From pauli at openssl.org Wed Sep 1 01:45:59 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Wed, 01 Sep 2021 01:45:59 +0000
Subject: [openssl] OpenSSL_1_1_1-stable update
Message-ID: <1630460759.608696.29578.nullmailer@dev.openssl.org>

The branch OpenSSL_1_1_1-stable has been updated
       via  35cefdcab0f474deafcd769a2eb93f2c0f07051e (commit)
       via  5f9c384a1cd54ff28707d8c652343d2bf636c245 (commit)
      from  a9972440d26e482cec9d7a8c4c0063baa20d9eac (commit)

- Log -----------------------------------------------------------------
commit 35cefdcab0f474deafcd769a2eb93f2c0f07051e
Author: Tomas Mraz
Date: Fri Aug 27 11:41:04 2021 +0200

    ci: Add -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION to asan build

    Reviewed-by: Bernd Edlinger
    Reviewed-by: Paul Dale
    (Merged from https://github.com/openssl/openssl/pull/16441)

commit 5f9c384a1cd54ff28707d8c652343d2bf636c245
Author: Tomas Mraz
Date: Fri Aug 27 11:37:10 2021 +0200

    Make the -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION pass tests

    Fixes #16428

    Reviewed-by: Bernd Edlinger
    Reviewed-by: Paul Dale
    (Merged from https://github.com/openssl/openssl/pull/16441)

-----------------------------------------------------------------------

Summary of changes:
 .github/workflows/ci.yml | 2 +-
 crypto/asn1/a_print.c | 7 ++++---
 crypto/asn1/asn1_lib.c | 11 ++++++++---
 ssl/ssl_asn1.c | 2 +-
 4 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6b61af9c03..367b8cf41f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -113,7 +113,7 @@ jobs: steps: - uses: actions/checkout at v2 - name: config - run: ./config --debug enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 && perl configdata.pm --dump + run: ./config --debug enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION && perl configdata.pm --dump - name: make run: make -s -j4 - name: make test
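Review bot: Appending `-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` to the existing `config` step at `@@ -113` changes what this ASan/UBSan job builds instead of adding a second job, so unless another job still builds without the define, the sanitizers now exercise only the fuzzing-mode code paths. The non-fuzzing branches touched elsewhere in this patch, such as the `OPENSSL_realloc(c, len + 1)` allocation under `#else` in `ASN1_STRING_set`, would then lose sanitizer coverage. Consider a second job or a matrix entry so that both configurations run under ASan/UBSan.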
diff --git a/crypto/asn1/a_print.c b/crypto/asn1/a_print.c index 85a631a27a..f86623fdfa 100644 --- a/crypto/asn1/a_print.c +++ b/crypto/asn1/a_print.c @@ -18,12 +18,13 @@ int ASN1_PRINTABLE_type(const unsigned char *s, int len) int ia5 = 0; int t61 = 0; - if (len <= 0) - len = -1; if (s == NULL) return V_ASN1_PRINTABLESTRING; - while ((*s) && (len-- != 0)) { + if (len < 0) + len = strlen((const char *)s); + + while (len-- > 0) { c = *(s++); if (!ossl_isasn1print(c)) ia5 = 1; diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index 3d99d1383d..b9b7ad8e9e 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -294,7 +294,7 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len_in) c = str->data; #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION /* No NUL terminator in fuzzing builds */ - str->data = OPENSSL_realloc(c, len); + str->data = OPENSSL_realloc(c, len != 0 ? len : 1); #else str->data = OPENSSL_realloc(c, len + 1); #endif @@ -307,7 +307,11 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len_in) str->length = len; if (data != NULL) { memcpy(str->data, data, len); -#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + /* Set the unused byte to something non NUL and printable. */ + if (len == 0) + str->data[len] = '~'; +#else /* * Add a NUL terminator. This should not be necessary - but we add it as * a safety precaution @@ -375,7 +379,8 @@ int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b) i = (a->length - b->length); if (i == 0) { - i = memcmp(a->data, b->data, a->length); + if (a->length != 0) + i = memcmp(a->data, b->data, a->length); if (i == 0) return a->type - b->type; else diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index 799fee771b..dd4a2e3203 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c 
@@ -225,7 +225,7 @@ static int ssl_session_strndup(char **pdst, ASN1_OCTET_STRING *src) static int ssl_session_memcpy(unsigned char *dst, size_t *pdstlen, ASN1_OCTET_STRING *src, size_t maxlen) { - if (src == NULL) { + if (src == NULL || src->length == 0) { *pdstlen = 0; return 1; }

From scan-admin at coverity.com Wed Sep 1 07:48:53 2021
From: scan-admin at coverity.com (scan-admin at coverity.com)
Date: Wed, 01 Sep 2021 07:48:53 +0000 (UTC)
Subject: Coverity Scan: Analysis completed for openssl/openssl
Message-ID: <612f3064bb977_3c7a732ad695a019a097869@prd-scan-dashboard-0.mail>

Your request for analysis of openssl/openssl has been completed successfully.
The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DV4E0_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeGG5oqraT40s8jZHaY4Qpf6btgR9hmd5xG7xlO0OUxnrW63p-2BsQcNAnSImtPI5wk9ZlIbGwBEHt94Gt1CwkeHaQSttULrsUj81wXdhKLc0yXfOPvSq31DxdoOtol2jc05yFK3J-2BHIx27OVQPrB7IaNbpkQbeeCFyNw3wss9AarSFvuuyNS8Sl20eqa9kMKxCFk-3D

Build ID: 405311

Analysis Summary:
   New defects found: 0
   Defects eliminated: 3

From scan-admin at coverity.com Wed Sep 1 07:53:00 2021
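Review bot: In `ASN1_PRINTABLE_type` (crypto/asn1/a_print.c) the new loop `while (len-- > 0)` changes two caller-visible behaviours that the patch does not document. A `len` of 0 used to be mapped to -1 and scanned up to the NUL terminator, and now scans nothing; a NUL byte inside the first `len` bytes used to stop the scan through the `(*s)` test, and is now classified like any other character. Both are sensible for counted buffers, but the function's documentation should say so, because a caller that passed 0 to mean "NUL-terminated" gets a different answer without any error. Also, `len = strlen((const char *)s)` narrows `size_t` to `int` with no range check.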
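Review bot: In `ASN1_STRING_set` (crypto/asn1/asn1_lib.c) the fuzzing-build filler `str->data[len] = '~'` sits inside `if (data != NULL)`, so a call with `data == NULL` and a length of 0 leaves the single byte obtained from `OPENSSL_realloc(c, len != 0 ? len : 1)` uninitialised. If the intent is that the spare byte is always non-NUL and printable, move the assignment out of the `data != NULL` block; otherwise extend the comment to say that the byte is only set when data is copied.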
From: scan-admin at coverity.com (scan-admin at coverity.com)
Date: Wed, 01 Sep 2021 07:53:00 +0000 (UTC)
Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2
Message-ID: <612f315bb2a8c_3c7bc12ad695a019a097818@prd-scan-dashboard-0.mail>

Your request for analysis of OpenSSL-1.0.2 has been completed successfully.
The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3Dztak_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeH9-2F6IyN0CePAibL4LvPGmjRt-2F4gfAcfaoOy4V39RdEqENfN7iSalJDDYfIzXYFKa2C4Mwi8XWuCoojO6euP0Z6GWEFMAGA-2FsjSJXeK5UcoQTopJgtujhLo-2Fh2lk4CjNZVEXBLL60VCAy1ahU9kFTYh8XGRRag4JBAEhISICdJgD1SWzqjfaCNy-2FkapGkMZBhg-3D

Build ID: 405312

Analysis Summary:
   New defects found: 0
   Defects eliminated: 0

From levitte at openssl.org Wed Sep 1 14:51:15 2021
From: levitte at openssl.org (Richard Levitte)
Date: Wed, 01 Sep 2021 14:51:15 +0000
Subject: [openssl] master update
Message-ID: <1630507875.139161.23857.nullmailer@dev.openssl.org>

The branch master has been updated
       via  8e706c8ae5d6abf69b1b0aa0c4ab3517607522d0 (commit)
      from  59f4a51a7f2c53b9fd161b032d0fcb8a85f4f19d (commit)

- Log -----------------------------------------------------------------
commit 8e706c8ae5d6abf69b1b0aa0c4ab3517607522d0
Author: Richard Levitte
Date: Tue Aug 31 12:07:33 2021 +0200

    dev/release.sh: Adjust release branch names to votes

    The OTC voted today that the release branch for OpenSSL 3.0 should be
    openssl-3.0 rather than openssl-3.0.x. The release script is changed
    accordingly.

    Reviewed-by: Tomas Mraz
    Reviewed-by: Paul Dale
    (Merged from https://github.com/openssl/openssl/pull/16481)

-----------------------------------------------------------------------

Summary of changes:
 dev/release.sh | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/dev/release.sh b/dev/release.sh index bf5aa8af35..351ddc5528 100755 --- a/dev/release.sh +++ b/dev/release.sh
@@ -20,7 +20,7 @@ Usage: release.sh [ options ... ] --final Get out of "alpha" or "beta" and make a final release. Implies --branch. ---branch Create a release branch 'openssl-{major}.{minor}.x', +--branch Create a release branch 'openssl-{major}.{minor}', where '{major}' and '{minor}' are the major and minor version numbers. @@ -218,7 +218,7 @@ if (echo "$orig_branch" \ | grep -E -q \ -e '^master$' \ -e '^OpenSSL_[0-9]+_[0-9]+_[0-9]+[a-z]*-stable$' \ - -e '^openssl-[0-9]+\.[0-9]+\.x$'); then + -e '^openssl-[0-9]+\.[0-9]+$'); then : elif $force; then : @@ -253,7 +253,7 @@ get_version # changes for the release, the update branch is where we make the post- # release changes update_branch="$orig_branch" -release_branch="openssl-$SERIES.x" +release_branch="openssl-$SERIES" # among others, we only create a release branch if the patch number is zero if [ "$update_branch" = "$release_branch" ] || [ $PATCH -ne 0 ]; then @@ -694,9 +694,9 @@ This implies B<--branch>. =item B<--branch> -Create a branch specific for the I.x release series, if it doesn't +Create a branch specific for the I release series, if it doesn't already exist, and switch to it. The exact branch name will be -C<< openssl-I.x >>. +C<< openssl-I >>. =item B<--no-upload> @@ -751,7 +751,7 @@ C<< OpenSSL_I >> for regular releases, or C<< OpenSSL_I-preI >> for pre-releases. From OpenSSL 3.0 ongoing, the release branches are named -C<< openssl-I.x >>, and the release tags are named +C<< openssl-I >>, and the release tags are named C<< openssl-I >> for regular releases, or C<< openssl-I-alphaI >> for alpha releases and C<< openssl-I-betaI >> for beta releases. From pauli at openssl.org Thu Sep 2 00:04:46 2021 
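Review bot: The branch check at `@@ -218` replaces the pattern `'^openssl-[0-9]+\.[0-9]+\.x$'` with `'^openssl-[0-9]+\.[0-9]+$'` instead of adding to it, so running the script from a branch already created under the old `openssl-{major}.{minor}.x` scheme no longer matches and falls through to the `elif $force` path. If any such branch exists, either accept both patterns for a transition period or mention the rename in the `--branch` help text and the POD section changed at `@@ -694`.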
From: pauli at openssl.org (Dr. Paul Dale)
Date: Thu, 02 Sep 2021 00:04:46 +0000
Subject: [openssl] master update
Message-ID: <1630541086.805678.14583.nullmailer@dev.openssl.org>

The branch master has been updated
       via  3a1fa0116a92235ba200228e4bb60d6a3a7f4113 (commit)
      from  8e706c8ae5d6abf69b1b0aa0c4ab3517607522d0 (commit)

- Log -----------------------------------------------------------------
commit 3a1fa0116a92235ba200228e4bb60d6a3a7f4113
Author: Mattias Ellert
Date: Tue Aug 31 08:26:06 2021 +0200

    Openssl fails to compile on Debian with kfreebsd kernels
    (kfreebsd-amd64, kfreebsd-i386). The error reported by the compiler is:

    ../crypto/uid.c: In function 'OPENSSL_issetugid':
    ../crypto/uid.c:50:22: error: 'AT_SECURE' undeclared (first use in this function)
       50 |     return getauxval(AT_SECURE) != 0;
          |                      ^~~~~~~~~

    This commit changes the code to use the freebsd code in this case.
    This fixes the compilation.

    CLA: trivial

    Reviewed-by: Ben Kaduk
    Reviewed-by: Tomas Mraz
    Reviewed-by: Paul Dale
    (Merged from https://github.com/openssl/openssl/pull/16477)

-----------------------------------------------------------------------

Summary of changes:
 crypto/uid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/uid.c b/crypto/uid.c index 928b83c026..698127779f 100644 --- a/crypto/uid.c +++ b/crypto/uid.c @@ -17,7 +17,7 @@ int OPENSSL_issetugid(void) return 0; } -#elif defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || defined(__DragonFly__) +#elif defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || defined(__DragonFly__) || (defined(__GLIBC__) && defined(__FreeBSD_kernel__)) # include
From pauli at openssl.org Thu Sep 2 00:05:38 2021
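Review bot: The `#elif` at `@@ -17` in crypto/uid.c gains one more platform test, `(defined(__GLIBC__) && defined(__FreeBSD_kernel__))`, which addresses this one libc and kernel pairing only. The failure quoted in the commit message is `'AT_SECURE' undeclared` at the `getauxval(AT_SECURE)` call, so additionally guarding that later branch on `defined(AT_SECURE)` would cover any other platform that lands there without the constant. A short comment naming Debian GNU/kFreeBSD beside the new condition would also help, since the line is now hard to read.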
From: pauli at openssl.org (Dr. Paul Dale)
Date: Thu, 02 Sep 2021 00:05:38 +0000
Subject: [openssl] OpenSSL_1_1_1-stable update
Message-ID: <1630541138.406221.15713.nullmailer@dev.openssl.org>

The branch OpenSSL_1_1_1-stable has been updated
       via  1f8e36720fff9bdc9f08fe24a38cc91b1b78ddb0 (commit)
      from  35cefdcab0f474deafcd769a2eb93f2c0f07051e (commit)

- Log -----------------------------------------------------------------
commit 1f8e36720fff9bdc9f08fe24a38cc91b1b78ddb0
Author: Mattias Ellert
Date: Tue Aug 31 08:26:06 2021 +0200

    Openssl fails to compile on Debian with kfreebsd kernels
    (kfreebsd-amd64, kfreebsd-i386). The error reported by the compiler is:

    ../crypto/uid.c: In function 'OPENSSL_issetugid':
    ../crypto/uid.c:50:22: error: 'AT_SECURE' undeclared (first use in this function)
       50 |     return getauxval(AT_SECURE) != 0;
          |                      ^~~~~~~~~

    This commit changes the code to use the freebsd code in this case.
    This fixes the compilation.

    CLA: trivial

    Reviewed-by: Ben Kaduk
    Reviewed-by: Tomas Mraz
    Reviewed-by: Paul Dale
    (Merged from https://github.com/openssl/openssl/pull/16477)

    (cherry picked from commit 3a1fa0116a92235ba200228e4bb60d6a3a7f4113)

-----------------------------------------------------------------------

Summary of changes:
 crypto/uid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/uid.c b/crypto/uid.c index 5e3315eeb2..a9eae36818 100644 --- a/crypto/uid.c +++ b/crypto/uid.c @@ -17,7 +17,7 @@ int OPENSSL_issetugid(void) return 0; } -#elif defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || defined(__DragonFly__) +#elif defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || defined(__DragonFly__) || (defined(__GLIBC__) && defined(__FreeBSD_kernel__)) # include OPENSSL_UNISTD
From pauli at openssl.org Thu Sep 2 00:06:07 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Thu, 02 Sep 2021 00:06:07 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1630541167.881339.16867.nullmailer@dev.openssl.org>

The branch openssl-3.0 has been updated
       via  a0bbd4be5a8231e26322a8e0a3df68ffd1db0edb (commit)
      from  59f4a51a7f2c53b9fd161b032d0fcb8a85f4f19d (commit)

- Log -----------------------------------------------------------------
commit a0bbd4be5a8231e26322a8e0a3df68ffd1db0edb
Author: Mattias Ellert
Date: Tue Aug 31 08:26:06 2021 +0200

    Openssl fails to compile on Debian with kfreebsd kernels
    (kfreebsd-amd64, kfreebsd-i386). The error reported by the compiler is:

    ../crypto/uid.c: In function 'OPENSSL_issetugid':
    ../crypto/uid.c:50:22: error: 'AT_SECURE' undeclared (first use in this function)
       50 |     return getauxval(AT_SECURE) != 0;
          |                      ^~~~~~~~~

    This commit changes the code to use the freebsd code in this case.
    This fixes the compilation.

    CLA: trivial

    Reviewed-by: Ben Kaduk
    Reviewed-by: Tomas Mraz
    Reviewed-by: Paul Dale
    (Merged from https://github.com/openssl/openssl/pull/16477)

    (cherry picked from commit 3a1fa0116a92235ba200228e4bb60d6a3a7f4113)

-----------------------------------------------------------------------

Summary of changes:
 crypto/uid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/uid.c b/crypto/uid.c index 928b83c026..698127779f 100644 --- a/crypto/uid.c +++ b/crypto/uid.c @@ -17,7 +17,7 @@ int OPENSSL_issetugid(void) return 0; } -#elif defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || defined(__DragonFly__) +#elif defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || defined(__DragonFly__) || (defined(__GLIBC__) && defined(__FreeBSD_kernel__)) # include
From pauli at openssl.org Thu Sep 2 00:10:23 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Thu, 02 Sep 2021 00:10:23 +0000
Subject: [openssl] OpenSSL_1_1_1-stable update
Message-ID: <1630541423.738339.20565.nullmailer@dev.openssl.org>

The branch OpenSSL_1_1_1-stable has been updated
       via  9e72d1a3145a0585b96fa9b4e9ab31ce35a43aba (commit)
      from  1f8e36720fff9bdc9f08fe24a38cc91b1b78ddb0 (commit)

- Log -----------------------------------------------------------------
commit 9e72d1a3145a0585b96fa9b4e9ab31ce35a43aba
Author: Pauli
Date: Wed Sep 1 09:52:03 2021 +1000

    doc: document the rsa_oaep_md: pkeyopt

    This was missing but essential for using non-SHA1 digests with OAEP.

    Fixes #15998

    Manual backport of #16410

    Reviewed-by: Tomas Mraz
    Reviewed-by: Tim Hudson
    (Merged from https://github.com/openssl/openssl/pull/16488)

-----------------------------------------------------------------------

Summary of changes:
 doc/man1/pkeyutl.pod | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/doc/man1/pkeyutl.pod b/doc/man1/pkeyutl.pod index 3b350efadd..f6fd48d5b5 100644 --- a/doc/man1/pkeyutl.pod +++ b/doc/man1/pkeyutl.pod @@ -246,6 +246,11 @@ B block structure. For PSS and OAEP padding sets the MGF1 digest. If the MGF1 digest is not explicitly set in PSS mode then the signing digest is used. +=item BI + +Sets the digest used for the OAEP hash function. If not explicitly set then +SHA1 is used. + =back =head1 RSA-PSS ALGORITHM @@ -319,6 +324,11 @@ seed consisting of the single byte 0xFF: openssl pkeyutl -kdf TLS1-PRF -kdflen 48 -pkeyopt md:SHA256 \ -pkeyopt hexsecret:ff -pkeyopt hexseed:ff -hexdump +Decrypt some data using a private key with OAEP padding using SHA256: + + openssl pkeyutl -decrypt -in file -inkey key.pem -out secret \ + -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 + =head1 SEE ALSO L, L, L
From pauli at openssl.org Thu Sep 2 02:56:01 2021
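Review bot: The new `rsa_oaep_md` item at `@@ -246` in doc/man1/pkeyutl.pod gives the default for the OAEP hash only; it does not say which MGF1 digest applies in OAEP mode when `rsa_oaep_md` is set and the MGF1 digest is not, and the preceding item states that default for PSS mode only. Both sides have to agree on both digests for decryption to succeed, so state the OAEP-mode MGF1 default here. The example added at `@@ -319` covers `-decrypt` only; pairing it with the matching `-encrypt` command would show that the same `-pkeyopt` values are needed on both ends.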
From: pauli at openssl.org (Dr. Paul Dale)
Date: Thu, 02 Sep 2021 02:56:01 +0000
Subject: [openssl] master update
Message-ID: <1630551361.079476.31497.nullmailer@dev.openssl.org>

The branch master has been updated
       via  473664aafdff1f60db99929bdd43c2a9b26d14cd (commit)
      from  3a1fa0116a92235ba200228e4bb60d6a3a7f4113 (commit)

- Log -----------------------------------------------------------------
commit 473664aafdff1f60db99929bdd43c2a9b26d14cd
Author: a1346054 <36859588+a1346054 at users.noreply.github.com>
Date: Thu Aug 19 11:05:15 2021 +0000

    always use the same perl in $PATH

    Different tests may use unexpectedly different versions of perl,
    depending on whether they hardcode the path to the perl executable or if
    they resolve the path from the environment. This fixes it so that the
    same perl is always used.

    Fix some trailing whitespace and spelling mistakes as well.

    CLA: trivial

    Reviewed-by: Tomas Mraz
    Reviewed-by: Paul Dale
    (Merged from https://github.com/openssl/openssl/pull/16362)

-----------------------------------------------------------------------

Summary of changes:
 .github/ISSUE_TEMPLATE.md | 4 ++--
 .github/ISSUE_TEMPLATE/bug_report.md | 4 ++--
 .github/ISSUE_TEMPLATE/feature_request.md | 4 ++--
 .github/workflows/cross-compiles.yml | 4 ++--
 .github/workflows/run-checker-ci.yml | 1 -
 ACKNOWLEDGEMENTS.md | 1 -
 Configurations/unix-checker.pm | 2 +-
 Configurations/windows-checker.pm | 2 +-
 INSTALL.md | 2 +-
 dev/release-aux/fix-title.pl | 2 +-
 dev/release-aux/release-state-fn.sh | 3 +--
 dev/release.sh | 4 ++--
 test/README-dev.md | 4 ++--
 test/recipes/06-test_algorithmid.t | 4 ++--
 test/recipes/06-test_rdrand_sanity.t | 4 ++--
 test/recipes/80-test_cipherbytes.t | 2 +-
 test/recipes/80-test_cipherlist.t | 2 +-
 test/recipes/80-test_ciphername.t | 2 +-
 test/recipes/90-test_includes.t | 2 +-
 util/check-format.pl | 2 +-
 util/echo.pl | 2 +-
 util/fips-checksums.sh | 4 ++--
 util/fix-deprecation | 2 +-
 23 files changed, 30 insertions(+), 33 deletions(-)
diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md index 7a89c4ef13..942a8fc5c6 100644 --- a/.github/ISSUE_TEMPLATE.md +++ b/.github/ISSUE_TEMPLATE.md @@ -1,7 +1,7 @@ diff --git a/docs/sidebar.shtml b/docs/sidebar.shtml index a603a43..b87c91c 100644 --- a/docs/sidebar.shtml +++ b/docs/sidebar.shtml @@ -10,7 +10,7 @@ Manpages
  • - FIPS-140 Validation + Legacy FIPS-140 Validation
  • diff --git a/source/index.html b/source/index.html index bde4983..e8477e1 100644 --- a/source/index.html +++ b/source/index.html @@ -30,28 +30,32 @@ A list of mirror sites can be found here.

    -

    Note: The latest stable version is the 1.1.1 series. This is - also our Long Term Support (LTS) version, supported until 11th September - 2023. All older versions (including 1.1.0, 1.0.2, 1.0.0 and 0.9.8) are - now out of support and should not be used. Users of these older versions - are encouraged to upgrade to 1.1.1 as soon as possible. Extended support +

    Note: The latest stable version is the 3.0 series. Also + available is the 1.1.1 series which is our Long Term Support (LTS) + version, supported until 11th September 2023. All older versions + (including 1.1.0, 1.0.2, 1.0.0 and 0.9.8) are now out of support and + should not be used. Users of these older versions are encouraged to + upgrade to 3.0 or 1.1.1 as soon as possible. Extended support for 1.0.2 to gain access to security fixes for that version is available.

    -

    The OpenSSL FIPS Object Module 2.0 (FOM) is also available for - download. It is no longer receiving updates. It must be used in - conjunction with a FIPS capable version of OpenSSL (1.0.2 series). A - new FIPS module is currently in development.

    +

    OpenSSL 3.0 is the latest major version of OpenSSL. The OpenSSL FIPS + Object Module (FOM) 3.0 is an integrated part of the OpenSSL 3.0 + download. You do not need to download the 3.0 FOM separately. Refer to + the installation instructions inside the download, and use the + "enable-fips" compile time configuration option to build it.

    -

    OpenSSL 3.0 is the next major version of OpenSSL that is currently - in development and includes the new FIPS Object Module. A pre-release - version of this is available below. This is for testing only. It should - not be used in production. For an overview of some of the key concepts - in OpenSSL 3.0 see the libcrypto - manual page. +

    For an overview of some of the key concepts in OpenSSL 3.0 see the + libcrypto + manual page. Information and notes about migrating existing applications to OpenSSL 3.0 are available in the - OpenSSL 3.0 Migration Guide

    + OpenSSL 3.0 Migration Guide

    + +

    The OpenSSL FIPS Object Module (FOM) 2.0 is also available for + download. It is no longer receiving updates. It must be used in + conjunction with a FIPS capable version of OpenSSL (1.0.2 series).

    + diff --git a/source/license.html b/source/license.html index 643045e..ec6ea5d 100644 --- a/source/license.html +++ b/source/license.html @@ -18,13 +18,13 @@ Copies can also be found here.

    - For the 3.0.0 release, and later releases derived from that, + For the 3.0 release, and later releases derived from that, the Apache License v2 applies. This also applies to the git "master" branch.

    - For any release made before OpenSSL 3.0.0 (namely + For any release made before OpenSSL 3.0 (namely the 1.1.1, 1.1.0, 1.0.2, and all prior releases including those not currently supported), the dual OpenSSL and SSLeay @@ -34,7 +34,7 @@ releases -- the "letter suffix" -- no matter when they are made. It also applies to the git branches for all those releases, and to any public forks that have not rebased to - master (or 3.0.0). + master (or 3.0).
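Review bot: The new FIPS paragraph in source/index.html tells readers to build the 3.0 FOM with the "enable-fips" option but does not say whether that module holds a FIPS 140 validation, while the docs/sidebar.shtml hunk relabels the existing link "Legacy FIPS-140 Validation". Add one sentence on the validation status of the 3.0 module, or a link to where it is tracked, so that users with compliance requirements do not read "enable-fips" as equivalent to running a validated module.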

From levitte at openssl.org Tue Sep 7 12:19:46 2021
From: levitte at openssl.org (Richard Levitte)
Date: Tue, 07 Sep 2021 12:19:46 +0000
Subject: [web] master update
Message-ID: <1631017186.510233.32115.nullmailer@dev.openssl.org>

The branch master has been updated
       via  773282bef044fc98ba75b0f7626eb765b0177b90 (commit)
      from  69a1d25579c6a8a5787ac30969caf9f69909c89f (commit)

- Log -----------------------------------------------------------------
commit 773282bef044fc98ba75b0f7626eb765b0177b90
Author: Richard Levitte
Date: Tue Sep 7 14:16:54 2021 +0200

    Update newsflash for OpenSSL 3.0.0

-----------------------------------------------------------------------

Summary of changes:
 news/newsflash.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/news/newsflash.txt b/news/newsflash.txt index e8718a1..7c8a166 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -5,6 +5,7 @@ # headings. URL paths must all be absolute. Date: Item +07-Sep-2021: Final version of OpenSSL 3.0.0 is now available: please download and upgrade! 24-Aug-2021: Security Advisory: two security fixes 24-Aug-2021: OpenSSL 1.1.1l is now available, including bug and security fixes 29-Jul-2021: Beta 2 of OpenSSL 3.0 is now available. This is a release candidate: please download and test it
From levitte at openssl.org Tue Sep 7 12:43:18 2021
From: levitte at openssl.org (Richard Levitte)
Date: Tue, 07 Sep 2021 12:43:18 +0000
Subject: [openssl] OpenSSL_1_1_1-stable update
Message-ID: <1631018598.031360.24101.nullmailer@dev.openssl.org>

The branch OpenSSL_1_1_1-stable has been updated
       via  ed96022218e71efcf50c69cd6997ed85a2c37ffe (commit)
      from  09126044f0120b0039b13365b30465d4b6d0f8f0 (commit)

- Log -----------------------------------------------------------------
commit ed96022218e71efcf50c69cd6997ed85a2c37ffe
Author: Richard Levitte
Date: Mon Sep 6 11:26:56 2021 +0200

    test/ec_internal_test: link with libapps.a too

    Whenever the source from $target{apps_init_src} is added to the source
    of a test program, it needs to be linked with libapps.a as well. Some
    init sources depend on that. Without this, builds break on VMS because
    of the unresolved symbol 'app_malloc'. On platforms that do not need
    anything from libapps.a, adding it is a no-op. This is for OpenSSL 1.1.1
    only. OpenSSL 3.0 and beyond have a different solution.

    Reviewed-by: Tomas Mraz
    Reviewed-by: Paul Dale
    (Merged from https://github.com/openssl/openssl/pull/16512)

-----------------------------------------------------------------------

Summary of changes:
 test/build.info | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/build.info b/test/build.info index 6357a7f2fe..726bd22127 100644 --- a/test/build.info +++ b/test/build.info @@ -519,7 +519,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN {- rebase_files("../apps", split(/\s+/, $target{apps_init_src})) -} INCLUDE[ec_internal_test]=../include ../crypto/ec - DEPEND[ec_internal_test]=../libcrypto.a libtestutil.a + DEPEND[ec_internal_test]=../apps/libapps.a ../libcrypto.a libtestutil.a SOURCE[curve448_internal_test]=curve448_internal_test.c INCLUDE[curve448_internal_test]=.. ../include ../crypto/ec/curve448
From levitte at openssl.org Tue Sep 7 13:25:13 2021
From: levitte at openssl.org (Richard Levitte)
Date: Tue, 07 Sep 2021 13:25:13 +0000
Subject: [openssl] master update
Message-ID: <1631021113.586944.29490.nullmailer@dev.openssl.org>

The branch master has been updated
       via  a4ffb33ea8b7bcf04b8181dafce7ac512081d0ab (commit)
      from  a8d9bd8114510d3a1708da3922f07e7f707674bc (commit)

- Log -----------------------------------------------------------------
commit a4ffb33ea8b7bcf04b8181dafce7ac512081d0ab
Author: Rich Salz
Date: Mon Aug 16 17:31:59 2021 -0400

    Use '[option...]' not '[[ options ]]' in text

    Looks more like manpage format. :)
    Also remove `{{..}}` notation and rewrite around it.

    Reviewed-by: Tomas Mraz
    Reviewed-by: Dmitry Belyavskiy
    Reviewed-by: Richard Levitte
    (Merged from https://github.com/openssl/openssl/pull/16329)

-----------------------------------------------------------------------

Summary of changes:
 INSTALL.md | 33 ++++++++++++---------------------
 util/perl/OpenSSL/config.pm | 4 ++--
 2 files changed, 14 insertions(+), 23 deletions(-)

diff --git a/INSTALL.md b/INSTALL.md index 5d53cef1aa..70eb8da1ed 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -120,21 +120,11 @@ represents one of the four commands Arguments --------- -**Mandatory arguments** are enclosed in double curly braces. -A simple example would be +**Optional Arguments** are enclosed in square brackets. - $ type {{ filename }} + [option...] -which is to be understood to use the command `type` on some file name -determined by the user. - -**Optional Arguments** are enclosed in double square brackets. - - [[ options ]] - -Note that the notation assumes spaces around `{`, `}`, `[`, `]`, `{{`, `}}` and -`[[`, `]]`. This is to differentiate from OpenVMS directory -specifications, which also use [ and ], but without spaces. +A trailing ellipsis means that more than one could be specified. Quick Installation Guide ========================
@@ -1155,15 +1145,15 @@ the same. #### Unix / Linux / macOS - $ ./Configure [[ options ]] + $ ./Configure [options...] #### OpenVMS - $ perl Configure [[ options ]] + $ perl Configure [options...] #### Windows - $ perl Configure [[ options ]] + $ perl Configure [options...] ### Manual Configuration @@ -1185,12 +1175,13 @@ When you have identified your system (and if necessary compiler) use this name as the argument to `Configure`. For example, a `linux-elf` user would run: - $ ./Configure linux-elf [[ options ]] + $ ./Configure linux-elf [options...] ### Creating your own Configuration If your system isn't listed, you will have to create a configuration -file named `Configurations/{{ something }}.conf` and add the correct +file named `Configurations/YOURFILENAME.conf` (replace `YOURFILENAME` +with a filename of your choosing) and add the correct configuration for your system. See the available configs as examples and read [Configurations/README.md](Configurations/README.md) and [Configurations/README-design.md](Configurations/README-design.md) @@ -1214,21 +1205,21 @@ directory and invoking the configuration commands from there. $ mkdir /var/tmp/openssl-build $ cd /var/tmp/openssl-build - $ /PATH/TO/OPENSSL/SOURCE/Configure [[ options ]] + $ /PATH/TO/OPENSSL/SOURCE/Configure [options...] #### OpenVMS example $ set default sys$login: $ create/dir [.tmp.openssl-build] $ set default [.tmp.openssl-build] - $ perl D:[PATH.TO.OPENSSL.SOURCE]Configure [[ options ]] + $ perl D:[PATH.TO.OPENSSL.SOURCE]Configure [options...] #### Windows example $ C: $ mkdir \temp-openssl $ cd \temp-openssl - $ perl d:\PATH\TO\OPENSSL\SOURCE\Configure [[ options ]] + $ perl d:\PATH\TO\OPENSSL\SOURCE\Configure [options...] Paths can be relative just as well as absolute. `Configure` will do its best to translate them to relative paths whenever possible. diff --git a/util/perl/OpenSSL/config.pm b/util/perl/OpenSSL/config.pm index 7250791b5b..d8be17cdc5 100755 --- a/util/perl/OpenSSL/config.pm 
+++ b/util/perl/OpenSSL/config.pm @@ -473,7 +473,7 @@ EOF if ( $ISA64 == 1 && $KERNEL_BITS eq '' ) { print < "darwin64-x86_64" };

From tomas at openssl.org Tue Sep 7 14:02:31 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Tue, 07 Sep 2021 14:02:31 +0000
Subject: [openssl] master update
Message-ID: <1631023351.712853.29265.nullmailer@dev.openssl.org>

The branch master has been updated
       via  a04b06573e2b3c6a5c703a60bd95354c6c6e91dc (commit)
      from  a4ffb33ea8b7bcf04b8181dafce7ac512081d0ab (commit)

- Log -----------------------------------------------------------------
commit a04b06573e2b3c6a5c703a60bd95354c6c6e91dc
Author: PW Hu
Date: Fri Sep 3 17:50:40 2021 +0800

    crypto/bio/bss_bio.c/bio_write: improve border check

    CLA:trivial

    Reviewed-by: Ben Kaduk
    Reviewed-by: Paul Dale
    Reviewed-by: Tomas Mraz
    (Merged from https://github.com/openssl/openssl/pull/16503)

-----------------------------------------------------------------------

Summary of changes:
 crypto/bio/bss_bio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/bio/bss_bio.c b/crypto/bio/bss_bio.c index 7fa8778cae..92dd262309 100644 --- a/crypto/bio/bss_bio.c +++ b/crypto/bio/bss_bio.c @@ -273,7 +273,7 @@ static int bio_write(BIO *bio, const char *buf, int num_) BIO_clear_retry_flags(bio); - if (!bio->init || buf == NULL || num == 0) + if (!bio->init || buf == NULL || num_ <= 0) return 0; b = bio->ptr;

From no-reply at appveyor.com Tue Sep 7 15:28:09 2021
From: no-reply at appveyor.com (AppVeyor)
Date: Tue, 07 Sep 2021 15:28:09 +0000
Subject: Build failed: openssl openssl-3.0.42675
Message-ID: <20210907152809.1.687BCEF8FE551DD0@appveyor.com>

An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Tue Sep 7 18:28:44 2021
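Review bot: In INSTALL.md the Arguments section at `@@ -120` now defines the notation as `[option...]`, but every usage line changed at `@@ -1155` and after reads `[options...]` (for example `$ ./Configure [options...]`); pick one spelling so the definition matches its uses. The same hunk also drops the sentence that distinguished optional-argument brackets from OpenVMS directory specifications, while the OpenVMS example still carries both on one line (`perl D:[PATH.TO.OPENSSL.SOURCE]Configure [options...]`); a one-line reminder next to that example would avoid misreading.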
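Review bot: In `bio_write` (crypto/bio/bss_bio.c, `@@ -273`) the check now tests the signed parameter with `num_ <= 0` and returns 0, which makes a negative length indistinguishable from a zero-length write for the caller. Consider returning -1 or raising an error for `num_ < 0`. The commit message says only "improve border check"; it should state which input the old `num == 0` test let through, and a regression test that calls the write path with a negative length would pin the new behaviour.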
From: no-reply at appveyor.com (AppVeyor)
Date: Tue, 07 Sep 2021 18:28:44 +0000
Subject: Build completed: openssl master.42676
Message-ID: <20210907182844.1.9BE8BD9D368A17E2@appveyor.com>

An HTML attachment was scrubbed...
URL:

From levitte at openssl.org Tue Sep 7 20:32:26 2021
From: levitte at openssl.org (Richard Levitte)
Date: Tue, 07 Sep 2021 20:32:26 +0000
Subject: [web] master update
Message-ID: <1631046746.737932.4230.nullmailer@dev.openssl.org>

The branch master has been updated
       via  0d901a188206337f6b05aaa8030d077ce2cba6a7 (commit)
       via  47495e47d7291a0aeb8f47d1dbbad044b61f3b84 (commit)
      from  773282bef044fc98ba75b0f7626eb765b0177b90 (commit)

- Log -----------------------------------------------------------------
commit 0d901a188206337f6b05aaa8030d077ce2cba6a7
Author: Richard Levitte
Date: Fri Sep 3 17:14:50 2021 +0200

    Add dependency on Makefile on all other targets that use |releases|

    Reviewed-by: Tim Hudson
    (Merged from https://github.com/openssl/web/pull/258)

commit 47495e47d7291a0aeb8f47d1dbbad044b61f3b84
Author: Richard Levitte
Date: Fri Sep 3 17:08:51 2021 +0200

    Make the manpage sidebar generated from template

    Since this is another file where the contents depend on what we
    release, we make this a template alongside all other templates, which
    do their thing from the definition of |releases|.

    Reviewed-by: Tim Hudson
    (Merged from https://github.com/openssl/web/pull/258)

-----------------------------------------------------------------------

Summary of changes:
 Makefile | 13 +++++++++----
 inc/mansidebar.shtml => docs/mansidebar.html.tt | 5 +++--
 2 files changed, 12 insertions(+), 6 deletions(-)
 rename inc/mansidebar.shtml => docs/mansidebar.html.tt (57%)

diff --git a/Makefile b/Makefile index 6aba02c..b9b0d4d 100644 --- a/Makefile +++ b/Makefile
@@ -60,6 +60,7 @@ SIMPLE = newsflash.inc sitemap.txt \ docs/OpenSSLStrategicArchitecture.html \ docs/OpenSSL300Design.html \ docs/manpages.html \ + docs/mansidebar.shtml \ news/changelog.html \ $(foreach S,$(SERIES),news/openssl-$(S)-notes.inc) \ $(foreach S,$(SERIES),news/openssl-$(S)-notes.html) \ @@ -195,9 +196,13 @@ manpages: $(foreach S,$(MANSERIES),man-apropos-$(S) man-index-$(S)) mancross: ./bin/mk-mancross master $(SERIES) -docs/manpages.html: docs/manpages.html.tt +docs/manpages.html: docs/manpages.html.tt Makefile bin/from-tt @rm -f $@ - ./bin/from-tt releases='master $(SERIES)' docs/manpages.html.tt + ./bin/from-tt releases='master $(SERIES)' $< + +docs/mansidebar.html: docs/mansidebar.html.tt Makefile bin/from-tt + @rm -f $@ + ./bin/from-tt releases='master $(SERIES)' $< ###################################################################### ## @@ -235,7 +240,7 @@ news/changelog.inc: news/changelog.md bin/mk-changelog @rm -f $@ (echo 'Table of contents'; sed -e '1,/^OpenSSL Releases$$/d' < $<) \ | pandoc -t html5 -f commonmark | ./bin/post-process-html5 >$@ -news/changelog.html: news/changelog.html.tt news/changelog.inc +news/changelog.html: news/changelog.html.tt news/changelog.inc Makefile bin/from-tt @rm -f $@ ./bin/from-tt 'releases=$(SERIES)' $< # Additionally, make news/changelog.html depend on clxy[z].txt, where xy[z] @@ -361,7 +366,7 @@ endef # remains named 'fips' $(foreach S,fips $(SERIES) $(OLDSERIES2),$(eval $(call mkoldsourceindex,$(S),$(patsubst fips,FIPS,$(S))))) -source/old/index.html: source/old/index.html.tt bin/from-tt +source/old/index.html: source/old/index.html.tt Makefile bin/from-tt @rm -f $@ ./bin/from-tt releases='$(SERIES) $(OLDSERIES2) fips' $< diff --git a/inc/mansidebar.shtml b/docs/mansidebar.html.tt similarity index 57% rename from inc/mansidebar.shtml rename to docs/mansidebar.html.tt index b6c4293..6237fb8 100644 --- a/inc/mansidebar.shtml +++ b/docs/mansidebar.html.tt @@ -3,8 +3,9 @@

    Manpages
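Review bot: The first Makefile hunk adds `docs/mansidebar.shtml` to the SIMPLE list, but the rule added in the second hunk builds `docs/mansidebar.html` from `docs/mansidebar.html.tt`, and the rename at the end of the patch moves `inc/mansidebar.shtml` away. As written, SIMPLE names a target that no rule in this patch produces; the list entry should read `docs/mansidebar.html`. The added `Makefile` prerequisites and the switch to `$<` in the recipes are consistent across the rules touched.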

    From levitte at openssl.org Tue Sep 7 20:38:36 2021 From: levitte at openssl.org (Richard Levitte) Date: Tue, 07 Sep 2021 20:38:36 +0000 Subject: [web] master update Message-ID: <1631047116.972463.5776.nullmailer@dev.openssl.org> The branch master has been updated via 72f1e7fb3cd96308b336baf78b325d088652f426 (commit) from 0d901a188206337f6b05aaa8030d077ce2cba6a7 (commit) - Log ----------------------------------------------------------------- commit 72f1e7fb3cd96308b336baf78b325d088652f426 Author: Richard Levitte Date: Tue Sep 7 22:38:28 2021 +0200 Correct mansidebar.html reference ----------------------------------------------------------------------- Summary of changes: Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index b9b0d4d..a271213 100644 --- a/Makefile +++ b/Makefile @@ -60,7 +60,7 @@ SIMPLE = newsflash.inc sitemap.txt \ docs/OpenSSLStrategicArchitecture.html \ docs/OpenSSL300Design.html \ docs/manpages.html \ - docs/mansidebar.shtml \ + docs/mansidebar.html \ news/changelog.html \ $(foreach S,$(SERIES),news/openssl-$(S)-notes.inc) \ $(foreach S,$(SERIES),news/openssl-$(S)-notes.html) \ From levitte at openssl.org Tue Sep 7 20:53:18 2021 
From: levitte at openssl.org (Richard Levitte) Date: Tue, 07 Sep 2021 20:53:18 +0000 Subject: [web] master update Message-ID: <1631047998.281906.12768.nullmailer@dev.openssl.org> The branch master has been updated discards 72f1e7fb3cd96308b336baf78b325d088652f426 (commit) via 4c6dea4a88da460e9bc58b24b13b0e4133465334 (commit) This update added new revisions after undoing existing revisions. That is to say, the old revision is not a strict subset of the new revision. This situation occurs when you --force push a change and generate a repository containing something like this: * -- * -- B -- O -- O -- O (72f1e7fb3cd96308b336baf78b325d088652f426) \ N -- N -- N (4c6dea4a88da460e9bc58b24b13b0e4133465334) When this happens we assume that you've already had alert emails for all of the O revisions, and so we here report only the revisions in the N branch from the common base, B. - Log ----------------------------------------------------------------- commit 4c6dea4a88da460e9bc58b24b13b0e4133465334 Author: Richard Levitte Date: Tue Sep 7 22:38:28 2021 +0200 Correct mansidebar.html reference ----------------------------------------------------------------------- Summary of changes: docs/sub-index.html.tt | 2 +- docs/sub-man1-index.html.tt | 2 +- docs/sub-man3-index.html.tt | 2 +- docs/sub-man5-index.html.tt | 2 +- docs/sub-man7-index.html.tt | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/sub-index.html.tt b/docs/sub-index.html.tt index b0b3bb3..f1ade79 100644 --- a/docs/sub-index.html.tt +++ b/docs/sub-index.html.tt @@ -31,7 +31,7 @@
    - + diff --git a/docs/sub-man1-index.html.tt b/docs/sub-man1-index.html.tt index d213130..e6a4b5d 100644 --- a/docs/sub-man1-index.html.tt +++ b/docs/sub-man1-index.html.tt @@ -34,7 +34,7 @@ - + diff --git a/docs/sub-man3-index.html.tt b/docs/sub-man3-index.html.tt index 03aee4f..57cfd04 100644 --- a/docs/sub-man3-index.html.tt +++ b/docs/sub-man3-index.html.tt @@ -36,7 +36,7 @@ - + diff --git a/docs/sub-man5-index.html.tt b/docs/sub-man5-index.html.tt index 9cc6826..2517295 100644 --- a/docs/sub-man5-index.html.tt +++ b/docs/sub-man5-index.html.tt @@ -29,7 +29,7 @@ - + diff --git a/docs/sub-man7-index.html.tt b/docs/sub-man7-index.html.tt index 74c6119..799772a 100644 --- a/docs/sub-man7-index.html.tt +++ b/docs/sub-man7-index.html.tt @@ -29,7 +29,7 @@ - + From levitte at openssl.org Tue Sep 7 20:54:08 2021 
From: levitte at openssl.org (Richard Levitte) Date: Tue, 07 Sep 2021 20:54:08 +0000 Subject: [web] master update Message-ID: <1631048048.648023.13457.nullmailer@dev.openssl.org> The branch master has been updated discards 4c6dea4a88da460e9bc58b24b13b0e4133465334 (commit) via 79ff40e1b146b57350bbcafa7f245eb8254436b4 (commit) This update added new revisions after undoing existing revisions. That is to say, the old revision is not a strict subset of the new revision. This situation occurs when you --force push a change and generate a repository containing something like this: * -- * -- B -- O -- O -- O (4c6dea4a88da460e9bc58b24b13b0e4133465334) \ N -- N -- N (79ff40e1b146b57350bbcafa7f245eb8254436b4) When this happens we assume that you've already had alert emails for all of the O revisions, and so we here report only the revisions in the N branch from the common base, B. - Log ----------------------------------------------------------------- commit 79ff40e1b146b57350bbcafa7f245eb8254436b4 Author: Richard Levitte Date: Tue Sep 7 22:38:28 2021 +0200 Correct mansidebar.html reference ----------------------------------------------------------------------- Summary of changes: docs/sub-index.html.tt | 2 +- docs/sub-man1-index.html.tt | 2 +- docs/sub-man3-index.html.tt | 2 +- docs/sub-man5-index.html.tt | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/sub-index.html.tt b/docs/sub-index.html.tt index f1ade79..0b02457 100644 --- a/docs/sub-index.html.tt +++ b/docs/sub-index.html.tt @@ -31,7 +31,7 @@ - + diff --git a/docs/sub-man1-index.html.tt b/docs/sub-man1-index.html.tt index e6a4b5d..2894fcf 100644 --- a/docs/sub-man1-index.html.tt +++ b/docs/sub-man1-index.html.tt @@ -34,7 +34,7 @@ - + diff --git a/docs/sub-man3-index.html.tt b/docs/sub-man3-index.html.tt index 57cfd04..48b21c7 100644 --- a/docs/sub-man3-index.html.tt +++ b/docs/sub-man3-index.html.tt @@ -36,7 +36,7 @@ - + 
diff --git a/docs/sub-man5-index.html.tt b/docs/sub-man5-index.html.tt index 2517295..28ebb0f 100644 --- a/docs/sub-man5-index.html.tt +++ b/docs/sub-man5-index.html.tt @@ -29,7 +29,7 @@ - + From levitte at openssl.org Tue Sep 7 21:33:23 2021 From: levitte at openssl.org (Richard Levitte) Date: Tue, 07 Sep 2021 21:33:23 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1631050403.020020.30611.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 2e5cdbc18a1a26bfc817070a52689886fa0669c2 (commit) from ed96022218e71efcf50c69cd6997ed85a2c37ffe (commit) - Log ----------------------------------------------------------------- commit 2e5cdbc18a1a26bfc817070a52689886fa0669c2 Author: Richard Levitte Date: Mon Sep 6 13:40:43 2021 +0200 VMS: Compensate for compiler type incompatibility The compiler says that 'unsigned long long' isn't the same as 'unsigned __int64'. Sure, and considering that crypto/rand/rand_vms.c is specific VMS only code, it's easy to just change the type to the exact same as what's specified in the system headers. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15613) ----------------------------------------------------------------------- Summary of changes: crypto/rand/rand_vms.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/rand/rand_vms.c b/crypto/rand/rand_vms.c index 61c2f10299..fe516c3ca5 100644 --- a/crypto/rand/rand_vms.c +++ b/crypto/rand/rand_vms.c @@ -484,7 +484,7 @@ int rand_pool_add_nonce_data(RAND_POOL *pool) struct { pid_t pid; CRYPTO_THREAD_ID tid; - uint64_t time; + unsigned __int64_t time; } data = { 0 }; /* @@ -582,7 +582,7 @@ int rand_pool_add_additional_data(RAND_POOL *pool) { struct { CRYPTO_THREAD_ID tid; - uint64_t time; + unsigned __int64_t time; } data = { 0 }; /* From pauli at openssl.org Wed Sep 8 03:32:09 2021 
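Review bot: Both hunks in crypto/rand/rand_vms.c replace `uint64_t time;` with `unsigned __int64_t time;`, while the commit message names the system-header type as 'unsigned __int64'. `__int64_t` is a different identifier from `__int64`, so the change does not match its own description; the field should be declared `unsigned __int64 time;` in both `rand_pool_add_nonce_data` and `rand_pool_add_additional_data`. A one-line comment at each struct saying the field type has to match the type in the VMS system headers would explain why `uint64_t` is not used.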
From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 08 Sep 2021 03:32:09 +0000 Subject: [openssl] master update Message-ID: <1631071929.989705.13822.nullmailer@dev.openssl.org> The branch master has been updated via 994fa5f9861df94c07699cb118ad5c5470a868b2 (commit) from a04b06573e2b3c6a5c703a60bd95354c6c6e91dc (commit) - Log ----------------------------------------------------------------- commit 994fa5f9861df94c07699cb118ad5c5470a868b2 Author: Zengit Date: Tue Aug 24 05:06:04 2021 +0300 Socket now displays what address it is connecting to CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16392) ----------------------------------------------------------------------- Summary of changes: apps/lib/s_socket.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apps/lib/s_socket.c b/apps/lib/s_socket.c index dbeebb54c5..1dd30ac724 100644 --- a/apps/lib/s_socket.c +++ b/apps/lib/s_socket.c @@ -172,6 +172,8 @@ int init_client(int *sock, const char *host, const char *port, break; } + BIO_printf(bio_out, "Connecting to %s\n", BIO_ADDR_hostname_string(BIO_ADDRINFO_address(ai), 1)); + if (*sock == INVALID_SOCKET) { if (bindaddr != NULL && !found) { BIO_printf(bio_err, "Can't bind %saddress for %s%s%s\n", From matt at openssl.org Wed Sep 8 13:34:15 2021 
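Review bot: The added `BIO_printf(bio_out, "Connecting to %s\n", BIO_ADDR_hostname_string(BIO_ADDRINFO_address(ai), 1));` in init_client passes the result of BIO_ADDR_hostname_string() straight into the format string. That function returns a heap-allocated string that the caller must release with OPENSSL_free(), and it returns NULL on failure, so this line leaks on every call and can hand NULL to `%s`. The line also sits after the loop's closing brace and ahead of the `if (*sock == INVALID_SOCKET)` test, so it runs even when no socket was obtained, and whether `ai` still refers to a usable entry there depends on how the loop ended, which the hunk does not show. Suggest storing the string in a local, printing only when it is non-NULL and a socket was obtained, then freeing it.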
From: matt at openssl.org (Matt Caswell) Date: Wed, 08 Sep 2021 13:34:15 +0000 Subject: [web] master update Message-ID: <1631108055.315149.24395.nullmailer@dev.openssl.org> The branch master has been updated via 6850835feb4bc989b2e5465163b065c44bed644a (commit) from 79ff40e1b146b57350bbcafa7f245eb8254436b4 (commit) - Log ----------------------------------------------------------------- commit 6850835feb4bc989b2e5465163b065c44bed644a Author: Matt Caswell Date: Wed Sep 8 12:46:23 2021 +0100 Update the secondary platform definition Updates to the definition as per an OMC vote Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/web/pull/260) ----------------------------------------------------------------------- Summary of changes: policies/platformpolicy.html | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/policies/platformpolicy.html b/policies/platformpolicy.html index 5d59af8..24b4829 100644 --- a/policies/platformpolicy.html +++ b/policies/platformpolicy.html @@ -29,8 +29,9 @@
    Secondary
    - Targets which at least one team member actively - supports.
    + Targets which at least one team member actively supports, or the + platform is covered by CI and at least one team member has access to + the platform.
    The current secondary development platforms are: FreeBSD, Windows (Visual Studio, MinGW), MacOS From levitte at openssl.org Wed Sep 8 14:28:25 2021 From: levitte at openssl.org (Richard Levitte) Date: Wed, 08 Sep 2021 14:28:25 +0000 Subject: [openssl] master update Message-ID: <1631111305.452787.4281.nullmailer@dev.openssl.org> The branch master has been updated via 116799ff6a8fc803ec4685fc432c7329d0511e23 (commit) from 994fa5f9861df94c07699cb118ad5c5470a868b2 (commit) - Log ----------------------------------------------------------------- commit 116799ff6a8fc803ec4685fc432c7329d0511e23 Author: Richard Levitte Date: Tue Sep 7 11:48:07 2021 +0200 DOCS: Update the page for 'openssl passwd' to not duplicate some info The options -1 and -apr1 were mentioned in DESCRIPTION, not mentioning any other options or even mentioning that there are more algorithms. The simple fix is to remove that sentence and let the OPTIONS section speak for itself. Fixes #16529 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16531) ----------------------------------------------------------------------- Summary of changes: doc/man1/openssl-passwd.pod.in | 2 -- 1 file changed, 2 deletions(-) diff --git a/doc/man1/openssl-passwd.pod.in b/doc/man1/openssl-passwd.pod.in index ed68bab495..314fe4fe72 100644 --- a/doc/man1/openssl-passwd.pod.in +++ b/doc/man1/openssl-passwd.pod.in @@ -31,8 +31,6 @@ This command computes the hash of a password typed at run-time or the hash of each password in a list. The password list is taken from the named file for option B<-in>, from stdin for option B<-stdin>, or from the command line, or from the terminal otherwise. -The MD5-based BSD password algorithm B<-1>, its Apache variant B<-apr1>, -and its AIX variant are available. =head1 OPTIONS From levitte at openssl.org Wed Sep 8 14:29:03 2021 
From: levitte at openssl.org (Richard Levitte) Date: Wed, 08 Sep 2021 14:29:03 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631111343.408666.5580.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via ced5078399bc0249d2b28df4f51ec34abd022b7f (commit) from 50a0298a71fe2cdd5fc7f4e71c1deb1d4e901f1e (commit) - Log ----------------------------------------------------------------- commit ced5078399bc0249d2b28df4f51ec34abd022b7f Author: Richard Levitte Date: Tue Sep 7 11:48:07 2021 +0200 DOCS: Update the page for 'openssl passwd' to not duplicate some info The options -1 and -apr1 were mentioned in DESCRIPTION, not mentioning any other options or even mentioning that there are more algorithms. The simple fix is to remove that sentence and let the OPTIONS section speak for itself. Fixes #16529 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16531) (cherry picked from commit 116799ff6a8fc803ec4685fc432c7329d0511e23) ----------------------------------------------------------------------- Summary of changes: doc/man1/openssl-passwd.pod.in | 2 -- 1 file changed, 2 deletions(-) diff --git a/doc/man1/openssl-passwd.pod.in b/doc/man1/openssl-passwd.pod.in index ed68bab495..314fe4fe72 100644 --- a/doc/man1/openssl-passwd.pod.in +++ b/doc/man1/openssl-passwd.pod.in @@ -31,8 +31,6 @@ This command computes the hash of a password typed at run-time or the hash of each password in a list. The password list is taken from the named file for option B<-in>, from stdin for option B<-stdin>, or from the command line, or from the terminal otherwise. -The MD5-based BSD password algorithm B<-1>, its Apache variant B<-apr1>, -and its AIX variant are available. =head1 OPTIONS From levitte at openssl.org Wed Sep 8 14:30:50 2021 
From: levitte at openssl.org (Richard Levitte) Date: Wed, 08 Sep 2021 14:30:50 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1631111450.735090.8462.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 61ac53426e7873ead414b9259eb4446e2608209b (commit) from 2e5cdbc18a1a26bfc817070a52689886fa0669c2 (commit) - Log ----------------------------------------------------------------- commit 61ac53426e7873ead414b9259eb4446e2608209b Author: Richard Levitte Date: Tue Sep 7 11:48:07 2021 +0200 DOCS: Update the page for 'openssl passwd' to not duplicate some info The options -1 and -apr1 were mentioned in DESCRIPTION, not mentioning any other options or even mentioning that there are more algorithms. The simple fix is to remove that sentence and let the OPTIONS section speak for itself. Fixes #16529 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16531) (cherry picked from commit 116799ff6a8fc803ec4685fc432c7329d0511e23) ----------------------------------------------------------------------- Summary of changes: doc/man1/passwd.pod | 2 -- 1 file changed, 2 deletions(-) diff --git a/doc/man1/passwd.pod b/doc/man1/passwd.pod index c5760fe76e..c651f65544 100644 --- a/doc/man1/passwd.pod +++ b/doc/man1/passwd.pod @@ -31,8 +31,6 @@ The B command computes the hash of a password typed at run-time or the hash of each password in a list. The password list is taken from the named file for option B<-in file>, from stdin for option B<-stdin>, or from the command line, or from the terminal otherwise. -The Unix standard algorithm B and the MD5-based BSD password -algorithm B<1>, its Apache variant B, and its AIX variant are available. =head1 OPTIONS From levitte at openssl.org Wed Sep 8 14:36:07 2021 
From: levitte at openssl.org (Richard Levitte) Date: Wed, 08 Sep 2021 14:36:07 +0000 Subject: [openssl] master update Message-ID: <1631111767.721305.13585.nullmailer@dev.openssl.org> The branch master has been updated via c6ee5d5b42e27b407dfc1fc8845e08c5a75e2221 (commit) from 116799ff6a8fc803ec4685fc432c7329d0511e23 (commit) - Log ----------------------------------------------------------------- commit c6ee5d5b42e27b407dfc1fc8845e08c5a75e2221 Author: Richard Levitte Date: Tue Sep 7 12:48:52 2021 +0200 Fix test/recipes/90-test_fipsload.t to use bldtop_file for the FIPS module It used bldtop_dir(), which is incorrect for files. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16532) ----------------------------------------------------------------------- Summary of changes: test/recipes/90-test_fipsload.t | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/recipes/90-test_fipsload.t b/test/recipes/90-test_fipsload.t index 9aa39da0e4..7537e2cb75 100644 --- a/test/recipes/90-test_fipsload.t +++ b/test/recipes/90-test_fipsload.t @@ -6,7 +6,7 @@ # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html -use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir/; +use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir bldtop_file/; use OpenSSL::Test::Utils; BEGIN { @@ -25,7 +25,7 @@ plan skip_all => 'Test is disabled in an address sanitizer build' unless disable plan tests => 1; -my $fips = bldtop_dir('providers', platform->dso('fips')); +my $fips = bldtop_file('providers', platform->dso('fips')); ok(run(test(['moduleloadtest', $fips, 'OSSL_provider_init'])), "trying to load $fips in its own"); From levitte at openssl.org Wed Sep 8 14:36:47 2021 
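Review bot: In test/recipes/90-test_fipsload.t the import list gains `bldtop_file` but keeps `bldtop_dir`, whose only use visible in this patch is the `my $fips = ...` line being replaced. If nothing else in the file calls `bldtop_dir` (or `srctop_dir`), drop the unused names from the `use OpenSSL::Test qw/.../` line so the imports reflect what the test actually calls.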
From: levitte at openssl.org (Richard Levitte) Date: Wed, 08 Sep 2021 14:36:47 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631111807.710470.15139.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 03943ae71dfd1ac37cb9675197ea59cc2718f099 (commit) from ced5078399bc0249d2b28df4f51ec34abd022b7f (commit) - Log ----------------------------------------------------------------- commit 03943ae71dfd1ac37cb9675197ea59cc2718f099 Author: Richard Levitte Date: Tue Sep 7 12:48:52 2021 +0200 Fix test/recipes/90-test_fipsload.t to use bldtop_file for the FIPS module It used bldtop_dir(), which is incorrect for files. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16532) (cherry picked from commit c6ee5d5b42e27b407dfc1fc8845e08c5a75e2221) ----------------------------------------------------------------------- Summary of changes: test/recipes/90-test_fipsload.t | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/recipes/90-test_fipsload.t b/test/recipes/90-test_fipsload.t index 9aa39da0e4..7537e2cb75 100644 --- a/test/recipes/90-test_fipsload.t +++ b/test/recipes/90-test_fipsload.t @@ -6,7 +6,7 @@ # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html -use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir/; +use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir bldtop_file/; use OpenSSL::Test::Utils; BEGIN { @@ -25,7 +25,7 @@ plan skip_all => 'Test is disabled in an address sanitizer build' unless disable plan tests => 1; -my $fips = bldtop_dir('providers', platform->dso('fips')); +my $fips = bldtop_file('providers', platform->dso('fips')); ok(run(test(['moduleloadtest', $fips, 'OSSL_provider_init'])), "trying to load $fips in its own"); From pauli at openssl.org Thu Sep 9 06:41:13 2021 
From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 09 Sep 2021 06:41:13 +0000 Subject: [openssl] master update Message-ID: <1631169673.663815.5367.nullmailer@dev.openssl.org> The branch master has been updated via 81280137a1f33685d7d7fc531ea8fbac38e9a4b7 (commit) from c6ee5d5b42e27b407dfc1fc8845e08c5a75e2221 (commit) - Log ----------------------------------------------------------------- commit 81280137a1f33685d7d7fc531ea8fbac38e9a4b7 Author: Pauli Date: Wed Sep 8 09:28:57 2021 +1000 Fix the example SSH KDF code. A salt was being set instead of a session ID. Fixes #16525 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16550) ----------------------------------------------------------------------- Summary of changes: doc/man7/EVP_KDF-SSHKDF.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man7/EVP_KDF-SSHKDF.pod b/doc/man7/EVP_KDF-SSHKDF.pod index 74d1b71aca..08369abff1 100644 --- a/doc/man7/EVP_KDF-SSHKDF.pod +++ b/doc/man7/EVP_KDF-SSHKDF.pod @@ -121,7 +121,7 @@ This example derives an 8 byte IV using SHA-256 with a 1K "key" and appropriate key, (size_t)1024); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH, xcghash, (size_t)32); - *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, + *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID, session_id, (size_t)32); *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE, &type, sizeof(type)); From pauli at openssl.org Thu Sep 9 06:42:21 2021 
From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 09 Sep 2021 06:42:21 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631169741.622774.6754.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via c076f7b6d53454b5a3a1c837a5ea71b7c6fbebe9 (commit) from 03943ae71dfd1ac37cb9675197ea59cc2718f099 (commit) - Log ----------------------------------------------------------------- commit c076f7b6d53454b5a3a1c837a5ea71b7c6fbebe9 Author: Pauli Date: Wed Sep 8 09:28:57 2021 +1000 Fix the example SSH KDF code. A salt was being set instead of a session ID. Fixes #16525 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16550) (cherry picked from commit 81280137a1f33685d7d7fc531ea8fbac38e9a4b7) ----------------------------------------------------------------------- Summary of changes: doc/man7/EVP_KDF-SSHKDF.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man7/EVP_KDF-SSHKDF.pod b/doc/man7/EVP_KDF-SSHKDF.pod index 74d1b71aca..08369abff1 100644 --- a/doc/man7/EVP_KDF-SSHKDF.pod +++ b/doc/man7/EVP_KDF-SSHKDF.pod @@ -121,7 +121,7 @@ This example derives an 8 byte IV using SHA-256 with a 1K "key" and appropriate key, (size_t)1024); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH, xcghash, (size_t)32); - *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, + *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID, session_id, (size_t)32); *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE, &type, sizeof(type)); From tomas at openssl.org Thu Sep 9 07:33:10 2021 
From: tomas at openssl.org (tomas at openssl.org) Date: Thu, 09 Sep 2021 07:33:10 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631172790.001786.17861.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via de26f8fad7948adc935ab0aae2fc9fa5d6c11411 (commit) from c076f7b6d53454b5a3a1c837a5ea71b7c6fbebe9 (commit) - Log ----------------------------------------------------------------- commit de26f8fad7948adc935ab0aae2fc9fa5d6c11411 Author: PW Hu Date: Wed Sep 8 09:13:20 2021 +0800 Fix some documentation errors CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16553) (cherry picked from commit 5ecf10a0d2fb1c858b25afd5e48eafe6ef76edd4) ----------------------------------------------------------------------- Summary of changes: doc/man3/ASN1_item_d2i_bio.pod | 8 ++++---- doc/man3/OSSL_CMP_MSG_get0_header.pod | 2 +- doc/man3/OSSL_HTTP_REQ_CTX.pod | 3 +-- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/doc/man3/ASN1_item_d2i_bio.pod b/doc/man3/ASN1_item_d2i_bio.pod index 9083f85f69..bdf5c48096 100644 --- a/doc/man3/ASN1_item_d2i_bio.pod +++ b/doc/man3/ASN1_item_d2i_bio.pod 
@@ -10,15 +10,15 @@ ASN1_item_d2i_fp_ex, ASN1_item_d2i_fp, ASN1_item_i2d_mem_bio #include - ASN1_VALUE *ASN1_item_d2i_ex(ASN1_VALUE **val, const unsigned char **in, + ASN1_VALUE *ASN1_item_d2i_ex(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, OSSL_LIB_CTX *libctx, const char *propq); - ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **val, const unsigned char **in, + ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it); - void *ASN1_item_d2i_bio_ex(const ASN1_ITEM *it, BIO *in, void *pval, + void *ASN1_item_d2i_bio_ex(const ASN1_ITEM *it, BIO *in, void *x, OSSL_LIB_CTX *libctx, const char *propq); - void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *pval); + void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x); void *ASN1_item_d2i_fp_ex(const ASN1_ITEM *it, FILE *in, void *x, OSSL_LIB_CTX *libctx, const char *propq); diff --git a/doc/man3/OSSL_CMP_MSG_get0_header.pod b/doc/man3/OSSL_CMP_MSG_get0_header.pod index 32cdf81187..741349cd6e 100644 --- a/doc/man3/OSSL_CMP_MSG_get0_header.pod +++ b/doc/man3/OSSL_CMP_MSG_get0_header.pod @@ -20,7 +20,7 @@ i2d_OSSL_CMP_MSG_bio int OSSL_CMP_MSG_get_bodytype(const OSSL_CMP_MSG *msg); int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid); - OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file); + OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx, const char *propq); int OSSL_CMP_MSG_write(const char *file, const OSSL_CMP_MSG *msg); OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg); int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg); diff --git a/doc/man3/OSSL_HTTP_REQ_CTX.pod b/doc/man3/OSSL_HTTP_REQ_CTX.pod index 38f57f5cd6..0c270780e1 100644 --- a/doc/man3/OSSL_HTTP_REQ_CTX.pod +++ b/doc/man3/OSSL_HTTP_REQ_CTX.pod 
@@ -70,8 +70,7 @@ The allocated context structure is also populated with an internal allocated memory B, which collects the HTTP request and additional headers as text. OSSL_HTTP_REQ_CTX_free() frees up the HTTP request context I. -The I and I are not free'd and it is up to the application -to do so. +The I is not free'd, I will be free'd if I is set. OSSL_HTTP_REQ_CTX_set_request_line() adds the HTTP request line to the context. The HTTP method is determined by I, From tomas at openssl.org Thu Sep 9 07:32:32 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Thu, 09 Sep 2021 07:32:32 +0000 Subject: [openssl] master update Message-ID: <1631172752.405819.16149.nullmailer@dev.openssl.org> The branch master has been updated via 5ecf10a0d2fb1c858b25afd5e48eafe6ef76edd4 (commit) from 81280137a1f33685d7d7fc531ea8fbac38e9a4b7 (commit) - Log ----------------------------------------------------------------- commit 5ecf10a0d2fb1c858b25afd5e48eafe6ef76edd4 Author: PW Hu Date: Wed Sep 8 09:13:20 2021 +0800 Fix some documentation errors CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16553) ----------------------------------------------------------------------- Summary of changes: doc/man3/ASN1_item_d2i_bio.pod | 8 ++++---- doc/man3/OSSL_CMP_MSG_get0_header.pod | 2 +- doc/man3/OSSL_HTTP_REQ_CTX.pod | 3 +-- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/doc/man3/ASN1_item_d2i_bio.pod b/doc/man3/ASN1_item_d2i_bio.pod index 9083f85f69..bdf5c48096 100644 --- a/doc/man3/ASN1_item_d2i_bio.pod +++ b/doc/man3/ASN1_item_d2i_bio.pod 
@@ -10,15 +10,15 @@ ASN1_item_d2i_fp_ex, ASN1_item_d2i_fp, ASN1_item_i2d_mem_bio #include - ASN1_VALUE *ASN1_item_d2i_ex(ASN1_VALUE **val, const unsigned char **in, + ASN1_VALUE *ASN1_item_d2i_ex(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, OSSL_LIB_CTX *libctx, const char *propq); - ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **val, const unsigned char **in, + ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it); - void *ASN1_item_d2i_bio_ex(const ASN1_ITEM *it, BIO *in, void *pval, + void *ASN1_item_d2i_bio_ex(const ASN1_ITEM *it, BIO *in, void *x, OSSL_LIB_CTX *libctx, const char *propq); - void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *pval); + void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x); void *ASN1_item_d2i_fp_ex(const ASN1_ITEM *it, FILE *in, void *x, OSSL_LIB_CTX *libctx, const char *propq); diff --git a/doc/man3/OSSL_CMP_MSG_get0_header.pod b/doc/man3/OSSL_CMP_MSG_get0_header.pod index 32cdf81187..741349cd6e 100644 --- a/doc/man3/OSSL_CMP_MSG_get0_header.pod +++ b/doc/man3/OSSL_CMP_MSG_get0_header.pod @@ -20,7 +20,7 @@ i2d_OSSL_CMP_MSG_bio int OSSL_CMP_MSG_get_bodytype(const OSSL_CMP_MSG *msg); int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid); - OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file); + OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx, const char *propq); int OSSL_CMP_MSG_write(const char *file, const OSSL_CMP_MSG *msg); OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg); int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg); diff --git a/doc/man3/OSSL_HTTP_REQ_CTX.pod b/doc/man3/OSSL_HTTP_REQ_CTX.pod index 38f57f5cd6..0c270780e1 100644 --- a/doc/man3/OSSL_HTTP_REQ_CTX.pod +++ b/doc/man3/OSSL_HTTP_REQ_CTX.pod 
@@ -70,8 +70,7 @@ The allocated context structure is also populated with an internal allocated memory B, which collects the HTTP request and additional headers as text. OSSL_HTTP_REQ_CTX_free() frees up the HTTP request context I. -The I and I are not free'd and it is up to the application -to do so. +The I is not free'd, I will be free'd if I is set. OSSL_HTTP_REQ_CTX_set_request_line() adds the HTTP request line to the context. The HTTP method is determined by I, From pauli at openssl.org Thu Sep 9 08:32:53 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 09 Sep 2021 08:32:53 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631176373.573660.29147.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 8ad183c1448551d715ac255c612e982d04637463 (commit) from de26f8fad7948adc935ab0aae2fc9fa5d6c11411 (commit) - Log ----------------------------------------------------------------- commit 8ad183c1448551d715ac255c612e982d04637463 Author: Pauli Date: Thu Sep 9 14:39:37 2021 +1000 Remove end of line whitespace to appease CI checks Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16567) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 2 +- NEWS.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 6177b57c2e..21e8d2029a 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -30,7 +30,7 @@ breaking changes, and mappings for the large list of deprecated functions. ### Changes between 3.0.0 and 3.0.1 [xx XXX xxxx] - * + * ### Changes between 1.1.1 and 3.0.0 [7 sep 2021] diff --git a/NEWS.md b/NEWS.md index f3dde1a2f7..0b1fc5fe97 100644 --- a/NEWS.md +++ b/NEWS.md @@ -20,7 +20,7 @@ OpenSSL 3.0 ### Major changes between OpenSSL 3.0.0 and OpenSSL 3.0.1 [under development] - * + * ### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0.0 [7 sep 2021] From levitte at openssl.org Thu Sep 9 09:22:32 2021 
From: levitte at openssl.org (Richard Levitte) Date: Thu, 09 Sep 2021 09:22:32 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1631179352.190190.545.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 2753b6ff7f0b91c7ddeb72a6a08948ca28d12a91 (commit) from 61ac53426e7873ead414b9259eb4446e2608209b (commit) - Log ----------------------------------------------------------------- commit 2753b6ff7f0b91c7ddeb72a6a08948ca28d12a91 Author: Richard Levitte Date: Wed Sep 8 10:49:27 2021 +0200 VMS: Fix misspelt type '__int64', not 'int64_t' Ref: commit 2e5cdbc18a1a26bfc817070a52689886fa0669c2 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16557) ----------------------------------------------------------------------- Summary of changes: crypto/rand/rand_vms.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/rand/rand_vms.c b/crypto/rand/rand_vms.c index fe516c3ca5..4afc101295 100644 --- a/crypto/rand/rand_vms.c +++ b/crypto/rand/rand_vms.c @@ -484,7 +484,7 @@ int rand_pool_add_nonce_data(RAND_POOL *pool) struct { pid_t pid; CRYPTO_THREAD_ID tid; - unsigned __int64_t time; + unsigned __int64 time; } data = { 0 }; /* @@ -582,7 +582,7 @@ int rand_pool_add_additional_data(RAND_POOL *pool) { struct { CRYPTO_THREAD_ID tid; - unsigned __int64_t time; + unsigned __int64 time; } data = { 0 }; /* From levitte at openssl.org Thu Sep 9 09:26:22 2021 
From: levitte at openssl.org (Richard Levitte) Date: Thu, 09 Sep 2021 09:26:22 +0000 Subject: [openssl] master update Message-ID: <1631179582.759681.8030.nullmailer@dev.openssl.org> The branch master has been updated via 2fe2279d1f3bbfa934e432d4f2c3a7e6a6b0f958 (commit) from 5ecf10a0d2fb1c858b25afd5e48eafe6ef76edd4 (commit) - Log ----------------------------------------------------------------- commit 2fe2279d1f3bbfa934e432d4f2c3a7e6a6b0f958 Author: Richard Levitte Date: Tue Sep 7 10:00:12 2021 +0200 Enhance the srctop, bldtop, data and result functions to check the result This affects bldtop_dir, bldtop_file, srctop_dir, srctop_file, data_dir, data_file, result_dir, and result_file. They are all enhanced to check that the resulting path really is a directory or a file. They only do this if the path exists. This allows the tests to catch if these functions are used incorrectly, even on systems where the syntax for directories and files is the same. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16523) ----------------------------------------------------------------------- Summary of changes: util/perl/OpenSSL/Test.pm | 60 +++++++++++++++++++++++++++++++++-------------- 1 file changed, 43 insertions(+), 17 deletions(-) diff --git a/util/perl/OpenSSL/Test.pm b/util/perl/OpenSSL/Test.pm index 00ef1832d3..3123c1d3ec 100644 --- a/util/perl/OpenSSL/Test.pm +++ b/util/perl/OpenSSL/Test.pm @@ -10,6 +10,7 @@ package OpenSSL::Test; use strict; use warnings; +use Carp; use Test::More 0.96; use Exporter; @@ -557,8 +558,11 @@ operating system. =cut sub bldtop_dir { - return __bldtop_dir(@_); # This caters for operating systems that have + my $d = __bldtop_dir(@_); # This caters for operating systems that have # a very distinct syntax for directories. + + croak "$d isn't a directory" if -e $d && ! -d $d; + return $d; } =over 4 
@@ -576,7 +580,10 @@ operating system. =cut sub bldtop_file { - return __bldtop_file(@_); + my $f = __bldtop_file(@_); + + croak "$f isn't a file" if -e $f && ! -f $f; + return $f; } =over 4 @@ -594,8 +601,11 @@ operating system. =cut sub srctop_dir { - return __srctop_dir(@_); # This caters for operating systems that have + my $d = __srctop_dir(@_); # This caters for operating systems that have # a very distinct syntax for directories. + + croak "$d isn't a directory" if -e $d && ! -d $d; + return $d; } =over 4 @@ -613,7 +623,10 @@ operating system. =cut sub srctop_file { - return __srctop_file(@_); + my $f = __srctop_file(@_); + + croak "$f isn't a file" if -e $f && ! -f $f; + return $f; } =over 4 @@ -630,7 +643,10 @@ operating system. =cut sub data_dir { - return __data_dir(@_); + my $d = __data_dir(@_); + + croak "$d isn't a directory" if -e $d && ! -d $d; + return $d; } =over 4 @@ -647,15 +663,20 @@ file path as a string, adapted to the local operating system. =cut sub data_file { - return __data_file(@_); + my $f = __data_file(@_); + + croak "$f isn't a file" if -e $f && ! -f $f; + return $f; } =over 4 -=item B +=item B -C returns the directory where test output files should be placed -as a string, adapted to the local operating system. +LIST is a list of directories that make up a path from the result directory +associated with the test (see L above). +C returns the resulting directory as a string, adapted to the local +operating system. =back 
@@ -664,17 +685,20 @@ as a string, adapted to the local operating system. sub result_dir { BAIL_OUT("Must run setup() first") if (! $test_name); - return catfile($directories{RESULTS}); + my $d = catdir($directories{RESULTS}, at _); + + croak "$d isn't a directory" if -e $d && ! -d $d; + return $d; } =over 4 -=item B +=item B -FILENAME is the name of a test output file. -C returns the path of the given file as a string, -prepending to the file name the path to the directory where test output files -should be placed, adapted to the local operating system. +LIST is a list of directories that make up a path from the data directory +associated with the test (see L above) and FILENAME is the name +of a file located in that directory path. C returns the resulting +file path as a string, adapted to the local operating system. =back @@ -683,8 +707,10 @@ should be placed, adapted to the local operating system. sub result_file { BAIL_OUT("Must run setup() first") if (! $test_name); - my $f = pop; - return catfile(result_dir(), at _,$f); + my $f = catfile(result_dir(), at _); + + croak "$f isn't a file" if -e $f && ! -f $f; + return $f; } =over 4 From levitte at openssl.org Thu Sep 9 10:08:13 2021 
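Review bot: The new POD for result_file, in the last hunk of util/perl/OpenSSL/Test.pm, says LIST is "a path from the data directory associated with the test". That wording looks carried over from data_file. The function builds its path on result_dir(), so the text should name the result directory. Separately, every added guard has the form `-e $f && ! -f $f`, so a wrong-kind path is only caught once it exists on disk. A test that passes a directory name to result_file before that directory has been created still passes silently. That limit is stated in the commit message and should also appear in the POD of these functions.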
From: levitte at openssl.org (Richard Levitte) Date: Thu, 09 Sep 2021 10:08:13 +0000 Subject: [openssl] master update Message-ID: <1631182093.161878.10515.nullmailer@dev.openssl.org> The branch master has been updated via 435981cbadad2c58c35bacd30ca5d8b4c9bea72f (commit) from 2fe2279d1f3bbfa934e432d4f2c3a7e6a6b0f958 (commit) - Log ----------------------------------------------------------------- commit 435981cbadad2c58c35bacd30ca5d8b4c9bea72f Author: Richard Levitte Date: Wed Sep 8 09:40:37 2021 +0200 OpenSSL::Ordinals::set_version() should only be given the short version This function tried to shave off the pre-release and build metadata text from the version number it gets, but didn't do that quite right. Since this isn't even a documented behaviour, the easier, and arguably more correct path is for that function not to try to shave off anything, and for the callers to feed it the short version number, "{MAJOR}.{MINOR}.{PATCH}", nothing more. The build file templates are adjusted accordingly. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16556) ----------------------------------------------------------------------- Summary of changes: Configurations/descrip.mms.tmpl | 3 ++- Configurations/unix-Makefile.tmpl | 11 ++++++----- Configurations/windows-makefile.tmpl | 3 ++- util/perl/OpenSSL/Ordinals.pm | 2 -- 4 files changed, 10 insertions(+), 9 deletions(-) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 3db0fc7286..42dea4752a 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -267,6 +267,7 @@ VERBOSE=$(V) VERBOSE_FAILURE=$(VF) VERSION={- "$config{full_version}" -} +VERSION_NUMBER={- "$config{version}" -} MAJOR={- $config{major} -} MINOR={- $config{minor} -} SHLIB_VERSION_NUMBER={- $config{shlib_version} -} 
@@ -904,7 +905,7 @@ EOF # my $target = platform->def($args{src}); my $mkdef = sourcefile('util', 'mkdef.pl'); - my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION)' : ''; + my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION_NUMBER)' : ''; my $ord_name = $args{generator}->[1] || basename($args{product}, '.EXE'); my $case_insensitive = diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index f88a70f482..0cab39267c 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -67,6 +67,7 @@ BLDDIR={- $config{builddir} -} FIPSKEY={- $config{FIPSKEY} -} VERSION={- "$config{full_version}" -} +VERSION_NUMBER={- "$config{version}" -} MAJOR={- $config{major} -} MINOR={- $config{minor} -} SHLIB_VERSION_NUMBER={- $config{shlib_version} -} 
@@ -1305,23 +1306,23 @@ SSLHEADERS={- join(" \\\n" . ' ' x 11, fill_lines(" ", $COLUMNS - 11, sort keys %sslheaders)) -} renumber: build_generated - $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \ + $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \ --ordinals $(SRCDIR)/util/libcrypto.num \ --symhacks $(SRCDIR)/include/openssl/symhacks.h \ --renumber \ $(CRYPTOHEADERS) - $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \ + $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \ --ordinals $(SRCDIR)/util/libssl.num \ --symhacks $(SRCDIR)/include/openssl/symhacks.h \ --renumber \ $(SSLHEADERS) ordinals: build_generated - $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \ + $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \ --ordinals $(SRCDIR)/util/libcrypto.num \ --symhacks $(SRCDIR)/include/openssl/symhacks.h \ $(CRYPTOHEADERS) - $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \ + $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \ --ordinals $(SRCDIR)/util/libssl.num \ --symhacks $(SRCDIR)/include/openssl/symhacks.h \ $(SSLHEADERS) @@ -1529,7 +1530,7 @@ EOF # my $target = platform->def($args{src}); (my $mkdef_os = $target{shared_target}) =~ s|-shared$||; - my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION)' : ''; + my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION_NUMBER)' : ''; my $ord_name = $args{generator}->[1] || $args{product}; return <<"EOF"; $target: $gen0 $deps \$(SRCDIR)/util/mkdef.pl diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index 26357c75bc..d6dc008ba7 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl 
@@ -41,6 +41,7 @@ BLDDIR={- $config{builddir} -} FIPSKEY={- $config{FIPSKEY} -} VERSION={- "$config{full_version}" -} +VERSION_NUMBER={- "$config{version}" -} MAJOR={- $config{major} -} MINOR={- $config{minor} -} @@ -727,7 +728,7 @@ EOF my $mkdef = abs2rel(rel2abs(catfile($config{sourcedir}, "util", "mkdef.pl")), rel2abs($config{builddir})); - my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION)' : ''; + my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION_NUMBER)' : ''; my $ord_name = $args{generator}->[1] || platform->dsoname($args{product}); return <<"EOF"; diff --git a/util/perl/OpenSSL/Ordinals.pm b/util/perl/OpenSSL/Ordinals.pm index 7e4c008dc2..f6c63d14c4 100644 --- a/util/perl/OpenSSL/Ordinals.pm +++ b/util/perl/OpenSSL/Ordinals.pm @@ -623,8 +623,6 @@ sub set_version { my $version = shift // '*'; my $baseversion = shift // '*'; - $version =~ s|-.*||g; - if ($baseversion eq '*') { $baseversion = $version; if ($baseversion ne '*') { From levitte at openssl.org Thu Sep 9 10:09:50 2021 
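Review bot: In util/perl/OpenSSL/Ordinals.pm, set_version() loses `$version =~ s|-.*||g;` and now trusts every caller to pass "{MAJOR}.{MINOR}.{PATCH}", but nothing in the hunk enforces or documents that contract. The three build file templates are switched to $(VERSION_NUMBER), yet any other caller that still hands in the full version string would have the pre-release or build metadata text carried into the ordinals without a diagnostic. Suggest that set_version() reject a value that is neither '*' nor a plain dotted number, or at least that its POD state the expected format.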
From: levitte at openssl.org (Richard Levitte) Date: Thu, 09 Sep 2021 10:09:50 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631182190.687499.12841.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 69afbf88a4fab3ba3bf19f438abc8ca7787027ff (commit) from 8ad183c1448551d715ac255c612e982d04637463 (commit) - Log ----------------------------------------------------------------- commit 69afbf88a4fab3ba3bf19f438abc8ca7787027ff Author: Richard Levitte Date: Wed Sep 8 09:40:37 2021 +0200 OpenSSL::Ordinals::set_version() should only be given the short version This function tried to shave off the pre-release and build metadata text from the version number it gets, but didn't do that quite right. Since this isn't even a documented behaviour, the easier, and arguably more correct path is for that function not to try to shave off anything, and for the callers to feed it the short version number, "{MAJOR}.{MINOR}.{PATCH}", nothing more. The build file templates are adjusted accordingly. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16556) (cherry picked from commit 435981cbadad2c58c35bacd30ca5d8b4c9bea72f) ----------------------------------------------------------------------- Summary of changes: Configurations/descrip.mms.tmpl | 3 ++- Configurations/unix-Makefile.tmpl | 11 ++++++----- Configurations/windows-makefile.tmpl | 3 ++- util/perl/OpenSSL/Ordinals.pm | 2 -- 4 files changed, 10 insertions(+), 9 deletions(-) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 3db0fc7286..42dea4752a 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -267,6 +267,7 @@ VERBOSE=$(V) VERBOSE_FAILURE=$(VF) VERSION={- "$config{full_version}" -} +VERSION_NUMBER={- "$config{version}" -} MAJOR={- $config{major} -} MINOR={- $config{minor} -} SHLIB_VERSION_NUMBER={- $config{shlib_version} -} 
@@ -904,7 +905,7 @@ EOF # my $target = platform->def($args{src}); my $mkdef = sourcefile('util', 'mkdef.pl'); - my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION)' : ''; + my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION_NUMBER)' : ''; my $ord_name = $args{generator}->[1] || basename($args{product}, '.EXE'); my $case_insensitive = diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index f88a70f482..0cab39267c 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -67,6 +67,7 @@ BLDDIR={- $config{builddir} -} FIPSKEY={- $config{FIPSKEY} -} VERSION={- "$config{full_version}" -} +VERSION_NUMBER={- "$config{version}" -} MAJOR={- $config{major} -} MINOR={- $config{minor} -} SHLIB_VERSION_NUMBER={- $config{shlib_version} -} 
@@ -1305,23 +1306,23 @@ SSLHEADERS={- join(" \\\n" . ' ' x 11, fill_lines(" ", $COLUMNS - 11, sort keys %sslheaders)) -} renumber: build_generated - $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \ + $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \ --ordinals $(SRCDIR)/util/libcrypto.num \ --symhacks $(SRCDIR)/include/openssl/symhacks.h \ --renumber \ $(CRYPTOHEADERS) - $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \ + $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \ --ordinals $(SRCDIR)/util/libssl.num \ --symhacks $(SRCDIR)/include/openssl/symhacks.h \ --renumber \ $(SSLHEADERS) ordinals: build_generated - $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \ + $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \ --ordinals $(SRCDIR)/util/libcrypto.num \ --symhacks $(SRCDIR)/include/openssl/symhacks.h \ $(CRYPTOHEADERS) - $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \ + $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \ --ordinals $(SRCDIR)/util/libssl.num \ --symhacks $(SRCDIR)/include/openssl/symhacks.h \ $(SSLHEADERS) @@ -1529,7 +1530,7 @@ EOF # my $target = platform->def($args{src}); (my $mkdef_os = $target{shared_target}) =~ s|-shared$||; - my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION)' : ''; + my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION_NUMBER)' : ''; my $ord_name = $args{generator}->[1] || $args{product}; return <<"EOF"; $target: $gen0 $deps \$(SRCDIR)/util/mkdef.pl diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index 26357c75bc..d6dc008ba7 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl 
@@ -41,6 +41,7 @@ BLDDIR={- $config{builddir} -} FIPSKEY={- $config{FIPSKEY} -} VERSION={- "$config{full_version}" -} +VERSION_NUMBER={- "$config{version}" -} MAJOR={- $config{major} -} MINOR={- $config{minor} -} @@ -727,7 +728,7 @@ EOF my $mkdef = abs2rel(rel2abs(catfile($config{sourcedir}, "util", "mkdef.pl")), rel2abs($config{builddir})); - my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION)' : ''; + my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION_NUMBER)' : ''; my $ord_name = $args{generator}->[1] || platform->dsoname($args{product}); return <<"EOF"; diff --git a/util/perl/OpenSSL/Ordinals.pm b/util/perl/OpenSSL/Ordinals.pm index 7e4c008dc2..f6c63d14c4 100644 --- a/util/perl/OpenSSL/Ordinals.pm +++ b/util/perl/OpenSSL/Ordinals.pm @@ -623,8 +623,6 @@ sub set_version { my $version = shift // '*'; my $baseversion = shift // '*'; - $version =~ s|-.*||g; - if ($baseversion eq '*') { $baseversion = $version; if ($baseversion ne '*') { From no-reply at appveyor.com Thu Sep 9 17:36:48 2021 From: no-reply at appveyor.com (AppVeyor) Date: Thu, 09 Sep 2021 17:36:48 +0000 Subject: Build failed: openssl master.42698 Message-ID: <20210909173648.1.B3B91CF219AED900@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Thu Sep 9 19:20:48 2021 From: no-reply at appveyor.com (AppVeyor) Date: Thu, 09 Sep 2021 19:20:48 +0000 Subject: Build completed: openssl openssl-3.0.42699 Message-ID: <20210909192048.1.A7BE45D434BCB630@appveyor.com> An HTML attachment was scrubbed... URL: From pauli at openssl.org Fri Sep 10 08:02:33 2021 
From: pauli at openssl.org (Dr. Paul Dale) Date: Fri, 10 Sep 2021 08:02:33 +0000 Subject: [openssl] master update Message-ID: <1631260953.945512.27563.nullmailer@dev.openssl.org> The branch master has been updated via e82fc27bcd34f246e1acd42a61e8ba62907e1d19 (commit) from 435981cbadad2c58c35bacd30ca5d8b4c9bea72f (commit) - Log ----------------------------------------------------------------- commit e82fc27bcd34f246e1acd42a61e8ba62907e1d19 Author: astraujums Date: Wed Sep 8 15:55:39 2021 +0300 Fixed state transitions for the HTML version of the life_cycle-kdf.pod. The MAN version was fine and so are kdf.dot and lifecycles.ods from doc/life-cycles CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16559) ----------------------------------------------------------------------- Summary of changes: doc/man7/life_cycle-kdf.pod | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/man7/life_cycle-kdf.pod b/doc/man7/life_cycle-kdf.pod index 6a50cc9aa6..d2aec8fe82 100644 --- a/doc/man7/life_cycle-kdf.pod +++ b/doc/man7/life_cycle-kdf.pod @@ -103,19 +103,19 @@ This is the canonical list.
    - - - - - - + + + + + + From pauli at openssl.org Fri Sep 10 08:03:00 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Fri, 10 Sep 2021 08:03:00 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631260980.120156.28890.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via bfdce628350730b44dc46a4fc22d19e988fd8c50 (commit) from 69afbf88a4fab3ba3bf19f438abc8ca7787027ff (commit) - Log ----------------------------------------------------------------- commit bfdce628350730b44dc46a4fc22d19e988fd8c50 Author: astraujums Date: Wed Sep 8 15:55:39 2021 +0300 Fixed state transitions for the HTML version of the life_cycle-kdf.pod. The MAN version was fine and so are kdf.dot and lifecycles.ods from doc/life-cycles CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16559) (cherry picked from commit e82fc27bcd34f246e1acd42a61e8ba62907e1d19) ----------------------------------------------------------------------- Summary of changes: doc/man7/life_cycle-kdf.pod | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/man7/life_cycle-kdf.pod b/doc/man7/life_cycle-kdf.pod index 6a50cc9aa6..d2aec8fe82 100644 --- a/doc/man7/life_cycle-kdf.pod +++ b/doc/man7/life_cycle-kdf.pod @@ -103,19 +103,19 @@ This is the canonical list. - - - - - - + + + + + + From levitte at openssl.org Fri Sep 10 10:03:19 2021 
From: levitte at openssl.org (Richard Levitte) Date: Fri, 10 Sep 2021 10:03:19 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631268199.582789.17284.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 1dc15a3330434ef1f79921a2d97c585048dcf05e (commit) from bfdce628350730b44dc46a4fc22d19e988fd8c50 (commit) - Log ----------------------------------------------------------------- commit 1dc15a3330434ef1f79921a2d97c585048dcf05e Author: Richard Levitte Date: Wed Sep 8 20:16:37 2021 +0200 VMS: Fix descrip.mms template away the use of $(DEFINES), which does get populated with defines given through configuration. This makes it impossible to configure with extra defines on VMS. Uncommenting and moving $(DEFINES) to a more proper spot gives the users back that ability. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16561) ----------------------------------------------------------------------- Summary of changes: Configurations/descrip.mms.tmpl | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 42dea4752a..9812df2aef 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -110,9 +110,9 @@ @cnf_defines, 'OPENSSLDIR="""$(OPENSSLDIR_C)"""', 'ENGINESDIR="""$(ENGINESDIR_C)"""', - 'MODULESDIR="""$(MODULESDIR_C)"""', - #'$(DEFINES)' + 'MODULESDIR="""$(MODULESDIR_C)"""' ) + . '$(DEFINES)' . "'extradefines'"; our $lib_asflags = join(' ', $target{lib_asflags} || (), @{$config{lib_asflags}}, @@ -144,8 +144,8 @@ join(',', @{$target{dso_defines}}, @{$target{module_defines}}, @{$config{dso_defines}}, @{$config{module_defines}}, @cnf_defines, - #'$(DEFINES)' ) + . '$(DEFINES)' . "'extradefines'"; our $dso_asflags = join(' ', $target{dso_asflags} || (), $target{module_asflags} || (), 
@@ -180,8 +180,8 @@ join(',', @{$target{bin_defines}}, @{$config{bin_defines}}, @cnf_defines, - #'$(DEFINES)' ) + . '$(DEFINES)' . "'extradefines'"; our $bin_asflags = join(' ', $target{bin_asflags} || (), From tomas at openssl.org Fri Sep 10 10:07:41 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 10 Sep 2021 10:07:41 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631268461.472682.21813.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 49ca3979f903334e192e75eeafb371824d1c14f6 (commit) from 1dc15a3330434ef1f79921a2d97c585048dcf05e (commit) - Log ----------------------------------------------------------------- commit 49ca3979f903334e192e75eeafb371824d1c14f6 Author: Tomas Mraz Date: Thu Sep 9 09:12:22 2021 +0200 dh_ameth: Fix dh_cmp_parameters to really compare the params This is legacy DH PKEY only code. Fixes #16562 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16568) (cherry picked from commit cf1a231d44db81f8565ecae5498a4f1f6f0168c9) ----------------------------------------------------------------------- Summary of changes: crypto/dh/dh_ameth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index 0e577177ec..38d8e7a38f 100644 --- a/crypto/dh/dh_ameth.c +++ b/crypto/dh/dh_ameth.c @@ -311,7 +311,7 @@ static int dh_security_bits(const EVP_PKEY *pkey) static int dh_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) { - return ossl_ffc_params_cmp(&a->pkey.dh->params, &a->pkey.dh->params, + return ossl_ffc_params_cmp(&a->pkey.dh->params, &b->pkey.dh->params, a->ameth != &ossl_dhx_asn1_meth); } From levitte at openssl.org Fri Sep 10 10:11:08 2021 
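Review bot: No test accompanies the fix to dh_cmp_parameters() in crypto/dh/dh_ameth.c; the change summary lists only that one file. The removed line passed `&a->pkey.dh->params` as both arguments, so the result never depended on b, and a comparison that cannot report a mismatch goes unnoticed as long as only matching keys are tested. Suggest adding a negative case that compares two legacy DH keys with different parameters and expects them to be reported as different.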
From: levitte at openssl.org (Richard Levitte) Date: Fri, 10 Sep 2021 10:11:08 +0000 Subject: [openssl] master update Message-ID: <1631268668.972633.25573.nullmailer@dev.openssl.org> The branch master has been updated via 2f9ded524c2c95ab4efcc12b14e098eb4613d2f5 (commit) from cf1a231d44db81f8565ecae5498a4f1f6f0168c9 (commit) - Log ----------------------------------------------------------------- commit 2f9ded524c2c95ab4efcc12b14e098eb4613d2f5 Author: Richard Levitte Date: Wed Sep 8 20:16:37 2021 +0200 VMS: Fix descrip.mms template away the use of $(DEFINES), which does get populated with defines given through configuration. This makes it impossible to configure with extra defines on VMS. Uncommenting and moving $(DEFINES) to a more proper spot gives the users back that ability. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16561) (cherry picked from commit 1dc15a3330434ef1f79921a2d97c585048dcf05e) ----------------------------------------------------------------------- Summary of changes: Configurations/descrip.mms.tmpl | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 42dea4752a..9812df2aef 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -110,9 +110,9 @@ @cnf_defines, 'OPENSSLDIR="""$(OPENSSLDIR_C)"""', 'ENGINESDIR="""$(ENGINESDIR_C)"""', - 'MODULESDIR="""$(MODULESDIR_C)"""', - #'$(DEFINES)' + 'MODULESDIR="""$(MODULESDIR_C)"""' ) + . '$(DEFINES)' . "'extradefines'"; our $lib_asflags = join(' ', $target{lib_asflags} || (), @{$config{lib_asflags}}, @@ -144,8 +144,8 @@ join(',', @{$target{dso_defines}}, @{$target{module_defines}}, @{$config{dso_defines}}, @{$config{module_defines}}, @cnf_defines, - #'$(DEFINES)' ) + . '$(DEFINES)' . "'extradefines'"; our $dso_asflags = join(' ', $target{dso_asflags} || (), $target{module_asflags} || (), 
@@ -180,8 +180,8 @@ join(',', @{$target{bin_defines}}, @{$config{bin_defines}}, @cnf_defines, - #'$(DEFINES)' ) + . '$(DEFINES)' . "'extradefines'"; our $bin_asflags = join(' ', $target{bin_asflags} || (), From tomas at openssl.org Fri Sep 10 10:07:14 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 10 Sep 2021 10:07:14 +0000 Subject: [openssl] master update Message-ID: <1631268435.005482.20619.nullmailer@dev.openssl.org> The branch master has been updated via cf1a231d44db81f8565ecae5498a4f1f6f0168c9 (commit) from e82fc27bcd34f246e1acd42a61e8ba62907e1d19 (commit) - Log ----------------------------------------------------------------- commit cf1a231d44db81f8565ecae5498a4f1f6f0168c9 Author: Tomas Mraz Date: Thu Sep 9 09:12:22 2021 +0200 dh_ameth: Fix dh_cmp_parameters to really compare the params This is legacy DH PKEY only code. Fixes #16562 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16568) ----------------------------------------------------------------------- Summary of changes: crypto/dh/dh_ameth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index 0e577177ec..38d8e7a38f 100644 --- a/crypto/dh/dh_ameth.c +++ b/crypto/dh/dh_ameth.c @@ -311,7 +311,7 @@ static int dh_security_bits(const EVP_PKEY *pkey) static int dh_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) { - return ossl_ffc_params_cmp(&a->pkey.dh->params, &a->pkey.dh->params, + return ossl_ffc_params_cmp(&a->pkey.dh->params, &b->pkey.dh->params, a->ameth != &ossl_dhx_asn1_meth); } From levitte at openssl.org Fri Sep 10 10:15:37 2021 
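Review bot: In Configurations/descrip.mms.tmpl, all three hunks append the macro with `. '$(DEFINES)'` after the closing parenthesis of join(',', ...), so no comma is inserted between the last joined item and the macro's expansion. The resulting define list is only well formed if $(DEFINES) expands to nothing or to text that begins with its own comma, which is presumably also how 'extradefines' on the following line behaves. A short comment at the first occurrence stating that expectation would keep a later cleanup from moving the macro back inside the join, or from adding a separator that produces an empty list element.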
From: levitte at openssl.org (Richard Levitte) Date: Fri, 10 Sep 2021 10:15:37 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631268937.638705.29807.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via c1dc3536a89d71f8545f3c70bee2332f389a871d (commit) from 49ca3979f903334e192e75eeafb371824d1c14f6 (commit) - Log ----------------------------------------------------------------- commit c1dc3536a89d71f8545f3c70bee2332f389a871d Author: Richard Levitte Date: Wed Sep 8 21:58:19 2021 +0200 Fix 'openssl speed' information printout Most of all, this reduces the following: built on: built on: Wed Sep 8 19:41:55 2021 UTC to: built on: Wed Sep 8 19:41:55 2021 UTC Reviewed-by: Paul Dale Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/16563) ----------------------------------------------------------------------- Summary of changes: apps/speed.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/apps/speed.c b/apps/speed.c index 830a502656..1e5295398f 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -3092,10 +3092,9 @@ int speed_main(int argc, char **argv) #endif if (!mr) { printf("version: %s\n", OpenSSL_version(OPENSSL_FULL_VERSION_STRING)); - printf("built on: %s\n", OpenSSL_version(OPENSSL_BUILT_ON)); - printf("options:"); - printf("%s ", BN_options()); - printf("\n%s\n", OpenSSL_version(OPENSSL_CFLAGS)); + printf("%s\n", OpenSSL_version(OPENSSL_BUILT_ON)); + printf("options: %s\n", BN_options()); + printf("%s\n", OpenSSL_version(OPENSSL_CFLAGS)); printf("%s\n", OpenSSL_version(OPENSSL_CPU_INFO)); } From levitte at openssl.org Fri Sep 10 10:16:16 2021 
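Review bot: In apps/speed.c, the new `printf("%s\n", OpenSSL_version(OPENSSL_BUILT_ON));` depends on the returned string carrying its own "built on: " label, which is what the before and after output in the commit message shows, and the OPENSSL_CFLAGS and OPENSSL_CPU_INFO lines next to it depend on the same convention. A one-line comment above this group saying that these strings are self-labelled would prevent the prefix from being added back. The "options:" line also changes shape, gaining a space after the colon and losing the trailing one; that is confined to the `if (!mr)` branch, so only the human-readable output is affected.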
From: levitte at openssl.org (Richard Levitte) Date: Fri, 10 Sep 2021 10:16:16 +0000 Subject: [openssl] master update Message-ID: <1631268976.578487.31184.nullmailer@dev.openssl.org> The branch master has been updated via 9e1b6f3cdc9258b6759d00cd23819925c9e4c391 (commit) from 2f9ded524c2c95ab4efcc12b14e098eb4613d2f5 (commit) - Log ----------------------------------------------------------------- commit 9e1b6f3cdc9258b6759d00cd23819925c9e4c391 Author: Richard Levitte Date: Wed Sep 8 21:58:19 2021 +0200 Fix 'openssl speed' information printout Most of all, this reduces the following: built on: built on: Wed Sep 8 19:41:55 2021 UTC to: built on: Wed Sep 8 19:41:55 2021 UTC Reviewed-by: Paul Dale Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/16563) (cherry picked from commit c1dc3536a89d71f8545f3c70bee2332f389a871d) ----------------------------------------------------------------------- Summary of changes: apps/speed.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/apps/speed.c b/apps/speed.c index 830a502656..1e5295398f 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -3092,10 +3092,9 @@ int speed_main(int argc, char **argv) #endif if (!mr) { printf("version: %s\n", OpenSSL_version(OPENSSL_FULL_VERSION_STRING)); - printf("built on: %s\n", OpenSSL_version(OPENSSL_BUILT_ON)); - printf("options:"); - printf("%s ", BN_options()); - printf("\n%s\n", OpenSSL_version(OPENSSL_CFLAGS)); + printf("%s\n", OpenSSL_version(OPENSSL_BUILT_ON)); + printf("options: %s\n", BN_options()); + printf("%s\n", OpenSSL_version(OPENSSL_CFLAGS)); printf("%s\n", OpenSSL_version(OPENSSL_CPU_INFO)); } From tomas at openssl.org Fri Sep 10 12:08:43 2021 
From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 10 Sep 2021 12:08:43 +0000 Subject: [openssl] master update Message-ID: <1631275723.295593.4956.nullmailer@dev.openssl.org> The branch master has been updated via 85efdaab4d068f7de354b0a18f70f1737941dc7f (commit) from 9e1b6f3cdc9258b6759d00cd23819925c9e4c391 (commit) - Log ----------------------------------------------------------------- commit 85efdaab4d068f7de354b0a18f70f1737941dc7f Author: Tomas Mraz Date: Thu Sep 9 09:19:58 2021 +0200 install_fips: Create the OPENSSLDIR as it might not exist Fixes #16564 Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/16569) ----------------------------------------------------------------------- Summary of changes: Configurations/descrip.mms.tmpl | 2 ++ Configurations/unix-Makefile.tmpl | 1 + Configurations/windows-makefile.tmpl | 1 + 3 files changed, 4 insertions(+) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 9812df2aef..9767802e88 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -570,6 +570,8 @@ uninstall_docs : uninstall_html_docs {- output_off() if $disabled{fips}; "" -} install_fips : build_sw $(INSTALL_FIPSMODULECONF) @ WRITE SYS$OUTPUT "*** Installing FIPS module" + - CREATE/DIR ossl_installroot:[MODULES{- $sover_dirname.$target{pointer_size} -}.'arch'] + - CREATE/DIR/PROT=(S:RWED,O:RWE,G:RE,W:RE) OSSL_DATAROOT:[000000] COPY/PROT=W:RE $(INSTALL_FIPSMODULES) - ossl_installroot:[MODULES{- $sover_dirname.$target{pointer_size} -}.'arch']$(FIPSMODULENAME) @ WRITE SYS$OUTPUT "*** Installing FIPS module configuration" diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 0cab39267c..bf53cbcec5 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl 
@@ -619,6 +619,7 @@ uninstall_docs: uninstall_man_docs uninstall_html_docs install_fips: build_sw $(INSTALL_FIPSMODULECONF) @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MODULESDIR) + @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR) @$(ECHO) "*** Installing FIPS module" @$(ECHO) "install $(INSTALL_FIPSMODULE) -> $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)" @cp "$(INSTALL_FIPSMODULE)" $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index d6dc008ba7..63431b97ed 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl @@ -500,6 +500,7 @@ uninstall_docs: uninstall_html_docs install_fips: build_sw $(INSTALL_FIPSMODULECONF) # @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @$(PERL) $(SRCDIR)\util\mkdir-p.pl $(MODULESDIR) + @$(PERL) $(SRCDIR)\util\mkdir-p.pl $(OPENSSLDIR) @$(ECHO) "*** Installing FIPS module" @$(ECHO) "install $(INSTALL_FIPSMODULE) -> $(MODULESDIR)\$(FIPSMODULENAME)" @"$(PERL)" "$(SRCDIR)\util\copy.pl" "$(INSTALL_FIPSMODULE)" "$(MODULESDIR)" From tomas at openssl.org Fri Sep 10 12:09:17 2021 
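Review bot: In the Configurations/descrip.mms.tmpl hunk at '@@ -570,6 +570,8 @@', the two added CREATE/DIR lines are not equivalent: the OSSL_DATAROOT:[000000] one sets /PROT=(S:RWED,O:RWE,G:RE,W:RE), while the ossl_installroot:[MODULES...] one sets no protection and leaves the modules directory to the default. If that is deliberate it deserves a comment; otherwise give both the same explicit protection. Both lines also carry a leading '-', which in make-style action lines ignores the command's failure, so a directory that could not be created only shows up as an error from the COPY that follows. The commit message mentions OPENSSLDIR only, yet this hunk also starts creating the modules directory; the message should say so.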
From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 10 Sep 2021 12:09:17 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631275757.087523.6173.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 96c925c41bf6d9f60f3e8cbe528e82ac7ddc9539 (commit) from c1dc3536a89d71f8545f3c70bee2332f389a871d (commit) - Log ----------------------------------------------------------------- commit 96c925c41bf6d9f60f3e8cbe528e82ac7ddc9539 Author: Tomas Mraz Date: Thu Sep 9 09:19:58 2021 +0200 install_fips: Create the OPENSSLDIR as it might not exist Fixes #16564 Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/16569) (cherry picked from commit 85efdaab4d068f7de354b0a18f70f1737941dc7f) ----------------------------------------------------------------------- Summary of changes: Configurations/descrip.mms.tmpl | 2 ++ Configurations/unix-Makefile.tmpl | 1 + Configurations/windows-makefile.tmpl | 1 + 3 files changed, 4 insertions(+) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 9812df2aef..9767802e88 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -570,6 +570,8 @@ uninstall_docs : uninstall_html_docs {- output_off() if $disabled{fips}; "" -} install_fips : build_sw $(INSTALL_FIPSMODULECONF) @ WRITE SYS$OUTPUT "*** Installing FIPS module" + - CREATE/DIR ossl_installroot:[MODULES{- $sover_dirname.$target{pointer_size} -}.'arch'] + - CREATE/DIR/PROT=(S:RWED,O:RWE,G:RE,W:RE) OSSL_DATAROOT:[000000] COPY/PROT=W:RE $(INSTALL_FIPSMODULES) - ossl_installroot:[MODULES{- $sover_dirname.$target{pointer_size} -}.'arch']$(FIPSMODULENAME) @ WRITE SYS$OUTPUT "*** Installing FIPS module configuration" diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 0cab39267c..bf53cbcec5 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl 
@@ -619,6 +619,7 @@ uninstall_docs: uninstall_man_docs uninstall_html_docs install_fips: build_sw $(INSTALL_FIPSMODULECONF) @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MODULESDIR) + @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR) @$(ECHO) "*** Installing FIPS module" @$(ECHO) "install $(INSTALL_FIPSMODULE) -> $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)" @cp "$(INSTALL_FIPSMODULE)" $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index d6dc008ba7..63431b97ed 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl @@ -500,6 +500,7 @@ uninstall_docs: uninstall_html_docs install_fips: build_sw $(INSTALL_FIPSMODULECONF) # @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @$(PERL) $(SRCDIR)\util\mkdir-p.pl $(MODULESDIR) + @$(PERL) $(SRCDIR)\util\mkdir-p.pl $(OPENSSLDIR) @$(ECHO) "*** Installing FIPS module" @$(ECHO) "install $(INSTALL_FIPSMODULE) -> $(MODULESDIR)\$(FIPSMODULENAME)" @"$(PERL)" "$(SRCDIR)\util\copy.pl" "$(INSTALL_FIPSMODULE)" "$(MODULESDIR)" From pauli at openssl.org Sat Sep 11 09:05:38 2021 
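Review bot: In the Configurations/windows-makefile.tmpl hunk at '@@ -500,6 +500,7 @@', the added mkdir-p.pl line passes $(PERL), the script path and $(OPENSSLDIR) unquoted, while the copy.pl line at the end of the same hunk quotes every argument ("$(PERL)" "$(SRCDIR)\util\copy.pl" "$(INSTALL_FIPSMODULE)" "$(MODULESDIR)"). An OPENSSLDIR containing a space would be split into several arguments here. The new line copies the existing unquoted $(MODULESDIR) line directly above it, so quote both lines together rather than repeating the weaker form.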
From: pauli at openssl.org (Dr. Paul Dale) Date: Sat, 11 Sep 2021 09:05:38 +0000 Subject: [web] master update Message-ID: <1631351138.619848.10693.nullmailer@dev.openssl.org> The branch master has been updated via 598d9806bc701a208da5506fcba59cd629e21f21 (commit) from 6850835feb4bc989b2e5465163b065c44bed644a (commit) - Log ----------------------------------------------------------------- commit 598d9806bc701a208da5506fcba59cd629e21f21 Author: Pauli Date: Sat Sep 11 16:44:56 2021 +1000 Update copyright footer. Reviewed-by: Mark J. Cox (Merged from https://github.com/openssl/web/pull/261) ----------------------------------------------------------------------- Summary of changes: inc/footer.shtml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/inc/footer.shtml b/inc/footer.shtml index 65be9f1..588fbab 100644 --- a/inc/footer.shtml +++ b/inc/footer.shtml @@ -4,7 +4,8 @@ Please report problems with this website to webmaster at openssl.org.

    - Copyright © 1999-2018, OpenSSL Software Foundation. + Copyright © 1999-2021 The OpenSSL Project Authors. + All Rights Reserved.
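Review bot: The added 'Copyright © 1999-2021 The OpenSSL Project Authors.' line in inc/footer.shtml still hard-codes the end year, which is how the line it replaces came to read 1999-2018 in 2021. Since this is a server-side include file, consider emitting the year from the include mechanism or the site build so the footer does not need a commit every year.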

    From dev at ddvo.net Sat Sep 11 21:00:35 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Sat, 11 Sep 2021 21:00:35 +0000 Subject: [openssl] master update Message-ID: <1631394035.570240.22022.nullmailer@dev.openssl.org> The branch master has been updated via cc0d1b03a94b71dd9d8ee9aa11ee22fdc3659821 (commit) via 611ef4f3737cc5812bdefe381403fdf1bacfba06 (commit) from 85efdaab4d068f7de354b0a18f70f1737941dc7f (commit) - Log ----------------------------------------------------------------- commit cc0d1b03a94b71dd9d8ee9aa11ee22fdc3659821 Author: Dr. David von Oheimb Date: Wed Aug 25 12:30:09 2021 +0200 openssl-x509.pod.in: Reflect better that -signkey is an alias for -key option Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16440) commit 611ef4f3737cc5812bdefe381403fdf1bacfba06 Author: Dr. David von Oheimb Date: Fri Aug 27 07:11:36 2021 +0200 APPS/{x509,req}: Fix description and diagnostics of -key, -in, etc. options Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16440) ----------------------------------------------------------------------- Summary of changes: apps/req.c | 41 ++++++++++++++++++++++++++++++++++------- apps/x509.c | 16 +++++++++++----- doc/man1/openssl-req.pod.in | 29 +++++++++++++++++++++-------- doc/man1/openssl-x509.pod.in | 37 ++++++++++++++++++++++--------------- 4 files changed, 88 insertions(+), 35 deletions(-) diff --git a/apps/req.c b/apps/req.c index 6aa364fec5..f756c25b2a 100644 --- a/apps/req.c +++ b/apps/req.c @@ -103,7 +103,7 @@ const OPTIONS req_options[] = { {"keygen_engine", OPT_KEYGEN_ENGINE, 's', "Specify engine to be used for key generation operations"}, #endif - {"in", OPT_IN, '<', "X.509 request input file"}, + {"in", OPT_IN, '<', "X.509 request input file (default stdin)"}, {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, {"verify", OPT_VERIFY, '-', "Verify self-signature on the request"}, 
@@ -136,10 +136,10 @@ const OPTIONS req_options[] = { "Cert extension section (override value in config file)"}, {"reqexts", OPT_REQEXTS, 's', "Request extension section (override value in config file)"}, - {"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"}, + {"precert", OPT_PRECERT, '-', "Add a poison extension to generated cert (implies -new)"}, OPT_SECTION("Keys and Signing"), - {"key", OPT_KEY, 's', "Key to include and to use for self-signature"}, + {"key", OPT_KEY, 's', "Key for signing, and to include unless -in given"}, {"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"}, {"pubkey", OPT_PUBKEY, '-', "Output public key"}, {"keyout", OPT_KEYOUT, '>', "File to write private key to"}, @@ -489,8 +489,13 @@ int req_main(int argc, char **argv) if (ext_copy == EXT_COPY_NONE) BIO_printf(bio_err, "Ignoring -copy_extensions 'none' when -x509 is not given\n"); } - if (gen_x509 && infile == NULL) - newreq = 1; + if (infile == NULL) { + if (gen_x509) + newreq = 1; + else + BIO_printf(bio_err, + "Warning: Will read cert request from stdin since no -in option is given\n"); + } if (!app_passwd(passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); @@ -631,6 +636,11 @@ int req_main(int argc, char **argv) goto end; app_RAND_load_conf(req_conf, section); } + if (keyalg != NULL && pkey != NULL) { + BIO_printf(bio_err, + "Warning: Not generating key via given -newkey option since -key is given\n"); + /* Better throw an error in this case */ + } if (newreq && pkey == NULL) { app_RAND_load_conf(req_conf, section); 
@@ -742,9 +752,17 @@ int req_main(int argc, char **argv) goto end; if (!newreq) { - req = load_csr(infile, informat, "X509 request"); + if (keyfile != NULL) + BIO_printf(bio_err, + "Warning: Not placing -key in cert or request since request is used\n"); + req = load_csr(infile /* if NULL, reads from stdin */, + informat, "X509 request"); if (req == NULL) goto end; + } else if (infile != NULL) { + BIO_printf(bio_err, + "Warning: Ignoring -in option since -new or -newkey or -precert is given\n"); + /* Better throw an error in this case, as done in the x509 app */ } if (CAkeyfile == NULL) @@ -752,7 +770,7 @@ int req_main(int argc, char **argv) if (CAkeyfile != NULL) { if (CAfile == NULL) { BIO_printf(bio_err, - "Ignoring -CAkey option since no -CA option is given\n"); + "Warning: Ignoring -CAkey option since no -CA option is given\n"); } else { if ((CAkey = load_key(CAkeyfile, FORMAT_UNDEF, 0, passin, e, @@ -788,6 +806,7 @@ int req_main(int argc, char **argv) BIO_printf(bio_err, "Error making certificate request\n"); goto end; } + /* Note that -x509 can take over -key and -subj option values. */ } if (gen_x509) { EVP_PKEY *pub_key = X509_REQ_get0_pubkey(req); @@ -798,6 +817,10 @@ int req_main(int argc, char **argv) X509_NAME *n_subj = fsubj != NULL ? fsubj : X509_REQ_get_subject_name(req); + if (CAcert != NULL && keyfile != NULL) + BIO_printf(bio_err, + "Warning: Not using -key or -newkey for signing since -CA option is given\n"); + if ((new_x509 = X509_new_ex(app_get0_libctx(), app_get0_propq())) == NULL) goto end; @@ -874,6 +897,10 @@ int req_main(int argc, char **argv) } else { X509V3_CTX ext_ctx; + if (precert) { + BIO_printf(bio_err, + "Warning: Ignoring -precert flag since no cert is produced\n"); + } /* Set up V3 context struct */ X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0); X509V3_set_nconf(&ext_ctx, req_conf); diff --git a/apps/x509.c b/apps/x509.c index 7236972c5b..65af7f0d06 100644 --- a/apps/x509.c +++ b/apps/x509.c 
@@ -61,7 +61,7 @@ const OPTIONS x509_options[] = { {"help", OPT_HELP, '-', "Display this summary"}, {"in", OPT_IN, '<', - "Certificate input (default stdin), or CSR input file with -req"}, + "Certificate input, or CSR input file with -req (default stdin)"}, {"passin", OPT_PASSIN, 's', "Private key and cert file pass-phrase source"}, {"new", OPT_NEW, '-', "Generate a certificate from scratch"}, {"x509toreq", OPT_X509TOREQ, '-', @@ -73,7 +73,7 @@ const OPTIONS x509_options[] = { "CSR input file format (DER or PEM) - default PEM"}, {"vfyopt", OPT_VFYOPT, 's', "CSR verification parameter in n:v form"}, {"key", OPT_KEY, 's', - "Key to be used in certificate or cert request"}, + "Key for signing, and to include unless using -force_pubkey"}, {"signkey", OPT_SIGNKEY, 's', "Same as -key"}, {"keyform", OPT_KEYFORM, 'E', @@ -630,7 +630,7 @@ int x509_main(int argc, char **argv) } if (privkeyfile == NULL && pubkeyfile == NULL) { BIO_printf(bio_err, - "The -new option without -key requires using -force_pubkey\n"); + "The -new option requires using the -key or -force_pubkey option\n"); goto end; } } @@ -642,7 +642,7 @@ int x509_main(int argc, char **argv) CAkeyfile = CAfile; if (CAfile != NULL) { if (privkeyfile != NULL) { - BIO_printf(bio_err, "Cannot use both -key and -CA option\n"); + BIO_printf(bio_err, "Cannot use both -key/-signkey and -CA option\n"); goto end; } } else if (CAkeyfile != NULL) { @@ -676,6 +676,9 @@ int x509_main(int argc, char **argv) } if (reqfile) { + if (infile == NULL) + BIO_printf(bio_err, + "Warning: Reading cert request from stdin since no -in option is given\n"); req = load_csr(infile, informat, "certificate request input"); if (req == NULL) goto end; @@ -725,6 +728,9 @@ int x509_main(int argc, char **argv) } } } else { + if (infile == NULL) + BIO_printf(bio_err, + "Warning: Reading certificate from stdin since no -in option is given\n"); x = load_cert_pass(infile, informat, 1, passin, "certificate"); if (x == NULL) goto end; 
@@ -819,7 +825,7 @@ int x509_main(int argc, char **argv) if (x509toreq) { /* also works in conjunction with -req */ if (privkey == NULL) { - BIO_printf(bio_err, "Must specify request key using -key\n"); + BIO_printf(bio_err, "Must specify request signing key using -key\n"); goto end; } if (clrext && ext_copy != EXT_COPY_NONE) { diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in index e78b04c65b..a21c30ba47 100644 --- a/doc/man1/openssl-req.pod.in +++ b/doc/man1/openssl-req.pod.in @@ -79,9 +79,10 @@ The data is a PKCS#10 object. =item B<-in> I -This specifies the input filename to read a request from or standard input -if this option is not specified. A request is only read if the creation -options (B<-new> or B<-newkey>) are not specified. +This specifies the input filename to read a request from. +This defaults to standard input unless B<-x509> or B<-CA> is specified. +A request is only read if the creation options +(B<-new> or B<-newkey> or B<-precert>) are not specified. =item B<-sigopt> I:I @@ -156,8 +157,13 @@ else by default an RSA key with 2048 bits length. =item B<-newkey> I -This option creates a new certificate request and a new private -key. The argument takes one of several forms. +This option is used to generate a new private key unless B<-key> is given. +It is subsequently used as if it was given using the B<-key> option. + +This option implies the B<-new> flag to create a new certificate request +or a new certificate in case B<-x509> is given. + +The argument takes one of several forms. [B]I generates an RSA key I in size. If I is omitted, i.e., B<-newkey> B is specified, 
@@ -193,9 +199,14 @@ See L for more details. =item B<-key> I|I -This specifies the key to include and to use for request self-signature -and for self-signing certificates produced with the B<-x509> option. -It also accepts PKCS#8 format private keys for PEM format files. +This option provides the private key for signing a new certificate or +certificate request. +Unless B<-in> is given, the corresponding public key is placed in +the new certificate or certificate request, resulting in a self-signature. + +For certificate signing this option is overridden by the B<-CA> option. + +This option also accepts PKCS#8 format private keys for PEM format files. =item B<-keyform> B|B|B|B @@ -268,6 +279,8 @@ This option outputs a certificate instead of a certificate request. This is typically used to generate test certificates. It is implied by the B<-CA> option. +This option implies the B<-new> flag if B<-in> is not given. + If an existing request is specified with the B<-in> option, it is converted to the a certificate; otherwise a request is created from scratch. diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in index 9c77a216c2..b86f409ce8 100644 --- a/doc/man1/openssl-x509.pod.in +++ b/doc/man1/openssl-x509.pod.in @@ -102,9 +102,11 @@ Print out a usage message. =item B<-in> I|I -If the B<-req> option is not used this specifies the input -to read a certificate from or standard input if this option is not specified. -With the B<-req> option this specifies a certificate request file. +This specifies the input to read a certificate from +or the input file for reading a certificate request if the B<-req> flag is used. +In both cases this defaults to standard input. + +This option cannot be combined with the B<-new> flag. =item B<-passin> I 
@@ -118,14 +120,14 @@ Generate a certificate from scratch, not using an input certificate or certificate request. So the B<-in> option must not be used in this case. Instead, the B<-subj> option needs to be given. The public key to include can be given with the B<-force_pubkey> option -and defaults to the key given with the B<-key> option, +and defaults to the key given with the B<-key> (or B<-signkey>) option, which implies self-signature. =item B<-x509toreq> Output a PKCS#10 certificate request (rather than a certificate). -The B<-key> option must be used to provide the private key for self-signing; -the corresponding public key is placed in the subjectPKInfo field. +The B<-key> (or B<-signkey>) option must be used to provide the private key for +self-signing; the corresponding public key is placed in the subjectPKInfo field. X.509 extensions included in a certificate input are not copied by default. X.509 extensions to be added can be specified using the B<-extfile> option. @@ -163,9 +165,12 @@ Names and values of these options are algorithm-specific. =item B<-key> I|I -This option causes the new certificate or certificate request -to be self-signed using the supplied private key. -This cannot be used in conjunction with the B<-CA> option. +This option provides the private key for signing a new certificate or +certificate request. +Unless B<-force_pubkey> is given, the corresponding public key is placed in +the new certificate or certificate request, resulting in a self-signature. + +This option cannot be used in conjunction with the B<-CA> option. It sets the issuer name to the subject name (i.e., makes it self-issued) and changes the public key to the supplied value (unless overridden 
@@ -355,8 +360,9 @@ Check that the certificate matches the specified IP address. =item B<-set_serial> I -Specifies the serial number to use. This option can be used with either -the B<-key> or B<-CA> options. If used in conjunction with the B<-CA> option +Specifies the serial number to use. +This option can be used with the B<-key>, B<-signkey>, or B<-CA> options. +If used in conjunction with the B<-CA> option the serial number file (as specified by the B<-CAserial> option) is not used. The serial number can be decimal or hex (if preceded by C<0x>). @@ -400,7 +406,8 @@ or certificate request. =item B<-force_pubkey> I When a certificate is created set its public key to the key in I -instead of the key contained in the input or given with the B<-key> option. +instead of the key contained in the input +or given with the B<-key> (or B<-signkey>) option. This option is useful for creating self-issued certificates that are not self-signed, for instance when the key cannot be used for signing, such as DH. @@ -446,7 +453,7 @@ for testing. The digest to use. This affects any signing or printing option that uses a message -digest, such as the B<-fingerprint>, B<-key> and B<-CA> options. +digest, such as the B<-fingerprint>, B<-key>, and B<-CA> options. Any digest supported by the L command can be used. If not specified then SHA1 is used with B<-fingerprint> or the default digest for the signing algorithm is used, typically SHA256. 
@@ -464,9 +471,9 @@ When present, this behaves like a "micro CA" as follows: The subject name of the "CA" certificate is placed as issuer name in the new certificate, which is then signed using the "CA" key given as detailed below. -This option cannot be used in conjunction with the B<-key> option. +This option cannot be used in conjunction with B<-key> (or B<-signkey>). This option is normally combined with the B<-req> option referencing a CSR. -Without the B<-req> option the input must be a self-signed certificate +Without the B<-req> option the input must be an existing certificate unless the B<-new> option is given, which generates a certificate from scratch. =item B<-CAform> B|B|B, From pauli at openssl.org Mon Sep 13 07:03:03 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Mon, 13 Sep 2021 07:03:03 +0000 Subject: [openssl] master update Message-ID: <1631516583.189652.14148.nullmailer@dev.openssl.org> The branch master has been updated via 485d0790ac1a29a0d4e7391d804810d485890376 (commit) from cc0d1b03a94b71dd9d8ee9aa11ee22fdc3659821 (commit) - Log ----------------------------------------------------------------- commit 485d0790ac1a29a0d4e7391d804810d485890376 Author: Nikita Ivanov Date: Tue Sep 7 11:31:17 2021 +0300 Fix nc_email to check ASN1 strings with NULL byte in the middle Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16524) ----------------------------------------------------------------------- Summary of changes: crypto/x509/v3_ncons.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/crypto/x509/v3_ncons.c b/crypto/x509/v3_ncons.c index dc56fe2c0c..70a7e8304e 100644 --- a/crypto/x509/v3_ncons.c +++ b/crypto/x509/v3_ncons.c 
@@ -714,6 +714,9 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base) if (baseat != baseptr) { if ((baseat - baseptr) != (emlat - emlptr)) return X509_V_ERR_PERMITTED_VIOLATION; + if (memchr(baseptr, 0, baseat - baseptr) || + memchr(emlptr, 0, emlat - emlptr)) + return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; /* Case sensitive match of local part */ if (strncmp(baseptr, emlptr, emlat - emlptr)) return X509_V_ERR_PERMITTED_VIOLATION; From pauli at openssl.org Mon Sep 13 07:03:39 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Mon, 13 Sep 2021 07:03:39 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631516619.070634.15802.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via c24758277800ef8fe1f294bcc84da02ca5367129 (commit) from 96c925c41bf6d9f60f3e8cbe528e82ac7ddc9539 (commit) - Log ----------------------------------------------------------------- commit c24758277800ef8fe1f294bcc84da02ca5367129 Author: Nikita Ivanov Date: Tue Sep 7 11:31:17 2021 +0300 Fix nc_email to check ASN1 strings with NULL byte in the middle Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16524) (cherry picked from commit 485d0790ac1a29a0d4e7391d804810d485890376) ----------------------------------------------------------------------- Summary of changes: crypto/x509/v3_ncons.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/crypto/x509/v3_ncons.c b/crypto/x509/v3_ncons.c index dc56fe2c0c..70a7e8304e 100644 --- a/crypto/x509/v3_ncons.c +++ b/crypto/x509/v3_ncons.c 
@@ -714,6 +714,9 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base) if (baseat != baseptr) { if ((baseat - baseptr) != (emlat - emlptr)) return X509_V_ERR_PERMITTED_VIOLATION; + if (memchr(baseptr, 0, baseat - baseptr) || + memchr(emlptr, 0, emlat - emlptr)) + return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; /* Case sensitive match of local part */ if (strncmp(baseptr, emlptr, emlat - emlptr)) return X509_V_ERR_PERMITTED_VIOLATION; From pauli at openssl.org Mon Sep 13 07:04:23 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Mon, 13 Sep 2021 07:04:23 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1631516663.175412.17598.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 9e44ffc281326330937eee0e94b6fd4bfcaa98eb (commit) from 2753b6ff7f0b91c7ddeb72a6a08948ca28d12a91 (commit) - Log ----------------------------------------------------------------- commit 9e44ffc281326330937eee0e94b6fd4bfcaa98eb Author: Nikita Ivanov Date: Tue Sep 7 11:31:17 2021 +0300 Fix nc_email to check ASN1 strings with NULL byte in the middle Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16524) (cherry picked from commit 485d0790ac1a29a0d4e7391d804810d485890376) ----------------------------------------------------------------------- Summary of changes: crypto/x509v3/v3_ncons.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c index d985aa91da..60cb4ceaa8 100644 --- a/crypto/x509v3/v3_ncons.c +++ b/crypto/x509v3/v3_ncons.c 
@@ -602,6 +602,9 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base) if (baseat != baseptr) { if ((baseat - baseptr) != (emlat - emlptr)) return X509_V_ERR_PERMITTED_VIOLATION; + if (memchr(baseptr, 0, baseat - baseptr) || + memchr(emlptr, 0, emlat - emlptr)) + return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; /* Case sensitive match of local part */ if (strncmp(baseptr, emlptr, emlat - emlptr)) return X509_V_ERR_PERMITTED_VIOLATION; From tomas at openssl.org Mon Sep 13 07:36:51 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Mon, 13 Sep 2021 07:36:51 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631518611.253384.13210.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via fc455e5838fd4520c75473342df6e1867367c913 (commit) from c24758277800ef8fe1f294bcc84da02ca5367129 (commit) - Log ----------------------------------------------------------------- commit fc455e5838fd4520c75473342df6e1867367c913 Author: Tomas Mraz Date: Fri Sep 10 10:45:01 2021 +0200 linux-x86-clang target: Add -latomic Fixes #16572 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16578) (cherry picked from commit 7ea01f521d08d6585a62c7cfd9358c0f191bd903) ----------------------------------------------------------------------- Summary of changes: Configurations/10-main.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index 468698a366..8414b34ed9 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -857,6 +857,7 @@ my %targets = ( inherit_from => [ "linux-x86" ], CC => "clang", CXX => "clang++", + ex_libs => add(threads("-latomic")), }, "linux-x86_64" => { inherit_from => [ "linux-generic64" ], From tomas at openssl.org Mon Sep 13 07:36:18 2021 
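Review bot: In apps/req.c, the hunks at '@@ -631,6 +636,11 @@' and '@@ -742,9 +752,17 @@' add warnings for contradictory options (-newkey together with -key, and -in together with -new, -newkey or -precert) and then state in a code comment that an error would be better ('/* Better throw an error in this case, as done in the x509 app */'). Leaving that as a comment means req and x509 react differently to the same mistake, and a caller who passed -newkey expecting a fresh key gets the existing -key reused with only a stderr line to show for it. Either make these hard errors in this patch, or open an issue and reference it in the comment so the intent is tracked. The -newkey/-key block also wraps a single BIO_printf in braces only to hold that comment.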
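Review bot: The stdin warnings added in apps/req.c at '@@ -489,8 +489,13 @@' and in apps/x509.c at '@@ -676,6 +676,9 @@' and '@@ -725,6 +728,9 @@' are printed whenever -in is omitted, although the option help and man page changes in this same patch document standard input as the default. Every pipeline that feeds a request or certificate on stdin will now write a line starting 'Warning:' to stderr, which can trip callers that treat any stderr output as failure. Consider printing it only when stdin is a terminal, or wording it as an informational message. The two apps also phrase it differently ('Will read cert request from stdin' in req, 'Reading cert request from stdin' in x509); pick one.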
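Review bot: In doc/man1/openssl-x509.pod.in at '@@ -165,9 +165,12 @@', the rewritten -key text now says the public key is placed in the new certificate unless -force_pubkey is given, and the unchanged paragraph right after it still says the option 'changes the public key to the supplied value (unless overridden', so the same rule is stated twice in different words. Merge the two paragraphs so the self-issued and self-signed behaviour and the -force_pubkey exception are each described once.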
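Review bot: In the nc_email hunk at '@@ -602,6 +602,9 @@' of crypto/x509v3/v3_ncons.c (the same three lines land in crypto/x509/v3_ncons.c on master and openssl-3.0), the new memchr() test sits inside 'if (baseat != baseptr)', so it runs only when the constraint has a local part, and it scans only the bytes before the '@'. The hunk does not show whether the host part after the '@' is compared with a length-aware routine; if it is not, the same embedded-NUL truncation applies there and the check belongs before the branch, over the whole of both strings. The local-part comparison that follows is still 'strncmp(baseptr, emlptr, emlat - emlptr)', which stops at the first NUL; with the two lengths already known to be equal, memcmp() would make the comparison exact instead of depending on the guard added above it. A test certificate with a NUL in the local part would pin the new X509_V_ERR_UNSUPPORTED_NAME_SYNTAX return.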
From: tomas at openssl.org (tomas at openssl.org) Date: Mon, 13 Sep 2021 07:36:18 +0000 Subject: [openssl] master update Message-ID: <1631518578.049889.11661.nullmailer@dev.openssl.org> The branch master has been updated via 7ea01f521d08d6585a62c7cfd9358c0f191bd903 (commit) from 485d0790ac1a29a0d4e7391d804810d485890376 (commit) - Log ----------------------------------------------------------------- commit 7ea01f521d08d6585a62c7cfd9358c0f191bd903 Author: Tomas Mraz Date: Fri Sep 10 10:45:01 2021 +0200 linux-x86-clang target: Add -latomic Fixes #16572 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16578) ----------------------------------------------------------------------- Summary of changes: Configurations/10-main.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index 468698a366..8414b34ed9 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -857,6 +857,7 @@ my %targets = ( inherit_from => [ "linux-x86" ], CC => "clang", CXX => "clang++", + ex_libs => add(threads("-latomic")), }, "linux-x86_64" => { inherit_from => [ "linux-generic64" ], From levitte at openssl.org Mon Sep 13 07:53:03 2021 
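Review bot: The added 'ex_libs => add(threads("-latomic")),' line in the linux-x86-clang target of Configurations/10-main.conf has no comment saying why this one target needs libatomic, and wrapping it in threads() means a no-threads build of the same target still links without it. State the reason next to the line (the commit message only points at #16572), and confirm that the atomic calls are not reached in a no-threads build; if they are, drop the threads() wrapper.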
From: levitte at openssl.org (Richard Levitte) Date: Mon, 13 Sep 2021 07:53:03 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631519583.562809.26830.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via de36ce47bf9858f3c517345f46e52d5a6fc506de (commit) from fc455e5838fd4520c75473342df6e1867367c913 (commit) - Log ----------------------------------------------------------------- commit de36ce47bf9858f3c517345f46e52d5a6fc506de Author: Richard Levitte Date: Fri Sep 10 06:42:24 2021 +0200 Fix the build file templates where uplink matters We changed the manner in which a build needing applink is detected, but forgot to change the installation targets accordingly. Fixes #16570 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16577) ----------------------------------------------------------------------- Summary of changes: Configurations/unix-Makefile.tmpl | 8 ++++---- Configurations/windows-makefile.tmpl | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index bf53cbcec5..52d2f6a64e 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl 
@@ -693,11 +693,11 @@ install_dev: install_runtime_libs @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @$(ECHO) "*** Installing development files" @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/include/openssl - @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} + @ : {- output_off() if $disabled{uplink}; "" -} @$(ECHO) "install $(SRCDIR)/ms/applink.c -> $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c" @cp $(SRCDIR)/ms/applink.c $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c @chmod 644 $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c - @ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} + @ : {- output_on() if $disabled{uplink}; "" -} @set -e; for i in $(SRCDIR)/include/openssl/*.h \ $(BLDDIR)/include/openssl/*.h; do \ fn=`basename $$i`; \ @@ -767,10 +767,10 @@ install_dev: install_runtime_libs uninstall_dev: uninstall_runtime_libs @$(ECHO) "*** Uninstalling development files" - @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} + @ : {- output_off() if $disabled{uplink}; "" -} @$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c" @$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c - @ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} + @ : {- output_on() if $disabled{uplink}; "" -} @set -e; for i in $(SRCDIR)/include/openssl/*.h \ $(BLDDIR)/include/openssl/*.h; do \ fn=`basename $$i`; \ diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index 63431b97ed..78d39ffb4b 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl 
@@ -543,10 +543,10 @@ install_dev: install_runtime_libs @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) @$(ECHO) "*** Installing development files" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\include\openssl" - @{- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} + @{- output_off() if $disabled{uplink}; "" -} @"$(PERL)" "$(SRCDIR)\util\copy.pl" "$(SRCDIR)\ms\applink.c" \ "$(INSTALLTOP)\include\openssl" - @{- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} + @{- output_on() if $disabled{uplink}; "" -} @"$(PERL)" "$(SRCDIR)\util\copy.pl" "-exclude_re=/__DECC_" \ "$(SRCDIR)\include\openssl\*.h" \ "$(INSTALLTOP)\include\openssl" From levitte at openssl.org Mon Sep 13 07:54:09 2021 From: levitte at openssl.org (Richard Levitte) Date: Mon, 13 Sep 2021 07:54:09 +0000 Subject: [openssl] master update Message-ID: <1631519649.224260.28755.nullmailer@dev.openssl.org> The branch master has been updated via 6d56fcd86a75c6c3b061fc69bc2b3b100ebac24b (commit) from 7ea01f521d08d6585a62c7cfd9358c0f191bd903 (commit) - Log ----------------------------------------------------------------- commit 6d56fcd86a75c6c3b061fc69bc2b3b100ebac24b Author: Richard Levitte Date: Fri Sep 10 06:42:24 2021 +0200 Fix the build file templates where uplink matters We changed the manner in which a build needing applink is detected, but forgot to change the installation targets accordingly. Fixes #16570 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16577) (cherry picked from commit de36ce47bf9858f3c517345f46e52d5a6fc506de) ----------------------------------------------------------------------- Summary of changes: Configurations/unix-Makefile.tmpl | 8 ++++---- Configurations/windows-makefile.tmpl | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) 
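Review bot: Across the install_dev and uninstall_dev hunks in Configurations/unix-Makefile.tmpl and the install_dev hunk in Configurations/windows-makefile.tmpl, the guard '$disabled{uplink}' is now spelled out six times, once for each output_off() and output_on() call. The commit message says these sites were missed when the detection changed, and repeating the expression at every site invites the same miss the next time it changes. Compute the condition once near the top of each template and reuse it. The summary shows only one changed hunk for windows-makefile.tmpl, so also check whether its uninstall target removes applink.c under the old condition.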
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index bf53cbcec5..52d2f6a64e 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -693,11 +693,11 @@ install_dev: install_runtime_libs @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) @$(ECHO) "*** Installing development files" @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/include/openssl - @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} + @ : {- output_off() if $disabled{uplink}; "" -} @$(ECHO) "install $(SRCDIR)/ms/applink.c -> $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c" @cp $(SRCDIR)/ms/applink.c $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c @chmod 644 $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c - @ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} + @ : {- output_on() if $disabled{uplink}; "" -} @set -e; for i in $(SRCDIR)/include/openssl/*.h \ $(BLDDIR)/include/openssl/*.h; do \ fn=`basename $$i`; \ @@ -767,10 +767,10 @@ install_dev: install_runtime_libs uninstall_dev: uninstall_runtime_libs @$(ECHO) "*** Uninstalling development files" - @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} + @ : {- output_off() if $disabled{uplink}; "" -} @$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c" @$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c - @ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} + @ : {- output_on() if $disabled{uplink}; "" -} @set -e; for i in $(SRCDIR)/include/openssl/*.h \ $(BLDDIR)/include/openssl/*.h; do \ fn=`basename $$i`; \ diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index 63431b97ed..78d39ffb4b 100644 --- a/Configurations/windows-makefile.tmpl 
+++ b/Configurations/windows-makefile.tmpl @@ -543,10 +543,10 @@ install_dev: install_runtime_libs @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 ) @$(ECHO) "*** Installing development files" @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\include\openssl" - @{- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} + @{- output_off() if $disabled{uplink}; "" -} @"$(PERL)" "$(SRCDIR)\util\copy.pl" "$(SRCDIR)\ms\applink.c" \ "$(INSTALLTOP)\include\openssl" - @{- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -} + @{- output_on() if $disabled{uplink}; "" -} @"$(PERL)" "$(SRCDIR)\util\copy.pl" "-exclude_re=/__DECC_" \ "$(SRCDIR)\include\openssl\*.h" \ "$(INSTALLTOP)\include\openssl" From matt at openssl.org Mon Sep 13 10:19:24 2021 From: matt at openssl.org (Matt Caswell) Date: Mon, 13 Sep 2021 10:19:24 +0000 Subject: [web] master update Message-ID: <1631528364.507904.28907.nullmailer@dev.openssl.org> The branch master has been updated via 78a40cab4af1807c6530546557a93303b2505f40 (commit) from 598d9806bc701a208da5506fcba59cd629e21f21 (commit) - Log ----------------------------------------------------------------- commit 78a40cab4af1807c6530546557a93303b2505f40 Author: Tomáš Mráz Date: Mon Sep 13 12:07:30 2021 +0200 newsflash.txt: Add link to blog about Let's encrypt root expiration Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/262) ----------------------------------------------------------------------- Summary of changes: news/newsflash.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/news/newsflash.txt b/news/newsflash.txt index 7c8a166..dc25841 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt 
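Review bot: in the Configurations/unix-Makefile.tmpl hunks of the uplink fix above, the same inline condition now appears four times (output_off() and output_on() in install_dev and again in uninstall_dev), and each output_off() must carry exactly the same test as its matching output_on() or output is not restored for the rest of the target. The commit message says the bug came from changing the detection in one place and forgetting these copies, so consider computing the flag once near the top of the template and reusing it, and add a short comment above each guarded block stating that applink.c is installed only when uplink is enabled.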
@@ -5,6 +5,7 @@ # headings. URL paths must all be absolute. Date: Item +13-Sep-2021: New Blog post: Old Let?s Encrypt Root Certificate Expiration and OpenSSL 1.0.2 07-Sep-2021: Final version of OpenSSL 3.0.0 is now available: please download and upgrade! 24-Aug-2021: Security Advisory: two security fixes 24-Aug-2021: OpenSSL 1.1.1l is now available, including bug and security fixes From pauli at openssl.org Mon Sep 13 21:21:45 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Mon, 13 Sep 2021 21:21:45 +0000 Subject: [openssl] master update Message-ID: <1631568105.846902.17105.nullmailer@dev.openssl.org> The branch master has been updated via ea0d79db9be9066de350c44c160bd8b17f2be666 (commit) from 6d56fcd86a75c6c3b061fc69bc2b3b100ebac24b (commit) - Log ----------------------------------------------------------------- commit ea0d79db9be9066de350c44c160bd8b17f2be666 Author: Viktor Szakats Date: Sun Aug 29 00:59:09 2021 +0000 convert tabs to spaces in two distributed Perl scripts Also fix indentation in c_rehash.in to 4 spaces, where a mixture of 4 and 8 spaces was used before, in addition to tabs. CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16459) ----------------------------------------------------------------------- Summary of changes: apps/tsget.in | 50 +++++----- tools/c_rehash.in | 292 +++++++++++++++++++++++++++--------------------------- 2 files changed, 171 insertions(+), 171 deletions(-) diff --git a/apps/tsget.in b/apps/tsget.in index d87ea4d654..8eab6a8f1f 100644 --- a/apps/tsget.in +++ b/apps/tsget.in 
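Review bot: the added news/newsflash.txt line (13-Sep-2021) spells the name with a typographic apostrophe, which arrives as "Let?s Encrypt" in this notification, while the commit subject uses a plain ASCII apostrophe. Use ASCII "Let's" in the entry so it renders the same regardless of the encoding the file is served or mailed in. The header comment kept as context says URL paths must all be absolute, so the link this entry adds should be checked against that rule too.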
@@ -21,10 +21,10 @@ sub read_body { my $return_data = ""; my $data_len = length ${$state->{data}}; if ($state->{bytes} < $data_len) { - $data_len = $data_len - $state->{bytes}; - $data_len = $maxlength if $data_len > $maxlength; - $return_data = substr ${$state->{data}}, $state->{bytes}, $data_len; - $state->{bytes} += $data_len; + $data_len = $data_len - $state->{bytes}; + $data_len = $maxlength if $data_len > $maxlength; + $return_data = substr ${$state->{data}}, $state->{bytes}, $data_len; + $state->{bytes} += $data_len; } return $return_data; } @@ -53,8 +53,8 @@ sub create_curl { $curl->setopt(CURLOPT_UPLOAD, 1); $curl->setopt(CURLOPT_CUSTOMREQUEST, "POST"); $curl->setopt(CURLOPT_HTTPHEADER, - ["Content-Type: application/timestamp-query", - "Accept: application/timestamp-reply,application/timestamp-response"]); + ["Content-Type: application/timestamp-query", + "Accept: application/timestamp-reply,application/timestamp-response"]); $curl->setopt(CURLOPT_READFUNCTION, \&read_body); $curl->setopt(CURLOPT_HEADERFUNCTION, sub { return length($_[0]); }); @@ -63,8 +63,8 @@ sub create_curl { # SSL related options. $curl->setopt(CURLOPT_SSLKEYTYPE, "PEM"); - $curl->setopt(CURLOPT_SSL_VERIFYPEER, 1); # Verify server's certificate. - $curl->setopt(CURLOPT_SSL_VERIFYHOST, 2); # Check server's CN. + $curl->setopt(CURLOPT_SSL_VERIFYPEER, 1); # Verify server's certificate. + $curl->setopt(CURLOPT_SSL_VERIFYHOST, 2); # Check server's CN. $curl->setopt(CURLOPT_SSLKEY, $options{k}) if defined($options{k}); $curl->setopt(CURLOPT_SSLKEYPASSWD, $options{p}) if defined($options{p}); $curl->setopt(CURLOPT_SSLCERT, $options{c}) if defined($options{c}); 
@@ -101,15 +101,15 @@ sub get_timestamp { my $error_string; if ($error_code != 0) { my $http_code = $curl->getinfo(CURLINFO_HTTP_CODE); - $error_string = "could not get timestamp"; - $error_string .= ", http code: $http_code" unless $http_code == 0; - $error_string .= ", curl code: $error_code"; - $error_string .= " ($::error_buf)" if defined($::error_buf); + $error_string = "could not get timestamp"; + $error_string .= ", http code: $http_code" unless $http_code == 0; + $error_string .= ", curl code: $error_code"; + $error_string .= " ($::error_buf)" if defined($::error_buf); } else { my $ct = $curl->getinfo(CURLINFO_CONTENT_TYPE); - if (lc($ct) ne "application/timestamp-reply" - && lc($ct) ne "application/timestamp-response") { - $error_string = "unexpected content type returned: $ct"; + if (lc($ct) ne "application/timestamp-reply" + && lc($ct) ne "application/timestamp-response") { + $error_string = "unexpected content type returned: $ct"; } } return ($ts_body, $error_string); @@ -163,15 +163,15 @@ REQUEST: foreach (@ARGV) { # Read request. my $body; if ($input eq "-") { - # Read the request from STDIN; - $body = ; + # Read the request from STDIN; + $body = ; } else { - # Read the request from file. + # Read the request from file. open INPUT, "<" . $input - or warn("$input: could not open input file: $!\n"), next REQUEST; + or warn("$input: could not open input file: $!\n"), next REQUEST; $body = ; close INPUT - or warn("$input: could not close input file: $!\n"), next REQUEST; + or warn("$input: could not close input file: $!\n"), next REQUEST; } # Send request. 
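Review bot: in the REQUEST loop hunk of apps/tsget.in (@@ -163,15), the re-indented read path still opens the input with the two-argument form, open INPUT, "<" . $input, so the mode and the user-supplied file name travel in one string and Perl parses them together. The write path in the next hunk already uses the three-argument form, open OUTPUT, ">", $output. Since these lines are being touched anyway, a follow-up that switches the read path to open INPUT, "<", $input would make the two consistent and keep the file name from being interpreted as part of the mode.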
@@ -179,21 +179,21 @@ REQUEST: foreach (@ARGV) { my ($ts_body, $error) = get_timestamp $curl, \$body; if (defined($error)) { - die "$input: fatal error: $error\n"; + die "$input: fatal error: $error\n"; } STDERR->printflush(", reply received") if $options{v}; # Write response. if ($output eq "-") { - # Write to STDOUT. + # Write to STDOUT. print $ts_body; } else { - # Write to file. + # Write to file. open OUTPUT, ">", $output - or warn("$output: could not open output file: $!\n"), next REQUEST; + or warn("$output: could not open output file: $!\n"), next REQUEST; print OUTPUT $ts_body; close OUTPUT - or warn("$output: could not close output file: $!\n"), next REQUEST; + or warn("$output: could not close output file: $!\n"), next REQUEST; } STDERR->printflush(", $output written.\n") if $options{v}; } diff --git a/tools/c_rehash.in b/tools/c_rehash.in index 54cad6138b..d51d8856d7 100644 --- a/tools/c_rehash.in +++ b/tools/c_rehash.in 
@@ -28,35 +28,35 @@ while ( $ARGV[0] =~ /^-/ ) { my $flag = shift @ARGV; last if ( $flag eq '--'); if ( $flag eq '-old') { - $x509hash = "-subject_hash_old"; - $crlhash = "-hash_old"; + $x509hash = "-subject_hash_old"; + $crlhash = "-hash_old"; } elsif ( $flag eq '-h' || $flag eq '-help' ) { - help(); + help(); } elsif ( $flag eq '-n' ) { - $removelinks = 0; + $removelinks = 0; } elsif ( $flag eq '-v' ) { - $verbose++; + $verbose++; } else { - print STDERR "Usage error; try -h.\n"; - exit 1; + print STDERR "Usage error; try -h.\n"; + exit 1; } } sub help { - print "Usage: c_rehash [-old] [-h] [-help] [-v] [dirs...]\n"; - print " -old use old-style digest\n"; - print " -h or -help print this help text\n"; - print " -v print files removed and linked\n"; - exit 0; + print "Usage: c_rehash [-old] [-h] [-help] [-v] [dirs...]\n"; + print " -old use old-style digest\n"; + print " -h or -help print this help text\n"; + print " -v print files removed and linked\n"; + exit 0; } eval "require Cwd"; if (defined(&Cwd::getcwd)) { - $pwd=Cwd::getcwd(); + $pwd=Cwd::getcwd(); } else { - $pwd=`pwd`; - chomp($pwd); + $pwd=`pwd`; + chomp($pwd); } # DOS/Win32 or Unix delimiter? Prefix our installdir, then search. 
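Review bot: in the option-parsing hunk of tools/c_rehash.in (@@ -28,35), the loop accepts -n and clears $removelinks, but the re-indented help() text lists only -old, -h, -help and -v. Add -n to the usage line and give it a description line, so the flag that keeps existing links from being deleted is documented.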
@@ -64,92 +64,92 @@ my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':'; $ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : ""); if (! -x $openssl) { - my $found = 0; - foreach (split /$path_delim/, $ENV{PATH}) { - if (-x "$_/$openssl") { - $found = 1; - $openssl = "$_/$openssl"; - last; - } - } - if ($found == 0) { - print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n"; - exit 0; - } + my $found = 0; + foreach (split /$path_delim/, $ENV{PATH}) { + if (-x "$_/$openssl") { + $found = 1; + $openssl = "$_/$openssl"; + last; + } + } + if ($found == 0) { + print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n"; + exit 0; + } } if (@ARGV) { - @dirlist = @ARGV; + @dirlist = @ARGV; } elsif ($ENV{SSL_CERT_DIR}) { - @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR}; + @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR}; } else { - $dirlist[0] = "$dir/certs"; + $dirlist[0] = "$dir/certs"; } if (-d $dirlist[0]) { - chdir $dirlist[0]; - $openssl="$pwd/$openssl" if (!-x $openssl); - chdir $pwd; + chdir $dirlist[0]; + $openssl="$pwd/$openssl" if (!-x $openssl); + chdir $pwd; } foreach (@dirlist) { - if (-d $_ ) { - if ( -w $_) { - hash_dir($_); - } else { - print "Skipping $_, can't write\n"; - $errorcount++; - } - } + if (-d $_ ) { + if ( -w $_) { + hash_dir($_); + } else { + print "Skipping $_, can't write\n"; + $errorcount++; + } + } } exit($errorcount); sub hash_dir { - my %hashlist; - print "Doing $_[0]\n"; - chdir $_[0]; - opendir(DIR, "."); - my @flist = sort readdir(DIR); - closedir DIR; - if ( $removelinks ) { - # Delete any existing symbolic links - foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { - if (-l $_) { - print "unlink $_" if $verbose; - unlink $_ || warn "Can't unlink $_, $!\n"; - } - } - } - FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { - # Check to see if certificates and/or CRLs present. 
- my ($cert, $crl) = check_file($fname); - if (!$cert && !$crl) { - print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; - next; - } - link_hash_cert($fname) if ($cert); - link_hash_crl($fname) if ($crl); - } + my %hashlist; + print "Doing $_[0]\n"; + chdir $_[0]; + opendir(DIR, "."); + my @flist = sort readdir(DIR); + closedir DIR; + if ( $removelinks ) { + # Delete any existing symbolic links + foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { + if (-l $_) { + print "unlink $_" if $verbose; + unlink $_ || warn "Can't unlink $_, $!\n"; + } + } + } + FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { + # Check to see if certificates and/or CRLs present. + my ($cert, $crl) = check_file($fname); + if (!$cert && !$crl) { + print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; + next; + } + link_hash_cert($fname) if ($cert); + link_hash_crl($fname) if ($crl); + } } sub check_file { - my ($is_cert, $is_crl) = (0,0); - my $fname = $_[0]; - open IN, $fname; - while() { - if (/^-----BEGIN (.*)-----/) { - my $hdr = $1; - if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { - $is_cert = 1; - last if ($is_crl); - } elsif ($hdr eq "X509 CRL") { - $is_crl = 1; - last if ($is_cert); - } - } - } - close IN; - return ($is_cert, $is_crl); + my ($is_cert, $is_crl) = (0,0); + my $fname = $_[0]; + open IN, $fname; + while() { + if (/^-----BEGIN (.*)-----/) { + my $hdr = $1; + if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { + $is_cert = 1; + last if ($is_crl); + } elsif ($hdr eq "X509 CRL") { + $is_crl = 1; + last if ($is_cert); + } + } + } + close IN; + return ($is_cert, $is_crl); } 
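Review bot: in hash_dir (tools/c_rehash.in, @@ -64,92), the file filter /\.(pem)|(crt)|(cer)|(crl)$/ does not group its alternatives, so the leading \. applies only to pem and the trailing $ only to crl, and any name that merely contains "crt" or "cer" is selected. The intended test is /\.(pem|crt|cer|crl)$/. The same hunk has unlink $_ || warn ..., where || binds to $_ rather than to the result of unlink, so the warning does not fire when unlink fails; use "or" or parenthesise the unlink call. Both predate this whitespace-only change and belong in a separate commit.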
@@ -160,72 +160,72 @@ sub check_file { # certificate fingerprints sub link_hash_cert { - my $fname = $_[0]; - $fname =~ s/\"/\\\"/g; - my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; - chomp $hash; - chomp $fprint; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; - # Search for an unused hash filename - while(exists $hashlist{"$hash.$suffix"}) { - # Hash matches: if fingerprint matches its a duplicate cert - if ($hashlist{"$hash.$suffix"} eq $fprint) { - print STDERR "WARNING: Skipping duplicate certificate $fname\n"; - return; - } - $suffix++; - } - $hash .= ".$suffix"; - if ($symlink_exists) { - print "link $fname -> $hash\n" if $verbose; - symlink $fname, $hash || warn "Can't symlink, $!"; - } else { - print "copy $fname -> $hash\n" if $verbose; - if (open($in, "<", $fname)) { - if (open($out,">", $hash)) { - print $out $_ while (<$in>); - close $out; - } else { - warn "can't open $hash for write, $!"; - } - close $in; - } else { - warn "can't open $fname for read, $!"; - } - } - $hashlist{$hash} = $fprint; + my $fname = $_[0]; + $fname =~ s/\"/\\\"/g; + my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; + chomp $hash; + chomp $fprint; + $fprint =~ s/^.*=//; + $fprint =~ tr/://d; + my $suffix = 0; + # Search for an unused hash filename + while(exists $hashlist{"$hash.$suffix"}) { + # Hash matches: if fingerprint matches its a duplicate cert + if ($hashlist{"$hash.$suffix"} eq $fprint) { + print STDERR "WARNING: Skipping duplicate certificate $fname\n"; + return; + } + $suffix++; + } + $hash .= ".$suffix"; + if ($symlink_exists) { + print "link $fname -> $hash\n" if $verbose; + symlink $fname, $hash || warn "Can't symlink, $!"; + } else { + print "copy $fname -> $hash\n" if $verbose; + if (open($in, "<", $fname)) { + if (open($out,">", $hash)) { + print $out $_ while (<$in>); + close $out; + } else { + warn "can't open $hash for write, $!"; + } + close $in; + } else { + warn "can't 
open $fname for read, $!"; + } + } + $hashlist{$hash} = $fprint; } # Same as above except for a CRL. CRL links are of the form .r sub link_hash_crl { - my $fname = $_[0]; - $fname =~ s/'/'\\''/g; - my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; - chomp $hash; - chomp $fprint; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; - # Search for an unused hash filename - while(exists $hashlist{"$hash.r$suffix"}) { - # Hash matches: if fingerprint matches its a duplicate cert - if ($hashlist{"$hash.r$suffix"} eq $fprint) { - print STDERR "WARNING: Skipping duplicate CRL $fname\n"; - return; - } - $suffix++; - } - $hash .= ".r$suffix"; - if ($symlink_exists) { - print "link $fname -> $hash\n" if $verbose; - symlink $fname, $hash || warn "Can't symlink, $!"; - } else { - print "cp $fname -> $hash\n" if $verbose; - system ("cp", $fname, $hash); - warn "Can't copy, $!" if ($? >> 8) != 0; - } - $hashlist{$hash} = $fprint; + my $fname = $_[0]; + $fname =~ s/'/'\\''/g; + my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; + chomp $hash; + chomp $fprint; + $fprint =~ s/^.*=//; + $fprint =~ tr/://d; + my $suffix = 0; + # Search for an unused hash filename + while(exists $hashlist{"$hash.r$suffix"}) { + # Hash matches: if fingerprint matches its a duplicate cert + if ($hashlist{"$hash.r$suffix"} eq $fprint) { + print STDERR "WARNING: Skipping duplicate CRL $fname\n"; + return; + } + $suffix++; + } + $hash .= ".r$suffix"; + if ($symlink_exists) { + print "link $fname -> $hash\n" if $verbose; + symlink $fname, $hash || warn "Can't symlink, $!"; + } else { + print "cp $fname -> $hash\n" if $verbose; + system ("cp", $fname, $hash); + warn "Can't copy, $!" if ($? >> 8) != 0; + } + $hashlist{$hash} = $fprint; } From pauli at openssl.org Mon Sep 13 21:22:27 2021 
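Review bot: in link_hash_cert and link_hash_crl (tools/c_rehash.in, @@ -160,72), $fname comes from readdir and is interpolated into a backtick command after escaping only the quote character that surrounds it. Inside double quotes the shell still expands $ and backticks, so link_hash_cert in particular passes file names from the scanned directory through shell interpretation. Running openssl without a shell, for example with the list form open(my $fh, "-|", $openssl, "x509", $x509hash, "-fingerprint", "-noout", "-in", $fname), removes the need for escaping in both functions. This predates the whitespace change and should be a separate commit.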
From: pauli at openssl.org (Dr. Paul Dale) Date: Mon, 13 Sep 2021 21:22:27 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631568147.793186.18328.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 566431716efab52b40cc3af6610ba831d5c1cccc (commit) from de36ce47bf9858f3c517345f46e52d5a6fc506de (commit) - Log ----------------------------------------------------------------- commit 566431716efab52b40cc3af6610ba831d5c1cccc Author: Viktor Szakats Date: Sun Aug 29 00:59:09 2021 +0000 convert tabs to spaces in two distributed Perl scripts Also fix indentation in c_rehash.in to 4 spaces, where a mixture of 4 and 8 spaces was used before, in addition to tabs. CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16459) (cherry picked from commit ea0d79db9be9066de350c44c160bd8b17f2be666) ----------------------------------------------------------------------- Summary of changes: apps/tsget.in | 50 +++++----- tools/c_rehash.in | 292 +++++++++++++++++++++++++++--------------------------- 2 files changed, 171 insertions(+), 171 deletions(-) diff --git a/apps/tsget.in b/apps/tsget.in index d87ea4d654..8eab6a8f1f 100644 --- a/apps/tsget.in +++ b/apps/tsget.in @@ -21,10 +21,10 @@ sub read_body { my $return_data = ""; my $data_len = length ${$state->{data}}; if ($state->{bytes} < $data_len) { - $data_len = $data_len - $state->{bytes}; - $data_len = $maxlength if $data_len > $maxlength; - $return_data = substr ${$state->{data}}, $state->{bytes}, $data_len; - $state->{bytes} += $data_len; + $data_len = $data_len - $state->{bytes}; + $data_len = $maxlength if $data_len > $maxlength; + $return_data = substr ${$state->{data}}, $state->{bytes}, $data_len; + $state->{bytes} += $data_len; } return $return_data; } 
@@ -53,8 +53,8 @@ sub create_curl { $curl->setopt(CURLOPT_UPLOAD, 1); $curl->setopt(CURLOPT_CUSTOMREQUEST, "POST"); $curl->setopt(CURLOPT_HTTPHEADER, - ["Content-Type: application/timestamp-query", - "Accept: application/timestamp-reply,application/timestamp-response"]); + ["Content-Type: application/timestamp-query", + "Accept: application/timestamp-reply,application/timestamp-response"]); $curl->setopt(CURLOPT_READFUNCTION, \&read_body); $curl->setopt(CURLOPT_HEADERFUNCTION, sub { return length($_[0]); }); @@ -63,8 +63,8 @@ sub create_curl { # SSL related options. $curl->setopt(CURLOPT_SSLKEYTYPE, "PEM"); - $curl->setopt(CURLOPT_SSL_VERIFYPEER, 1); # Verify server's certificate. - $curl->setopt(CURLOPT_SSL_VERIFYHOST, 2); # Check server's CN. + $curl->setopt(CURLOPT_SSL_VERIFYPEER, 1); # Verify server's certificate. + $curl->setopt(CURLOPT_SSL_VERIFYHOST, 2); # Check server's CN. $curl->setopt(CURLOPT_SSLKEY, $options{k}) if defined($options{k}); $curl->setopt(CURLOPT_SSLKEYPASSWD, $options{p}) if defined($options{p}); $curl->setopt(CURLOPT_SSLCERT, $options{c}) if defined($options{c}); 
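Review bot: in create_curl (apps/tsget.in, @@ -63,8), the comment realigned next to CURLOPT_SSL_VERIFYHOST, 2 reads "Check server's CN.", which undersells what the setting does: with value 2 libcurl requires the certificate's names, subjectAltName as well as CN, to match the host in the URL. Rewording the comment to "Check that the certificate matches the host name." would keep a later reader from treating the check as CN-only.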
@@ -101,15 +101,15 @@ sub get_timestamp { my $error_string; if ($error_code != 0) { my $http_code = $curl->getinfo(CURLINFO_HTTP_CODE); - $error_string = "could not get timestamp"; - $error_string .= ", http code: $http_code" unless $http_code == 0; - $error_string .= ", curl code: $error_code"; - $error_string .= " ($::error_buf)" if defined($::error_buf); + $error_string = "could not get timestamp"; + $error_string .= ", http code: $http_code" unless $http_code == 0; + $error_string .= ", curl code: $error_code"; + $error_string .= " ($::error_buf)" if defined($::error_buf); } else { my $ct = $curl->getinfo(CURLINFO_CONTENT_TYPE); - if (lc($ct) ne "application/timestamp-reply" - && lc($ct) ne "application/timestamp-response") { - $error_string = "unexpected content type returned: $ct"; + if (lc($ct) ne "application/timestamp-reply" + && lc($ct) ne "application/timestamp-response") { + $error_string = "unexpected content type returned: $ct"; } } return ($ts_body, $error_string); @@ -163,15 +163,15 @@ REQUEST: foreach (@ARGV) { # Read request. my $body; if ($input eq "-") { - # Read the request from STDIN; - $body = ; + # Read the request from STDIN; + $body = ; } else { - # Read the request from file. + # Read the request from file. open INPUT, "<" . $input - or warn("$input: could not open input file: $!\n"), next REQUEST; + or warn("$input: could not open input file: $!\n"), next REQUEST; $body = ; close INPUT - or warn("$input: could not close input file: $!\n"), next REQUEST; + or warn("$input: could not close input file: $!\n"), next REQUEST; } # Send request. 
@@ -179,21 +179,21 @@ REQUEST: foreach (@ARGV) { my ($ts_body, $error) = get_timestamp $curl, \$body; if (defined($error)) { - die "$input: fatal error: $error\n"; + die "$input: fatal error: $error\n"; } STDERR->printflush(", reply received") if $options{v}; # Write response. if ($output eq "-") { - # Write to STDOUT. + # Write to STDOUT. print $ts_body; } else { - # Write to file. + # Write to file. open OUTPUT, ">", $output - or warn("$output: could not open output file: $!\n"), next REQUEST; + or warn("$output: could not open output file: $!\n"), next REQUEST; print OUTPUT $ts_body; close OUTPUT - or warn("$output: could not close output file: $!\n"), next REQUEST; + or warn("$output: could not close output file: $!\n"), next REQUEST; } STDERR->printflush(", $output written.\n") if $options{v}; } diff --git a/tools/c_rehash.in b/tools/c_rehash.in index 54cad6138b..d51d8856d7 100644 --- a/tools/c_rehash.in +++ b/tools/c_rehash.in 
@@ -28,35 +28,35 @@ while ( $ARGV[0] =~ /^-/ ) { my $flag = shift @ARGV; last if ( $flag eq '--'); if ( $flag eq '-old') { - $x509hash = "-subject_hash_old"; - $crlhash = "-hash_old"; + $x509hash = "-subject_hash_old"; + $crlhash = "-hash_old"; } elsif ( $flag eq '-h' || $flag eq '-help' ) { - help(); + help(); } elsif ( $flag eq '-n' ) { - $removelinks = 0; + $removelinks = 0; } elsif ( $flag eq '-v' ) { - $verbose++; + $verbose++; } else { - print STDERR "Usage error; try -h.\n"; - exit 1; + print STDERR "Usage error; try -h.\n"; + exit 1; } } sub help { - print "Usage: c_rehash [-old] [-h] [-help] [-v] [dirs...]\n"; - print " -old use old-style digest\n"; - print " -h or -help print this help text\n"; - print " -v print files removed and linked\n"; - exit 0; + print "Usage: c_rehash [-old] [-h] [-help] [-v] [dirs...]\n"; + print " -old use old-style digest\n"; + print " -h or -help print this help text\n"; + print " -v print files removed and linked\n"; + exit 0; } eval "require Cwd"; if (defined(&Cwd::getcwd)) { - $pwd=Cwd::getcwd(); + $pwd=Cwd::getcwd(); } else { - $pwd=`pwd`; - chomp($pwd); + $pwd=`pwd`; + chomp($pwd); } # DOS/Win32 or Unix delimiter? Prefix our installdir, then search. 
@@ -64,92 +64,92 @@ my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':'; $ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : ""); if (! -x $openssl) { - my $found = 0; - foreach (split /$path_delim/, $ENV{PATH}) { - if (-x "$_/$openssl") { - $found = 1; - $openssl = "$_/$openssl"; - last; - } - } - if ($found == 0) { - print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n"; - exit 0; - } + my $found = 0; + foreach (split /$path_delim/, $ENV{PATH}) { + if (-x "$_/$openssl") { + $found = 1; + $openssl = "$_/$openssl"; + last; + } + } + if ($found == 0) { + print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n"; + exit 0; + } } if (@ARGV) { - @dirlist = @ARGV; + @dirlist = @ARGV; } elsif ($ENV{SSL_CERT_DIR}) { - @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR}; + @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR}; } else { - $dirlist[0] = "$dir/certs"; + $dirlist[0] = "$dir/certs"; } if (-d $dirlist[0]) { - chdir $dirlist[0]; - $openssl="$pwd/$openssl" if (!-x $openssl); - chdir $pwd; + chdir $dirlist[0]; + $openssl="$pwd/$openssl" if (!-x $openssl); + chdir $pwd; } foreach (@dirlist) { - if (-d $_ ) { - if ( -w $_) { - hash_dir($_); - } else { - print "Skipping $_, can't write\n"; - $errorcount++; - } - } + if (-d $_ ) { + if ( -w $_) { + hash_dir($_); + } else { + print "Skipping $_, can't write\n"; + $errorcount++; + } + } } exit($errorcount); sub hash_dir { - my %hashlist; - print "Doing $_[0]\n"; - chdir $_[0]; - opendir(DIR, "."); - my @flist = sort readdir(DIR); - closedir DIR; - if ( $removelinks ) { - # Delete any existing symbolic links - foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { - if (-l $_) { - print "unlink $_" if $verbose; - unlink $_ || warn "Can't unlink $_, $!\n"; - } - } - } - FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { - # Check to see if certificates and/or CRLs present. 
- my ($cert, $crl) = check_file($fname); - if (!$cert && !$crl) { - print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; - next; - } - link_hash_cert($fname) if ($cert); - link_hash_crl($fname) if ($crl); - } + my %hashlist; + print "Doing $_[0]\n"; + chdir $_[0]; + opendir(DIR, "."); + my @flist = sort readdir(DIR); + closedir DIR; + if ( $removelinks ) { + # Delete any existing symbolic links + foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { + if (-l $_) { + print "unlink $_" if $verbose; + unlink $_ || warn "Can't unlink $_, $!\n"; + } + } + } + FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { + # Check to see if certificates and/or CRLs present. + my ($cert, $crl) = check_file($fname); + if (!$cert && !$crl) { + print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; + next; + } + link_hash_cert($fname) if ($cert); + link_hash_crl($fname) if ($crl); + } } sub check_file { - my ($is_cert, $is_crl) = (0,0); - my $fname = $_[0]; - open IN, $fname; - while() { - if (/^-----BEGIN (.*)-----/) { - my $hdr = $1; - if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { - $is_cert = 1; - last if ($is_crl); - } elsif ($hdr eq "X509 CRL") { - $is_crl = 1; - last if ($is_cert); - } - } - } - close IN; - return ($is_cert, $is_crl); + my ($is_cert, $is_crl) = (0,0); + my $fname = $_[0]; + open IN, $fname; + while() { + if (/^-----BEGIN (.*)-----/) { + my $hdr = $1; + if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { + $is_cert = 1; + last if ($is_crl); + } elsif ($hdr eq "X509 CRL") { + $is_crl = 1; + last if ($is_cert); + } + } + } + close IN; + return ($is_cert, $is_crl); } 
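Review bot: in check_file (tools/c_rehash.in, @@ -64,92), open IN, $fname; uses the two-argument form on a name taken from the directory listing and ignores the result, so an unreadable file is reported by hash_dir as "does not contain a certificate or CRL" rather than as an open failure, and special characters at the start or end of the name are read as an open mode. A follow-up should use open(my $in, "<", $fname) and warn and return when it fails.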
@@ -160,72 +160,72 @@ sub check_file { # certificate fingerprints sub link_hash_cert { - my $fname = $_[0]; - $fname =~ s/\"/\\\"/g; - my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; - chomp $hash; - chomp $fprint; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; - # Search for an unused hash filename - while(exists $hashlist{"$hash.$suffix"}) { - # Hash matches: if fingerprint matches its a duplicate cert - if ($hashlist{"$hash.$suffix"} eq $fprint) { - print STDERR "WARNING: Skipping duplicate certificate $fname\n"; - return; - } - $suffix++; - } - $hash .= ".$suffix"; - if ($symlink_exists) { - print "link $fname -> $hash\n" if $verbose; - symlink $fname, $hash || warn "Can't symlink, $!"; - } else { - print "copy $fname -> $hash\n" if $verbose; - if (open($in, "<", $fname)) { - if (open($out,">", $hash)) { - print $out $_ while (<$in>); - close $out; - } else { - warn "can't open $hash for write, $!"; - } - close $in; - } else { - warn "can't open $fname for read, $!"; - } - } - $hashlist{$hash} = $fprint; + my $fname = $_[0]; + $fname =~ s/\"/\\\"/g; + my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; + chomp $hash; + chomp $fprint; + $fprint =~ s/^.*=//; + $fprint =~ tr/://d; + my $suffix = 0; + # Search for an unused hash filename + while(exists $hashlist{"$hash.$suffix"}) { + # Hash matches: if fingerprint matches its a duplicate cert + if ($hashlist{"$hash.$suffix"} eq $fprint) { + print STDERR "WARNING: Skipping duplicate certificate $fname\n"; + return; + } + $suffix++; + } + $hash .= ".$suffix"; + if ($symlink_exists) { + print "link $fname -> $hash\n" if $verbose; + symlink $fname, $hash || warn "Can't symlink, $!"; + } else { + print "copy $fname -> $hash\n" if $verbose; + if (open($in, "<", $fname)) { + if (open($out,">", $hash)) { + print $out $_ while (<$in>); + close $out; + } else { + warn "can't open $hash for write, $!"; + } + close $in; + } else { + warn "can't 
open $fname for read, $!"; + } + } + $hashlist{$hash} = $fprint; } # Same as above except for a CRL. CRL links are of the form .r sub link_hash_crl { - my $fname = $_[0]; - $fname =~ s/'/'\\''/g; - my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; - chomp $hash; - chomp $fprint; - $fprint =~ s/^.*=//; - $fprint =~ tr/://d; - my $suffix = 0; - # Search for an unused hash filename - while(exists $hashlist{"$hash.r$suffix"}) { - # Hash matches: if fingerprint matches its a duplicate cert - if ($hashlist{"$hash.r$suffix"} eq $fprint) { - print STDERR "WARNING: Skipping duplicate CRL $fname\n"; - return; - } - $suffix++; - } - $hash .= ".r$suffix"; - if ($symlink_exists) { - print "link $fname -> $hash\n" if $verbose; - symlink $fname, $hash || warn "Can't symlink, $!"; - } else { - print "cp $fname -> $hash\n" if $verbose; - system ("cp", $fname, $hash); - warn "Can't copy, $!" if ($? >> 8) != 0; - } - $hashlist{$hash} = $fprint; + my $fname = $_[0]; + $fname =~ s/'/'\\''/g; + my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; + chomp $hash; + chomp $fprint; + $fprint =~ s/^.*=//; + $fprint =~ tr/://d; + my $suffix = 0; + # Search for an unused hash filename + while(exists $hashlist{"$hash.r$suffix"}) { + # Hash matches: if fingerprint matches its a duplicate cert + if ($hashlist{"$hash.r$suffix"} eq $fprint) { + print STDERR "WARNING: Skipping duplicate CRL $fname\n"; + return; + } + $suffix++; + } + $hash .= ".r$suffix"; + if ($symlink_exists) { + print "link $fname -> $hash\n" if $verbose; + symlink $fname, $hash || warn "Can't symlink, $!"; + } else { + print "cp $fname -> $hash\n" if $verbose; + system ("cp", $fname, $hash); + warn "Can't copy, $!" if ($? >> 8) != 0; + } + $hashlist{$hash} = $fprint; } From tomas at openssl.org Tue Sep 14 12:51:04 2021 
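Review bot: in link_hash_cert and link_hash_crl (tools/c_rehash.in, @@ -160,72), symlink $fname, $hash || warn "Can't symlink, $!" parses as symlink($fname, ($hash || warn ...)), so a failed symlink is silent and the function still records the name in %hashlist. Write symlink($fname, $hash) or warn ... in both places. The two comments "if fingerprint matches its a duplicate cert" also need "it's", and the one in link_hash_crl should say CRL.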
From: tomas at openssl.org (tomas at openssl.org) Date: Tue, 14 Sep 2021 12:51:04 +0000 Subject: [openssl] master update Message-ID: <1631623864.069855.6451.nullmailer@dev.openssl.org> The branch master has been updated via 24cdb1bfecbd765e829b9932a5a60ff63a7dff4b (commit) from ea0d79db9be9066de350c44c160bd8b17f2be666 (commit) - Log ----------------------------------------------------------------- commit 24cdb1bfecbd765e829b9932a5a60ff63a7dff4b Author: lprimak Date: Sun Sep 12 20:21:30 2021 -0500 MacOS prior to 10.12 does not support random API correctly Fixes #16517 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16592) ----------------------------------------------------------------------- Summary of changes: include/crypto/rand.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/crypto/rand.h b/include/crypto/rand.h index ac41a9f62b..fa3b5b2b93 100644 --- a/include/crypto/rand.h +++ b/include/crypto/rand.h @@ -24,7 +24,7 @@ # if defined(__APPLE__) && !defined(OPENSSL_NO_APPLE_CRYPTO_RANDOM) # include -# if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101000) || \ +# if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200) || \ (defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 80000) # define OPENSSL_APPLE_CRYPTO_RANDOM 1 # include From tomas at openssl.org Tue Sep 14 12:52:40 2021 
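Review bot: the macOS bound moves from 101000 to 101200 while the iOS bound on the following line stays at 80000, and nothing in the header says why the two now differ. Add a comment above the `# if` stating that the test is against the deployment target (__MAC_OS_X_VERSION_MIN_REQUIRED), that targets below 10.12 deliberately do not get OPENSSL_APPLE_CRYPTO_RANDOM, and whether the iOS minimum was re-checked for the problem reported in #16517. It would also help to name the seed source that builds with an older deployment target end up with, since this is a silent compile-time switch of the RNG entropy path.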
From: tomas at openssl.org (tomas at openssl.org) Date: Tue, 14 Sep 2021 12:52:40 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631623960.925604.8389.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via ad0697696cc3d9f4a588a3b2d48d898619dbe228 (commit) from 566431716efab52b40cc3af6610ba831d5c1cccc (commit) - Log ----------------------------------------------------------------- commit ad0697696cc3d9f4a588a3b2d48d898619dbe228 Author: lprimak Date: Sun Sep 12 20:21:30 2021 -0500 MacOS prior to 10.12 does not support random API correctly Fixes #16517 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16591) ----------------------------------------------------------------------- Summary of changes: include/crypto/rand.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/crypto/rand.h b/include/crypto/rand.h index ac41a9f62b..fa3b5b2b93 100644 --- a/include/crypto/rand.h +++ b/include/crypto/rand.h @@ -24,7 +24,7 @@ # if defined(__APPLE__) && !defined(OPENSSL_NO_APPLE_CRYPTO_RANDOM) # include -# if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101000) || \ +# if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200) || \ (defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 80000) # define OPENSSL_APPLE_CRYPTO_RANDOM 1 # include From tomas at openssl.org Tue Sep 14 12:54:25 2021 
From: tomas at openssl.org (tomas at openssl.org) Date: Tue, 14 Sep 2021 12:54:25 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1631624065.519611.9939.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 2f3b120401533db82e99ed28de5fc8aab1b76b33 (commit) from 9e44ffc281326330937eee0e94b6fd4bfcaa98eb (commit) - Log ----------------------------------------------------------------- commit 2f3b120401533db82e99ed28de5fc8aab1b76b33 Author: Lenny Primak Date: Sat Sep 11 18:53:45 2021 -0500 MacOS prior to 10.12 does not support random API correctly Fixes #16517 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16587) ----------------------------------------------------------------------- Summary of changes: include/crypto/rand.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/crypto/rand.h b/include/crypto/rand.h index 674f840fd1..8247d16c55 100644 --- a/include/crypto/rand.h +++ b/include/crypto/rand.h @@ -22,7 +22,7 @@ # if defined(__APPLE__) && !defined(OPENSSL_NO_APPLE_CRYPTO_RANDOM) # include -# if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101000) || \ +# if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200) || \ (defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 80000) # define OPENSSL_APPLE_CRYPTO_RANDOM 1 # include From tomas at openssl.org Tue Sep 14 13:01:22 2021 
From: tomas at openssl.org (tomas at openssl.org) Date: Tue, 14 Sep 2021 13:01:22 +0000 Subject: [openssl] master update Message-ID: <1631624482.643108.12853.nullmailer@dev.openssl.org> The branch master has been updated via 1ed3249f253e4490a813279e2eb253c8e5cfaabb (commit) from 24cdb1bfecbd765e829b9932a5a60ff63a7dff4b (commit) - Log ----------------------------------------------------------------- commit 1ed3249f253e4490a813279e2eb253c8e5cfaabb Author: Dr. David von Oheimb Date: Mon Sep 13 08:14:58 2021 +0200 80-test_cmp_http.t: Fix handling of empty HTTP proxy string Fixes #16546 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16593) ----------------------------------------------------------------------- Summary of changes: test/recipes/80-test_cmp_http.t | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/recipes/80-test_cmp_http.t b/test/recipes/80-test_cmp_http.t index 7bd95337e8..92f11e8ac8 100644 --- a/test/recipes/80-test_cmp_http.t +++ b/test/recipes/80-test_cmp_http.t @@ -42,8 +42,8 @@ sub chop_dblquot { # chop any leading and trailing '"' (needed for Windows) return $str; } -my $proxy = ""; -$proxy = chop_dblquot($ENV{http_proxy} // $ENV{HTTP_PROXY} // $proxy); +my $proxy = chop_dblquot($ENV{http_proxy} // $ENV{HTTP_PROXY} // ""); +$proxy = "" if $proxy eq ""; $proxy =~ s{^https?://}{}i; my $no_proxy = $ENV{no_proxy} // $ENV{NO_PROXY}; From tomas at openssl.org Tue Sep 14 13:01:36 2021 
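Review bot: the added `$proxy = "" if $proxy eq "";` assigns the value $proxy already holds, so as it reads here the line does nothing; say in a comment what an empty proxy string is supposed to become, and make the right-hand side reflect it. Also note that `//` only falls through on undef, so an http_proxy that is set but empty takes precedence over a non-empty HTTP_PROXY; if that is intended, a one-line comment would stop the next reader from "fixing" it.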
From: tomas at openssl.org (tomas at openssl.org) Date: Tue, 14 Sep 2021 13:01:36 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631624496.272359.13931.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 42ea0a86e89d84c2d649b268ebbfb43a9344d33e (commit) from ad0697696cc3d9f4a588a3b2d48d898619dbe228 (commit) - Log ----------------------------------------------------------------- commit 42ea0a86e89d84c2d649b268ebbfb43a9344d33e Author: Dr. David von Oheimb Date: Mon Sep 13 08:14:58 2021 +0200 80-test_cmp_http.t: Fix handling of empty HTTP proxy string Fixes #16546 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16593) (cherry picked from commit 1ed3249f253e4490a813279e2eb253c8e5cfaabb) ----------------------------------------------------------------------- Summary of changes: test/recipes/80-test_cmp_http.t | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/recipes/80-test_cmp_http.t b/test/recipes/80-test_cmp_http.t index 7bd95337e8..92f11e8ac8 100644 --- a/test/recipes/80-test_cmp_http.t +++ b/test/recipes/80-test_cmp_http.t @@ -42,8 +42,8 @@ sub chop_dblquot { # chop any leading and trailing '"' (needed for Windows) return $str; } -my $proxy = ""; -$proxy = chop_dblquot($ENV{http_proxy} // $ENV{HTTP_PROXY} // $proxy); +my $proxy = chop_dblquot($ENV{http_proxy} // $ENV{HTTP_PROXY} // ""); +$proxy = "" if $proxy eq ""; $proxy =~ s{^https?://}{}i; my $no_proxy = $ENV{no_proxy} // $ENV{NO_PROXY}; From tomas at openssl.org Wed Sep 15 12:08:07 2021 
From: tomas at openssl.org (tomas at openssl.org) Date: Wed, 15 Sep 2021 12:08:07 +0000 Subject: [openssl] master update Message-ID: <1631707687.976217.18845.nullmailer@dev.openssl.org> The branch master has been updated via e59bfbaa2dbd680f77e1121e382502bd522a466c (commit) from 1ed3249f253e4490a813279e2eb253c8e5cfaabb (commit) - Log ----------------------------------------------------------------- commit e59bfbaa2dbd680f77e1121e382502bd522a466c Author: Tomas Mraz Date: Tue Sep 14 09:34:32 2021 +0200 providers: Do not use global EVP_CIPHERs and EVP_MDs Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16600) ----------------------------------------------------------------------- Summary of changes: providers/common/provider_util.c | 21 +++++++++++++++++---- test/evp_kdf_test.c | 13 +++++++++---- 2 files changed, 26 insertions(+), 8 deletions(-) diff --git a/providers/common/provider_util.c b/providers/common/provider_util.c index 662175c2f3..fcfbab632d 100644 --- a/providers/common/provider_util.c +++ b/providers/common/provider_util.c @@ -16,6 +16,7 @@ #include #ifndef FIPS_MODULE # include +# include "crypto/evp.h" #endif #include "prov/provider_util.h" #include "internal/nelem.h" @@ -90,8 +91,14 @@ int ossl_prov_cipher_load_from_params(PROV_CIPHER *pc, ERR_set_mark(); pc->cipher = pc->alloc_cipher = EVP_CIPHER_fetch(ctx, p->data, propquery); #ifndef FIPS_MODULE /* Inside the FIPS module, we don't support legacy ciphers */ - if (pc->cipher == NULL) - pc->cipher = EVP_get_cipherbyname(p->data); + if (pc->cipher == NULL) { + const EVP_CIPHER *cipher; + + cipher = EVP_get_cipherbyname(p->data); + /* Do not use global EVP_CIPHERs */ + if (cipher != NULL && cipher->origin != EVP_ORIG_GLOBAL) + pc->cipher = cipher; + } #endif if (pc->cipher != NULL) ERR_pop_to_mark(); 
@@ -159,8 +166,14 @@ int ossl_prov_digest_load_from_params(PROV_DIGEST *pd, ERR_set_mark(); ossl_prov_digest_fetch(pd, ctx, p->data, propquery); #ifndef FIPS_MODULE /* Inside the FIPS module, we don't support legacy digests */ - if (pd->md == NULL) - pd->md = EVP_get_digestbyname(p->data); + if (pd->md == NULL) { + const EVP_MD *md; + + md = EVP_get_digestbyname(p->data); + /* Do not use global EVP_MDs */ + if (md != NULL && md->origin != EVP_ORIG_GLOBAL) + pd->md = md; + } #endif if (pd->md != NULL) ERR_pop_to_mark(); diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c index 4b3df38b5f..145e64fbdb 100644 --- a/test/evp_kdf_test.c +++ b/test/evp_kdf_test.c @@ -502,7 +502,8 @@ static int test_kdf_pbkdf1(void) unsigned int iterations = 4096; OSSL_LIB_CTX *libctx = NULL; OSSL_PARAM *params = NULL; - OSSL_PROVIDER *prov = NULL; + OSSL_PROVIDER *legacyprov = NULL; + OSSL_PROVIDER *defprov = NULL; const unsigned char expected[sizeof(out)] = { 0xfb, 0x83, 0x4d, 0x36, 0x6d, 0xbc, 0x53, 0x87, 0x35, 0x1b, 0x34, 0x75, 0x95, 0x88, 0x32, 0x4f, 0x3e, 0x82, 0x81, 0x01, 0x21, 0x93, 0x64, 0x00, @@ -513,12 +514,15 @@ static int test_kdf_pbkdf1(void) goto err; /* PBKDF1 only available in the legacy provider */ - prov = OSSL_PROVIDER_load(libctx, "legacy"); - if (prov == NULL) { + legacyprov = OSSL_PROVIDER_load(libctx, "legacy"); + if (legacyprov == NULL) { OSSL_LIB_CTX_free(libctx); return TEST_skip("PBKDF1 only available in legacy provider"); } + if (!TEST_ptr(defprov = OSSL_PROVIDER_load(libctx, "default"))) + goto err; + params = construct_pbkdf1_params("passwordPASSWORDpassword", "sha256", "saltSALTsaltSALTsaltSALTsaltSALTsalt", &iterations); @@ -534,7 +538,8 @@ static int test_kdf_pbkdf1(void) err: EVP_KDF_CTX_free(kctx); OPENSSL_free(params); - OSSL_PROVIDER_unload(prov); + OSSL_PROVIDER_unload(defprov); + OSSL_PROVIDER_unload(legacyprov); OSSL_LIB_CTX_free(libctx); return ret; } From tomas at openssl.org Wed Sep 15 12:08:39 2021 
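Review bot: in ossl_prov_cipher_load_from_params() and ossl_prov_digest_load_from_params(), a name that resolves only to a global method now leaves pc->cipher / pd->md NULL, and the lines shown raise no error specific to that rejection. Raise a dedicated error, or at least extend the `/* Do not use global EVP_CIPHERs */` and `/* Do not use global EVP_MDs */` comments to say why they must be refused, because a generic fetch failure is misleading when the name is known but rejected. The two blocks are also identical apart from the type; a small shared helper would keep the `origin != EVP_ORIG_GLOBAL` rule in one place and confine the new dependency on the internal "crypto/evp.h" header to one spot.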
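Review bot: the test_kdf_pbkdf1() change in test/evp_kdf_test.c only makes the positive case pass again by loading the "default" provider next to "legacy"; nothing asserts the new rejection. Add a case that loads only "legacy", requests "sha256", and expects setting the parameters or the derivation to fail, so that a regression which lets a global EVP_MD back in is caught.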
From: tomas at openssl.org (tomas at openssl.org) Date: Wed, 15 Sep 2021 12:08:39 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631707719.093934.19963.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 3f9c95824593b8d57ac0227591e4c338fc98c5f9 (commit) from 42ea0a86e89d84c2d649b268ebbfb43a9344d33e (commit) - Log ----------------------------------------------------------------- commit 3f9c95824593b8d57ac0227591e4c338fc98c5f9 Author: Tomas Mraz Date: Tue Sep 14 09:34:32 2021 +0200 providers: Do not use global EVP_CIPHERs and EVP_MDs Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16600) (cherry picked from commit e59bfbaa2dbd680f77e1121e382502bd522a466c) ----------------------------------------------------------------------- Summary of changes: providers/common/provider_util.c | 21 +++++++++++++++++---- test/evp_kdf_test.c | 13 +++++++++---- 2 files changed, 26 insertions(+), 8 deletions(-) diff --git a/providers/common/provider_util.c b/providers/common/provider_util.c index 662175c2f3..fcfbab632d 100644 --- a/providers/common/provider_util.c +++ b/providers/common/provider_util.c @@ -16,6 +16,7 @@ #include #ifndef FIPS_MODULE # include +# include "crypto/evp.h" #endif #include "prov/provider_util.h" #include "internal/nelem.h" @@ -90,8 +91,14 @@ int ossl_prov_cipher_load_from_params(PROV_CIPHER *pc, ERR_set_mark(); pc->cipher = pc->alloc_cipher = EVP_CIPHER_fetch(ctx, p->data, propquery); #ifndef FIPS_MODULE /* Inside the FIPS module, we don't support legacy ciphers */ - if (pc->cipher == NULL) - pc->cipher = EVP_get_cipherbyname(p->data); + if (pc->cipher == NULL) { + const EVP_CIPHER *cipher; + + cipher = EVP_get_cipherbyname(p->data); + /* Do not use global EVP_CIPHERs */ + if (cipher != NULL && cipher->origin != EVP_ORIG_GLOBAL) + pc->cipher = cipher; + } #endif if (pc->cipher != NULL) ERR_pop_to_mark(); 
@@ -159,8 +166,14 @@ int ossl_prov_digest_load_from_params(PROV_DIGEST *pd, ERR_set_mark(); ossl_prov_digest_fetch(pd, ctx, p->data, propquery); #ifndef FIPS_MODULE /* Inside the FIPS module, we don't support legacy digests */ - if (pd->md == NULL) - pd->md = EVP_get_digestbyname(p->data); + if (pd->md == NULL) { + const EVP_MD *md; + + md = EVP_get_digestbyname(p->data); + /* Do not use global EVP_MDs */ + if (md != NULL && md->origin != EVP_ORIG_GLOBAL) + pd->md = md; + } #endif if (pd->md != NULL) ERR_pop_to_mark(); diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c index 4b3df38b5f..145e64fbdb 100644 --- a/test/evp_kdf_test.c +++ b/test/evp_kdf_test.c @@ -502,7 +502,8 @@ static int test_kdf_pbkdf1(void) unsigned int iterations = 4096; OSSL_LIB_CTX *libctx = NULL; OSSL_PARAM *params = NULL; - OSSL_PROVIDER *prov = NULL; + OSSL_PROVIDER *legacyprov = NULL; + OSSL_PROVIDER *defprov = NULL; const unsigned char expected[sizeof(out)] = { 0xfb, 0x83, 0x4d, 0x36, 0x6d, 0xbc, 0x53, 0x87, 0x35, 0x1b, 0x34, 0x75, 0x95, 0x88, 0x32, 0x4f, 0x3e, 0x82, 0x81, 0x01, 0x21, 0x93, 0x64, 0x00, @@ -513,12 +514,15 @@ static int test_kdf_pbkdf1(void) goto err; /* PBKDF1 only available in the legacy provider */ - prov = OSSL_PROVIDER_load(libctx, "legacy"); - if (prov == NULL) { + legacyprov = OSSL_PROVIDER_load(libctx, "legacy"); + if (legacyprov == NULL) { OSSL_LIB_CTX_free(libctx); return TEST_skip("PBKDF1 only available in legacy provider"); } + if (!TEST_ptr(defprov = OSSL_PROVIDER_load(libctx, "default"))) + goto err; + params = construct_pbkdf1_params("passwordPASSWORDpassword", "sha256", "saltSALTsaltSALTsaltSALTsaltSALTsalt", &iterations); @@ -534,7 +538,8 @@ static int test_kdf_pbkdf1(void) err: EVP_KDF_CTX_free(kctx); OPENSSL_free(params); - OSSL_PROVIDER_unload(prov); + OSSL_PROVIDER_unload(defprov); + OSSL_PROVIDER_unload(legacyprov); OSSL_LIB_CTX_free(libctx); return ret; } From dev at ddvo.net Fri Sep 17 08:03:18 2021 
From: dev at ddvo.net (dev at ddvo.net) Date: Fri, 17 Sep 2021 08:03:18 +0000 Subject: [openssl] master update Message-ID: <1631865798.833682.25098.nullmailer@dev.openssl.org> The branch master has been updated via 39a8d4e13219580c8c89a234d6db5d261408cadb (commit) from e59bfbaa2dbd680f77e1121e382502bd522a466c (commit) - Log ----------------------------------------------------------------- commit 39a8d4e13219580c8c89a234d6db5d261408cadb Author: Dr. David von Oheimb Date: Sat Sep 11 23:08:13 2021 +0200 APPS/cmp.c: Move warning on overlong section name to make it effective again Fixes #16585 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16586) ----------------------------------------------------------------------- Summary of changes: apps/cmp.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apps/cmp.c b/apps/cmp.c index 74c8cd71f1..170ac816f2 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -2001,14 +2001,14 @@ static const char *prev_item(const char *opt, const char *end) while (beg != opt && beg[-1] != ',' && !isspace(beg[-1])) beg--; len = end - beg; - if (len > SECTION_NAME_MAX) + if (len > SECTION_NAME_MAX) { + CMP_warn2("using only first %d characters of section name starting with \"%s\"", + SECTION_NAME_MAX, opt_item); len = SECTION_NAME_MAX; + } strncpy(opt_item, beg, len); opt_item[SECTION_NAME_MAX] = '\0'; /* avoid gcc v8 O3 stringop-truncation */ opt_item[len] = '\0'; - if (len > SECTION_NAME_MAX) - CMP_warn2("using only first %d characters of section name starting with \"%s\"", - SECTION_NAME_MAX, opt_item); while (beg != opt && (beg[-1] == ',' || isspace(beg[-1]))) beg--; return beg; From tomas at openssl.org Fri Sep 17 11:15:01 2021 
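Review bot: in prev_item() the warning now runs before `strncpy(opt_item, beg, len)`, so the `%s` argument opt_item still holds whatever an earlier call left in the buffer, not the overlong name that is about to be truncated. Remember the overflow in a local flag inside the `if (len > SECTION_NAME_MAX)` block and emit CMP_warn2() after `opt_item[len] = '\0';`, which keeps the warning effective and makes it print the name it is actually about.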
From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 17 Sep 2021 11:15:01 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631877301.093203.10406.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via d656a086ef61581cae10a0f33322e6910232aa01 (commit) from 3f9c95824593b8d57ac0227591e4c338fc98c5f9 (commit) - Log ----------------------------------------------------------------- commit d656a086ef61581cae10a0f33322e6910232aa01 Author: Dr. David von Oheimb Date: Sat Sep 11 23:08:13 2021 +0200 APPS/cmp.c: Move warning on overlong section name to make it effective again Fixes #16585 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16586) (cherry picked from commit 39a8d4e13219580c8c89a234d6db5d261408cadb) ----------------------------------------------------------------------- Summary of changes: apps/cmp.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apps/cmp.c b/apps/cmp.c index 74c8cd71f1..170ac816f2 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -2001,14 +2001,14 @@ static const char *prev_item(const char *opt, const char *end) while (beg != opt && beg[-1] != ',' && !isspace(beg[-1])) beg--; len = end - beg; - if (len > SECTION_NAME_MAX) + if (len > SECTION_NAME_MAX) { + CMP_warn2("using only first %d characters of section name starting with \"%s\"", + SECTION_NAME_MAX, opt_item); len = SECTION_NAME_MAX; + } strncpy(opt_item, beg, len); opt_item[SECTION_NAME_MAX] = '\0'; /* avoid gcc v8 O3 stringop-truncation */ opt_item[len] = '\0'; - if (len > SECTION_NAME_MAX) - CMP_warn2("using only first %d characters of section name starting with \"%s\"", - SECTION_NAME_MAX, opt_item); while (beg != opt && (beg[-1] == ',' || isspace(beg[-1]))) beg--; return beg; From no-reply at appveyor.com Fri Sep 17 11:16:13 2021 
From: no-reply at appveyor.com (AppVeyor) Date: Fri, 17 Sep 2021 11:16:13 +0000 Subject: Build failed: openssl openssl-3.0.42737 Message-ID: <20210917111613.1.A88A7CB834B566D9@appveyor.com> An HTML attachment was scrubbed... URL: From tomas at openssl.org Fri Sep 17 12:33:44 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 17 Sep 2021 12:33:44 +0000 Subject: [openssl] master update Message-ID: <1631882024.894629.28752.nullmailer@dev.openssl.org> The branch master has been updated via 9e51f877930dbd4216438a5da3c9612bf4d0a918 (commit) via 4603b782e6dbed493d2f38db111abc05df66fb99 (commit) from 39a8d4e13219580c8c89a234d6db5d261408cadb (commit) - Log ----------------------------------------------------------------- commit 9e51f877930dbd4216438a5da3c9612bf4d0a918 Author: Matt Caswell Date: Sat Sep 11 10:02:21 2021 +0100 Clarify what SSL_get_session() does on the server side in TLSv1.3 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16582) commit 4603b782e6dbed493d2f38db111abc05df66fb99 Author: Matt Caswell Date: Sat Sep 11 09:58:52 2021 +0100 Correct the documentation for SSL_set_num_tickets() The behaviour for what happens in a resumption connection was not quite described correctly. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16582) ----------------------------------------------------------------------- Summary of changes: doc/man3/SSL_CTX_set_num_tickets.pod | 8 ++++---- doc/man3/SSL_get_session.pod | 7 +++++-- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/doc/man3/SSL_CTX_set_num_tickets.pod b/doc/man3/SSL_CTX_set_num_tickets.pod index c06583304f..95ed719df7 100644 --- a/doc/man3/SSL_CTX_set_num_tickets.pod +++ b/doc/man3/SSL_CTX_set_num_tickets.pod 
@@ -27,10 +27,10 @@ the client after a full handshake. Set the desired value (which could be 0) in the B argument. Typically these functions should be called before the start of the handshake. -The default number of tickets is 2; the default number of tickets sent following -a resumption handshake is 1 but this cannot be changed using these functions. -The number of tickets following a resumption handshake can be reduced to 0 using -custom session ticket callbacks (see L). +The default number of tickets is 2. Following a resumption the number of tickets +issued will never be more than 1 regardless of the value set via +SSL_set_num_tickets() or SSL_CTX_set_num_tickets(). If B is set to +0 then no tickets will be issued for either a normal connection or a resumption. Tickets are also issued on receipt of a post-handshake certificate from the client following a request by the server using diff --git a/doc/man3/SSL_get_session.pod b/doc/man3/SSL_get_session.pod index 967ccea564..6631bdf324 100644 --- a/doc/man3/SSL_get_session.pod +++ b/doc/man3/SSL_get_session.pod @@ -37,8 +37,11 @@ L for information on how to determine whether an SSL_SESSION object can be used for resumption or not. Additionally, in TLSv1.3, a server can send multiple messages that establish a -session for a single connection. In that case the above functions will only -return information on the last session that was received. +session for a single connection. In that case, on the client side, the above +functions will only return information on the last session that was received. On +the server side they will only return information on the last session that was +sent, or if no session tickets were sent then the session for the current +connection. The preferred way for applications to obtain a resumable SSL_SESSION object is to use a new session callback as described in L. From tomas at openssl.org Fri Sep 17 12:34:08 2021 
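Review bot: the rewritten paragraph in SSL_CTX_set_num_tickets.pod drops the sentence about reducing the post-resumption ticket count to 0 through custom session ticket callbacks without saying whether that route still applies. If it does, keep the cross-reference; if setting the ticket count to 0 now covers it, say so explicitly. In SSL_get_session.pod the new server-side sentence would read more clearly split in two: one for "the last session that was sent", one for the fallback to the current connection's session when no tickets were sent.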
From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 17 Sep 2021 12:34:08 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631882048.772308.30083.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 2221e7eebab7af085a7235547585da1cbd798350 (commit) from d656a086ef61581cae10a0f33322e6910232aa01 (commit) - Log ----------------------------------------------------------------- commit 2221e7eebab7af085a7235547585da1cbd798350 Author: Matt Caswell Date: Sat Sep 11 10:02:21 2021 +0100 Clarify what SSL_get_session() does on the server side in TLSv1.3 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16582) (cherry picked from commit 9e51f877930dbd4216438a5da3c9612bf4d0a918) ----------------------------------------------------------------------- Summary of changes: doc/man3/SSL_get_session.pod | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/doc/man3/SSL_get_session.pod b/doc/man3/SSL_get_session.pod index 967ccea564..6631bdf324 100644 --- a/doc/man3/SSL_get_session.pod +++ b/doc/man3/SSL_get_session.pod @@ -37,8 +37,11 @@ L for information on how to determine whether an SSL_SESSION object can be used for resumption or not. Additionally, in TLSv1.3, a server can send multiple messages that establish a -session for a single connection. In that case the above functions will only -return information on the last session that was received. +session for a single connection. In that case, on the client side, the above +functions will only return information on the last session that was received. On +the server side they will only return information on the last session that was +sent, or if no session tickets were sent then the session for the current +connection. The preferred way for applications to obtain a resumable SSL_SESSION object is to use a new session callback as described in L. From tomas at openssl.org Fri Sep 17 12:34:21 2021 
From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 17 Sep 2021 12:34:21 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1631882061.618801.31212.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 97a1fb5106fdb2b3dc3bbe84d0892db40e50c45f (commit) from 2f3b120401533db82e99ed28de5fc8aab1b76b33 (commit) - Log ----------------------------------------------------------------- commit 97a1fb5106fdb2b3dc3bbe84d0892db40e50c45f Author: Matt Caswell Date: Sat Sep 11 10:02:21 2021 +0100 Clarify what SSL_get_session() does on the server side in TLSv1.3 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16582) (cherry picked from commit 9e51f877930dbd4216438a5da3c9612bf4d0a918) ----------------------------------------------------------------------- Summary of changes: doc/man3/SSL_get_session.pod | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/doc/man3/SSL_get_session.pod b/doc/man3/SSL_get_session.pod index 7c04570635..4d8527aecf 100644 --- a/doc/man3/SSL_get_session.pod +++ b/doc/man3/SSL_get_session.pod @@ -37,8 +37,11 @@ L for information on how to determine whether an SSL_SESSION object can be used for resumption or not. Additionally, in TLSv1.3, a server can send multiple messages that establish a -session for a single connection. In that case the above functions will only -return information on the last session that was received. +session for a single connection. In that case, on the client side, the above +functions will only return information on the last session that was received. On +the server side they will only return information on the last session that was +sent, or if no session tickets were sent then the session for the current +connection. The preferred way for applications to obtain a resumable SSL_SESSION object is to use a new session callback as described in L. From tomas at openssl.org Fri Sep 17 12:35:16 2021 
From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 17 Sep 2021 12:35:16 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1631882116.008647.834.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 5402f96aba9dd3d0b3006b8b2651bd27d3cbf326 (commit) from 97a1fb5106fdb2b3dc3bbe84d0892db40e50c45f (commit) - Log ----------------------------------------------------------------- commit 5402f96aba9dd3d0b3006b8b2651bd27d3cbf326 Author: Matt Caswell Date: Sat Sep 11 09:58:52 2021 +0100 Correct the documentation for SSL_set_num_tickets() The behaviour for what happens in a resumption connection was not quite described correctly. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16582) (cherry picked from commit 4603b782e6dbed493d2f38db111abc05df66fb99) ----------------------------------------------------------------------- Summary of changes: doc/man3/SSL_CTX_set_num_tickets.pod | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/man3/SSL_CTX_set_num_tickets.pod b/doc/man3/SSL_CTX_set_num_tickets.pod index ad13ed15f4..2224b35c30 100644 --- a/doc/man3/SSL_CTX_set_num_tickets.pod +++ b/doc/man3/SSL_CTX_set_num_tickets.pod 
@@ -25,10 +25,10 @@ the client after a full handshake. Set the desired value (which could be 0) in the B argument. Typically these functions should be called before the start of the handshake. -The default number of tickets is 2; the default number of tickets sent following -a resumption handshake is 1 but this cannot be changed using these functions. -The number of tickets following a resumption handshake can be reduced to 0 using -custom session ticket callbacks (see L). +The default number of tickets is 2. Following a resumption the number of tickets +issued will never be more than 1 regardless of the value set via +SSL_set_num_tickets() or SSL_CTX_set_num_tickets(). If B is set to +0 then no tickets will be issued for either a normal connection or a resumption. Tickets are also issued on receipt of a post-handshake certificate from the client following a request by the server using From tomas at openssl.org Fri Sep 17 12:35:26 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 17 Sep 2021 12:35:26 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631882126.828418.2205.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 119983124f996c8159e8fd816e84e41edfcda700 (commit) from 2221e7eebab7af085a7235547585da1cbd798350 (commit) - Log ----------------------------------------------------------------- commit 119983124f996c8159e8fd816e84e41edfcda700 Author: Matt Caswell Date: Sat Sep 11 09:58:52 2021 +0100 Correct the documentation for SSL_set_num_tickets() The behaviour for what happens in a resumption connection was not quite described correctly. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16582) (cherry picked from commit 4603b782e6dbed493d2f38db111abc05df66fb99) ----------------------------------------------------------------------- Summary of changes: doc/man3/SSL_CTX_set_num_tickets.pod | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/doc/man3/SSL_CTX_set_num_tickets.pod b/doc/man3/SSL_CTX_set_num_tickets.pod index c06583304f..95ed719df7 100644 --- a/doc/man3/SSL_CTX_set_num_tickets.pod +++ b/doc/man3/SSL_CTX_set_num_tickets.pod @@ -27,10 +27,10 @@ the client after a full handshake. Set the desired value (which could be 0) in the B argument. Typically these functions should be called before the start of the handshake. -The default number of tickets is 2; the default number of tickets sent following -a resumption handshake is 1 but this cannot be changed using these functions. -The number of tickets following a resumption handshake can be reduced to 0 using -custom session ticket callbacks (see L). +The default number of tickets is 2. Following a resumption the number of tickets +issued will never be more than 1 regardless of the value set via +SSL_set_num_tickets() or SSL_CTX_set_num_tickets(). If B is set to +0 then no tickets will be issued for either a normal connection or a resumption. Tickets are also issued on receipt of a post-handshake certificate from the client following a request by the server using From tomas at openssl.org Fri Sep 17 12:49:38 2021 
From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 17 Sep 2021 12:49:38 +0000 Subject: [openssl] master update Message-ID: <1631882978.694448.16683.nullmailer@dev.openssl.org> The branch master has been updated via a7f58bdc1abe245dd09790e8f97d91df271578f4 (commit) from 9e51f877930dbd4216438a5da3c9612bf4d0a918 (commit) - Log ----------------------------------------------------------------- commit a7f58bdc1abe245dd09790e8f97d91df271578f4 Author: Bernd Edlinger Date: Sun Aug 22 21:28:51 2021 +0200 Fix the parameter type of gf_serialize It is better to use array bounds for improved gcc warning checks. While "uint8_t*" allows arbitrary pointer arithmetic using "uint8_t[SER_BYTES]" limits the pointer arithmetic to the range 0..SER_BYTES. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16376) ----------------------------------------------------------------------- Summary of changes: crypto/ec/curve448/f_generic.c | 2 +- crypto/ec/curve448/field.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/ec/curve448/f_generic.c b/crypto/ec/curve448/f_generic.c index 4c571810d3..7bb7df6b60 100644 --- a/crypto/ec/curve448/f_generic.c +++ b/crypto/ec/curve448/f_generic.c @@ -18,7 +18,7 @@ static const gf MODULUS = { }; /* Serialize to wire format. */ -void gf_serialize(uint8_t *serial, const gf x, int with_hibit) +void gf_serialize(uint8_t serial[SER_BYTES], const gf x, int with_hibit) { unsigned int j = 0, fill = 0; dword_t buffer = 0; diff --git a/crypto/ec/curve448/field.h b/crypto/ec/curve448/field.h index e1c6333789..0350322553 100644 --- a/crypto/ec/curve448/field.h +++ b/crypto/ec/curve448/field.h 
@@ -62,7 +62,7 @@ mask_t gf_eq(const gf x, const gf y); mask_t gf_lobit(const gf x); mask_t gf_hibit(const gf x); -void gf_serialize(uint8_t *serial, const gf x, int with_highbit); +void gf_serialize(uint8_t serial[SER_BYTES], const gf x, int with_highbit); mask_t gf_deserialize(gf x, const uint8_t serial[SER_BYTES], int with_hibit, uint8_t hi_nmask); From no-reply at appveyor.com Fri Sep 17 13:00:52 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 17 Sep 2021 13:00:52 +0000 Subject: Build completed: openssl openssl-3.0.42738 Message-ID: <20210917130052.1.3606069DC7C995C3@appveyor.com> An HTML attachment was scrubbed... URL: From levitte at openssl.org Sat Sep 18 06:13:41 2021 From: levitte at openssl.org (Richard Levitte) Date: Sat, 18 Sep 2021 06:13:41 +0000 Subject: [openssl] master update Message-ID: <1631945621.444330.26393.nullmailer@dev.openssl.org> The branch master has been updated via bfbb62c3b0a8f8d223f84ebf7507594cee99f135 (commit) from a7f58bdc1abe245dd09790e8f97d91df271578f4 (commit) - Log ----------------------------------------------------------------- commit bfbb62c3b0a8f8d223f84ebf7507594cee99f135 Author: Richard Levitte Date: Wed Sep 15 09:11:41 2021 +0200 Configurations/platform/Unix.pm: account for variants in sharedlib_simple() OpenSSL 1.1.1 links the simple libcrypto.so to libcrypto_variant.so, this was inadvertently dropped. Fixes #16605 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16608) ----------------------------------------------------------------------- Summary of changes: Configurations/platform/Unix.pm | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/Configurations/platform/Unix.pm b/Configurations/platform/Unix.pm index c7d7d9eb80..8db0ed912e 100644 --- a/Configurations/platform/Unix.pm +++ b/Configurations/platform/Unix.pm 
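Review bot: the third parameter of gf_serialize() is still spelled with_hibit in the definition in crypto/ec/curve448/f_generic.c and with_highbit in the prototype in crypto/ec/curve448/field.h; as both lines are being touched, use with_hibit in the header too, matching the gf_deserialize() prototype on the next line. A short comment next to the prototype would also help: uint8_t serial[SER_BYTES] still decays to a pointer, so the bound only feeds compiler warnings and callers remain responsible for passing a buffer of at least SER_BYTES.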
@@ -63,9 +63,21 @@ sub sharedname_simple { } sub sharedlib_simple { - return undef if $_[0]->shlibext() eq $_[0]->shlibextsimple(); - return platform::BASE::__concat($_[0]->sharedname_simple($_[1]), - $_[0]->shlibextsimple()); + # This function returns the simplified shared library name (no version + # or variant in the shared library file name) if the simple variants of + # the base name or the suffix differ from the full variants of the same. + + # Note: if $_[1] isn't a shared library name, then $_[0]->sharedname() + # and $_[0]->sharedname_simple() will return undef. This needs being + # accounted for. + my $name = $_[0]->sharedname($_[1]); + my $simplename = $_[0]->sharedname_simple($_[1]); + my $ext = $_[0]->shlibext(); + my $simpleext = $_[0]->shlibextsimple(); + + return undef unless defined $simplename && defined $name; + return undef if ($name eq $simplename && $ext eq $simpleext); + return platform::BASE::__concat($simplename, $simpleext); } sub sharedlib_import { From levitte at openssl.org Sat Sep 18 06:14:53 2021 
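Review bot: sharedlib_simple() in Configurations/platform/Unix.pm gets its variant handling back with no test, and the summary shows Unix.pm as the only file changed, so the same behaviour could be dropped again unnoticed; a build test with a variant configured that checks for the simple libcrypto.so name would pin it down. Smaller points in the same hunk: parenthesising the guard as unless (defined $simplename && defined $name) would match the style of the line that follows it, and "This needs being accounted for" reads better as "This needs to be accounted for".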
From: levitte at openssl.org (Richard Levitte) Date: Sat, 18 Sep 2021 06:14:53 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1631945693.225229.28359.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 814271efcc6e77fefabd616fab381fd168e2bd15 (commit) from 119983124f996c8159e8fd816e84e41edfcda700 (commit) - Log ----------------------------------------------------------------- commit 814271efcc6e77fefabd616fab381fd168e2bd15 Author: Richard Levitte Date: Wed Sep 15 09:11:41 2021 +0200 Configurations/platform/Unix.pm: account for variants in sharedlib_simple() OpenSSL 1.1.1 links the simple libcrypto.so to libcrypto_variant.so, this was inadvertently dropped. Fixes #16605 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16608) (cherry picked from commit bfbb62c3b0a8f8d223f84ebf7507594cee99f135) ----------------------------------------------------------------------- Summary of changes: Configurations/platform/Unix.pm | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/Configurations/platform/Unix.pm b/Configurations/platform/Unix.pm index c7d7d9eb80..8db0ed912e 100644 --- a/Configurations/platform/Unix.pm +++ b/Configurations/platform/Unix.pm 
@@ -63,9 +63,21 @@ sub sharedname_simple { } sub sharedlib_simple { - return undef if $_[0]->shlibext() eq $_[0]->shlibextsimple(); - return platform::BASE::__concat($_[0]->sharedname_simple($_[1]), - $_[0]->shlibextsimple()); + # This function returns the simplified shared library name (no version + # or variant in the shared library file name) if the simple variants of + # the base name or the suffix differ from the full variants of the same. + + # Note: if $_[1] isn't a shared library name, then $_[0]->sharedname() + # and $_[0]->sharedname_simple() will return undef. This needs being + # accounted for. + my $name = $_[0]->sharedname($_[1]); + my $simplename = $_[0]->sharedname_simple($_[1]); + my $ext = $_[0]->shlibext(); + my $simpleext = $_[0]->shlibextsimple(); + + return undef unless defined $simplename && defined $name; + return undef if ($name eq $simplename && $ext eq $simpleext); + return platform::BASE::__concat($simplename, $simpleext); } sub sharedlib_import { From pauli at openssl.org Sat Sep 18 21:40:19 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Sat, 18 Sep 2021 21:40:19 +0000 Subject: [openssl] master update Message-ID: <1632001219.358087.8187.nullmailer@dev.openssl.org> The branch master has been updated via e396c114eb7233e24ba6a920606cfdd6bc6cff7c (commit) via e2ef7f1265e727567e8963aa2756a387a621ef71 (commit) from bfbb62c3b0a8f8d223f84ebf7507594cee99f135 (commit) - Log ----------------------------------------------------------------- commit e396c114eb7233e24ba6a920606cfdd6bc6cff7c Author: Tianjia Zhang Date: Wed Sep 15 11:00:50 2021 +0800 apps/s_client: Add ktls option From openssl-3.0.0-alpha15, KTLS is turned off by default, even if KTLS feature in compilation, which makes it difficult to use KTLS through s_server/s_client, so a parameter option 'ktls' is added to enable KTLS through cmdline. 
Signed-off-by: Tianjia Zhang Reviewed-by: Paul Yang Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16609) commit e2ef7f1265e727567e8963aa2756a387a621ef71 Author: Tianjia Zhang Date: Wed Sep 15 11:39:51 2021 +0800 apps/s_server: Add ktls option From openssl-3.0.0-alpha15, KTLS is turned off by default, even if KTLS feature in compilation, which makes it difficult to use KTLS through s_server/s_client, so a parameter option 'ktls' is added to enable KTLS through cmdline. At the same time, SSL_sendfile() depends on KTLS feature to work properly, make parameters sendfile depend on parameters ktls. Signed-off-by: Tianjia Zhang Reviewed-by: Paul Yang Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16609) ----------------------------------------------------------------------- Summary of changes: apps/s_client.c | 16 ++++++++++++++++ apps/s_server.c | 20 +++++++++++++++++++- doc/man1/openssl-s_client.pod.in | 7 +++++++ doc/man1/openssl-s_server.pod.in | 10 +++++++++- 4 files changed, 51 insertions(+), 2 deletions(-) diff --git a/apps/s_client.c b/apps/s_client.c index 3b9be0e8c2..6ccb7a42d0 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -467,6 +467,7 @@ typedef enum OPTION_choice { OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME, OPT_ENABLE_PHA, OPT_SCTP_LABEL_BUG, + OPT_KTLS, OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; @@ -664,6 +665,9 @@ const OPTIONS s_client_options[] = { {"srp_strength", OPT_SRP_STRENGTH, 'p', "(deprecated) Minimal length in bits for N"}, #endif +#ifndef OPENSSL_NO_KTLS + {"ktls", OPT_KTLS, '-', "Enable Kernel TLS for sending and receiving"}, +#endif OPT_R_OPTIONS, OPT_S_OPTIONS, @@ -888,6 +892,9 @@ int s_client_main(int argc, char **argv) int sctp_label_bug = 0; #endif int ignore_unexpected_eof = 0; +#ifndef OPENSSL_NO_KTLS + int enable_ktls = 0; +#endif FD_ZERO(&readfds); FD_ZERO(&writefds); 
@@ -1457,6 +1464,11 @@ int s_client_main(int argc, char **argv) case OPT_ENABLE_PHA: enable_pha = 1; break; + case OPT_KTLS: +#ifndef OPENSSL_NO_KTLS + enable_ktls = 1; +#endif + break; } } @@ -1700,6 +1712,10 @@ int s_client_main(int argc, char **argv) if (ignore_unexpected_eof) SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF); +#ifndef OPENSSL_NO_KTLS + if (enable_ktls) + SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS); +#endif if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) { BIO_printf(bio_err, "Error setting verify params\n"); diff --git a/apps/s_server.c b/apps/s_server.c index c5d9221e90..9f448298f0 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -716,7 +716,7 @@ typedef enum OPTION_choice { OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA, OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, OPT_SCTP_LABEL_BUG, - OPT_HTTP_SERVER_BINMODE, OPT_NOCANAMES, OPT_IGNORE_UNEXPECTED_EOF, + OPT_HTTP_SERVER_BINMODE, OPT_NOCANAMES, OPT_IGNORE_UNEXPECTED_EOF, OPT_KTLS, OPT_R_ENUM, OPT_S_ENUM, OPT_V_ENUM, @@ -958,6 +958,7 @@ const OPTIONS s_server_options[] = { {"alpn", OPT_ALPN, 's', "Set the advertised protocols for the ALPN extension (comma-separated list)"}, #ifndef OPENSSL_NO_KTLS + {"ktls", OPT_KTLS, '-', "Enable Kernel TLS for sending and receiving"}, {"sendfile", OPT_SENDFILE, '-', "Use sendfile to response file with -WWW"}, #endif @@ -1053,6 +1054,9 @@ int s_server_main(int argc, char *argv[]) int sctp_label_bug = 0; #endif int ignore_unexpected_eof = 0; +#ifndef OPENSSL_NO_KTLS + int enable_ktls = 0; +#endif /* Init of few remaining global variables */ local_argc = argc; @@ -1627,6 +1631,11 @@ int s_server_main(int argc, char *argv[]) case OPT_NOCANAMES: no_ca_names = 1; break; + case OPT_KTLS: +#ifndef OPENSSL_NO_KTLS + enable_ktls = 1; +#endif + break; case OPT_SENDFILE: #ifndef OPENSSL_NO_KTLS use_sendfile = 1; 
@@ -1694,6 +1703,11 @@ int s_server_main(int argc, char *argv[]) #endif #ifndef OPENSSL_NO_KTLS + if (use_sendfile && enable_ktls == 0) { + BIO_printf(bio_out, "Warning: -sendfile depends on -ktls, enabling -ktls now.\n"); + enable_ktls = 1; + } + if (use_sendfile && www <= 1) { BIO_printf(bio_err, "Can't use -sendfile without -WWW or -HTTP\n"); goto end; @@ -1883,6 +1897,10 @@ int s_server_main(int argc, char *argv[]) if (ignore_unexpected_eof) SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF); +#ifndef OPENSSL_NO_KTLS + if (enable_ktls) + SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS); +#endif if (max_send_fragment > 0 && !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)) { diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index 6328cd07d9..709bc49375 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in @@ -116,6 +116,7 @@ B B [B<-srp_lateuser>] [B<-srp_moregroups>] [B<-srp_strength> I] +[B<-ktls>] {- $OpenSSL::safe::opt_name_synopsis -} {- $OpenSSL::safe::opt_version_synopsis -} {- $OpenSSL::safe::opt_x_synopsis -} @@ -765,6 +766,12 @@ Tolerate other than the known B and B values. Set the minimal acceptable length, in bits, for B. This option is deprecated. +=item B<-ktls> + +Enable Kernel TLS for sending and receiving. +This option was introduced in OpenSSL 3.1.0. +Kernel TLS is off by default as of OpenSSL 3.1.0. + {- $OpenSSL::safe::opt_version_item -} {- $OpenSSL::safe::opt_name_item -} diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index 115eceb0e3..c461a0cd73 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -128,6 +128,7 @@ B B [B<-no_dhe>] [B<-nextprotoneg> I] [B<-alpn> I] +[B<-ktls>] [B<-sendfile>] [B<-keylogfile> I] [B<-recv_max_early_data> I] 
@@ -762,11 +763,18 @@ Protocol names are printable ASCII strings, for example "http/1.1" or "spdy/3". The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used. +=item B<-ktls> + +Enable Kernel TLS for sending and receiving. +This option was introduced in OpenSSL 3.1.0. +Kernel TLS is off by default as of OpenSSL 3.1.0. + =item B<-sendfile> If this option is set and KTLS is enabled, SSL_sendfile() will be used instead of BIO_write() to send the HTTP response requested by a client. -This option is only valid if B<-WWW> or B<-HTTP> is specified. +This option is only valid when B<-ktls> along with B<-WWW> or B<-HTTP> +are specified. =item B<-keylogfile> I From tomas at openssl.org Mon Sep 20 07:32:25 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Mon, 20 Sep 2021 07:32:25 +0000 Subject: [openssl] master update Message-ID: <1632123145.180269.5463.nullmailer@dev.openssl.org> The branch master has been updated via 8d257d0dc6ed9d5aeb8366de6be0af01538557ea (commit) from e396c114eb7233e24ba6a920606cfdd6bc6cff7c (commit) - Log ----------------------------------------------------------------- commit 8d257d0dc6ed9d5aeb8366de6be0af01538557ea Author: slontis Date: Tue Aug 31 10:59:20 2021 +1000 Document that the openssl fipsinstall self test callback may not be used. Fixes #16260 If the user autoloads a fips module from a config file, then it will run the self tests early (before the self test callback is set), and they may not get triggered again during the fipsinstall process. In order for this to happen there must already be a valid fips config file. As the main purpose of the application is to generate the fips config file, this case has just been documented. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16475) ----------------------------------------------------------------------- Summary of changes: doc/man1/openssl-fipsinstall.pod.in | 12 ++++++++++++ 1 file changed, 12 insertions(+) 
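Review bot: in apps/s_server.c (hunk at -1694), the new "Warning: -sendfile depends on -ktls, enabling -ktls now." message goes to bio_out, while the "Can't use -sendfile without -WWW or -HTTP" check right below it writes to bio_err; send the warning to bio_err as well so diagnostics do not end up mixed into the server's normal output. The warning is also printed before the -WWW/-HTTP check, so a run that is about to fail with that error still announces that it is enabling -ktls; swapping the two blocks avoids that.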
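Review bot: the B<-sendfile> text in doc/man1/openssl-s_server.pod.in now says the option is "only valid when B<-ktls> along with B<-WWW> or B<-HTTP> are specified", but the s_server.c change in this same patch accepts -sendfile without -ktls and switches -ktls on with a warning; the page should describe that behaviour instead. The new B<-ktls> items in both pod files also state "Kernel TLS is off by default as of OpenSSL 3.1.0", whereas the commit message dates the default-off change to openssl-3.0.0-alpha15; please reconcile the two.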
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in index d79e237dba..97e2ae910c 100644 --- a/doc/man1/openssl-fipsinstall.pod.in +++ b/doc/man1/openssl-fipsinstall.pod.in @@ -197,6 +197,18 @@ All other options are ignored if '-config' is used. =back +=head1 NOTES + +Self tests results are logged by default if the options B<-quiet> and B<-noout> +are not specified, or if either of the options B<-corrupt_desc> or +B<-corrupt_type> are used. +If the base configuration file is set up to autoload the fips module, then the +fips module will be loaded and self tested BEFORE the fipsinstall application +has a chance to set up its own self test callback. As a result of this the self +test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored. +For normal usage the base configuration file should use the default provider +when generating the fips configuration file. + =head1 EXAMPLES Calculate the mac of a FIPS module F and run a FIPS self test From tomas at openssl.org Mon Sep 20 07:33:10 2021 
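Review bot: the new NOTES section in doc/man1/openssl-fipsinstall.pod.in documents that B<-corrupt_desc> and B<-corrupt_type> "will be ignored" when the base configuration autoloads the fips module, which means someone using those options to confirm that a failing self test is detected gets a run with no indication that the corruption was never applied. Documenting it is a reasonable first step, but the text should say how to recognise this situation, and a follow-up that makes fipsinstall warn or fail when these options are given with the module already loaded would be safer. Wording: "Self tests results" should be "Self test results", and "either of the options ... are used" should be "is used".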
From: tomas at openssl.org (tomas at openssl.org) Date: Mon, 20 Sep 2021 07:33:10 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1632123190.351862.7161.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 119062833cc7ac4fc6d67287e3be3e4868f7f389 (commit) from 814271efcc6e77fefabd616fab381fd168e2bd15 (commit) - Log ----------------------------------------------------------------- commit 119062833cc7ac4fc6d67287e3be3e4868f7f389 Author: slontis Date: Tue Aug 31 10:59:20 2021 +1000 Document that the openssl fipsinstall self test callback may not be used. Fixes #16260 If the user autoloads a fips module from a config file, then it will run the self tests early (before the self test callback is set), and they may not get triggered again during the fipsinstall process. In order for this to happen there must already be a valid fips config file. As the main purpose of the application is to generate the fips config file, this case has just been documented. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16475) (cherry picked from commit 8d257d0dc6ed9d5aeb8366de6be0af01538557ea) ----------------------------------------------------------------------- Summary of changes: doc/man1/openssl-fipsinstall.pod.in | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in index d79e237dba..97e2ae910c 100644 --- a/doc/man1/openssl-fipsinstall.pod.in +++ b/doc/man1/openssl-fipsinstall.pod.in 
@@ -197,6 +197,18 @@ All other options are ignored if '-config' is used. =back +=head1 NOTES + +Self tests results are logged by default if the options B<-quiet> and B<-noout> +are not specified, or if either of the options B<-corrupt_desc> or +B<-corrupt_type> are used. +If the base configuration file is set up to autoload the fips module, then the +fips module will be loaded and self tested BEFORE the fipsinstall application +has a chance to set up its own self test callback. As a result of this the self +test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored. +For normal usage the base configuration file should use the default provider +when generating the fips configuration file. + =head1 EXAMPLES Calculate the mac of a FIPS module F and run a FIPS self test From pauli at openssl.org Tue Sep 21 00:52:06 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 21 Sep 2021 00:52:06 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1632185526.990243.4702.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 56b8f434c7da35b4de16603faad4170eb1d80710 (commit) from 119062833cc7ac4fc6d67287e3be3e4868f7f389 (commit) - Log ----------------------------------------------------------------- commit 56b8f434c7da35b4de16603faad4170eb1d80710 Author: Arne Schwabe Date: Sat Sep 18 05:04:39 2021 +0200 Add missing mention of mandatory function OSSL_FUNC_keymgmt_has The manual page provider-keymgmt.pod is missing the mention of the required function OSSL_FUNC_keymgmt_has. The function keymgmt_from_algorithm raise EVP_R_INVALID_PROVIDER_FUNCTIONS if keymgmt->has == NULL CLA: trivial Signed-off-by: Arne Schwabe Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16621) ----------------------------------------------------------------------- Summary of changes: doc/man7/provider-keymgmt.pod | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
diff --git a/doc/man7/provider-keymgmt.pod b/doc/man7/provider-keymgmt.pod index 000c8cab3f..25b822b47d 100644 --- a/doc/man7/provider-keymgmt.pod +++ b/doc/man7/provider-keymgmt.pod @@ -254,9 +254,10 @@ provider knows how to interpret, but that may come from other operations. Outside the provider, this reference is simply an array of bytes. At least one of OSSL_FUNC_keymgmt_new(), OSSL_FUNC_keymgmt_gen() and -OSSL_FUNC_keymgmt_load() are mandatory, as well as OSSL_FUNC_keymgmt_free(). -Additionally, if OSSL_FUNC_keymgmt_gen() is present, OSSL_FUNC_keymgmt_gen_init() -and OSSL_FUNC_keymgmt_gen_cleanup() must be present as well. +OSSL_FUNC_keymgmt_load() are mandatory, as well as OSSL_FUNC_keymgmt_free() and +OSSL_FUNC_keymgmt_has(). Additionally, if OSSL_FUNC_keymgmt_gen() is present, +OSSL_FUNC_keymgmt_gen_init() and OSSL_FUNC_keymgmt_gen_cleanup() must be +present as well. =head2 Key Object Information Functions From pauli at openssl.org Tue Sep 21 00:52:31 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 21 Sep 2021 00:52:31 +0000 Subject: [openssl] master update Message-ID: <1632185551.238139.5982.nullmailer@dev.openssl.org> The branch master has been updated via d270a6c9ea9f240f653a98c7eb0a5c2134a5d63a (commit) from 8d257d0dc6ed9d5aeb8366de6be0af01538557ea (commit) - Log ----------------------------------------------------------------- commit d270a6c9ea9f240f653a98c7eb0a5c2134a5d63a Author: Arne Schwabe Date: Sat Sep 18 05:04:39 2021 +0200 Add missing mention of mandatory function OSSL_FUNC_keymgmt_has The manual page provider-keymgmt.pod is missing the mention of the required function OSSL_FUNC_keymgmt_has. The function keymgmt_from_algorithm raise EVP_R_INVALID_PROVIDER_FUNCTIONS if keymgmt->has == NULL CLA: trivial 
Signed-off-by: Arne Schwabe Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16621) (cherry picked from commit 56b8f434c7da35b4de16603faad4170eb1d80710) ----------------------------------------------------------------------- Summary of changes: doc/man7/provider-keymgmt.pod | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/doc/man7/provider-keymgmt.pod b/doc/man7/provider-keymgmt.pod index 000c8cab3f..25b822b47d 100644 --- a/doc/man7/provider-keymgmt.pod +++ b/doc/man7/provider-keymgmt.pod @@ -254,9 +254,10 @@ provider knows how to interpret, but that may come from other operations. Outside the provider, this reference is simply an array of bytes. At least one of OSSL_FUNC_keymgmt_new(), OSSL_FUNC_keymgmt_gen() and -OSSL_FUNC_keymgmt_load() are mandatory, as well as OSSL_FUNC_keymgmt_free(). -Additionally, if OSSL_FUNC_keymgmt_gen() is present, OSSL_FUNC_keymgmt_gen_init() -and OSSL_FUNC_keymgmt_gen_cleanup() must be present as well. +OSSL_FUNC_keymgmt_load() are mandatory, as well as OSSL_FUNC_keymgmt_free() and +OSSL_FUNC_keymgmt_has(). Additionally, if OSSL_FUNC_keymgmt_gen() is present, +OSSL_FUNC_keymgmt_gen_init() and OSSL_FUNC_keymgmt_gen_cleanup() must be +present as well. =head2 Key Object Information Functions From pauli at openssl.org Tue Sep 21 08:03:35 2021 
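Review bot: the amended paragraph in doc/man7/provider-keymgmt.pod names OSSL_FUNC_keymgmt_has() as mandatory but not what a provider author sees when it is missing; the commit message has that detail (keymgmt_from_algorithm raises EVP_R_INVALID_PROVIDER_FUNCTIONS when keymgmt->has is NULL), and one sentence to that effect in the page would save debugging time. While the sentence is being rewrapped, "At least one of ... are mandatory" could become "is mandatory".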
From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 21 Sep 2021 08:03:35 +0000 Subject: [openssl] master update Message-ID: <1632211415.934281.22379.nullmailer@dev.openssl.org> The branch master has been updated via 08d8c2d87ec782e95c28ff795e096c2f6f590d63 (commit) from d270a6c9ea9f240f653a98c7eb0a5c2134a5d63a (commit) - Log ----------------------------------------------------------------- commit 08d8c2d87ec782e95c28ff795e096c2f6f590d63 Author: Pauli Date: Mon Sep 20 09:54:10 2021 +1000 ci: add copyright header to CI scripts There is quite a bit of creative effort in these and even more trouble- shooting effort. I.e. they are non-trivial from a copyright perspective. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16628) ----------------------------------------------------------------------- Summary of changes: .github/workflows/ci.yml | 7 +++++++ .github/workflows/compiler-zoo.yml | 7 +++++++ .github/workflows/coveralls.yml | 7 +++++++ .github/workflows/cross-compiles.yml | 7 +++++++ .github/workflows/fips-checksums.yml | 7 +++++++ .github/workflows/fips-label.yml | 7 +++++++ .github/workflows/fuzz-checker.yml | 7 +++++++ .github/workflows/main.yml | 7 +++++++ .github/workflows/run-checker-ci.yml | 7 +++++++ .github/workflows/run-checker-daily.yml | 7 +++++++ .github/workflows/run-checker-merge.yml | 7 +++++++ .github/workflows/windows.yml | 7 +++++++ 12 files changed, 84 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 601ba5f6b1..c7a344c529 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: GitHub CI on: [pull_request, push] 
diff --git a/.github/workflows/compiler-zoo.yml b/.github/workflows/compiler-zoo.yml index 29a9097343..55d108543f 100644 --- a/.github/workflows/compiler-zoo.yml +++ b/.github/workflows/compiler-zoo.yml @@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: Compiler Zoo CI on: [push] diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml index 45e9e8e62e..3392edda4a 100644 --- a/.github/workflows/coveralls.yml +++ b/.github/workflows/coveralls.yml @@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: Coverage #Run once a day diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml index 576a9d3b18..ebfc13c626 100644 --- a/.github/workflows/cross-compiles.yml +++ b/.github/workflows/cross-compiles.yml @@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: Cross Compile on: [pull_request, push] diff --git a/.github/workflows/fips-checksums.yml b/.github/workflows/fips-checksums.yml index d8aea44786..78351981d5 100644 --- a/.github/workflows/fips-checksums.yml +++ b/.github/workflows/fips-checksums.yml 
@@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: FIPS Checksums on: [pull_request] diff --git a/.github/workflows/fips-label.yml b/.github/workflows/fips-label.yml index eb87f200f5..c241801b9e 100644 --- a/.github/workflows/fips-label.yml +++ b/.github/workflows/fips-label.yml @@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: FIPS Changed Label on: workflow_run: diff --git a/.github/workflows/fuzz-checker.yml b/.github/workflows/fuzz-checker.yml index 5b784deb10..4d3bf35884 100644 --- a/.github/workflows/fuzz-checker.yml +++ b/.github/workflows/fuzz-checker.yml @@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: Fuzz-checker CI on: [push] diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 81f6203e2a..4ad9c0c1fa 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: CIFuzz on: [pull_request, push] jobs: diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml index 5a6dd4dc85..1aca0170f8 100644 --- a/.github/workflows/run-checker-ci.yml +++ b/.github/workflows/run-checker-ci.yml @@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + # Jobs run per pull request submission name: Run-checker CI on: [pull_request, push] diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml index d9374f1cfc..0937d2f57d 100644 --- a/.github/workflows/run-checker-daily.yml +++ b/.github/workflows/run-checker-daily.yml @@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: Run-checker daily # Jobs run daily diff --git a/.github/workflows/run-checker-merge.yml b/.github/workflows/run-checker-merge.yml index 4f5efeae51..7795ab1db2 100644 --- a/.github/workflows/run-checker-merge.yml +++ b/.github/workflows/run-checker-merge.yml 
@@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: Run-checker merge # Jobs run per merge to master diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index ffe6c92403..cb9e84b33d 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: Windows GitHub CI on: [pull_request, push] From pauli at openssl.org Tue Sep 21 08:05:07 2021 
From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 21 Sep 2021 08:05:07 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1632211507.146356.25534.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 8f3bcfdfddf8b670439150d9ce6b2aec5df6c036 (commit) from 56b8f434c7da35b4de16603faad4170eb1d80710 (commit) - Log ----------------------------------------------------------------- commit 8f3bcfdfddf8b670439150d9ce6b2aec5df6c036 Author: Pauli Date: Mon Sep 20 09:54:10 2021 +1000 ci: add copyright header to CI scripts There is quite a bit of creative effort in these and even more trouble- shooting effort. I.e. they are non-trivial from a copyright perspective. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16628) (cherry picked from commit 08d8c2d87ec782e95c28ff795e096c2f6f590d63) ----------------------------------------------------------------------- Summary of changes: .github/workflows/ci.yml | 7 +++++++ .github/workflows/compiler-zoo.yml | 7 +++++++ .github/workflows/coveralls.yml | 7 +++++++ .github/workflows/cross-compiles.yml | 7 +++++++ .github/workflows/fips-checksums.yml | 7 +++++++ .github/workflows/fips-label.yml | 7 +++++++ .github/workflows/fuzz-checker.yml | 7 +++++++ .github/workflows/main.yml | 7 +++++++ .github/workflows/run-checker-ci.yml | 7 +++++++ .github/workflows/run-checker-daily.yml | 7 +++++++ .github/workflows/run-checker-merge.yml | 7 +++++++ .github/workflows/windows.yml | 7 +++++++ 12 files changed, 84 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 601ba5f6b1..c7a344c529 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: GitHub CI on: [pull_request, push] diff --git a/.github/workflows/compiler-zoo.yml b/.github/workflows/compiler-zoo.yml index 29a9097343..55d108543f 100644 --- a/.github/workflows/compiler-zoo.yml +++ b/.github/workflows/compiler-zoo.yml @@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: Compiler Zoo CI on: [push] diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml index 45e9e8e62e..3392edda4a 100644 --- a/.github/workflows/coveralls.yml +++ b/.github/workflows/coveralls.yml @@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: Coverage #Run once a day diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml index 576a9d3b18..ebfc13c626 100644 --- a/.github/workflows/cross-compiles.yml +++ b/.github/workflows/cross-compiles.yml 
@@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: Cross Compile on: [pull_request, push] diff --git a/.github/workflows/fips-checksums.yml b/.github/workflows/fips-checksums.yml index d8aea44786..78351981d5 100644 --- a/.github/workflows/fips-checksums.yml +++ b/.github/workflows/fips-checksums.yml @@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: FIPS Checksums on: [pull_request] diff --git a/.github/workflows/fips-label.yml b/.github/workflows/fips-label.yml index eb87f200f5..c241801b9e 100644 --- a/.github/workflows/fips-label.yml +++ b/.github/workflows/fips-label.yml @@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: FIPS Changed Label on: workflow_run: diff --git a/.github/workflows/fuzz-checker.yml b/.github/workflows/fuzz-checker.yml index 5b784deb10..4d3bf35884 100644 --- a/.github/workflows/fuzz-checker.yml +++ b/.github/workflows/fuzz-checker.yml 
@@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: Fuzz-checker CI on: [push] diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 81f6203e2a..4ad9c0c1fa 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: CIFuzz on: [pull_request, push] jobs: diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml index 5a6dd4dc85..1aca0170f8 100644 --- a/.github/workflows/run-checker-ci.yml +++ b/.github/workflows/run-checker-ci.yml @@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + # Jobs run per pull request submission name: Run-checker CI on: [pull_request, push] diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml index d9374f1cfc..0937d2f57d 100644 --- a/.github/workflows/run-checker-daily.yml +++ b/.github/workflows/run-checker-daily.yml 
@@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: Run-checker daily # Jobs run daily diff --git a/.github/workflows/run-checker-merge.yml b/.github/workflows/run-checker-merge.yml index 4f5efeae51..7795ab1db2 100644 --- a/.github/workflows/run-checker-merge.yml +++ b/.github/workflows/run-checker-merge.yml @@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: Run-checker merge # Jobs run per merge to master diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index ffe6c92403..cb9e84b33d 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -1,3 +1,10 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + name: Windows GitHub CI on: [pull_request, push] From levitte at openssl.org Tue Sep 21 09:06:44 2021 
From: levitte at openssl.org (Richard Levitte) Date: Tue, 21 Sep 2021 09:06:44 +0000 Subject: [openssl] master update Message-ID: <1632215204.310211.5633.nullmailer@dev.openssl.org> The branch master has been updated via dc18f036f161e1e49e1d001046716c77d1699e70 (commit) from 08d8c2d87ec782e95c28ff795e096c2f6f590d63 (commit) - Log ----------------------------------------------------------------- commit dc18f036f161e1e49e1d001046716c77d1699e70 Author: Richard Levitte Date: Sun Sep 19 11:05:35 2021 +0200 Fix util/mkpod2html.pl to call pod2html with absolute paths It turns out that on VMS, pod2html only recognises VMS directory specifications if they contain a device name, which is accomplished by making them absolute. Otherwise, a VMS build that includes building the document HTML files ends up with an error like this: $ perl [---.downloads.openssl-3_0-snap-20210916.util]mkpod2html.pl -i [---.downloads.openssl-3_0-snap-20210916.doc.man1]CA.pl.pod -o [.DOC.HTML.MAN1]CA.PL.HTML -t "CA.pl" -r "[---.downloads.openssl-3_0-snap-20210916.doc]" [---.downloads.openssl-3_0-snap-20210916.util]mkpod2html.pl: error changing to directory -/-/-/downloads/openssl-3_0-snap-20210916/doc/: no such file or directory %SYSTEM-F-ABORT, abort Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16626) ----------------------------------------------------------------------- Summary of changes: util/mkpod2html.pl | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/util/mkpod2html.pl b/util/mkpod2html.pl index 2df4b22b41..ea1164d597 100755 --- a/util/mkpod2html.pl +++ b/util/mkpod2html.pl @@ -12,6 +12,7 @@ use warnings; use lib "."; use Getopt::Std; use Pod::Html; +use File::Spec::Functions qw(:DEFAULT rel2abs); # Options. our($opt_i); # -i INFILE 
@@ -25,6 +26,14 @@ die "-o flag missing" unless $opt_o; die "-t flag missing" unless $opt_t; die "-r flag missing" unless $opt_r; +# We originally used realpath() here, but the Windows implementation appears +# to require that the directory or file exist to be able to process the input, +# so we use rel2abs() instead, which only processes the string without +# looking further. +$opt_i = rel2abs($opt_i) or die "Can't convert to real path: $!"; +$opt_o = rel2abs($opt_o) or die "Can't convert to real path: $!"; +$opt_r = rel2abs($opt_r) or die "Can't convert to real path: $!"; + pod2html "--infile=$opt_i", "--outfile=$opt_o", From levitte at openssl.org Tue Sep 21 09:07:14 2021 
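Review bot: The `or die "Can't convert to real path: $!"` attached to the three `rel2abs()` assignments in the second hunk of util/mkpod2html.pl is effectively dead, and its message is misleading. As the added comment itself says, `rel2abs()` only processes the string, so nothing sets `$!`, and the branch would fire only if the result were an empty string or "0". Either drop the `or die`, or test the result explicitly and word the message after what the code now does (making the path absolute), since `realpath()` is no longer called.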
From: levitte at openssl.org (Richard Levitte) Date: Tue, 21 Sep 2021 09:07:14 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1632215234.463488.7019.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 5a05c0d05233051f7af736e4f906b99f42212526 (commit) from 8f3bcfdfddf8b670439150d9ce6b2aec5df6c036 (commit) - Log ----------------------------------------------------------------- commit 5a05c0d05233051f7af736e4f906b99f42212526 Author: Richard Levitte Date: Sun Sep 19 11:05:35 2021 +0200 Fix util/mkpod2html.pl to call pod2html with absolute paths It turns out that on VMS, pod2html only recognises VMS directory specifications if they contain a device name, which is accomplished by making them absolute. Otherwise, a VMS build that includes building the document HTML files ends up with an error like this: $ perl [---.downloads.openssl-3_0-snap-20210916.util]mkpod2html.pl -i [---.downloads.openssl-3_0-snap-20210916.doc.man1]CA.pl.pod -o [.DOC.HTML.MAN1]CA.PL.HTML -t "CA.pl" -r "[---.downloads.openssl-3_0-snap-20210916.doc]" [---.downloads.openssl-3_0-snap-20210916.util]mkpod2html.pl: error changing to directory -/-/-/downloads/openssl-3_0-snap-20210916/doc/: no such file or directory %SYSTEM-F-ABORT, abort Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16626) (cherry picked from commit dc18f036f161e1e49e1d001046716c77d1699e70) ----------------------------------------------------------------------- Summary of changes: util/mkpod2html.pl | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/util/mkpod2html.pl b/util/mkpod2html.pl index 2df4b22b41..ea1164d597 100755 --- a/util/mkpod2html.pl +++ b/util/mkpod2html.pl @@ -12,6 +12,7 @@ use warnings; use lib "."; use Getopt::Std; use Pod::Html; +use File::Spec::Functions qw(:DEFAULT rel2abs); # Options. our($opt_i); # -i INFILE 
@@ -25,6 +26,14 @@ die "-o flag missing" unless $opt_o; die "-t flag missing" unless $opt_t; die "-r flag missing" unless $opt_r; +# We originally used realpath() here, but the Windows implementation appears +# to require that the directory or file exist to be able to process the input, +# so we use rel2abs() instead, which only processes the string without +# looking further. +$opt_i = rel2abs($opt_i) or die "Can't convert to real path: $!"; +$opt_o = rel2abs($opt_o) or die "Can't convert to real path: $!"; +$opt_r = rel2abs($opt_r) or die "Can't convert to real path: $!"; + pod2html "--infile=$opt_i", "--outfile=$opt_o", From beldmit at gmail.com Tue Sep 21 12:10:04 2021 
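Review bot: The comment added above the `rel2abs()` calls in util/mkpod2html.pl documents why `realpath()` was dropped (the Windows implementation needs the path to exist) but not why the paths have to be absolute at all. The commit message has the reason: on VMS, pod2html only recognises directory specifications that contain a device name. Suggest carrying that sentence into the comment so the three assignments are not later removed as redundant.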
From: beldmit at gmail.com (beldmit at gmail.com)
Date: Tue, 21 Sep 2021 12:10:04 +0000
Subject: [openssl] master update
Message-ID: <1632226204.629178.30484.nullmailer@dev.openssl.org>

The branch master has been updated
  via 6923d261b819cdd5d9e0a72337da6d6a92cef2a2 (commit)
  via 537976defe0775c016b9dbb36406bee1e96d0edb (commit)
  via 7e399f03829aad161b52b9c433b8d349c5922739 (commit)
  via 7a27bdbdce3d6d6548d5878a30aecc989fcab574 (commit)
  via 86cfd132ffc4f6198cc640a29c293850c0a59914 (commit)
  from dc18f036f161e1e49e1d001046716c77d1699e70 (commit)

- Log -----------------------------------------------------------------
commit 6923d261b819cdd5d9e0a72337da6d6a92cef2a2
Author: Dmitry Belyavskiy
Date: Fri Sep 17 17:49:39 2021 +0200

    Update the default value for the -nameopt option - documentation

    Reviewed-by: Paul Dale
    Reviewed-by: Tomas Mraz
    (Merged from https://github.com/openssl/openssl/pull/16583)

commit 537976defe0775c016b9dbb36406bee1e96d0edb
Author: Dmitry Belyavskiy
Date: Fri Sep 17 17:47:55 2021 +0200

    NEWS and CHANGES are updated about switching to utf8

    Reviewed-by: Paul Dale
    Reviewed-by: Tomas Mraz
    (Merged from https://github.com/openssl/openssl/pull/16583)

commit 7e399f03829aad161b52b9c433b8d349c5922739
Author: Dmitry Belyavskiy
Date: Mon Sep 13 19:24:24 2021 +0200

    Tests adjustments for default output change

    Reviewed-by: Paul Dale
    Reviewed-by: Tomas Mraz
    (Merged from https://github.com/openssl/openssl/pull/16583)

commit 7a27bdbdce3d6d6548d5878a30aecc989fcab574
Author: Dmitry Belyavskiy
Date: Thu Sep 16 17:47:47 2021 +0200

    Update gost-engine to match new default nameopt

    Reviewed-by: Paul Dale
    Reviewed-by: Tomas Mraz
    (Merged from https://github.com/openssl/openssl/pull/16583)

commit 86cfd132ffc4f6198cc640a29c293850c0a59914
Author: Dmitry Belyavskiy
Date: Sat Sep 11 13:56:28 2021 +0200

    Use -nameopt utf8 by default

    Reviewed-by: Paul Dale
    Reviewed-by: Tomas Mraz
    (Merged from https://github.com/openssl/openssl/pull/16583)

----------------------------------------------------------------------- Summary of changes: CHANGES.md | 5 ++++- NEWS.md | 5 +++-- apps/lib/apps.c | 2 +- doc/man1/openssl-namedisplay-options.pod | 2 +- gost-engine | 2 +- test/recipes/25-test_rusext.t | 6 +++++- test/recipes/80-test_pkcs12.t | 2 +- 7 files changed, 16 insertions(+), 8 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 58dffb15ef..c9d3825eec 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -24,7 +24,10 @@ OpenSSL 3.1 ### Changes between 3.0 and 3.1 [xx XXX xxxx] - * + * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings + by default. + + *Dmitry Belyavskiy* OpenSSL 3.0 ----------- diff --git a/NEWS.md b/NEWS.md index 7cf0d8a7b7..720cec7330 100644 --- a/NEWS.md +++ b/NEWS.md @@ -21,12 +21,13 @@ OpenSSL 3.1 ### Major changes between OpenSSL 3.0 and OpenSSL 3.1 [under development] - * + * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings + by default. OpenSSL 3.0 ----------- -### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0 [under development] +### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0 * Enhanced 'openssl list' with many new options. * Added migration guide to man7. diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 43c01401e8..6fe99422b9 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -197,7 +197,7 @@ int set_nameopt(const char *arg) unsigned long get_nameopt(void) { - return (nmflag_set) ? nmflag : XN_FLAG_ONELINE; + return (nmflag_set) ? nmflag : XN_FLAG_SEP_CPLUS_SPC | ASN1_STRFLGS_UTF8_CONVERT; } void dump_cert_text(BIO *out, X509 *x) diff --git a/doc/man1/openssl-namedisplay-options.pod b/doc/man1/openssl-namedisplay-options.pod index ff6ed1f4b4..a12f4dbf66 100644 --- a/doc/man1/openssl-namedisplay-options.pod +++ b/doc/man1/openssl-namedisplay-options.pod 
@@ -18,7 +18,7 @@ displayed. This is specified by using the B<-nameopt> option, which takes a comma-separated list of options from the following set. An option may be preceded by a minus sign, C<->, to turn it off. -The default value is C. +The default value is C. The first four are the most commonly used. =head1 OPTIONS diff --git a/gost-engine b/gost-engine index 62583fb222..9869058423 160000 --- a/gost-engine +++ b/gost-engine @@ -1 +1 @@ -Subproject commit 62583fb222ec89ff4f6aa3d18b91ed3e64ed5cea +Subproject commit 986905842330e4a54e61334eb508fe3147c43e38 diff --git a/test/recipes/25-test_rusext.t b/test/recipes/25-test_rusext.t index 05727f9d04..6c02ed1ba2 100644 --- a/test/recipes/25-test_rusext.t +++ b/test/recipes/25-test_rusext.t @@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; setup("test_rusext"); -plan tests => 5; +plan tests => 7; require_ok(srctop_file('test', 'recipes', 'tconversion.pl')); my $pem = srctop_file("test/certs", "grfc.pem"); @@ -31,3 +31,7 @@ ok(run(app(["openssl", "x509", "-text", "-in", $pem, "-out", $out_utf8, "-nameopt", "utf8", "-certopt", "no_pubkey"]))); is(cmp_text($out_utf8, srctop_file('test', 'recipes', '25-test_rusext_data', 'grfc.utf8')), 0, 'Comparing utf8 output'); +ok(run(app(["openssl", "x509", "-text", "-in", $pem, "-out", $out_utf8, + "-certopt", "no_pubkey"]))); +is(cmp_text($out_utf8, srctop_file('test', 'recipes', '25-test_rusext_data', 'grfc.utf8')), + 0, 'Comparing cyrillic utf8 output by default'); diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t index 1f0cb4d501..759cc57118 100644 --- a/test/recipes/80-test_pkcs12.t +++ b/test/recipes/80-test_pkcs12.t 
@@ -143,7 +143,7 @@ my @pkcs12info = run(app(["openssl", "pkcs12", "-info", "-in", $outfile5, "-passin", "pass:"]), capture => 1); # Test that with one input certificate, we get one output certificate -ok(grep(/subject=CN = server.example/, @pkcs12info) == 1, +ok(grep(/subject=CN\s*=\s*server.example/, @pkcs12info) == 1, "test one cert in output"); # Test that the expected friendly name is present in the output ok(grep(/testname/, @pkcs12info) == 1, "test friendly name in output"); From beldmit at gmail.com Tue Sep 21 16:38:19 2021 From: beldmit at gmail.com (beldmit at gmail.com) Date: Tue, 21 Sep 2021 16:38:19 +0000 Subject: [openssl] master update Message-ID: <1632242299.234359.25388.nullmailer@dev.openssl.org> The branch master has been updated via 52dcc011191ad1a40fd52ae92ef009309deaca52 (commit) from 6923d261b819cdd5d9e0a72337da6d6a92cef2a2 (commit) - Log ----------------------------------------------------------------- commit 52dcc011191ad1a40fd52ae92ef009309deaca52 Author: Dmitry Belyavskiy Date: Mon Sep 20 16:35:10 2021 +0200 Avoid double-free on unsuccessful getting PRNG seeding Fixes #16631 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16636) ----------------------------------------------------------------------- Summary of changes: providers/implementations/rands/seed_src.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/providers/implementations/rands/seed_src.c b/providers/implementations/rands/seed_src.c index 173c99ce17..7a4b780bb4 100644 --- a/providers/implementations/rands/seed_src.c +++ b/providers/implementations/rands/seed_src.c 
@@ -201,10 +201,11 @@ static size_t seed_get_seed(void *vseed, unsigned char **pout, ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return 0; } - *pout = p; if (seed_src_generate(vseed, p, bytes_needed, 0, prediction_resistance, - adin, adin_len) != 0) + adin, adin_len) != 0) { + *pout = p; return bytes_needed; + } OPENSSL_secure_clear_free(p, bytes_needed); return 0; } From beldmit at gmail.com Tue Sep 21 16:43:17 2021 From: beldmit at gmail.com (beldmit at gmail.com) Date: Tue, 21 Sep 2021 16:43:17 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1632242597.208164.29365.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via c84f7c4c22828574885916479885ede6b32ba473 (commit) from 5a05c0d05233051f7af736e4f906b99f42212526 (commit) - Log ----------------------------------------------------------------- commit c84f7c4c22828574885916479885ede6b32ba473 Author: Dmitry Belyavskiy Date: Mon Sep 20 16:35:10 2021 +0200 Avoid double-free on unsuccessful getting PRNG seeding Fixes #16631 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16636) (cherry picked from commit 52dcc011191ad1a40fd52ae92ef009309deaca52) ----------------------------------------------------------------------- Summary of changes: providers/implementations/rands/seed_src.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/providers/implementations/rands/seed_src.c b/providers/implementations/rands/seed_src.c index 173c99ce17..7a4b780bb4 100644 --- a/providers/implementations/rands/seed_src.c +++ b/providers/implementations/rands/seed_src.c 
@@ -201,10 +201,11 @@ static size_t seed_get_seed(void *vseed, unsigned char **pout, ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return 0; } - *pout = p; if (seed_src_generate(vseed, p, bytes_needed, 0, prediction_resistance, - adin, adin_len) != 0) + adin, adin_len) != 0) { + *pout = p; return bytes_needed; + } OPENSSL_secure_clear_free(p, bytes_needed); return 0; } From pauli at openssl.org Wed Sep 22 06:23:11 2021 
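Review bot: In `seed_get_seed()` (providers/implementations/rands/seed_src.c, master and the openssl-3.0 cherry-pick alike), with `*pout = p` moved into the success branch, the failure path frees `p` and returns 0 without writing `*pout` at all, so a caller that frees `*pout` after a 0 return is safe only if it initialised the pointer itself. Suggest setting `*pout = NULL` before the final `return 0`, or documenting that `*pout` is left untouched on failure. The summary lists only seed_src.c, so there is also no test that drives `seed_src_generate()` to fail and exercises the path reported in #16631.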
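Review bot: In the apps/lib/apps.c hunk of the "Use -nameopt utf8 by default" series, the new default returned by `get_nameopt()` is `XN_FLAG_SEP_CPLUS_SPC | ASN1_STRFLGS_UTF8_CONVERT`, an expression that names a separator flag and a conversion flag but no escaping flag, so it should be confirmed that control characters in a subject or issuer name are still escaped when the name is printed to a terminal or a log. The 80-test_pkcs12.t regex also had to be loosened to `subject=CN\s*=\s*server.example`, which shows the spacing around `=` changes as well, while CHANGES.md and NEWS.md mention only UTF-8 display; suggest documenting the spacing change, since scripts matching the old `CN = ...` form will stop matching. Parenthesising the `|` expression inside the ternary would make the precedence explicit.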
From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 22 Sep 2021 06:23:11 +0000 Subject: [openssl] master update Message-ID: <1632291791.917616.26177.nullmailer@dev.openssl.org> The branch master has been updated via 57cd10dd1ee9659b94cfa8a8e74c5a151632975e (commit) from 52dcc011191ad1a40fd52ae92ef009309deaca52 (commit) - Log ----------------------------------------------------------------- commit 57cd10dd1ee9659b94cfa8a8e74c5a151632975e Author: Pauli Date: Tue Sep 21 10:59:56 2021 +1000 doc: remove end of line whitespace Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16641) ----------------------------------------------------------------------- Summary of changes: doc/build.info.in | 2 +- doc/internal/man3/OPTIONS.pod | 2 +- doc/internal/man3/cms_add1_signing_cert.pod | 2 +- doc/internal/man3/evp_generic_fetch.pod | 2 +- doc/internal/man3/ossl_lib_ctx_get_data.pod | 2 +- doc/internal/man3/ossl_provider_new.pod | 2 +- doc/internal/man7/DERlib.pod | 2 +- doc/internal/man7/build.info.pod | 2 +- doc/life-cycles/digest.dot | 2 +- doc/life-cycles/kdf.dot | 2 +- doc/life-cycles/mac.dot | 2 +- doc/life-cycles/rand.dot | 2 +- doc/man1/openssl-cmp.pod.in | 2 +- doc/man3/CMS_add1_recipient_cert.pod | 2 +- doc/man3/CMS_get0_RecipientInfos.pod | 2 +- doc/man3/CMS_verify.pod | 2 +- doc/man3/CRYPTO_get_ex_new_index.pod | 2 +- doc/man3/ERR_get_error.pod | 4 ++-- doc/man3/ERR_put_error.pod | 2 +- doc/man3/EVP_EncryptInit.pod | 2 +- doc/man3/EVP_PKEY_copy_parameters.pod | 2 +- doc/man3/EVP_PKEY_encapsulate.pod | 2 +- doc/man3/EVP_PKEY_encrypt.pod | 2 +- doc/man3/EVP_PKEY_fromdata.pod | 2 +- doc/man3/OSSL_CMP_SRV_CTX_new.pod | 2 +- doc/man3/OSSL_DECODER_CTX.pod | 2 +- doc/man3/PKCS12_SAFEBAG_create_cert.pod | 4 ++-- doc/man3/PKCS12_SAFEBAG_get0_attrs.pod | 6 +++--- doc/man3/PKCS12_SAFEBAG_get1_cert.pod | 2 +- doc/man3/PKCS12_decrypt_skey.pod | 2 +- doc/man3/SSL_set_async_callback.pod | 2 +- doc/man3/SSL_set_bio.pod | 2 +- 
doc/man3/X509_get0_signature.pod | 4 ++-- doc/man3/d2i_RSAPrivateKey.pod | 14 +++++++------- doc/man5/x509v3_config.pod | 4 ++-- doc/man7/EVP_KEYEXCH-ECDH.pod | 2 +- doc/man7/EVP_PKEY-DH.pod | 2 +- doc/man7/EVP_PKEY-EC.pod | 2 +- doc/man7/EVP_PKEY-FFC.pod | 2 +- doc/man7/EVP_SIGNATURE-DSA.pod | 2 +- doc/man7/EVP_SIGNATURE-ECDSA.pod | 2 +- doc/man7/EVP_SIGNATURE-RSA.pod | 6 +++--- doc/man7/OSSL_PROVIDER-FIPS.pod | 4 ++-- doc/man7/bio.pod | 2 +- doc/man7/life_cycle-cipher.pod | 6 +++--- doc/man7/life_cycle-digest.pod | 2 +- doc/man7/life_cycle-kdf.pod | 2 +- doc/man7/life_cycle-mac.pod | 2 +- doc/man7/life_cycle-rand.pod | 2 +- doc/man7/migration_guide.pod | 30 ++++++++++++++--------------- doc/man7/openssl-core.h.pod | 2 +- doc/man7/openssl-glossary.pod | 2 +- doc/man7/property.pod | 2 +- doc/man7/provider-base.pod | 2 +- doc/man7/provider-keyexch.pod | 2 +- doc/man7/provider-keymgmt.pod | 4 ++-- doc/man7/provider-signature.pod | 2 +- doc/man7/proxy-certificates.pod | 4 ++-- 58 files changed, 91 insertions(+), 91 deletions(-) diff --git a/doc/build.info.in b/doc/build.info.in index fa1962f382..e8dae7058a 100644 --- a/doc/build.info.in +++ b/doc/build.info.in @@ -14,7 +14,7 @@ SUBDIRS = man1 map { $_ => 1 } glob catfile($sourcedir, "man$section", "img", "*.png"); my %podfiles = map { $_ => 1 } glob catfile($sourcedir, "man$section", "*.pod"); - my %podinfiles = + my %podinfiles = map { $_ => 1 } glob catfile($sourcedir, "man$section", "*.pod.in"); foreach (keys %podinfiles) { diff --git a/doc/internal/man3/OPTIONS.pod b/doc/internal/man3/OPTIONS.pod index 1971c76241..90593ca46f 100644 --- a/doc/internal/man3/OPTIONS.pod +++ b/doc/internal/man3/OPTIONS.pod @@ -189,7 +189,7 @@ B macro: OPT_PARAMETERS() {OPT_PARAM_STR, 1, '-', "Parameters:\n"} -Every "option" after after this should contain the parameter and +Every "option" after after this should contain the parameter and the help string: {"text", 0, 0, "Words to display (optional)"}, 
diff --git a/doc/internal/man3/cms_add1_signing_cert.pod b/doc/internal/man3/cms_add1_signing_cert.pod index 97c5a5111d..1f5f681c64 100644 --- a/doc/internal/man3/cms_add1_signing_cert.pod +++ b/doc/internal/man3/cms_add1_signing_cert.pod @@ -31,7 +31,7 @@ For a fuller description see L). =head1 RETURN VALUES -cms_add1_signing_cert() and cms_add1_signing_cert_v2() return 1 if attribute +cms_add1_signing_cert() and cms_add1_signing_cert_v2() return 1 if attribute is added or 0 if an error occurred. =head1 COPYRIGHT diff --git a/doc/internal/man3/evp_generic_fetch.pod b/doc/internal/man3/evp_generic_fetch.pod index 243f6c952f..bc9a3a0770 100644 --- a/doc/internal/man3/evp_generic_fetch.pod +++ b/doc/internal/man3/evp_generic_fetch.pod @@ -37,7 +37,7 @@ I, I, I, and I and uses it to create an EVP method with the help of the functions I, I, and I. -evp_generic_fetch_by_number() does the same thing as evp_generic_fetch(), +evp_generic_fetch_by_number() does the same thing as evp_generic_fetch(), but takes a numeric I instead of a name. I must always be nonzero; as a matter of fact, it being zero is considered a programming error. diff --git a/doc/internal/man3/ossl_lib_ctx_get_data.pod b/doc/internal/man3/ossl_lib_ctx_get_data.pod index 2050a2506b..faedf7275f 100644 --- a/doc/internal/man3/ossl_lib_ctx_get_data.pod +++ b/doc/internal/man3/ossl_lib_ctx_get_data.pod @@ -91,7 +91,7 @@ and a destructor to an index. } /* - * Include a reference to this in the methods table in context.c + * Include a reference to this in the methods table in context.c * OSSL_LIB_CTX_FOO_INDEX should be added to internal/cryptlib.h * Priorities can be OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, * OSSL_LIB_CTX_METHOD_PRIORITY_1, OSSL_LIB_CTX_METHOD_PRIORITY_2, etc. diff --git a/doc/internal/man3/ossl_provider_new.pod b/doc/internal/man3/ossl_provider_new.pod index 09b2e04117..10d197bcfc 100644 --- a/doc/internal/man3/ossl_provider_new.pod +++ b/doc/internal/man3/ossl_provider_new.pod 
@@ -296,7 +296,7 @@ in a bitstring that's internal to I. ossl_provider_test_operation_bit() checks if the bit operation I is set (1) or not (0) in the internal I bitstring, and sets -I<*result> to 1 or 0 accorddingly. +I<*result> to 1 or 0 accorddingly. ossl_provider_clear_all_operation_bits() clears all of the operation bits to (0) for all providers in the library context I. diff --git a/doc/internal/man7/DERlib.pod b/doc/internal/man7/DERlib.pod index 7085a2cb6d..3129a9b74d 100644 --- a/doc/internal/man7/DERlib.pod +++ b/doc/internal/man7/DERlib.pod @@ -81,7 +81,7 @@ As a reminder, the AlgorithmIdentifier is specified like this: -- From RFC 3280, section 4.1.1.2 AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, - parameters ANY DEFINED BY algorithm OPTIONAL } + parameters ANY DEFINED BY algorithm OPTIONAL } And the RSASSA-PSS OID and parameters are specified like this: diff --git a/doc/internal/man7/build.info.pod b/doc/internal/man7/build.info.pod index 8c651b37e6..080c9e444e 100644 --- a/doc/internal/man7/build.info.pod +++ b/doc/internal/man7/build.info.pod @@ -574,7 +574,7 @@ appear in a linking command line (because of recursive dependencies through other libraries), they will be ordered in such a way that this dependency is maintained: - DEPEND[libfoo.a]{weak}=libfoo.a libcookie.a + DEPEND[libfoo.a]{weak}=libfoo.a libcookie.a This is useful in complex dependency trees where two libraries can be used as alternatives for each other. In this example, C and diff --git a/doc/life-cycles/digest.dot b/doc/life-cycles/digest.dot index 4ad7f79e45..8d4d72480c 100644 --- a/doc/life-cycles/digest.dot +++ b/doc/life-cycles/digest.dot @@ -30,4 +30,4 @@ digraph digest { finaled -> initialised [label="EVP_DigestInit", style=dashed, color="#034f84", fontcolor="#034f84"]; } - + diff --git a/doc/life-cycles/kdf.dot b/doc/life-cycles/kdf.dot index b0e925685d..2dce34377d 100644 --- a/doc/life-cycles/kdf.dot +++ b/doc/life-cycles/kdf.dot 
@@ -13,4 +13,4 @@ strict digraph kdf { deriving -> newed [label="EVP_KDF_CTX_reset", style=dashed, color="#034f84", fontcolor="#034f84"]; } - + diff --git a/doc/life-cycles/mac.dot b/doc/life-cycles/mac.dot index c841c5f218..fe277f8328 100644 --- a/doc/life-cycles/mac.dot +++ b/doc/life-cycles/mac.dot @@ -25,4 +25,4 @@ digraph mac { finaled -> initialised [label="EVP_MAC_init", style=dashed, color="#034f84", fontcolor="#034f84"]; } - + diff --git a/doc/life-cycles/rand.dot b/doc/life-cycles/rand.dot index df740b7a9b..a57cf710c7 100644 --- a/doc/life-cycles/rand.dot +++ b/doc/life-cycles/rand.dot @@ -14,4 +14,4 @@ strict digraph rand { uninstantiated -> end [label="EVP_RAND_CTX_free"]; uninstantiated -> instantiated [label="EVP_RAND_instantiate", style=dashed, color="#034f84", fontcolor="#034f84"]; } - + diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 0e482677a0..b4c3c82255 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -835,7 +835,7 @@ have no effect on the certificate verification enabled via this option. =item B<-tls_host> I -Address to be checked during hostname validation. +Address to be checked during hostname validation. This may be a DNS name or an IP address. If not given it defaults to the B<-server> address. diff --git a/doc/man3/CMS_add1_recipient_cert.pod b/doc/man3/CMS_add1_recipient_cert.pod index 34d1e0ee36..0855d5321b 100644 --- a/doc/man3/CMS_add1_recipient_cert.pod +++ b/doc/man3/CMS_add1_recipient_cert.pod @@ -9,7 +9,7 @@ CMS_add1_recipient, CMS_add1_recipient_cert, CMS_add0_recipient_key - add recipi #include CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip, - EVP_PKEY *originatorPrivKey, + EVP_PKEY *originatorPrivKey, X509 *originator, unsigned int flags); CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms, diff --git a/doc/man3/CMS_get0_RecipientInfos.pod b/doc/man3/CMS_get0_RecipientInfos.pod index c6354381fc..eb755f5243 100644 
--- a/doc/man3/CMS_get0_RecipientInfos.pod +++ b/doc/man3/CMS_get0_RecipientInfos.pod @@ -140,7 +140,7 @@ L, L =head1 HISTORY -B and B +B and B were added in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man3/CMS_verify.pod b/doc/man3/CMS_verify.pod index 33130bc9f2..6c9595e51e 100644 --- a/doc/man3/CMS_verify.pod +++ b/doc/man3/CMS_verify.pod @@ -71,7 +71,7 @@ verified, unless CMS_CADES flag is also set. If B is set the signed attributes signature is not verified, unless CMS_CADES flag is also set. -If B is set, each signer certificate is checked against the +If B is set, each signer certificate is checked against the ESS signingCertificate or ESS signingCertificateV2 extension that is required in the signed attributes of the signature. diff --git a/doc/man3/CRYPTO_get_ex_new_index.pod b/doc/man3/CRYPTO_get_ex_new_index.pod index 7a8ebdf1d9..86b3745d8d 100644 --- a/doc/man3/CRYPTO_get_ex_new_index.pod +++ b/doc/man3/CRYPTO_get_ex_new_index.pod @@ -152,7 +152,7 @@ will fail. CRYPTO_get_ex_new_index() returns a new index or -1 on failure. CRYPTO_free_ex_index(), CRYPTO_alloc_ex_data() and CRYPTO_set_ex_data() -return 1 on success or 0 on failure. +return 1 on success or 0 on failure. CRYPTO_get_ex_data() returns the application data or NULL on failure; note that NULL may be a valid value. diff --git a/doc/man3/ERR_get_error.pod b/doc/man3/ERR_get_error.pod index 4e33378cf3..fb02a3ca07 100644 --- a/doc/man3/ERR_get_error.pod +++ b/doc/man3/ERR_get_error.pod 
@@ -78,14 +78,14 @@ is valid until the respective entry is overwritten in the error queue. ERR_peek_error_line() and ERR_peek_last_error_line() are the same as ERR_peek_error() and ERR_peek_last_error(), but on success they additionally store the filename and line number where the error occurred in *I and -*I, as far as they are not NULL. +*I, as far as they are not NULL. An unset filename is indicated as "", i.e., an empty string. An unset line number is indicated as 0. ERR_peek_error_func() and ERR_peek_last_error_func() are the same as ERR_peek_error() and ERR_peek_last_error(), but on success they additionally store the name of the function where the error occurred in *I, unless -it is NULL. +it is NULL. An unset function name is indicated as "". ERR_peek_error_data() and ERR_peek_last_error_data() are the same as diff --git a/doc/man3/ERR_put_error.pod b/doc/man3/ERR_put_error.pod index a4e0cd6bec..06e728bb82 100644 --- a/doc/man3/ERR_put_error.pod +++ b/doc/man3/ERR_put_error.pod @@ -35,7 +35,7 @@ record. ERR_raise_data() does the same thing as ERR_raise(), but also lets the caller specify additional information as a format string B and an -arbitrary number of values, which are processed with L. +arbitrary number of values, which are processed with L. ERR_put_error() adds an error code to the thread's error queue. It signals that the error of reason code B occurred in function diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod index 62d9047dce..93b4f2c383 100644 --- a/doc/man3/EVP_EncryptInit.pod +++ b/doc/man3/EVP_EncryptInit.pod @@ -1330,7 +1330,7 @@ Sets the CCM B value. If not set a default is used (8 for AES). =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL) -Sets the CCM nonce (IV) length. This call can only be made before specifying a +Sets the CCM nonce (IV) length. This call can only be made before specifying a nonce value. The nonce length is given by B<15 - L> so it is 7 by default for AES. 
diff --git a/doc/man3/EVP_PKEY_copy_parameters.pod b/doc/man3/EVP_PKEY_copy_parameters.pod index 1ca38f8ae9..7c3404403e 100644 --- a/doc/man3/EVP_PKEY_copy_parameters.pod +++ b/doc/man3/EVP_PKEY_copy_parameters.pod @@ -64,7 +64,7 @@ doesn't use parameters. These functions EVP_PKEY_copy_parameters() returns 1 for success and 0 for failure. -The functions EVP_PKEY_cmp_parameters(), EVP_PKEY_parameters_eq(), +The functions EVP_PKEY_cmp_parameters(), EVP_PKEY_parameters_eq(), EVP_PKEY_cmp() and EVP_PKEY_eq() return 1 if their inputs match, 0 if they don't match, -1 if the key types are different and -2 if the operation is not supported. diff --git a/doc/man3/EVP_PKEY_encapsulate.pod b/doc/man3/EVP_PKEY_encapsulate.pod index 22b0aaed6f..9baf88d07b 100644 --- a/doc/man3/EVP_PKEY_encapsulate.pod +++ b/doc/man3/EVP_PKEY_encapsulate.pod @@ -75,7 +75,7 @@ Encapsulate an RSASVE key (for RSA keys). /* * The generated 'secret' can be used as key material. * The encapsulated 'out' can be sent to another party who can - * decapsulate it using their private key to retrieve the 'secret'. + * decapsulate it using their private key to retrieve the 'secret'. */ if (EVP_PKEY_encapsulate(ctx, out, &outlen, secret, &secretlen) <= 0) /* Error */ diff --git a/doc/man3/EVP_PKEY_encrypt.pod b/doc/man3/EVP_PKEY_encrypt.pod index e574efa73a..9ff6ed6cae 100644 --- a/doc/man3/EVP_PKEY_encrypt.pod +++ b/doc/man3/EVP_PKEY_encrypt.pod @@ -2,7 +2,7 @@ =head1 NAME -EVP_PKEY_encrypt_init_ex, +EVP_PKEY_encrypt_init_ex, EVP_PKEY_encrypt_init, EVP_PKEY_encrypt - encrypt using a public key algorithm =head1 SYNOPSIS diff --git a/doc/man3/EVP_PKEY_fromdata.pod b/doc/man3/EVP_PKEY_fromdata.pod index 107ebf82a0..b968150bb6 100644 --- a/doc/man3/EVP_PKEY_fromdata.pod +++ b/doc/man3/EVP_PKEY_fromdata.pod 
@@ -80,7 +80,7 @@ public key and key parameters. These functions only work with key management methods coming from a provider. This is the mirror function to L. -=for comment We may choose to make this available for legacy methods too... +=for comment We may choose to make this available for legacy methods too... =head1 RETURN VALUES diff --git a/doc/man3/OSSL_CMP_SRV_CTX_new.pod b/doc/man3/OSSL_CMP_SRV_CTX_new.pod index bad043cb92..d7f1a2e4db 100644 --- a/doc/man3/OSSL_CMP_SRV_CTX_new.pod +++ b/doc/man3/OSSL_CMP_SRV_CTX_new.pod @@ -100,7 +100,7 @@ in the same way as L. The B must be set as I of I. OSSL_CMP_SRV_CTX_new() creates and initializes an B structure -associated with the library context I and property query string +associated with the library context I and property query string I, both of which may be NULL to select the defaults. OSSL_CMP_SRV_CTX_free() deletes the given I. diff --git a/doc/man3/OSSL_DECODER_CTX.pod b/doc/man3/OSSL_DECODER_CTX.pod index aa5dc90893..0c9db4e087 100644 --- a/doc/man3/OSSL_DECODER_CTX.pod +++ b/doc/man3/OSSL_DECODER_CTX.pod @@ -159,7 +159,7 @@ OSSL_DECODER_CTX_set_cleanup() respectively. OSSL_DECODER_export() is a fallback function for constructors that cannot use the data they get directly for diverse reasons. It takes the same -decode instance I that the constructor got and an object +decode instance I that the constructor got and an object I, unpacks the object which it refers to, and exports it by creating an L array that it then passes to I, along with I. diff --git a/doc/man3/PKCS12_SAFEBAG_create_cert.pod b/doc/man3/PKCS12_SAFEBAG_create_cert.pod index 07ba1425e7..ef161f01ba 100644 --- a/doc/man3/PKCS12_SAFEBAG_create_cert.pod +++ b/doc/man3/PKCS12_SAFEBAG_create_cert.pod 
@@ -3,7 +3,7 @@ =head1 NAME PKCS12_SAFEBAG_create_cert, PKCS12_SAFEBAG_create_crl, -PKCS12_SAFEBAG_create_secret, PKCS12_SAFEBAG_create0_p8inf, +PKCS12_SAFEBAG_create_secret, PKCS12_SAFEBAG_create0_p8inf, PKCS12_SAFEBAG_create0_pkcs8, PKCS12_SAFEBAG_create_pkcs8_encrypt, PKCS12_SAFEBAG_create_pkcs8_encrypt_ex - Create PKCS#12 safeBag objects @@ -52,7 +52,7 @@ containing the supplied PKCS8 structure. PKCS12_SAFEBAG_create0_pkcs8() creates a new B of type B containing the supplied PKCS8 structure. -PKCS12_SAFEBAG_create_pkcs8_encrypt() creates a new B of type +PKCS12_SAFEBAG_create_pkcs8_encrypt() creates a new B of type B by encrypting the supplied PKCS8 I. If I is 0, a default encryption algorithm is used. I is the passphrase and I is the iteration count. If I is zero then a default diff --git a/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod b/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod index c1544bc0e7..8ed67fbdf7 100644 --- a/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod +++ b/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod @@ -16,7 +16,7 @@ PKCS12_SAFEBAG_get0_attrs, PKCS12_get_attr_gen =head1 DESCRIPTION -PKCS12_SAFEBAG_get0_attrs() retrieves the stack of Bs from a +PKCS12_SAFEBAG_get0_attrs() retrieves the stack of Bs from a PKCS#12 safeBag. I is the B to retrieve the attributes from. PKCS12_get_attr_gen() retrieves an attribute by NID from a stack of @@ -24,10 +24,10 @@ Bs. I is the NID of the attribute to retrieve. =head1 RETURN VALUES -PKCS12_SAFEBAG_get0_attrs() returns the stack of Bs from a +PKCS12_SAFEBAG_get0_attrs() returns the stack of Bs from a PKCS#12 safeBag, which could be empty. -PKCS12_get_attr_gen() returns an B object containing the attribute, +PKCS12_get_attr_gen() returns an B object containing the attribute, or NULL if the attribute was either not present or an error occurred. PKCS12_get_attr_gen() does not allocate a new attribute. The returned attribute 
diff --git a/doc/man3/PKCS12_SAFEBAG_get1_cert.pod b/doc/man3/PKCS12_SAFEBAG_get1_cert.pod index b89b17eeaf..13f1263fe6 100644 --- a/doc/man3/PKCS12_SAFEBAG_get1_cert.pod +++ b/doc/man3/PKCS12_SAFEBAG_get1_cert.pod @@ -48,7 +48,7 @@ PKCS12_SAFEBAG_get0_p8inf() and PKCS12_SAFEBAG_get0_pkcs8() return the PKCS8 obj from a PKCS8shroudedKeyBag or a keyBag. PKCS12_SAFEBAG_get0_safes() retrieves the set of B contained within a -safeContentsBag. +safeContentsBag. =head1 RETURN VALUES diff --git a/doc/man3/PKCS12_decrypt_skey.pod b/doc/man3/PKCS12_decrypt_skey.pod index a376ddc502..7a41b2b06c 100644 --- a/doc/man3/PKCS12_decrypt_skey.pod +++ b/doc/man3/PKCS12_decrypt_skey.pod @@ -21,7 +21,7 @@ decrypt functions PKCS12_decrypt_skey() Decrypt the PKCS#8 shrouded keybag contained within I using the supplied password I of length I. -PKCS12_decrypt_skey_ex() is similar to the above but allows for a library contex +PKCS12_decrypt_skey_ex() is similar to the above but allows for a library contex I and property query I to be used to select algorithm implementations. =head1 RETURN VALUES diff --git a/doc/man3/SSL_set_async_callback.pod b/doc/man3/SSL_set_async_callback.pod index 9de735f8fc..db858a00ce 100644 --- a/doc/man3/SSL_set_async_callback.pod +++ b/doc/man3/SSL_set_async_callback.pod @@ -55,7 +55,7 @@ An example of the above functions would be the following: =item 1. -Application sets the async callback and callback data on an SSL connection +Application sets the async callback and callback data on an SSL connection by calling SSL_set_async_callback(). =item 2. diff --git a/doc/man3/SSL_set_bio.pod b/doc/man3/SSL_set_bio.pod index d88e6836b8..44c69ef21e 100644 --- a/doc/man3/SSL_set_bio.pod +++ b/doc/man3/SSL_set_bio.pod 
@@ -78,7 +78,7 @@ and no references are consumed for the B. If the B and B parameters are different and the B is the same as the previously set value and the old B and B values were different -to each other, then one reference is consumed for the B and one +to each other, then one reference is consumed for the B and one reference is consumed for the B. =back diff --git a/doc/man3/X509_get0_signature.pod b/doc/man3/X509_get0_signature.pod index 0d251a0012..a49a70038e 100644 --- a/doc/man3/X509_get0_signature.pod +++ b/doc/man3/X509_get0_signature.pod @@ -3,8 +3,8 @@ =head1 NAME X509_get0_signature, X509_REQ_set0_signature, X509_REQ_set1_signature_algo, -X509_get_signature_nid, X509_get0_tbs_sigalg, X509_REQ_get0_signature, -X509_REQ_get_signature_nid, X509_CRL_get0_signature, X509_CRL_get_signature_nid, +X509_get_signature_nid, X509_get0_tbs_sigalg, X509_REQ_get0_signature, +X509_REQ_get_signature_nid, X509_CRL_get0_signature, X509_CRL_get_signature_nid, X509_get_signature_info, X509_SIG_INFO_get, X509_SIG_INFO_set - signature information =head1 SYNOPSIS diff --git a/doc/man3/d2i_RSAPrivateKey.pod b/doc/man3/d2i_RSAPrivateKey.pod index 20cdfb1fcb..2e22049ffb 100644 --- a/doc/man3/d2i_RSAPrivateKey.pod +++ b/doc/man3/d2i_RSAPrivateKey.pod @@ -172,13 +172,13 @@ There are two migration paths: =item * Replace -bPrivateKey()> with L, -bPublicKey()> with L, -bparams()> with L, -b_PUBKEY()> with L, -bPrivateKey()> with L, -bPublicKey()> with L, -bparams()> with L, +bPrivateKey()> with L, +bPublicKey()> with L, +bparams()> with L, +b_PUBKEY()> with L, +bPrivateKey()> with L, +bPublicKey()> with L, +bparams()> with L, b_PUBKEY()> with L. A caveat is that L may output a DER encoded PKCS#8 outermost structure instead of the type specific structure, and that diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod index fb7c3aaff7..1d4c4dc3ae 100644 --- a/doc/man5/x509v3_config.pod +++ b/doc/man5/x509v3_config.pod 
@@ -289,8 +289,8 @@ B, where B is an object identifier syntax as subject alternative name (except that B is not supported). Possible values for access_id include B (OCSP responder), -B (CA Issuers), -B (AD Time Stamping), +B (CA Issuers), +B (AD Time Stamping), B (ad dvcs), B (CA Repository). diff --git a/doc/man7/EVP_KEYEXCH-ECDH.pod b/doc/man7/EVP_KEYEXCH-ECDH.pod index 95076b1ebd..a710625f22 100644 --- a/doc/man7/EVP_KEYEXCH-ECDH.pod +++ b/doc/man7/EVP_KEYEXCH-ECDH.pod @@ -74,7 +74,7 @@ Keys for the host and peer must be generated as shown in L using the same curve name. The code to generate a shared secret for the normal case is identical to -L. +L. To derive a shared secret on the host using the host's key and the peer's public key but also using X963KDF with a user key material: diff --git a/doc/man7/EVP_PKEY-DH.pod b/doc/man7/EVP_PKEY-DH.pod index 9da5d9c6ef..2c90982d07 100644 --- a/doc/man7/EVP_PKEY-DH.pod +++ b/doc/man7/EVP_PKEY-DH.pod @@ -74,7 +74,7 @@ See EVP_PKEY_set1_encoded_public_key() and EVP_PKEY_get1_encoded_public_key(). Used for DH generation of safe primes using the old safe prime generator code. The default value is 2. It is recommended to use a named safe prime group instead, if domain parameter -validation is required. +validation is required. Randomly generated safe primes are not allowed by FIPS, so setting this value for the OpenSSL FIPS provider will instead choose a named safe prime group diff --git a/doc/man7/EVP_PKEY-EC.pod b/doc/man7/EVP_PKEY-EC.pod index 31d92bf8a1..a3c3ccb705 100644 --- a/doc/man7/EVP_PKEY-EC.pod +++ b/doc/man7/EVP_PKEY-EC.pod @@ -71,7 +71,7 @@ I multiplied by the I gives the number of points on the curve. =item "decoded-from-explicit" (B) Gets a flag indicating wether the key or parameters were decoded from explicit -curve parameters. Set to 1 if so or 0 if a named curve was used. +curve parameters. Set to 1 if so or 0 if a named curve was used. =item "use-cofactor-flag" (B) 
diff --git a/doc/man7/EVP_PKEY-FFC.pod b/doc/man7/EVP_PKEY-FFC.pod index 3ab243f45a..dab7380fc2 100644 --- a/doc/man7/EVP_PKEY-FFC.pod +++ b/doc/man7/EVP_PKEY-FFC.pod @@ -92,7 +92,7 @@ of I

    . This value must be saved if domain parameter validation is required. =item "hindex" (B) -For unverifiable generation of the generator I this value is output during +For unverifiable generation of the generator I this value is output during generation of I. Its value is the first integer larger than one that satisfies g = h^j mod p (where g != 1 and "j" is the cofactor). diff --git a/doc/man7/EVP_SIGNATURE-DSA.pod b/doc/man7/EVP_SIGNATURE-DSA.pod index 11fe500cb3..4801cf9994 100644 --- a/doc/man7/EVP_SIGNATURE-DSA.pod +++ b/doc/man7/EVP_SIGNATURE-DSA.pod @@ -14,7 +14,7 @@ See L for information related to DSA keys. The following signature parameters can be set using EVP_PKEY_CTX_set_params(). This may be called after EVP_PKEY_sign_init() or EVP_PKEY_verify_init(), -and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). +and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). =over 4 diff --git a/doc/man7/EVP_SIGNATURE-ECDSA.pod b/doc/man7/EVP_SIGNATURE-ECDSA.pod index 04b80a1118..0ac3f78461 100644 --- a/doc/man7/EVP_SIGNATURE-ECDSA.pod +++ b/doc/man7/EVP_SIGNATURE-ECDSA.pod @@ -13,7 +13,7 @@ See L for information related to EC keys. The following signature parameters can be set using EVP_PKEY_CTX_set_params(). This may be called after EVP_PKEY_sign_init() or EVP_PKEY_verify_init(), -and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). +and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). =over 4 diff --git a/doc/man7/EVP_SIGNATURE-RSA.pod b/doc/man7/EVP_SIGNATURE-RSA.pod index 1be30b3158..06ca036f0c 100644 --- a/doc/man7/EVP_SIGNATURE-RSA.pod +++ b/doc/man7/EVP_SIGNATURE-RSA.pod @@ -14,7 +14,7 @@ See L for information related to RSA keys. The following signature parameters can be set using EVP_PKEY_CTX_set_params(). This may be called after EVP_PKEY_sign_init() or EVP_PKEY_verify_init(), -and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). +and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). =over 4 
@@ -32,11 +32,11 @@ The type of padding to be used. Its value can be one of the following: =item "none" (B) -=item "pkcs1" (B) +=item "pkcs1" (B) =item "x931" (B) -=item "pss" (B) +=item "pss" (B) =back diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod index 0eac85b324..00ab7977f4 100644 --- a/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/doc/man7/OSSL_PROVIDER-FIPS.pod @@ -6,7 +6,7 @@ OSSL_PROVIDER-FIPS - OpenSSL FIPS provider =head1 DESCRIPTION -The OpenSSL FIPS provider is a special provider that conforms to the Federal +The OpenSSL FIPS provider is a special provider that conforms to the Federal Information Processing Standards (FIPS) specified in FIPS 140-2. This 'module' contains an approved set of cryptographic algorithms that is validated by an accredited testing laboratory. @@ -214,7 +214,7 @@ Known answer test for a digest. Known answer test for a signature. -=item "PCT_Signature" (B) +=item "PCT_Signature" (B) Pairwise Consistency check for a signature. diff --git a/doc/man7/bio.pod b/doc/man7/bio.pod index e2c11665b9..9b86e9493d 100644 --- a/doc/man7/bio.pod +++ b/doc/man7/bio.pod @@ -49,7 +49,7 @@ BIO_free() on it other than the discarded return value. Normally the I argument is supplied by a function which returns a pointer to a BIO_METHOD. There is a naming convention for such functions: -a source/sink BIO typically starts with I and +a source/sink BIO typically starts with I and a filter BIO with I. =head1 EXAMPLES diff --git a/doc/man7/life_cycle-cipher.pod b/doc/man7/life_cycle-cipher.pod index 227cc18b8d..1fe05688ed 100644 --- a/doc/man7/life_cycle-cipher.pod +++ b/doc/man7/life_cycle-cipher.pod 
@@ -126,12 +126,12 @@ This is the canonical list. Function Call ---------------------------------------------- Current State ----------------------------------------------- start newed initialised updated finaled initialised updated initialised updated freed decryption decryption encryption encryption - EVP_CIPHER_CTX_new newed + EVP_CIPHER_CTX_new newed EVP_CipherInit initialised initialised initialised initialised initialised initialised initialised initialised EVP_DecryptInit initialised initialised initialised initialised initialised initialised initialised initialised - decryption decryption decryption decryption decryption decryption decryption decryption + decryption decryption decryption decryption decryption decryption decryption decryption EVP_EncryptInit initialised initialised initialised initialised initialised initialised initialised initialised - encryption encryption encryption encryption encryption encryption encryption encryption + encryption encryption encryption encryption encryption encryption encryption encryption EVP_CipherUpdate updated updated EVP_DecryptUpdate updated updated decryption decryption diff --git a/doc/man7/life_cycle-digest.pod b/doc/man7/life_cycle-digest.pod index 5425f57dd5..709fd0d04c 100644 --- a/doc/man7/life_cycle-digest.pod +++ b/doc/man7/life_cycle-digest.pod @@ -93,7 +93,7 @@ This is the canonical list. Function Call --------------------- Current State ---------------------- start newed initialised updated finaled freed - EVP_MD_CTX_new newed + EVP_MD_CTX_new newed EVP_DigestInit initialised initialised initialised initialised EVP_DigestUpdate updated updated EVP_DigestFinal finaled diff --git a/doc/man7/life_cycle-kdf.pod b/doc/man7/life_cycle-kdf.pod index d2aec8fe82..9fe042a2c2 100644 --- a/doc/man7/life_cycle-kdf.pod +++ b/doc/man7/life_cycle-kdf.pod 
@@ -75,7 +75,7 @@ This is the canonical list. Function Call ------------- Current State ------------- start newed deriving freed - EVP_KDF_CTX_new newed + EVP_KDF_CTX_new newed EVP_KDF_derive deriving deriving EVP_KDF_CTX_free freed freed freed EVP_KDF_CTX_reset newed newed diff --git a/doc/man7/life_cycle-mac.pod b/doc/man7/life_cycle-mac.pod index 1a9a008818..60b8b55d4b 100644 --- a/doc/man7/life_cycle-mac.pod +++ b/doc/man7/life_cycle-mac.pod @@ -94,7 +94,7 @@ This is the canonical list. Function Call --------------------- Current State ---------------------- start newed initialised updated finaled freed - EVP_MAC_CTX_new newed + EVP_MAC_CTX_new newed EVP_MAC_init initialised initialised initialised initialised EVP_MAC_update updated updated EVP_MAC_final finaled diff --git a/doc/man7/life_cycle-rand.pod b/doc/man7/life_cycle-rand.pod index de2dfcb97e..8afb229b58 100644 --- a/doc/man7/life_cycle-rand.pod +++ b/doc/man7/life_cycle-rand.pod @@ -87,7 +87,7 @@ This is the canonical list. Function Call ------------------ Current State ------------------ start newed instantiated uninstantiated freed - EVP_RAND_CTX_new newed + EVP_RAND_CTX_new newed EVP_RAND_instantiate instantiated EVP_RAND_generate instantiated EVP_RAND_uninstantiate uninstantiated diff --git a/doc/man7/migration_guide.pod b/doc/man7/migration_guide.pod index 02d2327ee2..3e4ce9f65a 100644 --- a/doc/man7/migration_guide.pod +++ b/doc/man7/migration_guide.pod @@ -119,7 +119,7 @@ bypass provider selection and configuration, with unintended consequences. This is particularly relevant for applications written to use the OpenSSL 3.0 FIPS module, as detailed below. Authors and maintainers of external engines are strongly encouraged to refactor their code transforming engines into providers -using the new Provider API and avoiding deprecated methods. +using the new Provider API and avoiding deprecated methods. =head3 Versioning Scheme 
@@ -133,7 +133,7 @@ at the end of the release version number. This will no longer be used and instead the patch level is indicated by the final number in the version. A change in the second (MINOR) number indicates that new features may have been added. OpenSSL versions with the same major number are API and ABI compatible. -If the major number changes then API and ABI compatibility is not guaranteed. +If the major number changes then API and ABI compatibility is not guaranteed. For more information, see L. @@ -409,7 +409,7 @@ enable them to be "freed". However they should also be treated as read-only. This may mean result in an error in L rather than during L. -To disable this check use EVP_PKEY_derive_set_peer_ex(dh, peer, 0). +To disable this check use EVP_PKEY_derive_set_peer_ex(dh, peer, 0). =head4 The print format has cosmetic changes for some functions @@ -541,14 +541,14 @@ The code needs to be amended to look like this: Support for TLSv1.3 has been added. -This has a number of implications for SSL/TLS applications. See the +This has a number of implications for SSL/TLS applications. See the L for further details. =back More details about the breaking changes between OpenSSL versions 1.0.2 and 1.1.0 can be found on the -L. +L. =head3 Upgrading from the OpenSSL 2.0 FIPS Object Module @@ -985,7 +985,7 @@ APIs, or alternatively use L or L. Functions that access low-level objects directly such as L are now deprecated. Applications should use one of L, L, l, -L, L or +L, L or L to access fields from an EVP_PKEY. Gettable parameters are listed in L, L, L, 
@@ -1115,7 +1115,7 @@ Bi-directional IGE mode. These modes were never formally standardised and usage of these functions is believed to be very small. In particular AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only one is ever used. The security implications are believed to be minimal, but -this issue was never fixed for backwards compatibility reasons. +this issue was never fixed for backwards compatibility reasons. =item * @@ -1265,7 +1265,7 @@ DES_decrypt3(), DES_ede3_cbc_encrypt(), DES_ede3_cfb64_encrypt(), DES_ede3_cfb_encrypt(),DES_ede3_ofb64_encrypt(), DES_ecb_encrypt(), DES_ecb3_encrypt(), DES_ofb64_encrypt(), DES_ofb_encrypt(), DES_cfb64_encrypt DES_cfb_encrypt(), DES_cbc_encrypt(), DES_ncbc_encrypt(), -DES_pcbc_encrypt(), DES_xcbc_encrypt(), DES_cbc_cksum(), DES_quad_cksum(), +DES_pcbc_encrypt(), DES_xcbc_encrypt(), DES_cbc_cksum(), DES_quad_cksum(), DES_check_key_parity(), DES_is_weak_key(), DES_key_sched(), DES_options(), DES_random_key(), DES_set_key(), DES_set_key_checked(), DES_set_key_unchecked(), DES_set_odd_parity(), DES_string_to_2keys(), DES_string_to_key() @@ -1513,7 +1513,7 @@ EC_KEY_set_flags(), EC_KEY_get_flags(), EC_KEY_clear_flags() See L which handles flags as seperate parameters for B, B, B, -B and +B and B. See also L @@ -1715,7 +1715,7 @@ See L for further details. =item * -EVP_PKEY_encrypt_old(), EVP_PKEY_decrypt_old(), +EVP_PKEY_encrypt_old(), EVP_PKEY_decrypt_old(), Applications should use L and L or L and L instead. @@ -1795,7 +1795,7 @@ See L. i2d_DHparams(), i2d_DHxparams() See L -and L +and L =item * @@ -1804,7 +1804,7 @@ i2d_DSAPrivateKey_fp(), i2d_DSA_PUBKEY(), i2d_DSA_PUBKEY_bio(), i2d_DSA_PUBKEY_fp(), i2d_DSAPublicKey() See L -and L +and L =item * @@ -1813,7 +1813,7 @@ i2d_ECPrivateKey_fp(), i2d_EC_PUBKEY(), i2d_EC_PUBKEY_bio(), i2d_EC_PUBKEY_fp(), i2o_ECPublicKey() See L -and L +and L =item * 
@@ -1822,7 +1822,7 @@ i2d_RSA_PUBKEY(), i2d_RSA_PUBKEY_bio(), i2d_RSA_PUBKEY_fp(), i2d_RSAPublicKey(), i2d_RSAPublicKey_bio(), i2d_RSAPublicKey_fp() See L -and L +and L =item * @@ -2201,7 +2201,7 @@ B<-provider_path> and B<-provider> are available to all apps and can be used multiple times to load any providers, such as the 'legacy' provider or third party providers. If used then the 'default' provider would also need to be specified if required. The B<-provider_path> must be specified before the -B<-provider> option. +B<-provider> option. The B app has many new options. See L for more information. diff --git a/doc/man7/openssl-core.h.pod b/doc/man7/openssl-core.h.pod index 03980a4b56..3d1eca3e64 100644 --- a/doc/man7/openssl-core.h.pod +++ b/doc/man7/openssl-core.h.pod @@ -67,7 +67,7 @@ or canonical name, on a per algorithm implementation basis. This type is a structure that allows passing arbitrary object data between two parties that have no or very little shared knowledge about -their respective internal structures for that object. +their respective internal structures for that object. It's normally passed in arrays, where the array is terminated with an element where all fields are zero (for non-pointers) or NULL (for pointers). diff --git a/doc/man7/openssl-glossary.pod b/doc/man7/openssl-glossary.pod index 16ff2f3176..b112b375ac 100644 --- a/doc/man7/openssl-glossary.pod +++ b/doc/man7/openssl-glossary.pod @@ -132,7 +132,7 @@ L =item Operation -An operation is a group of OpenSSL functions with a common purpose such as +An operation is a group of OpenSSL functions with a common purpose such as encryption, or digesting. L diff --git a/doc/man7/property.pod b/doc/man7/property.pod index 90368b1f8d..a75f262246 100644 --- a/doc/man7/property.pod +++ b/doc/man7/property.pod 
@@ -144,7 +144,7 @@ setting. The lexical syntax in EBNF is given by: - Definition ::= PropertyName ( '=' Value )? + Definition ::= PropertyName ( '=' Value )? ( ',' PropertyName ( '=' Value )? )* Query ::= PropertyQuery ( ',' PropertyQuery )* PropertyQuery ::= '-' PropertyName diff --git a/doc/man7/provider-base.pod b/doc/man7/provider-base.pod index ac197accca..d1e26baa11 100644 --- a/doc/man7/provider-base.pod +++ b/doc/man7/provider-base.pod @@ -443,7 +443,7 @@ different for any third party provider. This returns 0 if the provider has entered an error state, otherwise it returns 1. -=back +=back provider_gettable_params() should return the above parameters. diff --git a/doc/man7/provider-keyexch.pod b/doc/man7/provider-keyexch.pod index ebfcd85153..f85f3cac50 100644 --- a/doc/man7/provider-keyexch.pod +++ b/doc/man7/provider-keyexch.pod @@ -43,7 +43,7 @@ This documentation is primarily aimed at provider authors. See L for further information. The key exchange (OSSL_OP_KEYEXCH) operation enables providers to implement key -exchange algorithms and make them available to applications via +exchange algorithms and make them available to applications via L and other related functions). diff --git a/doc/man7/provider-keymgmt.pod b/doc/man7/provider-keymgmt.pod index 25b822b47d..b0397b4103 100644 --- a/doc/man7/provider-keymgmt.pod +++ b/doc/man7/provider-keymgmt.pod @@ -237,7 +237,7 @@ OSSL_FUNC_keymgmt_gen_set_params() should set additional parameters from I in the key object generation context I. OSSL_FUNC_keymgmt_gen_settable_params() should return a constant array of -descriptor B, for parameters that OSSL_FUNC_keymgmt_gen_set_params() +descriptor B, for parameters that OSSL_FUNC_keymgmt_gen_set_params() can handle. OSSL_FUNC_keymgmt_gen() should perform the key object generation itself, and 
@@ -255,7 +255,7 @@ Outside the provider, this reference is simply an array of bytes. At least one of OSSL_FUNC_keymgmt_new(), OSSL_FUNC_keymgmt_gen() and OSSL_FUNC_keymgmt_load() are mandatory, as well as OSSL_FUNC_keymgmt_free() and -OSSL_FUNC_keymgmt_has(). Additionally, if OSSL_FUNC_keymgmt_gen() is present, +OSSL_FUNC_keymgmt_has(). Additionally, if OSSL_FUNC_keymgmt_gen() is present, OSSL_FUNC_keymgmt_gen_init() and OSSL_FUNC_keymgmt_gen_cleanup() must be present as well. diff --git a/doc/man7/provider-signature.pod b/doc/man7/provider-signature.pod index 9cb3a620c3..a299d43cc5 100644 --- a/doc/man7/provider-signature.pod +++ b/doc/man7/provider-signature.pod @@ -371,7 +371,7 @@ Sets a flag to modify the sign operation to return an error if the initial calculated signature is invalid. In the normal mode of operation - new random values are chosen until the signature operation succeeds. -By default it retries until a signature is calculated. +By default it retries until a signature is calculated. Setting the value to 0 causes the sign operation to retry, otherwise the sign operation is only tried once and returns whether or not it was successful. diff --git a/doc/man7/proxy-certificates.pod b/doc/man7/proxy-certificates.pod index 395fab86e5..89cd3eea80 100644 --- a/doc/man7/proxy-certificates.pod +++ b/doc/man7/proxy-certificates.pod @@ -215,7 +215,7 @@ The following skeleton code can be used as a starting point: * bottom. You get the CA root first, followed by the * possible chain of intermediate CAs, followed by the EE * certificate, followed by the possible proxy - * certificates. + * certificates. */ X509 *xs = X509_STORE_CTX_get_current_cert(ctx); 
@@ -234,7 +234,7 @@ The following skeleton code can be used as a starting point: * by pulling them from some database. If there * are none to be found, clear all rights (making * this and any subsequent proxy certificate void - * of any rights). + * of any rights). */ memset(rights->rights, 0, sizeof(rights->rights)); break; From pauli at openssl.org Wed Sep 22 06:23:42 2021 
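Review bot: the rewritten line in the doc/man3/PKCS12_decrypt_skey.pod hunk (@@ -21,7 +21,7) still ends in "library contex". The line is already being touched to drop the trailing space, so correct it to "library context" in the same change rather than leaving the typo for a follow-up.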
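Review bot: in the doc/man7/EVP_PKEY-EC.pod hunk (@@ -71,7 +71,7), the context line directly above the changed line reads "Gets a flag indicating wether the key or parameters were decoded from explicit". Suggest fixing "wether" to "whether" while this paragraph is open, since the two lines form one sentence in the rendered "decoded-from-explicit" entry.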
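Review bot: the deprecated-function list in the doc/man7/migration_guide.pod hunk at @@ -1265,7 has two formatting defects in its unchanged context lines that this whitespace pass leaves in place: "DES_cfb64_encrypt DES_cfb_encrypt()" is missing the "()," after the first name, and "DES_ede3_cfb_encrypt(),DES_ede3_ofb64_encrypt()" is missing the space after the comma. Readers search this list for exact function names when migrating off the low-level DES API, so it is worth normalising the separators here.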
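Review bot: in the doc/man7/provider-keyexch.pod hunk (@@ -43,7 +43,7), the sentence that the changed line belongs to ends with "and other related functions)." but no opening parenthesis appears in the visible lines. Either drop the stray ")" or restore the opening one, so the sentence reads cleanly once the trailing whitespace is gone.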
From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 22 Sep 2021 06:23:42 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1632291822.430613.28442.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via c9fb4c816b6648eccb31ebe84871d50dbfc87b3a (commit) from c84f7c4c22828574885916479885ede6b32ba473 (commit) - Log ----------------------------------------------------------------- commit c9fb4c816b6648eccb31ebe84871d50dbfc87b3a Author: Pauli Date: Tue Sep 21 10:59:56 2021 +1000 doc: remove end of line whitespace Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16641) (cherry picked from commit 57cd10dd1ee9659b94cfa8a8e74c5a151632975e) ----------------------------------------------------------------------- Summary of changes: doc/build.info.in | 2 +- doc/internal/man3/OPTIONS.pod | 2 +- doc/internal/man3/cms_add1_signing_cert.pod | 2 +- doc/internal/man3/evp_generic_fetch.pod | 2 +- doc/internal/man3/ossl_lib_ctx_get_data.pod | 2 +- doc/internal/man3/ossl_provider_new.pod | 2 +- doc/internal/man7/DERlib.pod | 2 +- doc/internal/man7/build.info.pod | 2 +- doc/life-cycles/digest.dot | 2 +- doc/life-cycles/kdf.dot | 2 +- doc/life-cycles/mac.dot | 2 +- doc/life-cycles/rand.dot | 2 +- doc/man1/openssl-cmp.pod.in | 2 +- doc/man3/CMS_add1_recipient_cert.pod | 2 +- doc/man3/CMS_get0_RecipientInfos.pod | 2 +- doc/man3/CMS_verify.pod | 2 +- doc/man3/CRYPTO_get_ex_new_index.pod | 2 +- doc/man3/ERR_get_error.pod | 4 ++-- doc/man3/ERR_put_error.pod | 2 +- doc/man3/EVP_EncryptInit.pod | 2 +- doc/man3/EVP_PKEY_copy_parameters.pod | 2 +- doc/man3/EVP_PKEY_encapsulate.pod | 2 +- doc/man3/EVP_PKEY_encrypt.pod | 2 +- doc/man3/EVP_PKEY_fromdata.pod | 2 +- doc/man3/OSSL_CMP_SRV_CTX_new.pod | 2 +- doc/man3/OSSL_DECODER_CTX.pod | 2 +- doc/man3/PKCS12_SAFEBAG_create_cert.pod | 4 ++-- doc/man3/PKCS12_SAFEBAG_get0_attrs.pod | 6 +++--- doc/man3/PKCS12_SAFEBAG_get1_cert.pod | 2 +- doc/man3/PKCS12_decrypt_skey.pod | 2 +- 
doc/man3/SSL_set_async_callback.pod | 2 +- doc/man3/SSL_set_bio.pod | 2 +- doc/man3/X509_get0_signature.pod | 4 ++-- doc/man3/d2i_RSAPrivateKey.pod | 14 +++++++------- doc/man5/x509v3_config.pod | 4 ++-- doc/man7/EVP_KEYEXCH-ECDH.pod | 2 +- doc/man7/EVP_PKEY-DH.pod | 2 +- doc/man7/EVP_PKEY-EC.pod | 2 +- doc/man7/EVP_PKEY-FFC.pod | 2 +- doc/man7/EVP_SIGNATURE-DSA.pod | 2 +- doc/man7/EVP_SIGNATURE-ECDSA.pod | 2 +- doc/man7/EVP_SIGNATURE-RSA.pod | 6 +++--- doc/man7/OSSL_PROVIDER-FIPS.pod | 4 ++-- doc/man7/bio.pod | 2 +- doc/man7/life_cycle-cipher.pod | 6 +++--- doc/man7/life_cycle-digest.pod | 2 +- doc/man7/life_cycle-kdf.pod | 2 +- doc/man7/life_cycle-mac.pod | 2 +- doc/man7/life_cycle-rand.pod | 2 +- doc/man7/migration_guide.pod | 30 ++++++++++++++--------------- doc/man7/openssl-core.h.pod | 2 +- doc/man7/openssl-glossary.pod | 2 +- doc/man7/property.pod | 2 +- doc/man7/provider-base.pod | 2 +- doc/man7/provider-keyexch.pod | 2 +- doc/man7/provider-keymgmt.pod | 4 ++-- doc/man7/provider-signature.pod | 2 +- doc/man7/proxy-certificates.pod | 4 ++-- 58 files changed, 91 insertions(+), 91 deletions(-) diff --git a/doc/build.info.in b/doc/build.info.in index fa1962f382..e8dae7058a 100644 --- a/doc/build.info.in +++ b/doc/build.info.in @@ -14,7 +14,7 @@ SUBDIRS = man1 map { $_ => 1 } glob catfile($sourcedir, "man$section", "img", "*.png"); my %podfiles = map { $_ => 1 } glob catfile($sourcedir, "man$section", "*.pod"); - my %podinfiles = + my %podinfiles = map { $_ => 1 } glob catfile($sourcedir, "man$section", "*.pod.in"); foreach (keys %podinfiles) { diff --git a/doc/internal/man3/OPTIONS.pod b/doc/internal/man3/OPTIONS.pod index 1971c76241..90593ca46f 100644 --- a/doc/internal/man3/OPTIONS.pod +++ b/doc/internal/man3/OPTIONS.pod 
@@ -189,7 +189,7 @@ B macro: OPT_PARAMETERS() {OPT_PARAM_STR, 1, '-', "Parameters:\n"} -Every "option" after after this should contain the parameter and +Every "option" after after this should contain the parameter and the help string: {"text", 0, 0, "Words to display (optional)"}, diff --git a/doc/internal/man3/cms_add1_signing_cert.pod b/doc/internal/man3/cms_add1_signing_cert.pod index 97c5a5111d..1f5f681c64 100644 --- a/doc/internal/man3/cms_add1_signing_cert.pod +++ b/doc/internal/man3/cms_add1_signing_cert.pod @@ -31,7 +31,7 @@ For a fuller description see L). =head1 RETURN VALUES -cms_add1_signing_cert() and cms_add1_signing_cert_v2() return 1 if attribute +cms_add1_signing_cert() and cms_add1_signing_cert_v2() return 1 if attribute is added or 0 if an error occurred. =head1 COPYRIGHT diff --git a/doc/internal/man3/evp_generic_fetch.pod b/doc/internal/man3/evp_generic_fetch.pod index 243f6c952f..bc9a3a0770 100644 --- a/doc/internal/man3/evp_generic_fetch.pod +++ b/doc/internal/man3/evp_generic_fetch.pod @@ -37,7 +37,7 @@ I, I, I, and I and uses it to create an EVP method with the help of the functions I, I, and I. -evp_generic_fetch_by_number() does the same thing as evp_generic_fetch(), +evp_generic_fetch_by_number() does the same thing as evp_generic_fetch(), but takes a numeric I instead of a name. I must always be nonzero; as a matter of fact, it being zero is considered a programming error. diff --git a/doc/internal/man3/ossl_lib_ctx_get_data.pod b/doc/internal/man3/ossl_lib_ctx_get_data.pod index 2050a2506b..faedf7275f 100644 --- a/doc/internal/man3/ossl_lib_ctx_get_data.pod +++ b/doc/internal/man3/ossl_lib_ctx_get_data.pod 
@@ -91,7 +91,7 @@ and a destructor to an index. } /* - * Include a reference to this in the methods table in context.c + * Include a reference to this in the methods table in context.c * OSSL_LIB_CTX_FOO_INDEX should be added to internal/cryptlib.h * Priorities can be OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, * OSSL_LIB_CTX_METHOD_PRIORITY_1, OSSL_LIB_CTX_METHOD_PRIORITY_2, etc. diff --git a/doc/internal/man3/ossl_provider_new.pod b/doc/internal/man3/ossl_provider_new.pod index 09b2e04117..10d197bcfc 100644 --- a/doc/internal/man3/ossl_provider_new.pod +++ b/doc/internal/man3/ossl_provider_new.pod @@ -296,7 +296,7 @@ in a bitstring that's internal to I. ossl_provider_test_operation_bit() checks if the bit operation I is set (1) or not (0) in the internal I bitstring, and sets -I<*result> to 1 or 0 accorddingly. +I<*result> to 1 or 0 accorddingly. ossl_provider_clear_all_operation_bits() clears all of the operation bits to (0) for all providers in the library context I. diff --git a/doc/internal/man7/DERlib.pod b/doc/internal/man7/DERlib.pod index 7085a2cb6d..3129a9b74d 100644 --- a/doc/internal/man7/DERlib.pod +++ b/doc/internal/man7/DERlib.pod @@ -81,7 +81,7 @@ As a reminder, the AlgorithmIdentifier is specified like this: -- From RFC 3280, section 4.1.1.2 AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, - parameters ANY DEFINED BY algorithm OPTIONAL } + parameters ANY DEFINED BY algorithm OPTIONAL } And the RSASSA-PSS OID and parameters are specified like this: diff --git a/doc/internal/man7/build.info.pod b/doc/internal/man7/build.info.pod index 8c651b37e6..080c9e444e 100644 --- a/doc/internal/man7/build.info.pod +++ b/doc/internal/man7/build.info.pod 
@@ -574,7 +574,7 @@ appear in a linking command line (because of recursive dependencies through other libraries), they will be ordered in such a way that this dependency is maintained: - DEPEND[libfoo.a]{weak}=libfoo.a libcookie.a + DEPEND[libfoo.a]{weak}=libfoo.a libcookie.a This is useful in complex dependency trees where two libraries can be used as alternatives for each other. In this example, C and diff --git a/doc/life-cycles/digest.dot b/doc/life-cycles/digest.dot index 4ad7f79e45..8d4d72480c 100644 --- a/doc/life-cycles/digest.dot +++ b/doc/life-cycles/digest.dot @@ -30,4 +30,4 @@ digraph digest { finaled -> initialised [label="EVP_DigestInit", style=dashed, color="#034f84", fontcolor="#034f84"]; } - + diff --git a/doc/life-cycles/kdf.dot b/doc/life-cycles/kdf.dot index b0e925685d..2dce34377d 100644 --- a/doc/life-cycles/kdf.dot +++ b/doc/life-cycles/kdf.dot @@ -13,4 +13,4 @@ strict digraph kdf { deriving -> newed [label="EVP_KDF_CTX_reset", style=dashed, color="#034f84", fontcolor="#034f84"]; } - + diff --git a/doc/life-cycles/mac.dot b/doc/life-cycles/mac.dot index c841c5f218..fe277f8328 100644 --- a/doc/life-cycles/mac.dot +++ b/doc/life-cycles/mac.dot @@ -25,4 +25,4 @@ digraph mac { finaled -> initialised [label="EVP_MAC_init", style=dashed, color="#034f84", fontcolor="#034f84"]; } - + diff --git a/doc/life-cycles/rand.dot b/doc/life-cycles/rand.dot index df740b7a9b..a57cf710c7 100644 --- a/doc/life-cycles/rand.dot +++ b/doc/life-cycles/rand.dot @@ -14,4 +14,4 @@ strict digraph rand { uninstantiated -> end [label="EVP_RAND_CTX_free"]; uninstantiated -> instantiated [label="EVP_RAND_instantiate", style=dashed, color="#034f84", fontcolor="#034f84"]; } - + diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 0e482677a0..b4c3c82255 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in 
@@ -835,7 +835,7 @@ have no effect on the certificate verification enabled via this option. =item B<-tls_host> I -Address to be checked during hostname validation. +Address to be checked during hostname validation. This may be a DNS name or an IP address. If not given it defaults to the B<-server> address. diff --git a/doc/man3/CMS_add1_recipient_cert.pod b/doc/man3/CMS_add1_recipient_cert.pod index 34d1e0ee36..0855d5321b 100644 --- a/doc/man3/CMS_add1_recipient_cert.pod +++ b/doc/man3/CMS_add1_recipient_cert.pod @@ -9,7 +9,7 @@ CMS_add1_recipient, CMS_add1_recipient_cert, CMS_add0_recipient_key - add recipi #include CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip, - EVP_PKEY *originatorPrivKey, + EVP_PKEY *originatorPrivKey, X509 *originator, unsigned int flags); CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms, diff --git a/doc/man3/CMS_get0_RecipientInfos.pod b/doc/man3/CMS_get0_RecipientInfos.pod index c6354381fc..eb755f5243 100644 --- a/doc/man3/CMS_get0_RecipientInfos.pod +++ b/doc/man3/CMS_get0_RecipientInfos.pod @@ -140,7 +140,7 @@ L, L =head1 HISTORY -B and B +B and B were added in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man3/CMS_verify.pod b/doc/man3/CMS_verify.pod index 33130bc9f2..6c9595e51e 100644 --- a/doc/man3/CMS_verify.pod +++ b/doc/man3/CMS_verify.pod @@ -71,7 +71,7 @@ verified, unless CMS_CADES flag is also set. If B is set the signed attributes signature is not verified, unless CMS_CADES flag is also set. -If B is set, each signer certificate is checked against the +If B is set, each signer certificate is checked against the ESS signingCertificate or ESS signingCertificateV2 extension that is required in the signed attributes of the signature. diff --git a/doc/man3/CRYPTO_get_ex_new_index.pod b/doc/man3/CRYPTO_get_ex_new_index.pod index 7a8ebdf1d9..86b3745d8d 100644 --- a/doc/man3/CRYPTO_get_ex_new_index.pod +++ b/doc/man3/CRYPTO_get_ex_new_index.pod 
@@ -152,7 +152,7 @@ will fail. CRYPTO_get_ex_new_index() returns a new index or -1 on failure. CRYPTO_free_ex_index(), CRYPTO_alloc_ex_data() and CRYPTO_set_ex_data() -return 1 on success or 0 on failure. +return 1 on success or 0 on failure. CRYPTO_get_ex_data() returns the application data or NULL on failure; note that NULL may be a valid value. diff --git a/doc/man3/ERR_get_error.pod b/doc/man3/ERR_get_error.pod index 4e33378cf3..fb02a3ca07 100644 --- a/doc/man3/ERR_get_error.pod +++ b/doc/man3/ERR_get_error.pod @@ -78,14 +78,14 @@ is valid until the respective entry is overwritten in the error queue. ERR_peek_error_line() and ERR_peek_last_error_line() are the same as ERR_peek_error() and ERR_peek_last_error(), but on success they additionally store the filename and line number where the error occurred in *I and -*I, as far as they are not NULL. +*I, as far as they are not NULL. An unset filename is indicated as "", i.e., an empty string. An unset line number is indicated as 0. ERR_peek_error_func() and ERR_peek_last_error_func() are the same as ERR_peek_error() and ERR_peek_last_error(), but on success they additionally store the name of the function where the error occurred in *I, unless -it is NULL. +it is NULL. An unset function name is indicated as "". ERR_peek_error_data() and ERR_peek_last_error_data() are the same as diff --git a/doc/man3/ERR_put_error.pod b/doc/man3/ERR_put_error.pod index a4e0cd6bec..06e728bb82 100644 --- a/doc/man3/ERR_put_error.pod +++ b/doc/man3/ERR_put_error.pod @@ -35,7 +35,7 @@ record. ERR_raise_data() does the same thing as ERR_raise(), but also lets the caller specify additional information as a format string B and an -arbitrary number of values, which are processed with L. +arbitrary number of values, which are processed with L. ERR_put_error() adds an error code to the thread's error queue. It signals that the error of reason code B occurred in function 
diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod index 62d9047dce..93b4f2c383 100644 --- a/doc/man3/EVP_EncryptInit.pod +++ b/doc/man3/EVP_EncryptInit.pod @@ -1330,7 +1330,7 @@ Sets the CCM B value. If not set a default is used (8 for AES). =item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL) -Sets the CCM nonce (IV) length. This call can only be made before specifying a +Sets the CCM nonce (IV) length. This call can only be made before specifying a nonce value. The nonce length is given by B<15 - L> so it is 7 by default for AES. diff --git a/doc/man3/EVP_PKEY_copy_parameters.pod b/doc/man3/EVP_PKEY_copy_parameters.pod index 1ca38f8ae9..7c3404403e 100644 --- a/doc/man3/EVP_PKEY_copy_parameters.pod +++ b/doc/man3/EVP_PKEY_copy_parameters.pod @@ -64,7 +64,7 @@ doesn't use parameters. These functions EVP_PKEY_copy_parameters() returns 1 for success and 0 for failure. -The functions EVP_PKEY_cmp_parameters(), EVP_PKEY_parameters_eq(), +The functions EVP_PKEY_cmp_parameters(), EVP_PKEY_parameters_eq(), EVP_PKEY_cmp() and EVP_PKEY_eq() return 1 if their inputs match, 0 if they don't match, -1 if the key types are different and -2 if the operation is not supported. diff --git a/doc/man3/EVP_PKEY_encapsulate.pod b/doc/man3/EVP_PKEY_encapsulate.pod index 22b0aaed6f..9baf88d07b 100644 --- a/doc/man3/EVP_PKEY_encapsulate.pod +++ b/doc/man3/EVP_PKEY_encapsulate.pod @@ -75,7 +75,7 @@ Encapsulate an RSASVE key (for RSA keys). /* * The generated 'secret' can be used as key material. * The encapsulated 'out' can be sent to another party who can - * decapsulate it using their private key to retrieve the 'secret'. + * decapsulate it using their private key to retrieve the 'secret'. */ if (EVP_PKEY_encapsulate(ctx, out, &outlen, secret, &secretlen) <= 0) /* Error */ diff --git a/doc/man3/EVP_PKEY_encrypt.pod b/doc/man3/EVP_PKEY_encrypt.pod index e574efa73a..9ff6ed6cae 100644 --- a/doc/man3/EVP_PKEY_encrypt.pod 
+++ b/doc/man3/EVP_PKEY_encrypt.pod @@ -2,7 +2,7 @@ =head1 NAME -EVP_PKEY_encrypt_init_ex, +EVP_PKEY_encrypt_init_ex, EVP_PKEY_encrypt_init, EVP_PKEY_encrypt - encrypt using a public key algorithm =head1 SYNOPSIS diff --git a/doc/man3/EVP_PKEY_fromdata.pod b/doc/man3/EVP_PKEY_fromdata.pod index 107ebf82a0..b968150bb6 100644 --- a/doc/man3/EVP_PKEY_fromdata.pod +++ b/doc/man3/EVP_PKEY_fromdata.pod @@ -80,7 +80,7 @@ public key and key parameters. These functions only work with key management methods coming from a provider. This is the mirror function to L. -=for comment We may choose to make this available for legacy methods too... +=for comment We may choose to make this available for legacy methods too... =head1 RETURN VALUES diff --git a/doc/man3/OSSL_CMP_SRV_CTX_new.pod b/doc/man3/OSSL_CMP_SRV_CTX_new.pod index bad043cb92..d7f1a2e4db 100644 --- a/doc/man3/OSSL_CMP_SRV_CTX_new.pod +++ b/doc/man3/OSSL_CMP_SRV_CTX_new.pod @@ -100,7 +100,7 @@ in the same way as L. The B must be set as I of I. OSSL_CMP_SRV_CTX_new() creates and initializes an B structure -associated with the library context I and property query string +associated with the library context I and property query string I, both of which may be NULL to select the defaults. OSSL_CMP_SRV_CTX_free() deletes the given I. diff --git a/doc/man3/OSSL_DECODER_CTX.pod b/doc/man3/OSSL_DECODER_CTX.pod index aa5dc90893..0c9db4e087 100644 --- a/doc/man3/OSSL_DECODER_CTX.pod +++ b/doc/man3/OSSL_DECODER_CTX.pod @@ -159,7 +159,7 @@ OSSL_DECODER_CTX_set_cleanup() respectively. OSSL_DECODER_export() is a fallback function for constructors that cannot use the data they get directly for diverse reasons. It takes the same -decode instance I that the constructor got and an object +decode instance I that the constructor got and an object I, unpacks the object which it refers to, and exports it by creating an L array that it then passes to I, along with I. 
diff --git a/doc/man3/PKCS12_SAFEBAG_create_cert.pod b/doc/man3/PKCS12_SAFEBAG_create_cert.pod index 07ba1425e7..ef161f01ba 100644 --- a/doc/man3/PKCS12_SAFEBAG_create_cert.pod +++ b/doc/man3/PKCS12_SAFEBAG_create_cert.pod @@ -3,7 +3,7 @@ =head1 NAME PKCS12_SAFEBAG_create_cert, PKCS12_SAFEBAG_create_crl, -PKCS12_SAFEBAG_create_secret, PKCS12_SAFEBAG_create0_p8inf, +PKCS12_SAFEBAG_create_secret, PKCS12_SAFEBAG_create0_p8inf, PKCS12_SAFEBAG_create0_pkcs8, PKCS12_SAFEBAG_create_pkcs8_encrypt, PKCS12_SAFEBAG_create_pkcs8_encrypt_ex - Create PKCS#12 safeBag objects @@ -52,7 +52,7 @@ containing the supplied PKCS8 structure. PKCS12_SAFEBAG_create0_pkcs8() creates a new B of type B containing the supplied PKCS8 structure. -PKCS12_SAFEBAG_create_pkcs8_encrypt() creates a new B of type +PKCS12_SAFEBAG_create_pkcs8_encrypt() creates a new B of type B by encrypting the supplied PKCS8 I. If I is 0, a default encryption algorithm is used. I is the passphrase and I is the iteration count. If I is zero then a default diff --git a/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod b/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod index c1544bc0e7..8ed67fbdf7 100644 --- a/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod +++ b/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod @@ -16,7 +16,7 @@ PKCS12_SAFEBAG_get0_attrs, PKCS12_get_attr_gen =head1 DESCRIPTION -PKCS12_SAFEBAG_get0_attrs() retrieves the stack of Bs from a +PKCS12_SAFEBAG_get0_attrs() retrieves the stack of Bs from a PKCS#12 safeBag. I is the B to retrieve the attributes from. PKCS12_get_attr_gen() retrieves an attribute by NID from a stack of 
@@ -24,10 +24,10 @@ Bs. I is the NID of the attribute to retrieve. =head1 RETURN VALUES -PKCS12_SAFEBAG_get0_attrs() returns the stack of Bs from a +PKCS12_SAFEBAG_get0_attrs() returns the stack of Bs from a PKCS#12 safeBag, which could be empty. -PKCS12_get_attr_gen() returns an B object containing the attribute, +PKCS12_get_attr_gen() returns an B object containing the attribute, or NULL if the attribute was either not present or an error occurred. PKCS12_get_attr_gen() does not allocate a new attribute. The returned attribute diff --git a/doc/man3/PKCS12_SAFEBAG_get1_cert.pod b/doc/man3/PKCS12_SAFEBAG_get1_cert.pod index b89b17eeaf..13f1263fe6 100644 --- a/doc/man3/PKCS12_SAFEBAG_get1_cert.pod +++ b/doc/man3/PKCS12_SAFEBAG_get1_cert.pod @@ -48,7 +48,7 @@ PKCS12_SAFEBAG_get0_p8inf() and PKCS12_SAFEBAG_get0_pkcs8() return the PKCS8 obj from a PKCS8shroudedKeyBag or a keyBag. PKCS12_SAFEBAG_get0_safes() retrieves the set of B contained within a -safeContentsBag. +safeContentsBag. =head1 RETURN VALUES diff --git a/doc/man3/PKCS12_decrypt_skey.pod b/doc/man3/PKCS12_decrypt_skey.pod index a376ddc502..7a41b2b06c 100644 --- a/doc/man3/PKCS12_decrypt_skey.pod +++ b/doc/man3/PKCS12_decrypt_skey.pod @@ -21,7 +21,7 @@ decrypt functions PKCS12_decrypt_skey() Decrypt the PKCS#8 shrouded keybag contained within I using the supplied password I of length I. -PKCS12_decrypt_skey_ex() is similar to the above but allows for a library contex +PKCS12_decrypt_skey_ex() is similar to the above but allows for a library contex I and property query I to be used to select algorithm implementations. =head1 RETURN VALUES diff --git a/doc/man3/SSL_set_async_callback.pod b/doc/man3/SSL_set_async_callback.pod index 9de735f8fc..db858a00ce 100644 --- a/doc/man3/SSL_set_async_callback.pod +++ b/doc/man3/SSL_set_async_callback.pod 
@@ -55,7 +55,7 @@ An example of the above functions would be the following: =item 1. -Application sets the async callback and callback data on an SSL connection +Application sets the async callback and callback data on an SSL connection by calling SSL_set_async_callback(). =item 2. diff --git a/doc/man3/SSL_set_bio.pod b/doc/man3/SSL_set_bio.pod index d88e6836b8..44c69ef21e 100644 --- a/doc/man3/SSL_set_bio.pod +++ b/doc/man3/SSL_set_bio.pod @@ -78,7 +78,7 @@ and no references are consumed for the B. If the B and B parameters are different and the B is the same as the previously set value and the old B and B values were different -to each other, then one reference is consumed for the B and one +to each other, then one reference is consumed for the B and one reference is consumed for the B. =back diff --git a/doc/man3/X509_get0_signature.pod b/doc/man3/X509_get0_signature.pod index 0d251a0012..a49a70038e 100644 --- a/doc/man3/X509_get0_signature.pod +++ b/doc/man3/X509_get0_signature.pod @@ -3,8 +3,8 @@ =head1 NAME X509_get0_signature, X509_REQ_set0_signature, X509_REQ_set1_signature_algo, -X509_get_signature_nid, X509_get0_tbs_sigalg, X509_REQ_get0_signature, -X509_REQ_get_signature_nid, X509_CRL_get0_signature, X509_CRL_get_signature_nid, +X509_get_signature_nid, X509_get0_tbs_sigalg, X509_REQ_get0_signature, +X509_REQ_get_signature_nid, X509_CRL_get0_signature, X509_CRL_get_signature_nid, X509_get_signature_info, X509_SIG_INFO_get, X509_SIG_INFO_set - signature information =head1 SYNOPSIS diff --git a/doc/man3/d2i_RSAPrivateKey.pod b/doc/man3/d2i_RSAPrivateKey.pod index 20cdfb1fcb..2e22049ffb 100644 --- a/doc/man3/d2i_RSAPrivateKey.pod +++ b/doc/man3/d2i_RSAPrivateKey.pod 
@@ -172,13 +172,13 @@ There are two migration paths: =item * Replace -bPrivateKey()> with L, -bPublicKey()> with L, -bparams()> with L, -b_PUBKEY()> with L, -bPrivateKey()> with L, -bPublicKey()> with L, -bparams()> with L, +bPrivateKey()> with L, +bPublicKey()> with L, +bparams()> with L, +b_PUBKEY()> with L, +bPrivateKey()> with L, +bPublicKey()> with L, +bparams()> with L, b_PUBKEY()> with L. A caveat is that L may output a DER encoded PKCS#8 outermost structure instead of the type specific structure, and that diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod index fb7c3aaff7..1d4c4dc3ae 100644 --- a/doc/man5/x509v3_config.pod +++ b/doc/man5/x509v3_config.pod @@ -289,8 +289,8 @@ B, where B is an object identifier syntax as subject alternative name (except that B is not supported). Possible values for access_id include B (OCSP responder), -B (CA Issuers), -B (AD Time Stamping), +B (CA Issuers), +B (AD Time Stamping), B (ad dvcs), B (CA Repository). diff --git a/doc/man7/EVP_KEYEXCH-ECDH.pod b/doc/man7/EVP_KEYEXCH-ECDH.pod index 95076b1ebd..a710625f22 100644 --- a/doc/man7/EVP_KEYEXCH-ECDH.pod +++ b/doc/man7/EVP_KEYEXCH-ECDH.pod @@ -74,7 +74,7 @@ Keys for the host and peer must be generated as shown in L using the same curve name. The code to generate a shared secret for the normal case is identical to -L. +L. To derive a shared secret on the host using the host's key and the peer's public key but also using X963KDF with a user key material: diff --git a/doc/man7/EVP_PKEY-DH.pod b/doc/man7/EVP_PKEY-DH.pod index 9da5d9c6ef..2c90982d07 100644 --- a/doc/man7/EVP_PKEY-DH.pod +++ b/doc/man7/EVP_PKEY-DH.pod 
@@ -74,7 +74,7 @@ See EVP_PKEY_set1_encoded_public_key() and EVP_PKEY_get1_encoded_public_key(). Used for DH generation of safe primes using the old safe prime generator code. The default value is 2. It is recommended to use a named safe prime group instead, if domain parameter -validation is required. +validation is required. Randomly generated safe primes are not allowed by FIPS, so setting this value for the OpenSSL FIPS provider will instead choose a named safe prime group diff --git a/doc/man7/EVP_PKEY-EC.pod b/doc/man7/EVP_PKEY-EC.pod index 31d92bf8a1..a3c3ccb705 100644 --- a/doc/man7/EVP_PKEY-EC.pod +++ b/doc/man7/EVP_PKEY-EC.pod @@ -71,7 +71,7 @@ I multiplied by the I gives the number of points on the curve. =item "decoded-from-explicit" (B) Gets a flag indicating wether the key or parameters were decoded from explicit -curve parameters. Set to 1 if so or 0 if a named curve was used. +curve parameters. Set to 1 if so or 0 if a named curve was used. =item "use-cofactor-flag" (B) diff --git a/doc/man7/EVP_PKEY-FFC.pod b/doc/man7/EVP_PKEY-FFC.pod index 3ab243f45a..dab7380fc2 100644 --- a/doc/man7/EVP_PKEY-FFC.pod +++ b/doc/man7/EVP_PKEY-FFC.pod @@ -92,7 +92,7 @@ of I

    . This value must be saved if domain parameter validation is required. =item "hindex" (B) -For unverifiable generation of the generator I this value is output during +For unverifiable generation of the generator I this value is output during generation of I. Its value is the first integer larger than one that satisfies g = h^j mod p (where g != 1 and "j" is the cofactor). diff --git a/doc/man7/EVP_SIGNATURE-DSA.pod b/doc/man7/EVP_SIGNATURE-DSA.pod index 11fe500cb3..4801cf9994 100644 --- a/doc/man7/EVP_SIGNATURE-DSA.pod +++ b/doc/man7/EVP_SIGNATURE-DSA.pod @@ -14,7 +14,7 @@ See L for information related to DSA keys. The following signature parameters can be set using EVP_PKEY_CTX_set_params(). This may be called after EVP_PKEY_sign_init() or EVP_PKEY_verify_init(), -and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). +and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). =over 4 diff --git a/doc/man7/EVP_SIGNATURE-ECDSA.pod b/doc/man7/EVP_SIGNATURE-ECDSA.pod index 04b80a1118..0ac3f78461 100644 --- a/doc/man7/EVP_SIGNATURE-ECDSA.pod +++ b/doc/man7/EVP_SIGNATURE-ECDSA.pod @@ -13,7 +13,7 @@ See L for information related to EC keys. The following signature parameters can be set using EVP_PKEY_CTX_set_params(). This may be called after EVP_PKEY_sign_init() or EVP_PKEY_verify_init(), -and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). +and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). =over 4 diff --git a/doc/man7/EVP_SIGNATURE-RSA.pod b/doc/man7/EVP_SIGNATURE-RSA.pod index 1be30b3158..06ca036f0c 100644 --- a/doc/man7/EVP_SIGNATURE-RSA.pod +++ b/doc/man7/EVP_SIGNATURE-RSA.pod @@ -14,7 +14,7 @@ See L for information related to RSA keys. The following signature parameters can be set using EVP_PKEY_CTX_set_params(). This may be called after EVP_PKEY_sign_init() or EVP_PKEY_verify_init(), -and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). +and before calling EVP_PKEY_sign() or EVP_PKEY_verify(). =over 4 
@@ -32,11 +32,11 @@ The type of padding to be used. Its value can be one of the following: =item "none" (B) -=item "pkcs1" (B) +=item "pkcs1" (B) =item "x931" (B) -=item "pss" (B) +=item "pss" (B) =back diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod index 0eac85b324..00ab7977f4 100644 --- a/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/doc/man7/OSSL_PROVIDER-FIPS.pod @@ -6,7 +6,7 @@ OSSL_PROVIDER-FIPS - OpenSSL FIPS provider =head1 DESCRIPTION -The OpenSSL FIPS provider is a special provider that conforms to the Federal +The OpenSSL FIPS provider is a special provider that conforms to the Federal Information Processing Standards (FIPS) specified in FIPS 140-2. This 'module' contains an approved set of cryptographic algorithms that is validated by an accredited testing laboratory. @@ -214,7 +214,7 @@ Known answer test for a digest. Known answer test for a signature. -=item "PCT_Signature" (B) +=item "PCT_Signature" (B) Pairwise Consistency check for a signature. diff --git a/doc/man7/bio.pod b/doc/man7/bio.pod index e2c11665b9..9b86e9493d 100644 --- a/doc/man7/bio.pod +++ b/doc/man7/bio.pod @@ -49,7 +49,7 @@ BIO_free() on it other than the discarded return value. Normally the I argument is supplied by a function which returns a pointer to a BIO_METHOD. There is a naming convention for such functions: -a source/sink BIO typically starts with I and +a source/sink BIO typically starts with I and a filter BIO with I. =head1 EXAMPLES diff --git a/doc/man7/life_cycle-cipher.pod b/doc/man7/life_cycle-cipher.pod index 227cc18b8d..1fe05688ed 100644 --- a/doc/man7/life_cycle-cipher.pod +++ b/doc/man7/life_cycle-cipher.pod 
@@ -126,12 +126,12 @@ This is the canonical list. Function Call ---------------------------------------------- Current State ----------------------------------------------- start newed initialised updated finaled initialised updated initialised updated freed decryption decryption encryption encryption - EVP_CIPHER_CTX_new newed + EVP_CIPHER_CTX_new newed EVP_CipherInit initialised initialised initialised initialised initialised initialised initialised initialised EVP_DecryptInit initialised initialised initialised initialised initialised initialised initialised initialised - decryption decryption decryption decryption decryption decryption decryption decryption + decryption decryption decryption decryption decryption decryption decryption decryption EVP_EncryptInit initialised initialised initialised initialised initialised initialised initialised initialised - encryption encryption encryption encryption encryption encryption encryption encryption + encryption encryption encryption encryption encryption encryption encryption encryption EVP_CipherUpdate updated updated EVP_DecryptUpdate updated updated decryption decryption diff --git a/doc/man7/life_cycle-digest.pod b/doc/man7/life_cycle-digest.pod index 5425f57dd5..709fd0d04c 100644 --- a/doc/man7/life_cycle-digest.pod +++ b/doc/man7/life_cycle-digest.pod @@ -93,7 +93,7 @@ This is the canonical list. Function Call --------------------- Current State ---------------------- start newed initialised updated finaled freed - EVP_MD_CTX_new newed + EVP_MD_CTX_new newed EVP_DigestInit initialised initialised initialised initialised EVP_DigestUpdate updated updated EVP_DigestFinal finaled diff --git a/doc/man7/life_cycle-kdf.pod b/doc/man7/life_cycle-kdf.pod index d2aec8fe82..9fe042a2c2 100644 --- a/doc/man7/life_cycle-kdf.pod +++ b/doc/man7/life_cycle-kdf.pod 
@@ -75,7 +75,7 @@ This is the canonical list. Function Call ------------- Current State ------------- start newed deriving freed - EVP_KDF_CTX_new newed + EVP_KDF_CTX_new newed EVP_KDF_derive deriving deriving EVP_KDF_CTX_free freed freed freed EVP_KDF_CTX_reset newed newed diff --git a/doc/man7/life_cycle-mac.pod b/doc/man7/life_cycle-mac.pod index 1a9a008818..60b8b55d4b 100644 --- a/doc/man7/life_cycle-mac.pod +++ b/doc/man7/life_cycle-mac.pod @@ -94,7 +94,7 @@ This is the canonical list. Function Call --------------------- Current State ---------------------- start newed initialised updated finaled freed - EVP_MAC_CTX_new newed + EVP_MAC_CTX_new newed EVP_MAC_init initialised initialised initialised initialised EVP_MAC_update updated updated EVP_MAC_final finaled diff --git a/doc/man7/life_cycle-rand.pod b/doc/man7/life_cycle-rand.pod index de2dfcb97e..8afb229b58 100644 --- a/doc/man7/life_cycle-rand.pod +++ b/doc/man7/life_cycle-rand.pod @@ -87,7 +87,7 @@ This is the canonical list. Function Call ------------------ Current State ------------------ start newed instantiated uninstantiated freed - EVP_RAND_CTX_new newed + EVP_RAND_CTX_new newed EVP_RAND_instantiate instantiated EVP_RAND_generate instantiated EVP_RAND_uninstantiate uninstantiated diff --git a/doc/man7/migration_guide.pod b/doc/man7/migration_guide.pod index 02d2327ee2..3e4ce9f65a 100644 --- a/doc/man7/migration_guide.pod +++ b/doc/man7/migration_guide.pod @@ -119,7 +119,7 @@ bypass provider selection and configuration, with unintended consequences. This is particularly relevant for applications written to use the OpenSSL 3.0 FIPS module, as detailed below. Authors and maintainers of external engines are strongly encouraged to refactor their code transforming engines into providers -using the new Provider API and avoiding deprecated methods. +using the new Provider API and avoiding deprecated methods. =head3 Versioning Scheme 
@@ -133,7 +133,7 @@ at the end of the release version number. This will no longer be used and instead the patch level is indicated by the final number in the version. A change in the second (MINOR) number indicates that new features may have been added. OpenSSL versions with the same major number are API and ABI compatible. -If the major number changes then API and ABI compatibility is not guaranteed. +If the major number changes then API and ABI compatibility is not guaranteed. For more information, see L. @@ -409,7 +409,7 @@ enable them to be "freed". However they should also be treated as read-only. This may mean result in an error in L rather than during L. -To disable this check use EVP_PKEY_derive_set_peer_ex(dh, peer, 0). +To disable this check use EVP_PKEY_derive_set_peer_ex(dh, peer, 0). =head4 The print format has cosmetic changes for some functions @@ -541,14 +541,14 @@ The code needs to be amended to look like this: Support for TLSv1.3 has been added. -This has a number of implications for SSL/TLS applications. See the +This has a number of implications for SSL/TLS applications. See the L for further details. =back More details about the breaking changes between OpenSSL versions 1.0.2 and 1.1.0 can be found on the -L. +L. =head3 Upgrading from the OpenSSL 2.0 FIPS Object Module @@ -985,7 +985,7 @@ APIs, or alternatively use L or L. Functions that access low-level objects directly such as L are now deprecated. Applications should use one of L, L, l, -L, L or +L, L or L to access fields from an EVP_PKEY. Gettable parameters are listed in L, L, L, 
@@ -1115,7 +1115,7 @@ Bi-directional IGE mode. These modes were never formally standardised and usage of these functions is believed to be very small. In particular AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only one is ever used. The security implications are believed to be minimal, but -this issue was never fixed for backwards compatibility reasons. +this issue was never fixed for backwards compatibility reasons. =item * @@ -1265,7 +1265,7 @@ DES_decrypt3(), DES_ede3_cbc_encrypt(), DES_ede3_cfb64_encrypt(), DES_ede3_cfb_encrypt(),DES_ede3_ofb64_encrypt(), DES_ecb_encrypt(), DES_ecb3_encrypt(), DES_ofb64_encrypt(), DES_ofb_encrypt(), DES_cfb64_encrypt DES_cfb_encrypt(), DES_cbc_encrypt(), DES_ncbc_encrypt(), -DES_pcbc_encrypt(), DES_xcbc_encrypt(), DES_cbc_cksum(), DES_quad_cksum(), +DES_pcbc_encrypt(), DES_xcbc_encrypt(), DES_cbc_cksum(), DES_quad_cksum(), DES_check_key_parity(), DES_is_weak_key(), DES_key_sched(), DES_options(), DES_random_key(), DES_set_key(), DES_set_key_checked(), DES_set_key_unchecked(), DES_set_odd_parity(), DES_string_to_2keys(), DES_string_to_key() @@ -1513,7 +1513,7 @@ EC_KEY_set_flags(), EC_KEY_get_flags(), EC_KEY_clear_flags() See L which handles flags as seperate parameters for B, B, B, -B and +B and B. See also L @@ -1715,7 +1715,7 @@ See L for further details. =item * -EVP_PKEY_encrypt_old(), EVP_PKEY_decrypt_old(), +EVP_PKEY_encrypt_old(), EVP_PKEY_decrypt_old(), Applications should use L and L or L and L instead. @@ -1795,7 +1795,7 @@ See L. i2d_DHparams(), i2d_DHxparams() See L -and L +and L =item * @@ -1804,7 +1804,7 @@ i2d_DSAPrivateKey_fp(), i2d_DSA_PUBKEY(), i2d_DSA_PUBKEY_bio(), i2d_DSA_PUBKEY_fp(), i2d_DSAPublicKey() See L -and L +and L =item * @@ -1813,7 +1813,7 @@ i2d_ECPrivateKey_fp(), i2d_EC_PUBKEY(), i2d_EC_PUBKEY_bio(), i2d_EC_PUBKEY_fp(), i2o_ECPublicKey() See L -and L +and L =item * 
@@ -1822,7 +1822,7 @@ i2d_RSA_PUBKEY(), i2d_RSA_PUBKEY_bio(), i2d_RSA_PUBKEY_fp(), i2d_RSAPublicKey(), i2d_RSAPublicKey_bio(), i2d_RSAPublicKey_fp() See L -and L +and L =item * @@ -2201,7 +2201,7 @@ B<-provider_path> and B<-provider> are available to all apps and can be used multiple times to load any providers, such as the 'legacy' provider or third party providers. If used then the 'default' provider would also need to be specified if required. The B<-provider_path> must be specified before the -B<-provider> option. +B<-provider> option. The B app has many new options. See L for more information. diff --git a/doc/man7/openssl-core.h.pod b/doc/man7/openssl-core.h.pod index 03980a4b56..3d1eca3e64 100644 --- a/doc/man7/openssl-core.h.pod +++ b/doc/man7/openssl-core.h.pod @@ -67,7 +67,7 @@ or canonical name, on a per algorithm implementation basis. This type is a structure that allows passing arbitrary object data between two parties that have no or very little shared knowledge about -their respective internal structures for that object. +their respective internal structures for that object. It's normally passed in arrays, where the array is terminated with an element where all fields are zero (for non-pointers) or NULL (for pointers). diff --git a/doc/man7/openssl-glossary.pod b/doc/man7/openssl-glossary.pod index 16ff2f3176..b112b375ac 100644 --- a/doc/man7/openssl-glossary.pod +++ b/doc/man7/openssl-glossary.pod @@ -132,7 +132,7 @@ L =item Operation -An operation is a group of OpenSSL functions with a common purpose such as +An operation is a group of OpenSSL functions with a common purpose such as encryption, or digesting. L diff --git a/doc/man7/property.pod b/doc/man7/property.pod index 90368b1f8d..a75f262246 100644 --- a/doc/man7/property.pod +++ b/doc/man7/property.pod 
@@ -144,7 +144,7 @@ setting. The lexical syntax in EBNF is given by: - Definition ::= PropertyName ( '=' Value )? + Definition ::= PropertyName ( '=' Value )? ( ',' PropertyName ( '=' Value )? )* Query ::= PropertyQuery ( ',' PropertyQuery )* PropertyQuery ::= '-' PropertyName diff --git a/doc/man7/provider-base.pod b/doc/man7/provider-base.pod index ac197accca..d1e26baa11 100644 --- a/doc/man7/provider-base.pod +++ b/doc/man7/provider-base.pod @@ -443,7 +443,7 @@ different for any third party provider. This returns 0 if the provider has entered an error state, otherwise it returns 1. -=back +=back provider_gettable_params() should return the above parameters. diff --git a/doc/man7/provider-keyexch.pod b/doc/man7/provider-keyexch.pod index ebfcd85153..f85f3cac50 100644 --- a/doc/man7/provider-keyexch.pod +++ b/doc/man7/provider-keyexch.pod @@ -43,7 +43,7 @@ This documentation is primarily aimed at provider authors. See L for further information. The key exchange (OSSL_OP_KEYEXCH) operation enables providers to implement key -exchange algorithms and make them available to applications via +exchange algorithms and make them available to applications via L and other related functions). diff --git a/doc/man7/provider-keymgmt.pod b/doc/man7/provider-keymgmt.pod index 25b822b47d..b0397b4103 100644 --- a/doc/man7/provider-keymgmt.pod +++ b/doc/man7/provider-keymgmt.pod @@ -237,7 +237,7 @@ OSSL_FUNC_keymgmt_gen_set_params() should set additional parameters from I in the key object generation context I. OSSL_FUNC_keymgmt_gen_settable_params() should return a constant array of -descriptor B, for parameters that OSSL_FUNC_keymgmt_gen_set_params() +descriptor B, for parameters that OSSL_FUNC_keymgmt_gen_set_params() can handle. OSSL_FUNC_keymgmt_gen() should perform the key object generation itself, and 
@@ -255,7 +255,7 @@ Outside the provider, this reference is simply an array of bytes. At least one of OSSL_FUNC_keymgmt_new(), OSSL_FUNC_keymgmt_gen() and OSSL_FUNC_keymgmt_load() are mandatory, as well as OSSL_FUNC_keymgmt_free() and -OSSL_FUNC_keymgmt_has(). Additionally, if OSSL_FUNC_keymgmt_gen() is present, +OSSL_FUNC_keymgmt_has(). Additionally, if OSSL_FUNC_keymgmt_gen() is present, OSSL_FUNC_keymgmt_gen_init() and OSSL_FUNC_keymgmt_gen_cleanup() must be present as well. diff --git a/doc/man7/provider-signature.pod b/doc/man7/provider-signature.pod index 9cb3a620c3..a299d43cc5 100644 --- a/doc/man7/provider-signature.pod +++ b/doc/man7/provider-signature.pod @@ -371,7 +371,7 @@ Sets a flag to modify the sign operation to return an error if the initial calculated signature is invalid. In the normal mode of operation - new random values are chosen until the signature operation succeeds. -By default it retries until a signature is calculated. +By default it retries until a signature is calculated. Setting the value to 0 causes the sign operation to retry, otherwise the sign operation is only tried once and returns whether or not it was successful. diff --git a/doc/man7/proxy-certificates.pod b/doc/man7/proxy-certificates.pod index 395fab86e5..89cd3eea80 100644 --- a/doc/man7/proxy-certificates.pod +++ b/doc/man7/proxy-certificates.pod @@ -215,7 +215,7 @@ The following skeleton code can be used as a starting point: * bottom. You get the CA root first, followed by the * possible chain of intermediate CAs, followed by the EE * certificate, followed by the possible proxy - * certificates. + * certificates. */ X509 *xs = X509_STORE_CTX_get_current_cert(ctx); 
@@ -234,7 +234,7 @@ The following skeleton code can be used as a starting point: * by pulling them from some database. If there * are none to be found, clear all rights (making * this and any subsequent proxy certificate void - * of any rights). + * of any rights). */ memset(rights->rights, 0, sizeof(rights->rights)); break; From pauli at openssl.org Wed Sep 22 08:01:42 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 22 Sep 2021 08:01:42 +0000 Subject: [openssl] master update Message-ID: <1632297702.785407.7630.nullmailer@dev.openssl.org> The branch master has been updated via caf569a5b3271c2860732ee44509f3825a179fd5 (commit) from 57cd10dd1ee9659b94cfa8a8e74c5a151632975e (commit) - Log ----------------------------------------------------------------- commit caf569a5b3271c2860732ee44509f3825a179fd5 Author: Pauli Date: Tue Sep 21 09:19:35 2021 +1000 rand: don't free an mis-set pointer on error This is adding robustness to the code. The fix to not mis-set the pointer is in #16636. Fixes #16631 Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/16640) ----------------------------------------------------------------------- Summary of changes: providers/implementations/rands/drbg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c index 81343fbd52..8b899b99b1 100644 --- a/providers/implementations/rands/drbg.c +++ b/providers/implementations/rands/drbg.c @@ -459,9 +459,11 @@ int ossl_prov_drbg_instantiate(PROV_DRBG *drbg, unsigned int strength, if (!drbg->instantiate(drbg, entropy, entropylen, nonce, noncelen, pers, perslen)) { + cleanup_entropy(drbg, entropy, entropylen); ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_INSTANTIATING_DRBG); goto end; } + cleanup_entropy(drbg, entropy, entropylen); drbg->state = EVP_RAND_STATE_READY; drbg->generate_counter = 1; 
@@ -469,8 +471,6 @@ int ossl_prov_drbg_instantiate(PROV_DRBG *drbg, unsigned int strength, tsan_store(&drbg->reseed_counter, drbg->reseed_next_counter); end: - if (entropy != NULL) - cleanup_entropy(drbg, entropy, entropylen); if (nonce != NULL) ossl_prov_cleanup_nonce(drbg->provctx, nonce, noncelen); if (drbg->state == EVP_RAND_STATE_READY) From pauli at openssl.org Wed Sep 22 08:02:12 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 22 Sep 2021 08:02:12 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1632297732.121036.10119.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 7260376b775dc929ef205561e1adb244c0dd87af (commit) from c9fb4c816b6648eccb31ebe84871d50dbfc87b3a (commit) - Log ----------------------------------------------------------------- commit 7260376b775dc929ef205561e1adb244c0dd87af Author: Pauli Date: Tue Sep 21 09:19:35 2021 +1000 rand: don't free an mis-set pointer on error This is adding robustness to the code. The fix to not mis-set the pointer is in #16636. Fixes #16631 Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/16640) (cherry picked from commit caf569a5b3271c2860732ee44509f3825a179fd5) ----------------------------------------------------------------------- Summary of changes: providers/implementations/rands/drbg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c index 81343fbd52..8b899b99b1 100644 --- a/providers/implementations/rands/drbg.c +++ b/providers/implementations/rands/drbg.c 
@@ -459,9 +459,11 @@ int ossl_prov_drbg_instantiate(PROV_DRBG *drbg, unsigned int strength, if (!drbg->instantiate(drbg, entropy, entropylen, nonce, noncelen, pers, perslen)) { + cleanup_entropy(drbg, entropy, entropylen); ERR_raise(ERR_LIB_PROV, PROV_R_ERROR_INSTANTIATING_DRBG); goto end; } + cleanup_entropy(drbg, entropy, entropylen); drbg->state = EVP_RAND_STATE_READY; drbg->generate_counter = 1; @@ -469,8 +471,6 @@ int ossl_prov_drbg_instantiate(PROV_DRBG *drbg, unsigned int strength, tsan_store(&drbg->reseed_counter, drbg->reseed_next_counter); end: - if (entropy != NULL) - cleanup_entropy(drbg, entropy, entropylen); if (nonce != NULL) ossl_prov_cleanup_nonce(drbg->provctx, nonce, noncelen); if (drbg->state == EVP_RAND_STATE_READY) From pauli at openssl.org Wed Sep 22 08:25:53 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 22 Sep 2021 08:25:53 +0000 Subject: [openssl] master update Message-ID: <1632299153.839798.5250.nullmailer@dev.openssl.org> The branch master has been updated via c249f48778473ebca46a44282b0b0ff40b8665b8 (commit) from caf569a5b3271c2860732ee44509f3825a179fd5 (commit) - Log ----------------------------------------------------------------- commit c249f48778473ebca46a44282b0b0ff40b8665b8 Author: Mattias Ellert Date: Tue Sep 21 06:56:36 2021 +0200 Remove extra comma in man page example code Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16643) ----------------------------------------------------------------------- Summary of changes: doc/man3/OSSL_ENCODER_to_bio.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man3/OSSL_ENCODER_to_bio.pod b/doc/man3/OSSL_ENCODER_to_bio.pod index 365c74ad05..237e29b0b3 100644 --- a/doc/man3/OSSL_ENCODER_to_bio.pod +++ b/doc/man3/OSSL_ENCODER_to_bio.pod 
@@ -92,7 +92,7 @@ AES-256-CBC into a buffer: size_t datalen; ectx = OSSL_ENCODER_CTX_new_for_pkey(pkey, - OSSL_KEYMGMT_SELECT_KEYPAIR, + OSSL_KEYMGMT_SELECT_KEYPAIR | OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, format, structure, NULL); From pauli at openssl.org Wed Sep 22 08:26:23 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 22 Sep 2021 08:26:23 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1632299183.316529.6641.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 4f343fa943e1cc30825b23372622bd92fa04aede (commit) from 7260376b775dc929ef205561e1adb244c0dd87af (commit) - Log ----------------------------------------------------------------- commit 4f343fa943e1cc30825b23372622bd92fa04aede Author: Mattias Ellert Date: Tue Sep 21 06:56:36 2021 +0200 Remove extra comma in man page example code Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16643) (cherry picked from commit c249f48778473ebca46a44282b0b0ff40b8665b8) ----------------------------------------------------------------------- Summary of changes: doc/man3/OSSL_ENCODER_to_bio.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man3/OSSL_ENCODER_to_bio.pod b/doc/man3/OSSL_ENCODER_to_bio.pod index 365c74ad05..237e29b0b3 100644 --- a/doc/man3/OSSL_ENCODER_to_bio.pod +++ b/doc/man3/OSSL_ENCODER_to_bio.pod @@ -92,7 +92,7 @@ AES-256-CBC into a buffer: size_t datalen; ectx = OSSL_ENCODER_CTX_new_for_pkey(pkey, - OSSL_KEYMGMT_SELECT_KEYPAIR, + OSSL_KEYMGMT_SELECT_KEYPAIR | OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, format, structure, NULL); From pauli at openssl.org Wed Sep 22 08:56:01 2021 
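Review bot: in the providers/implementations/rands/drbg.c change to ossl_prov_drbg_instantiate(), the two added cleanup_entropy(drbg, entropy, entropylen) calls run without the "if (entropy != NULL)" check that guarded the call removed from the end: label. The visible lines do not show whether entropy is guaranteed non-NULL by the time drbg->instantiate() is called, or whether cleanup_entropy() accepts NULL, so either keep the guard on both calls or state the guarantee in a comment. The duplicated call could also be avoided by saving the return value of drbg->instantiate(), calling cleanup_entropy() once, and then testing the saved value, so that a later edit between the two branches cannot skip the cleanup.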
From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 22 Sep 2021 08:56:01 +0000 Subject: [openssl] master update Message-ID: <1632300961.657780.4073.nullmailer@dev.openssl.org> The branch master has been updated via 50aba7ffde860dbc5a8d1eb3f5d9f49c58ebc2ce (commit) from c249f48778473ebca46a44282b0b0ff40b8665b8 (commit) - Log ----------------------------------------------------------------- commit 50aba7ffde860dbc5a8d1eb3f5d9f49c58ebc2ce Author: Pauli Date: Tue Sep 21 18:48:17 2021 +1000 doc: Fix include syntax Internal headers should be included using "" instead of <>. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/16647) ----------------------------------------------------------------------- Summary of changes: doc/internal/man3/evp_md_get_number.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/internal/man3/evp_md_get_number.pod b/doc/internal/man3/evp_md_get_number.pod index 3c85f58b99..1f913551aa 100644 --- a/doc/internal/man3/evp_md_get_number.pod +++ b/doc/internal/man3/evp_md_get_number.pod @@ -10,7 +10,7 @@ ossl_store_loader_get_number - EVP get internal identification numbers =head1 SYNOPSIS - #include + #include "crypto/evp.h" int evp_asym_cipher_get_number(const EVP_ASYM_CIPHER *cipher); int evp_cipher_get_number(const EVP_CIPHER *e); From pauli at openssl.org Wed Sep 22 08:56:31 2021 
From: pauli at openssl.org (Dr. Paul Dale) Date: Wed, 22 Sep 2021 08:56:31 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1632300991.356283.5849.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via c6769fd4b6483fa0428300722d494251dcbe7144 (commit) from 4f343fa943e1cc30825b23372622bd92fa04aede (commit) - Log ----------------------------------------------------------------- commit c6769fd4b6483fa0428300722d494251dcbe7144 Author: Pauli Date: Tue Sep 21 18:48:17 2021 +1000 doc: Fix include syntax Internal headers should be included using "" instead of <>. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/16647) (cherry picked from commit 50aba7ffde860dbc5a8d1eb3f5d9f49c58ebc2ce) ----------------------------------------------------------------------- Summary of changes: doc/internal/man3/evp_md_get_number.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/internal/man3/evp_md_get_number.pod b/doc/internal/man3/evp_md_get_number.pod index 3c85f58b99..1f913551aa 100644 --- a/doc/internal/man3/evp_md_get_number.pod +++ b/doc/internal/man3/evp_md_get_number.pod @@ -10,7 +10,7 @@ ossl_store_loader_get_number - EVP get internal identification numbers =head1 SYNOPSIS - #include + #include "crypto/evp.h" int evp_asym_cipher_get_number(const EVP_ASYM_CIPHER *cipher); int evp_cipher_get_number(const EVP_CIPHER *e); From pauli at openssl.org Thu Sep 23 02:08:22 2021 
From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 23 Sep 2021 02:08:22 +0000 Subject: [openssl] master update Message-ID: <1632362902.895311.8115.nullmailer@dev.openssl.org> The branch master has been updated via 524f12611040de64cda13dd148ad1b8ca559c730 (commit) from 50aba7ffde860dbc5a8d1eb3f5d9f49c58ebc2ce (commit) - Log ----------------------------------------------------------------- commit 524f12611040de64cda13dd148ad1b8ca559c730 Author: Ulrich M?ller Date: Mon Sep 13 12:59:42 2021 +0200 Add default provider support for Keccak 224, 256, 384 and 512 Fixes issue openssl#13033 Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16594) ----------------------------------------------------------------------- Summary of changes: crypto/s390x_arch.h | 4 + doc/build.info | 6 ++ doc/man1/openssl.pod | 16 ++++ doc/man7/{EVP_MD-BLAKE2.pod => EVP_MD-KECCAK.pod} | 16 ++-- doc/man7/OSSL_PROVIDER-default.pod | 2 + doc/man7/provider-digest.pod | 4 +- providers/defltprov.c | 5 ++ providers/implementations/digests/sha3_prov.c | 20 +++++ .../implementations/include/prov/implementations.h | 4 + providers/implementations/include/prov/names.h | 5 ++ test/recipes/30-test_evp_data/evpmd_sha.txt | 86 ++++++++++++++++++++++ 11 files changed, 158 insertions(+), 10 deletions(-) copy doc/man7/{EVP_MD-BLAKE2.pod => EVP_MD-KECCAK.pod} (60%) diff --git a/crypto/s390x_arch.h b/crypto/s390x_arch.h index 78fcd73af0..fa920d14da 100644 --- a/crypto/s390x_arch.h +++ b/crypto/s390x_arch.h @@ -122,6 +122,10 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; # define S390X_SHA3_256 33 # define S390X_SHA3_384 34 # define S390X_SHA3_512 35 +# define S390X_KECCAK_224 32 +# define S390X_KECCAK_256 33 +# define S390X_KECCAK_384 34 +# define S390X_KECCAK_512 35 # define S390X_SHAKE_128 36 # define S390X_SHAKE_256 37 # define S390X_GHASH 65 diff --git a/doc/build.info b/doc/build.info index 542ddb8182..fcf2c1cacf 100644 --- a/doc/build.info 
+++ b/doc/build.info @@ -4199,6 +4199,10 @@ DEPEND[html/man7/EVP_MD-BLAKE2.html]=man7/EVP_MD-BLAKE2.pod GENERATE[html/man7/EVP_MD-BLAKE2.html]=man7/EVP_MD-BLAKE2.pod DEPEND[man/man7/EVP_MD-BLAKE2.7]=man7/EVP_MD-BLAKE2.pod GENERATE[man/man7/EVP_MD-BLAKE2.7]=man7/EVP_MD-BLAKE2.pod +DEPEND[html/man7/EVP_MD-KECCAK.html]=man7/EVP_MD-KECCAK.pod +GENERATE[html/man7/EVP_MD-KECCAK.html]=man7/EVP_MD-KECCAK.pod +DEPEND[man/man7/EVP_MD-KECCAK.7]=man7/EVP_MD-KECCAK.pod +GENERATE[man/man7/EVP_MD-KECCAK.7]=man7/EVP_MD-KECCAK.pod DEPEND[html/man7/EVP_MD-MD2.html]=man7/EVP_MD-MD2.pod GENERATE[html/man7/EVP_MD-MD2.html]=man7/EVP_MD-MD2.pod DEPEND[man/man7/EVP_MD-MD2.7]=man7/EVP_MD-MD2.pod @@ -4579,6 +4583,7 @@ html/man7/EVP_MAC-KMAC.html \ html/man7/EVP_MAC-Poly1305.html \ html/man7/EVP_MAC-Siphash.html \ html/man7/EVP_MD-BLAKE2.html \ +html/man7/EVP_MD-KECCAK.html \ html/man7/EVP_MD-MD2.html \ html/man7/EVP_MD-MD4.html \ html/man7/EVP_MD-MD5-SHA1.html \ @@ -4702,6 +4707,7 @@ man/man7/EVP_MAC-KMAC.7 \ man/man7/EVP_MAC-Poly1305.7 \ man/man7/EVP_MAC-Siphash.7 \ man/man7/EVP_MD-BLAKE2.7 \ +man/man7/EVP_MD-KECCAK.7 \ man/man7/EVP_MD-MD2.7 \ man/man7/EVP_MD-MD4.7 \ man/man7/EVP_MD-MD5-SHA1.7 \ diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod index b6f4029a67..c78d06b020 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod @@ -387,6 +387,22 @@ SHA-3 384 Digest SHA-3 512 Digest +=item B + +KECCAK 224 Digest + +=item B + +KECCAK 256 Digest + +=item B + +KECCAK 384 Digest + +=item B + +KECCAK 512 Digest + =item B SHA-3 SHAKE128 Digest diff --git a/doc/man7/EVP_MD-BLAKE2.pod b/doc/man7/EVP_MD-KECCAK.pod similarity index 60% copy from doc/man7/EVP_MD-BLAKE2.pod copy to doc/man7/EVP_MD-KECCAK.pod index be3b0b9286..d854db9157 100644 --- a/doc/man7/EVP_MD-BLAKE2.pod +++ b/doc/man7/EVP_MD-KECCAK.pod 
@@ -2,26 +2,26 @@ =head1 NAME -EVP_MD-BLAKE2 - The BLAKE2 EVP_MD implementation +EVP_MD-KECCAK - The KECCAK EVP_MD implementations =head1 DESCRIPTION -Support for computing SHA2 digests through the B API. +Support for computing KECCAK digests through the B API. =head2 Identities -This implementation is only available with the default provider, and +This implementation is available in the default provider and includes the following varieties: =over 4 -=item BLAKE2S-256 +=item "KECCAK-224" -Known names are "BLAKE2S-256" and "BLAKE2s256". +=item "KECCAK-256" -=item BLAKE2B-512 +=item "KECCAK-384" -Known names are "BLAKE2B-512" and "BLAKE2b512". +=item "KECCAK-512" =back @@ -36,7 +36,7 @@ L, L =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/OSSL_PROVIDER-default.pod b/doc/man7/OSSL_PROVIDER-default.pod index 14d590cbde..492132b8c0 100644 --- a/doc/man7/OSSL_PROVIDER-default.pod +++ b/doc/man7/OSSL_PROVIDER-default.pod @@ -57,6 +57,8 @@ The OpenSSL default provider supports these operations and algorithms: =item SHA3, see L +=item KECCAK, see L + =item KECCAK-KMAC, see L =item SHAKE, see L diff --git a/doc/man7/provider-digest.pod b/doc/man7/provider-digest.pod index 63f30d77b5..5f44df97e7 100644 --- a/doc/man7/provider-digest.pod +++ b/doc/man7/provider-digest.pod @@ -266,8 +266,8 @@ L, L, L, L, L, L, L, L, L, L, -L, L, L, -L, L, +L, L, L +L, L, L, L, L =head1 HISTORY diff --git a/providers/defltprov.c b/providers/defltprov.c index 62258da723..e6c0b24658 100644 --- a/providers/defltprov.c +++ b/providers/defltprov.c 
@@ -114,6 +114,11 @@ static const OSSL_ALGORITHM deflt_digests[] = { { PROV_NAMES_SHA3_384, "provider=default", ossl_sha3_384_functions }, { PROV_NAMES_SHA3_512, "provider=default", ossl_sha3_512_functions }, + { PROV_NAMES_KECCAK_224, "provider=default", ossl_keccak_224_functions }, + { PROV_NAMES_KECCAK_256, "provider=default", ossl_keccak_256_functions }, + { PROV_NAMES_KECCAK_384, "provider=default", ossl_keccak_384_functions }, + { PROV_NAMES_KECCAK_512, "provider=default", ossl_keccak_512_functions }, + /* * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for * the KMAC-128 and KMAC-256. diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c index 168825d475..230de73275 100644 --- a/providers/implementations/digests/sha3_prov.c +++ b/providers/implementations/digests/sha3_prov.c @@ -183,6 +183,12 @@ static PROV_SHA3_METHOD sha3_s390x_md = s390x_sha3_final }; +static PROV_SHA3_METHOD keccak_s390x_md = +{ + s390x_sha3_absorb, + s390x_sha3_final +}; + static PROV_SHA3_METHOD shake_s390x_md = { s390x_sha3_absorb, @@ -303,6 +309,12 @@ static int shake_set_ctx_params(void *vctx, const OSSL_PARAM params[]) SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \ SHA3_FLAGS) +#define IMPLEMENT_KECCAK_functions(bitlen) \ + SHA3_newctx(keccak, KECCAK_##bitlen, keccak_##bitlen, bitlen, '\x01') \ + PROV_FUNC_SHA3_DIGEST(keccak_##bitlen, bitlen, \ + SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \ + SHA3_FLAGS) + #define IMPLEMENT_SHAKE_functions(bitlen) \ SHA3_newctx(shake, SHAKE_##bitlen, shake_##bitlen, bitlen, '\x1f') \ PROV_FUNC_SHAKE_DIGEST(shake_##bitlen, bitlen, \ 
@@ -322,6 +334,14 @@ IMPLEMENT_SHA3_functions(256) IMPLEMENT_SHA3_functions(384) /* ossl_sha3_512_functions */ IMPLEMENT_SHA3_functions(512) +/* ossl_keccak_224_functions */ +IMPLEMENT_KECCAK_functions(224) +/* ossl_keccak_256_functions */ +IMPLEMENT_KECCAK_functions(256) +/* ossl_keccak_384_functions */ +IMPLEMENT_KECCAK_functions(384) +/* ossl_keccak_512_functions */ +IMPLEMENT_KECCAK_functions(512) /* ossl_shake_128_functions */ IMPLEMENT_SHAKE_functions(128) /* ossl_shake_256_functions */ diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h index 73e1823742..e2573ebb4a 100644 --- a/providers/implementations/include/prov/implementations.h +++ b/providers/implementations/include/prov/implementations.h @@ -22,6 +22,10 @@ extern const OSSL_DISPATCH ossl_sha3_224_functions[]; extern const OSSL_DISPATCH ossl_sha3_256_functions[]; extern const OSSL_DISPATCH ossl_sha3_384_functions[]; extern const OSSL_DISPATCH ossl_sha3_512_functions[]; +extern const OSSL_DISPATCH ossl_keccak_224_functions[]; +extern const OSSL_DISPATCH ossl_keccak_256_functions[]; +extern const OSSL_DISPATCH ossl_keccak_384_functions[]; +extern const OSSL_DISPATCH ossl_keccak_512_functions[]; extern const OSSL_DISPATCH ossl_keccak_kmac_128_functions[]; extern const OSSL_DISPATCH ossl_keccak_kmac_256_functions[]; extern const OSSL_DISPATCH ossl_shake_128_functions[]; diff --git a/providers/implementations/include/prov/names.h b/providers/implementations/include/prov/names.h index e0dbb69a9d..1509598ffc 100644 --- a/providers/implementations/include/prov/names.h +++ b/providers/implementations/include/prov/names.h 
@@ -219,6 +219,11 @@ #define PROV_NAMES_SHA3_384 "SHA3-384:2.16.840.1.101.3.4.2.9" #define PROV_NAMES_SHA3_512 "SHA3-512:2.16.840.1.101.3.4.2.10" +#define PROV_NAMES_KECCAK_224 "KECCAK-224" +#define PROV_NAMES_KECCAK_256 "KECCAK-256" +#define PROV_NAMES_KECCAK_384 "KECCAK-384" +#define PROV_NAMES_KECCAK_512 "KECCAK-512" + #define PROV_NAMES_SHAKE_128 "SHAKE-128:SHAKE128:2.16.840.1.101.3.4.2.11" #define PROV_NAMES_SHAKE_256 "SHAKE-256:SHAKE256:2.16.840.1.101.3.4.2.12" diff --git a/test/recipes/30-test_evp_data/evpmd_sha.txt b/test/recipes/30-test_evp_data/evpmd_sha.txt index 66ddf4590a..1b417bfca7 100644 --- a/test/recipes/30-test_evp_data/evpmd_sha.txt +++ b/test/recipes/30-test_evp_data/evpmd_sha.txt 
@@ -281,6 +281,92 @@ Digest = SHAKE256 Input = 8d8001e2c096f1b88e7c9224a086efd4797fbf74a8033a2d422a2b6b8f6747e4 Output = 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 + + +Title = KECCAK + +# Test vectors taken from https://keccak.team/archives.html. +# "Known-answer and Monte Carlo test results, as of round 3 +# of the SHA-3 competition": +# https://keccak.team/obsolete/KeccakKAT-3.zip + +# ShortMsgKAT_224.txt, Len = 0 +Availablein = default +Digest = KECCAK-224 +Input = "" +Output = F71837502BA8E10837BDD8D365ADB85591895602FC552B48B7390ABD + +# LongMsgKAT_224.txt, Len = 3560 +Availablein = default +Digest = KECCAK-224 +Input = 20FF454369A5D05B81A78F3DB05819FEA9B08C2384F75CB0AB6AA115DD690DA3131874A1CA8F708AD1519EA952C1E249CB540D196392C79E87755424FEE7C890808C562722359EEA52E8A12FBBB969DD7961D2BA52037493755A5FA04F0D50A1AA26C9B44148C0D3B94D1C4A59A31ACA15AE8BD44ACB7833D8E91C4B86FA3135A423387B8151B4133ED23F6D7187B50EC2204AD901AD74D396E44274E0ECAFAAE17B3B9085E22260B35CA53B15CC52ABBA758AF6798FBD04ECEECED648F3AF4FDB3DED7557A9A5CFB7382612A8A8F3F45947D1A29CE29072928EC193CA25D51071BD5E1984ECF402F306EA762F0F25282F5296D997658BE3F983696FFA6D095C6369B4DAF79E9A5D3136229128F8EB63C12B9E9FA78AFF7A3E9E19A62022493CD136DEFBB5BB7BA1B938F367FD2F63EB5CA76C0B0FF21B9E36C3F07230CF3C3074E5DA587040A76975D7E39F4494ACE5486FCBF380AB7558C4FE89656335B82E4DB8659509EAB46A19613126E594042732DD4C411F41AA8CDEAC71C0FB40A94E6DA558C05E77B6182806F26D9AFDF3DA00C69419222C8186A6EFAD600B410E6CE2F2A797E49DC1F135319801FA6F396B06F975E2A190A023E474B618E7 +Output = 34A58DDFC5C2222281FA73EB34BFB5E152272CC3AC7FE97AC58C08B0 + +# LongMsgKAT_224.txt, Len = 4064 +Availablein = default +Digest = KECCAK-224 +Input = 
4FBDC596508D24A2A0010E140980B809FB9C6D55EC75125891DD985D37665BD80F9BEB6A50207588ABF3CEEE8C77CD8A5AD48A9E0AA074ED388738362496D2FB2C87543BB3349EA64997CE3E7B424EA92D122F57DBB0855A803058437FE08AFB0C8B5E7179B9044BBF4D81A7163B3139E30888B536B0F957EFF99A7162F4CA5AA756A4A982DFADBF31EF255083C4B5C6C1B99A107D7D3AFFFDB89147C2CC4C9A2643F478E5E2D393AEA37B4C7CB4B5E97DADCF16B6B50AAE0F3B549ECE47746DB6CE6F67DD4406CD4E75595D5103D13F9DFA79372924D328F8DD1FCBEB5A8E2E8BF4C76DE08E3FC46AA021F989C49329C7ACAC5A688556D7BCBCB2A5D4BE69D3284E9C40EC4838EE8592120CE20A0B635ECADAA84FD5690509F54F77E35A417C584648BC9839B974E07BFAB0038E90295D0B13902530A830D1C2BDD53F1F9C9FAED43CA4EED0A8DD761BC7EDBDDA28A287C60CD42AF5F9C758E5C7250231C09A582563689AFC65E2B79A7A2B68200667752E9101746F03184E2399E4ED8835CB8E9AE90E296AF220AE234259FE0BD0BCC60F7A4A5FF3F70C5ED4DE9C8C519A10E962F673C82C5E9351786A8A3BFD570031857BD4C87F4FCA31ED4D50E14F2107DA02CB5058700B74EA241A8B41D78461658F1B2B90BFD84A4C2C9D6543861AB3C56451757DCFB9BA60333488DBDD02D601B41AAE317CA7474EB6E6DD +Output = 0790649A6F6ECC4DCACAFAFB6AEFBF6C6F7EC883C72671DB211CD163 + + +# ShortMsgKAT_256.txt, Len = 0 +Availablein = default +Digest = KECCAK-256 +Input = "" +Output = C5D2460186F7233C927E7DB2DCC703C0E500B653CA82273B7BFAD8045D85A470 + +# LongMsgKAT_256.txt, Len = 3560 +Availablein = default +Digest = KECCAK-256 +Input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utput = 0EC8D9D20DDF0A7B0251E941A7261B557507FF6287B504362A8F1734C5A91012 + +# LongMsgKAT_256.txt, Len = 4064 +Availablein = default +Digest = KECCAK-256 +Input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utput = 0EA33E2E34F572440640244C7F1F5F04697CE97139BDA72A6558D8663C02B388 + + +# ShortMsgKAT_384.txt, Len = 0 +Availablein = default +Digest = KECCAK-384 +Input = "" +Output = 2C23146A63A29ACF99E73B88F8C24EAA7DC60AA771780CCC006AFBFA8FE2479B2DD2B21362337441AC12B515911957FF + +# LongMsgKAT_384.txt, Len = 3560 +Availablein = default +Digest = KECCAK-384 +Input = 
20FF454369A5D05B81A78F3DB05819FEA9B08C2384F75CB0AB6AA115DD690DA3131874A1CA8F708AD1519EA952C1E249CB540D196392C79E87755424FEE7C890808C562722359EEA52E8A12FBBB969DD7961D2BA52037493755A5FA04F0D50A1AA26C9B44148C0D3B94D1C4A59A31ACA15AE8BD44ACB7833D8E91C4B86FA3135A423387B8151B4133ED23F6D7187B50EC2204AD901AD74D396E44274E0ECAFAAE17B3B9085E22260B35CA53B15CC52ABBA758AF6798FBD04ECEECED648F3AF4FDB3DED7557A9A5CFB7382612A8A8F3F45947D1A29CE29072928EC193CA25D51071BD5E1984ECF402F306EA762F0F25282F5296D997658BE3F983696FFA6D095C6369B4DAF79E9A5D3136229128F8EB63C12B9E9FA78AFF7A3E9E19A62022493CD136DEFBB5BB7BA1B938F367FD2F63EB5CA76C0B0FF21B9E36C3F07230CF3C3074E5DA587040A76975D7E39F4494ACE5486FCBF380AB7558C4FE89656335B82E4DB8659509EAB46A19613126E594042732DD4C411F41AA8CDEAC71C0FB40A94E6DA558C05E77B6182806F26D9AFDF3DA00C69419222C8186A6EFAD600B410E6CE2F2A797E49DC1F135319801FA6F396B06F975E2A190A023E474B618E7 +Output = 5975FA4BCEFC79FADC79CCF1254BBA9EAC252E24C7DEC7EB8972D265EFAD3F6CF648C49DFFF5453AD27D62FF867A2F03 + +# LongMsgKAT_384.txt, Len = 4064 +Availablein = default +Digest = KECCAK-384 +Input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utput = D8A18FDF0DBC4D9DC9A399EED833D258BDF4E06C50C12550B50297DDA05784AEE91F339766021B2CA6BE1577823D920B + + +# ShortMsgKAT_512.txt, Len = 0 +Availablein = default +Digest = KECCAK-512 +Input = "" +Output = 0EAB42DE4C3CEB9235FC91ACFFE746B29C29A8C366B7C60E4E67C466F36A4304C00FA9CAF9D87976BA469BCBE06713B435F091EF2769FB160CDAB33D3670680E + +# LongMsgKAT_512.txt, Len = 3560 +Availablein = default +Digest = KECCAK-512 +Input = 
20FF454369A5D05B81A78F3DB05819FEA9B08C2384F75CB0AB6AA115DD690DA3131874A1CA8F708AD1519EA952C1E249CB540D196392C79E87755424FEE7C890808C562722359EEA52E8A12FBBB969DD7961D2BA52037493755A5FA04F0D50A1AA26C9B44148C0D3B94D1C4A59A31ACA15AE8BD44ACB7833D8E91C4B86FA3135A423387B8151B4133ED23F6D7187B50EC2204AD901AD74D396E44274E0ECAFAAE17B3B9085E22260B35CA53B15CC52ABBA758AF6798FBD04ECEECED648F3AF4FDB3DED7557A9A5CFB7382612A8A8F3F45947D1A29CE29072928EC193CA25D51071BD5E1984ECF402F306EA762F0F25282F5296D997658BE3F983696FFA6D095C6369B4DAF79E9A5D3136229128F8EB63C12B9E9FA78AFF7A3E9E19A62022493CD136DEFBB5BB7BA1B938F367FD2F63EB5CA76C0B0FF21B9E36C3F07230CF3C3074E5DA587040A76975D7E39F4494ACE5486FCBF380AB7558C4FE89656335B82E4DB8659509EAB46A19613126E594042732DD4C411F41AA8CDEAC71C0FB40A94E6DA558C05E77B6182806F26D9AFDF3DA00C69419222C8186A6EFAD600B410E6CE2F2A797E49DC1F135319801FA6F396B06F975E2A190A023E474B618E7 +Output = 116AE94C86F68F96B8AEF298A9F5852CC9913A2AD3C3C344F28DCC9B29292A716FAF51DD04A9433D8A12572E1DBC581A7CDC4E50BC1CA9051DDBC121F2E864E2 + +# LongMsgKAT_512.txt, Len = 4064 +Availablein = default +Digest = KECCAK-512 +Input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utput = DEA56BDABBC6D24183CF7BDE1E1F78631B2B0230C76FF2F43075F2FDE77CF052769276CAD98DA62394EC62D77730F5761489585E093EA7315F3592717C485C84 + + + Title = Case insensitive digest tests Digest = Sha3-256 From tomas at openssl.org Thu Sep 23 12:07:31 2021 
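Review bot: in providers/implementations/digests/sha3_prov.c, keccak_s390x_md reuses s390x_sha3_absorb and s390x_sha3_final, and the new S390X_KECCAK_* codes in crypto/s390x_arch.h have the same values (32 to 35) as S390X_SHA3_*, while the generic path distinguishes KECCAK only by the '\x01' pad byte passed to SHA3_newctx. Please confirm that s390x_sha3_final applies that pad byte rather than the SHA3 padding; if it does not, the s390x path would produce SHA3 output under the KECCAK names and needs its own final function. A comment next to the S390X_KECCAK_* defines saying that the aliasing of the SHA3 codes is intentional would also help.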
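Review bot: in the SEE ALSO hunk of doc/man7/provider-digest.pod, the first added line ends without a comma ("+L, L, L" followed by "+L, L, L,"), whereas both removed lines ended with one. Add the trailing comma so the link list stays comma-separated across the line break.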
From: tomas at openssl.org (tomas at openssl.org) Date: Thu, 23 Sep 2021 12:07:31 +0000 Subject: [openssl] master update Message-ID: <1632398851.910867.2433.nullmailer@dev.openssl.org> The branch master has been updated via eeb612021e220de734e1ff08499f42bb962c3916 (commit) from 415e6ac80405e13b20b083315747e431274fbd33 (commit) - Log ----------------------------------------------------------------- commit eeb612021e220de734e1ff08499f42bb962c3916 Author: Kelvin Lee Date: Tue Sep 14 17:55:50 2021 +1000 Explicitly #include is unnecessary The header is already included by for WinSDK 8 or later. Actually this causes problem for WinSDK 7.1 (defaults for VS2010) that it does not have this header while SRW Locks do exist for Windows 7. CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16603) ----------------------------------------------------------------------- Summary of changes: crypto/threads_win.c | 1 - 1 file changed, 1 deletion(-) diff --git a/crypto/threads_win.c b/crypto/threads_win.c index fdc32a2a54..d65b3826d9 100644 --- a/crypto/threads_win.c +++ b/crypto/threads_win.c @@ -10,7 +10,6 @@ #if defined(_WIN32) # include # if defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x600 -# include # define USE_RWLOCK # endif #endif From tomas at openssl.org Thu Sep 23 12:05:02 2021 
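Review bot: in crypto/threads_win.c, after the "# include" line inside the _WIN32_WINNT >= 0x600 block is removed, USE_RWLOCK relies on declarations pulled in by the include that remains above it. A one-line comment at that spot saying so would keep the explicit include from being re-added and breaking WinSDK 7.1 builds again, which is the problem the commit message describes.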
From: tomas at openssl.org (tomas at openssl.org) Date: Thu, 23 Sep 2021 12:05:02 +0000 Subject: [openssl] master update Message-ID: <1632398702.481603.32324.nullmailer@dev.openssl.org> The branch master has been updated via 415e6ac80405e13b20b083315747e431274fbd33 (commit) from 524f12611040de64cda13dd148ad1b8ca559c730 (commit) - Log ----------------------------------------------------------------- commit 415e6ac80405e13b20b083315747e431274fbd33 Author: Tavis Ormandy Date: Tue Sep 21 15:48:27 2021 -0700 increase x509 code coverage metrics Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16651) ----------------------------------------------------------------------- Summary of changes: 38 files changed, 0 insertions(+), 0 deletions(-)
diff --git a/fuzz/corpora/x509/21c8004279f4b57fd8f904382cf138effd089b25 b/fuzz/corpora/x509/21c8004279f4b57fd8f904382cf138effd089b25 new file mode 100644 index 0000000000..4eaf125cdb Binary files /dev/null and b/fuzz/corpora/x509/21c8004279f4b57fd8f904382cf138effd089b25 differ diff --git a/fuzz/corpora/x509/2bd8a58cc944497f08ea233d69443d6696c9fb3f b/fuzz/corpora/x509/2bd8a58cc944497f08ea233d69443d6696c9fb3f new file mode 100644 index 0000000000..64dac7d16b Binary files /dev/null and b/fuzz/corpora/x509/2bd8a58cc944497f08ea233d69443d6696c9fb3f differ diff --git a/fuzz/corpora/x509/2fe700400bc899b9e7f30d66be5b19271ac47c64 b/fuzz/corpora/x509/2fe700400bc899b9e7f30d66be5b19271ac47c64 new file mode 100644 index 0000000000..268e3e0611 Binary files /dev/null and b/fuzz/corpora/x509/2fe700400bc899b9e7f30d66be5b19271ac47c64 differ diff --git a/fuzz/corpora/x509/31305f3b3ee0a5510918efdad62d29da23c1d057 b/fuzz/corpora/x509/31305f3b3ee0a5510918efdad62d29da23c1d057 new file mode 100644 index 0000000000..953c6f83ca Binary files /dev/null and b/fuzz/corpora/x509/31305f3b3ee0a5510918efdad62d29da23c1d057 differ diff --git a/fuzz/corpora/x509/382c9ce318e5d7abe889c3b2e9ace063d9ef5344 b/fuzz/corpora/x509/382c9ce318e5d7abe889c3b2e9ace063d9ef5344 new file mode 100644 index 0000000000..8c85d3a074 Binary files /dev/null and b/fuzz/corpora/x509/382c9ce318e5d7abe889c3b2e9ace063d9ef5344 differ
diff --git a/fuzz/corpora/x509/39cf74c117b5dba51828cff51a27790c737045d7 b/fuzz/corpora/x509/39cf74c117b5dba51828cff51a27790c737045d7 new file mode 100644 index 0000000000..f00d2ef7d6 Binary files /dev/null and b/fuzz/corpora/x509/39cf74c117b5dba51828cff51a27790c737045d7 differ diff --git a/fuzz/corpora/x509/57927e05973120e02ca3e0af582a70d3398f085f b/fuzz/corpora/x509/57927e05973120e02ca3e0af582a70d3398f085f new file mode 100644 index 0000000000..311355eb85 Binary files /dev/null and b/fuzz/corpora/x509/57927e05973120e02ca3e0af582a70d3398f085f differ diff --git a/fuzz/corpora/x509/5dbc640a493e76958fdb2c73c9da4d9101f30061 b/fuzz/corpora/x509/5dbc640a493e76958fdb2c73c9da4d9101f30061 new file mode 100644 index 0000000000..1b6e769874 Binary files /dev/null and b/fuzz/corpora/x509/5dbc640a493e76958fdb2c73c9da4d9101f30061 differ diff --git a/fuzz/corpora/x509/6a1cee93d3b815669b0c65bde8e391c614a29ea3 b/fuzz/corpora/x509/6a1cee93d3b815669b0c65bde8e391c614a29ea3 new file mode 100644 index 0000000000..e74427530a Binary files /dev/null and b/fuzz/corpora/x509/6a1cee93d3b815669b0c65bde8e391c614a29ea3 differ diff --git a/fuzz/corpora/x509/6dcc554810035cc46962eac88c1883623f3e69c6 b/fuzz/corpora/x509/6dcc554810035cc46962eac88c1883623f3e69c6 new file mode 100644 index 0000000000..2c3a0708c8 Binary files /dev/null and b/fuzz/corpora/x509/6dcc554810035cc46962eac88c1883623f3e69c6 differ diff --git a/fuzz/corpora/x509/76b8ba06006375c9c47466dacf3a53021672df12 b/fuzz/corpora/x509/76b8ba06006375c9c47466dacf3a53021672df12 new file mode 100644 index 0000000000..7303487e62 Binary files /dev/null and b/fuzz/corpora/x509/76b8ba06006375c9c47466dacf3a53021672df12 differ diff --git a/fuzz/corpora/x509/8b5fc9262d78c8c87d100ead207dc93df6361295 b/fuzz/corpora/x509/8b5fc9262d78c8c87d100ead207dc93df6361295 new file mode 100644 index 0000000000..1ce08697e6 Binary files /dev/null and b/fuzz/corpora/x509/8b5fc9262d78c8c87d100ead207dc93df6361295 differ 
diff --git a/fuzz/corpora/x509/9900db635402ea32ef26249b5f811a0d85a56385 b/fuzz/corpora/x509/9900db635402ea32ef26249b5f811a0d85a56385 new file mode 100644 index 0000000000..0be1c3b170 Binary files /dev/null and b/fuzz/corpora/x509/9900db635402ea32ef26249b5f811a0d85a56385 differ diff --git a/fuzz/corpora/x509/aa0e6c5373568c9d7f48dc627d19400208baed83 b/fuzz/corpora/x509/aa0e6c5373568c9d7f48dc627d19400208baed83 new file mode 100644 index 0000000000..756d80137c Binary files /dev/null and b/fuzz/corpora/x509/aa0e6c5373568c9d7f48dc627d19400208baed83 differ diff --git a/fuzz/corpora/x509/b1259bf4ca791b0f46887d9a959598e3ed5b6d33 b/fuzz/corpora/x509/b1259bf4ca791b0f46887d9a959598e3ed5b6d33 new file mode 100644 index 0000000000..c562cfb957 Binary files /dev/null and b/fuzz/corpora/x509/b1259bf4ca791b0f46887d9a959598e3ed5b6d33 differ diff --git a/fuzz/corpora/x509/b73532123cb6a663e8cf7334de9c9771ecb432f7 b/fuzz/corpora/x509/b73532123cb6a663e8cf7334de9c9771ecb432f7 new file mode 100644 index 0000000000..c5d8052b7a Binary files /dev/null and b/fuzz/corpora/x509/b73532123cb6a663e8cf7334de9c9771ecb432f7 differ diff --git a/fuzz/corpora/x509/ce89063b8353b1880cb86f73f618a4008d83532a b/fuzz/corpora/x509/ce89063b8353b1880cb86f73f618a4008d83532a new file mode 100644 index 0000000000..a51e79d9db Binary files /dev/null and b/fuzz/corpora/x509/ce89063b8353b1880cb86f73f618a4008d83532a differ diff --git a/fuzz/corpora/x509/d056ac458b78c0344a83c0383f76a20dbb4dcdbc b/fuzz/corpora/x509/d056ac458b78c0344a83c0383f76a20dbb4dcdbc new file mode 100644 index 0000000000..a885aeb031 Binary files /dev/null and b/fuzz/corpora/x509/d056ac458b78c0344a83c0383f76a20dbb4dcdbc differ diff --git a/fuzz/corpora/x509/d57f9f790ec3895b7e11969a0b319bf274284be3 b/fuzz/corpora/x509/d57f9f790ec3895b7e11969a0b319bf274284be3 new file mode 100644 index 0000000000..372c0cbdc0 Binary files /dev/null and b/fuzz/corpora/x509/d57f9f790ec3895b7e11969a0b319bf274284be3 differ 
diff --git a/fuzz/corpora/x509/d60a803dc64c2f98c732660fb006b944df9f9270 b/fuzz/corpora/x509/d60a803dc64c2f98c732660fb006b944df9f9270 new file mode 100644 index 0000000000..daed8ef2a4 Binary files /dev/null and b/fuzz/corpora/x509/d60a803dc64c2f98c732660fb006b944df9f9270 differ diff --git a/fuzz/corpora/x509/e690741d65108fc3e8ce0af814e6b6967cfad51c b/fuzz/corpora/x509/e690741d65108fc3e8ce0af814e6b6967cfad51c new file mode 100644 index 0000000000..2e68ea904e Binary files /dev/null and b/fuzz/corpora/x509/e690741d65108fc3e8ce0af814e6b6967cfad51c differ diff --git a/fuzz/corpora/x509/e7c6f4d50fb62030e2259c94f3a423e0d1c0fa16 b/fuzz/corpora/x509/e7c6f4d50fb62030e2259c94f3a423e0d1c0fa16 new file mode 100644 index 0000000000..e7bfca9bec Binary files /dev/null and b/fuzz/corpora/x509/e7c6f4d50fb62030e2259c94f3a423e0d1c0fa16 differ diff --git a/fuzz/corpora/x509/e8ff454fe20035d1ee1c6fbb50cda330e8a48d47 b/fuzz/corpora/x509/e8ff454fe20035d1ee1c6fbb50cda330e8a48d47 new file mode 100644 index 0000000000..5bade84ae5 Binary files /dev/null and b/fuzz/corpora/x509/e8ff454fe20035d1ee1c6fbb50cda330e8a48d47 differ diff --git a/fuzz/corpora/x509/ea973eb22df5eedd5f52639e1ad0950118c76b2e b/fuzz/corpora/x509/ea973eb22df5eedd5f52639e1ad0950118c76b2e new file mode 100644 index 0000000000..3eb164e547 Binary files /dev/null and b/fuzz/corpora/x509/ea973eb22df5eedd5f52639e1ad0950118c76b2e differ diff --git a/fuzz/corpora/x509/ebabb2852689b7bedc46cc38d10deb4a4be8c8f7 b/fuzz/corpora/x509/ebabb2852689b7bedc46cc38d10deb4a4be8c8f7 new file mode 100644 index 0000000000..0e9915f4d6 Binary files /dev/null and b/fuzz/corpora/x509/ebabb2852689b7bedc46cc38d10deb4a4be8c8f7 differ diff --git a/fuzz/corpora/x509/ec16dacfbdb34e2a1f0909ec9c59f9e6fa7d5ab3 b/fuzz/corpora/x509/ec16dacfbdb34e2a1f0909ec9c59f9e6fa7d5ab3 new file mode 100644 index 0000000000..188b05f494 Binary files /dev/null and b/fuzz/corpora/x509/ec16dacfbdb34e2a1f0909ec9c59f9e6fa7d5ab3 differ 
diff --git a/fuzz/corpora/x509/ee7a250cc7b123f8f3000fa2b0c045efd080f752 b/fuzz/corpora/x509/ee7a250cc7b123f8f3000fa2b0c045efd080f752 new file mode 100644 index 0000000000..ab49a35255 Binary files /dev/null and b/fuzz/corpora/x509/ee7a250cc7b123f8f3000fa2b0c045efd080f752 differ diff --git a/fuzz/corpora/x509/f11550062adba3ac78fccf835a882a68e1bffab2 b/fuzz/corpora/x509/f11550062adba3ac78fccf835a882a68e1bffab2 new file mode 100644 index 0000000000..26cbb9718b Binary files /dev/null and b/fuzz/corpora/x509/f11550062adba3ac78fccf835a882a68e1bffab2 differ diff --git a/fuzz/corpora/x509/f11f61828aa0a0fecaf44cbc155d7e174d814eb6 b/fuzz/corpora/x509/f11f61828aa0a0fecaf44cbc155d7e174d814eb6 new file mode 100644 index 0000000000..568f803a45 Binary files /dev/null and b/fuzz/corpora/x509/f11f61828aa0a0fecaf44cbc155d7e174d814eb6 differ diff --git a/fuzz/corpora/x509/f1506975d926f6e98be686ea147854951d8fefcc b/fuzz/corpora/x509/f1506975d926f6e98be686ea147854951d8fefcc new file mode 100644 index 0000000000..51e6882f52 Binary files /dev/null and b/fuzz/corpora/x509/f1506975d926f6e98be686ea147854951d8fefcc differ diff --git a/fuzz/corpora/x509/f3aebf0d2a2db39f8e4917e5b6a0e5fb0e0ce806 b/fuzz/corpora/x509/f3aebf0d2a2db39f8e4917e5b6a0e5fb0e0ce806 new file mode 100644 index 0000000000..b99db14b11 Binary files /dev/null and b/fuzz/corpora/x509/f3aebf0d2a2db39f8e4917e5b6a0e5fb0e0ce806 differ diff --git a/fuzz/corpora/x509/f5f0426c6dafa100b79a8675f15aca90a68d9e16 b/fuzz/corpora/x509/f5f0426c6dafa100b79a8675f15aca90a68d9e16 new file mode 100644 index 0000000000..9368383e9d Binary files /dev/null and b/fuzz/corpora/x509/f5f0426c6dafa100b79a8675f15aca90a68d9e16 differ diff --git a/fuzz/corpora/x509/f6735b84d4c704f3674a50e6475c83bc2a3d6f1f b/fuzz/corpora/x509/f6735b84d4c704f3674a50e6475c83bc2a3d6f1f new file mode 100644 index 0000000000..bff7c23844 Binary files /dev/null and b/fuzz/corpora/x509/f6735b84d4c704f3674a50e6475c83bc2a3d6f1f differ 
diff --git a/fuzz/corpora/x509/fa4768c5efcb1b5c8ecda30b263f5e9ca4320718 b/fuzz/corpora/x509/fa4768c5efcb1b5c8ecda30b263f5e9ca4320718 new file mode 100644 index 0000000000..2272219160 Binary files /dev/null and b/fuzz/corpora/x509/fa4768c5efcb1b5c8ecda30b263f5e9ca4320718 differ diff --git a/fuzz/corpora/x509/fae428be68618af3fc3fb89ab79d92f9d1a9b1b9 b/fuzz/corpora/x509/fae428be68618af3fc3fb89ab79d92f9d1a9b1b9 new file mode 100644 index 0000000000..9bae34555c Binary files /dev/null and b/fuzz/corpora/x509/fae428be68618af3fc3fb89ab79d92f9d1a9b1b9 differ diff --git a/fuzz/corpora/x509/fb92fed0a0bc2235437683e655533d84b64a59c0 b/fuzz/corpora/x509/fb92fed0a0bc2235437683e655533d84b64a59c0 new file mode 100644 index 0000000000..a14aae963c Binary files /dev/null and b/fuzz/corpora/x509/fb92fed0a0bc2235437683e655533d84b64a59c0 differ diff --git a/fuzz/corpora/x509/fc48a26e3e5e2a9229452819e8605b1cbfdd9892 b/fuzz/corpora/x509/fc48a26e3e5e2a9229452819e8605b1cbfdd9892 new file mode 100644 index 0000000000..abce23c4a4 Binary files /dev/null and b/fuzz/corpora/x509/fc48a26e3e5e2a9229452819e8605b1cbfdd9892 differ diff --git a/fuzz/corpora/x509/fe543a8d7e09109a9a08114323eefec802ad79e2 b/fuzz/corpora/x509/fe543a8d7e09109a9a08114323eefec802ad79e2 new file mode 100644 index 0000000000..95d521e55f Binary files /dev/null and b/fuzz/corpora/x509/fe543a8d7e09109a9a08114323eefec802ad79e2 differ From tomas at openssl.org Thu Sep 23 12:13:41 2021 
From: tomas at openssl.org (tomas at openssl.org) Date: Thu, 23 Sep 2021 12:13:41 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1632399221.697507.7235.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via b3242ca622ef3da34ebb7b78b1f82cd5f0b516e7 (commit) from c6769fd4b6483fa0428300722d494251dcbe7144 (commit) - Log ----------------------------------------------------------------- commit b3242ca622ef3da34ebb7b78b1f82cd5f0b516e7 Author: Kelvin Lee Date: Tue Sep 14 17:55:50 2021 +1000 Explicitly #include is unnecessary The header is already included by for WinSDK 8 or later. Actually this causes problem for WinSDK 7.1 (defaults for VS2010) that it does not have this header while SRW Locks do exist for Windows 7. CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16603) (cherry picked from commit eeb612021e220de734e1ff08499f42bb962c3916) ----------------------------------------------------------------------- Summary of changes: crypto/threads_win.c | 1 - 1 file changed, 1 deletion(-) diff --git a/crypto/threads_win.c b/crypto/threads_win.c index fdc32a2a54..d65b3826d9 100644 --- a/crypto/threads_win.c +++ b/crypto/threads_win.c @@ -10,7 +10,6 @@ #if defined(_WIN32) # include # if defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x600 -# include # define USE_RWLOCK # endif #endif From tomas at openssl.org Thu Sep 23 12:18:11 2021 
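Review bot: In crypto/threads_win.c, inside the `_WIN32_WINNT >= 0x600` block, `USE_RWLOCK` is now defined with nothing in that block pulling in the SRW lock declarations, so the build relies on the include that remains directly under `#if defined(_WIN32)`. A one-line comment there, saying that the remaining header provides the SRW lock API and that the explicit include was dropped because WinSDK 7.1 does not ship it, would keep someone from re-adding the line later.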
From: tomas at openssl.org (tomas at openssl.org) Date: Thu, 23 Sep 2021 12:18:11 +0000 Subject: [openssl] master update Message-ID: <1632399491.616887.11047.nullmailer@dev.openssl.org> The branch master has been updated via c3b5fa4ab7d19e35311a21fec3ebc0a333c352b6 (commit) from eeb612021e220de734e1ff08499f42bb962c3916 (commit) - Log ----------------------------------------------------------------- commit c3b5fa4ab7d19e35311a21fec3ebc0a333c352b6 Author: slontis Date: Wed Sep 22 15:53:54 2021 +1000 Change TLS RC4 cipher strength check to be data driven. This is a same pattern as used in PR #16652 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16656) ----------------------------------------------------------------------- Summary of changes: ssl/s3_lib.c | 20 ++++++++++---------- ssl/ssl_cert.c | 3 --- 2 files changed, 10 insertions(+), 13 deletions(-) diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 348d02d8bd..ef027d79e0 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -2807,7 +2807,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2823,7 +2823,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2839,7 +2839,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2855,7 +2855,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2871,7 +2871,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2887,7 +2887,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { 
@@ -2903,7 +2903,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2919,7 +2919,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2935,7 +2935,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, { @@ -2951,7 +2951,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 0, 0, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, + 80, 128, }, #endif /* OPENSSL_NO_WEAK_SSL_CIPHERS */ diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 547e9b9ccd..a9e71046b3 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -1021,9 +1021,6 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, /* SHA1 HMAC is 160 bits of security */ if (minbits > 160 && c->algorithm_mac & SSL_SHA1) return 0; - /* Level 2: no RC4 */ - if (level >= 2 && c->algorithm_enc == SSL_RC4) - return 0; /* Level 3: forward secure ciphersuites only */ if (level >= 3 && c->min_tls != TLS1_3_VERSION && !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))) From pauli at openssl.org Fri Sep 24 07:39:31 2021 
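Review bot: In ssl/s3_lib.c, the ten `ssl3_ciphers[]` entries changed from `128,` to `80,` give no hint why the strength now differs from the `128` algorithm bits on the following line. Add a trailing comment on each changed line stating that 80 is the value that keeps RC4 out at security level 2, which is the rule the check removed from ssl/ssl_cert.c used to spell out.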
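Review bot: In ssl/ssl_cert.c, dropping the `level >= 2 && c->algorithm_enc == SSL_RC4` test from `ssl_security_default_callback` means RC4 stays excluded at level 2 only if every RC4 entry in the cipher table carries the lowered strength; an entry missed here, or added later with `128`, would pass without any warning. The summary shows only ssl/s3_lib.c and ssl/ssl_cert.c changed, so please add a test that walks the cipher list and asserts that no suite with `SSL_RC4` is accepted at level 2.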
From: pauli at openssl.org (Dr. Paul Dale) Date: Fri, 24 Sep 2021 07:39:31 +0000 Subject: [openssl] master update Message-ID: <1632469171.167075.8322.nullmailer@dev.openssl.org> The branch master has been updated via e07102220afe4059bc45aa3d7073b7678329e26e (commit) via 56ffcce492ffc6f36b2f0d9431e23febe054dd04 (commit) via 1a473d1cc67e04ae9fea517b36dc332143250cf5 (commit) from c3b5fa4ab7d19e35311a21fec3ebc0a333c352b6 (commit) - Log ----------------------------------------------------------------- commit e07102220afe4059bc45aa3d7073b7678329e26e Author: Pauli Date: Thu Sep 23 12:27:11 2021 +1000 tls/ccm8: reduce the cipher strength for CCM8 ciphers to 64 bits This is the length of the tag they use and should be considered an upper bound on their strength. This lowers their security strength to level 0. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16652) commit 56ffcce492ffc6f36b2f0d9431e23febe054dd04 Author: Pauli Date: Wed Sep 22 10:32:49 2021 +1000 doc: document the change to the security level of CCM8 cipher suites Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16652) commit 1a473d1cc67e04ae9fea517b36dc332143250cf5 Author: Pauli Date: Wed Sep 22 10:31:22 2021 +1000 tls: reduce the strength of CCM_8 ciphers due to their short IV. Fixes #16154 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16652) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 5 ++++ doc/man3/SSL_CTX_set_security_level.pod | 3 ++- ssl/s3_lib.c | 44 ++++++++++++++++----------------- test/sslapitest.c | 34 ++++++++++++++++++------- 4 files changed, 54 insertions(+), 32 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index c9d3825eec..84fb4c3f84 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -24,6 +24,11 @@ OpenSSL 3.1 ### Changes between 3.0 and 3.1 [xx XXX xxxx] + * CCM8 cipher suites in TLS have been downgraded to security level zero + because they use a short authentication tag which lowers their strength. + + *Paul Dale* + * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings by default. diff --git a/doc/man3/SSL_CTX_set_security_level.pod b/doc/man3/SSL_CTX_set_security_level.pod index 292d6a2333..d9965572c8 100644 --- a/doc/man3/SSL_CTX_set_security_level.pod +++ b/doc/man3/SSL_CTX_set_security_level.pod @@ -77,7 +77,8 @@ parameters offering below 80 bits of security are excluded. As a result RSA, DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits are prohibited. All export cipher suites are prohibited since they all offer less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite -using MD5 for the MAC is also prohibited. +using MD5 for the MAC is also prohibited. Any cipher suites using CCM with +a 64 bit authentication tag are prohibited. =item B diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index ef027d79e0..88565a7000 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -108,9 +108,9 @@ static SSL_CIPHER tls13_ciphers[] = { SSL_AEAD, TLS1_3_VERSION, TLS1_3_VERSION, 0, 0, - SSL_NOT_DEFAULT | SSL_HIGH, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_SHA256, - 128, + 64, /* CCM8 uses a short tag, so we have a low security strength */ 128, } }; @@ -699,9 +699,9 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_AEAD, TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION, - SSL_NOT_DEFAULT | SSL_HIGH, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, + 64, /* CCM8 uses a short tag, so we have a low security strength */ 128, }, { 
@@ -715,9 +715,9 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_AEAD, TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION, - SSL_NOT_DEFAULT | SSL_HIGH, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 256, + 64, /* CCM8 uses a short tag, so we have a low security strength */ 256, }, { @@ -731,9 +731,9 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_AEAD, TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION, - SSL_NOT_DEFAULT | SSL_HIGH, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, + 64, /* CCM8 uses a short tag, so we have a low security strength */ 128, }, { @@ -747,9 +747,9 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_AEAD, TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION, - SSL_NOT_DEFAULT | SSL_HIGH, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 256, + 64, /* CCM8 uses a short tag, so we have a low security strength */ 256, }, { @@ -827,9 +827,9 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_AEAD, TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION, - SSL_NOT_DEFAULT | SSL_HIGH, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, + 64, /* CCM8 uses a short tag, so we have a low security strength */ 128, }, { @@ -843,9 +843,9 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_AEAD, TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION, - SSL_NOT_DEFAULT | SSL_HIGH, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 256, + 64, /* CCM8 uses a short tag, so we have a low security strength */ 256, }, { @@ -859,9 +859,9 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_AEAD, TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION, - SSL_NOT_DEFAULT | SSL_HIGH, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, + 64, /* CCM8 uses a short tag, so we have a low security strength */ 128, }, { 
@@ -875,9 +875,9 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_AEAD, TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION, - SSL_NOT_DEFAULT | SSL_HIGH, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 256, + 64, /* CCM8 uses a short tag, so we have a low security strength */ 256, }, { @@ -923,9 +923,9 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_AEAD, TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION, - SSL_NOT_DEFAULT | SSL_HIGH, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 128, + 64, /* CCM8 uses a short tag, so we have a low security strength */ 128, }, { @@ -939,9 +939,9 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_AEAD, TLS1_2_VERSION, TLS1_2_VERSION, DTLS1_2_VERSION, DTLS1_2_VERSION, - SSL_NOT_DEFAULT | SSL_HIGH, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, - 256, + 64, /* CCM8 uses a short tag, so we have a low security strength */ 256, }, { diff --git a/test/sslapitest.c b/test/sslapitest.c index e95d2657f4..1337698e0d 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -4112,6 +4112,12 @@ static int test_early_data_psk_with_all_ciphers(int idx) &serverssl, &sess, 2))) goto end; + if (idx == 4) { + /* CCM8 ciphers are considered low security due to their short tag */ + SSL_set_security_level(clientssl, 0); + SSL_set_security_level(serverssl, 0); + } + if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx])) || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx]))) goto end; 
@@ -4399,9 +4405,11 @@ static int test_ciphersuite_change(void) "TLS_AES_256_GCM_SHA384:" "TLS_AES_128_CCM_SHA256")) || !TEST_true(SSL_CTX_set_ciphersuites(cctx, - "TLS_AES_128_GCM_SHA256")) - || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, - &clientssl, NULL, NULL)) + "TLS_AES_128_GCM_SHA256"))) + goto end; + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL)) || !TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) goto end; @@ -4928,16 +4936,19 @@ static int test_tls13_ciphersuite(int idx) static const struct { const char *ciphername; int fipscapable; + int low_security; } t13_ciphers[] = { - { TLS1_3_RFC_AES_128_GCM_SHA256, 1 }, - { TLS1_3_RFC_AES_256_GCM_SHA384, 1 }, - { TLS1_3_RFC_AES_128_CCM_SHA256, 1 }, + { TLS1_3_RFC_AES_128_GCM_SHA256, 1, 0 }, + { TLS1_3_RFC_AES_256_GCM_SHA384, 1, 0 }, + { TLS1_3_RFC_AES_128_CCM_SHA256, 1, 0 }, # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) - { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 }, + { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 }, { TLS1_3_RFC_AES_256_GCM_SHA384 - ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 }, + ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0, 0 }, # endif - { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 } + /* CCM8 ciphers are considered low security due to their short tag */ + { TLS1_3_RFC_AES_128_CCM_8_SHA256 + ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1, 1 } }; const char *t13_cipher = NULL; const char *t12_cipher = NULL; @@ -4981,6 +4992,11 @@ static int test_tls13_ciphersuite(int idx) &sctx, &cctx, cert, privkey))) goto end; + if (t13_ciphers[i].low_security) { + SSL_CTX_set_security_level(sctx, 0); + SSL_CTX_set_security_level(cctx, 0); + } + if (set_at_ctx) { if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, t13_cipher)) || !TEST_true(SSL_CTX_set_ciphersuites(cctx, t13_cipher))) From beldmit at gmail.com Fri Sep 24 09:03:43 2021 
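Review bot: In doc/man3/SSL_CTX_set_security_level.pod, the added sentence switches to the plural ("Any cipher suites ... are prohibited") directly after "Any cipher suite using MD5 for the MAC is also prohibited", and it never uses the name CCM8 that CHANGES.md and the code comments use. Suggest "Any cipher suite using CCM with a 64 bit authentication tag (the CCM8 suites) is also prohibited." so that a reader searching the page for CCM8 finds the rule.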
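Review bot: In ssl/s3_lib.c, each CCM8 entry drops to strength `64` but is reclassified only from `SSL_HIGH` to `SSL_MEDIUM`, and the inline comment explains the 64 without explaining the class. If `SSL_MEDIUM` is deliberate for suites that CHANGES.md describes as downgraded to security level zero, say so in the comment or the commit message; otherwise consider whether `SSL_LOW` matches the new rating better.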
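Review bot: In test/sslapitest.c, `test_early_data_psk_with_all_ciphers` keys the security level override on the bare index `if (idx == 4)`, which silently stops matching the CCM8 entry if `cipher_str[]` is reordered or an entry is compiled out. Prefer a per-entry flag, as the `low_security` field added to `t13_ciphers[]` later in this same patch does.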
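Review bot: In test/sslapitest.c, `test_tls13_ciphersuite` lowers the level to 0 for the `low_security` entry so the existing case keeps passing, but nothing in the patch asserts the new behaviour itself. Add a negative case that leaves the security level at 1 with a CCM8-only cipher list and expects the connection not to be established, so a regression in the `64` strength values is caught.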
From: beldmit at gmail.com (beldmit at gmail.com) Date: Fri, 24 Sep 2021 09:03:43 +0000 Subject: [openssl] master update Message-ID: <1632474223.074918.32757.nullmailer@dev.openssl.org> The branch master has been updated via aa58071e4b8b245db1564f476731c978738e7e98 (commit) from e07102220afe4059bc45aa3d7073b7678329e26e (commit) - Log ----------------------------------------------------------------- commit aa58071e4b8b245db1564f476731c978738e7e98 Author: Dominic Letz Date: Wed Sep 22 18:03:28 2021 +0200 Update 15-ios.conf CLA: trivial I assume this has been an error in the initial ios conf file. In order to build for ios the shared engine library, needs to be disabled because iOS doesn't have the concept of shared libraries. But instead of only disabling `dynamic-engine` (or like in this commit disabled the `shared`) option the previous config did disable `engine` and with that the `static-engine` compilation as well. This restores the `static-engine` option being enabled by default, but keeping compilation going on iOS. Cheers! Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/16659) ----------------------------------------------------------------------- Summary of changes: Configurations/15-ios.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/15-ios.conf b/Configurations/15-ios.conf index 4b5aeecc28..54d37f63f4 100644 --- a/Configurations/15-ios.conf +++ b/Configurations/15-ios.conf @@ -10,7 +10,7 @@ my %targets = ( template => 1, inherit_from => [ "darwin-common" ], sys_id => "iOS", - disable => [ "engine", "async" ], + disable => [ "shared", "async" ], }, "ios-xcrun" => { inherit_from => [ "ios-common" ], From beldmit at gmail.com Fri Sep 24 09:05:11 2021 
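Review bot: In Configurations/15-ios.conf, `disable => [ "shared", "async" ]` on `ios-common` turns off shared library builds for every target that inherits from it (`ios-xcrun` is visible in the context), which is broader than the commit message's stated aim of disabling only `dynamic-engine`. Add a comment above the line explaining that `shared` is listed because iOS has no shared libraries and that this is what leaves the static engine enabled, so the entry is not changed back to `engine` later.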
From: beldmit at gmail.com (beldmit at gmail.com) Date: Fri, 24 Sep 2021 09:05:11 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1632474311.081143.2251.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via f8543a08ffe18485b2e1361d4f496d33d6e6f35e (commit) from b3242ca622ef3da34ebb7b78b1f82cd5f0b516e7 (commit) - Log ----------------------------------------------------------------- commit f8543a08ffe18485b2e1361d4f496d33d6e6f35e Author: Dominic Letz Date: Wed Sep 22 18:03:28 2021 +0200 Update 15-ios.conf CLA: trivial I assume this has been an error in the initial ios conf file. In order to build for ios the shared engine library, needs to be disabled because iOS doesn't have the concept of shared libraries. But instead of only disabling `dynamic-engine` (or like in this commit disabled the `shared`) option the previous config did disable `engine` and with that the `static-engine` compilation as well. This restores the `static-engine` option being enabled by default, but keeping compilation going on iOS. Cheers! Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/16659) (cherry picked from commit aa58071e4b8b245db1564f476731c978738e7e98) ----------------------------------------------------------------------- Summary of changes: Configurations/15-ios.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/15-ios.conf b/Configurations/15-ios.conf index 4b5aeecc28..54d37f63f4 100644 --- a/Configurations/15-ios.conf +++ b/Configurations/15-ios.conf @@ -10,7 +10,7 @@ my %targets = ( template => 1, inherit_from => [ "darwin-common" ], sys_id => "iOS", - disable => [ "engine", "async" ], + disable => [ "shared", "async" ], }, "ios-xcrun" => { inherit_from => [ "ios-common" ], From beldmit at gmail.com Fri Sep 24 09:07:44 2021 
From: beldmit at gmail.com (beldmit at gmail.com) Date: Fri, 24 Sep 2021 09:07:44 +0000 Subject: [openssl] master update Message-ID: <1632474464.218115.4826.nullmailer@dev.openssl.org> The branch master has been updated via a5d8a2f8f10b83e5afb297698fe72cee77b1837f (commit) from aa58071e4b8b245db1564f476731c978738e7e98 (commit) - Log ----------------------------------------------------------------- commit a5d8a2f8f10b83e5afb297698fe72cee77b1837f Author: Dmitry Belyavskiy Date: Wed Sep 22 16:40:13 2021 +0200 FIPS and KTLS may interfere New Linux kernels (>= 5.11) enable KTLS CHACHA which is not FIPS-suitable. Fixes #16657 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16658) ----------------------------------------------------------------------- Summary of changes: .github/workflows/ci.yml | 13 +++++++++++++ test/sslapitest.c | 10 ++++++++++ 2 files changed, 23 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c7a344c529..b52b8c15f4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -179,6 +179,19 @@ jobs: - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + fips_and_ktls: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout at v2 + - name: modprobe tls + run: sudo modprobe tls + - name: config + run: ./config --banner=Configured --strict-warnings enable-ktls enable-fips && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + no-legacy: runs-on: ubuntu-latest steps: diff --git a/test/sslapitest.c b/test/sslapitest.c index 1337698e0d..25dc61b876 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c 
@@ -1158,6 +1158,11 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls, goto end; } + if (is_fips && strstr(cipher, "CHACHA") != NULL) { + testresult = TEST_skip("CHACHA is not supported in FIPS"); + goto end; + } + /* Create a session based on SHA-256 */ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), @@ -1292,6 +1297,11 @@ static int execute_test_ktls_sendfile(int tls_version, const char *cipher) goto end; } + if (is_fips && strstr(cipher, "CHACHA") != NULL) { + testresult = TEST_skip("CHACHA is not supported in FIPS"); + goto end; + } + /* Create a session based on SHA-256 */ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), From beldmit at gmail.com Fri Sep 24 09:08:27 2021 From: beldmit at gmail.com (beldmit at gmail.com) Date: Fri, 24 Sep 2021 09:08:27 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1632474507.490502.6303.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 5b896265e7305f85f3b14283869393c255ab401e (commit) from f8543a08ffe18485b2e1361d4f496d33d6e6f35e (commit) - Log ----------------------------------------------------------------- commit 5b896265e7305f85f3b14283869393c255ab401e Author: Dmitry Belyavskiy Date: Wed Sep 22 16:40:13 2021 +0200 FIPS and KTLS may interfere New Linux kernels (>= 5.11) enable KTLS CHACHA which is not FIPS-suitable. Fixes #16657 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16658) (cherry picked from commit a5d8a2f8f10b83e5afb297698fe72cee77b1837f) ----------------------------------------------------------------------- Summary of changes: .github/workflows/ci.yml | 13 +++++++++++++ test/sslapitest.c | 10 ++++++++++ 2 files changed, 23 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c7a344c529..b52b8c15f4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -179,6 +179,19 @@ jobs: - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + fips_and_ktls: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout at v2 + - name: modprobe tls + run: sudo modprobe tls + - name: config + run: ./config --banner=Configured --strict-warnings enable-ktls enable-fips && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + no-legacy: runs-on: ubuntu-latest steps: diff --git a/test/sslapitest.c b/test/sslapitest.c index e95d2657f4..7af0eab3fc 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -1158,6 +1158,11 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls, goto end; } + if (is_fips && strstr(cipher, "CHACHA") != NULL) { + testresult = TEST_skip("CHACHA is not supported in FIPS"); + goto end; + } + /* Create a session based on SHA-256 */ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), @@ -1292,6 +1297,11 @@ static int execute_test_ktls_sendfile(int tls_version, const char *cipher) goto end; } + if (is_fips && strstr(cipher, "CHACHA") != NULL) { + testresult = TEST_skip("CHACHA is not supported in FIPS"); + goto end; + } + /* Create a session based on SHA-256 */ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), From no-reply at appveyor.com Fri Sep 24 13:53:44 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 24 Sep 2021 13:53:44 +0000 Subject: Build failed: openssl openssl-3.0.42775 Message-ID: <20210924135344.1.EBCDC4D1F98993BF@appveyor.com> An HTML attachment was scrubbed... URL: From tomas at openssl.org Fri Sep 24 14:36:14 2021 
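Review bot: The new `fips_and_ktls` job in .github/workflows/ci.yml (master commit and its openssl-3.0 cherry-pick alike) only reproduces the problem from #16657 when the runner kernel is 5.11 or newer, and `runs-on: ubuntu-latest` does not pin that. Add a step that records `uname -r` next to `sudo modprobe tls`, so a green run on an older kernel is not mistaken for coverage of the CHACHA case.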
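Review bot: The skip `if (is_fips && strstr(cipher, "CHACHA") != NULL)` is pasted verbatim into both `execute_test_ktls()` and `execute_test_ktls_sendfile()` in test/sslapitest.c, and it decides FIPS suitability by a substring match on the cipher name. A small shared helper called from both functions would keep the two copies in step, and a comment next to it should say that the list has to be revisited whenever the kernel gains KTLS support for another cipher that the FIPS provider does not offer.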
From: tomas at openssl.org (tomas at openssl.org) Date: Fri, 24 Sep 2021 14:36:14 +0000 Subject: [openssl] master update Message-ID: <1632494174.965281.2957.nullmailer@dev.openssl.org> The branch master has been updated via 75cce8ddee8c108039d0329c4f84466aad0f9c3c (commit) via 574246ae02a206b49957b63b0d4f53992e855e13 (commit) from a5d8a2f8f10b83e5afb297698fe72cee77b1837f (commit) - Log ----------------------------------------------------------------- commit 75cce8ddee8c108039d0329c4f84466aad0f9c3c Author: Dr. David von Oheimb Date: Mon Jul 12 15:32:02 2021 +0200 80-test_cmp_http.t: Remove -certout option where not needed Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16052) commit 574246ae02a206b49957b63b0d4f53992e855e13 Author: Dr. David von Oheimb Date: Mon Jul 12 15:30:20 2021 +0200 cmp_client_test.c: Remove needless dependency on NDEBUG Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16052) ----------------------------------------------------------------------- Summary of changes: test/cmp_client_test.c | 14 +------------- test/recipes/80-test_cmp_http.t | 3 ++- test/recipes/80-test_cmp_http_data/Mock/test.cnf | 1 + 3 files changed, 4 insertions(+), 14 deletions(-) diff --git a/test/cmp_client_test.c b/test/cmp_client_test.c index f470f5e445..f4f664a49e 100644 --- a/test/cmp_client_test.c +++ b/test/cmp_client_test.c @@ -13,8 +13,6 @@ #include "cmp_mock_srv.h" -#ifndef NDEBUG /* tests need mock server, which is available only if !NDEBUG */ - static const char *server_key_f; static const char *server_cert_f; static const char *client_key_f; @@ -344,7 +342,7 @@ void cleanup_tests(void) return; } -# define USAGE "server.key server.crt client.key client.crt client.csr module_name [module_conf_file]\n" +#define USAGE "server.key server.crt client.key client.crt client.csr module_name [module_conf_file]\n" OPT_TEST_DECLARE_USAGE(USAGE) int setup_tests(void) 
@@ -391,13 +389,3 @@ int setup_tests(void) ADD_TEST(test_exchange_error); return 1; } - -#else /* !defined (NDEBUG) */ - -int setup_tests(void) -{ - TEST_note("CMP session tests are disabled in this build (NDEBUG)."); - return 1; -} - -#endif diff --git a/test/recipes/80-test_cmp_http.t b/test/recipes/80-test_cmp_http.t index 92f11e8ac8..75acc07a4c 100644 --- a/test/recipes/80-test_cmp_http.t +++ b/test/recipes/80-test_cmp_http.t @@ -242,7 +242,8 @@ sub load_tests { } else { $line =~ s{-section,,}{-section,,-proxy,$proxy,}; } - $line =~ s{-section,,}{-section,,-certout,$result_dir/test.cert.pem,}; + $line =~ s{-section,,}{-section,,-certout,$result_dir/test.cert.pem,} + if $aspect ne "commands" || $line =~ m/,\s*-cmd\s*,\s*(ir|cr|p10cr|kur)\s*,/; $line =~ s{-section,,}{-config,../$test_config,-section,$server_name $aspect,}; my @fields = grep /\S/, split ",", $line; diff --git a/test/recipes/80-test_cmp_http_data/Mock/test.cnf b/test/recipes/80-test_cmp_http_data/Mock/test.cnf index 87dd575a8a..0853893cd7 100644 --- a/test/recipes/80-test_cmp_http_data/Mock/test.cnf +++ b/test/recipes/80-test_cmp_http_data/Mock/test.cnf @@ -84,6 +84,7 @@ extracertsout = [commands] cmd = +certout = cacertsout = infotype = oldcert = From no-reply at appveyor.com Fri Sep 24 16:39:56 2021 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 24 Sep 2021 16:39:56 +0000 Subject: Build completed: openssl master.42776 Message-ID: <20210924163956.1.D08810ECAAE45CC9@appveyor.com> An HTML attachment was scrubbed... URL: From pauli at openssl.org Sun Sep 26 22:39:00 2021 
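Review bot: The new condition on the `-certout` substitution in test/recipes/80-test_cmp_http.t hard-codes the certificate-producing commands as `(ir|cr|p10cr|kur)` inside the regex, so a "commands" test line using any other value of `-cmd` silently runs without `-certout`. Move the list into a named variable with a comment explaining that these are the commands that return a certificate, and use a non-capturing group `(?:...)` since the capture is never read.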
From: pauli at openssl.org (Dr. Paul Dale) Date: Sun, 26 Sep 2021 22:39:00 +0000 Subject: [openssl] master update Message-ID: <1632695940.541341.32268.nullmailer@dev.openssl.org> The branch master has been updated via 63d0f4d2b04ed334e534c9f6d0b18262161b0050 (commit) via 0855591e1f3559313641c13e4b7ce900ce42321c (commit) via b66b024cf7124c9639011b27b70a082e3bc3d269 (commit) via 06394a6cc7c784b46bc6d1e65a1ff39637093934 (commit) via c568900c9ac02e92c54bd3168773d54d7350a580 (commit) via 29c80c6004de8bfd1792e421bbe03ab5f075f21d (commit) via 397065c621e733fff80dedb28252120ec143693e (commit) via b0b456f8c8b628c3d7e212339e31cbfd06ac4ec8 (commit) from 75cce8ddee8c108039d0329c4f84466aad0f9c3c (commit) - Log ----------------------------------------------------------------- commit 63d0f4d2b04ed334e534c9f6d0b18262161b0050 Author: Pauli Date: Sat Sep 25 10:41:02 2021 +1000 Add changes entry indicating that the OBJ_* calls are now thread safe Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15713) commit 0855591e1f3559313641c13e4b7ce900ce42321c Author: Pauli Date: Mon Jun 14 11:11:16 2021 +1000 test: add threading test for object creation In addition, rework the multi tests to use common code. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15713) commit b66b024cf7124c9639011b27b70a082e3bc3d269 Author: Pauli Date: Fri Jun 11 19:10:49 2021 +1000 doc: add note to indicate that the OBJ_ functions were not thread safe in 3.0 Also remove OBJ_thread from the list of non-threadsafe functions. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15713) commit 06394a6cc7c784b46bc6d1e65a1ff39637093934 Author: Pauli Date: Thu Jun 24 23:51:53 2021 +1000 doc: Document that the OBJ creation functions are now thread safe. With the OBJ_ thread locking in place, these documentation changes are not required. This reverts commit 0218bcdd3feab456135207c140998305df73ab7b. 
Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15713) commit c568900c9ac02e92c54bd3168773d54d7350a580 Author: Pauli Date: Thu Jun 17 11:05:02 2021 +1000 obj: add locking to the OBJ sigid calls This is done using a single global lock. The premise for this is that new objects will most frequently be added at start up and never added subsequently. Thus, the locking will be for read most of the time. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15713) commit 29c80c6004de8bfd1792e421bbe03ab5f075f21d Author: Pauli Date: Thu Jun 17 12:41:36 2021 +1000 obj: make new NIDs use tsan if possible Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15713) commit 397065c621e733fff80dedb28252120ec143693e Author: Pauli Date: Fri Jun 11 17:05:20 2021 +1000 obj: make the OBJ_ calls thread safe This is done using a single global lock. The premise for this is that new objects will most frequently be added at start up and never added subsequently. Thus, the locking will be for read most of the time. This does, however, introduce the overhead of taking an uncontested read lock when accessing the object database. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15713) commit b0b456f8c8b628c3d7e212339e31cbfd06ac4ec8 Author: Pauli Date: Thu Jun 17 12:36:33 2021 +1000 tsan: add an addition macro Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15713) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 4 + crypto/objects/obj_dat.c | 365 +++++++++++++++++++++++----------------- crypto/objects/obj_xref.c | 157 ++++++++++++----- doc/man3/OBJ_nid2obj.pod | 6 +- doc/man7/openssl-threads.pod | 4 +- doc/man7/provider-base.pod | 7 +- include/internal/tsan_assist.h | 22 ++- test/threadstest.c | 372 +++++++++++++++++++++++++---------------- 8 files changed, 585 insertions(+), 352 deletions(-) 
diff --git a/CHANGES.md b/CHANGES.md index 84fb4c3f84..dc3008f814 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -24,6 +24,10 @@ OpenSSL 3.1 ### Changes between 3.0 and 3.1 [xx XXX xxxx] + * The various OBJ_* functions have been made thread safe. + + *Paul Dale* + * CCM8 cipher suites in TLS have been downgraded to security level zero because they use a short authentication tag which lowers their strength. diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c index 653cc9ad94..a146a96aad 100644 --- a/crypto/objects/obj_dat.c +++ b/crypto/objects/obj_dat.c @@ -11,6 +11,8 @@ #include "crypto/ctype.h" #include #include "internal/cryptlib.h" +#include "internal/thread_once.h" +#include "internal/tsan_assist.h" #include #include #include "crypto/objects.h" @@ -21,6 +23,14 @@ /* obj_dat.h is generated from objects.h by obj_dat.pl */ #include "obj_dat.h" +/* + * If we don't have suitable TSAN support, we'll use a lock for generation of + * new NIDs. This will be slower of course. + */ +#ifndef tsan_ld_acq +# define OBJ_USE_LOCK_FOR_NEW_NID +#endif + DECLARE_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, unsigned int, sn); DECLARE_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, unsigned int, ln); DECLARE_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, unsigned int, obj); 
@@ -35,8 +45,71 @@ struct added_obj_st { ASN1_OBJECT *obj; }; -static int new_nid = NUM_NID; static LHASH_OF(ADDED_OBJ) *added = NULL; +static CRYPTO_RWLOCK *ossl_obj_lock = NULL; +#ifdef OBJ_USE_LOCK_FOR_NEW_NID +static CRYPTO_RWLOCK *ossl_obj_nid_lock = NULL; +#endif + +static CRYPTO_ONCE ossl_obj_lock_init = CRYPTO_ONCE_STATIC_INIT; + +static ossl_inline void objs_free_locks(void) +{ + CRYPTO_THREAD_lock_free(ossl_obj_lock); + ossl_obj_lock = NULL; +#ifdef OBJ_USE_LOCK_FOR_NEW_NID + CRYPTO_THREAD_lock_free(ossl_obj_nid_lock); + ossl_obj_nid_lock = NULL; +#endif +} + +DEFINE_RUN_ONCE_STATIC(obj_lock_initialise) +{ + /* Make sure we've loaded config before checking for any "added" objects */ + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); + + ossl_obj_lock = CRYPTO_THREAD_lock_new(); + if (ossl_obj_lock == NULL) + return 0; + +#ifdef OBJ_USE_LOCK_FOR_NEW_NID + ossl_obj_nid_lock = CRYPTO_THREAD_lock_new(); + if (ossl_obj_nid_lock == NULL) { + objs_free_locks(); + return 0; + } +#endif + return 1; +} + +static ossl_inline int ossl_init_added_lock(void) +{ + return RUN_ONCE(&ossl_obj_lock_init, obj_lock_initialise); +} + +static ossl_inline int ossl_obj_write_lock(int lock) +{ + if (!lock) + return 1; + if (!ossl_init_added_lock()) + return 0; + return CRYPTO_THREAD_write_lock(ossl_obj_lock); +} + +static ossl_inline int ossl_obj_read_lock(int lock) +{ + if (!lock) + return 1; + if (!ossl_init_added_lock()) + return 0; + return CRYPTO_THREAD_read_lock(ossl_obj_lock); +} + +static ossl_inline void ossl_obj_unlock(int lock) +{ + if (lock) + CRYPTO_THREAD_unlock(ossl_obj_lock); +} static int sn_cmp(const ASN1_OBJECT *const *a, const unsigned int *b) { @@ -123,14 +196,6 @@ static int added_obj_cmp(const ADDED_OBJ *ca, const ADDED_OBJ *cb) } } -static int init_added(void) -{ - if (added != NULL) - return 1; - added = lh_ADDED_OBJ_new(added_obj_hash, added_obj_cmp); - return added != NULL; -} - static void cleanup1_doall(ADDED_OBJ *a) { a->obj->nid = 0; 
@@ -152,47 +217,69 @@ static void cleanup3_doall(ADDED_OBJ *a) void ossl_obj_cleanup_int(void) { - if (added == NULL) - return; - lh_ADDED_OBJ_set_down_load(added, 0); - lh_ADDED_OBJ_doall(added, cleanup1_doall); /* zero counters */ - lh_ADDED_OBJ_doall(added, cleanup2_doall); /* set counters */ - lh_ADDED_OBJ_doall(added, cleanup3_doall); /* free objects */ - lh_ADDED_OBJ_free(added); - added = NULL; + if (added != NULL) { + lh_ADDED_OBJ_set_down_load(added, 0); + lh_ADDED_OBJ_doall(added, cleanup1_doall); /* zero counters */ + lh_ADDED_OBJ_doall(added, cleanup2_doall); /* set counters */ + lh_ADDED_OBJ_doall(added, cleanup3_doall); /* free objects */ + lh_ADDED_OBJ_free(added); + added = NULL; + } + objs_free_locks(); } int OBJ_new_nid(int num) { +#ifdef OBJ_USE_LOCK_FOR_NEW_NID + static int new_nid = NUM_NID; int i; + if (!CRYPTO_THREAD_write_lock(ossl_obj_nid_lock)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_WRITE_LOCK); + return NID_undef; + } i = new_nid; new_nid += num; + CRYPTO_THREAD_unlock(ossl_obj_nid_lock); return i; +#else + static TSAN_QUALIFIER int new_nid = NUM_NID; + + return tsan_add(&new_nid, num); +#endif } -int OBJ_add_object(const ASN1_OBJECT *obj) +static int ossl_obj_add_object(const ASN1_OBJECT *obj, int lock) { - ASN1_OBJECT *o; + ASN1_OBJECT *o = NULL; ADDED_OBJ *ao[4] = { NULL, NULL, NULL, NULL }, *aop; int i; - if (added == NULL) - if (!init_added()) - return 0; if ((o = OBJ_dup(obj)) == NULL) - goto err; - if ((ao[ADDED_NID] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL) + return NID_undef; + if ((ao[ADDED_NID] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL + || (o->length != 0 + && obj->data != NULL + && (ao[ADDED_DATA] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL) + || (o->sn != NULL + && (ao[ADDED_SNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL) + || (o->ln != NULL + && (ao[ADDED_LNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_MALLOC_FAILURE); goto err2; - if ((o->length != 0) && (obj->data != NULL)) - 
if ((ao[ADDED_DATA] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL) - goto err2; - if (o->sn != NULL) - if ((ao[ADDED_SNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL) - goto err2; - if (o->ln != NULL) - if ((ao[ADDED_LNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL) - goto err2; + } + + if (!ossl_obj_write_lock(lock)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_WRITE_LOCK); + goto err2; + } + if (added == NULL) { + added = lh_ADDED_OBJ_new(added_obj_hash, added_obj_cmp); + if (added == NULL) { + ERR_raise(ERR_LIB_OBJ, ERR_R_MALLOC_FAILURE); + goto err; + } + } for (i = ADDED_DATA; i <= ADDED_NID; i++) { if (ao[i] != NULL) { @@ -207,10 +294,12 @@ int OBJ_add_object(const ASN1_OBJECT *obj) ~(ASN1_OBJECT_FLAG_DYNAMIC | ASN1_OBJECT_FLAG_DYNAMIC_STRINGS | ASN1_OBJECT_FLAG_DYNAMIC_DATA); + ossl_obj_unlock(lock); return o->nid; - err2: - ERR_raise(ERR_LIB_OBJ, ERR_R_MALLOC_FAILURE); + err: + ossl_obj_unlock(lock); + err2: for (i = ADDED_DATA; i <= ADDED_NID; i++) OPENSSL_free(ao[i]); ASN1_OBJECT_free(o); @@ -219,27 +308,24 @@ int OBJ_add_object(const ASN1_OBJECT *obj) ASN1_OBJECT *OBJ_nid2obj(int n) { - ADDED_OBJ ad, *adp; + ADDED_OBJ ad, *adp = NULL; ASN1_OBJECT ob; - if ((n >= 0) && (n < NUM_NID)) { - if ((n != NID_undef) && (nid_objs[n].nid == NID_undef)) { - ERR_raise(ERR_LIB_OBJ, OBJ_R_UNKNOWN_NID); - return NULL; - } - return (ASN1_OBJECT *)&(nid_objs[n]); - } - - /* Make sure we've loaded config before checking for any "added" objects */ - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); - - if (added == NULL) + if (n == NID_undef) return NULL; + if (n >= 0 && n < NUM_NID && nid_objs[n].nid != NID_undef) + return (ASN1_OBJECT *)&(nid_objs[n]); ad.type = ADDED_NID; ad.obj = &ob; ob.nid = n; - adp = lh_ADDED_OBJ_retrieve(added, &ad); + if (!ossl_obj_read_lock(1)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_READ_LOCK); + return NULL; + } + if (added != NULL) + adp = lh_ADDED_OBJ_retrieve(added, &ad); + ossl_obj_unlock(1); if (adp != NULL) return adp->obj; 
@@ -249,62 +335,16 @@ ASN1_OBJECT *OBJ_nid2obj(int n) const char *OBJ_nid2sn(int n) { - ADDED_OBJ ad, *adp; - ASN1_OBJECT ob; - - if ((n >= 0) && (n < NUM_NID)) { - if ((n != NID_undef) && (nid_objs[n].nid == NID_undef)) { - ERR_raise(ERR_LIB_OBJ, OBJ_R_UNKNOWN_NID); - return NULL; - } - return nid_objs[n].sn; - } - - /* Make sure we've loaded config before checking for any "added" objects */ - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); - - if (added == NULL) - return NULL; + ASN1_OBJECT *ob = OBJ_nid2obj(n); - ad.type = ADDED_NID; - ad.obj = &ob; - ob.nid = n; - adp = lh_ADDED_OBJ_retrieve(added, &ad); - if (adp != NULL) - return adp->obj->sn; - - ERR_raise(ERR_LIB_OBJ, OBJ_R_UNKNOWN_NID); - return NULL; + return ob == NULL ? NULL : ob->sn; } const char *OBJ_nid2ln(int n) { - ADDED_OBJ ad, *adp; - ASN1_OBJECT ob; - - if ((n >= 0) && (n < NUM_NID)) { - if ((n != NID_undef) && (nid_objs[n].nid == NID_undef)) { - ERR_raise(ERR_LIB_OBJ, OBJ_R_UNKNOWN_NID); - return NULL; - } - return nid_objs[n].ln; - } - - /* Make sure we've loaded config before checking for any "added" objects */ - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); - - if (added == NULL) - return NULL; + ASN1_OBJECT *ob = OBJ_nid2obj(n); - ad.type = ADDED_NID; - ad.obj = &ob; - ob.nid = n; - adp = lh_ADDED_OBJ_retrieve(added, &ad); - if (adp != NULL) - return adp->obj->ln; - - ERR_raise(ERR_LIB_OBJ, OBJ_R_UNKNOWN_NID); - return NULL; + return ob == NULL ? NULL : ob->ln; } static int obj_cmp(const ASN1_OBJECT *const *ap, const unsigned int *bp) 
@@ -323,33 +363,35 @@ static int obj_cmp(const ASN1_OBJECT *const *ap, const unsigned int *bp) IMPLEMENT_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, unsigned int, obj); -int OBJ_obj2nid(const ASN1_OBJECT *a) +static int ossl_obj_obj2nid(const ASN1_OBJECT *a, const int lock) { + int nid = NID_undef; const unsigned int *op; ADDED_OBJ ad, *adp; if (a == NULL) return NID_undef; - if (a->nid != 0) + if (a->nid != NID_undef) return a->nid; - if (a->length == 0) return NID_undef; - /* Make sure we've loaded config before checking for any "added" objects */ - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); - + op = OBJ_bsearch_obj(&a, obj_objs, NUM_OBJ); + if (op != NULL) + return nid_objs[*op].nid; + if (!ossl_obj_read_lock(lock)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_READ_LOCK); + return NID_undef; + } if (added != NULL) { ad.type = ADDED_DATA; - ad.obj = (ASN1_OBJECT *)a; /* XXX: ugly but harmless */ + ad.obj = (ASN1_OBJECT *)a; /* casting away const is harmless here */ adp = lh_ADDED_OBJ_retrieve(added, &ad); if (adp != NULL) - return adp->obj->nid; + nid = adp->obj->nid; } - op = OBJ_bsearch_obj(&a, obj_objs, NUM_OBJ); - if (op == NULL) - return NID_undef; - return nid_objs[*op].nid; + ossl_obj_unlock(lock); + return nid; } /* @@ -358,20 +400,20 @@ int OBJ_obj2nid(const ASN1_OBJECT *a) * into an object: unlike OBJ_txt2nid it can be used with any objects, not * just registered ones. */ - ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name) { int nid = NID_undef; - ASN1_OBJECT *op; + ASN1_OBJECT *op = NULL; unsigned char *buf; unsigned char *p; const unsigned char *cp; int i, j; if (!no_name) { - if (((nid = OBJ_sn2nid(s)) != NID_undef) || - ((nid = OBJ_ln2nid(s)) != NID_undef)) + if ((nid = OBJ_sn2nid(s)) != NID_undef || + (nid = OBJ_ln2nid(s)) != NID_undef) { return OBJ_nid2obj(nid); + } if (!ossl_isdigit(*s)) { ERR_raise(ERR_LIB_OBJ, OBJ_R_UNKNOWN_OBJECT_NAME); return NULL; 
@@ -380,13 +422,9 @@ ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name) /* Work out size of content octets */ i = a2d_ASN1_OBJECT(NULL, 0, s, -1); - if (i <= 0) { - /* Don't clear the error */ - /* - * ERR_clear_error(); - */ + if (i <= 0) return NULL; - } + /* Work out total size */ j = ASN1_object_size(0, i, V_ASN1_OBJECT); if (j < 0) @@ -416,24 +454,23 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) unsigned long l; const unsigned char *p; char tbuf[DECIMAL_SIZE(i) + DECIMAL_SIZE(l) + 2]; + const char *s; /* Ensure that, at every state, |buf| is NUL-terminated. */ - if (buf && buf_len > 0) + if (buf != NULL && buf_len > 0) buf[0] = '\0'; - if ((a == NULL) || (a->data == NULL)) + if (a == NULL || a->data == NULL) return 0; if (!no_name && (nid = OBJ_obj2nid(a)) != NID_undef) { - const char *s; s = OBJ_nid2ln(nid); if (s == NULL) s = OBJ_nid2sn(nid); - if (s) { - if (buf) + if (s != NULL) { + if (buf != NULL) OPENSSL_strlcpy(buf, s, buf_len); - n = strlen(s); - return n; + return (int)strlen(s); } } @@ -545,11 +582,13 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) int OBJ_txt2nid(const char *s) { - ASN1_OBJECT *obj; - int nid; - obj = OBJ_txt2obj(s, 0); - nid = OBJ_obj2nid(obj); - ASN1_OBJECT_free(obj); + ASN1_OBJECT *obj = OBJ_txt2obj(s, 0); + int nid = NID_undef; + + if (obj != NULL) { + nid = OBJ_obj2nid(obj); + ASN1_OBJECT_free(obj); + } return nid; } 
@@ -559,22 +598,25 @@ int OBJ_ln2nid(const char *s) const ASN1_OBJECT *oo = &o; ADDED_OBJ ad, *adp; const unsigned int *op; - - /* Make sure we've loaded config before checking for any "added" objects */ - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); + int nid = NID_undef; o.ln = s; + op = OBJ_bsearch_ln(&oo, ln_objs, NUM_LN); + if (op != NULL) + return nid_objs[*op].nid; + if (!ossl_obj_read_lock(1)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_READ_LOCK); + return NID_undef; + } if (added != NULL) { ad.type = ADDED_LNAME; ad.obj = &o; adp = lh_ADDED_OBJ_retrieve(added, &ad); if (adp != NULL) - return adp->obj->nid; + nid = adp->obj->nid; } - op = OBJ_bsearch_ln(&oo, ln_objs, NUM_LN); - if (op == NULL) - return NID_undef; - return nid_objs[*op].nid; + ossl_obj_unlock(1); + return nid; } int OBJ_sn2nid(const char *s) @@ -583,22 +625,25 @@ int OBJ_sn2nid(const char *s) const ASN1_OBJECT *oo = &o; ADDED_OBJ ad, *adp; const unsigned int *op; - - /* Make sure we've loaded config before checking for any "added" objects */ - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); + int nid = NID_undef; o.sn = s; + op = OBJ_bsearch_sn(&oo, sn_objs, NUM_SN); + if (op != NULL) + return nid_objs[*op].nid; + if (!ossl_obj_read_lock(1)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_READ_LOCK); + return NID_undef; + } if (added != NULL) { ad.type = ADDED_SNAME; ad.obj = &o; adp = lh_ADDED_OBJ_retrieve(added, &ad); if (adp != NULL) - return adp->obj->nid; + nid = adp->obj->nid; } - op = OBJ_bsearch_sn(&oo, sn_objs, NUM_SN); - if (op == NULL) - return NID_undef; - return nid_objs[*op].nid; + ossl_obj_unlock(1); + return nid; } const void *OBJ_bsearch_(const void *key, const void *base, int num, int size, 
@@ -698,16 +743,21 @@ int OBJ_create(const char *oid, const char *sn, const char *ln) if ((sn != NULL && OBJ_sn2nid(sn) != NID_undef) || (ln != NULL && OBJ_ln2nid(ln) != NID_undef)) { ERR_raise(ERR_LIB_OBJ, OBJ_R_OID_EXISTS); - return 0; + goto err; } /* Convert numerical OID string to an ASN1_OBJECT structure */ tmpoid = OBJ_txt2obj(oid, 1); if (tmpoid == NULL) + goto err; + + if (!ossl_obj_write_lock(1)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_WRITE_LOCK); return 0; + } /* If NID is not NID_undef then object already exists */ - if (OBJ_obj2nid(tmpoid) != NID_undef) { + if (ossl_obj_obj2nid(tmpoid, 0) != NID_undef) { ERR_raise(ERR_LIB_OBJ, OBJ_R_OID_EXISTS); goto err; } @@ -716,12 +766,13 @@ int OBJ_create(const char *oid, const char *sn, const char *ln) tmpoid->sn = (char *)sn; tmpoid->ln = (char *)ln; - ok = OBJ_add_object(tmpoid); + ok = ossl_obj_add_object(tmpoid, 0); tmpoid->sn = NULL; tmpoid->ln = NULL; err: + ossl_obj_unlock(1); ASN1_OBJECT_free(tmpoid); return ok; } @@ -739,3 +790,13 @@ const unsigned char *OBJ_get0_data(const ASN1_OBJECT *obj) return NULL; return obj->data; } + +int OBJ_add_object(const ASN1_OBJECT *obj) +{ + return ossl_obj_add_object(obj, 1); +} + +int OBJ_obj2nid(const ASN1_OBJECT *a) +{ + return ossl_obj_obj2nid(a, 1); +} diff --git a/crypto/objects/obj_xref.c b/crypto/objects/obj_xref.c index da1035112f..3a6ae02bf0 100644 --- a/crypto/objects/obj_xref.c +++ b/crypto/objects/obj_xref.c @@ -10,9 +10,11 @@ #include #include "obj_xref.h" #include "internal/nelem.h" +#include "internal/thread_once.h" #include static STACK_OF(nid_triple) *sig_app, *sigx_app; +static CRYPTO_RWLOCK *sig_lock; static int sig_cmp(const nid_triple *a, const nid_triple *b) { 
@@ -32,62 +34,104 @@ DECLARE_OBJ_BSEARCH_CMP_FN(const nid_triple *, const nid_triple *, sigx); static int sigx_cmp(const nid_triple *const *a, const nid_triple *const *b) { int ret; + ret = (*a)->hash_id - (*b)->hash_id; - if (ret) + if (ret != 0) return ret; return (*a)->pkey_id - (*b)->pkey_id; } IMPLEMENT_OBJ_BSEARCH_CMP_FN(const nid_triple *, const nid_triple *, sigx); -int OBJ_find_sigid_algs(int signid, int *pdig_nid, int *ppkey_nid) +static CRYPTO_ONCE sig_init = CRYPTO_ONCE_STATIC_INIT; + +DEFINE_RUN_ONCE_STATIC(o_sig_init) +{ + sig_lock = CRYPTO_THREAD_lock_new(); + return sig_lock != NULL; +} + +static ossl_inline int obj_sig_init(void) +{ + return RUN_ONCE(&sig_init, o_sig_init); +} + +static int ossl_obj_find_sigid_algs(int signid, int *pdig_nid, int *ppkey_nid, + int lock) { nid_triple tmp; - const nid_triple *rv = NULL; - tmp.sign_id = signid; + const nid_triple *rv; + int idx; - if (sig_app != NULL) { - int idx = sk_nid_triple_find(sig_app, &tmp); - rv = sk_nid_triple_value(sig_app, idx); - } -#ifndef OBJ_XREF_TEST2 + if (signid == NID_undef) + return 0; + + tmp.sign_id = signid; + rv = OBJ_bsearch_sig(&tmp, sigoid_srt, OSSL_NELEM(sigoid_srt)); if (rv == NULL) { - rv = OBJ_bsearch_sig(&tmp, sigoid_srt, OSSL_NELEM(sigoid_srt)); + if (!obj_sig_init()) + return 0; + if (lock && !CRYPTO_THREAD_read_lock(sig_lock)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_READ_LOCK); + return 0; + } + if (sig_app != NULL) { + idx = sk_nid_triple_find(sig_app, &tmp); + if (idx >= 0) + rv = sk_nid_triple_value(sig_app, idx); + } + if (lock) + CRYPTO_THREAD_unlock(sig_lock); + if (rv == NULL) + return 0; } -#endif - if (rv == NULL) - return 0; - if (pdig_nid) + + if (pdig_nid != NULL) *pdig_nid = rv->hash_id; - if (ppkey_nid) + if (ppkey_nid != NULL) *ppkey_nid = rv->pkey_id; return 1; } +int OBJ_find_sigid_algs(int signid, int *pdig_nid, int *ppkey_nid) +{ + return ossl_obj_find_sigid_algs(signid, pdig_nid, ppkey_nid, 1); +} + int OBJ_find_sigid_by_algs(int *psignid, 
int dig_nid, int pkey_nid) { nid_triple tmp; const nid_triple *t = &tmp; - const nid_triple **rv = NULL; + const nid_triple **rv; + int idx; + + if (dig_nid == NID_undef || pkey_nid == NID_undef) + return 0; tmp.hash_id = dig_nid; tmp.pkey_id = pkey_nid; - if (sigx_app) { - int idx = sk_nid_triple_find(sigx_app, &tmp); - if (idx >= 0) { - t = sk_nid_triple_value(sigx_app, idx); - rv = &t; - } - } -#ifndef OBJ_XREF_TEST2 + rv = OBJ_bsearch_sigx(&t, sigoid_srt_xref, OSSL_NELEM(sigoid_srt_xref)); if (rv == NULL) { - rv = OBJ_bsearch_sigx(&t, sigoid_srt_xref, OSSL_NELEM(sigoid_srt_xref)); + if (!obj_sig_init()) + return 0; + if (!CRYPTO_THREAD_read_lock(sig_lock)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_READ_LOCK); + return 0; + } + if (sigx_app != NULL) { + idx = sk_nid_triple_find(sigx_app, &tmp); + if (idx >= 0) { + t = sk_nid_triple_value(sigx_app, idx); + rv = &t; + } + } + CRYPTO_THREAD_unlock(sig_lock); + if (rv == NULL) + return 0; } -#endif - if (rv == NULL) - return 0; - if (psignid) + + if (psignid != NULL) *psignid = (*rv)->sign_id; return 1; } @@ -95,14 +139,14 @@ int OBJ_find_sigid_by_algs(int *psignid, int dig_nid, int pkey_nid) int OBJ_add_sigid(int signid, int dig_id, int pkey_id) { nid_triple *ntr; - if (sig_app == NULL) - sig_app = sk_nid_triple_new(sig_sk_cmp); - if (sig_app == NULL) + int dnid = NID_undef, pnid = NID_undef, ret = 0; + + if (signid == NID_undef || dig_id == NID_undef || pkey_id == NID_undef) return 0; - if (sigx_app == NULL) - sigx_app = sk_nid_triple_new(sigx_cmp); - if (sigx_app == NULL) + + if (!obj_sig_init()) return 0; + if ((ntr = OPENSSL_malloc(sizeof(*ntr))) == NULL) { ERR_raise(ERR_LIB_OBJ, ERR_R_MALLOC_FAILURE); return 0; 
@@ -111,18 +155,49 @@ int OBJ_add_sigid(int signid, int dig_id, int pkey_id) ntr->hash_id = dig_id; ntr->pkey_id = pkey_id; - if (!sk_nid_triple_push(sig_app, ntr)) { + if (!CRYPTO_THREAD_write_lock(sig_lock)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_WRITE_LOCK); OPENSSL_free(ntr); return 0; } - if (!sk_nid_triple_push(sigx_app, ntr)) - return 0; + /* Check that the entry doesn't exist or exists as desired */ + if (ossl_obj_find_sigid_algs(signid, &dnid, &pnid, 0)) { + ret = dnid == dig_id && pnid == pkey_id; + goto err; + } + + if (sig_app == NULL) { + sig_app = sk_nid_triple_new(sig_sk_cmp); + if (sig_app == NULL) + goto err; + } + if (sigx_app == NULL) { + sigx_app = sk_nid_triple_new(sigx_cmp); + if (sigx_app == NULL) + goto err; + } + + /* + * Better might be to find where to insert the element and insert it there. + * This would avoid the sorting steps below. + */ + if (!sk_nid_triple_push(sig_app, ntr)) + goto err; + if (!sk_nid_triple_push(sigx_app, ntr)) { + ntr = NULL; /* This is referenced by sig_app still */ + goto err; + } sk_nid_triple_sort(sig_app); sk_nid_triple_sort(sigx_app); - return 1; + ntr = NULL; + ret = 1; + err: + OPENSSL_free(ntr); + CRYPTO_THREAD_unlock(sig_lock); + return ret; } static void sid_free(nid_triple *tt) @@ -133,7 +208,9 @@ static void sid_free(nid_triple *tt) void OBJ_sigid_free(void) { sk_nid_triple_pop_free(sig_app, sid_free); - sig_app = NULL; sk_nid_triple_free(sigx_app); + CRYPTO_THREAD_lock_free(sig_lock); + sig_app = NULL; sigx_app = NULL; + sig_lock = NULL; } diff --git a/doc/man3/OBJ_nid2obj.pod b/doc/man3/OBJ_nid2obj.pod index 58fc94f6dd..2d16cc83cc 100644 --- a/doc/man3/OBJ_nid2obj.pod +++ b/doc/man3/OBJ_nid2obj.pod 
@@ -139,6 +139,8 @@ These functions cannot return B because an B can represent both an internal, constant, OID and a dynamically-created one. The latter cannot be constant because it needs to be freed after use. +These functions were not thread safe in OpenSSL 3.0 and before. + =head1 RETURN VALUES OBJ_nid2obj() returns an B structure or B is an @@ -181,10 +183,6 @@ Instead I must point to a valid buffer and I should be set to a positive value. A buffer length of 80 should be more than enough to handle any OID encountered in practice. -Neither OBJ_create() nor OBJ_add_sigid() do any locking and are thus not -thread safe. Moreover, none of the other functions should be called while -concurrent calls to these two functions are possible. - =head1 SEE ALSO L diff --git a/doc/man7/openssl-threads.pod b/doc/man7/openssl-threads.pod index 56cc638e1b..7f29a327ac 100644 --- a/doc/man7/openssl-threads.pod +++ b/doc/man7/openssl-threads.pod @@ -73,8 +73,8 @@ For implicit global state or singletons, thread-safety depends on the facility. The L and related API's have their own lock, while L assumes the underlying platform allocation will do any necessary locking. -Some API's, such as L and related, or L -do no locking at all; this can be considered a bug. +Some API's, such as L and related do no locking at all; +this can be considered a bug. A separate, although related, issue is modifying "factory" objects when other objects have been created from that. diff --git a/doc/man7/provider-base.pod b/doc/man7/provider-base.pod index d1e26baa11..5af35bf4dc 100644 --- a/doc/man7/provider-base.pod +++ b/doc/man7/provider-base.pod 
@@ -269,7 +269,6 @@ It will treat as success the case where the OID already exists (even if the short name I or long name I provided as arguments differ from those associated with the existing OID, in which case the new names are not associated). -This function is not thread safe. The core_obj_add_sigid() function registers a new composite signature algorithm (I) consisting of an underlying signature algorithm (I) @@ -283,7 +282,6 @@ to identify the object. It will treat as success the case where the composite signature algorithm already exists (even if registered against a different underlying signature or digest algorithm). It returns 1 on success or 0 on failure. -This function is not thread safe. CRYPTO_malloc(), CRYPTO_zalloc(), CRYPTO_memdup(), CRYPTO_strdup(), CRYPTO_strndup(), CRYPTO_free(), CRYPTO_clear_free(), @@ -613,6 +611,11 @@ or maximum. A -1 indicates that the group should not be used in that protocol. =back +=head1 NOTES + +The core_obj_create() and core_obj_add_sigid() functions were not thread safe +in OpenSSL 3.0. + =head1 EXAMPLES This is an example of a simple provider made available as a diff --git a/include/internal/tsan_assist.h b/include/internal/tsan_assist.h index f8285b1d85..c67c591e0e 100644 --- a/include/internal/tsan_assist.h +++ b/include/internal/tsan_assist.h @@ -56,8 +56,7 @@ # define TSAN_QUALIFIER _Atomic # define tsan_load(ptr) atomic_load_explicit((ptr), memory_order_relaxed) # define tsan_store(ptr, val) atomic_store_explicit((ptr), (val), memory_order_relaxed) -# define tsan_counter(ptr) atomic_fetch_add_explicit((ptr), 1, memory_order_relaxed) -# define tsan_decr(ptr) atomic_fetch_add_explicit((ptr), -1, memory_order_relaxed) +# define tsan_add(ptr, n) atomic_fetch_add_explicit((ptr), (n), memory_order_relaxed) # define tsan_ld_acq(ptr) atomic_load_explicit((ptr), memory_order_acquire) # define tsan_st_rel(ptr, val) atomic_store_explicit((ptr), (val), memory_order_release) # endif 
@@ -69,8 +68,7 @@ # define TSAN_QUALIFIER volatile # define tsan_load(ptr) __atomic_load_n((ptr), __ATOMIC_RELAXED) # define tsan_store(ptr, val) __atomic_store_n((ptr), (val), __ATOMIC_RELAXED) -# define tsan_counter(ptr) __atomic_fetch_add((ptr), 1, __ATOMIC_RELAXED) -# define tsan_decr(ptr) __atomic_fetch_add((ptr), -1, __ATOMIC_RELAXED) +# define tsan_add(ptr, n) __atomic_fetch_add((ptr), (n), __ATOMIC_RELAXED) # define tsan_ld_acq(ptr) __atomic_load_n((ptr), __ATOMIC_ACQUIRE) # define tsan_st_rel(ptr, val) __atomic_store_n((ptr), (val), __ATOMIC_RELEASE) # endif @@ -113,13 +111,10 @@ # pragma intrinsic(_InterlockedExchangeAdd) # ifdef _WIN64 # pragma intrinsic(_InterlockedExchangeAdd64) -# define tsan_counter(ptr) (sizeof(*(ptr)) == 8 ? _InterlockedExchangeAdd64((ptr), 1) \ - : _InterlockedExchangeAdd((ptr), 1)) -# define tsan_decr(ptr) (sizeof(*(ptr)) == 8 ? _InterlockedExchangeAdd64((ptr), -1) \ - : _InterlockedExchangeAdd((ptr), -1)) +# define tsan_add(ptr, n) (sizeof(*(ptr)) == 8 ? _InterlockedExchangeAdd64((ptr), (n)) \ + : _InterlockedExchangeAdd((ptr), (n))) # else -# define tsan_counter(ptr) _InterlockedExchangeAdd((ptr), 1) -# define tsan_decr(ptr) _InterlockedExchangeAdd((ptr), -1) +# define tsan_add(ptr, n) _InterlockedExchangeAdd((ptr), (n)) # endif # if !defined(_ISO_VOLATILE) # define tsan_ld_acq(ptr) (*(ptr)) @@ -133,8 +128,7 @@ # define TSAN_QUALIFIER volatile # define tsan_load(ptr) (*(ptr)) # define tsan_store(ptr, val) (*(ptr) = (val)) -# define tsan_counter(ptr) ((*(ptr))++) -# define tsan_decr(ptr) ((*(ptr))--) +# define tsan_add(ptr, n) (*(ptr) += (n)) /* * Lack of tsan_ld_acq and tsan_ld_rel means that compiler support is not * sophisticated enough to support them. Code that relies on them should be @@ -142,3 +136,7 @@ */ #endif + +#define tsan_counter(ptr) tsan_add((ptr), 1) +#define tsan_decr(ptr) tsan_add((ptr), -1) + diff --git a/test/threadstest.c b/test/threadstest.c index 3160d9e334..f689676c54 100644 --- a/test/threadstest.c 
+++ b/test/threadstest.c @@ -7,8 +7,13 @@ * https://www.openssl.org/source/license.html */ -/* test_multi below tests the thread safety of a deprecated function */ -#define OPENSSL_SUPPRESS_DEPRECATED +/* + * The test_multi_downgrade_shared_pkey function tests the thread safety of a + * deprecated function. + */ +#ifndef OPENSSL_NO_DEPRECATED_3_0 +# define OPENSSL_SUPPRESS_DEPRECATED +#endif #if defined(_WIN32) # include @@ -18,15 +23,39 @@ #include #include #include -#include +#include +#include "internal/tsan_assist.h" +#include "internal/nelem.h" #include "testutil.h" #include "threadstest.h" +/* Limit the maximum number of threads */ +#define MAXIMUM_THREADS 3 + +/* Limit the maximum number of providers loaded into a library context */ +#define MAXIMUM_PROVIDERS 4 + static int do_fips = 0; static char *privkey; static char *config_file = NULL; static int multidefault_run = 0; +static const char *default_provider[] = { "default", NULL }; +static const char *fips_provider[] = { "fips", NULL }; +static const char *fips_and_default_providers[] = { "default", "fips", NULL }; + +/* Grab a globally unique integer value */ +static int get_new_uid(void) +{ + /* + * Start with a nice large number to avoid potential conflicts when + * we generate a new OID. + */ + static TSAN_QUALIFIER int current_uid = 1 << (sizeof(int) * 8 - 2); + + return tsan_counter(¤t_uid); +} + static int test_lock(void) { CRYPTO_RWLOCK *lock = CRYPTO_THREAD_lock_new(); 
@@ -207,6 +236,94 @@ static int test_atomic(void) static OSSL_LIB_CTX *multi_libctx = NULL; static int multi_success; +static OSSL_PROVIDER *multi_provider[MAXIMUM_PROVIDERS + 1]; +static size_t multi_num_threads; +static thread_t multi_threads[MAXIMUM_THREADS]; + +static void multi_intialise(void) +{ + multi_success = 1; + multi_libctx = NULL; + multi_num_threads = 0; + memset(multi_threads, 0, sizeof(multi_threads)); + memset(multi_provider, 0, sizeof(multi_provider)); +} + +static void thead_teardown_libctx(void) +{ + OSSL_PROVIDER **p; + + for (p = multi_provider; *p != NULL; p++) + OSSL_PROVIDER_unload(*p); + OSSL_LIB_CTX_free(multi_libctx); + multi_intialise(); +} + +static int thread_setup_libctx(int libctx, const char *providers[]) +{ + size_t n; + + if (libctx && !TEST_true(test_get_libctx(&multi_libctx, NULL, config_file, + NULL, NULL))) + return 0; + + if (providers != NULL) + for (n = 0; providers[n] != NULL; n++) + if (!TEST_size_t_lt(n, MAXIMUM_PROVIDERS) + || !TEST_ptr(multi_provider[n] = OSSL_PROVIDER_load(multi_libctx, + providers[n]))) { + thead_teardown_libctx(); + return 0; + } + return 1; +} + +static int teardown_threads(void) +{ + size_t i; + + for (i = 0; i < multi_num_threads; i++) + if (!TEST_true(wait_for_thread(multi_threads[i]))) + return 0; + return 1; +} + +static int start_threads(size_t n, void (*thread_func)(void)) +{ + size_t i; + + if (!TEST_size_t_le(multi_num_threads + n, MAXIMUM_THREADS)) + return 0; + + for (i = 0 ; i < n; i++) + if (!TEST_true(run_thread(multi_threads + multi_num_threads++, thread_func))) + return 0; + return 1; +} + +/* Template multi-threaded test function */ +static int thread_run_test(void (*main_func)(void), + size_t num_threads, void (*thread_func)(void), + int libctx, const char *providers[]) +{ + int testresult = 0; + + multi_intialise(); + if (!thread_setup_libctx(libctx, providers) + || !start_threads(num_threads, thread_func)) + goto err; + + if (main_func != NULL) + main_func(); + + if 
(!teardown_threads() + || !TEST_true(multi_success)) + goto err; + testresult = 1; + err: + thead_teardown_libctx(); + return testresult; +} static void thread_general_worker(void) { @@ -334,21 +451,6 @@ static void thread_shared_evp_pkey(void) multi_success = 0; } -static void thread_downgrade_shared_evp_pkey(void) -{ -#ifndef OPENSSL_NO_DEPRECATED_3_0 - /* - * This test is only relevant for deprecated functions that perform - * downgrading - */ - if (EVP_PKEY_get0_RSA(shared_evp_pkey) == NULL) - multi_success = 0; -#else - /* Shouldn't ever get here */ - multi_success = 0; -#endif -} - static void thread_provider_load_unload(void) { OSSL_PROVIDER *deflt = OSSL_PROVIDER_load(multi_libctx, "default"); 
@@ -360,107 +462,99 @@ static void thread_provider_load_unload(void) OSSL_PROVIDER_unload(deflt); } -/* - * Do work in multiple worker threads at the same time. - * Test 0: General worker, using the default provider - * Test 1: General worker, using the fips provider - * Test 2: Simple fetch worker - * Test 3: Worker downgrading a shared EVP_PKEY - * Test 4: Worker using a shared EVP_PKEY - * Test 5: Worker loading and unloading a provider - */ -static int test_multi(int idx) +static int test_multi_general_worker_default_provider(void) { - thread_t thread1, thread2; - int testresult = 0; - OSSL_PROVIDER *prov = NULL, *prov2 = NULL; - void (*worker)(void) = NULL; - void (*worker2)(void) = NULL; - EVP_MD *sha256 = NULL; + return thread_run_test(&thread_general_worker, 2, &thread_general_worker, + 1, default_provider); +} - if (idx == 1 && !do_fips) +static int test_multi_general_worker_fips_provider(void) +{ + if (!do_fips) return TEST_skip("FIPS not supported"); + return thread_run_test(&thread_general_worker, 2, &thread_general_worker, + 1, fips_provider); +} -#ifdef OPENSSL_NO_DEPRECATED_3_0 - if (idx == 3) - return TEST_skip("Skipping tests for deprected functions"); -#endif +static int test_multi_fetch_worker(void) +{ + return thread_run_test(&thread_multi_simple_fetch, + 2, &thread_multi_simple_fetch, 1, default_provider); +} - multi_success = 1; - if (!TEST_true(test_get_libctx(&multi_libctx, NULL, config_file, - NULL, NULL))) - return 0; +static int test_multi_shared_pkey_common(void (*worker)(void)) +{ + int testresult = 0; - prov = OSSL_PROVIDER_load(multi_libctx, (idx == 1) ? "fips" : "default"); - if (!TEST_ptr(prov)) + multi_intialise(); + if (!thread_setup_libctx(1, do_fips ? 
fips_and_default_providers + : default_provider) + || !TEST_ptr(shared_evp_pkey = load_pkey_pem(privkey, multi_libctx)) + || !start_threads(1, &thread_shared_evp_pkey) + || !start_threads(1, worker)) goto err; - switch (idx) { - case 0: - case 1: - worker = thread_general_worker; - break; - case 2: - worker = thread_multi_simple_fetch; - break; - case 3: - worker2 = thread_downgrade_shared_evp_pkey; - /* fall through */ - case 4: - /* - * If available we have both the default and fips providers for this - * test - */ - if (do_fips - && !TEST_ptr(prov2 = OSSL_PROVIDER_load(multi_libctx, "fips"))) - goto err; - if (!TEST_ptr(shared_evp_pkey = load_pkey_pem(privkey, multi_libctx))) - goto err; - worker = thread_shared_evp_pkey; - break; - case 5: - /* - * We ensure we get an md from the default provider, and then unload the - * provider. This ensures the provider remains around but in a - * deactivated state. - */ - sha256 = EVP_MD_fetch(multi_libctx, "SHA2-256", NULL); - OSSL_PROVIDER_unload(prov); - prov = NULL; - worker = thread_provider_load_unload; - break; - default: - TEST_error("Invalid test index"); - goto err; - } - if (worker2 == NULL) - worker2 = worker; + thread_shared_evp_pkey(); - if (!TEST_true(run_thread(&thread1, worker)) - || !TEST_true(run_thread(&thread2, worker2))) + if (!teardown_threads() + || !TEST_true(multi_success)) goto err; - - worker(); - testresult = 1; + err: + EVP_PKEY_free(shared_evp_pkey); + thead_teardown_libctx(); + return testresult; +} + +#ifndef OPENSSL_NO_DEPRECATED_3_0 +static void thread_downgrade_shared_evp_pkey(void) +{ /* - * Don't combine these into one if statement; must wait for both threads. 
+ * This test is only relevant for deprecated functions that perform + * downgrading */ - if (!TEST_true(wait_for_thread(thread1))) - testresult = 0; - if (!TEST_true(wait_for_thread(thread2))) - testresult = 0; - if (!TEST_true(multi_success)) - testresult = 0; + if (EVP_PKEY_get0_RSA(shared_evp_pkey) == NULL) + multi_success = 0; +} + +static int test_multi_downgrade_shared_pkey(void) +{ + return test_multi_shared_pkey_common(&thread_downgrade_shared_evp_pkey); +} +#endif + +static int test_multi_shared_pkey(void) +{ + return test_multi_shared_pkey_common(&thread_shared_evp_pkey); +} + +static int test_multi_load_unload_provider(void) +{ + EVP_MD *sha256 = NULL; + OSSL_PROVIDER *prov = NULL; + int testresult = 0; + + multi_intialise(); + if (!thread_setup_libctx(1, NULL) + || !TEST_ptr(prov = OSSL_PROVIDER_load(multi_libctx, "default")) + || !TEST_ptr(sha256 = EVP_MD_fetch(multi_libctx, "SHA2-256", NULL)) + || !TEST_true(OSSL_PROVIDER_unload(prov))) + goto err; + prov = NULL; + + if (!start_threads(2, &thread_provider_load_unload)) + goto err; + thread_provider_load_unload(); + + if (!teardown_threads() + || !TEST_true(multi_success)) + goto err; + testresult = 1; err: - EVP_MD_free(sha256); OSSL_PROVIDER_unload(prov); - OSSL_PROVIDER_unload(prov2); - OSSL_LIB_CTX_free(multi_libctx); - EVP_PKEY_free(shared_evp_pkey); - shared_evp_pkey = NULL; - multi_libctx = NULL; + EVP_MD_free(sha256); + thead_teardown_libctx(); return testresult; } 
@@ -469,21 +563,17 @@ static int test_multi(int idx) * run with a thread sanitizer, should crash if the core provider code * doesn't synchronize well enough. */ -#define MULTI_LOAD_THREADS 3 static void test_multi_load_worker(void) { OSSL_PROVIDER *prov; - (void)TEST_ptr(prov = OSSL_PROVIDER_load(NULL, "default")); - (void)TEST_true(OSSL_PROVIDER_unload(prov)); + if (!TEST_ptr(prov = OSSL_PROVIDER_load(multi_libctx, "default")) + || !TEST_true(OSSL_PROVIDER_unload(prov))) + multi_success = 0; } static int test_multi_default(void) { - thread_t thread1, thread2; - int testresult = 0; - OSSL_PROVIDER *prov = NULL; - /* Avoid running this test twice */ if (multidefault_run) { TEST_skip("multi default test already run"); @@ -491,34 +581,13 @@ static int test_multi_default(void) } multidefault_run = 1; - multi_success = 1; - multi_libctx = NULL; - prov = OSSL_PROVIDER_load(multi_libctx, "default"); - if (!TEST_ptr(prov)) - goto err; - - if (!TEST_true(run_thread(&thread1, thread_multi_simple_fetch)) - || !TEST_true(run_thread(&thread2, thread_multi_simple_fetch))) - goto err; - - thread_multi_simple_fetch(); - - if (!TEST_true(wait_for_thread(thread1)) - || !TEST_true(wait_for_thread(thread2)) - || !TEST_true(multi_success)) - goto err; - - testresult = 1; - - err: - OSSL_PROVIDER_unload(prov); - return testresult; + return thread_run_test(&thread_multi_simple_fetch, + 2, &thread_multi_simple_fetch, 0, default_provider); } static int test_multi_load(void) { - thread_t threads[MULTI_LOAD_THREADS]; - int i, res = 1; + int res = 1; /* The multidefault test must run prior to this test */ if (!multidefault_run) { 
@@ -526,13 +595,28 @@ static int test_multi_load(void) res = test_multi_default(); } - for (i = 0; i < MULTI_LOAD_THREADS; i++) - (void)TEST_true(run_thread(&threads[i], test_multi_load_worker)); + return thread_run_test(NULL, 3, &test_multi_load_worker, 0, NULL) && res; +} - for (i = 0; i < MULTI_LOAD_THREADS; i++) - (void)TEST_true(wait_for_thread(threads[i])); +static void test_obj_create_one(void) +{ + char tids[12], oid[40], sn[30], ln[30]; + int id = get_new_uid(); + + BIO_snprintf(tids, sizeof(tids), "%d", id); + BIO_snprintf(oid, sizeof(oid), "1.3.6.1.4.1.16604.%s", tids); + BIO_snprintf(sn, sizeof(sn), "short-name-%s", tids); + BIO_snprintf(ln, sizeof(ln), "long-name-%s", tids); + if (!TEST_true(id = OBJ_create(oid, sn, ln)) + || !TEST_true(OBJ_add_sigid(id, NID_sha3_256, NID_rsa))) + multi_success = 0; +} - return res; +static int test_obj_add(void) +{ + return thread_run_test(&test_obj_create_one, + MAXIMUM_THREADS, &test_obj_create_one, + 1, default_provider); } typedef enum OPTION_choice { @@ -589,7 +673,15 @@ int setup_tests(void) ADD_TEST(test_thread_local); ADD_TEST(test_atomic); ADD_TEST(test_multi_load); - ADD_ALL_TESTS(test_multi, 6); + ADD_TEST(test_multi_general_worker_default_provider); + ADD_TEST(test_multi_general_worker_fips_provider); + ADD_TEST(test_multi_fetch_worker); + ADD_TEST(test_multi_shared_pkey); +#ifndef OPENSSL_NO_DEPRECATED_3_0 + ADD_TEST(test_multi_downgrade_shared_pkey); +#endif + ADD_TEST(test_multi_load_unload_provider); + ADD_TEST(test_obj_add); return 1; } From pauli at openssl.org Sun Sep 26 22:41:11 2021 
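Review bot: the lookup order in OBJ_find_sigid_by_algs() is reversed and nothing records why. The removed code searched sigx_app first and fell back to OBJ_bsearch_sigx() on sigoid_srt_xref; the new code searches sigoid_srt_xref first and takes sig_lock for sigx_app only on a miss. That keeps built-in lookups off the lock, but it also means an application-added triple with the same digest and key NIDs as a built-in entry is no longer the one returned. A short comment at the OBJ_bsearch_sigx() call and a line in the commit message stating that this is intended would help.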
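Review bot: in OBJ_add_sigid() the failure path of the second push leaves the two tables inconsistent. When sk_nid_triple_push(sigx_app, ntr) fails, ntr is already on sig_app, and the goto err skips both sk_nid_triple_sort() calls, so sig_app keeps an entry that sigx_app lacks and is left unsorted while the function returns 0. Suggest removing the entry from sig_app again on that path (and letting err free it) so a failed call leaves both stacks as they were.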
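Review bot: the fallback tsan_add(ptr, n) in include/internal/tsan_assist.h, defined as (*(ptr) += (n)), yields the new value, whereas the atomic_fetch_add_explicit, __atomic_fetch_add and _InterlockedExchangeAdd variants yield the previous value, as did the removed fallback ((*(ptr))++). tsan_counter() and tsan_decr() are now defined through tsan_add(), and get_new_uid() in test/threadstest.c returns the result of tsan_counter(), so the returned value differs by one depending on which branch is compiled. Suggest making the fallback return the old value, or documenting that the result of tsan_add() must not be relied on.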
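Review bot: the error paths of the new thread helpers in test/threadstest.c can free state that worker threads are still using. In thread_run_test() a start_threads() failure jumps to err, where thead_teardown_libctx() unloads the providers and frees multi_libctx without joining the threads that did start; test_multi_shared_pkey_common() and test_multi_load_unload_provider() follow the same pattern. teardown_threads() returns on the first wait_for_thread() failure and leaves the remaining threads unjoined, which the removed test_multi() avoided on purpose ("must wait for both threads"), and start_threads() increments multi_num_threads even when run_thread() fails. Suggest joining every started thread on all paths and counting a thread only after run_thread() succeeds. The helper names multi_intialise and thead_teardown_libctx are also misspelled.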
From: pauli at openssl.org (Dr. Paul Dale) Date: Sun, 26 Sep 2021 22:41:11 +0000 Subject: [openssl] master update Message-ID: <1632696071.176270.4063.nullmailer@dev.openssl.org> The branch master has been updated via a16ba5f37547eb6ef38a9e623e42b21b35ce47fb (commit) from 63d0f4d2b04ed334e534c9f6d0b18262161b0050 (commit) - Log ----------------------------------------------------------------- commit a16ba5f37547eb6ef38a9e623e42b21b35ce47fb Author: Pauli Date: Fri Sep 24 10:28:13 2021 +1000 ci: add additional operating system specific builds These are an attempt to cover off on older OS versions that the main CIs do not cover. Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/16669) ----------------------------------------------------------------------- Summary of changes: .github/workflows/os-zoo.yml | 66 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 .github/workflows/os-zoo.yml diff --git a/.github/workflows/os-zoo.yml b/.github/workflows/os-zoo.yml new file mode 100644 index 0000000000..659dd61ea8 --- /dev/null +++ b/.github/workflows/os-zoo.yml 
@@ -0,0 +1,66 @@ +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +name: OS Zoo CI + +on: + schedule: + - cron: '0 5 * * *' + +jobs: + unix: + strategy: + fail-fast: false + matrix: + os: [ + macos-10.15, + macos-11, + ubuntu-18.04, + ubuntu-20.04, + ] + runs-on: ${{ matrix.os }} + steps: + - uses: actions/checkout at v2 + - name: config + run: | + CC=${{ matrix.zoo.cc }} ./config --banner=Configured \ + -Wall -Werror --strict-warnings enable-fips + - name: config dump + run: ./configdata.pm --dump + - name: make + run: make -s -j4 + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + windows: + strategy: + fail-fast: false + matrix: + os: [ + windows-2016, + windows-2019, + #windows-2022, # Perl issues, doesn't finish configure step + ] + runs-on: ${{ matrix.os }} + steps: + - uses: actions/checkout at v2 + - uses: ilammy/msvc-dev-cmd at v1 + - uses: ilammy/setup-nasm at v1 + - name: prepare the build directory + run: mkdir _build + - name: config + working-directory: _build + run: | + perl ..\Configure --banner=Configured no-makedepend enable-fips + - name: config dump + working-directory: _build + run: ./configdata.pm --dump + - name: build + working-directory: _build + run: nmake /S + - name: test + working-directory: _build + run: nmake test VERBOSE_FAILURE=yes HARNESS_JOBS=4 From pauli at openssl.org Sun Sep 26 23:39:48 2021 
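Review bot: the config step of the unix job in .github/workflows/os-zoo.yml runs CC=${{ matrix.zoo.cc }}, but the matrix defines only os, so the expression expands to nothing and every entry is configured with CC set to an empty string. Either add a zoo entry carrying a cc value to the matrix or drop the CC= prefix. The workflow also triggers on schedule only, so a change to this file cannot be exercised before the next nightly run; a manual trigger such as workflow_dispatch would allow that.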
From: pauli at openssl.org (Dr. Paul Dale) Date: Sun, 26 Sep 2021 23:39:48 +0000 Subject: [openssl] master update Message-ID: <1632699588.907986.25293.nullmailer@dev.openssl.org> The branch master has been updated via 8b6a7da304d4fdd0de38ddd6037d8a02491e3e4e (commit) from a16ba5f37547eb6ef38a9e623e42b21b35ce47fb (commit) - Log ----------------------------------------------------------------- commit 8b6a7da304d4fdd0de38ddd6037d8a02491e3e4e Author: Tianjia Zhang Date: Fri Sep 24 16:55:03 2021 +0800 ssl: Correct filename in README Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16671) ----------------------------------------------------------------------- Summary of changes: ssl/statem/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/statem/README.md b/ssl/statem/README.md index ef33f77c82..ee49ed9863 100644 --- a/ssl/statem/README.md +++ b/ssl/statem/README.md @@ -56,7 +56,7 @@ Conceptually the state machine component is designed as follows: | | | | ____________V_______V________ ________V______V_______________ | | | | - | statem_both.c | | statem_dtls.c | + | statem_lib.c | | statem_dtls.c | | | | | | Non core functions common | | Non core functions common to | | to both servers and clients | | both DTLS servers and clients | From pauli at openssl.org Sun Sep 26 23:40:21 2021 
From: pauli at openssl.org (Dr. Paul Dale) Date: Sun, 26 Sep 2021 23:40:21 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1632699621.915526.26667.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via cc831835bf403c612de454d0fc2c065f5fbdfcde (commit) from 5b896265e7305f85f3b14283869393c255ab401e (commit) - Log ----------------------------------------------------------------- commit cc831835bf403c612de454d0fc2c065f5fbdfcde Author: Tianjia Zhang Date: Fri Sep 24 16:55:03 2021 +0800 ssl: Correct filename in README Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16671) (cherry picked from commit 8b6a7da304d4fdd0de38ddd6037d8a02491e3e4e) ----------------------------------------------------------------------- Summary of changes: ssl/statem/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/statem/README.md b/ssl/statem/README.md index ef33f77c82..ee49ed9863 100644 --- a/ssl/statem/README.md +++ b/ssl/statem/README.md @@ -56,7 +56,7 @@ Conceptually the state machine component is designed as follows: | | | | ____________V_______V________ ________V______V_______________ | | | | - | statem_both.c | | statem_dtls.c | + | statem_lib.c | | statem_dtls.c | | | | | | Non core functions common | | Non core functions common to | | to both servers and clients | | both DTLS servers and clients | From pauli at openssl.org Sun Sep 26 23:46:52 2021 
From: pauli at openssl.org (Dr. Paul Dale) Date: Sun, 26 Sep 2021 23:46:52 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1632700012.073652.30107.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via 5cd84a9db8446eacb688bab318c5476a45c41ec4 (commit) from 5402f96aba9dd3d0b3006b8b2651bd27d3cbf326 (commit) - Log ----------------------------------------------------------------- commit 5cd84a9db8446eacb688bab318c5476a45c41ec4 Author: Tianjia Zhang Date: Mon Sep 27 09:44:29 2021 +1000 ssl: Correct filename in README Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16671) ----------------------------------------------------------------------- Summary of changes: ssl/statem/README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/statem/README b/ssl/statem/README index 86cc066372..bafe33060c 100644 --- a/ssl/statem/README +++ b/ssl/statem/README @@ -55,7 +55,7 @@ Conceptually the state machine component is designed as follows: | | | | ____________V_______V________ ________V______V_______________ | | | | - | statem_both.c | | statem_dtls.c | + | statem_lib.c | | statem_dtls.c | | | | | | Non core functions common | | Non core functions common to | | to both servers and clients | | both DTLS servers and clients | From mark at openssl.org Mon Sep 27 12:24:22 2021 
From: mark at openssl.org (Mark J. Cox) Date: Mon, 27 Sep 2021 12:24:22 +0000 Subject: [web] master update Message-ID: <1632745462.551423.16100.nullmailer@dev.openssl.org> The branch master has been updated via 95646d33a713dd67de6aef668fb717aca07fa11a (commit) from 78a40cab4af1807c6530546557a93303b2505f40 (commit) - Log ----------------------------------------------------------------- commit 95646d33a713dd67de6aef668fb717aca07fa11a Author: Mark J. Cox Date: Mon Sep 27 13:15:14 2021 +0100 Add note of third party bug bounty program ----------------------------------------------------------------------- Summary of changes: community/index.html | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/community/index.html b/community/index.html index 72587ad..19e5397 100644 --- a/community/index.html +++ b/community/index.html @@ -62,9 +62,9 @@

    Please note that we do not run a Bug Bounty program, although third parties - may reward confirmed security issues reported in the OpenSSL codebase. We - do not consider - the lack of SPF records for openssl.org a security issue. + (such as the HackerOne Internet + Bug Bounty) + may reward correctly reported and confirmed security issues in the OpenSSL codebase.
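Review bot: the commit message does not cover the removal of the SPF statement in community/index.html. The deleted lines include "We do not consider the lack of SPF records for openssl.org a security issue" and none of the added lines restore it, while the message says only "Add note of third party bug bounty program". If dropping that statement is intended, say so in the message; otherwise keep the sentence after the new bug bounty wording.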

    From pauli at openssl.org Tue Sep 28 00:18:33 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 28 Sep 2021 00:18:33 +0000 Subject: [openssl] master update Message-ID: <1632788313.435163.5598.nullmailer@dev.openssl.org> The branch master has been updated via ce0502ce1246046f78dc1e2b26a2790eceedd8b1 (commit) from 8b6a7da304d4fdd0de38ddd6037d8a02491e3e4e (commit) - Log ----------------------------------------------------------------- commit ce0502ce1246046f78dc1e2b26a2790eceedd8b1 Author: Mattias Ellert Date: Sat Sep 25 04:55:24 2021 +0200 EVP_PKEY_keygen_init has no argument named pkey int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx); So it should not mention it in the man page description. Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16675) ----------------------------------------------------------------------- Summary of changes: doc/man3/EVP_PKEY_keygen.pod | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/man3/EVP_PKEY_keygen.pod b/doc/man3/EVP_PKEY_keygen.pod index f21314504e..87644cc5c3 100644 --- a/doc/man3/EVP_PKEY_keygen.pod +++ b/doc/man3/EVP_PKEY_keygen.pod @@ -51,8 +51,8 @@ key generation function itself. The key algorithm context must be created using L or variants thereof, see that manual for details. -EVP_PKEY_keygen_init() initializes a public key algorithm context using key -I for a key generation operation. +EVP_PKEY_keygen_init() initializes a public key algorithm context I +for a key generation operation. EVP_PKEY_paramgen_init() is similar to EVP_PKEY_keygen_init() except key parameters are generated. From pauli at openssl.org Tue Sep 28 00:18:55 2021 
From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 28 Sep 2021 00:18:55 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1632788335.375213.7112.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via cf87b6a4cd1f24f02d0038c8d1c232105973777e (commit) from cc831835bf403c612de454d0fc2c065f5fbdfcde (commit) - Log ----------------------------------------------------------------- commit cf87b6a4cd1f24f02d0038c8d1c232105973777e Author: Mattias Ellert Date: Sat Sep 25 04:55:24 2021 +0200 EVP_PKEY_keygen_init has no argument named pkey int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx); So it should not mention it in the man page description. Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16675) (cherry picked from commit ce0502ce1246046f78dc1e2b26a2790eceedd8b1) ----------------------------------------------------------------------- Summary of changes: doc/man3/EVP_PKEY_keygen.pod | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/man3/EVP_PKEY_keygen.pod b/doc/man3/EVP_PKEY_keygen.pod index f21314504e..87644cc5c3 100644 --- a/doc/man3/EVP_PKEY_keygen.pod +++ b/doc/man3/EVP_PKEY_keygen.pod @@ -51,8 +51,8 @@ key generation function itself. The key algorithm context must be created using L or variants thereof, see that manual for details. -EVP_PKEY_keygen_init() initializes a public key algorithm context using key -I for a key generation operation. +EVP_PKEY_keygen_init() initializes a public key algorithm context I +for a key generation operation. EVP_PKEY_paramgen_init() is similar to EVP_PKEY_keygen_init() except key parameters are generated. From pauli at openssl.org Tue Sep 28 01:06:19 2021 
From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 28 Sep 2021 01:06:19 +0000 Subject: [openssl] master update Message-ID: <1632791179.612705.23821.nullmailer@dev.openssl.org> The branch master has been updated via 29a84567fb859ee6ae7245115b0c347994b03012 (commit) from ce0502ce1246046f78dc1e2b26a2790eceedd8b1 (commit) - Log ----------------------------------------------------------------- commit 29a84567fb859ee6ae7245115b0c347994b03012 Author: Mattias Ellert Date: Sat Sep 25 04:57:57 2021 +0200 Fix variable name mis-match in example code Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16676) ----------------------------------------------------------------------- Summary of changes: doc/man7/EVP_PKEY-DH.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man7/EVP_PKEY-DH.pod b/doc/man7/EVP_PKEY-DH.pod index 2c90982d07..cd34d323ee 100644 --- a/doc/man7/EVP_PKEY-DH.pod +++ b/doc/man7/EVP_PKEY-DH.pod @@ -156,7 +156,7 @@ A B key can be generated with a named safe prime group by calling: EVP_PKEY_CTX_set_params(pctx, params); EVP_PKEY_generate(pctx, &pkey); ... - EVP_PKEY_free(key); + EVP_PKEY_free(pkey); EVP_PKEY_CTX_free(pctx); B domain parameters can be generated according to B by calling: From pauli at openssl.org Tue Sep 28 01:06:44 2021 
From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 28 Sep 2021 01:06:44 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1632791204.306675.25291.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via a9b79031205f96c7f163ae445c1985bbb3f883a3 (commit) from cf87b6a4cd1f24f02d0038c8d1c232105973777e (commit) - Log ----------------------------------------------------------------- commit a9b79031205f96c7f163ae445c1985bbb3f883a3 Author: Mattias Ellert Date: Sat Sep 25 04:57:57 2021 +0200 Fix variable name mis-match in example code Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16676) (cherry picked from commit 29a84567fb859ee6ae7245115b0c347994b03012) ----------------------------------------------------------------------- Summary of changes: doc/man7/EVP_PKEY-DH.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/man7/EVP_PKEY-DH.pod b/doc/man7/EVP_PKEY-DH.pod index 2c90982d07..cd34d323ee 100644 --- a/doc/man7/EVP_PKEY-DH.pod +++ b/doc/man7/EVP_PKEY-DH.pod @@ -156,7 +156,7 @@ A B key can be generated with a named safe prime group by calling: EVP_PKEY_CTX_set_params(pctx, params); EVP_PKEY_generate(pctx, &pkey); ... - EVP_PKEY_free(key); + EVP_PKEY_free(pkey); EVP_PKEY_CTX_free(pctx); B domain parameters can be generated according to B by calling: From nic.tuv at gmail.com Tue Sep 28 06:21:12 2021 
From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Tue, 28 Sep 2021 06:21:12 +0000 Subject: [openssl] master update Message-ID: <1632810072.161158.28989.nullmailer@dev.openssl.org> The branch master has been updated via 8ba65c35ea3af347c3b2adc8e665066b541a1c35 (commit) from 29a84567fb859ee6ae7245115b0c347994b03012 (commit) - Log ----------------------------------------------------------------- commit 8ba65c35ea3af347c3b2adc8e665066b541a1c35 Author: Mingjun.Yang Date: Mon Sep 6 15:30:19 2021 +0800 Add sm2 encryption test case from GM/T 0003.5-2012 Reviewed-by: Nicola Tuveri Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16511) ----------------------------------------------------------------------- Summary of changes: test/sm2_internal_test.c | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/test/sm2_internal_test.c b/test/sm2_internal_test.c index 22d23b6c5c..4899d5e213 100644 --- a/test/sm2_internal_test.c +++ b/test/sm2_internal_test.c @@ -209,6 +209,7 @@ static int test_sm2_crypt(const EC_GROUP *group, static int sm2_crypt_test(void) { int testresult = 0; + EC_GROUP *gm_group = NULL; EC_GROUP *test_group = create_EC_group ("8542D69E4C044F18E8B92435BF6FF7DE457283915C45517D722EDB8B08F1DFC3", 
@@ -251,9 +252,49 @@ static int sm2_crypt_test(void) "88E3C5AAFC0413229E6C9AEE2BB92CAD649FE2C035689785DA33")) goto done; + /* From Annex C in both GM/T0003.5-2012 and GB/T 32918.5-2016.*/ + gm_group = create_EC_group( + "fffffffeffffffffffffffffffffffffffffffff00000000ffffffffffffffff", + "fffffffeffffffffffffffffffffffffffffffff00000000fffffffffffffffc", + "28e9fa9e9d9f5e344d5a9e4bcf6509a7f39789f515ab8f92ddbcbd414d940e93", + "32c4ae2c1f1981195f9904466a39c9948fe30bbff2660be1715a4589334c74c7", + "bc3736a2f4f6779c59bdcee36b692153d0a9877cc62a474002df32e52139f0a0", + "fffffffeffffffffffffffffffffffff7203df6b21c6052b53bbf40939d54123", + "1"); + + if (!TEST_ptr(gm_group)) + goto done; + + if (!test_sm2_crypt( + gm_group, + EVP_sm3(), + /* privkey (from which the encrypting public key is derived) */ + "3945208F7B2144B13F36E38AC6D39F95889393692860B51A42FB81EF4DF7C5B8", + /* plaintext message */ + "encryption standard", + /* ephemeral nonce k */ + "59276E27D506861A16680F3AD9C02DCCEF3CC1FA3CDBE4CE6D54B80DEAC1BC21", + /* + * expected ciphertext, the field values are from GM/T 0003.5-2012 + * (Annex C), but serialized following the ASN.1 format specified + * in GM/T 0009-2012 (Sec. 7.2). + */ + "307C" /* SEQUENCE, 0x7c bytes */ + "0220" /* INTEGER, 0x20 bytes */ + "04EBFC718E8D1798620432268E77FEB6415E2EDE0E073C0F4F640ECD2E149A73" + "0221" /* INTEGER, 0x21 bytes */ + "00" /* leading 00 due to DER for pos. int with topmost bit set */ + "E858F9D81E5430A57B36DAAB8F950A3C64E6EE6A63094D99283AFF767E124DF0" + "0420" /* OCTET STRING, 0x20 bytes */ + "59983C18F809E262923C53AEC295D30383B54E39D609D160AFCB1908D0BD8766" + "0413" /* OCTET STRING, 0x13 bytes */ + "21886CA989CA9C7D58087307CA93092D651EFA")) + goto done; + testresult = 1; done: EC_GROUP_free(test_group); + EC_GROUP_free(gm_group); return testresult; } From nic.tuv at gmail.com Tue Sep 28 06:25:23 2021 
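Review bot: in the second hunk of test/sm2_internal_test.c the leading comment writes `GM/T0003.5-2012` and ends `2016.*/`, while the inner comment and the commit title write `GM/T 0003.5-2012`, and the group parameters are lowercase hex where the private key, nonce and ciphertext are uppercase. Suggest one spelling of the standard, a space before `*/`, and a single hex case. The DER framing in the expected ciphertext is consistent: the four elements (lengths 0x20, 0x21, 0x20 and 0x13, each with a two-byte header) sum to the 0x7c declared for the SEQUENCE, and 0x13 matches the 19-byte plaintext "encryption standard".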
From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Tue, 28 Sep 2021 06:25:23 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1632810323.142351.32318.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 09f24c909cb717f40ebb4a6de2699aa971dcc15d (commit) from a9b79031205f96c7f163ae445c1985bbb3f883a3 (commit) - Log ----------------------------------------------------------------- commit 09f24c909cb717f40ebb4a6de2699aa971dcc15d Author: Mingjun.Yang Date: Mon Sep 6 15:30:19 2021 +0800 Add sm2 encryption test case from GM/T 0003.5-2012 Reviewed-by: Nicola Tuveri Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16511) (cherry picked from commit 8ba65c35ea3af347c3b2adc8e665066b541a1c35) ----------------------------------------------------------------------- Summary of changes: test/sm2_internal_test.c | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/test/sm2_internal_test.c b/test/sm2_internal_test.c index 22d23b6c5c..4899d5e213 100644 --- a/test/sm2_internal_test.c +++ b/test/sm2_internal_test.c @@ -209,6 +209,7 @@ static int test_sm2_crypt(const EC_GROUP *group, static int sm2_crypt_test(void) { int testresult = 0; + EC_GROUP *gm_group = NULL; EC_GROUP *test_group = create_EC_group ("8542D69E4C044F18E8B92435BF6FF7DE457283915C45517D722EDB8B08F1DFC3", 
@@ -251,9 +252,49 @@ static int sm2_crypt_test(void) "88E3C5AAFC0413229E6C9AEE2BB92CAD649FE2C035689785DA33")) goto done; + /* From Annex C in both GM/T0003.5-2012 and GB/T 32918.5-2016.*/ + gm_group = create_EC_group( + "fffffffeffffffffffffffffffffffffffffffff00000000ffffffffffffffff", + "fffffffeffffffffffffffffffffffffffffffff00000000fffffffffffffffc", + "28e9fa9e9d9f5e344d5a9e4bcf6509a7f39789f515ab8f92ddbcbd414d940e93", + "32c4ae2c1f1981195f9904466a39c9948fe30bbff2660be1715a4589334c74c7", + "bc3736a2f4f6779c59bdcee36b692153d0a9877cc62a474002df32e52139f0a0", + "fffffffeffffffffffffffffffffffff7203df6b21c6052b53bbf40939d54123", + "1"); + + if (!TEST_ptr(gm_group)) + goto done; + + if (!test_sm2_crypt( + gm_group, + EVP_sm3(), + /* privkey (from which the encrypting public key is derived) */ + "3945208F7B2144B13F36E38AC6D39F95889393692860B51A42FB81EF4DF7C5B8", + /* plaintext message */ + "encryption standard", + /* ephemeral nonce k */ + "59276E27D506861A16680F3AD9C02DCCEF3CC1FA3CDBE4CE6D54B80DEAC1BC21", + /* + * expected ciphertext, the field values are from GM/T 0003.5-2012 + * (Annex C), but serialized following the ASN.1 format specified + * in GM/T 0009-2012 (Sec. 7.2). + */ + "307C" /* SEQUENCE, 0x7c bytes */ + "0220" /* INTEGER, 0x20 bytes */ + "04EBFC718E8D1798620432268E77FEB6415E2EDE0E073C0F4F640ECD2E149A73" + "0221" /* INTEGER, 0x21 bytes */ + "00" /* leading 00 due to DER for pos. int with topmost bit set */ + "E858F9D81E5430A57B36DAAB8F950A3C64E6EE6A63094D99283AFF767E124DF0" + "0420" /* OCTET STRING, 0x20 bytes */ + "59983C18F809E262923C53AEC295D30383B54E39D609D160AFCB1908D0BD8766" + "0413" /* OCTET STRING, 0x13 bytes */ + "21886CA989CA9C7D58087307CA93092D651EFA")) + goto done; + testresult = 1; done: EC_GROUP_free(test_group); + EC_GROUP_free(gm_group); return testresult; } From pauli at openssl.org Tue Sep 28 08:10:19 2021 
From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 28 Sep 2021 08:10:19 +0000 Subject: [openssl] master update Message-ID: <1632816619.508952.31725.nullmailer@dev.openssl.org> The branch master has been updated via 2d34e5b2ecf6a5db982c53bb56c62249b7791051 (commit) via c8ffd2201b8685e149dd3244d6772339263d4a17 (commit) via 5fae7b432e3e2e14916bdcd1ad0fe594a27628c6 (commit) via 4eb27149f066d567393771986f01267707982a7e (commit) via 4667b0f0731a8bb8d6236ea18b8c0591016f53d7 (commit) via fc9eda53bcf7d41c8159b7161c663db86dda5481 (commit) via 1ffac6ca174d25a61f2e1e70dd0fd1eb7eaacbf5 (commit) via 722fe8edf224ecc0921481b47fdd06a54d82e4ff (commit) from 8ba65c35ea3af347c3b2adc8e665066b541a1c35 (commit) - Log ----------------------------------------------------------------- commit 2d34e5b2ecf6a5db982c53bb56c62249b7791051 Author: Pauli Date: Mon Sep 27 09:20:20 2021 +1000 test: add some PVK KDF unit test cases These cases were generated using OpenSSL. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15968) commit c8ffd2201b8685e149dd3244d6772339263d4a17 Author: Pauli Date: Mon Sep 27 09:06:01 2021 +1000 changes: note that PVK KDF has moved to the legacy provider Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15968) commit 5fae7b432e3e2e14916bdcd1ad0fe594a27628c6 Author: Pauli Date: Mon Sep 27 09:05:32 2021 +1000 doc: note that these KDFs require the legacy provider to be available Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15968) commit 4eb27149f066d567393771986f01267707982a7e Author: Pauli Date: Thu Jul 1 14:48:49 2021 +1000 doc: include PVK KDFdocumentation in build.info Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15968) commit 4667b0f0731a8bb8d6236ea18b8c0591016f53d7 Author: Pauli Date: Thu Jul 1 14:40:44 2021 +1000 include PVK KDF in legacy provider algorithm list Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15968) 
commit fc9eda53bcf7d41c8159b7161c663db86dda5481 Author: Pauli Date: Thu Jul 1 14:40:27 2021 +1000 doc: add page for PVK KDF Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15968) commit 1ffac6ca174d25a61f2e1e70dd0fd1eb7eaacbf5 Author: Pauli Date: Thu Jul 1 14:11:17 2021 +1000 pvk: use PVK KDF Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15968) commit 722fe8edf224ecc0921481b47fdd06a54d82e4ff Author: Pauli Date: Thu Jul 1 14:10:04 2021 +1000 kdf: Add PVK KDF to providers. Add PIN Verification Key key derevation function to providers. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15968) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 6 + crypto/pem/pvkfmt.c | 45 ++-- doc/build.info | 6 + doc/man7/EVP_KDF-PBKDF1.pod | 5 +- .../{EVP_KDF-PBKDF1.pod => EVP_KDF-PVKKDF.pod} | 29 +-- doc/man7/OSSL_PROVIDER-legacy.pod | 2 + .../implementations/include/prov/implementations.h | 1 + providers/implementations/include/prov/names.h | 1 + providers/implementations/kdfs/build.info | 3 + providers/implementations/kdfs/pvkkdf.c | 227 +++++++++++++++++++++ providers/legacyprov.c | 1 + test/recipes/30-test_evp_data/evpkdf_pvkkdf.txt | 36 ++++ 12 files changed, 322 insertions(+), 40 deletions(-) copy doc/man7/{EVP_KDF-PBKDF1.pod => EVP_KDF-PVKKDF.pod} (59%) create mode 100644 providers/implementations/kdfs/pvkkdf.c create mode 100644 test/recipes/30-test_evp_data/evpkdf_pvkkdf.txt diff --git a/CHANGES.md b/CHANGES.md index dc3008f814..c14bec916d 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -24,6 +24,12 @@ OpenSSL 3.1 ### Changes between 3.0 and 3.1 [xx XXX xxxx] + * The PVK key derivation function has been moved from b2i_PVK_bio_ex() into + the legacy crypto provider as an EVP_KDF. Applications requiring this KDF + will need to load the legacy crypto provider. + + *Paul Dale* + * The various OBJ_* functions have been made thread safe. *Paul Dale* diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c index 11ac0a7c40..6f5207abd1 100644 --- a/crypto/pem/pvkfmt.c +++ b/crypto/pem/pvkfmt.c @@ -23,6 +23,8 @@ #include #include #include +#include +#include #include "internal/cryptlib.h" #include "crypto/pem.h" #include "crypto/evp.h" 
@@ -790,29 +792,34 @@ int ossl_do_PVK_header(const unsigned char **in, unsigned int length, } #ifndef OPENSSL_NO_RC4 -static int derive_pvk_key(unsigned char *key, +static int derive_pvk_key(unsigned char *key, size_t keylen, const unsigned char *salt, unsigned int saltlen, const unsigned char *pass, int passlen, OSSL_LIB_CTX *libctx, const char *propq) { - EVP_MD_CTX *mctx = EVP_MD_CTX_new(); - int rv = 0; - EVP_MD *sha1 = NULL; + EVP_KDF *kdf; + EVP_KDF_CTX *ctx; + OSSL_PARAM params[5], *p = params; + int rv; - if ((sha1 = EVP_MD_fetch(libctx, SN_sha1, propq)) == NULL) - goto err; - - if (mctx == NULL - || !EVP_DigestInit_ex(mctx, sha1, NULL) - || !EVP_DigestUpdate(mctx, salt, saltlen) - || !EVP_DigestUpdate(mctx, pass, passlen) - || !EVP_DigestFinal_ex(mctx, key, NULL)) - goto err; + if ((kdf = EVP_KDF_fetch(libctx, "PVKKDF", propq)) == NULL) + return 0; + ctx = EVP_KDF_CTX_new(kdf); + EVP_KDF_free(kdf); + if (ctx == NULL) + return 0; - rv = 1; -err: - EVP_MD_CTX_free(mctx); - EVP_MD_free(sha1); + *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, + (void *)salt, saltlen); + *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD, + (void *)pass, passlen); + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, SN_sha1, 0); + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_PROPERTIES, + (char *)propq, 0); + *p = OSSL_PARAM_construct_end(); + + rv = EVP_KDF_derive(ctx, key, keylen, params); + EVP_KDF_CTX_free(ctx); return rv; } #endif @@ -852,7 +859,7 @@ static void *do_PVK_body_key(const unsigned char **in, ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE); goto err; } - if (!derive_pvk_key(keybuf, p, saltlen, + if (!derive_pvk_key(keybuf, sizeof(keybuf), p, saltlen, (unsigned char *)psbuf, inlen, libctx, propq)) goto err; p += saltlen; 
@@ -1058,7 +1065,7 @@ static int i2b_PVK(unsigned char **out, const EVP_PKEY *pk, int enclevel, ERR_raise(ERR_LIB_PEM, PEM_R_BAD_PASSWORD_READ); goto error; } - if (!derive_pvk_key(keybuf, salt, PVK_SALTLEN, + if (!derive_pvk_key(keybuf, sizeof(keybuf), salt, PVK_SALTLEN, (unsigned char *)psbuf, inlen, libctx, propq)) goto error; if ((rc4 = EVP_CIPHER_fetch(libctx, "RC4", propq)) == NULL) diff --git a/doc/build.info b/doc/build.info index fcf2c1cacf..5f446e3868 100644 --- a/doc/build.info +++ b/doc/build.info @@ -4119,6 +4119,10 @@ DEPEND[html/man7/EVP_KDF-PKCS12KDF.html]=man7/EVP_KDF-PKCS12KDF.pod GENERATE[html/man7/EVP_KDF-PKCS12KDF.html]=man7/EVP_KDF-PKCS12KDF.pod DEPEND[man/man7/EVP_KDF-PKCS12KDF.7]=man7/EVP_KDF-PKCS12KDF.pod GENERATE[man/man7/EVP_KDF-PKCS12KDF.7]=man7/EVP_KDF-PKCS12KDF.pod +DEPEND[html/man7/EVP_KDF-PVKKDF.html]=man7/EVP_KDF-PVKKDF.pod +GENERATE[html/man7/EVP_KDF-PVKKDF.html]=man7/EVP_KDF-PVKKDF.pod +DEPEND[man/man7/EVP_KDF-PVKKDF.7]=man7/EVP_KDF-PVKKDF.pod +GENERATE[man/man7/EVP_KDF-PVKKDF.7]=man7/EVP_KDF-PVKKDF.pod DEPEND[html/man7/EVP_KDF-SCRYPT.html]=man7/EVP_KDF-SCRYPT.pod GENERATE[html/man7/EVP_KDF-SCRYPT.html]=man7/EVP_KDF-SCRYPT.pod DEPEND[man/man7/EVP_KDF-SCRYPT.7]=man7/EVP_KDF-SCRYPT.pod @@ -4563,6 +4567,7 @@ html/man7/EVP_KDF-KRB5KDF.html \ html/man7/EVP_KDF-PBKDF1.html \ html/man7/EVP_KDF-PBKDF2.html \ html/man7/EVP_KDF-PKCS12KDF.html \ +html/man7/EVP_KDF-PVKKDF.html \ html/man7/EVP_KDF-SCRYPT.html \ html/man7/EVP_KDF-SS.html \ html/man7/EVP_KDF-SSHKDF.html \ @@ -4687,6 +4692,7 @@ man/man7/EVP_KDF-KRB5KDF.7 \ man/man7/EVP_KDF-PBKDF1.7 \ man/man7/EVP_KDF-PBKDF2.7 \ man/man7/EVP_KDF-PKCS12KDF.7 \ +man/man7/EVP_KDF-PVKKDF.7 \ man/man7/EVP_KDF-SCRYPT.7 \ man/man7/EVP_KDF-SS.7 \ man/man7/EVP_KDF-SSHKDF.7 \ diff --git a/doc/man7/EVP_KDF-PBKDF1.pod b/doc/man7/EVP_KDF-PBKDF1.pod index ae13765211..0d24325cd9 100644 --- a/doc/man7/EVP_KDF-PBKDF1.pod +++ b/doc/man7/EVP_KDF-PBKDF1.pod 
@@ -53,6 +53,8 @@ of candidate passwords. No assumption is made regarding the given password; it is simply treated as a byte sequence. +The legacy provider needs to be available in order to access this algorithm. + =head1 CONFORMING TO RFC 8018 @@ -64,7 +66,8 @@ L, L, L, L, -L +L, +L =head1 HISTORY diff --git a/doc/man7/EVP_KDF-PBKDF1.pod b/doc/man7/EVP_KDF-PVKKDF.pod similarity index 59% copy from doc/man7/EVP_KDF-PBKDF1.pod copy to doc/man7/EVP_KDF-PVKKDF.pod index ae13765211..08aff0c9e7 100644 --- a/doc/man7/EVP_KDF-PBKDF1.pod +++ b/doc/man7/EVP_KDF-PVKKDF.pod @@ -2,20 +2,19 @@ =head1 NAME -EVP_KDF-PBKDF1 - The PBKDF1 EVP_KDF implementation +EVP_KDF-PVKKDF - The PVK EVP_KDF implementation =head1 DESCRIPTION -Support for computing the B password-based KDF through the B +Support for computing the B PIN-based KDF through the B API. -The EVP_KDF-PBKDF1 algorithm implements the PBKDF1 password-based key -derivation function, as described in RFC 8018; it derives a key from a password -using a salt and iteration count. +The EVP_KDF-PVKKDF algorithm implements a PVK PIN-based key +derivation function; it derives a key from a password using a salt. =head2 Identity -"PBKDF1" is the name for this implementation; it +"PVKKDF" is the name for this implementation; it can be used with the EVP_KDF_fetch() function. =head2 Supported parameters @@ -28,10 +27,6 @@ The supported parameters are: =item "salt" (B) -=item "iter" (B) - -This parameter has a default value of 0 and should be set. - =item "properties" (B) =item "digest" (B) 
@@ -43,19 +38,12 @@ These parameters work as described in L. =head1 NOTES A typical application of this algorithm is to derive keying material for an -encryption algorithm from a password in the "pass", a salt in "salt", -and an iteration count. - -Increasing the "iter" parameter slows down the algorithm which makes it -harder for an attacker to perform a brute force attack using a large number -of candidate passwords. +encryption algorithm from a password in the "pass" and a salt in "salt". No assumption is made regarding the given password; it is simply treated as a byte sequence. -=head1 CONFORMING TO - -RFC 8018 +The legacy provider needs to be available in order to access this algorithm. =head1 SEE ALSO @@ -64,7 +52,8 @@ L, L, L, L, -L +L, +L =head1 HISTORY diff --git a/doc/man7/OSSL_PROVIDER-legacy.pod b/doc/man7/OSSL_PROVIDER-legacy.pod index d2fdfe3676..5724996fdc 100644 --- a/doc/man7/OSSL_PROVIDER-legacy.pod +++ b/doc/man7/OSSL_PROVIDER-legacy.pod @@ -87,6 +87,8 @@ Disabled by default. Use I config option to enable. =item PBKDF1 +=item PVKKDF + =back =begin comment diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h index e2573ebb4a..66817fa104 100644 --- a/providers/implementations/include/prov/implementations.h +++ b/providers/implementations/include/prov/implementations.h @@ -258,6 +258,7 @@ extern const OSSL_DISPATCH ossl_poly1305_functions[]; /* KDFs / PRFs */ extern const OSSL_DISPATCH ossl_kdf_pbkdf1_functions[]; extern const OSSL_DISPATCH ossl_kdf_pbkdf2_functions[]; +extern const OSSL_DISPATCH ossl_kdf_pvk_functions[]; extern const OSSL_DISPATCH ossl_kdf_pkcs12_functions[]; #ifndef OPENSSL_NO_SCRYPT extern const OSSL_DISPATCH ossl_kdf_scrypt_functions[]; diff --git a/providers/implementations/include/prov/names.h b/providers/implementations/include/prov/names.h index 1509598ffc..62aa7bd725 100644 --- a/providers/implementations/include/prov/names.h 
+++ b/providers/implementations/include/prov/names.h @@ -261,6 +261,7 @@ #define PROV_NAMES_SSKDF "SSKDF" #define PROV_NAMES_PBKDF1 "PBKDF1" #define PROV_NAMES_PBKDF2 "PBKDF2:1.2.840.113549.1.5.12" +#define PROV_NAMES_PVKKDF "PVKKDF" #define PROV_NAMES_SSHKDF "SSHKDF" #define PROV_NAMES_X963KDF "X963KDF:X942KDF-CONCAT" #define PROV_NAMES_X942KDF_ASN1 "X942KDF-ASN1:X942KDF" diff --git a/providers/implementations/kdfs/build.info b/providers/implementations/kdfs/build.info index f4620adce2..ddc3eabca2 100644 --- a/providers/implementations/kdfs/build.info +++ b/providers/implementations/kdfs/build.info @@ -7,6 +7,7 @@ $KBKDF_GOAL=../../libdefault.a ../../libfips.a $KRB5KDF_GOAL=../../libdefault.a $PBKDF1_GOAL=../../liblegacy.a $PBKDF2_GOAL=../../libdefault.a ../../libfips.a +$PVKKDF_GOAL=../../liblegacy.a $PKCS12KDF_GOAL=../../libdefault.a $SSKDF_GOAL=../../libdefault.a ../../libfips.a $SCRYPT_GOAL=../../libdefault.a @@ -28,6 +29,8 @@ SOURCE[$PBKDF2_GOAL]=pbkdf2.c # When the PBKDF2 moves to legacy, this can be removed. SOURCE[$PBKDF2_GOAL]=pbkdf2_fips.c +SOURCE[$PBKDF1_GOAL]=pvkkdf.c + SOURCE[$PKCS12KDF_GOAL]=pkcs12kdf.c SOURCE[$SSKDF_GOAL]=sskdf.c diff --git a/providers/implementations/kdfs/pvkkdf.c b/providers/implementations/kdfs/pvkkdf.c new file mode 100644 index 0000000000..2dad6309b9 --- /dev/null +++ b/providers/implementations/kdfs/pvkkdf.c 
@@ -0,0 +1,227 @@ +/* + * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include "prov/provider_ctx.h" +#include "prov/providercommon.h" +#include "prov/implementations.h" +#include "prov/provider_util.h" + +static OSSL_FUNC_kdf_newctx_fn kdf_pvk_new; +static OSSL_FUNC_kdf_freectx_fn kdf_pvk_free; +static OSSL_FUNC_kdf_reset_fn kdf_pvk_reset; +static OSSL_FUNC_kdf_derive_fn kdf_pvk_derive; +static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_pvk_settable_ctx_params; +static OSSL_FUNC_kdf_set_ctx_params_fn kdf_pvk_set_ctx_params; +static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_pvk_gettable_ctx_params; +static OSSL_FUNC_kdf_get_ctx_params_fn kdf_pvk_get_ctx_params; + +typedef struct { + void *provctx; + unsigned char *pass; + size_t pass_len; + unsigned char *salt; + size_t salt_len; + PROV_DIGEST digest; +} KDF_PVK; + +static void kdf_pvk_init(KDF_PVK *ctx); + +static void *kdf_pvk_new(void *provctx) +{ + KDF_PVK *ctx; + + if (!ossl_prov_is_running()) + return NULL; + + ctx = OPENSSL_zalloc(sizeof(*ctx)); + if (ctx == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); + return NULL; + } + ctx->provctx = provctx; + kdf_pvk_init(ctx); + return ctx; +} + +static void kdf_pvk_cleanup(KDF_PVK *ctx) +{ + ossl_prov_digest_reset(&ctx->digest); + OPENSSL_free(ctx->salt); + OPENSSL_clear_free(ctx->pass, ctx->pass_len); + OPENSSL_cleanse(ctx, sizeof(*ctx)); +} + +static void kdf_pvk_free(void *vctx) +{ + KDF_PVK *ctx = (KDF_PVK *)vctx; + + if (ctx != NULL) { + kdf_pvk_cleanup(ctx); + OPENSSL_free(ctx); + } +} + +static void kdf_pvk_reset(void *vctx) +{ + KDF_PVK *ctx = (KDF_PVK *)vctx; + void *provctx = ctx->provctx; + + kdf_pvk_cleanup(ctx); + 
ctx->provctx = provctx; + kdf_pvk_init(ctx); +} + +static void kdf_pvk_init(KDF_PVK *ctx) +{ + OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; + OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(ctx->provctx); + + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, + SN_sha1, 0); + if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx)) + /* This is an error, but there is no way to indicate such directly */ + ossl_prov_digest_reset(&ctx->digest); +} + +static int pvk_set_membuf(unsigned char **buffer, size_t *buflen, + const OSSL_PARAM *p) +{ + OPENSSL_clear_free(*buffer, *buflen); + if (p->data_size == 0) { + if ((*buffer = OPENSSL_malloc(1)) == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); + return 0; + } + } else if (p->data != NULL) { + *buffer = NULL; + if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen)) + return 0; + } + return 1; +} + +static int kdf_pvk_derive(void *vctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) +{ + KDF_PVK *ctx = (KDF_PVK *)vctx; + const EVP_MD *md; + EVP_MD_CTX *mctx; + int res; + + if (!ossl_prov_is_running() || !kdf_pvk_set_ctx_params(ctx, params)) + return 0; + + if (ctx->pass == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS); + return 0; + } + + if (ctx->salt == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_SALT); + return 0; + } + + md = ossl_prov_digest_md(&ctx->digest); + if (md == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST); + return 0; + } + res = EVP_MD_get_size(md); + if (res <= 0) { + ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH); + return 0; + } + if ((size_t)res > keylen) { + ERR_raise(ERR_LIB_PROV, PROV_R_LENGTH_TOO_LARGE); + return 0; + } + + mctx = EVP_MD_CTX_new(); + res = mctx != NULL + && EVP_DigestInit_ex(mctx, md, NULL) + && EVP_DigestUpdate(mctx, ctx->salt, ctx->salt_len) + && EVP_DigestUpdate(mctx, ctx->pass, ctx->pass_len) + && EVP_DigestFinal_ex(mctx, key, NULL); + EVP_MD_CTX_free(mctx); + return res; +} + +static 
int kdf_pvk_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +{ + const OSSL_PARAM *p; + KDF_PVK *ctx = vctx; + OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(ctx->provctx); + + if (params == NULL) + return 1; + + if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx)) + return 0; + + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL) + if (!pvk_set_membuf(&ctx->pass, &ctx->pass_len, p)) + return 0; + + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) { + if (!pvk_set_membuf(&ctx->salt, &ctx->salt_len,p)) + return 0; + } + + return 1; +} + +static const OSSL_PARAM *kdf_pvk_settable_ctx_params(ossl_unused void *ctx, + ossl_unused void *p_ctx) +{ + static const OSSL_PARAM known_settable_ctx_params[] = { + OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), + OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_DIGEST, NULL, 0), + OSSL_PARAM_octet_string(OSSL_KDF_PARAM_PASSWORD, NULL, 0), + OSSL_PARAM_octet_string(OSSL_KDF_PARAM_SALT, NULL, 0), + OSSL_PARAM_END + }; + return known_settable_ctx_params; +} + +static int kdf_pvk_get_ctx_params(void *vctx, OSSL_PARAM params[]) +{ + OSSL_PARAM *p; + + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) + return OSSL_PARAM_set_size_t(p, SIZE_MAX); + return -2; +} + +static const OSSL_PARAM *kdf_pvk_gettable_ctx_params(ossl_unused void *ctx, + ossl_unused void *p_ctx) +{ + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +} + +const OSSL_DISPATCH ossl_kdf_pvk_functions[] = { + { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_pvk_new }, + { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_pvk_free }, + { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_pvk_reset }, + { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_pvk_derive }, + { OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS, + (void(*)(void))kdf_pvk_settable_ctx_params }, + { OSSL_FUNC_KDF_SET_CTX_PARAMS, 
(void(*)(void))kdf_pvk_set_ctx_params }, + { OSSL_FUNC_KDF_GETTABLE_CTX_PARAMS, + (void(*)(void))kdf_pvk_gettable_ctx_params }, + { OSSL_FUNC_KDF_GET_CTX_PARAMS, (void(*)(void))kdf_pvk_get_ctx_params }, + { 0, NULL } +}; diff --git a/providers/legacyprov.c b/providers/legacyprov.c index a5999c5f8b..93c4223a15 100644 --- a/providers/legacyprov.c +++ b/providers/legacyprov.c @@ -145,6 +145,7 @@ static const OSSL_ALGORITHM legacy_ciphers[] = { static const OSSL_ALGORITHM legacy_kdfs[] = { ALG(PROV_NAMES_PBKDF1, ossl_kdf_pbkdf1_functions), + ALG(PROV_NAMES_PVKKDF, ossl_kdf_pvk_functions), { NULL, NULL, NULL } }; diff --git a/test/recipes/30-test_evp_data/evpkdf_pvkkdf.txt b/test/recipes/30-test_evp_data/evpkdf_pvkkdf.txt new file mode 100644 index 0000000000..46ebec4ab2 --- /dev/null +++ b/test/recipes/30-test_evp_data/evpkdf_pvkkdf.txt @@ -0,0 +1,36 @@ +# +# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +# Tests start with one of these keywords +# Cipher Decrypt Derive Digest Encoding KDF MAC PBE +# PrivPubKeyPair Sign Verify VerifyRecover +# and continue until a blank line. Lines starting with a pound sign are ignored. + +# Test cases created using OpenSSL +Title = PVKKDF tests + +Availablein = legacy +KDF = PVKKDF +Ctrl.pass = pass:password +Ctrl.salt = salt:saltsalt +Ctrl.digest = digest:md5 +Output = AE7CF6D3A33A2117FA4F008D66F6D26F + +Availablein = legacy +KDF = PVKKDF +Ctrl.pass = pass:password +Ctrl.salt = salt:salt +Ctrl.digest = digest:md5 +Output = 67A1E09BB1F83F5007DC119C14D663AA + +Availablein = legacy +KDF = PVKKDF +Ctrl.pass = pass:password +Ctrl.salt = salt:saltsalt +Ctrl.digest = digest:md4 +Output = E85DE988BB00EF61067A0506DFB044EE From pauli at openssl.org Tue Sep 28 08:14:18 2021 
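Review bot: in crypto/pem/pvkfmt.c, derive_pvk_key() now returns the result of EVP_KDF_derive() unchanged (`rv = EVP_KDF_derive(ctx, key, keylen, params);`), while both callers still test it with `if (!derive_pvk_key(...))`. EVP_KDF_derive() is documented to return 0 or a negative value on failure, so a negative result would be read as success and keybuf would be used without a key having been derived. Suggest `rv = EVP_KDF_derive(ctx, key, keylen, params) > 0;` so the helper keeps the 0/1 contract the old digest-based version had.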
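Review bot: in providers/implementations/kdfs/build.info the first hunk defines `$PVKKDF_GOAL=../../liblegacy.a`, but the second hunk attaches the source with `SOURCE[$PBKDF1_GOAL]=pvkkdf.c`. Both variables name liblegacy.a today, so the build works, but the new variable is never used and pvkkdf.c would silently follow PBKDF1 if that goal were changed. Suggest `SOURCE[$PVKKDF_GOAL]=pvkkdf.c`.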
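Review bot: in pvk_set_membuf() in the new providers/implementations/kdfs/pvkkdf.c, `OPENSSL_clear_free(*buffer, *buflen);` runs first, but two paths then leave the outputs stale. With `p->data_size == 0` the buffer is replaced by a one-byte allocation while `*buflen` keeps the previous length, and with a non-zero `data_size` and `p->data == NULL` the function returns 1 with `*buffer` still pointing at the freed memory. kdf_pvk_derive() then hashes `ctx->pass_len` or `ctx->salt_len` bytes from that pointer, and kdf_pvk_cleanup() frees it again. Suggest `*buffer = NULL; *buflen = 0;` immediately after the clear_free. Separately, kdf_pvk_derive() only rejects a keylen smaller than the digest size; a larger keylen returns success with the tail of key unwritten, so either require equality or document that exactly one digest length is produced.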
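Review bot: the three vectors in test/recipes/30-test_evp_data/evpkdf_pvkkdf.txt use `digest:md5` and `digest:md4`, but none uses SHA1, which is the digest derive_pvk_key() passes via `SN_sha1` and the one kdf_pvk_init() loads by default. Suggest adding a SHA1 vector, plus a case with the digest control omitted so the default path is covered.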
From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 28 Sep 2021 08:14:18 +0000 Subject: [openssl] master update Message-ID: <1632816858.258767.31877.nullmailer@dev.openssl.org> The branch master has been updated via 105af0ad923a665ca5fee296b52dbf34b524a2aa (commit) from 2d34e5b2ecf6a5db982c53bb56c62249b7791051 (commit) - Log ----------------------------------------------------------------- commit 105af0ad923a665ca5fee296b52dbf34b524a2aa Author: Tianjia Zhang Date: Sat Sep 25 18:06:15 2021 +0800 ssl: Correct comment for ssl3_read_bytes() Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16680) ----------------------------------------------------------------------- Summary of changes: ssl/record/rec_layer_s3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index ea7b0cbfde..d26437f026 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -1246,7 +1246,7 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len, * * This function must handle any surprises the peer may have for us, such as * Alert records (e.g. close_notify) or renegotiation requests. ChangeCipherSpec - * messages are treated as if they were handshake messages *if* the |recd_type| + * messages are treated as if they were handshake messages *if* the |recvd_type| * argument is non NULL. * Also if record payloads contain fragments too small to process, we store * them until there is enough for the respective protocol (the record protocol From pauli at openssl.org Tue Sep 28 08:15:31 2021 
From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 28 Sep 2021 08:15:31 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1632816931.032424.1015.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 144562d412580f58656d64959bfe6d4794fef6a2 (commit) from 09f24c909cb717f40ebb4a6de2699aa971dcc15d (commit) - Log ----------------------------------------------------------------- commit 144562d412580f58656d64959bfe6d4794fef6a2 Author: Tianjia Zhang Date: Sat Sep 25 18:06:15 2021 +0800 ssl: Correct comment for ssl3_read_bytes() Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16680) (cherry picked from commit 105af0ad923a665ca5fee296b52dbf34b524a2aa) ----------------------------------------------------------------------- Summary of changes: ssl/record/rec_layer_s3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index ea7b0cbfde..d26437f026 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -1246,7 +1246,7 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len, * * This function must handle any surprises the peer may have for us, such as * Alert records (e.g. close_notify) or renegotiation requests. ChangeCipherSpec - * messages are treated as if they were handshake messages *if* the |recd_type| + * messages are treated as if they were handshake messages *if* the |recvd_type| * argument is non NULL. * Also if record payloads contain fragments too small to process, we store * them until there is enough for the respective protocol (the record protocol From pauli at openssl.org Tue Sep 28 08:17:13 2021 
From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 28 Sep 2021 08:17:13 +0000 Subject: [openssl] master update Message-ID: <1632817033.475369.2281.nullmailer@dev.openssl.org> The branch master has been updated via 9efdf4ad6b130aa4e206a8fd612539925c0b1e45 (commit) from 105af0ad923a665ca5fee296b52dbf34b524a2aa (commit) - Log ----------------------------------------------------------------- commit 9efdf4ad6b130aa4e206a8fd612539925c0b1e45 Author: Peiwei Hu <58985155+PeiweiHu at users.noreply.github.com> Date: Sun Sep 26 15:44:42 2021 +0800 Fix some documentation errors CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16684) ----------------------------------------------------------------------- Summary of changes: doc/man3/BIO_s_file.pod | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/man3/BIO_s_file.pod b/doc/man3/BIO_s_file.pod index c2beb7f924..aaaf2dc39e 100644 --- a/doc/man3/BIO_s_file.pod +++ b/doc/man3/BIO_s_file.pod @@ -87,7 +87,7 @@ BIO_s_file() returns the file BIO method. BIO_new_file() and BIO_new_fp() return a file BIO or NULL if an error occurred. -BIO_set_fp() and BIO_get_fp() return 1 for success or 0 for failure +BIO_set_fp() and BIO_get_fp() return 1 for success or <=0 for failure (although the current implementation never return 0). BIO_seek() returns the same value as the underlying fseek() function: @@ -96,7 +96,7 @@ BIO_seek() returns the same value as the underlying fseek() function: BIO_tell() returns the current file position. BIO_read_filename(), BIO_write_filename(), BIO_append_filename() and -BIO_rw_filename() return 1 for success or 0 for failure. +BIO_rw_filename() return 1 for success or <=0 for failure. =head1 EXAMPLES 
@@ -114,7 +114,7 @@ Alternative technique: bio_out = BIO_new(BIO_s_file()); if (bio_out == NULL) /* Error */ - if (!BIO_set_fp(bio_out, stdout, BIO_NOCLOSE)) + if (BIO_set_fp(bio_out, stdout, BIO_NOCLOSE) <= 0) /* Error */ BIO_printf(bio_out, "Hello World\n"); @@ -135,7 +135,7 @@ Alternative technique: out = BIO_new(BIO_s_file()); if (out == NULL) /* Error */ - if (!BIO_write_filename(out, "filename.txt")) + if (BIO_write_filename(out, "filename.txt") <= 0) /* Error */ BIO_printf(out, "Hello World\n"); BIO_free(out); From pauli at openssl.org Tue Sep 28 08:17:37 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 28 Sep 2021 08:17:37 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1632817057.700775.11711.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 4ff1639adb732f0f49652ed22124df2c0b199726 (commit) from 144562d412580f58656d64959bfe6d4794fef6a2 (commit) - Log ----------------------------------------------------------------- commit 4ff1639adb732f0f49652ed22124df2c0b199726 Author: Peiwei Hu <58985155+PeiweiHu at users.noreply.github.com> Date: Sun Sep 26 15:44:42 2021 +0800 Fix some documentation errors CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16684) (cherry picked from commit 9efdf4ad6b130aa4e206a8fd612539925c0b1e45) ----------------------------------------------------------------------- Summary of changes: doc/man3/BIO_s_file.pod | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/man3/BIO_s_file.pod b/doc/man3/BIO_s_file.pod index c2beb7f924..aaaf2dc39e 100644 --- a/doc/man3/BIO_s_file.pod +++ b/doc/man3/BIO_s_file.pod 
@@ -87,7 +87,7 @@ BIO_s_file() returns the file BIO method. BIO_new_file() and BIO_new_fp() return a file BIO or NULL if an error occurred. -BIO_set_fp() and BIO_get_fp() return 1 for success or 0 for failure +BIO_set_fp() and BIO_get_fp() return 1 for success or <=0 for failure (although the current implementation never return 0). BIO_seek() returns the same value as the underlying fseek() function: @@ -96,7 +96,7 @@ BIO_seek() returns the same value as the underlying fseek() function: BIO_tell() returns the current file position. BIO_read_filename(), BIO_write_filename(), BIO_append_filename() and -BIO_rw_filename() return 1 for success or 0 for failure. +BIO_rw_filename() return 1 for success or <=0 for failure. =head1 EXAMPLES @@ -114,7 +114,7 @@ Alternative technique: bio_out = BIO_new(BIO_s_file()); if (bio_out == NULL) /* Error */ - if (!BIO_set_fp(bio_out, stdout, BIO_NOCLOSE)) + if (BIO_set_fp(bio_out, stdout, BIO_NOCLOSE) <= 0) /* Error */ BIO_printf(bio_out, "Hello World\n"); @@ -135,7 +135,7 @@ Alternative technique: out = BIO_new(BIO_s_file()); if (out == NULL) /* Error */ - if (!BIO_write_filename(out, "filename.txt")) + if (BIO_write_filename(out, "filename.txt") <= 0) /* Error */ BIO_printf(out, "Hello World\n"); BIO_free(out); From pauli at openssl.org Tue Sep 28 09:26:06 2021 
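Review bot: The parenthetical left as context under the first changed line, "(although the current implementation never return 0)", no longer fits next to "<=0 for failure": a reader cannot tell whether negative values can occur today or are only reserved. Reword it in the same change so it says which failure values the current code can actually produce, and fix "never return" to "never returns". The two example hunks agree with the new wording, since `<= 0` catches both 0 and negative results where `!` only caught 0.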
From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 28 Sep 2021 09:26:06 +0000 Subject: [openssl] master update Message-ID: <1632821166.661742.4663.nullmailer@dev.openssl.org> The branch master has been updated via d8f6c533cfcbcad350c9cfb2c112eb9f938ba83c (commit) from 9efdf4ad6b130aa4e206a8fd612539925c0b1e45 (commit) - Log ----------------------------------------------------------------- commit d8f6c533cfcbcad350c9cfb2c112eb9f938ba83c Author: Peiwei Hu <58985155+PeiweiHu at users.noreply.github.com> Date: Sun Sep 26 15:28:19 2021 +0800 Fix return value of BIO_free CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16682) ----------------------------------------------------------------------- Summary of changes: crypto/bio/bio_lib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c index a378f186d7..25df70f760 100644 --- a/crypto/bio/bio_lib.c +++ b/crypto/bio/bio_lib.c @@ -140,7 +140,7 @@ int BIO_free(BIO *a) if (HAS_CALLBACK(a)) { ret = (int)bio_call_callback(a, BIO_CB_FREE, NULL, 0, 0, 0L, 1L, NULL); if (ret <= 0) - return ret; + return 0; } if ((a->method != NULL) && (a->method->destroy != NULL)) From pauli at openssl.org Tue Sep 28 09:26:31 2021 
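Review bot: In the `if (ret <= 0)` branch the callback's own value is now flattened to `return 0;`, which gives callers a single failure value, but the early return still leaves the BIO unfreed and nothing in this change documents that. A caller that ignores the result of BIO_free() will leak the object whenever a BIO_CB_FREE callback refuses. Please state in the BIO_free() documentation that 0 can mean the callback vetoed the free and the BIO is still live, and add a test with a callback returning a negative value, since the summary shows only crypto/bio/bio_lib.c touched.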
From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 28 Sep 2021 09:26:31 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1632821191.706847.6359.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 51b5e8b8f8f8a9df2b2234bc2f777ad1430017bb (commit) from 4ff1639adb732f0f49652ed22124df2c0b199726 (commit) - Log ----------------------------------------------------------------- commit 51b5e8b8f8f8a9df2b2234bc2f777ad1430017bb Author: Peiwei Hu <58985155+PeiweiHu at users.noreply.github.com> Date: Sun Sep 26 15:28:19 2021 +0800 Fix return value of BIO_free CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16682) (cherry picked from commit d8f6c533cfcbcad350c9cfb2c112eb9f938ba83c) ----------------------------------------------------------------------- Summary of changes: crypto/bio/bio_lib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c index a378f186d7..25df70f760 100644 --- a/crypto/bio/bio_lib.c +++ b/crypto/bio/bio_lib.c @@ -140,7 +140,7 @@ int BIO_free(BIO *a) if (HAS_CALLBACK(a)) { ret = (int)bio_call_callback(a, BIO_CB_FREE, NULL, 0, 0, 0L, 1L, NULL); if (ret <= 0) - return ret; + return 0; } if ((a->method != NULL) && (a->method->destroy != NULL)) From pauli at openssl.org Tue Sep 28 09:28:30 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Tue, 28 Sep 2021 09:28:30 +0000 Subject: [openssl] master update Message-ID: <1632821310.340268.10192.nullmailer@dev.openssl.org> The branch master has been updated via c2ee608a234340aa735f894f8d84ead0ce58286e (commit) from d8f6c533cfcbcad350c9cfb2c112eb9f938ba83c (commit) - Log ----------------------------------------------------------------- commit c2ee608a234340aa735f894f8d84ead0ce58286e Author: Tianjia Zhang Date: Wed Sep 1 16:54:15 2021 +0800 providers: Add SM4 GCM implementation The GCM mode of the SM4 algorithm is specified by RFC8998.
Signed-off-by: Tianjia Zhang Reviewed-by: Paul Yang Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16491) ----------------------------------------------------------------------- Summary of changes: providers/defltprov.c | 2 + providers/implementations/ciphers/build.info | 4 +- providers/implementations/ciphers/cipher_sm4_ccm.c | 39 ++++++++++++++++++++ .../{cipher_aria_ccm.h => cipher_sm4_ccm.h} | 14 +++---- .../{cipher_aria_ccm_hw.c => cipher_sm4_ccm_hw.c} | 25 +++++++------ providers/implementations/ciphers/cipher_sm4_gcm.c | 40 ++++++++++++++++++++ .../{cipher_aria_gcm.h => cipher_sm4_gcm.h} | 12 +++--- .../implementations/ciphers/cipher_sm4_gcm_hw.c | 43 ++++++++++++++++++++++ .../implementations/include/prov/implementations.h | 2 + providers/implementations/include/prov/names.h | 2 + test/recipes/30-test_evp_data/evpciph_sm4.txt | 20 ++++++++++ 11 files changed, 177 insertions(+), 26 deletions(-) create mode 100644 providers/implementations/ciphers/cipher_sm4_ccm.c copy providers/implementations/ciphers/{cipher_aria_ccm.h => cipher_sm4_ccm.h} (58%) copy providers/implementations/ciphers/{cipher_aria_ccm_hw.c => cipher_sm4_ccm_hw.c} (50%) create mode 100644 providers/implementations/ciphers/cipher_sm4_gcm.c copy providers/implementations/ciphers/{cipher_aria_gcm.h => cipher_sm4_gcm.h} (65%) create mode 100644 providers/implementations/ciphers/cipher_sm4_gcm_hw.c diff --git a/providers/defltprov.c b/providers/defltprov.c index e6c0b24658..ed4573cb8d 100644 --- a/providers/defltprov.c +++ b/providers/defltprov.c 
@@ -289,6 +289,8 @@ static const OSSL_ALGORITHM_CAPABLE deflt_ciphers[] = { ALG(PROV_NAMES_DES_EDE_CFB, ossl_tdes_ede2_cfb_functions), #endif /* OPENSSL_NO_DES */ #ifndef OPENSSL_NO_SM4 + ALG(PROV_NAMES_SM4_GCM, ossl_sm4128gcm_functions), + ALG(PROV_NAMES_SM4_CCM, ossl_sm4128ccm_functions), ALG(PROV_NAMES_SM4_ECB, ossl_sm4128ecb_functions), ALG(PROV_NAMES_SM4_CBC, ossl_sm4128cbc_functions), ALG(PROV_NAMES_SM4_CTR, ossl_sm4128ctr_functions), diff --git a/providers/implementations/ciphers/build.info b/providers/implementations/ciphers/build.info index e4c5f4f051..b5d9d4f6c1 100644 --- a/providers/implementations/ciphers/build.info +++ b/providers/implementations/ciphers/build.info @@ -105,7 +105,9 @@ ENDIF IF[{- !$disabled{sm4} -}] SOURCE[$SM4_GOAL]=\ - cipher_sm4.c cipher_sm4_hw.c + cipher_sm4.c cipher_sm4_hw.c \ + cipher_sm4_gcm.c cipher_sm4_gcm_hw.c \ + cipher_sm4_ccm.c cipher_sm4_ccm_hw.c ENDIF IF[{- !$disabled{ocb} -}] diff --git a/providers/implementations/ciphers/cipher_sm4_ccm.c b/providers/implementations/ciphers/cipher_sm4_ccm.c new file mode 100644 index 0000000000..f0295a5ca2 --- /dev/null +++ b/providers/implementations/ciphers/cipher_sm4_ccm.c 
@@ -0,0 +1,39 @@ +/* + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* Dispatch functions for SM4 CCM mode */ + +#include "cipher_sm4_ccm.h" +#include "prov/implementations.h" +#include "prov/providercommon.h" + +static OSSL_FUNC_cipher_freectx_fn sm4_ccm_freectx; + +static void *sm4_ccm_newctx(void *provctx, size_t keybits) +{ + PROV_SM4_CCM_CTX *ctx; + + if (!ossl_prov_is_running()) + return NULL; + + ctx = OPENSSL_zalloc(sizeof(*ctx)); + if (ctx != NULL) + ossl_ccm_initctx(&ctx->base, keybits, ossl_prov_sm4_hw_ccm(keybits)); + return ctx; +} + +static void sm4_ccm_freectx(void *vctx) +{ + PROV_SM4_CCM_CTX *ctx = (PROV_SM4_CCM_CTX *)vctx; + + OPENSSL_clear_free(ctx, sizeof(*ctx)); +} + +/* sm4128ccm functions */ +IMPLEMENT_aead_cipher(sm4, ccm, CCM, AEAD_FLAGS, 128, 8, 96); diff --git a/providers/implementations/ciphers/cipher_aria_ccm.h b/providers/implementations/ciphers/cipher_sm4_ccm.h similarity index 58% copy from providers/implementations/ciphers/cipher_aria_ccm.h copy to providers/implementations/ciphers/cipher_sm4_ccm.h index 558da4973f..189e71e9e4 100644 --- a/providers/implementations/ciphers/cipher_aria_ccm.h +++ b/providers/implementations/ciphers/cipher_sm4_ccm.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -7,16 +7,16 @@ * https://www.openssl.org/source/license.html */ -#include "crypto/aria.h" +#include "crypto/sm4.h" #include "prov/ciphercommon.h" #include "prov/ciphercommon_ccm.h" -typedef struct prov_aria_ccm_ctx_st { +typedef struct prov_sm4_ccm_ctx_st { PROV_CCM_CTX base; /* Must be first */ union { OSSL_UNION_ALIGN; - ARIA_KEY ks; - } ks; /* ARIA key schedule to use */ -} PROV_ARIA_CCM_CTX; + SM4_KEY ks; + } ks; /* SM4 key schedule to use */ +} PROV_SM4_CCM_CTX; -const PROV_CCM_HW *ossl_prov_aria_hw_ccm(size_t keylen); +const PROV_CCM_HW *ossl_prov_sm4_hw_ccm(size_t keylen); diff --git a/providers/implementations/ciphers/cipher_aria_ccm_hw.c b/providers/implementations/ciphers/cipher_sm4_ccm_hw.c similarity index 50% copy from providers/implementations/ciphers/cipher_aria_ccm_hw.c copy to providers/implementations/ciphers/cipher_sm4_ccm_hw.c index e56ec8fb08..791daf3e46 100644 --- a/providers/implementations/ciphers/cipher_aria_ccm_hw.c +++ b/providers/implementations/ciphers/cipher_sm4_ccm_hw.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -8,33 +8,34 @@ */ /*- - * Generic support for ARIA CCM. + * Generic support for SM4 CCM. */ -#include "cipher_aria_ccm.h" +#include "cipher_sm4_ccm.h" -static int ccm_aria_initkey(PROV_CCM_CTX *ctx, - const unsigned char *key, size_t keylen) +static int ccm_sm4_initkey(PROV_CCM_CTX *ctx, + const unsigned char *key, size_t keylen) { - PROV_ARIA_CCM_CTX *actx = (PROV_ARIA_CCM_CTX *)ctx; + PROV_SM4_CCM_CTX *actx = (PROV_SM4_CCM_CTX *)ctx; - ossl_aria_set_encrypt_key(key, keylen * 8, &actx->ks.ks); + ossl_sm4_set_key(key, &actx->ks.ks); CRYPTO_ccm128_init(&ctx->ccm_ctx, ctx->m, ctx->l, &actx->ks.ks, - (block128_f)ossl_aria_encrypt); + (block128_f)ossl_sm4_encrypt); ctx->str = NULL; ctx->key_set = 1; return 1; } -static const PROV_CCM_HW ccm_aria = { - ccm_aria_initkey, +static const PROV_CCM_HW ccm_sm4 = { + ccm_sm4_initkey, ossl_ccm_generic_setiv, ossl_ccm_generic_setaad, ossl_ccm_generic_auth_encrypt, ossl_ccm_generic_auth_decrypt, ossl_ccm_generic_gettag }; -const PROV_CCM_HW *ossl_prov_aria_hw_ccm(size_t keybits) + +const PROV_CCM_HW *ossl_prov_sm4_hw_ccm(size_t keybits) { - return &ccm_aria; + return &ccm_sm4; } diff --git a/providers/implementations/ciphers/cipher_sm4_gcm.c b/providers/implementations/ciphers/cipher_sm4_gcm.c new file mode 100644 index 0000000000..7a936f00ee --- /dev/null +++ b/providers/implementations/ciphers/cipher_sm4_gcm.c 
@@ -0,0 +1,40 @@ +/* + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* Dispatch functions for SM4 GCM mode */ + +#include "cipher_sm4_gcm.h" +#include "prov/implementations.h" +#include "prov/providercommon.h" + +static OSSL_FUNC_cipher_freectx_fn sm4_gcm_freectx; + +static void *sm4_gcm_newctx(void *provctx, size_t keybits) +{ + PROV_SM4_GCM_CTX *ctx; + + if (!ossl_prov_is_running()) + return NULL; + + ctx = OPENSSL_zalloc(sizeof(*ctx)); + if (ctx != NULL) + ossl_gcm_initctx(provctx, &ctx->base, keybits, + ossl_prov_sm4_hw_gcm(keybits)); + return ctx; +} + +static void sm4_gcm_freectx(void *vctx) +{ + PROV_SM4_GCM_CTX *ctx = (PROV_SM4_GCM_CTX *)vctx; + + OPENSSL_clear_free(ctx, sizeof(*ctx)); +} + +/* ossl_sm4128gcm_functions */ +IMPLEMENT_aead_cipher(sm4, gcm, GCM, AEAD_FLAGS, 128, 8, 96); diff --git a/providers/implementations/ciphers/cipher_aria_gcm.h b/providers/implementations/ciphers/cipher_sm4_gcm.h similarity index 65% copy from providers/implementations/ciphers/cipher_aria_gcm.h copy to providers/implementations/ciphers/cipher_sm4_gcm.h index 6251e8322f..2b6b5f3ece 100644 --- a/providers/implementations/ciphers/cipher_aria_gcm.h +++ b/providers/implementations/ciphers/cipher_sm4_gcm.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -7,16 +7,16 @@ * https://www.openssl.org/source/license.html */ -#include "crypto/aria.h" +#include "crypto/sm4.h" #include "prov/ciphercommon.h" #include "prov/ciphercommon_gcm.h" -typedef struct prov_aria_gcm_ctx_st { +typedef struct prov_sm4_gcm_ctx_st { PROV_GCM_CTX base; /* must be first entry in struct */ union { OSSL_UNION_ALIGN; - ARIA_KEY ks; + SM4_KEY ks; } ks; -} PROV_ARIA_GCM_CTX; +} PROV_SM4_GCM_CTX; -const PROV_GCM_HW *ossl_prov_aria_hw_gcm(size_t keybits); +const PROV_GCM_HW *ossl_prov_sm4_hw_gcm(size_t keybits); diff --git a/providers/implementations/ciphers/cipher_sm4_gcm_hw.c b/providers/implementations/ciphers/cipher_sm4_gcm_hw.c new file mode 100644 index 0000000000..6bcd1ec406 --- /dev/null +++ b/providers/implementations/ciphers/cipher_sm4_gcm_hw.c @@ -0,0 +1,43 @@ +/* + * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/*- + * Generic support for SM4 GCM. + */ + +#include "cipher_sm4_gcm.h" + +static int sm4_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key, + size_t keylen) +{ + PROV_SM4_GCM_CTX *actx = (PROV_SM4_GCM_CTX *)ctx; + SM4_KEY *ks = &actx->ks.ks; + + ctx->ks = ks; + ossl_sm4_set_key(key, ks); + CRYPTO_gcm128_init(&ctx->gcm, ks, (block128_f)ossl_sm4_encrypt); + ctx->ctr = (ctr128_f)NULL; + ctx->key_set = 1; + + return 1; +} + +static const PROV_GCM_HW sm4_gcm = { + sm4_gcm_initkey, + ossl_gcm_setiv, + ossl_gcm_aad_update, + ossl_gcm_cipher_update, + ossl_gcm_cipher_final, + ossl_gcm_one_shot +}; + +const PROV_GCM_HW *ossl_prov_sm4_hw_gcm(size_t keybits) +{ + return &sm4_gcm; +} diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h index 66817fa104..cb1b7925c5 100644 
--- a/providers/implementations/include/prov/implementations.h +++ b/providers/implementations/include/prov/implementations.h @@ -177,6 +177,8 @@ extern const OSSL_DISPATCH ossl_seed128ofb128_functions[]; extern const OSSL_DISPATCH ossl_seed128cfb128_functions[]; #endif /* OPENSSL_NO_SEED */ #ifndef OPENSSL_NO_SM4 +extern const OSSL_DISPATCH ossl_sm4128gcm_functions[]; +extern const OSSL_DISPATCH ossl_sm4128ccm_functions[]; extern const OSSL_DISPATCH ossl_sm4128ecb_functions[]; extern const OSSL_DISPATCH ossl_sm4128cbc_functions[]; extern const OSSL_DISPATCH ossl_sm4128ctr_functions[]; diff --git a/providers/implementations/include/prov/names.h b/providers/implementations/include/prov/names.h index 62aa7bd725..97cbae70f1 100644 --- a/providers/implementations/include/prov/names.h +++ b/providers/implementations/include/prov/names.h @@ -162,6 +162,8 @@ #define PROV_NAMES_SM4_CTR "SM4-CTR:1.2.156.10197.1.104.7" #define PROV_NAMES_SM4_OFB "SM4-OFB:SM4-OFB128:1.2.156.10197.1.104.3" #define PROV_NAMES_SM4_CFB "SM4-CFB:SM4-CFB128:1.2.156.10197.1.104.4" +#define PROV_NAMES_SM4_GCM "SM4-GCM:1.2.156.10197.1.104.8" +#define PROV_NAMES_SM4_CCM "SM4-CCM:1.2.156.10197.1.104.9" #define PROV_NAMES_ChaCha20 "ChaCha20" #define PROV_NAMES_ChaCha20_Poly1305 "ChaCha20-Poly1305" #define PROV_NAMES_CAST5_ECB "CAST5-ECB" diff --git a/test/recipes/30-test_evp_data/evpciph_sm4.txt b/test/recipes/30-test_evp_data/evpciph_sm4.txt index ec8a45bd3f..9fb16ca15c 100644 --- a/test/recipes/30-test_evp_data/evpciph_sm4.txt +++ b/test/recipes/30-test_evp_data/evpciph_sm4.txt 
@@ -36,3 +36,23 @@ Key = 0123456789ABCDEFFEDCBA9876543210 IV = 0123456789ABCDEFFEDCBA9876543210 Plaintext = AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFEEEEEEEEEEEEEEEEAAAAAAAAAAAAAAAA Ciphertext = C2B4759E78AC3CF43D0852F4E8D5F9FD7256E8A5FCB65A350EE00630912E44492A0B17E1B85B060D0FBA612D8A95831638B361FD5FFACD942F081485A83CA35D + +Title = SM4 GCM test vectors from RFC8998 + +Cipher = SM4-GCM +Key = 0123456789abcdeffedcba9876543210 +IV = 00001234567800000000abcd +AAD = feedfacedeadbeeffeedfacedeadbeefabaddad2 +Tag = 83de3541e4c2b58177e065a9bf7b62ec +Plaintext = aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbccccccccccccccccddddddddddddddddeeeeeeeeeeeeeeeeffffffffffffffffeeeeeeeeeeeeeeeeaaaaaaaaaaaaaaaa +Ciphertext = 17f399f08c67d5ee19d0dc9969c4bb7d5fd46fd3756489069157b282bb200735d82710ca5c22f0ccfa7cbf93d496ac15a56834cbcf98c397b4024a2691233b8d + +Title = SM4 CCM test vectors from RFC8998 + +Cipher = SM4-CCM +Key = 0123456789abcdeffedcba9876543210 +IV = 00001234567800000000abcd +AAD = feedfacedeadbeeffeedfacedeadbeefabaddad2 +Tag = 16842d4fa186f56ab33256971fa110f4 +Plaintext = aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbccccccccccccccccddddddddddddddddeeeeeeeeeeeeeeeeffffffffffffffffeeeeeeeeeeeeeeeeaaaaaaaaaaaaaaaa +Ciphertext = 48af93501fa62adbcd414cce6034d895dda1bf8f132f042098661572e7483094fd12e518ce062c98acee28d95df4416bed31a2f04476c18bb40c84a74b97dc5b From tomas at openssl.org Tue Sep 28 10:13:15 2021 
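Review bot: In cipher_sm4_gcm_hw.c and cipher_sm4_ccm_hw.c, `sm4_gcm_initkey()` and `ccm_sm4_initkey()` accept `keylen` but never look at it: `ossl_sm4_set_key(key, ks)` takes no length, unlike the ARIA call it replaces (`ossl_aria_set_encrypt_key(key, keylen * 8, &actx->ks.ks)`). SM4 keys are fixed at 128 bits and IMPLEMENT_aead_cipher is instantiated with 128, so this is probably safe, but a short comment or a defensive length check would make the assumption explicit. Two leftovers from the ARIA copy are also worth cleaning up: the local is still named `actx`, and cipher_sm4_ccm.h declares `ossl_prov_sm4_hw_ccm(size_t keylen)` while the definition takes `size_t keybits`.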
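Review bot: The subject line says "Add SM4 GCM implementation" and the body mentions only GCM, yet the change also registers SM4-CCM (PROV_NAMES_SM4_CCM, cipher_sm4_ccm.c, cipher_sm4_ccm_hw.c); the message should name both modes. The summary of changes lists no CHANGES.md entry and no manual page update for the two new cipher names, and evpciph_sm4.txt gains only one positive vector per mode. Please add the documentation and at least one case per mode with a corrupted tag so that authentication failure is exercised as well.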
From: tomas at openssl.org (tomas at openssl.org) Date: Tue, 28 Sep 2021 10:13:15 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1632823995.310233.13014.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 1257c2047455a84956946963bf31cdb7336b3bad (commit) from 51b5e8b8f8f8a9df2b2234bc2f777ad1430017bb (commit) - Log ----------------------------------------------------------------- commit 1257c2047455a84956946963bf31cdb7336b3bad Author: Tomas Mraz Date: Mon Sep 27 09:45:31 2021 +0200 BIO_ctrl: Avoid spurious error being raised on NULL bio parameter Some of the functions are being called on NULL bio with the expectation that such call will not raise an error. Fixes #16681 Reviewed-by: Paul Dale Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16686) (cherry picked from commit 398ae8231650c4bd8ddff0e5efd38233c23b1ca0) ----------------------------------------------------------------------- Summary of changes: crypto/bio/bio_lib.c | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c index 25df70f760..b5454f14b2 100644 --- a/crypto/bio/bio_lib.c +++ b/crypto/bio/bio_lib.c @@ -563,10 +563,8 @@ long BIO_ctrl(BIO *b, int cmd, long larg, void *parg) { long ret; - if (b == NULL) { - ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); + if (b == NULL) return -1; - } if (b->method == NULL || b->method->ctrl == NULL) { ERR_raise(ERR_LIB_BIO, BIO_R_UNSUPPORTED_METHOD); return -2; @@ -591,10 +589,8 @@ long BIO_callback_ctrl(BIO *b, int cmd, BIO_info_cb *fp) { long ret; - if (b == NULL) { - ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); + if (b == NULL) return -2; - } if (b->method == NULL || b->method->callback_ctrl == NULL || cmd != BIO_CTRL_SET_CALLBACK) { ERR_raise(ERR_LIB_BIO, BIO_R_UNSUPPORTED_METHOD); 
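Review bot: With the ERR_raise() removed, the NULL branches in BIO_ctrl() and BIO_callback_ctrl() keep their old return values (-1 and -2 respectively), and -2 is also what both functions return for an unsupported method, so in BIO_callback_ctrl() the only thing that now separates "NULL bio" from "unsupported method" is whether an error was queued. Please add a one-line comment at each `if (b == NULL)` saying the silent return is intentional (the commit message explains why, the code does not), and a regression test that calls these functions with NULL and asserts the error queue stays empty; the summary shows only crypto/bio/bio_lib.c changed.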
@@ -655,10 +651,8 @@ BIO *BIO_pop(BIO *b) { BIO *ret; - if (b == NULL) { - ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); + if (b == NULL) return NULL; - } ret = b->next_bio; BIO_ctrl(b, BIO_CTRL_POP, 0, b); @@ -728,10 +722,8 @@ BIO *BIO_find_type(BIO *bio, int type) BIO *BIO_next(BIO *b) { - if (b == NULL) { - ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); + if (b == NULL) return NULL; - } return b->next_bio; } From tomas at openssl.org Tue Sep 28 10:12:50 2021 From: tomas at openssl.org (tomas at openssl.org) Date: Tue, 28 Sep 2021 10:12:50 +0000 Subject: [openssl] master update Message-ID: <1632823970.136311.11622.nullmailer@dev.openssl.org> The branch master has been updated via 398ae8231650c4bd8ddff0e5efd38233c23b1ca0 (commit) from c2ee608a234340aa735f894f8d84ead0ce58286e (commit) - Log ----------------------------------------------------------------- commit 398ae8231650c4bd8ddff0e5efd38233c23b1ca0 Author: Tomas Mraz Date: Mon Sep 27 09:45:31 2021 +0200 BIO_ctrl: Avoid spurious error being raised on NULL bio parameter Some of the functions are being called on NULL bio with the expectation that such call will not raise an error. Fixes #16681 Reviewed-by: Paul Dale Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/16686) ----------------------------------------------------------------------- Summary of changes: crypto/bio/bio_lib.c | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c index 25df70f760..b5454f14b2 100644 --- a/crypto/bio/bio_lib.c +++ b/crypto/bio/bio_lib.c @@ -563,10 +563,8 @@ long BIO_ctrl(BIO *b, int cmd, long larg, void *parg) { long ret; - if (b == NULL) { - ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); + if (b == NULL) return -1; - } if (b->method == NULL || b->method->ctrl == NULL) { ERR_raise(ERR_LIB_BIO, BIO_R_UNSUPPORTED_METHOD); return -2; 
@@ -591,10 +589,8 @@ long BIO_callback_ctrl(BIO *b, int cmd, BIO_info_cb *fp) { long ret; - if (b == NULL) { - ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); + if (b == NULL) return -2; - } if (b->method == NULL || b->method->callback_ctrl == NULL || cmd != BIO_CTRL_SET_CALLBACK) { ERR_raise(ERR_LIB_BIO, BIO_R_UNSUPPORTED_METHOD); @@ -655,10 +651,8 @@ BIO *BIO_pop(BIO *b) { BIO *ret; - if (b == NULL) { - ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); + if (b == NULL) return NULL; - } ret = b->next_bio; BIO_ctrl(b, BIO_CTRL_POP, 0, b); @@ -728,10 +722,8 @@ BIO *BIO_find_type(BIO *bio, int type) BIO *BIO_next(BIO *b) { - if (b == NULL) { - ERR_raise(ERR_LIB_BIO, ERR_R_PASSED_NULL_PARAMETER); + if (b == NULL) return NULL; - } return b->next_bio; } From nic.tuv at gmail.com Wed Sep 29 08:03:22 2021 From: nic.tuv at gmail.com (nic.tuv at gmail.com) Date: Wed, 29 Sep 2021 08:03:22 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1632902602.690427.22358.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via b9b45aa45873c63b8207eb527249f430288c17a0 (commit) from 5cd84a9db8446eacb688bab318c5476a45c41ec4 (commit) - Log ----------------------------------------------------------------- commit b9b45aa45873c63b8207eb527249f430288c17a0 Author: Mingjun.Yang Date: Mon Sep 6 15:30:19 2021 +0800 Add sm2 encryption test case from GM/T 0003.5-2012 Reviewed-by: Nicola Tuveri Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16511) (cherry picked from commit 8ba65c35ea3af347c3b2adc8e665066b541a1c35) ----------------------------------------------------------------------- Summary of changes: test/sm2_internal_test.c | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/test/sm2_internal_test.c b/test/sm2_internal_test.c index 18b1407c97..4951cd3e30 100644 --- a/test/sm2_internal_test.c +++ b/test/sm2_internal_test.c 
@@ -210,6 +210,7 @@ static int test_sm2_crypt(const EC_GROUP *group, static int sm2_crypt_test(void) { int testresult = 0; + EC_GROUP *gm_group = NULL; EC_GROUP *test_group = create_EC_group ("8542D69E4C044F18E8B92435BF6FF7DE457283915C45517D722EDB8B08F1DFC3", 
@@ -252,9 +253,49 @@ static int sm2_crypt_test(void) "88E3C5AAFC0413229E6C9AEE2BB92CAD649FE2C035689785DA33")) goto done; + /* From Annex C in both GM/T0003.5-2012 and GB/T 32918.5-2016.*/ + gm_group = create_EC_group( + "fffffffeffffffffffffffffffffffffffffffff00000000ffffffffffffffff", + "fffffffeffffffffffffffffffffffffffffffff00000000fffffffffffffffc", + "28e9fa9e9d9f5e344d5a9e4bcf6509a7f39789f515ab8f92ddbcbd414d940e93", + "32c4ae2c1f1981195f9904466a39c9948fe30bbff2660be1715a4589334c74c7", + "bc3736a2f4f6779c59bdcee36b692153d0a9877cc62a474002df32e52139f0a0", + "fffffffeffffffffffffffffffffffff7203df6b21c6052b53bbf40939d54123", + "1"); + + if (!TEST_ptr(gm_group)) + goto done; + + if (!test_sm2_crypt( + gm_group, + EVP_sm3(), + /* privkey (from which the encrypting public key is derived) */ + "3945208F7B2144B13F36E38AC6D39F95889393692860B51A42FB81EF4DF7C5B8", + /* plaintext message */ + "encryption standard", + /* ephemeral nonce k */ + "59276E27D506861A16680F3AD9C02DCCEF3CC1FA3CDBE4CE6D54B80DEAC1BC21", + /* + * expected ciphertext, the field values are from GM/T 0003.5-2012 + * (Annex C), but serialized following the ASN.1 format specified + * in GM/T 0009-2012 (Sec. 7.2). + */ + "307C" /* SEQUENCE, 0x7c bytes */ + "0220" /* INTEGER, 0x20 bytes */ + "04EBFC718E8D1798620432268E77FEB6415E2EDE0E073C0F4F640ECD2E149A73" + "0221" /* INTEGER, 0x21 bytes */ + "00" /* leading 00 due to DER for pos. int with topmost bit set */ + "E858F9D81E5430A57B36DAAB8F950A3C64E6EE6A63094D99283AFF767E124DF0" + "0420" /* OCTET STRING, 0x20 bytes */ + "59983C18F809E262923C53AEC295D30383B54E39D609D160AFCB1908D0BD8766" + "0413" /* OCTET STRING, 0x13 bytes */ + "21886CA989CA9C7D58087307CA93092D651EFA")) + goto done; + testresult = 1; done: EC_GROUP_free(test_group); + EC_GROUP_free(gm_group); return testresult; } From tomas at openssl.org Thu Sep 30 10:20:22 2021 
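Review bot: The new curve comment, `/* From Annex C in both GM/T0003.5-2012 and GB/T 32918.5-2016.*/`, spells the standard "GM/T0003.5-2012" without the space used a few lines further down ("GM/T 0003.5-2012") and lacks a space before the closing `*/`. The curve parameters passed to create_EC_group() are lower-case hex while the private key, nonce and ciphertext strings are upper-case; pick one form for consistency with the existing vectors. The cleanup itself is fine as written, since `gm_group` starts as NULL and EC_GROUP_free(gm_group) is reached on every `goto done` path.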
From: tomas at openssl.org (tomas at openssl.org) Date: Thu, 30 Sep 2021 10:20:22 +0000 Subject: [openssl] master update Message-ID: <1632997222.070532.10701.nullmailer@dev.openssl.org> The branch master has been updated via 0865200fe59e7b18fbef07077897e09ab39741dc (commit) via d1b26ddbf6a9165c71884eff228300e3d83be1b1 (commit) from 398ae8231650c4bd8ddff0e5efd38233c23b1ca0 (commit) - Log ----------------------------------------------------------------- commit 0865200fe59e7b18fbef07077897e09ab39741dc Author: Erik Lax Date: Fri Jul 30 01:43:36 2021 +0200 Update manual to reference the IANA TLS Cipher Suites Registry Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16179) commit d1b26ddbf6a9165c71884eff228300e3d83be1b1 Author: Erik Lax Date: Fri Jul 30 00:47:46 2021 +0200 Allow cipher strings to be given using its standard name Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16179) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 5 +++++ doc/man1/openssl-ciphers.pod.in | 4 ++++ ssl/ssl_ciph.c | 9 +++++++-- test/cipherlist_test.c | 16 ++++++++++++++++ 4 files changed, 32 insertions(+), 2 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index c14bec916d..963289ca09 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -24,6 +24,11 @@ OpenSSL 3.1 ### Changes between 3.0 and 3.1 [xx XXX xxxx] + * The SSL_CTX_set_cipher_list family functions now accept ciphers using their + IANA standard names. + + *Erik Lax* + * The PVK key derivation function has been moved from b2i_PVK_bio_ex() into the legacy crypto provider as an EVP_KDF. Applications requiring this KDF will need to load the legacy crypto provider. diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in index 658730ec53..d4df30686f 100644 --- a/doc/man1/openssl-ciphers.pod.in +++ b/doc/man1/openssl-ciphers.pod.in 
@@ -115,6 +115,10 @@ used. The format is described below. The cipher list consists of one or more I separated by colons. Commas or spaces are also acceptable separators but colons are normally used. +The cipher string may reference a cipher using its standard name from +the IANA TLS Cipher Suites Registry +(L). + The actual cipher string can take several different forms. It can consist of a single cipher suite such as B. diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index dd22e57c59..01044deba3 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1042,9 +1042,9 @@ static int ssl_cipher_process_rulestr(const char *rule_str, while (((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) || ((ch >= 'a') && (ch <= 'z')) || - (ch == '-') || (ch == '.') || (ch == '=')) + (ch == '-') || (ch == '_') || (ch == '.') || (ch == '=')) #else - while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '.') + while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '_') || (ch == '.') || (ch == '=')) #endif { @@ -1095,6 +1095,11 @@ static int ssl_cipher_process_rulestr(const char *rule_str, && (ca_list[j]->name[buflen] == '\0')) { found = 1; break; + } else if (ca_list[j]->stdname != NULL + && strncmp(buf, ca_list[j]->stdname, buflen) == 0 + && ca_list[j]->stdname[buflen] == '\0') { + found = 1; + break; } else j++; } diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c index 2d166e2b46..c46e431b00 100644 --- a/test/cipherlist_test.c +++ b/test/cipherlist_test.c 
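Review bot: In the ssl/ssl_ciph.c hunk, adding `(ch == '_')` to the token loop widens the accepted alphabet for every rule token in ssl_cipher_process_rulestr(), not only for IANA names, and the only new test (test_stdname_cipherlist) sets a single standard name on client and server. Please add cases that combine a standard name with an OpenSSL name in one list and with the `!` and `-` operators, plus a negative case showing that an unknown token containing `_` is still rejected like any other unknown name. The new `else if` repeats the strncmp-plus-terminator check used for `name`; a small helper taking the candidate string would keep the two comparisons from drifting apart.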
@@ -244,10 +244,26 @@ end: return result; } +/* SSL_CTX_set_cipher_list matching with cipher standard name */ +static int test_stdname_cipherlist(void) +{ + SETUP_CIPHERLIST_TEST_FIXTURE(); + if (!TEST_true(SSL_CTX_set_cipher_list(fixture->server, TLS1_RFC_RSA_WITH_AES_128_SHA)) + || !TEST_true(SSL_CTX_set_cipher_list(fixture->client, TLS1_RFC_RSA_WITH_AES_128_SHA))) { + goto end; + } + result = 1; +end: + tear_down(fixture); + fixture = NULL; + return result; +} + int setup_tests(void) { ADD_TEST(test_default_cipherlist_implicit); ADD_TEST(test_default_cipherlist_explicit); ADD_TEST(test_default_cipherlist_clear); + ADD_TEST(test_stdname_cipherlist); return 1; } From pauli at openssl.org Thu Sep 30 10:46:05 2021 From: pauli at openssl.org (Dr. Paul Dale) Date: Thu, 30 Sep 2021 10:46:05 +0000 Subject: [openssl] master update Message-ID: <1632998765.784306.14298.nullmailer@dev.openssl.org> The branch master has been updated via 611685adc04a7c7e9612d51e743044fdcd9d1846 (commit) from 0865200fe59e7b18fbef07077897e09ab39741dc (commit) - Log ----------------------------------------------------------------- commit 611685adc04a7c7e9612d51e743044fdcd9d1846 Author: marcfedorow Date: Mon Sep 20 19:52:23 2021 +0300 RISC-V support for the SHA512 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16638) ----------------------------------------------------------------------- Summary of changes: crypto/sha/sha512.c | 121 +++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 115 insertions(+), 6 deletions(-) diff --git a/crypto/sha/sha512.c b/crypto/sha/sha512.c index ff035c469f..9600b370b4 100644 --- a/crypto/sha/sha512.c +++ b/crypto/sha/sha512.c 
@@ -432,6 +432,103 @@ static const SHA_LONG64 K512[80] = { : "=r"(ret) \ : "r"(*((const SHA_LONG64 *)(&(x))))); ret; }) # endif +# elif (__riscv_zbkb || __riscv_zbb) && __riscv_xlen == 32 +# define PULL64(x) ({ SHA_LONG64 ret; \ + unsigned int *r = (unsigned int *)(&(ret)); \ + const unsigned int *p = (const unsigned int *)(&(x)); \ + asm ("rev8 %0, %1" \ + : "=r"(r[0]) \ + : "r" (p[1])); \ + asm ("rev8 %0, %1" \ + : "=r"(r[1]) \ + : "r" (p[0])); ret; }) +# elif (__riscv_zbkb || __riscv_zbb) && __riscv_xlen == 64 +# define PULL64(x) ({ SHA_LONG64 ret; \ + asm ("rev8 %0, %1" \ + : "=r"(ret) \ + : "r"(x)); ret; }) +# endif +# if __riscv_zknh && __riscv_xlen == 32 +# define Sigma0(x) ({ SHA_LONG64 ret; unsigned int *r = (unsigned int *)(&(ret)); \ + const unsigned int *p = (const unsigned int *)(&(x)); \ + asm ("sha512sum0r %0, %1, %2" \ + : "=r"(r[0]) \ + : "r" (p[0]), "r" (p[1])); \ + asm ("sha512sum0r %0, %2, %1" \ + : "=r"(r[1]) \ + : "r" (p[0]), "r" (p[1])); ret; }) +# define Sigma1(x) ({ SHA_LONG64 ret; unsigned int *r = (unsigned int *)(&(ret)); \ + const unsigned int *p = (const unsigned int *)(&(x)); \ + asm ("sha512sum1r %0, %1, %2" \ + : "=r"(r[0]) \ + : "r" (p[0]), "r" (p[1])); \ + asm ("sha512sum1r %0, %2, %1" \ + : "=r"(r[1]) \ + : "r" (p[0]), "r" (p[1])); ret; }) +# define sigma0(x) ({ SHA_LONG64 ret; unsigned int *r = (unsigned int *)(&(ret)); \ + const unsigned int *p = (const unsigned int *)(&(x)); \ + asm ("sha512sig0l %0, %1, %2" \ + : "=r"(r[0]) \ + : "r" (p[0]), "r" (p[1])); \ + asm ("sha512sig0h %0, %2, %1" \ + : "=r"(r[1]) \ + : "r" (p[0]), "r" (p[1])); ret; }) +# define sigma1(x) ({ SHA_LONG64 ret; unsigned int *r = (unsigned int *)(&(ret)); \ + const unsigned int *p = (const unsigned int *)(&(x)); \ + asm ("sha512sig1l %0, %1, %2" \ + : "=r"(r[0]) \ + : "r" (p[0]), "r" (p[1])); \ + asm ("sha512sig1h %0, %2, %1" \ + : "=r"(r[1]) \ + : "r" (p[0]), "r" (p[1])); ret; }) +# elif __riscv_zknh && __riscv_xlen == 64 +# define Sigma0(x) ({ SHA_LONG64 
ret; \ + asm ("sha512sum0 %0, %1" \ + : "=r"(ret) \ + : "r"(x)); ret; }) +# define Sigma1(x) ({ SHA_LONG64 ret; \ + asm ("sha512sum1 %0, %1" \ + : "=r"(ret) \ + : "r"(x)); ret; }) +# define sigma0(x) ({ SHA_LONG64 ret; \ + asm ("sha512sig0 %0, %1" \ + : "=r"(ret) \ + : "r"(x)); ret; }) +# define sigma1(x) ({ SHA_LONG64 ret; \ + asm ("sha512sig1 %0, %1" \ + : "=r"(ret) \ + : "r"(x)); ret; }) +# endif +# if (__riscv_zbt || __riscv_zpn) && __riscv_xlen == 32 +# define Ch(x,y,z) ({ SHA_LONG64 ret; unsigned int *r = (unsigned int *)(&(ret)); \ + const unsigned int *xp = (const unsigned int *)(&(x)); \ + const unsigned int *yp = (const unsigned int *)(&(y)); \ + const unsigned int *zp = (const unsigned int *)(&(z)); \ + asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3\n\t" \ + : "=r"(r[0]) \ + : "r"(xp[0]), "r"(yp[0]), "r"(zp[0])); \ + asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3\n\t" \ + : "=r"(r[1]) \ + : "r"(xp[1]), "r"(yp[1]), "r"(zp[1])); ret; }) +# define Maj(x,y,z) ({ SHA_LONG64 ret; unsigned int *r = (unsigned int *)(&(ret)); \ + const unsigned int *xp = (const unsigned int *)(&(x)); \ + const unsigned int *yp = (const unsigned int *)(&(y)); \ + const unsigned int *zp = (const unsigned int *)(&(z)); \ + asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3\n\t" \ + : "=r"(r[0]) \ + : "r"(xp[0]^zp[0]), "r"(yp[0]), "r"(zp[0])); \ + asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3\n\t" \ + : "=r"(r[1]) \ + : "r"(xp[1]^zp[1]), "r"(yp[1]), "r"(zp[1])); ret; }) +# elif (__riscv_zbt || __riscv_zpn) && __riscv_xlen == 64 +# define Ch(x,y,z) ({ SHA_LONG64 ret; \ + asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\ + : "=r"(ret) \ + : "r"(x), "r"(y), "r"(z)); ret; }) +# define Maj(x,y,z) ({ SHA_LONG64 ret; \ + asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\ + : "=r"(ret) \ + : "r"(x^z), "r"(y), "r"(x)); ret; }) # endif # elif defined(_MSC_VER) # if defined(_WIN64) /* applies to both IA-64 and AMD64 */ 
@@ -472,12 +569,24 @@ static SHA_LONG64 __fastcall __pull64be(const void *x) # ifndef ROTR # define ROTR(x,s) (((x)>>s) | (x)<<(64-s)) # endif -# define Sigma0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39)) -# define Sigma1(x) (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41)) -# define sigma0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x)>>7)) -# define sigma1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6)) -# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) -# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) +# ifndef Sigma0 +# define Sigma0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39)) +# endif +# ifndef Sigma1 +# define Sigma1(x) (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41)) +# endif +# ifndef sigma0 +# define sigma0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x)>>7)) +# endif +# ifndef sigma1 +# define sigma1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6)) +# endif +# ifndef Ch +# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) +# endif +# ifndef Maj +# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) +# endif # if defined(__i386) || defined(__i386__) || defined(_M_IX86) /* From matthias.st.pierre at ncp-e.com Thu Sep 30 12:08:05 2021 
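Review bot: in the RISC-V block added to crypto/sha/sha512.c (first hunk), the two Maj variants disagree on their last operand: the __riscv_xlen == 32 macro passes zp[0] and zp[1], while the __riscv_xlen == 64 macro passes `"r"(x)`. If the .insn is the bitwise select that Ch relies on, with x^z as the selector, both give the same result because the last operand is only taken where x and z agree, but the asymmetry reads like a typo; please use z in both or add a comment explaining the identity. The 64-bit macros also expand their arguments unparenthesized (`"r"(x^z)`, `"r"(x)`), unlike the generic fallbacks in the second hunk that write (x), so an argument containing a lower-precedence operator would be combined incorrectly. The 32-bit variants read and write the halves of a SHA_LONG64 through an unsigned int pointer, which fixes the word order and needs &(x) to be an lvalue; a short comment stating both assumptions would help the next reader.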
From: matthias.st.pierre at ncp-e.com (matthias.st.pierre at ncp-e.com) Date: Thu, 30 Sep 2021 12:08:05 +0000 Subject: [openssl] master update Message-ID: <1633003685.461967.5083.nullmailer@dev.openssl.org> The branch master has been updated via f8dd5869bca047a23599ac925aace70efcf487ad (commit) from 611685adc04a7c7e9612d51e743044fdcd9d1846 (commit) - Log ----------------------------------------------------------------- commit f8dd5869bca047a23599ac925aace70efcf487ad Author: Dr. Matthias St. Pierre Date: Tue Sep 28 16:12:32 2021 +0200 doc/man3/SSL_set_fd.pod: add note about Windows compiler warning According to an old stackoverflow thread [1], citing an even older comment by Andy Polyakov (1875e6db29, Pull up Win64 support from 0.9.8., 2005-07-05), a cast of 'SOCKET' (UINT_PTR) to 'int' does not create a problem, because although the documentation [2] claims that the upper limit is INVALID_SOCKET-1 (2^64 - 2), in practice the socket() implementation on Windows returns an index into the kernel handle table, the size of which is limited to 2^24 [3]. Add this note to the manual page to avoid unnecessary roundtrips to StackOverflow. [1] https://stackoverflow.com/questions/1953639/is-it-safe-to-cast-socket-to-int-under-win64 [2] https://docs.microsoft.com/en-us/windows/win32/winsock/socket-data-type-2 [3] https://docs.microsoft.com/en-us/windows/win32/sysinfo/kernel-objects Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16699) ----------------------------------------------------------------------- Summary of changes: doc/man3/SSL_set_fd.pod | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/doc/man3/SSL_set_fd.pod b/doc/man3/SSL_set_fd.pod index 0b474eb99b..f519630752 100644 --- a/doc/man3/SSL_set_fd.pod +++ b/doc/man3/SSL_set_fd.pod 
@@ -45,6 +45,17 @@ The operation succeeded. =back +=head1 NOTES + +On Windows, a socket handle is a 64-bit data type (UINT_PTR), which leads to a +compiler warning (conversion from 'SOCKET' to 'int', possible loss of data) when +passing the socket handle to SSL_set_*fd(). For the time being, this warning can +safely be ignored, because although the Microsoft documentation claims that the +upper limit is INVALID_SOCKET-1 (2^64 - 2), in practice the current socket() +implementation returns an index into the kernel handle table, the size of which +is limited to 2^24. + + =head1 SEE ALSO L, L, From matthias.st.pierre at ncp-e.com Thu Sep 30 12:09:00 2021 
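Review bot: the new NOTES section in doc/man3/SSL_set_fd.pod says the 'SOCKET' to 'int' warning "can safely be ignored" while itself qualifying the reason with "For the time being" and "the current socket() implementation", yet it gives no advice on what calling code should do. Suggest recommending an explicit cast at the call site, optionally guarded by a check that the handle value fits in an int, so that the assumption fails visibly if the 2^24 limit ever stops holding. Two smaller points: "SSL_set_*fd()" is not a name a reader can look up, so spell out the functions meant, and the hunk adds two blank lines before =head1 SEE ALSO where one is enough.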
From: matthias.st.pierre at ncp-e.com (matthias.st.pierre at ncp-e.com) Date: Thu, 30 Sep 2021 12:09:00 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1633003740.414221.7012.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via d31e951aa496abbc88770e226ec46d8eb77dedad (commit) from 1257c2047455a84956946963bf31cdb7336b3bad (commit) - Log ----------------------------------------------------------------- commit d31e951aa496abbc88770e226ec46d8eb77dedad Author: Dr. Matthias St. Pierre Date: Tue Sep 28 16:12:32 2021 +0200 doc/man3/SSL_set_fd.pod: add note about Windows compiler warning According to an old stackoverflow thread [1], citing an even older comment by Andy Polyakov (1875e6db29, Pull up Win64 support from 0.9.8., 2005-07-05), a cast of 'SOCKET' (UINT_PTR) to 'int' does not create a problem, because although the documentation [2] claims that the upper limit is INVALID_SOCKET-1 (2^64 - 2), in practice the socket() implementation on Windows returns an index into the kernel handle table, the size of which is limited to 2^24 [3]. Add this note to the manual page to avoid unnecessary roundtrips to StackOverflow. [1] https://stackoverflow.com/questions/1953639/is-it-safe-to-cast-socket-to-int-under-win64 [2] https://docs.microsoft.com/en-us/windows/win32/winsock/socket-data-type-2 [3] https://docs.microsoft.com/en-us/windows/win32/sysinfo/kernel-objects Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16699) (cherry picked from commit f8dd5869bca047a23599ac925aace70efcf487ad) ----------------------------------------------------------------------- Summary of changes: doc/man3/SSL_set_fd.pod | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/doc/man3/SSL_set_fd.pod b/doc/man3/SSL_set_fd.pod index 0b474eb99b..f519630752 100644 --- a/doc/man3/SSL_set_fd.pod +++ b/doc/man3/SSL_set_fd.pod 
@@ -45,6 +45,17 @@ The operation succeeded. =back +=head1 NOTES + +On Windows, a socket handle is a 64-bit data type (UINT_PTR), which leads to a +compiler warning (conversion from 'SOCKET' to 'int', possible loss of data) when +passing the socket handle to SSL_set_*fd(). For the time being, this warning can +safely be ignored, because although the Microsoft documentation claims that the +upper limit is INVALID_SOCKET-1 (2^64 - 2), in practice the current socket() +implementation returns an index into the kernel handle table, the size of which +is limited to 2^24. + + =head1 SEE ALSO L, L, From matthias.st.pierre at ncp-e.com Thu Sep 30 12:10:23 2021 
From: matthias.st.pierre at ncp-e.com (matthias.st.pierre at ncp-e.com) Date: Thu, 30 Sep 2021 12:10:23 +0000 Subject: [openssl] OpenSSL_1_1_1-stable update Message-ID: <1633003823.914031.10288.nullmailer@dev.openssl.org> The branch OpenSSL_1_1_1-stable has been updated via c23abef43ef482e129f440d40c98eb6d3a094e2b (commit) from b9b45aa45873c63b8207eb527249f430288c17a0 (commit) - Log ----------------------------------------------------------------- commit c23abef43ef482e129f440d40c98eb6d3a094e2b Author: Dr. Matthias St. Pierre Date: Tue Sep 28 16:12:32 2021 +0200 doc/man3/SSL_set_fd.pod: add note about Windows compiler warning According to an old stackoverflow thread [1], citing an even older comment by Andy Polyakov (1875e6db29, Pull up Win64 support from 0.9.8., 2005-07-05), a cast of 'SOCKET' (UINT_PTR) to 'int' does not create a problem, because although the documentation [2] claims that the upper limit is INVALID_SOCKET-1 (2^64 - 2), in practice the socket() implementation on Windows returns an index into the kernel handle table, the size of which is limited to 2^24 [3]. Add this note to the manual page to avoid unnecessary roundtrips to StackOverflow. [1] https://stackoverflow.com/questions/1953639/is-it-safe-to-cast-socket-to-int-under-win64 [2] https://docs.microsoft.com/en-us/windows/win32/winsock/socket-data-type-2 [3] https://docs.microsoft.com/en-us/windows/win32/sysinfo/kernel-objects Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/16699) (cherry picked from commit f8dd5869bca047a23599ac925aace70efcf487ad) ----------------------------------------------------------------------- Summary of changes: doc/man3/SSL_set_fd.pod | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/doc/man3/SSL_set_fd.pod b/doc/man3/SSL_set_fd.pod index 6780d515f9..1e1496cfee 100644 --- a/doc/man3/SSL_set_fd.pod +++ b/doc/man3/SSL_set_fd.pod 
@@ -45,6 +45,17 @@ The operation succeeded. =back +=head1 NOTES + +On Windows, a socket handle is a 64-bit data type (UINT_PTR), which leads to a +compiler warning (conversion from 'SOCKET' to 'int', possible loss of data) when +passing the socket handle to SSL_set_*fd(). For the time being, this warning can +safely be ignored, because although the Microsoft documentation claims that the +upper limit is INVALID_SOCKET-1 (2^64 - 2), in practice the current socket() +implementation returns an index into the kernel handle table, the size of which +is limited to 2^24. + + =head1 SEE ALSO L, L, From dev at ddvo.net Thu Sep 30 13:08:51 2021 From: dev at ddvo.net (dev at ddvo.net) Date: Thu, 30 Sep 2021 13:08:51 +0000 Subject: [openssl] openssl-3.0 update Message-ID: <1633007331.837766.15434.nullmailer@dev.openssl.org> The branch openssl-3.0 has been updated via 394263c4424c04408b11143c596c2f657e6a3e97 (commit) via 8dc0b2b55db38c67f907a856c240227ae2283a07 (commit) from d31e951aa496abbc88770e226ec46d8eb77dedad (commit) - Log ----------------------------------------------------------------- commit 394263c4424c04408b11143c596c2f657e6a3e97 Author: Dr. David von Oheimb Date: Wed Aug 25 12:30:09 2021 +0200 openssl-x509.pod.in: Reflect better that -signkey is an alias for -key option Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16618) commit 8dc0b2b55db38c67f907a856c240227ae2283a07 Author: Dr. David von Oheimb Date: Fri Aug 27 07:11:36 2021 +0200 APPS/{x509,req}: Fix description and diagnostics of -key, -in, etc. options Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16618) ----------------------------------------------------------------------- Summary of changes: apps/req.c | 13 ++++++++----- apps/x509.c | 10 +++++----- doc/man1/openssl-req.pod.in | 29 +++++++++++++++++++++-------- doc/man1/openssl-x509.pod.in | 37 ++++++++++++++++++++++--------------- 4 files changed, 56 insertions(+), 33 deletions(-) 
diff --git a/apps/req.c b/apps/req.c index 6aa364fec5..fd9826a5a8 100644 --- a/apps/req.c +++ b/apps/req.c @@ -103,7 +103,7 @@ const OPTIONS req_options[] = { {"keygen_engine", OPT_KEYGEN_ENGINE, 's', "Specify engine to be used for key generation operations"}, #endif - {"in", OPT_IN, '<', "X.509 request input file"}, + {"in", OPT_IN, '<', "X.509 request input file (default stdin)"}, {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, {"verify", OPT_VERIFY, '-', "Verify self-signature on the request"}, @@ -136,10 +136,11 @@ const OPTIONS req_options[] = { "Cert extension section (override value in config file)"}, {"reqexts", OPT_REQEXTS, 's', "Request extension section (override value in config file)"}, - {"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"}, + {"precert", OPT_PRECERT, '-', + "Add a poison extension to the generated cert (implies -new)"}, OPT_SECTION("Keys and Signing"), - {"key", OPT_KEY, 's', "Key to include and to use for self-signature"}, + {"key", OPT_KEY, 's', "Key for signing, and to include unless -in given"}, {"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"}, {"pubkey", OPT_PUBKEY, '-', "Output public key"}, {"keyout", OPT_KEYOUT, '>', "File to write private key to"}, @@ -742,7 +743,8 @@ int req_main(int argc, char **argv) goto end; if (!newreq) { - req = load_csr(infile, informat, "X509 request"); + req = load_csr(infile /* if NULL, reads from stdin */, + informat, "X509 request"); if (req == NULL) goto end; } @@ -752,7 +754,7 @@ int req_main(int argc, char **argv) if (CAkeyfile != NULL) { if (CAfile == NULL) { BIO_printf(bio_err, - "Ignoring -CAkey option since no -CA option is given\n"); + "Warning: Ignoring -CAkey option since no -CA option is given\n"); } else { if ((CAkey = load_key(CAkeyfile, FORMAT_UNDEF, 0, passin, e, 
@@ -788,6 +790,7 @@ int req_main(int argc, char **argv) BIO_printf(bio_err, "Error making certificate request\n"); goto end; } + /* Note that -x509 can take over -key and -subj option values. */ } if (gen_x509) { EVP_PKEY *pub_key = X509_REQ_get0_pubkey(req); diff --git a/apps/x509.c b/apps/x509.c index 7236972c5b..3f0e2630f1 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -61,7 +61,7 @@ const OPTIONS x509_options[] = { {"help", OPT_HELP, '-', "Display this summary"}, {"in", OPT_IN, '<', - "Certificate input (default stdin), or CSR input file with -req"}, + "Certificate input, or CSR input file with -req (default stdin)"}, {"passin", OPT_PASSIN, 's', "Private key and cert file pass-phrase source"}, {"new", OPT_NEW, '-', "Generate a certificate from scratch"}, {"x509toreq", OPT_X509TOREQ, '-', @@ -73,7 +73,7 @@ const OPTIONS x509_options[] = { "CSR input file format (DER or PEM) - default PEM"}, {"vfyopt", OPT_VFYOPT, 's', "CSR verification parameter in n:v form"}, {"key", OPT_KEY, 's', - "Key to be used in certificate or cert request"}, + "Key for signing, and to include unless using -force_pubkey"}, {"signkey", OPT_SIGNKEY, 's', "Same as -key"}, {"keyform", OPT_KEYFORM, 'E', @@ -630,7 +630,7 @@ int x509_main(int argc, char **argv) } if (privkeyfile == NULL && pubkeyfile == NULL) { BIO_printf(bio_err, - "The -new option without -key requires using -force_pubkey\n"); + "The -new option requires using the -key or -force_pubkey option\n"); goto end; } } @@ -642,7 +642,7 @@ int x509_main(int argc, char **argv) CAkeyfile = CAfile; if (CAfile != NULL) { if (privkeyfile != NULL) { - BIO_printf(bio_err, "Cannot use both -key and -CA option\n"); + BIO_printf(bio_err, "Cannot use both -key/-signkey and -CA option\n"); goto end; } } else if (CAkeyfile != NULL) { 
@@ -819,7 +819,7 @@ int x509_main(int argc, char **argv) if (x509toreq) { /* also works in conjunction with -req */ if (privkey == NULL) { - BIO_printf(bio_err, "Must specify request key using -key\n"); + BIO_printf(bio_err, "Must specify request signing key using -key\n"); goto end; } if (clrext && ext_copy != EXT_COPY_NONE) { diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in index e78b04c65b..a21c30ba47 100644 --- a/doc/man1/openssl-req.pod.in +++ b/doc/man1/openssl-req.pod.in @@ -79,9 +79,10 @@ The data is a PKCS#10 object. =item B<-in> I -This specifies the input filename to read a request from or standard input -if this option is not specified. A request is only read if the creation -options (B<-new> or B<-newkey>) are not specified. +This specifies the input filename to read a request from. +This defaults to standard input unless B<-x509> or B<-CA> is specified. +A request is only read if the creation options +(B<-new> or B<-newkey> or B<-precert>) are not specified. =item B<-sigopt> I:I @@ -156,8 +157,13 @@ else by default an RSA key with 2048 bits length. =item B<-newkey> I -This option creates a new certificate request and a new private -key. The argument takes one of several forms. +This option is used to generate a new private key unless B<-key> is given. +It is subsequently used as if it was given using the B<-key> option. + +This option implies the B<-new> flag to create a new certificate request +or a new certificate in case B<-x509> is given. + +The argument takes one of several forms. [B]I generates an RSA key I in size. If I is omitted, i.e., B<-newkey> B is specified, 
@@ -193,9 +199,14 @@ See L for more details. =item B<-key> I|I -This specifies the key to include and to use for request self-signature -and for self-signing certificates produced with the B<-x509> option. -It also accepts PKCS#8 format private keys for PEM format files. +This option provides the private key for signing a new certificate or +certificate request. +Unless B<-in> is given, the corresponding public key is placed in +the new certificate or certificate request, resulting in a self-signature. + +For certificate signing this option is overridden by the B<-CA> option. + +This option also accepts PKCS#8 format private keys for PEM format files. =item B<-keyform> B|B|B|B @@ -268,6 +279,8 @@ This option outputs a certificate instead of a certificate request. This is typically used to generate test certificates. It is implied by the B<-CA> option. +This option implies the B<-new> flag if B<-in> is not given. + If an existing request is specified with the B<-in> option, it is converted to the a certificate; otherwise a request is created from scratch. diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in index 9c77a216c2..b86f409ce8 100644 --- a/doc/man1/openssl-x509.pod.in +++ b/doc/man1/openssl-x509.pod.in @@ -102,9 +102,11 @@ Print out a usage message. =item B<-in> I|I -If the B<-req> option is not used this specifies the input -to read a certificate from or standard input if this option is not specified. -With the B<-req> option this specifies a certificate request file. +This specifies the input to read a certificate from +or the input file for reading a certificate request if the B<-req> flag is used. +In both cases this defaults to standard input. + +This option cannot be combined with the B<-new> flag. =item B<-passin> I 
@@ -118,14 +120,14 @@ Generate a certificate from scratch, not using an input certificate or certificate request. So the B<-in> option must not be used in this case. Instead, the B<-subj> option needs to be given. The public key to include can be given with the B<-force_pubkey> option -and defaults to the key given with the B<-key> option, +and defaults to the key given with the B<-key> (or B<-signkey>) option, which implies self-signature. =item B<-x509toreq> Output a PKCS#10 certificate request (rather than a certificate). -The B<-key> option must be used to provide the private key for self-signing; -the corresponding public key is placed in the subjectPKInfo field. +The B<-key> (or B<-signkey>) option must be used to provide the private key for +self-signing; the corresponding public key is placed in the subjectPKInfo field. X.509 extensions included in a certificate input are not copied by default. X.509 extensions to be added can be specified using the B<-extfile> option. @@ -163,9 +165,12 @@ Names and values of these options are algorithm-specific. =item B<-key> I|I -This option causes the new certificate or certificate request -to be self-signed using the supplied private key. -This cannot be used in conjunction with the B<-CA> option. +This option provides the private key for signing a new certificate or +certificate request. +Unless B<-force_pubkey> is given, the corresponding public key is placed in +the new certificate or certificate request, resulting in a self-signature. + +This option cannot be used in conjunction with the B<-CA> option. It sets the issuer name to the subject name (i.e., makes it self-issued) and changes the public key to the supplied value (unless overridden 
@@ -355,8 +360,9 @@ Check that the certificate matches the specified IP address. =item B<-set_serial> I -Specifies the serial number to use. This option can be used with either -the B<-key> or B<-CA> options. If used in conjunction with the B<-CA> option +Specifies the serial number to use. +This option can be used with the B<-key>, B<-signkey>, or B<-CA> options. +If used in conjunction with the B<-CA> option the serial number file (as specified by the B<-CAserial> option) is not used. The serial number can be decimal or hex (if preceded by C<0x>). @@ -400,7 +406,8 @@ or certificate request. =item B<-force_pubkey> I When a certificate is created set its public key to the key in I -instead of the key contained in the input or given with the B<-key> option. +instead of the key contained in the input +or given with the B<-key> (or B<-signkey>) option. This option is useful for creating self-issued certificates that are not self-signed, for instance when the key cannot be used for signing, such as DH. @@ -446,7 +453,7 @@ for testing. The digest to use. This affects any signing or printing option that uses a message -digest, such as the B<-fingerprint>, B<-key> and B<-CA> options. +digest, such as the B<-fingerprint>, B<-key>, and B<-CA> options. Any digest supported by the L command can be used. If not specified then SHA1 is used with B<-fingerprint> or the default digest for the signing algorithm is used, typically SHA256. 
@@ -464,9 +471,9 @@ When present, this behaves like a "micro CA" as follows: The subject name of the "CA" certificate is placed as issuer name in the new certificate, which is then signed using the "CA" key given as detailed below. -This option cannot be used in conjunction with the B<-key> option. +This option cannot be used in conjunction with B<-key> (or B<-signkey>). This option is normally combined with the B<-req> option referencing a CSR. -Without the B<-req> option the input must be a self-signed certificate +Without the B<-req> option the input must be an existing certificate unless the B<-new> option is given, which generates a certificate from scratch. =item B<-CAform> B|B|B,
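Review bot: the apps/req.c help text for -in now reads "X.509 request input file (default stdin)" without qualification, while the doc/man1/openssl-req.pod.in hunk in the same patch says the input "defaults to standard input unless B<-x509> or B<-CA> is specified". One of the two is incomplete; please align the help string with the pod text or drop the exception from the pod. In the same file, the added comment "Note that -x509 can take over -key and -subj option values." in req_main() does not say what "take over" means or where it happens; either expand it or point to the code that does it.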
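Review bot: the apps/x509.c diagnostics are not consistent about the -signkey alias: the -CA conflict message becomes "Cannot use both -key/-signkey and -CA option", but "The -new option requires using the -key or -force_pubkey option" and "Must specify request signing key using -key" still name only -key. Since the option table states that -signkey is "Same as -key", a user who passed -signkey gets messages that refer to an option they did not type in two cases out of three. Suggest using one form in all three messages; the same applies to doc/man1/openssl-x509.pod.in, where most items now say "B<-key> (or B<-signkey>)" but the digest paragraph lists only "B<-fingerprint>, B<-key>, and B<-CA>".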

    EVP_KDF_derive newed deriving
    EVP_KDF_CTX_freenewed deriving
    EVP_KDF_CTX_reset
    EVP_KDF_CTX_free freed freed freed
    EVP_KDF_CTX_resetnewednewed
    EVP_KDF_CTX_get_params newed