[openssl-commits] [openssl] master update
The branch master has been updated via d63bde7827b0be1172f823baf25309b54aa87e0f (commit) via 0a5bda639f8fd59e15051cf757708e3b94bcf399 (commit) from e26f653defd08334ebfa517b6715a338f543fbf1 (commit) - Log - commit d63bde7827b0be1172f823baf25309b54aa87e0f Author: Matt Caswell Date: Mon Jan 14 11:22:42 2019 + Check more return values in the SRP code Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8019) commit 0a5bda639f8fd59e15051cf757708e3b94bcf399 Author: Matt Caswell Date: Mon Jan 14 11:06:43 2019 + Check a return value in the SRP code Spotted by OSTIF audit Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8019) --- Summary of changes: crypto/srp/srp_lib.c | 4 +++- crypto/srp/srp_vfy.c | 21 ++--- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/crypto/srp/srp_lib.c b/crypto/srp/srp_lib.c index c43d27a..8cba189 100644 --- a/crypto/srp/srp_lib.c +++ b/crypto/srp/srp_lib.c @@ -26,6 +26,7 @@ static BIGNUM *srp_Calc_xy(const BIGNUM *x, const BIGNUM *y, const BIGNUM *N) unsigned char *tmp = NULL; int numN = BN_num_bytes(N); BIGNUM *res = NULL; + if (x != N && BN_ucmp(x, N) >= 0) return NULL; if (y != N && BN_ucmp(y, N) >= 0) @@ -139,7 +140,8 @@ BIGNUM *SRP_Calc_x(const BIGNUM *s, const char *user, const char *pass) || !EVP_DigestFinal_ex(ctxt, dig, NULL) || !EVP_DigestInit_ex(ctxt, EVP_sha1(), NULL)) goto err; -BN_bn2bin(s, cs); +if (BN_bn2bin(s, cs) < 0) +goto err; if (!EVP_DigestUpdate(ctxt, cs, BN_num_bytes(s))) goto err; diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 4ed94b7..d69e330 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -614,10 +614,14 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, if ((len = t_fromb64(tmp, sizeof(tmp), N)) <= 0) goto err; N_bn_alloc = BN_bin2bn(tmp, len, NULL); +if (N_bn_alloc == NULL) +goto err; N_bn = N_bn_alloc; if ((len = t_fromb64(tmp, sizeof(tmp) ,g)) <= 0) goto err; g_bn_alloc = BN_bin2bn(tmp, len, NULL); +if (g_bn_alloc == NULL) +goto err; g_bn = g_bn_alloc; defgNid = "*"; } else { @@ -639,15 +643,19 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, goto err; s = BN_bin2bn(tmp2, len, NULL); } +if (s == NULL) +goto err; if (!SRP_create_verifier_BN(user, pass, , , N_bn, g_bn)) goto err; -BN_bn2bin(v, tmp); +if (BN_bn2bin(v, tmp) < 0) +goto err; vfsize = BN_num_bytes(v) * 2; if (((vf = OPENSSL_malloc(vfsize)) == NULL)) goto err; -t_tob64(vf, tmp, BN_num_bytes(v)); +if (!t_tob64(vf, tmp, BN_num_bytes(v))) +goto err; if (*salt == NULL) { char *tmp_salt; @@ -655,7 +663,10 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, if ((tmp_salt = OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL) { goto err; } -t_tob64(tmp_salt, tmp2, SRP_RANDOM_SALT_LEN); +if (!t_tob64(tmp_salt, tmp2, SRP_RANDOM_SALT_LEN)) { +OPENSSL_free(tmp_salt); +goto err; +} *salt = tmp_salt; } @@ -702,11 +713,15 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, goto err; salttmp = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); +if (salttmp == NULL) +goto err; } else { salttmp = *salt; } x = SRP_Calc_x(salttmp, user, pass); +if (x == NULL) +goto err; *verifier = BN_new(); if (*verifier == NULL) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 46c853e03a797946326c030462d708e312f36c4a (commit) via d42c356882229765c5a502c32656c49eefcce7b4 (commit) from bbcfd60e388ab9aa244d652453b52ff490be9b27 (commit) - Log - commit 46c853e03a797946326c030462d708e312f36c4a Author: Matt Caswell Date: Mon Jan 14 11:22:42 2019 + Check more return values in the SRP code Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8019) (cherry picked from commit d63bde7827b0be1172f823baf25309b54aa87e0f) commit d42c356882229765c5a502c32656c49eefcce7b4 Author: Matt Caswell Date: Mon Jan 14 11:06:43 2019 + Check a return value in the SRP code Spotted by OSTIF audit Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8019) (cherry picked from commit 0a5bda639f8fd59e15051cf757708e3b94bcf399) --- Summary of changes: crypto/srp/srp_lib.c | 4 +++- crypto/srp/srp_vfy.c | 21 ++--- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/crypto/srp/srp_lib.c b/crypto/srp/srp_lib.c index b97d630..747da88 100644 --- a/crypto/srp/srp_lib.c +++ b/crypto/srp/srp_lib.c @@ -26,6 +26,7 @@ static BIGNUM *srp_Calc_xy(const BIGNUM *x, const BIGNUM *y, const BIGNUM *N) unsigned char *tmp = NULL; int numN = BN_num_bytes(N); BIGNUM *res = NULL; + if (x != N && BN_ucmp(x, N) >= 0) return NULL; if (y != N && BN_ucmp(y, N) >= 0) @@ -139,7 +140,8 @@ BIGNUM *SRP_Calc_x(const BIGNUM *s, const char *user, const char *pass) || !EVP_DigestFinal_ex(ctxt, dig, NULL) || !EVP_DigestInit_ex(ctxt, EVP_sha1(), NULL)) goto err; -BN_bn2bin(s, cs); +if (BN_bn2bin(s, cs) < 0) +goto err; if (!EVP_DigestUpdate(ctxt, cs, BN_num_bytes(s))) goto err; diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 17b35c0..f47f6d9 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -598,10 +598,14 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, if ((len = t_fromb64(tmp, sizeof(tmp), N)) <= 0) goto err; N_bn_alloc = BN_bin2bn(tmp, len, NULL); +if (N_bn_alloc == NULL) +goto err; N_bn = N_bn_alloc; if ((len = t_fromb64(tmp, sizeof(tmp) ,g)) <= 0) goto err; g_bn_alloc = BN_bin2bn(tmp, len, NULL); +if (g_bn_alloc == NULL) +goto err; g_bn = g_bn_alloc; defgNid = "*"; } else { @@ -623,15 +627,19 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, goto err; s = BN_bin2bn(tmp2, len, NULL); } +if (s == NULL) +goto err; if (!SRP_create_verifier_BN(user, pass, , , N_bn, g_bn)) goto err; -BN_bn2bin(v, tmp); +if (BN_bn2bin(v, tmp) < 0) +goto err; vfsize = BN_num_bytes(v) * 2; if (((vf = OPENSSL_malloc(vfsize)) == NULL)) goto err; -t_tob64(vf, tmp, BN_num_bytes(v)); +if (!t_tob64(vf, tmp, BN_num_bytes(v))) +goto err; if (*salt == NULL) { char *tmp_salt; @@ -639,7 +647,10 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, if ((tmp_salt = OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL) { goto err; } -t_tob64(tmp_salt, tmp2, SRP_RANDOM_SALT_LEN); +if (!t_tob64(tmp_salt, tmp2, SRP_RANDOM_SALT_LEN)) { +OPENSSL_free(tmp_salt); +goto err; +} *salt = tmp_salt; } @@ -686,11 +697,15 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, goto err; salttmp = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); +if (salttmp == NULL) +goto err; } else { salttmp = *salt; } x = SRP_Calc_x(salttmp, user, pass); +if (x == NULL) +goto err; *verifier = BN_new(); if (*verifier == NULL) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via ea09abc80892920ee5db4de82bed7a193b5896f0 (commit) via 7fe0ed75e3e7760226a0a3a5a86cf3887004f6e4 (commit) from d63bde7827b0be1172f823baf25309b54aa87e0f (commit) - Log - commit ea09abc80892920ee5db4de82bed7a193b5896f0 Author: Matt Caswell Date: Mon Jan 14 16:37:14 2019 + Don't get the mac type in TLSv1.3 We don't use this information so we shouldn't fetch it. As noted in the comments in #8005. Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/8020) commit 7fe0ed75e3e7760226a0a3a5a86cf3887004f6e4 Author: Matt Caswell Date: Mon Jan 14 16:36:33 2019 + Add missing entries in ssl_mac_pkey_id Fixes #8005 Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/8020) --- Summary of changes: ssl/ssl_ciph.c | 2 ++ ssl/tls13_enc.c | 4 +--- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index bd97c0f..461a9de 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -171,6 +171,8 @@ static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = { EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef, /* GOST2012_512 */ EVP_PKEY_HMAC, +/* MD5/SHA1, SHA224, SHA512 */ +NID_undef, NID_undef, NID_undef }; static size_t ssl_mac_secret_size[SSL_MD_NUM_IDX]; diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index 6022950..e6cd705 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -323,11 +323,9 @@ int tls13_setup_key_block(SSL *s) { const EVP_CIPHER *c; const EVP_MD *hash; -int mac_type = NID_undef; s->session->cipher = s->s3->tmp.new_cipher; -if (!ssl_cipher_get_evp -(s->session, , , _type, NULL, NULL, 0)) { +if (!ssl_cipher_get_evp(s->session, , , NULL, NULL, NULL, 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); return 0; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 0c13c8ece1fd88acf757e385bbc865e1e94382ed (commit) via 709c6be2f8cd986f54140488d4154fe56825904b (commit) from 46c853e03a797946326c030462d708e312f36c4a (commit) - Log - commit 0c13c8ece1fd88acf757e385bbc865e1e94382ed Author: Matt Caswell Date: Mon Jan 14 16:37:14 2019 + Don't get the mac type in TLSv1.3 We don't use this information so we shouldn't fetch it. As noted in the comments in #8005. Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/8020) (cherry picked from commit ea09abc80892920ee5db4de82bed7a193b5896f0) commit 709c6be2f8cd986f54140488d4154fe56825904b Author: Matt Caswell Date: Mon Jan 14 16:36:33 2019 + Add missing entries in ssl_mac_pkey_id Fixes #8005 Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/8020) (cherry picked from commit 7fe0ed75e3e7760226a0a3a5a86cf3887004f6e4) --- Summary of changes: ssl/ssl_ciph.c | 2 ++ ssl/tls13_enc.c | 4 +--- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 14066d0..044dd3a 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -171,6 +171,8 @@ static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = { EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef, /* GOST2012_512 */ EVP_PKEY_HMAC, +/* MD5/SHA1, SHA224, SHA512 */ +NID_undef, NID_undef, NID_undef }; static size_t ssl_mac_secret_size[SSL_MD_NUM_IDX]; diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index e36b7d3..d663566 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -323,11 +323,9 @@ int tls13_setup_key_block(SSL *s) { const EVP_CIPHER *c; const EVP_MD *hash; -int mac_type = NID_undef; s->session->cipher = s->s3->tmp.new_cipher; -if (!ssl_cipher_get_evp -(s->session, , , _type, NULL, NULL, 0)) { +if (!ssl_cipher_get_evp(s->session, , , NULL, NULL, NULL, 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); return 0; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via 0ef1cccd789aa8434f9ef8e3783df637d506b53f (commit) via d5d657a5d4ee7aa2602d41cdcc5723b191c43a8b (commit) from c49be85acdf6d10bfb17d0a5f1cb6405ae25fcaf (commit) - Log - commit 0ef1cccd789aa8434f9ef8e3783df637d506b53f Merge: c49be85 d5d657a Author: Mark J. Cox Date: Tue Jan 15 12:02:31 2019 + Merge pull request #105 from iamamoose/vulns Add severities that were in the advisories but missing from the vulnerability pages, also found a missing vulnerability commit d5d657a5d4ee7aa2602d41cdcc5723b191c43a8b Author: Mark J. Cox Date: Tue Jan 15 11:37:51 2019 + Add severities that were in the advisories but missing from the vulnerability pages, also found a missing vulnerability --- Summary of changes: news/vulnerabilities.xml | 80 1 file changed, 80 insertions(+) diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 2142ade..d9b42bd 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -3629,6 +3629,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -3671,6 +3672,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -3689,6 +3691,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -3757,8 +3760,79 @@ the certificate key is invalid. This function is rarely used in practice. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due + to a NULL pointer dereference. This could lead to a Denial Of Service attack. + + + + + + @@ -3829,6 +3903,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -3872,6 +3947,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -3951,6 +4027,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -4040,6 +4117,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -4066,6 +4144,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -4201,6 +4280,7 @@ the certificate key is invalid. This function is rarely used in practice. + _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Passed: openssl/openssl#22558 (OpenSSL_1_1_1-stable - 46c853e)
Build Update for openssl/openssl - Build: #22558 Status: Passed Duration: 23 mins and 18 secs Commit: 46c853e (OpenSSL_1_1_1-stable) Author: Matt Caswell Message: Check more return values in the SRP code Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8019) (cherry picked from commit d63bde7827b0be1172f823baf25309b54aa87e0f) View the changeset: https://github.com/openssl/openssl/compare/bbcfd60e388a...46c853e03a79 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/479841153?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Passed: openssl/openssl#22560 (OpenSSL_1_1_1-stable - 0c13c8e)
Build Update for openssl/openssl - Build: #22560 Status: Passed Duration: 23 mins and 0 secs Commit: 0c13c8e (OpenSSL_1_1_1-stable) Author: Matt Caswell Message: Don't get the mac type in TLSv1.3 We don't use this information so we shouldn't fetch it. As noted in the comments in #8005. Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/8020) (cherry picked from commit ea09abc80892920ee5db4de82bed7a193b5896f0) View the changeset: https://github.com/openssl/openssl/compare/46c853e03a79...0c13c8ece1fd View the full build log and details: https://travis-ci.org/openssl/openssl/builds/479844554?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build failed: openssl master.21961
Build openssl master.21961 failed Commit feb54aa03c by Tobias Klotz on 1/15/2019 4:26 PM: Merge branch 'vxworks_randlib' of https://github.com/klotzt-draeger/openssl into vxworks_randlib Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build completed: openssl master.21962
Build openssl master.21962 completed Commit 8b2cbc15db by Jakub Zelenka on 1/15/2019 3:52 PM: Add CMS AuthEnvelopedData with AES-GCM support Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via fff469b269d8309377291ff86767314d7489fd84 (commit) via 7ab24d9508fdc6e40d53e10cf7c961070dfcc8a9 (commit) via cfa9a7cd5316fddd2e41bda3f3a1e50537e784bb (commit) from eed51aa8270dd3feb1fce049aeae505cbfe806f5 (commit) - Log - commit fff469b269d8309377291ff86767314d7489fd84 Author: Richard Levitte Date: Wed Dec 12 11:22:52 2018 +0100 test/evp_test.c: use EVP_DecryptUpdate when decrypting, even for AAD Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7856) commit 7ab24d9508fdc6e40d53e10cf7c961070dfcc8a9 Author: Richard Levitte Date: Mon Dec 10 10:23:01 2018 +0100 make update Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7856) commit cfa9a7cd5316fddd2e41bda3f3a1e50537e784bb Author: Richard Levitte Date: Mon Dec 10 10:18:10 2018 +0100 Prevent calling decryption in an encryption context and vice versa Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7856) --- Summary of changes: crypto/evp/evp.h | 2 ++ crypto/evp/evp_enc.c | 40 crypto/evp/evp_err.c | 4 +++- crypto/evp/evp_test.c | 2 +- 4 files changed, 42 insertions(+), 6 deletions(-) diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h index cf1de15..883a943 100644 --- a/crypto/evp/evp.h +++ b/crypto/evp/evp.h @@ -1489,8 +1489,10 @@ void ERR_load_EVP_strings(void); # define EVP_F_EVP_CIPHER_CTX_CTRL124 # define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH 122 # define EVP_F_EVP_DECRYPTFINAL_EX101 +# define EVP_F_EVP_DECRYPTUPDATE 181 # define EVP_F_EVP_DIGESTINIT_EX 128 # define EVP_F_EVP_ENCRYPTFINAL_EX127 +# define EVP_F_EVP_ENCRYPTUPDATE 180 # define EVP_F_EVP_MD_CTX_COPY_EX 110 # define EVP_F_EVP_MD_SIZE162 # define EVP_F_EVP_OPENINIT 102 diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index 0c740d1..c63fb53 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -317,8 +317,9 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0); } -int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, - const unsigned char *in, int inl) +static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx, +unsigned char *out, int *outl, +const unsigned char *in, int inl) { int i, j, bl; @@ -380,6 +381,18 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, return 1; } +int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, + const unsigned char *in, int inl) +{ +/* Prevent accidental use of decryption context when encrypting */ +if (!ctx->encrypt) { +EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_INVALID_OPERATION); +return 0; +} + +return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl); +} + int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { int ret; @@ -392,6 +405,12 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) int n, ret; unsigned int i, b, bl; +/* Prevent accidental use of decryption context when encrypting */ +if (!ctx->encrypt) { +EVPerr(EVP_F_EVP_ENCRYPTFINAL_EX, EVP_R_INVALID_OPERATION); +return 0; +} + if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { ret = M_do_cipher(ctx, out, NULL, 0); if (ret < 0) @@ -435,6 +454,12 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, int fix_len; unsigned int b; +/* Prevent accidental use of encryption context when decrypting */ +if (ctx->encrypt) { +EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_INVALID_OPERATION); +return 0; +} + if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) { fix_len = M_do_cipher(ctx, out, in, inl); if (fix_len < 0) { @@ -451,7 +476,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, } if (ctx->flags & EVP_CIPH_NO_PADDING) -return EVP_EncryptUpdate(ctx, out, outl, in, inl); +return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl); b = ctx->cipher->block_size; OPENSSL_assert(b <= sizeof(ctx->final)); @@ -463,7 +488,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, } else fix_len = 0; -
[openssl-commits] Build failed: openssl master.21965
Build openssl master.21965 failed Commit d9cf1c256a by Michael Tuexen on 1/15/2019 10:09 PM: Add tests for SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dso
Platform and configuration command: $ uname -a Linux run 4.4.0-135-generic #161-Ubuntu SMP Mon Aug 27 10:45:01 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dso Commit log since last time: ea09abc808 Don't get the mac type in TLSv1.3 7fe0ed75e3 Add missing entries in ssl_mac_pkey_id d63bde7827 Check more return values in the SRP code 0a5bda639f Check a return value in the SRP code Build log ended with (last 100 lines): ../../openssl/test/recipes/30-test_pkey_meth.t ok ../../openssl/test/recipes/30-test_pkey_meth_kdf.t ok ../../openssl/test/recipes/40-test_rehash.t ... ok ../../openssl/test/recipes/60-test_x509_check_cert_pkey.t . ok ../../openssl/test/recipes/60-test_x509_dup_cert.t ok ../../openssl/test/recipes/60-test_x509_store.t ... ok ../../openssl/test/recipes/60-test_x509_time.t ok ../../openssl/test/recipes/70-test_asyncio.t .. ok ../../openssl/test/recipes/70-test_bad_dtls.t . ok ../../openssl/test/recipes/70-test_clienthello.t .. ok ../../openssl/test/recipes/70-test_comp.t . skipped: test_comp needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_key_share.t skipped: test_key_share needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_packet.t ... ok ../../openssl/test/recipes/70-test_recordlen.t ok ../../openssl/test/recipes/70-test_renegotiation.t skipped: test_renegotiation needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_servername.t ... ok ../../openssl/test/recipes/70-test_sslcbcpadding.t skipped: test_sslcbcpadding needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslcertstatus.t skipped: test_sslcertstatus needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslextension.t . skipped: test_sslextension needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslmessages.t .. skipped: test_sslmessages needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslrecords.t ... skipped: test_sslrecords needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslsessiontick.t ... skipped: test_sslsessiontick needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslsigalgs.t ... skipped: test_sslsigalgs needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslsignature.t . skipped: test_sslsignature needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslskewith0p.t . skipped: test_sslskewith0p needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslversions.t .. skipped: test_sslversions needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslvertol.t skipped: test_sslextension needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tls13alerts.t .. skipped: test_tls13alerts needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tls13cookie.t .. skipped: test_tls13cookie needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tls13downgrade.t ... skipped: test_tls13downgrade needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tls13hrr.t . skipped: test_tls13hrr needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tls13kexmodes.t skipped: test_tls13kexmodes needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tls13messages.t skipped: test_tls13messages needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tls13psk.t . skipped: test_tls13psk needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tlsextms.t . skipped: test_tlsextms needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_verify_extra.t . ok ../../openssl/test/recipes/70-test_wpacket.t .. ok ../../openssl/test/recipes/80-test_ca.t ... ok ../../openssl/test/recipes/80-test_cipherbytes.t .. ok ../../openssl/test/recipes/80-test_cipherlist.t ... ok ../../openssl/test/recipes/80-test_ciphername.t ... ok ../../openssl/test/recipes/80-test_cms.t .. ok ../../openssl/test/recipes/80-test_cmsapi.t ... ok ../../openssl/test/recipes/80-test_ct.t ... ok ../../openssl/test/recipes/80-test_dane.t . ok ../../openssl/test/recipes/80-test_dtls.t . ok
[openssl-commits] Build failed: openssl master.21969
Build openssl master.21969 failed Commit aefb980c45 by Richard Levitte on 1/16/2019 5:19 AM: crypto/uid.c: use own macro as guard rather than AT_SECURE Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via aefb980c45134d84f1757de1a9c61d699c8a7e33 (commit) from ea09abc80892920ee5db4de82bed7a193b5896f0 (commit) - Log - commit aefb980c45134d84f1757de1a9c61d699c8a7e33 Author: Richard Levitte Date: Thu Dec 20 10:17:38 2018 +0100 crypto/uid.c: use own macro as guard rather than AT_SECURE It turns out that AT_SECURE may be defined through other means than our inclusion of sys/auxv.h, so to be on the safe side, we define our own guard and use that to determine if getauxval() should be used or not. Fixes #7932 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7933) --- Summary of changes: crypto/uid.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/uid.c b/crypto/uid.c index 6635639..494dbde 100644 --- a/crypto/uid.c +++ b/crypto/uid.c @@ -34,12 +34,13 @@ int OPENSSL_issetugid(void) # if defined(__GLIBC__) && defined(__GLIBC_PREREQ) # if __GLIBC_PREREQ(2, 16) # include +# define OSSL_IMPLEMENT_GETAUXVAL # endif # endif int OPENSSL_issetugid(void) { -# ifdef AT_SECURE +# ifdef OSSL_IMPLEMENT_GETAUXVAL return getauxval(AT_SECURE) != 0; # else return getuid() != geteuid() || getgid() != getegid(); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 6ffcd10ade7fac6cd08dff3dba304b9d8d9de0a4 (commit) from 0c13c8ece1fd88acf757e385bbc865e1e94382ed (commit) - Log - commit 6ffcd10ade7fac6cd08dff3dba304b9d8d9de0a4 Author: Richard Levitte Date: Thu Dec 20 10:17:38 2018 +0100 crypto/uid.c: use own macro as guard rather than AT_SECURE It turns out that AT_SECURE may be defined through other means than our inclusion of sys/auxv.h, so to be on the safe side, we define our own guard and use that to determine if getauxval() should be used or not. Fixes #7932 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7933) (cherry picked from commit aefb980c45134d84f1757de1a9c61d699c8a7e33) --- Summary of changes: crypto/uid.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/uid.c b/crypto/uid.c index f7ae261..e1c08a7 100644 --- a/crypto/uid.c +++ b/crypto/uid.c @@ -34,12 +34,13 @@ int OPENSSL_issetugid(void) # if defined(__GLIBC__) && defined(__GLIBC_PREREQ) # if __GLIBC_PREREQ(2, 16) # include +# define OSSL_IMPLEMENT_GETAUXVAL # endif # endif int OPENSSL_issetugid(void) { -# ifdef AT_SECURE +# ifdef OSSL_IMPLEMENT_GETAUXVAL return getauxval(AT_SECURE) != 0; # else return getuid() != geteuid() || getgid() != getegid(); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build completed: openssl OpenSSL_1_1_1-stable.21970
Build openssl OpenSSL_1_1_1-stable.21970 completed Commit 6ffcd10ade by Richard Levitte on 1/16/2019 5:21 AM: crypto/uid.c: use own macro as guard rather than AT_SECURE Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits