[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated
via 35cf781c20b65e51c6d0d3e9a199e74534b60b4a (commit)
via c8ce9e50d50af58d878d81522a3d592c00a17ba0 (commit)
from b1016c96dbb7a8d9b724f34656e0b2aae9e54cfe (commit)
- Log -
commit 35cf781c20b65e51c6d0d3e9a199e74534b60b4a
Author: Viktor Dukhovni
Date: Mon Oct 8 12:05:14 2018 -0400
Apply self-imposed path length also to root CAs
Also, some readers of the code find starting the count at 1 for EE
cert confusing (since RFC5280 counts only non-self-issued intermediate
CAs, but we also counted the leaf). Therefore, never count the EE
cert, and adjust the path length comparison accordinly. This may
be more clear to the reader.
Reviewed-by: Matt Caswell
(cherry picked from commit dc5831da59e9bfad61ba425d886a0b06ac160cd6)
commit c8ce9e50d50af58d878d81522a3d592c00a17ba0
Author: Viktor Dukhovni
Date: Thu Oct 4 23:53:01 2018 -0400
Only CA certificates can be self-issued
At the bottom of https://tools.ietf.org/html/rfc5280#page-12 and
top of https://tools.ietf.org/html/rfc5280#page-13 (last paragraph
of above https://tools.ietf.org/html/rfc5280#section-3.3), we see:
This specification covers two classes of certificates: CA
certificates and end entity certificates. CA certificates may be
further divided into three classes: cross-certificates, self-issued
certificates, and self-signed certificates. Cross-certificates are
CA certificates in which the issuer and subject are different
entities. Cross-certificates describe a trust relationship between
the two CAs. Self-issued certificates are CA certificates in which
the issuer and subject are the same entity. Self-issued certificates
are generated to support changes in policy or operations. Self-
signed certificates are self-issued certificates where the digital
signature may be verified by the public key bound into the
certificate. Self-signed certificates are used to convey a public
key for use to begin certification paths. End entity certificates
are issued to subjects that are not authorized to issue certificates.
that the term "self-issued" is only applicable to CAs, not end-entity
certificates. In https://tools.ietf.org/html/rfc5280#section-4.2.1.9
the description of path length constraints says:
The pathLenConstraint field is meaningful only if the cA boolean is
asserted and the key usage extension, if present, asserts the
keyCertSign bit (Section 4.2.1.3). In this case, it gives the
maximum number of non-self-issued intermediate certificates that may
follow this certificate in a valid certification path. (Note: The
last certificate in the certification path is not an intermediate
certificate, and is not included in this limit. Usually, the last
certificate is an end entity certificate, but it can be a CA
certificate.)
This makes it clear that exclusion of self-issued certificates from
the path length count applies only to some *intermediate* CA
certificates. A leaf certificate whether it has identical issuer
and subject or whether it is a CA or not is never part of the
intermediate certificate count. The handling of all leaf certificates
must be the same, in the case of our code to post-increment the
path count by 1, so that we ultimately reach a non-self-issued
intermediate it will be the first one (not zeroth) in the chain
of intermediates.
Reviewed-by: Matt Caswell
(cherry picked from commit ed422a2d0196ada0f5c1b6e296f4a4e5ed69577f)
---
Summary of changes:
crypto/x509/x509_vfy.c | 11 +--
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 749768e..da778d4 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -694,10 +694,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
goto end;
}
}
-/* Check pathlen if not self issued */
-if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
-&& (x->ex_pathlen != -1)
-&& (plen > (x->ex_pathlen + proxy_path_length + 1))) {
+/* Check pathlen */
+if ((i > 1) && (x->ex_pathlen != -1)
+&& (plen > (x->ex_pathlen + proxy_path_length))) {
ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
ctx->error_depth = i;
ctx->current_cert = x;
@@ -705,8 +704,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
if (!ok)
goto end;
}
-/* Increment path length if not self issued */
-if (!(x->ex_flags & EXFLAG_SI))
+/* Increment
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated
via d46f9173bbd62ffa7ae0b20bf05c600e14722cc6 (commit)
via cc54a2a0f5a2455205ee236bb44458cc39366065 (commit)
from a76a41655e57b72b30a373aae6e75afedf920076 (commit)
- Log -
commit d46f9173bbd62ffa7ae0b20bf05c600e14722cc6
Author: Viktor Dukhovni
Date: Mon Oct 8 12:05:14 2018 -0400
Apply self-imposed path length also to root CAs
Also, some readers of the code find starting the count at 1 for EE
cert confusing (since RFC5280 counts only non-self-issued intermediate
CAs, but we also counted the leaf). Therefore, never count the EE
cert, and adjust the path length comparison accordinly. This may
be more clear to the reader.
Reviewed-by: Matt Caswell
(cherry picked from commit dc5831da59e9bfad61ba425d886a0b06ac160cd6)
commit cc54a2a0f5a2455205ee236bb44458cc39366065
Author: Viktor Dukhovni
Date: Thu Oct 4 23:53:01 2018 -0400
Only CA certificates can be self-issued
At the bottom of https://tools.ietf.org/html/rfc5280#page-12 and
top of https://tools.ietf.org/html/rfc5280#page-13 (last paragraph
of above https://tools.ietf.org/html/rfc5280#section-3.3), we see:
This specification covers two classes of certificates: CA
certificates and end entity certificates. CA certificates may be
further divided into three classes: cross-certificates, self-issued
certificates, and self-signed certificates. Cross-certificates are
CA certificates in which the issuer and subject are different
entities. Cross-certificates describe a trust relationship between
the two CAs. Self-issued certificates are CA certificates in which
the issuer and subject are the same entity. Self-issued certificates
are generated to support changes in policy or operations. Self-
signed certificates are self-issued certificates where the digital
signature may be verified by the public key bound into the
certificate. Self-signed certificates are used to convey a public
key for use to begin certification paths. End entity certificates
are issued to subjects that are not authorized to issue certificates.
that the term "self-issued" is only applicable to CAs, not end-entity
certificates. In https://tools.ietf.org/html/rfc5280#section-4.2.1.9
the description of path length constraints says:
The pathLenConstraint field is meaningful only if the cA boolean is
asserted and the key usage extension, if present, asserts the
keyCertSign bit (Section 4.2.1.3). In this case, it gives the
maximum number of non-self-issued intermediate certificates that may
follow this certificate in a valid certification path. (Note: The
last certificate in the certification path is not an intermediate
certificate, and is not included in this limit. Usually, the last
certificate is an end entity certificate, but it can be a CA
certificate.)
This makes it clear that exclusion of self-issued certificates from
the path length count applies only to some *intermediate* CA
certificates. A leaf certificate whether it has identical issuer
and subject or whether it is a CA or not is never part of the
intermediate certificate count. The handling of all leaf certificates
must be the same, in the case of our code to post-increment the
path count by 1, so that we ultimately reach a non-self-issued
intermediate it will be the first one (not zeroth) in the chain
of intermediates.
Reviewed-by: Matt Caswell
(cherry picked from commit ed422a2d0196ada0f5c1b6e296f4a4e5ed69577f)
---
Summary of changes:
crypto/x509/x509_vfy.c | 11 +--
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index f86871f..ba186d3 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -515,15 +515,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
/* check_purpose() makes the callback as needed */
if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca))
return 0;
-/* Check pathlen if not self issued */
-if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
-&& (x->ex_pathlen != -1)
-&& (plen > (x->ex_pathlen + proxy_path_length + 1))) {
+/* Check pathlen */
+if ((i > 1) && (x->ex_pathlen != -1)
+&& (plen > (x->ex_pathlen + proxy_path_length))) {
if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED))
return 0;
}
-/* Increment path length if not self issued */
-if (!(x->ex_flags & EXFLAG_SI))
+/* Increment path length if not a self issued intermediate
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated
via a190ea8ad7f2405d1a6245e59481fb6e3d0f60d2 (commit)
via bb6923945ee61b024c841f8131416c3c35cc9746 (commit)
from 871039698042467b814b4fa37353db120be5b331 (commit)
- Log -
commit a190ea8ad7f2405d1a6245e59481fb6e3d0f60d2
Author: Viktor Dukhovni
Date: Mon Oct 8 12:05:14 2018 -0400
Apply self-imposed path length also to root CAs
Also, some readers of the code find starting the count at 1 for EE
cert confusing (since RFC5280 counts only non-self-issued intermediate
CAs, but we also counted the leaf). Therefore, never count the EE
cert, and adjust the path length comparison accordinly. This may
be more clear to the reader.
Reviewed-by: Matt Caswell
(cherry picked from commit dc5831da59e9bfad61ba425d886a0b06ac160cd6)
commit bb6923945ee61b024c841f8131416c3c35cc9746
Author: Viktor Dukhovni
Date: Thu Oct 4 23:53:01 2018 -0400
Only CA certificates can be self-issued
At the bottom of https://tools.ietf.org/html/rfc5280#page-12 and
top of https://tools.ietf.org/html/rfc5280#page-13 (last paragraph
of above https://tools.ietf.org/html/rfc5280#section-3.3), we see:
This specification covers two classes of certificates: CA
certificates and end entity certificates. CA certificates may be
further divided into three classes: cross-certificates, self-issued
certificates, and self-signed certificates. Cross-certificates are
CA certificates in which the issuer and subject are different
entities. Cross-certificates describe a trust relationship between
the two CAs. Self-issued certificates are CA certificates in which
the issuer and subject are the same entity. Self-issued certificates
are generated to support changes in policy or operations. Self-
signed certificates are self-issued certificates where the digital
signature may be verified by the public key bound into the
certificate. Self-signed certificates are used to convey a public
key for use to begin certification paths. End entity certificates
are issued to subjects that are not authorized to issue certificates.
that the term "self-issued" is only applicable to CAs, not end-entity
certificates. In https://tools.ietf.org/html/rfc5280#section-4.2.1.9
the description of path length constraints says:
The pathLenConstraint field is meaningful only if the cA boolean is
asserted and the key usage extension, if present, asserts the
keyCertSign bit (Section 4.2.1.3). In this case, it gives the
maximum number of non-self-issued intermediate certificates that may
follow this certificate in a valid certification path. (Note: The
last certificate in the certification path is not an intermediate
certificate, and is not included in this limit. Usually, the last
certificate is an end entity certificate, but it can be a CA
certificate.)
This makes it clear that exclusion of self-issued certificates from
the path length count applies only to some *intermediate* CA
certificates. A leaf certificate whether it has identical issuer
and subject or whether it is a CA or not is never part of the
intermediate certificate count. The handling of all leaf certificates
must be the same, in the case of our code to post-increment the
path count by 1, so that we ultimately reach a non-self-issued
intermediate it will be the first one (not zeroth) in the chain
of intermediates.
Reviewed-by: Matt Caswell
(cherry picked from commit ed422a2d0196ada0f5c1b6e296f4a4e5ed69577f)
---
Summary of changes:
crypto/x509/x509_vfy.c | 11 +--
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 3a60d41..61e8192 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -517,15 +517,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
/* check_purpose() makes the callback as needed */
if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca))
return 0;
-/* Check pathlen if not self issued */
-if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
-&& (x->ex_pathlen != -1)
-&& (plen > (x->ex_pathlen + proxy_path_length + 1))) {
+/* Check pathlen */
+if ((i > 1) && (x->ex_pathlen != -1)
+&& (plen > (x->ex_pathlen + proxy_path_length))) {
if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED))
return 0;
}
-/* Increment path length if not self issued */
-if (!(x->ex_flags & EXFLAG_SI))
+/* Increment path length if not a self issued intermediate
[openssl-commits] [openssl] master update
The branch master has been updated
via dc5831da59e9bfad61ba425d886a0b06ac160cd6 (commit)
via ed422a2d0196ada0f5c1b6e296f4a4e5ed69577f (commit)
from d68af00685c4a76e9545882e350717ae5e4071df (commit)
- Log -
commit dc5831da59e9bfad61ba425d886a0b06ac160cd6
Author: Viktor Dukhovni
Date: Mon Oct 8 12:05:14 2018 -0400
Apply self-imposed path length also to root CAs
Also, some readers of the code find starting the count at 1 for EE
cert confusing (since RFC5280 counts only non-self-issued intermediate
CAs, but we also counted the leaf). Therefore, never count the EE
cert, and adjust the path length comparison accordinly. This may
be more clear to the reader.
Reviewed-by: Matt Caswell
commit ed422a2d0196ada0f5c1b6e296f4a4e5ed69577f
Author: Viktor Dukhovni
Date: Thu Oct 4 23:53:01 2018 -0400
Only CA certificates can be self-issued
At the bottom of https://tools.ietf.org/html/rfc5280#page-12 and
top of https://tools.ietf.org/html/rfc5280#page-13 (last paragraph
of above https://tools.ietf.org/html/rfc5280#section-3.3), we see:
This specification covers two classes of certificates: CA
certificates and end entity certificates. CA certificates may be
further divided into three classes: cross-certificates, self-issued
certificates, and self-signed certificates. Cross-certificates are
CA certificates in which the issuer and subject are different
entities. Cross-certificates describe a trust relationship between
the two CAs. Self-issued certificates are CA certificates in which
the issuer and subject are the same entity. Self-issued certificates
are generated to support changes in policy or operations. Self-
signed certificates are self-issued certificates where the digital
signature may be verified by the public key bound into the
certificate. Self-signed certificates are used to convey a public
key for use to begin certification paths. End entity certificates
are issued to subjects that are not authorized to issue certificates.
that the term "self-issued" is only applicable to CAs, not end-entity
certificates. In https://tools.ietf.org/html/rfc5280#section-4.2.1.9
the description of path length constraints says:
The pathLenConstraint field is meaningful only if the cA boolean is
asserted and the key usage extension, if present, asserts the
keyCertSign bit (Section 4.2.1.3). In this case, it gives the
maximum number of non-self-issued intermediate certificates that may
follow this certificate in a valid certification path. (Note: The
last certificate in the certification path is not an intermediate
certificate, and is not included in this limit. Usually, the last
certificate is an end entity certificate, but it can be a CA
certificate.)
This makes it clear that exclusion of self-issued certificates from
the path length count applies only to some *intermediate* CA
certificates. A leaf certificate whether it has identical issuer
and subject or whether it is a CA or not is never part of the
intermediate certificate count. The handling of all leaf certificates
must be the same, in the case of our code to post-increment the
path count by 1, so that we ultimately reach a non-self-issued
intermediate it will be the first one (not zeroth) in the chain
of intermediates.
Reviewed-by: Matt Caswell
---
Summary of changes:
crypto/x509/x509_vfy.c | 11 +--
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 3a60d41..61e8192 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -517,15 +517,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
/* check_purpose() makes the callback as needed */
if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca))
return 0;
-/* Check pathlen if not self issued */
-if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
-&& (x->ex_pathlen != -1)
-&& (plen > (x->ex_pathlen + proxy_path_length + 1))) {
+/* Check pathlen */
+if ((i > 1) && (x->ex_pathlen != -1)
+&& (plen > (x->ex_pathlen + proxy_path_length))) {
if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED))
return 0;
}
-/* Increment path length if not self issued */
-if (!(x->ex_flags & EXFLAG_SI))
+/* Increment path length if not a self issued intermediate CA */
+if (i > 0 && (x->ex_flags & EXFLAG_SI) == 0)
plen++;
/*
* If this certificate is a proxy certificate, the next ce
[openssl-commits] Build completed: openssl master.20382
Build openssl master.20382 completed Commit 2397338954 by Mansour Ahmadi on 10/17/2018 10:13 PM: Check return value of EVP_PKEY_new Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build failed: openssl master.20381
Build openssl master.20381 failed Commit f497c69bf0 by David von Oheimb on 10/17/2018 1:51 PM: Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build completed: openssl OpenSSL_1_1_0-stable.20372
Build openssl OpenSSL_1_1_0-stable.20372 completed Commit a76a41655e by Andy Polyakov on 10/17/2018 11:58 AM: ssl/s3_enc.c: fix logical errors in ssl3_final_finish_mac. Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build failed: openssl master.20371
Build openssl master.20371 failed Commit 17a7445d54 by David von Oheimb on 10/17/2018 11:55 AM: Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated
via d68af00685c4a76e9545882e350717ae5e4071df (commit)
via f39ad8dcaa75293968d2633d043de3f5fce4f37b (commit)
from 9453b196343db579c590130adc63d35d2ff87188 (commit)
- Log -
commit d68af00685c4a76e9545882e350717ae5e4071df
Author: Patrick Steuer
Date: Tue Jan 31 12:43:35 2017 +0100
s390x assembly pack: add OPENSSL_s390xcap man page.
Signed-off-by: Patrick Steuer
Reviewed-by: Andy Polyakov
Reviewed-by: Rich Salz
Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/6813)
commit f39ad8dcaa75293968d2633d043de3f5fce4f37b
Author: Patrick Steuer
Date: Mon Jan 30 17:37:54 2017 +0100
s390x assembly pack: add OPENSSL_s390xcap environment variable.
The OPENSSL_s390xcap environment variable is used to set bits in the s390x
capability vector to zero. This simplifies testing of different code paths.
Signed-off-by: Patrick Steuer
Reviewed-by: Andy Polyakov
Reviewed-by: Rich Salz
Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/6813)
---
Summary of changes:
crypto/s390x_arch.h | 23 +-
crypto/s390xcap.c | 515 ++
crypto/s390xcpuid.pl | 31 ++-
doc/man3/OPENSSL_s390xcap.pod | 173 ++
util/private.num | 1 +
5 files changed, 730 insertions(+), 13 deletions(-)
create mode 100644 doc/man3/OPENSSL_s390xcap.pod
diff --git a/crypto/s390x_arch.h b/crypto/s390x_arch.h
index 4a775a9..3bed655 100644
--- a/crypto/s390x_arch.h
+++ b/crypto/s390x_arch.h
@@ -49,6 +49,9 @@ struct OPENSSL_s390xcap_st {
extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
+/* Max number of 64-bit words currently returned by STFLE */
+# define S390X_STFLE_MAX 3
+
/* convert facility bit number or function code to bit mask */
# define S390X_CAPBIT(i) (1ULL << (63 - (i) % 64))
@@ -68,9 +71,15 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
# define S390X_KMA 0xb0
/* Facility Bit Numbers */
-# define S390X_VX 129
-# define S390X_VXD 134
-# define S390X_VXE 135
+# define S390X_MSA 17 /* message-security-assist */
+# define S390X_STCKF 25 /* store-clock-fast */
+# define S390X_MSA557 /* message-security-assist-ext. 5 */
+# define S390X_MSA376 /* message-security-assist-ext. 3 */
+# define S390X_MSA477 /* message-security-assist-ext. 4 */
+# define S390X_VX 129 /* vector */
+# define S390X_VXD 134 /* vector packed decimal */
+# define S390X_VXE 135 /* vector enhancements 1 */
+# define S390X_MSA8146 /* message-security-assist-ext. 8 */
/* Function Codes */
@@ -78,6 +87,9 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
# define S390X_QUERY 0
/* kimd/klmd */
+# define S390X_SHA_1 1
+# define S390X_SHA_256 2
+# define S390X_SHA_512 3
# define S390X_SHA3_22432
# define S390X_SHA3_25633
# define S390X_SHA3_38434
@@ -91,7 +103,12 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
# define S390X_AES_192 19
# define S390X_AES_256 20
+/* km */
+# define S390X_XTS_AES_128 50
+# define S390X_XTS_AES_256 52
+
/* prno */
+# define S390X_SHA_512_DRNG3
# define S390X_TRNG114
/* Register 0 Flags */
diff --git a/crypto/s390xcap.c b/crypto/s390xcap.c
index e7c7f0a..881613a 100644
--- a/crypto/s390xcap.c
+++ b/crypto/s390xcap.c
@@ -13,15 +13,51 @@
#include
#include
#include "internal/cryptlib.h"
+#include "internal/ctype.h"
#include "s390x_arch.h"
+#define LEN128
+#define STR_(S)#S
+#define STR(S) STR_(S)
+
+#define TOK_FUNC(NAME) \
+(sscanf(tok_begin, \
+" " STR(NAME) " : %" STR(LEN) "[^:] : "\
+"%" STR(LEN) "s %" STR(LEN) "s ", \
+tok[0], tok[1], tok[2]) == 2) {\
+ \
+off = (tok[0][0] == '~') ? 1 : 0; \
+if (sscanf(tok[0] + off, "%llx", &cap->NAME[0]) != 1) \
+goto ret; \
+if (off) \
+cap->NAME[0] = ~cap->NAME[0]; \
+ \
+off = (tok[1][0] == '~') ? 1 : 0;
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated
via a76a41655e57b72b30a373aae6e75afedf920076 (commit)
from 77078e6bbfa686dba00cf379f0c96bd2833133a6 (commit)
- Log -
commit a76a41655e57b72b30a373aae6e75afedf920076
Author: Andy Polyakov
Date: Fri Oct 12 22:17:51 2018 +0200
ssl/s3_enc.c: fix logical errors in ssl3_final_finish_mac.
(back-port of commit 7d0effeacbb50b12bfc24df7614d7cf5c8686f51)
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/7392)
---
Summary of changes:
ssl/s3_enc.c | 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index e08857d..89b7739 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -404,13 +404,14 @@ int ssl3_final_finish_mac(SSL *s, const char *sender, int
len, unsigned char *p)
}
if (!EVP_MD_CTX_copy_ex(ctx, s->s3->handshake_dgst)) {
SSLerr(SSL_F_SSL3_FINAL_FINISH_MAC, ERR_R_INTERNAL_ERROR);
-return 0;
+ret = 0;
+goto err;
}
ret = EVP_MD_CTX_size(ctx);
if (ret < 0) {
-EVP_MD_CTX_reset(ctx);
-return 0;
+ret = 0;
+goto err;
}
if ((sender != NULL && EVP_DigestUpdate(ctx, sender, len) <= 0)
@@ -422,6 +423,7 @@ int ssl3_final_finish_mac(SSL *s, const char *sender, int
len, unsigned char *p)
ret = 0;
}
+ err:
EVP_MD_CTX_free(ctx);
return ret;
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build failed: openssl master.20363
Build openssl master.20363 failed Commit 937a5e0327 by Richard Levitte on 10/12/2018 3:05 PM: apps: Switch to using OSSL_STORE for loading keys, certs, ... Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated
via 871039698042467b814b4fa37353db120be5b331 (commit)
from 135e8062369f3c7a2398ac12e7eea3c3c18b017d (commit)
- Log -
commit 871039698042467b814b4fa37353db120be5b331
Author: Antoine Salon
Date: Mon Oct 1 14:11:57 2018 -0700
EVP module documentation pass
Replace ECDH_KDF_X9_62() with internal ecdh_KDF_X9_63()
Signed-off-by: Antoine Salon
Reviewed-by: Matt Caswell
Reviewed-by: Nicola Tuveri
(Merged from https://github.com/openssl/openssl/pull/7345)
(cherry picked from commit ffd89124bdfc9e69349492c3f15383bb35520a11)
---
Summary of changes:
CHANGES | 7 +-
crypto/ec/ec_ameth.c| 4 +-
crypto/ec/ec_pmeth.c| 4 +-
crypto/ec/ecdh_kdf.c| 19 +-
crypto/include/internal/ec_int.h| 8 +
crypto/sm2/sm2_crypt.c | 5 +-
doc/man3/EVP_PKEY_CTX_ctrl.pod | 283 ++--
doc/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.pod | 4 +-
doc/man3/EVP_PKEY_set1_RSA.pod | 35 +--
doc/man3/EVP_aes.pod| 6 +
doc/man3/EVP_aria.pod | 6 +
doc/man3/EVP_bf_cbc.pod | 3 +
doc/man3/EVP_camellia.pod | 6 +
doc/man3/EVP_cast5_cbc.pod | 3 +
doc/man3/EVP_des.pod| 30 ++-
doc/man3/EVP_idea_cbc.pod | 3 +
doc/man3/EVP_md5.pod| 4 +-
doc/man3/EVP_rc2_cbc.pod| 3 +
doc/man3/EVP_rc5_32_12_16_cbc.pod | 3 +
doc/man3/EVP_seed_cbc.pod | 3 +
doc/man3/EVP_sm4_cbc.pod| 3 +
include/openssl/ec.h| 13 +-
util/private.num| 39 +++-
23 files changed, 433 insertions(+), 61 deletions(-)
diff --git a/CHANGES b/CHANGES
index 59d5733..cf45875 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,9 +9,10 @@
Changes between 1.1.1 and 1.1.1a [xx XXX ]
- *)
-
- Changes between 1.1.1 and 1.1.1a [xx XXX ]
+ *) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
+ the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
+ are retained for backwards compatibility.
+ [Antoine Salon]
*) Fixed the issue that RAND_add()/RAND_seed() silently discards random input
if its length exceeds 4096 bytes. The limit has been raised to a buffer
size
diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
index 2130268..a3164b5 100644
--- a/crypto/ec/ec_ameth.c
+++ b/crypto/ec/ec_ameth.c
@@ -699,7 +699,7 @@ static int ecdh_cms_set_kdf_param(EVP_PKEY_CTX *pctx, int
eckdf_nid)
if (EVP_PKEY_CTX_set_ecdh_cofactor_mode(pctx, cofactor) <= 0)
return 0;
-if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_62) <= 0)
+if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_63) <= 0)
return 0;
kdf_md = EVP_get_digestbynid(kdfmd_nid);
@@ -864,7 +864,7 @@ static int ecdh_cms_encrypt(CMS_RecipientInfo *ri)
ecdh_nid = NID_dh_cofactor_kdf;
if (kdf_type == EVP_PKEY_ECDH_KDF_NONE) {
-kdf_type = EVP_PKEY_ECDH_KDF_X9_62;
+kdf_type = EVP_PKEY_ECDH_KDF_X9_63;
if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, kdf_type) <= 0)
goto err;
} else
diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c
index 5bee031..f4ad074 100644
--- a/crypto/ec/ec_pmeth.c
+++ b/crypto/ec/ec_pmeth.c
@@ -209,7 +209,7 @@ static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx,
if (!pkey_ec_derive(ctx, ktmp, &ktmplen))
goto err;
/* Do KDF stuff */
-if (!ECDH_KDF_X9_62(key, *keylen, ktmp, ktmplen,
+if (!ecdh_KDF_X9_63(key, *keylen, ktmp, ktmplen,
dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md))
goto err;
rv = 1;
@@ -281,7 +281,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int
p1, void *p2)
case EVP_PKEY_CTRL_EC_KDF_TYPE:
if (p1 == -2)
return dctx->kdf_type;
-if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_62)
+if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_63)
return -2;
dctx->kdf_type = p1;
return 1;
diff --git a/crypto/ec/ecdh_kdf.c b/crypto/ec/ecdh_kdf.c
index d47486e..d686f9d 100644
--- a/crypto/ec/ecdh_kdf.c
+++ b/crypto/ec/ecdh_kdf.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License").
[openssl-commits] [openssl] master update
The branch master has been updated
via 9453b196343db579c590130adc63d35d2ff87188 (commit)
via ffd89124bdfc9e69349492c3f15383bb35520a11 (commit)
from aeec793b4bee929cef8ae35ec4b5a783a6e1d7ed (commit)
- Log -
commit 9453b196343db579c590130adc63d35d2ff87188
Author: Antoine Salon
Date: Tue Oct 16 10:54:26 2018 -0700
Deprecate ECDH_KDF_X9_62()
Signed-off-by: Antoine Salon
Reviewed-by: Matt Caswell
Reviewed-by: Nicola Tuveri
(Merged from https://github.com/openssl/openssl/pull/7345)
commit ffd89124bdfc9e69349492c3f15383bb35520a11
Author: Antoine Salon
Date: Mon Oct 1 14:11:57 2018 -0700
EVP module documentation pass
Replace ECDH_KDF_X9_62() with internal ecdh_KDF_X9_63()
Signed-off-by: Antoine Salon
Reviewed-by: Matt Caswell
Reviewed-by: Nicola Tuveri
(Merged from https://github.com/openssl/openssl/pull/7345)
---
Summary of changes:
CHANGES | 9 +
crypto/ec/ec_ameth.c| 4 +-
crypto/ec/ec_pmeth.c| 4 +-
crypto/ec/ecdh_kdf.c| 21 +-
crypto/include/internal/ec_int.h| 8 +
crypto/sm2/sm2_crypt.c | 5 +-
doc/man3/EVP_PKEY_CTX_ctrl.pod | 283 ++--
doc/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.pod | 4 +-
doc/man3/EVP_PKEY_set1_RSA.pod | 35 +--
doc/man3/EVP_aes.pod| 6 +
doc/man3/EVP_aria.pod | 6 +
doc/man3/EVP_bf_cbc.pod | 3 +
doc/man3/EVP_camellia.pod | 6 +
doc/man3/EVP_cast5_cbc.pod | 3 +
doc/man3/EVP_des.pod| 30 ++-
doc/man3/EVP_idea_cbc.pod | 3 +
doc/man3/EVP_md5.pod| 4 +-
doc/man3/EVP_rc2_cbc.pod| 3 +
doc/man3/EVP_rc5_32_12_16_cbc.pod | 3 +
doc/man3/EVP_seed_cbc.pod | 3 +
doc/man3/EVP_sm4_cbc.pod| 3 +
include/openssl/ec.h| 17 +-
util/libcrypto.num | 2 +-
util/private.num| 39 +++-
24 files changed, 443 insertions(+), 61 deletions(-)
diff --git a/CHANGES b/CHANGES
index aa00369..e540c9c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,15 @@
Changes between 1.1.1 and 1.1.2 [xx XXX ]
+ *) Deprecate ECDH_KDF_X9_62() and mark its replacement as internal. Users
+ should use the EVP interface instead (EVP_PKEY_CTX_set_ecdh_kdf_type).
+ [Antoine Salon]
+
+ *) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
+ the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
+ are retained for backwards compatibility.
+ [Antoine Salon]
+
*) AES-XTS mode now enforces that its two keys are different to mitigate
the attacked described in "Efficient Instantiations of Tweakable
Blockciphers and Refinements to Modes OCB and PMAC" by Phillip Rogaway.
diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
index 2130268..a3164b5 100644
--- a/crypto/ec/ec_ameth.c
+++ b/crypto/ec/ec_ameth.c
@@ -699,7 +699,7 @@ static int ecdh_cms_set_kdf_param(EVP_PKEY_CTX *pctx, int
eckdf_nid)
if (EVP_PKEY_CTX_set_ecdh_cofactor_mode(pctx, cofactor) <= 0)
return 0;
-if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_62) <= 0)
+if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_63) <= 0)
return 0;
kdf_md = EVP_get_digestbynid(kdfmd_nid);
@@ -864,7 +864,7 @@ static int ecdh_cms_encrypt(CMS_RecipientInfo *ri)
ecdh_nid = NID_dh_cofactor_kdf;
if (kdf_type == EVP_PKEY_ECDH_KDF_NONE) {
-kdf_type = EVP_PKEY_ECDH_KDF_X9_62;
+kdf_type = EVP_PKEY_ECDH_KDF_X9_63;
if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, kdf_type) <= 0)
goto err;
} else
diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c
index 5bee031..f4ad074 100644
--- a/crypto/ec/ec_pmeth.c
+++ b/crypto/ec/ec_pmeth.c
@@ -209,7 +209,7 @@ static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx,
if (!pkey_ec_derive(ctx, ktmp, &ktmplen))
goto err;
/* Do KDF stuff */
-if (!ECDH_KDF_X9_62(key, *keylen, ktmp, ktmplen,
+if (!ecdh_KDF_X9_63(key, *keylen, ktmp, ktmplen,
dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md))
goto err;
rv = 1;
@@ -281,7 +281,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int
p1, void *p2)
case EVP_PKEY_CTRL_EC_KDF_TYPE:
if (p1 == -2)
return dctx->kdf_type;
-if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_62)
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated
via 135e8062369f3c7a2398ac12e7eea3c3c18b017d (commit)
from 695bc60fe4abbe2e6ef3039f96bade5315778c98 (commit)
- Log -
commit 135e8062369f3c7a2398ac12e7eea3c3c18b017d
Author: Dr. Matthias St. Pierre
Date: Tue Oct 16 23:50:16 2018 +0200
Fix: 'openssl ca' command crashes when used with 'rand_serial' option
Commit ffb46830e2df introduced the 'rand_serial' option. When it is used,
the 'serialfile' does not get initialized, i.e. it remains a NULL pointer.
This causes a crash when the NULL pointer is passed to the rotate_serial()
call.
This commit fixes the crash and unifies the pointer checking before
calling the rotate_serial() and save_serial() commands.
Fixes #7412
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/7417)
(cherry picked from commit aeec793b4bee929cef8ae35ec4b5a783a6e1d7ed)
---
Summary of changes:
apps/ca.c | 19 ++-
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/apps/ca.c b/apps/ca.c
index 847809a..69207c0 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -976,7 +976,7 @@ end_of_options:
BIO_printf(bio_err, "Write out database with %d new entries\n",
sk_X509_num(cert_sk));
-if (!rand_ser
+if (serialfile != NULL
&& !save_serial(serialfile, "new", serial, NULL))
goto end;
@@ -1044,7 +1044,8 @@ end_of_options:
if (sk_X509_num(cert_sk)) {
/* Rename the database and the serial file */
-if (!rotate_serial(serialfile, "new", "old"))
+if (serialfile != NULL
+&& !rotate_serial(serialfile, "new", "old"))
goto end;
if (!rotate_index(dbfile, "new", "old"))
@@ -1177,10 +1178,9 @@ end_of_options:
}
/* we have a CRL number that need updating */
-if (crlnumberfile != NULL)
-if (!rand_ser
-&& !save_serial(crlnumberfile, "new", crlnumber, NULL))
-goto end;
+if (crlnumberfile != NULL
+&& !save_serial(crlnumberfile, "new", crlnumber, NULL))
+goto end;
BN_free(crlnumber);
crlnumber = NULL;
@@ -1195,9 +1195,10 @@ end_of_options:
PEM_write_bio_X509_CRL(Sout, crl);
-if (crlnumberfile != NULL) /* Rename the crlnumber file */
-if (!rotate_serial(crlnumberfile, "new", "old"))
-goto end;
+/* Rename the crlnumber file */
+if (crlnumberfile != NULL
+&& !rotate_serial(crlnumberfile, "new", "old"))
+goto end;
}
/*/
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated
via aeec793b4bee929cef8ae35ec4b5a783a6e1d7ed (commit)
from 92ebf6c4c21ff4b41ba1fd69af74b2039e138114 (commit)
- Log -
commit aeec793b4bee929cef8ae35ec4b5a783a6e1d7ed
Author: Dr. Matthias St. Pierre
Date: Tue Oct 16 23:50:16 2018 +0200
Fix: 'openssl ca' command crashes when used with 'rand_serial' option
Commit ffb46830e2df introduced the 'rand_serial' option. When it is used,
the 'serialfile' does not get initialized, i.e. it remains a NULL pointer.
This causes a crash when the NULL pointer is passed to the rotate_serial()
call.
This commit fixes the crash and unifies the pointer checking before
calling the rotate_serial() and save_serial() commands.
Fixes #7412
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/7417)
---
Summary of changes:
apps/ca.c | 19 ++-
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/apps/ca.c b/apps/ca.c
index 847809a..69207c0 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -976,7 +976,7 @@ end_of_options:
BIO_printf(bio_err, "Write out database with %d new entries\n",
sk_X509_num(cert_sk));
-if (!rand_ser
+if (serialfile != NULL
&& !save_serial(serialfile, "new", serial, NULL))
goto end;
@@ -1044,7 +1044,8 @@ end_of_options:
if (sk_X509_num(cert_sk)) {
/* Rename the database and the serial file */
-if (!rotate_serial(serialfile, "new", "old"))
+if (serialfile != NULL
+&& !rotate_serial(serialfile, "new", "old"))
goto end;
if (!rotate_index(dbfile, "new", "old"))
@@ -1177,10 +1178,9 @@ end_of_options:
}
/* we have a CRL number that need updating */
-if (crlnumberfile != NULL)
-if (!rand_ser
-&& !save_serial(crlnumberfile, "new", crlnumber, NULL))
-goto end;
+if (crlnumberfile != NULL
+&& !save_serial(crlnumberfile, "new", crlnumber, NULL))
+goto end;
BN_free(crlnumber);
crlnumber = NULL;
@@ -1195,9 +1195,10 @@ end_of_options:
PEM_write_bio_X509_CRL(Sout, crl);
-if (crlnumberfile != NULL) /* Rename the crlnumber file */
-if (!rotate_serial(crlnumberfile, "new", "old"))
-goto end;
+/* Rename the crlnumber file */
+if (crlnumberfile != NULL
+&& !rotate_serial(crlnumberfile, "new", "old"))
+goto end;
}
/*/
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated
via 695bc60fe4abbe2e6ef3039f96bade5315778c98 (commit)
from 72a859c9755ef845c83d53986b3d48b0f1ee5430 (commit)
- Log -
commit 695bc60fe4abbe2e6ef3039f96bade5315778c98
Author: Richard Levitte
Date: Mon Oct 15 17:38:26 2018 +0200
Build file templates: look at *all* defines
When looking at configured macro definitions, we must look at both
what comes from the config target AND what comes from user
configuration.
Fixes #7396
Reviewed-by: Ben Kaduk
(Merged from https://github.com/openssl/openssl/pull/7402)
(cherry picked from commit 92ebf6c4c21ff4b41ba1fd69af74b2039e138114)
---
Summary of changes:
Configurations/unix-Makefile.tmpl| 8
Configurations/windows-makefile.tmpl | 4 ++--
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/Configurations/unix-Makefile.tmpl
b/Configurations/unix-Makefile.tmpl
index 16af4d2..5c0604d 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -495,11 +495,11 @@ install_dev:
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(ECHO) "*** Installing development files"
@$(PERL) $(SRCDIR)/util/mkdir-p.pl
$(DESTDIR)$(INSTALLTOP)/include/openssl
- @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
@{$target{defines}}; "" -}
+ @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
(@{$target{defines}}, @{$config{defines}}); "" -}
@$(ECHO) "install $(SRCDIR)/ms/applink.c ->
$(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
@cp $(SRCDIR)/ms/applink.c
$(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
@chmod 644 $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
- @ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
@{$target{defines}}; "" -}
+ @ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
(@{$target{defines}}, @{$config{defines}}); "" -}
@set -e; for i in $(SRCDIR)/include/openssl/*.h \
$(BLDDIR)/include/openssl/*.h; do \
fn=`basename $$i`; \
@@ -570,10 +570,10 @@ install_dev:
uninstall_dev:
@$(ECHO) "*** Uninstalling development files"
- @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
@{$target{defines}}; "" -}
+ @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
(@{$target{defines}}, @{$config{defines}}); "" -}
@$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
@$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
- @ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
@{$target{defines}}; "" -}
+ @ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
(@{$target{defines}}, @{$config{defines}}); "" -}
@set -e; for i in $(SRCDIR)/include/openssl/*.h \
$(BLDDIR)/include/openssl/*.h; do \
fn=`basename $$i`; \
diff --git a/Configurations/windows-makefile.tmpl
b/Configurations/windows-makefile.tmpl
index f7d8e27..bc79205 100644
--- a/Configurations/windows-makefile.tmpl
+++ b/Configurations/windows-makefile.tmpl
@@ -410,10 +410,10 @@ install_dev:
@if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" &
exit 1 )
@$(ECHO) "*** Installing development files"
@"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\include\openssl"
- @{- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
@{$config{defines}}; "" -}
+ @{- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
(@{$target{defines}}, @{$config{defines}}); "" -}
@"$(PERL)" "$(SRCDIR)\util\copy.pl" "$(SRCDIR)\ms\applink.c" \
"$(INSTALLTOP)\include\openssl"
- @{- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
@{$config{defines}}; "" -}
+ @{- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
(@{$target{defines}}, @{$config{defines}}); "" -}
@"$(PERL)" "$(SRCDIR)\util\copy.pl" "-exclude_re=/__DECC_" \
"$(SRCDIR)\include\openssl\*.h" \
"$(INSTALLTOP)\include\openssl"
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated
via 92ebf6c4c21ff4b41ba1fd69af74b2039e138114 (commit)
from 61bef9bde09dc6099a7c59baa79898e3b003fec3 (commit)
- Log -
commit 92ebf6c4c21ff4b41ba1fd69af74b2039e138114
Author: Richard Levitte
Date: Mon Oct 15 17:38:26 2018 +0200
Build file templates: look at *all* defines
When looking at configured macro definitions, we must look at both
what comes from the config target AND what comes from user
configuration.
Fixes #7396
Reviewed-by: Ben Kaduk
(Merged from https://github.com/openssl/openssl/pull/7402)
---
Summary of changes:
Configurations/unix-Makefile.tmpl| 8
Configurations/windows-makefile.tmpl | 4 ++--
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/Configurations/unix-Makefile.tmpl
b/Configurations/unix-Makefile.tmpl
index 3f76c59..590f18d 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -499,11 +499,11 @@ install_dev:
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(ECHO) "*** Installing development files"
@$(PERL) $(SRCDIR)/util/mkdir-p.pl
$(DESTDIR)$(INSTALLTOP)/include/openssl
- @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
@{$target{defines}}; "" -}
+ @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
(@{$target{defines}}, @{$config{defines}}); "" -}
@$(ECHO) "install $(SRCDIR)/ms/applink.c ->
$(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
@cp $(SRCDIR)/ms/applink.c
$(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
@chmod 644 $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
- @ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
@{$target{defines}}; "" -}
+ @ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
(@{$target{defines}}, @{$config{defines}}); "" -}
@set -e; for i in $(SRCDIR)/include/openssl/*.h \
$(BLDDIR)/include/openssl/*.h; do \
fn=`basename $$i`; \
@@ -574,10 +574,10 @@ install_dev:
uninstall_dev:
@$(ECHO) "*** Uninstalling development files"
- @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
@{$target{defines}}; "" -}
+ @ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
(@{$target{defines}}, @{$config{defines}}); "" -}
@$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
@$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
- @ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
@{$target{defines}}; "" -}
+ @ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
(@{$target{defines}}, @{$config{defines}}); "" -}
@set -e; for i in $(SRCDIR)/include/openssl/*.h \
$(BLDDIR)/include/openssl/*.h; do \
fn=`basename $$i`; \
diff --git a/Configurations/windows-makefile.tmpl
b/Configurations/windows-makefile.tmpl
index 6ab298e..9d23ec2 100644
--- a/Configurations/windows-makefile.tmpl
+++ b/Configurations/windows-makefile.tmpl
@@ -414,10 +414,10 @@ install_dev:
@if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" &
exit 1 )
@$(ECHO) "*** Installing development files"
@"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(INSTALLTOP)\include\openssl"
- @{- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
@{$config{defines}}; "" -}
+ @{- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
(@{$target{defines}}, @{$config{defines}}); "" -}
@"$(PERL)" "$(SRCDIR)\util\copy.pl" "$(SRCDIR)\ms\applink.c" \
"$(INSTALLTOP)\include\openssl"
- @{- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
@{$config{defines}}; "" -}
+ @{- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" }
(@{$target{defines}}, @{$config{defines}}); "" -}
@"$(PERL)" "$(SRCDIR)\util\copy.pl" "-exclude_re=/__DECC_" \
"$(SRCDIR)\include\openssl\*.h" \
"$(INSTALLTOP)\include\openssl"
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated
via 61bef9bde09dc6099a7c59baa79898e3b003fec3 (commit)
from 83e4533a71c5c78278e9763552a5e5f1806473ee (commit)
- Log -
commit 61bef9bde09dc6099a7c59baa79898e3b003fec3
Author: Mansour Ahmadi
Date: Mon Oct 15 15:11:24 2018 -0400
Add a missing check on s->s3->tmp.pkey
Reviewed-by: Paul Yang
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/7405)
---
Summary of changes:
ssl/statem/statem_srvr.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 95f83c8..ac5fd09 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3224,6 +3224,12 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt)
SSL_R_LENGTH_MISMATCH);
goto err;
}
+if (skey == NULL) {
+SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
+ SSL_R_MISSING_TMP_ECDH_KEY);
+goto err;
+}
+
ckey = EVP_PKEY_new();
if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated
via 72a859c9755ef845c83d53986b3d48b0f1ee5430 (commit)
from 391f76f1a5869c228e75b4435656819b4dfb43a9 (commit)
- Log -
commit 72a859c9755ef845c83d53986b3d48b0f1ee5430
Author: Mansour Ahmadi
Date: Mon Oct 15 15:11:24 2018 -0400
Add a missing check on s->s3->tmp.pkey
Reviewed-by: Paul Yang
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/7405)
(cherry picked from commit 61bef9bde09dc6099a7c59baa79898e3b003fec3)
---
Summary of changes:
ssl/statem/statem_srvr.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 95f83c8..ac5fd09 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3224,6 +3224,12 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt)
SSL_R_LENGTH_MISMATCH);
goto err;
}
+if (skey == NULL) {
+SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
+ SSL_R_MISSING_TMP_ECDH_KEY);
+goto err;
+}
+
ckey = EVP_PKEY_new();
if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
