WSfBPDO -bEhZ0vm/lw63TGi88yIMtlkmcU2g0RKpeQI96G6QeqHyKF3p8A== +tWgiQ35mJCOvxQIDAQABo2AwXjAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIB +BjAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3o1IwHwYDVR0jBBgwFoAUjvUl +rx6ba4Q9fICayVOcTXL3o1IwDQYJKoZIhvcNAQELBQADggEBAL2sqYB5P22c068E +UNoMAfDgGxnuZ48ddWSWK/OWiS5U5VI7R/c8vjOCHU1OI/eQfhOenXxnHNF2QBuu +bjdg5ImPsvgQNFs6ZUgenQh+E4JDkTpn7bKCgtK7qlAPUXZRZI6uAaH5zKu3yFPU +2kow3LFCwYutrSfVg6JYeX+cuYsLHFzNzOhqh88Mu9yJ7pPJ8faeHFglHa51eoaw +vurAVknk7tzUxLZN0PxD9nrduVwtiluFbCPz0EtP5Dt1KylGdPrKvCJNkFkRJX+S +0t9VNIhyqLmslP5uSFtuTt8toXkizaYlxIVHckkvpuKZB8m7l8C/lom9sqagjZ1J +If+teEc= -----END CERTIFICATE----- diff --git a/test/certs/root-cert2.pem b/test/certs/root-cert2.pem index e47e91e6a9..65fe25071d 100644 --- a/test/certs/root-cert2.pem +++ b/test/certs/root-cert2.pem @@ -1,18 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIC8TCCAdmgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD +MIIDATCCAemgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTAzMFoYDzIxMjAxMjEzMjAxMDMwWjASMRAwDgYDVQQD DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyB6dJAD5 wbStQf4HE0EhldtDShNVQ/jhDu6s2Ka30FdP4ml1+c2Py7ODUSjSCegXaBIOXCA+ R0zaBAJ3ZeqXx3UrE9PiXaHRGZcoPtX4mK9IOHhIdxwPUa6ceSOJn4cHY+p0cFLp /5bnUErp4IqbL1bMd4v8fFxJ0ZDGJahfLiurnYUyalaNCHK+hK2+RaeRgPlsXfiU /vwhhjFhdhixbPm8l+S+2xNySV1JAAzrUvEDdNZ0iBvuVcS2mlhSKTht5Zeg+0C6 7kYYqxM9CVZCwcV/aSUImwjeFsNMJsl/nFyEacu6vXz0rjvLwPzTAeVYZy592Gwv -akWOtiDdap7WJQIDAQABo1AwTjAdBgNVHQ4EFgQUnM5mQjCrHAgmX3MZbd8Pp65Y -Uh4wHwYDVR0jBBgwFoAUnM5mQjCrHAgmX3MZbd8Pp65YUh4wDAYDVR0TBAUwAwEB -/zANBgkqhkiG9w0BAQsFAAOCAQEADkH6+rUX2QD5TMBn8x4PR9mTQsxhD2k8K2bv -NpbsWX0ta2pDPhiBpIbrTrTmw656MMRkwMLYIAX7BFhyjO9gO0nVXfU1SSTDsso+ -qu/K1t2US/rLeJQn8gYiTw6AqmvxHOndLaZQrYef4rUzsYnahNzxcoS1FMVxoJFM -o+1Wo0BFBlASv5Az0iFfjd1Uy3+AHB41+2vczNIWSki3mg4hzus2PSS4AA9IYeh+ -zU/HJMddnVedLKNstTAfR85ftACtsP6JhBqCBqC4mCVsN2ZlgucETbsOMyWYB4+y -9b6JIYDA1wxNVBXwN+D4MyALxjmjwcTsL6pXgoVc0JEJWVqQ1w== +akWOtiDdap7WJQIDAQABo2AwXjAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIB +BjAdBgNVHQ4EFgQUnM5mQjCrHAgmX3MZbd8Pp65YUh4wHwYDVR0jBBgwFoAUnM5m +QjCrHAgmX3MZbd8Pp65YUh4wDQYJKoZIhvcNAQELBQADggEBAAjXsnCkJkm9r7F2 +pzzsa5UO3aLb4yBMeoi4ky7twg4nS0s9Dol/74TBPwBeiwsuNI7QxX1F5WdshBBX +OgvviFDGa0tgTI9ehhR4YICrSIbpAe4pyo20YZbgX7msjS6eaebh+Xcbbe5rSNh+ +UAboVaa1VoER9/qQf2eA/qxZKzBV2wQ2/0LnbcZe2I4YEJschZD3/pGQHsRTNy15 +l+QlKZNhMCwgj2La+V3T9+Oo1/PQ5Vmz3oM6efAOaziZSIZ9/0F09vxT/DjJxMqf +Y/jZkfB8+3DRBA8U4/rDqJF6gj90vrugxg1Pr3abAp7/7WUv/oh1Qo/UXCbVK7Mj +Y9vRIwg= -----END CERTIFICATE----- diff --git a/test/certs/root-ed448-cert.pem b/test/certs/root-ed448-cert.pem index 48e293d69d..c20f57eafc 100644 --- a/test/certs/root-ed448-cert.pem +++ b/test/certs/root-ed448-cert.pem @@ -1,10 +1,11 @@ -----BEGIN CERTIFICATE----- -MIIBeDCB+aADAgECAgEBMAUGAytlcTAVMRMwEQYDVQQDDApSb290IEVkNDQ4MCAX -DTIwMDIwOTEzMjY1NVoYDzIxMjAwMjEwMTMyNjU1WjAVMRMwEQYDVQQDDApSb290 -IEVkNDQ4MEMwBQYDK2VxAzoAbbhuwNA/rdlgdLSyTJ6WaCVNO1gzccKiKW6pCADM -McMBCNiQqWSt4EIbHpqDc+eWoiKbG6t7tjUAo1MwUTAdBgNVHQ4EFgQUVg2aQ+yh -VRhOuW1l19jtgxfTgj8wHwYDVR0jBBgwFoAUVg2aQ+yhVRhOuW1l19jtgxfTgj8w -DwYDVR0TAQH/BAUwAwEB/zAFBgMrZXEDcwCiXlZXyMubWFqLYiLXfKYrurajBMON -lclLrYr57Syd+nAIlgXiF0rGK2PawoMPXVB3VWWSigEb54AImb6tsW42gC+zC6oq -nkPC2FTLXPvqqgGXUpK/OfhPUP9bWw6mcJaIozlyzJD4AyebN9LDrBqCMwA= +MIIBhjCCAQagAwIBAgIBATAFBgMrZXEwFTETMBEGA1UEAwwKUm9vdCBFZDQ0ODAg +Fw0yMTAxMTkxMTQ2MDZaGA8yMTIxMDEyMDExNDYwNlowFTETMBEGA1UEAwwKUm9v +dCBFZDQ0ODBDMAUGAytlcQM6AG24bsDQP63ZYHS0skyelmglTTtYM3HCoiluqQgA +zDHDAQjYkKlkreBCGx6ag3PnlqIimxure7Y1AKNgMF4wDwYDVR0TAQH/BAUwAwEB +/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFFYNmkPsoVUYTrltZdfY7YMX04I/MB8G +A1UdIwQYMBaAFFYNmkPsoVUYTrltZdfY7YMX04I/MAUGAytlcQNzAHr4TSwe5rUy +rAkWPJ/O88P52nIjjUy2KgJjG8KTYZsJxWZmNfGV1X/LyBGfF8Q6sNkGt3loshs6 +gNoqcbslqsxbVwnFzRmMRTmA5YyrJAePC2WglskTG86lO2LPnSgaG542AykcxUqB +Wdw+08Kl4uAfAA== -----END CERTIFICATE----- diff --git a/test/certs/root-expired.pem b/test/certs/root-expired.pem index 8204fb3b7b..80a71c176e 100644 --- a/test/certs/root-expired.pem +++ b/test/certs/root-expired.pem @@ -1,18 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIC8jCCAdqgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMB4XDTIwMTIwMjExNTQ0MVoXDTIwMTIwMTExNTQ0MVowEjEQMA4GA1UEAwwH +MIIC/zCCAeegAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMB4XDTIwMTIxMjIwMTcwNFoXDTIwMTIxMTIwMTcwNFowEjEQMA4GA1UEAwwH Um9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOHmAPUGvKBG OHkPPx5xGRNtAt8rm3Zr/KywIe3WkQhCO6VjNexSW6CiSsXWAJQDl1o9uWco0n3j IVyk7cY8jY6E0Z1Uwz3ZdKKWdmdx+cYaUHez/XjuW+DjjIkjwpoi7D7UN54HzcAr VREXOjRCHGkNOhiw7RWUXsb9nofGHOeUGpLAXwXBc0PlA94JkckkztiOi34u4DFI 0YYqalUmeugLNk6XseCkydpcaUsDgAhWg6Mfsiq4wUz+xbFN1MABqu2+ziW97mmt 9gfNbiuhiVT1aOuYCe3JYGbLM2JKA7Bo1g6rX8E1VX79Ru6669y2oqPthX9337Vo -IkN+ZiQjr8UCAwEAAaNTMFEwHQYDVR0OBBYEFI71Ja8em2uEPXyAmslTnE1y96NS -MB8GA1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMA8GA1UdEwEB/wQFMAMB -Af8wDQYJKoZIhvcNAQELBQADggEBAIIJIaT7B8PVjb9SrcjS2M5NfgjOftvrPrxf -KvWs+6m0+2RdHGAHScrIWZsCGSkmuLE96hKqfM33aQLu3gFJmwdO+HcKlEw6Dg0e -Br0fROcBIqjK5aS2ZQjqUyZR1CQ5F3Arlcd4RIrzsBPwBu7sO5pcEzc2c8A0DDkm -zenRZ/SpOJAmghk8ek25gJewCsRk2TR8Ln+Qym41FZJlhQb6gxHZX0U7aRasANdQ -MNSNgQ7HS4pSmticPg+tuKyOO+B9HHJeKRbWe6JLRYz7UyUrmWoMOrfmZFbZ66Xo -eflbkjIhEAZ/lqR2Wd3TezilUG8QVZN77Y2oQbR1QyoaWeHRkco= +IkN+ZiQjr8UCAwEAAaNgMF4wDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw +HQYDVR0OBBYEFI71Ja8em2uEPXyAmslTnE1y96NSMB8GA1UdIwQYMBaAFI71Ja8e +m2uEPXyAmslTnE1y96NSMA0GCSqGSIb3DQEBCwUAA4IBAQC2j5q0uIsZeCXAT/ak +3zsJMsdeUK62XrctfDqGc71v+m09T+euPCpcpGkTVoO5ePijKcrlmbRQo5UZC/dM +6P1L75PqkUyoD3f9Ge3qYO0e+MSyfzTRJR14O46vaNsv8EoyNUfLcw0hgq9beK8z +34c/YA9vbaD18zdTlGR9L4VDIjeitkrwC16TCncuPfJiN6FbFyiYZLavOowTcEOW +gcIh5fH+Fluz+9+1iZHTD1/6xEblU6h2Q1KUrbQgNPKxnEzLcC0KKEtihNmHYA9x +RgddXkv2jsCnXZ7mK5mQgxegTedsucqcFF5RB43F5LYCiM6X2Kak468rqTbToM6T +dRIt -----END CERTIFICATE----- diff --git a/test/certs/root-name2.pem b/test/certs/root-name2.pem index ac3a4bb849..d1ecb69fbc 100644 --- a/test/certs/root-name2.pem +++ b/test/certs/root-name2.pem @@ -1,18 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIC+TCCAeGgAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtSb290 -IENlcnQgMjAgFw0xNjAxMTUwODE5NDlaGA8yMTE2MDExNjA4MTk0OVowFjEUMBIG +MIIDCTCCAfGgAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtSb290 +IENlcnQgMjAgFw0yMDEyMTIyMDEwMzBaGA8yMTIwMTIxMzIwMTAzMFowFjEUMBIG A1UEAwwLUm9vdCBDZXJ0IDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDh5gD1BrygRjh5Dz8ecRkTbQLfK5t2a/yssCHt1pEIQjulYzXsUlugokrF1gCU A5daPblnKNJ94yFcpO3GPI2OhNGdVMM92XSilnZncfnGGlB3s/147lvg44yJI8Ka Iuw+1DeeB83AK1URFzo0QhxpDToYsO0VlF7G/Z6HxhznlBqSwF8FwXND5QPeCZHJ JM7Yjot+LuAxSNGGKmpVJnroCzZOl7HgpMnaXGlLA4AIVoOjH7IquMFM/sWxTdTA Aartvs4lve5prfYHzW4roYlU9WjrmAntyWBmyzNiSgOwaNYOq1/BNVV+/Ubuuuvc -tqKj7YV/d9+1aCJDfmYkI6/FAgMBAAGjUDBOMB0GA1UdDgQWBBSO9SWvHptrhD18 -gJrJU5xNcvejUjAfBgNVHSMEGDAWgBSO9SWvHptrhD18gJrJU5xNcvejUjAMBgNV -HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAXH466iCDUusG2NbpU/tMZVWB2 -8wVwawbXn2LNYCdWPAgOHR+87OekNAh/vXBoPu9up9Up40/l/4+29zl5s9tKpF7X -SI8QeM2HC9LLGsbFNEJoX4kcz6Q8WxrhtEeBTu1api4CB4POGkj5VlKFCwa3bjPH -brDwCODq1Gkggf4NR0piiqFKUEKTteMoeC3dod+FzBh6eDssGcVsNxhB0FiMk4GG -3Fc1NR56gL+Qz3QFZf2tdpMcBXECc1nP7fNq6CwSRwcgDgte/qqYr3gkeBo3M3Bz -7JE19lq7kjfiTq6zyswacaqlvN9bJAxNkbshW7kvIqw+27y5XErpestuoxSt +tqKj7YV/d9+1aCJDfmYkI6/FAgMBAAGjYDBeMA8GA1UdEwEB/wQFMAMBAf8wCwYD +VR0PBAQDAgEGMB0GA1UdDgQWBBSO9SWvHptrhD18gJrJU5xNcvejUjAfBgNVHSME +GDAWgBSO9SWvHptrhD18gJrJU5xNcvejUjANBgkqhkiG9w0BAQsFAAOCAQEARabJ +b7cGq1uPfAu0Yw7OHIXu40yylNMLiUNjn1ihRasDSO+Arv4p+XbqE2uMs1yneviw +pJA4XoUv6DcjDj3R9qc11ZXw3NbFpBgPsp2wzrPhcyqFH4zardrnMIj8AJNHv0rv +JS2D3bhOHaaRMM0TFzrq5d4ep9dxb9VBeuwc7lF0yN2CCuVwWbCk4TO598ZtukJC +KfmlWS9IOUX+usZxylCvwqsXz4olWaQoxGkBNgTv6jGuCL/2Kr4njtXOrDSVfzyH +t0ABV3EyGTSre55Nqbhmuu2PaQT3UphWw4iws4PqPh85I04SMF03BP/IeHS31g/1 +1lqW0ORSWhvih/112Q== -----END CERTIFICATE----- diff --git a/test/certs/sca+anyEKU.pem b/test/certs/sca+anyEKU.pem index 459a4dc5fb..20b36cffe3 100644 --- a/test/certs/sca+anyEKU.pem +++ b/test/certs/sca+anyEKU.pem @@ -1,19 +1,19 @@ -----BEGIN TRUSTED CERTIFICATE----- -MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +MIIDETCCAfmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTgyN1oYDzIxMjAxMjEzMjAxODI3WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G -A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD -VR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAB4hlnzu/V80J5+R -rT57HXi0ufIjXLTC4zEghc/xL3V5vKst2dDPTKJ6SqG6PWSlVg1nJJbjekR3kH+G -knFp8wMIDp4EZDt1vU2jHtEyLTEmuFPY/MiR2fnLtX4jlPk5EpuMCA7n69lBAD3I -rlyQxv/DVfBSxkXJYFKZCTghxYHsP7TrHvmI4qQ3Of0OXeH0vn7j8mqA8xBERUQl -ZCRUQWZoHd5zJX1ELv0iBaB7pQbV4f3ILhEBfWE04m8GxkbRNdEi4+i5BIvjSqw7 -SBKP9nn4g4+CfKFex6cHGafkAb+gBCoUWMofXJCNr1b7FBc6Zi6xnBMHwhUnhEdj -LGCBSw0wCDAGBgRVHSUA +CLNNsUcCAwEAAaN1MHMwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE +PXyAmslTnE1y96NSMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUA +A4IBAQADWiB2YGO7yxO/cHnSfSUFKrb+iDzAV0meO/PXiyZPXvRXrwDBW1YtKT1A +98Ki9LAHVLeJLlPHzE4ihg0IF9m2UV92K0tUo0IFOM7h75I1JjsTXk1BZYfFkYXl +ChZA7DjvemXU8wIqw12IHSk/MyckUN1VxI29PiGIYSCIDJSaEd8QsImF36yqMwGD +ow3jFFN7RdH+gp0KJu1ziVvgc4BCALABTur4KlYxZlfjLRLxtoPO40m2hl4k/NJL +qwBGVxUFGybliMbn5gOXC47DEWR91QfkIjb7zfcEhC9Qb4LXAWc8KWsZLUMLDz8E +pd53w4iC9W6IVBRZEA3Lf9tr/b71MAgwBgYEVR0lAA== -----END TRUSTED CERTIFICATE----- diff --git a/test/certs/sca+clientAuth.pem b/test/certs/sca+clientAuth.pem index 3807805f7f..5dd7dc676a 100644 --- a/test/certs/sca+clientAuth.pem +++ b/test/certs/sca+clientAuth.pem @@ -1,19 +1,19 @@ -----BEGIN TRUSTED CERTIFICATE----- -MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +MIIDETCCAfmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTgyN1oYDzIxMjAxMjEzMjAxODI3WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G -A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD -VR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAB4hlnzu/V80J5+R -rT57HXi0ufIjXLTC4zEghc/xL3V5vKst2dDPTKJ6SqG6PWSlVg1nJJbjekR3kH+G -knFp8wMIDp4EZDt1vU2jHtEyLTEmuFPY/MiR2fnLtX4jlPk5EpuMCA7n69lBAD3I -rlyQxv/DVfBSxkXJYFKZCTghxYHsP7TrHvmI4qQ3Of0OXeH0vn7j8mqA8xBERUQl -ZCRUQWZoHd5zJX1ELv0iBaB7pQbV4f3ILhEBfWE04m8GxkbRNdEi4+i5BIvjSqw7 -SBKP9nn4g4+CfKFex6cHGafkAb+gBCoUWMofXJCNr1b7FBc6Zi6xnBMHwhUnhEdj -LGCBSw0wDDAKBggrBgEFBQcDAg== +CLNNsUcCAwEAAaN1MHMwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE +PXyAmslTnE1y96NSMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUA +A4IBAQADWiB2YGO7yxO/cHnSfSUFKrb+iDzAV0meO/PXiyZPXvRXrwDBW1YtKT1A +98Ki9LAHVLeJLlPHzE4ihg0IF9m2UV92K0tUo0IFOM7h75I1JjsTXk1BZYfFkYXl +ChZA7DjvemXU8wIqw12IHSk/MyckUN1VxI29PiGIYSCIDJSaEd8QsImF36yqMwGD +ow3jFFN7RdH+gp0KJu1ziVvgc4BCALABTur4KlYxZlfjLRLxtoPO40m2hl4k/NJL +qwBGVxUFGybliMbn5gOXC47DEWR91QfkIjb7zfcEhC9Qb4LXAWc8KWsZLUMLDz8E +pd53w4iC9W6IVBRZEA3Lf9tr/b71MAwwCgYIKwYBBQUHAwI= -----END TRUSTED CERTIFICATE----- diff --git a/test/certs/sca+serverAuth.pem b/test/certs/sca+serverAuth.pem index 952d288f66..779a1c361e 100644 --- a/test/certs/sca+serverAuth.pem +++ b/test/certs/sca+serverAuth.pem @@ -1,19 +1,19 @@ -----BEGIN TRUSTED CERTIFICATE----- -MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +MIIDETCCAfmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTgyN1oYDzIxMjAxMjEzMjAxODI3WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G -A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD -VR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAB4hlnzu/V80J5+R -rT57HXi0ufIjXLTC4zEghc/xL3V5vKst2dDPTKJ6SqG6PWSlVg1nJJbjekR3kH+G -knFp8wMIDp4EZDt1vU2jHtEyLTEmuFPY/MiR2fnLtX4jlPk5EpuMCA7n69lBAD3I -rlyQxv/DVfBSxkXJYFKZCTghxYHsP7TrHvmI4qQ3Of0OXeH0vn7j8mqA8xBERUQl -ZCRUQWZoHd5zJX1ELv0iBaB7pQbV4f3ILhEBfWE04m8GxkbRNdEi4+i5BIvjSqw7 -SBKP9nn4g4+CfKFex6cHGafkAb+gBCoUWMofXJCNr1b7FBc6Zi6xnBMHwhUnhEdj -LGCBSw0wDDAKBggrBgEFBQcDAQ== +CLNNsUcCAwEAAaN1MHMwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE +PXyAmslTnE1y96NSMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUA +A4IBAQADWiB2YGO7yxO/cHnSfSUFKrb+iDzAV0meO/PXiyZPXvRXrwDBW1YtKT1A +98Ki9LAHVLeJLlPHzE4ihg0IF9m2UV92K0tUo0IFOM7h75I1JjsTXk1BZYfFkYXl +ChZA7DjvemXU8wIqw12IHSk/MyckUN1VxI29PiGIYSCIDJSaEd8QsImF36yqMwGD +ow3jFFN7RdH+gp0KJu1ziVvgc4BCALABTur4KlYxZlfjLRLxtoPO40m2hl4k/NJL +qwBGVxUFGybliMbn5gOXC47DEWR91QfkIjb7zfcEhC9Qb4LXAWc8KWsZLUMLDz8E +pd53w4iC9W6IVBRZEA3Lf9tr/b71MAwwCgYIKwYBBQUHAwE= -----END TRUSTED CERTIFICATE----- diff --git a/test/certs/sca-anyEKU.pem b/test/certs/sca-anyEKU.pem index a43c0211d6..d713edb468 100644 --- a/test/certs/sca-anyEKU.pem +++ b/test/certs/sca-anyEKU.pem @@ -1,19 +1,19 @@ -----BEGIN TRUSTED CERTIFICATE----- -MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +MIIDETCCAfmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTgyN1oYDzIxMjAxMjEzMjAxODI3WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G -A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD -VR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAB4hlnzu/V80J5+R -rT57HXi0ufIjXLTC4zEghc/xL3V5vKst2dDPTKJ6SqG6PWSlVg1nJJbjekR3kH+G -knFp8wMIDp4EZDt1vU2jHtEyLTEmuFPY/MiR2fnLtX4jlPk5EpuMCA7n69lBAD3I -rlyQxv/DVfBSxkXJYFKZCTghxYHsP7TrHvmI4qQ3Of0OXeH0vn7j8mqA8xBERUQl -ZCRUQWZoHd5zJX1ELv0iBaB7pQbV4f3ILhEBfWE04m8GxkbRNdEi4+i5BIvjSqw7 -SBKP9nn4g4+CfKFex6cHGafkAb+gBCoUWMofXJCNr1b7FBc6Zi6xnBMHwhUnhEdj -LGCBSw0wCKAGBgRVHSUA +CLNNsUcCAwEAAaN1MHMwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE +PXyAmslTnE1y96NSMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUA +A4IBAQADWiB2YGO7yxO/cHnSfSUFKrb+iDzAV0meO/PXiyZPXvRXrwDBW1YtKT1A +98Ki9LAHVLeJLlPHzE4ihg0IF9m2UV92K0tUo0IFOM7h75I1JjsTXk1BZYfFkYXl +ChZA7DjvemXU8wIqw12IHSk/MyckUN1VxI29PiGIYSCIDJSaEd8QsImF36yqMwGD +ow3jFFN7RdH+gp0KJu1ziVvgc4BCALABTur4KlYxZlfjLRLxtoPO40m2hl4k/NJL +qwBGVxUFGybliMbn5gOXC47DEWR91QfkIjb7zfcEhC9Qb4LXAWc8KWsZLUMLDz8E +pd53w4iC9W6IVBRZEA3Lf9tr/b71MAigBgYEVR0lAA== -----END TRUSTED CERTIFICATE----- diff --git a/test/certs/sca-cert.pem b/test/certs/sca-cert.pem index 6b800b6303..86de3d0acc 100644 --- a/test/certs/sca-cert.pem +++ b/test/certs/sca-cert.pem @@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +MIIDETCCAfmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTgyN1oYDzIxMjAxMjEzMjAxODI3WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G -A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD -VR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAB4hlnzu/V80J5+R -rT57HXi0ufIjXLTC4zEghc/xL3V5vKst2dDPTKJ6SqG6PWSlVg1nJJbjekR3kH+G -knFp8wMIDp4EZDt1vU2jHtEyLTEmuFPY/MiR2fnLtX4jlPk5EpuMCA7n69lBAD3I -rlyQxv/DVfBSxkXJYFKZCTghxYHsP7TrHvmI4qQ3Of0OXeH0vn7j8mqA8xBERUQl -ZCRUQWZoHd5zJX1ELv0iBaB7pQbV4f3ILhEBfWE04m8GxkbRNdEi4+i5BIvjSqw7 -SBKP9nn4g4+CfKFex6cHGafkAb+gBCoUWMofXJCNr1b7FBc6Zi6xnBMHwhUnhEdj -LGCBSw0= +CLNNsUcCAwEAAaN1MHMwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE +PXyAmslTnE1y96NSMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUA +A4IBAQADWiB2YGO7yxO/cHnSfSUFKrb+iDzAV0meO/PXiyZPXvRXrwDBW1YtKT1A +98Ki9LAHVLeJLlPHzE4ihg0IF9m2UV92K0tUo0IFOM7h75I1JjsTXk1BZYfFkYXl +ChZA7DjvemXU8wIqw12IHSk/MyckUN1VxI29PiGIYSCIDJSaEd8QsImF36yqMwGD +ow3jFFN7RdH+gp0KJu1ziVvgc4BCALABTur4KlYxZlfjLRLxtoPO40m2hl4k/NJL +qwBGVxUFGybliMbn5gOXC47DEWR91QfkIjb7zfcEhC9Qb4LXAWc8KWsZLUMLDz8E +pd53w4iC9W6IVBRZEA3Lf9tr/b71 -----END CERTIFICATE----- diff --git a/test/certs/sca-clientAuth.pem b/test/certs/sca-clientAuth.pem index 62a98ff345..6f7b6fc62e 100644 --- a/test/certs/sca-clientAuth.pem +++ b/test/certs/sca-clientAuth.pem @@ -1,19 +1,19 @@ -----BEGIN TRUSTED CERTIFICATE----- -MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +MIIDETCCAfmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTgyN1oYDzIxMjAxMjEzMjAxODI3WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G -A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD -VR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAB4hlnzu/V80J5+R -rT57HXi0ufIjXLTC4zEghc/xL3V5vKst2dDPTKJ6SqG6PWSlVg1nJJbjekR3kH+G -knFp8wMIDp4EZDt1vU2jHtEyLTEmuFPY/MiR2fnLtX4jlPk5EpuMCA7n69lBAD3I -rlyQxv/DVfBSxkXJYFKZCTghxYHsP7TrHvmI4qQ3Of0OXeH0vn7j8mqA8xBERUQl -ZCRUQWZoHd5zJX1ELv0iBaB7pQbV4f3ILhEBfWE04m8GxkbRNdEi4+i5BIvjSqw7 -SBKP9nn4g4+CfKFex6cHGafkAb+gBCoUWMofXJCNr1b7FBc6Zi6xnBMHwhUnhEdj -LGCBSw0wDKAKBggrBgEFBQcDAg== +CLNNsUcCAwEAAaN1MHMwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE +PXyAmslTnE1y96NSMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUA +A4IBAQADWiB2YGO7yxO/cHnSfSUFKrb+iDzAV0meO/PXiyZPXvRXrwDBW1YtKT1A +98Ki9LAHVLeJLlPHzE4ihg0IF9m2UV92K0tUo0IFOM7h75I1JjsTXk1BZYfFkYXl +ChZA7DjvemXU8wIqw12IHSk/MyckUN1VxI29PiGIYSCIDJSaEd8QsImF36yqMwGD +ow3jFFN7RdH+gp0KJu1ziVvgc4BCALABTur4KlYxZlfjLRLxtoPO40m2hl4k/NJL +qwBGVxUFGybliMbn5gOXC47DEWR91QfkIjb7zfcEhC9Qb4LXAWc8KWsZLUMLDz8E +pd53w4iC9W6IVBRZEA3Lf9tr/b71MAygCgYIKwYBBQUHAwI= -----END TRUSTED CERTIFICATE----- diff --git a/test/certs/sca-serverAuth.pem b/test/certs/sca-serverAuth.pem index 062087439b..1e354b8b61 100644 --- a/test/certs/sca-serverAuth.pem +++ b/test/certs/sca-serverAuth.pem @@ -1,19 +1,19 @@ -----BEGIN TRUSTED CERTIFICATE----- -MIIDATCCAemgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjANMQswCQYDVQQD +MIIDETCCAfmgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTgyN1oYDzIxMjAxMjEzMjAxODI3WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -CLNNsUcCAwEAAaNlMGMwHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G -A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wEwYD -VR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBAB4hlnzu/V80J5+R -rT57HXi0ufIjXLTC4zEghc/xL3V5vKst2dDPTKJ6SqG6PWSlVg1nJJbjekR3kH+G -knFp8wMIDp4EZDt1vU2jHtEyLTEmuFPY/MiR2fnLtX4jlPk5EpuMCA7n69lBAD3I -rlyQxv/DVfBSxkXJYFKZCTghxYHsP7TrHvmI4qQ3Of0OXeH0vn7j8mqA8xBERUQl -ZCRUQWZoHd5zJX1ELv0iBaB7pQbV4f3ILhEBfWE04m8GxkbRNdEi4+i5BIvjSqw7 -SBKP9nn4g4+CfKFex6cHGafkAb+gBCoUWMofXJCNr1b7FBc6Zi6xnBMHwhUnhEdj -LGCBSw0wDKAKBggrBgEFBQcDAQ== +CLNNsUcCAwEAAaN1MHMwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE +PXyAmslTnE1y96NSMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUA +A4IBAQADWiB2YGO7yxO/cHnSfSUFKrb+iDzAV0meO/PXiyZPXvRXrwDBW1YtKT1A +98Ki9LAHVLeJLlPHzE4ihg0IF9m2UV92K0tUo0IFOM7h75I1JjsTXk1BZYfFkYXl +ChZA7DjvemXU8wIqw12IHSk/MyckUN1VxI29PiGIYSCIDJSaEd8QsImF36yqMwGD +ow3jFFN7RdH+gp0KJu1ziVvgc4BCALABTur4KlYxZlfjLRLxtoPO40m2hl4k/NJL +qwBGVxUFGybliMbn5gOXC47DEWR91QfkIjb7zfcEhC9Qb4LXAWc8KWsZLUMLDz8E +pd53w4iC9W6IVBRZEA3Lf9tr/b71MAygCgYIKwYBBQUHAwE= -----END TRUSTED CERTIFICATE----- diff --git a/test/certs/setup.sh b/test/certs/setup.sh index 9aa910dcc2..0ac44fbe79 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -409,7 +409,7 @@ openssl req -new -noenc -subj "/CN=localhost" \ # CT entry ./mkcert.sh genct server.example embeddedSCTs1-key embeddedSCTs1 embeddedSCTs1_issuer-key embeddedSCTs1_issuer ct-server-key -OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genroot "Root Ed448" \ +OPENSSL_SIGALG= OPENSSL_KEYALG=ed448 ./mkcert.sh genroot "Root Ed448" \ root-ed448-key root-ed448-cert OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \ server-ed448-key server-ed448-cert root-ed448-key root-ed448-cert diff --git a/test/certs/sroot-cert.pem b/test/certs/sroot-cert.pem index 55508d9941..7fd65dfe92 100644 --- a/test/certs/sroot-cert.pem +++ b/test/certs/sroot-cert.pem @@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDEyOTA0NDc0NloYDzIxMTYwMTMwMDQ0NzQ2WjASMRAwDgYDVQQD +MIIDFjCCAf6gAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTIwMTIxMjIwMTEzN1oYDzIxMjAxMjEzMjAxMTM3WjASMRAwDgYDVQQD DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff -tWgiQ35mJCOvxQIDAQABo2UwYzAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 -o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB -/zATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAknUQhKHR -lI3BOPTuD+DMabjdfZ6Sb5ICpIOcvYFnlZV0lkyK3TuOw+iSlUUzHT3MlMos1w2a -mYPb1BpACTpB1vOcRZPaoSZqiOJrKzes+oUZG7R75lz+TK4Y1lQlWObsnUlFUDzr -c3P3mbCALr9RPee+Mqd10E/57jjIF0sb3Cq74l7MEzD/3JWKhxEtTmChG+Q29bzW -foaDqVaePdyk4M+TMQMioGqXYqu/4bzCnZyls1J5FfwBCtPGJ1/3wxLwk+Pavu9w -TSagWsC90QGRYH0EauS1KqlJ6dR6Tyf6G5HHmDPufzHT0ouL5Db6C59XSMWud6RG -E3ODKNXOOP3jsA== +tWgiQ35mJCOvxQIDAQABo3UwczAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIB +BjAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3o1IwHwYDVR0jBBgwFoAUjvUl +rx6ba4Q9fICayVOcTXL3o1IwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcN +AQELBQADggEBABWUjaqtkdRDhVAJZTxkJVgohjRrBwp86Y0JZWdCDua/sErmEaGu +nQVxWWFWIgu6sb8tyQo3/7dBIQl3Rpij9bsgKhToO1OzoG3Oi3d0+zRDHfY6xNrj +TUE00FeLHGNWsgZSIvu99DrGApT/+uPdWfJgMu5szillqW+4hcCUPLjG9ekVNt1s +KhdEklo6PrP6eMbm6s22EIVUxqGE6xxAmrvyhlY1zJH9BJ23Ps+xabjG6OeMRZzT +0F/fU7XIFieSO7rqUcjgo1eYc3ghsDxNUJ6TPBgv5z4SPnstoOBj59rjpJ7Qkpyd +L17VfEadezat37Cpeha7vGDduCsyMfN4kiw= -----END CERTIFICATE----- diff --git a/test/v3_ca_exts.cnf b/test/v3_ca_exts.cnf index a6d3245fb4..3ad4cae8cc 100644 --- a/test/v3_ca_exts.cnf +++ b/test/v3_ca_exts.cnf @@ -1,4 +1,4 @@ -basicConstraints = CA:true +basicConstraints = critical, CA:true keyUsage = cRLSign, keyCertSign subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always From dev at ddvo.net Wed Jan 20 14:56:39 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Wed, 20 Jan 2021 14:56:39 +0000 Subject: [openssl] master update Message-ID: <1611154599.719268.30501.nullmailer@dev.openssl.org> The branch master has been updated via 63162e3d55e38aff51e243212bc73aa27bed8c4c (commit) via b09aa550d3d9af269f9551a5a95a3d8408d9098d (commit) from 9495cfbc22393aee87aa877e9e2e726c2cc441f1 (commit) - Log ----------------------------------------------------------------- commit 63162e3d55e38aff51e243212bc73aa27bed8c4c Author: Dr. David von Oheimb Date: Mon Jan 18 17:18:03 2021 +0100 X509: Enable printing cert even with invalid validity times, saying 'Bad time value' Add internal asn1_time_print_ex() that can return success on invalid time. This is a workaround for inconsistent error behavior of ASN1_TIME_print(), used in X509_print_ex(). Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13714) commit b09aa550d3d9af269f9551a5a95a3d8408d9098d Author: Dr. David von Oheimb Date: Fri Dec 18 21:47:20 2020 +0100 ASN1_TIME_print() etc.: Improve doc and add comment on handling invalid time input Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13714) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/a_time.c | 18 +++++++++++------- crypto/x509/t_x509.c | 4 ++-- doc/man3/ASN1_TIME_set.pod | 15 +++++++++------ include/crypto/asn1.h | 1 + 4 files changed, 23 insertions(+), 15 deletions(-) diff --git a/crypto/asn1/a_time.c b/crypto/asn1/a_time.c index c34b028eaf..aebbf53fd0 100644 --- a/crypto/asn1/a_time.c +++ b/crypto/asn1/a_time.c @@ -16,6 +16,7 @@ #include #include +#include "crypto/asn1.h" #include "crypto/ctype.h" #include "internal/cryptlib.h" #include @@ -467,17 +468,23 @@ static const char _asn1_mon[12][4] = { "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" }; +/* returns 1 on success, 0 on BIO write error or parse failure */ int ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm) +{ + return asn1_time_print_ex(bp, tm) > 0; +} + +/* returns 0 on BIO write error, else -1 in case of parse failure, else 1 */ +int asn1_time_print_ex(BIO *bp, const ASN1_TIME *tm) { char *v; int gmt = 0, l; struct tm stm; const char upper_z = 0x5A, period = 0x2E; - if (!asn1_time_to_tm(&stm, tm)) { - /* asn1_time_to_tm will check the time type */ - goto err; - } + /* asn1_time_to_tm will check the time type */ + if (!asn1_time_to_tm(&stm, tm)) + return BIO_write(bp, "Bad time value", 14) ? -1 : 0; l = tm->length; v = (char *)tm->data; @@ -509,9 +516,6 @@ int ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm) stm.tm_min, stm.tm_sec, stm.tm_year + 1900, (gmt ? " GMT" : "")) > 0; } - err: - BIO_write(bp, "Bad time value", 14); - return 0; } int ASN1_TIME_cmp_time_t(const ASN1_TIME *s, time_t t) diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c index 9636756b66..d4bfe455fc 100644 --- a/crypto/x509/t_x509.c +++ b/crypto/x509/t_x509.c @@ -140,11 +140,11 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, goto err; if (BIO_write(bp, " Not Before: ", 24) <= 0) goto err; - if (!ASN1_TIME_print(bp, X509_get0_notBefore(x))) + if (asn1_time_print_ex(bp, X509_get0_notBefore(x)) == 0) goto err; if (BIO_write(bp, "\n Not After : ", 25) <= 0) goto err; - if (!ASN1_TIME_print(bp, X509_get0_notAfter(x))) + if (asn1_time_print_ex(bp, X509_get0_notAfter(x)) == 0) goto err; if (BIO_write(bp, "\n", 1) <= 0) goto err; diff --git a/doc/man3/ASN1_TIME_set.pod b/doc/man3/ASN1_TIME_set.pod index b3163ad539..60898e4e0a 100644 --- a/doc/man3/ASN1_TIME_set.pod +++ b/doc/man3/ASN1_TIME_set.pod @@ -102,9 +102,9 @@ functions check the syntax of the time structure I. The ASN1_TIME_print(), ASN1_UTCTIME_print() and ASN1_GENERALIZEDTIME_print() functions print the time structure I to BIO I in human readable format. It will be of the format MMM DD HH:MM:SS YYYY [GMT], for example -"Feb 3 00:55:52 2015 GMT" it does not include a newline. If the time -structure has invalid format it prints out "Bad time value" and returns -an error. The output for generalized time may include a fractional part +"Feb 3 00:55:52 2015 GMT", which does not include a newline. +If the time structure has invalid format it prints out "Bad time value" and +returns an error. The output for generalized time may include a fractional part following the second. ASN1_TIME_to_tm() converts the time I to the standard I structure. @@ -181,6 +181,9 @@ ASN1_TIME_print(), ASN1_UTCTIME_print() and ASN1_GENERALIZEDTIME_print() do not print out the timezone: it either prints out "GMT" or nothing. But all certificates complying with RFC5280 et al use GMT anyway. +ASN1_TIME_print(), ASN1_UTCTIME_print() and ASN1_GENERALIZEDTIME_print() +do not distinguish if they fail because of an I/O error or invalid time format. + Use the ASN1_TIME_normalize() function to normalize the time value before printing to get GMT results. @@ -199,9 +202,9 @@ ASN1_TIME_normalize() returns 1 on success, and 0 on error. ASN1_TIME_check(), ASN1_UTCTIME_check and ASN1_GENERALIZEDTIME_check() return 1 if the structure is syntactically correct and 0 otherwise. -ASN1_TIME_print(), ASN1_UTCTIME_print() and ASN1_GENERALIZEDTIME_print() return -1 if the time is successfully printed out and 0 if an error occurred (I/O error -or invalid time format). +ASN1_TIME_print(), ASN1_UTCTIME_print() and ASN1_GENERALIZEDTIME_print() +return 1 if the time is successfully printed out and +0 if an I/O error occurred an error occurred (I/O error or invalid time format). ASN1_TIME_to_tm() returns 1 if the time is successfully parsed and 0 if an error occurred (invalid time format). diff --git a/include/crypto/asn1.h b/include/crypto/asn1.h index 0d5d2116de..1add640630 100644 --- a/include/crypto/asn1.h +++ b/include/crypto/asn1.h @@ -138,3 +138,4 @@ int x509_algor_new_from_md(X509_ALGOR **palg, const EVP_MD *md); const EVP_MD *x509_algor_get_md(X509_ALGOR *alg); X509_ALGOR *x509_algor_mgf1_decode(X509_ALGOR *alg); int x509_algor_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md); +int asn1_time_print_ex(BIO *bp, const ASN1_TIME *tm); From dev at ddvo.net Wed Jan 20 15:01:13 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Wed, 20 Jan 2021 15:01:13 +0000 Subject: [openssl] master update Message-ID: <1611154873.814229.19012.nullmailer@dev.openssl.org> The branch master has been updated via d8ab30be9cc4d4e77008d4037e696bc41ce293f8 (commit) via 05458fdb73dcca30edace5ad727a15d6d919e215 (commit) via b9fbacaa7bdce2083186211b3cdf8511ad4cb91d (commit) via 1d1d23128f2bfc24d98a973e48e4eb1555d24880 (commit) via 03f4e3ded67ed4eacf0849f05c73222a56d4f8ef (commit) via 2367238ced66d5da07e104aa9d8ab1e1eae64ec4 (commit) via db6a47b10d3daad512fc08950d8329891209a4f4 (commit) via 743975c7e5e7a6bd5fafba2fc09c5942a833bfe3 (commit) via b24cfd6bf4d68ffe2b8526b5375861e89c5b9414 (commit) via 7c5237e1d7947e68bb100a2e170518ed0d74a20a (commit) via 49b36afb0b4bcd7ba2dde511f20095e15130aba6 (commit) via abc4439c925bbc867180ba024c42583e6836aaeb (commit) via 8cadc51706e1383febe2c1a5965b19c5b86e05a6 (commit) from 63162e3d55e38aff51e243212bc73aa27bed8c4c (commit) - Log ----------------------------------------------------------------- commit d8ab30be9cc4d4e77008d4037e696bc41ce293f8 Author: Dr. David von Oheimb Date: Fri Jan 8 23:18:19 2021 +0100 X509v3_get_ext_by_NID.pod: Add warning on counter-intuitive behavior of X509v3_delete_ext() etc. Also simplify two uses of these functions. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13711) commit 05458fdb73dcca30edace5ad727a15d6d919e215 Author: Dr. David von Oheimb Date: Fri Jan 8 17:43:13 2021 +0100 apps/x509.c: Make -x509toreq respect -clrext, -sigopt, and -extfile options Also prevent copying SKID and AKID extension, which make no sense in CSRs and extend the use -ext to select with extensions are copied. Further simplifiy the overall structure of the code. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13711) commit b9fbacaa7bdce2083186211b3cdf8511ad4cb91d Author: Dr. David von Oheimb Date: Wed Jan 6 14:44:03 2021 +0100 apps/x509.c: Add -copy_extensions option, used when transforming x509 <-> req Fixes #3638 Fixes #6481 Fixes #10458 Partly fixes #13708 Supersedes #9449 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13711) commit 1d1d23128f2bfc24d98a973e48e4eb1555d24880 Author: Dr. David von Oheimb Date: Wed Jan 6 14:32:21 2021 +0100 80-test_ssl_old.t: Minor corrections: update name of test dir etc. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13711) commit 03f4e3ded67ed4eacf0849f05c73222a56d4f8ef Author: Dr. David von Oheimb Date: Wed Jan 6 12:57:27 2021 +0100 apps.c: Clean up copy_extensions() Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13711) commit 2367238ced66d5da07e104aa9d8ab1e1eae64ec4 Author: Dr. David von Oheimb Date: Wed Jan 6 11:49:36 2021 +0100 X509_REQ_print_ex(): Correct indentation of extensions, which are attributes Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13711) commit db6a47b10d3daad512fc08950d8329891209a4f4 Author: Dr. David von Oheimb Date: Wed Jan 6 11:27:55 2021 +0100 X509_REQ_print_ex(): Replace weird 'a0:00' output on empty attributes by '(none)' Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13711) commit 743975c7e5e7a6bd5fafba2fc09c5942a833bfe3 Author: Dr. David von Oheimb Date: Tue Jan 5 23:07:07 2021 +0100 constify X509_REQ_add_extensions() and X509_REQ_add_extensions_nid() Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13711) commit b24cfd6bf4d68ffe2b8526b5375861e89c5b9414 Author: Dr. David von Oheimb Date: Sat Dec 19 17:42:51 2020 +0100 apps/x509.c: Major code, user guidance, and documentation cleanup This brings the options in help output and doc in reasonable order and fixes various corner cases of option use combinations Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13711) commit 7c5237e1d7947e68bb100a2e170518ed0d74a20a Author: Dr. David von Oheimb Date: Thu Dec 10 17:31:10 2020 +0100 apps/x509.c: Take the -signkey arg as default pubkey with -new Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13711) commit 49b36afb0b4bcd7ba2dde511f20095e15130aba6 Author: Dr. David von Oheimb Date: Thu Dec 10 17:01:45 2020 +0100 25-test_x509.t: Make test case w.r.t. self-issued cert run also without EC enabled Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13711) commit abc4439c925bbc867180ba024c42583e6836aaeb Author: Dr. David von Oheimb Date: Thu Dec 10 16:41:03 2020 +0100 25-test_x509.t: Minor update: factor out path for test input files Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13711) commit 8cadc51706e1383febe2c1a5965b19c5b86e05a6 Author: Dr. David von Oheimb Date: Thu Dec 10 16:32:13 2020 +0100 25-test_x509.t: Minor update: do not anymore unlink test output files Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13711) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 24 +- apps/lib/apps.c | 27 +- apps/x509.c | 703 ++++++++++++++++++++----------------- crypto/ct/ct_sct_ctx.c | 5 +- crypto/x509/t_req.c | 10 +- crypto/x509/v3_conf.c | 8 +- crypto/x509/x509_req.c | 10 +- doc/man1/openssl-x509.pod.in | 676 ++++++++++++++++++----------------- doc/man3/X509v3_get_ext_by_NID.pod | 11 +- include/openssl/x509.h.in | 6 +- test/recipes/25-test_x509.t | 69 ++-- test/recipes/80-test_ssl_old.t | 8 +- 12 files changed, 825 insertions(+), 732 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index cd093491be..8ae1c7470a 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -929,19 +929,25 @@ OpenSSL 3.0 *Richard Levitte* - * Added the `<-copy_extensions` option to the `req` command for use with `-x509`. - When given with the `copy` or `copyall` argument, - any extensions present in the certification request are copied to the certificate. + * Added the `-copy_extensions` option to the `x509` command for use with + `-req` and `-x509toreq`. When given with the `copy` or `copyall` argument, + all extensions in the request are copied to the certificate or vice versa. + + *David von Oheimb*, *Kirill Stefanenkov * + + * Added the `-copy_extensions` option to the `req` command for use with + `-x509`. When given with the `copy` or `copyall` argument, + all extensions in the certification request are copied to the certificate. *David von Oheimb* - * The `x509`, `req`, and `ca` commands now make sure that certificates they - generate are RFC 5280 compliant by default: For X.509 version 3 certs they ensure that - a subjectKeyIdentifier extension is included containing a hash value of the public key - and an authorityKeyIdentifier extension is included for not self-signed certs - containing a keyIdentifier field with the hash value identifying the signing key. + * The `x509`, `req`, and `ca` commands now make sure that X.509v3 certificates + they generate are by default RFC 5280 compliant in the following sense: + There is a subjectKeyIdentifier extension with a hash value of the public key + and for not self-signed certs there is an authorityKeyIdentifier extension + with a keyIdentifier field or issuer information identifying the signing key. This is done unless some configuration overrides the new default behavior, - e.g. `authorityKeyIdentifier = none`. + such as `subjectKeyIdentifier = none` and `authorityKeyIdentifier = none`. *David von Oheimb* diff --git a/apps/lib/apps.c b/apps/lib/apps.c index d5654d9dc9..30d026bdef 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -968,41 +968,38 @@ int set_ext_copy(int *copy_type, const char *arg) int copy_extensions(X509 *x, X509_REQ *req, int copy_type) { - STACK_OF(X509_EXTENSION) *exts = NULL; - X509_EXTENSION *ext, *tmpext; - ASN1_OBJECT *obj; - int i, idx, ret = 0; - if (!x || !req || (copy_type == EXT_COPY_NONE)) + STACK_OF(X509_EXTENSION) *exts; + int i, ret = 0; + + if (x == NULL || req == NULL) + return 0; + if (copy_type == EXT_COPY_NONE) return 1; exts = X509_REQ_get_extensions(req); for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) { - ext = sk_X509_EXTENSION_value(exts, i); - obj = X509_EXTENSION_get_object(ext); - idx = X509_get_ext_by_OBJ(x, obj, -1); - /* Does extension exist? */ + X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i); + ASN1_OBJECT *obj = X509_EXTENSION_get_object(ext); + int idx = X509_get_ext_by_OBJ(x, obj, -1); + + /* Does extension exist in target? */ if (idx != -1) { /* If normal copy don't override existing extension */ if (copy_type == EXT_COPY_ADD) continue; /* Delete all extensions of same type */ do { - tmpext = X509_get_ext(x, idx); - X509_delete_ext(x, idx); - X509_EXTENSION_free(tmpext); + X509_EXTENSION_free(X509_delete_ext(x, idx)); idx = X509_get_ext_by_OBJ(x, obj, -1); } while (idx != -1); } if (!X509_add_ext(x, ext, -1)) goto end; } - ret = 1; end: - sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); - return ret; } diff --git a/apps/x509.c b/apps/x509.c index 5769f5f982..7ffcc121af 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -28,22 +28,15 @@ #undef POSTFIX #define POSTFIX ".srl" -#define DEF_DAYS 30 +#define DEFAULT_DAYS 30 /* default cert validity period in days */ +#define UNSET_DAYS -2 /* -1 is used for testing expiration checks */ +#define EXT_COPY_UNSET -1 static int callb(int ok, X509_STORE_CTX *ctx); -static int sign(X509 *x, EVP_PKEY *pkey, X509 *issuer, - STACK_OF(OPENSSL_STRING) *sigopts, - int days, int clrext, - const EVP_MD *digest, CONF *conf, const char *section, - int preserve_dates); -static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *digest, - X509 *x, X509 *xca, EVP_PKEY *pkey, - STACK_OF(OPENSSL_STRING) *sigopts, const char *serialfile, - int create, int days, int clrext, CONF *conf, - const char *section, ASN1_INTEGER *sno, int reqfile, - int preserve_dates); +static ASN1_INTEGER *x509_load_serial(const char *CAfile, + const char *serialfile, int create); static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt); -static int print_x509v3_exts(BIO *bio, X509 *x, const char *exts); +static int print_x509v3_exts(BIO *bio, X509 *x, const char *ext_names); typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, @@ -58,8 +51,7 @@ typedef enum OPTION_choice { OPT_PURPOSE, OPT_STARTDATE, OPT_ENDDATE, OPT_CHECKEND, OPT_CHECKHOST, OPT_CHECKEMAIL, OPT_CHECKIP, OPT_NOOUT, OPT_TRUSTOUT, OPT_CLRTRUST, OPT_CLRREJECT, OPT_ALIAS, OPT_CACREATESERIAL, OPT_CLREXT, OPT_OCSPID, - OPT_SUBJECT_HASH_OLD, - OPT_ISSUER_HASH_OLD, + OPT_SUBJECT_HASH_OLD, OPT_ISSUER_HASH_OLD, OPT_COPY_EXTENSIONS, OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT, OPT_PRESERVE_DATES, OPT_R_ENUM, OPT_PROV_ENUM, OPT_EXT } OPTION_CHOICE; @@ -67,107 +59,192 @@ typedef enum OPTION_choice { const OPTIONS x509_options[] = { OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif - {"inform", OPT_INFORM, 'f', - "CSR input format (DER or PEM) - default PEM"}, - {"in", OPT_IN, '<', "Input file - default stdin"}, + {"in", OPT_IN, '<', + "Certificate input (default stdin), or CSR input file with -req"}, {"passin", OPT_PASSIN, 's', "Private key and cert file pass-phrase source"}, + {"new", OPT_NEW, '-', "Generate a certificate from scratch"}, + {"x509toreq", OPT_X509TOREQ, '-', + "Output a certification request (rather than a certificate)"}, + {"req", OPT_REQ, '-', "Input is a CSR file (rather than a certificate)"}, + {"copy_extensions", OPT_COPY_EXTENSIONS, 's', + "copy extensions when converting from CSR to x509 or vice versa"}, + {"inform", OPT_INFORM, 'f', + "CSR input file format (DER or PEM) - default PEM"}, + {"vfyopt", OPT_VFYOPT, 's', "CSR verification parameter in n:v form"}, + {"signkey", OPT_SIGNKEY, 's', + "Key used to self-sign certificate or cert request"}, + {"keyform", OPT_KEYFORM, 'E', + "Key input format (ENGINE, other values ignored)"}, + {"out", OPT_OUT, '>', "Output file - default stdout"}, {"outform", OPT_OUTFORM, 'f', "Output format (DER or PEM) - default PEM"}, - {"out", OPT_OUT, '>', "Output file - default stdout"}, - {"keyform", OPT_KEYFORM, 'E', "Private key format (ENGINE, other values ignored)"}, - {"req", OPT_REQ, '-', "Input is a certificate request, sign and output"}, - {"vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form"}, + {"nocert", OPT_NOCERT, '-', + "No cert output (except for requested printing)"}, + {"noout", OPT_NOOUT, '-', "No output (except for requested printing)"}, - OPT_SECTION("Output"), + OPT_SECTION("Certificate printing"), + {"text", OPT_TEXT, '-', "Print the certificate in text form"}, + {"certopt", OPT_CERTOPT, 's', "Various certificate text printing options"}, + {"fingerprint", OPT_FINGERPRINT, '-', "Print the certificate fingerprint"}, + {"alias", OPT_ALIAS, '-', "Print certificate alias"}, {"serial", OPT_SERIAL, '-', "Print serial number value"}, - {"subject_hash", OPT_HASH, '-', "Print subject hash value"}, - {"issuer_hash", OPT_ISSUER_HASH, '-', "Print issuer hash value"}, - {"hash", OPT_HASH, '-', "Synonym for -subject_hash"}, + {"startdate", OPT_STARTDATE, '-', "Print the notBefore field"}, + {"enddate", OPT_ENDDATE, '-', "Print the notAfter field"}, + {"dates", OPT_DATES, '-', "Print both notBefore and notAfter fields"}, {"subject", OPT_SUBJECT, '-', "Print subject DN"}, {"issuer", OPT_ISSUER, '-', "Print issuer DN"}, + {"nameopt", OPT_NAMEOPT, 's', + "Certificate subject/issuer name printing options"}, {"email", OPT_EMAIL, '-', "Print email address(es)"}, - {"purpose", OPT_PURPOSE, '-', "Print out certificate purposes"}, - {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"}, - {"pubkey", OPT_PUBKEY, '-', "Output the public key"}, - {"fingerprint", OPT_FINGERPRINT, '-', "Print the certificate fingerprint"}, - {"alias", OPT_ALIAS, '-', "Output certificate alias"}, - {"noout", OPT_NOOUT, '-', "No output, just status"}, - {"ocspid", OPT_OCSPID, '-', - "Print OCSP hash values for the subject name and public key"}, - {"ocsp_uri", OPT_OCSP_URI, '-', "Print OCSP Responder URL(s)"}, - {"nocert", OPT_NOCERT, '-', "No certificate output"}, - {"trustout", OPT_TRUSTOUT, '-', "Output a trusted certificate"}, - {"x509toreq", OPT_X509TOREQ, '-', - "Output a certification request object"}, - {"checkend", OPT_CHECKEND, 'M', - "Check whether the cert expires in the next arg seconds"}, - {OPT_MORE_STR, 1, 1, "Exit 1 if so, 0 if not"}, - {"text", OPT_TEXT, '-', "Print the certificate in text form"}, - {"ext", OPT_EXT, 's', "Print various X509V3 extensions"}, + {"hash", OPT_HASH, '-', "Synonym for -subject_hash (for backward compat)"}, + {"subject_hash", OPT_HASH, '-', "Print subject hash value"}, #ifndef OPENSSL_NO_MD5 {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-', "Print old-style (MD5) subject hash value"}, +#endif + {"issuer_hash", OPT_ISSUER_HASH, '-', "Print issuer hash value"}, +#ifndef OPENSSL_NO_MD5 {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-', "Print old-style (MD5) issuer hash value"}, #endif - {"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"}, + {"ext", OPT_EXT, 's', + "Restrict which X.509 extensions to print and/or copy"}, + {"ocspid", OPT_OCSPID, '-', + "Print OCSP hash values for the subject name and public key"}, + {"ocsp_uri", OPT_OCSP_URI, '-', "Print OCSP Responder URL(s)"}, + {"purpose", OPT_PURPOSE, '-', "Print out certificate purposes"}, + {"pubkey", OPT_PUBKEY, '-', "Print the public key in PEM format"}, + {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"}, - OPT_SECTION("Certificate"), - {"startdate", OPT_STARTDATE, '-', "Set notBefore field"}, - {"enddate", OPT_ENDDATE, '-', "Set notAfter field"}, - {"dates", OPT_DATES, '-', "Both Before and After dates"}, - {"clrtrust", OPT_CLRTRUST, '-', "Clear all trusted purposes"}, - {"clrext", OPT_CLREXT, '-', "Clear all certificate extensions"}, - {"addtrust", OPT_ADDTRUST, 's', "Trust certificate for a given purpose"}, - {"addreject", OPT_ADDREJECT, 's', - "Reject certificate for a given purpose"}, - {"setalias", OPT_SETALIAS, 's', "Set certificate alias"}, - {"days", OPT_DAYS, 'n', - "How long till expiry of a signed certificate - def 30 days"}, - {"signkey", OPT_SIGNKEY, 's', "Self-sign cert with arg"}, - {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"}, - {"extensions", OPT_EXTENSIONS, 's', "Section from config file to use"}, - {"certopt", OPT_CERTOPT, 's', "Various certificate text options"}, + OPT_SECTION("Certificate checking"), + {"checkend", OPT_CHECKEND, 'M', + "Check whether cert expires in the next arg seconds"}, + {OPT_MORE_STR, 1, 1, "Exit 1 (failure) if so, 0 if not"}, {"checkhost", OPT_CHECKHOST, 's', "Check certificate matches host"}, {"checkemail", OPT_CHECKEMAIL, 's', "Check certificate matches email"}, {"checkip", OPT_CHECKIP, 's', "Check certificate matches ipaddr"}, - {"force_pubkey", OPT_FORCE_PUBKEY, '<', "Force the key to put inside certificate"}, - {"subj", OPT_SUBJ, 's', "Set or override certificate subject (and issuer)"}, - OPT_SECTION("CA"), - {"CA", OPT_CA, '<', "Set the CA certificate, must be PEM format"}, - {"CAkey", OPT_CAKEY, 's', - "The CA key, must be PEM format; if not in CAfile"}, - {"extfile", OPT_EXTFILE, '<', "File with X509V3 extensions to add"}, - OPT_R_OPTIONS, - OPT_PROV_OPTIONS, + OPT_SECTION("Certificate output"), + {"set_serial", OPT_SET_SERIAL, 's', + "Serial number to use, overrides -CAserial"}, + {"next_serial", OPT_NEXT_SERIAL, '-', + "Increment current certificate serial number"}, + {"days", OPT_DAYS, 'n', + "Number of days until newly generated certificate expires - default 30"}, + {"preserve_dates", OPT_PRESERVE_DATES, '-', + "Preserve existing validity dates"}, + {"subj", OPT_SUBJ, 's', "Set or override certificate subject (and issuer)"}, + {"force_pubkey", OPT_FORCE_PUBKEY, '<', + "Place the given key in new certificate"}, + {"clrext", OPT_CLREXT, '-', + "Do not take over any extensions from the source certificate or request"}, + {"extfile", OPT_EXTFILE, '<', "Config file with X509V3 extensions to add"}, + {"extensions", OPT_EXTENSIONS, 's', + "Section of extfile to use - default: unnamed section"}, + {"sigopt", OPT_SIGOPT, 's', "Signature parameter, in n:v form"}, + {"badsig", OPT_BADSIG, '-', + "Corrupt last byte of certificate signature (for test)"}, + {"", OPT_MD, '-', "Any supported digest, used for signing and printing"}, + + OPT_SECTION("Micro-CA"), + {"CA", OPT_CA, '<', + "Use the given CA certificate, conflicts with -signkey"}, {"CAform", OPT_CAFORM, 'F', "CA cert format (PEM/DER/P12); has no effect"}, - {"CAkeyform", OPT_CAKEYFORM, 'E', "CA key format (ENGINE, other values ignored)"}, - {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, + {"CAkey", OPT_CAKEY, 's', "The corresponding CA key; default is -CA arg"}, + {"CAkeyform", OPT_CAKEYFORM, 'E', + "CA key format (ENGINE, other values ignored)"}, + {"CAserial", OPT_CASERIAL, 's', + "File that keeps track of CA-generated serial number"}, {"CAcreateserial", OPT_CACREATESERIAL, '-', - "Create serial number file if it does not exist"}, - {"CAserial", OPT_CASERIAL, 's', "Serial file"}, - {"new", OPT_NEW, '-', "Generate a certificate from scratch"}, - {"next_serial", OPT_NEXT_SERIAL, '-', "Increment current certificate serial number"}, + "Create CA serial number file if it does not exist"}, + + OPT_SECTION("Certificate trust output"), + {"trustout", OPT_TRUSTOUT, '-', "Mark certificate PEM output as trusted"}, + {"setalias", OPT_SETALIAS, 's', "Set certificate alias (nickname)"}, + {"clrtrust", OPT_CLRTRUST, '-', "Clear all trusted purposes"}, + {"addtrust", OPT_ADDTRUST, 's', "Trust certificate for a given purpose"}, {"clrreject", OPT_CLRREJECT, '-', "Clears all the prohibited or rejected uses of the certificate"}, - {"badsig", OPT_BADSIG, '-', "Corrupt last byte of certificate signature (for test)"}, - {"", OPT_MD, '-', "Any supported digest"}, - {"preserve_dates", OPT_PRESERVE_DATES, '-', "preserve existing dates when signing"}, + {"addreject", OPT_ADDREJECT, 's', + "Reject certificate for a given purpose"}, + + OPT_R_OPTIONS, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + OPT_PROV_OPTIONS, {NULL} }; +static void warn_copying(ASN1_OBJECT *excluded, const char *names) +{ + const char *sn = OBJ_nid2sn(OBJ_obj2nid(excluded)); + + if (names != NULL && strstr(names, sn) != NULL) + BIO_printf(bio_err, + "Warning: -ext should not specify copying %s extension to CSR; ignoring this\n", + sn); +} + +static X509_REQ *x509_to_req(X509 *cert, EVP_PKEY *pkey, const EVP_MD *digest, + STACK_OF(OPENSSL_STRING) *sigopts, + int ext_copy, const char *names) +{ + const STACK_OF(X509_EXTENSION) *cert_exts = X509_get0_extensions(cert); + int i, n = sk_X509_EXTENSION_num(cert_exts /* may be NULL */); + ASN1_OBJECT *skid = OBJ_nid2obj(NID_subject_key_identifier); + ASN1_OBJECT *akid = OBJ_nid2obj(NID_authority_key_identifier); + STACK_OF(X509_EXTENSION) *exts; + X509_REQ *req = X509_to_X509_REQ(cert, NULL, NULL); + + if (req == NULL) + return NULL; + + /* + * Filter out SKID and AKID extensions, which make no sense in a CSR. + * If names is not NULL, copy only those extensions listed there. + */ + warn_copying(skid, names); + warn_copying(akid, names); + if ((exts = sk_X509_EXTENSION_new_reserve(NULL, n)) == NULL) + goto err; + for (i = 0; i < n; i++) { + X509_EXTENSION *ex = sk_X509_EXTENSION_value(cert_exts, i); + ASN1_OBJECT *obj = X509_EXTENSION_get_object(ex); + + if (OBJ_cmp(obj, skid) != 0 && OBJ_cmp(obj, akid) != 0 + && !sk_X509_EXTENSION_push(exts, ex)) + goto err; + } + + if (sk_X509_EXTENSION_num(exts) > 0) { + if (ext_copy != EXT_COPY_UNSET && ext_copy != EXT_COPY_NONE + && !X509_REQ_add_extensions(req, exts)) { + BIO_printf(bio_err, "Error copying extensions from certificate\n"); + goto err; + } + } + if (!do_X509_REQ_sign(req, pkey, digest, sigopts)) + goto err; + sk_X509_EXTENSION_free(exts); + return req; + + err: + sk_X509_EXTENSION_free(exts); + X509_REQ_free(req); + return NULL; +} + int x509_main(int argc, char **argv) { ASN1_INTEGER *sno = NULL; ASN1_OBJECT *objtmp = NULL; BIO *out = NULL; CONF *extconf = NULL; - EVP_PKEY *Upkey = NULL, *CApkey = NULL, *fkey = NULL; + int ext_copy = EXT_COPY_UNSET; + X509V3_CTX ext_ctx; + EVP_PKEY *signkey = NULL, *CAkey = NULL, *pubkey = NULL; int newcert = 0; char *subj = NULL; X509_NAME *fsubj = NULL; @@ -175,21 +252,23 @@ int x509_main(int argc, char **argv) const int multirdn = 1; STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL; STACK_OF(OPENSSL_STRING) *sigopts = NULL, *vfyopts = NULL; - X509 *x = NULL, *xca = NULL; + X509 *x = NULL, *xca = NULL, *issuer_cert; X509_REQ *req = NULL, *rq = NULL; X509_STORE *ctx = NULL; const EVP_MD *digest = NULL; - char *CAkeyfile = NULL, *CAserial = NULL, *fkeyfile = NULL, *alias = NULL; - char *checkhost = NULL, *checkemail = NULL, *checkip = NULL, *exts = NULL; + char *CAkeyfile = NULL, *CAserial = NULL, *pubkeyfile = NULL, *alias = NULL; + char *checkhost = NULL, *checkemail = NULL, *checkip = NULL; + char *ext_names = NULL; char *extsect = NULL, *extfile = NULL, *passin = NULL, *passinarg = NULL; - char *infile = NULL, *outfile = NULL, *keyfile = NULL, *CAfile = NULL; + char *infile = NULL, *outfile = NULL, *signkeyfile = NULL, *CAfile = NULL; char *prog; - int x509req = 0, days = DEF_DAYS, modulus = 0, pubkey = 0, pprint = 0; + int days = UNSET_DAYS; /* not explicitly set */ + int x509toreq = 0, modulus = 0, print_pubkey = 0, pprint = 0; int CAformat = FORMAT_PEM, CAkeyformat = FORMAT_PEM; int fingerprint = 0, reqfile = 0, checkend = 0; int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM; int next_serial = 0, subject_hash = 0, issuer_hash = 0, ocspid = 0; - int noout = 0, sign_flag = 0, CA_flag = 0, CA_createserial = 0, email = 0; + int noout = 0, CA_createserial = 0, email = 0; int ocsp_uri = 0, trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0; int ret = 1, i, num = 0, badsig = 0, clrext = 0, nocert = 0; int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0, ext = 0; @@ -249,6 +328,13 @@ int x509_main(int argc, char **argv) case OPT_REQ: reqfile = 1; break; + case OPT_COPY_EXTENSIONS: + if (!set_ext_copy(&ext_copy, opt_arg())) { + BIO_printf(bio_err, + "Invalid extension copy option: %s\n", opt_arg()); + goto end; + } + break; case OPT_SIGOPT: if (!sigopts) @@ -263,9 +349,12 @@ int x509_main(int argc, char **argv) goto opthelp; break; case OPT_DAYS: - if (preserve_dates) - goto opthelp; days = atoi(opt_arg()); + if (days < -1) { + BIO_printf(bio_err, "%s: -days parameter arg must be >= -1\n", + prog); + goto end; + } break; case OPT_PASSIN: passinarg = opt_arg(); @@ -285,12 +374,10 @@ int x509_main(int argc, char **argv) extsect = opt_arg(); break; case OPT_SIGNKEY: - keyfile = opt_arg(); - sign_flag = ++num; + signkeyfile = opt_arg(); break; case OPT_CA: CAfile = opt_arg(); - CA_flag = ++num; break; case OPT_CAKEY: CAkeyfile = opt_arg(); @@ -310,7 +397,7 @@ int x509_main(int argc, char **argv) newcert = 1; break; case OPT_FORCE_PUBKEY: - fkeyfile = opt_arg(); + pubkeyfile = opt_arg(); break; case OPT_SUBJ: subj = opt_arg(); @@ -373,10 +460,10 @@ int x509_main(int argc, char **argv) modulus = ++num; break; case OPT_PUBKEY: - pubkey = ++num; + print_pubkey = ++num; break; case OPT_X509TOREQ: - x509req = ++num; + x509toreq = 1; break; case OPT_TEXT: text = ++num; @@ -410,7 +497,7 @@ int x509_main(int argc, char **argv) break; case OPT_EXT: ext = ++num; - exts = opt_arg(); + ext_names = opt_arg(); break; case OPT_NOCERT: nocert = 1; @@ -479,8 +566,6 @@ int x509_main(int argc, char **argv) checkip = opt_arg(); break; case OPT_PRESERVE_DATES: - if (days != DEF_DAYS) - goto opthelp; preserve_dates = 1; break; case OPT_MD: @@ -494,54 +579,77 @@ int x509_main(int argc, char **argv) if (argc != 0) goto opthelp; + if (preserve_dates && days != UNSET_DAYS) { + BIO_printf(bio_err, "Cannot use -preserve_dates with -days option\n"); + goto end; + } + if (days == UNSET_DAYS) + days = DEFAULT_DAYS; + if (!app_passwd(passinarg, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } if (!X509_STORE_set_default_paths_ex(ctx, app_get0_libctx(), - app_get0_propq())) { - ERR_print_errors(bio_err); + app_get0_propq())) goto end; - } if (newcert && infile != NULL) { - BIO_printf(bio_err, "The -in option must not be used since -new is set\n"); + BIO_printf(bio_err, "The -in option cannot be used with -new\n"); goto end; } - if (newcert && fkeyfile == NULL) { + if (newcert && reqfile) { BIO_printf(bio_err, - "The -new option requires a public key to be set using -force_pubkey\n"); + "The -req option cannot be used with -new\n"); goto end; } - if (fkeyfile != NULL) { - fkey = load_pubkey(fkeyfile, keyformat, 0, NULL, e, "forced key"); - if (fkey == NULL) + if (signkeyfile != NULL) { + signkey = load_key(signkeyfile, keyformat, 0, passin, e, "private key"); + if (signkey == NULL) + goto end; + } + if (pubkeyfile != NULL) { + if ((pubkey = load_pubkey(pubkeyfile, keyformat, 0, NULL, e, + "explicitly set public key")) == NULL) goto end; } - if (newcert && subj == NULL) { - BIO_printf(bio_err, - "The -new option requires a subject to be set using -subj\n"); - goto end; + if (newcert) { + if (subj == NULL) { + BIO_printf(bio_err, + "The -new option requires a subject to be set using -subj\n"); + goto end; + } + if (signkeyfile == NULL && pubkeyfile == NULL) { + BIO_printf(bio_err, + "The -new option without -signkey requires using -force_pubkey\n"); + goto end; + } } if (subj != NULL && (fsubj = parse_name(subj, chtype, multirdn, "subject")) == NULL) goto end; - if (CAkeyfile == NULL && CA_flag && CAformat == FORMAT_PEM) { + if (CAkeyfile == NULL) CAkeyfile = CAfile; - } else if (CA_flag && CAkeyfile == NULL) { - BIO_printf(bio_err, - "Need to specify a CAkey if using the CA command\n"); - goto end; - } else if (!CA_flag && CAkeyfile != NULL) { + if (CAfile != NULL) { + if (signkeyfile != NULL) { + BIO_printf(bio_err, "Cannot use both -signkey and -CA option\n"); + goto end; + } + } else if (CAkeyfile != NULL) { BIO_printf(bio_err, - "Ignoring -CAkey option since no -CA option is given\n"); + "Warning: ignoring -CAkey option since no -CA option is given\n"); } - if (extfile != NULL) { + if (extfile == NULL) { + if (extsect != NULL) + BIO_printf(bio_err, + "Warning: ignoring -extensions option without -extfile\n"); + } else { X509V3_CTX ctx2; + if ((extconf = app_load_config(extfile)) == NULL) goto end; if (extsect == NULL) { @@ -556,7 +664,6 @@ int x509_main(int argc, char **argv) if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) { BIO_printf(bio_err, "Error checking extension section %s\n", extsect); - ERR_print_errors(bio_err); goto end; } } @@ -574,64 +681,66 @@ int x509_main(int argc, char **argv) } i = do_X509_REQ_verify(req, pkey, vfyopts); if (i < 0) { - BIO_printf(bio_err, "Request self-signature verification error\n"); - ERR_print_errors(bio_err); + BIO_printf(bio_err, + "Error while verifying certificate request self-signature\n"); goto end; } if (i == 0) { BIO_printf(bio_err, - "Request self-signature did not match the certificate request\n"); + "Certificate request self-signature did not match the contents\n"); goto end; } else { - BIO_printf(bio_err, "Request self-signature ok\n"); + BIO_printf(bio_err, "Certificate request self-signature ok\n"); } print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), get_nameopt()); + } else if (!x509toreq && ext_copy != EXT_COPY_UNSET) { + BIO_printf(bio_err, "Warning: ignoring -copy_extensions since neither -x509toreq nor -req is given\n"); } if (reqfile || newcert) { - X509_NAME *n; - - if (!sign_flag && CAkeyfile == NULL) { + if (preserve_dates) + BIO_printf(bio_err, + "Warning: ignoring -preserve_dates option with -req or -new\n"); + preserve_dates = 0; + if (signkeyfile == NULL && CAkeyfile == NULL) { BIO_printf(bio_err, - "We need a private key to sign with, use -signkey or -CAkey or -CA with private key\n"); + "We need a private key to sign with, use -signkey or -CAkey or -CA with private key\n"); goto end; } if ((x = X509_new_ex(app_get0_libctx(), app_get0_propq())) == NULL) goto end; - if (sno == NULL) { sno = ASN1_INTEGER_new(); if (sno == NULL || !rand_serial(NULL, sno)) goto end; - if (!X509_set_serialNumber(x, sno)) + } + if (req != NULL && ext_copy != EXT_COPY_UNSET) { + if (clrext && ext_copy != EXT_COPY_NONE) { + BIO_printf(bio_err, "Must not use -clrext together with -copy_extensions\n"); goto end; - ASN1_INTEGER_free(sno); - sno = NULL; - } else if (!X509_set_serialNumber(x, sno)) { - goto end; + } else if (!copy_extensions(x, req, ext_copy)) { + BIO_printf(bio_err, "Error copying extensions from request\n"); + goto end; + } } - - n = req == NULL ? fsubj : X509_REQ_get_subject_name(req); - if (!X509_set_issuer_name(x, n) || !X509_set_subject_name(x, n)) - goto end; - if (!set_cert_times(x, NULL, NULL, days)) - goto end; - - if (!X509_set_pubkey(x, fkey != NULL ? fkey : X509_REQ_get0_pubkey(req))) - goto end; } else { x = load_cert_pass(infile, 1, passin, "certificate"); if (x == NULL) goto end; - if (fkey != NULL && !X509_set_pubkey(x, fkey)) - goto end; - if (fsubj != NULL && !X509_set_subject_name(x, fsubj)) - goto end; } + if ((fsubj != NULL || req != NULL) + && !X509_set_subject_name(x, fsubj != NULL ? fsubj : + X509_REQ_get_subject_name(req))) + goto end; + if ((pubkey != NULL || signkey != NULL || req != NULL) + && !X509_set_pubkey(x, pubkey != NULL ? pubkey : + signkey != NULL ? signkey : + X509_REQ_get0_pubkey(req))) + goto end; - if (CA_flag) { + if (CAfile != NULL) { xca = load_cert_pass(CAfile, 1, passin, "CA certificate"); if (xca == NULL) goto end; @@ -643,6 +752,7 @@ int x509_main(int argc, char **argv) if (!noout || text || next_serial) OBJ_create("2.99999.3", "SET.ex3", "SET x509v3 extension 3"); + /* TODO: why is this strange object created (and no error checked)? */ if (alias) X509_alias_set1(x, (unsigned char *)alias, -1); @@ -668,6 +778,104 @@ int x509_main(int argc, char **argv) objtmp = NULL; } + if (clrext && ext_names != NULL) + BIO_printf(bio_err, "Warning: Ignoring -ext since -clrext is given\n"); + for (i = X509_get_ext_count(x) - 1; i >= 0; i--) { + X509_EXTENSION *ex = X509_get_ext(x, i); + const char *sn = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ex))); + + if (clrext || (ext_names != NULL && strstr(ext_names, sn) == NULL)) + X509_EXTENSION_free(X509_delete_ext(x, i)); + } + + if ((reqfile || newcert || signkey != NULL || CAfile != NULL) + && !preserve_dates && !set_cert_times(x, NULL, NULL, days)) + goto end; + + issuer_cert = x; + if (CAfile != NULL) { + issuer_cert = xca; + if (sno == NULL) + sno = x509_load_serial(CAfile, CAserial, CA_createserial); + if (sno == NULL) + goto end; + } + + if (sno != NULL && !X509_set_serialNumber(x, sno)) + goto end; + + if (!X509_set_issuer_name(x, X509_get_subject_name(issuer_cert))) + goto end; + + X509V3_set_ctx(&ext_ctx, issuer_cert, x, req, NULL, X509V3_CTX_REPLACE); + if (extconf != NULL) { + X509V3_set_nconf(&ext_ctx, extconf); + if (!X509V3_EXT_add_nconf(extconf, &ext_ctx, extsect, x)) { + BIO_printf(bio_err, + "Error adding extensions from section %s\n", extsect); + goto end; + } + } + + /* At this point the contents of the certificate x have been finished. */ + + if (x509toreq) { /* also works in conjunction with -req */ + if (signkey == NULL) { + BIO_printf(bio_err, "Must specify request key using -signkey\n"); + goto end; + } + if (clrext && ext_copy != EXT_COPY_NONE) { + BIO_printf(bio_err, "Must not use -clrext together with -copy_extensions\n"); + goto end; + } + if ((rq = x509_to_req(x, signkey, digest, sigopts, + ext_copy, ext_names)) == NULL) + goto end; + if (!noout) { + if (outformat == FORMAT_ASN1) { + X509_REQ_print_ex(out, rq, get_nameopt(), X509_FLAG_COMPAT); + i = i2d_X509_bio(out, x); + } else { + i = PEM_write_bio_X509_REQ(out, rq); + } + if (!i) { + BIO_printf(bio_err, + "Unable to write certificate request\n"); + goto end; + } + } + noout = 1; + } else if (signkey != NULL) { + if (!do_X509_sign(x, signkey, digest, sigopts, &ext_ctx)) + goto end; + } else if (CAfile != NULL) { + if (!reqfile && !newcert) { /* certificate should be self-signed */ + X509_STORE_CTX *xsc = X509_STORE_CTX_new(); + + if (xsc == NULL || !X509_STORE_CTX_init(xsc, ctx, x, NULL)) { + BIO_printf(bio_err, "Error initialising X509 store\n"); + X509_STORE_CTX_free(xsc); + goto end; + } + X509_STORE_CTX_set_cert(xsc, x); + X509_STORE_CTX_set_flags(xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); + i = X509_verify_cert(xsc); + X509_STORE_CTX_free(xsc); + if (i <= 0) + goto end; + } + if ((CAkey = load_key(CAkeyfile, CAkeyformat, + 0, passin, e, "CA private key")) == NULL) + goto end; + if (!X509_check_private_key(xca, CAkey)) { + BIO_printf(bio_err, + "CA certificate and CA private key do not match\n"); + goto end; + } + + if (!do_X509_sign(x, CAkey, digest, sigopts, &ext_ctx)) + goto end; + } if (badsig) { const ASN1_BIT_STRING *signature; @@ -675,10 +883,12 @@ int x509_main(int argc, char **argv) corrupt_signature(signature); } - if (num) { + if (num) { /* TODO remove this needless guard and extra indentation below */ + /* Process print options in the given order, as indicated by index i */ for (i = 1; i <= num; i++) { if (issuer == i) { - print_name(out, "issuer=", X509_get_issuer_name(x), get_nameopt()); + print_name(out, "issuer=", X509_get_issuer_name(x), + get_nameopt()); } else if (subject == i) { print_name(out, "subject=", X509_get_subject_name(x), get_nameopt()); @@ -702,8 +912,9 @@ int x509_main(int argc, char **argv) ASN1_INTEGER_free(ser); BIO_puts(out, "\n"); } else if (email == i || ocsp_uri == i) { - int j; STACK_OF(OPENSSL_STRING) *emlst; + int j; + if (email == i) emlst = X509_get1_email(x); else @@ -714,6 +925,7 @@ int x509_main(int argc, char **argv) X509_email_free(emlst); } else if (aliasout == i) { unsigned char *alstr; + alstr = X509_alias_get0(x, NULL); if (alstr) BIO_printf(out, "%s\n", alstr); @@ -721,23 +933,20 @@ int x509_main(int argc, char **argv) BIO_puts(out, "\n"); } else if (subject_hash == i) { BIO_printf(out, "%08lx\n", X509_subject_name_hash(x)); - } #ifndef OPENSSL_NO_MD5 - else if (subject_hash_old == i) { + } else if (subject_hash_old == i) { BIO_printf(out, "%08lx\n", X509_subject_name_hash_old(x)); - } #endif - else if (issuer_hash == i) { + } else if (issuer_hash == i) { BIO_printf(out, "%08lx\n", X509_issuer_name_hash(x)); - } #ifndef OPENSSL_NO_MD5 - else if (issuer_hash_old == i) { + } else if (issuer_hash_old == i) { BIO_printf(out, "%08lx\n", X509_issuer_name_hash_old(x)); - } #endif - else if (pprint == i) { + } else if (pprint == i) { X509_PURPOSE *ptmp; int j; + BIO_printf(out, "Certificate purposes:\n"); for (j = 0; j < X509_PURPOSE_get_count(); j++) { ptmp = X509_PURPOSE_get0(j); @@ -748,8 +957,8 @@ int x509_main(int argc, char **argv) pkey = X509_get0_pubkey(x); if (pkey == NULL) { - BIO_printf(bio_err, "Modulus=unavailable\n"); - ERR_print_errors(bio_err); + BIO_printf(bio_err, + "Modulus unavailable: cannot get key\n"); goto end; } BIO_printf(out, "Modulus="); @@ -768,16 +977,15 @@ int x509_main(int argc, char **argv) BN_print(out, dsapub); BN_free(dsapub); } else { - BIO_printf(out, "Wrong Algorithm type"); + BIO_printf(out, "No modulus for this public key type"); } BIO_printf(out, "\n"); - } else if (pubkey == i) { + } else if (print_pubkey == i) { EVP_PKEY *pkey; pkey = X509_get0_pubkey(x); if (pkey == NULL) { BIO_printf(bio_err, "Error getting public key\n"); - ERR_print_errors(bio_err); goto end; } PEM_write_bio_PUBKEY(out, pkey); @@ -810,64 +1018,10 @@ int x509_main(int argc, char **argv) BIO_printf(out, "%02X%c", md[j], (j + 1 == (int)n) ? '\n' : ':'); } - } - - /* should be in the library */ - else if (sign_flag == i && x509req == 0) { - if (Upkey == NULL) { - Upkey = load_key(keyfile, keyformat, 0, - passin, e, "private key"); - if (Upkey == NULL) - goto end; - } - if (fkey == NULL && !X509_set_pubkey(x, Upkey)) - goto end; - if (!sign(x, Upkey, x /* self-issuing */, sigopts, days, clrext, - digest, extconf, extsect, preserve_dates)) { - ERR_print_errors(bio_err); - goto end; - } - } else if (CA_flag == i) { - if (CAkeyfile != NULL) { - CApkey = load_key(CAkeyfile, CAkeyformat, - 0, passin, e, "CA private key"); - if (CApkey == NULL) - goto end; - } - - if (!x509_certify(ctx, CAfile, digest, x, xca, - CApkey, sigopts, - CAserial, CA_createserial, days, clrext, - extconf, extsect, sno, reqfile, preserve_dates)) - goto end; - } else if (x509req == i) { - EVP_PKEY *pk; - - if (keyfile == NULL) { - BIO_printf(bio_err, "No request key file specified\n"); - goto end; - } else { - pk = load_key(keyfile, keyformat, 0, - passin, e, "request key"); - if (pk == NULL) - goto end; - } - - rq = X509_to_X509_REQ(x, pk, digest); - EVP_PKEY_free(pk); - if (rq == NULL) { - ERR_print_errors(bio_err); - goto end; - } - if (!noout) { - X509_REQ_print_ex(out, rq, get_nameopt(), X509_FLAG_COMPAT); - PEM_write_bio_X509_REQ(out, rq); - } - noout = 1; } else if (ocspid == i) { X509_ocspid_print(out, x); } else if (ext == i) { - print_x509v3_exts(out, x, exts); + print_x509v3_exts(out, x, ext_names); } } } @@ -905,11 +1059,13 @@ int x509_main(int argc, char **argv) } if (!i) { BIO_printf(bio_err, "Unable to write certificate\n"); - ERR_print_errors(bio_err); goto end; } ret = 0; + end: + if (ret != 0) + ERR_print_errors(bio_err); NCONF_free(extconf); BIO_free_all(out); X509_STORE_free(ctx); @@ -917,9 +1073,9 @@ int x509_main(int argc, char **argv) X509_REQ_free(req); X509_free(x); X509_free(xca); - EVP_PKEY_free(Upkey); - EVP_PKEY_free(CApkey); - EVP_PKEY_free(fkey); + EVP_PKEY_free(signkey); + EVP_PKEY_free(CAkey); + EVP_PKEY_free(pubkey); sk_OPENSSL_STRING_free(sigopts); sk_OPENSSL_STRING_free(vfyopts); X509_REQ_free(rq); @@ -967,67 +1123,6 @@ static ASN1_INTEGER *x509_load_serial(const char *CAfile, return bs; } -static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *digest, - X509 *x, X509 *xca, EVP_PKEY *pkey, - STACK_OF(OPENSSL_STRING) *sigopts, - const char *serialfile, int create, - int days, int clrext, CONF *conf, const char *section, - ASN1_INTEGER *sno, int reqfile, int preserve_dates) -{ - int ret = 0; - ASN1_INTEGER *bs = NULL; - X509_STORE_CTX *xsc = NULL; - EVP_PKEY *upkey; - - upkey = X509_get0_pubkey(xca); - if (upkey == NULL) { - BIO_printf(bio_err, "Error obtaining CA X509 public key\n"); - goto end; - } - EVP_PKEY_copy_parameters(upkey, pkey); - - xsc = X509_STORE_CTX_new(); - if (xsc == NULL || !X509_STORE_CTX_init(xsc, ctx, x, NULL)) { - BIO_printf(bio_err, "Error initialising X509 store\n"); - goto end; - } - if (sno) - bs = sno; - else if ((bs = x509_load_serial(CAfile, serialfile, create)) == NULL) - goto end; - - /* - * NOTE: this certificate can/should be self-signed, unless it was a - * certificate request in which case it is not. - */ - X509_STORE_CTX_set_cert(xsc, x); - X509_STORE_CTX_set_flags(xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); - if (!reqfile && X509_verify_cert(xsc) <= 0) - goto end; - - if (!X509_check_private_key(xca, pkey)) { - BIO_printf(bio_err, - "CA certificate and CA private key do not match\n"); - goto end; - } - - if (!X509_set_serialNumber(x, bs)) - goto end; - - if (!sign(x, pkey, xca, sigopts, days, clrext, digest, - conf, section, preserve_dates)) - goto end; - - ret = 1; - end: - X509_STORE_CTX_free(xsc); - if (!ret) - ERR_print_errors(bio_err); - if (!sno) - ASN1_INTEGER_free(bs); - return ret; -} - static int callb(int ok, X509_STORE_CTX *ctx) { int err; @@ -1061,42 +1156,6 @@ static int callb(int ok, X509_STORE_CTX *ctx) } } -static int sign(X509 *x, EVP_PKEY *pkey, X509 *issuer, - STACK_OF(OPENSSL_STRING) *sigopts, - int days, int clrext, - const EVP_MD *digest, CONF *conf, const char *section, - int preserve_dates) -{ - X509V3_CTX ext_ctx; - - if (!X509_set_issuer_name(x, X509_get_subject_name(issuer))) - return 0; - - if (!preserve_dates && !set_cert_times(x, NULL, NULL, days)) - return 0; - - if (clrext) { - while (X509_get_ext_count(x) > 0) - X509_delete_ext(x, 0); - } - - X509V3_set_ctx(&ext_ctx, issuer, x, NULL, NULL, X509V3_CTX_REPLACE); - if (issuer == x - /* prepare the correct AKID of self-issued, possibly self-signed cert */ - && !X509V3_set_issuer_pkey(&ext_ctx, pkey)) - return 0; - - if (conf != NULL) { - X509V3_set_nconf(&ext_ctx, conf); - if (!X509V3_EXT_add_nconf(conf, &ext_ctx, section, x)) { - BIO_printf(bio_err, - "Error adding extensions from section %s\n", section); - return 0; - } - } - return do_X509_sign(x, pkey, digest, sigopts, &ext_ctx); -} - static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt) { int id, i, idret; diff --git a/crypto/ct/ct_sct_ctx.c b/crypto/ct/ct_sct_ctx.c index a84c476caf..353b5a7f0e 100644 --- a/crypto/ct/ct_sct_ctx.c +++ b/crypto/ct/ct_sct_ctx.c @@ -168,15 +168,12 @@ int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner) * SCT. */ if (idx >= 0) { - X509_EXTENSION *ext; - /* Take a copy of certificate so we don't modify passed version */ pretmp = X509_dup(cert); if (pretmp == NULL) goto err; - ext = X509_delete_ext(pretmp, idx); - X509_EXTENSION_free(ext); + X509_EXTENSION_free(X509_delete_ext(pretmp, idx)); if (!ct_x509_cert_fixup(pretmp, presigner)) goto err; diff --git a/crypto/x509/t_req.c b/crypto/x509/t_req.c index 1f50a0a1e2..5e26db9c4e 100644 --- a/crypto/x509/t_req.c +++ b/crypto/x509/t_req.c @@ -108,7 +108,7 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, goto err; if (X509_REQ_get_attr_count(x) == 0) { - if (BIO_printf(bp, "%12sa0:00\n", "") <= 0) + if (BIO_printf(bp, "%12s(none)\n", "") <= 0) goto err; } else { for (i = 0; i < X509_REQ_get_attr_count(x); i++) { @@ -166,14 +166,14 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, if (!(cflag & X509_FLAG_NO_EXTENSIONS)) { exts = X509_REQ_get_extensions(x); if (exts) { - if (BIO_printf(bp, "%8sRequested Extensions:\n", "") <= 0) + if (BIO_printf(bp, "%12sRequested Extensions:\n", "") <= 0) goto err; for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) { ASN1_OBJECT *obj; X509_EXTENSION *ex; int critical; ex = sk_X509_EXTENSION_value(exts, i); - if (BIO_printf(bp, "%12s", "") <= 0) + if (BIO_printf(bp, "%16s", "") <= 0) goto err; obj = X509_EXTENSION_get_object(ex); if (i2a_ASN1_OBJECT(bp, obj) <= 0) @@ -181,8 +181,8 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, critical = X509_EXTENSION_get_critical(ex); if (BIO_printf(bp, ": %s\n", critical ? "critical" : "") <= 0) goto err; - if (!X509V3_EXT_print(bp, ex, cflag, 16)) { - if (BIO_printf(bp, "%16s", "") <= 0 + if (!X509V3_EXT_print(bp, ex, cflag, 20)) { + if (BIO_printf(bp, "%20s", "") <= 0 || ASN1_STRING_print(bp, X509_EXTENSION_get_data(ex)) <= 0) goto err; diff --git a/crypto/x509/v3_conf.c b/crypto/x509/v3_conf.c index 740108fefd..9eda71348c 100644 --- a/crypto/x509/v3_conf.c +++ b/crypto/x509/v3_conf.c @@ -295,12 +295,8 @@ static void delete_ext(STACK_OF(X509_EXTENSION) *sk, X509_EXTENSION *dext) ASN1_OBJECT *obj; obj = X509_EXTENSION_get_object(dext); - while ((idx = X509v3_get_ext_by_OBJ(sk, obj, -1)) >= 0) { - X509_EXTENSION *tmpext = X509v3_get_ext(sk, idx); - - X509v3_delete_ext(sk, idx); - X509_EXTENSION_free(tmpext); - } + while ((idx = X509v3_get_ext_by_OBJ(sk, obj, -1)) >= 0) + X509_EXTENSION_free(X509v3_delete_ext(sk, idx)); } /* diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c index f3764e4179..4f4319a30c 100644 --- a/crypto/x509/x509_req.c +++ b/crypto/x509/x509_req.c @@ -164,15 +164,15 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) * Add a STACK_OF extensions to a certificate request: allow alternative OIDs * in case we want to create a non standard one. */ - -int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts, - int nid) +int X509_REQ_add_extensions_nid(X509_REQ *req, + const STACK_OF(X509_EXTENSION) *exts, int nid) { int extlen; int rv = 0; unsigned char *ext = NULL; + /* Generate encoding of extensions */ - extlen = ASN1_item_i2d((ASN1_VALUE *)exts, &ext, + extlen = ASN1_item_i2d((const ASN1_VALUE *)exts, &ext, ASN1_ITEM_rptr(X509_EXTENSIONS)); if (extlen <= 0) return 0; @@ -182,7 +182,7 @@ int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts, } /* This is the normal usage: use the "official" OID */ -int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts) +int X509_REQ_add_extensions(X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts) { return X509_REQ_add_extensions_nid(req, exts, NID_ext_req); } diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in index 0c0fc7e414..f90c8b3e3a 100644 --- a/doc/man1/openssl-x509.pod.in +++ b/doc/man1/openssl-x509.pod.in @@ -9,70 +9,71 @@ openssl-x509 - Certificate display and signing command B B [B<-help>] +[B<-in> I|I] +[B<-passin> I] +[B<-new>] +[B<-x509toreq>] +[B<-req>] +[B<-copy_extensions> I] [B<-inform> B|B] -[B<-outform> B|B] +[B<-vfyopt> I:I] +[B<-signkey> I|I] [B<-keyform> B|B|B|B] -[B<-CAform> B|B|B] -[B<-CAkeyform> B|B|B|B] -[B<-in> I] [B<-out> I] +[B<-outform> B|B] +[B<-nocert>] +[B<-noout>] +[B<-text>] +[B<-certopt> I

] [B<-sigopt> I:I] -[B<-vfyopt> I:I] -[B<-preserve_dates>] -{- $OpenSSL::safe::opt_name_synopsis -} +[B<-badsig>] +[B<-I>] +[B<-CA> I|I] +[B<-CAform> B|B|B] +[B<-CAkey> I|I] +[B<-CAkeyform> B|B|B|B] +[B<-CAserial> I] +[B<-CAcreateserial>] +[B<-trustout>] +[B<-setalias> I] +[B<-clrtrust>] +[B<-addtrust> I] +[B<-clrreject>] +[B<-addreject> I] {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} @@ -80,10 +81,11 @@ B B =head1 DESCRIPTION -This command is a multi-purposes certificate command. It can -be used to display certificate information, convert certificates to -various forms, sign certificate requests like a "mini CA" or edit -certificate trust settings. +This command is a multi-purposes certificate handling command. +It can be used to print certificate information, +convert certificates to various forms, edit certificate trust settings, +generate certificates from scratch or from certificating requests +and then self-signing them or signing them like a "micro CA". Since there are a large number of options they will split up into various sections. @@ -98,356 +100,384 @@ various sections. Print out a usage message. +=item B<-in> I|I + +If the B<-req> option is not used this specifies the input +to read a certificate from or standard input if this option is not specified. +With the B<-req> option this specifies a certificate request file. + +=item B<-passin> I + +The key and certificate file password source. +For more information about the format of I +see L. + +=item B<-new> + +Generate a certificate from scratch, not using an input certificate +or certificate request. So the B<-in> option must not be used in this case. +Instead, the B<-subj> option needs to be given. +The public key to include can be given with the B<-force_pubkey> option +and defaults to the key given with the B<-signkey> option, +which implies self-signature. + +=item B<-x509toreq> + +Output a PKCS#10 certificate request (rather than a certificate). +The B<-signkey> option must be used to provide the private key for self-signing; +the corresponding public key is placed in the subjectPKInfo field. + +X.509 extensions included in a certificate input are not copied by default. +X.509 extensions to be added can be specified using the B<-extfile> option. + +=item B<-req> + +By default a certificate is expected on input. +With this option a PKCS#10 certificate request is expected instead, +which must be correctly self-signed. + +X.509 extensions included in the request are not copied by default. +X.509 extensions to be added can be specified using the B<-extfile> option. + +=item B<-copy_extensions> I + +Determines how to handle X.509 extensions +when converting from a certificate to a request using the B<-x509toreq> option +or converting from a request to a certificate using the B<-req> option. +If I is B or this option is not present then extensions are ignored. +If I is B or B then all extensions are copied, +except that subject identifier and authority key identifier extensions +are not taken over when producing a certificate request. + +The B<-ext> option can be used to further restrict which extensions to copy. + =item B<-inform> B|B -The CSR input format; the default is B. +The CSR input file format; the default is B. See L for details. -The input is normally an X.509 certificate file of any format, -but this can change if other options such as B<-req> are used. +=item B<-vfyopt> I:I -B<-outform> B|B +Pass options to the signature algorithm during verify operations. +Names and values of these options are algorithm-specific. -The output format; the default is B. -See L for details. +=item B<-signkey> I|I -=item B<-in> I +This option causes the new certificate or certificate request +to be self-signed using the supplied private key. +This cannot be used in conjunction with the B<-CA> option. -This specifies the input filename to read a certificate from or standard input -if this option is not specified. +It sets the issuer name to the subject name (i.e., makes it self-issued) +and changes the public key to the supplied value (unless overridden +by B<-force_pubkey>). +Unless the B<-preserve_dates> option is supplied, +it sets the validity start date to the current time +and the end date to a value determined by the B<-days> option. -=item B<-out> I +=item B<-keyform> B|B|B|B -This specifies the output filename to write to or standard output by -default. +The key input format; the default is B. +The only value with effect is B; all others have become obsolete. +See L for details. -=item B<-I> +=item B<-out> I -The digest to use. -This affects any signing or display option that uses a message -digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. -Any digest supported by the L command can be used. -If not specified then SHA1 is used with B<-fingerprint> or -the default digest for the signing algorithm is used, typically SHA256. +This specifies the output filename to write to or standard output by default. -=item B<-preserve_dates> +=item B<-outform> B|B -When signing a certificate, preserve the "notBefore" and "notAfter" dates -instead of adjusting them to current time and duration. -Cannot be used with the B<-days> option. +The output format; the default is B. +See L for details. -{- $OpenSSL::safe::opt_r_synopsis -} +=item B<-nocert> -{- $OpenSSL::safe::opt_engine_item -} +Do not output a certificate (except for printing as requested by below options). -{- $OpenSSL::safe::opt_provider_item -} +=item B<-noout> + +This option prevents output except for printing as requested by below options. =back -=head2 Display Options +=head2 Certificate Printing Options -Note: the B<-alias> and B<-purpose> options are also display options +Note: the B<-alias> and B<-purpose> options are also printing options but are described in the L section. =over 4 =item B<-text> -Prints out the certificate in text form. Full details are output including the +Prints out the certificate in text form. Full details are printed including the public key, signature algorithms, issuer and subject names, serial number any extensions present and any trust settings. -=item B<-ext> I - -Prints out the certificate extensions in text form. Extensions are specified -with a comma separated string, e.g., "subjectAltName,subjectKeyIdentifier". -See the L manual page for the extension names. - =item B<-certopt> I
-This option causes the input file to be self signed using the supplied -private key. +The section in the extfile to add X.509 extensions from. +If this option is not +specified then the extensions should either be contained in the unnamed +(default) section or the default section should contain a variable called +"extensions" which contains the section to use. +See the L manual page for details of the +extension section format. -It sets the issuer name to the subject name (i.e., makes it self-issued) -and changes the public key to the supplied value (unless overridden by -B<-force_pubkey>). It sets the validity start date to the current time -and the end date to a value determined by the B<-days> option. -It retains any certificate extensions unless the B<-clrext> option is supplied; -this includes, for example, any existing key identifier extensions. +=item B<-sigopt> I:I + +Pass options to the signature algorithm during sign operations. +This option may be given multiple times. +Names and values provided using this option are algorithm-specific. =item B<-badsig> Corrupt the signature before writing it; this can be useful for testing. -=item B<-sigopt> I:I - -Pass options to the signature algorithm during sign operations. -Names and values of these options are algorithm-specific. - -=item B<-vfyopt> I:I +=item B<-I> -Pass options to the signature algorithm during verify operations. -Names and values of these options are algorithm-specific. +The digest to use. +This affects any signing or printing option that uses a message +digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. +Any digest supported by the L command can be used. +If not specified then SHA1 is used with B<-fingerprint> or +the default digest for the signing algorithm is used, typically SHA256. -=item B<-passin> I +=back -The key and certificate file password source. -For more information about the format of I -see L. +=head2 Micro-CA Options -=item B<-clrext> +=over 4 -Delete any extensions from a certificate. This option is used when a -certificate is being created from another certificate (for example with -the B<-signkey> or the B<-CA> options). Normally all extensions are -retained. +=item B<-CA> I|I -=item B<-keyform> B|B|B|B +Specifies the "CA" certificate to be used for signing. +When present, this behaves like a "micro CA" as follows: +The subject name of the "CA" certificate is placed as issuer name in the new +certificate, which is then signed using the "CA" key given as detailed below. -The key format; the default is B. -The only value with effect is B; all others have become obsolete. -See L for details. +This option cannot be used in conjunction with the B<-signkey> option. +This option is normally combined with the B<-req> option referencing a CSR. +Without the B<-req> option the input must be a self-signed certificate +unless the B<-new> option is given, which generates a certificate from scratch. =item B<-CAform> B|B|B, The format for the CA certificate. This option has no effect and is retained for backward compatibility. +=item B<-CAkey> I|I + +Sets the CA private key to sign a certificate with. +The private key must match the public key of the certificate given with B<-CA>. +If this option is not provided then the key must be present in the B<-CA> input. + =item B<-CAkeyform> B|B|B|B The format for the CA key; the default is B. The only value with effect is B; all others have become obsolete. See L for details. -=item B<-days> I - -Specifies the number of days to make a certificate valid for. The default -is 30 days. Cannot be used with the B<-preserve_dates> option. - -=item B<-x509toreq> - -Converts a certificate into a certificate request. The B<-signkey> option -is used to pass the required private key. - -=item B<-req> - -By default a certificate is expected on input. With this option a -certificate request is expected instead. - -=item B<-set_serial> I - -Specifies the serial number to use. This option can be used with either -the B<-signkey> or B<-CA> options. If used in conjunction with the B<-CA> -option the serial number file (as specified by the B<-CAserial> or -B<-CAcreateserial> options) is not used. - -The serial number can be decimal or hex (if preceded by C<0x>). - -=item B<-CA> I - -Specifies the CA certificate to be used for signing. When this option is -present, this command behaves like a "mini CA". The input file is signed by -this CA using this option: that is its issuer name is set to the subject name -of the CA and it is digitally signed using the CAs private key. - -This option is normally combined with the B<-req> option. Without the -B<-req> option the input is a certificate which must be self signed. - -=item B<-CAkey> I|I - -Sets the CA private key to sign a certificate with. If this option is -not specified then it is assumed that the CA private key is present in -the CA certificate file. - =item B<-CAserial> I Sets the CA serial number file to use. @@ -470,78 +500,92 @@ have the 1 as its serial number. If the B<-CA> option is specified and the serial number file does not exist a random number is generated; this is the recommended practice. -=item B<-extfile> I +=back -File containing certificate extensions to use. If not specified then -no extensions are added to the certificate. +=head2 Trust Settings -=item B<-extensions> I
+A B is an ordinary certificate which has several +additional pieces of information attached to it such as the permitted +and prohibited uses of the certificate and possibly an "alias" (nickname). -The section to add certificate extensions from. If this option is not -specified then the extensions should either be contained in the unnamed -(default) section or the default section should contain a variable called -"extensions" which contains the section to use. See the -L manual page for details of the -extension section format. +Normally when a certificate is being verified at least one certificate +must be "trusted". By default a trusted certificate must be stored +locally and must be a root CA: any certificate chain ending in this CA +is then usable for any purpose. -=item B<-new> +Trust settings currently are only used with a root CA. +They allow a finer control over the purposes the root CA can be used for. +For example, a CA may be trusted for SSL client but not SSL server use. -Generate a certificate from scratch, not using an input certificate -or certificate request. So the B<-in> option must not be used in this case. -Instead, the B<-subj> and <-force_pubkey> options need to be given. +See the description in L for more information +on the meaning of trust settings. -=item B<-next_serial> +Future versions of OpenSSL will recognize trust settings on any +certificate: not just root CAs. -Set the serial to be one more than the number in the certificate. +=over 4 -=item B<-nocert> +=item B<-trustout> -Do not generate or output a certificate. +Mark any certificate PEM output as certificate rather than ordinary. +An ordinary or trusted certificate can be input but by default an ordinary +certificate is output and any trust settings are discarded. +With the B<-trustout> option a trusted certificate is output. A trusted +certificate is automatically output if any trust settings are modified. -=item B<-force_pubkey> I +=item B<-setalias> I -When a certificate is created set its public key to the key in I -instead of the key contained in the input or given with the B<-signkey> option. +Sets the "alias" of the certificate. This will allow the certificate +to be referred to using a nickname for example "Steve's Certificate". -This option is useful for creating self-issued certificates that are not -self-signed, for instance when the key cannot be used for signing, such as DH. -It can also be used in conjunction with b<-new> and B<-subj> to directly -generate a certificate containing any desired public key. +=item B<-clrtrust> -=item B<-subj> I +Clears all the permitted or trusted uses of the certificate. -When a certificate is created set its subject name to the given value. +=item B<-addtrust> I -The arg must be formatted as C. -Special characters may be escaped by C<\> (backslash), whitespace is retained. -Empty values are permitted, but the corresponding type will not be included -in the certificate. -Giving a single C will lead to an empty sequence of RDNs (a NULL-DN). -Multi-valued RDNs can be formed by placing a C<+> character instead of a C -between the AttributeValueAssertions (AVAs) that specify the members of the set. -Example: +Adds a trusted certificate use. +Any object name can be used here but currently only B (SSL client +use), B (SSL server use), B (S/MIME email) +and B are used. +As of OpenSSL 1.1.0, the last of these blocks all purposes when rejected or +enables all purposes when trusted. +Other OpenSSL applications may define additional uses. -C +=item B<-clrreject> -Unless the B<-CA> option is given the issuer is set to the same value. +Clears all the prohibited or rejected uses of the certificate. -This option can be used in conjunction with the B<-force_pubkey> option -to create a certificate even without providing an input certificate -or certificate request. +=item B<-addreject> I + +Adds a prohibited use. +It accepts the same values as the B<-addtrust> option. =back -=head2 Text Options +=head2 Generic options + +=over 4 + +{- $OpenSSL::safe::opt_r_item -} -As well as customising the name output format, it is also possible to -customise the actual fields printed using the B options when +{- $OpenSSL::safe::opt_engine_item -} + +{- $OpenSSL::safe::opt_provider_item -} + +=back + +=head2 Text Printing Flags + +As well as customising the name printing format, it is also possible to +customise the actual fields printed using the B option when the B option is present. The default behaviour is to print all fields. =over 4 =item B -Use the old format. This is equivalent to specifying no output options at all. +Use the old format. This is equivalent to specifying no printing options at all. =item B @@ -617,36 +661,36 @@ B, and B. Note: in these examples the '\' means the example should be all on one line. -Display the contents of a certificate: +Print the contents of a certificate: openssl x509 -in cert.pem -noout -text -Display the "Subject Alternative Name" extension of a certificate: +Print the "Subject Alternative Name" extension of a certificate: openssl x509 -in cert.pem -noout -ext subjectAltName -Display more extensions of a certificate: +Print more extensions of a certificate: openssl x509 -in cert.pem -noout -ext subjectAltName,nsCertType -Display the certificate serial number: +Print the certificate serial number: openssl x509 -in cert.pem -noout -serial -Display the certificate subject name: +Print the certificate subject name: openssl x509 -in cert.pem -noout -subject -Display the certificate subject name in RFC2253 form: +Print the certificate subject name in RFC2253 form: openssl x509 -in cert.pem -noout -subject -nameopt RFC2253 -Display the certificate subject name in oneline form on a terminal +Print the certificate subject name in oneline form on a terminal supporting UTF8: openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb -Display the certificate SHA1 fingerprint: +Print the certificate SHA1 fingerprint: openssl x509 -sha1 -in cert.pem -noout -fingerprint @@ -658,7 +702,7 @@ Convert a certificate to a certificate request: openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem -Convert a certificate request into a self signed certificate using +Convert a certificate request into a self-signed certificate using extensions for a CA: openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \ @@ -670,7 +714,6 @@ certificate extensions: openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \ -CA cacert.pem -CAkey key.pem -CAcreateserial - Set a certificate to be trusted for SSL client use and change set its alias to "Steve's Class 1 CA" @@ -682,7 +725,7 @@ Set a certificate to be trusted for SSL client use and change set its alias to The conversion to UTF8 format used with the name options assumes that T61Strings use the ISO8859-1 character set. This is wrong but Netscape and MSIE do this as do many certificates. So although this is incorrect -it is more likely to display the majority of certificates correctly. +it is more likely to print the majority of certificates correctly. The B<-email> option searches the subject name and the subject alternative name extension. Only unique email addresses will be printed out: it will @@ -710,9 +753,9 @@ because the certificate should really not be regarded as a CA: however it is allowed to be a CA to work around some broken software. If the certificate is a V1 certificate (and thus has no extensions) and -it is self signed it is also assumed to be a CA but a warning is again +it is self-signed it is also assumed to be a CA but a warning is again given: this is to work around the problem of Verisign roots which are V1 -self signed certificates. +self-signed certificates. If the keyUsage extension is present then additional restraints are made on the uses of the certificate. A CA certificate B have the @@ -803,12 +846,9 @@ must be present. =head1 BUGS -Extensions in certificates are not transferred to certificate requests and -vice versa. - It is possible to produce invalid certificates or requests by specifying the -wrong private key or using inconsistent options in some cases: these should -be checked. +wrong private key, using unsuitable X.509 extensions, +or using inconsistent options in some cases: these should be checked. There should be options to explicitly set such things as start and end dates rather than an offset from the current time. diff --git a/doc/man3/X509v3_get_ext_by_NID.pod b/doc/man3/X509v3_get_ext_by_NID.pod index f77474ca80..79c68e1478 100644 --- a/doc/man3/X509v3_get_ext_by_NID.pod +++ b/doc/man3/X509v3_get_ext_by_NID.pod @@ -74,9 +74,9 @@ looks for an extension of criticality B. A zero value for B looks for a non-critical extension a nonzero value looks for a critical extension. -X509v3_delete_ext() deletes the extension with index B from B. The -deleted extension is returned and must be freed by the caller. If B -is in invalid index value B is returned. +X509v3_delete_ext() deletes the extension with index B from B. +The deleted extension is returned and must be freed by the caller. +If B is in invalid index value B is returned. X509v3_add_ext() adds extension B to stack B<*x> at position B. If B is B<-1> the new extension is added to the end. If B<*x> is B @@ -111,6 +111,11 @@ error. These search functions start from the extension B the B parameter so it should initially be set to B<-1>, if it is set to zero the initial extension will not be checked. +=head1 BUGS + +X509v3_delete_ext() and its variants are a bit counter-intuitive +because these functions do not free the extension they delete. + =head1 RETURN VALUES X509v3_get_ext_count() returns the extension count. diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in index 1d9ca63405..bf525f427f 100644 --- a/include/openssl/x509.h.in +++ b/include/openssl/x509.h.in @@ -734,9 +734,9 @@ int X509_REQ_extension_nid(int nid); int *X509_REQ_get_extension_nids(void); void X509_REQ_set_extension_nids(int *nids); STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req); -int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts, - int nid); -int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts); +int X509_REQ_add_extensions_nid(X509_REQ *req, + const STACK_OF(X509_EXTENSION) *exts, int nid); +int X509_REQ_add_extensions(X509_REQ *req, const STACK_OF(X509_EXTENSION) *ext); int X509_REQ_get_attr_count(const X509_REQ *req); int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos); int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, const ASN1_OBJECT *obj, diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t index e9550f1fe4..afaed66293 100644 --- a/test/recipes/25-test_x509.t +++ b/test/recipes/25-test_x509.t @@ -18,23 +18,23 @@ setup("test_x509"); plan tests => 15; -require_ok(srctop_file('test','recipes','tconversion.pl')); +require_ok(srctop_file("test", "recipes", "tconversion.pl")); my @certs = qw(test certs); -my $pem = srctop_file("test/certs", "cyrillic.pem"); +my $pem = srctop_file(@certs, "cyrillic.pem"); my $out_msb = "out-cyrillic.msb"; my $out_utf8 = "out-cyrillic.utf8"; -my $msb = srctop_file("test/certs", "cyrillic.msb"); -my $utf = srctop_file("test/certs", "cyrillic.utf8"); +my $msb = srctop_file(@certs, "cyrillic.msb"); +my $utf = srctop_file(@certs, "cyrillic.utf8"); ok(run(app(["openssl", "x509", "-text", "-in", $pem, "-out", $out_msb, "-nameopt", "esc_msb"]))); -is(cmp_text($out_msb, srctop_file("test/certs", "cyrillic.msb")), - 0, 'Comparing esc_msb output'); +is(cmp_text($out_msb, srctop_file(@certs, "cyrillic.msb")), + 0, 'Comparing esc_msb output with cyrillic.msb'); ok(run(app(["openssl", "x509", "-text", "-in", $pem, "-out", $out_utf8, "-nameopt", "utf8"]))); -is(cmp_text($out_utf8, srctop_file("test/certs", "cyrillic.utf8")), - 0, 'Comparing utf8 output'); +is(cmp_text($out_utf8, srctop_file(@certs, "cyrillic.utf8")), + 0, 'Comparing utf8 output with cyrillic.utf8'); SKIP: { skip "DES disabled", 1 if disabled("des"); @@ -44,49 +44,42 @@ is(cmp_text($out_utf8, srctop_file("test/certs", "cyrillic.utf8")), my $out_pem = "out.pem"; ok(run(app(["openssl", "x509", "-text", "-in", $p12, "-out", $out_pem, "-passin", "pass:$p12pass"]))); - unlink $out_pem; + # not unlinking $out_pem } -SKIP: { - skip "EC disabled", 1 if disabled("ec"); - - # producing and checking self-issued (but not self-signed) cert - my @path = qw(test certs); - my $subj = "/CN=CA"; # using same DN as in issuer of ee-cert.pem - my $extfile = srctop_file("test", "v3_ca_exts.cnf"); - my $pkey = srctop_file(@path, "ca-key.pem"); # issuer private key - my $pubkey = "ca-pubkey.pem"; # the corresponding issuer public key - # use any (different) key for signing our self-issued cert: - my $signkey = srctop_file(@path, "ee-ecdsa-key.pem"); - my $selfout = "self-issued.out"; - my $testcert = srctop_file(@path, "ee-cert.pem"); - ok(run(app(["openssl", "pkey", "-in", $pkey, "-pubout", "-out", $pubkey])) - && - run(app(["openssl", "x509", "-new", "-force_pubkey", $pubkey, - "-subj", $subj, "-extfile", $extfile, - "-signkey", $signkey, "-out", $selfout])) - && - run(app(["openssl", "verify", "-no_check_time", - "-trusted", $selfout, "-partial_chain", $testcert]))); - unlink $pubkey; - unlink $selfout; -} +# producing and checking self-issued (but not self-signed) cert +my $subj = "/CN=CA"; # using same DN as in issuer of ee-cert.pem +my $extfile = srctop_file("test", "v3_ca_exts.cnf"); +my $pkey = srctop_file(@certs, "ca-key.pem"); # issuer private key +my $pubkey = "ca-pubkey.pem"; # the corresponding issuer public key +# use any (different) key for signing our self-issued cert: +my $signkey = srctop_file(@certs, "serverkey.pem"); +my $selfout = "self-issued.out"; +my $testcert = srctop_file(@certs, "ee-cert.pem"); +ok(run(app(["openssl", "pkey", "-in", $pkey, "-pubout", "-out", $pubkey])) +&& run(app(["openssl", "x509", "-new", "-force_pubkey", $pubkey, + "-subj", $subj, "-extfile", $extfile, + "-signkey", $signkey, "-out", $selfout])) +&& run(app(["openssl", "verify", "-no_check_time", + "-trusted", $selfout, "-partial_chain", $testcert]))); +# not unlinking $pubkey +# not unlinking $selfout subtest 'x509 -- x.509 v1 certificate' => sub { tconversion( -type => 'x509', -prefix => 'x509v1', - -in => srctop_file("test","testx509.pem") ); + -in => srctop_file("test", "testx509.pem") ); }; subtest 'x509 -- first x.509 v3 certificate' => sub { tconversion( -type => 'x509', -prefix => 'x509v3-1', - -in => srctop_file("test","v3-cert1.pem") ); + -in => srctop_file("test", "v3-cert1.pem") ); }; subtest 'x509 -- second x.509 v3 certificate' => sub { tconversion( -type => 'x509', -prefix => 'x509v3-2', - -in => srctop_file("test","v3-cert2.pem") ); + -in => srctop_file("test", "v3-cert2.pem") ); }; subtest 'x509 -- pathlen' => sub { - ok(run(test(["v3ext", srctop_file("test/certs", "pathlen.pem")]))); + ok(run(test(["v3ext", srctop_file(@certs, "pathlen.pem")]))); }; cert_contains(srctop_file(@certs, "fake-gp.pem"), @@ -95,7 +88,7 @@ cert_contains(srctop_file(@certs, "fake-gp.pem"), sub test_errors { # actually tests diagnostics of OSSL_STORE my ($expected, $cert, @opts) = @_; - my $infile = srctop_file('test', 'certs', $cert); + my $infile = srctop_file(@certs, $cert); my @args = qw(openssl x509 -in); push(@args, $infile, @opts); my $tmpfile = 'out.txt'; diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index 05b940ca8e..f6fb87bce5 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t @@ -17,7 +17,7 @@ use OpenSSL::Test qw/:DEFAULT with bldtop_file bldtop_dir srctop_file srctop_dir use OpenSSL::Test::Utils; BEGIN { -setup("test_ssl"); +setup("test_ssl_old"); } use lib srctop_dir('Configurations'); @@ -103,15 +103,15 @@ subtest 'test_ss' => sub { } }; -note('test_ssl -- key U'); +note('test_ssl_old -- key U'); my $configfile = srctop_file("test","default-and-legacy.cnf"); if (disabled("legacy")) { $configfile = srctop_file("test","default.cnf"); } -testssl("keyU.ss", $Ucert, $CAcert, "default", $configfile); +testssl($Ukey, $Ucert, $CAcert, "default", $configfile); unless ($no_fips) { - testssl("keyU.ss", $Ucert, $CAcert, "fips", + testssl($Ukey, $Ucert, $CAcert, "fips", srctop_file("test","fips-and-base.cnf")); } From tmraz at fedoraproject.org Wed Jan 20 16:13:17 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Wed, 20 Jan 2021 16:13:17 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1611159197.054620.22907.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 69b3a65adeb1a997b1d5c7f28cda45c543de956d (commit) from a83690c0b61e342f35a9583868b74e7ff6023101 (commit) - Log ----------------------------------------------------------------- commit 69b3a65adeb1a997b1d5c7f28cda45c543de956d Author: Tomas Mraz Date: Tue Jan 19 14:56:16 2021 +0100 Fix regression in no-deprecated build Also add a new no-deprecated CI build to test it. Fixes #13896 Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/13902) ----------------------------------------------------------------------- Summary of changes: .github/workflows/ci.yml | 11 +++++++++++ test/verify_extra_test.c | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a4565e5499..ce40b5104a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -70,6 +70,17 @@ jobs: - name: make test run: make test + no-deprecated: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout at v2 + - name: config + run: ./config --strict-warnings no-deprecated && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: make test + run: make test + sanitizers: runs-on: ubuntu-latest steps: diff --git a/test/verify_extra_test.c b/test/verify_extra_test.c index 94faa4c78b..18f785ab8b 100644 --- a/test/verify_extra_test.c +++ b/test/verify_extra_test.c @@ -200,7 +200,7 @@ static int test_self_signed(const char *filename, int expected) ret = TEST_ptr(cert) && TEST_true(sk_X509_push(trusted, cert)) && TEST_true(X509_STORE_CTX_init(ctx, NULL, cert, NULL)); - X509_STORE_CTX_trusted_stack(ctx, trusted); + X509_STORE_CTX_set0_trusted_stack(ctx, trusted); ret = ret && TEST_int_eq(X509_verify_cert(ctx), expected); X509_STORE_CTX_free(ctx); From tmraz at fedoraproject.org Wed Jan 20 16:16:57 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Wed, 20 Jan 2021 16:16:57 +0000 Subject: [openssl] master update Message-ID: <1611159417.049514.24861.nullmailer@dev.openssl.org> The branch master has been updated via 53d650d1f3b34188a86409def4d086974b301cef (commit) from d8ab30be9cc4d4e77008d4037e696bc41ce293f8 (commit) - Log ----------------------------------------------------------------- commit 53d650d1f3b34188a86409def4d086974b301cef Author: Tomas Mraz Date: Tue Jan 19 13:58:34 2021 +0100 ec_kmgmt.c: OSSL_PKEY_PARAM_DEFAULT_DIGEST is gettable param for EC/SM2 keys Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13901) ----------------------------------------------------------------------- Summary of changes: providers/implementations/keymgmt/ec_kmgmt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c index ac7094490e..8775622a01 100644 --- a/providers/implementations/keymgmt/ec_kmgmt.c +++ b/providers/implementations/keymgmt/ec_kmgmt.c @@ -706,6 +706,7 @@ static const OSSL_PARAM ec_known_gettable_params[] = { OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL), OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL), OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL), + OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_DEFAULT_DIGEST, NULL, 0), OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0), EC_IMEXPORTABLE_DOM_PARAMETERS, EC2M_GETTABLE_DOM_PARAMS @@ -770,6 +771,7 @@ static const OSSL_PARAM sm2_known_gettable_params[] = { OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL), OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL), OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL), + OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_DEFAULT_DIGEST, NULL, 0), OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0), EC_IMEXPORTABLE_DOM_PARAMETERS, EC_IMEXPORTABLE_PUBLIC_KEY, From matt at openssl.org Wed Jan 20 16:26:34 2021 From: matt at openssl.org (Matt Caswell) Date: Wed, 20 Jan 2021 16:26:34 +0000 Subject: [openssl] master update Message-ID: <1611159994.077201.27734.nullmailer@dev.openssl.org> The branch master has been updated via 5b57aa24c35f78cc11aa91586bc8e8826c2ece5a (commit) from 53d650d1f3b34188a86409def4d086974b301cef (commit) - Log ----------------------------------------------------------------- commit 5b57aa24c35f78cc11aa91586bc8e8826c2ece5a Author: Matt Caswell Date: Wed Jan 6 17:03:44 2021 +0000 Ensure SRP BN_mod_exp follows the constant time path SRP_Calc_client_key calls BN_mod_exp with private data. However it was not setting BN_FLG_CONSTTIME and therefore not using the constant time implementation. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this issue. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13888) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 15 ++++++++++++++- crypto/srp/srp_lib.c | 11 ++++++++--- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 8ae1c7470a..a298a0590c 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1395,7 +1395,20 @@ OpenSSL 3.0 OpenSSL 1.1.1 ------------- -### Changes between 1.1.1h and 1.1.1i [xx XXX xxxx] +### Changes between 1.1.1i and 1.1.1j [xx XXX xxxx] + + * Fixed SRP_Calc_client_key so that it uses constant time. The previous + implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This + could be exploited in a side channel attack to recover the password. Since + the attack is local host only this is outside of the current OpenSSL + threat model and therefore no CVE is assigned. + + Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this + issue. + + *Matt Caswell* + +### Changes between 1.1.1h and 1.1.1i [8 Dec 2020] * Fixed NULL pointer deref in the GENERAL_NAME_cmp function This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME. diff --git a/crypto/srp/srp_lib.c b/crypto/srp/srp_lib.c index 092cc159aa..39113d53ec 100644 --- a/crypto/srp/srp_lib.c +++ b/crypto/srp/srp_lib.c @@ -211,6 +211,7 @@ BIGNUM *SRP_Calc_client_key_ex(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g OSSL_LIB_CTX *libctx, const char *propq) { BIGNUM *tmp = NULL, *tmp2 = NULL, *tmp3 = NULL, *k = NULL, *K = NULL; + BIGNUM *xtmp = NULL; BN_CTX *bn_ctx; if (u == NULL || B == NULL || N == NULL || g == NULL || x == NULL @@ -219,10 +220,13 @@ BIGNUM *SRP_Calc_client_key_ex(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g if ((tmp = BN_new()) == NULL || (tmp2 = BN_new()) == NULL || - (tmp3 = BN_new()) == NULL) + (tmp3 = BN_new()) == NULL || + (xtmp = BN_new()) == NULL) goto err; - if (!BN_mod_exp(tmp, g, x, N, bn_ctx)) + BN_with_flags(xtmp, x, BN_FLG_CONSTTIME); + BN_set_flags(tmp, BN_FLG_CONSTTIME); + if (!BN_mod_exp(tmp, g, xtmp, N, bn_ctx)) goto err; if ((k = srp_Calc_k(N, g, libctx, propq)) == NULL) goto err; @@ -230,7 +234,7 @@ BIGNUM *SRP_Calc_client_key_ex(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g goto err; if (!BN_mod_sub(tmp, B, tmp2, N, bn_ctx)) goto err; - if (!BN_mul(tmp3, u, x, bn_ctx)) + if (!BN_mul(tmp3, u, xtmp, bn_ctx)) goto err; if (!BN_add(tmp2, a, tmp3)) goto err; @@ -242,6 +246,7 @@ BIGNUM *SRP_Calc_client_key_ex(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g err: BN_CTX_free(bn_ctx); + BN_free(xtmp); BN_clear_free(tmp); BN_clear_free(tmp2); BN_clear_free(tmp3); From matt at openssl.org Wed Jan 20 16:27:14 2021 From: matt at openssl.org (Matt Caswell) Date: Wed, 20 Jan 2021 16:27:14 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1611160034.238434.28914.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 0a31723a158592d3271585bd02e627cc19a1c772 (commit) from 69b3a65adeb1a997b1d5c7f28cda45c543de956d (commit) - Log ----------------------------------------------------------------- commit 0a31723a158592d3271585bd02e627cc19a1c772 Author: Matt Caswell Date: Wed Jan 6 17:03:44 2021 +0000 Ensure SRP BN_mod_exp follows the constant time path SRP_Calc_client_key calls BN_mod_exp with private data. However it was not setting BN_FLG_CONSTTIME and therefore not using the constant time implementation. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this issue. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13889) ----------------------------------------------------------------------- Summary of changes: CHANGES | 10 +++++++++- crypto/srp/srp_lib.c | 11 ++++++++--- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 75b9cec4b1..ba224c45cd 100644 --- a/CHANGES +++ b/CHANGES @@ -9,7 +9,15 @@ Changes between 1.1.1i and 1.1.1j [xx XXX xxxx] - *) + *) Fixed SRP_Calc_client_key so that it uses constant time. The previous + implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This + could be exploited in a side channel attack to recover the password. Since + the attack is local host only this is outside of the current OpenSSL + threat model and therefore no CVE is assigned. + + Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this + issue. + [Matt Caswell] Changes between 1.1.1h and 1.1.1i [8 Dec 2020] diff --git a/crypto/srp/srp_lib.c b/crypto/srp/srp_lib.c index 4f417de0c9..0cefbfa910 100644 --- a/crypto/srp/srp_lib.c +++ b/crypto/srp/srp_lib.c @@ -177,6 +177,7 @@ BIGNUM *SRP_Calc_client_key(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g, const BIGNUM *x, const BIGNUM *a, const BIGNUM *u) { BIGNUM *tmp = NULL, *tmp2 = NULL, *tmp3 = NULL, *k = NULL, *K = NULL; + BIGNUM *xtmp = NULL; BN_CTX *bn_ctx; if (u == NULL || B == NULL || N == NULL || g == NULL || x == NULL @@ -185,10 +186,13 @@ BIGNUM *SRP_Calc_client_key(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g, if ((tmp = BN_new()) == NULL || (tmp2 = BN_new()) == NULL || - (tmp3 = BN_new()) == NULL) + (tmp3 = BN_new()) == NULL || + (xtmp = BN_new()) == NULL) goto err; - if (!BN_mod_exp(tmp, g, x, N, bn_ctx)) + BN_with_flags(xtmp, x, BN_FLG_CONSTTIME); + BN_set_flags(tmp, BN_FLG_CONSTTIME); + if (!BN_mod_exp(tmp, g, xtmp, N, bn_ctx)) goto err; if ((k = srp_Calc_k(N, g)) == NULL) goto err; @@ -196,7 +200,7 @@ BIGNUM *SRP_Calc_client_key(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g, goto err; if (!BN_mod_sub(tmp, B, tmp2, N, bn_ctx)) goto err; - if (!BN_mul(tmp3, u, x, bn_ctx)) + if (!BN_mul(tmp3, u, xtmp, bn_ctx)) goto err; if (!BN_add(tmp2, a, tmp3)) goto err; @@ -208,6 +212,7 @@ BIGNUM *SRP_Calc_client_key(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g, err: BN_CTX_free(bn_ctx); + BN_free(xtmp); BN_clear_free(tmp); BN_clear_free(tmp2); BN_clear_free(tmp3); From tmraz at fedoraproject.org Wed Jan 20 17:05:53 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Wed, 20 Jan 2021 17:05:53 +0000 Subject: [openssl] master update Message-ID: <1611162353.275773.25420.nullmailer@dev.openssl.org> The branch master has been updated via 3aa7212e0a4fd1533c8a28b8587dd8b022f3a66f (commit) from 5b57aa24c35f78cc11aa91586bc8e8826c2ece5a (commit) - Log ----------------------------------------------------------------- commit 3aa7212e0a4fd1533c8a28b8587dd8b022f3a66f Author: Vadim Fedorenko Date: Sun Nov 22 10:02:31 2020 +0000 ktls: Initial support for ChaCha20-Poly1305 Linux kernel is going to support ChaCha20-Poly1305 in TLS offload. Add support for this cipher. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13475) ----------------------------------------------------------------------- Summary of changes: include/internal/ktls.h | 8 ++++++++ ssl/ktls.c | 21 ++++++++++++++++++++- 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/include/internal/ktls.h b/include/internal/ktls.h index fd439b5718..cf2c813bbc 100644 --- a/include/internal/ktls.h +++ b/include/internal/ktls.h @@ -222,6 +222,11 @@ static ossl_inline ossl_ssize_t ktls_sendfile(int s, int fd, off_t off, # define OPENSSL_KTLS_TLS13 # if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0) # define OPENSSL_KTLS_AES_CCM_128 +# if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0) +# ifndef OPENSSL_NO_CHACHA +# define OPENSSL_KTLS_CHACHA20_POLY1305 +# endif +# endif # endif # endif @@ -254,6 +259,9 @@ struct tls_crypto_info_all { # endif # ifdef OPENSSL_KTLS_AES_CCM_128 struct tls12_crypto_info_aes_ccm_128 ccm128; +# endif +# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 + struct tls12_crypto_info_chacha20_poly1305 chacha20poly1305; # endif }; size_t tls_crypto_info_len; diff --git a/ssl/ktls.c b/ssl/ktls.c index dc5bb2bbc3..da42084928 100644 --- a/ssl/ktls.c +++ b/ssl/ktls.c @@ -126,7 +126,9 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, return 0; } - /* check that cipher is AES_GCM_128, AES_GCM_256, AES_CCM_128 */ + /* check that cipher is AES_GCM_128, AES_GCM_256, AES_CCM_128 + * or Chacha20-Poly1305 + */ switch (EVP_CIPHER_nid(c)) { # ifdef OPENSSL_KTLS_AES_CCM_128 @@ -139,6 +141,9 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, # endif # ifdef OPENSSL_KTLS_AES_GCM_256 case NID_aes_256_gcm: +# endif +# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 + case NID_chacha20_poly1305: # endif return 1; default: @@ -212,6 +217,20 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, if (rec_seq != NULL) *rec_seq = crypto_info->ccm128.rec_seq; return 1; +# endif +# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 + case NID_chacha20_poly1305: + crypto_info->chacha20poly1305.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305; + crypto_info->chacha20poly1305.info.version = s->version; + crypto_info->tls_crypto_info_len = sizeof(crypto_info->chacha20poly1305); + memcpy(crypto_info->chacha20poly1305.iv, iiv, + TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); + memcpy(crypto_info->chacha20poly1305.key, key, EVP_CIPHER_key_length(c)); + memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence, + TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); + if (rec_seq != NULL) + *rec_seq = crypto_info->chacha20poly1305.rec_seq; + return 1; # endif default: return 0; From no-reply at appveyor.com Thu Jan 21 01:02:44 2021 From: no-reply at appveyor.com (AppVeyor) Date: Thu, 21 Jan 2021 01:02:44 +0000 Subject: Build failed: openssl master.39293 Message-ID: <20210121010244.1.E060411C7D79FF66@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Thu Jan 21 01:09:45 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 21 Jan 2021 01:09:45 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm Message-ID: <1611191385.499820.4091464.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-asm Commit log since last time: 3aa7212e0a ktls: Initial support for ChaCha20-Poly1305 5b57aa24c3 Ensure SRP BN_mod_exp follows the constant time path 53d650d1f3 ec_kmgmt.c: OSSL_PKEY_PARAM_DEFAULT_DIGEST is gettable param for EC/SM2 keys d8ab30be9c X509v3_get_ext_by_NID.pod: Add warning on counter-intuitive behavior of X509v3_delete_ext() etc. 05458fdb73 apps/x509.c: Make -x509toreq respect -clrext, -sigopt, and -extfile options b9fbacaa7b apps/x509.c: Add -copy_extensions option, used when transforming x509 <-> req 1d1d23128f 80-test_ssl_old.t: Minor corrections: update name of test dir etc. 03f4e3ded6 apps.c: Clean up copy_extensions() 2367238ced X509_REQ_print_ex(): Correct indentation of extensions, which are attributes db6a47b10d X509_REQ_print_ex(): Replace weird 'a0:00' output on empty attributes by '(none)' 743975c7e5 constify X509_REQ_add_extensions() and X509_REQ_add_extensions_nid() b24cfd6bf4 apps/x509.c: Major code, user guidance, and documentation cleanup 7c5237e1d7 apps/x509.c: Take the -signkey arg as default pubkey with -new 49b36afb0b 25-test_x509.t: Make test case w.r.t. self-issued cert run also without EC enabled abc4439c92 25-test_x509.t: Minor update: factor out path for test input files 8cadc51706 25-test_x509.t: Minor update: do not anymore unlink test output files 63162e3d55 X509: Enable printing cert even with invalid validity times, saying 'Bad time value' b09aa550d3 ASN1_TIME_print() etc.: Improve doc and add comment on handling invalid time input 9495cfbc22 make various test CA certs RFC 5280 compliant w.r.t. X509 extensions 3d63348a87 apps/genpkey.c: Use PEM_read_bio_Parameters_ex when reading parameters ac6ea3a7c5 test-gendsa: Add test cases with FIPS provider 07b6068d24 x509_vfy.c: Rename CHECK_CB() to the more intuitively readable CB_FAIL_IF() 3e878d924f Remove pkey_downgrade from PKCS7 code c972577684 util/check-format.pl: Minor improvements of whitespace checks 83b6dc8dc7 Deprecate OCSP_xxx API for OSSL_HTTP_xxx fee0af0863 DOCS: Fix the last few remaining pass phrase options references 47b784a41b Fix memory leak in mac_newctx() on error 038f4dc68e Fix PKCS7 potential segfault 84af8027c5 CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**. 0d83b7b903 Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity 3aff5b4bac Update SERVER_HELLO_MAX_LENGTH Build log ended with (last 100 lines): 20-test_cli_fips.t ................. ok 20-test_dgst.t ..................... ok 20-test_dhparam.t .................. ok 20-test_enc.t ...................... ok 20-test_enc_more.t ................. ok 20-test_kdf.t ...................... ok 20-test_mac.t ...................... ok 20-test_passwd.t ................... ok 20-test_pkeyutl.t .................. ok 20-test_rand_config.t .............. ok 25-test_crl.t ...................... ok 25-test_d2i.t ...................... ok 25-test_eai_data.t ................. ok 25-test_pkcs7.t .................... ok 25-test_req.t ...................... ok 25-test_rusext.t ................... ok 25-test_sid.t ...................... ok 25-test_verify.t ................... ok 25-test_verify_store.t ............. ok 25-test_x509.t ..................... ok 30-test_acvp.t ..................... ok 30-test_aesgcm.t ................... ok 30-test_afalg.t .................... ok 30-test_defltfips.t ................ ok 30-test_engine.t ................... ok 30-test_evp.t ...................... ok 30-test_evp_extra.t ................ ok 30-test_evp_fetch_prov.t ........... ok 30-test_evp_kdf.t .................. ok 30-test_evp_libctx.t ............... ok 30-test_evp_pkey_dparam.t .......... ok 30-test_evp_pkey_provided.t ........ ok 30-test_pbelu.t .................... ok 30-test_pkey_meth.t ................ ok 30-test_pkey_meth_kdf.t ............ ok 30-test_provider_status.t .......... ok 40-test_rehash.t ................... ok 60-test_x509_check_cert_pkey.t ..... ok 60-test_x509_dup_cert.t ............ ok 60-test_x509_store.t ............... ok 60-test_x509_time.t ................ ok 61-test_bio_prefix.t ............... ok 65-test_cmp_asn.t .................. ok 65-test_cmp_client.t ............... ok 65-test_cmp_ctx.t .................. ok 65-test_cmp_hdr.t .................. ok 65-test_cmp_msg.t .................. ok 65-test_cmp_protect.t .............. ok 65-test_cmp_server.t ............... ok 65-test_cmp_status.t ............... ok 65-test_cmp_vfy.t .................. ok 66-test_ossl_store.t ............... ok 70-test_asyncio.t .................. ok 70-test_bad_dtls.t ................. ok 70-test_clienthello.t .............. ok 70-test_comp.t ..................... ok 70-test_key_share.t ................ ok 70-test_packet.t ................... ok 70-test_recordlen.t ................ ok 70-test_renegotiation.t ............ ok 70-test_servername.t ............... ok 70-test_sslcbcpadding.t ............ ok 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok make[1]: *** [Makefile:3254: _tests] Terminated From openssl at openssl.org Thu Jan 21 01:57:23 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 21 Jan 2021 01:57:23 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit Message-ID: <1611194243.736394.7098.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: 3aa7212e0a ktls: Initial support for ChaCha20-Poly1305 5b57aa24c3 Ensure SRP BN_mod_exp follows the constant time path 53d650d1f3 ec_kmgmt.c: OSSL_PKEY_PARAM_DEFAULT_DIGEST is gettable param for EC/SM2 keys d8ab30be9c X509v3_get_ext_by_NID.pod: Add warning on counter-intuitive behavior of X509v3_delete_ext() etc. 05458fdb73 apps/x509.c: Make -x509toreq respect -clrext, -sigopt, and -extfile options b9fbacaa7b apps/x509.c: Add -copy_extensions option, used when transforming x509 <-> req 1d1d23128f 80-test_ssl_old.t: Minor corrections: update name of test dir etc. 03f4e3ded6 apps.c: Clean up copy_extensions() 2367238ced X509_REQ_print_ex(): Correct indentation of extensions, which are attributes db6a47b10d X509_REQ_print_ex(): Replace weird 'a0:00' output on empty attributes by '(none)' 743975c7e5 constify X509_REQ_add_extensions() and X509_REQ_add_extensions_nid() b24cfd6bf4 apps/x509.c: Major code, user guidance, and documentation cleanup 7c5237e1d7 apps/x509.c: Take the -signkey arg as default pubkey with -new 49b36afb0b 25-test_x509.t: Make test case w.r.t. self-issued cert run also without EC enabled abc4439c92 25-test_x509.t: Minor update: factor out path for test input files 8cadc51706 25-test_x509.t: Minor update: do not anymore unlink test output files 63162e3d55 X509: Enable printing cert even with invalid validity times, saying 'Bad time value' b09aa550d3 ASN1_TIME_print() etc.: Improve doc and add comment on handling invalid time input 9495cfbc22 make various test CA certs RFC 5280 compliant w.r.t. X509 extensions 3d63348a87 apps/genpkey.c: Use PEM_read_bio_Parameters_ex when reading parameters ac6ea3a7c5 test-gendsa: Add test cases with FIPS provider 07b6068d24 x509_vfy.c: Rename CHECK_CB() to the more intuitively readable CB_FAIL_IF() 3e878d924f Remove pkey_downgrade from PKCS7 code c972577684 util/check-format.pl: Minor improvements of whitespace checks 83b6dc8dc7 Deprecate OCSP_xxx API for OSSL_HTTP_xxx fee0af0863 DOCS: Fix the last few remaining pass phrase options references 47b784a41b Fix memory leak in mac_newctx() on error 038f4dc68e Fix PKCS7 potential segfault 84af8027c5 CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**. 0d83b7b903 Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity 3aff5b4bac Update SERVER_HELLO_MAX_LENGTH Build log ended with (last 100 lines): 70-test_sslcbcpadding.t ............ ok 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 04-test_err.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=228, Tests=3460, 800 wallclock secs (13.20 usr 1.30 sys + 716.24 cusr 78.98 csys = 809.72 CPU) Result: FAIL make[1]: *** [Makefile:3251: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-autoerrinit' make: *** [Makefile:3248: tests] Error 2 From openssl at openssl.org Thu Jan 21 07:39:30 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 21 Jan 2021 07:39:30 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des Message-ID: <1611214770.192598.715913.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: 3aa7212e0a ktls: Initial support for ChaCha20-Poly1305 5b57aa24c3 Ensure SRP BN_mod_exp follows the constant time path 53d650d1f3 ec_kmgmt.c: OSSL_PKEY_PARAM_DEFAULT_DIGEST is gettable param for EC/SM2 keys d8ab30be9c X509v3_get_ext_by_NID.pod: Add warning on counter-intuitive behavior of X509v3_delete_ext() etc. 05458fdb73 apps/x509.c: Make -x509toreq respect -clrext, -sigopt, and -extfile options b9fbacaa7b apps/x509.c: Add -copy_extensions option, used when transforming x509 <-> req 1d1d23128f 80-test_ssl_old.t: Minor corrections: update name of test dir etc. 03f4e3ded6 apps.c: Clean up copy_extensions() 2367238ced X509_REQ_print_ex(): Correct indentation of extensions, which are attributes db6a47b10d X509_REQ_print_ex(): Replace weird 'a0:00' output on empty attributes by '(none)' 743975c7e5 constify X509_REQ_add_extensions() and X509_REQ_add_extensions_nid() b24cfd6bf4 apps/x509.c: Major code, user guidance, and documentation cleanup 7c5237e1d7 apps/x509.c: Take the -signkey arg as default pubkey with -new 49b36afb0b 25-test_x509.t: Make test case w.r.t. self-issued cert run also without EC enabled abc4439c92 25-test_x509.t: Minor update: factor out path for test input files 8cadc51706 25-test_x509.t: Minor update: do not anymore unlink test output files 63162e3d55 X509: Enable printing cert even with invalid validity times, saying 'Bad time value' b09aa550d3 ASN1_TIME_print() etc.: Improve doc and add comment on handling invalid time input 9495cfbc22 make various test CA certs RFC 5280 compliant w.r.t. X509 extensions 3d63348a87 apps/genpkey.c: Use PEM_read_bio_Parameters_ex when reading parameters ac6ea3a7c5 test-gendsa: Add test cases with FIPS provider 07b6068d24 x509_vfy.c: Rename CHECK_CB() to the more intuitively readable CB_FAIL_IF() 3e878d924f Remove pkey_downgrade from PKCS7 code c972577684 util/check-format.pl: Minor improvements of whitespace checks 83b6dc8dc7 Deprecate OCSP_xxx API for OSSL_HTTP_xxx fee0af0863 DOCS: Fix the last few remaining pass phrase options references 47b784a41b Fix memory leak in mac_newctx() on error 038f4dc68e Fix PKCS7 potential segfault 84af8027c5 CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**. 0d83b7b903 Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity 3aff5b4bac Update SERVER_HELLO_MAX_LENGTH Build log ended with (last 100 lines): 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 30-test_evp.t (Wstat: 512 Tests: 90 Failed: 2) Failed tests: 14, 40 Non-zero exit status: 2 30-test_evp_kdf.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=228, Tests=3462, 858 wallclock secs (14.10 usr 1.87 sys + 759.56 cusr 81.61 csys = 857.14 CPU) Result: FAIL make[1]: *** [Makefile:3202: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-des' make: *** [Makefile:3199: tests] Error 2 From openssl at openssl.org Thu Jan 21 08:07:23 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 21 Jan 2021 08:07:23 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dh Message-ID: <1611216443.358954.781045.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dh Commit log since last time: 3aa7212e0a ktls: Initial support for ChaCha20-Poly1305 5b57aa24c3 Ensure SRP BN_mod_exp follows the constant time path 53d650d1f3 ec_kmgmt.c: OSSL_PKEY_PARAM_DEFAULT_DIGEST is gettable param for EC/SM2 keys d8ab30be9c X509v3_get_ext_by_NID.pod: Add warning on counter-intuitive behavior of X509v3_delete_ext() etc. 05458fdb73 apps/x509.c: Make -x509toreq respect -clrext, -sigopt, and -extfile options b9fbacaa7b apps/x509.c: Add -copy_extensions option, used when transforming x509 <-> req 1d1d23128f 80-test_ssl_old.t: Minor corrections: update name of test dir etc. 03f4e3ded6 apps.c: Clean up copy_extensions() 2367238ced X509_REQ_print_ex(): Correct indentation of extensions, which are attributes db6a47b10d X509_REQ_print_ex(): Replace weird 'a0:00' output on empty attributes by '(none)' 743975c7e5 constify X509_REQ_add_extensions() and X509_REQ_add_extensions_nid() b24cfd6bf4 apps/x509.c: Major code, user guidance, and documentation cleanup 7c5237e1d7 apps/x509.c: Take the -signkey arg as default pubkey with -new 49b36afb0b 25-test_x509.t: Make test case w.r.t. self-issued cert run also without EC enabled abc4439c92 25-test_x509.t: Minor update: factor out path for test input files 8cadc51706 25-test_x509.t: Minor update: do not anymore unlink test output files 63162e3d55 X509: Enable printing cert even with invalid validity times, saying 'Bad time value' b09aa550d3 ASN1_TIME_print() etc.: Improve doc and add comment on handling invalid time input 9495cfbc22 make various test CA certs RFC 5280 compliant w.r.t. X509 extensions 3d63348a87 apps/genpkey.c: Use PEM_read_bio_Parameters_ex when reading parameters ac6ea3a7c5 test-gendsa: Add test cases with FIPS provider 07b6068d24 x509_vfy.c: Rename CHECK_CB() to the more intuitively readable CB_FAIL_IF() 3e878d924f Remove pkey_downgrade from PKCS7 code c972577684 util/check-format.pl: Minor improvements of whitespace checks 83b6dc8dc7 Deprecate OCSP_xxx API for OSSL_HTTP_xxx fee0af0863 DOCS: Fix the last few remaining pass phrase options references 47b784a41b Fix memory leak in mac_newctx() on error 038f4dc68e Fix PKCS7 potential segfault 84af8027c5 CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**. 0d83b7b903 Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity 3aff5b4bac Update SERVER_HELLO_MAX_LENGTH Build log ended with (last 100 lines): /usr/bin/perl ../openssl/test/generate_buildtest.pl md5 > test/buildtest_md5.c /usr/bin/perl ../openssl/test/generate_buildtest.pl mdc2 > test/buildtest_mdc2.c /usr/bin/perl ../openssl/test/generate_buildtest.pl modes > test/buildtest_modes.c /usr/bin/perl ../openssl/test/generate_buildtest.pl obj_mac > test/buildtest_obj_mac.c /usr/bin/perl ../openssl/test/generate_buildtest.pl objects > test/buildtest_objects.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ossl_typ > test/buildtest_ossl_typ.c /usr/bin/perl ../openssl/test/generate_buildtest.pl param_build > test/buildtest_param_build.c /usr/bin/perl ../openssl/test/generate_buildtest.pl params > test/buildtest_params.c /usr/bin/perl ../openssl/test/generate_buildtest.pl pem > test/buildtest_pem.c /usr/bin/perl ../openssl/test/generate_buildtest.pl pem2 > test/buildtest_pem2.c /usr/bin/perl ../openssl/test/generate_buildtest.pl provider > test/buildtest_provider.c /usr/bin/perl ../openssl/test/generate_buildtest.pl rand > test/buildtest_rand.c /usr/bin/perl ../openssl/test/generate_buildtest.pl rc2 > test/buildtest_rc2.c /usr/bin/perl ../openssl/test/generate_buildtest.pl rc4 > test/buildtest_rc4.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ripemd > test/buildtest_ripemd.c /usr/bin/perl ../openssl/test/generate_buildtest.pl rsa > test/buildtest_rsa.c /usr/bin/perl ../openssl/test/generate_buildtest.pl seed > test/buildtest_seed.c /usr/bin/perl ../openssl/test/generate_buildtest.pl self_test > test/buildtest_self_test.c /usr/bin/perl ../openssl/test/generate_buildtest.pl sha > test/buildtest_sha.c /usr/bin/perl ../openssl/test/generate_buildtest.pl srtp > test/buildtest_srtp.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ssl2 > test/buildtest_ssl2.c /usr/bin/perl ../openssl/test/generate_buildtest.pl sslerr_legacy > test/buildtest_sslerr_legacy.c /usr/bin/perl ../openssl/test/generate_buildtest.pl stack > test/buildtest_stack.c /usr/bin/perl ../openssl/test/generate_buildtest.pl store > test/buildtest_store.c /usr/bin/perl ../openssl/test/generate_buildtest.pl symhacks > test/buildtest_symhacks.c /usr/bin/perl ../openssl/test/generate_buildtest.pl tls1 > test/buildtest_tls1.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ts > test/buildtest_ts.c /usr/bin/perl ../openssl/test/generate_buildtest.pl txt_db > test/buildtest_txt_db.c /usr/bin/perl ../openssl/test/generate_buildtest.pl types > test/buildtest_types.c /usr/bin/perl ../openssl/test/generate_buildtest.pl whrlpool > test/buildtest_whrlpool.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/casttest-bin-casttest.d.tmp -MT test/casttest-bin-casttest.o -c -o test/casttest-bin-casttest.o ../openssl/test/casttest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/chacha_internal_test-bin-chacha_internal_test.d.tmp -MT test/chacha_internal_test-bin-chacha_internal_test.o -c -o test/chacha_internal_test-bin-chacha_internal_test.o ../openssl/test/chacha_internal_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cipher_overhead_test-bin-cipher_overhead_test.d.tmp -MT test/cipher_overhead_test-bin-cipher_overhead_test.o -c -o test/cipher_overhead_test-bin-cipher_overhead_test.o ../openssl/test/cipher_overhead_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cipherbytes_test-bin-cipherbytes_test.d.tmp -MT test/cipherbytes_test-bin-cipherbytes_test.o -c -o test/cipherbytes_test-bin-cipherbytes_test.o ../openssl/test/cipherbytes_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cipherlist_test-bin-cipherlist_test.d.tmp -MT test/cipherlist_test-bin-cipherlist_test.o -c -o test/cipherlist_test-bin-cipherlist_test.o ../openssl/test/cipherlist_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ciphername_test-bin-ciphername_test.d.tmp -MT test/ciphername_test-bin-ciphername_test.o -c -o test/ciphername_test-bin-ciphername_test.o ../openssl/test/ciphername_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/clienthellotest-bin-clienthellotest.d.tmp -MT test/clienthellotest-bin-clienthellotest.o -c -o test/clienthellotest-bin-clienthellotest.o ../openssl/test/clienthellotest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmactest-bin-cmactest.d.tmp -MT test/cmactest-bin-cmactest.o -c -o test/cmactest-bin-cmactest.o ../openssl/test/cmactest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_asn_test-bin-cmp_asn_test.d.tmp -MT test/cmp_asn_test-bin-cmp_asn_test.o -c -o test/cmp_asn_test-bin-cmp_asn_test.o ../openssl/test/cmp_asn_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_asn_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_asn_test-bin-cmp_testlib.o -c -o test/helpers/cmp_asn_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_client_test-bin-cmp_client_test.d.tmp -MT test/cmp_client_test-bin-cmp_client_test.o -c -o test/cmp_client_test-bin-cmp_client_test.o ../openssl/test/cmp_client_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_client_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_client_test-bin-cmp_testlib.o -c -o test/helpers/cmp_client_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_ctx_test-bin-cmp_ctx_test.d.tmp -MT test/cmp_ctx_test-bin-cmp_ctx_test.o -c -o test/cmp_ctx_test-bin-cmp_ctx_test.o ../openssl/test/cmp_ctx_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_ctx_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_ctx_test-bin-cmp_testlib.o -c -o test/helpers/cmp_ctx_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_hdr_test-bin-cmp_hdr_test.d.tmp -MT test/cmp_hdr_test-bin-cmp_hdr_test.o -c -o test/cmp_hdr_test-bin-cmp_hdr_test.o ../openssl/test/cmp_hdr_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_hdr_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_hdr_test-bin-cmp_testlib.o -c -o test/helpers/cmp_hdr_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_msg_test-bin-cmp_msg_test.d.tmp -MT test/cmp_msg_test-bin-cmp_msg_test.o -c -o test/cmp_msg_test-bin-cmp_msg_test.o ../openssl/test/cmp_msg_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_msg_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_msg_test-bin-cmp_testlib.o -c -o test/helpers/cmp_msg_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_protect_test-bin-cmp_protect_test.d.tmp -MT test/cmp_protect_test-bin-cmp_protect_test.o -c -o test/cmp_protect_test-bin-cmp_protect_test.o ../openssl/test/cmp_protect_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_protect_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_protect_test-bin-cmp_testlib.o -c -o test/helpers/cmp_protect_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_server_test-bin-cmp_server_test.d.tmp -MT test/cmp_server_test-bin-cmp_server_test.o -c -o test/cmp_server_test-bin-cmp_server_test.o ../openssl/test/cmp_server_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_server_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_server_test-bin-cmp_testlib.o -c -o test/helpers/cmp_server_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_status_test-bin-cmp_status_test.d.tmp -MT test/cmp_status_test-bin-cmp_status_test.o -c -o test/cmp_status_test-bin-cmp_status_test.o ../openssl/test/cmp_status_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_status_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_status_test-bin-cmp_testlib.o -c -o test/helpers/cmp_status_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_vfy_test-bin-cmp_vfy_test.d.tmp -MT test/cmp_vfy_test-bin-cmp_vfy_test.o -c -o test/cmp_vfy_test-bin-cmp_vfy_test.o ../openssl/test/cmp_vfy_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_vfy_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_vfy_test-bin-cmp_testlib.o -c -o test/helpers/cmp_vfy_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmsapitest-bin-cmsapitest.d.tmp -MT test/cmsapitest-bin-cmsapitest.o -c -o test/cmsapitest-bin-cmsapitest.o ../openssl/test/cmsapitest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/conf_include_test-bin-conf_include_test.d.tmp -MT test/conf_include_test-bin-conf_include_test.o -c -o test/conf_include_test-bin-conf_include_test.o ../openssl/test/conf_include_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/confdump-bin-confdump.d.tmp -MT test/confdump-bin-confdump.o -c -o test/confdump-bin-confdump.o ../openssl/test/confdump.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/constant_time_test-bin-constant_time_test.d.tmp -MT test/constant_time_test-bin-constant_time_test.o -c -o test/constant_time_test-bin-constant_time_test.o ../openssl/test/constant_time_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/context_internal_test-bin-context_internal_test.d.tmp -MT test/context_internal_test-bin-context_internal_test.o -c -o test/context_internal_test-bin-context_internal_test.o ../openssl/test/context_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/crltest-bin-crltest.d.tmp -MT test/crltest-bin-crltest.o -c -o test/crltest-bin-crltest.o ../openssl/test/crltest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ct_test-bin-ct_test.d.tmp -MT test/ct_test-bin-ct_test.o -c -o test/ct_test-bin-ct_test.o ../openssl/test/ct_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ctype_internal_test-bin-ctype_internal_test.d.tmp -MT test/ctype_internal_test-bin-ctype_internal_test.o -c -o test/ctype_internal_test-bin-ctype_internal_test.o ../openssl/test/ctype_internal_test.c clang -I. -Iinclude -Iapps/include -Icrypto/ec/curve448 -I../openssl -I../openssl/include -I../openssl/apps/include -I../openssl/crypto/ec/curve448 -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/curve448_internal_test-bin-curve448_internal_test.d.tmp -MT test/curve448_internal_test-bin-curve448_internal_test.o -c -o test/curve448_internal_test-bin-curve448_internal_test.o ../openssl/test/curve448_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/d2i_test-bin-d2i_test.d.tmp -MT test/d2i_test-bin-d2i_test.o -c -o test/d2i_test-bin-d2i_test.o ../openssl/test/d2i_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/danetest-bin-danetest.d.tmp -MT test/danetest-bin-danetest.o -c -o test/danetest-bin-danetest.o ../openssl/test/danetest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/defltfips_test-bin-defltfips_test.d.tmp -MT test/defltfips_test-bin-defltfips_test.o -c -o test/defltfips_test-bin-defltfips_test.o ../openssl/test/defltfips_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/destest-bin-destest.d.tmp -MT test/destest-bin-destest.o -c -o test/destest-bin-destest.o ../openssl/test/destest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dhtest-bin-dhtest.d.tmp -MT test/dhtest-bin-dhtest.o -c -o test/dhtest-bin-dhtest.o ../openssl/test/dhtest.c clang -Iinclude -Iapps/include -Iproviders/common/include -I../openssl/include -I../openssl/apps/include -I../openssl/providers/common/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/drbgtest-bin-drbgtest.d.tmp -MT test/drbgtest-bin-drbgtest.o -c -o test/drbgtest-bin-drbgtest.o ../openssl/test/drbgtest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.d.tmp -MT test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.o -c -o test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.o ../openssl/test/dsa_no_digest_size_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dsatest-bin-dsatest.d.tmp -MT test/dsatest-bin-dsatest.o -c -o test/dsatest-bin-dsatest.o ../openssl/test/dsatest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtls_mtu_test-bin-dtls_mtu_test.d.tmp -MT test/dtls_mtu_test-bin-dtls_mtu_test.o -c -o test/dtls_mtu_test-bin-dtls_mtu_test.o ../openssl/test/dtls_mtu_test.c clang -I. -Iinclude -I../openssl -I../openssl/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/dtls_mtu_test-bin-ssltestlib.d.tmp -MT test/helpers/dtls_mtu_test-bin-ssltestlib.o -c -o test/helpers/dtls_mtu_test-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtlstest-bin-dtlstest.d.tmp -MT test/dtlstest-bin-dtlstest.o -c -o test/dtlstest-bin-dtlstest.o ../openssl/test/dtlstest.c clang -I. -Iinclude -I../openssl -I../openssl/include -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/dtlstest-bin-ssltestlib.d.tmp -MT test/helpers/dtlstest-bin-ssltestlib.o -c -o test/helpers/dtlstest-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtlsv1listentest-bin-dtlsv1listentest.d.tmp -MT test/dtlsv1listentest-bin-dtlsv1listentest.o -c -o test/dtlsv1listentest-bin-dtlsv1listentest.o ../openssl/test/dtlsv1listentest.c clang -Iinclude -Icrypto/ec -Iapps/include -I../openssl/include -I../openssl/crypto/ec -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ec_internal_test-bin-ec_internal_test.d.tmp -MT test/ec_internal_test-bin-ec_internal_test.o -c -o test/ec_internal_test-bin-ec_internal_test.o ../openssl/test/ec_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ecdsatest-bin-ecdsatest.d.tmp -MT test/ecdsatest-bin-ecdsatest.o -c -o test/ecdsatest-bin-ecdsatest.o ../openssl/test/ecdsatest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ecstresstest-bin-ecstresstest.d.tmp -MT test/ecstresstest-bin-ecstresstest.o -c -o test/ecstresstest-bin-ecstresstest.o ../openssl/test/ecstresstest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ectest-bin-ectest.d.tmp -MT test/ectest-bin-ectest.o -c -o test/ectest-bin-ectest.o ../openssl/test/ectest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/endecode_test-bin-endecode_test.d.tmp -MT test/endecode_test-bin-endecode_test.o -c -o test/endecode_test-bin-endecode_test.o ../openssl/test/endecode_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/endecode_test-bin-predefined_dhparams.d.tmp -MT test/helpers/endecode_test-bin-predefined_dhparams.o -c -o test/helpers/endecode_test-bin-predefined_dhparams.o ../openssl/test/helpers/predefined_dhparams.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/endecoder_legacy_test-bin-endecoder_legacy_test.d.tmp -MT test/endecoder_legacy_test-bin-endecoder_legacy_test.o -c -o test/endecoder_legacy_test-bin-endecoder_legacy_test.o ../openssl/test/endecoder_legacy_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/enginetest-bin-enginetest.d.tmp -MT test/enginetest-bin-enginetest.o -c -o test/enginetest-bin-enginetest.o ../openssl/test/enginetest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/errtest-bin-errtest.d.tmp -MT test/errtest-bin-errtest.o -c -o test/errtest-bin-errtest.o ../openssl/test/errtest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_extra_test-bin-evp_extra_test.d.tmp -MT test/evp_extra_test-bin-evp_extra_test.o -c -o test/evp_extra_test-bin-evp_extra_test.o ../openssl/test/evp_extra_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_extra_test2-bin-evp_extra_test2.d.tmp -MT test/evp_extra_test2-bin-evp_extra_test2.o -c -o test/evp_extra_test2-bin-evp_extra_test2.o ../openssl/test/evp_extra_test2.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_fetch_prov_test-bin-evp_fetch_prov_test.d.tmp -MT test/evp_fetch_prov_test-bin-evp_fetch_prov_test.o -c -o test/evp_fetch_prov_test-bin-evp_fetch_prov_test.o ../openssl/test/evp_fetch_prov_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_kdf_test-bin-evp_kdf_test.d.tmp -MT test/evp_kdf_test-bin-evp_kdf_test.o -c -o test/evp_kdf_test-bin-evp_kdf_test.o ../openssl/test/evp_kdf_test.c ../openssl/test/evp_extra_test.c:1857:12: error: implicit declaration of function 'test_EVP_PKEY_ffc_priv_pub' is invalid in C99 [-Werror,-Wimplicit-function-declaration] return test_EVP_PKEY_ffc_priv_pub("DSA"); ^ clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_libctx_test-bin-evp_libctx_test.d.tmp -MT test/evp_libctx_test-bin-evp_libctx_test.o -c -o test/evp_libctx_test-bin-evp_libctx_test.o ../openssl/test/evp_libctx_test.c 1 error generated. make[1]: *** [Makefile:26267: test/evp_extra_test-bin-evp_extra_test.o] Error 1 make[1]: *** Waiting for unfinished jobs.... make[1]: Leaving directory '/home/openssl/run-checker/no-dh' make: *** [Makefile:3201: build_sw] Error 2 From openssl at openssl.org Thu Jan 21 08:10:48 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 21 Jan 2021 08:10:48 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dsa Message-ID: <1611216648.271015.794105.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dsa Commit log since last time: 3aa7212e0a ktls: Initial support for ChaCha20-Poly1305 5b57aa24c3 Ensure SRP BN_mod_exp follows the constant time path 53d650d1f3 ec_kmgmt.c: OSSL_PKEY_PARAM_DEFAULT_DIGEST is gettable param for EC/SM2 keys d8ab30be9c X509v3_get_ext_by_NID.pod: Add warning on counter-intuitive behavior of X509v3_delete_ext() etc. 05458fdb73 apps/x509.c: Make -x509toreq respect -clrext, -sigopt, and -extfile options b9fbacaa7b apps/x509.c: Add -copy_extensions option, used when transforming x509 <-> req 1d1d23128f 80-test_ssl_old.t: Minor corrections: update name of test dir etc. 03f4e3ded6 apps.c: Clean up copy_extensions() 2367238ced X509_REQ_print_ex(): Correct indentation of extensions, which are attributes db6a47b10d X509_REQ_print_ex(): Replace weird 'a0:00' output on empty attributes by '(none)' 743975c7e5 constify X509_REQ_add_extensions() and X509_REQ_add_extensions_nid() b24cfd6bf4 apps/x509.c: Major code, user guidance, and documentation cleanup 7c5237e1d7 apps/x509.c: Take the -signkey arg as default pubkey with -new 49b36afb0b 25-test_x509.t: Make test case w.r.t. self-issued cert run also without EC enabled abc4439c92 25-test_x509.t: Minor update: factor out path for test input files 8cadc51706 25-test_x509.t: Minor update: do not anymore unlink test output files 63162e3d55 X509: Enable printing cert even with invalid validity times, saying 'Bad time value' b09aa550d3 ASN1_TIME_print() etc.: Improve doc and add comment on handling invalid time input 9495cfbc22 make various test CA certs RFC 5280 compliant w.r.t. X509 extensions 3d63348a87 apps/genpkey.c: Use PEM_read_bio_Parameters_ex when reading parameters ac6ea3a7c5 test-gendsa: Add test cases with FIPS provider 07b6068d24 x509_vfy.c: Rename CHECK_CB() to the more intuitively readable CB_FAIL_IF() 3e878d924f Remove pkey_downgrade from PKCS7 code c972577684 util/check-format.pl: Minor improvements of whitespace checks 83b6dc8dc7 Deprecate OCSP_xxx API for OSSL_HTTP_xxx fee0af0863 DOCS: Fix the last few remaining pass phrase options references 47b784a41b Fix memory leak in mac_newctx() on error 038f4dc68e Fix PKCS7 potential segfault 84af8027c5 CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**. 0d83b7b903 Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity 3aff5b4bac Update SERVER_HELLO_MAX_LENGTH Build log ended with (last 100 lines): /usr/bin/perl ../openssl/test/generate_buildtest.pl md4 > test/buildtest_md4.c /usr/bin/perl ../openssl/test/generate_buildtest.pl md5 > test/buildtest_md5.c /usr/bin/perl ../openssl/test/generate_buildtest.pl mdc2 > test/buildtest_mdc2.c /usr/bin/perl ../openssl/test/generate_buildtest.pl modes > test/buildtest_modes.c /usr/bin/perl ../openssl/test/generate_buildtest.pl obj_mac > test/buildtest_obj_mac.c /usr/bin/perl ../openssl/test/generate_buildtest.pl objects > test/buildtest_objects.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ossl_typ > test/buildtest_ossl_typ.c /usr/bin/perl ../openssl/test/generate_buildtest.pl param_build > test/buildtest_param_build.c /usr/bin/perl ../openssl/test/generate_buildtest.pl params > test/buildtest_params.c /usr/bin/perl ../openssl/test/generate_buildtest.pl pem > test/buildtest_pem.c /usr/bin/perl ../openssl/test/generate_buildtest.pl pem2 > test/buildtest_pem2.c /usr/bin/perl ../openssl/test/generate_buildtest.pl provider > test/buildtest_provider.c /usr/bin/perl ../openssl/test/generate_buildtest.pl rand > test/buildtest_rand.c /usr/bin/perl ../openssl/test/generate_buildtest.pl rc2 > test/buildtest_rc2.c /usr/bin/perl ../openssl/test/generate_buildtest.pl rc4 > test/buildtest_rc4.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ripemd > test/buildtest_ripemd.c /usr/bin/perl ../openssl/test/generate_buildtest.pl rsa > test/buildtest_rsa.c /usr/bin/perl ../openssl/test/generate_buildtest.pl seed > test/buildtest_seed.c /usr/bin/perl ../openssl/test/generate_buildtest.pl self_test > test/buildtest_self_test.c /usr/bin/perl ../openssl/test/generate_buildtest.pl sha > test/buildtest_sha.c /usr/bin/perl ../openssl/test/generate_buildtest.pl srtp > test/buildtest_srtp.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ssl2 > test/buildtest_ssl2.c /usr/bin/perl ../openssl/test/generate_buildtest.pl sslerr_legacy > test/buildtest_sslerr_legacy.c /usr/bin/perl ../openssl/test/generate_buildtest.pl stack > test/buildtest_stack.c /usr/bin/perl ../openssl/test/generate_buildtest.pl store > test/buildtest_store.c /usr/bin/perl ../openssl/test/generate_buildtest.pl symhacks > test/buildtest_symhacks.c /usr/bin/perl ../openssl/test/generate_buildtest.pl tls1 > test/buildtest_tls1.c /usr/bin/perl ../openssl/test/generate_buildtest.pl ts > test/buildtest_ts.c /usr/bin/perl ../openssl/test/generate_buildtest.pl txt_db > test/buildtest_txt_db.c /usr/bin/perl ../openssl/test/generate_buildtest.pl types > test/buildtest_types.c /usr/bin/perl ../openssl/test/generate_buildtest.pl whrlpool > test/buildtest_whrlpool.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/casttest-bin-casttest.d.tmp -MT test/casttest-bin-casttest.o -c -o test/casttest-bin-casttest.o ../openssl/test/casttest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/chacha_internal_test-bin-chacha_internal_test.d.tmp -MT test/chacha_internal_test-bin-chacha_internal_test.o -c -o test/chacha_internal_test-bin-chacha_internal_test.o ../openssl/test/chacha_internal_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cipher_overhead_test-bin-cipher_overhead_test.d.tmp -MT test/cipher_overhead_test-bin-cipher_overhead_test.o -c -o test/cipher_overhead_test-bin-cipher_overhead_test.o ../openssl/test/cipher_overhead_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cipherbytes_test-bin-cipherbytes_test.d.tmp -MT test/cipherbytes_test-bin-cipherbytes_test.o -c -o test/cipherbytes_test-bin-cipherbytes_test.o ../openssl/test/cipherbytes_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cipherlist_test-bin-cipherlist_test.d.tmp -MT test/cipherlist_test-bin-cipherlist_test.o -c -o test/cipherlist_test-bin-cipherlist_test.o ../openssl/test/cipherlist_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ciphername_test-bin-ciphername_test.d.tmp -MT test/ciphername_test-bin-ciphername_test.o -c -o test/ciphername_test-bin-ciphername_test.o ../openssl/test/ciphername_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/clienthellotest-bin-clienthellotest.d.tmp -MT test/clienthellotest-bin-clienthellotest.o -c -o test/clienthellotest-bin-clienthellotest.o ../openssl/test/clienthellotest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmactest-bin-cmactest.d.tmp -MT test/cmactest-bin-cmactest.o -c -o test/cmactest-bin-cmactest.o ../openssl/test/cmactest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_asn_test-bin-cmp_asn_test.d.tmp -MT test/cmp_asn_test-bin-cmp_asn_test.o -c -o test/cmp_asn_test-bin-cmp_asn_test.o ../openssl/test/cmp_asn_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_asn_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_asn_test-bin-cmp_testlib.o -c -o test/helpers/cmp_asn_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_client_test-bin-cmp_client_test.d.tmp -MT test/cmp_client_test-bin-cmp_client_test.o -c -o test/cmp_client_test-bin-cmp_client_test.o ../openssl/test/cmp_client_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_client_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_client_test-bin-cmp_testlib.o -c -o test/helpers/cmp_client_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_ctx_test-bin-cmp_ctx_test.d.tmp -MT test/cmp_ctx_test-bin-cmp_ctx_test.o -c -o test/cmp_ctx_test-bin-cmp_ctx_test.o ../openssl/test/cmp_ctx_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_ctx_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_ctx_test-bin-cmp_testlib.o -c -o test/helpers/cmp_ctx_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_hdr_test-bin-cmp_hdr_test.d.tmp -MT test/cmp_hdr_test-bin-cmp_hdr_test.o -c -o test/cmp_hdr_test-bin-cmp_hdr_test.o ../openssl/test/cmp_hdr_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_hdr_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_hdr_test-bin-cmp_testlib.o -c -o test/helpers/cmp_hdr_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_msg_test-bin-cmp_msg_test.d.tmp -MT test/cmp_msg_test-bin-cmp_msg_test.o -c -o test/cmp_msg_test-bin-cmp_msg_test.o ../openssl/test/cmp_msg_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_msg_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_msg_test-bin-cmp_testlib.o -c -o test/helpers/cmp_msg_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_protect_test-bin-cmp_protect_test.d.tmp -MT test/cmp_protect_test-bin-cmp_protect_test.o -c -o test/cmp_protect_test-bin-cmp_protect_test.o ../openssl/test/cmp_protect_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_protect_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_protect_test-bin-cmp_testlib.o -c -o test/helpers/cmp_protect_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_server_test-bin-cmp_server_test.d.tmp -MT test/cmp_server_test-bin-cmp_server_test.o -c -o test/cmp_server_test-bin-cmp_server_test.o ../openssl/test/cmp_server_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_server_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_server_test-bin-cmp_testlib.o -c -o test/helpers/cmp_server_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_status_test-bin-cmp_status_test.d.tmp -MT test/cmp_status_test-bin-cmp_status_test.o -c -o test/cmp_status_test-bin-cmp_status_test.o ../openssl/test/cmp_status_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_status_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_status_test-bin-cmp_testlib.o -c -o test/helpers/cmp_status_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmp_vfy_test-bin-cmp_vfy_test.d.tmp -MT test/cmp_vfy_test-bin-cmp_vfy_test.o -c -o test/cmp_vfy_test-bin-cmp_vfy_test.o ../openssl/test/cmp_vfy_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/cmp_vfy_test-bin-cmp_testlib.d.tmp -MT test/helpers/cmp_vfy_test-bin-cmp_testlib.o -c -o test/helpers/cmp_vfy_test-bin-cmp_testlib.o ../openssl/test/helpers/cmp_testlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/cmsapitest-bin-cmsapitest.d.tmp -MT test/cmsapitest-bin-cmsapitest.o -c -o test/cmsapitest-bin-cmsapitest.o ../openssl/test/cmsapitest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/conf_include_test-bin-conf_include_test.d.tmp -MT test/conf_include_test-bin-conf_include_test.o -c -o test/conf_include_test-bin-conf_include_test.o ../openssl/test/conf_include_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/confdump-bin-confdump.d.tmp -MT test/confdump-bin-confdump.o -c -o test/confdump-bin-confdump.o ../openssl/test/confdump.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/constant_time_test-bin-constant_time_test.d.tmp -MT test/constant_time_test-bin-constant_time_test.o -c -o test/constant_time_test-bin-constant_time_test.o ../openssl/test/constant_time_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/context_internal_test-bin-context_internal_test.d.tmp -MT test/context_internal_test-bin-context_internal_test.o -c -o test/context_internal_test-bin-context_internal_test.o ../openssl/test/context_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/crltest-bin-crltest.d.tmp -MT test/crltest-bin-crltest.o -c -o test/crltest-bin-crltest.o ../openssl/test/crltest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ct_test-bin-ct_test.d.tmp -MT test/ct_test-bin-ct_test.o -c -o test/ct_test-bin-ct_test.o ../openssl/test/ct_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ctype_internal_test-bin-ctype_internal_test.d.tmp -MT test/ctype_internal_test-bin-ctype_internal_test.o -c -o test/ctype_internal_test-bin-ctype_internal_test.o ../openssl/test/ctype_internal_test.c clang -I. -Iinclude -Iapps/include -Icrypto/ec/curve448 -I../openssl -I../openssl/include -I../openssl/apps/include -I../openssl/crypto/ec/curve448 -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/curve448_internal_test-bin-curve448_internal_test.d.tmp -MT test/curve448_internal_test-bin-curve448_internal_test.o -c -o test/curve448_internal_test-bin-curve448_internal_test.o ../openssl/test/curve448_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/d2i_test-bin-d2i_test.d.tmp -MT test/d2i_test-bin-d2i_test.o -c -o test/d2i_test-bin-d2i_test.o ../openssl/test/d2i_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/danetest-bin-danetest.d.tmp -MT test/danetest-bin-danetest.o -c -o test/danetest-bin-danetest.o ../openssl/test/danetest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/defltfips_test-bin-defltfips_test.d.tmp -MT test/defltfips_test-bin-defltfips_test.o -c -o test/defltfips_test-bin-defltfips_test.o ../openssl/test/defltfips_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/destest-bin-destest.d.tmp -MT test/destest-bin-destest.o -c -o test/destest-bin-destest.o ../openssl/test/destest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dhtest-bin-dhtest.d.tmp -MT test/dhtest-bin-dhtest.o -c -o test/dhtest-bin-dhtest.o ../openssl/test/dhtest.c clang -Iinclude -Iapps/include -Iproviders/common/include -I../openssl/include -I../openssl/apps/include -I../openssl/providers/common/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/drbgtest-bin-drbgtest.d.tmp -MT test/drbgtest-bin-drbgtest.o -c -o test/drbgtest-bin-drbgtest.o ../openssl/test/drbgtest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.d.tmp -MT test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.o -c -o test/dsa_no_digest_size_test-bin-dsa_no_digest_size_test.o ../openssl/test/dsa_no_digest_size_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dsatest-bin-dsatest.d.tmp -MT test/dsatest-bin-dsatest.o -c -o test/dsatest-bin-dsatest.o ../openssl/test/dsatest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtls_mtu_test-bin-dtls_mtu_test.d.tmp -MT test/dtls_mtu_test-bin-dtls_mtu_test.o -c -o test/dtls_mtu_test-bin-dtls_mtu_test.o ../openssl/test/dtls_mtu_test.c clang -I. -Iinclude -I../openssl -I../openssl/include -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/dtls_mtu_test-bin-ssltestlib.d.tmp -MT test/helpers/dtls_mtu_test-bin-ssltestlib.o -c -o test/helpers/dtls_mtu_test-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtlstest-bin-dtlstest.d.tmp -MT test/dtlstest-bin-dtlstest.o -c -o test/dtlstest-bin-dtlstest.o ../openssl/test/dtlstest.c clang -I. -Iinclude -I../openssl -I../openssl/include -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/dtlstest-bin-ssltestlib.d.tmp -MT test/helpers/dtlstest-bin-ssltestlib.o -c -o test/helpers/dtlstest-bin-ssltestlib.o ../openssl/test/helpers/ssltestlib.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/dtlsv1listentest-bin-dtlsv1listentest.d.tmp -MT test/dtlsv1listentest-bin-dtlsv1listentest.o -c -o test/dtlsv1listentest-bin-dtlsv1listentest.o ../openssl/test/dtlsv1listentest.c clang -Iinclude -Icrypto/ec -Iapps/include -I../openssl/include -I../openssl/crypto/ec -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ec_internal_test-bin-ec_internal_test.d.tmp -MT test/ec_internal_test-bin-ec_internal_test.o -c -o test/ec_internal_test-bin-ec_internal_test.o ../openssl/test/ec_internal_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ecdsatest-bin-ecdsatest.d.tmp -MT test/ecdsatest-bin-ecdsatest.o -c -o test/ecdsatest-bin-ecdsatest.o ../openssl/test/ecdsatest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ecstresstest-bin-ecstresstest.d.tmp -MT test/ecstresstest-bin-ecstresstest.o -c -o test/ecstresstest-bin-ecstresstest.o ../openssl/test/ecstresstest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/ectest-bin-ectest.d.tmp -MT test/ectest-bin-ectest.o -c -o test/ectest-bin-ectest.o ../openssl/test/ectest.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/endecode_test-bin-endecode_test.d.tmp -MT test/endecode_test-bin-endecode_test.o -c -o test/endecode_test-bin-endecode_test.o ../openssl/test/endecode_test.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/helpers/endecode_test-bin-predefined_dhparams.d.tmp -MT test/helpers/endecode_test-bin-predefined_dhparams.o -c -o test/helpers/endecode_test-bin-predefined_dhparams.o ../openssl/test/helpers/predefined_dhparams.c clang -I. -Iinclude -Iapps/include -I../openssl -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/endecoder_legacy_test-bin-endecoder_legacy_test.d.tmp -MT test/endecoder_legacy_test-bin-endecoder_legacy_test.o -c -o test/endecoder_legacy_test-bin-endecoder_legacy_test.o ../openssl/test/endecoder_legacy_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/enginetest-bin-enginetest.d.tmp -MT test/enginetest-bin-enginetest.o -c -o test/enginetest-bin-enginetest.o ../openssl/test/enginetest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/errtest-bin-errtest.d.tmp -MT test/errtest-bin-errtest.o -c -o test/errtest-bin-errtest.o ../openssl/test/errtest.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_extra_test-bin-evp_extra_test.d.tmp -MT test/evp_extra_test-bin-evp_extra_test.o -c -o test/evp_extra_test-bin-evp_extra_test.o ../openssl/test/evp_extra_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_extra_test2-bin-evp_extra_test2.d.tmp -MT test/evp_extra_test2-bin-evp_extra_test2.o -c -o test/evp_extra_test2-bin-evp_extra_test2.o ../openssl/test/evp_extra_test2.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_fetch_prov_test-bin-evp_fetch_prov_test.d.tmp -MT test/evp_fetch_prov_test-bin-evp_fetch_prov_test.o -c -o test/evp_fetch_prov_test-bin-evp_fetch_prov_test.o ../openssl/test/evp_fetch_prov_test.c clang -Iinclude -Iapps/include -I../openssl/include -I../openssl/apps/include -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_BUILDING_OPENSSL -MMD -MF test/evp_kdf_test-bin-evp_kdf_test.d.tmp -MT test/evp_kdf_test-bin-evp_kdf_test.o -c -o test/evp_kdf_test-bin-evp_kdf_test.o ../openssl/test/evp_kdf_test.c ../openssl/test/evp_extra_test.c:1982:12: error: implicit declaration of function 'test_EVP_PKEY_ffc_priv_pub' is invalid in C99 [-Werror,-Wimplicit-function-declaration] return test_EVP_PKEY_ffc_priv_pub("DH"); ^ 1 error generated. make[1]: *** [Makefile:26161: test/evp_extra_test-bin-evp_extra_test.o] Error 1 make[1]: *** Waiting for unfinished jobs.... make[1]: Leaving directory '/home/openssl/run-checker/no-dsa' make: *** [Makefile:3183: build_sw] Error 2 From levitte at openssl.org Thu Jan 21 11:13:17 2021 From: levitte at openssl.org (Richard Levitte) Date: Thu, 21 Jan 2021 11:13:17 +0000 Subject: [openssl] master update Message-ID: <1611227597.169462.18573.nullmailer@dev.openssl.org> The branch master has been updated via a3d267f18492a1e874534d5af6072bc8b7a290e5 (commit) from 3aa7212e0a4fd1533c8a28b8587dd8b022f3a66f (commit) - Log ----------------------------------------------------------------- commit a3d267f18492a1e874534d5af6072bc8b7a290e5 Author: Rich Salz Date: Tue Dec 8 10:13:54 2020 -0500 Deprecate EVP_KEY_new_CMAC_key and EVP_PKEY_new_CMAC_key_ex EVP_KEY_new_CMAC_key_ex was in the pre-release 3.0 only, so is safe to remove. Restore 1.1.1 version of EVP_PKEY_new_CMAC_key documentation. Also make testing of EVP_PKEY_new_CMAC_key properly #ifdef'd. Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/13829) ----------------------------------------------------------------------- Summary of changes: crypto/evp/p_lib.c | 7 ------- doc/man3/EVP_PKEY_new.pod | 46 ++++++++++++++++++++++------------------------ include/openssl/evp.h | 6 +++--- test/evp_extra_test.c | 7 ++++++- test/evp_test.c | 16 ++++++++++++++-- util/libcrypto.num | 3 +-- 6 files changed, 46 insertions(+), 39 deletions(-) diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 326c58c8aa..93cdbb89bf 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -636,13 +636,6 @@ static EVP_PKEY *new_cmac_key_int(const unsigned char *priv, size_t len, # endif } -EVP_PKEY *EVP_PKEY_new_CMAC_key_ex(const unsigned char *priv, size_t len, - const char *cipher_name, OSSL_LIB_CTX *libctx, - const char *propq) -{ - return new_cmac_key_int(priv, len, cipher_name, NULL, libctx, propq, NULL); -} - EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv, size_t len, const EVP_CIPHER *cipher) { diff --git a/doc/man3/EVP_PKEY_new.pod b/doc/man3/EVP_PKEY_new.pod index c2d3c57e43..88c4e67e53 100644 --- a/doc/man3/EVP_PKEY_new.pod +++ b/doc/man3/EVP_PKEY_new.pod @@ -10,7 +10,6 @@ EVP_PKEY_new_raw_private_key_ex, EVP_PKEY_new_raw_private_key, EVP_PKEY_new_raw_public_key_ex, EVP_PKEY_new_raw_public_key, -EVP_PKEY_new_CMAC_key_ex, EVP_PKEY_new_CMAC_key, EVP_PKEY_new_mac_key, EVP_PKEY_get_raw_private_key, @@ -41,11 +40,6 @@ EVP_PKEY_get_raw_public_key size_t keylen); EVP_PKEY *EVP_PKEY_new_raw_public_key(int type, ENGINE *e, const unsigned char *key, size_t keylen); - EVP_PKEY *EVP_PKEY_new_CMAC_key_ex(const unsigned char *priv, size_t len, - const char *cipher_name, - OSSL_LIB_CTX *libctx, const char *propq); - EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv, - size_t len, const EVP_CIPHER *cipher); EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *e, const unsigned char *key, int keylen); @@ -54,6 +48,13 @@ EVP_PKEY_get_raw_public_key int EVP_PKEY_get_raw_public_key(const EVP_PKEY *pkey, unsigned char *pub, size_t *len); +Deprecated since OpenSSL 3.0, can be hidden entirely by defining +B with a suitable version value, see +L: + + EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv, + size_t len, const EVP_CIPHER *cipher); + =head1 DESCRIPTION B is a generic structure to hold diverse types of asymmetric keys @@ -121,21 +122,6 @@ data. The B structure will be initialised without any private key information. Algorithm types that support raw public keys are B, B, B or B. -EVP_PKEY_new_CMAC_key_ex() works in the same way as -EVP_PKEY_new_raw_private_key() except it is only for the B -algorithm type. In addition to the raw private key data, it also takes a cipher -algorithm to be used during creation of a CMAC in the I argument. The -cipher should be a standard encryption only cipher. For example AEAD and XTS -ciphers should not be used. Finally it also takes a library context I -and property query I which are used when fetching any cryptographic -algorithms which may be NULL to use the default values. - -EVP_PKEY_new_CMAC_key() is the same as EVP_PKEY_new_CMAC_key_ex() -except that the default values are used for I and I. - -Using EVP_PKEY_new_CMAC_key_ex() or EVP_PKEY_new_CMAC_key() is discouraged in -favor of the L API. - EVP_PKEY_new_mac_key() works in the same way as EVP_PKEY_new_raw_private_key(). New applications should use EVP_PKEY_new_raw_private_key() instead. @@ -159,6 +145,16 @@ key data. This function only works for algorithms that support raw public keys. Currently this is: B, B, B or B. +EVP_PKEY_new_CMAC_key() works in the same way as EVP_PKEY_new_raw_private_key() +except it is only for the B algorithm type. In addition to the +raw private key data, it also takes a cipher algorithm to be used during +creation of a CMAC in the B argument. The cipher should be a standard +encryption-only cipher. For example AEAD and XTS ciphers should not be used. + +Applications should use the L API instead +and set the B parameter on the B object +with the name of the cipher being used. + =head1 NOTES The B structure is used by various OpenSSL functions which require a @@ -195,9 +191,11 @@ EVP_PKEY_new_raw_private_key(), EVP_PKEY_new_raw_public_key(), EVP_PKEY_new_CMAC_key(), EVP_PKEY_new_raw_private_key() and EVP_PKEY_get_raw_public_key() functions were added in OpenSSL 1.1.1. -The EVP_PKEY_new_raw_private_key_ex(), -EVP_PKEY_new_raw_public_key_ex() and -EVP_PKEY_new_CMAC_key_ex() functions were added in OpenSSL 3.0. +The EVP_PKEY_new_raw_private_key_ex() and +EVP_PKEY_new_raw_public_key_ex() +functions were added in OpenSSL 3.0. + +The EVP_PKEY_new_CMAC_key() was deprecated in OpenSSL 3.0. The documentation of B was amended in OpenSSL 3.0 to allow there to be the private part of the keypair without the public part, where this was diff --git a/include/openssl/evp.h b/include/openssl/evp.h index ae9488acbb..0180170b8d 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1678,11 +1678,11 @@ int EVP_PKEY_get_raw_private_key(const EVP_PKEY *pkey, unsigned char *priv, int EVP_PKEY_get_raw_public_key(const EVP_PKEY *pkey, unsigned char *pub, size_t *len); -EVP_PKEY *EVP_PKEY_new_CMAC_key_ex(const unsigned char *priv, size_t len, - const char *cipher_name, OSSL_LIB_CTX *libctx, - const char *propq); +# ifndef OPENSSL_NO_DEPRECATED_3_0 +OSSL_DEPRECATEDIN_3_0 EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv, size_t len, const EVP_CIPHER *cipher); +# endif void EVP_PKEY_CTX_set_data(EVP_PKEY_CTX *ctx, void *data); void *EVP_PKEY_CTX_get_data(const EVP_PKEY_CTX *ctx); diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 42f4319d6c..37efbd42e2 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -1538,7 +1538,10 @@ static int test_CMAC_keygen(void) EVP_PKEY_CTX *kctx = EVP_PKEY_CTX_new_id(EVP_PKEY_CMAC, NULL); int ret = 0; EVP_PKEY *pkey = NULL; - unsigned char mac[AES_BLOCK_SIZE], mac2[AES_BLOCK_SIZE]; + unsigned char mac[AES_BLOCK_SIZE]; +# if !defined(OPENSSL_NO_DEPRECATED_3_0) + unsigned char mac2[AES_BLOCK_SIZE]; +# endif /* Test a CMAC key created using the "generated" method */ if (!TEST_int_gt(EVP_PKEY_keygen_init(kctx), 0) @@ -1553,6 +1556,7 @@ static int test_CMAC_keygen(void) || !TEST_true(get_cmac_val(pkey, mac))) goto done; +# if !defined(OPENSSL_NO_DEPRECATED_3_0) EVP_PKEY_free(pkey); /* @@ -1564,6 +1568,7 @@ static int test_CMAC_keygen(void) || !TEST_true(get_cmac_val(pkey, mac2)) || !TEST_mem_eq(mac, sizeof(mac), mac2, sizeof(mac2))) goto done; +# endif ret = 1; diff --git a/test/evp_test.c b/test/evp_test.c index b1c9c72b8b..94bbdc7a35 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -7,6 +7,7 @@ * https://www.openssl.org/source/license.html */ +#define OPENSSL_SUPPRESS_DEPRECATED /* EVP_PKEY_new_CMAC_key */ #include #include #include @@ -1152,6 +1153,14 @@ static int mac_test_run_pkey(EVP_TEST *t) OBJ_nid2sn(expected->type), expected->alg); if (expected->type == EVP_PKEY_CMAC) { +#ifdef OPENSSL_NO_DEPRECATED_3_0 + TEST_info("skipping, PKEY CMAC '%s' is disabled", expected->alg); + t->skip = 1; + t->err = NULL; + goto err; +#else + OSSL_LIB_CTX *tmpctx; + if (expected->alg != NULL && is_cipher_disabled(expected->alg)) { TEST_info("skipping, PKEY CMAC '%s' is disabled", expected->alg); t->skip = 1; @@ -1162,8 +1171,11 @@ static int mac_test_run_pkey(EVP_TEST *t) t->err = "MAC_KEY_CREATE_ERROR"; goto err; } - key = EVP_PKEY_new_CMAC_key_ex(expected->key, expected->key_len, - EVP_CIPHER_name(cipher), libctx, NULL); + tmpctx = OSSL_LIB_CTX_set0_default(libctx); + key = EVP_PKEY_new_CMAC_key(NULL, expected->key, expected->key_len, + cipher); + OSSL_LIB_CTX_set0_default(tmpctx); +#endif } else { key = EVP_PKEY_new_raw_private_key_ex(libctx, OBJ_nid2sn(expected->type), NULL, diff --git a/util/libcrypto.num b/util/libcrypto.num index a1e9b5cc34..1cd4b86f4d 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -4338,7 +4338,7 @@ OSSL_STORE_SEARCH_free 4450 3_0_0 EXIST::FUNCTION: OSSL_STORE_SEARCH_get0_digest 4451 3_0_0 EXIST::FUNCTION: EVP_PKEY_new_raw_private_key 4453 3_0_0 EXIST::FUNCTION: EVP_PKEY_new_raw_public_key 4454 3_0_0 EXIST::FUNCTION: -EVP_PKEY_new_CMAC_key 4455 3_0_0 EXIST::FUNCTION: +EVP_PKEY_new_CMAC_key 4455 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 EVP_PKEY_asn1_set_set_priv_key 4456 3_0_0 EXIST::FUNCTION: EVP_PKEY_asn1_set_set_pub_key 4457 3_0_0 EXIST::FUNCTION: conf_ssl_name_find 4469 3_0_0 EXIST::FUNCTION: @@ -5221,7 +5221,6 @@ OSSL_PARAM_get_utf8_string_ptr ? 3_0_0 EXIST::FUNCTION: OSSL_PARAM_get_octet_string_ptr ? 3_0_0 EXIST::FUNCTION: OSSL_DECODER_CTX_set_passphrase_cb ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_CTX_set_mac_key ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_new_CMAC_key_ex ? 3_0_0 EXIST::FUNCTION: OSSL_STORE_INFO_new ? 3_0_0 EXIST::FUNCTION: OSSL_STORE_INFO_get0_data ? 3_0_0 EXIST::FUNCTION: asn1_d2i_read_bio ? 3_0_0 EXIST::FUNCTION: From tmraz at fedoraproject.org Thu Jan 21 14:32:11 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Thu, 21 Jan 2021 14:32:11 +0000 Subject: [openssl] master update Message-ID: <1611239531.422091.15304.nullmailer@dev.openssl.org> The branch master has been updated via 6857058016e91d3182c2117922dd8001b27f5639 (commit) from a3d267f18492a1e874534d5af6072bc8b7a290e5 (commit) - Log ----------------------------------------------------------------- commit 6857058016e91d3182c2117922dd8001b27f5639 Author: Tim Hitchins Date: Wed Jan 20 11:35:33 2021 +0000 Fix typo in crl2pkcs documentation Fixes #13910 CLA: trivial Reviewed-by: Tim Hudson Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13911) ----------------------------------------------------------------------- Summary of changes: doc/man1/openssl-crl2pkcs7.pod.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man1/openssl-crl2pkcs7.pod.in b/doc/man1/openssl-crl2pkcs7.pod.in index db06f6e68f..7e57820ff7 100644 --- a/doc/man1/openssl-crl2pkcs7.pod.in +++ b/doc/man1/openssl-crl2pkcs7.pod.in @@ -55,7 +55,7 @@ output by default. Specifies a filename containing one or more certificates in B format. All certificates in the file will be added to the PKCS#7 structure. This -option can be used more than once to read certificates form multiple +option can be used more than once to read certificates from multiple files. =item B<-nocrl> From tmraz at fedoraproject.org Thu Jan 21 14:34:01 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Thu, 21 Jan 2021 14:34:01 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1611239641.312725.27166.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via b8cee4cb43f86a86a6714af8900674456d94908f (commit) from 0a31723a158592d3271585bd02e627cc19a1c772 (commit) - Log ----------------------------------------------------------------- commit b8cee4cb43f86a86a6714af8900674456d94908f Author: Tim Hitchins Date: Wed Jan 20 11:35:33 2021 +0000 Fix typo in crl2pkcs documentation Fixes #13910 CLA: trivial Reviewed-by: Tim Hudson Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13911) (cherry picked from commit 6857058016e91d3182c2117922dd8001b27f5639) ----------------------------------------------------------------------- Summary of changes: doc/man1/crl2pkcs7.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man1/crl2pkcs7.pod b/doc/man1/crl2pkcs7.pod index f58a442b5b..681145e77d 100644 --- a/doc/man1/crl2pkcs7.pod +++ b/doc/man1/crl2pkcs7.pod @@ -56,7 +56,7 @@ output by default. Specifies a filename containing one or more certificates in B format. All certificates in the file will be added to the PKCS#7 structure. This -option can be used more than once to read certificates form multiple +option can be used more than once to read certificates from multiple files. =item B<-nocrl> From tmraz at fedoraproject.org Thu Jan 21 16:05:31 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Thu, 21 Jan 2021 16:05:31 +0000 Subject: [openssl] master update Message-ID: <1611245131.519610.10069.nullmailer@dev.openssl.org> The branch master has been updated via 52b0bb38f3e7f0a57babc07a189f15f6c022cae2 (commit) from 6857058016e91d3182c2117922dd8001b27f5639 (commit) - Log ----------------------------------------------------------------- commit 52b0bb38f3e7f0a57babc07a189f15f6c022cae2 Author: Michael Baentsch Date: Wed Jan 13 16:58:22 2021 +0100 fall-back -> fallback find-doc-nit addition Ensure the same term is used for fallback Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13862) ----------------------------------------------------------------------- Summary of changes: util/find-doc-nits | 1 + 1 file changed, 1 insertion(+) diff --git a/util/find-doc-nits b/util/find-doc-nits index 6c559ba05d..c0845791c1 100755 --- a/util/find-doc-nits +++ b/util/find-doc-nits @@ -609,6 +609,7 @@ my %preferred_words = ( 'bitmask' => 'bit mask', 'builtin' => 'built-in', #'epoch' => 'Epoch', # handled specially, below + 'fall-back' => 'fallback', 'file name' => 'filename', 'file system' => 'filesystem', 'host name' => 'hostname', From tmraz at fedoraproject.org Thu Jan 21 16:08:40 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Thu, 21 Jan 2021 16:08:40 +0000 Subject: [openssl] master update Message-ID: <1611245320.612702.11464.nullmailer@dev.openssl.org> The branch master has been updated via adcaebc3148fe0fde3f7641c4b607f30e1479986 (commit) from 52b0bb38f3e7f0a57babc07a189f15f6c022cae2 (commit) - Log ----------------------------------------------------------------- commit adcaebc3148fe0fde3f7641c4b607f30e1479986 Author: Tomas Mraz Date: Tue Jan 19 15:59:22 2021 +0100 CI: Add some legacy stuff that we do not test in GitHub CI yet There are some options that seem to belong to the legacy build. Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/13903) ----------------------------------------------------------------------- Summary of changes: .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7588bcca66..fc4549fd57 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -107,7 +107,7 @@ jobs: steps: - uses: actions/checkout at v2 - name: config - run: ./config -Werror --debug no-afalgeng no-shared enable-crypto-mdebug enable-rc5 enable-md2 && perl configdata.pm --dump + run: ./config -Werror --debug no-afalgeng no-shared enable-crypto-mdebug enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 && perl configdata.pm --dump - name: make run: make -s -j4 - name: make test From tmraz at fedoraproject.org Thu Jan 21 16:11:11 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Thu, 21 Jan 2021 16:11:11 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1611245471.392792.12886.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 76e30a434dfc625c0fae480449f87308d92d4b7c (commit) from b8cee4cb43f86a86a6714af8900674456d94908f (commit) - Log ----------------------------------------------------------------- commit 76e30a434dfc625c0fae480449f87308d92d4b7c Author: Tomas Mraz Date: Tue Jan 19 15:59:22 2021 +0100 CI: Add some legacy stuff that we do not test in GitHub CI yet There are some options that seem to belong to the legacy build. Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/13903) (cherry picked from commit adcaebc3148fe0fde3f7641c4b607f30e1479986) ----------------------------------------------------------------------- Summary of changes: .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ce40b5104a..aca73be1a0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -108,7 +108,7 @@ jobs: steps: - uses: actions/checkout at v2 - name: config - run: ./config -Werror --debug no-afalgeng no-shared enable-crypto-mdebug enable-rc5 enable-md2 && perl configdata.pm --dump + run: ./config -Werror --debug no-afalgeng no-shared enable-crypto-mdebug enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 && perl configdata.pm --dump - name: make run: make -s -j4 - name: make test From dev at ddvo.net Thu Jan 21 16:54:03 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Thu, 21 Jan 2021 16:54:03 +0000 Subject: [openssl] master update Message-ID: <1611248043.875996.21403.nullmailer@dev.openssl.org> The branch master has been updated via 3d46c81a7d6219fd51ccc3b16406f19b82d0176e (commit) via 2039ac07b401932fa30a05ade80b3626e189d78a (commit) via 6b63b7b61e50eadee6b274f7c0d1abd2e3fca3af (commit) via 92d619450ad70a81252028d1daa0b8f2efb51a1d (commit) from adcaebc3148fe0fde3f7641c4b607f30e1479986 (commit) - Log ----------------------------------------------------------------- commit 3d46c81a7d6219fd51ccc3b16406f19b82d0176e Author: Dr. David von Oheimb Date: Tue Jan 12 12:16:32 2021 +0100 CMP: Allow PKCS#10 input also for ir, cr, kur, and rr messages Also update documentation regarding sources of certs and keys, improve type of OSSL_CMP_exec_RR_ses(), add tests for CSR-based cert revocation Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13841) commit 2039ac07b401932fa30a05ade80b3626e189d78a Author: Dr. David von Oheimb Date: Fri Jan 8 08:27:17 2021 +0100 X509_REQ_get_extensions(): Return empty stack if no extensions found Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13841) commit 6b63b7b61e50eadee6b274f7c0d1abd2e3fca3af Author: Dr. David von Oheimb Date: Fri Jan 8 07:43:56 2021 +0100 apps/cmp.c: Check self-signature on CSR input and warn on failure Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13841) commit 92d619450ad70a81252028d1daa0b8f2efb51a1d Author: Dr. David von Oheimb Date: Fri Jan 8 07:30:51 2021 +0100 apps/cmp.c: Improve diagnostics on loading private vs. public key for cert request Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13841) ----------------------------------------------------------------------- Summary of changes: apps/cmp.c | 85 +++++++++++------ apps/cmp_mock_srv.c | 6 +- crypto/cmp/cmp_client.c | 32 +++---- crypto/cmp/cmp_msg.c | 96 +++++++++++++------ crypto/cmp/cmp_server.c | 6 +- crypto/x509/x509_req.c | 4 +- doc/man1/openssl-cmp.pod.in | 105 +++++++++++---------- doc/man3/OSSL_CMP_exec_certreq.pod | 6 +- include/openssl/cmp.h.in | 2 +- test/cmp_client_test.c | 2 +- .../recipes/81-test_cmp_cli_data/test_commands.csv | 4 +- .../81-test_cmp_cli_data/test_enrollment.csv | 2 +- 12 files changed, 214 insertions(+), 136 deletions(-) diff --git a/apps/cmp.c b/apps/cmp.c index b28b7431ce..a64ac9ae60 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -272,7 +272,7 @@ const OPTIONS cmp_options[] = { {"subject", OPT_SUBJECT, 's', "Distinguished Name (DN) of subject to use in the requested cert template"}, {OPT_MORE_STR, 0, 0, - "For kur, default is the subject DN of the reference cert (see -oldcert);"}, + "For kur, default is subject of -csr arg or else of reference cert (see -oldcert)"}, {OPT_MORE_STR, 0, 0, "this default is used for ir and cr only if no Subject Alt Names are set"}, {"issuer", OPT_ISSUER, 's', @@ -282,7 +282,9 @@ const OPTIONS cmp_options[] = { {"days", OPT_DAYS, 'n', "Requested validity time of the new certificate in number of days"}, {"reqexts", OPT_REQEXTS, 's', - "Name of config file section defining certificate request extensions"}, + "Name of config file section defining certificate request extensions."}, + {OPT_MORE_STR, 0, 0, + "Augments or replaces any extensions contained CSR given with -csr"}, {"sans", OPT_SANS, 's', "Subject Alt Names (IPADDR/DNS/URI) to add as (critical) cert req extension"}, {"san_nodefault", OPT_SAN_NODEFAULT, '-', @@ -298,7 +300,7 @@ const OPTIONS cmp_options[] = { {OPT_MORE_STR, 0, 0, "-1 = NONE, 0 = RAVERIFIED, 1 = SIGNATURE (default), 2 = KEYENC"}, {"csr", OPT_CSR, 's', - "PKCS#10 CSR file in PEM or DER format to use in p10cr for legacy support"}, + "PKCS#10 CSR file in PEM or DER format to convert or to use in p10cr"}, {"out_trusted", OPT_OUT_TRUSTED, 's', "Certificates to trust when verifying newly enrolled certificates"}, {"implicit_confirm", OPT_IMPLICIT_CONFIRM, '-', @@ -383,7 +385,7 @@ const OPTIONS cmp_options[] = { "Optional certs to verify chain building for own CMP signer cert"}, {"key", OPT_KEY, 's', "CMP signer private key, not used when -secret given"}, {"keypass", OPT_KEYPASS, 's', - "Client private key (and cert and old cert file) pass phrase source"}, + "Client private key (and cert and old cert) pass phrase source"}, {"digest", OPT_DIGEST, 's', "Digest to use in message protection and POPO signatures. Default \"sha256\""}, {"mac", OPT_MAC, 's', @@ -418,7 +420,7 @@ const OPTIONS cmp_options[] = { {"tls_key", OPT_TLS_KEY, 's', "Private key for the client's TLS certificate"}, {"tls_keypass", OPT_TLS_KEYPASS, 's', - "Pass phrase source for the client's private TLS key (and TLS cert file)"}, + "Pass phrase source for the client's private TLS key (and TLS cert)"}, {"tls_extra", OPT_TLS_EXTRA, 's', "Extra certificates to provide to TLS server during TLS handshake"}, {"tls_trusted", OPT_TLS_TRUSTED, 's', @@ -455,7 +457,7 @@ const OPTIONS cmp_options[] = { {"srv_key", OPT_SRV_KEY, 's', "Private key used by the server for signing messages"}, {"srv_keypass", OPT_SRV_KEYPASS, 's', - "Server private key (and cert) file pass phrase source"}, + "Server private key (and cert) pass phrase source"}, {"srv_trusted", OPT_SRV_TRUSTED, 's', "Trusted certificates for client authentication"}, @@ -673,6 +675,14 @@ static X509_REQ *load_csr_autofmt(const char *infile, const char *desc) ERR_print_errors(bio_err); BIO_printf(bio_err, "error: unable to load %s from file '%s'\n", desc, infile); + } else { + EVP_PKEY *pkey = X509_REQ_get0_pubkey(csr); + int ret = do_X509_REQ_verify(csr, pkey, NULL /* vfyopts */); + + if (pkey == NULL || ret < 0) + CMP_warn("error while verifying CSR self-signature"); + else if (ret == 0) + CMP_warn("CSR self-signature does not match the contents"); } return csr; } @@ -1591,9 +1601,10 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) */ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) { - if (opt_subject == NULL && opt_oldcert == NULL && opt_cert == NULL + if (opt_subject == NULL + && opt_csr == NULL && opt_oldcert == NULL && opt_cert == NULL && opt_cmd != CMP_RR && opt_cmd != CMP_GENM) - CMP_warn("no -subject given, neither -oldcert nor -cert available as default"); + CMP_warn("no -subject given; no -csr or -oldcert or -cert available for fallback"); if (!set_name(opt_subject, OSSL_CMP_CTX_set1_subjectName, ctx, "subject") || !set_name(opt_issuer, OSSL_CMP_CTX_set1_issuer, ctx, "issuer")) return 0; @@ -1603,12 +1614,18 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) const int format = opt_keyform; const char *pass = opt_newkeypass; const char *desc = "new private key for cert to be enrolled"; - EVP_PKEY *pkey = load_key_pwd(file, format, pass, engine, desc); + EVP_PKEY *pkey; int priv = 1; + BIO *bio_bak = bio_err; + bio_err = NULL; /* suppress diagnostics on first try loading key */ + pkey = load_key_pwd(file, format, pass, engine, desc); + bio_err = bio_bak; if (pkey == NULL) { ERR_clear_error(); - desc = "fallback public key for cert to be enrolled"; + desc = opt_csr == NULL + ? "fallback public key for cert to be enrolled" + : "public key for checking cert resulting from p10cr"; pkey = load_pubkey(file, format, 0, pass, engine, desc); priv = 0; } @@ -1704,11 +1721,10 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_POPO_METHOD, opt_popo); if (opt_csr != NULL) { - if (opt_cmd != CMP_P10CR) { - CMP_warn("-csr option is ignored for command other than p10cr"); + if (opt_cmd == CMP_GENM) { + CMP_warn("-csr option is ignored for genm command"); } else { - X509_REQ *csr = - load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr"); + X509_REQ *csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr"); if (csr == NULL) return 0; @@ -1721,17 +1737,21 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) } if (opt_oldcert != NULL) { - X509 *oldcert = load_cert_pwd(opt_oldcert, opt_keypass, - "certificate to be updated/revoked"); - /* opt_keypass is needed if opt_oldcert is an encrypted PKCS#12 file */ + if (opt_cmd == CMP_GENM) { + CMP_warn("-oldcert option is ignored for genm command"); + } else { + X509 *oldcert = load_cert_pwd(opt_oldcert, opt_keypass, + "certificate to be updated/revoked"); + /* opt_keypass needed if opt_oldcert is an encrypted PKCS#12 file */ - if (oldcert == NULL) - return 0; - if (!OSSL_CMP_CTX_set1_oldCert(ctx, oldcert)) { + if (oldcert == NULL) + return 0; + if (!OSSL_CMP_CTX_set1_oldCert(ctx, oldcert)) { + X509_free(oldcert); + goto oom; + } X509_free(oldcert); - goto oom; } - X509_free(oldcert); } cleanse(opt_keypass); if (opt_revreason > CRL_REASON_NONE) @@ -1869,17 +1889,21 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) if (opt_cmd == CMP_KUR) { char *ref_cert = opt_oldcert != NULL ? opt_oldcert : opt_cert; - if (ref_cert == NULL) { - CMP_err("missing -oldcert option for certificate to be updated"); + if (ref_cert == NULL && opt_csr == NULL) { + CMP_err("missing -oldcert or -csr option for certificate to be updated"); goto err; } if (opt_subject != NULL) - CMP_warn2("-subject '%s' given, which overrides the subject of '%s' in KUR", - opt_subject, ref_cert); + CMP_warn2("given -subject '%s' overrides the subject of '%s' for KUR", + opt_subject, ref_cert != NULL ? ref_cert : opt_csr); } - if (opt_cmd == CMP_RR && opt_oldcert == NULL) { - CMP_err("missing certificate to be revoked"); - goto err; + if (opt_cmd == CMP_RR) { + if (opt_oldcert == NULL && opt_csr == NULL) { + CMP_err("missing certificate to be revoked and no fallback -csr given"); + goto err; + } + if (opt_oldcert != NULL && opt_csr != NULL) + CMP_warn("Ignoring -csr since certificate to be revoked is given"); } if (opt_cmd == CMP_P10CR && opt_csr == NULL) { CMP_err("missing PKCS#10 CSR for p10cr"); @@ -2831,8 +2855,7 @@ int cmp_main(int argc, char **argv) ret = 1; break; case CMP_RR: - if (OSSL_CMP_exec_RR_ses(cmp_ctx) != NULL) - ret = 1; + ret = OSSL_CMP_exec_RR_ses(cmp_ctx); break; case CMP_GENM: { diff --git a/apps/cmp_mock_srv.c b/apps/cmp_mock_srv.c index 9acbcdf60a..16a4e41721 100644 --- a/apps/cmp_mock_srv.c +++ b/apps/cmp_mock_srv.c @@ -234,7 +234,7 @@ static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx, { mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); - if (ctx == NULL || rr == NULL || issuer == NULL || serial == NULL) { + if (ctx == NULL || rr == NULL) { ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); return NULL; } @@ -243,6 +243,10 @@ static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx, return NULL; } + /* Allow any RR derived from CSR, which may include subject and serial */ + if (issuer == NULL || serial == NULL) + return OSSL_CMP_PKISI_dup(ctx->statusOut); + /* accept revocation only for the certificate we sent in ir/cr/kur */ if (X509_NAME_cmp(issuer, X509_get_issuer_name(ctx->certOut)) != 0 || ASN1_INTEGER_cmp(serial, diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c index 9b01b772e3..a0b9443546 100644 --- a/crypto/cmp/cmp_client.c +++ b/crypto/cmp/cmp_client.c @@ -742,7 +742,7 @@ X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type, return result; } -X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx) +int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx) { OSSL_CMP_MSG *rr = NULL; OSSL_CMP_MSG *rp = NULL; @@ -751,13 +751,13 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx) OSSL_CMP_REVREPCONTENT *rrep = NULL; OSSL_CMP_PKISI *si = NULL; char buf[OSSL_CMP_PKISI_BUFLEN]; - X509 *result = NULL; + int ret = 0; if (ctx == NULL) { ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); return 0; } - if (ctx->oldCert == NULL) { + if (ctx->oldCert == NULL && ctx->p10CSR == NULL) { ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT); return 0; } @@ -790,24 +790,24 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx) switch (ossl_cmp_pkisi_get_status(si)) { case OSSL_CMP_PKISTATUS_accepted: ossl_cmp_info(ctx, "revocation accepted (PKIStatus=accepted)"); - result = ctx->oldCert; + ret = 1; break; case OSSL_CMP_PKISTATUS_grantedWithMods: ossl_cmp_info(ctx, "revocation accepted (PKIStatus=grantedWithMods)"); - result = ctx->oldCert; + ret = 1; break; case OSSL_CMP_PKISTATUS_rejection: ERR_raise(ERR_LIB_CMP, CMP_R_REQUEST_REJECTED_BY_SERVER); goto err; case OSSL_CMP_PKISTATUS_revocationWarning: ossl_cmp_info(ctx, "revocation accepted (PKIStatus=revocationWarning)"); - result = ctx->oldCert; + ret = 1; break; case OSSL_CMP_PKISTATUS_revocationNotification: /* interpretation as warning or error depends on CA */ ossl_cmp_warn(ctx, "revocation accepted (PKIStatus=revocationNotification)"); - result = ctx->oldCert; + ret = 1; break; case OSSL_CMP_PKISTATUS_waiting: case OSSL_CMP_PKISTATUS_keyUpdateWarning: @@ -818,8 +818,8 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx) goto err; } - /* check any present CertId in optional revCerts field */ - if (rrep->revCerts != NULL) { + /* check any pretent CertId in optional revCerts field */ + if (sk_OSSL_CRMF_CERTID_num(rrep->revCerts) >= 1) { OSSL_CRMF_CERTID *cid; OSSL_CRMF_CERTTEMPLATE *tmpl = sk_OSSL_CMP_REVDETAILS_value(rr->body->value.rr, rsid)->certDetails; @@ -828,17 +828,17 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx) if (sk_OSSL_CRMF_CERTID_num(rrep->revCerts) != num_RevDetails) { ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT); - result = NULL; + ret = 0; goto err; } if ((cid = ossl_cmp_revrepcontent_get_CertId(rrep, rsid)) == NULL) { - result = NULL; + ret = 0; goto err; } if (X509_NAME_cmp(issuer, OSSL_CRMF_CERTID_get0_issuer(cid)) != 0) { #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID_IN_RP); - result = NULL; + ret = 0; goto err; #endif } @@ -846,7 +846,7 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx) OSSL_CRMF_CERTID_get0_serialNumber(cid)) != 0) { #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_SERIAL_IN_RP); - result = NULL; + ret = 0; goto err; #endif } @@ -855,19 +855,19 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx) /* check number of any optionally present crls */ if (rrep->crls != NULL && sk_X509_CRL_num(rrep->crls) != num_RevDetails) { ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT); - result = NULL; + ret = 0; goto err; } err: - if (result == NULL + if (ret == 0 && OSSL_CMP_CTX_snprint_PKIStatus(ctx, buf, sizeof(buf)) != NULL) ERR_add_error_data(1, buf); end: OSSL_CMP_MSG_free(rr); OSSL_CMP_MSG_free(rp); - return result; + return ret; } STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx) diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c index 45cda58879..93e99f9610 100644 --- a/crypto/cmp/cmp_msg.c +++ b/crypto/cmp/cmp_msg.c @@ -79,6 +79,34 @@ static int add1_extension(X509_EXTENSIONS **pexts, int nid, int crit, void *ex) return res; } +/* Add extension list to the referenced extension stack, which may be NULL */ +static int add_extensions(STACK_OF(X509_EXTENSION) **target, + const STACK_OF(X509_EXTENSION) *exts) +{ + int i; + + if (target == NULL) + return 0; + + for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) { + X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i); + ASN1_OBJECT *obj = X509_EXTENSION_get_object(ext); + int idx = X509v3_get_ext_by_OBJ(*target, obj, -1); + + /* Does extension exist in target? */ + if (idx != -1) { + /* Delete all extensions of same type */ + do { + X509_EXTENSION_free(sk_X509_EXTENSION_delete(*target, idx)); + idx = X509v3_get_ext_by_OBJ(*target, obj, -1); + } while (idx != -1); + } + if (!X509v3_add_ext(target, ext, -1)) + return 0; + } + return 1; +} + /* Add a CRL revocation reason code to extension stack, which may be NULL */ static int add_crl_reason_extension(X509_EXTENSIONS **pexts, int reason_code) { @@ -186,18 +214,19 @@ OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype) (sk_GENERAL_NAME_num((ctx)->subjectAltNames) > 0 \ || OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1) -static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, X509 *refcert, +static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, + const X509_NAME *ref_subj, int for_KUR) { if (ctx->subjectName != NULL) return ctx->subjectName; - if (refcert != NULL && (for_KUR || !HAS_SAN(ctx))) + if (ref_subj != NULL && (for_KUR || !HAS_SAN(ctx))) /* - * For KUR, copy subjectName from reference certificate. + * For KUR, copy subject from the reference. * For IR or CR, do the same only if there is no subjectAltName. */ - return X509_get_subject_name(refcert); + return ref_subj; return NULL; } @@ -208,13 +237,18 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid) /* refcert defaults to current client cert */ EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx, 0); STACK_OF(GENERAL_NAME) *default_sans = NULL; - const X509_NAME *subject = determine_subj(ctx, refcert, for_KUR); + const X509_NAME *ref_subj = + ctx->p10CSR != NULL ? X509_REQ_get_subject_name(ctx->p10CSR) : + refcert != NULL ? X509_get_subject_name(refcert) : NULL; + const X509_NAME *subject = determine_subj(ctx, ref_subj, for_KUR); const X509_NAME *issuer = ctx->issuer != NULL || refcert == NULL ? ctx->issuer : X509_get_issuer_name(refcert); int crit = ctx->setSubjectAltNameCritical || subject == NULL; /* RFC5280: subjectAltName MUST be critical if subject is null */ X509_EXTENSIONS *exts = NULL; + if (rkey == NULL && ctx->p10CSR != NULL) + rkey = X509_REQ_get0_pubkey(ctx->p10CSR); if (rkey == NULL) rkey = ctx->pkey; /* default is independent of ctx->oldCert */ if (rkey == NULL) { @@ -223,7 +257,7 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid) return NULL; #endif } - if (for_KUR && refcert == NULL) { + if (for_KUR && refcert == NULL && ctx->p10CSR == NULL) { ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT); return NULL; } @@ -256,14 +290,12 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid) if (refcert != NULL && !ctx->SubjectAltName_nodefault) default_sans = X509V3_get_d2i(X509_get0_extensions(refcert), NID_subject_alt_name, NULL, NULL); - /* exts are copied from ctx to allow reuse */ - if (ctx->reqExtensions != NULL) { - exts = sk_X509_EXTENSION_deep_copy(ctx->reqExtensions, - X509_EXTENSION_dup, - X509_EXTENSION_free); - if (exts == NULL) - goto err; - } + if (ctx->p10CSR != NULL + && (exts = X509_REQ_get_extensions(ctx->p10CSR)) == NULL) + goto err; + if (ctx->reqExtensions != NULL /* augment/override existing ones */ + && !add_extensions(&exts, ctx->reqExtensions)) + goto err; if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0 && !add1_extension(&exts, NID_subject_alt_name, crit, ctx->subjectAltNames)) @@ -281,7 +313,7 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid) /* end fill certTemplate, now set any controls */ /* for KUR, set OldCertId according to D.6 */ - if (for_KUR) { + if (for_KUR && refcert != NULL) { OSSL_CRMF_CERTID *cid = OSSL_CRMF_CERTID_gen(X509_get_issuer_name(refcert), X509_get0_serialNumber(refcert)); @@ -460,19 +492,27 @@ OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx) { OSSL_CMP_MSG *msg = NULL; OSSL_CMP_REVDETAILS *rd; + int ret; - if (!ossl_assert(ctx != NULL && ctx->oldCert != NULL)) + if (!ossl_assert(ctx != NULL && (ctx->oldCert != NULL + || ctx->p10CSR != NULL))) return NULL; if ((rd = OSSL_CMP_REVDETAILS_new()) == NULL) goto err; /* Fill the template from the contents of the certificate to be revoked */ - if (!OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails, - NULL /* pubkey would be redundant */, - NULL /* subject would be redundant */, - X509_get_issuer_name(ctx->oldCert), - X509_get0_serialNumber(ctx->oldCert))) + ret = ctx->oldCert != NULL + ? OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails, + NULL /* pubkey would be redundant */, + NULL /* subject would be redundant */, + X509_get_issuer_name(ctx->oldCert), + X509_get0_serialNumber(ctx->oldCert)) + : OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails, + X509_REQ_get0_pubkey(ctx->p10CSR), + X509_REQ_get_subject_name(ctx->p10CSR), + NULL, NULL); + if (!ret) goto err; /* revocation reason code is optional */ @@ -513,7 +553,7 @@ OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si, OSSL_CRMF_CERTID *cid_copy = NULL; OSSL_CMP_MSG *msg = NULL; - if (!ossl_assert(ctx != NULL && si != NULL && cid != NULL)) + if (!ossl_assert(ctx != NULL && si != NULL)) return NULL; if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RP)) == NULL) @@ -530,11 +570,13 @@ OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si, if ((rep->revCerts = sk_OSSL_CRMF_CERTID_new_null()) == NULL) goto err; - if ((cid_copy = OSSL_CRMF_CERTID_dup(cid)) == NULL) - goto err; - if (!sk_OSSL_CRMF_CERTID_push(rep->revCerts, cid_copy)) { - OSSL_CRMF_CERTID_free(cid_copy); - goto err; + if (cid != NULL) { + if ((cid_copy = OSSL_CRMF_CERTID_dup(cid)) == NULL) + goto err; + if (!sk_OSSL_CRMF_CERTID_push(rep->revCerts, cid_copy)) { + OSSL_CRMF_CERTID_free(cid_copy); + goto err; + } } if (!unprot_err diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c index 73e996af4e..2abf672387 100644 --- a/crypto/cmp/cmp_server.c +++ b/crypto/cmp/cmp_server.c @@ -248,7 +248,7 @@ static OSSL_CMP_MSG *process_rr(OSSL_CMP_SRV_CTX *srv_ctx, { OSSL_CMP_MSG *msg = NULL; OSSL_CMP_REVDETAILS *details; - OSSL_CRMF_CERTID *certId; + OSSL_CRMF_CERTID *certId = NULL; OSSL_CRMF_CERTTEMPLATE *tmpl; const X509_NAME *issuer; ASN1_INTEGER *serial; @@ -272,8 +272,8 @@ static OSSL_CMP_MSG *process_rr(OSSL_CMP_SRV_CTX *srv_ctx, tmpl = details->certDetails; issuer = OSSL_CRMF_CERTTEMPLATE_get0_issuer(tmpl); serial = OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(tmpl); - /* here issuer and serial may safely be NULL */ - if ((certId = OSSL_CRMF_CERTID_gen(issuer, serial)) == NULL) + if (issuer != NULL && serial != NULL + && (certId = OSSL_CRMF_CERTID_gen(issuer, serial)) == NULL) return NULL; if ((si = srv_ctx->process_rr(srv_ctx, req, issuer, serial)) == NULL) goto err; diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c index 4f4319a30c..0d9fce303e 100644 --- a/crypto/x509/x509_req.c +++ b/crypto/x509/x509_req.c @@ -152,7 +152,9 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) ext = X509_ATTRIBUTE_get0_type(attr, 0); break; } - if (!ext || (ext->type != V_ASN1_SEQUENCE)) + if (ext == NULL) /* no extensions is not an error */ + return sk_X509_EXTENSION_new_null(); + if (ext->type != V_ASN1_SEQUENCE) return NULL; p = ext->value.sequence->data; return (STACK_OF(X509_EXTENSION) *) diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 7841d2b0f3..6ef288168e 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -34,7 +34,7 @@ Certificate enrollment options: [B<-policy_oids_critical>] [B<-popo> I] [B<-csr> I] -[B<-out_trusted> I] +[B<-out_trusted> I|I] [B<-implicit_confirm>] [B<-disable_confirm>] [B<-certout> I] @@ -42,7 +42,7 @@ Certificate enrollment options: Certificate enrollment and revocation options: -[B<-oldcert> I] +[B<-oldcert> I|I] [B<-revreason> I] Message transfer options: @@ -56,9 +56,9 @@ Message transfer options: Server authentication options: -[B<-trusted> I] +[B<-trusted> I|I] [B<-untrusted> I] -[B<-srvcert> I] +[B<-srvcert> I|I] [B<-recipient> I] [B<-expect_sender> I] [B<-ignore_keyusage>] @@ -70,9 +70,9 @@ Client authentication options: [B<-ref> I] [B<-secret> I] -[B<-cert> I] -[B<-own_trusted> I] -[B<-key> I] +[B<-cert> I|I] +[B<-own_trusted> I|I] +[B<-key> I|I] [B<-keypass> I] [B<-digest> I] [B<-mac> I] @@ -89,11 +89,11 @@ Credentials format options: TLS connection options: [B<-tls_used>] -[B<-tls_cert> I] +[B<-tls_cert> I|I] [B<-tls_key> I|I] [B<-tls_keypass> I] -[B<-tls_extra> I] -[B<-tls_trusted> I] +[B<-tls_extra> I|I] +[B<-tls_trusted> I|I] [B<-tls_host> I] Client-side debugging options: @@ -113,14 +113,14 @@ Mock server options: [B<-max_msgs> I] [B<-srv_ref> I] [B<-srv_secret> I] -[B<-srv_cert> I] -[B<-srv_key> I] +[B<-srv_cert> I|I] +[B<-srv_key> I|I] [B<-srv_keypass> I] -[B<-srv_trusted> I] -[B<-srv_untrusted> I] -[B<-rsp_cert> I] -[B<-rsp_extracerts> I] -[B<-rsp_capubs> I] +[B<-srv_trusted> I|I] +[B<-srv_untrusted> I|I] +[B<-rsp_cert> I|I] +[B<-rsp_extracerts> I|I] +[B<-rsp_capubs> I|I] [B<-poll_count> I] [B<-check_after> I] [B<-grant_implicitconf>] @@ -216,7 +216,7 @@ B requests issuing an additional certificate for an End Entity already initialized to the PKI hierarchy. B requests issuing an additional certificate similarly to B -but uses PKCS#10 CSR format. +but using PKCS#10 CSR format. B requests a (key) update for an existing, given certificate. @@ -263,11 +263,11 @@ L. X509 Distinguished Name (DN) of subject to use in the requested certificate template. -For KUR, it defaults to the subject DN of the reference certificate -(see B<-oldcert>). +For KUR, it defaults to the subject DN of any given CSR +or of the reference certificate (see B<-oldcert>) if provided. This default is used for IR and CR only if no SANs are set. -The subject DN is also used as fallback sender of outgoing CMP messages +The provided subject DN is also used as fallback sender of outgoing CMP messages if no B<-cert> and no B<-oldcert> are given. The argument must be formatted as I. @@ -341,13 +341,18 @@ is provided via the B<-newkey> or B<-key> options. =item B<-csr> I -PKCS#10 CSR in PEM or DER format to use in legacy P10CR messages. +PKCS#10 CSR in PEM or DER format containing a certificate request. +When used with a with B<-cmd> I used directly in a legacy P10CR message. +When used with B<-cmd> I, I, or I, it is tranformed into the +respective regular CMP request. +It may also be used with B<-cmd> I to specifiy the certificate to be revoked +via the included subject and public key. -=item B<-out_trusted> I +=item B<-out_trusted> I|I Trusted certificate(s) to use for verifying the newly enrolled certificate. -Multiple filenames may be given, separated by commas and/or whitespace +Multiple sources may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). Each source may contain multiple certificates. @@ -380,15 +385,17 @@ The file where the chain of the newly enrolled certificate should be saved. =over 4 -=item B<-oldcert> I +=item B<-oldcert> I|I] The certificate to be updated (i.e., renewed or re-keyed) in Key Update Request (KUR) messages or to be revoked in Revocation Request (RR) messages. -It must be given for RR, while for KUR it defaults to B<-cert>. +For RR the certificate to be revoked can also be specified using B<-csr>. +For KUR certificate to be updated defaults to B<-cert>, and the resulting certificate is called +I. -The reference certificate determined in this way, if any, is also used for +The reference certificate, if any, is also used for deriving default subject DN and Subject Alternative Names and the -default issuer entry in the requested certificate template of IR/CR/KUR. +default issuer entry in the requested certificate template of a IR/CR/KUR. Its subject is used as sender of outgoing messages if B<-cert> is not given. Its issuer is used as default recipient in CMP message headers if neither B<-recipient>, B<-srvcert>, nor B<-issuer> is given. @@ -465,7 +472,7 @@ Default is 0 (infinite). =over 4 -=item B<-trusted> I +=item B<-trusted> I|I When verifying signature-based protection of CMP response messages, these are the CA certificate(s) to trust while checking certificate chains @@ -477,7 +484,7 @@ for which a chain to one of the given trusted certificates can be constructed. If no B<-trusted>, B<-srvcert>, and B<-secret> option is given then protected response messages from the server are not authenticated. -Multiple filenames may be given, separated by commas and/or whitespace +Multiple sources may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). Each source may contain multiple certificates. @@ -496,10 +503,10 @@ as well as for chain building when verifying the CMP server certificate (checking signature-based CMP message protection) and when verifying newly enrolled certificates. -Multiple filenames may be given, separated by commas and/or whitespace. +Multiple sources may be given, separated by commas and/or whitespace. Each file may contain multiple certificates. -=item B<-srvcert> I +=item B<-srvcert> I|I] The specific CMP server certificate to expect and directly trust (even if it is expired) when verifying signature-based protection of CMP response messages. @@ -609,7 +616,7 @@ This takes precedence over the B<-cert> and B<-key> options. For more information about the format of B see L. -=item B<-cert> I +=item B<-cert> I|I] The client's current CMP signer certificate. Requires the corresponding key to be given with B<-key>. @@ -628,13 +635,13 @@ If the file includes further certs, they are appended to the untrusted certs because they typically constitute the chain of the client certificate, which is included in the extraCerts field in signature-protected request messages. -=item B<-own_trusted> I +=item B<-own_trusted> I|I If this list of certificates is provided then the chain built for the client-side CMP signer certificate given with the B<-cert> option is verified using the given certificates as trust anchors. -Multiple filenames may be given, separated by commas and/or whitespace +Multiple sources may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). Each source may contain multiple certificates. @@ -642,7 +649,7 @@ The certificate verification options B<-verify_hostname>, B<-verify_ip>, and B<-verify_email> have no effect on the certificate verification enabled via this option. -=item B<-key> I +=item B<-key> I|I] The corresponding private key file for the client's current certificate given in the B<-cert> option. @@ -680,7 +687,7 @@ Defaults to C as per RFC 4210. Certificates to append in the extraCerts field when sending messages. They can be used as the default CMP signer certificate chain to include. -Multiple filenames or URLs may be given, separated by commas and/or whitespace +Multiple sources may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). Each source may contain multiple certificates. @@ -743,10 +750,10 @@ B<-tls_key>. Enable using TLS (even when other TLS_related options are not set) when connecting to CMP server. -=item B<-tls_cert> I +=item B<-tls_cert> I|I] Client's TLS certificate. -If the file includes further certs they are used (along with B<-untrusted> +If the source includes further certs they are used (along with B<-untrusted> certs) for constructing the client cert chain provided to the TLS server. =item B<-tls_key> I|I @@ -762,16 +769,16 @@ If not given here, the password will be prompted for if needed. For more information about the format of B see L. -=item B<-tls_extra> I +=item B<-tls_extra> I|I Extra certificates to provide to TLS server during TLS handshake -=item B<-tls_trusted> I +=item B<-tls_trusted> I|I Trusted certificate(s) to use for verifying the TLS server certificate. This implies hostname validation. -Multiple filenames may be given, separated by commas and/or whitespace +Multiple sources may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). Each source may contain multiple certificates. @@ -868,11 +875,11 @@ Reference value to use as senderKID of server in case no B<-srv_cert> is given. Password source for server authentication with a pre-shared key (secret). -=item B<-srv_cert> I +=item B<-srv_cert> I|I] Certificate of the server. -=item B<-srv_key> I +=item B<-srv_key> I|I] Private key used by the server for signing messages. @@ -880,7 +887,7 @@ Private key used by the server for signing messages. Server private key (and cert) file pass phrase source. -=item B<-srv_trusted> I +=item B<-srv_trusted> I|I Trusted certificates for client authentication. @@ -888,19 +895,19 @@ The certificate verification options B<-verify_hostname>, B<-verify_ip>, and B<-verify_email> have no effect on the certificate verification enabled via this option. -=item B<-srv_untrusted> I +=item B<-srv_untrusted> I|I Intermediate CA certs that may be useful when verifying client certificates. -=item B<-rsp_cert> I +=item B<-rsp_cert> I|I] Certificate to be returned as mock enrollment result. -=item B<-rsp_extracerts> I +=item B<-rsp_extracerts> I|I Extra certificates to be included in mock certification responses. -=item B<-rsp_capubs> I +=item B<-rsp_capubs> I|I CA certificates to be included in mock Initialization Response (IP) message. diff --git a/doc/man3/OSSL_CMP_exec_certreq.pod b/doc/man3/OSSL_CMP_exec_certreq.pod index 895a8a9497..070f775914 100644 --- a/doc/man3/OSSL_CMP_exec_certreq.pod +++ b/doc/man3/OSSL_CMP_exec_certreq.pod @@ -32,7 +32,7 @@ OSSL_CMP_exec_GENM_ses #define OSSL_CMP_KUR int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, const OSSL_CRMF_MSG *crm, int *checkAfter); - X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx); + int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx); STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx); =head1 DESCRIPTION @@ -137,9 +137,7 @@ In the latter case L yields NULL and the output parameter I has been used to assign the received value unless I is NULL. -OSSL_CMP_exec_RR_ses() returns the -pointer to the revoked certificate on success, NULL on error. -This pointer will be freed implicitly by OSSL_CMP_CTX_free(). +OSSL_CMP_exec_RR_ses() returns 1 on success, 0 on error. OSSL_CMP_exec_GENM_ses() returns a pointer to the received B sequence on success, NULL on error. diff --git a/include/openssl/cmp.h.in b/include/openssl/cmp.h.in index 94c8ccf978..a2c0984f5e 100644 --- a/include/openssl/cmp.h.in +++ b/include/openssl/cmp.h.in @@ -457,7 +457,7 @@ X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type, OSSL_CMP_exec_certreq(ctx, OSSL_CMP_KUR, NULL) int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, const OSSL_CRMF_MSG *crm, int *checkAfter); -X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx); +int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx); STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx); # ifdef __cplusplus diff --git a/test/cmp_client_test.c b/test/cmp_client_test.c index e2c0ca5534..8a570f62ea 100644 --- a/test/cmp_client_test.c +++ b/test/cmp_client_test.c @@ -92,7 +92,7 @@ static CMP_SES_TEST_FIXTURE *set_up(const char *const test_case_name) static int execute_exec_RR_ses_test(CMP_SES_TEST_FIXTURE *fixture) { return TEST_int_eq(fixture->expected, - OSSL_CMP_exec_RR_ses(fixture->cmp_ctx) == client_cert); + OSSL_CMP_exec_RR_ses(fixture->cmp_ctx) == 1); } static int execute_exec_GENM_ses_test(CMP_SES_TEST_FIXTURE *fixture) diff --git a/test/recipes/81-test_cmp_cli_data/test_commands.csv b/test/recipes/81-test_cmp_cli_data/test_commands.csv index 4d7a4be3eb..7feaebcdd0 100644 --- a/test/recipes/81-test_cmp_cli_data/test_commands.csv +++ b/test/recipes/81-test_cmp_cli_data/test_commands.csv @@ -33,8 +33,10 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty 0, --- get certificate for revocation ----, -section,, -cmd,cr,,BLANK,,,BLANK,,,BLANK,,BLANK, 0,revreason AACompromise, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,_RESULT_DIR/test.cert.pem, -revreason,10 0, --- get certificate for revocation ----, -section,, -cmd,cr,,BLANK,,,BLANK,,,BLANK,,BLANK, +0, --- use csr for revocation ----, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,,BLANK, -revreason,0, -csr,csr.pem +0, --- get certificate for revocation ----, -section,, -cmd,cr,,BLANK,,,BLANK,,,BLANK,,BLANK, 1,without oldcert, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,,BLANK, -1,oldcert is directory, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,dir/,BLANK, +1,oldcert is directory, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,dir/,BLANK,cmp 1,oldcert file nonexistent, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,idontexist,BLANK, 1,empty oldcert file, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,empty.txt,BLANK, 1,oldcert and key do not match, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,trusted.crt, -revreason,0 diff --git a/test/recipes/81-test_cmp_cli_data/test_enrollment.csv b/test/recipes/81-test_cmp_cli_data/test_enrollment.csv index dc65973c55..d8d6cd2c6c 100644 --- a/test/recipes/81-test_cmp_cli_data/test_enrollment.csv +++ b/test/recipes/81-test_cmp_cli_data/test_enrollment.csv @@ -85,7 +85,7 @@ expected,description, -section,val, -cmd,val, -newkey,val,val, -newkeypass,val, 1,oldcert empty file, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_oldcert4.pem,, -out_trusted,root.crt,, -oldcert,empty.txt,BLANK,,, 1,oldcert random contents, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_oldcert5.pem,, -out_trusted,root.crt,, -oldcert,random.bin,BLANK,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, -0,csr ignored for ir, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_csr_ignored.pem,, -out_trusted,root.crt,,BLANK,, -csr,idontexist,, +0,csr used in ir, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_csr_ignored.pem,, -out_trusted,root.crt,,BLANK,, -csr,csr.pem,, 0,p10cr csr, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr.pem,, -out_trusted,root.crt,,BLANK,, -csr,csr.pem,, 1,p10cr csr missing, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr1.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,, 1,p10cr csr missing arg, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr1.pem,, -out_trusted,root.crt,,BLANK,, -csr,,, From tmraz at fedoraproject.org Thu Jan 21 17:09:18 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Thu, 21 Jan 2021 17:09:18 +0000 Subject: [openssl] master update Message-ID: <1611248958.212998.12512.nullmailer@dev.openssl.org> The branch master has been updated via 616581aaac2dda1557586f7b43fc3a3d926899c4 (commit) via 6c4ecc655a1def370b4f5b43c455b0c6617938c8 (commit) via 24d5be7a2a9a6b992510f055a65462e372bd1085 (commit) via 6253cdcc8ea7b0116a43ee596ac03e0b04b8b762 (commit) via f23e4a17a2309793a0ac787725736f1c4474c804 (commit) via 6d9a54c6e661094c0668f0307213789c2d9be3ec (commit) from 3d46c81a7d6219fd51ccc3b16406f19b82d0176e (commit) - Log ----------------------------------------------------------------- commit 616581aaac2dda1557586f7b43fc3a3d926899c4 Author: Tomas Mraz Date: Fri Jan 15 18:33:40 2021 +0100 dh_cms_set_shared_info: Use explicit fetch to be able to provide libctx Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13869) commit 6c4ecc655a1def370b4f5b43c455b0c6617938c8 Author: Tomas Mraz Date: Fri Jan 15 17:13:00 2021 +0100 dh_cms_set_peerkey: The peer key is encoded as an ASN.1 integer It must be decoded from the ASN.1 integer before setting to the EVP_PKEY. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13869) commit 24d5be7a2a9a6b992510f055a65462e372bd1085 Author: Tomas Mraz Date: Fri Jan 15 11:12:09 2021 +0100 Make the smdh.pem test certificate usable with fips provider Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13869) commit 6253cdcc8ea7b0116a43ee596ac03e0b04b8b762 Author: Tomas Mraz Date: Thu Jan 14 15:53:08 2021 +0100 kdf_exch.c (kdf_derive): Proper handling of NULL secret Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13869) commit f23e4a17a2309793a0ac787725736f1c4474c804 Author: Tomas Mraz Date: Thu Jan 14 14:43:11 2021 +0100 Fixes related to broken DH support in CMS - DH support should work with both DH and DHX keys - UKM parameter is optional so it can have length 0 Fixes #13810 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13869) commit 6d9a54c6e661094c0668f0307213789c2d9be3ec Author: Tomas Mraz Date: Thu Jan 14 14:40:23 2021 +0100 Pass correct maximum output length to provider derive operation And improve error checking in EVP_PKEY_derive* calls. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/13869) ----------------------------------------------------------------------- Summary of changes: crypto/cms/cms_dh.c | 28 +++++++++-- crypto/cms/cms_env.c | 4 +- crypto/evp/dh_ctrl.c | 2 +- crypto/evp/exchange.c | 16 +++--- crypto/evp/p_lib.c | 2 + providers/fips/self_test_kats.c | 2 +- providers/implementations/exchange/kdf_exch.c | 8 ++- test/recipes/80-test_cms.t | 22 ++++---- test/smime-certs/mksmime-certs.sh | 3 +- test/smime-certs/smdh.pem | 72 ++++++++++++++++----------- 10 files changed, 101 insertions(+), 58 deletions(-) diff --git a/crypto/cms/cms_dh.c b/crypto/cms/cms_dh.c index 9cba6364d1..538ef45174 100644 --- a/crypto/cms/cms_dh.c +++ b/crypto/cms/cms_dh.c @@ -13,6 +13,7 @@ #include #include #include "cms_local.h" +#include "crypto/evp.h" static int dh_cms_set_peerkey(EVP_PKEY_CTX *pctx, X509_ALGOR *alg, ASN1_BIT_STRING *pubkey) @@ -23,7 +24,9 @@ static int dh_cms_set_peerkey(EVP_PKEY_CTX *pctx, ASN1_INTEGER *public_key = NULL; int rv = 0; EVP_PKEY *pkpeer = NULL, *pk = NULL; + BIGNUM *bnpub = NULL; const unsigned char *p; + unsigned char *buf = NULL; int plen; X509_ALGOR_get0(&aoid, &atype, &aval, alg); @@ -43,16 +46,28 @@ static int dh_cms_set_peerkey(EVP_PKEY_CTX *pctx, if (p == NULL || plen == 0) goto err; + if ((public_key = d2i_ASN1_INTEGER(NULL, &p, plen)) == NULL) + goto err; + plen = ASN1_STRING_length((ASN1_STRING *)public_key); + if ((bnpub = ASN1_INTEGER_to_BN(public_key, NULL)) == NULL) + goto err; + if ((buf = OPENSSL_malloc(plen)) == NULL) + goto err; + if (BN_bn2binpad(bnpub, buf, plen) < 0) + goto err; + pkpeer = EVP_PKEY_new(); if (pkpeer == NULL || !EVP_PKEY_copy_parameters(pkpeer, pk) - || !EVP_PKEY_set1_encoded_public_key(pkpeer, p, plen)) + || !EVP_PKEY_set1_encoded_public_key(pkpeer, buf, plen)) goto err; if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0) rv = 1; err: ASN1_INTEGER_free(public_key); + BN_free(bnpub); + OPENSSL_free(buf); EVP_PKEY_free(pkpeer); return rv; } @@ -66,8 +81,9 @@ static int dh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri) unsigned char *dukm = NULL; size_t dukmlen = 0; int keylen, plen; - const EVP_CIPHER *kekcipher; + EVP_CIPHER *kekcipher = NULL; EVP_CIPHER_CTX *kekctx; + const char *name; if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm)) goto err; @@ -96,7 +112,12 @@ static int dh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri) kekctx = CMS_RecipientInfo_kari_get0_ctx(ri); if (kekctx == NULL) goto err; - kekcipher = EVP_get_cipherbyobj(kekalg->algorithm); + + name = OBJ_nid2sn(OBJ_obj2nid(kekalg->algorithm)); + if (name == NULL) + goto err; + + kekcipher = EVP_CIPHER_fetch(pctx->libctx, name, pctx->propquery); if (kekcipher == NULL || EVP_CIPHER_mode(kekcipher) != EVP_CIPH_WRAP_MODE) goto err; if (!EVP_EncryptInit_ex(kekctx, kekcipher, NULL, NULL, NULL)) @@ -127,6 +148,7 @@ static int dh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri) rv = 1; err: X509_ALGOR_free(kekalg); + EVP_CIPHER_free(kekcipher); OPENSSL_free(dukm); return rv; } diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index d2f630146e..6f3ca020d8 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -115,7 +115,7 @@ int cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd) } else return 0; - if (EVP_PKEY_is_a(pkey, "DHX")) + if (EVP_PKEY_is_a(pkey, "DHX") || EVP_PKEY_is_a(pkey, "DH")) return cms_dh_envelope(ri, cmd); else if (EVP_PKEY_is_a(pkey, "EC")) return cms_ecdh_envelope(ri, cmd); @@ -1294,6 +1294,8 @@ int cms_pkey_get_ri_type(EVP_PKEY *pk) /* Check types that we know about */ if (EVP_PKEY_is_a(pk, "DH")) return CMS_RECIPINFO_AGREE; + else if (EVP_PKEY_is_a(pk, "DHX")) + return CMS_RECIPINFO_AGREE; else if (EVP_PKEY_is_a(pk, "DSA")) return CMS_RECIPINFO_NONE; else if (EVP_PKEY_is_a(pk, "EC")) diff --git a/crypto/evp/dh_ctrl.c b/crypto/evp/dh_ctrl.c index 64492389b7..7cf589f60b 100644 --- a/crypto/evp/dh_ctrl.c +++ b/crypto/evp/dh_ctrl.c @@ -514,7 +514,7 @@ int EVP_PKEY_CTX_set0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int len) int ret; OSSL_PARAM params[2], *p = params; - if (len <= 0) + if (len < 0) return -1; ret = dh_param_derive_check(ctx); diff --git a/crypto/evp/exchange.c b/crypto/evp/exchange.c index 501645fa0c..1721db94a7 100644 --- a/crypto/evp/exchange.c +++ b/crypto/evp/exchange.c @@ -183,7 +183,7 @@ int EVP_PKEY_derive_init(EVP_PKEY_CTX *ctx) const char *supported_exch = NULL; if (ctx == NULL) { - ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); + ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER); return -2; } @@ -318,8 +318,8 @@ int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer) void *provkey = NULL; if (ctx == NULL) { - ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); - return -2; + ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER); + return -1; } if (!EVP_PKEY_CTX_IS_DERIVE_OP(ctx) || ctx->op.kex.exchprovctx == NULL) @@ -413,9 +413,9 @@ int EVP_PKEY_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *pkeylen) { int ret; - if (ctx == NULL) { - ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); - return -2; + if (ctx == NULL || pkeylen == NULL) { + ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER); + return -1; } if (!EVP_PKEY_CTX_IS_DERIVE_OP(ctx)) { @@ -427,11 +427,11 @@ int EVP_PKEY_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *pkeylen) goto legacy; ret = ctx->op.kex.exchange->derive(ctx->op.kex.exchprovctx, key, pkeylen, - SIZE_MAX); + key != NULL ? *pkeylen : 0); return ret; legacy: - if (ctx == NULL || ctx->pmeth == NULL || ctx->pmeth->derive == NULL) { + if (ctx->pmeth == NULL || ctx->pmeth->derive == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return -2; } diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 93cdbb89bf..cc5a612748 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -972,6 +972,8 @@ int evp_pkey_name2type(const char *name) type = EVP_PKEY_DH; else if (strcasecmp(name, "X9.42 DH") == 0) type = EVP_PKEY_DHX; + else if (strcasecmp(name, "DHX") == 0) + type = EVP_PKEY_DHX; else if (strcasecmp(name, "DSA") == 0) type = EVP_PKEY_DSA; diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c index 0d76778ab5..c80a2c0dbc 100644 --- a/providers/fips/self_test_kats.c +++ b/providers/fips/self_test_kats.c @@ -361,7 +361,7 @@ static int self_test_ka(const ST_KAT_KAS *t, OSSL_PARAM *params = NULL; OSSL_PARAM *params_peer = NULL; unsigned char secret[256]; - size_t secret_len; + size_t secret_len = sizeof(secret); OSSL_PARAM_BLD *bld = NULL; BN_CTX *bnctx = NULL; diff --git a/providers/implementations/exchange/kdf_exch.c b/providers/implementations/exchange/kdf_exch.c index c022a35107..43652faf50 100644 --- a/providers/implementations/exchange/kdf_exch.c +++ b/providers/implementations/exchange/kdf_exch.c @@ -95,7 +95,13 @@ static int kdf_derive(void *vpkdfctx, unsigned char *secret, size_t *secretlen, if (!ossl_prov_is_running()) return 0; - return EVP_KDF_derive(pkdfctx->kdfctx, secret, *secretlen); + + if (secret == NULL) { + *secretlen = EVP_KDF_CTX_get_kdf_size(pkdfctx->kdfctx); + return 1; + } + + return EVP_KDF_derive(pkdfctx->kdfctx, secret, outlen); } static void kdf_freectx(void *vpkdfctx) diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t index 6783897139..1acc6980e0 100644 --- a/test/recipes/80-test_cms.t +++ b/test/recipes/80-test_cms.t @@ -598,7 +598,7 @@ my @smime_cms_param_tests = ( "-stream", "-out", "{output}.cms", "-recip", catfile($smdir, "smec1.pem"), "-aes-128-gcm", "-keyopt", "ecdh_kdf_md:sha256" ], [ "{cmd2}", "-decrypt", "-recip", catfile($smdir, "smec1.pem"), - "-in", "{output}.cms", "-out", "{output}.txt" ], + "-in", "{output}.cms", "-out", "{output}.txt" ], \&final_compare ], @@ -610,18 +610,16 @@ my @smime_cms_param_tests = ( [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smec2.pem"), "-in", "{output}.cms", "-out", "{output}.txt" ], \&final_compare - ] + ], - # TODO(3.0) Add this test back in when "dhpublicnumber" is supported - # in the keymanger. - #[ "enveloped content test streaming S/MIME format, X9.42 DH", - # [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, - # "-stream", "-out", "{output}.cms", - # "-recip", catfile($smdir, "smdh.pem"), "-aes128" ], - # [ "{cmd2}", "-decrypt", "-recip", catfile($smdir, "smdh.pem"), - # "-in", "{output}.cms", "-out", "{output}.txt" ], - # \&final_compare - #] + [ "enveloped content test streaming S/MIME format, X9.42 DH", + [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, + "-stream", "-out", "{output}.cms", + "-recip", catfile($smdir, "smdh.pem"), "-aes128" ], + [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), + "-in", "{output}.cms", "-out", "{output}.txt" ], + \&final_compare + ] ); my @contenttype_cms_test = ( diff --git a/test/smime-certs/mksmime-certs.sh b/test/smime-certs/mksmime-certs.sh index b0603d4e86..d06edae98c 100644 --- a/test/smime-certs/mksmime-certs.sh +++ b/test/smime-certs/mksmime-certs.sh @@ -69,8 +69,7 @@ CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -noenc \ $OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec3.pem # Create X9.42 DH parameters. -$OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_type:2 \ - -out dhp.pem +$OPENSSL genpkey -genparam -algorithm DHX -out dhp.pem # Generate X9.42 DH key. $OPENSSL genpkey -paramfile dhp.pem -out smdh.pem $OPENSSL pkey -pubout -in smdh.pem -out dhpub.pem diff --git a/test/smime-certs/smdh.pem b/test/smime-certs/smdh.pem index f831b0713b..7d66a6b421 100644 --- a/test/smime-certs/smdh.pem +++ b/test/smime-certs/smdh.pem @@ -1,33 +1,47 @@ -----BEGIN PRIVATE KEY----- -MIIBSgIBADCCASsGByqGSM4+AgEwggEeAoGBANQMSgwEcnEZ31kZxa9Ef8qOK/AJ -9dMlsXMWVYnf/QevGdN/0Aei/j9a8QHG+CvvTm0DOEKhN9QUtABKsYZag865CA7B -mSdHjQuFqILtzA25sDJ+3+jk9vbss+56ETRll/wasJVLGbmmHNkBMvc1fC1d/sGF -cEn4zJnQvvFaeMgDAoGAaQD9ZvL8FYsJuNxN6qp5VfnfRqYvyi2PWSqtRKPGGC+V -thYg49PRjwPOcXzvOsdEOQ7iH9jTiSvnUdwSSEwYTZkSBuQXAgOMJAWOpoXyaRvh -atziBDoBnWS+/kX5RBhxvS0+em9yfRqAQleuGG+R1mEDihyJc8dWQQPT+O1l4oUC -FQCJlKsQZ0VBrWPGcUCNa54ZW6TH9QQWAhRR2NMZrQSfWthXDO8Lj5WZ34zQrA== +MIICXQIBADCCAjUGByqGSM4+AgEwggIoAoIBAQCCyx9ZhD6HY5xgusGDrJZJ+FdT +e9OxD/p9DQNKqoLyJ10TAUXuycozVqDAD4v1wsOAPH0TDOX9Ns87PXgTbd6DpSJt +F1ZLW+1pklZs2m0cLl4raOe8CZGHkSgia0wC40LAg/u/JZ6NAG2YSiFEtjbkf81l +pvL0946LiHfHklMtSOkK3H9PkGB/KrXMITRR2P1u78AzTvc2YL7iLlCu6mV2g6v4 +ieeWprywTaZ8gp3NBMjyuRJniGCQ52jPfOvT32w/sBTIfUO+95u/eEHrTP4K+vTk +VS3wLo5ypgrveRdALKvqkHe0qfNr5VQRk2Pt6ReH35kjiUPLZCccgJr9h80hAoIB +AE50cpgSJBYr9+5dj+fJJcXf/KX9rttlBXyveUP+vbSm/oW443/IksO3oLMy1Raq +tHTDBhtNrH7rSK6CDStKrMkgHsjTYkZOU85vCdrVi3UZBz0GiYO/8kQ8aLeTe3LB +7QB0kkkUgZ7etsnNxEkz9WQwohTvGBHBFNDKDqWadP9BpNrFoDCYojit7GOZPQgt +eEiCO8D9xu0sEXT8ZdRqWcmkTfeMRojrzxt0LpT/vUKHGsBFmUN7kH4Hy9z2LJxB +DrYYkV3LSAweuUQKBocNI7bbbOvPByUvHVMfJBrBmwIJI3vc3091njOH53zATNNv +ta+9S7L4zNsvbg8RtJyH8i4CHQCY12PTXj6Ipxbqq4d1Q+AoUqnN/H9lAS46teXv +BB8CHQCGE6pxpX5lWcH6+TGLDoLo3T5L2/5KTd0tRNdj -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIID/zCCAuegAwIBAgIJANv1TSKgememMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv -TUlNRSBSU0EgUm9vdDAeFw0xMzA4MDIxNDQ5MjlaFw0yMzA2MTExNDQ5MjlaMEQx -CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU -ZXN0IFMvTUlNRSBFRSBESCAjMTCCAbYwggErBgcqhkjOPgIBMIIBHgKBgQDUDEoM -BHJxGd9ZGcWvRH/KjivwCfXTJbFzFlWJ3/0HrxnTf9AHov4/WvEBxvgr705tAzhC -oTfUFLQASrGGWoPOuQgOwZknR40LhaiC7cwNubAyft/o5Pb27LPuehE0ZZf8GrCV -Sxm5phzZATL3NXwtXf7BhXBJ+MyZ0L7xWnjIAwKBgGkA/Wby/BWLCbjcTeqqeVX5 -30amL8otj1kqrUSjxhgvlbYWIOPT0Y8DznF87zrHRDkO4h/Y04kr51HcEkhMGE2Z -EgbkFwIDjCQFjqaF8mkb4Wrc4gQ6AZ1kvv5F+UQYcb0tPnpvcn0agEJXrhhvkdZh -A4ociXPHVkED0/jtZeKFAhUAiZSrEGdFQa1jxnFAjWueGVukx/UDgYQAAoGAL1ve -cgI2awBeJH8ULBhSQpdL224VUDxFPiXzt8Vu5VLnxPv0pfA5En+8VByTuV7u6RSw -3/78NuTyr/sTyN8YlB1AuXHdTJynA1ICte1xgD4j2ijlq+dv8goOAFt9xkvXx7LD -umJ/cCignXETcNGfMi8+0s0bpMZyoHRdce8DQ26jYDBeMAwGA1UdEwEB/wQCMAAw -DgYDVR0PAQH/BAQDAgXgMB0GA1UdDgQWBBQLWk1ffSXH8p3Bqrdjgi/6jzLnwDAf -BgNVHSMEGDAWgBTffl6IBSQzCN0igQKXzJq3sTMnMDANBgkqhkiG9w0BAQUFAAOC -AQEAWvJj79MW1/Wq3RIANgAhonsI1jufYqxTH+1M0RU0ZXHulgem77Le2Ls1bizi -0SbvfpTiiFGkbKonKtO2wvfqwwuptSg3omMI5IjAGxYbyv2KBzIpp1O1LTDk9RbD -48JMMF01gByi2+NLUQ1MYF+5RqyoRqcyp5x2+Om1GeIM4Q/GRuI4p4dybWy8iC+d -LeXQfR7HXfh+tAum+WzjfLJwbnWbHmPhTbKB01U4lBp6+r8BGHAtNdPjEHqap4/z -vVZVXti9ThZ20EhM+VFU3y2wyapeQjhQvw/A2YRES0Ik7BSj3hHfWH/CTbLVQnhu -Uj6tw18ExOYxqoEGixNLPA5qsQ== +MIIFljCCBH6gAwIBAgIUYmx57362u3KsYCqtKby2mYi+pLMwDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIxMDExNTEwMDk1MloXDTMwMTEy +NDEwMDk1MlowRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx +HTAbBgNVBAMMFFRlc3QgUy9NSU1FIEVFIERIICMxMIIDQjCCAjUGByqGSM4+AgEw +ggIoAoIBAQCCyx9ZhD6HY5xgusGDrJZJ+FdTe9OxD/p9DQNKqoLyJ10TAUXuycoz +VqDAD4v1wsOAPH0TDOX9Ns87PXgTbd6DpSJtF1ZLW+1pklZs2m0cLl4raOe8CZGH +kSgia0wC40LAg/u/JZ6NAG2YSiFEtjbkf81lpvL0946LiHfHklMtSOkK3H9PkGB/ +KrXMITRR2P1u78AzTvc2YL7iLlCu6mV2g6v4ieeWprywTaZ8gp3NBMjyuRJniGCQ +52jPfOvT32w/sBTIfUO+95u/eEHrTP4K+vTkVS3wLo5ypgrveRdALKvqkHe0qfNr +5VQRk2Pt6ReH35kjiUPLZCccgJr9h80hAoIBAE50cpgSJBYr9+5dj+fJJcXf/KX9 +rttlBXyveUP+vbSm/oW443/IksO3oLMy1RaqtHTDBhtNrH7rSK6CDStKrMkgHsjT +YkZOU85vCdrVi3UZBz0GiYO/8kQ8aLeTe3LB7QB0kkkUgZ7etsnNxEkz9WQwohTv +GBHBFNDKDqWadP9BpNrFoDCYojit7GOZPQgteEiCO8D9xu0sEXT8ZdRqWcmkTfeM +Rojrzxt0LpT/vUKHGsBFmUN7kH4Hy9z2LJxBDrYYkV3LSAweuUQKBocNI7bbbOvP +ByUvHVMfJBrBmwIJI3vc3091njOH53zATNNvta+9S7L4zNsvbg8RtJyH8i4CHQCY +12PTXj6Ipxbqq4d1Q+AoUqnN/H9lAS46teXvA4IBBQACggEAJP4Vy6vcIa7jLa93 +DWeT0pxe4zeYXxRWbvS7reLoZcBIhH253/QfXj+0UhcjtAa5A2X519anBuetUern +ecBmHO9vAj9F7J6feK+pUxE8cl793gmWzcGijMXCuRorW7GZ3XBTuQbWaJLtxB4a +rS54+CFMUfqR5coxGrraGPGjR9P6YCpJgWL74yxiQVzjEdwPLEz/0ehKeDkSvuj8 +Ixe06fY0eA9sfxx7+4lm2Jhw7XaIfguo8mgrfWjBzkkT2mcAHss/fdKcXNYrg+A+ +xgApPiyuy7S4YkQSsdV5Ns8UFttBCuojzEuWQ49fMZcv/rIHSHSxpbg2Sdka+d6h +wOQHK6NgMF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYE +FLG7SOccVVRWmPw87GRrYH/NCegTMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaI +qSTm5bZsMA0GCSqGSIb3DQEBCwUAA4IBAQA5r5k39ghJIgQKjOXSffhtAaBPT0Um +WtLjijp/iBUAowFpncDRIp+Ng7n/feJHDdnh59H0ZHGljWqZ3rgG3HjjArvG+iUm +6aaS4KdM6OwK60JTUXBQ/InISXzrZof2oZ5BjO6L6yV6cpaYOLlLo3QjU8HE54G9 +7UyR48NSvhwPw+vS1Abjib+K1En/ctnlm0CurHgP56LrJxguFZZP6+UjCnEy0wxm +VRr+y4+IgWikdOumMelJ+x9O9R7EPVfwQ9TYBtpo5hZQiGhSJ3Di9LZO5i0h2xjj +AhtR8zmzusFX2Ruh2dXQWeNx/dMEcYRJLU1P+IxUq2g1GUiCgq2Xc7ZY -----END CERTIFICATE----- From tmraz at fedoraproject.org Thu Jan 21 17:35:54 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Thu, 21 Jan 2021 17:35:54 +0000 Subject: [openssl] master update Message-ID: <1611250554.549940.17708.nullmailer@dev.openssl.org> The branch master has been updated via daa86f9e6bfeb83a5db976c6351f7a568a8d6dcb (commit) from 616581aaac2dda1557586f7b43fc3a3d926899c4 (commit) - Log ----------------------------------------------------------------- commit daa86f9e6bfeb83a5db976c6351f7a568a8d6dcb Author: zsugabubus Date: Mon Jan 18 15:33:57 2021 +0100 Check input size before NULL pointer test inside mem_write() Checking is performed after the read-only test so it catches such errors earlier. CLA: trivial Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13786) ----------------------------------------------------------------------- Summary of changes: crypto/bio/bss_mem.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/crypto/bio/bss_mem.c b/crypto/bio/bss_mem.c index 3bdf457966..fe362d87fc 100644 --- a/crypto/bio/bss_mem.c +++ b/crypto/bio/bss_mem.c @@ -221,10 +221,6 @@ static int mem_write(BIO *b, const char *in, int inl) int blen; BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr; - if (in == NULL) { - ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); - goto end; - } if (b->flags & BIO_FLAGS_MEM_RDONLY) { ERR_raise(ERR_LIB_BIO, BIO_R_WRITE_TO_READ_ONLY_BIO); goto end; @@ -232,6 +228,10 @@ static int mem_write(BIO *b, const char *in, int inl) BIO_clear_retry_flags(b); if (inl == 0) return 0; + if (in == NULL) { + ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); + goto end; + } blen = bbm->readp->length; mem_buf_sync(b); if (BUF_MEM_grow_clean(bbm->buf, blen + inl) == 0) From levitte at openssl.org Thu Jan 21 18:49:18 2021 From: levitte at openssl.org (Richard Levitte) Date: Thu, 21 Jan 2021 18:49:18 +0000 Subject: [openssl] master update Message-ID: <1611254958.254141.355.nullmailer@dev.openssl.org> The branch master has been updated via ef161e7b8f61ea588c654c9600bde80b2e07588f (commit) from daa86f9e6bfeb83a5db976c6351f7a568a8d6dcb (commit) - Log ----------------------------------------------------------------- commit ef161e7b8f61ea588c654c9600bde80b2e07588f Author: Richard Levitte Date: Fri Jan 15 12:20:25 2021 +0100 Unix Makefile generator: separate "simple" shared libraries from import libraries For Unix like environments, we may have so called "simple" shared library names (libfoo.so as opposed to libfoo.so.1.2), or we may have "import" library names associated with a DLL (libfoo.dll.a for libfoo.dll on Mingw and derivatives). So far, "import" library names were treated the same as "simple" shared library names, as some kind of normalization for the Unix way of doing things. We now shift to treat them separately, to make it clearer what is what. Fixes #13414, incidently Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13875) ----------------------------------------------------------------------- Summary of changes: Configurations/platform/Unix.pm | 4 ++ Configurations/platform/mingw.pm | 9 +++-- Configurations/unix-Makefile.tmpl | 77 +++++++++++++++++++++++++++------------ 3 files changed, 63 insertions(+), 27 deletions(-) diff --git a/Configurations/platform/Unix.pm b/Configurations/platform/Unix.pm index bb93d38f8c..f05ff67ad2 100644 --- a/Configurations/platform/Unix.pm +++ b/Configurations/platform/Unix.pm @@ -66,4 +66,8 @@ sub sharedlib_simple { $_[0]->shlibextsimple()); } +sub sharedlib_import { + return undef; +} + 1; diff --git a/Configurations/platform/mingw.pm b/Configurations/platform/mingw.pm index 7dacb32a31..d525ae8e57 100644 --- a/Configurations/platform/mingw.pm +++ b/Configurations/platform/mingw.pm @@ -37,10 +37,13 @@ sub sharedname { ? "-x64" : "")); } -# With Mingw and other DLL producers, there isn't really any "simpler" -# shared library name. However, there is a static import library, so -# we return that instead. +# With Mingw and other DLL producers, there isn't any "simpler" shared +# library name. However, there is a static import library. sub sharedlib_simple { + return undef; +} + +sub sharedlib_import { return platform::BASE::__concat(platform::BASE->sharedname($_[1]), $_[0]->shlibextimport()); } diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 342e46d24d..a331368311 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -80,8 +80,9 @@ SHLIBS={- join(" \\\n" . ' ' x 7, SHLIB_INFO={- join(" \\\n" . ' ' x 11, fill_lines(" ", $COLUMNS - 11, map { my $x = platform->sharedlib($_); - my $y = platform->sharedlib_simple($_); - $x ? "\"$x;$y\"" : () } + my $y = platform->sharedlib_simple($_) // ''; + my $z = platform->sharedlib_import($_) // ''; + $x ? "\"$x;$y;$z\"" : () } @{$unified_info{libraries}})) -} MODULES={- join(" \\\n" . ' ' x 8, fill_lines(" ", $COLUMNS - 8, @@ -134,8 +135,9 @@ INSTALL_SHLIB_INFO={- join(" \\\n" . ' ' x 19, fill_lines(" ", $COLUMNS - 19, map { my $x = platform->sharedlib($_); - my $y = platform->sharedlib_simple($_); - $x ? "\"$x;$y\"" : () } + my $y = platform->sharedlib_simple($_) // ''; + my $z = platform->sharedlib_import($_) // ''; + $x ? "\"$x;$y;$z\"" : () } grep { !$unified_info{attributes}->{libraries}->{$_}->{noinst} } @{$unified_info{libraries}})) -} @@ -508,15 +510,20 @@ libclean: if [ "$$s" = ";" ]; then continue; fi; \ s1=`echo "$$s" | cut -f1 -d";"`; \ s2=`echo "$$s" | cut -f2 -d";"`; \ + s3=`echo "$$s" | cut -f3 -d";"`; \ $(ECHO) $(RM) $$s1; {- output_off() unless windowsdll(); "" -}\ $(RM) apps/$$s1; \ $(RM) test/$$s1; \ $(RM) fuzz/$$s1; {- output_on() unless windowsdll(); "" -}\ $(RM) $$s1; \ - if [ "$$s1" != "$$s2" ]; then \ + if [ "$$s2" != "" ]; then \ $(ECHO) $(RM) $$s2; \ $(RM) $$s2; \ fi; \ + if [ "$$s3" != "" ]; then \ + $(ECHO) $(RM) $$s3; \ + $(RM) $$s3; \ + fi; \ done $(RM) $(LIBS) $(RM) *{- platform->defext() -} @@ -646,19 +653,21 @@ install_dev: install_runtime_libs @set -e; for s in $(INSTALL_SHLIB_INFO); do \ s1=`echo "$$s" | cut -f1 -d";"`; \ s2=`echo "$$s" | cut -f2 -d";"`; \ + s3=`echo "$$s" | cut -f3 -d";"`; \ fn1=`basename $$s1`; \ fn2=`basename $$s2`; \ + fn3=`basename $$s3`; \ : {- output_off(); output_on() unless windowsdll() or sharedaix(); "" -}; \ - if [ "$$fn1" != "$$fn2" ]; then \ + if [ "$$fn2" != "" ]; then \ $(ECHO) "link $(DESTDIR)$(libdir)/$$fn2 -> $(DESTDIR)$(libdir)/$$fn1"; \ ln -sf $$fn1 $(DESTDIR)$(libdir)/$$fn2; \ fi; \ : {- output_off() unless windowsdll() or sharedaix(); output_on() if windowsdll(); "" -}; \ - $(ECHO) "install $$s2 -> $(DESTDIR)$(libdir)/$$fn2"; \ - cp $$s2 $(DESTDIR)$(libdir)/$$fn2.new; \ - chmod 755 $(DESTDIR)$(libdir)/$$fn2.new; \ - mv -f $(DESTDIR)$(libdir)/$$fn2.new \ - $(DESTDIR)$(libdir)/$$fn2; \ + $(ECHO) "install $$s3 -> $(DESTDIR)$(libdir)/$$fn3"; \ + cp $$s3 $(DESTDIR)$(libdir)/$$fn3.new; \ + chmod 755 $(DESTDIR)$(libdir)/$$fn3.new; \ + mv -f $(DESTDIR)$(libdir)/$$fn3.new \ + $(DESTDIR)$(libdir)/$$fn3; \ : {- output_off() if windowsdll(); output_on() if sharedaix(); "" -}; \ a=$(DESTDIR)$(libdir)/$$fn2; \ $(ECHO) "install $$s1 -> $$a"; \ @@ -711,18 +720,20 @@ uninstall_dev: uninstall_runtime_libs @set -e; for s in $(INSTALL_SHLIB_INFO); do \ s1=`echo "$$s" | cut -f1 -d";"`; \ s2=`echo "$$s" | cut -f2 -d";"`; \ + s3=`echo "$$s" | cut -f3 -d";"`; \ fn1=`basename $$s1`; \ fn2=`basename $$s2`; \ + fn3=`basename $$s3`; \ : {- output_off() if windowsdll(); "" -}; \ - $(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn2"; \ - $(RM) $(DESTDIR)$(libdir)/$$fn2; \ - if [ "$$fn1" != "$$fn2" -a -f "$(DESTDIR)$(libdir)/$$fn1" ]; then \ - $(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn1"; \ - $(RM) $(DESTDIR)$(libdir)/$$fn1; \ + $(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn1"; \ + $(RM) $(DESTDIR)$(libdir)/$$fn1; \ + if [ -n "$$fn2" ]; then \ + $(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn2"; \ + $(RM) $(DESTDIR)$(libdir)/$$fn2; \ fi; \ : {- output_on() if windowsdll(); "" -}{- output_off() unless windowsdll(); "" -}; \ - $(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn2"; \ - $(RM) $(DESTDIR)$(libdir)/$$fn2; \ + $(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn3"; \ + $(RM) $(DESTDIR)$(libdir)/$$fn3; \ : {- output_on() unless windowsdll(); "" -}; \ done @ : {- output_on() if $disabled{shared}; "" -} @@ -1173,7 +1184,7 @@ FORCE: # Building targets ################################################### -libcrypto.pc libssl.pc openssl.pc: configdata.pm $(LIBS) {- join(" ",map { platform->sharedlib_simple($_) // () } @{$unified_info{libraries}}) -} +libcrypto.pc libssl.pc openssl.pc: configdata.pm $(LIBS) {- join(" ",map { platform->sharedlib_simple($_) // platform->sharedlib_import($_) // () } @{$unified_info{libraries}}) -} libcrypto.pc: @ ( echo 'prefix=$(INSTALLTOP)'; \ echo 'exec_prefix=$${prefix}'; \ @@ -1252,7 +1263,10 @@ reconfigure reconf: # Depending on shared libraries: # On Windows POSIX layers, we depend on {libname}.dll.a # On Unix platforms, we depend on {shlibname}.so - return map { platform->sharedlib_simple($_) // platform->staticlib($_) } @_; + return map { platform->sharedlib_simple($_) + // platform->sharedlib_import($_) + // platform->staticlib($_) + } @_; } sub generatesrc { @@ -1450,15 +1464,25 @@ EOF my @deps = compute_lib_depends(@{$args{deps}}); die "More than one exported symbol map" if scalar @defs > 1; - my $simple = platform->sharedlib_simple($args{lib}); my $full = platform->sharedlib($args{lib}); + # $import is for Windows and subsystems thereof, where static import + # libraries for DLLs are a thing. On platforms that have this mechanism, + # $import has the name of this import library. On platforms that don't + # have this mechanism, $import will be |undef|. + my $import = platform->sharedlib_import($args{lib}); + # $simple is for platforms where full shared library names include the + # shared library version, and there's a simpler name that doesn't include + # that version. On such platforms, $simple has the simpler name. On + # other platforms, it will be |undef|. + my $simple = platform->sharedlib_simple($args{lib}); + my $argfile = defined $target{shared_argfileflag} ? $full.".args" : undef; my $shared_soname = ""; $shared_soname .= ' '.$target{shared_sonameflag}.basename($full) if defined $target{shared_sonameflag}; my $shared_imp = ""; - $shared_imp .= ' '.$target{shared_impflag}.basename($simple) - if defined $target{shared_impflag}; + $shared_imp .= ' '.$target{shared_impflag}.basename($import) + if defined $target{shared_impflag} && defined $import; my $shared_def = join("", map { ' '.$target{shared_defflag}.$_ } @defs); # There is at least one platform where the compiler-as-linker needs to @@ -1489,7 +1513,7 @@ EOF my $recipe = ''; - if ($simple ne $full) { + if (defined $simple) { if (sharedaix()) { $recipe .= <<"EOF"; $simple: $full @@ -1504,6 +1528,11 @@ $simple: $full EOF } } + if (defined $import) { + $recipe .= <<"EOF"; +$import: $full +EOF + } $recipe .= <<"EOF"; $full: $fulldeps \$(CC) \$(LIB_CFLAGS) $linkflags\$(LIB_LDFLAGS)$shared_soname$shared_imp \\ From openssl at openssl.org Thu Jan 21 23:04:55 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Thu, 21 Jan 2021 23:04:55 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d enable-fuzz-afl no-shared no-module Message-ID: <1611270295.623656.2600517.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=afl-clang-fast ../openssl/config -d enable-fuzz-afl no-shared no-module Commit log since last time: 3aa7212e0a ktls: Initial support for ChaCha20-Poly1305 5b57aa24c3 Ensure SRP BN_mod_exp follows the constant time path 53d650d1f3 ec_kmgmt.c: OSSL_PKEY_PARAM_DEFAULT_DIGEST is gettable param for EC/SM2 keys d8ab30be9c X509v3_get_ext_by_NID.pod: Add warning on counter-intuitive behavior of X509v3_delete_ext() etc. 05458fdb73 apps/x509.c: Make -x509toreq respect -clrext, -sigopt, and -extfile options b9fbacaa7b apps/x509.c: Add -copy_extensions option, used when transforming x509 <-> req 1d1d23128f 80-test_ssl_old.t: Minor corrections: update name of test dir etc. 03f4e3ded6 apps.c: Clean up copy_extensions() 2367238ced X509_REQ_print_ex(): Correct indentation of extensions, which are attributes db6a47b10d X509_REQ_print_ex(): Replace weird 'a0:00' output on empty attributes by '(none)' 743975c7e5 constify X509_REQ_add_extensions() and X509_REQ_add_extensions_nid() b24cfd6bf4 apps/x509.c: Major code, user guidance, and documentation cleanup 7c5237e1d7 apps/x509.c: Take the -signkey arg as default pubkey with -new 49b36afb0b 25-test_x509.t: Make test case w.r.t. self-issued cert run also without EC enabled abc4439c92 25-test_x509.t: Minor update: factor out path for test input files 8cadc51706 25-test_x509.t: Minor update: do not anymore unlink test output files 63162e3d55 X509: Enable printing cert even with invalid validity times, saying 'Bad time value' b09aa550d3 ASN1_TIME_print() etc.: Improve doc and add comment on handling invalid time input 9495cfbc22 make various test CA certs RFC 5280 compliant w.r.t. X509 extensions 3d63348a87 apps/genpkey.c: Use PEM_read_bio_Parameters_ex when reading parameters ac6ea3a7c5 test-gendsa: Add test cases with FIPS provider 07b6068d24 x509_vfy.c: Rename CHECK_CB() to the more intuitively readable CB_FAIL_IF() 3e878d924f Remove pkey_downgrade from PKCS7 code c972577684 util/check-format.pl: Minor improvements of whitespace checks 83b6dc8dc7 Deprecate OCSP_xxx API for OSSL_HTTP_xxx fee0af0863 DOCS: Fix the last few remaining pass phrase options references 47b784a41b Fix memory leak in mac_newctx() on error 038f4dc68e Fix PKCS7 potential segfault 84af8027c5 CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**. 0d83b7b903 Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity 3aff5b4bac Update SERVER_HELLO_MAX_LENGTH Build log ended with (last 100 lines): # setup_client_ctx:../openssl/apps/cmp.c:1977:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2027:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 0 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo1.pem -out_trusted root.crt => 0 not ok 43 - popo RAVERIFIED # ------------------------------------------------------------------------------ # cmp_main:../openssl/apps/cmp.c:2661:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2260:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:684:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1977:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2027:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo -1 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo5.pem -out_trusted root.crt => 0 not ok 47 - popo NONE # ------------------------------------------------------------------------------ # Failed test 'popo NONE' # at ../openssl/test/recipes/81-test_cmp_cli.t line 183. # cmp_main:../openssl/apps/cmp.c:2661:CMP info: using section(s) 'Mock enrollment' of OpenSSL configuration file '../Mock/test.cnf' # opt_str:../openssl/apps/cmp.c:2260:CMP warning: argument of -proxy option is empty string, resetting option # warn_cert_msg:../openssl/apps/cmp.c:684:CMP warning: certificate from 'trusted.crt' with subject '/O=openssl_cmp' is not a CA cert # setup_client_ctx:../openssl/apps/cmp.c:1977:CMP info: will contact http://127.0.0.1:1700/pkix/ # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending IR # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received IP # send_receive_check:../openssl/crypto/cmp/cmp_client.c:165:CMP info: sending CERTCONF # send_receive_check:../openssl/crypto/cmp/cmp_client.c:183:CMP info: received PKICONF # save_free_certs:../openssl/apps/cmp.c:2027:CMP info: received 1 enrolled certificate(s), saving to file '../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem' ../../../../../enable-fuzz-afl/util/wrap.pl ../../../../../enable-fuzz-afl/apps/openssl cmp -config ../Mock/test.cnf -section 'Mock enrollment' -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.cert.pem -proxy '' -no_proxy 127.0.0.1 -cmd ir -newkey new.key -newkeypass 'pass:' -popo 2 -certout ../../../../../enable-fuzz-afl/test-runs/test_cmp_cli/test.certout_popo6.pem -out_trusted root.crt => 0 not ok 48 - popo KEYENC not supported # ------------------------------------------------------------------------------ # Looks like you failed 3 tests of 92. not ok 7 - CMP app CLI Mock enrollment # ------------------------------------------------------------------------------ # # Failed test 'CMP app CLI Mock enrollment # ' # at /home/openssl/run-checker/enable-fuzz-afl/../openssl/util/perl/OpenSSL/Test.pm line 1335. # Looks like you failed 3 tests of 7.81-test_cmp_cli.t .................. Dubious, test returned 3 (wstat 768, 0x300) Failed 3/7 subtests 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. skipped: Test only supported in a shared build 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... skipped: GOST support is disabled in this OpenSSL build 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ skipped: Test only supported in a shared build 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. skipped: tls13secrets is not supported in this build 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 81-test_cmp_cli.t (Wstat: 768 Tests: 7 Failed: 3) Failed tests: 4-5, 7 Non-zero exit status: 3 Files=228, Tests=3032, 796 wallclock secs (10.16 usr 1.19 sys + 719.63 cusr 70.67 csys = 801.65 CPU) Result: FAIL make[1]: *** [Makefile:2461: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/enable-fuzz-afl' make: *** [Makefile:2458: tests] Error 2 From matt at openssl.org Fri Jan 22 09:47:01 2021 From: matt at openssl.org (Matt Caswell) Date: Fri, 22 Jan 2021 09:47:01 +0000 Subject: [openssl] master update Message-ID: <1611308821.091262.17567.nullmailer@dev.openssl.org> The branch master has been updated via fc52ae8c4b4a00c7158549510ace0e5beef2306b (commit) via 5060cd5f3ed14a2dc4764cc1e042f76af6b44664 (commit) from ef161e7b8f61ea588c654c9600bde80b2e07588f (commit) - Log ----------------------------------------------------------------- commit fc52ae8c4b4a00c7158549510ace0e5beef2306b Author: Matt Caswell Date: Mon Jan 18 16:50:07 2021 +0000 Don't copy parameters on setting a key in libssl Whenever we set a private key in libssl, we first found the certificate that matched the key algorithm. Then we copied the key parameters from the private key into the public key for the certficate before finally checking that the private key matched the public key in the certificate. This makes no sense! Part of checking the private key is to make sure that the parameters match. It seems that this code has been present since SSLeay. Perhaps at some point it made sense to do this - but it doesn't any more. We remove that piece of code altogether. The previous code also had the undocumented side effect of removing the certificate if the key didn't match. This makes sense if you've just overwritten the parameters in the certificate with bad values - but doesn't seem to otherwise. I've also removed that error logic. Due to issue #13893, the public key associated with the certificate is always a legacy key. EVP_PKEY_copy_parameters will downgrade the "from" key to legacy if the target is legacy, so this means that in libssl all private keys were always downgraded to legacy when they are first set in the SSL/SSL_CTX. Removing the EVP_PKEY_copy_parameters code has the added benefit of removing that downgrade. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13899) commit 5060cd5f3ed14a2dc4764cc1e042f76af6b44664 Author: Matt Caswell Date: Tue Jan 19 11:36:24 2021 +0000 Ensure legacy_asn1_ctrl_to_param can handle MDs not in the OBJ database The legacy_asn1_ctrl_to_param implementation of ASN1_PKEY_CTRL_DEFAULT_MD_NID calls EVP_PKEY_get_default_digest_name() which returns an mdname. Previously we were using OBJ_sn2nid/OBJ_ln2nid to lookup that name in the OBJ database. However we might get an md name back that only exists in the namemap, not in the OBJ database. In that case we need to check the various aliases for the name, to see if one of those matches the name we are looking for. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13899) ----------------------------------------------------------------------- Summary of changes: crypto/evp/p_lib.c | 37 +++++++++++++++++++++++++++++++++---- ssl/ssl_rsa.c | 23 +++-------------------- 2 files changed, 36 insertions(+), 24 deletions(-) diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index cc5a612748..f82e42c7e3 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -16,6 +16,7 @@ #include #include "internal/cryptlib.h" #include "internal/refcount.h" +#include "internal/namemap.h" #include #include #include @@ -1153,6 +1154,18 @@ int EVP_PKEY_print_params(BIO *out, const EVP_PKEY *pkey, pctx); } +static void mdname2nid(const char *mdname, void *data) +{ + int *nid = (int *)data; + + if (*nid != NID_undef) + return; + + *nid = OBJ_sn2nid(mdname); + if (*nid == NID_undef) + *nid = OBJ_ln2nid(mdname); +} + static int legacy_asn1_ctrl_to_param(EVP_PKEY *pkey, int op, int arg1, void *arg2) { @@ -1166,11 +1179,27 @@ static int legacy_asn1_ctrl_to_param(EVP_PKEY *pkey, int op, sizeof(mdname)); if (rv > 0) { - int nid; + int mdnum; + OSSL_LIB_CTX *libctx = ossl_provider_libctx(pkey->keymgmt->prov); + /* Make sure the MD is in the namemap if available */ + EVP_MD *md = EVP_MD_fetch(libctx, mdname, NULL); + OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); + int nid = NID_undef; - nid = OBJ_sn2nid(mdname); - if (nid == NID_undef) - nid = OBJ_ln2nid(mdname); + /* + * The only reason to fetch the MD was to make sure it is in the + * namemap. We can immediately free it. + */ + EVP_MD_free(md); + mdnum = ossl_namemap_name2num(namemap, mdname); + if (mdnum == 0) + return 0; + + /* + * We have the namemap number - now we need to find the + * associated nid + */ + ossl_namemap_doall_names(namemap, mdnum, mdname2nid, &nid); *(int *)arg2 = nid; } return rv; diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index bfdd5ff43d..1c1053d316 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -124,26 +124,9 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) return 0; } - if (c->pkeys[i].x509 != NULL) { - EVP_PKEY *pktmp; - pktmp = X509_get0_pubkey(c->pkeys[i].x509); - if (pktmp == NULL) { - ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); - return 0; - } - /* - * The return code from EVP_PKEY_copy_parameters is deliberately - * ignored. Some EVP_PKEY types cannot do this. - */ - EVP_PKEY_copy_parameters(pktmp, pkey); - ERR_clear_error(); - - if (!X509_check_private_key(c->pkeys[i].x509, pkey)) { - X509_free(c->pkeys[i].x509); - c->pkeys[i].x509 = NULL; - return 0; - } - } + if (c->pkeys[i].x509 != NULL + && !X509_check_private_key(c->pkeys[i].x509, pkey)) + return 0; EVP_PKEY_free(c->pkeys[i].privatekey); EVP_PKEY_up_ref(pkey); From matt at openssl.org Fri Jan 22 09:59:57 2021 From: matt at openssl.org (Matt Caswell) Date: Fri, 22 Jan 2021 09:59:57 +0000 Subject: [openssl] master update Message-ID: <1611309597.780690.20393.nullmailer@dev.openssl.org> The branch master has been updated via 8a9394c1eddbac210d4a2dceab521efa7518fa1f (commit) from fc52ae8c4b4a00c7158549510ace0e5beef2306b (commit) - Log ----------------------------------------------------------------- commit 8a9394c1eddbac210d4a2dceab521efa7518fa1f Author: Matt Caswell Date: Thu Jan 21 09:19:16 2021 +0000 Fix no-dh and no-dsa Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13915) ----------------------------------------------------------------------- Summary of changes: test/evp_extra_test.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 37efbd42e2..4358fbe5c5 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -485,9 +485,9 @@ err: return res; } -#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DSA) +#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_DSA) /* - * Test combinations of private, public, missing and private + public key + * Test combinations of private, public, missing and private + public key * params to ensure they are all accepted */ static int test_EVP_PKEY_ffc_priv_pub(char *keytype) @@ -612,7 +612,7 @@ static int test_EVP_PKEY_ffc_priv_pub(char *keytype) return ret; } -#endif /* !OPENSSL_NO_DH && !OPENSSL_NO_DSA */ +#endif /* !OPENSSL_NO_DH || !OPENSSL_NO_DSA */ static int test_EVP_Enveloped(void) { @@ -1854,7 +1854,7 @@ static int test_DSA_get_set_params(void) } /* - * Test combinations of private, public, missing and private + public key + * Test combinations of private, public, missing and private + public key * params to ensure they are all accepted */ static int test_DSA_priv_pub(void) @@ -1979,7 +1979,7 @@ static int test_decrypt_null_chunks(void) #ifndef OPENSSL_NO_DH /* - * Test combinations of private, public, missing and private + public key + * Test combinations of private, public, missing and private + public key * params to ensure they are all accepted */ static int test_DH_priv_pub(void) From no-reply at appveyor.com Fri Jan 22 14:48:23 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 22 Jan 2021 14:48:23 +0000 Subject: Build failed: openssl master.39326 Message-ID: <20210122144823.1.4E263CA7257DB4CF@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Fri Jan 22 17:27:14 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 22 Jan 2021 17:27:14 +0000 Subject: Build failed: openssl master.39329 Message-ID: <20210122172714.1.6AAE7DEEFFB1087D@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Fri Jan 22 18:45:38 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 22 Jan 2021 18:45:38 +0000 Subject: Build completed: openssl master.39330 Message-ID: <20210122184538.1.0A0223FC80E64D0B@appveyor.com> An HTML attachment was scrubbed... URL: From openssl at openssl.org Fri Jan 22 21:13:38 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 22 Jan 2021 21:13:38 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2 Message-ID: <1611350018.516138.1039021.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: 3aa7212e0a ktls: Initial support for ChaCha20-Poly1305 5b57aa24c3 Ensure SRP BN_mod_exp follows the constant time path 53d650d1f3 ec_kmgmt.c: OSSL_PKEY_PARAM_DEFAULT_DIGEST is gettable param for EC/SM2 keys d8ab30be9c X509v3_get_ext_by_NID.pod: Add warning on counter-intuitive behavior of X509v3_delete_ext() etc. 05458fdb73 apps/x509.c: Make -x509toreq respect -clrext, -sigopt, and -extfile options b9fbacaa7b apps/x509.c: Add -copy_extensions option, used when transforming x509 <-> req 1d1d23128f 80-test_ssl_old.t: Minor corrections: update name of test dir etc. 03f4e3ded6 apps.c: Clean up copy_extensions() 2367238ced X509_REQ_print_ex(): Correct indentation of extensions, which are attributes db6a47b10d X509_REQ_print_ex(): Replace weird 'a0:00' output on empty attributes by '(none)' 743975c7e5 constify X509_REQ_add_extensions() and X509_REQ_add_extensions_nid() b24cfd6bf4 apps/x509.c: Major code, user guidance, and documentation cleanup 7c5237e1d7 apps/x509.c: Take the -signkey arg as default pubkey with -new 49b36afb0b 25-test_x509.t: Make test case w.r.t. self-issued cert run also without EC enabled abc4439c92 25-test_x509.t: Minor update: factor out path for test input files 8cadc51706 25-test_x509.t: Minor update: do not anymore unlink test output files 63162e3d55 X509: Enable printing cert even with invalid validity times, saying 'Bad time value' b09aa550d3 ASN1_TIME_print() etc.: Improve doc and add comment on handling invalid time input 9495cfbc22 make various test CA certs RFC 5280 compliant w.r.t. X509 extensions 3d63348a87 apps/genpkey.c: Use PEM_read_bio_Parameters_ex when reading parameters ac6ea3a7c5 test-gendsa: Add test cases with FIPS provider 07b6068d24 x509_vfy.c: Rename CHECK_CB() to the more intuitively readable CB_FAIL_IF() 3e878d924f Remove pkey_downgrade from PKCS7 code c972577684 util/check-format.pl: Minor improvements of whitespace checks 83b6dc8dc7 Deprecate OCSP_xxx API for OSSL_HTTP_xxx fee0af0863 DOCS: Fix the last few remaining pass phrase options references 47b784a41b Fix memory leak in mac_newctx() on error 038f4dc68e Fix PKCS7 potential segfault 84af8027c5 CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**. 0d83b7b903 Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity 3aff5b4bac Update SERVER_HELLO_MAX_LENGTH Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 80A1A91F067F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80A1A91F067F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/rgqHnbmgO5 default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80C1282EC17F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80C1282EC17F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80C1282EC17F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80C1282EC17F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 80C1282EC17F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 80C1282EC17F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/rgqHnbmgO5 fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=228, Tests=3596, 918 wallclock secs (14.23 usr 1.31 sys + 825.33 cusr 89.14 csys = 930.01 CPU) Result: FAIL make[1]: *** [Makefile:3270: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2' make: *** [Makefile:3267: tests] Error 2 From openssl at openssl.org Fri Jan 22 23:33:27 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Fri, 22 Jan 2021 23:33:27 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method Message-ID: <1611358407.260063.1342624.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: 3aa7212e0a ktls: Initial support for ChaCha20-Poly1305 5b57aa24c3 Ensure SRP BN_mod_exp follows the constant time path 53d650d1f3 ec_kmgmt.c: OSSL_PKEY_PARAM_DEFAULT_DIGEST is gettable param for EC/SM2 keys d8ab30be9c X509v3_get_ext_by_NID.pod: Add warning on counter-intuitive behavior of X509v3_delete_ext() etc. 05458fdb73 apps/x509.c: Make -x509toreq respect -clrext, -sigopt, and -extfile options b9fbacaa7b apps/x509.c: Add -copy_extensions option, used when transforming x509 <-> req 1d1d23128f 80-test_ssl_old.t: Minor corrections: update name of test dir etc. 03f4e3ded6 apps.c: Clean up copy_extensions() 2367238ced X509_REQ_print_ex(): Correct indentation of extensions, which are attributes db6a47b10d X509_REQ_print_ex(): Replace weird 'a0:00' output on empty attributes by '(none)' 743975c7e5 constify X509_REQ_add_extensions() and X509_REQ_add_extensions_nid() b24cfd6bf4 apps/x509.c: Major code, user guidance, and documentation cleanup 7c5237e1d7 apps/x509.c: Take the -signkey arg as default pubkey with -new 49b36afb0b 25-test_x509.t: Make test case w.r.t. self-issued cert run also without EC enabled abc4439c92 25-test_x509.t: Minor update: factor out path for test input files 8cadc51706 25-test_x509.t: Minor update: do not anymore unlink test output files 63162e3d55 X509: Enable printing cert even with invalid validity times, saying 'Bad time value' b09aa550d3 ASN1_TIME_print() etc.: Improve doc and add comment on handling invalid time input 9495cfbc22 make various test CA certs RFC 5280 compliant w.r.t. X509 extensions 3d63348a87 apps/genpkey.c: Use PEM_read_bio_Parameters_ex when reading parameters ac6ea3a7c5 test-gendsa: Add test cases with FIPS provider 07b6068d24 x509_vfy.c: Rename CHECK_CB() to the more intuitively readable CB_FAIL_IF() 3e878d924f Remove pkey_downgrade from PKCS7 code c972577684 util/check-format.pl: Minor improvements of whitespace checks 83b6dc8dc7 Deprecate OCSP_xxx API for OSSL_HTTP_xxx fee0af0863 DOCS: Fix the last few remaining pass phrase options references 47b784a41b Fix memory leak in mac_newctx() on error 038f4dc68e Fix PKCS7 potential segfault 84af8027c5 CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**. 0d83b7b903 Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity 3aff5b4bac Update SERVER_HELLO_MAX_LENGTH Build log ended with (last 100 lines): # SSL_accept() failed -1, 1 # 8091943D417F0000:error:0A000076:SSL routines:tls_choose_sigalg:no suitable signature algorithm:../openssl/ssl/t1_lib.c:3308: # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8091943D417F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:../openssl/ssl/record/rec_layer_d1.c:613:SSL alert number 80 # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/Xk4hXddLbj default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8091B2A2387F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8091B2A2387F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:852 # false not ok 3 - test_large_message_dtls # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8091B2A2387F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8091B2A2387F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1333 # false # ERROR: (bool) 'execute_cleanse_plaintext(DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0) == true' failed @ ../openssl/test/sslapitest.c:1411 # false not ok 4 - test_cleanse_plaintext # ------------------------------------------------------------------------------ # INFO: @ ../openssl/test/helpers/ssltestlib.c:942 # SSL_connect() failed -1, 1 # 8091B2A2387F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:960 # SSL_accept() failed -1, 1 # 8091B2A2387F0000:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6482 # false not ok 2 - iteration 2 # ------------------------------------------------------------------------------ not ok 53 - test_ssl_pending # ------------------------------------------------------------------------------ ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/Xk4hXddLbj fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 3 - running sslapitest # ------------------------------------------------------------------------------ # Failed test 'running sslapitest' # at ../openssl/test/recipes/90-test_sslapi.t line 45. # Looks like you failed 2 tests of 3.90-test_sslapi.t ................... Dubious, test returned 2 (wstat 512, 0x200) Failed 2/3 subtests 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 80-test_dtls.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 80-test_ssl_new.t (Wstat: 768 Tests: 31 Failed: 3) Failed tests: 8, 17, 19 Non-zero exit status: 3 90-test_sslapi.t (Wstat: 512 Tests: 3 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2 Files=228, Tests=3596, 685 wallclock secs (11.46 usr 0.97 sys + 620.07 cusr 63.31 csys = 695.81 CPU) Result: FAIL make[1]: *** [Makefile:3273: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-dtls1_2-method' make: *** [Makefile:3270: tests] Error 2 From dev at ddvo.net Sat Jan 23 14:26:14 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Sat, 23 Jan 2021 14:26:14 +0000 Subject: [openssl] master update Message-ID: <1611411974.216774.12277.nullmailer@dev.openssl.org> The branch master has been updated via c9603dfa42d0643a6c8cac3e14364d9fd63303c4 (commit) via 806990e7db4c0ea7ad544477bb7b697cc36347ea (commit) via 046fba4493d6cb17e0b8b22f43d5ee63c2ff8d50 (commit) via cddbcf02f55e443c394f28768a20d0a7458cdb98 (commit) via 0a20cc4bc3af7bd9bb5860c09683a7a7f4ba39ed (commit) via 85c8b87b826b728a6c162edf4ec3b955c0979b4e (commit) from 8a9394c1eddbac210d4a2dceab521efa7518fa1f (commit) - Log ----------------------------------------------------------------- commit c9603dfa42d0643a6c8cac3e14364d9fd63303c4 Author: Dr. David von Oheimb Date: Mon Jan 18 12:53:55 2021 +0100 OCSP HTTP: Restore API of undocumented and recently deprecated functions Restore parameters of OCSP_REQ_CTX_new(), OCSP_REQ_CTX_http(), OCSP_REQ_CTX_i2d(). Fix a bug (wrong HTTP method selected on req == NULL in OCSP_sendreq_new(). Minor further fixes in OSSL_HTTP_REQ_CTX.pod Fixes #13873 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/13898) commit 806990e7db4c0ea7ad544477bb7b697cc36347ea Author: Dr. David von Oheimb Date: Mon Jan 18 12:39:51 2021 +0100 OSSL_HTTP_REQ_CTX.pod: minor addition and remove redundant paragraph Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/13898) commit 046fba4493d6cb17e0b8b22f43d5ee63c2ff8d50 Author: Dr. David von Oheimb Date: Mon Jan 18 12:37:47 2021 +0100 OSSL_HTTP_REQ_CTX_new(): replace method_GET parameter by method_POST Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/13898) commit cddbcf02f55e443c394f28768a20d0a7458cdb98 Author: Dr. David von Oheimb Date: Mon Jan 18 12:17:31 2021 +0100 rename OSSL_HTTP_REQ_CTX_header to OSSL_HTTP_REQ_CTX_set_request_line Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/13898) commit 0a20cc4bc3af7bd9bb5860c09683a7a7f4ba39ed Author: Dr. David von Oheimb Date: Mon Jan 18 12:05:11 2021 +0100 Add check of HTTP method to OSSL_HTTP_REQ_CTX_content() Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/13898) commit 85c8b87b826b728a6c162edf4ec3b955c0979b4e Author: Dr. David von Oheimb Date: Tue Jan 19 14:04:37 2021 +0100 Util/Pod.pm: Fix uninitialized $podinfo{lastsecttext} on empty input Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/13898) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 6 ++--- crypto/http/http_client.c | 28 ++++++++++++-------- crypto/ocsp/ocsp_http.c | 43 ++++++++++++++++--------------- doc/man3/OCSP_sendreq_new.pod | 28 ++++++++++---------- doc/man3/OSSL_HTTP_REQ_CTX.pod | 58 ++++++++++++++++++++---------------------- include/openssl/http.h | 6 ++--- include/openssl/ocsp.h.in | 19 +++++++------- util/libcrypto.num | 3 +-- util/other.syms | 1 + util/perl/OpenSSL/Util/Pod.pm | 1 + 10 files changed, 100 insertions(+), 93 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index a298a0590c..63d41c3911 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,15 +23,15 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] - * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_new(), + * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_new(), OCSP_REQ_CTX_free(), OCSP_REQ_CTX_http(), OCSP_REQ_CTX_add1_header(), OCSP_REQ_CTX_i2d(), OCSP_REQ_CTX_nbio(), OCSP_REQ_CTX_nbio_d2i(), OCSP_REQ_CTX_get0_mem_bio() and OCSP_set_max_response_length(). These were used to collect all necessary data to form a HTTP request, and to perform the HTTP transfer with that request. With OpenSSL 3.0, the type is OSSL_HTTP_REQ_CTX, and the deprecated functions are replaced - with OSSL_HTTP_REQ_CTX_new(), OSSL_HTTP_REQ_CTX_free(), - OSSL_HTTP_REQ_CTX_header(), OSSL_HTTP_REQ_CTX_add1_header(), + with OSSL_HTTP_REQ_CTX_new(), OSSL_HTTP_REQ_CTX_free(), + OSSL_HTTP_REQ_CTX_set_request_line(), OSSL_HTTP_REQ_CTX_add1_header(), OSSL_HTTP_REQ_CTX_i2d(), OSSL_HTTP_REQ_CTX_nbio(), OSSL_HTTP_REQ_CTX_sendreq_d2i(), OSSL_HTTP_REQ_CTX_get0_mem_bio() and OSSL_HTTP_REQ_CTX_set_max_response_length(). diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c index d8a6bdec31..a718b3678d 100644 --- a/crypto/http/http_client.c +++ b/crypto/http/http_client.c @@ -47,7 +47,7 @@ struct ossl_http_req_ctx_st { BIO *wbio; /* BIO to send request to */ BIO *rbio; /* BIO to read response from */ BIO *mem; /* Memory BIO response is built into */ - int method_GET; /* HTTP method "GET" or "POST" */ + int method_POST; /* HTTP method is "POST" (else "GET") */ const char *expected_ct; /* expected Content-Type, or NULL */ int expect_asn1; /* response must be ASN.1-encoded */ unsigned long resp_len; /* length of response */ @@ -75,7 +75,7 @@ struct ossl_http_req_ctx_st { #define OHS_HTTP_HEADER (9 | OHS_NOREAD) /* Headers set, w/o final \r\n */ OSSL_HTTP_REQ_CTX *OSSL_HTTP_REQ_CTX_new(BIO *wbio, BIO *rbio, - int method_GET, int maxline, + int method_POST, int maxline, unsigned long max_resp_len, int timeout, const char *expected_content_type, @@ -100,7 +100,7 @@ OSSL_HTTP_REQ_CTX *OSSL_HTTP_REQ_CTX_new(BIO *wbio, BIO *rbio, OSSL_HTTP_REQ_CTX_free(rctx); return NULL; } - rctx->method_GET = method_GET; + rctx->method_POST = method_POST; rctx->expected_ct = expected_content_type; rctx->expect_asn1 = expect_asn1; rctx->resp_len = 0; @@ -138,18 +138,19 @@ void OSSL_HTTP_REQ_CTX_set_max_response_length(OSSL_HTTP_REQ_CTX *rctx, } /* - * Create HTTP header using given op and path (or "/" in case path is NULL). + * Create request line using |ctx| and |path| (or "/" in case |path| is NULL). * Server name (and port) must be given if and only if plain HTTP proxy is used. */ -int OSSL_HTTP_REQ_CTX_header(OSSL_HTTP_REQ_CTX *rctx, const char *server, - const char *port, const char *path) +int OSSL_HTTP_REQ_CTX_set_request_line(OSSL_HTTP_REQ_CTX *rctx, + const char *server, const char *port, + const char *path) { if (rctx == NULL) { ERR_raise(ERR_LIB_HTTP, ERR_R_PASSED_NULL_PARAMETER); return 0; } - if (BIO_printf(rctx->mem, "%s ", rctx->method_GET ? "GET" : "POST") <= 0) + if (BIO_printf(rctx->mem, "%s ", rctx->method_POST ? "POST" : "GET") <= 0) return 0; if (server != NULL) { /* HTTP (but not HTTPS) proxy is used */ @@ -207,6 +208,10 @@ static int OSSL_HTTP_REQ_CTX_content(OSSL_HTTP_REQ_CTX *rctx, ERR_raise(ERR_LIB_HTTP, ERR_R_PASSED_NULL_PARAMETER); return 0; } + if (!rctx->method_POST) { + ERR_raise(ERR_LIB_HTTP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; + } if (content_type != NULL && BIO_printf(rctx->mem, "Content-Type: %s\r\n", content_type) <= 0) @@ -299,14 +304,15 @@ OSSL_HTTP_REQ_CTX *HTTP_REQ_CTX_new(BIO *wbio, BIO *rbio, int use_http_proxy, } /* remaining parameters are checked indirectly by the functions called */ - if ((rctx = OSSL_HTTP_REQ_CTX_new(wbio, rbio, req_mem == NULL, maxline, + if ((rctx = OSSL_HTTP_REQ_CTX_new(wbio, rbio, req_mem != NULL, maxline, max_resp_len, timeout, expected_content_type, expect_asn1)) == NULL) return NULL; - if (OSSL_HTTP_REQ_CTX_header(rctx, use_http_proxy ? server : NULL, - port, path) + if (OSSL_HTTP_REQ_CTX_set_request_line(rctx, + use_http_proxy ? server : NULL, port, + path) && OSSL_HTTP_REQ_CTX_add1_headers(rctx, headers, server) && (req_mem == NULL || OSSL_HTTP_REQ_CTX_content(rctx, content_type, req_mem))) @@ -537,7 +543,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) goto next_line; case HTTP_STATUS_CODE_MOVED_PERMANENTLY: case HTTP_STATUS_CODE_FOUND: /* i.e., moved temporarily */ - if (rctx->method_GET) { + if (!rctx->method_POST) { /* method is GET */ rctx->state = OHS_REDIRECT; goto next_line; } diff --git a/crypto/ocsp/ocsp_http.c b/crypto/ocsp/ocsp_http.c index c5508698c8..e7f1b5a509 100644 --- a/crypto/ocsp/ocsp_http.c +++ b/crypto/ocsp/ocsp_http.c @@ -13,29 +13,30 @@ #ifndef OPENSSL_NO_OCSP -# ifndef OPENSSL_NO_DEPRECATED_3_0 -int OCSP_REQ_CTX_set1_req(OSSL_HTTP_REQ_CTX *rctx, const OCSP_REQUEST *req) -{ - return OSSL_HTTP_REQ_CTX_i2d(rctx, "application/ocsp-request", - ASN1_ITEM_rptr(OCSP_REQUEST), - (ASN1_VALUE *)req); -} -# endif - OSSL_HTTP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, - OCSP_REQUEST *req, int maxline) + const OCSP_REQUEST *req, int maxline) { - BIO *req_mem = HTTP_asn1_item2bio(ASN1_ITEM_rptr(OCSP_REQUEST), - (ASN1_VALUE *)req); - OSSL_HTTP_REQ_CTX *res = - HTTP_REQ_CTX_new(io, io, 0 /* no HTTP proxy used */, NULL, NULL, path, - NULL /* headers */, "application/ocsp-request", - req_mem /* may be NULL */, - maxline, 0 /* default max_resp_len */, - 0 /* no timeout, blocking indefinite */, NULL, - 1 /* expect_asn1 */); - BIO_free(req_mem); - return res; + OSSL_HTTP_REQ_CTX *rctx = NULL; + + if ((rctx = OSSL_HTTP_REQ_CTX_new(io, io, 1 /* POST */, + maxline, 0 /* default max_resp_len */, + 0 /* no timeout, blocking indefinitely */, + NULL, 1 /* expect_asn1 */)) == NULL) + return NULL; + + if (!OSSL_HTTP_REQ_CTX_set_request_line(rctx, NULL, NULL, path)) + goto err; + + if (req != NULL && !OSSL_HTTP_REQ_CTX_i2d(rctx, "application/ocsp-request", + ASN1_ITEM_rptr(OCSP_REQUEST), + (ASN1_VALUE *)req)) + goto err; + + return rctx; + + err: + OSSL_HTTP_REQ_CTX_free(rctx); + return NULL; } int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OSSL_HTTP_REQ_CTX *rctx) diff --git a/doc/man3/OCSP_sendreq_new.pod b/doc/man3/OCSP_sendreq_new.pod index 6e346bdd44..2333ac24d7 100644 --- a/doc/man3/OCSP_sendreq_new.pod +++ b/doc/man3/OCSP_sendreq_new.pod @@ -17,7 +17,7 @@ OCSP_REQ_CTX_set1_req #include OSSL_HTTP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, - OCSP_REQUEST *req, int maxline); + const OCSP_REQUEST *req, int maxline); int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OSSL_HTTP_REQ_CTX *rctx); @@ -27,26 +27,25 @@ Deprecated since OpenSSL 3.0, can be hidden entirely by defining B with a suitable version value, see L: - int OCSP_REQ_CTX_i2d(OCSP_REQ_CT *rctx, const char *content_type, - const ASN1_ITEM *it, ASN1_VALUE *req); + int OCSP_REQ_CTX_i2d(OCSP_REQ_CT *rctx, const ASN1_ITEM *it, ASN1_VALUE *req); int OCSP_REQ_CTX_add1_header(OCSP_REQ_CT *rctx, const char *name, const char *value); - void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx); + void OCSP_REQ_CTX_free(OSSL_HTTP_REQ_CTX *rctx); void OCSP_set_max_response_length(OCSP_REQ_CT *rctx, unsigned long len); - int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, const OCSP_REQUEST *req); + int OCSP_REQ_CTX_set1_req(OSSL_HTTP_REQ_CTX *rctx, const OCSP_REQUEST *req); =head1 DESCRIPTION -These functions perform an OCSP request / response transfer over HTTP, using -the HTTP request functions described in L. +These functions perform an OCSP POST request / response transfer over HTTP, +using the HTTP request functions described in L. The function OCSP_sendreq_new() builds a complete B structure using connection B I, the URL path I, the OCSP -request I and with a response header maximum line length of I. -If I is zero a default value of 4k is used. The OCSP request I -may be set to NULL and provided later with L if -required. +request I, and with a response header maximum line length of I. +If I is zero a default value of 4k is used. +The I may be set to NULL and provided later using OCSP_REQ_CTX_set1_req() +or L . The I and I arguments to OCSP_sendreq_new() correspond to the components of the URL. @@ -64,6 +63,10 @@ response header maximum line length 4k. It waits indefinitely on a response. It does not support setting a timeout or adding headers and is retained for compatibility; use OCSP_sendreq_nbio() instead. +OCSP_REQ_CTX_i2d(rctx, it, req) is equivalent to the following: + + OSSL_HTTP_REQ_CTX_i2d(rctx, "application/ocsp-request", it, req) + OCSP_REQ_CTX_set1_req(rctx, req) is equivalent to the following: OSSL_HTTP_REQ_CTX_i2d(rctx, "application/ocsp-request", @@ -72,7 +75,6 @@ OCSP_REQ_CTX_set1_req(rctx, req) is equivalent to the following: The other deprecated type and functions have been superseded by the following equivalents: B by L, -OCSP_REQ_CTX_i2d() by L, OCSP_REQ_CTX_add1_header() by L, OCSP_REQ_CTX_free() by L, and OCSP_set_max_response_length() by @@ -91,7 +93,7 @@ responder or NULL if an error occurred. =head1 SEE ALSO -L, +L L, L, L, diff --git a/doc/man3/OSSL_HTTP_REQ_CTX.pod b/doc/man3/OSSL_HTTP_REQ_CTX.pod index b75bac5f8c..3955359978 100644 --- a/doc/man3/OSSL_HTTP_REQ_CTX.pod +++ b/doc/man3/OSSL_HTTP_REQ_CTX.pod @@ -5,14 +5,14 @@ OSSL_HTTP_REQ_CTX, OSSL_HTTP_REQ_CTX_new, OSSL_HTTP_REQ_CTX_free, -OSSL_HTTP_REQ_CTX_header, +OSSL_HTTP_REQ_CTX_set_request_line, OSSL_HTTP_REQ_CTX_add1_header, OSSL_HTTP_REQ_CTX_i2d, OSSL_HTTP_REQ_CTX_nbio, OSSL_HTTP_REQ_CTX_sendreq_d2i, OSSL_HTTP_REQ_CTX_get0_mem_bio, OSSL_HTTP_REQ_CTX_set_max_response_length -- HTTP request functions +- HTTP client low-level functions =head1 SYNOPSIS @@ -21,16 +21,16 @@ OSSL_HTTP_REQ_CTX_set_max_response_length typedef struct ossl_http_req_ctx_st OSSL_HTTP_REQ_CTX; OSSL_HTTP_REQ_CTX *OSSL_HTTP_REQ_CTX_new(BIO *wbio, BIO *rbio, - int method_GET, int maxline, + int method_POST, int maxline, unsigned long max_resp_len, int timeout, const char *expected_content_type, int expect_asn1); void OSSL_HTTP_REQ_CTX_free(OSSL_HTTP_REQ_CTX *rctx); - int OSSL_HTTP_REQ_CTX_header(OSSL_HTTP_REQ_CTX *rctx, - const char *server, - const char *port, const char *path); + int OSSL_HTTP_REQ_CTX_set_request_line(OSSL_HTTP_REQ_CTX *rctx, + const char *server, const char *port, + const char *path); int OSSL_HTTP_REQ_CTX_add1_header(OSSL_HTTP_REQ_CTX *rctx, const char *name, const char *value); @@ -53,17 +53,19 @@ This file documents low-level HTTP functions rarely used directly. High-level HTTP client functions like L and L should be preferred. -OSSL_HTTP_REQ_CTX_new() allocates a new HTTP request context structure, which -gets populated with the B to send the request to (I), the B to -read the response from (I, which may be the same as I), the -request method (I, which may be 1 to indicate that the C -method is to be used, or 0 to indicate that the C method is to be used), -the maximum expected response header length (I, where any zero -or less indicates the default of 4KiB), a response timeout measure in seconds -(I, where 0 indicates no timeout, i.e., waiting indefinitely), the -expected MIME content type of the response (I, which -may be NULL for no expectation), and a flag indicating that the response is -expected to be a DER encoded ASN.1 structure (I). +OSSL_HTTP_REQ_CTX_new() allocates a new HTTP request context structure, +which gets populated with the B to send the request to (I), +the B to read the response from (I, which may be equal to I), +the request method (I, which may be 1 to indicate that the C +method is to be used, or 0 to indicate that the C method is to be used), +the maximum expected response header length (I, +where any zero or less indicates the default of 4KiB), +a response timeout measure in seconds (I, +where 0 indicates no timeout, i.e., waiting indefinitely), +the expected MIME content type of the response (I, +which may be NULL for no expectation), +and a flag indicating that the response is expected to be +a DER encoded ASN.1 structure (I). The allocated context structure is also populated with an internal allocated memory B, which collects the HTTP request and additional headers as text. The returned context should only be used for a single HTTP request/response. @@ -72,9 +74,9 @@ OSSL_HTTP_REQ_CTX_free() frees up the HTTP request context I. The I and I are not free'd and it is up to the application to do so. -OSSL_HTTP_REQ_CTX_header() adds an HTTP request line to the request context. -The request command itself becomes C or C depending on the value -of I in the OSSL_HTTP_REQ_CTX_new() call. I and I +OSSL_HTTP_REQ_CTX_set_request_line() adds the HTTP request line to the context. +The request method itself becomes C or C depending on the value +of I in the OSSL_HTTP_REQ_CTX_new() call. I and I may be set to indicate a proxy server and port that the request should go through, otherwise they should be left NULL. I is the HTTP request path; if left NULL, C is used. @@ -90,8 +92,7 @@ encoding of I, using the ASN.1 template I to do the encoding. The HTTP header C is automatically filled out, and if I isn't NULL, the HTTP header C is also added with its content as value. All of this ends up in the internal memory B. -This requires that the request type be C, i.e. that I is 0 -in the OSSL_HTTP_REQ_CTX_new() call. +This requires that I was 1 in the OSSL_HTTP_REQ_CTX_new() call. OSSL_HTTP_REQ_CTX_nbio() attempts the exchange of request and response via HTTP, using the I and I that were given in the OSSL_HTTP_REQ_CTX_new() @@ -129,16 +130,17 @@ Then, the HTTP request must be prepared with request data: =item 1. -Calling OSSL_HTTP_REQ_CTX_header(). This must be done exactly once. +Calling OSSL_HTTP_REQ_CTX_set_request_line(). This must be done exactly once. =item 2. -Adding extra headers with OSSL_HTTP_REQ_CTX_add1_header(). This is optional. +Adding extra headers with OSSL_HTTP_REQ_CTX_add1_header(). +This is optional and may be done multiple times with different names. =item 3. Add C data with OSSL_HTTP_REQ_CTX_i2d(). This may only be done if -I was 0 in the OSSL_HTTP_REQ_CTX_new() call, and must be done +I was 1 in the OSSL_HTTP_REQ_CTX_new() call, and must be done exactly once in that case. =back @@ -146,10 +148,6 @@ exactly once in that case. When the request context is fully prepared, the HTTP exchange may be performed with OSSL_HTTP_REQ_CTX_nbio() or OSSL_HTTP_REQ_CTX_sendreq_d2i(). -Furthermore, all calls of OSSL_HTTP_REQ_CTX_header() and -OSSL_HTTP_REQ_CTX_add1_header() must be done before any call to -int OSSL_HTTP_REQ_CTX_nbio() or OSSL_HTTP_REQ_CTX_sendreq_d2i(). - =head1 RETURN VALUES OSSL_HTTP_REQ_CTX_new() returns a pointer to a B, or NULL @@ -158,7 +156,7 @@ on error. OSSL_HTTP_REQ_CTX_free() and OSSL_HTTP_REQ_CTX_set_max_response_length() do not return values. -OSSL_HTTP_REQ_CTX_header(), OSSL_HTTP_REQ_CTX_add1_header(), +OSSL_HTTP_REQ_CTX_set_request_line(), OSSL_HTTP_REQ_CTX_add1_header(), OSSL_HTTP_REQ_CTX_i2d() and OSSL_HTTP_REQ_CTX_nbio return 1 for success and 0 for failure. diff --git a/include/openssl/http.h b/include/openssl/http.h index 0bd32e514e..84a106f57a 100644 --- a/include/openssl/http.h +++ b/include/openssl/http.h @@ -42,9 +42,9 @@ OSSL_HTTP_REQ_CTX *OSSL_HTTP_REQ_CTX_new(BIO *wbio, BIO *rbio, const char *expected_content_type, int expect_asn1); void OSSL_HTTP_REQ_CTX_free(OSSL_HTTP_REQ_CTX *rctx); -int OSSL_HTTP_REQ_CTX_header(OSSL_HTTP_REQ_CTX *rctx, - const char *server, - const char *port, const char *path); +int OSSL_HTTP_REQ_CTX_set_request_line(OSSL_HTTP_REQ_CTX *rctx, + const char *server, const char *port, + const char *path); int OSSL_HTTP_REQ_CTX_add1_header(OSSL_HTTP_REQ_CTX *rctx, const char *name, const char *value); int OSSL_HTTP_REQ_CTX_i2d(OSSL_HTTP_REQ_CTX *rctx, const char *content_type, diff --git a/include/openssl/ocsp.h.in b/include/openssl/ocsp.h.in index c3a0b0e267..bfd6aa8cc6 100644 --- a/include/openssl/ocsp.h.in +++ b/include/openssl/ocsp.h.in @@ -172,24 +172,21 @@ DECLARE_ASN1_DUP_FUNCTION(OCSP_CERTID) OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req); OSSL_HTTP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, - OCSP_REQUEST *req, int maxline); + const OCSP_REQUEST *req, int maxline); int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OSSL_HTTP_REQ_CTX *rctx); # ifndef OPENSSL_NO_DEPRECATED_3_0 typedef OSSL_HTTP_REQ_CTX OCSP_REQ_CTX; -OSSL_DEPRECATEDIN_3_0 -int OCSP_REQ_CTX_set1_req(OSSL_HTTP_REQ_CTX *rctx, const OCSP_REQUEST *req); - -# define OCSP_REQ_CTX_new(wb, rb, m, ml, mrl, t, ect, ea) \ - OSSL_HTTP_REQ_CTX_new(wb, rb, m, ml, mrl, t, ect, ea) +# define OCSP_REQ_CTX_new(io, maxline) \ + OSSL_HTTP_REQ_CTX_new(io, io, 1, maxline, 0, 0, NULL, 1) # define OCSP_REQ_CTX_free(r) \ OSSL_HTTP_REQ_CTX_free(r) -# define OCSP_REQ_CTX_http(r, s, po, pa) \ - OSSL_HTTP_REQ_CTX_header(r, s, po, pa) +# define OCSP_REQ_CTX_http(rctx, op, path) \ + OSSL_HTTP_REQ_CTX_set_request_line(rctx, NULL, NULL, path) # define OCSP_REQ_CTX_add1_header(r, n, v) \ OSSL_HTTP_REQ_CTX_add1_header(r, n, v) -# define OCSP_REQ_CTX_i2d(r, c, i, req) \ - OSSL_HTTP_REQ_CTX_i2d(r, c, i, req) +# define OCSP_REQ_CTX_i2d(r, i, req) \ + OSSL_HTTP_REQ_CTX_i2d(r, "application/ocsp-request", i, req) # define OCSP_REQ_CTX_nbio(r) \ OSSL_HTTP_REQ_CTX_nbio(r) # define OCSP_REQ_CTX_nbio_d2i(r, i) \ @@ -198,6 +195,8 @@ int OCSP_REQ_CTX_set1_req(OSSL_HTTP_REQ_CTX *rctx, const OCSP_REQUEST *req); OSSL_HTTP_REQ_CTX_get0_mem_bio(r) # define OCSP_set_max_response_length(r, l) \ OSSL_HTTP_REQ_CTX_set_max_response_length(r, l) +# define OCSP_REQ_CTX_set1_req(r, req) \ + OCSP_REQ_CTX_i2d(r, ASN1_ITEM_rptr(OCSP_REQUEST), (ASN1_VALUE *)(req)) # endif OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject, diff --git a/util/libcrypto.num b/util/libcrypto.num index 1cd4b86f4d..ffc423953a 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -1379,7 +1379,7 @@ BIO_set_ex_data 1411 3_0_0 EXIST::FUNCTION: SHA512 1412 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 X509_STORE_CTX_get_explicit_policy 1413 3_0_0 EXIST::FUNCTION: EVP_DecodeBlock 1414 3_0_0 EXIST::FUNCTION: -OSSL_HTTP_REQ_CTX_header 1415 3_0_0 EXIST::FUNCTION: +OSSL_HTTP_REQ_CTX_set_request_line 1415 3_0_0 EXIST::FUNCTION: EVP_MD_CTX_reset 1416 3_0_0 EXIST::FUNCTION: X509_NAME_new 1417 3_0_0 EXIST::FUNCTION: ASN1_item_pack 1418 3_0_0 EXIST::FUNCTION: @@ -3334,7 +3334,6 @@ EVP_PKEY_meth_get_verify 3403 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_ CRYPTO_128_wrap 3404 3_0_0 EXIST::FUNCTION: X509_STORE_set_lookup_crls 3405 3_0_0 EXIST::FUNCTION: EVP_CIPHER_meth_get_ctrl 3406 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 -OCSP_REQ_CTX_set1_req 3407 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,OCSP CONF_imodule_get_usr_data 3408 3_0_0 EXIST::FUNCTION: CRYPTO_new_ex_data 3409 3_0_0 EXIST::FUNCTION: PEM_read_PKCS8_PRIV_KEY_INFO 3410 3_0_0 EXIST::FUNCTION:STDIO diff --git a/util/other.syms b/util/other.syms index 9644d3d02d..b6974b5f01 100644 --- a/util/other.syms +++ b/util/other.syms @@ -337,6 +337,7 @@ OCSP_REQ_CTX_add1_header define deprecated 3.0.0 OCSP_REQ_CTX_free define deprecated 3.0.0 OCSP_REQ_CTX_i2d define deprecated 3.0.0 OCSP_set_max_response_length define deprecated 3.0.0 +OCSP_REQ_CTX_set1_req define deprecated 3.0.0 OPENSSL_FILE define OPENSSL_FUNC define OPENSSL_LINE define diff --git a/util/perl/OpenSSL/Util/Pod.pm b/util/perl/OpenSSL/Util/Pod.pm index 02d37d2f85..b71f3901e0 100644 --- a/util/perl/OpenSSL/Util/Pod.pm +++ b/util/perl/OpenSSL/Util/Pod.pm @@ -116,6 +116,7 @@ sub extract_pod_info { my @invisible_names = (); my %podinfo = ( section => $defaults{section}); + $podinfo{lastsecttext} = ""; # init needed in case input file is empty # Regexp to split a text into paragraphs found at # https://www.perlmonks.org/?node_id=584367 From scan-admin at coverity.com Sun Jan 24 07:50:31 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 24 Jan 2021 07:50:31 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <600d26c739ebb_1eb1e2ad4c9578f5078063@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DZSwY_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeGY72WlfAgn-2FtcilmT5lgR6E7SlQliqMBppd2Tj0ZZ8oyIefn-2FwXaxkIK2RAXhV3f0kAsV2cgtpm4s2K020Vk15BD17pCJ5mZprbNv2jlDN2oAThhQaHevH25UFRSLaCWPtF8F4-2Bcon3UHIEY7gs6KKFa4DbK70ReC2sdgBi2naWgzzsX71k4wlLYK4AAApeok-3D Build ID: 365544 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Sun Jan 24 07:54:17 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 24 Jan 2021 07:54:17 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <600d27a95d139_1ed222ad4c9578f5078030@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DJ1s7_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeG1-2Bj-2FObHycNGIXXHzRJ4MP3hk0WsytDdTlQzEfqUbb-2BCEZUd2VjmTH7t8R0ubeocCdfVvn9nEDe1CWzLy8RZ9TBS3-2BQJCnTFKbO1RuyveEjaWWHpU8kmiNtD3p2SuSuYiaZT9W-2FGSdBtzV-2BOiHjaNyu1Q3Ziafc4LYyXbtoDja6-2BC28oM5F-2BRKPSLjA6ecDuQ-3D Build ID: 365545 Analysis Summary: New defects found: 1 Defects eliminated: 0 If you have difficulty understanding any defects, email us at scan-admin at coverity.com, or post your question to StackOverflow at https://u15810271.ct.sendgrid.net/ls/click?upn=CTPegkVN6peWFCMEieYYmPWIi1E4yUS9EoqKFcNAiqhRq8qmgeBE-2Bdt3uvFRAFXd-2FlwX83-2FVVdybfzIMOby0qA-3D-3DjY9x_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeG1-2Bj-2FObHycNGIXXHzRJ4MP3hk0WsytDdTlQzEfqUbb-2BDFjB2SA6JJ5yA-2FCJQHWTaL4-2BkGf7g5DeReLZACCrpv1Azlj2p1OCW028Td0QbJoo5j6fLTsK4eC3WKqkL3rt7bC1npcKRNUPJMkGUmvYfZtkYzfQOSfYdZEbhMNfM2Afv-2BVeKcv6dobUJNWu7s7uf4-3D From openssl at openssl.org Mon Jan 25 01:01:44 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 25 Jan 2021 01:01:44 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm Message-ID: <1611536504.499610.1969675.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-asm Commit log since last time: c9603dfa42 OCSP HTTP: Restore API of undocumented and recently deprecated functions 806990e7db OSSL_HTTP_REQ_CTX.pod: minor addition and remove redundant paragraph 046fba4493 OSSL_HTTP_REQ_CTX_new(): replace method_GET parameter by method_POST cddbcf02f5 rename OSSL_HTTP_REQ_CTX_header to OSSL_HTTP_REQ_CTX_set_request_line 0a20cc4bc3 Add check of HTTP method to OSSL_HTTP_REQ_CTX_content() 85c8b87b82 Util/Pod.pm: Fix uninitialized $podinfo{lastsecttext} on empty input 8a9394c1ed Fix no-dh and no-dsa fc52ae8c4b Don't copy parameters on setting a key in libssl 5060cd5f3e Ensure legacy_asn1_ctrl_to_param can handle MDs not in the OBJ database ef161e7b8f Unix Makefile generator: separate "simple" shared libraries from import libraries daa86f9e6b Check input size before NULL pointer test inside mem_write() 616581aaac dh_cms_set_shared_info: Use explicit fetch to be able to provide libctx 6c4ecc655a dh_cms_set_peerkey: The peer key is encoded as an ASN.1 integer 24d5be7a2a Make the smdh.pem test certificate usable with fips provider 6253cdcc8e kdf_exch.c (kdf_derive): Proper handling of NULL secret f23e4a17a2 Fixes related to broken DH support in CMS 6d9a54c6e6 Pass correct maximum output length to provider derive operation 3d46c81a7d CMP: Allow PKCS#10 input also for ir, cr, kur, and rr messages 2039ac07b4 X509_REQ_get_extensions(): Return empty stack if no extensions found 6b63b7b61e apps/cmp.c: Check self-signature on CSR input and warn on failure 92d619450a apps/cmp.c: Improve diagnostics on loading private vs. public key for cert request adcaebc314 CI: Add some legacy stuff that we do not test in GitHub CI yet 52b0bb38f3 fall-back -> fallback find-doc-nit addition 6857058016 Fix typo in crl2pkcs documentation a3d267f184 Deprecate EVP_KEY_new_CMAC_key and EVP_PKEY_new_CMAC_key_ex Build log ended with (last 100 lines): rm -f test/tls13secretstest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/tls13secretstest \ crypto/tls13secretstest-bin-packet.o \ ssl/tls13secretstest-bin-tls13_enc.o \ test/tls13secretstest-bin-tls13secretstest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread rm -f test/uitest ${LDCMD:-clang} -pthread -m64 -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -L. \ -o test/uitest \ apps/lib/uitest-bin-apps_ui.o test/uitest-bin-uitest.o \ -lssl test/libtestutil.a -lcrypto -ldl -pthread make[1]: Leaving directory '/home/openssl/run-checker/no-asm' $ make test make depend && make _tests make[1]: Entering directory '/home/openssl/run-checker/no-asm' make[1]: Leaving directory '/home/openssl/run-checker/no-asm' make[1]: Entering directory '/home/openssl/run-checker/no-asm' ( SRCTOP=../openssl \ BLDTOP=. \ PERL="/usr/bin/perl" \ FIPSKEY="f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813" \ EXE_EXT= \ /usr/bin/perl ../openssl/test/run_tests.pl ) 01-test_abort.t .................... ok 01-test_sanity.t ................... ok 01-test_symbol_presence.t .......... ok 01-test_test.t ..................... ok 02-test_errstr.t ................... ok 02-test_internal_context.t ......... ok 02-test_internal_ctype.t ........... ok 02-test_internal_keymgmt.t ......... ok 02-test_internal_provider.t ........ ok 02-test_lhash.t .................... ok 02-test_ordinals.t ................. ok 02-test_sparse_array.t ............. ok 02-test_stack.t .................... ok 03-test_exdata.t ................... ok 03-test_fipsinstall.t .............. ok 03-test_internal_asn1.t ............ ok 03-test_internal_asn1_dsa.t ........ ok 03-test_internal_bn.t .............. ok 03-test_internal_chacha.t .......... ok 03-test_internal_curve448.t ........ ok 03-test_internal_ec.t .............. ok 03-test_internal_ffc.t ............. ok 03-test_internal_mdc2.t ............ ok 03-test_internal_modes.t ........... ok 03-test_internal_namemap.t ......... ok 03-test_internal_poly1305.t ........ ok 03-test_internal_rsa_sp800_56b.t ... ok 03-test_internal_siphash.t ......... ok 03-test_internal_sm2.t ............. ok 03-test_internal_sm4.t ............. ok 03-test_internal_ssl_cert_table.t .. ok 03-test_internal_x509.t ............ ok 03-test_params_api.t ............... ok 03-test_property.t ................. ok 03-test_ui.t ....................... ok 04-test_asn1_decode.t .............. ok 04-test_asn1_encode.t .............. ok 04-test_asn1_string_table.t ........ ok 04-test_bio_callback.t ............. ok 04-test_bioprint.t ................. ok 04-test_conf.t ..................... ok 04-test_encoder_decoder.t .......... ok 04-test_encoder_decoder_legacy.t ... ok 04-test_err.t ...................... ok 04-test_hexstring.t ................ ok 04-test_param_build.t .............. ok 04-test_params.t ................... ok 04-test_params_conversion.t ........ ok 04-test_pem.t ...................... ok 04-test_pem_read_depr.t ............ ok 04-test_provider.t ................. ok 04-test_provider_fallback.t ........ ok 05-test_bf.t ....................... ok 05-test_cast.t ..................... ok 05-test_cmac.t ..................... ok 05-test_des.t ...................... ok 05-test_hmac.t ..................... ok 05-test_idea.t ..................... ok 05-test_rand.t ..................... ok 05-test_rc2.t ...................... ok 05-test_rc4.t ...................... ok 05-test_rc5.t ...................... skipped: rc5 is not supported by this OpenSSL build 06-test-rdrand.t ................... ok 10-test_bn.t ....................... ok 10-test_exp.t ...................... ok 15-test_dh.t ....................... ok 15-test_dsa.t ...................... ok 15-test_ec.t ....................... ok 15-test_ecdsa.t .................... ok 15-test_ecparam.t .................. ok 15-test_gendh.t .................... ok 15-test_gendsa.t ................... ok 15-test_genec.t .................... ok 15-test_genrsa.t ................... ok make[1]: *** [Makefile:3263: _tests] Terminated make: *** [Makefile:3260: tests] Terminated From openssl at openssl.org Mon Jan 25 01:52:18 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 25 Jan 2021 01:52:18 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit Message-ID: <1611539538.168392.2080376.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: c9603dfa42 OCSP HTTP: Restore API of undocumented and recently deprecated functions 806990e7db OSSL_HTTP_REQ_CTX.pod: minor addition and remove redundant paragraph 046fba4493 OSSL_HTTP_REQ_CTX_new(): replace method_GET parameter by method_POST cddbcf02f5 rename OSSL_HTTP_REQ_CTX_header to OSSL_HTTP_REQ_CTX_set_request_line 0a20cc4bc3 Add check of HTTP method to OSSL_HTTP_REQ_CTX_content() 85c8b87b82 Util/Pod.pm: Fix uninitialized $podinfo{lastsecttext} on empty input 8a9394c1ed Fix no-dh and no-dsa fc52ae8c4b Don't copy parameters on setting a key in libssl 5060cd5f3e Ensure legacy_asn1_ctrl_to_param can handle MDs not in the OBJ database ef161e7b8f Unix Makefile generator: separate "simple" shared libraries from import libraries daa86f9e6b Check input size before NULL pointer test inside mem_write() 616581aaac dh_cms_set_shared_info: Use explicit fetch to be able to provide libctx 6c4ecc655a dh_cms_set_peerkey: The peer key is encoded as an ASN.1 integer 24d5be7a2a Make the smdh.pem test certificate usable with fips provider 6253cdcc8e kdf_exch.c (kdf_derive): Proper handling of NULL secret f23e4a17a2 Fixes related to broken DH support in CMS 6d9a54c6e6 Pass correct maximum output length to provider derive operation 3d46c81a7d CMP: Allow PKCS#10 input also for ir, cr, kur, and rr messages 2039ac07b4 X509_REQ_get_extensions(): Return empty stack if no extensions found 6b63b7b61e apps/cmp.c: Check self-signature on CSR input and warn on failure 92d619450a apps/cmp.c: Improve diagnostics on loading private vs. public key for cert request adcaebc314 CI: Add some legacy stuff that we do not test in GitHub CI yet 52b0bb38f3 fall-back -> fallback find-doc-nit addition 6857058016 Fix typo in crl2pkcs documentation a3d267f184 Deprecate EVP_KEY_new_CMAC_key and EVP_PKEY_new_CMAC_key_ex Build log ended with (last 100 lines): 70-test_sslcbcpadding.t ............ ok 70-test_sslcertstatus.t ............ ok 70-test_sslextension.t ............. ok 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... ok 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 04-test_err.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=228, Tests=3460, 937 wallclock secs (14.61 usr 1.25 sys + 848.47 cusr 85.06 csys = 949.39 CPU) Result: FAIL make[1]: *** [Makefile:3263: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-autoerrinit' make: *** [Makefile:3260: tests] Error 2 From openssl at openssl.org Mon Jan 25 07:32:34 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 25 Jan 2021 07:32:34 +0000 Subject: Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des Message-ID: <1611559954.068017.2789443.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: c9603dfa42 OCSP HTTP: Restore API of undocumented and recently deprecated functions 806990e7db OSSL_HTTP_REQ_CTX.pod: minor addition and remove redundant paragraph 046fba4493 OSSL_HTTP_REQ_CTX_new(): replace method_GET parameter by method_POST cddbcf02f5 rename OSSL_HTTP_REQ_CTX_header to OSSL_HTTP_REQ_CTX_set_request_line 0a20cc4bc3 Add check of HTTP method to OSSL_HTTP_REQ_CTX_content() 85c8b87b82 Util/Pod.pm: Fix uninitialized $podinfo{lastsecttext} on empty input 8a9394c1ed Fix no-dh and no-dsa fc52ae8c4b Don't copy parameters on setting a key in libssl 5060cd5f3e Ensure legacy_asn1_ctrl_to_param can handle MDs not in the OBJ database ef161e7b8f Unix Makefile generator: separate "simple" shared libraries from import libraries daa86f9e6b Check input size before NULL pointer test inside mem_write() 616581aaac dh_cms_set_shared_info: Use explicit fetch to be able to provide libctx 6c4ecc655a dh_cms_set_peerkey: The peer key is encoded as an ASN.1 integer 24d5be7a2a Make the smdh.pem test certificate usable with fips provider 6253cdcc8e kdf_exch.c (kdf_derive): Proper handling of NULL secret f23e4a17a2 Fixes related to broken DH support in CMS 6d9a54c6e6 Pass correct maximum output length to provider derive operation 3d46c81a7d CMP: Allow PKCS#10 input also for ir, cr, kur, and rr messages 2039ac07b4 X509_REQ_get_extensions(): Return empty stack if no extensions found 6b63b7b61e apps/cmp.c: Check self-signature on CSR input and warn on failure 92d619450a apps/cmp.c: Improve diagnostics on loading private vs. public key for cert request adcaebc314 CI: Add some legacy stuff that we do not test in GitHub CI yet 52b0bb38f3 fall-back -> fallback find-doc-nit addition 6857058016 Fix typo in crl2pkcs documentation a3d267f184 Deprecate EVP_KEY_new_CMAC_key and EVP_PKEY_new_CMAC_key_ex Build log ended with (last 100 lines): 70-test_sslmessages.t .............. ok 70-test_sslrecords.t ............... ok 70-test_sslsessiontick.t ........... ok 70-test_sslsigalgs.t ............... ok 70-test_sslsignature.t ............. ok 70-test_sslskewith0p.t ............. ok 70-test_sslversions.t .............. ok 70-test_sslvertol.t ................ ok 70-test_tls13alerts.t .............. ok 70-test_tls13cookie.t .............. ok 70-test_tls13downgrade.t ........... ok 70-test_tls13hrr.t ................. ok 70-test_tls13kexmodes.t ............ ok 70-test_tls13messages.t ............ ok 70-test_tls13psk.t ................. ok 70-test_tlsextms.t ................. ok 70-test_verify_extra.t ............. ok 70-test_wpacket.t .................. ok 71-test_ssl_ctx.t .................. ok 80-test_ca.t ....................... ok 80-test_cipherbytes.t .............. ok 80-test_cipherlist.t ............... ok 80-test_ciphername.t ............... ok # 80-test_cms.t ...................... ok 80-test_cmsapi.t ................... ok 80-test_ct.t ....................... ok 80-test_dane.t ..................... ok 80-test_dtls.t ..................... ok 80-test_dtls_mtu.t ................. ok 80-test_dtlsv1listen.t ............. ok 80-test_http.t ..................... ok 80-test_ocsp.t ..................... ok 80-test_pkcs12.t ................... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .................. ok 80-test_ssl_old.t .................. ok 80-test_ssl_test_ctx.t ............. ok 80-test_sslcorrupt.t ............... ok 80-test_tsa.t ...................... ok 80-test_x509aux.t .................. ok # 81-test_cmp_cli.t .................. ok 90-test_asn1_time.t ................ ok 90-test_async.t .................... ok 90-test_bio_enc.t .................. ok 90-test_bio_memleak.t .............. ok 90-test_constant_time.t ............ ok 90-test_fatalerr.t ................. ok 90-test_fipsload.t ................. ok 90-test_gmdiff.t ................... ok 90-test_gost.t ..................... ok 90-test_ige.t ...................... ok 90-test_includes.t ................. ok 90-test_memleak.t .................. ok 90-test_overhead.t ................. ok 90-test_secmem.t ................... ok 90-test_shlibload.t ................ ok 90-test_srp.t ...................... ok 90-test_sslapi.t ................... ok 90-test_sslbuffers.t ............... ok 90-test_store.t .................... ok 90-test_sysdefault.t ............... ok 90-test_threads.t .................. ok 90-test_time_offset.t .............. ok 90-test_tls13ccs.t ................. ok 90-test_tls13encryption.t .......... ok 90-test_tls13secrets.t ............. ok 90-test_v3name.t ................... ok 91-test_pkey_check.t ............... ok 95-test_external_boringssl.t ....... skipped: No external tests in this configuration 95-test_external_gost_engine.t ..... skipped: No external tests in this configuration 95-test_external_krb5.t ............ skipped: No external tests in this configuration 95-test_external_pyca.t ............ skipped: No external tests in this configuration 99-test_ecstress.t ................. ok 99-test_fuzz_asn1.t ................ ok 99-test_fuzz_asn1parse.t ........... ok 99-test_fuzz_bignum.t .............. ok 99-test_fuzz_bndiv.t ............... ok 99-test_fuzz_client.t .............. ok 99-test_fuzz_cmp.t ................. ok 99-test_fuzz_cms.t ................. ok 99-test_fuzz_conf.t ................ ok 99-test_fuzz_crl.t ................. ok 99-test_fuzz_ct.t .................. ok 99-test_fuzz_server.t .............. ok 99-test_fuzz_x509.t ................ ok Test Summary Report ------------------- 30-test_evp.t (Wstat: 512 Tests: 90 Failed: 2) Failed tests: 14, 40 Non-zero exit status: 2 30-test_evp_kdf.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=228, Tests=3462, 892 wallclock secs (14.52 usr 1.25 sys + 804.34 cusr 86.74 csys = 906.85 CPU) Result: FAIL make[1]: *** [Makefile:3208: _tests] Error 1 make[1]: Leaving directory '/home/openssl/run-checker/no-des' make: *** [Makefile:3205: tests] Error 2 From openssl at openssl.org Mon Jan 25 08:22:22 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 25 Jan 2021 08:22:22 +0000 Subject: SUCCESSFUL build of OpenSSL branch master with options -d --strict-warnings no-dh Message-ID: <1611562942.377180.2891177.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dh Commit log since last time: c9603dfa42 OCSP HTTP: Restore API of undocumented and recently deprecated functions 806990e7db OSSL_HTTP_REQ_CTX.pod: minor addition and remove redundant paragraph 046fba4493 OSSL_HTTP_REQ_CTX_new(): replace method_GET parameter by method_POST cddbcf02f5 rename OSSL_HTTP_REQ_CTX_header to OSSL_HTTP_REQ_CTX_set_request_line 0a20cc4bc3 Add check of HTTP method to OSSL_HTTP_REQ_CTX_content() 85c8b87b82 Util/Pod.pm: Fix uninitialized $podinfo{lastsecttext} on empty input 8a9394c1ed Fix no-dh and no-dsa fc52ae8c4b Don't copy parameters on setting a key in libssl 5060cd5f3e Ensure legacy_asn1_ctrl_to_param can handle MDs not in the OBJ database ef161e7b8f Unix Makefile generator: separate "simple" shared libraries from import libraries daa86f9e6b Check input size before NULL pointer test inside mem_write() 616581aaac dh_cms_set_shared_info: Use explicit fetch to be able to provide libctx 6c4ecc655a dh_cms_set_peerkey: The peer key is encoded as an ASN.1 integer 24d5be7a2a Make the smdh.pem test certificate usable with fips provider 6253cdcc8e kdf_exch.c (kdf_derive): Proper handling of NULL secret f23e4a17a2 Fixes related to broken DH support in CMS 6d9a54c6e6 Pass correct maximum output length to provider derive operation 3d46c81a7d CMP: Allow PKCS#10 input also for ir, cr, kur, and rr messages 2039ac07b4 X509_REQ_get_extensions(): Return empty stack if no extensions found 6b63b7b61e apps/cmp.c: Check self-signature on CSR input and warn on failure 92d619450a apps/cmp.c: Improve diagnostics on loading private vs. public key for cert request adcaebc314 CI: Add some legacy stuff that we do not test in GitHub CI yet 52b0bb38f3 fall-back -> fallback find-doc-nit addition 6857058016 Fix typo in crl2pkcs documentation a3d267f184 Deprecate EVP_KEY_new_CMAC_key and EVP_PKEY_new_CMAC_key_ex From openssl at openssl.org Mon Jan 25 08:44:55 2021 From: openssl at openssl.org (OpenSSL run-checker) Date: Mon, 25 Jan 2021 08:44:55 +0000 Subject: SUCCESSFUL build of OpenSSL branch master with options -d --strict-warnings no-dsa Message-ID: <1611564295.495670.2939968.nullmailer@run.openssl.org> Platform and configuration command: $ uname -a Linux run 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dsa Commit log since last time: c9603dfa42 OCSP HTTP: Restore API of undocumented and recently deprecated functions 806990e7db OSSL_HTTP_REQ_CTX.pod: minor addition and remove redundant paragraph 046fba4493 OSSL_HTTP_REQ_CTX_new(): replace method_GET parameter by method_POST cddbcf02f5 rename OSSL_HTTP_REQ_CTX_header to OSSL_HTTP_REQ_CTX_set_request_line 0a20cc4bc3 Add check of HTTP method to OSSL_HTTP_REQ_CTX_content() 85c8b87b82 Util/Pod.pm: Fix uninitialized $podinfo{lastsecttext} on empty input 8a9394c1ed Fix no-dh and no-dsa fc52ae8c4b Don't copy parameters on setting a key in libssl 5060cd5f3e Ensure legacy_asn1_ctrl_to_param can handle MDs not in the OBJ database ef161e7b8f Unix Makefile generator: separate "simple" shared libraries from import libraries daa86f9e6b Check input size before NULL pointer test inside mem_write() 616581aaac dh_cms_set_shared_info: Use explicit fetch to be able to provide libctx 6c4ecc655a dh_cms_set_peerkey: The peer key is encoded as an ASN.1 integer 24d5be7a2a Make the smdh.pem test certificate usable with fips provider 6253cdcc8e kdf_exch.c (kdf_derive): Proper handling of NULL secret f23e4a17a2 Fixes related to broken DH support in CMS 6d9a54c6e6 Pass correct maximum output length to provider derive operation 3d46c81a7d CMP: Allow PKCS#10 input also for ir, cr, kur, and rr messages 2039ac07b4 X509_REQ_get_extensions(): Return empty stack if no extensions found 6b63b7b61e apps/cmp.c: Check self-signature on CSR input and warn on failure 92d619450a apps/cmp.c: Improve diagnostics on loading private vs. public key for cert request adcaebc314 CI: Add some legacy stuff that we do not test in GitHub CI yet 52b0bb38f3 fall-back -> fallback find-doc-nit addition 6857058016 Fix typo in crl2pkcs documentation a3d267f184 Deprecate EVP_KEY_new_CMAC_key and EVP_PKEY_new_CMAC_key_ex From tmraz at fedoraproject.org Mon Jan 25 10:32:10 2021 From: tmraz at fedoraproject.org (tmraz at fedoraproject.org) Date: Mon, 25 Jan 2021 10:32:10 +0000 Subject: [openssl] master update Message-ID: <1611570730.775658.21904.nullmailer@dev.openssl.org> The branch master has been updated via c27e7922211ac4f7aee5573f605c3b3cbef0d0bc (commit) from c9603dfa42d0643a6c8cac3e14364d9fd63303c4 (commit) - Log ----------------------------------------------------------------- commit c27e7922211ac4f7aee5573f605c3b3cbef0d0bc Author: Tomas Mraz Date: Thu Jan 21 16:37:26 2021 +0100 bn: Deprecate the X9.31 RSA key generation related functions This key generation method is obsolete. Fixes #10111 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/13921) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 6 ++++++ crypto/bn/bn_x931p.c | 2 ++ crypto/bn/build.info | 5 ++--- crypto/rsa/build.info | 5 ++++- crypto/rsa/rsa_x931g.c | 2 +- include/openssl/bn.h | 5 +++++ util/libcrypto.num | 6 +++--- 7 files changed, 23 insertions(+), 8 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 63d41c3911..fbd80c33c0 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,6 +23,12 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] + * Deprecated the obsolete X9.31 RSA key generation related functions + BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and + BN_X931_generate_prime_ex(). + + *Tomas Mraz* + * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_new(), OCSP_REQ_CTX_free(), OCSP_REQ_CTX_http(), OCSP_REQ_CTX_add1_header(), OCSP_REQ_CTX_i2d(), OCSP_REQ_CTX_nbio(), OCSP_REQ_CTX_nbio_d2i(), diff --git a/crypto/bn/bn_x931p.c b/crypto/bn/bn_x931p.c index bca7c9788e..c7ecdd23c8 100644 --- a/crypto/bn/bn_x931p.c +++ b/crypto/bn/bn_x931p.c @@ -7,6 +7,8 @@ * https://www.openssl.org/source/license.html */ +#define OPENSSL_SUPPRESS_DEPRECATED + #include #include #include "bn_local.h" diff --git a/crypto/bn/build.info b/crypto/bn/build.info index 6164bba8c7..f732be24f8 100644 --- a/crypto/bn/build.info +++ b/crypto/bn/build.info @@ -105,11 +105,10 @@ $COMMON=bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \ bn_mod.c bn_conv.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \ bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_sqr.c \ bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \ - bn_x931p.c bn_intern.c bn_dh.c \ - bn_rsa_fips186_4.c bn_const.c + bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c SOURCE[../../libcrypto]=$COMMON $BNASM bn_print.c bn_err.c bn_srp.c IF[{- !$disabled{'deprecated-3.0'} -}] - SOURCE[../../libcrypto]=bn_depr.c + SOURCE[../../libcrypto]=bn_depr.c bn_x931p.c ENDIF SOURCE[../../providers/libfips.a]=$COMMON $BNASM SOURCE[../../providers/liblegacy.a]=$BNASM diff --git a/crypto/rsa/build.info b/crypto/rsa/build.info index 1614996049..d97e07fa4c 100644 --- a/crypto/rsa/build.info +++ b/crypto/rsa/build.info @@ -2,7 +2,7 @@ LIBS=../../libcrypto $COMMON=rsa_ossl.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_pk1.c \ rsa_none.c rsa_oaep.c rsa_chk.c rsa_pss.c rsa_x931.c rsa_crpt.c \ - rsa_x931g.c rsa_sp800_56b_gen.c rsa_sp800_56b_check.c rsa_backend.c \ + rsa_sp800_56b_gen.c rsa_sp800_56b_check.c rsa_backend.c \ rsa_mp_names.c rsa_schemes.c SOURCE[../../libcrypto]=$COMMON\ @@ -11,6 +11,9 @@ SOURCE[../../libcrypto]=$COMMON\ IF[{- !$disabled{'deprecated-0.9.8'} -}] SOURCE[../../libcrypto]=rsa_depr.c ENDIF +IF[{- !$disabled{'deprecated-3.0'} -}] + SOURCE[../../libcrypto]=rsa_x931g.c +ENDIF SOURCE[../../providers/libfips.a]=$COMMON diff --git a/crypto/rsa/rsa_x931g.c b/crypto/rsa/rsa_x931g.c index 211e717871..6c50bd9593 100644 --- a/crypto/rsa/rsa_x931g.c +++ b/crypto/rsa/rsa_x931g.c @@ -11,7 +11,7 @@ * RSA low level APIs are deprecated for public use, but still ok for * internal use. */ -#include "internal/deprecated.h" +#define OPENSSL_SUPPRESS_DEPRECATED #include #include diff --git a/include/openssl/bn.h b/include/openssl/bn.h index c15fa3054f..2a9ba8cd7f 100644 --- a/include/openssl/bn.h +++ b/include/openssl/bn.h @@ -370,15 +370,20 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb); int BN_check_prime(const BIGNUM *p, BN_CTX *ctx, BN_GENCB *cb); +# ifndef OPENSSL_NO_DEPRECATED_3_0 +OSSL_DEPRECATEDIN_3_0 int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx); +OSSL_DEPRECATEDIN_3_0 int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb); +OSSL_DEPRECATEDIN_3_0 int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, BIGNUM *Xp1, BIGNUM *Xp2, const BIGNUM *Xp, const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb); +# endif BN_MONT_CTX *BN_MONT_CTX_new(void); int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, diff --git a/util/libcrypto.num b/util/libcrypto.num index ffc423953a..bc39e25b6d 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -568,7 +568,7 @@ ERR_load_CONF_strings 581 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3 ESS_ISSUER_SERIAL_dup 582 3_0_0 EXIST::FUNCTION: BN_GF2m_mod_exp_arr 583 3_0_0 EXIST::FUNCTION:EC2M ASN1_UTF8STRING_free 584 3_0_0 EXIST::FUNCTION: -BN_X931_generate_prime_ex 585 3_0_0 EXIST::FUNCTION: +BN_X931_generate_prime_ex 585 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 ENGINE_get_RAND 586 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE EVP_DecryptInit 587 3_0_0 EXIST::FUNCTION: BN_bin2bn 588 3_0_0 EXIST::FUNCTION: @@ -980,7 +980,7 @@ CRYPTO_cbc128_encrypt 1004 3_0_0 EXIST::FUNCTION: i2d_RSAPublicKey_bio 1005 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 X509_chain_check_suiteb 1006 3_0_0 EXIST::FUNCTION: i2d_OCSP_REQUEST 1007 3_0_0 EXIST::FUNCTION:OCSP -BN_X931_generate_Xpq 1008 3_0_0 EXIST::FUNCTION: +BN_X931_generate_Xpq 1008 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 ASN1_item_digest 1009 3_0_0 EXIST::FUNCTION: X509_VERIFY_PARAM_set_trust 1010 3_0_0 EXIST::FUNCTION: X509_STORE_CTX_get_error 1011 3_0_0 EXIST::FUNCTION: @@ -1976,7 +1976,7 @@ EC_KEY_get0_private_key 2021 3_0_0 EXIST::FUNCTION:EC SCT_get0_extensions 2022 3_0_0 EXIST::FUNCTION:CT OPENSSL_LH_node_stats_bio 2023 3_0_0 EXIST::FUNCTION: i2d_DIRECTORYSTRING 2024 3_0_0 EXIST::FUNCTION: -BN_X931_derive_prime_ex 2025 3_0_0 EXIST::FUNCTION: +BN_X931_derive_prime_ex 2025 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 ENGINE_get_pkey_asn1_meth_str 2026 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE PKCS7_signatureVerify 2027 3_0_0 EXIST::FUNCTION: CRYPTO_ocb128_new 2028 3_0_0 EXIST::FUNCTION:OCB From levitte at openssl.org Mon Jan 25 12:21:15 2021 From: levitte at openssl.org (Richard Levitte) Date: Mon, 25 Jan 2021 12:21:15 +0000 Subject: [web] master update Message-ID: <1611577275.079788.32002.nullmailer@dev.openssl.org> The branch master has been updated via 3d9c535a7ca836b670bec4680763d70c42f50e19 (commit) from 8bbe05eafe1a554259e527f9ba3dd18e4b2e3a9a (commit) - Log ----------------------------------------------------------------- commit 3d9c535a7ca836b670bec4680763d70c42f50e19 Author: Richard Levitte Date: Mon Jan 25 12:06:15 2021 +0100 Upgrade our use of jQuery to 3.5.1 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/213) ----------------------------------------------------------------------- Summary of changes: inc/head.shtml | 4 ++-- inc/libs/jquery-3.5.1.min.js | 2 ++ inc/libs/jquery.min.js | 5 ----- 3 files changed, 4 insertions(+), 7 deletions(-) create mode 100644 inc/libs/jquery-3.5.1.min.js delete mode 100644 inc/libs/jquery.min.js diff --git a/inc/head.shtml b/inc/head.shtml index c622c8b..b9d5435 100644 --- a/inc/head.shtml +++ b/inc/head.shtml @@ -13,8 +13,8 @@ - - + + diff --git a/inc/libs/jquery-3.5.1.min.js b/inc/libs/jquery-3.5.1.min.js new file mode 100644 index 0000000..b061403 --- /dev/null +++ b/inc/libs/jquery-3.5.1.min.js @@ -0,0 +1,2 @@ +/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */ +!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply([],e)},u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType},x=function(e){return null!=e&&e===e.window},E=C.document,c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n||E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}function w(e){return null==e?e+"":"object"==typeof e||"function"==typeof e?n[o.call(e)]||"object":typeof e}var f="3.5.1",S=function(e,t){return new S.fn.init(e,t)};function p(e){var t=!!e&&"length"in e&&e.length,n=w(e);return!m(e)&&!x(e)&&("array"===n||0===t||"number"==typeof t&&0+~]|"+M+")"+M+"*"),U=new RegExp(M+"|>"),X=new RegExp(F),V=new RegExp("^"+I+"$"),G={ID:new RegExp("^#("+I+")"),CLASS:new RegExp("^\\.("+I+")"),TAG:new RegExp("^("+I+"|[*])"),ATTR:new RegExp("^"+W),PSEUDO:new RegExp("^"+F),CHILD:new RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+M+"*(even|odd|(([+-]|)(\\d*)n|)"+M+"*(?:([+-]|)"+M+"*(\\d+)|))"+M+"*\\)|)","i"),bool:new RegExp("^(?:"+R+")$","i"),needsContext:new RegExp("^"+M+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+M+"*((?:-\\d)?\\d*)"+M+"*\\)|)(?=[^-]|$)","i")},Y=/HTML$/i,Q=/^(?:input|select|textarea|button)$/i,J=/^h\d$/i,K=/^[^{]+\{\s*\[native \w/,Z=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,ee=/[+~]/,te=new RegExp("\\\\[\\da-fA-F]{1,6}"+M+"?|\\\\([^\\r\\n\\f])","g"),ne=function(e,t){var n="0x"+e.slice(1)-65536;return t||(n<0?String.fromCharCode(n+65536):String.fromCharCode(n>>10|55296,1023&n|56320))},re=/([\0-\x1f\x7f]|^-?\d)|^-$|[^\0-\x1f\x7f-\uFFFF\w-]/g,ie=function(e,t){return t?"\0"===e?"\ufffd":e.slice(0,-1)+"\\"+e.charCodeAt(e.length-1).toString(16)+" ":"\\"+e},oe=function(){T()},ae=be(function(e){return!0===e.disabled&&"fieldset"===e.nodeName.toLowerCase()},{dir:"parentNode",next:"legend"});try{H.apply(t=O.call(p.childNodes),p.childNodes),t[p.childNodes.length].nodeType}catch(e){H={apply:t.length?function(e,t){L.apply(e,O.call(t))}:function(e,t){var n=e.length,r=0;while(e[n++]=t[r++]);e.length=n-1}}}function se(t,e,n,r){var i,o,a,s,u,l,c,f=e&&e.ownerDocument,p=e?e.nodeType:9;if(n=n||[],"string"!=typeof t||!t||1!==p&&9!==p&&11!==p)return n;if(!r&&(T(e),e=e||C,E)){if(11!==p&&(u=Z.exec(t)))if(i=u[1]){if(9===p){if(!(a=e.getElementById(i)))return n;if(a.id===i)return n.push(a),n}else if(f&&(a=f.getElementById(i))&&y(e,a)&&a.id===i)return n.push(a),n}else{if(u[2])return H.apply(n,e.getElementsByTagName(t)),n;if((i=u[3])&&d.getElementsByClassName&&e.getElementsByClassName)return H.apply(n,e.getElementsByClassName(i)),n}if(d.qsa&&!N[t+" "]&&(!v||!v.test(t))&&(1!==p||"object"!==e.nodeName.toLowerCase())){if(c=t,f=e,1===p&&(U.test(t)||z.test(t))){(f=ee.test(t)&&ye(e.parentNode)||e)===e&&d.scope||((s=e.getAttribute("id"))?s=s.replace(re,ie):e.setAttribute("id",s=S)),o=(l=h(t)).length;while(o--)l[o]=(s?"#"+s:":scope")+" "+xe(l[o]);c=l.join(",")}try{return H.apply(n,f.querySelectorAll(c)),n}catch(e){N(t,!0)}finally{s===S&&e.removeAttribute("id")}}}return g(t.replace($,"$1"),e,n,r)}function ue(){var r=[];return function e(t,n){return r.push(t+" ")>b.cacheLength&&delete e[r.shift()],e[t+" "]=n}}function le(e){return e[S]=!0,e}function ce(e){var t=C.createElement("fieldset");try{return!!e(t)}catch(e){return!1}finally{t.parentNode&&t.parentNode.removeChild(t),t=null}}function fe(e,t){var n=e.split("|"),r=n.length;while(r--)b.attrHandle[n[r]]=t}function pe(e,t){var n=t&&e,r=n&&1===e.nodeType&&1===t.nodeType&&e.sourceIndex-t.sourceIndex;if(r)return r;if(n)while(n=n.nextSibling)if(n===t)return-1;return e?1:-1}function de(t){return function(e){return"input"===e.nodeName.toLowerCase()&&e.type===t}}function he(n){return function(e){var t=e.nodeName.toLowerCase();return("input"===t||"button"===t)&&e.type===n}}function ge(t){return function(e){return"form"in e?e.parentNode&&!1===e.disabled?"label"in e?"label"in e.parentNode?e.parentNode.disabled===t:e.disabled===t:e.isDisabled===t||e.isDisabled!==!t&&ae(e)===t:e.disabled===t:"label"in e&&e.disabled===t}}function ve(a){return le(function(o){return o=+o,le(function(e,t){var n,r=a([],e.length,o),i=r.length;while(i--)e[n=r[i]]&&(e[n]=!(t[n]=e[n]))})})}function ye(e){return e&&"undefined"!=typeof e.getElementsByTagName&&e}for(e in d=se.support={},i=se.isXML=function(e){var t=e.namespaceURI,n=(e.ownerDocument||e).documentElement;return!Y.test(t||n&&n.nodeName||"HTML")},T=se.setDocument=function(e){var t,n,r=e?e.ownerDocument||e:p;return r!=C&&9===r.nodeType&&r.documentElement&&(a=(C=r).documentElement,E=!i(C),p!=C&&(n=C.defaultView)&&n.top!==n&&(n.addEventListener?n.addEventListener("unload",oe,!1):n.attachEvent&&n.attachEvent("onunload",oe)),d.scope=ce(function(e){return a.appendChild(e).appendChild(C.createElement("div")),"undefined"!=typeof e.querySelectorAll&&!e.querySelectorAll(":scope fieldset div").length}),d.attributes=ce(function(e){return e.className="i",!e.getAttribute("className")}),d.getElementsByTagName=ce(function(e){return e.appendChild(C.createComment("")),!e.getElementsByTagName("*").length}),d.getElementsByClassName=K.test(C.getElementsByClassName),d.getById=ce(function(e){return a.appendChild(e).id=S,!C.getElementsByName||!C.getElementsByName(S).length}),d.getById?(b.filter.ID=function(e){var t=e.replace(te,ne);return function(e){return e.getAttribute("id")===t}},b.find.ID=function(e,t){if("undefined"!=typeof t.getElementById&&E){var n=t.getElementById(e);return n?[n]:[]}}):(b.filter.ID=function(e){var n=e.replace(te,ne);return function(e){var t="undefined"!=typeof e.getAttributeNode&&e.getAttributeNode("id");return t&&t.value===n}},b.find.ID=function(e,t){if("undefined"!=typeof t.getElementById&&E){var n,r,i,o=t.getElementById(e);if(o){if((n=o.getAttributeNode("id"))&&n.value===e)return[o];i=t.getElementsByName(e),r=0;while(o=i[r++])if((n=o.getAttributeNode("id"))&&n.value===e)return[o]}return[]}}),b.find.TAG=d.getElementsByTagName?function(e,t){return"undefined"!=typeof t.getElementsByTagName?t.getElementsByTagName(e):d.qsa?t.querySelectorAll(e):void 0}:function(e,t){var n,r=[],i=0,o=t.getElementsByTagName(e);if("*"===e){while(n=o[i++])1===n.nodeType&&r.push(n);return r}return o},b.find.CLASS=d.getElementsByClassName&&function(e,t){if("undefined"!=typeof t.getElementsByClassName&&E)return t.getElementsByClassName(e)},s=[],v=[],(d.qsa=K.test(C.querySelectorAll))&&(ce(function(e){var t;a.appendChild(e).innerHTML="",e.querySelectorAll("[msallowcapture^='']").length&&v.push("[*^$]="+M+"*(?:''|\"\")"),e.querySelectorAll("[selected]").length||v.push("\\["+M+"*(?:value|"+R+")"),e.querySelectorAll("[id~="+S+"-]").length||v.push("~="),(t=C.createElement("input")).setAttribute("name",""),e.appendChild(t),e.querySelectorAll("[name='']").length||v.push("\\["+M+"*name"+M+"*="+M+"*(?:''|\"\")"),e.querySelectorAll(":checked").length||v.push(":checked"),e.querySelectorAll("a#"+S+"+*").length||v.push(".#.+[+~]"),e.querySelectorAll("\\\f"),v.push("[\\r\\n\\f]")}),ce(function(e){e.innerHTML="";var t=C.createElement("input");t.setAttribute("type","hidden"),e.appendChild(t).setAttribute("name","D"),e.querySelectorAll("[name=d]").length&&v.push("name"+M+"*[*^$|!~]?="),2!==e.querySelectorAll(":enabled").length&&v.push(":enabled",":disabled"),a.appendChild(e).disabled=!0,2!==e.querySelectorAll(":disabled").length&&v.push(":enabled",":disabled"),e.querySelectorAll("*,:x"),v.push(",.*:")})),(d.matchesSelector=K.test(c=a.matches||a.webkitMatchesSelector||a.mozMatchesSelector||a.oMatchesSelector||a.msMatchesSelector))&&ce(function(e){d.disconnectedMatch=c.call(e,"*"),c.call(e,"[s!='']:x"),s.push("!=",F)}),v=v.length&&new RegExp(v.join("|")),s=s.length&&new RegExp(s.join("|")),t=K.test(a.compareDocumentPosition),y=t||K.test(a.contains)?function(e,t){var n=9===e.nodeType?e.documentElement:e,r=t&&t.parentNode;return e===r||!(!r||1!==r.nodeType||!(n.contains?n.contains(r):e.compareDocumentPosition&&16&e.compareDocumentPosition(r)))}:function(e,t){if(t)while(t=t.parentNode)if(t===e)return!0;return!1},D=t?function(e,t){if(e===t)return l=!0,0;var n=!e.compareDocumentPosition-!t.compareDocumentPosition;return n||(1&(n=(e.ownerDocument||e)==(t.ownerDocument||t)?e.compareDocumentPosition(t):1)||!d.sortDetached&&t.compareDocumentPosition(e)===n?e==C||e.ownerDocument==p&&y(p,e)?-1:t==C||t.ownerDocument==p&&y(p,t)?1:u?P(u,e)-P(u,t):0:4&n?-1:1)}:function(e,t){if(e===t)return l=!0,0;var n,r=0,i=e.parentNode,o=t.parentNode,a=[e],s=[t];if(!i||!o)return e==C?-1:t==C?1:i?-1:o?1:u?P(u,e)-P(u,t):0;if(i===o)return pe(e,t);n=e;while(n=n.parentNode)a.unshift(n);n=t;while(n=n.parentNode)s.unshift(n);while(a[r]===s[r])r++;return r?pe(a[r],s[r]):a[r]==p?-1:s[r]==p?1:0}),C},se.matches=function(e,t){return se(e,null,null,t)},se.matchesSelector=function(e,t){if(T(e),d.matchesSelector&&E&&!N[t+" "]&&(!s||!s.test(t))&&(!v||!v.test(t)))try{var n=c.call(e,t);if(n||d.disconnectedMatch||e.document&&11!==e.document.nodeType)return n}catch(e){N(t,!0)}return 0":{dir:"parentNode",first:!0}," ":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(e){return e[1]=e[1].replace(te,ne),e[3]=(e[3]||e[4]||e[5]||"").replace(te,ne),"~="===e[2]&&(e[3]=" "+e[3]+" "),e.slice(0,4)},CHILD:function(e){return e[1]=e[1].toLowerCase(),"nth"===e[1].slice(0,3)?(e[3]||se.error(e[0]),e[4]=+(e[4]?e[5]+(e[6]||1):2*("even"===e[3]||"odd"===e[3])),e[5]=+(e[7]+e[8]||"odd"===e[3])):e[3]&&se.error(e[0]),e},PSEUDO:function(e){var t,n=!e[6]&&e[2];return G.CHILD.test(e[0])?null:(e[3]?e[2]=e[4]||e[5]||"":n&&X.test(n)&&(t=h(n,!0))&&(t=n.indexOf(")",n.length-t)-n.length)&&(e[0]=e[0].slice(0,t),e[2]=n.slice(0,t)),e.slice(0,3))}},filter:{TAG:function(e){var t=e.replace(te,ne).toLowerCase();return"*"===e?function(){return!0}:function(e){return e.nodeName&&e.nodeName.toLowerCase()===t}},CLASS:function(e){var t=m[e+" "];return t||(t=new RegExp("(^|"+M+")"+e+"("+M+"|$)"))&&m(e,function(e){return t.test("string"==typeof e.className&&e.className||"undefined"!=typeof e.getAttribute&&e.getAttribute("class")||"")})},ATTR:function(n,r,i){return function(e){var t=se.attr(e,n);return null==t?"!="===r:!r||(t+="","="===r?t===i:"!="===r?t!==i:"^="===r?i&&0===t.indexOf(i):"*="===r?i&&-1:\x20\t\r\n\f]*)[\x20\t\r\n\f]*\/?>(?:<\/\1>|)$/i;function D(e,n,r){return m(n)?S.grep(e,function(e,t){return!!n.call(e,t,e)!==r}):n.nodeType?S.grep(e,function(e){return e===n!==r}):"string"!=typeof n?S.grep(e,function(e){return-1)[^>]*|#([\w-]+))$/;(S.fn.init=function(e,t,n){var r,i;if(!e)return this;if(n=n||j,"string"==typeof e){if(!(r="<"===e[0]&&">"===e[e.length-1]&&3<=e.length?[null,e,null]:q.exec(e))||!r[1]&&t)return!t||t.jquery?(t||n).find(e):this.constructor(t).find(e);if(r[1]){if(t=t instanceof S?t[0]:t,S.merge(this,S.parseHTML(r[1],t&&t.nodeType?t.ownerDocument||t:E,!0)),N.test(r[1])&&S.isPlainObject(t))for(r in t)m(this[r])?this[r](t[r]):this.attr(r,t[r]);return this}return(i=E.getElementById(r[2]))&&(this[0]=i,this.length=1),this}return e.nodeType?(this[0]=e,this.length=1,this):m(e)?void 0!==n.ready?n.ready(e):e(S):S.makeArray(e,this)}).prototype=S.fn,j=S(E);var L=/^(?:parents|prev(?:Until|All))/,H={children:!0,contents:!0,next:!0,prev:!0};function O(e,t){while((e=e[t])&&1!==e.nodeType);return e}S.fn.extend({has:function(e){var t=S(e,this),n=t.length;return this.filter(function(){for(var e=0;e\x20\t\r\n\f]*)/i,he=/^$|^module$|\/(?:java|ecma)script/i;ce=E.createDocumentFragment().appendChild(E.createElement("div")),(fe=E.createElement("input")).setAttribute("type","radio"),fe.setAttribute("checked","checked"),fe.setAttribute("name","t"),ce.appendChild(fe),y.checkClone=ce.cloneNode(!0).cloneNode(!0).lastChild.checked,ce.innerHTML="",y.noCloneChecked=!!ce.cloneNode(!0).lastChild.defaultValue,ce.innerHTML="",y.option=!!ce.lastChild;var ge={thead:[1,"","
"],col:[2,"","
"],tr:[2,"","
"],td:[3,"","
"],_default:[0,"",""]};function ve(e,t){var n;return n="undefined"!=typeof e.getElementsByTagName?e.getElementsByTagName(t||"*"):"undefined"!=typeof e.querySelectorAll?e.querySelectorAll(t||"*"):[],void 0===t||t&&A(e,t)?S.merge([e],n):n}function ye(e,t){for(var n=0,r=e.length;n",""]);var me=/<|&#?\w+;/;function xe(e,t,n,r,i){for(var o,a,s,u,l,c,f=t.createDocumentFragment(),p=[],d=0,h=e.length;d\s*$/g;function qe(e,t){return A(e,"table")&&A(11!==t.nodeType?t:t.firstChild,"tr")&&S(e).children("tbody")[0]||e}function Le(e){return e.type=(null!==e.getAttribute("type"))+"/"+e.type,e}function He(e){return"true/"===(e.type||"").slice(0,5)?e.type=e.type.slice(5):e.removeAttribute("type"),e}function Oe(e,t){var n,r,i,o,a,s;if(1===t.nodeType){if(Y.hasData(e)&&(s=Y.get(e).events))for(i in Y.remove(t,"handle events"),s)for(n=0,r=s[i].length;n").attr(n.scriptAttrs||{}).prop({charset:n.scriptCharset,src:n.url}).on("load error",i=function(e){r.remove(),i=null,e&&t("error"===e.type?404:200,e.type)}),E.head.appendChild(r[0])},abort:function(){i&&i()}}});var Ut,Xt=[],Vt=/(=)\?(?=&|$)|\?\?/;S.ajaxSetup({jsonp:"callback",jsonpCallback:function(){var e=Xt.pop()||S.expando+"_"+Ct.guid++;return this[e]=!0,e}}),S.ajaxPrefilter("json jsonp",function(e,t,n){var r,i,o,a=!1!==e.jsonp&&(Vt.test(e.url)?"url":"string"==typeof e.data&&0===(e.contentType||"").indexOf("application/x-www-form-urlencoded")&&Vt.test(e.data)&&"data");if(a||"jsonp"===e.dataTypes[0])return r=e.jsonpCallback=m(e.jsonpCallback)?e.jsonpCallback():e.jsonpCallback,a?e[a]=e[a].replace(Vt,"$1"+r):!1!==e.jsonp&&(e.url+=(Et.test(e.url)?"&":"?")+e.jsonp+"="+r),e.converters["script json"]=function(){return o||S.error(r+" was not called"),o[0]},e.dataTypes[0]="json",i=C[r],C[r]=function(){o=arguments},n.always(function(){void 0===i?S(C).removeProp(r):C[r]=i,e[r]&&(e.jsonpCallback=t.jsonpCallback,Xt.push(r)),o&&m(i)&&i(o[0]),o=i=void 0}),"script"}),y.createHTMLDocument=((Ut=E.implementation.createHTMLDocument("").body).innerHTML="
",2===Ut.childNodes.length),S.parseHTML=function(e,t,n){return"string"!=typeof e?[]:("boolean"==typeof t&&(n=t,t=!1),t||(y.createHTMLDocument?((r=(t=E.implementation.createHTMLDocument("")).createElement("base")).href=E.location.href,t.head.appendChild(r)):t=E),o=!n&&[],(i=N.exec(e))?[t.createElement(i[1])]:(i=xe([e],t,o),o&&o.length&&S(o).remove(),S.merge([],i.childNodes)));var r,i,o},S.fn.load=function(e,t,n){var r,i,o,a=this,s=e.indexOf(" ");return-1").append(S.parseHTML(e)).find(r):e)}).always(n&&function(e,t){a.each(function(){n.apply(this,o||[e.responseText,t,e])})}),this},S.expr.pseudos.animated=function(t){return S.grep(S.timers,function(e){return t===e.elem}).length},S.offset={setOffset:function(e,t,n){var r,i,o,a,s,u,l=S.css(e,"position"),c=S(e),f={};"static"===l&&(e.style.position="relative"),s=c.offset(),o=S.css(e,"top"),u=S.css(e,"left"),("absolute"===l||"fixed"===l)&&-1<(o+u).indexOf("auto")?(a=(r=c.position()).top,i=r.left):(a=parseFloat(o)||0,i=parseFloat(u)||0),m(t)&&(t=t.call(e,n,S.extend({},s))),null!=t.top&&(f.top=t.top-s.top+a),null!=t.left&&(f.left=t.left-s.left+i),"using"in t?t.using.call(e,f):("number"==typeof f.top&&(f.top+="px"),"number"==typeof f.left&&(f.left+="px"),c.css(f))}},S.fn.extend({offset:function(t){if(arguments.length)return void 0===t?this:this.each(function(e){S.offset.setOffset(this,t,e)});var e,n,r=this[0];return r?r.getClientRects().length?(e=r.getBoundingClientRect(),n=r.ownerDocument.defaultView,{top:e.top+n.pageYOffset,left:e.left+n.pageXOffset}):{top:0,left:0}:void 0},position:function(){if(this[0]){var e,t,n,r=this[0],i={top:0,left:0};if("fixed"===S.css(r,"position"))t=r.getBoundingClientRect();else{t=this.offset(),n=r.ownerDocument,e=r.offsetParent||n.documentElement;while(e&&(e===n.body||e===n.documentElement)&&"static"===S.css(e,"position"))e=e.parentNode;e&&e!==r&&1===e.nodeType&&((i=S(e).offset()).top+=S.css(e,"borderTopWidth",!0),i.left+=S.css(e,"borderLeftWidth",!0))}return{top:t.top-i.top-S.css(r,"marginTop",!0),left:t.left-i.left-S.css(r,"marginLeft",!0)}}},offsetParent:function(){return this.map(function(){var e=this.offsetParent;while(e&&"static"===S.css(e,"position"))e=e.offsetParent;return e||re})}}),S.each({scrollLeft:"pageXOffset",scrollTop:"pageYOffset"},function(t,i){var o="pageYOffset"===i;S.fn[t]=function(e){return $(this,function(e,t,n){var r;if(x(e)?r=e:9===e.nodeType&&(r=e.defaultView),void 0===n)return r?r[i]:e[t];r?r.scrollTo(o?r.pageXOffset:n,o?n:r.pageYOffset):e[t]=n},t,e,arguments.length)}}),S.each(["top","left"],function(e,n){S.cssHooks[n]=$e(y.pixelPosition,function(e,t){if(t)return t=Be(e,n),Me.test(t)?S(e).position()[n]+"px":t})}),S.each({Height:"height",Width:"width"},function(a,s){S.each({padding:"inner"+a,content:s,"":"outer"+a},function(r,o){S.fn[o]=function(e,t){var n=arguments.length&&(r||"boolean"!=typeof e),i=r||(!0===e||!0===t?"margin":"border");return $(this,function(e,t,n){var r;return x(e)?0===o.indexOf("outer")?e["inner"+a]:e.document.documentElement["client"+a]:9===e.nodeType?(r=e.documentElement,Math.max(e.body["scroll"+a],r["scroll"+a],e.body["offset"+a],r["offset"+a],r["client"+a])):void 0===n?S.css(e,t,i):S.style(e,t,n,i)},s,n?e:void 0,n)}})}),S.each(["ajaxStart","ajaxStop","ajaxComplete","ajaxError","ajaxSuccess","ajaxSend"],function(e,t){S.fn[t]=function(e){return this.on(t,e)}}),S.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,"**"):this.off(t,e||"**",n)},hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),S.each("blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu".split(" "),function(e,n){S.fn[n]=function(e,t){return 0)[^>]*|#([\w-]*))$/,C=/^<(\w+)\s*\/?>(?:<\/\1>|)$/,k=/^[\],:{}\s]*$/,E=/(?:^|:|,)(?:\s*\[)+/g,S=/\\(?:["\\\/bfnrt]|u[\da-fA-F]{4})/g,A=/"[^"\\\r\n]*"|true|false|null|-?(?:\d+\.|)\d+(?:[eE][+-]?\d+|)/g,j=/^-ms-/,D=/-([\da-z])/gi,L=function(e,t){return t.toUpperCase()},H=function(e){(o.addEventListener||"load"===e.type||"complete"===o.readyState)&&(q(),b.ready())},q=function(){o.addEventListener?(o.removeEventListener("DOMContentLoaded",H,!1),e.removeEventListener("load",H,!1)):(o.detachEvent("onreadystatechange",H),e.detachEvent("onload",H))};b.fn=b.prototype={jquery:p,constructor:b,init:function(e,n,r){var i,a;if(!e)return this;if("string"==typeof e){if(i="<"===e.charAt(0)&&">"===e.charAt(e.length-1)&&e.length>=3?[null,e,null]:N.exec(e),!i||!i[1]&&n)return!n||n.jquery?(n||r).find(e):this.constructor(n).find(e);if(i[1]){if(n=n instanceof b?n[0]:n,b.merge(this,b.parseHTML(i[1],n&&n.nodeType?n.ownerDocument||n:o,!0)),C.test(i[1])&&b.isPlainObject(n))for(i in n)b.isFunction(this[i])?this[i](n[i]):this.attr(i,n[i]);return this}if(a=o.getElementById(i[2]),a&&a.parentNode){if(a.id!==i[2])return r.find(e);this.length=1,this[0]=a}return this.context=o,this.selector=e,this}return e.nodeType?(this.context=this[0]=e,this.length=1,this):b.isFunction(e)?r.ready(e):(e.selector!==t&&(this.selector=e.selector,this.context=e.context),b.makeArray(e,this))},selector:"",length:0,size:function(){return this.length},toArray:function(){return h.call(this)},get:function(e){return null==e?this.toArray():0>e?this[this.length+e]:this[e]},pushStack:function(e){var t=b.merge(this.constructor(),e);return t.prevObject=this,t.context=this.context,t},each:function(e,t){return b.each(this,e,t)},ready:function(e){return b.ready.promise().done(e),this},slice:function(){return this.pushStack(h.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(0>e?t:0);return this.pushStack(n>=0&&t>n?[this[n]]:[])},map:function(e){return this.pushStack(b.map(this,function(t,n){return e.call(t,n,t)}))},end:function(){return this.prevObject||this.constructor(null)},push:d,sort:[].sort,splice:[].splice},b.fn.init.prototype=b.fn,b.extend=b.fn.extend=function(){var e,n,r,i,o,a,s=arguments[0]||{},u=1,l=arguments.length,c=!1;for("boolean"==typeof s&&(c=s,s=arguments[1]||{},u=2),"object"==typeof s||b.isFunction(s)||(s={}),l===u&&(s=this,--u);l>u;u++)if(null!=(o=arguments[u]))for(i in o)e=s[i],r=o[i],s!==r&&(c&&r&&(b.isPlainObject(r)||(n=b.isArray(r)))?(n?(n=!1,a=e&&b.isArray(e)?e:[]):a=e&&b.isPlainObject(e)?e:{},s[i]=b.extend(c,a,r)):r!==t&&(s[i]=r));return s},b.extend({noConflict:function(t){return e.$===b&&(e.$=u),t&&e.jQuery===b&&(e.jQuery=s),b},isReady:!1,readyWait:1,holdReady:function(e){e?b.readyWait++:b.ready(!0)},ready:function(e){if(e===!0?!--b.readyWait:!b.isReady){if(!o.body)return setTimeout(b.ready);b.isReady=!0,e!==!0&&--b.readyWait>0||(n.resolveWith(o,[b]),b.fn.trigger&&b(o).trigger("ready").off("ready"))}},isFunction:function(e){return"function"===b.type(e)},isArray:Array.isArray||function(e){return"array"===b.type(e)},isWindow:function(e){return null!=e&&e==e.window},isNumeric:function(e){return!isNaN(parseFloat(e))&&isFinite(e)},type:function(e){return null==e?e+"":"object"==typeof e||"function"==typeof e?l[m.call(e)]||"object":typeof e},isPlainObject:function(e){if(!e||"object"!==b.type(e)||e.nodeType||b.isWindow(e))return!1;try{if(e.constructor&&!y.call(e,"constructor")&&!y.call(e.constructor.prototype,"isPrototypeOf"))return!1}catch(n){return!1}var r;for(r in e);return r===t||y.call(e,r)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},error:function(e){throw Error(e)},parseHTML:function(e,t,n){if(!e||"string"!=typeof e)return null;"boolean"==typeof t&&(n=t,t=!1),t=t||o;var r=C.exec(e),i=!n&&[];return r?[t.createElement(r[1])]:(r=b.buildFragment([e],t,i),i&&b(i).remove(),b.merge([],r.childNodes))},parseJSON:function(n){return e.JSON&&e.JSON.parse?e.JSON.parse(n):null===n?n:"string"==typeof n&&(n=b.trim(n),n&&k.test(n.replace(S,"@").replace(A,"]").replace(E,"")))?Function("return "+n)():(b.error("Invalid JSON: "+n),t)},parseXML:function(n){var r,i;if(!n||"string"!=typeof n)return null;try{e.DOMParser?(i=new DOMParser,r=i.parseFromString(n,"text/xml")):(r=new ActiveXObject("Microsoft.XMLDOM"),r.async="false",r.loadXML(n))}catch(o){r=t}return r&&r.documentElement&&!r.getElementsByTagName("parsererror").length||b.error("Invalid XML: "+n),r},noop:function(){},globalEval:function(t){t&&b.trim(t)&&(e.execScript||function(t){e.eval.call(e,t)})(t)},camelCase:function(e){return e.replace(j,"ms-").replace(D,L)},nodeName:function(e,t){return e.nodeName&&e.nodeName.toLowerCase()===t.toLowerCase()},each:function(e,t,n){var r,i=0,o=e.length,a=M(e);if(n){if(a){for(;o>i;i++)if(r=t.apply(e[i],n),r===!1)break}else for(i in e)if(r=t.apply(e[i],n),r===!1)break}else if(a){for(;o>i;i++)if(r=t.call(e[i],i,e[i]),r===!1)break}else for(i in e)if(r=t.call(e[i],i,e[i]),r===!1)break;return e},trim:v&&!v.call("\ufeff\u00a0")?function(e){return null==e?"":v.call(e)}:function(e){return null==e?"":(e+"").replace(T,"")},makeArray:function(e,t){var n=t||[];return null!=e&&(M(Object(e))?b.merge(n,"string"==typeof e?[e]:e):d.call(n,e)),n},inArray:function(e,t,n){var r;if(t){if(g)return g.call(t,e,n);for(r=t.length,n=n?0>n?Math.max(0,r+n):n:0;r>n;n++)if(n in t&&t[n]===e)return n}return-1},merge:function(e,n){var r=n.length,i=e.length,o=0;if("number"==typeof r)for(;r>o;o++)e[i++]=n[o];else while(n[o]!==t)e[i++]=n[o++];return e.length=i,e},grep:function(e,t,n){var r,i=[],o=0,a=e.length;for(n=!!n;a>o;o++)r=!!t(e[o],o),n!==r&&i.push(e[o]);return i},map:function(e,t,n){var r,i=0,o=e.length,a=M(e),s=[];if(a)for(;o>i;i++)r=t(e[i],i,n),null!=r&&(s[s.length]=r);else for(i in e)r=t(e[i],i,n),null!=r&&(s[s.length]=r);return f.apply([],s)},guid:1,proxy:function(e,n){var r,i,o;return"string"==typeof n&&(o=e[n],n=e,e=o),b.isFunction(e)?(r=h.call(arguments,2),i=function(){return e.apply(n||this,r.concat(h.call(arguments)))},i.guid=e.guid=e.guid||b.guid++,i):t},access:function(e,n,r,i,o,a,s){var u=0,l=e.length,c=null==r;if("object"===b.type(r)){o=!0;for(u in r)b.access(e,n,u,r[u],!0,a,s)}else if(i!==t&&(o=!0,b.isFunction(i)||(s=!0),c&&(s?(n.call(e,i),n=null):(c=n,n=function(e,t,n){return c.call(b(e),n)})),n))for(;l>u;u++)n(e[u],r,s?i:i.call(e[u],u,n(e[u],r)));return o?e:c?n.call(e):l?n(e[0],r):a},now:function(){return(new Date).getTime()}}),b.ready.promise=function(t){if(!n)if(n=b.Deferred(),"complete"===o.readyState)setTimeout(b.ready);else if(o.addEventListener)o.addEventListener("DOMContentLoaded",H,!1),e.addEventListener("load",H,!1);else{o.attachEvent("onreadystatechange",H),e.attachEvent("onload",H);var r=!1;try{r=null==e.frameElement&&o.documentElement}catch(i){}r&&r.doScroll&&function a(){if(!b.isReady){try{r.doScroll("left")}catch(e){return setTimeout(a,50)}q(),b.ready()}}()}return n.promise(t)},b.each("Boolean Number String Function Array Date RegExp Object Error".split(" "),function(e,t){l["[object "+t+"]"]=t.toLowerCase()});function M(e){var t=e.length,n=b.type(e);return b.isWindow(e)?!1:1===e.nodeType&&t?!0:"array"===n||"function"!==n&&(0===t||"number"==typeof t&&t>0&&t-1 in e)}r=b(o);var _={};function F(e){var t=_[e]={};return b.each(e.match(w)||[],function(e,n){t[n]=!0}),t}b.Callbacks=function(e){e="string"==typeof e?_[e]||F(e):b.extend({},e);var n,r,i,o,a,s,u=[],l=!e.once&&[],c=function(t){for(r=e.memory&&t,i=!0,a=s||0,s=0,o=u.length,n=!0;u&&o>a;a++)if(u[a].apply(t[0],t[1])===!1&&e.stopOnFalse){r=!1;break}n=!1,u&&(l?l.length&&c(l.shift()):r?u=[]:p.disable())},p={add:function(){if(u){var t=u.length;(function i(t){b.each(t,function(t,n){var r=b.type(n);"function"===r?e.unique&&p.has(n)||u.push(n):n&&n.length&&"string"!==r&&i(n)})})(arguments),n?o=u.length:r&&(s=t,c(r))}return this},remove:function(){return u&&b.each(arguments,function(e,t){var r;while((r=b.inArray(t,u,r))>-1)u.splice(r,1),n&&(o>=r&&o--,a>=r&&a--)}),this},has:function(e){return e?b.inArray(e,u)>-1:!(!u||!u.length)},empty:function(){return u=[],this},disable:function(){return u=l=r=t,this},disabled:function(){return!u},lock:function(){return l=t,r||p.disable(),this},locked:function(){return!l},fireWith:function(e,t){return t=t||[],t=[e,t.slice?t.slice():t],!u||i&&!l||(n?l.push(t):c(t)),this},fire:function(){return p.fireWith(this,arguments),this},fired:function(){return!!i}};return p},b.extend({Deferred:function(e){var t=[["resolve","done",b.Callbacks("once memory"),"resolved"],["reject","fail",b.Callbacks("once memory"),"rejected"],["notify","progress",b.Callbacks("memory")]],n="pending",r={state:function(){return n},always:function(){return i.done(arguments).fail(arguments),this},then:function(){var e=arguments;return b.Deferred(function(n){b.each(t,function(t,o){var a=o[0],s=b.isFunction(e[t])&&e[t];i[o[1]](function(){var e=s&&s.apply(this,arguments);e&&b.isFunction(e.promise)?e.promise().done(n.resolve).fail(n.reject).progress(n.notify):n[a+"With"](this===r?n.promise():this,s?[e]:arguments)})}),e=null}).promise()},promise:function(e){return null!=e?b.extend(e,r):r}},i={};return r.pipe=r.then,b.each(t,function(e,o){var a=o[2],s=o[3];r[o[1]]=a.add,s&&a.add(function(){n=s},t[1^e][2].disable,t[2][2].lock),i[o[0]]=function(){return i[o[0]+"With"](this===i?r:this,arguments),this},i[o[0]+"With"]=a.fireWith}),r.promise(i),e&&e.call(i,i),i},when:function(e){var t=0,n=h.call(arguments),r=n.length,i=1!==r||e&&b.isFunction(e.promise)?r:0,o=1===i?e:b.Deferred(),a=function(e,t,n){return function(r){t[e]=this,n[e]=arguments.length>1?h.call(arguments):r,n===s?o.notifyWith(t,n):--i||o.resolveWith(t,n)}},s,u,l;if(r>1)for(s=Array(r),u=Array(r),l=Array(r);r>t;t++)n[t]&&b.isFunction(n[t].promise)?n[t].promise().done(a(t,l,n)).fail(o.reject).progress(a(t,u,s)):--i;return i||o.resolveWith(l,n),o.promise()}}),b.support=function(){var t,n,r,a,s,u,l,c,p,f,d=o.createElement("div");if(d.setAttribute("className","t"),d.innerHTML="
a",n=d.getElementsByTagName("*"),r=d.getElementsByTagName("a")[0],!n||!r||!n.length)return{};s=o.createElement("select"),l=s.appendChild(o.createElement("option")),a=d.getElementsByTagName("input")[0],r.style.cssText="top:1px;float:left;opacity:.5",t={getSetAttribute:"t"!==d.className,leadingWhitespace:3===d.firstChild.nodeType,tbody:!d.getElementsByTagName("tbody").length,htmlSerialize:!!d.getElementsByTagName("link").length,style:/top/.test(r.getAttribute("style")),hrefNormalized:"/a"===r.getAttribute("href"),opacity:/^0.5/.test(r.style.opacity),cssFloat:!!r.style.cssFloat,checkOn:!!a.value,optSelected:l.selected,enctype:!!o.createElement("form").enctype,html5Clone:"<:nav>"!==o.createElement("nav").cloneNode(!0).outerHTML,boxModel:"CSS1Compat"===o.compatMode,deleteExpando:!0,noCloneEvent:!0,inlineBlockNeedsLayout:!1,shrinkWrapBlocks:!1,reliableMarginRight:!0,boxSizingReliable:!0,pixelPosition:!1},a.checked=!0,t.noCloneChecked=a.cloneNode(!0).checked,s.disabled=!0,t.optDisabled=!l.disabled;try{delete d.test}catch(h){t.deleteExpando=!1}a=o.createElement("input"),a.setAttribute("value",""),t.input=""===a.getAttribute("value"),a.value="t",a.setAttribute("type","radio"),t.radioValue="t"===a.value,a.setAttribute("checked","t"),a.setAttribute("name","t"),u=o.createDocumentFragment(),u.appendChild(a),t.appendChecked=a.checked,t.checkClone=u.cloneNode(!0).cloneNode(!0).lastChild.checked,d.attachEvent&&(d.attachEvent("onclick",function(){t.noCloneEvent=!1}),d.cloneNode(!0).click());for(f in{submit:!0,change:!0,focusin:!0})d.setAttribute(c="on"+f,"t"),t[f+"Bubbles"]=c in e||d.attributes[c].expando===!1;return d.style.backgroundClip="content-box",d.cloneNode(!0).style.backgroundClip="",t.clearCloneStyle="content-box"===d.style.backgroundClip,b(function(){var n,r,a,s="padding:0;margin:0;border:0;display:block;box-sizing:content-box;-moz-box-sizing:content-box;-webkit-box-sizing:content-box;",u=o.getElementsByTagName("body")[0];u&&(n=o.createElement("div"),n.style.cssText="border:0;width:0;height:0;position:absolute;top:0;left:-9999px;margin-top:1px",u.appendChild(n).appendChild(d),d.innerHTML="
t
",a=d.getElementsByTagName("td"),a[0].style.cssText="padding:0;margin:0;border:0;display:none",p=0===a[0].offsetHeight,a[0].style.display="",a[1].style.display="none",t.reliableHiddenOffsets=p&&0===a[0].offsetHeight,d.innerHTML="",d.style.cssText="box-sizing:border-box;-moz-box-sizing:border-box;-webkit-box-sizing:border-box;padding:1px;border:1px;display:block;width:4px;margin-top:1%;position:absolute;top:1%;",t.boxSizing=4===d.offsetWidth,t.doesNotIncludeMarginInBodyOffset=1!==u.offsetTop,e.getComputedStyle&&(t.pixelPosition="1%"!==(e.getComputedStyle(d,null)||{}).top,t.boxSizingReliable="4px"===(e.getComputedStyle(d,null)||{width:"4px"}).width,r=d.appendChild(o.createElement("div")),r.style.cssText=d.style.cssText=s,r.style.marginRight=r.style.width="0",d.style.width="1px",t.reliableMarginRight=!parseFloat((e.getComputedStyle(r,null)||{}).marginRight)),typeof d.style.zoom!==i&&(d.innerHTML="",d.style.cssText=s+"width:1px;padding:1px;display:inline;zoom:1",t.inlineBlockNeedsLayout=3===d.offsetWidth,d.style.display="block",d.innerHTML="
",d.firstChild.style.width="5px",t.shrinkWrapBlocks=3!==d.offsetWidth,t.inlineBlockNeedsLayout&&(u.style.zoom=1)),u.removeChild(n),n=d=a=r=null)}),n=s=u=l=r=a=null,t}();var O=/(?:\{[\s\S]*\}|\[[\s\S]*\])$/,B=/([A-Z])/g;function P(e,n,r,i){if(b.acceptData(e)){var o,a,s=b.expando,u="string"==typeof n,l=e.nodeType,p=l?b.cache:e,f=l?e[s]:e[s]&&s;if(f&&p[f]&&(i||p[f].data)||!u||r!==t)return f||(l?e[s]=f=c.pop()||b.guid++:f=s),p[f]||(p[f]={},l||(p[f].toJSON=b.noop)),("object"==typeof n||"function"==typeof n)&&(i?p[f]=b.extend(p[f],n):p[f].data=b.extend(p[f].data,n)),o=p[f],i||(o.data||(o.data={}),o=o.data),r!==t&&(o[b.camelCase(n)]=r),u?(a=o[n],null==a&&(a=o[b.camelCase(n)])):a=o,a}}function R(e,t,n){if(b.acceptData(e)){var r,i,o,a=e.nodeType,s=a?b.cache:e,u=a?e[b.expando]:b.expando;if(s[u]){if(t&&(o=n?s[u]:s[u].data)){b.isArray(t)?t=t.concat(b.map(t,b.camelCase)):t in o?t=[t]:(t=b.camelCase(t),t=t in o?[t]:t.split(" "));for(r=0,i=t.length;i>r;r++)delete o[t[r]];if(!(n?$:b.isEmptyObject)(o))return}(n||(delete s[u].data,$(s[u])))&&(a?b.cleanData([e],!0):b.support.deleteExpando||s!=s.window?delete s[u]:s[u]=null)}}}b.extend({cache:{},expando:"jQuery"+(p+Math.random()).replace(/\D/g,""),noData:{embed:!0,object:"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000",applet:!0},hasData:function(e){return e=e.nodeType?b.cache[e[b.expando]]:e[b.expando],!!e&&!$(e)},data:function(e,t,n){return P(e,t,n)},removeData:function(e,t){return R(e,t)},_data:function(e,t,n){return P(e,t,n,!0)},_removeData:function(e,t){return R(e,t,!0)},acceptData:function(e){if(e.nodeType&&1!==e.nodeType&&9!==e.nodeType)return!1;var t=e.nodeName&&b.noData[e.nodeName.toLowerCase()];return!t||t!==!0&&e.getAttribute("classid")===t}}),b.fn.extend({data:function(e,n){var r,i,o=this[0],a=0,s=null;if(e===t){if(this.length&&(s=b.data(o),1===o.nodeType&&!b._data(o,"parsedAttrs"))){for(r=o.attributes;r.length>a;a++)i=r[a].name,i.indexOf("data-")||(i=b.camelCase(i.slice(5)),W(o,i,s[i]));b._data(o,"parsedAttrs",!0)}return s}return"object"==typeof e?this.each(function(){b.data(this,e)}):b.access(this,function(n){return n===t?o?W(o,e,b.data(o,e)):null:(this.each(function(){b.data(this,e,n)}),t)},null,n,arguments.length>1,null,!0)},removeData:function(e){return this.each(function(){b.removeData(this,e)})}});function W(e,n,r){if(r===t&&1===e.nodeType){var i="data-"+n.replace(B,"-$1").toLowerCase();if(r=e.getAttribute(i),"string"==typeof r){try{r="true"===r?!0:"false"===r?!1:"null"===r?null:+r+""===r?+r:O.test(r)?b.parseJSON(r):r}catch(o){}b.data(e,n,r)}else r=t}return r}function $(e){var t;for(t in e)if(("data"!==t||!b.isEmptyObject(e[t]))&&"toJSON"!==t)return!1;return!0}b.extend({queue:function(e,n,r){var i;return e?(n=(n||"fx")+"queue",i=b._data(e,n),r&&(!i||b.isArray(r)?i=b._data(e,n,b.makeArray(r)):i.push(r)),i||[]):t},dequeue:function(e,t){t=t||"fx";var n=b.queue(e,t),r=n.length,i=n.shift(),o=b._queueHooks(e,t),a=function(){b.dequeue(e,t)};"inprogress"===i&&(i=n.shift(),r--),o.cur=i,i&&("fx"===t&&n.unshift("inprogress"),delete o.stop,i.call(e,a,o)),!r&&o&&o.empty.fire()},_queueHooks:function(e,t){var n=t+"queueHooks";return b._data(e,n)||b._data(e,n,{empty:b.Callbacks("once memory").add(function(){b._removeData(e,t+"queue"),b._removeData(e,n)})})}}),b.fn.extend({queue:function(e,n){var r=2;return"string"!=typeof e&&(n=e,e="fx",r--),r>arguments.length?b.queue(this[0],e):n===t?this:this.each(function(){var t=b.queue(this,e,n);b._queueHooks(this,e),"fx"===e&&"inprogress"!==t[0]&&b.dequeue(this,e)})},dequeue:function(e){return this.each(function(){b.dequeue(this,e)})},delay:function(e,t){return e=b.fx?b.fx.speeds[e]||e:e,t=t||"fx",this.queue(t,function(t,n){var r=setTimeout(t,e);n.stop=function(){clearTimeout(r)}})},clearQueue:function(e){return this.queue(e||"fx",[])},promise:function(e,n){var r,i=1,o=b.Deferred(),a=this,s=this.length,u=function(){--i||o.resolveWith(a,[a])};"string"!=typeof e&&(n=e,e=t),e=e||"fx";while(s--)r=b._data(a[s],e+"queueHooks"),r&&r.empty&&(i++,r.empty.add(u));return u(),o.promise(n)}});var I,z,X=/[\t\r\n]/g,U=/\r/g,V=/^(?:input|select|textarea|button|object)$/i,Y=/^(?:a|area)$/i,J=/^(?:checked|selected|autofocus|autoplay|async|controls|defer|disabled|hidden|loop|multiple|open|readonly|required|scoped)$/i,G=/^(?:checked|selected)$/i,Q=b.support.getSetAttribute,K=b.support.input;b.fn.extend({attr:function(e,t){return b.access(this,b.attr,e,t,arguments.length>1)},removeAttr:function(e){return this.each(function(){b.removeAttr(this,e)})},prop:function(e,t){return b.access(this,b.prop,e,t,arguments.length>1)},removeProp:function(e){return e=b.propFix[e]||e,this.each(function(){try{this[e]=t,delete this[e]}catch(n){}})},addClass:function(e){var t,n,r,i,o,a=0,s=this.length,u="string"==typeof e&&e;if(b.isFunction(e))return this.each(function(t){b(this).addClass(e.call(this,t,this.className))});if(u)for(t=(e||"").match(w)||[];s>a;a++)if(n=this[a],r=1===n.nodeType&&(n.className?(" "+n.className+" ").replace(X," "):" ")){o=0;while(i=t[o++])0>r.indexOf(" "+i+" ")&&(r+=i+" ");n.className=b.trim(r)}return this},removeClass:function(e){var t,n,r,i,o,a=0,s=this.length,u=0===arguments.length||"string"==typeof e&&e;if(b.isFunction(e))return this.each(function(t){b(this).removeClass(e.call(this,t,this.className))});if(u)for(t=(e||"").match(w)||[];s>a;a++)if(n=this[a],r=1===n.nodeType&&(n.className?(" "+n.className+" ").replace(X," "):"")){o=0;while(i=t[o++])while(r.indexOf(" "+i+" ")>=0)r=r.replace(" "+i+" "," ");n.className=e?b.trim(r):""}return this},toggleClass:function(e,t){var n=typeof e,r="boolean"==typeof t;return b.isFunction(e)?this.each(function(n){b(this).toggleClass(e.call(this,n,this.className,t),t)}):this.each(function(){if("string"===n){var o,a=0,s=b(this),u=t,l=e.match(w)||[];while(o=l[a++])u=r?u:!s.hasClass(o),s[u?"addClass":"removeClass"](o)}else(n===i||"boolean"===n)&&(this.className&&b._data(this,"__className__",this.className),this.className=this.className||e===!1?"":b._data(this,"__className__")||"")})},hasClass:function(e){var t=" "+e+" ",n=0,r=this.length;for(;r>n;n++)if(1===this[n].nodeType&&(" "+this[n].className+" ").replace(X," ").indexOf(t)>=0)return!0;return!1},val:function(e){var n,r,i,o=this[0];{if(arguments.length)return i=b.isFunction(e),this.each(function(n){var o,a=b(this);1===this.nodeType&&(o=i?e.call(this,n,a.val()):e,null==o?o="":"number"==typeof o?o+="":b.isArray(o)&&(o=b.map(o,function(e){return null==e?"":e+""})),r=b.valHooks[this.type]||b.valHooks[this.nodeName.toLowerCase()],r&&"set"in r&&r.set(this,o,"value")!==t||(this.value=o))});if(o)return r=b.valHooks[o.type]||b.valHooks[o.nodeName.toLowerCase()],r&&"get"in r&&(n=r.get(o,"value"))!==t?n:(n=o.value,"string"==typeof n?n.replace(U,""):null==n?"":n)}}}),b.extend({valHooks:{option:{get:function(e){var t=e.attributes.value;return!t||t.specified?e.value:e.text}},select:{get:function(e){var t,n,r=e.options,i=e.selectedIndex,o="select-one"===e.type||0>i,a=o?null:[],s=o?i+1:r.length,u=0>i?s:o?i:0;for(;s>u;u++)if(n=r[u],!(!n.selected&&u!==i||(b.support.optDisabled?n.disabled:null!==n.getAttribute("disabled"))||n.parentNode.disabled&&b.nodeName(n.parentNode,"optgroup"))){if(t=b(n).val(),o)return t;a.push(t)}return a},set:function(e,t){var n=b.makeArray(t);return b(e).find("option").each(function(){this.selected=b.inArray(b(this).val(),n)>=0}),n.length||(e.selectedIndex=-1),n}}},attr:function(e,n,r){var o,a,s,u=e.nodeType;if(e&&3!==u&&8!==u&&2!==u)return typeof e.getAttribute===i?b.prop(e,n,r):(a=1!==u||!b.isXMLDoc(e),a&&(n=n.toLowerCase(),o=b.attrHooks[n]||(J.test(n)?z:I)),r===t?o&&a&&"get"in o&&null!==(s=o.get(e,n))?s:(typeof e.getAttribute!==i&&(s=e.getAttribute(n)),null==s?t:s):null!==r?o&&a&&"set"in o&&(s=o.set(e,r,n))!==t?s:(e.setAttribute(n,r+""),r):(b.removeAttr(e,n),t))},removeAttr:function(e,t){var n,r,i=0,o=t&&t.match(w);if(o&&1===e.nodeType)while(n=o[i++])r=b.propFix[n]||n,J.test(n)?!Q&&G.test(n)?e[b.camelCase("default-"+n)]=e[r]=!1:e[r]=!1:b.attr(e,n,""),e.removeAttribute(Q?n:r)},attrHooks:{type:{set:function(e,t){if(!b.support.radioValue&&"radio"===t&&b.nodeName(e,"input")){var n=e.value;return e.setAttribute("type",t),n&&(e.value=n),t}}}},propFix:{tabindex:"tabIndex",readonly:"readOnly","for":"htmlFor","class":"className",maxlength:"maxLength",cellspacing:"cellSpacing",cellpadding:"cellPadding",rowspan:"rowSpan",colspan:"colSpan",usemap:"useMap",frameborder:"frameBorder",contenteditable:"contentEditable"},prop:function(e,n,r){var i,o,a,s=e.nodeType;if(e&&3!==s&&8!==s&&2!==s)return a=1!==s||!b.isXMLDoc(e),a&&(n=b.propFix[n]||n,o=b.propHooks[n]),r!==t?o&&"set"in o&&(i=o.set(e,r,n))!==t?i:e[n]=r:o&&"get"in o&&null!==(i=o.get(e,n))?i:e[n]},propHooks:{tabIndex:{get:function(e){var n=e.getAttributeNode("tabindex");return n&&n.specified?parseInt(n.value,10):V.test(e.nodeName)||Y.test(e.nodeName)&&e.href?0:t}}}}),z={get:function(e,n){var r=b.prop(e,n),i="boolean"==typeof r&&e.getAttribute(n),o="boolean"==typeof r?K&&Q?null!=i:G.test(n)?e[b.camelCase("default-"+n)]:!!i:e.getAttributeNode(n);return o&&o.value!==!1?n.toLowerCase():t},set:function(e,t,n){return t===!1?b.removeAttr(e,n):K&&Q||!G.test(n)?e.setAttribute(!Q&&b.propFix[n]||n,n):e[b.camelCase("default-"+n)]=e[n]=!0,n}},K&&Q||(b.attrHooks.value={get:function(e,n){var r=e.getAttributeNode(n);return b.nodeName(e,"input")?e.defaultValue:r&&r.specified?r.value:t},set:function(e,n,r){return b.nodeName(e,"input")?(e.defaultValue=n,t):I&&I.set(e,n,r)}}),Q||(I=b.valHooks.button={get:function(e,n){var r=e.getAttributeNode(n);return r&&("id"===n||"name"===n||"coords"===n?""!==r.value:r.specified)?r.value:t},set:function(e,n,r){var i=e.getAttributeNode(r);return i||e.setAttributeNode(i=e.ownerDocument.createAttribute(r)),i.value=n+="","value"===r||n===e.getAttribute(r)?n:t}},b.attrHooks.contenteditable={get:I.get,set:function(e,t,n){I.set(e,""===t?!1:t,n)}},b.each(["width","height"],function(e,n){b.attrHooks[n]=b.extend(b.attrHooks[n],{set:function(e,r){return""===r?(e.setAttribute(n,"auto"),r):t}})})),b.support.hrefNormalized||(b.each(["href","src","width","height"],function(e,n){b.attrHooks[n]=b.extend(b.attrHooks[n],{get:function(e){var r=e.getAttribute(n,2);return null==r?t:r}})}),b.each(["href","src"],function(e,t){b.propHooks[t]={get:function(e){return e.getAttribute(t,4)}}})),b.support.style||(b.attrHooks.style={get:function(e){return e.style.cssText||t},set:function(e,t){return e.style.cssText=t+""}}),b.support.optSelected||(b.propHooks.selected=b.extend(b.propHooks.selected,{get:function(e){var t=e.parentNode;return t&&(t.selectedIndex,t.parentNode&&t.parentNode.selectedIndex),null}})),b.support.enctype||(b.propFix.enctype="encoding"),b.support.checkOn||b.each(["radio","checkbox"],function(){b.valHooks[this]={get:function(e){return null===e.getAttribute("value")?"on":e.value}}}),b.each(["radio","checkbox"],function(){b.valHooks[this]=b.extend(b.valHooks[this],{set:function(e,n){return b.isArray(n)?e.checked=b.inArray(b(e).val(),n)>=0:t}})});var Z=/^(?:input|select|textarea)$/i,et=/^key/,tt=/^(?:mouse|contextmenu)|click/,nt=/^(?:focusinfocus|focusoutblur)$/,rt=/^([^.]*)(?:\.(.+)|)$/;function it(){return!0}function ot(){return!1}b.event={global:{},add:function(e,n,r,o,a){var s,u,l,c,p,f,d,h,g,m,y,v=b._data(e);if(v){r.handler&&(c=r,r=c.handler,a=c.selector),r.guid||(r.guid=b.guid++),(u=v.events)||(u=v.events={}),(f=v.handle)||(f=v.handle=function(e){return typeof b===i||e&&b.event.triggered===e.type?t:b.event.dispatch.apply(f.elem,arguments)},f.elem=e),n=(n||"").match(w)||[""],l=n.length;while(l--)s=rt.exec(n[l])||[],g=y=s[1],m=(s[2]||"").split(".").sort(),p=b.event.special[g]||{},g=(a?p.delegateType:p.bindType)||g,p=b.event.special[g]||{},d=b.extend({type:g,origType:y,data:o,handler:r,guid:r.guid,selector:a,needsContext:a&&b.expr.match.needsContext.test(a),namespace:m.join(".")},c),(h=u[g])||(h=u[g]=[],h.delegateCount=0,p.setup&&p.setup.call(e,o,m,f)!==!1||(e.addEventListener?e.addEventListener(g,f,!1):e.attachEvent&&e.attachEvent("on"+g,f))),p.add&&(p.add.call(e,d),d.handler.guid||(d.handler.guid=r.guid)),a?h.splice(h.delegateCount++,0,d):h.push(d),b.event.global[g]=!0;e=null}},remove:function(e,t,n,r,i){var o,a,s,u,l,c,p,f,d,h,g,m=b.hasData(e)&&b._data(e);if(m&&(c=m.events)){t=(t||"").match(w)||[""],l=t.length;while(l--)if(s=rt.exec(t[l])||[],d=g=s[1],h=(s[2]||"").split(".").sort(),d){p=b.event.special[d]||{},d=(r?p.delegateType:p.bindType)||d,f=c[d]||[],s=s[2]&&RegExp("(^|\\.)"+h.join("\\.(?:.*\\.|)")+"(\\.|$)"),u=o=f.length;while(o--)a=f[o],!i&&g!==a.origType||n&&n.guid!==a.guid||s&&!s.test(a.namespace)||r&&r!==a.selector&&("**"!==r||!a.selector)||(f.splice(o,1),a.selector&&f.delegateCount--,p.remove&&p.remove.call(e,a));u&&!f.length&&(p.teardown&&p.teardown.call(e,h,m.handle)!==!1||b.removeEvent(e,d,m.handle),delete c[d])}else for(d in c)b.event.remove(e,d+t[l],n,r,!0);b.isEmptyObject(c)&&(delete m.handle,b._removeData(e,"events"))}},trigger:function(n,r,i,a){var s,u,l,c,p,f,d,h=[i||o],g=y.call(n,"type")?n.type:n,m=y.call(n,"namespace")?n.namespace.split("."):[];if(l=f=i=i||o,3!==i.nodeType&&8!==i.nodeType&&!nt.test(g+b.event.triggered)&&(g.indexOf(".")>=0&&(m=g.split("."),g=m.shift(),m.sort()),u=0>g.indexOf(":")&&"on"+g,n=n[b.expando]?n:new b.Event(g,"object"==typeof n&&n),n.isTrigger=!0,n.namespace=m.join("."),n.namespace_re=n.namespace?RegExp("(^|\\.)"+m.join("\\.(?:.*\\.|)")+"(\\.|$)"):null,n.result=t,n.target||(n.target=i),r=null==r?[n]:b.makeArray(r,[n]),p=b.event.special[g]||{},a||!p.trigger||p.trigger.apply(i,r)!==!1)){if(!a&&!p.noBubble&&!b.isWindow(i)){for(c=p.delegateType||g,nt.test(c+g)||(l=l.parentNode);l;l=l.parentNode)h.push(l),f=l;f===(i.ownerDocument||o)&&h.push(f.defaultView||f.parentWindow||e)}d=0;while((l=h[d++])&&!n.isPropagationStopped())n.type=d>1?c:p.bindType||g,s=(b._data(l,"events")||{})[n.type]&&b._data(l,"handle"),s&&s.apply(l,r),s=u&&l[u],s&&b.acceptData(l)&&s.apply&&s.apply(l,r)===!1&&n.preventDefault();if(n.type=g,!(a||n.isDefaultPrevented()||p._default&&p._default.apply(i.ownerDocument,r)!==!1||"click"===g&&b.nodeName(i,"a")||!b.acceptData(i)||!u||!i[g]||b.isWindow(i))){f=i[u],f&&(i[u]=null),b.event.triggered=g;try{i[g]()}catch(v){}b.event.triggered=t,f&&(i[u]=f)}return n.result}},dispatch:function(e){e=b.event.fix(e);var n,r,i,o,a,s=[],u=h.call(arguments),l=(b._data(this,"events")||{})[e.type]||[],c=b.event.special[e.type]||{};if(u[0]=e,e.delegateTarget=this,!c.preDispatch||c.preDispatch.call(this,e)!==!1){s=b.event.handlers.call(this,e,l),n=0;while((o=s[n++])&&!e.isPropagationStopped()){e.currentTarget=o.elem,a=0;while((i=o.handlers[a++])&&!e.isImmediatePropagationStopped())(!e.namespace_re||e.namespace_re.test(i.namespace))&&(e.handleObj=i,e.data=i.data,r=((b.event.special[i.origType]||{}).handle||i.handler).apply(o.elem,u),r!==t&&(e.result=r)===!1&&(e.preventDefault(),e.stopPropagation()))}return c.postDispatch&&c.postDispatch.call(this,e),e.result}},handlers:function(e,n){var r,i,o,a,s=[],u=n.delegateCount,l=e.target;if(u&&l.nodeType&&(!e.button||"click"!==e.type))for(;l!=this;l=l.parentNode||this)if(1===l.nodeType&&(l.disabled!==!0||"click"!==e.type)){for(o=[],a=0;u>a;a++)i=n[a],r=i.selector+" ",o[r]===t&&(o[r]=i.needsContext?b(r,this).index(l)>=0:b.find(r,this,null,[l]).length),o[r]&&o.push(i);o.length&&s.push({elem:l,handlers:o})}return n.length>u&&s.push({elem:this,handlers:n.slice(u)}),s},fix:function(e){if(e[b.expando])return e;var t,n,r,i=e.type,a=e,s=this.fixHooks[i];s||(this.fixHooks[i]=s=tt.test(i)?this.mouseHooks:et.test(i)?this.keyHooks:{}),r=s.props?this.props.concat(s.props):this.props,e=new b.Event(a),t=r.length;while(t--)n=r[t],e[n]=a[n];return e.target||(e.target=a.srcElement||o),3===e.target.nodeType&&(e.target=e.target.parentNode),e.metaKey=!!e.metaKey,s.filter?s.filter(e,a):e},props:"altKey bubbles cancelable ctrlKey currentTarget eventPhase metaKey relatedTarget shiftKey target timeStamp view which".split(" "),fixHooks:{},keyHooks:{props:"char charCode key keyCode".split(" "),filter:function(e,t){return null==e.which&&(e.which=null!=t.charCode?t.charCode:t.keyCode),e}},mouseHooks:{props:"button buttons clientX clientY fromElement offsetX offsetY pageX pageY screenX screenY toElement".split(" "),filter:function(e,n){var r,i,a,s=n.button,u=n.fromElement;return null==e.pageX&&null!=n.clientX&&(i=e.target.ownerDocument||o,a=i.documentElement,r=i.body,e.pageX=n.clientX+(a&&a.scrollLeft||r&&r.scrollLeft||0)-(a&&a.clientLeft||r&&r.clientLeft||0),e.pageY=n.clientY+(a&&a.scrollTop||r&&r.scrollTop||0)-(a&&a.clientTop||r&&r.clientTop||0)),!e.relatedTarget&&u&&(e.relatedTarget=u===e.target?n.toElement:u),e.which||s===t||(e.which=1&s?1:2&s?3:4&s?2:0),e}},special:{load:{noBubble:!0},click:{trigger:function(){return b.nodeName(this,"input")&&"checkbox"===this.type&&this.click?(this.click(),!1):t}},focus:{trigger:function(){if(this!==o.activeElement&&this.focus)try{return this.focus(),!1}catch(e){}},delegateType:"focusin"},blur:{trigger:function(){return this===o.activeElement&&this.blur?(this.blur(),!1):t},delegateType:"focusout"},beforeunload:{postDispatch:function(e){e.result!==t&&(e.originalEvent.returnValue=e.result)}}},simulate:function(e,t,n,r){var i=b.extend(new b.Event,n,{type:e,isSimulated:!0,originalEvent:{}});r?b.event.trigger(i,null,t):b.event.dispatch.call(t,i),i.isDefaultPrevented()&&n.preventDefault()}},b.removeEvent=o.removeEventListener?function(e,t,n){e.removeEventListener&&e.removeEventListener(t,n,!1)}:function(e,t,n){var r="on"+t;e.detachEvent&&(typeof e[r]===i&&(e[r]=null),e.detachEvent(r,n))},b.Event=function(e,n){return this instanceof b.Event?(e&&e.type?(this.originalEvent=e,this.type=e.type,this.isDefaultPrevented=e.defaultPrevented||e.returnValue===!1||e.getPreventDefault&&e.getPreventDefault()?it:ot):this.type=e,n&&b.extend(this,n),this.timeStamp=e&&e.timeStamp||b.now(),this[b.expando]=!0,t):new b.Event(e,n)},b.Event.prototype={isDefaultPrevented:ot,isPropagationStopped:ot,isImmediatePropagationStopped:ot,preventDefault:function(){var e=this.originalEvent;this.isDefaultPrevented=it,e&&(e.preventDefault?e.preventDefault():e.returnValue=!1)},stopPropagation:function(){var e=this.originalEvent;this.isPropagationStopped=it,e&&(e.stopPropagation&&e.stopPropagation(),e.cancelBubble=!0)},stopImmediatePropagation:function(){this.isImmediatePropagationStopped=it,this.stopPropagation()}},b.each({mouseenter:"mouseover",mouseleave:"mouseout"},function(e,t){b.event.special[e]={delegateType:t,bindType:t,handle:function(e){var n,r=this,i=e.relatedTarget,o=e.handleObj; -return(!i||i!==r&&!b.contains(r,i))&&(e.type=o.origType,n=o.handler.apply(this,arguments),e.type=t),n}}}),b.support.submitBubbles||(b.event.special.submit={setup:function(){return b.nodeName(this,"form")?!1:(b.event.add(this,"click._submit keypress._submit",function(e){var n=e.target,r=b.nodeName(n,"input")||b.nodeName(n,"button")?n.form:t;r&&!b._data(r,"submitBubbles")&&(b.event.add(r,"submit._submit",function(e){e._submit_bubble=!0}),b._data(r,"submitBubbles",!0))}),t)},postDispatch:function(e){e._submit_bubble&&(delete e._submit_bubble,this.parentNode&&!e.isTrigger&&b.event.simulate("submit",this.parentNode,e,!0))},teardown:function(){return b.nodeName(this,"form")?!1:(b.event.remove(this,"._submit"),t)}}),b.support.changeBubbles||(b.event.special.change={setup:function(){return Z.test(this.nodeName)?(("checkbox"===this.type||"radio"===this.type)&&(b.event.add(this,"propertychange._change",function(e){"checked"===e.originalEvent.propertyName&&(this._just_changed=!0)}),b.event.add(this,"click._change",function(e){this._just_changed&&!e.isTrigger&&(this._just_changed=!1),b.event.simulate("change",this,e,!0)})),!1):(b.event.add(this,"beforeactivate._change",function(e){var t=e.target;Z.test(t.nodeName)&&!b._data(t,"changeBubbles")&&(b.event.add(t,"change._change",function(e){!this.parentNode||e.isSimulated||e.isTrigger||b.event.simulate("change",this.parentNode,e,!0)}),b._data(t,"changeBubbles",!0))}),t)},handle:function(e){var n=e.target;return this!==n||e.isSimulated||e.isTrigger||"radio"!==n.type&&"checkbox"!==n.type?e.handleObj.handler.apply(this,arguments):t},teardown:function(){return b.event.remove(this,"._change"),!Z.test(this.nodeName)}}),b.support.focusinBubbles||b.each({focus:"focusin",blur:"focusout"},function(e,t){var n=0,r=function(e){b.event.simulate(t,e.target,b.event.fix(e),!0)};b.event.special[t]={setup:function(){0===n++&&o.addEventListener(e,r,!0)},teardown:function(){0===--n&&o.removeEventListener(e,r,!0)}}}),b.fn.extend({on:function(e,n,r,i,o){var a,s;if("object"==typeof e){"string"!=typeof n&&(r=r||n,n=t);for(a in e)this.on(a,n,r,e[a],o);return this}if(null==r&&null==i?(i=n,r=n=t):null==i&&("string"==typeof n?(i=r,r=t):(i=r,r=n,n=t)),i===!1)i=ot;else if(!i)return this;return 1===o&&(s=i,i=function(e){return b().off(e),s.apply(this,arguments)},i.guid=s.guid||(s.guid=b.guid++)),this.each(function(){b.event.add(this,e,i,r,n)})},one:function(e,t,n,r){return this.on(e,t,n,r,1)},off:function(e,n,r){var i,o;if(e&&e.preventDefault&&e.handleObj)return i=e.handleObj,b(e.delegateTarget).off(i.namespace?i.origType+"."+i.namespace:i.origType,i.selector,i.handler),this;if("object"==typeof e){for(o in e)this.off(o,n,e[o]);return this}return(n===!1||"function"==typeof n)&&(r=n,n=t),r===!1&&(r=ot),this.each(function(){b.event.remove(this,e,r,n)})},bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,"**"):this.off(t,e||"**",n)},trigger:function(e,t){return this.each(function(){b.event.trigger(e,t,this)})},triggerHandler:function(e,n){var r=this[0];return r?b.event.trigger(e,n,r,!0):t}}),function(e,t){var n,r,i,o,a,s,u,l,c,p,f,d,h,g,m,y,v,x="sizzle"+-new Date,w=e.document,T={},N=0,C=0,k=it(),E=it(),S=it(),A=typeof t,j=1<<31,D=[],L=D.pop,H=D.push,q=D.slice,M=D.indexOf||function(e){var t=0,n=this.length;for(;n>t;t++)if(this[t]===e)return t;return-1},_="[\\x20\\t\\r\\n\\f]",F="(?:\\\\.|[\\w-]|[^\\x00-\\xa0])+",O=F.replace("w","w#"),B="([*^$|!~]?=)",P="\\["+_+"*("+F+")"+_+"*(?:"+B+_+"*(?:(['\"])((?:\\\\.|[^\\\\])*?)\\3|("+O+")|)|)"+_+"*\\]",R=":("+F+")(?:\\(((['\"])((?:\\\\.|[^\\\\])*?)\\3|((?:\\\\.|[^\\\\()[\\]]|"+P.replace(3,8)+")*)|.*)\\)|)",W=RegExp("^"+_+"+|((?:^|[^\\\\])(?:\\\\.)*)"+_+"+$","g"),$=RegExp("^"+_+"*,"+_+"*"),I=RegExp("^"+_+"*([\\x20\\t\\r\\n\\f>+~])"+_+"*"),z=RegExp(R),X=RegExp("^"+O+"$"),U={ID:RegExp("^#("+F+")"),CLASS:RegExp("^\\.("+F+")"),NAME:RegExp("^\\[name=['\"]?("+F+")['\"]?\\]"),TAG:RegExp("^("+F.replace("w","w*")+")"),ATTR:RegExp("^"+P),PSEUDO:RegExp("^"+R),CHILD:RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+_+"*(even|odd|(([+-]|)(\\d*)n|)"+_+"*(?:([+-]|)"+_+"*(\\d+)|))"+_+"*\\)|)","i"),needsContext:RegExp("^"+_+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+_+"*((?:-\\d)?\\d*)"+_+"*\\)|)(?=[^-]|$)","i")},V=/[\x20\t\r\n\f]*[+~]/,Y=/^[^{]+\{\s*\[native code/,J=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,G=/^(?:input|select|textarea|button)$/i,Q=/^h\d$/i,K=/'|\\/g,Z=/\=[\x20\t\r\n\f]*([^'"\]]*)[\x20\t\r\n\f]*\]/g,et=/\\([\da-fA-F]{1,6}[\x20\t\r\n\f]?|.)/g,tt=function(e,t){var n="0x"+t-65536;return n!==n?t:0>n?String.fromCharCode(n+65536):String.fromCharCode(55296|n>>10,56320|1023&n)};try{q.call(w.documentElement.childNodes,0)[0].nodeType}catch(nt){q=function(e){var t,n=[];while(t=this[e++])n.push(t);return n}}function rt(e){return Y.test(e+"")}function it(){var e,t=[];return e=function(n,r){return t.push(n+=" ")>i.cacheLength&&delete e[t.shift()],e[n]=r}}function ot(e){return e[x]=!0,e}function at(e){var t=p.createElement("div");try{return e(t)}catch(n){return!1}finally{t=null}}function st(e,t,n,r){var i,o,a,s,u,l,f,g,m,v;if((t?t.ownerDocument||t:w)!==p&&c(t),t=t||p,n=n||[],!e||"string"!=typeof e)return n;if(1!==(s=t.nodeType)&&9!==s)return[];if(!d&&!r){if(i=J.exec(e))if(a=i[1]){if(9===s){if(o=t.getElementById(a),!o||!o.parentNode)return n;if(o.id===a)return n.push(o),n}else if(t.ownerDocument&&(o=t.ownerDocument.getElementById(a))&&y(t,o)&&o.id===a)return n.push(o),n}else{if(i[2])return H.apply(n,q.call(t.getElementsByTagName(e),0)),n;if((a=i[3])&&T.getByClassName&&t.getElementsByClassName)return H.apply(n,q.call(t.getElementsByClassName(a),0)),n}if(T.qsa&&!h.test(e)){if(f=!0,g=x,m=t,v=9===s&&e,1===s&&"object"!==t.nodeName.toLowerCase()){l=ft(e),(f=t.getAttribute("id"))?g=f.replace(K,"\\$&"):t.setAttribute("id",g),g="[id='"+g+"'] ",u=l.length;while(u--)l[u]=g+dt(l[u]);m=V.test(e)&&t.parentNode||t,v=l.join(",")}if(v)try{return H.apply(n,q.call(m.querySelectorAll(v),0)),n}catch(b){}finally{f||t.removeAttribute("id")}}}return wt(e.replace(W,"$1"),t,n,r)}a=st.isXML=function(e){var t=e&&(e.ownerDocument||e).documentElement;return t?"HTML"!==t.nodeName:!1},c=st.setDocument=function(e){var n=e?e.ownerDocument||e:w;return n!==p&&9===n.nodeType&&n.documentElement?(p=n,f=n.documentElement,d=a(n),T.tagNameNoComments=at(function(e){return e.appendChild(n.createComment("")),!e.getElementsByTagName("*").length}),T.attributes=at(function(e){e.innerHTML="";var t=typeof e.lastChild.getAttribute("multiple");return"boolean"!==t&&"string"!==t}),T.getByClassName=at(function(e){return e.innerHTML="",e.getElementsByClassName&&e.getElementsByClassName("e").length?(e.lastChild.className="e",2===e.getElementsByClassName("e").length):!1}),T.getByName=at(function(e){e.id=x+0,e.innerHTML="
",f.insertBefore(e,f.firstChild);var t=n.getElementsByName&&n.getElementsByName(x).length===2+n.getElementsByName(x+0).length;return T.getIdNotName=!n.getElementById(x),f.removeChild(e),t}),i.attrHandle=at(function(e){return e.innerHTML="",e.firstChild&&typeof e.firstChild.getAttribute!==A&&"#"===e.firstChild.getAttribute("href")})?{}:{href:function(e){return e.getAttribute("href",2)},type:function(e){return e.getAttribute("type")}},T.getIdNotName?(i.find.ID=function(e,t){if(typeof t.getElementById!==A&&!d){var n=t.getElementById(e);return n&&n.parentNode?[n]:[]}},i.filter.ID=function(e){var t=e.replace(et,tt);return function(e){return e.getAttribute("id")===t}}):(i.find.ID=function(e,n){if(typeof n.getElementById!==A&&!d){var r=n.getElementById(e);return r?r.id===e||typeof r.getAttributeNode!==A&&r.getAttributeNode("id").value===e?[r]:t:[]}},i.filter.ID=function(e){var t=e.replace(et,tt);return function(e){var n=typeof e.getAttributeNode!==A&&e.getAttributeNode("id");return n&&n.value===t}}),i.find.TAG=T.tagNameNoComments?function(e,n){return typeof n.getElementsByTagName!==A?n.getElementsByTagName(e):t}:function(e,t){var n,r=[],i=0,o=t.getElementsByTagName(e);if("*"===e){while(n=o[i++])1===n.nodeType&&r.push(n);return r}return o},i.find.NAME=T.getByName&&function(e,n){return typeof n.getElementsByName!==A?n.getElementsByName(name):t},i.find.CLASS=T.getByClassName&&function(e,n){return typeof n.getElementsByClassName===A||d?t:n.getElementsByClassName(e)},g=[],h=[":focus"],(T.qsa=rt(n.querySelectorAll))&&(at(function(e){e.innerHTML="",e.querySelectorAll("[selected]").length||h.push("\\["+_+"*(?:checked|disabled|ismap|multiple|readonly|selected|value)"),e.querySelectorAll(":checked").length||h.push(":checked")}),at(function(e){e.innerHTML="",e.querySelectorAll("[i^='']").length&&h.push("[*^$]="+_+"*(?:\"\"|'')"),e.querySelectorAll(":enabled").length||h.push(":enabled",":disabled"),e.querySelectorAll("*,:x"),h.push(",.*:")})),(T.matchesSelector=rt(m=f.matchesSelector||f.mozMatchesSelector||f.webkitMatchesSelector||f.oMatchesSelector||f.msMatchesSelector))&&at(function(e){T.disconnectedMatch=m.call(e,"div"),m.call(e,"[s!='']:x"),g.push("!=",R)}),h=RegExp(h.join("|")),g=RegExp(g.join("|")),y=rt(f.contains)||f.compareDocumentPosition?function(e,t){var n=9===e.nodeType?e.documentElement:e,r=t&&t.parentNode;return e===r||!(!r||1!==r.nodeType||!(n.contains?n.contains(r):e.compareDocumentPosition&&16&e.compareDocumentPosition(r)))}:function(e,t){if(t)while(t=t.parentNode)if(t===e)return!0;return!1},v=f.compareDocumentPosition?function(e,t){var r;return e===t?(u=!0,0):(r=t.compareDocumentPosition&&e.compareDocumentPosition&&e.compareDocumentPosition(t))?1&r||e.parentNode&&11===e.parentNode.nodeType?e===n||y(w,e)?-1:t===n||y(w,t)?1:0:4&r?-1:1:e.compareDocumentPosition?-1:1}:function(e,t){var r,i=0,o=e.parentNode,a=t.parentNode,s=[e],l=[t];if(e===t)return u=!0,0;if(!o||!a)return e===n?-1:t===n?1:o?-1:a?1:0;if(o===a)return ut(e,t);r=e;while(r=r.parentNode)s.unshift(r);r=t;while(r=r.parentNode)l.unshift(r);while(s[i]===l[i])i++;return i?ut(s[i],l[i]):s[i]===w?-1:l[i]===w?1:0},u=!1,[0,0].sort(v),T.detectDuplicates=u,p):p},st.matches=function(e,t){return st(e,null,null,t)},st.matchesSelector=function(e,t){if((e.ownerDocument||e)!==p&&c(e),t=t.replace(Z,"='$1']"),!(!T.matchesSelector||d||g&&g.test(t)||h.test(t)))try{var n=m.call(e,t);if(n||T.disconnectedMatch||e.document&&11!==e.document.nodeType)return n}catch(r){}return st(t,p,null,[e]).length>0},st.contains=function(e,t){return(e.ownerDocument||e)!==p&&c(e),y(e,t)},st.attr=function(e,t){var n;return(e.ownerDocument||e)!==p&&c(e),d||(t=t.toLowerCase()),(n=i.attrHandle[t])?n(e):d||T.attributes?e.getAttribute(t):((n=e.getAttributeNode(t))||e.getAttribute(t))&&e[t]===!0?t:n&&n.specified?n.value:null},st.error=function(e){throw Error("Syntax error, unrecognized expression: "+e)},st.uniqueSort=function(e){var t,n=[],r=1,i=0;if(u=!T.detectDuplicates,e.sort(v),u){for(;t=e[r];r++)t===e[r-1]&&(i=n.push(r));while(i--)e.splice(n[i],1)}return e};function ut(e,t){var n=t&&e,r=n&&(~t.sourceIndex||j)-(~e.sourceIndex||j);if(r)return r;if(n)while(n=n.nextSibling)if(n===t)return-1;return e?1:-1}function lt(e){return function(t){var n=t.nodeName.toLowerCase();return"input"===n&&t.type===e}}function ct(e){return function(t){var n=t.nodeName.toLowerCase();return("input"===n||"button"===n)&&t.type===e}}function pt(e){return ot(function(t){return t=+t,ot(function(n,r){var i,o=e([],n.length,t),a=o.length;while(a--)n[i=o[a]]&&(n[i]=!(r[i]=n[i]))})})}o=st.getText=function(e){var t,n="",r=0,i=e.nodeType;if(i){if(1===i||9===i||11===i){if("string"==typeof e.textContent)return e.textContent;for(e=e.firstChild;e;e=e.nextSibling)n+=o(e)}else if(3===i||4===i)return e.nodeValue}else for(;t=e[r];r++)n+=o(t);return n},i=st.selectors={cacheLength:50,createPseudo:ot,match:U,find:{},relative:{">":{dir:"parentNode",first:!0}," ":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(e){return e[1]=e[1].replace(et,tt),e[3]=(e[4]||e[5]||"").replace(et,tt),"~="===e[2]&&(e[3]=" "+e[3]+" "),e.slice(0,4)},CHILD:function(e){return e[1]=e[1].toLowerCase(),"nth"===e[1].slice(0,3)?(e[3]||st.error(e[0]),e[4]=+(e[4]?e[5]+(e[6]||1):2*("even"===e[3]||"odd"===e[3])),e[5]=+(e[7]+e[8]||"odd"===e[3])):e[3]&&st.error(e[0]),e},PSEUDO:function(e){var t,n=!e[5]&&e[2];return U.CHILD.test(e[0])?null:(e[4]?e[2]=e[4]:n&&z.test(n)&&(t=ft(n,!0))&&(t=n.indexOf(")",n.length-t)-n.length)&&(e[0]=e[0].slice(0,t),e[2]=n.slice(0,t)),e.slice(0,3))}},filter:{TAG:function(e){return"*"===e?function(){return!0}:(e=e.replace(et,tt).toLowerCase(),function(t){return t.nodeName&&t.nodeName.toLowerCase()===e})},CLASS:function(e){var t=k[e+" "];return t||(t=RegExp("(^|"+_+")"+e+"("+_+"|$)"))&&k(e,function(e){return t.test(e.className||typeof e.getAttribute!==A&&e.getAttribute("class")||"")})},ATTR:function(e,t,n){return function(r){var i=st.attr(r,e);return null==i?"!="===t:t?(i+="","="===t?i===n:"!="===t?i!==n:"^="===t?n&&0===i.indexOf(n):"*="===t?n&&i.indexOf(n)>-1:"$="===t?n&&i.slice(-n.length)===n:"~="===t?(" "+i+" ").indexOf(n)>-1:"|="===t?i===n||i.slice(0,n.length+1)===n+"-":!1):!0}},CHILD:function(e,t,n,r,i){var o="nth"!==e.slice(0,3),a="last"!==e.slice(-4),s="of-type"===t;return 1===r&&0===i?function(e){return!!e.parentNode}:function(t,n,u){var l,c,p,f,d,h,g=o!==a?"nextSibling":"previousSibling",m=t.parentNode,y=s&&t.nodeName.toLowerCase(),v=!u&&!s;if(m){if(o){while(g){p=t;while(p=p[g])if(s?p.nodeName.toLowerCase()===y:1===p.nodeType)return!1;h=g="only"===e&&!h&&"nextSibling"}return!0}if(h=[a?m.firstChild:m.lastChild],a&&v){c=m[x]||(m[x]={}),l=c[e]||[],d=l[0]===N&&l[1],f=l[0]===N&&l[2],p=d&&m.childNodes[d];while(p=++d&&p&&p[g]||(f=d=0)||h.pop())if(1===p.nodeType&&++f&&p===t){c[e]=[N,d,f];break}}else if(v&&(l=(t[x]||(t[x]={}))[e])&&l[0]===N)f=l[1];else while(p=++d&&p&&p[g]||(f=d=0)||h.pop())if((s?p.nodeName.toLowerCase()===y:1===p.nodeType)&&++f&&(v&&((p[x]||(p[x]={}))[e]=[N,f]),p===t))break;return f-=i,f===r||0===f%r&&f/r>=0}}},PSEUDO:function(e,t){var n,r=i.pseudos[e]||i.setFilters[e.toLowerCase()]||st.error("unsupported pseudo: "+e);return r[x]?r(t):r.length>1?(n=[e,e,"",t],i.setFilters.hasOwnProperty(e.toLowerCase())?ot(function(e,n){var i,o=r(e,t),a=o.length;while(a--)i=M.call(e,o[a]),e[i]=!(n[i]=o[a])}):function(e){return r(e,0,n)}):r}},pseudos:{not:ot(function(e){var t=[],n=[],r=s(e.replace(W,"$1"));return r[x]?ot(function(e,t,n,i){var o,a=r(e,null,i,[]),s=e.length;while(s--)(o=a[s])&&(e[s]=!(t[s]=o))}):function(e,i,o){return t[0]=e,r(t,null,o,n),!n.pop()}}),has:ot(function(e){return function(t){return st(e,t).length>0}}),contains:ot(function(e){return function(t){return(t.textContent||t.innerText||o(t)).indexOf(e)>-1}}),lang:ot(function(e){return X.test(e||"")||st.error("unsupported lang: "+e),e=e.replace(et,tt).toLowerCase(),function(t){var n;do if(n=d?t.getAttribute("xml:lang")||t.getAttribute("lang"):t.lang)return n=n.toLowerCase(),n===e||0===n.indexOf(e+"-");while((t=t.parentNode)&&1===t.nodeType);return!1}}),target:function(t){var n=e.location&&e.location.hash;return n&&n.slice(1)===t.id},root:function(e){return e===f},focus:function(e){return e===p.activeElement&&(!p.hasFocus||p.hasFocus())&&!!(e.type||e.href||~e.tabIndex)},enabled:function(e){return e.disabled===!1},disabled:function(e){return e.disabled===!0},checked:function(e){var t=e.nodeName.toLowerCase();return"input"===t&&!!e.checked||"option"===t&&!!e.selected},selected:function(e){return e.parentNode&&e.parentNode.selectedIndex,e.selected===!0},empty:function(e){for(e=e.firstChild;e;e=e.nextSibling)if(e.nodeName>"@"||3===e.nodeType||4===e.nodeType)return!1;return!0},parent:function(e){return!i.pseudos.empty(e)},header:function(e){return Q.test(e.nodeName)},input:function(e){return G.test(e.nodeName)},button:function(e){var t=e.nodeName.toLowerCase();return"input"===t&&"button"===e.type||"button"===t},text:function(e){var t;return"input"===e.nodeName.toLowerCase()&&"text"===e.type&&(null==(t=e.getAttribute("type"))||t.toLowerCase()===e.type)},first:pt(function(){return[0]}),last:pt(function(e,t){return[t-1]}),eq:pt(function(e,t,n){return[0>n?n+t:n]}),even:pt(function(e,t){var n=0;for(;t>n;n+=2)e.push(n);return e}),odd:pt(function(e,t){var n=1;for(;t>n;n+=2)e.push(n);return e}),lt:pt(function(e,t,n){var r=0>n?n+t:n;for(;--r>=0;)e.push(r);return e}),gt:pt(function(e,t,n){var r=0>n?n+t:n;for(;t>++r;)e.push(r);return e})}};for(n in{radio:!0,checkbox:!0,file:!0,password:!0,image:!0})i.pseudos[n]=lt(n);for(n in{submit:!0,reset:!0})i.pseudos[n]=ct(n);function ft(e,t){var n,r,o,a,s,u,l,c=E[e+" "];if(c)return t?0:c.slice(0);s=e,u=[],l=i.preFilter;while(s){(!n||(r=$.exec(s)))&&(r&&(s=s.slice(r[0].length)||s),u.push(o=[])),n=!1,(r=I.exec(s))&&(n=r.shift(),o.push({value:n,type:r[0].replace(W," ")}),s=s.slice(n.length));for(a in i.filter)!(r=U[a].exec(s))||l[a]&&!(r=l[a](r))||(n=r.shift(),o.push({value:n,type:a,matches:r}),s=s.slice(n.length));if(!n)break}return t?s.length:s?st.error(e):E(e,u).slice(0)}function dt(e){var t=0,n=e.length,r="";for(;n>t;t++)r+=e[t].value;return r}function ht(e,t,n){var i=t.dir,o=n&&"parentNode"===i,a=C++;return t.first?function(t,n,r){while(t=t[i])if(1===t.nodeType||o)return e(t,n,r)}:function(t,n,s){var u,l,c,p=N+" "+a;if(s){while(t=t[i])if((1===t.nodeType||o)&&e(t,n,s))return!0}else while(t=t[i])if(1===t.nodeType||o)if(c=t[x]||(t[x]={}),(l=c[i])&&l[0]===p){if((u=l[1])===!0||u===r)return u===!0}else if(l=c[i]=[p],l[1]=e(t,n,s)||r,l[1]===!0)return!0}}function gt(e){return e.length>1?function(t,n,r){var i=e.length;while(i--)if(!e[i](t,n,r))return!1;return!0}:e[0]}function mt(e,t,n,r,i){var o,a=[],s=0,u=e.length,l=null!=t;for(;u>s;s++)(o=e[s])&&(!n||n(o,r,i))&&(a.push(o),l&&t.push(s));return a}function yt(e,t,n,r,i,o){return r&&!r[x]&&(r=yt(r)),i&&!i[x]&&(i=yt(i,o)),ot(function(o,a,s,u){var l,c,p,f=[],d=[],h=a.length,g=o||xt(t||"*",s.nodeType?[s]:s,[]),m=!e||!o&&t?g:mt(g,f,e,s,u),y=n?i||(o?e:h||r)?[]:a:m;if(n&&n(m,y,s,u),r){l=mt(y,d),r(l,[],s,u),c=l.length;while(c--)(p=l[c])&&(y[d[c]]=!(m[d[c]]=p))}if(o){if(i||e){if(i){l=[],c=y.length;while(c--)(p=y[c])&&l.push(m[c]=p);i(null,y=[],l,u)}c=y.length;while(c--)(p=y[c])&&(l=i?M.call(o,p):f[c])>-1&&(o[l]=!(a[l]=p))}}else y=mt(y===a?y.splice(h,y.length):y),i?i(null,a,y,u):H.apply(a,y)})}function vt(e){var t,n,r,o=e.length,a=i.relative[e[0].type],s=a||i.relative[" "],u=a?1:0,c=ht(function(e){return e===t},s,!0),p=ht(function(e){return M.call(t,e)>-1},s,!0),f=[function(e,n,r){return!a&&(r||n!==l)||((t=n).nodeType?c(e,n,r):p(e,n,r))}];for(;o>u;u++)if(n=i.relative[e[u].type])f=[ht(gt(f),n)];else{if(n=i.filter[e[u].type].apply(null,e[u].matches),n[x]){for(r=++u;o>r;r++)if(i.relative[e[r].type])break;return yt(u>1&>(f),u>1&&dt(e.slice(0,u-1)).replace(W,"$1"),n,r>u&&vt(e.slice(u,r)),o>r&&vt(e=e.slice(r)),o>r&&dt(e))}f.push(n)}return gt(f)}function bt(e,t){var n=0,o=t.length>0,a=e.length>0,s=function(s,u,c,f,d){var h,g,m,y=[],v=0,b="0",x=s&&[],w=null!=d,T=l,C=s||a&&i.find.TAG("*",d&&u.parentNode||u),k=N+=null==T?1:Math.random()||.1;for(w&&(l=u!==p&&u,r=n);null!=(h=C[b]);b++){if(a&&h){g=0;while(m=e[g++])if(m(h,u,c)){f.push(h);break}w&&(N=k,r=++n)}o&&((h=!m&&h)&&v--,s&&x.push(h))}if(v+=b,o&&b!==v){g=0;while(m=t[g++])m(x,y,u,c);if(s){if(v>0)while(b--)x[b]||y[b]||(y[b]=L.call(f));y=mt(y)}H.apply(f,y),w&&!s&&y.length>0&&v+t.length>1&&st.uniqueSort(f)}return w&&(N=k,l=T),x};return o?ot(s):s}s=st.compile=function(e,t){var n,r=[],i=[],o=S[e+" "];if(!o){t||(t=ft(e)),n=t.length;while(n--)o=vt(t[n]),o[x]?r.push(o):i.push(o);o=S(e,bt(i,r))}return o};function xt(e,t,n){var r=0,i=t.length;for(;i>r;r++)st(e,t[r],n);return n}function wt(e,t,n,r){var o,a,u,l,c,p=ft(e);if(!r&&1===p.length){if(a=p[0]=p[0].slice(0),a.length>2&&"ID"===(u=a[0]).type&&9===t.nodeType&&!d&&i.relative[a[1].type]){if(t=i.find.ID(u.matches[0].replace(et,tt),t)[0],!t)return n;e=e.slice(a.shift().value.length)}o=U.needsContext.test(e)?0:a.length;while(o--){if(u=a[o],i.relative[l=u.type])break;if((c=i.find[l])&&(r=c(u.matches[0].replace(et,tt),V.test(a[0].type)&&t.parentNode||t))){if(a.splice(o,1),e=r.length&&dt(a),!e)return H.apply(n,q.call(r,0)),n;break}}}return s(e,p)(r,t,d,n,V.test(e)),n}i.pseudos.nth=i.pseudos.eq;function Tt(){}i.filters=Tt.prototype=i.pseudos,i.setFilters=new Tt,c(),st.attr=b.attr,b.find=st,b.expr=st.selectors,b.expr[":"]=b.expr.pseudos,b.unique=st.uniqueSort,b.text=st.getText,b.isXMLDoc=st.isXML,b.contains=st.contains}(e);var at=/Until$/,st=/^(?:parents|prev(?:Until|All))/,ut=/^.[^:#\[\.,]*$/,lt=b.expr.match.needsContext,ct={children:!0,contents:!0,next:!0,prev:!0};b.fn.extend({find:function(e){var t,n,r,i=this.length;if("string"!=typeof e)return r=this,this.pushStack(b(e).filter(function(){for(t=0;i>t;t++)if(b.contains(r[t],this))return!0}));for(n=[],t=0;i>t;t++)b.find(e,this[t],n);return n=this.pushStack(i>1?b.unique(n):n),n.selector=(this.selector?this.selector+" ":"")+e,n},has:function(e){var t,n=b(e,this),r=n.length;return this.filter(function(){for(t=0;r>t;t++)if(b.contains(this,n[t]))return!0})},not:function(e){return this.pushStack(ft(this,e,!1))},filter:function(e){return this.pushStack(ft(this,e,!0))},is:function(e){return!!e&&("string"==typeof e?lt.test(e)?b(e,this.context).index(this[0])>=0:b.filter(e,this).length>0:this.filter(e).length>0)},closest:function(e,t){var n,r=0,i=this.length,o=[],a=lt.test(e)||"string"!=typeof e?b(e,t||this.context):0;for(;i>r;r++){n=this[r];while(n&&n.ownerDocument&&n!==t&&11!==n.nodeType){if(a?a.index(n)>-1:b.find.matchesSelector(n,e)){o.push(n);break}n=n.parentNode}}return this.pushStack(o.length>1?b.unique(o):o)},index:function(e){return e?"string"==typeof e?b.inArray(this[0],b(e)):b.inArray(e.jquery?e[0]:e,this):this[0]&&this[0].parentNode?this.first().prevAll().length:-1},add:function(e,t){var n="string"==typeof e?b(e,t):b.makeArray(e&&e.nodeType?[e]:e),r=b.merge(this.get(),n);return this.pushStack(b.unique(r))},addBack:function(e){return this.add(null==e?this.prevObject:this.prevObject.filter(e))}}),b.fn.andSelf=b.fn.addBack;function pt(e,t){do e=e[t];while(e&&1!==e.nodeType);return e}b.each({parent:function(e){var t=e.parentNode;return t&&11!==t.nodeType?t:null},parents:function(e){return b.dir(e,"parentNode")},parentsUntil:function(e,t,n){return b.dir(e,"parentNode",n)},next:function(e){return pt(e,"nextSibling")},prev:function(e){return pt(e,"previousSibling")},nextAll:function(e){return b.dir(e,"nextSibling")},prevAll:function(e){return b.dir(e,"previousSibling")},nextUntil:function(e,t,n){return b.dir(e,"nextSibling",n)},prevUntil:function(e,t,n){return b.dir(e,"previousSibling",n)},siblings:function(e){return b.sibling((e.parentNode||{}).firstChild,e)},children:function(e){return b.sibling(e.firstChild)},contents:function(e){return b.nodeName(e,"iframe")?e.contentDocument||e.contentWindow.document:b.merge([],e.childNodes)}},function(e,t){b.fn[e]=function(n,r){var i=b.map(this,t,n);return at.test(e)||(r=n),r&&"string"==typeof r&&(i=b.filter(r,i)),i=this.length>1&&!ct[e]?b.unique(i):i,this.length>1&&st.test(e)&&(i=i.reverse()),this.pushStack(i)}}),b.extend({filter:function(e,t,n){return n&&(e=":not("+e+")"),1===t.length?b.find.matchesSelector(t[0],e)?[t[0]]:[]:b.find.matches(e,t)},dir:function(e,n,r){var i=[],o=e[n];while(o&&9!==o.nodeType&&(r===t||1!==o.nodeType||!b(o).is(r)))1===o.nodeType&&i.push(o),o=o[n];return i},sibling:function(e,t){var n=[];for(;e;e=e.nextSibling)1===e.nodeType&&e!==t&&n.push(e);return n}});function ft(e,t,n){if(t=t||0,b.isFunction(t))return b.grep(e,function(e,r){var i=!!t.call(e,r,e);return i===n});if(t.nodeType)return b.grep(e,function(e){return e===t===n});if("string"==typeof t){var r=b.grep(e,function(e){return 1===e.nodeType});if(ut.test(t))return b.filter(t,r,!n);t=b.filter(t,r)}return b.grep(e,function(e){return b.inArray(e,t)>=0===n})}function dt(e){var t=ht.split("|"),n=e.createDocumentFragment();if(n.createElement)while(t.length)n.createElement(t.pop());return n}var ht="abbr|article|aside|audio|bdi|canvas|data|datalist|details|figcaption|figure|footer|header|hgroup|mark|meter|nav|output|progress|section|summary|time|video",gt=/ jQuery\d+="(?:null|\d+)"/g,mt=RegExp("<(?:"+ht+")[\\s/>]","i"),yt=/^\s+/,vt=/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi,bt=/<([\w:]+)/,xt=/\s*$/g,At={option:[1,""],legend:[1,"
","
"],area:[1,"",""],param:[1,"",""],thead:[1,"","
"],tr:[2,"","
"],col:[2,"","
"],td:[3,"","
"],_default:b.support.htmlSerialize?[0,"",""]:[1,"X
","
"]},jt=dt(o),Dt=jt.appendChild(o.createElement("div"));At.optgroup=At.option,At.tbody=At.tfoot=At.colgroup=At.caption=At.thead,At.th=At.td,b.fn.extend({text:function(e){return b.access(this,function(e){return e===t?b.text(this):this.empty().append((this[0]&&this[0].ownerDocument||o).createTextNode(e))},null,e,arguments.length)},wrapAll:function(e){if(b.isFunction(e))return this.each(function(t){b(this).wrapAll(e.call(this,t))});if(this[0]){var t=b(e,this[0].ownerDocument).eq(0).clone(!0);this[0].parentNode&&t.insertBefore(this[0]),t.map(function(){var e=this;while(e.firstChild&&1===e.firstChild.nodeType)e=e.firstChild;return e}).append(this)}return this},wrapInner:function(e){return b.isFunction(e)?this.each(function(t){b(this).wrapInner(e.call(this,t))}):this.each(function(){var t=b(this),n=t.contents();n.length?n.wrapAll(e):t.append(e)})},wrap:function(e){var t=b.isFunction(e);return this.each(function(n){b(this).wrapAll(t?e.call(this,n):e)})},unwrap:function(){return this.parent().each(function(){b.nodeName(this,"body")||b(this).replaceWith(this.childNodes)}).end()},append:function(){return this.domManip(arguments,!0,function(e){(1===this.nodeType||11===this.nodeType||9===this.nodeType)&&this.appendChild(e)})},prepend:function(){return this.domManip(arguments,!0,function(e){(1===this.nodeType||11===this.nodeType||9===this.nodeType)&&this.insertBefore(e,this.firstChild)})},before:function(){return this.domManip(arguments,!1,function(e){this.parentNode&&this.parentNode.insertBefore(e,this)})},after:function(){return this.domManip(arguments,!1,function(e){this.parentNode&&this.parentNode.insertBefore(e,this.nextSibling)})},remove:function(e,t){var n,r=0;for(;null!=(n=this[r]);r++)(!e||b.filter(e,[n]).length>0)&&(t||1!==n.nodeType||b.cleanData(Ot(n)),n.parentNode&&(t&&b.contains(n.ownerDocument,n)&&Mt(Ot(n,"script")),n.parentNode.removeChild(n)));return this},empty:function(){var e,t=0;for(;null!=(e=this[t]);t++){1===e.nodeType&&b.cleanData(Ot(e,!1));while(e.firstChild)e.removeChild(e.firstChild);e.options&&b.nodeName(e,"select")&&(e.options.length=0)}return this},clone:function(e,t){return e=null==e?!1:e,t=null==t?e:t,this.map(function(){return b.clone(this,e,t)})},html:function(e){return b.access(this,function(e){var n=this[0]||{},r=0,i=this.length;if(e===t)return 1===n.nodeType?n.innerHTML.replace(gt,""):t;if(!("string"!=typeof e||Tt.test(e)||!b.support.htmlSerialize&&mt.test(e)||!b.support.leadingWhitespace&&yt.test(e)||At[(bt.exec(e)||["",""])[1].toLowerCase()])){e=e.replace(vt,"<$1>");try{for(;i>r;r++)n=this[r]||{},1===n.nodeType&&(b.cleanData(Ot(n,!1)),n.innerHTML=e);n=0}catch(o){}}n&&this.empty().append(e)},null,e,arguments.length)},replaceWith:function(e){var t=b.isFunction(e);return t||"string"==typeof e||(e=b(e).not(this).detach()),this.domManip([e],!0,function(e){var t=this.nextSibling,n=this.parentNode;n&&(b(this).remove(),n.insertBefore(e,t))})},detach:function(e){return this.remove(e,!0)},domManip:function(e,n,r){e=f.apply([],e);var i,o,a,s,u,l,c=0,p=this.length,d=this,h=p-1,g=e[0],m=b.isFunction(g);if(m||!(1>=p||"string"!=typeof g||b.support.checkClone)&&Ct.test(g))return this.each(function(i){var o=d.eq(i);m&&(e[0]=g.call(this,i,n?o.html():t)),o.domManip(e,n,r)});if(p&&(l=b.buildFragment(e,this[0].ownerDocument,!1,this),i=l.firstChild,1===l.childNodes.length&&(l=i),i)){for(n=n&&b.nodeName(i,"tr"),s=b.map(Ot(l,"script"),Ht),a=s.length;p>c;c++)o=l,c!==h&&(o=b.clone(o,!0,!0),a&&b.merge(s,Ot(o,"script"))),r.call(n&&b.nodeName(this[c],"table")?Lt(this[c],"tbody"):this[c],o,c);if(a)for(u=s[s.length-1].ownerDocument,b.map(s,qt),c=0;a>c;c++)o=s[c],kt.test(o.type||"")&&!b._data(o,"globalEval")&&b.contains(u,o)&&(o.src?b.ajax({url:o.src,type:"GET",dataType:"script",async:!1,global:!1,"throws":!0}):b.globalEval((o.text||o.textContent||o.innerHTML||"").replace(St,"")));l=i=null}return this}});function Lt(e,t){return e.getElementsByTagName(t)[0]||e.appendChild(e.ownerDocument.createElement(t))}function Ht(e){var t=e.getAttributeNode("type");return e.type=(t&&t.specified)+"/"+e.type,e}function qt(e){var t=Et.exec(e.type);return t?e.type=t[1]:e.removeAttribute("type"),e}function Mt(e,t){var n,r=0;for(;null!=(n=e[r]);r++)b._data(n,"globalEval",!t||b._data(t[r],"globalEval"))}function _t(e,t){if(1===t.nodeType&&b.hasData(e)){var n,r,i,o=b._data(e),a=b._data(t,o),s=o.events;if(s){delete a.handle,a.events={};for(n in s)for(r=0,i=s[n].length;i>r;r++)b.event.add(t,n,s[n][r])}a.data&&(a.data=b.extend({},a.data))}}function Ft(e,t){var n,r,i;if(1===t.nodeType){if(n=t.nodeName.toLowerCase(),!b.support.noCloneEvent&&t[b.expando]){i=b._data(t);for(r in i.events)b.removeEvent(t,r,i.handle);t.removeAttribute(b.expando)}"script"===n&&t.text!==e.text?(Ht(t).text=e.text,qt(t)):"object"===n?(t.parentNode&&(t.outerHTML=e.outerHTML),b.support.html5Clone&&e.innerHTML&&!b.trim(t.innerHTML)&&(t.innerHTML=e.innerHTML)):"input"===n&&Nt.test(e.type)?(t.defaultChecked=t.checked=e.checked,t.value!==e.value&&(t.value=e.value)):"option"===n?t.defaultSelected=t.selected=e.defaultSelected:("input"===n||"textarea"===n)&&(t.defaultValue=e.defaultValue)}}b.each({appendTo:"append",prependTo:"prepend",insertBefore:"before",insertAfter:"after",replaceAll:"replaceWith"},function(e,t){b.fn[e]=function(e){var n,r=0,i=[],o=b(e),a=o.length-1;for(;a>=r;r++)n=r===a?this:this.clone(!0),b(o[r])[t](n),d.apply(i,n.get());return this.pushStack(i)}});function Ot(e,n){var r,o,a=0,s=typeof e.getElementsByTagName!==i?e.getElementsByTagName(n||"*"):typeof e.querySelectorAll!==i?e.querySelectorAll(n||"*"):t;if(!s)for(s=[],r=e.childNodes||e;null!=(o=r[a]);a++)!n||b.nodeName(o,n)?s.push(o):b.merge(s,Ot(o,n));return n===t||n&&b.nodeName(e,n)?b.merge([e],s):s}function Bt(e){Nt.test(e.type)&&(e.defaultChecked=e.checked)}b.extend({clone:function(e,t,n){var r,i,o,a,s,u=b.contains(e.ownerDocument,e);if(b.support.html5Clone||b.isXMLDoc(e)||!mt.test("<"+e.nodeName+">")?o=e.cloneNode(!0):(Dt.innerHTML=e.outerHTML,Dt.removeChild(o=Dt.firstChild)),!(b.support.noCloneEvent&&b.support.noCloneChecked||1!==e.nodeType&&11!==e.nodeType||b.isXMLDoc(e)))for(r=Ot(o),s=Ot(e),a=0;null!=(i=s[a]);++a)r[a]&&Ft(i,r[a]);if(t)if(n)for(s=s||Ot(e),r=r||Ot(o),a=0;null!=(i=s[a]);a++)_t(i,r[a]);else _t(e,o);return r=Ot(o,"script"),r.length>0&&Mt(r,!u&&Ot(e,"script")),r=s=i=null,o},buildFragment:function(e,t,n,r){var i,o,a,s,u,l,c,p=e.length,f=dt(t),d=[],h=0;for(;p>h;h++)if(o=e[h],o||0===o)if("object"===b.type(o))b.merge(d,o.nodeType?[o]:o);else if(wt.test(o)){s=s||f.appendChild(t.createElement("div")),u=(bt.exec(o)||["",""])[1].toLowerCase(),c=At[u]||At._default,s.innerHTML=c[1]+o.replace(vt,"<$1>")+c[2],i=c[0];while(i--)s=s.lastChild;if(!b.support.leadingWhitespace&&yt.test(o)&&d.push(t.createTextNode(yt.exec(o)[0])),!b.support.tbody){o="table"!==u||xt.test(o)?""!==c[1]||xt.test(o)?0:s:s.firstChild,i=o&&o.childNodes.length;while(i--)b.nodeName(l=o.childNodes[i],"tbody")&&!l.childNodes.length&&o.removeChild(l) -}b.merge(d,s.childNodes),s.textContent="";while(s.firstChild)s.removeChild(s.firstChild);s=f.lastChild}else d.push(t.createTextNode(o));s&&f.removeChild(s),b.support.appendChecked||b.grep(Ot(d,"input"),Bt),h=0;while(o=d[h++])if((!r||-1===b.inArray(o,r))&&(a=b.contains(o.ownerDocument,o),s=Ot(f.appendChild(o),"script"),a&&Mt(s),n)){i=0;while(o=s[i++])kt.test(o.type||"")&&n.push(o)}return s=null,f},cleanData:function(e,t){var n,r,o,a,s=0,u=b.expando,l=b.cache,p=b.support.deleteExpando,f=b.event.special;for(;null!=(n=e[s]);s++)if((t||b.acceptData(n))&&(o=n[u],a=o&&l[o])){if(a.events)for(r in a.events)f[r]?b.event.remove(n,r):b.removeEvent(n,r,a.handle);l[o]&&(delete l[o],p?delete n[u]:typeof n.removeAttribute!==i?n.removeAttribute(u):n[u]=null,c.push(o))}}});var Pt,Rt,Wt,$t=/alpha\([^)]*\)/i,It=/opacity\s*=\s*([^)]*)/,zt=/^(top|right|bottom|left)$/,Xt=/^(none|table(?!-c[ea]).+)/,Ut=/^margin/,Vt=RegExp("^("+x+")(.*)$","i"),Yt=RegExp("^("+x+")(?!px)[a-z%]+$","i"),Jt=RegExp("^([+-])=("+x+")","i"),Gt={BODY:"block"},Qt={position:"absolute",visibility:"hidden",display:"block"},Kt={letterSpacing:0,fontWeight:400},Zt=["Top","Right","Bottom","Left"],en=["Webkit","O","Moz","ms"];function tn(e,t){if(t in e)return t;var n=t.charAt(0).toUpperCase()+t.slice(1),r=t,i=en.length;while(i--)if(t=en[i]+n,t in e)return t;return r}function nn(e,t){return e=t||e,"none"===b.css(e,"display")||!b.contains(e.ownerDocument,e)}function rn(e,t){var n,r,i,o=[],a=0,s=e.length;for(;s>a;a++)r=e[a],r.style&&(o[a]=b._data(r,"olddisplay"),n=r.style.display,t?(o[a]||"none"!==n||(r.style.display=""),""===r.style.display&&nn(r)&&(o[a]=b._data(r,"olddisplay",un(r.nodeName)))):o[a]||(i=nn(r),(n&&"none"!==n||!i)&&b._data(r,"olddisplay",i?n:b.css(r,"display"))));for(a=0;s>a;a++)r=e[a],r.style&&(t&&"none"!==r.style.display&&""!==r.style.display||(r.style.display=t?o[a]||"":"none"));return e}b.fn.extend({css:function(e,n){return b.access(this,function(e,n,r){var i,o,a={},s=0;if(b.isArray(n)){for(o=Rt(e),i=n.length;i>s;s++)a[n[s]]=b.css(e,n[s],!1,o);return a}return r!==t?b.style(e,n,r):b.css(e,n)},e,n,arguments.length>1)},show:function(){return rn(this,!0)},hide:function(){return rn(this)},toggle:function(e){var t="boolean"==typeof e;return this.each(function(){(t?e:nn(this))?b(this).show():b(this).hide()})}}),b.extend({cssHooks:{opacity:{get:function(e,t){if(t){var n=Wt(e,"opacity");return""===n?"1":n}}}},cssNumber:{columnCount:!0,fillOpacity:!0,fontWeight:!0,lineHeight:!0,opacity:!0,orphans:!0,widows:!0,zIndex:!0,zoom:!0},cssProps:{"float":b.support.cssFloat?"cssFloat":"styleFloat"},style:function(e,n,r,i){if(e&&3!==e.nodeType&&8!==e.nodeType&&e.style){var o,a,s,u=b.camelCase(n),l=e.style;if(n=b.cssProps[u]||(b.cssProps[u]=tn(l,u)),s=b.cssHooks[n]||b.cssHooks[u],r===t)return s&&"get"in s&&(o=s.get(e,!1,i))!==t?o:l[n];if(a=typeof r,"string"===a&&(o=Jt.exec(r))&&(r=(o[1]+1)*o[2]+parseFloat(b.css(e,n)),a="number"),!(null==r||"number"===a&&isNaN(r)||("number"!==a||b.cssNumber[u]||(r+="px"),b.support.clearCloneStyle||""!==r||0!==n.indexOf("background")||(l[n]="inherit"),s&&"set"in s&&(r=s.set(e,r,i))===t)))try{l[n]=r}catch(c){}}},css:function(e,n,r,i){var o,a,s,u=b.camelCase(n);return n=b.cssProps[u]||(b.cssProps[u]=tn(e.style,u)),s=b.cssHooks[n]||b.cssHooks[u],s&&"get"in s&&(a=s.get(e,!0,r)),a===t&&(a=Wt(e,n,i)),"normal"===a&&n in Kt&&(a=Kt[n]),""===r||r?(o=parseFloat(a),r===!0||b.isNumeric(o)?o||0:a):a},swap:function(e,t,n,r){var i,o,a={};for(o in t)a[o]=e.style[o],e.style[o]=t[o];i=n.apply(e,r||[]);for(o in t)e.style[o]=a[o];return i}}),e.getComputedStyle?(Rt=function(t){return e.getComputedStyle(t,null)},Wt=function(e,n,r){var i,o,a,s=r||Rt(e),u=s?s.getPropertyValue(n)||s[n]:t,l=e.style;return s&&(""!==u||b.contains(e.ownerDocument,e)||(u=b.style(e,n)),Yt.test(u)&&Ut.test(n)&&(i=l.width,o=l.minWidth,a=l.maxWidth,l.minWidth=l.maxWidth=l.width=u,u=s.width,l.width=i,l.minWidth=o,l.maxWidth=a)),u}):o.documentElement.currentStyle&&(Rt=function(e){return e.currentStyle},Wt=function(e,n,r){var i,o,a,s=r||Rt(e),u=s?s[n]:t,l=e.style;return null==u&&l&&l[n]&&(u=l[n]),Yt.test(u)&&!zt.test(n)&&(i=l.left,o=e.runtimeStyle,a=o&&o.left,a&&(o.left=e.currentStyle.left),l.left="fontSize"===n?"1em":u,u=l.pixelLeft+"px",l.left=i,a&&(o.left=a)),""===u?"auto":u});function on(e,t,n){var r=Vt.exec(t);return r?Math.max(0,r[1]-(n||0))+(r[2]||"px"):t}function an(e,t,n,r,i){var o=n===(r?"border":"content")?4:"width"===t?1:0,a=0;for(;4>o;o+=2)"margin"===n&&(a+=b.css(e,n+Zt[o],!0,i)),r?("content"===n&&(a-=b.css(e,"padding"+Zt[o],!0,i)),"margin"!==n&&(a-=b.css(e,"border"+Zt[o]+"Width",!0,i))):(a+=b.css(e,"padding"+Zt[o],!0,i),"padding"!==n&&(a+=b.css(e,"border"+Zt[o]+"Width",!0,i)));return a}function sn(e,t,n){var r=!0,i="width"===t?e.offsetWidth:e.offsetHeight,o=Rt(e),a=b.support.boxSizing&&"border-box"===b.css(e,"boxSizing",!1,o);if(0>=i||null==i){if(i=Wt(e,t,o),(0>i||null==i)&&(i=e.style[t]),Yt.test(i))return i;r=a&&(b.support.boxSizingReliable||i===e.style[t]),i=parseFloat(i)||0}return i+an(e,t,n||(a?"border":"content"),r,o)+"px"}function un(e){var t=o,n=Gt[e];return n||(n=ln(e,t),"none"!==n&&n||(Pt=(Pt||b("