From pauli at openssl.org Thu Jul 1 01:46:56 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 01 Jul 2021 01:46:56 +0000 Subject: [openssl] master update Message-ID: <1625104016.537977.18014.nullmailer@dev.openssl.org> The branch master has been updated via d720e60357c0a477ff547edac539d15b0a9e320e (commit) from 36a4637e158508f5d2fb7750e4870888072a56f9 (commit) - Log ----------------------------------------------------------------- commit d720e60357c0a477ff547edac539d15b0a9e320e Author: Randall S. Becker Date: Tue Jun 29 08:39:29 2021 -0600 Document cross-compile considerations for NonStop x86 builds. Fixes #15919 Signed-off-by: Randall S. Becker Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15948) ----------------------------------------------------------------------- Summary of changes: NOTES-NONSTOP.md | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 56 insertions(+), 3 deletions(-) diff --git a/NOTES-NONSTOP.md b/NOTES-NONSTOP.md index 7bf051cdd3..171f394a9d 100644 --- a/NOTES-NONSTOP.md +++ b/NOTES-NONSTOP.md @@ -78,12 +78,65 @@ The current OpenSSL default memory model uses the default platform address model. If you need a different address model, you must specify the appropriate c99 options for compile (`CFLAGS`) and linkers (`LDFLAGS`). +Cross Compiling on Windows +-------------------------- + +To configure and compile OpenSSL, you will need to set up a Cygwin environment. +The Cygwin tools should include bash, make, and any other normal tools required +for building programs. + +Your `PATH` must include the bin directory for the c99 cross-compiler, as in: + + export PATH=/cygdrive/c/Program\ Files\ \(x86\)/HPE\ NonStop/L16.05/usr/bin:$PATH + +This should be set before Configure is run. For the c99 cross-compiler to work +correctly, you also need the `COMP_ROOT` set, as in: + + export COMP_ROOT="C:\Program Files (x86)\HPE NonStop\L16.05" + +`COMP_ROOT` needs to be in Windows form. + +`Configure` must specify the `no-makedepend` option otherwise errors will +result when running the build because the c99 cross-compiler does not support +the `gcc -MT` option. An example of a `Configure` command to be run from the +OpenSSL directory is: + + ./Configure nonstop-nsx_64 no-makedepend --with-rand-seed=rdcpu + +Do not forget to include any OpenSSL cross-compiling prefix and certificate +options when creating your libraries. + +The OpenSSL test suite will not run on your workstation. In order to verify the +build, you will need to perform the build and test steps in OSS in your NonStop +server. You can also build under gcc and run the test suite for Windows but that +is not equivalent. + +**Note:** In the event that you are attempting a FIPS-compliant cross-compile, +be aware that signatures may not match between builds done under OSS and under +cross-compiles as the compilers do not necessarily generate identical objects. +Anything and everything to do with FIPS is outside the scope of this document. +Refer to the FIPS security policy for more information. + +The following build configurations have been successfully attempted at one +point or another. If you are successful in your cross-compile efforts, please +update this list: + +- nonstop-nsx_64 +- nonstop-nsx_64_put + +**Note:** Cross-compile builds for TNS/E have not been attempted, but should +follow the same considerations as for TNS/X above. SPT builds generally require +FLOSS, which is not available for workstation builds. As a result, SPT builds +of OpenSSL cannot be cross-compiled. + +Also see the NSDEE discussion below for more historical information. + Cross Compiling with NSDEE -------------------------- -**Note:** None of these builds have been tested by the platform maintainer and are -supplied for historical value. Please submit a Pull Request to OpenSSL should -these need to be adjusted. +**Note:** None of these builds have been tested by the platform maintainer and +are supplied for historical value. Please submit a Pull Request to OpenSSL +should these need to be adjusted. If you are attempting to build OpenSSL with NSDEE, you will need to specify the following variables. The following set of compiler defines are required: From pauli at openssl.org Thu Jul 1 03:20:15 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 01 Jul 2021 03:20:15 +0000 Subject: [openssl] master update Message-ID: <1625109615.771016.1728.nullmailer@dev.openssl.org> The branch master has been updated via a5a4dac988c536bb021c4145ebba88e1507834f8 (commit) via 514b76917c36836ae4243392e71785f01d8233c9 (commit) from d720e60357c0a477ff547edac539d15b0a9e320e (commit) - Log ----------------------------------------------------------------- commit a5a4dac988c536bb021c4145ebba88e1507834f8 Author: Pauli Date: Wed Jun 30 09:25:40 2021 +1000 ci: add a memory sanitiser test run This omission noted in #15950 Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/15952) commit 514b76917c36836ae4243392e71785f01d8233c9 Author: Pauli Date: Wed Jun 30 10:21:17 2021 +1000 afalg: add some memory initialisation calls to pacify memory sanitisation. The engine is modifying memory without the sanitiser realising. By pre- initialising this memory, the sanitiser now thinks that read accesses are okay. Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/15952) ----------------------------------------------------------------------- Summary of changes: .github/workflows/ci.yml | 14 +++++++++++++- engines/e_afalg.c | 9 +++++++++ test/afalgtest.c | 50 ++++++++++++++++++++++++++++++------------------ 3 files changed, 53 insertions(+), 20 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a34ab933c0..5ff0750681 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -125,7 +125,7 @@ jobs: - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 TESTS="-test_fuzz* -test_ssl_* -test_evp -test_cmp_http -test_verify -test_cms -test_store -test_enc -[01][0-9]" - sanitizers: + address_ub_sanitizer: runs-on: ubuntu-latest steps: - uses: actions/checkout at v2 @@ -136,6 +136,18 @@ jobs: - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 + memory_sanitizer: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout at v2 + - name: config + # --debug -O1 is to produce a debug build that runs in a reasonable amount of time + run: CC=clang ./config --banner=Configured --debug -O1 -fsanitize=memory -DOSSL_SANITIZE_MEMORY -fno-optimize-sibling-calls enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 + threads_sanitizer: runs-on: ubuntu-latest steps: diff --git a/engines/e_afalg.c b/engines/e_afalg.c index f36665acf6..d8d3ef610c 100644 --- a/engines/e_afalg.c +++ b/engines/e_afalg.c @@ -324,6 +324,15 @@ static int afalg_fin_cipher_aio(afalg_aio *aio, int sfd, unsigned char *buf, } if (eval > 0) { +#ifdef OSSL_SANITIZE_MEMORY + /* + * In a memory sanitiser build, the changes to memory made by the + * system call aren't reliably detected. By initialising the + * memory here, the sanitiser is told that they are okay. + */ + memset(events, 0, sizeof(events)); +#endif + /* Get results of AIO read */ r = io_getevents(aio->aio_ctx, 1, MAX_INFLIGHTS, events, &timeout); diff --git a/test/afalgtest.c b/test/afalgtest.c index 6e6bbd5530..1177ceaf8e 100644 --- a/test/afalgtest.c +++ b/test/afalgtest.c @@ -48,27 +48,39 @@ static int test_afalg_aes_cbc(int keysize_idx) { EVP_CIPHER_CTX *ctx; const EVP_CIPHER *cipher; - unsigned char key[] = "\x06\xa9\x21\x40\x36\xb8\xa1\x5b" - "\x51\x2e\x03\xd5\x34\x12\x00\x06" - "\x06\xa9\x21\x40\x36\xb8\xa1\x5b" - "\x51\x2e\x03\xd5\x34\x12\x00\x06"; - unsigned char iv[] = "\x3d\xaf\xba\x42\x9d\x9e\xb4\x30" - "\xb4\x22\xda\x80\x2c\x9f\xac\x41"; - /* input = "Single block msg\n" 17Bytes*/ - unsigned char in[BUFFER_SIZE] = "\x53\x69\x6e\x67\x6c\x65\x20\x62" - "\x6c\x6f\x63\x6b\x20\x6d\x73\x67\x0a"; unsigned char ebuf[BUFFER_SIZE + 32]; unsigned char dbuf[BUFFER_SIZE + 32]; - unsigned char encresult_128[] = "\xe3\x53\x77\x9c\x10\x79\xae\xb8" - "\x27\x08\x94\x2d\xbe\x77\x18\x1a\x2d"; - unsigned char encresult_192[] = "\xf7\xe4\x26\xd1\xd5\x4f\x8f\x39" - "\xb1\x9e\xe0\xdf\x61\xb9\xc2\x55\xeb"; - unsigned char encresult_256[] = "\xa0\x76\x85\xfd\xc1\x65\x71\x9d" - "\xc7\xe9\x13\x6e\xae\x55\x49\xb4\x13"; - unsigned char *enc_result = NULL; - + const unsigned char *enc_result = NULL; int encl, encf, decl, decf; int ret = 0; + static const unsigned char key[] = + "\x06\xa9\x21\x40\x36\xb8\xa1\x5b\x51\x2e\x03\xd5\x34\x12\x00\x06" + "\x06\xa9\x21\x40\x36\xb8\xa1\x5b\x51\x2e\x03\xd5\x34\x12\x00\x06"; + static const unsigned char iv[] = + "\x3d\xaf\xba\x42\x9d\x9e\xb4\x30\xb4\x22\xda\x80\x2c\x9f\xac\x41"; + /* input = "Single block msg\n" 17 Bytes*/ + static const unsigned char in[BUFFER_SIZE] = + "\x53\x69\x6e\x67\x6c\x65\x20\x62\x6c\x6f\x63\x6b\x20\x6d\x73\x67" + "\x0a"; + static const unsigned char encresult_128[BUFFER_SIZE] = + "\xe3\x53\x77\x9c\x10\x79\xae\xb8\x27\x08\x94\x2d\xbe\x77\x18\x1a" + "\x2d"; + static const unsigned char encresult_192[BUFFER_SIZE] = + "\xf7\xe4\x26\xd1\xd5\x4f\x8f\x39\xb1\x9e\xe0\xdf\x61\xb9\xc2\x55" + "\xeb"; + static const unsigned char encresult_256[BUFFER_SIZE] = + "\xa0\x76\x85\xfd\xc1\x65\x71\x9d\xc7\xe9\x13\x6e\xae\x55\x49\xb4" + "\x13"; + +#ifdef OSSL_SANITIZE_MEMORY + /* + * Initialise the encryption & decryption buffers to pacify the memory + * sanitiser. The sanitiser doesn't know that this memory is modified + * by the engine, this tells it that all is good. + */ + OPENSSL_cleanse(ebuf, sizeof(ebuf)); + OPENSSL_cleanse(dbuf, sizeof(dbuf)); +#endif switch (keysize_idx) { case 0: @@ -91,7 +103,7 @@ static int test_afalg_aes_cbc(int keysize_idx) if (!TEST_true(EVP_CipherInit_ex(ctx, cipher, e, key, iv, 1)) || !TEST_true(EVP_CipherUpdate(ctx, ebuf, &encl, in, BUFFER_SIZE)) - || !TEST_true(EVP_CipherFinal_ex(ctx, ebuf+encl, &encf))) + || !TEST_true(EVP_CipherFinal_ex(ctx, ebuf + encl, &encf))) goto end; encl += encf; @@ -101,7 +113,7 @@ static int test_afalg_aes_cbc(int keysize_idx) if (!TEST_true(EVP_CIPHER_CTX_reset(ctx)) || !TEST_true(EVP_CipherInit_ex(ctx, cipher, e, key, iv, 0)) || !TEST_true(EVP_CipherUpdate(ctx, dbuf, &decl, ebuf, encl)) - || !TEST_true(EVP_CipherFinal_ex(ctx, dbuf+decl, &decf))) + || !TEST_true(EVP_CipherFinal_ex(ctx, dbuf + decl, &decf))) goto end; decl += decf; From levitte at openssl.org Thu Jul 1 07:22:07 2021 From: levitte at openssl.org (Richard Levitte) Date: Thu, 01 Jul 2021 07:22:07 +0000 Subject: [openssl] master update Message-ID: <1625124127.490301.6098.nullmailer@dev.openssl.org> The branch master has been updated via 025312431db8c5cf0c16e1043987a7f0f9e3bf87 (commit) from a5a4dac988c536bb021c4145ebba88e1507834f8 (commit) - Log ----------------------------------------------------------------- commit 025312431db8c5cf0c16e1043987a7f0f9e3bf87 Author: Richard Levitte Date: Wed Jun 30 06:31:58 2021 +0200 DOC: clarify OPENSSL_API_COMPAT Fixes #15928 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15956) ----------------------------------------------------------------------- Summary of changes: doc/man7/openssl_user_macros.pod.in | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/doc/man7/openssl_user_macros.pod.in b/doc/man7/openssl_user_macros.pod.in index 33969e2476..ec99da594f 100644 --- a/doc/man7/openssl_user_macros.pod.in +++ b/doc/man7/openssl_user_macros.pod.in @@ -74,16 +74,18 @@ minor and patch components of the version number. For example: =back -If not set, this macro will default to +If B is undefined, this default value is used in its +place: C<{- join('', map { my @x = split /=/,$_; $x[1] } grep /^OPENSSL_CONFIGURED_API=/, @{$config{openssl_api_defines} // []}) || '0x00000000L' - -}>. + -}> =item B If this macro is defined, all deprecated public symbols in all OpenSSL versions up to and including the version given by B +(or the default value given above, when B isn't defined) will be hidden. =back From tomas at openssl.org Thu Jul 1 14:04:25 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Thu, 01 Jul 2021 14:04:25 +0000 Subject: [openssl] master update Message-ID: <1625148265.479391.29776.nullmailer@dev.openssl.org> The branch master has been updated via d60e719c2d158a2998412d45c52df25375e10b74 (commit) from 025312431db8c5cf0c16e1043987a7f0f9e3bf87 (commit) - Log ----------------------------------------------------------------- commit d60e719c2d158a2998412d45c52df25375e10b74 Author: Tomas Mraz Date: Wed Jun 30 11:17:09 2021 +0200 doc: Mention the update of der data pointers in d2i/i2d Fixes #15958 Reviewed-by: Paul Dale Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/15959) ----------------------------------------------------------------------- Summary of changes: doc/man3/d2i_PrivateKey.pod | 4 ++++ doc/man3/d2i_RSAPrivateKey.pod | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/doc/man3/d2i_PrivateKey.pod b/doc/man3/d2i_PrivateKey.pod index eb34a1386f..aac92336c3 100644 --- a/doc/man3/d2i_PrivateKey.pod +++ b/doc/man3/d2i_PrivateKey.pod @@ -86,6 +86,10 @@ functions described in L. =head1 NOTES +All the functions that operate on data in memory update the data pointer I<*pp> +after a successful operation, just like the other d2i and i2d functions; +see L. + All these functions use DER format and unencrypted keys. Applications wishing to encrypt or decrypt private keys should use other functions such as d2i_PKCS8PrivateKey() instead. diff --git a/doc/man3/d2i_RSAPrivateKey.pod b/doc/man3/d2i_RSAPrivateKey.pod index 3e991a0c9f..20cdfb1fcb 100644 --- a/doc/man3/d2i_RSAPrivateKey.pod +++ b/doc/man3/d2i_RSAPrivateKey.pod @@ -265,8 +265,8 @@ Functions such as strlen() will B return the correct length of the encoded structure. The ways that I<*ppin> and I<*ppout> are incremented after the operation -can trap the unwary. See the B section for some common -errors. +can trap the unwary. See the B section in L for some +common errors. The reason for this-auto increment behaviour is to reflect a typical usage of ASN1 functions: after one structure is encoded or decoded another will be processed after it. From pauli at openssl.org Fri Jul 2 03:01:07 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Fri, 02 Jul 2021 03:01:07 +0000 Subject: [openssl] master update Message-ID: <1625194867.074501.27601.nullmailer@dev.openssl.org> The branch master has been updated via 6870c1e7b79043a9a85b70de7b2b29276aff235c (commit) from d60e719c2d158a2998412d45c52df25375e10b74 (commit) - Log ----------------------------------------------------------------- commit 6870c1e7b79043a9a85b70de7b2b29276aff235c Author: Randall S. Becker Date: Wed Jun 23 14:50:09 2021 -0600 Defined out MUTEX attributes not available on NonStop SPT Threads. Standard Posix Threads (SPT) Threads are an older separate branch of pthreads that do not support some of the capabilities in the current Posix User Threads (PUT). The change also includes a rename of the close field of OSSL_STORE_LOADER which was causing preprocessor conflicts. Fixes #15885 Signed-off-by: Randall S. Becker Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15886) ----------------------------------------------------------------------- Summary of changes: crypto/store/store_lib.c | 2 +- crypto/store/store_local.h | 2 +- crypto/store/store_register.c | 8 ++++---- crypto/threads_pthread.c | 8 ++++++-- 4 files changed, 12 insertions(+), 8 deletions(-) diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c index 636a94e832..7dcb939066 100644 --- a/crypto/store/store_lib.c +++ b/crypto/store/store_lib.c @@ -514,7 +514,7 @@ static int ossl_store_close_it(OSSL_STORE_CTX *ctx) ret = ctx->loader->p_close(ctx->loader_ctx); #ifndef OPENSSL_NO_DEPRECATED_3_0 if (ctx->fetched_loader == NULL) - ret = ctx->loader->close(ctx->loader_ctx); + ret = ctx->loader->closefn(ctx->loader_ctx); #endif sk_OSSL_STORE_INFO_pop_free(ctx->cached_info, OSSL_STORE_INFO_free); diff --git a/crypto/store/store_local.h b/crypto/store/store_local.h index 6aeaaa915f..8f817fd514 100644 --- a/crypto/store/store_local.h +++ b/crypto/store/store_local.h @@ -92,7 +92,7 @@ struct ossl_store_loader_st { OSSL_STORE_load_fn load; OSSL_STORE_eof_fn eof; OSSL_STORE_error_fn error; - OSSL_STORE_close_fn close; + OSSL_STORE_close_fn closefn; OSSL_STORE_open_ex_fn open_ex; #endif diff --git a/crypto/store/store_register.c b/crypto/store/store_register.c index dfb0cdc811..6fa7352ccd 100644 --- a/crypto/store/store_register.c +++ b/crypto/store/store_register.c @@ -130,7 +130,7 @@ int OSSL_STORE_LOADER_set_error(OSSL_STORE_LOADER *loader, int OSSL_STORE_LOADER_set_close(OSSL_STORE_LOADER *loader, OSSL_STORE_close_fn close_function) { - loader->close = close_function; + loader->closefn = close_function; return 1; } @@ -185,7 +185,7 @@ int ossl_store_register_loader_int(OSSL_STORE_LOADER *loader) /* Check that functions we absolutely require are present */ if (loader->open == NULL || loader->load == NULL || loader->eof == NULL - || loader->error == NULL || loader->close == NULL) { + || loader->error == NULL || loader->closefn == NULL) { ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_LOADER_INCOMPLETE); return 0; } @@ -220,7 +220,7 @@ const OSSL_STORE_LOADER *ossl_store_get0_loader_int(const char *scheme) template.open = NULL; template.load = NULL; template.eof = NULL; - template.close = NULL; + template.closefn = NULL; template.open_ex = NULL; if (!RUN_ONCE(®istry_init, do_registry_init)) { @@ -251,7 +251,7 @@ OSSL_STORE_LOADER *ossl_store_unregister_loader_int(const char *scheme) template.open = NULL; template.load = NULL; template.eof = NULL; - template.close = NULL; + template.closefn = NULL; if (!RUN_ONCE(®istry_init, do_registry_init)) { ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE); diff --git a/crypto/threads_pthread.c b/crypto/threads_pthread.c index 00a98f4c71..9f00d8be5e 100644 --- a/crypto/threads_pthread.c +++ b/crypto/threads_pthread.c @@ -57,10 +57,14 @@ CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void) * We don't use recursive mutexes, but try to catch errors if we do. */ pthread_mutexattr_init(&attr); -# if !defined(NDEBUG) && !defined(OPENSSL_NO_MUTEX_ERRORCHECK) +# if !defined (__TANDEM) && !defined (_SPT_MODEL_) +# if !defined(NDEBUG) && !defined(OPENSSL_NO_MUTEX_ERRORCHECK) pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK); -# else +# else pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_NORMAL); +# endif +# else + /* The SPT Thread Library does not define MUTEX attributes. */ # endif if (pthread_mutex_init(lock, &attr) != 0) { From pauli at openssl.org Fri Jul 2 03:21:08 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Fri, 02 Jul 2021 03:21:08 +0000 Subject: [openssl] master update Message-ID: <1625196068.457649.7458.nullmailer@dev.openssl.org> The branch master has been updated via 6a74852907983112da9fbfd98a7b83cbdb682b3c (commit) from 6870c1e7b79043a9a85b70de7b2b29276aff235c (commit) - Log ----------------------------------------------------------------- commit 6a74852907983112da9fbfd98a7b83cbdb682b3c Author: Paul Kehrer Date: Thu Jul 1 08:24:49 2021 -0500 update pyca-cryptography regression test suite Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15962) ----------------------------------------------------------------------- Summary of changes: pyca-cryptography | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyca-cryptography b/pyca-cryptography index 62124e673a..0034926f2c 160000 --- a/pyca-cryptography +++ b/pyca-cryptography @@ -1 +1 @@ -Subproject commit 62124e673aa3b37a1b3652bfed7bdcb9ac8d33a2 +Subproject commit 0034926f2cca02258f50e9faccb90ec344790159 From pauli at openssl.org Fri Jul 2 04:03:25 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Fri, 02 Jul 2021 04:03:25 +0000 Subject: [openssl] master update Message-ID: <1625198605.939657.727.nullmailer@dev.openssl.org> The branch master has been updated via 92d7120c60cea7c9e0219921c2cc2320346218b2 (commit) from 6a74852907983112da9fbfd98a7b83cbdb682b3c (commit) - Log ----------------------------------------------------------------- commit 92d7120c60cea7c9e0219921c2cc2320346218b2 Author: Shane Lontis Date: Thu Jul 1 12:01:22 2021 +1000 Fix compile errors when building with --api=1.1.0 no-deprecated. Fixes #15963 INSTALL.md uses these exact options as an example so it should work. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15965) ----------------------------------------------------------------------- Summary of changes: crypto/bn/build.info | 5 ++++- test/pem_read_depr_test.c | 3 +++ test/sslapitest.c | 1 + 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/crypto/bn/build.info b/crypto/bn/build.info index c3c71884e5..40d7db9f50 100644 --- a/crypto/bn/build.info +++ b/crypto/bn/build.info @@ -108,8 +108,11 @@ $COMMON=bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \ bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c SOURCE[../../libcrypto]=$COMMON $BNASM bn_print.c bn_err.c bn_srp.c DEFINE[../../libcrypto]=$BNDEF +IF[{- !$disabled{'deprecated-0.9.8'} -}] + SOURCE[../../libcrypto]=bn_depr.c +ENDIF IF[{- !$disabled{'deprecated-3.0'} -}] - SOURCE[../../libcrypto]=bn_depr.c bn_x931p.c + SOURCE[../../libcrypto]=bn_x931p.c ENDIF SOURCE[../../providers/libfips.a]=$COMMON $BNASM DEFINE[../../providers/libfips.a]=$BNDEF diff --git a/test/pem_read_depr_test.c b/test/pem_read_depr_test.c index 7ef7f30be6..b6a518873a 100644 --- a/test/pem_read_depr_test.c +++ b/test/pem_read_depr_test.c @@ -15,6 +15,9 @@ #include #include +#include +#include +#include #include "testutil.h" diff --git a/test/sslapitest.c b/test/sslapitest.c index bbb1cf91f4..1b3db55d6b 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -32,6 +32,7 @@ #include #include #include +#include #include "helpers/ssltestlib.h" #include "testutil.h" From scan-admin at coverity.com Fri Jul 2 07:51:23 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Fri, 02 Jul 2021 07:51:23 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60dec57b4e866_2b02542ae0b9ffd9981042a@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3Drohe_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeEPPagDnczf-2Fdhg-2Be8jYKcLc-2Fz4xldtzGYeahGUelO6A5eByst9CeCAcXeai8kK6AteAznLzx-2F3PyOHGc2H5IwsfWoP4-2FQs6kwFaWNQmnXHU-2F2NDf-2B-2BSE-2BFOid7zYxAY45JpBiLAm6q0hp2Em8p5rak002rZMXPtasDExkBKi-2FV3UMkIRmXiwHzsOD7dvEh9g8-3D Build ID: 394934 Analysis Summary: New defects found: 1 Defects eliminated: 10 If you have difficulty understanding any defects, email us at scan-admin at coverity.com, or post your question to StackOverflow at https://u15810271.ct.sendgrid.net/ls/click?upn=CTPegkVN6peWFCMEieYYmPWIi1E4yUS9EoqKFcNAiqhRq8qmgeBE-2Bdt3uvFRAFXd-2FlwX83-2FVVdybfzIMOby0qA-3D-3D2CO0_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeEPPagDnczf-2Fdhg-2Be8jYKcLc-2Fz4xldtzGYeahGUelO6A3KXXnTwb3M9AdLPEM9niYxpZagkVfBSYb3BB2RZOs2mYKc9tK252JbrHleE8chI6gsPo1gq4h-2FY5iHNktk9RvG2ZImmf1JRKkAZaYXjLxBwQIGWf7tVmf3kSHUJkKfVJj39AipzcHMtJ4SfCE7gp5A-3D From scan-admin at coverity.com Fri Jul 2 07:59:21 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Fri, 02 Jul 2021 07:59:21 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60dec758edcc3_2b06722ae0b9ffd99810450@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DHPET_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHhNnNNu0953h-2F7tIE3dkDlbnAi6god3lzvkSgwOQ-2BUcaDpcZqLeKaCGfNjXWuURbMT1SA3TuT2QHiG9O8qGLZueo8nEKDvHLxH91hfpevxgHTXptG2MToNayuNym3sDI1nXHxueJ5iAQ8tUY9R6jVZ38I0BwHUc-2B6Yk0iPzBo1fDfQlrjwXiRzMFX788lkTNs-3D Build ID: 394935 Analysis Summary: New defects found: 0 Defects eliminated: 0 From tomas at openssl.org Fri Jul 2 13:34:34 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 02 Jul 2021 13:34:34 +0000 Subject: [openssl] master update Message-ID: <1625232874.563679.23833.nullmailer@dev.openssl.org> The branch master has been updated via 5cffc49f7213c718ebcc2c1236cdd8c2fae7fb28 (commit) via d82d1d11d4dafc97875969329a5100242441744d (commit) via e58087842cf74164809977872eb2f7a62490d8dd (commit) via bb8a24503c309e353fb25f341de3ed27f7003f77 (commit) via 66a7c9f34b46edd462d647ae2febe8276bb9b4f7 (commit) via fbbd425336144455f4a976acd7b890352ef7ed38 (commit) from 92d7120c60cea7c9e0219921c2cc2320346218b2 (commit) - Log ----------------------------------------------------------------- commit 5cffc49f7213c718ebcc2c1236cdd8c2fae7fb28 Author: Tomas Mraz Date: Wed Jun 30 18:02:24 2021 +0200 PEM_read_...: document that garbage and other PEM data is skipped Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15949) commit d82d1d11d4dafc97875969329a5100242441744d Author: Tomas Mraz Date: Wed Jun 30 16:11:17 2021 +0200 load_key_certs_crls: Avoid reporting any spurious errors When there is other PEM data in between certs the OSSL_STORE_load returns NULL and reports error. Avoid printing that error unless there was nothing read at all. Fixes #15945 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15949) commit e58087842cf74164809977872eb2f7a62490d8dd Author: Tomas Mraz Date: Tue Jun 29 17:18:34 2021 +0200 test_pem_reading: Test loading a key from a file with multiple PEM data Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15949) commit bb8a24503c309e353fb25f341de3ed27f7003f77 Author: Tomas Mraz Date: Tue Jun 29 16:44:00 2021 +0200 load_pkey_pem: Check for spurious errors when loading Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15949) commit 66a7c9f34b46edd462d647ae2febe8276bb9b4f7 Author: Tomas Mraz Date: Tue Jun 29 16:24:59 2021 +0200 pem_read_bio_key: Add passphrase caching to avoid asking for password twice Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15949) commit fbbd425336144455f4a976acd7b890352ef7ed38 Author: Tomas Mraz Date: Tue Jun 29 15:46:25 2021 +0200 pem_read_bio_key_decoder: Avoid spurious error on unknown PEM data Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15949) ----------------------------------------------------------------------- Summary of changes: apps/lib/apps.c | 12 ++--- crypto/pem/pem_pkey.c | 38 ++++++++++++--- doc/man3/PEM_read_bio_PrivateKey.pod | 4 ++ test/certs/cert-key-cert.pem | 90 ++++++++++++++++++++++++++++++++++++ test/pemtest.c | 16 +++++++ test/recipes/04-test_pem_reading.t | 24 ++++++---- test/recipes/80-test_pkcs12.t | 23 ++++++++- test/testutil/load.c | 14 ++++-- 8 files changed, 193 insertions(+), 28 deletions(-) create mode 100644 test/certs/cert-key-cert.pem diff --git a/apps/lib/apps.c b/apps/lib/apps.c index dfbc3ec522..a767023197 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -871,9 +871,6 @@ int load_key_certs_crls_suppress(const char *uri, int format, int maybe_stdin, OSSL_PARAM itp[2]; const OSSL_PARAM *params = NULL; - if (suppress_decode_errors) - ERR_set_mark(); - if (ppkey != NULL) { *ppkey = NULL; cnt_expectations++; @@ -971,10 +968,6 @@ int load_key_certs_crls_suppress(const char *uri, int format, int maybe_stdin, * certificate in it. We just retry until eof. */ if (info == NULL) { - if (OSSL_STORE_error(ctx)) { - ERR_print_errors(bio_err); - ERR_clear_error(); - } continue; } @@ -1078,8 +1071,9 @@ int load_key_certs_crls_suppress(const char *uri, int format, int maybe_stdin, BIO_printf(bio_err, "\n"); ERR_print_errors(bio_err); } - if (suppress_decode_errors) - ERR_pop_to_mark(); + if (suppress_decode_errors || failed == NULL) + /* clear any spurious errors */ + ERR_clear_error(); return failed == NULL; } diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c index ca6b2a2132..f9346486dd 100644 --- a/crypto/pem/pem_pkey.c +++ b/crypto/pem/pem_pkey.c @@ -11,7 +11,6 @@ #define OPENSSL_SUPPRESS_DEPRECATED #include -#include "internal/cryptlib.h" #include #include #include @@ -22,6 +21,8 @@ #include #include #include +#include "internal/cryptlib.h" +#include "internal/passphrase.h" #include "crypto/asn1.h" #include "crypto/x509.h" #include "crypto/evp.h" @@ -55,11 +56,24 @@ static EVP_PKEY *pem_read_bio_key_decoder(BIO *bp, EVP_PKEY **x, if (!OSSL_DECODER_CTX_set_pem_password_cb(dctx, cb, u)) goto err; + ERR_set_mark(); while (!OSSL_DECODER_from_bio(dctx, bp) || pkey == NULL) - if (BIO_eof(bp) != 0 || (newpos = BIO_tell(bp)) < 0 || newpos <= pos) + if (BIO_eof(bp) != 0 || (newpos = BIO_tell(bp)) < 0 || newpos <= pos) { + ERR_clear_last_mark(); goto err; - else + } else { + if (ERR_GET_REASON(ERR_peek_error()) == ERR_R_UNSUPPORTED) { + /* unsupported PEM data, try again */ + ERR_pop_to_mark(); + ERR_set_mark(); + } else { + /* other error, bail out */ + ERR_clear_last_mark(); + goto err; + } pos = newpos; + } + ERR_pop_to_mark(); if (!evp_keymgmt_util_has(pkey, selection)) { EVP_PKEY_free(pkey); @@ -195,9 +209,10 @@ static EVP_PKEY *pem_read_bio_key(BIO *bp, EVP_PKEY **x, const char *propq, int selection) { - EVP_PKEY *ret; + EVP_PKEY *ret = NULL; BIO *new_bio = NULL; int pos; + struct ossl_passphrase_data_st pwdata = { 0 }; if ((pos = BIO_tell(bp)) < 0) { new_bio = BIO_new(BIO_f_readbuffer()); @@ -207,17 +222,28 @@ static EVP_PKEY *pem_read_bio_key(BIO *bp, EVP_PKEY **x, pos = BIO_tell(bp); } + if (cb == NULL) + cb = PEM_def_callback; + + if (!ossl_pw_set_pem_password_cb(&pwdata, cb, u) + || !ossl_pw_enable_passphrase_caching(&pwdata)) + goto err; + ERR_set_mark(); - ret = pem_read_bio_key_decoder(bp, x, cb, u, libctx, propq, selection); + ret = pem_read_bio_key_decoder(bp, x, ossl_pw_pem_password, &pwdata, + libctx, propq, selection); if (ret == NULL && (BIO_seek(bp, pos) < 0 - || (ret = pem_read_bio_key_legacy(bp, x, cb, u, + || (ret = pem_read_bio_key_legacy(bp, x, + ossl_pw_pem_password, &pwdata, libctx, propq, selection)) == NULL)) ERR_clear_last_mark(); else ERR_pop_to_mark(); + err: + ossl_pw_clear_passphrase_data(&pwdata); if (new_bio != NULL) { BIO_pop(new_bio); BIO_free(new_bio); diff --git a/doc/man3/PEM_read_bio_PrivateKey.pod b/doc/man3/PEM_read_bio_PrivateKey.pod index 9df61892fd..4ed1b8c703 100644 --- a/doc/man3/PEM_read_bio_PrivateKey.pod +++ b/doc/man3/PEM_read_bio_PrivateKey.pod @@ -358,6 +358,10 @@ will be used. =head1 NOTES +The PEM reading functions will skip any extraneous content or PEM data of +a different type than they expect. This allows for example having a certificate +(or multiple certificates) and a key in the PEM format in a single file. + The old B write routines are retained for compatibility. New applications should write private keys using the PEM_write_bio_PKCS8PrivateKey() or PEM_write_PKCS8PrivateKey() routines diff --git a/test/certs/cert-key-cert.pem b/test/certs/cert-key-cert.pem new file mode 100644 index 0000000000..bf6fd9c34b --- /dev/null +++ b/test/certs/cert-key-cert.pem @@ -0,0 +1,90 @@ +Some garbage at the beginning +-----BEGIN CERTIFICATE----- +MIIEzDCCA7QCCQCgxkRox+YljjANBgkqhkiG9w0BAQsFADCCASYxYzBhBgNVBAgM +WlRoZSBHcmVhdCBTdGF0ZSBvZiBMb25nLVdpbmRlZCBDZXJ0aWZpY2F0ZSBGaWVs +ZCBOYW1lcyBXaGVyZWJ5IHRvIEluY3JlYXNlIHRoZSBPdXRwdXQgU2l6ZTEfMB0G +A1UEBwwWVG9vbWFueWNoYXJhY3RlcnN2aWxsZTFIMEYGA1UECgw/VGhlIEJlbmV2 +b2xlbnQgU29jaWV0eSBvZiBMb3F1YWNpb3VzIGFuZCBQbGVvbmFzdGljIFBlcmlw +aHJhc2lzMT0wOwYDVQQLDDRFbmRvcnNlbWVudCBvZiBWb3VjaHNhZmUnZCBFdmlk +ZW50aWFyeSBDZXJ0aWZpY2F0aW9uMRUwEwYDVQQDDAxjZXJ0LmV4YW1wbGUwHhcN +MTcwMjIzMjAyNTM2WhcNMTcwMzI1MjAyNTM2WjCCASYxYzBhBgNVBAgMWlRoZSBH +cmVhdCBTdGF0ZSBvZiBMb25nLVdpbmRlZCBDZXJ0aWZpY2F0ZSBGaWVsZCBOYW1l +cyBXaGVyZWJ5IHRvIEluY3JlYXNlIHRoZSBPdXRwdXQgU2l6ZTEfMB0GA1UEBwwW +VG9vbWFueWNoYXJhY3RlcnN2aWxsZTFIMEYGA1UECgw/VGhlIEJlbmV2b2xlbnQg +U29jaWV0eSBvZiBMb3F1YWNpb3VzIGFuZCBQbGVvbmFzdGljIFBlcmlwaHJhc2lz +MT0wOwYDVQQLDDRFbmRvcnNlbWVudCBvZiBWb3VjaHNhZmUnZCBFdmlkZW50aWFy +eSBDZXJ0aWZpY2F0aW9uMRUwEwYDVQQDDAxjZXJ0LmV4YW1wbGUwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7MOIrqH+ZIJiZdroKMrelKMSvvRKg2MEg +j/sx9TaHHqrKys4AiL4Rq/ybQEigFC6G8mpZWbBrU+vN2SLr1ZsPftCHIY12LF56 +0WLYTYNqDgF5BdCZCrjJ2hhN+XwML2tgYdWioV/Eey8SJSqUskf03MpcwnLbVfSp +hwmowqNfiEFFqPBCf7E8IVarGWctbMpvlMbAM5owhMev/Ccmqqt81NFkb1WVejvN +5v/JKv243/Xedf4I7ZJv7zKeswoP9piFzWHXCd9SIVzWqF77u/crHufIhoEa7NkZ +hSC2aosQF619iKnfk0nqWaLDJ182CCXkHERoQC7q9X2IGLDLoA0XAgMBAAEwDQYJ +KoZIhvcNAQELBQADggEBAKbtLx+YlCGRCBmYn3dfYF+BIvK/b/e0DKNhDKhb4s9J +ywlJ4qnAB48tgPx0q+ZB+EdMYRqCwyvXJxEdZ7PsCdUeU6xI2ybkhSdUUfQbYem3 +aYRG+yukGzazySQJs8lGqxBlRMFl/FGCg+oSQ/I32eGf8micDskj2zkAJtCkUPHX +30YrWMfOwW1r2xYr2mBNXbNWXJhW/sIg5u8aa9fcALeuQcMXkbsbVoPmC5aLdiVZ +rvUFoJ8DPg0aYYwj64RwU0B5HW/7jKhQ25FgKVAzLGrgYx1DivkM7UQGdWYnU8IA +A8S89gRjGk2hnkeagWas3dxqTTpgJDhprgWzyKa9hII= +-----END CERTIFICATE----- +Some garbage in the middle +And more +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7MOIrqH+ZIJiZ +droKMrelKMSvvRKg2MEgj/sx9TaHHqrKys4AiL4Rq/ybQEigFC6G8mpZWbBrU+vN +2SLr1ZsPftCHIY12LF560WLYTYNqDgF5BdCZCrjJ2hhN+XwML2tgYdWioV/Eey8S +JSqUskf03MpcwnLbVfSphwmowqNfiEFFqPBCf7E8IVarGWctbMpvlMbAM5owhMev +/Ccmqqt81NFkb1WVejvN5v/JKv243/Xedf4I7ZJv7zKeswoP9piFzWHXCd9SIVzW +qF77u/crHufIhoEa7NkZhSC2aosQF619iKnfk0nqWaLDJ182CCXkHERoQC7q9X2I +GLDLoA0XAgMBAAECggEAcEBMIGoWuji1ybFMtrjbL4tXBxuWhCX3ChPNSpQFctmN +Cba7+c4GTIqaHG9cHcJ8dCgCZjpGdNYKXZKMQmgBaDVfzujr76WDsprFb3hsCbkE +YRJ/mIa5cTH7ySaGoLf+5/lDJxcmWqiT/YmUEz8lr0yHfUCNp8HPyalUvYKafbos +5BiXs8lr4XQ/vxL0CtVQx+5T8pmgU6CmP1jjgBqV4Y9RPewSmPNhxKAqm82JYMND +9evNHNpZmDpwTMygwwL0oJ0DV0nq0uqzuk1ORcp7YIph7IFGcdi4n7Y4Y2U6B8Ok +ITY684qpcXgy+qO1A8AwDEJ34wiIWb8Mi8S84KdTIQKBgQDhHmCdpWKzwLETlHQR +V9wT3ulySmxG0t8kSgNOFRVUZNXQ0ij2v8rOJ7R0QzJ+kCqvdxJ5QHNlUFKkOFMA +SnSy098iEz5skwRhHof7ZNa3U6oRRSauUcZcThWL+z14nhTIC1m99KpACV6fl3jj +MVEYYpG6n7jZ0wKUGMStxT1q9QKBgQDU3pOgNLnFasMIujvXI3ARSK6xIpkBTq89 +n6pmn9XeMWs/H6wQRO5wpUXbg+/3/d4tnezrDG9Lg5aPV8ca/zJ7IP8iNyLnhiUY +c9O6hKAW1fxddt9megzBDvsBgRzhytnv3OSpM+idgtsJ7Tvkevmt4K5j6gitpJpb +1A1erknoWwKBgCM5zKZ+bZ5xBYRp02uvUtmtJNxkduLyNkaIalH6jJbjHG4LpKtP +wZ1Wqy8SIMGbL4K7YCGnCyeMVRIrWhmOjQo6iwza9AarTqEf1OlqkwqmxdLj/jSC +yUZCVa7MxoasPdY7qHRH56gTj0HrwtfSLL1jFyibu6IiGaIw6f3DAmRNAoGAL2sx +iYOVSnPg5GXQBLnBMih1ucHSQadMhDa4F8pNMwThNhuREcK5NuCqMh8u6phj0NeY +Ojf35uN2O5I7KTll/mW4T9/mZ5rLUqoipS78FnoukId1dneDtdHnektPqsCsUbFs +QoDstYG713dAW0JFskUVs+4jZsL/G6ueGtRKZHcCgYEA27sBEJtHGLAgEUGSlwSA +acmaIlKpF3EMImgWhlzRN3JC7+z8HJAhoHTxQUdnWfJt2Xl4Z+WmXvv+E7U9ofH7 +kH8fbLcaxwvylPm4hAMlhtL3EqnRDSL4hfZHBrqqf3C0Kv+C8naNxzeCNG6iHxcp +3c7vY4BXTz0dGBGHml6qu5Y= +-----END PRIVATE KEY----- +More garbage in the middle +And more +-----BEGIN CERTIFICATE----- +MIIEzDCCA7QCCQCgxkRox+YljjANBgkqhkiG9w0BAQsFADCCASYxYzBhBgNVBAgM +WlRoZSBHcmVhdCBTdGF0ZSBvZiBMb25nLVdpbmRlZCBDZXJ0aWZpY2F0ZSBGaWVs +ZCBOYW1lcyBXaGVyZWJ5IHRvIEluY3JlYXNlIHRoZSBPdXRwdXQgU2l6ZTEfMB0G +A1UEBwwWVG9vbWFueWNoYXJhY3RlcnN2aWxsZTFIMEYGA1UECgw/VGhlIEJlbmV2 +b2xlbnQgU29jaWV0eSBvZiBMb3F1YWNpb3VzIGFuZCBQbGVvbmFzdGljIFBlcmlw +aHJhc2lzMT0wOwYDVQQLDDRFbmRvcnNlbWVudCBvZiBWb3VjaHNhZmUnZCBFdmlk +ZW50aWFyeSBDZXJ0aWZpY2F0aW9uMRUwEwYDVQQDDAxjZXJ0LmV4YW1wbGUwHhcN +MTcwMjIzMjAyNTM2WhcNMTcwMzI1MjAyNTM2WjCCASYxYzBhBgNVBAgMWlRoZSBH +cmVhdCBTdGF0ZSBvZiBMb25nLVdpbmRlZCBDZXJ0aWZpY2F0ZSBGaWVsZCBOYW1l +cyBXaGVyZWJ5IHRvIEluY3JlYXNlIHRoZSBPdXRwdXQgU2l6ZTEfMB0GA1UEBwwW +VG9vbWFueWNoYXJhY3RlcnN2aWxsZTFIMEYGA1UECgw/VGhlIEJlbmV2b2xlbnQg +U29jaWV0eSBvZiBMb3F1YWNpb3VzIGFuZCBQbGVvbmFzdGljIFBlcmlwaHJhc2lz +MT0wOwYDVQQLDDRFbmRvcnNlbWVudCBvZiBWb3VjaHNhZmUnZCBFdmlkZW50aWFy +eSBDZXJ0aWZpY2F0aW9uMRUwEwYDVQQDDAxjZXJ0LmV4YW1wbGUwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7MOIrqH+ZIJiZdroKMrelKMSvvRKg2MEg +j/sx9TaHHqrKys4AiL4Rq/ybQEigFC6G8mpZWbBrU+vN2SLr1ZsPftCHIY12LF56 +0WLYTYNqDgF5BdCZCrjJ2hhN+XwML2tgYdWioV/Eey8SJSqUskf03MpcwnLbVfSp +hwmowqNfiEFFqPBCf7E8IVarGWctbMpvlMbAM5owhMev/Ccmqqt81NFkb1WVejvN +5v/JKv243/Xedf4I7ZJv7zKeswoP9piFzWHXCd9SIVzWqF77u/crHufIhoEa7NkZ +hSC2aosQF619iKnfk0nqWaLDJ182CCXkHERoQC7q9X2IGLDLoA0XAgMBAAEwDQYJ +KoZIhvcNAQELBQADggEBAKbtLx+YlCGRCBmYn3dfYF+BIvK/b/e0DKNhDKhb4s9J +ywlJ4qnAB48tgPx0q+ZB+EdMYRqCwyvXJxEdZ7PsCdUeU6xI2ybkhSdUUfQbYem3 +aYRG+yukGzazySQJs8lGqxBlRMFl/FGCg+oSQ/I32eGf8micDskj2zkAJtCkUPHX +30YrWMfOwW1r2xYr2mBNXbNWXJhW/sIg5u8aa9fcALeuQcMXkbsbVoPmC5aLdiVZ +rvUFoJ8DPg0aYYwj64RwU0B5HW/7jKhQ25FgKVAzLGrgYx1DivkM7UQGdWYnU8IA +A8S89gRjGk2hnkeagWas3dxqTTpgJDhprgWzyKa9hII= +-----END CERTIFICATE----- +Some garbage at the end diff --git a/test/pemtest.c b/test/pemtest.c index 8c9e04297a..444603f253 100644 --- a/test/pemtest.c +++ b/test/pemtest.c @@ -28,6 +28,8 @@ static TESTDATA b64_pem_data[] = { static const char *pemtype = "PEMTESTDATA"; +static char *pemfile; + static int test_b64(int idx) { BIO *b = BIO_new(BIO_s_mem()); @@ -83,9 +85,23 @@ static int test_invalid(void) return 1; } +static int test_cert_key_cert(void) +{ + EVP_PKEY *key; + + if (!TEST_ptr(key = load_pkey_pem(pemfile, NULL))) + return 0; + + EVP_PKEY_free(key); + return 1; +} + int setup_tests(void) { + if (!TEST_ptr(pemfile = test_get_argument(0))) + return 0; ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data)); ADD_TEST(test_invalid); + ADD_TEST(test_cert_key_cert); return 1; } diff --git a/test/recipes/04-test_pem_reading.t b/test/recipes/04-test_pem_reading.t index f69121cd37..9698289a8b 100644 --- a/test/recipes/04-test_pem_reading.t +++ b/test/recipes/04-test_pem_reading.t @@ -80,7 +80,7 @@ my %dsa_expected = ( "dsa.pem" => 1 ); -plan tests => scalar keys(%cert_expected) + scalar keys(%dsa_expected) + 2; +plan tests => scalar keys(%cert_expected) + scalar keys(%dsa_expected) + 4; foreach my $input (keys %cert_expected) { my @common = ($cmd, "x509", "-text", "-noout", "-inform", "PEM", "-in"); @@ -101,12 +101,18 @@ SKIP: { is((scalar @match > 0 ? 1 : 0), $dsa_expected{$input}); } } -SKIP: { - skip "RSA support disabled, skipping...", 1 unless !disabled("rsa"); - my @common = ($cmd, "pkey", "-inform", "PEM", "-noout", "-text", "-in"); - my @data = run(app([@common, data_file("beermug.pem")], stderr => undef), capture => 1); - my @match = grep /00:a0:3a:21:14:5d:cd:b6:d5:a0:3e:49:23:c1:3a:/, @data; - ok(scalar @match > 0 ? 1 : 0); -} -ok(run(test(["pemtest"])), "running pemtest"); +my @common = ($cmd, "pkey", "-inform", "PEM", "-noout", "-text", "-in"); +my @data = run(app([@common, data_file("beermug.pem")], stderr => undef), capture => 1); +my @match = grep /00:a0:3a:21:14:5d:cd:b6:d5:a0:3e:49:23:c1:3a:/, @data; +ok(scalar @match > 0 ? 1 : 0); +my $certkeycert = srctop_file("test", "certs", "cert-key-cert.pem"); + at data = run(app([@common, $certkeycert], stderr => "outerr.txt"), capture => 1); +open DATA, "outerr.txt"; + at match = grep /:error:/, ; +close DATA; +ok(scalar @match > 0 ? 0 : 1); + at match = grep /70:40:4c:20:6a:16:ba:38:b5:c9:b1:4c:b6:b8:db:/, @data; +ok(scalar @match > 0 ? 1 : 0); + +ok(run(test(["pemtest", $certkeycert])), "running pemtest"); diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t index c85437f1a8..52c70cb0f7 100644 --- a/test/recipes/80-test_pkcs12.t +++ b/test/recipes/80-test_pkcs12.t @@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) { } $ENV{OPENSSL_WIN32_UTF8}=1; -plan tests => 7; +plan tests => 10; # Test different PKCS#12 formats ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats"); @@ -78,6 +78,7 @@ my @path = qw(test certs); my $outfile1 = "out1.p12"; my $outfile2 = "out2.p12"; my $outfile3 = "out3.p12"; +my $outfile4 = "out4.p12"; # Test the -chain option with -untrusted ok(run(app(["openssl", "pkcs12", "-export", "-chain", @@ -113,4 +114,24 @@ SKIP: { "test_pkcs12_passcerts_legacy"); } +# Test export of PEM file with both cert and key +# -nomac necessary to avoid legacy provider requirement +ok(run(app(["openssl", "pkcs12", "-export", + "-inkey", srctop_file(@path, "cert-key-cert.pem"), + "-in", srctop_file(@path, "cert-key-cert.pem"), + "-passout", "pass:v3-certs", + "-nomac", "-out", $outfile4], stderr => "outerr.txt")), + "test_export_pkcs12_cert_key_cert"); +open DATA, "outerr.txt"; +my @match = grep /:error:/, ; +close DATA; +ok(scalar @match > 0 ? 0 : 1, "test_export_pkcs12_outerr_empty"); + +ok(run(app(["openssl", "pkcs12", + "-in", $outfile4, + "-passin", "pass:v3-certs", + "-nomacver", "-nodes"])), + "test_import_pkcs12_cert_key_cert"); + + SetConsoleOutputCP($savedcp) if (defined($savedcp)); diff --git a/test/testutil/load.c b/test/testutil/load.c index be30d7e053..d776a7f167 100644 --- a/test/testutil/load.c +++ b/test/testutil/load.c @@ -73,9 +73,17 @@ EVP_PKEY *load_pkey_pem(const char *file, OSSL_LIB_CTX *libctx) if (!TEST_ptr(file) || !TEST_ptr(bio = BIO_new(BIO_s_file()))) return NULL; - if (TEST_int_gt(BIO_read_filename(bio, file), 0)) - (void)TEST_ptr(key = PEM_read_bio_PrivateKey_ex(bio, NULL, NULL, NULL, - libctx, NULL)); + if (TEST_int_gt(BIO_read_filename(bio, file), 0)) { + unsigned long err = ERR_peek_error(); + + if (TEST_ptr(key = PEM_read_bio_PrivateKey_ex(bio, NULL, NULL, NULL, + libctx, NULL)) + && err != ERR_peek_error()) { + TEST_info("Spurious error from reading PEM"); + EVP_PKEY_free(key); + key = NULL; + } + } BIO_free(bio); return key; From tomas at openssl.org Fri Jul 2 14:17:22 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 02 Jul 2021 14:17:22 +0000 Subject: [openssl] master update Message-ID: <1625235442.504679.15674.nullmailer@dev.openssl.org> The branch master has been updated via 3a1d2b59522163ebb83bb68e13c896188dc222c6 (commit) from 5cffc49f7213c718ebcc2c1236cdd8c2fae7fb28 (commit) - Log ----------------------------------------------------------------- commit 3a1d2b59522163ebb83bb68e13c896188dc222c6 Author: Oliver Mihatsch Date: Mon Apr 12 16:46:16 2021 +0200 Fix memory leak in i2d_ASN1_bio_stream When creating a signed S/MIME message using SMIME_write_CMS() if the reading from the bio fails, the state is therefore still ASN1_STATE_START when BIO_flush() is called by i2d_ASN1_bio_stream(). This results in calling asn1_bio_flush_ex cleanup but will only reset retry flags as the state is not ASN1_STATE_POST_COPY. Therefore 48 bytes (Linux x86_64) leaked since the ndef_prefix_free / ndef_suffix_free callbacks are not executed and the ndef_aux structure is not freed. By always calling free function callback in asn1_bio_free() the memory leak is fixed. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14844) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/bio_asn1.c | 5 ++++ crypto/asn1/bio_ndef.c | 3 ++ test/bio_memleak_test.c | 74 +++++++++++++++++++++++++++++++++++++++++++++---- 3 files changed, 76 insertions(+), 6 deletions(-) diff --git a/crypto/asn1/bio_asn1.c b/crypto/asn1/bio_asn1.c index fa81b3a28a..f792c08806 100644 --- a/crypto/asn1/bio_asn1.c +++ b/crypto/asn1/bio_asn1.c @@ -138,6 +138,11 @@ static int asn1_bio_free(BIO *b) if (ctx == NULL) return 0; + if (ctx->prefix_free != NULL) + ctx->prefix_free(b, &ctx->ex_buf, &ctx->ex_len, &ctx->ex_arg); + if (ctx->suffix_free != NULL) + ctx->suffix_free(b, &ctx->ex_buf, &ctx->ex_len, &ctx->ex_arg); + OPENSSL_free(ctx->buf); OPENSSL_free(ctx); BIO_set_data(b, NULL); diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c index df462d741a..d94e3a3644 100644 --- a/crypto/asn1/bio_ndef.c +++ b/crypto/asn1/bio_ndef.c @@ -143,6 +143,9 @@ static int ndef_prefix_free(BIO *b, unsigned char **pbuf, int *plen, ndef_aux = *(NDEF_SUPPORT **)parg; + if (ndef_aux == NULL) + return 0; + OPENSSL_free(ndef_aux->derbuf); ndef_aux->derbuf = NULL; diff --git a/test/bio_memleak_test.c b/test/bio_memleak_test.c index cafc60e7b7..518e7dd982 100644 --- a/test/bio_memleak_test.c +++ b/test/bio_memleak_test.c @@ -35,7 +35,7 @@ static int test_bio_memleak(void) goto finish; ok = 1; -finish: + finish: BIO_free(bio); return ok; } @@ -62,7 +62,7 @@ static int test_bio_get_mem(void) goto finish; ok = 1; -finish: + finish: BIO_free(bio); BUF_MEM_free(bufmem); return ok; @@ -98,7 +98,7 @@ static int test_bio_new_mem_buf(void) goto finish; ok = 1; -finish: + finish: BIO_free(bio); return ok; } @@ -139,7 +139,7 @@ static int test_bio_rdonly_mem_buf(void) goto finish; ok = 1; -finish: + finish: BIO_free(bio); BIO_free(bio2); return ok; @@ -176,7 +176,7 @@ static int test_bio_rdwr_rdonly(void) ok = 1; -finish: + finish: BIO_free(bio); return ok; } @@ -216,11 +216,72 @@ static int test_bio_nonclear_rst(void) ok = 1; -finish: + finish: BIO_free(bio); return ok; } +static int error_callback_fired; +static long BIO_error_callback(BIO *bio, int cmd, const char *argp, + size_t len, int argi, + long argl, int ret, size_t *processed) +{ + if ((cmd & (BIO_CB_READ | BIO_CB_RETURN)) != 0) { + error_callback_fired = 1; + ret = 0; /* fail for read operations to simulate error in input BIO */ + } + return ret; +} + +/* Checks i2d_ASN1_bio_stream() is freeing all memory when input BIO ends unexpectedly. */ +static int test_bio_i2d_ASN1_mime(void) +{ + int ok = 0; + BIO *bio = NULL, *out = NULL; + BUF_MEM bufmem; + static const char str[] = "BIO mime test\n"; + PKCS7 *p7 = NULL; + + if (!TEST_ptr(bio = BIO_new(BIO_s_mem()))) + goto finish; + + bufmem.length = sizeof(str); + bufmem.data = (char *) str; + bufmem.max = bufmem.length; + BIO_set_mem_buf(bio, &bufmem, BIO_NOCLOSE); + BIO_set_flags(bio, BIO_FLAGS_MEM_RDONLY); + BIO_set_callback_ex(bio, BIO_error_callback); + + if (!TEST_ptr(out = BIO_new(BIO_s_mem()))) + goto finish; + if (!TEST_ptr(p7 = PKCS7_new())) + goto finish; + if (!TEST_true(PKCS7_set_type(p7, NID_pkcs7_data))) + goto finish; + + error_callback_fired = 0; + + /* + * The call succeeds even if the input stream ends unexpectedly as + * there is no handling for this case in SMIME_crlf_copy(). + */ + if (!TEST_true(i2d_ASN1_bio_stream(out, (ASN1_VALUE*) p7, bio, + SMIME_STREAM | SMIME_BINARY, + ASN1_ITEM_rptr(PKCS7)))) + goto finish; + + if (!TEST_int_eq(error_callback_fired, 1)) + goto finish; + + ok = 1; + + finish: + BIO_free(bio); + BIO_free(out); + PKCS7_free(p7); + return ok; +} + int setup_tests(void) { ADD_TEST(test_bio_memleak); @@ -229,5 +290,6 @@ int setup_tests(void) ADD_TEST(test_bio_rdonly_mem_buf); ADD_TEST(test_bio_rdwr_rdonly); ADD_TEST(test_bio_nonclear_rst); + ADD_TEST(test_bio_i2d_ASN1_mime); return 1; } From matt at openssl.org Fri Jul 2 16:57:46 2021 From: matt at openssl.org (Matt Caswell) Date: Fri, 02 Jul 2021 16:57:46 +0000 Subject: [openssl] master update Message-ID: <1625245066.698487.18251.nullmailer@dev.openssl.org> The branch master has been updated via 3c0d0eca3505aabe14024e3dd269dee3692ba1ce (commit) via 4616a61416e7ea860e871001879e735943434f00 (commit) via 53d0d01fd48867494be4c33faf0604cd58458c9d (commit) from 3a1d2b59522163ebb83bb68e13c896188dc222c6 (commit) - Log ----------------------------------------------------------------- commit 3c0d0eca3505aabe14024e3dd269dee3692ba1ce Author: Matt Caswell Date: Thu Jul 1 11:58:35 2021 +0100 Work around a 32-bit mingw failure Passing the return value from gmtime() directly to mktime() was producing incorrect results under windows (but not under wine) when built with mingw 32-bit (but not VC-WIN32). We implement a workaround for this. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15939) commit 4616a61416e7ea860e871001879e735943434f00 Author: Matt Caswell Date: Tue Jun 29 14:12:28 2021 +0100 Use TEST_time_t_* functions in cmp_hrd_test.c This gives better diagnostic output Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15939) commit 53d0d01fd48867494be4c33faf0604cd58458c9d Author: Matt Caswell Date: Fri Jun 25 16:05:20 2021 +0100 Avoid some MinGW test failures There were 4 classes of failure: - line ending problems; - unicode problems; - file path munging problems; and - a "hang" in test_cmp_http. The unicode problems appear to be somewhere between wine or msys - they don't actually appear to be a problem with the built binaries. We just skip those tests for now. Fixes #13558 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15939) ----------------------------------------------------------------------- Summary of changes: test/cmp_hdr_test.c | 20 +++++++++++++++----- test/recipes/01-test_symbol_presence.t | 1 + test/recipes/04-test_conf.t | 9 +++++++-- test/recipes/15-test_ecparam.t | 7 ++++++- test/recipes/25-test_eai_data.t | 8 ++++++-- test/recipes/25-test_req.t | 4 ++++ test/recipes/25-test_x509.t | 6 +++++- test/recipes/79-test_http.t | 1 + test/recipes/80-test_cmp_http.t | 2 +- test/recipes/81-test_cmp_cli.t | 4 ++++ test/recipes/90-test_store.t | 16 ++++++++-------- 11 files changed, 58 insertions(+), 20 deletions(-) diff --git a/test/cmp_hdr_test.c b/test/cmp_hdr_test.c index f4bc65bb9e..5a49299b42 100644 --- a/test/cmp_hdr_test.c +++ b/test/cmp_hdr_test.c @@ -161,22 +161,32 @@ static int test_HDR_set1_recipient(void) static int execute_HDR_update_messageTime_test(CMP_HDR_TEST_FIXTURE *fixture) { - struct tm hdrtm; + struct tm hdrtm, tmptm; time_t hdrtime, before, after, now; now = time(NULL); - before = mktime(gmtime(&now)); + /* + * Trial and error reveals that passing the return value from gmtime + * directly to mktime in a mingw 32 bit build gives unexpected results. To + * work around this we take a copy of the return value first. + */ + tmptm = *gmtime(&now); + before = mktime(&tmptm); + if (!TEST_true(ossl_cmp_hdr_update_messageTime(fixture->hdr))) return 0; if (!TEST_true(ASN1_TIME_to_tm(fixture->hdr->messageTime, &hdrtm))) return 0; hdrtime = mktime(&hdrtm); - if (!TEST_true(before <= hdrtime)) + + if (!TEST_time_t_le(before, hdrtime)) return 0; now = time(NULL); - after = mktime(gmtime(&now)); - return TEST_true(hdrtime <= after); + tmptm = *gmtime(&now); + after = mktime(&tmptm); + + return TEST_time_t_le(hdrtime, after); } static int test_HDR_update_messageTime(void) diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t index 6031c6ac68..4271ac32a3 100644 --- a/test/recipes/01-test_symbol_presence.t +++ b/test/recipes/01-test_symbol_presence.t @@ -23,6 +23,7 @@ use platform; plan skip_all => "Test is disabled on NonStop" if config('target') =~ m|^nonstop|; # MacOS arranges symbol names differently plan skip_all => "Test is disabled on MacOS" if config('target') =~ m|^darwin|; +plan skip_all => "Test is disabled on MinGW" if config('target') =~ m|^mingw|; plan skip_all => "Only useful when building shared libraries" if disabled("shared"); diff --git a/test/recipes/04-test_conf.t b/test/recipes/04-test_conf.t index 071233fe6f..cab0ec59dc 100644 --- a/test/recipes/04-test_conf.t +++ b/test/recipes/04-test_conf.t @@ -35,7 +35,12 @@ foreach (sort keys %input_result) { unless ok(run(test([ 'confdump', $input_path ], stdout => $result_path)), "dumping $_"); - is(compare_text($result_path, $expected_path), 0, - "comparing the dump of $_ with $input_result{$_}"); + is(compare_text($result_path, $expected_path, sub { + my $in1 = $_[0]; + my $in2 = $_[1]; + $in1 =~ s/\r\n/\n/g; + $in2 =~ s/\r\n/\n/g; + $in1 ne $in2}), 0, + "comparing the dump of $_ with $input_result{$_}"); } } diff --git a/test/recipes/15-test_ecparam.t b/test/recipes/15-test_ecparam.t index c741d5a32c..766524e8cf 100644 --- a/test/recipes/15-test_ecparam.t +++ b/test/recipes/15-test_ecparam.t @@ -50,7 +50,12 @@ sub checkcompare { my $testout = "$app.tst"; ok(run(app(['openssl', $app, '-out', $testout, '-in', $_]))); - ok(!compare_text($_, $testout), "Original file $_ is the same as new one"); + ok(!compare_text($_, $testout, sub { + my $in1 = $_[0]; + my $in2 = $_[1]; + $in1 =~ s/\r\n/\n/g; + $in2 =~ s/\r\n/\n/g; + $in1 ne $in2}), "Original file $_ is the same as new one"); } } diff --git a/test/recipes/25-test_eai_data.t b/test/recipes/25-test_eai_data.t index 44b85420a7..8aebf5d621 100644 --- a/test/recipes/25-test_eai_data.t +++ b/test/recipes/25-test_eai_data.t @@ -47,8 +47,12 @@ $out = outname(); ok(run(app(["openssl", "x509", "-ext", "subjectAltName", "-in", $utf8_pem, "-noout", "-out", $out]))); is(cmp_text($out, srctop_file($folder, "san.utf8")), 0, 'Comparing othername for IDN domain'); -ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", "??\@elementary.school.example.com", "-CAfile", $ascii_chain_pem, $ascii_pem]))); -ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", "??\@??.example.com", "-CAfile", $utf8_chain_pem, $utf8_pem]))); +SKIP: { + skip "Unicode tests disabled on MingW", 2 if $^O =~ /^msys$/; + + ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", "??\@elementary.school.example.com", "-CAfile", $ascii_chain_pem, $ascii_pem]))); + ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", "??\@??.example.com", "-CAfile", $utf8_chain_pem, $utf8_pem]))); +} ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $ascii_pem]))); ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem]))); diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t index 5f3598c71d..084d70bca5 100644 --- a/test/recipes/25-test_req.t +++ b/test/recipes/25-test_req.t @@ -31,6 +31,10 @@ if (disabled("rsa")) { note("There should not be more that at most 80 per line"); } +# Prevent MSys2 filename munging for arguments that look like file paths but +# aren't +$ENV{MSYS2_ARG_CONV_EXCL} = "/CN="; + # Check for duplicate -addext parameters, and one "working" case. my @addext_args = ( "openssl", "req", "-new", "-out", "testreq.pem", "-key", srctop_file("test", "certs", "ee-key.pem"), diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t index 7e8ce2408e..81bd8f6f6e 100644 --- a/test/recipes/25-test_x509.t +++ b/test/recipes/25-test_x509.t @@ -18,6 +18,10 @@ setup("test_x509"); plan tests => 18; +# Prevent MSys2 filename munging for arguments that look like file paths but +# aren't +$ENV{MSYS2_ARG_CONV_EXCL} = "/CN="; + require_ok(srctop_file("test", "recipes", "tconversion.pl")); my @certs = qw(test certs); @@ -40,7 +44,7 @@ is(cmp_text($out_utf8, $utf), SKIP: { skip "DES disabled", 1 if disabled("des"); - skip "VMS doesn't support command line UTF-8", 1 if $^O eq 'VMS'; + skip "Platform doesn't support command line UTF-8", 1 if $^O =~ /^(VMS|msys)$/; my $p12 = srctop_file("test", "shibboleth.pfx"); my $p12pass = "??????? ????????"; diff --git a/test/recipes/79-test_http.t b/test/recipes/79-test_http.t index 9f0904da6f..b3ac70fdeb 100644 --- a/test/recipes/79-test_http.t +++ b/test/recipes/79-test_http.t @@ -19,6 +19,7 @@ SKIP: { skip "OCSP disabled", 1 if disabled("ocsp"); my $cmd = [qw{openssl ocsp -index any -port 0}]; my @output = run(app($cmd), capture => 1); + $output[0] =~ s/\r\n/\n/g; ok($output[0] =~ /^ACCEPT (0.0.0.0|\[::\]):(\d+?) PID=(\d+)$/ && $2 >= 1024 && $3 > 0, "HTTP server auto-selects and reports local port >= 1024 and pid > 0"); diff --git a/test/recipes/80-test_cmp_http.t b/test/recipes/80-test_cmp_http.t index 68130a364a..7bd95337e8 100644 --- a/test/recipes/80-test_cmp_http.t +++ b/test/recipes/80-test_cmp_http.t @@ -32,7 +32,7 @@ plan skip_all => "These tests are not supported in a no-sock build" if disabled("sock"); plan skip_all => "Tests involving local HTTP server not available on Windows or VMS" - if $^O =~ /^(VMS|MSWin32)$/; + if $^O =~ /^(VMS|MSWin32|msys)$/; plan skip_all => "Tests involving local HTTP server not available in cross-compile builds" if defined $ENV{EXE_SHELL}; diff --git a/test/recipes/81-test_cmp_cli.t b/test/recipes/81-test_cmp_cli.t index 20ce738052..77a83c2bed 100644 --- a/test/recipes/81-test_cmp_cli.t +++ b/test/recipes/81-test_cmp_cli.t @@ -28,6 +28,10 @@ plan skip_all => "These tests are not supported in a fuzz build" plan skip_all => "These tests are not supported in a no-cmp build" if disabled("cmp"); +# Prevent MSys2 filename munging for arguments that look like file paths but +# aren't +$ENV{MSYS2_ARG_CONV_EXCL} = "/CN="; + my @app = qw(openssl cmp); my @cmp_basic_tests = ( diff --git a/test/recipes/90-test_store.t b/test/recipes/90-test_store.t index e9a33c91d9..835ad6191e 100644 --- a/test/recipes/90-test_store.t +++ b/test/recipes/90-test_store.t @@ -16,8 +16,6 @@ use OpenSSL::Test::Utils; my $test_name = "test_store"; setup($test_name); -my $mingw = config('target') =~ m|^mingw|; - my $use_md5 = !disabled("md5"); my $use_des = !(disabled("des") || disabled("legacy")); # also affects 3des and pkcs12 app my $use_dsa = !disabled("dsa"); @@ -112,8 +110,10 @@ my $n = scalar @methods + 3 + 11 ); +# Test doesn't work under msys because the file name munging doesn't work +# correctly with the "ot:" prefix my $do_test_ossltest_store = - !(disabled("engine") || disabled("dynamic-engine")); + !(disabled("engine") || disabled("dynamic-engine") || $^O =~ /^msys$/); if ($do_test_ossltest_store) { # test loading with apps 'org.openssl.engine:' loader, using the @@ -180,7 +180,7 @@ indir "store_$$" => sub { ok(run(app([@storeutl, "-noout", to_abs_file($file)]))); SKIP: { - skip "file: tests disabled on MingW", 4 if $mingw; + skip "file: tests disabled on MingW", 4 if $^O =~ /^msys$/; ok(run(app([@storeutl, "-noout", to_abs_file_uri($file)]))); @@ -200,7 +200,7 @@ indir "store_$$" => sub { SKIP: { - skip "file: tests disabled on MingW", 2 if $mingw; + skip "file: tests disabled on MingW", 2 if $^O =~ /^msys$/; ok(run(app([@storeutl, "-noout", "-passin", "pass:password", to_abs_file_uri($_)]))); @@ -211,7 +211,7 @@ indir "store_$$" => sub { foreach (values %generated_file_files) { SKIP: { - skip "file: tests disabled on MingW", 1 if $mingw; + skip "file: tests disabled on MingW", 1 if $^O =~ /^msys$/; ok(run(app([@storeutl, "-noout", $_]))); } @@ -219,7 +219,7 @@ indir "store_$$" => sub { foreach (@noexist_file_files) { SKIP: { - skip "file: tests disabled on MingW", 1 if $mingw; + skip "file: tests disabled on MingW", 1 if $^O =~ /^msys$/; ok(!run(app([@storeutl, "-noout", $_]))); } @@ -231,7 +231,7 @@ indir "store_$$" => sub { ok(run(app([@storeutl, "-noout", to_abs_file($dir, 1)]))); SKIP: { - skip "file: tests disabled on MingW", 1 if $mingw; + skip "file: tests disabled on MingW", 1 if $^O =~ /^msys$/; ok(run(app([@storeutl, "-noout", to_abs_file_uri($dir, 1)]))); From scan-admin at coverity.com Sat Jul 3 07:50:33 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sat, 03 Jul 2021 07:50:33 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60e016c876fd6_2cd1b42ad3447959a4237a2@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DbTwo_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHqo5LIKxaafnVCOoAvk1Nbe4RpQfbR0HHIAEgumH-2FW-2BgQLQG4ZFbOg-2BFwxQgJDzINyki4wDMV-2FGaPjsh9dUurvhjt0gl1VGwbuZ9kXdKcO-2FRAzbwXzENaZ39tJMSbXkKyT2cYVHQmehRxfykHgq8m2adqpZ81oH6bWpyAQnmWU32i5gvkKRptis0sVaDhW0y0-3D Build ID: 395094 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Sat Jul 3 07:52:20 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sat, 03 Jul 2021 07:52:20 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60e017334e138_2cd2422ad3447959a4237b0@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3Da8YK_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHcdVCef6eP7zd4fpIPe522h8Qd6lnye-2BdeJyaBrqs-2BQ3PCD4ZKNXxIvjrCxj-2BN6J1eID-2FUtRELFLnhI-2BETjPoBI07aFxlEg4vcPScrMxLmChT-2Bd7RNnVXZa8oT4wGs6pJtBnoiDuGa-2FKYxopbsF-2FMqpNnfEMUcVkko52x8GVrB6ozL-2FAepRtxi0LoBAT30dp0-3D Build ID: 395095 Analysis Summary: New defects found: 0 Defects eliminated: 0 From levitte at openssl.org Sat Jul 3 17:42:09 2021 From: levitte at openssl.org (Richard Levitte) Date: Sat, 03 Jul 2021 17:42:09 +0000 Subject: [openssl] master update Message-ID: <1625334129.218409.30880.nullmailer@dev.openssl.org> The branch master has been updated via a9fa32c2a082dc91fc2c2255c2ccef7dce0e9ee4 (commit) from 3c0d0eca3505aabe14024e3dd269dee3692ba1ce (commit) - Log ----------------------------------------------------------------- commit a9fa32c2a082dc91fc2c2255c2ccef7dce0e9ee4 Author: Richard Levitte Date: Fri Jul 2 12:13:47 2021 +0200 TEST: Add testing of PVK and MSBLOB files to test_store The PVK and MSBLOB files were generated using openssl 1.1.1, using test/testrsa.pem as source: openssl rsa -in test/testrsa.pem \ -out test/recipes/90-test_store_data/testrsa.msb \ -outform msb openssl rsa -in test/testrsa.pem \ -out test/recipes/90-test_store_data/testrsa.pvk \ -outform pvk \ -passout pass:password Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15980) ----------------------------------------------------------------------- Summary of changes: test/recipes/90-test_store.t | 22 ++++++++++++++++++---- test/recipes/90-test_store_data/testrsa.msb | Bin 0 -> 308 bytes test/recipes/90-test_store_data/testrsa.pvk | Bin 0 -> 348 bytes 3 files changed, 18 insertions(+), 4 deletions(-) create mode 100644 test/recipes/90-test_store_data/testrsa.msb create mode 100644 test/recipes/90-test_store_data/testrsa.pvk diff --git a/test/recipes/90-test_store.t b/test/recipes/90-test_store.t index 835ad6191e..2bdc08f4c2 100644 --- a/test/recipes/90-test_store.t +++ b/test/recipes/90-test_store.t @@ -30,6 +30,11 @@ my @src_files = "test/testrsapub.pem", "test/testcrl.pem", "apps/server.pem" ); +my @data_files = + ( "testrsa.msb" ); +push(@data_files, + ( "testrsa.pvk" )) + unless disabled("legacy") || disabled("rc4"); my @src_rsa_files = ( "test/testrsa.pem", "test/testrsapub.pem" ); @@ -104,6 +109,7 @@ push @methods, [qw(-engine loader_attic)] my $n = scalar @methods * ( (3 * scalar @noexist_files) + (6 * scalar @src_files) + + (2 * scalar @data_files) + (4 * scalar @generated_files) + (scalar keys %generated_file_files) + (scalar @noexist_file_files) @@ -192,11 +198,19 @@ indir "store_$$" => sub { to_abs_file_uri($file, 0, "dummy")]))); } } + foreach (@data_files) { + my $file = data_file($_); + + ok(run(app([@storeutl, "-noout", "-passin", "pass:password", + $file]))); + ok(run(app([@storeutl, "-noout", "-passin", "pass:password", + to_abs_file($file)]))); + } foreach (@generated_files) { - ok(run(app([@storeutl, "-noout", "-passin", - "pass:password", $_]))); - ok(run(app([@storeutl, "-noout", "-passin", - "pass:password", to_abs_file($_)]))); + ok(run(app([@storeutl, "-noout", "-passin", "pass:password", + $_]))); + ok(run(app([@storeutl, "-noout", "-passin", "pass:password", + to_abs_file($_)]))); SKIP: { diff --git a/test/recipes/90-test_store_data/testrsa.msb b/test/recipes/90-test_store_data/testrsa.msb new file mode 100644 index 0000000000..0249d6630a Binary files /dev/null and b/test/recipes/90-test_store_data/testrsa.msb differ diff --git a/test/recipes/90-test_store_data/testrsa.pvk b/test/recipes/90-test_store_data/testrsa.pvk new file mode 100644 index 0000000000..c311244d63 Binary files /dev/null and b/test/recipes/90-test_store_data/testrsa.pvk differ From levitte at openssl.org Sat Jul 3 17:44:50 2021 From: levitte at openssl.org (Richard Levitte) Date: Sat, 03 Jul 2021 17:44:50 +0000 Subject: [openssl] master update Message-ID: <1625334290.317604.1791.nullmailer@dev.openssl.org> The branch master has been updated via f40c5f2c53b9d5eec98993653c3d741b0226b697 (commit) via 0550cdeb802a2462c4d59e0fc15a1f773054bc65 (commit) from a9fa32c2a082dc91fc2c2255c2ccef7dce0e9ee4 (commit) - Log ----------------------------------------------------------------- commit f40c5f2c53b9d5eec98993653c3d741b0226b697 Author: Richard Levitte Date: Fri Jul 2 12:38:18 2021 +0200 PROV & STORE: Make the 'file:' store loader understand more binary formats The 'file:' store loader only understood DER natively. With all the whatever to key decoders gone, direct support for other binary file formats are gone, and we need to recreate them for this store loader. With these changes, it now also understands MSBLOB and PVK files. As a consequence, any store loader that handles some form of open file data (such as a PEM object) can now simply pass that data back via OSSL_FUNC_store_load()'s object callback. As long as libcrypto has access to a decoder that can understand the data, the appropriate OpenSSL object will be generated for it, even if the store loader sits in a different provider than any decoder or keymgmt. For example, an LDAP store loader, which typically finds diverse PEM formatted blobs in the database, can simply pass those back via the object callback, and let libcrypto do the rest of the work. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15981) commit 0550cdeb802a2462c4d59e0fc15a1f773054bc65 Author: Richard Levitte Date: Fri Jul 2 12:29:23 2021 +0200 PROV & STORE: Don't decode keys in the 'file:' store loader This makes the 'file:' store loader only read the file, and only decode down to a base level binary format, and simply pass that blob of data back to the OSSL_FUNC_store_load() object callback. This offloads the decoding into specific OpenSSL types to libcrypto, which takes away the issue of origins, which provider is it that holds the key (or other future types of objects). Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15981) ----------------------------------------------------------------------- Summary of changes: crypto/store/store_result.c | 2 +- providers/implementations/storemgmt/build.info | 2 +- providers/implementations/storemgmt/file_store.c | 89 +++---- .../implementations/storemgmt/file_store_any2obj.c | 261 +++++++++++++++++++++ .../implementations/storemgmt/file_store_der2obj.c | 109 --------- .../implementations/storemgmt/file_store_local.h | 2 +- 6 files changed, 295 insertions(+), 170 deletions(-) create mode 100644 providers/implementations/storemgmt/file_store_any2obj.c delete mode 100644 providers/implementations/storemgmt/file_store_der2obj.c diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c index 91c679718c..3a0dc9dfba 100644 --- a/crypto/store/store_result.c +++ b/crypto/store/store_result.c @@ -268,7 +268,7 @@ static EVP_PKEY *try_key_value(struct extracted_param_data_st *data, } decoderctx = - OSSL_DECODER_CTX_new_for_pkey(&pk, "DER", data->data_structure, + OSSL_DECODER_CTX_new_for_pkey(&pk, NULL, data->data_structure, data->data_type, selection, libctx, propq); (void)OSSL_DECODER_CTX_set_passphrase_cb(decoderctx, cb, cbarg); diff --git a/providers/implementations/storemgmt/build.info b/providers/implementations/storemgmt/build.info index ad47fb1fe8..8e6445a4e7 100644 --- a/providers/implementations/storemgmt/build.info +++ b/providers/implementations/storemgmt/build.info @@ -3,4 +3,4 @@ $STORE_GOAL=../../libdefault.a -SOURCE[$STORE_GOAL]=file_store.c file_store_der2obj.c +SOURCE[$STORE_GOAL]=file_store.c file_store_any2obj.c diff --git a/providers/implementations/storemgmt/file_store.c b/providers/implementations/storemgmt/file_store.c index 4f1e2de650..6ccda2b33f 100644 --- a/providers/implementations/storemgmt/file_store.c +++ b/providers/implementations/storemgmt/file_store.c @@ -419,13 +419,9 @@ void file_load_cleanup(void *construct_data) static int file_setup_decoders(struct file_ctx_st *ctx) { - EVP_PKEY *dummy; /* for ossl_decoder_ctx_setup_for_pkey() */ OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(ctx->provctx); - OSSL_DECODER *to_obj = NULL; /* Last resort decoder */ - OSSL_DECODER_INSTANCE *to_obj_inst = NULL; - OSSL_DECODER_CLEANUP *old_cleanup = NULL; - void *old_construct_data = NULL; - int ok = 0, expect_evp_pkey = 0; + const OSSL_ALGORITHM *to_algo = NULL; + int ok = 0; /* Setup for this session, so only if not already done */ if (ctx->_.file.decoderctx == NULL) { @@ -434,11 +430,6 @@ static int file_setup_decoders(struct file_ctx_st *ctx) goto err; } - expect_evp_pkey = (ctx->expected_type == 0 - || ctx->expected_type == OSSL_STORE_INFO_PARAMS - || ctx->expected_type == OSSL_STORE_INFO_PUBKEY - || ctx->expected_type == OSSL_STORE_INFO_PKEY); - /* Make sure the input type is set */ if (!OSSL_DECODER_CTX_set_input_type(ctx->_.file.decoderctx, ctx->_.file.input_type)) { @@ -446,59 +437,42 @@ static int file_setup_decoders(struct file_ctx_st *ctx) goto err; } - /* - * Create the internal last resort decoder implementation together - * with a "decoder instance". - * The decoder doesn't need any identification or to be attached to - * any provider, since it's only used locally. - */ - to_obj = ossl_decoder_from_algorithm(0, &ossl_der_to_obj_algorithm, - NULL); - if (to_obj == NULL) - goto err; - to_obj_inst = ossl_decoder_instance_new(to_obj, ctx->provctx); - if (to_obj_inst == NULL) - goto err; + for (to_algo = ossl_any_to_obj_algorithm; + to_algo->algorithm_names != NULL; + to_algo++) { + OSSL_DECODER *to_obj = NULL; + OSSL_DECODER_INSTANCE *to_obj_inst = NULL; - if (!ossl_decoder_ctx_add_decoder_inst(ctx->_.file.decoderctx, - to_obj_inst)) { - ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); - goto err; + /* + * Create the internal last resort decoder implementation + * together with a "decoder instance". + * The decoder doesn't need any identification or to be + * attached to any provider, since it's only used locally. + */ + to_obj = ossl_decoder_from_algorithm(0, to_algo, NULL); + if (to_obj != NULL) + to_obj_inst = ossl_decoder_instance_new(to_obj, ctx->provctx); + OSSL_DECODER_free(to_obj); + if (to_obj_inst == NULL) + goto err; + + if (!ossl_decoder_ctx_add_decoder_inst(ctx->_.file.decoderctx, + to_obj_inst)) { + ossl_decoder_instance_free(to_obj_inst); + ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); + goto err; + } } - - /* - * OSSL_DECODER_INSTANCE shouldn't be freed from this point on. - * That's going to happen whenever the OSSL_DECODER_CTX is freed. - */ - to_obj_inst = NULL; - - /* - * Add on the usual decoder context for keys, with a dummy object. - * Since we're setting up our own constructor, we don't need to care - * more than that... - */ - if ((expect_evp_pkey - && !ossl_decoder_ctx_setup_for_pkey(ctx->_.file.decoderctx, - &dummy, NULL, - libctx, ctx->_.file.propq)) - || !OSSL_DECODER_CTX_add_extra(ctx->_.file.decoderctx, - libctx, ctx->_.file.propq)) { + /* Add on the usual extra decoders */ + if (!OSSL_DECODER_CTX_add_extra(ctx->_.file.decoderctx, + libctx, ctx->_.file.propq)) { ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); goto err; } /* - * Then we throw away the installed finalizer data, and install our - * own instead. - */ - old_cleanup = OSSL_DECODER_CTX_get_cleanup(ctx->_.file.decoderctx); - old_construct_data = - OSSL_DECODER_CTX_get_construct_data(ctx->_.file.decoderctx); - if (old_cleanup != NULL) - old_cleanup(old_construct_data); - - /* - * Set the hooks. + * Then install our constructor hooks, which just passes decoded + * data to the load callback */ if (!OSSL_DECODER_CTX_set_construct(ctx->_.file.decoderctx, file_load_construct) @@ -511,7 +485,6 @@ static int file_setup_decoders(struct file_ctx_st *ctx) ok = 1; err: - OSSL_DECODER_free(to_obj); return ok; } diff --git a/providers/implementations/storemgmt/file_store_any2obj.c b/providers/implementations/storemgmt/file_store_any2obj.c new file mode 100644 index 0000000000..28601683bf --- /dev/null +++ b/providers/implementations/storemgmt/file_store_any2obj.c @@ -0,0 +1,261 @@ +/* + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * This is a decoder that's completely internal to the 'file:' store + * implementation. Only code in file_store.c know about this one. Because + * of this close relationship, we can cut certain corners, such as making + * assumptions about the "provider context", which is currently simply the + * provider context that the file_store.c code operates within. + * + * All this does is to read known binary encodings (currently: DER, MSBLOB, + * PVK) from the input if it can, and passes it on to the data callback as + * an object abstraction, leaving it to the callback to figure out what it + * actually is. + * + * This MUST be made the last decoder in a chain, leaving it to other more + * specialized decoders to recognise and process their stuff first. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include "internal/asn1.h" +#include "crypto/pem.h" /* For internal PVK and "blob" headers */ +#include "prov/bio.h" +#include "file_store_local.h" + +/* + * newctx and freectx are not strictly necessary. However, the method creator, + * ossl_decoder_from_algorithm(), demands that they exist, so we make sure to + * oblige. + */ + +static OSSL_FUNC_decoder_newctx_fn any2obj_newctx; +static OSSL_FUNC_decoder_freectx_fn any2obj_freectx; + +static void *any2obj_newctx(void *provctx) +{ + return provctx; +} + +static void any2obj_freectx(void *vctx) +{ +} + +static int any2obj_decode_final(void *provctx, int objtype, BUF_MEM *mem, + OSSL_CALLBACK *data_cb, void *data_cbarg) +{ + /* + * 1 indicates that we successfully decoded something, or not at all. + * Ending up "empty handed" is not an error. + */ + int ok = 1; + + if (mem != NULL) { + OSSL_PARAM params[3]; + + params[0] = + OSSL_PARAM_construct_int(OSSL_OBJECT_PARAM_TYPE, &objtype); + params[1] = + OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_DATA, + mem->data, mem->length); + params[2] = OSSL_PARAM_construct_end(); + + ok = data_cb(params, data_cbarg); + BUF_MEM_free(mem); + } + return ok; +} + +static OSSL_FUNC_decoder_decode_fn der2obj_decode; +static int der2obj_decode(void *provctx, OSSL_CORE_BIO *cin, int selection, + OSSL_CALLBACK *data_cb, void *data_cbarg, + OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) +{ + BIO *in = ossl_bio_new_from_core_bio(provctx, cin); + BUF_MEM *mem = NULL; + int ok; + + if (in == NULL) + return 0; + + ERR_set_mark(); + ok = (asn1_d2i_read_bio(in, &mem) >= 0); + ERR_pop_to_mark(); + if (!ok && mem != NULL) { + BUF_MEM_free(mem); + mem = NULL; + } + BIO_free(in); + + /* any2obj_decode_final() frees |mem| for us */ + return any2obj_decode_final(provctx, OSSL_OBJECT_UNKNOWN, mem, + data_cb, data_cbarg); +} + +static OSSL_FUNC_decoder_decode_fn msblob2obj_decode; +static int msblob2obj_decode(void *provctx, OSSL_CORE_BIO *cin, int selection, + OSSL_CALLBACK *data_cb, void *data_cbarg, + OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) +{ + BIO *in = ossl_bio_new_from_core_bio(provctx, cin); + BUF_MEM *mem = NULL; + size_t mem_len = 0, mem_want; + const unsigned char *p; + unsigned int bitlen, magic; + int isdss = -1; + int ispub = -1; + int ok = 0; + + if (in == NULL) + goto err; + + mem_want = 16; /* The size of the MSBLOB header */ + if ((mem = BUF_MEM_new()) == NULL + || !BUF_MEM_grow(mem, mem_want)) { + ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE); + goto err; + } + + ERR_set_mark(); + ok = BIO_read(in, &mem->data[0], mem_want) == (int)mem_want; + mem_len += mem_want; + ERR_pop_to_mark(); + if (!ok) + goto next; + + + ERR_set_mark(); + p = (unsigned char *)&mem->data[0]; + ok = ossl_do_blob_header(&p, 16, &magic, &bitlen, &isdss, &ispub) > 0; + ERR_pop_to_mark(); + if (!ok) + goto next; + + ok = 0; + mem_want = ossl_blob_length(bitlen, isdss, ispub); + if (!BUF_MEM_grow(mem, mem_len + mem_want)) { + ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE); + goto err; + } + + ERR_set_mark(); + ok = BIO_read(in, &mem->data[mem_len], mem_want) == (int)mem_want; + mem_len += mem_want; + ERR_pop_to_mark(); + + next: + /* Free resources we no longer need. */ + BIO_free(in); + if (!ok && mem != NULL) { + BUF_MEM_free(mem); + mem = NULL; + } + + /* any2obj_decode_final() frees |mem| for us */ + return any2obj_decode_final(provctx, OSSL_OBJECT_PKEY, mem, + data_cb, data_cbarg); + + err: + BIO_free(in); + BUF_MEM_free(mem); + return 0; +} + +static OSSL_FUNC_decoder_decode_fn pvk2obj_decode; +static int pvk2obj_decode(void *provctx, OSSL_CORE_BIO *cin, int selection, + OSSL_CALLBACK *data_cb, void *data_cbarg, + OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) +{ + BIO *in = ossl_bio_new_from_core_bio(provctx, cin); + BUF_MEM *mem = NULL; + size_t mem_len = 0, mem_want; + const unsigned char *p; + unsigned int saltlen, keylen; + int ok = 0; + + if (in == NULL) + goto err; + + mem_want = 24; /* The size of the PVK header */ + if ((mem = BUF_MEM_new()) == NULL + || !BUF_MEM_grow(mem, mem_want)) { + ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE); + goto err; + } + + ERR_set_mark(); + ok = BIO_read(in, &mem->data[0], mem_want) == (int)mem_want; + mem_len += mem_want; + ERR_pop_to_mark(); + if (!ok) + goto next; + + + ERR_set_mark(); + p = (unsigned char *)&mem->data[0]; + ok = ossl_do_PVK_header(&p, 24, 0, &saltlen, &keylen) > 0; + ERR_pop_to_mark(); + if (!ok) + goto next; + + ok = 0; + mem_want = saltlen + keylen; + if (!BUF_MEM_grow(mem, mem_len + mem_want)) { + ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE); + goto err; + } + + ERR_set_mark(); + ok = BIO_read(in, &mem->data[mem_len], mem_want) == (int)mem_want; + mem_len += mem_want; + ERR_pop_to_mark(); + + next: + /* Free resources we no longer need. */ + BIO_free(in); + if (!ok && mem != NULL) { + BUF_MEM_free(mem); + mem = NULL; + } + + /* any2obj_decode_final() frees |mem| for us */ + return any2obj_decode_final(provctx, OSSL_OBJECT_PKEY, mem, + data_cb, data_cbarg); + + err: + BIO_free(in); + BUF_MEM_free(mem); + return 0; +} + +#define MAKE_DECODER(fromtype, objtype) \ + static const OSSL_DISPATCH fromtype##_to_obj_decoder_functions[] = { \ + { OSSL_FUNC_DECODER_NEWCTX, (void (*)(void))any2obj_newctx }, \ + { OSSL_FUNC_DECODER_FREECTX, (void (*)(void))any2obj_freectx }, \ + { OSSL_FUNC_DECODER_DECODE, (void (*)(void))fromtype##2obj_decode }, \ + { 0, NULL } \ + } + +MAKE_DECODER(der, OSSL_OBJECT_UNKNOWN); +MAKE_DECODER(msblob, OSSL_OBJECT_PKEY); +MAKE_DECODER(pvk, OSSL_OBJECT_PKEY); + +const OSSL_ALGORITHM ossl_any_to_obj_algorithm[] = { + { "obj", "input=DER", der_to_obj_decoder_functions }, + { "obj", "input=MSBLOB", msblob_to_obj_decoder_functions }, + { "obj", "input=PVK", pvk_to_obj_decoder_functions }, + { NULL, } +}; diff --git a/providers/implementations/storemgmt/file_store_der2obj.c b/providers/implementations/storemgmt/file_store_der2obj.c deleted file mode 100644 index 5f71ea500d..0000000000 --- a/providers/implementations/storemgmt/file_store_der2obj.c +++ /dev/null @@ -1,109 +0,0 @@ -/* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -/* - * This is a decoder that's completely internal to the 'file:' store - * implementation. Only code in file_store.c know about this one. Because - * of this close relationship, we can cut certain corners, such as making - * assumptions about the "provider context", which is currently simply the - * provider context that the file_store.c code operates within. - * - * All this does is to read DER from the input if it can, and passes it on - * to the data callback as an object abstraction, leaving it to the callback - * to figure out what it actually is. - * - * This MUST be made the last decoder in a chain, leaving it to other more - * specialized decoders to recognise and process their stuff first. - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include "internal/asn1.h" -#include "prov/bio.h" -#include "file_store_local.h" - -/* - * newctx and freectx are not strictly necessary. However, the method creator, - * ossl_decoder_from_algorithm(), demands that they exist, so we make sure to - * oblige. - */ - -static OSSL_FUNC_decoder_newctx_fn der2obj_newctx; -static OSSL_FUNC_decoder_freectx_fn der2obj_freectx; - -static void *der2obj_newctx(void *provctx) -{ - return provctx; -} - -static void der2obj_freectx(void *vctx) -{ -} - -static OSSL_FUNC_decoder_decode_fn der2obj_decode; - -static int der2obj_decode(void *provctx, OSSL_CORE_BIO *cin, int selection, - OSSL_CALLBACK *data_cb, void *data_cbarg, - OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) -{ - /* - * We're called from file_store.c, so we know that OSSL_CORE_BIO is a - * BIO in this case. - */ - BIO *in = ossl_bio_new_from_core_bio(provctx, cin); - BUF_MEM *mem = NULL; - int ok; - - if (in == NULL) - return 0; - - ERR_set_mark(); - ok = (asn1_d2i_read_bio(in, &mem) >= 0); - ERR_pop_to_mark(); - if (!ok && mem != NULL) { - OPENSSL_free(mem->data); - OPENSSL_free(mem); - mem = NULL; - } - - ok = 1; - if (mem != NULL) { - OSSL_PARAM params[3]; - int object_type = OSSL_OBJECT_UNKNOWN; - - params[0] = - OSSL_PARAM_construct_int(OSSL_OBJECT_PARAM_TYPE, &object_type); - params[1] = - OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_DATA, - mem->data, mem->length); - params[2] = OSSL_PARAM_construct_end(); - - ok = data_cb(params, data_cbarg); - OPENSSL_free(mem->data); - OPENSSL_free(mem); - } - BIO_free(in); - return ok; -} - -static const OSSL_DISPATCH der_to_obj_decoder_functions[] = { - { OSSL_FUNC_DECODER_NEWCTX, (void (*)(void))der2obj_newctx }, - { OSSL_FUNC_DECODER_FREECTX, (void (*)(void))der2obj_freectx }, - { OSSL_FUNC_DECODER_DECODE, (void (*)(void))der2obj_decode }, - { 0, NULL } -}; - -const OSSL_ALGORITHM ossl_der_to_obj_algorithm = - { "obj", "input=DER", der_to_obj_decoder_functions }; diff --git a/providers/implementations/storemgmt/file_store_local.h b/providers/implementations/storemgmt/file_store_local.h index b25dacc18b..3459315948 100644 --- a/providers/implementations/storemgmt/file_store_local.h +++ b/providers/implementations/storemgmt/file_store_local.h @@ -7,5 +7,5 @@ * https://www.openssl.org/source/license.html */ -extern const OSSL_ALGORITHM ossl_der_to_obj_algorithm; +extern const OSSL_ALGORITHM ossl_any_to_obj_algorithm[]; From scan-admin at coverity.com Sun Jul 4 07:50:32 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 04 Jul 2021 07:50:32 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60e16848d1f6_2e964e2ada0319f9a891561@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3Dn3Qw_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeGOzn5u12-2F-2B9iHgppswwMJnNsgNSCxhWYz6n0p8qVCyt8yCE9rt6MBEzyc5751eSFLZl8RHhZlwh9ZDPWP7-2FGKHjRuvLfTkIfPlWcNdIyUacNodL2gxVkggU8SWjwfuIeVwToRJW-2FSArXctCH91mwcTa1839Xjh9mfKQnCtKq7IlytEvYJ-2FgR0SezO-2BQQx9zZU-3D Build ID: 395242 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Sun Jul 4 07:51:59 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 04 Jul 2021 07:51:59 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60e1689e90074_2e96c52ada0319f9a891523@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DD2x-_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeG5UIe1Irx39FIddhF1IKwxf1zMMpqZLA6mcYBjWF14jdb8G6AFPkokUtYQMrY-2FZseSUUtXy8-2FtgL3wE0Pmc8cikWsKNGnnumuVqpwL2pRrT7NsvhaGl-2Bc4Fb49BUPiaQqNGrj-2F7O-2FbkmA074Ic2N48nQ-2FeYfCozTBQ2kaSA8qL2yU4f0bj1Aie0hcWbcvDTyk-3D Build ID: 395243 Analysis Summary: New defects found: 0 Defects eliminated: 0 From pauli at openssl.org Mon Jul 5 01:51:17 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Mon, 05 Jul 2021 01:51:17 +0000 Subject: [openssl] master update Message-ID: <1625449877.708701.24414.nullmailer@dev.openssl.org> The branch master has been updated via f7546162d406be1f93bb39fb5a968521162b9acf (commit) via 97419ce97da89f5b6f51121e2562b7d2c788dd25 (commit) via 56cd5dc78b3cecd2c6cf98b0d235b126e82f0dd2 (commit) from f40c5f2c53b9d5eec98993653c3d741b0226b697 (commit) - Log ----------------------------------------------------------------- commit f7546162d406be1f93bb39fb5a968521162b9acf Author: Pauli Date: Thu Jul 1 14:47:38 2021 +1000 doc: include PBKDF1 documentation in build.info Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15967) commit 97419ce97da89f5b6f51121e2562b7d2c788dd25 Author: Pauli Date: Thu Jul 1 14:46:39 2021 +1000 doc: add PBKDF1 provider documentation Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15967) commit 56cd5dc78b3cecd2c6cf98b0d235b126e82f0dd2 Author: Pauli Date: Thu Jul 1 14:00:03 2021 +1000 provider: use #define for PBKDF1 algorithm name This seems to be standard practice so bringing PBKDF1 into line. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15967) ----------------------------------------------------------------------- Summary of changes: doc/build.info | 6 ++++++ .../{EVP_KDF-PKCS12KDF.pod => EVP_KDF-PBKDF1.pod} | 24 +++++++++------------- providers/implementations/include/prov/names.h | 1 + providers/legacyprov.c | 2 +- 4 files changed, 18 insertions(+), 15 deletions(-) copy doc/man7/{EVP_KDF-PKCS12KDF.pod => EVP_KDF-PBKDF1.pod} (68%) diff --git a/doc/build.info b/doc/build.info index 4529e3c72f..475034cb9f 100644 --- a/doc/build.info +++ b/doc/build.info @@ -4107,6 +4107,10 @@ DEPEND[html/man7/EVP_KDF-KRB5KDF.html]=man7/EVP_KDF-KRB5KDF.pod GENERATE[html/man7/EVP_KDF-KRB5KDF.html]=man7/EVP_KDF-KRB5KDF.pod DEPEND[man/man7/EVP_KDF-KRB5KDF.7]=man7/EVP_KDF-KRB5KDF.pod GENERATE[man/man7/EVP_KDF-KRB5KDF.7]=man7/EVP_KDF-KRB5KDF.pod +DEPEND[html/man7/EVP_KDF-PBKDF1.html]=man7/EVP_KDF-PBKDF1.pod +GENERATE[html/man7/EVP_KDF-PBKDF1.html]=man7/EVP_KDF-PBKDF1.pod +DEPEND[man/man7/EVP_KDF-PBKDF1.7]=man7/EVP_KDF-PBKDF1.pod +GENERATE[man/man7/EVP_KDF-PBKDF1.7]=man7/EVP_KDF-PBKDF1.pod DEPEND[html/man7/EVP_KDF-PBKDF2.html]=man7/EVP_KDF-PBKDF2.pod GENERATE[html/man7/EVP_KDF-PBKDF2.html]=man7/EVP_KDF-PBKDF2.pod DEPEND[man/man7/EVP_KDF-PBKDF2.7]=man7/EVP_KDF-PBKDF2.pod @@ -4548,6 +4552,7 @@ html/man7/EVP_CIPHER-SM4.html \ html/man7/EVP_KDF-HKDF.html \ html/man7/EVP_KDF-KB.html \ html/man7/EVP_KDF-KRB5KDF.html \ +html/man7/EVP_KDF-PBKDF1.html \ html/man7/EVP_KDF-PBKDF2.html \ html/man7/EVP_KDF-PKCS12KDF.html \ html/man7/EVP_KDF-SCRYPT.html \ @@ -4669,6 +4674,7 @@ man/man7/EVP_CIPHER-SM4.7 \ man/man7/EVP_KDF-HKDF.7 \ man/man7/EVP_KDF-KB.7 \ man/man7/EVP_KDF-KRB5KDF.7 \ +man/man7/EVP_KDF-PBKDF1.7 \ man/man7/EVP_KDF-PBKDF2.7 \ man/man7/EVP_KDF-PKCS12KDF.7 \ man/man7/EVP_KDF-SCRYPT.7 \ diff --git a/doc/man7/EVP_KDF-PKCS12KDF.pod b/doc/man7/EVP_KDF-PBKDF1.pod similarity index 68% copy from doc/man7/EVP_KDF-PKCS12KDF.pod copy to doc/man7/EVP_KDF-PBKDF1.pod index 68f987b050..ae13765211 100644 --- a/doc/man7/EVP_KDF-PKCS12KDF.pod +++ b/doc/man7/EVP_KDF-PBKDF1.pod @@ -2,21 +2,20 @@ =head1 NAME -EVP_KDF-PKCS12KDF - The PKCS#12 EVP_KDF implementation +EVP_KDF-PBKDF1 - The PBKDF1 EVP_KDF implementation =head1 DESCRIPTION -Support for computing the B password-based KDF through the B +Support for computing the B password-based KDF through the B API. -The EVP_KDF-PKCS12KDF algorithm implements the PKCS#12 password-based key -derivation function, as described in appendix B of RFC 7292 (PKCS #12: -Personal Information Exchange Syntax); it derives a key from a password -using a salt, iteration count and the intended usage. +The EVP_KDF-PBKDF1 algorithm implements the PBKDF1 password-based key +derivation function, as described in RFC 8018; it derives a key from a password +using a salt and iteration count. =head2 Identity -"PKCS12KDF" is the name for this implementation; it +"PBKDF1" is the name for this implementation; it can be used with the EVP_KDF_fetch() function. =head2 Supported parameters @@ -31,17 +30,14 @@ The supported parameters are: =item "iter" (B) +This parameter has a default value of 0 and should be set. + =item "properties" (B) =item "digest" (B) These parameters work as described in L. -=item "id" (B) - -This parameter is used to specify the intended usage of the output bits, as per -RFC 7292 section B.3. - =back =head1 NOTES @@ -59,7 +55,7 @@ byte sequence. =head1 CONFORMING TO -RFC7292 +RFC 8018 =head1 SEE ALSO @@ -76,7 +72,7 @@ This functionality was added to OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/include/prov/names.h b/providers/implementations/include/prov/names.h index fd39c0229e..5aec4a0934 100644 --- a/providers/implementations/include/prov/names.h +++ b/providers/implementations/include/prov/names.h @@ -250,6 +250,7 @@ #define PROV_NAMES_HKDF "HKDF" #define PROV_DESCS_HKDF_SIGN "OpenSSL HKDF via EVP_PKEY implementation" #define PROV_NAMES_SSKDF "SSKDF" +#define PROV_NAMES_PBKDF1 "PBKDF1" #define PROV_NAMES_PBKDF2 "PBKDF2:1.2.840.113549.1.5.12" #define PROV_NAMES_SSHKDF "SSHKDF" #define PROV_NAMES_X963KDF "X963KDF:X942KDF-CONCAT" diff --git a/providers/legacyprov.c b/providers/legacyprov.c index b5fc5f523f..a5999c5f8b 100644 --- a/providers/legacyprov.c +++ b/providers/legacyprov.c @@ -144,7 +144,7 @@ static const OSSL_ALGORITHM legacy_ciphers[] = { }; static const OSSL_ALGORITHM legacy_kdfs[] = { - ALG("PBKDF1", ossl_kdf_pbkdf1_functions), + ALG(PROV_NAMES_PBKDF1, ossl_kdf_pbkdf1_functions), { NULL, NULL, NULL } }; From pauli at openssl.org Mon Jul 5 02:45:17 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Mon, 05 Jul 2021 02:45:17 +0000 Subject: [openssl] master update Message-ID: <1625453117.809962.25418.nullmailer@dev.openssl.org> The branch master has been updated via 0a02c81f8173e0c5d554bd16daa68b7594f4cbd8 (commit) from f7546162d406be1f93bb39fb5a968521162b9acf (commit) - Log ----------------------------------------------------------------- commit 0a02c81f8173e0c5d554bd16daa68b7594f4cbd8 Author: Tomas Mraz Date: Fri Jul 2 15:45:09 2021 +0200 Coverity #1486687: fix potential dereference of NULL keymgmt Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15986) ----------------------------------------------------------------------- Summary of changes: crypto/encode_decode/decoder_pkey.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/encode_decode/decoder_pkey.c b/crypto/encode_decode/decoder_pkey.c index 719bd17b2f..edbea4face 100644 --- a/crypto/encode_decode/decoder_pkey.c +++ b/crypto/encode_decode/decoder_pkey.c @@ -126,9 +126,9 @@ static int decoder_construct_pkey(OSSL_DECODER_INSTANCE *decoder_inst, /* To allow it to be freed further down */ if (!EVP_KEYMGMT_up_ref(keymgmt)) return 0; - } else { - keymgmt = EVP_KEYMGMT_fetch(data->libctx, - data->object_type, data->propq); + } else if ((keymgmt = EVP_KEYMGMT_fetch(data->libctx, + data->object_type, + data->propq)) != NULL) { keymgmt_prov = EVP_KEYMGMT_get0_provider(keymgmt); } From scan-admin at coverity.com Mon Jul 5 07:49:30 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Mon, 05 Jul 2021 07:49:30 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60e2b98a368cd_305b952ab11347b99c14477@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DUsI4_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHNHXfefX-2BR-2B3XGOmrjRx-2BIV8rxrdEONxGqFZaUbOmSQSAziw4koRmiGVagzBPGwmhjuUVx0qF9o-2FxLzory2Gl-2BHUUK9iZjReb6rq-2BKbyMDoKp-2Fl-2FSLibOrVNFX0sUBmeVujAJQ9APfU6kOR3qg0TQKv6pL42T5nArI2Zn4IdVb23i-2FrxA8agcgo30tWvkiA-2BE-3D Build ID: 395389 Analysis Summary: New defects found: 0 Defects eliminated: 1 From scan-admin at coverity.com Mon Jul 5 07:52:32 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Mon, 05 Jul 2021 07:52:32 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60e2ba3fd226c_305c872ab11347b99c144c4@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DZQRV_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHs4m4CBSSNhqTTB6btnHSJVzxE4UM01zwDQqnwzQ6okfObdXHhC7itRkp8qJBzYRlqerI3Qo4rffn2q-2FTEIwmJfEd9M8s9FY5y06YrHKYQFbVsEVbENgKbJ1p0LX-2BJrWysjpXVYEaLkk6fVxCbk28PkO4mSNU9TOOaKSbMUuqoLgi3XpdBKViC-2Bc8q-2BGp5BnI-3D Build ID: 395390 Analysis Summary: New defects found: 0 Defects eliminated: 0 From pauli at openssl.org Tue Jul 6 00:08:31 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 06 Jul 2021 00:08:31 +0000 Subject: [openssl] master update Message-ID: <1625530111.449331.19749.nullmailer@dev.openssl.org> The branch master has been updated via 643ce3108f88751c44348335bed91e475d50677d (commit) from 0a02c81f8173e0c5d554bd16daa68b7594f4cbd8 (commit) - Log ----------------------------------------------------------------- commit 643ce3108f88751c44348335bed91e475d50677d Author: Tomas Mraz Date: Fri Jul 2 15:29:13 2021 +0200 rsa_cms_verify: Avoid negative return with missing pss parameters Fixes #15984 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15985) ----------------------------------------------------------------------- Summary of changes: crypto/cms/cms_rsa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/cms/cms_rsa.c b/crypto/cms/cms_rsa.c index b9e895aed4..20ed816918 100644 --- a/crypto/cms/cms_rsa.c +++ b/crypto/cms/cms_rsa.c @@ -222,7 +222,7 @@ static int rsa_cms_verify(CMS_SignerInfo *si) CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg); nid = OBJ_obj2nid(alg->algorithm); if (nid == EVP_PKEY_RSA_PSS) - return ossl_rsa_pss_to_ctx(NULL, pkctx, alg, NULL); + return ossl_rsa_pss_to_ctx(NULL, pkctx, alg, NULL) > 0; /* Only PSS allowed for PSS keys */ if (EVP_PKEY_is_a(pkey, "RSA-PSS")) { ERR_raise(ERR_LIB_RSA, RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); From pauli at openssl.org Tue Jul 6 00:49:58 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 06 Jul 2021 00:49:58 +0000 Subject: [openssl] master update Message-ID: <1625532598.042872.22488.nullmailer@dev.openssl.org> The branch master has been updated via 1627a41f1db38c0e762cbbcb452a869924370561 (commit) via e7370fa016cc3d8a8f2c3a8d0c30a6a656bb622c (commit) via bf9b78214d651f84ca328506fee1bd0bd857fed8 (commit) from 643ce3108f88751c44348335bed91e475d50677d (commit) - Log ----------------------------------------------------------------- commit 1627a41f1db38c0e762cbbcb452a869924370561 Author: Martin Schwenke Date: Thu Jul 1 16:59:30 2021 +1000 bn: Make fixed-length Montgomery Multiplication conditional on PPC64 This code is currently unconditional even though build.info has: $BNASM_ppc64=$BNASM_ppc32 ppc64-mont-fixed.s This causes a build failure on 32-bit systems. Fixes #15923 Signed-off-by: Martin Schwenke Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15971) commit e7370fa016cc3d8a8f2c3a8d0c30a6a656bb622c Author: Martin Schwenke Date: Thu Jul 1 14:44:33 2021 +1000 bn: Fix .size directive This requires the text address. Fixes #15923 Signed-off-by: Martin Schwenke Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15971) commit bf9b78214d651f84ca328506fee1bd0bd857fed8 Author: Martin Schwenke Date: Thu Jul 1 14:23:50 2021 +1000 bn: Use a basic branch-if-not-zero Ancient toolchains fail the build because they don't like the hints, newer ISAs recommend not using the hints and relying on dynamic branch prediction. Signed-off-by: Martin Schwenke Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15971) ----------------------------------------------------------------------- Summary of changes: crypto/bn/asm/ppc64-mont-fixed.pl | 4 ++-- crypto/bn/bn_ppc.c | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/crypto/bn/asm/ppc64-mont-fixed.pl b/crypto/bn/asm/ppc64-mont-fixed.pl index da4967a730..56df89dc27 100755 --- a/crypto/bn/asm/ppc64-mont-fixed.pl +++ b/crypto/bn/asm/ppc64-mont-fixed.pl @@ -267,7 +267,7 @@ ___ addze $tp[$n],$tp[$n+1] addi $i,$i,$SIZE_T - bc 25,0,$label->{"outer"} + bdnz $label->{"outer"} and. $tp[$n],$tp[$n],$tp[$n] bne $label->{"sub"} @@ -322,7 +322,7 @@ ___ $self->add_code(<<___); li r3,1 blr -.size ${fname},.-${fname} +.size .${fname},.-.${fname} ___ } diff --git a/crypto/bn/bn_ppc.c b/crypto/bn/bn_ppc.c index 24b384acbd..05c0c4cb92 100644 --- a/crypto/bn/bn_ppc.c +++ b/crypto/bn/bn_ppc.c @@ -40,12 +40,14 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, * no opportunity to figure it out... */ +#if defined(_ARCH_PPC64) if (num == 6) { if (OPENSSL_ppccap_P & PPC_MADD300) return bn_mul_mont_300_fixed_n6(rp, ap, bp, np, n0, num); else return bn_mul_mont_fixed_n6(rp, ap, bp, np, n0, num); } +#endif return bn_mul_mont_int(rp, ap, bp, np, n0, num); } From pauli at openssl.org Tue Jul 6 00:51:40 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 06 Jul 2021 00:51:40 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1625532700.053900.24938.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via f775b5c4857d1fef67f487c2ec6017b1f1c6eb19 (commit) from cadb6f0e32e516c2b530c02f03905fa98920a2d3 (commit) - Log ----------------------------------------------------------------- commit f775b5c4857d1fef67f487c2ec6017b1f1c6eb19 Author: Tomas Mraz Date: Wed Jun 30 11:17:09 2021 +0200 doc: Mention the update of der data pointers in d2i/i2d Fixes #15958 Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15973) ----------------------------------------------------------------------- Summary of changes: doc/man3/d2i_PrivateKey.pod | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/man3/d2i_PrivateKey.pod b/doc/man3/d2i_PrivateKey.pod index 4e3f20f8b3..31732e89c8 100644 --- a/doc/man3/d2i_PrivateKey.pod +++ b/doc/man3/d2i_PrivateKey.pod @@ -42,6 +42,10 @@ These functions are similar to the d2i_X509() functions; see L. =head1 NOTES +All the functions that operate on data in memory update the data pointer I<*pp> +after a successful operation, just like the other d2i and i2d functions; +see L. + All these functions use DER format and unencrypted keys. Applications wishing to encrypt or decrypt private keys should use other functions such as d2i_PKCS8PrivateKey() instead. From pauli at openssl.org Tue Jul 6 00:53:16 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 06 Jul 2021 00:53:16 +0000 Subject: [openssl] master update Message-ID: <1625532796.802039.29281.nullmailer@dev.openssl.org> The branch master has been updated via 2f61bc17d42bce0d5958cabc971f4f1343353fb3 (commit) via 3f773c911a03c5be2eff00beaf94e88f1d997b22 (commit) from 1627a41f1db38c0e762cbbcb452a869924370561 (commit) - Log ----------------------------------------------------------------- commit 2f61bc17d42bce0d5958cabc971f4f1343353fb3 Author: Tomas Mraz Date: Thu Jul 1 17:41:47 2021 +0200 update fips checksums Reviewed-by: Richard Levitte Reviewed-by: Tim Hudson Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15974) commit 3f773c911a03c5be2eff00beaf94e88f1d997b22 Author: Tomas Mraz Date: Thu Jul 1 17:41:02 2021 +0200 fips module header inclusion fine-tunning Reviewed-by: Richard Levitte Reviewed-by: Tim Hudson Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15974) ----------------------------------------------------------------------- Summary of changes: crypto/dh/dh_backend.c | 3 + crypto/dh/dh_lib.c | 4 +- crypto/dsa/dsa_backend.c | 3 + crypto/dsa/dsa_lib.c | 4 +- crypto/ec/ec_backend.c | 5 +- crypto/ec/ec_key.c | 4 +- crypto/ec/ec_kmeth.c | 4 +- crypto/ec/ecx_backend.c | 3 + crypto/evp/digest.c | 4 +- crypto/evp/evp_enc.c | 4 +- crypto/evp/evp_lib.c | 2 +- crypto/evp/evp_rand.c | 5 -- crypto/evp/kdf_lib.c | 3 - crypto/evp/keymgmt_lib.c | 1 - crypto/evp/m_sigver.c | 1 - crypto/evp/p_lib.c | 11 ++- crypto/evp/pmeth_check.c | 4 +- crypto/evp/pmeth_gn.c | 4 +- crypto/evp/pmeth_lib.c | 9 ++- crypto/rsa/rsa_backend.c | 5 +- crypto/rsa/rsa_lib.c | 4 +- crypto/rsa/rsa_sign.c | 32 ++++---- include/crypto/dh.h | 1 - include/crypto/dsa.h | 1 - include/crypto/ec.h | 1 - include/crypto/ecx.h | 1 - include/crypto/rsa.h | 1 - providers/common/include/prov/provider_util.h | 2 +- providers/common/provider_util.c | 3 + providers/fips-sources.checksums | 88 ++++++++-------------- providers/fips.checksum | 2 +- providers/fips.module.sources | 22 ------ .../implementations/keymgmt/mac_legacy_kmgmt.c | 3 + providers/implementations/macs/cmac_prov.c | 3 +- providers/implementations/macs/gmac_prov.c | 1 - providers/implementations/macs/hmac_prov.c | 1 - .../implementations/signature/mac_legacy_sig.c | 3 + ssl/s3_cbc.c | 4 +- 38 files changed, 122 insertions(+), 134 deletions(-) diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c index a727d5c87b..7bd5c617de 100644 --- a/crypto/dh/dh_backend.c +++ b/crypto/dh/dh_backend.c @@ -15,6 +15,9 @@ #include #include +#ifndef FIPS_MODULE +# include +#endif #include "internal/param_build_set.h" #include "crypto/dh.h" #include "dh_local.h" diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c index 7154f8c2ab..29cda5d7bf 100644 --- a/crypto/dh/dh_lib.c +++ b/crypto/dh/dh_lib.c @@ -15,7 +15,9 @@ #include #include -#include +#ifndef FIPS_MODULE +# include +#endif #include #include #include "internal/cryptlib.h" diff --git a/crypto/dsa/dsa_backend.c b/crypto/dsa/dsa_backend.c index e4fa070f23..5e3ff85154 100644 --- a/crypto/dsa/dsa_backend.c +++ b/crypto/dsa/dsa_backend.c @@ -15,6 +15,9 @@ #include #include +#ifndef FIPS_MODULE +# include +#endif #include "crypto/dsa.h" #include "dsa_local.h" diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c index 5512b99ef1..ccc7016592 100644 --- a/crypto/dsa/dsa_lib.c +++ b/crypto/dsa/dsa_lib.c @@ -14,7 +14,9 @@ #include "internal/deprecated.h" #include -#include +#ifndef FIPS_MODULE +# include +#endif #include "internal/cryptlib.h" #include "internal/refcount.h" #include "crypto/dsa.h" diff --git a/crypto/ec/ec_backend.c b/crypto/ec/ec_backend.c index 9b4467f2be..381da71f33 100644 --- a/crypto/ec/ec_backend.c +++ b/crypto/ec/ec_backend.c @@ -17,7 +17,10 @@ #include #include #include -#include +#ifndef FIPS_MODULE +# include +# include +#endif #include "crypto/bn.h" #include "crypto/ec.h" #include "ec_local.h" diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index ba6b8df514..eb14f4e409 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -19,7 +19,9 @@ #include "ec_local.h" #include "internal/refcount.h" #include -#include +#ifndef FIPS_MODULE +# include +#endif #include #include "prov/providercommon.h" #include "crypto/bn.h" diff --git a/crypto/ec/ec_kmeth.c b/crypto/ec/ec_kmeth.c index 91b7a44082..8c011635cb 100644 --- a/crypto/ec/ec_kmeth.c +++ b/crypto/ec/ec_kmeth.c @@ -15,7 +15,9 @@ #include #include -#include +#ifndef FIPS_MODULE +# include +#endif #include #include "ec_local.h" diff --git a/crypto/ec/ecx_backend.c b/crypto/ec/ecx_backend.c index 14278592cd..a0144d5a86 100644 --- a/crypto/ec/ecx_backend.c +++ b/crypto/ec/ecx_backend.c @@ -13,6 +13,9 @@ #include #include #include +#ifndef FIPS_MODULE +# include +#endif #include "crypto/ecx.h" #include "ecx_backend.h" diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index 4a5c926103..1f2910bc69 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -14,7 +14,9 @@ #include #include #include -#include +#ifndef FIPS_MODULE +# include +#endif #include #include #include "internal/cryptlib.h" diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index 3a8e2c643e..e0f411aa06 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -16,7 +16,9 @@ #include #include #include -#include +#ifndef FIPS_MODULE +# include +#endif #include #include #include "internal/cryptlib.h" diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index 0b08c9adfd..f78df52ab1 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -25,11 +25,11 @@ #include #include #include "crypto/evp.h" -#include "crypto/asn1.h" #include "internal/provider.h" #include "evp_local.h" #if !defined(FIPS_MODULE) +# include "crypto/asn1.h" int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type) { diff --git a/crypto/evp/evp_rand.c b/crypto/evp/evp_rand.c index 7b1a44241e..0db755e06b 100644 --- a/crypto/evp/evp_rand.c +++ b/crypto/evp/evp_rand.c @@ -7,13 +7,9 @@ * https://www.openssl.org/source/license.html */ -#include - #include #include -#include #include -#include #include #include #include @@ -22,7 +18,6 @@ #include "internal/numbers.h" #include "internal/provider.h" #include "internal/core.h" -#include "crypto/asn1.h" #include "crypto/evp.h" #include "evp_local.h" diff --git a/crypto/evp/kdf_lib.c b/crypto/evp/kdf_lib.c index 5552b26601..8177626ae0 100644 --- a/crypto/evp/kdf_lib.c +++ b/crypto/evp/kdf_lib.c @@ -11,13 +11,10 @@ #include #include #include "internal/cryptlib.h" -#include #include -#include #include #include #include -#include "crypto/asn1.h" #include "crypto/evp.h" #include "internal/numbers.h" #include "internal/provider.h" diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c index f3dd876cfd..32e4fbcbaa 100644 --- a/crypto/evp/keymgmt_lib.c +++ b/crypto/evp/keymgmt_lib.c @@ -11,7 +11,6 @@ #include "internal/cryptlib.h" #include "internal/nelem.h" #include "crypto/evp.h" -#include "crypto/asn1.h" #include "internal/core.h" #include "internal/provider.h" #include "evp_local.h" diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c index 0da6498030..5c5ed05876 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c @@ -11,7 +11,6 @@ #include "internal/cryptlib.h" #include #include -#include #include "crypto/evp.h" #include "internal/provider.h" #include "internal/numbers.h" /* includes SIZE_MAX */ diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 07be8884fe..fa3a0258fa 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -22,13 +22,14 @@ #include #include #include -#include #include #include #include #include #include -#include +#ifndef FIPS_MODULE +# include +#endif #include #include #include @@ -36,14 +37,16 @@ #include "internal/numbers.h" /* includes SIZE_MAX */ #include "internal/ffc.h" -#include "crypto/asn1.h" #include "crypto/evp.h" #include "crypto/dh.h" #include "crypto/dsa.h" #include "crypto/ec.h" #include "crypto/ecx.h" #include "crypto/rsa.h" -#include "crypto/x509.h" +#ifndef FIPS_MODULE +# include "crypto/asn1.h" +# include "crypto/x509.h" +#endif #include "internal/provider.h" #include "evp_local.h" diff --git a/crypto/evp/pmeth_check.c b/crypto/evp/pmeth_check.c index 112965e794..2ecf2d0251 100644 --- a/crypto/evp/pmeth_check.c +++ b/crypto/evp/pmeth_check.c @@ -13,7 +13,9 @@ #include #include #include "crypto/bn.h" -#include "crypto/asn1.h" +#ifndef FIPS_MODULE +# include "crypto/asn1.h" +#endif #include "crypto/evp.h" #include "evp_local.h" diff --git a/crypto/evp/pmeth_gn.c b/crypto/evp/pmeth_gn.c index 2d96e3c227..af3d990869 100644 --- a/crypto/evp/pmeth_gn.c +++ b/crypto/evp/pmeth_gn.c @@ -16,7 +16,9 @@ #include #include #include "crypto/bn.h" -#include "crypto/asn1.h" +#ifndef FIPS_MODULE +# include "crypto/asn1.h" +#endif #include "crypto/evp.h" #include "evp_local.h" diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index 1256e981eb..c214163588 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -15,15 +15,18 @@ #include #include -#include +#ifndef FIPS_MODULE +# include +#endif #include -#include #include #include #include #include #include "internal/cryptlib.h" -#include "crypto/asn1.h" +#ifndef FIPS_MODULE +# include "crypto/asn1.h" +#endif #include "crypto/evp.h" #include "crypto/dh.h" #include "crypto/ec.h" diff --git a/crypto/rsa/rsa_backend.c b/crypto/rsa/rsa_backend.c index e824dcaf3c..85ad54e4cf 100644 --- a/crypto/rsa/rsa_backend.c +++ b/crypto/rsa/rsa_backend.c @@ -18,9 +18,12 @@ #include #include #include +#ifndef FIPS_MODULE +# include +# include "crypto/asn1.h" +#endif #include "internal/sizes.h" #include "internal/param_build_set.h" -#include "crypto/asn1.h" #include "crypto/rsa.h" #include "rsa_local.h" diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index 70eaa59a8b..6433282597 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -15,7 +15,9 @@ #include #include -#include +#ifndef FIPS_MODULE +# include +#endif #include #include #include "internal/cryptlib.h" diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c index 21a2e9d727..c5a664dc0b 100644 --- a/crypto/rsa/rsa_sign.c +++ b/crypto/rsa/rsa_sign.c @@ -18,22 +18,22 @@ #include #include #include -#include -#include "crypto/x509.h" -#ifndef OPENSSL_NO_MD2 -# include /* uses MD2_DIGEST_LENGTH */ -#endif -#ifndef OPENSSL_NO_MD4 -# include /* uses MD4_DIGEST_LENGTH */ -#endif -#ifndef OPENSSL_NO_MD5 -# include /* uses MD5_DIGEST_LENGTH */ -#endif -#ifndef OPENSSL_NO_MDC2 -# include /* uses MDC2_DIGEST_LENGTH */ -#endif -#ifndef OPENSSL_NO_RMD160 -# include /* uses RIPEMD160_DIGEST_LENGTH */ +#ifndef FIPS_MODULE +# ifndef OPENSSL_NO_MD2 +# include /* uses MD2_DIGEST_LENGTH */ +# endif +# ifndef OPENSSL_NO_MD4 +# include /* uses MD4_DIGEST_LENGTH */ +# endif +# ifndef OPENSSL_NO_MD5 +# include /* uses MD5_DIGEST_LENGTH */ +# endif +# ifndef OPENSSL_NO_MDC2 +# include /* uses MDC2_DIGEST_LENGTH */ +# endif +# ifndef OPENSSL_NO_RMD160 +# include /* uses RIPEMD160_DIGEST_LENGTH */ +# endif #endif #include /* uses SHA???_DIGEST_LENGTH */ #include "crypto/rsa.h" diff --git a/include/crypto/dh.h b/include/crypto/dh.h index 8613f9038e..f6be4ae006 100644 --- a/include/crypto/dh.h +++ b/include/crypto/dh.h @@ -14,7 +14,6 @@ # include # include # include -# include # include "internal/ffc.h" DH *ossl_dh_new_by_nid_ex(OSSL_LIB_CTX *libctx, int nid); diff --git a/include/crypto/dsa.h b/include/crypto/dsa.h index dad056bb28..eedbd8c7d1 100644 --- a/include/crypto/dsa.h +++ b/include/crypto/dsa.h @@ -13,7 +13,6 @@ # include # include -# include # include "internal/ffc.h" #define DSA_PARAMGEN_TYPE_FIPS_186_4 0 /* Use FIPS186-4 standard */ diff --git a/include/crypto/ec.h b/include/crypto/ec.h index 77972c3650..62163b31ac 100644 --- a/include/crypto/ec.h +++ b/include/crypto/ec.h @@ -24,7 +24,6 @@ int evp_pkey_ctx_set_ec_param_enc_prov(EVP_PKEY_CTX *ctx, int param_enc); # ifndef OPENSSL_NO_EC # include # include -# include # include "crypto/types.h" /*- diff --git a/include/crypto/ecx.h b/include/crypto/ecx.h index 82671a8f4d..48b95fa5ba 100644 --- a/include/crypto/ecx.h +++ b/include/crypto/ecx.h @@ -20,7 +20,6 @@ # include # include # include -# include # include "internal/refcount.h" # include "crypto/types.h" diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h index cc67e1f709..100e7ceb05 100644 --- a/include/crypto/rsa.h +++ b/include/crypto/rsa.h @@ -13,7 +13,6 @@ # include # include -# include # include "crypto/types.h" #define RSA_MIN_MODULUS_BITS 512 diff --git a/providers/common/include/prov/provider_util.h b/providers/common/include/prov/provider_util.h index 1f6f4687ad..fa73e46506 100644 --- a/providers/common/include/prov/provider_util.h +++ b/providers/common/include/prov/provider_util.h @@ -8,7 +8,7 @@ */ #include -#include +#include typedef struct { /* diff --git a/providers/common/provider_util.c b/providers/common/provider_util.c index 30fe7c6b21..662175c2f3 100644 --- a/providers/common/provider_util.c +++ b/providers/common/provider_util.c @@ -14,6 +14,9 @@ #include #include #include +#ifndef FIPS_MODULE +# include +#endif #include "prov/provider_util.h" #include "internal/nelem.h" diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums index 37693cd562..3e01b0c295 100644 --- a/providers/fips-sources.checksums +++ b/providers/fips-sources.checksums @@ -122,13 +122,13 @@ eeef5722ad56bf1af2ff71681bcc8b8525bc7077e973c98cee920ce9bcc66c81 crypto/des/ecb 70f4cf3485a38cd7d22aa3e965bfe950905f8efec1622e832592a6728498fd78 crypto/dh/dh_group_params.c 7809cbfd5570db17dcb4bd8f0cf9c5f94337096d39da453d0624c08f071e809f crypto/dh/dh_kdf.c c71b8691416a61c306ea0973ca22570a56d3e9e93618a3eb2fd7b9d9a789ca44 crypto/dh/dh_key.c -100aec90d54161ea0f03c6e62b889283e80ef0f73c88d8ae5bc8ad6c17365da3 crypto/dh/dh_lib.c +b0046b2c4e1d74ff4e93f2486a00f63728909b8a75cbdd29b9100e607f97995c crypto/dh/dh_lib.c 8300775d88db0a1aa26a77eb49d6c4f7252e7fee69e1440de4c40edadc9da044 crypto/dh/dh_local.h 27d0ea795bb7f571ba37b7460eee63608b9089a95337491c0980b91135563e15 crypto/dsa/dsa_backend.c b9c5992089203123c3fae46e39bb4d05e19854087bca7a30ad1f82a3505deec7 crypto/dsa/dsa_check.c ae727bf6319eb57e682de35d75ea357921987953b3688365c710e7fba51c7c58 crypto/dsa/dsa_gen.c b1de1624e590dbf76f76953802ff162cc8de7c5e2eaba897313c866424d6902b crypto/dsa/dsa_key.c -c6b05c784a18e7b9f2d8dfcca8e93eb445b02c9e9eaa64087e00fb44f233962e crypto/dsa/dsa_lib.c +9e436a2e0867920c3a5ac58bc14300cad4ab2c4c8fe5e40b355dfd21bfdfe146 crypto/dsa/dsa_lib.c f4d52d3897219786c6046bf76abb2f174655c584caa50272bf5d281720df5022 crypto/dsa/dsa_local.h f88db9fd73a78e66967e56df442b55230f405b4cd804f31f8696324f0b702f15 crypto/dsa/dsa_ossl.c b57b648524bc7dd98f8e2737f4e87b5578c7921df59b1df4a03a34e23e977e8a crypto/dsa/dsa_sign.c @@ -161,12 +161,12 @@ f6447921a0031fa5beddedd298e82096fb3fdb189b712fab328b61f6beae0c23 crypto/ec/curv ae1637d89287c9d22a34bdc0d67f6e01262a2f8dcef9b61369dba8c334f5a80d crypto/ec/ec2_oct.c 6bbbf570ce31f5b579f7e03ec9f8a774663c7c1eb5e475bd31f8fee94a021ffc crypto/ec/ec2_smpl.c 69d64accd498583e65df2dc43730eee2922217a7bfefda2cd1a9da176e3d1dcd crypto/ec/ec_asn1.c -4ec7fe2efa0e55316ac4bb8507c7a37360339070c406c2623c38c5a541ac65d6 crypto/ec/ec_backend.c +c07fa05c6885e59913e2ce345ff52ef9dfb0418842de3affa6163ad3e71f9c1b crypto/ec/ec_backend.c 86e2becf9b3870979e2abefa1bd318e1a31820d275e2b50e03b17fc287abb20a crypto/ec/ec_check.c 265f911b9d4aada326a2d52cd8a589b556935c8b641598dcd36c6f85d29ce655 crypto/ec/ec_curve.c 8cfd0dcfb5acbf6105691a2d5e2826dba1ff3906707bc9dd6ff9bffcc306468f crypto/ec/ec_cvt.c -d0166f55170de91e37fd2848ff617b43fb429fc87c28c7879a2bc7c784ce921f crypto/ec/ec_key.c -7b34605e017eb81037344538f917c32d3ab85c744a819617e012bab73c27dd68 crypto/ec/ec_kmeth.c +28726bc957ea821639b1023e5bff0e77ced61bae31f96c165e33aadfe0bc5c9a crypto/ec/ec_key.c +7e40fc646863e0675bbb90f075b809f61bdf0600d8095c8366858d9533ab7700 crypto/ec/ec_kmeth.c 2db28a620fa62889c816dca25bb1153c99af2e8604beb3b1655495da96f2c965 crypto/ec/ec_lib.c a8a4690e42b4af60aad822aa8b16196df337906af53ea4db926707f7b596ff27 crypto/ec/ec_local.h fa901b996eb0e460359cd470843bdb03af7a77a2f1136c5e1d30daef70f3e4d2 crypto/ec/ec_mult.c @@ -186,27 +186,27 @@ b4b7c683279454ba41438f50a015cb63ef056ccb9be0168918dfbae00313dc68 crypto/ec/ecp_ 22c44f561ab42d1bd7fd3a3c538ebaba375a704f98056b035e7949d73963c580 crypto/ec/ecx_key.c 6618159105f23d5b2aa03d806d66f9c7a0b97298fe1e8ec7d503b066d627b31d crypto/evp/asymcipher.c 0e75a058dcbbb62cfe39fec6c4a85385dc1a8fce794e4278ce6cebb29763b82b crypto/evp/dh_support.c -c877405c475e7df094f3f09a3e632c8cb98b7939a96bc18fc2fec06abd2f3051 crypto/evp/digest.c +847e039a249a1f9af42dfc6427de2ad4925f1116f86619dd420cf8cec9d3bbfe crypto/evp/digest.c 5e2c5d865029ae86855f15e162360d091f28ca0d4c67260700c90aa25faf308b crypto/evp/ec_support.c -323ea0f84844e7bac88079954c07c0af826c078605422ae41b6247d9bbfea5fb crypto/evp/evp_enc.c +bd8cdd250f64cc314133a1c3cdef8eba3de5a40f1a9ef1d26729c5361690a368 crypto/evp/evp_enc.c b6f77874575329b66f98359e52505d6f30f8ea1c2f20aacff54a9ef89fb3eece crypto/evp/evp_fetch.c -1fd35db4c01159b8b86434f896c1484c7a013ba5af5f7798d05193e383f7b01d crypto/evp/evp_lib.c +3998f2fa31d2e5de0051c28046dbd87f8ae9a3a23a73b7aee77618df382896b5 crypto/evp/evp_lib.c 34574e474d3f5daf24981200cae9e24a427d165cd43d8fb738844fa9b0fc991f crypto/evp/evp_local.h -0da611ac7202866afee2f66797e8d9b80c08c4614b82a6a1f6d83931eef3e17c crypto/evp/evp_rand.c +e822c16fc4dc30f2c86e8598c721a9ddfe46d318ce78f4e8e883cdcf8b936221 crypto/evp/evp_rand.c 2a128617ec0178e9eeacbe41d75a5530755f41ea524cd124607543cf73456a0c crypto/evp/evp_utils.c befe4e1ec273973748a9fff49d8510873737ea04d86eac70c2e11bbb0d874ca1 crypto/evp/exchange.c -6bcf946bc6aeb6a8350b17ab16759a9db03cfc025637a296de2999ca254a6317 crypto/evp/kdf_lib.c +a3164e3247e2a38f4f9a20db463779b5260e4e6639ac8eec6e960b265fc8cce5 crypto/evp/kdf_lib.c 1d72f5506984df1df8606e8c7045f041cf517223e2e1b50c4da8ba8bf1c6c186 crypto/evp/kdf_meth.c f88b3d178f0d5e7bcd250fd2b3d2fabb19f05f3ecc0627c100c5418e9fdd0ade crypto/evp/kem.c -8abe5c279753ab6ee8ad9672429b60c6db9f430741ca2b167998950e5efec468 crypto/evp/keymgmt_lib.c -37c9b9f51863b01c9cd373360e110e53e77d410d70971be0fab8b75314fdd610 crypto/evp/keymgmt_meth.c -39bce1fb6dab7892da1665276ce45645ded5f0206e29c2ce209d51a2b9f4a54d crypto/evp/m_sigver.c +df82657d18fb15d4da3218e33e7326248db509443304889b1dbee5810cbcb78b crypto/evp/keymgmt_lib.c +7b850a8f7e7c5018546541254cd33da479834c47273b5018fdcb8a9ccf77f522 crypto/evp/keymgmt_meth.c +e1a052839b8b70dca20dbac1282d61abd1c415bf4fb6afb56b811e8770d8a2e1 crypto/evp/m_sigver.c f9988dfed6253c30b08a966496f188763671cb72a2fcb25455f65f8d270027cc crypto/evp/mac_lib.c e7e8eb5683cd3fbd409df888020dc353b65ac291361829cc4131d5bc86c9fcb3 crypto/evp/mac_meth.c -5baffd0e611a0cc84a39dacc2c12d72ce6d8b4c889e7c7d0c5564c7789c08a5f crypto/evp/p_lib.c -b7e9ce6e8a35e0fc5b4eb4c047cda1e811b757669dbfafa71e743d85e07817a4 crypto/evp/pmeth_check.c -9d68dcfd474720779a236d760cb070fc56422b502e0bbdabe8721139cbd70cc6 crypto/evp/pmeth_gn.c -00367193c23aeadb3a7f250f5cef17dcdc1413510be67e80eeea54020d803406 crypto/evp/pmeth_lib.c +0b3714cb5ff9deb5e17081b8dc12922910de9b8693e644dd2ac67a53fe25c7ff crypto/evp/p_lib.c +c7323b477b512701e27b28c2e328068593755e2b7ad537e8c21406c4e7bef789 crypto/evp/pmeth_check.c +bbce11755bcc5ba2ee8e9c1eb95905447136f614fdc2b0f74cf785fe81ead6a5 crypto/evp/pmeth_gn.c +c95daaba3fe5389509d7c2c3d4b76c63a7183c14c52e5623be820931dfce39a8 crypto/evp/pmeth_lib.c c2158cf4f1d149889746665501035f38049dc1cdcea8c61cd377c0c3be6b8a43 crypto/evp/signature.c b06cb8fd4bd95aae1f66e1e145269c82169257f1a60ef0f78f80a3d4c5131fac crypto/ex_data.c 00ca3b72cd56308aabb2826b6a400c675526afa7efca052d39c74b2ac6d137d8 crypto/ffc/ffc_backend.c @@ -239,7 +239,7 @@ a4e9f2e496bd9362b17a1b5989aa4682647cefcff6117f0607122a9e11a9dfd9 crypto/modes/a 1611e73dc1e01b5c2201f51756a7405b7673aa0bb872e2957d1ec80c3530486f crypto/modes/ccm128.c d8c2f256532a4b94db6d03aea5cb609cccc938069f644b2fc77c5015648d148d crypto/modes/cfb128.c af1c034152d82b29cb7c938c8516cfd136b62bac0908c1d40eb50790d23b288c crypto/modes/ctr128.c -9168100d4a8ce4aecc757efefea4e68e1fe8d3469a1238681884f7eb9cc59b89 crypto/modes/gcm128.c +6b96ab27237cb01a6a7e031abd71b5f14c08cfa13ad4c8e8f9f29cbe31f70a5b crypto/modes/gcm128.c bdf25257b15eca206be4d950d2dd807ca5f058f91f54edbd7a0d312ed83eef8e crypto/modes/ofb128.c e55a816c356b2d526bc6e40c8b81afa02576e4d44c7d7b6bbe444fb8b01aad41 crypto/modes/wrap128.c 608a04f387be2a509b4d4ad414b7015ab833e56b85020e692e193160f36883a2 crypto/modes/xts128.c @@ -261,11 +261,11 @@ d0af10d4091b2032aac1b7db80f8c2e14fa7176592716b25b9437ab6b53c0a89 crypto/provide 5ba2e1c74ddcd0453d02e32612299d1eef18eff8493a7606c15d0dc3738ad1d9 crypto/provider_predefined.c 5d16318d3a36b06145af74afa3523109768990a33457c81895c7ab8a830654f8 crypto/rand/rand_lib.c fd03b9bb2c23470fa40880ed3bf9847bb17d50592101a78c0ad7a0f121209788 crypto/rand/rand_local.h -a6841319cb6e9970a3c3f8adb619086310e4b56d1f52448ef2e2caaeface4146 crypto/rsa/rsa_backend.c +8b93871f1f0392704d29028b8c93281be62cf02d0f79f9831bdabcd7a378df5b crypto/rsa/rsa_backend.c 38a102cd1da1f6ca5a46e6a22f018237964336274385f5c70cbedcaa6997647e crypto/rsa/rsa_chk.c e32cfa04221a2a3ea33f7bcb93ee51b84cbeba97e94c1fbf6e420b24f97fc9ce crypto/rsa/rsa_crpt.c 21794dcb6bfebcf9a14d4f8aa7fab8f745b595433b388b55f46ba6e615d90f98 crypto/rsa/rsa_gen.c -20d8e6f066c1c3de599e4e1f3295418e28dde05fe7e664d1cb20f88e204eed06 crypto/rsa/rsa_lib.c +74ed75d1d8e0844800504a137bfd81c3dbcb6c4bd58b5d5fe9d0a362092b6e88 crypto/rsa/rsa_lib.c a65e85be5269d8cb88e86b3413c978fa8994419a671092cbf104ff1a08fda23b crypto/rsa/rsa_local.h cf0b75cd54b61b9b9a290ef18d0ddce9fb26a029a54eb3f720d9b25188440f00 crypto/rsa/rsa_mp_names.c 5c60f6e05db82e13178d805deb1947b8eee4a905e6e77523d3b288da70a46bb5 crypto/rsa/rsa_none.c @@ -274,7 +274,7 @@ a2fd2e4e31ec53d01a575ccaf03bad5a270412ff66804cf0b5fa40492b89181d crypto/rsa/rsa be3f39c1fcb777d6c0122061f9ef735d10a6bee95d67fcc1ca6ae2a664022d2b crypto/rsa/rsa_pk1.c 174a42e156be48927fe6d6bf0d95575619b8e643a99761275bff933bc3449722 crypto/rsa/rsa_pss.c bf6d300b7e7e9e512a47c5bd1f8713806ae3033a140d83dfae4a16ad58d11170 crypto/rsa/rsa_schemes.c -3f269305314a812a343d74c182bff0a747e465c686af31ccc82f9adfa8616836 crypto/rsa/rsa_sign.c +f01af62704dbf9457e2669c3e7c1d4d740f0388faa49df93611b987a8aa2bf11 crypto/rsa/rsa_sign.c 740c022caff3b2487c5838b581cdddcc7de2ceabb504aad72dc0dd70a67bf7cf crypto/rsa/rsa_sp800_56b_check.c 20e54cf2a8fd23ced0962c5f358cedd8ec0c398a87d33b34f1a4326d11e4892e crypto/rsa/rsa_sp800_56b_gen.c 1c1c2aeeb18bf1d69e8f134315b7e50d8f43d30eb1aa5bf42983eec9136a2fdc crypto/rsa/rsa_x931.c @@ -336,7 +336,6 @@ a41ae93a755e2ec89b3cb5b4932e2b508fdda92ace2e025a2650a6da0e9e972c crypto/threads fd6c27cf7c6b5449b17f2b725f4203c4c10207f1973db09fd41571efe5de08fd crypto/x86_64cpuid.pl d13560a5f8a66d7b956d54cd6bf24eade529d686992d243bfb312376a57b475e e_os.h 811d6a848c55328dfa97761aba74c785f971a874e14bf5efda5431893fde3bf0 include/crypto/aes_platform.h -314b950cc99c28d22ea310f6bbb4d746cefc2a90071de1563917264d6d06ca6f include/crypto/asn1.h 8c6f308c1ca774e6127e325c3b80511dbcdc99631f032694d8db53a5c02364ee include/crypto/asn1_dsa.h 8ce1b35c6924555ef316c7c51d6c27656869e6da7f513f45b7a7051579e3e54d include/crypto/bn.h 1c46818354d42bd1b1c4e5fdae9e019814936e775fd8c918ca49959c2a6416df include/crypto/bn_conf.h.in @@ -344,22 +343,21 @@ d13560a5f8a66d7b956d54cd6bf24eade529d686992d243bfb312376a57b475e e_os.h e69b2b20fb415e24b970941c84a62b752b5d0175bc68126e467f7cc970495504 include/crypto/cryptlib.h 5ee1ea30382bef9869f29b6610665ca304f3b9cf3653746a2d02c64b1a24f103 include/crypto/ctype.h 3036fb7a2e1f32e3e53e2bd1cf24acbf18705d75f9ce9de6d2945a6e7c3fb4e0 include/crypto/des_platform.h -c7bef6ee3e29950650275470be540d182e1c6b9ccb30b45d97b3ad2911d14fca include/crypto/dh.h -c6d99cc3f9ce38c44220576835e18fbce854769c06bb4a8eaa47167e67e7b244 include/crypto/dsa.h -e6c51d2758229195585e8164deae782d9b5d4f6992571ff70b41b3ee2c9f5c5d include/crypto/ec.h -33a436599b6ac6b30fce96f312054a2453b582c5a897b6d66cfcf0d83955c3fd include/crypto/ecx.h -1c44d15f1331be058b35dab92380f3f74c4f399eba7af3ed5402abba406acaf5 include/crypto/evp.h +830da1513661794e979f7cca2bba1792224e3b3d20d4f10f6f5c6566d9b7e723 include/crypto/dh.h +7ddd70f02371c7bd190414369d2bbe7c9c6d2de085dfe1e3eab0c4082f803ca1 include/crypto/dsa.h +2ea47c059e84ce9d14cc31f4faf45f64d631de9e2937aa1d7a83de5571c63574 include/crypto/ec.h +edbfae8720502a4708983b60eac72aa04f031059f197ada31627cb5e72812858 include/crypto/ecx.h +c7bb494047191ae3990793e53348b8f8353aa54805443a8b78303cd66f384c61 include/crypto/evp.h bbe5e52d84e65449a13e42cd2d6adce59b8ed6e73d6950917aa77dc1f3f5dff6 include/crypto/lhash.h 162812058c69f65a824906193057cd3edeabc22f51a4220aea7cb9064379a9b6 include/crypto/md32_common.h f12bfc145290444bcc7bf408874bded348e742443c145b8b5bc70ae558d96c31 include/crypto/modes.h 763ec96091c828c16278873eb32665bfc70624dbd3809cb8043d19dc16e84d22 include/crypto/rand.h 90930fc8788d6e04e57829346e0405293ac7a678c3cef23d0692c742e9586d09 include/crypto/rand_pool.h -bb6676c9975fff5c4e8f7c2ff9fd5a1a9c784a0f3c1d1bf1d711c23d55e1da70 include/crypto/rsa.h +bd5ce686c97a8a3a0e3d7ca1e4f16706fd51df5da9673169303a4428d62da233 include/crypto/rsa.h 32f0149ab1d82fddbdfbbc44e3078b4a4cc6936d35187e0f8d02cc0bc19f2401 include/crypto/security_bits.h 0f743762f646656b5480648c05632575fe8acc7506460c63e0fcdf42cf20c08a include/crypto/sha.h 7676b02824b2d68df6bddeb251e9b8a8fa2e35a95dad9a7ebeca53f9ab8d2dad include/crypto/sparse_array.h 5bfeea62d21b7cb43d9a819c5cd2800f02ea019687a8331abf313d615889ad37 include/crypto/types.h -b0e2073dcf0e4f80f221f98d980f1d63c3effc6825c64c9a7b1038444eb70b49 include/crypto/x509.h a1778b610a244f49317a09e1e6c78b5fb68bc6d003ffdea0f6eefe5733ee5b5f include/internal/bio.h 92aacb3e49288f91b44f97e41933e88fe455706e1dd21a365683c2ab545db131 include/internal/constant_time.h 28195bbbe81d831792f07485287fd3ac400e03f1f1733a19e3f7115c0f1828f6 include/internal/core.h @@ -417,41 +415,28 @@ bc9ec2be442a4f49980ba2c63c8f0da701de1f6e23d7db35d781658f833dd7b9 include/openss cbbf74efc7fdb020f06840c856ad7fe97553944f4cc3c197fbb004de38158048 include/openssl/ecerr.h 61c76ee3f12ed0e42503a56421ca00f1cb9a0f4caa5f9c4421c374bcd45917d7 include/openssl/encoder.h 69dd983f45b8ccd551f084796519446552963a18c52b70470d978b597c81b2dc include/openssl/encodererr.h -171a780183dd91350d2f7abed7ded9ce80dfdec8afaab5adcd843514bdbc7a43 include/openssl/engine.h -fb510978001ebea15eee4c4c6cbeebb126a66e11117e6f6d9b9fb4be5057b92c include/openssl/engineerr.h 0b8f934c1a2f9cff5f37a2ac52f79483d005d48ce85de1a0a8d7825fbc94a0c9 include/openssl/err.h.in f82bb2f5aa1c50e9842f9cb6a8e8acd880a579aa608aeecd193b114bc7563ab3 include/openssl/evp.h 5bd1b5dcd14067a1fe490d49df911002793c0b4f0bd4492cd8f71cfed7bf9f2a include/openssl/evperr.h 5381d96fe867a4ee0ebc09b9e3a262a0d7a27edc5f91dccfb010c7d713cd0820 include/openssl/fips_names.h b1d41beba560a41383f899a361b786e04f889106fb5960ec831b0af7996c9783 include/openssl/fipskey.h.in 47a088c98ad536ea99f2c6a9333e372507cb61b9bdffb930c586ed52f8f261eb include/openssl/hmac.h -d454024c7bd34dda6cbeffad51fd0d39740b19b41d59b1740447c34da9241588 include/openssl/http.h faab8accc9520269dd874126ae164a43526d5784e6280521c7ab3772c02b0a0c include/openssl/kdf.h c6db6926e90c9efd530a7bdb018be8c62f2c2b3c2f7b90228e9f73b8437dd785 include/openssl/lhash.h.in fd5c049ac6c3498750fa8f8dcbf88b2a31c02fa62dfe43a33d7b490fb86f61c8 include/openssl/macros.h -4ec92db58402e93d967bf7f69616e7d9b169aa337bfeb266b5f748ca6c9fb639 include/openssl/md4.h -6e73e6ead21c841f2af694a4363680afb58b20fc51dd457964c2040b4d8b8816 include/openssl/md5.h -bb1f2272e984100231add6a62a9a01126eecb447a2293b103b4a7f6bcd714789 include/openssl/mdc2.h 9184207c562fd1fa7bd3a4f1fadcb984130561279818f0cdfcf3e9c55be8a7d1 include/openssl/modes.h 7c71200e35f4cc1b4011a4bc14e521e4dc037b9b2d640a74bc30ef334b813de3 include/openssl/obj_mac.h 157797b450215f973eb10be96a04e58048ab9c131ad29427e80d0e37e230ed98 include/openssl/objects.h d25537af264684dff033dd8ae62b0348f868fcfec4aa51fa8f07bcfa4bd807ad include/openssl/objectserr.h -b668680d98db6a6c8aebc747b7602cf52179614c684144d38c34c47c9131af40 include/openssl/ocsp.h.in -d77660e0b2d89c4a2359a81c4a04066719420eb4295d8acf679501cd13bf0b1d include/openssl/ocsperr.h fe6acd42c3e90db31aaafc2236a7d30ebfa53c4c07ea4d8265064c7fcb951970 include/openssl/opensslconf.h 1bf52d136e94f727a96651c1f48ad040482f35dae152519ccd585efd410b92f0 include/openssl/opensslv.h.in 767d9d7d5051c937a3ce8a268c702902fda93eeaa210a94dfde1f45c23277d20 include/openssl/param_build.h 30085f4d1b4934bb25ffe7aa9a30859966318a1b4d4dcea937c426e90e6e1984 include/openssl/params.h -180a49cae0dfdf7975466f922b1950a998736924926d7588b5592ba903813349 include/openssl/pem.h -fb453de1abc5ec8410586593921a66757441ecbfc4273349ddc6257c503a2000 include/openssl/pemerr.h -74305b1bd8575cd0ef6c86eb1edd89a9a144b84d39d7f6740b7ce8cdad6f9d9c include/openssl/pkcs7.h.in -8394828da6fd7a794777320c955d27069bfef694356c25c62b7a9eb47cd55832 include/openssl/pkcs7err.h 097615b849375e2903967521f76c570512e5be47b8159fdbcd31e433f8a4cca7 include/openssl/prov_ssl.h 90fb37a1a564b989afca658dae8c78b0ba72ac1f4d1ffc0c52eb93e74e144603 include/openssl/proverr.h b97e8ad49b38683817387596aefec0abd5f4d572643beef48be4f7acba26768d include/openssl/provider.h 7c9b5f479d9b22cfc8db0976dddfc2a1ee6e757b436e01a2b4d2744bcb6d81a5 include/openssl/rand.h e3545298f0cdf598a3419416ce20acd0119c0e88557a13d52c5b1a0117ee643e include/openssl/randerr.h -44246a82a6515c932a6ba834fbab8ee2a82b91db977367e8de07a8f529d2f045 include/openssl/ripemd.h c1015b77c444a3816d2ea7ad770f1c3b79a1e54887930af6dd662895701f3323 include/openssl/rsa.h 2f339ba2f22b8faa406692289a6e51fdbbb04b03f85cf3ca849835e58211ad23 include/openssl/rsaerr.h 6586f2187991731835353de0ffad0b6b57609b495e53d0f32644491ece629eb2 include/openssl/safestack.h.in @@ -459,15 +444,8 @@ c7da25794eb70f0cbc2457f4cb87e8d04dc3512b509034ff1db7285961952963 include/openss 2964274ab32b1ba8578a06b06663db2eda4317ae806369271d889176bb5a7d04 include/openssl/sha.h c169a015d7be52b7b99dd41c418a48d97e52ad21687c39c512a83a7c3f3ddb70 include/openssl/stack.h 22d7584ad609e30e818b54dca1dfae8dea38913fffedd25cd540c550372fb9a6 include/openssl/symhacks.h -12026c3aa4b14d9083999a7e5098bd4273a4f2004ff1d397d65710b3d4bc6e2b include/openssl/trace.h +97e10e7745f2589f3a19704b4f78d28d7118fbb353b33bd30325606cf15bdc89 include/openssl/trace.h 873d2ec2054ec24c52df4abe830cb2b9666fe4e75cc62b4de0f50ef9d20c5812 include/openssl/types.h -f37b0da67078c8c220c442499e02f92dfe240f6d77ec942f2a562a18f338284a include/openssl/ui.h.in -558433ae747ebf3d9a71d583b7a7ee8c5476f3bef38d97a1f88bdcace4c2f311 include/openssl/uierr.h -509c97837d73abeac39b0e06a24a4ff5a83520f8df49d5af56ed3ed76ec4290f include/openssl/x509.h.in -37aa2d54d71575690e29055e2a453f1200a6023885ef787b6a50a34ba5f5c2b5 include/openssl/x509_vfy.h.in -9e6409eddfa13a469c1da6c5b562825381da2eb4da3c08546aa1182a4ec54726 include/openssl/x509err.h -8ddb7bd65c766317f6f20ff615e4d0ddc99bc4ee0d6ec149e3834b8d4fe11a05 include/openssl/x509v3.h.in -f78e901b2260416773c6d7933de8771a03bbb2cc3073809f3c1715d4276789ff include/openssl/x509v3err.h c0a9551efccf43f3dd748d4fd8ec897ddaabbc629c00ec1ad76ce983e1195a13 providers/common/bio_prov.c e7c39ef7b76668dae1470ce0edd7254da2937569762cebbf20e08fb97cb3324c providers/common/capabilities.c f94b7435d4ec888ec30df1c611afa8b9eedbb59e905a2c7cb17cfc8c4b9b85b8 providers/common/der/der_digests_gen.c.in @@ -493,7 +471,7 @@ ce605f32413b09d33ce5795de9498a08183895c3347f33344f9ae5d31c29ccac providers/comm 6c1fa3f229c6f049c3ac152c4c265f3eb056d94221b82df95a15400649690e93 providers/common/include/prov/der_wrap.h.in 76087f04f4de6414c240f88807659fb2a04af914108f0c5f2515a4cb5482f655 providers/common/include/prov/proverr.h 83a57505d88a6a9cc4f7781c9f7f4af07668e7923502dfd6c5960bb492c1d24e providers/common/include/prov/provider_ctx.h -7c4ea8ab097690f28755814192e6ddd78d023151edc83dc3d1e2feb3fbcba533 providers/common/include/prov/provider_util.h +03fcfea9ed6e23d1df7ffd230af15f0f9b91a6aa635f77b9cbe52d5112168d09 providers/common/include/prov/provider_util.h e1ef8b2be828a54312d6561b37751a5b6e9d5ebdb6c3e63589728c3d8adca7dc providers/common/include/prov/providercommon.h 73d0e15963759fcb7c5c434bb214b50bc32f6066e90ac07fb53dad11c2fd1939 providers/common/include/prov/securitycheck.h 737cc1228106e555e9bab24e3c2438982e04e05b0d5b9ee6995d71df16c49143 providers/common/provider_ctx.c @@ -583,9 +561,9 @@ a388e52f059331a8636c6b73fc7cc03c8d51a585f2a8ae1a5e21bd967db9f9f5 providers/impl 053a2be39a87f50b877ebdbbf799cf5faf8b2de33b04311d819d212ee1ea329b providers/implementations/keymgmt/kdf_legacy_kmgmt.c bcb51fe05014ade575494b44c55b1a0b3dc404e31ff7acee40bb2f63a8f6712f providers/implementations/keymgmt/mac_legacy_kmgmt.c 464d6f9236351e7dc3b991f5bba142c7aabcf2db3c236367332a9dd0308ddfac providers/implementations/keymgmt/rsa_kmgmt.c -e25c8bfd205b0842ba8e7a0cbcf9f86b78c7d4d093655b8d45b23b8653d7358d providers/implementations/macs/cmac_prov.c -c774e2791484ea9a1ffed69958f9d05c139bbf53603a9621ae76c6e89c36e5b1 providers/implementations/macs/gmac_prov.c -4d1d73b64f9fd1473a4b70c92fae2ad87aa30b6ec6d946d408deb251c0ef70c1 providers/implementations/macs/hmac_prov.c +79da66d4b696388d7eab6b2126bccc88908915813d79c4305b8b4d545a500469 providers/implementations/macs/cmac_prov.c +41464d1e640434bb3ff9998f093829d5e2c1963d68033dca7d31e5ab75365fb1 providers/implementations/macs/gmac_prov.c +282c1065f18c87073529ed1bdc2c0b3a1967701728084de6632ddc72c671d209 providers/implementations/macs/hmac_prov.c aa7ba1d39ea4e3347294eb50b4dfcb895ef1a22bd6117d3b076a74e9ff11c242 providers/implementations/macs/kmac_prov.c bf30274dd6b528ae913984775bd8f29c6c48c0ef06d464d0f738217727b7aa5c providers/implementations/rands/crngt.c f6c4b38dd1c22d562ef8b172218b688070336dc43550f40af01bb2e77eb3ea4d providers/implementations/rands/drbg.c @@ -600,4 +578,4 @@ f9eac5acc880756ab17c9e00b7707fa6bf882026cbca21ce67aadcf560352120 providers/impl 762b49aa68fa7cd15c0496c35a23acb85df9588c8bb4ecb54438f86cc06ce13d providers/implementations/signature/mac_legacy_sig.c ac8f4452ea236ef877d13bc787f53f117722025c9c74874c6d2cc541382a8953 providers/implementations/signature/rsa_sig.c 737b9afe8f03f58797034ae906f982179677f5a9cf42965468f7126cf15e6694 ssl/record/tls_pad.c -accefe92a493af8334bc3b5d4d2845eaa0278816c028c91d2b85bce8ead7f9fd ssl/s3_cbc.c +3f2e01a98d9e3fda6cc5cb4b44dd43f6cae4ec34994e8f734d11b1e643e58636 ssl/s3_cbc.c diff --git a/providers/fips.checksum b/providers/fips.checksum index 191d14b3e3..09e13bd14b 100644 --- a/providers/fips.checksum +++ b/providers/fips.checksum @@ -1 +1 @@ -b9b5778d372dcad1d32aa23b2f5920b42af8f41a70e349410c4ccb57e5ccb8b0 providers/fips-sources.checksums +ac2360dcca0e5aac97a9275615ca82111479511fdd51b607a02e7fd52fa7ee7e providers/fips-sources.checksums diff --git a/providers/fips.module.sources b/providers/fips.module.sources index 058db4a3c3..53c1fb947a 100644 --- a/providers/fips.module.sources +++ b/providers/fips.module.sources @@ -336,7 +336,6 @@ crypto/threads_win.c crypto/x86_64cpuid.pl e_os.h include/crypto/aes_platform.h -include/crypto/asn1.h include/crypto/asn1_dsa.h include/crypto/bn.h include/crypto/bn_conf.h.in @@ -359,7 +358,6 @@ include/crypto/security_bits.h include/crypto/sha.h include/crypto/sparse_array.h include/crypto/types.h -include/crypto/x509.h include/internal/bio.h include/internal/constant_time.h include/internal/core.h @@ -417,41 +415,28 @@ include/openssl/ec.h include/openssl/ecerr.h include/openssl/encoder.h include/openssl/encodererr.h -include/openssl/engine.h -include/openssl/engineerr.h include/openssl/err.h.in include/openssl/evp.h include/openssl/evperr.h include/openssl/fips_names.h include/openssl/fipskey.h.in include/openssl/hmac.h -include/openssl/http.h include/openssl/kdf.h include/openssl/lhash.h.in include/openssl/macros.h -include/openssl/md4.h -include/openssl/md5.h -include/openssl/mdc2.h include/openssl/modes.h include/openssl/obj_mac.h include/openssl/objects.h include/openssl/objectserr.h -include/openssl/ocsp.h.in -include/openssl/ocsperr.h include/openssl/opensslconf.h include/openssl/opensslv.h.in include/openssl/param_build.h include/openssl/params.h -include/openssl/pem.h -include/openssl/pemerr.h -include/openssl/pkcs7.h.in -include/openssl/pkcs7err.h include/openssl/prov_ssl.h include/openssl/proverr.h include/openssl/provider.h include/openssl/rand.h include/openssl/randerr.h -include/openssl/ripemd.h include/openssl/rsa.h include/openssl/rsaerr.h include/openssl/safestack.h.in @@ -461,13 +446,6 @@ include/openssl/stack.h include/openssl/symhacks.h include/openssl/trace.h include/openssl/types.h -include/openssl/ui.h.in -include/openssl/uierr.h -include/openssl/x509.h.in -include/openssl/x509_vfy.h.in -include/openssl/x509err.h -include/openssl/x509v3.h.in -include/openssl/x509v3err.h providers/common/bio_prov.c providers/common/capabilities.c providers/common/der/der_digests_gen.c.in diff --git a/providers/implementations/keymgmt/mac_legacy_kmgmt.c b/providers/implementations/keymgmt/mac_legacy_kmgmt.c index e1e2609dfa..63553996bd 100644 --- a/providers/implementations/keymgmt/mac_legacy_kmgmt.c +++ b/providers/implementations/keymgmt/mac_legacy_kmgmt.c @@ -18,6 +18,9 @@ #include #include #include +#ifndef FIPS_MODULE +# include +#endif #include "internal/param_build_set.h" #include "prov/implementations.h" #include "prov/providercommon.h" diff --git a/providers/implementations/macs/cmac_prov.c b/providers/implementations/macs/cmac_prov.c index 2291276035..b44f13b5fa 100644 --- a/providers/implementations/macs/cmac_prov.c +++ b/providers/implementations/macs/cmac_prov.c @@ -16,7 +16,6 @@ #include #include #include -#include #include #include @@ -111,7 +110,7 @@ static int cmac_setkey(struct cmac_data_st *macctx, ossl_prov_cipher_cipher(&macctx->cipher), ossl_prov_cipher_engine(&macctx->cipher)); ossl_prov_cipher_reset(&macctx->cipher); - return rv; + return rv; } static int cmac_init(void *vmacctx, const unsigned char *key, diff --git a/providers/implementations/macs/gmac_prov.c b/providers/implementations/macs/gmac_prov.c index 29fb9f87df..89904fc89d 100644 --- a/providers/implementations/macs/gmac_prov.c +++ b/providers/implementations/macs/gmac_prov.c @@ -11,7 +11,6 @@ #include #include #include -#include #include #include #include diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c index 3a0679ce8f..78c4924a38 100644 --- a/providers/implementations/macs/hmac_prov.c +++ b/providers/implementations/macs/hmac_prov.c @@ -18,7 +18,6 @@ #include #include #include -#include #include #include diff --git a/providers/implementations/signature/mac_legacy_sig.c b/providers/implementations/signature/mac_legacy_sig.c index d9fd105289..06f79505ff 100644 --- a/providers/implementations/signature/mac_legacy_sig.c +++ b/providers/implementations/signature/mac_legacy_sig.c @@ -16,6 +16,9 @@ #include #include #include +#ifndef FIPS_MODULE +# include +#endif #include "prov/implementations.h" #include "prov/provider_ctx.h" #include "prov/macsignature.h" diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index b0e3496ba2..85f296b807 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -27,7 +27,9 @@ #include "internal/cryptlib.h" #include -#include +#ifndef FIPS_MODULE +# include +#endif #include char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx); From pauli at openssl.org Tue Jul 6 00:54:55 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 06 Jul 2021 00:54:55 +0000 Subject: [openssl] master update Message-ID: <1625532895.718971.23580.nullmailer@dev.openssl.org> The branch master has been updated via e54f0c9b2fe3dd2dcb5e8100e2c69e5b2f6eb681 (commit) from 2f61bc17d42bce0d5958cabc971f4f1343353fb3 (commit) - Log ----------------------------------------------------------------- commit e54f0c9b2fe3dd2dcb5e8100e2c69e5b2f6eb681 Author: Matt Caswell Date: Wed Jun 23 08:54:12 2021 +0100 Avoid "excessive message size" for session tickets We received a report of an "excessive message size" for a received session ticket. Our maximum size was significantly less than the theoretical maximum. The server may put any data it likes in the session ticket including (for example) the full certificate chain so we should be able to handle longer tickets. Update the value to the maximum allowed by the spec. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15877) ----------------------------------------------------------------------- Summary of changes: ssl/statem/statem_clnt.c | 3 ++- ssl/statem/statem_local.h | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 472a4a366b..d5aa8797ff 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -996,7 +996,8 @@ size_t ossl_statem_client_max_message_size(SSL *s) return CCS_MAX_LENGTH; case TLS_ST_CR_SESSION_TICKET: - return SSL3_RT_MAX_PLAIN_LENGTH; + return (SSL_IS_TLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13 + : SESSION_TICKET_MAX_LENGTH_TLS12; case TLS_ST_CR_FINISHED: return FINISHED_MAX_LENGTH; diff --git a/ssl/statem/statem_local.h b/ssl/statem/statem_local.h index 25bfdffc6c..1883b0166f 100644 --- a/ssl/statem/statem_local.h +++ b/ssl/statem/statem_local.h @@ -21,6 +21,8 @@ #define END_OF_EARLY_DATA_MAX_LENGTH 0 #define HELLO_RETRY_REQUEST_MAX_LENGTH 20000 #define ENCRYPTED_EXTENSIONS_MAX_LENGTH 20000 +#define SESSION_TICKET_MAX_LENGTH_TLS13 131338 +#define SESSION_TICKET_MAX_LENGTH_TLS12 65541 #define SERVER_KEY_EXCH_MAX_LENGTH 102400 #define SERVER_HELLO_DONE_MAX_LENGTH 0 #define KEY_UPDATE_MAX_LENGTH 1 From pauli at openssl.org Tue Jul 6 00:55:44 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 06 Jul 2021 00:55:44 +0000 Subject: [openssl] master update Message-ID: <1625532944.396468.3142.nullmailer@dev.openssl.org> The branch master has been updated via 866376432bc403adbdb447830d0a33ffcd5fb0fa (commit) from e54f0c9b2fe3dd2dcb5e8100e2c69e5b2f6eb681 (commit) - Log ----------------------------------------------------------------- commit 866376432bc403adbdb447830d0a33ffcd5fb0fa Author: Shane Lontis Date: Fri Jun 25 12:01:13 2021 +1000 Add test for provider gettables Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15970) ----------------------------------------------------------------------- Summary of changes: test/provider_status_test.c | 74 ++++++++++++++++++++++++++++++---- test/recipes/30-test_provider_status.t | 29 ++++++++++--- 2 files changed, 90 insertions(+), 13 deletions(-) diff --git a/test/provider_status_test.c b/test/provider_status_test.c index fb52fa67f0..551277c8e0 100644 --- a/test/provider_status_test.c +++ b/test/provider_status_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -103,6 +103,43 @@ static int self_test_on_load(const OSSL_PARAM params[], void *arg) return self_test_events(params, arg, "On Loading", 0); } +static int get_provider_params(const OSSL_PROVIDER *prov) +{ + int ret = 0; + OSSL_PARAM params[5]; + char *name, *version, *buildinfo; + int status; + const OSSL_PARAM *gettable, *p; + + if (!TEST_ptr(gettable = OSSL_PROVIDER_gettable_params(prov)) + || !TEST_ptr(p = OSSL_PARAM_locate_const(gettable, OSSL_PROV_PARAM_NAME)) + || !TEST_ptr(p = OSSL_PARAM_locate_const(gettable, OSSL_PROV_PARAM_VERSION)) + || !TEST_ptr(p = OSSL_PARAM_locate_const(gettable, OSSL_PROV_PARAM_STATUS)) + || !TEST_ptr(p = OSSL_PARAM_locate_const(gettable, OSSL_PROV_PARAM_BUILDINFO))) + goto end; + + params[0] = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_NAME, &name, 0); + params[1] = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_VERSION, + &version, 0); + params[2] = OSSL_PARAM_construct_int(OSSL_PROV_PARAM_STATUS, &status); + params[3] = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_BUILDINFO, + &buildinfo, 0); + params[4] = OSSL_PARAM_construct_end(); + OSSL_PARAM_set_all_unmodified(params); + if (!TEST_true(OSSL_PROVIDER_get_params(prov, params))) + goto end; + if (!TEST_true(OSSL_PARAM_modified(params + 0)) + || !TEST_true(OSSL_PARAM_modified(params + 1)) + || !TEST_true(OSSL_PARAM_modified(params + 2)) + || !TEST_true(OSSL_PARAM_modified(params + 3)) + || !TEST_true(status == 1)) + goto end; + + ret = 1; +end: + return ret; +} + static int test_provider_status(void) { int ret = 0; @@ -113,6 +150,8 @@ static int test_provider_status(void) if (!TEST_ptr(prov = OSSL_PROVIDER_load(libctx, provider_name))) goto err; + if (!get_provider_params(prov)) + goto err; /* Test that the provider status is ok */ params[0] = OSSL_PARAM_construct_uint(OSSL_PROV_PARAM_STATUS, &status); @@ -149,6 +188,18 @@ err: return ret; } +static int test_provider_gettable_params(void) +{ + OSSL_PROVIDER *prov; + int ret; + + if (!TEST_ptr(prov = OSSL_PROVIDER_load(libctx, provider_name))) + return 0; + ret = get_provider_params(prov); + OSSL_PROVIDER_unload(prov); + return ret; +} + int setup_tests(void) { OPTION_CHOICE o; @@ -173,13 +224,22 @@ int setup_tests(void) libctx = OSSL_LIB_CTX_new(); if (libctx == NULL) return 0; - self_test_args.count = 0; - OSSL_SELF_TEST_set_callback(libctx, self_test_on_load, &self_test_args); - if (!OSSL_LIB_CTX_load_config(libctx, config_file)) { - opt_printf_stderr("Failed to load config\n"); - return 0; + if (strcmp(provider_name, "fips") == 0) { + self_test_args.count = 0; + OSSL_SELF_TEST_set_callback(libctx, self_test_on_load, &self_test_args); + if (!OSSL_LIB_CTX_load_config(libctx, config_file)) { + opt_printf_stderr("Failed to load config\n"); + return 0; + } + ADD_TEST(test_provider_status); + } else { + ADD_TEST(test_provider_gettable_params); } - ADD_TEST(test_provider_status); return 1; } + +void cleanup_tests(void) +{ + OSSL_LIB_CTX_free(libctx); +} diff --git a/test/recipes/30-test_provider_status.t b/test/recipes/30-test_provider_status.t index b3a239fb6a..2b2e242a5f 100644 --- a/test/recipes/30-test_provider_status.t +++ b/test/recipes/30-test_provider_status.t @@ -22,11 +22,28 @@ use lib bldtop_dir('.'); my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); -plan skip_all => "provider_status is not supported by this test" - if $no_fips; +plan tests => 5; -plan tests => 1; +ok(run(test(["provider_status_test", "-provider_name", "null"])), + "null provider test"); -ok(run(test(["provider_status_test", "-config", srctop_file("test","fips.cnf"), - "-provider_name", "fips"])), - "running provider_status_test"); +ok(run(test(["provider_status_test", "-provider_name", "base"])), + "base provider test"); + +ok(run(test(["provider_status_test", "-provider_name", "default"])), + "default provider test"); + +SKIP: { + skip "Skipping legacy test", 1 + if disabled("legacy"); + ok(run(test(["provider_status_test", "-provider_name", "legacy"])), + "legacy provider test"); +} + +SKIP: { + skip "Skipping fips test", 1 + if $no_fips; + ok(run(test(["provider_status_test", "-config", srctop_file("test","fips.cnf"), + "-provider_name", "fips"])), + "fips provider test"); +} From pauli at openssl.org Tue Jul 6 00:56:36 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 06 Jul 2021 00:56:36 +0000 Subject: [openssl] master update Message-ID: <1625532996.777194.28478.nullmailer@dev.openssl.org> The branch master has been updated via 9d300aa21b02f13d3429931417f4320350b9f891 (commit) from 866376432bc403adbdb447830d0a33ffcd5fb0fa (commit) - Log ----------------------------------------------------------------- commit 9d300aa21b02f13d3429931417f4320350b9f891 Author: Shane Lontis Date: Fri Jul 2 14:26:07 2021 +1000 Add HKDF negative tests Fix memory leak if legacy test is skipped. Using EVP_KDF_CTX_get_params() to get OSSL_KDF_PARAM_SIZE will now return 0 if the returned size is 0. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15977) ----------------------------------------------------------------------- Summary of changes: providers/implementations/kdfs/hkdf.c | 13 +- test/evp_kdf_test.c | 166 +++++++++++++++++++++++++- test/recipes/30-test_evp_data/evpkdf_hkdf.txt | 9 ++ 3 files changed, 178 insertions(+), 10 deletions(-) diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c index 83d9d1ecce..167b64f0b3 100644 --- a/providers/implementations/kdfs/hkdf.c +++ b/providers/implementations/kdfs/hkdf.c @@ -149,6 +149,7 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen, switch (ctx->mode) { case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: + default: return HKDF(libctx, md, ctx->salt, ctx->salt_len, ctx->key, ctx->key_len, ctx->info, ctx->info_len, key, keylen); @@ -159,9 +160,6 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen, case EVP_KDF_HKDF_MODE_EXPAND_ONLY: return HKDF_Expand(md, ctx->key, ctx->key_len, ctx->info, ctx->info_len, key, keylen); - - default: - return 0; } } @@ -262,8 +260,13 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) KDF_HKDF *ctx = (KDF_HKDF *)vctx; OSSL_PARAM *p; - if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) - return OSSL_PARAM_set_size_t(p, kdf_hkdf_size(ctx)); + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { + size_t sz = kdf_hkdf_size(ctx); + + if (sz == 0) + return 0; + return OSSL_PARAM_set_size_t(p, sz); + } return -2; } diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c index 94d2b0ac58..4b3df38b5f 100644 --- a/test/evp_kdf_test.c +++ b/test/evp_kdf_test.c @@ -199,14 +199,19 @@ static OSSL_PARAM *construct_hkdf_params(char *digest, char *key, if (params == NULL) return NULL; - *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, - digest, 0); + if (digest != NULL) + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, + digest, 0); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, salt, strlen(salt)); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, (unsigned char *)key, keylen); - *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, - info, strlen(info)); + if (info != NULL) + *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, + info, strlen(info)); + else + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MODE, + "EXTRACT_ONLY", 0); *p = OSSL_PARAM_construct_end(); return params; @@ -234,6 +239,66 @@ static int test_kdf_hkdf(void) return ret; } +static int do_kdf_hkdf_gettables(int expand_only, int has_digest) +{ + int ret = 0; + size_t sz = 0; + OSSL_PARAM *params; + OSSL_PARAM params_get[2]; + const OSSL_PARAM *gettables, *p; + EVP_KDF_CTX *kctx = NULL; + + if (!TEST_ptr(params = construct_hkdf_params( + has_digest ? "sha256" : NULL, + "secret", 6, "salt", + expand_only ? NULL : "label")) + || !TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF)) + || !TEST_true(EVP_KDF_CTX_set_params(kctx, params))) + goto err; + + /* Check OSSL_KDF_PARAM_SIZE is gettable */ + if (!TEST_ptr(gettables = EVP_KDF_CTX_gettable_params(kctx)) + || !TEST_ptr(p = OSSL_PARAM_locate_const(gettables, OSSL_KDF_PARAM_SIZE))) + goto err; + + /* Get OSSL_KDF_PARAM_SIZE as a size_t */ + params_get[0] = OSSL_PARAM_construct_size_t(OSSL_KDF_PARAM_SIZE, &sz); + params_get[1] = OSSL_PARAM_construct_end(); + if (has_digest) { + if (!TEST_int_eq(EVP_KDF_CTX_get_params(kctx, params_get), 1) + || !TEST_size_t_eq(sz, expand_only ? SHA256_DIGEST_LENGTH : SIZE_MAX)) + goto err; + } else { + if (!TEST_int_eq(EVP_KDF_CTX_get_params(kctx, params_get), 0)) + goto err; + } + + /* Get params returns -2 if an unsupported parameter is requested */ + params_get[0] = OSSL_PARAM_construct_end(); + if (!TEST_int_eq(EVP_KDF_CTX_get_params(kctx, params_get), -2)) + goto err; + ret = 1; +err: + EVP_KDF_CTX_free(kctx); + OPENSSL_free(params); + return ret; +} + +static int test_kdf_hkdf_gettables(void) +{ + return do_kdf_hkdf_gettables(0, 1); +} + +static int test_kdf_hkdf_gettables_expandonly(void) +{ + return do_kdf_hkdf_gettables(1, 1); +} + +static int test_kdf_hkdf_gettables_no_digest(void) +{ + return do_kdf_hkdf_gettables(1, 0); +} + static int test_kdf_hkdf_invalid_digest(void) { int ret; @@ -251,6 +316,89 @@ static int test_kdf_hkdf_invalid_digest(void) return ret; } +static int test_kdf_hkdf_derive_set_params_fail(void) +{ + int ret = 0, i = 0; + EVP_KDF_CTX *kctx = NULL; + OSSL_PARAM params[2]; + unsigned char out[10]; + + if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))) + goto end; + /* + * Set the wrong type for the digest so that it causes a failure + * inside kdf_hkdf_derive() when kdf_hkdf_set_ctx_params() is called + */ + params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_DIGEST, &i); + params[1] = OSSL_PARAM_construct_end(); + if (!TEST_int_eq(EVP_KDF_derive(kctx, out, sizeof(out), params), 0)) + goto end; + ret = 1; +end: + EVP_KDF_CTX_free(kctx); + return ret; +} + +static int test_kdf_hkdf_set_invalid_mode(void) +{ + int ret = 0, bad_mode = 100; + EVP_KDF_CTX *kctx = NULL; + OSSL_PARAM params[2]; + + if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))) + goto end; + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MODE, + "BADMODE", 0); + params[1] = OSSL_PARAM_construct_end(); + if (!TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 0)) + goto end; + + params[0] = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &bad_mode); + if (!TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 0)) + goto end; + + ret = 1; +end: + EVP_KDF_CTX_free(kctx); + return ret; +} + +static int do_kdf_hkdf_set_invalid_param(const char *key, int type) +{ + int ret = 0; + EVP_KDF_CTX *kctx = NULL; + OSSL_PARAM params[2]; + unsigned char buf[2]; + + if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_HKDF))) + goto end; + /* Set the wrong type for the key so that it causes a failure */ + if (type == OSSL_PARAM_UTF8_STRING) + params[0] = OSSL_PARAM_construct_utf8_string(key, "BAD", 0); + else + params[0] = OSSL_PARAM_construct_octet_string(key, buf, sizeof(buf)); + params[1] = OSSL_PARAM_construct_end(); + if (!TEST_int_eq(EVP_KDF_CTX_set_params(kctx, params), 0)) + goto end; + + ret = 1; +end: + EVP_KDF_CTX_free(kctx); + return ret; +} + +static int test_kdf_hkdf_set_ctx_param_fail(void) +{ + return do_kdf_hkdf_set_invalid_param(OSSL_KDF_PARAM_MODE, + OSSL_PARAM_OCTET_STRING) + && do_kdf_hkdf_set_invalid_param(OSSL_KDF_PARAM_KEY, + OSSL_PARAM_UTF8_STRING) + && do_kdf_hkdf_set_invalid_param(OSSL_KDF_PARAM_SALT, + OSSL_PARAM_UTF8_STRING) + && do_kdf_hkdf_set_invalid_param(OSSL_KDF_PARAM_INFO, + OSSL_PARAM_UTF8_STRING); +} + static int test_kdf_hkdf_zero_output_size(void) { int ret; @@ -366,8 +514,10 @@ static int test_kdf_pbkdf1(void) /* PBKDF1 only available in the legacy provider */ prov = OSSL_PROVIDER_load(libctx, "legacy"); - if (prov == NULL) + if (prov == NULL) { + OSSL_LIB_CTX_free(libctx); return TEST_skip("PBKDF1 only available in legacy provider"); + } params = construct_pbkdf1_params("passwordPASSWORDpassword", "sha256", "saltSALTsaltSALTsaltSALTsaltSALTsalt", @@ -1495,6 +1645,12 @@ int setup_tests(void) ADD_TEST(test_kdf_hkdf_empty_key); ADD_TEST(test_kdf_hkdf_1byte_key); ADD_TEST(test_kdf_hkdf_empty_salt); + ADD_TEST(test_kdf_hkdf_gettables); + ADD_TEST(test_kdf_hkdf_gettables_expandonly); + ADD_TEST(test_kdf_hkdf_gettables_no_digest); + ADD_TEST(test_kdf_hkdf_derive_set_params_fail); + ADD_TEST(test_kdf_hkdf_set_invalid_mode); + ADD_TEST(test_kdf_hkdf_set_ctx_param_fail); ADD_TEST(test_kdf_pbkdf2); ADD_TEST(test_kdf_pbkdf2_small_output); ADD_TEST(test_kdf_pbkdf2_large_output); diff --git a/test/recipes/30-test_evp_data/evpkdf_hkdf.txt b/test/recipes/30-test_evp_data/evpkdf_hkdf.txt index 8d486c672a..c7f94cc644 100644 --- a/test/recipes/30-test_evp_data/evpkdf_hkdf.txt +++ b/test/recipes/30-test_evp_data/evpkdf_hkdf.txt @@ -193,3 +193,12 @@ Ctrl.digest = digest:SHA1 Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c Ctrl.salt = salt: Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 + +# The output key size should match the digest size for EXTRACT_ONLY mode +KDF = HKDF +Ctrl.mode = mode:EXTRACT_ONLY +Ctrl.digest = digest:SHA1 +Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b +Ctrl.salt = salt: +Output = da8c8a73 +Result = KDF_DERIVE_ERROR From scan-admin at coverity.com Tue Jul 6 07:49:48 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Tue, 06 Jul 2021 07:49:48 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60e40b1cd142_3235722aaaba9899982866@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DaBvC_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeF2M7sG-2Byu12PS0sEyF2wLXpHi-2F48pAk14Au9f-2BjT4FfFdpEXiwS04wQbDSha8EKP-2FLksADAEVNj-2F8T4r8KoenkOUA7K14IJh4zMB80WSd-2FlHVCIbrJ-2FR1ERSZilE7zlFONze2A8I8-2BBxA2Ierosik6atsHmx8lYbzaBsevXDOfaU7f9Ovcbmqv1GRZz2uVRa8-3D Build ID: 395595 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Tue Jul 6 07:51:30 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Tue, 06 Jul 2021 07:51:30 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60e40b8196804_32360d2aaaba9899982818@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DUVMA_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFDFaQJgSEF0K-2BCRYSN0H1-2B78myXmQitnFsx-2BUK12SSu-2FvMT-2BGPNbvCMOKsicxAwcTMA4KDk7-2Fsbe4wB7ICy10lThnx9-2FmI8Il-2BApe6-2BR7kETdaI028x-2B-2FvNOlFI7tqmYj9XnWlgh6vzq2tBgKs9yR1aoVpIPk4ESf0gJxZG3lp7h5X2WgtunM-2BBWmd-2B0-2FlGLM-3D Build ID: 395596 Analysis Summary: New defects found: 0 Defects eliminated: 0 From pauli at openssl.org Tue Jul 6 08:15:04 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 06 Jul 2021 08:15:04 +0000 Subject: [openssl] master update Message-ID: <1625559304.812396.29462.nullmailer@dev.openssl.org> The branch master has been updated via 4e20d04ee0e7be2061c1e5d2c2c8d714b7923c89 (commit) from 9d300aa21b02f13d3429931417f4320350b9f891 (commit) - Log ----------------------------------------------------------------- commit 4e20d04ee0e7be2061c1e5d2c2c8d714b7923c89 Author: Pauli Date: Thu Jul 1 12:48:30 2021 +1000 util: add -fips option to wrap.pl to make using the FIPS provider easier Without this option, I find I need to figure out which environment variables point where which wastes effort. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15966) ----------------------------------------------------------------------- Summary of changes: util/wrap.pl.in | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/util/wrap.pl.in b/util/wrap.pl.in index 2ac068ce96..b13c34d851 100644 --- a/util/wrap.pl.in +++ b/util/wrap.pl.in @@ -24,6 +24,20 @@ my $std_providers = catdir($there, 'providers'); my $std_openssl_conf = catdir($there, 'apps/openssl.cnf'); my $unix_shlib_wrap = catfile($there, 'util/shlib_wrap.sh'); +if ($ARGV[0] eq '-fips') { + $std_openssl_conf = {- + use Cwd qw(abs_path); + + "'" . abs_path(catfile($config{sourcedir}, 'test/fips-and-base.cnf')) . "'"; + -}; + shift; + + my $std_openssl_conf_include = catdir($there, 'providers'); + $ENV{OPENSSL_CONF_INCLUDE} = $std_openssl_conf_include + if ($ENV{OPENSSL_CONF_INCLUDE} // '') eq '' + && -d $std_openssl_conf_include; +} + $ENV{OPENSSL_ENGINES} = $std_engines if ($ENV{OPENSSL_ENGINES} // '') eq '' && -d $std_engines; $ENV{OPENSSL_MODULES} = $std_providers From pauli at openssl.org Tue Jul 6 08:44:18 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 06 Jul 2021 08:44:18 +0000 Subject: [openssl] master update Message-ID: <1625561058.097036.16433.nullmailer@dev.openssl.org> The branch master has been updated via ef1e0242a9aec5210845df86162c0b9219ff0f11 (commit) from 4e20d04ee0e7be2061c1e5d2c2c8d714b7923c89 (commit) - Log ----------------------------------------------------------------- commit ef1e0242a9aec5210845df86162c0b9219ff0f11 Author: Pauli Date: Sat Jun 19 09:54:55 2021 +1000 test: add some integral type size sanity checks With the recent problem on VMS of maxint_t being defined as a 32 bit integer despite OpenSSL mandating 64 bit integers being available, it seems prudent to add some sanity checks for out integral types. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15830) ----------------------------------------------------------------------- Summary of changes: test/sanitytest.c | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/test/sanitytest.c b/test/sanitytest.c index 46cd224e7a..892b3b55e1 100644 --- a/test/sanitytest.c +++ b/test/sanitytest.c @@ -8,6 +8,7 @@ */ #include +#include #include "testutil.h" #include "internal/numbers.h" @@ -76,6 +77,38 @@ static int test_sanity_unsigned_conversion(void) static int test_sanity_range(void) { + /* Verify some types are the correct size */ + if (!TEST_size_t_eq(sizeof(int8_t), 1) + || !TEST_size_t_eq(sizeof(uint8_t), 1) + || !TEST_size_t_eq(sizeof(int16_t), 2) + || !TEST_size_t_eq(sizeof(uint16_t), 2) + || !TEST_size_t_eq(sizeof(int32_t), 4) + || !TEST_size_t_eq(sizeof(uint32_t), 4) + || !TEST_size_t_eq(sizeof(int64_t), 8) + || !TEST_size_t_eq(sizeof(uint64_t), 8) +#ifdef UINT128_MAX + || !TEST_size_t_eq(sizeof(int128_t), 16) + || !TEST_size_t_eq(sizeof(uint128_t), 16) +#endif + || !TEST_size_t_eq(sizeof(char), 1) + || !TEST_size_t_eq(sizeof(unsigned char), 1)) + return 0; + + /* We want our long longs to be at least 64 bits */ + if (!TEST_size_t_ge(sizeof(long long int), 8) + || !TEST_size_t_ge(sizeof(unsigned long long int), 8)) + return 0; + + /* + * Verify intmax_t. + * Some platforms defined intmax_t to be 64 bits but still support + * an int128_t, so this check is for at least 64 bits. + */ + if (!TEST_size_t_ge(sizeof(ossl_intmax_t), 8) + || !TEST_size_t_ge(sizeof(ossl_uintmax_t), 8) + || !TEST_size_t_ge(sizeof(ossl_uintmax_t), sizeof(size_t))) + return 0; + /* This isn't possible to check using the framework functions */ if (SIZE_MAX < INT_MAX) { TEST_error("int must not be wider than size_t"); @@ -86,7 +119,7 @@ static int test_sanity_range(void) static int test_sanity_memcmp(void) { - return CRYPTO_memcmp("ab","cd",2); + return CRYPTO_memcmp("ab", "cd", 2); } int setup_tests(void) From scan-admin at coverity.com Wed Jul 7 07:49:42 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Wed, 07 Jul 2021 07:49:42 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60e55c963194c_3407f42af3033879a078779@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DrHgP_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFF7H9-2FIXcF3o64esyf6UFYAie6gUmsHuA8mJ-2BDf-2Ffw3pE9h7zGDZB3QOvJV4ZaxScKM-2FOzA1MinD9mn0S-2ByXPHluvRBq0idlAcHHRjzsFFWlPqqaAsApRJPIVgn-2FFga0g3O4PNIo-2FDQeIb-2BQtk73uv60mwWLUXQ99mP-2FVlwdG4k12TILV8Q5uEC3gQqq-2Fg4uo-3D Build ID: 395750 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Wed Jul 7 07:54:45 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Wed, 07 Jul 2021 07:54:45 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60e55dc53749a_3409872af3033879a078752@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DBcAJ_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeH-2FKbZaeU4s9j7QWkz2KKEZyngr7n1g6eAIJ9IDbo0v3dcaRLAAh29riScP3vijAE9MKjMQ6T6Ca0M0rsWM7pQP0Qbr9nJgEZtBoNNYRhSnR-2F3sedaDEtEQaTYNmnuW-2BLINdLouRgYx8M1sb11BqF6LMdfZZe14vn2zMA7iOdCCntkNL0E6rc2SK06LJgpoTTw-3D Build ID: 395752 Analysis Summary: New defects found: 0 Defects eliminated: 0 From pauli at openssl.org Wed Jul 7 09:09:09 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 07 Jul 2021 09:09:09 +0000 Subject: [openssl] master update Message-ID: <1625648949.808462.22961.nullmailer@dev.openssl.org> The branch master has been updated via 0f71b1eb6c390e58059a4c4225bcbecac9aef2c7 (commit) via 4e20312ba693c5f4241edf62717f9c0ee5661ae2 (commit) via 561e5cda7b7139c665dd9d2f39058b4081da54d2 (commit) from ef1e0242a9aec5210845df86162c0b9219ff0f11 (commit) - Log ----------------------------------------------------------------- commit 0f71b1eb6c390e58059a4c4225bcbecac9aef2c7 Author: Pauli Date: Tue Jul 6 19:00:04 2021 +1000 changes: add entry noting the removal of ERR_GET_FUNC() Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/16004) commit 4e20312ba693c5f4241edf62717f9c0ee5661ae2 Author: Pauli Date: Tue Jul 6 18:54:39 2021 +1000 doc: update documentation to note removal of ERR_GET_FUNC() Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/16004) commit 561e5cda7b7139c665dd9d2f39058b4081da54d2 Author: Pauli Date: Tue Jul 6 18:50:11 2021 +1000 err: remove ERR_GET_FUNC() This is problematic in 3.0 because the function codes are all defined as zero. This leads to either every error matching or no error ever matching. Both are problematic for users. The OTC vote resolved to remove this function completely. Fixes #15946 Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/16004) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 8 ++++++++ doc/man3/ERR_GET_LIB.pod | 14 ++++++-------- include/openssl/err.h.in | 5 ----- util/other.syms | 1 - 4 files changed, 14 insertions(+), 14 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 9eb5eeb19b..8109e0ad8d 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -30,6 +30,12 @@ breaking changes, and mappings for the large list of deprecated functions. ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] + * The ERR_GET_FUNC() function was removed. With the loss of meaningful + function codes, this function can only cause problems for calling + applications. + + *Paul Dale* + * Add a configurable flag to output date formats as ISO 8601. Does not change the default date format. @@ -1061,6 +1067,8 @@ breaking changes, and mappings for the large list of deprecated functions. * Removed the function names from error messages and deprecated the xxx_F_xxx define's. + *Richard Levitte* + * Removed NextStep support and the macro OPENSSL_UNISTD *Rich Salz* diff --git a/doc/man3/ERR_GET_LIB.pod b/doc/man3/ERR_GET_LIB.pod index 2046159021..412a292dd2 100644 --- a/doc/man3/ERR_GET_LIB.pod +++ b/doc/man3/ERR_GET_LIB.pod @@ -2,7 +2,7 @@ =head1 NAME -ERR_GET_LIB, ERR_GET_FUNC, ERR_GET_REASON, ERR_FATAL_ERROR +ERR_GET_LIB, ERR_GET_REASON, ERR_FATAL_ERROR - get information from error codes =head1 SYNOPSIS @@ -11,8 +11,6 @@ ERR_GET_LIB, ERR_GET_FUNC, ERR_GET_REASON, ERR_FATAL_ERROR int ERR_GET_LIB(unsigned long e); - int ERR_GET_FUNC(unsigned long e); - int ERR_GET_REASON(unsigned long e); int ERR_FATAL_ERROR(unsigned long e); @@ -20,7 +18,7 @@ ERR_GET_LIB, ERR_GET_FUNC, ERR_GET_REASON, ERR_FATAL_ERROR =head1 DESCRIPTION The error code returned by ERR_get_error() consists of a library -number, function code and reason code. ERR_GET_LIB(), ERR_GET_FUNC() +number, function code and reason code. ERR_GET_LIB() and ERR_GET_REASON() can be used to extract these. ERR_FATAL_ERROR() indicates whether a given error code is a fatal error. @@ -37,8 +35,7 @@ B reason codes such as B are globally unique. However, when checking for sub-library specific reason codes, be sure to also compare the library number. -ERR_GET_LIB(), ERR_GET_FUNC(), ERR_GET_REASON(), and ERR_FATAL_ERROR() -are macros. +ERR_GET_LIB(), ERR_GET_REASON(), and ERR_FATAL_ERROR() are macros. =head1 RETURN VALUES @@ -52,8 +49,9 @@ L =head1 HISTORY -ERR_GET_LIB(), ERR_GET_FUNC() and ERR_GET_REASON() are available in -all versions of OpenSSL. +ERR_GET_LIB() and ERR_GET_REASON() are available in all versions of OpenSSL. + +ERR_GET_FUNC() was removed in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/include/openssl/err.h.in b/include/openssl/err.h.in index 306656a2c1..7ca0b970a1 100644 --- a/include/openssl/err.h.in +++ b/include/openssl/err.h.in @@ -247,11 +247,6 @@ static ossl_unused ossl_inline int ERR_GET_LIB(unsigned long errcode) return (errcode >> ERR_LIB_OFFSET) & ERR_LIB_MASK; } -static ossl_unused ossl_inline int ERR_GET_FUNC(unsigned long errcode ossl_unused) -{ - return 0; -} - static ossl_unused ossl_inline int ERR_GET_RFLAGS(unsigned long errcode) { if (ERR_SYSTEM_ERROR(errcode)) diff --git a/util/other.syms b/util/other.syms index cf3455bcca..38aaacd6cf 100644 --- a/util/other.syms +++ b/util/other.syms @@ -234,7 +234,6 @@ DTLS_get_link_min_mtu define DTLS_set_link_mtu define ENGINE_cleanup define deprecated 1.1.0 ERR_FATAL_ERROR define -ERR_GET_FUNC define ERR_GET_LIB define ERR_GET_REASON define ERR_PACK define From pauli at openssl.org Wed Jul 7 09:13:10 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 07 Jul 2021 09:13:10 +0000 Subject: [openssl] master update Message-ID: <1625649190.818920.14676.nullmailer@dev.openssl.org> The branch master has been updated via 105c83150f15af3f78ea0758859062842bdbe30e (commit) from 0f71b1eb6c390e58059a4c4225bcbecac9aef2c7 (commit) - Log ----------------------------------------------------------------- commit 105c83150f15af3f78ea0758859062842bdbe30e Author: Pauli Date: Mon Jul 5 11:01:59 2021 +1000 bn: procduce correct sign for result of BN_mod() There is a problem that appears when calling BN_div(a, c, a, b) with negative b. In this case, the sign of the remainder c is incorrect. The problem only occurs if the dividend and the quotient are the same BIGNUM. Fixes #15982 Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/15991) ----------------------------------------------------------------------- Summary of changes: crypto/bn/bn_div.c | 7 ++--- test/bntest.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 79 insertions(+), 5 deletions(-) diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c index 3ba009a540..25514c05f1 100644 --- a/crypto/bn/bn_div.c +++ b/crypto/bn/bn_div.c @@ -268,7 +268,7 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, BIGNUM *tmp, *snum, *sdiv, *res; BN_ULONG *resp, *wnum, *wnumtop; BN_ULONG d0, d1; - int num_n, div_n; + int num_n, div_n, num_neg; assert(divisor->top > 0 && divisor->d[divisor->top - 1] != 0); @@ -326,7 +326,8 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, /* Setup quotient */ if (!bn_wexpand(res, loop)) goto err; - res->neg = (num->neg ^ divisor->neg); + num_neg = num->neg; + res->neg = (num_neg ^ divisor->neg); res->top = loop; res->flags |= BN_FLG_FIXED_TOP; resp = &(res->d[loop]); @@ -442,7 +443,7 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, *--resp = q; } /* snum holds remainder, it's as wide as divisor */ - snum->neg = num->neg; + snum->neg = num_neg; snum->top = div_n; snum->flags |= BN_FLG_FIXED_TOP; if (rm != NULL) diff --git a/test/bntest.c b/test/bntest.c index 5bbef1f543..86fa163c6e 100644 --- a/test/bntest.c +++ b/test/bntest.c @@ -308,6 +308,75 @@ static int test_div_recip(void) return st; } +static struct { + int n, divisor, result, remainder; +} signed_mod_tests[] = { + { 10, 3, 3, 1 }, + { -10, 3, -3, -1 }, + { 10, -3, -3, 1 }, + { -10, -3, 3, -1 }, +}; + +static BIGNUM *set_signed_bn(int value) +{ + BIGNUM *bn = BN_new(); + + if (bn == NULL) + return NULL; + if (!BN_set_word(bn, value < 0 ? -value : value)) { + BN_free(bn); + return NULL; + } + BN_set_negative(bn, value < 0); + return bn; +} + +static int test_signed_mod_replace_ab(int n) +{ + BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL; + int st = 0; + + if (!TEST_ptr(a = set_signed_bn(signed_mod_tests[n].n)) + || !TEST_ptr(b = set_signed_bn(signed_mod_tests[n].divisor)) + || !TEST_ptr(c = set_signed_bn(signed_mod_tests[n].result)) + || !TEST_ptr(d = set_signed_bn(signed_mod_tests[n].remainder))) + goto err; + + if (TEST_true(BN_div(a, b, a, b, ctx)) + && TEST_BN_eq(a, c) + && TEST_BN_eq(b, d)) + st = 1; + err: + BN_free(a); + BN_free(b); + BN_free(c); + BN_free(d); + return st; +} + +static int test_signed_mod_replace_ba(int n) +{ + BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL; + int st = 0; + + if (!TEST_ptr(a = set_signed_bn(signed_mod_tests[n].n)) + || !TEST_ptr(b = set_signed_bn(signed_mod_tests[n].divisor)) + || !TEST_ptr(c = set_signed_bn(signed_mod_tests[n].result)) + || !TEST_ptr(d = set_signed_bn(signed_mod_tests[n].remainder))) + goto err; + + if (TEST_true(BN_div(b, a, a, b, ctx)) + && TEST_BN_eq(b, c) + && TEST_BN_eq(a, d)) + st = 1; + err: + BN_free(a); + BN_free(b); + BN_free(c); + BN_free(d); + return st; +} + static int test_mod(void) { BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL, *e = NULL; @@ -329,8 +398,10 @@ static int test_mod(void) BN_set_negative(b, rand_neg()); if (!(TEST_true(BN_mod(c, a, b, ctx)) && TEST_true(BN_div(d, e, a, b, ctx)) - && TEST_true(BN_sub(e, e, c)) - && TEST_BN_eq_zero(e))) + && TEST_BN_eq(e, c) + && TEST_true(BN_mul(c, d, b, ctx)) + && TEST_true(BN_add(d, c, e)) + && TEST_BN_eq(d, a))) goto err; } st = 1; @@ -2875,6 +2946,8 @@ int setup_tests(void) if (n == 0) { ADD_TEST(test_sub); ADD_TEST(test_div_recip); + ADD_ALL_TESTS(test_signed_mod_replace_ab, OSSL_NELEM(signed_mod_tests)); + ADD_ALL_TESTS(test_signed_mod_replace_ba, OSSL_NELEM(signed_mod_tests)); ADD_TEST(test_mod); ADD_TEST(test_modexp_mont5); ADD_TEST(test_kronecker); From pauli at openssl.org Wed Jul 7 09:13:39 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 07 Jul 2021 09:13:39 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1625649219.665009.11855.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via f8fc0e35e0b1813af15887d42e17b7d5537bb86c (commit) from f775b5c4857d1fef67f487c2ec6017b1f1c6eb19 (commit) - Log ----------------------------------------------------------------- commit f8fc0e35e0b1813af15887d42e17b7d5537bb86c Author: Pauli Date: Mon Jul 5 11:01:59 2021 +1000 bn: procduce correct sign for result of BN_mod() There is a problem that appears when calling BN_div(a, c, a, b) with negative b. In this case, the sign of the remainder c is incorrect. The problem only occurs if the dividend and the quotient are the same BIGNUM. Fixes #15982 Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/15991) (cherry picked from commit 105c83150f15af3f78ea0758859062842bdbe30e) ----------------------------------------------------------------------- Summary of changes: crypto/bn/bn_div.c | 7 ++--- test/bntest.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 79 insertions(+), 5 deletions(-) diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c index 286d69c895..4a6889900e 100644 --- a/crypto/bn/bn_div.c +++ b/crypto/bn/bn_div.c @@ -268,7 +268,7 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, BIGNUM *tmp, *snum, *sdiv, *res; BN_ULONG *resp, *wnum, *wnumtop; BN_ULONG d0, d1; - int num_n, div_n; + int num_n, div_n, num_neg; assert(divisor->top > 0 && divisor->d[divisor->top - 1] != 0); @@ -326,7 +326,8 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, /* Setup quotient */ if (!bn_wexpand(res, loop)) goto err; - res->neg = (num->neg ^ divisor->neg); + num_neg = num->neg; + res->neg = (num_neg ^ divisor->neg); res->top = loop; res->flags |= BN_FLG_FIXED_TOP; resp = &(res->d[loop]); @@ -442,7 +443,7 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, *--resp = q; } /* snum holds remainder, it's as wide as divisor */ - snum->neg = num->neg; + snum->neg = num_neg; snum->top = div_n; snum->flags |= BN_FLG_FIXED_TOP; if (rm != NULL) diff --git a/test/bntest.c b/test/bntest.c index 97d08ac0be..8bccfc4171 100644 --- a/test/bntest.c +++ b/test/bntest.c @@ -305,6 +305,75 @@ static int test_div_recip(void) return st; } +static struct { + int n, divisor, result, remainder; +} signed_mod_tests[] = { + { 10, 3, 3, 1 }, + { -10, 3, -3, -1 }, + { 10, -3, -3, 1 }, + { -10, -3, 3, -1 }, +}; + +static BIGNUM *set_signed_bn(int value) +{ + BIGNUM *bn = BN_new(); + + if (bn == NULL) + return NULL; + if (!BN_set_word(bn, value < 0 ? -value : value)) { + BN_free(bn); + return NULL; + } + BN_set_negative(bn, value < 0); + return bn; +} + +static int test_signed_mod_replace_ab(int n) +{ + BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL; + int st = 0; + + if (!TEST_ptr(a = set_signed_bn(signed_mod_tests[n].n)) + || !TEST_ptr(b = set_signed_bn(signed_mod_tests[n].divisor)) + || !TEST_ptr(c = set_signed_bn(signed_mod_tests[n].result)) + || !TEST_ptr(d = set_signed_bn(signed_mod_tests[n].remainder))) + goto err; + + if (TEST_true(BN_div(a, b, a, b, ctx)) + && TEST_BN_eq(a, c) + && TEST_BN_eq(b, d)) + st = 1; + err: + BN_free(a); + BN_free(b); + BN_free(c); + BN_free(d); + return st; +} + +static int test_signed_mod_replace_ba(int n) +{ + BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL; + int st = 0; + + if (!TEST_ptr(a = set_signed_bn(signed_mod_tests[n].n)) + || !TEST_ptr(b = set_signed_bn(signed_mod_tests[n].divisor)) + || !TEST_ptr(c = set_signed_bn(signed_mod_tests[n].result)) + || !TEST_ptr(d = set_signed_bn(signed_mod_tests[n].remainder))) + goto err; + + if (TEST_true(BN_div(b, a, a, b, ctx)) + && TEST_BN_eq(b, c) + && TEST_BN_eq(a, d)) + st = 1; + err: + BN_free(a); + BN_free(b); + BN_free(c); + BN_free(d); + return st; +} + static int test_mod(void) { BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL, *e = NULL; @@ -326,8 +395,10 @@ static int test_mod(void) BN_set_negative(b, rand_neg()); if (!(TEST_true(BN_mod(c, a, b, ctx)) && TEST_true(BN_div(d, e, a, b, ctx)) - && TEST_true(BN_sub(e, e, c)) - && TEST_BN_eq_zero(e))) + && TEST_BN_eq(e, c) + && TEST_true(BN_mul(c, d, b, ctx)) + && TEST_true(BN_add(d, c, e)) + && TEST_BN_eq(d, a))) goto err; } st = 1; @@ -2759,6 +2830,8 @@ int setup_tests(void) if (n == 0) { ADD_TEST(test_sub); ADD_TEST(test_div_recip); + ADD_ALL_TESTS(test_signed_mod_replace_ab, OSSL_NELEM(signed_mod_tests)); + ADD_ALL_TESTS(test_signed_mod_replace_ba, OSSL_NELEM(signed_mod_tests)); ADD_TEST(test_mod); ADD_TEST(test_modexp_mont5); ADD_TEST(test_kronecker); From levitte at openssl.org Wed Jul 7 13:39:20 2021 From: levitte at openssl.org (Richard Levitte) Date: Wed, 07 Jul 2021 13:39:20 +0000 Subject: [openssl] master update Message-ID: <1625665160.510255.17839.nullmailer@dev.openssl.org> The branch master has been updated via d101700dffa710f3de0ab6465dff688f55214bcc (commit) from 105c83150f15af3f78ea0758859062842bdbe30e (commit) - Log ----------------------------------------------------------------- commit d101700dffa710f3de0ab6465dff688f55214bcc Author: Richard Levitte Date: Tue Jul 6 08:44:37 2021 +0200 CRYPTO: Remove the check for built-in methods in the export_to function That check was seen as necessary at the time, but other changes have been made since, so we now have better control on when we're handling legacy structures and methods, making it safe to run the export_to function on keys with foreign methods. The basic message is that foreign methods must set key structure values according to our standards no matter what, or not set them at all. This has really always been the case, but was harder to see at the time because of interaction with other bugs. Fixes #15927 Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15996) ----------------------------------------------------------------------- Summary of changes: crypto/dh/dh_ameth.c | 7 ------- crypto/dsa/dsa_ameth.c | 7 ------- crypto/ec/ec_ameth.c | 7 ------- crypto/rsa/rsa_ameth.c | 7 ------- 4 files changed, 28 deletions(-) diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index 3d23321b59..0e577177ec 100644 --- a/crypto/dh/dh_ameth.c +++ b/crypto/dh/dh_ameth.c @@ -453,13 +453,6 @@ static int dh_pkey_export_to(const EVP_PKEY *from, void *to_keydata, int selection = 0; int rv = 0; - /* - * If the DH method is foreign, then we can't be sure of anything, and - * can therefore not export or pretend to export. - */ - if (ossl_dh_get_method(dh) != DH_OpenSSL()) - return 0; - if (p == NULL || g == NULL) return 0; diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c index ea9f839955..53417bff6a 100644 --- a/crypto/dsa/dsa_ameth.c +++ b/crypto/dsa/dsa_ameth.c @@ -436,13 +436,6 @@ static int dsa_pkey_export_to(const EVP_PKEY *from, void *to_keydata, int selection = 0; int rv = 0; - /* - * If the DSA method is foreign, then we can't be sure of anything, and - * can therefore not export or pretend to export. - */ - if (DSA_get_method(dsa) != DSA_OpenSSL()) - return 0; - if (p == NULL || q == NULL || g == NULL) return 0; diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index c7fbaeab5e..9ca023bbe3 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -498,13 +498,6 @@ int ec_pkey_export_to(const EVP_PKEY *from, void *to_keydata, || (ecg = EC_KEY_get0_group(eckey)) == NULL) return 0; - /* - * If the EC_KEY method is foreign, then we can't be sure of anything, - * and can therefore not export or pretend to export. - */ - if (EC_KEY_get_method(eckey) != EC_KEY_OpenSSL()) - return 0; - tmpl = OSSL_PARAM_BLD_new(); if (tmpl == NULL) return 0; diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index 1d3b8685bd..b1580ca48c 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -738,13 +738,6 @@ static int rsa_int_export_to(const EVP_PKEY *from, int rsa_type, if (tmpl == NULL) return 0; - /* - * If the RSA method is foreign, then we can't be sure of anything, and - * can therefore not export or pretend to export. - */ - if (RSA_get_method(rsa) != RSA_PKCS1_OpenSSL()) - goto err; - /* Public parameters must always be present */ if (RSA_get0_n(rsa) == NULL || RSA_get0_e(rsa) == NULL) goto err; From kaduk at mit.edu Wed Jul 7 16:15:30 2021 From: kaduk at mit.edu (kaduk at mit.edu) Date: Wed, 07 Jul 2021 16:15:30 +0000 Subject: [openssl] master update Message-ID: <1625674530.496942.26773.nullmailer@dev.openssl.org> The branch master has been updated via 3bd5319b5d0df9ecf05c8baba2c401ad8e3ba130 (commit) from d101700dffa710f3de0ab6465dff688f55214bcc (commit) - Log ----------------------------------------------------------------- commit 3bd5319b5d0df9ecf05c8baba2c401ad8e3ba130 Author: Benjamin Kaduk Date: Tue Jul 6 07:49:39 2021 -0700 Fix comment for test_negotiated_group() test order Because of how the 'client_multi' variable is set, we end up running the tests where the client configures multiple groups (and the server only configures one) before the ones where the server configures multiple groups (and the client only configures one). Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16007) ----------------------------------------------------------------------- Summary of changes: test/sslapitest.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/test/sslapitest.c b/test/sslapitest.c index 1b3db55d6b..49f7ef639d 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -4751,14 +4751,14 @@ static int set_ssl_groups(SSL *serverssl, SSL *clientssl, int clientmulti, * was offered in the resumption ClientHello. * * Using E for the number of EC groups and F for the number of FF groups: - * E tests of ECDHE with TLS 1.3, client sends only one group - * F tests of FFDHE with TLS 1.3, client sends only one group - * E tests of ECDHE with TLS 1.2, client sends only one group - * F tests of FFDHE with TLS 1.2, client sends only one group * E tests of ECDHE with TLS 1.3, server only has one group * F tests of FFDHE with TLS 1.3, server only has one group * E tests of ECDHE with TLS 1.2, server only has one group * F tests of FFDHE with TLS 1.2, server only has one group + * E tests of ECDHE with TLS 1.3, client sends only one group + * F tests of FFDHE with TLS 1.3, client sends only one group + * E tests of ECDHE with TLS 1.2, client sends only one group + * F tests of FFDHE with TLS 1.2, client sends only one group */ static int test_negotiated_group(int idx) { From pauli at openssl.org Thu Jul 8 01:46:47 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 08 Jul 2021 01:46:47 +0000 Subject: [openssl] master update Message-ID: <1625708807.281321.12698.nullmailer@dev.openssl.org> The branch master has been updated via 02db7354fe780c8bfb34b3f0ed73595cb9ac6570 (commit) from 3bd5319b5d0df9ecf05c8baba2c401ad8e3ba130 (commit) - Log ----------------------------------------------------------------- commit 02db7354fe780c8bfb34b3f0ed73595cb9ac6570 Author: Rich Salz Date: Tue Jul 6 12:00:19 2021 -0400 Fix bug in X509_print_ex If the user set nmflags == XN_FLAG_COMPAT and X509_NAME_print_ex(3) failed, the error return value of 0 was misinterpreted as an indicator of success, causing X509_print_ex(3) to ignore the error, continue printing, and potentially return successfully even though not all the content of the certificate was printed. The X509_NAME_print_ex(3) manual page explains that this function indicates failure by returning 0 if nmflags == XN_FLAG_COMPAT and by returning -1 if nmflags != XN_FLAG_COMPAT. Note that just checking for <= 0 in all cases would not be correct either because X509_NAME_print_ex(3) returns 0 to indicate that it successfully printed zero bytes in some cases, for example when all three of the following conditions hold: 1. nmflags != XN_FLAG_COMPAT 2. indent == 0 (which X509_print_ex(3) does use in some cases) 3. the name object is NULL or empty Thanks to Ingo Schwarze for finding the bug, and Joel Sing for contributing an idea for the fix. Reviewed-by: Ben Kaduk Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16009) ----------------------------------------------------------------------- Summary of changes: crypto/x509/t_x509.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c index fdbdfd5b09..69b04e74eb 100644 --- a/crypto/x509/t_x509.c +++ b/crypto/x509/t_x509.c @@ -51,7 +51,7 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, long l; int ret = 0, i; char *m = NULL, mlch = ' '; - int nmindent = 0; + int nmindent = 0, printok = 0; EVP_PKEY *pkey = NULL; const char *neg; @@ -60,8 +60,10 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, nmindent = 12; } - if (nmflags == X509_FLAG_COMPAT) + if (nmflags == X509_FLAG_COMPAT) { nmindent = 16; + printok = 1; + } if (!(cflag & X509_FLAG_NO_HEADER)) { if (BIO_write(bp, "Certificate:\n", 13) <= 0) @@ -130,7 +132,7 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, if (BIO_printf(bp, " Issuer:%c", mlch) <= 0) goto err; if (X509_NAME_print_ex(bp, X509_get_issuer_name(x), nmindent, nmflags) - < 0) + < printok) goto err; if (BIO_write(bp, "\n", 1) <= 0) goto err; @@ -153,7 +155,7 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, if (BIO_printf(bp, " Subject:%c", mlch) <= 0) goto err; if (X509_NAME_print_ex - (bp, X509_get_subject_name(x), nmindent, nmflags) < 0) + (bp, X509_get_subject_name(x), nmindent, nmflags) < printok) goto err; if (BIO_write(bp, "\n", 1) <= 0) goto err; From pauli at openssl.org Thu Jul 8 04:11:41 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 08 Jul 2021 04:11:41 +0000 Subject: [openssl] master update Message-ID: <1625717501.687147.8896.nullmailer@dev.openssl.org> The branch master has been updated via 0588778f5ef5c5840e00879a1f62775e4c7a2f17 (commit) from 02db7354fe780c8bfb34b3f0ed73595cb9ac6570 (commit) - Log ----------------------------------------------------------------- commit 0588778f5ef5c5840e00879a1f62775e4c7a2f17 Author: Randall S. Becker Date: Tue Jul 6 12:42:22 2021 -0500 Made foreign bit field unsigned in evp.h Fixes #16010 Signed-off-by: Randall S. Becker Reviewed-by: Richard Levitte Reviewed-by: Ben Kaduk Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16011) ----------------------------------------------------------------------- Summary of changes: include/crypto/evp.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/crypto/evp.h b/include/crypto/evp.h index 16e55cd9a2..3707977d9d 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h @@ -686,7 +686,7 @@ struct evp_pkey_st { #ifndef FIPS_MODULE STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */ int save_parameters; - int foreign:1; /* the low-level key is using an engine or an app-method */ + unsigned int foreign:1; /* the low-level key is using an engine or an app-method */ CRYPTO_EX_DATA ex_data; #endif From tomas at openssl.org Thu Jul 8 08:35:09 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Thu, 08 Jul 2021 08:35:09 +0000 Subject: [openssl] master update Message-ID: <1625733309.184744.17142.nullmailer@dev.openssl.org> The branch master has been updated via daf4b2437f38bd104400517cf8ff2c8121813b1a (commit) from 0588778f5ef5c5840e00879a1f62775e4c7a2f17 (commit) - Log ----------------------------------------------------------------- commit daf4b2437f38bd104400517cf8ff2c8121813b1a Author: Juergen Christ Date: Mon Jul 5 09:48:53 2021 +0200 Fix compile warning with GCC 11. When configured with strict warnings, GCC 11 complains about a possible stringop-translation: Config: /usr/bin/perl ./Configure enable-asan enable-ubsan enable-zlib-dynamic \ enable-unit-test enable-md2 enable-rc5 enable-buildtest-c++ \ enable-weak-ssl-ciphers enable-ssl3 enable-ssl3-method enable-fips -w \ --strict-warnings Warning: crypto/evp/ctrl_params_translate.c: In function 'fix_rsa_pss_saltlen': crypto/evp/ctrl_params_translate.c:1356:13: error: 'strncpy' specified bound 50 equals destination size [-Werror=stringop-truncation] 1356 | strncpy(ctx->name_buf, str_value_map[i].ptr, sizeof(ctx->name_buf)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fix by copying one byte less than the buffer size. We anyway overwrite the last byte. Signed-off-by: Juergen Christ Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15993) ----------------------------------------------------------------------- Summary of changes: crypto/evp/ctrl_params_translate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c index c532e57f8f..4ea17380af 100644 --- a/crypto/evp/ctrl_params_translate.c +++ b/crypto/evp/ctrl_params_translate.c @@ -1353,8 +1353,8 @@ static int fix_rsa_pss_saltlen(enum state state, if (i == OSSL_NELEM(str_value_map)) { BIO_snprintf(ctx->name_buf, sizeof(ctx->name_buf), "%d", ctx->p1); } else { - strncpy(ctx->name_buf, str_value_map[i].ptr, sizeof(ctx->name_buf)); /* This won't truncate but it will quiet static analysers */ + strncpy(ctx->name_buf, str_value_map[i].ptr, sizeof(ctx->name_buf) - 1); ctx->name_buf[sizeof(ctx->name_buf) - 1] = '\0'; } ctx->p2 = ctx->name_buf; From scan-admin at coverity.com Thu Jul 8 09:01:41 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Thu, 08 Jul 2021 09:01:41 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60e6bef55db70_35f0662afb921ef998894ba@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DLJyz_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeGjZDZS-2Ff4En9HRmoKOOPvDhC-2FUR7C2z3UX8EtXcf-2FtgmGRGJrG0VNNWSuxRaO7KTt-2BjCmAMngibbJT0uyMo0ctUpx5f2Kbs5Sz0eRQMpHUFsBZRwAhCwyezkDPx1EdylRT4-2FYAeTzyqm7NwCUcDe2VhjLwI3bOF5fIN0O2IeF1mIZTQaIF3dj2WWn1ErHfp1o-3D Build ID: 395906 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Thu Jul 8 09:08:14 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Thu, 08 Jul 2021 09:08:14 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60e6c07d732c3_35f2722afb921ef9988945f@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DqkD5_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFMvVuA5jpzQ2xnTRCU0Ig-2BFyUPN2vRT6JiRi8AaTafvH31CoO-2FV77GJRzodz9RmY-2Bxtvk-2BS6lEz0pmLORsJbSuBdupTKhPhUHFDrraWVUI7UBAhNBHJ0kmRQ7Qe5SwzsLfB9OEm0WEfnr7UDRuWjdeLKQA0g8-2FvdYT8RvtNKcK-2BjaFX7yRLi-2F2D7K-2BP0pyCU4-3D Build ID: 395907 Analysis Summary: New defects found: 0 Defects eliminated: 0 From tomas at openssl.org Thu Jul 8 10:06:50 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Thu, 08 Jul 2021 10:06:50 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1625738810.957226.3256.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via ce50fd96dc542fe22a42265019e556272fd060ba (commit) from f8fc0e35e0b1813af15887d42e17b7d5537bb86c (commit) - Log ----------------------------------------------------------------- commit ce50fd96dc542fe22a42265019e556272fd060ba Author: Oliver Mihatsch Date: Mon Jul 5 16:23:03 2021 +0200 Fix memory leak in i2d_ASN1_bio_stream When creating a signed S/MIME message using SMIME_write_CMS() if the reading from the bio fails, the state is therefore still ASN1_STATE_START when BIO_flush() is called by i2d_ASN1_bio_stream(). This results in calling asn1_bio_flush_ex cleanup but will only reset retry flags as the state is not ASN1_STATE_POST_COPY. Therefore 48 bytes (Linux x86_64) leaked since the ndef_prefix_free / ndef_suffix_free callbacks are not executed and the ndef_aux structure is not freed. By always calling free function callback in asn1_bio_free() the memory leak is fixed. (cherry picked from commit 3a1d2b59522163ebb83bb68e13c896188dc222c6) Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15999) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/bio_asn1.c | 5 ++++ crypto/asn1/bio_ndef.c | 3 ++ test/bio_memleak_test.c | 76 +++++++++++++++++++++++++++++++++++++++++++++---- 3 files changed, 78 insertions(+), 6 deletions(-) diff --git a/crypto/asn1/bio_asn1.c b/crypto/asn1/bio_asn1.c index 86ee566323..7bb3c1fa16 100644 --- a/crypto/asn1/bio_asn1.c +++ b/crypto/asn1/bio_asn1.c @@ -138,6 +138,11 @@ static int asn1_bio_free(BIO *b) if (ctx == NULL) return 0; + if (ctx->prefix_free != NULL) + ctx->prefix_free(b, &ctx->ex_buf, &ctx->ex_len, &ctx->ex_arg); + if (ctx->suffix_free != NULL) + ctx->suffix_free(b, &ctx->ex_buf, &ctx->ex_len, &ctx->ex_arg); + OPENSSL_free(ctx->buf); OPENSSL_free(ctx); BIO_set_data(b, NULL); diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c index d7d7d80eea..760e4846a4 100644 --- a/crypto/asn1/bio_ndef.c +++ b/crypto/asn1/bio_ndef.c @@ -142,6 +142,9 @@ static int ndef_prefix_free(BIO *b, unsigned char **pbuf, int *plen, ndef_aux = *(NDEF_SUPPORT **)parg; + if (ndef_aux == NULL) + return 0; + OPENSSL_free(ndef_aux->derbuf); ndef_aux->derbuf = NULL; diff --git a/test/bio_memleak_test.c b/test/bio_memleak_test.c index 383c82d156..23a6e7e5ce 100644 --- a/test/bio_memleak_test.c +++ b/test/bio_memleak_test.c @@ -10,6 +10,8 @@ #include #include #include +#include +#include #include "testutil.h" @@ -35,7 +37,7 @@ static int test_bio_memleak(void) goto finish; ok = 1; -finish: + finish: BIO_free(bio); return ok; } @@ -62,7 +64,7 @@ static int test_bio_get_mem(void) goto finish; ok = 1; -finish: + finish: BIO_free(bio); BUF_MEM_free(bufmem); return ok; @@ -98,7 +100,7 @@ static int test_bio_new_mem_buf(void) goto finish; ok = 1; -finish: + finish: BIO_free(bio); return ok; } @@ -139,7 +141,7 @@ static int test_bio_rdonly_mem_buf(void) goto finish; ok = 1; -finish: + finish: BIO_free(bio); BIO_free(bio2); return ok; @@ -176,7 +178,7 @@ static int test_bio_rdwr_rdonly(void) ok = 1; -finish: + finish: BIO_free(bio); return ok; } @@ -216,11 +218,72 @@ static int test_bio_nonclear_rst(void) ok = 1; -finish: + finish: BIO_free(bio); return ok; } +static int error_callback_fired; +static long BIO_error_callback(BIO *bio, int cmd, const char *argp, + size_t len, int argi, + long argl, int ret, size_t *processed) +{ + if ((cmd & (BIO_CB_READ | BIO_CB_RETURN)) != 0) { + error_callback_fired = 1; + ret = 0; /* fail for read operations to simulate error in input BIO */ + } + return ret; +} + +/* Checks i2d_ASN1_bio_stream() is freeing all memory when input BIO ends unexpectedly. */ +static int test_bio_i2d_ASN1_mime(void) +{ + int ok = 0; + BIO *bio = NULL, *out = NULL; + BUF_MEM bufmem; + static const char str[] = "BIO mime test\n"; + PKCS7 *p7 = NULL; + + if (!TEST_ptr(bio = BIO_new(BIO_s_mem()))) + goto finish; + + bufmem.length = sizeof(str); + bufmem.data = (char *) str; + bufmem.max = bufmem.length; + BIO_set_mem_buf(bio, &bufmem, BIO_NOCLOSE); + BIO_set_flags(bio, BIO_FLAGS_MEM_RDONLY); + BIO_set_callback_ex(bio, BIO_error_callback); + + if (!TEST_ptr(out = BIO_new(BIO_s_mem()))) + goto finish; + if (!TEST_ptr(p7 = PKCS7_new())) + goto finish; + if (!TEST_true(PKCS7_set_type(p7, NID_pkcs7_data))) + goto finish; + + error_callback_fired = 0; + + /* + * The call succeeds even if the input stream ends unexpectedly as + * there is no handling for this case in SMIME_crlf_copy(). + */ + if (!TEST_true(i2d_ASN1_bio_stream(out, (ASN1_VALUE*) p7, bio, + SMIME_STREAM | SMIME_BINARY, + ASN1_ITEM_rptr(PKCS7)))) + goto finish; + + if (!TEST_int_eq(error_callback_fired, 1)) + goto finish; + + ok = 1; + + finish: + BIO_free(bio); + BIO_free(out); + PKCS7_free(p7); + return ok; +} + int global_init(void) { CRYPTO_set_mem_debug(1); @@ -236,5 +299,6 @@ int setup_tests(void) ADD_TEST(test_bio_rdonly_mem_buf); ADD_TEST(test_bio_rdwr_rdonly); ADD_TEST(test_bio_nonclear_rst); + ADD_TEST(test_bio_i2d_ASN1_mime); return 1; } From pauli at openssl.org Thu Jul 8 10:22:42 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 08 Jul 2021 10:22:42 +0000 Subject: [openssl] master update Message-ID: <1625739762.819618.12400.nullmailer@dev.openssl.org> The branch master has been updated via e278127cbfa2709d864ca9628a8ddb160c5c5331 (commit) from daf4b2437f38bd104400517cf8ff2c8121813b1a (commit) - Log ----------------------------------------------------------------- commit e278127cbfa2709d864ca9628a8ddb160c5c5331 Author: Pauli Date: Wed Jul 7 16:32:16 2021 +1000 evp: detect and raise an error if no digest is found for a sign/verify operation If no digest is specified, the code looks for a default digest per PKEY via the evp_keymgmt_util_get_deflt_digest_name() call. If this call returns NULL, indicating no digest found, the code continues regardless. If the verify/sign init later fails, it returns an error without raising one. This change raises an error in this case. Fixes #15372 Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16015) ----------------------------------------------------------------------- Summary of changes: crypto/evp/m_sigver.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c index 5c5ed05876..63360a94bc 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c @@ -208,7 +208,14 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, mdname, provkey, params); } - goto end; + /* + * If the operation was not a success and no digest was found, an error + * needs to be raised. + */ + if (ret > 0 || mdname != NULL) + goto end; + if (type == NULL) /* This check is redundant but clarifies matters */ + ERR_raise(ERR_LIB_EVP, EVP_R_NO_DEFAULT_DIGEST); err: evp_pkey_ctx_free_old_ops(locpctx); From pauli at openssl.org Thu Jul 8 11:55:41 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 08 Jul 2021 11:55:41 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1625745341.326074.7478.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via d1a8201e88f0a5d46731010bb442f0f207c74fe9 (commit) via 987f66d1d7b1ef3576101a56b78f52d3f0e77c07 (commit) from ce50fd96dc542fe22a42265019e556272fd060ba (commit) - Log ----------------------------------------------------------------- commit d1a8201e88f0a5d46731010bb442f0f207c74fe9 Author: Pauli Date: Sat Jun 19 16:17:38 2021 +1000 test: add test for auto DH security level meets the minimum Manual merge from https://github.com/openssl/openssl/pull/15818 Commit id d0e5230dcecc6013d351545ceb275aa2ba5baa80 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15832) commit 987f66d1d7b1ef3576101a56b78f52d3f0e77c07 Author: Pauli Date: Sat Jun 19 16:16:36 2021 +1000 ssl: do not choose auto DH groups that are weaker than the security level manual merge from https://github.com/openssl/openssl/pull/15818 id d7b5c648d682b499b71320a03747602a6ba4dec3 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15832) ----------------------------------------------------------------------- Summary of changes: ssl/ssl_cert.c | 33 ++++++++++++++++++++++++--------- ssl/ssl_local.h | 1 + ssl/t1_lib.c | 9 ++++++++- test/recipes/80-test_ssl_old.t | 12 ++++++++++-- 4 files changed, 43 insertions(+), 12 deletions(-) diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 5d3e83f328..c102473864 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -876,18 +876,36 @@ int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref) return 1; } +int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp) +{ + int level; + static const int minbits_table[5 + 1] = { 0, 80, 112, 128, 192, 256 }; + + if (ctx != NULL) + level = SSL_CTX_get_security_level(ctx); + else + level = SSL_get_security_level(s); + + if (level > 5) + level = 5; + else if (level < 0) + level = 0; + + if (levelp != NULL) + *levelp = level; + + return minbits_table[level]; +} + static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex) { int level, minbits; - static const int minbits_table[5] = { 80, 112, 128, 192, 256 }; - if (ctx) - level = SSL_CTX_get_security_level(ctx); - else - level = SSL_get_security_level(s); - if (level <= 0) { + minbits = ssl_get_security_level_bits(s, ctx, &level); + + if (level == 0) { /* * No EDH keys weaker than 1024-bits even at level 0, otherwise, * anything goes. @@ -896,9 +914,6 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, return 0; return 1; } - if (level > 5) - level = 5; - minbits = minbits_table[level - 1]; switch (op) { case SSL_SECOP_CIPHER_SUPPORTED: case SSL_SECOP_CIPHER_SHARED: diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index a357d4d950..f92472117a 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2305,6 +2305,7 @@ __owur int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, __owur int ssl_security(const SSL *s, int op, int bits, int nid, void *other); __owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other); +int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp); __owur int ssl_cert_lookup_by_nid(int nid, size_t *pidx); __owur const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 48d46f8a48..93228ec183 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2441,7 +2441,8 @@ DH *ssl_get_auto_dh(SSL *s) { DH *dhp = NULL; BIGNUM *p = NULL, *g = NULL; - int dh_secbits = 80; + int dh_secbits = 80, sec_level_bits; + if (s->cert->dh_tmp_auto != 2) { if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { if (s->s3->tmp.new_cipher->strength_bits == 256) @@ -2464,6 +2465,12 @@ DH *ssl_get_auto_dh(SSL *s) BN_free(g); return NULL; } + + /* Do not pick a prime that is too weak for the current security level */ + sec_level_bits = ssl_get_security_level_bits(s, NULL, NULL); + if (dh_secbits < sec_level_bits) + dh_secbits = sec_level_bits; + if (dh_secbits >= 192) p = BN_get_rfc3526_prime_8192(NULL); else if (dh_secbits >= 152) diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index 377bf090ba..35cf0a7af8 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t @@ -476,10 +476,10 @@ sub testssl { subtest 'RSA/(EC)DHE/PSK tests' => sub { ###################################################################### - plan tests => 5; + plan tests => 6; SKIP: { - skip "TLSv1.0 is not supported by this OpenSSL build", 5 + skip "TLSv1.0 is not supported by this OpenSSL build", 6 if $no_tls1; SKIP: { @@ -514,6 +514,14 @@ sub testssl { ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])), 'test tls1 with PSK via BIO pair'); } + + SKIP: { + skip "skipping auto PSK tests", 1 + if ($no_dh || $no_psk || $no_ec); + + ok(run(test(['ssltest_old', '-psk', '0102030405', '-cipher', '@SECLEVEL=2:DHE-PSK-AES128-CCM'])), + 'test auto DH meets security strength'); + } } }; From pauli at openssl.org Thu Jul 8 23:18:40 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 08 Jul 2021 23:18:40 +0000 Subject: [openssl] master update Message-ID: <1625786320.990024.30865.nullmailer@dev.openssl.org> The branch master has been updated via 5c8c2e6b484d5845cc26a0b634c872e2d102037a (commit) from e278127cbfa2709d864ca9628a8ddb160c5c5331 (commit) - Log ----------------------------------------------------------------- commit 5c8c2e6b484d5845cc26a0b634c872e2d102037a Author: Pauli Date: Mon Jul 5 18:30:27 2021 +1000 apps: fix Coverity 1451531 Unchecked return value Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/15994) ----------------------------------------------------------------------- Summary of changes: apps/speed.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/apps/speed.c b/apps/speed.c index 555e66afbc..830a502656 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -764,24 +764,25 @@ static int EVP_Update_loop_ccm(void *args) if (decrypt) { for (count = 0; COND(c[D_EVP][testnum]); count++) { - EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, sizeof(tag), tag); + (void)EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, sizeof(tag), + tag); /* reset iv */ - EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, iv); + (void)EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, iv); /* counter is reset on every update */ - EVP_DecryptUpdate(ctx, buf, &outl, buf, lengths[testnum]); + (void)EVP_DecryptUpdate(ctx, buf, &outl, buf, lengths[testnum]); } } else { for (count = 0; COND(c[D_EVP][testnum]); count++) { /* restore iv length field */ - EVP_EncryptUpdate(ctx, NULL, &outl, NULL, lengths[testnum]); + (void)EVP_EncryptUpdate(ctx, NULL, &outl, NULL, lengths[testnum]); /* counter is reset on every update */ - EVP_EncryptUpdate(ctx, buf, &outl, buf, lengths[testnum]); + (void)EVP_EncryptUpdate(ctx, buf, &outl, buf, lengths[testnum]); } } if (decrypt) - EVP_DecryptFinal_ex(ctx, buf, &outl); + (void)EVP_DecryptFinal_ex(ctx, buf, &outl); else - EVP_EncryptFinal_ex(ctx, buf, &outl); + (void)EVP_EncryptFinal_ex(ctx, buf, &outl); return count; } @@ -2231,8 +2232,8 @@ int speed_main(int argc, char **argv) /* SIV mode only allows for a single Update operation */ if (EVP_CIPHER_get_mode(evp_cipher) == EVP_CIPH_SIV_MODE) - EVP_CIPHER_CTX_ctrl(loopargs[k].ctx, EVP_CTRL_SET_SPEED, - 1, NULL); + (void)EVP_CIPHER_CTX_ctrl(loopargs[k].ctx, + EVP_CTRL_SET_SPEED, 1, NULL); } Time_F(START); @@ -3628,8 +3629,9 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher, int lengths_single, mb_param.out = out; mb_param.inp = inp; mb_param.len = len; - EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT, - sizeof(mb_param), &mb_param); + (void)EVP_CIPHER_CTX_ctrl(ctx, + EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT, + sizeof(mb_param), &mb_param); } else { int pad; From pauli at openssl.org Fri Jul 9 00:25:54 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Fri, 09 Jul 2021 00:25:54 +0000 Subject: [openssl] master update Message-ID: <1625790354.793666.15013.nullmailer@dev.openssl.org> The branch master has been updated via 35258435ddc9a1afe7da0a1de78607bd3cbf837a (commit) via be618c7cc18ab0cbaf0538128705de7f60975ad7 (commit) from 5c8c2e6b484d5845cc26a0b634c872e2d102037a (commit) - Log ----------------------------------------------------------------- commit 35258435ddc9a1afe7da0a1de78607bd3cbf837a Author: Matt Caswell Date: Tue Jul 6 11:31:28 2021 +0100 Add a PKCS12 test to check with one input cert we get one output cert Following on from the regression in issue #15983, add a test that with one input cert, we get one cert in the pkcs12 file, and that it has the expected friendlyName. Reviewed-by: David von Oheimb Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16001) commit be618c7cc18ab0cbaf0538128705de7f60975ad7 Author: Matt Caswell Date: Mon Jul 5 17:19:59 2021 +0100 Don't add the first pkcs12 certificate multiple times This fixes a regression introduced by commit 1d6c867. When exporting a set of certificates to a PKCS12 file we shouldn't add the first one twice. Also we restore historic behaviour with respect to the canames option where we have no ee certificate with key. Fixes #15983 Reviewed-by: David von Oheimb Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16001) ----------------------------------------------------------------------- Summary of changes: apps/pkcs12.c | 11 +++++++---- test/recipes/80-test_pkcs12.t | 16 +++++++++++++++- 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 1234a69892..d745df8494 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -571,8 +571,6 @@ int pkcs12_main(int argc, char **argv) infile); goto export_end; } - } else { - ee_cert = X509_dup(sk_X509_value(certs, 0)); /* take 1st cert */ } } @@ -588,8 +586,13 @@ int pkcs12_main(int argc, char **argv) int vret; STACK_OF(X509) *chain2; X509_STORE *store; + X509 *ee_cert_tmp = ee_cert; + + /* Assume the first cert if we haven't got anything else */ + if (ee_cert_tmp == NULL && certs != NULL) + ee_cert_tmp = sk_X509_value(certs, 0); - if (ee_cert == NULL) { + if (ee_cert_tmp == NULL) { BIO_printf(bio_err, "No end entity certificate to check with -chain\n"); goto export_end; @@ -600,7 +603,7 @@ int pkcs12_main(int argc, char **argv) == NULL) goto export_end; - vret = get_cert_chain(ee_cert, store, untrusted_certs, &chain2); + vret = get_cert_chain(ee_cert_tmp, store, untrusted_certs, &chain2); X509_STORE_free(store); if (vret == X509_V_OK) { diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t index 52c70cb0f7..1f0cb4d501 100644 --- a/test/recipes/80-test_pkcs12.t +++ b/test/recipes/80-test_pkcs12.t @@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) { } $ENV{OPENSSL_WIN32_UTF8}=1; -plan tests => 10; +plan tests => 13; # Test different PKCS#12 formats ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats"); @@ -79,6 +79,7 @@ my $outfile1 = "out1.p12"; my $outfile2 = "out2.p12"; my $outfile3 = "out3.p12"; my $outfile4 = "out4.p12"; +my $outfile5 = "out5.p12"; # Test the -chain option with -untrusted ok(run(app(["openssl", "pkcs12", "-export", "-chain", @@ -133,5 +134,18 @@ ok(run(app(["openssl", "pkcs12", "-nomacver", "-nodes"])), "test_import_pkcs12_cert_key_cert"); +ok(run(app(["openssl", "pkcs12", "-export", "-out", $outfile5, + "-in", srctop_file(@path, "ee-cert.pem"), "-caname", "testname", + "-nokeys", "-passout", "pass:", "-certpbe", "NONE"])), + "test nokeys single cert"); + +my @pkcs12info = run(app(["openssl", "pkcs12", "-info", "-in", $outfile5, + "-passin", "pass:"]), capture => 1); + +# Test that with one input certificate, we get one output certificate +ok(grep(/subject=CN = server.example/, @pkcs12info) == 1, + "test one cert in output"); +# Test that the expected friendly name is present in the output +ok(grep(/testname/, @pkcs12info) == 1, "test friendly name in output"); SetConsoleOutputCP($savedcp) if (defined($savedcp)); From pauli at openssl.org Fri Jul 9 00:46:02 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Fri, 09 Jul 2021 00:46:02 +0000 Subject: [openssl] master update Message-ID: <1625791562.282577.28999.nullmailer@dev.openssl.org> The branch master has been updated via 0007ff257c95f5cd046799e492436f41caf4ecb2 (commit) from 35258435ddc9a1afe7da0a1de78607bd3cbf837a (commit) - Log ----------------------------------------------------------------- commit 0007ff257c95f5cd046799e492436f41caf4ecb2 Author: Matt Caswell Date: Tue Jul 6 16:24:07 2021 +0100 Fix s_server PSK handling Issue #15951 describes a scenario which causes s_server to fail when using a PSK. In the originally described issue this only impacted master and not 1.1.1. However, in fact this issue does also impact 1.1.1 - but only if you additionally supply the option "-no_ticket" to the s_server command line. The difference between the behaviour in master and 1.1.1 is due to 9c13b49, which changed PSK_MAX_IDENTITY_LEN from 128 to 256. It just so happens that a default OpenSSL TLSv1.3 ticket length happens to fall between those 2 values. Tickets are presented in TLSv1.3 as a PSK "identity". Passing "no_ticket" doesn't actually stop TLSv1.3 tickets completely, it just forces the use of "session ids as a ticket" instead. This significantly reduces the ticket size to below 128 in 1.1.1. The problem was due to s_server setting a TLSv1.2 PSK callback and a TLSv1.3 PSK callback. For backwards compat reasons the TLSv1.2 PSK callbacks also work in TLSv1.3 but are not preferred. In the described scenario we use a PSK to create the initial connection. Subsequent to that we attempt a resumption using a TLSv1.3 ticket (psk). If the psk length is below PSK_MAX_IDENTITY_LEN then we first call the TLSv1.2 PSK callback. Subsequently we call the TLSv1.3 PSK callback. Unfortunately s_server's TLSv1.2 PSK callback accepts the identity regardless, even though it is an unexpected value, and hence the binder subsequently fails to verify. The fix is to bail early in the TLSv1.2 callback if we detect we are being called from a TLSv1.3 connection. Fixes #15951 Reviewed-by: Ben Kaduk Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16008) ----------------------------------------------------------------------- Summary of changes: apps/s_server.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/apps/s_server.c b/apps/s_server.c index a112b01f1b..c5d9221e90 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -130,6 +130,17 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity, if (s_debug) BIO_printf(bio_s_out, "psk_server_cb\n"); + + if (SSL_version(ssl) >= TLS1_3_VERSION) { + /* + * This callback is designed for use in TLSv1.2. It is possible to use + * a single callback for all protocol versions - but it is preferred to + * use a dedicated callback for TLSv1.3. For TLSv1.3 we have + * psk_find_session_cb. + */ + return 0; + } + if (identity == NULL) { BIO_printf(bio_err, "Error: client did not send PSK identity\n"); goto out_err; From pauli at openssl.org Fri Jul 9 00:47:27 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Fri, 09 Jul 2021 00:47:27 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1625791647.519331.31090.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 6eba6a9b35e97f8fc9fee33a7bdfff0bed04a6dc (commit) from d1a8201e88f0a5d46731010bb442f0f207c74fe9 (commit) - Log ----------------------------------------------------------------- commit 6eba6a9b35e97f8fc9fee33a7bdfff0bed04a6dc Author: Matt Caswell Date: Tue Jul 6 16:24:07 2021 +0100 Fix s_server PSK handling Issue #15951 describes a scenario which causes s_server to fail when using a PSK. In the originally described issue this only impacted master and not 1.1.1. However, in fact this issue does also impact 1.1.1 - but only if you additionally supply the option "-no_ticket" to the s_server command line. The difference between the behaviour in master and 1.1.1 is due to 9c13b49, which changed PSK_MAX_IDENTITY_LEN from 128 to 256. It just so happens that a default OpenSSL TLSv1.3 ticket length happens to fall between those 2 values. Tickets are presented in TLSv1.3 as a PSK "identity". Passing "no_ticket" doesn't actually stop TLSv1.3 tickets completely, it just forces the use of "session ids as a ticket" instead. This significantly reduces the ticket size to below 128 in 1.1.1. The problem was due to s_server setting a TLSv1.2 PSK callback and a TLSv1.3 PSK callback. For backwards compat reasons the TLSv1.2 PSK callbacks also work in TLSv1.3 but are not preferred. In the described scenario we use a PSK to create the initial connection. Subsequent to that we attempt a resumption using a TLSv1.3 ticket (psk). If the psk length is below PSK_MAX_IDENTITY_LEN then we first call the TLSv1.2 PSK callback. Subsequently we call the TLSv1.3 PSK callback. Unfortunately s_server's TLSv1.2 PSK callback accepts the identity regardless, even though it is an unexpected value, and hence the binder subsequently fails to verify. The fix is to bail early in the TLSv1.2 callback if we detect we are being called from a TLSv1.3 connection. Fixes #15951 Reviewed-by: Ben Kaduk Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16008) (cherry picked from commit 0007ff257c95f5cd046799e492436f41caf4ecb2) ----------------------------------------------------------------------- Summary of changes: apps/s_server.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/apps/s_server.c b/apps/s_server.c index 0ba75999fd..bb81c9b40f 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -133,6 +133,17 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity, if (s_debug) BIO_printf(bio_s_out, "psk_server_cb\n"); + + if (SSL_version(ssl) >= TLS1_3_VERSION) { + /* + * This callback is designed for use in TLSv1.2. It is possible to use + * a single callback for all protocol versions - but it is preferred to + * use a dedicated callback for TLSv1.3. For TLSv1.3 we have + * psk_find_session_cb. + */ + return 0; + } + if (identity == NULL) { BIO_printf(bio_err, "Error: client did not send PSK identity\n"); goto out_err; From scan-admin at coverity.com Fri Jul 9 08:02:51 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Fri, 09 Jul 2021 08:02:51 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60e802aa2a758_1ade42b0e0706b9a0895e5@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DTbE1_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeH8bIUMqRbO-2BbfqgRy50zs6Gawr0LufAlLc-2FCbX9nGkwdsiLU-2BeD3Aiziqr0djkCi3JUzEdSI9yL-2F0PBvOWJ9mONlFfBzI0HuD2PZPRGpazXrAXqErolwImhH7eaoKVkv47322YTjwaa2jyvzMC-2Fy21fgoYPr-2BVIlbqGzq7dMUEo-2FADhhzr6MKMPeNSyOPbfQ0-3D Build ID: 396070 Analysis Summary: New defects found: 0 Defects eliminated: 3 From scan-admin at coverity.com Fri Jul 9 08:16:31 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Fri, 09 Jul 2021 08:16:31 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60e805de69500_1b3e52b0e0706b9a08951f@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DHtJ4_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeGFbNJBn5ZL1B4pF9ZGKRaMACYM5-2BY7V2okyB2ZlJOEKAJvf8U9RTK2asnKXCpr1ZMnb5WrH6xUbRIFxaZfz3zH5QZaUmEuKVXCPeeuyrcrFta3m-2BmsJnaaiSLLSDB6lhXwWeRXzB77Ww9BOSGiMrX1Qxon7mMU75SB1I-2F-2FBOp3e0tr3P4paCTz-2F1-2FTuxbvc9A-3D Build ID: 396072 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Sat Jul 10 07:49:56 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sat, 10 Jul 2021 07:49:56 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60e9512389c13_38d372ae06dce999c87224@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DhAZG_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeF4gI3AmCutU3pBC3qx724PmHvqdqsDlzfOAOS8bl7M6xMp6CmPwp9lXM4Wo2-2FjWgSmCHnJxh9mWISfK40y5QfmBTU40FwNDVj-2FOamQioGgHxGL2SnePEjFwxoDh8be2NHAsQJuKHGeTlYcmRpBx5ZvYJR763zo2ZhzInxmviDi-2BRyWb-2BTWASc7vR8ycFWugS4-3D Build ID: 396242 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Sat Jul 10 07:52:42 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sat, 10 Jul 2021 07:52:42 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60e951ca55a19_38e1e2ae06dce999c8722@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DL8YS_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFgoZ9AiDcgwMLhxk6ghZTttO7jz3B7MwN-2F4vs7-2BXvKjApOadZY3K4E-2FG5M4ymqxCnvL6WGM3UimuVsAVRuLgGaVkH61rVQzoZk3k-2Fu1NBu3MgN5-2FWhMtS-2FFOLvaeEY5PQ-2BO9MsIJpCSfGqd61NFANnV3tKvSgwwJ2QNdJzszkIhVWFM0qjhGJGvSM8GjHgrPU-3D Build ID: 396243 Analysis Summary: New defects found: 0 Defects eliminated: 0 From levitte at openssl.org Sat Jul 10 10:07:59 2021 From: levitte at openssl.org (Richard Levitte) Date: Sat, 10 Jul 2021 10:07:59 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1625911679.489811.12056.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via ea26844c4f624ef515d9228d3b623761a369b049 (commit) via f1d97905bbd8679b7647c992b97f526791069040 (commit) via 5434acb6c4d56507d761b28f7e142ccab808a8fa (commit) via 006906cddda37e24a66443199444ef4476697477 (commit) via 12e9b74c513a8ed3c1c260cf25221a465ae14b84 (commit) from 6eba6a9b35e97f8fc9fee33a7bdfff0bed04a6dc (commit) - Log ----------------------------------------------------------------- commit ea26844c4f624ef515d9228d3b623761a369b049 Author: Richard Levitte Date: Fri Jul 9 09:14:11 2021 +0200 make update (adds a new function code) Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16027) commit f1d97905bbd8679b7647c992b97f526791069040 Author: Richard Levitte Date: Fri Jul 9 08:51:55 2021 +0200 Fix test/asn1_encode_test.c to handle encoding/decoding failure Make it only report (and fail on) encoding/decoding failures when success is expected. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16027) commit 5434acb6c4d56507d761b28f7e142ccab808a8fa Author: Richard Levitte Date: Fri Jul 9 08:31:24 2021 +0200 Fix test/asn1_encode_test.c to not use ASN1_FBOOLEAN ASN1_FBOOLEAN is designed to use as a default for optional ASN1 items. This test program used it for non-optional items, which doesn't encode well. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16027) commit 006906cddda37e24a66443199444ef4476697477 Author: Richard Levitte Date: Thu Jul 8 13:38:45 2021 +0200 ASN.1: Refuse to encode to DER if non-optional items are missing Fixes #16026 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16027) commit 12e9b74c513a8ed3c1c260cf25221a465ae14b84 Author: Richard Levitte Date: Thu Jul 8 13:33:28 2021 +0200 TEST: Check that i2d refuses to encode non-optional items with no content The test case creates an RSA public key and tries to pass it through i2d_PrivateKey(). This SHOULD fail, since the private bits are missing. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16027) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/asn1_err.c | 4 +++- crypto/asn1/tasn_enc.c | 30 ++++++++++++++++-------- crypto/err/openssl.txt | 1 + include/openssl/asn1err.h | 3 ++- test/asn1_encode_test.c | 59 +++++++++++++++++++++++++---------------------- test/asn1_internal_test.c | 38 ++++++++++++++++++++++++++++++ 6 files changed, 97 insertions(+), 38 deletions(-) diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c index cc0a59ca4c..50003a8531 100644 --- a/crypto/asn1/asn1_err.c +++ b/crypto/asn1/asn1_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -82,6 +82,8 @@ static const ERR_STRING_DATA ASN1_str_functs[] = { "ASN1_STRING_type_new"}, {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_TEMPLATE_EX_D2I, 0), "asn1_template_ex_d2i"}, + {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_TEMPLATE_EX_I2D, 0), + "asn1_template_ex_i2d"}, {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_TEMPLATE_NEW, 0), "asn1_template_new"}, {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 0), "asn1_template_noexp_d2i"}, diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c index bcc96337bc..6eb300a21e 100644 --- a/crypto/asn1/tasn_enc.c +++ b/crypto/asn1/tasn_enc.c @@ -213,7 +213,7 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLATE *tt, int tag, int iclass) { - int i, ret, flags, ttag, tclass, ndef; + int i, ret, flags, ttag, tclass, ndef, len; ASN1_VALUE *tval; flags = tt->flags; @@ -300,13 +300,17 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, /* Determine total length of items */ skcontlen = 0; for (i = 0; i < sk_ASN1_VALUE_num(sk); i++) { - int tmplen; skitem = sk_ASN1_VALUE_value(sk, i); - tmplen = ASN1_item_ex_i2d(&skitem, NULL, ASN1_ITEM_ptr(tt->item), - -1, iclass); - if (tmplen == -1 || (skcontlen > INT_MAX - tmplen)) + len = ASN1_item_ex_i2d(&skitem, NULL, ASN1_ITEM_ptr(tt->item), + -1, iclass); + if (len == -1 || (skcontlen > INT_MAX - len)) + return -1; + if (len == 0 && (tt->flags & ASN1_TFLG_OPTIONAL) == 0) { + ASN1err(ASN1_F_ASN1_TEMPLATE_EX_I2D, + ASN1_R_ILLEGAL_ZERO_CONTENT); return -1; - skcontlen += tmplen; + } + skcontlen += len; } sklen = ASN1_object_size(ndef, skcontlen, sktag); if (sklen == -1) @@ -344,6 +348,10 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, i = ASN1_item_ex_i2d(pval, NULL, ASN1_ITEM_ptr(tt->item), -1, iclass); if (!i) return 0; + if (i == 0 && (tt->flags & ASN1_TFLG_OPTIONAL) == 0) { + ASN1err(ASN1_F_ASN1_TEMPLATE_EX_I2D, ASN1_R_ILLEGAL_ZERO_CONTENT); + return -1; + } /* Find length of EXPLICIT tag */ ret = ASN1_object_size(ndef, i, ttag); if (out && ret != -1) { @@ -357,9 +365,13 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, } /* Either normal or IMPLICIT tagging: combine class and flags */ - return ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), - ttag, tclass | iclass); - + len = ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), + ttag, tclass | iclass); + if (len == 0 && (tt->flags & ASN1_TFLG_OPTIONAL) == 0) { + ASN1err(ASN1_F_ASN1_TEMPLATE_EX_I2D, ASN1_R_ILLEGAL_ZERO_CONTENT); + return -1; + } + return len; } /* Temporary structure used to hold DER encoding of items for SET OF */ diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 017a9a6652..34b1bb8b84 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -60,6 +60,7 @@ ASN1_F_ASN1_STRING_TABLE_ADD:129:ASN1_STRING_TABLE_add ASN1_F_ASN1_STRING_TO_BN:228:asn1_string_to_bn ASN1_F_ASN1_STRING_TYPE_NEW:130:ASN1_STRING_type_new ASN1_F_ASN1_TEMPLATE_EX_D2I:132:asn1_template_ex_d2i +ASN1_F_ASN1_TEMPLATE_EX_I2D:145:asn1_template_ex_i2d ASN1_F_ASN1_TEMPLATE_NEW:133:asn1_template_new ASN1_F_ASN1_TEMPLATE_NOEXP_D2I:131:asn1_template_noexp_d2i ASN1_F_ASN1_TIME_ADJ:217:ASN1_TIME_adj diff --git a/include/openssl/asn1err.h b/include/openssl/asn1err.h index e1ad1fefec..fc72bb70f4 100644 --- a/include/openssl/asn1err.h +++ b/include/openssl/asn1err.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -75,6 +75,7 @@ int ERR_load_ASN1_strings(void); # define ASN1_F_ASN1_STRING_TO_BN 228 # define ASN1_F_ASN1_STRING_TYPE_NEW 130 # define ASN1_F_ASN1_TEMPLATE_EX_D2I 132 +# define ASN1_F_ASN1_TEMPLATE_EX_I2D 145 # define ASN1_F_ASN1_TEMPLATE_NEW 133 # define ASN1_F_ASN1_TEMPLATE_NOEXP_D2I 131 # define ASN1_F_ASN1_TIME_ADJ 217 diff --git a/test/asn1_encode_test.c b/test/asn1_encode_test.c index 51c3802942..dc0dfaf7b5 100644 --- a/test/asn1_encode_test.c +++ b/test/asn1_encode_test.c @@ -190,7 +190,7 @@ typedef struct { } ASN1_LONG_DATA; ASN1_SEQUENCE(ASN1_LONG_DATA) = { - ASN1_SIMPLE(ASN1_LONG_DATA, success, ASN1_FBOOLEAN), + ASN1_SIMPLE(ASN1_LONG_DATA, success, ASN1_BOOLEAN), ASN1_SIMPLE(ASN1_LONG_DATA, test_long, LONG), ASN1_EXP_OPT(ASN1_LONG_DATA, test_zlong, ZLONG, 0) } static_ASN1_SEQUENCE_END(ASN1_LONG_DATA) @@ -280,7 +280,7 @@ typedef struct { } ASN1_INT32_DATA; ASN1_SEQUENCE(ASN1_INT32_DATA) = { - ASN1_SIMPLE(ASN1_INT32_DATA, success, ASN1_FBOOLEAN), + ASN1_SIMPLE(ASN1_INT32_DATA, success, ASN1_BOOLEAN), ASN1_EMBED(ASN1_INT32_DATA, test_int32, INT32), ASN1_EXP_OPT_EMBED(ASN1_INT32_DATA, test_zint32, ZINT32, 0) } static_ASN1_SEQUENCE_END(ASN1_INT32_DATA) @@ -328,7 +328,7 @@ typedef struct { } ASN1_UINT32_DATA; ASN1_SEQUENCE(ASN1_UINT32_DATA) = { - ASN1_SIMPLE(ASN1_UINT32_DATA, success, ASN1_FBOOLEAN), + ASN1_SIMPLE(ASN1_UINT32_DATA, success, ASN1_BOOLEAN), ASN1_EMBED(ASN1_UINT32_DATA, test_uint32, UINT32), ASN1_EXP_OPT_EMBED(ASN1_UINT32_DATA, test_zuint32, ZUINT32, 0) } static_ASN1_SEQUENCE_END(ASN1_UINT32_DATA) @@ -376,7 +376,7 @@ typedef struct { } ASN1_INT64_DATA; ASN1_SEQUENCE(ASN1_INT64_DATA) = { - ASN1_SIMPLE(ASN1_INT64_DATA, success, ASN1_FBOOLEAN), + ASN1_SIMPLE(ASN1_INT64_DATA, success, ASN1_BOOLEAN), ASN1_EMBED(ASN1_INT64_DATA, test_int64, INT64), ASN1_EXP_OPT_EMBED(ASN1_INT64_DATA, test_zint64, ZINT64, 0) } static_ASN1_SEQUENCE_END(ASN1_INT64_DATA) @@ -425,7 +425,7 @@ typedef struct { } ASN1_UINT64_DATA; ASN1_SEQUENCE(ASN1_UINT64_DATA) = { - ASN1_SIMPLE(ASN1_UINT64_DATA, success, ASN1_FBOOLEAN), + ASN1_SIMPLE(ASN1_UINT64_DATA, success, ASN1_BOOLEAN), ASN1_EMBED(ASN1_UINT64_DATA, test_uint64, UINT64), ASN1_EXP_OPT_EMBED(ASN1_UINT64_DATA, test_zuint64, ZUINT64, 0) } static_ASN1_SEQUENCE_END(ASN1_UINT64_DATA) @@ -742,14 +742,17 @@ static int test_intern(const TEST_PACKAGE *package) sizeof(test_custom_data) / sizeof(test_custom_data[0])); for (i = 0; i < nelems; i++) { size_t pos = i * package->encode_expectations_elem_size; - switch (do_encode_custom((EXPECTED *)&((unsigned char *)package - ->encode_expectations)[pos], - &test_custom_data[i], package)) { + EXPECTED *expected + = (EXPECTED *)&((unsigned char *)package->encode_expectations)[pos]; + + switch (do_encode_custom(expected, &test_custom_data[i], package)) { case -1: - TEST_error("Failed custom encode round trip %u of %s", - i, package->name); - TEST_openssl_errors(); - fail++; + if (expected->success) { + TEST_error("Failed custom encode round trip %u of %s", + i, package->name); + TEST_openssl_errors(); + fail++; + } break; case 0: TEST_error("Custom encode round trip %u of %s mismatch", @@ -763,16 +766,16 @@ static int test_intern(const TEST_PACKAGE *package) OPENSSL_die("do_encode_custom() return unknown value", __FILE__, __LINE__); } - switch (do_decode_custom(&test_custom_data[i], - (EXPECTED *)&((unsigned char *)package - ->encode_expectations)[pos], + switch (do_decode_custom(&test_custom_data[i], expected, package->encode_expectations_elem_size, package)) { case -1: - TEST_error("Failed custom decode round trip %u of %s", - i, package->name); - TEST_openssl_errors(); - fail++; + if (expected->success) { + TEST_error("Failed custom decode round trip %u of %s", + i, package->name); + TEST_openssl_errors(); + fail++; + } break; case 0: TEST_error("Custom decode round trip %u of %s mismatch", @@ -792,15 +795,17 @@ static int test_intern(const TEST_PACKAGE *package) nelems = package->encdec_data_size / package->encdec_data_elem_size; for (i = 0; i < nelems; i++) { size_t pos = i * package->encdec_data_elem_size; - switch (do_enc_dec((EXPECTED *)&((unsigned char *)package - ->encdec_data)[pos], - package->encdec_data_elem_size, - package)) { + EXPECTED *expected + = (EXPECTED *)&((unsigned char *)package->encdec_data)[pos]; + + switch (do_enc_dec(expected, package->encdec_data_elem_size, package)) { case -1: - TEST_error("Failed encode/decode round trip %u of %s", - i, package->name); - TEST_openssl_errors(); - fail++; + if (expected->success) { + TEST_error("Failed encode/decode round trip %u of %s", + i, package->name); + TEST_openssl_errors(); + fail++; + } break; case 0: TEST_error("Encode/decode round trip %u of %s mismatch", diff --git a/test/asn1_internal_test.c b/test/asn1_internal_test.c index 865e058421..146d8a8994 100644 --- a/test/asn1_internal_test.c +++ b/test/asn1_internal_test.c @@ -107,9 +107,47 @@ static int test_standard_methods(void) return 0; } +/********************************************************************** + * + * Test of that i2d fail on non-existing non-optional items + * + ***/ + +#include + +static int test_empty_nonoptional_content(void) +{ + RSA *rsa = NULL; + BIGNUM *n = NULL; + BIGNUM *e = NULL; + int ok = 0; + + if (!TEST_ptr(rsa = RSA_new()) + || !TEST_ptr(n = BN_new()) + || !TEST_ptr(e = BN_new()) + || !TEST_true(RSA_set0_key(rsa, n, e, NULL))) + goto end; + + n = e = NULL; /* They are now "owned" by |rsa| */ + + /* + * This SHOULD fail, as we're trying to encode a public key as a private + * key. The private key bits MUST be present for a proper RSAPrivateKey. + */ + if (TEST_int_le(i2d_RSAPrivateKey(rsa, NULL), 0)) + ok = 1; + + end: + RSA_free(rsa); + BN_free(n); + BN_free(e); + return ok; +} + int setup_tests(void) { ADD_TEST(test_tbl_standard); ADD_TEST(test_standard_methods); + ADD_TEST(test_empty_nonoptional_content); return 1; } From levitte at openssl.org Sat Jul 10 10:10:10 2021 From: levitte at openssl.org (Richard Levitte) Date: Sat, 10 Jul 2021 10:10:10 +0000 Subject: [openssl] master update Message-ID: <1625911810.504244.14121.nullmailer@dev.openssl.org> The branch master has been updated via f159b83a75c8d5e5c43ae4b2dec62086a5e36189 (commit) via 1bbe13fce5be8eee6fe2854b79dfbd38c028077c (commit) from 0007ff257c95f5cd046799e492436f41caf4ecb2 (commit) - Log ----------------------------------------------------------------- commit f159b83a75c8d5e5c43ae4b2dec62086a5e36189 Author: Richard Levitte Date: Thu Jul 8 19:05:34 2021 +0200 Configurations/unix-Makefile.tmpl: use platform->sharedlib() as fallback If platform->sharedlib_simple() and platform->sharedlib_import() return undefined, try platform->sharedlib() as a fallback before platform->staticlib(). Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16023) commit 1bbe13fce5be8eee6fe2854b79dfbd38c028077c Author: Richard Levitte Date: Thu Jul 8 05:18:25 2021 +0200 platform->sharedlib_simple(): return undef when same as platform->sharedlib() On some Unix-like platforms, there is no such thing as versioned shared libraries. In this case, platform->sharedlib_simple() should simply return undef. Among others, this avoids the shared libraries to be installed as symlinks on themselves. Fixes #16012 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16023) ----------------------------------------------------------------------- Summary of changes: Configurations/platform/Unix.pm | 1 + Configurations/unix-Makefile.tmpl | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/Configurations/platform/Unix.pm b/Configurations/platform/Unix.pm index 80963adc30..c7d7d9eb80 100644 --- a/Configurations/platform/Unix.pm +++ b/Configurations/platform/Unix.pm @@ -63,6 +63,7 @@ sub sharedname_simple { } sub sharedlib_simple { + return undef if $_[0]->shlibext() eq $_[0]->shlibextsimple(); return platform::BASE::__concat($_[0]->sharedname_simple($_[1]), $_[0]->shlibextsimple()); } diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index b82166f70a..0fb80f1968 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -1392,7 +1392,7 @@ FORCE: # Building targets ################################################### -libcrypto.pc libssl.pc openssl.pc: configdata.pm $(LIBS) {- join(" ",map { platform->sharedlib_simple($_) // platform->sharedlib_import($_) // () } @{$unified_info{libraries}}) -} +libcrypto.pc libssl.pc openssl.pc: configdata.pm $(LIBS) {- join(" ",map { platform->sharedlib_simple($_) // platform->sharedlib_import($_) // platform->sharedlib($_) // () } @{$unified_info{libraries}}) -} libcrypto.pc: @ ( echo 'prefix=$(INSTALLTOP)'; \ echo 'exec_prefix=$${prefix}'; \ @@ -1484,6 +1484,7 @@ reconfigure reconf: # On Unix platforms, we depend on {shlibname}.so return map { platform->sharedlib_simple($_) // platform->sharedlib_import($_) + // platform->sharedlib($_) // platform->staticlib($_) } @_; } From levitte at openssl.org Sat Jul 10 15:07:25 2021 From: levitte at openssl.org (Richard Levitte) Date: Sat, 10 Jul 2021 15:07:25 +0000 Subject: [openssl] master update Message-ID: <1625929645.443829.7338.nullmailer@dev.openssl.org> The branch master has been updated via 6bfd3e51c04faa97ed98f38e35bd9bb5294b9070 (commit) via 50d0a51d6dc83815a6fca5c00c711ffcf407a214 (commit) via f0f4de4e50eaa11eb5a51fa6e7756d4a0876557e (commit) via 4cd473518777766e303cebe89c5a056dbec7e513 (commit) via 2296cc34f3c700b0bc5c45f35e56641fbb840db3 (commit) from f159b83a75c8d5e5c43ae4b2dec62086a5e36189 (commit) - Log ----------------------------------------------------------------- commit 6bfd3e51c04faa97ed98f38e35bd9bb5294b9070 Author: Tomas Mraz Date: Fri Jul 9 15:48:02 2021 +0200 test_cmp_ctx: Avoid using empty X509 with i2d Reviewed-by: Richard Levitte Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/16036) commit 50d0a51d6dc83815a6fca5c00c711ffcf407a214 Author: Richard Levitte Date: Fri Jul 9 08:51:55 2021 +0200 Fix test/asn1_encode_test.c to handle encoding/decoding failure Make it only report (and fail on) encoding/decoding failures when success is expected. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16036) commit f0f4de4e50eaa11eb5a51fa6e7756d4a0876557e Author: Richard Levitte Date: Fri Jul 9 08:31:24 2021 +0200 Fix test/asn1_encode_test.c to not use ASN1_FBOOLEAN ASN1_FBOOLEAN is designed to use as a default for optional ASN1 items. This test program used it for non-optional items, which doesn't encode well. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16036) commit 4cd473518777766e303cebe89c5a056dbec7e513 Author: Richard Levitte Date: Thu Jul 8 13:38:45 2021 +0200 ASN.1: Refuse to encode to DER if non-optional items are missing Fixes #16026 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16036) commit 2296cc34f3c700b0bc5c45f35e56641fbb840db3 Author: Richard Levitte Date: Thu Jul 8 13:33:28 2021 +0200 TEST: Check that i2d refuses to encode non-optional items with no content The test case creates an RSA public key and tries to pass it through i2d_PrivateKey(). This SHOULD fail, since the private bits are missing. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16036) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/tasn_enc.c | 29 ++++++++++++++------- test/asn1_encode_test.c | 59 +++++++++++++++++++++++------------------- test/asn1_internal_test.c | 44 +++++++++++++++++++++++++++++++ test/cmp_ctx_test.c | 22 +++++++++++++--- test/recipes/65-test_cmp_ctx.t | 6 +++-- 5 files changed, 119 insertions(+), 41 deletions(-) diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c index 2d24320af9..06473d3411 100644 --- a/crypto/asn1/tasn_enc.c +++ b/crypto/asn1/tasn_enc.c @@ -217,7 +217,7 @@ static int asn1_template_ex_i2d(const ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLATE *tt, int tag, int iclass) { const int flags = tt->flags; - int i, ret, ttag, tclass, ndef; + int i, ret, ttag, tclass, ndef, len; const ASN1_VALUE *tval; /* @@ -303,13 +303,16 @@ static int asn1_template_ex_i2d(const ASN1_VALUE **pval, unsigned char **out, /* Determine total length of items */ skcontlen = 0; for (i = 0; i < sk_const_ASN1_VALUE_num(sk); i++) { - int tmplen; skitem = sk_const_ASN1_VALUE_value(sk, i); - tmplen = ASN1_item_ex_i2d(&skitem, NULL, ASN1_ITEM_ptr(tt->item), - -1, iclass); - if (tmplen == -1 || (skcontlen > INT_MAX - tmplen)) + len = ASN1_item_ex_i2d(&skitem, NULL, ASN1_ITEM_ptr(tt->item), + -1, iclass); + if (len == -1 || (skcontlen > INT_MAX - len)) + return -1; + if (len == 0 && (tt->flags & ASN1_TFLG_OPTIONAL) == 0) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_ILLEGAL_ZERO_CONTENT); return -1; - skcontlen += tmplen; + } + skcontlen += len; } sklen = ASN1_object_size(ndef, skcontlen, sktag); if (sklen == -1) @@ -347,6 +350,10 @@ static int asn1_template_ex_i2d(const ASN1_VALUE **pval, unsigned char **out, i = ASN1_item_ex_i2d(pval, NULL, ASN1_ITEM_ptr(tt->item), -1, iclass); if (!i) return 0; + if (i == 0 && (tt->flags & ASN1_TFLG_OPTIONAL) == 0) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_ILLEGAL_ZERO_CONTENT); + return -1; + } /* Find length of EXPLICIT tag */ ret = ASN1_object_size(ndef, i, ttag); if (out && ret != -1) { @@ -360,9 +367,13 @@ static int asn1_template_ex_i2d(const ASN1_VALUE **pval, unsigned char **out, } /* Either normal or IMPLICIT tagging: combine class and flags */ - return ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), - ttag, tclass | iclass); - + len = ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), + ttag, tclass | iclass); + if (len == 0 && (tt->flags & ASN1_TFLG_OPTIONAL) == 0) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_ILLEGAL_ZERO_CONTENT); + return -1; + } + return len; } /* Temporary structure used to hold DER encoding of items for SET OF */ diff --git a/test/asn1_encode_test.c b/test/asn1_encode_test.c index 27f522b222..c453bdf3f8 100644 --- a/test/asn1_encode_test.c +++ b/test/asn1_encode_test.c @@ -190,7 +190,7 @@ typedef struct { } ASN1_LONG_DATA; ASN1_SEQUENCE(ASN1_LONG_DATA) = { - ASN1_SIMPLE(ASN1_LONG_DATA, success, ASN1_FBOOLEAN), + ASN1_SIMPLE(ASN1_LONG_DATA, success, ASN1_BOOLEAN), ASN1_SIMPLE(ASN1_LONG_DATA, test_long, LONG), ASN1_EXP_OPT(ASN1_LONG_DATA, test_zlong, ZLONG, 0) } static_ASN1_SEQUENCE_END(ASN1_LONG_DATA) @@ -280,7 +280,7 @@ typedef struct { } ASN1_INT32_DATA; ASN1_SEQUENCE(ASN1_INT32_DATA) = { - ASN1_SIMPLE(ASN1_INT32_DATA, success, ASN1_FBOOLEAN), + ASN1_SIMPLE(ASN1_INT32_DATA, success, ASN1_BOOLEAN), ASN1_EMBED(ASN1_INT32_DATA, test_int32, INT32), ASN1_EXP_OPT_EMBED(ASN1_INT32_DATA, test_zint32, ZINT32, 0) } static_ASN1_SEQUENCE_END(ASN1_INT32_DATA) @@ -328,7 +328,7 @@ typedef struct { } ASN1_UINT32_DATA; ASN1_SEQUENCE(ASN1_UINT32_DATA) = { - ASN1_SIMPLE(ASN1_UINT32_DATA, success, ASN1_FBOOLEAN), + ASN1_SIMPLE(ASN1_UINT32_DATA, success, ASN1_BOOLEAN), ASN1_EMBED(ASN1_UINT32_DATA, test_uint32, UINT32), ASN1_EXP_OPT_EMBED(ASN1_UINT32_DATA, test_zuint32, ZUINT32, 0) } static_ASN1_SEQUENCE_END(ASN1_UINT32_DATA) @@ -376,7 +376,7 @@ typedef struct { } ASN1_INT64_DATA; ASN1_SEQUENCE(ASN1_INT64_DATA) = { - ASN1_SIMPLE(ASN1_INT64_DATA, success, ASN1_FBOOLEAN), + ASN1_SIMPLE(ASN1_INT64_DATA, success, ASN1_BOOLEAN), ASN1_EMBED(ASN1_INT64_DATA, test_int64, INT64), ASN1_EXP_OPT_EMBED(ASN1_INT64_DATA, test_zint64, ZINT64, 0) } static_ASN1_SEQUENCE_END(ASN1_INT64_DATA) @@ -425,7 +425,7 @@ typedef struct { } ASN1_UINT64_DATA; ASN1_SEQUENCE(ASN1_UINT64_DATA) = { - ASN1_SIMPLE(ASN1_UINT64_DATA, success, ASN1_FBOOLEAN), + ASN1_SIMPLE(ASN1_UINT64_DATA, success, ASN1_BOOLEAN), ASN1_EMBED(ASN1_UINT64_DATA, test_uint64, UINT64), ASN1_EXP_OPT_EMBED(ASN1_UINT64_DATA, test_zuint64, ZUINT64, 0) } static_ASN1_SEQUENCE_END(ASN1_UINT64_DATA) @@ -742,14 +742,17 @@ static int test_intern(const TEST_PACKAGE *package) sizeof(test_custom_data) / sizeof(test_custom_data[0])); for (i = 0; i < nelems; i++) { size_t pos = i * package->encode_expectations_elem_size; - switch (do_encode_custom((EXPECTED *)&((unsigned char *)package - ->encode_expectations)[pos], - &test_custom_data[i], package)) { + EXPECTED *expected + = (EXPECTED *)&((unsigned char *)package->encode_expectations)[pos]; + + switch (do_encode_custom(expected, &test_custom_data[i], package)) { case -1: - TEST_error("Failed custom encode round trip %u of %s", - i, package->name); - TEST_openssl_errors(); - fail++; + if (expected->success) { + TEST_error("Failed custom encode round trip %u of %s", + i, package->name); + TEST_openssl_errors(); + fail++; + } break; case 0: TEST_error("Custom encode round trip %u of %s mismatch", @@ -763,16 +766,16 @@ static int test_intern(const TEST_PACKAGE *package) OPENSSL_die("do_encode_custom() return unknown value", __FILE__, __LINE__); } - switch (do_decode_custom(&test_custom_data[i], - (EXPECTED *)&((unsigned char *)package - ->encode_expectations)[pos], + switch (do_decode_custom(&test_custom_data[i], expected, package->encode_expectations_elem_size, package)) { case -1: - TEST_error("Failed custom decode round trip %u of %s", - i, package->name); - TEST_openssl_errors(); - fail++; + if (expected->success) { + TEST_error("Failed custom decode round trip %u of %s", + i, package->name); + TEST_openssl_errors(); + fail++; + } break; case 0: TEST_error("Custom decode round trip %u of %s mismatch", @@ -792,15 +795,17 @@ static int test_intern(const TEST_PACKAGE *package) nelems = package->encdec_data_size / package->encdec_data_elem_size; for (i = 0; i < nelems; i++) { size_t pos = i * package->encdec_data_elem_size; - switch (do_enc_dec((EXPECTED *)&((unsigned char *)package - ->encdec_data)[pos], - package->encdec_data_elem_size, - package)) { + EXPECTED *expected + = (EXPECTED *)&((unsigned char *)package->encdec_data)[pos]; + + switch (do_enc_dec(expected, package->encdec_data_elem_size, package)) { case -1: - TEST_error("Failed encode/decode round trip %u of %s", - i, package->name); - TEST_openssl_errors(); - fail++; + if (expected->success) { + TEST_error("Failed encode/decode round trip %u of %s", + i, package->name); + TEST_openssl_errors(); + fail++; + } break; case 0: TEST_error("Encode/decode round trip %u of %s mismatch", diff --git a/test/asn1_internal_test.c b/test/asn1_internal_test.c index 5bf0eee8c8..61e4265c8b 100644 --- a/test/asn1_internal_test.c +++ b/test/asn1_internal_test.c @@ -9,6 +9,12 @@ /* Internal tests for the asn1 module */ +/* + * RSA low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include #include @@ -107,6 +113,43 @@ static int test_standard_methods(void) return 0; } +/********************************************************************** + * + * Test of that i2d fail on non-existing non-optional items + * + ***/ + +#include + +static int test_empty_nonoptional_content(void) +{ + RSA *rsa = NULL; + BIGNUM *n = NULL; + BIGNUM *e = NULL; + int ok = 0; + + if (!TEST_ptr(rsa = RSA_new()) + || !TEST_ptr(n = BN_new()) + || !TEST_ptr(e = BN_new()) + || !TEST_true(RSA_set0_key(rsa, n, e, NULL))) + goto end; + + n = e = NULL; /* They are now "owned" by |rsa| */ + + /* + * This SHOULD fail, as we're trying to encode a public key as a private + * key. The private key bits MUST be present for a proper RSAPrivateKey. + */ + if (TEST_int_le(i2d_RSAPrivateKey(rsa, NULL), 0)) + ok = 1; + + end: + RSA_free(rsa); + BN_free(n); + BN_free(e); + return ok; +} + /********************************************************************** * * Tests of the Unicode code point range @@ -151,6 +194,7 @@ int setup_tests(void) { ADD_TEST(test_tbl_standard); ADD_TEST(test_standard_methods); + ADD_TEST(test_empty_nonoptional_content); ADD_TEST(test_unicode_range); return 1; } diff --git a/test/cmp_ctx_test.c b/test/cmp_ctx_test.c index e25aa9ab43..71fa679ff4 100644 --- a/test/cmp_ctx_test.c +++ b/test/cmp_ctx_test.c @@ -13,6 +13,11 @@ #include +static X509 *test_cert; + +/* Avoid using X509_new() via the generic macros below. */ +#define X509_new() X509_dup(test_cert) + typedef struct test_fixture { const char *test_case_name; OSSL_CMP_CTX *ctx; @@ -42,7 +47,7 @@ static OSSL_CMP_CTX_TEST_FIXTURE *set_up(const char *const test_case_name) static STACK_OF(X509) *sk_X509_new_1(void) { STACK_OF(X509) *sk = sk_X509_new_null(); - X509 *x = X509_new(); + X509 *x = X509_dup(test_cert); if (x == NULL || !sk_X509_push(sk, x)) { sk_X509_free(sk); @@ -68,12 +73,12 @@ static int execute_CTX_reinit_test(OSSL_CMP_CTX_TEST_FIXTURE *fixture) ctx->status = 1; ctx->failInfoCode = 1; if (!ossl_cmp_ctx_set0_statusString(ctx, sk_ASN1_UTF8STRING_new_null()) - || !ossl_cmp_ctx_set0_newCert(ctx, X509_new()) + || !ossl_cmp_ctx_set0_newCert(ctx, X509_dup(test_cert)) || !TEST_ptr(certs = sk_X509_new_1()) || !ossl_cmp_ctx_set1_newChain(ctx, certs) || !ossl_cmp_ctx_set1_caPubs(ctx, certs) || !ossl_cmp_ctx_set1_extraCertsIn(ctx, certs) - || !ossl_cmp_ctx_set0_validatedSrvCert(ctx, X509_new()) + || !ossl_cmp_ctx_set0_validatedSrvCert(ctx, X509_dup(test_cert)) || !TEST_ptr(bytes = ASN1_OCTET_STRING_new()) || !OSSL_CMP_CTX_set1_transactionID(ctx, bytes) || !OSSL_CMP_CTX_set1_senderNonce(ctx, bytes) @@ -786,6 +791,17 @@ DEFINE_SET_TEST(ossl_cmp, ctx, 1, 1, recipNonce, ASN1_OCTET_STRING) int setup_tests(void) { + char *cert_file; + + if (!test_skip_common_options()) { + TEST_error("Error parsing test options\n"); + return 0; + } + + if (!TEST_ptr(cert_file = test_get_argument(0)) + || !TEST_ptr(test_cert = load_cert_pem(cert_file, NULL))) + return 0; + /* OSSL_CMP_CTX_new() is tested by set_up() */ /* OSSL_CMP_CTX_free() is tested by tear_down() */ ADD_TEST(test_CTX_reinit); diff --git a/test/recipes/65-test_cmp_ctx.t b/test/recipes/65-test_cmp_ctx.t index 93f26ea994..069c0e660b 100644 --- a/test/recipes/65-test_cmp_ctx.t +++ b/test/recipes/65-test_cmp_ctx.t @@ -10,7 +10,7 @@ use strict; -use OpenSSL::Test; # get 'plan' +use OpenSSL::Test qw/:DEFAULT srctop_file/; use OpenSSL::Test::Simple; use OpenSSL::Test::Utils; @@ -19,4 +19,6 @@ setup("test_cmp_ctx"); plan skip_all => "This test is not supported in a no-cmp build" if disabled("cmp"); -simple_test("test_cmp_ctx", "cmp_ctx_test", "cmp_ctx"); +plan tests => 1; + +ok(run(test(["cmp_ctx_test", srctop_file("test", "certs", "ee-cert.pem")]))); From beldmit at gmail.com Sat Jul 10 15:59:49 2021 From: beldmit at gmail.com (beldmit at gmail.com) Date: Sat, 10 Jul 2021 15:59:49 +0000 Subject: [openssl] master update Message-ID: <1625932789.725926.22440.nullmailer@dev.openssl.org> The branch master has been updated via 15729bef385211bc2a0497e2d53a45c45d677d2c (commit) from 6bfd3e51c04faa97ed98f38e35bd9bb5294b9070 (commit) - Log ----------------------------------------------------------------- commit 15729bef385211bc2a0497e2d53a45c45d677d2c Author: Daiki Ueno Date: Thu Jul 8 19:22:36 2021 +0200 BIO_lookup_ex: use AI_ADDRCONFIG only if explicit host name is given The flag only affects which record types are queried via DNS (A or AAAA, or both). When node is NULL and AF_UNSPEC is used, it prevents getaddrinfo returning the right address associated with the loopback interface. Signed-off-by: Daiki Ueno Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/16033) ----------------------------------------------------------------------- Summary of changes: crypto/bio/bio_addr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/bio/bio_addr.c b/crypto/bio/bio_addr.c index 0efbc3cb44..d18c849ade 100644 --- a/crypto/bio/bio_addr.c +++ b/crypto/bio/bio_addr.c @@ -696,7 +696,7 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type, hints.ai_protocol = protocol; # ifdef AI_ADDRCONFIG # ifdef AF_UNSPEC - if (family == AF_UNSPEC) + if (host != NULL && family == AF_UNSPEC) # endif hints.ai_flags |= AI_ADDRCONFIG; # endif From scan-admin at coverity.com Sun Jul 11 07:49:40 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 11 Jul 2021 07:49:40 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60eaa2935a031_559fb2ad5d30a999c58048@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DUhy7_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFie-2BOASCJdgsBX0BnxNNki77r3b32ZCP7rKuiGJf3xkj-2F9oTgrejtivSOTpuWjuAt2hFhrHSgJuEi4X5UdGLJ-2F7T50ELcfJ70fsqq4-2FMJbfmHPnwicYEpC6JY5rGy6lezA1Z-2BbUEb-2FwWu7Aph3AqPKOJgxMIOIb-2BWzPr6mBIOr-2BrfPSRia1Anm7CtsrW1zw0I-3D Build ID: 396386 Analysis Summary: New defects found: 1 Defects eliminated: 0 If you have difficulty understanding any defects, email us at scan-admin at coverity.com, or post your question to StackOverflow at https://u15810271.ct.sendgrid.net/ls/click?upn=CTPegkVN6peWFCMEieYYmPWIi1E4yUS9EoqKFcNAiqhRq8qmgeBE-2Bdt3uvFRAFXd-2FlwX83-2FVVdybfzIMOby0qA-3D-3D0Y90_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFie-2BOASCJdgsBX0BnxNNki77r3b32ZCP7rKuiGJf3xkklxdsLZdlqkjmu8DxMXLL35tkDR-2BCaH-2FiXRzD3UqJPXPAbPLXcuIwtzRabV7SMsBzxFs1ShZzQFh8MkbrQDJpBUNgpHwcHW4b5teKxZausVS685O-2BwSCo-2BFCxOZ9Fs8A4hGu4nsKMSRS06DfNh2AHw-3D From scan-admin at coverity.com Sun Jul 11 07:52:22 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 11 Jul 2021 07:52:22 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60eaa3362195d_55bef2ad5d30a999c580d7@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DYefB_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeF7eeIzdHkQAothNnv9VSnbjyQvFX4gWSbH7SKsUNu6NRgbRomkewKD2us69bB72B7uN7QGyTwLL7JMhQDSBH-2BKkgaiXIfoXBeX1Q7EoZPd7YCysALhQ06uqkoZi27OgdtXbQl98nxe0mC0GFm9cKnQAjX1fxxbp0wmr5BBAZUs-2FdkrF8sBF5zAL7drgzk5IwU-3D Build ID: 396388 Analysis Summary: New defects found: 0 Defects eliminated: 0 From dev at ddvo.net Sun Jul 11 15:06:44 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Sun, 11 Jul 2021 15:06:44 +0000 Subject: [openssl] master update Message-ID: <1626016004.105432.5757.nullmailer@dev.openssl.org> The branch master has been updated via 5303aa51c015ab7590187ac3e441b6d3c47a6e79 (commit) via 6a1f9cdc0c33f9b0cfae44ec04e506367a1582cd (commit) from 15729bef385211bc2a0497e2d53a45c45d677d2c (commit) - Log ----------------------------------------------------------------- commit 5303aa51c015ab7590187ac3e441b6d3c47a6e79 Author: Dr. David von Oheimb Date: Thu Jul 8 19:44:47 2021 +0200 Fix legacy OCSP_REQ_CTX_http() function to expect ASN.1 formatted input Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16029) commit 6a1f9cdc0c33f9b0cfae44ec04e506367a1582cd Author: Dr. David von Oheimb Date: Thu Jul 8 19:45:35 2021 +0200 Improve doc of OSSL_HTTP_REQ_CTX_set_expected() on timeout param < 0 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16029) ----------------------------------------------------------------------- Summary of changes: crypto/http/http_client.c | 2 +- doc/man3/OSSL_HTTP_REQ_CTX.pod | 6 ++++-- include/openssl/ocsp.h.in | 5 +++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c index aea53b302b..779e4b7203 100644 --- a/crypto/http/http_client.c +++ b/crypto/http/http_client.c @@ -257,7 +257,7 @@ int OSSL_HTTP_REQ_CTX_set_expected(OSSL_HTTP_REQ_CTX *rctx, rctx->expect_asn1 = asn1; if (timeout >= 0) rctx->max_time = timeout > 0 ? time(NULL) + timeout : 0; - else + else /* take over any |overall_timeout| arg of OSSL_HTTP_open(), else 0 */ rctx->max_time = rctx->max_total_time; rctx->keep_alive = keep_alive; return 1; diff --git a/doc/man3/OSSL_HTTP_REQ_CTX.pod b/doc/man3/OSSL_HTTP_REQ_CTX.pod index c1cf9ad87b..38f57f5cd6 100644 --- a/doc/man3/OSSL_HTTP_REQ_CTX.pod +++ b/doc/man3/OSSL_HTTP_REQ_CTX.pod @@ -97,14 +97,16 @@ If the I parameter is nonzero a structure in ASN.1 encoding will be expected as the response content and input streaming is disabled. This means that an ASN.1 sequence header is required, its length field is checked, and OSSL_HTTP_REQ_CTX_get0_mem_bio() should be used to get the buffered response. -Else any form of input is allowed without length checks, which is the default. +Otherwise any input format is allowed without length checks, which is the default. In this case the BIO given as I argument to OSSL_HTTP_REQ_CTX_new() should be used directly to read the response contents, which may support streaming. If the I parameter is > 0 this indicates the maximum number of seconds the subsequent HTTP transfer (sending the request and receiving a response) is allowed to take. -A value <= 0 enables waiting indefinitely, i.e., no timeout can occur. +I == 0 enables waiting indefinitely, i.e., no timeout can occur. This is the default. +I < 0 takes over any value set via the I argument of +L with the default being 0, which means no timeout. If the I parameter is 0, which is the default, the connection is not kept open after receiving a response. This is the default behavior for HTTP 1.0. If the value is 1 or 2 then a persistent connection is requested. diff --git a/include/openssl/ocsp.h.in b/include/openssl/ocsp.h.in index a9ff4e565c..e2cc2716b5 100644 --- a/include/openssl/ocsp.h.in +++ b/include/openssl/ocsp.h.in @@ -180,8 +180,9 @@ typedef OSSL_HTTP_REQ_CTX OCSP_REQ_CTX; OSSL_HTTP_REQ_CTX_new(io, io, buf_size) # define OCSP_REQ_CTX_free OSSL_HTTP_REQ_CTX_free # define OCSP_REQ_CTX_http(rctx, op, path) \ - OSSL_HTTP_REQ_CTX_set_request_line(rctx, strcmp(op, "POST") == 0, \ - NULL, NULL, path) + (OSSL_HTTP_REQ_CTX_set_expected(rctx, NULL, 1 /* asn1 */, 0, 0) && \ + OSSL_HTTP_REQ_CTX_set_request_line(rctx, strcmp(op, "POST") == 0, \ + NULL, NULL, path)) # define OCSP_REQ_CTX_add1_header OSSL_HTTP_REQ_CTX_add1_header # define OCSP_REQ_CTX_i2d(r, it, req) \ OSSL_HTTP_REQ_CTX_set1_req(r, "application/ocsp-request", it, req) From pauli at openssl.org Sun Jul 11 23:15:13 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Sun, 11 Jul 2021 23:15:13 +0000 Subject: [openssl] master update Message-ID: <1626045313.241976.30142.nullmailer@dev.openssl.org> The branch master has been updated via d19dacd55f03cb36974fe69e6649bca16d80ab35 (commit) via 09b430cd87bc3b018fb97879eb6a2ea540c8e923 (commit) via ff215713655e721be505cc884aed5d1230c7759e (commit) via 242dfd8a1b93326d200383948a8d57db5ce57de0 (commit) via ac1e85f464568d14962162fe97670a53f11f6bfc (commit) via 2f8f8e6fc941b4cc80e29fc1d553445b13a6a789 (commit) via 12aa352f091c25bcc1a8d7518a33e10b9375313f (commit) from 5303aa51c015ab7590187ac3e441b6d3c47a6e79 (commit) - Log ----------------------------------------------------------------- commit d19dacd55f03cb36974fe69e6649bca16d80ab35 Author: Pauli Date: Thu Jul 8 11:38:06 2021 +1000 doc: document the new opt_legacy_okay() function's behaviour Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16022) commit 09b430cd87bc3b018fb97879eb6a2ea540c8e923 Author: Pauli Date: Thu Jul 8 11:25:11 2021 +1000 app: add library context and propq arguments to opt_md() and opt_cipher() Also avoid calling EVP_get_XXXbyname() if legacy paths aren't allowed. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16022) commit ff215713655e721be505cc884aed5d1230c7759e Author: Pauli Date: Thu Jul 8 11:24:05 2021 +1000 apps: add a function opt_legacy_okay() that indicates if legacy paths are permitted or not By default they are. However, if a provider, provider path or a property query has been specified they are not. Likewise, if a library context or a property query has been specified by the command, they are not. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16022) commit 242dfd8a1b93326d200383948a8d57db5ce57de0 Author: Pauli Date: Thu Jul 8 11:22:14 2021 +1000 apps: add query to allow a command to know of a provider command line option was processed Better fixing: Fixing #15683 Fixing #15686 Replacing rather than fixing: Fixing #15414 Since that claims to fix another: Fixing #15372 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16022) commit ac1e85f464568d14962162fe97670a53f11f6bfc Author: Pauli Date: Thu Jul 8 11:09:39 2021 +1000 test: make build descriptions more consistent Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16022) commit 2f8f8e6fc941b4cc80e29fc1d553445b13a6a789 Author: Pauli Date: Thu Jul 8 10:55:01 2021 +1000 test: add a shim function for the apps's opt_legacy_okay() function Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16022) commit 12aa352f091c25bcc1a8d7518a33e10b9375313f Author: Pauli Date: Thu Jul 8 10:53:05 2021 +1000 test: rename apps_mem.c to be apps_shims.c in anticipation of additonal functions Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16022) ----------------------------------------------------------------------- Summary of changes: apps/include/opt.h | 5 +++++ apps/lib/app_provider.c | 13 ++++++++++++ apps/lib/apps.c | 32 ++++++++++++++++++++++++++++++ apps/lib/opt.c | 19 +++++++++++++----- doc/internal/man3/OPTIONS.pod | 10 +++++++++- test/build.info | 6 +++--- test/testutil/{apps_mem.c => apps_shims.c} | 26 ++++++++++++++++++++++++ 7 files changed, 102 insertions(+), 9 deletions(-) rename test/testutil/{apps_mem.c => apps_shims.c} (68%) diff --git a/apps/include/opt.h b/apps/include/opt.h index ce0e35cd72..4f83a0ed53 100644 --- a/apps/include/opt.h +++ b/apps/include/opt.h @@ -388,8 +388,13 @@ int opt_pair(const char *arg, const OPT_PAIR * pairs, int *result); int opt_verify(int i, X509_VERIFY_PARAM *vpm); int opt_rand(int i); int opt_provider(int i); +int opt_provider_option_given(void); char **opt_rest(void); int opt_num_rest(void); +/* Returns non-zero if legacy paths are still available */ +int opt_legacy_okay(void); + + #endif /* OSSL_APPS_OPT_H */ diff --git a/apps/lib/app_provider.c b/apps/lib/app_provider.c index c3100b2fa8..63f78ae07d 100644 --- a/apps/lib/app_provider.c +++ b/apps/lib/app_provider.c @@ -13,6 +13,9 @@ #include #include +/* Non-zero if any of the provider options have been seen */ +static int provider_option_given = 0; + DEFINE_STACK_OF(OSSL_PROVIDER) /* @@ -64,6 +67,9 @@ static int opt_provider_path(const char *path) int opt_provider(int opt) { + const int given = provider_option_given; + + provider_option_given = 1; switch ((enum prov_range)opt) { case OPT_PROV__FIRST: case OPT_PROV__LAST: @@ -75,5 +81,12 @@ int opt_provider(int opt) case OPT_PROV_PROPQUERY: return app_set_propq(opt_arg()); } + /* Should never get here but if we do, undo what we did earlier */ + provider_option_given = given; return 0; } + +int opt_provider_option_given(void) +{ + return provider_option_given; +} diff --git a/apps/lib/apps.c b/apps/lib/apps.c index a767023197..a29d582990 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -15,6 +15,12 @@ # define _POSIX_C_SOURCE 2 #endif +#ifndef OPENSSL_NO_ENGINE +/* We need to use some deprecated APIs */ +# define OPENSSL_SUPPRESS_DEPRECATED +# include +#endif + #include #include #include @@ -3295,3 +3301,29 @@ EVP_PKEY *app_paramgen(EVP_PKEY_CTX *ctx, const char *alg) opt_getprog(), alg != NULL ? alg : "asymmetric"); return res; } + +/* + * Return non-zero if the legacy path is still an option. + * This decision is based on the global command line operations and the + * behaviour thus far. + */ +int opt_legacy_okay(void) +{ + int provider_options = opt_provider_option_given(); + int libctx = app_get0_libctx() != NULL || app_get0_propq() != NULL; +#ifndef OPENSSL_NO_ENGINE + ENGINE *e = ENGINE_get_first(); + + if (e != NULL) { + ENGINE_free(e); + return 1; + } +#endif + /* + * Having a provider option specified or a custom library context or + * property query, is a sure sign we're not using legacy. + */ + if (provider_options || libctx) + return 0; + return 1; +} diff --git a/apps/lib/opt.c b/apps/lib/opt.c index adb0417bd8..157367982d 100644 --- a/apps/lib/opt.c +++ b/apps/lib/opt.c @@ -378,8 +378,10 @@ int opt_cipher_silent(const char *name, EVP_CIPHER **cipherp) EVP_CIPHER *c; ERR_set_mark(); - if ((c = EVP_CIPHER_fetch(NULL, name, NULL)) != NULL - || (c = (EVP_CIPHER *)EVP_get_cipherbyname(name)) != NULL) { + if ((c = EVP_CIPHER_fetch(app_get0_libctx(), name, + app_get0_propq())) != NULL + || (opt_legacy_okay() + && (c = (EVP_CIPHER *)EVP_get_cipherbyname(name)) != NULL)) { ERR_pop_to_mark(); if (cipherp != NULL) { EVP_CIPHER_free(*cipherp); @@ -429,12 +431,19 @@ int opt_cipher(const char *name, EVP_CIPHER **cipherp) */ int opt_md_silent(const char *name, EVP_MD **mdp) { - EVP_MD_free(*mdp); + EVP_MD *md; ERR_set_mark(); - if ((*mdp = EVP_MD_fetch(NULL, name, NULL)) != NULL - || (*mdp = (EVP_MD *)EVP_get_digestbyname(name)) != NULL) { + if ((md = EVP_MD_fetch(app_get0_libctx(), name, app_get0_propq())) != NULL + || (opt_legacy_okay() + && (md = (EVP_MD *)EVP_get_digestbyname(name)) != NULL)) { ERR_pop_to_mark(); + if (mdp != NULL) { + EVP_MD_free(*mdp); + *mdp = md; + } else { + EVP_MD_free(md); + } return 1; } ERR_clear_last_mark(); diff --git a/doc/internal/man3/OPTIONS.pod b/doc/internal/man3/OPTIONS.pod index d615aa3c28..1971c76241 100644 --- a/doc/internal/man3/OPTIONS.pod +++ b/doc/internal/man3/OPTIONS.pod @@ -8,7 +8,7 @@ opt_begin, opt_next, opt_flag, opt_arg, opt_unknown, opt_cipher, opt_cipher_any, opt_cipher_silent, opt_md, opt_int, opt_int_arg, opt_long, opt_ulong, opt_intmax, opt_uintmax, opt_format, opt_isdir, opt_string, opt_pair, -opt_num_rest, opt_rest +opt_num_rest, opt_rest, opt_legacy_okay - Option parsing for commands and tests =head1 SYNOPSIS @@ -53,6 +53,8 @@ opt_num_rest, opt_rest int opt_num_rest(void); char **opt_rest(void); + int opt_legacy_okay(void); + =head1 DESCRIPTION The functions on this page provide a common set of option-parsing for @@ -290,6 +292,12 @@ The opt_rest() function returns a pointer to the first non-option. If there were no parameters, it will point to the NULL that is at the end of the standard I array. +The opt_legacy_okay() function returns true if no options have been +specified that would preclude using legacy code paths. Currently, +the various provider options preclude legacy operation. This means, +for example, that specifying both B<-provider> and B<-engine> in the +same command line will not work as expected. + =head2 Common Options There are a few groups of options that are common to many OpenSSL programs. diff --git a/test/build.info b/test/build.info index 568fcff3ed..af21e03255 100644 --- a/test/build.info +++ b/test/build.info @@ -21,7 +21,7 @@ IF[{- !$disabled{tests} -}] testutil/format_output.c testutil/load.c testutil/fake_random.c \ testutil/test_cleanup.c testutil/main.c testutil/testutil_init.c \ testutil/options.c testutil/test_options.c testutil/provider.c \ - testutil/apps_mem.c testutil/random.c $LIBAPPSSRC + testutil/apps_shims.c testutil/random.c $LIBAPPSSRC INCLUDE[libtestutil.a]=../include ../apps/include .. DEPEND[libtestutil.a]=../libcrypto @@ -859,9 +859,9 @@ IF[{- !$disabled{tests} -}] DEPEND[namemap_internal_test]=../libcrypto.a libtestutil.a PROGRAMS{noinst}=bio_prefix_text - SOURCE[bio_prefix_text]=bio_prefix_text.c $LIBAPPSSRC + SOURCE[bio_prefix_text]=bio_prefix_text.c INCLUDE[bio_prefix_text]=.. ../include ../apps/include - DEPEND[bio_prefix_text]=../libcrypto + DEPEND[bio_prefix_text]=../libcrypto libtestutil.a IF[{- !$disabled{'deprecated-3.0'} -}] PROGRAMS{noinst}=pem_read_depr_test diff --git a/test/testutil/apps_mem.c b/test/testutil/apps_shims.c similarity index 68% rename from test/testutil/apps_mem.c rename to test/testutil/apps_shims.c index ef5e266b25..53d851ffda 100644 --- a/test/testutil/apps_mem.c +++ b/test/testutil/apps_shims.c @@ -28,3 +28,29 @@ void *app_malloc(size_t sz, const char *what) } return vp; } + +/* shim to prevent sucking in too much from apps */ + +int opt_legacy_okay(void) +{ + return 1; +} + +/* + * These three functions are defined here so that they don't need to come from + * the apps source code and pull in a lot of additional things. + */ +int opt_provider_option_given(void) +{ + return 0; +} + +const char *app_get0_propq(void) +{ + return NULL; +} + +OSSL_LIB_CTX *app_get0_libctx(void) +{ + return NULL; +} From scan-admin at coverity.com Mon Jul 12 07:51:59 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Mon, 12 Jul 2021 07:51:59 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60ebf49e9c659_72fb72b1a78bbf9a0957a6@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DlWBm_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeEhyrAx67pq-2BYSkvpeuTyGAuYI0DJWC26upNUsYftH27-2FXed3FAhzLa13ZwdKiah6yEmCtoaIiP4WCSAH64JobjfkyKBXdbh5Xn8Yr9UmvASlrm3K1DwAoFkGuthcgz3awOuFn6HKwV-2Byux2-2FrUvLz5H281q4bnQBnBPh6GmsQlKU7OuGFK9NZIvhZLhbE6cg4-3D Build ID: 396531 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Mon Jul 12 07:53:26 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Mon, 12 Jul 2021 07:53:26 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60ebf4f615eb2_730332b1a78bbf9a0957ec@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DJsGm_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFtwecztxAwDT-2Fu6eA6Q-2FVvlyWQ8AZjkwEqN55LGkIkESU3a-2BJwPRfAGPVbob358tHvO3JMCRJfFO7Gvv9txI4AT90XSnm5oJ00zLp-2BFqX21bKVZqd2T88D-2FZud3csH44ik3fwu-2BaY76MZN86ODLzTdBeQb5qIhgJRlR7PigOyu3XUXse0pmzFyfvNQ5wG6Rkg-3D Build ID: 396532 Analysis Summary: New defects found: 0 Defects eliminated: 0 From matt at openssl.org Mon Jul 12 09:09:47 2021 From: matt at openssl.org (Matt Caswell) Date: Mon, 12 Jul 2021 09:09:47 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1626080987.426433.13132.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 5b71c677781ca260c8d9968c103d92c44d644007 (commit) from ea26844c4f624ef515d9228d3b623761a369b049 (commit) - Log ----------------------------------------------------------------- commit 5b71c677781ca260c8d9968c103d92c44d644007 Author: Matt Caswell Date: Wed Jun 23 08:54:12 2021 +0100 Avoid "excessive message size" for session tickets We received a report of an "excessive message size" for a received session ticket. Our maximum size was significantly less than the theoretical maximum. The server may put any data it likes in the session ticket including (for example) the full certificate chain so we should be able to handle longer tickets. Update the value to the maximum allowed by the spec. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15877) (cherry picked from commit e54f0c9b2fe3dd2dcb5e8100e2c69e5b2f6eb681) ----------------------------------------------------------------------- Summary of changes: ssl/statem/statem_clnt.c | 3 ++- ssl/statem/statem_local.h | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 5543e08c59..d1a3969812 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1001,7 +1001,8 @@ size_t ossl_statem_client_max_message_size(SSL *s) return CCS_MAX_LENGTH; case TLS_ST_CR_SESSION_TICKET: - return SSL3_RT_MAX_PLAIN_LENGTH; + return (SSL_IS_TLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13 + : SESSION_TICKET_MAX_LENGTH_TLS12; case TLS_ST_CR_FINISHED: return FINISHED_MAX_LENGTH; diff --git a/ssl/statem/statem_local.h b/ssl/statem/statem_local.h index e27c0c13a2..3efa1c5a1c 100644 --- a/ssl/statem/statem_local.h +++ b/ssl/statem/statem_local.h @@ -22,6 +22,8 @@ #define SERVER_HELLO_MAX_LENGTH 20000 #define HELLO_RETRY_REQUEST_MAX_LENGTH 20000 #define ENCRYPTED_EXTENSIONS_MAX_LENGTH 20000 +#define SESSION_TICKET_MAX_LENGTH_TLS13 131338 +#define SESSION_TICKET_MAX_LENGTH_TLS12 65541 #define SERVER_KEY_EXCH_MAX_LENGTH 102400 #define SERVER_HELLO_DONE_MAX_LENGTH 0 #define KEY_UPDATE_MAX_LENGTH 1 From pauli at openssl.org Mon Jul 12 23:24:24 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Mon, 12 Jul 2021 23:24:24 +0000 Subject: [openssl] master update Message-ID: <1626132264.410322.7360.nullmailer@dev.openssl.org> The branch master has been updated via a773e67b89208309032d14bd61cf2c2ed4708420 (commit) from d19dacd55f03cb36974fe69e6649bca16d80ab35 (commit) - Log ----------------------------------------------------------------- commit a773e67b89208309032d14bd61cf2c2ed4708420 Author: Pauli Date: Sun Jul 11 20:53:43 2021 +1000 asn.1: fix Coverity 1487104 Logically dead code Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16042) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/tasn_enc.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c index 06473d3411..3ea18b0280 100644 --- a/crypto/asn1/tasn_enc.c +++ b/crypto/asn1/tasn_enc.c @@ -348,11 +348,12 @@ static int asn1_template_ex_i2d(const ASN1_VALUE **pval, unsigned char **out, /* EXPLICIT tagging */ /* Find length of tagged item */ i = ASN1_item_ex_i2d(pval, NULL, ASN1_ITEM_ptr(tt->item), -1, iclass); - if (!i) + if (i == 0) { + if ((tt->flags & ASN1_TFLG_OPTIONAL) == 0) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_ILLEGAL_ZERO_CONTENT); + return -1; + } return 0; - if (i == 0 && (tt->flags & ASN1_TFLG_OPTIONAL) == 0) { - ERR_raise(ERR_LIB_ASN1, ASN1_R_ILLEGAL_ZERO_CONTENT); - return -1; } /* Find length of EXPLICIT tag */ ret = ASN1_object_size(ndef, i, ttag); From pauli at openssl.org Tue Jul 13 01:28:28 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 13 Jul 2021 01:28:28 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1626139708.883815.20724.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 474cd196d628b1f91efa32827b403e2c1d896f81 (commit) from 5b71c677781ca260c8d9968c103d92c44d644007 (commit) - Log ----------------------------------------------------------------- commit 474cd196d628b1f91efa32827b403e2c1d896f81 Author: Daiki Ueno Date: Thu Jul 8 19:22:36 2021 +0200 BIO_lookup_ex: use AI_ADDRCONFIG only if explicit host name is given The flag only affects which record types are queried via DNS (A or AAAA, or both). When node is NULL and AF_UNSPEC is used, it prevents getaddrinfo returning the right address associated with the loopback interface. Signed-off-by: Daiki Ueno Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16039) ----------------------------------------------------------------------- Summary of changes: crypto/bio/b_addr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/bio/b_addr.c b/crypto/bio/b_addr.c index b023bbda40..ea15601f3d 100644 --- a/crypto/bio/b_addr.c +++ b/crypto/bio/b_addr.c @@ -689,7 +689,7 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type, hints.ai_protocol = protocol; # ifdef AI_ADDRCONFIG # ifdef AF_UNSPEC - if (family == AF_UNSPEC) + if (host != NULL && family == AF_UNSPEC) # endif hints.ai_flags |= AI_ADDRCONFIG; # endif From pauli at openssl.org Tue Jul 13 06:04:54 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 13 Jul 2021 06:04:54 +0000 Subject: [openssl] master update Message-ID: <1626156294.856808.32588.nullmailer@dev.openssl.org> The branch master has been updated via db226bf20f350ea62d3c649a4707fcdd78bbaea9 (commit) from a773e67b89208309032d14bd61cf2c2ed4708420 (commit) - Log ----------------------------------------------------------------- commit db226bf20f350ea62d3c649a4707fcdd78bbaea9 Author: Tianjia Zhang Date: Mon Jul 12 11:22:59 2021 +0800 Remove executable mode attributes of non-executable files Remove the executable attributes of some C code files and key files, change the file mode from 0755 to 0644. Signed-off-by: Tianjia Zhang Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16045) ----------------------------------------------------------------------- Summary of changes: apps/ca.c | 0 demos/digest/BIO_f_md.c | 0 demos/digest/EVP_MD_stdin.c | 0 test/insta.priv.pem | 0 test/insta_ca.cert.pem | 0 .../65-test_cmp_vfy_data/IR_protected_0_extraCerts.der | Bin .../65-test_cmp_vfy_data/IR_protected_2_extraCerts.der | Bin test/recipes/65-test_cmp_vfy_data/insta.cert.pem | 0 test/recipes/65-test_cmp_vfy_data/insta.priv.pem | 0 test/recipes/65-test_cmp_vfy_data/insta_ca.cert.pem | 0 10 files changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 apps/ca.c mode change 100755 => 100644 demos/digest/BIO_f_md.c mode change 100755 => 100644 demos/digest/EVP_MD_stdin.c mode change 100755 => 100644 test/insta.priv.pem mode change 100755 => 100644 test/insta_ca.cert.pem mode change 100755 => 100644 test/recipes/65-test_cmp_vfy_data/IR_protected_0_extraCerts.der mode change 100755 => 100644 test/recipes/65-test_cmp_vfy_data/IR_protected_2_extraCerts.der mode change 100755 => 100644 test/recipes/65-test_cmp_vfy_data/insta.cert.pem mode change 100755 => 100644 test/recipes/65-test_cmp_vfy_data/insta.priv.pem mode change 100755 => 100644 test/recipes/65-test_cmp_vfy_data/insta_ca.cert.pem diff --git a/apps/ca.c b/apps/ca.c old mode 100755 new mode 100644 diff --git a/demos/digest/BIO_f_md.c b/demos/digest/BIO_f_md.c old mode 100755 new mode 100644 diff --git a/demos/digest/EVP_MD_stdin.c b/demos/digest/EVP_MD_stdin.c old mode 100755 new mode 100644 diff --git a/test/insta.priv.pem b/test/insta.priv.pem old mode 100755 new mode 100644 diff --git a/test/insta_ca.cert.pem b/test/insta_ca.cert.pem old mode 100755 new mode 100644 diff --git a/test/recipes/65-test_cmp_vfy_data/IR_protected_0_extraCerts.der b/test/recipes/65-test_cmp_vfy_data/IR_protected_0_extraCerts.der old mode 100755 new mode 100644 diff --git a/test/recipes/65-test_cmp_vfy_data/IR_protected_2_extraCerts.der b/test/recipes/65-test_cmp_vfy_data/IR_protected_2_extraCerts.der old mode 100755 new mode 100644 diff --git a/test/recipes/65-test_cmp_vfy_data/insta.cert.pem b/test/recipes/65-test_cmp_vfy_data/insta.cert.pem old mode 100755 new mode 100644 diff --git a/test/recipes/65-test_cmp_vfy_data/insta.priv.pem b/test/recipes/65-test_cmp_vfy_data/insta.priv.pem old mode 100755 new mode 100644 diff --git a/test/recipes/65-test_cmp_vfy_data/insta_ca.cert.pem b/test/recipes/65-test_cmp_vfy_data/insta_ca.cert.pem old mode 100755 new mode 100644 From scan-admin at coverity.com Tue Jul 13 07:50:30 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Tue, 13 Jul 2021 07:50:30 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60ed45c612f48_919722af1157ed9a83dd@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3D51Ya_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFG95GTDh1w0aKMwj1zE6K-2BNAxND7WAoRkqwnUVJVdP3jxYVbL7AwfH4A3zul3qDqxnb9RTP2Ro2G4nePtt76d5-2FakzDL6wR7udGFKUkGPsznWF8UJ51n3H3ONNBDOSjtDVu-2BKeShCuqwfRhCbf7TAJEhKhnJtX9YlEMgeI6oClXN6tNKG3Sr0oQQJMY5EGcXM-3D Build ID: 396692 Analysis Summary: New defects found: 0 Defects eliminated: 1 From scan-admin at coverity.com Tue Jul 13 08:03:45 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Tue, 13 Jul 2021 08:03:45 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60ed48e181e07_91ebe2af1157ed9a8337@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DMyMf_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeH10iz0QwqHe4095m6sr87uctIrG9WQeVs7gWYYL7pe7MSg20i4HY95li2epTEWe76nVW-2B-2FbnMkhyUWI1J9TCTL3sLh07zz7ZKKAvdRCotu8j0bTpWBh-2FDzAwPmIOA4YHKCmKsT0BzIB3p5uCHcjPpCzn1pu-2FG49UFX5zaTZF9zGTIXWOy36YbOoMPJmz2o-2FFY-3D Build ID: 396694 Analysis Summary: New defects found: 0 Defects eliminated: 0 From levitte at openssl.org Tue Jul 13 08:07:30 2021 From: levitte at openssl.org (Richard Levitte) Date: Tue, 13 Jul 2021 08:07:30 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1626163650.976703.15350.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via b46a26b3ade22be5ba4c39bf89c66f17d7900944 (commit) from 474cd196d628b1f91efa32827b403e2c1d896f81 (commit) - Log ----------------------------------------------------------------- commit b46a26b3ade22be5ba4c39bf89c66f17d7900944 Author: Richard Levitte Date: Mon Jul 12 07:26:36 2021 +0200 Avoid empty lines in nmake rule bodies nmake is tolerant of those empty lines, but jom isn't. That tolerance isn't standard make behaviour, so we lean towards avoiding them. We simply use '@rem' instead. Fixes #16014 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16047) ----------------------------------------------------------------------- Summary of changes: Configurations/windows-makefile.tmpl | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index 9351149fe8..13716e0644 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl @@ -324,15 +324,15 @@ build_apps build_tests: build_programs # Convenience target to prebuild all generated files, not just the mandatory # ones build_all_generated: $(GENERATED_MANDATORY) $(GENERATED) - @{- output_off() if $disabled{makedepend}; "" -} + @{- output_off() if $disabled{makedepend}; "\@rem" -} @$(ECHO) "Warning: consider configuring with no-makedepend, because if" @$(ECHO) " target system doesn't have $(PERL)," @$(ECHO) " then make will fail..." - @{- output_on() if $disabled{makedepend}; "" -} + @{- output_on() if $disabled{makedepend}; "\@rem" -} test: tests {- dependmagic('tests'); -}: build_programs_nodep build_engines_nodep - @{- output_off() if $disabled{tests}; "" -} + @{- output_off() if $disabled{tests}; "\@rem" -} -mkdir $(BLDDIR)\test\test-runs set SRCTOP=$(SRCDIR) set BLDTOP=$(BLDDIR) @@ -341,17 +341,17 @@ test: tests set OPENSSL_ENGINES=$(MAKEDIR)\engines set OPENSSL_DEBUG_MEMORY=on "$(PERL)" "$(SRCDIR)\test\run_tests.pl" $(TESTS) - @{- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -} + @{- if ($disabled{tests}) { output_on(); } else { output_off(); } "\@rem" -} @$(ECHO) "Tests are not supported with your chosen Configure options" - @{- output_on() if !$disabled{tests}; "" -} + @{- output_on() if !$disabled{tests}; "\@rem" -} list-tests: - @{- output_off() if $disabled{tests}; "" -} + @{- output_off() if $disabled{tests}; "\@rem" -} @set SRCTOP=$(SRCDIR) @"$(PERL)" "$(SRCDIR)\test\run_tests.pl" list - @{- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -} + @{- if ($disabled{tests}) { output_on(); } else { output_off(); } "\@rem" -} @$(ECHO) "Tests are not supported with your chosen Configure options" - @{- output_on() if !$disabled{tests}; "" -} + @{- output_on() if !$disabled{tests}; "\@rem" -} install: install_sw install_ssldirs install_docs @@ -362,7 +362,7 @@ libclean: -del /Q /F $(LIBS) libcrypto.* libssl.* ossl_static.pdb clean: libclean - {- join("\n\t", map { "-del /Q /F $_" } @PROGRAMS) -} + {- join("\n\t", map { "-del /Q /F $_" } @PROGRAMS) || "\@rem" -} -del /Q /F $(ENGINES) -del /Q /F $(SCRIPTS) -del /Q /F $(GENERATED_MANDATORY) @@ -378,9 +378,9 @@ distclean: clean -del /Q /F makefile depend: - @ {- output_off() if $disabled{makedepend}; "" -} + @ {- output_off() if $disabled{makedepend}; "\@rem" -} @ "$(PERL)" "$(SRCDIR)\util\add-depends.pl" "VC" - @ {- output_on() if $disabled{makedepend}; "" -} + @ {- output_on() if $disabled{makedepend}; "\@rem" -} # Install helper targets ############################################# @@ -413,10 +413,10 @@ install_dev: install_runtime_libs @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) @$(ECHO) "*** Installing development files" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\include\openssl" - @{- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} + @{- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "\@rem" -} @"$(PERL)" "$(SRCDIR)\util\copy.pl" "$(SRCDIR)\ms\applink.c" \ "$(INSTALLTOP)\include\openssl" - @{- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} + @{- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "\@rem" -} @"$(PERL)" "$(SRCDIR)\util\copy.pl" "-exclude_re=/__DECC_" \ "$(SRCDIR)\include\openssl\*.h" \ "$(INSTALLTOP)\include\openssl" From levitte at openssl.org Tue Jul 13 08:09:27 2021 From: levitte at openssl.org (Richard Levitte) Date: Tue, 13 Jul 2021 08:09:27 +0000 Subject: [openssl] master update Message-ID: <1626163767.849781.17741.nullmailer@dev.openssl.org> The branch master has been updated via 53111a88ce5081f44a1775ddb11765491f115f50 (commit) from db226bf20f350ea62d3c649a4707fcdd78bbaea9 (commit) - Log ----------------------------------------------------------------- commit 53111a88ce5081f44a1775ddb11765491f115f50 Author: Richard Levitte Date: Mon Jul 12 07:29:02 2021 +0200 Avoid empty lines in nmake rule bodies nmake is tolerant of those empty lines, but jom isn't. That tolerance isn't standard make behaviour, so we lean towards avoiding them. We simply use '@rem' instead. Fixes #16014 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16048) ----------------------------------------------------------------------- Summary of changes: Configurations/windows-makefile.tmpl | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index 43b29baab4..fc40e61144 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl @@ -429,28 +429,28 @@ build_apps build_tests: build_programs # Convenience target to prebuild all generated files, not just the mandatory # ones build_all_generated: $(GENERATED_MANDATORY) $(GENERATED) build_docs - @{- output_off() if $disabled{makedepend}; "" -} + @{- output_off() if $disabled{makedepend}; "\@rem" -} @$(ECHO) "Warning: consider configuring with no-makedepend, because if" @$(ECHO) " target system doesn't have $(PERL)," @$(ECHO) " then make will fail..." - @{- output_on() if $disabled{makedepend}; "" -} + @{- output_on() if $disabled{makedepend}; "\@rem" -} all: build_sw build_docs test: tests {- dependmagic('tests'); -}: build_programs_nodep build_modules_nodep copy-utils - @{- output_off() if $disabled{tests}; "" -} + @{- output_off() if $disabled{tests}; "\@rem" -} cmd /C "set "SRCTOP=$(SRCDIR)" & set "BLDTOP=$(BLDDIR)" & set "PERL=$(PERL)" & set "FIPSKEY=$(FIPSKEY)" & "$(PERL)" "$(SRCDIR)\test\run_tests.pl" $(TESTS)" @{- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -} @$(ECHO) "Tests are not supported with your chosen Configure options" - @{- output_on() if !$disabled{tests}; "" -} + @{- output_on() if !$disabled{tests}; "\@rem" -} list-tests: - @{- output_off() if $disabled{tests}; "" -} + @{- output_off() if $disabled{tests}; "\@rem" -} @cmd /C "set "SRCTOP=$(SRCDIR)" & "$(PERL)" "$(SRCDIR)\test\run_tests.pl" list" @{- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -} @$(ECHO) "Tests are not supported with your chosen Configure options" - @{- output_on() if !$disabled{tests}; "" -} + @{- output_on() if !$disabled{tests}; "\@rem" -} install: install_sw install_ssldirs install_docs @@ -465,11 +465,11 @@ clean: libclean -rd /Q /S $(HTMLDOCS3_BLDDIRS) -rd /Q /S $(HTMLDOCS5_BLDDIRS) -rd /Q /S $(HTMLDOCS7_BLDDIRS) - {- join("\n\t", map { "-del /Q /F $_" } @PROGRAMS) -} - {- join("\n\t", map { "-del /Q /F $_" } @MODULES) -} - {- join("\n\t", map { "-del /Q /F $_" } @SCRIPTS) -} - {- join("\n\t", map { "-del /Q /F $_" } @GENERATED_MANDATORY) -} - {- join("\n\t", map { "-del /Q /F $_" } @GENERATED) -} + {- join("\n\t", map { "-del /Q /F $_" } @PROGRAMS) || "\@rem" -} + {- join("\n\t", map { "-del /Q /F $_" } @MODULES) || "\@rem" -} + {- join("\n\t", map { "-del /Q /F $_" } @SCRIPTS) || "\@rem" -} + {- join("\n\t", map { "-del /Q /F $_" } @GENERATED_MANDATORY) || "\@rem" -} + {- join("\n\t", map { "-del /Q /F $_" } @GENERATED) || "\@rem" -} -del /Q /S /F *.d *.obj *.pdb *.ilk *.manifest -del /Q /S /F engines\*.lib engines\*.exp -del /Q /S /F apps\*.lib apps\*.rc apps\*.res apps\*.exp @@ -481,9 +481,9 @@ distclean: clean -del /Q /F makefile depend: - @ {- output_off() if $disabled{makedepend}; "" -} + @ {- output_off() if $disabled{makedepend}; "\@rem" -} @ "$(PERL)" "$(SRCDIR)\util\add-depends.pl" "{- $target{makedep_scheme} -}" - @ {- output_on() if $disabled{makedepend}; "" -} + @ {- output_on() if $disabled{makedepend}; "\@rem" -} # Install helper targets ############################################# From pauli at openssl.org Wed Jul 14 04:57:30 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 14 Jul 2021 04:57:30 +0000 Subject: [openssl] master update Message-ID: <1626238650.618926.2158.nullmailer@dev.openssl.org> The branch master has been updated via 4e0383d8519373372c899380842adad7ef887e16 (commit) from 53111a88ce5081f44a1775ddb11765491f115f50 (commit) - Log ----------------------------------------------------------------- commit 4e0383d8519373372c899380842adad7ef887e16 Author: Syrone Wong Date: Tue Jul 13 10:04:56 2021 +0800 Fix OSSL_TRACE9 missing arg9 Signed-off-by: Syrone Wong CLA: trivial Reviewed-by: Tim Hudson Reviewed-by: Matthias St. Pierre Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16060) ----------------------------------------------------------------------- Summary of changes: include/openssl/trace.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/openssl/trace.h b/include/openssl/trace.h index b3a29ea8c4..2820013367 100644 --- a/include/openssl/trace.h +++ b/include/openssl/trace.h @@ -302,7 +302,7 @@ void OSSL_trace_end(int category, BIO *channel); OSSL_TRACEV(category, (trc_out, format, arg1, arg2, arg3, arg4, arg5, arg6, arg7)) # define OSSL_TRACE8(category, format, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8) \ OSSL_TRACEV(category, (trc_out, format, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8)) -# define OSSL_TRACE9(category, format, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8) \ +# define OSSL_TRACE9(category, format, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9) \ OSSL_TRACEV(category, (trc_out, format, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9)) # ifdef __cplusplus From tomas at openssl.org Wed Jul 14 07:17:59 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Wed, 14 Jul 2021 07:17:59 +0000 Subject: [openssl] master update Message-ID: <1626247079.751809.2442.nullmailer@dev.openssl.org> The branch master has been updated via 2f0a53816b2956f585903a52ab6ab681cf6f9ae1 (commit) from 4e0383d8519373372c899380842adad7ef887e16 (commit) - Log ----------------------------------------------------------------- commit 2f0a53816b2956f585903a52ab6ab681cf6f9ae1 Author: Pauli Date: Wed Jul 14 11:02:57 2021 +1000 apps: avoid using POSIX IO macros and functions when built without them. Fall back to stdio functions if not available. Fixes a daily run-checker failure (no-posix-io) Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16073) ----------------------------------------------------------------------- Summary of changes: apps/lib/apps.c | 36 +++++++++++++++++++++++------------- 1 file changed, 23 insertions(+), 13 deletions(-) diff --git a/apps/lib/apps.c b/apps/lib/apps.c index a29d582990..9762001b6a 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -2962,28 +2962,32 @@ BIO *bio_open_owner(const char *filename, int format, int private) { FILE *fp = NULL; BIO *b = NULL; - int fd = -1, bflags, mode, textmode; + int textmode, bflags; +#ifndef OPENSSL_NO_POSIX_IO + int fd = -1, mode; +#endif if (!private || filename == NULL || strcmp(filename, "-") == 0) return bio_open_default(filename, 'w', format); + textmode = FMT_istext(format); +#ifndef OPENSSL_NO_POSIX_IO mode = O_WRONLY; -#ifdef O_CREAT +# ifdef O_CREAT mode |= O_CREAT; -#endif -#ifdef O_TRUNC +# endif +# ifdef O_TRUNC mode |= O_TRUNC; -#endif - textmode = FMT_istext(format); +# endif if (!textmode) { -#ifdef O_BINARY +# ifdef O_BINARY mode |= O_BINARY; -#elif defined(_O_BINARY) +# elif defined(_O_BINARY) mode |= _O_BINARY; -#endif +# endif } -#ifdef OPENSSL_SYS_VMS +# ifdef OPENSSL_SYS_VMS /* VMS doesn't have O_BINARY, it just doesn't make sense. But, * it still needs to know that we're going binary, or fdopen() * will fail with "invalid argument"... so we tell VMS what the @@ -2992,18 +2996,22 @@ BIO *bio_open_owner(const char *filename, int format, int private) if (!textmode) fd = open(filename, mode, 0600, "ctx=bin"); else -#endif +# endif fd = open(filename, mode, 0600); if (fd < 0) goto err; fp = fdopen(fd, modestr('w', format)); +#else /* OPENSSL_NO_POSIX_IO */ + /* Have stdio but not Posix IO, do the best we can */ + fp = fopen(filename, modestr('w', format)); +#endif /* OPENSSL_NO_POSIX_IO */ if (fp == NULL) goto err; bflags = BIO_CLOSE; if (textmode) bflags |= BIO_FP_TEXT; b = BIO_new_fp(fp, bflags); - if (b) + if (b != NULL) return b; err: @@ -3011,10 +3019,12 @@ BIO *bio_open_owner(const char *filename, int format, int private) opt_getprog(), filename, strerror(errno)); ERR_print_errors(bio_err); /* If we have fp, then fdopen took over fd, so don't close both. */ - if (fp) + if (fp != NULL) fclose(fp); +#ifndef OPENSSL_NO_POSIX_IO else if (fd >= 0) close(fd); +#endif return NULL; } From scan-admin at coverity.com Wed Jul 14 09:09:00 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Wed, 14 Jul 2021 09:09:00 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60eea9ac79333_b05b42ae2c907b9a4626fd@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DFcDz_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeH22PkoE395yEkkc5ZGLkfvS46cFSSijfpuAId-2FkNdbSAgPOGPilP0ZI-2FaTjUIuManUnifAABLX90FuyDW9muXYM2WdeUSRuXoOQ5IUgpbEFzn8QyXoeahyVEIs0-2FOE4lbvw86v3S3opB8yTsOx2Lw38uPtVmQcCcKRt7dqx1pfguloZd-2F-2F0b0qP-2FXCDCaLl3I-3D Build ID: 396858 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Wed Jul 14 09:16:44 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Wed, 14 Jul 2021 09:16:44 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60eeab7c15084_b088f2ae2c907b9a4626d4@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3D-fbn_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeEGGOrjNsCNg8X2f1neoEYrXhhDvViMivsf3-2BNd9W9-2FTK1sCnsWMor5iSKc-2Bk7m4pTpU9J-2FWMMwOSpwbyd1ewbkgs8N9UbdJy8G-2BadBYgIPGaymGuTvtuKj-2BmQEl5tFfss7tbr-2FriC5kUxoilhicJLKClYT8zdphzLhWh33QTYWWTG5fifcA7-2FbKefNvXl-2FRrk-3D Build ID: 396859 Analysis Summary: New defects found: 0 Defects eliminated: 0 From tomas at openssl.org Wed Jul 14 10:02:39 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Wed, 14 Jul 2021 10:02:39 +0000 Subject: [openssl] master update Message-ID: <1626256959.877326.20379.nullmailer@dev.openssl.org> The branch master has been updated via e77be2e20175f5ae3f96952f5b9fce557bc00fb1 (commit) via c55c7d0292947bb906847ff03132c7eeb967936f (commit) from 2f0a53816b2956f585903a52ab6ab681cf6f9ae1 (commit) - Log ----------------------------------------------------------------- commit e77be2e20175f5ae3f96952f5b9fce557bc00fb1 Author: Pauli Date: Tue Jul 13 18:55:36 2021 +1000 test: add single byte IV AES GCM tests Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16064) commit c55c7d0292947bb906847ff03132c7eeb967936f Author: Pauli Date: Tue Jul 13 18:40:01 2021 +1000 Remove lower limit on GCM mode ciphers Fixes #16057 Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16064) ----------------------------------------------------------------------- Summary of changes: providers/implementations/ciphers/cipher_aes_gcm.c | 5 +- .../implementations/ciphers/cipher_aria_gcm.c | 4 +- .../implementations/ciphers/ciphercommon_gcm.c | 5 +- .../include/prov/ciphercommon_gcm.h | 3 +- .../30-test_evp_data/evpciph_aes_common.txt | 103 +++++++++++++++++++++ 5 files changed, 108 insertions(+), 12 deletions(-) diff --git a/providers/implementations/ciphers/cipher_aes_gcm.c b/providers/implementations/ciphers/cipher_aes_gcm.c index a9f574ab23..0081ca6cd7 100644 --- a/providers/implementations/ciphers/cipher_aes_gcm.c +++ b/providers/implementations/ciphers/cipher_aes_gcm.c @@ -20,9 +20,6 @@ #include "prov/implementations.h" #include "prov/providercommon.h" -#define AES_GCM_IV_MIN_SIZE (64 / 8) /* size in bytes */ -/* Note: GCM_IV_MAX_SIZE is listed in ciphercommon_gcm.h */ - static void *aes_gcm_newctx(void *provctx, size_t keybits) { PROV_AES_GCM_CTX *ctx; @@ -33,7 +30,7 @@ static void *aes_gcm_newctx(void *provctx, size_t keybits) ctx = OPENSSL_zalloc(sizeof(*ctx)); if (ctx != NULL) ossl_gcm_initctx(provctx, &ctx->base, keybits, - ossl_prov_aes_hw_gcm(keybits), AES_GCM_IV_MIN_SIZE); + ossl_prov_aes_hw_gcm(keybits)); return ctx; } diff --git a/providers/implementations/ciphers/cipher_aria_gcm.c b/providers/implementations/ciphers/cipher_aria_gcm.c index c2fe7ec185..b412bd3202 100644 --- a/providers/implementations/ciphers/cipher_aria_gcm.c +++ b/providers/implementations/ciphers/cipher_aria_gcm.c @@ -13,8 +13,6 @@ #include "prov/implementations.h" #include "prov/providercommon.h" -#define ARIA_GCM_IV_MIN_SIZE (32 / 8) /* size in bytes */ - static void *aria_gcm_newctx(void *provctx, size_t keybits) { PROV_ARIA_GCM_CTX *ctx; @@ -25,7 +23,7 @@ static void *aria_gcm_newctx(void *provctx, size_t keybits) ctx = OPENSSL_zalloc(sizeof(*ctx)); if (ctx != NULL) ossl_gcm_initctx(provctx, &ctx->base, keybits, - ossl_prov_aria_hw_gcm(keybits), ARIA_GCM_IV_MIN_SIZE); + ossl_prov_aria_hw_gcm(keybits)); return ctx; } diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c index 97a1af3191..c4301f6b82 100644 --- a/providers/implementations/ciphers/ciphercommon_gcm.c +++ b/providers/implementations/ciphers/ciphercommon_gcm.c @@ -26,13 +26,12 @@ static int gcm_cipher_internal(PROV_GCM_CTX *ctx, unsigned char *out, size_t len); void ossl_gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits, - const PROV_GCM_HW *hw, size_t ivlen_min) + const PROV_GCM_HW *hw) { ctx->pad = 1; ctx->mode = EVP_CIPH_GCM_MODE; ctx->taglen = UNINITIALISED_SIZET; ctx->tls_aad_len = UNINITIALISED_SIZET; - ctx->ivlen_min = ivlen_min; ctx->ivlen = (EVP_GCM_TLS_FIXED_IV_LEN + EVP_GCM_TLS_EXPLICIT_IV_LEN); ctx->keylen = keybits / 8; ctx->hw = hw; @@ -51,7 +50,7 @@ static int gcm_init(void *vctx, const unsigned char *key, size_t keylen, ctx->enc = enc; if (iv != NULL) { - if (ivlen < ctx->ivlen_min || ivlen > sizeof(ctx->iv)) { + if (ivlen == 0 || ivlen > sizeof(ctx->iv)) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); return 0; } diff --git a/providers/implementations/include/prov/ciphercommon_gcm.h b/providers/implementations/include/prov/ciphercommon_gcm.h index 3e01cc7e7b..7c4a548f9d 100644 --- a/providers/implementations/include/prov/ciphercommon_gcm.h +++ b/providers/implementations/include/prov/ciphercommon_gcm.h @@ -48,7 +48,6 @@ typedef struct prov_gcm_ctx_st { unsigned int mode; /* The mode that we are using */ size_t keylen; size_t ivlen; - size_t ivlen_min; size_t taglen; size_t tls_aad_pad_sz; size_t tls_aad_len; /* TLS AAD length */ @@ -110,7 +109,7 @@ OSSL_FUNC_cipher_cipher_fn ossl_gcm_cipher; OSSL_FUNC_cipher_update_fn ossl_gcm_stream_update; OSSL_FUNC_cipher_final_fn ossl_gcm_stream_final; void ossl_gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits, - const PROV_GCM_HW *hw, size_t ivlen_min); + const PROV_GCM_HW *hw); int ossl_gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char *iv, size_t ivlen); int ossl_gcm_aad_update(PROV_GCM_CTX *ctx, const unsigned char *aad, diff --git a/test/recipes/30-test_evp_data/evpciph_aes_common.txt b/test/recipes/30-test_evp_data/evpciph_aes_common.txt index c0ed605646..b42329007c 100644 --- a/test/recipes/30-test_evp_data/evpciph_aes_common.txt +++ b/test/recipes/30-test_evp_data/evpciph_aes_common.txt @@ -893,6 +893,109 @@ Plaintext = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f2021 Ciphertext = 6268c6fa2a80b2d137467f092f657ac04d89be2beaa623d61b5a868c8f03ff95d3dcee23ad2f1ab3a6c80eaf4b140eb05de3457f0fbc111a6b43d0763aa422a3013cf1dc37fe417d1fbfc449b75d4cc5 NextIV = dbcca32ebf9b804617c3aa9e +# Single byte IV test cases from +# https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/CAVP-TESTING-BLOCK-CIPHER-MODES#GCMVS + +Title = AES GCM single byte IV tests + +Cipher = aes-128-gcm +Key = 1672c3537afa82004c6b8a46f6f0d026 +IV = 05 +Tag = 8e2ad721f9455f74d8b53d3141f27e8e +Plaintext = +Ciphertext = + +Cipher = aes-128-gcm +Key = 6471e11b5a559f84d196160c64ced95a +IV = 1a +AAD = 147c70bd944ae51289717bdbdac86511fa3a43a2 +Tag = b7b80d314024261bafd7d218 +Plaintext = +Ciphertext = + +Cipher = aes-128-gcm +Key = f0d44d3c8c8ff4d2aab5c315e77a5cff +IV = 3e +Tag = fe0c50de4c5443e4c9380a7df0 +Plaintext = ecb7e9263c3080cb8861ffc5afdf3fe8 +Ciphertext = b5cfd9141ea43d5c16e28666c3840805 + +Cipher = aes-128-gcm +Key = c422ac0266dc9b5ddc391d9cdb72257e +IV = c7 +Tag = 95c1e410d4ea59dda50d84162b49 +Plaintext = 6149277175c02a462dab219b80d15641a4c033dfa4c9a81de1765f0276008fa2 +AAD = aa56b160c5d51a4aa400e798c825aaa27d6693de +Ciphertext = 39d9f9b2348214270f1ca18b521f7485c5390c8e993eb7ff79a5be99c7d523f1 + +Cipher = aes-128-gcm +Key = 72c5683d1e0173afcd92002c26ae3ea5 +IV = 4c +Plaintext = f69623243c6bb924a5502dd270f730baf3fd4a0c10b889fb42a12b086d427786 +AAD = f6cecdc9118777b875ef256cf92a3dc0cf208149 +Ciphertext = 188e68729648fa9b4a202ed2313be860c593600ac8419c75c55859faa585bc0e +Tag = bb4e889b58b9716f6556c676bd59 + +Cipher = aes-192-gcm +Key = d49dfb35287db0b4bce518412c4e84229a9bf8461e11e8a9 +IV = 0b +Tag = b1ecd3e6f27346c47e7fff898a418a0f +Plaintext = +Ciphertext = + +Cipher = aes-192-gcm +Key = 842c899c5d7c3598676081e9e25fdd030d3e4490a3268fd0 +IV = 9e +AAD = ed1162a2d95e0c248ebf9197cb03ad2d +Tag = c81a9ff65112b75911b22523926bf39f +Plaintext = +Ciphertext = + +Cipher = aes-192-gcm +Key = d273319d24f356bf77cb6a56450bd0d464f476a18863840a +IV = 13 +Tag = 729b5b765d008e982d9e5fae7c998e +Plaintext = c07e127ceb93a3d8d166d1e3fa2565e4 +Ciphertext = 0c44c7b5fb1520bdb493bec38e7846e6 + +Cipher = aes-192-gcm +Key = 1120b14c39f4240e2cc63285d8b7d59d44c993fddc77d456 +IV = 66 +AAD = c25f9b36d06547a64442e534b1fe3bb120a55292060a3c8611b75313fb5475333eeedac642ee2eed1dd110643ce8aff8 +Tag = ebf90469dae01e4be5b0ce86 +Plaintext = 8eb78ac034ce4f182fb9ee68d71ed3f7 +Ciphertext = ec13d51a2c37ea48beb32f766e1e42a1 + +Cipher = aes-256-gcm +Key = a70f2f3c96b952b2d177fce5d5edac7c939259ebd3ff7354df3d86100f0be5ac +IV = 69 +Tag = 2d484f834a313bf3f9a25f0a7604a869 +Plaintext = +Ciphertext = + +Cipher = aes-256-gcm +Key = c639f716597a86afd12319199e21a62b1fc0277a70e3ca120bd3ff745be88604 +IV = 29 +AAD = 20fda1db6911d160121dc3c48e5f19b2 +Tag = 221a3398f20d0d9fe913f33a6cd413d3 +Plaintext = +Ciphertext = + +Cipher = aes-256-gcm +Key = 9473c28f6e978eb15e1967b888282aa6b078d320034fe5f40f8bb68674f1ecda +IV = 0a +Tag = 03337df7e1e68d77706abef9edaf5e07 +Plaintext = 2d2e2798c10bcfcce742e92d3c390fef +Ciphertext = c4e5ab2c6a4316e57c6c37d2c2acb42c + +Cipher = aes-256-gcm +Key = bb4635d766dd0e4a7019d1724c736e1f2c016af9e29e7d3aa2c0de23e780af26 +IV = ab +AAD = 0f85c7dbeb674b7a70c35125d3619350 +Tag = 6bd54e5184eb300934b392c32b7c1a6e +Plaintext = d05ce878d94662d1520b184b4bef3c45 +Ciphertext = 51baa26a6a719c1600645ff3bfdfa53b + Title = AES XTS test vectors from IEEE Std 1619-2007 # Using the same key twice for encryption is always banned. From pauli at openssl.org Thu Jul 15 00:24:02 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 15 Jul 2021 00:24:02 +0000 Subject: [openssl] master update Message-ID: <1626308642.593629.15484.nullmailer@dev.openssl.org> The branch master has been updated via 54c0480dac6c25f262d537048503a660aaa4b568 (commit) from e77be2e20175f5ae3f96952f5b9fce557bc00fb1 (commit) - Log ----------------------------------------------------------------- commit 54c0480dac6c25f262d537048503a660aaa4b568 Author: Tomas Mraz Date: Tue Jul 13 17:59:37 2021 +0200 doc: Document that incomplete certificates return error Fixes #16065 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16070) ----------------------------------------------------------------------- Summary of changes: doc/man3/X509_check_ca.pod | 3 ++- doc/man3/X509_check_issued.pod | 3 ++- doc/man3/X509_check_purpose.pod | 3 ++- doc/man3/X509_verify.pod | 7 ++++--- 4 files changed, 10 insertions(+), 6 deletions(-) diff --git a/doc/man3/X509_check_ca.pod b/doc/man3/X509_check_ca.pod index e070fb403a..6cf122ddfc 100644 --- a/doc/man3/X509_check_ca.pod +++ b/doc/man3/X509_check_ca.pod @@ -13,7 +13,8 @@ X509_check_ca - check if given certificate is CA certificate =head1 DESCRIPTION This function checks if given certificate is CA certificate (can be used -to sign other certificates). +to sign other certificates). The certificate must be a complete certificate +otherwise an error is returned. =head1 RETURN VALUES diff --git a/doc/man3/X509_check_issued.pod b/doc/man3/X509_check_issued.pod index fe37cd4858..c8d627ebba 100644 --- a/doc/man3/X509_check_issued.pod +++ b/doc/man3/X509_check_issued.pod @@ -21,7 +21,8 @@ but also compares all sub-fields of the B extension of I, as far as present, with the respective B, serial number, and issuer fields of I, as far as present. It also checks if the B field (if present) of I allows certificate signing. -It does not actually check the certificate signature. +It does not actually check the certificate signature. An error is returned +if the I or the I are incomplete certificates. =head1 RETURN VALUES diff --git a/doc/man3/X509_check_purpose.pod b/doc/man3/X509_check_purpose.pod index 619ed7831a..d1447c3c87 100644 --- a/doc/man3/X509_check_purpose.pod +++ b/doc/man3/X509_check_purpose.pod @@ -15,7 +15,8 @@ X509_check_purpose - Check the purpose of a certificate This function checks if certificate I was created with the purpose represented by I. If I is nonzero, then certificate I is checked to determine if it's a possible CA with various levels of certainty -possibly returned. +possibly returned. The certificate I must be a complete certificate +otherwise the function returns an error. Below are the potential ID's that can be checked: diff --git a/doc/man3/X509_verify.pod b/doc/man3/X509_verify.pod index 65e41977bd..6033804b8d 100644 --- a/doc/man3/X509_verify.pod +++ b/doc/man3/X509_verify.pod @@ -25,7 +25,7 @@ X509_verify() verifies the signature of certificate I using public key I. Only the signature is checked: no other checks (such as certificate chain validity) are performed. -X509_self_signed() checks whether a certificate is self-signed. +X509_self_signed() checks whether certificate I is self-signed. For success the issuer and subject names must match, the components of the authority key identifier (if present) must match the subject key identifier etc. The signature itself is actually verified only if B is 1, as @@ -39,8 +39,9 @@ verify the signatures of certificate requests and CRLs, respectively. X509_verify(), X509_REQ_verify_ex(), X509_REQ_verify() and X509_CRL_verify() return 1 if the signature is valid and 0 if the signature check fails. -If the signature could not be checked at all because it was ill-formed -or some other error occurred then -1 is returned. +If the signature could not be checked at all because it was ill-formed, +the certificate or the request was not complete or some other error occurred +then -1 is returned. X509_self_signed() returns the same values but also returns 1 if all respective fields match and B is 0. From pauli at openssl.org Thu Jul 15 00:54:46 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 15 Jul 2021 00:54:46 +0000 Subject: [openssl] master update Message-ID: <1626310486.693333.25780.nullmailer@dev.openssl.org> The branch master has been updated via 11f18ef1f5ea92ba32a3efeb0eaf1af6a1f35e13 (commit) from 54c0480dac6c25f262d537048503a660aaa4b568 (commit) - Log ----------------------------------------------------------------- commit 11f18ef1f5ea92ba32a3efeb0eaf1af6a1f35e13 Author: Tomas Mraz Date: Tue Jul 13 17:41:02 2021 +0200 Make EVP_PKEY_check() be an alias for EVP_PKEY_pairwise_check() The implementation of EVP_PKEY_pairwise_check() is also changed to handle the legacy keys. Fixes #16046 Reviewed-by: Shane Lontis Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16069) ----------------------------------------------------------------------- Summary of changes: crypto/evp/pmeth_check.c | 20 +++----------------- doc/man3/EVP_PKEY_check.pod | 2 +- 2 files changed, 4 insertions(+), 18 deletions(-) diff --git a/crypto/evp/pmeth_check.c b/crypto/evp/pmeth_check.c index 2ecf2d0251..7f3a2e3a1c 100644 --- a/crypto/evp/pmeth_check.c +++ b/crypto/evp/pmeth_check.c @@ -152,26 +152,12 @@ int EVP_PKEY_private_check(EVP_PKEY_CTX *ctx) return -2; } -int EVP_PKEY_pairwise_check(EVP_PKEY_CTX *ctx) +int EVP_PKEY_check(EVP_PKEY_CTX *ctx) { - EVP_PKEY *pkey = ctx->pkey; - int ok; - - if (pkey == NULL) { - ERR_raise(ERR_LIB_EVP, EVP_R_NO_KEY_SET); - return 0; - } - - if ((ok = try_provided_check(ctx, OSSL_KEYMGMT_SELECT_KEYPAIR, - OSSL_KEYMGMT_VALIDATE_FULL_CHECK)) != -1) - return ok; - - /* not supported for legacy keys */ - ERR_raise(ERR_LIB_EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); - return -2; + return EVP_PKEY_pairwise_check(ctx); } -int EVP_PKEY_check(EVP_PKEY_CTX *ctx) +int EVP_PKEY_pairwise_check(EVP_PKEY_CTX *ctx) { EVP_PKEY *pkey = ctx->pkey; int ok; diff --git a/doc/man3/EVP_PKEY_check.pod b/doc/man3/EVP_PKEY_check.pod index dc03671498..1ba656fd22 100644 --- a/doc/man3/EVP_PKEY_check.pod +++ b/doc/man3/EVP_PKEY_check.pod @@ -44,7 +44,7 @@ EVP_PKEY_private_check() validates the private component of the key given by B. -EVP_PKEY_check() validates all components of a key given by B. +EVP_PKEY_check() is an alias for the EVP_PKEY_pairwise_check() function. =head1 NOTES From pauli at openssl.org Thu Jul 15 06:47:05 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 15 Jul 2021 06:47:05 +0000 Subject: [openssl] master update Message-ID: <1626331625.969811.30391.nullmailer@dev.openssl.org> The branch master has been updated via 8e94c51b3279f7faae9161df5112414f915cd9f3 (commit) via 56fdb70796010b8db598189d5c1e5a6b1479c2e6 (commit) from 11f18ef1f5ea92ba32a3efeb0eaf1af6a1f35e13 (commit) - Log ----------------------------------------------------------------- commit 8e94c51b3279f7faae9161df5112414f915cd9f3 Author: Pauli Date: Wed Jul 14 10:03:45 2021 +1000 doc: document the params arguments to the initialisation functions. These were accidentally omitted when the arguments were added globally. Fixes #16067 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16072) commit 56fdb70796010b8db598189d5c1e5a6b1479c2e6 Author: Pauli Date: Wed Jul 14 10:03:22 2021 +1000 evp: constify some OSSL_PARAM arguments These were missed when the initialisation params were added Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16072) ----------------------------------------------------------------------- Summary of changes: crypto/evp/m_sigver.c | 6 +++--- doc/man3/EVP_DigestSignInit.pod | 6 ++++-- doc/man3/EVP_DigestVerifyInit.pod | 6 ++++-- include/openssl/evp.h | 4 ++-- 4 files changed, 13 insertions(+), 9 deletions(-) diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c index 63360a94bc..ae79562e2d 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c @@ -40,7 +40,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, const char *mdname, OSSL_LIB_CTX *libctx, const char *props, ENGINE *e, EVP_PKEY *pkey, int ver, - OSSL_PARAM params[]) + const OSSL_PARAM params[]) { EVP_PKEY_CTX *locpctx = NULL; EVP_SIGNATURE *signature = NULL; @@ -304,7 +304,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, int EVP_DigestSignInit_ex(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const char *mdname, OSSL_LIB_CTX *libctx, const char *props, EVP_PKEY *pkey, - OSSL_PARAM params[]) + const OSSL_PARAM params[]) { return do_sigver_init(ctx, pctx, NULL, mdname, libctx, props, NULL, pkey, 0, params); @@ -320,7 +320,7 @@ int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, int EVP_DigestVerifyInit_ex(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const char *mdname, OSSL_LIB_CTX *libctx, const char *props, EVP_PKEY *pkey, - OSSL_PARAM params[]) + const OSSL_PARAM params[]) { return do_sigver_init(ctx, pctx, NULL, mdname, libctx, props, NULL, pkey, 1, params); diff --git a/doc/man3/EVP_DigestSignInit.pod b/doc/man3/EVP_DigestSignInit.pod index b1eb4ae7e3..8748014465 100644 --- a/doc/man3/EVP_DigestSignInit.pod +++ b/doc/man3/EVP_DigestSignInit.pod @@ -11,7 +11,8 @@ EVP_DigestSignFinal, EVP_DigestSign - EVP signing functions int EVP_DigestSignInit_ex(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const char *mdname, OSSL_LIB_CTX *libctx, - const char *props, EVP_PKEY *pkey); + const char *props, EVP_PKEY *pkey, + const OSSL_PARAM params[]); int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey); int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt); @@ -33,7 +34,8 @@ provider interprets the digest name is provider specific. The provider may implement that digest directly itself or it may (optionally) choose to fetch it (which could result in a digest from a different provider being selected). If the provider supports fetching the digest then it may use the I argument for -the properties to be used during the fetch. +the properties to be used during the fetch. Finally, the passed parameters +I, if not NULL, are set on the context before returning. The I algorithm is used to fetch a B method implicitly, to be used for the actual signing. See L for diff --git a/doc/man3/EVP_DigestVerifyInit.pod b/doc/man3/EVP_DigestVerifyInit.pod index 3f332c1801..c318656fc9 100644 --- a/doc/man3/EVP_DigestVerifyInit.pod +++ b/doc/man3/EVP_DigestVerifyInit.pod @@ -11,7 +11,8 @@ EVP_DigestVerifyFinal, EVP_DigestVerify - EVP signature verification functions int EVP_DigestVerifyInit_ex(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const char *mdname, OSSL_LIB_CTX *libctx, - const char *props, EVP_PKEY *pkey); + const char *props, EVP_PKEY *pkey, + const OSSL_PARAM params[]); int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey); int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt); @@ -32,7 +33,8 @@ provider interprets the digest name is provider specific. The provider may implement that digest directly itself or it may (optionally) choose to fetch it (which could result in a digest from a different provider being selected). If the provider supports fetching the digest then it may use the B argument -for the properties to be used during the fetch. +for the properties to be used during the fetch. Finally, the passed parameters +I, if not NULL, are set on the context before returning. The I algorithm is used to fetch a B method implicitly, to be used for the actual signing. See L for diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 76fabd63ed..f76c4a26d1 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -820,7 +820,7 @@ __owur int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, int EVP_DigestSignInit_ex(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const char *mdname, OSSL_LIB_CTX *libctx, const char *props, EVP_PKEY *pkey, - OSSL_PARAM params[]); + const OSSL_PARAM params[]); /*__owur*/ int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey); @@ -831,7 +831,7 @@ __owur int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, int EVP_DigestVerifyInit_ex(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const char *mdname, OSSL_LIB_CTX *libctx, const char *props, EVP_PKEY *pkey, - OSSL_PARAM params[]); + const OSSL_PARAM params[]); __owur int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey); From tomas at openssl.org Thu Jul 15 07:34:41 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Thu, 15 Jul 2021 07:34:41 +0000 Subject: [openssl] master update Message-ID: <1626334481.595153.24758.nullmailer@dev.openssl.org> The branch master has been updated via 52f7e44ec88a4d803dc9783cd7c71f87014ae3ee (commit) from 8e94c51b3279f7faae9161df5112414f915cd9f3 (commit) - Log ----------------------------------------------------------------- commit 52f7e44ec88a4d803dc9783cd7c71f87014ae3ee Author: Tomas Mraz Date: Wed Jul 7 17:47:06 2021 +0200 Split bignum code out of the sparcv9cap.c Fixes #15978 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16019) ----------------------------------------------------------------------- Summary of changes: crypto/aes/asm/aes-sparcv9.pl | 5 ++- crypto/aes/asm/aesfx-sparcv9.pl | 5 ++- crypto/aes/asm/aest4-sparcv9.pl | 5 ++- crypto/bn/asm/sparct4-mont.pl | 5 ++- crypto/bn/asm/sparcv9-gf2m.pl | 5 ++- crypto/bn/asm/sparcv9-mont.pl | 5 ++- crypto/bn/asm/sparcv9a-mont.pl | 5 ++- crypto/bn/asm/vis3-mont.pl | 5 ++- crypto/bn/bn_exp.c | 3 +- crypto/bn/bn_sparc.c | 77 +++++++++++++++++++++++++++++++++ crypto/bn/build.info | 2 +- crypto/camellia/asm/cmllt4-sparcv9.pl | 5 ++- crypto/des/asm/dest4-sparcv9.pl | 5 ++- crypto/ec/asm/ecp_nistz256-sparcv9.pl | 5 ++- crypto/evp/e_camellia.c | 3 +- crypto/evp/e_des.c | 4 +- crypto/evp/e_des3.c | 4 +- crypto/md5/asm/md5-sparcv9.pl | 5 ++- crypto/modes/asm/ghash-sparcv9.pl | 5 ++- crypto/modes/gcm128.c | 3 +- crypto/poly1305/asm/poly1305-sparcv9.pl | 5 ++- crypto/sha/asm/sha1-sparcv9.pl | 5 ++- crypto/sha/asm/sha512-sparcv9.pl | 5 ++- crypto/sparcv9cap.c | 67 +--------------------------- include/crypto/aes_platform.h | 5 +-- include/crypto/cmll_platform.h | 3 +- include/crypto/des_platform.h | 3 +- {crypto => include/crypto}/sparc_arch.h | 6 ++- 28 files changed, 157 insertions(+), 103 deletions(-) create mode 100644 crypto/bn/bn_sparc.c rename {crypto => include/crypto}/sparc_arch.h (96%) diff --git a/crypto/aes/asm/aes-sparcv9.pl b/crypto/aes/asm/aes-sparcv9.pl index 9b9a795dbf..cb17a75f24 100755 --- a/crypto/aes/asm/aes-sparcv9.pl +++ b/crypto/aes/asm/aes-sparcv9.pl @@ -82,7 +82,10 @@ sub _data_word() } $code.=<<___; -#include "sparc_arch.h" +#ifndef __ASSEMBLER__ +# define __ASSEMBLER__ 1 +#endif +#include "crypto/sparc_arch.h" #ifdef __arch64__ .register %g2,#scratch diff --git a/crypto/aes/asm/aesfx-sparcv9.pl b/crypto/aes/asm/aesfx-sparcv9.pl index b40f3919b4..86f2c442ed 100644 --- a/crypto/aes/asm/aesfx-sparcv9.pl +++ b/crypto/aes/asm/aesfx-sparcv9.pl @@ -39,7 +39,10 @@ $output = pop and open STDOUT,">$output"; my ($inp,$out,$key,$rounds,$tmp,$mask) = map("%o$_",(0..5)); $code.=<<___; -#include "sparc_arch.h" +#ifndef __ASSEMBLER__ +# define __ASSEMBLER__ 1 +#endif +#include "crypto/sparc_arch.h" #define LOCALS (STACK_BIAS+STACK_FRAME) diff --git a/crypto/aes/asm/aest4-sparcv9.pl b/crypto/aes/asm/aest4-sparcv9.pl index 6b7a6eb403..bb73f24915 100644 --- a/crypto/aes/asm/aest4-sparcv9.pl +++ b/crypto/aes/asm/aest4-sparcv9.pl @@ -91,7 +91,10 @@ $::evp=1; # if $evp is set to 0, script generates module with my ($inp,$out,$key,$rounds,$tmp,$mask)=map("%o$_",(0..5)); $code.=<<___; -#include "sparc_arch.h" +#ifndef __ASSEMBLER__ +# define __ASSEMBLER__ 1 +#endif +#include "crypto/sparc_arch.h" #ifdef __arch64__ .register %g2,#scratch diff --git a/crypto/bn/asm/sparct4-mont.pl b/crypto/bn/asm/sparct4-mont.pl index 2df872b4a8..6bc98530ce 100755 --- a/crypto/bn/asm/sparct4-mont.pl +++ b/crypto/bn/asm/sparct4-mont.pl @@ -86,7 +86,10 @@ require "sparcv9_modes.pl"; $output = pop and open STDOUT,">$output"; $code.=<<___; -#include "sparc_arch.h" +#ifndef __ASSEMBLER__ +# define __ASSEMBLER__ 1 +#endif +#include "crypto/sparc_arch.h" #ifdef __arch64__ .register %g2,#scratch diff --git a/crypto/bn/asm/sparcv9-gf2m.pl b/crypto/bn/asm/sparcv9-gf2m.pl index 41ab8039cc..28d1ed7426 100644 --- a/crypto/bn/asm/sparcv9-gf2m.pl +++ b/crypto/bn/asm/sparcv9-gf2m.pl @@ -38,7 +38,10 @@ $tab="%l0"; ($lo,$hi,$b)=("%g1",$a8,"%o7"); $a=$lo; $code.=<<___; -#include +#ifndef __ASSEMBLER__ +# define __ASSEMBLER__ 1 +#endif +#include "crypto/sparc_arch.h" #ifdef __arch64__ .register %g2,#scratch diff --git a/crypto/bn/asm/sparcv9-mont.pl b/crypto/bn/asm/sparcv9-mont.pl index 6005334790..ac93ef9ee6 100644 --- a/crypto/bn/asm/sparcv9-mont.pl +++ b/crypto/bn/asm/sparcv9-mont.pl @@ -83,7 +83,10 @@ $tpj="%l7"; $fname="bn_mul_mont_int"; $code=<<___; -#include "sparc_arch.h" +#ifndef __ASSEMBLER__ +# define __ASSEMBLER__ 1 +#endif +#include "crypto/sparc_arch.h" .section ".text",#alloc,#execinstr diff --git a/crypto/bn/asm/sparcv9a-mont.pl b/crypto/bn/asm/sparcv9a-mont.pl index 2a4255ed69..062a017072 100755 --- a/crypto/bn/asm/sparcv9a-mont.pl +++ b/crypto/bn/asm/sparcv9a-mont.pl @@ -126,7 +126,10 @@ $nhia="%f56"; $nhib="%f58"; $nhic="%f60"; $nhid="%f62"; $ASI_FL16_P=0xD2; # magic ASI value to engage 16-bit FP load $code=<<___; -#include "sparc_arch.h" +#ifndef __ASSEMBLER__ +# define __ASSEMBLER__ 1 +#endif +#include "crypto/sparc_arch.h" .section ".text",#alloc,#execinstr diff --git a/crypto/bn/asm/vis3-mont.pl b/crypto/bn/asm/vis3-mont.pl index 6ee64e28f6..6649c34727 100644 --- a/crypto/bn/asm/vis3-mont.pl +++ b/crypto/bn/asm/vis3-mont.pl @@ -31,7 +31,10 @@ $frame = "STACK_FRAME"; $bias = "STACK_BIAS"; $code.=<<___; -#include "sparc_arch.h" +#ifndef __ASSEMBLER__ +# define __ASSEMBLER__ 1 +#endif +#include "crypto/sparc_arch.h" #ifdef __arch64__ .register %g2,#scratch diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c index 2ee85aa0cf..5329cd12a9 100644 --- a/crypto/bn/bn_exp.c +++ b/crypto/bn/bn_exp.c @@ -29,8 +29,7 @@ #undef SPARC_T4_MONT #if defined(OPENSSL_BN_ASM_MONT) && (defined(__sparc__) || defined(__sparc)) -# include "sparc_arch.h" -extern unsigned int OPENSSL_sparcv9cap_P[]; +# include "crypto/sparc_arch.h" # define SPARC_T4_MONT #endif diff --git a/crypto/bn/bn_sparc.c b/crypto/bn/bn_sparc.c new file mode 100644 index 0000000000..a810c3b1fa --- /dev/null +++ b/crypto/bn/bn_sparc.c @@ -0,0 +1,77 @@ +/* + * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include "internal/cryptlib.h" +#include "crypto/sparc_arch.h" +#include "bn_local.h" /* for definition of bn_mul_mont */ + +int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, int num) +{ + int bn_mul_mont_vis3(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, int num); + int bn_mul_mont_fpu(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, int num); + int bn_mul_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, int num); + + if (!(num & 1) && num >= 6) { + if ((num & 15) == 0 && num <= 64 && + (OPENSSL_sparcv9cap_P[1] & (CFR_MONTMUL | CFR_MONTSQR)) == + (CFR_MONTMUL | CFR_MONTSQR)) { + typedef int (*bn_mul_mont_f) (BN_ULONG *rp, const BN_ULONG *ap, + const BN_ULONG *bp, + const BN_ULONG *np, + const BN_ULONG *n0); + int bn_mul_mont_t4_8(BN_ULONG *rp, const BN_ULONG *ap, + const BN_ULONG *bp, const BN_ULONG *np, + const BN_ULONG *n0); + int bn_mul_mont_t4_16(BN_ULONG *rp, const BN_ULONG *ap, + const BN_ULONG *bp, const BN_ULONG *np, + const BN_ULONG *n0); + int bn_mul_mont_t4_24(BN_ULONG *rp, const BN_ULONG *ap, + const BN_ULONG *bp, const BN_ULONG *np, + const BN_ULONG *n0); + int bn_mul_mont_t4_32(BN_ULONG *rp, const BN_ULONG *ap, + const BN_ULONG *bp, const BN_ULONG *np, + const BN_ULONG *n0); + static const bn_mul_mont_f funcs[4] = { + bn_mul_mont_t4_8, bn_mul_mont_t4_16, + bn_mul_mont_t4_24, bn_mul_mont_t4_32 + }; + bn_mul_mont_f worker = funcs[num / 16 - 1]; + + if ((*worker) (rp, ap, bp, np, n0)) + return 1; + /* retry once and fall back */ + if ((*worker) (rp, ap, bp, np, n0)) + return 1; + return bn_mul_mont_vis3(rp, ap, bp, np, n0, num); + } + if ((OPENSSL_sparcv9cap_P[0] & SPARCV9_VIS3)) + return bn_mul_mont_vis3(rp, ap, bp, np, n0, num); + else if (num >= 8 && + /* + * bn_mul_mont_fpu doesn't use FMADD, we just use the + * flag to detect when FPU path is preferable in cases + * when current heuristics is unreliable. [it works + * out because FMADD-capable processors where FPU + * code path is undesirable are also VIS3-capable and + * VIS3 code path takes precedence.] + */ + ( (OPENSSL_sparcv9cap_P[0] & SPARCV9_FMADD) || + (OPENSSL_sparcv9cap_P[0] & + (SPARCV9_PREFER_FPU | SPARCV9_VIS1)) == + (SPARCV9_PREFER_FPU | SPARCV9_VIS1) )) + return bn_mul_mont_fpu(rp, ap, bp, np, n0, num); + } + return bn_mul_mont_int(rp, ap, bp, np, n0, num); +} diff --git a/crypto/bn/build.info b/crypto/bn/build.info index 40d7db9f50..9330274aef 100644 --- a/crypto/bn/build.info +++ b/crypto/bn/build.info @@ -40,7 +40,7 @@ IF[{- !$disabled{asm} -}] ENDIF $BNASM_sparcv9=asm/sparcv8plus.S sparcv9-mont.S sparcv9a-mont.S vis3-mont.S \ - sparct4-mont.S + sparct4-mont.S bn_sparc.c $BNDEF_sparcv9=OPENSSL_BN_ASM_MONT $BNASM_sparcv9_ec2m=sparcv9-gf2m.S $BNDEF_sparcv9_ec2m=OPENSSL_BN_ASM_GF2m diff --git a/crypto/camellia/asm/cmllt4-sparcv9.pl b/crypto/camellia/asm/cmllt4-sparcv9.pl index cbb626f00b..3f71e4c2fc 100644 --- a/crypto/camellia/asm/cmllt4-sparcv9.pl +++ b/crypto/camellia/asm/cmllt4-sparcv9.pl @@ -66,7 +66,10 @@ $::evp=1; # if $evp is set to 0, script generates module with my ($inp,$out,$key,$rounds,$tmp,$mask)=map("%o$_",(0..5)); $code=<<___; -#include "sparc_arch.h" +#ifndef __ASSEMBLER__ +# define __ASSEMBLER__ 1 +#endif +#include "crypto/sparc_arch.h" .text diff --git a/crypto/des/asm/dest4-sparcv9.pl b/crypto/des/asm/dest4-sparcv9.pl index eec9716074..09298583e4 100644 --- a/crypto/des/asm/dest4-sparcv9.pl +++ b/crypto/des/asm/dest4-sparcv9.pl @@ -37,7 +37,10 @@ require "sparcv9_modes.pl"; $output=pop and open STDOUT,">$output"; $code.=<<___; -#include "sparc_arch.h" +#ifndef __ASSEMBLER__ +# define __ASSEMBLER__ 1 +#endif +#include "crypto/sparc_arch.h" #ifdef __arch64__ .register %g2,#scratch diff --git a/crypto/ec/asm/ecp_nistz256-sparcv9.pl b/crypto/ec/asm/ecp_nistz256-sparcv9.pl index 5815896fa8..19821cdc85 100755 --- a/crypto/ec/asm/ecp_nistz256-sparcv9.pl +++ b/crypto/ec/asm/ecp_nistz256-sparcv9.pl @@ -34,7 +34,10 @@ $output = pop and open STDOUT,">$output"; $code.=<<___; -#include "sparc_arch.h" +#ifndef __ASSEMBLER__ +# define __ASSEMBLER__ 1 +#endif +#include "crypto/sparc_arch.h" #define LOCALS (STACK_BIAS+STACK_FRAME) #ifdef __arch64__ diff --git a/crypto/evp/e_camellia.c b/crypto/evp/e_camellia.c index b2f59847d4..4f1f4822dc 100644 --- a/crypto/evp/e_camellia.c +++ b/crypto/evp/e_camellia.c @@ -46,8 +46,7 @@ typedef struct { #if defined(AES_ASM) && (defined(__sparc) || defined(__sparc__)) /* ---------^^^ this is not a typo, just a way to detect that * assembler support was in general requested... */ -# include "sparc_arch.h" - +# include "crypto/sparc_arch.h" static int cmll_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) diff --git a/crypto/evp/e_des.c b/crypto/evp/e_des.c index 51a2f9d353..cd6e5af8d0 100644 --- a/crypto/evp/e_des.c +++ b/crypto/evp/e_des.c @@ -37,9 +37,7 @@ typedef struct { # if defined(AES_ASM) && (defined(__sparc) || defined(__sparc__)) /* ----------^^^ this is not a typo, just a way to detect that * assembler support was in general requested... */ -# include "sparc_arch.h" - -extern unsigned int OPENSSL_sparcv9cap_P[]; +# include "crypto/sparc_arch.h" # define SPARC_DES_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_DES) diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c index 746709fa41..1e15918344 100644 --- a/crypto/evp/e_des3.c +++ b/crypto/evp/e_des3.c @@ -40,9 +40,7 @@ typedef struct { # if defined(AES_ASM) && (defined(__sparc) || defined(__sparc__)) /* ---------^^^ this is not a typo, just a way to detect that * assembler support was in general requested... */ -# include "sparc_arch.h" - -extern unsigned int OPENSSL_sparcv9cap_P[]; +# include "crypto/sparc_arch.h" # define SPARC_DES_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_DES) diff --git a/crypto/md5/asm/md5-sparcv9.pl b/crypto/md5/asm/md5-sparcv9.pl index 64e53a003f..a17d0b6bf5 100644 --- a/crypto/md5/asm/md5-sparcv9.pl +++ b/crypto/md5/asm/md5-sparcv9.pl @@ -203,7 +203,10 @@ ___ } $code.=<<___; -#include "sparc_arch.h" +#ifndef __ASSEMBLER__ +# define __ASSEMBLER__ 1 +#endif +#include "crypto/sparc_arch.h" #ifdef __arch64__ .register %g2,#scratch diff --git a/crypto/modes/asm/ghash-sparcv9.pl b/crypto/modes/asm/ghash-sparcv9.pl index c844235c0a..d3fa2a68fe 100644 --- a/crypto/modes/asm/ghash-sparcv9.pl +++ b/crypto/modes/asm/ghash-sparcv9.pl @@ -80,7 +80,10 @@ $inp="%i2"; $len="%i3"; $code.=<<___; -#include "sparc_arch.h" +#ifndef __ASSEMBLER__ +# define __ASSEMBLER__ 1 +#endif +#include "crypto/sparc_arch.h" #ifdef __arch64__ .register %g2,#scratch diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c index 8317fd48e4..e7e719fc0e 100644 --- a/crypto/modes/gcm128.c +++ b/crypto/modes/gcm128.c @@ -674,10 +674,9 @@ void gcm_ghash_v8(u64 Xi[2], const u128 Htable[16], const u8 *inp, size_t len); # endif # elif defined(__sparc__) || defined(__sparc) -# include "sparc_arch.h" +# include "crypto/sparc_arch.h" # define GHASH_ASM_SPARC # define GCM_FUNCREF_4BIT -extern unsigned int OPENSSL_sparcv9cap_P[]; void gcm_init_vis3(u128 Htable[16], const u64 Xi[2]); void gcm_gmult_vis3(u64 Xi[2], const u128 Htable[16]); void gcm_ghash_vis3(u64 Xi[2], const u128 Htable[16], const u8 *inp, diff --git a/crypto/poly1305/asm/poly1305-sparcv9.pl b/crypto/poly1305/asm/poly1305-sparcv9.pl index c9db450b48..b20517f57b 100755 --- a/crypto/poly1305/asm/poly1305-sparcv9.pl +++ b/crypto/poly1305/asm/poly1305-sparcv9.pl @@ -52,7 +52,10 @@ my ($h0,$h1,$h2,$h3, $t0,$t1,$t2) = map("%o$_",(0..5,7)); my ($d0,$d1,$d2,$d3) = map("%g$_",(1..4)); $code.=<<___; -#include "sparc_arch.h" +#ifndef __ASSEMBLER__ +# define __ASSEMBLER__ 1 +#endif +#include "crypto/sparc_arch.h" #ifdef __arch64__ .register %g2,#scratch diff --git a/crypto/sha/asm/sha1-sparcv9.pl b/crypto/sha/asm/sha1-sparcv9.pl index c3b82d0cfd..bbca9ed21a 100644 --- a/crypto/sha/asm/sha1-sparcv9.pl +++ b/crypto/sha/asm/sha1-sparcv9.pl @@ -187,7 +187,10 @@ ___ } $code.=<<___; -#include "sparc_arch.h" +#ifndef __ASSEMBLER__ +# define __ASSEMBLER__ 1 +#endif +#include "crypto/sparc_arch.h" #ifdef __arch64__ .register %g2,#scratch diff --git a/crypto/sha/asm/sha512-sparcv9.pl b/crypto/sha/asm/sha512-sparcv9.pl index 1619f14387..a77ae7bed7 100644 --- a/crypto/sha/asm/sha512-sparcv9.pl +++ b/crypto/sha/asm/sha512-sparcv9.pl @@ -394,7 +394,10 @@ ___ } if ($SZ==8); $code.=<<___; -#include "sparc_arch.h" +#ifndef __ASSEMBLER__ +# define __ASSEMBLER__ 1 +#endif +#include "crypto/sparc_arch.h" #ifdef __arch64__ .register %g2,#scratch diff --git a/crypto/sparcv9cap.c b/crypto/sparcv9cap.c index d93429f4c3..53c0c3e045 100644 --- a/crypto/sparcv9cap.c +++ b/crypto/sparcv9cap.c @@ -16,78 +16,13 @@ #include #include #include "internal/cryptlib.h" -#include "bn/bn_local.h" /* for definition of bn_mul_mont */ - -#include "sparc_arch.h" +#include "crypto/sparc_arch.h" #if defined(__GNUC__) && defined(__linux) __attribute__ ((visibility("hidden"))) #endif unsigned int OPENSSL_sparcv9cap_P[2] = { SPARCV9_TICK_PRIVILEGED, 0 }; -int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - const BN_ULONG *np, const BN_ULONG *n0, int num) -{ - int bn_mul_mont_vis3(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - const BN_ULONG *np, const BN_ULONG *n0, int num); - int bn_mul_mont_fpu(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - const BN_ULONG *np, const BN_ULONG *n0, int num); - int bn_mul_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - const BN_ULONG *np, const BN_ULONG *n0, int num); - - if (!(num & 1) && num >= 6) { - if ((num & 15) == 0 && num <= 64 && - (OPENSSL_sparcv9cap_P[1] & (CFR_MONTMUL | CFR_MONTSQR)) == - (CFR_MONTMUL | CFR_MONTSQR)) { - typedef int (*bn_mul_mont_f) (BN_ULONG *rp, const BN_ULONG *ap, - const BN_ULONG *bp, - const BN_ULONG *np, - const BN_ULONG *n0); - int bn_mul_mont_t4_8(BN_ULONG *rp, const BN_ULONG *ap, - const BN_ULONG *bp, const BN_ULONG *np, - const BN_ULONG *n0); - int bn_mul_mont_t4_16(BN_ULONG *rp, const BN_ULONG *ap, - const BN_ULONG *bp, const BN_ULONG *np, - const BN_ULONG *n0); - int bn_mul_mont_t4_24(BN_ULONG *rp, const BN_ULONG *ap, - const BN_ULONG *bp, const BN_ULONG *np, - const BN_ULONG *n0); - int bn_mul_mont_t4_32(BN_ULONG *rp, const BN_ULONG *ap, - const BN_ULONG *bp, const BN_ULONG *np, - const BN_ULONG *n0); - static const bn_mul_mont_f funcs[4] = { - bn_mul_mont_t4_8, bn_mul_mont_t4_16, - bn_mul_mont_t4_24, bn_mul_mont_t4_32 - }; - bn_mul_mont_f worker = funcs[num / 16 - 1]; - - if ((*worker) (rp, ap, bp, np, n0)) - return 1; - /* retry once and fall back */ - if ((*worker) (rp, ap, bp, np, n0)) - return 1; - return bn_mul_mont_vis3(rp, ap, bp, np, n0, num); - } - if ((OPENSSL_sparcv9cap_P[0] & SPARCV9_VIS3)) - return bn_mul_mont_vis3(rp, ap, bp, np, n0, num); - else if (num >= 8 && - /* - * bn_mul_mont_fpu doesn't use FMADD, we just use the - * flag to detect when FPU path is preferable in cases - * when current heuristics is unreliable. [it works - * out because FMADD-capable processors where FPU - * code path is undesirable are also VIS3-capable and - * VIS3 code path takes precedence.] - */ - ( (OPENSSL_sparcv9cap_P[0] & SPARCV9_FMADD) || - (OPENSSL_sparcv9cap_P[0] & - (SPARCV9_PREFER_FPU | SPARCV9_VIS1)) == - (SPARCV9_PREFER_FPU | SPARCV9_VIS1) )) - return bn_mul_mont_fpu(rp, ap, bp, np, n0, num); - } - return bn_mul_mont_int(rp, ap, bp, np, n0, num); -} - unsigned long _sparcv9_rdtick(void); void _sparcv9_vis1_probe(void); unsigned long _sparcv9_vis1_instrument(void); diff --git a/include/crypto/aes_platform.h b/include/crypto/aes_platform.h index a50bdbe069..f1b1d62549 100644 --- a/include/crypto/aes_platform.h +++ b/include/crypto/aes_platform.h @@ -61,7 +61,7 @@ void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len, # if defined(OPENSSL_CPUID_OBJ) # if (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC)) -# include "ppc_arch.h" +# include "crypto/ppc_arch.h" # ifdef VPAES_ASM # define VPAES_CAPABLE (OPENSSL_ppccap_P & PPC_ALTIVEC) # endif @@ -233,8 +233,7 @@ void gcm_ghash_avx(u64 Xi[2], const u128 Htable[16], const u8 *in, size_t len); # elif defined(AES_ASM) && (defined(__sparc) || defined(__sparc__)) /* Fujitsu SPARC64 X support */ -extern unsigned int OPENSSL_sparcv9cap_P[]; -# include "sparc_arch.h" +# include "crypto/sparc_arch.h" # define SPARC_AES_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_AES) # define HWAES_CAPABLE (OPENSSL_sparcv9cap_P[0] & SPARCV9_FJAESX) diff --git a/include/crypto/cmll_platform.h b/include/crypto/cmll_platform.h index fe2f789173..8cadadf68a 100644 --- a/include/crypto/cmll_platform.h +++ b/include/crypto/cmll_platform.h @@ -14,8 +14,7 @@ # if defined(CMLL_ASM) && (defined(__sparc) || defined(__sparc__)) /* Fujitsu SPARC64 X support */ -extern unsigned int OPENSSL_sparcv9cap_P[]; -# include "sparc_arch.h" +# include "crypto/sparc_arch.h" # ifndef OPENSSL_NO_CAMELLIA # define SPARC_CMLL_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_CAMELLIA) diff --git a/include/crypto/des_platform.h b/include/crypto/des_platform.h index 24fdb90b2f..07ea1ddd0a 100644 --- a/include/crypto/des_platform.h +++ b/include/crypto/des_platform.h @@ -14,8 +14,7 @@ # if defined(DES_ASM) && (defined(__sparc) || defined(__sparc__)) /* Fujitsu SPARC64 X support */ -extern unsigned int OPENSSL_sparcv9cap_P[]; -# include "sparc_arch.h" +# include "crypto/sparc_arch.h" # ifndef OPENSSL_NO_DES # define SPARC_DES_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_DES) diff --git a/crypto/sparc_arch.h b/include/crypto/sparc_arch.h similarity index 96% rename from crypto/sparc_arch.h rename to include/crypto/sparc_arch.h index f57f0e145b..447e715bf2 100644 --- a/crypto/sparc_arch.h +++ b/include/crypto/sparc_arch.h @@ -1,5 +1,5 @@ /* - * Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -115,4 +115,8 @@ mov tmp, %o7; # endif +# ifndef __ASSEMBLER__ +extern unsigned int OPENSSL_sparcv9cap_P[2]; +# endif + #endif /* OSSL_CRYPTO_SPARC_ARCH_H */ From mark at openssl.org Thu Jul 15 08:00:09 2021 From: mark at openssl.org (Mark J. Cox) Date: Thu, 15 Jul 2021 08:00:09 +0000 Subject: [web] master update Message-ID: <1626336009.011506.11218.nullmailer@dev.openssl.org> The branch master has been updated via 539bea014de78db5ff5b0785a46bfd7647b0b589 (commit) via f975a6468b54079ffad293492d9c42e006f65794 (commit) from 1570fc29ed21a46e7a7a3dd7c64f58a8ff976c29 (commit) - Log ----------------------------------------------------------------- commit 539bea014de78db5ff5b0785a46bfd7647b0b589 Merge: 1570fc2 f975a64 Author: Mark J. Cox Date: Thu Jul 15 08:58:51 2021 +0100 Merge pull request #246 from iamamoose/shiguredosponsor Add sponsor Shiguredo Inc commit f975a6468b54079ffad293492d9c42e006f65794 Author: Mark J. Cox Date: Thu Jul 15 08:54:51 2021 +0100 Add sponsor Shiguredo Inc ----------------------------------------------------------------------- Summary of changes: support/acks.html | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/support/acks.html b/support/acks.html index 418652c..8a81815 100644 --- a/support/acks.html +++ b/support/acks.html @@ -43,6 +43,11 @@

+ +

Silver:

+
+

Shiguredo Inc.

+

Bronze:

From scan-admin at coverity.com Thu Jul 15 09:54:24 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Thu, 15 Jul 2021 09:54:24 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60f005cfa4fba_cf4382afc646799a0816c9@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DjvW-_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFT0iiDkNYG5Qt84uYQmHuSFY-2F1D84c-2FZfPMKELhJ59vhHJcI-2FI38i0m9UV1iFzxH3N-2BM6bea42R2ppKFo03qONnCC7zTRaU70I6yAWGtuGMaUlv-2FFhLervn8Auane8jSlK-2BhILZTYUAYQy6JCK8GWstx8ZKbW-2Fqyw-2BdC-2FedcHvZpNpOu2ekN3ND90ZhbuGjrc-3D Build ID: 397029 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Thu Jul 15 10:12:47 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Thu, 15 Jul 2021 10:12:47 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60f00a1e7ffad_cfa762afc646799a08166d@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3Dmz7u_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHankaNlFIhMtetfDpXeqWwN64QjWR6ISIYPtjoS9WxjlPaeMfFCfB0ffh4W6xjvtuP5YoggvgYsXqN1qV2pBB8nzqDixrh9ll8es68kYQv74Pz8wcKoNdXWlsQdQnLIYL5kiRBDPqIWwMHHWBtRHXJM91Bw2rGTejIKgvZt8T-2FxCWAsv2-2FmZ4Ct89-2BhWotBfk-3D Build ID: 397032 Analysis Summary: New defects found: 0 Defects eliminated: 0 From tomas at openssl.org Fri Jul 16 06:58:22 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 16 Jul 2021 06:58:22 +0000 Subject: [openssl] master update Message-ID: <1626418702.825285.7930.nullmailer@dev.openssl.org> The branch master has been updated via 09c1db3399d682523443af64158e1862082da23e (commit) from 52f7e44ec88a4d803dc9783cd7c71f87014ae3ee (commit) - Log ----------------------------------------------------------------- commit 09c1db3399d682523443af64158e1862082da23e Author: Daiki Ueno Date: Wed Jul 14 11:15:34 2021 +0200 apps: Use the first detected address family if IPv6 is not available This is a follow up of 15729bef385211bc2a0497e2d53a45c45d677d2c. Even when the host does not support IPv6 at all, BIO_lookup_ex may now return IN6ADDR_ANY in addition to INADDR_ANY, as the second element of the ai_next field. After eee8a40aa5e06841eed6fa8eb4f6109238d59aea, the do_server function prefers the IPv6 address and fails on the BIO_socket call. This adds a fallback code to retry with the IPv4 address returned as the first element to avoid the error. The failure had been partially avoided in the previous code with AI_ADDRCONFIG, because getaddrinfo returns only IPv4 address if no IPv6 address is associated with external interface. However, it would be still a problem if the external interface has an IPv6 address assigned, while the loopback interface doesn't. Signed-off-by: Daiki Ueno Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16074) ----------------------------------------------------------------------- Summary of changes: apps/lib/s_socket.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/apps/lib/s_socket.c b/apps/lib/s_socket.c index bddf16045f..6884fd86cd 100644 --- a/apps/lib/s_socket.c +++ b/apps/lib/s_socket.c @@ -267,6 +267,8 @@ int do_server(int *accept_sock, const char *host, const char *port, const BIO_ADDRINFO *next; int sock_family, sock_type, sock_protocol, sock_port; const BIO_ADDR *sock_address; + int sock_family_fallback = AF_UNSPEC; + const BIO_ADDR *sock_address_fallback = NULL; int sock_options = BIO_SOCK_REUSEADDR; int ret = 0; @@ -298,6 +300,10 @@ int do_server(int *accept_sock, const char *host, const char *port, && BIO_ADDRINFO_protocol(next) == sock_protocol) { if (sock_family == AF_INET && BIO_ADDRINFO_family(next) == AF_INET6) { + /* In case AF_INET6 is returned but not supported by the + * kernel, retry with the first detected address family */ + sock_family_fallback = sock_family; + sock_address_fallback = sock_address; sock_family = AF_INET6; sock_address = BIO_ADDRINFO_address(next); } else if (sock_family == AF_INET6 @@ -308,6 +314,10 @@ int do_server(int *accept_sock, const char *host, const char *port, #endif asock = BIO_socket(sock_family, sock_type, sock_protocol, 0); + if (asock == INVALID_SOCKET && sock_family_fallback != AF_UNSPEC) { + asock = BIO_socket(sock_family_fallback, sock_type, sock_protocol, 0); + sock_address = sock_address_fallback; + } if (asock == INVALID_SOCKET || !BIO_listen(asock, sock_address, sock_options)) { BIO_ADDRINFO_free(res); From tomas at openssl.org Fri Jul 16 06:59:54 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 16 Jul 2021 06:59:54 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1626418794.362456.10037.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 657f3d030fce41600d3b9f8daf4cb98c8dc4ec3e (commit) from b46a26b3ade22be5ba4c39bf89c66f17d7900944 (commit) - Log ----------------------------------------------------------------- commit 657f3d030fce41600d3b9f8daf4cb98c8dc4ec3e Author: Daiki Ueno Date: Wed Jul 14 11:15:34 2021 +0200 apps: Use the first detected address family if IPv6 is not available This is a follow up of 15729bef385211bc2a0497e2d53a45c45d677d2c. Even when the host does not support IPv6 at all, BIO_lookup_ex may now return IN6ADDR_ANY in addition to INADDR_ANY, as the second element of the ai_next field. After eee8a40aa5e06841eed6fa8eb4f6109238d59aea, the do_server function prefers the IPv6 address and fails on the BIO_socket call. This adds a fallback code to retry with the IPv4 address returned as the first element to avoid the error. The failure had been partially avoided in the previous code with AI_ADDRCONFIG, because getaddrinfo returns only IPv4 address if no IPv6 address is associated with external interface. However, it would be still a problem if the external interface has an IPv6 address assigned, while the loopback interface doesn't. Signed-off-by: Daiki Ueno Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16078) ----------------------------------------------------------------------- Summary of changes: apps/s_socket.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/apps/s_socket.c b/apps/s_socket.c index 76f9289002..f16de24145 100644 --- a/apps/s_socket.c +++ b/apps/s_socket.c @@ -214,6 +214,8 @@ int do_server(int *accept_sock, const char *host, const char *port, const BIO_ADDRINFO *next; int sock_family, sock_type, sock_protocol, sock_port; const BIO_ADDR *sock_address; + int sock_family_fallback = AF_UNSPEC; + const BIO_ADDR *sock_address_fallback = NULL; int sock_options = BIO_SOCK_REUSEADDR; int ret = 0; @@ -244,6 +246,10 @@ int do_server(int *accept_sock, const char *host, const char *port, && BIO_ADDRINFO_protocol(next) == sock_protocol) { if (sock_family == AF_INET && BIO_ADDRINFO_family(next) == AF_INET6) { + /* In case AF_INET6 is returned but not supported by the + * kernel, retry with the first detected address family */ + sock_family_fallback = sock_family; + sock_address_fallback = sock_address; sock_family = AF_INET6; sock_address = BIO_ADDRINFO_address(next); } else if (sock_family == AF_INET6 @@ -253,6 +259,10 @@ int do_server(int *accept_sock, const char *host, const char *port, } asock = BIO_socket(sock_family, sock_type, sock_protocol, 0); + if (asock == INVALID_SOCKET && sock_family_fallback != AF_UNSPEC) { + asock = BIO_socket(sock_family_fallback, sock_type, sock_protocol, 0); + sock_address = sock_address_fallback; + } if (asock == INVALID_SOCKET || !BIO_listen(asock, sock_address, sock_options)) { BIO_ADDRINFO_free(res); From scan-admin at coverity.com Fri Jul 16 09:04:58 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Fri, 16 Jul 2021 09:04:58 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60f14bb9ecc22_ebb492ac0562f19a885441@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DE7lm_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHdiedy0FhNU6NTZ2mT1Y-2B-2BgadrcNul7xnXNKYK8mXyXT0gUUKlpeXskXNkB5iC-2FkJtPp0qboCHvFGb4X2dR9JMvRDosKjr8r6LAVv7-2BiZmkCK4pMCUWL5di0HmkWdTV4iIur7jT05YyIKQKrfj-2FzZVAIY926h9dwehyeEOJxdhwulA7LO9-2BvskoOM6mzlGfCw-3D Build ID: 397212 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Fri Jul 16 09:13:37 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Fri, 16 Jul 2021 09:13:37 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60f14dc0df5bd_ebde72ac0562f19a885463@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3D3cuD_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFIqrvVjAq7T-2FGqFqsABPSAN11EyoQ3HNQUgZlzQqM5TwczAT3QlFO7FnHGLgdqihNgl-2B8vm0x1rkYhUgNxuNj1piL69ak3iGV8xpCGvmQ4i0lqBj9YMClTla-2Fs44GTWtrJWY6NgJ-2FVpgNpJzeTNFy7-2B4nS01jEO7gnZ1ao-2B7NMHPuDACSTrOd84vjaQzkadMw-3D Build ID: 397213 Analysis Summary: New defects found: 0 Defects eliminated: 0 From tomas at openssl.org Fri Jul 16 09:24:11 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 16 Jul 2021 09:24:11 +0000 Subject: [openssl] master update Message-ID: <1626427451.086748.3934.nullmailer@dev.openssl.org> The branch master has been updated via ca638147c8cdb7c49621f3f0acc628c090989b6a (commit) via f096691b91413363e8c45a0e093018d1c86de941 (commit) via 033e987c03e025fa15eeae036578384e65f49af0 (commit) via 59f66d8cf98a2c11404826bfecd7d6f210ddc048 (commit) from 09c1db3399d682523443af64158e1862082da23e (commit) - Log ----------------------------------------------------------------- commit ca638147c8cdb7c49621f3f0acc628c090989b6a Author: Tomas Mraz Date: Wed Jul 14 15:51:29 2021 +0200 Drop daily run-checker build with just enable-acvp-tests Having just enable-acvp-tests without enable-fips does not make much sense as this just builds the test but it is skipped. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16076) commit f096691b91413363e8c45a0e093018d1c86de941 Author: Tomas Mraz Date: Wed Jul 14 15:49:31 2021 +0200 CI: have enable-acvp-tests in some CI build Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16076) commit 033e987c03e025fa15eeae036578384e65f49af0 Author: Tomas Mraz Date: Wed Jul 14 15:41:22 2021 +0200 Signature algos: allow having identical digest in params The flag_allow_md prevents setting a digest in params however this is unnecessarily strict. If the digest is the same as the one already set, we do not return an error. Fixes #16071 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16076) commit 59f66d8cf98a2c11404826bfecd7d6f210ddc048 Author: Tomas Mraz Date: Wed Jul 14 15:41:00 2021 +0200 acvp_test: Fix incorrect parenthesis Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16076) ----------------------------------------------------------------------- Summary of changes: .github/workflows/ci.yml | 2 +- .github/workflows/run-checker-daily.yml | 1 - providers/implementations/signature/dsa_sig.c | 16 +++++++++++---- providers/implementations/signature/ecdsa_sig.c | 27 +++++++++++++++++-------- providers/implementations/signature/rsa_sig.c | 17 +++++++++++----- test/acvp_test.c | 4 ++-- 6 files changed, 46 insertions(+), 21 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5ff0750681..fa650e4d6c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -215,7 +215,7 @@ jobs: mkdir ./build mkdir ./install - name: config - run: ../config --banner=Configured enable-fips --strict-warnings --prefix=$(cd ../install; pwd) && perl configdata.pm --dump + run: ../config --banner=Configured enable-fips enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd) && perl configdata.pm --dump working-directory: ./build - name: make run: make -s -j4 diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml index a85ad2cb71..c66241743a 100644 --- a/.github/workflows/run-checker-daily.yml +++ b/.github/workflows/run-checker-daily.yml @@ -11,7 +11,6 @@ jobs: matrix: opt: [ 386, - enable-acvp-tests, no-afalgeng, no-aria, no-asan, diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c index 138fbce5e9..2acab0b481 100644 --- a/providers/implementations/signature/dsa_sig.c +++ b/providers/implementations/signature/dsa_sig.c @@ -145,6 +145,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, return 0; } + if (!ctx->flag_allow_md) { + if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) { + ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, + "digest %s != %s", mdname, ctx->mdname); + EVP_MD_free(md); + return 0; + } + EVP_MD_free(md); + return 1; + } + EVP_MD_CTX_free(ctx->mdctx); EVP_MD_free(ctx->md); @@ -260,13 +271,13 @@ static int dsa_digest_signverify_init(void *vpdsactx, const char *mdname, if (!ossl_prov_is_running()) return 0; - pdsactx->flag_allow_md = 0; if (!dsa_signverify_init(vpdsactx, vdsa, params, operation)) return 0; if (!dsa_setup_md(pdsactx, mdname, NULL)) return 0; + pdsactx->flag_allow_md = 0; pdsactx->mdctx = EVP_MD_CTX_new(); if (pdsactx->mdctx == NULL) goto error; @@ -463,9 +474,6 @@ static int dsa_set_ctx_params(void *vpdsactx, const OSSL_PARAM params[]) return 1; p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST); - /* Not allowed during certain operations */ - if (p != NULL && !pdsactx->flag_allow_md) - return 0; if (p != NULL) { char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = mdname; char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = mdprops; diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c index c32641f1eb..64be0657c3 100644 --- a/providers/implementations/signature/ecdsa_sig.c +++ b/providers/implementations/signature/ecdsa_sig.c @@ -234,6 +234,17 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, return 0; } + if (!ctx->flag_allow_md) { + if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) { + ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, + "digest %s != %s", mdname, ctx->mdname); + EVP_MD_free(md); + return 0; + } + EVP_MD_free(md); + return 1; + } + EVP_MD_CTX_free(ctx->mdctx); EVP_MD_free(ctx->md); @@ -263,11 +274,11 @@ static int ecdsa_digest_signverify_init(void *vctx, const char *mdname, if (!ossl_prov_is_running()) return 0; - ctx->flag_allow_md = 0; if (!ecdsa_signverify_init(vctx, ec, params, operation) || !ecdsa_setup_md(ctx, mdname, NULL)) return 0; + ctx->flag_allow_md = 0; ctx->mdctx = EVP_MD_CTX_new(); if (ctx->mdctx == NULL) goto error; @@ -452,6 +463,7 @@ static int ecdsa_set_ctx_params(void *vctx, const OSSL_PARAM params[]) { PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; const OSSL_PARAM *p; + size_t mdsize = 0; if (ctx == NULL) return 0; @@ -465,9 +477,6 @@ static int ecdsa_set_ctx_params(void *vctx, const OSSL_PARAM params[]) #endif p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST); - /* Not allowed during certain operations */ - if (p != NULL && !ctx->flag_allow_md) - return 0; if (p != NULL) { char mdname[OSSL_MAX_NAME_SIZE] = "", *pmdname = mdname; char mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmdprops = mdprops; @@ -485,10 +494,12 @@ static int ecdsa_set_ctx_params(void *vctx, const OSSL_PARAM params[]) } p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST_SIZE); - if (p != NULL - && (!ctx->flag_allow_md - || !OSSL_PARAM_get_size_t(p, &ctx->mdsize))) - return 0; + if (p != NULL) { + if (!OSSL_PARAM_get_size_t(p, &mdsize) + || (!ctx->flag_allow_md && mdsize != ctx->mdsize)) + return 0; + ctx->mdsize = mdsize; + } return 1; } diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c index 30fd43e0e5..40a97c0165 100644 --- a/providers/implementations/signature/rsa_sig.c +++ b/providers/implementations/signature/rsa_sig.c @@ -305,6 +305,17 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, return 0; } + if (!ctx->flag_allow_md) { + if (ctx->mdname[0] != '\0' && !EVP_MD_is_a(md, ctx->mdname)) { + ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, + "digest %s != %s", mdname, ctx->mdname); + EVP_MD_free(md); + return 0; + } + EVP_MD_free(md); + return 1; + } + if (!ctx->mgf1_md_set) { if (!EVP_MD_up_ref(md)) { EVP_MD_free(md); @@ -826,8 +837,6 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname, if (!ossl_prov_is_running()) return 0; - if (prsactx != NULL) - prsactx->flag_allow_md = 0; if (!rsa_signverify_init(vprsactx, vrsa, params, operation)) return 0; if (mdname != NULL @@ -836,6 +845,7 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname, && !rsa_setup_md(prsactx, mdname, prsactx->propq)) return 0; + prsactx->flag_allow_md = 0; prsactx->mdctx = EVP_MD_CTX_new(); if (prsactx->mdctx == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); @@ -1141,9 +1151,6 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) saltlen = prsactx->saltlen; p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST); - /* Not allowed during certain operations */ - if (p != NULL && !prsactx->flag_allow_md) - return 0; if (p != NULL) { const OSSL_PARAM *propsp = OSSL_PARAM_locate_const(params, diff --git a/test/acvp_test.c b/test/acvp_test.c index 05a328a6ad..ce0ef66b8b 100644 --- a/test/acvp_test.c +++ b/test/acvp_test.c @@ -1227,10 +1227,10 @@ static int rsa_sigver_test(int id) || !TEST_ptr(md_ctx = EVP_MD_CTX_new()) || !TEST_true(EVP_DigestVerifyInit_ex(md_ctx, &pkey_ctx, tst->digest_alg, libctx, NULL, - pkey, NULL) + pkey, NULL)) || !TEST_true(EVP_PKEY_CTX_set_params(pkey_ctx, params)) || !TEST_int_eq(EVP_DigestVerify(md_ctx, tst->sig, tst->sig_len, - tst->msg, tst->msg_len), tst->pass))) + tst->msg, tst->msg_len), tst->pass)) goto err; ret = 1; err: From tomas at openssl.org Fri Jul 16 09:29:56 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 16 Jul 2021 09:29:56 +0000 Subject: [openssl] master update Message-ID: <1626427796.791051.7962.nullmailer@dev.openssl.org> The branch master has been updated via e0ad156d22587514b60920143917cdb149734212 (commit) via 02d63fe999d36a7d37d992bc77b05b89f9a929cc (commit) via 07d189cee45e334cde119b547449841a4414e740 (commit) from ca638147c8cdb7c49621f3f0acc628c090989b6a (commit) - Log ----------------------------------------------------------------- commit e0ad156d22587514b60920143917cdb149734212 Author: Tomas Mraz Date: Thu Jul 15 09:30:23 2021 +0200 RSA_public_decrypt is equivalent to a verify recover operation Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16068) commit 02d63fe999d36a7d37d992bc77b05b89f9a929cc Author: Tomas Mraz Date: Wed Jul 14 12:45:30 2021 +0200 evp_test: Add tests for rsa_padding_mode:none Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16068) commit 07d189cee45e334cde119b547449841a4414e740 Author: Tomas Mraz Date: Tue Jul 13 15:28:24 2021 +0200 Allow RSA signature operations with RSA_NO_PADDING When no md is set, the raw operations should be allowed. Fixes #16056 Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16068) ----------------------------------------------------------------------- Summary of changes: doc/man3/RSA_private_encrypt.pod | 7 ++-- doc/man7/migration_guide.pod | 4 +- providers/implementations/signature/rsa_sig.c | 7 +++- .../30-test_evp_data/evppkey_rsa_common.txt | 47 ++++++++++++++++++++++ 4 files changed, 58 insertions(+), 7 deletions(-) diff --git a/doc/man3/RSA_private_encrypt.pod b/doc/man3/RSA_private_encrypt.pod index 4b97d874c3..1c89b58b5f 100644 --- a/doc/man3/RSA_private_encrypt.pod +++ b/doc/man3/RSA_private_encrypt.pod @@ -22,8 +22,8 @@ L: Both of the functions described on this page are deprecated. Applications should instead use L, -L, L and -L. +L, L, and +L. These functions handle RSA signatures at a low-level. @@ -69,7 +69,8 @@ obtained by L. =head1 SEE ALSO L, -L, L +L, L, +L, L =head1 HISTORY diff --git a/doc/man7/migration_guide.pod b/doc/man7/migration_guide.pod index 9a9d940af4..aac158795c 100644 --- a/doc/man7/migration_guide.pod +++ b/doc/man7/migration_guide.pod @@ -2025,8 +2025,8 @@ See L RSA_private_encrypt(), RSA_public_decrypt() -This is equivalent to doing sign and verify operations (with a padding mode -of none). See L. +This is equivalent to doing sign and verify recover operations (with a padding +mode of none). See L. =item - diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c index 40a97c0165..298d789b74 100644 --- a/providers/implementations/signature/rsa_sig.c +++ b/providers/implementations/signature/rsa_sig.c @@ -126,8 +126,11 @@ static int rsa_check_padding(const PROV_RSA_CTX *prsactx, { switch(prsactx->pad_mode) { case RSA_NO_PADDING: - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE); - return 0; + if (mdname != NULL || mdnid != NID_undef) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE); + return 0; + } + break; case RSA_X931_PADDING: if (RSA_X931_hash_id(mdnid) == -1) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_X931_DIGEST); diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt index b56bc84c37..b0406ea5dc 100644 --- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt @@ -200,6 +200,53 @@ Ctrl = digest:SHA1 Input = "0123456789ABCDEF1234" Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad +# no padding + +# Too small input +Sign = RSA-2048 +Ctrl = rsa_padding_mode:none +Input = "0123456789ABCDEF123456789ABC" +Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad +Result = KEYOP_ERROR + +# Digest set before padding +Sign = RSA-2048 +Ctrl = digest:sha256 +Ctrl = rsa_padding_mode:none +Input = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef +Output = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e3775a85ae8ef75e000ca5498d772e3e797012ac8e462d72e567eb4afae0d1df72ffc84b3117045c58eb13aabb427fd6591577089dfa36d8d07ebd0670e4473683659b53b050c32397752cdee7c08de667f8de0ec01db01d440e433986e57ead2f877356b7d4985daf6c7ba09e46c061fe2372baa90cbd77557ef1143f46e27abf65c276f165a753e1f09e3719d1bfd8b32efe4aed2e97b502aa96ce472d3d91a09fae47b1a5103c448039ada73a57d7a001542bfb0b58c8b4bcb705a108a643434bb7ff997b58ba8b76425d7510aeff3e60f17af82191500517653fa5f3 +Result = PKEY_CTRL_ERROR + +# Digest set after padding +Sign = RSA-2048 +Ctrl = rsa_padding_mode:none +Ctrl = digest:sha256 +Input = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef +Output = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e3775a85ae8ef75e000ca5498d772e3e797012ac8e462d72e567eb4afae0d1df72ffc84b3117045c58eb13aabb427fd6591577089dfa36d8d07ebd0670e4473683659b53b050c32397752cdee7c08de667f8de0ec01db01d440e433986e57ead2f877356b7d4985daf6c7ba09e46c061fe2372baa90cbd77557ef1143f46e27abf65c276f165a753e1f09e3719d1bfd8b32efe4aed2e97b502aa96ce472d3d91a09fae47b1a5103c448039ada73a57d7a001542bfb0b58c8b4bcb705a108a643434bb7ff997b58ba8b76425d7510aeff3e60f17af82191500517653fa5f3 +Result = PKEY_CTRL_ERROR + +Sign = RSA-2048 +Ctrl = rsa_padding_mode:none +Input = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef +Output = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e3775a85ae8ef75e000ca5498d772e3e797012ac8e462d72e567eb4afae0d1df72ffc84b3117045c58eb13aabb427fd6591577089dfa36d8d07ebd0670e4473683659b53b050c32397752cdee7c08de667f8de0ec01db01d440e433986e57ead2f877356b7d4985daf6c7ba09e46c061fe2372baa90cbd77557ef1143f46e27abf65c276f165a753e1f09e3719d1bfd8b32efe4aed2e97b502aa96ce472d3d91a09fae47b1a5103c448039ada73a57d7a001542bfb0b58c8b4bcb705a108a643434bb7ff997b58ba8b76425d7510aeff3e60f17af82191500517653fa5f3 + +Verify = RSA-2048-PUBLIC +Ctrl = rsa_padding_mode:none +Input = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef +Output = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e3775a85ae8ef75e000ca5498d772e3e797012ac8e462d72e567eb4afae0d1df72ffc84b3117045c58eb13aabb427fd6591577089dfa36d8d07ebd0670e4473683659b53b050c32397752cdee7c08de667f8de0ec01db01d440e433986e57ead2f877356b7d4985daf6c7ba09e46c061fe2372baa90cbd77557ef1143f46e27abf65c276f165a753e1f09e3719d1bfd8b32efe4aed2e97b502aa96ce472d3d91a09fae47b1a5103c448039ada73a57d7a001542bfb0b58c8b4bcb705a108a643434bb7ff997b58ba8b76425d7510aeff3e60f17af82191500517653fa5f3 + +# Plaintext modified +Verify = RSA-2048-PUBLIC +Ctrl = rsa_padding_mode:none +Input = 0223456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef +Output = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e3775a85ae8ef75e000ca5498d772e3e797012ac8e462d72e567eb4afae0d1df72ffc84b3117045c58eb13aabb427fd6591577089dfa36d8d07ebd0670e4473683659b53b050c32397752cdee7c08de667f8de0ec01db01d440e433986e57ead2f877356b7d4985daf6c7ba09e46c061fe2372baa90cbd77557ef1143f46e27abf65c276f165a753e1f09e3719d1bfd8b32efe4aed2e97b502aa96ce472d3d91a09fae47b1a5103c448039ada73a57d7a001542bfb0b58c8b4bcb705a108a643434bb7ff997b58ba8b76425d7510aeff3e60f17af82191500517653fa5f3 +Result = VERIFY_ERROR + +VerifyRecover = RSA-2048-PUBLIC +Ctrl = rsa_padding_mode:none +Input = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e3775a85ae8ef75e000ca5498d772e3e797012ac8e462d72e567eb4afae0d1df72ffc84b3117045c58eb13aabb427fd6591577089dfa36d8d07ebd0670e4473683659b53b050c32397752cdee7c08de667f8de0ec01db01d440e433986e57ead2f877356b7d4985daf6c7ba09e46c061fe2372baa90cbd77557ef1143f46e27abf65c276f165a753e1f09e3719d1bfd8b32efe4aed2e97b502aa96ce472d3d91a09fae47b1a5103c448039ada73a57d7a001542bfb0b58c8b4bcb705a108a643434bb7ff997b58ba8b76425d7510aeff3e60f17af82191500517653fa5f3 +Output = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + # RSA decrypt Decrypt = RSA-2048 From tomas at openssl.org Fri Jul 16 10:20:48 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 16 Jul 2021 10:20:48 +0000 Subject: [openssl] master update Message-ID: <1626430848.018885.1707.nullmailer@dev.openssl.org> The branch master has been updated via 3bec48515354bc4138ce14c5aafc2c9e3bcc473f (commit) via 21ba77cad67f6a40b051ac9d57069fa58d0658f7 (commit) from e0ad156d22587514b60920143917cdb149734212 (commit) - Log ----------------------------------------------------------------- commit 3bec48515354bc4138ce14c5aafc2c9e3bcc473f Author: Matt Caswell Date: Tue Jul 13 17:44:44 2021 +0100 Disallow SSL_key_update() if there are writes pending If an application is halfway through writing application data it should not be allowed to attempt an SSL_key_update() operation. Instead the SSL_write() operation should be completed. Fixes #12485 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16077) commit 21ba77cad67f6a40b051ac9d57069fa58d0658f7 Author: Matt Caswell Date: Tue Jul 13 17:19:12 2021 +0100 Don't reset the packet pointer in ssl3_setup_read_buffer Sometimes this function gets called when the buffers have already been set up. If there is already a partial packet in the read buffer then the packet pointer will be set to an incorrect value. The packet pointer already gets reset to the correct value when we first read a packet anyway, so we don't also need to do it in ssl3_setup_read_buffer. Fixes #13729 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16077) ----------------------------------------------------------------------- Summary of changes: ssl/record/ssl3_buffer.c | 1 - ssl/ssl_lib.c | 5 +++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c index 861610a08b..daa175d98c 100644 --- a/ssl/record/ssl3_buffer.c +++ b/ssl/record/ssl3_buffer.c @@ -73,7 +73,6 @@ int ssl3_setup_read_buffer(SSL *s) b->len = len; } - RECORD_LAYER_set_packet(&s->rlayer, &(b->buf[0])); return 1; } diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index c1e8e41f02..892a417d93 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2262,6 +2262,11 @@ int SSL_key_update(SSL *s, int updatetype) return 0; } + if (RECORD_LAYER_write_pending(&s->rlayer)) { + ERR_raise(ERR_LIB_SSL, SSL_R_BAD_WRITE_RETRY); + return 0; + } + ossl_statem_set_in_init(s, 1); s->key_update = updatetype; return 1; From tomas at openssl.org Fri Jul 16 12:37:35 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 16 Jul 2021 12:37:35 +0000 Subject: [openssl] master update Message-ID: <1626439055.146867.23232.nullmailer@dev.openssl.org> The branch master has been updated via 24f84b4e4dbde9d8ef7a5ebb4b3c2ca22fd4cd22 (commit) from 3bec48515354bc4138ce14c5aafc2c9e3bcc473f (commit) - Log ----------------------------------------------------------------- commit 24f84b4e4dbde9d8ef7a5ebb4b3c2ca22fd4cd22 Author: Tomas Mraz Date: Thu Jul 15 13:37:26 2021 +0200 doc: It is not possible to use SSL_OP_* value in preprocessor conditions Fixes #16082 Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/16084) ----------------------------------------------------------------------- Summary of changes: doc/man3/SSL_CTX_set_options.pod | 6 ++++++ doc/man7/migration_guide.pod | 4 +++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod index 7b179099e1..df47e4dd03 100644 --- a/doc/man3/SSL_CTX_set_options.pod +++ b/doc/man3/SSL_CTX_set_options.pod @@ -427,6 +427,12 @@ were added in OpenSSL 1.1.1. The B and B options were added in OpenSSL 3.0. +The B constants and the corresponding parameter and return values +of the affected functions were changed to C type in OpenSSL 3.0. +For that reason it is no longer possible use the B macro values +in preprocessor C<#if> conditions. However it is still possible to test +whether these macros are defined or not. + =head1 COPYRIGHT Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man7/migration_guide.pod b/doc/man7/migration_guide.pod index aac158795c..8cc9bd5fc8 100644 --- a/doc/man7/migration_guide.pod +++ b/doc/man7/migration_guide.pod @@ -2235,7 +2235,9 @@ SSL and SSL_CTX options are now 64 bit instead of 32 bit. The signatures of the functions to get and set options on SSL and SSL_CTX objects changed from "unsigned long" to "uint64_t" type. -This may require source code changes. +This may require source code changes. For example it is no longer possible +to use the B macro values in preprocessor C<#if> conditions. +However it is still possible to test whether these macros are defined or not. See L, L, L and L. From scan-admin at coverity.com Sat Jul 17 07:49:53 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sat, 17 Jul 2021 07:49:53 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60f28ba151e46_1081482b234042798866538@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DgLm7_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeEy0HQzB5JKEkJq4TjxlJ8xH99H-2FBZn8w0VwSP-2FaXBmViv0caox58KrTkMm8LUQ5GTxOfAFpWUPJDctrPYfk6XQwpobILKQwCsW8cTkPjzKtoXdJUG4tSuS5QaujwxkbMznwnYDJxT-2BgMETsVFznvcykIhgaV2LLevzYJshnAUIfigfhy4td-2FDC63jtAbCMrno-3D Build ID: 397395 Analysis Summary: New defects found: 0 Defects eliminated: 0 From pauli at openssl.org Sat Jul 17 07:51:33 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Sat, 17 Jul 2021 07:51:33 +0000 Subject: [openssl] master update Message-ID: <1626508293.407616.6195.nullmailer@dev.openssl.org> The branch master has been updated via c3c00c7acd040f8e410fffffb5808d2f1c3ac9b9 (commit) from 24f84b4e4dbde9d8ef7a5ebb4b3c2ca22fd4cd22 (commit) - Log ----------------------------------------------------------------- commit c3c00c7acd040f8e410fffffb5808d2f1c3ac9b9 Author: Pauli Date: Fri Jul 16 10:31:41 2021 +1000 config: enable ACVP test case if FIPS is enabled. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16095) ----------------------------------------------------------------------- Summary of changes: Configure | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Configure b/Configure index 0ec72395db..2264e090c5 100755 --- a/Configure +++ b/Configure @@ -532,7 +532,6 @@ my %deprecated_disablables = ( our %disabled = ( # "what" => "comment" "fips" => "default", - "acvp-tests" => "default", "asan" => "default", "buildtest-c++" => "default", "crypto-mdebug" => "default", @@ -638,7 +637,7 @@ my @disable_cascades = ( "cmp" => [ "crmf" ], - "fips" => [ "fips-securitychecks" ], + "fips" => [ "fips-securitychecks", "acvp-tests" ], "deprecated-3.0" => [ "engine", "srp" ] ); From scan-admin at coverity.com Sat Jul 17 07:52:47 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sat, 17 Jul 2021 07:52:47 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60f28c4e70b2d_1082442b2340427988665b1@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3Ds-cS_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFgJwd84Yad7NAkZGXl8XlzMPGC8hBVqv-2Bm-2Fdl1UVtBFIgW2yl8m4C1frO4wQTK-2B25vdrSL5I8OZLzyU-2FYnSDTV-2FoS3kkf7ivd7euSVZCzSCB18Xff1j9941U-2BCc0m8fgjVC8-2BMkpC6VrtkMC7xoMnptpDYEjQMoNqf7euSvxk88YGM43nSlxzPfE5RhxQbQII-3D Build ID: 397396 Analysis Summary: New defects found: 0 Defects eliminated: 0 From pauli at openssl.org Sat Jul 17 07:53:12 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Sat, 17 Jul 2021 07:53:12 +0000 Subject: [openssl] master update Message-ID: <1626508392.241774.8001.nullmailer@dev.openssl.org> The branch master has been updated via 2cff17fdb8bfd46ac8d72208a6538d91217cd629 (commit) from c3c00c7acd040f8e410fffffb5808d2f1c3ac9b9 (commit) - Log ----------------------------------------------------------------- commit 2cff17fdb8bfd46ac8d72208a6538d91217cd629 Author: Matt Caswell Date: Wed Jul 14 15:36:12 2021 +0100 Fix signed/unsigned comparison warnings in sslapitest Fixes build failures if using enable-ktls in conjunction with --strict-warnings Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16090) ----------------------------------------------------------------------- Summary of changes: test/sslapitest.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/sslapitest.c b/test/sslapitest.c index 49f7ef639d..cc11eebc54 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -1436,7 +1436,7 @@ static int test_ktls(int test) struct ktls_test_cipher *cipher; int cis_ktls, sis_ktls; - OPENSSL_assert(test / 4 < NUM_KTLS_TEST_CIPHERS); + OPENSSL_assert(test / 4 < (int)NUM_KTLS_TEST_CIPHERS); cipher = &ktls_test_ciphers[test / 4]; cis_ktls = (test & 1) != 0; @@ -1450,7 +1450,7 @@ static int test_ktls_sendfile(int tst) { struct ktls_test_cipher *cipher; - OPENSSL_assert(tst < NUM_KTLS_TEST_CIPHERS); + OPENSSL_assert(tst < (int)NUM_KTLS_TEST_CIPHERS); cipher = &ktls_test_ciphers[tst]; return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher); From kaduk at mit.edu Sat Jul 17 16:05:11 2021 From: kaduk at mit.edu (kaduk at mit.edu) Date: Sat, 17 Jul 2021 16:05:11 +0000 Subject: [openssl] master update Message-ID: <1626537911.165754.25277.nullmailer@dev.openssl.org> The branch master has been updated via ca001524971ccd595bc0e9843611e6784adfc981 (commit) from 2cff17fdb8bfd46ac8d72208a6538d91217cd629 (commit) - Log ----------------------------------------------------------------- commit ca001524971ccd595bc0e9843611e6784adfc981 Author: Matt Caswell Date: Thu Jul 15 14:08:56 2021 +0100 Fix some minor record layer issues Various comments referred to s->packet and s->packet_length instead of s->rlayer.packet and s->rlayer.packet_length. Also fixed is a spot where RECORD_LAYER_write_pending() should have been used. Based on the review comments in #16077. Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/16086) ----------------------------------------------------------------------- Summary of changes: ssl/record/rec_layer_s3.c | 6 +++--- ssl/record/ssl3_record.c | 34 +++++++++++++++++----------------- ssl/ssl_lib.c | 2 +- 3 files changed, 21 insertions(+), 21 deletions(-) diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 28e02e642c..ea7b0cbfde 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -172,9 +172,9 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold, /* * If extend == 0, obtain new n-byte packet; if extend == 1, increase * packet by another n bytes. The packet will be in the sub-array of - * s->s3.rbuf.buf specified by s->packet and s->packet_length. (If - * s->rlayer.read_ahead is set, 'max' bytes may be stored in rbuf [plus - * s->packet_length bytes if extend == 1].) + * s->rlayer.rbuf.buf specified by s->rlayer.packet and + * s->rlayer.packet_length. (If s->rlayer.read_ahead is set, 'max' bytes may + * be stored in rbuf [plus s->rlayer.packet_length bytes if extend == 1].) * if clearold == 1, move the packet to the start of the buffer; if * clearold == 0 then leave any old packets where they were */ diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index 4275c19cff..30af6508a7 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -428,7 +428,7 @@ int ssl3_get_record(SSL *s) } if (more > 0) { - /* now s->packet_length == SSL3_RT_HEADER_LENGTH */ + /* now s->rlayer.packet_length == SSL3_RT_HEADER_LENGTH */ rret = ssl3_read_n(s, more, more, 1, 0, &n); if (rret <= 0) @@ -439,9 +439,9 @@ int ssl3_get_record(SSL *s) RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER); /* - * At this point, s->packet_length == SSL3_RT_HEADER_LENGTH - * + thisrr->length, or s->packet_length == SSL2_RT_HEADER_LENGTH - * + thisrr->length and we have that many bytes in s->packet + * At this point, s->rlayer.packet_length == SSL3_RT_HEADER_LENGTH + * + thisrr->length, or s->rlayer.packet_length == SSL2_RT_HEADER_LENGTH + * + thisrr->length and we have that many bytes in s->rlayer.packet */ if (thisrr->rec_version == SSL2_VERSION) { thisrr->input = @@ -452,11 +452,11 @@ int ssl3_get_record(SSL *s) } /* - * ok, we can now read from 's->packet' data into 'thisrr' thisrr->input - * points at thisrr->length bytes, which need to be copied into - * thisrr->data by either the decryption or by the decompression When - * the data is 'copied' into the thisrr->data buffer, thisrr->input will - * be pointed at the new buffer + * ok, we can now read from 's->rlayer.packet' data into 'thisrr'. + * thisrr->input points at thisrr->length bytes, which need to be copied + * into thisrr->data by either the decryption or by the decompression. + * When the data is 'copied' into the thisrr->data buffer, + * thisrr->input will be updated to point at the new buffer */ /* @@ -1512,16 +1512,16 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) sess = s->session; /* - * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, - * and we have that many bytes in s->packet + * At this point, s->rlayer.packet_length == SSL3_RT_HEADER_LNGTH + rr->length, + * and we have that many bytes in s->rlayer.packet */ rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]); /* - * ok, we can now read from 's->packet' data into 'rr' rr->input points - * at rr->length bytes, which need to be copied into rr->data by either - * the decryption or by the decompression When the data is 'copied' into - * the rr->data buffer, rr->input will be pointed at the new buffer + * ok, we can now read from 's->rlayer.packet' data into 'rr'. rr->input + * points at rr->length bytes, which need to be copied into rr->data by + * either the decryption or by the decompression. When the data is 'copied' + * into the rr->data buffer, rr->input will be pointed at the new buffer */ /* @@ -1807,7 +1807,7 @@ int dtls1_get_record(SSL *s) if (rr->length > RECORD_LAYER_get_packet_length(&s->rlayer) - DTLS1_RT_HEADER_LENGTH) { - /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */ + /* now s->rlayer.packet_length == DTLS1_RT_HEADER_LENGTH */ more = rr->length; rret = ssl3_read_n(s, more, more, 1, 1, &n); /* this packet contained a partial record, dump it */ @@ -1823,7 +1823,7 @@ int dtls1_get_record(SSL *s) } /* - * now n == rr->length, and s->packet_length == + * now n == rr->length, and s->rlayer.packet_length == * DTLS1_RT_HEADER_LENGTH + rr->length */ } diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 892a417d93..501977f02c 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2333,7 +2333,7 @@ int SSL_new_session_ticket(SSL *s) || !SSL_IS_TLS13(s)) return 0; s->ext.extra_tickets_expected++; - if (s->rlayer.wbuf[0].left == 0 && !SSL_in_init(s)) + if (!RECORD_LAYER_write_pending(&s->rlayer) && !SSL_in_init(s)) ossl_statem_set_in_init(s, 1); return 1; } From scan-admin at coverity.com Sun Jul 18 07:49:16 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 18 Jul 2021 07:49:16 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60f3dcfc4cc49_124db42adaec8c79a869225@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DIT2v_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeG-2FVYTakpST1FMw6kb9JYwoQ7YxE28Vyn7-2BpRaZuDzJ5lxTkcqStkr-2BFdppSjM-2FP7Wsxv7GMvjAnwNkH14AQDW41NR-2BNU-2Fda3dQPH29ULFAck3geTrUMVkvKkpMAyLmjlWDggT32UdM1YsdBPGwbF3kZoZ1rO9TLYs1JtgATs8VhV7DKanCN8MIRB-2Ba8maUhRw-3D Build ID: 397547 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Sun Jul 18 07:53:04 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 18 Jul 2021 07:53:04 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60f3dddfbd168_124ef32adaec8c79a869285@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DGMFE_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFypkfOaSm-2FTp-2BMfQz3T7XwWqLn09VWU4hdBVIJwL8U0qYEjUomSXuhrUgZYo4T8a08tk8I1lQ5BeQUuQvaRatCN8mKzt46JTlY4cB4lmA1kLVUWUcWe7Y11-2BtT8peCbEbTPq6nr5j4N2QPS89WkRkKdi0IOMAVvutMJhk-2BnmVaf3sHEojtiFYw-2FHWer0n6ULs-3D Build ID: 397548 Analysis Summary: New defects found: 0 Defects eliminated: 0 From pauli at openssl.org Mon Jul 19 03:09:10 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Mon, 19 Jul 2021 03:09:10 +0000 Subject: [openssl] master update Message-ID: <1626664150.172509.14029.nullmailer@dev.openssl.org> The branch master has been updated via d9c29baf1a23d2be17b9b4ab8f7b4fe43dd74454 (commit) from ca001524971ccd595bc0e9843611e6784adfc981 (commit) - Log ----------------------------------------------------------------- commit d9c29baf1a23d2be17b9b4ab8f7b4fe43dd74454 Author: Pauli Date: Sun Jul 18 00:47:09 2021 +1000 test: fix use after scope problem in ACVP test Repeat after me: thou shall not use an auto scope variable as a parameter that is used out of scope. Fixes GitHub CI #6305 Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16103) ----------------------------------------------------------------------- Summary of changes: test/acvp_test.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/test/acvp_test.c b/test/acvp_test.c index ce0ef66b8b..0e2d54dab6 100644 --- a/test/acvp_test.c +++ b/test/acvp_test.c @@ -1160,6 +1160,7 @@ static int rsa_siggen_test(int id) size_t sig_len = 0, n_len = 0, e_len = 0; OSSL_PARAM params[4], *p; const struct rsa_siggen_st *tst = &rsa_siggen_data[id]; + int salt_len = tst->pss_salt_len; TEST_note("RSA %s signature generation", tst->sig_pad_mode); @@ -1168,12 +1169,9 @@ static int rsa_siggen_test(int id) (char *)tst->sig_pad_mode, 0); *p++ = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, (char *)tst->digest_alg, 0); - if (tst->pss_salt_len >= 0) { - int salt_len = tst->pss_salt_len; - + if (salt_len >= 0) *p++ = OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, &salt_len); - } *p++ = OSSL_PARAM_construct_end(); if (!TEST_ptr(pkey = EVP_PKEY_Q_keygen(libctx, NULL, "RSA", tst->mod)) @@ -1204,6 +1202,7 @@ static int rsa_sigver_test(int id) BN_CTX *bn_ctx = NULL; OSSL_PARAM params[4], *p; const struct rsa_sigver_st *tst = &rsa_sigver_data[id]; + int salt_len = tst->pss_salt_len; TEST_note("RSA %s Signature Verify : expected to %s ", tst->sig_pad_mode, tst->pass == PASS ? "pass" : "fail"); @@ -1213,12 +1212,9 @@ static int rsa_sigver_test(int id) (char *)tst->sig_pad_mode, 0); *p++ = OSSL_PARAM_construct_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, (char *)tst->digest_alg, 0); - if (tst->pss_salt_len >= 0) { - int salt_len = tst->pss_salt_len; - + if (salt_len >= 0) *p++ = OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, &salt_len); - } *p++ = OSSL_PARAM_construct_end(); if (!TEST_ptr(bn_ctx = BN_CTX_new()) From scan-admin at coverity.com Mon Jul 19 07:50:04 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Mon, 19 Jul 2021 07:50:04 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60f52eabe6b0a_141ae22adb3a2399a8395da@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DLmWq_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeGUf1ZNnF6F7-2BV78MMO1LoTFp-2B5Pn0gOiRPiXZi-2FFNxVFrEjcyrh3RIWxC-2BwsOJdMvJWoAl3OZtWWiOTDrVeJXi1xGZVIekjxsfZ7q9DrHSEQKlaWJgGpVEzFm-2B7EDHF4-2B7fS-2BciiLDHdjEagcIzJpKu1-2BDyN4uxqIXxshuyaUF3IZMj9XdUMMqn41iQKeb5gU-3D Build ID: 397697 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Mon Jul 19 07:53:06 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Mon, 19 Jul 2021 07:53:06 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60f52f61a5c99_141bc92adb3a2399a83956b@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3Dgb54_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHNQB46BZcIJgHdHGHev2vIuJHHIgVFst1ZewIThsbFPJ886-2BbD2tgwXgQEC5V0YhASmcsf871-2BhwsGYGi5IoafGxFzYhpDFKowkGsHLtLXbmP7sn-2F4ZR6ACLEHEa9oVTEeCyh0DbZ8-2BirN-2F5UqdtANmw0xV4NZoXSFmUxTwg7CJ9ulii7U1a7CQIF0ewZuWCI-3D Build ID: 397698 Analysis Summary: New defects found: 0 Defects eliminated: 0 From tomas at openssl.org Mon Jul 19 08:31:08 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Mon, 19 Jul 2021 08:31:08 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1626683468.026862.4006.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via c9d782d72f573045d0c09e1685a1125df58ecb03 (commit) via 97664088f3b332cfd462e3d209983115ef88cfc9 (commit) from 657f3d030fce41600d3b9f8daf4cb98c8dc4ec3e (commit) - Log ----------------------------------------------------------------- commit c9d782d72f573045d0c09e1685a1125df58ecb03 Author: Matt Caswell Date: Tue Jul 13 17:44:44 2021 +0100 Disallow SSL_key_update() if there are writes pending If an application is halfway through writing application data it should not be allowed to attempt an SSL_key_update() operation. Instead the SSL_write() operation should be completed. Fixes #12485 Reviewed-by: Ben Kaduk Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16098) commit 97664088f3b332cfd462e3d209983115ef88cfc9 Author: Matt Caswell Date: Tue Jul 13 17:19:12 2021 +0100 Don't reset the packet pointer in ssl3_setup_read_buffer Sometimes this function gets called when the buffers have already been set up. If there is already a partial packet in the read buffer then the packet pointer will be set to an incorrect value. The packet pointer already gets reset to the correct value when we first read a packet anyway, so we don't also need to do it in ssl3_setup_read_buffer. Fixes #13729 Reviewed-by: Ben Kaduk Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16098) ----------------------------------------------------------------------- Summary of changes: ssl/record/ssl3_buffer.c | 1 - ssl/ssl_lib.c | 5 +++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c index 9b2a6964c6..c99f5bd249 100644 --- a/ssl/record/ssl3_buffer.c +++ b/ssl/record/ssl3_buffer.c @@ -74,7 +74,6 @@ int ssl3_setup_read_buffer(SSL *s) b->len = len; } - RECORD_LAYER_set_packet(&s->rlayer, &(b->buf[0])); return 1; } diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index e1c95ddc60..ffd0a0bc6d 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2119,6 +2119,11 @@ int SSL_key_update(SSL *s, int updatetype) return 0; } + if (RECORD_LAYER_write_pending(&s->rlayer)) { + SSLerr(SSL_F_SSL_KEY_UPDATE, SSL_R_BAD_WRITE_RETRY); + return 0; + } + ossl_statem_set_in_init(s, 1); s->key_update = updatetype; return 1; From pauli at openssl.org Tue Jul 20 00:15:38 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 20 Jul 2021 00:15:38 +0000 Subject: [openssl] master update Message-ID: <1626740138.090695.20550.nullmailer@dev.openssl.org> The branch master has been updated via b8ffcd8715cc9cf4626fe5b2ddaa5daf7b0957f2 (commit) via 9dbb4dac096729779c32751350810e610d3dfe0a (commit) via 73a3b967e915487565fe04c0e6530d8081e6c3a5 (commit) via d2f25d5c0aa5f96766ce1f49bedba35a5330cfdb (commit) from d9c29baf1a23d2be17b9b4ab8f7b4fe43dd74454 (commit) - Log ----------------------------------------------------------------- commit b8ffcd8715cc9cf4626fe5b2ddaa5daf7b0957f2 Author: Pauli Date: Mon Jul 19 13:17:02 2021 +1000 demos: update readme file with pbkdf2 and scrypt examples. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16109) commit 9dbb4dac096729779c32751350810e610d3dfe0a Author: Pauli Date: Mon Jul 19 13:00:38 2021 +1000 demos: add Makefile support for pbkdf2 and scrypt KDF demos Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16109) commit 73a3b967e915487565fe04c0e6530d8081e6c3a5 Author: Pauli Date: Mon Jul 19 13:00:23 2021 +1000 demo: add scrypt demonstration program Using test vector from RTC 7914 Fixes #14108 Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16109) commit d2f25d5c0aa5f96766ce1f49bedba35a5330cfdb Author: Pauli Date: Mon Jul 19 13:00:06 2021 +1000 demo: add pbkdf2 demonstration program Using test vector from RTC 7914 Fixes #14107 Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16109) ----------------------------------------------------------------------- Summary of changes: demos/README.txt | 2 + demos/kdf/Makefile | 6 ++- demos/kdf/{hkdf.c => pbkdf2.c} | 69 ++++++++++++++---------- demos/kdf/scrypt.c | 120 +++++++++++++++++++++++++++++++++++++++++ 4 files changed, 167 insertions(+), 30 deletions(-) copy demos/kdf/{hkdf.c => pbkdf2.c} (52%) create mode 100644 demos/kdf/scrypt.c diff --git a/demos/README.txt b/demos/README.txt index cdcbd02f94..8adfdb774d 100644 --- a/demos/README.txt +++ b/demos/README.txt @@ -20,6 +20,8 @@ EVP_f_md.c Compute a digest using BIO and EVP_f_md kdf: hkdf.c Demonstration of HMAC based key derivation +pbkdf2.c Demonstration of PBKDF2 password based key derivation +scrypt.c Demonstration of SCRYPT password based key derivation pkey: EVP_PKEY_EC_keygen.c Generate an EC key. diff --git a/demos/kdf/Makefile b/demos/kdf/Makefile index b561de43b7..0aa5113105 100644 --- a/demos/kdf/Makefile +++ b/demos/kdf/Makefile @@ -7,14 +7,16 @@ CFLAGS = -I../../include -g LDFLAGS = -L../.. LDLIBS = -lcrypto -all: hkdf +all: hkdf pbkdf2 scrypt %.o: %.c $(CC) $(CFLAGS) -c $< hkdf: hkdf.o +pbkdf2: pbkdf2.o +scrypt: scrypt.o test: ; clean: - $(RM) *.o hkdf + $(RM) *.o hkdf pbkdf2 scrypt diff --git a/demos/kdf/hkdf.c b/demos/kdf/pbkdf2.c similarity index 52% copy from demos/kdf/hkdf.c copy to demos/kdf/pbkdf2.c index cb7a170e94..3e0adaee79 100644 --- a/demos/kdf/hkdf.c +++ b/demos/kdf/pbkdf2.c @@ -16,29 +16,43 @@ /* * test vector from - * https://datatracker.ietf.org/doc/html/rfc5869 + * https://datatracker.ietf.org/doc/html/rfc7914 */ -static unsigned char hkdf_salt[] = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, - 0x0c +/* + * Hard coding a password into an application is very bad. + * It is done here solely for educational purposes. + */ +static unsigned char password[] = { + 'P', 'a', 's', 's', 'w', 'o', 'r', 'd' }; -static unsigned char hkdf_ikm[] = { - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b +/* + * The salt is better not being hard coded too. Each password should have a + * different salt if possible. The salt is not considered secret information + * and is safe to store with an encrypted password. + */ +static unsigned char pbkdf2_salt[] = { + 'N', 'a', 'C', 'l' }; + +/* + * The iteration parameter can be variable or hard coded. The disadvantage with + * hard coding them is that they cannot easily be adjusted for future + * technological improvements appear. + */ +static unsigned int pbkdf2_iterations = 80000; -static unsigned char hkdf_info[] = { - 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9 -}; +static const unsigned char expected_output[] = { -/* Expected output keying material */ -static unsigned char hkdf_okm[] = { - 0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a, 0x90, 0x43, 0x4f, 0x64, - 0xd0, 0x36, 0x2f, 0x2a, 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c, - 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf, 0x34, 0x00, 0x72, 0x08, - 0xd5, 0xb8, 0x87, 0x18, 0x58, 0x65 + 0x4d, 0xdc, 0xd8, 0xf6, 0x0b, 0x98, 0xbe, 0x21, + 0x83, 0x0c, 0xee, 0x5e, 0xf2, 0x27, 0x01, 0xf9, + 0x64, 0x1a, 0x44, 0x18, 0xd0, 0x4c, 0x04, 0x14, + 0xae, 0xff, 0x08, 0x87, 0x6b, 0x34, 0xab, 0x56, + 0xa1, 0xd4, 0x25, 0xa1, 0x22, 0x58, 0x33, 0x54, + 0x9a, 0xdb, 0x84, 0x1b, 0x51, 0xc9, 0xb3, 0x17, + 0x6a, 0x27, 0x2b, 0xde, 0xbb, 0xa1, 0xd0, 0x78, + 0x47, 0x8f, 0x62, 0xb3, 0x97, 0xf3, 0x3c, 0x8d }; int main(int argc, char **argv) @@ -46,7 +60,7 @@ int main(int argc, char **argv) int rv = 1; EVP_KDF *kdf = NULL; EVP_KDF_CTX *kctx = NULL; - unsigned char out[42]; + unsigned char out[64]; OSSL_PARAM params[5], *p = params; OSSL_LIB_CTX *library_context = NULL; @@ -57,7 +71,7 @@ int main(int argc, char **argv) } /* Fetch the key derivation function implementation */ - kdf = EVP_KDF_fetch(library_context, "HKDF", NULL); + kdf = EVP_KDF_fetch(library_context, "PBKDF2", NULL); if (kdf == NULL) { fprintf(stderr, "EVP_KDF_fetch() returned NULL\n"); goto end; @@ -70,18 +84,17 @@ int main(int argc, char **argv) goto end; } + /* Set password */ + *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD, password, + sizeof(password)); + /* Set salt */ + *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, pbkdf2_salt, + sizeof(pbkdf2_salt)); + /* Set iteration count (default 2048) */ + *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_ITER, &pbkdf2_iterations); /* Set the underlying hash function used to derive the key */ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, "SHA256", 0); - /* Set input keying material */ - *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, hkdf_ikm, - sizeof(hkdf_ikm)); - /* Set application specific information */ - *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO, hkdf_info, - sizeof(hkdf_info)); - /* Set salt */ - *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, hkdf_salt, - sizeof(hkdf_salt)); *p = OSSL_PARAM_construct_end(); /* Derive the key */ @@ -90,7 +103,7 @@ int main(int argc, char **argv) goto end; } - if (CRYPTO_memcmp(hkdf_okm, out, sizeof(hkdf_okm)) != 0) { + if (CRYPTO_memcmp(expected_output, out, sizeof(expected_output)) != 0) { fprintf(stderr, "Generated key does not match expected value\n"); goto end; } diff --git a/demos/kdf/scrypt.c b/demos/kdf/scrypt.c new file mode 100644 index 0000000000..2be9908800 --- /dev/null +++ b/demos/kdf/scrypt.c @@ -0,0 +1,120 @@ +/* + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include +#include + +/* + * test vector from + * https://datatracker.ietf.org/doc/html/rfc7914 + */ + +/* + * Hard coding a password into an application is very bad. + * It is done here solely for educational purposes. + */ +static unsigned char password[] = { + 'p', 'a', 's', 's', 'w', 'o', 'r', 'd' +}; + +/* + * The salt is better not being hard coded too. Each password should have a + * different salt if possible. The salt is not considered secret information + * and is safe to store with an encrypted password. + */ +static unsigned char scrypt_salt[] = { + 'N', 'a', 'C', 'l' +}; + +/* + * The SCRYPT parameters can be variable or hard coded. The disadvantage with + * hard coding them is that they cannot easily be adjusted for future + * technological improvements appear. + */ +static unsigned int scrypt_n = 1024; +static unsigned int scrypt_r = 8; +static unsigned int scrypt_p = 16; + +static const unsigned char expected_output[] = { + + 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00, + 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe, + 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30, + 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62, + 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88, + 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda, + 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d, + 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40 +}; + +int main(int argc, char **argv) +{ + int rv = 1; + EVP_KDF *kdf = NULL; + EVP_KDF_CTX *kctx = NULL; + unsigned char out[64]; + OSSL_PARAM params[6], *p = params; + OSSL_LIB_CTX *library_context = NULL; + + library_context = OSSL_LIB_CTX_new(); + if (library_context == NULL) { + fprintf(stderr, "OSSL_LIB_CTX_new() returned NULL\n"); + goto end; + } + + /* Fetch the key derivation function implementation */ + kdf = EVP_KDF_fetch(library_context, "SCRYPT", NULL); + if (kdf == NULL) { + fprintf(stderr, "EVP_KDF_fetch() returned NULL\n"); + goto end; + } + + /* Create a context for the key derivation operation */ + kctx = EVP_KDF_CTX_new(kdf); + if (kctx == NULL) { + fprintf(stderr, "EVP_KDF_CTX_new() returned NULL\n"); + goto end; + } + + /* Set password */ + *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD, password, + sizeof(password)); + /* Set salt */ + *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, scrypt_salt, + sizeof(scrypt_salt)); + /* Set N (default 1048576) */ + *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_N, &scrypt_n); + /* Set R (default 8) */ + *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_R, &scrypt_r); + /* Set P (default 1) */ + *p++ = OSSL_PARAM_construct_uint(OSSL_KDF_PARAM_SCRYPT_P, &scrypt_p); + *p = OSSL_PARAM_construct_end(); + + /* Derive the key */ + if (EVP_KDF_derive(kctx, out, sizeof(out), params) != 1) { + fprintf(stderr, "EVP_KDF_derive() failed\n"); + goto end; + } + + if (CRYPTO_memcmp(expected_output, out, sizeof(expected_output)) != 0) { + fprintf(stderr, "Generated key does not match expected value\n"); + goto end; + } + + rv = 0; +end: + EVP_KDF_CTX_free(kctx); + EVP_KDF_free(kdf); + OSSL_LIB_CTX_free(library_context); + return rv; +} From pauli at openssl.org Tue Jul 20 00:19:28 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 20 Jul 2021 00:19:28 +0000 Subject: [openssl] master update Message-ID: <1626740368.590571.23805.nullmailer@dev.openssl.org> The branch master has been updated via 718d55f43fb9c076c88ea1be4abe86b0f46a10d2 (commit) from b8ffcd8715cc9cf4626fe5b2ddaa5daf7b0957f2 (commit) - Log ----------------------------------------------------------------- commit 718d55f43fb9c076c88ea1be4abe86b0f46a10d2 Author: Petr Gotthard Date: Sun Jul 18 14:19:11 2021 +0200 doc: fix OPENSSL_VERSION_NUMBER length in the synopsis The number has 8 digits (not 9). It is a single integer `0xMNN00PP0L`. Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16106) ----------------------------------------------------------------------- Summary of changes: doc/man3/OpenSSL_version.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man3/OpenSSL_version.pod b/doc/man3/OpenSSL_version.pod index 120a936f83..034bd718fe 100644 --- a/doc/man3/OpenSSL_version.pod +++ b/doc/man3/OpenSSL_version.pod @@ -41,7 +41,7 @@ OpenSSL_version_num, OPENSSL_info Deprecated: /* from openssl/opensslv.h */ - #define OPENSSL_VERSION_NUMBER 0xnnnnnnnnnL + #define OPENSSL_VERSION_NUMBER 0xnnnnnnnnL /* from openssl/crypto.h */ unsigned long OpenSSL_version_num(); From pauli at openssl.org Tue Jul 20 04:16:18 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 20 Jul 2021 04:16:18 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1626754578.299483.2439.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via c5b2c075feea9ae3810cc0493bbdf962d3257329 (commit) from c9d782d72f573045d0c09e1685a1125df58ecb03 (commit) - Log ----------------------------------------------------------------- commit c5b2c075feea9ae3810cc0493bbdf962d3257329 Author: Matt Caswell Date: Thu Jul 15 14:08:56 2021 +0100 Fix some minor record layer issues Various comments referred to s->packet and s->packet_length instead of s->rlayer.packet and s->rlayer.packet_length. Also fixed is a spot where RECORD_LAYER_write_pending() should have been used. Based on the review comments in #16077. Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (cherry picked from commit ca001524971ccd595bc0e9843611e6784adfc981) Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16105) ----------------------------------------------------------------------- Summary of changes: ssl/record/rec_layer_s3.c | 6 +++--- ssl/record/ssl3_record.c | 34 +++++++++++++++++----------------- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index b2a7a47eb0..393088f50f 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -172,9 +172,9 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold, /* * If extend == 0, obtain new n-byte packet; if extend == 1, increase * packet by another n bytes. The packet will be in the sub-array of - * s->s3->rbuf.buf specified by s->packet and s->packet_length. (If - * s->rlayer.read_ahead is set, 'max' bytes may be stored in rbuf [plus - * s->packet_length bytes if extend == 1].) + * s->rlayer.rbuf.buf specified by s->rlayer.packet and + * s->rlayer.packet_length. (If s->rlayer.read_ahead is set, 'max' bytes may + * be stored in rbuf [plus s->rlayer.packet_length bytes if extend == 1].) * if clearold == 1, move the packet to the start of the buffer; if * clearold == 0 then leave any old packets where they were */ diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index ab5d22aa10..a5ef3b9e1c 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -405,7 +405,7 @@ int ssl3_get_record(SSL *s) more = thisrr->length; } if (more > 0) { - /* now s->packet_length == SSL3_RT_HEADER_LENGTH */ + /* now s->rlayer.packet_length == SSL3_RT_HEADER_LENGTH */ rret = ssl3_read_n(s, more, more, 1, 0, &n); if (rret <= 0) @@ -416,9 +416,9 @@ int ssl3_get_record(SSL *s) RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER); /* - * At this point, s->packet_length == SSL3_RT_HEADER_LENGTH - * + thisrr->length, or s->packet_length == SSL2_RT_HEADER_LENGTH - * + thisrr->length and we have that many bytes in s->packet + * At this point, s->rlayer.packet_length == SSL3_RT_HEADER_LENGTH + * + thisrr->length, or s->rlayer.packet_length == SSL2_RT_HEADER_LENGTH + * + thisrr->length and we have that many bytes in s->rlayer.packet */ if (thisrr->rec_version == SSL2_VERSION) { thisrr->input = @@ -429,11 +429,11 @@ int ssl3_get_record(SSL *s) } /* - * ok, we can now read from 's->packet' data into 'thisrr' thisrr->input - * points at thisrr->length bytes, which need to be copied into - * thisrr->data by either the decryption or by the decompression When - * the data is 'copied' into the thisrr->data buffer, thisrr->input will - * be pointed at the new buffer + * ok, we can now read from 's->rlayer.packet' data into 'thisrr'. + * thisrr->input points at thisrr->length bytes, which need to be copied + * into thisrr->data by either the decryption or by the decompression. + * When the data is 'copied' into the thisrr->data buffer, + * thisrr->input will be updated to point at the new buffer */ /* @@ -1616,16 +1616,16 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap) sess = s->session; /* - * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, - * and we have that many bytes in s->packet + * At this point, s->rlayer.packet_length == SSL3_RT_HEADER_LNGTH + rr->length, + * and we have that many bytes in s->rlayer.packet */ rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[DTLS1_RT_HEADER_LENGTH]); /* - * ok, we can now read from 's->packet' data into 'rr' rr->input points - * at rr->length bytes, which need to be copied into rr->data by either - * the decryption or by the decompression When the data is 'copied' into - * the rr->data buffer, rr->input will be pointed at the new buffer + * ok, we can now read from 's->rlayer.packet' data into 'rr'. rr->input + * points at rr->length bytes, which need to be copied into rr->data by + * either the decryption or by the decompression. When the data is 'copied' + * into the rr->data buffer, rr->input will be pointed at the new buffer */ /* @@ -1947,7 +1947,7 @@ int dtls1_get_record(SSL *s) if (rr->length > RECORD_LAYER_get_packet_length(&s->rlayer) - DTLS1_RT_HEADER_LENGTH) { - /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */ + /* now s->rlayer.packet_length == DTLS1_RT_HEADER_LENGTH */ more = rr->length; rret = ssl3_read_n(s, more, more, 1, 1, &n); /* this packet contained a partial record, dump it */ @@ -1963,7 +1963,7 @@ int dtls1_get_record(SSL *s) } /* - * now n == rr->length, and s->packet_length == + * now n == rr->length, and s->rlayer.packet_length == * DTLS1_RT_HEADER_LENGTH + rr->length */ } From tomas at openssl.org Tue Jul 20 07:41:19 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Tue, 20 Jul 2021 07:41:19 +0000 Subject: [openssl] master update Message-ID: <1626766879.133721.23058.nullmailer@dev.openssl.org> The branch master has been updated via c5dc9ab965f2a69bca964c709e648158f3e4cd67 (commit) from 718d55f43fb9c076c88ea1be4abe86b0f46a10d2 (commit) - Log ----------------------------------------------------------------- commit c5dc9ab965f2a69bca964c709e648158f3e4cd67 Author: Ingo Schwarze Date: Sun Jul 18 17:48:06 2021 +0200 Fix a read buffer overrun in X509_aux_print(). The ASN1_STRING_get0_data(3) manual explitely cautions the reader that the data is not necessarily NUL-terminated, and the function X509_alias_set1(3) does not sanitize the data passed into it in any way either, so we must assume the return value from X509_alias_get0(3) is merely a byte array and not necessarily a string in the sense of the C language. I found this bug while writing manual pages for X509_print_ex(3) and related functions. Theo Buehler checked my patch to fix the same bug in LibreSSL, see http://cvsweb.openbsd.org/src/lib/libcrypto/asn1/t_x509a.c#rev1.9 As an aside, note that the function still produces incomplete and misleading results when the data contains a NUL byte in the middle and that error handling is consistently absent throughout, even though the function provides an "int" return value obviously intended to be 1 for success and 0 for failure, and even though this function is called by another function that also wants to return 1 for success and 0 for failure and even does so in many of its code paths, though not in others. But let's stay focussed. Many things would be nice to have in the wide wild world, but a buffer overflow must not be allowed to remain in our backyard. CLA: trivial Reviewed-by: Tim Hudson Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16108) ----------------------------------------------------------------------- Summary of changes: crypto/x509/t_x509.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c index 69b04e74eb..95ee5f519f 100644 --- a/crypto/x509/t_x509.c +++ b/crypto/x509/t_x509.c @@ -380,9 +380,9 @@ int X509_aux_print(BIO *out, X509 *x, int indent) BIO_puts(out, "\n"); } else BIO_printf(out, "%*sNo Rejected Uses.\n", indent, ""); - alias = X509_alias_get0(x, NULL); + alias = X509_alias_get0(x, &i); if (alias) - BIO_printf(out, "%*sAlias: %s\n", indent, "", alias); + BIO_printf(out, "%*sAlias: %.*s\n", indent, "", i, alias); keyid = X509_keyid_get0(x, &keyidlen); if (keyid) { BIO_printf(out, "%*sKey Id: ", indent, ""); From tomas at openssl.org Tue Jul 20 07:42:00 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Tue, 20 Jul 2021 07:42:00 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1626766920.605198.24446.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via d9d838ddc0ed083fb4c26dd067e71aad7c65ad16 (commit) from c5b2c075feea9ae3810cc0493bbdf962d3257329 (commit) - Log ----------------------------------------------------------------- commit d9d838ddc0ed083fb4c26dd067e71aad7c65ad16 Author: Ingo Schwarze Date: Sun Jul 18 17:48:06 2021 +0200 Fix a read buffer overrun in X509_aux_print(). The ASN1_STRING_get0_data(3) manual explitely cautions the reader that the data is not necessarily NUL-terminated, and the function X509_alias_set1(3) does not sanitize the data passed into it in any way either, so we must assume the return value from X509_alias_get0(3) is merely a byte array and not necessarily a string in the sense of the C language. I found this bug while writing manual pages for X509_print_ex(3) and related functions. Theo Buehler checked my patch to fix the same bug in LibreSSL, see http://cvsweb.openbsd.org/src/lib/libcrypto/asn1/t_x509a.c#rev1.9 As an aside, note that the function still produces incomplete and misleading results when the data contains a NUL byte in the middle and that error handling is consistently absent throughout, even though the function provides an "int" return value obviously intended to be 1 for success and 0 for failure, and even though this function is called by another function that also wants to return 1 for success and 0 for failure and even does so in many of its code paths, though not in others. But let's stay focussed. Many things would be nice to have in the wide wild world, but a buffer overflow must not be allowed to remain in our backyard. CLA: trivial Reviewed-by: Tim Hudson Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16108) (cherry picked from commit c5dc9ab965f2a69bca964c709e648158f3e4cd67) ----------------------------------------------------------------------- Summary of changes: crypto/x509/t_x509.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c index 12d807f705..3ba0b3a045 100644 --- a/crypto/x509/t_x509.c +++ b/crypto/x509/t_x509.c @@ -365,9 +365,9 @@ int X509_aux_print(BIO *out, X509 *x, int indent) BIO_puts(out, "\n"); } else BIO_printf(out, "%*sNo Rejected Uses.\n", indent, ""); - alias = X509_alias_get0(x, NULL); + alias = X509_alias_get0(x, &i); if (alias) - BIO_printf(out, "%*sAlias: %s\n", indent, "", alias); + BIO_printf(out, "%*sAlias: %.*s\n", indent, "", i, alias); keyid = X509_keyid_get0(x, &keyidlen); if (keyid) { BIO_printf(out, "%*sKey Id: ", indent, ""); From scan-admin at coverity.com Tue Jul 20 07:49:38 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Tue, 20 Jul 2021 07:49:38 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60f68011e339b_15ee9f2b04dfa5d9a8670d8@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DUQJ6_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFwlLkUP0Aso4dhBXMf6QuoJMJglLOX26pJWYk6dn4PwmD0i4kjp7BRgeQ4VfJEVYeuoe-2FptQ3eyeFAL37AL8y0OisTltDXwajpvOki3USlSqcrJWVX2AeDryJ0tPFSqFDibIhPe7scC4DSCBuUxMdvPauCPj4iXFR-2FGbUaeovli3BiAbpxAgFZ-2BH-2BtjMSbGXU-3D Build ID: 397859 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Tue Jul 20 07:52:30 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Tue, 20 Jul 2021 07:52:30 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60f680bdb4aaf_15ef872b04dfa5d9a8670c2@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3Dh3SZ_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeEX6xFw4hqgWFbfAIsNECxyncObDarN5zh2mx-2Bg-2BJ1I6sgk29CMVnf6soN7WM-2FocY9I9txOBnLWVpFVCT2L1inxvSm5Eqyvf-2Bi7Bz80U5CeaCGQzNPWKBBll0LGxdfThXqmJ7-2BJklTLAOYMvMsfa-2BGbF4TcYngeo8xNNlJz1tgik6B7Od4fdg4d1SlQMQeqtig-3D Build ID: 397860 Analysis Summary: New defects found: 0 Defects eliminated: 0 From pauli at openssl.org Tue Jul 20 08:35:19 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 20 Jul 2021 08:35:19 +0000 Subject: [openssl] master update Message-ID: <1626770119.103716.27884.nullmailer@dev.openssl.org> The branch master has been updated via fd76ee47b951657cf1366fd6297bb3a85aecb169 (commit) via 9989a746ebc70ff1b842fd3d837aa5c0e823f26d (commit) via 4e6fa8014f397d33ee87cab20b791648f76ffe1e (commit) via 00f5f3cd0097544540af5b6213ed7d82bc63590f (commit) from c5dc9ab965f2a69bca964c709e648158f3e4cd67 (commit) - Log ----------------------------------------------------------------- commit fd76ee47b951657cf1366fd6297bb3a85aecb169 Author: Pauli Date: Fri Jul 16 11:58:46 2021 +1000 test: include all DRBG tests in FIPS mode Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16096) commit 9989a746ebc70ff1b842fd3d837aa5c0e823f26d Author: Pauli Date: Fri Jul 16 11:54:14 2021 +1000 docs: update CTR DRBG documentation to not mention the lack of a derivation function in FIPS Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16096) commit 4e6fa8014f397d33ee87cab20b791648f76ffe1e Author: Pauli Date: Fri Jul 16 11:52:30 2021 +1000 err: remove the derivation function is mandatory for FIPS error message since it's no longer used and newly introduced Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16096) commit 00f5f3cd0097544540af5b6213ed7d82bc63590f Author: Pauli Date: Fri Jul 16 11:38:23 2021 +1000 drbg: allow the ctr derivation function to be disabled in FIPS mode Word from the lab is: The use of the derivation function is optional if either an approved RBG or an entropy source provides full entropy output when entropy input is requested by the DRBG mechanism. Otherwise, the derivation function shall be used. So our disallowing it's use was more than required. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16096) ----------------------------------------------------------------------- Summary of changes: crypto/err/openssl.txt | 2 - crypto/rand/rand_err.c | 2 - doc/man7/EVP_RAND-CTR-DRBG.pod | 3 +- include/openssl/randerr.h | 1 - providers/implementations/rands/drbg_ctr.c | 14 --- test/recipes/30-test_evp_data/evprand.txt | 144 ----------------------------- 6 files changed, 1 insertion(+), 165 deletions(-) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 05005a8eaf..da3fee84d1 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1084,8 +1084,6 @@ RAND_R_ADDITIONAL_INPUT_TOO_LONG:102:additional input too long RAND_R_ALREADY_INSTANTIATED:103:already instantiated RAND_R_ARGUMENT_OUT_OF_RANGE:105:argument out of range RAND_R_CANNOT_OPEN_FILE:121:Cannot open file -RAND_R_DERIVATION_FUNCTION_MANDATORY_FOR_FIPS:137:\ - derivation function mandatory for fips RAND_R_DRBG_ALREADY_INITIALIZED:129:drbg already initialized RAND_R_DRBG_NOT_INITIALISED:104:drbg not initialised RAND_R_ENTROPY_INPUT_TOO_LONG:106:entropy input too long diff --git a/crypto/rand/rand_err.c b/crypto/rand/rand_err.c index f01773d871..b9c2bf1760 100644 --- a/crypto/rand/rand_err.c +++ b/crypto/rand/rand_err.c @@ -22,8 +22,6 @@ static const ERR_STRING_DATA RAND_str_reasons[] = { {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_ARGUMENT_OUT_OF_RANGE), "argument out of range"}, {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_CANNOT_OPEN_FILE), "Cannot open file"}, - {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_DERIVATION_FUNCTION_MANDATORY_FOR_FIPS), - "derivation function mandatory for fips"}, {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_DRBG_ALREADY_INITIALIZED), "drbg already initialized"}, {ERR_PACK(ERR_LIB_RAND, 0, RAND_R_DRBG_NOT_INITIALISED), diff --git a/doc/man7/EVP_RAND-CTR-DRBG.pod b/doc/man7/EVP_RAND-CTR-DRBG.pod index 57e53c314b..1012494250 100644 --- a/doc/man7/EVP_RAND-CTR-DRBG.pod +++ b/doc/man7/EVP_RAND-CTR-DRBG.pod @@ -54,8 +54,7 @@ These parameters work as described in L. This Boolean indicates if a derivation function should be used or not. A nonzero value (the default) uses the derivation function. A zero value -does not. The FIPS provider always uses the derivation function and attempts -to set this value result in an error. +does not. =back diff --git a/include/openssl/randerr.h b/include/openssl/randerr.h index 3756ad17a8..b5e08e4362 100644 --- a/include/openssl/randerr.h +++ b/include/openssl/randerr.h @@ -25,7 +25,6 @@ # define RAND_R_ALREADY_INSTANTIATED 103 # define RAND_R_ARGUMENT_OUT_OF_RANGE 105 # define RAND_R_CANNOT_OPEN_FILE 121 -# define RAND_R_DERIVATION_FUNCTION_MANDATORY_FOR_FIPS 137 # define RAND_R_DRBG_ALREADY_INITIALIZED 129 # define RAND_R_DRBG_NOT_INITIALISED 104 # define RAND_R_ENTROPY_INPUT_TOO_LONG 106 diff --git a/providers/implementations/rands/drbg_ctr.c b/providers/implementations/rands/drbg_ctr.c index 458feca6a5..dbe57b0d28 100644 --- a/providers/implementations/rands/drbg_ctr.c +++ b/providers/implementations/rands/drbg_ctr.c @@ -496,13 +496,6 @@ static int drbg_ctr_init_lengths(PROV_DRBG *drbg) PROV_DRBG_CTR *ctr = (PROV_DRBG_CTR *)drbg->data; int res = 1; -#ifdef FIPS_MODULE - if (!ctr->use_df) { - ERR_raise(ERR_LIB_PROV, RAND_R_DERIVATION_FUNCTION_MANDATORY_FOR_FIPS); - ctr->use_df = 1; - res = 0; - } -#endif /* Maximum number of bits per request = 2^19 = 2^16 bytes */ drbg->max_request = 1 << 16; if (ctr->use_df) { @@ -730,14 +723,7 @@ static const OSSL_PARAM *drbg_ctr_settable_ctx_params(ossl_unused void *vctx, static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_PROPERTIES, NULL, 0), OSSL_PARAM_utf8_string(OSSL_DRBG_PARAM_CIPHER, NULL, 0), -#ifndef FIPS_MODULE - /* - * Don't advertise this for FIPS, it isn't allowed to change. - * The parameter can still be passed and will be processed but errors - * out. - */ OSSL_PARAM_int(OSSL_DRBG_PARAM_USE_DF, NULL), -#endif OSSL_PARAM_DRBG_SETTABLE_CTX_COMMON, OSSL_PARAM_END }; diff --git a/test/recipes/30-test_evp_data/evprand.txt b/test/recipes/30-test_evp_data/evprand.txt index 3d31762617..8cb70247a0 100644 --- a/test/recipes/30-test_evp_data/evprand.txt +++ b/test/recipes/30-test_evp_data/evprand.txt @@ -3561,7 +3561,6 @@ AdditionalInputA.14 = 84922c0335a0ead609e5a92cfc4a225bd3c7c01ab4580b786338e1caa3 AdditionalInputB.14 = 34b034ca643bbfd2fcc57c9b53e0f9b3fd6a73454f1823dfe7b7076ec73fd956 Output.14 = 6caa4475189ee00ddc54910f8723b0e5b8d3d0c321ce7f2ac7194d134a0a31d96b102dd58e092e08f8a008f05c4f2afb2901c6e29549d3a720aa2b1d1f461bb9 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -3597,7 +3596,6 @@ Output.13 = e2b531ea43c513a1564fa65e9a68d43c875137773102941d0ef544c84e3689b82eac Entropy.14 = 727c0ac75a99bb1a318e4fe2fe0f2e312b3b61d82b2e5071acfb4a36bc8258c1 Output.14 = f595ee1af437fe1bed8d451088b788f1cd599f2b0c47feac1fb5c6efbf7a14a8ab0ea11a3569a3c23b2a9702b415bda355c15afd275c0d67b38bcfb54ab13f70 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -3663,7 +3661,6 @@ AdditionalInputA.14 = 170a92d093d30f939b3eac628a18bab5faf86b3a5d91f30cfd0beafdec AdditionalInputB.14 = fd0349af015037cdbb52983155c89fc59f37d512543559c3ee6589f7b93861f6 Output.14 = 0273a1317f3dd36877a505ca2e440445094d3c702c4ff5f4a07daa3f810d8d7a4f4b9c54dce169a1307fbdc5d197e6a3edc3ea737bedc1c9857aa0e9f87943e2 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -3714,7 +3711,6 @@ Entropy.14 = 22d1d8c8bde76a239d032804717face16d77b51170d0f53ccbcca4eaff4fb315 PersonalisationString.14 = 5d3a7d40fdf95b98454bca03c6fcbf6abf3807de75171b55bab2db5a3f5f12f2 Output.14 = 1007e11f48e3c4813fddd67310db56d67a49fe93e45e61b37ba81485df6a62ee57ca41fa1d987f467c2939790a20421c2b4f70b28fb0b90bbeab1ac0ae884f1a -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -3795,7 +3791,6 @@ AdditionalInputA.14 = 1eed7463c004c94b600245f4967af955919d0f325a2baf2e9c5f6e1504 AdditionalInputB.14 = 6eace0fdabf1bc84d08eaa4afcbebd502f1d83847d2e86a1e68147b3b15a76cf Output.14 = da59c09259ecc1d61e05d3198f349904df1468ffaf85f5d6cc57489e2785e54e710413674bd2ac41896ce9010d9588446e7540b35519c4689a5818ace7dbe0a8 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -3831,7 +3826,6 @@ Output.13 = 78b32d396f5a919f5ccb9be2afaf5f6212d75bf084e99357e28ccc98d433696455b1 Entropy.14 = 42cb183d2a04c89c69efbcec08bee2003b9a1cd56878a774f0162bf70f2c708f Output.14 = cb4afdec033b42949ebbb27245fd33c1503c1278027e11a1f050e04080abe4850821b71ed5a6bd83da6bde8e56c5faed49da26887028bab807d1ad055e2a8a27 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -3897,7 +3891,6 @@ AdditionalInputA.14 = eb2888119b0020cff3ac53cbb81d8576457a863fb087f91c795c297f68 AdditionalInputB.14 = ad80f4ecff758da0a5beed20a9d851fcca2ad4ea0d54af619470e3cf3033a04a Output.14 = e2105e60f2f2fceb27c882caebb0c1eca543c359947c4319c503efa82ed5cb63640f627c82217260f0203220435c842d7993623a2b05e26e1ed1d03f68ab3cb1 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -3948,7 +3941,6 @@ Entropy.14 = 3acd2c23bbae4d02cc9e4bb548e264f43e35764b446595bfe1e45165d42c770a PersonalisationString.14 = afb8203d4f7900c35d7bb454a83c5f2667ab506a68b710011c0be67055dfc3eb Output.14 = 02664c0570c4d3c468d16cc7c8b99da7a7f1752249e30f2833b1b7cd32a4df3c23454621d79119a9aaccc52d3f9055dbde98e773c26d4dace09ce9be1f1f61b2 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -4029,7 +4021,6 @@ AdditionalInputA.14 = f57cf314188b397797caa30733cdabd5ab2a90562cab9be5f812bbd482 AdditionalInputB.14 = 93839acaa271af55ec6c8464ac2ba8bc1c61584008b5d908b200d8048edc0562 Output.14 = 38a3dd584a68bd037c5d5be4a103083e1d4bbd8a845ac1832e4c545e942bb5232ccec9df2abaaf0870d1f75d3bf85aa9323b5eedc26a73ade2ddade69fcaf6d4 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -4065,7 +4056,6 @@ Output.13 = e6e345a50ced3cc68ae24ed9ad8cdb482815284e66f9b0151fdd75d13c9758663c4d Entropy.14 = ab875886827197b784b137726f1f5862c016e2c8780452fe98f4eeb68f71aca5 Output.14 = b6634452661b019afbf2e9b6e20b8be7d9cab739383de8636404c275dc495f54fbf23205dbf843afebbc4e88c6ee126f729cc407ccbbe792e3319230f23023d1 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -4131,7 +4121,6 @@ AdditionalInputA.14 = dacdc1a5c9b4215da6b1520c227724ffc888945a3cf1db2d2ff5c48266 AdditionalInputB.14 = f291eac0295f5e0936542010df7ca9c417cd78f7a109655e9050fd502ad91d4c Output.14 = 70b881acd434f90da8788bfe77226132c8a3f2544293b0ef7408559575ff0e52a17aff11b9601a4765e2ab0cc90f19f69fb4485554ec0b17ceabde960a56655d -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -4182,7 +4171,6 @@ Entropy.14 = 0c4564ba254455b6557aec1cfee2b2b726d2c4f45379267f0e27d11c6f1edc7f PersonalisationString.14 = 46aefb024c6acdc9297d5019109310de558f6afcca730c8414c54f4e574fab1e Output.14 = c94894d56985d73ac516c1249cea3d8e79b67dcdb2bf24b830d52f9e1fbdd8bdb37a546c4ffe13186ceb0a230a14ee1be0e409eb19eef018e54f79c3ddd4fbd4 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -4263,7 +4251,6 @@ AdditionalInputA.14 = 959a1aed8c1b0af637b8c0d0dfd600b0d5dcbcac12bc8cb160a2a0ee7f AdditionalInputB.14 = fdbb472c9f368a44f92bab4bd993c7f39d4e61c6503f69c205191d86bc1b2944 Output.14 = fa2f2a566b99ae810b2b95092da67bb16fa185013ad0c83a845b48cf4fa55f7017ed944d08b57d6813700fb60a30a2a2f976f8b9761516ef137e3e3a078312f9 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -4299,7 +4286,6 @@ Output.13 = 9ab8f2730cd5039a1c78f837ccaf7747b27ca425b07728933e61bc39b5c09fd63a0f Entropy.14 = 397427acb3683af13636a70fa2d9ff5b6d032f9fc6197d62ce1027517cb66268 Output.14 = 2c6b5c5682187740fb566ca60644052b2e0bc3285a399e8127ae53fafa3d5286680416772e552a2cbce4a523f26e7e7e45827a291b61a8b6fc7836e3a14e694a -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -4365,7 +4351,6 @@ AdditionalInputA.14 = 534589895777f502aa3712aeed8013d343a824584774d92f9b0668201d AdditionalInputB.14 = a97742c1e0c816626e67ebc81ba3987378499b75212b194bb56a6746029866b0 Output.14 = 8057f97b49700edc8ebf7bbc798e6eae639a443e4c8e935cd06ebf9e9bdb803cd3121a0602b32f088e7906abaa68b28b942e84bb09d13d565490d20295c520a6 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -4416,7 +4401,6 @@ Entropy.14 = 315bbe530ecfa44eb27250f6d20f4b6c648e42c61f6faed6fe483f26f6f8427f PersonalisationString.14 = efa10fa5bc1e445c031620ebb37e7552c2dfa08307dfe53c1b8e74ec55050356 Output.14 = c592d9e7b67415d09dfc46d3039b3afc1ce66afa98e8793437cfcb5ab3a122c636f0a84edc04099d3819d7fa30d196880d9199de17f7170de725f3650ef34b19 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -4497,7 +4481,6 @@ AdditionalInputA.14 = 36551ef09232d2199547aaefecaaad217443d616433d9d169bd8cd3eae AdditionalInputB.14 = 9e57a4e96ace483dbc3c226d2723c9258063278140d220c4fd023c77fb20b84c Output.14 = ca43dcecdab689549bc4493a38a6a017f6048270e5d70d0d7576a2ab764d922bc346e30f42dc5a73ea6a210d2eba9bee5b5afe3c66867a68ab3fe0d08f511101 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -4533,7 +4516,6 @@ Output.13 = 20d734ab5611a39d6ccaf8941d254804c36ba8bf206bf10d82f721ba9548b9f7cc10 Entropy.14 = 8dc5a9e8e9458f841dae788d24bb5fb192ef1ffaccd991f89f2b5d3ba57c1471612496c7d9cdd174 Output.14 = fd74a7b15c9af2ea140a2d0e353c3387b389144dda5779c69f299917dfb19de6ad60dd440c14c010ca161436243bf9d33a6649339a3543b8e71789621da7ab7b -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -4599,7 +4581,6 @@ AdditionalInputA.14 = 79b75fe104f0d7c86bbe311585198f82350a13c4a7e450cfb86e440c00 AdditionalInputB.14 = 6f20134564e79c7eb530727f5b649996c89d7bd54ebac095c19a162348fce468782f0324f2138c84 Output.14 = d00f784a9613677023d27a4350efc4cc28f95a3928c4c8da67063ee59de5d2da13a3090f580e61fff1af27a8f4ba9418e07d856a996e836a89062064bac7a9cc -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -4650,7 +4631,6 @@ Entropy.14 = 0ac627692b28d31e347179c8ee9e508e2b3ffbedae4009414b3b72e76a3739f0292 PersonalisationString.14 = 946fb7e5c3cbf3d198f19135b1a71a241ee892ac5a0316f57eae7076a4d99bf0e77fe23e81258cca Output.14 = 00007f407f75335a351d31d2754366f8f220ef2f9688a87e9d6aac59fa9f36be824b9bc7409ea991d3e0a7c411854b3701c84abdd7a696406dd13331e2785455 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -4731,7 +4711,6 @@ AdditionalInputA.14 = 1564d70c91a7f72151a4483b9eba35b52c196656ff96875d7c59c6d116 AdditionalInputB.14 = c2731fd38e65f8e724378ad4e01359512cb473dd9854fc2303e61c2d197caad69b12fde14aed66b6 Output.14 = c68d3e5697f36c9db2535b05226aa118e00fdab95ca2cdbd37421298d46d2054e900b82ccb63227a23380e4a2e93327718cca3b9f5fc9c3949adabd723bd4313 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -4767,7 +4746,6 @@ Output.13 = ba6649f527ef2d09cacf926d81abd456d4b43800dbf77de69bb9e2229cb6e3ac29c7 Entropy.14 = 62efa359ebd31d3c499353a5ab5f3b70a34c5f39c508231eae5f3ee20e17834b88fb804a32a268a1 Output.14 = 20dbd757317220a9a5b2394b495efe5e12cc7b759c877bfeed6425cd64146ee90c455c50b2243972b43015f69a015f1a4953e84a089d38171f9a6fd47b8d4870 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -4833,7 +4811,6 @@ AdditionalInputA.14 = 612b0fa86e20fcfaafb14424d1ea3092c9be131efaddff1bd9bf0c9f53 AdditionalInputB.14 = afc244f8c93dd4578bd193226d7ed321f96dfeafe8b491684e53a0fa7d5cfb95dc3cb7739df80279 Output.14 = 64806feb8e212b2b5def3375d83075a0cccecf2a8f0fd38a8ff4700a3152d2044b65e555f5a6171b10d72b6b6139ecd29309dd09e132ae88fa9a6adb500a03db -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -4884,7 +4861,6 @@ Entropy.14 = a59c31d7354eec799ecaba8193466aaa928025b162ff442ad2a4e0f9b65409f105d PersonalisationString.14 = 7b56fc016f55fe0ba21f9cc53b962e215e4ecd3dff487af67b275a19cde4afa74724a747358fd1fb Output.14 = aacfaf0360c415de87b92d74381be991f4a41bdd61175bccdd7c8dd19cd3f7076b485e95b1e9ae60ffb9b778f6470e5fe3a54092c6db3b909a4d9e5a8cb96ef5 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -4965,7 +4941,6 @@ AdditionalInputA.14 = 6cff7528b843b2efb40336bdcaa9629be2720bfa509a330430c36d5935 AdditionalInputB.14 = e0843ca3385ed55f56d51343dd718dbd1a3705d7b8a3a5cb7b955c9070ef1faf74382a9130a6803c Output.14 = 9052a75eb225ac7522cb141245e0592a334cdc8e194f5249a5843e6efb6398db1b8ae97a15829efa4685cb4f1435d022424cc7854d34743bb2d861866fff51c1 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -5001,7 +4976,6 @@ Output.13 = 2cb651524a6b094c93e8d1caf33bef269d267eaae0849c359b52d34640f14ad4a7fe Entropy.14 = 689f2f61670360472b24f8ad360fe08e249b59ec0cc4675b08ac0793dae6956db8f63108574ef0c2 Output.14 = 0897856129a42d785b60d770836a68198bc76e29840abb0802ba9d471acf8b8bff3f02e1a1c34015ad51ce85969b12ea65236bc12d349c03f2031fde19cb22c2 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -5067,7 +5041,6 @@ AdditionalInputA.14 = a0c8fb5bc632cec6f7f7a385587f27ee3ef3dfeb5aa13d978049c3d4a8 AdditionalInputB.14 = d2c1ec49b1b0f810ae9a71fe5d93ffa4004e05cf8ffb1e1eacc146c37b3af5258b4e46222cf33914 Output.14 = f3ef4c192e85dccd2df5b1c5f791daca65363d5f79bd490b7d9232b19c6059aaebc494dea3615295f407aec1af3b867a6d94abdcc41f68d2d9afbee19647f748 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -5118,7 +5091,6 @@ Entropy.14 = 2d0c45bdccac3a972fe401601379d5e5f6173edea823d53186829f343c0d1c843a6 PersonalisationString.14 = 9345dc1ee7c428a961f2b787e6f9487f938062afd5fe3b3ceb04ba8445b1118a8e2e30b3f0bcc299 Output.14 = 3d6f9140fdb46cc1a04ae987dda91a18a7eb59240c6b4292f64c8445f27f1f72a2d80e8463da01409cbf28416986ed8a85e8b9c4caa4541688aede1b6905b384 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -5199,7 +5171,6 @@ AdditionalInputA.14 = 28cb3cecec5705c020d8a3edb8079e004050d480efee70faec7e1b00e2 AdditionalInputB.14 = bf2d138b18cd6f6c698901db8b605b598b0c3ec9fb0b14f9b586b791ab6976717fcdda68e42e083c Output.14 = febe358e4daf7e1938d8c0756ae39531b1bc497e603f91c7aa2203327604144eb442ad2efee1fe9b1bbcf33a5eafa94c3c04d583631b91fe550daf227d5cc05d -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -5235,7 +5206,6 @@ Output.13 = 0ad3c8e5ad0cd1f3308f882f9aa0aa5f290d93b4a2045ceb867991f2640c5276156b Entropy.14 = 1f5f78458959b3cabd57a556a8e70c364bab260ad5572fca41fc2bb64335fb888a31cdb37deef5d1 Output.14 = 0c4436f75415d0eec411f5ba0d96fe333161c2d6faa30f6d806dc457b4123b7b2b65cf7bd8f4e699c563ec0c6f45ee37c31b3c6c11c28927b77d53053b0057a7 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -5301,7 +5271,6 @@ AdditionalInputA.14 = 320c3202d710d62b04bed6cc1d45b6a3fa306522b94cb7037ae7ed6609 AdditionalInputB.14 = bf6b78f3552fab90333117fd2fcfac3af10c5e4dc0dedc581b0b15b6aa579e576fd8b10a099d05e1 Output.14 = e9690cf3a6a69e92e56b8f793c2a27d2ed3c321e61c2e59b99b8aebae74aeb9f810348529386037ff4f1a9f525aff494f8817b087d67817c9a7547e56109224a -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -5352,7 +5321,6 @@ Entropy.14 = cf9477ba033c5d2324dd97b69cfe59d66ae7f7327aa928ed1ad36c2d9d63be731ff PersonalisationString.14 = 215a3e638fa6a74d91592b07fa08f8d4983c6ad0820a908ba735ac5bcee68c3f670f6fcf4d05b25c Output.14 = acade190508f25724a3c7dd4d960bee088cb6152f31a537295a8ff4b85af94a0ff006be9ce2f541b8237f6a7fc62a4bb8e41ac6979a6f112b57158aa6eca347f -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -5433,7 +5401,6 @@ AdditionalInputA.14 = 8b981ec9ca88b1493e7ff3b90c02da6f478bfa573f5a0354941dfedb86 AdditionalInputB.14 = 829e75a58edd00d86269ef332e6744723b289f7df8f1c0bbf70222b542b9014e2d0cdd6aaec8c194 Output.14 = 8c4aa794af3d7d4d684006808c98c11d8146b11fd062c69cac019f1913c457b49d423b5ec683f19143eab372079a6df551fc686d9d6f9ce5f64ef619186f816b -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -5469,7 +5436,6 @@ Output.13 = a0ea3af0cc95103ba3e89e5e4a6b792bfb19eef9580255ed76e71ed0e5325848497d Entropy.14 = b7f7e4e68356b2ac2c2c0075c0ef5ec6f5a6f225a18db00830261a95765771eba739a7cf8a1126c58994c43b2d28024a Output.14 = a15e8cc437a600a51dcfb778afa23d577d0e56b004f56eeb286e6c949d982bdb9353cbc63d33d7d397ceb4fea51a6df0b4d6d4cd32b9065bc4110d790c610e44 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -5535,7 +5501,6 @@ AdditionalInputA.14 = 67cd37e14222e5966d243bb44aabb32b0750220f75546953981631b948 AdditionalInputB.14 = 1c0f67ce459099f3993bc8ee4a4550d3e7dec1a5225280ecdb00ac68e17c7cf40afc5e6794208e5742c0012e87d5711c Output.14 = 26167ff9820aa23ab61f7872e007dd25d58c7f82eacb9474280731a550c8b899e08074d910d576939f87e90018987e0bff48da03aaabaa9b7faeaddd65fdf5e2 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -5586,7 +5551,6 @@ Entropy.14 = 4e37ee8649a86dd0bab8785a1e3acbd2c3a57ca346d0e31476490e49b588b928232 PersonalisationString.14 = 61334cdc8735332925221a6318987403a4c1c936c0a8066cbfbb1a84510bac2bb37ea52d6ba9f4e1a93269473f4566cb Output.14 = 8bf9c263c12a19c50525fb70cfe56980b26957e5c295f7546244ce6b7b1b90b24ce3cffc5536e96d973b192a77f878eb5e6987e1055475a0abd00312d7a65dd3 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -5667,7 +5631,6 @@ AdditionalInputA.14 = 781c2441577ac05fc069f0f988e150d7e983bbb49810eeac8b5d98fc5d AdditionalInputB.14 = 7598eabea8e516eb2d111441e94a98bb37916f291e3107dd991e7798ed896dc99b1a405443f7c781b98adc8ba9750696 Output.14 = eae935bf9ea3174c0d7da0359c175cc6bbb91ecf9357e7748011fba02fd52205df0a87a44eb4ccb6015b266ed3bb9be4d0d403838bacd42757cd34216d71989f -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -5703,7 +5666,6 @@ Output.13 = d39cb66ae64219a8de99b4f63daa8536defeaa53a055a66ec3de18c41673fc926b1a Entropy.14 = 100e176574bd55438477f0153ed04b6cf221bf6c1fcd7141aba10c80d71eb2e16bc8213aed689f44ef57807334dc3d12 Output.14 = b4315cc4470d4c50a15836f218b21c96668d32eafc1649cf6c92b96f0716aa54582a31a1c5f597b80f62102622369e422d98c34d1498cb9bc01d418a4d232074 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -5769,7 +5731,6 @@ AdditionalInputA.14 = cd4cb3a8e0f1f8a67577d71339e6c4f40a291cdd22d5a19aafe0f7c99e AdditionalInputB.14 = 0203e75cce2d2e81ec441ba73b3129c6ae5067733bc0031614cbc8fc92d599523ad30da2ea253c06c48293befb14ab71 Output.14 = 927c1e64d9f3acfdd74e7afeb9ab2280f37ce9c1839f8cec8c32db7676fab057620144d34c8382bcb904e85af45d348e10bb2e5708268343595ffc08dd258c00 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -5820,7 +5781,6 @@ Entropy.14 = 4e6768b663b1838fbd56c78b002c08c28121662238456ea93c4b286f4a1d6aa2a1f PersonalisationString.14 = 47c24038732c32baf7e1e71fb0b74b74ec055adb88f8cf111fc27598ea74872fde608266a8f49105282c2ca7093acea2 Output.14 = b1ce96d86e77a251c4fffe5de31e9199a19fa242b03b005cf0b6a23ea3a0c5b87edcbc77d0019f24d8c0594a4edba054b32d2c9e5e2f0893c424b11887b0be48 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -5901,7 +5861,6 @@ AdditionalInputA.14 = 0e2ec484d8866adc065b4f11d3760b4d276e2cf9c066b226311e7c7806 AdditionalInputB.14 = 9fdfcb7460ce5b9913ffb9889696df7abe28aad40eba3b675d7508cca1c98faaa27dd5f52997dd6f251a68e86f966fb1 Output.14 = 66d6b1693a3ca1cb6169858390741bae3285e0c28604d064b57f3aa2ef9a569bec22884ccc5cd315d3f3847c680c3481bcae423cb105ea47956f62cf8c2c5d29 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -5937,7 +5896,6 @@ Output.13 = 47b6dc1f9fc7ba68973e15b489e46b94b4ba58e23d6691a6e8311dd82a6187252e10 Entropy.14 = 80ffeccaddab35221cba00ff374728dab8f91f3e5498622704c050e3e13a2b0bdd2f913672e896a979974c52067e2a05 Output.14 = 0292bdaf725f469307e76e3ef5bed03470f6bdfc22e4d7f0661bd1b87696c9da201bbbdca6a22344ea88ffc7325370863b4cfb105740165eaed9c6e73b06a4e8 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -6003,7 +5961,6 @@ AdditionalInputA.14 = 8ca625e0daf65ecb70ccc63bbe88720ece7a415b12542c59db488bd056 AdditionalInputB.14 = e511e77b98df72d3e4c175b58b7182fa729a61649659ff117d9b4c514cf694fea2731b170d0babbf6b6bf8198be6d932 Output.14 = d9d3ac1480323439e9f8f09a54b3668684890fad51ad314c8e14bf0fdb429738b8955e3d2d928f2403f20caca2065795c0adaa30a5c4683a08d83074633be8f2 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -6054,7 +6011,6 @@ Entropy.14 = 409bc372b8738c80ac35721bbb8e806ddc93e816c8fab98d1d0f2a053f959601667 PersonalisationString.14 = 975da7439df9a5b76f8ae5201da35692fd46d277787f8a73b08201e6547ba72de26ba7725ad44a11f742e6c2b57c0e9f Output.14 = 01fe7c18b85ede519740ed4068af24b4baaaa7d727b05241af481ec843c20bfce41e4bb131cf03a504aecd5409d03f6b5b84d22f0e1042b66e5d99d4339742fd -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -6135,7 +6091,6 @@ AdditionalInputA.14 = b0bf3ae2cfe4d3fae5573781456b3725a59598d52ffdd081b412106481 AdditionalInputB.14 = b94a9134257079c16192066b6e3e50d63d58dec6632524114e6bce3415db5abfe0c89108cf2fd6478a97079f5190f1c5 Output.14 = ac7c1a00228f6a7a0620d00dca7dd38e53c71d31aace470703e4d8911b071b5ae517af60ff9f2aa570b18d35b2dcf8af0ee14ba646f2be35571c7cec44ec88d4 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -6171,7 +6126,6 @@ Output.13 = dbeb1de34b0e6f1c96cf4afd1e1230e434bcb1a5497f797871e16aa3f60f8dbcb4b3 Entropy.14 = c1fdb2167e6db331a3e796c83c8b10352650c20cdcc41b859f8b0059f2638bdceca6120928c3311b6b8d764a67b47192 Output.14 = b9ec753ca46bdc1058f5b77a9d1d9d7090d0b70f8b9995658b8d5abcb68462a09c59cf404bc4a625037b52ba10e336c2bbd049a507fdb95e32d09904a2482f97 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -6237,7 +6191,6 @@ AdditionalInputA.14 = c839973b79c3eea5db7107ca7cae1c012cdd59a50e58b7461ed7921178 AdditionalInputB.14 = 3cde5a2f6e19fb4a4493830016cd86afcb7a8db49a2abf6077ebb5314dd12a2d1fe9d3601c125c41c3e9af4603ee8f8b Output.14 = e61a4d439b4bb1ccdc810ef7a0019e5e88321ab6687f6564d5f70c0afb1633d50da63d6d1b1919b724b57ee926d63a80ac20f1ff06c4932456c70e8b64db43f8 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -6288,7 +6241,6 @@ Entropy.14 = 7ce9977cb80634f0503deee2afb8230c57408c83bf5bf41d2d62d4daa4c492fa60b PersonalisationString.14 = d862039cc2c297d63529a33f38a6e5660a06919a044c7e746ff238b65321d2a233a9a9c7b3534c932a8881ad38d31f65 Output.14 = f17b61f1c3caae331160b714504b9c058ac345f07a5a26034dbfd7fef5013b52cae3e2cd357095b623065ec5cb557001887b17f9b6f9476d5449ac7d81d5abd3 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -27223,7 +27175,6 @@ AdditionalInputA.14 = 639824768081b8f8d09b9b4eb51c0bd1ea5666067ade2628d45e727213 AdditionalInputB.14 = 7492ada1c96f7b2de329cd54651bde17b4fc69471280931180bbdecaa2889435 Output.14 = 5c37c829eee0a9acf2ec0af816c7974a09994e744c070f58d4fcc216491a35be0d32854cc4bf6956ea5c43370c02084dd30a66fda089f5c47b4975d59a01a022 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -27274,7 +27225,6 @@ Entropy.14 = 8ecdbf1cba26eae45f70ccfec0e42d6139be57f131ff60898a3b63968acf28ac ReseedEntropy.14 = 8d860dcf67fbee47f33ed5273ff81956335d9152085f184f8427ad4234f95661 Output.14 = 8049f3fe2e62883f71cc43873b9775bf60a97c070370f9757c51488b050c00959d085ddd8f8e3702aa4cd6ff19b6c62685afb7792eb003c07bbcc9f4a026d138 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -27370,7 +27320,6 @@ AdditionalInputA.14 = 9e0abd6fee611320de52bc48e56f5f17bf180e596d258031e3666066bc AdditionalInputB.14 = 5612694e4260dc91ba87ee97656f1436cec1f711536bdbf61064026673bb398b Output.14 = 02bb0c1e3abb2993383cc9cf2f32c148d785dde27df3a8dbd3ecc73ea4e884cd427061423e0736a95dd3202e6336cfac40311b8f08aaa88a90baa2f93999694b -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -27436,7 +27385,6 @@ PersonalisationString.14 = 48882b0a263582f0c6bb8288ba894d7141e665aa0c084c7d99eaa ReseedEntropy.14 = 34cc10a3d71398efec3c5854ef82a77a0b6bfcaf841ad9a1d5c7bf05aeed9082 Output.14 = cac26b07204eea9a41e4289302d0da8f36ea200dacd2435f1bb1c1235cb362497eeb87aea2889aa1093d13d2cee25eb11e28229c39acdf894122425b5948cae2 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -27547,7 +27495,6 @@ AdditionalInputA.14 = 1550ac6da1742834c705b4dad61c37fc33e7d786f76b553ab324bf543f AdditionalInputB.14 = 77ef7c3f819de78c243351a71bbb460936064738fcb75acfc214c884ff172311 Output.14 = 1030bfc7cc645d6e2d6b2a3f2e97979ab999d70252c15504d71d02c5842c34cf63b94c512e162726acfb1492ccb525ea56e4ca1b54daaac2284e558cb4936931 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -27598,7 +27545,6 @@ Entropy.14 = ac5668ac054f732d2bcd88561642c5a7ca98c68e341cf0cf18873fea93ef33fe ReseedEntropy.14 = 4a4d088beb9843e4622cdb0c5a6851587f2b472dc5d734211409bacec7b2ac06 Output.14 = b2013a363f3ee01ab8573f3e3eed32285108c3ed3bf231c066176ed901e4d6ffaaf0cfd12d63d7c19f6c460baf434a1d6a552c62274bcb7469f7009c0beab972 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -27694,7 +27640,6 @@ AdditionalInputA.14 = cc92f09a3b12f29d9e73253c261e828196fa540a9024632665c6c25a41 AdditionalInputB.14 = 53113703a3362b3eefb0c12587fa25a620e09e0cb63acb3f7b74471618cc0d05 Output.14 = eef4850d91b63508bdf3257c4b66c8c022a6869cc8d9473e5f579d103c67225c04e3994f14c31ff0e328c1adddc8d8f6b1f2e70409325a353eec19c420352b7c -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -27760,7 +27705,6 @@ PersonalisationString.14 = a48f64c672f37649b12630157e15b9364ee7548984d94171b2a29 ReseedEntropy.14 = c4933f8a2af99389732cbd0120b697b9ad99e4821f4610b66c18d9da0e28bd00 Output.14 = 77dc9c1b636acd5b76a3453b168479ce947f4fc1401ccad4dc61d4630370ce21d29017244cee50644e3654e702b623e20ff49861890781a6bdb68e5cf3a7216b -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -27871,7 +27815,6 @@ AdditionalInputA.14 = 2537ee73b566f7febc51963ea96691994fdb150d42db58204f95be45b4 AdditionalInputB.14 = 2f4dd1698f26af2a921d4f4aceda1c15ac71fff62ff7bb5ea6a993a29a8dc199 Output.14 = f1b46b0276bbd75eec0792e9998ce83022c8ff2f00ee9947760c6b2bed3f6a19bff58a0a92093a57b5ac949cc4028fe31e2a6262125994e6e30dbb4b7faa6d4a -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -27922,7 +27865,6 @@ Entropy.14 = d083e222d8159740044707c76bd9ec4436202ac778f63646e5b1e88f21ddc13f ReseedEntropy.14 = b7b714550798c888a5026b0b7801c0923ae60a2858cabb6d6972d66115f40eda Output.14 = 227a88583bb137f082967af04c27cb464a6332720b759b435d4a7e26349f56f4bb447695c06295e838a6c86fc3867006217c94bb5cc99b3c44bfe541fc77503c -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -28018,7 +27960,6 @@ AdditionalInputA.14 = ee0d3e9c178d53f9957ec0877ac719694197e8bdffedf8fe59c57a0cf6 AdditionalInputB.14 = 2545d30f8b974a21fa54146a14a566bc0156a015bdde60f3f2b9e186f6181f5d Output.14 = 7cd2003034f235e209cb0d73ab442234016a04c830752721998146c2f6f27d92300b47fa3ee72b46378092feb175583894b6f7004362f724ef145fe03c941d42 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -28084,7 +28025,6 @@ PersonalisationString.14 = 41b9b8e2d9a7945ffcf2631bf7d668648993c0f4859ea22de4279 ReseedEntropy.14 = cecd9d0ac5cb7ea4cda4566b873bcefc2db068ee41774a6861a21bc69cbe1814 Output.14 = 9d7209b625d5df31a949fbf15bf6e4515e42e6eb03909dd6d7ff4e001a8408c704901ca2b2121c079e36c28aed7a786aa356b6f3c75b87d4c78a2d06371de356 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -28195,7 +28135,6 @@ AdditionalInputA.14 = adc0707f3a06e767ea80f0882ebc015b79f0228547d22eb5a635b244a7 AdditionalInputB.14 = 8372a1277f0eb84cadd53df4a6cc619cfca029f84d9bea48beca8cc8060528cc Output.14 = 86cde22dae3a1af947d76cd15e4df0c83a11769d34610d1991945350acd4f0aaef9ef70b5bbd57fab74fac6be8cbc028b9bab63aa5de62d9f1f95d949e9d093e -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -28246,7 +28185,6 @@ Entropy.14 = e3d8fcb8c049e442d2bd07104c46f0602a1f60f87bdc02dbecdcfcf4006b5b0a ReseedEntropy.14 = e25327867ff27456eff9f4ae4375c7a85788b400dcae03ae8c892472c8a05221 Output.14 = 754063c679269931fdab8f90deaa967969f20b1805d93fe5b1928512cd2fe98984974b0bb1d7494d81f53e073f1a3a9378ea27307a154dc8a1fb1d3e17998f85 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -28342,7 +28280,6 @@ AdditionalInputA.14 = ff296cd83f439529d436254c490013f26fac4ab407e158a06b3c9d4e9e AdditionalInputB.14 = 63dee758f80f00738dee68e5f8a361cbbb371bcfa1b67ffb073c45e3c84b85fb Output.14 = 295446b08f879c3e46f0c57dac85767d94805fcdf7beb1eee75d40f643254691adef0e8300cf27deb90a72805cce91a4433d263ecacee0583b222b81c0bbe401 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -28408,7 +28345,6 @@ PersonalisationString.14 = 345b74cf00947dc1eedbbacd5e4030d5639f5e3c0b9fb986fdc0c ReseedEntropy.14 = 3150b6ab1fb005ceb8323c6982fc3af3092077241dcf4993fe91696bd5b8b747 Output.14 = bff83f45e0a4223489b08409497471427e7b82f834082137497bc552127446a8a3f52a730914650cd753098162f7d253bbd625983430d1f16fcdb0f78a1348a8 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 0 @@ -28519,7 +28455,6 @@ AdditionalInputA.14 = b643013474a37b208a6f6c44cc56b1caea69e1289d8897d53f40423d9a AdditionalInputB.14 = b1e07a0f9740c49335ab5244e3b7aa567c7234e01253fa1c31372ac43b1d6519 Output.14 = 6e5fb213d4bef40b3f274f956960a1e0d28e5399bfcf2709fe98de2b54ff26766835b6ed538b887cc617529d057f6005db0227dae7627728504cb8cf3530eb2e -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -28570,7 +28505,6 @@ Entropy.14 = ac8e24b8704e2011076ff9175fa1c12d9beeed66c9a975037ef6f1f519efa2230ca ReseedEntropy.14 = cbe05b235ab45735f0fa0ed945ec38ec3801f2caed0bd8f96dfb34cc75ef1a6a4122f5a8305f915e Output.14 = 91c49803af71477a06a6a493b75aa36817aa15b58afe7598750b2fe4d663f05ecf0b8c1b5737cd611e2d56ce95a029bc4fbc307f5478f0b796b259e01a48920b -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -28666,7 +28600,6 @@ AdditionalInputA.14 = a491fa45d161efa71ccdb405d6ef3153700b28966582e1052cea992218 AdditionalInputB.14 = 4a0cd52d005056df60803fb353728f3b3fd27964e5c96965ac472ff8bb4dedc4dd7d1ca04b124f0a Output.14 = 0f78e45be38a6a46c2914449beb9df52394067b720f390225f930c3313916f00293c7f7f173cd89d2c30c72bc07482f066708bda7a29af420490821c98c995f4 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -28732,7 +28665,6 @@ PersonalisationString.14 = a35f706fe78dab179bdb83495408764805175744bc020388a8a60 ReseedEntropy.14 = 4d632ef30482e6d5949cf52407d42caea7cd745e70d76d3449852a7ddb3f92e19840cd0217e1112f Output.14 = 3340cd5e74c52918b391156702851b25327072f075e16b8c9378972b081b2ca8cfa7665b7052cc44f480f0c188342357cc6c8cb616a0dadefc4e1ed40ba42b0a -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -28843,7 +28775,6 @@ AdditionalInputA.14 = 5f7205d87d0a9868234eeb8c4ae42cd47c03983b77dfaa84637b4080df AdditionalInputB.14 = fb6d486fd7586036003ffce8865e479498fe530f9ae29e01f98d4a2f7b665b6a9329450b0fb6ffb1 Output.14 = 0d3d8c9ff86fb56bf362787f474f838066fa7483a958c23f752be6e21cb42fee11d8dc53396508f9fd5122d04e41d0e0c949d50c46d51d0ac824b6f46b5df088 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -28894,7 +28825,6 @@ Entropy.14 = 0e681f881afa243f5de75a046205f733a32a1bb39e2abd057c07d8d5e81589d537e ReseedEntropy.14 = cb16a4907b39f647eec2b388704d6a2b89836cdd8d1c0c7ff27cddbbb0d01e306dbd01ec58334700 Output.14 = e48aab2c01335ba4f6d377c3c993932d4fe2ef60254eff315491b81acd1c22b3a33c59b8b78c479b7cd4fdd31f7d15864a48ac706e32174de36f9239aba4b6ad -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -28990,7 +28920,6 @@ AdditionalInputA.14 = 37ab678301ab45deca791b4c5b1a792c5422f2e3be57bcf77d92468e25 AdditionalInputB.14 = cb7a6611c7fd8ffb884ab41766bf4a57878f187dbb09d7b0e77db4ed2ccfbcf3c640a9348dec4e1f Output.14 = b194fd786cfab66885cfe7b03daf642dc60efd7399f6c48d3df50337b40c40349b94ca509053451c34d6b838ce1905b5cddbcf5df1be2a9783404bd0b72b523d -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -29056,7 +28985,6 @@ PersonalisationString.14 = 003b5e534bb565f4e1eacb22f2a2a65093dd0c782a27805f0c4c4 ReseedEntropy.14 = f2c16713da96ef435d96c63fbbc57d49c44d99c679c1af53a12cadea98d31981a7d06991efeec73f Output.14 = 67c409157d60f8703da237c4c8b4f124298bc95f68cd5510304c2167145fb7c4beeadbc6d7ff9b261b420e93cf9fb135d9946d5f4c4829557e7dcd713143115b -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -29167,7 +29095,6 @@ AdditionalInputA.14 = 6f6d6ab0d0c02ecfbaa3ba6d8f38a8acb08699d08f3035ce7fd03343b7 AdditionalInputB.14 = fba0d6f6ca8f1a587782c5319766209059a23cb3e7476b2d060ad06f2db9e09728cdbe0f8a86c14c Output.14 = 9e88544b8486d3445c0bf47d0f55bb8d3f2abf5d5b2816df7abcf3f419dc37ca332bc00fb8c40152750b4c46054e8a281190f6e3007b844c63f6cbd1dd9acb01 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -29218,7 +29145,6 @@ Entropy.14 = 8f5235da708cb15781db85ddc141eacc654d93f8c211ae718df22ed7bae7ba5f2d5 ReseedEntropy.14 = e6cf01b0cf9931ded0ae50bd0e1092cf79221397f2850d31390db33ae05072ad0e67cde6f3c438ba Output.14 = 7a00675e1a9b524dadc1b356b22c46c6747147ed736639739bbf761ed9b917670238ec001387b7cf3c91a58a81ec09c1487313058b6c26ce61d5785269a1d8e3 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -29314,7 +29240,6 @@ AdditionalInputA.14 = 18a09894ed824809e66ee447f9413505035c8e85db5b9c6e597bf6a2e3 AdditionalInputB.14 = 75ec329e54639306dc853b73498dbc002abceadb355e12ae69fea16cc3ae892272544990d2938be9 Output.14 = 4c08126a7fe978f25982672ee2044a9dfe31919a2003853a74d9132b46a2278547af5980d037401275ff86528bff41fa80180e823bb88cda6029e06d2b009e81 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -29380,7 +29305,6 @@ PersonalisationString.14 = d811d476960f2d5032cc3fb7002be155c6314e03ae7788dc886d0 ReseedEntropy.14 = 8fad4aec11507a394be8bf8cf24c4f2442c45948b5ddf28ebe33f9643ae5d21337ec8dedc9b23e1a Output.14 = 6d353a66b4cd16ffc5469b1c16951ba00b075db4f1282df1cba7267b9e191e21f604dda9eb48921f927f1d7b4548d5bcc580829c422ef0d5b2127d5eff4b020c -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -29491,7 +29415,6 @@ AdditionalInputA.14 = eb4fa0ae2bd5ff9ab19545d30350fab09719db12f428ccc3fea36da4a0 AdditionalInputB.14 = f1d0853fc6fecca6730079b5e64840bdcbc2ccf4a9e20aa08e8ee2e48c785838b154c66845e2423b Output.14 = a29949eb92716b0682cd27f62ca00cfbad717fc976c55dddd854ded44a53ea2cd0dc0a97db8b6011d583f8fcb522b7f8c3d2fdd68ebdc083e23d5f5737dfb572 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -29542,7 +29465,6 @@ Entropy.14 = 963fe575c96b319a3418cc7548484ab827df1f7ba56b0da8131fd19f7712add1d29 ReseedEntropy.14 = e1470ee367e55bd8dd82dea6f7fbd905b98d596306807f8aae529807b36aa0655bd260e1e2bab75c Output.14 = a1e6286529fab40e3db9b57741bf6e5b4904590d05569a7d571baf77842065be742e2c26c14e8599e46a520fa39b81ebe32dd857556d9f55e4bd37c1952afc0d -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -29638,7 +29560,6 @@ AdditionalInputA.14 = bf76973791b52d9387e2a36f3ab3620bb983dcd2399fef3cc6bf4cf86c AdditionalInputB.14 = 2089acf7aca43a77d8459d4f384919575ed88c7c4759b9dd7033a132a85c2ec6c71025c166083bc7 Output.14 = 81309a10ac3f02d3fee049a5ddb9f02f64dff3d6b75259d561921a8349b30054059b2af81c6f7d50189a0bb6d360da06bcbdc944997d6f8b051f23998c8c36ae -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -29704,7 +29625,6 @@ PersonalisationString.14 = a477a42a221cd2cbcf790ca70fb6a5f18a91c297617561acd1bc5 ReseedEntropy.14 = 108f6f37621ace418e2155f70dda4c2b5d6aafa9269f6aa98a5455e3a1d188e64ec022c454c68620 Output.14 = 05e4896494b02861a51357463f705e812a14f57eb8630cf1fb025c42ec9dd54de3f5fa1b38d1f3d890aad74d5ad1683d0b5981da4d3a939d05fd5435b1d50f38 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 0 @@ -29815,7 +29735,6 @@ AdditionalInputA.14 = 6aec5f8c3dc54924104e04635ab80b1f782869bc5c1557f7d89daa1e1b AdditionalInputB.14 = 668d732a98f7ae8cdc9235d63e705955c09600a490021a19a34c1befba8cb613ee7d8e4c5774aba4 Output.14 = 1dfb0a6bf411580aa55044f26c598d2620965fc94a769001f10b1909228616146bc9d02f749d094786805e3db859da9e6a572833af5cefdb147873ec6023b028 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -29866,7 +29785,6 @@ Entropy.14 = 1accff5a19861164c5d2cf542cf41a789f143c7956518ae158d4449ff0c257a0096 ReseedEntropy.14 = f2fa58209759d84bf38a1656bae655669767a902ade22a830df56b32ef9e1c992335eb4cb27eeb142bfd21b5d31451de Output.14 = f214b4055d182cb258d9e9b61251bebc9bf090db662c4e36023cc156964fbbe1cedf691cd0c3d7db4262fb65a5d34b942f909b0f31fc18009766413523dcaf40 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -29962,7 +29880,6 @@ AdditionalInputA.14 = e33d181f3159fb0874eff5ef8ddd2b51a60b13ccf046f7e637ed27bed8 AdditionalInputB.14 = 3ecf6233820e6cceddac7b024c490c5ee14c73d5b598c92cda30940471b6ed450019120689aaf157fd87b71b13afea25 Output.14 = 9d793dd96b870dfa0267623bd1c2d8bd3e2c63e9f211340f630fea01358011394154145a10659c4d98274a525c48a90da0126a99b85ed5b4b903195f0dddc762 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -30028,7 +29945,6 @@ PersonalisationString.14 = 8c40c5317f29b64da7f4025cda90ae3e99ba1ed350482048f8411 ReseedEntropy.14 = cb7933c3c803644d4ab7c35b941319bebf6784f98c04754c69359e10c9693b57ae12e38b08ca8a9f0f15142c4476f0bc Output.14 = e95d375c7b3354190721d598e8fde7aef16fb2a9dc963ed76eef6a12abe2001622725a8e1545c73c9a85995e6b07806e2ac39b179b595bcfd96b2189b5d10497 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -30139,7 +30055,6 @@ AdditionalInputA.14 = 588eb722d4066ce1e9148d2e7a6d43d1d8b4886bd97f36f24599dcdedb AdditionalInputB.14 = 1b4e904a6b861201028506075d7d7fecb81158ea3749421d4d4710ba0fcb157b5019dbca199c8302d34745cb0c2330b1 Output.14 = d155941b54ab48dc1866641c034b117d6dd8a7d068d29201105d845315dbc747afd8fb1f9ba5c976c75ff8c7052aff7b342c1489bc0c9f8a7d898b88ed0d5746 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -30190,7 +30105,6 @@ Entropy.14 = 68e91e73623fa6a3ce22f424e9db971459dfbe06601ccff96f1726fa18e61d5cdc1 ReseedEntropy.14 = 249b56dcdc4c5c8eaf796c8685a740fd4ea2455c135e0d7b8e50532fd87c95b781c8f3775c213c2714eecef140125b78 Output.14 = a15d3d61408ddea3b9753c854c693ca1a91cf49d172160bf15f512f345bb1bda9aa7bc4fcce177fdfebb3fea4cc6404c6024527ea662669a5eb78753822bfdd3 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -30286,7 +30200,6 @@ AdditionalInputA.14 = ed3f47e59a12b36a42616b338c7a77a18e333d38abb9da4e36914b69f3 AdditionalInputB.14 = 6e39b249f1b8111ff12fa24f9f2320df2dc8752e1541f556b5cedfff409b6a858490c27e052a63504c7131b438f44356 Output.14 = 650bee69393d5d7793c8a5a40cae79bd470d15fdacab7b51b251f51dc5d3e383d28d808c7f9e018c71eccc80371a9e0267ba4053ec0e4c071d110942c43149c0 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -30352,7 +30265,6 @@ PersonalisationString.14 = 531b64be5d25937f30bed886f2021855db1b63777febe6695eb4f ReseedEntropy.14 = 350112071b8315afa26fa3d9be6b6dec59ba7fed2387556cdec43ab8def92050d2f0fd34ef0c837c022c337f227b2169 Output.14 = 47ad3d7ef4e7bc4696d039b6e424669200b5f6c687f813c270483793518adf6698aa40a781208878017bf77afeb2f98794d21578623888eb98135ef0e5121c57 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -30463,7 +30375,6 @@ AdditionalInputA.14 = 02a4bfd4a825e4d811770127c6f5a568deff4d7989300a0bd23220a586 AdditionalInputB.14 = f9775f8fb1b767c4639e2c3fe9f0820e03e28780641ecbf832451baea5e1ef83cf9e078cc325b1fc7a8a14bf07cc4ff5 Output.14 = ba473979f23358b95ff49610a7b91936b7d1da44bf8891cc19ac6ceb9f0241a8c3771a2efb403275bf599aad30b9e4604e90729241763801387ab239ae543625 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -30514,7 +30425,6 @@ Entropy.14 = e23a7f95c3cf3fddddec66cb16e1fbc38495ebe98b3e14d8f351e58bc457cd38b79 ReseedEntropy.14 = 36410abe456d7a51948098897ec205f75f22ee09cfcc94ca88fbaff8d159fc779a8e420d11fc1ac09518237bfdb74462 Output.14 = 3c14a63a9c74dd02051c0147637401649a68452c28af90e9628f1ac87df1d27671397ba34f493997ef634284b74b3b28b2e7d4171eb025e470f39dfd12636a5f -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -30610,7 +30520,6 @@ AdditionalInputA.14 = aff406d3d514ec118c9a8f470db34922b8bb262f78c1ee6ecbc647eaa2 AdditionalInputB.14 = 50d8e7887df0785c331a381b6f11057ed720abaece80b7f8358386fabf5da24a912b8f1563301fbcd7ad240c03a5e444 Output.14 = be0045c0bee70daf5a57e5b449fde2e9320a0e0d429950ec3b8ec14ca2acdd7ca2a365bebf11f45f356c34f7e52a8c39ac2e141815134bab3b79ce3dc1d2a44f -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -30676,7 +30585,6 @@ PersonalisationString.14 = cfbbe01cda290c89b2841f37952cfc1d9a4222fb425e9453de307 ReseedEntropy.14 = dc9c22b1006462af08615eca5998ea81a81411be226a241c38d480e7ae0ab5bb34721f0ab9226633d655675ffd953420 Output.14 = e544668dbca5b35bb59ab04945649cead8d822a1d8ce125e3ae5db8b23e3bcc05bf6921ce95b85766b92c13c59ae83d908471e03e020fdeb59e5cea817a48802 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -30787,7 +30695,6 @@ AdditionalInputA.14 = bd203cdd94307bab1a53734a3a451f0b038614892186b26877b2c1c849 AdditionalInputB.14 = 631cf0317b713d07ce74f7b05ff4e7a158c769993d357325f8e9d16b25076bc9b0febbbd66bf23fbc9c27286dc1663e7 Output.14 = 401176185d33ef08d0b65a5b853d57583250dd2efaf44ca0f987b45f89eafeb52d2f4346bf9b9d0b7dd4f7126e7d89dd32f53b737cef79ab5dd0794fb8a4c89d -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -30838,7 +30745,6 @@ Entropy.14 = 91fa80b727040295b850119e9fb7e4cce4551ae234f29616af15572557d1555de04 ReseedEntropy.14 = 9937f776ddae1dd4a6ed76cc1795d450e14d1e462c30a9e1a85334b3ca148451b94e00055b3ed227f0a2fc247db4db6d Output.14 = e659a7de7a1b1b15a56170a1d6334dec91b6fffc47fb7ae1f2b3af03cbc25f7bec0cb6afadb76af9d36216825ee0e13aa3915bc515325c27270858654175a81d -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -30934,7 +30840,6 @@ AdditionalInputA.14 = 54dd28543c859fd4dc1e4f0a44ec9aa2b758d51379c0a9c75805356793 AdditionalInputB.14 = 3803a58e41fb766847b9f568ecd7f1993091c4689fcf70f754d345ec7a3f45d1fecbfcc52cd60b47b5a486acb155e213 Output.14 = 3cfb2eda22c4f01893b4760b785d330cb771938ed6f2f929030fe625780fb91fc2f9952409b99f011cb5e7e0b4a7d461be80e94e91111ace0604a7a41719f3b3 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -31000,7 +30905,6 @@ PersonalisationString.14 = e7a492e06f2079eb6428f4d39fb18aa0ece5d1edc5f2e1403737b ReseedEntropy.14 = 17837fdc7d5600fa487fa07331c4db6e3d65d522537aae0715a5936f5cb81953965fdda82e5f2b0a1f20dc8beb76beca Output.14 = 2cf0d9cfb60234b23086dc1649e6fa99c4104de9853d19508105535c960468777a936543f6b31ed0d3c52d135671a23d3ea08fb7f29c9dcb3f151163587c39db -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 0 @@ -52325,7 +52229,6 @@ AdditionalInputB.14 = 373b7d3c6e3c07907a45e6292da02991c252b4f368ac894e44fe2741d6 EntropyPredictionResistanceB.14 = 72901d3c6324cb6eea7e62879721c4ab437fcac453cc43f179388851b6d160f3 Output.14 = effddd2d7c39df20550e03ad21ccba6f6775a92726af567a80bcc91523f3646ec156cbaabd4fdb13c63105f2b771f94fbdec6a2670f8fb263cdec3ac1b775774 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 1 @@ -52391,7 +52294,6 @@ EntropyPredictionResistanceA.14 = 43d53e48de3c247857132224a448147672dec7cffe1016 EntropyPredictionResistanceB.14 = de28c574f0d771f2211acb54b43a60ef79973081f06da6819219612c67bd94b7 Output.14 = 3e6e82f2edb3fcd74559b46d319b09cfc3441c06bac7a1260647ed7f9327485d553873d8b58c08410574161e0ff9d5bb2ed4cfea533bdbcd47ec627ac405d3f6 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 1 @@ -52487,7 +52389,6 @@ AdditionalInputB.14 = f298b8789db7c5b8e0354764d0b30013453c3c5c77bfec04264203d767 EntropyPredictionResistanceB.14 = 9a4dfac99270a67b45256a4da4ac0df15693a4a19fb68d08c0a2061a9e190749 Output.14 = a7746e689fbe9eeed34b0ba524851742a5fefe1ff5ab84c6b9a118da64a8ad8fc9ff601ccbe6a5b7e90c5da8cdc8d9fba741d22a0aa1d8ce4fb9cd6148eb06da -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 1 @@ -52568,7 +52469,6 @@ EntropyPredictionResistanceA.14 = 9dfd31e3adc822b675c0a9c8702df12de4c3354ccdb538 EntropyPredictionResistanceB.14 = 2a1b1519d22d40ef4ec23c6d97dc148cfe171fb5f8b1c305ec6d8e83a1ef9064 Output.14 = ac054570b081cf53b39b0a2faa21ee9b554c05ff9055843ac0eb9031d1de324701ad4cf2875623e0bf4184de4aea20070be1cb586880ac87fbb7e414b4b128d0 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 1 @@ -52679,7 +52579,6 @@ AdditionalInputB.14 = 6fd46ca18d10326f5734d0160163bc42d3daa55e3c74a2e0fc7380fd84 EntropyPredictionResistanceB.14 = 16f3bd62634368535da170a7f117bbf8b896ba1bfac5ab682247b1b55452e844 Output.14 = f84c05b144b114fbd2f80a21862a44f3641fbe980957e3fab736976db37b8bca823d7f848f32f4aca60268c020a2e85a5ee0f31fb746f0dff066b83d32563df9 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 1 @@ -52745,7 +52644,6 @@ EntropyPredictionResistanceA.14 = 8090391380ed44d3423fdf8d47891a2027110da4c2334e EntropyPredictionResistanceB.14 = 8288a190ae9118c57b033808bb3f895d4dfbf2dc7ce9b9016e339548fee10a6f Output.14 = 73d122b8854f2610a833a78af28baf4a2dae48dd1ed685e4f98947092e3aaa56a65fdc9acd8a875c16b2a91c757ff7cd6ee777292fbcb0220795c9519cf44052 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 1 @@ -52841,7 +52739,6 @@ AdditionalInputB.14 = 440e9b55a68dd27df4ef8d0dfeb8c2156c2250cc1ab574432c2b62baca EntropyPredictionResistanceB.14 = 3cd2f704ace560337fcbcc07d2b027c37380b35b26b26e40b9d62dd654e44193 Output.14 = e55b536cca2b2148af20e887ad6b1c6ab5c285fe5271e188c5fe5f7f037bab8d6d2502ab71d768d4f05b1bef7f27440ce8f64311ff7147dbb55719bf7371bbd4 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 1 @@ -52922,7 +52819,6 @@ EntropyPredictionResistanceA.14 = d0caa71a0c2e2f218bdded7a08864addea822aaab598b5 EntropyPredictionResistanceB.14 = 31fcf2f4f7580ea3b79e738830d42a218935ac5c6583febabc14bb5463fe4609 Output.14 = ae6cbc3e108ba64b18244ac14eefb670caa16784e175ffc1f41126cdbe791e0e3de26d58123aae6843613b478b9ed94173fa27c7400bb071e0a9829b9a8fca19 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 1 @@ -53033,7 +52929,6 @@ AdditionalInputB.14 = 55156a604966212f7cf20379b79cdfee41a9fe462c9f7e17e5a082c5dc EntropyPredictionResistanceB.14 = c64dc7f4e7fc14ada0905e271e0de491a7b8e4931d26823e572132329e00652a Output.14 = 7d96dfe0f6fe3eac2de3a3a8729d36afb1767aeae2ac3c79db0c523226cacac3cac6d5a87d4f152e8e7274069cc9f12bb7edb293f04e9bbd5a8f0ab142fc373b -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 1 @@ -53099,7 +52994,6 @@ EntropyPredictionResistanceA.14 = 25aeb73bc04139a647b60a0e506db2109581f58b704f00 EntropyPredictionResistanceB.14 = a2e5839c59fc255576a2fd462c719895314a033823f11f419446d02702bf004f Output.14 = fb833a40a658217ad75391aa8311b3e872bbc2e1cb150da87cc6e3494423c5a992593b68f609d30387a0384f64079236a1038969d011bea6f8adb052c5b57eec -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 1 @@ -53195,7 +53089,6 @@ AdditionalInputB.14 = 4e6c1d082917ac9eda7f032c61867736b5be7b3045555f6ef10c584875 EntropyPredictionResistanceB.14 = bcad225d779bd3653a616a8d667030c556117b2adb88e4a6a4e0d0561ae94f42 Output.14 = 14cf6fa5cfb8f9c74add5b2dca5e30395a1045ed1e1cf4e91ccbdf8ab80d1c0f1d93481651535e4089638b04fdf95f52aec1fff6565b21d8a2a32ea814952411 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 1 @@ -53276,7 +53169,6 @@ EntropyPredictionResistanceA.14 = 24e9ce22a727e4540d7d85e056bf6448063d5f13dae559 EntropyPredictionResistanceB.14 = 9a5f15c36078cfa0c768868816d5bd0b1d33c492fa9554498b6625639a293dcc Output.14 = 54c02aa8e6ccc1f109a5f215f488fe9ca7c7ceb3d1b0d9e9256ac4f5d4195cc8c36f8d8ddff55ea10f86d0eb5bdb5b116339b9c0229eb7e96814012a2ed5eb0a -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 1 @@ -53387,7 +53279,6 @@ AdditionalInputB.14 = 34e517ff4f40e3c0c699710134cdeed029baea8e142db0bac9c5aba6a0 EntropyPredictionResistanceB.14 = 09d8b16346fbf20ca073688ab3e917602686e07dff338142841410068e640296 Output.14 = c1d0095376ac846921d2bba5f4d50d231851311792c66d125d5701d6cc466e181c893dfc9999c21063f69f0cdb9850c3a34755926c67e3af75e801e7c21f3da9 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 1 @@ -53453,7 +53344,6 @@ EntropyPredictionResistanceA.14 = c52074e8343f57c0f56c9aa4bc3a6bcc9dff30b21905ae EntropyPredictionResistanceB.14 = f09a47309a1ddfeb54eea6dfa7b15ab0e6f183e2478a3889de89091c2bac0c25 Output.14 = efd931fe77e202d2aba86f6407126a859c881abc86c8f8342deeabf527ed6dc679e5dfcdd212ddc3f2e779d043f058893d7b23c6b69334ba0132db6ce82a167c -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 1 @@ -53549,7 +53439,6 @@ AdditionalInputB.14 = 0bf212302b4d20c6d2b799c9fd692b14b5672897fc45b416addaf55501 EntropyPredictionResistanceB.14 = d0b9c12bd6b178f89a238afb0fce43d45dfd2467b3a1cf9b1aa31960179f125c Output.14 = 7e5720126ce4ef83b785d9649915cf76ed6ef318422950b6540cef9a0ca90c40203b3a365b8a5c40d63475f7b37f5366b7f2ed6e18885e361ba89d46350028e4 -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 1 @@ -53630,7 +53519,6 @@ EntropyPredictionResistanceA.14 = 3695bd2e5b30b1d3957dd0a116bddba53a24dbe647dea6 EntropyPredictionResistanceB.14 = 4079d6610bbc715e62777ab699e3ac6b6c4d097aad4debf668a54d15744d9ec1 Output.14 = d0aaa51fb084825f8bf0476c703f1133829a93dee1f8061222f3502ff1bdfd550edfdc275f3aec8a8fc5f9e5f71246362fdbcc65a00e7cc52ff353cfa3b3759a -Availablein = default RAND = CTR-DRBG Cipher = AES-128-CTR PredictionResistance = 1 @@ -53741,7 +53629,6 @@ AdditionalInputB.14 = b44a499fdf9330170ebede64cf8fb19f4a8317596d80d8f9c9d1009322 EntropyPredictionResistanceB.14 = a4341ae5155601af7ccfd9bc573968f99ff82ae2605a462af7e6ed6fd5f2cab6 Output.14 = de6541dae09137dfe17fa3bc785c8f45d3d36cb621d76c53f9031b2853ee0657a1edba0f6f06dade6a5a62faec54cf69bbf15db2244909114b0486f75da3cf16 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 1 @@ -53807,7 +53694,6 @@ EntropyPredictionResistanceA.14 = ddcd35394681d6f0170aa6bd8932b602745f41117eecb8 EntropyPredictionResistanceB.14 = 09a5d5925616379b5221b347659afa11da4326b630b57f3b78db9812e667ed3fbad25fcce6307486 Output.14 = e04e5432f671015350f0cc912f5e83e969e00584c6178cc82394cf85ce3dee6ca87b6cb02e27a21e03f83c24c761f521830645fefd4474c634e1124a4d93da30 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 1 @@ -53903,7 +53789,6 @@ AdditionalInputB.14 = cc7df42c7f93a63b8a8389c66a336519cf27cc6e61a06a67c33077c954 EntropyPredictionResistanceB.14 = 1c59550710b2efa9f009e44c0aa724ad3451da29323f60d68d025693510fc01670c282b38bff3249 Output.14 = de2abced63a11a9c7c034fae31d8fd57239a76a8d8382d9a507e5230c1b0c5bf063a99f00cd4428db196597427900f56ac2ff8d556d3af3d119a590b594c2e90 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 1 @@ -53984,7 +53869,6 @@ EntropyPredictionResistanceA.14 = 756f29305af9f4d3ceca4399594d07636df0b2ecfaa064 EntropyPredictionResistanceB.14 = 1880252ad93c994dff31fb2a10fab8c265cf6f6a36f010fc35e4d858bbb783e3a682afc3fb98fe6d Output.14 = 2f7872a704eb276afad3efb131e67c4b9508fffdbb704e8c85c07e6132745941a8889ffc37baa637a1b7b7b0b84fbfdb8fbc00e7f1eff50baf2d062d8434bba2 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 1 @@ -54095,7 +53979,6 @@ AdditionalInputB.14 = 3d91e9e7ca5683312545bdb4613dba83182b0c906f3a1d65a2610709e8 EntropyPredictionResistanceB.14 = c9255e2fabf84b9edd45737f5de13e5661acc03623a3f9268efcaf7f5562cf839bcceda229e06f11 Output.14 = 28ac3acb17dfdba1d5abb3e2515dc16b42bd207d2743c51b3a2e5edceb0021d964fadd50d499e2df1623c2832a9e552331e915395d65e95f3d523d40d1d8a15c -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 1 @@ -54161,7 +54044,6 @@ EntropyPredictionResistanceA.14 = ea4ffce516fba5a28325206d639d1b3a0f7c61798947a5 EntropyPredictionResistanceB.14 = d7e649cdf563e960640b50927a92abcaa306d4e1315eadb0316bb65d7f9166577bab34bf012a6f9c Output.14 = e92c34e544c5342445228ae6740616889856eda4ce82fb7f1c15d1951953f5509ae754624ad9f159dd5e1908da3c97d2a66945b8a8746634dc70b7f31718c4ab -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 1 @@ -54257,7 +54139,6 @@ AdditionalInputB.14 = 16d262848510e407c7680cfcd3fcc27b8647fcc0155426b3e7b54bc473 EntropyPredictionResistanceB.14 = f6d98f69302da7ad42b8e580a9d755e929fe39fb0436140388fc7160d94f6167c0e150566fe5310f Output.14 = 9c7766b3ebb27f65539f3dd6001ae45c85bba6d6c09e600f0b9cf5e02f30b0f8584e696c2fee0239d5e4d5b623700ca98c94e7ca82fbb8b4643549f29d2df244 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 1 @@ -54338,7 +54219,6 @@ EntropyPredictionResistanceA.14 = 828357ad5c99f114394f578f56cd7e9a5da671636bce00 EntropyPredictionResistanceB.14 = 6f256e9f5f7a84ba4fd6eb19b6ae20b27c26660e51982bc4cf8e28a2dc43cdb723cc8a727c2ea91d Output.14 = c176910a6a7c96982841c0b603b423b2fa67c267b5388d858a4d8dcd69d6b67cb96816892162147e38cc602afa459fc5623da0862b74f1e8f569bf3b1024d881 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 1 @@ -54449,7 +54329,6 @@ AdditionalInputB.14 = 205f0f79d140c6ffef742bf3cda512a3fb84af66d058e5a34752cfd0e4 EntropyPredictionResistanceB.14 = 1989becc20da39682e67b961dc4a2f10a73b037b21cf055f1f12e8f59f047200dab4907e5e8b96aa Output.14 = fa20e0054f9edef75b34aa4e76b16dd6d9d54de5e350c879e16541cb80a4e64c3f392a0108c792ec8fcec84721cd71ccae15de31f3eff57e09f024506857c3e9 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 1 @@ -54515,7 +54394,6 @@ EntropyPredictionResistanceA.14 = fcab2000ecec66a23af1381d36e1df97a4341c329f375b EntropyPredictionResistanceB.14 = d75022692bbe5beeca5d81942443cf0dd78b770b7542cb8fd1be65e4908816ea43fa903a7a66fe0b Output.14 = d5f91235a90cafc96e39e2a1e636d9a2386c5214d8616941bb9f4c2fd375da49d33fabec2faca971d6520bab482e33f6f2752b2d054f9c3bb1f50d072978ea2f -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 1 @@ -54611,7 +54489,6 @@ AdditionalInputB.14 = 1a72cab51be3633be268e4533fe4ad482e5178cb3b15c6d8090ae9e888 EntropyPredictionResistanceB.14 = 6587fd55057566c3fcdbd85aa2b693d885234144a6ac9000b8640c8530da8e2e72abfca6980d7119 Output.14 = a0496a05e5238f171f18870973c9e7b9b3fff44df1fc1ccfa398ef73aeb41829a39339fd032591abcce4cd9402297f7c2e38fd2486eaa8c20134fc0122af978f -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 1 @@ -54692,7 +54569,6 @@ EntropyPredictionResistanceA.14 = b459eeb404a1480b64e7d572bced365bf822878085363d EntropyPredictionResistanceB.14 = a057871a394e93e58ba191c239e21858a3127a6b748a4505eda487dc6a5293304aad36d52da132b6 Output.14 = 96b24ef7b19370cb3ec40a4763de926977ecbe6af2fba201e983e7bbd71b23fa95bd315933ce2fb5a10f4a121cc56b125233f09ff920cc380df7ab5513403457 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 1 @@ -54803,7 +54679,6 @@ AdditionalInputB.14 = 02a318a1579714ddac239f968564fa2768d5099c237237ac15aba9bddc EntropyPredictionResistanceB.14 = 0d18ee1fdb9dc23c66aea587fa59cc9c65da7690a7a780bc64727fa3fb22602301911ed3f99fd712 Output.14 = 992397ec168448c4521560085f3956d2fc583bda1924b29fddd081dfcc056a0dcaaf3edd1a84158b6b7e5737d37535fbbd6258319b7458c5524cd0061a8850e8 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 1 @@ -54869,7 +54744,6 @@ EntropyPredictionResistanceA.14 = ad927a71c6390c5613a7c14780abe6d266b2d126aa49f2 EntropyPredictionResistanceB.14 = 152ec7c0d26eab6de29d3d2ef321281297bd2591be887318712ccdbbd3ecfc1c9250f99a226fc9b8 Output.14 = 0ad1101454cfe091f1456383eeb1e7a968328da150f1166b89e7c202daf5e42324314c43fd1da6de3feb9ffcf82cf217bbcdf5c96864c227246306f0c975c4c8 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 1 @@ -54965,7 +54839,6 @@ AdditionalInputB.14 = 3f5221732e417fe4234626d8b4fe5dce8d0974a7551c4e7b9eb827f32c EntropyPredictionResistanceB.14 = 1d81b5e14e9f995cf19771d54877e97b2d4f551c36033874fcf3a4814312d7064acc2556ea5e0fdc Output.14 = c6d9cb21922398c6a63e4d17f0f69f1d4c1b4998d73828d43ea1f69acad5b1d94800a6976c09a8b5befa2b0c82877874eaed15027f9f7dad3bffa005e49758a0 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 1 @@ -55046,7 +54919,6 @@ EntropyPredictionResistanceA.14 = 21db28b5cb9724d93c58f787b155f0131c39b5606e6a96 EntropyPredictionResistanceB.14 = 4aa587edcb940c3a9328a0ef2f195effc1cf027b549ff1ec5d5cac0e996196eacd16108498b27366 Output.14 = 69dc6c36459e005275e344886624ca61a42cba3387dcee79392ae96a311313dc7e33283605fb46aa1d881bccaec6336a61545dac52166cbf8174b8dca3ebfbc6 -Availablein = default RAND = CTR-DRBG Cipher = AES-192-CTR PredictionResistance = 1 @@ -55157,7 +55029,6 @@ AdditionalInputB.14 = 3dc3ef9447ffddf64c3ca0569afcf8e5d491a9571b9a1fa251e0684d3a EntropyPredictionResistanceB.14 = 140636342e9ebb2bae8a87b5d8193a59b75b12318e7094975bed5ce2d23a58b4a021496e820a1b35 Output.14 = b72e486984d1273fa7865a2a43a830b625e394cccf169610ad2714b5b64ef6473f53e62aaffc85bfa2b155bf81830abfc528a80c17f2e325bb7ac9197e5a1099 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 1 @@ -55223,7 +55094,6 @@ EntropyPredictionResistanceA.14 = 6f16ff94cb8ade7a928b9a59af32ea79944e6890a003b0 EntropyPredictionResistanceB.14 = c73fe23a8ba2bb780178342598252e9ce3de907c4fc1cd632b353cf959ff610f23a8a2b0424ad137aec7da42f8c9f2da Output.14 = 8f7261edf6d10824218ad0b10881e3c1251637bbb71d0f35280caec7de254e07147f33288b5c60794060b59e6f5cc2938e4c29de1e4d5d4d3bde3f27c3fab92d -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 1 @@ -55319,7 +55189,6 @@ AdditionalInputB.14 = da29846d4d48e3eeac71ab07fae9b9dbb6c5d83cffb75c67be10bb15e6 EntropyPredictionResistanceB.14 = 0d9037cf745b3cf41628eb1538bb71b59116da1049ecd36d12d344c5a17e471c8c4e72cfdc7ca0538c81085952241d68 Output.14 = 7a7ed6e632630ffcf32f0373deb2c67c6dcb77f04f1991f89d5d25a3a8c390ac8ac373b66c5da990c3fe28cd93f3a4f8e5594cae25498ed73f5f001b83179b0c -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 1 @@ -55400,7 +55269,6 @@ EntropyPredictionResistanceA.14 = 2b3877ed4d1b3174d36e784ad7b6b7991dd52979ca5b1c EntropyPredictionResistanceB.14 = 91d421c3eb04de94099a7467254bad70e236d5c27616f766e85b4de3965001db854e61a80bfec2eacb4ff93ecafb8b83 Output.14 = ed703d9273bb9462ac400ee8d587ea3c4d6c27aa014defcb6ca6fe885272bcb4b6ba0822f42941071bf635b41d997c631b680d91b23ee48351041dc274900821 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 1 @@ -55511,7 +55379,6 @@ AdditionalInputB.14 = 4f23641093342d946d3a956c456dba18bd42de21cb2494f6310da7d20a EntropyPredictionResistanceB.14 = 843e7cac38b659a611dc4af4bd228ebc0cd9073ee98350d04da61f77db66c0c70872153d9fa2af4bc583ac2cf79d506e Output.14 = 6754a72f7fe23ea607ef0ae61a61eb3afc562c5227670572b7ff2dcecf3dcb4194829d29fcf9b100412aa0ee87611ab534896f80f47cff40b7f76e0ea46b3d41 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 1 @@ -55577,7 +55444,6 @@ EntropyPredictionResistanceA.14 = b8ef0d478028f0c55dd13861281489e6c124870f0f28c8 EntropyPredictionResistanceB.14 = c12649a0f249c7f5ddb550eb527a0f720e5eaf04e6e3b96dc24881eba10ce466f67e3fe51a0342cb1a2192a555798169 Output.14 = d8c63ecb23f16ee925282b7744e8cc2c2c1deb56581cf27152118b5790cdbe682a34d91523bf0c7be4ff263aba2ffdda35e4d36a5122461b89b43069932b30a9 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 1 @@ -55673,7 +55539,6 @@ AdditionalInputB.14 = e97f7fc9e287ae947d3e937d60ece684f0c8dd9e133cbd7265b2b3e073 EntropyPredictionResistanceB.14 = 94904fbdfaf6b1d8931c15a37277814dcacc6343d48b80a1c624f8aa3733e05a52bf1f1266e2b90da5d562d7ffcbc274 Output.14 = ef2fcb4a9113e062d6cd37f51a9944645c3cce0b06e2d11a2c778bdb559a2f627c8a0e7f419660f461456064c3508df1db945af6085abaf7719e868a912df8dd -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 1 @@ -55754,7 +55619,6 @@ EntropyPredictionResistanceA.14 = c436b73aae532ffb950c6ed83753aa6df0571f11fd8e0a EntropyPredictionResistanceB.14 = d3ed7671eb3c2e0c115ec9d6d684964d39533d767413b63e0bf7c956b47205f8d5001a9650e7a1c7381f110c9ecfe92c Output.14 = f99b7d88ccfe1c84c9949c3548630ea2a9ec033543c693c5bf72a82f404c5eec5b2a09afb6c95f10b48fe4608092e7213285af83ba1304acfef846060a1cf860 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 1 @@ -55865,7 +55729,6 @@ AdditionalInputB.14 = 58a98d14625f59f7adf6a703b2e1ee21fb83f22f3694f7f06548c85804 EntropyPredictionResistanceB.14 = aec90f26f7c7853f3917de516f1ee0f85a0f3d0eb4967f6d2694552a93a25ca7fbdb4554de8acc0e60af0c5b0829cb9a Output.14 = 18d3f2396fa92b0b9e6bc7a5c0f9f8e10857c0063b4fdd8ee76d12e1205eb5e4fbe1b07ffc0ec5045eaaad608a558d1107f931c0290392166bed2d09849880a5 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 1 @@ -55931,7 +55794,6 @@ EntropyPredictionResistanceA.14 = 1e5191f18e3c049b3aa304604a42b13e87b61ab808a1f2 EntropyPredictionResistanceB.14 = a04435fab8cffaaef34f6738f2682adef4790e8e2655d5943bd5370009ede99a6da3c9ca4dc7105a1352f9bd295be419 Output.14 = 31b0234431f4ff22f0c1f5c220a5890c7efabc06974357a1ab8a79d1caa66b46b62f0b5a5b0d8010923dd86ced2f039effa2031619aafbb3d7dc9362ef04bdf3 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 1 @@ -56027,7 +55889,6 @@ AdditionalInputB.14 = b1e3c770adbc772d94edef6188d0f07ea1c25fb41dd20eefb552dead33 EntropyPredictionResistanceB.14 = ffd6fd3031397d33e382f40b6338e7e3640b9b35800d890581fad4784366a1533f38398f255dc316bde222850794e46a Output.14 = 826dc7b1c39fb4955f614fab27697ed5fa1ed8686c701ef5e03776a814bbcdf9afe49343cb53944241c30b201be6d181edd20d55fe0374a43d68205d8ef758ff -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 1 @@ -56108,7 +55969,6 @@ EntropyPredictionResistanceA.14 = 83acc7bc2f89de95c84a4450d509e7de3512ad839f832b EntropyPredictionResistanceB.14 = 95a26a2f946c03f51012bc6cda0797af89a8500394cc7f11866a861608eb97fcd2e37df3f681dc3c1b3f48bdeae119cd Output.14 = a7b6c0c8bebd7eca9357a2be02063a603c103d68a793e792497ecf66592835f1f9607dae7b98be1049514ec5ea4cdd0b41d5cbf986a3a04314515b341f0924ab -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 1 @@ -56219,7 +56079,6 @@ AdditionalInputB.14 = c0e16d4fc85cfb1c3a4f69806041c5a270d4af742292dcebeccba75e1b EntropyPredictionResistanceB.14 = a52c99a12f63c6ae4bc101ff221d7fd1b4dd79df76e38992ba3fdf380bdbad5e6aa15d0ab638e90874d81bdb2e983aba Output.14 = e728957b292565f906de0cee5bf91fbe2e189857ca5d5efefb5953a8e9f46630756ea01abf8e6fc499bc8e2e5c29c62669bc07ccfbdc7951215f8ba7f1bc815e -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 1 @@ -56285,7 +56144,6 @@ EntropyPredictionResistanceA.14 = cd66ebf08c99f9c04c1effc078717b4f24422f111591a0 EntropyPredictionResistanceB.14 = 60c6f9f07f75f1a80188b32d07c2895872c4e8b92a19ac6c2a29bc807f99fb4af75b6aed8e6f75c9a6b1559b48f128e9 Output.14 = 2d20709ea0ff7a624ea1e37d80c65c25eaed85af45ef1a092ea7b97c49c912a0f0fc62d29ff4e4182c6bb12676cab3711c2b8db265cd9f81569a300b99fac43e -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 1 @@ -56381,7 +56239,6 @@ AdditionalInputB.14 = dbe91ffe3bfb719bebbb0e3bb60aa907ca6e0411c05a7ded766674cd4d EntropyPredictionResistanceB.14 = ca5099749aa7f195e0fde5262c56ad35c1d52069001fbb6580d478f50d1d69f6941d7ea4fa66e4741cad701a67f92933 Output.14 = a135641f33e2aa5975a3be70b05e0b8c48372ef7c6768eed8e6c2b4e91d9153eead217ea47bf96b1412af4e08c3114d2c85f2e29fbe93c26014677bd14266ecf -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 1 @@ -56462,7 +56319,6 @@ EntropyPredictionResistanceA.14 = c3444261962386b57d6c5f125dc3043678afe1962d55d9 EntropyPredictionResistanceB.14 = 1fd895068aec8df2684784007949e0370578676c6537a09dd90567b95f6138809e70bcc9fc9efc03dfd83f0367784bde Output.14 = 894f3bc0fcbdb76b01df80f05d0ca636bd51438f5ee28250f27e8e47968c9c86a847970090d51b0a60984ebb5079017a5c5bac394e9644befc566edd4768d919 -Availablein = default RAND = CTR-DRBG Cipher = AES-256-CTR PredictionResistance = 1 From pauli at openssl.org Wed Jul 21 04:12:19 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 21 Jul 2021 04:12:19 +0000 Subject: [openssl] master update Message-ID: <1626840739.471573.27802.nullmailer@dev.openssl.org> The branch master has been updated via 0c48fda8d38ab91356c725e00ebcbbcad9ef0302 (commit) from fd76ee47b951657cf1366fd6297bb3a85aecb169 (commit) - Log ----------------------------------------------------------------- commit 0c48fda8d38ab91356c725e00ebcbbcad9ef0302 Author: yangyangtiantianlonglong Date: Thu Jul 15 20:15:36 2021 +0800 Add testcases for SSL_key_update() corner case calls Test that SSL_key_update() is not allowed if there are writes pending. Test that there is no reset of the packet pointer in ssl3_setup_read_buffer(). Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16085) ----------------------------------------------------------------------- Summary of changes: doc/man3/SSL_get_error.pod | 4 +- doc/man3/SSL_key_update.pod | 9 +- test/sslapitest.c | 271 +++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 274 insertions(+), 10 deletions(-) diff --git a/doc/man3/SSL_get_error.pod b/doc/man3/SSL_get_error.pod index c52fd04d07..eee1cbe643 100644 --- a/doc/man3/SSL_get_error.pod +++ b/doc/man3/SSL_get_error.pod @@ -85,7 +85,9 @@ protocol level. It is safe to call SSL_read() or SSL_read_ex() when more data is available even when the call that set this error was an SSL_write() or SSL_write_ex(). However, if the call was an SSL_write() or SSL_write_ex(), it should be called -again to continue sending the application data. +again to continue sending the application data. If you get B +from SSL_write() or SSL_write_ex() then you should not do any other operation +that could trigger B other than to repeat the previous SSL_write() call. For socket Bs (e.g. when SSL_set_fd() was used), select() or poll() on the underlying socket can be used to find out when the diff --git a/doc/man3/SSL_key_update.pod b/doc/man3/SSL_key_update.pod index f95d89e44a..24c125a8b5 100644 --- a/doc/man3/SSL_key_update.pod +++ b/doc/man3/SSL_key_update.pod @@ -32,10 +32,11 @@ peer to additionally update its sending keys. It is an error if B is set to B. SSL_key_update() must only be called after the initial handshake has been -completed and TLSv1.3 has been negotiated. The key update will not take place -until the next time an IO operation such as SSL_read_ex() or SSL_write_ex() -takes place on the connection. Alternatively SSL_do_handshake() can be called to -force the update to take place immediately. +completed and TLSv1.3 has been negotiated, at the same time, the application +needs to ensure that the writing of data has been completed. The key update +will not take place until the next time an IO operation such as SSL_read_ex() +or SSL_write_ex() takes place on the connection. Alternatively SSL_do_handshake() +can be called to force the update to take place immediately. SSL_get_key_update_type() can be used to determine whether a key update operation has been scheduled but not yet performed. The type of the pending key diff --git a/test/sslapitest.c b/test/sslapitest.c index cc11eebc54..b5212d1ace 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -6109,12 +6109,12 @@ static int test_key_update(void) } /* - * Test we can handle a KeyUpdate (update requested) message while write data - * is pending. + * Test we can handle a KeyUpdate (update requested) message while + * write data is pending in peer. * Test 0: Client sends KeyUpdate while Server is writing * Test 1: Server sends KeyUpdate while Client is writing */ -static int test_key_update_in_write(int tst) +static int test_key_update_peer_in_write(int tst) { SSL_CTX *cctx = NULL, *sctx = NULL; SSL *clientssl = NULL, *serverssl = NULL; @@ -6141,7 +6141,7 @@ static int test_key_update_in_write(int tst) peerwrite = tst == 0 ? serverssl : clientssl; if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED)) - || !TEST_true(SSL_do_handshake(peerupdate))) + || !TEST_int_eq(SSL_do_handshake(peerupdate), 1)) goto end; /* Swap the writing endpoint's write BIO to force a retry */ @@ -6192,6 +6192,264 @@ static int test_key_update_in_write(int tst) return testresult; } + +/* + * Test we can handle a KeyUpdate (update requested) message while + * peer read data is pending after peer accepted keyupdate(the msg header + * had been read 5 bytes). + * Test 0: Client sends KeyUpdate while Server is reading + * Test 1: Server sends KeyUpdate while Client is reading + */ +static int test_key_update_peer_in_read(int tst) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + char prbuf[515], lwbuf[515] = {0}; + static char *mess = "A test message"; + BIO *lbio = NULL, *pbio = NULL; + SSL *local = NULL, *peer = NULL; + + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), + TLS1_3_VERSION, + 0, + &sctx, &cctx, cert, privkey)) + || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL)) + || !TEST_true(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_NONE))) + goto end; + + local = tst == 0 ? clientssl : serverssl; + peer = tst == 0 ? serverssl : clientssl; + + if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1)) + goto end; + + SSL_set_bio(local, lbio, lbio); + SSL_set_bio(peer, pbio, pbio); + + /* + * we first write keyupdate msg then appdata in local + * write data in local will fail with SSL_ERROR_WANT_WRITE,because + * lwbuf app data msg size + key updata msg size > 512(the size of + * the bio pair buffer) + */ + if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED)) + || !TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), -1) + || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE)) + goto end; + + /* + * first read keyupdate msg in peer in peer + * then read appdata that we know will fail with SSL_ERROR_WANT_READ + */ + if (!TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), -1) + || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_READ)) + goto end; + + /* Now write some data in peer - we will write the key update */ + if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess))) + goto end; + + /* + * write data in local previously that we will complete + * read data in peer previously that we will complete + */ + if (!TEST_int_eq(SSL_write(local, lwbuf, sizeof(lwbuf)), sizeof(lwbuf)) + || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), sizeof(prbuf))) + goto end; + + /* check that sending and receiving appdata ok */ + if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)) + || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess))) + goto end; + + testresult = 1; + + end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + + return testresult; +} + +/* + * Test we can't send a KeyUpdate (update requested) message while + * local write data is pending. + * Test 0: Client sends KeyUpdate while Client is writing + * Test 1: Server sends KeyUpdate while Server is writing + */ +static int test_key_update_local_in_write(int tst) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + char buf[20]; + static char *mess = "A test message"; + BIO *bretry = BIO_new(bio_s_always_retry()); + BIO *tmp = NULL; + SSL *local = NULL, *peer = NULL; + + if (!TEST_ptr(bretry) + || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), + TLS1_3_VERSION, + 0, + &sctx, &cctx, cert, privkey)) + || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL)) + || !TEST_true(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_NONE))) + goto end; + + local = tst == 0 ? clientssl : serverssl; + peer = tst == 0 ? serverssl : clientssl; + + /* Swap the writing endpoint's write BIO to force a retry */ + tmp = SSL_get_wbio(local); + if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) { + tmp = NULL; + goto end; + } + SSL_set0_wbio(local, bretry); + bretry = NULL; + + /* write data in local will fail with SSL_ERROR_WANT_WRITE */ + if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), -1) + || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_WRITE)) + goto end; + + /* Reinstate the original writing endpoint's write BIO */ + SSL_set0_wbio(local, tmp); + tmp = NULL; + + /* SSL_key_update will fail, because writing in local*/ + if (!TEST_false(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED)) + || !TEST_int_eq(ERR_GET_REASON(ERR_peek_error()), SSL_R_BAD_WRITE_RETRY)) + goto end; + + ERR_clear_error(); + /* write data in local previously that we will complete */ + if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess))) + goto end; + + /* SSL_key_update will succeed because there is no pending write data */ + if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED)) + || !TEST_int_eq(SSL_do_handshake(local), 1)) + goto end; + + /* + * we write some appdata in local + * read data in peer - we will read the keyupdate msg + */ + if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)) + || !TEST_int_eq(SSL_read(peer, buf, sizeof(buf)), strlen(mess))) + goto end; + + /* Write more peer more data to ensure we send the keyupdate message back */ + if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)) + || !TEST_int_eq(SSL_read(local, buf, sizeof(buf)), strlen(mess))) + goto end; + + testresult = 1; + + end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + BIO_free(bretry); + BIO_free(tmp); + + return testresult; +} + +/* + * Test we can handle a KeyUpdate (update requested) message while + * local read data is pending(the msg header had been read 5 bytes). + * Test 0: Client sends KeyUpdate while Client is reading + * Test 1: Server sends KeyUpdate while Server is reading + */ +static int test_key_update_local_in_read(int tst) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + char lrbuf[515], pwbuf[515] = {0}, prbuf[20]; + static char *mess = "A test message"; + BIO *lbio = NULL, *pbio = NULL; + SSL *local = NULL, *peer = NULL; + + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), + TLS1_3_VERSION, + 0, + &sctx, &cctx, cert, privkey)) + || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL)) + || !TEST_true(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_NONE))) + goto end; + + local = tst == 0 ? clientssl : serverssl; + peer = tst == 0 ? serverssl : clientssl; + + if (!TEST_int_eq(BIO_new_bio_pair(&lbio, 512, &pbio, 512), 1)) + goto end; + + SSL_set_bio(local, lbio, lbio); + SSL_set_bio(peer, pbio, pbio); + + /* write app data in peer will fail with SSL_ERROR_WANT_WRITE */ + if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), -1) + || !TEST_int_eq(SSL_get_error(peer, -1), SSL_ERROR_WANT_WRITE)) + goto end; + + /* read appdata in local will fail with SSL_ERROR_WANT_READ */ + if (!TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), -1) + || !TEST_int_eq(SSL_get_error(local, -1), SSL_ERROR_WANT_READ)) + goto end; + + /* SSL_do_handshake will send keyupdate msg */ + if (!TEST_true(SSL_key_update(local, SSL_KEY_UPDATE_REQUESTED)) + || !TEST_int_eq(SSL_do_handshake(local), 1)) + goto end; + + /* + * write data in peer previously that we will complete + * read data in local previously that we will complete + */ + if (!TEST_int_eq(SSL_write(peer, pwbuf, sizeof(pwbuf)), sizeof(pwbuf)) + || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), sizeof(lrbuf))) + goto end; + + /* + * write data in local + * read data in peer - we will read the key update + */ + if (!TEST_int_eq(SSL_write(local, mess, strlen(mess)), strlen(mess)) + || !TEST_int_eq(SSL_read(peer, prbuf, sizeof(prbuf)), strlen(mess))) + goto end; + + /* Write more peer data to ensure we send the keyupdate message back */ + if (!TEST_int_eq(SSL_write(peer, mess, strlen(mess)), strlen(mess)) + || !TEST_int_eq(SSL_read(local, lrbuf, sizeof(lrbuf)), strlen(mess))) + goto end; + + testresult = 1; + + end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + + return testresult; +} #endif /* OSSL_NO_USABLE_TLS1_3 */ static int test_ssl_clear(int idx) @@ -9402,7 +9660,10 @@ int setup_tests(void) #ifndef OSSL_NO_USABLE_TLS1_3 ADD_ALL_TESTS(test_export_key_mat_early, 3); ADD_TEST(test_key_update); - ADD_ALL_TESTS(test_key_update_in_write, 2); + ADD_ALL_TESTS(test_key_update_peer_in_write, 2); + ADD_ALL_TESTS(test_key_update_peer_in_read, 2); + ADD_ALL_TESTS(test_key_update_local_in_write, 2); + ADD_ALL_TESTS(test_key_update_local_in_read, 2); #endif ADD_ALL_TESTS(test_ssl_clear, 2); ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test)); From scan-admin at coverity.com Wed Jul 21 07:49:48 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Wed, 21 Jul 2021 07:49:48 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60f7d19bce1ac_17bca42b02b5c5b9ac91857@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DcBTa_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFAOqi-2B2iDQ4Eg5mJKG1VQHIIdyXTQ0kK4kmm4gZr3NwzQgXJgEn98CW8utsQG0WFkLiP5AsWG9U1A-2BdncLd8qSfrqZ28KL0-2BX9C3y5RG4JAb6me-2F2S42o8izj1IARcHbkuox4Hb3twxyAOjLmdX73wU-2BLeXr-2BBaJLTBKU1PvSlLOxYoOPDcLdbypn2-2BpzvtRA-3D Build ID: 398041 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Wed Jul 21 07:53:05 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Wed, 21 Jul 2021 07:53:05 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60f7d26081428_17bdb72b02b5c5b9ac9181@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3D5I00_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFfPKFZK9A7MQi3ULSUqbGZBh2sol7dVA4OM5I4mwC-2FEPh6IPZ-2FN0lYwCgVipaQCQvCZEO22NXTN6cWP6piKDmkO7behNif3fTHyb-2Fq4eqn3EPGqFJ6xO2zhMk6UPqg-2BnSj14Tsy9AygyNsgqdTtBbDNzqYyxB8-2BedOJZznY43YLHDkcI1gEt5WyOdazbCJlP4-3D Build ID: 398042 Analysis Summary: New defects found: 0 Defects eliminated: 0 From dev at ddvo.net Wed Jul 21 09:47:17 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Wed, 21 Jul 2021 09:47:17 +0000 Subject: [openssl] master update Message-ID: <1626860837.394354.5474.nullmailer@dev.openssl.org> The branch master has been updated via 4672e5de9e22a752870c9a05e0a92faef9e6f340 (commit) via ee11462d31e0f05bc75264ab40bf90ae55cb1d7c (commit) from 0c48fda8d38ab91356c725e00ebcbbcad9ef0302 (commit) - Log ----------------------------------------------------------------- commit 4672e5de9e22a752870c9a05e0a92faef9e6f340 Author: Dr. David von Oheimb Date: Wed Jan 27 22:13:30 2021 +0100 tls_process_{client,server}_certificate(): allow verify_callback return > 1 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13937) commit ee11462d31e0f05bc75264ab40bf90ae55cb1d7c Author: Dr. David von Oheimb Date: Fri Jan 22 22:34:56 2021 +0100 SSL_CTX_set_cert_verify_callback.pod: various corrections and clarifications - Make clear the callback is called whenever a peer certificate has been received, which is independent of the verification mode. - Make clear that a return value > 1 always leads to handshake failure. - Make clear that in server mode also return values <= 0 lead to handshake failure. - For client mode replace the incorrect formulation "if B is set" by what is actually implemented: "if the verification mode is not B". - Refer to X509_STORE_CTX_set_error() rather than to internal error variable. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/13937) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 9 ++++++ doc/man3/SSL_CTX_set_cert_verify_callback.pod | 45 +++++++++++++++++---------- ssl/statem/statem_clnt.c | 4 --- ssl/statem/statem_srvr.c | 4 --- 4 files changed, 37 insertions(+), 25 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 8109e0ad8d..49031339d0 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -292,6 +292,15 @@ breaking changes, and mappings for the large list of deprecated functions. * Deprecated the obsolete X9.31 RSA key generation related functions. + * While a callback function set via `SSL_CTX_set_cert_verify_callback()` + is not allowed to return a value > 1, this is no more taken as failure. + + *Viktor Dukhovni and David von Oheimb* + + * Deprecated the obsolete X9.31 RSA key generation related functions + BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and + BN_X931_generate_prime_ex(). + *Tom?? Mr?z* * The default key generation method for the regular 2-prime RSA keys was diff --git a/doc/man3/SSL_CTX_set_cert_verify_callback.pod b/doc/man3/SSL_CTX_set_cert_verify_callback.pod index 6a482ece5a..fdeeaee6d7 100644 --- a/doc/man3/SSL_CTX_set_cert_verify_callback.pod +++ b/doc/man3/SSL_CTX_set_cert_verify_callback.pod @@ -20,20 +20,23 @@ the time when L is called. =head1 NOTES -Whenever a certificate is verified during a SSL/TLS handshake, a verification -function is called. If the application does not explicitly specify a -verification callback function, the built-in verification function is used. +When a peer certificate has been received during a SSL/TLS handshake, +a verification function is called regardless of the verification mode. +If the application does not explicitly specify a verification callback function, +the built-in verification function is used. If a verification callback I is specified via SSL_CTX_set_cert_verify_callback(), the supplied callback function is called -instead. By setting I to NULL, the default behaviour is restored. - -When the verification must be performed, I will be called with -the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The -argument I is specified by the application when setting I. - -I should return 1 to indicate verification success and 0 to -indicate verification failure. If SSL_VERIFY_PEER is set and I -returns 0, the handshake will fail. +instead with the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). +The argument I is specified by the application when setting I. +By setting I to NULL, the default behaviour is restored. + +I should return 1 to indicate verification success +and 0 to indicate verification failure. +In server mode, a return value of 0 leads to handshake failure. +In client mode, the behaviour is as follows. +All values, including 0, are ignored +if the verification mode is B. +Otherwise, when the return value is 0, the handshake will fail. In client mode I may also return -1, typically on failure verifying the server certificate. @@ -45,11 +48,18 @@ Calling L again resumes the connection attempt by retrying the server certificate verification step. This process may even be repeated if need be. -As the verification procedure may -allow the connection to continue in the case of failure (by always -returning 1) the verification result must be set in any case using the -B member of I so that the calling application -will be informed about the detailed result of the verification procedure! +In any case a viable verification result value must be reflected +in the B member of I, +which can be done using L. +This is particularly important in case +the I allows the connection to continue (by returning 1). +Note that the verification status in the store context is a possibly durable +indication of the chain's validity! +This gets recorded in the SSL session (and thus also in session tickets) +and the validity of the originally presented chain is then visible +on resumption, even though no chain is presented int that case. +Moreover, the calling application will be informed about the detailed result of +the verification procedure and may elect to base further decisions on it. Within I, I has access to the I function set using L. @@ -77,6 +87,7 @@ SSL_CTX_set_cert_verify_callback() does not provide diagnostic information. =head1 SEE ALSO L, L, +L, L, L diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index d5aa8797ff..d12d1e947e 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1884,10 +1884,6 @@ WORK_STATE tls_post_process_server_certificate(SSL *s, WORK_STATE wst) return WORK_ERROR; } ERR_clear_error(); /* but we keep s->verify_result */ - if (i > 1) { - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, i); - return WORK_ERROR; - } /* * Inconsistency alert: cert_chain does include the peer's certificate, diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 35e023b781..2be50733fe 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -3524,10 +3524,6 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) SSL_R_CERTIFICATE_VERIFY_FAILED); goto err; } - if (i > 1) { - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, i); - goto err; - } pkey = X509_get0_pubkey(sk_X509_value(sk, 0)); if (pkey == NULL) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, From pauli at openssl.org Wed Jul 21 10:05:00 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 21 Jul 2021 10:05:00 +0000 Subject: [openssl] master update Message-ID: <1626861900.429315.13683.nullmailer@dev.openssl.org> The branch master has been updated via c74188e86c78c4fa47c4a658e1355c40524fadb4 (commit) from 4672e5de9e22a752870c9a05e0a92faef9e6f340 (commit) - Log ----------------------------------------------------------------- commit c74188e86c78c4fa47c4a658e1355c40524fadb4 Author: Pauli Date: Wed Jul 21 19:25:22 2021 +1000 ci: omit tests that consume too much memory The SSL API tests and the passwd command test trigger memory leakage in the address sanitizer. Fixes #16116 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16125) ----------------------------------------------------------------------- Summary of changes: .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fa650e4d6c..a3a93b6602 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -123,7 +123,7 @@ jobs: - name: make run: make -s -j4 - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 TESTS="-test_fuzz* -test_ssl_* -test_evp -test_cmp_http -test_verify -test_cms -test_store -test_enc -[01][0-9]" + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 TESTS="-test_fuzz* -test_ssl_* -test_sslapi -test_passwd -test_evp -test_cmp_http -test_verify -test_cms -test_store -test_enc -[01][0-9]" address_ub_sanitizer: runs-on: ubuntu-latest From scan-admin at coverity.com Thu Jul 22 07:49:45 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Thu, 22 Jul 2021 07:49:45 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60f923194f0b6_1994d22b2195e6b9a011233@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DZHSa_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeH8lShX5ym73SSlyMu43Gb7mk7JLtTmi7Cv3dMDdWDk3A4Ow8aXaYEuc-2FJMdcA0epNS6eW7JD7gXK8Nt4qP-2BycL9O1eBTqItRjAppZbvZandthmUSDUq9LXOQoUfZPoXEAL0GRXVNODUhe3OvbrRpiXf-2Byf0Nne-2BtsdhQW2Ed4GiKCBZoNpcSK3NTuso-2F7z0x4-3D Build ID: 398224 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Thu Jul 22 07:52:53 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Thu, 22 Jul 2021 07:52:53 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60f923d555b95_1996002b2195e6b9a011238@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3Dxi_M_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHWSvnaGIPKTE5AFf5sTFCTJ5W-2Bthloz78hPD-2FvR5APrG0RqF0YiHpMHdtiHzRT9kmFV8LRMUlXstYu0WyWU2mo2JQUp84FyJBSv5-2B8KInT-2B-2B6rebov-2FCEECBFAeY1gEE8for-2FSEDzcgq6fuRTEz7RhHZZYd90aD9c-2Bv5-2FaMa0tmX2y1MmuKmBp84SuVV2lXkU-3D Build ID: 398225 Analysis Summary: New defects found: 0 Defects eliminated: 0 From dev at ddvo.net Thu Jul 22 08:15:33 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Thu, 22 Jul 2021 08:15:33 +0000 Subject: [openssl] master update Message-ID: <1626941733.446970.17426.nullmailer@dev.openssl.org> The branch master has been updated via 981a5b7ce3bcdf4748162073c3dbd096c82d3c69 (commit) from c74188e86c78c4fa47c4a658e1355c40524fadb4 (commit) - Log ----------------------------------------------------------------- commit 981a5b7ce3bcdf4748162073c3dbd096c82d3c69 Author: Dr. David von Oheimb Date: Tue Jul 20 11:19:39 2021 +0200 OSSL_HTTP_open(): Fix memory leak on TLS connect failure via proxy Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16119) ----------------------------------------------------------------------- Summary of changes: crypto/http/http_client.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c index 779e4b7203..bb80836cd1 100644 --- a/crypto/http/http_client.c +++ b/crypto/http/http_client.c @@ -926,7 +926,8 @@ OSSL_HTTP_REQ_CTX *OSSL_HTTP_open(const char *server, const char *port, cbio = (*bio_update_fn)(cbio, arg, 1 /* connect */, use_ssl); if (cbio == NULL) { - cbio = orig_bio; + if (bio == NULL) /* cbio was not provided by caller */ + BIO_free_all(orig_bio); goto end; } } From tomas at openssl.org Thu Jul 22 11:53:26 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Thu, 22 Jul 2021 11:53:26 +0000 Subject: [openssl] master update Message-ID: <1626954806.133445.31616.nullmailer@dev.openssl.org> The branch master has been updated via a983764e17551b2988bd684279ac9e9077d84601 (commit) via 929f651eaa763625eab602516706a1bf4ba3bc32 (commit) via 5dc6489bb6026b679eb6cbe696e4227da9c7032e (commit) from 981a5b7ce3bcdf4748162073c3dbd096c82d3c69 (commit) - Log ----------------------------------------------------------------- commit a983764e17551b2988bd684279ac9e9077d84601 Author: Matt Caswell Date: Tue Jul 20 16:18:58 2021 +0100 Add a test for custom EVP_PKEY_METHODs Adds a test for using custom EVP_PKEY_METHODs without an ENGINE. As part of this we also test having a custom EVP_PKEY_METHOD that wraps a built-in EVP_PKEY_METHOD. We do this for both legacy and provided keys. Reviewed-by: Paul Dale Reviewed-by: Nicola Tuveri Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16118) commit 929f651eaa763625eab602516706a1bf4ba3bc32 Author: Matt Caswell Date: Mon Jul 19 16:17:50 2021 +0100 Fix custom EVP_PKEY_METHOD implementations where no engine is present It is possible to have a custom EVP_PKEY_METHOD implementation without having an engine. In those cases we were failing to use that custom implementation. Fixes #16088 Reviewed-by: Paul Dale Reviewed-by: Nicola Tuveri Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16118) commit 5dc6489bb6026b679eb6cbe696e4227da9c7032e Author: Matt Caswell Date: Tue Jul 20 09:58:53 2021 +0100 Update our EVP_PKEY_METHODs to get low level keys via public APIs It is possible to call built-in EVP_PKEY_METHOD functions with a provided key. For example this might occur if a custom EVP_PKEY_METHOD is in use that wraps a built-in EVP_PKEY_METHOD. Therefore our EVP_PKEY_METHOD functions should not assume that we are using a legacy key. Instead we get the low level key using EVP_PKEY_get0_RSA() or other similar functions. This "does the right thing" if the key is actually provided. Reviewed-by: Paul Dale Reviewed-by: Nicola Tuveri Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16118) ----------------------------------------------------------------------- Summary of changes: crypto/dh/dh_pmeth.c | 4 +- crypto/dsa/dsa_pmeth.c | 16 ++- crypto/ec/ec_pmeth.c | 30 ++++- crypto/ec/ecx_meth.c | 20 +-- crypto/evp/pmeth_lib.c | 43 +++---- crypto/rsa/rsa_pmeth.c | 67 ++++++---- include/crypto/evp.h | 13 +- test/evp_extra_test.c | 328 +++++++++++++++++++++++++++++++++++++++++++++++++ 8 files changed, 443 insertions(+), 78 deletions(-) diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c index f742bf75cf..1ad50b850d 100644 --- a/crypto/dh/dh_pmeth.c +++ b/crypto/dh/dh_pmeth.c @@ -392,7 +392,7 @@ static int pkey_dh_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) /* Note: if error return, pkey is freed by parent routine */ if (ctx->pkey != NULL && !EVP_PKEY_copy_parameters(pkey, ctx->pkey)) return 0; - return DH_generate_key(pkey->pkey.dh); + return DH_generate_key((DH *)EVP_PKEY_get0_DH(pkey)); } static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key, @@ -408,7 +408,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key, ERR_raise(ERR_LIB_DH, DH_R_KEYS_NOT_SET); return 0; } - dh = ctx->pkey->pkey.dh; + dh = (DH *)EVP_PKEY_get0_DH(ctx->pkey); dhpub = EVP_PKEY_get0_DH(ctx->peerkey); if (dhpub == NULL) { ERR_raise(ERR_LIB_DH, DH_R_KEYS_NOT_SET); diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c index ffb19da580..ba6be720a2 100644 --- a/crypto/dsa/dsa_pmeth.c +++ b/crypto/dsa/dsa_pmeth.c @@ -81,7 +81,12 @@ static int pkey_dsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, int ret; unsigned int sltmp; DSA_PKEY_CTX *dctx = ctx->data; - DSA *dsa = ctx->pkey->pkey.dsa; + /* + * Discard const. Its marked as const because this may be a cached copy of + * the "real" key. These calls don't make any modifications that need to + * be reflected back in the "original" key. + */ + DSA *dsa = (DSA *)EVP_PKEY_get0_DSA(ctx->pkey); if (dctx->md != NULL && tbslen != (size_t)EVP_MD_get_size(dctx->md)) return 0; @@ -100,7 +105,12 @@ static int pkey_dsa_verify(EVP_PKEY_CTX *ctx, { int ret; DSA_PKEY_CTX *dctx = ctx->data; - DSA *dsa = ctx->pkey->pkey.dsa; + /* + * Discard const. Its marked as const because this may be a cached copy of + * the "real" key. These calls don't make any modifications that need to + * be reflected back in the "original" key. + */ + DSA *dsa = (DSA *)EVP_PKEY_get0_DSA(ctx->pkey); if (dctx->md != NULL && tbslen != (size_t)EVP_MD_get_size(dctx->md)) return 0; @@ -245,7 +255,7 @@ static int pkey_dsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) /* Note: if error return, pkey is freed by parent routine */ if (!EVP_PKEY_copy_parameters(pkey, ctx->pkey)) return 0; - return DSA_generate_key(pkey->pkey.dsa); + return DSA_generate_key((DSA *)EVP_PKEY_get0_DSA(pkey)); } static const EVP_PKEY_METHOD dsa_pkey_meth = { diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c index ce658e14ca..19e2f0d0c0 100644 --- a/crypto/ec/ec_pmeth.c +++ b/crypto/ec/ec_pmeth.c @@ -109,7 +109,12 @@ static int pkey_ec_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, int ret, type; unsigned int sltmp; EC_PKEY_CTX *dctx = ctx->data; - EC_KEY *ec = ctx->pkey->pkey.ec; + /* + * Discard const. Its marked as const because this may be a cached copy of + * the "real" key. These calls don't make any modifications that need to + * be reflected back in the "original" key. + */ + EC_KEY *ec = (EC_KEY *)EVP_PKEY_get0_EC_KEY(ctx->pkey); const int sig_sz = ECDSA_size(ec); /* ensure cast to size_t is safe */ @@ -142,7 +147,12 @@ static int pkey_ec_verify(EVP_PKEY_CTX *ctx, { int ret, type; EC_PKEY_CTX *dctx = ctx->data; - EC_KEY *ec = ctx->pkey->pkey.ec; + /* + * Discard const. Its marked as const because this may be a cached copy of + * the "real" key. These calls don't make any modifications that need to + * be reflected back in the "original" key. + */ + EC_KEY *ec = (EC_KEY *)EVP_PKEY_get0_EC_KEY(ctx->pkey); if (dctx->md) type = EVP_MD_get_type(dctx->md); @@ -174,7 +184,8 @@ static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen) return 0; } - eckey = dctx->co_key ? dctx->co_key : ctx->pkey->pkey.ec; + eckey = dctx->co_key ? dctx->co_key + : (EC_KEY *)EVP_PKEY_get0_EC_KEY(ctx->pkey); if (!key) { const EC_GROUP *group; @@ -266,14 +277,23 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) if (dctx->cofactor_mode != -1) return dctx->cofactor_mode; else { - EC_KEY *ec_key = ctx->pkey->pkey.ec; + const EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(ctx->pkey); return EC_KEY_get_flags(ec_key) & EC_FLAG_COFACTOR_ECDH ? 1 : 0; } } else if (p1 < -1 || p1 > 1) return -2; dctx->cofactor_mode = p1; if (p1 != -1) { - EC_KEY *ec_key = ctx->pkey->pkey.ec; + EC_KEY *ec_key = (EC_KEY *)EVP_PKEY_get0_EC_KEY(ctx->pkey); + + /* + * We discarded the "const" above. This will only work if the key is + * a "real" legacy key, and not a cached copy of a provided key + */ + if (evp_pkey_is_provided(ctx->pkey)) { + ERR_raise(ERR_LIB_EC, ERR_R_UNSUPPORTED); + return 0; + } if (!ec_key->group) return -2; /* If cofactor is 1 cofactor mode does nothing */ diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c index c4bbb0a535..9098decf2f 100644 --- a/crypto/ec/ecx_meth.c +++ b/crypto/ec/ecx_meth.c @@ -732,8 +732,8 @@ static int validate_ecx_derive(EVP_PKEY_CTX *ctx, unsigned char *key, ERR_raise(ERR_LIB_EC, EC_R_KEYS_NOT_SET); return 0; } - ecxkey = ctx->pkey->pkey.ecx; - peerkey = EVP_PKEY_get0(ctx->peerkey); + ecxkey = evp_pkey_get_legacy(ctx->pkey); + peerkey = evp_pkey_get_legacy(ctx->peerkey); if (ecxkey == NULL || ecxkey->privkey == NULL) { ERR_raise(ERR_LIB_EC, EC_R_INVALID_PRIVATE_KEY); return 0; @@ -806,7 +806,7 @@ static int pkey_ecd_digestsign25519(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen, const unsigned char *tbs, size_t tbslen) { - const ECX_KEY *edkey = EVP_MD_CTX_get_pkey_ctx(ctx)->pkey->pkey.ecx; + const ECX_KEY *edkey = evp_pkey_get_legacy(EVP_MD_CTX_get_pkey_ctx(ctx)->pkey); if (sig == NULL) { *siglen = ED25519_SIGSIZE; @@ -828,7 +828,7 @@ static int pkey_ecd_digestsign448(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen, const unsigned char *tbs, size_t tbslen) { - const ECX_KEY *edkey = EVP_MD_CTX_get_pkey_ctx(ctx)->pkey->pkey.ecx; + const ECX_KEY *edkey = evp_pkey_get_legacy(EVP_MD_CTX_get_pkey_ctx(ctx)->pkey); if (sig == NULL) { *siglen = ED448_SIGSIZE; @@ -850,7 +850,7 @@ static int pkey_ecd_digestverify25519(EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen, const unsigned char *tbs, size_t tbslen) { - const ECX_KEY *edkey = EVP_MD_CTX_get_pkey_ctx(ctx)->pkey->pkey.ecx; + const ECX_KEY *edkey = evp_pkey_get_legacy(EVP_MD_CTX_get_pkey_ctx(ctx)->pkey); if (siglen != ED25519_SIGSIZE) return 0; @@ -863,7 +863,7 @@ static int pkey_ecd_digestverify448(EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen, const unsigned char *tbs, size_t tbslen) { - const ECX_KEY *edkey = EVP_MD_CTX_get_pkey_ctx(ctx)->pkey->pkey.ecx; + const ECX_KEY *edkey = evp_pkey_get_legacy(EVP_MD_CTX_get_pkey_ctx(ctx)->pkey); if (siglen != ED448_SIGSIZE) return 0; @@ -1177,7 +1177,7 @@ static int s390x_pkey_ecd_digestsign25519(EVP_MD_CTX *ctx, } ed25519; unsigned long long buff[512]; } param; - const ECX_KEY *edkey = EVP_MD_CTX_get_pkey_ctx(ctx)->pkey->pkey.ecx; + const ECX_KEY *edkey = evp_pkey_get_legacy(EVP_MD_CTX_get_pkey_ctx(ctx)->pkey); int rc; if (sig == NULL) { @@ -1217,7 +1217,7 @@ static int s390x_pkey_ecd_digestsign448(EVP_MD_CTX *ctx, } ed448; unsigned long long buff[512]; } param; - const ECX_KEY *edkey = EVP_MD_CTX_get_pkey_ctx(ctx)->pkey->pkey.ecx; + const ECX_KEY *edkey = evp_pkey_get_legacy(EVP_MD_CTX_get_pkey_ctx(ctx)->pkey); int rc; if (sig == NULL) { @@ -1260,7 +1260,7 @@ static int s390x_pkey_ecd_digestverify25519(EVP_MD_CTX *ctx, } ed25519; unsigned long long buff[512]; } param; - const ECX_KEY *edkey = EVP_MD_CTX_get_pkey_ctx(ctx)->pkey->pkey.ecx; + const ECX_KEY *edkey = evp_pkey_get_legacy(EVP_MD_CTX_get_pkey_ctx(ctx)->pkey); if (siglen != ED25519_SIGSIZE) return 0; @@ -1287,7 +1287,7 @@ static int s390x_pkey_ecd_digestverify448(EVP_MD_CTX *ctx, } ed448; unsigned long long buff[512]; } param; - const ECX_KEY *edkey = EVP_MD_CTX_get_pkey_ctx(ctx)->pkey->pkey.ecx; + const ECX_KEY *edkey = evp_pkey_get_legacy(EVP_MD_CTX_get_pkey_ctx(ctx)->pkey); if (siglen != ED448_SIGSIZE) return 0; diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index c214163588..040a1a8d10 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -184,36 +184,33 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx, { EVP_PKEY_CTX *ret = NULL; - const EVP_PKEY_METHOD *pmeth = NULL; + const EVP_PKEY_METHOD *pmeth = NULL, *app_pmeth = NULL; EVP_KEYMGMT *keymgmt = NULL; - /* - * If the given |pkey| is provided, we extract the keytype from its - * keymgmt and skip over the legacy code. - */ - if (pkey != NULL && evp_pkey_is_provided(pkey)) { - /* If we have an engine, something went wrong somewhere... */ - if (!ossl_assert(e == NULL)) - return NULL; - keytype = EVP_KEYMGMT_get0_name(pkey->keymgmt); - goto common; - } - -#ifndef FIPS_MODULE /* Code below to be removed when legacy support is dropped. */ /* BEGIN legacy */ if (id == -1) { - if (pkey != NULL) + if (pkey != NULL && !evp_pkey_is_provided(pkey)) { id = pkey->type; - else if (keytype != NULL) - id = evp_pkey_name2type(keytype); - if (id == NID_undef) - id = -1; + } else { + if (pkey != NULL) { + /* Must be provided if we get here */ + keytype = EVP_KEYMGMT_get0_name(pkey->keymgmt); + } +#ifndef FIPS_MODULE + if (keytype != NULL) { + id = evp_pkey_name2type(keytype); + if (id == NID_undef) + id = -1; + } +#endif + } } /* If no ID was found here, we can only resort to find a keymgmt */ if (id == -1) goto common; +#ifndef FIPS_MODULE /* * Here, we extract what information we can for the purpose of * supporting usage with implementations from providers, to make @@ -253,16 +250,16 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx, pmeth = EVP_PKEY_meth_find(id); else # endif - pmeth = evp_pkey_meth_find_added_by_application(id); + app_pmeth = pmeth = evp_pkey_meth_find_added_by_application(id); /* END legacy */ #endif /* FIPS_MODULE */ common: /* - * If there's no engine and there's a name, we try fetching a provider - * implementation. + * If there's no engine and no app supplied pmeth and there's a name, we try + * fetching a provider implementation. */ - if (e == NULL && keytype != NULL) { + if (e == NULL && app_pmeth == NULL && keytype != NULL) { keymgmt = EVP_KEYMGMT_fetch(libctx, keytype, propquery); if (keymgmt == NULL) return NULL; /* EVP_KEYMGMT_fetch() recorded an error */ diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c index 110d998ebd..44c819a5c3 100644 --- a/crypto/rsa/rsa_pmeth.c +++ b/crypto/rsa/rsa_pmeth.c @@ -111,7 +111,8 @@ static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) { if (ctx->tbuf != NULL) return 1; - if ((ctx->tbuf = OPENSSL_malloc(RSA_size(pk->pkey->pkey.rsa))) == NULL) { + if ((ctx->tbuf = + OPENSSL_malloc(RSA_size(EVP_PKEY_get0_RSA(pk->pkey)))) == NULL) { ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); return 0; } @@ -135,7 +136,12 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, { int ret; RSA_PKEY_CTX *rctx = ctx->data; - RSA *rsa = ctx->pkey->pkey.rsa; + /* + * Discard const. Its marked as const because this may be a cached copy of + * the "real" key. These calls don't make any modifications that need to + * be reflected back in the "original" key. + */ + RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey); if (rctx->md) { if (tbslen != (size_t)EVP_MD_get_size(rctx->md)) { @@ -147,8 +153,7 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, unsigned int sltmp; if (rctx->pad_mode != RSA_PKCS1_PADDING) return -1; - ret = RSA_sign_ASN1_OCTET_STRING(0, - tbs, tbslen, sig, &sltmp, rsa); + ret = RSA_sign_ASN1_OCTET_STRING(0, tbs, tbslen, sig, &sltmp, rsa); if (ret <= 0) return ret; @@ -187,8 +192,7 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, return -1; } } else { - ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa, - rctx->pad_mode); + ret = RSA_private_encrypt(tbslen, tbs, sig, rsa, rctx->pad_mode); } if (ret < 0) return ret; @@ -202,13 +206,18 @@ static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, { int ret; RSA_PKEY_CTX *rctx = ctx->data; + /* + * Discard const. Its marked as const because this may be a cached copy of + * the "real" key. These calls don't make any modifications that need to + * be reflected back in the "original" key. + */ + RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey); if (rctx->md) { if (rctx->pad_mode == RSA_X931_PADDING) { if (!setup_tbuf(rctx, ctx)) return -1; - ret = RSA_public_decrypt(siglen, sig, - rctx->tbuf, ctx->pkey->pkey.rsa, + ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa, RSA_X931_PADDING); if (ret < 1) return 0; @@ -227,7 +236,7 @@ static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, size_t sltmp; ret = ossl_rsa_verify(EVP_MD_get_type(rctx->md), NULL, 0, rout, &sltmp, - sig, siglen, ctx->pkey->pkey.rsa); + sig, siglen, rsa); if (ret <= 0) return 0; ret = sltmp; @@ -235,8 +244,7 @@ static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, return -1; } } else { - ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa, - rctx->pad_mode); + ret = RSA_public_decrypt(siglen, sig, rout, rsa, rctx->pad_mode); } if (ret < 0) return ret; @@ -249,7 +257,12 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *tbs, size_t tbslen) { RSA_PKEY_CTX *rctx = ctx->data; - RSA *rsa = ctx->pkey->pkey.rsa; + /* + * Discard const. Its marked as const because this may be a cached copy of + * the "real" key. These calls don't make any modifications that need to + * be reflected back in the "original" key. + */ + RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey); size_t rslen; if (rctx->md) { @@ -302,9 +315,15 @@ static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, { int ret; RSA_PKEY_CTX *rctx = ctx->data; + /* + * Discard const. Its marked as const because this may be a cached copy of + * the "real" key. These calls don't make any modifications that need to + * be reflected back in the "original" key. + */ + RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey); if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { - int klen = RSA_size(ctx->pkey->pkey.rsa); + int klen = RSA_size(rsa); if (!setup_tbuf(rctx, ctx)) return -1; if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen, @@ -313,11 +332,9 @@ static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, rctx->oaep_labellen, rctx->md, rctx->mgf1md)) return -1; - ret = RSA_public_encrypt(klen, rctx->tbuf, out, - ctx->pkey->pkey.rsa, RSA_NO_PADDING); + ret = RSA_public_encrypt(klen, rctx->tbuf, out, rsa, RSA_NO_PADDING); } else { - ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, - rctx->pad_mode); + ret = RSA_public_encrypt(inlen, in, out, rsa, rctx->pad_mode); } if (ret < 0) return ret; @@ -331,12 +348,17 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, { int ret; RSA_PKEY_CTX *rctx = ctx->data; + /* + * Discard const. Its marked as const because this may be a cached copy of + * the "real" key. These calls don't make any modifications that need to + * be reflected back in the "original" key. + */ + RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(ctx->pkey); if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { if (!setup_tbuf(rctx, ctx)) return -1; - ret = RSA_private_decrypt(inlen, in, rctx->tbuf, - ctx->pkey->pkey.rsa, RSA_NO_PADDING); + ret = RSA_private_decrypt(inlen, in, rctx->tbuf, rsa, RSA_NO_PADDING); if (ret <= 0) return ret; ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf, @@ -345,8 +367,7 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, rctx->oaep_labellen, rctx->md, rctx->mgf1md); } else { - ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, - rctx->pad_mode); + ret = RSA_private_decrypt(inlen, in, out, rsa, rctx->pad_mode); } *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); ret = constant_time_select_int(constant_time_msb(ret), ret, 1); @@ -805,7 +826,7 @@ const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void) static int pkey_pss_init(EVP_PKEY_CTX *ctx) { - RSA *rsa; + const RSA *rsa; RSA_PKEY_CTX *rctx = ctx->data; const EVP_MD *md; const EVP_MD *mgf1md; @@ -814,7 +835,7 @@ static int pkey_pss_init(EVP_PKEY_CTX *ctx) /* Should never happen */ if (!pkey_ctx_is_pss(ctx)) return 0; - rsa = ctx->pkey->pkey.rsa; + rsa = EVP_PKEY_get0_RSA(ctx->pkey); /* If no restrictions just return */ if (rsa->pss == NULL) return 1; diff --git a/include/crypto/evp.h b/include/crypto/evp.h index 3707977d9d..68aab33cae 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h @@ -22,19 +22,8 @@ */ #define EVP_MD_CTX_FLAG_KEEP_PKEY_CTX 0x0400 -/* - * An EVP_PKEY_CTX can have the following support states: - * - * Supports legacy implementations only: - * - * engine != NULL || keytype == NULL - * - * Supports provided implementations: - * - * engine == NULL && keytype != NULL - */ #define evp_pkey_ctx_is_legacy(ctx) \ - ((ctx)->engine != NULL || (ctx)->keytype == NULL) + ((ctx)->keymgmt == NULL) #define evp_pkey_ctx_is_provided(ctx) \ (!evp_pkey_ctx_is_legacy(ctx)) diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index f10e0077ec..5358a54a6d 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -400,6 +400,47 @@ static const unsigned char kExampleED25519PubKeyDER[] = { 0x97, 0xa3, 0x08, 0xdc, 0x65, 0x80, 0x39, 0x29 }; +# ifndef OPENSSL_NO_DEPRECATED_3_0 +static const unsigned char kExampleX25519KeyDER[] = { + 0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x6e, + 0x04, 0x22, 0x04, 0x20, 0xa0, 0x24, 0x3a, 0x31, 0x24, 0xc3, 0x3f, 0xf6, + 0x7b, 0x96, 0x0b, 0xd4, 0x8f, 0xd1, 0xee, 0x67, 0xf2, 0x9b, 0x88, 0xac, + 0x50, 0xce, 0x97, 0x36, 0xdd, 0xaf, 0x25, 0xf6, 0x10, 0x34, 0x96, 0x6e +}; +# endif +#endif + +/* kExampleDHKeyDER is a DH private key in ASN.1, DER format. */ +#ifndef OPENSSL_NO_DEPRECATED_3_0 +# ifndef OPENSSL_NO_DH +static const unsigned char kExampleDHKeyDER[] = { + 0x30, 0x82, 0x01, 0x21, 0x02, 0x01, 0x00, 0x30, 0x81, 0x95, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x03, 0x01, 0x30, 0x81, 0x87, + 0x02, 0x81, 0x81, 0x00, 0xf7, 0x52, 0xc2, 0x68, 0xcc, 0x66, 0xc4, 0x8d, + 0x03, 0x3f, 0xfa, 0x9c, 0x52, 0xd0, 0xd8, 0x33, 0xf2, 0xe1, 0xc9, 0x9e, + 0xb7, 0xe7, 0x6e, 0x90, 0x97, 0xeb, 0x92, 0x91, 0x6a, 0x9a, 0x85, 0x63, + 0x92, 0x79, 0xab, 0xb6, 0x3d, 0x23, 0x58, 0x5a, 0xe8, 0x45, 0x06, 0x81, + 0x97, 0x77, 0xe1, 0xcc, 0x34, 0x4e, 0xae, 0x36, 0x80, 0xf2, 0xc4, 0x7f, + 0x8a, 0x52, 0xb8, 0xdb, 0x58, 0xc8, 0x4b, 0x12, 0x4c, 0xf1, 0x4c, 0x53, + 0xc1, 0x89, 0x39, 0x8d, 0xb6, 0x06, 0xd8, 0xea, 0x7f, 0x2d, 0x36, 0x53, + 0x96, 0x29, 0xbe, 0xb6, 0x75, 0xfc, 0xe7, 0xf3, 0x36, 0xd6, 0xf4, 0x8f, + 0x16, 0xa6, 0xc7, 0xec, 0x7b, 0xce, 0x42, 0x8d, 0x48, 0x2e, 0xb7, 0x74, + 0x00, 0x11, 0x52, 0x61, 0xb4, 0x19, 0x35, 0xec, 0x5c, 0xe4, 0xbe, 0x34, + 0xc6, 0x59, 0x64, 0x5e, 0x42, 0x61, 0x70, 0x54, 0xf4, 0xe9, 0x6b, 0x53, + 0x02, 0x01, 0x02, 0x04, 0x81, 0x83, 0x02, 0x81, 0x80, 0x64, 0xc2, 0xe3, + 0x09, 0x69, 0x37, 0x3c, 0xd2, 0x4a, 0xba, 0xc3, 0x78, 0x6a, 0x9b, 0x8a, + 0x2a, 0xdb, 0xe7, 0xe6, 0xc0, 0xfa, 0x3a, 0xbe, 0x39, 0x67, 0xc0, 0xa9, + 0x2a, 0xf0, 0x0a, 0xc1, 0x53, 0x1c, 0xdb, 0xfa, 0x1a, 0x26, 0x98, 0xb0, + 0x8c, 0xc6, 0x06, 0x4a, 0xa2, 0x48, 0xd3, 0xa4, 0x3b, 0xbd, 0x05, 0x48, + 0xea, 0x59, 0xdb, 0x18, 0xa4, 0xca, 0x66, 0xd9, 0x5d, 0xb8, 0x95, 0xd1, + 0xeb, 0x97, 0x3d, 0x66, 0x97, 0x5c, 0x86, 0x8f, 0x7e, 0x90, 0xd3, 0x43, + 0xd1, 0xa2, 0x0d, 0xcb, 0xe7, 0xeb, 0x90, 0xea, 0x09, 0x40, 0xb1, 0x6f, + 0xf7, 0x4c, 0xf2, 0x41, 0x83, 0x1d, 0xd0, 0x76, 0xef, 0xaf, 0x55, 0x6f, + 0x5d, 0xa9, 0xa3, 0x55, 0x81, 0x2a, 0xd1, 0x5d, 0x9d, 0x22, 0x77, 0x97, + 0x83, 0xde, 0xad, 0xb6, 0x5d, 0x19, 0xc1, 0x53, 0xec, 0xfb, 0xaf, 0x06, + 0x2e, 0x87, 0x2a, 0x0b, 0x7a +}; +# endif #endif static const unsigned char kCFBDefaultKey[] = { @@ -558,6 +599,36 @@ static EVP_PKEY *load_example_dsa_key(void) } #endif +#ifndef OPENSSL_NO_DEPRECATED_3_0 +# ifndef OPENSSL_NO_DH +static EVP_PKEY *load_example_dh_key(void) +{ + return load_example_key("DH", kExampleDHKeyDER, + sizeof(kExampleDHKeyDER)); +} +# endif + +# ifndef OPENSSL_NO_EC +static EVP_PKEY *load_example_ec_key(void) +{ + return load_example_key("EC", kExampleECKeyDER, + sizeof(kExampleECKeyDER)); +} + +static EVP_PKEY *load_example_ed25519_key(void) +{ + return load_example_key("ED25519", kExampleED25519KeyDER, + sizeof(kExampleED25519KeyDER)); +} + +static EVP_PKEY *load_example_x25519_key(void) +{ + return load_example_key("X25519", kExampleX25519KeyDER, + sizeof(kExampleX25519KeyDER)); +} +# endif +#endif /* OPENSSL_NO_DEPRECATED_3_0 */ + static EVP_PKEY *load_example_hmac_key(void) { EVP_PKEY *pkey = NULL; @@ -3367,6 +3438,259 @@ static int test_gcm_reinit(int idx) return testresult; } +#ifndef OPENSSL_NO_DEPRECATED_3_0 +static EVP_PKEY_METHOD *custom_pmeth = NULL; +static const EVP_PKEY_METHOD *orig_pmeth = NULL; + +# define EVP_PKEY_CTRL_MY_COMMAND 9999 + +static int custom_pmeth_init(EVP_PKEY_CTX *ctx) +{ + int (*pinit)(EVP_PKEY_CTX *ctx); + + EVP_PKEY_meth_get_init(orig_pmeth, &pinit); + return pinit(ctx); +} + +static void custom_pmeth_cleanup(EVP_PKEY_CTX *ctx) +{ + void (*pcleanup)(EVP_PKEY_CTX *ctx); + + EVP_PKEY_meth_get_cleanup(orig_pmeth, &pcleanup); + pcleanup(ctx); +} + +static int custom_pmeth_sign(EVP_PKEY_CTX *ctx, unsigned char *out, + size_t *outlen, const unsigned char *in, + size_t inlen) +{ + int (*psign)(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, + const unsigned char *tbs, size_t tbslen); + + EVP_PKEY_meth_get_sign(orig_pmeth, NULL, &psign); + return psign(ctx, out, outlen, in, inlen); +} + +static int custom_pmeth_digestsign(EVP_MD_CTX *ctx, unsigned char *sig, + size_t *siglen, const unsigned char *tbs, + size_t tbslen) +{ + int (*pdigestsign)(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen, + const unsigned char *tbs, size_t tbslen); + + EVP_PKEY_meth_get_digestsign((EVP_PKEY_METHOD *)orig_pmeth, &pdigestsign); + return pdigestsign(ctx, sig, siglen, tbs, tbslen); +} + +static int custom_pmeth_derive(EVP_PKEY_CTX *ctx, unsigned char *key, + size_t *keylen) +{ + int (*pderive)(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen); + + EVP_PKEY_meth_get_derive(orig_pmeth, NULL, &pderive); + return pderive(ctx, key, keylen); +} + +static int custom_pmeth_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src) +{ + int (*pcopy)(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src); + + EVP_PKEY_meth_get_copy(orig_pmeth, &pcopy); + return pcopy(dst, src); +} + +static int ctrl_called; + +static int custom_pmeth_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) +{ + int (*pctrl)(EVP_PKEY_CTX *ctx, int type, int p1, void *p2); + + EVP_PKEY_meth_get_ctrl(orig_pmeth, &pctrl, NULL); + + if (type == EVP_PKEY_CTRL_MY_COMMAND) { + ctrl_called = 1; + return 1; + } + + return pctrl(ctx, type, p1, p2); +} + +static int test_custom_pmeth(int idx) +{ + EVP_PKEY_CTX *pctx = NULL; + EVP_MD_CTX *ctx = NULL; + EVP_PKEY *pkey = NULL; + int id, orig_id, orig_flags; + int testresult = 0; + size_t reslen; + unsigned char *res = NULL; + unsigned char msg[] = { 'H', 'e', 'l', 'l', 'o' }; + const EVP_MD *md = EVP_sha256(); + int doderive = 0; + + ctrl_called = 0; + + /* We call deprecated APIs so this test doesn't support a custom libctx */ + if (testctx != NULL) + return 1; + + switch(idx) { + case 0: + case 6: + id = EVP_PKEY_RSA; + pkey = load_example_rsa_key(); + break; + case 1: + case 7: +# ifndef OPENSSL_NO_DSA + id = EVP_PKEY_DSA; + pkey = load_example_dsa_key(); + break; +# else + return 1; +# endif + case 2: + case 8: +# ifndef OPENSSL_NO_EC + id = EVP_PKEY_EC; + pkey = load_example_ec_key(); + break; +# else + return 1; +# endif + case 3: + case 9: +# ifndef OPENSSL_NO_EC + id = EVP_PKEY_ED25519; + md = NULL; + pkey = load_example_ed25519_key(); + break; +# else + return 1; +# endif + case 4: + case 10: +# ifndef OPENSSL_NO_DH + id = EVP_PKEY_DH; + doderive = 1; + pkey = load_example_dh_key(); + break; +# else + return 1; +# endif + case 5: + case 11: +# ifndef OPENSSL_NO_EC + id = EVP_PKEY_X25519; + doderive = 1; + pkey = load_example_x25519_key(); + break; +# else + return 1; +# endif + default: + TEST_error("Should not happen"); + goto err; + } + + if (!TEST_ptr(pkey)) + goto err; + + if (idx < 6) { + if (!TEST_true(evp_pkey_is_provided(pkey))) + goto err; + } else { + EVP_PKEY *tmp = pkey; + + /* Convert to a legacy key */ + pkey = EVP_PKEY_new(); + if (!TEST_ptr(pkey)) { + pkey = tmp; + goto err; + } + if (!TEST_true(evp_pkey_copy_downgraded(&pkey, tmp))) { + EVP_PKEY_free(tmp); + goto err; + } + EVP_PKEY_free(tmp); + if (!TEST_true(evp_pkey_is_legacy(pkey))) + goto err; + } + + if (!TEST_ptr(orig_pmeth = EVP_PKEY_meth_find(id)) + || !TEST_ptr(pkey)) + goto err; + + EVP_PKEY_meth_get0_info(&orig_id, &orig_flags, orig_pmeth); + if (!TEST_int_eq(orig_id, id) + || !TEST_ptr(custom_pmeth = EVP_PKEY_meth_new(id, orig_flags))) + goto err; + + if (id == EVP_PKEY_ED25519) { + EVP_PKEY_meth_set_digestsign(custom_pmeth, custom_pmeth_digestsign); + } if (id == EVP_PKEY_DH || id == EVP_PKEY_X25519) { + EVP_PKEY_meth_set_derive(custom_pmeth, NULL, custom_pmeth_derive); + } else { + EVP_PKEY_meth_set_sign(custom_pmeth, NULL, custom_pmeth_sign); + } + if (id != EVP_PKEY_ED25519 && id != EVP_PKEY_X25519) { + EVP_PKEY_meth_set_init(custom_pmeth, custom_pmeth_init); + EVP_PKEY_meth_set_cleanup(custom_pmeth, custom_pmeth_cleanup); + EVP_PKEY_meth_set_copy(custom_pmeth, custom_pmeth_copy); + } + EVP_PKEY_meth_set_ctrl(custom_pmeth, custom_pmeth_ctrl, NULL); + if (!TEST_true(EVP_PKEY_meth_add0(custom_pmeth))) + goto err; + + if (doderive) { + pctx = EVP_PKEY_CTX_new(pkey, NULL); + if (!TEST_ptr(pctx) + || !TEST_int_eq(EVP_PKEY_derive_init(pctx), 1) + || !TEST_int_ge(EVP_PKEY_CTX_ctrl(pctx, -1, -1, + EVP_PKEY_CTRL_MY_COMMAND, 0, NULL), + 1) + || !TEST_int_eq(ctrl_called, 1) + || !TEST_int_ge(EVP_PKEY_derive_set_peer(pctx, pkey), 1) + || !TEST_int_ge(EVP_PKEY_derive(pctx, NULL, &reslen), 1) + || !TEST_ptr(res = OPENSSL_malloc(reslen)) + || !TEST_int_ge(EVP_PKEY_derive(pctx, res, &reslen), 1)) + goto err; + } else { + ctx = EVP_MD_CTX_new(); + reslen = EVP_PKEY_size(pkey); + res = OPENSSL_malloc(reslen); + if (!TEST_ptr(ctx) + || !TEST_ptr(res) + || !TEST_true(EVP_DigestSignInit(ctx, &pctx, md, NULL, pkey)) + || !TEST_int_ge(EVP_PKEY_CTX_ctrl(pctx, -1, -1, + EVP_PKEY_CTRL_MY_COMMAND, 0, NULL), + 1) + || !TEST_int_eq(ctrl_called, 1)) + goto err; + + if (id == EVP_PKEY_ED25519) { + if (!TEST_true(EVP_DigestSign(ctx, res, &reslen, msg, sizeof(msg)))) + goto err; + } else { + if (!TEST_true(EVP_DigestUpdate(ctx, msg, sizeof(msg))) + || !TEST_true(EVP_DigestSignFinal(ctx, res, &reslen))) + goto err; + } + } + + testresult = 1; + err: + OPENSSL_free(res); + EVP_MD_CTX_free(ctx); + if (doderive) + EVP_PKEY_CTX_free(pctx); + EVP_PKEY_free(pkey); + EVP_PKEY_meth_remove(custom_pmeth); + EVP_PKEY_meth_free(custom_pmeth); + custom_pmeth = NULL; + return testresult; +} +#endif typedef enum OPTION_choice { OPT_ERR = -1, @@ -3488,6 +3812,10 @@ int setup_tests(void) ADD_ALL_TESTS(test_evp_reset, OSSL_NELEM(evp_reset_tests)); ADD_ALL_TESTS(test_gcm_reinit, OSSL_NELEM(gcm_reinit_tests)); +#ifndef OPENSSL_NO_DEPRECATED_3_0 + ADD_ALL_TESTS(test_custom_pmeth, 12); +#endif + return 1; } From tomas at openssl.org Fri Jul 23 07:06:38 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 23 Jul 2021 07:06:38 +0000 Subject: [openssl] master update Message-ID: <1627023998.684276.12822.nullmailer@dev.openssl.org> The branch master has been updated via 40184c96103a388209939c1c19920971c05bb78c (commit) from a983764e17551b2988bd684279ac9e9077d84601 (commit) - Log ----------------------------------------------------------------- commit 40184c96103a388209939c1c19920971c05bb78c Author: Tomas Mraz Date: Wed Jul 21 18:45:01 2021 +0200 DSA/RSA_print(): Fix potential memory leak Fixes #10777 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16130) ----------------------------------------------------------------------- Summary of changes: crypto/dsa/dsa_prn.c | 12 ++++++++---- crypto/rsa/rsa_prn.c | 6 ++++-- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/crypto/dsa/dsa_prn.c b/crypto/dsa/dsa_prn.c index c5ec7d5dfe..6f001a50f0 100644 --- a/crypto/dsa/dsa_prn.c +++ b/crypto/dsa/dsa_prn.c @@ -55,9 +55,11 @@ int DSA_print(BIO *bp, const DSA *x, int off) EVP_PKEY *pk; int ret; pk = EVP_PKEY_new(); - if (pk == NULL || !EVP_PKEY_set1_DSA(pk, (DSA *)x)) + if (pk == NULL) return 0; - ret = EVP_PKEY_print_private(bp, pk, off, NULL); + ret = EVP_PKEY_set1_DSA(pk, (DSA *)x); + if (ret) + ret = EVP_PKEY_print_private(bp, pk, off, NULL); EVP_PKEY_free(pk); return ret; } @@ -67,9 +69,11 @@ int DSAparams_print(BIO *bp, const DSA *x) EVP_PKEY *pk; int ret; pk = EVP_PKEY_new(); - if (pk == NULL || !EVP_PKEY_set1_DSA(pk, (DSA *)x)) + if (pk == NULL) return 0; - ret = EVP_PKEY_print_params(bp, pk, 4, NULL); + ret = EVP_PKEY_set1_DSA(pk, (DSA *)x); + if (ret) + ret = EVP_PKEY_print_params(bp, pk, 4, NULL); EVP_PKEY_free(pk); return ret; } diff --git a/crypto/rsa/rsa_prn.c b/crypto/rsa/rsa_prn.c index 4a317dadc4..35723c87ae 100644 --- a/crypto/rsa/rsa_prn.c +++ b/crypto/rsa/rsa_prn.c @@ -40,9 +40,11 @@ int RSA_print(BIO *bp, const RSA *x, int off) EVP_PKEY *pk; int ret; pk = EVP_PKEY_new(); - if (pk == NULL || !EVP_PKEY_set1_RSA(pk, (RSA *)x)) + if (pk == NULL) return 0; - ret = EVP_PKEY_print_private(bp, pk, off, NULL); + ret = EVP_PKEY_set1_RSA(pk, (RSA *)x); + if (ret) + ret = EVP_PKEY_print_private(bp, pk, off, NULL); EVP_PKEY_free(pk); return ret; } From tomas at openssl.org Fri Jul 23 07:06:53 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 23 Jul 2021 07:06:53 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1627024013.919477.13946.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via ba4c89a9700ff07cecde90248707056292bf36d1 (commit) from d9d838ddc0ed083fb4c26dd067e71aad7c65ad16 (commit) - Log ----------------------------------------------------------------- commit ba4c89a9700ff07cecde90248707056292bf36d1 Author: Tomas Mraz Date: Wed Jul 21 18:45:01 2021 +0200 DSA/RSA_print(): Fix potential memory leak Fixes #10777 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16130) (cherry picked from commit 40184c96103a388209939c1c19920971c05bb78c) ----------------------------------------------------------------------- Summary of changes: crypto/dsa/dsa_prn.c | 12 ++++++++---- crypto/rsa/rsa_prn.c | 6 ++++-- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/crypto/dsa/dsa_prn.c b/crypto/dsa/dsa_prn.c index a4a1fd5650..6bc336c50e 100644 --- a/crypto/dsa/dsa_prn.c +++ b/crypto/dsa/dsa_prn.c @@ -49,9 +49,11 @@ int DSA_print(BIO *bp, const DSA *x, int off) EVP_PKEY *pk; int ret; pk = EVP_PKEY_new(); - if (pk == NULL || !EVP_PKEY_set1_DSA(pk, (DSA *)x)) + if (pk == NULL) return 0; - ret = EVP_PKEY_print_private(bp, pk, off, NULL); + ret = EVP_PKEY_set1_DSA(pk, (DSA *)x); + if (ret) + ret = EVP_PKEY_print_private(bp, pk, off, NULL); EVP_PKEY_free(pk); return ret; } @@ -61,9 +63,11 @@ int DSAparams_print(BIO *bp, const DSA *x) EVP_PKEY *pk; int ret; pk = EVP_PKEY_new(); - if (pk == NULL || !EVP_PKEY_set1_DSA(pk, (DSA *)x)) + if (pk == NULL) return 0; - ret = EVP_PKEY_print_params(bp, pk, 4, NULL); + ret = EVP_PKEY_set1_DSA(pk, (DSA *)x); + if (ret) + ret = EVP_PKEY_print_params(bp, pk, 4, NULL); EVP_PKEY_free(pk); return ret; } diff --git a/crypto/rsa/rsa_prn.c b/crypto/rsa/rsa_prn.c index b5f4bce2a3..0d97e57eb1 100644 --- a/crypto/rsa/rsa_prn.c +++ b/crypto/rsa/rsa_prn.c @@ -34,9 +34,11 @@ int RSA_print(BIO *bp, const RSA *x, int off) EVP_PKEY *pk; int ret; pk = EVP_PKEY_new(); - if (pk == NULL || !EVP_PKEY_set1_RSA(pk, (RSA *)x)) + if (pk == NULL) return 0; - ret = EVP_PKEY_print_private(bp, pk, off, NULL); + ret = EVP_PKEY_set1_RSA(pk, (RSA *)x); + if (ret) + ret = EVP_PKEY_print_private(bp, pk, off, NULL); EVP_PKEY_free(pk); return ret; } From tomas at openssl.org Fri Jul 23 07:08:52 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 23 Jul 2021 07:08:52 +0000 Subject: [openssl] master update Message-ID: <1627024132.134493.15494.nullmailer@dev.openssl.org> The branch master has been updated via 74b7f339aa58af57c0e71b7efca66e6f2db5ae2e (commit) from 40184c96103a388209939c1c19920971c05bb78c (commit) - Log ----------------------------------------------------------------- commit 74b7f339aa58af57c0e71b7efca66e6f2db5ae2e Author: jenda1 Date: Tue Jul 20 16:32:49 2021 +0200 Makefile: Avoid changing LIBDIR based on whether it already exists unix-Makefile.tmpl checks if the target LIBDIR exists on the build machine or not and based on the result modify the final LIBDIR. This should be avoided, build results should not depend on the build machine root filesystem layout. It makes the build results unstable. The fix simply removes the dir existence test from the unix-Makefile.tmpl. Fixes: openssl#16121 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16122) ----------------------------------------------------------------------- Summary of changes: Configurations/unix-Makefile.tmpl | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 0fb80f1968..f88a70f482 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -297,14 +297,7 @@ OPENSSLDIR={- # $openssldir -} LIBDIR={- our $libdir = $config{libdir}; unless ($libdir) { - # - # if $prefix/lib$target{multilib} is not an existing - # directory, then assume that it's not searched by linker - # automatically, in which case adding $target{multilib} suffix - # causes more grief than we're ready to tolerate, so don't... - our $multilib = - -d "$prefix/lib$target{multilib}" ? $target{multilib} : ""; - $libdir = "lib$multilib"; + $libdir = "lib$target{multilib}"; } file_name_is_absolute($libdir) ? "" : $libdir -} # $(libdir) is chosen to be compatible with the GNU coding standards From scan-admin at coverity.com Fri Jul 23 07:51:18 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Fri, 23 Jul 2021 07:51:18 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60fa74f5689c8_1b6d852ad65605b9a88634@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DO0qM_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeGF0btNgVFNE9BQCqeV7SylTbtL6sTlEKaV73Rt7DBNaHIzXHNWguiOV3sbeVpTUn818OvKa7mtKouZ1TQSLmkHUe6AGvW8yc7q1WOTm2M-2BbWceMjqk2I3bNe9LwDkB23QeQjdSRQElx9NPaotUeFTq29gzqZlAoBcYfXlLB3PrsgsJMtEULfZhCR36mnRLWOE-3D Build ID: 398399 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Fri Jul 23 07:54:10 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Fri, 23 Jul 2021 07:54:10 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60fa75a1c62ac_1b6e7d2ad65605b9a886e6@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DesyM_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeGsuIj-2B9ShvA69vZg0EvtgRdoElNlUMt3R6amaVZAuIPVD6w2HSHnitIDqOSjDrsNhRbik7PiKOtFILUPJBu3VrxHgPkBur75iWEyRm5hin9uzc12BtfU1nGzY2Ida0LkHKIBllnDHICkUqOq5XFyiogWEiC7JfMTQoVA0aKRQWBhfQBPXvqS6-2FoJHaaj3dcDA-3D Build ID: 398400 Analysis Summary: New defects found: 0 Defects eliminated: 0 From pauli at openssl.org Fri Jul 23 08:01:30 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Fri, 23 Jul 2021 08:01:30 +0000 Subject: [openssl] master update Message-ID: <1627027290.391177.3074.nullmailer@dev.openssl.org> The branch master has been updated via e6f0c8d3a78671065a80e89df4c8c070a5b4e518 (commit) from 74b7f339aa58af57c0e71b7efca66e6f2db5ae2e (commit) - Log ----------------------------------------------------------------- commit e6f0c8d3a78671065a80e89df4c8c070a5b4e518 Author: Pauli Date: Thu Jul 22 10:56:29 2021 +1000 ci: reinstate the passwd tests for the no-cached-fetch run. By selectively skipping the high round test cases, the out of memory problem can be avoided. partially fixes #16127 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16132) ----------------------------------------------------------------------- Summary of changes: .github/workflows/ci.yml | 2 +- test/recipes/20-test_passwd.t | 40 +++++++++++++++++++++++++++------------- 2 files changed, 28 insertions(+), 14 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a3a93b6602..4f9bfbfb8a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -123,7 +123,7 @@ jobs: - name: make run: make -s -j4 - name: make test - run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 TESTS="-test_fuzz* -test_ssl_* -test_sslapi -test_passwd -test_evp -test_cmp_http -test_verify -test_cms -test_store -test_enc -[01][0-9]" + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0 TESTS="-test_fuzz* -test_ssl_* -test_sslapi -test_evp -test_cmp_http -test_verify -test_cms -test_store -test_enc -[01][0-9]" address_ub_sanitizer: runs-on: ubuntu-latest diff --git a/test/recipes/20-test_passwd.t b/test/recipes/20-test_passwd.t index 9707ecc3f2..69920773a4 100644 --- a/test/recipes/20-test_passwd.t +++ b/test/recipes/20-test_passwd.t @@ -34,14 +34,6 @@ my @sha_tests = salt => 'rounds=1400$anotherlongsaltstring', key => 'a very much longer text to encrypt. This one even stretches over morethan one line.', expected => '$5$rounds=1400$anotherlongsalts$Rx.j8H.h8HjEDGomFU8bDkXm3XIUnzyxf12oP84Bnq1' }, - { type => '5', - salt => 'rounds=77777$short', - key => 'we have a short salt string but not a short password', - expected => '$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/' }, - { type => '5', - salt => 'rounds=123456$asaltof16chars..', - key => 'a short string', - expected => '$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/cZKmF/wJvD' }, { type => '5', salt => 'rounds=10$roundstoolow', key => 'the minimum number is still observed', @@ -62,6 +54,22 @@ my @sha_tests = salt => 'rounds=1400$anotherlongsaltstring', key => 'a very much longer text to encrypt. This one even stretches over morethan one line.', expected => '$6$rounds=1400$anotherlongsalts$POfYwTEok97VWcjxIiSOjiykti.o/pQs.wPvMxQ6Fm7I6IoYN3CmLs66x9t0oSwbtEW7o7UmJEiDwGqd8p4ur1' }, + { type => '6', + salt => 'rounds=10$roundstoolow', + key => 'the minimum number is still observed', + expected => '$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1xhLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX.' } + ); +# From the same source as above, these tests use a number of rounds > 10000. They are separated because this can +# cause out of memory problems in the address sanitizer in the no-cache-fetch build. +my @sha_high_rounds_tests = + ({ type => '5', + salt => 'rounds=77777$short', + key => 'we have a short salt string but not a short password', + expected => '$5$rounds=77777$short$JiO1O3ZpDAxGJeaDIuqCoEFysAe1mZNJRs3pw0KQRd/' }, + { type => '5', + salt => 'rounds=123456$asaltof16chars..', + key => 'a short string', + expected => '$5$rounds=123456$asaltof16chars..$gP3VQ/6X7UUEW3HkBn2w1/Ptq2jxPyzV/cZKmF/wJvD' }, { type => '6', salt => 'rounds=77777$short', key => 'we have a short salt string but not a short password', @@ -70,13 +78,9 @@ my @sha_tests = salt => 'rounds=123456$asaltof16chars..', key => 'a short string', expected => '$6$rounds=123456$asaltof16chars..$BtCwjqMJGx5hrJhZywWvt0RLE8uZ4oPwcelCjmw2kSYu.Ec6ycULevoBK25fs2xXgMNrCzIMVcgEJAstJeonj1' }, - { type => '6', - salt => 'rounds=10$roundstoolow', - key => 'the minimum number is still observed', - expected => '$6$rounds=1000$roundstoolow$kUMsbe306n21p9R.FRkW3IGn.S9NPN0x50YhH1xhLsPuWGsUSklZt58jaTfF4ZEQpyUNGc0dqbpBYYBaHHrsX.' } ); -plan tests => 9 + scalar @sha_tests; +plan tests => 9 + scalar @sha_tests + scalar @sha_high_rounds_tests; ok(compare1stline_re([qw{openssl passwd -1 password}], '^\$1\$.{8}\$.{22}\R$'), @@ -105,6 +109,16 @@ foreach (@sha_tests) { { 5 => 'SHA256', 6 => 'SHA512' }->{$_->{type}} . ' password with salt ' . $_->{salt}); } +SKIP: { + skip "Skipping high rounds tests in non caching builds", scalar @sha_high_rounds_tests + if disabled("cached-fetch"); + + foreach (@sha_high_rounds_tests) { + ok(compare1stline([qw{openssl passwd}, '-'.$_->{type}, '-salt', $_->{salt}, + $_->{key}], $_->{expected}), + { 5 => 'SHA256', 6 => 'SHA512' }->{$_->{type}} . ' password with salt ' . $_->{salt}); + } +} sub compare1stline_re { my ($cmdarray, $regexp) = @_; From pauli at openssl.org Fri Jul 23 12:01:25 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Fri, 23 Jul 2021 12:01:25 +0000 Subject: [openssl] master update Message-ID: <1627041685.628597.16659.nullmailer@dev.openssl.org> The branch master has been updated via 034f9f4f6e6213a46ae8c7ac79d6e34179ac6cca (commit) from e6f0c8d3a78671065a80e89df4c8c070a5b4e518 (commit) - Log ----------------------------------------------------------------- commit 034f9f4f6e6213a46ae8c7ac79d6e34179ac6cca Author: Pauli Date: Thu Jul 22 19:13:41 2021 +1000 ci: QEMU based cross compiled testing With a little set up, Debian provides an ability to use QEMU to execute programs compiled for other architectures. Using this, most of our cross compilation CI builds can be executed. This PR does this. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16133) ----------------------------------------------------------------------- Summary of changes: .github/workflows/cross-compiles.yml | 118 ++++++++++++++++++++++++++--------- 1 file changed, 88 insertions(+), 30 deletions(-) diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml index 668ef6a658..6b4505c5db 100644 --- a/.github/workflows/cross-compiles.yml +++ b/.github/workflows/cross-compiles.yml @@ -7,50 +7,83 @@ jobs: strategy: fail-fast: false matrix: - # The platform matrix specifies the package to be loaded by apt, - # then the cross compilation prefix and finally the configuration - # target. + # The platform matrix specifies: + # arch: the architecture to build for, this defines the tool-chain + # prefix {arch}- and the Debian compiler package gcc-{arch} + # name. + # libs: the Debian package for the necessary link/runtime libraries. + # target: the OpenSSL configuration target to use, this is passed + # directly to the config command line. + # tests: omit this to run all the tests using QEMU, set it to "none" + # to never run the tests, otherwise it's value is passed to + # the "make test" command to allow selectiving disabling of + # tests. platform: [ { - package: gcc-aarch64-linux-gnu libc6-dev-arm64-cross, - cross: aarch64-linux-gnu-, + arch: aarch64-linux-gnu, + libs: libc6-dev-arm64-cross, target: linux-aarch64 }, { - package: gcc-alpha-linux-gnu libc6.1-dev-alpha-cross, - cross: alpha-linux-gnu-, + arch: alpha-linux-gnu, + libs: libc6.1-dev-alpha-cross, target: linux-alpha-gcc }, { - package: gcc-arm-linux-gnueabi libc6-dev-armel-cross, - cross: arm-linux-gnueabi-, - target: linux-armv4 + arch: arm-linux-gnueabi, + libs: libc6-dev-armel-cross, + target: linux-armv4, + tests: -test_includes -test_store -test_x509_store }, { - package: gcc-arm-linux-gnueabihf libc6-dev-armhf-cross, - cross: arm-linux-gnueabihf-, - target: linux-armv4 + arch: arm-linux-gnueabihf, + libs: libc6-dev-armhf-cross, + target: linux-armv4, + tests: -test_includes -test_store -test_x509_store }, { - package: gcc-mips-linux-gnu libc6-dev-mips-cross, - cross: mips-linux-gnu-, - target: linux-mips32 + arch: hppa-linux-gnu, + libs: libc6-dev-hppa-cross, + target: linux-generic32, + tests: none #-test_includes -test_store -test_x509_store }, { - package: gcc-mipsel-linux-gnu libc6-dev-mipsel-cross, - cross: mipsel-linux-gnu-, - target: linux-mips32 + arch: m68k-linux-gnu, + libs: libc6-dev-m68k-cross, + target: linux-latomic no-asm, + tests: none #-test_includes -test_store -test_x509_store -test_includes }, { - package: gcc-powerpc64le-linux-gnu libc6-dev-ppc64el-cross, - cross: powerpc64le-linux-gnu-, + arch: mips-linux-gnu, + libs: libc6-dev-mips-cross, + target: linux-mips32, + tests: none + }, { + arch: mips64-linux-gnuabi64, + libs: libc6-dev-mips64-cross, + target: linux64-mips64, + tests: none + }, { + arch: mipsel-linux-gnu, + libs: libc6-dev-mipsel-cross, + target: linux-mips32, + tests: -test_includes -test_store -test_x509_store + }, { + arch: powerpc64le-linux-gnu, + libs: libc6-dev-ppc64el-cross, target: linux-ppc64le }, { - package: gcc-riscv64-linux-gnu libc6-dev-riscv64-cross, - cross: riscv64-linux-gnu-, + arch: riscv64-linux-gnu, + libs: libc6-dev-riscv64-cross, target: linux64-riscv64 }, { - package: gcc-s390x-linux-gnu libc6-dev-s390x-cross, - cross: s390x-linux-gnu-, + arch: s390x-linux-gnu, + libs: libc6-dev-s390x-cross, target: linux64-s390x }, { - package: gcc-sparc64-linux-gnu libc6-dev-sparc64-cross, - cross: sparc64-linux-gnu-, - target: linux64-sparcv9 + arch: sh4-linux-gnu, + libs: libc6-dev-sh4-cross, + target: linux-latomic, + tests: -test_includes -test_store -test_x509_store -test_async + }, { + arch: sparc64-linux-gnu, + libs: libc6-dev-sparc64-cross, + target: linux64-sparcv9, + tests: none } ] runs-on: ubuntu-latest @@ -58,9 +91,34 @@ jobs: - name: install packages run: | sudo apt-get update - sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install ${{ matrix.platform.package }} + sudo apt-get -yq --force-yes install \ + gcc-${{ matrix.platform.arch }} \ + ${{ matrix.platform.libs }} - uses: actions/checkout at v2 + - name: config - run: ./config --banner=Configured --strict-warnings enable-fips --cross-compile-prefix=${{ matrix.platform.cross }} ${{ matrix.platform.target }} && perl configdata.pm --dump + run: | + ./config --banner=Configured --strict-warnings enable-fips \ + --cross-compile-prefix=${{ matrix.platform.arch }}- \ + ${{ matrix.platform.target }} + - name: config dump + run: ./configdata.pm --dump + - name: make run: make -s -j4 + + - name: install qemu + if: github.event_name == 'push' && matrix.platform.tests != 'none' + run: sudo apt-get -yq --force-yes install qemu-user + + - name: make all tests + if: github.event_name == 'push' && matrix.platform.tests == '' + run: | + make test HARNESS_JOBS=${HARNESS_JOBS:-4} \ + QEMU_LD_PREFIX=/usr/${{ matrix.platform.arch }} + - name: make some tests + if: github.event_name == 'push' && matrix.platform.tests != 'none' && matrix.platform.tests != '' + run: | + make test HARNESS_JOBS=${HARNESS_JOBS:-4} \ + TESTS="${{ matrix.platform.tests }}" \ + QEMU_LD_PREFIX=/usr/${{ matrix.platform.arch }} From tomas at openssl.org Fri Jul 23 14:37:56 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 23 Jul 2021 14:37:56 +0000 Subject: [openssl] master update Message-ID: <1627051076.392492.24638.nullmailer@dev.openssl.org> The branch master has been updated via 4bd60d486cbe59cc7d086985d42a5220fd12ce32 (commit) from 034f9f4f6e6213a46ae8c7ac79d6e34179ac6cca (commit) - Log ----------------------------------------------------------------- commit 4bd60d486cbe59cc7d086985d42a5220fd12ce32 Author: Tomas Mraz Date: Thu Jul 22 15:25:32 2021 +0200 do_sigver_init: Add missing ERR_clear_last_mark() Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16138) ----------------------------------------------------------------------- Summary of changes: crypto/evp/m_sigver.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c index ae79562e2d..f21865a8c3 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c @@ -87,6 +87,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, provkey = evp_pkey_export_to_provider(locpctx->pkey, locpctx->libctx, &tmp_keymgmt, locpctx->propquery); if (provkey == NULL) { + ERR_clear_last_mark(); ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); goto err; } From tomas at openssl.org Fri Jul 23 14:39:04 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 23 Jul 2021 14:39:04 +0000 Subject: [openssl] master update Message-ID: <1627051144.865788.26360.nullmailer@dev.openssl.org> The branch master has been updated via 4d4de19e9c77f36cc5ab71df77a6eb1253031d4c (commit) from 4bd60d486cbe59cc7d086985d42a5220fd12ce32 (commit) - Log ----------------------------------------------------------------- commit 4d4de19e9c77f36cc5ab71df77a6eb1253031d4c Author: Tomas Mraz Date: Thu Jul 22 15:01:53 2021 +0200 Fix potential problems with EVP_PKEY_CTX_new() with engine set If an engine is non-NULL in EVP_PKEY_CTX_new() call an assert might have been incorrectly triggered or the engine might be finished without being inited. Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16137) ----------------------------------------------------------------------- Summary of changes: crypto/evp/pmeth_lib.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index 040a1a8d10..e5975081e1 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -192,7 +192,7 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx, if (id == -1) { if (pkey != NULL && !evp_pkey_is_provided(pkey)) { id = pkey->type; - } else { + } else { if (pkey != NULL) { /* Must be provided if we get here */ keytype = EVP_KEYMGMT_get0_name(pkey->keymgmt); @@ -207,8 +207,16 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx, } } /* If no ID was found here, we can only resort to find a keymgmt */ - if (id == -1) + if (id == -1) { +#ifndef FIPS_MODULE + /* Using engine with a key without id will not work */ + if (e != NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_ALGORITHM); + return NULL; + } +#endif goto common; + } #ifndef FIPS_MODULE /* @@ -217,13 +225,10 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx, * for a smooth transition from legacy stuff to provider based stuff. * * If an engine is given, this is entirely legacy, and we should not - * pretend anything else, so we only set the name when no engine is - * given. If both are already given, someone made a mistake, and - * since that can only happen internally, it's safe to make an - * assertion. + * pretend anything else, so we clear the name. */ - if (!ossl_assert(e == NULL || keytype == NULL)) - return NULL; + if (e != NULL) + keytype = NULL; if (e == NULL && (pkey == NULL || pkey->foreign == 0)) keytype = OBJ_nid2sn(id); @@ -231,7 +236,7 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx, if (e == NULL && pkey != NULL) e = pkey->pmeth_engine != NULL ? pkey->pmeth_engine : pkey->engine; /* Try to find an ENGINE which implements this method */ - if (e) { + if (e != NULL) { if (!ENGINE_init(e)) { ERR_raise(ERR_LIB_EVP, ERR_R_ENGINE_LIB); return NULL; From scan-admin at coverity.com Sat Jul 24 07:49:06 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sat, 24 Jul 2021 07:49:06 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60fbc5f26dd93_1d3e8d2b17caf739a8683e4@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3D5uVh_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFj6ywaDapbx1ZmmHte-2BEj08AwWXltHhnJ8quVZY5MeWHhznoMvqqWDVjEzrbXvjJtpxOCuB3dXFSxz6BUObdyvjmmi3jkCa2OfIZfiSYVz7JFkbCqIEJm6ysvRzVoZTzwKz4G-2BoLReCRrmxdWdiwPK53XntJ0lA-2BJ8G7QegqWu2urIWVza1PHYeXAnrx6WoI8-3D Build ID: 398545 Analysis Summary: New defects found: 3 Defects eliminated: 0 If you have difficulty understanding any defects, email us at scan-admin at coverity.com, or post your question to StackOverflow at https://u15810271.ct.sendgrid.net/ls/click?upn=CTPegkVN6peWFCMEieYYmPWIi1E4yUS9EoqKFcNAiqhRq8qmgeBE-2Bdt3uvFRAFXd-2FlwX83-2FVVdybfzIMOby0qA-3D-3Dv0_N_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFj6ywaDapbx1ZmmHte-2BEj08AwWXltHhnJ8quVZY5MeWMFbLiGgbKFhTymlc-2BhZTD5jdnCM8ek3Bm-2BD6T6OnZeQDMhYq9KeQps1O4OrKmkRxYZrj5zfvBhhlOBOukCm-2BhFIsFeRuyjI2Mk73Cadu7R9184vtW3Ygi7EeOVpmBoiytorAQGA6BvOxFBJ126tEfc-3D From scan-admin at coverity.com Sat Jul 24 07:52:58 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sat, 24 Jul 2021 07:52:58 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60fbc6d9d888a_1d40b92b17caf739a868336@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DTK1o_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHmNmjUCJ3Qi-2BTzvziW7mp0g2dOcEuBRG7u5nCXqrfe-2FsFrq-2Fm1mSFK43dAyeMFaly7rvZYCxXBhkA9eTdLKCc-2BYRefsXaoMk753xb3Lt-2FQbplKJBwJQVbqqnLi2qYJSlYw9qJHruFjDc1K507WHz4C-2BW8H0oC2pGaD9XsdjxALYPDJXvTrIzh3Q-2FUJ3WTGyvM-3D Build ID: 398546 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Sun Jul 25 07:49:31 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 25 Jul 2021 07:49:31 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60fd178b1a028_1f05132afa064159a87278f@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3Dn8v1_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeGCY-2FfQqTtWobJuJE6BTVLJ12vMVUueeo0XDYgJCy-2FbdKa0XtZqzv-2FPffV2FNE289pAGfJ9dQdFlBnv-2B0zk-2F8gJkP59ExWmWDPpg0O-2BxWK-2BhhNFKE4A-2BzunABUs-2FePt-2B32TCZ-2FGUAXyFWKU0EMOqJMHdaHRGXse94XGgLL9NRVwWZV9SmvOEuWj1kNNwfG-2F6DM-3D Build ID: 398693 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Sun Jul 25 07:52:08 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sun, 25 Jul 2021 07:52:08 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60fd1827a7f50_1f05f42afa064159a872778@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DgqTz_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHPc8HwkEk3JeyHQFmXd86EryF84ZvSd4MFlcnJPBMGphUZZ7Cs71Yk2uFcb9pxK11ToE02WX3cCksWOF5RbbSjxwHiyDqM-2Fmy1Q2Wk7G9Y586VUq-2BxSTlJi90rKB3aD7AkWtCVOH5g6vzSiO2vrtaWRIA0pOkHBEnOa-2BevnFHQiFn6ENCCsyMNR7DXs-2B63rho-3D Build ID: 398694 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Mon Jul 26 07:49:29 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Mon, 26 Jul 2021 07:49:29 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60fe6908deea8_20dd432b1a3985b99c2290@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3Djdv__MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHYuPDbbWNwQlJMrLpu5R0Hq3qVZwnMdv4N5PBznOt9cDflOdbGjzsarZ8VF7m-2BZ32XQIQX8vXdqRNjem4jqZuC6nMRh6bgKOmm-2Bhbsv-2F6JtzAg4dWLKYOm-2FcXDnN6JtVYazsfCam2SxRY-2BjDVYwEofm6tVDDDpDqbywKTmHjJwwRzXUlEJ9zn1Yeddb421K6Y-3D Build ID: 398862 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Mon Jul 26 07:52:51 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Mon, 26 Jul 2021 07:52:51 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60fe69d27fb62_20de542b1a3985b99c22926@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DusWP_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHA4rcOdzhj4zFJgdFVTheoTEAAUaV0rXEyM0OrBPGuG-2F-2BSBIYn2SYh5TdDFCavH7hiplCxyQfDjgWCLPVFYcAlAKWK7yvJ6k7cW46zzslW7lvrhBgxOD9E6eCPsLf8gPWjxv-2FUsD69tuYe-2BhcdY8-2FNJT-2F5HxgCFO5hYdFgswhsH6-2FmV6PkxqG26oSxIvHjktE-3D Build ID: 398863 Analysis Summary: New defects found: 0 Defects eliminated: 0 From levitte at openssl.org Mon Jul 26 10:14:45 2021 From: levitte at openssl.org (Richard Levitte) Date: Mon, 26 Jul 2021 10:14:45 +0000 Subject: [openssl] master update Message-ID: <1627294485.799747.17920.nullmailer@dev.openssl.org> The branch master has been updated via 317ed1b41790db7187bc6585b3d57c6a983c793a (commit) via ad0a2c011020268a242737820bc50549e76cd6b8 (commit) from 4d4de19e9c77f36cc5ab71df77a6eb1253031d4c (commit) - Log ----------------------------------------------------------------- commit 317ed1b41790db7187bc6585b3d57c6a983c793a Author: Richard Levitte Date: Tue Jul 13 11:15:29 2021 +0200 DOCS: Move the description of EVP_PKEY_get0_description() It appears to have been misplaced Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16063) commit ad0a2c011020268a242737820bc50549e76cd6b8 Author: Richard Levitte Date: Tue Jul 13 10:40:45 2021 +0200 EVP: Add EVP_PKEY_get0_provider() and EVP_PKEY_CTX_get0_provider() Fixes #16058 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16063) ----------------------------------------------------------------------- Summary of changes: crypto/evp/evp_pkey.c | 7 +++++++ crypto/evp/pmeth_lib.c | 24 +++++++++++++++++++++++- doc/man3/EVP_PKEY_CTX_get0_libctx.pod | 19 ++++++++++++++----- doc/man3/EVP_PKEY_is_a.pod | 15 ++++++++++++++- doc/man3/EVP_PKEY_new.pod | 6 ------ include/openssl/evp.h | 4 +++- util/libcrypto.num | 2 ++ 7 files changed, 63 insertions(+), 14 deletions(-) diff --git a/crypto/evp/evp_pkey.c b/crypto/evp/evp_pkey.c index 6f0b3dbda9..8f3f150375 100644 --- a/crypto/evp/evp_pkey.c +++ b/crypto/evp/evp_pkey.c @@ -237,3 +237,10 @@ const char *EVP_PKEY_get0_type_name(const EVP_PKEY *key) return name; } + +const OSSL_PROVIDER *EVP_PKEY_get0_provider(const EVP_PKEY *key) +{ + if (evp_pkey_is_provided(key)) + return EVP_KEYMGMT_get0_provider(key->keymgmt); + return NULL; +} diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index e5975081e1..7b835a5eb6 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -1531,11 +1531,33 @@ OSSL_LIB_CTX *EVP_PKEY_CTX_get0_libctx(EVP_PKEY_CTX *ctx) return ctx->libctx; } -const char *EVP_PKEY_CTX_get0_propq(EVP_PKEY_CTX *ctx) +const char *EVP_PKEY_CTX_get0_propq(const EVP_PKEY_CTX *ctx) { return ctx->propquery; } +const OSSL_PROVIDER *EVP_PKEY_CTX_get0_provider(const EVP_PKEY_CTX *ctx) +{ + if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)) { + if (ctx->op.sig.signature != NULL) + return EVP_SIGNATURE_get0_provider(ctx->op.sig.signature); + } else if (EVP_PKEY_CTX_IS_DERIVE_OP(ctx)) { + if (ctx->op.kex.exchange != NULL) + return EVP_KEYEXCH_get0_provider(ctx->op.kex.exchange); + } else if (EVP_PKEY_CTX_IS_KEM_OP(ctx)) { + if (ctx->op.encap.kem != NULL) + return EVP_KEM_get0_provider(ctx->op.encap.kem); + } else if (EVP_PKEY_CTX_IS_ASYM_CIPHER_OP(ctx)) { + if (ctx->op.ciph.cipher != NULL) + return EVP_ASYM_CIPHER_get0_provider(ctx->op.ciph.cipher); + } else if (EVP_PKEY_CTX_IS_GEN_OP(ctx)) { + if (ctx->keymgmt != NULL) + return EVP_KEYMGMT_get0_provider(ctx->keymgmt); + } + + return NULL; +} + /* Utility functions to send a string of hex string to a ctrl */ int EVP_PKEY_CTX_str2ctrl(EVP_PKEY_CTX *ctx, int cmd, const char *str) diff --git a/doc/man3/EVP_PKEY_CTX_get0_libctx.pod b/doc/man3/EVP_PKEY_CTX_get0_libctx.pod index 33aa418462..9f84bd96c4 100644 --- a/doc/man3/EVP_PKEY_CTX_get0_libctx.pod +++ b/doc/man3/EVP_PKEY_CTX_get0_libctx.pod @@ -3,28 +3,37 @@ =head1 NAME EVP_PKEY_CTX_get0_libctx, -EVP_PKEY_CTX_get0_propq -- functions for getting OSSL_LIB_CTX and property query data from an EVP_PKEY_CTX +EVP_PKEY_CTX_get0_propq, +EVP_PKEY_CTX_get0_provider +- functions for getting diverse information from an EVP_PKEY_CTX =head1 SYNOPSIS #include OSSL_LIB_CTX *EVP_PKEY_CTX_get0_libctx(EVP_PKEY_CTX *ctx); - const char *EVP_PKEY_CTX_get0_propq(EVP_PKEY_CTX *ctx); + const char *EVP_PKEY_CTX_get0_propq(const EVP_PKEY_CTX *ctx); + const OSSL_PROVIDER *EVP_PKEY_CTX_get0_provider(const EVP_PKEY_CTX *ctx); =head1 DESCRIPTION -The EVP_PKEY_CTX_get0_libctx() and EVP_PKEY_CTX_get0_propq() functions obtain -the OSSL_LIB_CTX and property query string values respectively that were +EVP_PKEY_CTX_get0_libctx() and EVP_PKEY_CTX_get0_propq() obtain the +OSSL_LIB_CTX and property query string values respectively that were associated with the EVP_PKEY_CTX when it was constructed. +EVP_PKEY_CTX_get0_provider() returns the provider associated with the +ongoing B operation. If the operation is performed by +en B, this function returns NULL. + =head1 RETURN VALUES EVP_PKEY_CTX_get0_libctx() and EVP_PKEY_CTX_get0_propq() functions return the OSSL_LIB_CTX and property query string associated with the EVP_PKEY_CTX or NULL if they are not set. The returned values should not be freed by the caller. +EVP_PKEY_CTX_get0_provider() returns a provider if an operation performed by +a provider is ongoing, otherwise NULL. + =head1 SEE ALSO L diff --git a/doc/man3/EVP_PKEY_is_a.pod b/doc/man3/EVP_PKEY_is_a.pod index 58c7ed7f8e..8bada052fa 100644 --- a/doc/man3/EVP_PKEY_is_a.pod +++ b/doc/man3/EVP_PKEY_is_a.pod @@ -3,7 +3,7 @@ =head1 NAME EVP_PKEY_is_a, EVP_PKEY_can_sign, EVP_PKEY_type_names_do_all, -EVP_PKEY_get0_type_name +EVP_PKEY_get0_type_name, EVP_PKEY_get0_description, EVP_PKEY_get0_provider - key type and capabilities functions =head1 SYNOPSIS @@ -16,6 +16,8 @@ EVP_PKEY_get0_type_name void (*fn)(const char *name, void *data), void *data); const char *EVP_PKEY_get0_type_name(const EVP_PKEY *key); + const char *EVP_PKEY_get0_description(const EVP_PKEY *key); + const OSSL_PROVIDER *EVP_PKEY_get0_provider(const EVP_PKEY *key); =head1 DESCRIPTION @@ -38,6 +40,13 @@ that holds the key which one will be returned. Ownership of the returned string is retained by the I object and should not be freed by the caller. +EVP_PKEY_get0_description() returns a description of the type of B, +meant for display and human consumption. The description is at the +discretion of the key type implementation. + +EVP_PKEY_get0_provider() returns the provider of the B's +L. + =head1 RETURN VALUES EVP_PKEY_is_a() returns 1 if I has the key type I, @@ -48,6 +57,10 @@ supports signing, otherwise 0. EVP_PKEY_get0_type_name() returns the name that is found or NULL on error. +EVP_PKEY_get0_description() returns the description if found or NULL if not. + +EVP_PKEY_get0_provider() returns the provider if found or NULL if not. + EVP_PKEY_type_names_do_all() returns 1 if the callback was called for all names. A return value of 0 means that the callback was not called for any names. diff --git a/doc/man3/EVP_PKEY_new.pod b/doc/man3/EVP_PKEY_new.pod index 89b93c9bac..ee55396de3 100644 --- a/doc/man3/EVP_PKEY_new.pod +++ b/doc/man3/EVP_PKEY_new.pod @@ -7,7 +7,6 @@ EVP_PKEY_new, EVP_PKEY_up_ref, EVP_PKEY_dup, EVP_PKEY_free, -EVP_PKEY_get0_description, EVP_PKEY_new_raw_private_key_ex, EVP_PKEY_new_raw_private_key, EVP_PKEY_new_raw_public_key_ex, @@ -28,7 +27,6 @@ EVP_PKEY_get_raw_public_key int EVP_PKEY_up_ref(EVP_PKEY *key); EVP_PKEY *EVP_PKEY_dup(EVP_PKEY *key); void EVP_PKEY_free(EVP_PKEY *key); - const char *EVP_PKEY_get0_description(const EVP_PKEY *key); EVP_PKEY *EVP_PKEY_new_raw_private_key_ex(OSSL_LIB_CTX *libctx, const char *keytype, @@ -92,10 +90,6 @@ a raw key, otherwise the duplication will fail. EVP_PKEY_free() decrements the reference count of I and, if the reference count is zero, frees it up. If I is NULL, nothing is done. -EVP_PKEY_get0_description() returns a description of the type of B, -meant for display and human consumption. The description is at the -discretion of the key type implementation. - EVP_PKEY_new_raw_private_key_ex() allocates a new B. Unless an engine should be used for the key type, a provider for the key is found using the library context I and the property query string I. The diff --git a/include/openssl/evp.h b/include/openssl/evp.h index f76c4a26d1..1c8ce48773 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1380,6 +1380,7 @@ int EVP_PKEY_up_ref(EVP_PKEY *pkey); EVP_PKEY *EVP_PKEY_dup(EVP_PKEY *pkey); void EVP_PKEY_free(EVP_PKEY *pkey); const char *EVP_PKEY_get0_description(const EVP_PKEY *pkey); +const OSSL_PROVIDER *EVP_PKEY_get0_provider(const EVP_PKEY *key); EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp, long length); @@ -2160,7 +2161,8 @@ int EVP_PKEY_get_group_name(const EVP_PKEY *pkey, char *name, size_t name_sz, size_t *gname_len); OSSL_LIB_CTX *EVP_PKEY_CTX_get0_libctx(EVP_PKEY_CTX *ctx); -const char *EVP_PKEY_CTX_get0_propq(EVP_PKEY_CTX *ctx); +const char *EVP_PKEY_CTX_get0_propq(const EVP_PKEY_CTX *ctx); +const OSSL_PROVIDER *EVP_PKEY_CTX_get0_provider(const EVP_PKEY_CTX *ctx); # ifdef __cplusplus } diff --git a/util/libcrypto.num b/util/libcrypto.num index c7862c568d..3d4d7c37df 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5423,3 +5423,5 @@ ASN1_item_d2i_fp_ex ? 3_0_0 EXIST::FUNCTION:STDIO ASN1_item_d2i_bio_ex ? 3_0_0 EXIST::FUNCTION: ASN1_item_d2i_ex ? 3_0_0 EXIST::FUNCTION: ASN1_TIME_print_ex ? 3_0_0 EXIST::FUNCTION: +EVP_PKEY_get0_provider ? 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get0_provider ? 3_0_0 EXIST::FUNCTION: From pauli at openssl.org Tue Jul 27 01:04:00 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 27 Jul 2021 01:04:00 +0000 Subject: [openssl] master update Message-ID: <1627347840.099636.15871.nullmailer@dev.openssl.org> The branch master has been updated via a7e62fbdf89b9bbaac85826020c1033b35a67d52 (commit) via 9aaf5048b17aa381e9b3fc42e15c9dbfab0f77df (commit) from 317ed1b41790db7187bc6585b3d57c6a983c793a (commit) - Log ----------------------------------------------------------------- commit a7e62fbdf89b9bbaac85826020c1033b35a67d52 Author: Tomas Mraz Date: Thu Jul 22 09:32:56 2021 +0200 ECDSA_SIG_set0(): Clarify documentation and fix formatting errors Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16129) commit 9aaf5048b17aa381e9b3fc42e15c9dbfab0f77df Author: Tomas Mraz Date: Wed Jul 21 16:42:55 2021 +0200 ECDSA_SIG_set0: r and s parameters cannot be NULL Fixes #7731 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16129) ----------------------------------------------------------------------- Summary of changes: doc/man3/ECDSA_SIG_new.pod | 65 +++++++++++++++++++++++----------------------- include/openssl/ec.h | 4 +-- 2 files changed, 34 insertions(+), 35 deletions(-) diff --git a/doc/man3/ECDSA_SIG_new.pod b/doc/man3/ECDSA_SIG_new.pod index 6b31cbaf0a..dd4c16f57e 100644 --- a/doc/man3/ECDSA_SIG_new.pod +++ b/doc/man3/ECDSA_SIG_new.pod @@ -46,26 +46,25 @@ L: =head1 DESCRIPTION B is an opaque structure consisting of two BIGNUMs for the -B and B value of an ECDSA signature (see X9.62 or FIPS 186-2). +I and I value of an ECDSA signature (see X9.62 or FIPS 186-2). ECDSA_SIG_new() allocates an empty B structure. Note: before -OpenSSL 1.1.0 the: the B and B components were initialised. +OpenSSL 1.1.0 the: the I and I components were initialised. -ECDSA_SIG_free() frees the B structure B. +ECDSA_SIG_free() frees the B structure I. -ECDSA_SIG_get0() returns internal pointers the B and B values contained -in B and stores them in B<*pr> and B<*ps>, respectively. -The pointer B or B can be NULL, in which case the corresponding value +ECDSA_SIG_get0() returns internal pointers the I and I values contained +in I and stores them in I<*pr> and I<*ps>, respectively. +The pointer I or I can be NULL, in which case the corresponding value is not returned. -The values B, B can also be retrieved separately by the corresponding +The values I, I can also be retrieved separately by the corresponding function ECDSA_SIG_get0_r() and ECDSA_SIG_get0_s(), respectively. -The B and B values can be set by calling ECDSA_SIG_set0() and passing the -new values for B and B as parameters to the function. Calling this -function transfers the memory management of the values to the ECDSA_SIG object, -and therefore the values that have been passed in should not be freed directly -after this function has been called. +Non-NULL I and I values can be set on the I by calling +ECDSA_SIG_set0(). Calling this function transfers the memory management of the +values to the B object, and therefore the values that have been +passed in should not be freed by the caller. See L and L for information about encoding and decoding ECDSA signatures to/from DER. @@ -75,43 +74,43 @@ use the higher level B interface such as L or L instead. ECDSA_size() returns the maximum length of a DER encoded ECDSA signature -created with the private EC key B. To obtain the actual signature -size use L with a NULL B parameter. +created with the private EC key I. To obtain the actual signature +size use L with a NULL I parameter. -ECDSA_sign() computes a digital signature of the B bytes hash value -B using the private EC key B. The DER encoded signatures is -stored in B and its length is returned in B. Note: B must -point to ECDSA_size(eckey) bytes of memory. The parameter B is currently -ignored. ECDSA_sign() is wrapper function for ECDSA_sign_ex() with B -and B set to NULL. +ECDSA_sign() computes a digital signature of the I bytes hash value +I using the private EC key I. The DER encoded signatures is +stored in I and its length is returned in I. Note: I must +point to ECDSA_size(eckey) bytes of memory. The parameter I is currently +ignored. ECDSA_sign() is wrapper function for ECDSA_sign_ex() with I +and I set to NULL. ECDSA_do_sign() is similar to ECDSA_sign() except the signature is returned as a newly allocated B structure (or NULL on error). ECDSA_do_sign() -is a wrapper function for ECDSA_do_sign_ex() with B and B set to +is a wrapper function for ECDSA_do_sign_ex() with I and I set to NULL. -ECDSA_verify() verifies that the signature in B of size B is a -valid ECDSA signature of the hash value B of size B using the -public key B. The parameter B is ignored. +ECDSA_verify() verifies that the signature in I of size I is a +valid ECDSA signature of the hash value I of size I using the +public key I. The parameter I is ignored. ECDSA_do_verify() is similar to ECDSA_verify() except the signature is presented in the form of a pointer to an B structure. -The remaining functions utilise the internal B and B values used +The remaining functions utilise the internal I and I values used during signature computation. Most applications will never need to call these and some external ECDSA ENGINE implementations may not support them at all if -either B or B is not B. +either I or I is not NULL. ECDSA_sign_setup() may be used to precompute parts of the signing operation. -B is the private EC key and B is a pointer to B structure -(or NULL). The precomputed values or returned in B and B and can be +I is the private EC key and I is a pointer to B structure +(or NULL). The precomputed values or returned in I and I and can be used in a later call to ECDSA_sign_ex() or ECDSA_do_sign_ex(). -ECDSA_sign_ex() computes a digital signature of the B bytes hash value -B using the private EC key B and the optional pre-computed values -B and B. The DER encoded signature is stored in B and its -length is returned in B. Note: B must point to ECDSA_size(eckey) -bytes of memory. The parameter B is ignored. +ECDSA_sign_ex() computes a digital signature of the I bytes hash value +I using the private EC key I and the optional pre-computed values +I and I. The DER encoded signature is stored in I and its +length is returned in I. Note: I must point to ECDSA_size(eckey) +bytes of memory. The parameter I is ignored. ECDSA_do_sign_ex() is similar to ECDSA_sign_ex() except the signature is returned as a newly allocated B structure (or NULL on error). diff --git a/include/openssl/ec.h b/include/openssl/ec.h index ad40b9045c..8b1abcebb7 100644 --- a/include/openssl/ec.h +++ b/include/openssl/ec.h @@ -1347,8 +1347,8 @@ const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig); /** Setter for r and s fields of ECDSA_SIG * \param sig pointer to ECDSA_SIG structure - * \param r pointer to BIGNUM for r (may be NULL) - * \param s pointer to BIGNUM for s (may be NULL) + * \param r pointer to BIGNUM for r + * \param s pointer to BIGNUM for s */ int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); From pauli at openssl.org Tue Jul 27 03:20:07 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 27 Jul 2021 03:20:07 +0000 Subject: [openssl] master update Message-ID: <1627356007.622939.15652.nullmailer@dev.openssl.org> The branch master has been updated via 26411bc8879bf979e3703357e9595de057528e28 (commit) via c9eb45987036314b150fdeed8a8a8a24bfa71687 (commit) via bdb65e2ba63bc63456ec3d462bd2e2c3e62eb193 (commit) from a7e62fbdf89b9bbaac85826020c1033b35a67d52 (commit) - Log ----------------------------------------------------------------- commit 26411bc8879bf979e3703357e9595de057528e28 Author: Tomas Mraz Date: Tue Jul 20 13:08:31 2021 +0200 KTLS: AES-CCM in TLS-1.3 is broken on 5.x kernels, disable it Fixes #16089 Reviewed-by: Shane Lontis Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16120) commit c9eb45987036314b150fdeed8a8a8a24bfa71687 Author: Tomas Mraz Date: Tue Jul 20 12:23:24 2021 +0200 Test ktls in non-default options CI build Reviewed-by: Shane Lontis Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16120) commit bdb65e2ba63bc63456ec3d462bd2e2c3e62eb193 Author: Tomas Mraz Date: Tue Jul 20 12:22:57 2021 +0200 Drop no-ktls from runchecker daily build as it has no effect Reviewed-by: Shane Lontis Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16120) ----------------------------------------------------------------------- Summary of changes: .github/workflows/ci.yml | 4 +++- .github/workflows/run-checker-daily.yml | 1 - ssl/ktls.c | 3 ++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4f9bfbfb8a..9e89d455a9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -163,8 +163,10 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout at v2 + - name: modprobe tls + run: sudo modprobe tls - name: config - run: ./config --banner=Configured --strict-warnings no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-crypto-mdebug-backtrace enable-egd enable-fips && perl configdata.pm --dump + run: ./config --banner=Configured --strict-warnings no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-crypto-mdebug-backtrace enable-egd enable-ktls enable-fips && perl configdata.pm --dump - name: make run: make -s -j4 - name: make test diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml index c66241743a..0ab02c5375 100644 --- a/.github/workflows/run-checker-daily.yml +++ b/.github/workflows/run-checker-daily.yml @@ -62,7 +62,6 @@ jobs: no-hw, no-hw-padlock, no-idea, - no-ktls, no-makedepend, enable-md2, no-md2, diff --git a/ssl/ktls.c b/ssl/ktls.c index 2d691fdeb2..02dbb937ea 100644 --- a/ssl/ktls.c +++ b/ssl/ktls.c @@ -133,7 +133,8 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, { # ifdef OPENSSL_KTLS_AES_CCM_128 case NID_aes_128_ccm: - if (EVP_CIPHER_CTX_get_tag_length(dd) != EVP_CCM_TLS_TAG_LEN) + if (s->version == TLS_1_3_VERSION /* broken on 5.x kernels */ + || EVP_CIPHER_CTX_get_tag_length(dd) != EVP_CCM_TLS_TAG_LEN) return 0; # endif # ifdef OPENSSL_KTLS_AES_GCM_128 From scan-admin at coverity.com Tue Jul 27 07:49:54 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Tue, 27 Jul 2021 07:49:54 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <60ffbaa21334f_22c80e2adbdc6bf9a85806c@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DDBJ3_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeH3vm906luUSw7s4b93pdYRUemPvs2e-2BV8wgq7zSy5-2B-2FF9Mnd1Ze5lXnHTMM0ywR7eNal2LfAUqwzHoqXBiQ-2BjloNoW3cwSGW79I1NA-2Fda04qTOB5Gp0IITy4exV8tTYu04ETuIThHk9TD0i6sxPpH8swy8Y3sdePmdBaeS4F7svRFi35WHvkgpyvxoAa0Gu9w-3D Build ID: 399071 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Tue Jul 27 07:57:37 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Tue, 27 Jul 2021 07:57:37 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <60ffbc70f3855_22cb0c2adbdc6bf9a858041@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DavDb_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeGNr7Zz4kt39z4EEycNzwwoD5GvTaBiKjjikrHwT4wrfoP3Si3ViDyBExjFnPC5gk7SDR32NTDD5YYnJZmrgU3By0YG46mmhBPaJL97-2F6flbK1jr3P5cdX-2FbhfSz5rZDxGXHaU3PfXFp-2B8-2FWGq8hkIiQ2M9TJ2DZrI08gx0ulRsadJazGmnvQIwzRSlWCY3Wd4-3D Build ID: 399072 Analysis Summary: New defects found: 0 Defects eliminated: 0 From levitte at openssl.org Tue Jul 27 08:31:25 2021 From: levitte at openssl.org (Richard Levitte) Date: Tue, 27 Jul 2021 08:31:25 +0000 Subject: [web] master update Message-ID: <1627374685.120826.539.nullmailer@dev.openssl.org> The branch master has been updated via 61f488185e0736cf5196efc9d5f4f4b3370b3f8e (commit) from 539bea014de78db5ff5b0785a46bfd7647b0b589 (commit) - Log ----------------------------------------------------------------- commit 61f488185e0736cf5196efc9d5f4f4b3370b3f8e Author: Richard Levitte Date: Tue Jul 27 09:55:07 2021 +0200 Simplify the CDN purge Our CDN (Akamai) purge script was run as a standalone automation, in parallell with the automatic 'make' run. The consequence was that the CDN could catch a copy of our original web pages in a semi built state, as demonstrated by openssl/openssl#16152. The solution is the ensure that the purge is run in sequence after everything is built. We simplify this further by moving the actual script into the web source. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/web/pull/248) ----------------------------------------------------------------------- Summary of changes: Makefile | 7 +++-- bin/purge-one-hour | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 93 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 32b9244..fb15dad 100644 --- a/Makefile +++ b/Makefile @@ -56,15 +56,18 @@ SRCLISTS = $(foreach S,$(FUTURESERIES) $(SERIES) $(OLDSERIES2) fips,source/old/$ @rm -f $@ ./bin/md-to-html5 $< -all: suball manmaster mancross +all: suball manmaster mancross akamai-purge suball: $(SIMPLE) $(SRCLISTS) -relupd: suball manpages mancross +relupd: suball manpages mancross akamai-purge clean: rm -f $(SIMPLE) $(SRCLISTS) +akamai-purge: + ./bin/purge-one-hour + # Legacy targets hack-source_htaccess: all simple: all diff --git a/bin/purge-one-hour b/bin/purge-one-hour index 5e10e49..895967f 100755 --- a/bin/purge-one-hour +++ b/bin/purge-one-hour @@ -1,3 +1,89 @@ -#! /bin/sh +#! /usr/bin/perl +# +# script to purge the Akamai cache. +# +# Notes: +# +# - we limit the purging to files newer than an hour +# - there must be a file ~openssl/.edgerc with our Akamai credentials +# - the Akamai supplied program 'akamai-purge' must be installed in +# /usr/local/bin -/opt/openssl/maker/triggered-makers/akamai-purge +use strict; +use warnings; + +# Find all .html files that include a .inc file, and create a map +my %inc2html = (); + +my $debug = $ENV{DEBUG}; +my $dryrun = $ENV{DRYRUN}; + +my $base = '/var/www/openssl'; # MUST NOT end with a slash + +foreach ( `find $base -type f -name '*.html'` ) { + chomp; + my $file = $_; + my ($dn, $fn) = $_ =~ m/^(?:(.*)\/)?([^\/]*)$/; + my @incs = (); + + open HTML, $_; + foreach ( ) { + if (//) { + my $vf = $1; + $vf = ($vf =~ m|^/|) ? "$base$vf" : "$dn/$vf"; + push @incs, "$vf"; + } + } + close HTML; + + foreach ( @incs ) { + push @{$inc2html{$_}}, $file; + } +} + +if ($debug) { + for ( sort keys %inc2html ) { + print STDERR "DEBUG: $_ => ", join(", ", @{$inc2html{$_}}), "\n"; + } +} + +# Find all files younger than an hour +# Discard those in .git/ and bin/ +# Discard any .ht* +# For any virtually included file, use the corresponding .html file instead +# For all remaining files, turn it into a valid URL +# For any valid index file, duplicate into two URLs without the file, +# one with an ending slash and one without. +my %files = (); + +foreach ( `find $base -type f -mtime -2` ) { + chomp; + next if /^\Q$base\E\/(\.git|bin)/; + next if /\/\.ht\w+$/; + my $x = $_; + my @files = defined $inc2html{$x} ? @{$inc2html{$x}} : ( $x ); + foreach ( @files ) { + s/^\Q$base\E\//https:\/\/www.openssl.org\//; + $files{$_} = 1; + if ( /^(.*)\/index.(html|cgi|pl|php|xhtml|htm)$/ ) { + $files{"$1/"} = $files{"$1"} = 1; + } + } +} + +# Finally, output the result to the akamai-purge program +my @files = sort keys %files; +while ( @files ) { + my $count = 500; # Try not to overwhelm Akamai + if ( $dryrun || open PURGE, '| /usr/local/bin/akamai-purge invalidate' ) { + printf STDERR + "DEBUG: Invoking '/usr/local/bin/akamai-purge invalidate' with:\n" + if $debug; + while ( @files && $count-- > 0 ) { + my $file = pop @files; + print STDERR " ",$file,"\n" if $debug; + print PURGE $file,"\n" unless $dryrun; + } + close PURGE unless $dryrun; + } +} From matt at openssl.org Tue Jul 27 09:52:03 2021 From: matt at openssl.org (Matt Caswell) Date: Tue, 27 Jul 2021 09:52:03 +0000 Subject: [openssl] master update Message-ID: <1627379523.854659.20462.nullmailer@dev.openssl.org> The branch master has been updated via c6fcd88fa030da8322cf27aff95376512f41faff (commit) from 26411bc8879bf979e3703357e9595de057528e28 (commit) - Log ----------------------------------------------------------------- commit c6fcd88fa030da8322cf27aff95376512f41faff Author: Matt Caswell Date: Tue Jul 20 16:18:04 2021 +0100 Mark the EVP_PKEY_METHOD arg as const on some EVP_PKEY_meth_get_*() funcs Most EVP_PKEY_meth_get_*() functions mark the EVP_PKEY_METHOD argument as const. But 3 did not. We fix those to be consistent. Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/16128) ----------------------------------------------------------------------- Summary of changes: crypto/evp/pmeth_lib.c | 6 +++--- doc/man3/EVP_PKEY_meth_new.pod | 6 +++--- include/openssl/evp.h | 6 +++--- test/evp_extra_test.c | 2 +- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index 7b835a5eb6..954166caae 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -1990,7 +1990,7 @@ void EVP_PKEY_meth_get_ctrl(const EVP_PKEY_METHOD *pmeth, *pctrl_str = pmeth->ctrl_str; } -void EVP_PKEY_meth_get_digestsign(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_digestsign(const EVP_PKEY_METHOD *pmeth, int (**digestsign) (EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen, const unsigned char *tbs, size_t tbslen)) { @@ -1998,7 +1998,7 @@ void EVP_PKEY_meth_get_digestsign(EVP_PKEY_METHOD *pmeth, *digestsign = pmeth->digestsign; } -void EVP_PKEY_meth_get_digestverify(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_digestverify(const EVP_PKEY_METHOD *pmeth, int (**digestverify) (EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen, const unsigned char *tbs, size_t tbslen)) @@ -2028,7 +2028,7 @@ void EVP_PKEY_meth_get_param_check(const EVP_PKEY_METHOD *pmeth, *pcheck = pmeth->param_check; } -void EVP_PKEY_meth_get_digest_custom(EVP_PKEY_METHOD *pmeth, +void EVP_PKEY_meth_get_digest_custom(const EVP_PKEY_METHOD *pmeth, int (**pdigest_custom) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx)) { diff --git a/doc/man3/EVP_PKEY_meth_new.pod b/doc/man3/EVP_PKEY_meth_new.pod index d07ec1a637..06404079ab 100644 --- a/doc/man3/EVP_PKEY_meth_new.pod +++ b/doc/man3/EVP_PKEY_meth_new.pod @@ -220,13 +220,13 @@ L: int (**pctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value)); - void EVP_PKEY_meth_get_digestsign(EVP_PKEY_METHOD *pmeth, + void EVP_PKEY_meth_get_digestsign(const EVP_PKEY_METHOD *pmeth, int (**digestsign) (EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen, const unsigned char *tbs, size_t tbslen)); - void EVP_PKEY_meth_get_digestverify(EVP_PKEY_METHOD *pmeth, + void EVP_PKEY_meth_get_digestverify(const EVP_PKEY_METHOD *pmeth, int (**digestverify) (EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen, @@ -238,7 +238,7 @@ L: int (**pcheck) (EVP_PKEY *pkey)); void EVP_PKEY_meth_get_param_check(const EVP_PKEY_METHOD *pmeth, int (**pcheck) (EVP_PKEY *pkey)); - void EVP_PKEY_meth_get_digest_custom(EVP_PKEY_METHOD *pmeth, + void EVP_PKEY_meth_get_digest_custom(const EVP_PKEY_METHOD *pmeth, int (**pdigest_custom) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx)); diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 1c8ce48773..1850381720 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -2117,11 +2117,11 @@ OSSL_DEPRECATEDIN_3_0 void EVP_PKEY_meth_get_ctrl int (**pctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value)); OSSL_DEPRECATEDIN_3_0 void EVP_PKEY_meth_get_digestsign - (EVP_PKEY_METHOD *pmeth, + (const EVP_PKEY_METHOD *pmeth, int (**digestsign) (EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen, const unsigned char *tbs, size_t tbslen)); OSSL_DEPRECATEDIN_3_0 void EVP_PKEY_meth_get_digestverify - (EVP_PKEY_METHOD *pmeth, + (const EVP_PKEY_METHOD *pmeth, int (**digestverify) (EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen, const unsigned char *tbs, size_t tbslen)); @@ -2132,7 +2132,7 @@ OSSL_DEPRECATEDIN_3_0 void EVP_PKEY_meth_get_public_check OSSL_DEPRECATEDIN_3_0 void EVP_PKEY_meth_get_param_check (const EVP_PKEY_METHOD *pmeth, int (**pcheck) (EVP_PKEY *pkey)); OSSL_DEPRECATEDIN_3_0 void EVP_PKEY_meth_get_digest_custom - (EVP_PKEY_METHOD *pmeth, + (const EVP_PKEY_METHOD *pmeth, int (**pdigest_custom) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx)); # endif diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 5358a54a6d..7494c1f21b 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -3478,7 +3478,7 @@ static int custom_pmeth_digestsign(EVP_MD_CTX *ctx, unsigned char *sig, int (*pdigestsign)(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen, const unsigned char *tbs, size_t tbslen); - EVP_PKEY_meth_get_digestsign((EVP_PKEY_METHOD *)orig_pmeth, &pdigestsign); + EVP_PKEY_meth_get_digestsign(orig_pmeth, &pdigestsign); return pdigestsign(ctx, sig, siglen, tbs, tbslen); } From mark at openssl.org Tue Jul 27 12:07:05 2021 From: mark at openssl.org (Mark J. Cox) Date: Tue, 27 Jul 2021 12:07:05 +0000 Subject: [web] master update Message-ID: <1627387625.485693.30313.nullmailer@dev.openssl.org> The branch master has been updated via 86e6eb2e66ec9112b311616d9dbfbb7da734c6a4 (commit) via 6340022c20721b8cde5817dc5a9caa39e2d7b232 (commit) from 61f488185e0736cf5196efc9d5f4f4b3370b3f8e (commit) - Log ----------------------------------------------------------------- commit 86e6eb2e66ec9112b311616d9dbfbb7da734c6a4 Merge: 61f4881 6340022 Author: Mark J. Cox Date: Tue Jul 27 13:06:17 2021 +0100 Merge pull request #249 from iamamoose/fixpgp SKS keyservers have been offline for a while, so switch to OpenPGP commit 6340022c20721b8cde5817dc5a9caa39e2d7b232 Author: Mark J. Cox Date: Tue Jul 27 12:07:40 2021 +0100 SKS keyservers have been offline for a while, so switch to keys.openpgp.org ----------------------------------------------------------------------- Summary of changes: bin/mk-omc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/mk-omc b/bin/mk-omc index e6dee11..24144df 100755 --- a/bin/mk-omc +++ b/bin/mk-omc @@ -60,7 +60,7 @@ foreach my $key (sort { mk_sortable($a) cmp mk_sortable($b) } keys %data) { my $pgpurl = $data{$key}->{pgpid} if $options{pgp}; $pgpurl =~ s|\s+||g if $pgpurl; $pgpurl = - "http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x$pgpurl" + "https://keys.openpgp.org/search?q=$pgpurl" if $pgpurl; my @columndata = (); From pauli at openssl.org Tue Jul 27 23:37:41 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 27 Jul 2021 23:37:41 +0000 Subject: [openssl] master update Message-ID: <1627429061.623541.6367.nullmailer@dev.openssl.org> The branch master has been updated via 03c2f21b980524dc05a0426146f845ec1e969c2e (commit) via bb98a1123b3d7a8464f2c1f61ffd41f826c7c423 (commit) from c6fcd88fa030da8322cf27aff95376512f41faff (commit) - Log ----------------------------------------------------------------- commit 03c2f21b980524dc05a0426146f845ec1e969c2e Author: Matt Caswell Date: Tue Jul 27 10:32:49 2021 +0100 Add a test case for EVP_MD_meth_dup() and EVP_CIPHER_meth_dup() Check that EVP_MD_meth_free() and EVP_CIPHER_meth_free() does actually free the data. Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16159) commit bb98a1123b3d7a8464f2c1f61ffd41f826c7c423 Author: Matt Caswell Date: Mon Jul 26 15:53:25 2021 +0100 Fix EVP_MD_meth_dup and EVP_CIPHER_meth_dup Make sure the origin is set correctly when duping an EVP_MD or EVP_CIPHER. Fixes #16157 Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16159) ----------------------------------------------------------------------- Summary of changes: crypto/evp/cmeth_lib.c | 1 + crypto/evp/evp_lib.c | 1 + test/evp_extra_test.c | 21 ++++++++++++++++++++- 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/crypto/evp/cmeth_lib.c b/crypto/evp/cmeth_lib.c index 9b93550307..a806ec5f9e 100644 --- a/crypto/evp/cmeth_lib.c +++ b/crypto/evp/cmeth_lib.c @@ -50,6 +50,7 @@ EVP_CIPHER *EVP_CIPHER_meth_dup(const EVP_CIPHER *cipher) memcpy(to, cipher, sizeof(*to)); to->lock = lock; + to->origin = EVP_ORIG_METH; } return to; } diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index f78df52ab1..64d7fb046d 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -823,6 +823,7 @@ EVP_MD *EVP_MD_meth_dup(const EVP_MD *md) memcpy(to, md, sizeof(*to)); to->lock = lock; + to->origin = EVP_ORIG_METH; } return to; } diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 7494c1f21b..e03e2a252e 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -3690,7 +3690,25 @@ static int test_custom_pmeth(int idx) custom_pmeth = NULL; return testresult; } -#endif + +static int test_evp_md_cipher_meth(void) +{ + EVP_MD *md = EVP_MD_meth_dup(EVP_sha256()); + EVP_CIPHER *ciph = EVP_CIPHER_meth_dup(EVP_aes_128_cbc()); + int testresult = 0; + + if (!TEST_ptr(md) || !TEST_ptr(ciph)) + goto err; + + testresult = 1; + + err: + EVP_MD_meth_free(md); + EVP_CIPHER_meth_free(ciph); + + return testresult; +} +#endif /* OPENSSL_NO_DEPRECATED_3_0 */ typedef enum OPTION_choice { OPT_ERR = -1, @@ -3814,6 +3832,7 @@ int setup_tests(void) #ifndef OPENSSL_NO_DEPRECATED_3_0 ADD_ALL_TESTS(test_custom_pmeth, 12); + ADD_TEST(test_evp_md_cipher_meth); #endif return 1; From pauli at openssl.org Wed Jul 28 00:31:48 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 28 Jul 2021 00:31:48 +0000 Subject: [openssl] master update Message-ID: <1627432308.239714.15310.nullmailer@dev.openssl.org> The branch master has been updated via 2a7855fb2596048e5038afa5e49a02853297df6d (commit) via 1ad435039333a09b31d7c569b822bd5d936b8105 (commit) via cb7055fd5ad9bf5c84d4480b7dbbcfb1cb242fc9 (commit) via 64d9b626aae49154bd44edf8fb1a3eca133445a3 (commit) via 09755337d5b907565d3b8a9ee8b33a2c60616c0a (commit) from 03c2f21b980524dc05a0426146f845ec1e969c2e (commit) - Log ----------------------------------------------------------------- commit 2a7855fb2596048e5038afa5e49a02853297df6d Author: Pauli Date: Mon Jul 26 12:54:50 2021 +1000 ci: disable async for the SH4 build and reenable the associated test The platform doesn't seem to have support for this. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/16144) commit 1ad435039333a09b31d7c569b822bd5d936b8105 Author: Pauli Date: Mon Jul 26 11:57:48 2021 +1000 ci: get rid of no-asm flag to m68k cross compiles Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/16144) commit cb7055fd5ad9bf5c84d4480b7dbbcfb1cb242fc9 Author: Pauli Date: Mon Jul 26 11:54:12 2021 +1000 ci: add the param conversion tests to the cross compiles. There was a failure because an "inf" values was being read as a "NaN" not an infinity. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/16144) commit 64d9b626aae49154bd44edf8fb1a3eca133445a3 Author: Pauli Date: Fri Jul 23 11:48:32 2021 +1000 QEMU: include test runs for most cross compilation targets For the cross compiles where the tests couldn't be run, most are capable of being run when statically linked. For these, a shared with FIPS build but not test run is also included to maximise compilation coverage. The builds take a couple of minutes so the impact of these extra jobs isn't great. The test failures for test_includes, test_store and test_x509_store across several platforms are related the the OPENSSL_DIR_read() call. This gets a "Value too large for defined data type" error calling the standard library's readdir() wrapper. That is, the failure is during the translation from the x86-64 structure to the 32 bit structure. I've tried tweaking the include defines to use larger fields but couldn't figure out how to make it work. The most prudent fix is to ignore these tests for these platforms. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/16144) commit 09755337d5b907565d3b8a9ee8b33a2c60616c0a Author: Pauli Date: Mon Jul 26 11:53:23 2021 +1000 test: handle not a number (NaN) values in the param conversion test. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/16144) ----------------------------------------------------------------------- Summary of changes: .github/workflows/cross-compiles.yml | 62 +++++++++++++++++++++++++++++------- test/params_conversion_test.c | 24 ++++++++++++-- 2 files changed, 73 insertions(+), 13 deletions(-) diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml index 6b4505c5db..514a4fbabe 100644 --- a/.github/workflows/cross-compiles.yml +++ b/.github/workflows/cross-compiles.yml @@ -14,6 +14,8 @@ jobs: # libs: the Debian package for the necessary link/runtime libraries. # target: the OpenSSL configuration target to use, this is passed # directly to the config command line. + # fips: set to "no" to disable building FIPS, leave unset to + # build the FIPS provider. # tests: omit this to run all the tests using QEMU, set it to "none" # to never run the tests, otherwise it's value is passed to # the "make test" command to allow selectiving disabling of @@ -40,23 +42,26 @@ jobs: }, { arch: hppa-linux-gnu, libs: libc6-dev-hppa-cross, - target: linux-generic32, - tests: none #-test_includes -test_store -test_x509_store + target: -static linux-generic32, + fips: no, + tests: -test_includes -test_store -test_x509_store }, { arch: m68k-linux-gnu, libs: libc6-dev-m68k-cross, - target: linux-latomic no-asm, - tests: none #-test_includes -test_store -test_x509_store -test_includes + target: -static -m68040 linux-latomic, + fips: no, + tests: -test_includes -test_store -test_x509_store }, { arch: mips-linux-gnu, libs: libc6-dev-mips-cross, - target: linux-mips32, - tests: none + target: -static linux-mips32, + fips: no, + tests: -test_includes -test_store -test_x509_store }, { arch: mips64-linux-gnuabi64, libs: libc6-dev-mips64-cross, - target: linux64-mips64, - tests: none + target: -static linux64-mips64, + fips: no }, { arch: mipsel-linux-gnu, libs: libc6-dev-mipsel-cross, @@ -77,9 +82,37 @@ jobs: }, { arch: sh4-linux-gnu, libs: libc6-dev-sh4-cross, - target: linux-latomic, - tests: -test_includes -test_store -test_x509_store -test_async + target: no-async linux-latomic, + tests: -test_includes -test_store -test_x509_store + }, + + # These build with shared libraries but they crash when run + # They mirror static builds above in order to cover more of the + # code base. + { + arch: hppa-linux-gnu, + libs: libc6-dev-hppa-cross, + target: linux-generic32, + tests: none }, { + arch: m68k-linux-gnu, + libs: libc6-dev-m68k-cross, + target: -mcfv4e linux-latomic, + tests: none + }, { + arch: mips-linux-gnu, + libs: libc6-dev-mips-cross, + target: linux-mips32, + tests: none + }, { + arch: mips64-linux-gnuabi64, + libs: libc6-dev-mips64-cross, + target: linux64-mips64, + tests: none + }, + + # This build doesn't execute either with or without shared libraries. + { arch: sparc64-linux-gnu, libs: libc6-dev-sparc64-cross, target: linux64-sparcv9, @@ -96,11 +129,18 @@ jobs: ${{ matrix.platform.libs }} - uses: actions/checkout at v2 - - name: config + - name: config with FIPS + if: matrix.platform.fips != 'no' run: | ./config --banner=Configured --strict-warnings enable-fips \ --cross-compile-prefix=${{ matrix.platform.arch }}- \ ${{ matrix.platform.target }} + - name: config without FIPS + if: matrix.platform.fips == 'no' + run: | + ./config --banner=Configured --strict-warnings \ + --cross-compile-prefix=${{ matrix.platform.arch }}- \ + ${{ matrix.platform.target }} - name: config dump run: ./configdata.pm --dump diff --git a/test/params_conversion_test.c b/test/params_conversion_test.c index 48d01cac68..9422ef1473 100644 --- a/test/params_conversion_test.c +++ b/test/params_conversion_test.c @@ -279,8 +279,28 @@ static int param_conversion_test(const PARAM_CONVERSION *pc, int line) return 0; } } else { - if (!TEST_true(OSSL_PARAM_get_double(pc->param, &d)) - || !TEST_true(d == pc->d)) { + if (!TEST_true(OSSL_PARAM_get_double(pc->param, &d))) { + TEST_note("unable to convert to double on line %d", line); + return 0; + } + /* + * Check for not a number (NaN) without using the libm functions. + * When d is a NaN, the standard requires d == d to be false. + * It's less clear if d != d should be true even though it generally is. + * Hence we use the equality test and a not. + */ + if (!(d == d)) { + /* + * We've encountered a NaN so check it's really meant to be a NaN. + * We ignore the case where the two values are both different NaN, + * that's not resolvable without knowing the underlying format + * or using libm functions. + */ + if (!TEST_false(pc->d == pc->d)) { + TEST_note("unexpected NaN on line %d", line); + return 0; + } + } else if (!TEST_true(d == pc->d)) { TEST_note("unexpected conversion to double on line %d", line); return 0; } From pauli at openssl.org Wed Jul 28 00:36:48 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 28 Jul 2021 00:36:48 +0000 Subject: [openssl] master update Message-ID: <1627432608.247959.18778.nullmailer@dev.openssl.org> The branch master has been updated via 96d6a4e4464c3dec9cdf2c6fb59d737c8cb1be49 (commit) via ca7cac886b0f1084acfe2e07135acd212415e2bd (commit) via 589fbc18aa5e72b2574a71d69c09b4f63f0ae943 (commit) via 123ed334337e874acb1f55b36dc671de7e306824 (commit) via 09f38299ccc006e0ce7e94897250e995ec2fc337 (commit) from 2a7855fb2596048e5038afa5e49a02853297df6d (commit) - Log ----------------------------------------------------------------- commit 96d6a4e4464c3dec9cdf2c6fb59d737c8cb1be49 Author: Pauli Date: Wed Jul 28 09:52:23 2021 +1000 test: add a comment indication that a bad MAC is intentional This permits negative testing of FIPS module load failure. Also changed the MAC to all zeros to make it even clearer. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/16168) commit ca7cac886b0f1084acfe2e07135acd212415e2bd Author: Matt Caswell Date: Tue Jul 27 16:36:41 2021 +0100 Add some testing for the case where the FIPS provider fails to load Ensure we get correct behaviour in the event that an attempt is made to load the fips provider but it fails to load. Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16168) commit 589fbc18aa5e72b2574a71d69c09b4f63f0ae943 Author: Matt Caswell Date: Tue Jul 27 16:59:59 2021 +0100 Don't try and load the config file while already loading the config file Calls to the API function EVP_default_properties_enable_fips() will automatically attempt to load the default config file if it is not already loaded. Therefore this function should not be called from inside code to process the config file. Fixes #16165 Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16168) commit 123ed334337e874acb1f55b36dc671de7e306824 Author: Matt Caswell Date: Tue Jul 27 16:36:24 2021 +0100 Ensure any default_properties still apply even in the event of a provider load failure We don't treat a failure to load a provider as a fatal error. If it is fatal then we give up attempting to load the config file - including reading any default properties. Additionally if an attempt has been made to load a provider then we disable fallback loading. Fixes #16166 Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16168) commit 09f38299ccc006e0ce7e94897250e995ec2fc337 Author: Matt Caswell Date: Tue Jul 27 16:31:20 2021 +0100 Don't leak the OSSL_LIB_CTX in the event of a failure to load the FIPS module Ensure we free the OSSL_LIB_CTX on the error path. Fixes #16163 Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16168) ----------------------------------------------------------------------- Summary of changes: crypto/evp/evp_cnf.c | 4 +-- crypto/evp/evp_fetch.c | 17 ++++++++---- crypto/provider_conf.c | 16 ++++++++++- include/crypto/evp.h | 2 ++ providers/fips/fipsprov.c | 1 + test/defltfips_test.c | 39 +++++++++++++++++++-------- test/{fips.cnf => fips-alt.cnf} | 2 +- test/recipes/30-test_defltfips.t | 19 ++++++++++--- test/recipes/30-test_defltfips/fipsmodule.cnf | 7 +++++ 9 files changed, 84 insertions(+), 23 deletions(-) copy test/{fips.cnf => fips-alt.cnf} (91%) create mode 100644 test/recipes/30-test_defltfips/fipsmodule.cnf diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c index 415712dffa..0e7fe64cf9 100644 --- a/crypto/evp/evp_cnf.c +++ b/crypto/evp/evp_cnf.c @@ -46,8 +46,8 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf) * fips_mode is deprecated and should not be used in new * configurations. */ - if (!EVP_default_properties_enable_fips(NCONF_get0_libctx((CONF *)cnf), - m > 0)) { + if (!evp_default_properties_enable_fips_int( + NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) { ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE); return 0; } diff --git a/crypto/evp/evp_fetch.c b/crypto/evp/evp_fetch.c index 3067928030..5303cf8859 100644 --- a/crypto/evp/evp_fetch.c +++ b/crypto/evp/evp_fetch.c @@ -479,15 +479,16 @@ int EVP_set_default_properties(OSSL_LIB_CTX *libctx, const char *propq) return evp_set_default_properties_int(libctx, propq, 1, 0); } -static int evp_default_properties_merge(OSSL_LIB_CTX *libctx, const char *propq) +static int evp_default_properties_merge(OSSL_LIB_CTX *libctx, const char *propq, + int loadconfig) { - OSSL_PROPERTY_LIST **plp = ossl_ctx_global_properties(libctx, 1); + OSSL_PROPERTY_LIST **plp = ossl_ctx_global_properties(libctx, loadconfig); OSSL_PROPERTY_LIST *pl1, *pl2; if (propq == NULL) return 1; if (plp == NULL || *plp == NULL) - return EVP_set_default_properties(libctx, propq); + return evp_set_default_properties_int(libctx, propq, 0, 0); if ((pl1 = ossl_parse_query(libctx, propq, 1)) == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_DEFAULT_QUERY_PARSE_ERROR); return 0; @@ -518,11 +519,17 @@ int EVP_default_properties_is_fips_enabled(OSSL_LIB_CTX *libctx) return evp_default_property_is_enabled(libctx, "fips"); } -int EVP_default_properties_enable_fips(OSSL_LIB_CTX *libctx, int enable) +int evp_default_properties_enable_fips_int(OSSL_LIB_CTX *libctx, int enable, + int loadconfig) { const char *query = (enable != 0) ? "fips=yes" : "-fips"; - return evp_default_properties_merge(libctx, query); + return evp_default_properties_merge(libctx, query, loadconfig); +} + +int EVP_default_properties_enable_fips(OSSL_LIB_CTX *libctx, int enable) +{ + return evp_default_properties_enable_fips_int(libctx, enable, 1); } char *evp_get_global_properties_str(OSSL_LIB_CTX *libctx, int loadconfig) diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c index 1d4e695fb8..fe66e1158e 100644 --- a/crypto/provider_conf.c +++ b/crypto/provider_conf.c @@ -156,6 +156,16 @@ static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, } if (activate) { + /* + * There is an attempt to activate a provider, so we should disable + * loading of fallbacks. Otherwise a misconfiguration could mean the + * intended provider does not get loaded. Subsequent fetches could then + * fallback to the default provider - which may be the wrong thing. + */ + if (!ossl_provider_disable_fallback_loading(libctx)) { + ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); + return 0; + } prov = ossl_provider_find(libctx, name, 1); if (prov == NULL) prov = ossl_provider_new(libctx, name, NULL, 1); @@ -215,7 +225,11 @@ static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, } - return ok; + /* + * Even if ok is 0, we still return success. Failure to load a provider is + * not fatal. We want to continue to load the rest of the config file. + */ + return 1; } static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf) diff --git a/include/crypto/evp.h b/include/crypto/evp.h index 68aab33cae..41ac80ed9d 100644 --- a/include/crypto/evp.h +++ b/include/crypto/evp.h @@ -891,6 +891,8 @@ int evp_pkey_ctx_use_cached_data(EVP_PKEY_CTX *ctx); # endif /* !defined(FIPS_MODULE) */ int evp_method_store_flush(OSSL_LIB_CTX *libctx); +int evp_default_properties_enable_fips_int(OSSL_LIB_CTX *libctx, int enable, + int loadconfig); int evp_set_default_properties_int(OSSL_LIB_CTX *libctx, const char *propq, int loadconfig, int mirrored); char *evp_get_global_properties_str(OSSL_LIB_CTX *libctx, int loadconfig); diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c index 4155b64197..b69299e046 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c @@ -712,6 +712,7 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle, return 1; err: fips_teardown(*provctx); + OSSL_LIB_CTX_free(libctx); *provctx = NULL; return 0; } diff --git a/test/defltfips_test.c b/test/defltfips_test.c index 21c5e1524d..8b6dc0d6f1 100644 --- a/test/defltfips_test.c +++ b/test/defltfips_test.c @@ -4,6 +4,7 @@ #include "testutil.h" static int is_fips; +static int bad_fips; static int test_is_fips_enabled(void) { @@ -24,8 +25,8 @@ static int test_is_fips_enabled(void) * on the default properties. However we only set those properties if also * loading the FIPS provider. */ - if (!TEST_int_eq(is_fips, is_fips_enabled) - || !TEST_int_eq(is_fips, is_fips_loaded)) + if (!TEST_int_eq(is_fips || bad_fips, is_fips_enabled) + || !TEST_int_eq(is_fips && !bad_fips, is_fips_loaded)) return 0; /* @@ -33,19 +34,26 @@ static int test_is_fips_enabled(void) * expected provider. */ sha256 = EVP_MD_fetch(NULL, "SHA2-256", NULL); - if (!TEST_ptr(sha256)) - return 0; - if (is_fips - && !TEST_str_eq(OSSL_PROVIDER_get0_name(EVP_MD_get0_provider(sha256)), - "fips")) { + if (bad_fips) { + if (!TEST_ptr_null(sha256)) { + EVP_MD_free(sha256); + return 0; + } + } else { + if (!TEST_ptr(sha256)) + return 0; + if (is_fips + && !TEST_str_eq(OSSL_PROVIDER_get0_name(EVP_MD_get0_provider(sha256)), + "fips")) { + EVP_MD_free(sha256); + return 0; + } EVP_MD_free(sha256); - return 0; } - EVP_MD_free(sha256); /* State should still be consistent */ is_fips_enabled = EVP_default_properties_is_fips_enabled(NULL); - if (!TEST_int_eq(is_fips, is_fips_enabled)) + if (!TEST_int_eq(is_fips || bad_fips, is_fips_enabled)) return 0; return 1; @@ -54,6 +62,7 @@ static int test_is_fips_enabled(void) int setup_tests(void) { size_t argc; + char *arg1; if (!test_skip_common_options()) { TEST_error("Error parsing test options\n"); @@ -64,10 +73,18 @@ int setup_tests(void) switch(argc) { case 0: is_fips = 0; + bad_fips = 0; break; case 1: - if (strcmp(test_get_argument(0), "fips") == 0) { + arg1 = test_get_argument(0); + if (strcmp(arg1, "fips") == 0) { is_fips = 1; + bad_fips = 0; + break; + } else if (strcmp(arg1, "badfips") == 0) { + /* Configured for FIPS, but the module fails to load */ + is_fips = 0; + bad_fips = 1; break; } /* fall through */ diff --git a/test/fips.cnf b/test/fips-alt.cnf similarity index 91% copy from test/fips.cnf copy to test/fips-alt.cnf index fa131a8bf6..17889372c7 100644 --- a/test/fips.cnf +++ b/test/fips-alt.cnf @@ -10,7 +10,7 @@ alg_section = evp_properties # Ensure FIPS non-approved algorithms in the FIPS module are suppressed (e.g. # TEST-RAND). This also means that EVP_default_properties_is_fips_enabled() # returns the expected value -default_properties = "fips=yes" +fips_mode = true [provider_sect] fips = fips_sect diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t index 73bb4bce9c..f0338bb3e0 100644 --- a/test/recipes/30-test_defltfips.t +++ b/test/recipes/30-test_defltfips.t @@ -10,12 +10,12 @@ use strict; use warnings; -use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_file bldtop_dir/; +use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_file bldtop_dir data_dir/; use OpenSSL::Test::Utils; use Cwd qw(abs_path); BEGIN { - setup("test_evp"); + setup("test_defltfips"); } use lib srctop_dir('Configurations'); @@ -24,11 +24,24 @@ use lib bldtop_dir('.'); my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); plan tests => - ($no_fips ? 1 : 2); + ($no_fips ? 1 : 5); unless ($no_fips) { $ENV{OPENSSL_CONF} = abs_path(srctop_file("test", "fips.cnf")); ok(run(test(["defltfips_test", "fips"])), "running defltfips_test fips"); + + #Test an alternative way of configuring fips + $ENV{OPENSSL_CONF} = abs_path(srctop_file("test", "fips-alt.cnf")); + ok(run(test(["defltfips_test", "fips"])), "running defltfips_test fips"); + + #Configured to run FIPS but the module-mac is bad + $ENV{OPENSSL_CONF} = abs_path(srctop_file("test", "fips.cnf")); + $ENV{OPENSSL_CONF_INCLUDE} = srctop_file("test", "recipes", "30-test_defltfips"); + ok(run(test(["defltfips_test", "badfips"])), "running defltfips_test badfips"); + + #Test an alternative way of configuring fips (but still with bad module-mac) + $ENV{OPENSSL_CONF} = abs_path(srctop_file("test", "fips-alt.cnf")); + ok(run(test(["defltfips_test", "badfips"])), "running defltfips_test badfips"); } $ENV{OPENSSL_CONF} = abs_path(srctop_file("test", "default.cnf")); diff --git a/test/recipes/30-test_defltfips/fipsmodule.cnf b/test/recipes/30-test_defltfips/fipsmodule.cnf new file mode 100644 index 0000000000..14d26d8e56 --- /dev/null +++ b/test/recipes/30-test_defltfips/fipsmodule.cnf @@ -0,0 +1,7 @@ +#The MAC here is meant to be incorrect, do not modify it + +[fips_sect] +activate = 1 +conditional-errors = 1 +security-checks = 1 +module-mac = 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 From pauli at openssl.org Wed Jul 28 00:38:07 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 28 Jul 2021 00:38:07 +0000 Subject: [openssl] master update Message-ID: <1627432687.074412.20665.nullmailer@dev.openssl.org> The branch master has been updated via a65c8d8f737fe4e67d0b37e2b20dc1adccd93112 (commit) from 96d6a4e4464c3dec9cdf2c6fb59d737c8cb1be49 (commit) - Log ----------------------------------------------------------------- commit a65c8d8f737fe4e67d0b37e2b20dc1adccd93112 Author: Todd Short Date: Fri Jul 23 09:25:09 2021 -0400 Add missing session timeout calc Fixes #16142 Add missing session timeout calculation in `ssl_get_new_session()` Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16145) ----------------------------------------------------------------------- Summary of changes: ssl/ssl_sess.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index b526984289..0e756c37c1 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -437,6 +437,7 @@ int ssl_get_new_session(SSL *s, int session) ss->timeout = SSL_get_default_timeout(s); else ss->timeout = s->session_ctx->session_timeout; + ssl_session_calculate_timeout(ss); SSL_SESSION_free(s->session); s->session = NULL; From levitte at openssl.org Wed Jul 28 07:20:20 2021 From: levitte at openssl.org (Richard Levitte) Date: Wed, 28 Jul 2021 07:20:20 +0000 Subject: [web] master update Message-ID: <1627456820.286171.13641.nullmailer@dev.openssl.org> The branch master has been updated via 9ce1784ce87906832ed14a6b3b5055e0a7a4ce45 (commit) from 86e6eb2e66ec9112b311616d9dbfbb7da734c6a4 (commit) - Log ----------------------------------------------------------------- commit 9ce1784ce87906832ed14a6b3b5055e0a7a4ce45 Author: Richard Levitte Date: Tue Jul 27 17:57:14 2021 +0200 Fix generation of community .inc files For some reason, these files were excempt from automatic generation. I cannot see a reason why we did this, so we restore the automatic generation as originally planned. Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/250) ----------------------------------------------------------------------- Summary of changes: Makefile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index fb15dad..9eedcec 100644 --- a/Makefile +++ b/Makefile @@ -32,6 +32,8 @@ FUTURESERIES=3.0 # All simple generated files. SIMPLE = newsflash.inc sitemap.txt \ + community/committers.inc community/otc.inc \ + community/omc.inc community/omc-alumni.inc \ docs/faq.inc docs/fips.inc \ docs/OpenSSLStrategicArchitecture.html \ docs/OpenSSL300Design.html \ @@ -176,7 +178,7 @@ docs/manpages.html: docs/manpages.html.tt ## ## $(SIMPLE) -- SIMPLE GENERATED FILES ## -.PHONY: sitemap community/committers.inc community/otc.inc community/omc.inc community/omc-alumni.inc +.PHONY: sitemap newsflash.inc: news/newsflash.inc @rm -f $@ head -7 $? >$@ From scan-admin at coverity.com Wed Jul 28 07:49:26 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Wed, 28 Jul 2021 07:49:26 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <61010c062df68_24a54e2ae972e7f9b019584@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DWEcE_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeGmLGXyM48VtWxUsgFUT4WpzM1p4wqWS20swPkL-2F3uA0j2-2FQhGXOb9sloK3wchEObO6Y9ouEcmn-2BMajXz7oxA9Kp2fHEhG0sQlPlcDoLyVL28gyn1lz5keyFzAMwxm1gLjeIGsAgxHYbN3Vlr5tKqe3KQllS6BU6pE7buMAjEnaLIP1PUt4dwcZ-2Ftprig7x-2FEA-3D Build ID: 399236 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Wed Jul 28 07:56:55 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Wed, 28 Jul 2021 07:56:55 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <61010dc7327f1_24a7ae2ae972e7f9b019528@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DNcuE_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFcTFelruq-2FJvn-2FzJxtnzUJXs50ogRbP-2FEwznFiESAxJoD93WE2esimLJ-2B2PMLYARrb64HaOovifZTi1aOkbLPAs-2Bkc6bujQzg5IOOaA-2BT1Rfh2-2BYy2Mh5T68doA37shBlSoX57ymNQw6WQH7ZZKuiaFL5SMtYbFGEDWS-2BN2qpqxa9ZjynAKCRJDel0-2BotOdq8-3D Build ID: 399238 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Thu Jul 29 07:49:26 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Thu, 29 Jul 2021 07:49:26 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <61025d85e495d_62352aac923879a8249de@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DdU6S_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeGbFOeYO3859VXOtheIZlCuNHiz96JiNnznwPGR2iZ3lSkgSf2nnm5OngdjLvbKMlsklaF8Ih4KFHKq-2BWYPYAZt-2FQqMG0zyEqEAEtzjrTu-2BXxu4FGhi89HnT4gjscVq7UWxY-2BVX-2B65T043wMS4DE-2FNz4J8fdZtBdRLr9hpzOUVamvHw8WelA7Zs4nrW8dsiZtc-3D Build ID: 399443 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Thu Jul 29 07:53:13 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Thu, 29 Jul 2021 07:53:13 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <61025e68b089f_635d2aac923879a82499d@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DNjjo_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeH6snrZwbpC5zSUoreXXbgBw8DOTkiguzuqBzFres-2BAu07ATEvTcLcWLC4atn1ta15Kq3yM6-2FLIX1pwEMB940uma68j1eKj-2FhfeBHuMnLofFVH5lz313wzkFASK94YiiMkECXe2BknT5YLsSveR4LzqMRv3qdfvMvUr-2FPFXhAXNpLglPRgo5W9qRhGSWdHq54A-3D Build ID: 399445 Analysis Summary: New defects found: 0 Defects eliminated: 0 From matt at openssl.org Thu Jul 29 13:10:51 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 29 Jul 2021 13:10:51 +0000 Subject: [openssl] master update Message-ID: <1627564251.456745.1368.nullmailer@dev.openssl.org> The branch master has been updated via 0136956dc6d51060aa79e1ed1e8bec527116415d (commit) from a65c8d8f737fe4e67d0b37e2b20dc1adccd93112 (commit) - Log ----------------------------------------------------------------- commit 0136956dc6d51060aa79e1ed1e8bec527116415d Author: Matt Caswell Date: Thu Jul 29 11:09:05 2021 +0100 Update fingerprints.txt Add Paul Dale as an approved release signer. Reviewed-by: Paul Dale Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/16175) ----------------------------------------------------------------------- Summary of changes: doc/fingerprints.txt | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/doc/fingerprints.txt b/doc/fingerprints.txt index 51e76c8f71..4a8fc8e8d8 100644 --- a/doc/fingerprints.txt +++ b/doc/fingerprints.txt @@ -12,13 +12,11 @@ in the file named openssl-1.0.1h.tar.gz.asc. The following is the list of fingerprints for the keys that are currently in use to sign OpenSSL distributions: -pub 4096R/7DF9EE8C 2014-10-04 - Key fingerprint = 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C -uid Richard Levitte -uid Richard Levitte -uid Richard Levitte +Richard Levitte: +7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C -pub 2048R/0E604491 2013-04-30 - Key fingerprint = 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491 -uid Matt Caswell -uid Matt Caswell +Matt Caswell: +8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491 + +Paul Dale: +1B72 6772 1033 CC88 A531 5EF5 5359 C4D8 443B 383B From matt at openssl.org Thu Jul 29 14:46:24 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 29 Jul 2021 14:46:24 +0000 Subject: [openssl] master update Message-ID: <1627569984.919377.26894.nullmailer@dev.openssl.org> The branch master has been updated via 54b40531307fcaba1206e98f4cae73f0532fbdbb (commit) from 0136956dc6d51060aa79e1ed1e8bec527116415d (commit) - Log ----------------------------------------------------------------- commit 54b40531307fcaba1206e98f4cae73f0532fbdbb Author: Matt Caswell Date: Thu Jul 29 15:41:35 2021 +0100 Update copyright year Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/16176) ----------------------------------------------------------------------- Summary of changes: crypto/aes/asm/aes-sparcv9.pl | 2 +- crypto/aes/asm/aesfx-sparcv9.pl | 2 +- crypto/aes/asm/aest4-sparcv9.pl | 2 +- crypto/bn/asm/sparct4-mont.pl | 2 +- crypto/bn/asm/sparcv9-gf2m.pl | 2 +- crypto/bn/asm/sparcv9-mont.pl | 2 +- crypto/bn/asm/sparcv9a-mont.pl | 2 +- crypto/bn/asm/vis3-mont.pl | 2 +- crypto/camellia/asm/cmllt4-sparcv9.pl | 2 +- crypto/des/asm/dest4-sparcv9.pl | 2 +- crypto/dsa/dsa_prn.c | 2 +- crypto/ec/asm/ecp_nistz256-sparcv9.pl | 2 +- crypto/md5/asm/md5-sparcv9.pl | 2 +- crypto/modes/asm/ghash-sparcv9.pl | 2 +- crypto/passphrase.c | 2 +- crypto/poly1305/asm/poly1305-sparcv9.pl | 2 +- crypto/rsa/rsa_prn.c | 2 +- crypto/sha/asm/sha1-sparcv9.pl | 2 +- crypto/sha/asm/sha512-sparcv9.pl | 2 +- crypto/ui/ui_lib.c | 2 +- crypto/uid.c | 2 +- crypto/x509/x_x509a.c | 2 +- doc/internal/man3/ossl_cmp_certreq_new.pod | 2 +- doc/internal/man3/ossl_cmp_hdr_init.pod | 2 +- doc/internal/man3/ossl_cmp_msg_create.pod | 2 +- doc/man3/ECDSA_SIG_new.pod | 2 +- doc/man3/ERR_GET_LIB.pod | 2 +- doc/man3/EVP_DigestVerifyInit.pod | 2 +- doc/man3/EVP_PKEY_CTX_get0_libctx.pod | 2 +- doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod | 2 +- doc/man3/OSSL_CRMF_MSG_set0_validity.pod | 2 +- doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod | 2 +- doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod | 2 +- doc/man3/SSL_CTX_set_verify.pod | 2 +- doc/man3/SSL_get_error.pod | 2 +- doc/man3/SSL_key_update.pod | 2 +- doc/man3/SSL_new.pod | 2 +- doc/man3/X509_check_ca.pod | 2 +- doc/man3/X509_check_issued.pod | 2 +- doc/man3/X509_check_purpose.pod | 2 +- doc/man3/X509_verify.pod | 2 +- doc/man7/openssl_user_macros.pod.in | 2 +- include/crypto/ppc_arch.h | 2 +- include/openssl/crmf.h.in | 2 +- providers/common/include/prov/provider_util.h | 2 +- providers/implementations/storemgmt/file_store_local.h | 2 +- ssl/record/ssl3_buffer.c | 2 +- test/afalgtest.c | 2 +- test/asn1_encode_test.c | 2 +- test/bio_memleak_test.c | 2 +- test/pem_read_depr_test.c | 2 +- test/pemtest.c | 2 +- test/recipes/04-test_conf.t | 2 +- test/recipes/15-test_rsa.t | 2 +- test/recipes/20-test_enc.t | 2 +- test/recipes/20-test_passwd.t | 2 +- test/recipes/30-test_evp_data/evpkdf_hkdf.txt | 2 +- test/recipes/30-test_evp_data/evppkey_rsa_common.txt | 2 +- test/recipes/65-test_cmp_ctx.t | 2 +- test/recipes/70-test_sslsessiontick.t | 2 +- test/recipes/80-test_ocsp.t | 2 +- test/recipes/90-test_shlibload.t | 2 +- test/recipes/90-test_store.t | 2 +- test/sanitytest.c | 2 +- test/simpledynamic.c | 2 +- 65 files changed, 65 insertions(+), 65 deletions(-) diff --git a/crypto/aes/asm/aes-sparcv9.pl b/crypto/aes/asm/aes-sparcv9.pl index cb17a75f24..d15640e3d7 100755 --- a/crypto/aes/asm/aes-sparcv9.pl +++ b/crypto/aes/asm/aes-sparcv9.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/aes/asm/aesfx-sparcv9.pl b/crypto/aes/asm/aesfx-sparcv9.pl index 86f2c442ed..27233d03af 100644 --- a/crypto/aes/asm/aesfx-sparcv9.pl +++ b/crypto/aes/asm/aesfx-sparcv9.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/aes/asm/aest4-sparcv9.pl b/crypto/aes/asm/aest4-sparcv9.pl index bb73f24915..c04b5f3cda 100644 --- a/crypto/aes/asm/aest4-sparcv9.pl +++ b/crypto/aes/asm/aest4-sparcv9.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bn/asm/sparct4-mont.pl b/crypto/bn/asm/sparct4-mont.pl index 6bc98530ce..8a3bedc9af 100755 --- a/crypto/bn/asm/sparct4-mont.pl +++ b/crypto/bn/asm/sparct4-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bn/asm/sparcv9-gf2m.pl b/crypto/bn/asm/sparcv9-gf2m.pl index 28d1ed7426..9f773f183c 100644 --- a/crypto/bn/asm/sparcv9-gf2m.pl +++ b/crypto/bn/asm/sparcv9-gf2m.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bn/asm/sparcv9-mont.pl b/crypto/bn/asm/sparcv9-mont.pl index ac93ef9ee6..fe51fcaf81 100644 --- a/crypto/bn/asm/sparcv9-mont.pl +++ b/crypto/bn/asm/sparcv9-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bn/asm/sparcv9a-mont.pl b/crypto/bn/asm/sparcv9a-mont.pl index 062a017072..08773bc758 100755 --- a/crypto/bn/asm/sparcv9a-mont.pl +++ b/crypto/bn/asm/sparcv9a-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bn/asm/vis3-mont.pl b/crypto/bn/asm/vis3-mont.pl index 6649c34727..f7e6c38635 100644 --- a/crypto/bn/asm/vis3-mont.pl +++ b/crypto/bn/asm/vis3-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/camellia/asm/cmllt4-sparcv9.pl b/crypto/camellia/asm/cmllt4-sparcv9.pl index 3f71e4c2fc..86e38d65c4 100644 --- a/crypto/camellia/asm/cmllt4-sparcv9.pl +++ b/crypto/camellia/asm/cmllt4-sparcv9.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/des/asm/dest4-sparcv9.pl b/crypto/des/asm/dest4-sparcv9.pl index 09298583e4..afa15860f0 100644 --- a/crypto/des/asm/dest4-sparcv9.pl +++ b/crypto/des/asm/dest4-sparcv9.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2013-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/dsa/dsa_prn.c b/crypto/dsa/dsa_prn.c index 6f001a50f0..1164e0f5cb 100644 --- a/crypto/dsa/dsa_prn.c +++ b/crypto/dsa/dsa_prn.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/ec/asm/ecp_nistz256-sparcv9.pl b/crypto/ec/asm/ecp_nistz256-sparcv9.pl index 19821cdc85..986e002cc9 100755 --- a/crypto/ec/asm/ecp_nistz256-sparcv9.pl +++ b/crypto/ec/asm/ecp_nistz256-sparcv9.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/md5/asm/md5-sparcv9.pl b/crypto/md5/asm/md5-sparcv9.pl index a17d0b6bf5..c41ccf6ba9 100644 --- a/crypto/md5/asm/md5-sparcv9.pl +++ b/crypto/md5/asm/md5-sparcv9.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/modes/asm/ghash-sparcv9.pl b/crypto/modes/asm/ghash-sparcv9.pl index d3fa2a68fe..e35064237f 100644 --- a/crypto/modes/asm/ghash-sparcv9.pl +++ b/crypto/modes/asm/ghash-sparcv9.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2010-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2010-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/passphrase.c b/crypto/passphrase.c index 5fb77756c5..fb8ea1deb1 100644 --- a/crypto/passphrase.c +++ b/crypto/passphrase.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/poly1305/asm/poly1305-sparcv9.pl b/crypto/poly1305/asm/poly1305-sparcv9.pl index b20517f57b..dc592a07ac 100755 --- a/crypto/poly1305/asm/poly1305-sparcv9.pl +++ b/crypto/poly1305/asm/poly1305-sparcv9.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/rsa/rsa_prn.c b/crypto/rsa/rsa_prn.c index 35723c87ae..3a9892ebdd 100644 --- a/crypto/rsa/rsa_prn.c +++ b/crypto/rsa/rsa_prn.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/sha/asm/sha1-sparcv9.pl b/crypto/sha/asm/sha1-sparcv9.pl index bbca9ed21a..904eda6465 100644 --- a/crypto/sha/asm/sha1-sparcv9.pl +++ b/crypto/sha/asm/sha1-sparcv9.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/sha/asm/sha512-sparcv9.pl b/crypto/sha/asm/sha512-sparcv9.pl index a77ae7bed7..6bf366ef12 100644 --- a/crypto/sha/asm/sha512-sparcv9.pl +++ b/crypto/sha/asm/sha512-sparcv9.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/crypto/ui/ui_lib.c b/crypto/ui/ui_lib.c index 7cb91add41..1ff8c6fa35 100644 --- a/crypto/ui/ui_lib.c +++ b/crypto/ui/ui_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/uid.c b/crypto/uid.c index 60af78b9e0..928b83c026 100644 --- a/crypto/uid.c +++ b/crypto/uid.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/x509/x_x509a.c b/crypto/x509/x_x509a.c index c88a58aa9f..f7953c269e 100644 --- a/crypto/x509/x_x509a.c +++ b/crypto/x509/x_x509a.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man3/ossl_cmp_certreq_new.pod b/doc/internal/man3/ossl_cmp_certreq_new.pod index 05530dafae..068e1b29b9 100644 --- a/doc/internal/man3/ossl_cmp_certreq_new.pod +++ b/doc/internal/man3/ossl_cmp_certreq_new.pod @@ -167,7 +167,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man3/ossl_cmp_hdr_init.pod b/doc/internal/man3/ossl_cmp_hdr_init.pod index 7bc87a253a..a0804aa4cf 100644 --- a/doc/internal/man3/ossl_cmp_hdr_init.pod +++ b/doc/internal/man3/ossl_cmp_hdr_init.pod @@ -141,7 +141,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/internal/man3/ossl_cmp_msg_create.pod b/doc/internal/man3/ossl_cmp_msg_create.pod index 60f425b96e..d4294d3e9f 100644 --- a/doc/internal/man3/ossl_cmp_msg_create.pod +++ b/doc/internal/man3/ossl_cmp_msg_create.pod @@ -124,7 +124,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/ECDSA_SIG_new.pod b/doc/man3/ECDSA_SIG_new.pod index dd4c16f57e..584f11b32e 100644 --- a/doc/man3/ECDSA_SIG_new.pod +++ b/doc/man3/ECDSA_SIG_new.pod @@ -211,7 +211,7 @@ functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/ERR_GET_LIB.pod b/doc/man3/ERR_GET_LIB.pod index 412a292dd2..e388d32de2 100644 --- a/doc/man3/ERR_GET_LIB.pod +++ b/doc/man3/ERR_GET_LIB.pod @@ -55,7 +55,7 @@ ERR_GET_FUNC() was removed in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_DigestVerifyInit.pod b/doc/man3/EVP_DigestVerifyInit.pod index c318656fc9..9a02f12e37 100644 --- a/doc/man3/EVP_DigestVerifyInit.pod +++ b/doc/man3/EVP_DigestVerifyInit.pod @@ -181,7 +181,7 @@ EVP_DigestVerifyUpdate() was converted from a macro to a function in OpenSSL =head1 COPYRIGHT -Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_PKEY_CTX_get0_libctx.pod b/doc/man3/EVP_PKEY_CTX_get0_libctx.pod index 9f84bd96c4..81332b8c70 100644 --- a/doc/man3/EVP_PKEY_CTX_get0_libctx.pod +++ b/doc/man3/EVP_PKEY_CTX_get0_libctx.pod @@ -44,7 +44,7 @@ All functions were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod index bc268d64ca..51296599e5 100644 --- a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod +++ b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod @@ -88,7 +88,7 @@ The OpenSSL CRMF support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CRMF_MSG_set0_validity.pod b/doc/man3/OSSL_CRMF_MSG_set0_validity.pod index fd42159d67..6489645e56 100644 --- a/doc/man3/OSSL_CRMF_MSG_set0_validity.pod +++ b/doc/man3/OSSL_CRMF_MSG_set0_validity.pod @@ -108,7 +108,7 @@ The OpenSSL CRMF support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod b/doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod index 77377ef7eb..96281b67a8 100644 --- a/doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod +++ b/doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod @@ -121,7 +121,7 @@ The OpenSSL CRMF support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod b/doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod index f3d8fb1217..00541c32b4 100644 --- a/doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod +++ b/doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod @@ -58,7 +58,7 @@ The OpenSSL CRMF support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_verify.pod b/doc/man3/SSL_CTX_set_verify.pod index 5e3ebef8e6..e3271aff01 100644 --- a/doc/man3/SSL_CTX_set_verify.pod +++ b/doc/man3/SSL_CTX_set_verify.pod @@ -348,7 +348,7 @@ and SSL_set_post_handshake_auth() functions were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_get_error.pod b/doc/man3/SSL_get_error.pod index eee1cbe643..a90b22d984 100644 --- a/doc/man3/SSL_get_error.pod +++ b/doc/man3/SSL_get_error.pod @@ -180,7 +180,7 @@ The SSL_ERROR_WANT_CLIENT_HELLO_CB error code was added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_key_update.pod b/doc/man3/SSL_key_update.pod index 24c125a8b5..6d5b42e0b1 100644 --- a/doc/man3/SSL_key_update.pod +++ b/doc/man3/SSL_key_update.pod @@ -101,7 +101,7 @@ OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_new.pod b/doc/man3/SSL_new.pod index 02cbd036b5..59d275523f 100644 --- a/doc/man3/SSL_new.pod +++ b/doc/man3/SSL_new.pod @@ -124,7 +124,7 @@ L =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/X509_check_ca.pod b/doc/man3/X509_check_ca.pod index 6cf122ddfc..91eba44f41 100644 --- a/doc/man3/X509_check_ca.pod +++ b/doc/man3/X509_check_ca.pod @@ -38,7 +38,7 @@ L =head1 COPYRIGHT -Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/X509_check_issued.pod b/doc/man3/X509_check_issued.pod index c8d627ebba..b83bc1396b 100644 --- a/doc/man3/X509_check_issued.pod +++ b/doc/man3/X509_check_issued.pod @@ -36,7 +36,7 @@ L, L =head1 COPYRIGHT -Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/X509_check_purpose.pod b/doc/man3/X509_check_purpose.pod index d1447c3c87..a3cfb78d61 100644 --- a/doc/man3/X509_check_purpose.pod +++ b/doc/man3/X509_check_purpose.pod @@ -70,7 +70,7 @@ For CA checks the below integers could be returned with the following meanings: =head1 COPYRIGHT -Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L. diff --git a/doc/man3/X509_verify.pod b/doc/man3/X509_verify.pod index 6033804b8d..ad22721bd1 100644 --- a/doc/man3/X509_verify.pod +++ b/doc/man3/X509_verify.pod @@ -73,7 +73,7 @@ X509_REQ_verify_ex(), and X509_self_signed() were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/openssl_user_macros.pod.in b/doc/man7/openssl_user_macros.pod.in index ec99da594f..829fe69aeb 100644 --- a/doc/man7/openssl_user_macros.pod.in +++ b/doc/man7/openssl_user_macros.pod.in @@ -92,7 +92,7 @@ will be hidden. =head1 COPYRIGHT -Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/ppc_arch.h b/include/crypto/ppc_arch.h index 0241878ea7..3b3ce4bff5 100644 --- a/include/crypto/ppc_arch.h +++ b/include/crypto/ppc_arch.h @@ -1,5 +1,5 @@ /* - * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2014-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/crmf.h.in b/include/openssl/crmf.h.in index beb73d7bf0..4d37ea6d94 100644 --- a/include/openssl/crmf.h.in +++ b/include/openssl/crmf.h.in @@ -1,7 +1,7 @@ /*- * {- join("\n * ", @autowarntext) -} * - * Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * diff --git a/providers/common/include/prov/provider_util.h b/providers/common/include/prov/provider_util.h index fa73e46506..dfe91f29bc 100644 --- a/providers/common/include/prov/provider_util.h +++ b/providers/common/include/prov/provider_util.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/storemgmt/file_store_local.h b/providers/implementations/storemgmt/file_store_local.h index 3459315948..b7d9e58516 100644 --- a/providers/implementations/storemgmt/file_store_local.h +++ b/providers/implementations/storemgmt/file_store_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c index daa175d98c..01c553ebff 100644 --- a/ssl/record/ssl3_buffer.c +++ b/ssl/record/ssl3_buffer.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/afalgtest.c b/test/afalgtest.c index 1177ceaf8e..f0bdb26271 100644 --- a/test/afalgtest.c +++ b/test/afalgtest.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/asn1_encode_test.c b/test/asn1_encode_test.c index c453bdf3f8..335f24e113 100644 --- a/test/asn1_encode_test.c +++ b/test/asn1_encode_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/bio_memleak_test.c b/test/bio_memleak_test.c index 518e7dd982..e95c21768c 100644 --- a/test/bio_memleak_test.c +++ b/test/bio_memleak_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/pem_read_depr_test.c b/test/pem_read_depr_test.c index b6a518873a..aef85f91cf 100644 --- a/test/pem_read_depr_test.c +++ b/test/pem_read_depr_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/pemtest.c b/test/pemtest.c index 444603f253..a8d2d49bb5 100644 --- a/test/pemtest.c +++ b/test/pemtest.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/04-test_conf.t b/test/recipes/04-test_conf.t index cab0ec59dc..f987e43c8e 100644 --- a/test/recipes/04-test_conf.t +++ b/test/recipes/04-test_conf.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/15-test_rsa.t b/test/recipes/15-test_rsa.t index 089986f0d8..301368b69b 100644 --- a/test/recipes/15-test_rsa.t +++ b/test/recipes/15-test_rsa.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/20-test_enc.t b/test/recipes/20-test_enc.t index 9a38aed4d0..c5391d53f2 100644 --- a/test/recipes/20-test_enc.t +++ b/test/recipes/20-test_enc.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/20-test_passwd.t b/test/recipes/20-test_passwd.t index 69920773a4..bd2a2ae469 100644 --- a/test/recipes/20-test_passwd.t +++ b/test/recipes/20-test_passwd.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/30-test_evp_data/evpkdf_hkdf.txt b/test/recipes/30-test_evp_data/evpkdf_hkdf.txt index c7f94cc644..d8adb7f732 100644 --- a/test/recipes/30-test_evp_data/evpkdf_hkdf.txt +++ b/test/recipes/30-test_evp_data/evpkdf_hkdf.txt @@ -1,5 +1,5 @@ # -# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt index b0406ea5dc..b8d8bb2993 100644 --- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt @@ -1,5 +1,5 @@ # -# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/65-test_cmp_ctx.t b/test/recipes/65-test_cmp_ctx.t index 069c0e660b..d347673640 100644 --- a/test/recipes/65-test_cmp_ctx.t +++ b/test/recipes/65-test_cmp_ctx.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. # Copyright Nokia 2007-2019 # Copyright Siemens AG 2015-2019 # diff --git a/test/recipes/70-test_sslsessiontick.t b/test/recipes/70-test_sslsessiontick.t index ce112fd51f..ad14577470 100644 --- a/test/recipes/70-test_sslsessiontick.t +++ b/test/recipes/70-test_sslsessiontick.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/80-test_ocsp.t b/test/recipes/80-test_ocsp.t index bf00386a0f..d42030cb89 100644 --- a/test/recipes/80-test_ocsp.t +++ b/test/recipes/80-test_ocsp.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/90-test_shlibload.t b/test/recipes/90-test_shlibload.t index 29826f7252..8f691dee38 100644 --- a/test/recipes/90-test_shlibload.t +++ b/test/recipes/90-test_shlibload.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/90-test_store.t b/test/recipes/90-test_store.t index 2bdc08f4c2..12a8a32d98 100644 --- a/test/recipes/90-test_store.t +++ b/test/recipes/90-test_store.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/sanitytest.c b/test/sanitytest.c index 892b3b55e1..b1aadc4aa8 100644 --- a/test/sanitytest.c +++ b/test/sanitytest.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/simpledynamic.c b/test/simpledynamic.c index a3a4b06dd0..2cced8c861 100644 --- a/test/simpledynamic.c +++ b/test/simpledynamic.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy From matt at openssl.org Thu Jul 29 15:15:04 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 29 Jul 2021 15:15:04 +0000 Subject: [openssl] master update Message-ID: <1627571704.653214.5844.nullmailer@dev.openssl.org> The branch master has been updated via b5e2b1d8447645b296375bc69b010ac4fedb07ac (commit) via 9f551541e84eead1d42604b7d5e61885e8e34be0 (commit) via 437f101ee0f36626716af2f082c2e68c7e214c38 (commit) from 54b40531307fcaba1206e98f4cae73f0532fbdbb (commit) - Log ----------------------------------------------------------------- commit b5e2b1d8447645b296375bc69b010ac4fedb07ac Author: Matt Caswell Date: Thu Jul 29 15:50:46 2021 +0100 Prepare for 3.0 beta 3 Reviewed-by: Richard Levitte commit 9f551541e84eead1d42604b7d5e61885e8e34be0 Author: Matt Caswell Date: Thu Jul 29 15:50:29 2021 +0100 Prepare for release of 3.0 beta 2 Reviewed-by: Richard Levitte commit 437f101ee0f36626716af2f082c2e68c7e214c38 Author: Matt Caswell Date: Thu Jul 29 15:50:27 2021 +0100 make update Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: VERSION.dat | 2 +- providers/fips-sources.checksums | 77 +- providers/fips.checksum | 2 +- providers/fips.module.sources | 1 + util/libcrypto.num | 2044 +++++++++++++++++++------------------- 5 files changed, 1064 insertions(+), 1062 deletions(-) diff --git a/VERSION.dat b/VERSION.dat index 8ed390bf17..d5c6836ce5 100644 --- a/VERSION.dat +++ b/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 MINOR=0 PATCH=0 -PRE_RELEASE_TAG=beta2-dev +PRE_RELEASE_TAG=beta3-dev BUILD_METADATA= RELEASE_DATE="" SHLIB_VERSION=3 diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums index 3e01b0c295..37fff3a49d 100644 --- a/providers/fips-sources.checksums +++ b/providers/fips-sources.checksums @@ -11,16 +11,16 @@ a2466f18da5847c7d9fbced17524633c10ce024671a72f53f9c9c55b9b9923dd crypto/aes/aes 7ff9c96ef3d591d45d776fa4b244601ea0d9328e289aeab1e1b92436ce7d02ad crypto/aes/asm/aes-parisc.pl f1244cdeadcb4e48f35bc5df19d4cfaf07e0086ad951b84f07ff6966501faa5b crypto/aes/asm/aes-ppc.pl ecbfe826f4c514810c3ee20e265f4f621149694c298554b2682e5de4f029f14f crypto/aes/asm/aes-s390x.pl -01f60ddf86f97eae22559e4b5a79855296100a1ec04c527567ba5c52e4f64f9b crypto/aes/asm/aes-sparcv9.pl +ee4e8cacef972942d2a89c1a83c984df9cad87c61a54383403c5c4864c403ba1 crypto/aes/asm/aes-sparcv9.pl 2b3b9ac56bf54334d053857a24bdb08592151e8a7a60b89b8195846b7f8ee7b5 crypto/aes/asm/aes-x86_64.pl -cb429f1e92cb7d8397497a149161b10f05420031ba7d501e8b0c79ab7faaeb57 crypto/aes/asm/aesfx-sparcv9.pl +c56c324667b67d726e040d70379efba5b270e2937f403c1b5979018b836903c7 crypto/aes/asm/aesfx-sparcv9.pl 14359dc32b7f4e5c08227fb9ac8f9232c1287399463b233fec4a2ab0c19f68d1 crypto/aes/asm/aesni-mb-x86_64.pl 2fe016e8098d1c959b6199ce98e91dfed9a3a543d6b068daf88d4c4c402701ec crypto/aes/asm/aesni-sha1-x86_64.pl 1d3acabadedb88d1327eeb76201ea9b3f4814f44898018ffae6c73e3f400b89b crypto/aes/asm/aesni-sha256-x86_64.pl 3f4a0cc23cd55f9f2603abfdc33b08323ad599cbf84e50d7c39db82723b54c4a crypto/aes/asm/aesni-x86.pl c7c6694480bb5319690f94826139a93f5c460ebea6dba101b520a76cb956ec93 crypto/aes/asm/aesni-x86_64.pl f3a8f3c960c0f47aaa8fc2633d18b14e7c7feeccc536b0115a08bc58333122b6 crypto/aes/asm/aesp8-ppc.pl -0b0ff9898edbe069320979eadb0114cb37761416750d983520af7ae47bb0fb48 crypto/aes/asm/aest4-sparcv9.pl +e397a5781893e97dd90a5a52049633be12a43f379ec5751bca2a6350c39444c8 crypto/aes/asm/aest4-sparcv9.pl fbee40f89882019c0f03072f92fccd5cfc79bfebea2ff675909e731d0e71d622 crypto/aes/asm/aesv8-armx.pl 15cf92ba0ea6fb216c75bb0c134fa1e1b4159a3f9d3c571b2a8319252c4ae633 crypto/aes/asm/bsaes-armv7.pl 0726a2c4c15c27a12b2f7d5e16863df4a1b1daa7b7d9b728f621b2b224d290e6 crypto/aes/asm/bsaes-x86_64.pl @@ -43,7 +43,7 @@ eb240c1f72063048abe026ab7fab340361a329d5cd355276a25950be446cc091 crypto/bn/asm/ b27ec5181e387e812925bb26823b830f49d7a6e4971b6d11ea583f5632a1504b crypto/bn/asm/parisc-mont.pl 9973523b361db963eea4938a7a8a3adc692e1a4e1aec4fa1f1e57dc93da37921 crypto/bn/asm/ppc-mont.pl 59cd27e1e10c4984b7fb684b27f491e7634473b1bcff197a07e0ca653124aa9a crypto/bn/asm/ppc.pl -67d4e08edbb4afdae9c39f69f89d0ee863b1a07f8d62e3ddd7b4472ff5a88134 crypto/bn/asm/ppc64-mont-fixed.pl +b1696b1aacf45d153b58c9a698a84c1917c6621eca50568dd83c341a1e61b3c0 crypto/bn/asm/ppc64-mont-fixed.pl a25be64867ab837d93855af232e2bfa71b85b2c6f00e35e620fdc5618187fb6f crypto/bn/asm/ppc64-mont.pl 231579e532443665020d4d522d9f11713d9c5d5c814b95b434b0f65452e16de4 crypto/bn/asm/rsaz-avx2.pl 8e193a1457ca30823f6172c9ec4568c1628c57c10ee12b88c7656adcc5f54491 crypto/bn/asm/rsaz-avx512.pl @@ -51,14 +51,14 @@ a25be64867ab837d93855af232e2bfa71b85b2c6f00e35e620fdc5618187fb6f crypto/bn/asm/ 30fedf48dfc5fec1c2044b6c226dd9fc42a92522cc589797a23a79d452bdd2cf crypto/bn/asm/s390x-gf2m.pl 590388d69d7ac3a0e9af4014792f4f0fdb9552719e8fb48ebc7e5dfca2a491d4 crypto/bn/asm/s390x-mont.pl aa02597f3dc09cfbc190aedb75711859ba0f3efff87067ebfba1ec78ebee40d7 crypto/bn/asm/s390x.S -458ecb209d5c2daf79b1d3abadc62e34809beed8be87a9c46f358850503045b8 crypto/bn/asm/sparct4-mont.pl +2f7cbc2c3d93b1bbc4953dda38b9ae0ab3a0a8331a0418d94d9b286183736c9e crypto/bn/asm/sparct4-mont.pl ca21a9ccbc54e19fb7c2e6cdf286ce7cb08b0fba960c777c6edce5c57ccc2101 crypto/bn/asm/sparcv8.S fbc93c8dbbecefe66086f58fe9719ed87b13b2cdc61454a10e841228296fecef crypto/bn/asm/sparcv8plus.S -62105f8f1eb54778b52923f6d24f41392d0ede8804d7fb587bda2bc1af302560 crypto/bn/asm/sparcv9-gf2m.pl -115af57cbd6024fd88b6f56e656bdf44f8243ce4984d3f2ab8ecfad2af327db0 crypto/bn/asm/sparcv9-mont.pl -96cc20651e5e9dc8d87047a739ad4863a2bf2afee868c3337684bcd2241b7462 crypto/bn/asm/sparcv9a-mont.pl +127832c1e3d298aad805236776488f5f8836b6a0fdbce3f6b42678163df3909f crypto/bn/asm/sparcv9-gf2m.pl +1622f04a8918724ac0e8804baf285fdafa0eeaaecc36c7facd459d0ff13a8cac crypto/bn/asm/sparcv9-mont.pl +b69083f78b4b4f7097de4462d16649532fb82c453a82cdd9cc1393122661d6e2 crypto/bn/asm/sparcv9a-mont.pl d404375a21d33396824a3da212d6646d4f3150dd141ee4b4a250aefae3482efb crypto/bn/asm/via-mont.pl -da709b73914f9d43a46c699b8ec68c67c52fe853a76f531bfccb542470d97ae0 crypto/bn/asm/vis3-mont.pl +d24f3e97239c8eed5efc721521b025b7256c15e67a54ea6b5c4cf8f7cd0f89ea crypto/bn/asm/vis3-mont.pl 89278854f44d95be916516609ce6f79dcd346bab52574b9b6336a9952aa94bee crypto/bn/asm/x86-gf2m.pl 90d4ae234c08267adce9ed38d56e0edc223f7480cb9605f5d7399d0b3914c6be crypto/bn/asm/x86-mont.pl d444ca73875e97e0ea88b20e4c02f2fcf3850e8b9311e3b67a2d04fe2796d543 crypto/bn/asm/x86_64-gcc.c @@ -72,8 +72,8 @@ da7f7780d27eed164797e5334cd45b35d9c113e86afaca051463aef9a8fd787c crypto/bn/asm/ 69b864ae1f230c6c1cbc8f512031a107fcc43651aeceafcb6647b2b222a6f7f8 crypto/bn/bn_conv.c 2893b6d03d4850d09c15959941b0759bbb50d8c20e873bed088e7cde4e15a65a crypto/bn/bn_ctx.c d94295953ab91469fe2b9da2a542b8ea11ac38551ecde8f8202b7f645c2dea16 crypto/bn/bn_dh.c -d3b8496faecc56e6ea833efe0378c0e7c6d9d52cf3b038ada7436b37d26c0dee crypto/bn/bn_div.c -15ca5c67bec7744f2f8561d1948e6b384a640809adcaee89ffc84d4f21406ce1 crypto/bn/bn_exp.c +a837ba52750ab30a57b6dd2fd4cf901e18a891a189b089f83add2f5dc8138eb7 crypto/bn/bn_div.c +160ea2c916774d6a7f8130e0a05cad7c0a954b4726c15017b3df67e3285231f3 crypto/bn/bn_exp.c 617d0fd580faf72aa144f9489d6d102e2a1c4953713ac31a2b1feea4fabb2f6c crypto/bn/bn_exp2.c b32d83cee8c00d837a7e4fb8af3f5cf17cb8d2419302e8f5fbcf62119092e874 crypto/bn/bn_gcd.c 4d6cc7ed36978247a191df1eea0120f8ee97b639ba228793dabe5a8355a1a609 crypto/bn/bn_gf2m.c @@ -137,7 +137,7 @@ b57b648524bc7dd98f8e2737f4e87b5578c7921df59b1df4a03a34e23e977e8a crypto/dsa/dsa 78ad06b88fcc8689a3a846b82f9ee01546e5734acd1bccf2494e523b71dc74d1 crypto/ec/asm/ecp_nistz256-armv4.pl 4617351d2de4d0b2abfd358c58050cee00702d0b4c1acca09312ec870e351c7d crypto/ec/asm/ecp_nistz256-armv8.pl 3715ddd921425f3018741037f01455ed26a840ace08691a800708170a66cf4d2 crypto/ec/asm/ecp_nistz256-ppc64.pl -7aeade641bf28d9cfdc43dc20da0378df5225377dcf52835c7e76aab64d3af77 crypto/ec/asm/ecp_nistz256-sparcv9.pl +cfe7e75a2fddc87a7251684469a8808b9da82b2f5725eafad5806920f89932bd crypto/ec/asm/ecp_nistz256-sparcv9.pl 922725c4761cfa567af6ed9ecab04f2c7729ae2595f2fc0fa46dc67879dc87b0 crypto/ec/asm/ecp_nistz256-x86.pl ac327475c7ec828d11aa05628b4e3b81ec3b1400f30fe7bec01daf3cf71f2dc9 crypto/ec/asm/ecp_nistz256-x86_64.pl cc727533130f5f1a29229929b3d4e8454585d647be25d6344f3c6a0240998368 crypto/ec/asm/x25519-ppc64.pl @@ -189,8 +189,8 @@ b4b7c683279454ba41438f50a015cb63ef056ccb9be0168918dfbae00313dc68 crypto/ec/ecp_ 847e039a249a1f9af42dfc6427de2ad4925f1116f86619dd420cf8cec9d3bbfe crypto/evp/digest.c 5e2c5d865029ae86855f15e162360d091f28ca0d4c67260700c90aa25faf308b crypto/evp/ec_support.c bd8cdd250f64cc314133a1c3cdef8eba3de5a40f1a9ef1d26729c5361690a368 crypto/evp/evp_enc.c -b6f77874575329b66f98359e52505d6f30f8ea1c2f20aacff54a9ef89fb3eece crypto/evp/evp_fetch.c -3998f2fa31d2e5de0051c28046dbd87f8ae9a3a23a73b7aee77618df382896b5 crypto/evp/evp_lib.c +363dda606a23f1cbb6eefc713903bb353b8fc8661dee0e853366c7798f050483 crypto/evp/evp_fetch.c +6e0a2b11440a3cfd80d5539aa6a4b133dbfefc6a646736980dbbd504b3f16ac8 crypto/evp/evp_lib.c 34574e474d3f5daf24981200cae9e24a427d165cd43d8fb738844fa9b0fc991f crypto/evp/evp_local.h e822c16fc4dc30f2c86e8598c721a9ddfe46d318ce78f4e8e883cdcf8b936221 crypto/evp/evp_rand.c 2a128617ec0178e9eeacbe41d75a5530755f41ea524cd124607543cf73456a0c crypto/evp/evp_utils.c @@ -204,9 +204,9 @@ e1a052839b8b70dca20dbac1282d61abd1c415bf4fb6afb56b811e8770d8a2e1 crypto/evp/m_s f9988dfed6253c30b08a966496f188763671cb72a2fcb25455f65f8d270027cc crypto/evp/mac_lib.c e7e8eb5683cd3fbd409df888020dc353b65ac291361829cc4131d5bc86c9fcb3 crypto/evp/mac_meth.c 0b3714cb5ff9deb5e17081b8dc12922910de9b8693e644dd2ac67a53fe25c7ff crypto/evp/p_lib.c -c7323b477b512701e27b28c2e328068593755e2b7ad537e8c21406c4e7bef789 crypto/evp/pmeth_check.c +3b4228b92eebd04616ecc3ee58684095313dd5ffd1b43cf698a7d6c202cb4622 crypto/evp/pmeth_check.c bbce11755bcc5ba2ee8e9c1eb95905447136f614fdc2b0f74cf785fe81ead6a5 crypto/evp/pmeth_gn.c -c95daaba3fe5389509d7c2c3d4b76c63a7183c14c52e5623be820931dfce39a8 crypto/evp/pmeth_lib.c +fdaddf5c4b274d83292a5121d9b0541dce82fb83e59d64d48a93964840421f30 crypto/evp/pmeth_lib.c c2158cf4f1d149889746665501035f38049dc1cdcea8c61cd377c0c3be6b8a43 crypto/evp/signature.c b06cb8fd4bd95aae1f66e1e145269c82169257f1a60ef0f78f80a3d4c5131fac crypto/ex_data.c 00ca3b72cd56308aabb2826b6a400c675526afa7efca052d39c74b2ac6d137d8 crypto/ffc/ffc_backend.c @@ -230,7 +230,7 @@ c2e874a8deb418b5d8c935b2e256370566a5150e040c9fa008cdb5b463c26904 crypto/modes/a fdde3bc48b37790c6e0006014da71e7a831bbb4fdbfcda2d01dbe0ceb0ba88fa crypto/modes/asm/ghash-ia64.pl e472d73d06933667a51a0af973479993eed333c71b43af03095450acb36dbeb4 crypto/modes/asm/ghash-parisc.pl 6fb4332ac88113a20915ad4de1931ef88b0114b5379b16e1d967820e1229fbb0 crypto/modes/asm/ghash-s390x.pl -fcab204033126699be826a850d098c6d84f44b377de66f15d303ebd31ee77397 crypto/modes/asm/ghash-sparcv9.pl +6af1a05981e1d41e4dea51e58938360e3abc4a4f58e179908242466d032b1a8a crypto/modes/asm/ghash-sparcv9.pl 26f55a57e77f774d17dfba93d757f78edfa3a03f68a71ffa37ccf3bfc468b1e2 crypto/modes/asm/ghash-x86.pl 72744131007d2389c09665a59a862f5f6bb61b64bd3456e9b400985cb56586b8 crypto/modes/asm/ghash-x86_64.pl a4e9f2e496bd9362b17a1b5989aa4682647cefcff6117f0607122a9e11a9dfd9 crypto/modes/asm/ghashp8-ppc.pl @@ -239,7 +239,7 @@ a4e9f2e496bd9362b17a1b5989aa4682647cefcff6117f0607122a9e11a9dfd9 crypto/modes/a 1611e73dc1e01b5c2201f51756a7405b7673aa0bb872e2957d1ec80c3530486f crypto/modes/ccm128.c d8c2f256532a4b94db6d03aea5cb609cccc938069f644b2fc77c5015648d148d crypto/modes/cfb128.c af1c034152d82b29cb7c938c8516cfd136b62bac0908c1d40eb50790d23b288c crypto/modes/ctr128.c -6b96ab27237cb01a6a7e031abd71b5f14c08cfa13ad4c8e8f9f29cbe31f70a5b crypto/modes/gcm128.c +2413852b46ee90bcbb711c0d4fb79fc6b0cac1f837b4df4896a0003935d4211a crypto/modes/gcm128.c bdf25257b15eca206be4d950d2dd807ca5f058f91f54edbd7a0d312ed83eef8e crypto/modes/ofb128.c e55a816c356b2d526bc6e40c8b81afa02576e4d44c7d7b6bbe444fb8b01aad41 crypto/modes/wrap128.c 608a04f387be2a509b4d4ad414b7015ab833e56b85020e692e193160f36883a2 crypto/modes/xts128.c @@ -261,6 +261,7 @@ d0af10d4091b2032aac1b7db80f8c2e14fa7176592716b25b9437ab6b53c0a89 crypto/provide 5ba2e1c74ddcd0453d02e32612299d1eef18eff8493a7606c15d0dc3738ad1d9 crypto/provider_predefined.c 5d16318d3a36b06145af74afa3523109768990a33457c81895c7ab8a830654f8 crypto/rand/rand_lib.c fd03b9bb2c23470fa40880ed3bf9847bb17d50592101a78c0ad7a0f121209788 crypto/rand/rand_local.h +f0c8792a99132e0b9c027cfa7370f45594a115934cdc9e8f23bdd64abecaf7fd crypto/rsa/rsa_acvp_test_params.c 8b93871f1f0392704d29028b8c93281be62cf02d0f79f9831bdabcd7a378df5b crypto/rsa/rsa_backend.c 38a102cd1da1f6ca5a46e6a22f018237964336274385f5c70cbedcaa6997647e crypto/rsa/rsa_chk.c e32cfa04221a2a3ea33f7bcb93ee51b84cbeba97e94c1fbf6e420b24f97fc9ce crypto/rsa/rsa_crpt.c @@ -301,7 +302,7 @@ efc69cb0d867b7fac6b3fa8985c343d1f984d552bc8e75bbbbace0adf9ee5f15 crypto/sha/asm b5ffd7b6dbb04c05de7efa2945adb67ea845e7e61a3bf163a532f7b6acdf4267 crypto/sha/asm/sha1-parisc.pl 482cd23ca6ec38d6f62b90c68f9f20643579c50f2c0fbb0dab1c10a0e35efe77 crypto/sha/asm/sha1-ppc.pl 28cf69efd53d7a5a8c32e0f8db32c193f41b91faf44f5f59944334bc3f5aa337 crypto/sha/asm/sha1-s390x.pl -2613188936687dfc93e3a6588c279d7113bb10d307fc690aec909c5a2b65bf18 crypto/sha/asm/sha1-sparcv9.pl +7fd355b412ddfa1c510e0ba3284f75b1c0d621b6db2ecb1d2a935d5cdb706628 crypto/sha/asm/sha1-sparcv9.pl 24554e68b0e7b7db7b635ff149549015f623ca0bcd9ae90439586a2076f6ae80 crypto/sha/asm/sha1-sparcv9a.pl 74d197cdd72400cabbff7e173f72c8976723081508b095dc995e8cd1abf3daa6 crypto/sha/asm/sha1-thumb.pl a59a86293e28f5600609dc8af2b39c5285580ae8636520990b000eeeb67bb889 crypto/sha/asm/sha1-x86_64.pl @@ -318,7 +319,7 @@ fb06844e7c3b014a58dccc8ec6020c71843cfdc5be08288bc7d204f0a840c474 crypto/sha/asm 11548f06d213947104a80898e000218ec0d6ff3f6913f6582de498476482ce9f crypto/sha/asm/sha512-parisc.pl 7c0c490ce6bb11a228853aecad5e164ce84e5bdabb8a6658ae7184782076c7d3 crypto/sha/asm/sha512-ppc.pl 38e0455fd6a2b93a7a5385379ca92bc6526585ca1eb4af365fac4c78f7285c72 crypto/sha/asm/sha512-s390x.pl -94fc64338a8b1642782f68c9e3f45813617daa42a7dcc9917fe4053b2d0a5c5c crypto/sha/asm/sha512-sparcv9.pl +0611845c52091b0208dd41f22ddef9dd1e68d3d92fa4c4360738b840a6314de6 crypto/sha/asm/sha512-sparcv9.pl f64d16c1e5c3fa4a7969de494a8372127502171a517c14be7a1e3a43a7308699 crypto/sha/asm/sha512-x86_64.pl 8725cabb8d695c576619f19283b034074a3fa0f1c0be952a9dbe9793be15b907 crypto/sha/asm/sha512p8-ppc.pl 57f6cf54b1b5d2cac7a8f622b7b6bd1878f360fff3fa0f02352061c24162ebbb crypto/sha/keccak1600.c @@ -331,23 +332,23 @@ f64d16c1e5c3fa4a7969de494a8372127502171a517c14be7a1e3a43a7308699 crypto/sha/asm b39e5ba863af36e455cc5864fe8c5d0fc05a6aaef0d528a115951d1248e8fa8b crypto/stack/stack.c 7b4efa594d8d1f3ecbf4605cf54f72fb296a3b1d951bdc69e415aaa08f34e5c8 crypto/threads_lib.c a41ae93a755e2ec89b3cb5b4932e2b508fdda92ace2e025a2650a6da0e9e972c crypto/threads_none.c -761c6178c102161e6a6ae83eb45b6eb7a50d4cacb11390d824a9da4027d80505 crypto/threads_pthread.c +ebb210a22c280839853920bee245eb769c713ab99cb35a468ed2b1df0d112a7f crypto/threads_pthread.c 60bdd9213c67c4d9a287cb57517eca63913c134ef57fcb102b641eb56ddce19a crypto/threads_win.c fd6c27cf7c6b5449b17f2b725f4203c4c10207f1973db09fd41571efe5de08fd crypto/x86_64cpuid.pl d13560a5f8a66d7b956d54cd6bf24eade529d686992d243bfb312376a57b475e e_os.h -811d6a848c55328dfa97761aba74c785f971a874e14bf5efda5431893fde3bf0 include/crypto/aes_platform.h +6761a5e155b5eec21bcae9d3c6714a3677c747fdf9daefdd7819250e686f8129 include/crypto/aes_platform.h 8c6f308c1ca774e6127e325c3b80511dbcdc99631f032694d8db53a5c02364ee include/crypto/asn1_dsa.h 8ce1b35c6924555ef316c7c51d6c27656869e6da7f513f45b7a7051579e3e54d include/crypto/bn.h 1c46818354d42bd1b1c4e5fdae9e019814936e775fd8c918ca49959c2a6416df include/crypto/bn_conf.h.in 7a43a4898fcc8446065e6c99249bcc14e475716e8c1d40d50408c0ab179520e6 include/crypto/bn_dh.h e69b2b20fb415e24b970941c84a62b752b5d0175bc68126e467f7cc970495504 include/crypto/cryptlib.h 5ee1ea30382bef9869f29b6610665ca304f3b9cf3653746a2d02c64b1a24f103 include/crypto/ctype.h -3036fb7a2e1f32e3e53e2bd1cf24acbf18705d75f9ce9de6d2945a6e7c3fb4e0 include/crypto/des_platform.h +89693e0a7528a9574e1d2f80644b29e3b895d3684111dd07c18cc5bed28b45b7 include/crypto/des_platform.h 830da1513661794e979f7cca2bba1792224e3b3d20d4f10f6f5c6566d9b7e723 include/crypto/dh.h 7ddd70f02371c7bd190414369d2bbe7c9c6d2de085dfe1e3eab0c4082f803ca1 include/crypto/dsa.h 2ea47c059e84ce9d14cc31f4faf45f64d631de9e2937aa1d7a83de5571c63574 include/crypto/ec.h edbfae8720502a4708983b60eac72aa04f031059f197ada31627cb5e72812858 include/crypto/ecx.h -c7bb494047191ae3990793e53348b8f8353aa54805443a8b78303cd66f384c61 include/crypto/evp.h +1930dcf277bba1f458bcb1b74bba2db0fd28a8e047d8ceef5bf6973075167bdd include/crypto/evp.h bbe5e52d84e65449a13e42cd2d6adce59b8ed6e73d6950917aa77dc1f3f5dff6 include/crypto/lhash.h 162812058c69f65a824906193057cd3edeabc22f51a4220aea7cb9064379a9b6 include/crypto/md32_common.h f12bfc145290444bcc7bf408874bded348e742443c145b8b5bc70ae558d96c31 include/crypto/modes.h @@ -415,8 +416,8 @@ bc9ec2be442a4f49980ba2c63c8f0da701de1f6e23d7db35d781658f833dd7b9 include/openss cbbf74efc7fdb020f06840c856ad7fe97553944f4cc3c197fbb004de38158048 include/openssl/ecerr.h 61c76ee3f12ed0e42503a56421ca00f1cb9a0f4caa5f9c4421c374bcd45917d7 include/openssl/encoder.h 69dd983f45b8ccd551f084796519446552963a18c52b70470d978b597c81b2dc include/openssl/encodererr.h -0b8f934c1a2f9cff5f37a2ac52f79483d005d48ce85de1a0a8d7825fbc94a0c9 include/openssl/err.h.in -f82bb2f5aa1c50e9842f9cb6a8e8acd880a579aa608aeecd193b114bc7563ab3 include/openssl/evp.h +0bb50eda4fe2600c20779d5e3c49668cf2dd8f295104549a33e57bc95a9219eb include/openssl/err.h.in +12ec111c0e22581e0169be5e1838353a085fb51e3042ef59a7db1cee7da73c5b include/openssl/evp.h 5bd1b5dcd14067a1fe490d49df911002793c0b4f0bd4492cd8f71cfed7bf9f2a include/openssl/evperr.h 5381d96fe867a4ee0ebc09b9e3a262a0d7a27edc5f91dccfb010c7d713cd0820 include/openssl/fips_names.h b1d41beba560a41383f899a361b786e04f889106fb5960ec831b0af7996c9783 include/openssl/fipskey.h.in @@ -436,7 +437,7 @@ fe6acd42c3e90db31aaafc2236a7d30ebfa53c4c07ea4d8265064c7fcb951970 include/openss 90fb37a1a564b989afca658dae8c78b0ba72ac1f4d1ffc0c52eb93e74e144603 include/openssl/proverr.h b97e8ad49b38683817387596aefec0abd5f4d572643beef48be4f7acba26768d include/openssl/provider.h 7c9b5f479d9b22cfc8db0976dddfc2a1ee6e757b436e01a2b4d2744bcb6d81a5 include/openssl/rand.h -e3545298f0cdf598a3419416ce20acd0119c0e88557a13d52c5b1a0117ee643e include/openssl/randerr.h +108966f56c82fedff53df76a4aa7861c82be4db1fd1ddafb59dc086ea155831c include/openssl/randerr.h c1015b77c444a3816d2ea7ad770f1c3b79a1e54887930af6dd662895701f3323 include/openssl/rsa.h 2f339ba2f22b8faa406692289a6e51fdbbb04b03f85cf3ca849835e58211ad23 include/openssl/rsaerr.h 6586f2187991731835353de0ffad0b6b57609b495e53d0f32644491ece629eb2 include/openssl/safestack.h.in @@ -444,7 +445,7 @@ c7da25794eb70f0cbc2457f4cb87e8d04dc3512b509034ff1db7285961952963 include/openss 2964274ab32b1ba8578a06b06663db2eda4317ae806369271d889176bb5a7d04 include/openssl/sha.h c169a015d7be52b7b99dd41c418a48d97e52ad21687c39c512a83a7c3f3ddb70 include/openssl/stack.h 22d7584ad609e30e818b54dca1dfae8dea38913fffedd25cd540c550372fb9a6 include/openssl/symhacks.h -97e10e7745f2589f3a19704b4f78d28d7118fbb353b33bd30325606cf15bdc89 include/openssl/trace.h +410c6eb3ffadcbee13d511d6b8ee576db75b35b324cb394b5e05dbd4a17fb92e include/openssl/trace.h 873d2ec2054ec24c52df4abe830cb2b9666fe4e75cc62b4de0f50ef9d20c5812 include/openssl/types.h c0a9551efccf43f3dd748d4fd8ec897ddaabbc629c00ec1ad76ce983e1195a13 providers/common/bio_prov.c e7c39ef7b76668dae1470ce0edd7254da2937569762cebbf20e08fb97cb3324c providers/common/capabilities.c @@ -481,7 +482,7 @@ eec462d685dd3b4764b076a3c18ecd9dd254350a0b78ddc2f8a60587829e1ce3 providers/comm ba345b0d71f74c9e3d752579e16d11cc70b4b00faa329cc674bc43dd2620e044 providers/common/securitycheck.c 527eda471e26763a5fcf123b2d290234d5c836de7b8ef6eef2166ef439919d82 providers/common/securitycheck_fips.c abd5997bc33b681a4ab275978b92aebca0806a4a3f0c2f41dacf11b3b6f4e101 providers/fips/fips_entry.c -f74c0d672eb313139706a1839914a558d53c43737e7c54fd85edc38b33500097 providers/fips/fipsprov.c +3bae030b142c90518f3b6c59924fee939b17667008e670e73733c09c3f1d54f0 providers/fips/fipsprov.c fdbaf748044ce54f13e673b92db876e32436e4d5644f443cc43d063112a89676 providers/fips/self_test.c f822a03138e8b83ccaa910b89d72f31691da6778bf6638181f993ec7ae1167e3 providers/fips/self_test.h 26b6bf82ee3865d0c6c612d98957dee7e2b7a82b68b643eb25771735fd6cec59 providers/fips/self_test_data.inc @@ -500,7 +501,7 @@ f9d4b30e7110c90064b990c07430bb79061f4436b06ccaa981b25c306cfbfaa2 providers/impl 7a61f7e0684b6053aeb64edb1de2eb1a47df1e70d041eb5e2e96a528a4c5512f providers/implementations/ciphers/cipher_aes_cts.c 2e72401dbc4f64f0e263660bc7b5192dc5e0e8cc955661aca6a7e3e3359c97cf providers/implementations/ciphers/cipher_aes_cts.h 2ec666b6b7fdaa7ffb0f083a3358904c8c3159699540d270c7ddb46a8d96647b providers/implementations/ciphers/cipher_aes_cts.inc -e540092e34896a0f75622365a8d97473dfc7c3036ef6ef6f8ce343922ac03f56 providers/implementations/ciphers/cipher_aes_gcm.c +710ee60704dd9dffa2a11e2e96596af1f7f84f915cedcedeec7292e0d978317a providers/implementations/ciphers/cipher_aes_gcm.c 79f5a732820d2512a7f4fc2a99ece7e6e2523a51e62561eb67a4b70d5538b0c4 providers/implementations/ciphers/cipher_aes_gcm.h ab298c5f89f3165fa11093fad8063b7bcbff0924b43fb3107148ae66d54adcb5 providers/implementations/ciphers/cipher_aes_gcm_hw.c 8ed4a100e4756c31c56147b4b0fab76a4c6e5292aa2f079045f37b5502fd41b9 providers/implementations/ciphers/cipher_aes_gcm_hw_aesni.inc @@ -522,7 +523,7 @@ f358c4121a8a223e2c6cf009fd28b8a195520279016462890214e8858880f632 providers/impl dd72ea861edf70b94197821ceb00e07165d550934a2e851d62afa5034b79f468 providers/implementations/ciphers/ciphercommon_block.c 4b4106f85e36eb2c07acc5a3ca5ccd77b736b3ac46cc4af786cf57405ecd54b2 providers/implementations/ciphers/ciphercommon_ccm.c 8b6828f188c2590c7d9c6cac13fa0eb6d38a522b0f2859e7c8a766580fa9b66e providers/implementations/ciphers/ciphercommon_ccm_hw.c -251aca4d087418e4fdac1390e1570b189b4076ba63a635d228784a05bb26e421 providers/implementations/ciphers/ciphercommon_gcm.c +f0e15648f42621d24c28f3165437bb9a49b6f4a666381688b954fe2633a40adf providers/implementations/ciphers/ciphercommon_gcm.c bb67eaa7a98494ca938726f9218213870fc97dd87b56bda950626cc794baf20b providers/implementations/ciphers/ciphercommon_gcm_hw.c 23fd89e3239e596c325a8c5d23eb1fe157a8d23aa4d90ed2c574bf06dfabd693 providers/implementations/ciphers/ciphercommon_hw.c c4b1cb143de15acc396ce2e03fdd165defd25ebc831de9cdfacf408ea883c666 providers/implementations/ciphers/ciphercommon_local.h @@ -536,14 +537,14 @@ b14f76813cb10cb1cfadfc04bb5e0660bb12c5a120c96d196b0f6f1a948d2f48 providers/impl 0832bd4dd2d125754a87aef5b1f188017bcd7ee909cf62f8228ac4c5c68397be providers/implementations/include/prov/ciphercommon.h 6dc876a1a785420e84210f085be6e4c7aca407ffb5433dbca4cd3f1c11bb7f06 providers/implementations/include/prov/ciphercommon_aead.h dd07797d61988fd4124cfb920616df672938da80649fac5977bfd061c981edc5 providers/implementations/include/prov/ciphercommon_ccm.h -c6ff62b82daccac75752a1d1dd6a9967aa09f3875b82d11e26d17c276a549478 providers/implementations/include/prov/ciphercommon_gcm.h +0c1e99d70155402a790e4de65923228c8df8ad970741caccfe8b513837457d7f providers/implementations/include/prov/ciphercommon_gcm.h 79a5ed6e4a97431233c56eede9d9c9eec27598fff53590c627ea40bd5b871fd5 providers/implementations/include/prov/digestcommon.h 19ddd49020b421794be5e69645a62a3ebfa75cb9cb32253bb52d8d7a508e147c providers/implementations/include/prov/implementations.h 5f09fc71874b00419d71646714f21ebbdcceda277463b6f77d3d3ea6946914e8 providers/implementations/include/prov/kdfexchange.h c95ce5498e724b9b3d58e3c2f4723e7e3e4beb07f9bea9422e43182cbadb43af providers/implementations/include/prov/macsignature.h -cc30d303dd0ebc1a3828c3fe231a9dd6472dcec01415941b6cbd210d32862193 providers/implementations/include/prov/names.h +968eaa42bcc58d8b4991a4071768a497ca12bfc332b57c6644dfb749e1e84461 providers/implementations/include/prov/names.h 2187713b446d8b6d24ee986748b941ac3e24292c71e07ff9fb53a33021decdda providers/implementations/include/prov/seeding.h -51f6cd510cd4e45b6e9d93809da7382d229f93522c4ecac4b5dfa53f685828ab providers/implementations/kdfs/hkdf.c +925c5beb1f5e204d27aa2ba045d67dcceeda453cc029dbc8ed194bb897306d8a providers/implementations/kdfs/hkdf.c b2e971a5a5d91da121db468cd8c8501c154643120dae31bb674e758c6403ad14 providers/implementations/kdfs/kbkdf.c fb62e76d7d751bf3b4c39157d601aa0a16477bb9335121ec6649ba7176a43f8d providers/implementations/kdfs/pbkdf2.c c0778565abff112c0c5257329a7750ec4605e62f26cc36851fa1fbee6e03c70c providers/implementations/kdfs/pbkdf2.h @@ -567,15 +568,15 @@ bcb51fe05014ade575494b44c55b1a0b3dc404e31ff7acee40bb2f63a8f6712f providers/impl aa7ba1d39ea4e3347294eb50b4dfcb895ef1a22bd6117d3b076a74e9ff11c242 providers/implementations/macs/kmac_prov.c bf30274dd6b528ae913984775bd8f29c6c48c0ef06d464d0f738217727b7aa5c providers/implementations/rands/crngt.c f6c4b38dd1c22d562ef8b172218b688070336dc43550f40af01bb2e77eb3ea4d providers/implementations/rands/drbg.c -80eafae49bfd9ffd32e36c01cee54bd251c27ca625576455ee7378474bd22abb providers/implementations/rands/drbg_ctr.c +b1e7a0b2610aaab5800af7ede0df13a184f4a321a4084652cdb509357c55783b providers/implementations/rands/drbg_ctr.c a05adc3f6d9d6f948e5ead75f0522ed3164cb5b2d301169242f3cb97c4a7fac3 providers/implementations/rands/drbg_hash.c 0876dfae991028c569631938946e458e6829cacf4cfb673d2b144ae50a3160bb providers/implementations/rands/drbg_hmac.c fc43558964bdf12442d3f6ab6cc3e6849f7adb42f4d0123a1279819befcf71cb providers/implementations/rands/drbg_local.h 888a671934abef4225956f9931cff842f245f90660e11f23a55228edca962e16 providers/implementations/rands/test_rng.c -f47d6ab720e21b092d741e8b27acadd91b46466a8bd14fc8b79b3e1c618513d0 providers/implementations/signature/dsa_sig.c -f9eac5acc880756ab17c9e00b7707fa6bf882026cbca21ce67aadcf560352120 providers/implementations/signature/ecdsa_sig.c +9b9111a1502badf60c5e93603bb8841e62c6541ff82e356fb8c1ca31bd374b0a providers/implementations/signature/dsa_sig.c +bcacc02b7c92a20acf32b3d26b1a8f2bf8d4cab4ef97b91cfaa3e2062a7b839f providers/implementations/signature/ecdsa_sig.c 2f2b974819c29112144c1086e61dd6fd7bd3ebd924376f8ebdcff9f477a821c7 providers/implementations/signature/eddsa_sig.c 762b49aa68fa7cd15c0496c35a23acb85df9588c8bb4ecb54438f86cc06ce13d providers/implementations/signature/mac_legacy_sig.c -ac8f4452ea236ef877d13bc787f53f117722025c9c74874c6d2cc541382a8953 providers/implementations/signature/rsa_sig.c +c35f9ceff14f539526e568afc7e52282d732be9f0ff4bd9fbb9da9c4d3a663ef providers/implementations/signature/rsa_sig.c 737b9afe8f03f58797034ae906f982179677f5a9cf42965468f7126cf15e6694 ssl/record/tls_pad.c 3f2e01a98d9e3fda6cc5cb4b44dd43f6cae4ec34994e8f734d11b1e643e58636 ssl/s3_cbc.c diff --git a/providers/fips.checksum b/providers/fips.checksum index 09e13bd14b..707e44af15 100644 --- a/providers/fips.checksum +++ b/providers/fips.checksum @@ -1 +1 @@ -ac2360dcca0e5aac97a9275615ca82111479511fdd51b607a02e7fd52fa7ee7e providers/fips-sources.checksums +0c627e1484ecf223a7939c9ab5c4b59eea02025d821ae634b9db5f0581b2d916 providers/fips-sources.checksums diff --git a/providers/fips.module.sources b/providers/fips.module.sources index 53c1fb947a..497be6456e 100644 --- a/providers/fips.module.sources +++ b/providers/fips.module.sources @@ -261,6 +261,7 @@ crypto/provider_local.h crypto/provider_predefined.c crypto/rand/rand_lib.c crypto/rand/rand_local.h +crypto/rsa/rsa_acvp_test_params.c crypto/rsa/rsa_backend.c crypto/rsa/rsa_chk.c crypto/rsa/rsa_crpt.c diff --git a/util/libcrypto.num b/util/libcrypto.num index 3d4d7c37df..10b4e57d79 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -4403,1025 +4403,1025 @@ OCSP_resp_get0_respdata 4530 3_0_0 EXIST::FUNCTION:OCSP EVP_MD_CTX_set_pkey_ctx 4531 3_0_0 EXIST::FUNCTION: EVP_PKEY_meth_set_digest_custom 4532 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 EVP_PKEY_meth_get_digest_custom 4533 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 -EVP_MAC_CTX_new ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_CTX_free ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_CTX_dup ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_CTX_get0_mac ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_CTX_get_mac_size ? 3_0_0 EXIST::FUNCTION: -EVP_Q_mac ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_init ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_update ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_final ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_finalXOF ? 3_0_0 EXIST::FUNCTION: -OSSL_EC_curve_nid2name ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_digestsign_supports_digest ? 3_0_0 EXIST::FUNCTION: -SRP_VBASE_add0_user ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP -SRP_user_pwd_new ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP -SRP_user_pwd_set_gN ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP -SRP_user_pwd_set1_ids ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP -SRP_user_pwd_set0_sv ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP -OPENSSL_version_major ? 3_0_0 EXIST::FUNCTION: -OPENSSL_version_minor ? 3_0_0 EXIST::FUNCTION: -OPENSSL_version_patch ? 3_0_0 EXIST::FUNCTION: -OPENSSL_version_pre_release ? 3_0_0 EXIST::FUNCTION: -OPENSSL_version_build_metadata ? 3_0_0 EXIST::FUNCTION: -OPENSSL_INIT_set_config_filename ? 3_0_0 EXIST::FUNCTION:STDIO -OPENSSL_INIT_set_config_file_flags ? 3_0_0 EXIST::FUNCTION:STDIO -ASYNC_WAIT_CTX_get_callback ? 3_0_0 EXIST::FUNCTION: -ASYNC_WAIT_CTX_set_callback ? 3_0_0 EXIST::FUNCTION: -ASYNC_WAIT_CTX_set_status ? 3_0_0 EXIST::FUNCTION: -ASYNC_WAIT_CTX_get_status ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_CTX_free ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_CTX_reset ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_CTX_get_kdf_size ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_derive ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_get0_name ? 3_0_0 EXIST::FUNCTION: -EC_GROUP_get0_field ? 3_0_0 EXIST::FUNCTION:EC -CRYPTO_alloc_ex_data ? 3_0_0 EXIST::FUNCTION: -OSSL_LIB_CTX_new ? 3_0_0 EXIST::FUNCTION: -OSSL_LIB_CTX_free ? 3_0_0 EXIST::FUNCTION: -OPENSSL_LH_flush ? 3_0_0 EXIST::FUNCTION: -BN_native2bn ? 3_0_0 EXIST::FUNCTION: -BN_bn2nativepad ? 3_0_0 EXIST::FUNCTION: -OSSL_trace_get_category_num ? 3_0_0 EXIST::FUNCTION: -OSSL_trace_get_category_name ? 3_0_0 EXIST::FUNCTION: -OSSL_trace_set_channel ? 3_0_0 EXIST::FUNCTION: -OSSL_trace_set_prefix ? 3_0_0 EXIST::FUNCTION: -OSSL_trace_set_suffix ? 3_0_0 EXIST::FUNCTION: -OSSL_trace_set_callback ? 3_0_0 EXIST::FUNCTION: -OSSL_trace_enabled ? 3_0_0 EXIST::FUNCTION: -OSSL_trace_begin ? 3_0_0 EXIST::FUNCTION: -OSSL_trace_end ? 3_0_0 EXIST::FUNCTION: -OSSL_PROVIDER_load ? 3_0_0 EXIST::FUNCTION: -OSSL_PROVIDER_try_load ? 3_0_0 EXIST::FUNCTION: -OSSL_PROVIDER_unload ? 3_0_0 EXIST::FUNCTION: -OSSL_PROVIDER_add_builtin ? 3_0_0 EXIST::FUNCTION: -OSSL_PROVIDER_gettable_params ? 3_0_0 EXIST::FUNCTION: -OSSL_PROVIDER_get_params ? 3_0_0 EXIST::FUNCTION: -d2i_OSSL_CRMF_ENCRYPTEDVALUE ? 3_0_0 EXIST::FUNCTION:CRMF -i2d_OSSL_CRMF_ENCRYPTEDVALUE ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_ENCRYPTEDVALUE_free ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_ENCRYPTEDVALUE_new ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_ENCRYPTEDVALUE_it ? 3_0_0 EXIST::FUNCTION:CRMF -d2i_OSSL_CRMF_MSG ? 3_0_0 EXIST::FUNCTION:CRMF -i2d_OSSL_CRMF_MSG ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_dup ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_free ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_new ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_it ? 3_0_0 EXIST::FUNCTION:CRMF -d2i_OSSL_CRMF_PBMPARAMETER ? 3_0_0 EXIST::FUNCTION:CRMF -i2d_OSSL_CRMF_PBMPARAMETER ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_PBMPARAMETER_free ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_PBMPARAMETER_new ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_PBMPARAMETER_it ? 3_0_0 EXIST::FUNCTION:CRMF -d2i_OSSL_CRMF_CERTID ? 3_0_0 EXIST::FUNCTION:CRMF -i2d_OSSL_CRMF_CERTID ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_CERTID_dup ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_CERTID_free ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_CERTID_new ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_CERTID_it ? 3_0_0 EXIST::FUNCTION:CRMF -d2i_OSSL_CRMF_PKIPUBLICATIONINFO ? 3_0_0 EXIST::FUNCTION:CRMF -i2d_OSSL_CRMF_PKIPUBLICATIONINFO ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_PKIPUBLICATIONINFO_free ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_PKIPUBLICATIONINFO_new ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_PKIPUBLICATIONINFO_it ? 3_0_0 EXIST::FUNCTION:CRMF -d2i_OSSL_CRMF_SINGLEPUBINFO ? 3_0_0 EXIST::FUNCTION:CRMF -i2d_OSSL_CRMF_SINGLEPUBINFO ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_SINGLEPUBINFO_free ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_SINGLEPUBINFO_new ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_SINGLEPUBINFO_it ? 3_0_0 EXIST::FUNCTION:CRMF -d2i_OSSL_CRMF_CERTTEMPLATE ? 3_0_0 EXIST::FUNCTION:CRMF -i2d_OSSL_CRMF_CERTTEMPLATE ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_CERTTEMPLATE_free ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_CERTTEMPLATE_new ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_CERTTEMPLATE_it ? 3_0_0 EXIST::FUNCTION:CRMF -d2i_OSSL_CRMF_MSGS ? 3_0_0 EXIST::FUNCTION:CRMF -i2d_OSSL_CRMF_MSGS ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSGS_free ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSGS_new ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSGS_it ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_pbmp_new ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_pbm_new ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_get0_regCtrl_regToken ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_set1_regCtrl_regToken ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_get0_regCtrl_authenticator ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_set1_regCtrl_authenticator ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_set0_SinglePubInfo ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_get0_regCtrl_pkiPublicationInfo ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_set_PKIPublicationInfo_action ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_set1_regCtrl_pkiPublicationInfo ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_get0_regCtrl_protocolEncrKey ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_set1_regCtrl_protocolEncrKey ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_get0_regCtrl_oldCertID ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_set1_regCtrl_oldCertID ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_CERTID_gen ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_get0_regInfo_utf8Pairs ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_set1_regInfo_utf8Pairs ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_get0_regInfo_certReq ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_set1_regInfo_certReq ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_set0_validity ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_set_certReqId ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_get_certReqId ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_set0_extensions ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_push0_extension ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_create_popo ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSGS_verify_popo ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_MSG_get0_tmpl ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_CERTTEMPLATE_get0_serialNumber ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_CERTTEMPLATE_get0_subject ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_CERTTEMPLATE_get0_issuer ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_CERTTEMPLATE_get0_extensions ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_CERTTEMPLATE_fill ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_PARAM_locate ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_construct_int ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_construct_uint ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_construct_long ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_construct_ulong ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_construct_int32 ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_construct_uint32 ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_construct_int64 ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_construct_uint64 ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_construct_size_t ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_construct_BN ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_construct_double ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_construct_utf8_string ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_construct_utf8_ptr ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_construct_octet_string ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_construct_octet_ptr ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_get_int ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_get_uint ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_get_long ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_get_ulong ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_get_int32 ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_get_uint32 ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_get_int64 ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_get_uint64 ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_get_size_t ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_set_int ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_set_uint ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_set_long ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_set_ulong ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_set_int32 ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_set_uint32 ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_set_int64 ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_set_uint64 ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_set_size_t ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_get_double ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_set_double ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_get_BN ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_set_BN ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_get_utf8_string ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_set_utf8_string ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_get_octet_string ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_set_octet_string ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_get_utf8_ptr ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_set_utf8_ptr ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_get_octet_ptr ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_set_octet_ptr ? 3_0_0 EXIST::FUNCTION: -X509_set0_distinguishing_id ? 3_0_0 EXIST::FUNCTION: -X509_get0_distinguishing_id ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_get0_engine ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE -EVP_MD_up_ref ? 3_0_0 EXIST::FUNCTION: -EVP_MD_fetch ? 3_0_0 EXIST::FUNCTION: -EVP_set_default_properties ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_construct_end ? 3_0_0 EXIST::FUNCTION: -EC_GROUP_check_named_curve ? 3_0_0 EXIST::FUNCTION:EC -EVP_CIPHER_up_ref ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_fetch ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_get_mode ? 3_0_0 EXIST::FUNCTION: -OPENSSL_info ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_CTX_new ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_CTX_kdf ? 3_0_0 EXIST::FUNCTION: -i2d_KeyParams ? 3_0_0 EXIST::FUNCTION: -d2i_KeyParams ? 3_0_0 EXIST::FUNCTION: -i2d_KeyParams_bio ? 3_0_0 EXIST::FUNCTION: -d2i_KeyParams_bio ? 3_0_0 EXIST::FUNCTION: -OSSL_CMP_PKISTATUS_it ? 3_0_0 EXIST::FUNCTION:CMP -d2i_OSSL_CMP_PKIHEADER ? 3_0_0 EXIST::FUNCTION:CMP -i2d_OSSL_CMP_PKIHEADER ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_PKIHEADER_free ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_PKIHEADER_new ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_PKIHEADER_it ? 3_0_0 EXIST::FUNCTION:CMP -d2i_OSSL_CMP_MSG ? 3_0_0 EXIST::FUNCTION:CMP -i2d_OSSL_CMP_MSG ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_MSG_it ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_ITAV_create ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_ITAV_set0 ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_ITAV_get0_type ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_ITAV_get0_value ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_ITAV_push0_stack_item ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_ITAV_free ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_MSG_free ? 3_0_0 EXIST::FUNCTION:CMP -EVP_MD_CTX_set_params ? 3_0_0 EXIST::FUNCTION: -EVP_MD_CTX_get_params ? 3_0_0 EXIST::FUNCTION: -BN_CTX_new_ex ? 3_0_0 EXIST::FUNCTION: -BN_CTX_secure_new_ex ? 3_0_0 EXIST::FUNCTION: -OPENSSL_thread_stop_ex ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_locate_const ? 3_0_0 EXIST::FUNCTION: -X509_REQ_set0_distinguishing_id ? 3_0_0 EXIST::FUNCTION: -X509_REQ_get0_distinguishing_id ? 3_0_0 EXIST::FUNCTION: -BN_rand_ex ? 3_0_0 EXIST::FUNCTION: -BN_priv_rand_ex ? 3_0_0 EXIST::FUNCTION: -BN_rand_range_ex ? 3_0_0 EXIST::FUNCTION: -BN_priv_rand_range_ex ? 3_0_0 EXIST::FUNCTION: -BN_generate_prime_ex2 ? 3_0_0 EXIST::FUNCTION: -EVP_KEYEXCH_free ? 3_0_0 EXIST::FUNCTION: -EVP_KEYEXCH_up_ref ? 3_0_0 EXIST::FUNCTION: -EVP_KEYEXCH_fetch ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_dh_pad ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_params ? 3_0_0 EXIST::FUNCTION: -EVP_KEYMGMT_fetch ? 3_0_0 EXIST::FUNCTION: -EVP_KEYMGMT_up_ref ? 3_0_0 EXIST::FUNCTION: -EVP_KEYMGMT_free ? 3_0_0 EXIST::FUNCTION: -EVP_KEYMGMT_get0_provider ? 3_0_0 EXIST::FUNCTION: -X509_PUBKEY_dup ? 3_0_0 EXIST::FUNCTION: -EVP_MD_get0_name ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_get0_name ? 3_0_0 EXIST::FUNCTION: -EVP_MD_get0_provider ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_get0_provider ? 3_0_0 EXIST::FUNCTION: -OSSL_PROVIDER_get0_name ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_do_all_provided ? 3_0_0 EXIST::FUNCTION: -EVP_MD_do_all_provided ? 3_0_0 EXIST::FUNCTION: -EVP_KEYEXCH_get0_provider ? 3_0_0 EXIST::FUNCTION: -OSSL_PROVIDER_available ? 3_0_0 EXIST::FUNCTION: -ERR_new ? 3_0_0 EXIST::FUNCTION: -ERR_set_debug ? 3_0_0 EXIST::FUNCTION: -ERR_set_error ? 3_0_0 EXIST::FUNCTION: -ERR_vset_error ? 3_0_0 EXIST::FUNCTION: -X509_get0_authority_issuer ? 3_0_0 EXIST::FUNCTION: -X509_get0_authority_serial ? 3_0_0 EXIST::FUNCTION: -X509_self_signed ? 3_0_0 EXIST::FUNCTION: -OPENSSL_hexstr2buf_ex ? 3_0_0 EXIST::FUNCTION: -OPENSSL_buf2hexstr_ex ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_allocate_from_text ? 3_0_0 EXIST::FUNCTION: -EVP_MD_gettable_params ? 3_0_0 EXIST::FUNCTION: -EVP_MD_CTX_settable_params ? 3_0_0 EXIST::FUNCTION: -EVP_MD_CTX_gettable_params ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_get_params ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_CTX_set_params ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_CTX_get_params ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_gettable_params ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_settable_ctx_params ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_gettable_ctx_params ? 3_0_0 EXIST::FUNCTION: -EVP_MD_get_params ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_fetch ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_settable_ctx_params ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_CTX_set_params ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_CTX_get_params ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_gettable_ctx_params ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_free ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_up_ref ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_get_params ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_gettable_params ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_get0_provider ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_do_all_provided ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_get0_name ? 3_0_0 EXIST::FUNCTION: -EVP_MD_free ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_free ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_up_ref ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_free ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_fetch ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_CTX_dup ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_get0_provider ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_get_params ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_CTX_get_params ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_CTX_set_params ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_gettable_params ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_gettable_ctx_params ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_settable_ctx_params ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_do_all_provided ? 3_0_0 EXIST::FUNCTION: -EVP_SIGNATURE_free ? 3_0_0 EXIST::FUNCTION: -EVP_SIGNATURE_up_ref ? 3_0_0 EXIST::FUNCTION: -EVP_SIGNATURE_get0_provider ? 3_0_0 EXIST::FUNCTION: -EVP_SIGNATURE_fetch ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_signature_md ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get_signature_md ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get_params ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_gettable_params ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_settable_params ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_CTX_get_tag_length ? 3_0_0 EXIST::FUNCTION: -ERR_get_error_all ? 3_0_0 EXIST::FUNCTION: -ERR_peek_error_func ? 3_0_0 EXIST::FUNCTION: -ERR_peek_error_data ? 3_0_0 EXIST::FUNCTION: -ERR_peek_error_all ? 3_0_0 EXIST::FUNCTION: -ERR_peek_last_error_func ? 3_0_0 EXIST::FUNCTION: -ERR_peek_last_error_data ? 3_0_0 EXIST::FUNCTION: -ERR_peek_last_error_all ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_is_a ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_is_a ? 3_0_0 EXIST::FUNCTION: -EVP_MD_settable_ctx_params ? 3_0_0 EXIST::FUNCTION: -EVP_MD_gettable_ctx_params ? 3_0_0 EXIST::FUNCTION: -OSSL_CMP_CTX_new ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_free ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_reinit ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set_option ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_get_option ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set_log_cb ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_print_errors ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set1_serverPath ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set1_server ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set_serverPort ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set1_proxy ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set1_no_proxy ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set_http_cb ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set_http_cb_arg ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_get_http_cb_arg ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set_transfer_cb ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set_transfer_cb_arg ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_get_transfer_cb_arg ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set1_srvCert ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set1_expected_sender ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set0_trustedStore ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_get0_trustedStore ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set1_untrusted ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_get0_untrusted ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set1_cert ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set1_pkey ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_build_cert_chain ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set1_referenceValue ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set1_secretValue ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set1_recipient ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_push0_geninfo_ITAV ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set1_extraCertsOut ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set0_newPkey ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_get0_newPkey ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set1_issuer ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set1_subjectName ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_push1_subjectAltName ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set0_reqExtensions ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_reqExtensions_have_SAN ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_push0_policy ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set1_oldCert ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set1_p10CSR ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_push0_genm_ITAV ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set_certConf_cb ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set_certConf_cb_arg ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_get_certConf_cb_arg ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_get_status ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_get0_statusString ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_get_failInfoCode ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_get0_newCert ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_get1_newChain ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_get1_caPubs ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_get1_extraCertsIn ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set1_transactionID ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_set1_senderNonce ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_log_open ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_log_close ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_print_to_bio ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_print_errors_cb ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CRMF_CERTID_get0_issuer ? 3_0_0 EXIST::FUNCTION:CRMF -OSSL_CRMF_CERTID_get0_serialNumber ? 3_0_0 EXIST::FUNCTION:CRMF -EVP_DigestSignUpdate ? 3_0_0 EXIST::FUNCTION: -EVP_DigestVerifyUpdate ? 3_0_0 EXIST::FUNCTION: -BN_check_prime ? 3_0_0 EXIST::FUNCTION: -EVP_KEYMGMT_is_a ? 3_0_0 EXIST::FUNCTION: -EVP_KEYMGMT_do_all_provided ? 3_0_0 EXIST::FUNCTION: -EVP_KEYEXCH_is_a ? 3_0_0 EXIST::FUNCTION: -EVP_KEYEXCH_do_all_provided ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_is_a ? 3_0_0 EXIST::FUNCTION: -EVP_MD_is_a ? 3_0_0 EXIST::FUNCTION: -EVP_SIGNATURE_is_a ? 3_0_0 EXIST::FUNCTION: -EVP_SIGNATURE_do_all_provided ? 3_0_0 EXIST::FUNCTION: -EVP_MD_names_do_all ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_names_do_all ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_names_do_all ? 3_0_0 EXIST::FUNCTION: -EVP_KEYMGMT_names_do_all ? 3_0_0 EXIST::FUNCTION: -EVP_KEYEXCH_names_do_all ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_names_do_all ? 3_0_0 EXIST::FUNCTION: -EVP_SIGNATURE_names_do_all ? 3_0_0 EXIST::FUNCTION: -OSSL_CMP_CTX_snprint_PKIStatus ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_HDR_get0_transactionID ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_HDR_get0_recipNonce ? 3_0_0 EXIST::FUNCTION:CMP -X509_LOOKUP_store ? 3_0_0 EXIST::FUNCTION: -X509_add_cert ? 3_0_0 EXIST::FUNCTION: -X509_add_certs ? 3_0_0 EXIST::FUNCTION: -X509_STORE_load_file ? 3_0_0 EXIST::FUNCTION: -X509_STORE_load_path ? 3_0_0 EXIST::FUNCTION: -X509_STORE_load_store ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_fromdata ? 3_0_0 EXIST::FUNCTION: -EVP_ASYM_CIPHER_free ? 3_0_0 EXIST::FUNCTION: -EVP_ASYM_CIPHER_up_ref ? 3_0_0 EXIST::FUNCTION: -EVP_ASYM_CIPHER_get0_provider ? 3_0_0 EXIST::FUNCTION: -EVP_ASYM_CIPHER_fetch ? 3_0_0 EXIST::FUNCTION: -EVP_ASYM_CIPHER_is_a ? 3_0_0 EXIST::FUNCTION: -EVP_ASYM_CIPHER_do_all_provided ? 3_0_0 EXIST::FUNCTION: -EVP_ASYM_CIPHER_names_do_all ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_rsa_padding ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get_rsa_padding ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_rsa_mgf1_md ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_rsa_mgf1_md_name ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get_rsa_mgf1_md ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_rsa_oaep_md ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_rsa_oaep_md_name ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get_rsa_oaep_md ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set0_rsa_oaep_label ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get0_rsa_oaep_label ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get_rsa_mgf1_md_name ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get_rsa_oaep_md_name ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_meth_set_digestsign ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 -EVP_PKEY_meth_set_digestverify ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 -EVP_PKEY_meth_get_digestsign ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 -EVP_PKEY_meth_get_digestverify ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 -OSSL_ENCODER_up_ref ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_free ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_fetch ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_is_a ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_get0_provider ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_do_all_provided ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_names_do_all ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_settable_ctx_params ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_CTX_new ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_CTX_set_params ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_CTX_free ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_get0_properties ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_to_bio ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_to_fp ? 3_0_0 EXIST::FUNCTION:STDIO -OSSL_ENCODER_CTX_new_for_pkey ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_CTX_set_cipher ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_CTX_set_passphrase ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_CTX_set_pem_password_cb ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_CTX_set_passphrase_ui ? 3_0_0 EXIST::FUNCTION: -PEM_read_X509_PUBKEY ? 3_0_0 EXIST::FUNCTION:STDIO -PEM_write_X509_PUBKEY ? 3_0_0 EXIST::FUNCTION:STDIO -PEM_read_bio_X509_PUBKEY ? 3_0_0 EXIST::FUNCTION: -PEM_write_bio_X509_PUBKEY ? 3_0_0 EXIST::FUNCTION: -d2i_X509_PUBKEY_fp ? 3_0_0 EXIST::FUNCTION:STDIO -i2d_X509_PUBKEY_fp ? 3_0_0 EXIST::FUNCTION:STDIO -d2i_X509_PUBKEY_bio ? 3_0_0 EXIST::FUNCTION: -i2d_X509_PUBKEY_bio ? 3_0_0 EXIST::FUNCTION: -RSA_get0_pss_params ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 -X509_cmp_timeframe ? 3_0_0 EXIST::FUNCTION: -OSSL_CMP_MSG_get0_header ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_MSG_get_bodytype ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_MSG_update_transactionID ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_setup_CRM ? 3_0_0 EXIST::FUNCTION:CMP -BIO_f_prefix ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_new_from_name ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_new_from_pkey ? 3_0_0 EXIST::FUNCTION: -OSSL_SELF_TEST_set_callback ? 3_0_0 EXIST::FUNCTION: -OSSL_SELF_TEST_get_callback ? 3_0_0 EXIST::FUNCTION: -ASN1_TIME_dup ? 3_0_0 EXIST::FUNCTION: -ASN1_UTCTIME_dup ? 3_0_0 EXIST::FUNCTION: -ASN1_GENERALIZEDTIME_dup ? 3_0_0 EXIST::FUNCTION: -RAND_priv_bytes_ex ? 3_0_0 EXIST::FUNCTION: -RAND_bytes_ex ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_get_default_digest_name ? 3_0_0 EXIST::FUNCTION: -CMS_decrypt_set1_pkey_and_peer ? 3_0_0 EXIST::FUNCTION:CMS -CMS_add1_recipient ? 3_0_0 EXIST::FUNCTION:CMS -CMS_RecipientInfo_kari_set0_pkey_and_peer ? 3_0_0 EXIST::FUNCTION:CMS -PKCS8_pkey_add1_attr ? 3_0_0 EXIST::FUNCTION: -PKCS8_pkey_add1_attr_by_OBJ ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_private_check ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_pairwise_check ? 3_0_0 EXIST::FUNCTION: -ASN1_item_verify_ctx ? 3_0_0 EXIST::FUNCTION: -ASN1_item_sign_ex ? 3_0_0 EXIST::FUNCTION: -ASN1_item_verify_ex ? 3_0_0 EXIST::FUNCTION: -BIO_socket_wait ? 3_0_0 EXIST::FUNCTION:SOCK -BIO_wait ? 3_0_0 EXIST::FUNCTION: -BIO_do_connect_retry ? 3_0_0 EXIST::FUNCTION: -OSSL_parse_url ? 3_0_0 EXIST::FUNCTION: -OSSL_HTTP_adapt_proxy ? 3_0_0 EXIST::FUNCTION: -OSSL_HTTP_REQ_CTX_get_resp_len ? 3_0_0 EXIST::FUNCTION: -OSSL_HTTP_REQ_CTX_set_expected ? 3_0_0 EXIST::FUNCTION: -OSSL_HTTP_is_alive ? 3_0_0 EXIST::FUNCTION: -OSSL_HTTP_open ? 3_0_0 EXIST::FUNCTION: -OSSL_HTTP_proxy_connect ? 3_0_0 EXIST::FUNCTION: -OSSL_HTTP_set1_request ? 3_0_0 EXIST::FUNCTION: -OSSL_HTTP_exchange ? 3_0_0 EXIST::FUNCTION: -OSSL_HTTP_get ? 3_0_0 EXIST::FUNCTION: -OSSL_HTTP_transfer ? 3_0_0 EXIST::FUNCTION: -OSSL_HTTP_close ? 3_0_0 EXIST::FUNCTION: -ASN1_item_i2d_mem_bio ? 3_0_0 EXIST::FUNCTION: -ERR_add_error_txt ? 3_0_0 EXIST::FUNCTION: -ERR_add_error_mem_bio ? 3_0_0 EXIST::FUNCTION: -X509_STORE_CTX_print_verify_cb ? 3_0_0 EXIST::FUNCTION: -X509_STORE_get1_all_certs ? 3_0_0 EXIST::FUNCTION: -OSSL_CMP_validate_msg ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_validate_cert_path ? 3_0_0 EXIST::FUNCTION:CMP -EVP_PKEY_CTX_set_ecdh_cofactor_mode ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get_ecdh_cofactor_mode ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_ecdh_kdf_type ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get_ecdh_kdf_type ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_ecdh_kdf_md ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get_ecdh_kdf_md ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_ecdh_kdf_outlen ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get_ecdh_kdf_outlen ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set0_ecdh_kdf_ukm ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get0_ecdh_kdf_ukm ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 -EVP_PKEY_CTX_set_rsa_pss_saltlen ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get_rsa_pss_saltlen ? 3_0_0 EXIST::FUNCTION: -d2i_ISSUER_SIGN_TOOL ? 3_0_0 EXIST::FUNCTION: -i2d_ISSUER_SIGN_TOOL ? 3_0_0 EXIST::FUNCTION: -ISSUER_SIGN_TOOL_free ? 3_0_0 EXIST::FUNCTION: -ISSUER_SIGN_TOOL_new ? 3_0_0 EXIST::FUNCTION: -ISSUER_SIGN_TOOL_it ? 3_0_0 EXIST::FUNCTION: -OSSL_SELF_TEST_new ? 3_0_0 EXIST::FUNCTION: -OSSL_SELF_TEST_free ? 3_0_0 EXIST::FUNCTION: -OSSL_SELF_TEST_onbegin ? 3_0_0 EXIST::FUNCTION: -OSSL_SELF_TEST_oncorrupt_byte ? 3_0_0 EXIST::FUNCTION: -OSSL_SELF_TEST_onend ? 3_0_0 EXIST::FUNCTION: -OSSL_PROVIDER_set_default_search_path ? 3_0_0 EXIST::FUNCTION: -X509_digest_sig ? 3_0_0 EXIST::FUNCTION: -OSSL_CMP_MSG_dup ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_ITAV_dup ? 3_0_0 EXIST::FUNCTION:CMP -d2i_OSSL_CMP_PKISI ? 3_0_0 EXIST::FUNCTION:CMP -i2d_OSSL_CMP_PKISI ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_PKISI_free ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_PKISI_new ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_PKISI_it ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_PKISI_dup ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_snprint_PKIStatusInfo ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_STATUSINFO_new ? 3_0_0 EXIST::FUNCTION:CMP -d2i_OSSL_CMP_MSG_bio ? 3_0_0 EXIST::FUNCTION:CMP -i2d_OSSL_CMP_MSG_bio ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_SRV_process_request ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_CTX_server_perform ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_SRV_CTX_new ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_SRV_CTX_free ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_SRV_CTX_init ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_SRV_CTX_get0_cmp_ctx ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_SRV_CTX_get0_custom_ctx ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_SRV_CTX_set_send_unprotected_errors ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_SRV_CTX_set_accept_unprotected ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_SRV_CTX_set_accept_raverified ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_SRV_CTX_set_grant_implicit_confirm ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_exec_certreq ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_try_certreq ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_certConf_cb ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_exec_RR_ses ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_exec_GENM_ses ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_MSG_http_perform ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_MSG_read ? 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_MSG_write ? 3_0_0 EXIST::FUNCTION:CMP -EVP_PKEY_Q_keygen ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_generate ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_rsa_keygen_bits ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_rsa_keygen_pubexp ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 -EVP_PKEY_CTX_set1_rsa_keygen_pubexp ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_rsa_keygen_primes ? 3_0_0 EXIST::FUNCTION: -NCONF_new_ex ? 3_0_0 EXIST::FUNCTION: -CONF_modules_load_file_ex ? 3_0_0 EXIST::FUNCTION: -OSSL_LIB_CTX_load_config ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_BLD_to_param ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_BLD_push_int ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_BLD_push_uint ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_BLD_push_long ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_BLD_push_ulong ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_BLD_push_int32 ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_BLD_push_uint32 ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_BLD_push_int64 ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_BLD_push_uint64 ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_BLD_push_size_t ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_BLD_push_double ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_BLD_push_BN ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_BLD_push_BN_pad ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_BLD_push_utf8_string ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_BLD_push_utf8_ptr ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_BLD_push_octet_string ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_BLD_push_octet_ptr ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_BLD_new ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_BLD_free ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_set_type_by_keymgmt ? 3_0_0 EXIST::FUNCTION: -OCSP_RESPID_set_by_key_ex ? 3_0_0 EXIST::FUNCTION:OCSP -OCSP_RESPID_match_ex ? 3_0_0 EXIST::FUNCTION:OCSP -SRP_create_verifier_ex ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP -SRP_create_verifier_BN_ex ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP -SRP_Calc_B_ex ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP -SRP_Calc_u_ex ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP -SRP_Calc_x_ex ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP -SRP_Calc_client_key_ex ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP -EVP_PKEY_gettable_params ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_get_int_param ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_get_size_t_param ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_get_bn_param ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_get_utf8_string_param ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_get_octet_string_param ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_is_a ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_can_sign ? 3_0_0 EXIST::FUNCTION: -X509_STORE_CTX_new_ex ? 3_0_0 EXIST::FUNCTION: -X509_STORE_CTX_verify ? 3_0_0 EXIST::FUNCTION: -CT_POLICY_EVAL_CTX_new_ex ? 3_0_0 EXIST::FUNCTION:CT -CTLOG_new_ex ? 3_0_0 EXIST::FUNCTION:CT -CTLOG_new_from_base64_ex ? 3_0_0 EXIST::FUNCTION:CT -CTLOG_STORE_new_ex ? 3_0_0 EXIST::FUNCTION:CT -EVP_PKEY_set_ex_data ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_get_ex_data ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_group_name ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get_group_name ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_ec_paramgen_curve_nid ? 3_0_0 EXIST::FUNCTION: -d2i_PrivateKey_ex ? 3_0_0 EXIST::FUNCTION: -d2i_AutoPrivateKey_ex ? 3_0_0 EXIST::FUNCTION: -d2i_PrivateKey_ex_fp ? 3_0_0 EXIST::FUNCTION:STDIO -d2i_PrivateKey_ex_bio ? 3_0_0 EXIST::FUNCTION: -PEM_read_bio_PrivateKey_ex ? 3_0_0 EXIST::FUNCTION: -PEM_read_PrivateKey_ex ? 3_0_0 EXIST::FUNCTION:STDIO -EVP_PKEY_CTX_set_dsa_paramgen_bits ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_dsa_paramgen_q_bits ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_dsa_paramgen_md_props ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_dsa_paramgen_gindex ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_dsa_paramgen_type ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_dsa_paramgen_seed ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_dsa_paramgen_md ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_dh_paramgen_type ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_dh_paramgen_gindex ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_dh_paramgen_seed ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_dh_paramgen_prime_len ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_dh_paramgen_subprime_len ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_dh_paramgen_generator ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_dh_nid ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_dh_rfc5114 ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_dhx_rfc5114 ? 3_0_0 EXIST::FUNCTION: -X509_VERIFY_PARAM_get0_host ? 3_0_0 EXIST::FUNCTION: -X509_VERIFY_PARAM_get0_email ? 3_0_0 EXIST::FUNCTION: -X509_VERIFY_PARAM_get1_ip_asc ? 3_0_0 EXIST::FUNCTION: -X509_ALGOR_copy ? 3_0_0 EXIST::FUNCTION: -X509_REQ_set0_signature ? 3_0_0 EXIST::FUNCTION: -X509_REQ_set1_signature_algo ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_modified ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_set_all_unmodified ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_fetch ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_up_ref ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_free ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_get0_name ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_is_a ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_get0_provider ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_get_params ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_CTX_new ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_CTX_free ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_CTX_get0_rand ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_CTX_get_params ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_CTX_set_params ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_gettable_params ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_gettable_ctx_params ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_settable_ctx_params ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_do_all_provided ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_names_do_all ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_instantiate ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_uninstantiate ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_generate ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_reseed ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_nonce ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_enable_locking ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_verify_zeroization ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_get_strength ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_get_state ? 3_0_0 EXIST::FUNCTION: -EVP_default_properties_is_fips_enabled ? 3_0_0 EXIST::FUNCTION: -EVP_default_properties_enable_fips ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_new_raw_private_key_ex ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_new_raw_public_key_ex ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_BLD_push_time_t ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_construct_time_t ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_get_time_t ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_set_time_t ? 3_0_0 EXIST::FUNCTION: -OSSL_STORE_attach ? 3_0_0 EXIST::FUNCTION: -OSSL_STORE_LOADER_set_attach ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 -EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md_name ? 3_0_0 EXIST::FUNCTION: -OSSL_PROVIDER_do_all ? 3_0_0 EXIST::FUNCTION: -EC_GROUP_get_field_type ? 3_0_0 EXIST::FUNCTION:EC -X509_PUBKEY_eq ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_eq ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_parameters_eq ? 3_0_0 EXIST::FUNCTION: -OSSL_PROVIDER_query_operation ? 3_0_0 EXIST::FUNCTION: -OSSL_PROVIDER_unquery_operation ? 3_0_0 EXIST::FUNCTION: -OSSL_PROVIDER_get0_provider_ctx ? 3_0_0 EXIST::FUNCTION: -OSSL_PROVIDER_get_capabilities ? 3_0_0 EXIST::FUNCTION: -EC_GROUP_new_by_curve_name_ex ? 3_0_0 EXIST::FUNCTION:EC -EC_KEY_new_ex ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC -EC_KEY_new_by_curve_name_ex ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC -OSSL_LIB_CTX_set0_default ? 3_0_0 EXIST::FUNCTION: -PEM_X509_INFO_read_bio_ex ? 3_0_0 EXIST::FUNCTION: -PEM_X509_INFO_read_ex ? 3_0_0 EXIST::FUNCTION:STDIO -X509_REQ_verify_ex ? 3_0_0 EXIST::FUNCTION: -X509_new_ex ? 3_0_0 EXIST::FUNCTION: -X509_LOOKUP_ctrl_ex ? 3_0_0 EXIST::FUNCTION: -X509_load_cert_file_ex ? 3_0_0 EXIST::FUNCTION: -X509_load_cert_crl_file_ex ? 3_0_0 EXIST::FUNCTION: -X509_LOOKUP_by_subject_ex ? 3_0_0 EXIST::FUNCTION: -X509_STORE_load_file_ex ? 3_0_0 EXIST::FUNCTION: -X509_STORE_load_store_ex ? 3_0_0 EXIST::FUNCTION: -X509_STORE_load_locations_ex ? 3_0_0 EXIST::FUNCTION: -X509_STORE_set_default_paths_ex ? 3_0_0 EXIST::FUNCTION: -X509_build_chain ? 3_0_0 EXIST::FUNCTION: -X509V3_set_issuer_pkey ? 3_0_0 EXIST::FUNCTION: -i2s_ASN1_UTF8STRING ? 3_0_0 EXIST::FUNCTION: -s2i_ASN1_UTF8STRING ? 3_0_0 EXIST::FUNCTION: -OSSL_STORE_open_ex ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_fetch ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_up_ref ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_free ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_get0_provider ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_get0_properties ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_is_a ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_do_all_provided ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_names_do_all ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_settable_ctx_params ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_CTX_new ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_CTX_set_params ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_CTX_free ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_CTX_set_passphrase ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_CTX_set_pem_password_cb ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_CTX_set_passphrase_ui ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_from_bio ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_from_fp ? 3_0_0 EXIST::FUNCTION:STDIO -OSSL_DECODER_CTX_add_decoder ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_CTX_add_extra ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_CTX_get_num_decoders ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_CTX_set_input_type ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_export ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_INSTANCE_get_decoder ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_INSTANCE_get_decoder_ctx ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_gettable_params ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_get_params ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_CTX_new_for_pkey ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_CTX_set_construct ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_CTX_set_construct_data ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_CTX_set_cleanup ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_CTX_get_construct ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_CTX_get_construct_data ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_CTX_get_cleanup ? 3_0_0 EXIST::FUNCTION: -RAND_get0_primary ? 3_0_0 EXIST::FUNCTION: -RAND_get0_public ? 3_0_0 EXIST::FUNCTION: -RAND_get0_private ? 3_0_0 EXIST::FUNCTION: -PKCS12_SAFEBAG_get0_bag_obj ? 3_0_0 EXIST::FUNCTION: -PKCS12_SAFEBAG_get0_bag_type ? 3_0_0 EXIST::FUNCTION: -PKCS12_SAFEBAG_create_secret ? 3_0_0 EXIST::FUNCTION: -PKCS12_add1_attr_by_NID ? 3_0_0 EXIST::FUNCTION: -PKCS12_add1_attr_by_txt ? 3_0_0 EXIST::FUNCTION: -PKCS12_add_secret ? 3_0_0 EXIST::FUNCTION: -SMIME_write_ASN1_ex ? 3_0_0 EXIST::FUNCTION: -SMIME_read_ASN1_ex ? 3_0_0 EXIST::FUNCTION: -CMS_ContentInfo_new_ex ? 3_0_0 EXIST::FUNCTION:CMS -SMIME_read_CMS_ex ? 3_0_0 EXIST::FUNCTION:CMS -CMS_sign_ex ? 3_0_0 EXIST::FUNCTION:CMS -CMS_data_create_ex ? 3_0_0 EXIST::FUNCTION:CMS -CMS_digest_create_ex ? 3_0_0 EXIST::FUNCTION:CMS -CMS_EncryptedData_encrypt_ex ? 3_0_0 EXIST::FUNCTION:CMS -CMS_encrypt_ex ? 3_0_0 EXIST::FUNCTION:CMS -CMS_EnvelopedData_create_ex ? 3_0_0 EXIST::FUNCTION:CMS -CMS_ReceiptRequest_create0_ex ? 3_0_0 EXIST::FUNCTION:CMS -EVP_SignFinal_ex ? 3_0_0 EXIST::FUNCTION: -EVP_VerifyFinal_ex ? 3_0_0 EXIST::FUNCTION: -EVP_DigestSignInit_ex ? 3_0_0 EXIST::FUNCTION: -EVP_DigestVerifyInit_ex ? 3_0_0 EXIST::FUNCTION: -PKCS7_new_ex ? 3_0_0 EXIST::FUNCTION: -PKCS7_sign_ex ? 3_0_0 EXIST::FUNCTION: -PKCS7_encrypt_ex ? 3_0_0 EXIST::FUNCTION: -SMIME_read_PKCS7_ex ? 3_0_0 EXIST::FUNCTION: -OSSL_PROVIDER_self_test ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_tls1_prf_md ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set1_tls1_prf_secret ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_add1_tls1_prf_seed ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_hkdf_md ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set1_hkdf_salt ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set1_hkdf_key ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_add1_hkdf_info ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_hkdf_mode ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set1_pbe_pass ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set1_scrypt_salt ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_scrypt_N ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_scrypt_r ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_scrypt_p ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_scrypt_maxmem_bytes ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_dh_kdf_type ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get_dh_kdf_type ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set0_dh_kdf_oid ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get0_dh_kdf_oid ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_dh_kdf_md ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get_dh_kdf_md ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_dh_kdf_outlen ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get_dh_kdf_outlen ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set0_dh_kdf_ukm ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get0_dh_kdf_ukm ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 -EVP_CIPHER_CTX_get_updated_iv ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_CTX_get_original_iv ? 3_0_0 EXIST::FUNCTION: -EVP_KEYMGMT_gettable_params ? 3_0_0 EXIST::FUNCTION: -EVP_KEYMGMT_settable_params ? 3_0_0 EXIST::FUNCTION: -EVP_KEYMGMT_gen_settable_params ? 3_0_0 EXIST::FUNCTION: -EVP_SIGNATURE_gettable_ctx_params ? 3_0_0 EXIST::FUNCTION: -EVP_SIGNATURE_settable_ctx_params ? 3_0_0 EXIST::FUNCTION: -EVP_KEYEXCH_gettable_ctx_params ? 3_0_0 EXIST::FUNCTION: -EVP_KEYEXCH_settable_ctx_params ? 3_0_0 EXIST::FUNCTION: -d2i_PUBKEY_ex ? 3_0_0 EXIST::FUNCTION: -OSSL_STORE_INFO_new_PUBKEY ? 3_0_0 EXIST::FUNCTION: -OSSL_STORE_INFO_get0_PUBKEY ? 3_0_0 EXIST::FUNCTION: -OSSL_STORE_INFO_get1_PUBKEY ? 3_0_0 EXIST::FUNCTION: -PEM_read_bio_PUBKEY_ex ? 3_0_0 EXIST::FUNCTION: -PEM_read_PUBKEY_ex ? 3_0_0 EXIST::FUNCTION:STDIO -PEM_read_bio_Parameters_ex ? 3_0_0 EXIST::FUNCTION: -EC_GROUP_new_from_params ? 3_0_0 EXIST::FUNCTION:EC -OSSL_STORE_LOADER_set_open_ex ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 -OSSL_STORE_LOADER_fetch ? 3_0_0 EXIST::FUNCTION: -OSSL_STORE_LOADER_up_ref ? 3_0_0 EXIST::FUNCTION: -OSSL_STORE_LOADER_get0_provider ? 3_0_0 EXIST::FUNCTION: -OSSL_STORE_LOADER_get0_properties ? 3_0_0 EXIST::FUNCTION: -OSSL_STORE_LOADER_is_a ? 3_0_0 EXIST::FUNCTION: -OSSL_STORE_LOADER_do_all_provided ? 3_0_0 EXIST::FUNCTION: -OSSL_STORE_LOADER_names_do_all ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_get_utf8_string_ptr ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_get_octet_string_ptr ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_CTX_set_passphrase_cb ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_mac_key ? 3_0_0 EXIST::FUNCTION: -OSSL_STORE_INFO_new ? 3_0_0 EXIST::FUNCTION: -OSSL_STORE_INFO_get0_data ? 3_0_0 EXIST::FUNCTION: -asn1_d2i_read_bio ? 3_0_0 EXIST::FUNCTION: -EVP_PKCS82PKEY_ex ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set1_id ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get1_id ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get1_id_len ? 3_0_0 EXIST::FUNCTION: -CMS_AuthEnvelopedData_create ? 3_0_0 EXIST::FUNCTION:CMS -CMS_AuthEnvelopedData_create_ex ? 3_0_0 EXIST::FUNCTION:CMS -EVP_PKEY_CTX_set_ec_param_enc ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_get0_type_name ? 3_0_0 EXIST::FUNCTION: -EVP_KEYMGMT_get0_name ? 3_0_0 EXIST::FUNCTION: -EC_KEY_decoded_from_explicit_params ? 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC -EVP_KEM_free ? 3_0_0 EXIST::FUNCTION: -EVP_KEM_up_ref ? 3_0_0 EXIST::FUNCTION: -EVP_KEM_get0_provider ? 3_0_0 EXIST::FUNCTION: -EVP_KEM_fetch ? 3_0_0 EXIST::FUNCTION: -EVP_KEM_is_a ? 3_0_0 EXIST::FUNCTION: -EVP_KEM_do_all_provided ? 3_0_0 EXIST::FUNCTION: -EVP_KEM_names_do_all ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_encapsulate_init ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_encapsulate ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_decapsulate_init ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_decapsulate ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_kem_op ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_gettable_params ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_get_params ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_CTX_set_output_type ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_CTX_add_encoder ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_CTX_add_extra ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_CTX_get_num_encoders ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_CTX_set_selection ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_INSTANCE_get_encoder ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_INSTANCE_get_encoder_ctx ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_INSTANCE_get_output_type ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_CTX_set_construct ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_CTX_set_construct_data ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_CTX_set_cleanup ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_CTX_set_passphrase_cb ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_type_names_do_all ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_INSTANCE_get_input_type ? 3_0_0 EXIST::FUNCTION: -EVP_ASYM_CIPHER_gettable_ctx_params ? 3_0_0 EXIST::FUNCTION: -EVP_ASYM_CIPHER_settable_ctx_params ? 3_0_0 EXIST::FUNCTION: -EVP_KEM_gettable_ctx_params ? 3_0_0 EXIST::FUNCTION: -EVP_KEM_settable_ctx_params ? 3_0_0 EXIST::FUNCTION: -PKCS7_type_is_other ? 3_0_0 EXIST::FUNCTION: -PKCS7_get_octet_string ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_from_data ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_to_data ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get0_libctx ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get0_propq ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_set1_encoded_public_key ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_get1_encoded_public_key ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_CTX_set_selection ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_CTX_set_input_structure ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_INSTANCE_get_input_structure ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_CTX_set_output_structure ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_INSTANCE_get_output_structure ? 3_0_0 EXIST::FUNCTION: -PEM_write_PrivateKey_ex ? 3_0_0 EXIST::FUNCTION:STDIO -PEM_write_bio_PrivateKey_ex ? 3_0_0 EXIST::FUNCTION: -PEM_write_PUBKEY_ex ? 3_0_0 EXIST::FUNCTION:STDIO -PEM_write_bio_PUBKEY_ex ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_get_group_name ? 3_0_0 EXIST::FUNCTION: -CRYPTO_atomic_or ? 3_0_0 EXIST::FUNCTION: -CRYPTO_atomic_load ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_rsa_pss_keygen_md ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_rsa_pss_keygen_md_name ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_settable_params ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_set_params ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_set_int_param ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_set_size_t_param ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_set_bn_param ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_set_utf8_string_param ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_set_octet_string_param ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_get_ec_point_conv_form ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_get_field_type ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_get_params ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_fromdata_init ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_fromdata_settable ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_param_check_quick ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_public_check_quick ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_is_a ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_CTX_settable_params ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_CTX_gettable_params ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_CTX_gettable_params ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_CTX_settable_params ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_CTX_gettable_params ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_CTX_settable_params ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_CTX_gettable_params ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_CTX_settable_params ? 3_0_0 EXIST::FUNCTION: -RAND_set_DRBG_type ? 3_0_0 EXIST::FUNCTION: -RAND_set_seed_source_type ? 3_0_0 EXIST::FUNCTION: -BN_mod_exp_mont_consttime_x2 ? 3_0_0 EXIST::FUNCTION: -BIO_f_readbuffer ? 3_0_0 EXIST::FUNCTION: -OSSL_ESS_check_signing_certs ? 3_0_0 EXIST::FUNCTION: -OSSL_ESS_signing_cert_new_init ? 3_0_0 EXIST::FUNCTION: -OSSL_ESS_signing_cert_v2_new_init ? 3_0_0 EXIST::FUNCTION: -ESS_SIGNING_CERT_it ? 3_0_0 EXIST::FUNCTION: -ESS_SIGNING_CERT_V2_it ? 3_0_0 EXIST::FUNCTION: -EVP_Q_digest ? 3_0_0 EXIST::FUNCTION: -EVP_DigestInit_ex2 ? 3_0_0 EXIST::FUNCTION: -EVP_EncryptInit_ex2 ? 3_0_0 EXIST::FUNCTION: -EVP_DecryptInit_ex2 ? 3_0_0 EXIST::FUNCTION: -EVP_CipherInit_ex2 ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_sign_init_ex ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_verify_init_ex ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_verify_recover_init_ex ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_encrypt_init_ex ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_decrypt_init_ex ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_derive_init_ex ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_print_public_fp ? 3_0_0 EXIST::FUNCTION:STDIO -EVP_PKEY_print_private_fp ? 3_0_0 EXIST::FUNCTION:STDIO -EVP_PKEY_print_params_fp ? 3_0_0 EXIST::FUNCTION:STDIO -TS_RESP_CTX_new_ex ? 3_0_0 EXIST::FUNCTION:TS -X509_REQ_new_ex ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_dup ? 3_0_0 EXIST::FUNCTION: -RSA_PSS_PARAMS_dup ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_derive_set_peer_ex ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_get0_name ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_get0_name ? 3_0_0 EXIST::FUNCTION: -OSSL_DECODER_get0_description ? 3_0_0 EXIST::FUNCTION: -OSSL_ENCODER_get0_description ? 3_0_0 EXIST::FUNCTION: -OSSL_STORE_LOADER_get0_description ? 3_0_0 EXIST::FUNCTION: -EVP_MD_get0_description ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_get0_description ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_get0_description ? 3_0_0 EXIST::FUNCTION: -EVP_RAND_get0_description ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_get0_description ? 3_0_0 EXIST::FUNCTION: -EVP_KEYMGMT_get0_description ? 3_0_0 EXIST::FUNCTION: -EVP_SIGNATURE_get0_description ? 3_0_0 EXIST::FUNCTION: -EVP_ASYM_CIPHER_get0_description ? 3_0_0 EXIST::FUNCTION: -EVP_KEM_get0_description ? 3_0_0 EXIST::FUNCTION: -EVP_KEYEXCH_get0_description ? 3_0_0 EXIST::FUNCTION: -EVP_KDF_get0_description ? 3_0_0 EXIST::FUNCTION: -OPENSSL_sk_find_all ? 3_0_0 EXIST::FUNCTION: -X509_CRL_new_ex ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_dup ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_merge ? 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_free ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_todata ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_export ? 3_0_0 EXIST::FUNCTION: -EVP_MD_CTX_get0_md ? 3_0_0 EXIST::FUNCTION: -EVP_MD_CTX_get1_md ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_CTX_get0_cipher ? 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_CTX_get1_cipher ? 3_0_0 EXIST::FUNCTION: -OSSL_LIB_CTX_get0_global_default ? 3_0_0 EXIST::FUNCTION: -EVP_SIGNATURE_get0_name ? 3_0_0 EXIST::FUNCTION: -EVP_ASYM_CIPHER_get0_name ? 3_0_0 EXIST::FUNCTION: -EVP_KEM_get0_name ? 3_0_0 EXIST::FUNCTION: -EVP_KEYEXCH_get0_name ? 3_0_0 EXIST::FUNCTION: -PKCS5_v2_PBE_keyivgen_ex ? 3_0_0 EXIST::FUNCTION: -EVP_PBE_scrypt_ex ? 3_0_0 EXIST::FUNCTION:SCRYPT -PKCS5_v2_scrypt_keyivgen_ex ? 3_0_0 EXIST::FUNCTION:SCRYPT -EVP_PBE_CipherInit_ex ? 3_0_0 EXIST::FUNCTION: -EVP_PBE_find_ex ? 3_0_0 EXIST::FUNCTION: -PKCS12_SAFEBAG_create_pkcs8_encrypt_ex ? 3_0_0 EXIST::FUNCTION: -PKCS8_decrypt_ex ? 3_0_0 EXIST::FUNCTION: -PKCS12_decrypt_skey_ex ? 3_0_0 EXIST::FUNCTION: -PKCS8_encrypt_ex ? 3_0_0 EXIST::FUNCTION: -PKCS8_set0_pbe_ex ? 3_0_0 EXIST::FUNCTION: -PKCS12_pack_p7encdata_ex ? 3_0_0 EXIST::FUNCTION: -PKCS12_pbe_crypt_ex ? 3_0_0 EXIST::FUNCTION: -PKCS12_item_decrypt_d2i_ex ? 3_0_0 EXIST::FUNCTION: -PKCS12_item_i2d_encrypt_ex ? 3_0_0 EXIST::FUNCTION: -PKCS12_init_ex ? 3_0_0 EXIST::FUNCTION: -PKCS12_key_gen_asc_ex ? 3_0_0 EXIST::FUNCTION: -PKCS12_key_gen_uni_ex ? 3_0_0 EXIST::FUNCTION: -PKCS12_key_gen_utf8_ex ? 3_0_0 EXIST::FUNCTION: -PKCS12_PBE_keyivgen_ex ? 3_0_0 EXIST::FUNCTION: -PKCS12_create_ex ? 3_0_0 EXIST::FUNCTION: -PKCS12_add_key_ex ? 3_0_0 EXIST::FUNCTION: -PKCS12_add_safe_ex ? 3_0_0 EXIST::FUNCTION: -PKCS12_add_safes_ex ? 3_0_0 EXIST::FUNCTION: -PKCS5_pbe_set0_algor_ex ? 3_0_0 EXIST::FUNCTION: -PKCS5_pbe_set_ex ? 3_0_0 EXIST::FUNCTION: -PKCS5_pbe2_set_iv_ex ? 3_0_0 EXIST::FUNCTION: -PKCS5_pbkdf2_set_ex ? 3_0_0 EXIST::FUNCTION: -BIO_new_from_core_bio ? 3_0_0 EXIST::FUNCTION: -BIO_new_ex ? 3_0_0 EXIST::FUNCTION: -BIO_s_core ? 3_0_0 EXIST::FUNCTION: -BIO_get_line ? 3_0_0 EXIST::FUNCTION: -OSSL_LIB_CTX_new_from_dispatch ? 3_0_0 EXIST::FUNCTION: -OSSL_LIB_CTX_new_child ? 3_0_0 EXIST::FUNCTION: -OSSL_PROVIDER_get0_dispatch ? 3_0_0 EXIST::FUNCTION: -PKCS5_PBE_keyivgen_ex ? 3_0_0 EXIST::FUNCTION: -EVP_MAC_CTX_get_block_size ? 3_0_0 EXIST::FUNCTION: -BIO_debug_callback_ex ? 3_0_0 EXIST::FUNCTION: -b2i_PVK_bio_ex ? 3_0_0 EXIST::FUNCTION: -i2b_PVK_bio_ex ? 3_0_0 EXIST::FUNCTION: -NCONF_get0_libctx ? 3_0_0 EXIST::FUNCTION: -NCONF_get_section_names ? 3_0_0 EXIST::FUNCTION: -X509_PUBKEY_new_ex ? 3_0_0 EXIST::FUNCTION: -ASN1_item_new_ex ? 3_0_0 EXIST::FUNCTION: -ASN1_item_d2i_fp_ex ? 3_0_0 EXIST::FUNCTION:STDIO -ASN1_item_d2i_bio_ex ? 3_0_0 EXIST::FUNCTION: -ASN1_item_d2i_ex ? 3_0_0 EXIST::FUNCTION: -ASN1_TIME_print_ex ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_get0_provider ? 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get0_provider ? 3_0_0 EXIST::FUNCTION: +EVP_MAC_CTX_new 4534 3_0_0 EXIST::FUNCTION: +EVP_MAC_CTX_free 4535 3_0_0 EXIST::FUNCTION: +EVP_MAC_CTX_dup 4536 3_0_0 EXIST::FUNCTION: +EVP_MAC_CTX_get0_mac 4537 3_0_0 EXIST::FUNCTION: +EVP_MAC_CTX_get_mac_size 4538 3_0_0 EXIST::FUNCTION: +EVP_Q_mac 4539 3_0_0 EXIST::FUNCTION: +EVP_MAC_init 4540 3_0_0 EXIST::FUNCTION: +EVP_MAC_update 4541 3_0_0 EXIST::FUNCTION: +EVP_MAC_final 4542 3_0_0 EXIST::FUNCTION: +EVP_MAC_finalXOF 4543 3_0_0 EXIST::FUNCTION: +OSSL_EC_curve_nid2name 4544 3_0_0 EXIST::FUNCTION: +EVP_PKEY_digestsign_supports_digest 4545 3_0_0 EXIST::FUNCTION: +SRP_VBASE_add0_user 4546 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP +SRP_user_pwd_new 4547 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP +SRP_user_pwd_set_gN 4548 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP +SRP_user_pwd_set1_ids 4549 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP +SRP_user_pwd_set0_sv 4550 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP +OPENSSL_version_major 4551 3_0_0 EXIST::FUNCTION: +OPENSSL_version_minor 4552 3_0_0 EXIST::FUNCTION: +OPENSSL_version_patch 4553 3_0_0 EXIST::FUNCTION: +OPENSSL_version_pre_release 4554 3_0_0 EXIST::FUNCTION: +OPENSSL_version_build_metadata 4555 3_0_0 EXIST::FUNCTION: +OPENSSL_INIT_set_config_filename 4556 3_0_0 EXIST::FUNCTION:STDIO +OPENSSL_INIT_set_config_file_flags 4557 3_0_0 EXIST::FUNCTION:STDIO +ASYNC_WAIT_CTX_get_callback 4558 3_0_0 EXIST::FUNCTION: +ASYNC_WAIT_CTX_set_callback 4559 3_0_0 EXIST::FUNCTION: +ASYNC_WAIT_CTX_set_status 4560 3_0_0 EXIST::FUNCTION: +ASYNC_WAIT_CTX_get_status 4561 3_0_0 EXIST::FUNCTION: +EVP_KDF_CTX_free 4562 3_0_0 EXIST::FUNCTION: +EVP_KDF_CTX_reset 4563 3_0_0 EXIST::FUNCTION: +EVP_KDF_CTX_get_kdf_size 4564 3_0_0 EXIST::FUNCTION: +EVP_KDF_derive 4565 3_0_0 EXIST::FUNCTION: +EVP_KDF_get0_name 4566 3_0_0 EXIST::FUNCTION: +EC_GROUP_get0_field 4567 3_0_0 EXIST::FUNCTION:EC +CRYPTO_alloc_ex_data 4568 3_0_0 EXIST::FUNCTION: +OSSL_LIB_CTX_new 4569 3_0_0 EXIST::FUNCTION: +OSSL_LIB_CTX_free 4570 3_0_0 EXIST::FUNCTION: +OPENSSL_LH_flush 4571 3_0_0 EXIST::FUNCTION: +BN_native2bn 4572 3_0_0 EXIST::FUNCTION: +BN_bn2nativepad 4573 3_0_0 EXIST::FUNCTION: +OSSL_trace_get_category_num 4574 3_0_0 EXIST::FUNCTION: +OSSL_trace_get_category_name 4575 3_0_0 EXIST::FUNCTION: +OSSL_trace_set_channel 4576 3_0_0 EXIST::FUNCTION: +OSSL_trace_set_prefix 4577 3_0_0 EXIST::FUNCTION: +OSSL_trace_set_suffix 4578 3_0_0 EXIST::FUNCTION: +OSSL_trace_set_callback 4579 3_0_0 EXIST::FUNCTION: +OSSL_trace_enabled 4580 3_0_0 EXIST::FUNCTION: +OSSL_trace_begin 4581 3_0_0 EXIST::FUNCTION: +OSSL_trace_end 4582 3_0_0 EXIST::FUNCTION: +OSSL_PROVIDER_load 4583 3_0_0 EXIST::FUNCTION: +OSSL_PROVIDER_try_load 4584 3_0_0 EXIST::FUNCTION: +OSSL_PROVIDER_unload 4585 3_0_0 EXIST::FUNCTION: +OSSL_PROVIDER_add_builtin 4586 3_0_0 EXIST::FUNCTION: +OSSL_PROVIDER_gettable_params 4587 3_0_0 EXIST::FUNCTION: +OSSL_PROVIDER_get_params 4588 3_0_0 EXIST::FUNCTION: +d2i_OSSL_CRMF_ENCRYPTEDVALUE 4589 3_0_0 EXIST::FUNCTION:CRMF +i2d_OSSL_CRMF_ENCRYPTEDVALUE 4590 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_ENCRYPTEDVALUE_free 4591 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_ENCRYPTEDVALUE_new 4592 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_ENCRYPTEDVALUE_it 4593 3_0_0 EXIST::FUNCTION:CRMF +d2i_OSSL_CRMF_MSG 4594 3_0_0 EXIST::FUNCTION:CRMF +i2d_OSSL_CRMF_MSG 4595 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_dup 4596 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_free 4597 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_new 4598 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_it 4599 3_0_0 EXIST::FUNCTION:CRMF +d2i_OSSL_CRMF_PBMPARAMETER 4600 3_0_0 EXIST::FUNCTION:CRMF +i2d_OSSL_CRMF_PBMPARAMETER 4601 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_PBMPARAMETER_free 4602 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_PBMPARAMETER_new 4603 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_PBMPARAMETER_it 4604 3_0_0 EXIST::FUNCTION:CRMF +d2i_OSSL_CRMF_CERTID 4605 3_0_0 EXIST::FUNCTION:CRMF +i2d_OSSL_CRMF_CERTID 4606 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_CERTID_dup 4607 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_CERTID_free 4608 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_CERTID_new 4609 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_CERTID_it 4610 3_0_0 EXIST::FUNCTION:CRMF +d2i_OSSL_CRMF_PKIPUBLICATIONINFO 4611 3_0_0 EXIST::FUNCTION:CRMF +i2d_OSSL_CRMF_PKIPUBLICATIONINFO 4612 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_PKIPUBLICATIONINFO_free 4613 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_PKIPUBLICATIONINFO_new 4614 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_PKIPUBLICATIONINFO_it 4615 3_0_0 EXIST::FUNCTION:CRMF +d2i_OSSL_CRMF_SINGLEPUBINFO 4616 3_0_0 EXIST::FUNCTION:CRMF +i2d_OSSL_CRMF_SINGLEPUBINFO 4617 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_SINGLEPUBINFO_free 4618 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_SINGLEPUBINFO_new 4619 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_SINGLEPUBINFO_it 4620 3_0_0 EXIST::FUNCTION:CRMF +d2i_OSSL_CRMF_CERTTEMPLATE 4621 3_0_0 EXIST::FUNCTION:CRMF +i2d_OSSL_CRMF_CERTTEMPLATE 4622 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_CERTTEMPLATE_free 4623 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_CERTTEMPLATE_new 4624 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_CERTTEMPLATE_it 4625 3_0_0 EXIST::FUNCTION:CRMF +d2i_OSSL_CRMF_MSGS 4626 3_0_0 EXIST::FUNCTION:CRMF +i2d_OSSL_CRMF_MSGS 4627 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSGS_free 4628 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSGS_new 4629 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSGS_it 4630 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_pbmp_new 4631 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_pbm_new 4632 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_get0_regCtrl_regToken 4633 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_set1_regCtrl_regToken 4634 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_get0_regCtrl_authenticator 4635 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_set1_regCtrl_authenticator 4636 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo 4637 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_set0_SinglePubInfo 4638 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_get0_regCtrl_pkiPublicationInfo 4639 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_set_PKIPublicationInfo_action 4640 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_set1_regCtrl_pkiPublicationInfo 4641 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_get0_regCtrl_protocolEncrKey 4642 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_set1_regCtrl_protocolEncrKey 4643 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_get0_regCtrl_oldCertID 4644 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_set1_regCtrl_oldCertID 4645 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_CERTID_gen 4646 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_get0_regInfo_utf8Pairs 4647 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_set1_regInfo_utf8Pairs 4648 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_get0_regInfo_certReq 4649 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_set1_regInfo_certReq 4650 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_set0_validity 4651 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_set_certReqId 4652 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_get_certReqId 4653 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_set0_extensions 4654 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_push0_extension 4655 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_create_popo 4656 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSGS_verify_popo 4657 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_MSG_get0_tmpl 4658 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_CERTTEMPLATE_get0_serialNumber 4659 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_CERTTEMPLATE_get0_subject 4660 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_CERTTEMPLATE_get0_issuer 4661 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_CERTTEMPLATE_get0_extensions 4662 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_CERTTEMPLATE_fill 4663 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert 4664 3_0_0 EXIST::FUNCTION:CRMF +OSSL_PARAM_locate 4665 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_construct_int 4666 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_construct_uint 4667 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_construct_long 4668 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_construct_ulong 4669 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_construct_int32 4670 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_construct_uint32 4671 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_construct_int64 4672 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_construct_uint64 4673 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_construct_size_t 4674 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_construct_BN 4675 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_construct_double 4676 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_construct_utf8_string 4677 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_construct_utf8_ptr 4678 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_construct_octet_string 4679 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_construct_octet_ptr 4680 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_get_int 4681 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_get_uint 4682 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_get_long 4683 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_get_ulong 4684 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_get_int32 4685 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_get_uint32 4686 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_get_int64 4687 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_get_uint64 4688 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_get_size_t 4689 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_set_int 4690 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_set_uint 4691 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_set_long 4692 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_set_ulong 4693 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_set_int32 4694 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_set_uint32 4695 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_set_int64 4696 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_set_uint64 4697 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_set_size_t 4698 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_get_double 4699 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_set_double 4700 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_get_BN 4701 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_set_BN 4702 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_get_utf8_string 4703 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_set_utf8_string 4704 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_get_octet_string 4705 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_set_octet_string 4706 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_get_utf8_ptr 4707 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_set_utf8_ptr 4708 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_get_octet_ptr 4709 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_set_octet_ptr 4710 3_0_0 EXIST::FUNCTION: +X509_set0_distinguishing_id 4711 3_0_0 EXIST::FUNCTION: +X509_get0_distinguishing_id 4712 3_0_0 EXIST::FUNCTION: +EVP_PKEY_get0_engine 4713 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE +EVP_MD_up_ref 4714 3_0_0 EXIST::FUNCTION: +EVP_MD_fetch 4715 3_0_0 EXIST::FUNCTION: +EVP_set_default_properties 4716 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_construct_end 4717 3_0_0 EXIST::FUNCTION: +EC_GROUP_check_named_curve 4718 3_0_0 EXIST::FUNCTION:EC +EVP_CIPHER_up_ref 4719 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_fetch 4720 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_get_mode 4721 3_0_0 EXIST::FUNCTION: +OPENSSL_info 4722 3_0_0 EXIST::FUNCTION: +EVP_KDF_CTX_new 4723 3_0_0 EXIST::FUNCTION: +EVP_KDF_CTX_kdf 4724 3_0_0 EXIST::FUNCTION: +i2d_KeyParams 4725 3_0_0 EXIST::FUNCTION: +d2i_KeyParams 4726 3_0_0 EXIST::FUNCTION: +i2d_KeyParams_bio 4727 3_0_0 EXIST::FUNCTION: +d2i_KeyParams_bio 4728 3_0_0 EXIST::FUNCTION: +OSSL_CMP_PKISTATUS_it 4729 3_0_0 EXIST::FUNCTION:CMP +d2i_OSSL_CMP_PKIHEADER 4730 3_0_0 EXIST::FUNCTION:CMP +i2d_OSSL_CMP_PKIHEADER 4731 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_PKIHEADER_free 4732 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_PKIHEADER_new 4733 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_PKIHEADER_it 4734 3_0_0 EXIST::FUNCTION:CMP +d2i_OSSL_CMP_MSG 4735 3_0_0 EXIST::FUNCTION:CMP +i2d_OSSL_CMP_MSG 4736 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_MSG_it 4737 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_ITAV_create 4738 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_ITAV_set0 4739 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_ITAV_get0_type 4740 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_ITAV_get0_value 4741 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_ITAV_push0_stack_item 4742 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_ITAV_free 4743 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_MSG_free 4744 3_0_0 EXIST::FUNCTION:CMP +EVP_MD_CTX_set_params 4745 3_0_0 EXIST::FUNCTION: +EVP_MD_CTX_get_params 4746 3_0_0 EXIST::FUNCTION: +BN_CTX_new_ex 4747 3_0_0 EXIST::FUNCTION: +BN_CTX_secure_new_ex 4748 3_0_0 EXIST::FUNCTION: +OPENSSL_thread_stop_ex 4749 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_locate_const 4750 3_0_0 EXIST::FUNCTION: +X509_REQ_set0_distinguishing_id 4751 3_0_0 EXIST::FUNCTION: +X509_REQ_get0_distinguishing_id 4752 3_0_0 EXIST::FUNCTION: +BN_rand_ex 4753 3_0_0 EXIST::FUNCTION: +BN_priv_rand_ex 4754 3_0_0 EXIST::FUNCTION: +BN_rand_range_ex 4755 3_0_0 EXIST::FUNCTION: +BN_priv_rand_range_ex 4756 3_0_0 EXIST::FUNCTION: +BN_generate_prime_ex2 4757 3_0_0 EXIST::FUNCTION: +EVP_KEYEXCH_free 4758 3_0_0 EXIST::FUNCTION: +EVP_KEYEXCH_up_ref 4759 3_0_0 EXIST::FUNCTION: +EVP_KEYEXCH_fetch 4760 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_dh_pad 4761 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_params 4762 3_0_0 EXIST::FUNCTION: +EVP_KEYMGMT_fetch 4763 3_0_0 EXIST::FUNCTION: +EVP_KEYMGMT_up_ref 4764 3_0_0 EXIST::FUNCTION: +EVP_KEYMGMT_free 4765 3_0_0 EXIST::FUNCTION: +EVP_KEYMGMT_get0_provider 4766 3_0_0 EXIST::FUNCTION: +X509_PUBKEY_dup 4767 3_0_0 EXIST::FUNCTION: +EVP_MD_get0_name 4768 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_get0_name 4769 3_0_0 EXIST::FUNCTION: +EVP_MD_get0_provider 4770 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_get0_provider 4771 3_0_0 EXIST::FUNCTION: +OSSL_PROVIDER_get0_name 4772 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_do_all_provided 4773 3_0_0 EXIST::FUNCTION: +EVP_MD_do_all_provided 4774 3_0_0 EXIST::FUNCTION: +EVP_KEYEXCH_get0_provider 4775 3_0_0 EXIST::FUNCTION: +OSSL_PROVIDER_available 4776 3_0_0 EXIST::FUNCTION: +ERR_new 4777 3_0_0 EXIST::FUNCTION: +ERR_set_debug 4778 3_0_0 EXIST::FUNCTION: +ERR_set_error 4779 3_0_0 EXIST::FUNCTION: +ERR_vset_error 4780 3_0_0 EXIST::FUNCTION: +X509_get0_authority_issuer 4781 3_0_0 EXIST::FUNCTION: +X509_get0_authority_serial 4782 3_0_0 EXIST::FUNCTION: +X509_self_signed 4783 3_0_0 EXIST::FUNCTION: +OPENSSL_hexstr2buf_ex 4784 3_0_0 EXIST::FUNCTION: +OPENSSL_buf2hexstr_ex 4785 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_allocate_from_text 4786 3_0_0 EXIST::FUNCTION: +EVP_MD_gettable_params 4787 3_0_0 EXIST::FUNCTION: +EVP_MD_CTX_settable_params 4788 3_0_0 EXIST::FUNCTION: +EVP_MD_CTX_gettable_params 4789 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_get_params 4790 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_set_params 4791 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_get_params 4792 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_gettable_params 4793 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_settable_ctx_params 4794 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_gettable_ctx_params 4795 3_0_0 EXIST::FUNCTION: +EVP_MD_get_params 4796 3_0_0 EXIST::FUNCTION: +EVP_MAC_fetch 4797 3_0_0 EXIST::FUNCTION: +EVP_MAC_settable_ctx_params 4798 3_0_0 EXIST::FUNCTION: +EVP_MAC_CTX_set_params 4799 3_0_0 EXIST::FUNCTION: +EVP_MAC_CTX_get_params 4800 3_0_0 EXIST::FUNCTION: +EVP_MAC_gettable_ctx_params 4801 3_0_0 EXIST::FUNCTION: +EVP_MAC_free 4802 3_0_0 EXIST::FUNCTION: +EVP_MAC_up_ref 4803 3_0_0 EXIST::FUNCTION: +EVP_MAC_get_params 4804 3_0_0 EXIST::FUNCTION: +EVP_MAC_gettable_params 4805 3_0_0 EXIST::FUNCTION: +EVP_MAC_get0_provider 4806 3_0_0 EXIST::FUNCTION: +EVP_MAC_do_all_provided 4807 3_0_0 EXIST::FUNCTION: +EVP_MAC_get0_name 4808 3_0_0 EXIST::FUNCTION: +EVP_MD_free 4809 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_free 4810 3_0_0 EXIST::FUNCTION: +EVP_KDF_up_ref 4811 3_0_0 EXIST::FUNCTION: +EVP_KDF_free 4812 3_0_0 EXIST::FUNCTION: +EVP_KDF_fetch 4813 3_0_0 EXIST::FUNCTION: +EVP_KDF_CTX_dup 4814 3_0_0 EXIST::FUNCTION: +EVP_KDF_get0_provider 4815 3_0_0 EXIST::FUNCTION: +EVP_KDF_get_params 4816 3_0_0 EXIST::FUNCTION: +EVP_KDF_CTX_get_params 4817 3_0_0 EXIST::FUNCTION: +EVP_KDF_CTX_set_params 4818 3_0_0 EXIST::FUNCTION: +EVP_KDF_gettable_params 4819 3_0_0 EXIST::FUNCTION: +EVP_KDF_gettable_ctx_params 4820 3_0_0 EXIST::FUNCTION: +EVP_KDF_settable_ctx_params 4821 3_0_0 EXIST::FUNCTION: +EVP_KDF_do_all_provided 4822 3_0_0 EXIST::FUNCTION: +EVP_SIGNATURE_free 4823 3_0_0 EXIST::FUNCTION: +EVP_SIGNATURE_up_ref 4824 3_0_0 EXIST::FUNCTION: +EVP_SIGNATURE_get0_provider 4825 3_0_0 EXIST::FUNCTION: +EVP_SIGNATURE_fetch 4826 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_signature_md 4827 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get_signature_md 4828 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get_params 4829 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_gettable_params 4830 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_settable_params 4831 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_get_tag_length 4832 3_0_0 EXIST::FUNCTION: +ERR_get_error_all 4833 3_0_0 EXIST::FUNCTION: +ERR_peek_error_func 4834 3_0_0 EXIST::FUNCTION: +ERR_peek_error_data 4835 3_0_0 EXIST::FUNCTION: +ERR_peek_error_all 4836 3_0_0 EXIST::FUNCTION: +ERR_peek_last_error_func 4837 3_0_0 EXIST::FUNCTION: +ERR_peek_last_error_data 4838 3_0_0 EXIST::FUNCTION: +ERR_peek_last_error_all 4839 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_is_a 4840 3_0_0 EXIST::FUNCTION: +EVP_MAC_is_a 4841 3_0_0 EXIST::FUNCTION: +EVP_MD_settable_ctx_params 4842 3_0_0 EXIST::FUNCTION: +EVP_MD_gettable_ctx_params 4843 3_0_0 EXIST::FUNCTION: +OSSL_CMP_CTX_new 4844 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_free 4845 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_reinit 4846 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set_option 4847 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get_option 4848 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set_log_cb 4849 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_print_errors 4850 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_serverPath 4851 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_server 4852 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set_serverPort 4853 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_proxy 4854 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_no_proxy 4855 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set_http_cb 4856 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set_http_cb_arg 4857 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get_http_cb_arg 4858 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set_transfer_cb 4859 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set_transfer_cb_arg 4860 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get_transfer_cb_arg 4861 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_srvCert 4862 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_expected_sender 4863 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set0_trustedStore 4864 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get0_trustedStore 4865 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_untrusted 4866 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get0_untrusted 4867 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_cert 4868 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_pkey 4869 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_build_cert_chain 4870 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_referenceValue 4871 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_secretValue 4872 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_recipient 4873 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_push0_geninfo_ITAV 4874 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_extraCertsOut 4875 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set0_newPkey 4876 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get0_newPkey 4877 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_issuer 4878 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_subjectName 4879 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_push1_subjectAltName 4880 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set0_reqExtensions 4881 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_reqExtensions_have_SAN 4882 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_push0_policy 4883 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_oldCert 4884 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_p10CSR 4885 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_push0_genm_ITAV 4886 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set_certConf_cb 4887 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set_certConf_cb_arg 4888 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get_certConf_cb_arg 4889 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get_status 4890 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get0_statusString 4891 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get_failInfoCode 4892 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get0_newCert 4893 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get1_newChain 4894 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get1_caPubs 4895 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get1_extraCertsIn 4896 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_transactionID 4897 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_senderNonce 4898 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_log_open 4899 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_log_close 4900 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_print_to_bio 4901 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_print_errors_cb 4902 3_0_0 EXIST::FUNCTION:CMP +OSSL_CRMF_CERTID_get0_issuer 4903 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_CERTID_get0_serialNumber 4904 3_0_0 EXIST::FUNCTION:CRMF +EVP_DigestSignUpdate 4905 3_0_0 EXIST::FUNCTION: +EVP_DigestVerifyUpdate 4906 3_0_0 EXIST::FUNCTION: +BN_check_prime 4907 3_0_0 EXIST::FUNCTION: +EVP_KEYMGMT_is_a 4908 3_0_0 EXIST::FUNCTION: +EVP_KEYMGMT_do_all_provided 4909 3_0_0 EXIST::FUNCTION: +EVP_KEYEXCH_is_a 4910 3_0_0 EXIST::FUNCTION: +EVP_KEYEXCH_do_all_provided 4911 3_0_0 EXIST::FUNCTION: +EVP_KDF_is_a 4912 3_0_0 EXIST::FUNCTION: +EVP_MD_is_a 4913 3_0_0 EXIST::FUNCTION: +EVP_SIGNATURE_is_a 4914 3_0_0 EXIST::FUNCTION: +EVP_SIGNATURE_do_all_provided 4915 3_0_0 EXIST::FUNCTION: +EVP_MD_names_do_all 4916 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_names_do_all 4917 3_0_0 EXIST::FUNCTION: +EVP_MAC_names_do_all 4918 3_0_0 EXIST::FUNCTION: +EVP_KEYMGMT_names_do_all 4919 3_0_0 EXIST::FUNCTION: +EVP_KEYEXCH_names_do_all 4920 3_0_0 EXIST::FUNCTION: +EVP_KDF_names_do_all 4921 3_0_0 EXIST::FUNCTION: +EVP_SIGNATURE_names_do_all 4922 3_0_0 EXIST::FUNCTION: +OSSL_CMP_CTX_snprint_PKIStatus 4923 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_HDR_get0_transactionID 4924 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_HDR_get0_recipNonce 4925 3_0_0 EXIST::FUNCTION:CMP +X509_LOOKUP_store 4926 3_0_0 EXIST::FUNCTION: +X509_add_cert 4927 3_0_0 EXIST::FUNCTION: +X509_add_certs 4928 3_0_0 EXIST::FUNCTION: +X509_STORE_load_file 4929 3_0_0 EXIST::FUNCTION: +X509_STORE_load_path 4930 3_0_0 EXIST::FUNCTION: +X509_STORE_load_store 4931 3_0_0 EXIST::FUNCTION: +EVP_PKEY_fromdata 4932 3_0_0 EXIST::FUNCTION: +EVP_ASYM_CIPHER_free 4933 3_0_0 EXIST::FUNCTION: +EVP_ASYM_CIPHER_up_ref 4934 3_0_0 EXIST::FUNCTION: +EVP_ASYM_CIPHER_get0_provider 4935 3_0_0 EXIST::FUNCTION: +EVP_ASYM_CIPHER_fetch 4936 3_0_0 EXIST::FUNCTION: +EVP_ASYM_CIPHER_is_a 4937 3_0_0 EXIST::FUNCTION: +EVP_ASYM_CIPHER_do_all_provided 4938 3_0_0 EXIST::FUNCTION: +EVP_ASYM_CIPHER_names_do_all 4939 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_rsa_padding 4940 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get_rsa_padding 4941 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_rsa_mgf1_md 4942 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_rsa_mgf1_md_name 4943 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get_rsa_mgf1_md 4944 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_rsa_oaep_md 4945 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_rsa_oaep_md_name 4946 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get_rsa_oaep_md 4947 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set0_rsa_oaep_label 4948 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get0_rsa_oaep_label 4949 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get_rsa_mgf1_md_name 4950 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get_rsa_oaep_md_name 4951 3_0_0 EXIST::FUNCTION: +EVP_PKEY_meth_set_digestsign 4952 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 +EVP_PKEY_meth_set_digestverify 4953 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 +EVP_PKEY_meth_get_digestsign 4954 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 +EVP_PKEY_meth_get_digestverify 4955 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 +OSSL_ENCODER_up_ref 4956 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_free 4957 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_fetch 4958 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_is_a 4959 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_get0_provider 4960 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_do_all_provided 4961 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_names_do_all 4962 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_settable_ctx_params 4963 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_CTX_new 4964 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_CTX_set_params 4965 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_CTX_free 4966 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_get0_properties 4967 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_to_bio 4968 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_to_fp 4969 3_0_0 EXIST::FUNCTION:STDIO +OSSL_ENCODER_CTX_new_for_pkey 4970 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_CTX_set_cipher 4971 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_CTX_set_passphrase 4972 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_CTX_set_pem_password_cb 4973 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_CTX_set_passphrase_ui 4974 3_0_0 EXIST::FUNCTION: +PEM_read_X509_PUBKEY 4975 3_0_0 EXIST::FUNCTION:STDIO +PEM_write_X509_PUBKEY 4976 3_0_0 EXIST::FUNCTION:STDIO +PEM_read_bio_X509_PUBKEY 4977 3_0_0 EXIST::FUNCTION: +PEM_write_bio_X509_PUBKEY 4978 3_0_0 EXIST::FUNCTION: +d2i_X509_PUBKEY_fp 4979 3_0_0 EXIST::FUNCTION:STDIO +i2d_X509_PUBKEY_fp 4980 3_0_0 EXIST::FUNCTION:STDIO +d2i_X509_PUBKEY_bio 4981 3_0_0 EXIST::FUNCTION: +i2d_X509_PUBKEY_bio 4982 3_0_0 EXIST::FUNCTION: +RSA_get0_pss_params 4983 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 +X509_cmp_timeframe 4984 3_0_0 EXIST::FUNCTION: +OSSL_CMP_MSG_get0_header 4985 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_MSG_get_bodytype 4986 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_MSG_update_transactionID 4987 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_setup_CRM 4988 3_0_0 EXIST::FUNCTION:CMP +BIO_f_prefix 4989 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_new_from_name 4990 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_new_from_pkey 4991 3_0_0 EXIST::FUNCTION: +OSSL_SELF_TEST_set_callback 4992 3_0_0 EXIST::FUNCTION: +OSSL_SELF_TEST_get_callback 4993 3_0_0 EXIST::FUNCTION: +ASN1_TIME_dup 4994 3_0_0 EXIST::FUNCTION: +ASN1_UTCTIME_dup 4995 3_0_0 EXIST::FUNCTION: +ASN1_GENERALIZEDTIME_dup 4996 3_0_0 EXIST::FUNCTION: +RAND_priv_bytes_ex 4997 3_0_0 EXIST::FUNCTION: +RAND_bytes_ex 4998 3_0_0 EXIST::FUNCTION: +EVP_PKEY_get_default_digest_name 4999 3_0_0 EXIST::FUNCTION: +CMS_decrypt_set1_pkey_and_peer 5000 3_0_0 EXIST::FUNCTION:CMS +CMS_add1_recipient 5001 3_0_0 EXIST::FUNCTION:CMS +CMS_RecipientInfo_kari_set0_pkey_and_peer 5002 3_0_0 EXIST::FUNCTION:CMS +PKCS8_pkey_add1_attr 5003 3_0_0 EXIST::FUNCTION: +PKCS8_pkey_add1_attr_by_OBJ 5004 3_0_0 EXIST::FUNCTION: +EVP_PKEY_private_check 5005 3_0_0 EXIST::FUNCTION: +EVP_PKEY_pairwise_check 5006 3_0_0 EXIST::FUNCTION: +ASN1_item_verify_ctx 5007 3_0_0 EXIST::FUNCTION: +ASN1_item_sign_ex 5008 3_0_0 EXIST::FUNCTION: +ASN1_item_verify_ex 5009 3_0_0 EXIST::FUNCTION: +BIO_socket_wait 5010 3_0_0 EXIST::FUNCTION:SOCK +BIO_wait 5011 3_0_0 EXIST::FUNCTION: +BIO_do_connect_retry 5012 3_0_0 EXIST::FUNCTION: +OSSL_parse_url 5013 3_0_0 EXIST::FUNCTION: +OSSL_HTTP_adapt_proxy 5014 3_0_0 EXIST::FUNCTION: +OSSL_HTTP_REQ_CTX_get_resp_len 5015 3_0_0 EXIST::FUNCTION: +OSSL_HTTP_REQ_CTX_set_expected 5016 3_0_0 EXIST::FUNCTION: +OSSL_HTTP_is_alive 5017 3_0_0 EXIST::FUNCTION: +OSSL_HTTP_open 5018 3_0_0 EXIST::FUNCTION: +OSSL_HTTP_proxy_connect 5019 3_0_0 EXIST::FUNCTION: +OSSL_HTTP_set1_request 5020 3_0_0 EXIST::FUNCTION: +OSSL_HTTP_exchange 5021 3_0_0 EXIST::FUNCTION: +OSSL_HTTP_get 5022 3_0_0 EXIST::FUNCTION: +OSSL_HTTP_transfer 5023 3_0_0 EXIST::FUNCTION: +OSSL_HTTP_close 5024 3_0_0 EXIST::FUNCTION: +ASN1_item_i2d_mem_bio 5025 3_0_0 EXIST::FUNCTION: +ERR_add_error_txt 5026 3_0_0 EXIST::FUNCTION: +ERR_add_error_mem_bio 5027 3_0_0 EXIST::FUNCTION: +X509_STORE_CTX_print_verify_cb 5028 3_0_0 EXIST::FUNCTION: +X509_STORE_get1_all_certs 5029 3_0_0 EXIST::FUNCTION: +OSSL_CMP_validate_msg 5030 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_validate_cert_path 5031 3_0_0 EXIST::FUNCTION:CMP +EVP_PKEY_CTX_set_ecdh_cofactor_mode 5032 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get_ecdh_cofactor_mode 5033 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_ecdh_kdf_type 5034 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get_ecdh_kdf_type 5035 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_ecdh_kdf_md 5036 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get_ecdh_kdf_md 5037 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_ecdh_kdf_outlen 5038 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get_ecdh_kdf_outlen 5039 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set0_ecdh_kdf_ukm 5040 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get0_ecdh_kdf_ukm 5041 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 +EVP_PKEY_CTX_set_rsa_pss_saltlen 5042 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get_rsa_pss_saltlen 5043 3_0_0 EXIST::FUNCTION: +d2i_ISSUER_SIGN_TOOL 5044 3_0_0 EXIST::FUNCTION: +i2d_ISSUER_SIGN_TOOL 5045 3_0_0 EXIST::FUNCTION: +ISSUER_SIGN_TOOL_free 5046 3_0_0 EXIST::FUNCTION: +ISSUER_SIGN_TOOL_new 5047 3_0_0 EXIST::FUNCTION: +ISSUER_SIGN_TOOL_it 5048 3_0_0 EXIST::FUNCTION: +OSSL_SELF_TEST_new 5049 3_0_0 EXIST::FUNCTION: +OSSL_SELF_TEST_free 5050 3_0_0 EXIST::FUNCTION: +OSSL_SELF_TEST_onbegin 5051 3_0_0 EXIST::FUNCTION: +OSSL_SELF_TEST_oncorrupt_byte 5052 3_0_0 EXIST::FUNCTION: +OSSL_SELF_TEST_onend 5053 3_0_0 EXIST::FUNCTION: +OSSL_PROVIDER_set_default_search_path 5054 3_0_0 EXIST::FUNCTION: +X509_digest_sig 5055 3_0_0 EXIST::FUNCTION: +OSSL_CMP_MSG_dup 5056 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_ITAV_dup 5057 3_0_0 EXIST::FUNCTION:CMP +d2i_OSSL_CMP_PKISI 5058 3_0_0 EXIST::FUNCTION:CMP +i2d_OSSL_CMP_PKISI 5059 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_PKISI_free 5060 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_PKISI_new 5061 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_PKISI_it 5062 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_PKISI_dup 5063 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_snprint_PKIStatusInfo 5064 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_STATUSINFO_new 5065 3_0_0 EXIST::FUNCTION:CMP +d2i_OSSL_CMP_MSG_bio 5066 3_0_0 EXIST::FUNCTION:CMP +i2d_OSSL_CMP_MSG_bio 5067 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_SRV_process_request 5068 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_server_perform 5069 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_SRV_CTX_new 5070 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_SRV_CTX_free 5071 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_SRV_CTX_init 5072 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_SRV_CTX_get0_cmp_ctx 5073 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_SRV_CTX_get0_custom_ctx 5074 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_SRV_CTX_set_send_unprotected_errors 5075 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_SRV_CTX_set_accept_unprotected 5076 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_SRV_CTX_set_accept_raverified 5077 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_SRV_CTX_set_grant_implicit_confirm 5078 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_exec_certreq 5079 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_try_certreq 5080 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_certConf_cb 5081 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_exec_RR_ses 5082 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_exec_GENM_ses 5083 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_MSG_http_perform 5084 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_MSG_read 5085 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_MSG_write 5086 3_0_0 EXIST::FUNCTION:CMP +EVP_PKEY_Q_keygen 5087 3_0_0 EXIST::FUNCTION: +EVP_PKEY_generate 5088 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_rsa_keygen_bits 5089 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_rsa_keygen_pubexp 5090 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 +EVP_PKEY_CTX_set1_rsa_keygen_pubexp 5091 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_rsa_keygen_primes 5092 3_0_0 EXIST::FUNCTION: +NCONF_new_ex 5093 3_0_0 EXIST::FUNCTION: +CONF_modules_load_file_ex 5094 3_0_0 EXIST::FUNCTION: +OSSL_LIB_CTX_load_config 5095 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_BLD_to_param 5096 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_BLD_push_int 5097 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_BLD_push_uint 5098 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_BLD_push_long 5099 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_BLD_push_ulong 5100 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_BLD_push_int32 5101 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_BLD_push_uint32 5102 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_BLD_push_int64 5103 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_BLD_push_uint64 5104 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_BLD_push_size_t 5105 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_BLD_push_double 5106 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_BLD_push_BN 5107 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_BLD_push_BN_pad 5108 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_BLD_push_utf8_string 5109 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_BLD_push_utf8_ptr 5110 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_BLD_push_octet_string 5111 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_BLD_push_octet_ptr 5112 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_BLD_new 5113 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_BLD_free 5114 3_0_0 EXIST::FUNCTION: +EVP_PKEY_set_type_by_keymgmt 5115 3_0_0 EXIST::FUNCTION: +OCSP_RESPID_set_by_key_ex 5116 3_0_0 EXIST::FUNCTION:OCSP +OCSP_RESPID_match_ex 5117 3_0_0 EXIST::FUNCTION:OCSP +SRP_create_verifier_ex 5118 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP +SRP_create_verifier_BN_ex 5119 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP +SRP_Calc_B_ex 5120 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP +SRP_Calc_u_ex 5121 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP +SRP_Calc_x_ex 5122 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP +SRP_Calc_client_key_ex 5123 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP +EVP_PKEY_gettable_params 5124 3_0_0 EXIST::FUNCTION: +EVP_PKEY_get_int_param 5125 3_0_0 EXIST::FUNCTION: +EVP_PKEY_get_size_t_param 5126 3_0_0 EXIST::FUNCTION: +EVP_PKEY_get_bn_param 5127 3_0_0 EXIST::FUNCTION: +EVP_PKEY_get_utf8_string_param 5128 3_0_0 EXIST::FUNCTION: +EVP_PKEY_get_octet_string_param 5129 3_0_0 EXIST::FUNCTION: +EVP_PKEY_is_a 5130 3_0_0 EXIST::FUNCTION: +EVP_PKEY_can_sign 5131 3_0_0 EXIST::FUNCTION: +X509_STORE_CTX_new_ex 5132 3_0_0 EXIST::FUNCTION: +X509_STORE_CTX_verify 5133 3_0_0 EXIST::FUNCTION: +CT_POLICY_EVAL_CTX_new_ex 5134 3_0_0 EXIST::FUNCTION:CT +CTLOG_new_ex 5135 3_0_0 EXIST::FUNCTION:CT +CTLOG_new_from_base64_ex 5136 3_0_0 EXIST::FUNCTION:CT +CTLOG_STORE_new_ex 5137 3_0_0 EXIST::FUNCTION:CT +EVP_PKEY_set_ex_data 5138 3_0_0 EXIST::FUNCTION: +EVP_PKEY_get_ex_data 5139 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_group_name 5140 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get_group_name 5141 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_ec_paramgen_curve_nid 5142 3_0_0 EXIST::FUNCTION: +d2i_PrivateKey_ex 5143 3_0_0 EXIST::FUNCTION: +d2i_AutoPrivateKey_ex 5144 3_0_0 EXIST::FUNCTION: +d2i_PrivateKey_ex_fp 5145 3_0_0 EXIST::FUNCTION:STDIO +d2i_PrivateKey_ex_bio 5146 3_0_0 EXIST::FUNCTION: +PEM_read_bio_PrivateKey_ex 5147 3_0_0 EXIST::FUNCTION: +PEM_read_PrivateKey_ex 5148 3_0_0 EXIST::FUNCTION:STDIO +EVP_PKEY_CTX_set_dsa_paramgen_bits 5149 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_dsa_paramgen_q_bits 5150 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_dsa_paramgen_md_props 5151 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_dsa_paramgen_gindex 5152 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_dsa_paramgen_type 5153 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_dsa_paramgen_seed 5154 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_dsa_paramgen_md 5155 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_dh_paramgen_type 5156 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_dh_paramgen_gindex 5157 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_dh_paramgen_seed 5158 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_dh_paramgen_prime_len 5159 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_dh_paramgen_subprime_len 5160 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_dh_paramgen_generator 5161 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_dh_nid 5162 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_dh_rfc5114 5163 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_dhx_rfc5114 5164 3_0_0 EXIST::FUNCTION: +X509_VERIFY_PARAM_get0_host 5165 3_0_0 EXIST::FUNCTION: +X509_VERIFY_PARAM_get0_email 5166 3_0_0 EXIST::FUNCTION: +X509_VERIFY_PARAM_get1_ip_asc 5167 3_0_0 EXIST::FUNCTION: +X509_ALGOR_copy 5168 3_0_0 EXIST::FUNCTION: +X509_REQ_set0_signature 5169 3_0_0 EXIST::FUNCTION: +X509_REQ_set1_signature_algo 5170 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_modified 5171 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_set_all_unmodified 5172 3_0_0 EXIST::FUNCTION: +EVP_RAND_fetch 5173 3_0_0 EXIST::FUNCTION: +EVP_RAND_up_ref 5174 3_0_0 EXIST::FUNCTION: +EVP_RAND_free 5175 3_0_0 EXIST::FUNCTION: +EVP_RAND_get0_name 5176 3_0_0 EXIST::FUNCTION: +EVP_RAND_is_a 5177 3_0_0 EXIST::FUNCTION: +EVP_RAND_get0_provider 5178 3_0_0 EXIST::FUNCTION: +EVP_RAND_get_params 5179 3_0_0 EXIST::FUNCTION: +EVP_RAND_CTX_new 5180 3_0_0 EXIST::FUNCTION: +EVP_RAND_CTX_free 5181 3_0_0 EXIST::FUNCTION: +EVP_RAND_CTX_get0_rand 5182 3_0_0 EXIST::FUNCTION: +EVP_RAND_CTX_get_params 5183 3_0_0 EXIST::FUNCTION: +EVP_RAND_CTX_set_params 5184 3_0_0 EXIST::FUNCTION: +EVP_RAND_gettable_params 5185 3_0_0 EXIST::FUNCTION: +EVP_RAND_gettable_ctx_params 5186 3_0_0 EXIST::FUNCTION: +EVP_RAND_settable_ctx_params 5187 3_0_0 EXIST::FUNCTION: +EVP_RAND_do_all_provided 5188 3_0_0 EXIST::FUNCTION: +EVP_RAND_names_do_all 5189 3_0_0 EXIST::FUNCTION: +EVP_RAND_instantiate 5190 3_0_0 EXIST::FUNCTION: +EVP_RAND_uninstantiate 5191 3_0_0 EXIST::FUNCTION: +EVP_RAND_generate 5192 3_0_0 EXIST::FUNCTION: +EVP_RAND_reseed 5193 3_0_0 EXIST::FUNCTION: +EVP_RAND_nonce 5194 3_0_0 EXIST::FUNCTION: +EVP_RAND_enable_locking 5195 3_0_0 EXIST::FUNCTION: +EVP_RAND_verify_zeroization 5196 3_0_0 EXIST::FUNCTION: +EVP_RAND_get_strength 5197 3_0_0 EXIST::FUNCTION: +EVP_RAND_get_state 5198 3_0_0 EXIST::FUNCTION: +EVP_default_properties_is_fips_enabled 5199 3_0_0 EXIST::FUNCTION: +EVP_default_properties_enable_fips 5200 3_0_0 EXIST::FUNCTION: +EVP_PKEY_new_raw_private_key_ex 5201 3_0_0 EXIST::FUNCTION: +EVP_PKEY_new_raw_public_key_ex 5202 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_BLD_push_time_t 5203 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_construct_time_t 5204 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_get_time_t 5205 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_set_time_t 5206 3_0_0 EXIST::FUNCTION: +OSSL_STORE_attach 5207 3_0_0 EXIST::FUNCTION: +OSSL_STORE_LOADER_set_attach 5208 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 +EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen 5209 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md 5210 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md_name 5211 3_0_0 EXIST::FUNCTION: +OSSL_PROVIDER_do_all 5212 3_0_0 EXIST::FUNCTION: +EC_GROUP_get_field_type 5213 3_0_0 EXIST::FUNCTION:EC +X509_PUBKEY_eq 5214 3_0_0 EXIST::FUNCTION: +EVP_PKEY_eq 5215 3_0_0 EXIST::FUNCTION: +EVP_PKEY_parameters_eq 5216 3_0_0 EXIST::FUNCTION: +OSSL_PROVIDER_query_operation 5217 3_0_0 EXIST::FUNCTION: +OSSL_PROVIDER_unquery_operation 5218 3_0_0 EXIST::FUNCTION: +OSSL_PROVIDER_get0_provider_ctx 5219 3_0_0 EXIST::FUNCTION: +OSSL_PROVIDER_get_capabilities 5220 3_0_0 EXIST::FUNCTION: +EC_GROUP_new_by_curve_name_ex 5221 3_0_0 EXIST::FUNCTION:EC +EC_KEY_new_ex 5222 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC +EC_KEY_new_by_curve_name_ex 5223 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC +OSSL_LIB_CTX_set0_default 5224 3_0_0 EXIST::FUNCTION: +PEM_X509_INFO_read_bio_ex 5225 3_0_0 EXIST::FUNCTION: +PEM_X509_INFO_read_ex 5226 3_0_0 EXIST::FUNCTION:STDIO +X509_REQ_verify_ex 5227 3_0_0 EXIST::FUNCTION: +X509_new_ex 5228 3_0_0 EXIST::FUNCTION: +X509_LOOKUP_ctrl_ex 5229 3_0_0 EXIST::FUNCTION: +X509_load_cert_file_ex 5230 3_0_0 EXIST::FUNCTION: +X509_load_cert_crl_file_ex 5231 3_0_0 EXIST::FUNCTION: +X509_LOOKUP_by_subject_ex 5232 3_0_0 EXIST::FUNCTION: +X509_STORE_load_file_ex 5233 3_0_0 EXIST::FUNCTION: +X509_STORE_load_store_ex 5234 3_0_0 EXIST::FUNCTION: +X509_STORE_load_locations_ex 5235 3_0_0 EXIST::FUNCTION: +X509_STORE_set_default_paths_ex 5236 3_0_0 EXIST::FUNCTION: +X509_build_chain 5237 3_0_0 EXIST::FUNCTION: +X509V3_set_issuer_pkey 5238 3_0_0 EXIST::FUNCTION: +i2s_ASN1_UTF8STRING 5239 3_0_0 EXIST::FUNCTION: +s2i_ASN1_UTF8STRING 5240 3_0_0 EXIST::FUNCTION: +OSSL_STORE_open_ex 5241 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_fetch 5242 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_up_ref 5243 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_free 5244 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_get0_provider 5245 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_get0_properties 5246 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_is_a 5247 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_do_all_provided 5248 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_names_do_all 5249 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_settable_ctx_params 5250 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_CTX_new 5251 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_CTX_set_params 5252 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_CTX_free 5253 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_CTX_set_passphrase 5254 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_CTX_set_pem_password_cb 5255 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_CTX_set_passphrase_ui 5256 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_from_bio 5257 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_from_fp 5258 3_0_0 EXIST::FUNCTION:STDIO +OSSL_DECODER_CTX_add_decoder 5259 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_CTX_add_extra 5260 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_CTX_get_num_decoders 5261 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_CTX_set_input_type 5262 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_export 5263 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_INSTANCE_get_decoder 5264 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_INSTANCE_get_decoder_ctx 5265 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_gettable_params 5266 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_get_params 5267 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_CTX_new_for_pkey 5268 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_CTX_set_construct 5269 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_CTX_set_construct_data 5270 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_CTX_set_cleanup 5271 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_CTX_get_construct 5272 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_CTX_get_construct_data 5273 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_CTX_get_cleanup 5274 3_0_0 EXIST::FUNCTION: +RAND_get0_primary 5275 3_0_0 EXIST::FUNCTION: +RAND_get0_public 5276 3_0_0 EXIST::FUNCTION: +RAND_get0_private 5277 3_0_0 EXIST::FUNCTION: +PKCS12_SAFEBAG_get0_bag_obj 5278 3_0_0 EXIST::FUNCTION: +PKCS12_SAFEBAG_get0_bag_type 5279 3_0_0 EXIST::FUNCTION: +PKCS12_SAFEBAG_create_secret 5280 3_0_0 EXIST::FUNCTION: +PKCS12_add1_attr_by_NID 5281 3_0_0 EXIST::FUNCTION: +PKCS12_add1_attr_by_txt 5282 3_0_0 EXIST::FUNCTION: +PKCS12_add_secret 5283 3_0_0 EXIST::FUNCTION: +SMIME_write_ASN1_ex 5284 3_0_0 EXIST::FUNCTION: +SMIME_read_ASN1_ex 5285 3_0_0 EXIST::FUNCTION: +CMS_ContentInfo_new_ex 5286 3_0_0 EXIST::FUNCTION:CMS +SMIME_read_CMS_ex 5287 3_0_0 EXIST::FUNCTION:CMS +CMS_sign_ex 5288 3_0_0 EXIST::FUNCTION:CMS +CMS_data_create_ex 5289 3_0_0 EXIST::FUNCTION:CMS +CMS_digest_create_ex 5290 3_0_0 EXIST::FUNCTION:CMS +CMS_EncryptedData_encrypt_ex 5291 3_0_0 EXIST::FUNCTION:CMS +CMS_encrypt_ex 5292 3_0_0 EXIST::FUNCTION:CMS +CMS_EnvelopedData_create_ex 5293 3_0_0 EXIST::FUNCTION:CMS +CMS_ReceiptRequest_create0_ex 5294 3_0_0 EXIST::FUNCTION:CMS +EVP_SignFinal_ex 5295 3_0_0 EXIST::FUNCTION: +EVP_VerifyFinal_ex 5296 3_0_0 EXIST::FUNCTION: +EVP_DigestSignInit_ex 5297 3_0_0 EXIST::FUNCTION: +EVP_DigestVerifyInit_ex 5298 3_0_0 EXIST::FUNCTION: +PKCS7_new_ex 5299 3_0_0 EXIST::FUNCTION: +PKCS7_sign_ex 5300 3_0_0 EXIST::FUNCTION: +PKCS7_encrypt_ex 5301 3_0_0 EXIST::FUNCTION: +SMIME_read_PKCS7_ex 5302 3_0_0 EXIST::FUNCTION: +OSSL_PROVIDER_self_test 5303 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_tls1_prf_md 5304 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set1_tls1_prf_secret 5305 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_add1_tls1_prf_seed 5306 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_hkdf_md 5307 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set1_hkdf_salt 5308 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set1_hkdf_key 5309 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_add1_hkdf_info 5310 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_hkdf_mode 5311 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set1_pbe_pass 5312 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set1_scrypt_salt 5313 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_scrypt_N 5314 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_scrypt_r 5315 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_scrypt_p 5316 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_scrypt_maxmem_bytes 5317 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_dh_kdf_type 5318 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get_dh_kdf_type 5319 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set0_dh_kdf_oid 5320 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get0_dh_kdf_oid 5321 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_dh_kdf_md 5322 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get_dh_kdf_md 5323 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_dh_kdf_outlen 5324 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get_dh_kdf_outlen 5325 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set0_dh_kdf_ukm 5326 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get0_dh_kdf_ukm 5327 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 +EVP_CIPHER_CTX_get_updated_iv 5328 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_get_original_iv 5329 3_0_0 EXIST::FUNCTION: +EVP_KEYMGMT_gettable_params 5330 3_0_0 EXIST::FUNCTION: +EVP_KEYMGMT_settable_params 5331 3_0_0 EXIST::FUNCTION: +EVP_KEYMGMT_gen_settable_params 5332 3_0_0 EXIST::FUNCTION: +EVP_SIGNATURE_gettable_ctx_params 5333 3_0_0 EXIST::FUNCTION: +EVP_SIGNATURE_settable_ctx_params 5334 3_0_0 EXIST::FUNCTION: +EVP_KEYEXCH_gettable_ctx_params 5335 3_0_0 EXIST::FUNCTION: +EVP_KEYEXCH_settable_ctx_params 5336 3_0_0 EXIST::FUNCTION: +d2i_PUBKEY_ex 5337 3_0_0 EXIST::FUNCTION: +OSSL_STORE_INFO_new_PUBKEY 5338 3_0_0 EXIST::FUNCTION: +OSSL_STORE_INFO_get0_PUBKEY 5339 3_0_0 EXIST::FUNCTION: +OSSL_STORE_INFO_get1_PUBKEY 5340 3_0_0 EXIST::FUNCTION: +PEM_read_bio_PUBKEY_ex 5341 3_0_0 EXIST::FUNCTION: +PEM_read_PUBKEY_ex 5342 3_0_0 EXIST::FUNCTION:STDIO +PEM_read_bio_Parameters_ex 5343 3_0_0 EXIST::FUNCTION: +EC_GROUP_new_from_params 5344 3_0_0 EXIST::FUNCTION:EC +OSSL_STORE_LOADER_set_open_ex 5345 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 +OSSL_STORE_LOADER_fetch 5346 3_0_0 EXIST::FUNCTION: +OSSL_STORE_LOADER_up_ref 5347 3_0_0 EXIST::FUNCTION: +OSSL_STORE_LOADER_get0_provider 5348 3_0_0 EXIST::FUNCTION: +OSSL_STORE_LOADER_get0_properties 5349 3_0_0 EXIST::FUNCTION: +OSSL_STORE_LOADER_is_a 5350 3_0_0 EXIST::FUNCTION: +OSSL_STORE_LOADER_do_all_provided 5351 3_0_0 EXIST::FUNCTION: +OSSL_STORE_LOADER_names_do_all 5352 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_get_utf8_string_ptr 5353 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_get_octet_string_ptr 5354 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_CTX_set_passphrase_cb 5355 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_mac_key 5356 3_0_0 EXIST::FUNCTION: +OSSL_STORE_INFO_new 5357 3_0_0 EXIST::FUNCTION: +OSSL_STORE_INFO_get0_data 5358 3_0_0 EXIST::FUNCTION: +asn1_d2i_read_bio 5359 3_0_0 EXIST::FUNCTION: +EVP_PKCS82PKEY_ex 5360 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set1_id 5361 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get1_id 5362 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get1_id_len 5363 3_0_0 EXIST::FUNCTION: +CMS_AuthEnvelopedData_create 5364 3_0_0 EXIST::FUNCTION:CMS +CMS_AuthEnvelopedData_create_ex 5365 3_0_0 EXIST::FUNCTION:CMS +EVP_PKEY_CTX_set_ec_param_enc 5366 3_0_0 EXIST::FUNCTION: +EVP_PKEY_get0_type_name 5367 3_0_0 EXIST::FUNCTION: +EVP_KEYMGMT_get0_name 5368 3_0_0 EXIST::FUNCTION: +EC_KEY_decoded_from_explicit_params 5369 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC +EVP_KEM_free 5370 3_0_0 EXIST::FUNCTION: +EVP_KEM_up_ref 5371 3_0_0 EXIST::FUNCTION: +EVP_KEM_get0_provider 5372 3_0_0 EXIST::FUNCTION: +EVP_KEM_fetch 5373 3_0_0 EXIST::FUNCTION: +EVP_KEM_is_a 5374 3_0_0 EXIST::FUNCTION: +EVP_KEM_do_all_provided 5375 3_0_0 EXIST::FUNCTION: +EVP_KEM_names_do_all 5376 3_0_0 EXIST::FUNCTION: +EVP_PKEY_encapsulate_init 5377 3_0_0 EXIST::FUNCTION: +EVP_PKEY_encapsulate 5378 3_0_0 EXIST::FUNCTION: +EVP_PKEY_decapsulate_init 5379 3_0_0 EXIST::FUNCTION: +EVP_PKEY_decapsulate 5380 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_kem_op 5381 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_gettable_params 5382 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_get_params 5383 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_CTX_set_output_type 5384 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_CTX_add_encoder 5385 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_CTX_add_extra 5386 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_CTX_get_num_encoders 5387 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_CTX_set_selection 5388 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_INSTANCE_get_encoder 5389 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_INSTANCE_get_encoder_ctx 5390 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_INSTANCE_get_output_type 5391 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_CTX_set_construct 5392 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_CTX_set_construct_data 5393 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_CTX_set_cleanup 5394 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_CTX_set_passphrase_cb 5395 3_0_0 EXIST::FUNCTION: +EVP_PKEY_type_names_do_all 5396 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_INSTANCE_get_input_type 5397 3_0_0 EXIST::FUNCTION: +EVP_ASYM_CIPHER_gettable_ctx_params 5398 3_0_0 EXIST::FUNCTION: +EVP_ASYM_CIPHER_settable_ctx_params 5399 3_0_0 EXIST::FUNCTION: +EVP_KEM_gettable_ctx_params 5400 3_0_0 EXIST::FUNCTION: +EVP_KEM_settable_ctx_params 5401 3_0_0 EXIST::FUNCTION: +PKCS7_type_is_other 5402 3_0_0 EXIST::FUNCTION: +PKCS7_get_octet_string 5403 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_from_data 5404 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_to_data 5405 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get0_libctx 5406 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get0_propq 5407 3_0_0 EXIST::FUNCTION: +EVP_PKEY_set1_encoded_public_key 5408 3_0_0 EXIST::FUNCTION: +EVP_PKEY_get1_encoded_public_key 5409 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_CTX_set_selection 5410 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_CTX_set_input_structure 5411 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_INSTANCE_get_input_structure 5412 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_CTX_set_output_structure 5413 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_INSTANCE_get_output_structure 5414 3_0_0 EXIST::FUNCTION: +PEM_write_PrivateKey_ex 5415 3_0_0 EXIST::FUNCTION:STDIO +PEM_write_bio_PrivateKey_ex 5416 3_0_0 EXIST::FUNCTION: +PEM_write_PUBKEY_ex 5417 3_0_0 EXIST::FUNCTION:STDIO +PEM_write_bio_PUBKEY_ex 5418 3_0_0 EXIST::FUNCTION: +EVP_PKEY_get_group_name 5419 3_0_0 EXIST::FUNCTION: +CRYPTO_atomic_or 5420 3_0_0 EXIST::FUNCTION: +CRYPTO_atomic_load 5421 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_rsa_pss_keygen_md 5422 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_rsa_pss_keygen_md_name 5423 3_0_0 EXIST::FUNCTION: +EVP_PKEY_settable_params 5424 3_0_0 EXIST::FUNCTION: +EVP_PKEY_set_params 5425 3_0_0 EXIST::FUNCTION: +EVP_PKEY_set_int_param 5426 3_0_0 EXIST::FUNCTION: +EVP_PKEY_set_size_t_param 5427 3_0_0 EXIST::FUNCTION: +EVP_PKEY_set_bn_param 5428 3_0_0 EXIST::FUNCTION: +EVP_PKEY_set_utf8_string_param 5429 3_0_0 EXIST::FUNCTION: +EVP_PKEY_set_octet_string_param 5430 3_0_0 EXIST::FUNCTION: +EVP_PKEY_get_ec_point_conv_form 5431 3_0_0 EXIST::FUNCTION: +EVP_PKEY_get_field_type 5432 3_0_0 EXIST::FUNCTION: +EVP_PKEY_get_params 5433 3_0_0 EXIST::FUNCTION: +EVP_PKEY_fromdata_init 5434 3_0_0 EXIST::FUNCTION: +EVP_PKEY_fromdata_settable 5435 3_0_0 EXIST::FUNCTION: +EVP_PKEY_param_check_quick 5436 3_0_0 EXIST::FUNCTION: +EVP_PKEY_public_check_quick 5437 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_is_a 5438 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_settable_params 5439 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_gettable_params 5440 3_0_0 EXIST::FUNCTION: +EVP_KDF_CTX_gettable_params 5441 3_0_0 EXIST::FUNCTION: +EVP_KDF_CTX_settable_params 5442 3_0_0 EXIST::FUNCTION: +EVP_MAC_CTX_gettable_params 5443 3_0_0 EXIST::FUNCTION: +EVP_MAC_CTX_settable_params 5444 3_0_0 EXIST::FUNCTION: +EVP_RAND_CTX_gettable_params 5445 3_0_0 EXIST::FUNCTION: +EVP_RAND_CTX_settable_params 5446 3_0_0 EXIST::FUNCTION: +RAND_set_DRBG_type 5447 3_0_0 EXIST::FUNCTION: +RAND_set_seed_source_type 5448 3_0_0 EXIST::FUNCTION: +BN_mod_exp_mont_consttime_x2 5449 3_0_0 EXIST::FUNCTION: +BIO_f_readbuffer 5450 3_0_0 EXIST::FUNCTION: +OSSL_ESS_check_signing_certs 5451 3_0_0 EXIST::FUNCTION: +OSSL_ESS_signing_cert_new_init 5452 3_0_0 EXIST::FUNCTION: +OSSL_ESS_signing_cert_v2_new_init 5453 3_0_0 EXIST::FUNCTION: +ESS_SIGNING_CERT_it 5454 3_0_0 EXIST::FUNCTION: +ESS_SIGNING_CERT_V2_it 5455 3_0_0 EXIST::FUNCTION: +EVP_Q_digest 5456 3_0_0 EXIST::FUNCTION: +EVP_DigestInit_ex2 5457 3_0_0 EXIST::FUNCTION: +EVP_EncryptInit_ex2 5458 3_0_0 EXIST::FUNCTION: +EVP_DecryptInit_ex2 5459 3_0_0 EXIST::FUNCTION: +EVP_CipherInit_ex2 5460 3_0_0 EXIST::FUNCTION: +EVP_PKEY_sign_init_ex 5461 3_0_0 EXIST::FUNCTION: +EVP_PKEY_verify_init_ex 5462 3_0_0 EXIST::FUNCTION: +EVP_PKEY_verify_recover_init_ex 5463 3_0_0 EXIST::FUNCTION: +EVP_PKEY_encrypt_init_ex 5464 3_0_0 EXIST::FUNCTION: +EVP_PKEY_decrypt_init_ex 5465 3_0_0 EXIST::FUNCTION: +EVP_PKEY_derive_init_ex 5466 3_0_0 EXIST::FUNCTION: +EVP_PKEY_print_public_fp 5467 3_0_0 EXIST::FUNCTION:STDIO +EVP_PKEY_print_private_fp 5468 3_0_0 EXIST::FUNCTION:STDIO +EVP_PKEY_print_params_fp 5469 3_0_0 EXIST::FUNCTION:STDIO +TS_RESP_CTX_new_ex 5470 3_0_0 EXIST::FUNCTION:TS +X509_REQ_new_ex 5471 3_0_0 EXIST::FUNCTION: +EVP_PKEY_dup 5472 3_0_0 EXIST::FUNCTION: +RSA_PSS_PARAMS_dup 5473 3_0_0 EXIST::FUNCTION: +EVP_PKEY_derive_set_peer_ex 5474 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_get0_name 5475 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_get0_name 5476 3_0_0 EXIST::FUNCTION: +OSSL_DECODER_get0_description 5477 3_0_0 EXIST::FUNCTION: +OSSL_ENCODER_get0_description 5478 3_0_0 EXIST::FUNCTION: +OSSL_STORE_LOADER_get0_description 5479 3_0_0 EXIST::FUNCTION: +EVP_MD_get0_description 5480 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_get0_description 5481 3_0_0 EXIST::FUNCTION: +EVP_MAC_get0_description 5482 3_0_0 EXIST::FUNCTION: +EVP_RAND_get0_description 5483 3_0_0 EXIST::FUNCTION: +EVP_PKEY_get0_description 5484 3_0_0 EXIST::FUNCTION: +EVP_KEYMGMT_get0_description 5485 3_0_0 EXIST::FUNCTION: +EVP_SIGNATURE_get0_description 5486 3_0_0 EXIST::FUNCTION: +EVP_ASYM_CIPHER_get0_description 5487 3_0_0 EXIST::FUNCTION: +EVP_KEM_get0_description 5488 3_0_0 EXIST::FUNCTION: +EVP_KEYEXCH_get0_description 5489 3_0_0 EXIST::FUNCTION: +EVP_KDF_get0_description 5490 3_0_0 EXIST::FUNCTION: +OPENSSL_sk_find_all 5491 3_0_0 EXIST::FUNCTION: +X509_CRL_new_ex 5492 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_dup 5493 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_merge 5494 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_free 5495 3_0_0 EXIST::FUNCTION: +EVP_PKEY_todata 5496 3_0_0 EXIST::FUNCTION: +EVP_PKEY_export 5497 3_0_0 EXIST::FUNCTION: +EVP_MD_CTX_get0_md 5498 3_0_0 EXIST::FUNCTION: +EVP_MD_CTX_get1_md 5499 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_get0_cipher 5500 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_get1_cipher 5501 3_0_0 EXIST::FUNCTION: +OSSL_LIB_CTX_get0_global_default 5502 3_0_0 EXIST::FUNCTION: +EVP_SIGNATURE_get0_name 5503 3_0_0 EXIST::FUNCTION: +EVP_ASYM_CIPHER_get0_name 5504 3_0_0 EXIST::FUNCTION: +EVP_KEM_get0_name 5505 3_0_0 EXIST::FUNCTION: +EVP_KEYEXCH_get0_name 5506 3_0_0 EXIST::FUNCTION: +PKCS5_v2_PBE_keyivgen_ex 5507 3_0_0 EXIST::FUNCTION: +EVP_PBE_scrypt_ex 5508 3_0_0 EXIST::FUNCTION:SCRYPT +PKCS5_v2_scrypt_keyivgen_ex 5509 3_0_0 EXIST::FUNCTION:SCRYPT +EVP_PBE_CipherInit_ex 5510 3_0_0 EXIST::FUNCTION: +EVP_PBE_find_ex 5511 3_0_0 EXIST::FUNCTION: +PKCS12_SAFEBAG_create_pkcs8_encrypt_ex 5512 3_0_0 EXIST::FUNCTION: +PKCS8_decrypt_ex 5513 3_0_0 EXIST::FUNCTION: +PKCS12_decrypt_skey_ex 5514 3_0_0 EXIST::FUNCTION: +PKCS8_encrypt_ex 5515 3_0_0 EXIST::FUNCTION: +PKCS8_set0_pbe_ex 5516 3_0_0 EXIST::FUNCTION: +PKCS12_pack_p7encdata_ex 5517 3_0_0 EXIST::FUNCTION: +PKCS12_pbe_crypt_ex 5518 3_0_0 EXIST::FUNCTION: +PKCS12_item_decrypt_d2i_ex 5519 3_0_0 EXIST::FUNCTION: +PKCS12_item_i2d_encrypt_ex 5520 3_0_0 EXIST::FUNCTION: +PKCS12_init_ex 5521 3_0_0 EXIST::FUNCTION: +PKCS12_key_gen_asc_ex 5522 3_0_0 EXIST::FUNCTION: +PKCS12_key_gen_uni_ex 5523 3_0_0 EXIST::FUNCTION: +PKCS12_key_gen_utf8_ex 5524 3_0_0 EXIST::FUNCTION: +PKCS12_PBE_keyivgen_ex 5525 3_0_0 EXIST::FUNCTION: +PKCS12_create_ex 5526 3_0_0 EXIST::FUNCTION: +PKCS12_add_key_ex 5527 3_0_0 EXIST::FUNCTION: +PKCS12_add_safe_ex 5528 3_0_0 EXIST::FUNCTION: +PKCS12_add_safes_ex 5529 3_0_0 EXIST::FUNCTION: +PKCS5_pbe_set0_algor_ex 5530 3_0_0 EXIST::FUNCTION: +PKCS5_pbe_set_ex 5531 3_0_0 EXIST::FUNCTION: +PKCS5_pbe2_set_iv_ex 5532 3_0_0 EXIST::FUNCTION: +PKCS5_pbkdf2_set_ex 5533 3_0_0 EXIST::FUNCTION: +BIO_new_from_core_bio 5534 3_0_0 EXIST::FUNCTION: +BIO_new_ex 5535 3_0_0 EXIST::FUNCTION: +BIO_s_core 5536 3_0_0 EXIST::FUNCTION: +BIO_get_line 5537 3_0_0 EXIST::FUNCTION: +OSSL_LIB_CTX_new_from_dispatch 5538 3_0_0 EXIST::FUNCTION: +OSSL_LIB_CTX_new_child 5539 3_0_0 EXIST::FUNCTION: +OSSL_PROVIDER_get0_dispatch 5540 3_0_0 EXIST::FUNCTION: +PKCS5_PBE_keyivgen_ex 5541 3_0_0 EXIST::FUNCTION: +EVP_MAC_CTX_get_block_size 5542 3_0_0 EXIST::FUNCTION: +BIO_debug_callback_ex 5543 3_0_0 EXIST::FUNCTION: +b2i_PVK_bio_ex 5544 3_0_0 EXIST::FUNCTION: +i2b_PVK_bio_ex 5545 3_0_0 EXIST::FUNCTION: +NCONF_get0_libctx 5546 3_0_0 EXIST::FUNCTION: +NCONF_get_section_names 5547 3_0_0 EXIST::FUNCTION: +X509_PUBKEY_new_ex 5548 3_0_0 EXIST::FUNCTION: +ASN1_item_new_ex 5549 3_0_0 EXIST::FUNCTION: +ASN1_item_d2i_fp_ex 5550 3_0_0 EXIST::FUNCTION:STDIO +ASN1_item_d2i_bio_ex 5551 3_0_0 EXIST::FUNCTION: +ASN1_item_d2i_ex 5552 3_0_0 EXIST::FUNCTION: +ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION: +EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION: From matt at openssl.org Thu Jul 29 15:15:19 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 29 Jul 2021 15:15:19 +0000 Subject: [openssl] openssl-3.0.0-beta2 create Message-ID: <1627571719.962483.6945.nullmailer@dev.openssl.org> The annotated tag openssl-3.0.0-beta2 has been created at 9e34480b312df6080aeca3e71e3c9d6893e66beb (tag) tagging 9f551541e84eead1d42604b7d5e61885e8e34be0 (commit) replaces openssl-3.0.0-beta1 tagged by Matt Caswell on Thu Jul 29 15:50:30 2021 +0100 - Log ----------------------------------------------------------------- OpenSSL 3.0.0-beta2 release tag -----BEGIN PGP SIGNATURE----- iQFFBAABCAAvFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmECwDYRHG1hdHRAb3Bl bnNzbC5vcmcACgkQ2cTSbQ5gRJFN4Qf/RtGlb8u3mITyqOs5uGBFcN6iP6YVUHvV s3X8Hjgs8d+a0tbTp7SHSlWv30OgMdVH6WbKFOzdZ8bSBEheDEF0P8XGWU2/M9lF GBTfFG+upruURSLL00kyKea0bVorbk2/j4+jamDY2E8TPIcJeXM3sPQsfFvjV504 if1mruIWjuTLDLCbyaBF6jPeWML1mqO59AKDAfEWln9p2+KOBRFdGvlwm6cv2UjE 61xLheCiwLfo4dbV+Zxu1lCa6m9d2dvkUp/6AHURZxr83LIIekdC9eog0if05Kah LvXi/G3QrcdgDNHizbsaUrkbSl2DK2CTruzqKGf5fowoosPIQL7XUw== =l8M6 -----END PGP SIGNATURE----- Benjamin Kaduk (1): Fix comment for test_negotiated_group() test order Christian Heimes (1): Fix segfault in openssl x509 -modulus Daiki Ueno (2): BIO_lookup_ex: use AI_ADDRCONFIG only if explicit host name is given apps: Use the first detected address family if IPv6 is not available David Benjamin (1): Fix use of uninitialized memory in test_rsa_oaep David CARLIER (1): darwin platform replacing getentropy usage by platform api instead. Dmitry Belyavskiy (2): Some clear guidelines for the legacy algs. Missing link to fips_config documentation Dr. David von Oheimb (22): http_client.c: fix OSSL_HTTP_proxy_connect() for HTTPS proxy use http_client.c: fix error reporting (a char was missing; improve style) http_client.c: make prefix checking more readable and more efficient http_client.c: make HTTP_LINE1_MINLEN more efficient http_client.c: fix HTTP_VERSION_STR_LEN and make it more efficient cmp_mock_srv.c: Fix polling mode such that it can be done multiple times cmp_client.c: Print checkAfter value from pollRep before it may get modified cmp_server.c: Fix check: certConf not allowed after transaction is closed CMP: Clean up internal message creation API and its documentation ossl_sk_ASN1_UTF8STRING2text(): Minor generalization and refactoring for readability CMP: Improve reporting of error codes and related strings via 'error' msg Fix file_name_check() in storemgmt/file_store.c and e_loader_attic.c DOC: Clarify the role of EKUs including defaults for TLS client and server use ossl_cmp_error_new(): Fix Coverity issue 1486534, and consequently also issues 1486536 and 1486533 CMP: Add missing getter functions to CRMF API and CMP API cmp_mock_srv.c: Add missing OldCertID check for 'kur' cert update requests OSSL_CRMF_{CERTTEMPLATE,CERTID}_get0_serialNumber(): Make result const for consistency Improve doc of OSSL_HTTP_REQ_CTX_set_expected() on timeout param < 0 Fix legacy OCSP_REQ_CTX_http() function to expect ASN.1 formatted input SSL_CTX_set_cert_verify_callback.pod: various corrections and clarifications tls_process_{client,server}_certificate(): allow verify_callback return > 1 OSSL_HTTP_open(): Fix memory leak on TLS connect failure via proxy Hubert Kario (2): cross-reference the DH and RSA SECLEVEL to level of security mappings doc: make error checking in ticket handling code explicit Ingo Schwarze (1): Fix a read buffer overrun in X509_aux_print(). John Baldwin (2): Refactor KTLS tests to better support TLS 1.3. Add tests for KTLS with Chacha20-Poly1035. Juergen Christ (1): Fix compile warning with GCC 11. L?rinczy, Zsigmond (1): Update config.pm Marek (1): Add demo for HKDF Martin Schwenke (12): ec: Fail build on big-endian with enable-ec_nistp_64_gcc_128 bn: Drop use of .p2align pseudo-op bn: Update .align pseudo-ops to match convention bn: Drop unnecessary use of r9 bn: Switch $i to be unused r9 bn: save/restore registers to/from stack ec: Drop uses of .cfi_startproc/.cfi_endproc pseudo-ops ec: Add alignment pseudo-op at beginning of function ec: Only build ecp_nistp521-ppc64.s if enable-ec_nistp_64_gcc_128 bn: Use a basic branch-if-not-zero bn: Fix .size directive bn: Make fixed-length Montgomery Multiplication conditional on PPC64 Matt Caswell (45): Prepare for 3.0 beta 2 Ensure we remove libctx DRBG state before removing the provider store Add a test for a custom rand provider Instantiate predefined providers just-in-time Instantiate user-added builtin providers when we need them Instantiate configuration supplied providers when we need them Add a new provider to the store only after we activate it Remove flag_couldbechild Set use_fallbacks to zero when we add a provider to the store Merge ossl_provider_activate() and ossl_provider_activate_child() Only associate a provider with a store once it has been added to it Don't hold any locks while calling the provider init function Add a test to check that RAND_bytes_ex() works with a child lib ctx Don't skip the current provider in ossl_provider_register_child_cb make struct provider_info_st a full type Update documentation following updates to the provider code Move OPENSSL_add_builtin back into provider.c Fix a race in ossl_provider_add_to_store() Add wrap.pl to .gitignore Ensure ordinals are created during release process Avoid some MinGW test failures Use TEST_time_t_* functions in cmp_hrd_test.c Work around a 32-bit mingw failure Avoid "excessive message size" for session tickets Don't add the first pkcs12 certificate multiple times Add a PKCS12 test to check with one input cert we get one output cert Fix s_server PSK handling Don't reset the packet pointer in ssl3_setup_read_buffer Disallow SSL_key_update() if there are writes pending Fix signed/unsigned comparison warnings in sslapitest Fix some minor record layer issues Update our EVP_PKEY_METHODs to get low level keys via public APIs Fix custom EVP_PKEY_METHOD implementations where no engine is present Add a test for custom EVP_PKEY_METHODs Mark the EVP_PKEY_METHOD arg as const on some EVP_PKEY_meth_get_*() funcs Fix EVP_MD_meth_dup and EVP_CIPHER_meth_dup Add a test case for EVP_MD_meth_dup() and EVP_CIPHER_meth_dup() Don't leak the OSSL_LIB_CTX in the event of a failure to load the FIPS module Ensure any default_properties still apply even in the event of a provider load failure Don't try and load the config file while already loading the config file Add some testing for the case where the FIPS provider fails to load Update fingerprints.txt Update copyright year make update Prepare for release of 3.0 beta 2 Oliver Mihatsch (1): Fix memory leak in i2d_ASN1_bio_stream Paul Kehrer (1): update pyca-cryptography regression test suite Pauli (85): params: avoid using intmax_t since it's not well supported params: fix range check when converting double to uint64_t. ssl: do not choose auto DH groups that are weaker than the security level test: add test for auto DH security level meets the minimum include: replace tabs with spaces in headers ssl: replace tabs with spaces test: replace tabs with spaces in test recipes crypto: repalce tabs with spaces punycode: fix indentation ssl: fix indentation ssl: fix indentation asn1: fix indentation rsa: fix indentation test: fix indentation sm3: fix function names after the big ossl_ prefix addition. test: put the new DHE auto test in the correct place asn1: properly clean up on failed BIO creation testutil: preserve app_malloc()'s failure behaviour doc: Document that the OBJ creation functions don't lock. err: add unable to get lock errors property: add locking for the property string database property: remove spurious incorrect comments test: add EVP_Q_digest tests to evp_test test: add EVP_Q_mac tests to evp_test apps: properly initialise arguments to EVP_PKEY_get_bn_param() x509: address NULL dereference and memory leaks apps: address potential memory leaks ui: address potential memory leak evp_test: address NULL pointer dereference and return failure better test: avoid memory leaks on errors test: check for NULL returns better doc: update up call documentation evp_test: use correct size in memory clear x509: improve error reporting test: fix coverity 1469427 Improper use of negative value (NEGATIVE_RETURNS) bio: check for valid socket when closing s_time: avoid unlikely division by zero dh_test: fix coverity 1473239 Argument cannot be negative (NEGATIVE_RETURNS) evp: fix coverity 1473380 Copy into fixed size buffer (STRING_OVERFLOW) test: fix test ordering in threads test afalg: add some memory initialisation calls to pacify memory sanitisation. ci: add a memory sanitiser test run provider: use #define for PBKDF1 algorithm name doc: add PBKDF1 provider documentation doc: include PBKDF1 documentation in build.info util: add -fips option to wrap.pl to make using the FIPS provider easier test: add some integral type size sanity checks err: remove ERR_GET_FUNC() doc: update documentation to note removal of ERR_GET_FUNC() changes: add entry noting the removal of ERR_GET_FUNC() bn: procduce correct sign for result of BN_mod() evp: detect and raise an error if no digest is found for a sign/verify operation apps: fix Coverity 1451531 Unchecked return value test: rename apps_mem.c to be apps_shims.c in anticipation of additonal functions test: add a shim function for the apps's opt_legacy_okay() function test: make build descriptions more consistent apps: add query to allow a command to know of a provider command line option was processed apps: add a function opt_legacy_okay() that indicates if legacy paths are permitted or not app: add library context and propq arguments to opt_md() and opt_cipher() doc: document the new opt_legacy_okay() function's behaviour asn.1: fix Coverity 1487104 Logically dead code apps: avoid using POSIX IO macros and functions when built without them. Remove lower limit on GCM mode ciphers test: add single byte IV AES GCM tests evp: constify some OSSL_PARAM arguments doc: document the params arguments to the initialisation functions. config: enable ACVP test case if FIPS is enabled. test: fix use after scope problem in ACVP test demo: add pbkdf2 demonstration program demo: add scrypt demonstration program demos: add Makefile support for pbkdf2 and scrypt KDF demos demos: update readme file with pbkdf2 and scrypt examples. drbg: allow the ctr derivation function to be disabled in FIPS mode err: remove the derivation function is mandatory for FIPS error message since it's no longer used and newly introduced docs: update CTR DRBG documentation to not mention the lack of a derivation function in FIPS test: include all DRBG tests in FIPS mode ci: omit tests that consume too much memory ci: reinstate the passwd tests for the no-cached-fetch run. ci: QEMU based cross compiled testing test: handle not a number (NaN) values in the param conversion test. QEMU: include test runs for most cross compilation targets ci: add the param conversion tests to the cross compiles. ci: get rid of no-asm flag to m68k cross compiles ci: disable async for the SH4 build and reenable the associated test test: add a comment indication that a bad MAC is intentional Petr Gotthard (2): BIO_new_from_core_bio: Fix heap-use-after-free after attach doc: fix OPENSSL_VERSION_NUMBER length in the synopsis Randall S. Becker (4): Add assert.h to threads_pthread.c for NonStop thread compiles. Document cross-compile considerations for NonStop x86 builds. Defined out MUTEX attributes not available on NonStop SPT Threads. Made foreign bit field unsigned in evp.h Rich Salz (1): Fix bug in X509_print_ex Richard Levitte (45): OpenSSL::Test: Move the command line quotifier Make util/wrap.pl work better on VMS TESTS: drop explicit quotes from empty command line arguments STORE: Fix OSSL_STORE_open_ex() error reporting Fix definition of ossl_intmax_t and ossl_uintmax_t APPS: Make fallback opt_[u]intmax() implementations based on long APPS & TEST: Use ossl_[u]intmax_t rather than [u]intmax_t test/recipes/80-test_cmp_http.t: use app() rather than cmd() test/recipes/81-test_cmp_cli.t: use app() rather than cmd() TEST: check 'loadereng' to determine if loader_attic should be tested Configure: Reflect that We don't build loader_attic when dynamic-engine is disabled EVP: Change the output size type of EVP_Q_digest() and EVP_Q_mac() Adapt other parts of the source to the changed EVP_Q_digest() and EVP_Q_mac() test/recipes/90-test_shlibload.t: Modify to work with known file names TEST: Modify simpledynamic.[ch] to allow use on VMS as well OpenSSL::Util::fixup_cmd_elements(): Include '!' among the VMS chars to process Fix test_errstr for VMS UTF-8 not easily supported on VMS command line yet test/ossl_store_test.c: Adapt the use of datadir for VMS paths testutil: teach test_mk_file_path() how to merge VMS file specs test/recipes/66-test_ossl_store.t: ensure native paths test/recipes/80-test_ca.t: Don't force quotes around the config file in $cnf apps/CA.pl.in: restore the quotes around -CAfile, they were there for a reason test/recipes/90-test_includes_data/vms-includes.cnf: correct the directory ENCODER & DECODER: Allow en/decoders to have multiple names Fix 'openssl req' to correctly use the algorithm from '-newkey algo:nnnn' PROV: Have our PEM->DER decoder only recognise our PEM names ENCODER & DECODER: Make a tighter coupling between en/decoders and keymgmt OSSL_STORE: Fix crash when tracing STORE DECODER & ENCODER: Make sure to pass around the original selection bits EVP: Have EVP_PKCS82PKEY_ex() pass a correct selection to OSSL_DECODER DOC: clarify OPENSSL_API_COMPAT TEST: Add testing of PVK and MSBLOB files to test_store PROV & STORE: Don't decode keys in the 'file:' store loader PROV & STORE: Make the 'file:' store loader understand more binary formats CRYPTO: Remove the check for built-in methods in the export_to function platform->sharedlib_simple(): return undef when same as platform->sharedlib() Configurations/unix-Makefile.tmpl: use platform->sharedlib() as fallback TEST: Check that i2d refuses to encode non-optional items with no content ASN.1: Refuse to encode to DER if non-optional items are missing Fix test/asn1_encode_test.c to not use ASN1_FBOOLEAN Fix test/asn1_encode_test.c to handle encoding/decoding failure Avoid empty lines in nmake rule bodies EVP: Add EVP_PKEY_get0_provider() and EVP_PKEY_CTX_get0_provider() DOCS: Move the description of EVP_PKEY_get0_description() Robbie Harwood (1): Update dependencies for krb5 external test Shane Lontis (6): Fix aes_core to use U64() macro.. Change self test for AES_CGM to perform both an encrypt and decrypt. Add table entries for fips 186-5 related to RSA auxiliary probable primes. Fix compile errors when building with --api=1.1.0 no-deprecated. Add test for provider gettables Add HKDF negative tests Syrone Wong (1): Fix OSSL_TRACE9 missing arg9 Theo Buehler (1): Fix two typos in OSSL_trace_enabled.pod Tianjia Zhang (1): Remove executable mode attributes of non-executable files Todd Short (1): Add missing session timeout calc Tomas Mraz (45): aix64-gcc target: Fix build breakage with enable-fips Replace non-ASCII character in source file evp_test: Support testing of stitched TLS ciphers simpledynamic: Add missing include for AIX builds Documentation: SM2 keys can use only the SM2 curve ossl_pw_get_passphrase: No ui method does not necessarily mean internal error epki2pki_decode: passphrase callback failure is fatal error OSSL_DECODER_from_bio: Avoid spurious decoder error trace: Do not produce dead code calling BIO_printf if disabled ppccap.c: Split out algorithm-specific functions Only the fips module dependencies are relevant for fips.module.sources Update fips sources and checksums coverity #1486531: return error properly from x509_pubkey_ex_new_ex() coverity #1486532: fix potential NULL dereference in test_mk_file_path() doc: Mention the update of der data pointers in d2i/i2d pem_read_bio_key_decoder: Avoid spurious error on unknown PEM data pem_read_bio_key: Add passphrase caching to avoid asking for password twice load_pkey_pem: Check for spurious errors when loading test_pem_reading: Test loading a key from a file with multiple PEM data load_key_certs_crls: Avoid reporting any spurious errors PEM_read_...: document that garbage and other PEM data is skipped Coverity #1486687: fix potential dereference of NULL keymgmt rsa_cms_verify: Avoid negative return with missing pss parameters fips module header inclusion fine-tunning update fips checksums test_cmp_ctx: Avoid using empty X509 with i2d doc: Document that incomplete certificates return error Make EVP_PKEY_check() be an alias for EVP_PKEY_pairwise_check() Split bignum code out of the sparcv9cap.c acvp_test: Fix incorrect parenthesis Signature algos: allow having identical digest in params CI: have enable-acvp-tests in some CI build Drop daily run-checker build with just enable-acvp-tests Allow RSA signature operations with RSA_NO_PADDING evp_test: Add tests for rsa_padding_mode:none RSA_public_decrypt is equivalent to a verify recover operation doc: It is not possible to use SSL_OP_* value in preprocessor conditions DSA/RSA_print(): Fix potential memory leak do_sigver_init: Add missing ERR_clear_last_mark() Fix potential problems with EVP_PKEY_CTX_new() with engine set ECDSA_SIG_set0: r and s parameters cannot be NULL ECDSA_SIG_set0(): Clarify documentation and fix formatting errors Drop no-ktls from runchecker daily build as it has no effect Test ktls in non-default options CI build KTLS: AES-CCM in TLS-1.3 is broken on 5.x kernels, disable it jenda1 (1): Makefile: Avoid changing LIBDIR based on whether it already exists yangyangtiantianlonglong (1): Add testcases for SSL_key_update() corner case calls yunh (1): enable getauxval on android 10 ??? (1): test: add sm3 low level test case to test suite. ----------------------------------------------------------------------- From matt at openssl.org Thu Jul 29 15:16:34 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 29 Jul 2021 15:16:34 +0000 Subject: [web] master update Message-ID: <1627571794.070570.9804.nullmailer@dev.openssl.org> The branch master has been updated via ac35d06e77a972cafbebc4ec233d3fd9525206e6 (commit) from 9ce1784ce87906832ed14a6b3b5055e0a7a4ce45 (commit) - Log ----------------------------------------------------------------- commit ac35d06e77a972cafbebc4ec233d3fd9525206e6 Author: Matt Caswell Date: Thu Jul 29 16:11:36 2021 +0100 Updates newsflash for 3.0 beta2 Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/web/pull/251) ----------------------------------------------------------------------- Summary of changes: news/newsflash.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/news/newsflash.txt b/news/newsflash.txt index cb959e3..a756e6e 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -5,6 +5,7 @@ # headings. URL paths must all be absolute. Date: Item +29-Jul-2021: Beta 2 of OpenSSL 3.0 is now available. This is a release candidate: please download and test it 17-Jun-2021: New Blog post: OpenSSL 3.0 Release Candidate 17-Jun-2021: Beta 1 of OpenSSL 3.0 is now available. This is a release candidate: please download and test it 20-May-2021: Alpha 17 of OpenSSL 3.0 is now available: please download and test it From kaduk at mit.edu Thu Jul 29 17:33:49 2021 From: kaduk at mit.edu (kaduk at mit.edu) Date: Thu, 29 Jul 2021 17:33:49 +0000 Subject: [openssl] master update Message-ID: <1627580029.060683.28213.nullmailer@dev.openssl.org> The branch master has been updated via b5557666bda56ce4b9464a3dbc65e2a1fa1e482b (commit) from b5e2b1d8447645b296375bc69b010ac4fedb07ac (commit) - Log ----------------------------------------------------------------- commit b5557666bda56ce4b9464a3dbc65e2a1fa1e482b Author: yangyangtiantianlonglong Date: Sun Jul 25 11:43:16 2021 +0800 Fix dtls timeout dead code Delete dtls timeout dead code in dtls1_handle_timeout Fix: #15559 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/16151) ----------------------------------------------------------------------- Summary of changes: include/openssl/dtls1.h | 4 ---- ssl/d1_lib.c | 13 ++++--------- ssl/ssl_local.h | 12 ++---------- 3 files changed, 6 insertions(+), 23 deletions(-) diff --git a/include/openssl/dtls1.h b/include/openssl/dtls1.h index 985e409725..5dc6b5419c 100644 --- a/include/openssl/dtls1.h +++ b/include/openssl/dtls1.h @@ -49,10 +49,6 @@ extern "C" { # define DTLS1_AL_HEADER_LENGTH 2 -/* Timeout multipliers */ -# define DTLS1_TMO_READ_COUNT 2 -# define DTLS1_TMO_WRITE_COUNT 2 - # define DTLS1_TMO_ALERT_COUNT 12 #ifdef __cplusplus diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index a986252866..95a34093c9 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -352,7 +352,7 @@ static void dtls1_double_timeout(SSL *s) void dtls1_stop_timer(SSL *s) { /* Reset everything */ - memset(&s->d1->timeout, 0, sizeof(s->d1->timeout)); + s->d1->timeout_num_alerts = 0; memset(&s->d1->next_timeout, 0, sizeof(s->d1->next_timeout)); s->d1->timeout_duration_us = 1000000; BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, @@ -365,10 +365,10 @@ int dtls1_check_timeout_num(SSL *s) { size_t mtu; - s->d1->timeout.num_alerts++; + s->d1->timeout_num_alerts++; /* Reduce MTU after 2 unsuccessful retransmissions */ - if (s->d1->timeout.num_alerts > 2 + if (s->d1->timeout_num_alerts > 2 && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) { mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL); @@ -376,7 +376,7 @@ int dtls1_check_timeout_num(SSL *s) s->d1->mtu = mtu; } - if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) { + if (s->d1->timeout_num_alerts > DTLS1_TMO_ALERT_COUNT) { /* fail the connection, enough alerts have been sent */ SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_READ_TIMEOUT_EXPIRED); return -1; @@ -402,11 +402,6 @@ int dtls1_handle_timeout(SSL *s) return -1; } - s->d1->timeout.read_timeouts++; - if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) { - s->d1->timeout.read_timeouts = 1; - } - dtls1_start_timer(s); /* Calls SSLfatal() if required */ return dtls1_retransmit_buffered_messages(s); diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index dd82314602..ce93049180 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -1862,15 +1862,6 @@ struct hm_header_st { struct dtls1_retransmit_state saved_retransmit_state; }; -struct dtls1_timeout_st { - /* Number of read timeouts so far */ - unsigned int read_timeouts; - /* Number of write timeouts so far */ - unsigned int write_timeouts; - /* Number of alerts received so far */ - unsigned int num_alerts; -}; - typedef struct hm_fragment_st { struct hm_header_st msg_header; unsigned char *fragment; @@ -1916,7 +1907,8 @@ typedef struct dtls1_state_st { size_t mtu; /* max DTLS packet size */ struct hm_header_st w_msg_hdr; struct hm_header_st r_msg_hdr; - struct dtls1_timeout_st timeout; + /* Number of alerts received so far */ + unsigned int timeout_num_alerts; /* * Indicates when the last handshake msg sent will timeout */ From pauli at openssl.org Thu Jul 29 23:10:30 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 29 Jul 2021 23:10:30 +0000 Subject: [openssl] master update Message-ID: <1627600230.375647.29990.nullmailer@dev.openssl.org> The branch master has been updated via 58bd45d86fcf7afc95a542de0a9b1d07eda1c7e6 (commit) from b5557666bda56ce4b9464a3dbc65e2a1fa1e482b (commit) - Log ----------------------------------------------------------------- commit 58bd45d86fcf7afc95a542de0a9b1d07eda1c7e6 Author: Pauli Date: Tue Jul 20 15:04:49 2021 +1000 demo: add GMAC demonstration program Test vector from NIST's GCM mode suite. Fixes #14123 Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16113) ----------------------------------------------------------------------- Summary of changes: demos/README.txt | 3 ++ demos/mac/gmac.c | 145 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 148 insertions(+) create mode 100644 demos/mac/gmac.c diff --git a/demos/README.txt b/demos/README.txt index 8adfdb774d..291094bf9d 100644 --- a/demos/README.txt +++ b/demos/README.txt @@ -23,6 +23,9 @@ hkdf.c Demonstration of HMAC based key derivation pbkdf2.c Demonstration of PBKDF2 password based key derivation scrypt.c Demonstration of SCRYPT password based key derivation +mac: +gmac.c Demonstration of GMAC message authentication + pkey: EVP_PKEY_EC_keygen.c Generate an EC key. diff --git a/demos/mac/gmac.c b/demos/mac/gmac.c new file mode 100644 index 0000000000..bdaa9b1daa --- /dev/null +++ b/demos/mac/gmac.c @@ -0,0 +1,145 @@ +/* + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include +#include + +/* + * Taken from NIST's GCM Test Vectors + * http://csrc.nist.gov/groups/STM/cavp/ + */ + +/* + * Hard coding the key into an application is very bad. + * It is done here solely for educational purposes. + */ +static unsigned char key[] = { + 0x77, 0xbe, 0x63, 0x70, 0x89, 0x71, 0xc4, 0xe2, + 0x40, 0xd1, 0xcb, 0x79, 0xe8, 0xd7, 0x7f, 0xeb +}; + +/* + * The initialisation vector (IV) is better not being hard coded too. + * Repeating password/IV pairs compromises the integrity of GMAC. + * The IV is not considered secret information and is safe to store with + * an encrypted password. + */ +static unsigned char iv[] = { + 0xe0, 0xe0, 0x0f, 0x19, 0xfe, 0xd7, 0xba, + 0x01, 0x36, 0xa7, 0x97, 0xf3 +}; + +static unsigned char data[] = { + 0x7a, 0x43, 0xec, 0x1d, 0x9c, 0x0a, 0x5a, 0x78, + 0xa0, 0xb1, 0x65, 0x33, 0xa6, 0x21, 0x3c, 0xab +}; + +static const unsigned char expected_output[] = { + 0x20, 0x9f, 0xcc, 0x8d, 0x36, 0x75, 0xed, 0x93, + 0x8e, 0x9c, 0x71, 0x66, 0x70, 0x9d, 0xd9, 0x46 +}; + +/* + * A property query used for selecting the GMAC implementation and the + * underlying GCM mode cipher. + */ +static char *propq = NULL; + +int main(int argc, char **argv) +{ + int rv = EXIT_FAILURE; + EVP_MAC *mac = NULL; + EVP_MAC_CTX *mctx = NULL; + unsigned char out[16]; + OSSL_PARAM params[4], *p = params; + OSSL_LIB_CTX *library_context = NULL; + size_t out_len = 0; + + library_context = OSSL_LIB_CTX_new(); + if (library_context == NULL) { + fprintf(stderr, "OSSL_LIB_CTX_new() returned NULL\n"); + goto end; + } + + /* Fetch the GMAC implementation */ + mac = EVP_MAC_fetch(library_context, "GMAC", propq); + if (mac == NULL) { + fprintf(stderr, "EVP_MAC_fetch() returned NULL\n"); + goto end; + } + + /* Create a context for the GMAC operation */ + mctx = EVP_MAC_CTX_new(mac); + if (mctx == NULL) { + fprintf(stderr, "EVP_MAC_CTX_new() returned NULL\n"); + goto end; + } + + /* GMAC requries a GCM mode cipher to be specified */ + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_CIPHER, + "AES-128-GCM", 0); + + /* + * If a non-default property query is required when fetching the GCM mode + * cipher, it needs to be specified too. + */ + if (propq != NULL) + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_PROPERTIES, + propq, 0); + + /* Set the initialisation vector (IV) */ + *p++ = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_IV, + iv, sizeof(iv)); + *p = OSSL_PARAM_construct_end(); + + /* Initialise the GMAC operation */ + if (!EVP_MAC_init(mctx, key, sizeof(key), params)) { + fprintf(stderr, "EVP_MAC_init() failed\n"); + goto end; + } + + /* Make one or more calls to process the data to be authenticated */ + if (!EVP_MAC_update(mctx, data, sizeof(data))) { + fprintf(stderr, "EVP_MAC_update() failed\n"); + goto end; + } + + /* Make one call to the final to get the MAC */ + if (!EVP_MAC_final(mctx, out, &out_len, sizeof(out))) { + fprintf(stderr, "EVP_MAC_final() failed\n"); + goto end; + } + + printf("Generated MAC:\n"); + BIO_dump_indent_fp(stdout, out, out_len, 2); + putchar('\n'); + + if (out_len != sizeof(expected_output)) { + fprintf(stderr, "Generated MAC has an unexpected length\n"); + goto end; + } + + if (CRYPTO_memcmp(expected_output, out, sizeof(expected_output)) != 0) { + fprintf(stderr, "Generated MAC does not match expected value\n"); + goto end; + } + + rv = EXIT_SUCCESS; +end: + EVP_MAC_CTX_free(mctx); + EVP_MAC_free(mac); + OSSL_LIB_CTX_free(library_context); + if (rv != EXIT_SUCCESS) + ERR_print_errors_fp(stderr); + return rv; +} From pauli at openssl.org Fri Jul 30 05:41:36 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Fri, 30 Jul 2021 05:41:36 +0000 Subject: [openssl] master update Message-ID: <1627623696.144023.8452.nullmailer@dev.openssl.org> The branch master has been updated via 5540855bda5e58f4b33f2306feb6ff4e93c0af81 (commit) from 58bd45d86fcf7afc95a542de0a9b1d07eda1c7e6 (commit) - Log ----------------------------------------------------------------- commit 5540855bda5e58f4b33f2306feb6ff4e93c0af81 Author: Pauli Date: Thu Jul 29 11:39:01 2021 +1000 doc: document that config_diagnostics is sensible but involves risk Also: - add this option to the sample configurations in the documentation. - note that it is a sensible choice when using FIPS via config Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/16172) ----------------------------------------------------------------------- Summary of changes: doc/man5/config.pod | 12 ++++++++---- doc/man5/fips_config.pod | 7 +++++++ doc/man7/fips_module.pod | 6 ++++++ doc/man7/provider-base.pod | 1 + 4 files changed, 22 insertions(+), 4 deletions(-) diff --git a/doc/man5/config.pod b/doc/man5/config.pod index ad7d7e1e01..7bd603a2cc 100644 --- a/doc/man5/config.pod +++ b/doc/man5/config.pod @@ -169,10 +169,14 @@ different name by calling CONF_modules_load_file(), for example, directly. OpenSSL also looks up the value of B. If this exists and has a nonzero numeric value, any error suppressing flags passed to CONF_modules_load() will be ignored. -This is useful for diagnosing misconfigurations and should not be used in -production. - - # This must be in the default section +This is useful for diagnosing misconfigurations but its use in +production requires additional consideration. With this option enabled, +a configuration error will completely prevent access to a service. +Without this option and in the presence of a configuration error, access +will be allowed but the desired configuration will B be used. + + # These must be in the default section + config_diagnostics = 1 openssl_conf = openssl_init [openssl_init] diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod index ff1b97e962..50eefba6ef 100644 --- a/doc/man5/fips_config.pod +++ b/doc/man5/fips_config.pod @@ -95,6 +95,13 @@ For example: install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C install-status = INSTALL_SELF_TEST_KATS_RUN +=head1 NOTES + +When using the FIPS provider, it is recommended that the +B option is enabled to prevent accidental use of +non-FIPS validated algorithms via broken or mistaken configuration. +See L. + =head1 SEE ALSO L diff --git a/doc/man7/fips_module.pod b/doc/man7/fips_module.pod index 1d709be513..b47ed279f6 100644 --- a/doc/man7/fips_module.pod +++ b/doc/man7/fips_module.pod @@ -73,6 +73,7 @@ F. Edit the config file to add the following lines near the beginning: + config_diagnostics = 1 openssl_conf = openssl_init .include /usr/local/ssl/fipsmodule.cnf @@ -91,6 +92,10 @@ Obviously the include file location above should match the path and name of the FIPS module config file that you installed earlier. See L. +For FIPS usage, it is recommened that the B option is +enabled to prevent accidental use of non-FIPS validated algorithms via broken +or mistaken configuration. See L. + Any applications that use OpenSSL 3.0 and are started after these changes are made will start using only the FIPS module unless those applications take explicit steps to avoid this default behaviour. Note that this configuration @@ -273,6 +278,7 @@ sets the default property value to be C. Note that this config file does not load the "base" provider. All supporting algorithms that are in "base" are also in "default", so it is unnecessary in this case: + config_diagnostics = 1 openssl_conf = openssl_init .include /usr/local/ssl/fipsmodule.cnf diff --git a/doc/man7/provider-base.pod b/doc/man7/provider-base.pod index f1d9f3cce3..92c167638b 100644 --- a/doc/man7/provider-base.pod +++ b/doc/man7/provider-base.pod @@ -475,6 +475,7 @@ config command name separated by periods. For example, let's say we have the following config example: + config_diagnostics = 1 openssl_conf = openssl_init [openssl_init] From scan-admin at coverity.com Fri Jul 30 07:50:58 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Fri, 30 Jul 2021 07:50:58 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <6103af61eadee_232842b0cd593d9942137d@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DLsx5_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHBr6wgqdPOxpW-2B8l7RCU5elWGs4lHmdvDGf3fagMC6fFzax7tslmGgjJeg0fu63cfTFCunq2FI5JwxnpLseaW3mvs2domz1aZ9uhnD05cVGeQAqbneShUW6JJslvDgO13-2FM-2Fpc-2FuV3kUHHtsI7itLuQ8Va3-2FDpmTB4Had2DM0GlGlGVL7gQsWXBaZqQatgmPQ-3D Build ID: 399625 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Fri Jul 30 07:55:45 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Fri, 30 Jul 2021 07:55:45 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <6103b080a702d_234b52b0cd593d99421370@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DyPMU_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeEAH-2FyD-2FLu7vRIshUxQoA50r-2Bl47JyFEq3AkRXP7GVMVZ9OCToWhI5ng640oQ4Vlbf-2Btt-2BsLZSRixwWSFmT9ppFjgo5ItzdhFQfbCLYWZbdrvssNHm81hMLLMiP618H26TU7Wjav5UrR0ZBsXIzjak2IC2GT3NVi5OtSLlCFAYKPSzwdzB0H4FpD9ZEXynJBS8-3D Build ID: 399627 Analysis Summary: New defects found: 0 Defects eliminated: 0 From pauli at openssl.org Sat Jul 31 06:25:46 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Sat, 31 Jul 2021 06:25:46 +0000 Subject: [openssl] master update Message-ID: <1627712746.542407.22393.nullmailer@dev.openssl.org> The branch master has been updated via 2625807aff370830b55c0fb71b63357e8523733e (commit) from 5540855bda5e58f4b33f2306feb6ff4e93c0af81 (commit) - Log ----------------------------------------------------------------- commit 2625807aff370830b55c0fb71b63357e8523733e Author: Pauli Date: Fri Jul 30 10:38:33 2021 +1000 changes: remove duplicate entry Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16180) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 49031339d0..5991eb5465 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1566,12 +1566,6 @@ OpenSSL 1.1.1 *Richard Levitte* - * Added newline escaping functionality to a filename when using openssl dgst. - This output format is to replicate the output format found in the `*sum` - checksum programs. This aims to preserve backward compatibility. - - *Matt Eaton, Richard Levitte, and Paul Dale* - * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. From scan-admin at coverity.com Sat Jul 31 07:57:02 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sat, 31 Jul 2021 07:57:02 +0000 (UTC) Subject: Coverity Scan: Analysis completed for openssl/openssl Message-ID: <6105024d7991c_407962adfbbce39a05142a@prd-scan-dashboard-0.mail> Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DVGaM_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeF-2B0H7vYSy-2FWHPlaTYhOeiiT7vhXy0pvRD1JXvhJ8sbeq-2FkPScQ74QfdknnSrlD77FiOI-2Bh7U7oPuotKnpvvQApOiP44XmltnHz9Ny1dnNFgCeYw19XH3Xwm9GXkIh9ANAc0-2B7UVnZuj5dbZVqEnMmvOJdXHEbSIe2Z9bg5Bo8z3gnttVIXgVzqXRj9MIxjoIA-3D Build ID: 399846 Analysis Summary: New defects found: 0 Defects eliminated: 0 From scan-admin at coverity.com Sat Jul 31 08:04:29 2021 From: scan-admin at coverity.com (scan-admin at coverity.com) Date: Sat, 31 Jul 2021 08:04:29 +0000 (UTC) Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2 Message-ID: <6105040c76eed_40ad32adfbbce39a051482@prd-scan-dashboard-0.mail> Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DOAcz_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeEltMaMqSuNqd9-2BpIETsZTq4mIcgZ8RuMWC21m6rwATa361hJzHA-2BVbAG48Nq54NgIwCeJ4FP6Ojd4sAl47GKwddEb2vB7KJ3riRSxZeNbDIuHCyo-2BLBZNE02W8xg1-2BhQ5AijNg1D1ZFc4xCKm5ZNuN9yHd5WW-2Bx2iXycPW1bbPZ5jl5jtludYA70j4vmPNedY-3D Build ID: 399847 Analysis Summary: New defects found: 0 Defects eliminated: 0