[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 576cc3ecb34a8909bf549798430de95fc0fb4042 (commit) from afaa7755aa3e577348e1267d5ad34da695292917 (commit) - Log - commit 576cc3ecb34a8909bf549798430de95fc0fb4042 Author: Peiwei Hu Date: Wed Jan 5 23:17:53 2022 +0800 Fix: some patches related to error exiting Signed-off-by: Peiwei Hu Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17443) --- Summary of changes: apps/verify.c| 1 + crypto/ec/ec_lib.c | 4 ++-- crypto/x509/v3_crld.c| 1 + crypto/x509/v3_sxnet.c | 8 +--- ssl/statem/statem_clnt.c | 2 +- test/evp_test.c | 2 +- 6 files changed, 11 insertions(+), 7 deletions(-) diff --git a/apps/verify.c b/apps/verify.c index acf80c65c4..a403f301fc 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -263,6 +263,7 @@ static int check(X509_STORE *ctx, const char *file, if (x509_ctrl_string(x, opt) <= 0) { BIO_printf(bio_err, "parameter error \"%s\"\n", opt); ERR_print_errors(bio_err); +X509_free(x); return 0; } } diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index 3d3cf96962..2d85d4f23a 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -1710,8 +1710,8 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], ptmp = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_ENCODING); if (ptmp != NULL && !ossl_ec_encoding_param2id(ptmp, &encoding_flag)) { -ECerr(0, EC_R_INVALID_ENCODING); -return 0; +ERR_raise(ERR_LIB_EC, EC_R_INVALID_ENCODING); +goto err; } if (encoding_flag == OPENSSL_EC_NAMED_CURVE) { ERR_raise(ERR_LIB_EC, EC_R_INVALID_ENCODING); diff --git a/crypto/x509/v3_crld.c b/crypto/x509/v3_crld.c index bc755f5f0d..e704d419f7 100644 --- a/crypto/x509/v3_crld.c +++ b/crypto/x509/v3_crld.c @@ -83,6 +83,7 @@ static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx, return -1; dnsect = X509V3_get_section(ctx, cnf->value); if (!dnsect) { +X509_NAME_free(nm); ERR_raise(ERR_LIB_X509V3, X509V3_R_SECTION_NOT_FOUND); return -1; } diff --git a/crypto/x509/v3_sxnet.c b/crypto/x509/v3_sxnet.c index 3e5ae048be..4c925900dd 100644 --- a/crypto/x509/v3_sxnet.c +++ b/crypto/x509/v3_sxnet.c @@ -167,11 +167,12 @@ int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, const char *user, goto err; if (!ASN1_INTEGER_set(sx->version, 0)) goto err; -*psx = sx; } else sx = *psx; if (SXNET_get_id_INTEGER(sx, zone)) { ERR_raise(ERR_LIB_X509V3, X509V3_R_DUPLICATE_ZONE_ID); +if (*psx == NULL) +SXNET_free(sx); return 0; } @@ -185,13 +186,14 @@ int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, const char *user, if (!sk_SXNETID_push(sx->ids, id)) goto err; id->zone = zone; +*psx = sx; return 1; err: ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); SXNETID_free(id); -SXNET_free(sx); -*psx = NULL; +if (*psx == NULL) +SXNET_free(sx); return 0; } diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 435888db21..f4e2c15600 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2926,7 +2926,7 @@ static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt) encoded_pub_len = EVP_PKEY_get1_encoded_public_key(ckey, &encoded_pub); if (encoded_pub_len == 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); -EVP_PKEY_free(skey); +EVP_PKEY_free(ckey); return EXT_RETURN_FAIL; } diff --git a/test/evp_test.c b/test/evp_test.c index eda8c827f9..47d4e6c878 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -2516,7 +2516,7 @@ static int rand_test_run(EVP_TEST *t) item->pr_entropyB_len); params[1] = OSSL_PARAM_construct_end(); if (!TEST_true(EVP_RAND_CTX_set_params(expected->parent, params))) -return 0; +goto err; } if (!TEST_true(EVP_RAND_generate (expected->ctx, got, got_len,
Coverity Scan: Analysis completed for openssl/openssl
Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3Dxy9E_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeF-2BKAOObPXjHENogK3W3gArNgzf5eU9txBld1wIVZkTKD4M2xDiyi6ppjZPyltan2cq5I4f85OxwP8oU4PkBOs3-2Fr4yAL69wjltsoj62uzMGJ7ZkaXhX47yvuYeiXBuzWzl60UFGdnWjNHSZBZ4rqHc6a-2Bw3pKOpuyp7YghbYXVdEr8NX3d3ekCX1-2FxSzU5P5o-3D Build ID: 429133 Analysis Summary: New defects found: 0 Defects eliminated: 0
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via afaa7755aa3e577348e1267d5ad34da695292917 (commit) via fa2029250e38947ebd68a9b5861bedaa2384d85d (commit) via 43927f81a5d1ea1d32508430eee2df85736ba105 (commit) from 617203e64f17371b95fc8d64fc7fde9f8bc6e9db (commit) - Log - commit afaa7755aa3e577348e1267d5ad34da695292917 Author: Matt Caswell Date: Wed Dec 29 16:39:11 2021 + Add a test for a custom digest created via EVP_MD_meth_new() We check that the init and cleanup functions for the custom method are called as expected. Based on an original reproducer by Dmitry Belyavsky from issue #17149. Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/17255) (cherry picked from commit fbbe7202eba9fba243c18513f4f0316dafb3496d) commit fa2029250e38947ebd68a9b5861bedaa2384d85d Author: Matt Caswell Date: Fri Dec 10 17:17:27 2021 + Fix a leak in EVP_DigestInit_ex() If an EVP_MD_CTX is reused then memory allocated and stored in md_data can be leaked unless the EVP_MD's cleanup function is called. Fixes #17149 Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/17255) (cherry picked from commit 357bccc8ba64ec8a5f587b04b5d6b6ca9e8dcbdc) commit 43927f81a5d1ea1d32508430eee2df85736ba105 Author: Matt Caswell Date: Fri Dec 10 16:53:02 2021 + Ensure that MDs created via EVP_MD_meth_new() go down the legacy route MDs created via EVP_MD_meth_new() are inherently legacy and therefore need to go down the legacy route when they are used. Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/17255) (cherry picked from commit d9ad5b16b32172df6f7d02cfb1c339cc85d0db01) --- Summary of changes: crypto/evp/digest.c | 34 - test/evp_extra_test.c | 85 +++ 2 files changed, 104 insertions(+), 15 deletions(-) diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index d92059cbcc..eb6ccfaca2 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -25,6 +25,19 @@ #include "crypto/evp.h" #include "evp_local.h" +static void cleanup_old_md_data(EVP_MD_CTX *ctx, int force) +{ +if (ctx->digest != NULL) { +if (ctx->digest->cleanup != NULL +&& !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_CLEANED)) +ctx->digest->cleanup(ctx); +if (ctx->md_data != NULL && ctx->digest->ctx_size > 0 +&& (!EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE) +|| force)) +OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size); +ctx->md_data = NULL; +} +} void evp_md_ctx_clear_digest(EVP_MD_CTX *ctx, int force) { @@ -41,12 +54,7 @@ void evp_md_ctx_clear_digest(EVP_MD_CTX *ctx, int force) * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because * sometimes only copies of the context are ever finalised. */ -if (ctx->digest && ctx->digest->cleanup -&& !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_CLEANED)) -ctx->digest->cleanup(ctx); -if (ctx->digest && ctx->digest->ctx_size && ctx->md_data -&& (!EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE) || force)) -OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size); +cleanup_old_md_data(ctx, force); if (force) ctx->digest = NULL; @@ -207,7 +215,8 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type, #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) || tmpimpl != NULL #endif -|| (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0) { +|| (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0 +|| type->origin == EVP_ORIG_METH) { if (ctx->digest == ctx->fetched_digest) ctx->digest = NULL; EVP_MD_free(ctx->fetched_digest); @@ -215,10 +224,7 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type, goto legacy; } -if (ctx->digest != NULL && ctx->digest->ctx_size > 0) { -OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size); -ctx->md_data = NULL; -} +cleanup_old_md_data(ctx, 1); /* Start of non-legacy code below */ @@ -307,10 +313,8 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type, } #endif if (ctx->digest != type) { -if (ctx->digest && ctx->digest->ctx_size) { -OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size); -ctx->md_data = NULL; -} +cleanup_old_md_data(ctx, 1); + ctx->digest = type; if (!(ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) && type->ctx_size) { ctx->update = type->update; di
[openssl] master update
The branch master has been updated via fbbe7202eba9fba243c18513f4f0316dafb3496d (commit) via 357bccc8ba64ec8a5f587b04b5d6b6ca9e8dcbdc (commit) via d9ad5b16b32172df6f7d02cfb1c339cc85d0db01 (commit) from 64a8f6008acce93d0bf184559c63e66c0cc0e23d (commit) - Log - commit fbbe7202eba9fba243c18513f4f0316dafb3496d Author: Matt Caswell Date: Wed Dec 29 16:39:11 2021 + Add a test for a custom digest created via EVP_MD_meth_new() We check that the init and cleanup functions for the custom method are called as expected. Based on an original reproducer by Dmitry Belyavsky from issue #17149. Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/17255) commit 357bccc8ba64ec8a5f587b04b5d6b6ca9e8dcbdc Author: Matt Caswell Date: Fri Dec 10 17:17:27 2021 + Fix a leak in EVP_DigestInit_ex() If an EVP_MD_CTX is reused then memory allocated and stored in md_data can be leaked unless the EVP_MD's cleanup function is called. Fixes #17149 Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/17255) commit d9ad5b16b32172df6f7d02cfb1c339cc85d0db01 Author: Matt Caswell Date: Fri Dec 10 16:53:02 2021 + Ensure that MDs created via EVP_MD_meth_new() go down the legacy route MDs created via EVP_MD_meth_new() are inherently legacy and therefore need to go down the legacy route when they are used. Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/17255) --- Summary of changes: crypto/evp/digest.c | 34 - test/evp_extra_test.c | 85 +++ 2 files changed, 104 insertions(+), 15 deletions(-) diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index 322cfe7646..cdcb60092e 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -25,6 +25,19 @@ #include "crypto/evp.h" #include "evp_local.h" +static void cleanup_old_md_data(EVP_MD_CTX *ctx, int force) +{ +if (ctx->digest != NULL) { +if (ctx->digest->cleanup != NULL +&& !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_CLEANED)) +ctx->digest->cleanup(ctx); +if (ctx->md_data != NULL && ctx->digest->ctx_size > 0 +&& (!EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE) +|| force)) +OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size); +ctx->md_data = NULL; +} +} void evp_md_ctx_clear_digest(EVP_MD_CTX *ctx, int force) { @@ -41,12 +54,7 @@ void evp_md_ctx_clear_digest(EVP_MD_CTX *ctx, int force) * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because * sometimes only copies of the context are ever finalised. */ -if (ctx->digest && ctx->digest->cleanup -&& !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_CLEANED)) -ctx->digest->cleanup(ctx); -if (ctx->digest && ctx->digest->ctx_size && ctx->md_data -&& (!EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE) || force)) -OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size); +cleanup_old_md_data(ctx, force); if (force) ctx->digest = NULL; @@ -208,7 +216,8 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type, || tmpimpl != NULL # endif #endif -|| (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0) { +|| (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0 +|| type->origin == EVP_ORIG_METH) { if (ctx->digest == ctx->fetched_digest) ctx->digest = NULL; EVP_MD_free(ctx->fetched_digest); @@ -216,10 +225,7 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type, goto legacy; } -if (ctx->digest != NULL && ctx->digest->ctx_size > 0) { -OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size); -ctx->md_data = NULL; -} +cleanup_old_md_data(ctx, 1); /* Start of non-legacy code below */ @@ -308,10 +314,8 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type, } #endif if (ctx->digest != type) { -if (ctx->digest && ctx->digest->ctx_size) { -OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size); -ctx->md_data = NULL; -} +cleanup_old_md_data(ctx, 1); + ctx->digest = type; if (!(ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) && type->ctx_size) { ctx->update = type->update; diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 7f191c43a9..05af89379f 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -4179,6 +4179,90 @@ static int test_evp_md_cipher_meth(void) return testresult; } +typedef struct { +int data; +} custom
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 617203e64f17371b95fc8d64fc7fde9f8bc6e9db (commit) from 7e1ec537a91d1f33c50e8f70dff82a4ed6668e9a (commit) - Log - commit 617203e64f17371b95fc8d64fc7fde9f8bc6e9db Author: Tomas Mraz Date: Wed Jan 5 16:50:00 2022 +0100 EVP_PKEY_derive_set_peer_ex: Export the peer key to proper keymgmt The peer key has to be exported to the operation's keymgmt not the ctx->pkey's keymgmt. Fixes #17424 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17425) (cherry picked from commit 64a8f6008acce93d0bf184559c63e66c0cc0e23d) --- Summary of changes: crypto/evp/exchange.c | 24 +--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/crypto/evp/exchange.c b/crypto/evp/exchange.c index e2ca30c94d..bd97a047c5 100644 --- a/crypto/evp/exchange.c +++ b/crypto/evp/exchange.c @@ -306,7 +306,7 @@ int EVP_PKEY_derive_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]) /* * Ensure that the key is provided, either natively, or as a cached * export. We start by fetching the keymgmt with the same name as - * |ctx->pkey|, but from the provider of the exchange method, using + * |ctx->keymgmt|, but from the provider of the exchange method, using * the same property query as when fetching the exchange method. * With the keymgmt we found (if we did), we try to export |ctx->pkey| * to it (evp_pkey_export_to_provider() is smart enough to only actually @@ -380,6 +380,7 @@ int EVP_PKEY_derive_set_peer_ex(EVP_PKEY_CTX *ctx, EVP_PKEY *peer, int ret = 0, check; void *provkey = NULL; EVP_PKEY_CTX *check_ctx = NULL; +EVP_KEYMGMT *tmp_keymgmt = NULL, *tmp_keymgmt_tofree = NULL; if (ctx == NULL) { ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER); @@ -404,8 +405,25 @@ int EVP_PKEY_derive_set_peer_ex(EVP_PKEY_CTX *ctx, EVP_PKEY *peer, return -1; } -provkey = evp_pkey_export_to_provider(peer, ctx->libctx, &ctx->keymgmt, - ctx->propquery); +/* + * Ensure that the |peer| is provided, either natively, or as a cached + * export. We start by fetching the keymgmt with the same name as + * |ctx->keymgmt|, but from the provider of the exchange method, using + * the same property query as when fetching the exchange method. + * With the keymgmt we found (if we did), we try to export |peer| + * to it (evp_pkey_export_to_provider() is smart enough to only actually + * export it if |tmp_keymgmt| is different from |peer|'s keymgmt) + */ +tmp_keymgmt_tofree = tmp_keymgmt = +evp_keymgmt_fetch_from_prov((OSSL_PROVIDER *) + EVP_KEYEXCH_get0_provider(ctx->op.kex.exchange), +EVP_KEYMGMT_get0_name(ctx->keymgmt), +ctx->propquery); +if (tmp_keymgmt != NULL) +provkey = evp_pkey_export_to_provider(peer, ctx->libctx, + &tmp_keymgmt, ctx->propquery); +EVP_KEYMGMT_free(tmp_keymgmt_tofree); + /* * If making the key provided wasn't possible, legacy may be able to pick * it up
[openssl] master update
The branch master has been updated via 64a8f6008acce93d0bf184559c63e66c0cc0e23d (commit) from 328bf5adf9e23da523d4195db309083aa02403c4 (commit) - Log - commit 64a8f6008acce93d0bf184559c63e66c0cc0e23d Author: Tomas Mraz Date: Wed Jan 5 16:50:00 2022 +0100 EVP_PKEY_derive_set_peer_ex: Export the peer key to proper keymgmt The peer key has to be exported to the operation's keymgmt not the ctx->pkey's keymgmt. Fixes #17424 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17425) --- Summary of changes: crypto/evp/exchange.c | 24 +--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/crypto/evp/exchange.c b/crypto/evp/exchange.c index e2ca30c94d..bd97a047c5 100644 --- a/crypto/evp/exchange.c +++ b/crypto/evp/exchange.c @@ -306,7 +306,7 @@ int EVP_PKEY_derive_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]) /* * Ensure that the key is provided, either natively, or as a cached * export. We start by fetching the keymgmt with the same name as - * |ctx->pkey|, but from the provider of the exchange method, using + * |ctx->keymgmt|, but from the provider of the exchange method, using * the same property query as when fetching the exchange method. * With the keymgmt we found (if we did), we try to export |ctx->pkey| * to it (evp_pkey_export_to_provider() is smart enough to only actually @@ -380,6 +380,7 @@ int EVP_PKEY_derive_set_peer_ex(EVP_PKEY_CTX *ctx, EVP_PKEY *peer, int ret = 0, check; void *provkey = NULL; EVP_PKEY_CTX *check_ctx = NULL; +EVP_KEYMGMT *tmp_keymgmt = NULL, *tmp_keymgmt_tofree = NULL; if (ctx == NULL) { ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER); @@ -404,8 +405,25 @@ int EVP_PKEY_derive_set_peer_ex(EVP_PKEY_CTX *ctx, EVP_PKEY *peer, return -1; } -provkey = evp_pkey_export_to_provider(peer, ctx->libctx, &ctx->keymgmt, - ctx->propquery); +/* + * Ensure that the |peer| is provided, either natively, or as a cached + * export. We start by fetching the keymgmt with the same name as + * |ctx->keymgmt|, but from the provider of the exchange method, using + * the same property query as when fetching the exchange method. + * With the keymgmt we found (if we did), we try to export |peer| + * to it (evp_pkey_export_to_provider() is smart enough to only actually + * export it if |tmp_keymgmt| is different from |peer|'s keymgmt) + */ +tmp_keymgmt_tofree = tmp_keymgmt = +evp_keymgmt_fetch_from_prov((OSSL_PROVIDER *) + EVP_KEYEXCH_get0_provider(ctx->op.kex.exchange), +EVP_KEYMGMT_get0_name(ctx->keymgmt), +ctx->propquery); +if (tmp_keymgmt != NULL) +provkey = evp_pkey_export_to_provider(peer, ctx->libctx, + &tmp_keymgmt, ctx->propquery); +EVP_KEYMGMT_free(tmp_keymgmt_tofree); + /* * If making the key provided wasn't possible, legacy may be able to pick * it up