Build failed: openssl master.41128
Build openssl master.41128 failed Commit 2562d9decf by Armin Fuerst on 3/29/2021 7:58 PM: fix next AppVeyor issues
[openssl] master update
The branch master has been updated via c47a0803cea452ae009aeebc4f8b5e2da0524eaa (commit) from b24b72d109eab6f06380002796b89bb0f04af874 (commit) - Log - commit c47a0803cea452ae009aeebc4f8b5e2da0524eaa Author: Randall S. Becker Date: Mon Mar 29 13:45:40 2021 -0600 Split Makefile clean recipe for document sets into individual lines. This is needed for less capable platforms with limits on the size of command line argument lists. Fixes #14732 CLA: The author has the permission to grant the OpenSSL Team the right to use this change. Signed-off-by: Randall S. Becker Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14735) --- Summary of changes: Configurations/unix-Makefile.tmpl | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 8a2b2353ab..ef4fd5f077 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -544,8 +544,14 @@ libclean: $(RM) *{- platform->defext() -} clean: libclean - $(RM) $(HTMLDOCS1) $(HTMLDOCS3) $(HTMLDOCS5) $(HTMLDOCS7) - $(RM) $(MANDOCS1) $(MANDOCS3) $(MANDOCS5) $(MANDOCS7) + $(RM) $(HTMLDOCS1) + $(RM) $(HTMLDOCS3) + $(RM) $(HTMLDOCS5) + $(RM) $(HTMLDOCS7) + $(RM) $(MANDOCS1) + $(RM) $(MANDOCS3) + $(RM) $(MANDOCS5) + $(RM) $(MANDOCS7) $(RM) $(PROGRAMS) $(TESTPROGS) $(MODULES) $(SCRIPTS) $(RM) $(GENERATED_MANDATORY) $(GENERATED) -find . -name '*{- platform->depext() -}' \! -name '.*' \! -type d -exec $(RM) {} \;
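Review bot: In the `clean:` recipe the split covers only the HTMLDOCS and MANDOCS sets, while the unchanged context lines `$(RM) $(PROGRAMS) $(TESTPROGS) $(MODULES) $(SCRIPTS)` and `$(RM) $(GENERATED_MANDATORY) $(GENERATED)` still expand several lists onto one command line. If the platform limit in the commit message is on argument-list size, those lines are candidates for the same treatment. Each new line also still passes a whole set such as `$(HTMLDOCS3)` to a single `$(RM)`, so one large set can still hit the limit. A short template comment above the eight new lines stating why they are kept separate would stop a later tidy-up from merging them again.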
[openssl] master update
The branch master has been updated via b24b72d109eab6f06380002796b89bb0f04af874 (commit) via 35bc387b97a51343456d1d72e19a64779d2224f3 (commit) via a350e3ef3899c012cd52a1130ffd5be9288f6f18 (commit) from 20c2876f24d0ccf9581ace08c7882d544d2588ea (commit) - Log - commit b24b72d109eab6f06380002796b89bb0f04af874 Author: Richard Levitte Date: Mon Mar 29 18:55:01 2021 +0200 EVP: One stray comma removed in crypto/evp/ctrl_params_translate.c Commas at the end of a list of items isn't allowed by ANSI C. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14729) commit 35bc387b97a51343456d1d72e19a64779d2224f3 Author: Randall S. Becker Date: Mon Mar 29 10:26:10 2021 -0600 Added guarding #ifndef/#define to avoid duplicate include of crypto/types.h Fixes #14730 CLA: The author has the permission to grant the OpenSSL Team the right to use this change. Signed-off-by: Randall S. Becker Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14729) commit a350e3ef3899c012cd52a1130ffd5be9288f6f18 Author: Richard Levitte Date: Mon Mar 29 16:04:21 2021 +0200 Re-implement ANSI C building with a Github workflow Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14729) --- Summary of changes: .github/workflows/ci.yml | 12 crypto/evp/ctrl_params_translate.c | 2 +- include/crypto/types.h | 14 ++ 3 files changed, 23 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ad24aaa5b8..85fbe952dc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -36,6 +36,18 @@ jobs: - name: make doc-nits run: make doc-nits + # This checks that we use ANSI C language syntax and semantics. + # We are not as strict with libraries, but rather adapt to what's + # expected to be available in a certain version of each platform. + check-ansi: +runs-on: ubuntu-latest +steps: +- uses: actions/checkout@v2 +- name: config + run: CPPFLAGS=-ansi ./config no-asm no-makedepend enable-buildtest-c++ --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump +- name: make + run: make -s -j4 + basic_gcc: runs-on: ubuntu-latest steps: diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c index c13a40a95f..995e37a4e8 100644 --- a/crypto/evp/ctrl_params_translate.c +++ b/crypto/evp/ctrl_params_translate.c @@ -149,7 +149,7 @@ enum state { PKEY, PRE_CTRL_TO_PARAMS, POST_CTRL_TO_PARAMS, CLEANUP_CTRL_TO_PARAMS, PRE_CTRL_STR_TO_PARAMS, POST_CTRL_STR_TO_PARAMS, CLEANUP_CTRL_STR_TO_PARAMS, -PRE_PARAMS_TO_CTRL, POST_PARAMS_TO_CTRL, CLEANUP_PARAMS_TO_CTRL, +PRE_PARAMS_TO_CTRL, POST_PARAMS_TO_CTRL, CLEANUP_PARAMS_TO_CTRL }; enum action { NONE = 0, GET = 1, SET = 2 diff --git a/include/crypto/types.h b/include/crypto/types.h index 13a5f9ce1d..0d81404091 100644 --- a/include/crypto/types.h +++ b/include/crypto/types.h @@ -9,15 +9,21 @@ /* When removal is simulated, we still need the type internally */ -#ifdef OPENSSL_NO_DEPRECATED_3_0 +#ifndef OSSL_CRYPTO_TYPES_H +# define OSSL_CRYPTO_TYPES_H +# pragma once + +# ifdef OPENSSL_NO_DEPRECATED_3_0 typedef struct rsa_st RSA; typedef struct rsa_meth_st RSA_METHOD; -# ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_EC typedef struct ec_key_st EC_KEY; typedef struct ec_key_method_st EC_KEY_METHOD; +# endif # endif -#endif -#ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_EC typedef struct ecx_key_st ECX_KEY; +# endif + #endif
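Review bot: In the new `check-ansi` job in `.github/workflows/ci.yml`, `uses: actions/checkout@v2` refers to a tag that can be moved; pinning the action to a full commit SHA keeps the workflow from picking up code that was not reviewed. The comment above the job says libraries are treated less strictly than the language but does not say that `-D_DEFAULT_SOURCE` on the config line is the flag that does this, so naming it there would help whoever edits the job next. The `config` step also chains `perl configdata.pm --dump` with `&&`; a separate step would make it clear in the job output which command failed.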
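Review bot: In `include/crypto/types.h` the existing comment `/* When removal is simulated, we still need the type internally */` now sits above `#ifndef OSSL_CRYPTO_TYPES_H`, although it describes only the `OPENSSL_NO_DEPRECATED_3_0` block; moving it to just before `# ifdef OPENSSL_NO_DEPRECATED_3_0` keeps it attached to the code it explains. The header gets both a classic guard and `# pragma once`. If both are intended, a one-line note saying so would help, since the same push adds a job that builds with `-ansi`. The final `#endif` would also read better with a trailing comment naming `OSSL_CRYPTO_TYPES_H`, given the three nested conditionals that close just above it.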
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-sm3
Platform and configuration command: $ uname -a Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-sm3 Commit log since last time: 2145ba5e83 Implement EVP_PKEY_dup() function c464583483 Remove RSA bignum_data that is not used anywhere 7f2fa88519 doc: fix style problems with this man page e7aa284e68 Fix X509_PUBKEY_dup() to not leak memory 808c63c5d0 test: add test case for X508_PUBKEY_dup() function 239ff7f769 doc: add documentation for the X509_PUBKEY_dup() function f0800c7c22 Allocates and initializes pubkey in X509_PUBKEY_dup() a638fb9413 Fix Build issue on Oracle Linux x64 ed2e5b612d Disable cmp_http test on AIX 53eecb5de5 TEST: Cleanup test recipes bf5b37cedf Make the SM2 group the default group for the SM2 algorithm cede07dc51 Remove the external BoringSSL test 6b2e51dd36 ssl/ssl_ciph.c: update format string, again 6466cc97e8 HTTP: Fix mem leak of OSSL_HTTP_REQ_CTX_transfer(), rename to ossl_http_req_ctx_transfer() 1c8505fb7d HTTP: Rename OSSL_HTTP_REQ_CTX_i2d() to OSSL_HTTP_REQ_CTX_set1_req() 814581bb7a RSA-PSS: When printing parameters, always print the trailerfield ASN.1 value 4551763efc doc: life-cycle descritpion for MACs 10b63e9756 doc: note that MAC lifecycle transitions will be enforced at some point b0b63654e9 doc: life-cycle descritpion for RANDs 632bc4dff3 doc: note that RAND lifecycle transitions will be enforced at some point 77d12ae049 doc: life-cycle description for KDFs/PRFs 2e1a40d037 doc: note that KDF/PRF transitions will be enforced at some future point 4aac71f705 doc: add life-cycle source files 8c63532002 test: fix coverity 1473609 & 1473610: unchecked return values 8eca93f8fb evp: fix coverity 1473378: unchecked return value 27f37279df params: fix coverity 1473069: unchecked return values 40d6e05cf8 evp: fix coverity 1467500 & 1467502: unchecked return values 8cdcb63fc0 apps: fix coverity 1455340: unchecked return value 3352a4f6fa 
test: fix coverity 1451550: unchecked return value f47865156a test: fix coverity 1429210: unchecked return value b8cb90cdb6 test: fix coverity 1416888: unchecked return value 0d2b8bd261 test: fix coverity 1414451: unchecked return value a02d70dd51 apps: fix coverity 1358776, 1451513, 1451519, 1451531 & 1473387: unchecked return values 6a6844a219 test: fix coverity 1338157: unchecked return value 3c4c8dd84a encoder: fix coverity 1473235: null dereference 26d5244253 apps: fix coverity 1470781: explicit null dereference fbe286a36e sm2: fix coverity 1467503: explicit null dereference 993237a8b6 rsa: fix coverity 1463571: explicit null dereference 8f4cddbc90 rand: fix coverity 1473636: data race condition 9aa4be691f x509: fix coverity 1474424: data race condition 96a68f21c3 x509: fix coverity 1461225: data race condition 4f0831b837 EVP_PKCS82PKEY: Create provided keys if possible 468d9d5564 Update CHANGES.md and NEWS.md for new release 39a140597d Ensure buffer/length pairs are always in sync 02b1636fe3 ssl sigalg extension: fix NULL pointer dereference 112580c27b Add a test for CVE-2021-3449 ae937a096c Teach TLSProxy how to encrypt <= TLSv1.2 ETM records Build log ended with (last 100 lines): 70-test_sslcbcpadding.t ok 70-test_sslcertstatus.t ok 70-test_sslextension.t . ok 70-test_sslmessages.t .. ok 70-test_sslrecords.t ... ok 70-test_sslsessiontick.t ... ok 70-test_sslsigalgs.t ... ok 70-test_sslsignature.t . ok 70-test_sslskewith0p.t . ok 70-test_sslversions.t .. ok 70-test_sslvertol.t ok 70-test_tls13alerts.t .. ok 70-test_tls13cookie.t .. ok 70-test_tls13downgrade.t ... ok 70-test_tls13hrr.t . ok 70-test_tls13kexmodes.t ok 70-test_tls13messages.t ok 70-test_tls13psk.t . ok 70-test_tlsextms.t . ok 70-test_verify_extra.t . ok 70-test_wpacket.t .. ok 71-test_ssl_ctx.t .. ok 80-test_ca.t ... ok 80-test_cipherbytes.t .. ok 80-test_cipherlist.t ... ok 80-test_ciphername.t ... ok # 80-test_cmp_http.t . ok # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... 
ok 80-test_dane.t . ok 80-test_dtls.t . ok 80-test_dtls_mtu.t . ok 80-test_dtlsv1listen.t . ok 80-test_http.t . ok 80-test_ocsp.t . ok 80-test_pkcs12.t ... ok 80-test_ssl_new.t .. ok 80-test_ssl_old.t .. ok 80-test_ssl_test_ctx.t . ok 80-test_sslcorrupt.t ... ok 80-test_tsa.t .. ok 80-test_x509aux.t .. ok 81-test_cmp_cli.t .. ok
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-sm2
Platform and configuration command: $ uname -a Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-sm2 Commit log since last time: 2145ba5e83 Implement EVP_PKEY_dup() function c464583483 Remove RSA bignum_data that is not used anywhere 7f2fa88519 doc: fix style problems with this man page e7aa284e68 Fix X509_PUBKEY_dup() to not leak memory 808c63c5d0 test: add test case for X508_PUBKEY_dup() function 239ff7f769 doc: add documentation for the X509_PUBKEY_dup() function f0800c7c22 Allocates and initializes pubkey in X509_PUBKEY_dup() a638fb9413 Fix Build issue on Oracle Linux x64 ed2e5b612d Disable cmp_http test on AIX 53eecb5de5 TEST: Cleanup test recipes bf5b37cedf Make the SM2 group the default group for the SM2 algorithm cede07dc51 Remove the external BoringSSL test 6b2e51dd36 ssl/ssl_ciph.c: update format string, again 6466cc97e8 HTTP: Fix mem leak of OSSL_HTTP_REQ_CTX_transfer(), rename to ossl_http_req_ctx_transfer() 1c8505fb7d HTTP: Rename OSSL_HTTP_REQ_CTX_i2d() to OSSL_HTTP_REQ_CTX_set1_req() 814581bb7a RSA-PSS: When printing parameters, always print the trailerfield ASN.1 value 4551763efc doc: life-cycle descritpion for MACs 10b63e9756 doc: note that MAC lifecycle transitions will be enforced at some point b0b63654e9 doc: life-cycle descritpion for RANDs 632bc4dff3 doc: note that RAND lifecycle transitions will be enforced at some point 77d12ae049 doc: life-cycle description for KDFs/PRFs 2e1a40d037 doc: note that KDF/PRF transitions will be enforced at some future point 4aac71f705 doc: add life-cycle source files 8c63532002 test: fix coverity 1473609 & 1473610: unchecked return values 8eca93f8fb evp: fix coverity 1473378: unchecked return value 27f37279df params: fix coverity 1473069: unchecked return values 40d6e05cf8 evp: fix coverity 1467500 & 1467502: unchecked return values 8cdcb63fc0 apps: fix coverity 1455340: unchecked return value 3352a4f6fa 
test: fix coverity 1451550: unchecked return value f47865156a test: fix coverity 1429210: unchecked return value b8cb90cdb6 test: fix coverity 1416888: unchecked return value 0d2b8bd261 test: fix coverity 1414451: unchecked return value a02d70dd51 apps: fix coverity 1358776, 1451513, 1451519, 1451531 & 1473387: unchecked return values 6a6844a219 test: fix coverity 1338157: unchecked return value 3c4c8dd84a encoder: fix coverity 1473235: null dereference 26d5244253 apps: fix coverity 1470781: explicit null dereference fbe286a36e sm2: fix coverity 1467503: explicit null dereference 993237a8b6 rsa: fix coverity 1463571: explicit null dereference 8f4cddbc90 rand: fix coverity 1473636: data race condition 9aa4be691f x509: fix coverity 1474424: data race condition 96a68f21c3 x509: fix coverity 1461225: data race condition 4f0831b837 EVP_PKCS82PKEY: Create provided keys if possible 468d9d5564 Update CHANGES.md and NEWS.md for new release 39a140597d Ensure buffer/length pairs are always in sync 02b1636fe3 ssl sigalg extension: fix NULL pointer dereference 112580c27b Add a test for CVE-2021-3449 ae937a096c Teach TLSProxy how to encrypt <= TLSv1.2 ETM records Build log ended with (last 100 lines): 70-test_sslcbcpadding.t ok 70-test_sslcertstatus.t ok 70-test_sslextension.t . ok 70-test_sslmessages.t .. ok 70-test_sslrecords.t ... ok 70-test_sslsessiontick.t ... ok 70-test_sslsigalgs.t ... ok 70-test_sslsignature.t . ok 70-test_sslskewith0p.t . ok 70-test_sslversions.t .. ok 70-test_sslvertol.t ok 70-test_tls13alerts.t .. ok 70-test_tls13cookie.t .. ok 70-test_tls13downgrade.t ... ok 70-test_tls13hrr.t . ok 70-test_tls13kexmodes.t ok 70-test_tls13messages.t ok 70-test_tls13psk.t . ok 70-test_tlsextms.t . ok 70-test_verify_extra.t . ok 70-test_wpacket.t .. ok 71-test_ssl_ctx.t .. ok 80-test_ca.t ... ok 80-test_cipherbytes.t .. ok 80-test_cipherlist.t ... ok 80-test_ciphername.t ... ok # 80-test_cmp_http.t . ok # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... 
ok 80-test_dane.t . ok 80-test_dtls.t . ok 80-test_dtls_mtu.t . ok 80-test_dtlsv1listen.t . ok 80-test_http.t . ok 80-test_ocsp.t . ok 80-test_pkcs12.t ... ok 80-test_ssl_new.t .. ok 80-test_ssl_old.t .. ok 80-test_ssl_test_ctx.t . ok 80-test_sslcorrupt.t ... ok 80-test_tsa.t .. ok 80-test_x509aux.t .. ok 81-test_cmp_cli.t .. ok
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_3
Platform and configuration command: $ uname -a Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_3 Commit log since last time: 2145ba5e83 Implement EVP_PKEY_dup() function c464583483 Remove RSA bignum_data that is not used anywhere 7f2fa88519 doc: fix style problems with this man page e7aa284e68 Fix X509_PUBKEY_dup() to not leak memory 808c63c5d0 test: add test case for X508_PUBKEY_dup() function 239ff7f769 doc: add documentation for the X509_PUBKEY_dup() function f0800c7c22 Allocates and initializes pubkey in X509_PUBKEY_dup() a638fb9413 Fix Build issue on Oracle Linux x64 ed2e5b612d Disable cmp_http test on AIX 53eecb5de5 TEST: Cleanup test recipes bf5b37cedf Make the SM2 group the default group for the SM2 algorithm cede07dc51 Remove the external BoringSSL test 6b2e51dd36 ssl/ssl_ciph.c: update format string, again 6466cc97e8 HTTP: Fix mem leak of OSSL_HTTP_REQ_CTX_transfer(), rename to ossl_http_req_ctx_transfer() 1c8505fb7d HTTP: Rename OSSL_HTTP_REQ_CTX_i2d() to OSSL_HTTP_REQ_CTX_set1_req() 814581bb7a RSA-PSS: When printing parameters, always print the trailerfield ASN.1 value 4551763efc doc: life-cycle descritpion for MACs 10b63e9756 doc: note that MAC lifecycle transitions will be enforced at some point b0b63654e9 doc: life-cycle descritpion for RANDs 632bc4dff3 doc: note that RAND lifecycle transitions will be enforced at some point 77d12ae049 doc: life-cycle description for KDFs/PRFs 2e1a40d037 doc: note that KDF/PRF transitions will be enforced at some future point 4aac71f705 doc: add life-cycle source files 8c63532002 test: fix coverity 1473609 & 1473610: unchecked return values 8eca93f8fb evp: fix coverity 1473378: unchecked return value 27f37279df params: fix coverity 1473069: unchecked return values 40d6e05cf8 evp: fix coverity 1467500 & 1467502: unchecked return values 8cdcb63fc0 apps: fix coverity 1455340: unchecked return value 3352a4f6fa 
test: fix coverity 1451550: unchecked return value f47865156a test: fix coverity 1429210: unchecked return value b8cb90cdb6 test: fix coverity 1416888: unchecked return value 0d2b8bd261 test: fix coverity 1414451: unchecked return value a02d70dd51 apps: fix coverity 1358776, 1451513, 1451519, 1451531 & 1473387: unchecked return values 6a6844a219 test: fix coverity 1338157: unchecked return value 3c4c8dd84a encoder: fix coverity 1473235: null dereference 26d5244253 apps: fix coverity 1470781: explicit null dereference fbe286a36e sm2: fix coverity 1467503: explicit null dereference 993237a8b6 rsa: fix coverity 1463571: explicit null dereference 8f4cddbc90 rand: fix coverity 1473636: data race condition 9aa4be691f x509: fix coverity 1474424: data race condition 96a68f21c3 x509: fix coverity 1461225: data race condition 4f0831b837 EVP_PKCS82PKEY: Create provided keys if possible 468d9d5564 Update CHANGES.md and NEWS.md for new release 39a140597d Ensure buffer/length pairs are always in sync 02b1636fe3 ssl sigalg extension: fix NULL pointer dereference 112580c27b Add a test for CVE-2021-3449 ae937a096c Teach TLSProxy how to encrypt <= TLSv1.2 ETM records Build log ended with (last 100 lines): not ok 2 - iteration 2 # -- # ERROR: (int) 'result->client_protocol == test_ctx->expected_protocol' failed @ ../openssl/test/ssl_test.c:114 # [771] compared to [772] # INFO: @ ../openssl/test/ssl_test.c:117 # Protocol mismatch: expected TLSv1.3, got TLSv1.2. # # OPENSSL_TEST_RAND_ORDER=1617157754 not ok 3 - iteration 3 # -- # ERROR: (int) 'result->client_protocol == test_ctx->expected_protocol' failed @ ../openssl/test/ssl_test.c:114 # [771] compared to [772] # INFO: @ ../openssl/test/ssl_test.c:117 # Protocol mismatch: expected TLSv1.3, got TLSv1.2. 
# # OPENSSL_TEST_RAND_ORDER=1617157754 not ok 4 - iteration 4 # -- # ERROR: (int) 'result->client_protocol == test_ctx->expected_protocol' failed @ ../openssl/test/ssl_test.c:114 # [771] compared to [772] # INFO: @ ../openssl/test/ssl_test.c:117 # Protocol mismatch: expected TLSv1.3, got TLSv1.2. # # OPENSSL_TEST_RAND_ORDER=1617157754 not ok 5 - iteration 5 # -- # OPENSSL_TEST_RAND_ORDER=1617157754 not ok 1 - test_handshake # -- ../../util/wrap.pl ../../test/ssl_test 14-curves.cnf.fips fips ../../../openssl/test/fips-and-base.cnf => 1 not ok 9
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2-method
Platform and configuration command: $ uname -a Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2-method Commit log since last time: 2145ba5e83 Implement EVP_PKEY_dup() function c464583483 Remove RSA bignum_data that is not used anywhere 7f2fa88519 doc: fix style problems with this man page e7aa284e68 Fix X509_PUBKEY_dup() to not leak memory 808c63c5d0 test: add test case for X508_PUBKEY_dup() function 239ff7f769 doc: add documentation for the X509_PUBKEY_dup() function f0800c7c22 Allocates and initializes pubkey in X509_PUBKEY_dup() a638fb9413 Fix Build issue on Oracle Linux x64 ed2e5b612d Disable cmp_http test on AIX 53eecb5de5 TEST: Cleanup test recipes bf5b37cedf Make the SM2 group the default group for the SM2 algorithm cede07dc51 Remove the external BoringSSL test 6b2e51dd36 ssl/ssl_ciph.c: update format string, again 6466cc97e8 HTTP: Fix mem leak of OSSL_HTTP_REQ_CTX_transfer(), rename to ossl_http_req_ctx_transfer() 1c8505fb7d HTTP: Rename OSSL_HTTP_REQ_CTX_i2d() to OSSL_HTTP_REQ_CTX_set1_req() 814581bb7a RSA-PSS: When printing parameters, always print the trailerfield ASN.1 value 4551763efc doc: life-cycle descritpion for MACs 10b63e9756 doc: note that MAC lifecycle transitions will be enforced at some point b0b63654e9 doc: life-cycle descritpion for RANDs 632bc4dff3 doc: note that RAND lifecycle transitions will be enforced at some point 77d12ae049 doc: life-cycle description for KDFs/PRFs 2e1a40d037 doc: note that KDF/PRF transitions will be enforced at some future point 4aac71f705 doc: add life-cycle source files 8c63532002 test: fix coverity 1473609 & 1473610: unchecked return values 8eca93f8fb evp: fix coverity 1473378: unchecked return value 27f37279df params: fix coverity 1473069: unchecked return values 40d6e05cf8 evp: fix coverity 1467500 & 1467502: unchecked return values 8cdcb63fc0 apps: fix coverity 1455340: unchecked return value 
3352a4f6fa test: fix coverity 1451550: unchecked return value f47865156a test: fix coverity 1429210: unchecked return value b8cb90cdb6 test: fix coverity 1416888: unchecked return value 0d2b8bd261 test: fix coverity 1414451: unchecked return value a02d70dd51 apps: fix coverity 1358776, 1451513, 1451519, 1451531 & 1473387: unchecked return values 6a6844a219 test: fix coverity 1338157: unchecked return value 3c4c8dd84a encoder: fix coverity 1473235: null dereference 26d5244253 apps: fix coverity 1470781: explicit null dereference fbe286a36e sm2: fix coverity 1467503: explicit null dereference 993237a8b6 rsa: fix coverity 1463571: explicit null dereference 8f4cddbc90 rand: fix coverity 1473636: data race condition 9aa4be691f x509: fix coverity 1474424: data race condition 96a68f21c3 x509: fix coverity 1461225: data race condition 4f0831b837 EVP_PKCS82PKEY: Create provided keys if possible 468d9d5564 Update CHANGES.md and NEWS.md for new release 39a140597d Ensure buffer/length pairs are always in sync 02b1636fe3 ssl sigalg extension: fix NULL pointer dereference 112580c27b Add a test for CVE-2021-3449 ae937a096c Teach TLSProxy how to encrypt <= TLSv1.2 ETM records Build log ended with (last 100 lines): # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6634 # false # OPENSSL_TEST_RAND_ORDER=1617154840 not ok 2 - iteration 2 # -- # OPENSSL_TEST_RAND_ORDER=1617154840 not ok 56 - test_ssl_pending # -- ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/aJFRPrG5kO default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # -- # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 8011DC356F7F:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is 
not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 8011DC356F7F:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1003 # false # OPENSSL_TEST_RAND_ORDER=1617154854 not ok 3 -
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2-method
Platform and configuration command: $ uname -a Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_2-method Commit log since last time: 2145ba5e83 Implement EVP_PKEY_dup() function c464583483 Remove RSA bignum_data that is not used anywhere 7f2fa88519 doc: fix style problems with this man page e7aa284e68 Fix X509_PUBKEY_dup() to not leak memory 808c63c5d0 test: add test case for X508_PUBKEY_dup() function 239ff7f769 doc: add documentation for the X509_PUBKEY_dup() function f0800c7c22 Allocates and initializes pubkey in X509_PUBKEY_dup() a638fb9413 Fix Build issue on Oracle Linux x64 ed2e5b612d Disable cmp_http test on AIX 53eecb5de5 TEST: Cleanup test recipes bf5b37cedf Make the SM2 group the default group for the SM2 algorithm cede07dc51 Remove the external BoringSSL test 6b2e51dd36 ssl/ssl_ciph.c: update format string, again 6466cc97e8 HTTP: Fix mem leak of OSSL_HTTP_REQ_CTX_transfer(), rename to ossl_http_req_ctx_transfer() 1c8505fb7d HTTP: Rename OSSL_HTTP_REQ_CTX_i2d() to OSSL_HTTP_REQ_CTX_set1_req() 814581bb7a RSA-PSS: When printing parameters, always print the trailerfield ASN.1 value 4551763efc doc: life-cycle descritpion for MACs 10b63e9756 doc: note that MAC lifecycle transitions will be enforced at some point b0b63654e9 doc: life-cycle descritpion for RANDs 632bc4dff3 doc: note that RAND lifecycle transitions will be enforced at some point 77d12ae049 doc: life-cycle description for KDFs/PRFs 2e1a40d037 doc: note that KDF/PRF transitions will be enforced at some future point 4aac71f705 doc: add life-cycle source files 8c63532002 test: fix coverity 1473609 & 1473610: unchecked return values 8eca93f8fb evp: fix coverity 1473378: unchecked return value 27f37279df params: fix coverity 1473069: unchecked return values 40d6e05cf8 evp: fix coverity 1467500 & 1467502: unchecked return values 8cdcb63fc0 apps: fix coverity 1455340: unchecked return value 
3352a4f6fa test: fix coverity 1451550: unchecked return value f47865156a test: fix coverity 1429210: unchecked return value b8cb90cdb6 test: fix coverity 1416888: unchecked return value 0d2b8bd261 test: fix coverity 1414451: unchecked return value a02d70dd51 apps: fix coverity 1358776, 1451513, 1451519, 1451531 & 1473387: unchecked return values 6a6844a219 test: fix coverity 1338157: unchecked return value 3c4c8dd84a encoder: fix coverity 1473235: null dereference 26d5244253 apps: fix coverity 1470781: explicit null dereference fbe286a36e sm2: fix coverity 1467503: explicit null dereference 993237a8b6 rsa: fix coverity 1463571: explicit null dereference 8f4cddbc90 rand: fix coverity 1473636: data race condition 9aa4be691f x509: fix coverity 1474424: data race condition 96a68f21c3 x509: fix coverity 1461225: data race condition 4f0831b837 EVP_PKCS82PKEY: Create provided keys if possible 468d9d5564 Update CHANGES.md and NEWS.md for new release 39a140597d Ensure buffer/length pairs are always in sync 02b1636fe3 ssl sigalg extension: fix NULL pointer dereference 112580c27b Add a test for CVE-2021-3449 ae937a096c Teach TLSProxy how to encrypt <= TLSv1.2 ETM records Build log ended with (last 100 lines): Failed 2/8 subtests (less 4 skipped subtests: 2 okay) 70-test_sslmessages.t .. skipped: test_sslmessages needs TLS enabled 70-test_sslrecords.t ... skipped: test_sslrecords needs TLSv1.2 enabled 70-test_sslsessiontick.t ... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled 70-test_sslsigalgs.t ... ok 70-test_sslsignature.t . ok 70-test_sslskewith0p.t . ok 70-test_sslversions.t .. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled 70-test_sslvertol.t ok 70-test_tls13alerts.t .. ok 70-test_tls13cookie.t .. ok 70-test_tls13downgrade.t ... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled 70-test_tls13hrr.t . ok 70-test_tls13kexmodes.t ok 70-test_tls13messages.t ok 70-test_tls13psk.t . ok 70-test_tlsextms.t . 
skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled 70-test_verify_extra.t . ok 70-test_wpacket.t .. ok 71-test_ssl_ctx.t .. ok 80-test_ca.t ... ok 80-test_cipherbytes.t .. ok 80-test_cipherlist.t ... ok 80-test_ciphername.t ... ok # 80-test_cmp_http.t . ok # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... ok 80-test_dane.t . ok 80-test_dtls.t . ok 80-test_dtls_mtu.t . ok 80-test_dtlsv1listen.t . ok 80-test_http.t . ok 80-test_ocsp.t . ok 80-test_pkcs12.t ...
[openssl] master update
The branch master has been updated via 20c2876f24d0ccf9581ace08c7882d544d2588ea (commit) from c6b09ea0fe23a572a781681b3c1f436e8b0932fe (commit) - Log - commit 20c2876f24d0ccf9581ace08c7882d544d2588ea Author: Benjamin Kaduk Date: Mon Mar 22 15:02:04 2021 -0700 Increase HKDF_MAXBUF from 1024 to 2048 We've encountered some scenarios that need to use more than 1 kB of data as the HKDF-Expand() "info" argument (which, per RFC 5869, contains "optional context and application specific information"). Since HKDF_MAXBUF is used to size an array in the HKDF_PKEY_CTX structure, this adds 1 kB of memory footprint to each EVP_PKEY_CTX used for HKDF. Reviewed-by: Shane Lontis Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14649) --- Summary of changes: providers/implementations/kdfs/hkdf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c index 52b284c662..2d3c72f501 100644 --- a/providers/implementations/kdfs/hkdf.c +++ b/providers/implementations/kdfs/hkdf.c @@ -30,7 +30,7 @@ #include "prov/provider_util.h" #include "e_os.h" -#define HKDF_MAXBUF 1024 +#define HKDF_MAXBUF 2048 static OSSL_FUNC_kdf_newctx_fn kdf_hkdf_new; static OSSL_FUNC_kdf_freectx_fn kdf_hkdf_free;
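Review bot: At `#define HKDF_MAXBUF 2048` in `providers/implementations/kdfs/hkdf.c` there is no comment saying what the constant bounds. The commit message explains that it limits the HKDF-Expand "info" input and sizes an array in the context, at a cost of 1 kB more per context; that explanation belongs beside the define, where the next person to change the limit will see it. The summary shows one file changed, so no test exercises an info value between 1024 and 2048 bytes, and none checks that input above 2048 bytes is still rejected rather than truncated. A test at both boundaries would lock in the new limit and the failure behaviour.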
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dtls1_2
Platform and configuration command: $ uname -a Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dtls1_2 Commit log since last time: 2145ba5e83 Implement EVP_PKEY_dup() function c464583483 Remove RSA bignum_data that is not used anywhere 7f2fa88519 doc: fix style problems with this man page e7aa284e68 Fix X509_PUBKEY_dup() to not leak memory 808c63c5d0 test: add test case for X508_PUBKEY_dup() function 239ff7f769 doc: add documentation for the X509_PUBKEY_dup() function f0800c7c22 Allocates and initializes pubkey in X509_PUBKEY_dup() a638fb9413 Fix Build issue on Oracle Linux x64 ed2e5b612d Disable cmp_http test on AIX 53eecb5de5 TEST: Cleanup test recipes bf5b37cedf Make the SM2 group the default group for the SM2 algorithm cede07dc51 Remove the external BoringSSL test 6b2e51dd36 ssl/ssl_ciph.c: update format string, again 6466cc97e8 HTTP: Fix mem leak of OSSL_HTTP_REQ_CTX_transfer(), rename to ossl_http_req_ctx_transfer() 1c8505fb7d HTTP: Rename OSSL_HTTP_REQ_CTX_i2d() to OSSL_HTTP_REQ_CTX_set1_req() 814581bb7a RSA-PSS: When printing parameters, always print the trailerfield ASN.1 value 4551763efc doc: life-cycle descritpion for MACs 10b63e9756 doc: note that MAC lifecycle transitions will be enforced at some point b0b63654e9 doc: life-cycle descritpion for RANDs 632bc4dff3 doc: note that RAND lifecycle transitions will be enforced at some point 77d12ae049 doc: life-cycle description for KDFs/PRFs 2e1a40d037 doc: note that KDF/PRF transitions will be enforced at some future point 4aac71f705 doc: add life-cycle source files 8c63532002 test: fix coverity 1473609 & 1473610: unchecked return values 8eca93f8fb evp: fix coverity 1473378: unchecked return value 27f37279df params: fix coverity 1473069: unchecked return values 40d6e05cf8 evp: fix coverity 1467500 & 1467502: unchecked return values 8cdcb63fc0 apps: fix coverity 1455340: unchecked return value 3352a4f6fa 
test: fix coverity 1451550: unchecked return value f47865156a test: fix coverity 1429210: unchecked return value b8cb90cdb6 test: fix coverity 1416888: unchecked return value 0d2b8bd261 test: fix coverity 1414451: unchecked return value a02d70dd51 apps: fix coverity 1358776, 1451513, 1451519, 1451531 & 1473387: unchecked return values 6a6844a219 test: fix coverity 1338157: unchecked return value 3c4c8dd84a encoder: fix coverity 1473235: null dereference 26d5244253 apps: fix coverity 1470781: explicit null dereference fbe286a36e sm2: fix coverity 1467503: explicit null dereference 993237a8b6 rsa: fix coverity 1463571: explicit null dereference 8f4cddbc90 rand: fix coverity 1473636: data race condition 9aa4be691f x509: fix coverity 1474424: data race condition 96a68f21c3 x509: fix coverity 1461225: data race condition 4f0831b837 EVP_PKCS82PKEY: Create provided keys if possible 468d9d5564 Update CHANGES.md and NEWS.md for new release 39a140597d Ensure buffer/length pairs are always in sync 02b1636fe3 ssl sigalg extension: fix NULL pointer dereference 112580c27b Add a test for CVE-2021-3449 ae937a096c Teach TLSProxy how to encrypt <= TLSv1.2 ETM records Build log ended with (last 100 lines): # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:6634 # false # OPENSSL_TEST_RAND_ORDER=1617145751 not ok 2 - iteration 2 # -- # OPENSSL_TEST_RAND_ORDER=1617145751 not ok 56 - test_ssl_pending # -- ../../util/wrap.pl ../../test/sslapitest ../../../openssl/test/certs ../../../openssl/test/recipes/90-test_sslapi_data/passwd.txt /tmp/WtsOeKOfrN default ../../../openssl/test/default.cnf => 1 not ok 1 - running sslapitest # -- # INFO: @ ../openssl/test/helpers/ssltestlib.c:957 # SSL_connect() failed -1, 1 # 80715931627F:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not 
available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # INFO: @ ../openssl/test/helpers/ssltestlib.c:975 # SSL_accept() failed -1, 1 # 80715931627F:error:0A000129:SSL routines:tls_setup_handshake:no suitable digest algorithm:../openssl/ssl/statem/statem_lib.c:121:The max supported SSL/TLS version needs the MD5-SHA1 digest but it is not available in the loaded providers. Use (D)TLSv1.2 or above, or load different providers # ERROR: (bool) 'create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslapitest.c:1003 # false # OPENSSL_TEST_RAND_ORDER=1617145764 not ok 3 -
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-tls1_2
Platform and configuration command: $ uname -a Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-tls1_2 Commit log since last time: 2145ba5e83 Implement EVP_PKEY_dup() function c464583483 Remove RSA bignum_data that is not used anywhere 7f2fa88519 doc: fix style problems with this man page e7aa284e68 Fix X509_PUBKEY_dup() to not leak memory 808c63c5d0 test: add test case for X508_PUBKEY_dup() function 239ff7f769 doc: add documentation for the X509_PUBKEY_dup() function f0800c7c22 Allocates and initializes pubkey in X509_PUBKEY_dup() a638fb9413 Fix Build issue on Oracle Linux x64 ed2e5b612d Disable cmp_http test on AIX 53eecb5de5 TEST: Cleanup test recipes bf5b37cedf Make the SM2 group the default group for the SM2 algorithm cede07dc51 Remove the external BoringSSL test 6b2e51dd36 ssl/ssl_ciph.c: update format string, again 6466cc97e8 HTTP: Fix mem leak of OSSL_HTTP_REQ_CTX_transfer(), rename to ossl_http_req_ctx_transfer() 1c8505fb7d HTTP: Rename OSSL_HTTP_REQ_CTX_i2d() to OSSL_HTTP_REQ_CTX_set1_req() 814581bb7a RSA-PSS: When printing parameters, always print the trailerfield ASN.1 value 4551763efc doc: life-cycle descritpion for MACs 10b63e9756 doc: note that MAC lifecycle transitions will be enforced at some point b0b63654e9 doc: life-cycle descritpion for RANDs 632bc4dff3 doc: note that RAND lifecycle transitions will be enforced at some point 77d12ae049 doc: life-cycle description for KDFs/PRFs 2e1a40d037 doc: note that KDF/PRF transitions will be enforced at some future point 4aac71f705 doc: add life-cycle source files 8c63532002 test: fix coverity 1473609 & 1473610: unchecked return values 8eca93f8fb evp: fix coverity 1473378: unchecked return value 27f37279df params: fix coverity 1473069: unchecked return values 40d6e05cf8 evp: fix coverity 1467500 & 1467502: unchecked return values 8cdcb63fc0 apps: fix coverity 1455340: unchecked return value 3352a4f6fa 
test: fix coverity 1451550: unchecked return value f47865156a test: fix coverity 1429210: unchecked return value b8cb90cdb6 test: fix coverity 1416888: unchecked return value 0d2b8bd261 test: fix coverity 1414451: unchecked return value a02d70dd51 apps: fix coverity 1358776, 1451513, 1451519, 1451531 & 1473387: unchecked return values 6a6844a219 test: fix coverity 1338157: unchecked return value 3c4c8dd84a encoder: fix coverity 1473235: null dereference 26d5244253 apps: fix coverity 1470781: explicit null dereference fbe286a36e sm2: fix coverity 1467503: explicit null dereference 993237a8b6 rsa: fix coverity 1463571: explicit null dereference 8f4cddbc90 rand: fix coverity 1473636: data race condition 9aa4be691f x509: fix coverity 1474424: data race condition 96a68f21c3 x509: fix coverity 1461225: data race condition 4f0831b837 EVP_PKCS82PKEY: Create provided keys if possible 468d9d5564 Update CHANGES.md and NEWS.md for new release 39a140597d Ensure buffer/length pairs are always in sync 02b1636fe3 ssl sigalg extension: fix NULL pointer dereference 112580c27b Add a test for CVE-2021-3449 ae937a096c Teach TLSProxy how to encrypt <= TLSv1.2 ETM records Build log ended with (last 100 lines): Failed 2/8 subtests (less 4 skipped subtests: 2 okay) 70-test_sslmessages.t .. skipped: test_sslmessages needs TLS enabled 70-test_sslrecords.t ... skipped: test_sslrecords needs TLSv1.2 enabled 70-test_sslsessiontick.t ... skipped: test_sslsessiontick needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled 70-test_sslsigalgs.t ... ok 70-test_sslsignature.t . ok 70-test_sslskewith0p.t . ok 70-test_sslversions.t .. skipped: test_sslversions needs TLS1.3, TLS1.2 and TLS1.1 enabled 70-test_sslvertol.t ok 70-test_tls13alerts.t .. ok 70-test_tls13cookie.t .. ok 70-test_tls13downgrade.t ... skipped: test_tls13downgrade needs TLS1.3 and TLS1.2 enabled 70-test_tls13hrr.t . ok 70-test_tls13kexmodes.t ok 70-test_tls13messages.t ok 70-test_tls13psk.t . ok 70-test_tlsextms.t . 
skipped: test_tlsextms needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled 70-test_verify_extra.t . ok 70-test_wpacket.t .. ok 71-test_ssl_ctx.t .. ok 80-test_ca.t ... ok 80-test_cipherbytes.t .. ok 80-test_cipherlist.t ... ok 80-test_ciphername.t ... ok # 80-test_cmp_http.t . ok # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... ok 80-test_dane.t . ok 80-test_dtls.t . ok 80-test_dtls_mtu.t . ok 80-test_dtlsv1listen.t . ok 80-test_http.t . ok 80-test_ocsp.t . ok 80-test_pkcs12.t ... ok
[openssl] master update
The branch master has been updated via c6b09ea0fe23a572a781681b3c1f436e8b0932fe (commit) from 6635ea531e9f7709e5880dd77fd4c3403a5c3db7 (commit) - Log - commit c6b09ea0fe23a572a781681b3c1f436e8b0932fe Author: Matt Caswell Date: Fri Mar 26 16:49:27 2021 + Fix change in behaviour of EVP_PKEY_CTRL_RSA_KEYGEN_BITS In 1.1.1 the ctrl EVP_PKEY_CTRL_RSA_KEYGEN_BITS would fail immediately if the number of bits was too small. In 3.0 it always succeeds, and only fails later during the key generation stage. We fix that so that it fails early like it used to in 1.1.1. Note that in 1.1.1 it fails with a -2 return code. That is not the case in 3.0 and has not been addressed here (see #14442) Fixes #14443 Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14702) --- Summary of changes: crypto/rsa/rsa_local.h| 1 - include/crypto/rsa.h | 2 ++ providers/implementations/keymgmt/rsa_kmgmt.c | 12 +--- test/recipes/30-test_evp_data/evppkey_rsa.txt | 2 +- 4 files changed, 12 insertions(+), 5 deletions(-) diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h index 6979adfcd1..ea70da05ad 100644 --- a/crypto/rsa/rsa_local.h +++ b/crypto/rsa/rsa_local.h @@ -14,7 +14,6 @@ #include "crypto/rsa.h" #define RSA_MAX_PRIME_NUM 5 -#define RSA_MIN_MODULUS_BITS512 typedef struct rsa_prime_info_st { BIGNUM *r; diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h index 69fa8a4d8a..73bf03f615 100644 --- a/include/crypto/rsa.h +++ b/include/crypto/rsa.h @@ -16,6 +16,8 @@ # include # include "crypto/types.h" +#define RSA_MIN_MODULUS_BITS512 + typedef struct rsa_pss_params_30_st { int hash_algorithm_nid; struct { diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c index eac3843884..1bcb6ed603 100644 --- a/providers/implementations/keymgmt/rsa_kmgmt.c +++ b/providers/implementations/keymgmt/rsa_kmgmt.c 
@@ -19,6 +19,7 @@ #include #include #include +#include #include "prov/implementations.h" #include "prov/providercommon.h" #include "prov/provider_ctx.h" @@ -473,9 +474,14 @@ static int rsa_gen_set_params(void *genctx, const OSSL_PARAM params[]) if (params == NULL) return 1; -if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_BITS)) != NULL -&& !OSSL_PARAM_get_size_t(p, >nbits)) -return 0; +if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_BITS)) != NULL) { +if (!OSSL_PARAM_get_size_t(p, >nbits)) +return 0; +if (gctx->nbits < RSA_MIN_MODULUS_BITS) { +ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL); +return 0; +} +} if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_PRIMES)) != NULL && !OSSL_PARAM_get_size_t(p, >primes)) return 0; diff --git a/test/recipes/30-test_evp_data/evppkey_rsa.txt b/test/recipes/30-test_evp_data/evppkey_rsa.txt index 4354bd649a..79e6715f4c 100644 --- a/test/recipes/30-test_evp_data/evppkey_rsa.txt +++ b/test/recipes/30-test_evp_data/evppkey_rsa.txt @@ -614,5 +614,5 @@ Title = Test RSA keygen KeyGen = rsaEncryption Ctrl = rsa_keygen_bits:128 KeyName = tmprsa -Result = KEYGEN_GENERATE_ERROR +Result = PKEY_CTRL_ERROR Reason = key size too small
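Review bot: in rsa_gen_set_params() the new `gctx->nbits < RSA_MIN_MODULUS_BITS` check runs only when OSSL_PKEY_PARAM_RSA_BITS is present in params, so the size check at the key generation stage that the commit message mentions should stay in place for contexts where the parameter is never set. The only test touched is the `rsa_keygen_bits:128` case in evppkey_rsa.txt; adding a case just below RSA_MIN_MODULUS_BITS would pin the boundary rather than a value far under it. The commit message also says the 1.1.1 return code of -2 is not reproduced (#14442), and a short comment at the new `return 0` recording that would save the next reader a trip to the issue tracker.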
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 7712b43c24514f82d6f0def5240a799bc011e9fe (commit) from ad6a39b22728260454461a4d04ba25fc15d3520f (commit) - Log - commit 7712b43c24514f82d6f0def5240a799bc011e9fe Author: Mohamed Akram Date: Wed Mar 10 18:59:13 2021 +0400 doc: fix enc -z option documentation CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14499) (cherry picked from commit 6635ea531e9f7709e5880dd77fd4c3403a5c3db7) --- Summary of changes: apps/enc.c | 2 +- doc/man1/enc.pod | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apps/enc.c b/apps/enc.c index ddf51e0dba..79a8ef6265 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -81,7 +81,7 @@ const OPTIONS enc_options[] = { {"", OPT_CIPHER, '-', "Any supported cipher"}, OPT_R_OPTIONS, #ifdef ZLIB -{"z", OPT_Z, '-', "Use zlib as the 'encryption'"}, +{"z", OPT_Z, '-', "Compress or decompress encrypted data using zlib"}, #endif #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, diff --git a/doc/man1/enc.pod b/doc/man1/enc.pod index 3c7b6c42ea..9068282db5 100644 --- a/doc/man1/enc.pod +++ b/doc/man1/enc.pod @@ -180,8 +180,8 @@ Debug the BIOs used for I/O. =item B<-z> -Compress or decompress clear text using zlib before encryption or after -decryption. This option exists only if OpenSSL with compiled with zlib +Compress or decompress encrypted data using zlib after encryption or before +decryption. This option exists only if OpenSSL was compiled with the zlib or zlib-dynamic option. =item B<-none>
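Review bot: the new help string in apps/enc.c, "Compress or decompress encrypted data using zlib", drops the ordering that the enc.pod hunk spells out ("after encryption or before decryption"), and the ordering is the whole point of this correction. Consider wording the one-line help so it carries the same information, for example "Compress after encryption or decompress before decryption using zlib", so that the usage output and the man page cannot be read differently.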
[openssl] master update
The branch master has been updated via 6635ea531e9f7709e5880dd77fd4c3403a5c3db7 (commit) from af2e1e9c81110ca1a156430686e2f171e80ebfa0 (commit) - Log - commit 6635ea531e9f7709e5880dd77fd4c3403a5c3db7 Author: Mohamed Akram Date: Wed Mar 10 18:59:13 2021 +0400 doc: fix enc -z option documentation CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14499) --- Summary of changes: apps/enc.c | 2 +- doc/man1/openssl-enc.pod.in | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apps/enc.c b/apps/enc.c index 9982337c01..c5766f05e8 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -92,7 +92,7 @@ const OPTIONS enc_options[] = { {"pbkdf2", OPT_PBKDF2, '-', "Use password-based key derivation function 2"}, {"none", OPT_NONE, '-', "Don't encrypt"}, #ifdef ZLIB -{"z", OPT_Z, '-', "Use zlib as the 'encryption'"}, +{"z", OPT_Z, '-', "Compress or decompress encrypted data using zlib"}, #endif {"", OPT_CIPHER, '-', "Any supported cipher"}, diff --git a/doc/man1/openssl-enc.pod.in b/doc/man1/openssl-enc.pod.in index cc0378c471..acd1486449 100644 --- a/doc/man1/openssl-enc.pod.in +++ b/doc/man1/openssl-enc.pod.in @@ -187,8 +187,8 @@ Debug the BIOs used for I/O. =item B<-z> -Compress or decompress clear text using zlib before encryption or after -decryption. This option exists only if OpenSSL with compiled with zlib +Compress or decompress encrypted data using zlib after encryption or before +decryption. This option exists only if OpenSSL was compiled with the zlib or zlib-dynamic option. =item B<-none>
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via ad6a39b22728260454461a4d04ba25fc15d3520f (commit) from 4cd2e3c952fa5eb1f7bd8cfd410781490878bdee (commit) - Log - commit ad6a39b22728260454461a4d04ba25fc15d3520f Author: Alex Yursha Date: Tue Mar 9 10:07:26 2021 -1000 Print correct error message in utils/mkdir-p.pl Commit 70a56b914772e6b21cda2a5742817ae4bb7290f1 introduced a regression. If utils/mkdir-p.pl fails to create a target dir because of insufficient file system permissions, the subsequent test for dir existence always fails and overwrites the system error. As a result, a user is presented with a misleading error message. E.g. if a user tries to create a dir under /usr/local and does not have permissions for it, the reported error message is "Cannot create directory /usr/local/lib: No such file or directory", whereas the expected error message is "Cannot create directory /usr/local/lib: Permission denied". This commit introduces a fix by declaring an additional local variable to cache the original error message from mkdir. If -d check fails and overwrites the system error, the user is still presented with the original error from mkdir. CLA: Trivial Reviewed-by: Shane Lontis Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14487) (cherry picked from commit af2e1e9c81110ca1a156430686e2f171e80ebfa0) --- Summary of changes: util/mkdir-p.pl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/util/mkdir-p.pl b/util/mkdir-p.pl index 328060243f..88d8b0151f 100755 --- a/util/mkdir-p.pl +++ b/util/mkdir-p.pl @@ -34,11 +34,12 @@ sub do_mkdir_p { } unless (mkdir($dir, 0777)) { +local($err) = $!; if (-d $dir) { # We raced against another instance doing the same thing. return; } -die "Cannot create directory $dir: $!\n"; +die "Cannot create directory $dir: $err\n"; } print "created directory `$dir'\n"; }
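Review bot: `local($err) = $!;` in do_mkdir_p saves the error into a dynamically scoped package variable rather than a lexical one. Nothing outside this block needs to see the value, so `my $err = $!;` is the idiomatic form and also stays valid if the script is ever run under `use strict`. The fix itself (capturing `$!` before the `-d $dir` test can overwrite it) matches the commit message.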
[openssl] master update
The branch master has been updated via af2e1e9c81110ca1a156430686e2f171e80ebfa0 (commit) from 1368f0cdf54fb1b7ddb9a9069b60db796abfe1b3 (commit) - Log - commit af2e1e9c81110ca1a156430686e2f171e80ebfa0 Author: Alex Yursha Date: Tue Mar 9 10:07:26 2021 -1000 Print correct error message in utils/mkdir-p.pl Commit 70a56b914772e6b21cda2a5742817ae4bb7290f1 introduced a regression. If utils/mkdir-p.pl fails to create a target dir because of insufficient file system permissions, the subsequent test for dir existence always fails and overwrites the system error. As a result, a user is presented with a misleading error message. E.g. if a user tries to create a dir under /usr/local and does not have permissions for it, the reported error message is "Cannot create directory /usr/local/lib: No such file or directory", whereas the expected error message is "Cannot create directory /usr/local/lib: Permission denied". This commit introduces a fix by declaring an additional local variable to cache the original error message from mkdir. If -d check fails and overwrites the system error, the user is still presented with the original error from mkdir. CLA: Trivial Reviewed-by: Shane Lontis Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14487) --- Summary of changes: util/mkdir-p.pl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/util/mkdir-p.pl b/util/mkdir-p.pl index dacf3ab16f..61a5826643 100755 --- a/util/mkdir-p.pl +++ b/util/mkdir-p.pl @@ -34,11 +34,12 @@ sub do_mkdir_p { } unless (mkdir($dir, 0777)) { +local($err) = $!; if (-d $dir) { # We raced against another instance doing the same thing. return; } -die "Cannot create directory $dir: $!\n"; +die "Cannot create directory $dir: $err\n"; } print "created directory `$dir'\n"; }
[openssl] master update
The branch master has been updated via 1368f0cdf54fb1b7ddb9a9069b60db796abfe1b3 (commit) from 05ba94e70554c88cde8a8782db15cc87491f6ab6 (commit) - Log - commit 1368f0cdf54fb1b7ddb9a9069b60db796abfe1b3 Author: David Benjamin Date: Fri Mar 19 14:00:35 2021 -0400 Merge OFB encrypt and decrypt test vectors. There's no point in specifying them separately, since they're the same. Also the OFB-AES192.Decrypt vectors specified the wrong operation, so we were running some encryption tests twice and missing some decryption tests. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14625) --- Summary of changes: .../30-test_evp_data/evpciph_aes_common.txt| 105 + 1 file changed, 3 insertions(+), 102 deletions(-) diff --git a/test/recipes/30-test_evp_data/evpciph_aes_common.txt b/test/recipes/30-test_evp_data/evpciph_aes_common.txt index 59beb2e22f..43de160593 100644 --- a/test/recipes/30-test_evp_data/evpciph_aes_common.txt +++ b/test/recipes/30-test_evp_data/evpciph_aes_common.txt 
@@ -396,177 +396,78 @@ Ciphertext = 75A385741AB9CEF82031623D55B1E471 # For all OFB encrypts and decrypts, the transformed sequence is # AES-bits-CFB:key:IV/output':plaintext:ciphertext:encdec -# OFB-AES128.Encrypt +# OFB-AES128 Cipher = AES-128-OFB Key = 2B7E151628AED2A6ABF7158809CF4F3C IV = 000102030405060708090A0B0C0D0E0F -Operation = ENCRYPT -Plaintext = 6BC1BEE22E409F96E93D7E117393172A -Ciphertext = 3B3FD92EB72DAD20333449F8E83CFB4A - -Cipher = AES-128-OFB -Key = 2B7E151628AED2A6ABF7158809CF4F3C -IV = 50FE67CC996D32B6DA0937E99BAFEC60 -Operation = ENCRYPT -Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 -Ciphertext = 7789508D16918F03F53C52DAC54ED825 - -Cipher = AES-128-OFB -Key = 2B7E151628AED2A6ABF7158809CF4F3C -IV = D9A4DADA0892239F6B8B3D7680E15674 -Operation = ENCRYPT -Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF -Ciphertext = 9740051E9C5FECF64344F7A82260EDCC - -Cipher = AES-128-OFB -Key = 2B7E151628AED2A6ABF7158809CF4F3C -IV = A78819583F0308E7A6BF36B1386ABF23 -Operation = ENCRYPT -Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 -Ciphertext = 304C6528F659C77866A510D9C1D6AE5E - -# OFB-AES128.Decrypt -Cipher = AES-128-OFB -Key = 2B7E151628AED2A6ABF7158809CF4F3C -IV = 000102030405060708090A0B0C0D0E0F -Operation = DECRYPT Plaintext = 6BC1BEE22E409F96E93D7E117393172A Ciphertext = 3B3FD92EB72DAD20333449F8E83CFB4A Cipher = AES-128-OFB Key = 2B7E151628AED2A6ABF7158809CF4F3C IV = 50FE67CC996D32B6DA0937E99BAFEC60 -Operation = DECRYPT Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 Ciphertext = 7789508D16918F03F53C52DAC54ED825 Cipher = AES-128-OFB Key = 2B7E151628AED2A6ABF7158809CF4F3C IV = D9A4DADA0892239F6B8B3D7680E15674 -Operation = DECRYPT Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF Ciphertext = 9740051E9C5FECF64344F7A82260EDCC Cipher = AES-128-OFB Key = 2B7E151628AED2A6ABF7158809CF4F3C IV = A78819583F0308E7A6BF36B1386ABF23 -Operation = DECRYPT Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 Ciphertext = 304C6528F659C77866A510D9C1D6AE5E -# OFB-AES192.Encrypt -Cipher = 
AES-192-OFB -Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B -IV = 000102030405060708090A0B0C0D0E0F -Operation = ENCRYPT -Plaintext = 6BC1BEE22E409F96E93D7E117393172A -Ciphertext = CDC80D6FDDF18CAB34C25909C99A4174 - -Cipher = AES-192-OFB -Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B -IV = A609B38DF3B1133DDDFF2718BA09565E -Operation = ENCRYPT -Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 -Ciphertext = FCC28B8D4C63837C09E81700C1100401 - -Cipher = AES-192-OFB -Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B -IV = 52EF01DA52602FE0975F78AC84BF8A50 -Operation = ENCRYPT -Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF -Ciphertext = 8D9A9AEAC0F6596F559C6D4DAF59A5F2 - -Cipher = AES-192-OFB -Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B -IV = BD5286AC63AABD7EB067AC54B553F71D -Operation = ENCRYPT -Plaintext = F69F2445DF4F9B17AD2B417BE66C3710 -Ciphertext = 6D9F200857CA6C3E9CAC524BD9ACC92A - -# OFB-AES192.Decrypt +# OFB-AES192 Cipher = AES-192-OFB Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B IV = 000102030405060708090A0B0C0D0E0F -Operation = ENCRYPT Plaintext = 6BC1BEE22E409F96E93D7E117393172A Ciphertext = CDC80D6FDDF18CAB34C25909C99A4174 Cipher = AES-192-OFB Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B IV = A609B38DF3B1133DDDFF2718BA09565E -Operation = ENCRYPT Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51 Ciphertext = FCC28B8D4C63837C09E81700C1100401 Cipher = AES-192-OFB Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B IV = 52EF01DA52602FE0975F78AC84BF8A50 -Operation = ENCRYPT Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF Ciphertext = 8D9A9AEAC0F6596F559C6D4DAF59A5F2 Cipher = AES-192-OFB Key =
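Review bot: the context comment at the top of the first hunk still reads "AES-bits-CFB:key:IV/output':plaintext:ciphertext:encdec", which names CFB inside the OFB section and describes an encdec field that the merged vectors no longer carry once the `Operation` lines are removed. Update it in the same change, and state there that a vector without `Operation` is run in both directions, since the merge relies on that. The removed "# OFB-AES192.Decrypt" block with `Operation = ENCRYPT` is the mislabelling the commit message describes, so dropping it is correct.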
[openssl] master update
The branch master has been updated via 05ba94e70554c88cde8a8782db15cc87491f6ab6 (commit) from 788a72e92fc0b78c2ca12df90e45cccbaf7a800e (commit) - Log - commit 05ba94e70554c88cde8a8782db15cc87491f6ab6 Author: Randall S. Becker Date: Tue Mar 23 14:42:36 2021 -0600 Add explicit support in util/shlib_wrap.sh.in for NonStop DLL loading. The NonStop platform uses a proprietary mechanism for specifying DLL locations. CLA: Permission is granted by the author to the OpenSSL team to use these modifications. Fixes #14666 Signed-off-by: Randall S. Becker Reviewed-by: Richard Levitte Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14669) --- Summary of changes: util/shlib_wrap.sh.in | 9 + 1 file changed, 9 insertions(+) diff --git a/util/shlib_wrap.sh.in b/util/shlib_wrap.sh.in index 7024cafbd3..675d99a836 100755 --- a/util/shlib_wrap.sh.in +++ b/util/shlib_wrap.sh.in @@ -84,6 +84,15 @@ SunOS|IRIX*) eval $rld_var=\"${THERE}'${'$rld_var':+:$'$rld_var'}'\"; export $rld_var unset rld_var ;; +NONSTOP_KERNEL) + # HPE NonStop has a proprietary mechanism for specifying + # the location of DLLs. It does not use PATH or variables + # commonly used on other platforms. The platform has a limited + # environment space keeping extraneous variables to a minimum + # is recommended. + _RLD_LIB_PATH="${THERE}:$LD_LIBRARY_PATH" + export _RLD_LIB_PATH + ;; *) LD_LIBRARY_PATH="${THERE}:$LD_LIBRARY_PATH" # Linux, ELF HP-UX DYLD_LIBRARY_PATH="${THERE}:$DYLD_LIBRARY_PATH" # MacOS X SHLIB_PATH="${THERE}:$SHLIB_PATH" # legacy HP-UX
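Review bot: `_RLD_LIB_PATH="${THERE}:$LD_LIBRARY_PATH"` in the new NONSTOP_KERNEL branch leaves a trailing empty path element whenever LD_LIBRARY_PATH is unset, and it discards any _RLD_LIB_PATH already present in the environment. The SunOS|IRIX branch directly above avoids the empty element with the `${var:+:$var}` form; something like `_RLD_LIB_PATH="${THERE}${_RLD_LIB_PATH:+:$_RLD_LIB_PATH}"` would do the same here. The comment says the platform does not use the variables common elsewhere, so seeding from LD_LIBRARY_PATH deserves either a justification in that comment or removal. The last sentence of the comment is also missing punctuation between "environment space" and "keeping".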
[openssl] master update
The branch master has been updated via 788a72e92fc0b78c2ca12df90e45cccbaf7a800e (commit) from 1ee1a169c310f3dc735a3d83298686cf70aa427a (commit) - Log - commit 788a72e92fc0b78c2ca12df90e45cccbaf7a800e Author: Andrey Matyukov Date: Wed Mar 24 10:05:29 2021 +0300 Increase minimum clang version requirement for rsaz-avx512.pl The reason is that clang-6 does not enable proper -march flags by default for assembly modules (rsaz-avx512.pl requires avx512ifma, avx512dq, avx512vl, avx512f). This is not true for newer clang versions - clang-7 and further work ok. For older clang versions users who want to get optimization from this file, we have a note in the OPENSSL_ia32cap.pod with the workaround that proposes having a wrapper that forces using external assembler. Fixes #14668: clang-6.0.0 build broken Reviewed-by: Richard Levitte Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14671) --- Summary of changes: crypto/bn/asm/rsaz-avx512.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/bn/asm/rsaz-avx512.pl b/crypto/bn/asm/rsaz-avx512.pl index 04effabffa..d22eeef5da 100644 --- a/crypto/bn/asm/rsaz-avx512.pl +++ b/crypto/bn/asm/rsaz-avx512.pl @@ -49,7 +49,7 @@ if (!$avx512 && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) && } if (!$avx512 && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) { -$avx512ifma = ($2>=6.0); +$avx512ifma = ($2>=7.0); } open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\""
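Review bot: the threshold in `$avx512ifma = ($2>=7.0);` has no comment, and the reason for it (clang-6 does not enable the required -march flags for assembly modules) is recorded only in the commit message. A one-line comment above the comparison that names the four required extensions and points at the workaround note in OPENSSL_ia32cap.pod would keep the limit from being lowered again by someone who only reads the script.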
[openssl] master update
The branch master has been updated via 1ee1a169c310f3dc735a3d83298686cf70aa427a (commit) from 53d85372caac7a81eb14bea2eb06464778ed163c (commit) - Log - commit 1ee1a169c310f3dc735a3d83298686cf70aa427a Author: Nan Xiao Date: Sat Mar 27 18:23:59 2021 +0800 Fix typos in bio.pod CLA: trivial Reviewed-by: Kurt Roeckx Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14706) --- Summary of changes: doc/man7/bio.pod | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/man7/bio.pod b/doc/man7/bio.pod index 092bdde184..e2c11665b9 100644 --- a/doc/man7/bio.pod +++ b/doc/man7/bio.pod @@ -17,7 +17,7 @@ details from an application. If an application uses a BIO for its I/O it can transparently handle SSL connections, unencrypted network connections and file I/O. -There are two type of BIO, a source/sink BIO and a filter BIO. +There are two types of BIO, a source/sink BIO and a filter BIO. As its name implies a source/sink BIO is a source and/or sink of data, examples include a socket BIO and a file BIO. @@ -31,7 +31,7 @@ BIO will encrypt data if it is being written to and decrypt data if it is being read from. BIOs can be joined together to form a chain (a single BIO is a chain -with one component). A chain normally consist of one source/sink +with one component). A chain normally consists of one source/sink BIO and one or more filter BIOs. Data read from or written to the first BIO then traverses the chain to the end (normally a source/sink BIO).
[openssl] master update
The branch master has been updated via 53d85372caac7a81eb14bea2eb06464778ed163c (commit) from d1a57d873b0e8a09370010f5f632c3f10c7cf9fc (commit) - Log - commit 53d85372caac7a81eb14bea2eb06464778ed163c Author: Pauli Date: Mon Mar 29 11:19:33 2021 +1000 ssl: fix problem where MAC IDs were globally cached. Instead, they should be cached per SSL_CTX. This also addresses a threading issue where multiple attempts to write the same location occur. The last one winning. Under 1.1.1, this wasn't an issue but under 3.0 with library contexts, the results can and will be different. Fixes #13456 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14715) --- Summary of changes: ssl/ssl_ciph.c | 24 ++-- ssl/ssl_local.h | 1 + 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 1de8959506..582124aa1f 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -133,7 +133,7 @@ static int ssl_cipher_info_find(const ssl_cipher_table * table, * is engine-provided, we'll fill it only if corresponding EVP_PKEY_METHOD is * found */ -static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = { +static const int default_mac_pkey_id[SSL_MD_NUM_IDX] = { /* MD5, SHA, GOST94, MAC89 */ EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef, /* SHA256, SHA384, GOST2012_256, MAC89-12 */ 
@@ -395,29 +395,33 @@ int ssl_load_ciphers(SSL_CTX *ctx) * Check for presence of GOST 34.10 algorithms, and if they are not * present, disable appropriate auth and key exchange */ -ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id(SN_id_Gost28147_89_MAC); -if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) +memcpy(ctx->ssl_mac_pkey_id, default_mac_pkey_id, + sizeof(ctx->ssl_mac_pkey_id)); + +ctx->ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = +get_optional_pkey_id(SN_id_Gost28147_89_MAC); +if (ctx->ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) ctx->ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32; else ctx->disabled_mac_mask |= SSL_GOST89MAC; -ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX] = +ctx->ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX] = get_optional_pkey_id(SN_gost_mac_12); -if (ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX]) +if (ctx->ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX]) ctx->ssl_mac_secret_size[SSL_MD_GOST89MAC12_IDX] = 32; else ctx->disabled_mac_mask |= SSL_GOST89MAC12; -ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX] = +ctx->ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX] = get_optional_pkey_id(SN_magma_mac); -if (ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX]) +if (ctx->ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX]) ctx->ssl_mac_secret_size[SSL_MD_MAGMAOMAC_IDX] = 32; else ctx->disabled_mac_mask |= SSL_MAGMAOMAC; -ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX] = +ctx->ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX] = get_optional_pkey_id(SN_kuznyechik_mac); -if (ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX]) +if (ctx->ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX]) ctx->ssl_mac_secret_size[SSL_MD_KUZNYECHIKOMAC_IDX] = 32; else ctx->disabled_mac_mask |= SSL_KUZNYECHIKOMAC; @@ -557,7 +561,7 @@ int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s, } *md = ctx->ssl_digest_methods[i]; if (mac_pkey_type != NULL) -*mac_pkey_type = ssl_mac_pkey_id[i]; +*mac_pkey_type = ctx->ssl_mac_pkey_id[i]; if (mac_secret_size != NULL) *mac_secret_size = ctx->ssl_mac_secret_size[i]; } 
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 127011b62c..023e6f4378 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -1178,6 +1178,7 @@ struct ssl_ctx_st { char *propq; +int ssl_mac_pkey_id[SSL_MD_NUM_IDX]; const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]; const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]; size_t ssl_mac_secret_size[SSL_MD_NUM_IDX];
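Review bot: the comment kept above the renamed table ("is engine-provided, we'll fill it only if corresponding EVP_PKEY_METHOD is found") still describes filling that array, but `default_mac_pkey_id` is now const and the filling happens in `ctx->ssl_mac_pkey_id` inside ssl_load_ciphers(). Reword it to say that the defaults are copied into each SSL_CTX and the GOST entries are resolved there. The new `int ssl_mac_pkey_id[SSL_MD_NUM_IDX];` member in struct ssl_ctx_st has no comment either; a short one would help, since the memcpy sized by `sizeof(ctx->ssl_mac_pkey_id)` depends on both arrays being declared with SSL_MD_NUM_IDX.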
[openssl] master update
The branch master has been updated via d1a57d873b0e8a09370010f5f632c3f10c7cf9fc (commit) via 92b3e62fdd5c85101998affe2260ac845cf09ba4 (commit) via ec3dd97019b7ec95b77d50b6f81c8d32d58d9bbf (commit) via d0ea0eb331176bf5882e31c8cf2538af16ef76cb (commit) via 03915534851daef6232c514cf1a8ea3158a7704e (commit) from 2db9bef264ba39e173d6b6a3a800595e15eef31b (commit) - Log - commit d1a57d873b0e8a09370010f5f632c3f10c7cf9fc Author: Pauli Date: Mon Mar 29 12:37:43 2021 +1000 apps: fix coverity 1474463, 1474465 & 1474467: resource leaks Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14716) commit 92b3e62fdd5c85101998affe2260ac845cf09ba4 Author: Pauli Date: Mon Mar 29 12:33:02 2021 +1000 test: fix coverity 1474468: resource leak Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14716) commit ec3dd97019b7ec95b77d50b6f81c8d32d58d9bbf Author: Pauli Date: Mon Mar 29 12:30:40 2021 +1000 evp: fix coverity 1474469: negative return Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14716) commit d0ea0eb331176bf5882e31c8cf2538af16ef76cb Author: Pauli Date: Mon Mar 29 12:29:10 2021 +1000 x509: fix coverity 1474470: NULL pointer dereference Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14716) commit 03915534851daef6232c514cf1a8ea3158a7704e Author: Pauli Date: Mon Mar 29 12:28:10 2021 +1000 x509: fix coverity 1474471: NULL pointer dereference Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14716) --- Summary of changes: apps/speed.c | 7 --- crypto/evp/evp_pkey.c | 6 +++--- crypto/x509/x509_att.c | 2 +- crypto/x509/x_all.c| 7 +-- test/bad_dtls_test.c | 14 ++ 5 files changed, 19 insertions(+), 17 deletions(-) diff --git a/apps/speed.c b/apps/speed.c index 0bd566e846..727341a1e6 100644 --- a/apps/speed.c +++ b/apps/speed.c 
@@ -3603,8 +3603,8 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher, int lengths_single, const int *mblengths = mblengths_list; int j, count, keylen, num = OSSL_NELEM(mblengths_list); const char *alg_name; -unsigned char *inp, *out, *key, no_key[32], no_iv[16]; -EVP_CIPHER_CTX *ctx; +unsigned char *inp = NULL, *out = NULL, *key, no_key[32], no_iv[16]; +EVP_CIPHER_CTX *ctx = NULL; double d = 0.0; if (lengths_single) { @@ -3621,7 +3621,7 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher, int lengths_single, if ((keylen = EVP_CIPHER_CTX_key_length(ctx)) < 0) { BIO_printf(bio_err, "Impossible negative key length: %d\n", keylen); -return; +goto err; } key = app_malloc(keylen, "evp_cipher key"); if (!EVP_CIPHER_CTX_rand_key(ctx, key)) @@ -3710,6 +3710,7 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher, int lengths_single, fprintf(stdout, "\n"); } + err: OPENSSL_free(inp); OPENSSL_free(out); EVP_CIPHER_CTX_free(ctx); diff --git a/crypto/evp/evp_pkey.c b/crypto/evp/evp_pkey.c index 7aafd76822..35de85cffd 100644 --- a/crypto/evp/evp_pkey.c +++ b/crypto/evp/evp_pkey.c @@ -73,8 +73,9 @@ EVP_PKEY *EVP_PKCS82PKEY_ex(const PKCS8_PRIV_KEY_INFO *p8, OSSL_LIB_CTX *libctx, size_t len; OSSL_DECODER_CTX *dctx = NULL; -if ((encoded_len = i2d_PKCS8_PRIV_KEY_INFO(p8, _data)) <= 0) -goto end; +if ((encoded_len = i2d_PKCS8_PRIV_KEY_INFO(p8, _data)) <= 0 +|| encoded_data == NULL) +return NULL; p8_data = encoded_data; len = encoded_len; @@ -85,7 +86,6 @@ EVP_PKEY *EVP_PKCS82PKEY_ex(const PKCS8_PRIV_KEY_INFO *p8, OSSL_LIB_CTX *libctx, /* try legacy */ pkey = evp_pkcs82pkey_legacy(p8, libctx, propq); - end: OPENSSL_clear_free(encoded_data, encoded_len); OSSL_DECODER_CTX_free(dctx); return pkey; diff --git a/crypto/x509/x509_att.c b/crypto/x509/x509_att.c index 52cad9a047..e7ed189958 100644 --- a/crypto/x509/x509_att.c +++ b/crypto/x509/x509_att.c 
@@ -79,7 +79,7 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x, if (x == NULL) { ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); -goto err2; +return NULL; } if (*x == NULL) { diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c index c5e0c0b1ec..042425456c 100644 --- a/crypto/x509/x_all.c +++ b/crypto/x509/x_all.c @@ -434,8 +434,11 @@ ASN1_OCTET_STRING *X509_digest_sig(const X509 *cert) int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md, unsigned int *len) { -if (type != NULL -&& EVP_MD_is_a(type, SN_sha1) +if (type ==
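Review bot: In the first apps/speed.c hunk (the multiblock_speed declarations), `key` is the one heap pointer left uninitialised while `inp`, `out` and `ctx` now start as NULL. The new `goto err` is taken before `key = app_malloc(...)`, so the jump is safe only as long as nothing under `err:` ever touches `key`. Declaring it as `*key = NULL` alongside the others would keep a later cleanup of `key` under `err:` from freeing an indeterminate pointer.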
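Review bot: In the crypto/evp/evp_pkey.c hunk at EVP_PKCS82PKEY_ex, the new early `return NULL` bypasses `OPENSSL_clear_free(encoded_data, encoded_len)`, so it relies on the encoder leaving no buffer behind whenever it returns <= 0. That buffer holds an encoded private key, so the assumption deserves a one-line comment next to the condition stating that a failed i2d_PKCS8_PRIV_KEY_INFO leaves `encoded_data` NULL. With the `end:` label removed in the second hunk, it is also worth confirming that no other `goto end` remains in the function.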
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 4cd2e3c952fa5eb1f7bd8cfd410781490878bdee (commit) from fd988967bb14ce49b01c399b5d2c466852c105e4 (commit) - Log - commit 4cd2e3c952fa5eb1f7bd8cfd410781490878bdee Author: Nan Xiao Date: Mon Mar 29 12:05:27 2021 +0800 Fix typo in BIO_push.pod CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14718) (cherry picked from commit 2db9bef264ba39e173d6b6a3a800595e15eef31b) --- Summary of changes: doc/man3/BIO_push.pod | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/man3/BIO_push.pod b/doc/man3/BIO_push.pod index 93f2cc31fd..c53314df9d 100644 --- a/doc/man3/BIO_push.pod +++ b/doc/man3/BIO_push.pod @@ -61,8 +61,8 @@ the new chain is B. Data written to B will be digested by B and B, B encoded and written to B. It should be noted that reading causes data to pass in the reverse -direction, that is data is read from B, base64 B and digested -by B and B. If the call: +direction, that is data is read from B, B decoded and digested +by B and B. If the call: BIO_pop(md2);
[openssl] master update
The branch master has been updated via 2db9bef264ba39e173d6b6a3a800595e15eef31b (commit) from 7947a1eb13c221bbc034796bd394ba00b0e2387d (commit) - Log - commit 2db9bef264ba39e173d6b6a3a800595e15eef31b Author: Nan Xiao Date: Mon Mar 29 12:05:27 2021 +0800 Fix typo in BIO_push.pod CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14718) --- Summary of changes: doc/man3/BIO_push.pod | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/man3/BIO_push.pod b/doc/man3/BIO_push.pod index 236ac480e0..a959633fd5 100644 --- a/doc/man3/BIO_push.pod +++ b/doc/man3/BIO_push.pod @@ -61,8 +61,8 @@ the new chain is B. Data written to B will be digested by B and B, B encoded and written to B. It should be noted that reading causes data to pass in the reverse -direction, that is data is read from B, base64 B and digested -by B and B. If the call: +direction, that is data is read from B, B decoded and digested +by B and B. If the call: BIO_pop(md2);
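Review bot: In the doc/man3/BIO_push.pod hunk, the corrected sentence still reads "that is data is read from" with no punctuation around "that is". Since the line is being touched anyway, "that is, data is read from" would read more clearly. The same wording is carried into the OpenSSL_1_1_1-stable cherry-pick of this commit.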
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via fd988967bb14ce49b01c399b5d2c466852c105e4 (commit) from 122e5f7c010859f0b2984d553fa45cd1f18a6fc4 (commit) - Log - commit fd988967bb14ce49b01c399b5d2c466852c105e4 Author: Nan Xiao Date: Mon Mar 29 12:24:08 2021 +0800 Fix BIO_new_ssl_connect() to not leak memory CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14719) (cherry picked from commit 7947a1eb13c221bbc034796bd394ba00b0e2387d) --- Summary of changes: ssl/bio_ssl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c index 53129bfb88..75c78b9a68 100644 --- a/ssl/bio_ssl.c +++ b/ssl/bio_ssl.c @@ -451,6 +451,7 @@ BIO *BIO_new_ssl_connect(SSL_CTX *ctx) goto err; return ret; err: +BIO_free(ssl); BIO_free(con); #endif return NULL;
[openssl] master update
The branch master has been updated via 7947a1eb13c221bbc034796bd394ba00b0e2387d (commit) from 4f10a996e5123c20315912149f586c481960e0de (commit) - Log - commit 7947a1eb13c221bbc034796bd394ba00b0e2387d Author: Nan Xiao Date: Mon Mar 29 12:24:08 2021 +0800 Fix BIO_new_ssl_connect() to not leak memory CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14719) --- Summary of changes: ssl/bio_ssl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c index 033781fcf5..47fe936252 100644 --- a/ssl/bio_ssl.c +++ b/ssl/bio_ssl.c @@ -451,6 +451,7 @@ BIO *BIO_new_ssl_connect(SSL_CTX *ctx) goto err; return ret; err: +BIO_free(ssl); BIO_free(con); #endif return NULL;
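Review bot: At the `err:` label in BIO_new_ssl_connect, the added `BIO_free(ssl)` is only safe if `ssl` is initialised to NULL at its declaration, which lies outside this hunk's context. Please confirm that, because a `goto err` taken before `ssl` is assigned would otherwise free an indeterminate pointer. A regression test that forces the failure path would also keep the leak from coming back.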
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-stdio
Platform and configuration command: $ uname -a Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-stdio Commit log since last time: 2145ba5e83 Implement EVP_PKEY_dup() function c464583483 Remove RSA bignum_data that is not used anywhere 7f2fa88519 doc: fix style problems with this man page e7aa284e68 Fix X509_PUBKEY_dup() to not leak memory 808c63c5d0 test: add test case for X508_PUBKEY_dup() function 239ff7f769 doc: add documentation for the X509_PUBKEY_dup() function f0800c7c22 Allocates and initializes pubkey in X509_PUBKEY_dup() a638fb9413 Fix Build issue on Oracle Linux x64 ed2e5b612d Disable cmp_http test on AIX 53eecb5de5 TEST: Cleanup test recipes bf5b37cedf Make the SM2 group the default group for the SM2 algorithm cede07dc51 Remove the external BoringSSL test 6b2e51dd36 ssl/ssl_ciph.c: update format string, again 6466cc97e8 HTTP: Fix mem leak of OSSL_HTTP_REQ_CTX_transfer(), rename to ossl_http_req_ctx_transfer() 1c8505fb7d HTTP: Rename OSSL_HTTP_REQ_CTX_i2d() to OSSL_HTTP_REQ_CTX_set1_req() 814581bb7a RSA-PSS: When printing parameters, always print the trailerfield ASN.1 value 4551763efc doc: life-cycle descritpion for MACs 10b63e9756 doc: note that MAC lifecycle transitions will be enforced at some point b0b63654e9 doc: life-cycle descritpion for RANDs 632bc4dff3 doc: note that RAND lifecycle transitions will be enforced at some point 77d12ae049 doc: life-cycle description for KDFs/PRFs 2e1a40d037 doc: note that KDF/PRF transitions will be enforced at some future point 4aac71f705 doc: add life-cycle source files 8c63532002 test: fix coverity 1473609 & 1473610: unchecked return values 8eca93f8fb evp: fix coverity 1473378: unchecked return value 27f37279df params: fix coverity 1473069: unchecked return values 40d6e05cf8 evp: fix coverity 1467500 & 1467502: unchecked return values 8cdcb63fc0 apps: fix coverity 1455340: unchecked return value 3352a4f6fa 
test: fix coverity 1451550: unchecked return value f47865156a test: fix coverity 1429210: unchecked return value b8cb90cdb6 test: fix coverity 1416888: unchecked return value 0d2b8bd261 test: fix coverity 1414451: unchecked return value a02d70dd51 apps: fix coverity 1358776, 1451513, 1451519, 1451531 & 1473387: unchecked return values 6a6844a219 test: fix coverity 1338157: unchecked return value 3c4c8dd84a encoder: fix coverity 1473235: null dereference 26d5244253 apps: fix coverity 1470781: explicit null dereference fbe286a36e sm2: fix coverity 1467503: explicit null dereference 993237a8b6 rsa: fix coverity 1463571: explicit null dereference 8f4cddbc90 rand: fix coverity 1473636: data race condition 9aa4be691f x509: fix coverity 1474424: data race condition 96a68f21c3 x509: fix coverity 1461225: data race condition 4f0831b837 EVP_PKCS82PKEY: Create provided keys if possible 468d9d5564 Update CHANGES.md and NEWS.md for new release 39a140597d Ensure buffer/length pairs are always in sync 02b1636fe3 ssl sigalg extension: fix NULL pointer dereference 112580c27b Add a test for CVE-2021-3449 ae937a096c Teach TLSProxy how to encrypt <= TLSv1.2 ETM records Build log ended with (last 100 lines): clang -I. 
-Iinclude -Iproviders/common/include -Iproviders/implementations/include -I../openssl -I../openssl/include -I../openssl/providers/common/include -I../openssl/providers/implementations/include -DAES_ASM -DBSAES_ASM -DCMLL_ASM -DECP_NISTZ256_ASM -DGHASH_ASM -DKECCAK1600_ASM -DMD5_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DPOLY1305_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DX25519_ASM -fPIC -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines-3\"" -DMODULESDIR="\"/usr/local/lib/ossl-modules\"" -DOPENSSL_BUILDING_OPENSSL -MMD -MF crypto/evp/libcrypto-lib-ctrl_params_translate.d.tmp -MT crypto/evp/libcrypto-lib-ctrl_params_translate.o -c -o crypto/evp/libcrypto-lib-ctrl_params_translate.o ../openssl/crypto/evp/ctrl_params_translate.c clang -I. -Iinclude -Iproviders/common/include -Iproviders/implementations/include -I../openssl -I../openssl/include -I../openssl/providers/common/include -I../openssl/providers/implementations/include -DAES_ASM -DBSAES_ASM -DCMLL_ASM -DECP_NISTZ256_ASM -DGHASH_ASM -DKECCAK1600_ASM -DMD5_ASM
[openssl] master update
The branch master has been updated via 4f10a996e5123c20315912149f586c481960e0de (commit) from 3bf7c3a166f20f3deac8d4730aa54bcce466c10a (commit) - Log - commit 4f10a996e5123c20315912149f586c481960e0de Author: Richard Levitte Date: Mon Mar 29 12:36:34 2021 +0200 Android config targets: don't include the SO version in the shlib file name Reports say that the Android platform(s) don't have the SO version number in the shared library file name. Reportedly, Android package managers do complain that our shared libraries do include the SO version number. That's easy enough to fix. Fixes #14711 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14727) --- Summary of changes: Configurations/15-android.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/Configurations/15-android.conf b/Configurations/15-android.conf index f3075e4b79..0b6b6d6832 100644 --- a/Configurations/15-android.conf +++ b/Configurations/15-android.conf @@ -191,6 +191,7 @@ my %targets = ( bin_cflags => "-fPIE", bin_lflags => "-pie", enable => [ ], +shared_extension => ".so", }, "android-arm" => {
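Review bot: The added `shared_extension => ".so"` line in Configurations/15-android.conf carries no comment, and the reason for it (per the commit message, Android package managers complain about a SO version number in the shared library file name) is not obvious from the config alone. A one-line comment above the setting would stop a later cleanup from removing it. It is also worth stating in the commit whether the other android-* targets pick this setting up, since the hunk only shows it in the block that ends just before "android-arm".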
[openssl] master update
The branch master has been updated via 3bf7c3a166f20f3deac8d4730aa54bcce466c10a (commit) from 8f81e3a1848819b3e2bf57d7bc810e440e29d8a5 (commit) - Log - commit 3bf7c3a166f20f3deac8d4730aa54bcce466c10a Author: Richard Levitte Date: Mon Mar 29 12:23:40 2021 +0200 Unix build file template: symlink "simple" to "full" shlib selectively On Unix-like platforms where the shared library comes in a form with and a form without SO version number, the one without is symbolically linked to the one with. However, we have Unix-like platforms where we don't deal with SO version numbers, and where the "simple" shlib thereby ends up being symbolically linked to itself. A simple check of the two shlib file names is enough to ensure that we only do the symbolic link when actually necessary. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14726) --- Summary of changes: Configurations/unix-Makefile.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index d0192aa32e..8a2b2353ab 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -1607,7 +1607,7 @@ EOF my $recipe = ''; - if (defined $simple) { + if (defined $simple && $simple ne $full) { if (sharedaix()) { $recipe .= <<"EOF"; $simple: $full
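Review bot: In the Configurations/unix-Makefile.tmpl hunk, `$simple ne $full` is evaluated with only `$simple` checked for definedness; if `$full` can ever be undefined at this point, Perl will warn on the string comparison. Please confirm `$full` is always set here, or guard it explicitly. A short comment saying the check avoids symlinking a shlib to itself on platforms without SO version numbers would also save the next reader a trip to the commit message.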
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-sock
Platform and configuration command: $ uname -a Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-sock Commit log since last time: 2145ba5e83 Implement EVP_PKEY_dup() function c464583483 Remove RSA bignum_data that is not used anywhere 7f2fa88519 doc: fix style problems with this man page e7aa284e68 Fix X509_PUBKEY_dup() to not leak memory 808c63c5d0 test: add test case for X508_PUBKEY_dup() function 239ff7f769 doc: add documentation for the X509_PUBKEY_dup() function f0800c7c22 Allocates and initializes pubkey in X509_PUBKEY_dup() a638fb9413 Fix Build issue on Oracle Linux x64 ed2e5b612d Disable cmp_http test on AIX 53eecb5de5 TEST: Cleanup test recipes bf5b37cedf Make the SM2 group the default group for the SM2 algorithm cede07dc51 Remove the external BoringSSL test 6b2e51dd36 ssl/ssl_ciph.c: update format string, again 6466cc97e8 HTTP: Fix mem leak of OSSL_HTTP_REQ_CTX_transfer(), rename to ossl_http_req_ctx_transfer() 1c8505fb7d HTTP: Rename OSSL_HTTP_REQ_CTX_i2d() to OSSL_HTTP_REQ_CTX_set1_req() 814581bb7a RSA-PSS: When printing parameters, always print the trailerfield ASN.1 value 4551763efc doc: life-cycle descritpion for MACs 10b63e9756 doc: note that MAC lifecycle transitions will be enforced at some point b0b63654e9 doc: life-cycle descritpion for RANDs 632bc4dff3 doc: note that RAND lifecycle transitions will be enforced at some point 77d12ae049 doc: life-cycle description for KDFs/PRFs 2e1a40d037 doc: note that KDF/PRF transitions will be enforced at some future point 4aac71f705 doc: add life-cycle source files 8c63532002 test: fix coverity 1473609 & 1473610: unchecked return values 8eca93f8fb evp: fix coverity 1473378: unchecked return value 27f37279df params: fix coverity 1473069: unchecked return values 40d6e05cf8 evp: fix coverity 1467500 & 1467502: unchecked return values 8cdcb63fc0 apps: fix coverity 1455340: unchecked return value 3352a4f6fa 
test: fix coverity 1451550: unchecked return value f47865156a test: fix coverity 1429210: unchecked return value b8cb90cdb6 test: fix coverity 1416888: unchecked return value 0d2b8bd261 test: fix coverity 1414451: unchecked return value a02d70dd51 apps: fix coverity 1358776, 1451513, 1451519, 1451531 & 1473387: unchecked return values 6a6844a219 test: fix coverity 1338157: unchecked return value 3c4c8dd84a encoder: fix coverity 1473235: null dereference 26d5244253 apps: fix coverity 1470781: explicit null dereference fbe286a36e sm2: fix coverity 1467503: explicit null dereference 993237a8b6 rsa: fix coverity 1463571: explicit null dereference 8f4cddbc90 rand: fix coverity 1473636: data race condition 9aa4be691f x509: fix coverity 1474424: data race condition 96a68f21c3 x509: fix coverity 1461225: data race condition 4f0831b837 EVP_PKCS82PKEY: Create provided keys if possible 468d9d5564 Update CHANGES.md and NEWS.md for new release 39a140597d Ensure buffer/length pairs are always in sync 02b1636fe3 ssl sigalg extension: fix NULL pointer dereference 112580c27b Add a test for CVE-2021-3449 ae937a096c Teach TLSProxy how to encrypt <= TLSv1.2 ETM records Build log ended with (last 100 lines): 70-test_sslmessages.t .. skipped: test_sslmessages needs the sock feature enabled 70-test_sslrecords.t ... skipped: test_sslrecords needs the sock feature enabled 70-test_sslsessiontick.t ... skipped: test_sslsessiontick needs the sock feature enabled 70-test_sslsigalgs.t ... skipped: test_sslsigalgs needs the sock feature enabled 70-test_sslsignature.t . skipped: test_sslsignature needs the sock feature enabled 70-test_sslskewith0p.t . skipped: test_sslskewith0p needs the sock feature enabled 70-test_sslversions.t .. skipped: test_sslversions needs the sock feature enabled 70-test_sslvertol.t skipped: test_sslvertol needs the sock feature enabled 70-test_tls13alerts.t .. skipped: test_tls13alerts needs the sock feature enabled 70-test_tls13cookie.t .. 
skipped: test_tls13cookie needs the sock feature enabled 70-test_tls13downgrade.t ... skipped: test_tls13downgrade needs the sock feature enabled 70-test_tls13hrr.t . skipped: test_tls13hrr needs the sock feature enabled 70-test_tls13kexmodes.t skipped: test_tls13kexmodes needs the sock feature enabled 70-test_tls13messages.t skipped: test_tls13messages needs the sock feature enabled 70-test_tls13psk.t . skipped: test_tls13psk needs the sock feature enabled 70-test_tlsextms.t . skipped: test_tlsextms needs the sock feature enabled 70-test_verify_extra.t . ok 70-test_wpacket.t .. ok 71-test_ssl_ctx.t .. ok 80-test_ca.t ... ok 80-test_cipherbytes.t .. ok 80-test_cipherlist.t ... ok 80-test_ciphername.t