Package: release.debian.org
Control: affects -1 + src:openssl
User: release.debian....@packages.debian.org
Usertags: pu
Tags: bullseye
Severity: normal
OpenSSL upstream released 1.1.1w which the last stable update to the
1.1.1 series because it is EOL since last Monday.
The update is fairly small and contains a few fixes for memory leaks.
The mentioned CVE affects only Windows.
Sebastian
diff -Nru openssl-1.1.1v/appveyor.yml openssl-1.1.1w/appveyor.yml
--- openssl-1.1.1v/appveyor.yml 2023-08-01 15:51:35.000000000 +0200
+++ openssl-1.1.1w/appveyor.yml 1970-01-01 01:00:00.000000000 +0100
@@ -1,78 +0,0 @@
-image:
- - Visual Studio 2017
-
-platform:
- - x64
- - x86
-
-environment:
- fast_finish: true
- matrix:
- - VSVER: 15
-
-configuration:
- - shared
- - plain
- - minimal
-
-before_build:
- - ps: >-
- Install-Module VSSetup -Scope CurrentUser
- - ps: >-
- Get-VSSetupInstance -All
- - ps: >-
- gci env:* | sort-object name
- - ps: >-
- If ($env:Platform -Match "x86") {
- $env:VCVARS_PLATFORM="x86"
- $env:TARGET="VC-WIN32 no-asm --strict-warnings"
- } Else {
- $env:VCVARS_PLATFORM="amd64"
- $env:TARGET="VC-WIN64A-masm"
- }
- - ps: >-
- If ($env:Configuration -Match "shared") {
- $env:SHARED="no-makedepend"
- } ElseIf ($env:Configuration -Match "minimal") {
- $env:SHARED="no-shared no-dso no-makedepend no-aria no-async no-autoload-config no-blake2 no-bf no-camellia no-cast no-chacha no-cmac no-cms no-comp no-ct no-des no-dgram no-dh no-dsa no-dtls no-ec2m no-engine no-filenames no-gost no-idea no-mdc2 no-md4 no-multiblock no-nextprotoneg no-ocsp no-ocb no-poly1305 no-psk no-rc2 no-rc4 no-rmd160 no-seed no-siphash no-sm2 no-sm3 no-sm4 no-srp no-srtp no-ssl3 no-ssl3-method no-ts no-ui-console no-whirlpool no-asm -DOPENSSL_SMALL_FOOTPRINT"
- } Else {
- $env:SHARED="no-shared no-makedepend"
- }
- - call "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Auxiliary\Build\vcvarsall.bat" %VCVARS_PLATFORM%
- - mkdir _build
- - cd _build
- - perl ..\Configure %TARGET% %SHARED%
- - perl configdata.pm --dump
- - cd ..
- - ps: >-
- if (-not $env:APPVEYOR_PULL_REQUEST_NUMBER`
- -or (&git log -1 $env:APPVEYOR_PULL_REQUEST_HEAD_COMMIT |
- Select-String "\[extended tests\]") ) {
- $env:EXTENDED_TESTS="yes"
- }
-
-build_script:
- - cd _build
- - ps: >-
- If ($env:Configuration -Match "shared" -or $env:EXTENDED_TESTS) {
- cmd /c "nmake build_all_generated 2>&1"
- cmd /c "nmake PERL=no-perl 2>&1"
- }
- - cd ..
-
-test_script:
- - cd _build
- - ps: >-
- If ($env:Configuration -Match "shared" -or $env:EXTENDED_TESTS) {
- if ($env:EXTENDED_TESTS) {
- cmd /c "nmake test V=1 2>&1"
- } Else {
- cmd /c "nmake test V=1 TESTS=-test_fuzz 2>&1"
- }
- }
- - ps: >-
- if ($env:EXTENDED_TESTS) {
- mkdir ..\_install
- cmd /c "nmake install DESTDIR=..\_install 2>&1"
- }
- - cd ..
diff -Nru openssl-1.1.1v/CHANGES openssl-1.1.1w/CHANGES
--- openssl-1.1.1v/CHANGES 2023-08-01 15:51:35.000000000 +0200
+++ openssl-1.1.1w/CHANGES 2023-09-11 16:08:11.000000000 +0200
@@ -7,6 +7,30 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
+ Changes between 1.1.1v and 1.1.1w [11 Sep 2023]
+
+ *) Fix POLY1305 MAC implementation corrupting XMM registers on Windows.
+
+ The POLY1305 MAC (message authentication code) implementation in OpenSSL
+ does not save the contents of non-volatile XMM registers on Windows 64
+ platform when calculating the MAC of data larger than 64 bytes. Before
+ returning to the caller all the XMM registers are set to zero rather than
+ restoring their previous content. The vulnerable code is used only on newer
+ x86_64 processors supporting the AVX512-IFMA instructions.
+
+ The consequences of this kind of internal application state corruption can
+ be various - from no consequences, if the calling application does not
+ depend on the contents of non-volatile XMM registers at all, to the worst
+ consequences, where the attacker could get complete control of the
+ application process. However given the contents of the registers are just
+ zeroized so the attacker cannot put arbitrary values inside, the most likely
+ consequence, if any, would be an incorrect result of some application
+ dependent calculations or a crash leading to a denial of service.
+
+ (CVE-2023-4807)
+ [Bernd Edlinger]
+
+
Changes between 1.1.1u and 1.1.1v [1 Aug 2023]
*) Fix excessive time spent checking DH q parameter value.
diff -Nru openssl-1.1.1v/crypto/asn1/ameth_lib.c openssl-1.1.1w/crypto/asn1/ameth_lib.c
--- openssl-1.1.1v/crypto/asn1/ameth_lib.c 2023-08-01 15:51:35.000000000 +0200
+++ openssl-1.1.1w/crypto/asn1/ameth_lib.c 2023-09-11 16:08:11.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -264,6 +264,7 @@
dst->pkey_size = src->pkey_size;
dst->pkey_bits = src->pkey_bits;
+ dst->pkey_security_bits = src->pkey_security_bits;
dst->param_decode = src->param_decode;
dst->param_encode = src->param_encode;
@@ -271,6 +272,7 @@
dst->param_copy = src->param_copy;
dst->param_cmp = src->param_cmp;
dst->param_print = src->param_print;
+ dst->sig_print = src->sig_print;
dst->pkey_free = src->pkey_free;
dst->pkey_ctrl = src->pkey_ctrl;
@@ -281,6 +283,13 @@
dst->siginf_set = src->siginf_set;
dst->pkey_check = src->pkey_check;
+ dst->pkey_public_check = src->pkey_public_check;
+ dst->pkey_param_check = src->pkey_param_check;
+
+ dst->set_priv_key = src->set_priv_key;
+ dst->set_pub_key = src->set_pub_key;
+ dst->get_priv_key = src->get_priv_key;
+ dst->get_pub_key = src->get_pub_key;
}
diff -Nru openssl-1.1.1v/crypto/cms/cms_asn1.c openssl-1.1.1w/crypto/cms/cms_asn1.c
--- openssl-1.1.1v/crypto/cms/cms_asn1.c 2023-08-01 15:51:35.000000000 +0200
+++ openssl-1.1.1w/crypto/cms/cms_asn1.c 2023-09-11 16:08:11.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -51,6 +51,7 @@
EVP_PKEY_free(si->pkey);
X509_free(si->signer);
EVP_MD_CTX_free(si->mctx);
+ EVP_PKEY_CTX_free(si->pctx);
}
return 1;
}
@@ -89,11 +90,21 @@
ASN1_IMP_SET_OF_OPT(CMS_OriginatorInfo, crls, CMS_RevocationInfoChoice, 1)
} static_ASN1_SEQUENCE_END(CMS_OriginatorInfo)
-ASN1_NDEF_SEQUENCE(CMS_EncryptedContentInfo) = {
+static int cms_ec_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
+ void *exarg)
+{
+ CMS_EncryptedContentInfo *ec = (CMS_EncryptedContentInfo *)*pval;
+
+ if (operation == ASN1_OP_FREE_POST)
+ OPENSSL_clear_free(ec->key, ec->keylen);
+ return 1;
+}
+
+ASN1_NDEF_SEQUENCE_cb(CMS_EncryptedContentInfo, cms_ec_cb) = {
ASN1_SIMPLE(CMS_EncryptedContentInfo, contentType, ASN1_OBJECT),
ASN1_SIMPLE(CMS_EncryptedContentInfo, contentEncryptionAlgorithm, X509_ALGOR),
ASN1_IMP_OPT(CMS_EncryptedContentInfo, encryptedContent, ASN1_OCTET_STRING_NDEF, 0)
-} static_ASN1_NDEF_SEQUENCE_END(CMS_EncryptedContentInfo)
+} ASN1_NDEF_SEQUENCE_END_cb(CMS_EncryptedContentInfo, CMS_EncryptedContentInfo)
ASN1_SEQUENCE(CMS_KeyTransRecipientInfo) = {
ASN1_EMBED(CMS_KeyTransRecipientInfo, version, INT32),
diff -Nru openssl-1.1.1v/crypto/cms/cms_local.h openssl-1.1.1w/crypto/cms/cms_local.h
--- openssl-1.1.1v/crypto/cms/cms_local.h 2023-08-01 15:51:35.000000000 +0200
+++ openssl-1.1.1w/crypto/cms/cms_local.h 2023-09-11 16:08:11.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -342,6 +342,7 @@
DECLARE_ASN1_FUNCTIONS(CMS_ContentInfo)
DECLARE_ASN1_ITEM(CMS_SignerInfo)
+DECLARE_ASN1_ITEM(CMS_EncryptedContentInfo)
DECLARE_ASN1_ITEM(CMS_IssuerAndSerialNumber)
DECLARE_ASN1_ITEM(CMS_Attributes_Sign)
DECLARE_ASN1_ITEM(CMS_Attributes_Verify)
diff -Nru openssl-1.1.1v/crypto/cms/cms_sd.c openssl-1.1.1w/crypto/cms/cms_sd.c
--- openssl-1.1.1v/crypto/cms/cms_sd.c 2023-08-01 15:51:35.000000000 +0200
+++ openssl-1.1.1w/crypto/cms/cms_sd.c 2023-09-11 16:08:11.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -375,6 +375,8 @@
} else if (EVP_DigestSignInit(si->mctx, &si->pctx, md, NULL, pk) <=
0)
goto err;
+ else
+ EVP_MD_CTX_set_flags(si->mctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
}
if (!sd->signerInfos)
@@ -600,6 +602,7 @@
unsigned char md[EVP_MAX_MD_SIZE];
unsigned int mdlen;
pctx = si->pctx;
+ si->pctx = NULL;
if (!EVP_DigestFinal_ex(mctx, md, &mdlen))
goto err;
siglen = EVP_PKEY_size(si->pkey);
@@ -680,6 +683,7 @@
EVP_MD_CTX_reset(mctx);
if (EVP_DigestSignInit(mctx, &pctx, md, NULL, si->pkey) <= 0)
goto err;
+ EVP_MD_CTX_set_flags(mctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
si->pctx = pctx;
}
@@ -745,8 +749,13 @@
return -1;
}
mctx = si->mctx;
+ if (si->pctx != NULL) {
+ EVP_PKEY_CTX_free(si->pctx);
+ si->pctx = NULL;
+ }
if (EVP_DigestVerifyInit(mctx, &si->pctx, md, NULL, si->pkey) <= 0)
goto err;
+ EVP_MD_CTX_set_flags(mctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
if (!cms_sd_asn1_ctrl(si, 1))
goto err;
@@ -859,8 +868,11 @@
if (EVP_PKEY_CTX_set_signature_md(pkctx, md) <= 0)
goto err;
si->pctx = pkctx;
- if (!cms_sd_asn1_ctrl(si, 1))
+ if (!cms_sd_asn1_ctrl(si, 1)) {
+ si->pctx = NULL;
goto err;
+ }
+ si->pctx = NULL;
r = EVP_PKEY_verify(pkctx, si->signature->data,
si->signature->length, mval, mlen);
if (r <= 0) {
diff -Nru openssl-1.1.1v/crypto/cms/cms_smime.c openssl-1.1.1w/crypto/cms/cms_smime.c
--- openssl-1.1.1v/crypto/cms/cms_smime.c 2023-08-01 15:51:35.000000000 +0200
+++ openssl-1.1.1w/crypto/cms/cms_smime.c 2023-09-11 16:08:11.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -211,7 +211,7 @@
if (cms == NULL)
return NULL;
if (!CMS_EncryptedData_set1_key(cms, cipher, key, keylen))
- return NULL;
+ goto err;
if (!(flags & CMS_DETACHED))
CMS_set_detached(cms, 0);
@@ -220,6 +220,7 @@
|| CMS_final(cms, in, NULL, flags))
return cms;
+ err:
CMS_ContentInfo_free(cms);
return NULL;
}
diff -Nru openssl-1.1.1v/crypto/ec/ec_ameth.c openssl-1.1.1w/crypto/ec/ec_ameth.c
--- openssl-1.1.1v/crypto/ec/ec_ameth.c 2023-08-01 15:51:35.000000000 +0200
+++ openssl-1.1.1w/crypto/ec/ec_ameth.c 2023-09-11 16:08:11.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -38,7 +38,6 @@
ASN1_OBJECT *asn1obj = OBJ_nid2obj(nid);
if (asn1obj == NULL || OBJ_length(asn1obj) == 0) {
- ASN1_OBJECT_free(asn1obj);
ECerr(EC_F_ECKEY_PARAM2TYPE, EC_R_MISSING_OID);
return 0;
}
@@ -98,9 +97,7 @@
ptype, pval, penc, penclen))
return 1;
err:
- if (ptype == V_ASN1_OBJECT)
- ASN1_OBJECT_free(pval);
- else
+ if (ptype == V_ASN1_SEQUENCE)
ASN1_STRING_free(pval);
OPENSSL_free(penc);
return 0;
@@ -256,24 +253,32 @@
eplen = i2d_ECPrivateKey(&ec_key, NULL);
if (!eplen) {
+ if (ptype == V_ASN1_SEQUENCE)
+ ASN1_STRING_free(pval);
ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB);
return 0;
}
ep = OPENSSL_malloc(eplen);
if (ep == NULL) {
+ if (ptype == V_ASN1_SEQUENCE)
+ ASN1_STRING_free(pval);
ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
return 0;
}
p = ep;
if (!i2d_ECPrivateKey(&ec_key, &p)) {
- OPENSSL_free(ep);
+ OPENSSL_clear_free(ep, eplen);
+ if (ptype == V_ASN1_SEQUENCE)
+ ASN1_STRING_free(pval);
ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB);
return 0;
}
if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), 0,
ptype, pval, ep, eplen)) {
- OPENSSL_free(ep);
+ OPENSSL_clear_free(ep, eplen);
+ if (ptype == V_ASN1_SEQUENCE)
+ ASN1_STRING_free(pval);
return 0;
}
diff -Nru openssl-1.1.1v/crypto/poly1305/asm/poly1305-x86_64.pl openssl-1.1.1w/crypto/poly1305/asm/poly1305-x86_64.pl
--- openssl-1.1.1v/crypto/poly1305/asm/poly1305-x86_64.pl 2023-08-01 15:51:35.000000000 +0200
+++ openssl-1.1.1w/crypto/poly1305/asm/poly1305-x86_64.pl 2023-09-11 16:08:11.000000000 +0200
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -193,7 +193,7 @@
bt \$`5+32`,%r9 # AVX2?
cmovc %rax,%r10
___
-$code.=<<___ if ($avx>3);
+$code.=<<___ if ($avx>3 && !$win64);
mov \$`(1<<31|1<<21|1<<16)`,%rax
shr \$32,%r9
and %rax,%r9
@@ -2722,7 +2722,7 @@
.cfi_endproc
.size poly1305_blocks_avx512,.-poly1305_blocks_avx512
___
-if ($avx>3) {
+if ($avx>3 && !$win64) {
########################################################################
# VPMADD52 version using 2^44 radix.
#
diff -Nru openssl-1.1.1v/crypto/rsa/rsa_ameth.c openssl-1.1.1w/crypto/rsa/rsa_ameth.c
--- openssl-1.1.1v/crypto/rsa/rsa_ameth.c 2023-08-01 15:51:35.000000000 +0200
+++ openssl-1.1.1w/crypto/rsa/rsa_ameth.c 2023-09-11 16:08:11.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -82,13 +82,16 @@
if (!rsa_param_encode(pkey, &str, &strtype))
return 0;
penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
- if (penclen <= 0)
+ if (penclen <= 0) {
+ ASN1_STRING_free(str);
return 0;
+ }
if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),
strtype, str, penc, penclen))
return 1;
OPENSSL_free(penc);
+ ASN1_STRING_free(str);
return 0;
}
diff -Nru openssl-1.1.1v/debian/changelog openssl-1.1.1w/debian/changelog
--- openssl-1.1.1v/debian/changelog 2023-08-26 13:17:12.000000000 +0200
+++ openssl-1.1.1w/debian/changelog 2023-09-13 21:21:33.000000000 +0200
@@ -1,3 +1,9 @@
+openssl (1.1.1w-0~deb11u1) bullseye; urgency=medium
+
+ * Import 1.1.1w
+
+ -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Wed, 13 Sep 2023 21:21:33 +0200
+
openssl (1.1.1v-0~deb11u1) bullseye; urgency=medium
* Import 1.1.1v
diff -Nru openssl-1.1.1v/doc/man3/CMS_sign.pod openssl-1.1.1w/doc/man3/CMS_sign.pod
--- openssl-1.1.1v/doc/man3/CMS_sign.pod 2023-08-01 15:51:35.000000000 +0200
+++ openssl-1.1.1w/doc/man3/CMS_sign.pod 2023-09-11 16:08:11.000000000 +0200
@@ -95,7 +95,7 @@
suitable for many purposes. For finer control of the output format the
B<certs>, B<signcert> and B<pkey> parameters can all be B<NULL> and the
B<CMS_PARTIAL> flag set. Then one or more signers can be added using the
-function CMS_sign_add1_signer(), non default digests can be used and custom
+function CMS_add1_signer(), non default digests can be used and custom
attributes added. CMS_final() must then be called to finalize the
structure if streaming is not enabled.
@@ -119,7 +119,7 @@
=head1 COPYRIGHT
-Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff -Nru openssl-1.1.1v/include/openssl/opensslv.h openssl-1.1.1w/include/openssl/opensslv.h
--- openssl-1.1.1v/include/openssl/opensslv.h 2023-08-01 15:51:35.000000000 +0200
+++ openssl-1.1.1w/include/openssl/opensslv.h 2023-09-11 16:08:11.000000000 +0200
@@ -39,8 +39,8 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x1010116fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1v 1 Aug 2023"
+# define OPENSSL_VERSION_NUMBER 0x1010117fL
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023"
/*-
* The macros below are to be used for shared library (.so, .dll, ...)
diff -Nru openssl-1.1.1v/NEWS openssl-1.1.1w/NEWS
--- openssl-1.1.1v/NEWS 2023-08-01 15:51:35.000000000 +0200
+++ openssl-1.1.1w/NEWS 2023-09-11 16:08:11.000000000 +0200
@@ -5,6 +5,11 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.1.1v and OpenSSL 1.1.1w [11 Sep 2023]
+
+ o Fix POLY1305 MAC implementation corrupting XMM registers on Windows
+ (CVE-2023-4807)
+
Major changes between OpenSSL 1.1.1u and OpenSSL 1.1.1v [1 Aug 2023]
o Fix excessive time spent checking DH q parameter value (CVE-2023-3817)
diff -Nru openssl-1.1.1v/README openssl-1.1.1w/README
--- openssl-1.1.1v/README 2023-08-01 15:51:35.000000000 +0200
+++ openssl-1.1.1w/README 2023-09-11 16:08:11.000000000 +0200
@@ -1,5 +1,5 @@
- OpenSSL 1.1.1v 1 Aug 2023
+ OpenSSL 1.1.1w 11 Sep 2023
Copyright (c) 1998-2023 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff -Nru openssl-1.1.1v/ssl/ssl_sess.c openssl-1.1.1w/ssl/ssl_sess.c
--- openssl-1.1.1v/ssl/ssl_sess.c 2023-08-01 15:51:35.000000000 +0200
+++ openssl-1.1.1w/ssl/ssl_sess.c 2023-09-11 16:08:11.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -139,8 +139,11 @@
dest->references = 1;
dest->lock = CRYPTO_THREAD_lock_new();
- if (dest->lock == NULL)
+ if (dest->lock == NULL) {
+ OPENSSL_free(dest);
+ dest = NULL;
goto err;
+ }
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, dest, &dest->ex_data))
goto err;
diff -Nru openssl-1.1.1v/test/recipes/15-test_rsapss.t openssl-1.1.1w/test/recipes/15-test_rsapss.t
--- openssl-1.1.1v/test/recipes/15-test_rsapss.t 2023-08-01 15:51:35.000000000 +0200
+++ openssl-1.1.1w/test/recipes/15-test_rsapss.t 2023-09-11 16:08:11.000000000 +0200
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -16,7 +16,7 @@
setup("test_rsapss");
-plan tests => 5;
+plan tests => 7;
#using test/testrsa.pem which happens to be a 512 bit RSA
ok(run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha1',
@@ -47,3 +47,11 @@
srctop_file('test', 'testrsa.pem')])),
"openssl dgst -prverify");
unlink 'testrsapss.sig';
+
+ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA-PSS', '-pkeyopt', 'rsa_keygen_bits:1024',
+ '-pkeyopt', 'rsa_pss_keygen_md:SHA256', '-pkeyopt', 'rsa_pss_keygen_saltlen:10',
+ '-out', 'testrsapss.pem'])),
+ "openssl genpkey RSA-PSS with pss parameters");
+ok(run(app(['openssl', 'pkey', '-in', 'testrsapss.pem', '-pubout', '-text'])),
+ "openssl pkey, execute rsa_pub_encode with pss parameters");
+unlink 'testrsapss.pem';
diff -Nru openssl-1.1.1v/test/recipes/80-test_cms.t openssl-1.1.1w/test/recipes/80-test_cms.t
--- openssl-1.1.1v/test/recipes/80-test_cms.t 2023-08-01 15:51:35.000000000 +0200
+++ openssl-1.1.1w/test/recipes/80-test_cms.t 2023-09-11 16:08:11.000000000 +0200
@@ -288,6 +288,13 @@
"-secretkey", "000102030405060708090A0B0C0D0E0F", "-out", "smtst.txt" ]
],
+ [ "encrypted content test streaming PEM format -noout, 128 bit AES key",
+ [ "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
+ "-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F",
+ "-stream", "-noout" ],
+ [ "-help" ]
+ ],
+
);
my @smime_cms_comp_tests = (
