From pauli at openssl.org Wed Sep 1 01:45:59 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Wed, 01 Sep 2021 01:45:59 +0000
Subject: [openssl] OpenSSL_1_1_1-stable update
Message-ID: <1630460759.608696.29578.nullmailer@dev.openssl.org>
The branch OpenSSL_1_1_1-stable has been updated
via 35cefdcab0f474deafcd769a2eb93f2c0f07051e (commit)
via 5f9c384a1cd54ff28707d8c652343d2bf636c245 (commit)
from a9972440d26e482cec9d7a8c4c0063baa20d9eac (commit)
- Log -----------------------------------------------------------------
commit 35cefdcab0f474deafcd769a2eb93f2c0f07051e
Author: Tomas Mraz
Date: Fri Aug 27 11:41:04 2021 +0200
ci: Add -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION to asan build
Reviewed-by: Bernd Edlinger
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16441)
commit 5f9c384a1cd54ff28707d8c652343d2bf636c245
Author: Tomas Mraz
Date: Fri Aug 27 11:37:10 2021 +0200
Make the -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION pass tests
Fixes #16428
Reviewed-by: Bernd Edlinger
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16441)
-----------------------------------------------------------------------
Summary of changes:
.github/workflows/ci.yml | 2 +-
crypto/asn1/a_print.c | 7 ++++---
crypto/asn1/asn1_lib.c | 11 ++++++++---
ssl/ssl_asn1.c | 2 +-
4 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6b61af9c03..367b8cf41f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -113,7 +113,7 @@ jobs:
steps:
- uses: actions/checkout at v2
- name: config
- run: ./config --debug enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 && perl configdata.pm --dump
+ run: ./config --debug enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION && perl configdata.pm --dump
- name: make
run: make -s -j4
- name: make test
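Review bot: adding -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION to the `config` step of the existing asan/ubsan job replaces the production-mode sanitizer run instead of adding a second one. With the define set, the sanitizers see the code under `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` (for example the no-NUL-terminator path in ASN1_STRING_set) and the `#else` paths that actually ship are no longer exercised by this job. Unless another job still builds with enable-asan and without the define, put the fuzzing-mode build in its own job so both variants stay covered.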
diff --git a/crypto/asn1/a_print.c b/crypto/asn1/a_print.c
index 85a631a27a..f86623fdfa 100644
--- a/crypto/asn1/a_print.c
+++ b/crypto/asn1/a_print.c
@@ -18,12 +18,13 @@ int ASN1_PRINTABLE_type(const unsigned char *s, int len)
int ia5 = 0;
int t61 = 0;
- if (len <= 0)
- len = -1;
if (s == NULL)
return V_ASN1_PRINTABLESTRING;
- while ((*s) && (len-- != 0)) {
+ if (len < 0)
+ len = strlen((const char *)s);
+
+ while (len-- > 0) {
c = *(s++);
if (!ossl_isasn1print(c))
ia5 = 1;
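Review bot: the meaning of len == 0 changes in this hunk and nothing documents it. The removed lines mapped `len <= 0` to -1, which meant "scan up to the NUL terminator"; the new code calls strlen() only for `len < 0`, so with len == 0 the loop body never runs. The loop also no longer stops at an embedded NUL when a positive len is given. Both are defensible, but the function's documentation should say so, and the file needs <string.h> for strlen() if it does not already include it.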
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
index 3d99d1383d..b9b7ad8e9e 100644
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -294,7 +294,7 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len_in)
c = str->data;
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
/* No NUL terminator in fuzzing builds */
- str->data = OPENSSL_realloc(c, len);
+ str->data = OPENSSL_realloc(c, len != 0 ? len : 1);
#else
str->data = OPENSSL_realloc(c, len + 1);
#endif
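Review bot: the comment above the changed line still reads only "No NUL terminator in fuzzing builds" and does not explain `len != 0 ? len : 1`. Extend it to say that the old call would have asked OPENSSL_realloc() for 0 bytes when the string is empty, and that a one-byte buffer is kept instead so str->data stays a valid allocation.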
@@ -307,7 +307,11 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len_in)
str->length = len;
if (data != NULL) {
memcpy(str->data, data, len);
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+ /* Set the unused byte to something non NUL and printable. */
+ if (len == 0)
+ str->data[len] = '~';
+#else
/*
* Add a NUL terminator. This should not be necessary - but we add it as
* a safety precaution
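Review bot: the '~' filler is written only inside `if (data != NULL)`, so for a call with data == NULL and len == 0 the single byte allocated in the fuzzing build is left uninitialised. If the intent is that the spare byte is always non-NUL and printable, move the `if (len == 0)` assignment outside the data check; if leaving it uninitialised in that case is deliberate, say so in the comment.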
@@ -375,7 +379,8 @@ int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
i = (a->length - b->length);
if (i == 0) {
- i = memcmp(a->data, b->data, a->length);
+ if (a->length != 0)
+ i = memcmp(a->data, b->data, a->length);
if (i == 0)
return a->type - b->type;
else
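Review bot: the new `if (a->length != 0)` guard in front of memcmp() has no comment, and a later reader may remove it as redundant because `i` is already 0 at that point and a zero-length compare would return 0 as well. If the reason is that a->data or b->data may not be a usable pointer for an empty string, a one-line comment stating that would keep the guard in place.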
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index 799fee771b..dd4a2e3203 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -225,7 +225,7 @@ static int ssl_session_strndup(char **pdst, ASN1_OCTET_STRING *src)
static int ssl_session_memcpy(unsigned char *dst, size_t *pdstlen,
ASN1_OCTET_STRING *src, size_t maxlen)
{
- if (src == NULL) {
+ if (src == NULL || src->length == 0) {
*pdstlen = 0;
return 1;
}
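Review bot: with `src->length == 0` added next to `src == NULL`, an empty octet string and an absent field now both produce *pdstlen = 0 and a success return, and the hunk does not say whether that equivalence is intended. A short comment would settle it. It is also worth confirming that the code following this block rejects a negative src->length before it is compared against maxlen, which is a size_t.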
From scan-admin at coverity.com Wed Sep 1 07:48:53 2021
From: scan-admin at coverity.com (scan-admin at coverity.com)
Date: Wed, 01 Sep 2021 07:48:53 +0000 (UTC)
Subject: Coverity Scan: Analysis completed for openssl/openssl
Message-ID: <612f3064bb977_3c7a732ad695a019a097869@prd-scan-dashboard-0.mail>
Your request for analysis of openssl/openssl has been completed successfully.
The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DV4E0_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeGG5oqraT40s8jZHaY4Qpf6btgR9hmd5xG7xlO0OUxnrW63p-2BsQcNAnSImtPI5wk9ZlIbGwBEHt94Gt1CwkeHaQSttULrsUj81wXdhKLc0yXfOPvSq31DxdoOtol2jc05yFK3J-2BHIx27OVQPrB7IaNbpkQbeeCFyNw3wss9AarSFvuuyNS8Sl20eqa9kMKxCFk-3D
Build ID: 405311
Analysis Summary:
New defects found: 0
Defects eliminated: 3
From scan-admin at coverity.com Wed Sep 1 07:53:00 2021
From: scan-admin at coverity.com (scan-admin at coverity.com)
Date: Wed, 01 Sep 2021 07:53:00 +0000 (UTC)
Subject: Coverity Scan: Analysis completed for OpenSSL-1.0.2
Message-ID: <612f315bb2a8c_3c7bc12ad695a019a097818@prd-scan-dashboard-0.mail>
Your request for analysis of OpenSSL-1.0.2 has been completed successfully.
The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3Dztak_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeH9-2F6IyN0CePAibL4LvPGmjRt-2F4gfAcfaoOy4V39RdEqENfN7iSalJDDYfIzXYFKa2C4Mwi8XWuCoojO6euP0Z6GWEFMAGA-2FsjSJXeK5UcoQTopJgtujhLo-2Fh2lk4CjNZVEXBLL60VCAy1ahU9kFTYh8XGRRag4JBAEhISICdJgD1SWzqjfaCNy-2FkapGkMZBhg-3D
Build ID: 405312
Analysis Summary:
New defects found: 0
Defects eliminated: 0
From levitte at openssl.org Wed Sep 1 14:51:15 2021
From: levitte at openssl.org (Richard Levitte)
Date: Wed, 01 Sep 2021 14:51:15 +0000
Subject: [openssl] master update
Message-ID: <1630507875.139161.23857.nullmailer@dev.openssl.org>
The branch master has been updated
via 8e706c8ae5d6abf69b1b0aa0c4ab3517607522d0 (commit)
from 59f4a51a7f2c53b9fd161b032d0fcb8a85f4f19d (commit)
- Log -----------------------------------------------------------------
commit 8e706c8ae5d6abf69b1b0aa0c4ab3517607522d0
Author: Richard Levitte
Date: Tue Aug 31 12:07:33 2021 +0200
dev/release.sh: Adjust release branch names to votes
The OTC voted today that the release branch for OpenSSL 3.0 should be
openssl-3.0 rather than openssl-3.0.x. The release script is changed
accordingly.
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16481)
-----------------------------------------------------------------------
Summary of changes:
dev/release.sh | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/dev/release.sh b/dev/release.sh
index bf5aa8af35..351ddc5528 100755
--- a/dev/release.sh
+++ b/dev/release.sh
@@ -20,7 +20,7 @@ Usage: release.sh [ options ... ]
--final Get out of "alpha" or "beta" and make a final release.
Implies --branch.
---branch Create a release branch 'openssl-{major}.{minor}.x',
+--branch Create a release branch 'openssl-{major}.{minor}',
where '{major}' and '{minor}' are the major and minor
version numbers.
@@ -218,7 +218,7 @@ if (echo "$orig_branch" \
| grep -E -q \
-e '^master$' \
-e '^OpenSSL_[0-9]+_[0-9]+_[0-9]+[a-z]*-stable$' \
- -e '^openssl-[0-9]+\.[0-9]+\.x$'); then
+ -e '^openssl-[0-9]+\.[0-9]+$'); then
:
elif $force; then
:
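Review bot: the pattern `'^openssl-[0-9]+\.[0-9]+$'` replaces the `.x` form outright, so running release.sh from a branch that was already created with the old openssl-{major}.{minor}.x name no longer matches and falls through to the `elif $force` branch. If any such branch exists, either accept both spellings for a transition period or note the rename in the script's documentation so the need for the force option is not a surprise.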
@@ -253,7 +253,7 @@ get_version
# changes for the release, the update branch is where we make the post-
# release changes
update_branch="$orig_branch"
-release_branch="openssl-$SERIES.x"
+release_branch="openssl-$SERIES"
# among others, we only create a release branch if the patch number is zero
if [ "$update_branch" = "$release_branch" ] || [ $PATCH -ne 0 ]; then
@@ -694,9 +694,9 @@ This implies B<--branch>.
=item B<--branch>
-Create a branch specific for the I.x release series, if it doesn't
+Create a branch specific for the I release series, if it doesn't
already exist, and switch to it. The exact branch name will be
-C<< openssl-I.x >>.
+C<< openssl-I >>.
=item B<--no-upload>
@@ -751,7 +751,7 @@ C<< OpenSSL_I >> for regular releases, or
C<< OpenSSL_I-preI >> for pre-releases.
From OpenSSL 3.0 ongoing, the release branches are named
-C<< openssl-I.x >>, and the release tags are named
+C<< openssl-I >>, and the release tags are named
C<< openssl-I >> for regular releases, or
C<< openssl-I-alphaI >> for alpha releases
and C<< openssl-I-betaI >> for beta releases.
From pauli at openssl.org Thu Sep 2 00:04:46 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Thu, 02 Sep 2021 00:04:46 +0000
Subject: [openssl] master update
Message-ID: <1630541086.805678.14583.nullmailer@dev.openssl.org>
The branch master has been updated
via 3a1fa0116a92235ba200228e4bb60d6a3a7f4113 (commit)
from 8e706c8ae5d6abf69b1b0aa0c4ab3517607522d0 (commit)
- Log -----------------------------------------------------------------
commit 3a1fa0116a92235ba200228e4bb60d6a3a7f4113
Author: Mattias Ellert
Date: Tue Aug 31 08:26:06 2021 +0200
Openssl fails to compile on Debian with kfreebsd kernels
(kfreebsd-amd64, kfreebsd-i386). The error reported by the compiler
is:
../crypto/uid.c: In function 'OPENSSL_issetugid':
../crypto/uid.c:50:22: error: 'AT_SECURE' undeclared (first use in this function)
50 | return getauxval(AT_SECURE) != 0;
| ^~~~~~~~~
This commit changes the code to use the freebsd code in this case.
This fixes the compilation.
CLA: trivial
Reviewed-by: Ben Kaduk
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16477)
-----------------------------------------------------------------------
Summary of changes:
crypto/uid.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/uid.c b/crypto/uid.c
index 928b83c026..698127779f 100644
--- a/crypto/uid.c
+++ b/crypto/uid.c
@@ -17,7 +17,7 @@ int OPENSSL_issetugid(void)
return 0;
}
-#elif defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || defined(__DragonFly__)
+#elif defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || defined(__DragonFly__) || (defined(__GLIBC__) && defined(__FreeBSD_kernel__))
# include
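Review bot: the added `(defined(__GLIBC__) && defined(__FreeBSD_kernel__))` term on the `#elif` line has no comment naming the platform it targets. The commit message says it is Debian with kfreebsd kernels; put that next to the condition, so it is clear why a glibc system takes the BSD branch of OPENSSL_issetugid() rather than the getauxval(AT_SECURE) one. This function reports whether the process runs set-uid or set-gid, so the choice of branch should be easy to audit.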
From pauli at openssl.org Thu Sep 2 00:05:38 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Thu, 02 Sep 2021 00:05:38 +0000
Subject: [openssl] OpenSSL_1_1_1-stable update
Message-ID: <1630541138.406221.15713.nullmailer@dev.openssl.org>
The branch OpenSSL_1_1_1-stable has been updated
via 1f8e36720fff9bdc9f08fe24a38cc91b1b78ddb0 (commit)
from 35cefdcab0f474deafcd769a2eb93f2c0f07051e (commit)
- Log -----------------------------------------------------------------
commit 1f8e36720fff9bdc9f08fe24a38cc91b1b78ddb0
Author: Mattias Ellert
Date: Tue Aug 31 08:26:06 2021 +0200
Openssl fails to compile on Debian with kfreebsd kernels
(kfreebsd-amd64, kfreebsd-i386). The error reported by the compiler
is:
../crypto/uid.c: In function 'OPENSSL_issetugid':
../crypto/uid.c:50:22: error: 'AT_SECURE' undeclared (first use in this function)
50 | return getauxval(AT_SECURE) != 0;
| ^~~~~~~~~
This commit changes the code to use the freebsd code in this case.
This fixes the compilation.
CLA: trivial
Reviewed-by: Ben Kaduk
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16477)
(cherry picked from commit 3a1fa0116a92235ba200228e4bb60d6a3a7f4113)
-----------------------------------------------------------------------
Summary of changes:
crypto/uid.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/uid.c b/crypto/uid.c
index 5e3315eeb2..a9eae36818 100644
--- a/crypto/uid.c
+++ b/crypto/uid.c
@@ -17,7 +17,7 @@ int OPENSSL_issetugid(void)
return 0;
}
-#elif defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || defined(__DragonFly__)
+#elif defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || defined(__DragonFly__) || (defined(__GLIBC__) && defined(__FreeBSD_kernel__))
# include OPENSSL_UNISTD
From pauli at openssl.org Thu Sep 2 00:06:07 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Thu, 02 Sep 2021 00:06:07 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1630541167.881339.16867.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via a0bbd4be5a8231e26322a8e0a3df68ffd1db0edb (commit)
from 59f4a51a7f2c53b9fd161b032d0fcb8a85f4f19d (commit)
- Log -----------------------------------------------------------------
commit a0bbd4be5a8231e26322a8e0a3df68ffd1db0edb
Author: Mattias Ellert
Date: Tue Aug 31 08:26:06 2021 +0200
Openssl fails to compile on Debian with kfreebsd kernels
(kfreebsd-amd64, kfreebsd-i386). The error reported by the compiler
is:
../crypto/uid.c: In function 'OPENSSL_issetugid':
../crypto/uid.c:50:22: error: 'AT_SECURE' undeclared (first use in this function)
50 | return getauxval(AT_SECURE) != 0;
| ^~~~~~~~~
This commit changes the code to use the freebsd code in this case.
This fixes the compilation.
CLA: trivial
Reviewed-by: Ben Kaduk
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16477)
(cherry picked from commit 3a1fa0116a92235ba200228e4bb60d6a3a7f4113)
-----------------------------------------------------------------------
Summary of changes:
crypto/uid.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/uid.c b/crypto/uid.c
index 928b83c026..698127779f 100644
--- a/crypto/uid.c
+++ b/crypto/uid.c
@@ -17,7 +17,7 @@ int OPENSSL_issetugid(void)
return 0;
}
-#elif defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || defined(__DragonFly__)
+#elif defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) || defined(__DragonFly__) || (defined(__GLIBC__) && defined(__FreeBSD_kernel__))
# include
From pauli at openssl.org Thu Sep 2 00:10:23 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Thu, 02 Sep 2021 00:10:23 +0000
Subject: [openssl] OpenSSL_1_1_1-stable update
Message-ID: <1630541423.738339.20565.nullmailer@dev.openssl.org>
The branch OpenSSL_1_1_1-stable has been updated
via 9e72d1a3145a0585b96fa9b4e9ab31ce35a43aba (commit)
from 1f8e36720fff9bdc9f08fe24a38cc91b1b78ddb0 (commit)
- Log -----------------------------------------------------------------
commit 9e72d1a3145a0585b96fa9b4e9ab31ce35a43aba
Author: Pauli
Date: Wed Sep 1 09:52:03 2021 +1000
doc: document the rsa_oaep_md: pkeyopt
This was missing but essential for using non-SHA1 digests with OAEP.
Fixes #15998
Manual backport of #16410
Reviewed-by: Tomas Mraz
Reviewed-by: Tim Hudson
(Merged from https://github.com/openssl/openssl/pull/16488)
-----------------------------------------------------------------------
Summary of changes:
doc/man1/pkeyutl.pod | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/doc/man1/pkeyutl.pod b/doc/man1/pkeyutl.pod
index 3b350efadd..f6fd48d5b5 100644
--- a/doc/man1/pkeyutl.pod
+++ b/doc/man1/pkeyutl.pod
@@ -246,6 +246,11 @@ B block structure.
For PSS and OAEP padding sets the MGF1 digest. If the MGF1 digest is not
explicitly set in PSS mode then the signing digest is used.
+=item BI
+
+Sets the digest used for the OAEP hash function. If not explicitly set then
+SHA1 is used.
+
=back
=head1 RSA-PSS ALGORITHM
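Review bot: the new item documents the SHA1 default for the OAEP digest but not how it relates to the MGF1 digest described in the paragraph just above it. That paragraph only states the MGF1 default for PSS mode, so a reader who sets only rsa_oaep_md cannot tell which MGF1 digest OAEP will use. State the OAEP-mode default here, because both digests have to match on the encrypting and decrypting side.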
@@ -319,6 +324,11 @@ seed consisting of the single byte 0xFF:
openssl pkeyutl -kdf TLS1-PRF -kdflen 48 -pkeyopt md:SHA256 \
-pkeyopt hexsecret:ff -pkeyopt hexseed:ff -hexdump
+Decrypt some data using a private key with OAEP padding using SHA256:
+
+ openssl pkeyutl -decrypt -in file -inkey key.pem -out secret \
+ -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
+
=head1 SEE ALSO
L, L, L
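Review bot: the added example shows only the -decrypt side. Since the new text says the OAEP digest defaults to SHA1, the ciphertext must have been produced with the same `-pkeyopt rsa_oaep_md:sha256`; add the matching -encrypt example or one sentence saying the option has to be given on both sides.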
From pauli at openssl.org Thu Sep 2 02:56:01 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Thu, 02 Sep 2021 02:56:01 +0000
Subject: [openssl] master update
Message-ID: <1630551361.079476.31497.nullmailer@dev.openssl.org>
The branch master has been updated
via 473664aafdff1f60db99929bdd43c2a9b26d14cd (commit)
from 3a1fa0116a92235ba200228e4bb60d6a3a7f4113 (commit)
- Log -----------------------------------------------------------------
commit 473664aafdff1f60db99929bdd43c2a9b26d14cd
Author: a1346054 <36859588+a1346054 at users.noreply.github.com>
Date: Thu Aug 19 11:05:15 2021 +0000
always use the same perl in $PATH
Different tests may use unexpectedly different versions of perl,
depending on whether they hardcode the path to the perl executable or if
they resolve the path from the environment. This fixes it so that the
same perl is always used.
Fix some trailing whitespace and spelling mistakes as well.
CLA: trivial
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16362)
-----------------------------------------------------------------------
Summary of changes:
.github/ISSUE_TEMPLATE.md | 4 ++--
.github/ISSUE_TEMPLATE/bug_report.md | 4 ++--
.github/ISSUE_TEMPLATE/feature_request.md | 4 ++--
.github/workflows/cross-compiles.yml | 4 ++--
.github/workflows/run-checker-ci.yml | 1 -
ACKNOWLEDGEMENTS.md | 1 -
Configurations/unix-checker.pm | 2 +-
Configurations/windows-checker.pm | 2 +-
INSTALL.md | 2 +-
dev/release-aux/fix-title.pl | 2 +-
dev/release-aux/release-state-fn.sh | 3 +--
dev/release.sh | 4 ++--
test/README-dev.md | 4 ++--
test/recipes/06-test_algorithmid.t | 4 ++--
test/recipes/06-test_rdrand_sanity.t | 4 ++--
test/recipes/80-test_cipherbytes.t | 2 +-
test/recipes/80-test_cipherlist.t | 2 +-
test/recipes/80-test_ciphername.t | 2 +-
test/recipes/90-test_includes.t | 2 +-
util/check-format.pl | 2 +-
util/echo.pl | 2 +-
util/fips-checksums.sh | 4 ++--
util/fix-deprecation | 2 +-
23 files changed, 30 insertions(+), 33 deletions(-)
diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md
index 7a89c4ef13..942a8fc5c6 100644
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -1,7 +1,7 @@
diff --git a/docs/sidebar.shtml b/docs/sidebar.shtml
index a603a43..b87c91c 100644
--- a/docs/sidebar.shtml
+++ b/docs/sidebar.shtml
@@ -10,7 +10,7 @@
Manpages
diff --git a/source/index.html b/source/index.html
index bde4983..e8477e1 100644
--- a/source/index.html
+++ b/source/index.html
@@ -30,28 +30,32 @@
A list of mirror sites can be found here.
-
Note: The latest stable version is the 1.1.1 series. This is
- also our Long Term Support (LTS) version, supported until 11th September
- 2023. All older versions (including 1.1.0, 1.0.2, 1.0.0 and 0.9.8) are
- now out of support and should not be used. Users of these older versions
- are encouraged to upgrade to 1.1.1 as soon as possible. Extended support
+
Note: The latest stable version is the 3.0 series. Also
+ available is the 1.1.1 series which is our Long Term Support (LTS)
+ version, supported until 11th September 2023. All older versions
+ (including 1.1.0, 1.0.2, 1.0.0 and 0.9.8) are now out of support and
+ should not be used. Users of these older versions are encouraged to
+ upgrade to 3.0 or 1.1.1 as soon as possible. Extended support
for 1.0.2 to gain access to security fixes for that version is
available.
-
The OpenSSL FIPS Object Module 2.0 (FOM) is also available for
- download. It is no longer receiving updates. It must be used in
- conjunction with a FIPS capable version of OpenSSL (1.0.2 series). A
- new FIPS module is currently in development.
+
OpenSSL 3.0 is the latest major version of OpenSSL. The OpenSSL FIPS
+ Object Module (FOM) 3.0 is an integrated part of the OpenSSL 3.0
+ download. You do not need to download the 3.0 FOM separately. Refer to
+ the installation instructions inside the download, and use the
+ "enable-fips" compile time configuration option to build it.
-
OpenSSL 3.0 is the next major version of OpenSSL that is currently
- in development and includes the new FIPS Object Module. A pre-release
- version of this is available below. This is for testing only. It should
- not be used in production. For an overview of some of the key concepts
- in OpenSSL 3.0 see the libcrypto
- manual page.
+
For an overview of some of the key concepts in OpenSSL 3.0 see the
+ libcrypto
+ manual page.
Information and notes about migrating existing applications to OpenSSL
3.0 are available in the
- OpenSSL 3.0 Migration Guide
The OpenSSL FIPS Object Module (FOM) 2.0 is also available for
+ download. It is no longer receiving updates. It must be used in
+ conjunction with a FIPS capable version of OpenSSL (1.0.2 series).
+
KBytes
diff --git a/source/license.html b/source/license.html
index 643045e..ec6ea5d 100644
--- a/source/license.html
+++ b/source/license.html
@@ -18,13 +18,13 @@
Copies can also be found here.
- For the 3.0.0 release, and later releases derived from that,
+ For the 3.0 release, and later releases derived from that,
the Apache License v2
applies.
This also applies to the git "master" branch.
-
+
diff --git a/docs/sub-man1-index.html.tt b/docs/sub-man1-index.html.tt
index d213130..e6a4b5d 100644
--- a/docs/sub-man1-index.html.tt
+++ b/docs/sub-man1-index.html.tt
@@ -34,7 +34,7 @@
-
+
diff --git a/docs/sub-man3-index.html.tt b/docs/sub-man3-index.html.tt
index 03aee4f..57cfd04 100644
--- a/docs/sub-man3-index.html.tt
+++ b/docs/sub-man3-index.html.tt
@@ -36,7 +36,7 @@
-
+
diff --git a/docs/sub-man5-index.html.tt b/docs/sub-man5-index.html.tt
index 9cc6826..2517295 100644
--- a/docs/sub-man5-index.html.tt
+++ b/docs/sub-man5-index.html.tt
@@ -29,7 +29,7 @@
-
+
diff --git a/docs/sub-man7-index.html.tt b/docs/sub-man7-index.html.tt
index 74c6119..799772a 100644
--- a/docs/sub-man7-index.html.tt
+++ b/docs/sub-man7-index.html.tt
@@ -29,7 +29,7 @@
-
+
From levitte at openssl.org Tue Sep 7 20:54:08 2021
From: levitte at openssl.org (Richard Levitte)
Date: Tue, 07 Sep 2021 20:54:08 +0000
Subject: [web] master update
Message-ID: <1631048048.648023.13457.nullmailer@dev.openssl.org>
The branch master has been updated
discards 4c6dea4a88da460e9bc58b24b13b0e4133465334 (commit)
via 79ff40e1b146b57350bbcafa7f245eb8254436b4 (commit)
This update added new revisions after undoing existing revisions. That is
to say, the old revision is not a strict subset of the new revision. This
situation occurs when you --force push a change and generate a repository
containing something like this:
* -- * -- B -- O -- O -- O (4c6dea4a88da460e9bc58b24b13b0e4133465334)
\
N -- N -- N (79ff40e1b146b57350bbcafa7f245eb8254436b4)
When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.
- Log -----------------------------------------------------------------
commit 79ff40e1b146b57350bbcafa7f245eb8254436b4
Author: Richard Levitte
Date: Tue Sep 7 22:38:28 2021 +0200
Correct mansidebar.html reference
-----------------------------------------------------------------------
Summary of changes:
docs/sub-index.html.tt | 2 +-
docs/sub-man1-index.html.tt | 2 +-
docs/sub-man3-index.html.tt | 2 +-
docs/sub-man5-index.html.tt | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/sub-index.html.tt b/docs/sub-index.html.tt
index f1ade79..0b02457 100644
--- a/docs/sub-index.html.tt
+++ b/docs/sub-index.html.tt
@@ -31,7 +31,7 @@
-
+
diff --git a/docs/sub-man1-index.html.tt b/docs/sub-man1-index.html.tt
index e6a4b5d..2894fcf 100644
--- a/docs/sub-man1-index.html.tt
+++ b/docs/sub-man1-index.html.tt
@@ -34,7 +34,7 @@
-
+
diff --git a/docs/sub-man3-index.html.tt b/docs/sub-man3-index.html.tt
index 57cfd04..48b21c7 100644
--- a/docs/sub-man3-index.html.tt
+++ b/docs/sub-man3-index.html.tt
@@ -36,7 +36,7 @@
-
+
diff --git a/docs/sub-man5-index.html.tt b/docs/sub-man5-index.html.tt
index 2517295..28ebb0f 100644
--- a/docs/sub-man5-index.html.tt
+++ b/docs/sub-man5-index.html.tt
@@ -29,7 +29,7 @@
-
+
From levitte at openssl.org Tue Sep 7 21:33:23 2021
From: levitte at openssl.org (Richard Levitte)
Date: Tue, 07 Sep 2021 21:33:23 +0000
Subject: [openssl] OpenSSL_1_1_1-stable update
Message-ID: <1631050403.020020.30611.nullmailer@dev.openssl.org>
The branch OpenSSL_1_1_1-stable has been updated
via 2e5cdbc18a1a26bfc817070a52689886fa0669c2 (commit)
from ed96022218e71efcf50c69cd6997ed85a2c37ffe (commit)
- Log -----------------------------------------------------------------
commit 2e5cdbc18a1a26bfc817070a52689886fa0669c2
Author: Richard Levitte
Date: Mon Sep 6 13:40:43 2021 +0200
VMS: Compensate for compiler type incompatibility
The compiler says that 'unsigned long long' isn't the same as
'unsigned __int64'. Sure, and considering that crypto/rand/rand_vms.c
is specific VMS only code, it's easy to just change the type to the
exact same as what's specified in the system headers.
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/15613)
-----------------------------------------------------------------------
Summary of changes:
crypto/rand/rand_vms.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/rand/rand_vms.c b/crypto/rand/rand_vms.c
index 61c2f10299..fe516c3ca5 100644
--- a/crypto/rand/rand_vms.c
+++ b/crypto/rand/rand_vms.c
@@ -484,7 +484,7 @@ int rand_pool_add_nonce_data(RAND_POOL *pool)
struct {
pid_t pid;
CRYPTO_THREAD_ID tid;
- uint64_t time;
+ unsigned __int64_t time;
} data = { 0 };
/*
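Review bot: the new member type `unsigned __int64_t time;` does not match the commit message, which names the system type as 'unsigned __int64'. Please check which spelling the VMS system headers use; if `__int64_t` is itself a typedef, prefixing it with `unsigned` is not the same construct as `unsigned __int64`. The identical line appears in the rand_pool_add_additional_data() hunk that follows.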
@@ -582,7 +582,7 @@ int rand_pool_add_additional_data(RAND_POOL *pool)
{
struct {
CRYPTO_THREAD_ID tid;
- uint64_t time;
+ unsigned __int64_t time;
} data = { 0 };
/*
From pauli at openssl.org Wed Sep 8 03:32:09 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Wed, 08 Sep 2021 03:32:09 +0000
Subject: [openssl] master update
Message-ID: <1631071929.989705.13822.nullmailer@dev.openssl.org>
The branch master has been updated
via 994fa5f9861df94c07699cb118ad5c5470a868b2 (commit)
from a04b06573e2b3c6a5c703a60bd95354c6c6e91dc (commit)
- Log -----------------------------------------------------------------
commit 994fa5f9861df94c07699cb118ad5c5470a868b2
Author: Zengit
Date: Tue Aug 24 05:06:04 2021 +0300
Socket now displays what address it is connecting to
CLA: trivial
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16392)
-----------------------------------------------------------------------
Summary of changes:
apps/lib/s_socket.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/apps/lib/s_socket.c b/apps/lib/s_socket.c
index dbeebb54c5..1dd30ac724 100644
--- a/apps/lib/s_socket.c
+++ b/apps/lib/s_socket.c
@@ -172,6 +172,8 @@ int init_client(int *sock, const char *host, const char *port,
break;
}
+ BIO_printf(bio_out, "Connecting to %s\n", BIO_ADDR_hostname_string(BIO_ADDRINFO_address(ai), 1));
+
if (*sock == INVALID_SOCKET) {
if (bindaddr != NULL && !found) {
BIO_printf(bio_err, "Can't bind %saddress for %s%s%s\n",
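Review bot: the string returned by `BIO_ADDR_hostname_string(BIO_ADDRINFO_address(ai), 1)` is passed straight to BIO_printf() and never stored, so it cannot be released; that function returns an allocated string that has to be freed with OPENSSL_free(). It can also return NULL on failure, which should not reach `%s`. Store the result in a local, print only when it is non-NULL, then free it. The message is also emitted before the `*sock == INVALID_SOCKET` check, so it is printed on the failure path too; check that `ai` is still a valid entry at that point.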
From matt at openssl.org Wed Sep 8 13:34:15 2021
From: matt at openssl.org (Matt Caswell)
Date: Wed, 08 Sep 2021 13:34:15 +0000
Subject: [web] master update
Message-ID: <1631108055.315149.24395.nullmailer@dev.openssl.org>
The branch master has been updated
via 6850835feb4bc989b2e5465163b065c44bed644a (commit)
from 79ff40e1b146b57350bbcafa7f245eb8254436b4 (commit)
- Log -----------------------------------------------------------------
commit 6850835feb4bc989b2e5465163b065c44bed644a
Author: Matt Caswell
Date: Wed Sep 8 12:46:23 2021 +0100
Update the secondary platform definition
Updates to the definition as per an OMC vote
Reviewed-by: Tim Hudson
Reviewed-by: Richard Levitte
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/web/pull/260)
-----------------------------------------------------------------------
Summary of changes:
policies/platformpolicy.html | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/policies/platformpolicy.html b/policies/platformpolicy.html
index 5d59af8..24b4829 100644
--- a/policies/platformpolicy.html
+++ b/policies/platformpolicy.html
@@ -29,8 +29,9 @@
Secondary
- Targets which at least one team member actively
- supports.
+ Targets which at least one team member actively supports, or the
+ platform is covered by CI and at least one team member has access to
+ the platform. The current secondary development platforms
are: FreeBSD, Windows (Visual Studio, MinGW), MacOS
From levitte at openssl.org Wed Sep 8 14:28:25 2021
From: levitte at openssl.org (Richard Levitte)
Date: Wed, 08 Sep 2021 14:28:25 +0000
Subject: [openssl] master update
Message-ID: <1631111305.452787.4281.nullmailer@dev.openssl.org>
The branch master has been updated
via 116799ff6a8fc803ec4685fc432c7329d0511e23 (commit)
from 994fa5f9861df94c07699cb118ad5c5470a868b2 (commit)
- Log -----------------------------------------------------------------
commit 116799ff6a8fc803ec4685fc432c7329d0511e23
Author: Richard Levitte
Date: Tue Sep 7 11:48:07 2021 +0200
DOCS: Update the page for 'openssl passwd' to not duplicate some info
The options -1 and -apr1 were mentioned in DESCRIPTION, not mentioning
any other options or even mentioning that there are more algorithms.
The simple fix is to remove that sentence and let the OPTIONS section
speak for itself.
Fixes #16529
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16531)
-----------------------------------------------------------------------
Summary of changes:
doc/man1/openssl-passwd.pod.in | 2 --
1 file changed, 2 deletions(-)
diff --git a/doc/man1/openssl-passwd.pod.in b/doc/man1/openssl-passwd.pod.in
index ed68bab495..314fe4fe72 100644
--- a/doc/man1/openssl-passwd.pod.in
+++ b/doc/man1/openssl-passwd.pod.in
@@ -31,8 +31,6 @@ This command computes the hash of a password typed at
run-time or the hash of each password in a list. The password list is
taken from the named file for option B<-in>, from stdin for
option B<-stdin>, or from the command line, or from the terminal otherwise.
-The MD5-based BSD password algorithm B<-1>, its Apache variant B<-apr1>,
-and its AIX variant are available.
=head1 OPTIONS
From levitte at openssl.org Wed Sep 8 14:29:03 2021
From: levitte at openssl.org (Richard Levitte)
Date: Wed, 08 Sep 2021 14:29:03 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631111343.408666.5580.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via ced5078399bc0249d2b28df4f51ec34abd022b7f (commit)
from 50a0298a71fe2cdd5fc7f4e71c1deb1d4e901f1e (commit)
- Log -----------------------------------------------------------------
commit ced5078399bc0249d2b28df4f51ec34abd022b7f
Author: Richard Levitte
Date: Tue Sep 7 11:48:07 2021 +0200
DOCS: Update the page for 'openssl passwd' to not duplicate some info
The options -1 and -apr1 were mentioned in DESCRIPTION, not mentioning
any other options or even mentioning that there are more algorithms.
The simple fix is to remove that sentence and let the OPTIONS section
speak for itself.
Fixes #16529
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16531)
(cherry picked from commit 116799ff6a8fc803ec4685fc432c7329d0511e23)
-----------------------------------------------------------------------
Summary of changes:
doc/man1/openssl-passwd.pod.in | 2 --
1 file changed, 2 deletions(-)
diff --git a/doc/man1/openssl-passwd.pod.in b/doc/man1/openssl-passwd.pod.in
index ed68bab495..314fe4fe72 100644
--- a/doc/man1/openssl-passwd.pod.in
+++ b/doc/man1/openssl-passwd.pod.in
@@ -31,8 +31,6 @@ This command computes the hash of a password typed at
run-time or the hash of each password in a list. The password list is
taken from the named file for option B<-in>, from stdin for
option B<-stdin>, or from the command line, or from the terminal otherwise.
-The MD5-based BSD password algorithm B<-1>, its Apache variant B<-apr1>,
-and its AIX variant are available.
=head1 OPTIONS
From levitte at openssl.org Wed Sep 8 14:30:50 2021
From: levitte at openssl.org (Richard Levitte)
Date: Wed, 08 Sep 2021 14:30:50 +0000
Subject: [openssl] OpenSSL_1_1_1-stable update
Message-ID: <1631111450.735090.8462.nullmailer@dev.openssl.org>
The branch OpenSSL_1_1_1-stable has been updated
via 61ac53426e7873ead414b9259eb4446e2608209b (commit)
from 2e5cdbc18a1a26bfc817070a52689886fa0669c2 (commit)
- Log -----------------------------------------------------------------
commit 61ac53426e7873ead414b9259eb4446e2608209b
Author: Richard Levitte
Date: Tue Sep 7 11:48:07 2021 +0200
DOCS: Update the page for 'openssl passwd' to not duplicate some info
The options -1 and -apr1 were mentioned in DESCRIPTION, not mentioning
any other options or even mentioning that there are more algorithms.
The simple fix is to remove that sentence and let the OPTIONS section
speak for itself.
Fixes #16529
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16531)
(cherry picked from commit 116799ff6a8fc803ec4685fc432c7329d0511e23)
-----------------------------------------------------------------------
Summary of changes:
doc/man1/passwd.pod | 2 --
1 file changed, 2 deletions(-)
diff --git a/doc/man1/passwd.pod b/doc/man1/passwd.pod
index c5760fe76e..c651f65544 100644
--- a/doc/man1/passwd.pod
+++ b/doc/man1/passwd.pod
@@ -31,8 +31,6 @@ The B command computes the hash of a password typed at
run-time or the hash of each password in a list. The password list is
taken from the named file for option B<-in file>, from stdin for
option B<-stdin>, or from the command line, or from the terminal otherwise.
-The Unix standard algorithm B and the MD5-based BSD password
-algorithm B<1>, its Apache variant B, and its AIX variant are available.
=head1 OPTIONS
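Review bot: On this branch the removed sentence also names the Unix standard algorithm, which the sentence removed on openssl-3.0 did not, so the cherry-pick is not textually the same change. Check that the 1.1.1 OPTIONS section documents that algorithm as well before dropping its only mention in DESCRIPTION.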
From levitte at openssl.org Wed Sep 8 14:36:07 2021
From: levitte at openssl.org (Richard Levitte)
Date: Wed, 08 Sep 2021 14:36:07 +0000
Subject: [openssl] master update
Message-ID: <1631111767.721305.13585.nullmailer@dev.openssl.org>
The branch master has been updated
via c6ee5d5b42e27b407dfc1fc8845e08c5a75e2221 (commit)
from 116799ff6a8fc803ec4685fc432c7329d0511e23 (commit)
- Log -----------------------------------------------------------------
commit c6ee5d5b42e27b407dfc1fc8845e08c5a75e2221
Author: Richard Levitte
Date: Tue Sep 7 12:48:52 2021 +0200
Fix test/recipes/90-test_fipsload.t to use bldtop_file for the FIPS module
It used bldtop_dir(), which is incorrect for files.
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16532)
-----------------------------------------------------------------------
Summary of changes:
test/recipes/90-test_fipsload.t | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/recipes/90-test_fipsload.t b/test/recipes/90-test_fipsload.t
index 9aa39da0e4..7537e2cb75 100644
--- a/test/recipes/90-test_fipsload.t
+++ b/test/recipes/90-test_fipsload.t
@@ -6,7 +6,7 @@
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
-use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir/;
+use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir bldtop_file/;
use OpenSSL::Test::Utils;
BEGIN {
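Review bot: The import list on the added "use OpenSSL::Test" line still carries bldtop_dir, while the only call shown in this patch moves to bldtop_file. If nothing else in the recipe calls bldtop_dir, drop it from the qw// list so the imports match what the test uses.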
@@ -25,7 +25,7 @@ plan skip_all => 'Test is disabled in an address sanitizer build' unless disable
plan tests => 1;
-my $fips = bldtop_dir('providers', platform->dso('fips'));
+my $fips = bldtop_file('providers', platform->dso('fips'));
ok(run(test(['moduleloadtest', $fips, 'OSSL_provider_init'])),
"trying to load $fips in its own");
From levitte at openssl.org Wed Sep 8 14:36:47 2021
From: levitte at openssl.org (Richard Levitte)
Date: Wed, 08 Sep 2021 14:36:47 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631111807.710470.15139.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via 03943ae71dfd1ac37cb9675197ea59cc2718f099 (commit)
from ced5078399bc0249d2b28df4f51ec34abd022b7f (commit)
- Log -----------------------------------------------------------------
commit 03943ae71dfd1ac37cb9675197ea59cc2718f099
Author: Richard Levitte
Date: Tue Sep 7 12:48:52 2021 +0200
Fix test/recipes/90-test_fipsload.t to use bldtop_file for the FIPS module
It used bldtop_dir(), which is incorrect for files.
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16532)
(cherry picked from commit c6ee5d5b42e27b407dfc1fc8845e08c5a75e2221)
-----------------------------------------------------------------------
Summary of changes:
test/recipes/90-test_fipsload.t | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/recipes/90-test_fipsload.t b/test/recipes/90-test_fipsload.t
index 9aa39da0e4..7537e2cb75 100644
--- a/test/recipes/90-test_fipsload.t
+++ b/test/recipes/90-test_fipsload.t
@@ -6,7 +6,7 @@
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
-use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir/;
+use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir bldtop_file/;
use OpenSSL::Test::Utils;
BEGIN {
@@ -25,7 +25,7 @@ plan skip_all => 'Test is disabled in an address sanitizer build' unless disable
plan tests => 1;
-my $fips = bldtop_dir('providers', platform->dso('fips'));
+my $fips = bldtop_file('providers', platform->dso('fips'));
ok(run(test(['moduleloadtest', $fips, 'OSSL_provider_init'])),
"trying to load $fips in its own");
From pauli at openssl.org Thu Sep 9 06:41:13 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Thu, 09 Sep 2021 06:41:13 +0000
Subject: [openssl] master update
Message-ID: <1631169673.663815.5367.nullmailer@dev.openssl.org>
The branch master has been updated
via 81280137a1f33685d7d7fc531ea8fbac38e9a4b7 (commit)
from c6ee5d5b42e27b407dfc1fc8845e08c5a75e2221 (commit)
- Log -----------------------------------------------------------------
commit 81280137a1f33685d7d7fc531ea8fbac38e9a4b7
Author: Pauli
Date: Wed Sep 8 09:28:57 2021 +1000
Fix the example SSH KDF code.
A salt was being set instead of a session ID.
Fixes #16525
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16550)
-----------------------------------------------------------------------
Summary of changes:
doc/man7/EVP_KDF-SSHKDF.pod | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/man7/EVP_KDF-SSHKDF.pod b/doc/man7/EVP_KDF-SSHKDF.pod
index 74d1b71aca..08369abff1 100644
--- a/doc/man7/EVP_KDF-SSHKDF.pod
+++ b/doc/man7/EVP_KDF-SSHKDF.pod
@@ -121,7 +121,7 @@ This example derives an 8 byte IV using SHA-256 with a 1K "key" and appropriate
key, (size_t)1024);
*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH,
xcghash, (size_t)32);
- *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
session_id, (size_t)32);
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE,
&type, sizeof(type));
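Review bot: The lengths on the lines around the fix are hard-coded, "xcghash, (size_t)32" and "session_id, (size_t)32". Since this example gets copied into applications, derive them from the buffers (sizeof, if they are arrays) or from named constants, so a buffer of another size cannot be paired with a stale length. The page text should also say in words that the session ID goes in under OSSL_KDF_PARAM_SSHKDF_SESSION_ID and not OSSL_KDF_PARAM_SALT, given that the example itself had it wrong.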
From pauli at openssl.org Thu Sep 9 06:42:21 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Thu, 09 Sep 2021 06:42:21 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631169741.622774.6754.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via c076f7b6d53454b5a3a1c837a5ea71b7c6fbebe9 (commit)
from 03943ae71dfd1ac37cb9675197ea59cc2718f099 (commit)
- Log -----------------------------------------------------------------
commit c076f7b6d53454b5a3a1c837a5ea71b7c6fbebe9
Author: Pauli
Date: Wed Sep 8 09:28:57 2021 +1000
Fix the example SSH KDF code.
A salt was being set instead of a session ID.
Fixes #16525
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16550)
(cherry picked from commit 81280137a1f33685d7d7fc531ea8fbac38e9a4b7)
-----------------------------------------------------------------------
Summary of changes:
doc/man7/EVP_KDF-SSHKDF.pod | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/man7/EVP_KDF-SSHKDF.pod b/doc/man7/EVP_KDF-SSHKDF.pod
index 74d1b71aca..08369abff1 100644
--- a/doc/man7/EVP_KDF-SSHKDF.pod
+++ b/doc/man7/EVP_KDF-SSHKDF.pod
@@ -121,7 +121,7 @@ This example derives an 8 byte IV using SHA-256 with a 1K "key" and appropriate
key, (size_t)1024);
*p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH,
xcghash, (size_t)32);
- *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
session_id, (size_t)32);
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE,
&type, sizeof(type));
From tomas at openssl.org Thu Sep 9 07:33:10 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Thu, 09 Sep 2021 07:33:10 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631172790.001786.17861.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via de26f8fad7948adc935ab0aae2fc9fa5d6c11411 (commit)
from c076f7b6d53454b5a3a1c837a5ea71b7c6fbebe9 (commit)
- Log -----------------------------------------------------------------
commit de26f8fad7948adc935ab0aae2fc9fa5d6c11411
Author: PW Hu
Date: Wed Sep 8 09:13:20 2021 +0800
Fix some documentation errors
CLA: trivial
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16553)
(cherry picked from commit 5ecf10a0d2fb1c858b25afd5e48eafe6ef76edd4)
-----------------------------------------------------------------------
Summary of changes:
doc/man3/ASN1_item_d2i_bio.pod | 8 ++++----
doc/man3/OSSL_CMP_MSG_get0_header.pod | 2 +-
doc/man3/OSSL_HTTP_REQ_CTX.pod | 3 +--
3 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/doc/man3/ASN1_item_d2i_bio.pod b/doc/man3/ASN1_item_d2i_bio.pod
index 9083f85f69..bdf5c48096 100644
--- a/doc/man3/ASN1_item_d2i_bio.pod
+++ b/doc/man3/ASN1_item_d2i_bio.pod
@@ -10,15 +10,15 @@ ASN1_item_d2i_fp_ex, ASN1_item_d2i_fp, ASN1_item_i2d_mem_bio
#include
- ASN1_VALUE *ASN1_item_d2i_ex(ASN1_VALUE **val, const unsigned char **in,
+ ASN1_VALUE *ASN1_item_d2i_ex(ASN1_VALUE **pval, const unsigned char **in,
long len, const ASN1_ITEM *it,
OSSL_LIB_CTX *libctx, const char *propq);
- ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **val, const unsigned char **in,
+ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, const unsigned char **in,
long len, const ASN1_ITEM *it);
- void *ASN1_item_d2i_bio_ex(const ASN1_ITEM *it, BIO *in, void *pval,
+ void *ASN1_item_d2i_bio_ex(const ASN1_ITEM *it, BIO *in, void *x,
OSSL_LIB_CTX *libctx, const char *propq);
- void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *pval);
+ void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x);
void *ASN1_item_d2i_fp_ex(const ASN1_ITEM *it, FILE *in, void *x,
OSSL_LIB_CTX *libctx, const char *propq);
diff --git a/doc/man3/OSSL_CMP_MSG_get0_header.pod b/doc/man3/OSSL_CMP_MSG_get0_header.pod
index 32cdf81187..741349cd6e 100644
--- a/doc/man3/OSSL_CMP_MSG_get0_header.pod
+++ b/doc/man3/OSSL_CMP_MSG_get0_header.pod
@@ -20,7 +20,7 @@ i2d_OSSL_CMP_MSG_bio
int OSSL_CMP_MSG_get_bodytype(const OSSL_CMP_MSG *msg);
int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid);
- OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file);
+ OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx, const char *propq);
int OSSL_CMP_MSG_write(const char *file, const OSSL_CMP_MSG *msg);
OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg);
int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg);
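Review bot: The new OSSL_CMP_MSG_read() prototype adds libctx and propq to the synopsis only. The diffstat for this file is a single changed line, so nothing in the description explains the two new arguments; add that text. The added line is also much longer than the wrapped prototypes elsewhere in this commit and should be broken after the first argument.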
diff --git a/doc/man3/OSSL_HTTP_REQ_CTX.pod b/doc/man3/OSSL_HTTP_REQ_CTX.pod
index 38f57f5cd6..0c270780e1 100644
--- a/doc/man3/OSSL_HTTP_REQ_CTX.pod
+++ b/doc/man3/OSSL_HTTP_REQ_CTX.pod
@@ -70,8 +70,7 @@ The allocated context structure is also populated with an internal allocated
memory B, which collects the HTTP request and additional headers as text.
OSSL_HTTP_REQ_CTX_free() frees up the HTTP request context I.
-The I and I are not free'd and it is up to the application
-to do so.
+The I is not free'd, I will be free'd if I is set.
OSSL_HTTP_REQ_CTX_set_request_line() adds the HTTP request line to the context.
The HTTP method is determined by I,
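Review bot: The added sentence on OSSL_HTTP_REQ_CTX_free() reverses part of the documented ownership rule. The removed lines told the application to free both objects itself, so code written against the old text risks freeing the second one twice when the condition holds. State that change explicitly, and split the comma-joined sentence into two so that it is unambiguous which object is freed and under which setting.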
From tomas at openssl.org Thu Sep 9 07:32:32 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Thu, 09 Sep 2021 07:32:32 +0000
Subject: [openssl] master update
Message-ID: <1631172752.405819.16149.nullmailer@dev.openssl.org>
The branch master has been updated
via 5ecf10a0d2fb1c858b25afd5e48eafe6ef76edd4 (commit)
from 81280137a1f33685d7d7fc531ea8fbac38e9a4b7 (commit)
- Log -----------------------------------------------------------------
commit 5ecf10a0d2fb1c858b25afd5e48eafe6ef76edd4
Author: PW Hu
Date: Wed Sep 8 09:13:20 2021 +0800
Fix some documentation errors
CLA: trivial
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16553)
-----------------------------------------------------------------------
Summary of changes:
doc/man3/ASN1_item_d2i_bio.pod | 8 ++++----
doc/man3/OSSL_CMP_MSG_get0_header.pod | 2 +-
doc/man3/OSSL_HTTP_REQ_CTX.pod | 3 +--
3 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/doc/man3/ASN1_item_d2i_bio.pod b/doc/man3/ASN1_item_d2i_bio.pod
index 9083f85f69..bdf5c48096 100644
--- a/doc/man3/ASN1_item_d2i_bio.pod
+++ b/doc/man3/ASN1_item_d2i_bio.pod
@@ -10,15 +10,15 @@ ASN1_item_d2i_fp_ex, ASN1_item_d2i_fp, ASN1_item_i2d_mem_bio
#include
- ASN1_VALUE *ASN1_item_d2i_ex(ASN1_VALUE **val, const unsigned char **in,
+ ASN1_VALUE *ASN1_item_d2i_ex(ASN1_VALUE **pval, const unsigned char **in,
long len, const ASN1_ITEM *it,
OSSL_LIB_CTX *libctx, const char *propq);
- ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **val, const unsigned char **in,
+ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, const unsigned char **in,
long len, const ASN1_ITEM *it);
- void *ASN1_item_d2i_bio_ex(const ASN1_ITEM *it, BIO *in, void *pval,
+ void *ASN1_item_d2i_bio_ex(const ASN1_ITEM *it, BIO *in, void *x,
OSSL_LIB_CTX *libctx, const char *propq);
- void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *pval);
+ void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x);
void *ASN1_item_d2i_fp_ex(const ASN1_ITEM *it, FILE *in, void *x,
OSSL_LIB_CTX *libctx, const char *propq);
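Review bot: The renames in this hunk (val to pval for ASN1_item_d2i_ex and ASN1_item_d2i, pval to x for the two _bio functions) touch the prototypes only, matching the 4-in/4-out diffstat for this file. Check that the DESCRIPTION paragraphs use the same names, otherwise the page describes arguments that no longer appear in the synopsis.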
diff --git a/doc/man3/OSSL_CMP_MSG_get0_header.pod b/doc/man3/OSSL_CMP_MSG_get0_header.pod
index 32cdf81187..741349cd6e 100644
--- a/doc/man3/OSSL_CMP_MSG_get0_header.pod
+++ b/doc/man3/OSSL_CMP_MSG_get0_header.pod
@@ -20,7 +20,7 @@ i2d_OSSL_CMP_MSG_bio
int OSSL_CMP_MSG_get_bodytype(const OSSL_CMP_MSG *msg);
int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid);
- OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file);
+ OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx, const char *propq);
int OSSL_CMP_MSG_write(const char *file, const OSSL_CMP_MSG *msg);
OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg);
int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg);
diff --git a/doc/man3/OSSL_HTTP_REQ_CTX.pod b/doc/man3/OSSL_HTTP_REQ_CTX.pod
index 38f57f5cd6..0c270780e1 100644
--- a/doc/man3/OSSL_HTTP_REQ_CTX.pod
+++ b/doc/man3/OSSL_HTTP_REQ_CTX.pod
@@ -70,8 +70,7 @@ The allocated context structure is also populated with an internal allocated
memory B, which collects the HTTP request and additional headers as text.
OSSL_HTTP_REQ_CTX_free() frees up the HTTP request context I.
-The I and I are not free'd and it is up to the application
-to do so.
+The I is not free'd, I will be free'd if I is set.
OSSL_HTTP_REQ_CTX_set_request_line() adds the HTTP request line to the context.
The HTTP method is determined by I,
From pauli at openssl.org Thu Sep 9 08:32:53 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Thu, 09 Sep 2021 08:32:53 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631176373.573660.29147.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via 8ad183c1448551d715ac255c612e982d04637463 (commit)
from de26f8fad7948adc935ab0aae2fc9fa5d6c11411 (commit)
- Log -----------------------------------------------------------------
commit 8ad183c1448551d715ac255c612e982d04637463
Author: Pauli
Date: Thu Sep 9 14:39:37 2021 +1000
Remove end of line whitespace to appease CI checks
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16567)
-----------------------------------------------------------------------
Summary of changes:
CHANGES.md | 2 +-
NEWS.md | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 6177b57c2e..21e8d2029a 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -30,7 +30,7 @@ breaking changes, and mappings for the large list of deprecated functions.
### Changes between 3.0.0 and 3.0.1 [xx XXX xxxx]
- *
+ *
### Changes between 1.1.1 and 3.0.0 [7 sep 2021]
diff --git a/NEWS.md b/NEWS.md
index f3dde1a2f7..0b1fc5fe97 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -20,7 +20,7 @@ OpenSSL 3.0
### Major changes between OpenSSL 3.0.0 and OpenSSL 3.0.1 [under development]
- *
+ *
### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0.0 [7 sep 2021]
From levitte at openssl.org Thu Sep 9 09:22:32 2021
From: levitte at openssl.org (Richard Levitte)
Date: Thu, 09 Sep 2021 09:22:32 +0000
Subject: [openssl] OpenSSL_1_1_1-stable update
Message-ID: <1631179352.190190.545.nullmailer@dev.openssl.org>
The branch OpenSSL_1_1_1-stable has been updated
via 2753b6ff7f0b91c7ddeb72a6a08948ca28d12a91 (commit)
from 61ac53426e7873ead414b9259eb4446e2608209b (commit)
- Log -----------------------------------------------------------------
commit 2753b6ff7f0b91c7ddeb72a6a08948ca28d12a91
Author: Richard Levitte
Date: Wed Sep 8 10:49:27 2021 +0200
VMS: Fix misspelt type
'__int64', not 'int64_t'
Ref: commit 2e5cdbc18a1a26bfc817070a52689886fa0669c2
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16557)
-----------------------------------------------------------------------
Summary of changes:
crypto/rand/rand_vms.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/rand/rand_vms.c b/crypto/rand/rand_vms.c
index fe516c3ca5..4afc101295 100644
--- a/crypto/rand/rand_vms.c
+++ b/crypto/rand/rand_vms.c
@@ -484,7 +484,7 @@ int rand_pool_add_nonce_data(RAND_POOL *pool)
struct {
pid_t pid;
CRYPTO_THREAD_ID tid;
- unsigned __int64_t time;
+ unsigned __int64 time;
} data = { 0 };
/*
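Review bot: The misspelt "unsigned __int64_t time;" is corrected in both hunks of this file, and it had already landed on the stable branch, which suggests rand_vms.c is not compiled by any check that runs before merge. The struct feeds rand_pool_add_nonce_data(), so a build break here disables the platform's nonce source entirely; note in the PR how the fix was compiled on VMS, and consider a build job or a documented manual step for changes to this file.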
@@ -582,7 +582,7 @@ int rand_pool_add_additional_data(RAND_POOL *pool)
{
struct {
CRYPTO_THREAD_ID tid;
- unsigned __int64_t time;
+ unsigned __int64 time;
} data = { 0 };
/*
From levitte at openssl.org Thu Sep 9 09:26:22 2021
From: levitte at openssl.org (Richard Levitte)
Date: Thu, 09 Sep 2021 09:26:22 +0000
Subject: [openssl] master update
Message-ID: <1631179582.759681.8030.nullmailer@dev.openssl.org>
The branch master has been updated
via 2fe2279d1f3bbfa934e432d4f2c3a7e6a6b0f958 (commit)
from 5ecf10a0d2fb1c858b25afd5e48eafe6ef76edd4 (commit)
- Log -----------------------------------------------------------------
commit 2fe2279d1f3bbfa934e432d4f2c3a7e6a6b0f958
Author: Richard Levitte
Date: Tue Sep 7 10:00:12 2021 +0200
Enhance the srctop, bldtop, data and result functions to check the result
This affects bldtop_dir, bldtop_file, srctop_dir, srctop_file,
data_dir, data_file, result_dir, and result_file. They are all
enhanced to check that the resulting path really is a directory or a
file. They only do this if the path exists.
This allows the tests to catch if these functions are used
incorrectly, even on systems where the syntax for directories and
files is the same.
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16523)
-----------------------------------------------------------------------
Summary of changes:
util/perl/OpenSSL/Test.pm | 60 +++++++++++++++++++++++++++++++++--------------
1 file changed, 43 insertions(+), 17 deletions(-)
diff --git a/util/perl/OpenSSL/Test.pm b/util/perl/OpenSSL/Test.pm
index 00ef1832d3..3123c1d3ec 100644
--- a/util/perl/OpenSSL/Test.pm
+++ b/util/perl/OpenSSL/Test.pm
@@ -10,6 +10,7 @@ package OpenSSL::Test;
use strict;
use warnings;
+use Carp;
use Test::More 0.96;
use Exporter;
@@ -557,8 +558,11 @@ operating system.
=cut
sub bldtop_dir {
- return __bldtop_dir(@_); # This caters for operating systems that have
+ my $d = __bldtop_dir(@_); # This caters for operating systems that have
# a very distinct syntax for directories.
+
+ croak "$d isn't a directory" if -e $d && ! -d $d;
+ return $d;
}
=over 4
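Review bot: The pair added here, a croak on "-e $d && ! -d $d" followed by "return $d", is repeated in every accessor this patch touches (four directory variants and four file variants). Move it into two small internal helpers so the message text and the exists-then-check logic live in one place and cannot drift between functions.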
@@ -576,7 +580,10 @@ operating system.
=cut
sub bldtop_file {
- return __bldtop_file(@_);
+ my $f = __bldtop_file(@_);
+
+ croak "$f isn't a file" if -e $f && ! -f $f;
+ return $f;
}
=over 4
@@ -594,8 +601,11 @@ operating system.
=cut
sub srctop_dir {
- return __srctop_dir(@_); # This caters for operating systems that have
+ my $d = __srctop_dir(@_); # This caters for operating systems that have
# a very distinct syntax for directories.
+
+ croak "$d isn't a directory" if -e $d && ! -d $d;
+ return $d;
}
=over 4
@@ -613,7 +623,10 @@ operating system.
=cut
sub srctop_file {
- return __srctop_file(@_);
+ my $f = __srctop_file(@_);
+
+ croak "$f isn't a file" if -e $f && ! -f $f;
+ return $f;
}
=over 4
@@ -630,7 +643,10 @@ operating system.
=cut
sub data_dir {
- return __data_dir(@_);
+ my $d = __data_dir(@_);
+
+ croak "$d isn't a directory" if -e $d && ! -d $d;
+ return $d;
}
=over 4
@@ -647,15 +663,20 @@ file path as a string, adapted to the local operating system.
=cut
sub data_file {
- return __data_file(@_);
+ my $f = __data_file(@_);
+
+ croak "$f isn't a file" if -e $f && ! -f $f;
+ return $f;
}
=over 4
-=item B
+=item B
-C returns the directory where test output files should be placed
-as a string, adapted to the local operating system.
+LIST is a list of directories that make up a path from the result directory
+associated with the test (see L above).
+C returns the resulting directory as a string, adapted to the local
+operating system.
=back
@@ -664,17 +685,20 @@ as a string, adapted to the local operating system.
sub result_dir {
BAIL_OUT("Must run setup() first") if (! $test_name);
- return catfile($directories{RESULTS});
+ my $d = catdir($directories{RESULTS}, at _);
+
+ croak "$d isn't a directory" if -e $d && ! -d $d;
+ return $d;
}
=over 4
-=item B
+=item B
-FILENAME is the name of a test output file.
-C returns the path of the given file as a string,
-prepending to the file name the path to the directory where test output files
-should be placed, adapted to the local operating system.
+LIST is a list of directories that make up a path from the data directory
+associated with the test (see L above) and FILENAME is the name
+of a file located in that directory path. C returns the resulting
+file path as a string, adapted to the local operating system.
=back
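Review bot: The new description added for result_file says LIST is "a path from the data directory associated with the test", which looks copied from data_file. The function in the next hunk builds on result_dir(), so this should say the result directory.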
@@ -683,8 +707,10 @@ should be placed, adapted to the local operating system.
sub result_file {
BAIL_OUT("Must run setup() first") if (! $test_name);
- my $f = pop;
- return catfile(result_dir(), at _,$f);
+ my $f = catfile(result_dir(), at _);
+
+ croak "$f isn't a file" if -e $f && ! -f $f;
+ return $f;
}
=over 4
From levitte at openssl.org Thu Sep 9 10:08:13 2021
From: levitte at openssl.org (Richard Levitte)
Date: Thu, 09 Sep 2021 10:08:13 +0000
Subject: [openssl] master update
Message-ID: <1631182093.161878.10515.nullmailer@dev.openssl.org>
The branch master has been updated
via 435981cbadad2c58c35bacd30ca5d8b4c9bea72f (commit)
from 2fe2279d1f3bbfa934e432d4f2c3a7e6a6b0f958 (commit)
- Log -----------------------------------------------------------------
commit 435981cbadad2c58c35bacd30ca5d8b4c9bea72f
Author: Richard Levitte
Date: Wed Sep 8 09:40:37 2021 +0200
OpenSSL::Ordinals::set_version() should only be given the short version
This function tried to shave off the pre-release and build metadata
text from the version number it gets, but didn't do that quite
right. Since this isn't even a documented behaviour, the easier, and
arguably more correct path is for that function not to try to shave
off anything, and for the callers to feed it the short version number,
"{MAJOR}.{MINOR}.{PATCH}", nothing more.
The build file templates are adjusted accordingly.
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16556)
-----------------------------------------------------------------------
Summary of changes:
Configurations/descrip.mms.tmpl | 3 ++-
Configurations/unix-Makefile.tmpl | 11 ++++++-----
Configurations/windows-makefile.tmpl | 3 ++-
util/perl/OpenSSL/Ordinals.pm | 2 --
4 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl
index 3db0fc7286..42dea4752a 100644
--- a/Configurations/descrip.mms.tmpl
+++ b/Configurations/descrip.mms.tmpl
@@ -267,6 +267,7 @@ VERBOSE=$(V)
VERBOSE_FAILURE=$(VF)
VERSION={- "$config{full_version}" -}
+VERSION_NUMBER={- "$config{version}" -}
MAJOR={- $config{major} -}
MINOR={- $config{minor} -}
SHLIB_VERSION_NUMBER={- $config{shlib_version} -}
@@ -904,7 +905,7 @@ EOF
#
my $target = platform->def($args{src});
my $mkdef = sourcefile('util', 'mkdef.pl');
- my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION)' : '';
+ my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION_NUMBER)' : '';
my $ord_name =
$args{generator}->[1] || basename($args{product}, '.EXE');
my $case_insensitive =
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index f88a70f482..0cab39267c 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -67,6 +67,7 @@ BLDDIR={- $config{builddir} -}
FIPSKEY={- $config{FIPSKEY} -}
VERSION={- "$config{full_version}" -}
+VERSION_NUMBER={- "$config{version}" -}
MAJOR={- $config{major} -}
MINOR={- $config{minor} -}
SHLIB_VERSION_NUMBER={- $config{shlib_version} -}
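Review bot: VERSION and the new VERSION_NUMBER now sit on adjacent lines with no comment on how they differ, and the rest of this patch depends on callers picking the right one. Add a one-line comment here saying that VERSION is the full version string and VERSION_NUMBER is the short "{MAJOR}.{MINOR}.{PATCH}" form expected by mknum.pl and mkdef.pl.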
@@ -1305,23 +1306,23 @@ SSLHEADERS={- join(" \\\n" . ' ' x 11,
fill_lines(" ", $COLUMNS - 11, sort keys %sslheaders)) -}
renumber: build_generated
- $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \
+ $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
--ordinals $(SRCDIR)/util/libcrypto.num \
--symhacks $(SRCDIR)/include/openssl/symhacks.h \
--renumber \
$(CRYPTOHEADERS)
- $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \
+ $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
--ordinals $(SRCDIR)/util/libssl.num \
--symhacks $(SRCDIR)/include/openssl/symhacks.h \
--renumber \
$(SSLHEADERS)
ordinals: build_generated
- $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \
+ $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
--ordinals $(SRCDIR)/util/libcrypto.num \
--symhacks $(SRCDIR)/include/openssl/symhacks.h \
$(CRYPTOHEADERS)
- $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \
+ $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
--ordinals $(SRCDIR)/util/libssl.num \
--symhacks $(SRCDIR)/include/openssl/symhacks.h \
$(SSLHEADERS)
@@ -1529,7 +1530,7 @@ EOF
#
my $target = platform->def($args{src});
(my $mkdef_os = $target{shared_target}) =~ s|-shared$||;
- my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION)' : '';
+ my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION_NUMBER)' : '';
my $ord_name = $args{generator}->[1] || $args{product};
return <<"EOF";
$target: $gen0 $deps \$(SRCDIR)/util/mkdef.pl
diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl
index 26357c75bc..d6dc008ba7 100644
--- a/Configurations/windows-makefile.tmpl
+++ b/Configurations/windows-makefile.tmpl
@@ -41,6 +41,7 @@ BLDDIR={- $config{builddir} -}
FIPSKEY={- $config{FIPSKEY} -}
VERSION={- "$config{full_version}" -}
+VERSION_NUMBER={- "$config{version}" -}
MAJOR={- $config{major} -}
MINOR={- $config{minor} -}
@@ -727,7 +728,7 @@ EOF
my $mkdef = abs2rel(rel2abs(catfile($config{sourcedir},
"util", "mkdef.pl")),
rel2abs($config{builddir}));
- my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION)' : '';
+ my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION_NUMBER)' : '';
my $ord_name =
$args{generator}->[1] || platform->dsoname($args{product});
return <<"EOF";
diff --git a/util/perl/OpenSSL/Ordinals.pm b/util/perl/OpenSSL/Ordinals.pm
index 7e4c008dc2..f6c63d14c4 100644
--- a/util/perl/OpenSSL/Ordinals.pm
+++ b/util/perl/OpenSSL/Ordinals.pm
@@ -623,8 +623,6 @@ sub set_version {
my $version = shift // '*';
my $baseversion = shift // '*';
- $version =~ s|-.*||g;
-
if ($baseversion eq '*') {
$baseversion = $version;
if ($baseversion ne '*') {
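Review bot: With the "$version =~ s|-.*||g;" line removed, set_version() takes whatever it is handed, and a caller that still passes the full version will have the pre-release or build metadata text recorded as-is. Since the commit message makes "{MAJOR}.{MINOR}.{PATCH}" the contract, enforce it here: croak when $version is neither '*' nor three dot-separated numbers, and document the accepted form in the function's POD.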
From levitte at openssl.org Thu Sep 9 10:09:50 2021
From: levitte at openssl.org (Richard Levitte)
Date: Thu, 09 Sep 2021 10:09:50 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631182190.687499.12841.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via 69afbf88a4fab3ba3bf19f438abc8ca7787027ff (commit)
from 8ad183c1448551d715ac255c612e982d04637463 (commit)
- Log -----------------------------------------------------------------
commit 69afbf88a4fab3ba3bf19f438abc8ca7787027ff
Author: Richard Levitte
Date: Wed Sep 8 09:40:37 2021 +0200
OpenSSL::Ordinals::set_version() should only be given the short version
This function tried to shave off the pre-release and build metadata
text from the version number it gets, but didn't do that quite
right. Since this isn't even a documented behaviour, the easier, and
arguably more correct path is for that function not to try to shave
off anything, and for the callers to feed it the short version number,
"{MAJOR}.{MINOR}.{PATCH}", nothing more.
The build file templates are adjusted accordingly.
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16556)
(cherry picked from commit 435981cbadad2c58c35bacd30ca5d8b4c9bea72f)
-----------------------------------------------------------------------
Summary of changes:
Configurations/descrip.mms.tmpl | 3 ++-
Configurations/unix-Makefile.tmpl | 11 ++++++-----
Configurations/windows-makefile.tmpl | 3 ++-
util/perl/OpenSSL/Ordinals.pm | 2 --
4 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl
index 3db0fc7286..42dea4752a 100644
--- a/Configurations/descrip.mms.tmpl
+++ b/Configurations/descrip.mms.tmpl
@@ -267,6 +267,7 @@ VERBOSE=$(V)
VERBOSE_FAILURE=$(VF)
VERSION={- "$config{full_version}" -}
+VERSION_NUMBER={- "$config{version}" -}
MAJOR={- $config{major} -}
MINOR={- $config{minor} -}
SHLIB_VERSION_NUMBER={- $config{shlib_version} -}
@@ -904,7 +905,7 @@ EOF
#
my $target = platform->def($args{src});
my $mkdef = sourcefile('util', 'mkdef.pl');
- my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION)' : '';
+ my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION_NUMBER)' : '';
my $ord_name =
$args{generator}->[1] || basename($args{product}, '.EXE');
my $case_insensitive =
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index f88a70f482..0cab39267c 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -67,6 +67,7 @@ BLDDIR={- $config{builddir} -}
FIPSKEY={- $config{FIPSKEY} -}
VERSION={- "$config{full_version}" -}
+VERSION_NUMBER={- "$config{version}" -}
MAJOR={- $config{major} -}
MINOR={- $config{minor} -}
SHLIB_VERSION_NUMBER={- $config{shlib_version} -}
@@ -1305,23 +1306,23 @@ SSLHEADERS={- join(" \\\n" . ' ' x 11,
fill_lines(" ", $COLUMNS - 11, sort keys %sslheaders)) -}
renumber: build_generated
- $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \
+ $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
--ordinals $(SRCDIR)/util/libcrypto.num \
--symhacks $(SRCDIR)/include/openssl/symhacks.h \
--renumber \
$(CRYPTOHEADERS)
- $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \
+ $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
--ordinals $(SRCDIR)/util/libssl.num \
--symhacks $(SRCDIR)/include/openssl/symhacks.h \
--renumber \
$(SSLHEADERS)
ordinals: build_generated
- $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \
+ $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
--ordinals $(SRCDIR)/util/libcrypto.num \
--symhacks $(SRCDIR)/include/openssl/symhacks.h \
$(CRYPTOHEADERS)
- $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION) --no-warnings \
+ $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
--ordinals $(SRCDIR)/util/libssl.num \
--symhacks $(SRCDIR)/include/openssl/symhacks.h \
$(SSLHEADERS)
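Review bot: all four mknum.pl invocations in the renumber and ordinals targets repeat `--version $(VERSION_NUMBER) --no-warnings`, which is why this hunk has to touch four lines for one change. Consider a single make variable for the common mknum.pl arguments so the next change is made in one place and the libcrypto and libssl calls cannot drift apart.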
@@ -1529,7 +1530,7 @@ EOF
#
my $target = platform->def($args{src});
(my $mkdef_os = $target{shared_target}) =~ s|-shared$||;
- my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION)' : '';
+ my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION_NUMBER)' : '';
my $ord_name = $args{generator}->[1] || $args{product};
return <<"EOF";
$target: $gen0 $deps \$(SRCDIR)/util/mkdef.pl
diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl
index 26357c75bc..d6dc008ba7 100644
--- a/Configurations/windows-makefile.tmpl
+++ b/Configurations/windows-makefile.tmpl
@@ -41,6 +41,7 @@ BLDDIR={- $config{builddir} -}
FIPSKEY={- $config{FIPSKEY} -}
VERSION={- "$config{full_version}" -}
+VERSION_NUMBER={- "$config{version}" -}
MAJOR={- $config{major} -}
MINOR={- $config{minor} -}
@@ -727,7 +728,7 @@ EOF
my $mkdef = abs2rel(rel2abs(catfile($config{sourcedir},
"util", "mkdef.pl")),
rel2abs($config{builddir}));
- my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION)' : '';
+ my $ord_ver = $args{intent} eq 'lib' ? ' --version $(VERSION_NUMBER)' : '';
my $ord_name =
$args{generator}->[1] || platform->dsoname($args{product});
return <<"EOF";
diff --git a/util/perl/OpenSSL/Ordinals.pm b/util/perl/OpenSSL/Ordinals.pm
index 7e4c008dc2..f6c63d14c4 100644
--- a/util/perl/OpenSSL/Ordinals.pm
+++ b/util/perl/OpenSSL/Ordinals.pm
@@ -623,8 +623,6 @@ sub set_version {
my $version = shift // '*';
my $baseversion = shift // '*';
- $version =~ s|-.*||g;
-
if ($baseversion eq '*') {
$baseversion = $version;
if ($baseversion ne '*') {
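Review bot: with `$version =~ s|-.*||g;` gone, set_version keeps whatever string the caller passes, so correctness now depends on every caller supplying a version without a '-' suffix. The templates in this patch were switched to $(VERSION_NUMBER), but any other caller that still passes a full version string would now carry the suffix into $version and $baseversion. Worth either checking the remaining callers or rejecting a version containing '-' here with a clear error instead of accepting it silently.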
From no-reply at appveyor.com Thu Sep 9 17:36:48 2021
From: no-reply at appveyor.com (AppVeyor)
Date: Thu, 09 Sep 2021 17:36:48 +0000
Subject: Build failed: openssl master.42698
Message-ID: <20210909173648.1.B3B91CF219AED900@appveyor.com>
From no-reply at appveyor.com Thu Sep 9 19:20:48 2021
From: no-reply at appveyor.com (AppVeyor)
Date: Thu, 09 Sep 2021 19:20:48 +0000
Subject: Build completed: openssl openssl-3.0.42699
Message-ID: <20210909192048.1.A7BE45D434BCB630@appveyor.com>
From pauli at openssl.org Fri Sep 10 08:02:33 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Fri, 10 Sep 2021 08:02:33 +0000
Subject: [openssl] master update
Message-ID: <1631260953.945512.27563.nullmailer@dev.openssl.org>
The branch master has been updated
via e82fc27bcd34f246e1acd42a61e8ba62907e1d19 (commit)
from 435981cbadad2c58c35bacd30ca5d8b4c9bea72f (commit)
- Log -----------------------------------------------------------------
commit e82fc27bcd34f246e1acd42a61e8ba62907e1d19
Author: astraujums
Date: Wed Sep 8 15:55:39 2021 +0300
Fixed state transitions for the HTML version of the life_cycle-kdf.pod.
The MAN version was fine and so are kdf.dot and lifecycles.ods from doc/life-cycles
CLA: trivial
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16559)
-----------------------------------------------------------------------
Summary of changes:
doc/man7/life_cycle-kdf.pod | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/doc/man7/life_cycle-kdf.pod b/doc/man7/life_cycle-kdf.pod
index 6a50cc9aa6..d2aec8fe82 100644
--- a/doc/man7/life_cycle-kdf.pod
+++ b/doc/man7/life_cycle-kdf.pod
@@ -103,19 +103,19 @@ This is the canonical list.
EVP_KDF_derive
-
newed
deriving
-
-
EVP_KDF_CTX_free
-
-
newed
deriving
-
EVP_KDF_CTX_reset
+
EVP_KDF_CTX_free
freed
freed
freed
+
EVP_KDF_CTX_reset
+
+
newed
+
newed
+
EVP_KDF_CTX_get_params
newed
From pauli at openssl.org Fri Sep 10 08:03:00 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Fri, 10 Sep 2021 08:03:00 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631260980.120156.28890.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via bfdce628350730b44dc46a4fc22d19e988fd8c50 (commit)
from 69afbf88a4fab3ba3bf19f438abc8ca7787027ff (commit)
- Log -----------------------------------------------------------------
commit bfdce628350730b44dc46a4fc22d19e988fd8c50
Author: astraujums
Date: Wed Sep 8 15:55:39 2021 +0300
Fixed state transitions for the HTML version of the life_cycle-kdf.pod.
The MAN version was fine and so are kdf.dot and lifecycles.ods from doc/life-cycles
CLA: trivial
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16559)
(cherry picked from commit e82fc27bcd34f246e1acd42a61e8ba62907e1d19)
-----------------------------------------------------------------------
Summary of changes:
doc/man7/life_cycle-kdf.pod | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/doc/man7/life_cycle-kdf.pod b/doc/man7/life_cycle-kdf.pod
index 6a50cc9aa6..d2aec8fe82 100644
--- a/doc/man7/life_cycle-kdf.pod
+++ b/doc/man7/life_cycle-kdf.pod
@@ -103,19 +103,19 @@ This is the canonical list.
EVP_KDF_derive
-
newed
deriving
-
-
EVP_KDF_CTX_free
-
-
newed
deriving
-
EVP_KDF_CTX_reset
+
EVP_KDF_CTX_free
freed
freed
freed
+
EVP_KDF_CTX_reset
+
+
newed
+
newed
+
EVP_KDF_CTX_get_params
newed
From levitte at openssl.org Fri Sep 10 10:03:19 2021
From: levitte at openssl.org (Richard Levitte)
Date: Fri, 10 Sep 2021 10:03:19 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631268199.582789.17284.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via 1dc15a3330434ef1f79921a2d97c585048dcf05e (commit)
from bfdce628350730b44dc46a4fc22d19e988fd8c50 (commit)
- Log -----------------------------------------------------------------
commit 1dc15a3330434ef1f79921a2d97c585048dcf05e
Author: Richard Levitte
Date: Wed Sep 8 20:16:37 2021 +0200
VMS: Fix descrip.mms template
away the use of $(DEFINES), which does get populated with defines
given through configuration. This makes it impossible to configure
with extra defines on VMS. Uncommenting and moving $(DEFINES) to a
more proper spot gives the users back that ability.
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16561)
-----------------------------------------------------------------------
Summary of changes:
Configurations/descrip.mms.tmpl | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl
index 42dea4752a..9812df2aef 100644
--- a/Configurations/descrip.mms.tmpl
+++ b/Configurations/descrip.mms.tmpl
@@ -110,9 +110,9 @@
@cnf_defines,
'OPENSSLDIR="""$(OPENSSLDIR_C)"""',
'ENGINESDIR="""$(ENGINESDIR_C)"""',
- 'MODULESDIR="""$(MODULESDIR_C)"""',
- #'$(DEFINES)'
+ 'MODULESDIR="""$(MODULESDIR_C)"""'
)
+ . '$(DEFINES)'
. "'extradefines'";
our $lib_asflags =
join(' ', $target{lib_asflags} || (), @{$config{lib_asflags}},
@@ -144,8 +144,8 @@
join(',', @{$target{dso_defines}}, @{$target{module_defines}},
@{$config{dso_defines}}, @{$config{module_defines}},
@cnf_defines,
- #'$(DEFINES)'
)
+ . '$(DEFINES)'
. "'extradefines'";
our $dso_asflags =
join(' ', $target{dso_asflags} || (), $target{module_asflags} || (),
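Review bot: `. '$(DEFINES)'` is appended to the result of `join(',', ...)` with no separator of its own, whereas the commented-out line it replaces sat inside the list and would have been comma-joined. That only works if $(DEFINES) expands to something that already starts with a separator (or to nothing), as 'extradefines' on the next line presumably does. Please state that assumption in a comment next to the concatenation, or confirm how $(DEFINES) is populated, so a define given at configuration time cannot fuse with the last entry of @cnf_defines.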
@@ -180,8 +180,8 @@
join(',', @{$target{bin_defines}},
@{$config{bin_defines}},
@cnf_defines,
- #'$(DEFINES)'
)
+ . '$(DEFINES)'
. "'extradefines'";
our $bin_asflags =
join(' ', $target{bin_asflags} || (),
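Review bot: this is the third copy of the same two-line tail (`. '$(DEFINES)'` followed by `. "'extradefines'"`), after the lib and dso variants above. A small helper that takes the list of defines and appends both would keep the three in step; that all three carried the same commented-out `#'$(DEFINES)'` suggests they were already being edited by copy and paste.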
From tomas at openssl.org Fri Sep 10 10:07:41 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Fri, 10 Sep 2021 10:07:41 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631268461.472682.21813.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via 49ca3979f903334e192e75eeafb371824d1c14f6 (commit)
from 1dc15a3330434ef1f79921a2d97c585048dcf05e (commit)
- Log -----------------------------------------------------------------
commit 49ca3979f903334e192e75eeafb371824d1c14f6
Author: Tomas Mraz
Date: Thu Sep 9 09:12:22 2021 +0200
dh_ameth: Fix dh_cmp_parameters to really compare the params
This is legacy DH PKEY only code.
Fixes #16562
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16568)
(cherry picked from commit cf1a231d44db81f8565ecae5498a4f1f6f0168c9)
-----------------------------------------------------------------------
Summary of changes:
crypto/dh/dh_ameth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c
index 0e577177ec..38d8e7a38f 100644
--- a/crypto/dh/dh_ameth.c
+++ b/crypto/dh/dh_ameth.c
@@ -311,7 +311,7 @@ static int dh_security_bits(const EVP_PKEY *pkey)
static int dh_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b)
{
- return ossl_ffc_params_cmp(&a->pkey.dh->params, &a->pkey.dh->params,
+ return ossl_ffc_params_cmp(&a->pkey.dh->params, &b->pkey.dh->params,
a->ameth != &ossl_dhx_asn1_meth);
}
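Review bot: the removed line passed `&a->pkey.dh->params` as both operands, so the function compared a key's parameters with themselves and could never report a difference. The one-character fix is right, but the patch adds no test. A regression test that compares two legacy DH keys with different parameters and expects a mismatch would keep this from coming back, and it is worth checking which callers consumed the result while it could not differ.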
From levitte at openssl.org Fri Sep 10 10:11:08 2021
From: levitte at openssl.org (Richard Levitte)
Date: Fri, 10 Sep 2021 10:11:08 +0000
Subject: [openssl] master update
Message-ID: <1631268668.972633.25573.nullmailer@dev.openssl.org>
The branch master has been updated
via 2f9ded524c2c95ab4efcc12b14e098eb4613d2f5 (commit)
from cf1a231d44db81f8565ecae5498a4f1f6f0168c9 (commit)
- Log -----------------------------------------------------------------
commit 2f9ded524c2c95ab4efcc12b14e098eb4613d2f5
Author: Richard Levitte
Date: Wed Sep 8 20:16:37 2021 +0200
VMS: Fix descrip.mms template
away the use of $(DEFINES), which does get populated with defines
given through configuration. This makes it impossible to configure
with extra defines on VMS. Uncommenting and moving $(DEFINES) to a
more proper spot gives the users back that ability.
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16561)
(cherry picked from commit 1dc15a3330434ef1f79921a2d97c585048dcf05e)
-----------------------------------------------------------------------
Summary of changes:
Configurations/descrip.mms.tmpl | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl
index 42dea4752a..9812df2aef 100644
--- a/Configurations/descrip.mms.tmpl
+++ b/Configurations/descrip.mms.tmpl
@@ -110,9 +110,9 @@
@cnf_defines,
'OPENSSLDIR="""$(OPENSSLDIR_C)"""',
'ENGINESDIR="""$(ENGINESDIR_C)"""',
- 'MODULESDIR="""$(MODULESDIR_C)"""',
- #'$(DEFINES)'
+ 'MODULESDIR="""$(MODULESDIR_C)"""'
)
+ . '$(DEFINES)'
. "'extradefines'";
our $lib_asflags =
join(' ', $target{lib_asflags} || (), @{$config{lib_asflags}},
@@ -144,8 +144,8 @@
join(',', @{$target{dso_defines}}, @{$target{module_defines}},
@{$config{dso_defines}}, @{$config{module_defines}},
@cnf_defines,
- #'$(DEFINES)'
)
+ . '$(DEFINES)'
. "'extradefines'";
our $dso_asflags =
join(' ', $target{dso_asflags} || (), $target{module_asflags} || (),
@@ -180,8 +180,8 @@
join(',', @{$target{bin_defines}},
@{$config{bin_defines}},
@cnf_defines,
- #'$(DEFINES)'
)
+ . '$(DEFINES)'
. "'extradefines'";
our $bin_asflags =
join(' ', $target{bin_asflags} || (),
From tomas at openssl.org Fri Sep 10 10:07:14 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Fri, 10 Sep 2021 10:07:14 +0000
Subject: [openssl] master update
Message-ID: <1631268435.005482.20619.nullmailer@dev.openssl.org>
The branch master has been updated
via cf1a231d44db81f8565ecae5498a4f1f6f0168c9 (commit)
from e82fc27bcd34f246e1acd42a61e8ba62907e1d19 (commit)
- Log -----------------------------------------------------------------
commit cf1a231d44db81f8565ecae5498a4f1f6f0168c9
Author: Tomas Mraz
Date: Thu Sep 9 09:12:22 2021 +0200
dh_ameth: Fix dh_cmp_parameters to really compare the params
This is legacy DH PKEY only code.
Fixes #16562
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16568)
-----------------------------------------------------------------------
Summary of changes:
crypto/dh/dh_ameth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c
index 0e577177ec..38d8e7a38f 100644
--- a/crypto/dh/dh_ameth.c
+++ b/crypto/dh/dh_ameth.c
@@ -311,7 +311,7 @@ static int dh_security_bits(const EVP_PKEY *pkey)
static int dh_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b)
{
- return ossl_ffc_params_cmp(&a->pkey.dh->params, &a->pkey.dh->params,
+ return ossl_ffc_params_cmp(&a->pkey.dh->params, &b->pkey.dh->params,
a->ameth != &ossl_dhx_asn1_meth);
}
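Review bot: now that b is actually read, note that the third argument, `a->ameth != &ossl_dhx_asn1_meth`, is still decided by a alone. If a and b can reach this function with different methods (one DH, one DHX), the flag reflects only the first key. Either document that callers guarantee matching key types or check b->ameth as well.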
From levitte at openssl.org Fri Sep 10 10:15:37 2021
From: levitte at openssl.org (Richard Levitte)
Date: Fri, 10 Sep 2021 10:15:37 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631268937.638705.29807.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via c1dc3536a89d71f8545f3c70bee2332f389a871d (commit)
from 49ca3979f903334e192e75eeafb371824d1c14f6 (commit)
- Log -----------------------------------------------------------------
commit c1dc3536a89d71f8545f3c70bee2332f389a871d
Author: Richard Levitte
Date: Wed Sep 8 21:58:19 2021 +0200
Fix 'openssl speed' information printout
Most of all, this reduces the following:
built on: built on: Wed Sep 8 19:41:55 2021 UTC
to:
built on: Wed Sep 8 19:41:55 2021 UTC
Reviewed-by: Paul Dale
Reviewed-by: Dmitry Belyavskiy
(Merged from https://github.com/openssl/openssl/pull/16563)
-----------------------------------------------------------------------
Summary of changes:
apps/speed.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/apps/speed.c b/apps/speed.c
index 830a502656..1e5295398f 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -3092,10 +3092,9 @@ int speed_main(int argc, char **argv)
#endif
if (!mr) {
printf("version: %s\n", OpenSSL_version(OPENSSL_FULL_VERSION_STRING));
- printf("built on: %s\n", OpenSSL_version(OPENSSL_BUILT_ON));
- printf("options:");
- printf("%s ", BN_options());
- printf("\n%s\n", OpenSSL_version(OPENSSL_CFLAGS));
+ printf("%s\n", OpenSSL_version(OPENSSL_BUILT_ON));
+ printf("options: %s\n", BN_options());
+ printf("%s\n", OpenSSL_version(OPENSSL_CFLAGS));
printf("%s\n", OpenSSL_version(OPENSSL_CPU_INFO));
}
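Review bot: the new `printf("%s\n", OpenSSL_version(OPENSSL_BUILT_ON));` depends on the returned string carrying its own "built on:" label, which is what produced the doubled prefix quoted in the commit message. A short comment saying that the OPENSSL_BUILT_ON, OPENSSL_CFLAGS and OPENSSL_CPU_INFO strings are printed without a literal prefix for that reason, while the version and options lines keep one, would explain why the five lines are not formatted alike.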
From levitte at openssl.org Fri Sep 10 10:16:16 2021
From: levitte at openssl.org (Richard Levitte)
Date: Fri, 10 Sep 2021 10:16:16 +0000
Subject: [openssl] master update
Message-ID: <1631268976.578487.31184.nullmailer@dev.openssl.org>
The branch master has been updated
via 9e1b6f3cdc9258b6759d00cd23819925c9e4c391 (commit)
from 2f9ded524c2c95ab4efcc12b14e098eb4613d2f5 (commit)
- Log -----------------------------------------------------------------
commit 9e1b6f3cdc9258b6759d00cd23819925c9e4c391
Author: Richard Levitte
Date: Wed Sep 8 21:58:19 2021 +0200
Fix 'openssl speed' information printout
Most of all, this reduces the following:
built on: built on: Wed Sep 8 19:41:55 2021 UTC
to:
built on: Wed Sep 8 19:41:55 2021 UTC
Reviewed-by: Paul Dale
Reviewed-by: Dmitry Belyavskiy
(Merged from https://github.com/openssl/openssl/pull/16563)
(cherry picked from commit c1dc3536a89d71f8545f3c70bee2332f389a871d)
-----------------------------------------------------------------------
Summary of changes:
apps/speed.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/apps/speed.c b/apps/speed.c
index 830a502656..1e5295398f 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -3092,10 +3092,9 @@ int speed_main(int argc, char **argv)
#endif
if (!mr) {
printf("version: %s\n", OpenSSL_version(OPENSSL_FULL_VERSION_STRING));
- printf("built on: %s\n", OpenSSL_version(OPENSSL_BUILT_ON));
- printf("options:");
- printf("%s ", BN_options());
- printf("\n%s\n", OpenSSL_version(OPENSSL_CFLAGS));
+ printf("%s\n", OpenSSL_version(OPENSSL_BUILT_ON));
+ printf("options: %s\n", BN_options());
+ printf("%s\n", OpenSSL_version(OPENSSL_CFLAGS));
printf("%s\n", OpenSSL_version(OPENSSL_CPU_INFO));
}
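Review bot: besides the "built on:" fix named in the commit message, this hunk also changes the options line. The old three calls printed `options:` immediately followed by the BN_options() text and a trailing space; the new call prints `options: ` followed by the text and no trailing space. The change is inside `if (!mr)`, so the machine-readable output is untouched, but the commit message should mention it for anyone who scrapes the human-readable header.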
From tomas at openssl.org Fri Sep 10 12:08:43 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Fri, 10 Sep 2021 12:08:43 +0000
Subject: [openssl] master update
Message-ID: <1631275723.295593.4956.nullmailer@dev.openssl.org>
The branch master has been updated
via 85efdaab4d068f7de354b0a18f70f1737941dc7f (commit)
from 9e1b6f3cdc9258b6759d00cd23819925c9e4c391 (commit)
- Log -----------------------------------------------------------------
commit 85efdaab4d068f7de354b0a18f70f1737941dc7f
Author: Tomas Mraz
Date: Thu Sep 9 09:19:58 2021 +0200
install_fips: Create the OPENSSLDIR as it might not exist
Fixes #16564
Reviewed-by: Paul Dale
Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/16569)
-----------------------------------------------------------------------
Summary of changes:
Configurations/descrip.mms.tmpl | 2 ++
Configurations/unix-Makefile.tmpl | 1 +
Configurations/windows-makefile.tmpl | 1 +
3 files changed, 4 insertions(+)
diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl
index 9812df2aef..9767802e88 100644
--- a/Configurations/descrip.mms.tmpl
+++ b/Configurations/descrip.mms.tmpl
@@ -570,6 +570,8 @@ uninstall_docs : uninstall_html_docs
{- output_off() if $disabled{fips}; "" -}
install_fips : build_sw $(INSTALL_FIPSMODULECONF)
@ WRITE SYS$OUTPUT "*** Installing FIPS module"
+ - CREATE/DIR ossl_installroot:[MODULES{- $sover_dirname.$target{pointer_size} -}.'arch']
+ - CREATE/DIR/PROT=(S:RWED,O:RWE,G:RE,W:RE) OSSL_DATAROOT:[000000]
COPY/PROT=W:RE $(INSTALL_FIPSMODULES) -
ossl_installroot:[MODULES{- $sover_dirname.$target{pointer_size} -}.'arch']$(FIPSMODULENAME)
@ WRITE SYS$OUTPUT "*** Installing FIPS module configuration"
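Review bot: the two added CREATE/DIR lines are inconsistent about protection. The OSSL_DATAROOT:[000000] line sets /PROT=(S:RWED,O:RWE,G:RE,W:RE) explicitly, while the MODULES directory that receives the FIPS module is created with whatever the default protection happens to be. Give the modules directory an explicit /PROT as well so the install does not depend on the installer's process defaults. The commit subject also mentions only OPENSSLDIR; the modules directory creation deserves a line in the message.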
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index 0cab39267c..bf53cbcec5 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -619,6 +619,7 @@ uninstall_docs: uninstall_man_docs uninstall_html_docs
install_fips: build_sw $(INSTALL_FIPSMODULECONF)
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MODULESDIR)
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)
@$(ECHO) "*** Installing FIPS module"
@$(ECHO) "install $(INSTALL_FIPSMODULE) -> $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)"
@cp "$(INSTALL_FIPSMODULE)" $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new
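Review bot: `$(DESTDIR)$(OPENSSLDIR)` on the added line is unquoted, so a staging or install path containing whitespace is split into several arguments to mkdir-p.pl. It matches the existing MODULESDIR line above it, so it is consistent with the surrounding recipe, but quoting both arguments would be the safer form.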
diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl
index d6dc008ba7..63431b97ed 100644
--- a/Configurations/windows-makefile.tmpl
+++ b/Configurations/windows-makefile.tmpl
@@ -500,6 +500,7 @@ uninstall_docs: uninstall_html_docs
install_fips: build_sw $(INSTALL_FIPSMODULECONF)
# @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(PERL) $(SRCDIR)\util\mkdir-p.pl $(MODULESDIR)
+ @$(PERL) $(SRCDIR)\util\mkdir-p.pl $(OPENSSLDIR)
@$(ECHO) "*** Installing FIPS module"
@$(ECHO) "install $(INSTALL_FIPSMODULE) -> $(MODULESDIR)\$(FIPSMODULENAME)"
@"$(PERL)" "$(SRCDIR)\util\copy.pl" "$(INSTALL_FIPSMODULE)" "$(MODULESDIR)"
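Review bot: the added `@$(PERL) $(SRCDIR)\util\mkdir-p.pl $(OPENSSLDIR)` leaves the interpreter, script and directory unquoted, while the copy.pl line two lines below quotes every one of them. On Windows an OPENSSLDIR with a space in it is quite plausible, so please quote the new line the same way as the copy.pl call, and ideally the MODULESDIR line above it too.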
From tomas at openssl.org Fri Sep 10 12:09:17 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Fri, 10 Sep 2021 12:09:17 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631275757.087523.6173.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via 96c925c41bf6d9f60f3e8cbe528e82ac7ddc9539 (commit)
from c1dc3536a89d71f8545f3c70bee2332f389a871d (commit)
- Log -----------------------------------------------------------------
commit 96c925c41bf6d9f60f3e8cbe528e82ac7ddc9539
Author: Tomas Mraz
Date: Thu Sep 9 09:19:58 2021 +0200
install_fips: Create the OPENSSLDIR as it might not exist
Fixes #16564
Reviewed-by: Paul Dale
Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/16569)
(cherry picked from commit 85efdaab4d068f7de354b0a18f70f1737941dc7f)
-----------------------------------------------------------------------
Summary of changes:
Configurations/descrip.mms.tmpl | 2 ++
Configurations/unix-Makefile.tmpl | 1 +
Configurations/windows-makefile.tmpl | 1 +
3 files changed, 4 insertions(+)
diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl
index 9812df2aef..9767802e88 100644
--- a/Configurations/descrip.mms.tmpl
+++ b/Configurations/descrip.mms.tmpl
@@ -570,6 +570,8 @@ uninstall_docs : uninstall_html_docs
{- output_off() if $disabled{fips}; "" -}
install_fips : build_sw $(INSTALL_FIPSMODULECONF)
@ WRITE SYS$OUTPUT "*** Installing FIPS module"
+ - CREATE/DIR ossl_installroot:[MODULES{- $sover_dirname.$target{pointer_size} -}.'arch']
+ - CREATE/DIR/PROT=(S:RWED,O:RWE,G:RE,W:RE) OSSL_DATAROOT:[000000]
COPY/PROT=W:RE $(INSTALL_FIPSMODULES) -
ossl_installroot:[MODULES{- $sover_dirname.$target{pointer_size} -}.'arch']$(FIPSMODULENAME)
@ WRITE SYS$OUTPUT "*** Installing FIPS module configuration"
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index 0cab39267c..bf53cbcec5 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -619,6 +619,7 @@ uninstall_docs: uninstall_man_docs uninstall_html_docs
install_fips: build_sw $(INSTALL_FIPSMODULECONF)
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(MODULESDIR)
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)
@$(ECHO) "*** Installing FIPS module"
@$(ECHO) "install $(INSTALL_FIPSMODULE) -> $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME)"
@cp "$(INSTALL_FIPSMODULE)" $(DESTDIR)$(MODULESDIR)/$(FIPSMODULENAME).new
diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl
index d6dc008ba7..63431b97ed 100644
--- a/Configurations/windows-makefile.tmpl
+++ b/Configurations/windows-makefile.tmpl
@@ -500,6 +500,7 @@ uninstall_docs: uninstall_html_docs
install_fips: build_sw $(INSTALL_FIPSMODULECONF)
# @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(PERL) $(SRCDIR)\util\mkdir-p.pl $(MODULESDIR)
+ @$(PERL) $(SRCDIR)\util\mkdir-p.pl $(OPENSSLDIR)
@$(ECHO) "*** Installing FIPS module"
@$(ECHO) "install $(INSTALL_FIPSMODULE) -> $(MODULESDIR)\$(FIPSMODULENAME)"
@"$(PERL)" "$(SRCDIR)\util\copy.pl" "$(INSTALL_FIPSMODULE)" "$(MODULESDIR)"
From pauli at openssl.org Sat Sep 11 09:05:38 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Sat, 11 Sep 2021 09:05:38 +0000
Subject: [web] master update
Message-ID: <1631351138.619848.10693.nullmailer@dev.openssl.org>
The branch master has been updated
via 598d9806bc701a208da5506fcba59cd629e21f21 (commit)
from 6850835feb4bc989b2e5465163b065c44bed644a (commit)
- Log -----------------------------------------------------------------
commit 598d9806bc701a208da5506fcba59cd629e21f21
Author: Pauli
Date: Sat Sep 11 16:44:56 2021 +1000
Update copyright footer.
Reviewed-by: Mark J. Cox
(Merged from https://github.com/openssl/web/pull/261)
-----------------------------------------------------------------------
Summary of changes:
inc/footer.shtml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/inc/footer.shtml b/inc/footer.shtml
index 65be9f1..588fbab 100644
--- a/inc/footer.shtml
+++ b/inc/footer.shtml
@@ -4,7 +4,8 @@
Please report problems with this website to webmaster at openssl.org.
From dev at ddvo.net Sat Sep 11 21:00:35 2021
From: dev at ddvo.net (dev at ddvo.net)
Date: Sat, 11 Sep 2021 21:00:35 +0000
Subject: [openssl] master update
Message-ID: <1631394035.570240.22022.nullmailer@dev.openssl.org>
The branch master has been updated
via cc0d1b03a94b71dd9d8ee9aa11ee22fdc3659821 (commit)
via 611ef4f3737cc5812bdefe381403fdf1bacfba06 (commit)
from 85efdaab4d068f7de354b0a18f70f1737941dc7f (commit)
- Log -----------------------------------------------------------------
commit cc0d1b03a94b71dd9d8ee9aa11ee22fdc3659821
Author: Dr. David von Oheimb
Date: Wed Aug 25 12:30:09 2021 +0200
openssl-x509.pod.in: Reflect better that -signkey is an alias for -key option
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16440)
commit 611ef4f3737cc5812bdefe381403fdf1bacfba06
Author: Dr. David von Oheimb
Date: Fri Aug 27 07:11:36 2021 +0200
APPS/{x509,req}: Fix description and diagnostics of -key, -in, etc. options
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16440)
-----------------------------------------------------------------------
Summary of changes:
apps/req.c | 41 ++++++++++++++++++++++++++++++++++-------
apps/x509.c | 16 +++++++++++-----
doc/man1/openssl-req.pod.in | 29 +++++++++++++++++++++--------
doc/man1/openssl-x509.pod.in | 37 ++++++++++++++++++++++---------------
4 files changed, 88 insertions(+), 35 deletions(-)
diff --git a/apps/req.c b/apps/req.c
index 6aa364fec5..f756c25b2a 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -103,7 +103,7 @@ const OPTIONS req_options[] = {
{"keygen_engine", OPT_KEYGEN_ENGINE, 's',
"Specify engine to be used for key generation operations"},
#endif
- {"in", OPT_IN, '<', "X.509 request input file"},
+ {"in", OPT_IN, '<', "X.509 request input file (default stdin)"},
{"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
{"verify", OPT_VERIFY, '-', "Verify self-signature on the request"},
@@ -136,10 +136,10 @@ const OPTIONS req_options[] = {
"Cert extension section (override value in config file)"},
{"reqexts", OPT_REQEXTS, 's',
"Request extension section (override value in config file)"},
- {"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"},
+ {"precert", OPT_PRECERT, '-', "Add a poison extension to generated cert (implies -new)"},
OPT_SECTION("Keys and Signing"),
- {"key", OPT_KEY, 's', "Key to include and to use for self-signature"},
+ {"key", OPT_KEY, 's', "Key for signing, and to include unless -in given"},
{"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
{"pubkey", OPT_PUBKEY, '-', "Output public key"},
{"keyout", OPT_KEYOUT, '>', "File to write private key to"},
@@ -489,8 +489,13 @@ int req_main(int argc, char **argv)
if (ext_copy == EXT_COPY_NONE)
BIO_printf(bio_err, "Ignoring -copy_extensions 'none' when -x509 is not given\n");
}
- if (gen_x509 && infile == NULL)
- newreq = 1;
+ if (infile == NULL) {
+ if (gen_x509)
+ newreq = 1;
+ else
+ BIO_printf(bio_err,
+ "Warning: Will read cert request from stdin since no -in option is given\n");
+ }
if (!app_passwd(passargin, passargout, &passin, &passout)) {
BIO_printf(bio_err, "Error getting passwords\n");
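Review bot: the new else branch prints "Will read cert request from stdin" whenever -in is absent and -x509 is not given, without looking at newreq. A later hunk in this same patch reads the request only under `if (!newreq)`, so if newreq has already been set by -new or -newkey at this point, the user gets this warning although nothing is read from stdin. Suggest `else if (!newreq)` here.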
@@ -631,6 +636,11 @@ int req_main(int argc, char **argv)
goto end;
app_RAND_load_conf(req_conf, section);
}
+ if (keyalg != NULL && pkey != NULL) {
+ BIO_printf(bio_err,
+ "Warning: Not generating key via given -newkey option since -key is given\n");
+ /* Better throw an error in this case */
+ }
if (newreq && pkey == NULL) {
app_RAND_load_conf(req_conf, section);
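Review bot: when both -newkey and -key are given this only warns and carries on with the existing key, and the added comment itself says "Better throw an error in this case". A user who asked for a fresh key ends up with a request or certificate over the old one unless they read stderr. Either make it an error now or reference a tracking issue in the comment; the same goes for the similar remark on the ignored -in option in the next hunk.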
@@ -742,9 +752,17 @@ int req_main(int argc, char **argv)
goto end;
if (!newreq) {
- req = load_csr(infile, informat, "X509 request");
+ if (keyfile != NULL)
+ BIO_printf(bio_err,
+ "Warning: Not placing -key in cert or request since request is used\n");
+ req = load_csr(infile /* if NULL, reads from stdin */,
+ informat, "X509 request");
if (req == NULL)
goto end;
+ } else if (infile != NULL) {
+ BIO_printf(bio_err,
+ "Warning: Ignoring -in option since -new or -newkey or -precert is given\n");
+ /* Better throw an error in this case, as done in the x509 app */
}
if (CAkeyfile == NULL)
@@ -752,7 +770,7 @@ int req_main(int argc, char **argv)
if (CAkeyfile != NULL) {
if (CAfile == NULL) {
BIO_printf(bio_err,
- "Ignoring -CAkey option since no -CA option is given\n");
+ "Warning: Ignoring -CAkey option since no -CA option is given\n");
} else {
if ((CAkey = load_key(CAkeyfile, FORMAT_UNDEF,
0, passin, e,
@@ -788,6 +806,7 @@ int req_main(int argc, char **argv)
BIO_printf(bio_err, "Error making certificate request\n");
goto end;
}
+ /* Note that -x509 can take over -key and -subj option values. */
}
if (gen_x509) {
EVP_PKEY *pub_key = X509_REQ_get0_pubkey(req);
@@ -798,6 +817,10 @@ int req_main(int argc, char **argv)
X509_NAME *n_subj = fsubj != NULL ? fsubj :
X509_REQ_get_subject_name(req);
+ if (CAcert != NULL && keyfile != NULL)
+ BIO_printf(bio_err,
+ "Warning: Not using -key or -newkey for signing since -CA option is given\n");
+
if ((new_x509 = X509_new_ex(app_get0_libctx(),
app_get0_propq())) == NULL)
goto end;
@@ -874,6 +897,10 @@ int req_main(int argc, char **argv)
} else {
X509V3_CTX ext_ctx;
+ if (precert) {
+ BIO_printf(bio_err,
+ "Warning: Ignoring -precert flag since no cert is produced\n");
+ }
/* Set up V3 context struct */
X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0);
X509V3_set_nconf(&ext_ctx, req_conf);
diff --git a/apps/x509.c b/apps/x509.c
index 7236972c5b..65af7f0d06 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -61,7 +61,7 @@ const OPTIONS x509_options[] = {
{"help", OPT_HELP, '-', "Display this summary"},
{"in", OPT_IN, '<',
- "Certificate input (default stdin), or CSR input file with -req"},
+ "Certificate input, or CSR input file with -req (default stdin)"},
{"passin", OPT_PASSIN, 's', "Private key and cert file pass-phrase source"},
{"new", OPT_NEW, '-', "Generate a certificate from scratch"},
{"x509toreq", OPT_X509TOREQ, '-',
@@ -73,7 +73,7 @@ const OPTIONS x509_options[] = {
"CSR input file format (DER or PEM) - default PEM"},
{"vfyopt", OPT_VFYOPT, 's', "CSR verification parameter in n:v form"},
{"key", OPT_KEY, 's',
- "Key to be used in certificate or cert request"},
+ "Key for signing, and to include unless using -force_pubkey"},
{"signkey", OPT_SIGNKEY, 's',
"Same as -key"},
{"keyform", OPT_KEYFORM, 'E',
@@ -630,7 +630,7 @@ int x509_main(int argc, char **argv)
}
if (privkeyfile == NULL && pubkeyfile == NULL) {
BIO_printf(bio_err,
- "The -new option without -key requires using -force_pubkey\n");
+ "The -new option requires using the -key or -force_pubkey option\n");
goto end;
}
}
@@ -642,7 +642,7 @@ int x509_main(int argc, char **argv)
CAkeyfile = CAfile;
if (CAfile != NULL) {
if (privkeyfile != NULL) {
- BIO_printf(bio_err, "Cannot use both -key and -CA option\n");
+ BIO_printf(bio_err, "Cannot use both -key/-signkey and -CA option\n");
goto end;
}
} else if (CAkeyfile != NULL) {
@@ -676,6 +676,9 @@ int x509_main(int argc, char **argv)
}
if (reqfile) {
+ if (infile == NULL)
+ BIO_printf(bio_err,
+ "Warning: Reading cert request from stdin since no -in option is given\n");
req = load_csr(infile, informat, "certificate request input");
if (req == NULL)
goto end;
@@ -725,6 +728,9 @@ int x509_main(int argc, char **argv)
}
}
} else {
+ if (infile == NULL)
+ BIO_printf(bio_err,
+ "Warning: Reading certificate from stdin since no -in option is given\n");
x = load_cert_pass(infile, informat, 1, passin, "certificate");
if (x == NULL)
goto end;
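Review bot: this warning (and the matching one for -req in the previous hunk) is printed on every run without -in, including pipelines where reading from stdin is deliberate. That adds noise to stderr for existing scripts and may trip wrappers that treat any stderr output as a failure. Consider emitting it only when stdin is a terminal, or dropping it now that the help text says "(default stdin)".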
@@ -819,7 +825,7 @@ int x509_main(int argc, char **argv)
if (x509toreq) { /* also works in conjunction with -req */
if (privkey == NULL) {
- BIO_printf(bio_err, "Must specify request key using -key\n");
+ BIO_printf(bio_err, "Must specify request signing key using -key\n");
goto end;
}
if (clrext && ext_copy != EXT_COPY_NONE) {
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index e78b04c65b..a21c30ba47 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -79,9 +79,10 @@ The data is a PKCS#10 object.
=item B<-in> I
-This specifies the input filename to read a request from or standard input
-if this option is not specified. A request is only read if the creation
-options (B<-new> or B<-newkey>) are not specified.
+This specifies the input filename to read a request from.
+This defaults to standard input unless B<-x509> or B<-CA> is specified.
+A request is only read if the creation options
+(B<-new> or B<-newkey> or B<-precert>) are not specified.
=item B<-sigopt> I:I
@@ -156,8 +157,13 @@ else by default an RSA key with 2048 bits length.
=item B<-newkey> I
-This option creates a new certificate request and a new private
-key. The argument takes one of several forms.
+This option is used to generate a new private key unless B<-key> is given.
+It is subsequently used as if it was given using the B<-key> option.
+
+This option implies the B<-new> flag to create a new certificate request
+or a new certificate in case B<-x509> is given.
+
+The argument takes one of several forms.
[B]I generates an RSA key I in size.
If I is omitted, i.e., B<-newkey> B is specified,
@@ -193,9 +199,14 @@ See L for more details.
=item B<-key> I|I
-This specifies the key to include and to use for request self-signature
-and for self-signing certificates produced with the B<-x509> option.
-It also accepts PKCS#8 format private keys for PEM format files.
+This option provides the private key for signing a new certificate or
+certificate request.
+Unless B<-in> is given, the corresponding public key is placed in
+the new certificate or certificate request, resulting in a self-signature.
+
+For certificate signing this option is overridden by the B<-CA> option.
+
+This option also accepts PKCS#8 format private keys for PEM format files.
=item B<-keyform> B|B|B|B
@@ -268,6 +279,8 @@ This option outputs a certificate instead of a certificate request.
This is typically used to generate test certificates.
It is implied by the B<-CA> option.
+This option implies the B<-new> flag if B<-in> is not given.
+
If an existing request is specified with the B<-in> option, it is converted
to the a certificate; otherwise a request is created from scratch.
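Review bot: The context paragraph directly below the added sentence still reads "it is converted to the a certificate". Since this hunk already edits the `-x509` entry, fix the stray article ("converted to a certificate") in the same change.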
diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in
index 9c77a216c2..b86f409ce8 100644
--- a/doc/man1/openssl-x509.pod.in
+++ b/doc/man1/openssl-x509.pod.in
@@ -102,9 +102,11 @@ Print out a usage message.
=item B<-in> I|I
-If the B<-req> option is not used this specifies the input
-to read a certificate from or standard input if this option is not specified.
-With the B<-req> option this specifies a certificate request file.
+This specifies the input to read a certificate from
+or the input file for reading a certificate request if the B<-req> flag is used.
+In both cases this defaults to standard input.
+
+This option cannot be combined with the B<-new> flag.
=item B<-passin> I
@@ -118,14 +120,14 @@ Generate a certificate from scratch, not using an input certificate
or certificate request. So the B<-in> option must not be used in this case.
Instead, the B<-subj> option needs to be given.
The public key to include can be given with the B<-force_pubkey> option
-and defaults to the key given with the B<-key> option,
+and defaults to the key given with the B<-key> (or B<-signkey>) option,
which implies self-signature.
=item B<-x509toreq>
Output a PKCS#10 certificate request (rather than a certificate).
-The B<-key> option must be used to provide the private key for self-signing;
-the corresponding public key is placed in the subjectPKInfo field.
+The B<-key> (or B<-signkey>) option must be used to provide the private key for
+self-signing; the corresponding public key is placed in the subjectPKInfo field.
X.509 extensions included in a certificate input are not copied by default.
X.509 extensions to be added can be specified using the B<-extfile> option.
@@ -163,9 +165,12 @@ Names and values of these options are algorithm-specific.
=item B<-key> I|I
-This option causes the new certificate or certificate request
-to be self-signed using the supplied private key.
-This cannot be used in conjunction with the B<-CA> option.
+This option provides the private key for signing a new certificate or
+certificate request.
+Unless B<-force_pubkey> is given, the corresponding public key is placed in
+the new certificate or certificate request, resulting in a self-signature.
+
+This option cannot be used in conjunction with the B<-CA> option.
It sets the issuer name to the subject name (i.e., makes it self-issued)
and changes the public key to the supplied value (unless overridden
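Review bot: In the `-key` entry the retained paragraph ("It sets the issuer name to the subject name ... and changes the public key to the supplied value (unless overridden") now repeats what the new first paragraph says about the public key and `-force_pubkey`. Its leading "It" also now follows the sentence about `-CA`, which makes the referent unclear. Fold the issuer-name statement into the new paragraph and drop the duplicated public key clause.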
@@ -355,8 +360,9 @@ Check that the certificate matches the specified IP address.
=item B<-set_serial> I
-Specifies the serial number to use. This option can be used with either
-the B<-key> or B<-CA> options. If used in conjunction with the B<-CA> option
+Specifies the serial number to use.
+This option can be used with the B<-key>, B<-signkey>, or B<-CA> options.
+If used in conjunction with the B<-CA> option
the serial number file (as specified by the B<-CAserial> option) is not used.
The serial number can be decimal or hex (if preceded by C<0x>).
@@ -400,7 +406,8 @@ or certificate request.
=item B<-force_pubkey> I
When a certificate is created set its public key to the key in I
-instead of the key contained in the input or given with the B<-key> option.
+instead of the key contained in the input
+or given with the B<-key> (or B<-signkey>) option.
This option is useful for creating self-issued certificates that are not
self-signed, for instance when the key cannot be used for signing, such as DH.
@@ -446,7 +453,7 @@ for testing.
The digest to use.
This affects any signing or printing option that uses a message
-digest, such as the B<-fingerprint>, B<-key> and B<-CA> options.
+digest, such as the B<-fingerprint>, B<-key>, and B<-CA> options.
Any digest supported by the L command can be used.
If not specified then SHA1 is used with B<-fingerprint> or
the default digest for the signing algorithm is used, typically SHA256.
@@ -464,9 +471,9 @@ When present, this behaves like a "micro CA" as follows:
The subject name of the "CA" certificate is placed as issuer name in the new
certificate, which is then signed using the "CA" key given as detailed below.
-This option cannot be used in conjunction with the B<-key> option.
+This option cannot be used in conjunction with B<-key> (or B<-signkey>).
This option is normally combined with the B<-req> option referencing a CSR.
-Without the B<-req> option the input must be a self-signed certificate
+Without the B<-req> option the input must be an existing certificate
unless the B<-new> option is given, which generates a certificate from scratch.
=item B<-CAform> B|B|B,
From pauli at openssl.org Mon Sep 13 07:03:03 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Mon, 13 Sep 2021 07:03:03 +0000
Subject: [openssl] master update
Message-ID: <1631516583.189652.14148.nullmailer@dev.openssl.org>
The branch master has been updated
via 485d0790ac1a29a0d4e7391d804810d485890376 (commit)
from cc0d1b03a94b71dd9d8ee9aa11ee22fdc3659821 (commit)
- Log -----------------------------------------------------------------
commit 485d0790ac1a29a0d4e7391d804810d485890376
Author: Nikita Ivanov
Date: Tue Sep 7 11:31:17 2021 +0300
Fix nc_email to check ASN1 strings with NULL byte in the middle
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16524)
-----------------------------------------------------------------------
Summary of changes:
crypto/x509/v3_ncons.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/crypto/x509/v3_ncons.c b/crypto/x509/v3_ncons.c
index dc56fe2c0c..70a7e8304e 100644
--- a/crypto/x509/v3_ncons.c
+++ b/crypto/x509/v3_ncons.c
@@ -714,6 +714,9 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
if (baseat != baseptr) {
if ((baseat - baseptr) != (emlat - emlptr))
return X509_V_ERR_PERMITTED_VIOLATION;
+ if (memchr(baseptr, 0, baseat - baseptr) ||
+ memchr(emlptr, 0, emlat - emlptr))
+ return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
/* Case sensitive match of local part */
if (strncmp(baseptr, emlptr, emlat - emlptr))
return X509_V_ERR_PERMITTED_VIOLATION;
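Review bot: The `memchr()` check sits inside `if (baseat != baseptr)` and scans only the bytes before the '@', so it runs only when the constraint carries a local part and it never looks at the host part of either string. If the code that locates `baseat`/`emlat` or the host comparison further down also relies on NUL-terminated string functions, an embedded NUL there is still not rejected. Consider validating the full length of both `eml` and `base` once at the top of `nc_email()` and returning `X509_V_ERR_UNSUPPORTED_NAME_SYNTAX` from there.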
From pauli at openssl.org Mon Sep 13 07:03:39 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Mon, 13 Sep 2021 07:03:39 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631516619.070634.15802.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via c24758277800ef8fe1f294bcc84da02ca5367129 (commit)
from 96c925c41bf6d9f60f3e8cbe528e82ac7ddc9539 (commit)
- Log -----------------------------------------------------------------
commit c24758277800ef8fe1f294bcc84da02ca5367129
Author: Nikita Ivanov
Date: Tue Sep 7 11:31:17 2021 +0300
Fix nc_email to check ASN1 strings with NULL byte in the middle
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16524)
(cherry picked from commit 485d0790ac1a29a0d4e7391d804810d485890376)
-----------------------------------------------------------------------
Summary of changes:
crypto/x509/v3_ncons.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/crypto/x509/v3_ncons.c b/crypto/x509/v3_ncons.c
index dc56fe2c0c..70a7e8304e 100644
--- a/crypto/x509/v3_ncons.c
+++ b/crypto/x509/v3_ncons.c
@@ -714,6 +714,9 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
if (baseat != baseptr) {
if ((baseat - baseptr) != (emlat - emlptr))
return X509_V_ERR_PERMITTED_VIOLATION;
+ if (memchr(baseptr, 0, baseat - baseptr) ||
+ memchr(emlptr, 0, emlat - emlptr))
+ return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
/* Case sensitive match of local part */
if (strncmp(baseptr, emlptr, emlat - emlptr))
return X509_V_ERR_PERMITTED_VIOLATION;
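Review bot: The local-part comparison right after the new check still uses `strncmp(baseptr, emlptr, emlat - emlptr)`, which is the call that stops at a NUL byte in the first place. The two lengths are already known to be equal at this point, so `memcmp()` would compare every byte and keep the comparison correct even if the guard above it is later moved or removed. As a style point, the two `memchr()` results are tested implicitly; an explicit `!= NULL` reads more clearly for a pointer-returning call.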
From pauli at openssl.org Mon Sep 13 07:04:23 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Mon, 13 Sep 2021 07:04:23 +0000
Subject: [openssl] OpenSSL_1_1_1-stable update
Message-ID: <1631516663.175412.17598.nullmailer@dev.openssl.org>
The branch OpenSSL_1_1_1-stable has been updated
via 9e44ffc281326330937eee0e94b6fd4bfcaa98eb (commit)
from 2753b6ff7f0b91c7ddeb72a6a08948ca28d12a91 (commit)
- Log -----------------------------------------------------------------
commit 9e44ffc281326330937eee0e94b6fd4bfcaa98eb
Author: Nikita Ivanov
Date: Tue Sep 7 11:31:17 2021 +0300
Fix nc_email to check ASN1 strings with NULL byte in the middle
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16524)
(cherry picked from commit 485d0790ac1a29a0d4e7391d804810d485890376)
-----------------------------------------------------------------------
Summary of changes:
crypto/x509v3/v3_ncons.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index d985aa91da..60cb4ceaa8 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c
@@ -602,6 +602,9 @@ static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
if (baseat != baseptr) {
if ((baseat - baseptr) != (emlat - emlptr))
return X509_V_ERR_PERMITTED_VIOLATION;
+ if (memchr(baseptr, 0, baseat - baseptr) ||
+ memchr(emlptr, 0, emlat - emlptr))
+ return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
/* Case sensitive match of local part */
if (strncmp(baseptr, emlptr, emlat - emlptr))
return X509_V_ERR_PERMITTED_VIOLATION;
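Review bot: The summary shows a single file changed with 3 insertions, so this fix lands on the stable branch without a regression test. A name-constraints test case with a NUL byte inside the local part of an rfc822Name, expecting `X509_V_ERR_UNSUPPORTED_NAME_SYNTAX`, would keep the check from being lost in a later refactoring of `nc_email()`.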
From tomas at openssl.org Mon Sep 13 07:36:51 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Mon, 13 Sep 2021 07:36:51 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631518611.253384.13210.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via fc455e5838fd4520c75473342df6e1867367c913 (commit)
from c24758277800ef8fe1f294bcc84da02ca5367129 (commit)
- Log -----------------------------------------------------------------
commit fc455e5838fd4520c75473342df6e1867367c913
Author: Tomas Mraz
Date: Fri Sep 10 10:45:01 2021 +0200
linux-x86-clang target: Add -latomic
Fixes #16572
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16578)
(cherry picked from commit 7ea01f521d08d6585a62c7cfd9358c0f191bd903)
-----------------------------------------------------------------------
Summary of changes:
Configurations/10-main.conf | 1 +
1 file changed, 1 insertion(+)
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
index 468698a366..8414b34ed9 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -857,6 +857,7 @@ my %targets = (
inherit_from => [ "linux-x86" ],
CC => "clang",
CXX => "clang++",
+ ex_libs => add(threads("-latomic")),
},
"linux-x86_64" => {
inherit_from => [ "linux-generic64" ],
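Review bot: The added `ex_libs => add(threads("-latomic")),` line carries no comment saying why the linux-x86-clang target needs libatomic. A one-line comment referencing the issue from the commit message (#16572) would help the next person who touches this target. Because the flag is wrapped in `threads()`, it is only added for threaded builds; please confirm that a no-threads build of this target links without it.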
From tomas at openssl.org Mon Sep 13 07:36:18 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Mon, 13 Sep 2021 07:36:18 +0000
Subject: [openssl] master update
Message-ID: <1631518578.049889.11661.nullmailer@dev.openssl.org>
The branch master has been updated
via 7ea01f521d08d6585a62c7cfd9358c0f191bd903 (commit)
from 485d0790ac1a29a0d4e7391d804810d485890376 (commit)
- Log -----------------------------------------------------------------
commit 7ea01f521d08d6585a62c7cfd9358c0f191bd903
Author: Tomas Mraz
Date: Fri Sep 10 10:45:01 2021 +0200
linux-x86-clang target: Add -latomic
Fixes #16572
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16578)
-----------------------------------------------------------------------
Summary of changes:
Configurations/10-main.conf | 1 +
1 file changed, 1 insertion(+)
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
index 468698a366..8414b34ed9 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -857,6 +857,7 @@ my %targets = (
inherit_from => [ "linux-x86" ],
CC => "clang",
CXX => "clang++",
+ ex_libs => add(threads("-latomic")),
},
"linux-x86_64" => {
inherit_from => [ "linux-generic64" ],
From levitte at openssl.org Mon Sep 13 07:53:03 2021
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 13 Sep 2021 07:53:03 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631519583.562809.26830.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via de36ce47bf9858f3c517345f46e52d5a6fc506de (commit)
from fc455e5838fd4520c75473342df6e1867367c913 (commit)
- Log -----------------------------------------------------------------
commit de36ce47bf9858f3c517345f46e52d5a6fc506de
Author: Richard Levitte
Date: Fri Sep 10 06:42:24 2021 +0200
Fix the build file templates where uplink matters
We changed the manner in which a build needing applink is detected,
but forgot to change the installation targets accordingly.
Fixes #16570
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16577)
-----------------------------------------------------------------------
Summary of changes:
Configurations/unix-Makefile.tmpl | 8 ++++----
Configurations/windows-makefile.tmpl | 4 ++--
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index bf53cbcec5..52d2f6a64e 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -693,11 +693,11 @@ install_dev: install_runtime_libs
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(ECHO) "*** Installing development files"
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/include/openssl
- @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
+ @ : {- output_off() if $disabled{uplink}; "" -}
@$(ECHO) "install $(SRCDIR)/ms/applink.c -> $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
@cp $(SRCDIR)/ms/applink.c $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
@chmod 644 $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
- @ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
+ @ : {- output_on() if $disabled{uplink}; "" -}
@set -e; for i in $(SRCDIR)/include/openssl/*.h \
$(BLDDIR)/include/openssl/*.h; do \
fn=`basename $$i`; \
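Review bot: The `output_off()` and `output_on()` lines around the applink.c install step must always carry the same condition, and that condition is now written out again in the install and uninstall targets of both templates. The commit message says the earlier detection change missed exactly these copies. Consider computing the condition once in the template and referring to it in each place, or at least adding a comment next to `$disabled{uplink}` listing the places that depend on it.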
@@ -767,10 +767,10 @@ install_dev: install_runtime_libs
uninstall_dev: uninstall_runtime_libs
@$(ECHO) "*** Uninstalling development files"
- @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
+ @ : {- output_off() if $disabled{uplink}; "" -}
@$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
@$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
- @ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
+ @ : {- output_on() if $disabled{uplink}; "" -}
@set -e; for i in $(SRCDIR)/include/openssl/*.h \
$(BLDDIR)/include/openssl/*.h; do \
fn=`basename $$i`; \
diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl
index 63431b97ed..78d39ffb4b 100644
--- a/Configurations/windows-makefile.tmpl
+++ b/Configurations/windows-makefile.tmpl
@@ -543,10 +543,10 @@ install_dev: install_runtime_libs
@if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 )
@$(ECHO) "*** Installing development files"
@"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\include\openssl"
- @{- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
+ @{- output_off() if $disabled{uplink}; "" -}
@"$(PERL)" "$(SRCDIR)\util\copy.pl" "$(SRCDIR)\ms\applink.c" \
"$(INSTALLTOP)\include\openssl"
- @{- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
+ @{- output_on() if $disabled{uplink}; "" -}
@"$(PERL)" "$(SRCDIR)\util\copy.pl" "-exclude_re=/__DECC_" \
"$(SRCDIR)\include\openssl\*.h" \
"$(INSTALLTOP)\include\openssl"
From levitte at openssl.org Mon Sep 13 07:54:09 2021
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 13 Sep 2021 07:54:09 +0000
Subject: [openssl] master update
Message-ID: <1631519649.224260.28755.nullmailer@dev.openssl.org>
The branch master has been updated
via 6d56fcd86a75c6c3b061fc69bc2b3b100ebac24b (commit)
from 7ea01f521d08d6585a62c7cfd9358c0f191bd903 (commit)
- Log -----------------------------------------------------------------
commit 6d56fcd86a75c6c3b061fc69bc2b3b100ebac24b
Author: Richard Levitte
Date: Fri Sep 10 06:42:24 2021 +0200
Fix the build file templates where uplink matters
We changed the manner in which a build needing applink is detected,
but forgot to change the installation targets accordingly.
Fixes #16570
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16577)
(cherry picked from commit de36ce47bf9858f3c517345f46e52d5a6fc506de)
-----------------------------------------------------------------------
Summary of changes:
Configurations/unix-Makefile.tmpl | 8 ++++----
Configurations/windows-makefile.tmpl | 4 ++--
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index bf53cbcec5..52d2f6a64e 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -693,11 +693,11 @@ install_dev: install_runtime_libs
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(ECHO) "*** Installing development files"
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/include/openssl
- @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
+ @ : {- output_off() if $disabled{uplink}; "" -}
@$(ECHO) "install $(SRCDIR)/ms/applink.c -> $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
@cp $(SRCDIR)/ms/applink.c $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
@chmod 644 $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
- @ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
+ @ : {- output_on() if $disabled{uplink}; "" -}
@set -e; for i in $(SRCDIR)/include/openssl/*.h \
$(BLDDIR)/include/openssl/*.h; do \
fn=`basename $$i`; \
@@ -767,10 +767,10 @@ install_dev: install_runtime_libs
uninstall_dev: uninstall_runtime_libs
@$(ECHO) "*** Uninstalling development files"
- @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
+ @ : {- output_off() if $disabled{uplink}; "" -}
@$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
@$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
- @ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
+ @ : {- output_on() if $disabled{uplink}; "" -}
@set -e; for i in $(SRCDIR)/include/openssl/*.h \
$(BLDDIR)/include/openssl/*.h; do \
fn=`basename $$i`; \
diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl
index 63431b97ed..78d39ffb4b 100644
--- a/Configurations/windows-makefile.tmpl
+++ b/Configurations/windows-makefile.tmpl
@@ -543,10 +543,10 @@ install_dev: install_runtime_libs
@if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 )
@$(ECHO) "*** Installing development files"
@"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\include\openssl"
- @{- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
+ @{- output_off() if $disabled{uplink}; "" -}
@"$(PERL)" "$(SRCDIR)\util\copy.pl" "$(SRCDIR)\ms\applink.c" \
"$(INSTALLTOP)\include\openssl"
- @{- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
+ @{- output_on() if $disabled{uplink}; "" -}
@"$(PERL)" "$(SRCDIR)\util\copy.pl" "-exclude_re=/__DECC_" \
"$(SRCDIR)\include\openssl\*.h" \
"$(INSTALLTOP)\include\openssl"
From matt at openssl.org Mon Sep 13 10:19:24 2021
From: matt at openssl.org (Matt Caswell)
Date: Mon, 13 Sep 2021 10:19:24 +0000
Subject: [web] master update
Message-ID: <1631528364.507904.28907.nullmailer@dev.openssl.org>
The branch master has been updated
via 78a40cab4af1807c6530546557a93303b2505f40 (commit)
from 598d9806bc701a208da5506fcba59cd629e21f21 (commit)
- Log -----------------------------------------------------------------
commit 78a40cab4af1807c6530546557a93303b2505f40
Author: Tomáš Mráz
Date: Mon Sep 13 12:07:30 2021 +0200
newsflash.txt: Add link to blog about Let's encrypt root expiration
Reviewed-by: Paul Dale
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/web/pull/262)
-----------------------------------------------------------------------
Summary of changes:
news/newsflash.txt | 1 +
1 file changed, 1 insertion(+)
diff --git a/news/newsflash.txt b/news/newsflash.txt
index 7c8a166..dc25841 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -5,6 +5,7 @@
# headings. URL paths must all be absolute.
Date: Item
+13-Sep-2021: New Blog post: Old Let?s Encrypt Root Certificate Expiration and OpenSSL 1.0.2
07-Sep-2021: Final version of OpenSSL 3.0.0 is now available: please download and upgrade!
24-Aug-2021: Security Advisory: two security fixes
24-Aug-2021: OpenSSL 1.1.1l is now available, including bug and security fixes
From pauli at openssl.org Mon Sep 13 21:21:45 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Mon, 13 Sep 2021 21:21:45 +0000
Subject: [openssl] master update
Message-ID: <1631568105.846902.17105.nullmailer@dev.openssl.org>
The branch master has been updated
via ea0d79db9be9066de350c44c160bd8b17f2be666 (commit)
from 6d56fcd86a75c6c3b061fc69bc2b3b100ebac24b (commit)
- Log -----------------------------------------------------------------
commit ea0d79db9be9066de350c44c160bd8b17f2be666
Author: Viktor Szakats
Date: Sun Aug 29 00:59:09 2021 +0000
convert tabs to spaces in two distributed Perl scripts
Also fix indentation in c_rehash.in to 4 spaces, where a mixture of 4 and 8
spaces was used before, in addition to tabs.
CLA: trivial
Reviewed-by: Tomas Mraz
Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16459)
-----------------------------------------------------------------------
Summary of changes:
apps/tsget.in | 50 +++++-----
tools/c_rehash.in | 292 +++++++++++++++++++++++++++---------------------------
2 files changed, 171 insertions(+), 171 deletions(-)
diff --git a/apps/tsget.in b/apps/tsget.in
index d87ea4d654..8eab6a8f1f 100644
--- a/apps/tsget.in
+++ b/apps/tsget.in
@@ -21,10 +21,10 @@ sub read_body {
my $return_data = "";
my $data_len = length ${$state->{data}};
if ($state->{bytes} < $data_len) {
- $data_len = $data_len - $state->{bytes};
- $data_len = $maxlength if $data_len > $maxlength;
- $return_data = substr ${$state->{data}}, $state->{bytes}, $data_len;
- $state->{bytes} += $data_len;
+ $data_len = $data_len - $state->{bytes};
+ $data_len = $maxlength if $data_len > $maxlength;
+ $return_data = substr ${$state->{data}}, $state->{bytes}, $data_len;
+ $state->{bytes} += $data_len;
}
return $return_data;
}
@@ -53,8 +53,8 @@ sub create_curl {
$curl->setopt(CURLOPT_UPLOAD, 1);
$curl->setopt(CURLOPT_CUSTOMREQUEST, "POST");
$curl->setopt(CURLOPT_HTTPHEADER,
- ["Content-Type: application/timestamp-query",
- "Accept: application/timestamp-reply,application/timestamp-response"]);
+ ["Content-Type: application/timestamp-query",
+ "Accept: application/timestamp-reply,application/timestamp-response"]);
$curl->setopt(CURLOPT_READFUNCTION, \&read_body);
$curl->setopt(CURLOPT_HEADERFUNCTION, sub { return length($_[0]); });
@@ -63,8 +63,8 @@ sub create_curl {
# SSL related options.
$curl->setopt(CURLOPT_SSLKEYTYPE, "PEM");
- $curl->setopt(CURLOPT_SSL_VERIFYPEER, 1); # Verify server's certificate.
- $curl->setopt(CURLOPT_SSL_VERIFYHOST, 2); # Check server's CN.
+ $curl->setopt(CURLOPT_SSL_VERIFYPEER, 1); # Verify server's certificate.
+ $curl->setopt(CURLOPT_SSL_VERIFYHOST, 2); # Check server's CN.
$curl->setopt(CURLOPT_SSLKEY, $options{k}) if defined($options{k});
$curl->setopt(CURLOPT_SSLKEYPASSWD, $options{p}) if defined($options{p});
$curl->setopt(CURLOPT_SSLCERT, $options{c}) if defined($options{c});
@@ -101,15 +101,15 @@ sub get_timestamp {
my $error_string;
if ($error_code != 0) {
my $http_code = $curl->getinfo(CURLINFO_HTTP_CODE);
- $error_string = "could not get timestamp";
- $error_string .= ", http code: $http_code" unless $http_code == 0;
- $error_string .= ", curl code: $error_code";
- $error_string .= " ($::error_buf)" if defined($::error_buf);
+ $error_string = "could not get timestamp";
+ $error_string .= ", http code: $http_code" unless $http_code == 0;
+ $error_string .= ", curl code: $error_code";
+ $error_string .= " ($::error_buf)" if defined($::error_buf);
} else {
my $ct = $curl->getinfo(CURLINFO_CONTENT_TYPE);
- if (lc($ct) ne "application/timestamp-reply"
- && lc($ct) ne "application/timestamp-response") {
- $error_string = "unexpected content type returned: $ct";
+ if (lc($ct) ne "application/timestamp-reply"
+ && lc($ct) ne "application/timestamp-response") {
+ $error_string = "unexpected content type returned: $ct";
}
}
return ($ts_body, $error_string);
@@ -163,15 +163,15 @@ REQUEST: foreach (@ARGV) {
# Read request.
my $body;
if ($input eq "-") {
- # Read the request from STDIN;
- $body = ;
+ # Read the request from STDIN;
+ $body = ;
} else {
- # Read the request from file.
+ # Read the request from file.
open INPUT, "<" . $input
- or warn("$input: could not open input file: $!\n"), next REQUEST;
+ or warn("$input: could not open input file: $!\n"), next REQUEST;
$body = ;
close INPUT
- or warn("$input: could not close input file: $!\n"), next REQUEST;
+ or warn("$input: could not close input file: $!\n"), next REQUEST;
}
# Send request.
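Review bot: The file-input branch still uses the two-argument form with a bareword handle, `open INPUT, "<" . $input`, while the output path in the following hunk already uses the three-argument `open OUTPUT, ">", $output`. This commit is whitespace-only, so it is not the place to change behaviour, but a follow-up should switch the input side to a three-argument open with a lexical handle so the file name is always treated purely as a path.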
@@ -179,21 +179,21 @@ REQUEST: foreach (@ARGV) {
my ($ts_body, $error) = get_timestamp $curl, \$body;
if (defined($error)) {
- die "$input: fatal error: $error\n";
+ die "$input: fatal error: $error\n";
}
STDERR->printflush(", reply received") if $options{v};
# Write response.
if ($output eq "-") {
- # Write to STDOUT.
+ # Write to STDOUT.
print $ts_body;
} else {
- # Write to file.
+ # Write to file.
open OUTPUT, ">", $output
- or warn("$output: could not open output file: $!\n"), next REQUEST;
+ or warn("$output: could not open output file: $!\n"), next REQUEST;
print OUTPUT $ts_body;
close OUTPUT
- or warn("$output: could not close output file: $!\n"), next REQUEST;
+ or warn("$output: could not close output file: $!\n"), next REQUEST;
}
STDERR->printflush(", $output written.\n") if $options{v};
}
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
index 54cad6138b..d51d8856d7 100644
--- a/tools/c_rehash.in
+++ b/tools/c_rehash.in
@@ -28,35 +28,35 @@ while ( $ARGV[0] =~ /^-/ ) {
my $flag = shift @ARGV;
last if ( $flag eq '--');
if ( $flag eq '-old') {
- $x509hash = "-subject_hash_old";
- $crlhash = "-hash_old";
+ $x509hash = "-subject_hash_old";
+ $crlhash = "-hash_old";
} elsif ( $flag eq '-h' || $flag eq '-help' ) {
- help();
+ help();
} elsif ( $flag eq '-n' ) {
- $removelinks = 0;
+ $removelinks = 0;
} elsif ( $flag eq '-v' ) {
- $verbose++;
+ $verbose++;
}
else {
- print STDERR "Usage error; try -h.\n";
- exit 1;
+ print STDERR "Usage error; try -h.\n";
+ exit 1;
}
}
sub help {
- print "Usage: c_rehash [-old] [-h] [-help] [-v] [dirs...]\n";
- print " -old use old-style digest\n";
- print " -h or -help print this help text\n";
- print " -v print files removed and linked\n";
- exit 0;
+ print "Usage: c_rehash [-old] [-h] [-help] [-v] [dirs...]\n";
+ print " -old use old-style digest\n";
+ print " -h or -help print this help text\n";
+ print " -v print files removed and linked\n";
+ exit 0;
}
eval "require Cwd";
if (defined(&Cwd::getcwd)) {
- $pwd=Cwd::getcwd();
+ $pwd=Cwd::getcwd();
} else {
- $pwd=`pwd`;
- chomp($pwd);
+ $pwd=`pwd`;
+ chomp($pwd);
}
# DOS/Win32 or Unix delimiter? Prefix our installdir, then search.
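Review bot: The usage text printed by `help()` lists `[-old] [-h] [-help] [-v]` but not `-n`, which the option loop above accepts and uses to set `$removelinks = 0`. Since these lines are being re-indented anyway, a follow-up should add `-n` to the usage line and describe it in the help output.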
@@ -64,92 +64,92 @@ my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':';
$ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : "");
if (! -x $openssl) {
- my $found = 0;
- foreach (split /$path_delim/, $ENV{PATH}) {
- if (-x "$_/$openssl") {
- $found = 1;
- $openssl = "$_/$openssl";
- last;
- }
- }
- if ($found == 0) {
- print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
- exit 0;
- }
+ my $found = 0;
+ foreach (split /$path_delim/, $ENV{PATH}) {
+ if (-x "$_/$openssl") {
+ $found = 1;
+ $openssl = "$_/$openssl";
+ last;
+ }
+ }
+ if ($found == 0) {
+ print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
+ exit 0;
+ }
}
if (@ARGV) {
- @dirlist = @ARGV;
+ @dirlist = @ARGV;
} elsif ($ENV{SSL_CERT_DIR}) {
- @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR};
+ @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR};
} else {
- $dirlist[0] = "$dir/certs";
+ $dirlist[0] = "$dir/certs";
}
if (-d $dirlist[0]) {
- chdir $dirlist[0];
- $openssl="$pwd/$openssl" if (!-x $openssl);
- chdir $pwd;
+ chdir $dirlist[0];
+ $openssl="$pwd/$openssl" if (!-x $openssl);
+ chdir $pwd;
}
foreach (@dirlist) {
- if (-d $_ ) {
- if ( -w $_) {
- hash_dir($_);
- } else {
- print "Skipping $_, can't write\n";
- $errorcount++;
- }
- }
+ if (-d $_ ) {
+ if ( -w $_) {
+ hash_dir($_);
+ } else {
+ print "Skipping $_, can't write\n";
+ $errorcount++;
+ }
+ }
}
exit($errorcount);
sub hash_dir {
- my %hashlist;
- print "Doing $_[0]\n";
- chdir $_[0];
- opendir(DIR, ".");
- my @flist = sort readdir(DIR);
- closedir DIR;
- if ( $removelinks ) {
- # Delete any existing symbolic links
- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
- if (-l $_) {
- print "unlink $_" if $verbose;
- unlink $_ || warn "Can't unlink $_, $!\n";
- }
- }
- }
- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
- # Check to see if certificates and/or CRLs present.
- my ($cert, $crl) = check_file($fname);
- if (!$cert && !$crl) {
- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
- next;
- }
- link_hash_cert($fname) if ($cert);
- link_hash_crl($fname) if ($crl);
- }
+ my %hashlist;
+ print "Doing $_[0]\n";
+ chdir $_[0];
+ opendir(DIR, ".");
+ my @flist = sort readdir(DIR);
+ closedir DIR;
+ if ( $removelinks ) {
+ # Delete any existing symbolic links
+ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
+ if (-l $_) {
+ print "unlink $_" if $verbose;
+ unlink $_ || warn "Can't unlink $_, $!\n";
+ }
+ }
+ }
+ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
+ # Check to see if certificates and/or CRLs present.
+ my ($cert, $crl) = check_file($fname);
+ if (!$cert && !$crl) {
+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
+ next;
+ }
+ link_hash_cert($fname) if ($cert);
+ link_hash_crl($fname) if ($crl);
+ }
}
sub check_file {
- my ($is_cert, $is_crl) = (0,0);
- my $fname = $_[0];
- open IN, $fname;
- while() {
- if (/^-----BEGIN (.*)-----/) {
- my $hdr = $1;
- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
- $is_cert = 1;
- last if ($is_crl);
- } elsif ($hdr eq "X509 CRL") {
- $is_crl = 1;
- last if ($is_cert);
- }
- }
- }
- close IN;
- return ($is_cert, $is_crl);
+ my ($is_cert, $is_crl) = (0,0);
+ my $fname = $_[0];
+ open IN, $fname;
+ while() {
+ if (/^-----BEGIN (.*)-----/) {
+ my $hdr = $1;
+ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
+ $is_cert = 1;
+ last if ($is_crl);
+ } elsif ($hdr eq "X509 CRL") {
+ $is_crl = 1;
+ last if ($is_cert);
+ }
+ }
+ }
+ close IN;
+ return ($is_cert, $is_crl);
}
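Review bot: In hash_dir, the file filter `grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist` does not anchor the way it reads. The alternation is at the top level, so it accepts `.pem` anywhere in the name, `crt` or `cer` anywhere, or `crl` at the end. Since the line is being re-indented anyway, group the alternatives as `/\.(pem|crt|cer|crl)$/` so that only names ending in one of those extensions reach check_file.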
@@ -160,72 +160,72 @@ sub check_file {
# certificate fingerprints
sub link_hash_cert {
- my $fname = $_[0];
- $fname =~ s/\"/\\\"/g;
- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
- chomp $hash;
- chomp $fprint;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
- # Search for an unused hash filename
- while(exists $hashlist{"$hash.$suffix"}) {
- # Hash matches: if fingerprint matches its a duplicate cert
- if ($hashlist{"$hash.$suffix"} eq $fprint) {
- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
- return;
- }
- $suffix++;
- }
- $hash .= ".$suffix";
- if ($symlink_exists) {
- print "link $fname -> $hash\n" if $verbose;
- symlink $fname, $hash || warn "Can't symlink, $!";
- } else {
- print "copy $fname -> $hash\n" if $verbose;
- if (open($in, "<", $fname)) {
- if (open($out,">", $hash)) {
- print $out $_ while (<$in>);
- close $out;
- } else {
- warn "can't open $hash for write, $!";
- }
- close $in;
- } else {
- warn "can't open $fname for read, $!";
- }
- }
- $hashlist{$hash} = $fprint;
+ my $fname = $_[0];
+ $fname =~ s/\"/\\\"/g;
+ my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
+ chomp $hash;
+ chomp $fprint;
+ $fprint =~ s/^.*=//;
+ $fprint =~ tr/://d;
+ my $suffix = 0;
+ # Search for an unused hash filename
+ while(exists $hashlist{"$hash.$suffix"}) {
+ # Hash matches: if fingerprint matches its a duplicate cert
+ if ($hashlist{"$hash.$suffix"} eq $fprint) {
+ print STDERR "WARNING: Skipping duplicate certificate $fname\n";
+ return;
+ }
+ $suffix++;
+ }
+ $hash .= ".$suffix";
+ if ($symlink_exists) {
+ print "link $fname -> $hash\n" if $verbose;
+ symlink $fname, $hash || warn "Can't symlink, $!";
+ } else {
+ print "copy $fname -> $hash\n" if $verbose;
+ if (open($in, "<", $fname)) {
+ if (open($out,">", $hash)) {
+ print $out $_ while (<$in>);
+ close $out;
+ } else {
+ warn "can't open $hash for write, $!";
+ }
+ close $in;
+ } else {
+ warn "can't open $fname for read, $!";
+ }
+ }
+ $hashlist{$hash} = $fprint;
}
# Same as above except for a CRL. CRL links are of the form .r
sub link_hash_crl {
- my $fname = $_[0];
- $fname =~ s/'/'\\''/g;
- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
- chomp $hash;
- chomp $fprint;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
- # Search for an unused hash filename
- while(exists $hashlist{"$hash.r$suffix"}) {
- # Hash matches: if fingerprint matches its a duplicate cert
- if ($hashlist{"$hash.r$suffix"} eq $fprint) {
- print STDERR "WARNING: Skipping duplicate CRL $fname\n";
- return;
- }
- $suffix++;
- }
- $hash .= ".r$suffix";
- if ($symlink_exists) {
- print "link $fname -> $hash\n" if $verbose;
- symlink $fname, $hash || warn "Can't symlink, $!";
- } else {
- print "cp $fname -> $hash\n" if $verbose;
- system ("cp", $fname, $hash);
- warn "Can't copy, $!" if ($? >> 8) != 0;
- }
- $hashlist{$hash} = $fprint;
+ my $fname = $_[0];
+ $fname =~ s/'/'\\''/g;
+ my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
+ chomp $hash;
+ chomp $fprint;
+ $fprint =~ s/^.*=//;
+ $fprint =~ tr/://d;
+ my $suffix = 0;
+ # Search for an unused hash filename
+ while(exists $hashlist{"$hash.r$suffix"}) {
+ # Hash matches: if fingerprint matches its a duplicate cert
+ if ($hashlist{"$hash.r$suffix"} eq $fprint) {
+ print STDERR "WARNING: Skipping duplicate CRL $fname\n";
+ return;
+ }
+ $suffix++;
+ }
+ $hash .= ".r$suffix";
+ if ($symlink_exists) {
+ print "link $fname -> $hash\n" if $verbose;
+ symlink $fname, $hash || warn "Can't symlink, $!";
+ } else {
+ print "cp $fname -> $hash\n" if $verbose;
+ system ("cp", $fname, $hash);
+ warn "Can't copy, $!" if ($? >> 8) != 0;
+ }
+ $hashlist{$hash} = $fprint;
}
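Review bot: link_hash_cert interpolates `$fname` into a backtick command inside double quotes after escaping only `"` (`$fname =~ s/\"/\\\"/g;`), so `$`, backquote and backslash in a file name are still interpreted by the shell, whereas link_hash_crl wraps the name in single quotes with `'\''` escaping. Use the same single-quote escaping in link_hash_cert, or better, run openssl without a shell in both subs through a list-form pipe open with `$fname` passed as its own argument. This is worth a follow-up even though this change itself is whitespace-only.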
From pauli at openssl.org Mon Sep 13 21:22:27 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Mon, 13 Sep 2021 21:22:27 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631568147.793186.18328.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via 566431716efab52b40cc3af6610ba831d5c1cccc (commit)
from de36ce47bf9858f3c517345f46e52d5a6fc506de (commit)
- Log -----------------------------------------------------------------
commit 566431716efab52b40cc3af6610ba831d5c1cccc
Author: Viktor Szakats
Date: Sun Aug 29 00:59:09 2021 +0000
convert tabs to spaces in two distributed Perl scripts
Also fix indentation in c_rehash.in to 4 spaces, where a mixture of 4 and 8
spaces was used before, in addition to tabs.
CLA: trivial
Reviewed-by: Tomas Mraz
Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16459)
(cherry picked from commit ea0d79db9be9066de350c44c160bd8b17f2be666)
-----------------------------------------------------------------------
Summary of changes:
apps/tsget.in | 50 +++++-----
tools/c_rehash.in | 292 +++++++++++++++++++++++++++---------------------------
2 files changed, 171 insertions(+), 171 deletions(-)
diff --git a/apps/tsget.in b/apps/tsget.in
index d87ea4d654..8eab6a8f1f 100644
--- a/apps/tsget.in
+++ b/apps/tsget.in
@@ -21,10 +21,10 @@ sub read_body {
my $return_data = "";
my $data_len = length ${$state->{data}};
if ($state->{bytes} < $data_len) {
- $data_len = $data_len - $state->{bytes};
- $data_len = $maxlength if $data_len > $maxlength;
- $return_data = substr ${$state->{data}}, $state->{bytes}, $data_len;
- $state->{bytes} += $data_len;
+ $data_len = $data_len - $state->{bytes};
+ $data_len = $maxlength if $data_len > $maxlength;
+ $return_data = substr ${$state->{data}}, $state->{bytes}, $data_len;
+ $state->{bytes} += $data_len;
}
return $return_data;
}
@@ -53,8 +53,8 @@ sub create_curl {
$curl->setopt(CURLOPT_UPLOAD, 1);
$curl->setopt(CURLOPT_CUSTOMREQUEST, "POST");
$curl->setopt(CURLOPT_HTTPHEADER,
- ["Content-Type: application/timestamp-query",
- "Accept: application/timestamp-reply,application/timestamp-response"]);
+ ["Content-Type: application/timestamp-query",
+ "Accept: application/timestamp-reply,application/timestamp-response"]);
$curl->setopt(CURLOPT_READFUNCTION, \&read_body);
$curl->setopt(CURLOPT_HEADERFUNCTION, sub { return length($_[0]); });
@@ -63,8 +63,8 @@ sub create_curl {
# SSL related options.
$curl->setopt(CURLOPT_SSLKEYTYPE, "PEM");
- $curl->setopt(CURLOPT_SSL_VERIFYPEER, 1); # Verify server's certificate.
- $curl->setopt(CURLOPT_SSL_VERIFYHOST, 2); # Check server's CN.
+ $curl->setopt(CURLOPT_SSL_VERIFYPEER, 1); # Verify server's certificate.
+ $curl->setopt(CURLOPT_SSL_VERIFYHOST, 2); # Check server's CN.
$curl->setopt(CURLOPT_SSLKEY, $options{k}) if defined($options{k});
$curl->setopt(CURLOPT_SSLKEYPASSWD, $options{p}) if defined($options{p});
$curl->setopt(CURLOPT_SSLCERT, $options{c}) if defined($options{c});
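Review bot: The comment on `CURLOPT_SSL_VERIFYHOST, 2` says "Check server's CN", but with value 2 libcurl matches the host name against the certificate's subject alternative names as well as the common name. As the line is being realigned anyway, reword the comment to something like "Verify the host name against the server's certificate" so it does not read as a CN-only check.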
@@ -101,15 +101,15 @@ sub get_timestamp {
my $error_string;
if ($error_code != 0) {
my $http_code = $curl->getinfo(CURLINFO_HTTP_CODE);
- $error_string = "could not get timestamp";
- $error_string .= ", http code: $http_code" unless $http_code == 0;
- $error_string .= ", curl code: $error_code";
- $error_string .= " ($::error_buf)" if defined($::error_buf);
+ $error_string = "could not get timestamp";
+ $error_string .= ", http code: $http_code" unless $http_code == 0;
+ $error_string .= ", curl code: $error_code";
+ $error_string .= " ($::error_buf)" if defined($::error_buf);
} else {
my $ct = $curl->getinfo(CURLINFO_CONTENT_TYPE);
- if (lc($ct) ne "application/timestamp-reply"
- && lc($ct) ne "application/timestamp-response") {
- $error_string = "unexpected content type returned: $ct";
+ if (lc($ct) ne "application/timestamp-reply"
+ && lc($ct) ne "application/timestamp-response") {
+ $error_string = "unexpected content type returned: $ct";
}
}
return ($ts_body, $error_string);
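Review bot: In get_timestamp, `$ct` from `getinfo(CURLINFO_CONTENT_TYPE)` goes straight into `lc()` and the `ne` comparisons. When the reply carries no Content-Type header the value can be undefined, which gives an uninitialized-value warning and an error string ending in an empty type. The exact comparison also rejects an otherwise valid media type that has parameters appended. Check `defined($ct)` first and compare only the part before any `;`.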
@@ -163,15 +163,15 @@ REQUEST: foreach (@ARGV) {
# Read request.
my $body;
if ($input eq "-") {
- # Read the request from STDIN;
- $body = ;
+ # Read the request from STDIN;
+ $body = ;
} else {
- # Read the request from file.
+ # Read the request from file.
open INPUT, "<" . $input
- or warn("$input: could not open input file: $!\n"), next REQUEST;
+ or warn("$input: could not open input file: $!\n"), next REQUEST;
$body = ;
close INPUT
- or warn("$input: could not close input file: $!\n"), next REQUEST;
+ or warn("$input: could not close input file: $!\n"), next REQUEST;
}
# Send request.
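Review bot: The input file is still opened with the two-argument form built by concatenation (`open INPUT, "<" . $input`), while the output side of this script already uses the three-argument form (`open OUTPUT, ">", $output`). With two arguments, leading or trailing whitespace in `$input` is stripped and the name is parsed together with the mode. Change it to `open INPUT, "<", $input` for consistency and so the file name is taken literally.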
@@ -179,21 +179,21 @@ REQUEST: foreach (@ARGV) {
my ($ts_body, $error) = get_timestamp $curl, \$body;
if (defined($error)) {
- die "$input: fatal error: $error\n";
+ die "$input: fatal error: $error\n";
}
STDERR->printflush(", reply received") if $options{v};
# Write response.
if ($output eq "-") {
- # Write to STDOUT.
+ # Write to STDOUT.
print $ts_body;
} else {
- # Write to file.
+ # Write to file.
open OUTPUT, ">", $output
- or warn("$output: could not open output file: $!\n"), next REQUEST;
+ or warn("$output: could not open output file: $!\n"), next REQUEST;
print OUTPUT $ts_body;
close OUTPUT
- or warn("$output: could not close output file: $!\n"), next REQUEST;
+ or warn("$output: could not close output file: $!\n"), next REQUEST;
}
STDERR->printflush(", $output written.\n") if $options{v};
}
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
index 54cad6138b..d51d8856d7 100644
--- a/tools/c_rehash.in
+++ b/tools/c_rehash.in
@@ -28,35 +28,35 @@ while ( $ARGV[0] =~ /^-/ ) {
my $flag = shift @ARGV;
last if ( $flag eq '--');
if ( $flag eq '-old') {
- $x509hash = "-subject_hash_old";
- $crlhash = "-hash_old";
+ $x509hash = "-subject_hash_old";
+ $crlhash = "-hash_old";
} elsif ( $flag eq '-h' || $flag eq '-help' ) {
- help();
+ help();
} elsif ( $flag eq '-n' ) {
- $removelinks = 0;
+ $removelinks = 0;
} elsif ( $flag eq '-v' ) {
- $verbose++;
+ $verbose++;
}
else {
- print STDERR "Usage error; try -h.\n";
- exit 1;
+ print STDERR "Usage error; try -h.\n";
+ exit 1;
}
}
sub help {
- print "Usage: c_rehash [-old] [-h] [-help] [-v] [dirs...]\n";
- print " -old use old-style digest\n";
- print " -h or -help print this help text\n";
- print " -v print files removed and linked\n";
- exit 0;
+ print "Usage: c_rehash [-old] [-h] [-help] [-v] [dirs...]\n";
+ print " -old use old-style digest\n";
+ print " -h or -help print this help text\n";
+ print " -v print files removed and linked\n";
+ exit 0;
}
eval "require Cwd";
if (defined(&Cwd::getcwd)) {
- $pwd=Cwd::getcwd();
+ $pwd=Cwd::getcwd();
} else {
- $pwd=`pwd`;
- chomp($pwd);
+ $pwd=`pwd`;
+ chomp($pwd);
}
# DOS/Win32 or Unix delimiter? Prefix our installdir, then search.
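Review bot: The option loop accepts `-n` (`$removelinks = 0;`), but help() does not mention it: the usage line reads `c_rehash [-old] [-h] [-help] [-v] [dirs...]` and no `-n` description is printed. While these print statements are being re-indented, add `[-n]` to the usage line and a line saying that it keeps existing links.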
@@ -64,92 +64,92 @@ my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':';
$ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : "");
if (! -x $openssl) {
- my $found = 0;
- foreach (split /$path_delim/, $ENV{PATH}) {
- if (-x "$_/$openssl") {
- $found = 1;
- $openssl = "$_/$openssl";
- last;
- }
- }
- if ($found == 0) {
- print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
- exit 0;
- }
+ my $found = 0;
+ foreach (split /$path_delim/, $ENV{PATH}) {
+ if (-x "$_/$openssl") {
+ $found = 1;
+ $openssl = "$_/$openssl";
+ last;
+ }
+ }
+ if ($found == 0) {
+ print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
+ exit 0;
+ }
}
if (@ARGV) {
- @dirlist = @ARGV;
+ @dirlist = @ARGV;
} elsif ($ENV{SSL_CERT_DIR}) {
- @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR};
+ @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR};
} else {
- $dirlist[0] = "$dir/certs";
+ $dirlist[0] = "$dir/certs";
}
if (-d $dirlist[0]) {
- chdir $dirlist[0];
- $openssl="$pwd/$openssl" if (!-x $openssl);
- chdir $pwd;
+ chdir $dirlist[0];
+ $openssl="$pwd/$openssl" if (!-x $openssl);
+ chdir $pwd;
}
foreach (@dirlist) {
- if (-d $_ ) {
- if ( -w $_) {
- hash_dir($_);
- } else {
- print "Skipping $_, can't write\n";
- $errorcount++;
- }
- }
+ if (-d $_ ) {
+ if ( -w $_) {
+ hash_dir($_);
+ } else {
+ print "Skipping $_, can't write\n";
+ $errorcount++;
+ }
+ }
}
exit($errorcount);
sub hash_dir {
- my %hashlist;
- print "Doing $_[0]\n";
- chdir $_[0];
- opendir(DIR, ".");
- my @flist = sort readdir(DIR);
- closedir DIR;
- if ( $removelinks ) {
- # Delete any existing symbolic links
- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
- if (-l $_) {
- print "unlink $_" if $verbose;
- unlink $_ || warn "Can't unlink $_, $!\n";
- }
- }
- }
- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
- # Check to see if certificates and/or CRLs present.
- my ($cert, $crl) = check_file($fname);
- if (!$cert && !$crl) {
- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
- next;
- }
- link_hash_cert($fname) if ($cert);
- link_hash_crl($fname) if ($crl);
- }
+ my %hashlist;
+ print "Doing $_[0]\n";
+ chdir $_[0];
+ opendir(DIR, ".");
+ my @flist = sort readdir(DIR);
+ closedir DIR;
+ if ( $removelinks ) {
+ # Delete any existing symbolic links
+ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
+ if (-l $_) {
+ print "unlink $_" if $verbose;
+ unlink $_ || warn "Can't unlink $_, $!\n";
+ }
+ }
+ }
+ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
+ # Check to see if certificates and/or CRLs present.
+ my ($cert, $crl) = check_file($fname);
+ if (!$cert && !$crl) {
+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
+ next;
+ }
+ link_hash_cert($fname) if ($cert);
+ link_hash_crl($fname) if ($crl);
+ }
}
sub check_file {
- my ($is_cert, $is_crl) = (0,0);
- my $fname = $_[0];
- open IN, $fname;
- while() {
- if (/^-----BEGIN (.*)-----/) {
- my $hdr = $1;
- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
- $is_cert = 1;
- last if ($is_crl);
- } elsif ($hdr eq "X509 CRL") {
- $is_crl = 1;
- last if ($is_cert);
- }
- }
- }
- close IN;
- return ($is_cert, $is_crl);
+ my ($is_cert, $is_crl) = (0,0);
+ my $fname = $_[0];
+ open IN, $fname;
+ while() {
+ if (/^-----BEGIN (.*)-----/) {
+ my $hdr = $1;
+ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
+ $is_cert = 1;
+ last if ($is_crl);
+ } elsif ($hdr eq "X509 CRL") {
+ $is_crl = 1;
+ last if ($is_cert);
+ }
+ }
+ }
+ close IN;
+ return ($is_cert, $is_crl);
}
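Review bot: check_file opens each directory entry with the two-argument form and no error check (`open IN, $fname;`), so the open mode is taken from the file name itself and a file that cannot be opened is reported by the caller as "does not contain a certificate or CRL". Prefer `open(my $in, "<", $fname)` with a warning and an early return on failure. In the same hunk, `unlink $_ || warn ...` in hash_dir parses as `unlink($_ || warn ...)`, so the warning never fires when unlink fails; use `or` there.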
@@ -160,72 +160,72 @@ sub check_file {
# certificate fingerprints
sub link_hash_cert {
- my $fname = $_[0];
- $fname =~ s/\"/\\\"/g;
- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
- chomp $hash;
- chomp $fprint;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
- # Search for an unused hash filename
- while(exists $hashlist{"$hash.$suffix"}) {
- # Hash matches: if fingerprint matches its a duplicate cert
- if ($hashlist{"$hash.$suffix"} eq $fprint) {
- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
- return;
- }
- $suffix++;
- }
- $hash .= ".$suffix";
- if ($symlink_exists) {
- print "link $fname -> $hash\n" if $verbose;
- symlink $fname, $hash || warn "Can't symlink, $!";
- } else {
- print "copy $fname -> $hash\n" if $verbose;
- if (open($in, "<", $fname)) {
- if (open($out,">", $hash)) {
- print $out $_ while (<$in>);
- close $out;
- } else {
- warn "can't open $hash for write, $!";
- }
- close $in;
- } else {
- warn "can't open $fname for read, $!";
- }
- }
- $hashlist{$hash} = $fprint;
+ my $fname = $_[0];
+ $fname =~ s/\"/\\\"/g;
+ my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
+ chomp $hash;
+ chomp $fprint;
+ $fprint =~ s/^.*=//;
+ $fprint =~ tr/://d;
+ my $suffix = 0;
+ # Search for an unused hash filename
+ while(exists $hashlist{"$hash.$suffix"}) {
+ # Hash matches: if fingerprint matches its a duplicate cert
+ if ($hashlist{"$hash.$suffix"} eq $fprint) {
+ print STDERR "WARNING: Skipping duplicate certificate $fname\n";
+ return;
+ }
+ $suffix++;
+ }
+ $hash .= ".$suffix";
+ if ($symlink_exists) {
+ print "link $fname -> $hash\n" if $verbose;
+ symlink $fname, $hash || warn "Can't symlink, $!";
+ } else {
+ print "copy $fname -> $hash\n" if $verbose;
+ if (open($in, "<", $fname)) {
+ if (open($out,">", $hash)) {
+ print $out $_ while (<$in>);
+ close $out;
+ } else {
+ warn "can't open $hash for write, $!";
+ }
+ close $in;
+ } else {
+ warn "can't open $fname for read, $!";
+ }
+ }
+ $hashlist{$hash} = $fprint;
}
# Same as above except for a CRL. CRL links are of the form .r
sub link_hash_crl {
- my $fname = $_[0];
- $fname =~ s/'/'\\''/g;
- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
- chomp $hash;
- chomp $fprint;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
- # Search for an unused hash filename
- while(exists $hashlist{"$hash.r$suffix"}) {
- # Hash matches: if fingerprint matches its a duplicate cert
- if ($hashlist{"$hash.r$suffix"} eq $fprint) {
- print STDERR "WARNING: Skipping duplicate CRL $fname\n";
- return;
- }
- $suffix++;
- }
- $hash .= ".r$suffix";
- if ($symlink_exists) {
- print "link $fname -> $hash\n" if $verbose;
- symlink $fname, $hash || warn "Can't symlink, $!";
- } else {
- print "cp $fname -> $hash\n" if $verbose;
- system ("cp", $fname, $hash);
- warn "Can't copy, $!" if ($? >> 8) != 0;
- }
- $hashlist{$hash} = $fprint;
+ my $fname = $_[0];
+ $fname =~ s/'/'\\''/g;
+ my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
+ chomp $hash;
+ chomp $fprint;
+ $fprint =~ s/^.*=//;
+ $fprint =~ tr/://d;
+ my $suffix = 0;
+ # Search for an unused hash filename
+ while(exists $hashlist{"$hash.r$suffix"}) {
+ # Hash matches: if fingerprint matches its a duplicate cert
+ if ($hashlist{"$hash.r$suffix"} eq $fprint) {
+ print STDERR "WARNING: Skipping duplicate CRL $fname\n";
+ return;
+ }
+ $suffix++;
+ }
+ $hash .= ".r$suffix";
+ if ($symlink_exists) {
+ print "link $fname -> $hash\n" if $verbose;
+ symlink $fname, $hash || warn "Can't symlink, $!";
+ } else {
+ print "cp $fname -> $hash\n" if $verbose;
+ system ("cp", $fname, $hash);
+ warn "Can't copy, $!" if ($? >> 8) != 0;
+ }
+ $hashlist{$hash} = $fprint;
}
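Review bot: In both link_hash_cert and link_hash_crl, `symlink $fname, $hash || warn "Can't symlink, $!";` binds `||` to `$hash` rather than to the result of symlink, so a failed symlink is never reported and `$hashlist{$hash}` is still recorded as if the link had been created. Write `symlink($fname, $hash) or warn ...`. In the copy branch of link_hash_crl, `warn "Can't copy, $!"` after `system ("cp", ...)` prints `$!`, which does not describe why the child `cp` failed; report the exit status from `$?` instead.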
From tomas at openssl.org Tue Sep 14 12:51:04 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Tue, 14 Sep 2021 12:51:04 +0000
Subject: [openssl] master update
Message-ID: <1631623864.069855.6451.nullmailer@dev.openssl.org>
The branch master has been updated
via 24cdb1bfecbd765e829b9932a5a60ff63a7dff4b (commit)
from ea0d79db9be9066de350c44c160bd8b17f2be666 (commit)
- Log -----------------------------------------------------------------
commit 24cdb1bfecbd765e829b9932a5a60ff63a7dff4b
Author: lprimak
Date: Sun Sep 12 20:21:30 2021 -0500
MacOS prior to 10.12 does not support random API correctly
Fixes #16517
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16592)
-----------------------------------------------------------------------
Summary of changes:
include/crypto/rand.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/crypto/rand.h b/include/crypto/rand.h
index ac41a9f62b..fa3b5b2b93 100644
--- a/include/crypto/rand.h
+++ b/include/crypto/rand.h
@@ -24,7 +24,7 @@
# if defined(__APPLE__) && !defined(OPENSSL_NO_APPLE_CRYPTO_RANDOM)
# include
-# if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101000) || \
+# if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200) || \
(defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 80000)
# define OPENSSL_APPLE_CRYPTO_RANDOM 1
# include
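Review bot: Only the macOS bound on the first line of the condition is raised (101000 to 101200); the iOS bound on the continuation line stays at `__IPHONE_OS_VERSION_MIN_REQUIRED >= 80000`. The commit message speaks only of macOS prior to 10.12, so please confirm in the PR that the iOS threshold was checked and is intentionally left unchanged.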
From tomas at openssl.org Tue Sep 14 12:52:40 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Tue, 14 Sep 2021 12:52:40 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631623960.925604.8389.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via ad0697696cc3d9f4a588a3b2d48d898619dbe228 (commit)
from 566431716efab52b40cc3af6610ba831d5c1cccc (commit)
- Log -----------------------------------------------------------------
commit ad0697696cc3d9f4a588a3b2d48d898619dbe228
Author: lprimak
Date: Sun Sep 12 20:21:30 2021 -0500
MacOS prior to 10.12 does not support random API correctly
Fixes #16517
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16591)
-----------------------------------------------------------------------
Summary of changes:
include/crypto/rand.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/crypto/rand.h b/include/crypto/rand.h
index ac41a9f62b..fa3b5b2b93 100644
--- a/include/crypto/rand.h
+++ b/include/crypto/rand.h
@@ -24,7 +24,7 @@
# if defined(__APPLE__) && !defined(OPENSSL_NO_APPLE_CRYPTO_RANDOM)
# include
-# if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101000) || \
+# if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200) || \
(defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 80000)
# define OPENSSL_APPLE_CRYPTO_RANDOM 1
# include
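Review bot: The new threshold `101200` is a bare number with no comment next to the `# if`. The reason (per the commit message, the random API does not work correctly before macOS 10.12) and the issue reference #16517 exist only in the log, so add a one-line comment above the condition to keep a later cleanup from lowering the bound again.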
From tomas at openssl.org Tue Sep 14 12:54:25 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Tue, 14 Sep 2021 12:54:25 +0000
Subject: [openssl] OpenSSL_1_1_1-stable update
Message-ID: <1631624065.519611.9939.nullmailer@dev.openssl.org>
The branch OpenSSL_1_1_1-stable has been updated
via 2f3b120401533db82e99ed28de5fc8aab1b76b33 (commit)
from 9e44ffc281326330937eee0e94b6fd4bfcaa98eb (commit)
- Log -----------------------------------------------------------------
commit 2f3b120401533db82e99ed28de5fc8aab1b76b33
Author: Lenny Primak
Date: Sat Sep 11 18:53:45 2021 -0500
MacOS prior to 10.12 does not support random API correctly
Fixes #16517
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16587)
-----------------------------------------------------------------------
Summary of changes:
include/crypto/rand.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/crypto/rand.h b/include/crypto/rand.h
index 674f840fd1..8247d16c55 100644
--- a/include/crypto/rand.h
+++ b/include/crypto/rand.h
@@ -22,7 +22,7 @@
# if defined(__APPLE__) && !defined(OPENSSL_NO_APPLE_CRYPTO_RANDOM)
# include
-# if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101000) || \
+# if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200) || \
(defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 80000)
# define OPENSSL_APPLE_CRYPTO_RANDOM 1
# include
From tomas at openssl.org Tue Sep 14 13:01:22 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Tue, 14 Sep 2021 13:01:22 +0000
Subject: [openssl] master update
Message-ID: <1631624482.643108.12853.nullmailer@dev.openssl.org>
The branch master has been updated
via 1ed3249f253e4490a813279e2eb253c8e5cfaabb (commit)
from 24cdb1bfecbd765e829b9932a5a60ff63a7dff4b (commit)
- Log -----------------------------------------------------------------
commit 1ed3249f253e4490a813279e2eb253c8e5cfaabb
Author: Dr. David von Oheimb
Date: Mon Sep 13 08:14:58 2021 +0200
80-test_cmp_http.t: Fix handling of empty HTTP proxy string
Fixes #16546
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16593)
-----------------------------------------------------------------------
Summary of changes:
test/recipes/80-test_cmp_http.t | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/recipes/80-test_cmp_http.t b/test/recipes/80-test_cmp_http.t
index 7bd95337e8..92f11e8ac8 100644
--- a/test/recipes/80-test_cmp_http.t
+++ b/test/recipes/80-test_cmp_http.t
@@ -42,8 +42,8 @@ sub chop_dblquot { # chop any leading and trailing '"' (needed for Windows)
return $str;
}
-my $proxy = "";
-$proxy = chop_dblquot($ENV{http_proxy} // $ENV{HTTP_PROXY} // $proxy);
+my $proxy = chop_dblquot($ENV{http_proxy} // $ENV{HTTP_PROXY} // "");
+$proxy = "" if $proxy eq "";
$proxy =~ s{^https?://}{}i;
my $no_proxy = $ENV{no_proxy} // $ENV{NO_PROXY};
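Review bot: The rewritten initialisation keeps defined-or between the two variables (`$ENV{http_proxy} // $ENV{HTTP_PROXY} // ""`), so an `http_proxy` that is set but empty still shadows a non-empty `HTTP_PROXY`. If the empty-string fix is meant to cover that combination as well, pick the first non-empty value rather than the first defined one, and state the intended precedence in a comment.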
From tomas at openssl.org Tue Sep 14 13:01:36 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Tue, 14 Sep 2021 13:01:36 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631624496.272359.13931.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via 42ea0a86e89d84c2d649b268ebbfb43a9344d33e (commit)
from ad0697696cc3d9f4a588a3b2d48d898619dbe228 (commit)
- Log -----------------------------------------------------------------
commit 42ea0a86e89d84c2d649b268ebbfb43a9344d33e
Author: Dr. David von Oheimb
Date: Mon Sep 13 08:14:58 2021 +0200
80-test_cmp_http.t: Fix handling of empty HTTP proxy string
Fixes #16546
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16593)
(cherry picked from commit 1ed3249f253e4490a813279e2eb253c8e5cfaabb)
-----------------------------------------------------------------------
Summary of changes:
test/recipes/80-test_cmp_http.t | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/recipes/80-test_cmp_http.t b/test/recipes/80-test_cmp_http.t
index 7bd95337e8..92f11e8ac8 100644
--- a/test/recipes/80-test_cmp_http.t
+++ b/test/recipes/80-test_cmp_http.t
@@ -42,8 +42,8 @@ sub chop_dblquot { # chop any leading and trailing '"' (needed for Windows)
return $str;
}
-my $proxy = "";
-$proxy = chop_dblquot($ENV{http_proxy} // $ENV{HTTP_PROXY} // $proxy);
+my $proxy = chop_dblquot($ENV{http_proxy} // $ENV{HTTP_PROXY} // "");
+$proxy = "" if $proxy eq "";
$proxy =~ s{^https?://}{}i;
my $no_proxy = $ENV{no_proxy} // $ENV{NO_PROXY};
From tomas at openssl.org Wed Sep 15 12:08:07 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Wed, 15 Sep 2021 12:08:07 +0000
Subject: [openssl] master update
Message-ID: <1631707687.976217.18845.nullmailer@dev.openssl.org>
The branch master has been updated
via e59bfbaa2dbd680f77e1121e382502bd522a466c (commit)
from 1ed3249f253e4490a813279e2eb253c8e5cfaabb (commit)
- Log -----------------------------------------------------------------
commit e59bfbaa2dbd680f77e1121e382502bd522a466c
Author: Tomas Mraz
Date: Tue Sep 14 09:34:32 2021 +0200
providers: Do not use global EVP_CIPHERs and EVP_MDs
Reviewed-by: Matt Caswell
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16600)
-----------------------------------------------------------------------
Summary of changes:
providers/common/provider_util.c | 21 +++++++++++++++++----
test/evp_kdf_test.c | 13 +++++++++----
2 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/providers/common/provider_util.c b/providers/common/provider_util.c
index 662175c2f3..fcfbab632d 100644
--- a/providers/common/provider_util.c
+++ b/providers/common/provider_util.c
@@ -16,6 +16,7 @@
#include
#ifndef FIPS_MODULE
# include
+# include "crypto/evp.h"
#endif
#include "prov/provider_util.h"
#include "internal/nelem.h"
@@ -90,8 +91,14 @@ int ossl_prov_cipher_load_from_params(PROV_CIPHER *pc,
ERR_set_mark();
pc->cipher = pc->alloc_cipher = EVP_CIPHER_fetch(ctx, p->data, propquery);
#ifndef FIPS_MODULE /* Inside the FIPS module, we don't support legacy ciphers */
- if (pc->cipher == NULL)
- pc->cipher = EVP_get_cipherbyname(p->data);
+ if (pc->cipher == NULL) {
+ const EVP_CIPHER *cipher;
+
+ cipher = EVP_get_cipherbyname(p->data);
+ /* Do not use global EVP_CIPHERs */
+ if (cipher != NULL && cipher->origin != EVP_ORIG_GLOBAL)
+ pc->cipher = cipher;
+ }
#endif
if (pc->cipher != NULL)
ERR_pop_to_mark();
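Review bot: The new check in ossl_prov_cipher_load_from_params reads `cipher->origin` directly, which is why the first hunk has to pull the internal header "crypto/evp.h" into provider code, and the comment `/* Do not use global EVP_CIPHERs */` restates the condition without saying why a global cipher must be refused here. Expand the comment with the reason, and consider a small shared helper for the test, since the digest hunk that follows repeats the same pattern on `md->origin`.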
@@ -159,8 +166,14 @@ int ossl_prov_digest_load_from_params(PROV_DIGEST *pd,
ERR_set_mark();
ossl_prov_digest_fetch(pd, ctx, p->data, propquery);
#ifndef FIPS_MODULE /* Inside the FIPS module, we don't support legacy digests */
- if (pd->md == NULL)
- pd->md = EVP_get_digestbyname(p->data);
+ if (pd->md == NULL) {
+ const EVP_MD *md;
+
+ md = EVP_get_digestbyname(p->data);
+ /* Do not use global EVP_MDs */
+ if (md != NULL && md->origin != EVP_ORIG_GLOBAL)
+ pd->md = md;
+ }
#endif
if (pd->md != NULL)
ERR_pop_to_mark();
diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c
index 4b3df38b5f..145e64fbdb 100644
--- a/test/evp_kdf_test.c
+++ b/test/evp_kdf_test.c
@@ -502,7 +502,8 @@ static int test_kdf_pbkdf1(void)
unsigned int iterations = 4096;
OSSL_LIB_CTX *libctx = NULL;
OSSL_PARAM *params = NULL;
- OSSL_PROVIDER *prov = NULL;
+ OSSL_PROVIDER *legacyprov = NULL;
+ OSSL_PROVIDER *defprov = NULL;
const unsigned char expected[sizeof(out)] = {
0xfb, 0x83, 0x4d, 0x36, 0x6d, 0xbc, 0x53, 0x87, 0x35, 0x1b, 0x34, 0x75,
0x95, 0x88, 0x32, 0x4f, 0x3e, 0x82, 0x81, 0x01, 0x21, 0x93, 0x64, 0x00,
@@ -513,12 +514,15 @@ static int test_kdf_pbkdf1(void)
goto err;
/* PBKDF1 only available in the legacy provider */
- prov = OSSL_PROVIDER_load(libctx, "legacy");
- if (prov == NULL) {
+ legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
+ if (legacyprov == NULL) {
OSSL_LIB_CTX_free(libctx);
return TEST_skip("PBKDF1 only available in legacy provider");
}
+ if (!TEST_ptr(defprov = OSSL_PROVIDER_load(libctx, "default")))
+ goto err;
+
params = construct_pbkdf1_params("passwordPASSWORDpassword", "sha256",
"saltSALTsaltSALTsaltSALTsaltSALTsalt",
&iterations);
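Review bot: The added `OSSL_PROVIDER_load(libctx, "default")` has no comment, while the legacy load just above it does; say why the default provider is now required (presumably to supply the "sha256" digest passed to construct_pbkdf1_params). The test also exercises only the success path: nothing asserts that a digest available solely as a global EVP_MD is now refused, which is the behaviour the provider_util.c change introduces.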
@@ -534,7 +538,8 @@ static int test_kdf_pbkdf1(void)
err:
EVP_KDF_CTX_free(kctx);
OPENSSL_free(params);
- OSSL_PROVIDER_unload(prov);
+ OSSL_PROVIDER_unload(defprov);
+ OSSL_PROVIDER_unload(legacyprov);
OSSL_LIB_CTX_free(libctx);
return ret;
}
From tomas at openssl.org Wed Sep 15 12:08:39 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Wed, 15 Sep 2021 12:08:39 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631707719.093934.19963.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via 3f9c95824593b8d57ac0227591e4c338fc98c5f9 (commit)
from 42ea0a86e89d84c2d649b268ebbfb43a9344d33e (commit)
- Log -----------------------------------------------------------------
commit 3f9c95824593b8d57ac0227591e4c338fc98c5f9
Author: Tomas Mraz
Date: Tue Sep 14 09:34:32 2021 +0200
providers: Do not use global EVP_CIPHERs and EVP_MDs
Reviewed-by: Matt Caswell
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16600)
(cherry picked from commit e59bfbaa2dbd680f77e1121e382502bd522a466c)
-----------------------------------------------------------------------
Summary of changes:
providers/common/provider_util.c | 21 +++++++++++++++++----
test/evp_kdf_test.c | 13 +++++++++----
2 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/providers/common/provider_util.c b/providers/common/provider_util.c
index 662175c2f3..fcfbab632d 100644
--- a/providers/common/provider_util.c
+++ b/providers/common/provider_util.c
@@ -16,6 +16,7 @@
#include
#ifndef FIPS_MODULE
# include
+# include "crypto/evp.h"
#endif
#include "prov/provider_util.h"
#include "internal/nelem.h"
@@ -90,8 +91,14 @@ int ossl_prov_cipher_load_from_params(PROV_CIPHER *pc,
ERR_set_mark();
pc->cipher = pc->alloc_cipher = EVP_CIPHER_fetch(ctx, p->data, propquery);
#ifndef FIPS_MODULE /* Inside the FIPS module, we don't support legacy ciphers */
- if (pc->cipher == NULL)
- pc->cipher = EVP_get_cipherbyname(p->data);
+ if (pc->cipher == NULL) {
+ const EVP_CIPHER *cipher;
+
+ cipher = EVP_get_cipherbyname(p->data);
+ /* Do not use global EVP_CIPHERs */
+ if (cipher != NULL && cipher->origin != EVP_ORIG_GLOBAL)
+ pc->cipher = cipher;
+ }
#endif
if (pc->cipher != NULL)
ERR_pop_to_mark();
@@ -159,8 +166,14 @@ int ossl_prov_digest_load_from_params(PROV_DIGEST *pd,
ERR_set_mark();
ossl_prov_digest_fetch(pd, ctx, p->data, propquery);
#ifndef FIPS_MODULE /* Inside the FIPS module, we don't support legacy digests */
- if (pd->md == NULL)
- pd->md = EVP_get_digestbyname(p->data);
+ if (pd->md == NULL) {
+ const EVP_MD *md;
+
+ md = EVP_get_digestbyname(p->data);
+ /* Do not use global EVP_MDs */
+ if (md != NULL && md->origin != EVP_ORIG_GLOBAL)
+ pd->md = md;
+ }
#endif
if (pd->md != NULL)
ERR_pop_to_mark();
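Review bot: The test "md->origin != EVP_ORIG_GLOBAL" in the digest fallback is a deny-list, so an EVP_MD returned by EVP_get_digestbyname() with any other origin is still stored in pd->md. If only particular origins are meant to pass, test for them positively; otherwise extend the comment to say which origins are expected to reach "pd->md = md;".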
diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c
index 4b3df38b5f..145e64fbdb 100644
--- a/test/evp_kdf_test.c
+++ b/test/evp_kdf_test.c
@@ -502,7 +502,8 @@ static int test_kdf_pbkdf1(void)
unsigned int iterations = 4096;
OSSL_LIB_CTX *libctx = NULL;
OSSL_PARAM *params = NULL;
- OSSL_PROVIDER *prov = NULL;
+ OSSL_PROVIDER *legacyprov = NULL;
+ OSSL_PROVIDER *defprov = NULL;
const unsigned char expected[sizeof(out)] = {
0xfb, 0x83, 0x4d, 0x36, 0x6d, 0xbc, 0x53, 0x87, 0x35, 0x1b, 0x34, 0x75,
0x95, 0x88, 0x32, 0x4f, 0x3e, 0x82, 0x81, 0x01, 0x21, 0x93, 0x64, 0x00,
@@ -513,12 +514,15 @@ static int test_kdf_pbkdf1(void)
goto err;
/* PBKDF1 only available in the legacy provider */
- prov = OSSL_PROVIDER_load(libctx, "legacy");
- if (prov == NULL) {
+ legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
+ if (legacyprov == NULL) {
OSSL_LIB_CTX_free(libctx);
return TEST_skip("PBKDF1 only available in legacy provider");
}
+ if (!TEST_ptr(defprov = OSSL_PROVIDER_load(libctx, "default")))
+ goto err;
+
params = construct_pbkdf1_params("passwordPASSWORDpassword", "sha256",
"saltSALTsaltSALTsaltSALTsaltSALTsalt",
&iterations);
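Review bot: The added OSSL_PROVIDER_load(libctx, "default") call carries no comment, while the legacy load just above it explains itself with "PBKDF1 only available in the legacy provider". Add a line saying why the default provider is now required (presumably because the "sha256" digest passed to construct_pbkdf1_params() must come from a provider loaded in this libctx), otherwise the load looks removable. The two failure paths also differ: a missing legacy provider skips the test, a missing default provider fails it through "goto err"; if that is intended, say so.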
@@ -534,7 +538,8 @@ static int test_kdf_pbkdf1(void)
err:
EVP_KDF_CTX_free(kctx);
OPENSSL_free(params);
- OSSL_PROVIDER_unload(prov);
+ OSSL_PROVIDER_unload(defprov);
+ OSSL_PROVIDER_unload(legacyprov);
OSSL_LIB_CTX_free(libctx);
return ret;
}
From dev at ddvo.net Fri Sep 17 08:03:18 2021
From: dev at ddvo.net (dev at ddvo.net)
Date: Fri, 17 Sep 2021 08:03:18 +0000
Subject: [openssl] master update
Message-ID: <1631865798.833682.25098.nullmailer@dev.openssl.org>
The branch master has been updated
via 39a8d4e13219580c8c89a234d6db5d261408cadb (commit)
from e59bfbaa2dbd680f77e1121e382502bd522a466c (commit)
- Log -----------------------------------------------------------------
commit 39a8d4e13219580c8c89a234d6db5d261408cadb
Author: Dr. David von Oheimb
Date: Sat Sep 11 23:08:13 2021 +0200
APPS/cmp.c: Move warning on overlong section name to make it effective again
Fixes #16585
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16586)
-----------------------------------------------------------------------
Summary of changes:
apps/cmp.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index 74c8cd71f1..170ac816f2 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -2001,14 +2001,14 @@ static const char *prev_item(const char *opt, const char *end)
while (beg != opt && beg[-1] != ',' && !isspace(beg[-1]))
beg--;
len = end - beg;
- if (len > SECTION_NAME_MAX)
+ if (len > SECTION_NAME_MAX) {
+ CMP_warn2("using only first %d characters of section name starting with \"%s\"",
+ SECTION_NAME_MAX, opt_item);
len = SECTION_NAME_MAX;
+ }
strncpy(opt_item, beg, len);
opt_item[SECTION_NAME_MAX] = '\0'; /* avoid gcc v8 O3 stringop-truncation */
opt_item[len] = '\0';
- if (len > SECTION_NAME_MAX)
- CMP_warn2("using only first %d characters of section name starting with \"%s\"",
- SECTION_NAME_MAX, opt_item);
while (beg != opt && (beg[-1] == ',' || isspace(beg[-1])))
beg--;
return beg;
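Review bot: In the moved block, CMP_warn2() now runs before "strncpy(opt_item, beg, len);", so the %s argument opt_item is printed before this call has written the current item into it; the warning shows whatever the buffer held before, not the overlong section name. Either leave the warning after the copy and test the untruncated length kept in a separate variable, or print from beg with a bounded precision such as "%.*s", which needs one more argument than CMP_warn2() passes.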
From tomas at openssl.org Fri Sep 17 11:15:01 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Fri, 17 Sep 2021 11:15:01 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631877301.093203.10406.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via d656a086ef61581cae10a0f33322e6910232aa01 (commit)
from 3f9c95824593b8d57ac0227591e4c338fc98c5f9 (commit)
- Log -----------------------------------------------------------------
commit d656a086ef61581cae10a0f33322e6910232aa01
Author: Dr. David von Oheimb
Date: Sat Sep 11 23:08:13 2021 +0200
APPS/cmp.c: Move warning on overlong section name to make it effective again
Fixes #16585
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16586)
(cherry picked from commit 39a8d4e13219580c8c89a234d6db5d261408cadb)
-----------------------------------------------------------------------
Summary of changes:
apps/cmp.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index 74c8cd71f1..170ac816f2 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -2001,14 +2001,14 @@ static const char *prev_item(const char *opt, const char *end)
while (beg != opt && beg[-1] != ',' && !isspace(beg[-1]))
beg--;
len = end - beg;
- if (len > SECTION_NAME_MAX)
+ if (len > SECTION_NAME_MAX) {
+ CMP_warn2("using only first %d characters of section name starting with \"%s\"",
+ SECTION_NAME_MAX, opt_item);
len = SECTION_NAME_MAX;
+ }
strncpy(opt_item, beg, len);
opt_item[SECTION_NAME_MAX] = '\0'; /* avoid gcc v8 O3 stringop-truncation */
opt_item[len] = '\0';
- if (len > SECTION_NAME_MAX)
- CMP_warn2("using only first %d characters of section name starting with \"%s\"",
- SECTION_NAME_MAX, opt_item);
while (beg != opt && (beg[-1] == ',' || isspace(beg[-1])))
beg--;
return beg;
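Review bot: This backport takes the "+" lines unchanged, including the call order: opt_item is handed to CMP_warn2() two statements before "strncpy(opt_item, beg, len);" fills it, so on the release branch the warning text depends on the buffer's earlier contents. The warning should read from beg (length-limited) or be issued after the copy, using a saved copy of the original len for the comparison.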
From no-reply at appveyor.com Fri Sep 17 11:16:13 2021
From: no-reply at appveyor.com (AppVeyor)
Date: Fri, 17 Sep 2021 11:16:13 +0000
Subject: Build failed: openssl openssl-3.0.42737
Message-ID: <20210917111613.1.A88A7CB834B566D9@appveyor.com>
From tomas at openssl.org Fri Sep 17 12:33:44 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Fri, 17 Sep 2021 12:33:44 +0000
Subject: [openssl] master update
Message-ID: <1631882024.894629.28752.nullmailer@dev.openssl.org>
The branch master has been updated
via 9e51f877930dbd4216438a5da3c9612bf4d0a918 (commit)
via 4603b782e6dbed493d2f38db111abc05df66fb99 (commit)
from 39a8d4e13219580c8c89a234d6db5d261408cadb (commit)
- Log -----------------------------------------------------------------
commit 9e51f877930dbd4216438a5da3c9612bf4d0a918
Author: Matt Caswell
Date: Sat Sep 11 10:02:21 2021 +0100
Clarify what SSL_get_session() does on the server side in TLSv1.3
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16582)
commit 4603b782e6dbed493d2f38db111abc05df66fb99
Author: Matt Caswell
Date: Sat Sep 11 09:58:52 2021 +0100
Correct the documentation for SSL_set_num_tickets()
The behaviour for what happens in a resumption connection was not quite
described correctly.
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16582)
-----------------------------------------------------------------------
Summary of changes:
doc/man3/SSL_CTX_set_num_tickets.pod | 8 ++++----
doc/man3/SSL_get_session.pod | 7 +++++--
2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/doc/man3/SSL_CTX_set_num_tickets.pod b/doc/man3/SSL_CTX_set_num_tickets.pod
index c06583304f..95ed719df7 100644
--- a/doc/man3/SSL_CTX_set_num_tickets.pod
+++ b/doc/man3/SSL_CTX_set_num_tickets.pod
@@ -27,10 +27,10 @@ the client after a full handshake. Set the desired value (which could be 0) in
the B argument. Typically these functions should be called before
the start of the handshake.
-The default number of tickets is 2; the default number of tickets sent following
-a resumption handshake is 1 but this cannot be changed using these functions.
-The number of tickets following a resumption handshake can be reduced to 0 using
-custom session ticket callbacks (see L).
+The default number of tickets is 2. Following a resumption the number of tickets
+issued will never be more than 1 regardless of the value set via
+SSL_set_num_tickets() or SSL_CTX_set_num_tickets(). If B is set to
+0 then no tickets will be issued for either a normal connection or a resumption.
Tickets are also issued on receipt of a post-handshake certificate from the
client following a request by the server using
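Review bot: The rewritten paragraph drops the sentence that pointed to custom session ticket callbacks as the way to reduce the ticket count after a resumption to 0, and nothing replaces that cross-reference. If the callbacks can still be used for this, keep the pointer next to the new text; if they cannot, the commit message should say that the reference was removed on purpose.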
diff --git a/doc/man3/SSL_get_session.pod b/doc/man3/SSL_get_session.pod
index 967ccea564..6631bdf324 100644
--- a/doc/man3/SSL_get_session.pod
+++ b/doc/man3/SSL_get_session.pod
@@ -37,8 +37,11 @@ L for information on how to determine whether an
SSL_SESSION object can be used for resumption or not.
Additionally, in TLSv1.3, a server can send multiple messages that establish a
-session for a single connection. In that case the above functions will only
-return information on the last session that was received.
+session for a single connection. In that case, on the client side, the above
+functions will only return information on the last session that was received. On
+the server side they will only return information on the last session that was
+sent, or if no session tickets were sent then the session for the current
+connection.
The preferred way for applications to obtain a resumable SSL_SESSION object is
to use a new session callback as described in L.
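Review bot: The added server-side clause "or if no session tickets were sent then the session for the current connection" does not say whether it covers the time before the tickets have gone out or only the case where none are issued at all, so a reader cannot tell what a call made early in the connection returns. Please state the timing explicitly, and consider giving the client and server cases one sentence each.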
From tomas at openssl.org Fri Sep 17 12:34:08 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Fri, 17 Sep 2021 12:34:08 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631882048.772308.30083.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via 2221e7eebab7af085a7235547585da1cbd798350 (commit)
from d656a086ef61581cae10a0f33322e6910232aa01 (commit)
- Log -----------------------------------------------------------------
commit 2221e7eebab7af085a7235547585da1cbd798350
Author: Matt Caswell
Date: Sat Sep 11 10:02:21 2021 +0100
Clarify what SSL_get_session() does on the server side in TLSv1.3
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16582)
(cherry picked from commit 9e51f877930dbd4216438a5da3c9612bf4d0a918)
-----------------------------------------------------------------------
Summary of changes:
doc/man3/SSL_get_session.pod | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/doc/man3/SSL_get_session.pod b/doc/man3/SSL_get_session.pod
index 967ccea564..6631bdf324 100644
--- a/doc/man3/SSL_get_session.pod
+++ b/doc/man3/SSL_get_session.pod
@@ -37,8 +37,11 @@ L for information on how to determine whether an
SSL_SESSION object can be used for resumption or not.
Additionally, in TLSv1.3, a server can send multiple messages that establish a
-session for a single connection. In that case the above functions will only
-return information on the last session that was received.
+session for a single connection. In that case, on the client side, the above
+functions will only return information on the last session that was received. On
+the server side they will only return information on the last session that was
+sent, or if no session tickets were sent then the session for the current
+connection.
The preferred way for applications to obtain a resumable SSL_SESSION object is
to use a new session callback as described in L.
From tomas at openssl.org Fri Sep 17 12:34:21 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Fri, 17 Sep 2021 12:34:21 +0000
Subject: [openssl] OpenSSL_1_1_1-stable update
Message-ID: <1631882061.618801.31212.nullmailer@dev.openssl.org>
The branch OpenSSL_1_1_1-stable has been updated
via 97a1fb5106fdb2b3dc3bbe84d0892db40e50c45f (commit)
from 2f3b120401533db82e99ed28de5fc8aab1b76b33 (commit)
- Log -----------------------------------------------------------------
commit 97a1fb5106fdb2b3dc3bbe84d0892db40e50c45f
Author: Matt Caswell
Date: Sat Sep 11 10:02:21 2021 +0100
Clarify what SSL_get_session() does on the server side in TLSv1.3
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16582)
(cherry picked from commit 9e51f877930dbd4216438a5da3c9612bf4d0a918)
-----------------------------------------------------------------------
Summary of changes:
doc/man3/SSL_get_session.pod | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/doc/man3/SSL_get_session.pod b/doc/man3/SSL_get_session.pod
index 7c04570635..4d8527aecf 100644
--- a/doc/man3/SSL_get_session.pod
+++ b/doc/man3/SSL_get_session.pod
@@ -37,8 +37,11 @@ L for information on how to determine whether an
SSL_SESSION object can be used for resumption or not.
Additionally, in TLSv1.3, a server can send multiple messages that establish a
-session for a single connection. In that case the above functions will only
-return information on the last session that was received.
+session for a single connection. In that case, on the client side, the above
+functions will only return information on the last session that was received. On
+the server side they will only return information on the last session that was
+sent, or if no session tickets were sent then the session for the current
+connection.
The preferred way for applications to obtain a resumable SSL_SESSION object is
to use a new session callback as described in L.
From tomas at openssl.org Fri Sep 17 12:35:16 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Fri, 17 Sep 2021 12:35:16 +0000
Subject: [openssl] OpenSSL_1_1_1-stable update
Message-ID: <1631882116.008647.834.nullmailer@dev.openssl.org>
The branch OpenSSL_1_1_1-stable has been updated
via 5402f96aba9dd3d0b3006b8b2651bd27d3cbf326 (commit)
from 97a1fb5106fdb2b3dc3bbe84d0892db40e50c45f (commit)
- Log -----------------------------------------------------------------
commit 5402f96aba9dd3d0b3006b8b2651bd27d3cbf326
Author: Matt Caswell
Date: Sat Sep 11 09:58:52 2021 +0100
Correct the documentation for SSL_set_num_tickets()
The behaviour for what happens in a resumption connection was not quite
described correctly.
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16582)
(cherry picked from commit 4603b782e6dbed493d2f38db111abc05df66fb99)
-----------------------------------------------------------------------
Summary of changes:
doc/man3/SSL_CTX_set_num_tickets.pod | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/doc/man3/SSL_CTX_set_num_tickets.pod b/doc/man3/SSL_CTX_set_num_tickets.pod
index ad13ed15f4..2224b35c30 100644
--- a/doc/man3/SSL_CTX_set_num_tickets.pod
+++ b/doc/man3/SSL_CTX_set_num_tickets.pod
@@ -25,10 +25,10 @@ the client after a full handshake. Set the desired value (which could be 0) in
the B argument. Typically these functions should be called before
the start of the handshake.
-The default number of tickets is 2; the default number of tickets sent following
-a resumption handshake is 1 but this cannot be changed using these functions.
-The number of tickets following a resumption handshake can be reduced to 0 using
-custom session ticket callbacks (see L).
+The default number of tickets is 2. Following a resumption the number of tickets
+issued will never be more than 1 regardless of the value set via
+SSL_set_num_tickets() or SSL_CTX_set_num_tickets(). If B is set to
+0 then no tickets will be issued for either a normal connection or a resumption.
Tickets are also issued on receipt of a post-handshake certificate from the
client following a request by the server using
From tomas at openssl.org Fri Sep 17 12:35:26 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Fri, 17 Sep 2021 12:35:26 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631882126.828418.2205.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via 119983124f996c8159e8fd816e84e41edfcda700 (commit)
from 2221e7eebab7af085a7235547585da1cbd798350 (commit)
- Log -----------------------------------------------------------------
commit 119983124f996c8159e8fd816e84e41edfcda700
Author: Matt Caswell
Date: Sat Sep 11 09:58:52 2021 +0100
Correct the documentation for SSL_set_num_tickets()
The behaviour for what happens in a resumption connection was not quite
described correctly.
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16582)
(cherry picked from commit 4603b782e6dbed493d2f38db111abc05df66fb99)
-----------------------------------------------------------------------
Summary of changes:
doc/man3/SSL_CTX_set_num_tickets.pod | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/doc/man3/SSL_CTX_set_num_tickets.pod b/doc/man3/SSL_CTX_set_num_tickets.pod
index c06583304f..95ed719df7 100644
--- a/doc/man3/SSL_CTX_set_num_tickets.pod
+++ b/doc/man3/SSL_CTX_set_num_tickets.pod
@@ -27,10 +27,10 @@ the client after a full handshake. Set the desired value (which could be 0) in
the B argument. Typically these functions should be called before
the start of the handshake.
-The default number of tickets is 2; the default number of tickets sent following
-a resumption handshake is 1 but this cannot be changed using these functions.
-The number of tickets following a resumption handshake can be reduced to 0 using
-custom session ticket callbacks (see L).
+The default number of tickets is 2. Following a resumption the number of tickets
+issued will never be more than 1 regardless of the value set via
+SSL_set_num_tickets() or SSL_CTX_set_num_tickets(). If B is set to
+0 then no tickets will be issued for either a normal connection or a resumption.
Tickets are also issued on receipt of a post-handshake certificate from the
client following a request by the server using
From tomas at openssl.org Fri Sep 17 12:49:38 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Fri, 17 Sep 2021 12:49:38 +0000
Subject: [openssl] master update
Message-ID: <1631882978.694448.16683.nullmailer@dev.openssl.org>
The branch master has been updated
via a7f58bdc1abe245dd09790e8f97d91df271578f4 (commit)
from 9e51f877930dbd4216438a5da3c9612bf4d0a918 (commit)
- Log -----------------------------------------------------------------
commit a7f58bdc1abe245dd09790e8f97d91df271578f4
Author: Bernd Edlinger
Date: Sun Aug 22 21:28:51 2021 +0200
Fix the parameter type of gf_serialize
It is better to use array bounds for improved
gcc warning checks.
While "uint8_t*" allows arbitrary pointer arithmetic
using "uint8_t[SER_BYTES]" limits the pointer arithmetic
to the range 0..SER_BYTES.
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16376)
-----------------------------------------------------------------------
Summary of changes:
crypto/ec/curve448/f_generic.c | 2 +-
crypto/ec/curve448/field.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/ec/curve448/f_generic.c b/crypto/ec/curve448/f_generic.c
index 4c571810d3..7bb7df6b60 100644
--- a/crypto/ec/curve448/f_generic.c
+++ b/crypto/ec/curve448/f_generic.c
@@ -18,7 +18,7 @@ static const gf MODULUS = {
};
/* Serialize to wire format. */
-void gf_serialize(uint8_t *serial, const gf x, int with_hibit)
+void gf_serialize(uint8_t serial[SER_BYTES], const gf x, int with_hibit)
{
unsigned int j = 0, fill = 0;
dword_t buffer = 0;
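Review bot: The comment above the changed signature still says only "Serialize to wire format." Since the purpose of "uint8_t serial[SER_BYTES]" is to express the buffer size, document there that serial must point to at least SER_BYTES writable bytes. An array bound on a parameter helps compiler diagnostics but the parameter is still a pointer, so a caller passing a shorter buffer is not rejected.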
diff --git a/crypto/ec/curve448/field.h b/crypto/ec/curve448/field.h
index e1c6333789..0350322553 100644
--- a/crypto/ec/curve448/field.h
+++ b/crypto/ec/curve448/field.h
@@ -62,7 +62,7 @@ mask_t gf_eq(const gf x, const gf y);
mask_t gf_lobit(const gf x);
mask_t gf_hibit(const gf x);
-void gf_serialize(uint8_t *serial, const gf x, int with_highbit);
+void gf_serialize(uint8_t serial[SER_BYTES], const gf x, int with_highbit);
mask_t gf_deserialize(gf x, const uint8_t serial[SER_BYTES], int with_hibit,
uint8_t hi_nmask);
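Review bot: The prototype changed here keeps the parameter name with_highbit, while the definition in f_generic.c and the gf_deserialize() prototype directly below both use with_hibit. As the line is being edited anyway, rename the parameter so that declaration and definition agree.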
From no-reply at appveyor.com Fri Sep 17 13:00:52 2021
From: no-reply at appveyor.com (AppVeyor)
Date: Fri, 17 Sep 2021 13:00:52 +0000
Subject: Build completed: openssl openssl-3.0.42738
Message-ID: <20210917130052.1.3606069DC7C995C3@appveyor.com>
From levitte at openssl.org Sat Sep 18 06:13:41 2021
From: levitte at openssl.org (Richard Levitte)
Date: Sat, 18 Sep 2021 06:13:41 +0000
Subject: [openssl] master update
Message-ID: <1631945621.444330.26393.nullmailer@dev.openssl.org>
The branch master has been updated
via bfbb62c3b0a8f8d223f84ebf7507594cee99f135 (commit)
from a7f58bdc1abe245dd09790e8f97d91df271578f4 (commit)
- Log -----------------------------------------------------------------
commit bfbb62c3b0a8f8d223f84ebf7507594cee99f135
Author: Richard Levitte
Date: Wed Sep 15 09:11:41 2021 +0200
Configurations/platform/Unix.pm: account for variants in sharedlib_simple()
OpenSSL 1.1.1 links the simple libcrypto.so to libcrypto_variant.so,
this was inadvertently dropped.
Fixes #16605
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16608)
-----------------------------------------------------------------------
Summary of changes:
Configurations/platform/Unix.pm | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/Configurations/platform/Unix.pm b/Configurations/platform/Unix.pm
index c7d7d9eb80..8db0ed912e 100644
--- a/Configurations/platform/Unix.pm
+++ b/Configurations/platform/Unix.pm
@@ -63,9 +63,21 @@ sub sharedname_simple {
}
sub sharedlib_simple {
- return undef if $_[0]->shlibext() eq $_[0]->shlibextsimple();
- return platform::BASE::__concat($_[0]->sharedname_simple($_[1]),
- $_[0]->shlibextsimple());
+ # This function returns the simplified shared library name (no version
+ # or variant in the shared library file name) if the simple variants of
+ # the base name or the suffix differ from the full variants of the same.
+
+ # Note: if $_[1] isn't a shared library name, then $_[0]->sharedname()
+ # and $_[0]->sharedname_simple() will return undef. This needs being
+ # accounted for.
+ my $name = $_[0]->sharedname($_[1]);
+ my $simplename = $_[0]->sharedname_simple($_[1]);
+ my $ext = $_[0]->shlibext();
+ my $simpleext = $_[0]->shlibextsimple();
+
+ return undef unless defined $simplename && defined $name;
+ return undef if ($name eq $simplename && $ext eq $simpleext);
+ return platform::BASE::__concat($simplename, $simpleext);
}
sub sharedlib_import {
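Review bot: In the new comment block, "This needs being accounted for" should read "This needs to be accounted for", and the note would be easier to follow directly above "return undef unless defined $simplename && defined $name;", the line it explains. That guard covers $name and $simplename only; if shlibext() or shlibextsimple() can return undef on some platform, "$ext eq $simpleext" will warn, so either guard those as well or say in the comment that they are always defined.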
From levitte at openssl.org Sat Sep 18 06:14:53 2021
From: levitte at openssl.org (Richard Levitte)
Date: Sat, 18 Sep 2021 06:14:53 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1631945693.225229.28359.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via 814271efcc6e77fefabd616fab381fd168e2bd15 (commit)
from 119983124f996c8159e8fd816e84e41edfcda700 (commit)
- Log -----------------------------------------------------------------
commit 814271efcc6e77fefabd616fab381fd168e2bd15
Author: Richard Levitte
Date: Wed Sep 15 09:11:41 2021 +0200
Configurations/platform/Unix.pm: account for variants in sharedlib_simple()
OpenSSL 1.1.1 links the simple libcrypto.so to libcrypto_variant.so,
this was inadvertently dropped.
Fixes #16605
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16608)
(cherry picked from commit bfbb62c3b0a8f8d223f84ebf7507594cee99f135)
-----------------------------------------------------------------------
Summary of changes:
Configurations/platform/Unix.pm | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/Configurations/platform/Unix.pm b/Configurations/platform/Unix.pm
index c7d7d9eb80..8db0ed912e 100644
--- a/Configurations/platform/Unix.pm
+++ b/Configurations/platform/Unix.pm
@@ -63,9 +63,21 @@ sub sharedname_simple {
}
sub sharedlib_simple {
- return undef if $_[0]->shlibext() eq $_[0]->shlibextsimple();
- return platform::BASE::__concat($_[0]->sharedname_simple($_[1]),
- $_[0]->shlibextsimple());
+ # This function returns the simplified shared library name (no version
+ # or variant in the shared library file name) if the simple variants of
+ # the base name or the suffix differ from the full variants of the same.
+
+ # Note: if $_[1] isn't a shared library name, then $_[0]->sharedname()
+ # and $_[0]->sharedname_simple() will return undef. This needs being
+ # accounted for.
+ my $name = $_[0]->sharedname($_[1]);
+ my $simplename = $_[0]->sharedname_simple($_[1]);
+ my $ext = $_[0]->shlibext();
+ my $simpleext = $_[0]->shlibextsimple();
+
+ return undef unless defined $simplename && defined $name;
+ return undef if ($name eq $simplename && $ext eq $simpleext);
+ return platform::BASE::__concat($simplename, $simpleext);
}
sub sharedlib_import {
From pauli at openssl.org Sat Sep 18 21:40:19 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Sat, 18 Sep 2021 21:40:19 +0000
Subject: [openssl] master update
Message-ID: <1632001219.358087.8187.nullmailer@dev.openssl.org>
The branch master has been updated
via e396c114eb7233e24ba6a920606cfdd6bc6cff7c (commit)
via e2ef7f1265e727567e8963aa2756a387a621ef71 (commit)
from bfbb62c3b0a8f8d223f84ebf7507594cee99f135 (commit)
- Log -----------------------------------------------------------------
commit e396c114eb7233e24ba6a920606cfdd6bc6cff7c
Author: Tianjia Zhang
Date: Wed Sep 15 11:00:50 2021 +0800
apps/s_client: Add ktls option
From openssl-3.0.0-alpha15, KTLS is turned off by default, even if
KTLS feature in compilation, which makes it difficult to use KTLS
through s_server/s_client, so a parameter option 'ktls' is added
to enable KTLS through cmdline.
Signed-off-by: Tianjia Zhang
Reviewed-by: Paul Yang
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16609)
commit e2ef7f1265e727567e8963aa2756a387a621ef71
Author: Tianjia Zhang
Date: Wed Sep 15 11:39:51 2021 +0800
apps/s_server: Add ktls option
From openssl-3.0.0-alpha15, KTLS is turned off by default, even if
KTLS feature in compilation, which makes it difficult to use KTLS
through s_server/s_client, so a parameter option 'ktls' is added
to enable KTLS through cmdline.
At the same time, SSL_sendfile() depends on KTLS feature to work
properly, make parameters sendfile depend on parameters ktls.
Signed-off-by: Tianjia Zhang
Reviewed-by: Paul Yang
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16609)
-----------------------------------------------------------------------
Summary of changes:
apps/s_client.c | 16 ++++++++++++++++
apps/s_server.c | 20 +++++++++++++++++++-
doc/man1/openssl-s_client.pod.in | 7 +++++++
doc/man1/openssl-s_server.pod.in | 10 +++++++++-
4 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/apps/s_client.c b/apps/s_client.c
index 3b9be0e8c2..6ccb7a42d0 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -467,6 +467,7 @@ typedef enum OPTION_choice {
OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME,
OPT_ENABLE_PHA,
OPT_SCTP_LABEL_BUG,
+ OPT_KTLS,
OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;
@@ -664,6 +665,9 @@ const OPTIONS s_client_options[] = {
{"srp_strength", OPT_SRP_STRENGTH, 'p',
"(deprecated) Minimal length in bits for N"},
#endif
+#ifndef OPENSSL_NO_KTLS
+ {"ktls", OPT_KTLS, '-', "Enable Kernel TLS for sending and receiving"},
+#endif
OPT_R_OPTIONS,
OPT_S_OPTIONS,
@@ -888,6 +892,9 @@ int s_client_main(int argc, char **argv)
int sctp_label_bug = 0;
#endif
int ignore_unexpected_eof = 0;
+#ifndef OPENSSL_NO_KTLS
+ int enable_ktls = 0;
+#endif
FD_ZERO(&readfds);
FD_ZERO(&writefds);
@@ -1457,6 +1464,11 @@ int s_client_main(int argc, char **argv)
case OPT_ENABLE_PHA:
enable_pha = 1;
break;
+ case OPT_KTLS:
+#ifndef OPENSSL_NO_KTLS
+ enable_ktls = 1;
+#endif
+ break;
}
}
@@ -1700,6 +1712,10 @@ int s_client_main(int argc, char **argv)
if (ignore_unexpected_eof)
SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
+#ifndef OPENSSL_NO_KTLS
+ if (enable_ktls)
+ SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS);
+#endif
if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) {
BIO_printf(bio_err, "Error setting verify params\n");
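Review bot: After "SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS);" nothing in this change reports whether the connection actually ended up using kernel TLS. For a diagnostic tool, a line in the connection output saying whether KTLS is active for sending and for receiving would let the user confirm that -ktls had an effect.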
diff --git a/apps/s_server.c b/apps/s_server.c
index c5d9221e90..9f448298f0 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -716,7 +716,7 @@ typedef enum OPTION_choice {
OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA,
OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, OPT_SCTP_LABEL_BUG,
- OPT_HTTP_SERVER_BINMODE, OPT_NOCANAMES, OPT_IGNORE_UNEXPECTED_EOF,
+ OPT_HTTP_SERVER_BINMODE, OPT_NOCANAMES, OPT_IGNORE_UNEXPECTED_EOF, OPT_KTLS,
OPT_R_ENUM,
OPT_S_ENUM,
OPT_V_ENUM,
@@ -958,6 +958,7 @@ const OPTIONS s_server_options[] = {
{"alpn", OPT_ALPN, 's',
"Set the advertised protocols for the ALPN extension (comma-separated list)"},
#ifndef OPENSSL_NO_KTLS
+ {"ktls", OPT_KTLS, '-', "Enable Kernel TLS for sending and receiving"},
{"sendfile", OPT_SENDFILE, '-', "Use sendfile to response file with -WWW"},
#endif
@@ -1053,6 +1054,9 @@ int s_server_main(int argc, char *argv[])
int sctp_label_bug = 0;
#endif
int ignore_unexpected_eof = 0;
+#ifndef OPENSSL_NO_KTLS
+ int enable_ktls = 0;
+#endif
/* Init of few remaining global variables */
local_argc = argc;
@@ -1627,6 +1631,11 @@ int s_server_main(int argc, char *argv[])
case OPT_NOCANAMES:
no_ca_names = 1;
break;
+ case OPT_KTLS:
+#ifndef OPENSSL_NO_KTLS
+ enable_ktls = 1;
+#endif
+ break;
case OPT_SENDFILE:
#ifndef OPENSSL_NO_KTLS
use_sendfile = 1;
@@ -1694,6 +1703,11 @@ int s_server_main(int argc, char *argv[])
#endif
#ifndef OPENSSL_NO_KTLS
+ if (use_sendfile && enable_ktls == 0) {
+ BIO_printf(bio_out, "Warning: -sendfile depends on -ktls, enabling -ktls now.\n");
+ enable_ktls = 1;
+ }
+
if (use_sendfile && www <= 1) {
BIO_printf(bio_err, "Can't use -sendfile without -WWW or -HTTP\n");
goto end;
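Review bot: The new "use_sendfile && enable_ktls == 0" block prints its warning with BIO_printf(bio_out, ...), while the diagnostic right below it uses bio_err; the warning should go to bio_err too. The block also runs before the "use_sendfile && www <= 1" check, so an invocation that is about to be rejected first announces that it is enabling -ktls. Moving the block after that check avoids the misleading message.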
@@ -1883,6 +1897,10 @@ int s_server_main(int argc, char *argv[])
if (ignore_unexpected_eof)
SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
+#ifndef OPENSSL_NO_KTLS
+ if (enable_ktls)
+ SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS);
+#endif
if (max_send_fragment > 0
&& !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)) {
diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in
index 6328cd07d9..709bc49375 100644
--- a/doc/man1/openssl-s_client.pod.in
+++ b/doc/man1/openssl-s_client.pod.in
@@ -116,6 +116,7 @@ B B
[B<-srp_lateuser>]
[B<-srp_moregroups>]
[B<-srp_strength> I]
+[B<-ktls>]
{- $OpenSSL::safe::opt_name_synopsis -}
{- $OpenSSL::safe::opt_version_synopsis -}
{- $OpenSSL::safe::opt_x_synopsis -}
@@ -765,6 +766,12 @@ Tolerate other than the known B and B values.
Set the minimal acceptable length, in bits, for B. This option is
deprecated.
+=item B<-ktls>
+
+Enable Kernel TLS for sending and receiving.
+This option was introduced in OpenSSL 3.1.0.
+Kernel TLS is off by default as of OpenSSL 3.1.0.
+
{- $OpenSSL::safe::opt_version_item -}
{- $OpenSSL::safe::opt_name_item -}
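Review bot: The added sentence "Kernel TLS is off by default as of OpenSSL 3.1.0" disagrees with the commit message, which says KTLS has been off by default from openssl-3.0.0-alpha15. Please correct the version in the statement about the default, and consider moving "This option was introduced in OpenSSL 3.1.0" into a HISTORY section, if the page has one, rather than the option description.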
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in
index 115eceb0e3..c461a0cd73 100644
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@@ -128,6 +128,7 @@ B B
[B<-no_dhe>]
[B<-nextprotoneg> I]
[B<-alpn> I]
+[B<-ktls>]
[B<-sendfile>]
[B<-keylogfile> I]
[B<-recv_max_early_data> I]
@@ -762,11 +763,18 @@ Protocol names are printable ASCII strings, for example "http/1.1" or
"spdy/3".
The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
+=item B<-ktls>
+
+Enable Kernel TLS for sending and receiving.
+This option was introduced in OpenSSL 3.1.0.
+Kernel TLS is off by default as of OpenSSL 3.1.0.
+
=item B<-sendfile>
If this option is set and KTLS is enabled, SSL_sendfile() will be used
instead of BIO_write() to send the HTTP response requested by a client.
-This option is only valid if B<-WWW> or B<-HTTP> is specified.
+This option is only valid when B<-ktls> along with B<-WWW> or B<-HTTP>
+are specified.
=item B<-keylogfile> I
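Review bot: The reworded -sendfile text says the option "is only valid when B<-ktls> along with B<-WWW> or B<-HTTP> are specified", but the s_server.c part of this commit does not reject -sendfile without -ktls: it prints "Warning: -sendfile depends on -ktls, enabling -ktls now." and carries on. Document the actual behaviour (that -sendfile implies -ktls), or make the code fail as the text describes.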
From tomas at openssl.org Mon Sep 20 07:32:25 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Mon, 20 Sep 2021 07:32:25 +0000
Subject: [openssl] master update
Message-ID: <1632123145.180269.5463.nullmailer@dev.openssl.org>
The branch master has been updated
via 8d257d0dc6ed9d5aeb8366de6be0af01538557ea (commit)
from e396c114eb7233e24ba6a920606cfdd6bc6cff7c (commit)
- Log -----------------------------------------------------------------
commit 8d257d0dc6ed9d5aeb8366de6be0af01538557ea
Author: slontis
Date: Tue Aug 31 10:59:20 2021 +1000
Document that the openssl fipsinstall self test callback may not be used.
Fixes #16260
If the user autoloads a fips module from a config file, then it will run the self tests early (before the self test callback is set),
and they may not get triggered again during the fipsinstall process.
In order for this to happen there must already be a valid fips config file.
As the main purpose of the application is to generate the fips config file, this case has just been documented.
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16475)
-----------------------------------------------------------------------
Summary of changes:
doc/man1/openssl-fipsinstall.pod.in | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
index d79e237dba..97e2ae910c 100644
--- a/doc/man1/openssl-fipsinstall.pod.in
+++ b/doc/man1/openssl-fipsinstall.pod.in
@@ -197,6 +197,18 @@ All other options are ignored if '-config' is used.
=back
+=head1 NOTES
+
+Self tests results are logged by default if the options B<-quiet> and B<-noout>
+are not specified, or if either of the options B<-corrupt_desc> or
+B<-corrupt_type> are used.
+If the base configuration file is set up to autoload the fips module, then the
+fips module will be loaded and self tested BEFORE the fipsinstall application
+has a chance to set up its own self test callback. As a result of this the self
+test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored.
+For normal usage the base configuration file should use the default provider
+when generating the fips configuration file.
+
=head1 EXAMPLES
Calculate the mac of a FIPS module F and run a FIPS self test
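Review bot: The NOTES text says B<-corrupt_desc> and B<-corrupt_type> "will be ignored" when the base configuration file autoloads the fips module, but it does not tell the reader how to recognise that this has happened, so a run intended to exercise a self test failure could be misread as a pass. The note should say what the user will observe in that case, and the closing sentence should spell out what "use the default provider" means for the base configuration file. Wording: "Self tests results" should be "Self test results", and "either of the options ... are used" should be "is used".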
From tomas at openssl.org Mon Sep 20 07:33:10 2021
From: tomas at openssl.org (tomas at openssl.org)
Date: Mon, 20 Sep 2021 07:33:10 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1632123190.351862.7161.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via 119062833cc7ac4fc6d67287e3be3e4868f7f389 (commit)
from 814271efcc6e77fefabd616fab381fd168e2bd15 (commit)
- Log -----------------------------------------------------------------
commit 119062833cc7ac4fc6d67287e3be3e4868f7f389
Author: slontis
Date: Tue Aug 31 10:59:20 2021 +1000
Document that the openssl fipsinstall self test callback may not be used.
Fixes #16260
If the user autoloads a fips module from a config file, then it will run the self tests early (before the self test callback is set),
and they may not get triggered again during the fipsinstall process.
In order for this to happen there must already be a valid fips config file.
As the main purpose of the application is to generate the fips config file, this case has just been documented.
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16475)
(cherry picked from commit 8d257d0dc6ed9d5aeb8366de6be0af01538557ea)
-----------------------------------------------------------------------
Summary of changes:
doc/man1/openssl-fipsinstall.pod.in | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
index d79e237dba..97e2ae910c 100644
--- a/doc/man1/openssl-fipsinstall.pod.in
+++ b/doc/man1/openssl-fipsinstall.pod.in
@@ -197,6 +197,18 @@ All other options are ignored if '-config' is used.
=back
+=head1 NOTES
+
+Self tests results are logged by default if the options B<-quiet> and B<-noout>
+are not specified, or if either of the options B<-corrupt_desc> or
+B<-corrupt_type> are used.
+If the base configuration file is set up to autoload the fips module, then the
+fips module will be loaded and self tested BEFORE the fipsinstall application
+has a chance to set up its own self test callback. As a result of this the self
+test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored.
+For normal usage the base configuration file should use the default provider
+when generating the fips configuration file.
+
=head1 EXAMPLES
Calculate the mac of a FIPS module F and run a FIPS self test
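Review bot: The first sentence of the new NOTES section, "if the options B<-quiet> and B<-noout> are not specified", can be read either as "neither option is given" or as "the two are not given together". Since this sentence decides when self test results are logged, it should name the intended case outright, for example "unless B<-quiet> or B<-noout> is specified" if that is the behaviour.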
From pauli at openssl.org Tue Sep 21 00:52:06 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Tue, 21 Sep 2021 00:52:06 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1632185526.990243.4702.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via 56b8f434c7da35b4de16603faad4170eb1d80710 (commit)
from 119062833cc7ac4fc6d67287e3be3e4868f7f389 (commit)
- Log -----------------------------------------------------------------
commit 56b8f434c7da35b4de16603faad4170eb1d80710
Author: Arne Schwabe
Date: Sat Sep 18 05:04:39 2021 +0200
Add missing mention of mandatory function OSSL_FUNC_keymgmt_has
The manual page provider-keymgmt.pod is missing the mention of the
required function OSSL_FUNC_keymgmt_has. The function
keymgmt_from_algorithm raises EVP_R_INVALID_PROVIDER_FUNCTIONS
if keymgmt->has == NULL
CLA: trivial
Signed-off-by: Arne Schwabe
Reviewed-by: Tomas Mraz
Reviewed-by: Richard Levitte
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16621)
-----------------------------------------------------------------------
Summary of changes:
doc/man7/provider-keymgmt.pod | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/doc/man7/provider-keymgmt.pod b/doc/man7/provider-keymgmt.pod
index 000c8cab3f..25b822b47d 100644
--- a/doc/man7/provider-keymgmt.pod
+++ b/doc/man7/provider-keymgmt.pod
@@ -254,9 +254,10 @@ provider knows how to interpret, but that may come from other operations.
Outside the provider, this reference is simply an array of bytes.
At least one of OSSL_FUNC_keymgmt_new(), OSSL_FUNC_keymgmt_gen() and
-OSSL_FUNC_keymgmt_load() are mandatory, as well as OSSL_FUNC_keymgmt_free().
-Additionally, if OSSL_FUNC_keymgmt_gen() is present, OSSL_FUNC_keymgmt_gen_init()
-and OSSL_FUNC_keymgmt_gen_cleanup() must be present as well.
+OSSL_FUNC_keymgmt_load() are mandatory, as well as OSSL_FUNC_keymgmt_free() and
+OSSL_FUNC_keymgmt_has(). Additionally, if OSSL_FUNC_keymgmt_gen() is present,
+OSSL_FUNC_keymgmt_gen_init() and OSSL_FUNC_keymgmt_gen_cleanup() must be
+present as well.
=head2 Key Object Information Functions
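Review bot: The added mention of OSSL_FUNC_keymgmt_has() states that the function is mandatory but not what a provider author sees when it is missing. The commit message already has the answer (keymgmt_from_algorithm raises EVP_R_INVALID_PROVIDER_FUNCTIONS when keymgmt->has is NULL); putting that error name in the manual page next to the list of mandatory functions would make the failure diagnosable from the documentation alone.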
From pauli at openssl.org Tue Sep 21 00:52:31 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Tue, 21 Sep 2021 00:52:31 +0000
Subject: [openssl] master update
Message-ID: <1632185551.238139.5982.nullmailer@dev.openssl.org>
The branch master has been updated
via d270a6c9ea9f240f653a98c7eb0a5c2134a5d63a (commit)
from 8d257d0dc6ed9d5aeb8366de6be0af01538557ea (commit)
- Log -----------------------------------------------------------------
commit d270a6c9ea9f240f653a98c7eb0a5c2134a5d63a
Author: Arne Schwabe
Date: Sat Sep 18 05:04:39 2021 +0200
Add missing mention of mandatory function OSSL_FUNC_keymgmt_has
The manual page provider-keymgmt.pod is missing the mention of the
required function OSSL_FUNC_keymgmt_has. The function
keymgmt_from_algorithm raises EVP_R_INVALID_PROVIDER_FUNCTIONS
if keymgmt->has == NULL
CLA: trivial
Signed-off-by: Arne Schwabe
Reviewed-by: Tomas Mraz
Reviewed-by: Richard Levitte
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16621)
(cherry picked from commit 56b8f434c7da35b4de16603faad4170eb1d80710)
-----------------------------------------------------------------------
Summary of changes:
doc/man7/provider-keymgmt.pod | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/doc/man7/provider-keymgmt.pod b/doc/man7/provider-keymgmt.pod
index 000c8cab3f..25b822b47d 100644
--- a/doc/man7/provider-keymgmt.pod
+++ b/doc/man7/provider-keymgmt.pod
@@ -254,9 +254,10 @@ provider knows how to interpret, but that may come from other operations.
Outside the provider, this reference is simply an array of bytes.
At least one of OSSL_FUNC_keymgmt_new(), OSSL_FUNC_keymgmt_gen() and
-OSSL_FUNC_keymgmt_load() are mandatory, as well as OSSL_FUNC_keymgmt_free().
-Additionally, if OSSL_FUNC_keymgmt_gen() is present, OSSL_FUNC_keymgmt_gen_init()
-and OSSL_FUNC_keymgmt_gen_cleanup() must be present as well.
+OSSL_FUNC_keymgmt_load() are mandatory, as well as OSSL_FUNC_keymgmt_free() and
+OSSL_FUNC_keymgmt_has(). Additionally, if OSSL_FUNC_keymgmt_gen() is present,
+OSSL_FUNC_keymgmt_gen_init() and OSSL_FUNC_keymgmt_gen_cleanup() must be
+present as well.
=head2 Key Object Information Functions
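Review bot: With OSSL_FUNC_keymgmt_has() appended, the sentence "At least one of ... are mandatory, as well as OSSL_FUNC_keymgmt_free() and OSSL_FUNC_keymgmt_has()" now carries three separate requirements, and "as well as" can be misread as extending the "at least one of" group. Splitting it into two sentences (one for the new/gen/load alternative, one for the functions that are always required) would remove the ambiguity, and "At least one of ... is mandatory" fixes the agreement.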
From pauli at openssl.org Tue Sep 21 08:03:35 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Tue, 21 Sep 2021 08:03:35 +0000
Subject: [openssl] master update
Message-ID: <1632211415.934281.22379.nullmailer@dev.openssl.org>
The branch master has been updated
via 08d8c2d87ec782e95c28ff795e096c2f6f590d63 (commit)
from d270a6c9ea9f240f653a98c7eb0a5c2134a5d63a (commit)
- Log -----------------------------------------------------------------
commit 08d8c2d87ec782e95c28ff795e096c2f6f590d63
Author: Pauli
Date: Mon Sep 20 09:54:10 2021 +1000
ci: add copyright header to CI scripts
There is quite a bit of creative effort in these and even more trouble-
shooting effort. I.e. they are non-trivial from a copyright perspective.
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16628)
-----------------------------------------------------------------------
Summary of changes:
.github/workflows/ci.yml | 7 +++++++
.github/workflows/compiler-zoo.yml | 7 +++++++
.github/workflows/coveralls.yml | 7 +++++++
.github/workflows/cross-compiles.yml | 7 +++++++
.github/workflows/fips-checksums.yml | 7 +++++++
.github/workflows/fips-label.yml | 7 +++++++
.github/workflows/fuzz-checker.yml | 7 +++++++
.github/workflows/main.yml | 7 +++++++
.github/workflows/run-checker-ci.yml | 7 +++++++
.github/workflows/run-checker-daily.yml | 7 +++++++
.github/workflows/run-checker-merge.yml | 7 +++++++
.github/workflows/windows.yml | 7 +++++++
12 files changed, 84 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 601ba5f6b1..c7a344c529 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: GitHub CI
on: [pull_request, push]
diff --git a/.github/workflows/compiler-zoo.yml b/.github/workflows/compiler-zoo.yml
index 29a9097343..55d108543f 100644
--- a/.github/workflows/compiler-zoo.yml
+++ b/.github/workflows/compiler-zoo.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: Compiler Zoo CI
on: [push]
diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml
index 45e9e8e62e..3392edda4a 100644
--- a/.github/workflows/coveralls.yml
+++ b/.github/workflows/coveralls.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: Coverage
#Run once a day
diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml
index 576a9d3b18..ebfc13c626 100644
--- a/.github/workflows/cross-compiles.yml
+++ b/.github/workflows/cross-compiles.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: Cross Compile
on: [pull_request, push]
diff --git a/.github/workflows/fips-checksums.yml b/.github/workflows/fips-checksums.yml
index d8aea44786..78351981d5 100644
--- a/.github/workflows/fips-checksums.yml
+++ b/.github/workflows/fips-checksums.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: FIPS Checksums
on: [pull_request]
diff --git a/.github/workflows/fips-label.yml b/.github/workflows/fips-label.yml
index eb87f200f5..c241801b9e 100644
--- a/.github/workflows/fips-label.yml
+++ b/.github/workflows/fips-label.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: FIPS Changed Label
on:
workflow_run:
diff --git a/.github/workflows/fuzz-checker.yml b/.github/workflows/fuzz-checker.yml
index 5b784deb10..4d3bf35884 100644
--- a/.github/workflows/fuzz-checker.yml
+++ b/.github/workflows/fuzz-checker.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: Fuzz-checker CI
on: [push]
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 81f6203e2a..4ad9c0c1fa 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: CIFuzz
on: [pull_request, push]
jobs:
diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml
index 5a6dd4dc85..1aca0170f8 100644
--- a/.github/workflows/run-checker-ci.yml
+++ b/.github/workflows/run-checker-ci.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
# Jobs run per pull request submission
name: Run-checker CI
on: [pull_request, push]
diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml
index d9374f1cfc..0937d2f57d 100644
--- a/.github/workflows/run-checker-daily.yml
+++ b/.github/workflows/run-checker-daily.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: Run-checker daily
# Jobs run daily
diff --git a/.github/workflows/run-checker-merge.yml b/.github/workflows/run-checker-merge.yml
index 4f5efeae51..7795ab1db2 100644
--- a/.github/workflows/run-checker-merge.yml
+++ b/.github/workflows/run-checker-merge.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: Run-checker merge
# Jobs run per merge to master
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index ffe6c92403..cb9e84b33d 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: Windows GitHub CI
on: [pull_request, push]
From pauli at openssl.org Tue Sep 21 08:05:07 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Tue, 21 Sep 2021 08:05:07 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1632211507.146356.25534.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via 8f3bcfdfddf8b670439150d9ce6b2aec5df6c036 (commit)
from 56b8f434c7da35b4de16603faad4170eb1d80710 (commit)
- Log -----------------------------------------------------------------
commit 8f3bcfdfddf8b670439150d9ce6b2aec5df6c036
Author: Pauli
Date: Mon Sep 20 09:54:10 2021 +1000
ci: add copyright header to CI scripts
There is quite a bit of creative effort in these and even more trouble-
shooting effort. I.e. they are non-trivial from a copyright perspective.
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16628)
(cherry picked from commit 08d8c2d87ec782e95c28ff795e096c2f6f590d63)
-----------------------------------------------------------------------
Summary of changes:
.github/workflows/ci.yml | 7 +++++++
.github/workflows/compiler-zoo.yml | 7 +++++++
.github/workflows/coveralls.yml | 7 +++++++
.github/workflows/cross-compiles.yml | 7 +++++++
.github/workflows/fips-checksums.yml | 7 +++++++
.github/workflows/fips-label.yml | 7 +++++++
.github/workflows/fuzz-checker.yml | 7 +++++++
.github/workflows/main.yml | 7 +++++++
.github/workflows/run-checker-ci.yml | 7 +++++++
.github/workflows/run-checker-daily.yml | 7 +++++++
.github/workflows/run-checker-merge.yml | 7 +++++++
.github/workflows/windows.yml | 7 +++++++
12 files changed, 84 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 601ba5f6b1..c7a344c529 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: GitHub CI
on: [pull_request, push]
diff --git a/.github/workflows/compiler-zoo.yml b/.github/workflows/compiler-zoo.yml
index 29a9097343..55d108543f 100644
--- a/.github/workflows/compiler-zoo.yml
+++ b/.github/workflows/compiler-zoo.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: Compiler Zoo CI
on: [push]
diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml
index 45e9e8e62e..3392edda4a 100644
--- a/.github/workflows/coveralls.yml
+++ b/.github/workflows/coveralls.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: Coverage
#Run once a day
diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml
index 576a9d3b18..ebfc13c626 100644
--- a/.github/workflows/cross-compiles.yml
+++ b/.github/workflows/cross-compiles.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: Cross Compile
on: [pull_request, push]
diff --git a/.github/workflows/fips-checksums.yml b/.github/workflows/fips-checksums.yml
index d8aea44786..78351981d5 100644
--- a/.github/workflows/fips-checksums.yml
+++ b/.github/workflows/fips-checksums.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: FIPS Checksums
on: [pull_request]
diff --git a/.github/workflows/fips-label.yml b/.github/workflows/fips-label.yml
index eb87f200f5..c241801b9e 100644
--- a/.github/workflows/fips-label.yml
+++ b/.github/workflows/fips-label.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: FIPS Changed Label
on:
workflow_run:
diff --git a/.github/workflows/fuzz-checker.yml b/.github/workflows/fuzz-checker.yml
index 5b784deb10..4d3bf35884 100644
--- a/.github/workflows/fuzz-checker.yml
+++ b/.github/workflows/fuzz-checker.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: Fuzz-checker CI
on: [push]
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 81f6203e2a..4ad9c0c1fa 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: CIFuzz
on: [pull_request, push]
jobs:
diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml
index 5a6dd4dc85..1aca0170f8 100644
--- a/.github/workflows/run-checker-ci.yml
+++ b/.github/workflows/run-checker-ci.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
# Jobs run per pull request submission
name: Run-checker CI
on: [pull_request, push]
diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml
index d9374f1cfc..0937d2f57d 100644
--- a/.github/workflows/run-checker-daily.yml
+++ b/.github/workflows/run-checker-daily.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: Run-checker daily
# Jobs run daily
diff --git a/.github/workflows/run-checker-merge.yml b/.github/workflows/run-checker-merge.yml
index 4f5efeae51..7795ab1db2 100644
--- a/.github/workflows/run-checker-merge.yml
+++ b/.github/workflows/run-checker-merge.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: Run-checker merge
# Jobs run per merge to master
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index ffe6c92403..cb9e84b33d 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -1,3 +1,10 @@
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
name: Windows GitHub CI
on: [pull_request, push]
From levitte at openssl.org Tue Sep 21 09:06:44 2021
From: levitte at openssl.org (Richard Levitte)
Date: Tue, 21 Sep 2021 09:06:44 +0000
Subject: [openssl] master update
Message-ID: <1632215204.310211.5633.nullmailer@dev.openssl.org>
The branch master has been updated
via dc18f036f161e1e49e1d001046716c77d1699e70 (commit)
from 08d8c2d87ec782e95c28ff795e096c2f6f590d63 (commit)
- Log -----------------------------------------------------------------
commit dc18f036f161e1e49e1d001046716c77d1699e70
Author: Richard Levitte
Date: Sun Sep 19 11:05:35 2021 +0200
Fix util/mkpod2html.pl to call pod2html with absolute paths
It turns out that on VMS, pod2html only recognises VMS directory
specifications if they contain a device name, which is accomplished by
making them absolute. Otherwise, a VMS build that includes building
the document HTML files ends up with an error like this:
$ perl [---.downloads.openssl-3_0-snap-20210916.util]mkpod2html.pl -i [---.downloads.openssl-3_0-snap-20210916.doc.man1]CA.pl.pod -o [.DOC.HTML.MAN1]CA.PL.HTML -t "CA.pl" -r "[---.downloads.openssl-3_0-snap-20210916.doc]"
[---.downloads.openssl-3_0-snap-20210916.util]mkpod2html.pl: error changing to directory -/-/-/downloads/openssl-3_0-snap-20210916/doc/: no such file or directory
%SYSTEM-F-ABORT, abort
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16626)
-----------------------------------------------------------------------
Summary of changes:
util/mkpod2html.pl | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/util/mkpod2html.pl b/util/mkpod2html.pl
index 2df4b22b41..ea1164d597 100755
--- a/util/mkpod2html.pl
+++ b/util/mkpod2html.pl
@@ -12,6 +12,7 @@ use warnings;
use lib ".";
use Getopt::Std;
use Pod::Html;
+use File::Spec::Functions qw(:DEFAULT rel2abs);
# Options.
our($opt_i); # -i INFILE
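Review bot: The import list "qw(:DEFAULT rel2abs)" brings in the whole default export set of File::Spec::Functions, while the only function the hunks shown here call is rel2abs(). If nothing else in the script uses the default names, "use File::Spec::Functions qw(rel2abs);" keeps the namespace smaller and makes the dependency obvious.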
@@ -25,6 +26,14 @@ die "-o flag missing" unless $opt_o;
die "-t flag missing" unless $opt_t;
die "-r flag missing" unless $opt_r;
+# We originally used realpath() here, but the Windows implementation appears
+# to require that the directory or file exist to be able to process the input,
+# so we use rel2abs() instead, which only processes the string without
+# looking further.
+$opt_i = rel2abs($opt_i) or die "Can't convert to real path: $!";
+$opt_o = rel2abs($opt_o) or die "Can't convert to real path: $!";
+$opt_r = rel2abs($opt_r) or die "Can't convert to real path: $!";
+
pod2html
"--infile=$opt_i",
"--outfile=$opt_o",
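Review bot: The three "rel2abs(...) or die "Can't convert to real path: $!"" lines check for a failure that the accompanying comment says cannot come from the file system, since rel2abs() "only processes the string without looking further". In that case $! is not set by the call and the message would print a stale or empty error, and "real path" describes realpath(), which is no longer used. Either drop the "or die" or change the message to name the offending argument instead of $!.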
From levitte at openssl.org Tue Sep 21 09:07:14 2021
From: levitte at openssl.org (Richard Levitte)
Date: Tue, 21 Sep 2021 09:07:14 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1632215234.463488.7019.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via 5a05c0d05233051f7af736e4f906b99f42212526 (commit)
from 8f3bcfdfddf8b670439150d9ce6b2aec5df6c036 (commit)
- Log -----------------------------------------------------------------
commit 5a05c0d05233051f7af736e4f906b99f42212526
Author: Richard Levitte
Date: Sun Sep 19 11:05:35 2021 +0200
Fix util/mkpod2html.pl to call pod2html with absolute paths
It turns out that on VMS, pod2html only recognises VMS directory
specifications if they contain a device name, which is accomplished by
making them absolute. Otherwise, a VMS build that includes building
the document HTML files ends up with an error like this:
$ perl [---.downloads.openssl-3_0-snap-20210916.util]mkpod2html.pl -i [---.downloads.openssl-3_0-snap-20210916.doc.man1]CA.pl.pod -o [.DOC.HTML.MAN1]CA.PL.HTML -t "CA.pl" -r "[---.downloads.openssl-3_0-snap-20210916.doc]"
[---.downloads.openssl-3_0-snap-20210916.util]mkpod2html.pl: error changing to directory -/-/-/downloads/openssl-3_0-snap-20210916/doc/: no such file or directory
%SYSTEM-F-ABORT, abort
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16626)
(cherry picked from commit dc18f036f161e1e49e1d001046716c77d1699e70)
-----------------------------------------------------------------------
Summary of changes:
util/mkpod2html.pl | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/util/mkpod2html.pl b/util/mkpod2html.pl
index 2df4b22b41..ea1164d597 100755
--- a/util/mkpod2html.pl
+++ b/util/mkpod2html.pl
@@ -12,6 +12,7 @@ use warnings;
use lib ".";
use Getopt::Std;
use Pod::Html;
+use File::Spec::Functions qw(:DEFAULT rel2abs);
# Options.
our($opt_i); # -i INFILE
@@ -25,6 +26,14 @@ die "-o flag missing" unless $opt_o;
die "-t flag missing" unless $opt_t;
die "-r flag missing" unless $opt_r;
+# We originally used realpath() here, but the Windows implementation appears
+# to require that the directory or file exist to be able to process the input,
+# so we use rel2abs() instead, which only processes the string without
+# looking further.
+$opt_i = rel2abs($opt_i) or die "Can't convert to real path: $!";
+$opt_o = rel2abs($opt_o) or die "Can't convert to real path: $!";
+$opt_r = rel2abs($opt_r) or die "Can't convert to real path: $!";
+
pod2html
"--infile=$opt_i",
"--outfile=$opt_o",
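Review bot: The comment above the rel2abs() calls explains why realpath() was dropped (Windows), but not why the paths are made absolute at all, which according to the commit message is that pod2html on VMS only recognises directory specifications containing a device name. That reason belongs in the comment too, otherwise a later cleanup could remove the conversion as unnecessary.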
From beldmit at gmail.com Tue Sep 21 12:10:04 2021
From: beldmit at gmail.com (beldmit at gmail.com)
Date: Tue, 21 Sep 2021 12:10:04 +0000
Subject: [openssl] master update
Message-ID: <1632226204.629178.30484.nullmailer@dev.openssl.org>
The branch master has been updated
via 6923d261b819cdd5d9e0a72337da6d6a92cef2a2 (commit)
via 537976defe0775c016b9dbb36406bee1e96d0edb (commit)
via 7e399f03829aad161b52b9c433b8d349c5922739 (commit)
via 7a27bdbdce3d6d6548d5878a30aecc989fcab574 (commit)
via 86cfd132ffc4f6198cc640a29c293850c0a59914 (commit)
from dc18f036f161e1e49e1d001046716c77d1699e70 (commit)
- Log -----------------------------------------------------------------
commit 6923d261b819cdd5d9e0a72337da6d6a92cef2a2
Author: Dmitry Belyavskiy
Date: Fri Sep 17 17:49:39 2021 +0200
Update the default value for the -nameopt option - documentation
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16583)
commit 537976defe0775c016b9dbb36406bee1e96d0edb
Author: Dmitry Belyavskiy
Date: Fri Sep 17 17:47:55 2021 +0200
NEWS and CHANGES are updated about switching to utf8
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16583)
commit 7e399f03829aad161b52b9c433b8d349c5922739
Author: Dmitry Belyavskiy
Date: Mon Sep 13 19:24:24 2021 +0200
Tests adjustments for default output change
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16583)
commit 7a27bdbdce3d6d6548d5878a30aecc989fcab574
Author: Dmitry Belyavskiy
Date: Thu Sep 16 17:47:47 2021 +0200
Update gost-engine to match new default nameopt
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16583)
commit 86cfd132ffc4f6198cc640a29c293850c0a59914
Author: Dmitry Belyavskiy
Date: Sat Sep 11 13:56:28 2021 +0200
Use -nameopt utf8 by default
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16583)
-----------------------------------------------------------------------
Summary of changes:
CHANGES.md | 5 ++++-
NEWS.md | 5 +++--
apps/lib/apps.c | 2 +-
doc/man1/openssl-namedisplay-options.pod | 2 +-
gost-engine | 2 +-
test/recipes/25-test_rusext.t | 6 +++++-
test/recipes/80-test_pkcs12.t | 2 +-
7 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 58dffb15ef..c9d3825eec 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -24,7 +24,10 @@ OpenSSL 3.1
### Changes between 3.0 and 3.1 [xx XXX xxxx]
- *
+ * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
+ by default.
+
+ *Dmitry Belyavskiy*
OpenSSL 3.0
-----------
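Review bot: the new CHANGES entry describes only the UTF-8 conversion, but the default in apps/lib/apps.c moves away from XN_FLAG_ONELINE as a whole, and the test adjustment in 80-test_pkcs12.t shows that the spacing around "=" in the printed name changes as well. Scripts that parse "subject=" or "issuer=" output will be affected by that, so the entry should mention the format change and state that the previous output is available with -nameopt oneline.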
diff --git a/NEWS.md b/NEWS.md
index 7cf0d8a7b7..720cec7330 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -21,12 +21,13 @@ OpenSSL 3.1
### Major changes between OpenSSL 3.0 and OpenSSL 3.1 [under development]
- *
+ * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
+ by default.
OpenSSL 3.0
-----------
-### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0 [under development]
+### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0
* Enhanced 'openssl list' with many new options.
* Added migration guide to man7.
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 43c01401e8..6fe99422b9 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -197,7 +197,7 @@ int set_nameopt(const char *arg)
unsigned long get_nameopt(void)
{
- return (nmflag_set) ? nmflag : XN_FLAG_ONELINE;
+ return (nmflag_set) ? nmflag : XN_FLAG_SEP_CPLUS_SPC | ASN1_STRFLGS_UTF8_CONVERT;
}
void dump_cert_text(BIO *out, X509 *x)
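Review bot: in get_nameopt(), the new fallback sets only XN_FLAG_SEP_CPLUS_SPC and ASN1_STRFLGS_UTF8_CONVERT, whereas XN_FLAG_ONELINE is a composite that also carries escaping and field-name flags (ASN1_STRFLGS_ESC_CTRL comes in through ASN1_STRFLGS_RFC2253). Subject and issuer names come from untrusted certificates and are usually written to a terminal or a log, so please confirm that control characters are still escaped under the new default, or OR the escaping flags back in explicitly. Putting parentheses around the right-hand side of the ternary would also make the intended precedence obvious to the reader.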
diff --git a/doc/man1/openssl-namedisplay-options.pod b/doc/man1/openssl-namedisplay-options.pod
index ff6ed1f4b4..a12f4dbf66 100644
--- a/doc/man1/openssl-namedisplay-options.pod
+++ b/doc/man1/openssl-namedisplay-options.pod
@@ -18,7 +18,7 @@ displayed.
This is specified by using the B<-nameopt> option, which takes a
comma-separated list of options from the following set.
An option may be preceded by a minus sign, C<->, to turn it off.
-The default value is C.
+The default value is C.
The first four are the most commonly used.
=head1 OPTIONS
diff --git a/gost-engine b/gost-engine
index 62583fb222..9869058423 160000
--- a/gost-engine
+++ b/gost-engine
@@ -1 +1 @@
-Subproject commit 62583fb222ec89ff4f6aa3d18b91ed3e64ed5cea
+Subproject commit 986905842330e4a54e61334eb508fe3147c43e38
diff --git a/test/recipes/25-test_rusext.t b/test/recipes/25-test_rusext.t
index 05727f9d04..6c02ed1ba2 100644
--- a/test/recipes/25-test_rusext.t
+++ b/test/recipes/25-test_rusext.t
@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_rusext");
-plan tests => 5;
+plan tests => 7;
require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
my $pem = srctop_file("test/certs", "grfc.pem");
@@ -31,3 +31,7 @@ ok(run(app(["openssl", "x509", "-text", "-in", $pem, "-out", $out_utf8,
"-nameopt", "utf8", "-certopt", "no_pubkey"])));
is(cmp_text($out_utf8, srctop_file('test', 'recipes', '25-test_rusext_data', 'grfc.utf8')),
0, 'Comparing utf8 output');
+ok(run(app(["openssl", "x509", "-text", "-in", $pem, "-out", $out_utf8,
+ "-certopt", "no_pubkey"])));
+is(cmp_text($out_utf8, srctop_file('test', 'recipes', '25-test_rusext_data', 'grfc.utf8')),
+ 0, 'Comparing cyrillic utf8 output by default');
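Review bot: the added default-output test writes to the same $out_utf8 file that the explicit "-nameopt utf8" run just above has already produced. If the second openssl invocation exits successfully without rewriting the file, cmp_text() still passes against the stale content from the previous run. Suggest a separate output file for the default case so the comparison can only succeed on output from the run without -nameopt.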
diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t
index 1f0cb4d501..759cc57118 100644
--- a/test/recipes/80-test_pkcs12.t
+++ b/test/recipes/80-test_pkcs12.t
@@ -143,7 +143,7 @@ my @pkcs12info = run(app(["openssl", "pkcs12", "-info", "-in", $outfile5,
"-passin", "pass:"]), capture => 1);
# Test that with one input certificate, we get one output certificate
-ok(grep(/subject=CN = server.example/, @pkcs12info) == 1,
+ok(grep(/subject=CN\s*=\s*server.example/, @pkcs12info) == 1,
"test one cert in output");
# Test that the expected friendly name is present in the output
ok(grep(/testname/, @pkcs12info) == 1, "test friendly name in output");
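Review bot: the relaxed pattern /subject=CN\s*=\s*server.example/ accepts both the old and the new spacing around "=", so this test no longer shows which name format the default actually produces. Since the commit series changes that default deliberately, matching the exact new string would pin the behaviour. The "." in server.example is also unescaped and matches any character; "server\.example" is what is meant.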
From beldmit at gmail.com Tue Sep 21 16:38:19 2021
From: beldmit at gmail.com (beldmit at gmail.com)
Date: Tue, 21 Sep 2021 16:38:19 +0000
Subject: [openssl] master update
Message-ID: <1632242299.234359.25388.nullmailer@dev.openssl.org>
The branch master has been updated
via 52dcc011191ad1a40fd52ae92ef009309deaca52 (commit)
from 6923d261b819cdd5d9e0a72337da6d6a92cef2a2 (commit)
- Log -----------------------------------------------------------------
commit 52dcc011191ad1a40fd52ae92ef009309deaca52
Author: Dmitry Belyavskiy
Date: Mon Sep 20 16:35:10 2021 +0200
Avoid double-free on unsuccessful getting PRNG seeding
Fixes #16631
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16636)
-----------------------------------------------------------------------
Summary of changes:
providers/implementations/rands/seed_src.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/providers/implementations/rands/seed_src.c b/providers/implementations/rands/seed_src.c
index 173c99ce17..7a4b780bb4 100644
--- a/providers/implementations/rands/seed_src.c
+++ b/providers/implementations/rands/seed_src.c
@@ -201,10 +201,11 @@ static size_t seed_get_seed(void *vseed, unsigned char **pout,
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return 0;
}
- *pout = p;
if (seed_src_generate(vseed, p, bytes_needed, 0, prediction_resistance,
- adin, adin_len) != 0)
+ adin, adin_len) != 0) {
+ *pout = p;
return bytes_needed;
+ }
OPENSSL_secure_clear_free(p, bytes_needed);
return 0;
}
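Review bot: with the assignment moved inside the success branch of seed_get_seed(), *pout is left untouched when seed_src_generate() fails. That removes the dangling pointer, but the caller now sees whatever value *pout held before the call. Setting "*pout = NULL" on the failure path next to OPENSSL_secure_clear_free(), or documenting that the output is valid only for a non-zero return, would make the contract explicit and keep a caller-side cleanup from freeing an unrelated pointer.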
From beldmit at gmail.com Tue Sep 21 16:43:17 2021
From: beldmit at gmail.com (beldmit at gmail.com)
Date: Tue, 21 Sep 2021 16:43:17 +0000
Subject: [openssl] openssl-3.0 update
Message-ID: <1632242597.208164.29365.nullmailer@dev.openssl.org>
The branch openssl-3.0 has been updated
via c84f7c4c22828574885916479885ede6b32ba473 (commit)
from 5a05c0d05233051f7af736e4f906b99f42212526 (commit)
- Log -----------------------------------------------------------------
commit c84f7c4c22828574885916479885ede6b32ba473
Author: Dmitry Belyavskiy
Date: Mon Sep 20 16:35:10 2021 +0200
Avoid double-free on unsuccessful getting PRNG seeding
Fixes #16631
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16636)
(cherry picked from commit 52dcc011191ad1a40fd52ae92ef009309deaca52)
-----------------------------------------------------------------------
Summary of changes:
providers/implementations/rands/seed_src.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/providers/implementations/rands/seed_src.c b/providers/implementations/rands/seed_src.c
index 173c99ce17..7a4b780bb4 100644
--- a/providers/implementations/rands/seed_src.c
+++ b/providers/implementations/rands/seed_src.c
@@ -201,10 +201,11 @@ static size_t seed_get_seed(void *vseed, unsigned char **pout,
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
return 0;
}
- *pout = p;
if (seed_src_generate(vseed, p, bytes_needed, 0, prediction_resistance,
- adin, adin_len) != 0)
+ adin, adin_len) != 0) {
+ *pout = p;
return bytes_needed;
+ }
OPENSSL_secure_clear_free(p, bytes_needed);
return 0;
}
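Review bot: the cherry-pick to openssl-3.0 touches only seed_src.c (1 file changed) and, like the master commit, adds no regression test for the failure path of seed_get_seed(). A test that forces seed_src_generate() to fail and runs under the asan build would catch a reintroduction of the double free on either branch.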
From pauli at openssl.org Wed Sep 22 06:23:11 2021
From: pauli at openssl.org (Dr. Paul Dale)
Date: Wed, 22 Sep 2021 06:23:11 +0000
Subject: [openssl] master update
Message-ID: <1632291791.917616.26177.nullmailer@dev.openssl.org>
The branch master has been updated
via 57cd10dd1ee9659b94cfa8a8e74c5a151632975e (commit)
from 52dcc011191ad1a40fd52ae92ef009309deaca52 (commit)
- Log -----------------------------------------------------------------
commit 57cd10dd1ee9659b94cfa8a8e74c5a151632975e
Author: Pauli
Date: Tue Sep 21 10:59:56 2021 +1000
doc: remove end of line whitespace
Reviewed-by: Tomas Mraz
Reviewed-by: Shane Lontis
(Merged from https://github.com/openssl/openssl/pull/16641)
-----------------------------------------------------------------------
Summary of changes:
doc/build.info.in | 2 +-
doc/internal/man3/OPTIONS.pod | 2 +-
doc/internal/man3/cms_add1_signing_cert.pod | 2 +-
doc/internal/man3/evp_generic_fetch.pod | 2 +-
doc/internal/man3/ossl_lib_ctx_get_data.pod | 2 +-
doc/internal/man3/ossl_provider_new.pod | 2 +-
doc/internal/man7/DERlib.pod | 2 +-
doc/internal/man7/build.info.pod | 2 +-
doc/life-cycles/digest.dot | 2 +-
doc/life-cycles/kdf.dot | 2 +-
doc/life-cycles/mac.dot | 2 +-
doc/life-cycles/rand.dot | 2 +-
doc/man1/openssl-cmp.pod.in | 2 +-
doc/man3/CMS_add1_recipient_cert.pod | 2 +-
doc/man3/CMS_get0_RecipientInfos.pod | 2 +-
doc/man3/CMS_verify.pod | 2 +-
doc/man3/CRYPTO_get_ex_new_index.pod | 2 +-
doc/man3/ERR_get_error.pod | 4 ++--
doc/man3/ERR_put_error.pod | 2 +-
doc/man3/EVP_EncryptInit.pod | 2 +-
doc/man3/EVP_PKEY_copy_parameters.pod | 2 +-
doc/man3/EVP_PKEY_encapsulate.pod | 2 +-
doc/man3/EVP_PKEY_encrypt.pod | 2 +-
doc/man3/EVP_PKEY_fromdata.pod | 2 +-
doc/man3/OSSL_CMP_SRV_CTX_new.pod | 2 +-
doc/man3/OSSL_DECODER_CTX.pod | 2 +-
doc/man3/PKCS12_SAFEBAG_create_cert.pod | 4 ++--
doc/man3/PKCS12_SAFEBAG_get0_attrs.pod | 6 +++---
doc/man3/PKCS12_SAFEBAG_get1_cert.pod | 2 +-
doc/man3/PKCS12_decrypt_skey.pod | 2 +-
doc/man3/SSL_set_async_callback.pod | 2 +-
doc/man3/SSL_set_bio.pod | 2 +-
doc/man3/X509_get0_signature.pod | 4 ++--
doc/man3/d2i_RSAPrivateKey.pod | 14 +++++++-------
doc/man5/x509v3_config.pod | 4 ++--
doc/man7/EVP_KEYEXCH-ECDH.pod | 2 +-
doc/man7/EVP_PKEY-DH.pod | 2 +-
doc/man7/EVP_PKEY-EC.pod | 2 +-
doc/man7/EVP_PKEY-FFC.pod | 2 +-
doc/man7/EVP_SIGNATURE-DSA.pod | 2 +-
doc/man7/EVP_SIGNATURE-ECDSA.pod | 2 +-
doc/man7/EVP_SIGNATURE-RSA.pod | 6 +++---
doc/man7/OSSL_PROVIDER-FIPS.pod | 4 ++--
doc/man7/bio.pod | 2 +-
doc/man7/life_cycle-cipher.pod | 6 +++---
doc/man7/life_cycle-digest.pod | 2 +-
doc/man7/life_cycle-kdf.pod | 2 +-
doc/man7/life_cycle-mac.pod | 2 +-
doc/man7/life_cycle-rand.pod | 2 +-
doc/man7/migration_guide.pod | 30 ++++++++++++++---------------
doc/man7/openssl-core.h.pod | 2 +-
doc/man7/openssl-glossary.pod | 2 +-
doc/man7/property.pod | 2 +-
doc/man7/provider-base.pod | 2 +-
doc/man7/provider-keyexch.pod | 2 +-
doc/man7/provider-keymgmt.pod | 4 ++--
doc/man7/provider-signature.pod | 2 +-
doc/man7/proxy-certificates.pod | 4 ++--
58 files changed, 91 insertions(+), 91 deletions(-)
diff --git a/doc/build.info.in b/doc/build.info.in
index fa1962f382..e8dae7058a 100644
--- a/doc/build.info.in
+++ b/doc/build.info.in
@@ -14,7 +14,7 @@ SUBDIRS = man1
map { $_ => 1 } glob catfile($sourcedir, "man$section", "img", "*.png");
my %podfiles =
map { $_ => 1 } glob catfile($sourcedir, "man$section", "*.pod");
- my %podinfiles =
+ my %podinfiles =
map { $_ => 1 } glob catfile($sourcedir, "man$section", "*.pod.in");
foreach (keys %podinfiles) {
diff --git a/doc/internal/man3/OPTIONS.pod b/doc/internal/man3/OPTIONS.pod
index 1971c76241..90593ca46f 100644
--- a/doc/internal/man3/OPTIONS.pod
+++ b/doc/internal/man3/OPTIONS.pod
@@ -189,7 +189,7 @@ B macro:
OPT_PARAMETERS()
{OPT_PARAM_STR, 1, '-', "Parameters:\n"}
-Every "option" after after this should contain the parameter and
+Every "option" after after this should contain the parameter and
the help string:
{"text", 0, 0, "Words to display (optional)"},
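Review bot: the line being rewritten in this OPTIONS.pod hunk still reads "after after this". Since the line is touched anyway for the whitespace cleanup, the duplicated word could be fixed in the same change.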
diff --git a/doc/internal/man3/cms_add1_signing_cert.pod b/doc/internal/man3/cms_add1_signing_cert.pod
index 97c5a5111d..1f5f681c64 100644
--- a/doc/internal/man3/cms_add1_signing_cert.pod
+++ b/doc/internal/man3/cms_add1_signing_cert.pod
@@ -31,7 +31,7 @@ For a fuller description see L).
=head1 RETURN VALUES
-cms_add1_signing_cert() and cms_add1_signing_cert_v2() return 1 if attribute
+cms_add1_signing_cert() and cms_add1_signing_cert_v2() return 1 if attribute
is added or 0 if an error occurred.
=head1 COPYRIGHT
diff --git a/doc/internal/man3/evp_generic_fetch.pod b/doc/internal/man3/evp_generic_fetch.pod
index 243f6c952f..bc9a3a0770 100644
--- a/doc/internal/man3/evp_generic_fetch.pod
+++ b/doc/internal/man3/evp_generic_fetch.pod
@@ -37,7 +37,7 @@ I, I