Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit

2021-04-14 Thread OpenSSL run-checker
Platform and configuration command:

$ uname -a
Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit

Commit log since last time:

b9cd82f95b 80-test_cmp_http.t: Extend diagnostics of mock server launch
cfe20aee3b 80-test_cmp_http.t: Silence check for availability of 'kill' and 
'lsof' commands
c6df354c2a 80-test_cmp_http.t: Fix resumption when skipping after mock server 
launch failed
aed03a1209 apps/cmp: Add generic random state options, e.g., for nonce 
generation
3206e41c0e openssl-cmp.pod.in: Fix missing provider options description
9518f8957a cmp_util.c: Fix OSSL_CMP_log_open() in case OPENSSL_NO_TRACE
f56c9c7c94 APPS and TEST: Make sure prog name is set for usage output
3ad6030948 APPS: make apps strict on app_RAND_load() and app_RAND_write() 
failure
456541f0b7 Document the invariants for the empty X509_NAME encoding
74bcbea76f X509_NAME_cmp: if canon_enclen is 0 for both names return 0
d32fc2c51b bio_printf: add \0 terminators for error returns in floating point 
conversions.
586d9436c8 bio: note that BIO_sprintf null terminates on insufficient space.
4e1ebda9d9 bio: add a malloc failed error to BIO_print
5c10724387 Add some additional NULL checks to prevent segfaults.
46eee7104d Add domain parameter match check for DH and ECDH key exchange.
0d5bbaaae2 Remove a TODO(3.0) from X509_PUBKEY_set
89947af2c5 crypto: raise error on malloc failure clean a few style nits.
f691578bdc nits: fix a few typo in template code
c6e090fe17 doc: Fix formatting
feba11cf2e Handle set_alpn_protos inputs better.
3ab736acb8 util/wrap.pl: use the apps/openssl.cnf from the source tree
0f10196042 apps: call ERR_print_errors when OSSL_PROVIDER_load fails
b47e7bbc41 Note deprecated function/macros with no replacement.
9acbbbae6b Fix windows compiler error in kmac_prov.c
3fed27181a Add FIPS Self test for AES_ECB decrypt
28fd895305 Remove the function EVP_PKEY_set_alias_type
6878f43002 Update KTLS documentation
a3a54179b6 Only enable KTLS if it is explicitly configured
4ec4b063e0 Always reset IV for CBC, OFB, and CFB mode on cipher context reinit
3f883c7c83 Replace OSSL_PARAM_BLD_free_params() with OSSL_PARAM_free().
884314cab7 Add OSSL_PARAM_dup() and OSSL_PARAM_merge().
d36114d7cd kmac: update the documention for the customisation string maximum 
length
13eaa4ecaa kmac: fix customistation string overflow bug
810a169eb2 kmac: add long customisation string example
e3c2a55d47 Add additional KMAC error

Build log ended with (last 100 lines):

70-test_sslcertstatus.t  ok
70-test_sslextension.t . ok
70-test_sslmessages.t .. ok
70-test_sslrecords.t ... ok
70-test_sslsessiontick.t ... ok
70-test_sslsigalgs.t ... ok
70-test_sslsignature.t . ok
70-test_sslskewith0p.t . ok
70-test_sslversions.t .. ok
70-test_sslvertol.t  ok
70-test_tls13alerts.t .. ok
70-test_tls13cookie.t .. ok
70-test_tls13downgrade.t ... ok
70-test_tls13hrr.t . ok
70-test_tls13kexmodes.t  ok
70-test_tls13messages.t  ok
70-test_tls13psk.t . ok
70-test_tlsextms.t . ok
70-test_verify_extra.t . ok
70-test_wpacket.t .. ok
71-test_ssl_ctx.t .. ok
80-test_ca.t ... ok
80-test_cipherbytes.t .. ok
80-test_cipherlist.t ... ok
80-test_ciphername.t ... ok

# 
Killing mock server with pid=74398580-test_cmp_http.t . ok

# 80-test_cms.t .. ok
80-test_cmsapi.t ... ok
80-test_ct.t ... ok
80-test_dane.t . ok
80-test_dtls.t . ok
80-test_dtls_mtu.t . ok
80-test_dtlsv1listen.t . ok
80-test_http.t . ok
80-test_ocsp.t . ok
80-test_pkcs12.t ... ok
80-test_ssl_new.t .. ok
80-test_ssl_old.t .. ok
80-test_ssl_test_ctx.t . ok
80-test_sslcorrupt.t ... ok
80-test_tsa.t .. ok
80-test_x509aux.t .. ok
81-test_cmp_cli.t .. ok
90-test_asn1_time.t  ok
90-test_async.t  ok
90-test_bio_enc.t .. ok
90-test_bio_memleak.t .. ok
90-test_constant_time.t  ok
90-test_fatalerr.t . ok
90-test_fipsload.t . ok
90-test_gmdiff.t ... ok
90-test_gost.t . ok
90-test_ige.t .. ok
90-test_includes.t . ok
90-test_memleak.t .. ok
90-test_overhead.t . ok
90-test_secmem.t ... ok
90-test_shlibload.t  ok
90-test_srp.t .. ok
90-test_sslapi.t 

Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoalginit

2021-04-14 Thread OpenSSL run-checker
Platform and configuration command:

$ uname -a
Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-autoalginit

Commit log since last time:

b9cd82f95b 80-test_cmp_http.t: Extend diagnostics of mock server launch
cfe20aee3b 80-test_cmp_http.t: Silence check for availability of 'kill' and 
'lsof' commands
c6df354c2a 80-test_cmp_http.t: Fix resumption when skipping after mock server 
launch failed
aed03a1209 apps/cmp: Add generic random state options, e.g., for nonce 
generation
3206e41c0e openssl-cmp.pod.in: Fix missing provider options description
9518f8957a cmp_util.c: Fix OSSL_CMP_log_open() in case OPENSSL_NO_TRACE
f56c9c7c94 APPS and TEST: Make sure prog name is set for usage output
3ad6030948 APPS: make apps strict on app_RAND_load() and app_RAND_write() 
failure
456541f0b7 Document the invariants for the empty X509_NAME encoding
74bcbea76f X509_NAME_cmp: if canon_enclen is 0 for both names return 0
d32fc2c51b bio_printf: add \0 terminators for error returns in floating point 
conversions.
586d9436c8 bio: note that BIO_sprintf null terminates on insufficient space.
4e1ebda9d9 bio: add a malloc failed error to BIO_print
5c10724387 Add some additional NULL checks to prevent segfaults.
46eee7104d Add domain parameter match check for DH and ECDH key exchange.
0d5bbaaae2 Remove a TODO(3.0) from X509_PUBKEY_set
89947af2c5 crypto: raise error on malloc failure clean a few style nits.
f691578bdc nits: fix a few typo in template code
c6e090fe17 doc: Fix formatting
feba11cf2e Handle set_alpn_protos inputs better.
3ab736acb8 util/wrap.pl: use the apps/openssl.cnf from the source tree
0f10196042 apps: call ERR_print_errors when OSSL_PROVIDER_load fails
b47e7bbc41 Note deprecated function/macros with no replacement.
9acbbbae6b Fix windows compiler error in kmac_prov.c
3fed27181a Add FIPS Self test for AES_ECB decrypt
28fd895305 Remove the function EVP_PKEY_set_alias_type
6878f43002 Update KTLS documentation
a3a54179b6 Only enable KTLS if it is explicitly configured
4ec4b063e0 Always reset IV for CBC, OFB, and CFB mode on cipher context reinit
3f883c7c83 Replace OSSL_PARAM_BLD_free_params() with OSSL_PARAM_free().
884314cab7 Add OSSL_PARAM_dup() and OSSL_PARAM_merge().
d36114d7cd kmac: update the documention for the customisation string maximum 
length
13eaa4ecaa kmac: fix customistation string overflow bug
810a169eb2 kmac: add long customisation string example
e3c2a55d47 Add additional KMAC error

Build log ended with (last 100 lines):

clang  -I. -Icrypto -Iinclude -Iproviders/implementations/include 
-Iproviders/common/include -I../openssl -I../openssl/crypto 
-I../openssl/include -I../openssl/providers/implementations/include 
-I../openssl/providers/common/include  -DMD5_ASM -DOPENSSL_BN_ASM_GF2m 
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_IA32_SSE2 -fPIC -pthread 
-m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED 
-DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter 
-Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat 
-Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes 
-Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality 
-Wno-language-extension-token -Wno-extended-offsetof 
-Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers 
-Wmissing-variable-declarations -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC 
-DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines-3\"" 
-DMODULESDIR="\"/usr/local/lib/ossl-modules\"" -DOPENSSL_BUILDING_OPENSSL  -MMD -MF
providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hmac_md5_hw.d.tmp 
-MT providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hmac_md5_hw.o -c 
-o providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hmac_md5_hw.o 
../openssl/providers/implementations/ciphers/cipher_rc4_hmac_md5_hw.c
clang  -I. -Icrypto -Iinclude -Iproviders/implementations/include 
-Iproviders/common/include -I../openssl -I../openssl/crypto 
-I../openssl/include -I../openssl/providers/implementations/include 
-I../openssl/providers/common/include  -DMD5_ASM -DOPENSSL_BN_ASM_GF2m 
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_IA32_SSE2 -fPIC -pthread 
-m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED 
-DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter 
-Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat 
-Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes 
-Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality 
-Wno-language-extension-token -Wno-extended-offsetof 
-Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers 
-Wmissing-variable-declarations -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC 
-DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines-3\"" 
-DMODUL
 

Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm

2021-04-14 Thread OpenSSL run-checker
Platform and configuration command:

$ uname -a
Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 
x86_64 x86_64 GNU/Linux
$ CC=clang ../openssl/config -d --strict-warnings no-asm

Commit log since last time:

b9cd82f95b 80-test_cmp_http.t: Extend diagnostics of mock server launch
cfe20aee3b 80-test_cmp_http.t: Silence check for availability of 'kill' and 
'lsof' commands
c6df354c2a 80-test_cmp_http.t: Fix resumption when skipping after mock server 
launch failed
aed03a1209 apps/cmp: Add generic random state options, e.g., for nonce 
generation
3206e41c0e openssl-cmp.pod.in: Fix missing provider options description
9518f8957a cmp_util.c: Fix OSSL_CMP_log_open() in case OPENSSL_NO_TRACE
f56c9c7c94 APPS and TEST: Make sure prog name is set for usage output
3ad6030948 APPS: make apps strict on app_RAND_load() and app_RAND_write() 
failure
456541f0b7 Document the invariants for the empty X509_NAME encoding
74bcbea76f X509_NAME_cmp: if canon_enclen is 0 for both names return 0
d32fc2c51b bio_printf: add \0 terminators for error returns in floating point 
conversions.
586d9436c8 bio: note that BIO_sprintf null terminates on insufficient space.
4e1ebda9d9 bio: add a malloc failed error to BIO_print
5c10724387 Add some additional NULL checks to prevent segfaults.
46eee7104d Add domain parameter match check for DH and ECDH key exchange.
0d5bbaaae2 Remove a TODO(3.0) from X509_PUBKEY_set
89947af2c5 crypto: raise error on malloc failure clean a few style nits.
f691578bdc nits: fix a few typo in template code
c6e090fe17 doc: Fix formatting
feba11cf2e Handle set_alpn_protos inputs better.
3ab736acb8 util/wrap.pl: use the apps/openssl.cnf from the source tree
0f10196042 apps: call ERR_print_errors when OSSL_PROVIDER_load fails
b47e7bbc41 Note deprecated function/macros with no replacement.
9acbbbae6b Fix windows compiler error in kmac_prov.c
3fed27181a Add FIPS Self test for AES_ECB decrypt
28fd895305 Remove the function EVP_PKEY_set_alias_type
6878f43002 Update KTLS documentation
a3a54179b6 Only enable KTLS if it is explicitly configured
4ec4b063e0 Always reset IV for CBC, OFB, and CFB mode on cipher context reinit
3f883c7c83 Replace OSSL_PARAM_BLD_free_params() with OSSL_PARAM_free().
884314cab7 Add OSSL_PARAM_dup() and OSSL_PARAM_merge().
d36114d7cd kmac: update the documention for the customisation string maximum 
length
13eaa4ecaa kmac: fix customistation string overflow bug
810a169eb2 kmac: add long customisation string example
e3c2a55d47 Add additional KMAC error

Build log ended with (last 100 lines):

02-test_internal_keymgmt.t . ok
02-test_internal_provider.t  ok
02-test_lhash.t  ok
02-test_ordinals.t . ok
02-test_sparse_array.t . ok
02-test_stack.t  ok
03-test_exdata.t ... ok
03-test_fipsinstall.t .. ok
03-test_internal_asn1.t  ok
03-test_internal_asn1_dsa.t  ok
03-test_internal_bn.t .. ok
03-test_internal_chacha.t .. ok
03-test_internal_curve448.t  ok
03-test_internal_ec.t .. ok
03-test_internal_ffc.t . ok
03-test_internal_mdc2.t  ok
03-test_internal_modes.t ... ok
03-test_internal_namemap.t . ok
03-test_internal_poly1305.t  ok
03-test_internal_rsa_sp800_56b.t ... ok
03-test_internal_siphash.t . ok
03-test_internal_sm2.t . ok
03-test_internal_sm4.t . ok
03-test_internal_ssl_cert_table.t .. ok
03-test_internal_x509.t  ok
03-test_params_api.t ... ok
03-test_property.t . ok
03-test_ui.t ... ok
04-test_asn1_decode.t .. ok
04-test_asn1_encode.t .. ok
04-test_asn1_string_table.t  ok
04-test_bio_callback.t . ok
04-test_bioprint.t . ok
04-test_conf.t . ok
04-test_encoder_decoder.t .. ok
04-test_encoder_decoder_legacy.t ... ok
04-test_err.t .. ok
04-test_hexstring.t  ok
04-test_param_build.t .. ok
04-test_params.t ... ok
04-test_params_conversion.t  ok
04-test_pem_read_depr.t  ok
04-test_pem_reading.t .. ok
04-test_provider.t . ok
04-test_provider_fallback.t  ok
05-test_bf.t ... ok
05-test_cast.t . ok
05-test_cmac.t . ok
05-test_des.t .. ok
05-test_hmac.t . ok
05-test_idea.t . ok
05-test_rand.t . ok
05-test_rc2.t .. ok
05-test_rc4.t .. ok
05-test_rc5.t .. skipped: rc5 is not supported by this 
OpenSSL build
06-test_algorithmid.t .. ok
06-test_rdrand_sanity.t  ok
10-test_bn.t ... ok
10-test_exp.t .. ok
15-test_dh.t 

[openssl] master update

2021-04-14 Thread dev
The branch master has been updated
   via  b9cd82f95bf99eab4e1b0420918e7139db091c4b (commit)
   via  cfe20aee3b84934271ba6ab4a054dc7a7ddebb2e (commit)
   via  c6df354c2a2295ed120161a5a183e885df3ae1a6 (commit)
  from  aed03a12096cbcce30a133c179336072fdad64d1 (commit)


- Log -
commit b9cd82f95bf99eab4e1b0420918e7139db091c4b
Author: Dr. David von Oheimb 
Date:   Sat Apr 3 15:53:16 2021 +0200

80-test_cmp_http.t: Extend diagnostics of mock server launch

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/14839)

commit cfe20aee3b84934271ba6ab4a054dc7a7ddebb2e
Author: Dr. David von Oheimb 
Date:   Sat Apr 3 14:28:17 2021 +0200

80-test_cmp_http.t: Silence check for availability of 'kill' and 'lsof' 
commands

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/14839)

commit c6df354c2a2295ed120161a5a183e885df3ae1a6
Author: Dr. David von Oheimb 
Date:   Sat Apr 3 14:25:54 2021 +0200

80-test_cmp_http.t: Fix resumption when skipping after mock server launch 
failed

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/14839)

---

Summary of changes:
 test/recipes/80-test_cmp_http.t | 9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/test/recipes/80-test_cmp_http.t b/test/recipes/80-test_cmp_http.t
index 80cb6a4122..bfae899040 100644
--- a/test/recipes/80-test_cmp_http.t
+++ b/test/recipes/80-test_cmp_http.t
@@ -34,9 +34,9 @@ plan skip_all => "Tests involving local HTTP server not 
available on Windows, AI
 plan skip_all => "Tests involving local HTTP server not available in 
cross-compile builds"
 if defined $ENV{EXE_SHELL};
 plan skip_all => "Tests involving local HTTP server require 'kill' command"
-if system("which kill");
+if system("which kill >/dev/null");
 plan skip_all => "Tests involving local HTTP server require 'lsof' command"
-if system("which lsof"); # this typically excludes Solaris
+if system("which lsof >/dev/null"); # this typically excludes Solaris
 
 sub chop_dblquot { # chop any leading and trailing '"' (needed for Windows)
 my $str = shift;
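Review bot: Only stdout is redirected in the two availability checks, so on platforms where `which` reports a missing command on stderr the skip path still prints noise. Redirecting both streams would make the check quiet everywhere: `if system("which kill >/dev/null 2>&1");` and likewise for `lsof`. A short comment that a non-zero exit status from `system` is what triggers `skip_all` would also help, since the condition reads inverted at first glance.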
@@ -180,6 +180,7 @@ indir data_dir() => sub {
 $server_name = chop_dblquot($server_name);
 load_config($server_name, $server_name);
 {
+  SKIP: {
 my $pid;
 if ($server_name eq "Mock") {
 indir "Mock" => sub {
@@ -198,6 +199,7 @@ indir data_dir() => sub {
 };
 };
 stop_mock_server($pid) if $pid;
+  }
 }
 };
 };
@@ -277,7 +279,8 @@ sub start_mock_server {
 print "Mock server already running with pid=$pid\n";
 return $pid;
 }
-print "Launching mock server: $cmd\n";
+print "Current directory is ".getcwd()."\n";
+print "Launching mock server listening on port $server_port: $cmd\n";
 return system("$cmd &") == 0 # start in background, check for success
 ? (sleep 1, mock_server_pid()) : 0;
 }


[openssl] master update

2021-04-14 Thread dev
The branch master has been updated
   via  aed03a12096cbcce30a133c179336072fdad64d1 (commit)
   via  3206e41c0eb8ba952cae93786a2477228a951f34 (commit)
   via  9518f8957ae5a156e55117c511996ee1775612a2 (commit)
  from  f56c9c7c942cd82595bb47808c732048141dc72d (commit)


- Log -
commit aed03a12096cbcce30a133c179336072fdad64d1
Author: Dr. David von Oheimb 
Date:   Sat Apr 3 12:19:10 2021 +0200

apps/cmp: Add generic random state options, e.g., for nonce generation

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/14842)

commit 3206e41c0eb8ba952cae93786a2477228a951f34
Author: Dr. David von Oheimb 
Date:   Sat Apr 3 13:08:16 2021 +0200

openssl-cmp.pod.in: Fix missing provider options description

Also correct layout of engines description

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/14842)

commit 9518f8957ae5a156e55117c511996ee1775612a2
Author: Dr. David von Oheimb 
Date:   Sat Apr 3 11:29:54 2021 +0200

cmp_util.c: Fix OSSL_CMP_log_open() in case OPENSSL_NO_TRACE

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/14842)

---

Summary of changes:
 apps/cmp.c  | 27 ++-
 crypto/cmp/cmp_util.c   |  8 ++--
 doc/man1/openssl-cmp.pod.in | 24 ++--
 3 files changed, 46 insertions(+), 13 deletions(-)

diff --git a/apps/cmp.c b/apps/cmp.c
index 53996a7cc8..7cc8988b13 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -222,6 +222,7 @@ typedef enum OPTION_choice {
 OPT_ENGINE,
 #endif
 OPT_PROV_ENUM,
+OPT_R_ENUM,
 
 OPT_TLS_USED, OPT_TLS_CERT, OPT_TLS_KEY,
 OPT_TLS_KEYPASS,
@@ -412,6 +413,7 @@ const OPTIONS cmp_options[] = {
  "Engines may also be defined in OpenSSL config file engine section."},
 #endif
 OPT_PROV_OPTIONS,
+OPT_R_OPTIONS,
 
 OPT_SECTION("TLS connection"),
 {"tls_used", OPT_TLS_USED, '-',
@@ -2058,8 +2060,6 @@ static int read_config(void)
 long num = 0;
 char *txt = NULL;
 const OPTIONS *opt;
-int provider_option;
-int verification_option;
 int start = OPT_VERBOSITY;
 /*
  * starting with offset OPT_VERBOSITY because OPT_CONFIG and OPT_SECTION
@@ -2075,19 +2075,23 @@ static int read_config(void)
 n_options--;
 OPENSSL_assert(OSSL_NELEM(cmp_vars) == n_options
  + OPT_PROV__FIRST + 1 - OPT_PROV__LAST
+ + OPT_R__FIRST + 1 - OPT_R__LAST
  + OPT_V__FIRST + 1 - OPT_V__LAST);
 for (i = start - OPT_HELP, opt = _options[start];
  opt->name; i++, opt++) {
-if (!strcmp(opt->name, OPT_SECTION_STR)
-|| !strcmp(opt->name, OPT_MORE_STR)) {
+int provider_option = (OPT_PROV__FIRST <= opt->retval
+   && opt->retval < OPT_PROV__LAST);
+int rand_state_option = (OPT_R__FIRST <= opt->retval
+ && opt->retval < OPT_R__LAST);
+int verification_option = (OPT_V__FIRST <= opt->retval
+   && opt->retval < OPT_V__LAST);
+
+if (strcmp(opt->name, OPT_SECTION_STR) == 0
+|| strcmp(opt->name, OPT_MORE_STR) == 0) {
 i--;
 continue;
 }
-provider_option = (OPT_PROV__FIRST <= opt->retval
-   && opt->retval < OPT_PROV__LAST);
-verification_option = (OPT_V__FIRST <= opt->retval
-   && opt->retval < OPT_V__LAST);
-if (provider_option || verification_option)
+if (provider_option || rand_state_option || verification_option)
 i--;
 switch (opt->valtype) {
 case '-':
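Review bot: Entries flagged by `rand_state_option` give up their `cmp_vars` slot through `i--`, but nothing in this hunk shows where a value read from the config file for them is applied. The get_opts() hunk further down handles only the command line via `opt_rand(o)`. If the code after the `switch` forwards only provider and verification options, a random-state setting in the config section would be parsed and then silently ignored, so please confirm that path passes them to opt_rand() or rejects them with a message. A comment next to the three range tests, e.g. `/* these option groups have no cmp_vars entry; they are handed to their own parsers below */`, would make the `i--` easier to follow. read_config() continues outside the hunk.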
@@ -2099,6 +2103,7 @@ static int read_config(void)
 }
 break;
 case 's':
+case '>':
 case 'M':
 txt = conf_get_string(conf, opt_section, opt->name);
 if (txt == NULL) {
@@ -2415,6 +2420,10 @@ static int get_opts(int argc, char **argv)
 if (!opt_provider(o))
 goto opthelp;
 break;
+case OPT_R_CASES:
+if (!opt_rand(o))
+goto opthelp;
+break;
 
 case OPT_BATCH:
 opt_batch = 1;
diff --git a/crypto/cmp/cmp_util.c b/crypto/cmp/cmp_util.c
index eef297d50b..56f2b0eeb8 100644
--- a/crypto/cmp/cmp_util.c
+++ b/crypto/cmp/cmp_util.c
@@ -22,15 +22,19 @@
 
 int OSSL_CMP_log_open(void) /* is designed to be idempotent */
 {
-#ifndef OPENSSL_NO_STDIO
+#ifdef OPENSSL_NO_TRACE
+return 1;
+#else
+# ifndef OPENSSL_NO_STDIO
 BIO *bio = BIO_new_fp(stdout, BIO_NOCLOSE);
 
 if (bio != NULL && OSSL_trace_set_channel(OSSL_TRACE_CATEGORY_CMP, bio))
 return 1;
 BIO_free(bio);
-#endif
+# endif
 

[openssl] master update

2021-04-14 Thread dev
The branch master has been updated
   via  f56c9c7c942cd82595bb47808c732048141dc72d (commit)
  from  3ad6030948ac999de165f6185116459d74644e8d (commit)


- Log -
commit f56c9c7c942cd82595bb47808c732048141dc72d
Author: Dr. David von Oheimb 
Date:   Sat Apr 3 14:05:09 2021 +0200

APPS and TEST: Make sure prog name is set for usage output

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/14841)

---

Summary of changes:
 apps/cmp.c | 2 +-
 apps/lib/opt.c | 3 +++
 test/evp_fetch_prov_test.c | 3 +--
 test/evp_test.c| 3 +--
 test/testutil.h| 8 
 5 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/apps/cmp.c b/apps/cmp.c
index 135c509831..53996a7cc8 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -2536,8 +2536,8 @@ int cmp_main(int argc, char **argv)
 char mock_server[] = "mock server:1";
 int ret = 0; /* default: failure */
 
+prog = opt_appname(argv[0]);
 if (argc <= 1) {
-prog = opt_appname(argv[0]);
 opt_help(cmp_options);
 goto err;
 }
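Review bot: `argv[0]` is now read before the `argc <= 1` test, so a caller that passes an empty argument vector hands NULL to opt_appname(). Whether that helper tolerates NULL is not visible here. The same unchecked `argv[0]` read is added in the opt_init() hunk of apps/lib/opt.c, where the parameters are named `ac`/`av` and `argv` is presumably the file-scope copy assigned above the hunk. A guard such as `if (argc > 0 && argv[0] != NULL)` around the call, or a NULL check inside the helper, would make both sites robust. Both function bodies continue outside their hunks.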
diff --git a/apps/lib/opt.c b/apps/lib/opt.c
index 8cc520daec..4077cf2936 100644
--- a/apps/lib/opt.c
+++ b/apps/lib/opt.c
@@ -162,6 +162,9 @@ char *opt_init(int ac, char **av, const OPTIONS *o)
 opts = o;
 unknown = NULL;
 
+/* Make sure prog name is set for usage output */
+(void)opt_progname(argv[0]);
+
 /* Check all options up until the PARAM marker (if present) */
 for (; o->name != NULL && o->name != OPT_PARAM_STR; ++o) {
 #ifndef NDEBUG
diff --git a/test/evp_fetch_prov_test.c b/test/evp_fetch_prov_test.c
index 18e57c76c6..ec339ebbc3 100644
--- a/test/evp_fetch_prov_test.c
+++ b/test/evp_fetch_prov_test.c
@@ -47,8 +47,7 @@ const OPTIONS *test_get_options(void)
 { "fetchfail", OPT_FETCH_FAILURE, '-', "fetch is expected to fail" },
 { "defaultctx", OPT_USE_DEFAULTCTX, '-',
   "Use the default context if this is set" },
-{ OPT_HELP_STR, 1, '-',
-  "file\tProvider names to explicitly load\n" },
+{ OPT_HELP_STR, 1, '-', "file\tProvider names to explicitly load\n" },
 { NULL }
 };
 return test_options;
diff --git a/test/evp_test.c b/test/evp_test.c
index a7a3cc4bb3..503aaa0e8e 100644
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -3570,8 +3570,7 @@ const OPTIONS *test_get_options(void)
 OPT_TEST_OPTIONS_WITH_EXTRA_USAGE("[file...]\n"),
 { "config", OPT_CONFIG_FILE, '<',
   "The configuration file to use for the libctx" },
-{ OPT_HELP_STR, 1, '-',
-  "file\tFile to run tests on.\n" },
+{ OPT_HELP_STR, 1, '-', "file\tFile to run tests on.\n" },
 { NULL }
 };
 return test_options;
diff --git a/test/testutil.h b/test/testutil.h
index 8457a2a384..9311e2ce58 100644
--- a/test/testutil.h
+++ b/test/testutil.h
@@ -174,9 +174,9 @@
  * the test system.
  *
  * Tests that need to use opt_next() need to specify
- *  (1) test_get_options() containing an options[] (Which should include either
- *OPT_TEST_OPTIONS_DEFAULT_USAGE OR
- *OPT_TEST_OPTIONS_WITH_EXTRA_USAGE).
+ *  (1) test_get_options() containing an options[] which should include either
+ *OPT_TEST_OPTIONS_DEFAULT_USAGE or
+ *OPT_TEST_OPTIONS_WITH_EXTRA_USAGE(...).
  *  (2) An enum outside the test_get_options() which contains OPT_TEST_ENUM, as
  *  well as the additional options that need to be handled.
  *  (3) case OPT_TEST_CASES: break; inside the opt_next() handling code.
@@ -232,7 +232,7 @@ void cleanup_tests(void);
  * Used to supply test specific command line options,
  * If non optional parameters are used, then the first entry in the OPTIONS[]
  * should contain:
- * { OPT_HELP_STR, 1, '-', "list of non optional commandline params\n"},
+ * { OPT_HELP_STR, 1, '-', "\n"},
  * The last entry should always be { NULL }.
  *
  * Run the test locally using './test/test_name -help' to check the usage.


[openssl] master update

2021-04-14 Thread dev
The branch master has been updated
   via  3ad6030948ac999de165f6185116459d74644e8d (commit)
  from  456541f0b7c7a4ca8c1c99740fff1bedcc4c9244 (commit)


- Log -
commit 3ad6030948ac999de165f6185116459d74644e8d
Author: Dr. David von Oheimb 
Date:   Sat Apr 3 12:53:51 2021 +0200

APPS: make apps strict on app_RAND_load() and app_RAND_write() failure

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/14840)

---

Summary of changes:
 apps/ca.c   |  3 ++-
 apps/cmp.c  |  2 ++
 apps/cms.c  |  4 +++-
 apps/dgst.c |  4 +++-
 apps/dhparam.c  |  4 ++--
 apps/dsaparam.c |  3 ++-
 apps/ecparam.c  |  4 +++-
 apps/enc.c  |  3 ++-
 apps/gendsa.c   |  4 +++-
 apps/genrsa.c   |  4 +++-
 apps/include/apps.h |  2 +-
 apps/include/opt.h  |  2 +-
 apps/lib/app_rand.c | 11 ++-
 apps/openssl.c  |  3 ++-
 apps/passwd.c   |  4 +++-
 apps/pkcs12.c   |  4 +++-
 apps/pkcs8.c|  4 +++-
 apps/pkeyutl.c  |  3 ++-
 apps/rand.c |  4 +++-
 apps/req.c  |  4 +++-
 apps/rsautl.c   |  4 +++-
 apps/s_client.c |  3 ++-
 apps/s_server.c |  4 +++-
 apps/smime.c|  4 +++-
 apps/speed.c|  4 +++-
 apps/srp.c  |  4 +++-
 apps/ts.c   |  4 +++-
 apps/x509.c |  4 +++-
 28 files changed, 75 insertions(+), 32 deletions(-)

diff --git a/apps/ca.c b/apps/ca.c
index 268bd76912..cec5c8f1ac 100755
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -521,7 +521,8 @@ end_of_options:
 goto end;
 
 app_RAND_load_conf(conf, BASE_SECTION);
-app_RAND_load();
+if (!app_RAND_load())
+goto end;
 
 f = NCONF_get_string(conf, section, STRING_MASK);
 if (f == NULL)
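Review bot: The new `goto end` on app_RAND_load() failure only produces a failing exit status if `ret` still holds its failure value at this point, and the hunk does not show that. The same applies to the matching hunks in apps/cms.c, apps/dgst.c, apps/dhparam.c, apps/dsaparam.c, apps/ecparam.c, apps/enc.c and apps/gendsa.c. The apps/cmp.c hunk sets `ret = 0` just before the check, and elsewhere in that file 0 is commented as the failure default. It is also not visible whether app_RAND_load() itself reports which seed source could not be read; if it does not, each site should print a diagnostic before jumping. In this file the `app_RAND_load_conf(conf, BASE_SECTION)` call on the preceding context line is still unchecked, so if it can fail it should follow the same fail-closed policy. A one-line comment such as `/* fail closed: do not continue if the requested random seed input could not be loaded */` would record the intent.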
diff --git a/apps/cmp.c b/apps/cmp.c
index 8a996f6dce..135c509831 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -2603,6 +2603,8 @@ int cmp_main(int argc, char **argv)
 if (ret <= 0)
 goto err;
 ret = 0;
+if (!app_RAND_load())
+goto err;
 
 if (opt_batch)
 set_base_ui_method(UI_null());
diff --git a/apps/cms.c b/apps/cms.c
index b03e981a56..56f0b37bbf 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -697,7 +697,9 @@ int cms_main(int argc, char **argv)
 break;
 }
 }
-app_RAND_load();
+if (!app_RAND_load())
+goto end;
+
 if (digestname != NULL) {
 if (!opt_md(digestname, _md))
 goto end;
diff --git a/apps/dgst.c b/apps/dgst.c
index 891cf79279..20626c2b32 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -225,7 +225,9 @@ int dgst_main(int argc, char **argv)
 BIO_printf(bio_err, "%s: Can only sign or verify one file.\n", prog);
 goto end;
 }
-app_RAND_load();
+if (!app_RAND_load())
+goto end;
+
 if (digestname != NULL) {
 if (!opt_md(digestname, ))
 goto opthelp;
diff --git a/apps/dhparam.c b/apps/dhparam.c
index 136dbcff64..b43935eb7f 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -158,8 +158,8 @@ int dhparam_main(int argc, char **argv)
 } else if (argc != 0) {
 goto opthelp;
 }
-app_RAND_load();
-
+if (!app_RAND_load())
+goto end;
 
 if (g && !num)
 num = DEFBITS;
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index c83d1fff41..a38dceb255 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -135,7 +135,8 @@ int dsaparam_main(int argc, char **argv)
 } else if (argc != 0) {
 goto opthelp;
 }
-app_RAND_load();
+if (!app_RAND_load())
+goto end;
 
 /* generate a key */
 numbits = num;
diff --git a/apps/ecparam.c b/apps/ecparam.c
index fc19ab6bf9..c99b8cc909 100644
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -190,7 +190,9 @@ int ecparam_main(int argc, char **argv)
 if (argc != 0)
 goto opthelp;
 
-app_RAND_load();
+if (!app_RAND_load())
+goto end;
+
 private = genkey ? 1 : 0;
 
 in = bio_open_default(infile, 'r', informat);
diff --git a/apps/enc.c b/apps/enc.c
index 498d0d500b..3647a1ce61 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -293,7 +293,8 @@ int enc_main(int argc, char **argv)
 argc = opt_num_rest();
 if (argc != 0)
 goto opthelp;
-app_RAND_load();
+if (!app_RAND_load())
+goto end;
 
 /* Get the cipher name, either from progname (if set) or flag. */
 if (ciphername != NULL) {
diff --git a/apps/gendsa.c b/apps/gendsa.c
index 482191d8bf..97904d2c82 100644
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -107,7 +107,9 @@ int gendsa_main(int argc, char **argv)
 goto opthelp;
 dsaparams = argv[0];
 
-app_RAND_load();
+if (!app_RAND_load())
+goto end;
+
 if (ciphername != NULL) {
 if (!opt_cipher(ciphername, ))
 goto end;
diff --git a/apps/genrsa.c b/apps/genrsa.c
index 469b0a0b2f..ab991d2385 100644
--- 

Build completed: openssl master.41448

2021-04-14 Thread AppVeyor


Build openssl master.41448 completed



Commit 7e13baa6b0 by fangming.fang on 3/19/2021 6:45 AM:

Optimize RSA on armv8





[openssl] master update

2021-04-14 Thread tomas
The branch master has been updated
   via  456541f0b7c7a4ca8c1c99740fff1bedcc4c9244 (commit)
   via  74bcbea76ff180c3eb27a141be99b7b577eec81c (commit)
  from  d32fc2c51b74c135ae09c3bb04ebe5781edd7571 (commit)


- Log -
commit 456541f0b7c7a4ca8c1c99740fff1bedcc4c9244
Author: Tomas Mraz 
Date:   Mon Apr 12 19:22:04 2021 +0200

Document the invariants for the empty X509_NAME encoding

Reviewed-by: David von Oheimb 
(Merged from https://github.com/openssl/openssl/pull/14832)

commit 74bcbea76ff180c3eb27a141be99b7b577eec81c
Author: Tomas Mraz 
Date:   Mon Apr 12 09:58:27 2021 +0200

X509_NAME_cmp: if canon_enclen is 0 for both names return 0

We do not care whether canon_enc is NULL in this case.

Fixes #14813

Reviewed-by: David von Oheimb 
(Merged from https://github.com/openssl/openssl/pull/14832)

---

Summary of changes:
 crypto/x509/x509_cmp.c | 7 +--
 crypto/x509/x_name.c   | 1 +
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 51dc24b6fb..0cc5ed7f5f 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -269,11 +269,14 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
 return -2;
 }
 
+ret = a->canon_enclen - b->canon_enclen;
+if (ret == 0 && a->canon_enclen == 0)
+return 0;
+
 if (a->canon_enc == NULL || b->canon_enc == NULL)
 return -2;
 
-ret = a->canon_enclen - b->canon_enclen;
-if (ret == 0 && a->canon_enclen != 0)
+if (ret == 0)
 ret = memcmp(a->canon_enc, b->canon_enc, a->canon_enclen);
 
 return ret < 0 ? -1 : ret > 0;
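Review bot: The `canon_enc == NULL` test still runs before the length difference is used. Comparing an empty name (which, per the NOTE this commit adds in x_name.c, has `canon_enc == NULL`) against a non-empty one therefore returns -2 in both argument orders rather than an ordering. Callers that treat -2 as an error, or that use this function as a sort comparator, would see an ordinary "names differ" case as a failure. Moving the NULL test under the equal-length branch, i.e. `if (ret == 0) {` followed by `if (a->canon_enc == NULL || b->canon_enc == NULL) return -2;` and then the memcmp(), keeps the error return for the genuinely inconsistent case only. The function starts above the hunk.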
diff --git a/crypto/x509/x_name.c b/crypto/x509/x_name.c
index 7b59b71ffb..6e9b46005e 100644
--- a/crypto/x509/x_name.c
+++ b/crypto/x509/x_name.c
@@ -298,6 +298,7 @@ static int x509_name_ex_print(BIO *out, const ASN1_VALUE 
**pval,
  * comparison of Name structures can be rapidly performed by just using
  * memcmp() of the canonical encoding. By omitting the leading SEQUENCE name
  * constraints of type dirName can also be checked with a simple memcmp().
+ * NOTE: For empty X509_NAME (NULL-DN), canon_enclen == 0 && canon_enc == NULL
  */
 
 static int x509_name_canon(X509_NAME *a)


Build failed: openssl master.41447

2021-04-14 Thread AppVeyor



Build openssl master.41447 failed


Commit 9c09311f05 by Richard Levitte on 4/13/2021 5:26 AM:

fixup! Adapt our decoder implementations to the new way to indicate succes / failure





[openssl] master update

2021-04-14 Thread Dr . Paul Dale
The branch master has been updated
   via  d32fc2c51b74c135ae09c3bb04ebe5781edd7571 (commit)
   via  586d9436c807f5ee5aa82dab79cc6ee40b28bb3e (commit)
   via  4e1ebda9d9f079ba25638aa8b61393865520c2b1 (commit)
  from  5c107243877121f84037a5aaf19457f87458e8ed (commit)


- Log -
commit d32fc2c51b74c135ae09c3bb04ebe5781edd7571
Author: Pauli 
Date:   Tue Apr 13 07:47:31 2021 +1000

bio_printf: add \0 terminators for error returns in floating point 
conversions.

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/14829)

commit 586d9436c807f5ee5aa82dab79cc6ee40b28bb3e
Author: Pauli 
Date:   Mon Apr 12 13:52:19 2021 +1000

bio: note that BIO_sprintf null terminates on insufficient space.

Fixes: #14772

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/14829)

commit 4e1ebda9d9f079ba25638aa8b61393865520c2b1
Author: Pauli 
Date:   Mon Apr 12 11:36:50 2021 +1000

bio: add a malloc failed error to BIO_print

Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/14829)

---

Summary of changes:
 crypto/bio/b_print.c| 14 ++
 doc/man3/BIO_printf.pod | 14 ++
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c
index 08d43d3bd5..2f012f42f2 100644
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -620,6 +620,7 @@ fmtfp(char **sbuffer,
 /*
  * Should not happen. If we're in F_FORMAT then exp < max?
  */
+(void)doapr_outch(sbuffer, buffer, currlen, maxlen, '\0');
 return 0;
 }
 } else {
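Review bot: The added `(void)doapr_outch(sbuffer, buffer, currlen, maxlen, '\0');` before `return 0` carries no comment saying why a failing path still writes to the output buffer, and the same line is repeated at the "Number too big" and "Exponent is huge" exits in the next two hunks. A short comment at each site would keep a later cleanup from removing it, for example `/* best effort: leave the partial output NUL-terminated for callers that read the buffer after a failure */`. The `(void)` cast also discards a second possible failure, so the terminator is not guaranteed when doapr_outch itself cannot store the byte (for instance on the allocation failure shown in the doapr_outch hunk below); callers still have to treat a 0 return as "contents undefined". fmtfp's body starts and ends outside this hunk.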
@@ -641,6 +642,7 @@ fmtfp(char **sbuffer,
  */
 if (ufvalue >= (double)(ULONG_MAX - 65535) + 65536.0) {
 /* Number too big */
+(void)doapr_outch(sbuffer, buffer, currlen, maxlen, '\0');
 return 0;
 }
 intpart = (unsigned long)ufvalue;
@@ -704,8 +706,10 @@ fmtfp(char **sbuffer,
 tmpexp = (tmpexp / 10);
 } while (tmpexp > 0 && eplace < (int)sizeof(econvert));
 /* Exponent is huge!! Too big to print */
-if (tmpexp > 0)
+if (tmpexp > 0) {
+(void)doapr_outch(sbuffer, buffer, currlen, maxlen, '\0');
 return 0;
+}
 /* Add a leading 0 for single digit exponents */
 if (eplace == 1)
 econvert[eplace++] = '0';
@@ -835,9 +839,12 @@ doapr_outch(char **sbuffer,
 *sbuffer = NULL;
 } else {
 char *tmpbuf;
+
 tmpbuf = OPENSSL_realloc(*buffer, *maxlen);
-if (tmpbuf == NULL)
+if (tmpbuf == NULL) {
+ERR_raise(ERR_LIB_BIO, ERR_R_MALLOC_FAILURE);
 return 0;
+}
 *buffer = tmpbuf;
 }
 }
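Review bot: The new `ERR_raise(ERR_LIB_BIO, ERR_R_MALLOC_FAILURE);` covers the realloc branch, but nothing here says what state the caller is left in after the `return 0`. Because the result goes to `tmpbuf` first, `*buffer` still points at the old allocation and the caller must still free it; a one-line comment such as `/* *buffer is unchanged and still owned by the caller */` would make that explicit. `*maxlen` is passed as the new size, so if it was raised above this hunk (not visible here) it overstates the allocation after a failed realloc. It is worth confirming that no caller writes through doapr_outch again after a 0 return, given that this commit adds `(void)doapr_outch(...)` calls on fmtfp's error exits. doapr_outch starts and ends outside the hunk.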
@@ -929,6 +936,5 @@ int BIO_vsnprintf(char *buf, size_t n, const char *format, 
va_list args)
  * been large enough.)
  */
 return -1;
-else
-return (retlen <= INT_MAX) ? (int)retlen : -1;
+return (retlen <= INT_MAX) ? (int)retlen : -1;
 }
diff --git a/doc/man3/BIO_printf.pod b/doc/man3/BIO_printf.pod
index 2d7c230308..ce3e6b31ad 100644
--- a/doc/man3/BIO_printf.pod
+++ b/doc/man3/BIO_printf.pod
@@ -18,16 +18,16 @@ BIO_printf, BIO_vprintf, BIO_snprintf, BIO_vsnprintf
 =head1 DESCRIPTION
 
 BIO_printf() is similar to the standard C printf() function, except that
-the output is sent to the specified BIO, B, rather than standard
+the output is sent to the specified BIO, I, rather than standard
 output.  All common format specifiers are supported.
 
 BIO_vprintf() is similar to the vprintf() function found on many platforms,
-the output is sent to the specified BIO, B, rather than standard
+the output is sent to the specified BIO, I, rather than standard
 output.  All common format specifiers are supported. The argument
-list B is a stdarg argument list.
+list I is a stdarg argument list.
 
 BIO_snprintf() is for platforms that do not have the common snprintf()
-function. It is like sprintf() except that the size parameter, B,
+function. It is like sprintf() except that the size parameter, I,
 specifies the size of the output buffer.
 
 BIO_vsnprintf() is to BIO_snprintf() as BIO_vprintf() is to BIO_printf().
@@ -38,6 +38,12 @@ All functions return the number of bytes written, or -1 on 
error.
 For BIO_snprintf() and BIO_vsnprintf() this includes when the output
 buffer is too small.
 
+=head1 NOTES
+
+Except when I is 0, both BIO_snprintf() and BIO_vsnprintf() terminate
+their output with C<'\0'> even when there is insufficient space to output
+the whole string.
+
 =head1 COPYRIGHT
 
 Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.


[openssl] master update

2021-04-14 Thread shane . lontis
The branch master has been updated
   via  5c107243877121f84037a5aaf19457f87458e8ed (commit)
  from  46eee7104d77f9d303e06a398febdc60fd014d33 (commit)


- Log -
commit 5c107243877121f84037a5aaf19457f87458e8ed
Author: Shane Lontis 
Date:   Mon Apr 12 11:19:21 2021 +1000

Add some additional NULL checks to prevent segfaults.

Fixes #14809

PR #14752 attempted to pass the libctx, propq in a few places related to
X509 signing. There were a few places that needed additional NULL checks so
that they behave the same as they did before.

OCSP_basic_sign() was changed to call EVP_DigestSignInit_ex() which passed
the parameter EVP_MD_name(dgst). Since dgst can be NULL, EVP_MD_name() was
segfaulting.
Adding an additional NULL check to EVP_MD_name() resolves this issue.

The other NULL checks are required to produce errors rather than
segfaults if the certificate is NULL.

Reviewed-by: Tomas Mraz 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/14826)

---

Summary of changes:
 crypto/evp/evp_lib.c   | 2 ++
 crypto/ocsp/ocsp_srv.c | 4 
 crypto/x509/x_crl.c| 6 +++---
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index a707285c91..6c578bd8ba 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -701,6 +701,8 @@ const char *EVP_MD_description(const EVP_MD *md)
 
 const char *EVP_MD_name(const EVP_MD *md)
 {
+if (md == NULL)
+return NULL;
 if (md->prov != NULL)
 return evp_first_name(md->prov, md->name_id);
 #ifndef FIPS_MODULE
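Review bot: With the added `if (md == NULL) return NULL;`, EVP_MD_name() can now hand back NULL where it previously crashed, and that contract is not documented at the function. Callers that pass the result to a `%s` format or to strcmp() only move the NULL dereference one step downstream, so I would add a comment above the function such as `/* Returns NULL if md is NULL; callers must check before using the result as a string */` and mirror it in the man page. EVP_MD_description(), named in the hunk header, may want the same guard; its body is not in this hunk, so that needs checking. The rest of EVP_MD_name's body continues past the hunk.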
diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
index 4187446e1c..1475bb0f7e 100644
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -278,6 +278,8 @@ int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 
*cert,
 
 int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert)
 {
+if (cert == NULL)
+return 0;
 return OCSP_RESPID_set_by_key_ex(respid, cert, cert->libctx, cert->propq);
 }
 
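Review bot: The new `if (cert == NULL) return 0;` in OCSP_RESPID_set_by_key() fails silently, although the commit message says these checks are there to produce errors rather than segfaults. Raising a reason before returning, `ERR_raise(ERR_LIB_OCSP, ERR_R_PASSED_NULL_PARAMETER);`, would let the caller tell a NULL argument apart from other failures. The same guard in OCSP_RESPID_match() in the next hunk also returns 0, which there is indistinguishable from "responder ID does not match"; if queuing an error is not wanted, a comment stating that a NULL cert is reported as no match would be enough.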
@@ -319,5 +321,7 @@ int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, 
OSSL_LIB_CTX *libctx,
 
 int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert)
 {
+if (cert == NULL)
+return 0;
 return OCSP_RESPID_match_ex(respid, cert, cert->libctx, cert->propq);
 }
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index 4b90e5b756..d77746a2b2 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -393,9 +393,9 @@ int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED 
**ret, X509 *x)
 
 static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r)
 {
-return (ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_CRL_INFO),
->sig_alg, >signature, >crl, 
NULL,
-r, crl->libctx, crl->propq));
+return ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_CRL_INFO),
+   >sig_alg, >signature, >crl, NULL,
+   r, crl->libctx, crl->propq);
 }
 
 static int crl_revoked_issuer_match(X509_CRL *crl, const X509_NAME *nm,


[openssl] master update

2021-04-14 Thread shane . lontis
The branch master has been updated
   via  46eee7104d77f9d303e06a398febdc60fd014d33 (commit)
  from  0d5bbaaae2c65ddf7a30596b61617304e0950d9c (commit)


- Log -
commit 46eee7104d77f9d303e06a398febdc60fd014d33
Author: Shane Lontis 
Date:   Mon Apr 12 09:06:24 2021 +1000

Add domain parameter match check for DH and ECDH key exchange.

Fixes #14808

Validation checks were moved into EVP_PKEY_derive_set_peer() which broke
an external negative test. Originally the old code was semi-working by
checking that the peer's public key was in the range of the other party's p.
It was not actually ever checking that the domain parameters were consistent
between the 2 parties. It now checks that the parameters match as well as
validating the peer's public key.

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/14823)

---

Summary of changes:
 crypto/err/openssl.txt |   1 +
 include/openssl/proverr.h  |   1 +
 providers/common/provider_err.c|   2 +
 providers/implementations/exchange/dh_exch.c   |  16 +++
 providers/implementations/exchange/ecdh_exch.c |  27 +++-
 test/evp_test.c|   8 +-
 test/recipes/30-test_evp.t |   7 +-
 test/recipes/30-test_evp_data/evppkey_dh.txt   | 167 +
 test/recipes/30-test_evp_data/evppkey_ecdh.txt |   9 +-
 9 files changed, 232 insertions(+), 6 deletions(-)
 create mode 100644 test/recipes/30-test_evp_data/evppkey_dh.txt

diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index ee17b68405..eed0b71ada 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1007,6 +1007,7 @@ PROV_R_IN_ERROR_STATE:192:in error state
 PROV_R_KEY_SETUP_FAILED:101:key setup failed
 PROV_R_KEY_SIZE_TOO_SMALL:171:key size too small
 PROV_R_LENGTH_TOO_LARGE:202:length too large
+PROV_R_MISMATCHING_DOMAIN_PARAMETERS:203:mismatching domain parameters
 PROV_R_MISSING_CEK_ALG:144:missing cek alg
 PROV_R_MISSING_CIPHER:155:missing cipher
 PROV_R_MISSING_CONFIG_DATA:213:missing config data
diff --git a/include/openssl/proverr.h b/include/openssl/proverr.h
index c40815a03b..29301124ec 100644
--- a/include/openssl/proverr.h
+++ b/include/openssl/proverr.h
@@ -80,6 +80,7 @@
 # define PROV_R_KEY_SETUP_FAILED  101
 # define PROV_R_KEY_SIZE_TOO_SMALL171
 # define PROV_R_LENGTH_TOO_LARGE  202
+# define PROV_R_MISMATCHING_DOMAIN_PARAMETERS 203
 # define PROV_R_MISSING_CEK_ALG   144
 # define PROV_R_MISSING_CIPHER155
 # define PROV_R_MISSING_CONFIG_DATA   213
diff --git a/providers/common/provider_err.c b/providers/common/provider_err.c
index dd1a98f935..8b5d0008f9 100644
--- a/providers/common/provider_err.c
+++ b/providers/common/provider_err.c
@@ -111,6 +111,8 @@ static const ERR_STRING_DATA PROV_str_reasons[] = {
 {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_KEY_SIZE_TOO_SMALL),
 "key size too small"},
 {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_LENGTH_TOO_LARGE), "length too large"},
+{ERR_PACK(ERR_LIB_PROV, 0, PROV_R_MISMATCHING_DOMAIN_PARAMETERS),
+"mismatching shared parameters"},
 {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_MISSING_CEK_ALG), "missing cek alg"},
 {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_MISSING_CIPHER), "missing cipher"},
 {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_MISSING_CONFIG_DATA),
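Review bot: The reason string added here is `"mismatching shared parameters"`, while the entry added to crypto/err/openssl.txt in the same commit reads `mismatching domain parameters`. Logs and tests that match on the reason text will see a different string from the one in the registry. If provider_err.c is regenerated from openssl.txt, as it appears to be, the text will also change under them. The line should read `"mismatching domain parameters"},`.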
diff --git a/providers/implementations/exchange/dh_exch.c 
b/providers/implementations/exchange/dh_exch.c
index 87eb17dd60..0ecc6c7a4c 100644
--- a/providers/implementations/exchange/dh_exch.c
+++ b/providers/implementations/exchange/dh_exch.c
@@ -108,6 +108,21 @@ static int dh_init(void *vpdhctx, void *vdh, const 
OSSL_PARAM params[])
 return dh_set_ctx_params(pdhctx, params) && ossl_dh_check_key(vdh);
 }
 
+/* The 2 parties must share the same domain parameters */
+static int dh_match_params(DH *priv, DH *peer)
+{
+int ret;
+FFC_PARAMS *dhparams_priv = ossl_dh_get0_params(priv);
+FFC_PARAMS *dhparams_peer = ossl_dh_get0_params(peer);
+
+ret = dhparams_priv != NULL
+  && dhparams_peer != NULL
+  && ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, 1);
+if (!ret)
+ERR_raise(ERR_LIB_PROV, PROV_R_MISMATCHING_DOMAIN_PARAMETERS);
+return ret;
+}
+
 static int dh_set_peer(void *vpdhctx, void *vdh)
 {
 PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
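Review bot: The literal `1` passed as the last argument of `ossl_ffc_params_cmp(dhparams_priv, dhparams_peer, 1)` is unexplained, so a reader cannot tell from dh_match_params() which domain parameters are actually compared. If that flag tells the helper to skip q (its definition is not in this hunk), say so in a comment such as `/* compare p and g only; q is ignored because <reason> */`, with the reason filled in. The function also raises PROV_R_MISMATCHING_DOMAIN_PARAMETERS when either side has no parameters at all, which reports a missing-parameters condition as a mismatch. A comment noting that this is intentional would help whoever triages the error.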
@@ -115,6 +130,7 @@ static int dh_set_peer(void *vpdhctx, void *vdh)
 if (!ossl_prov_is_running()
 || pdhctx == NULL
 || vdh == NULL
+|| !dh_match_params(vdh, pdhctx->dh)
 || !DH_up_ref(vdh))
 return 0;
 DH_free(pdhctx->dhpeer);
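Review bot: The call `dh_match_params(vdh, pdhctx->dh)` passes the peer key as the parameter named `priv` and the local key as `peer`, the reverse of the helper's signature in the previous hunk. The comparison looks symmetric, so the result is probably unaffected, but `dh_match_params(pdhctx->dh, vdh)` would match the names. `pdhctx->dh` is also used here without the NULL check that `vdh` gets. Whether ossl_dh_get0_params() tolerates a NULL DH is not visible, so either guard it with `|| pdhctx->dh == NULL` or add a comment that dh_init() always runs first. dh_set_peer continues beyond this hunk.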
diff --git