[openssl] master update
The branch master has been updated via 4ccad35756dfa9df657f3853810101fa9d6ca525 (commit) from bd32bdb8b2a0f98d99b21e1b4d68dfaf1bd5584d (commit) - Log - commit 4ccad35756dfa9df657f3853810101fa9d6ca525 Author: Tomas Mraz Date: Wed Aug 11 18:46:07 2021 +0200 Correct documentation errors in regards to UTF8 params This fixes numerous bugs in documentation in regards to UTF8 params and their sizes. The returned size should always be without the terminating NUL byte. On the other hand on the requestor side the size of the buffer should include the NUL byte if it expects it being included in the returned string. Also make this clear in the EVP_PKEY_get_group_name() documentation which uses utf8 string params under the hood. Fixes #16287 Reviewed-by: Viktor Dukhovni Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/16296) --- Summary of changes: doc/man3/EVP_PKEY_fromdata.pod| 2 +- doc/man3/EVP_PKEY_get_group_name.pod | 4 ++-- doc/man3/EVP_PKEY_gettable_params.pod | 3 ++- doc/man3/OSSL_PARAM.pod | 8 doc/man3/OSSL_PARAM_BLD.pod | 6 -- doc/man3/OSSL_PARAM_int.pod | 13 +++-- 6 files changed, 20 insertions(+), 16 deletions(-) diff --git a/doc/man3/EVP_PKEY_fromdata.pod b/doc/man3/EVP_PKEY_fromdata.pod index d24fb34a25..107ebf82a0 100644 --- a/doc/man3/EVP_PKEY_fromdata.pod +++ b/doc/man3/EVP_PKEY_fromdata.pod @@ -161,7 +161,7 @@ TODO Write a set of cookbook documents and link to them. 0x5c, 0xcd, 0x86, 0x71, 0xa8, 0xbf, 0x1a, 0x47 }; const OSSL_PARAM params[] = { - OSSL_PARAM_utf8_string("group", "prime256v1"), + OSSL_PARAM_utf8_string("group", "prime256v1", 10), OSSL_PARAM_BN("priv", priv, sizeof(priv)), OSSL_PARAM_BN("pub", pub, sizeof(pub)), OSSL_PARAM_END diff --git a/doc/man3/EVP_PKEY_get_group_name.pod b/doc/man3/EVP_PKEY_get_group_name.pod index 3ef19b8575..5844bf1abc 100644 --- a/doc/man3/EVP_PKEY_get_group_name.pod +++ b/doc/man3/EVP_PKEY_get_group_name.pod 
@@ -15,8 +15,8 @@ EVP_PKEY_get_group_name - get group name of a key EVP_PKEY_get_group_name() fills in the group name of the I into I, up to at most I bytes including the ending NUL byte -and assigns I<*gname_len> the actual size of the name, if I's key type -supports it. +and assigns I<*gname_len> the actual length of the name not including +the NUL byte, if I's key type supports it. I as well as I may individually be NULL, and won't be filled in or assigned in that case. diff --git a/doc/man3/EVP_PKEY_gettable_params.pod b/doc/man3/EVP_PKEY_gettable_params.pod index da3d99d0bf..27240b0d3b 100644 --- a/doc/man3/EVP_PKEY_gettable_params.pod +++ b/doc/man3/EVP_PKEY_gettable_params.pod @@ -49,7 +49,8 @@ is allocated by the method. EVP_PKEY_get_utf8_string_param() get a key I UTF8 string value int a buffer I of maximum size I associated with a name of I. -I<*out_sz> is the returned size of the string if it is not NULL. +If I is not NULL the I<*out_sz> is set to the length of the string +not including the terminating NUL byte. EVP_PKEY_get_octet_string_param() copy a I's octet string value into a buffer I of maximum size I associated with a name of I. diff --git a/doc/man3/OSSL_PARAM.pod b/doc/man3/OSSL_PARAM.pod index 98d75c9fa2..f335d6f2c8 100644 --- a/doc/man3/OSSL_PARAM.pod +++ b/doc/man3/OSSL_PARAM.pod @@ -306,11 +306,11 @@ This example is for setting parameters on some object: #include const char *foo = "some string"; -size_t foo_l = strlen(foo) + 1; +size_t foo_l = strlen(foo); const char bar[] = "some other string"; OSSL_PARAM set[] = { { "foo", OSSL_PARAM_UTF8_STRING_PTR, &foo, foo_l, 0 }, -{ "bar", OSSL_PARAM_UTF8_STRING, &bar, sizeof(bar), 0 }, +{ "bar", OSSL_PARAM_UTF8_STRING, &bar, sizeof(bar) - 1, 0 }, { NULL, 0, NULL, 0, 0 } }; 
@@ -338,10 +338,10 @@ could fill in the parameters like this: for (i = 0; params[i].key != NULL; i++) { if (strcmp(params[i].key, "foo") == 0) { *(char **)params[i].data = "foo value"; -params[i].return_size = 10; /* size of "foo value" */ +params[i].return_size = 9; /* length of "foo value" string */ } else if (strcmp(params[i].key, "bar") == 0) { memcpy(params[i].data, "bar value", 10); -params[i].return_size = 10; /* size of "bar value" */ +params[i].return_size = 9; /* length of "bar value" string */ } /* Ignore stuff we don't know */ } diff --git a/doc/man3/OSSL_PARAM_BLD.pod b/doc/man3/OSSL_PARAM_BLD.pod index fdc9ec3081..d07eff6f27 100644 --- a/doc/man3/OSSL_PARAM_BLD.pod +++ b/doc/man3/OSSL_PARAM_BLD.pod @@ -91,7 +91,8 @@ must exist until after OS
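Review bot: in doc/man3/EVP_PKEY_fromdata.pod the new third argument in `OSSL_PARAM_utf8_string("group", "prime256v1", 10)` is a hand-counted literal that has to stay in step with the string next to it; anyone adapting the example to another group name is likely to leave the 10 in place. Suggest `sizeof("prime256v1") - 1`, or a short comment that 10 is the length without the NUL byte.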
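Review bot: in doc/man3/EVP_PKEY_gettable_params.pod the new sentence says `*out_sz` excludes the terminating NUL byte, but the paragraph still does not say that the maximum buffer size has to leave room for that byte, which is the other half of the rule given in the commit message. A caller who sizes a buffer from the returned length alone ends up one byte short, so suggest stating that the buffer must be at least the returned length plus one. The unchanged line above the change also still reads "value int a buffer" and could be corrected to "into" in the same commit.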
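Review bot: in the second doc/man3/OSSL_PARAM.pod hunk the "bar" branch now sets `return_size = 9` directly after `memcpy(params[i].data, "bar value", 10)`, and nothing explains why the two numbers differ. Suggest a comment that the copy includes the NUL byte while return_size does not. The example also copies 10 bytes without first checking the size of the buffer the requestor supplied; since this text tends to be copied as a template, showing a bounds check before the memcpy would be worthwhile.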
[openssl] master update
The branch master has been updated via bd32bdb8b2a0f98d99b21e1b4d68dfaf1bd5584d (commit) from 254957f768a61c91c14d89566224173d0831c2ce (commit) - Log - commit bd32bdb8b2a0f98d99b21e1b4d68dfaf1bd5584d Author: Tomas Mraz Date: Tue Aug 10 17:07:35 2021 +0200 Add documentation about the multilib postfix and libdir Fixes #16244 Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/16281) --- Summary of changes: CHANGES.md | 10 ++ INSTALL.md | 8 ++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 5991eb5465..bcb1601d26 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -30,6 +30,16 @@ breaking changes, and mappings for the large list of deprecated functions. ### Changes between 1.1.1 and 3.0 [xx XXX ] + * On build targets where the multilib postfix is set in the build + configuration the libdir directory was changing based on whether + the lib directory with the multilib postfix exists on the system + or not. This unpredictable behavior was removed and eventual + multilib postfix is now always added to the default libdir. Use + `--libdir=lib` to override the libdir if adding the postfix is + undesirable. + + *Jan Lána* + * The ERR_GET_FUNC() function was removed. With the loss of meaningful function codes, this function can only cause problems for calling applications. diff --git a/INSTALL.md b/INSTALL.md index 202a66885e..c717dfcdf0 100644 --- a/INSTALL.md +++ b/INSTALL.md 
@@ -350,9 +350,13 @@ Directories The name of the directory under the top of the installation directory tree (see the `--prefix` option) where libraries will be installed. By default -this is `lib/`. Note that on Windows only static libraries (`*.lib`) will +this is `lib`. Note that on Windows only static libraries (`*.lib`) will be stored in this location. Shared libraries (`*.dll`) will always be -installed to the `bin/` directory. +installed to the `bin` directory. + +Some build targets have a multilib postfix set in the build configuration. +For these targets the default libdir is `lib`. Please use +`--libdir=lib` to override the libdir if adding the postfix is undesirable. ### openssldir
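Review bot: in the INSTALL.md hunk, as the text appears here, the added paragraph says the default libdir for multilib targets is `lib` and then recommends `--libdir=lib` to override it, so the default and the override read the same. The sentence should spell out the postfixed directory name (the CHANGES.md entry says the postfix is always added to the default libdir); otherwise the reader cannot tell what is being overridden.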
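Review bot: in the CHANGES.md entry, "eventual multilib postfix" reads as a postfix that will arrive later; "any multilib postfix" or "the multilib postfix, if set," says what is meant. Since the entry describes a change in where libraries get installed, it would also help to name the directory that builds on such targets used before when the postfixed directory did not exist.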
[openssl] master update
The branch master has been updated via 254957f768a61c91c14d89566224173d0831c2ce (commit) from a5f4099d275520caf90a28a88e889cb36683b412 (commit) - Log - commit 254957f768a61c91c14d89566224173d0831c2ce Author: Shane Lontis Date: Wed Aug 11 12:23:08 2021 +1000 Allow small RSA exponents in the default provider Fixes #16255 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16285) --- Summary of changes: crypto/rsa/rsa_sp800_56b_check.c | 27 +-- test/rsa_sp800_56b_test.c| 15 +-- 2 files changed, 18 insertions(+), 24 deletions(-) diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c index 9b827d2872..fc8f19b487 100644 --- a/crypto/rsa/rsa_sp800_56b_check.c +++ b/crypto/rsa/rsa_sp800_56b_check.c @@ -218,30 +218,21 @@ int ossl_rsa_check_private_exponent(const RSA *rsa, int nbits, BN_CTX *ctx) return ret; } -#ifndef FIPS_MODULE -static int bn_is_three(const BIGNUM *bn) -{ -BIGNUM *num = BN_dup(bn); -int ret = (num != NULL && BN_sub_word(num, 3) && BN_is_zero(num)); - -BN_free(num); -return ret; -} -#endif /* FIPS_MODULE */ - -/* Check exponent is odd, and has a bitlen ranging from [17..256] */ +/* + * Check exponent is odd. + * For FIPS also check the bit length is in the range [17..256] + */ int ossl_rsa_check_public_exponent(const BIGNUM *e) { +#ifdef FIPS_MODULE int bitlen; -/* For legacy purposes RSA_3 is allowed in non fips mode */ -#ifndef FIPS_MODULE -if (bn_is_three(e)) -return 1; -#endif /* FIPS_MODULE */ - bitlen = BN_num_bits(e); return (BN_is_odd(e) && bitlen > 16 && bitlen < 257); +#else +/* Allow small exponents larger than 1 for legacy purposes */ +return BN_is_odd(e) && BN_cmp(e, BN_value_one()) > 0; +#endif /* FIPS_MODULE */ } /* diff --git a/test/rsa_sp800_56b_test.c b/test/rsa_sp800_56b_test.c index 033983d58e..f5df0e4955 100644 --- a/test/rsa_sp800_56b_test.c +++ b/test/rsa_sp800_56b_test.c 
@@ -104,26 +104,29 @@ static BIGNUM *bn_load_new(const unsigned char *data, int sz) return ret; } +/* Check that small rsa exponents are allowed in non FIPS mode */ static int test_check_public_exponent(void) { int ret = 0; BIGNUM *e = NULL; ret = TEST_ptr(e = BN_new()) - /* e is too small */ - && TEST_true(BN_set_word(e, 65535)) + /* e is too small will fail */ + && TEST_true(BN_set_word(e, 1)) && TEST_false(ossl_rsa_check_public_exponent(e)) /* e is even will fail */ && TEST_true(BN_set_word(e, 65536)) && TEST_false(ossl_rsa_check_public_exponent(e)) /* e is ok */ + && TEST_true(BN_set_word(e, 3)) + && TEST_true(ossl_rsa_check_public_exponent(e)) + && TEST_true(BN_set_word(e, 17)) + && TEST_true(ossl_rsa_check_public_exponent(e)) && TEST_true(BN_set_word(e, 65537)) && TEST_true(ossl_rsa_check_public_exponent(e)) - /* e = 2^256 is too big */ + /* e = 2^256 + 1 is ok */ && TEST_true(BN_lshift(e, BN_value_one(), 256)) - && TEST_false(ossl_rsa_check_public_exponent(e)) - /* e = 2^256-1 is odd and in range */ - && TEST_true(BN_sub(e, e, BN_value_one())) + && TEST_true(BN_add(e, e, BN_value_one())) && TEST_true(ossl_rsa_check_public_exponent(e)); BN_free(e); return ret;
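Review bot: in crypto/rsa/rsa_sp800_56b_check.c the new non-FIPS branch `return BN_is_odd(e) && BN_cmp(e, BN_value_one()) > 0;` drops the upper limit as well as the lower one, but the inline comment and the commit title mention only small exponents. The updated test expects 2^256 + 1 to pass, so this looks intended; please say so in the comment above the function, or keep the `bitlen < 257` check in both builds if unbounded exponents were not the goal.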
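Review bot: in test/rsa_sp800_56b_test.c the cases that exercised the [17..256] bit length limits (65535 and 2^256) are removed and replaced with non-FIPS expectations only, so the `bitlen > 16 && bitlen < 257` branch is no longer covered by this test. Suggest keeping the boundary cases under `#ifdef FIPS_MODULE`, or adding them to a test that runs against the FIPS build, so that a later edit to the FIPS range does not go unnoticed.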
Coverity Scan: Analysis completed for OpenSSL-1.0.2
Your request for analysis of OpenSSL-1.0.2 has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7Hlun-2FGpeF2rhqKLKnzox0Gkw-3D-3DjShx_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeG2cnqvkCu-2F1-2BinRHXHAvoEEoKx9-2FUMVzm9dhE4ccuEnu4FFb2Fm8R7II6ccYRTT6r7G6ljK1i6cWa66CaIqJ3lR5hYMTY44l-2FsVcciPci7CbUE5gCzuWTVvgVINCQf62nhYzvcripyQRxe-2F4q9DDWIhPu3lzSATWWcrU1lJJ8xgmyQwalxSJUIH6NrE7PlRxw-3D Build ID: 402140 Analysis Summary: New defects found: 0 Defects eliminated: 0
Coverity Scan: Analysis completed for openssl/openssl
Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3Dz9Sh_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeGFfGykvY0KQCLP38DZRrvWIbJ-2FbzIXiNiCW8qOyz83PJ-2F5YTauo7O9JXxYe-2F3cloRYxHqkYwg6kFpIWgVk0-2Bo0Gk5Rq5qlC6-2FwQ5AYqxsHNGP2vCt9kBRB9e59r-2B06KI56mKzc8rQUI47XN0f-2BQuJB-2FAN1m0kC8Ha1oeJJaDUQNKKTIBKokEEDNzdkP0Ddg9A-3D Build ID: 402139 Analysis Summary: New defects found: 0 Defects eliminated: 0