Coverity Scan: Analysis completed for openssl/openssl
Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DPleO_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHqy3YmBxMwPoMUYcUPIhGvXjfLy-2Bdf3iTYE9zfeNaELRaOlc88f6nE5IObS5j2zC5I1NcvhwiBReXJ5iwrFjXIxIayLXBEJ4UQB2rmHB-2BfvA1hkP4S-2B-2BDrux78st6-2FHbQ3JTOsAJxzc9tL64rKfKyE4KLETEtiG-2FoQSt17PuCNfa-2B5Rm758nbaDmgkiG2sOjM-3D

Build ID: 423822

Analysis Summary:
New defects found: 0
Defects eliminated: 0
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via bfbeb31d6d0dfed4029c91a416857e5e0f35fa93 (commit) from b11183f68658cf625a3befd6d245923d588638f5 (commit) - Log - commit bfbeb31d6d0dfed4029c91a416857e5e0f35fa93 Author: Dr. David von Oheimb Date: Tue Dec 7 19:07:43 2021 +0100 APPS/cmp: Fix logic and doc of mutually exclusive -server/-use_mock_srv/-port/-rspin options Ignore -server with -rspin and exclude all of -use_mock_srv/-port/-rspin. On the other hand, -server is required if no -use_mock_srv/-port/-rspin is given. Ignore -tls_used with -use_mock_srv and -rspin; it is not supported with -port. If -server is not given, ignore -proxy, -no_proxy, and -tls_used. Also slightly improve the documentation of the two mock server variants. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17254) (cherry picked from commit a56bb5d64e7599140117f935eeeb34ba94c83aea) --- Summary of changes: apps/cmp.c | 138 +--- doc/man1/openssl-cmp.pod.in | 22 +-- 2 files changed, 96 insertions(+), 64 deletions(-) diff --git a/apps/cmp.c b/apps/cmp.c index 01a437fe48..985d7339a0 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -161,7 +161,7 @@ static char *opt_rspin = NULL; static char *opt_rspout = NULL; static int opt_use_mock_srv = 0; -/* server-side debugging */ +/* mock server */ #ifndef OPENSSL_NO_SOCK static char *opt_port = NULL; static int opt_max_msgs = 0; @@ -287,7 +287,7 @@ const OPTIONS cmp_options[] = { {"subject", OPT_SUBJECT, 's', "Distinguished Name (DN) of subject to use in the requested cert template"}, {OPT_MORE_STR, 0, 0, - "For kur, default is subject of -csr arg or else of reference cert (see -oldcert)"}, + "For kur, default is subject of -csr arg or reference cert (see -oldcert)"}, {OPT_MORE_STR, 0, 0, "this default is used for ir and cr only if no Subject Alt Names are set"}, {"issuer", OPT_ISSUER, 's', 
@@ -336,7 +336,7 @@ const OPTIONS cmp_options[] = { {OPT_MORE_STR, 0, 0, "also used as reference (defaulting to -cert) for subject DN and SANs."}, {OPT_MORE_STR, 0, 0, - "Its issuer is used as recipient unless -recipient, -srvcert, or -issuer given"}, + "Issuer is used as recipient unless -recipient, -srvcert, or -issuer given"}, {"revreason", OPT_REVREASON, 'n', "Reason code to include in revocation request (rr); possible values:"}, {OPT_MORE_STR, 0, 0, @@ -470,14 +470,16 @@ const OPTIONS cmp_options[] = { "Process sequence of CMP responses provided in file(s), skipping server"}, {"rspout", OPT_RSPOUT, 's', "Save sequence of CMP responses to file(s)"}, -{"use_mock_srv", OPT_USE_MOCK_SRV, '-', "Use mock server at API level, bypassing HTTP"}, +{"use_mock_srv", OPT_USE_MOCK_SRV, '-', + "Use internal mock server at API level, bypassing socket-based HTTP"}, OPT_SECTION("Mock server"), #ifdef OPENSSL_NO_SOCK {OPT_MORE_STR, 0, 0, "NOTE: -port and -max_msgs not supported due to no-sock build"}, #else -{"port", OPT_PORT, 's', "Act as HTTP mock server listening on given port"}, +{"port", OPT_PORT, 's', + "Act as HTTP-based mock server listening on given port"}, {"max_msgs", OPT_MAX_MSGS, 'N', "max number of messages handled by HTTP mock server. Default: 0 = unlimited"}, #endif @@ -1000,7 +1002,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine) if (opt_srv_ref == NULL) { if (opt_srv_cert == NULL) { /* opt_srv_cert should determine the sender */ -CMP_err("must give -srv_ref for server if no -srv_cert given"); +CMP_err("must give -srv_ref for mock server if no -srv_cert given"); goto err; } } else { @@ -1011,7 +1013,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine) if (opt_srv_secret != NULL) { int res; -char *pass_str = get_passwd(opt_srv_secret, "PBMAC secret of server"); +char *pass_str = get_passwd(opt_srv_secret, "PBMAC secret of mock server"); if (pass_str != NULL) { cleanse(opt_srv_secret); 
@@ -1022,10 +1024,10 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine) goto err; } } else if (opt_srv_cert == NULL) { -CMP_err("server credentials must be given if -use_mock_srv or -port is used"); +CMP_err("mock server credentials must be given if -use_mock_srv or -port is used"); goto err; } else { -CMP_warn("server will not be able to handle PBM-protected requests since -srv_secret is not given"); +CMP_warn("mock server will not be able to handle PBM-protected requests since -srv_secret is not given"); } if (opt_srv_secret ==
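Review bot: in the @@ -336 hunk the shortened help text loses its antecedent. `"Its issuer is used as recipient unless -recipient, -srvcert, or -issuer given"` becomes `"Issuer is used as recipient unless -recipient, -srvcert, or -issuer given"`, which no longer says whose issuer is meant; the preceding OPT_MORE_STR line talks about the reference cert (defaulting to -cert), so keep the pronoun, e.g. `"Its issuer is used as recipient unless -recipient/-srvcert/-issuer given"` if the shortening was for line length.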
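Review bot: the commit message says -tls_used is now ignored with -use_mock_srv and -rspin, and that -proxy, -no_proxy and -tls_used are ignored when -server is absent, but none of the hunks visible in this mail contain that option logic; the setup_srv_ctx hunks (@@ -1000, @@ -1011, @@ -1022) only reword comments and CMP_err/CMP_warn messages, and the diff is cut off before the rest of the 138-line apps/cmp.c change. Silently dropping -tls_used is security-relevant, since a caller who passed it may assume the CMP exchange is TLS-protected, so the exclusion logic should report the dropped option with a CMP_warn in the style of the existing `CMP_warn("mock server will not be able to handle PBM-protected requests since -srv_secret is not given")` rather than ignoring it without notice, and the doc/man1/openssl-cmp.pod.in change (also not shown) should list which options are ignored in each mode.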
[openssl] master update
The branch master has been updated via a56bb5d64e7599140117f935eeeb34ba94c83aea (commit) from 1f8ca9e3d3fa674da4ab6694cef2f266e6ab0f20 (commit) - Log - commit a56bb5d64e7599140117f935eeeb34ba94c83aea Author: Dr. David von Oheimb Date: Tue Dec 7 19:07:43 2021 +0100 APPS/cmp: Fix logic and doc of mutually exclusive -server/-use_mock_srv/-port/-rspin options Ignore -server with -rspin and exclude all of -use_mock_srv/-port/-rspin. On the other hand, -server is required if no -use_mock_srv/-port/-rspin is given. Ignore -tls_used with -use_mock_srv and -rspin; it is not supported with -port. If -server is not given, ignore -proxy, -no_proxy, and -tls_used. Also slightly improve the documentation of the two mock server variants. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17254) --- Summary of changes: apps/cmp.c | 138 +--- doc/man1/openssl-cmp.pod.in | 22 +-- 2 files changed, 96 insertions(+), 64 deletions(-) diff --git a/apps/cmp.c b/apps/cmp.c index d6ab2a249b..f994b83b18 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -161,7 +161,7 @@ static char *opt_rspin = NULL; static char *opt_rspout = NULL; static int opt_use_mock_srv = 0; -/* server-side debugging */ +/* mock server */ #ifndef OPENSSL_NO_SOCK static char *opt_port = NULL; static int opt_max_msgs = 0; @@ -287,7 +287,7 @@ const OPTIONS cmp_options[] = { {"subject", OPT_SUBJECT, 's', "Distinguished Name (DN) of subject to use in the requested cert template"}, {OPT_MORE_STR, 0, 0, - "For kur, default is subject of -csr arg or else of reference cert (see -oldcert)"}, + "For kur, default is subject of -csr arg or reference cert (see -oldcert)"}, {OPT_MORE_STR, 0, 0, "this default is used for ir and cr only if no Subject Alt Names are set"}, {"issuer", OPT_ISSUER, 's', 
@@ -336,7 +336,7 @@ const OPTIONS cmp_options[] = { {OPT_MORE_STR, 0, 0, "also used as reference (defaulting to -cert) for subject DN and SANs."}, {OPT_MORE_STR, 0, 0, - "Its issuer is used as recipient unless -recipient, -srvcert, or -issuer given"}, + "Issuer is used as recipient unless -recipient, -srvcert, or -issuer given"}, {"revreason", OPT_REVREASON, 'n', "Reason code to include in revocation request (rr); possible values:"}, {OPT_MORE_STR, 0, 0, @@ -470,14 +470,16 @@ const OPTIONS cmp_options[] = { "Process sequence of CMP responses provided in file(s), skipping server"}, {"rspout", OPT_RSPOUT, 's', "Save sequence of CMP responses to file(s)"}, -{"use_mock_srv", OPT_USE_MOCK_SRV, '-', "Use mock server at API level, bypassing HTTP"}, +{"use_mock_srv", OPT_USE_MOCK_SRV, '-', + "Use internal mock server at API level, bypassing socket-based HTTP"}, OPT_SECTION("Mock server"), #ifdef OPENSSL_NO_SOCK {OPT_MORE_STR, 0, 0, "NOTE: -port and -max_msgs not supported due to no-sock build"}, #else -{"port", OPT_PORT, 's', "Act as HTTP mock server listening on given port"}, +{"port", OPT_PORT, 's', + "Act as HTTP-based mock server listening on given port"}, {"max_msgs", OPT_MAX_MSGS, 'N', "max number of messages handled by HTTP mock server. Default: 0 = unlimited"}, #endif @@ -1000,7 +1002,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine) if (opt_srv_ref == NULL) { if (opt_srv_cert == NULL) { /* opt_srv_cert should determine the sender */ -CMP_err("must give -srv_ref for server if no -srv_cert given"); +CMP_err("must give -srv_ref for mock server if no -srv_cert given"); goto err; } } else { @@ -1011,7 +1013,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine) if (opt_srv_secret != NULL) { int res; -char *pass_str = get_passwd(opt_srv_secret, "PBMAC secret of server"); +char *pass_str = get_passwd(opt_srv_secret, "PBMAC secret of mock server"); if (pass_str != NULL) { cleanse(opt_srv_secret); 
@@ -1022,10 +1024,10 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine) goto err; } } else if (opt_srv_cert == NULL) { -CMP_err("server credentials must be given if -use_mock_srv or -port is used"); +CMP_err("mock server credentials must be given if -use_mock_srv or -port is used"); goto err; } else { -CMP_warn("server will not be able to handle PBM-protected requests since -srv_secret is not given"); +CMP_warn("mock server will not be able to handle PBM-protected requests since -srv_secret is not given"); } if (opt_srv_secret == NULL @@ -1035,7 +1037,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
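Review bot: these hunks are the original a56bb5d64e commit that the openssl-3.0 mail above cherry-picks, and the only difference in what is shown is the `index` line (d6ab2a249b..f994b83b18 here versus 01a437fe48..985d7339a0 on the 3.0 branch), so the wording point about `"Issuer is used as recipient ..."` in the @@ -336 hunk and the question of whether ignored options such as -tls_used are warned about apply unchanged. The mail is truncated immediately after the `@@ -1035,7 +1037,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)` header, so that final hunk cannot be reviewed from this message.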
[openssl] master update
The branch master has been updated via 1f8ca9e3d3fa674da4ab6694cef2f266e6ab0f20 (commit) via 0e4e4e27df3ff7c1b1c07be4a518c03acf2513ee (commit) via c868d1f9ca923fa4ea57a46e823c280233e254ea (commit) from 0fcf2351ecff5db21cba431704e4da631b74904a (commit) - Log - commit 1f8ca9e3d3fa674da4ab6694cef2f266e6ab0f20 Author: Tomas Mraz Date: Tue Dec 14 18:10:44 2021 +0100 NEWS.md: Add missing empty line Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17274) commit 0e4e4e27df3ff7c1b1c07be4a518c03acf2513ee Author: Richard Levitte Date: Tue Dec 14 14:54:55 2021 +0100 Add some CHANGES entries for 3.0.1 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17274) commit c868d1f9ca923fa4ea57a46e823c280233e254ea Author: Tomas Mraz Date: Mon Dec 13 15:27:20 2021 +0100 Add some CHANGES.md entries for the 3.0.1 release Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17274) --- Summary of changes: CHANGES.md | 75 ++ NEWS.md| 1 + 2 files changed, 67 insertions(+), 9 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 8fd7e7288a..16e2c341bd 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -70,7 +70,17 @@ OpenSSL 3.1 *Sergey Kirillov, Andrey Matyukov (Intel Corp)* -### Changes between 3.0.0 and 3.0.1 [xx XXX ] +OpenSSL 3.0 +--- + +For OpenSSL 3.0 a [Migration guide][] has been added, so the CHANGES entries +listed here are only a brief description. +The migration guide contains more detailed information related to new features, +breaking changes, and mappings for the large list of deprecated functions. + +[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod + +### Changes between 3.0.0 and 3.0.1 [14 dec 2021] * Fixed invalid handling of X509_verify_cert() internal errors in libssl Internally libssl in OpenSSL calls X509_verify_cert() on the client side to 
@@ -103,17 +113,48 @@ OpenSSL 3.1 *Richard Levitte* -OpenSSL 3.0 + * Fixed EVP_PKEY_eq() to make it possible to use it with strictly private + keys. -For OpenSSL 3.0 a [Migration guide][] has been added, so the CHANGES entries -listed here are only a brief description. -The migration guide contains more detailed information related to new features, -breaking changes, and mappings for the large list of deprecated functions. + *Richard Levitte* -[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod + * Fixed PVK encoder to properly query for the passphrase. -### Changes between 1.1.1 and 3.0 [xx XXX ] + *Tomáš Mráz* + + * Multiple fixes in the OSSL_HTTP API functions. + + *David von Oheimb* + + * Allow sign extension in OSSL_PARAM_allocate_from_text() for the + OSSL_PARAM_INTEGER data type and return error on negative numbers + used with the OSSL_PARAM_UNSIGNED_INTEGER data type. Make + OSSL_PARAM_BLD_push_BN{,_pad}() return an error on negative numbers. + + *Richard Levitte* + + * Allow copying uninitialized digest contexts with EVP_MD_CTX_copy_ex. + + *Tomáš Mráz* + + * Fixed detection of ARMv7 and ARM64 CPU features on FreeBSD. + + *Allan Jude* + + * Multiple threading fixes. + + *Matt Caswell* + + * Added NULL digest implementation to keep compatibility with 1.1.1 version. + + *Tomáš Mráz* + + * Allow fetching an operation from the provider that owns an unexportable key + as a fallback if that is still allowed by the property query. + + *Richard Levitte* + +### Changes between 1.1.1 and 3.0.0 [7 sep 2021] * TLS_MAX_VERSION, DTLS_MAX_VERSION and DTLS_MIN_VERSION constants are now deprecated. 
@@ -1538,6 +1579,22 @@ breaking changes, and mappings for the large list of deprecated functions. OpenSSL 1.1.1 - +### Changes between 1.1.1l and 1.1.1m [xx XXX ] + + * Avoid loading of a dynamic engine twice. + + *Bernd Edlinger* + + * Prioritise DANE TLSA issuer certs over peer certs + + *Viktor Dukhovni* + + * Fixed random API for MacOS prior to 10.12 + + These MacOS versions don't support the CommonCrypto APIs + + *Lenny Primak* + ### Changes between 1.1.1k and 1.1.1l [24 Aug 2021] * Fixed an SM2 Decryption Buffer Overflow. diff --git a/NEWS.md b/NEWS.md index 9da16da913..18fa374acb 100644 --- a/NEWS.md +++ b/NEWS.md @@ -28,6 +28,7 @@ OpenSSL 3.0 --- ### Major changes between OpenSSL 3.0.0 and OpenSSL 3.0.1 + * Fixed invalid handling of X509_verify_cert() internal errors in libssl ([CVE-2021-4044]) * Allow fetching an operation from the provider that owns
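Review bot: the new section dates in the CHANGES.md hunks at @@ -70 and @@ -103 are written `[14 dec 2021]` and `[7 sep 2021]`, while the neighbouring headings use `[24 Aug 2021]` and the `[xx XXX ]` placeholder; capitalise the month abbreviation (`[14 Dec 2021]`, `[7 Sep 2021]`) so the headings stay consistent. Moving the `OpenSSL 3.0` heading and the migration-guide paragraph above the 3.0.1 section so that it no longer sits under `OpenSSL 3.1` is the right fix.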
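Review bot: in the @@ -1538 hunk the new 1.1.1m entries `Prioritise DANE TLSA issuer certs over peer certs`, `Fixed random API for MacOS prior to 10.12` and `These MacOS versions don't support the CommonCrypto APIs` have no terminating period, unlike `Avoid loading of a dynamic engine twice.` and the existing `Fixed an SM2 Decryption Buffer Overflow.`; add the periods and prefer Apple's spelling `macOS`.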
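Review bot: the NEWS.md hunk adds a reference-style link `([CVE-2021-4044])` to the `Fixed invalid handling of X509_verify_cert() internal errors in libssl` entry; that only renders as a link if a matching `[CVE-2021-4044]: ...` definition exists in NEWS.md, and no such definition appears in the visible diff, so please confirm it is present or add it. The corresponding CHANGES.md entry at @@ -70 is cut off in this mail after its first descriptive line, so check that it also carries the CVE identifier and link definition, since readers of CHANGES.md will otherwise not see that the libssl fix is a security fix.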