Coverity Scan: Analysis completed for openssl/openssl
Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DdjHW_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeFyF-2FUGFtcxWMgO8LTjmc9dUWrP16zXOWwJRYu9VeRwvWv8-2BbTBqB3a-2BOsLVrch061WSR7scYih50AkUEtOYCBDbDEa0FJ2l1H2K-2FqjoptqGthOlwicKhZoXS-2BYEx-2BU90o9vvSYqtmPnztwB-2FXAy1iUuGx9EEbIuYmUUrnZpzyeQH00TcmPcpApORhSzGx-2Blmc-3D Build ID: 439300 Analysis Summary: New defects found: 0 Defects eliminated: 0
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 0ec286a62840c2a0de4b7a1b5063ace3338a925f (commit) from 46119286c16341734b3cb60945fb07d1ea30eb81 (commit) - Log - commit 0ec286a62840c2a0de4b7a1b5063ace3338a925f Author: xkernel Date: Mon Feb 21 15:29:25 2022 +0800 check *libctx which is allocated by OSSL_LIB_CTX_new() Reviewed-by: Dmitry Belyavskiy Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17740) (cherry picked from commit 8d215738a05350baa583c47a2c52371d9cff3197) --- Summary of changes: test/tls-provider.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/tls-provider.c b/test/tls-provider.c index 9ac1db51b3..3b7be54331 100644 --- a/test/tls-provider.c +++ b/test/tls-provider.c @@ -840,6 +840,9 @@ int tls_provider_init(const OSSL_CORE_HANDLE *handle, { OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new(); +if (libctx == NULL) +return 0; + *provctx = libctx; /*
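Review bot: the early `return 0` added directly after `OSSL_LIB_CTX_new()` in tls_provider_init() leaves `*provctx` unassigned, so on this failure path the caller's pointer keeps whatever value it held before the call. Setting `*provctx = NULL` before returning, or documenting that the output is valid only on success, would make the failure path unambiguous. The check is placed correctly, ahead of the first use of `libctx` in `*provctx = libctx;`.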
[openssl] master update
The branch master has been updated via 8d215738a05350baa583c47a2c52371d9cff3197 (commit) from b0317df2311769e02d9ceb4e7afe19521f8ffbf1 (commit) - Log - commit 8d215738a05350baa583c47a2c52371d9cff3197 Author: xkernel Date: Mon Feb 21 15:29:25 2022 +0800 check *libctx which is allocated by OSSL_LIB_CTX_new() Reviewed-by: Dmitry Belyavskiy Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17740) --- Summary of changes: test/tls-provider.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/tls-provider.c b/test/tls-provider.c index 7bff6e7406..c658514854 100644 --- a/test/tls-provider.c +++ b/test/tls-provider.c @@ -840,6 +840,9 @@ int tls_provider_init(const OSSL_CORE_HANDLE *handle, { OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new(); +if (libctx == NULL) +return 0; + *provctx = libctx; /*
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 46119286c16341734b3cb60945fb07d1ea30eb81 (commit) from ad910cc482c8e06d04a141a9f5f79172a6e56f66 (commit) - Log - commit 46119286c16341734b3cb60945fb07d1ea30eb81 Author: Jiasheng Jiang Date: Mon Feb 21 10:54:29 2022 +0800 test/sslapitest.c: Add check for SSL_CTX_new As the potential failure of the memory allocation, it should be better to check the return value of SSL_CTX_new() and return error if fails, like SSL_CTX_new_ex(). Signed-off-by: Jiasheng Jiang Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17739) (cherry picked from commit b0317df2311769e02d9ceb4e7afe19521f8ffbf1) --- Summary of changes: test/sslapitest.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/test/sslapitest.c b/test/sslapitest.c index 9056fa28f1..b2f3471548 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -8074,8 +8074,12 @@ static int test_cert_cb_int(int prot, int tst) else cert_cb_cnt = 0; -if (tst == 2) +if (tst == 2) { snictx = SSL_CTX_new(TLS_server_method()); +if (!TEST_ptr(snictx)) +goto end; +} + SSL_CTX_set_cert_cb(sctx, cert_cb, snictx); if (!TEST_true(create_ssl_objects(sctx, cctx, , ,
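Review bot: the `goto end` added inside the new `if (tst == 2) { ... }` block of test_cert_cb_int() depends on cleanup at the `end` label, which is outside this hunk. It is worth confirming that the label releases `sctx` and `cctx` and tolerates a NULL `snictx`, because this exit is taken before `SSL_CTX_set_cert_cb(sctx, cert_cb, snictx)` runs. The commit message compares the check to SSL_CTX_new_ex(), while the hunk keeps `SSL_CTX_new(TLS_server_method())`; a short clarification in the message of which existing check it mirrors would help readers of the log.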
[openssl] master update
The branch master has been updated via b0317df2311769e02d9ceb4e7afe19521f8ffbf1 (commit) from a044af49c43ec8fe099deeb5d06501ddf70abf7a (commit) - Log - commit b0317df2311769e02d9ceb4e7afe19521f8ffbf1 Author: Jiasheng Jiang Date: Mon Feb 21 10:54:29 2022 +0800 test/sslapitest.c: Add check for SSL_CTX_new As the potential failure of the memory allocation, it should be better to check the return value of SSL_CTX_new() and return error if fails, like SSL_CTX_new_ex(). Signed-off-by: Jiasheng Jiang Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17739) --- Summary of changes: test/sslapitest.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/test/sslapitest.c b/test/sslapitest.c index 181d0ef686..8ba5d8125c 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -8090,8 +8090,12 @@ static int test_cert_cb_int(int prot, int tst) else cert_cb_cnt = 0; -if (tst == 2) +if (tst == 2) { snictx = SSL_CTX_new(TLS_server_method()); +if (!TEST_ptr(snictx)) +goto end; +} + SSL_CTX_set_cert_cb(sctx, cert_cb, snictx); if (!TEST_true(create_ssl_objects(sctx, cctx, , ,
[openssl] master update
The branch master has been updated via a044af49c43ec8fe099deeb5d06501ddf70abf7a (commit) via 2455a21f4ef9826b465ba68fd96f26ea25b80b10 (commit) from cd7ec0bca00ceb6e8d4af46a57c6c096a7ed8947 (commit) - Log - commit a044af49c43ec8fe099deeb5d06501ddf70abf7a Author: Dr. David von Oheimb Date: Fri Feb 18 09:36:00 2022 +0100 X509V3_get_d2i.pod: use I<> for arguments and remove B<> around NULL Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/17724) commit 2455a21f4ef9826b465ba68fd96f26ea25b80b10 Author: Dr. David von Oheimb Date: Thu Feb 17 19:43:55 2022 +0100 X509V3_get_d2i.pod: Fix glitch on X509V3_get{,_ext}_d2i and align order Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/17724) --- Summary of changes: doc/man3/X509V3_get_d2i.pod | 66 +++-- 1 file changed, 34 insertions(+), 32 deletions(-) diff --git a/doc/man3/X509V3_get_d2i.pod b/doc/man3/X509V3_get_d2i.pod index 981eab14b8..a94e92191d 100644 --- a/doc/man3/X509V3_get_d2i.pod +++ b/doc/man3/X509V3_get_d2i.pod @@ -2,11 +2,12 @@ =head1 NAME -X509_get0_extensions, X509_CRL_get0_extensions, X509_REVOKED_get0_extensions, X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d, -X509_get_ext_d2i, X509_add1_ext_i2d, X509_CRL_get_ext_d2i, -X509_CRL_add1_ext_i2d, X509_REVOKED_get_ext_d2i, -X509_REVOKED_add1_ext_i2d - X509 extension decode and encode functions +X509_get_ext_d2i, X509_add1_ext_i2d, +X509_CRL_get_ext_d2i, X509_CRL_add1_ext_i2d, +X509_REVOKED_get_ext_d2i, X509_REVOKED_add1_ext_i2d, +X509_get0_extensions, X509_CRL_get0_extensions, +X509_REVOKED_get0_extensions - X509 extension decode and encode functions =head1 SYNOPSIS 
@@ -38,37 +39,37 @@ X509_REVOKED_add1_ext_i2d - X509 extension decode and encode functions =head1 DESCRIPTION -X509V3_get_ext_d2i() looks for an extension with OID B in the extensions -B and, if found, decodes it. If B is B then only one +X509V3_get_d2i() looks for an extension with OID I in the extensions +I and, if found, decodes it. If I is NULL then only one occurrence of an extension is permissible otherwise the first extension after -index B<*idx> is returned and B<*idx> updated to the location of the extension. -If B is not B then B<*crit> is set to a status value: -2 if the -extension occurs multiple times (this is only returned if B is B), +index I<*idx> is returned and I<*idx> updated to the location of the extension. +If I is not NULL then I<*crit> is set to a status value: -2 if the +extension occurs multiple times (this is only returned if I is NULL), -1 if the extension could not be found, 0 if the extension is found and is not critical and 1 if critical. A pointer to an extension specific structure -or B is returned. +or NULL is returned. -X509V3_add1_i2d() adds extension B to STACK B<*x> (allocating a new -STACK if necessary) using OID B and criticality B according -to B. +X509V3_add1_i2d() adds extension I to STACK I<*x> (allocating a new +STACK if necessary) using OID I and criticality I according +to I. X509V3_EXT_d2i() attempts to decode the ASN.1 data contained in extension -B and returns a pointer to an extension specific structure or B +I and returns a pointer to an extension specific structure or NULL if the extension could not be decoded (invalid syntax or not supported). -X509V3_EXT_i2d() encodes the extension specific structure B -with OID B and criticality B. +X509V3_EXT_i2d() encodes the extension specific structure I +with OID I and criticality I. 
X509_get_ext_d2i() and X509_add1_ext_i2d() operate on the extensions of -certificate B, they are otherwise identical to X509V3_get_d2i() and +certificate I, they are otherwise identical to X509V3_get_d2i() and X509V3_add_i2d(). X509_CRL_get_ext_d2i() and X509_CRL_add1_ext_i2d() operate on the extensions -of CRL B, they are otherwise identical to X509V3_get_d2i() and +of CRL I, they are otherwise identical to X509V3_get_d2i() and X509V3_add_i2d(). X509_REVOKED_get_ext_d2i() and X509_REVOKED_add1_ext_i2d() operate on the -extensions of B structure B (i.e for CRL entry extensions), +extensions of B structure I (i.e for CRL entry extensions), they are otherwise identical to X509V3_get_d2i() and X509V3_add_i2d(). X509_get0_extensions(), X509_CRL_get0_extensions() and @@ -78,9 +79,9 @@ of a certificate a CRL or a CRL entry respectively. =head1 NOTES In almost all cases an extension can occur at most once and multiple -occurrences is an error. Therefore, the B parameter is usually B. +occurrences is an error. Therefore, the I parameter is usually NULL. -The B parameter may be one of the following values. +The I parameter may be one of the following values.
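Review bot: the DESCRIPTION paragraphs for X509_get_ext_d2i(), X509_CRL_get_ext_d2i() and X509_REVOKED_get_ext_d2i() still read "otherwise identical to X509V3_get_d2i() and X509V3_add_i2d()", while the NAME section lists the function as X509V3_add1_i2d. Since the patch already touches these paragraphs, the reference should be corrected to X509V3_add1_i2d() in all three places. In the X509_REVOKED paragraph, "(i.e for CRL entry extensions)" is also missing the second period of "i.e.".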
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via ad910cc482c8e06d04a141a9f5f79172a6e56f66 (commit) via 3138402278b3fc3ce67edc01e6198b9840ca7d9b (commit) from 5675a5aaf6a2e489022bcfc18330dae9263e598e (commit) - Log - commit ad910cc482c8e06d04a141a9f5f79172a6e56f66 Author: Dr. David von Oheimb Date: Fri Feb 18 09:36:00 2022 +0100 X509V3_get_d2i.pod: use I<> for arguments and remove B<> around NULL Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/17724) (cherry picked from commit a044af49c43ec8fe099deeb5d06501ddf70abf7a) commit 3138402278b3fc3ce67edc01e6198b9840ca7d9b Author: Dr. David von Oheimb Date: Thu Feb 17 19:43:55 2022 +0100 X509V3_get_d2i.pod: Fix glitch on X509V3_get{,_ext}_d2i and align order Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/17724) (cherry picked from commit 2455a21f4ef9826b465ba68fd96f26ea25b80b10) --- Summary of changes: doc/man3/X509V3_get_d2i.pod | 66 +++-- 1 file changed, 34 insertions(+), 32 deletions(-) diff --git a/doc/man3/X509V3_get_d2i.pod b/doc/man3/X509V3_get_d2i.pod index 981eab14b8..a94e92191d 100644 --- a/doc/man3/X509V3_get_d2i.pod +++ b/doc/man3/X509V3_get_d2i.pod @@ -2,11 +2,12 @@ =head1 NAME -X509_get0_extensions, X509_CRL_get0_extensions, X509_REVOKED_get0_extensions, X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d, -X509_get_ext_d2i, X509_add1_ext_i2d, X509_CRL_get_ext_d2i, -X509_CRL_add1_ext_i2d, X509_REVOKED_get_ext_d2i, -X509_REVOKED_add1_ext_i2d - X509 extension decode and encode functions +X509_get_ext_d2i, X509_add1_ext_i2d, +X509_CRL_get_ext_d2i, X509_CRL_add1_ext_i2d, +X509_REVOKED_get_ext_d2i, X509_REVOKED_add1_ext_i2d, +X509_get0_extensions, X509_CRL_get0_extensions, +X509_REVOKED_get0_extensions - X509 extension decode and encode functions =head1 SYNOPSIS 
@@ -38,37 +39,37 @@ X509_REVOKED_add1_ext_i2d - X509 extension decode and encode functions =head1 DESCRIPTION -X509V3_get_ext_d2i() looks for an extension with OID B in the extensions -B and, if found, decodes it. If B is B then only one +X509V3_get_d2i() looks for an extension with OID I in the extensions +I and, if found, decodes it. If I is NULL then only one occurrence of an extension is permissible otherwise the first extension after -index B<*idx> is returned and B<*idx> updated to the location of the extension. -If B is not B then B<*crit> is set to a status value: -2 if the -extension occurs multiple times (this is only returned if B is B), +index I<*idx> is returned and I<*idx> updated to the location of the extension. +If I is not NULL then I<*crit> is set to a status value: -2 if the +extension occurs multiple times (this is only returned if I is NULL), -1 if the extension could not be found, 0 if the extension is found and is not critical and 1 if critical. A pointer to an extension specific structure -or B is returned. +or NULL is returned. -X509V3_add1_i2d() adds extension B to STACK B<*x> (allocating a new -STACK if necessary) using OID B and criticality B according -to B. +X509V3_add1_i2d() adds extension I to STACK I<*x> (allocating a new +STACK if necessary) using OID I and criticality I according +to I. X509V3_EXT_d2i() attempts to decode the ASN.1 data contained in extension -B and returns a pointer to an extension specific structure or B +I and returns a pointer to an extension specific structure or NULL if the extension could not be decoded (invalid syntax or not supported). -X509V3_EXT_i2d() encodes the extension specific structure B -with OID B and criticality B. +X509V3_EXT_i2d() encodes the extension specific structure I +with OID I and criticality I. 
X509_get_ext_d2i() and X509_add1_ext_i2d() operate on the extensions of -certificate B, they are otherwise identical to X509V3_get_d2i() and +certificate I, they are otherwise identical to X509V3_get_d2i() and X509V3_add_i2d(). X509_CRL_get_ext_d2i() and X509_CRL_add1_ext_i2d() operate on the extensions -of CRL B, they are otherwise identical to X509V3_get_d2i() and +of CRL I, they are otherwise identical to X509V3_get_d2i() and X509V3_add_i2d(). X509_REVOKED_get_ext_d2i() and X509_REVOKED_add1_ext_i2d() operate on the -extensions of B structure B (i.e for CRL entry extensions), +extensions of B structure I (i.e for CRL entry extensions), they are otherwise identical to X509V3_get_d2i() and X509V3_add_i2d(). X509_get0_extensions(), X509_CRL_get0_extensions() and @@ -78,9 +79,9 @@ of a certificate a CRL or a CRL entry respectively. =head1 NOTES In almost all cases an extension can occur at most once and multiple -occurrences is an error. Therefore, the B parameter is usually B. +occurrences is
[openssl] master update
The branch master has been updated via cd7ec0bca00ceb6e8d4af46a57c6c096a7ed8947 (commit) from f596bbe4da779b56eea34d96168b557d78e1149a (commit) - Log - commit cd7ec0bca00ceb6e8d4af46a57c6c096a7ed8947 Author: Dr. David von Oheimb Date: Thu Feb 17 19:46:29 2022 +0100 CMP: add subject of any provided CSR as default message sender Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17723) --- Summary of changes: crypto/cmp/cmp_hdr.c | 3 ++- doc/man1/openssl-cmp.pod.in | 4 +++- doc/man3/OSSL_CMP_CTX_new.pod | 3 ++- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/crypto/cmp/cmp_hdr.c b/crypto/cmp/cmp_hdr.c index e970e6cbd7..86966c3195 100644 --- a/crypto/cmp/cmp_hdr.c +++ b/crypto/cmp/cmp_hdr.c @@ -301,11 +301,12 @@ int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr) return 0; /* - * If neither protection cert nor oldCert nor subject are given, + * If no protection cert nor oldCert nor CSR nor subject is given, * sender name is not known to the client and thus set to NULL-DN */ sender = ctx->cert != NULL ? X509_get_subject_name(ctx->cert) : ctx->oldCert != NULL ? X509_get_subject_name(ctx->oldCert) : +ctx->p10CSR != NULL ? X509_REQ_get_subject_name(ctx->p10CSR) : ctx->subjectName; if (!ossl_cmp_hdr_set1_sender(hdr, sender)) return 0; diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 705baf1dd6..5a111a39eb 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -273,7 +273,7 @@ or of the reference certificate (see B<-oldcert>) if provided. This default is used for IR and CR only if no SANs are set. If the NULL-DN (C<"/">) is given then no subject is placed in the template. -If provided and neither B<-cert> nor B<-oldcert> is given, +If provided and neither of B<-cert>, B<-oldcert>, or B<-csr> is given, the subject DN is used as fallback sender of outgoing CMP messages. The argument must be formatted as I. 
@@ -360,6 +360,8 @@ When used with B<-cmd> I, I, or I, it is transformed into the respective regular CMP request. It may also be used with B<-cmd> I to specify the certificate to be revoked via the included subject name and public key. +Its subject is used as fallback sender in CMP message headers +if B<-cert> and B<-oldcert> are not given. =item B<-out_trusted> I|I diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index d739f7f6f7..883bda8b69 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -457,7 +457,8 @@ When using signature-based protection of CMP request messages this CMP signer certificate will be included first in the extraCerts field. It serves as fallback reference certificate, see OSSL_CMP_CTX_set1_oldCert(). The subject of this I will be used as the sender field of outgoing -messages, while the subject of any cert set via OSSL_CMP_CTX_set1_oldCert() +messages, while the subject of any cert set via OSSL_CMP_CTX_set1_oldCert(), +the subject of any PKCS#10 CSR set via OSSL_CMP_CTX_set1_p10CSR(), and any value set via OSSL_CMP_CTX_set1_subjectName() are used as fallback. The I argument may be NULL to clear the entry.
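Review bot: in ossl_cmp_hdr_init() the new `ctx->p10CSR != NULL ? X509_REQ_get_subject_name(ctx->p10CSR) :` arm is placed ahead of `ctx->subjectName`, so a caller that sets both a CSR and a subject name now gets the CSR subject as sender where it previously got the configured subject name. The summary of changes lists only cmp_hdr.c and two .pod files, so this change in precedence lands without a test or a changelog entry; adding both would be reasonable. The OSSL_CMP_CTX_new.pod text lists the three fallbacks but does not say in which order they apply; stating the order (oldCert, then CSR, then subjectName) would match the code. In openssl-cmp.pod.in, "neither of B<-cert>, B<-oldcert>, or B<-csr>" reads better as "none of B<-cert>, B<-oldcert>, or B<-csr>".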