[openssl-commits] SUCCESSFUL build of OpenSSL branch master with options -d --strict-warnings no-ec
Platform and configuration command:

$ uname -a
Linux run 4.4.0-119-generic #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-ec

Commit log since last time:

2de108d Save and restore the Windows error around TlsGetValue.
e363534 Use OPENSSL_EC_EXPLICIT_CURVE constant.
fc6f579 Fix explicit EC curve encoding.
55a6250 Skip CN DNS name constraint checks when not needed
d02d80b Limit scope of CN name constraints
de9f5b3 Use the client app traffic secret for PHA Finished message
b501ab6 INSTALL: Provide better documentation for enable-ec_nistp_64_gcc_128
8cc1dc3 Better error code when lacking __SIZEOF_INT128__
0422591 Fix no-ec, no-tls1_3 and no-tls

openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [tools] master update
The branch master has been updated via ddda55afb15458bc21187ef80397134193a8982e (commit) from 845c25d8db7fc784cbf92a523300376a8d69b2a1 (commit) - Log - commit ddda55afb15458bc21187ef80397134193a8982e Author: Rich SalzDate: Wed May 23 11:44:44 2018 -0400 Add --web and --tools to support other repo's. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/tools/pull/1t) --- Summary of changes: review-tools/addrev| 4 review-tools/gitaddrev | 9 +++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/review-tools/addrev b/review-tools/addrev index 0bd28a5..ce770f3 100755 --- a/review-tools/addrev +++ b/review-tools/addrev @@ -22,6 +22,10 @@ foreach (@ARGV) { $args .= "--rmreviewers "; } elsif (/^--trivial$/) { $args .= "--trivial "; +} elsif (/^--web$/) { +$args .= "--web "; +} elsif (/^--tools$/) { +$args .= "--tools "; } elsif (/^--verbose$/) { $args .= "--verbose "; } elsif (/^--noself$/) { diff --git a/review-tools/gitaddrev b/review-tools/gitaddrev index 2beb48a..cf041d4 100755 --- a/review-tools/gitaddrev +++ b/review-tools/gitaddrev @@ -21,6 +21,7 @@ my $num = 0; my $refuse = 0; my $prnum = 0; my $verbose = 0; +my $WHAT = 'openssl'; my $query = OpenSSL::Query->new(); @@ -99,6 +100,10 @@ foreach (@ARGV) { try_add_reviewer($1); } elsif (/^--verbose$/) { $verbose = 1; +} elsif (/^--web$/) { +$WHAT = 'web'; +} elsif (/--tools$/) { +$WHAT = 'tools' } } @@ -189,7 +194,7 @@ my $last_is_rev = 0; foreach (@commit_message) { # Start each line with assuming it's not a reviewed-by line $last_is_rev = 0; -if (/^\(Merged from https:\/\/github\.com\/openssl\/openssl\/pull\//) { +if (/^\(Merged from https:\/\/github\.com\/openssl\/$WHAT\/pull\//) { next if $rmrev == 1; $last_is_rev = 1; next; # Because we're rewriting it below 
@@ -211,5 +216,5 @@ if ($rmrev == 0) { } } -print "(Merged from https://github.com/openssl/openssl/pull/$prnum)\n" +print "(Merged from https://github.com/openssl/$WHAT/pull/$prnum)\n" if $prnum; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
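Review bot: In the gitaddrev option loop (hunk @@ -99,6 +100,10) the new pattern /--tools$/ is missing the leading ^ that /^--web$/ and the neighbouring options use, so any argument that merely ends in "--tools" can reach this branch; write it as /^--tools$/. The assignment $WHAT = 'tools' on the following line also has no terminating semicolon, which Perl accepts before a closing brace but which is inconsistent with $WHAT = 'web'; just above. Because $WHAT is interpolated into the "Merged from" regex and the final print, it is worth keeping it limited to these fixed values, and rejecting the case where both --web and --tools are given rather than letting the last one silently win.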
[openssl-commits] [web] master update
The branch master has been updated via c9f50cbf963b7d9949332c17e614ad0a6e97d431 (commit) from ac5eb58ddc24db122c494b4cb13de3adff366e48 (commit) - Log - commit c9f50cbf963b7d9949332c17e614ad0a6e97d431 Author: Rich SalzDate: Wed May 23 19:57:47 2018 -0400 Revert "Remove rationale, clarify language." This reverts commit ac5eb58ddc24db122c494b4cb13de3adff366e48. --- Summary of changes: policies/releasestrat.html | 28 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/policies/releasestrat.html b/policies/releasestrat.html index 83b85d2..3f37936 100644 --- a/policies/releasestrat.html +++ b/policies/releasestrat.html @@ -34,6 +34,20 @@ performance improvements and so on. There is no need to recompile applications to benefit from these features. + Binary compatibility also allows other possibilities. For + example, consider an application that wishes to utilize + a new cipher provided in a specific 1.0.x release, but it + is also desirable to maintain the application in a 1.0.0 + context. Customarily this would be resolved at compile time + resulting in two binary packages targeting different OpenSSL + versions. However, depending on the feature, it might be + possible to check for its availability at run-time, thus cutting + down on the maintenance of multiple binary packages. Admittedly + it takes a certain discipline and some extra coding, but we + would like to encourage such practice. This is because we + want to see later releases being adopted faster, because new + features can improve security. + With regards to current and future releases the OpenSSL project has adopted the following policy: 
@@ -50,18 +64,15 @@ and we will specify one at least every four years. Non-LTS releases will be supported for at least two years. - During the final year + As implied by the above paragraphs, during the final year of support, we do not commit to anything other than security - fixes. Before then, bug and security fixes will be applied + fixes. Before that, bug and security fixes will be applied as appropriate. The next version of OpenSSL will be 1.1.1. This is currently in development and has a primary focus of implementing TLSv1.3. The RFC for TLSv1.3 has not yet been published by the IETF. OpenSSL 1.1.1 - will not have its final release until that has happened; - we want to have at least one beta release after TLS 1.3 is - officially published as an RFC. The next LTS release will be - 1.1.1. + will not have its final release until that has happened. The draft release timetable for 1.1.1 is as follows. This may be amended at any time as the need arises. @@ -77,8 +88,9 @@ 3rd April 2018, beta release 2 (pre4) 17th April 2018, beta release 3 (pre5) 1st May 2018, beta release 4 (pre6) -29th May 2018, beta release 5 (pre7) -19th June 2018, beta release 6 (pre8) + 8th May 2018, release readiness check (new release + cycles added if required, first possible final release date: + 15th May 2018) An alpha release means: _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
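Review bot: The timetable hunk (@@ -77,8 +88,9) brings back "8th May 2018, release readiness check" with a first possible final release date of 15th May 2018, both earlier than this commit's own date of 23 May 2018, and it drops the 29th May (pre7) and 19th June (pre8) beta entries. If the aim is to undo only the wording and rationale changes, keep the newer timetable lines instead of reverting them wholesale. The commit message gives only the hash being reverted; a sentence saying why ac5eb58 is being backed out would help anyone reading the history.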
[openssl-commits] [web] master update
The branch master has been updated via ac5eb58ddc24db122c494b4cb13de3adff366e48 (commit) from 2f148d990cb7ada6bf1516d08d9927cc9efd7b26 (commit) - Log - commit ac5eb58ddc24db122c494b4cb13de3adff366e48 Author: Rich SalzDate: Mon May 14 16:29:47 2018 -0400 Remove rationale, clarify language. Add 1.1.1 release/LTS details. Remove paragraph justifying binary compatibility. Also remove phrase "as implied by the above" beause, well, it ACTUALY ISN'T implied by the above. :) Reviewed-by: Matt Caswell Reviewed-by: Mark Cox (Merged from https://github.com/openssl/web/pull/52) --- Summary of changes: policies/releasestrat.html | 28 1 file changed, 8 insertions(+), 20 deletions(-) diff --git a/policies/releasestrat.html b/policies/releasestrat.html index 3f37936..83b85d2 100644 --- a/policies/releasestrat.html +++ b/policies/releasestrat.html @@ -34,20 +34,6 @@ performance improvements and so on. There is no need to recompile applications to benefit from these features. - Binary compatibility also allows other possibilities. For - example, consider an application that wishes to utilize - a new cipher provided in a specific 1.0.x release, but it - is also desirable to maintain the application in a 1.0.0 - context. Customarily this would be resolved at compile time - resulting in two binary packages targeting different OpenSSL - versions. However, depending on the feature, it might be - possible to check for its availability at run-time, thus cutting - down on the maintenance of multiple binary packages. Admittedly - it takes a certain discipline and some extra coding, but we - would like to encourage such practice. This is because we - want to see later releases being adopted faster, because new - features can improve security. - With regards to current and future releases the OpenSSL project has adopted the following policy: 
@@ -64,15 +50,18 @@ and we will specify one at least every four years. Non-LTS releases will be supported for at least two years. - As implied by the above paragraphs, during the final year + During the final year of support, we do not commit to anything other than security - fixes. Before that, bug and security fixes will be applied + fixes. Before then, bug and security fixes will be applied as appropriate. The next version of OpenSSL will be 1.1.1. This is currently in development and has a primary focus of implementing TLSv1.3. The RFC for TLSv1.3 has not yet been published by the IETF. OpenSSL 1.1.1 - will not have its final release until that has happened. + will not have its final release until that has happened; + we want to have at least one beta release after TLS 1.3 is + officially published as an RFC. The next LTS release will be + 1.1.1. The draft release timetable for 1.1.1 is as follows. This may be amended at any time as the need arises. @@ -88,9 +77,8 @@ 3rd April 2018, beta release 2 (pre4) 17th April 2018, beta release 3 (pre5) 1st May 2018, beta release 4 (pre6) - 8th May 2018, release readiness check (new release - cycles added if required, first possible final release date: - 15th May 2018) +29th May 2018, beta release 5 (pre7) +19th June 2018, beta release 6 (pre8) An alpha release means: _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
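Review bot: In the timetable hunk (@@ -88,9 +77,8) the "release readiness check" entry and its "first possible final release date" are removed with nothing put in their place, so the list now ends at beta release 6 (pre8) and no longer says when a final release could happen; add a closing entry, even if it only says the date depends on RFC publication. In the @@ -64,15 +50,18 hunk, "The next LTS release will be 1.1.1." is appended to the paragraph about the TLSv1.3 RFC, while the LTS policy is stated in the paragraph above it; the sentence would be easier to find there. The commit also combines a rationale removal, a wording change and a schedule change, which makes a later revert all-or-nothing; consider splitting the schedule update into its own commit.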
[openssl-commits] [web] master update
The branch master has been updated via 2f148d990cb7ada6bf1516d08d9927cc9efd7b26 (commit) from e4458ac28cde9545944b3eb8fe6193ca1c33cd18 (commit) - Log - commit 2f148d990cb7ada6bf1516d08d9927cc9efd7b26 Author: Matt CaswellDate: Wed May 23 10:01:41 2018 +0100 Remove the Forthcoming Features section as per OMC vote Issues have been created for the outstanding features, also as per the vote. Reviewed-by: Tim Hudson Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/54) --- Summary of changes: policies/roadmap.html | 21 - 1 file changed, 21 deletions(-) diff --git a/policies/roadmap.html b/policies/roadmap.html index 58d9812..e2b9479 100644 --- a/policies/roadmap.html +++ b/policies/roadmap.html @@ -86,27 +86,6 @@ Publish the build and test status for each platform (Timescale: Next feature release) - - Forthcoming Features - The primary focus of the next feature release (1.1.1) is - TLS 1.3. - The primary focus of the immediately following feature - release (after 1.1.1) is FIPS. - - We are also evaluating the following new features. - - - New AEAD API - SHA3 - X25519 performance improvements - New IETF signature algorithms - PKCS#11 - PRNG replacement - ASN.1 encoder/decoder replacement - STORE (certificate, crl, key storage API) - Replace CAPI with newer API engine - _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
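Review bot: The hunk at @@ -86,27 +86,6 deletes the whole Forthcoming Features list without leaving any pointer on the page to where those items went. The commit message says issues were created for the outstanding features, so a one-line link to the issue tracker in place of the section would keep them discoverable. Separately, the "Merged from" line names github.com/openssl/openssl/pull/54 although this is a [web] change to policies/roadmap.html; it looks like it should reference the openssl/web repository.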
[openssl-commits] [openssl] master update
The branch master has been updated via de9f5b3554274e27949941cbe74a07c8a5f25dbf (commit) from b501ab6bee469eafb8b67ac38896bb689ab632fa (commit) - Log - commit de9f5b3554274e27949941cbe74a07c8a5f25dbf Author: Matt CaswellDate: Fri May 18 17:33:19 2018 +0100 Use the client app traffic secret for PHA Finished message The TLSv1.3 spec requires us to use the client application traffic secret during generation of the Finished message following a post handshake authentication. Fixes #6263 Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/6297) --- Summary of changes: ssl/tls13_enc.c | 15 +-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index 1613004..1e6db92 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -247,12 +247,23 @@ size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen, goto err; } -if (str == s->method->ssl3_enc->server_finished_label) +if (str == s->method->ssl3_enc->server_finished_label) { key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, s->server_finished_secret, hashlen); -else +} else if (SSL_IS_FIRST_HANDSHAKE(s)) { key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, s->client_finished_secret, hashlen); +} else { +unsigned char finsecret[EVP_MAX_MD_SIZE]; + +if (!tls13_derive_finishedkey(s, ssl_handshake_md(s), + s->client_app_traffic_secret, + finsecret, hashlen)) +goto err; + +key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finsecret, + hashlen); +} if (key == NULL || ctx == NULL _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
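Review bot: In the new else branch of tls13_final_finish_mac (@@ -247,12 +247,23) the local finsecret buffer holds a Finished key derived from s->client_app_traffic_secret, and nothing in the visible lines clears it before it goes out of scope. Add OPENSSL_cleanse(finsecret, sizeof(finsecret)) after EVP_PKEY_new_raw_private_key() returns, and check that the goto err path taken when tls13_derive_finishedkey() fails does not leave partial key material on the stack either. A short comment in the branch stating that the post-handshake authentication Finished message uses the client application traffic secret, as the commit message explains, would also make the three-way condition easier to follow.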
[openssl-commits] Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls
Platform and configuration command:

$ uname -a
Linux run 4.4.0-119-generic #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-tls

Commit log since last time:

693cf80 Enable SSL_MODE_AUTO_RETRY by default
1aac20f Fix no-ec in combination with no-dh

Build log ended with (last 100 lines):
[openssl-commits] [openssl] master update
The branch master has been updated via b501ab6bee469eafb8b67ac38896bb689ab632fa (commit) via 8cc1dc3632ee685f7609c4923c7fb6e75154ea0d (commit) from 04225915731e913b4ad077aff6b6d7bbeb8b916b (commit) - Log - commit b501ab6bee469eafb8b67ac38896bb689ab632fa Author: Richard LevitteDate: Tue May 22 23:09:01 2018 +0200 INSTALL: Provide better documentation for enable-ec_nistp_64_gcc_128 Reviewed-by: Andy Polyakov (Merged from https://github.com/openssl/openssl/pull/6328) commit 8cc1dc3632ee685f7609c4923c7fb6e75154ea0d Author: Richard Levitte Date: Tue May 22 13:57:29 2018 +0200 Better error code when lacking __SIZEOF_INT128__ Fixes #6327 Reviewed-by: Andy Polyakov (Merged from https://github.com/openssl/openssl/pull/6328) --- Summary of changes: INSTALL | 9 +++-- crypto/ec/ecp_nistp224.c | 2 +- crypto/ec/ecp_nistp256.c | 2 +- crypto/ec/ecp_nistp521.c | 2 +- 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/INSTALL b/INSTALL index a0ebef9..52e3f2a 100644 --- a/INSTALL +++ b/INSTALL @@ -336,8 +336,13 @@ enable-ec_nistp_64_gcc_128 Enable support for optimised implementations of some commonly - used NIST elliptic curves. This is only supported on some - platforms. + used NIST elliptic curves. + This is only supported on platforms: + - with little-endian storage of non-byte types + - that tolerate misaligned memory references + - where the compiler: + - supports the non-standard type __uint128_t + - defines the built-in macro __SIZEOF_INT128__ enable-egd Build support for gathering entropy from EGD (Entropy diff --git a/crypto/ec/ecp_nistp224.c b/crypto/ec/ecp_nistp224.c index 5b8da3f..364b7f2 100644 --- a/crypto/ec/ecp_nistp224.c +++ b/crypto/ec/ecp_nistp224.c @@ -45,7 +45,7 @@ NON_EMPTY_TRANSLATION_UNIT typedef __uint128_t uint128_t; /* nonstandard; implemented by gcc on 64-bit * platforms */ # else -# error "Need GCC 4.0 or later to define type uint128_t" +# error "Your compiler doesn't appear to support 128-bit integer types" # endif typedef uint8_t u8; 
diff --git a/crypto/ec/ecp_nistp256.c b/crypto/ec/ecp_nistp256.c index 5eee25c..19caa03 100644 --- a/crypto/ec/ecp_nistp256.c +++ b/crypto/ec/ecp_nistp256.c @@ -47,7 +47,7 @@ typedef __uint128_t uint128_t; /* nonstandard; implemented by gcc on 64-bit * platforms */ typedef __int128_t int128_t; # else -# error "Need GCC 4.0 or later to define type uint128_t" +# error "Your compiler doesn't appear to support 128-bit integer types" # endif typedef uint8_t u8; diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c index 97846f8..3f68ae3 100644 --- a/crypto/ec/ecp_nistp521.c +++ b/crypto/ec/ecp_nistp521.c @@ -45,7 +45,7 @@ NON_EMPTY_TRANSLATION_UNIT typedef __uint128_t uint128_t; /* nonstandard; implemented by gcc on 64-bit * platforms */ # else -# error "Need GCC 4.0 or later to define type uint128_t" +# error "Your compiler doesn't appear to support 128-bit integer types" # endif typedef uint8_t u8; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
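Review bot: The replacement #error text in ecp_nistp224.c, ecp_nistp256.c and ecp_nistp521.c reports that the compiler does not appear to support 128-bit integer types but does not tell the user what to do next. The INSTALL hunk ties exactly these requirements to enable-ec_nistp_64_gcc_128, so naming that option in the message would make the remedy (configure without it) obvious from the build output alone. In the INSTALL hunk, "This is only supported on platforms:" followed by the list reads awkwardly; "This is only supported on platforms" with each bullet completing the sentence, or "on platforms that meet all of the following:", would be clearer about whether every condition is required.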
[openssl-commits] [openssl] master update
The branch master has been updated via 04225915731e913b4ad077aff6b6d7bbeb8b916b (commit) from 693cf80c6ff54ae276a44d305d4ad07168ec6895 (commit) - Log - commit 04225915731e913b4ad077aff6b6d7bbeb8b916b Author: Matt CaswellDate: Mon May 21 10:46:58 2018 +0100 Fix no-ec, no-tls1_3 and no-tls Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6321) --- Summary of changes: test/sslapitest.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/sslapitest.c b/test/sslapitest.c index 10bfc8a..9b0237e 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -1197,6 +1197,7 @@ static int test_session_with_both_cache(void) #endif } +#ifndef OPENSSL_NO_TLS1_3 static SSL_SESSION *sesscache[6]; static int do_cache; @@ -1324,6 +1325,7 @@ static int test_tickets(int idx) return testresult; } +#endif #define USE_NULL0 #define USE_BIO_1 1 _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
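Review bot: The #endif added after test_tickets() (@@ -1324,6 +1325,7) closes an #ifndef OPENSSL_NO_TLS1_3 opened more than a hundred lines earlier (@@ -1197,6 +1197,7) and carries no comment; write it as "#endif /* OPENSSL_NO_TLS1_3 */" so the pairing stays readable. The hunks do not show where test_tickets is registered, so confirm that the registration sits under the same guard, otherwise the no-tls1_3 build will reference an undefined function. The subject also names no-ec, while the visible change only adds a TLS 1.3 guard; a line in the commit message explaining how this covers the no-ec case would help.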