[openssl] master update
The branch master has been updated via f6f159e7a133d1b2f82a82fab3f8c357a07b574f (commit) from 63794b048cbe46ac9abb883df4dd703f522e4643 (commit) - Log - commit f6f159e7a133d1b2f82a82fab3f8c357a07b574f Author: Richard Levitte Date: Mon Jul 6 11:35:25 2020 +0200 Makefile template: fix incorrect treatment of produced document files Documentation files were treated as programs when assigning to the make variables HTMLDOCS{1,3,5,7} and MANDOCS{1,3,5,7}, which is is incorrect on POSIX sub-systems where executables have an extension (.exe). Fixes #11937 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/12374) --- Summary of changes: Configurations/unix-Makefile.tmpl | 16 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 2586f73791..a0c5081b04 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl 
@@ -173,35 +173,35 @@ MISC_SCRIPTS={- -} HTMLDOCS1={- join(" \\\n" . ' ' x 10, - fill_lines(" ", $COLUMNS - 10, map { platform->bin($_) } + fill_lines(" ", $COLUMNS - 10, @{$unified_info{htmldocs}->{man1}})) -} HTMLDOCS3={- join(" \\\n" . ' ' x 10, - fill_lines(" ", $COLUMNS - 10, map { platform->bin($_) } + fill_lines(" ", $COLUMNS - 10, @{$unified_info{htmldocs}->{man3}})) -} HTMLDOCS5={- join(" \\\n" . ' ' x 10, - fill_lines(" ", $COLUMNS - 10, map { platform->bin($_) } + fill_lines(" ", $COLUMNS - 10, @{$unified_info{htmldocs}->{man5}})) -} HTMLDOCS7={- join(" \\\n" . ' ' x 10, - fill_lines(" ", $COLUMNS - 10, map { platform->bin($_) } + fill_lines(" ", $COLUMNS - 10, @{$unified_info{htmldocs}->{man7}})) -} MANDOCS1={- join(" \\\n" . ' ' x 9, - fill_lines(" ", $COLUMNS - 9, map { platform->bin($_) } + fill_lines(" ", $COLUMNS - 9, @{$unified_info{mandocs}->{man1}})) -} MANDOCS3={- join(" \\\n" . ' ' x 9, - fill_lines(" ", $COLUMNS - 9, map { platform->bin($_) } + fill_lines(" ", $COLUMNS - 9, @{$unified_info{mandocs}->{man3}})) -} MANDOCS5={- join(" \\\n" . ' ' x 9, - fill_lines(" ", $COLUMNS - 9, map { platform->bin($_) } + fill_lines(" ", $COLUMNS - 9, @{$unified_info{mandocs}->{man5}})) -} MANDOCS7={- join(" \\\n" . ' ' x 9, - fill_lines(" ", $COLUMNS - 9, map { platform->bin($_) } + fill_lines(" ", $COLUMNS - 9, @{$unified_info{mandocs}->{man7}})) -} APPS_OPENSSL="{- use File::Spec::Functions;
[openssl] master update
The branch master has been updated via 63794b048cbe46ac9abb883df4dd703f522e4643 (commit) from eae4a008341149783b540198470f04f85b22730e (commit) - Log - commit 63794b048cbe46ac9abb883df4dd703f522e4643 Author: Shane Lontis Date: Thu Jul 9 13:43:10 2020 +1000 Add multiple fixes for ffc key generation using invalid p,q,g parameters. Fixes #11864 - The dsa keygen assumed valid p, q, g values were being passed. If this is not correct then it is possible that dsa keygen can either hang or segfault. The fix was to do a partial validation of p, q, and g inside the keygen. - Fixed a potential double free in the dsa keypair test in the case when in failed (It should never fail!). It freed internal object members without setting them to NULL. - Changed the FFC key validation to accept 1024 bit keys in non fips mode. - Added tests that use both the default provider & fips provider to test these cases. Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/12176) --- Summary of changes: crypto/dh/dh_key.c| 4 + crypto/dsa/dsa_key.c | 7 ++ crypto/ffc/ffc_params_generate.c | 11 +- crypto/ffc/ffc_params_validate.c | 26 include/internal/ffc.h| 1 + test/build.info | 6 +- test/evp_libctx_test.c| 253 ++ test/ffc_internal_test.c | 7 -- test/recipes/30-test_evp_libctx.t | 46 +++ 9 files changed, 352 insertions(+), 9 deletions(-) create mode 100644 test/evp_libctx_test.c create mode 100644 test/recipes/30-test_evp_libctx.t diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index 5d2acca25c..3b4da19cd2 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -287,6 +287,10 @@ static int generate_key(DH *dh) } else #endif { +/* Do a partial check for invalid p, q, g */ +if (!ffc_params_simple_validate(dh->libctx, >params, +FFC_PARAM_TYPE_DH)) +goto err; /* * For FFC FIPS 186-4 keygen * security strength s = 112, diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c index 7bd9c5ff2e..b537ec0b3c 100644 --- a/crypto/dsa/dsa_key.c +++ b/crypto/dsa/dsa_key.c 
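Review bot: The comment on the new `ffc_params_simple_validate()` guard in generate_key() says only "partial check", so a reader cannot tell which malformed p, q, g it rejects and which it still lets through; the same comment is repeated on the matching guard in dsa_keygen() in crypto/dsa/dsa_key.c. Going by the commit message the guard exists to stop keygen hanging or crashing on bad parameters, so the comment should say that and make clear it does not replace full domain-parameter validation when the parameters come from an untrusted source, for example `/* Reject p, q, g that would make keygen hang or crash; this is not full parameter validation */`. The failure path is a bare `goto err` and the `err` label is outside the hunk, so it is worth confirming that a rejection leaves an error-queue entry that points at the parameters rather than at a generic failure. generate_key() starts and ends outside the hunk.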
@@ -74,6 +74,11 @@ static int dsa_keygen(DSA *dsa, int pairwise_test) priv_key = dsa->priv_key; } +/* Do a partial check for invalid p, q, g */ +if (!ffc_params_simple_validate(dsa->libctx, >params, +FFC_PARAM_TYPE_DSA)) +goto err; + /* * For FFC FIPS 186-4 keygen * security strength s = 112, @@ -110,6 +115,8 @@ static int dsa_keygen(DSA *dsa, int pairwise_test) if (!ok) { BN_free(dsa->pub_key); BN_clear_free(dsa->priv_key); +dsa->pub_key = NULL; +dsa->priv_key = NULL; BN_CTX_free(ctx); return ok; } diff --git a/crypto/ffc/ffc_params_generate.c b/crypto/ffc/ffc_params_generate.c index 325eb6768f..8a0b77e7f8 100644 --- a/crypto/ffc/ffc_params_generate.c +++ b/crypto/ffc/ffc_params_generate.c @@ -39,6 +39,11 @@ */ static int ffc_validate_LN(size_t L, size_t N, int type) { +#ifndef FIPS_MODULE +if (L == 1024 && N == 160) +return 80; +#endif + if (type == FFC_PARAM_TYPE_DH) { /* Valid DH L,N parameters from SP800-56Ar3 5.5.1 Table 1 */ if (L == 2048 && (N == 224 || N == 256)) @@ -498,6 +503,7 @@ int ffc_params_FIPS186_4_gen_verify(OPENSSL_CTX *libctx, FFC_PARAMS *params, EVP_MD *md = NULL; int verify = (mode == FFC_PARAM_MODE_VERIFY); unsigned int flags = verify ? params->flags : 0; +const char *def_name; *res = 0; @@ -506,7 +512,10 @@ int ffc_params_FIPS186_4_gen_verify(OPENSSL_CTX *libctx, FFC_PARAMS *params, } else { if (N == 0) N = (L >= 2048 ? SHA256_DIGEST_LENGTH : SHA_DIGEST_LENGTH) * 8; -md = EVP_MD_fetch(libctx, default_mdname(N), NULL); +def_name = default_mdname(N); +if (def_name == NULL) +goto err; +md = EVP_MD_fetch(libctx, def_name, NULL); } if (md == NULL) goto err; diff --git a/crypto/ffc/ffc_params_validate.c b/crypto/ffc/ffc_params_validate.c index f3df0c2b39..821ff3e88a 100644 --- a/crypto/ffc/ffc_params_validate.c +++ b/crypto/ffc/ffc_params_validate.c 
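Review bot: The two assignments added to the `if (!ok)` branch of dsa_keygen() carry no comment, and without one they read as redundant next to the frees directly above them. A single line such as `/* Clear the members so a later free of the DSA object does not free them again */` would record why they are there. The `return ok;` that follows keeps the rest of the function out of this path, so nothing else in the branch needs to change.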
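Review bot: The new `L == 1024 && N == 160` branch in ffc_validate_LN() sits ahead of the `type` test, so outside the FIPS module it accepts that pair for DH as well as DSA, and nothing in the code says whether that is intended. The returned 80 is presumably a security strength in bits, which is below the 112 that the keygen comments elsewhere in this commit refer to. A comment would make the scope explicit, for example `/* Legacy sizes (80-bit strength): accepted outside the FIPS module only, for both DH and DSA */`. Because this helper lives in the parameter-generation file, please also confirm whether it is meant to allow generating new 1024-bit parameters or only validating existing ones. The rest of the function is outside the hunk.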
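Review bot: When `default_mdname(N)` returns NULL, the new code in ffc_params_FIPS186_4_gen_verify() jumps to `err` with `*res` still 0 from the assignment at the top of the function. A caller that inspects `*res` to learn why generation or verification failed then gets no indication that N was unsupported. Consider setting one of the existing FFC check flags that describes a bad q size in `*res` before the `goto err`. `def_name` is used only inside this else branch, so it could be declared there instead of at function scope if the project style permits. The function body continues outside both hunks.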
@@ -78,3 +78,29 @@ int ffc_params_FIPS186_2_validate(OPENSSL_CTX *libctx, const FFC_PARAMS *params, FFC_PARAM_MODE_VERIFY, type, L, N, res, cb); } + +/* + * This does a simple check of L and N and partial g. + * It
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit
Platform and configuration command: $ uname -a Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: eae4a00834 Fix CID 1454808: Error handling issues NEGATIVE_RETURNS (PKCS7_dataDecode()) c8ea9bc670 Fix CID 1454806: NEGATIVE_RETURNS (cms_enc.c) e2cc68c8fd Fix CID 1465213: Integer handling issues (evp_extra_test.c) 5999d20ea8 Fix CID 1463883 Dereference after null check (in ess_find_cert_v2()) 821278a885 Fix CID 1465214 Resource leak (in file_load.c) fd7d574dd9 Fix CID 1465215 : Explicit null dereferenced (in test) 84ba665d72 Fix CID #1465216 Resource leak in property_fetch 2f1d0b35c1 Ensure we excluse ec2m curves if ec2m is disabled 146aebc6a0 Add a test to check having a provider loaded without a groups still works 90a74d8c43 Fix an incorrect error flow in add_provider_groups 08a1c9f2e6 Fix OSSL_PROVIDER_get_capabilities() 163b801616 Add support to zeroize plaintext in S3 record layer 1c9761d0b5 [test][15-test_genec] Improve EC tests with genpkey 466d30c0d7 [apps/genpkey] exit status should not be 0 on output errors e0137ca92b [EC][ASN1] Detect missing OID when serializing EC parameters and keys 8c330e1939 improve SSL_CTX_set_tlsext_ticket_key_cb ref impl 2d9f56e999 Ensure TLS padding is added during encryption on the provider side b558817823 Convert SSLv3 handling to use provider side CBC/MAC removal 63ee6ec177 Ensure any allocated MAC is freed in the provider code f29dbb0866 Decreate the length after decryption for the stitched ciphers 09ce6e0854 Ensure the sslcorrupttest checks all errors on the queue ee0c849e5a Ensure GCM "update" failures return 0 on error 978cc3648d Ensure cipher_generic_initkey gets passed the actual provider ctx 1ae7354c04 Make the NULL cipher TLS aware 27d4c840fc Change ChaCha20-Poly1305 to be consistent with out ciphers 524cb684ac Make libssl start using the TLS provider CBC support e71fd827bc 
Add provider support for TLS CBC padding and MAC removal f0237a6c62 Remove SSL dependencies from tls_pad.c ebacd57bee Split the padding/mac removal functions out into a separate file ec27e619e8 Move MAC removal responsibility to the various protocol "enc" functions Build log ended with (last 100 lines): 65-test_cmp_status.t ... ok 65-test_cmp_vfy.t .. ok 70-test_asyncio.t .. ok 70-test_bad_dtls.t . ok 70-test_clienthello.t .. ok 70-test_comp.t . ok 70-test_key_share.t ok 70-test_packet.t ... ok 70-test_recordlen.t ok 70-test_renegotiation.t ok 70-test_servername.t ... ok 70-test_sslcbcpadding.t ok 70-test_sslcertstatus.t ok 70-test_sslextension.t . ok 70-test_sslmessages.t .. ok 70-test_sslrecords.t ... ok 70-test_sslsessiontick.t ... ok 70-test_sslsigalgs.t ... ok 70-test_sslsignature.t . ok 70-test_sslskewith0p.t . ok 70-test_sslversions.t .. ok 70-test_sslvertol.t ok 70-test_tls13alerts.t .. ok 70-test_tls13cookie.t .. ok 70-test_tls13downgrade.t ... ok 70-test_tls13hrr.t . ok 70-test_tls13kexmodes.t ok 70-test_tls13messages.t ok 70-test_tls13psk.t . ok 70-test_tlsextms.t . ok 70-test_verify_extra.t . ok 70-test_wpacket.t .. ok 71-test_ssl_ctx.t .. ok 80-test_ca.t ... ok 80-test_cipherbytes.t .. ok 80-test_cipherlist.t ... ok 80-test_ciphername.t ... ok # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... ok 80-test_dane.t . ok 80-test_dtls.t . ok 80-test_dtls_mtu.t . ok 80-test_dtlsv1listen.t . ok 80-test_http.t . ok 80-test_ocsp.t . ok 80-test_pkcs12.t ... ok 80-test_ssl_new.t .. ok 80-test_ssl_old.t .. ok 80-test_ssl_test_ctx.t . ok 80-test_sslcorrupt.t ... ok 80-test_tsa.t .. ok 80-test_x509aux.t .. ok # 81-test_cmp_cli.t .. ok 90-test_asn1_time.t ok 90-test_async.t ok 90-test_bio_enc.t .. ok 90-test_bio_memleak.t .. ok 90-test_constant_time.t ok 90-test_fatalerr.t . ok 90-test_gmdiff.t ... ok 90-test_gost.t . ok 90-test_ige.t .. ok 90-test_includes.t . ok 90-test_memleak.t .. ok 90-test_overhead.t . ok 90-test_secmem.t ...
FAILED build of OpenSSL branch master with options -d --strict-warnings enable-asan no-shared -DOPENSSL_SMALL_FOOTPRINT
Platform and configuration command: $ uname -a Linux run 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings enable-asan no-shared -DOPENSSL_SMALL_FOOTPRINT Commit log since last time: eae4a00834 Fix CID 1454808: Error handling issues NEGATIVE_RETURNS (PKCS7_dataDecode()) c8ea9bc670 Fix CID 1454806: NEGATIVE_RETURNS (cms_enc.c) e2cc68c8fd Fix CID 1465213: Integer handling issues (evp_extra_test.c) 5999d20ea8 Fix CID 1463883 Dereference after null check (in ess_find_cert_v2()) 821278a885 Fix CID 1465214 Resource leak (in file_load.c) fd7d574dd9 Fix CID 1465215 : Explicit null dereferenced (in test) 84ba665d72 Fix CID #1465216 Resource leak in property_fetch 2f1d0b35c1 Ensure we excluse ec2m curves if ec2m is disabled 146aebc6a0 Add a test to check having a provider loaded without a groups still works 90a74d8c43 Fix an incorrect error flow in add_provider_groups 08a1c9f2e6 Fix OSSL_PROVIDER_get_capabilities() 163b801616 Add support to zeroize plaintext in S3 record layer 1c9761d0b5 [test][15-test_genec] Improve EC tests with genpkey 466d30c0d7 [apps/genpkey] exit status should not be 0 on output errors e0137ca92b [EC][ASN1] Detect missing OID when serializing EC parameters and keys 8c330e1939 improve SSL_CTX_set_tlsext_ticket_key_cb ref impl 2d9f56e999 Ensure TLS padding is added during encryption on the provider side b558817823 Convert SSLv3 handling to use provider side CBC/MAC removal 63ee6ec177 Ensure any allocated MAC is freed in the provider code f29dbb0866 Decreate the length after decryption for the stitched ciphers 09ce6e0854 Ensure the sslcorrupttest checks all errors on the queue ee0c849e5a Ensure GCM "update" failures return 0 on error 978cc3648d Ensure cipher_generic_initkey gets passed the actual provider ctx 1ae7354c04 Make the NULL cipher TLS aware 27d4c840fc Change ChaCha20-Poly1305 to be consistent with out ciphers 524cb684ac Make libssl start using the TLS 
provider CBC support e71fd827bc Add provider support for TLS CBC padding and MAC removal f0237a6c62 Remove SSL dependencies from tls_pad.c ebacd57bee Split the padding/mac removal functions out into a separate file ec27e619e8 Move MAC removal responsibility to the various protocol "enc" functions Build log ended with (last 100 lines): # Server sent alert unexpected_message but client received no alert. # 80174F3DAA7F:error::SSL routines::unexpected message:../openssl/ssl/statem/statem_srvr.c:318: not ok 9 - iteration 9 # -- not ok 1 - test_handshake # -- ../../util/wrap.pl ../../test/ssl_test 25-cipher.cnf.default default => 1 not ok 6 - running ssl_test 25-cipher.cnf # -- # Looks like you failed 2 tests of 9. not ok 26 - Test configuration 25-cipher.cnf # -- # Looks like you failed 1 test of 31.80-test_ssl_new.t .. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/31 subtests 80-test_ssl_old.t .. ok 80-test_ssl_test_ctx.t . ok # INFO: @ ../openssl/test/sslcorrupttest.c:199 # Starting #2, ECDHE-RSA-CHACHA20-POLY1305 # ERROR: (int) 'SSL_get_error(clientssl, 0) == SSL_ERROR_WANT_READ' failed @ ../openssl/test/ssltestlib.c:1032 # [1] compared to [2] # ERROR: (bool) 'create_ssl_connection(server, client, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslcorrupttest.c:229 # false # 8067017BBA7F:error::SSL routines::unexpected message:../openssl/ssl/statem/statem_clnt.c:400: not ok 3 - iteration 3 # -- # INFO: @ ../openssl/test/sslcorrupttest.c:199 # Starting #3, DHE-RSA-CHACHA20-POLY1305 # ERROR: (int) 'SSL_get_error(clientssl, 0) == SSL_ERROR_WANT_READ' failed @ ../openssl/test/ssltestlib.c:1032 # [1] compared to [2] # ERROR: (bool) 'create_ssl_connection(server, client, SSL_ERROR_NONE) == true' failed @ ../openssl/test/sslcorrupttest.c:229 # false # 8067017BBA7F:error::SSL routines::unexpected message:../openssl/ssl/statem/statem_clnt.c:400: not ok 4 - iteration 4 # -- not ok 1 - test_ssl_corrupt # -- ../../util/wrap.pl ../../test/sslcorrupttest 
../../../openssl/apps/server.pem ../../../openssl/apps/server.pem => 1 not ok 1 - running sslcorrupttest # -- # Failed test 'running
Errored: openssl/openssl#36002 (master - eae4a00)
Build Update for openssl/openssl - Build: #36002 Status: Errored Duration: 1 hr, 19 mins, and 50 secs Commit: eae4a00 (master) Author: Shane Lontis Message: Fix CID 1454808: Error handling issues NEGATIVE_RETURNS (PKCS7_dataDecode()) Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/12379) View the changeset: https://github.com/openssl/openssl/compare/2f1d0b35c12f...eae4a0083411 View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/174762896?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.com/account/preferences/unsubscribe?repository=13885459_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.com/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
Errored: openssl/openssl#36001 (master - 2f1d0b3)
Build Update for openssl/openssl - Build: #36001 Status: Errored Duration: 1 hr, 11 mins, and 54 secs Commit: 2f1d0b3 (master) Author: Matt Caswell Message: Ensure we excluse ec2m curves if ec2m is disabled Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12292) View the changeset: https://github.com/openssl/openssl/compare/163b8016160f...2f1d0b35c12f View the full build log and details: https://travis-ci.com/github/openssl/openssl/builds/174760837?utm_medium=notification_source=email -- You can unsubscribe from build emails from the openssl/openssl repository going to https://travis-ci.com/account/preferences/unsubscribe?repository=13885459_medium=notification_source=email. Or unsubscribe from *all* email updating your settings at https://travis-ci.com/account/preferences/unsubscribe?utm_medium=notification_source=email. Or configure specific recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications.
[openssl] master update
The branch master has been updated via eae4a008341149783b540198470f04f85b22730e (commit) via c8ea9bc6702e30f4efa690906abd14c5eab927cf (commit) via e2cc68c8fda7792eb2f09ac152dd346bb90ad316 (commit) via 5999d20ea8ed1c69e89b201fa70a5964ff11665e (commit) via 821278a885c7c8edb5bca943006df5700257390e (commit) via fd7d574dd98761d41d87a777c0b4f044ecc075be (commit) via 84ba665d72906c36b158071035896f50a9aad808 (commit) from 2f1d0b35c12f50e971ef626ff9bbf35a53f9a66d (commit) - Log - commit eae4a008341149783b540198470f04f85b22730e Author: Shane Lontis Date: Tue Jul 7 09:50:34 2020 +1000 Fix CID 1454808: Error handling issues NEGATIVE_RETURNS (PKCS7_dataDecode()) Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/12379) commit c8ea9bc6702e30f4efa690906abd14c5eab927cf Author: Shane Lontis Date: Tue Jul 7 09:46:37 2020 +1000 Fix CID 1454806: NEGATIVE_RETURNS (cms_enc.c) Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/12379) commit e2cc68c8fda7792eb2f09ac152dd346bb90ad316 Author: Shane Lontis Date: Mon Jul 6 17:35:23 2020 +1000 Fix CID 1465213: Integer handling issues (evp_extra_test.c) Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/12379) commit 5999d20ea8ed1c69e89b201fa70a5964ff11665e Author: Shane Lontis Date: Mon Jul 6 16:13:48 2020 +1000 Fix CID 1463883 Dereference after null check (in ess_find_cert_v2()) Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/12379) commit 821278a885c7c8edb5bca943006df5700257390e Author: Shane Lontis Date: Mon Jul 6 14:31:32 2020 +1000 Fix CID 1465214 Resource leak (in file_load.c) Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/12379) commit fd7d574dd98761d41d87a777c0b4f044ecc075be Author: Shane Lontis Date: Mon Jul 6 14:16:09 2020 +1000 Fix CID 1465215 : Explicit null dereferenced (in test) Reviewed-by: Dmitry Belyavskiy (Merged from 
https://github.com/openssl/openssl/pull/12379) commit 84ba665d72906c36b158071035896f50a9aad808 Author: Shane Lontis Date: Mon Jul 6 14:08:58 2020 +1000 Fix CID #1465216 Resource leak in property_fetch Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/12379) --- Summary of changes: crypto/cms/cms_enc.c | 7 ++- crypto/ess/ess_lib.c | 4 +++- crypto/pkcs7/pk7_doit.c | 7 +-- crypto/property/property.c| 2 +- crypto/store/loader_file.c| 4 +++- test/evp_extra_test.c | 8 test/evp_pkey_provided_test.c | 2 ++ 7 files changed, 24 insertions(+), 10 deletions(-) diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c index 3a17a2798b..5f9e2b3a52 100644 --- a/crypto/cms/cms_enc.c +++ b/crypto/cms/cms_enc.c @@ -28,6 +28,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec) X509_ALGOR *calg = ec->contentEncryptionAlgorithm; unsigned char iv[EVP_MAX_IV_LENGTH], *piv = NULL; unsigned char *tkey = NULL; +int len; size_t tkeylen = 0; int ok = 0; @@ -81,7 +82,11 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec) CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR); goto err; } -tkeylen = EVP_CIPHER_CTX_key_length(ctx); +len = EVP_CIPHER_CTX_key_length(ctx); +if (len <= 0) +goto err; +tkeylen = (size_t)len; + /* Generate random session key */ if (!enc || !ec->key) { tkey = OPENSSL_malloc(tkeylen); diff --git a/crypto/ess/ess_lib.c b/crypto/ess/ess_lib.c index 17f9db98ff..3f418235ad 100644 --- a/crypto/ess/ess_lib.c +++ b/crypto/ess/ess_lib.c @@ -339,7 +339,9 @@ int ess_find_cert_v2(const STACK_OF(ESS_CERT_ID_V2) *cert_ids, const X509 *cert) const ESS_CERT_ID_V2 *cid = sk_ESS_CERT_ID_V2_value(cert_ids, i); const EVP_MD *md; -if (cid != NULL && cid->hash_alg != NULL) +if (cid == NULL) +return -1; +if (cid->hash_alg != NULL) md = EVP_get_digestbyobj(cid->hash_alg->algorithm); else md = EVP_sha256(); diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index 3e2065244d..718b6f3899 100644 --- a/crypto/pkcs7/pk7_doit.c 
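Review bot: The new `if (len <= 0) goto err;` in cms_EncryptedContent_init_bio() leaves without recording an error, whereas the failure immediately above it in the hunk raises `CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR` before its own `goto err`. A caller on this path would presumably get a failed return with nothing on the error queue to explain it. Raising a CMS error first, using the file's existing error macro with a reason such as `CMS_R_INVALID_KEY_LENGTH`, would keep the two paths consistent. The function starts and ends outside the hunk.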
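Review bot: In ess_find_cert_v2() the result of `EVP_get_digestbyobj(cid->hash_alg->algorithm)` is assigned to `md` with no check visible in the hunk, and that call returns NULL when the algorithm is not recognised. If the code after the hunk hands `md` straight to a digest routine, a certificate ID naming an unknown hash would reach it with a NULL digest; a guard such as `if (md == NULL) return -1;` after the if/else would close that. The new `return -1` for a NULL `cid` also looks like it shares its value with the "not found" result, so please confirm callers do not need to tell the two apart. The loop body continues outside the hunk.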
+++ b/crypto/pkcs7/pk7_doit.c @@ -361,7 +361,7 @@ static int pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert) /* int */ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) { -int i, j; +int i, j, len; BIO *out = NULL, *btmp = NULL, *etmp = NULL, *bio = NULL; X509_ALGOR *xa; ASN1_OCTET_STRING *data_body = NULL; @@ -524,7 +524,10 @@ BIO *PKCS7_dataDecode(PKCS7 *p7,
[openssl] master update
The branch master has been updated via 2f1d0b35c12f50e971ef626ff9bbf35a53f9a66d (commit) via 146aebc6a082ac4343b79dcf18ef86e853b85d85 (commit) via 90a74d8c4331c363d68ecd1168bc5344f7ba9be8 (commit) via 08a1c9f2e6e28a81936e51019b89e842a1a90b31 (commit) from 163b8016160f03558d8352b76fb594685cb39f7d (commit) - Log - commit 2f1d0b35c12f50e971ef626ff9bbf35a53f9a66d Author: Matt Caswell Date: Wed Jul 1 12:20:49 2020 +0100 Ensure we excluse ec2m curves if ec2m is disabled Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12292) commit 146aebc6a082ac4343b79dcf18ef86e853b85d85 Author: Matt Caswell Date: Fri Jun 26 20:49:19 2020 +0100 Add a test to check having a provider loaded without a groups still works As long as we have at least one provider loaded which offers some groups, it doesn't matter if we have others loaded that don't. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12292) commit 90a74d8c4331c363d68ecd1168bc5344f7ba9be8 Author: Matt Caswell Date: Fri Jun 26 20:44:27 2020 +0100 Fix an incorrect error flow in add_provider_groups Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12292) commit 08a1c9f2e6e28a81936e51019b89e842a1a90b31 Author: Matt Caswell Date: Fri Jun 26 20:40:11 2020 +0100 Fix OSSL_PROVIDER_get_capabilities() It is not a failure to call OSSL_PROVIDER_get_capabilities() with a provider loaded that has no capabilities. Fixes #12286 Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/12292) --- Summary of changes: crypto/provider_core.c | 2 +- providers/common/capabilities.c | 8 ssl/t1_lib.c| 2 +- test/sslapitest.c | 5 - 4 files changed, 14 insertions(+), 3 deletions(-) diff --git a/crypto/provider_core.c b/crypto/provider_core.c index a2350bb88e..f68fd8f0f9 100644 --- a/crypto/provider_core.c +++ b/crypto/provider_core.c 
@@ -831,7 +831,7 @@ int ossl_provider_get_capabilities(const OSSL_PROVIDER *prov, void *arg) { return prov->get_capabilities == NULL -? 0 : prov->get_capabilities(prov->provctx, capability, cb, arg); +? 1 : prov->get_capabilities(prov->provctx, capability, cb, arg); } diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c index a41d3990f0..a60620d8a2 100644 --- a/providers/common/capabilities.c +++ b/providers/common/capabilities.c @@ -97,26 +97,34 @@ static const TLS_GROUP_CONSTANTS group_list[35] = { static const OSSL_PARAM param_group_list[][10] = { #ifndef OPENSSL_NO_EC +# ifndef OPENSSL_NO_EC2M TLS_GROUP_ENTRY("sect163k1", "sect163k1", "EC", 0), +# endif # ifndef FIPS_MODULE TLS_GROUP_ENTRY("sect163r1", "sect163r1", "EC", 1), # endif +# ifndef OPENSSL_NO_EC2M TLS_GROUP_ENTRY("sect163r2", "sect163r2", "EC", 2), +# endif # ifndef FIPS_MODULE TLS_GROUP_ENTRY("sect193r1", "sect193r1", "EC", 3), TLS_GROUP_ENTRY("sect193r2", "sect193r2", "EC", 4), # endif +# ifndef OPENSSL_NO_EC2M TLS_GROUP_ENTRY("sect233k1", "sect233k1", "EC", 5), TLS_GROUP_ENTRY("sect233r1", "sect233r1", "EC", 6), +# endif # ifndef FIPS_MODULE TLS_GROUP_ENTRY("sect239k1", "sect239k1", "EC", 7), # endif +# ifndef OPENSSL_NO_EC2M TLS_GROUP_ENTRY("sect283k1", "sect283k1", "EC", 8), TLS_GROUP_ENTRY("sect283r1", "sect283r1", "EC", 9), TLS_GROUP_ENTRY("sect409k1", "sect409k1", "EC", 10), TLS_GROUP_ENTRY("sect409r1", "sect409r1", "EC", 11), TLS_GROUP_ENTRY("sect571k1", "sect571k1", "EC", 12), TLS_GROUP_ENTRY("sect571r1", "sect571r1", "EC", 13), +# endif # ifndef FIPS_MODULE TLS_GROUP_ENTRY("secp160k1", "secp160k1", "EC", 14), TLS_GROUP_ENTRY("secp160r1", "secp160r1", "EC", 15), diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index c9097fcc44..41228d58e9 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c 
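Review bot: The switch from 0 to 1 in ossl_provider_get_capabilities() turns a missing `get_capabilities` callback into a success, but the reason is recorded only in the commit message. A comment on the return, such as `/* A provider that offers no capabilities is not an error */`, would keep the value from being "corrected" back later. The function's signature begins before the hunk.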
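Review bot: The `sect163r1`, `sect193r1`, `sect193r2` and `sect239k1` entries are still wrapped only in `# ifndef FIPS_MODULE`, so a non-FIPS build configured without EC2M keeps them in `param_group_list` while their neighbours are compiled out. If these are binary-field curves like the other `sect*` names, the provider would go on advertising TLS groups that the build cannot back. Guarding those four entries with both conditions, e.g. `# if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_EC2M)`, would cover them. The array continues outside the hunk.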
@@ -334,7 +334,7 @@ static int add_provider_groups(const OSSL_PARAM params[], void *data) p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MAX_TLS); if (p == NULL || !OSSL_PARAM_get_int(p, >maxtls)) { SSLerr(0, ERR_R_PASSED_INVALID_ARGUMENT); -return 0; +goto err; } p = OSSL_PARAM_locate_const(params, OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS); diff --git a/test/sslapitest.c b/test/sslapitest.c index 182984ecb1..afc4ea8d40 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -8235,8 +8235,10 @@ static int test_pluggable_group(void) SSL *clientssl = NULL, *serverssl = NULL; int testresult = 0; OSSL_PROVIDER *tlsprov = OSSL_PROVIDER_load(libctx, "tls-provider"); +/* Check that we are not impacted by a