[openssl-commits] [openssl] master update
The branch master has been updated
via d63bde7827b0be1172f823baf25309b54aa87e0f (commit)
via 0a5bda639f8fd59e15051cf757708e3b94bcf399 (commit)
from e26f653defd08334ebfa517b6715a338f543fbf1 (commit)
- Log -
commit d63bde7827b0be1172f823baf25309b54aa87e0f
Author: Matt Caswell
Date: Mon Jan 14 11:22:42 2019 +
Check more return values in the SRP code
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/8019)
commit 0a5bda639f8fd59e15051cf757708e3b94bcf399
Author: Matt Caswell
Date: Mon Jan 14 11:06:43 2019 +
Check a return value in the SRP code
Spotted by OSTIF audit
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/8019)
---
Summary of changes:
crypto/srp/srp_lib.c | 4 +++-
crypto/srp/srp_vfy.c | 21 ++---
2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/crypto/srp/srp_lib.c b/crypto/srp/srp_lib.c
index c43d27a..8cba189 100644
--- a/crypto/srp/srp_lib.c
+++ b/crypto/srp/srp_lib.c
@@ -26,6 +26,7 @@ static BIGNUM *srp_Calc_xy(const BIGNUM *x, const BIGNUM *y,
const BIGNUM *N)
unsigned char *tmp = NULL;
int numN = BN_num_bytes(N);
BIGNUM *res = NULL;
+
if (x != N && BN_ucmp(x, N) >= 0)
return NULL;
if (y != N && BN_ucmp(y, N) >= 0)
@@ -139,7 +140,8 @@ BIGNUM *SRP_Calc_x(const BIGNUM *s, const char *user, const
char *pass)
|| !EVP_DigestFinal_ex(ctxt, dig, NULL)
|| !EVP_DigestInit_ex(ctxt, EVP_sha1(), NULL))
goto err;
-BN_bn2bin(s, cs);
+if (BN_bn2bin(s, cs) < 0)
+goto err;
if (!EVP_DigestUpdate(ctxt, cs, BN_num_bytes(s)))
goto err;
diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
index 4ed94b7..d69e330 100644
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -614,10 +614,14 @@ char *SRP_create_verifier(const char *user, const char
*pass, char **salt,
if ((len = t_fromb64(tmp, sizeof(tmp), N)) <= 0)
goto err;
N_bn_alloc = BN_bin2bn(tmp, len, NULL);
+if (N_bn_alloc == NULL)
+goto err;
N_bn = N_bn_alloc;
if ((len = t_fromb64(tmp, sizeof(tmp) ,g)) <= 0)
goto err;
g_bn_alloc = BN_bin2bn(tmp, len, NULL);
+if (g_bn_alloc == NULL)
+goto err;
g_bn = g_bn_alloc;
defgNid = "*";
} else {
@@ -639,15 +643,19 @@ char *SRP_create_verifier(const char *user, const char
*pass, char **salt,
goto err;
s = BN_bin2bn(tmp2, len, NULL);
}
+if (s == NULL)
+goto err;
if (!SRP_create_verifier_BN(user, pass, , , N_bn, g_bn))
goto err;
-BN_bn2bin(v, tmp);
+if (BN_bn2bin(v, tmp) < 0)
+goto err;
vfsize = BN_num_bytes(v) * 2;
if (((vf = OPENSSL_malloc(vfsize)) == NULL))
goto err;
-t_tob64(vf, tmp, BN_num_bytes(v));
+if (!t_tob64(vf, tmp, BN_num_bytes(v)))
+goto err;
if (*salt == NULL) {
char *tmp_salt;
@@ -655,7 +663,10 @@ char *SRP_create_verifier(const char *user, const char
*pass, char **salt,
if ((tmp_salt = OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL) {
goto err;
}
-t_tob64(tmp_salt, tmp2, SRP_RANDOM_SALT_LEN);
+if (!t_tob64(tmp_salt, tmp2, SRP_RANDOM_SALT_LEN)) {
+OPENSSL_free(tmp_salt);
+goto err;
+}
*salt = tmp_salt;
}
@@ -702,11 +713,15 @@ int SRP_create_verifier_BN(const char *user, const char
*pass, BIGNUM **salt,
goto err;
salttmp = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL);
+if (salttmp == NULL)
+goto err;
} else {
salttmp = *salt;
}
x = SRP_Calc_x(salttmp, user, pass);
+if (x == NULL)
+goto err;
*verifier = BN_new();
if (*verifier == NULL)
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated
via 46c853e03a797946326c030462d708e312f36c4a (commit)
via d42c356882229765c5a502c32656c49eefcce7b4 (commit)
from bbcfd60e388ab9aa244d652453b52ff490be9b27 (commit)
- Log -
commit 46c853e03a797946326c030462d708e312f36c4a
Author: Matt Caswell
Date: Mon Jan 14 11:22:42 2019 +
Check more return values in the SRP code
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/8019)
(cherry picked from commit d63bde7827b0be1172f823baf25309b54aa87e0f)
commit d42c356882229765c5a502c32656c49eefcce7b4
Author: Matt Caswell
Date: Mon Jan 14 11:06:43 2019 +
Check a return value in the SRP code
Spotted by OSTIF audit
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/8019)
(cherry picked from commit 0a5bda639f8fd59e15051cf757708e3b94bcf399)
---
Summary of changes:
crypto/srp/srp_lib.c | 4 +++-
crypto/srp/srp_vfy.c | 21 ++---
2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/crypto/srp/srp_lib.c b/crypto/srp/srp_lib.c
index b97d630..747da88 100644
--- a/crypto/srp/srp_lib.c
+++ b/crypto/srp/srp_lib.c
@@ -26,6 +26,7 @@ static BIGNUM *srp_Calc_xy(const BIGNUM *x, const BIGNUM *y,
const BIGNUM *N)
unsigned char *tmp = NULL;
int numN = BN_num_bytes(N);
BIGNUM *res = NULL;
+
if (x != N && BN_ucmp(x, N) >= 0)
return NULL;
if (y != N && BN_ucmp(y, N) >= 0)
@@ -139,7 +140,8 @@ BIGNUM *SRP_Calc_x(const BIGNUM *s, const char *user, const
char *pass)
|| !EVP_DigestFinal_ex(ctxt, dig, NULL)
|| !EVP_DigestInit_ex(ctxt, EVP_sha1(), NULL))
goto err;
-BN_bn2bin(s, cs);
+if (BN_bn2bin(s, cs) < 0)
+goto err;
if (!EVP_DigestUpdate(ctxt, cs, BN_num_bytes(s)))
goto err;
diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
index 17b35c0..f47f6d9 100644
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -598,10 +598,14 @@ char *SRP_create_verifier(const char *user, const char
*pass, char **salt,
if ((len = t_fromb64(tmp, sizeof(tmp), N)) <= 0)
goto err;
N_bn_alloc = BN_bin2bn(tmp, len, NULL);
+if (N_bn_alloc == NULL)
+goto err;
N_bn = N_bn_alloc;
if ((len = t_fromb64(tmp, sizeof(tmp) ,g)) <= 0)
goto err;
g_bn_alloc = BN_bin2bn(tmp, len, NULL);
+if (g_bn_alloc == NULL)
+goto err;
g_bn = g_bn_alloc;
defgNid = "*";
} else {
@@ -623,15 +627,19 @@ char *SRP_create_verifier(const char *user, const char
*pass, char **salt,
goto err;
s = BN_bin2bn(tmp2, len, NULL);
}
+if (s == NULL)
+goto err;
if (!SRP_create_verifier_BN(user, pass, , , N_bn, g_bn))
goto err;
-BN_bn2bin(v, tmp);
+if (BN_bn2bin(v, tmp) < 0)
+goto err;
vfsize = BN_num_bytes(v) * 2;
if (((vf = OPENSSL_malloc(vfsize)) == NULL))
goto err;
-t_tob64(vf, tmp, BN_num_bytes(v));
+if (!t_tob64(vf, tmp, BN_num_bytes(v)))
+goto err;
if (*salt == NULL) {
char *tmp_salt;
@@ -639,7 +647,10 @@ char *SRP_create_verifier(const char *user, const char
*pass, char **salt,
if ((tmp_salt = OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL) {
goto err;
}
-t_tob64(tmp_salt, tmp2, SRP_RANDOM_SALT_LEN);
+if (!t_tob64(tmp_salt, tmp2, SRP_RANDOM_SALT_LEN)) {
+OPENSSL_free(tmp_salt);
+goto err;
+}
*salt = tmp_salt;
}
@@ -686,11 +697,15 @@ int SRP_create_verifier_BN(const char *user, const char
*pass, BIGNUM **salt,
goto err;
salttmp = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL);
+if (salttmp == NULL)
+goto err;
} else {
salttmp = *salt;
}
x = SRP_Calc_x(salttmp, user, pass);
+if (x == NULL)
+goto err;
*verifier = BN_new();
if (*verifier == NULL)
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated
via ea09abc80892920ee5db4de82bed7a193b5896f0 (commit)
via 7fe0ed75e3e7760226a0a3a5a86cf3887004f6e4 (commit)
from d63bde7827b0be1172f823baf25309b54aa87e0f (commit)
- Log -
commit ea09abc80892920ee5db4de82bed7a193b5896f0
Author: Matt Caswell
Date: Mon Jan 14 16:37:14 2019 +
Don't get the mac type in TLSv1.3
We don't use this information so we shouldn't fetch it. As noted in the
comments in #8005.
Reviewed-by: Ben Kaduk
(Merged from https://github.com/openssl/openssl/pull/8020)
commit 7fe0ed75e3e7760226a0a3a5a86cf3887004f6e4
Author: Matt Caswell
Date: Mon Jan 14 16:36:33 2019 +
Add missing entries in ssl_mac_pkey_id
Fixes #8005
Reviewed-by: Ben Kaduk
(Merged from https://github.com/openssl/openssl/pull/8020)
---
Summary of changes:
ssl/ssl_ciph.c | 2 ++
ssl/tls13_enc.c | 4 +---
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index bd97c0f..461a9de 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -171,6 +171,8 @@ static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = {
EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef,
/* GOST2012_512 */
EVP_PKEY_HMAC,
+/* MD5/SHA1, SHA224, SHA512 */
+NID_undef, NID_undef, NID_undef
};
static size_t ssl_mac_secret_size[SSL_MD_NUM_IDX];
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index 6022950..e6cd705 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -323,11 +323,9 @@ int tls13_setup_key_block(SSL *s)
{
const EVP_CIPHER *c;
const EVP_MD *hash;
-int mac_type = NID_undef;
s->session->cipher = s->s3->tmp.new_cipher;
-if (!ssl_cipher_get_evp
-(s->session, , , _type, NULL, NULL, 0)) {
+if (!ssl_cipher_get_evp(s->session, , , NULL, NULL, NULL, 0)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_SETUP_KEY_BLOCK,
SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
return 0;
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated
via 0c13c8ece1fd88acf757e385bbc865e1e94382ed (commit)
via 709c6be2f8cd986f54140488d4154fe56825904b (commit)
from 46c853e03a797946326c030462d708e312f36c4a (commit)
- Log -
commit 0c13c8ece1fd88acf757e385bbc865e1e94382ed
Author: Matt Caswell
Date: Mon Jan 14 16:37:14 2019 +
Don't get the mac type in TLSv1.3
We don't use this information so we shouldn't fetch it. As noted in the
comments in #8005.
Reviewed-by: Ben Kaduk
(Merged from https://github.com/openssl/openssl/pull/8020)
(cherry picked from commit ea09abc80892920ee5db4de82bed7a193b5896f0)
commit 709c6be2f8cd986f54140488d4154fe56825904b
Author: Matt Caswell
Date: Mon Jan 14 16:36:33 2019 +
Add missing entries in ssl_mac_pkey_id
Fixes #8005
Reviewed-by: Ben Kaduk
(Merged from https://github.com/openssl/openssl/pull/8020)
(cherry picked from commit 7fe0ed75e3e7760226a0a3a5a86cf3887004f6e4)
---
Summary of changes:
ssl/ssl_ciph.c | 2 ++
ssl/tls13_enc.c | 4 +---
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 14066d0..044dd3a 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -171,6 +171,8 @@ static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = {
EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef,
/* GOST2012_512 */
EVP_PKEY_HMAC,
+/* MD5/SHA1, SHA224, SHA512 */
+NID_undef, NID_undef, NID_undef
};
static size_t ssl_mac_secret_size[SSL_MD_NUM_IDX];
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index e36b7d3..d663566 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -323,11 +323,9 @@ int tls13_setup_key_block(SSL *s)
{
const EVP_CIPHER *c;
const EVP_MD *hash;
-int mac_type = NID_undef;
s->session->cipher = s->s3->tmp.new_cipher;
-if (!ssl_cipher_get_evp
-(s->session, , , _type, NULL, NULL, 0)) {
+if (!ssl_cipher_get_evp(s->session, , , NULL, NULL, NULL, 0)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_SETUP_KEY_BLOCK,
SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
return 0;
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [web] master update
The branch master has been updated via 0ef1cccd789aa8434f9ef8e3783df637d506b53f (commit) via d5d657a5d4ee7aa2602d41cdcc5723b191c43a8b (commit) from c49be85acdf6d10bfb17d0a5f1cb6405ae25fcaf (commit) - Log - commit 0ef1cccd789aa8434f9ef8e3783df637d506b53f Merge: c49be85 d5d657a Author: Mark J. Cox Date: Tue Jan 15 12:02:31 2019 + Merge pull request #105 from iamamoose/vulns Add severities that were in the advisories but missing from the vulnerability pages, also found a missing vulnerability commit d5d657a5d4ee7aa2602d41cdcc5723b191c43a8b Author: Mark J. Cox Date: Tue Jan 15 11:37:51 2019 + Add severities that were in the advisories but missing from the vulnerability pages, also found a missing vulnerability --- Summary of changes: news/vulnerabilities.xml | 80 1 file changed, 80 insertions(+) diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 2142ade..d9b42bd 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -3629,6 +3629,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -3671,6 +3672,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -3689,6 +3691,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -3757,8 +3760,79 @@ the certificate key is invalid. This function is rarely used in practice. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due + to a NULL pointer dereference. This could lead to a Denial Of Service attack. + + + + + + @@ -3829,6 +3903,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -3872,6 +3947,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -3951,6 +4027,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -4040,6 +4117,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -4066,6 +4144,7 @@ the certificate key is invalid. This function is rarely used in practice. + @@ -4201,6 +4280,7 @@ the certificate key is invalid. This function is rarely used in practice. + _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Passed: openssl/openssl#22558 (OpenSSL_1_1_1-stable - 46c853e)
Build Update for openssl/openssl - Build: #22558 Status: Passed Duration: 23 mins and 18 secs Commit: 46c853e (OpenSSL_1_1_1-stable) Author: Matt Caswell Message: Check more return values in the SRP code Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8019) (cherry picked from commit d63bde7827b0be1172f823baf25309b54aa87e0f) View the changeset: https://github.com/openssl/openssl/compare/bbcfd60e388a...46c853e03a79 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/479841153?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Passed: openssl/openssl#22560 (OpenSSL_1_1_1-stable - 0c13c8e)
Build Update for openssl/openssl - Build: #22560 Status: Passed Duration: 23 mins and 0 secs Commit: 0c13c8e (OpenSSL_1_1_1-stable) Author: Matt Caswell Message: Don't get the mac type in TLSv1.3 We don't use this information so we shouldn't fetch it. As noted in the comments in #8005. Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/8020) (cherry picked from commit ea09abc80892920ee5db4de82bed7a193b5896f0) View the changeset: https://github.com/openssl/openssl/compare/46c853e03a79...0c13c8ece1fd View the full build log and details: https://travis-ci.org/openssl/openssl/builds/479844554?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.org/account/preferences/unsubscribe?repository=5849220_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.org/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications. _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build failed: openssl master.21961
Build openssl master.21961 failed Commit feb54aa03c by Tobias Klotz on 1/15/2019 4:26 PM: Merge branch 'vxworks_randlib' of https://github.com/klotzt-draeger/openssl into vxworks_randlib Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build completed: openssl master.21962
Build openssl master.21962 completed Commit 8b2cbc15db by Jakub Zelenka on 1/15/2019 3:52 PM: Add CMS AuthEnvelopedData with AES-GCM support Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated
via fff469b269d8309377291ff86767314d7489fd84 (commit)
via 7ab24d9508fdc6e40d53e10cf7c961070dfcc8a9 (commit)
via cfa9a7cd5316fddd2e41bda3f3a1e50537e784bb (commit)
from eed51aa8270dd3feb1fce049aeae505cbfe806f5 (commit)
- Log -
commit fff469b269d8309377291ff86767314d7489fd84
Author: Richard Levitte
Date: Wed Dec 12 11:22:52 2018 +0100
test/evp_test.c: use EVP_DecryptUpdate when decrypting, even for AAD
Reviewed-by: Matthias St. Pierre
(Merged from https://github.com/openssl/openssl/pull/7856)
commit 7ab24d9508fdc6e40d53e10cf7c961070dfcc8a9
Author: Richard Levitte
Date: Mon Dec 10 10:23:01 2018 +0100
make update
Reviewed-by: Matthias St. Pierre
(Merged from https://github.com/openssl/openssl/pull/7856)
commit cfa9a7cd5316fddd2e41bda3f3a1e50537e784bb
Author: Richard Levitte
Date: Mon Dec 10 10:18:10 2018 +0100
Prevent calling decryption in an encryption context and vice versa
Reviewed-by: Matthias St. Pierre
(Merged from https://github.com/openssl/openssl/pull/7856)
---
Summary of changes:
crypto/evp/evp.h | 2 ++
crypto/evp/evp_enc.c | 40
crypto/evp/evp_err.c | 4 +++-
crypto/evp/evp_test.c | 2 +-
4 files changed, 42 insertions(+), 6 deletions(-)
diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h
index cf1de15..883a943 100644
--- a/crypto/evp/evp.h
+++ b/crypto/evp/evp.h
@@ -1489,8 +1489,10 @@ void ERR_load_EVP_strings(void);
# define EVP_F_EVP_CIPHER_CTX_CTRL124
# define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH 122
# define EVP_F_EVP_DECRYPTFINAL_EX101
+# define EVP_F_EVP_DECRYPTUPDATE 181
# define EVP_F_EVP_DIGESTINIT_EX 128
# define EVP_F_EVP_ENCRYPTFINAL_EX127
+# define EVP_F_EVP_ENCRYPTUPDATE 180
# define EVP_F_EVP_MD_CTX_COPY_EX 110
# define EVP_F_EVP_MD_SIZE162
# define EVP_F_EVP_OPENINIT 102
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 0c740d1..c63fb53 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -317,8 +317,9 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const
EVP_CIPHER *cipher,
return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0);
}
-int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
- const unsigned char *in, int inl)
+static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx,
+unsigned char *out, int *outl,
+const unsigned char *in, int inl)
{
int i, j, bl;
@@ -380,6 +381,18 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char
*out, int *outl,
return 1;
}
+int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
+ const unsigned char *in, int inl)
+{
+/* Prevent accidental use of decryption context when encrypting */
+if (!ctx->encrypt) {
+EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_INVALID_OPERATION);
+return 0;
+}
+
+return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
+}
+
int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
{
int ret;
@@ -392,6 +405,12 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char
*out, int *outl)
int n, ret;
unsigned int i, b, bl;
+/* Prevent accidental use of decryption context when encrypting */
+if (!ctx->encrypt) {
+EVPerr(EVP_F_EVP_ENCRYPTFINAL_EX, EVP_R_INVALID_OPERATION);
+return 0;
+}
+
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
ret = M_do_cipher(ctx, out, NULL, 0);
if (ret < 0)
@@ -435,6 +454,12 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char
*out, int *outl,
int fix_len;
unsigned int b;
+/* Prevent accidental use of encryption context when decrypting */
+if (ctx->encrypt) {
+EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_INVALID_OPERATION);
+return 0;
+}
+
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
fix_len = M_do_cipher(ctx, out, in, inl);
if (fix_len < 0) {
@@ -451,7 +476,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char
*out, int *outl,
}
if (ctx->flags & EVP_CIPH_NO_PADDING)
-return EVP_EncryptUpdate(ctx, out, outl, in, inl);
+return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
b = ctx->cipher->block_size;
OPENSSL_assert(b <= sizeof(ctx->final));
@@ -463,7 +488,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char
*out, int *outl,
} else
fix_len = 0;
-
[openssl-commits] Build failed: openssl master.21965
Build openssl master.21965 failed Commit d9cf1c256a by Michael Tuexen on 1/15/2019 10:09 PM: Add tests for SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-dso
Platform and configuration command: $ uname -a Linux run 4.4.0-135-generic #161-Ubuntu SMP Mon Aug 27 10:45:01 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-dso Commit log since last time: ea09abc808 Don't get the mac type in TLSv1.3 7fe0ed75e3 Add missing entries in ssl_mac_pkey_id d63bde7827 Check more return values in the SRP code 0a5bda639f Check a return value in the SRP code Build log ended with (last 100 lines): ../../openssl/test/recipes/30-test_pkey_meth.t ok ../../openssl/test/recipes/30-test_pkey_meth_kdf.t ok ../../openssl/test/recipes/40-test_rehash.t ... ok ../../openssl/test/recipes/60-test_x509_check_cert_pkey.t . ok ../../openssl/test/recipes/60-test_x509_dup_cert.t ok ../../openssl/test/recipes/60-test_x509_store.t ... ok ../../openssl/test/recipes/60-test_x509_time.t ok ../../openssl/test/recipes/70-test_asyncio.t .. ok ../../openssl/test/recipes/70-test_bad_dtls.t . ok ../../openssl/test/recipes/70-test_clienthello.t .. ok ../../openssl/test/recipes/70-test_comp.t . skipped: test_comp needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_key_share.t skipped: test_key_share needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_packet.t ... ok ../../openssl/test/recipes/70-test_recordlen.t ok ../../openssl/test/recipes/70-test_renegotiation.t skipped: test_renegotiation needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_servername.t ... ok ../../openssl/test/recipes/70-test_sslcbcpadding.t skipped: test_sslcbcpadding needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslcertstatus.t skipped: test_sslcertstatus needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslextension.t . skipped: test_sslextension needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslmessages.t .. skipped: test_sslmessages needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslrecords.t ... skipped: test_sslrecords needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslsessiontick.t ... skipped: test_sslsessiontick needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslsigalgs.t ... skipped: test_sslsigalgs needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslsignature.t . skipped: test_sslsignature needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslskewith0p.t . skipped: test_sslskewith0p needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslversions.t .. skipped: test_sslversions needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_sslvertol.t skipped: test_sslextension needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tls13alerts.t .. skipped: test_tls13alerts needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tls13cookie.t .. skipped: test_tls13cookie needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tls13downgrade.t ... skipped: test_tls13downgrade needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tls13hrr.t . skipped: test_tls13hrr needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tls13kexmodes.t skipped: test_tls13kexmodes needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tls13messages.t skipped: test_tls13messages needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tls13psk.t . skipped: test_tls13psk needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_tlsextms.t . skipped: test_tlsextms needs the dynamic engine feature enabled ../../openssl/test/recipes/70-test_verify_extra.t . ok ../../openssl/test/recipes/70-test_wpacket.t .. ok ../../openssl/test/recipes/80-test_ca.t ... ok ../../openssl/test/recipes/80-test_cipherbytes.t .. ok ../../openssl/test/recipes/80-test_cipherlist.t ... ok ../../openssl/test/recipes/80-test_ciphername.t ... ok ../../openssl/test/recipes/80-test_cms.t .. ok ../../openssl/test/recipes/80-test_cmsapi.t ... ok ../../openssl/test/recipes/80-test_ct.t ... ok ../../openssl/test/recipes/80-test_dane.t . ok ../../openssl/test/recipes/80-test_dtls.t . ok
[openssl-commits] Build failed: openssl master.21969
Build openssl master.21969 failed Commit aefb980c45 by Richard Levitte on 1/16/2019 5:19 AM: crypto/uid.c: use own macro as guard rather than AT_SECURE Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated
via aefb980c45134d84f1757de1a9c61d699c8a7e33 (commit)
from ea09abc80892920ee5db4de82bed7a193b5896f0 (commit)
- Log -
commit aefb980c45134d84f1757de1a9c61d699c8a7e33
Author: Richard Levitte
Date: Thu Dec 20 10:17:38 2018 +0100
crypto/uid.c: use own macro as guard rather than AT_SECURE
It turns out that AT_SECURE may be defined through other means than
our inclusion of sys/auxv.h, so to be on the safe side, we define our
own guard and use that to determine if getauxval() should be used or
not.
Fixes #7932
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/7933)
---
Summary of changes:
crypto/uid.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/crypto/uid.c b/crypto/uid.c
index 6635639..494dbde 100644
--- a/crypto/uid.c
+++ b/crypto/uid.c
@@ -34,12 +34,13 @@ int OPENSSL_issetugid(void)
# if defined(__GLIBC__) && defined(__GLIBC_PREREQ)
# if __GLIBC_PREREQ(2, 16)
# include
+# define OSSL_IMPLEMENT_GETAUXVAL
# endif
# endif
int OPENSSL_issetugid(void)
{
-# ifdef AT_SECURE
+# ifdef OSSL_IMPLEMENT_GETAUXVAL
return getauxval(AT_SECURE) != 0;
# else
return getuid() != geteuid() || getgid() != getegid();
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated
via 6ffcd10ade7fac6cd08dff3dba304b9d8d9de0a4 (commit)
from 0c13c8ece1fd88acf757e385bbc865e1e94382ed (commit)
- Log -
commit 6ffcd10ade7fac6cd08dff3dba304b9d8d9de0a4
Author: Richard Levitte
Date: Thu Dec 20 10:17:38 2018 +0100
crypto/uid.c: use own macro as guard rather than AT_SECURE
It turns out that AT_SECURE may be defined through other means than
our inclusion of sys/auxv.h, so to be on the safe side, we define our
own guard and use that to determine if getauxval() should be used or
not.
Fixes #7932
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/7933)
(cherry picked from commit aefb980c45134d84f1757de1a9c61d699c8a7e33)
---
Summary of changes:
crypto/uid.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/crypto/uid.c b/crypto/uid.c
index f7ae261..e1c08a7 100644
--- a/crypto/uid.c
+++ b/crypto/uid.c
@@ -34,12 +34,13 @@ int OPENSSL_issetugid(void)
# if defined(__GLIBC__) && defined(__GLIBC_PREREQ)
# if __GLIBC_PREREQ(2, 16)
# include
+# define OSSL_IMPLEMENT_GETAUXVAL
# endif
# endif
int OPENSSL_issetugid(void)
{
-# ifdef AT_SECURE
+# ifdef OSSL_IMPLEMENT_GETAUXVAL
return getauxval(AT_SECURE) != 0;
# else
return getuid() != geteuid() || getgid() != getegid();
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build completed: openssl OpenSSL_1_1_1-stable.21970
Build openssl OpenSSL_1_1_1-stable.21970 completed Commit 6ffcd10ade by Richard Levitte on 1/16/2019 5:21 AM: crypto/uid.c: use own macro as guard rather than AT_SECURE Configure your notification preferences _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
