[openssl] master update
The branch master has been updated via 19c0b46b83335b36a9816abef4e82f74863a4e0a (commit) from f616ad4b022b8afa8416a7d9e475d02c49164192 (commit) - Log - commit 19c0b46b83335b36a9816abef4e82f74863a4e0a Author: Richard Levitte Date: Mon Jun 28 04:36:33 2021 +0200 OSSL_STORE: Fix crash when tracing STORE Reviewed-by: Shane Lontis Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15931) --- Summary of changes: crypto/store/store_lib.c | 11 ++- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c index 4b31c6f7d5..636a94e832 100644 --- a/crypto/store/store_lib.c +++ b/crypto/store/store_lib.c @@ -72,7 +72,7 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, OSSL_STORE_CTX *ctx = NULL; char *propq_copy = NULL; int no_loader_found = 1; -char scheme_copy[256], *p, *schemes[2]; +char scheme_copy[256], *p, *schemes[2], *scheme = NULL; size_t schemes_n = 0; size_t i; @@ -111,9 +111,10 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, * elsewhere. */ for (i = 0; loader_ctx == NULL && i < schemes_n; i++) { -OSSL_TRACE1(STORE, "Looking up scheme %s\n", schemes[i]); +scheme = schemes[i]; +OSSL_TRACE1(STORE, "Looking up scheme %s\n", scheme); #ifndef OPENSSL_NO_DEPRECATED_3_0 -if ((loader = ossl_store_get0_loader_int(schemes[i])) != NULL) { +if ((loader = ossl_store_get0_loader_int(scheme)) != NULL) { no_loader_found = 0; if (loader->open_ex != NULL) loader_ctx = loader->open_ex(loader, uri, libctx, propq, @@ -124,7 +125,7 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, #endif if (loader == NULL && (fetched_loader = -OSSL_STORE_LOADER_fetch(libctx, schemes[i], propq)) != NULL) { +OSSL_STORE_LOADER_fetch(libctx, scheme, propq)) != NULL) { const OSSL_PROVIDER *provider = OSSL_STORE_LOADER_get0_provider(fetched_loader); void *provctx = OSSL_PROVIDER_get0_provider_ctx(provider); 
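Review bot: In the `@@ -111,9 +111,10 @@` hunk the new `scheme = schemes[i];` carries no comment saying why the value is cached, and the reason is easy to lose in a later clean-up. The loop condition lets `i` reach `schemes_n`, so indexing `schemes[i]` after the loop, as the final trace call did, can read an entry that was never set. I would add `/* Keep the current scheme in a local: i may equal schemes_n once the loop ends, so schemes[i] must not be read after it */` above the assignment. After the loop `scheme` holds the last scheme tried, which may not be the one whose loader was found if an earlier loader was found but failed to open; that depends on loop code outside these hunks, as OSSL_STORE_open_ex starts and ends outside them.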
@@ -151,7 +152,7 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, */ goto err; -OSSL_TRACE1(STORE, "Found loader for scheme %s\n", schemes[i]); +OSSL_TRACE1(STORE, "Found loader for scheme %s\n", scheme); if (loader_ctx == NULL) /*
[openssl] master update
The branch master has been updated via 16561896ae5d3babc4662cca9a2c75cb6297ae17 (commit) from 6ee4741281f032e13423a1e05c4fb9a90454e748 (commit) - Log - commit 16561896ae5d3babc4662cca9a2c75cb6297ae17 Author: Richard Levitte Date: Mon Jun 28 04:29:17 2021 +0200 PROV: Have our PEM->DER decoder only recognise our PEM names This is to avoid creating confusion where other PEM decoder implementations may know better what PEM names that are unknown to us actually mean. Fixes #15929 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15930) --- Summary of changes: .../implementations/encode_decode/decode_pem2der.c | 116 - 1 file changed, 43 insertions(+), 73 deletions(-) diff --git a/providers/implementations/encode_decode/decode_pem2der.c b/providers/implementations/encode_decode/decode_pem2der.c index 16f3322354..5db3689f30 100644 --- a/providers/implementations/encode_decode/decode_pem2der.c +++ b/providers/implementations/encode_decode/decode_pem2der.c 
@@ -92,35 +92,49 @@ static int pem2der_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, OSSL_CALLBACK *data_cb, void *data_cbarg, OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) { -/* Strings to peel off the pem name */ -static struct peelablee_pem_name_endings_st { -const char *ending; +/* + * PEM names we recognise. Other PEM names should be recognised by + * other decoder implementations. + */ +static struct pem_name_map_st { +const char *pem_name; +int object_type; +const char *data_type; const char *data_structure; -} peelable_pem_name_endings[] = { -/* - * These entries should be in longest to shortest order to avoid - * mixups. - */ -{ "ENCRYPTED PRIVATE KEY", "EncryptedPrivateKeyInfo" }, -{ "PRIVATE KEY", "PrivateKeyInfo" }, -{ "PUBLIC KEY", "SubjectPublicKeyInfo" }, -{ "PARAMETERS", NULL } +} pem_name_map[] = { +/* PKCS#8 and SubjectPublicKeyInfo */ +{ PEM_STRING_PKCS8, OSSL_OBJECT_PKEY, NULL, "EncryptedPrivateKeyInfo" }, +{ PEM_STRING_PKCS8INF, OSSL_OBJECT_PKEY, NULL, "PrivateKeyInfo" }, +{ PEM_STRING_PUBLIC, OSSL_OBJECT_PKEY, NULL, "SubjectPublicKeyInfo" }, + +/* Our set of type specific PEM types */ +{ PEM_STRING_DHPARAMS, OSSL_OBJECT_PKEY, "DH", "type-specific" }, +{ PEM_STRING_DHXPARAMS, OSSL_OBJECT_PKEY, "X9.42 DH", "type-specific" }, +{ PEM_STRING_DSA, OSSL_OBJECT_PKEY, "DSA", "type-specific" }, +{ PEM_STRING_DSA_PUBLIC, OSSL_OBJECT_PKEY, "DSA", "type-specific" }, +{ PEM_STRING_DSAPARAMS, OSSL_OBJECT_PKEY, "DSA", "type-specific" }, +{ PEM_STRING_ECPRIVATEKEY, OSSL_OBJECT_PKEY, "EC", "type-specific" }, +{ PEM_STRING_ECPARAMETERS, OSSL_OBJECT_PKEY, "EC", "type-specific" }, +{ PEM_STRING_RSA, OSSL_OBJECT_PKEY, "RSA", "type-specific" }, +{ PEM_STRING_RSA_PUBLIC, OSSL_OBJECT_PKEY, "RSA", "type-specific" }, /* - * Libcrypto currently only supports decoding keys with provider side - * decoders, so we don't try to peel any other PEM name. That's an - * exercise for when libcrypto starts to treat other types of objects - * via providers. 
+ * A few others that there is at least have an object type for, even + * though there is no provider interface to handle such objects, yet. + * However, this is beneficial for the OSSL_STORE result handler. */ +{ PEM_STRING_X509, OSSL_OBJECT_CERT, NULL, NULL }, +{ PEM_STRING_X509_TRUSTED, OSSL_OBJECT_CERT, NULL, NULL }, +{ PEM_STRING_X509_OLD, OSSL_OBJECT_CERT, NULL, NULL }, +{ PEM_STRING_X509_CRL, OSSL_OBJECT_CRL, NULL, NULL } }; struct pem2der_ctx_st *ctx = vctx; char *pem_name = NULL, *pem_header = NULL; -size_t pem_name_len, i; +size_t i; unsigned char *der = NULL; long der_len = 0; int ok = 0; int objtype = OSSL_OBJECT_UNKNOWN; -const char *data_structure = NULL; ok = read_pem(ctx->provctx, cin, _name, _header, , _len) > 0; @@ -153,71 +167,27 @@ static int pem2der_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, */ ok = 1; -/* - * Peal off certain strings from the end of |pem_name|, as they serve - * no further purpose. - */ -for (i = 0, pem_name_len = s
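Review bot: The new `pem_name_map[]` table in pem2der_decode is declared `static struct pem_name_map_st {` without `const`, so the list of PEM names this decoder accepts sits in writable data although nothing in the hunk modifies it. Declaring it `static const struct pem_name_map_st {` would let the compiler reject accidental writes to the accepted-name set. The comment above the certificate and CRL entries is also garbled ("A few others that there is at least have an object type for"); `A few others that we at least have an object type for, even though there is no provider interface to handle such objects yet.` reads as intended. The loop that consults the table is in the following hunk, which is cut off on this page, so how names are matched against it could not be checked.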
[openssl] master update
The branch master has been updated via 426005eea5afd64bb76006f0fda69502ab3e008d (commit) from 92eb592b3b70a1f8e08b7160e54e367ba0d0aca2 (commit) - Log - commit 426005eea5afd64bb76006f0fda69502ab3e008d Author: Richard Levitte Date: Fri Jun 25 08:36:30 2021 +0200 Fix 'openssl req' to correctly use the algorithm from '-newkey algo:' We used the original string, which meant fetching for, for example, 'rsa:2048'. That was, of course, doomed to fail. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/15912) --- Summary of changes: apps/req.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/req.c b/apps/req.c index d0c620438b..eb286f8a8e 100644 --- a/apps/req.c +++ b/apps/req.c @@ -1615,14 +1615,14 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, EVP_PKEY_free(param); } else { if (keygen_engine != NULL) { -int pkey_id = get_legacy_pkey_id(app_get0_libctx(), keytype, +int pkey_id = get_legacy_pkey_id(app_get0_libctx(), *pkeytype, keygen_engine); if (pkey_id != NID_undef) gctx = EVP_PKEY_CTX_new_id(pkey_id, keygen_engine); } else { gctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), - keytype, app_get0_propq()); + *pkeytype, app_get0_propq()); } }
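Review bot: Both calls now read `*pkeytype`, and nothing in the hunk shows that it is non-NULL when this `else` branch is reached. If `*pkeytype` is a copy allocated earlier in set_keygen_ctx (the function starts outside the hunk, so this is inferred from the pointer-to-pointer use), a failed allocation would be passed on as a NULL name to `get_legacy_pkey_id()` and `EVP_PKEY_CTX_new_from_name()`. A check such as `if (*pkeytype == NULL)` that reports the error and leaves through the function's existing failure path, placed before the branch, would make that case explicit.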
[openssl] master update
The branch master has been updated via 32a56ebab2ed77bd342ab85da7e3ce9d49eb9e71 (commit) via f49b42e6eec9b7abee940a10e8e1125edcb61481 (commit) via ed0bd67d4b7a61e864e9f71fbb62ba2a9dff0c28 (commit) via bb4f826272712b7c57edefa9b920e9f7c31778d8 (commit) via 01b093aaeeb15d0a2ca0b5f8c100109821f884fb (commit) via 511fb47264df8333a5e2096fb5ef49436a965a63 (commit) via 46399d9db2c1a1afdfebac1a7fe64276c7f677de (commit) via e7137c8497234e442f0a2639c43453b5baea7695 (commit) from 89fe295257f374647122f73776ddb34555c543f0 (commit) - Log - commit 32a56ebab2ed77bd342ab85da7e3ce9d49eb9e71 Author: Richard Levitte Date: Tue Jun 22 11:08:24 2021 +0200 test/recipes/90-test_includes_data/vms-includes.cnf: correct the directory ... to mimic includes.cnf Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15823) commit f49b42e6eec9b7abee940a10e8e1125edcb61481 Author: Richard Levitte Date: Tue Jun 22 10:52:09 2021 +0200 apps/CA.pl.in: restore the quotes around -CAfile, they were there for a reason Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15823) commit ed0bd67d4b7a61e864e9f71fbb62ba2a9dff0c28 Author: Richard Levitte Date: Tue Jun 22 10:38:55 2021 +0200 test/recipes/80-test_ca.t: Don't force quotes around the config file in $cnf However, when passing it through the OPENSSL_CONFIG environment variable, we still need the quotes, just to make sure. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15823) commit bb4f826272712b7c57edefa9b920e9f7c31778d8 Author: Richard Levitte Date: Tue Jun 22 08:04:12 2021 +0200 test/recipes/66-test_ossl_store.t: ensure native paths Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15823) commit 01b093aaeeb15d0a2ca0b5f8c100109821f884fb Author: Richard Levitte Date: Tue Jun 22 08:03:47 2021 +0200 testutil: teach test_mk_file_path() how to merge VMS file specs This isn't a full solution, it only handles current use cases. 
Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15823) commit 511fb47264df8333a5e2096fb5ef49436a965a63 Author: Richard Levitte Date: Tue Jun 22 07:28:26 2021 +0200 test/ossl_store_test.c: Adapt the use of datadir for VMS paths Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15823) commit 46399d9db2c1a1afdfebac1a7fe64276c7f677de Author: Richard Levitte Date: Wed Jun 16 06:47:58 2021 +0200 UTF-8 not easily supported on VMS command line yet Some tests are designed to test UTF-8 on the command line. We simply disable those on VMS. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15823) commit e7137c8497234e442f0a2639c43453b5baea7695 Author: Richard Levitte Date: Wed Jun 16 06:46:45 2021 +0200 Fix test_errstr for VMS Occasionally, we get an error code on VMS that doesn't translate into POSIX, and the error string reflects that Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15823) --- Summary of changes: apps/CA.pl.in | 4 +++- test/ossl_store_test.c | 14 +-- test/recipes/02-test_errstr.t | 8 ++- test/recipes/25-test_x509.t| 1 + test/recipes/66-test_ossl_store.t | 3 ++- test/recipes/80-test_ca.t | 10 test/recipes/80-test_pkcs12.t | 17 +- .../recipes/90-test_includes_data/vms-includes.cnf | 2 +- test/testutil/driver.c | 27 -- 9 files changed, 67 insertions(+), 19 deletions(-) diff --git a/apps/CA.pl.in b/apps/CA.pl.in index 7087f55d27..f029470005 100644 --- a/apps/CA.pl.in +++ b/apps/CA.pl.in @@ -209,7 +209,9 @@ if ($WHAT eq '-newcert' ) { } elsif ($WHAT eq '-verify' ) { my @files = @ARGV ? @ARGV : ( $NEWCERT ); foreach my $file (@files) { -my $status = run("$VERIFY -CAfile ${CATOP}/$CACERT $file $EXTRA{verify}"); +# -CAfile quoted for VMS, since the C RTL downcases all unquoted +# arguments to C programs +my $status = run("$VERIFY \"-CAfile\" ${CATOP}/$CACERT $file $EXTRA{verify}"); $RET = $status if $status != 0; } } elsif ($WHAT eq '-crl' ) { 
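Review bot: The rewritten `run(...)` line in the `-verify` branch still builds the command as one interpolated string, so `$file` (taken from `@ARGV`) and `${CATOP}/$CACERT` reach the command line unquoted. If run() hands that string to a shell, which is not visible in this hunk, a file name containing spaces or shell metacharacters would be split or interpreted instead of being passed as a single argument. Since the line is already being changed for quoting, the path arguments could be quoted as well, e.g. `\"${CATOP}/$CACERT\" \"$file\"`, which at least keeps names with spaces intact. A list-form invocation would avoid shell parsing altogether.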
diff --git a/test/ossl_store_test.c b/test/ossl_store_test.c index b9135cfcb3..b45d1d548f 100644 --- a/test/ossl_store_test.c +++ b/test/ossl_store_test.c @@ -7,6 +7,7 @@ * https://www.openssl.org/source/license.html */ +#include
[openssl] master update
The branch master has been updated via 21dfdbef4965d95d65bfc942aafafd342cb61e4c (commit) via 006de7670a12dff617e86a55b6db7c6e3b1f8fef (commit) from 86ff7cf2a6cdf26f2ba7e64db6fe5c92c64bf9ac (commit) - Log - commit 21dfdbef4965d95d65bfc942aafafd342cb61e4c Author: Richard Levitte Date: Tue Jun 22 18:11:03 2021 +0200 Adapt other parts of the source to the changed EVP_Q_digest() and EVP_Q_mac() Fixes #15839 Reviewed-by: David von Oheimb Reviewed-by: Paul Dale Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/15861) commit 006de7670a12dff617e86a55b6db7c6e3b1f8fef Author: Richard Levitte Date: Tue Jun 22 18:09:25 2021 +0200 EVP: Change the output size type of EVP_Q_digest() and EVP_Q_mac() This makes them more consistent with other new interfaces. Fixes #15839 Reviewed-by: David von Oheimb Reviewed-by: Paul Dale Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/15861) --- Summary of changes: apps/lib/s_cb.c | 28 ++-- crypto/crmf/crmf_pbm.c | 4 +--- crypto/evp/digest.c | 9 ++--- crypto/evp/mac_lib.c| 9 + crypto/hmac/hmac.c | 17 +++-- doc/man3/EVP_DigestInit.pod | 11 ++- doc/man3/EVP_MAC.pod| 2 +- include/openssl/evp.h | 6 +++--- ssl/tls13_enc.c | 6 ++ 9 files changed, 49 insertions(+), 43 deletions(-) diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c index ef431c98ea..245bae6249 100644 --- a/apps/lib/s_cb.c +++ b/apps/lib/s_cb.c @@ -740,8 +740,8 @@ void tlsext_cb(SSL *s, int client_server, int type, } #ifndef OPENSSL_NO_SOCK -int generate_cookie_callback(SSL *ssl, unsigned char *cookie, - unsigned int *cookie_len) +int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie, + size_t *cookie_len) { unsigned char *buffer = NULL; size_t length = 0; 
@@ -800,16 +800,16 @@ end: return res; } -int verify_cookie_callback(SSL *ssl, const unsigned char *cookie, - unsigned int cookie_len) +int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie, + size_t cookie_len) { unsigned char result[EVP_MAX_MD_SIZE]; -unsigned int resultlength; +size_t resultlength; /* Note: we check cookie_initialized because if it's not, * it cannot be valid */ if (cookie_initialized -&& generate_cookie_callback(ssl, result, ) +&& generate_stateless_cookie_callback(ssl, result, ) && cookie_len == resultlength && memcmp(result, cookie, resultlength) == 0) return 1; @@ -817,20 +817,20 @@ int verify_cookie_callback(SSL *ssl, const unsigned char *cookie, return 0; } -int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie, - size_t *cookie_len) +int generate_cookie_callback(SSL *ssl, unsigned char *cookie, + unsigned int *cookie_len) { -unsigned int temp = 0; +size_t temp = 0; +int res = generate_stateless_cookie_callback(ssl, cookie, ); -int res = generate_cookie_callback(ssl, cookie, ); -*cookie_len = temp; +*cookie_len = (unsigned int)temp; return res; } -int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie, - size_t cookie_len) +int verify_cookie_callback(SSL *ssl, const unsigned char *cookie, + unsigned int cookie_len) { -return verify_cookie_callback(ssl, cookie, cookie_len); +return verify_stateless_cookie_callback(ssl, cookie, cookie_len); } #endif diff --git a/crypto/crmf/crmf_pbm.c b/crypto/crmf/crmf_pbm.c index 0c217295d3..aba6b3a16f 100644 --- a/crypto/crmf/crmf_pbm.c +++ b/crypto/crmf/crmf_pbm.c @@ -140,7 +140,6 @@ int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq, unsigned int bklen = EVP_MAX_MD_SIZE; int64_t iterations; unsigned char *mac_res = 0; -unsigned int maclen; int ok = 0; if (out == NULL || pbmp == NULL || pbmp->mac == NULL 
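Review bot: verify_stateless_cookie_callback compares the recomputed cookie with the peer-supplied one using `memcmp(result, cookie, resultlength) == 0`, which may stop at the first differing byte and so is not constant-time. For a value that authenticates the peer, that line should use the library's constant-time comparison, `&& CRYPTO_memcmp(result, cookie, resultlength) == 0`. The preceding `cookie_len == resultlength` test should stay, since it bounds the comparison.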
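Review bot: In the reworked generate_cookie_callback wrapper, `*cookie_len = (unsigned int)temp;` narrows a `size_t` without a range check and is stored whatever `res` is. The value presumably never exceeds a digest length, but nothing in this hunk shows that bound, so a short comment stating it would justify the cast, e.g. `/* temp is at most EVP_MAX_MD_SIZE, so the narrowing cast cannot truncate */`, once that has been confirmed against the generator's body. The generator's body is only partly visible in the preceding hunks.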
@@ -207,10 +206,9 @@ int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq, goto err; } if (EVP_Q_mac(libctx, "HMAC", propq, hmac_mdname, NULL, basekey, bklen, - msg, msglen, mac_res, EVP_MAX_MD_SIZE, ) == NULL) + msg, msglen, mac_res, EVP_MAX_MD_SIZE, outlen) == NULL) goto err; -*outlen = (size_t)maclen; ok = 1; err: diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index 98c39343be..4a5c926103 100644 --- a/crypto/evp/
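Review bot: With `outlen` now handed straight to `EVP_Q_mac(...)`, `*outlen` can be written on a call that then takes `goto err`, whereas the removed `*outlen = (size_t)maclen;` ran only after success. Whether EVP_Q_mac() touches the length on failure is not visible in this hunk. I would either document on OSSL_CRMF_pbm_new that `*outlen` is unspecified when the function returns 0, or reset it under the `err:` label when `ok` is 0, so callers cannot pick up a stale length alongside a freed or absent MAC buffer. The function's start and its clean-up code are outside the hunk.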
[openssl] master update
The branch master has been updated via 86ff7cf2a6cdf26f2ba7e64db6fe5c92c64bf9ac (commit) via 488689507c9a2bc5626411c8e1c597db329183bc (commit) from 0d40745671e562725e865167854be66222798ae1 (commit) - Log - commit 86ff7cf2a6cdf26f2ba7e64db6fe5c92c64bf9ac Author: Richard Levitte Date: Tue Jun 22 12:10:21 2021 +0200 Configure: Reflect that We don't build loader_attic when dynamic-engine is disabled Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15858) commit 488689507c9a2bc5626411c8e1c597db329183bc Author: Richard Levitte Date: Tue Jun 22 11:56:18 2021 +0200 TEST: check 'loadereng' to determine if loader_attic should be tested Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15858) --- Summary of changes: Configure | 1 + test/recipes/81-test_cmp_cli.t | 11 +++ test/recipes/90-test_store.t | 2 +- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/Configure b/Configure index 2181d34a21..0ec72395db 100755 --- a/Configure +++ b/Configure @@ -618,6 +618,7 @@ my @disable_cascades = ( "module"=> [ "fips", "dso" ], "engine"=> [ "dynamic-engine", grep(/eng$/, @disablables) ], +"dynamic-engine"=> [ "loadereng" ], "hw"=> [ "padlockeng" ], # no-autoalginit is only useful when building non-shared diff --git a/test/recipes/81-test_cmp_cli.t b/test/recipes/81-test_cmp_cli.t index fd1a1b0607..20ce738052 100644 --- a/test/recipes/81-test_cmp_cli.t +++ b/test/recipes/81-test_cmp_cli.t 
@@ -41,12 +41,15 @@ my @cmp_basic_tests = ( ); my @cmp_server_tests = ( -[ "with polling", [ "-poll_count", "1" ], 1 ], -[ "with loader_attic engine", [ "-engine", "loader_attic"], - !disabled('dynamic-engine') && - !disabled("deprecated-3.0") ] +[ "with polling", [ "-poll_count", "1" ], 1 ] ); +# loader_attic doesn't build on VMS, so we don't test it +push @cmp_server_tests, ( +[ "with loader_attic engine", [ "-engine", "loader_attic"], 1 ] +) +unless disabled('loadereng'); + plan tests => @cmp_basic_tests + @cmp_server_tests; foreach (@cmp_basic_tests) { diff --git a/test/recipes/90-test_store.t b/test/recipes/90-test_store.t index a61ed5b51e..e9a33c91d9 100644 --- a/test/recipes/90-test_store.t +++ b/test/recipes/90-test_store.t @@ -101,7 +101,7 @@ my @prov_method = qw(-provider default); push @prov_method, qw(-provider legacy) unless disabled('legacy'); push @methods, [ @prov_method ]; push @methods, [qw(-engine loader_attic)] -unless disabled('dynamic-engine') || disabled('deprecated-3.0'); +unless disabled('loadereng'); my $n = scalar @methods * ( (3 * scalar @noexist_files)
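Review bot: The new guard `unless disabled('loadereng')` replaces a test on both 'dynamic-engine' and 'deprecated-3.0', but the Configure hunk in this update only shows "loadereng" cascading from "dynamic-engine" and from "engine". Unless 'loadereng' is also disabled for a no-deprecated build somewhere outside these hunks, the loader_attic test would now run in a configuration the old condition skipped. The same applies to the `90-test_store.t` hunk. The added comment `# loader_attic doesn't build on VMS, so we don't test it` also describes only one of the cases the guard covers; `# loader_attic is only built when 'loadereng' is enabled` would match the condition.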
[openssl] master update
The branch master has been updated via 1b1c9b0d7527f946755f6fc9784b45e34cb16a17 (commit) via 321a48cdd833e839c175085597e024d504ad23d6 (commit) from e493d6e0ca4157741d2e4cfcb91fd367851f5771 (commit) - Log - commit 1b1c9b0d7527f946755f6fc9784b45e34cb16a17 Author: Richard Levitte Date: Mon Jun 21 15:18:19 2021 +0200 test/recipes/81-test_cmp_cli.t: use app() rather than cmd() Fixes #15833 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15846) commit 321a48cdd833e839c175085597e024d504ad23d6 Author: Richard Levitte Date: Mon Jun 21 08:35:28 2021 +0200 test/recipes/80-test_cmp_http.t: use app() rather than cmd() OpenSSL::Test::cmd() should be used with caution, as it is for special cases only. It's preferable to use OpenSSL::Test::app() or OpenSSL::Test::test(). Fixes #15833 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15846) --- Summary of changes: test/recipes/80-test_cmp_http.t | 12 +--- test/recipes/81-test_cmp_cli.t | 6 +++--- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/test/recipes/80-test_cmp_http.t b/test/recipes/80-test_cmp_http.t index dddc1db918..68130a364a 100644 --- a/test/recipes/80-test_cmp_http.t +++ b/test/recipes/80-test_cmp_http.t @@ -47,7 +47,7 @@ $proxy = chop_dblquot($ENV{http_proxy} // $ENV{HTTP_PROXY} // $proxy); $proxy =~ s{^https?://}{}i; my $no_proxy = $ENV{no_proxy} // $ENV{NO_PROXY}; -my $app = "apps/openssl cmp"; +my @app = qw(openssl cmp); # the CMP server configuration consists of: my $ca_dn; # The CA's Distinguished Name 
@@ -129,16 +129,14 @@ sub test_cmp_http { my $title = shift; my $params = shift; my $expected_result = shift; -my $path_app = bldtop_dir($app); $params = [ '-server', "127.0.0.1:$server_port", @$params ] unless grep { $_ eq '-server' } @$params; +my $cmd = app([@app, @$params]); -unless (is(my $actual_result = run(cmd([$path_app, @$params,])), - $expected_result, - $title)) { +unless (is(my $actual_result = run($cmd), $expected_result, $title)) { if ($faillog) { my $quote_spc_empty = sub { $_ eq "" ? '""' : $_ =~ m/ / ? '"'.$_.'"' : $_ }; -my $invocation = "$path_app ".join(' ', map $quote_spc_empty->($_), @$params); +my $invocation = cmdstr($cmd, display => 1); print $faillog "$server_name $aspect \"$title\" ($i/$n)". " expected=$expected_result actual=$actual_result\n"; print $faillog "$invocation\n\n"; @@ -266,7 +264,7 @@ sub load_tests { sub start_mock_server { my $args = $_[0]; # optional further CLI arguments -my $cmd = cmdstr(app(['openssl', 'cmp', '-config', 'server.cnf', +my $cmd = cmdstr(app([@app, '-config', 'server.cnf', $args ? $args : ()]), display => 1); print "Current directory is ".getcwd()."\n"; print "Launching mock server: $cmd\n"; diff --git a/test/recipes/81-test_cmp_cli.t b/test/recipes/81-test_cmp_cli.t index 8cf787cb26..fd1a1b0607 100644 --- a/test/recipes/81-test_cmp_cli.t +++ b/test/recipes/81-test_cmp_cli.t @@ -28,7 +28,7 @@ plan skip_all => "These tests are not supported in a fuzz build" plan skip_all => "These tests are not supported in a no-cmp build" if disabled("cmp"); -my $app = bldtop_dir("apps/openssl cmp"); +my @app = qw(openssl cmp); my @cmp_basic_tests = ( [ "show help",[ "-help" ], 1 ], @@ -53,7 +53,7 @@ foreach (@cmp_basic_tests) { my $title = $$_[0]; my $params = $$_[1]; my $expected = $$_[2]; -ok($expected == run(cmd([$app, "-config", '', @$params])), +ok($expected == run(app([@app, "-config", '', @$params])), $title); } 
@@ -66,7 +66,7 @@ foreach (@cmp_server_tests) { my $rsp_cert = srctop_file('test', 'certs', 'ee-cert-1024.pem'); my $outfile = result_file("test.certout.pem"); ok($expected == - run(cmd([$app, "-config", '', @$extra_args, + run(app([@app, "-config", '', @$extra_args, "-use_mock_srv", "-srv_ref", "mock server", "-srv_secret", $secret, "-rsp_cert", $rsp_cert,
[openssl] master update
The branch master has been updated via ecd699b6dae054d368ca9ff04f3b80013f3c241f (commit) from a1a62437e96ce4c1ba807e99a8231560f4ba59ef (commit) - Log - commit ecd699b6dae054d368ca9ff04f3b80013f3c241f Author: Richard Levitte Date: Fri Jun 18 07:09:25 2021 +0200 STORE: Fix OSSL_STORE_open_ex() error reporting OSSL_STORE_open_ex() could result in reports like this: 80722AA3927F:error:8002:system library:file_open_ex:No such file or directory:engines/e_loader_attic.c:1016:calling stat(file:test/blahdibleh.der) 80722AA3927F:error:41800069:lib(131)::path must be absolute:engines/e_loader_attic.c:1010:test/blahdibleh.der 80722AA3927F:error:167B:STORE routines:OSSL_STORE_open_ex:no loaders found:crypto/store/store_lib.c:148:No store loaders were found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? The last one turns out to be a bit too generically reported. It should only be reported when no loader were loaded at all, not when loader_ctx happens to be NULL (which may happen for other reasons). We also move the helpful message to the OSSL_STORE_LOADER fetcher. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/15820) --- Summary of changes: crypto/store/store_lib.c | 24 crypto/store/store_meth.c | 9 - 2 files changed, 24 insertions(+), 9 deletions(-) diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c index c0d9dafbdf..4b31c6f7d5 100644 --- a/crypto/store/store_lib.c +++ b/crypto/store/store_lib.c @@ -71,6 +71,7 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, OSSL_STORE_LOADER_CTX *loader_ctx = NULL; OSSL_STORE_CTX *ctx = NULL; char *propq_copy = NULL; +int no_loader_found = 1; char scheme_copy[256], *p, *schemes[2]; size_t schemes_n = 0; size_t i; 
@@ -113,6 +114,7 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, OSSL_TRACE1(STORE, "Looking up scheme %s\n", schemes[i]); #ifndef OPENSSL_NO_DEPRECATED_3_0 if ((loader = ossl_store_get0_loader_int(schemes[i])) != NULL) { +no_loader_found = 0; if (loader->open_ex != NULL) loader_ctx = loader->open_ex(loader, uri, libctx, propq, ui_method, ui_data); @@ -127,6 +129,7 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, OSSL_STORE_LOADER_get0_provider(fetched_loader); void *provctx = OSSL_PROVIDER_get0_provider_ctx(provider); +no_loader_found = 0; loader_ctx = fetched_loader->p_open(provctx, uri); if (loader_ctx == NULL) { OSSL_STORE_LOADER_free(fetched_loader); @@ -141,16 +144,21 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, } } -if (loader != NULL) -OSSL_TRACE1(STORE, "Found loader for scheme %s\n", schemes[i]); +if (no_loader_found) +/* + * It's assumed that ossl_store_get0_loader_int() and + * OSSL_STORE_LOADER_fetch() report their own errors + */ +goto err; -if (loader_ctx == NULL) { -ERR_raise_data(ERR_LIB_OSSL_STORE, OSSL_STORE_R_NO_LOADERS_FOUND, - "No store loaders were found. For standard store " - "loaders you need at least one of the default or base " - "providers available. Did you forget to load them?"); +OSSL_TRACE1(STORE, "Found loader for scheme %s\n", schemes[i]); + +if (loader_ctx == NULL) +/* + * It's assumed that the loader's open() method reports its own + * errors + */ goto err; -} OSSL_TRACE2(STORE, "Opened %s => %p\n", uri, (void *)loader_ctx); diff --git a/crypto/store/store_meth.c b/crypto/store/store_meth.c index e316f4f139..61230a6c24 100644 --- a/crypto/store/store_meth.c +++ b/crypto/store/store_meth.c 
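Review bot: In the `@@ -141,16 +144,21 @@` hunk the trace call `OSSL_TRACE1(STORE, "Found loader for scheme %s\n", schemes[i]);` loses its `if (loader != NULL)` guard and now runs after the loop whenever any loader was seen. If the loop ended because every scheme had been tried, `i` equals `schemes_n` at that point, and `schemes[i]` is an entry that was never filled in or lies past the two-element array, so enabling STORE tracing can dereference an invalid pointer. Remembering the scheme inside the loop with `scheme = schemes[i];` and tracing that local avoids the post-loop index. The loop header is outside this hunk, so the exit condition is inferred from how the index is used.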
@@ -344,11 +344,18 @@ inner_loader_fetch(struct loader_data_st *methdata, int id, if ((id != 0 || scheme != NULL) && method == NULL) { int code = unsupported ? ERR_R_UNSUPPORTED : ERR_R_FETCH_FAILED; +const char *helpful_msg = +unsupported +? ( "No store loader found. For standard store loaders you need " +"at least one of the default or base providers available. " +"Did you forget to load them? Info: " ) +: "";
[openssl] master update
The branch master has been updated via 0eed845ce2d76a1f2d8882cb32e1d36c30236d5e (commit) via 1abcd1e858ea4b1e924bdd8141d55b889cc2fbc2 (commit) from a205860404f219e4c07424ebe49b817bcaa6d488 (commit) - Log - commit 0eed845ce2d76a1f2d8882cb32e1d36c30236d5e Author: Richard Levitte Date: Wed Jun 16 10:32:43 2021 +0200 Make util/wrap.pl work better on VMS Perl's system() on VMS needs to have the command line properly fixed up, even with arguments passed in list form. We arrange that by having util/wrap.pl use the same command line fixups as OpenSSL::Test. As a consequence, util/wrap.pl needs to be generated, to easily pick up data from configdata.pm. This also removes yet another file copying hack from the build file templates. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15791) commit 1abcd1e858ea4b1e924bdd8141d55b889cc2fbc2 Author: Richard Levitte Date: Wed Jun 16 10:18:20 2021 +0200 OpenSSL::Test: Move the command line quotifier The command line quotifier is more useful as a common utility, so it gets moved to OpenSSL::Util, as the following two functions: fixup_cmd_elements(), which is the generic command line reformatter fixup_cmd(), which is like fixup_cmd_elements(), but treats the first element specially where necessary (such as on VMS). Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15791) --- Summary of changes: Configurations/descrip.mms.tmpl | 14 +- Configurations/unix-Makefile.tmpl| 6 +-- Configurations/windows-makefile.tmpl | 6 +-- util/build.info | 3 ++ util/perl/OpenSSL/Test.pm| 82 util/perl/OpenSSL/Util.pm| 92 +++- util/{wrap.pl => wrap.pl.in} | 19 +++- 7 files changed, 126 insertions(+), 96 deletions(-) rename util/{wrap.pl => wrap.pl.in} (81%) mode change 100755 => 100644 diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 2cf03d0214..bad8e0a776 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl 
@@ -447,7 +447,7 @@ NODEBUG=@ # The main targets ### -{- dependmagic('build_sw'); -} : build_libs_nodep, build_modules_nodep, build_programs_nodep copy-utils +{- dependmagic('build_sw'); -} : build_libs_nodep, build_modules_nodep, build_programs_nodep {- dependmagic('build_libs'); -} : build_libs_nodep {- dependmagic('build_modules'); -} : build_modules_nodep {- dependmagic('build_programs'); -} : build_programs_nodep @@ -476,7 +476,7 @@ build_all_generated : $(GENERATED_MANDATORY) $(GENERATED) build_docs all : build_sw build_docs test : tests -{- dependmagic('tests'); -} : build_programs_nodep, build_modules_nodep copy-utils run_tests +{- dependmagic('tests'); -} : build_programs_nodep, build_modules_nodep run_tests run_tests : @ ! {- output_off() if $disabled{tests}; "" -} DEFINE SRCTOP "$(SRCDIR)" @@ -738,16 +738,6 @@ check_INSTALLTOP : @ IF "$(INSTALLTOP)" .EQS. "" THEN - EXIT %x1002 -# Helper targets # - -copy-utils : [.util]wrap.pl - -[.util]wrap.pl : configdata.pm - @ IF "$(SRCDIR)" .NES. "$(BLDDIR)" THEN - - CREATE/DIR/LOG [.util] - @ IF "$(SRCDIR)" .NES. "$(BLDDIR)" THEN - - COPY/LOG ossl_sourceroot:[util]wrap.pl [.util] - # Developer targets ## debug_logicals : diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 553e51dfe5..2b894c0928 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -1361,10 +1361,9 @@ tar: # Helper targets # -link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/util/wrap.pl \ -$(BLDDIR)/apps/openssl.cnf +link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl.cnf -$(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/util/wrap.pl: configdata.pm +$(BLDDIR)/util/opensslwrap.sh: configdata.pm @if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \ mkdir -p "$(BLDDIR)/util"; \ ln -sf "../$(SRCDIR)/util/`basename "$@"`" "$(BLDDIR)/util"; \ 
@@ -1924,6 +1923,7 @@ EOF rel2abs($config{builddir})); return <<"EOF"; $script: $sources configdata.pm + \$(RM) "$script" \$(PERL) "-I\$(BLDDIR)" -Mconfigdata
[openssl] master update
The branch master has been updated via 835dd706d3a916dacdb302905899a32638ed8adc (commit) from 29b3fdad2b078f45f840f6e45b0fe483b77dbc6f (commit) - Log - commit 835dd706d3a916dacdb302905899a32638ed8adc Author: Richard Levitte Date: Tue Jun 15 17:43:02 2021 +0200 TEST: Make test/recipes/01-test_symbol_presence.t more platform agnostic Assuming ".so" as shared library ending is faulty on MacOS, where the normal shared library extension is ".dylib". We use the platform module to get the same extension as the build process. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/15771) --- Summary of changes: test/recipes/01-test_symbol_presence.t | 12 +--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t index 9df57de421..e979c18f46 100644 --- a/test/recipes/01-test_symbol_presence.t +++ b/test/recipes/01-test_symbol_presence.t @@ -9,10 +9,16 @@ use strict; use File::Spec::Functions qw(devnull); -use OpenSSL::Test qw(:DEFAULT srctop_file bldtop_dir bldtop_file); +use OpenSSL::Test qw(:DEFAULT srctop_file srctop_dir bldtop_dir bldtop_file); use OpenSSL::Test::Utils; -setup("test_symbol_presence"); +BEGIN { +setup("test_symbol_presence"); +} + +use lib srctop_dir('Configurations'); +use lib bldtop_dir('.'); +use platform; plan skip_all => "Test is disabled on NonStop" if config('target') =~ m|^nonstop|; plan skip_all => "Only useful when building shared libraries" @@ -33,7 +39,7 @@ note foreach my $libname (@libnames) { SKIP: { -my $shlibpath = bldtop_file("lib" . $libname . ".so"); +my $shlibpath = bldtop_file(platform->sharedlib("lib$libname")); *OSTDERR = *STDERR; *OSTDOUT = *STDOUT; open STDERR, ">", devnull();
[openssl] master update
The branch master has been updated via 29b3fdad2b078f45f840f6e45b0fe483b77dbc6f (commit) via 5d8ad7d385f1be0d2ef6fd3bfc91debdf3835c96 (commit) via 27fb7a0a27c2b35b8f385fa2a23588603c7a94a4 (commit) via cd770738796c591f93b2db630bab57cd8d3d5796 (commit) via 793b05865a3892258522e875df6ba4dff2ceb817 (commit) via b3f5d5d3684c4059b09e73b951a84fc0d77594e9 (commit) via 07562828308417205f39a628af3b78af0d30d308 (commit) via f0191d0b1373bb7b0c50a0103d63791f51ed3398 (commit) from 04fb4ec8facce1e289029c289ebc4b487db8 (commit) - Log - commit 29b3fdad2b078f45f840f6e45b0fe483b77dbc6f Author: Richard Levitte Date: Thu Jun 10 07:31:13 2021 +0200 Refactor OSSL_STORE_LOADER_do_all_provided() to behave like OSSL_STORE_LOADER_fetch() This is refactored to use inner_loader_fetch() without any given name, which is just there to ensure all decoder implementations are made into methods, and then use ossl_method_store_do_all() to list them all. This also adds the internal ossl_store_loader_do_all_prefetched(), which can be used if pre-fetching needs to be done separately from listing all the decoder implementations, or if listing may happen multiple times. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15604) commit 5d8ad7d385f1be0d2ef6fd3bfc91debdf3835c96 Author: Richard Levitte Date: Wed Jun 9 11:00:00 2021 +0200 test/evp_extra_test.c: Peek at the error instead of getting it. If there is an error report, we want to get it printed too. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15604) commit 27fb7a0a27c2b35b8f385fa2a23588603c7a94a4 Author: Richard Levitte Date: Wed Jun 9 10:58:33 2021 +0200 DECODER & ENCODER: Add better tracing Now that we have functions to get the name and properties of the diverse implementations, we can as well display them for clarity. 
Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15604) commit cd770738796c591f93b2db630bab57cd8d3d5796 Author: Richard Levitte Date: Wed Jun 9 07:52:09 2021 +0200 Adapt all public EVP_XXX_do_all_provided() for the changed evp_generic_do_all() Fixes #15538 Fixes #14837 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15604) commit 793b05865a3892258522e875df6ba4dff2ceb817 Author: Richard Levitte Date: Wed Jun 9 07:50:08 2021 +0200 Refactor evp_generic_do_all() to behave like evp_generic_fetch() This is refactored to use inner_evp_generic_fetch() without any given name, which is just there to ensure all decoder implementations are made into methods, and then use ossl_method_store_do_all() to list them all. This also adds the internal evp_generic_do_all_prefetched(), which can be used if pre-fetching needs to be done separately from listing all the decoder implementations, or if listing may happen multiple times. Fixes #15538 Fixes #14837 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15604) commit b3f5d5d3684c4059b09e73b951a84fc0d77594e9 Author: Richard Levitte Date: Wed Jun 9 07:47:41 2021 +0200 Refactor OSSL_ENCODER_do_all_provided() to behave like OSSL_ENCODER_fetch() This is refactored to use inner_ossl_encoder_fetch() without any given name, which is just there to ensure all encoder implementations are made into methods, and then use ossl_method_store_do_all() to list them all. This also adds the internal ossl_encoder_do_all_prefetched(), which can be used if pre-fetching needs to be done separately from listing all the encoder implementations, or if listing may happen multiple times. 
Fixes #15538 Fixes #14837 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15604) commit 07562828308417205f39a628af3b78af0d30d308 Author: Richard Levitte Date: Fri Jun 4 14:29:07 2021 +0200 Refactor OSSL_DECODER_do_all_provided() to behave like OSSL_DECODER_fetch() This is refactored to use inner_ossl_decoder_fetch() without any given name, which is just there to ensure all decoder implementations are made into methods, and then use ossl_method_store_do_all() to list them all. This also adds the internal ossl_decoder_do_all_prefetched(), which can be used if pre-fetching needs to be done separately from listing all the decoder implementations, or if listing may happen multiple times. Fixes #15538 Fixes #1
[openssl] master update
The branch master has been updated via 9067cf6ccdce0a73922f06937e54c2fce2752038 (commit) from 515480be79de6907fcf0f7797aa0d3cd45e7d33c (commit) - Log - commit 9067cf6ccdce0a73922f06937e54c2fce2752038 Author: Richard Levitte Date: Mon Jun 14 09:25:53 2021 +0200 CORE: Move away the allocation of the temporary no_cache method store The responsibility for managing the temporary store for methods from algorithm implementations flaged "no_store" is moved up to the diverse method fetching functions. This allows them to allocate it "just in time", or in other words not at all if there is not such algorithm implementation. This makes this temporary store more flexible if it's needed outside of the core fetching functionality, and slightly faster when this temporary store isn't necessary at all. Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15737) --- Summary of changes: crypto/core_fetch.c | 46 ++ crypto/encode_decode/decoder_meth.c | 63 +++--- crypto/encode_decode/encoder_meth.c | 63 +++--- crypto/evp/evp_fetch.c | 76 ++--- crypto/store/store_meth.c | 63 +++--- include/internal/core.h | 6 +-- 6 files changed, 188 insertions(+), 129 deletions(-) diff --git a/crypto/core_fetch.c b/crypto/core_fetch.c index 0c30f985d6..fade75f4c9 100644 --- a/crypto/core_fetch.c +++ b/crypto/core_fetch.c 
@@ -83,19 +83,25 @@ static void ossl_method_construct_this(OSSL_PROVIDER *provider, */ if (data->force_store || !no_store) { +/* If we haven't been told not to store, add to the global store */ +data->mcm->put(data->libctx, NULL, method, provider, + data->operation_id, algo->algorithm_names, + algo->property_definition, data->mcm_data); +} else { /* - * If we haven't been told not to store, - * add to the global store + * If we have been told not to store the method "permanently", we + * ask for a temporary store, and store the method there. + * The owner of |data->mcm| is completely responsible for managing + * that temporary store. */ -data->mcm->put(data->libctx, NULL, method, provider, +if ((data->store = data->mcm->get_tmp_store(data->mcm_data)) == NULL) +return; + +data->mcm->put(data->libctx, data->store, method, provider, data->operation_id, algo->algorithm_names, algo->property_definition, data->mcm_data); } -data->mcm->put(data->libctx, data->store, method, provider, - data->operation_id, algo->algorithm_names, - algo->property_definition, data->mcm_data); - /* refcnt-- because we're dropping the reference */ data->mcm->destruct(method, data->mcm_data); } @@ -109,14 +115,8 @@ void *ossl_method_construct(OSSL_LIB_CTX *libctx, int operation_id, if ((method = mcm->get(libctx, NULL, mcm_data)) == NULL) { struct construct_data_st cbdata; -/* - * We have a temporary store to be able to easily search among new - * items, or items that should find themselves in the global store. - */ -if ((cbdata.store = mcm->alloc_tmp_store(libctx)) == NULL) -goto fin; - cbdata.libctx = libctx; +cbdata.store = NULL; cbdata.operation_id = operation_id; cbdata.force_store = force_store; cbdata.mcm = mcm; 
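Review bot: The new `else` branch in ossl_method_construct_this() returns early when `get_tmp_store` yields NULL, which skips the `data->mcm->destruct(method, data->mcm_data);` call at the end of the hunk, the one its comment describes as dropping the reference. The construction of `method` is outside the hunk, so this is inferred, but if the function holds a reference at that point, the failure path leaks it. Inverting the test keeps the cleanup on every path: guard the `put` call with `if ((data->store = data->mcm->get_tmp_store(data->mcm_data)) != NULL)` and drop the `return;`.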
@@ -127,20 +127,14 @@ void *ossl_method_construct(OSSL_LIB_CTX *libctx, int operation_id, ossl_method_construct_postcondition, ); -method = mcm->get(libctx, cbdata.store, mcm_data); -if (method == NULL) { -/* - * If we get here then we did not construct the method that we - * attempted to construct. It's possible that another thread got - * there first and so we skipped construction (pre-condition - * failed). We check the global store again to see if it has - * appeared by now. - */ +/* If there is a temporary store, try there first */ +if (cbdata.store != NULL) +method = mcm->get(libctx, cbdata.store, mcm_data); + +/* If no method was found yet, try the global store */ +if (method == NULL) method = mcm
[openssl] master update
The branch master has been updated via e2217b44f43753320ec74e62f8cbc6b9e9feaa9d (commit) from 0051746e03c65f5970d8ca424579d50f58a877e0 (commit) - Log - commit e2217b44f43753320ec74e62f8cbc6b9e9feaa9d Author: Richard Levitte Date: Fri Jun 11 18:11:07 2021 +0200 APPS: Remove an unreachable statement in s_client.c A Solaris compiler complains: "apps/s_client.c", line 2994: statement not reached It takes a bit of scrutiny to see that this is true, on all platforms. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15719) --- Summary of changes: apps/s_client.c | 1 - 1 file changed, 1 deletion(-) diff --git a/apps/s_client.c b/apps/s_client.c index 2b8f274433..ac9b08dfc2 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -2991,7 +2991,6 @@ int s_client_main(int argc, char **argv) } } -ret = 0; shut: if (in_init) print_stuff(bio_c_out, con, full_log);
[openssl] master update
The branch master has been updated via 773e67ab82df4b268bd88465b70fd08ff7165904 (commit) from 4a73938756566e06f101c1c599b5472b06a8e0c0 (commit) - Log - commit 773e67ab82df4b268bd88465b70fd08ff7165904 Author: Richard Levitte Date: Fri Jun 11 17:22:44 2021 +0200 Building: Add necessary dependencies for linker scripts and .rc files These files depend on the data from configdata.pm, so need a dependency on that one to always be properly updated. The same goes for .rc files. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/15717) --- Summary of changes: build.info | 2 ++ 1 file changed, 2 insertions(+) diff --git a/build.info b/build.info index 6c91e22309..a70d1671f2 100644 --- a/build.info +++ b/build.info @@ -77,11 +77,13 @@ IF[{- defined $target{shared_defflag} -}] GENERATE[libcrypto.ld]=util/libcrypto.num libcrypto GENERATE[libssl.ld]=util/libssl.num libssl + DEPEND[libcrypto.ld libssl.ld]=configdata.pm util/perl/OpenSSL/Ordinals.pm ENDIF IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-|BC-)/ -}] GENERATE[libcrypto.rc]=util/mkrc.pl libcrypto GENERATE[libssl.rc]=util/mkrc.pl libssl + DEPEND[libcrypto.rc libssl.rc]=configdata.pm SHARED_SOURCE[libcrypto]=libcrypto.rc SHARED_SOURCE[libssl]=libssl.rc
[openssl] master update
The branch master has been updated via 4a73938756566e06f101c1c599b5472b06a8e0c0 (commit) from 8ccbf00d1786f25af5e64a2354f87aef31b57bdf (commit) - Log - commit 4a73938756566e06f101c1c599b5472b06a8e0c0 Author: Richard Levitte Date: Thu Jun 10 09:15:58 2021 +0200 Configure: Allow spaces around '=' in all build.info statements This was allowed already for some statements, but not consistently for all. Fixes #15684 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15691) --- Summary of changes: Configure | 32 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/Configure b/Configure index c6e85b3e48..2181d34a21 100755 --- a/Configure +++ b/Configure @@ -2108,7 +2108,7 @@ if ($builder eq "unified") { my $index_re = qr/\[\s*(?P(?:\\.|.)*?)\s*\]/; my $cond_re = qr/\[\s*(?P(?:\\.|.)*?)\s*\]/; my $attribs_re = qr/(?:\{\s*(?P(?:\\.|.)*?)\s*\})?/; -my $value_re = qr/\s*(?P.*?)\s*/; +my $value_re = qr/(?P.*?)/; collect_information( collect_from_array([ @text ], qr/\\$/ => sub { my $l1 = shift; my $l2 = shift; @@ -2135,13 +2135,13 @@ if ($builder eq "unified") { qr/^\s* ENDIF \s*$/x => sub { die "ENDIF out of scope" if ! @skip; pop @skip; }, -qr/^\s* ${variable_re} \s* = ${value_re} $/x +qr/^\s* ${variable_re} \s* = \s* ${value_re} \s* $/x => sub { if (!@skip || $skip[$#skip] > 0) { $variables{$+{VARIABLE}} = $expand_variables->($+{VALUE}); } }, -qr/^\s* SUBDIRS \s* = ${value_re} $/x +qr/^\s* SUBDIRS \s* = \s* ${value_re} \s* $/x => sub { if (!@skip || $skip[$#skip] > 0) { foreach (tokenize($expand_variables->($+{VALUE}))) { 
@@ -2149,67 +2149,67 @@ if ($builder eq "unified") { } } }, -qr/^\s* PROGRAMS ${attribs_re} \s* = ${value_re} $/x +qr/^\s* PROGRAMS ${attribs_re} \s* = \s* ${value_re} \s* $/x => sub { $push_to->(\@programs, undef, \$attributes{programs}, $+{ATTRIBS}, tokenize($expand_variables->($+{VALUE}))) if !@skip || $skip[$#skip] > 0; }, -qr/^\s* LIBS ${attribs_re} \s* = ${value_re} $/x +qr/^\s* LIBS ${attribs_re} \s* = \s* ${value_re} \s* $/x => sub { $push_to->(\@libraries, undef, \$attributes{libraries}, $+{ATTRIBS}, tokenize($expand_variables->($+{VALUE}))) if !@skip || $skip[$#skip] > 0; }, -qr/^\s* MODULES ${attribs_re} \s* = ${value_re} $/x +qr/^\s* MODULES ${attribs_re} \s* = \s* ${value_re} \s* $/x => sub { $push_to->(\@modules, undef, \$attributes{modules}, $+{ATTRIBS}, tokenize($expand_variables->($+{VALUE}))) if !@skip || $skip[$#skip] > 0; }, -qr/^\s* SCRIPTS ${attribs_re} \s* = ${value_re} $/x +qr/^\s* SCRIPTS ${attribs_re} \s* = \s* ${value_re} \s* $/x => sub { $push_to->(\@scripts, undef, \$attributes{scripts}, $+{ATTRIBS}, tokenize($expand_variables->($+{VALUE}))) if !@skip || $skip[$#skip] > 0; }, -qr/^\s* IMAGEDOCS ${index_re} = ${value_re} $/x +qr/^\s* IMAGEDOCS ${index_re} \s* = \s* ${value_re} \s* $/x => sub { $push_to->(\%imagedocs, $expand_variables->($+{INDEX}), undef, undef, tokenize($expand_variables->($+{VALUE}))) if !@skip || $skip[$#skip] > 0; }, -qr/^\s* HTMLDOCS ${index_re} = ${value_re} $/x +qr/^\s* HTMLDOCS ${index_re} \s* = \s* ${value_re} \s* $/x => sub { $push_to->(\%htmldocs, $expand_variables->($+{INDEX}), undef, undef, tokenize($expand_variables->($+{VALUE}))) if !@skip || $skip[$#skip] > 0; }, -qr/^\s* MANDOCS ${index_re} = ${value_re} $/x +qr/^\s* MANDOCS ${index_re} \s* = \s* ${value_re} \s* $/x => sub { $push_to->(\%mandocs, $
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 6e03ee56f4aec778a9d303f85c1d290a9e154aad (commit) from 668893a9207adbed5186fcc6ac24ac3458cc7883 (commit) - Log - commit 6e03ee56f4aec778a9d303f85c1d290a9e154aad Author: Richard Levitte Date: Thu Jun 10 09:43:07 2021 +0200 Clean away remaining Travis related files Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15693) --- Summary of changes: .travis-apt-pin.preferences | 15 --- .travis-create-release.sh | 3 --- 2 files changed, 18 deletions(-) delete mode 100644 .travis-apt-pin.preferences delete mode 100644 .travis-create-release.sh diff --git a/.travis-apt-pin.preferences b/.travis-apt-pin.preferences deleted file mode 100644 index 1797bd0414..00 --- a/.travis-apt-pin.preferences +++ /dev/null @@ -1,15 +0,0 @@ -Package: clang-3.9 -Pin: release o=Ubuntu -Pin-Priority: -1 - -Package: libclang-common-3.9-dev -Pin: release o=Ubuntu -Pin-Priority: -1 - -Package: libclang1-3.9 -Pin: release o=Ubuntu -Pin-Priority: -1 - -Package: libllvm3.9v4 -Pin: release o=Ubuntu -Pin-Priority: -1 diff --git a/.travis-create-release.sh b/.travis-create-release.sh deleted file mode 100644 index 3407de7117..00 --- a/.travis-create-release.sh +++ /dev/null @@ -1,3 +0,0 @@ -#! /bin/sh - -./util/mktar.sh --name=_srcdist
[openssl] master update
The branch master has been updated via c24b3f2eda0235d04865bf258759d46d8a01608d (commit) from 541d4f19957727d331c2e4353a26841f5d1fe32d (commit) - Log - commit c24b3f2eda0235d04865bf258759d46d8a01608d Author: Richard Levitte Date: Thu Jun 10 09:41:22 2021 +0200 Clean away remaining Travis related files Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15692) --- Summary of changes: .travis-apt-pin.preferences | 15 --- .travis-create-release.sh | 3 --- 2 files changed, 18 deletions(-) delete mode 100644 .travis-apt-pin.preferences delete mode 100644 .travis-create-release.sh diff --git a/.travis-apt-pin.preferences b/.travis-apt-pin.preferences deleted file mode 100644 index 1797bd0414..00 --- a/.travis-apt-pin.preferences +++ /dev/null @@ -1,15 +0,0 @@ -Package: clang-3.9 -Pin: release o=Ubuntu -Pin-Priority: -1 - -Package: libclang-common-3.9-dev -Pin: release o=Ubuntu -Pin-Priority: -1 - -Package: libclang1-3.9 -Pin: release o=Ubuntu -Pin-Priority: -1 - -Package: libllvm3.9v4 -Pin: release o=Ubuntu -Pin-Priority: -1 diff --git a/.travis-create-release.sh b/.travis-create-release.sh deleted file mode 100644 index 3407de7117..00 --- a/.travis-create-release.sh +++ /dev/null @@ -1,3 +0,0 @@ -#! /bin/sh - -./util/mktar.sh --name=_srcdist
[openssl] master update
The branch master has been updated via 814b5133e9aca90f1edb99c38a26e55cd7e50e19 (commit) from baa47ad3b13eea1152e3773b606964f7bd87a720 (commit) - Log - commit 814b5133e9aca90f1edb99c38a26e55cd7e50e19 Author: Richard Levitte Date: Fri Jun 11 04:55:03 2021 +0200 apps/lib/s_socket.c: Alias getpid with _getpid for _WIN32 Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15710) --- Summary of changes: apps/lib/s_socket.c | 9 + 1 file changed, 9 insertions(+) diff --git a/apps/lib/s_socket.c b/apps/lib/s_socket.c index 36dbe615d2..bddf16045f 100644 --- a/apps/lib/s_socket.c +++ b/apps/lib/s_socket.c @@ -26,6 +26,15 @@ typedef unsigned int u_int; #endif +#ifdef _WIN32 +/* + * With MSVC, certain POSIX functions have been renamed to have an underscore + * prefix. + */ +# include +# define getpid _getpid +#endif + #ifndef OPENSSL_NO_SOCK # include "apps.h"
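Review bot: The guard on the added block is `#ifdef _WIN32`, but its comment gives MSVC's renaming of POSIX functions as the reason, so the `getpid` macro is also applied under other toolchains that define `_WIN32`. If the alias is meant for every Windows build, the comment should say so, for example `/* The Windows C runtime spells getpid() as _getpid(); alias it for all _WIN32 builds. */`. If it is needed for MSVC only, the guard could be narrowed to `#if defined(_WIN32) && defined(_MSC_VER)`.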
[openssl] master update
The branch master has been updated via 6309b799e940d57fdeb55ba4416a571283beb116 (commit) from b19fcc66d382357617744690dc3363947de2cb6f (commit) - Log - commit 6309b799e940d57fdeb55ba4416a571283beb116 Author: Richard Levitte Date: Thu Jun 10 07:25:56 2021 +0200 STORE: Make OSSL_STORE_LOADER_fetch() consistent with all other fetch functions The argument order was different on this one. Fixes #15688 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15689) --- Summary of changes: crypto/store/store_lib.c | 4 ++-- crypto/store/store_meth.c | 6 +++--- doc/man3/OSSL_STORE_LOADER.pod | 6 +++--- include/openssl/store.h| 4 ++-- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c index f7939ea0dd..c0d9dafbdf 100644 --- a/crypto/store/store_lib.c +++ b/crypto/store/store_lib.c @@ -122,7 +122,7 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, #endif if (loader == NULL && (fetched_loader = -OSSL_STORE_LOADER_fetch(schemes[i], libctx, propq)) != NULL) { +OSSL_STORE_LOADER_fetch(libctx, schemes[i], propq)) != NULL) { const OSSL_PROVIDER *provider = OSSL_STORE_LOADER_get0_provider(fetched_loader); void *provctx = OSSL_PROVIDER_get0_provider_ctx(provider); @@ -975,7 +975,7 @@ OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bp, const char *scheme, #endif if (loader == NULL && (fetched_loader = -OSSL_STORE_LOADER_fetch(scheme, libctx, propq)) != NULL) { +OSSL_STORE_LOADER_fetch(libctx, scheme, propq)) != NULL) { const OSSL_PROVIDER *provider = OSSL_STORE_LOADER_get0_provider(fetched_loader); void *provctx = OSSL_PROVIDER_get0_provider_ctx(provider); diff --git a/crypto/store/store_meth.c b/crypto/store/store_meth.c index cf2d1c6bba..a48e40d8c8 100644 --- a/crypto/store/store_meth.c +++ b/crypto/store/store_meth.c 
@@ -251,7 +251,7 @@ static void *construct_loader(const OSSL_ALGORITHM *algodef, /* * Flag to indicate that there was actual construction errors. This - * helps inner_evp_generic_fetch() determine what error it should + * helps inner_loader_fetch() determine what error it should * record on inaccessible algorithms. */ if (method == NULL) @@ -355,8 +355,8 @@ static OSSL_STORE_LOADER *inner_loader_fetch(OSSL_LIB_CTX *libctx, return method; } -OSSL_STORE_LOADER *OSSL_STORE_LOADER_fetch(const char *scheme, - OSSL_LIB_CTX *libctx, +OSSL_STORE_LOADER *OSSL_STORE_LOADER_fetch(OSSL_LIB_CTX *libctx, + const char *scheme, const char *properties) { return inner_loader_fetch(libctx, 0, scheme, properties); diff --git a/doc/man3/OSSL_STORE_LOADER.pod b/doc/man3/OSSL_STORE_LOADER.pod index 04fd318897..d150d24b49 100644 --- a/doc/man3/OSSL_STORE_LOADER.pod +++ b/doc/man3/OSSL_STORE_LOADER.pod @@ -33,8 +33,8 @@ unregister STORE loaders for different URI schemes typedef struct ossl_store_loader_st OSSL_STORE_LOADER; - OSSL_STORE_LOADER *OSSL_STORE_LOADER_fetch(const char *scheme, -OSSL_LIB_CTX *libctx, + OSSL_STORE_LOADER *OSSL_STORE_LOADER_fetch(OSSL_LIB_CTX *libctx, +const char *scheme, const char *properties); int OSSL_STORE_LOADER_up_ref(OSSL_STORE_LOADER *loader); void OSSL_STORE_LOADER_free(OSSL_STORE_LOADER *loader); @@ -119,7 +119,7 @@ storage schemes. OSSL_STORE_LOADER_fetch() looks for an implementation for a storage I within the providers that has been loaded into the B -given by I, and with the properties given by I. +given by I, and with the properties given by I. OSSL_STORE_LOADER_up_ref() increments the reference count for the given I. diff --git a/include/openssl/store.h b/include/openssl/store.h index c3e9beeff6..3c1445e0e6 100644 --- a/include/openssl/store.h +++ b/include/openssl/store.h 
@@ -253,8 +253,8 @@ int OSSL_STORE_find(OSSL_STORE_CTX *ctx, const OSSL_STORE_SEARCH *search); typedef struct ossl_store_loader_st OSSL_STORE_LOADER; -OSSL_STORE_LOADER *OSSL_STORE_LOADER_fetch(const char *scheme, - OSSL_LIB_CTX *libctx, +OSSL_STORE_LOADER *OSSL_STORE_LOADER_fetch(OSSL_LIB_CTX *libctx, + const char *scheme, const char *properties); int OSSL_STORE_LOADER_up_ref(OSSL_STORE_LOADER *loader); void OSSL_STORE_LOADER_free(O
[openssl] master update
The branch master has been updated via 7afef721ff93018a66f8e2e6b9e1ce3d48321bdf (commit) from ef0449135c4e4e7f04bbeafbd76ce7b5c0518088 (commit) - Log - commit 7afef721ff93018a66f8e2e6b9e1ce3d48321bdf Author: Richard Levitte Date: Thu Jun 10 16:43:27 2021 +0200 OpenSSL::Test: If __cwd() is to create the directory, do it early This is to ensure that abs_path() has an existing directory to look at. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15701) --- Summary of changes: util/perl/OpenSSL/Test.pm | 23 --- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/util/perl/OpenSSL/Test.pm b/util/perl/OpenSSL/Test.pm index 00db3d41c8..00aa4d841e 100644 --- a/util/perl/OpenSSL/Test.pm +++ b/util/perl/OpenSSL/Test.pm @@ -1124,6 +1124,14 @@ sub __data_dir { sub __cwd { my $dir = catdir(shift); my %opts = @_; + +# If the directory is to be created, we must do that before using +# abs_path(). +$dir = canonpath($dir); +if ($opts{create}) { + mkpath($dir); +} + my $abscurdir = abs_path(curdir()); my $absdir = abs_path($dir); my $reverse = abs2rel($abscurdir, $absdir); @@ -1143,11 +1151,6 @@ sub __cwd { # In this case, we won't even clean it out, for safety's sake. return "." if $reverse eq ""; -$dir = canonpath($dir); -if ($opts{create}) { - mkpath($dir); -} - # We are recalculating the directories we keep track of, but need to save # away the result for after having moved into the new directory. my %tmp_directories = (); 
@@ -1160,11 +1163,10 @@ sub __cwd { foreach (@dirtags) { if (!file_name_is_absolute($directories{$_})) { my $oldpath = abs_path($directories{$_}); - my $newbase = abs_path($dir); - my $newpath = abs2rel($oldpath, $newbase); + my $newpath = abs2rel($oldpath, $absdir); if ($debug) { print STDERR "DEBUG: [dir $_] old path: $oldpath\n"; - print STDERR "DEBUG: [dir $_] new base: $newbase\n"; + print STDERR "DEBUG: [dir $_] new base: $absdir\n"; print STDERR "DEBUG: [dir $_] resulting new path: $newpath\n"; } $tmp_directories{$_} = $newpath; @@ -1177,11 +1179,10 @@ sub __cwd { foreach (@direnv) { if (!file_name_is_absolute($ENV{$_})) { my $oldpath = abs_path($ENV{$_}); - my $newbase = abs_path($dir); - my $newpath = abs2rel($oldpath, $newbase); + my $newpath = abs2rel($oldpath, $absdir); if ($debug) { print STDERR "DEBUG: [env $_] old path: $oldpath\n"; - print STDERR "DEBUG: [env $_] new base: $newbase\n"; + print STDERR "DEBUG: [env $_] new base: $absdir\n"; print STDERR "DEBUG: [env $_] resulting new path: $newpath\n"; } $tmp_ENV{$_} = $newpath;
[openssl] master update
The branch master has been updated via 5ac6d7d21b4e896fee2eca0488915faaea196448 (commit) from b6298a7f8de45b287bfbad5de282fbceb68abb02 (commit) - Log - commit 5ac6d7d21b4e896fee2eca0488915faaea196448 Author: Richard Levitte Date: Tue Jun 8 12:22:31 2021 +0200 APPS: Restore the possibility to combine -pubout with -text This applies to the 'openssl pkey' command. Fixes #15645 Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/15658) --- Summary of changes: apps/pkey.c | 10 +++--- doc/man1/openssl-pkey.pod.in | 6 -- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/apps/pkey.c b/apps/pkey.c index 781f376837..fb3899b08e 100644 --- a/apps/pkey.c +++ b/apps/pkey.c @@ -175,15 +175,19 @@ int pkey_main(int argc, char **argv) if (argc != 0) goto opthelp; -if (noout && pubout) -BIO_printf(bio_err, - "Warning: The -pubout option is ignored with -noout\n"); if (text && text_pub) BIO_printf(bio_err, "Warning: The -text option is ignored with -text_pub\n"); if (traditional && (noout || outformat != FORMAT_PEM)) BIO_printf(bio_err, "Warning: The -traditional is ignored since there is no PEM output\n"); + +/* -pubout and -text is the same as -text_pub */ +if (!text_pub && pubout && text) { +text = 0; +text_pub = 1; +} + private = (!noout && !pubout) || (text && !text_pub); if (ciphername != NULL) { diff --git a/doc/man1/openssl-pkey.pod.in b/doc/man1/openssl-pkey.pod.in index bf45643bce..34d57f7d14 100644 --- a/doc/man1/openssl-pkey.pod.in +++ b/doc/man1/openssl-pkey.pod.in 
@@ -131,10 +131,12 @@ option is specified then the older "traditional" format is used instead. =item B<-pubout> -By default the encoded private and public key is output; -this option restricts the encoded output to the public components. +By default the private and public key is output; +this option restricts the output to the public components. This option is automatically set if the input is a public key. +When combined with B<-text>, this is equivalent to B<-text_pub>. + =item B<-noout> Do not output the key in encoded form.
[openssl] master update
The branch master has been updated via ef2194c4ade7b765ccf9a6e8f97d88b0fa6b223d (commit) via 8ea5a6b523bf363751e52a1fddc93f5f9b11e803 (commit) via 6a2b8ff392a304bbb106528653397b864acc53fa (commit) from 320fc032b98cc452c5dc96600b16da40b155123b (commit) - Log - commit ef2194c4ade7b765ccf9a6e8f97d88b0fa6b223d Author: Richard Levitte Date: Thu May 27 12:51:04 2021 +0200 DECODER & ENCODER: Add better tracing Now that we have functions to get the name and properties of the diverse implementations, we can as well display them for clarity. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/15498) commit 8ea5a6b523bf363751e52a1fddc93f5f9b11e803 Author: Richard Levitte Date: Thu May 27 12:44:19 2021 +0200 DECODER: Adapt addition of extra decoder implementations The new PKCS#8 decoder implementation decodes from DER to DER. OSSL_DECODER_CTX_add_extra() wasn't suited for this case; we had to modify it to walk through all existing decoder implementations, and filter out those that aren't suitable. This also turns out to fix the possibility to have more than one extra decoder implementation that produces the same type of encoding, for example several different wrapper formats that all decoder into DER. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/15498) commit 6a2b8ff392a304bbb106528653397b864acc53fa Author: Richard Levitte Date: Thu May 27 12:34:03 2021 +0200 Decoding PKCS#8: separate decoding of encrypted and unencrypted PKCS#8 This has us switch from the 'structure' "pkcs8" to "PrivateKeyInfo", which is sensible considering we already have "SubjectPublicKeyInfo". We also add "EncryptedPrivateKeyInfo", and use it for a special decoder that detects and decrypts an EncryptedPrivateKeyInfo structured DER blob into a PrivateKeyInfo structured DER blob and passes that on to the next decoder implementation. 
The result of this change is that PKCS#8 decryption should only happen once per decoding instead of once for every expected key type. Furthermore, this new decoder implementation sets the data type to the OID of the algorithmIdentifier field, thus reducing how many decoder implementations are tentativaly run further down the call chain. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/15498) --- Summary of changes: apps/rsa.c | 2 +- crypto/asn1/d2i_pr.c | 2 +- crypto/asn1/i2d_evp.c | 2 +- crypto/encode_decode/decoder_lib.c | 228 ++--- crypto/encode_decode/decoder_meth.c| 7 +- crypto/encode_decode/decoder_pkey.c| 13 ++ crypto/encode_decode/encoder_lib.c | 10 +- crypto/encode_decode/encoder_local.h | 3 +- crypto/encode_decode/encoder_meth.c| 7 +- crypto/evp/evp_pkey.c | 6 +- crypto/pem/pem_local.h | 2 +- crypto/pem/pem_pk8.c | 2 +- doc/man3/OSSL_ENCODER_to_bio.pod | 4 +- doc/man7/openssl-glossary.pod | 10 +- providers/decoders.inc | 31 +-- providers/encoders.inc | 48 ++--- providers/implementations/encode_decode/build.info | 2 +- .../implementations/encode_decode/decode_der2key.c | 89 +++- .../encode_decode/decode_epki2pki.c| 153 ++ .../implementations/encode_decode/decode_pem2der.c | 4 +- .../implementations/encode_decode/encode_key2any.c | 228 ++--- .../implementations/include/prov/implementations.h | 67 +++--- test/endecode_test.c | 10 +- test/evp_pkey_provided_test.c | 4 +- 24 files changed, 619 insertions(+), 315 deletions(-) create mode 100644 providers/implementations/encode_decode/decode_epki2pki.c diff --git a/apps/rsa.c b/apps/rsa.c index c4f65cac10..3e9d320ea3 100644 --- a/apps/rsa.c +++ b/apps/rsa.c @@ -322,7 +322,7 @@ int rsa_main(int argc, char **argv) if (traditional) output_structure = "pkcs1"; /* "type-specific" would work too */ else -output_structure = "pkcs8"; +output_structure = "PrivateKeyInfo"; } } diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c index 3b28460d4b..72
[openssl] master update
The branch master has been updated via 97cf9b05fa1cdb8e4e7f60016aa95ae0e976e8c3 (commit) via d00be9f38760b5f143a7cdecf6c61ad6316f4cc8 (commit) from 0ebef5b5098e5d15cf2e7f48a78b22cced41f352 (commit) - Log - commit 97cf9b05fa1cdb8e4e7f60016aa95ae0e976e8c3 Author: Richard Levitte Date: Wed Jun 2 21:19:18 2021 +0200 test/recipes/80-test_cmp_http.t: Don't trust $server_port in start_mock_server() Even if $server_port isn't touched, it's still a number coming from configuration. It's therefore not trustable as an indicator that the ACCEPT line delivered a port number or an error indication. $accept_msg is used instead to capture the port if there is one, and be a better indicator of error. Fixes #15557 Fixes #15571 Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/15580) commit d00be9f38760b5f143a7cdecf6c61ad6316f4cc8 Author: Richard Levitte Date: Wed Jun 2 08:14:08 2021 +0200 test/recipes/80-test_cmp_http.t: Simplify test_cmp_http() test_cmp_http() made some assumptions about what values that exit_checker could get that aren't quite right. Furthermore, the expected result isn't about exit codes, but about true or false. This is better served by getting the value from OpenSSL::Test::run(), and checking that value against $expected_result with Test::More::is(). Fixes #15557 Fixes #15571 Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/15580) --- Summary of changes: test/recipes/80-test_cmp_http.t | 35 ++- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/test/recipes/80-test_cmp_http.t b/test/recipes/80-test_cmp_http.t index 910c751eec..9c99226721 100644 --- a/test/recipes/80-test_cmp_http.t +++ b/test/recipes/80-test_cmp_http.t @@ -12,7 +12,7 @@ use strict; use warnings; use POSIX; -use OpenSSL::Test qw/:DEFAULT with data_file data_dir srctop_dir bldtop_dir result_dir/; +use OpenSSL::Test qw/:DEFAULT data_file data_dir srctop_dir bldtop_dir result_dir/; use OpenSSL::Test::Utils; BEGIN { 
@@ -133,19 +133,17 @@ sub test_cmp_http { $params = [ '-server', "127.0.0.1:$server_port", @$params ] unless grep { $_ eq '-server' } @$params; -with({ exit_checker => sub { -my $actual_result = shift == 0; -my $OK = $actual_result == $expected_result; -if ($faillog && !$OK) { +unless (is(my $actual_result = run(cmd([$path_app, @$params,])), + $expected_result, + $title)) { +if ($faillog) { my $quote_spc_empty = sub { $_ eq "" ? '""' : $_ =~ m/ / ? '"'.$_.'"' : $_ }; my $invocation = "$path_app ".join(' ', map $quote_spc_empty->($_), @$params); print $faillog "$server_name $aspect \"$title\" ($i/$n)". " expected=$expected_result actual=$actual_result\n"; print $faillog "$invocation\n\n"; } -return $OK; } }, - sub { ok(run(cmd([$path_app, @$params,])), - $title); }); +} } sub test_cmp_http_aspect { @@ -278,19 +276,30 @@ sub start_mock_server { my $pid = open($server_fh, "$cmd|") or die "Trying to $cmd"; print "Pid is: $pid\n"; if ($server_port == 0) { +# Clear it first +$server_port = undef; + # Find out the actual server port while (<$server_fh>) { print; s/\R$//;# Better chomp next unless (/^ACCEPT/); -$server_port = $server_tls = $kur_port = $pbm_port = $1 -if m/^ACCEPT\s.*?:(\d+)$/; + +# $1 may be undefined, which is OK to assign to $server_port, +# as that gets detected further down. +/^ACCEPT\s.*:(\d+)$/; +$server_port = $1; + last; } + +unless (defined $server_port) { +stop_mock_server($pid); +return 0; +} } -return $pid if $server_port =~ m/^(\d+)$/; -stop_mock_server($pid); -return 0; +$server_tls = $kur_port = $pbm_port = $server_port; +return $pid; } sub stop_mock_server {
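Review bot: In the start_mock_server() hunk, `$server_port = $1;` relies on `$1` being undefined after a failed match, but Perl leaves the capture variables untouched when a match fails. It only yields undef here because the preceding successful `/^ACCEPT/` match has no capture groups, so the result depends on statement order. Assigning from the match in list context, `($server_port) = /^ACCEPT\s.*:(\d+)$/;`, gives undef on a non-matching ACCEPT line without consulting `$1` at all. The later `unless (defined $server_port)` check then works as written. start_mock_server() begins outside the hunk.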
[openssl] master update
The branch master has been updated via 0b3fe363e6188dcb854d480180c9af91cc613f2c (commit) via 50360c1a4b6584c404c62c3ac7631ba0ce3a88be (commit) from 3d9d1ce52904660757dadeb629926932abe25158 (commit) - Log - commit 0b3fe363e6188dcb854d480180c9af91cc613f2c Author: Richard Levitte Date: Fri Jun 4 10:25:00 2021 +0200 make update-fips-checksums Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15615) commit 50360c1a4b6584c404c62c3ac7631ba0ce3a88be Author: Richard Levitte Date: Fri Jun 4 10:19:40 2021 +0200 FIPS: don't include crypto/passphrase.c in libfips.a Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15615) --- Summary of changes: crypto/build.info| 4 ++-- providers/fips-sources.checksums | 8 +++- providers/fips.checksum | 2 +- providers/fips.module.sources| 2 -- 4 files changed, 6 insertions(+), 10 deletions(-) diff --git a/crypto/build.info b/crypto/build.info index 9d8eda2884..efca6cc105 100644 --- a/crypto/build.info +++ b/crypto/build.info @@ -95,13 +95,13 @@ $UTIL_COMMON=\ cryptlib.c params.c params_from_text.c bsearch.c ex_data.c o_str.c \ threads_pthread.c threads_win.c threads_none.c initthread.c \ context.c sparse_array.c asn1_dsa.c packet.c param_build.c \ -param_build_set.c der_writer.c passphrase.c threads_lib.c params_dup.c +param_build_set.c der_writer.c threads_lib.c params_dup.c SOURCE[../libcrypto]=$UTIL_COMMON \ mem.c mem_sec.c \ cversion.c info.c cpt_err.c ebcdic.c uid.c o_time.c o_dir.c \ o_fopen.c getenv.c o_init.c init.c trace.c provider.c provider_child.c \ -punycode.c +punycode.c passphrase.c SOURCE[../providers/libfips.a]=$UTIL_COMMON SOURCE[../libcrypto]=$UPLINKSRC diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums index e0b4a4a6d4..b56281b287 100644 --- a/providers/fips-sources.checksums +++ b/providers/fips-sources.checksums 
@@ -250,7 +250,6 @@ c2fe815fb3fd5efe9a6544cae55f9469063a0f6fb728361737b927f6182ae0bb crypto/param_b 07299afb0e8a7f5a7b43fef290c1fc1e280e4ca18472e7bb44e6a7e1c7efc027 crypto/params.c 4f2a8c9acf5898fdc1e4bf98813049947221cd9a1db04faaa490250591f54cb4 crypto/params_dup.c d0f6af3e89a693f0327e1bf073666cbec6786220ef3b3688ef0be9539d5ab6bf crypto/params_from_text.c -0dd202ec1def47c12852a8ae4bfaadb74f7fe968d68def631fe3ac671aac943f crypto/passphrase.c 2140778d5f35e503e22b173736e18ff84406f6657463e8ff9e7b91a78aa686d3 crypto/property/defn_cache.c e7ee9ae467238875a413c44552af3937942b4e61a8aa3af6bee81a456d9daad1 crypto/property/property.c d2ea0144cf661fe3369b2f1cae22409e2155313eaeed8eb8497aa2ab7a88e1ac crypto/property/property_local.h @@ -377,7 +376,6 @@ b02701592960eb4608bb83b297eed90184004828c7fc03ea81568062f347623d include/intern 5df7377027b7c0640417441dea147eb0d95a0bd6b7a1a7e7f2a49cf4107faf87 include/internal/numbers.h ea1bec4f1fff37aef8d4a62745bb451baa3e3ad20ba1bc68920a24f5cbb2f0a7 include/internal/packet.h dd7ddecf30bef3002313e6b776ce34d660931e783b2f6edacf64c7c6e729e688 include/internal/param_build_set.h -54ec20cba51d1284f5da9b605823c344a68adb5f19c2c5e6f569aeb19cc70a7e include/internal/passphrase.h 6d08ed9c307c5d85dce8baf7ee3fc358bfc53b9026760884b2d7e4a051c5a2bd include/internal/property.h 727326afb3d33fdffdf26471e313f27892708318c0934089369e4b28267e2635 include/internal/propertyerr.h f214a3d1ebe1109b739f0846e26ba2cd644759e8546a218b202886450018d34e include/internal/provider.h 
@@ -389,9 +387,9 @@ f214a3d1ebe1109b739f0846e26ba2cd644759e8546a218b202886450018d34e include/intern 415b725d7f949a6191ab7bb30b48931bafc01c7aa93607e529fabbc853a4ddc5 include/internal/tlsgroups.h b24938409313384024524cbde837690d83119bcb70fb289b38cb7efa8e082852 include/internal/tsan_assist.h 2b38fb6e65d549aca3b2c76907daf67124f395251c0261dec26faa54da8d6d73 include/openssl/aes.h -323549254bf7055fd2928253f2fb307cd97903d32716406ac5b11c990f4d88e3 include/openssl/asn1.h.in +17fdc0e806fcb601e1013b6fbccdb9876a14aaa545dcf69120f4e72edd20dc8c include/openssl/asn1.h.in d4733dcd490b3a2554eaf859d1ea964fe76f7d24f78e42be1094bdad6dee7429 include/openssl/asn1err.h -23809ecb0bcc5d870a776a322f26f1f7339d2fabc275931b5bd0619b6b18e7c9 include/openssl/asn1t.h.in +1550474ee05423896ec4abfb6346f1bc44c7be22329efac9ea25de10e81d549c include/openssl/asn1t.h.in d23e74122090a71268818a8162bb0642d292b931eed2188f4f3a5c9083227a01 include/openssl/bio.h.in 0a26138aaded05cafe2326e11fdc19b28408e054cfe3dda40d45ef95ce8136b0 include/openssl/bioerr.h 7d1f9880976a926ba6e0cad08e8de6f326aae48d8350b499aa79127f63d4d108 include/openssl/bn.h @@ -466,7 +464,7
[web] master update
The branch master has been updated via 2e8cfad0e7a3155e8cdeae1a2d9d0cfa9a4efe80 (commit) from e39973455eaed0265573f24ce0eb6e5544757169 (commit) - Log - commit 2e8cfad0e7a3155e8cdeae1a2d9d0cfa9a4efe80 Author: Richard Levitte Date: Fri Jun 4 11:31:45 2021 +0200 bin/mk-manpages3: install more than just HTML files OpenSSL 3.0 now sports images as well. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/web/pull/241) --- Summary of changes: bin/mk-manpages3 | 55 +++ 1 file changed, 35 insertions(+), 20 deletions(-) diff --git a/bin/mk-manpages3 b/bin/mk-manpages3 index 5c83583..dda2be5 100755 --- a/bin/mk-manpages3 +++ b/bin/mk-manpages3 
@@ -5,30 +5,45 @@ checkoutdir=$1 series=$2 destdir=$3 -rm -rf tmp -mkdir tmp +rm -rf tmp-build +rm -rf tmp-install +mkdir tmp-build +mkdir tmp-install +install=$(cd tmp-install; pwd) -(cd tmp; $checkoutdir/Configure cc && make build_html_docs) +( +cd tmp-build +$checkoutdir/Configure --prefix=$install && make install_html_docs +) -srcdir=tmp/doc/html +srcdir=tmp-install/share/doc/openssl/html (cd $srcdir; find -type f) | while read F; do Dn=$(dirname $F) Fn=$(basename $F .html) -G=$Dn/$Fn.inc -$HERE/strip-man-html < $srcdir/$F > $destdir/$G -section=$(basename $Dn | sed -e 's|^man||') -description="$($HERE/all-html-man-names < $destdir/$G | sed -e 's|^.* - ||' -e 's|\&|\\\&|g')" -names="$($HERE/all-html-man-names < $destdir/$G | sed -e 's| - .*||' -e 's|, *| |g' -e 's|/|-|g')" -for name in $names; do -G=$Dn/$name.html - cat $HERE/../inc/manpage-template.html5 \ -| sed -E \ - -e "s|\\\$release\\\$|$series|g" \ - -e "s|\\\$sectnum\\\$|$section|g" \ - -e "s|\\\$description\\\$|$description|g" \ - -e "s|\\\$name\\\$|$name|g" \ - -e "s|\\\$origname\\\$|$Fn|g" \ - > $destdir/$G -done +if [ "$F" != "$Dn/$Fn" ]; then +# HTML file, which we treat specially +G=$Dn/$Fn.inc +$HERE/strip-man-html < $srcdir/$F > $destdir/$G + +section=$(basename $Dn | sed -e 's|^man||') +description="$($HERE/all-html-man-names < $destdir/$G | sed -e 's|^.* - ||' -e 's|\&|\\\&|g')" +names="$($HERE/all-html-man-names < $destdir/$G | sed -e 's| - .*||' -e 's|, *| |g' -e 's|/|-|g')" +for name in $names; do +G=$Dn/$name.html + cat $HERE/../inc/manpage-template.html5 \ +| sed -E \ + -e "s|\\\$release\\\$|$series|g" \ + -e "s|\\\$sectnum\\\$|$section|g" \ + -e "s|\\\$description\\\$|$description|g" \ + -e "s|\\\$name\\\$|$name|g" \ + -e "s|\\\$origname\\\$|$Fn|g" \ + > $destdir/$G +done +else +# Other file types, such as images. We simply copy those +G=$Dn/$Fn +mkdir -p $destdir/$Dn +cp $srcdir/$F $destdir/$G +fi done
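Review bot: The new branch for non-HTML files passes unquoted expansions to `mkdir -p $destdir/$Dn` and `cp $srcdir/$F $destdir/$G`, so a path containing whitespace or glob characters is split or expanded before the copy. Quoting them as `mkdir -p "$destdir/$Dn"` and `cp "$srcdir/$F" "$destdir/$G"`, and reading names with `read -r F`, keeps each name intact now that arbitrary installed files, not only generated HTML, reach this loop. Separately, unless the lines above the hunk set `-e`, the exit status of the build subshell is not checked, so a failed `make install_html_docs` lets the loop run over an empty or partial tmp-install tree. Adding `|| exit 1` after the closing parenthesis would stop the script at that point.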
[openssl] master update
The branch master has been updated via b7d2bd1219db7e12f8bde6667cb7771b0b83c2fe (commit) from 17213b2ad03fe577c03a3e77142242adde41fa9f (commit) - Log - commit b7d2bd1219db7e12f8bde6667cb7771b0b83c2fe Author: Richard Levitte Date: Wed Jun 2 11:07:20 2021 +0200 Deprecate EVP_CIPHER_impl_ctx_size and EVP_CIPHER_CTX_buf_noconst Fixes #15519 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15584) --- Summary of changes: crypto/evp/e_aria.c | 2 ++ crypto/evp/e_sm4.c| 2 ++ include/openssl/evp.h | 6 ++ util/libcrypto.num| 4 ++-- 4 files changed, 12 insertions(+), 2 deletions(-) diff --git a/crypto/evp/e_aria.c b/crypto/evp/e_aria.c index b57661db58..f53528ea5c 100644 --- a/crypto/evp/e_aria.c +++ b/crypto/evp/e_aria.c @@ -8,6 +8,8 @@ * https://www.openssl.org/source/license.html */ +#include "internal/deprecated.h" + #include "internal/cryptlib.h" #ifndef OPENSSL_NO_ARIA # include diff --git a/crypto/evp/e_sm4.c b/crypto/evp/e_sm4.c index a3ccc49f7e..39bec569f7 100644 --- a/crypto/evp/e_sm4.c +++ b/crypto/evp/e_sm4.c @@ -9,6 +9,8 @@ * https://www.openssl.org/source/license.html */ +#include "internal/deprecated.h" + #include "internal/cryptlib.h" #ifndef OPENSSL_NO_SM4 # include diff --git a/include/openssl/evp.h b/include/openssl/evp.h index c4338dae9c..50cf8eeb77 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -586,7 +586,10 @@ int EVP_CIPHER_names_do_all(const EVP_CIPHER *cipher, const OSSL_PROVIDER *EVP_CIPHER_get0_provider(const EVP_CIPHER *cipher); int EVP_CIPHER_get_block_size(const EVP_CIPHER *cipher); # define EVP_CIPHER_block_size EVP_CIPHER_get_block_size +# ifndef OPENSSL_NO_DEPRECATED_3_0 +OSSL_DEPRECATEDIN_3_0 int EVP_CIPHER_impl_ctx_size(const EVP_CIPHER *cipher); +# endif int EVP_CIPHER_get_key_length(const EVP_CIPHER *cipher); # define EVP_CIPHER_key_length EVP_CIPHER_get_key_length int EVP_CIPHER_get_iv_length(const EVP_CIPHER *cipher); 
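Review bot: The `#include "internal/deprecated.h"` added at the top of crypto/evp/e_aria.c, and again in crypto/evp/e_sm4.c, has no comment saying which deprecated call the file still needs. That header turns off deprecation warnings for the whole translation unit, so later uses of other deprecated APIs in these files would also compile silently. A short comment above the include would record the reason, for example `/* Deprecated EVP_CIPHER accessors are still used internally in this file */`, naming whichever of the two functions deprecated in this commit the file actually calls (presumably `EVP_CIPHER_CTX_buf_noconst` or `EVP_CIPHER_impl_ctx_size`, which the hunk does not show).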
@@ -624,7 +627,10 @@ OSSL_DEPRECATEDIN_3_0 unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *c # endif int EVP_CIPHER_CTX_get_updated_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len); int EVP_CIPHER_CTX_get_original_iv(EVP_CIPHER_CTX *ctx, void *buf, size_t len); +# ifndef OPENSSL_NO_DEPRECATED_3_0 +OSSL_DEPRECATEDIN_3_0 unsigned char *EVP_CIPHER_CTX_buf_noconst(EVP_CIPHER_CTX *ctx); +# endif int EVP_CIPHER_CTX_get_num(const EVP_CIPHER_CTX *ctx); # define EVP_CIPHER_CTX_num EVP_CIPHER_CTX_get_num int EVP_CIPHER_CTX_set_num(EVP_CIPHER_CTX *ctx, int num); diff --git a/util/libcrypto.num b/util/libcrypto.num index a66a379038..6f763f1063 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -119,7 +119,7 @@ EVP_BytesToKey 120 3_0_0 EXIST::FUNCTION: ENGINE_set_default_pkey_asn1_meths 1213_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE OCSP_BASICRESP_add1_ext_i2d 1223_0_0 EXIST::FUNCTION:OCSP EVP_camellia_128_ctr1233_0_0 EXIST::FUNCTION:CAMELLIA -EVP_CIPHER_impl_ctx_size1243_0_0 EXIST::FUNCTION: +EVP_CIPHER_impl_ctx_size1243_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 X509_CRL_get_nextUpdate 1253_0_0 EXIST::FUNCTION:DEPRECATEDIN_1_1_0 PKCS12_free 1263_0_0 EXIST::FUNCTION: CMS_signed_get_attr 1273_0_0 EXIST::FUNCTION:CMS @@ -1217,7 +1217,7 @@ DSO_METHOD_openssl 1244 3_0_0 EXIST::FUNCTION: d2i_PrivateKey_fp 1245 3_0_0 EXIST::FUNCTION:STDIO i2d_NETSCAPE_CERT_SEQUENCE 1246 3_0_0 EXIST::FUNCTION: EC_POINT_oct2point 1248 3_0_0 EXIST::FUNCTION:EC -EVP_CIPHER_CTX_buf_noconst 1249 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_buf_noconst 1249 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 OPENSSL_DIR_read1250 3_0_0 EXIST::FUNCTION: CMS_add_smimecap1251 3_0_0 EXIST::FUNCTION:CMS X509_check_email1252 3_0_0 EXIST::FUNCTION:
[openssl] master update
The branch master has been updated via 17213b2ad03fe577c03a3e77142242adde41fa9f (commit) via cbba082fc071de82ffb53844586cdcc26251e32b (commit) from ba3ea453b0863a8b7374003dd2e22dea9cece5be (commit) - Log - commit 17213b2ad03fe577c03a3e77142242adde41fa9f Author: Richard Levitte Date: Wed Jun 2 08:45:28 2021 +0200 Restore all the ? in util/libcrypto.num They will become numbers again when beta1 is actually released. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15578) commit cbba082fc071de82ffb53844586cdcc26251e32b Author: Richard Levitte Date: Wed Jun 2 06:20:05 2021 +0200 util/mknum.pl: Really allow unset ordinals in development Any pre-release tag that includes '-dev' is development. The ordinals don't need to be finalized before '-dev' is removed (i.e. a release is made). Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15578) --- Summary of changes: util/libcrypto.num | 2008 ++-- util/mknum.pl |6 +- 2 files changed, 1007 insertions(+), 1007 deletions(-) diff --git a/util/libcrypto.num b/util/libcrypto.num index 5b1a67dec0..a66a379038 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num 
@@ -4403,1007 +4403,1007 @@ OCSP_resp_get0_respdata 4530 3_0_0 EXIST::FUNCTION:OCSP EVP_MD_CTX_set_pkey_ctx 4531 3_0_0 EXIST::FUNCTION: EVP_PKEY_meth_set_digest_custom 4532 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 EVP_PKEY_meth_get_digest_custom 4533 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 -EVP_MAC_CTX_new 4534 3_0_0 EXIST::FUNCTION: -EVP_MAC_CTX_free4535 3_0_0 EXIST::FUNCTION: -EVP_MAC_CTX_dup 4536 3_0_0 EXIST::FUNCTION: -EVP_MAC_CTX_get0_mac4537 3_0_0 EXIST::FUNCTION: -EVP_MAC_CTX_get_mac_size4538 3_0_0 EXIST::FUNCTION: -EVP_Q_mac 4539 3_0_0 EXIST::FUNCTION: -EVP_MAC_init4540 3_0_0 EXIST::FUNCTION: -EVP_MAC_update 4541 3_0_0 EXIST::FUNCTION: -EVP_MAC_final 4542 3_0_0 EXIST::FUNCTION: -EVP_MAC_finalXOF4543 3_0_0 EXIST::FUNCTION: -OSSL_EC_curve_nid2name 4544 3_0_0 EXIST::FUNCTION: -EVP_PKEY_digestsign_supports_digest 4545 3_0_0 EXIST::FUNCTION: -SRP_VBASE_add0_user 4546 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP -SRP_user_pwd_new4547 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP -SRP_user_pwd_set_gN 4548 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP -SRP_user_pwd_set1_ids 4549 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP -SRP_user_pwd_set0_sv4550 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP -OPENSSL_version_major 4551 3_0_0 EXIST::FUNCTION: -OPENSSL_version_minor 4552 3_0_0 EXIST::FUNCTION: -OPENSSL_version_patch 4553 3_0_0 EXIST::FUNCTION: -OPENSSL_version_pre_release 4554 3_0_0 EXIST::FUNCTION: -OPENSSL_version_build_metadata 4555 3_0_0 EXIST::FUNCTION: -OPENSSL_INIT_set_config_filename4556 3_0_0 EXIST::FUNCTION:STDIO -OPENSSL_INIT_set_config_file_flags 4557 3_0_0 EXIST::FUNCTION:STDIO -ASYNC_WAIT_CTX_get_callback 4558 3_0_0 EXIST::FUNCTION: -ASYNC_WAIT_CTX_set_callback 4559 3_0_0 EXIST::FUNCTION: -ASYNC_WAIT_CTX_set_status 4560 3_0_0 EXIST::FUNCTION: -ASYNC_WAIT_CTX_get_status 4561 3_0_0 EXIST::FUNCTION: -EVP_KDF_CTX_free4562 3_0_0 EXIST::FUNCTION: -EVP_KDF_CTX_reset 4563 3_0_0 EXIST::FUNCTION: -EVP_KDF_CTX_get_kdf_size4564 3_0_0 EXIST::FUNCTION: -EVP_KDF_derive 4565 3_0_0 
EXIST::FUNCTION: -EVP_KDF_get0_name 4566 3_0_0 EXIST::FUNCTION: -EC_GROUP_get0_field 4567 3_0_0 EXIST::FUNCTION:EC -CRYPTO_alloc_ex_data4568 3_0_0 EXIST::FUNCTION: -OSSL_LIB_CTX_new4569 3_0_0 EXIST::FUNCTION: -OSSL_LIB_CTX_free 4570 3_0_0 EXIST::FUNCTION: -OPENSSL_LH_flush4571 3_0_0 EXIST::FUNCTION: -BN_native2bn4572 3_0_0 EXIST::FUNCTION: -BN_bn2nativepad 4573 3_0_0 EXIST::FUNCTION: -OSSL_trace_get_category_num 4574 3_0_0 EXIST::FUNCTION: -OSSL_trace_get_category_name4575 3_0_0 EXIST
[openssl] master update
The branch master has been updated via 0608afe0963fc8188f0df1093e0eb42c32cd0a47 (commit) from b3c2ed7043233bd738957a7fcdf9e0734bfea937 (commit) - Log - commit 0608afe0963fc8188f0df1093e0eb42c32cd0a47 Author: Jon Spillett Date: Wed Jun 2 13:04:04 2021 +1000 Fix up bad libcrypto.num Reviewed-by: Shane Lontis Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/15576) --- Summary of changes: util/libcrypto.num | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/util/libcrypto.num b/util/libcrypto.num index eb1d17197c..f53092a0a4 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5418,5 +5418,5 @@ EVP_MAC_CTX_get_block_size 5545 3_0_0 EXIST::FUNCTION: BIO_debug_callback_ex 5546 3_0_0 EXIST::FUNCTION: b2i_PVK_bio_ex 5547 3_0_0 EXIST::FUNCTION: i2b_PVK_bio_ex 5548 3_0_0 EXIST::FUNCTION: -NCONF_get0_libctx 5547 3_0_0 EXIST::FUNCTION: -NCONF_get_section_names 5548 3_0_0 EXIST::FUNCTION: +NCONF_get0_libctx 5549 3_0_0 EXIST::FUNCTION: +NCONF_get_section_names 5550 3_0_0 EXIST::FUNCTION:
[openssl] master update
The branch master has been updated via e378be2a29f8bc5e679e63d5f5e9766d2f4dfc4b (commit) from 691e2efa62e5d4c46b725ddb54481a0970f7347b (commit) - Log - commit e378be2a29f8bc5e679e63d5f5e9766d2f4dfc4b Author: Richard Levitte Date: Sat May 29 11:15:40 2021 +0200 Add .asn1 dependencies for files generated from providers/common/der/*.in Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/15533) --- Summary of changes: providers/common/der/build.info | 28 ++-- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/providers/common/der/build.info b/providers/common/der/build.info index 35c6787e98..87ac2eb11c 100644 --- a/providers/common/der/build.info +++ b/providers/common/der/build.info @@ -3,11 +3,11 @@ $DER_DIGESTS_H=../include/prov/der_digests.h $DER_DIGESTS_GEN=der_digests_gen.c GENERATE[$DER_DIGESTS_GEN]=der_digests_gen.c.in -DEPEND[$DER_DIGESTS_GEN]=oids_to_c.pm +DEPEND[$DER_DIGESTS_GEN]=oids_to_c.pm NIST.asn1 DIGESTS.asn1 DEPEND[${DER_DIGESTS_GEN/.c/.o}]=$DER_DIGESTS_H GENERATE[$DER_DIGESTS_H]=der_digests.h.in -DEPEND[$DER_DIGESTS_H]=oids_to_c.pm +DEPEND[$DER_DIGESTS_H]=oids_to_c.pm NIST.asn1 DIGESTS.asn1 #- RSA $DER_RSA_H=../include/prov/der_rsa.h @@ -17,12 +17,12 @@ $DER_RSA_COMMON=$DER_RSA_GEN der_rsa_key.c $DER_RSA_FIPSABLE=der_rsa_sig.c GENERATE[$DER_RSA_GEN]=der_rsa_gen.c.in -DEPEND[$DER_RSA_GEN]=oids_to_c.pm +DEPEND[$DER_RSA_GEN]=oids_to_c.pm NIST.asn1 RSA.asn1 DEPEND[${DER_RSA_AUX/.c/.o}]=$DER_RSA_H $DER_DIGESTS_H DEPEND[${DER_RSA_GEN/.c/.o}]=$DER_RSA_H GENERATE[$DER_RSA_H]=der_rsa.h.in -DEPEND[$DER_RSA_H]=oids_to_c.pm +DEPEND[$DER_RSA_H]=oids_to_c.pm NIST.asn1 RSA.asn1 #- DSA IF[{- !$disabled{dsa} -}] 
@@ -31,12 +31,12 @@ IF[{- !$disabled{dsa} -}] $DER_DSA_AUX=der_dsa_key.c der_dsa_sig.c GENERATE[$DER_DSA_GEN]=der_dsa_gen.c.in - DEPEND[$DER_DSA_GEN]=oids_to_c.pm + DEPEND[$DER_DSA_GEN]=oids_to_c.pm DSA.asn1 DEPEND[${DER_DSA_AUX/.c/.o}]=$DER_DSA_H $DER_DIGESTS_H DEPEND[${DER_DSA_GEN/.c/.o}]=$DER_DSA_H GENERATE[$DER_DSA_H]=der_dsa.h.in - DEPEND[$DER_DSA_H]=oids_to_c.pm + DEPEND[$DER_DSA_H]=oids_to_c.pm DSA.asn1 ENDIF #- EC @@ -46,12 +46,12 @@ IF[{- !$disabled{ec} -}] $DER_EC_AUX=der_ec_key.c der_ec_sig.c GENERATE[$DER_EC_GEN]=der_ec_gen.c.in - DEPEND[$DER_EC_GEN]=oids_to_c.pm + DEPEND[$DER_EC_GEN]=oids_to_c.pm EC.asn1 DEPEND[${DER_EC_AUX/.c/.o}]=$DER_EC_H $DER_DIGESTS_H DEPEND[${DER_EC_GEN/.c/.o}]=$DER_EC_H GENERATE[$DER_EC_H]=der_ec.h.in - DEPEND[$DER_EC_H]=oids_to_c.pm + DEPEND[$DER_EC_H]=oids_to_c.pm EC.asn1 ENDIF #- ECX @@ -61,12 +61,12 @@ IF[{- !$disabled{ec} -}] $DER_ECX_AUX=der_ecx_key.c GENERATE[$DER_ECX_GEN]=der_ecx_gen.c.in - DEPEND[$DER_ECX_GEN]=oids_to_c.pm + DEPEND[$DER_ECX_GEN]=oids_to_c.pm ECX.asn1 DEPEND[${DER_ECX_AUX/.c/.o}]=$DER_ECX_H DEPEND[${DER_ECX_GEN/.c/.o}]=$DER_ECX_H GENERATE[$DER_ECX_H]=der_ecx.h.in - DEPEND[$DER_ECX_H]=oids_to_c.pm + DEPEND[$DER_ECX_H]=oids_to_c.pm ECX.asn1 ENDIF #- KEY WRAP @@ -74,11 +74,11 @@ $DER_WRAP_H=../include/prov/der_wrap.h $DER_WRAP_GEN=der_wrap_gen.c GENERATE[$DER_WRAP_GEN]=der_wrap_gen.c.in -DEPEND[$DER_WRAP_GEN]=oids_to_c.pm +DEPEND[$DER_WRAP_GEN]=oids_to_c.pm wrap.asn1 DEPEND[${DER_WRAP_GEN/.c/.o}]=$DER_WRAP_H GENERATE[$DER_WRAP_H]=der_wrap.h.in -DEPEND[$DER_WRAP_H]=oids_to_c.pm +DEPEND[$DER_WRAP_H]=oids_to_c.pm wrap.asn1 #- SM2 IF[{- !$disabled{sm2} -}] 
@@ -87,12 +87,12 @@ IF[{- !$disabled{sm2} -}] $DER_SM2_AUX=der_sm2_key.c der_sm2_sig.c GENERATE[$DER_SM2_GEN]=der_sm2_gen.c.in - DEPEND[$DER_SM2_GEN]=oids_to_c.pm + DEPEND[$DER_SM2_GEN]=oids_to_c.pm SM2.asn1 DEPEND[${DER_SM2_AUX/.c/.o}]=$DER_SM2_H $DER_EC_H DEPEND[${DER_SM2_GEN/.c/.o}]=$DER_SM2_H GENERATE[$DER_SM2_H]=der_sm2.h.in - DEPEND[$DER_SM2_H]=oids_to_c.pm + DEPEND[$DER_SM2_H]=oids_to_c.pm SM2.asn1 ENDIF #- Conclusion
[openssl] master update
The branch master has been updated via f839361e3e45b5becce7c3267fa8e2f72654e75f (commit) via 57bd5fc728a9015ea1ed46487c19495042df2e48 (commit) via 32eebfa27f12581d0b03fe18e9222eba1447a896 (commit) via e653b04bd29f35ee9703be8ee6691b4a640ee2b4 (commit) from 5cbd2ea3f94aa8adec9b4486ac757d4d688e3f8c (commit) - Log - commit f839361e3e45b5becce7c3267fa8e2f72654e75f Author: Richard Levitte Date: Sat May 29 11:06:44 2021 +0200 make update-fips-checksums Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15514) commit 57bd5fc728a9015ea1ed46487c19495042df2e48 Author: Richard Levitte Date: Fri May 28 07:54:04 2021 +0200 Rearrange the check of providers/fips.so dependencies The mechanism had special cases to guess when something was generated from a .in file. It's better, though, to use the knowledge in configdata.pm, especially when the generated file is in a different location than its source. Cleanups are added, and we change the use of sed to a use of perl when cleaning up paths with 'something/../' in them, since perl has more powerful tools for this sort of thing. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15514) commit 32eebfa27f12581d0b03fe18e9222eba1447a896 Author: Richard Levitte Date: Fri May 28 07:52:37 2021 +0200 Make providers/fips.module.sources.new depend on configdata.pm Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15514) commit e653b04bd29f35ee9703be8ee6691b4a640ee2b4 Author: Richard Levitte Date: Fri May 28 07:51:05 2021 +0200 configdata.pm: Allow extra arguments when --query is given. 
That allows operations like this: ./configdata.pm --query 'get_sources(@ARGV)' file1 file2 file3 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15514) --- Summary of changes: Configurations/unix-Makefile.tmpl | 44 +++ configdata.pm.in | 5 +- providers/fips-sources.checksums | 267 ++ providers/fips.checksum | 2 +- providers/fips.module.sources | 216 +- 5 files changed, 483 insertions(+), 51 deletions(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 7855018e3d..80f38dd1a2 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -1188,13 +1188,7 @@ generate_doc_buildinfo: fi ) generate_fips_sources: providers/fips.module.sources.new -providers/fips.module.sources.new: \ -$(SRCDIR)/Configure \ -{- join(" \\\n" . ' ' x 16, -fill_lines(" ", $COLUMNS - 16, - @{$config{build_file_templates}}, - @{$config{build_infos}}, - @{$config{conf_files}})) -} +providers/fips.module.sources.new: configdata.pm rm -rf sources-tmp mkdir sources-tmp ( \ 
@@ -1203,38 +1197,44 @@ providers/fips.module.sources.new: \ && $$srcdir/Configure --banner=Configured enable-fips -O0 \ && ./configdata.pm --query 'get_sources("providers/fips")' > sources1 \ && $(MAKE) -sj 4 \ - && find .. -name '*.d' | xargs cat > dep1 \ + && find . -name '*.d' | xargs cat > dep1 \ && $(MAKE) distclean \ && $$srcdir/Configure --banner=Configured enable-fips no-asm -O0 \ && ./configdata.pm --query 'get_sources("providers/fips")' > sources2 \ && $(MAKE) -sj 4 \ - && find .. -name '*.d' | xargs cat > dep2 \ + && find . -name '*.d' | xargs cat > dep2 \ && cat sources1 sources2 \ | grep -v ' : \\$$' | grep -v util/providers.num \ -| sed -E -e 's:^ *([.][.]/)*$(SRCDIR)::' -e 's: \\::' \ +| sed -e 's/^ *//' -e 's/ *\\$$//' \ | sort | uniq > sources \ - && cat dep1 dep2 | grep -v providers/common/include/prov/der_ >deps \ + && cat dep1 dep2 \ +| $(PERL) -p -e 's/\\\n//' \ +| sed -e 's/^.*: *//' -e 's/ */ /g' \ +| fgrep -f sources \ +| tr ' ' '\n' \ +| sort | uniq > deps.raw \ + && cat deps.raw \ +| xargs ./configdata.pm --query 'get_sources(@ARGV)' \ +| $(PERL) -p -e 's/\\\n//' \ +| sed -e 's/\./\\\./g' -e 's/ : */:/' -e 's/^/s:/' -e 's/$$/:/' \ +> deps.sed \ + && ca
[openssl] master update
The branch master has been updated via 6c014da0b2d84f657a6ea5145b5e90ddc9913ebe (commit) from 3e3ad3c54855dd534437871a0c78858de5e3d246 (commit) - Log - commit 6c014da0b2d84f657a6ea5145b5e90ddc9913ebe Author: Tommy Chiang Date: Thu May 27 02:46:13 2021 +0800 Fix typo about SSL_CONF_FLAG_CMDLINE change SSL_CONF_CMDLINE to SSL_CONF_FLAG_CMDLINE CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Shane Lontis Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/15489) --- Summary of changes: doc/man3/SSL_CONF_cmd.pod | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index bbd622a687..68c05d33d7 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -24,8 +24,8 @@ SSL_CONF_cmd_value_type() returns the type of value that B refers to. =head1 SUPPORTED COMMAND LINE COMMANDS Currently supported B names for command lines (i.e. when the -flag B is set) are listed below. Note: all B names -are case sensitive. Unless otherwise stated commands can be used by +flag B is set) are listed below. Note: all B +names are case sensitive. Unless otherwise stated commands can be used by both clients and servers and the B parameter is not used. The default prefix for command line commands is B<-> and that is reflected below.
[openssl] master update
The branch master has been updated via 3e3ad3c54855dd534437871a0c78858de5e3d246 (commit) from 32075a17249636b3e2986a0ac422b1803663ccaa (commit) - Log - commit 3e3ad3c54855dd534437871a0c78858de5e3d246 Author: Rich Salz Date: Tue May 25 10:28:49 2021 -0400 Fix issues found by md-nits Fixes #15460 Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15461) --- Summary of changes: CHANGES.md| 4 +--- NOTES-PERL.md | 36 +--- NOTES-VMS.md | 1 - NOTES-WINDOWS.md | 1 - README-PROVIDERS.md | 6 -- doc/life-cycles/README.md | 12 +++- 6 files changed, 17 insertions(+), 43 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 326a99b0fc..203deac7f2 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -12257,7 +12257,7 @@ s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *"Brian Havard" and Richard Levitte* * Rewrite commands to use `NCONF` routines instead of the old `CONF`. - New functions to support `NCONF `routines in extension code. + New functions to support `NCONF` routines in extension code. New function `CONF_set_nconf()` to allow functions which take an `NCONF` to also handle the old `LHASH` structure: this means that the old `CONF` compatible routines can be @@ -18578,13 +18578,11 @@ ndif *Ralf S. Engelschall* * Removed dummy files from the 0.9.1b source tree: - ``` crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi crypto/bn/asm/..add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f - ``` *Ralf S. Engelschall* diff --git a/NOTES-PERL.md b/NOTES-PERL.md index a28f5b9033..b7fc83fc7d 100644 --- a/NOTES-PERL.md +++ b/NOTES-PERL.md @@ -8,7 +8,6 @@ Notes on Perl - [Required Perl modules](#required-perl-modules) - [Notes on installing a Perl module](#notes-on-installing-a-perl-module]) - General Notes - 
@@ -70,35 +69,18 @@ Required Perl modules We do our best to limit ourselves to core Perl modules to keep the requirements down. There are just a few exceptions. + * Text::Template this is required *for building* -## For Building - - * `Text::Template` - - This module is not part of the core Perl modules. - As a matter of fact, the core Perl modules do not - include any templating module to date. - This module is absolutely needed, - configuration depends on it. - -## For Testing - - * `Test::More` - - We require the minimum version to be 0.96, which - appeared in Perl 5.13.4, because that version was - the first to have all the features we're using. - This module is required for testing only! - If you don't plan on running the tests, - you don't need to bother with this one. - - + To avoid unnecessary initial hurdles, we include a copy of this module + in the source. It will work as a fallback if the module isn't already + installed. -To avoid unnecessary initial hurdles, we have bundled a copy of the -following modules in our source. They will work as fallbacks if -these modules aren't already installed on the system. + * `Test::More` this is required *for testing* - Text::Template + We require the minimum version to be 0.96, which appeared in Perl 5.13.4, + because that version was the first to have all the features we're using. + This module is required for testing only! If you don't plan on running + the tests, you don't need to bother with this one. Notes on installing a Perl module - diff --git a/NOTES-VMS.md b/NOTES-VMS.md index 02e6cbcb8d..e27f3d682a 100644 --- a/NOTES-VMS.md +++ b/NOTES-VMS.md @@ -8,7 +8,6 @@ Notes for the OpenVMS platform - [About debugging](#about-debugging) - [Checking the distribution](#checking-the-distribution) - Requirement details --- diff --git a/NOTES-WINDOWS.md b/NOTES-WINDOWS.md index 7ca8de299e..40fd95cf67 100644 --- a/NOTES-WINDOWS.md +++ b/NOTES-WINDOWS.md 
@@ -8,7 +8,6 @@ Notes for Windows platforms - [Linking native applications](#linking-native-applications) - [Hosted builds using Cygwin](#hosted-builds-using-cygwin) - There are various options to build and run OpenSSL on the Windows platforms. "Native" OpenSSL uses the Windows APIs directly at run time. diff --git a/README-PROVIDERS.md b/README-PROVIDERS.md index 5092d039f3..33533f671c 100644 --- a/README-PROVIDERS.md +++ b/README-PROVIDERS.md @@ -9,7 +9,6 @@ Providers - [The Null Provider](#the-null-provider)
[openssl] master update
The branch master has been updated via 32075a17249636b3e2986a0ac422b1803663ccaa (commit) from a935791d54078f43209ffbc1886ac5e68772ce34 (commit) - Log - commit 32075a17249636b3e2986a0ac422b1803663ccaa Author: Petr Gotthard Date: Tue May 25 15:39:01 2021 +0200 Fix memory leak in OSSL_CMP_CTX The ctx->propq is strdup'ed, so it must be free'd too. Reviewed-by: Ben Kaduk Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15458) --- Summary of changes: crypto/cmp/cmp_ctx.c | 1 + crypto/cmp/cmp_local.h | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c index a09432597b..d1f8f27e13 100644 --- a/crypto/cmp/cmp_ctx.c +++ b/crypto/cmp/cmp_ctx.c @@ -179,6 +179,7 @@ void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx) (void)OSSL_HTTP_close(ctx->http_ctx, 1); ossl_cmp_debug(ctx, "disconnected from CMP server"); } +OPENSSL_free(ctx->propq); OPENSSL_free(ctx->serverPath); OPENSSL_free(ctx->server); OPENSSL_free(ctx->proxy); diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h index eee609937b..fec4916ed3 100644 --- a/crypto/cmp/cmp_local.h +++ b/crypto/cmp/cmp_local.h @@ -32,7 +32,7 @@ */ struct ossl_cmp_ctx_st { OSSL_LIB_CTX *libctx; -const char *propq; +char *propq; OSSL_CMP_log_cb_t log_cb; /* log callback for error/debug/etc. output */ OSSL_CMP_severity log_verbosity; /* level of verbosity of log output */
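Review bot: In the crypto/cmp/cmp_local.h hunk, `char *propq;` now names memory that OSSL_CMP_CTX_free() releases, but the declaration carries no comment saying so, unlike the neighbouring `log_cb` and `log_verbosity` members. I would document the ownership on the field, `char *propq; /* owned copy, released in OSSL_CMP_CTX_free() */`, so that a later setter does not store a caller-owned pointer that would then reach OPENSSL_free(). The assignment sites for propq are not part of this diff, so it is worth confirming that each of them stores a copy. Both OSSL_CMP_CTX_free() and the struct definition continue outside the hunks shown.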
[openssl] master update
The branch master has been updated via a935791d54078f43209ffbc1886ac5e68772ce34 (commit) from 6bf3692d311ad15d3667e7015bbe1a8f849f3c7b (commit) - Log - commit a935791d54078f43209ffbc1886ac5e68772ce34 Author: Rich Salz Date: Wed May 19 11:09:49 2021 -0400 Rework and make DEBUG macros consistent. Remove unused -DCONF_DEBUG and -DBN_CTX_DEBUG. Rename REF_PRINT to REF_DEBUG for consistency, and add a new tracing category and use it for printing reference counts. Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to be set also. Rename engine_debug_ref to be ENGINE_REF_PRINT also for consistency. Fixes #15357 Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/15353) --- Summary of changes: CHANGES.md| 14 +++--- Configurations/90-team.norelease.conf | 15 +-- Configure | 5 ++--- crypto/asn1/tasn_utl.c| 4 +--- crypto/bio/bio_local.h| 2 +- crypto/bn/bn_exp.c| 4 ++-- crypto/bn/bn_gf2m.c | 4 ++-- crypto/bn/bn_local.h | 25 +++-- crypto/ec/ecp_nistp224.c | 2 +- crypto/ec/ecp_nistp256.c | 2 +- crypto/ec/ecp_nistp521.c | 2 +- crypto/engine/eng_init.c | 6 +++--- crypto/engine/eng_lib.c | 4 ++-- crypto/engine/eng_list.c | 12 ++-- crypto/engine/eng_local.h | 12 ++-- crypto/engine/tb_asnmth.c | 2 +- crypto/trace.c| 2 ++ include/internal/refcount.h | 18 +- include/openssl/e_os2.h | 2 +- include/openssl/trace.h | 4 +++- 20 files changed, 75 insertions(+), 66 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 65f3c88ece..326a99b0fc 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -30,22 +30,30 @@ breaking changes, and mappings for the large list of deprecated functions. ### Changes between 1.1.1 and 3.0 [xx XXX ] + * Rework and make DEBUG macros consistent. Remove unused -DCONF_DEBUG, + -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for + printing reference counts. Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG + Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to be set + also. Rename engine_debug_ref to be ENGINE_REF_PRINT also for consistency. + + *Rich Salz* + * The signatures of the functions to get and set options on SSL and SSL_CTX objects changed from "unsigned long" to "uint64_t" type. Some source code changes may be required. - * Rich Salz * + *Rich Salz* * Client-initiated renegotiation is disabled by default. To allow it, use the -client_renegotiation option, the SSL_OP_ALLOW_CLIENT_RENEGOTIATION flag, or the "ClientRenegotiation" config parameter as appropriate. - * Rich Salz * + *Rich Salz* * Add "abspath" and "includedir" pragma's to config files, to prevent, or modify relative pathname inclusion. - * Rich Salz * + *Rich Salz* * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2 validated. Please consult the README-FIPS and diff --git a/Configurations/90-team.norelease.conf b/Configurations/90-team.norelease.conf index 8ad05a6cc6..c0a14328c6 100644 --- a/Configurations/90-team.norelease.conf +++ b/Configurations/90-team.norelease.conf 
@@ -12,14 +12,17 @@ my %targets = ( "debug" => { inherit_from => [ 'BASE_unix' ], cc => "gcc", -cflags => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror", +cflags => combine(join(' ', @gcc_devteam_warn), +"-DOPENSSL_NO_ASM -ggdb -g2" + . " -DBN_DEBUG -DBN_RAND_DEBUG" + ), thread_scheme=> "(unknown)", }, "debug-erbridge" => { inherit_from => [ 'BASE_unix', "x86_64_asm" ], cc => "gcc", cflags => combine(join(' ', @gcc_devteam_warn), -"-DBN_DEBUG -DCONF_DEBUG -m64 -DL_ENDIAN -DTERMIO -g", +"-m64 -DL_ENDIAN -DTERMIO -g", threads("-D_REEN
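Review bot: The `debug` target now passes `-DBN_RAND_DEBUG`, while the commit description and the new CHANGES.md entry both spell the macro `BN_DEBUG_RAND`. A `-D` that the headers never test is silently ignored, so the debug build would lose this check without any warning. The bn_local.h change is not shown on this page; whichever spelling it tests should be used in all three places. The hunk is cut off on the page after the `debug-erbridge` target.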
[openssl] master update
The branch master has been updated via 0e7e3b9b9d2d0a49097b4e224098036d3e6b8087 (commit) from 7c499c7da93561fd620338cc4f8691c1dbc9ee36 (commit) - Log - commit 0e7e3b9b9d2d0a49097b4e224098036d3e6b8087 Author: Richard Levitte Date: Tue May 25 10:29:24 2021 +0200 util/fix-doc-nits: Fix link detection in collectnames() to be kinder The way the links were parsed out of the contents caused a regexp recursion. The easiest way to deal with it is to find all markup using $markup_re, and then parsing out the L markups and add them to the links array. Fixes #15449 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15450) --- Summary of changes: util/find-doc-nits | 31 +-- 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/util/find-doc-nits b/util/find-doc-nits index c62307a9ce..7498ac6865 100755 --- a/util/find-doc-nits +++ b/util/find-doc-nits @@ -1000,16 +1000,27 @@ sub collectnames { } } -my @links = -$podinfo{contents} =~ /L< - # if the link is of the form L, - # then remove 'something'. Note that 'something' - # may contain POD codes as well... - (?:(?:[^\|]|<[^>]*>)*\|)? - # we're only interested in references that have - # a one digit section number - ([^\/>\(]+\(\d\)) - /gx; +my @links = (); +# Don't use this regexp directly on $podinfo{contents}, as it causes +# a regexp recursion, which fails on really big PODs. Instead, use +# $markup_re to pick up general markup, and use this regexp to check +# that the markup that was found is indeed a link. +my $linkre = qr/L< +# if the link is of the form L, +# then remove 'something'. Note that 'something' +# may contain POD codes as well... +(?:(?:[^\|]|<[^>]*>)*\|)? +# we're only interested in references that have +# a one digit section number +([^\/>\(]+\(\d\)) + /x; +while ( $podinfo{contents} =~ /$markup_re/msg ) { +my $x = $1; + +if ($x =~ $linkre) { +push @links, $1; +} +} $link_map{$filename} = [ @links ]; }
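Review bot: `$x =~ $linkre` in the new `while` loop records at most one link per piece of markup returned by `$markup_re`, whereas the removed list-context `/gx` match collected every link in the contents. `$markup_re` is defined outside this hunk; if it can return an outer code that wraps several `L<>` codes, all but the first would be missing from `@links`. If that case can occur, `push @links, $x =~ /$linkre/g;` keeps the old coverage while still matching only against the small extracted string. collectnames() begins before the hunk.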
[openssl] master update
The branch master has been updated via 7c499c7da93561fd620338cc4f8691c1dbc9ee36 (commit) via f5657ce8e664cbb1e3314f54385b9a4d653e6bae (commit) via 6dd07a9328950ff8bf3f95ad35caf3a4e1e33a15 (commit) via a2405c5f2019707d1a4306f152faa9ccda5f4cd5 (commit) from bfd6b619b6ccba8aee6b1d9ea1af21f0e03567dc (commit) - Log - commit 7c499c7da93561fd620338cc4f8691c1dbc9ee36 Author: Richard Levitte Date: Mon May 24 14:25:28 2021 +0200 TEST: Add test specific fipsmodule.cnf, and use it We add the concept of preparation recipes, which are performed unconditionally. They are all expected to match the pattern test/recipes/00-prep_*.t. We add one such preparation recipe, test/recipes/00-prep_fipsmodule_cnf.t, which helps us generate a test specific fipsmodule.cnf, to be used by all other tests. Fixes #15166 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15436) commit f5657ce8e664cbb1e3314f54385b9a4d653e6bae Author: Richard Levitte Date: Mon May 24 14:24:32 2021 +0200 Build file templates: rework FIPS module installation Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15436) commit 6dd07a9328950ff8bf3f95ad35caf3a4e1e33a15 Author: Richard Levitte Date: Mon May 24 14:19:38 2021 +0200 Build file templates: rework how general dependencies are computed For some types of targets, we pretty much know what kinds of files all the dependencies are. For some, however, we can't assume anything, and are faced with dependencies in platform agnostic form. We need to find those in diverse places in %unified_info, and deduce from there how they should be converted to a platform specific form. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15436) commit a2405c5f2019707d1a4306f152faa9ccda5f4cd5 Author: Richard Levitte Date: Mon May 24 14:06:00 2021 +0200 Rework how providers/fipsmodule.cnf is produced First of all, we have concluded that we can calculate the integrity checksum with a simple perl script. 
Second, having the production of providers/fipsmodule.cnf as a dependency for run_tests wasn't quite right. What we really want is to generate it as soon as a new providers/fips.so is produced. That required a small bit of fiddling with how diverse dependencies are made. Fixes #15166 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15436) --- Summary of changes: Configurations/descrip.mms.tmpl| 99 +++- Configurations/unix-Makefile.tmpl | 97 ++-- Configurations/windows-makefile.tmpl | 101 +++-- providers/build.info | 15 +-- ...t_fipsmodule_cnf.t => 00-prep_fipsmodule_cnf.t} | 19 ++-- test/recipes/01-test_fipsmodule_cnf.t | 2 +- test/recipes/90-test_threads.t | 2 +- test/run_tests.pl | 11 ++- util/mk-fipsmodule-cnf.pl | 44 + 9 files changed, 225 insertions(+), 165 deletions(-) copy test/recipes/{01-test_fipsmodule_cnf.t => 00-prep_fipsmodule_cnf.t} (66%) create mode 100644 util/mk-fipsmodule-cnf.pl diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 4188e29020..3430f7258d 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -62,7 +62,12 @@ @{$unified_info{modules}}; our @install_modules = grep { !$unified_info{attributes}->{modules}->{$_}->{noinst} - && !$unified_info{attributes}->{modules}->{$_}->{engine} } + && !$unified_info{attributes}->{modules}->{$_}->{engine} + && !$unified_info{attributes}->{modules}->{$_}->{fips} } + @{$unified_info{modules}}; + our @install_fipsmodules = + grep { !$unified_info{attributes}->{modules}->{$_}->{noinst} + && $unified_info{attributes}->{modules}->{$_}->{fips} } @{$unified_info{modules}}; our @install_programs = grep { !$unified_info{attributes}->{programs}->{$_}->{noinst} } 
@@ -269,15 +274,23 @@ SHLIB_TARGET={- $target{shared_target} -} LIBS={- join(", ", map { "-\n\t".$_.".OLB" } @libs) -} SHLIBS={- join(", ", map { "-\n\t".$_.".EXE" } @shlibs) -} -FIPSMODULENAME={- # We do some extra checking here, as there should be only one - use File::Basename; - my @fipsmodules = - grep { !$unified_info{att
[openssl] master update
The branch master has been updated via 8d67621de16990132c13f6a11bcc18ce8e9cdd47 (commit) from 817d408dd9a8d31866351e4676d232dce93ebbcf (commit) - Log - commit 8d67621de16990132c13f6a11bcc18ce8e9cdd47 Author: Jan Lana Date: Mon May 24 17:08:09 2021 +0200 fix Solaris OS detection in config.pm Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/15439) --- Summary of changes: util/perl/OpenSSL/config.pm | 40 +--- 1 file changed, 17 insertions(+), 23 deletions(-) diff --git a/util/perl/OpenSSL/config.pm b/util/perl/OpenSSL/config.pm index 79e8c29d71..58feba952b 100755 --- a/util/perl/OpenSSL/config.pm +++ b/util/perl/OpenSSL/config.pm @@ -197,13 +197,15 @@ sub is_sco_uname { open UNAME, "uname -X 2>/dev/null|" or return ''; my $line = ""; +my $os = ""; while ( ) { chop; $line = $_ if m@^Release@; +$os = $_ if m@^System@; } close UNAME; -return undef if $line eq ''; +return undef if $line eq '' or $os eq 'System = SunOS'; my @fields = split(/\s+/, $line); return $fields[2]; @@ -238,7 +240,7 @@ sub get_sco_type { sub guess_system { ($SYSTEM, undef, $RELEASE, $VERSION, $MACHINE) = POSIX::uname(); my $sys = "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}"; - + # Special-cases for ISC, SCO, Unixware my $REL = is_sco_uname(); if ( defined $REL ) { 
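Review bot: The new test `$os eq 'System = SunOS'` in is_sco_uname() is an exact string comparison on `uname -X` output, so any difference in spacing around the `=` or a trailing blank makes Solaris fall through to the SCO path again. A pattern match such as `$os =~ /^System\s*=\s*SunOS\s*$/` tolerates those variations. A one-line comment saying that Solaris also answers `uname -X` would explain why the extra field is read at all.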
@@ -360,29 +362,20 @@ sub determine_compiler_settings { } if ( $SYSTEM eq "SunOS" ) { -# check for WorkShop C, expected output is "cc: blah-blah C x.x" +# check for Oracle Developer Studio, expected output is "cc: blah-blah C x.x blah-blah" my $v = `(cc -V 2>&1) 2>/dev/null | egrep -e '^cc: .* C [0-9]\.[0-9]'`; -chomp $v; -$v =~ s/.* C \([0-9]\)\.\([0-9]\).*/$1.$2/; -my @numbers = split /\./, $v; +my @numbers = +( $v =~ m/^.* C ([0-9]+)\.([0-9]+) .*/ ); my @factors = (100, 1); $v = 0; while (@numbers && @factors) { $v += shift(@numbers) * shift(@factors) } -if ( $v > 4 && $MACHINE ne 'i86pc' ) { +if ($v > 500) { $CC = 'cc'; -$CCVENDOR = ''; # Determine later +$CCVENDOR = 'sun'; $CCVER = $v; - -if ( $CCVER == 5 ) { -print <<'EOF'; -WARNING! Found WorkShop C 5.0. - Make sure you have patch #107357-01 or later applied. -EOF -maybe_abort(); -} } } } @@ -685,11 +678,12 @@ EOF sub { my $KERNEL_BITS = $ENV{KERNEL_BITS}; my $ISA64 = `isainfo 2>/dev/null | grep sparcv9`; -if ( $ISA64 ne "" && $KERNEL_BITS eq '' ) { +my $KB = $KERNEL_BITS // '64'; +if ( $ISA64 ne "" && $KB eq '64' ) { if ( $CCVENDOR eq "sun" && $CCVER >= 500 ) { print < "solaris64-sparcv9" }; +return { target => "solaris64-sparcv9-gcc" }; } elsif ( $GCC_ARCH eq "-m32" ) { print < "solaris64-sparcv9" } -if $ISA64 ne "" && $KERNEL_BITS eq '64'; -return { target => "solaris-sparcv9" }; +return { target => "solaris64-sparcv9-cc" } +if $ISA64 ne "" && $KB eq '64'; +return { target => "solaris-sparcv9-cc" }; } ], [ 'sun4m-.*-solaris2', { target => "solaris-sparcv8" } ],
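Review bot: The version match in the `@@ -360` hunk, `m/^.* C ([0-9]+)\.([0-9]+) .*/`, requires a space after the minor number, so a `cc -V` line that ends right after the version leaves `@numbers` empty and `$v` at 0, and the vendor compiler is silently not selected. Dropping the trailing part, as in `m/ C ([0-9]+)\.([0-9]+)/`, accepts both forms; the `egrep` filter in front of it already allows a line ending there. Separately, `if ($v > 500)` excludes version 5.0 while the later context line tests `$CCVER >= 500`; if 5.0 is left out on purpose, a short comment saying so would help.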
[openssl] master update
The branch master has been updated via f0fa37a4a7f43c68770ccb0b3ce286cfe6e3254a (commit) from eb1b66f00ca4e1fb6f9e815e8686768b6d81722d (commit) - Log - commit f0fa37a4a7f43c68770ccb0b3ce286cfe6e3254a Author: Richard Levitte Date: Fri May 21 08:26:46 2021 +0200 Fix 'openssl req' to be able to use provided keytypes 'openssl req' was still using old APIs that could only deal with EVP_PKEY_ASN1_METHOD based EVP_PKEYs. Now modified to use more generic functions that can handle all forms of EVP_PKEY, this app should be ready for the future. Fixes #15388 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15400) --- Summary of changes: apps/req.c | 163 ++--- 1 file changed, 80 insertions(+), 83 deletions(-) diff --git a/apps/req.c b/apps/req.c index d41b992e6d..11222cb397 100644 --- a/apps/req.c +++ b/apps/req.c @@ -14,6 +14,7 @@ #include #include "apps.h" #include "progs.h" +#include #include #include #include @@ -70,8 +71,8 @@ static int check_end(const char *str, const char *end); static int join(char buf[], size_t buf_size, const char *name, const char *tail, const char *desc); static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, -int *pkey_type, long *pkeylen, -char **palgnam, ENGINE *keygen_engine); +char **pkeytype, long *pkeylen, +ENGINE *keygen_engine); static const char *section = "req"; static CONF *req_conf = NULL; @@ -255,7 +256,6 @@ int req_main(int argc, char **argv) OPTION_CHOICE o; int days = UNSET_DAYS; int ret = 1, gen_x509 = 0, i = 0, newreq = 0, verbose = 0; -int pkey_type = -1; int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, keyform = FORMAT_UNDEF; int modulus = 0, multirdn = 1, verify = 0, noout = 0, text = 0; int noenc = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0; 
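Review bot: The reworked set_keygen_ctx() prototype in the `@@ -70` hunk has two out-parameters, `char **pkeytype` and `long *pkeylen`, and no comment describing them. A short header comment should say what is stored through each pointer, whether the string left in `*pkeytype` is allocated and who frees it, and that `gstr` may be NULL now that req_main() calls the function unconditionally. The function body is not shown on this page, so the ownership has to be confirmed there before the comment is written.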
@@ -631,30 +631,30 @@ int req_main(int argc, char **argv) newkey_len = DEFAULT_KEY_LENGTH; } -if (keyalg != NULL) { -genctx = set_keygen_ctx(keyalg, _type, _len, -, gen_eng); -if (genctx == NULL) -goto end; -} +genctx = set_keygen_ctx(keyalg, , _len, gen_eng); +if (genctx == NULL) +goto end; if (newkey_len < MIN_KEY_LENGTH -&& (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) { +&& (EVP_PKEY_CTX_is_a(genctx, "RSA") +|| EVP_PKEY_CTX_is_a(genctx, "RSA-PSS") +|| EVP_PKEY_CTX_is_a(genctx, "DSA"))) { BIO_printf(bio_err, "Private key length is too short,\n"); BIO_printf(bio_err, "it needs to be at least %d bits, not %ld.\n", MIN_KEY_LENGTH, newkey_len); goto end; } -if (pkey_type == EVP_PKEY_RSA -&& newkey_len > OPENSSL_RSA_MAX_MODULUS_BITS) +if (newkey_len > OPENSSL_RSA_MAX_MODULUS_BITS +&& (EVP_PKEY_CTX_is_a(genctx, "RSA") +|| EVP_PKEY_CTX_is_a(genctx, "RSA-PSS"))) BIO_printf(bio_err, "Warning: It is not recommended to use more than %d bit for RSA keys.\n" " Your key size is %ld! Larger key size may behave not as expected.\n", OPENSSL_RSA_MAX_MODULUS_BITS, newkey_len); #ifndef OPENSSL_NO_DSA -if (pkey_type == EVP_PKEY_DSA +if (EVP_PKEY_CTX_is_a(genctx, "DSA") && newkey_len > OPENSSL_DSA_MAX_MODULUS_BITS) BIO_printf(bio_err, "Warning: It is not recommended to use more than %d bit for DSA keys.\n" @@ -662,13 +662,6 @@ int req_main(int argc, char **argv) OPENSSL_DSA_MAX_MODULUS_BITS, newkey_len); #endif -if (genctx == NULL) { -genctx = set_keygen_ctx(NULL, _type, _len, -, gen_eng); -if (genctx == NULL) -goto end; -} - if (pkeyopts != NULL) { char *genopt; for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) { @@ -680,11 +673,7 @@ int req_main(int argc, char **argv) } } -if (pkey_type == EVP_PKEY_EC) { -BIO_printf(bio_err, "Generating an EC private key\n"); -} else { -BIO_printf(bio_err, "Gener
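Review bot: The MIN_KEY_LENGTH test in the `@@ -631` hunk looks only at `newkey_len`, while the `pkeyopts` loop visible as context in the `@@ -662` hunk applies further options to `genctx` afterwards. If one of those options sets the key size, the final size is never compared against the minimum or against the RSA/DSA maximum warnings. This presumably predates the commit, but since the checks are being reworked here they could be moved after the loop, or at least annotated with `/* NOTE: key sizes set through pkeyopts are not covered by this check */`. The loop body is cut off on the page, so this is inferred from the context lines.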
[openssl] master update
The branch master has been updated via 733094ec6b718ebced449b275a780ec3d0a361a5 (commit) from e16d9afe4106503ba6c4b22c9b7c5bd367e3b565 (commit) - Log - commit 733094ec6b718ebced449b275a780ec3d0a361a5 Author: Richard Levitte Date: Fri May 21 06:07:25 2021 +0200 TEST: Avoid using just 'example.com' - test_cmp_http We have reports that some are using example.com in their /etc/hosts for testing purposes, so we can't necessarily assume that those will fail. We fix it by using "random" hosts in that domain. Fixes #15395 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15398) --- Summary of changes: test/recipes/80-test_cmp_http_data/Mock/test.cnf | 6 +++--- test/recipes/80-test_cmp_http_data/test_connection.csv | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/test/recipes/80-test_cmp_http_data/Mock/test.cnf b/test/recipes/80-test_cmp_http_data/Mock/test.cnf index 503ded18e3..8c8913b3c9 100644 --- a/test/recipes/80-test_cmp_http_data/Mock/test.cnf +++ b/test/recipes/80-test_cmp_http_data/Mock/test.cnf @@ -135,6 +135,6 @@ subjectAltName = @alt_names_3 [alt_names_3] DNS.0 = localhost -DNS.1 = example.com -DNS.2 = example2.com -DNS__3 = example3.com +DNS.1 = xn--rksmrgs-5wao1o.example.com +DNS.2 = xn--rkmacka-5wa.example.com +DNS__3 = xn--rksallad-0za.example.com diff --git a/test/recipes/80-test_cmp_http_data/test_connection.csv b/test/recipes/80-test_cmp_http_data/test_connection.csv index 55670cf446..33a572a29d 100644 --- a/test/recipes/80-test_cmp_http_data/test_connection.csv +++ b/test/recipes/80-test_cmp_http_data/test_connection.csv 
@@ -5,7 +5,7 @@ expected,description, -section,val, -server,val, -proxy,val, -no_proxy,val, -tls TBD,Domain name, -section,, -server,_SERVER_CN:_SERVER_PORT,, TBD,IP address, -section,, -server,_SERVER_IP:_SERVER_PORT,, ,,, -0,wrong server, -section,, -server,example.com:_SERVER_PORT,BLANK -msg_timeout,1,BLANK,,BLANK, +0,wrong server, -section,, -server,xn--rksmrgs-5wao1o.example.com:_SERVER_PORT,BLANK -msg_timeout,1,BLANK,,BLANK, 0,wrong server port, -section,, -server,_SERVER_HOST:99,BLANK -msg_timeout,1,BLANK,,BLANK, 0,server default port, -section,, -server,_SERVER_HOST,BLANK -msg_timeout,1,BLANK,,BLANK, 0,server port out of range, -section,, -server,_SERVER_HOST:65536,BLANKBLANK,,BLANK,,BLANK,
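Review bot: The "wrong server" row still relies on a name under example.com failing to resolve, which local resolver configuration can change just as /etc/hosts did for the bare domain. The reserved `.invalid` top-level domain is specified never to resolve, so a row such as `-server,no-such-host.invalid:_SERVER_PORT` (constructed example) would not depend on the tester's environment. The subjectAltName entries in test.cnf are unaffected by this, since they are only certificate contents.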
[openssl] master update
The branch master has been updated via d0ccefdb77f94bec662d75aeadd0b081641abd19 (commit) via 4b2981f13e6d2090a656dec5e877b849331c3b69 (commit) from b4810b70ff79bef340a9447789622b6066a6361b (commit) - Log - commit d0ccefdb77f94bec662d75aeadd0b081641abd19 Author: Richard Levitte Date: Mon May 17 23:10:11 2021 +0200 Disable loader_attic by default on VMS The reason is that it currently doesn't build properly, due to the of pvkfmt.c, causing multiply defined symbols since libcrypto exports them as well. At the same time, it can't do without that source file, or it won't have access to certain internal symbols from there. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15320) commit 4b2981f13e6d2090a656dec5e877b849331c3b69 Author: Richard Levitte Date: Mon May 17 23:10:02 2021 +0200 Make it possible to disable the loader_attic engine Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15320) --- Summary of changes: Configurations/10-main.conf | 2 +- Configure | 1 + engines/build.info | 22 -- 3 files changed, 14 insertions(+), 11 deletions(-) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index 122d3f46db..117598eb06 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -1857,7 +1857,7 @@ my %targets = ( asflags => sub { vms_info()->{asflags} }, perlasm_scheme => sub { vms_info()->{perlasm_scheme} }, -disable => add('pinshared'), +disable => add('pinshared', 'loadereng'), }, diff --git a/Configure b/Configure index 16f12565ab..a6fb8324a0 100755 --- a/Configure +++ b/Configure @@ -449,6 +449,7 @@ my @disablables = ( "idea", "ktls", "legacy", +"loadereng", "makedepend", "md2", "md4", diff --git a/engines/build.info b/engines/build.info index e275035946..cae014ecc6 100644 --- a/engines/build.info +++ b/engines/build.info 
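Review bot: The new `"loadereng"` entry in `@disablables` (Configure hunk) comes without user-facing documentation: the diffstat lists only 10-main.conf, Configure and engines/build.info. Every other option in that list can be given to Configure as `no-<name>`, so an INSTALL.md entry for `no-loadereng`, and a note that VMS targets now disable it by default, would let builders find it. It may be documented in a separate commit that is not on this page.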
@@ -69,8 +69,19 @@ IF[{- !$disabled{"engine"} -}] GENERATE[devcrypto.ld]=../util/engines.num ENDIF ENDIF +IF[{- !$disabled{"loadereng"} -}] + MODULES{engine}=loader_attic + SOURCE[loader_attic]=e_loader_attic.c ../crypto/pem/pvkfmt.c + DEFINE[loader_attic]=OPENSSL_NO_PROVIDER_CODE + DEPEND[loader_attic]=../libcrypto + INCLUDE[loader_attic]=../include + IF[{- defined $target{shared_defflag} -}] +SOURCE[loader_attic]=loader_attic.ld +GENERATE[loader_attic.ld]=../util/engines.num + ENDIF +ENDIF -MODULES{noinst,engine}=ossltest dasync loader_attic +MODULES{noinst,engine}=ossltest dasync SOURCE[dasync]=e_dasync.c DEPEND[dasync]=../libcrypto INCLUDE[dasync]=../include @@ -86,15 +97,6 @@ IF[{- !$disabled{"engine"} -}] SOURCE[ossltest]=ossltest.ld GENERATE[ossltest.ld]=../util/engines.num ENDIF - -SOURCE[loader_attic]=e_loader_attic.c ../crypto/pem/pvkfmt.c -DEFINE[loader_attic]=OPENSSL_NO_PROVIDER_CODE -DEPEND[loader_attic]=../libcrypto -INCLUDE[loader_attic]=../include -IF[{- defined $target{shared_defflag} -}] - SOURCE[loader_attic]=loader_attic.ld - GENERATE[loader_attic.ld]=../util/engines.num -ENDIF ENDIF GENERATE[e_padlock-x86.s]=asm/e_padlock-x86.pl GENERATE[e_padlock-x86_64.s]=asm/e_padlock-x86_64.pl
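Review bot: loader_attic moves from `MODULES{noinst,engine}` to `MODULES{engine}` in this hunk, which as far as the visible lines show drops its `noinst` attribute. That would turn it from a build-tree-only module into an installed engine on every platform where `loadereng` is enabled. Neither commit message mentions a change in what gets installed. If it is intended, the description should say so; if not, `MODULES{noinst,engine}=loader_attic` inside the new `IF` block keeps the previous behaviour.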
[openssl] master update
The branch master has been updated via b4810b70ff79bef340a9447789622b6066a6361b (commit) from 1b77f00a9b0469fe578c60710e760ebc2b908e21 (commit) - Log - commit b4810b70ff79bef340a9447789622b6066a6361b Author: Richard Levitte Date: Fri May 21 05:52:01 2021 +0200 VMS: Fix run of generic generator programs in descrip.mms.tmpl For a generic program, always go through the MCR utility. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15397) --- Summary of changes: Configurations/descrip.mms.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 85f90ad518..4188e29020 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl @@ -984,7 +984,7 @@ EOF $gen0 = platform->bin($gen0); return <<"EOF"; $args{src} : $gen0 $deps - PIPE $gen0$gen_args > \$@ + PIPE MCR $gen0$gen_args > \$@ EOF } else { #
[openssl] master update
The branch master has been updated via 1b77f00a9b0469fe578c60710e760ebc2b908e21 (commit) from 84faea44e6ad9ff7f470b5958e7303f6c521bf2e (commit) - Log - commit 1b77f00a9b0469fe578c60710e760ebc2b908e21 Author: Richard Levitte Date: Wed May 19 10:57:48 2021 +0200 Configurations/descrip.mms.tmpl: rework the inclusion hacks Because VMS C has some trouble with recursive inclusion of header files, we have had to help it out for object files where there is such an inclusion structure. Previously, we did so with temporary logical names that were the same as the first directory in an inclusion, so for example, to enable this inclusion (found in ssl/ssl_local.h), we created the logical name "record" when building any of the object files in the ssl/ subdirectories: #include "record/record.h" However, there is another way with the VMS C compiler, to selectively specify extra include directories in Unix form directly to the compiler. The logic is that from the directory where the source file to compile is located, the specified inclusion directory merged with the inclusion string should be able to access to specified header file. So for example, when a file in ssl/record/ is compiled, the following inclusion is found: #include "../ssl_local.h" So far so good, VMS C handles it properly. However, the recursive inclusion of "record/record.h" fails. However, if the compiler is helped out a little bit, with the following extra qualifier, then it works: /INCLUDE="../" The reason is that the compiler merges "../" and "record/record.h" into "../record/record.h", which is the correct path to that header file from the directory of the source file being compiled. All that remained was to figure out all places where this trouble may occur, and specify extra Unix formatted inclusion directories to specify on per object file basis. 
Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15369) --- Summary of changes: Configurations/descrip.mms.tmpl | 81 + 1 file changed, 33 insertions(+), 48 deletions(-) diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index 873d74f651..85f90ad518 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl 
@@ -205,43 +205,39 @@ our $bin_ex_libs = join('', @cnf_ex_libs, '$(EX_LIBS)'); # This is a horrible hack, but is needed because recursive inclusion of files - # in different directories does not work well with HP C. - my $sd = sourcedir("crypto", "async", "arch"); + # in different directories does not work well with VMS C. We try to help by + # specifying extra relative directories. They must always be in Unix format, + # relative to the directory where the .c file is located. The logic is that + # any inclusion, merged with one of these relative directories, will find the + # requested inclusion file. foreach (grep /\[\.crypto\.async\.arch\].*\.o$/, keys %{$unified_info{sources}}) { my $obj = platform->obj($_); - $unified_info{before}->{$obj} - = qq(arch_include = F\$PARSE("$sd","A.;",,,"SYNTAX_ONLY") - "A.;" -define arch 'arch_include'); - $unified_info{after}->{$obj} - = qq(deassign arch); + push @{$unified_info{includes_extra}->{$obj}}, qw(../); } - my $sd32 = sourcedir("crypto", "ec", "curve448", "arch_32"); - my $sd64 = sourcedir("crypto", "ec", "curve448", "arch_64"); - foreach (grep /\[\.crypto\.ec\.curve448.*?\].*?\.o$/, keys %{$unified_info{sources}}) { + foreach (grep /\[\.crypto\.ec\.curve448\].*?\.o$/, keys %{$unified_info{sources}}) { my $obj = platform->obj($_); - $unified_info{before}->{$obj} - = qq(arch_32_include = F\$PARSE("$sd32","A.;",,,"SYNTAX_ONLY") - "A.;" -define arch_32 'arch_32_include' -arch_64_include = F\$PARSE("$sd64","A.;",,,"SYNTAX_ONLY") - "A.;" -define arch_64 'arch_64_include'); - $unified_info{after}->{$obj} - = qq(deassign arch_64 -deassign arch_32); + push @{$unified_info{includes_extra}->{$obj}}, qw(./arch_32 ./arch64); } - my $sd1 = sourcedir("ssl","record"); - my $sd2 = sourcedir("ssl","statem"); - my @ssl_locl_users = grep(/^\[\.(?:ssl\.(?:record|statem)|test)\].*\.o$/
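Review bot: `qw(./arch_32 ./arch64)` in the curve448 loop looks like a typo for `./arch_64`: the removed lines built their logical names from `sourcedir("crypto", "ec", "curve448", "arch_64")`. With the underscore missing, the extra include directory for the 64-bit arch headers points at a path that the old code never used, so the inclusion problem this block works around would presumably reappear for those headers. The line should read `push @{$unified_info{includes_extra}->{$obj}}, qw(./arch_32 ./arch_64);`. The hunk is cut off on the page shortly after this loop.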
[openssl] master update
The branch master has been updated via b54611922b5eb760bd64de0c8edfeb13ae81fa65 (commit) via 6251895ca8f816a7a8b234eb7f0842fcff2937f4 (commit) from a066841554bd23281ae4bb48badc088753f734ca (commit) - Log - commit b54611922b5eb760bd64de0c8edfeb13ae81fa65 Author: Richard Levitte Date: Thu May 20 09:42:22 2021 +0200 test/params_conversion_test.c: fix the use of strtoumax and strtoimax on VMS We do this by making them aliases for strtoull and strtoll, since long long is the current largest integer that have this sort of routine on VMS. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15366) commit 6251895ca8f816a7a8b234eb7f0842fcff2937f4 Author: Richard Levitte Date: Thu May 20 09:42:12 2021 +0200 Include "internal/numbers.h" in test programs using SIZE_MAX Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15366) --- Summary of changes: test/evp_kdf_test.c | 1 + test/params_conversion_test.c | 5 + test/params_test.c| 1 + 3 files changed, 7 insertions(+) diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c index cc172db42e..1bed159227 100644 --- a/test/evp_kdf_test.c +++ b/test/evp_kdf_test.c @@ -16,6 +16,7 @@ #include #include #include +#include "internal/numbers.h" #include "testutil.h" static EVP_KDF_CTX *get_kdfbyname(const char *name) diff --git a/test/params_conversion_test.c b/test/params_conversion_test.c index 1c3a4716a6..2fc17cc592 100644 --- a/test/params_conversion_test.c +++ b/test/params_conversion_test.c @@ -19,6 +19,11 @@ # define strcasecmp _stricmp # endif +# ifdef OPENSSL_SYS_VMS +# define strtoumax strtoull +# define strtoimax strtoll +# endif + typedef struct { OSSL_PARAM *param; int32_t i32; diff --git a/test/params_test.c b/test/params_test.c index dd2d13b862..205c2deab0 100644 --- a/test/params_test.c +++ b/test/params_test.c @@ -16,6 +16,7 @@ #include #include #include +#include "internal/numbers.h" #include "internal/nelem.h" #include "testutil.h"
[openssl] master update
The branch master has been updated via a066841554bd23281ae4bb48badc088753f734ca (commit) from 3f987381929ee725daf4746591144dde18f313e1 (commit) - Log - commit a066841554bd23281ae4bb48badc088753f734ca Author: Richard Levitte Date: Thu May 20 10:31:21 2021 +0200 VMS: don't use app_malloc() in apps/lib/vms_decc_argv.c The reason being that it would otherwise force test programs to link with all of libapps.a, which unfortunately causes multiple symbol definition issues. The quick and dirty fix is to use OPENSSL_malloc() instead of app_malloc() in apps/lib/vms_decc_argv.c, and clean up libapps.a later. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15368) --- Summary of changes: apps/lib/vms_decc_argv.c | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/apps/lib/vms_decc_argv.c b/apps/lib/vms_decc_argv.c index 932b51a837..25b42eb801 100644 --- a/apps/lib/vms_decc_argv.c +++ b/apps/lib/vms_decc_argv.c @@ -10,7 +10,6 @@ #include #include #include "platform.h"/* for copy_argv() */ -#include "apps.h"/* for app_malloc() */ char **newargv = NULL; @@ -51,7 +50,13 @@ char **copy_argv(int *argc, char *argv[]) cleanup_argv(); -newargv = app_malloc(sizeof(*newargv) * (count + 1), "argv copy"); +/* + * We purposefully use OPENSSL_malloc() rather than app_malloc() here, + * to avoid symbol name clashes in test programs that would otherwise + * get them when linking with all of libapps.a. + * See comment in test/build.info. + */ +newargv = OPENSSL_malloc(sizeof(*newargv) * (count + 1)); if (newargv == NULL) return NULL;
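Review bot: With OPENSSL_malloc() in place of app_malloc(), the existing `if (newargv == NULL) return NULL;` becomes a live path, and copy_argv() can now hand NULL back to its caller instead of the program exiting inside the allocator. The callers are outside this hunk, so each one needs to be checked for code that indexes the returned array without testing it. The new comment could also state the contract, for example `Returns NULL on allocation failure; callers must check.` The function body continues past the end of the hunk.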
[openssl] master update
The branch master has been updated via 0491691342cf8fefb61de14b8edd56a937b458ac (commit) from 819b94c0c0d338fbec0aee828f3b61d7878c3837 (commit) - Log - commit 0491691342cf8fefb61de14b8edd56a937b458ac Author: Richard Levitte Date: Thu May 20 13:32:28 2021 +0200 DOCS: Fixups of the migration guide and the FIPS module manual The markup needed a few touch-ups Reviewed-by: Paul Dale Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/15377) --- Summary of changes: doc/man7/fips_module.pod | 112 ++-- doc/man7/migration_guide.pod | 1256 +- 2 files changed, 940 insertions(+), 428 deletions(-) diff --git a/doc/man7/fips_module.pod b/doc/man7/fips_module.pod index b8a343eb09..3fdbfc0386 100644 --- a/doc/man7/fips_module.pod +++ b/doc/man7/fips_module.pod 
@@ -14,17 +14,29 @@ This guide details different ways that OpenSSL can be used in conjunction with the FIPS module. Which is the correct approach to use will depend on your own specific circumstances and what you are attempting to achieve. -Note that the old functions 'FIPS_mode()` and `FIPS_mode_set()` are no longer +Note that the old functions FIPS_mode() and FIPS_mode_set() are no longer present so you must remove them from your application if you use them. Applications written to use the OpenSSL 3.0 FIPS module should not use any legacy APIs or features that avoid the FIPS module. Specifically this includes: -- Low level cryptographic APIs (use the high level APIs, such as EVP, instead) -- Engines -- Any functions that create or modify custom "METHODS" (for example -`EVP_MD_meth_new`, `EVP_CIPHER_meth_new`, `EVP_PKEY_meth_new`, `RSA_meth_new`, -`EC_KEY_METHOD_new`, etc.) +=over 4 + +=item - + +Low level cryptographic APIs (use the high level APIs, such as EVP, instead) + +=item - + +Engines + +=item - + +Any functions that create or modify custom "METHODS" (for example +EVP_MD_meth_new(), EVP_CIPHER_meth_new(), EVP_PKEY_meth_new(), RSA_meth_new(), +EC_KEY_METHOD_new(), etc.) + +=back All of the above APIs are deprecated in OpenSSL 3.0 - so a simple rule is to avoid using all deprecated functions. See L for a list of @@ -55,9 +67,9 @@ running an OpenSSL 3.0 version like this: $ openssl version -v OpenSSL 3.0.0-dev xx XXX (Library: OpenSSL 3.0.0-dev xx XXX ) -The OPENSSLDIR value above gives the directory name for where the default config -file is stored. So in this case the default config file will be called -`/usr/local/ssl/openssl.cnf` +The B value above gives the directory name for where the default +config file is stored. So in this case the default config file will be called +F. Edit the config file to add the following lines near the beginning: 
@@ -93,23 +105,31 @@ some disadvantages to this approach: =over 4 -=item You may not want all applications to use the FIPS module. +=item - + +You may not want all applications to use the FIPS module. It may be the case that some applications should and some should not use the FIPS module. -=item If applications take explicit steps to not load the default config file or +=item - + +If applications take explicit steps to not load the default config file or set different settings. This method will not work for these cases. -=item The algorithms available in the FIPS module are a subset of the algorithms +=item - + +The algorithms available in the FIPS module are a subset of the algorithms that are available in the default OpenSSL Provider. If any applications attempt to use any algorithms that are not present, then they will fail. --=item Usage of certain deprecated APIs avoids the use of the FIPS module. +=item - + +Usage of certain deprecated APIs avoids the use of the FIPS module. If any applications use those APIs then the FIPS module will not be used. @@ -119,8 +139,8 @@ If any applications use those APIs then the FIPS module will not be used. A variation on the above approach is to do the same thing on an individual application basis. The default OpenSSL config file depends on the compiled in -value for OPENSSLDIR as described in the section above. However it is also -possible to override the config file to be used via the `OPENSSL_CONF` +value for B as described in the section above. However it is also +possible to override the config file to be used via the B environment variable. For example the following, on Unix, will cause the application to be executed with a non-standard config file location: @@ -143,8 +163,8 @@ file. To do things this way configure as per L above, but edit the -`fipsmodule.cnf` file to remove or comment out the line which says -`activate = 1` (note that setting this value to 0 is I sufficient). +F file to remove or commen
[openssl] master update
The branch master has been updated via b938544969577e3b74da6f8c689c87c90ceced22 (commit) from d2f82495a25d835e4821c0c1a79e8e39b66eed66 (commit) - Log - commit b938544969577e3b74da6f8c689c87c90ceced22 Author: Richard Levitte Date: Wed May 19 18:51:07 2021 +0200 PROV: Relegate most of the FIPS provider code to libfips.a provider/fips/fipsprov.c contains a number of symbols that get used by anything that's included in libfips.a, at least on Unix. Unfortunately, there are platforms that do not support resolving symbols to things that are already included in the end product (module in this case) being built; they only support resolving symbols with what comes next in the linking process. The offending symbols in this case are FIPS_security_check_enabled, c_thread_start and ossl_fips_intern_provider_init. We resolve this by placing provider/fips/fipsprov.c in libfips.a along with everything else there. That takes care of the offending symbols. What remains is to ensure that there is an entry point in an object file used directly when linking the module, providers/fips/fips_entry.c Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15370) --- Summary of changes: providers/fips/build.info| 8 ++-- test/filterprov.h => providers/fips/fips_entry.c | 13 + providers/fips/fipsprov.c| 24 3 files changed, 35 insertions(+), 10 deletions(-) copy test/filterprov.h => providers/fips/fips_entry.c (50%) diff --git a/providers/fips/build.info b/providers/fips/build.info index 8d3c5e2049..2bfc58501e 100644 --- a/providers/fips/build.info +++ b/providers/fips/build.info 
@@ -1,2 +1,6 @@ -SOURCE[../fips]=fipsprov.c self_test.c self_test_kats.c -INCLUDE[../fips]=../implementations/include ../common/include ../.. +# We include the provider implementation into ../libfips.a, so that all +# platforms can resolve symbols in other members of that library. +SOURCE[../libfips.a]=fipsprov.c self_test.c self_test_kats.c + +# It is necessary to have an explicit entry point +SOURCE[../fips]=fips_entry.c diff --git a/test/filterprov.h b/providers/fips/fips_entry.c similarity index 50% copy from test/filterprov.h copy to providers/fips/fips_entry.c index 3c63071556..c2c8d5de2c 100644 --- a/test/filterprov.h +++ b/providers/fips/fips_entry.c @@ -7,8 +7,13 @@ * https://www.openssl.org/source/license.html */ -#include +#include -OSSL_provider_init_fn filter_provider_init; -int filter_provider_set_filter(int operation, const char *name); -int filter_provider_check_clean_finish(void); +OSSL_provider_init_fn OSSL_provider_init_int; +int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, + const OSSL_DISPATCH *in, + const OSSL_DISPATCH **out, + void **provctx) +{ +return OSSL_provider_init_int(handle, in, out, provctx); +} diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c index c28995fc44..580eea574f 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c 
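Review bot: The new providers/fips/fips_entry.c has no comment explaining why a forwarding-only `OSSL_provider_init` exists, and it declares `OSSL_provider_init_fn OSSL_provider_init_int;` locally, duplicating the declaration this commit adds to fipsprov.c instead of sharing one header. A short comment above the function, such as `/* Entry point linked directly into the module; the real initialisation is OSSL_provider_init_int() in libfips.a */`, would keep the reason next to the code, since build.info only says an explicit entry point is necessary. This file is the module's externally visible entry point, so a single shared declaration would also let the compiler catch any drift between the two prototypes. The header name on the `#include` line is missing in this rendering, so I cannot tell whether a suitable header is already pulled in.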
@@ -518,10 +518,26 @@ static const OSSL_DISPATCH intern_dispatch_table[] = { { 0, NULL } }; -int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, - const OSSL_DISPATCH *in, - const OSSL_DISPATCH **out, - void **provctx) +/* + * On VMS, the provider init function name is expected to be uppercase, + * see the pragmas in . Let's do the same with this + * internal name. This is how symbol names are treated by default + * by the compiler if nothing else is said, but since this is part + * of libfips, and we build our libraries with mixed case symbol names, + * we must switch back to this default explicitly here. + */ +#ifdef __VMS +# pragma names save +# pragma names uppercase,truncated +#endif +OSSL_provider_init_fn OSSL_provider_init_int; +#ifdef __VMS +# pragma names restore +#endif +int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle, + const OSSL_DISPATCH *in, + const OSSL_DISPATCH **out, + void **provctx) { FIPS_GLOBAL *fgbl; OSSL_LIB_CTX *libctx = NULL;
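Review bot: The VMS pragma block forces `OSSL_provider_init_int` to an uppercase, truncated symbol in fipsprov.c, but the matching declaration in fips_entry.c (same commit) has no such pragma and depends on that file being compiled with the compiler's default name handling. The comment explains the libfips side only, so the coupling is easy to break if the module's own objects are ever built with mixed-case names. I would add a sentence to the comment, for example `* fips_entry.c declares this name without pragmas and relies on the compiler default; keep the two in step.` The renamed function now has external linkage inside libfips.a, so it is presumably worth confirming that the module's export list still exposes only `OSSL_provider_init`. The function body continues outside the hunk.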
[openssl] master update
The branch master has been updated via f14bead2c4898e484b6c01808c07edf3b61f01e9 (commit) from 14d3bb06c9c11b3e13c64611913757c27bc057f2 (commit) - Log - commit f14bead2c4898e484b6c01808c07edf3b61f01e9 Author: Richard Levitte Date: Wed May 19 09:43:13 2021 +0200 VMS: Copy __DECC_INCLUDE_{PROLOGUE,EPILOGUE}.H to more places Every inclusion directory related to a library we build need these two files. That signals to any other module using anything from these libraries what to expect in terms of case sensitivity as well as how long symbol names are dealt with. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15341) --- Summary of changes: {include/openssl => apps/include}/__DECC_INCLUDE_EPILOGUE.H | 0 {include/openssl => apps/include}/__DECC_INCLUDE_PROLOGUE.H | 0 .../openssl => providers/common/include/prov}/__DECC_INCLUDE_EPILOGUE.H | 0 .../openssl => providers/common/include/prov}/__DECC_INCLUDE_PROLOGUE.H | 0 .../implementations/include/prov}/__DECC_INCLUDE_EPILOGUE.H | 0 .../implementations/include/prov}/__DECC_INCLUDE_PROLOGUE.H | 0 6 files changed, 0 insertions(+), 0 deletions(-) copy {include/openssl => apps/include}/__DECC_INCLUDE_EPILOGUE.H (100%) copy {include/openssl => apps/include}/__DECC_INCLUDE_PROLOGUE.H (100%) copy {include/openssl => providers/common/include/prov}/__DECC_INCLUDE_EPILOGUE.H (100%) copy {include/openssl => providers/common/include/prov}/__DECC_INCLUDE_PROLOGUE.H (100%) copy {include/openssl => providers/implementations/include/prov}/__DECC_INCLUDE_EPILOGUE.H (100%) copy {include/openssl => providers/implementations/include/prov}/__DECC_INCLUDE_PROLOGUE.H (100%) diff --git a/include/openssl/__DECC_INCLUDE_EPILOGUE.H b/apps/include/__DECC_INCLUDE_EPILOGUE.H similarity index 100% copy from include/openssl/__DECC_INCLUDE_EPILOGUE.H copy to apps/include/__DECC_INCLUDE_EPILOGUE.H 
diff --git a/include/openssl/__DECC_INCLUDE_PROLOGUE.H b/apps/include/__DECC_INCLUDE_PROLOGUE.H similarity index 100% copy from include/openssl/__DECC_INCLUDE_PROLOGUE.H copy to apps/include/__DECC_INCLUDE_PROLOGUE.H diff --git a/include/openssl/__DECC_INCLUDE_EPILOGUE.H b/providers/common/include/prov/__DECC_INCLUDE_EPILOGUE.H similarity index 100% copy from include/openssl/__DECC_INCLUDE_EPILOGUE.H copy to providers/common/include/prov/__DECC_INCLUDE_EPILOGUE.H diff --git a/include/openssl/__DECC_INCLUDE_PROLOGUE.H b/providers/common/include/prov/__DECC_INCLUDE_PROLOGUE.H similarity index 100% copy from include/openssl/__DECC_INCLUDE_PROLOGUE.H copy to providers/common/include/prov/__DECC_INCLUDE_PROLOGUE.H diff --git a/include/openssl/__DECC_INCLUDE_EPILOGUE.H b/providers/implementations/include/prov/__DECC_INCLUDE_EPILOGUE.H similarity index 100% copy from include/openssl/__DECC_INCLUDE_EPILOGUE.H copy to providers/implementations/include/prov/__DECC_INCLUDE_EPILOGUE.H diff --git a/include/openssl/__DECC_INCLUDE_PROLOGUE.H b/providers/implementations/include/prov/__DECC_INCLUDE_PROLOGUE.H similarity index 100% copy from include/openssl/__DECC_INCLUDE_PROLOGUE.H copy to providers/implementations/include/prov/__DECC_INCLUDE_PROLOGUE.H
[openssl] master update
The branch master has been updated via da750b15c0e69f809243d56eceb37d56a8fc9cfd (commit) via dd05c7938d70b620204f2808812f3bf7c535db48 (commit) from b41ebb991e8bbce736cf73b9c3d6b7c3e208b2b0 (commit) - Log - commit da750b15c0e69f809243d56eceb37d56a8fc9cfd Author: Richard Levitte Date: Tue May 18 18:22:57 2021 +0200 Make apps/progs.pl not look at apps/progs.c apps/progs.pl will have apps/progs.c as output, and on some systems, the output file of a program is locked against reading. Unfortunately, apps/progs.c is also part of the sources that make up apps/openssl, so it's necessary to mark that file in a way that makes progs.pl skip over it. Fortunately, this is easily done with a special attribute in apps/build.info and a simple adaptation of apps/progs.pl. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15332) commit dd05c7938d70b620204f2808812f3bf7c535db48 Author: Richard Levitte Date: Tue May 18 18:21:51 2021 +0200 build.info: Make it possible to set attributes on SOURCE / SHARED_SOURCE stmts Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15332) --- Summary of changes: Configure| 53 apps/build.info | 9 +-- apps/progs.pl| 3 ++- doc/internal/man7/build.info.pod | 14 +++ 4 files changed, 66 insertions(+), 13 deletions(-) diff --git a/Configure b/Configure index cd40abedf7..635dc1c84e 100755 --- a/Configure +++ b/Configure 
@@ -2186,14 +2186,14 @@ if ($builder eq "unified") { undef, undef, tokenize($expand_variables->($+{VALUE}))) if !@skip || $skip[$#skip] > 0; }, -qr/^\s* SOURCE ${index_re} = ${value_re} $/x +qr/^\s* SOURCE ${index_re} ${attribs_re} = ${value_re} $/x => sub { $push_to->(\%sources, $expand_variables->($+{INDEX}), -undef, undef, +\$attributes{sources}, $+{ATTRIBS}, tokenize($expand_variables->($+{VALUE}))) if !@skip || $skip[$#skip] > 0; }, -qr/^\s* SHARED_SOURCE ${index_re} = ${value_re} $/x +qr/^\s* SHARED_SOURCE ${index_re} ${attribs_re} = ${value_re} $/x => sub { $push_to->(\%shared_sources, $expand_variables->($+{INDEX}), -undef, undef, +\$attributes{sources}, $+{ATTRIBS}, tokenize($expand_variables->($+{VALUE}))) if !@skip || $skip[$#skip] > 0; }, qr/^\s* INCLUDE ${index_re} = ${value_re} $/x @@ -2279,10 +2279,10 @@ EOF if ($s eq $src_configdata || $generate{$_} || ! -f $s) { $s = cleanfile($buildd, $_, $blddir); } +my $o = $_; # We recognise C++, C and asm files if ($s =~ /\.(cc|cpp|c|s|S)$/) { push @{$check_exist{$s}}, $ddest; -my $o = $_; $o =~ s/\.[csS]$/.o/; # C and assembler $o =~ s/\.(cc|cpp)$/_cc.o/; # C++ $o = cleanfile($buildd, $o, $blddir); @@ -2291,7 +2291,6 @@ EOF } elsif ($s =~ /\.rc$/) { # We also recognise resource files push @{$check_exist{$s}}, $ddest; -my $o = $_; $o =~ s/\.rc$/.res/; # Resource configuration $o = cleanfile($buildd, $o, $blddir); $unified_info{sources}->{$ddest}->{$o} = -1; @@ -2300,6 +2299,17 @@ EOF push @{$check_exist{$s}}, $ddest; $unified_info{sources}->{$ddest}->{$s} = 1; } +# Fix up associated attributes +if ($o ne $_) { +$unified_info{attributes}->{sources}->{$ddest}->{$o} = +$unified_info{attributes}->{sources}->{$o}->{$s} = +$attributes{sources}->{$dest}->{$_} +if defined $attributes{sources}->{$dest}->{$_}; +} else { +$unified_info{attributes}->{sources}->{$ddest}->{$s} = +$attributes{sources}->{$dest}->{$_} +if defined $attributes{sources}->{$dest}->{$_}; +} } } @@ -2315,10 +2325,10 @@ EOF $s = cleanfile($buildd
[openssl] master update
The branch master has been updated via bf991b25caa6e915d858dd56c98ee774f248f03c (commit) via d2f53212933f751ef76acca9cc05bcb67d799964 (commit) via 857cbe176f28e3f178e492159fa9f2f203e845cd (commit) via fea559085bbe873f0f81751653cf673a7b00a95c (commit) via ac2aa13aaf6d4c5457fd99edd82659cb5b662816 (commit) from bba402ece781db0918e0a27289cf38479bafb023 (commit) - Log - commit bf991b25caa6e915d858dd56c98ee774f248f03c Author: Richard Levitte Date: Mon May 17 22:58:27 2021 +0200 Make sure to include "crypto/ctype.h" to get ossl_isdigit() Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15319) commit d2f53212933f751ef76acca9cc05bcb67d799964 Author: Richard Levitte Date: Mon May 17 21:38:51 2021 +0200 Make sure to include "internal/numbers.h" to get SIZE_MAX Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15319) commit 857cbe176f28e3f178e492159fa9f2f203e845cd Author: Richard Levitte Date: Mon May 17 20:20:35 2021 +0200 Fix crypto/bio/b_sock.c for VMS Current VMS C-RTL does not have . is a good enough replacement to get fd_set. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15319) commit fea559085bbe873f0f81751653cf673a7b00a95c Author: Richard Levitte Date: Mon May 17 15:16:58 2021 +0200 Fix include/internal/sockets.h for VMS It needs to include Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15319) commit ac2aa13aaf6d4c5457fd99edd82659cb5b662816 Author: Richard Levitte Date: Mon May 17 15:15:44 2021 +0200 Fix include/openssl/e_os2.h for VMS It would try to define OPENSSL_SYS_VMS if that macro is defined. That's just not right. 
Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15319) --- Summary of changes: crypto/bio/b_sock.c | 12 crypto/evp/m_sigver.c| 1 + crypto/evp/p_lib.c | 1 + crypto/evp/signature.c | 1 + engines/e_loader_attic.c | 1 + include/internal/sockets.h | 3 ++- include/openssl/e_os2.h | 4 ++-- providers/implementations/storemgmt/file_store.c | 1 + 8 files changed, 17 insertions(+), 7 deletions(-) diff --git a/crypto/bio/b_sock.c b/crypto/bio/b_sock.c index d0cdae7b3d..ca45886739 100644 --- a/crypto/bio/b_sock.c +++ b/crypto/bio/b_sock.c @@ -29,11 +29,15 @@ static int wsa_init_done = 0; # if defined(OPENSSL_TANDEM_FLOSS) # include # endif -# elif !defined _WIN32 -# include -# include -# else +# elif defined _WIN32 # include /* for type fd_set */ +# else +# include +# if defined __VMS +# include +# else +# include +# endif # endif # ifndef OPENSSL_NO_DEPRECATED_1_1_0 diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c index 0a51493efb..17565554e0 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c @@ -14,6 +14,7 @@ #include #include "crypto/evp.h" #include "internal/provider.h" +#include "internal/numbers.h" /* includes SIZE_MAX */ #include "evp_local.h" #ifndef FIPS_MODULE diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 6a8dc9..00a310d4e4 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -34,6 +34,7 @@ #include #include +#include "internal/numbers.h" /* includes SIZE_MAX */ #include "internal/ffc.h" #include "crypto/asn1.h" #include "crypto/evp.h" diff --git a/crypto/evp/signature.c b/crypto/evp/signature.c index c945eaae5e..e80d4f503d 100644 --- a/crypto/evp/signature.c +++ b/crypto/evp/signature.c @@ -11,6 +11,7 @@ #include #include #include +#include "internal/numbers.h" /* includes SIZE_MAX */ #include "internal/cryptlib.h" #include "internal/provider.h" #include "internal/core.h" diff --git a/engines/e_loader_attic.c b/engines/e_loader_attic.c index 4cb98280a5..faa598f85e 100644 
--- a/engines/e_loader_attic.c +++ b/engines/e_loader_attic.c @@ -33,6 +33,7 @@ #include "internal/asn1.h" /* For asn1_d2i_read_bio */ #include "internal/o_dir.h" #include "internal/cryptlib.h" +#include "crypto/ctype.h"/* For ossl_isdigit */ #include "crypto/pem.h" /* For PVK and "blob" PEM headers */ #include "e_loader_attic_err.c" diff --git a/include/internal/sockets.h b/include/internal/sockets.h index 5ef5ef1756..6e882fa6aa 100644 --- a/include/internal/sockets.h +++ b/include/internal/sockets.h @@ -7,11
[openssl] master update
The branch master has been updated via bba402ece781db0918e0a27289cf38479bafb023 (commit) via 31be74d3ca8809752b7dfd37394f28c76c519fa5 (commit) via 8ba3a15816c6e417967eac13ee415325c52675b4 (commit) via 0cbb6f6a9ac5aa3ff813ef2e5afe6e443708ee20 (commit) via cfc73c230d1766903314f6b088a8da37fec1e9f0 (commit) via 0c1428f4418cbd4d449bd43100017b85db17b17d (commit) via a1181fbdd0df70109c04283c564718b6f8d6ec18 (commit) via a2625c0fc8ad229871874782ee2b5c46e66f9716 (commit) via 22119050ab21ed5c9cf361d29aabc6b5da9c8aad (commit) via 58ad786aa7b5c19021686c74e02ead3968050da6 (commit) from 2660b7cfbad710dcd9df26e68c18d6c7d6ebaca0 (commit) - Log - commit bba402ece781db0918e0a27289cf38479bafb023 Author: Richard Levitte Date: Tue May 18 14:12:51 2021 +0200 Tweak apps/build.info for VMS A bit of quoting is all that's needed, and it doesn't hurt other platforms. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/15317) commit 31be74d3ca8809752b7dfd37394f28c76c519fa5 Author: Richard Levitte Date: Mon May 17 23:40:32 2021 +0200 VMS need to build DSO with name shortening, because of provider code We have pretty long symbol names, so they need to be shortened to fit in the linker's 31 character limit on symbols. Symbol name shortening with the VMS C compiler works in such a way that a symbol name that's longer than 31 characters is mangled into its first original 22 characters, followed by a dollar sign and the 32-bit CRC of the original symbol name in hexadecimal. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/15317) commit 8ba3a15816c6e417967eac13ee415325c52675b4 Author: Richard Levitte Date: Mon May 17 21:40:24 2021 +0200 Configurations/descrip.mms.tmpl: Add another inclusion hack crypto/ec/curve448/ has a series of inclusions that throws VMS C off, so we compensate for it the same way as we have done before. 
Fixes #14247 Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/15317) commit 0cbb6f6a9ac5aa3ff813ef2e5afe6e443708ee20 Author: Richard Levitte Date: Mon May 17 16:56:28 2021 +0200 Configurations/descrip.mms.tmpl: Change strategy for include directories Instead of what we used to do, put all include directories in a number of DCL variables and generate the /INCLUDE qualifier value on the command line, we instead generate VMS C specific header files with include directory pragmas, to be used with the VMS C's /FIRST_INCLUDE qualifier. This also shortens the command line, the size of which is limited. VMS C needs to have those include directories specified in a Unix form, to be able to safely merge #include paths with them when searching through them. Fixes #14247 Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/15317) commit cfc73c230d1766903314f6b088a8da37fec1e9f0 Author: Richard Levitte Date: Mon May 17 18:21:45 2021 +0200 Thrown away all special descrip.mms variables Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/15317) commit 0c1428f4418cbd4d449bd43100017b85db17b17d Author: Richard Levitte Date: Mon May 17 17:20:58 2021 +0200 Fix configdata.pm.in's "use lib" for VMS `use lib` needs Unix formatted paths. For VMS, it means that we must make sure to convert paths, and we may as well generalise it. In this case, we need to adapt the functions sourcedir() and sourcefile() Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/15317) commit a1181fbdd0df70109c04283c564718b6f8d6ec18 Author: Richard Levitte Date: Mon May 17 15:13:41 2021 +0200 Fix The VMS variant of platform->staticname() It was looking in the wrong place in %unified_info to determine if the library would be installed or not. 
Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/15317) commit a2625c0fc8ad229871874782ee2b5c46e66f9716 Author: Richard Levitte Date: Mon May 17 15:04:42 2021 +0200 Fix OpenSSL::fallback for VMS VMS unpackers will typically convert any period ('.') in directory names to underscores, since the period is a path separator on VMS, just like '/' is a path separator on Unix. Our fallback mechanism needs to account for that. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/15317) commit 22119050ab21ed5c9cf361d29aabc6b5da9c8aad Author: Richard Levitte Date: Mon May 17 14:53:48 2021 +0200 Configurations/descrip.mms.tmpl: Diverse updates Get it back in sync with the other templates, and correct
[openssl] master update
The branch master has been updated via 2660b7cfbad710dcd9df26e68c18d6c7d6ebaca0 (commit) via da51dc5f68c9e7924be3d5071ba8aea439a4d1c9 (commit) from 8a734d3aaf4e4784581b87cdf2a4b3e2c2403b97 (commit) - Log - commit 2660b7cfbad710dcd9df26e68c18d6c7d6ebaca0 Author: Richard Levitte Date: Mon May 17 14:33:16 2021 +0200 Rework how a build file (Makefile, ...) is produced The memory footprint of how we produced the Makefile was quite... important, because we have all the processing in one perl snippet, and generate the details of the build file by appending to the "magic" variable $OUT. The result is that this variable gets to hold the majority of the build file text, and depending on memory reallocation strategies for strings, the heap may hold multiple (possibly not just a few) copies of this string, almost all of them "freed" but still taking up space. This has resulted in memory exhaustion. We therefore change strategy, and generate the build file in two phases, where the first phase generates the full template using small perl snippets for each detail, and the second phase processes this template. This is much kinder to process memory. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15310) commit da51dc5f68c9e7924be3d5071ba8aea439a4d1c9 Author: Richard Levitte Date: Mon May 17 14:25:12 2021 +0200 Move some OpenSSL perl utility functions to OpenSSL::Util quotify1() and quotify_l() were in OpenSSL::Template, but should be more widely usable. configdata.pm.in's out_item() is also more widely useful and is therefore moved to OpenSSL::Util as well, and renamed to dump_data(). 
Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15310) --- Summary of changes: .gitignore | 1 + Configurations/common.tmpl | 492 --- Configurations/descrip.mms.tmpl | 1 + Configurations/gentemplate.pm| 549 +++ Configurations/unix-Makefile.tmpl| 2 + Configurations/windows-makefile.tmpl | 1 + Configure| 6 +- configdata.pm.in | 162 --- tools/c_rehash.in| 2 +- util/perl/OpenSSL/Template.pm| 45 --- util/perl/OpenSSL/Util.pm| 136 - 11 files changed, 754 insertions(+), 643 deletions(-) delete mode 100644 Configurations/common.tmpl create mode 100644 Configurations/gentemplate.pm diff --git a/.gitignore b/.gitignore index b88ede1d59..038ccb9773 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,7 @@ /.dir-locals.el # Top level excludes +/Makefile.in /Makefile /MINFO /TABLE diff --git a/Configurations/common.tmpl b/Configurations/common.tmpl deleted file mode 100644 index 32190352aa..00 --- a/Configurations/common.tmpl +++ /dev/null 
@@ -1,492 +0,0 @@ -{- # -*- Mode: perl -*- - - use File::Basename; - - my $debug_resolvedepends = $ENV{BUILDFILE_DEBUG_DEPENDS}; - my $debug_rules = $ENV{BUILDFILE_DEBUG_RULES}; - - # A cache of objects for which a recipe has already been generated - my %cache; - - # collectdepends, expanddepends and reducedepends work together to make - # sure there are no duplicate or weak dependencies and that they are in - # the right order. This is used to sort the list of libraries that a - # build depends on. - sub extensionlesslib { - my @result = map { $_ =~ /(\.a)?$/; $` } @_; - return @result if wantarray; - return $result[0]; - } - - # collectdepends dives into the tree of dependencies and returns - # a list of all the non-weak ones. - sub collectdepends { - return () unless @_; - - my $thing = shift; - my $extensionlessthing = extensionlesslib($thing); - my @listsofar = @_;# to check if we're looping - my @list = @{$unified_info{depends}->{$thing} // - $unified_info{depends}->{$extensionlessthing}}; - my @newlist = (); - - print STDERR "DEBUG[collectdepends] $thing > ", join(' ', @listsofar), "\n" - if $debug_resolvedepends; - foreach my $item (@list) { - my $extensionlessitem = extensionlesslib($item); - # It's time to break off when the dependency list starts looping - next if grep { extensionlesslib($_) eq $extensionlessitem } @listsofar; - # Don't add anything here if the dependency is weak - next if defined $unified_info{attributes}->{depends}->{$thing}->{$item}->{'weak'}; - my @resolved = collectdepends($item, @listsofar, $item); - push @newlist, $item, @resolved; - } - print STDERR "DEBUG[collectdepends] $thing
[openssl] master update
The branch master has been updated via b422ba3dda5d85c295aae6205909a6eeb4921c4b (commit) via a12da5dafbc6e681d32e88ddef0067ff14abd8f2 (commit) from e2daf6f14045587614681bf6579480be63de6da0 (commit) - Log - commit b422ba3dda5d85c295aae6205909a6eeb4921c4b Author: Richard Levitte Date: Fri May 14 12:26:21 2021 +0200 Adapt 80-test_cmp_http.t and its data for random accept ports Fixes #14694 Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/15281) commit a12da5dafbc6e681d32e88ddef0067ff14abd8f2 Author: Richard Levitte Date: Fri May 14 12:25:11 2021 +0200 APPS: Make the cmp Mock server output the accept address and port Fixes #14694 Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/15281) --- Summary of changes: apps/include/s_apps.h | 1 + apps/lib/http_server.c | 9 +++ apps/lib/s_socket.c| 66 -- test/recipes/80-test_cmp_http.t| 44 --- test/recipes/80-test_cmp_http_data/Mock/server.cnf | 3 +- test/recipes/80-test_cmp_http_data/Mock/test.cnf | 8 +-- .../80-test_cmp_http_data/test_connection.csv | 2 +- 7 files changed, 78 insertions(+), 55 deletions(-) diff --git a/apps/include/s_apps.h b/apps/include/s_apps.h index 3d2bace594..a5e9762aed 100644 --- a/apps/include/s_apps.h +++ b/apps/include/s_apps.h @@ -16,6 +16,7 @@ #define PROTOCOL"tcp" typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char *context); +int report_server_accept(BIO *out, int asock, int with_address); int do_server(int *accept_sock, const char *host, const char *port, int family, int type, int protocol, do_server_cb cb, unsigned char *context, int naccept, BIO *bio_s_out); diff --git a/apps/lib/http_server.c b/apps/lib/http_server.c index 691e5c9056..ae33632598 100644 --- a/apps/lib/http_server.c +++ b/apps/lib/http_server.c @@ -23,6 +23,7 @@ #include "internal/sockets.h" #include #include +#include "s_apps.h" #if defined(__TANDEM) # if defined(OPENSSL_TANDEM_FLOSS) 
@@ -218,6 +219,7 @@ void spawn_loop(const char *prog) BIO *http_server_init_bio(const char *prog, const char *port) { BIO *acbio = NULL, *bufbio; +int asock; bufbio = BIO_new(BIO_f_buffer()); if (bufbio == NULL) @@ -237,6 +239,13 @@ BIO *http_server_init_bio(const char *prog, const char *port) goto err; } +/* Report back what address and port are used */ +BIO_get_fd(acbio, ); +if (!report_server_accept(bio_out, asock, 1)) { +log_message(prog, LOG_ERR, "Error printing ACCEPT string"); +goto err; +} + return acbio; err: diff --git a/apps/lib/s_socket.c b/apps/lib/s_socket.c index 65d56c0991..e41429df89 100644 --- a/apps/lib/s_socket.c +++ b/apps/lib/s_socket.c @@ -191,6 +191,38 @@ out: return ret; } +int report_server_accept(BIO *out, int asock, int with_address) +{ +int success = 0; + +if (with_address) { +union BIO_sock_info_u info; +char *hostname = NULL; +char *service = NULL; + +if ((info.addr = BIO_ADDR_new()) != NULL +&& BIO_sock_info(asock, BIO_SOCK_INFO_ADDRESS, ) +&& (hostname = BIO_ADDR_hostname_string(info.addr, 1)) != NULL +&& (service = BIO_ADDR_service_string(info.addr, 1)) != NULL +&& BIO_printf(out, + strchr(hostname, ':') == NULL + ? /* IPv4 */ "ACCEPT %s:%s\n" + : /* IPv6 */ "ACCEPT [%s]:%s\n", + hostname, service) > 0) +success = 1; + +OPENSSL_free(hostname); +OPENSSL_free(service); +BIO_ADDR_free(info.addr); +} else { +(void)BIO_printf(out, "ACCEPT\n"); +success = 1; +} +(void)BIO_flush(out); + +return success; +} + /* * do_server - helper routine to perform a server operation * @accept_sock: pointer to storage of resulting socket. 
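Review bot: In the second http_server.c hunk, `asock` is declared without an initialiser and the result of `BIO_get_fd()` is not checked before the value is passed to `report_server_accept()`. If the lookup fails, an indeterminate descriptor reaches `BIO_sock_info()`. Checking the call closes that path, e.g. `if (BIO_get_fd(acbio, &asock) < 0) goto err;`, ideally with a `log_message()` like the one that follows. The second argument of `BIO_get_fd` is missing in this rendering of the hunk; `&asock` is what the new declaration implies. `http_server_init_bio()` starts and ends outside the hunk.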
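Review bot: In the s_socket.c hunk, `report_server_accept()` treats a failed `BIO_printf()` as an error when `with_address` is set, but in the else branch it discards the result and sets `success = 1` unconditionally. A caller therefore cannot tell whether the bare `ACCEPT` line was written; `success = BIO_printf(out, "ACCEPT\n") > 0;` would make the two branches agree. The function also has no header comment, unlike `do_server` directly below it. One describing `with_address`, the `ACCEPT host:port` / `ACCEPT [host]:port` output forms and the 1/0 return value would help, since the commit message suggests the test recipe depends on that output.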
@@ -296,36 +328,10 @@ int do_server(int *accept_sock, const char *host, const char *port, BIO_ADDRINFO_free(res); res = NULL; -if (sock_port == 0) { -/* dynamically allocated port, report which one */ -union BIO_sock_info_u info; -char *hostname = NULL; -char *service = NULL; -int success = 0; - -if ((info.addr = BIO_ADDR_new()) != NULL -&& BIO_sock_info(asock, BIO_SOCK_INFO_ADDRESS, ) -&& (hostname = BIO_ADDR_hostname_string(info.addr, 1)) != NULL -&&
[openssl] master update
The branch master has been updated via d0364dcc42b151cfc08d860efb15cd48d87302c6 (commit) from c65abf2213117eb5348a46fbc18f706aca052e85 (commit) - Log - commit d0364dcc42b151cfc08d860efb15cd48d87302c6 Author: Rich Salz Date: Wed May 12 10:42:46 2021 -0400 Add --banner config option Use it in the automated workflows. Fixes: #15247 Reviewed-by: Shane Lontis Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/15248) --- Summary of changes: .github/workflows/ci.yml| 36 ++--- .github/workflows/coveralls.yml | 2 +- .github/workflows/run-checker-ci.yml| 2 +- .github/workflows/run-checker-daily.yml | 2 +- .github/workflows/run-checker-merge.yml | 2 +- .github/workflows/windows.yml | 2 +- Configurations/unix-Makefile.tmpl | 4 ++-- Configure | 41 +++-- INSTALL.md | 5 9 files changed, 54 insertions(+), 42 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e37c7f54d8..46a096cb75 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,7 +21,7 @@ jobs: sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install unifdef - uses: actions/checkout@v2 - name: config - run: ./config --strict-warnings enable-fips && perl configdata.pm --dump + run: ./config --banner=Configured --strict-warnings enable-fips && perl configdata.pm --dump - name: make build_generated run: make -s build_generated - name: make update @@ -34,7 +34,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: config - run: ./config --strict-warnings enable-fips && perl configdata.pm --dump + run: ./config --banner=Configured --strict-warnings enable-fips && perl configdata.pm --dump - name: make build_generated run: make -s build_generated - name: make doc-nits 
@@ -48,7 +48,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: config - run: CPPFLAGS=-ansi ./config no-asm no-makedepend enable-buildtest-c++ enable-fips --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump + run: CPPFLAGS=-ansi ./config --banner=Configured no-asm no-makedepend enable-buildtest-c++ enable-fips --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump - name: make run: make -s -j4 @@ -57,7 +57,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: config - run: ./config enable-fips --strict-warnings && perl configdata.pm --dump + run: ./config --banner=Configured enable-fips --strict-warnings && perl configdata.pm --dump - name: make run: make -s -j4 - name: make test @@ -68,7 +68,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: config - run: CC=clang ./config no-fips --strict-warnings && perl configdata.pm --dump + run: CC=clang ./config --banner=Configured no-fips --strict-warnings && perl configdata.pm --dump - name: make run: make -s -j4 - name: make test @@ -79,7 +79,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: config - run: ./config --strict-warnings no-bulk no-pic no-asm -DOPENSSL_NO_SECURE_MEMORY -DOPENSSL_SMALL_FOOTPRINT && perl configdata.pm --dump + run: ./config --banner=Configured --strict-warnings no-bulk no-pic no-asm -DOPENSSL_NO_SECURE_MEMORY -DOPENSSL_SMALL_FOOTPRINT && perl configdata.pm --dump - name: make run: make -s -j4 - name: make test @@ -90,7 +90,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: config - run: ./config --strict-warnings no-deprecated enable-fips && perl configdata.pm --dump + run: ./config --banner=Configured --strict-warnings no-deprecated enable-fips && perl configdata.pm --dump - name: make run: make -s -j4 - name: make test 
@@ -104,7 +104,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: config - run: ./config --strict-warnings no-shared no-fips && perl configdata.pm --dump + run: ./config --banner=Configured --strict-warnings no-shared no-fips && perl configdata.pm --dump - name: make run: make -s -j4 - name: make test @@ -115,7 +115,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: config - run: ./config --debug enable-asan enable-ubsan no-cached-fetch no-fips no-dtls no-tls1 no-tls1-method no-tls1_1 no-tls1_1-method no-async && perl configdata.pm --dump + run: ./config --banner=Configured --debug enable-asa
[openssl] master update
The branch master has been updated via 6d1bb1fffdeb053c6448ebf025979f9ad4689aaf (commit) via 848af5e8feab2dd27becec8a4121947ab4a97df3 (commit) via 5a86dac8620b31b3259a8a2f609f3c9d06a1a21b (commit) from 28a8d07d7fb8046b9efcca33a4a7a26a1591c6c7 (commit) - Log - commit 6d1bb1fffdeb053c6448ebf025979f9ad4689aaf Author: Richard Levitte Date: Thu May 6 09:03:23 2021 +0200 make update The impact on the FIPS checksum files is pretty significant Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15171) commit 848af5e8feab2dd27becec8a4121947ab4a97df3 Author: Richard Levitte Date: Thu May 6 08:48:15 2021 +0200 Drop libimplementations.a libimplementations.a was a nice idea, but had a few flaws: 1. The idea to have common code in libimplementations.a and FIPS sensitive helper functions in libfips.a / libnonfips.a didn't catch on, and we saw full implementations ending up in them instead and not appearing in libimplementations.a at all. 2. Because more or less ALL algorithm implementations were included in libimplementations.a (the idea being that the appropriate objects from it would be selected automatically by the linker when building the shared libraries), it's very hard to find only the implementation source that should go into the FIPS module, with the result that the FIPS checksum mechanism includes source files that it shouldn't. To mitigate, we drop libimplementations.a, but retain the idea of collecting implementations in static libraries. With that, we now have: libfips.a Includes all implementations that should become part of the FIPS provider. liblegacy.a Includes all implementations that should become part of the legacy provider. libdefault.a Includes all implementations that should become part of the default and base providers. With this, libnonfips.a becomes irrelevant and is dropped. libcommon.a is retained to include common provider code that can be used uniformly by all providers. 
Fixes #15157 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15171) commit 5a86dac8620b31b3259a8a2f609f3c9d06a1a21b Author: Richard Levitte Date: Thu May 6 08:40:18 2021 +0200 Rename files in providers/implementations/signatures It was discovered that eddsa.c exist in two places, here and in crypto/ec/curve448/, which would result in a file name clash if they ever end up in the same library. To mitigate, we rename the copy in providers/implementations/signatures to have '_sig' in the file name, and do the same with all other source files in this directory, for consistency. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15171) --- Summary of changes: crypto/aes/build.info | 1 - crypto/bn/build.info | 1 - crypto/build.info | 1 - crypto/ec/build.info | 1 - crypto/md5/build.info | 5 +- crypto/modes/build.info| 1 - crypto/poly1305/build.info | 1 - crypto/ripemd/build.info | 1 - crypto/sha/build.info | 1 - crypto/whrlpool/build.info | 4 - providers/build.info | 164 + providers/common/build.info| 2 +- providers/common/der/build.info| 4 +- providers/fips-sources.checksums | 64 +--- providers/fips.checksum| 2 +- providers/fips.module.sources | 64 +--- providers/implementations/asymciphers/build.info | 4 +- providers/implementations/ciphers/build.info | 23 ++- providers/implementations/digests/build.info | 12 +- providers/implementations/encode_decode/build.info | 16 +- providers/implementations/exchange/build.info | 9 +- providers/implementations/kdfs/build.info | 23 ++- providers/implementations/kem/build.info | 2 +- providers/implementations/keymgmt/build.info | 24 +-- providers/implementations/macs/build.info | 16 +- providers/implementations/rands/build.info | 6 +- providers/implementations/rands/seeding/build.info | 2 +- providers/implementations/signature/build.info | 20 +-- .../implementations/signature/{dsa.c => dsa_sig.c} | 0 .../signature/{ecds
[openssl] master update
The branch master has been updated via 5432d827ec2cffa2e75bf8dd0bc570288cba19f6 (commit) via 49ce00374030c74f527c9916bff7c2c7268f4318 (commit) from f97bc7c4240ba370c323c0d753d9d97f7a7c89bf (commit) - Log - commit 5432d827ec2cffa2e75bf8dd0bc570288cba19f6 Author: Richard Levitte Date: Mon May 3 08:48:17 2021 +0200 APPS: Add passphrase handling in the "rsa" and "dsa" commands They completely ignored any passphrase related setting. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15119) commit 49ce00374030c74f527c9916bff7c2c7268f4318 Author: Richard Levitte Date: Mon May 3 08:48:07 2021 +0200 APPS: Set a default passphrase UI for the "ec" command Fixes #15114 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15119) --- Summary of changes: apps/dsa.c | 14 ++ apps/ec.c | 3 +++ apps/rsa.c | 14 ++ 3 files changed, 31 insertions(+) diff --git a/apps/dsa.c b/apps/dsa.c index 9ea1098514..9a7bf04adb 100644 --- a/apps/dsa.c +++ b/apps/dsa.c @@ -267,6 +267,20 @@ int dsa_main(int argc, char **argv) goto end; } +/* Passphrase setup */ +if (enc != NULL) +OSSL_ENCODER_CTX_set_cipher(ectx, EVP_CIPHER_name(enc), NULL); + +/* Default passphrase prompter */ +if (enc != NULL || outformat == FORMAT_PVK) { +OSSL_ENCODER_CTX_set_passphrase_ui(ectx, get_ui_method(), NULL); +if (passout != NULL) +/* When passout given, override the passphrase prompter */ +OSSL_ENCODER_CTX_set_passphrase(ectx, +(const unsigned char *)passout, +strlen(passout)); +} + /* PVK requires a bit more */ if (outformat == FORMAT_PVK) { OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; diff --git a/apps/ec.c b/apps/ec.c index 5103838da0..f8f77dd492 100644 --- a/apps/ec.c +++ b/apps/ec.c 
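Review bot: The return values of `OSSL_ENCODER_CTX_set_cipher()`, `OSSL_ENCODER_CTX_set_passphrase_ui()` and `OSSL_ENCODER_CTX_set_passphrase()` are discarded in the block added to `dsa_main`, so a failure to set up encryption or the passphrase source is not reported and the command carries on towards writing the key. Whether the output would then be unprotected cannot be told from the hunk, but a private-key writer should fail closed: check each call and bail out, e.g. `if (enc != NULL && !OSSL_ENCODER_CTX_set_cipher(ectx, EVP_CIPHER_name(enc), NULL)) goto end;`. The same applies to the identical block added to `rsa_main` in apps/rsa.c and to the calls in `ec_main` in apps/ec.c. All three function bodies start and end outside their hunks.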
@@ -267,7 +267,10 @@ int ec_main(int argc, char **argv) NULL); if (enc != NULL) { OSSL_ENCODER_CTX_set_cipher(ectx, EVP_CIPHER_name(enc), NULL); +/* Default passphrase prompter */ +OSSL_ENCODER_CTX_set_passphrase_ui(ectx, get_ui_method(), NULL); if (passout != NULL) +/* When passout given, override the passphrase prompter */ OSSL_ENCODER_CTX_set_passphrase(ectx, (const unsigned char *)passout, strlen(passout)); diff --git a/apps/rsa.c b/apps/rsa.c index fc1db506d7..47316757d5 100644 --- a/apps/rsa.c +++ b/apps/rsa.c @@ -335,6 +335,20 @@ int rsa_main(int argc, char **argv) goto end; } +/* Passphrase setup */ +if (enc != NULL) +OSSL_ENCODER_CTX_set_cipher(ectx, EVP_CIPHER_name(enc), NULL); + +/* Default passphrase prompter */ +if (enc != NULL || outformat == FORMAT_PVK) { +OSSL_ENCODER_CTX_set_passphrase_ui(ectx, get_ui_method(), NULL); +if (passout != NULL) +/* When passout given, override the passphrase prompter */ +OSSL_ENCODER_CTX_set_passphrase(ectx, +(const unsigned char *)passout, +strlen(passout)); +} + /* PVK is a bit special... */ if (outformat == FORMAT_PVK) { OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
[openssl] master update
The branch master has been updated via f97bc7c4240ba370c323c0d753d9d97f7a7c89bf (commit) via 49f699b54d982c431c13f29ea08628ab599f1e6e (commit) via be22315235605ac50f735758f6c6edcb262146db (commit) via 27ca03ea829443ee750db148dde87cf3da900d9c (commit) via 841a438c7f67f697dd6710b26cc6536dd76a420a (commit) from 02669b677e6263b3d337ceb526b8b030477fe26b (commit) - Log - commit f97bc7c4240ba370c323c0d753d9d97f7a7c89bf Author: Richard Levitte Date: Tue Apr 27 11:23:12 2021 +0200 [TEMPORARY] make 'make update' verbose in ci.yml Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/8871) commit 49f699b54d982c431c13f29ea08628ab599f1e6e Author: Richard Levitte Date: Fri May 3 13:24:39 2019 +0200 GitHub CI: ensure that unifdef is installed This is required for 'make update' and fips checksums Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/8871) commit be22315235605ac50f735758f6c6edcb262146db Author: Richard Levitte Date: Fri May 3 13:12:59 2019 +0200 FIPS module checksums: add scripts and Makefile rule This adds the following scripts: util/lang-compress.pl: Compress source code, which language is determined by the first argument. For the moment, we know 'perl' (perlasm source code), 'C' (C source code) and 'S' (Assembler with C preprocessor directives). This removes comments and empty lines, and compresses series of horizontal spaces to one single space in the languages where that's appropriate. util/fips-checksums.sh: Takes source file names as arguments, pushes them through util/lang-compress.pl and unifdef with FIPS_MODE defined, and calculates the checksum on the result. 
Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/8871) commit 27ca03ea829443ee750db148dde87cf3da900d9c Author: Richard Levitte Date: Mon Apr 26 19:44:24 2021 +0200 Unix build file: Add a target to create providers/fips.module.sources This file will be the basis for the FIPS module checksum calculation Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/8871) commit 841a438c7f67f697dd6710b26cc6536dd76a420a Author: Richard Levitte Date: Mon Apr 26 19:41:54 2021 +0200 Add OpenSSL::Config::Query and use it in configdata.pm OpenSSL::Config::Query is a configuration querying tool that's meant to make it easier to query the diverse configuration data for info. That's much easier than to dig through all the parts of %unified_info. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/8871) --- Summary of changes: .github/workflows/ci.yml | 6 +- Configurations/unix-Makefile.tmpl | 53 + configdata.pm.in | 26 ++- providers/fips-sources.checksums | 459 + providers/fips.checksum | 1 + providers/fips.module.sources | 467 ++ util/c-compress-test.pl | 54 + util/fips-checksums.sh| 31 +++ util/lang-compress.pl | 189 +++ util/perl/OpenSSL/Config/Query.pm | 177 +++ 10 files changed, 1460 insertions(+), 3 deletions(-) create mode 100644 providers/fips-sources.checksums create mode 100644 providers/fips.checksum create mode 100644 providers/fips.module.sources create mode 100755 util/c-compress-test.pl create mode 100755 util/fips-checksums.sh create mode 100755 util/lang-compress.pl create mode 100644 util/perl/OpenSSL/Config/Query.pm diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2e18fba41a..e37c7f54d8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -15,13 +15,17 @@ jobs: check_update: runs-on: ubuntu-latest steps: +- name: install unifdef + run: | +sudo apt-get update +sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install unifdef - uses: actions/checkout@v2 - name: config run: ./config --strict-warnings enable-fips && perl configdata.pm --dump - name: make build_generated run: make -s build_generated - name: make update - run: make -s update + run: make update - name: git diff run: git diff --exit-code diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 4ace44477d..d98c42c85e 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -1055,6 +1055,9 @@ uninstall_html_docs: # It's important that generate_buildinfo comes after ordinals, as ordinals # is sensitive to build.info changes. update:
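Review bot: `--force-yes` on the added `install unifdef` step in `.github/workflows/ci.yml` tells apt to go ahead without prompting even when it would install unauthenticated packages or downgrade, and apt documents the flag as deprecated; `-yq` already answers the prompts. In a job that goes on to build and run the checked-out tree, the install should fail rather than accept a package it cannot verify: `sudo apt-get -yq --no-install-suggests --no-install-recommends install unifdef`. The commit title marks the switch from `make -s update` to `make update` as temporary, so a `# TEMPORARY: verbose output, restore -s` comment on that line would keep it from being forgotten.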
[openssl] master update
The branch master has been updated via 02669b677e6263b3d337ceb526b8b030477fe26b (commit) via 0d6c144e8d0c53e8947e3a76225ea33b3e29abc8 (commit) from d1a770414acd34c774248ce8efbe202fd7a44041 (commit) - Log - commit 02669b677e6263b3d337ceb526b8b030477fe26b Author: Richard Levitte Date: Thu Apr 29 12:50:33 2021 +0200 Windows build file: add forgotten quotes on POD->html command line Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15084) commit 0d6c144e8d0c53e8947e3a76225ea33b3e29abc8 Author: Richard Levitte Date: Sat May 1 07:29:27 2021 +0200 OpenSSL::Test: When prefixing command with $^X on Windows, fix it up! The perl interpreter name itself might contain spaces and need quoting. __fixup_prg() does this for us. Fixes #14256 Co-authored-by: Tomáš Mráz Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15084) --- Summary of changes: Configurations/windows-makefile.tmpl | 2 +- util/perl/OpenSSL/Test.pm| 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index 4843106de2..014c1eb8d1 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl @@ -686,7 +686,7 @@ EOF my $pod = $gen0; return <<"EOF"; $args{src}: "$pod" - \$(PERL) \$(SRCDIR)/util/mkpod2html.pl -i "$pod" -o \$\@ -t "$title" -r "\$(SRCDIR)/doc" + "\$(PERL)" "\$(SRCDIR)/util/mkpod2html.pl" -i "$pod" -o \$\@ -t "$title" -r "\$(SRCDIR)/doc" EOF } elsif (platform->isdef($args{src})) { # diff --git a/util/perl/OpenSSL/Test.pm b/util/perl/OpenSSL/Test.pm index 4dc1bad188..55f26cc630 100644 --- a/util/perl/OpenSSL/Test.pm +++ b/util/perl/OpenSSL/Test.pm 
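Review bot: `-o \$\@` is the one path argument left unquoted on the rewritten `mkpod2html.pl` command line in `windows-makefile.tmpl`, so a target path containing spaces would still be split into separate arguments; `-o "\$\@"` would match the quoting now applied to the other arguments. The rule target `$args{src}:` on the line above is also unquoted, which may limit where this matters in practice. The generator sub that emits this rule starts and ends outside the hunk.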
@@ -1232,7 +1232,7 @@ sub __wrap_cmd { # In the Windows case, we run perl explicitly. We might not # need it, but that depends on if the user has associated the # '.pl' extension with a perl interpreter, so better be safe. -@prefix = ( $^X, $std_wrapper ); +@prefix = ( __fixup_prg($^X), $std_wrapper ); } else { # Otherwise, we assume Unix semantics, and trust that the #! # line activates perl for us.
[openssl] master update
The branch master has been updated via b7f7a15f6ace4e6e25f8222a9996159582983aa8 (commit) from b594a227178ccd812e5bb196bcb59ebc52d538ab (commit) - Log - commit b7f7a15f6ace4e6e25f8222a9996159582983aa8 Author: Richard Levitte Date: Wed Apr 28 09:50:42 2021 +0200 STORE: Fix the repeated prompting of passphrase OSSL_STORE's loading function could prompt repeatedly for the same passphrase. It turns out that OSSL_STORE_load() wasn't caching the passphrase properly. Fixed in this change. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15064) --- Summary of changes: crypto/store/store_lib.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c index 134207d5c2..1a62d7f6ff 100644 --- a/crypto/store/store_lib.c +++ b/crypto/store/store_lib.c @@ -135,7 +135,8 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq, } if (ui_method != NULL -&& !ossl_pw_set_ui_method(>pwdata, ui_method, ui_data)) { +&& (!ossl_pw_set_ui_method(>pwdata, ui_method, ui_data) +|| !ossl_pw_enable_passphrase_caching(>pwdata))) { ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_CRYPTO_LIB); goto err; } @@ -413,6 +414,9 @@ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx) goto again; } +/* Clear any internally cached passphrase */ +(void)ossl_pw_clear_passphrase_cache(>pwdata); + if (v != NULL && ctx->expected_type != 0) { int returned_type = OSSL_STORE_INFO_get_type(v);
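Review bot: The cached passphrase is cleared at only one point in `OSSL_STORE_load()`, the line added after the `goto again` block. The function body starts outside the hunk, so if any `return` precedes that line (an error or end-of-data exit, say), the passphrase would presumably stay cached in the context's pwdata until the context is released. It is worth confirming that every exit path reaches the clear, or routing them through a single label that does. The `(void)` cast also hides a failed clear; a comment such as `/* best effort: nothing more can be done if clearing fails */` would record that this is deliberate.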
[openssl] master update
The branch master has been updated via c230e938c75c7c2d24b5d1d322a34ec369d92696 (commit) via e73fc81345ae2cdcc4be55768345d8a00fed6453 (commit) from 38230e30118e434ca1c41d05d03fe2c41042d97d (commit) - Log - commit c230e938c75c7c2d24b5d1d322a34ec369d92696 Author: Richard Levitte Date: Wed Apr 28 21:28:11 2021 +0200 CORE: Rework the pre-population of the namemap The pre-population of names has become more thorough. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15066) commit e73fc81345ae2cdcc4be55768345d8a00fed6453 Author: Richard Levitte Date: Wed Apr 28 11:02:36 2021 +0200 STORE: Use the 'expect' param to limit the amount of decoders used In the provider file: scheme loader implementation, the OSSL_DECODER_CTX was set up with all sorts of implementations, even if the caller has declared a limited expectation on what should be loaded, which means that even though a certificate is expected, all the diverse decoders to produce an EVP_PKEY are added to the decoding change. This optimization looks more closely at the expected type, and only adds the EVP_PKEY related decoder implementations to the chain if there is no expectation, or if the expectation is one of OSSL_STORE_INFO_PARAMS, OSSL_STORE_INFO_PUBKEY, OSSL_STORE_INFO_PKEY. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/15066) --- Summary of changes: crypto/core_namemap.c| 71 +++- providers/implementations/storemgmt/file_store.c | 14 +++-- 2 files changed, 41 insertions(+), 44 deletions(-) diff --git a/crypto/core_namemap.c b/crypto/core_namemap.c index daf22c3af2..1009fb1e94 100644 --- a/crypto/core_namemap.c +++ b/crypto/core_namemap.c 
@@ -379,66 +379,62 @@ int ossl_namemap_add_names(OSSL_NAMEMAP *namemap, int number, #include /* Creates an initial namemap with names found in the legacy method db */ -static void get_legacy_evp_names(const char *name, const char *desc, - const ASN1_OBJECT *obj, void *arg) +static void get_legacy_evp_names(int base_nid, int nid, const char *pem_name, + void *arg) { -int num = ossl_namemap_add_name(arg, 0, name); +int num = 0; +ASN1_OBJECT *obj; -/* - * We currently treat the description ("long name" in OBJ speak) as an - * alias. - */ - -/* - * We could check that the returned value is the same as id, but since - * this is a void function, there's no sane way to report the error. - * The best we can do is trust ourselve to keep the legacy method - * database conflict free. - * - * This registers any alias with the same number as the main name. - * Should it be that the current |on| *has* the main name, this is - * simply a no-op. - */ -if (desc != NULL) { -(void)ossl_namemap_add_name(arg, num, desc); +if (base_nid != NID_undef) { +num = ossl_namemap_add_name(arg, num, OBJ_nid2sn(base_nid)); +num = ossl_namemap_add_name(arg, num, OBJ_nid2ln(base_nid)); } -if (obj != NULL) { -char txtoid[OSSL_MAX_NAME_SIZE]; +if (nid != NID_undef) { +num = ossl_namemap_add_name(arg, num, OBJ_nid2sn(nid)); +num = ossl_namemap_add_name(arg, num, OBJ_nid2ln(nid)); +if ((obj = OBJ_nid2obj(nid)) != NULL) { +char txtoid[OSSL_MAX_NAME_SIZE]; -if (OBJ_obj2txt(txtoid, sizeof(txtoid), obj, 1)) -(void)ossl_namemap_add_name(arg, num, txtoid); +if (OBJ_obj2txt(txtoid, sizeof(txtoid), obj, 1)) +num = ossl_namemap_add_name(arg, num, txtoid); +} } +if (pem_name != NULL) +num = ossl_namemap_add_name(arg, num, pem_name); } static void get_legacy_cipher_names(const OBJ_NAME *on, void *arg) { const EVP_CIPHER *cipher = (void *)OBJ_NAME_get(on->name, on->type); -int nid = EVP_CIPHER_type(cipher); -get_legacy_evp_names(OBJ_nid2sn(nid), OBJ_nid2ln(nid), OBJ_nid2obj(nid), - arg); 
+get_legacy_evp_names(NID_undef, EVP_CIPHER_type(cipher), NULL, arg); } static void get_legacy_md_names(const OBJ_NAME *on, void *arg) { const EVP_MD *md = (void *)OBJ_NAME_get(on->name, on->type); -int nid = EVP_MD_type(md); -get_legacy_evp_names(OBJ_nid2sn(nid), OBJ_nid2ln(nid), OBJ_nid2obj(nid), - arg); +get_legacy_evp_names(0, EVP_MD_type(md), NULL, arg); } static void get_legacy_pkey_meth_names(const EVP_PKEY_ASN1_METHOD *ameth, void *arg) { int nid = 0, base_nid = 0, flags = 0; +const char *pem_name = NULL; -EVP_PKEY_asn1_get0_info(, _ni
[openssl] master update
The branch master has been updated via 3babc1e468c9a5cfb30582a3ea1d55c1ec776361 (commit) via 2e535eb50aa9c6b73c796f668e1aef8bc17f14c4 (commit) via 0bd138b8c36c7e8e504beb2c12a2771929c24cfb (commit) from e9b30d9f50a356b3b0a9d60e6fc877e08f68a40e (commit) - Log - commit 3babc1e468c9a5cfb30582a3ea1d55c1ec776361 Author: Richard Levitte Date: Mon Apr 26 09:28:12 2021 +0200 util/add-depends.pl: Adapt to localized /showIncludes output It was discovered that MSVC has localized /showIncludes output. Fortunately, it still seems to follow the same generic format, so we can adapt the regular expression to make it language agnostic. Fixes #14994 Reviewed-by: Tomas Mraz Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/15006) commit 2e535eb50aa9c6b73c796f668e1aef8bc17f14c4 Author: Richard Levitte Date: Mon Apr 26 09:17:05 2021 +0200 Configuration: rework how dependency making is handled Previously, we had dependency making pretty much hard coded in the build file templates, with a bit of an exception for Unix family platforms, where we had different cases depending on what dependency making program was found. With the Embarcadero C++ builder, a separate scheme appeared, with a different logic. This change merges the two, and introduces two config target attributes: makedepcmd The program to use, where this is relevant. This replaces the earlier configuration attribute 'makedepprog'. makedep_scheme This is a keyword that can be used by build files templates to produce different sorts of commands, but most importantly, to pass as argument to util/add-depend.pl, which uses this keyword as a "producer" for the dependency lines. If the config target doesn't define the 'makedep_scheme' attribute, Configure tries to figure it out by looking for GCC compatible compilers or for the 'makedepend' command. Reviewed-by: Tomas Mraz Reviewed-by: Matthias St. 
Pierre (Merged from https://github.com/openssl/openssl/pull/15006) commit 0bd138b8c36c7e8e504beb2c12a2771929c24cfb Author: Richard Levitte Date: Fri Apr 23 16:19:23 2021 +0200 Windows bulding: Make dependency generation not quite as talkative The modified way to generate .d files had an unfortunate side effect, that it outputs the whole preprocessed file and not just the dependency lines, at least with MSVC's cl. That gave util/add-depends.pl a whole lot more to read through, which impacts greatly on the performance of dependency treatment. We modify the process by adding a config target attribute 'make_depend', which can be any suitable command for generating such lines. All it needs is to also accept C flags and macro definitions. Fixes #14994 Reviewed-by: Tomas Mraz Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/15006) --- Summary of changes: Configurations/10-main.conf | 4 +- Configurations/50-cppbuilder.conf| 8 +++- Configurations/descrip.mms.tmpl | 2 +- Configurations/platform/Unix.pm | 2 +- Configurations/platform/mingw.pm | 2 +- Configurations/unix-Makefile.tmpl| 14 +++ Configurations/windows-makefile.tmpl | 6 +-- Configure| 28 - util/add-depends.pl | 77 9 files changed, 102 insertions(+), 41 deletions(-) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index f5e5754b3a..1e53f20861 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -1278,13 +1278,14 @@ my %targets = ( CPP => '"$(CC)" /EP /C', CFLAGS => "/W3 /wd4090 /nologo", coutflag => "/Fo", -cpp_depend_flags => "/Zs /showIncludes", LD => "link", LDFLAGS => "/nologo /debug", ldoutflag=> "/out:", ldpostoutflag=> "", ld_resp_delim=> "\n", bin_lflags => "setargv.obj", +makedepcmd => '"$(CC)" /Zs /showIncludes', +makedep_scheme => 'VC', AR => "lib", ARFLAGS => "/nologo", aroutflag=> "/out:", @@
[tools] master update
The branch master has been updated via 9d9c86fe443afcb8a13a8ae40b91674a6afefcd3 (commit) from e1fc98e1c15660ad4d51526cc6da9c44e2f49cd4 (commit) - Log - commit 9d9c86fe443afcb8a13a8ae40b91674a6afefcd3 Author: Richard Levitte Date: Tue Nov 17 11:28:23 2020 +0100 release-tools: Separate do-release.pl docs from mkrelease.pl docs Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/tools/pull/74) --- Summary of changes: release-tools/DO-RELEASE.md | 34 ++ release-tools/MKRELEASE.md | 35 --- release-tools/README.md | 2 +- 3 files changed, 35 insertions(+), 36 deletions(-) create mode 100644 release-tools/DO-RELEASE.md diff --git a/release-tools/DO-RELEASE.md b/release-tools/DO-RELEASE.md new file mode 100644 index 000..636d60b --- /dev/null +++ b/release-tools/DO-RELEASE.md 
@@ -0,0 +1,34 @@ +# Documentation on the do-release script + +The do-release.pl script copies distributions from the temporary holding area +to the http and ftp areas. It it intended to be run as the `openssl` user on +dev.openssl.org. + +It does the following: + +1. Copy OpenSSL release files from the holding area to the http and ftp + locations: currently /v/openssl/www/source and /v/openssl/ftp/source +2. Move OpenSSL release files from holding area to ~openssl/dist/old By + doing this the script wont try and make a release again with old files. +3. Mail the release message. This is sent to openssl-project openssl-users + and openssl-announce (it needs to be approved in openssl-announce). The + subject line is `OpenSSL version xxx released`. + +## do-release options + +- `--copy` + Copy files to http and ftp directories. **You will have to manually move + the OLD files to old/ directories.** + +- `--move` + Move files from holding area to ~openssl/dist/old + +- `--mail` + Send out announcement email: if this option is not given, the command you + need to call to send the release mail will be printed out. + +- `--full-release` + Perform all operations for a release (copy, move and mail). + +Note: because several of these options are irreversible they have to be +explicitly included. diff --git a/release-tools/MKRELEASE.md b/release-tools/MKRELEASE.md index 3c8c1e4..be9e73e 100644 --- a/release-tools/MKRELEASE.md +++ b/release-tools/MKRELEASE.md 
@@ -136,38 +136,3 @@ For local testing, you can do something like this: - `--branch-version=version` Use branch `version` instead of the one autodetected for the current branch. This option is not normally needed. - -# The do-release script - -The do-release.pl script copies distributions from the temporary holding area -to the http and ftp areas. It it intended to be run as the `openssl` user on -dev.openssl.org. - -It does the following: - -1. Copy OpenSSL release files from the holding area to the http and ftp - locations: currently /v/openssl/www/source and /v/openssl/ftp/source -2. Move OpenSSL release files from holding area to ~openssl/dist/old By - doing this the script wont try and make a release again with old files. -3. Mail the release message. This is sent to openssl-dev openssl-users and - openssl-announce (it needs to be approved in openssl-announce). The - subject line is `OpenSSL version xxx released`. - -## do-release options - -- `--copy` - Copy files to http and ftp directories. **You will have to manually move - the OLD files to old/ directories.** - -- `--move` - Move files from holding area to ~openssl/dist/old - -- `--mail` - Send out announcement email: if this option is not given, the command you - need to call to send the release mail will be printed out. - -- `--full-release` - Perform all operations for a release (copy, move and mail). - -Note: because several of these options are irreversible they have to be -explicitly included. diff --git a/release-tools/README.md b/release-tools/README.md index ad03508..dc18f74 100644 --- a/release-tools/README.md +++ b/release-tools/README.md 
@@ -114,7 +114,7 @@ associated files should be in ~openssl/dist/new. They should be owned by the openssl userid and world-readable. Copy the tarballs to appropriate directories. This can be -done using the do-release.pl script. See MKRELEASE.md for a description of +done using the do-release.pl script. See DO-RELEASE.md for a description of the options. For example: sudo -u openssl perl ~openssl/do-release.pl --copy --move
[openssl] master update
The branch master has been updated via e6760e3e84caa341e6b93d87d98edcbccd2d3003 (commit) from e466dc3646bc15fa928366a2c64ed987daab5b2c (commit) - Log - commit e6760e3e84caa341e6b93d87d98edcbccd2d3003 Author: Andreas Schwab Date: Sun Apr 25 19:29:45 2021 +0200 Add system guessing for linux64-riscv64 target CLA: trivial Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/15023) --- Summary of changes: util/perl/OpenSSL/config.pm | 1 + 1 file changed, 1 insertion(+) diff --git a/util/perl/OpenSSL/config.pm b/util/perl/OpenSSL/config.pm index 4b40a62fd8..79e8c29d71 100755 --- a/util/perl/OpenSSL/config.pm +++ b/util/perl/OpenSSL/config.pm @@ -679,6 +679,7 @@ EOF } ], [ '.*86-.*-linux1', { target => "linux-aout" } ], + [ 'riscv64-.*-linux.', { target => "linux64-riscv64" } ], [ '.*-.*-linux.', { target => "linux-generic32" } ], [ 'sun4[uv].*-.*-solaris2', sub {
[openssl] master update
The branch master has been updated via e466dc3646bc15fa928366a2c64ed987daab5b2c (commit) via 1727465471e800548694da96b8970743b7efa7ff (commit) from 94471ccfdab810a3cdc35116831c231ca277d814 (commit) - Log - commit e466dc3646bc15fa928366a2c64ed987daab5b2c Author: Shane Lontis Date: Wed Apr 21 13:49:29 2021 +1000 Test that we don't have a memory leak in d2i_ASN1_OBJECT. Fixes #14667 Reworked test supplied by @smcpeak into a unit test. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14938) (cherry picked from commit 7c65179ad95d0f6f598ee82e763fce2567fe5802) commit 1727465471e800548694da96b8970743b7efa7ff Author: Richard Levitte Date: Tue Apr 20 08:43:30 2021 +0200 ASN1: Ensure that d2i_ASN1_OBJECT() frees the strings on ASN1_OBJECT reuse The 'sn' and 'ln' strings may be dynamically allocated, and the ASN1_OBJECT flags have a bit set to say this. If an ASN1_OBJECT with such strings is passed to d2i_ASN1_OBJECT() for reuse, the strings must be freed, or there is a memory leak. Fixes #14667 Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14938) (cherry picked from commit 65b88a75921533ada8b465bc8d5c0817ad927947) --- Summary of changes: crypto/asn1/a_object.c | 13 - test/asn1_decode_test.c | 26 ++ 2 files changed, 34 insertions(+), 5 deletions(-) diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c index 3740f608c5..c96c36e730 100644 --- a/crypto/asn1/a_object.c +++ b/crypto/asn1/a_object.c @@ -291,16 +291,13 @@ ASN1_OBJECT *ossl_c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, } } -/* - * only the ASN1_OBJECTs from the 'table' will have values for ->sn or - * ->ln - */ if ((a == NULL) || ((*a) == NULL) || !((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC)) { if ((ret = ASN1_OBJECT_new()) == NULL) return NULL; -} else +} else { ret = (*a); +} p = *pp; /* detach data from object */ 
@@ -318,6 +315,12 @@ ASN1_OBJECT *ossl_c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, ret->flags |= ASN1_OBJECT_FLAG_DYNAMIC_DATA; } memcpy(data, p, length); +/* If there are dynamic strings, free them here, and clear the flag */ +if ((ret->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS) != 0) { +OPENSSL_free((char *)ret->sn); +OPENSSL_free((char *)ret->ln); +ret->flags &= ~ASN1_OBJECT_FLAG_DYNAMIC_STRINGS; +} /* reattach data to object, after which it remains const */ ret->data = data; ret->length = length; diff --git a/test/asn1_decode_test.c b/test/asn1_decode_test.c index c6e1501fa1..3a3ad525ae 100644 --- a/test/asn1_decode_test.c +++ b/test/asn1_decode_test.c @@ -12,6 +12,7 @@ #include #include +#include #include "internal/numbers.h" #include "testutil.h" @@ -195,6 +196,30 @@ static int test_invalid_template(void) return 0; } +static int test_reuse_asn1_object(void) +{ +static unsigned char cn_der[] = { 0x06, 0x03, 0x55, 0x04, 0x06 }; +static unsigned char oid_der[] = { +0x06, 0x06, 0x2a, 0x03, 0x04, 0x05, 0x06, 0x07 +}; +int ret = 0; +ASN1_OBJECT *obj; +unsigned char const *p = oid_der; + +/* Create an object that owns dynamically allocated 'sn' and 'ln' fields */ + +if (!TEST_ptr(obj = ASN1_OBJECT_create(NID_undef, cn_der, sizeof(cn_der), + "C", "countryName"))) +goto err; +/* reuse obj - this should not leak sn and ln */ +if (!TEST_ptr(d2i_ASN1_OBJECT(, , sizeof(oid_der +goto err; +ret = 1; +err: +ASN1_OBJECT_free(obj); +return ret; +} + int setup_tests(void) { #ifndef OPENSSL_NO_DEPRECATED_3_0 @@ -205,5 +230,6 @@ int setup_tests(void) ADD_TEST(test_int64); ADD_TEST(test_uint64); ADD_TEST(test_invalid_template); +ADD_TEST(test_reuse_asn1_object); return 1; }
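Review bot: After the two `OPENSSL_free()` calls added to `ossl_c2i_ASN1_OBJECT()` in crypto/asn1/a_object.c, `ret->sn` and `ret->ln` still hold the freed addresses, and nothing visible in the hunk resets them. Clearing `ASN1_OBJECT_FLAG_DYNAMIC_STRINGS` presumably keeps a later free of the object from releasing them a second time, but any code that reads the reused object's names would touch freed memory unless the pointers are cleared. The function continues past the end of the hunk, so confirm that it assigns `ret->sn = NULL; ret->ln = NULL;` there, or add those two assignments inside the new `if` block. The same applies to the `c2i_ASN1_OBJECT()` hunk in the OpenSSL_1_1_1-stable backport further down the page.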
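Review bot: `test_reuse_asn1_object()` in test/asn1_decode_test.c can only fail on a NULL return, so the leak it is named for is caught only when the test binary runs under a leak detector (a sanitizer build or the project's memory-debugging mode); `TEST_ptr()` alone passes with or without the fix. It would also be worth asserting that the decode really reused the object, for example by comparing the returned pointer with `obj` using `TEST_ptr_eq`, and a one-line comment above the function should state the dependency on a leak checker. The argument list of the `d2i_ASN1_OBJECT` call and the added `#include` are garbled in this rendering, so the exact call cannot be checked here.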
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 7c65179ad95d0f6f598ee82e763fce2567fe5802 (commit) via 65b88a75921533ada8b465bc8d5c0817ad927947 (commit) from 513ead860853e0d07f7fc43bf35d1b90fdad5a11 (commit) - Log - commit 7c65179ad95d0f6f598ee82e763fce2567fe5802 Author: Shane Lontis Date: Wed Apr 21 13:49:29 2021 +1000 Test that we don't have a memory leak in d2i_ASN1_OBJECT. Fixes #14667 Reworked test supplied by @smcpeak into a unit test. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14938) commit 65b88a75921533ada8b465bc8d5c0817ad927947 Author: Richard Levitte Date: Tue Apr 20 08:43:30 2021 +0200 ASN1: Ensure that d2i_ASN1_OBJECT() frees the strings on ASN1_OBJECT reuse The 'sn' and 'ln' strings may be dynamically allocated, and the ASN1_OBJECT flags have a bit set to say this. If an ASN1_OBJECT with such strings is passed to d2i_ASN1_OBJECT() for reuse, the strings must be freed, or there is a memory leak. Fixes #14667 Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14938) --- Summary of changes: crypto/asn1/a_object.c | 13 - test/asn1_decode_test.c | 26 ++ 2 files changed, 34 insertions(+), 5 deletions(-) diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c index d67a723c96..8790be340a 100644 --- a/crypto/asn1/a_object.c +++ b/crypto/asn1/a_object.c @@ -286,16 +286,13 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, } } -/* - * only the ASN1_OBJECTs from the 'table' will have values for ->sn or - * ->ln - */ if ((a == NULL) || ((*a) == NULL) || !((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC)) { if ((ret = ASN1_OBJECT_new()) == NULL) return NULL; -} else +} else { ret = (*a); +} p = *pp; /* detach data from object */ 
@@ -313,6 +310,12 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, ret->flags |= ASN1_OBJECT_FLAG_DYNAMIC_DATA; } memcpy(data, p, length); +/* If there are dynamic strings, free them here, and clear the flag */ +if ((ret->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS) != 0) { +OPENSSL_free((char *)ret->sn); +OPENSSL_free((char *)ret->ln); +ret->flags &= ~ASN1_OBJECT_FLAG_DYNAMIC_STRINGS; +} /* reattach data to object, after which it remains const */ ret->data = data; ret->length = length; diff --git a/test/asn1_decode_test.c b/test/asn1_decode_test.c index 18f0ca12e9..de818ab12e 100644 --- a/test/asn1_decode_test.c +++ b/test/asn1_decode_test.c @@ -12,6 +12,7 @@ #include #include +#include #include "internal/numbers.h" #include "testutil.h" @@ -195,6 +196,30 @@ static int test_invalid_template(void) return 0; } +static int test_reuse_asn1_object(void) +{ +static unsigned char cn_der[] = { 0x06, 0x03, 0x55, 0x04, 0x06 }; +static unsigned char oid_der[] = { +0x06, 0x06, 0x2a, 0x03, 0x04, 0x05, 0x06, 0x07 +}; +int ret = 0; +ASN1_OBJECT *obj; +unsigned char const *p = oid_der; + +/* Create an object that owns dynamically allocated 'sn' and 'ln' fields */ + +if (!TEST_ptr(obj = ASN1_OBJECT_create(NID_undef, cn_der, sizeof(cn_der), + "C", "countryName"))) +goto err; +/* reuse obj - this should not leak sn and ln */ +if (!TEST_ptr(d2i_ASN1_OBJECT(, , sizeof(oid_der +goto err; +ret = 1; +err: +ASN1_OBJECT_free(obj); +return ret; +} + int setup_tests(void) { #if OPENSSL_API_COMPAT < 0x1020L @@ -205,5 +230,6 @@ int setup_tests(void) ADD_TEST(test_int64); ADD_TEST(test_uint64); ADD_TEST(test_invalid_template); +ADD_TEST(test_reuse_asn1_object); return 1; }
[openssl] master update
The branch master has been updated via 3e4981dd59d301f60bcc85f7c893db1ee4a21906 (commit) from c85c5e1a5327379306f4c3f8248ace740c64c338 (commit) - Log - commit 3e4981dd59d301f60bcc85f7c893db1ee4a21906 Author: Tanzinul Islam Date: Sun Apr 25 19:59:29 2021 +0100 Avoid #include with inline function on C++Builder Commit 6b2978406 exposed a bug with C++Builder's Clang-based compilers, which cause inline function definitions in C translation units to not be found by the linker. Disable the inclusion of the triggering header. Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/15025) --- Summary of changes: e_os.h | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/e_os.h b/e_os.h index b19c4829de..8bfc1dcb10 100644 --- a/e_os.h +++ b/e_os.h @@ -108,7 +108,14 @@ */ #include #include -#include + /* +* Clang-based C++Builder 10.3.3 toolchains cannot find C inline +* definitions at link-time. This header defines WspiapiLoad() as an +* __inline function. https://quality.embarcadero.com/browse/RSP-33806 +*/ +#if !defined(__BORLANDC__) || !defined(__clang__) +# include +#endif /* yes, they have to be #included prior to */ # endif # include
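Review bot: The new guard `#if !defined(__BORLANDC__) || !defined(__clang__)` drops the header for every Clang-based C++Builder release, while the comment above it names only 10.3.3. Either say so in the comment, e.g. `Clang-based C++Builder toolchains (seen with 10.3.3) cannot find C inline definitions at link-time`, or bound the exclusion by compiler version so it lapses once the vendor issue is fixed. The comment should also state what is lost when the header is skipped, since the hunk does not show whether any code in this configuration still relies on what it declares. The surrounding `#if` block starts outside the hunk.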
[web] master update
The branch master has been updated via be9a59e85c1be6992ed7f61737bcf630d6cad0f6 (commit) from 595141eef7fd28c41ab414573d05266ece47d814 (commit) - Log - commit be9a59e85c1be6992ed7f61737bcf630d6cad0f6 Author: Richard Levitte Date: Mon Apr 26 14:02:36 2021 +0200 Reorder the old source directory list in source/old/ Change the template source/old/index.html.tt to not reverse the received list of releases. Change the order of releases to that template to be from newest to oldest, and fips (the old FOM) last. Fixes #235 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/236) --- Summary of changes: Makefile | 2 +- source/old/index.html.tt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index c8721b4..32b9244 100644 --- a/Makefile +++ b/Makefile @@ -321,7 +321,7 @@ $(foreach S,fips $(FUTURESERIES) $(SERIES) $(OLDSERIES2),$(eval $(call mkoldsour source/old/index.html: source/old/index.html.tt bin/from-tt @rm -f $@ - ./bin/from-tt releases='fips $(FUTURESERIES) $(SERIES) $(OLDSERIES2)' $< + ./bin/from-tt releases='$(FUTURESERIES) $(SERIES) $(OLDSERIES2) fips' $< # Because these the indexes of old tarballs will inevitably be newer # than the tarballs that are moved into their respective directory, diff --git a/source/old/index.html.tt b/source/old/index.html.tt index 9ff2913..88674e9 100644 --- a/source/old/index.html.tt +++ b/source/old/index.html.tt @@ -11,7 +11,7 @@ Here are the old releases. -[% FOREACH release IN releases.split('\s+').reverse -%] +[% FOREACH release IN releases.split('\s+') -%] [% release %] [% END -%]
[web] master update
The branch master has been updated via 595141eef7fd28c41ab414573d05266ece47d814 (commit) from d75862e89e153138b64119bf4f88d5b1013a928f (commit) - Log - commit 595141eef7fd28c41ab414573d05266ece47d814 Author: Richard Levitte Date: Mon Apr 26 12:04:00 2021 +0200 Makefile: Missed a spot! (FUTURESERIES missing in one place) Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/234) --- Summary of changes: Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 1fe5423..c8721b4 100644 --- a/Makefile +++ b/Makefile @@ -321,7 +321,7 @@ $(foreach S,fips $(FUTURESERIES) $(SERIES) $(OLDSERIES2),$(eval $(call mkoldsour source/old/index.html: source/old/index.html.tt bin/from-tt @rm -f $@ - ./bin/from-tt releases='fips $(SERIES) $(OLDSERIES2)' $< + ./bin/from-tt releases='fips $(FUTURESERIES) $(SERIES) $(OLDSERIES2)' $< # Because these the indexes of old tarballs will inevitably be newer # than the tarballs that are moved into their respective directory,
[web] master update
The branch master has been updated via d75862e89e153138b64119bf4f88d5b1013a928f (commit) from 86a7e16d191918cf6bc87764d66c166985bec04e (commit) - Log - commit d75862e89e153138b64119bf4f88d5b1013a928f Author: Richard Levitte Date: Mon Apr 26 11:01:06 2021 +0200 Makefile: Add FUTURESERIES, for series that have no final release yet Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/233) --- Summary of changes: Makefile | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 741be51..1fe5423 100644 --- a/Makefile +++ b/Makefile @@ -25,6 +25,11 @@ OLDSERIES2=1.1.0 1.0.2 1.0.1 1.0.0 0.9.x MANSERIES1=1.1.1 MANSERIES3=3.0 +## Future series, i.e. a series that hasn't had any final release yet. +## We distinguish them to avoid having to produce notes, vulnerability +## documents, ... +FUTURESERIES=3.0 + # All simple generated files. SIMPLE = newsflash.inc sitemap.txt \ docs/faq.inc docs/fips.inc \ @@ -42,7 +47,7 @@ SIMPLE = newsflash.inc sitemap.txt \ source/.htaccess \ source/index.inc \ source/old/index.html -SRCLISTS = $(foreach S,$(SERIES) $(OLDSERIES2) fips,source/old/$(S)/index.inc source/old/$(S)/index.html) +SRCLISTS = $(foreach S,$(FUTURESERIES) $(SERIES) $(OLDSERIES2) fips,source/old/$(S)/index.inc source/old/$(S)/index.html) .SUFFIXES: .md .html @@ -312,7 +317,7 @@ endef # We also create a list specifically for the old FIPS module, carefully # crafting an HTML title with an uppercase 'FIPS' while the subdirectory # remains named 'fips' -$(foreach S,fips $(SERIES) $(OLDSERIES2),$(eval $(call mkoldsourceindex,$(S),$(patsubst fips,FIPS,$(S) +$(foreach S,fips $(FUTURESERIES) $(SERIES) $(OLDSERIES2),$(eval $(call mkoldsourceindex,$(S),$(patsubst fips,FIPS,$(S) source/old/index.html: source/old/index.html.tt bin/from-tt @rm -f $@
[web] master update
The branch master has been updated via 86a7e16d191918cf6bc87764d66c166985bec04e (commit) from 650e079c69473944f2731e6a964d260a2a6dff61 (commit) - Log - commit 86a7e16d191918cf6bc87764d66c166985bec04e Author: Richard Levitte Date: Mon Apr 26 10:51:53 2021 +0200 bin/mk-latest: Make the adapation for the OpenSSL 3.0 version scheme work The attempt done in the previous commit didn't quite work out. Current fix is to hard code 3.x series. Fixes #229 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/232) --- Summary of changes: bin/mk-latest | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/mk-latest b/bin/mk-latest index 1ac1c46..7a57fdd 100755 --- a/bin/mk-latest +++ b/bin/mk-latest @@ -42,9 +42,9 @@ print <<\EOF; RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^(openssl-0\.9\.\d.*) old/0.9.x/$1 [L] RewriteCond %{REQUEST_FILENAME} !-f -RewriteRule ^(openssl-(\d+\.\d+\.\d+).*) old/$2/$1 [L] +RewriteRule ^(openssl-3\.(\d+).*) old/3.$2/$1 [L] RewriteCond %{REQUEST_FILENAME} !-f -RewriteRule ^(openssl-(\d+\.\d+).*) old/$2/$1 [L] +RewriteRule ^(openssl-(\d+\.\d+\.\d+).*) old/$2/$1 [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^openssl-(fips.*) old/fips/openssl-$1 [L]
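Review bot: The new `openssl-3\.(\d+)` rule only works because it sits ahead of the `(\d+\.\d+\.\d+)` rule: a name such as openssl-3.0.0 also matches the three-number pattern, which would send it to `old/3.0.0/` instead of `old/3.0/`. Nothing in the generated .htaccess records that ordering dependency, so a later reshuffle of the rules would silently break the download redirects. I would add a comment line ahead of the rule inside the here-document, such as `# 3.x series use MAJOR.MINOR directories; keep this rule before the generic three-number rule`, and note there that each new major series needs its own rule. The here-document starts and ends outside the hunk.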
[web] master update
The branch master has been updated via 650e079c69473944f2731e6a964d260a2a6dff61 (commit) from 0ab77d020743d9f6aadc2b1110ab44cfae9d8d0a (commit) - Log - commit 650e079c69473944f2731e6a964d260a2a6dff61 Author: Richard Levitte Date: Mon Apr 26 09:39:26 2021 +0200 bin/mk-latest: Adapt .htaccess for the version scheme of OpenSSL 3.0 Fixes #229 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/230) --- Summary of changes: bin/mk-latest | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bin/mk-latest b/bin/mk-latest index aa4432a..1ac1c46 100755 --- a/bin/mk-latest +++ b/bin/mk-latest @@ -44,6 +44,8 @@ RewriteRule ^(openssl-0\.9\.\d.*) old/0.9.x/$1 [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^(openssl-(\d+\.\d+\.\d+).*) old/$2/$1 [L] RewriteCond %{REQUEST_FILENAME} !-f +RewriteRule ^(openssl-(\d+\.\d+).*) old/$2/$1 [L] +RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^openssl-(fips.*) old/fips/openssl-$1 [L]
[openssl] master update
The branch master has been updated via a70936a8453a307992820f2a9d3e252f6c4f9ad6 (commit) via 3d80b5e611f112fd004a4320cb5ecce93c73b7d4 (commit) via 521a0bf6a11c4cdaef331934e93581d06ce834e1 (commit) via e36a4dc476448a2ef212d774be48ce38ea6eb6df (commit) from f58f7ec9397de7b752aa547e2677933559a657db (commit) - Log - commit a70936a8453a307992820f2a9d3e252f6c4f9ad6 Author: Richard Levitte Date: Fri Apr 23 15:52:02 2021 +0200 TEST: correct test/recipes/30-test_evp_data/evppkey_ecdh.txt Some keys with groups that aren't supported by FIPS were still used for Derive stanzas, even when testing with the FIPS provider. This was due to the flaw in evp_keymgmt_util_try_import() that meant that even though the key was invalid for FIPS, it could still come through, because the imported keydata wasn't cleared on import error. With that flaw corrected, these few Derive stanzas start failing. We mitigate this by making of "offending" Derive stanzas only available with the default provider. Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/15008) commit 3d80b5e611f112fd004a4320cb5ecce93c73b7d4 Author: Richard Levitte Date: Fri Apr 23 15:47:59 2021 +0200 STORE: Simplify error filtering in der2obj_decode() We do here like in all other decoder implementations, drop all errors that were caused by a failing asn1_d2i_read_bio(), as it's most likely to mean that the input isn't DER, and another decoder implementation, if there is any left, should have a go. Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/15008) commit 521a0bf6a11c4cdaef331934e93581d06ce834e1 Author: Richard Levitte Date: Fri Apr 23 15:44:39 2021 +0200 crypto/store/ossl_result.c: Better filtering of errors The diverse variants of try_XXX() were filtering errors independently of each other. It's better done in ossl_store_handle_load_result() itself, where we have control over the overall success and failure of the attempts. 
Fixes #14973 Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/15008) commit e36a4dc476448a2ef212d774be48ce38ea6eb6df Author: Richard Levitte Date: Fri Apr 23 15:40:30 2021 +0200 EVP: evp_keymgmt_util_try_import() should clean up on failed import If evp_keymgmt_util_try_import() allocated keydata, and the import itself fails, it should deallocate keydata. Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/15008) --- Summary of changes: crypto/evp/keymgmt_lib.c | 25 + crypto/store/store_result.c| 63 -- .../implementations/storemgmt/file_store_der2obj.c | 24 +++-- test/recipes/30-test_evp_data/evppkey_ecdh.txt | 8 +++ 4 files changed, 53 insertions(+), 67 deletions(-) diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c index f3118a76c9..301e1a8a2f 100644 --- a/crypto/evp/keymgmt_lib.c +++ b/crypto/evp/keymgmt_lib.c @@ -31,12 +31,15 @@ static int match_type(const EVP_KEYMGMT *keymgmt1, const EVP_KEYMGMT *keymgmt2) int evp_keymgmt_util_try_import(const OSSL_PARAM params[], void *arg) { struct evp_keymgmt_util_try_import_data_st *data = arg; +int delete_on_error = 0; /* Just in time creation of keydata */ -if (data->keydata == NULL -&& (data->keydata = evp_keymgmt_newdata(data->keymgmt)) == NULL) { -ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE); -return 0; +if (data->keydata == NULL) { +if ((data->keydata = evp_keymgmt_newdata(data->keymgmt)) == NULL) { +ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE); +return 0; +} +delete_on_error = 1; } /* 
@@ -46,8 +49,14 @@ int evp_keymgmt_util_try_import(const OSSL_PARAM params[], void *arg) if (params[0].key == NULL) return 1; -return evp_keymgmt_import(data->keymgmt, data->keydata, data->selection, - params); +if (evp_keymgmt_import(data->keymgmt, data->keydata, data->selection, + params)) +return 1; +if (delete_on_error) { +evp_keymgmt_freedata(data->keymgmt, data->keydata); +data->keydata = NULL; +} +return 0; } int evp_keymgmt_util_assign_pkey(EVP_PKEY *pkey, EVP_KEYMGMT *keymgmt, @@ -149,11 +158,9 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) * which does the import for us. If successful, we're done. */ if (!evp_keymgmt_util_export(pk, OSSL_KEYMGMT_SELECT_ALL, -
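Review bot: The failure path added to `evp_keymgmt_util_try_import()` frees keydata only when this call created it (`delete_on_error`); when the caller supplied `data->keydata`, a failed `evp_keymgmt_import()` returns 0 and leaves that object in whatever state the import reached. The commit description on this page says a key that should have been rejected got through because keydata was not cleared on import error, so the contract deserves a comment at the function head, e.g. `/* On failure, keydata created here is freed and reset to NULL; caller-supplied keydata is left for the caller to discard */`. Callers should be checked to make sure none keeps using caller-supplied keydata after a 0 return. The function body spans this hunk and the previous one.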
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 513ead860853e0d07f7fc43bf35d1b90fdad5a11 (commit) from ccfe5ec8fe6c36e10aea373d44dcf04f65d94ef0 (commit) - Log - commit 513ead860853e0d07f7fc43bf35d1b90fdad5a11 Author: Richard Levitte Date: Thu Apr 22 14:37:40 2021 +0200 Don't remove $(TARFILE) when cleaning This file is outside the source tree, so we have no business removing it. This is especially concerning if that was the tarball the user had to create the source tree. Fixes #14981 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14985) (cherry picked from commit f58f7ec9397de7b752aa547e2677933559a657db) --- Summary of changes: Configurations/unix-Makefile.tmpl | 1 - 1 file changed, 1 deletion(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 41648c9526..66617d6f4f 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -523,7 +523,6 @@ clean: libclean $(RM) -r test/test-runs $(RM) openssl.pc libcrypto.pc libssl.pc -$(RM) `find . -type l \! -name '.*' -print` - $(RM) $(TARFILE) distclean: clean $(RM) configdata.pm
[openssl] master update
The branch master has been updated via f58f7ec9397de7b752aa547e2677933559a657db (commit) from 45e72d1f279fc56045459839407ae44e806414f0 (commit) - Log - commit f58f7ec9397de7b752aa547e2677933559a657db Author: Richard Levitte Date: Thu Apr 22 14:37:40 2021 +0200 Don't remove $(TARFILE) when cleaning This file is outside the source tree, so we have no business removing it. This is especially concerning if that was the tarball the user had to create the source tree. Fixes #14981 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14985) --- Summary of changes: Configurations/unix-Makefile.tmpl | 1 - 1 file changed, 1 deletion(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index c4755c54cd..be6036c227 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -561,7 +561,6 @@ clean: libclean $(RM) -r test/test-runs $(RM) openssl.pc libcrypto.pc libssl.pc -find . -type l \! -name '.*' -exec $(RM) {} \; - $(RM) $(TARFILE) distclean: clean $(RM) configdata.pm
[openssl] master update
The branch master has been updated via 1fbf7079e7aff51d02333aad63593386b27aa209 (commit) via 7aef200089fbf4b306d13905d55772d646ceef76 (commit) via 9cc97ddf3c8c3c6ef30b0505ad2559d3734c685d (commit) via f99659535d180f15cd19c63cb53392c256e35534 (commit) from a2502862f679c82b794869ac88ed0d8ca7bc291c (commit) - Log - commit 1fbf7079e7aff51d02333aad63593386b27aa209 Author: Richard Levitte Date: Fri Apr 16 14:34:19 2021 +0200 STORE: Discard the error report filter in crypto/store/store_result.c The error report filter was fragile, as it could potentially have to be updated when other parts of libcrypto got updated, making a goose chase and a maintenance problem. We change this to regard d2i errors as something we don't care so much about, since they are mainly part of the guessing mechanism. The success of the ossl_store_handle_load_result() call is based on whether an object was actually created or not anyway. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14834) commit 7aef200089fbf4b306d13905d55772d646ceef76 Author: Richard Levitte Date: Fri Apr 16 10:08:38 2021 +0200 TEST: Adapt the EVP test The EVP test didn't recognise ERR_R_UNSUPPORTED, now does Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14834) commit 9cc97ddf3c8c3c6ef30b0505ad2559d3734c685d Author: Richard Levitte Date: Mon Apr 12 12:20:20 2021 +0200 Adapt our decoder implementations to the new way to indicate succes / failure This includes the special decoder used in our STOREMGMT 'file:' implementation Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14834) commit f99659535d180f15cd19c63cb53392c256e35534 Author: Richard Levitte Date: Mon Apr 12 12:11:07 2021 +0200 ENCODER & DECODER: Allow decoder implementations to specify "carry on" So far, decoder implementations would return true (1) for a successful decode all the way, including what the callback it called returned, and false (0) in all other cases. 
This construction didn't allow to stop to decoding process on fatal errors, nor to choose what to report in the provider code. This is now changed so that decoders implementations are made to return false only on errors that should stop the decoding process from carrying on with other implementations, and return true for all other cases, even if that didn't result in a constructed object (EVP_PKEY for example), essentially making it OK to return "empty handed". The success of the decoding process is now all about successfully constructing the final object, rather than about the return value of the decoding chain. If no construction is attempted, the central decoding processing code concludes that whatever the input consisted of, it's not supported by the available decoder implementations. Fixes #14423 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14834) --- Summary of changes: crypto/encode_decode/decoder_err.c | 4 +- crypto/encode_decode/decoder_lib.c | 89 -- crypto/err/openssl.txt | 1 + crypto/store/store_result.c| 88 - doc/man7/provider-decoder.pod | 29 ++- include/crypto/decodererr.h| 2 +- include/openssl/decodererr.h | 1 + .../implementations/encode_decode/decode_der2key.c | 51 + .../encode_decode/decode_msblob2key.c | 29 --- .../implementations/encode_decode/decode_pem2der.c | 15 +++- .../implementations/encode_decode/decode_pvk2key.c | 26 +++ .../implementations/storemgmt/file_store_der2obj.c | 21 +++-- test/evp_test.c| 12 +-- test/recipes/30-test_evp.t | 2 +- 14 files changed, 249 insertions(+), 121 deletions(-) diff --git a/crypto/encode_decode/decoder_err.c b/crypto/encode_decode/decoder_err.c index cf68a4c7c5..1880c8f409 100644 --- a/crypto/encode_decode/decoder_err.c +++ b/crypto/encode_decode/decoder_err.c 
@@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -15,6 +15,8 @@ #ifndef OPENSSL_NO_ERR static const ERR_STRING_DATA OSSL_DECODER_str_reasons[] = { +
[openssl] master update
The branch master has been updated via 05aed12f54de44df586d8912172b4ec05a8af855 (commit) via a0fff549e6635000a545ac7d1e7a8102c1e614f1 (commit) via 01ba6c8e438ea2d31c92fe2f386e6ce5809f29f0 (commit) via ad57a13bb86949a9e9adc7a2960e3f39e3e5b284 (commit) via 42423ac9611e0cbb02c93b3c5661328f324f9d08 (commit) via 6ee1ae32933e299a6a0a5a0e8b4a1c1a64da3492 (commit) via ebb3c82b9c7afc89986d56f794ec9d3ca3b6793f (commit) via e2f5df36138abcc1f989c6739b23bf7e23fe (commit) from f6c95e46c03025b2694241e1ad785d8bd3ac083b (commit) - Log - commit 05aed12f54de44df586d8912172b4ec05a8af855 Author: Richard Levitte Date: Tue Mar 16 05:40:50 2021 +0100 CORE: pre-populate the namemap with legacy OIDs too This also pre-populates the namemap with names derived from the internal EVP_PKEY_ASN1_METHODs. This requires attention, as they contain aliases that we may want (RSA == rsaEncryption), as well as aliases that we absolutely do not want (SM2 == EC). Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14498) commit a0fff549e6635000a545ac7d1e7a8102c1e614f1 Author: Richard Levitte Date: Thu Mar 11 16:04:16 2021 +0100 TEST: Use OSSL_MAX_NAME_SIZE instead of arbitrary number of mdname Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14498) commit 01ba6c8e438ea2d31c92fe2f386e6ce5809f29f0 Author: Richard Levitte Date: Thu Mar 11 13:36:06 2021 +0100 CORE: Register all legacy "names" when generating the initial namemap When generating the initial namemap from EVP cipher and digest names, we din't do it quite as thoroughly as necessary, which meant that so called "long names" weren't necessarily registered, and if anyone ever tried to check the algorithm of an EVP_CIPHER or EVP_MD using a so called "long name" would fail. This doesn't deal with the fact that "long names" have a distinct role as human readable descriptors, useful for printouts. Further changes are necessary to deal with this. 
Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14498) commit ad57a13bb86949a9e9adc7a2960e3f39e3e5b284 Author: Richard Levitte Date: Wed Mar 10 12:58:53 2021 +0100 Modify OBJ_nid2sn(OBJ_obj2nid(...)) occurences to use OBJ_obj2txt() The intention is to allow for OIDs for which libcrypto has no information, but are still fetchable for OSSL_ALGORITHM implementations that specify an OID amongst their names. Fixes #14278 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14498) commit 42423ac9611e0cbb02c93b3c5661328f324f9d08 Author: Richard Levitte Date: Wed Mar 10 12:53:51 2021 +0100 TEST: Modify how the retrieved digest name for SM2 digestsign is checked Because of aliases, retrieved names won't always match one specific string. A safer way to check is to fetch the digest from the retrieved name and check it's the expected one with the help of EVP_MD_is_a(). Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14498) commit 6ee1ae32933e299a6a0a5a0e8b4a1c1a64da3492 Author: Richard Levitte Date: Wed Mar 10 11:32:45 2021 +0100 TEST: Modify testutil's run_tests to display NOSUBTEST cases individually When test cases were added with ADD_ALL_TESTS_NOSUBTEST(), all those iteration verdicts were summarized as if it was one single case. This modification gets each iteration verdict displayed separately instead. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14498) commit ebb3c82b9c7afc89986d56f794ec9d3ca3b6793f Author: Richard Levitte Date: Wed Mar 10 11:31:49 2021 +0100 TEST: Modify test/evp_fetch_prov_test.c to also fetch by OID Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14498) commit e2f5df36138abcc1f989c6739b23bf7e23fe Author: Richard Levitte Date: Wed Mar 10 11:22:55 2021 +0100 PROV: Add OIDs we know to all provider applicable algorithms The OIDs were extracted with the help of libcrypto's ASN1 OID database. 
While doing this, we move all the names strings to macro definitions, to avoid duplication and conflicting names declarations. Those macros are all in providers/implementations/include/prov/names.h Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14498) --- Summary of changes: crypto/cms/cms_dh.c| 8 +- crypto/cms/cms_ec.c| 12 +- crypto/cms/cms_env.c
[openssl] master update
The branch master has been updated via f6c95e46c03025b2694241e1ad785d8bd3ac083b (commit) via 543e740b95e303790f8fe6ec59458b4ecdcfb56c (commit) from ad72484909abbcb088c52305894b87604ef58de8 (commit) - Log - commit f6c95e46c03025b2694241e1ad785d8bd3ac083b Author: Rich Salz Date: Tue Feb 16 17:51:56 2021 -0500 Add "origin" field to EVP_CIPHER, EVP_MD Add a "where did this EVP_{CIPHER,MD} come from" flag: global, via fetch, or via EVP_{CIPHER,MD}_meth_new. Update EVP_{CIPHER,MD}_free to handle all three origins. The flag is deliberately right before some function pointers, so that compile-time failures (int/pointer) will occur, as opposed to taking a bit in the existing "flags" field. The "global variable" flag is non-zero, so the default case of using OPENSSL_zalloc (for provider ciphers), will do the right thing. Ref-counting is a no-op for Make up_ref no-op for global MD and CIPHER objects Deprecate EVP_MD_CTX_md(). Added EVP_MD_CTX_get0_md() (same semantics as the deprecated function) and EVP_MD_CTX_get1_md(). Likewise, deprecate EVP_CIPHER_CTX_cipher() in favor of EVP_CIPHER_CTX_get0_cipher(), and add EVP_CIPHER_CTX_get1_CIPHER(). Refactor EVP_MD_free() and EVP_MD_meth_free() to call new common evp_md_free_int() function. Refactor EVP_CIPHER_free() and EVP_CIPHER_meth_free() to call new common evp_cipher_free_int() function. Also change some flags tests to explicit test == or != zero. E.g., if (flags & x) --> if ((flags & x) != 0) if (!(flags & x)) --> if ((flags & x) == 0) Only done for those lines where "get0_cipher" calls were made. 
Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14193) commit 543e740b95e303790f8fe6ec59458b4ecdcfb56c Author: Rich Salz Date: Mon Feb 15 12:31:36 2021 -0500 Standard style for all EVP_xxx_free routines Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14193) --- Summary of changes: apps/dgst.c| 2 +- crypto/asn1/a_sign.c | 2 +- crypto/asn1/p5_scrypt.c| 2 +- crypto/cmac/cmac.c | 2 +- crypto/cms/cms_env.c | 7 +++-- crypto/cms/cms_kari.c | 2 +- crypto/cms/cms_lib.c | 2 +- crypto/cms/cms_sd.c| 2 +- crypto/evp/asymcipher.c| 20 ++--- crypto/evp/bio_md.c| 4 +-- crypto/evp/bio_ok.c| 10 +++ crypto/evp/cmeth_lib.c | 6 +++- crypto/evp/digest.c| 11 +++- crypto/evp/e_aes.c | 32 + crypto/evp/e_aes_cbc_hmac_sha1.c | 2 ++ crypto/evp/e_aes_cbc_hmac_sha256.c | 2 ++ crypto/evp/e_aria.c| 2 ++ crypto/evp/e_camellia.c| 3 ++ crypto/evp/e_chacha20_poly1305.c | 2 ++ crypto/evp/e_des3.c| 1 + crypto/evp/e_null.c| 1 + crypto/evp/e_rc2.c | 2 ++ crypto/evp/e_rc4.c | 2 ++ crypto/evp/e_rc4_hmac_md5.c| 1 + crypto/evp/e_sm4.c | 1 + crypto/evp/e_xcbc_d.c | 1 + crypto/evp/evp_enc.c | 21 ++ crypto/evp/evp_lib.c | 58 +- crypto/evp/evp_local.h | 2 ++ crypto/evp/evp_rand.c | 50 crypto/evp/exchange.c | 20 ++--- crypto/evp/kdf_lib.c | 12 crypto/evp/kdf_meth.c | 20 +++-- crypto/evp/kem.c | 21 +++--- crypto/evp/legacy_blake2.c | 2 ++ crypto/evp/legacy_md2.c| 1 + crypto/evp/legacy_md4.c| 1 + crypto/evp/legacy_md5.c| 1 + crypto/evp/legacy_md5_sha1.c | 1 + crypto/evp/legacy_mdc2.c | 1 + crypto/evp/legacy_ripemd.c | 1 + crypto/evp/legacy_sha.c| 9 ++ crypto/evp/legacy_wp.c | 1 + crypto/evp/m_null.c| 1 + crypto/evp/m_sigver.c | 2 +- crypto/evp/mac_lib.c | 12 crypto/evp/p5_crpt2.c | 2 +- crypto/evp/p_sign.c| 2 +- crypto/evp/p_verify.c | 2 +- crypto/evp/signature.c | 20 ++--- crypto/pkcs12/p12_decr.c | 6 ++-- crypto/pkcs7/pk7_doit.c| 2 +- crypto/sm3/legacy_sm3.c| 1 + doc/man3/EVP_DigestInit.pod| 19 + 
doc/man3/EVP_EncryptInit.pod | 19 +++
[openssl] master update
The branch master has been updated via 4a95b70d1e3df791ea569e94067cf0bec1f69557 (commit) from a732a4c329144f0b4c60372d9b7106c6b88ddd9f (commit) - Log - commit 4a95b70d1e3df791ea569e94067cf0bec1f69557 Author: Richard Levitte Date: Wed Mar 31 07:59:48 2021 +0200 Github workflows: re-implement a no-shared build We do this both on Ubuntu and MacOS X Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14753) --- Summary of changes: .github/workflows/ci.yml | 14 ++ 1 file changed, 14 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f0c60d6947..ee4a2c8f2b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -92,6 +92,20 @@ jobs: - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + no-shared: +strategy: + matrix: +os: [ ubuntu-latest, macos-latest ] +runs-on: ${{matrix.os}} +steps: +- uses: actions/checkout@v2 +- name: config + run: ./config --strict-warnings no-shared && perl configdata.pm --dump +- name: make + run: make -s -j4 +- name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + non-caching: runs-on: ubuntu-latest steps:
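Review bot: The new `no-shared` job pulls `actions/checkout@v2` by a movable tag, so the code that runs in CI can change without any change to this repository. Pinning the action to a full commit hash, `uses: actions/checkout@FULL_COMMIT_SHA  # v2` (placeholder, take the hash from the action's release), makes the job reproducible and keeps a retagged or compromised action release from running unreviewed. The same goes for any other job in the file that references the action by tag; only the tail of the preceding job and the head of `non-caching` are visible here.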
[openssl] master update
The branch master has been updated via 41385f2708d08155d56ce08dce494152e225069e (commit) from 014498fff9ee2e71dfdd82978b8896b05c9c8cb0 (commit) - Log - commit 41385f2708d08155d56ce08dce494152e225069e Author: Richard Levitte Date: Tue Apr 6 15:30:38 2021 +0200 test/recipes/02-test_errstr.t: Do not test negative system error codes It's been deemed unlikely that these will end up in OpenSSL error records, so we simply don't test them if they happen to be among the error codes that perl has support for. Fixes #14763 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14779) --- Summary of changes: test/recipes/02-test_errstr.t | 4 1 file changed, 4 insertions(+) diff --git a/test/recipes/02-test_errstr.t b/test/recipes/02-test_errstr.t index 6bc07f6d65..3bbf530c28 100644 --- a/test/recipes/02-test_errstr.t +++ b/test/recipes/02-test_errstr.t @@ -69,6 +69,10 @@ foreach my $errname (@Errno::EXPORT_OK) { # is to skip this errcode. skip "perl error strings and ssystem error strings for errcode 0 differ", 1 if $errcode == 0; + # On some systems (for example Hurd), there are negative error codes. + # These are currently unsupported in OpenSSL error reports. + skip "negative error codes are not supported in OpenSSL", 1 + if $errcode < 0; (match_syserr_reason($errcode)); }
[openssl] master update
The branch master has been updated via 5ad3e6c56eb1c295a7de92de5bb2f54614d5c277 (commit) via ef83daf4dadf9380a3b94618fb7aee75fcd9a6b1 (commit) from baf02793fc5b5095ad8929b8e2aae679e113f457 (commit) - Log - commit 5ad3e6c56eb1c295a7de92de5bb2f54614d5c277 Author: Richard Levitte Date: Wed Apr 15 12:54:23 2020 +0200 Include BN assembler alongside CPUID code It turns out that some CPUID code requires the presence of some BN assembler code, so we make sure it's included in the same manner as the CPUID code itself. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14755) commit ef83daf4dadf9380a3b94618fb7aee75fcd9a6b1 Author: Richard Levitte Date: Wed Mar 11 17:38:46 2020 +0100 Refactor CPUID code We were using CPUID coded in several modules, but it was unclear how it actually got there, and could fail randomly. To remedy that, this change separates the CPUID C code from the rest of cryptlib.c, and ensures the right modules get both that and the assembler sources explicitly. Fixes #11281 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14755) --- Summary of changes: crypto/bn/build.info | 10 ++- crypto/build.info| 43 +++ crypto/cpuid.c | 214 +++ crypto/cryptlib.c| 197 --- 4 files changed, 250 insertions(+), 214 deletions(-) create mode 100644 crypto/cpuid.c diff --git a/crypto/bn/build.info b/crypto/bn/build.info index 237d5e90ed..89ff0044f2 100644 --- a/crypto/bn/build.info +++ b/crypto/bn/build.info 
@@ -107,17 +107,21 @@ $COMMON=bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \ bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \ bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c SOURCE[../../libcrypto]=$COMMON $BNASM bn_print.c bn_err.c bn_srp.c +DEFINE[../../libcrypto]=$BNDEF IF[{- !$disabled{'deprecated-3.0'} -}] SOURCE[../../libcrypto]=bn_depr.c bn_x931p.c ENDIF SOURCE[../../providers/libfips.a]=$COMMON $BNASM +DEFINE[../../providers/libfips.a]=$BNDEF +# Because some CPUID implementations use some BN assembler (!!!), we +# must include assembler code into the legacy provider under the same +# conditions as CPUID code is included. See ../build.info SOURCE[../../providers/liblegacy.a]=$BNASM +DEFINE[../../providers/liblegacy.a]=$BNDEF # Implementations are now spread across several libraries, so the defines # need to be applied to all affected libraries and modules. -DEFINE[../../libcrypto]=$BNDEF -DEFINE[../../providers/libfips.a]=$BNDEF -DEFINE[../../providers/liblegacy.a]=$BNDEF DEFINE[../../providers/libimplementations.a]=$BNDEF +DEFINE[../../providers/libcommon.a]=$BNDEF INCLUDE[bn_exp.o]=.. diff --git a/crypto/build.info b/crypto/build.info index dc180d0252..560f872ee2 100644 --- a/crypto/build.info +++ b/crypto/build.info 
@@ -59,6 +59,30 @@ IF[{- !$disabled{asm} && $config{processor} ne '386' -}] ENDIF ENDIF +# CPUID support. We need to add that explicitly in every shared library and +# provider module that uses it. ctype.c is included here because the CPUID +# uses functions from there to parse magic environment variables. +$CPUID_COMMON=$CPUIDASM cpuid.c ctype.c +INCLUDE[cpuid.o]=.. + +SOURCE[../libcrypto]=$CPUID_COMMON +DEFINE[../libcrypto]=$CPUIDDEF +SOURCE[../providers/libfips.a]=$CPUID_COMMON +DEFINE[../providers/libfips.a]=$CPUIDDEF +# We only need to include the CPUID stuff in the legacy provider when it's a +# separate module and it's dynamically linked with libcrypto. Otherwise, it +# already gets everything that the static libcrypto.a has, and doesn't need it +# added again. +IF[{- !$disabled{module} && !$disabled{shared} -}] + SOURCE[../providers/liblegacy.a]=$CPUID_COMMON + DEFINE[../providers/liblegacy.a]=$CPUIDDEF +ENDIF + +# Implementations are now spread across several libraries, so the CPUID define +# need to be applied to all affected libraries and modules. +DEFINE[../providers/libimplementations.a]=$CPUIDDEF +DEFINE[../providers/libcommon.a]=$CPUIDDEF + # The Core $CORE_COMMON=provider_core.c provider_predefined.c \ core_fetch.c core_algorithm.c core_namemap.c self_test_core.c @@ -69,28 +93,19 @@ SOURCE[../providers/libfips.a]=$CORE_COMMON # Central utilities $UTIL_COMMON=\ cryptlib.c params.c params_from_text.c bsearch.c ex_data.c o_str.c \ -ctype.c threads_pthread.c threads_win.c threads_none.c initthread.c \ -context.c sparse_array.c asn1_dsa.c packet.c param_build.c $CPUIDASM \ +threads_pthread.c threads_win.c threads_none.c initthread.c \ +context.c sparse_array.c asn1_dsa.c packet.c param_build.c \ p
[openssl] master update
The branch master has been updated via baf02793fc5b5095ad8929b8e2aae679e113f457 (commit) via 03888233290bf3b8410e8dc2acbef8950fffef60 (commit) via b638dad970c65e311e9a724b89972441268adc9f (commit) via 1010884e0a6d391d3628ffdb057f1812ef08ed73 (commit) via 309a78aa305ee14878e453c78ccf9a7dc91264cf (commit) from 650c66873793bed505802f316b15772a0f887743 (commit) - Log - commit baf02793fc5b5095ad8929b8e2aae679e113f457 Author: Richard Levitte Date: Tue Mar 16 14:45:07 2021 +0100 APPS: Replace the use of OBJ_nid2ln() with name or description calls With new provided algorithms added, we'd rather rely on the names and descriptions that we get from the providers. Specifically with the 'openssl list' command, we now display the description of all algorithms. For '-public-key-algorithms', we additionally print key type information a bit more like we do for legacy methods. We also add descriptions to all our keymgmt functions, because the built in EVP_PKEY_ASN1_METHODs had them. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14656) commit 03888233290bf3b8410e8dc2acbef8950fffef60 Author: Richard Levitte Date: Tue Mar 16 14:23:54 2021 +0100 EVP: Add EVP__description() The following operation types are covered: EVP_MD, EVP_CIPHER, EVP_MAC, EVP_RAND, EVP_KEYMGMT, EVP_SIGNATURE, EVP_ASYM_CIPHER, EVP_KEM, EVP_KEYEXCH, EVP_KDF. Also EVP_PKEY. For EVP_MD and EVP_CIPHER, OBJ_nid2ln() is used as a fallback for legacy implementations. For EVP_PKEY, the info field of the EVP_PKEY_ASN1_METHOD is used as a fallback for legacy implementations. 
Fixes #14514 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14656) commit b638dad970c65e311e9a724b89972441268adc9f Author: Richard Levitte Date: Tue Mar 16 14:30:59 2021 +0100 Add OSSL_STORE_LOADER_description() Fixes #14514 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14656) commit 1010884e0a6d391d3628ffdb057f1812ef08ed73 Author: Richard Levitte Date: Tue Mar 16 14:21:42 2021 +0100 Add OSSL_DECODER_description() and OSSL_ENCODER_description() Fixes #14514 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14656) commit 309a78aa305ee14878e453c78ccf9a7dc91264cf Author: Richard Levitte Date: Tue Mar 16 14:14:43 2021 +0100 CORE: Add an algorithm_description field to OSSL_ALGORITHM This corresponds to the |info| field in EVP_PKEY_ASN1_METHOD, as well as the generic use of OBJ_nid2ln() as a one line description. We also add the base functionality to make use of this field. Fixes #14514 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14656) --- Summary of changes: apps/list.c| 64 -- crypto/encode_decode/decoder_meth.c| 16 -- crypto/encode_decode/encoder_local.h | 1 + crypto/encode_decode/encoder_meth.c| 16 -- crypto/evp/asymcipher.c| 17 -- crypto/evp/digest.c| 12 ++-- crypto/evp/evp_enc.c | 12 ++-- crypto/evp/evp_fetch.c | 21 --- crypto/evp/evp_lib.c | 22 crypto/evp/evp_local.h | 11 +++- crypto/evp/evp_rand.c | 18 -- crypto/evp/exchange.c | 17 -- crypto/evp/kdf_lib.c | 5 ++ crypto/evp/kdf_meth.c | 12 ++-- crypto/evp/kem.c | 15 +++-- crypto/evp/keymgmt_meth.c | 19 +-- crypto/evp/mac_lib.c | 5 ++ crypto/evp/mac_meth.c | 12 ++-- crypto/evp/p_lib.c | 14 + crypto/evp/signature.c | 17 -- crypto/store/store_local.h | 1 + crypto/store/store_meth.c | 16 -- doc/internal/man3/evp_generic_fetch.pod| 16 +++--- doc/man3/EVP_ASYM_CIPHER_free.pod | 6 ++ doc/man3/EVP_DigestInit.pod| 9 ++- doc/man3/EVP_EncryptInit.pod | 6 ++ doc/man3/EVP_KDF.pod | 7 ++- 
doc/man3/EVP_KEM_free.pod | 7 ++- doc/man3/EVP_KEYEXCH_free.pod | 6 ++ doc/man3/EVP_KEYMGMT.pod | 9
[openssl] master update
The branch master has been updated via 4f10a996e5123c20315912149f586c481960e0de (commit) from 3bf7c3a166f20f3deac8d4730aa54bcce466c10a (commit) - Log - commit 4f10a996e5123c20315912149f586c481960e0de Author: Richard Levitte Date: Mon Mar 29 12:36:34 2021 +0200 Android config targets: don't include the SO version in the shlib file name Reports say that the Android platform(s) don't have the SO version number in the shared library file name. Reportedly, Android package managers do complain that our shared libraries do include the SO version number. That's easy enough to fix. Fixes #14711 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14727) --- Summary of changes: Configurations/15-android.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/Configurations/15-android.conf b/Configurations/15-android.conf index f3075e4b79..0b6b6d6832 100644 --- a/Configurations/15-android.conf +++ b/Configurations/15-android.conf @@ -191,6 +191,7 @@ my %targets = ( bin_cflags => "-fPIE", bin_lflags => "-pie", enable => [ ], +shared_extension => ".so", }, "android-arm" => {
[openssl] master update
The branch master has been updated via 3bf7c3a166f20f3deac8d4730aa54bcce466c10a (commit) from 8f81e3a1848819b3e2bf57d7bc810e440e29d8a5 (commit) - Log - commit 3bf7c3a166f20f3deac8d4730aa54bcce466c10a Author: Richard Levitte Date: Mon Mar 29 12:23:40 2021 +0200 Unix build file template: symlink "simple" to "full" shlib selectively On Unix-like platforms where the shared library comes in a form with and a form without SO version number, the one without is symbolically linked to the one with. However, we have Unix-like platforms where we don't deal with SO version numbers, and where the "simple" shlib thereby ends up being symbolically linked to itself. A simple check of the two shlib file names is enough to ensure that we only do the symbolic link when actually necessary. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14726) --- Summary of changes: Configurations/unix-Makefile.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index d0192aa32e..8a2b2353ab 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -1607,7 +1607,7 @@ EOF my $recipe = ''; - if (defined $simple) { + if (defined $simple && $simple ne $full) { if (sharedaix()) { $recipe .= <<"EOF"; $simple: $full
[openssl] master update
The branch master has been updated via 92a979b4034cd6c1da9cc71736929eb4161359d2 (commit) from 09a17655ea2d5e64b8bd9fd4b74c7dd5daf45bf4 (commit) - Log - commit 92a979b4034cd6c1da9cc71736929eb4161359d2 Author: Randall S. Becker Date: Thu Mar 18 16:45:28 2021 -0600 Add $(PERL) to util/wrap.pl execution to avoid env incompatibilities Using /usr/bin/env on the NonStop ia64 and x86 platforms causes a translation of - to -i as part of the implicit interpretation by env of its arguments prior to handing off the arguments to perl. This causes the FIPS module configuration to be written to a file named -i instead of going to stdout. CLA: Trivial Fixes: #14612 Signed-off-by: Randall S. Becker Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14613) --- Summary of changes: Configurations/unix-Makefile.tmpl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 249652296c..d0192aa32e 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -1433,9 +1433,10 @@ EOF # Also redo $gen0, to ensure that we have the proper extension where # necessary. $gen0 = platform->bin($gen0); + # Use $(PERL) to execute wrap.pl directly to avoid calling env return <<"EOF"; $args{src}: $gen0 $deps \$(BLDDIR)/util/wrap.pl - \$(BLDDIR)/util/wrap.pl $gen0$gen_args > \$@ + \$(PERL) \$(BLDDIR)/util/wrap.pl $gen0$gen_args > \$@ EOF } else { #
[openssl] master update
The branch master has been updated via 53eecb5de5e97fe436a1ccaff8bad5aaa8fb3edc (commit) from bf5b37cedf373a6fde496e1f7bb0a63db29a6cd2 (commit) - Log - commit 53eecb5de5e97fe436a1ccaff8bad5aaa8fb3edc Author: Richard Levitte Date: Wed Mar 10 22:24:11 2021 +0100 TEST: Cleanup test recipes Name mixups cleared, and a few more test case result files that arent't removed, making forensics on failed tests easier. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14505) --- Summary of changes: test/recipes/02-test_internal_keymgmt.t | 2 +- test/recipes/{04-test_pem.t => 04-test_pem_reading.t} | 0 .../NOTES.txt | 0 .../beermug.pem | 0 .../cert-1023line.pem | 0 .../cert-1024line.pem | 0 .../cert-1025line.pem | 0 .../cert-254-chars-at-the-end.pem | 0 .../cert-254-chars-in-the-middle.pem| 0 .../cert-255line.pem| 0 .../cert-256line.pem| 0 .../cert-257line.pem| 0 .../cert-blankline.pem | 0 .../cert-bom.pem| 0 .../cert-comment.pem| 0 .../cert-earlypad.pem | 0 .../cert-extrapad.pem | 0 .../cert-infixwhitespace.pem| 0 .../cert-junk.pem | 0 .../cert-leadingwhitespace.pem | 0 .../cert-longline.pem | 0 .../cert-misalignedpad.pem | 0 .../cert-onecolumn.pem | 0 .../cert-oneline-multiple-of-254.pem| 0 .../cert-oneline.pem| 0 .../cert-shortandlongline.pem | 0 .../cert-shortline.pem | 0 .../cert-threecolumn.pem| 0 .../cert-trailingwhitespace.pem | 0 .../{04-test_pem_data => 04-test_pem_reading_data}/cert.pem | 0 .../{04-test_pem_data => 04-test_pem_reading_data}/csr.pem | 0 .../dsa-1023line.pem| 0 .../dsa-1024line.pem| 0 .../dsa-1025line.pem| 0 .../dsa-255line.pem | 0 .../dsa-256line.pem | 0 .../dsa-257line.pem | 0 .../dsa-blankline.pem | 0 .../dsa-comment.pem | 0 .../dsa-corruptedheader.pem | 0 .../dsa-corruptiv.pem | 0 .../dsa-earlypad.pem| 0 .../dsa-extrapad.pem| 0 .../dsa-infixwhitespace.pem | 0 .../dsa-junk.pem| 0 .../dsa-leadingwhitespace.pem | 0 .../dsa-longline.pem| 0 .../dsa-misalignedpad.pem | 0 .../dsa-onecolumn.pem | 0 .../dsa-oneline.pem | 0 
.../dsa-onelineheader.pem | 0 .../dsa-shortandlongline.pem| 0 .../dsa-shortline.pem | 0 .../dsa-threecolumn.pem | 0 .../dsa-trailingwhitespace.pem | 0 .../{04-test_pem_data => 04-test_pem_reading_data}/dsa.pem | 0 .../dsaparam.pem| 0 .../{04-test_pem_data => 04-test_pem_reading_data}/key.pem | 0 .../wellknown | 0 test/recipes/{06-test-rdrand.t => 06-test_rdrand_sanity.t} | 0 test/recipes/20-test_mac.t | 3 +-- test/recipes/25-test_eai_data.t | 13 + test/recipes/65-test_cmp_hdr.t | 2 +- test/recipes/65-test_cmp_status.t | 2 +- test/recipes/7
[openssl] master update
The branch master has been updated via 814581bb7a1360ee054ad3500cd0907fbfeef915 (commit) from 4551763efc8c9d2e39f3d39430cb4657d155cde6 (commit) - Log - commit 814581bb7a1360ee054ad3500cd0907fbfeef915 Author: Richard Levitte Date: Wed Mar 24 19:51:01 2021 +0100 RSA-PSS: When printing parameters, always print the trailerfield ASN.1 value The legacy implementation would print the ASN.1 value of the trailerfield, except when it wasn't set (i.e. is default). For better consistency, we now always print the ASN.1 value, both in the legacy and the provided implementation. Fixes #14363 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14676) --- Summary of changes: crypto/rsa/rsa_ameth.c| 2 +- providers/implementations/encode_decode/encode_key2text.c | 7 --- 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index 067b7db12d..7a747a33ef 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -280,7 +280,7 @@ static int rsa_pss_param_print(BIO *bp, int pss_key, RSA_PSS_PARAMS *pss, if (pss->trailerField) { if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0) goto err; -} else if (BIO_puts(bp, "BC (default)") <= 0) { +} else if (BIO_puts(bp, "01 (default)") <= 0) { goto err; } BIO_puts(bp, "\n"); diff --git a/providers/implementations/encode_decode/encode_key2text.c b/providers/implementations/encode_decode/encode_key2text.c index f913a9bb14..9bdbe52656 100644 --- a/providers/implementations/encode_decode/encode_key2text.c +++ b/providers/implementations/encode_decode/encode_key2text.c 
@@ -764,13 +764,6 @@ static int rsa_to_text(BIO *out, const void *key, int selection) saltlen, (saltlen == 20 ? " (default)" : "")) <= 0) goto err; -/* - * TODO(3.0) Should we show the ASN.1 trailerField value, or - * the actual trailerfield byte (i.e. 0xBC for 1)? - * crypto/rsa/rsa_ameth.c isn't very clear on that, as it - * does display 0xBC when the default applies, but the ASN.1 - * trailerField value otherwise... - */ if (BIO_printf(out, " Trailer Field: 0x%x%s\n", trailerfield, (trailerfield == 1 ? " (default)" : "")) <= 0)
[openssl] master update
The branch master has been updated via eb78f9552307248ca5ccfc28d61faa823dae7c7e (commit) from b238e78fe897dd22400e0353a9f43318397c2f98 (commit) - Log - commit eb78f9552307248ca5ccfc28d61faa823dae7c7e Author: Rich Salz Date: Fri Mar 19 12:05:59 2021 -0400 Make fipsinstall -out flag optional If -out is not specified, send output to stdout. Fix documentation errors. Remove "-out -" from an invocation. Reviewed-by: Shane Lontis Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14623) --- Summary of changes: apps/fipsinstall.c | 10 +- doc/man1/openssl-fipsinstall.pod.in | 4 ++-- providers/build.info| 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c index e1279c32e9..651df6250f 100644 --- a/apps/fipsinstall.c +++ b/apps/fipsinstall.c @@ -376,7 +376,7 @@ opthelp: /* No extra arguments. */ argc = opt_num_rest(); -if (argc != 0) +if (argc != 0 || (verify && in_fname == NULL)) goto opthelp; if (parent_config != NULL) { @@ -389,9 +389,7 @@ opthelp: } goto end; } -if (module_fname == NULL -|| (verify && in_fname == NULL) -|| (!verify && out_fname == NULL)) +if (module_fname == NULL) goto opthelp; tail = opt_path_end(module_fname); @@ -490,7 +488,9 @@ opthelp: if (!load_fips_prov_and_run_self_test(prov_name)) goto end; -fout = bio_open_default(out_fname, 'w', FORMAT_TEXT); +fout = +out_fname == NULL ? dup_bio_out(FORMAT_TEXT) + : bio_open_default(out_fname, 'w', FORMAT_TEXT); if (fout == NULL) { BIO_printf(bio_err, "Failed to open file\n"); goto end; diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in index b57717f7da..b04164d4da 100644 --- a/doc/man1/openssl-fipsinstall.pod.in +++ b/doc/man1/openssl-fipsinstall.pod.in 
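Review bot: The `Failed to open file` message that follows the new `fout =` assignment does not say which destination failed, and it is now also reached when `-out` was omitted and duplicating standard output fails. Naming the target makes a failed install easier to diagnose, for example `BIO_printf(bio_err, "Failed to open %s\n", out_fname == NULL ? "standard output" : out_fname);`. The helper `bio_open_default()` may already fall back to standard output for a NULL name, in which case the ternary is redundant; the helper is not visible here, so confirm before simplifying. The enclosing function starts and ends outside these hunks.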
@@ -88,8 +88,8 @@ Filename to output the configuration data to; the default is standard output. =item B<-in> I -Input filename to load configuration data from. Used with the B<-verify> option. -Standard input is used if the filename is C<->. +Input filename to load configuration data from. +Must be used if the B<-verify> option is specified. =item B<-verify> diff --git a/providers/build.info b/providers/build.info index 1fab34c28d..4296aa05a6 100644 --- a/providers/build.info +++ b/providers/build.info @@ -150,7 +150,7 @@ IF[{- !$disabled{fips} -}] DEPEND[|tests|]=fipsmodule.cnf GENERATE[fipsmodule.cnf]=../apps/openssl fipsinstall \ -module providers/$(FIPSMODULENAME) -provider_name fips \ --mac_name HMAC -section_name fips_sect -out - +-mac_name HMAC -section_name fips_sect DEPEND[fipsmodule.cnf]=$FIPSGOAL ENDIF
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via ffefffa000437da5703dd8a173386623304b055d (commit) from b402f00ee26157ad4e7e6e52f3a736743e3de46f (commit) - Log - commit ffefffa000437da5703dd8a173386623304b055d Author: Richard Levitte Date: Sat Mar 20 09:09:40 2021 +0100 ASN1: Reset the content dump flag after dumping When encountering a badly coded item, the DER printer (ASN1_print_dump()) sets a flag to ensure that an additional hex dump of the offending content is printed as part of the output. Unfortunately, this flag is never reset, which means that all following items are printed with the extra hex dump, whether they are faulty or not. Resetting the flag after hex dumping ensures that only the faulty contents are printed with the additional hex dump. Fixes #14626 Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/14627) (cherry picked from commit 6e34a1048ce4871371eac224b995c3b4338f6166) --- Summary of changes: crypto/asn1/asn1_par.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/asn1/asn1_par.c b/crypto/asn1/asn1_par.c index 3f10c7cb94..d45f810bce 100644 --- a/crypto/asn1/asn1_par.c +++ b/crypto/asn1/asn1_par.c @@ -325,6 +325,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, } if (BIO_puts(bp, "]") <= 0) goto end; +dump_cont = 0; } if (!nl) {
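Review bot: The added `dump_cont = 0;` in asn1_parse2() has no comment, and the hunk does not show where the flag is set, so the reason for the reset lives only in the commit message. A short comment at the reset would keep it from being dropped later as a dead store, for example `/* only the malformed item gets the extra hex dump */`. The same applies to the identical change in master commit 6e34a1048ce4871371eac224b995c3b4338f6166. asn1_parse2() begins and ends outside the hunk.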
[openssl] master update
The branch master has been updated via 6e34a1048ce4871371eac224b995c3b4338f6166 (commit) from abded2ced44b94d96f08ea5cf01df6519b80f5d3 (commit) - Log - commit 6e34a1048ce4871371eac224b995c3b4338f6166 Author: Richard Levitte Date: Sat Mar 20 09:09:40 2021 +0100 ASN1: Reset the content dump flag after dumping When encountering a badly coded item, the DER printer (ASN1_print_dump()) sets a flag to ensure that an additional hex dump of the offending content is printed as part of the output. Unfortunately, this flag is never reset, which means that all following items are printed with the extra hex dump, whether they are faulty or not. Resetting the flag after hex dumping ensures that only the faulty contents are printed with the additional hex dump. Fixes #14626 Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/14627) --- Summary of changes: crypto/asn1/asn1_par.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/asn1/asn1_par.c b/crypto/asn1/asn1_par.c index cf6d48ce10..c51a8f7571 100644 --- a/crypto/asn1/asn1_par.c +++ b/crypto/asn1/asn1_par.c @@ -337,6 +337,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, } if (BIO_puts(bp, "]") <= 0) goto end; +dump_cont = 0; } if (!nl) {
[openssl] master update
The branch master has been updated via 2d101b0f493a3066c5ea7152c00c44d70fcea4d8 (commit) from 6084b5c2c9ab5a167d808d6f6c9b21f98c99bbc2 (commit) - Log - commit 2d101b0f493a3066c5ea7152c00c44d70fcea4d8 Author: Richard Levitte Date: Thu Mar 18 05:07:11 2021 +0100 Configure: check all DEPEND values against GENERATE, not just .h files All files that are given to DEPEND statements in build.info files are being checked against GENERATE statements, to see if it's reasonable to look for them in the source tree or not. This was only done for .h files, for reasons that are lost in history. We now change that check to look at all files instead. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14598) --- Summary of changes: Configure | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Configure b/Configure index 5f2be9cf3c..10a988e6a3 100755 --- a/Configure +++ b/Configure @@ -2349,16 +2349,16 @@ EOF } foreach (@{$depends{$dest}}) { my $d = cleanfile($sourced, $_, $blddir); +my $d2 = cleanfile($buildd, $_, $blddir); # If we know it's generated, or assume it is because we can't # find it in the source tree, we set file we depend on to be # in the build tree rather than the source tree. if ($d eq $src_configdata -|| (grep { $d eq $_ } -map { cleanfile($srcdir, $_, $blddir) } -grep { /\.h$/ } keys %{$unified_info{generate}}) +|| (grep { $d2 eq $_ } +keys %{$unified_info{generate}}) || ! -f $d) { -$d = cleanfile($buildd, $_, $blddir); +$d = $d2; } $unified_info{depends}->{$ddest}->{$d} = 1;
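Review bot: The new test `grep { $d2 eq $_ } keys %{$unified_info{generate}}` scans every generated-file key for each dependency, where a hash lookup says the same thing: `|| exists $unified_info{generate}->{$d2}`. The change also assumes that the keys of `%{$unified_info{generate}}` are already in the form `cleanfile($buildd, $_, $blddir)` returns, because the old code normalised each key with `cleanfile` before comparing and the new code compares them raw. The hunk does not show how those keys are stored, so that is worth confirming. The enclosing loop starts and ends outside the hunk.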
[openssl] master update
The branch master has been updated via 92e9359b24660228fa8fbf9129837ce5ab287715 (commit) via c9d01f4186817612e8afa401951e0968aed83b2e (commit) from 6bbff162f1d72ed52d705c4c146cd3152ef4648c (commit) - Log - commit 92e9359b24660228fa8fbf9129837ce5ab287715 Author: Richard Levitte Date: Tue Mar 9 18:49:06 2021 +0100 TEST: Stop the cleanup in test/recipes/20-test_mac.t Let the files remain to make test forensics easy Reviewed-by: Paul Dale Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14484) commit c9d01f4186817612e8afa401951e0968aed83b2e Author: Richard Levitte Date: Tue Mar 9 18:23:39 2021 +0100 PROV: use EVP_CIPHER_CTX_set_params() rather than EVP_CIPHER_CTX_ctrl() This is in gmac_final(), where the cipher is known to be fetched. It's more suitable to use OSSL_PARAMs than _ctrl functions, as the latter are expected to become obsolete. Fixes #14359 Reviewed-by: Paul Dale Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14484) --- Summary of changes: providers/implementations/macs/gmac_prov.c | 7 --- test/recipes/20-test_mac.t | 20 +--- 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/providers/implementations/macs/gmac_prov.c b/providers/implementations/macs/gmac_prov.c index 14ca948077..1f4047ccd3 100644 --- a/providers/implementations/macs/gmac_prov.c +++ b/providers/implementations/macs/gmac_prov.c @@ -146,6 +146,7 @@ static int gmac_update(void *vmacctx, const unsigned char *data, static int gmac_final(void *vmacctx, unsigned char *out, size_t *outl, size_t outsize) { +OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; struct gmac_data_st *macctx = vmacctx; int hlen = 0; 
@@ -155,10 +156,10 @@ static int gmac_final(void *vmacctx, unsigned char *out, size_t *outl, if (!EVP_EncryptFinal_ex(macctx->ctx, out, )) return 0; -/* TODO(3.0) Use params */ hlen = gmac_size(); -if (!EVP_CIPHER_CTX_ctrl(macctx->ctx, EVP_CTRL_AEAD_GET_TAG, - hlen, out)) +params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, + out, (size_t)hlen); +if (!EVP_CIPHER_CTX_get_params(macctx->ctx, params)) return 0; *outl = hlen; diff --git a/test/recipes/20-test_mac.t b/test/recipes/20-test_mac.t index fac72cfaaf..b6a8078763 100644 --- a/test/recipes/20-test_mac.t +++ b/test/recipes/20-test_mac.t @@ -97,21 +97,26 @@ push @mac_fail_tests, @siphash_fail_tests unless disabled("siphash"); plan tests => (scalar @mac_tests * 2) + scalar @mac_fail_tests; +my $test_count = 0; + foreach (@mac_tests) { +$test_count++; ok(compareline($_->{cmd}, $_->{type}, $_->{input}, $_->{expected}, $_->{err}), $_->{desc}); } foreach (@mac_tests) { +$test_count++; ok(comparefile($_->{cmd}, $_->{type}, $_->{input}, $_->{expected}), $_->{desc}); } foreach (@mac_fail_tests) { +$test_count++; ok(compareline($_->{cmd}, $_->{type}, $_->{input}, $_->{expected}, $_->{err}), $_->{desc}); } # Create a temp input file and save the input data into it, and # then compare the stdout output matches the expected value. sub compareline { -my $tmpfile = 'tmp.bin'; +my $tmpfile = "input-$test_count.bin"; my ($cmdarray_orig, $type, $input, $expect, $err) = @_; my $cmdarray = dclone $cmdarray_orig; if (defined($expect)) { @@ -129,7 +134,7 @@ sub compareline { push @$cmdarray, @other; my @lines = run(app($cmdarray), capture => 1); -unlink $tmpfile; +# Not unlinking $tmpfile if (defined($expect)) { if ($lines[1] =~ m|^\Q${expect}\E\R$|) { 
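Review bot: gmac_final() receives `outsize`, but nothing in these hunks compares it with `hlen` before `OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, out, (size_t)hlen)` tells the cipher it may write `hlen` bytes to `out`. Unless the caller already guarantees the buffer size, a guard such as `if (outsize < (size_t)hlen) return 0;` right after `hlen = gmac_size();` would keep the tag write inside the caller's buffer. That check may exist in the calling layer, which is not visible here. The function body continues outside the hunks.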
@@ -162,8 +167,8 @@ sub compareline { # use the '-bin -out ' commandline options to save results out to a file. # Read this file back in and check its output matches the expected value. sub comparefile { -my $tmpfile = 'tmp.bin'; -my $outfile = 'out.bin'; +my $tmpfile = "input-$test_count.bin"; +my $outfile = "output-$test_count.bin"; my ($cmdarray, $type, $input, $expect) = @_; $expect = uc $expect; @@ -178,16 +183,17 @@ sub comparefile { push @$cmdarray, @other; run(app($cmdarray)); -unlink $tmpfile; +# Not unlinking $tmpfile + open(my $out, '<', $outfile) or die "Could not open file"; binmode($out); my $buffer; my $BUFSIZE = 1024; read($out, $buffer, $BUFSIZE) or die "unable to read"; - +# Not unlinking $outfile + my $line = uc unpack("H*", $buffer); close($out); -unlink $outfile; if ($line eq $expect) { return 1;
[web] master update
The branch master has been updated via abbb2d45bbd7db0f8733a2ca997300b572d19061 (commit) from a12160447e27f7fd9dd1d84441d527de2545a4a8 (commit) - Log - commit abbb2d45bbd7db0f8733a2ca997300b572d19061 Author: Richard Levitte Date: Thu Mar 11 16:27:33 2021 +0100 Complete the transition changelog.txt -> changelog.md Almost a year ago, in 4b0220368e888aab29972537aff8602a45b724e9, changelog.txt was renamed to changelog.md. It seems, however, that we didn't make that change complete. Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/web/pull/224) --- Summary of changes: .gitignore | 2 +- Makefile | 2 +- news/changelog.html.tt | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 83f4641..e2cf52a 100644 --- a/.gitignore +++ b/.gitignore @@ -14,7 +14,7 @@ docs/fips.inc docs/man*/ news/changelog.html news/changelog.inc -news/changelog.txt +news/changelog.md news/cl*.txt news/newsflash.inc news/openssl-*-notes.html diff --git a/Makefile b/Makefile index 4b1bd1f..741be51 100644 --- a/Makefile +++ b/Makefile @@ -218,7 +218,7 @@ news/$(1): $(CHECKOUTS)/$(2) cp $$? $$@ endef -# Create the target 'news/changelog.txt', taking the source from +# Create the target 'news/changelog.md', taking the source from # $(CHECKOUTS)/openssl/CHANGES.md $(eval $(call mknews_changelogtxt,changelog.md,openssl/CHANGES.md)) diff --git a/news/changelog.html.tt b/news/changelog.html.tt index 95097b7..2b7a510 100644 --- a/news/changelog.html.tt +++ b/news/changelog.html.tt @@ -22,8 +22,8 @@ This is the changelog for the master branch, the one that is currently in active development. - The plain-text version of this document is available - here: changelog.txt + The plain-text / markdown version of this document is available + here: changelog.md For other branches, the changelogs are distributed with
[openssl] master update
The branch master has been updated via c3a85d3d170a0bffd7b009edb544f0a4a182a3b7 (commit) from c2ec2bb7c146d1e48568f27d11dca02c06c36338 (commit) - Log - commit c3a85d3d170a0bffd7b009edb544f0a4a182a3b7 Author: Richard Levitte Date: Wed Mar 3 17:33:08 2021 +0100 DOCS: Document OSSL_STORE_INFO_PUBKEY in doc/man3/OSSL_STORE_INFO.pod Fixes #14414 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14415) --- Summary of changes: doc/man3/OSSL_STORE_INFO.pod | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/doc/man3/OSSL_STORE_INFO.pod b/doc/man3/OSSL_STORE_INFO.pod index 8c811ec1f3..070b325a2d 100644 --- a/doc/man3/OSSL_STORE_INFO.pod +++ b/doc/man3/OSSL_STORE_INFO.pod @@ -166,7 +166,11 @@ Key parameters. =item OSSL_STORE_INFO_PKEY -A private/public key of some sort. +A keypair or just a private key (possibly with key parameters). + +=item OSSL_STORE_INFO_PUBKEY + +A public key (possibly with key parameters). =item OSSL_STORE_INFO_CERT
[openssl] master update
The branch master has been updated via c2ec2bb7c146d1e48568f27d11dca02c06c36338 (commit) via d60a8e0a2345205242e21aae35815645708580c4 (commit) via 2f17e978a0ec5becda8a61dcf3e7840740ccdfd3 (commit) from 8c631cfaa1f812ed990053c1b0c73f3a3f369aca (commit) - Log - commit c2ec2bb7c146d1e48568f27d11dca02c06c36338 Author: Richard Levitte Date: Mon Mar 1 13:27:24 2021 +0100 Make provider provider_init thread safe, and flag checking/setting too provider_init() makes changes in the provider structure, and needs a bit of protection to ensure that doesn't happen concurrently with race conditions. This also demands a bit of protection of the flags, since they are bits and presumably occupy the same byte in memory. Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14354) commit d60a8e0a2345205242e21aae35815645708580c4 Author: Richard Levitte Date: Mon Mar 1 13:27:15 2021 +0100 Make ossl_provider_disable_fallback_loading() thread safe Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14354) commit 2f17e978a0ec5becda8a61dcf3e7840740ccdfd3 Author: Richard Levitte Date: Mon Mar 1 16:31:34 2021 +0100 test/threadstest.c: Add a test to load providers concurrently If we don't synchronize properly in the core provider code, and build with a thread sanitizer, this should cause a crash. Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14354) --- Summary of changes: crypto/provider_core.c | 48 +--- test/threadstest.c | 29 + 2 files changed, 66 insertions(+), 11 deletions(-) diff --git a/crypto/provider_core.c b/crypto/provider_core.c index d210026e25..1326f83f7e 100644 --- a/crypto/provider_core.c +++ b/crypto/provider_core.c 
@@ -48,6 +48,9 @@ struct ossl_provider_st { unsigned int flag_fallback:1; /* Can be used as fallback */ unsigned int flag_activated_as_fallback:1; +/* Getting and setting the flags require synchronization */ +CRYPTO_RWLOCK *flag_lock; + /* OpenSSL library side data */ CRYPTO_REF_COUNT refcnt; CRYPTO_RWLOCK *refcnt_lock; /* For the ref counter */ @@ -201,7 +204,9 @@ int ossl_provider_disable_fallback_loading(OSSL_LIB_CTX *libctx) struct provider_store_st *store; if ((store = get_provider_store(libctx)) != NULL) { +CRYPTO_THREAD_write_lock(store->lock); store->use_fallbacks = 0; +CRYPTO_THREAD_unlock(store->lock); return 1; } return 0; @@ -255,6 +260,7 @@ static OSSL_PROVIDER *provider_new(const char *name, #endif || !ossl_provider_up_ref(prov) /* +1 One reference to be returned */ || (prov->opbits_lock = CRYPTO_THREAD_lock_new()) == NULL +|| (prov->flag_lock = CRYPTO_THREAD_lock_new()) == NULL || (prov->name = OPENSSL_strdup(name)) == NULL) { ossl_provider_free(prov); ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); @@ -375,6 +381,7 @@ void ossl_provider_free(OSSL_PROVIDER *prov) OPENSSL_free(prov->path); sk_INFOPAIR_pop_free(prov->parameters, free_infopair); CRYPTO_THREAD_lock_free(prov->opbits_lock); +CRYPTO_THREAD_lock_free(prov->flag_lock); #ifndef HAVE_ATOMICS CRYPTO_THREAD_lock_free(prov->refcnt_lock); CRYPTO_THREAD_lock_free(prov->activatecnt_lock); 
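Review bot: The return value of `CRYPTO_THREAD_write_lock(store->lock)` in ossl_provider_disable_fallback_loading() is ignored, so if taking the lock fails the function still clears `use_fallbacks`, calls unlock and returns 1. Checking it keeps the write under the lock that was added for it: `if (!CRYPTO_THREAD_write_lock(store->lock)) return 0;`. The same unchecked call appears in provider_init() with `prov->flag_lock` in the following hunk. The comment on the new `flag_lock` field could also name the fields it guards, since provider_init() uses it for more than the flag bits.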
@@ -470,9 +477,19 @@ static int provider_init(OSSL_PROVIDER *prov) OSSL_FUNC_provider_get_reason_strings_fn *p_get_reason_strings = NULL; # endif #endif +int ok = 0; -if (prov->flag_initialized) -return 1; +/* + * The flag lock is used to lock init, not only because the flag is + * checked here and set at the end, but also because this function + * modifies a number of things in the provider structure that this + * function needs to perform under lock anyway. + */ +CRYPTO_THREAD_write_lock(prov->flag_lock); +if (prov->flag_initialized) { +ok = 1; +goto end; +} /* * If the init function isn't set, it indicates that this provider is @@ -480,7 +497,7 @@ static int provider_init(OSSL_PROVIDER *prov) */ if (prov->init_function == NULL) { #ifdef FIPS_MODULE -return 0; +goto end; #else if (prov->module == NULL) { char *allocated_path = NULL; @@ -491,13 +508,14 @@ static int provider_init(OSSL_PROVIDER *prov) if ((prov->module = DSO_new()) == NULL) { /* DSO_new() generates an error already *
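Review bot: The added comment in provider_init() says `flag_lock` is held as a write lock for the whole function, but it does not say what code running under it may or may not do. The hunk does not show whether the provider's own init function is called before the `end` label. If it is, any path from there back into code that takes `flag_lock` would presumably block on a lock this thread already holds. I would extend the comment with the rule, e.g. `Nothing called from here may take flag_lock.` The `end` label and the matching unlock are outside the visible hunks, so the unlock on every `goto end` path cannot be confirmed from here.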
[openssl] master update
The branch master has been updated via 33ac7b324bdf6791b3ec4a2e3bde74fee8686ff4 (commit) via c9b0214edeb7fdbedd36cf403583e016d9fbbd38 (commit) via e25b4db754b2327be27fa0c1a4f6e66f57368293 (commit) via e9d74dbd3676603a257cedcdcbd720a3a9a775a5 (commit) via 05869bba7fbe59d04bb8605b81b470d4dedb38ac (commit) via 79f47ef507c945f4c73bcf8eb12f2caef19dc04e (commit) via 3f399e3787788b1cc3832e254c53cda42873d847 (commit) from 8593ff00cc66e330228164ae5422f80ef93ed35d (commit) - Log - commit 33ac7b324bdf6791b3ec4a2e3bde74fee8686ff4 Author: Richard Levitte Date: Fri Feb 26 10:46:27 2021 +0100 Add a new test recipe to verify the generated test fipsmodule.cnf Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14320) commit c9b0214edeb7fdbedd36cf403583e016d9fbbd38 Author: Richard Levitte Date: Thu Feb 25 19:40:50 2021 +0100 Fix the perl code to get FIPSMODULENAME Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14320) commit e25b4db754b2327be27fa0c1a4f6e66f57368293 Author: Richard Levitte Date: Tue Sep 29 10:26:19 2020 +0200 TEST: Remove the build of fipsmodule.cnf from test recipes The exception is the test recipe that tests 'openssl fipsinstall'. However, that one uses a different output file name, so it's safe. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14320) commit e9d74dbd3676603a257cedcdcbd720a3a9a775a5 Author: Richard Levitte Date: Mon Sep 28 21:29:56 2020 +0200 APPS: Modify 'fipsinstall' to output all notifications on stderr The actual output of the 'fipsinstall' is the config file it outputs. It should be possible to output that to standard output, and diverse notification messages shouldn't be mixed in. Therefore, we output them to standard error instead. 
Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14320) commit 05869bba7fbe59d04bb8605b81b470d4dedb38ac Author: Richard Levitte Date: Thu Feb 25 17:46:36 2021 +0100 Make 'tests' depend on a generated 'providers/fipsmodule.cnf' providers/fipsmodule.cnf is generated using 'openssl fipsinstall' with the openssl program in the build directory. Fixes #14315 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14320) commit 79f47ef507c945f4c73bcf8eb12f2caef19dc04e Author: Richard Levitte Date: Thu Feb 25 17:43:57 2021 +0100 build.info: Make it possible to use compiled programs as generators Our goal is to be able to produce fipsmodule.cnf with the help of 'openssl fipsinstall', using the openssl program that we build. This refactors the generatesrc code in all the build file templates to replace $generator and $generator_incs with $gen0, $gen_args and $gen_incs, which makes it easier and more consistent to manipulate different bits of the generator command, and also keeps the variable names consistent while not overly long. 
Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14320) commit 3f399e3787788b1cc3832e254c53cda42873d847 Author: Richard Levitte Date: Thu Feb 25 16:55:39 2021 +0100 build.info: Add the possibility to add dependencies on raw targets We need to add something for the 'tests' target to depend on, so a special syntax for those is introduced: DEPEND[|tests|]=fipsmodule.cnf Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14320) --- Summary of changes: Configurations/common.tmpl | 18 - Configurations/descrip.mms.tmpl| 130 +- Configurations/unix-Makefile.tmpl | 141 +++-- Configurations/windows-makefile.tmpl | 129 +- Configure | 24 -- apps/fipsinstall.c | 12 +-- doc/internal/man7/build.info.pod | 6 ++ providers/build.info | 10 +++ test/recipes/01-test_fipsmodule_cnf.t | 37 + test/recipes/03-test_fipsinstall.t | 7 +- test/recipes/15-test_gendsa.t | 11 +-- test/recipes/15-test_genrsa.t | 11 +-- test/recipes/15-test_rsaoaep.t | 40 -- test/recipes/20-test_cli_fips.t| 17 +--- test/recipes/30-test_acvp.t| 10 +-- test/recipes/30-test_defltfips.t | 10 +-- test/recipes/30-test_evp.t | 11 --- test/recipes/30-test_evp_fetch_prov.t | 15 +--- test/recipes/30-test_evp_libctx.t | 8 +- test/recipes/30-test_provider_status.t | 10 +-- test/recipes/65-test_cmp_client.t | 8 +- test
[openssl] master update
The branch master has been updated via 8593ff00cc66e330228164ae5422f80ef93ed35d (commit) from cb54d1b9d7f0d386aa22550d8b12ecd43e248a3f (commit) - Log - commit 8593ff00cc66e330228164ae5422f80ef93ed35d Author: Richard Levitte Date: Mon Mar 1 18:46:20 2021 +0100 DOCS: Fix provider-mac.pod and the docs of our implementations The idea being that doc/man7/provider-mac.pod is for provider authors, while provider users find the documentation for each implementation in doc/man7/EVP_MAC-*.pod, the documentation of parameters wasn't quite aligned. This change re-arranges the parameter documentation to be more aligned with this idea. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/14380) --- Summary of changes: doc/man7/EVP_MAC-BLAKE2.pod | 23 --- doc/man7/EVP_MAC-CMAC.pod | 12 doc/man7/EVP_MAC-GMAC.pod | 16 +++ doc/man7/EVP_MAC-HMAC.pod | 26 ++--- doc/man7/EVP_MAC-KMAC.pod | 9 ++ doc/man7/EVP_MAC-Poly1305.pod | 5 doc/man7/EVP_MAC-Siphash.pod | 5 doc/man7/provider-mac.pod | 65 --- 8 files changed, 100 insertions(+), 61 deletions(-) diff --git a/doc/man7/EVP_MAC-BLAKE2.pod b/doc/man7/EVP_MAC-BLAKE2.pod index 51bac880b5..042e2bfaa0 100644 --- a/doc/man7/EVP_MAC-BLAKE2.pod +++ b/doc/man7/EVP_MAC-BLAKE2.pod 
@@ -36,25 +36,28 @@ The length of the "size" parameter should not exceed that of a B. =item "key" (B) -This may be at most 64 bytes for BLAKE2BMAC or 32 for BLAKE2SMAC and -at least 1 byte in both cases. +Sets the MAC key. +It may be at most 64 bytes for BLAKE2BMAC or 32 for BLAKE2SMAC and at +least 1 byte in both cases. +Setting this parameter is identical to passing a I to L. =item "custom" (B) -This is an optional value of at most 16 bytes for BLAKE2BMAC or 8 for -BLAKE2SMAC. -It is empty by default. +Sets the custom value. +It is an optional value of at most 16 bytes for BLAKE2BMAC or 8 for +BLAKE2SMAC, and is empty by default. =item "salt" (B) -This is an optional value of at most 16 bytes for BLAKE2BMAC or 8 for -BLAKE2SMAC. -It is empty by default. +Sets the salt. +It is an optional value of at most 16 bytes for BLAKE2BMAC or 8 for +BLAKE2SMAC, and is empty by default. =item "size" (B) -When set, this can be any number between between 1 and 32 for -EVP_MAC_BLAKE2S or 64 for EVP_MAC_BLAKE2B. +Sets the MAC size. +It can be any number between 1 and 32 for EVP_MAC_BLAKE2S or between 1 +and 64 for EVP_MAC_BLAKE2B. It is 32 and 64 respectively by default. =back diff --git a/doc/man7/EVP_MAC-CMAC.pod b/doc/man7/EVP_MAC-CMAC.pod index 4d05919b8f..3c6af827b9 100644 --- a/doc/man7/EVP_MAC-CMAC.pod +++ b/doc/man7/EVP_MAC-CMAC.pod @@ -8,6 +8,9 @@ EVP_MAC-CMAC - The CMAC EVP_MAC implementation Support for computing CMAC MACs through the B API. +This implementation uses EVP_CIPHER functions to get access to the underlying +cipher. + =head2 Identity This implementation is identified with this name and properties, to be 
@@ -30,10 +33,19 @@ The following parameter can be set with EVP_MAC_CTX_set_params(): =item "key" (B) +Sets the MAC key. +Setting this parameter is identical to passing a I to L. + =item "cipher" (B) +Sets the name of the underlying cipher to be used. + =item "properties" (B) +Sets the properties to be queried when trying to fetch the underlying cipher. +This must be given together with the cipher naming parameter to be considered +valid. + =back The following parameters can be retrieved with diff --git a/doc/man7/EVP_MAC-GMAC.pod b/doc/man7/EVP_MAC-GMAC.pod index d662e7d5d2..a392cf3dfe 100644 --- a/doc/man7/EVP_MAC-GMAC.pod +++ b/doc/man7/EVP_MAC-GMAC.pod @@ -8,6 +8,9 @@ EVP_MAC-GMAC - The GMAC EVP_MAC implementation Support for computing GMAC MACs through the B API. +This implementation uses EVP_CIPHER functions to get access to the underlying +cipher. + =head2 Identity This implementation is identified with this name and properties, to be @@ -30,12 +33,23 @@ The following parameter can be set with EVP_MAC_CTX_set_params(): =item "key" (B) +Sets the MAC key. +Setting this parameter is identical to passing a I to L. + =item "iv" (B) +Sets the IV of the underlying cipher, when applicable. + =item "cipher" (B) +Sets the name of the underlying cipher to be used. + =item "properties" (B) +Sets the properties to be queried when trying to fetch the underlying cipher. +This must be given together with the cipher naming parameter to be considered +valid. + =back The following parameters can be retrieved with @@ -45,6 +59,8 @@ EVP_MAC_CTX_get_params(): =ite
[openssl] master update
The branch master has been updated via 0647162f6af7c2e0edb4c770bf501ad7e0302970 (commit) from bed963d58d837c5cbf0707bffe250cafffc64690 (commit) - Log - commit 0647162f6af7c2e0edb4c770bf501ad7e0302970 Author: Richard Levitte Date: Mon Mar 1 12:06:36 2021 +0100 make update Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14352) --- Summary of changes: doc/build.info | 6 ++ 1 file changed, 6 insertions(+) diff --git a/doc/build.info b/doc/build.info index e753b06e12..e53b3d1007 100644 --- a/doc/build.info +++ b/doc/build.info @@ -1594,6 +1594,10 @@ DEPEND[html/man3/OSSL_HTTP_REQ_CTX.html]=man3/OSSL_HTTP_REQ_CTX.pod GENERATE[html/man3/OSSL_HTTP_REQ_CTX.html]=man3/OSSL_HTTP_REQ_CTX.pod DEPEND[man/man3/OSSL_HTTP_REQ_CTX.3]=man3/OSSL_HTTP_REQ_CTX.pod GENERATE[man/man3/OSSL_HTTP_REQ_CTX.3]=man3/OSSL_HTTP_REQ_CTX.pod +DEPEND[html/man3/OSSL_HTTP_parse_url.html]=man3/OSSL_HTTP_parse_url.pod +GENERATE[html/man3/OSSL_HTTP_parse_url.html]=man3/OSSL_HTTP_parse_url.pod +DEPEND[man/man3/OSSL_HTTP_parse_url.3]=man3/OSSL_HTTP_parse_url.pod +GENERATE[man/man3/OSSL_HTTP_parse_url.3]=man3/OSSL_HTTP_parse_url.pod DEPEND[html/man3/OSSL_HTTP_transfer.html]=man3/OSSL_HTTP_transfer.pod GENERATE[html/man3/OSSL_HTTP_transfer.html]=man3/OSSL_HTTP_transfer.pod DEPEND[man/man3/OSSL_HTTP_transfer.3]=man3/OSSL_HTTP_transfer.pod @@ -3024,6 +3028,7 @@ html/man3/OSSL_ENCODER_CTX.html \ html/man3/OSSL_ENCODER_CTX_new_for_pkey.html \ html/man3/OSSL_ENCODER_to_bio.html \ html/man3/OSSL_HTTP_REQ_CTX.html \ +html/man3/OSSL_HTTP_parse_url.html \ html/man3/OSSL_HTTP_transfer.html \ html/man3/OSSL_LIB_CTX.html \ html/man3/OSSL_PARAM.html \ @@ -3593,6 +3598,7 @@ man/man3/OSSL_ENCODER_CTX.3 \ man/man3/OSSL_ENCODER_CTX_new_for_pkey.3 \ man/man3/OSSL_ENCODER_to_bio.3 \ man/man3/OSSL_HTTP_REQ_CTX.3 \ +man/man3/OSSL_HTTP_parse_url.3 \ man/man3/OSSL_HTTP_transfer.3 \ man/man3/OSSL_LIB_CTX.3 \ man/man3/OSSL_PARAM.3 \
[openssl] master update
The branch master has been updated via 1d73e2adae9c80d359d6d85c9f65d97a86add542 (commit) via c8182743a7764ba8c9e61665722cae06fa8edb62 (commit) via 8ab9c4ddc41830a9bd1be36a8e37ee2abc57e886 (commit) via 3d364726606424f760211b5015920410ea9c8f0d (commit) via ad7cb0bf5cb9b014d34327cb35ecdd609a3d4dd4 (commit) via c0ff1932e446621f43cd607371b7d265370d4bc6 (commit) from 4ef70dbcf495adfa28efa815c5415dfb9903b92d (commit) - Log - commit 1d73e2adae9c80d359d6d85c9f65d97a86add542 Author: Richard Levitte Date: Tue Feb 23 22:42:18 2021 +0100 crypto/asn1/i2d_evp.c: Fix i2d_provided() to return a proper length Fixes #14258 Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/14291) commit c8182743a7764ba8c9e61665722cae06fa8edb62 Author: Richard Levitte Date: Tue Feb 23 22:41:04 2021 +0100 PROV: Implement an EC key -> blob encoder, to get the public key Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/14291) commit 8ab9c4ddc41830a9bd1be36a8e37ee2abc57e886 Author: Richard Levitte Date: Tue Feb 23 22:39:39 2021 +0100 Modify i2d_PublicKey() so it can get an EC public key as a blob This introduces the encoder output type "blob", to be used for anything that outputs an unstructured blob of data. Fixes #14258 Reviewed-by: Tomas Mraz Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/14291) commit 3d364726606424f760211b5015920410ea9c8f0d Author: Benjamin Kaduk Date: Fri Feb 19 13:20:00 2021 -0800 test_ecpub: test that we can decode the DER we encoded We should be able to round-trip through the encoded DER form of the EC public key and get back something that compares as equal to the original key. 
Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14291) commit ad7cb0bf5cb9b014d34327cb35ecdd609a3d4dd4 Author: Benjamin Kaduk Date: Fri Feb 19 13:46:49 2021 -0800 test_ecpub: verify returned length after encoding Save the length we got from querying how much space was needed, and check that the actual encoding call returned the same length. Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14291) commit c0ff1932e446621f43cd607371b7d265370d4bc6 Author: Benjamin Kaduk Date: Mon Jan 25 12:19:16 2021 -0800 Add test for EC pubkey export/import There seems to be an issue with i2d_provided() in i2d_evp.c that causes us to fail to construct a valid chain of encoders for the "type-specific" output when it's an EC pubkey. This test is designed to exercise that codepath for a variety of curves. Reviewed-by: Tomas Mraz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/14291) --- Summary of changes: crypto/asn1/i2d_evp.c | 54 -- providers/encoders.inc | 5 +- providers/implementations/encode_decode/build.info | 6 + .../encode_decode/encode_key2blob.c| 202 + .../implementations/include/prov/implementations.h | 2 + test/evp_extra_test.c | 71 6 files changed, 324 insertions(+), 16 deletions(-) create mode 100644 providers/implementations/encode_decode/encode_key2blob.c diff --git a/crypto/asn1/i2d_evp.c b/crypto/asn1/i2d_evp.c index 6e4f7080c7..2a101a6fa3 100644 --- a/crypto/asn1/i2d_evp.c +++ b/crypto/asn1/i2d_evp.c 
@@ -25,29 +25,42 @@ #include "crypto/asn1.h" #include "crypto/evp.h" +struct type_and_structure_st { +const char *output_type; +const char *output_structure; +}; + static int i2d_provided(const EVP_PKEY *a, int selection, -const char *output_structures[], +const struct type_and_structure_st *output_info, unsigned char **pp) { OSSL_ENCODER_CTX *ctx = NULL; int ret; for (ret = -1; - ret == -1 && *output_structures != NULL; - output_structures++) { + ret == -1 && output_info->output_type != NULL; + output_info++) { /* * The i2d_ calls don't take a boundary length for *pp. However, - * OSSL_ENCODER_CTX_get_num_encoders() needs one, so we make one - * up. + * OSSL_ENCODER_to_data() needs one, so we make one up. Because + * OSSL_ENCODER_to_data() decrements this number by the amount of + * bytes written, we need to calculat
[openssl] master update
The branch master has been updated via 5a6a6d59a642e0ee437e3753c152b67e92d3cb3f (commit) from 32ab57cbb4877ce7e6b4eb3f9b3cfbb0ff7cd10b (commit) - Log - commit 5a6a6d59a642e0ee437e3753c152b67e92d3cb3f Author: Richard Levitte Date: Thu Feb 25 00:06:46 2021 +0100 Makefile: Only update doc/build.info when there's an actual change Fixes #14307 Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14309) --- Summary of changes: Configurations/unix-Makefile.tmpl | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index b0aff03ad1..aa4b3ec0ec 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -1096,7 +1096,16 @@ generate_fuzz_oids: generate_doc_buildinfo: ( $(PERL) -I$(BLDDIR) -Mconfigdata \ $(SRCDIR)/util/dofile.pl -o Makefile \ -$(SRCDIR)/doc/build.info.in > $(SRCDIR)/doc/build.info ) +$(SRCDIR)/doc/build.info.in \ +> $(SRCDIR)/doc/build.info.new; \ + if ( test -e $(SRCDIR)/doc/build.info \ + && cmp $(SRCDIR)/doc/build.info.new $(SRCDIR)/doc/build.info \ + > /dev/null ); \ + then \ +rm $(SRCDIR)/doc/build.info.new; \ + else \ +mv $(SRCDIR)/doc/build.info.new $(SRCDIR)/doc/build.info; \ + fi ) # Set to -force to force a rebuild ERROR_REBUILD=
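Review bot: The generator's exit status is discarded in the new generate_doc_buildinfo recipe, because the redirect into `build.info.new` is followed by `;` rather than a check. If dofile.pl fails, the `else` branch still moves a partial or empty `build.info.new` over `build.info`, and the recipe's status comes from `rm`/`mv`, so make reports success. Before this change the perl command was the only command in the subshell, so its failure failed the target. I would stop on failure before the comparison: `> $(SRCDIR)/doc/build.info.new || exit 1; \`.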
[openssl] master update
The branch master has been updated via 6be27456e1346121b1fed797e92353733b59e16e (commit) via af8bd1d8359705c6a980c65b0c27c3e90fc43bea (commit) via a8eb71ad577bbbd41cea915315451f0ef9f11581 (commit) from da9988e0f5371cb7e2aeed9f3c9a6433a9acc595 (commit) - Log - commit 6be27456e1346121b1fed797e92353733b59e16e Author: Richard Levitte Date: Tue Feb 23 18:19:38 2021 +0100 Fix string termination and length setting in OSSL_PARAM_BLD_push_utf8_string() OSSL_PARAM_BLD_push_utf8_string() was still setting the length in bytes of the UTF8 string to include the terminating NUL byte, while recent changes excludes that byte from the length. It's still made to add a NUL byte at the end of the string no matter what. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14035) commit af8bd1d8359705c6a980c65b0c27c3e90fc43bea Author: Richard Levitte Date: Tue Feb 23 08:10:02 2021 +0100 Fix OSSL_PARAM_allocate_from_text() for OSSL_PARAM_UTF8_STRING OSSL_PARAM_allocate_from_text() was still setting the length in bytes of the UTF8 string to include the terminating NUL byte, while recent changes excludes that byte from the length. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14035) commit a8eb71ad577bbbd41cea915315451f0ef9f11581 Author: Richard Levitte Date: Mon Feb 1 08:58:58 2021 +0100 Allow the sshkdf type to be passed as a single character This partially reverts commit 270a5ce1d9ea579a2f1d45887971582b1ef2b6a1. This also slightly modifies the way diverse parameters in are specified in providers/fips/self_test_data.inc for better consistency. 
Fixes #14027 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14035) --- Summary of changes: crypto/param_build.c| 10 ++ crypto/params_from_text.c | 2 ++ doc/man7/EVP_KDF-SSHKDF.pod | 16 include/openssl/kdf.h | 14 ++ providers/fips/self_test_data.inc | 12 +++- providers/fips/self_test_kats.c | 3 ++- providers/implementations/kdfs/sshkdf.c | 3 ++- test/evp_kdf_test.c | 4 ++-- 8 files changed, 35 insertions(+), 29 deletions(-) diff --git a/crypto/param_build.c b/crypto/param_build.c index ce9eaa1fec..954ff81e2a 100644 --- a/crypto/param_build.c +++ b/crypto/param_build.c @@ -74,7 +74,7 @@ static OSSL_PARAM_BLD_DEF *param_push(OSSL_PARAM_BLD *bld, const char *key, pd->key = key; pd->type = type; pd->size = size; -pd->alloc_blocks = bytes_to_blocks(size); +pd->alloc_blocks = bytes_to_blocks(alloc); if ((pd->secure = secure) != 0) bld->secure_blocks += pd->alloc_blocks; else @@ -242,12 +242,12 @@ int OSSL_PARAM_BLD_push_utf8_string(OSSL_PARAM_BLD *bld, const char *key, OSSL_PARAM_BLD_DEF *pd; if (bsize == 0) { -bsize = strlen(buf) + 1; +bsize = strlen(buf); } else if (bsize > INT_MAX) { ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_STRING_TOO_LONG); return 0; } -pd = param_push(bld, key, bsize, bsize, OSSL_PARAM_UTF8_STRING, 0); +pd = param_push(bld, key, bsize, bsize + 1, OSSL_PARAM_UTF8_STRING, 0); if (pd == NULL) return 0; pd->string = buf; @@ -260,7 +260,7 @@ int OSSL_PARAM_BLD_push_utf8_ptr(OSSL_PARAM_BLD *bld, const char *key, OSSL_PARAM_BLD_DEF *pd; if (bsize == 0) { -bsize = strlen(buf) + 1; +bsize = strlen(buf); } else if (bsize > INT_MAX) { ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_STRING_TOO_LONG); return 0; @@ -340,6 +340,8 @@ static OSSL_PARAM *param_bld_convert(OSSL_PARAM_BLD *bld, OSSL_PARAM *param, memcpy(p, pd->string, pd->size); else memset(p, 0, pd->size); +if (pd->type == OSSL_PARAM_UTF8_STRING) +((char *)p)[pd->size] = '\0'; } else { /* Number, but could also be a NULL BIGNUM */ if (pd->size > sizeof(pd->num)) 
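Review bot: The added `((char *)p)[pd->size] = '\0';` in param_bld_convert() writes one byte past `pd->size`. That is in bounds only because OSSL_PARAM_BLD_push_utf8_string() now passes `bsize + 1` as the allocation size to param_push(). Nothing at the write site records that dependency, and a later caller that pushes an OSSL_PARAM_UTF8_STRING with the allocation equal to the size could turn this into a one-byte write into the next block. I would add a comment above the write, `/* push_utf8_string reserves size + 1 bytes, so the NUL fits */`. param_bld_convert() starts and ends outside the hunk.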
diff --git a/crypto/params_from_text.c b/crypto/params_from_text.c index b019744f9b..3ff94c7475 100644 --- a/crypto/params_from_text.c +++ b/crypto/params_from_text.c @@ -151,6 +151,8 @@ static int construct_from_text(OSSL_PARAM *to, const OSSL_PARAM *paramdef, #else strncpy(buf, value, buf_n); #endif +/* Don't count the terminating NUL byte as data */ +buf_n--; break; case OSSL_PARAM_OCTET_STRING: if (ishex) { diff --git a/doc/man7/EVP_KDF-SSHKDF.pod b/doc/man7/EVP_KDF-SSHKDF.pod index a2ff902cce..b782b6fa7c 100644 --- a/doc/man7/EVP_K
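Review bot: `buf_n--` in construct_from_text() is correct only if buf_n was sized to include the terminating NUL for the UTF8 string case, and that sizing happens outside this hunk. If buf_n is an unsigned size and could ever be 0 on this path, the decrement would wrap to a very large length. I would make the assumption explicit in the added comment, e.g. `/* buf_n was sized to include the NUL; don't count it as data */`, so the coupling with the sizing code is visible. construct_from_text() starts and ends outside the hunk.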
[openssl] master update
The branch master has been updated via 10315851d0230646947213ac148747bc64c56798 (commit) from ce0b307ea01bc5e3e178cd4dba45f9bb9d4ba5df (commit) - Log - commit 10315851d0230646947213ac148747bc64c56798 Author: Richard Levitte Date: Thu Jan 28 09:00:58 2021 +0100 X509: Refactor X509_PUBKEY processing to include provider side keys When a SubjectPublicKeyInfo (SPKI) is decoded into an X509_PUBKEY structure, the corresponding EVP_PKEY is automatically added as well. This used to only support our built-in keytypes, and only in legacy form. This is now refactored by making The ASN1 implementation of the X509_PUBKEY an EXTERN_ASN1, resulting in a more manual implementation of the basic support routines. Specifically, the d2i routine will do what was done in the callback before, and try to interpret the input as an EVP_PKEY, first in legacy form, and then using OSSL_DECODER. Fixes #13893 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14281) --- Summary of changes: crypto/x509/x_pubkey.c | 231 + include/crypto/x509.h | 3 + .../implementations/encode_decode/decode_der2key.c | 3 +- 3 files changed, 196 insertions(+), 41 deletions(-) diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c index 5d500f0690..8392540c73 100644 --- a/crypto/x509/x_pubkey.c +++ b/crypto/x509/x_pubkey.c @@ -22,17 +22,23 @@ #include "crypto/x509.h" #include #include +#include #include #include "internal/provider.h" +#include "internal/sizes.h" struct X509_pubkey_st { X509_ALGOR *algor; ASN1_BIT_STRING *public_key; + EVP_PKEY *pkey; /* extra data for the callback, used by d2i_PUBKEY_ex */ OSSL_LIB_CTX *libctx; char *propq; + +/* Flag to force legacy keys */ +unsigned int flag_force_legacy : 1; }; static int x509_pubkey_decode(EVP_PKEY **pk, const X509_PUBKEY *key); 
@@ -53,46 +59,172 @@ static int x509_pubkey_set0_libctx(X509_PUBKEY *x, OSSL_LIB_CTX *libctx, return 1; } -/* Minor tweak to operation: free up EVP_PKEY */ -static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, - void *exarg) +ASN1_SEQUENCE(X509_PUBKEY_INTERNAL) = { +ASN1_SIMPLE(X509_PUBKEY, algor, X509_ALGOR), +ASN1_SIMPLE(X509_PUBKEY, public_key, ASN1_BIT_STRING) +} static_ASN1_SEQUENCE_END_name(X509_PUBKEY, X509_PUBKEY_INTERNAL) + +static void x509_pubkey_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it) { X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval; -if (operation == ASN1_OP_FREE_POST) { -OPENSSL_free(pubkey->propq); -EVP_PKEY_free(pubkey->pkey); -} else if (operation == ASN1_OP_D2I_POST) { -/* Attempt to decode public key and cache in pubkey structure. */ -EVP_PKEY_free(pubkey->pkey); -pubkey->pkey = NULL; -/* - * Opportunistically decode the key but remove any non fatal errors - * from the queue. Subsequent explicit attempts to decode/use the key - * will return an appropriate error. 
- */ -ERR_set_mark(); -if (x509_pubkey_decode(>pkey, pubkey) == -1) { +X509_ALGOR_free(pubkey->algor); +ASN1_BIT_STRING_free(pubkey->public_key); +EVP_PKEY_free(pubkey->pkey); +OPENSSL_free(pubkey); +*pval = NULL; +} + +static int x509_pubkey_ex_populate(ASN1_VALUE **pval, const ASN1_ITEM *it) +{ +X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval; + +return (pubkey->algor != NULL +|| (pubkey->algor = X509_ALGOR_new()) != NULL) +&& (pubkey->public_key != NULL +|| (pubkey->public_key = ASN1_BIT_STRING_new()) != NULL); +} + +static int x509_pubkey_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it) +{ +X509_PUBKEY *ret; + +if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL +|| !x509_pubkey_ex_populate((ASN1_VALUE **), NULL)) { +x509_pubkey_ex_free((ASN1_VALUE **), NULL); +ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); +} else { +*pval = (ASN1_VALUE *)ret; +} + +return ret != NULL; +} + +static int x509_pubkey_ex_d2i(ASN1_VALUE **pval, + const unsigned char **in, long len, + const ASN1_ITEM *it, int tag, int aclass, + char opt, ASN1_TLC *ctx) +{ +const unsigned char *in_saved = *in; +X509_PUBKEY *pubkey; +int ret; +OSSL_DECODER_CTX *dctx = NULL; + +if (*pval == NULL && !x509_pubkey_ex_new(pval, it)) +return 0; +if (!x509_pubkey_ex_populate(pval, NULL)) { +ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); +return 0; +} +