date:20211201

Coverity Scan: Analysis completed for openssl/openssl

2021-12-01 Thread scan-admin



Your request for analysis of openssl/openssl has been completed 
successfully.
The results are available at 
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DHOkm_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeEbzk-2FmOaOcXTk6dFlWZ-2FRmyVoqpfzIM1ml7wWPIAVt1Z-2BuYOOj92xOODHvubRn88tt46S-2BpRNVd-2F1Cc9VJ47VZ-2FXLfi5z1-2BU5X42pD7fIEFarCPfUFjY-2FCVG5kA5MV-2BeNTJ-2BeD589ZG7k0qN6Oi23-2BqW7M-2FsM7CU-2FC21GmS1ZX91jxDh7BTJSUNr-2F64QTsUtY-3D

Build ID: 421168

Analysis Summary:
   New defects found: 0
   Defects eliminated: 0

[openssl] master update

2021-12-01 Thread beldmit

The branch master has been updated
   via  07ba69483a7d8005a53284cbde55b9dac8c5c554 (commit)
  from  a632bfaa4ee3339749f7a6a07ab4d0abee4eaaef (commit)


- Log -
commit 07ba69483a7d8005a53284cbde55b9dac8c5c554
Author: Dmitry Belyavskiy 
Date:   Mon Nov 22 10:14:27 2021 +0100

Refactor: a separate func for provider activation from config

Reviewed-by: Matt Caswell 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17099)

---

Summary of changes:
 crypto/provider_conf.c | 140 ++---
 1 file changed, 75 insertions(+), 65 deletions(-)

diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
index c13c887c3d..6a62f0df60 100644
--- a/crypto/provider_conf.c
+++ b/crypto/provider_conf.c
@@ -136,13 +136,86 @@ static int prov_already_activated(const char *name,
 return 0;
 }
 
+static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
+  const char *value, const char *path,
+  int soft, const CONF *cnf)
+{
+PROVIDER_CONF_GLOBAL *pcgbl
+= ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
+_conf_ossl_ctx_method);
+OSSL_PROVIDER *prov = NULL, *actual = NULL;
+int ok = 0;
+
+if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) {
+ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
+return 0;
+}
+if (!prov_already_activated(name, pcgbl->activated_providers)) {
+/*
+* There is an attempt to activate a provider, so we should disable
+* loading of fallbacks. Otherwise a misconfiguration could mean the
+* intended provider does not get loaded. Subsequent fetches could
+* then fallback to the default provider - which may be the wrong
+* thing.
+*/
+if (!ossl_provider_disable_fallback_loading(libctx)) {
+CRYPTO_THREAD_unlock(pcgbl->lock);
+ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
+return 0;
+}
+prov = ossl_provider_find(libctx, name, 1);
+if (prov == NULL)
+prov = ossl_provider_new(libctx, name, NULL, 1);
+if (prov == NULL) {
+CRYPTO_THREAD_unlock(pcgbl->lock);
+if (soft)
+ERR_clear_error();
+return 0;
+}
+
+if (path != NULL)
+ossl_provider_set_module_path(prov, path);
+
+ok = provider_conf_params(prov, NULL, NULL, value, cnf);
+
+if (ok) {
+if (!ossl_provider_activate(prov, 1, 0)) {
+ok = 0;
+} else if (!ossl_provider_add_to_store(prov, , 0)) {
+ossl_provider_deactivate(prov, 1);
+ok = 0;
+} else if (actual != prov
+   && !ossl_provider_activate(actual, 1, 0)) {
+ossl_provider_free(actual);
+ok = 0;
+} else {
+if (pcgbl->activated_providers == NULL)
+pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null();
+if (pcgbl->activated_providers == NULL
+|| !sk_OSSL_PROVIDER_push(pcgbl->activated_providers,
+  actual)) {
+ossl_provider_deactivate(actual, 1);
+ossl_provider_free(actual);
+ok = 0;
+} else {
+ok = 1;
+}
+}
+}
+if (!ok)
+ossl_provider_free(prov);
+}
+CRYPTO_THREAD_unlock(pcgbl->lock);
+
+return ok;
+}
+
 static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
   const char *value, const CONF *cnf)
 {
 int i;
 STACK_OF(CONF_VALUE) *ecmds;
 int soft = 0;
-OSSL_PROVIDER *prov = NULL, *actual = NULL;
 const char *path = NULL;
 long activate = 0;
 int ok = 0;
@@ -182,70 +255,7 @@ static int provider_conf_load(OSSL_LIB_CTX *libctx, const 
char *name,
 }
 
 if (activate) {
-PROVIDER_CONF_GLOBAL *pcgbl
-= ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
-_conf_ossl_ctx_method);
-
-if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) {
-ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
-return 0;
-}
-if (!prov_already_activated(name, pcgbl->activated_providers)) {
-/*
-* There is an attempt to activate a provider, so we should disable
-* loading of fallbacks. Otherwise a misconfiguration could mean the
-* intended provider does not get loaded. Subsequent fetches could
-* then fallback to the

[openssl] OpenSSL_1_1_1-stable update

2021-12-01 Thread beldmit

The branch OpenSSL_1_1_1-stable has been updated
   via  76eb12aa278cb30a495bcee3fdc176d0a6c35052 (commit)
  from  162bd56e99b2e73cfdc6777acb3f1b3dafccc9ba (commit)


- Log -
commit 76eb12aa278cb30a495bcee3fdc176d0a6c35052
Author: Dmitry Belyavskiy 
Date:   Mon Nov 29 16:37:32 2021 +0100

No EtM for GOST ciphers

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17158)

---

Summary of changes:
 ssl/statem/extensions_clnt.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 621fcfa561..9d38ac23b5 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1741,7 +1741,9 @@ int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int 
context, X509 *x,
 /* Ignore if inappropriate ciphersuite */
 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
 && s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
-&& s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
+&& s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4
+&& s->s3->tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT
+&& s->s3->tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12)
 s->ext.use_etm = 1;
 
 return 1;

[openssl] master update

2021-12-01 Thread tomas

The branch master has been updated
   via  a632bfaa4ee3339749f7a6a07ab4d0abee4eaaef (commit)
  from  d2217c88df6e65c756013417e5ee4f470dd12470 (commit)


- Log -
commit a632bfaa4ee3339749f7a6a07ab4d0abee4eaaef
Author: Tomas Mraz 
Date:   Tue Nov 30 11:39:52 2021 +0100

pvkkdf: Always reset buflen after clearing the buffer

Reviewed-by: Richard Levitte 
Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17164)

---

Summary of changes:
 providers/implementations/kdfs/pvkkdf.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/providers/implementations/kdfs/pvkkdf.c 
b/providers/implementations/kdfs/pvkkdf.c
index 051c625455..e953911c83 100644
--- a/providers/implementations/kdfs/pvkkdf.c
+++ b/providers/implementations/kdfs/pvkkdf.c
@@ -97,13 +97,15 @@ static int pvk_set_membuf(unsigned char **buffer, size_t 
*buflen,
  const OSSL_PARAM *p)
 {
 OPENSSL_clear_free(*buffer, *buflen);
+*buffer = NULL;
+*buflen = 0;
+
 if (p->data_size == 0) {
 if ((*buffer = OPENSSL_malloc(1)) == NULL) {
 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 return 0;
 }
 } else if (p->data != NULL) {
-*buffer = NULL;
 if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen))
 return 0;
 }

[openssl] openssl-3.0 update

2021-12-01 Thread tomas

The branch openssl-3.0 has been updated
   via  8a1ff913be1951432500d176e5f7a33901fa83b4 (commit)
  from  015e3f59434651c454c94888d0c6d57c2203cd42 (commit)


- Log -
commit 8a1ff913be1951432500d176e5f7a33901fa83b4
Author: Tomas Mraz 
Date:   Tue Nov 30 11:52:10 2021 +0100

various kdfs: Always reset buflen after clearing the buffer

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17165)

(cherry picked from commit d2217c88df6e65c756013417e5ee4f470dd12470)

---

Summary of changes:
 providers/implementations/kdfs/krb5kdf.c   | 1 +
 providers/implementations/kdfs/pbkdf1.c| 4 +++-
 providers/implementations/kdfs/pbkdf2.c| 4 +++-
 providers/implementations/kdfs/pkcs12kdf.c | 4 +++-
 providers/implementations/kdfs/scrypt.c| 4 +++-
 providers/implementations/kdfs/sshkdf.c| 1 +
 6 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/providers/implementations/kdfs/krb5kdf.c 
b/providers/implementations/kdfs/krb5kdf.c
index f8d4baa568..2c887f0eb9 100644
--- a/providers/implementations/kdfs/krb5kdf.c
+++ b/providers/implementations/kdfs/krb5kdf.c
@@ -98,6 +98,7 @@ static int krb5kdf_set_membuf(unsigned char **dst, size_t 
*dst_len,
 {
 OPENSSL_clear_free(*dst, *dst_len);
 *dst = NULL;
+*dst_len = 0;
 return OSSL_PARAM_get_octet_string(p, (void **)dst, 0, dst_len);
 }
 
diff --git a/providers/implementations/kdfs/pbkdf1.c 
b/providers/implementations/kdfs/pbkdf1.c
index af715efc91..1a042bac9f 100644
--- a/providers/implementations/kdfs/pbkdf1.c
+++ b/providers/implementations/kdfs/pbkdf1.c
@@ -134,13 +134,15 @@ static int kdf_pbkdf1_set_membuf(unsigned char **buffer, 
size_t *buflen,
  const OSSL_PARAM *p)
 {
 OPENSSL_clear_free(*buffer, *buflen);
+*buffer = NULL;
+*buflen = 0;
+
 if (p->data_size == 0) {
 if ((*buffer = OPENSSL_malloc(1)) == NULL) {
 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 return 0;
 }
 } else if (p->data != NULL) {
-*buffer = NULL;
 if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen))
 return 0;
 }
diff --git a/providers/implementations/kdfs/pbkdf2.c 
b/providers/implementations/kdfs/pbkdf2.c
index fe247028ea..2a0ae63acc 100644
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -126,13 +126,15 @@ static int pbkdf2_set_membuf(unsigned char **buffer, 
size_t *buflen,
  const OSSL_PARAM *p)
 {
 OPENSSL_clear_free(*buffer, *buflen);
+*buffer = NULL;
+*buflen = 0;
+
 if (p->data_size == 0) {
 if ((*buffer = OPENSSL_malloc(1)) == NULL) {
 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 return 0;
 }
 } else if (p->data != NULL) {
-*buffer = NULL;
 if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen))
 return 0;
 }
diff --git a/providers/implementations/kdfs/pkcs12kdf.c 
b/providers/implementations/kdfs/pkcs12kdf.c
index 2037b458c8..3218daa781 100644
--- a/providers/implementations/kdfs/pkcs12kdf.c
+++ b/providers/implementations/kdfs/pkcs12kdf.c
@@ -182,13 +182,15 @@ static int pkcs12kdf_set_membuf(unsigned char **buffer, 
size_t *buflen,
  const OSSL_PARAM *p)
 {
 OPENSSL_clear_free(*buffer, *buflen);
+*buffer = NULL;
+*buflen = 0;
+
 if (p->data_size == 0) {
 if ((*buffer = OPENSSL_malloc(1)) == NULL) {
 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 return 0;
 }
 } else if (p->data != NULL) {
-*buffer = NULL;
 if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen))
 return 0;
 }
diff --git a/providers/implementations/kdfs/scrypt.c 
b/providers/implementations/kdfs/scrypt.c
index 2bbea0c7cc..a7072f785f 100644
--- a/providers/implementations/kdfs/scrypt.c
+++ b/providers/implementations/kdfs/scrypt.c
@@ -108,13 +108,15 @@ static int scrypt_set_membuf(unsigned char **buffer, 
size_t *buflen,
  const OSSL_PARAM *p)
 {
 OPENSSL_clear_free(*buffer, *buflen);
+*buffer = NULL;
+*buflen = 0;
+
 if (p->data_size == 0) {
 if ((*buffer = OPENSSL_malloc(1)) == NULL) {
 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 return 0;
 }
 } else if (p->data != NULL) {
-*buffer = NULL;
 if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen))
 return 0;
 }
diff --git a/providers/implementations/kdfs/sshkdf.c 
b/providers/implementations/kdfs/sshkdf.c
index 93a7a64fb5..be23c2143d 100644
--- a/providers/implementations/kdfs/sshkdf.c
+++ b/providers/implementations/kdfs/sshkdf.c
@@ -91,6 +91,7 @@ static int sshkdf_set_membuf(unsigned

[openssl] master update

2021-12-01 Thread tomas

The branch master has been updated
   via  d2217c88df6e65c756013417e5ee4f470dd12470 (commit)
  from  29a27cb2c5c1757831f42117871f8c59058343a9 (commit)


- Log -
commit d2217c88df6e65c756013417e5ee4f470dd12470
Author: Tomas Mraz 
Date:   Tue Nov 30 11:52:10 2021 +0100

various kdfs: Always reset buflen after clearing the buffer

Reviewed-by: Paul Dale 
(Merged from https://github.com/openssl/openssl/pull/17165)

---

Summary of changes:
 providers/implementations/kdfs/krb5kdf.c   | 1 +
 providers/implementations/kdfs/pbkdf1.c| 4 +++-
 providers/implementations/kdfs/pbkdf2.c| 4 +++-
 providers/implementations/kdfs/pkcs12kdf.c | 4 +++-
 providers/implementations/kdfs/scrypt.c| 4 +++-
 providers/implementations/kdfs/sshkdf.c| 1 +
 6 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/providers/implementations/kdfs/krb5kdf.c 
b/providers/implementations/kdfs/krb5kdf.c
index f8d4baa568..2c887f0eb9 100644
--- a/providers/implementations/kdfs/krb5kdf.c
+++ b/providers/implementations/kdfs/krb5kdf.c
@@ -98,6 +98,7 @@ static int krb5kdf_set_membuf(unsigned char **dst, size_t 
*dst_len,
 {
 OPENSSL_clear_free(*dst, *dst_len);
 *dst = NULL;
+*dst_len = 0;
 return OSSL_PARAM_get_octet_string(p, (void **)dst, 0, dst_len);
 }
 
diff --git a/providers/implementations/kdfs/pbkdf1.c 
b/providers/implementations/kdfs/pbkdf1.c
index c93ff9b3eb..b9b164c4e2 100644
--- a/providers/implementations/kdfs/pbkdf1.c
+++ b/providers/implementations/kdfs/pbkdf1.c
@@ -134,13 +134,15 @@ static int kdf_pbkdf1_set_membuf(unsigned char **buffer, 
size_t *buflen,
  const OSSL_PARAM *p)
 {
 OPENSSL_clear_free(*buffer, *buflen);
+*buffer = NULL;
+*buflen = 0;
+
 if (p->data_size == 0) {
 if ((*buffer = OPENSSL_malloc(1)) == NULL) {
 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 return 0;
 }
 } else if (p->data != NULL) {
-*buffer = NULL;
 if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen))
 return 0;
 }
diff --git a/providers/implementations/kdfs/pbkdf2.c 
b/providers/implementations/kdfs/pbkdf2.c
index 16acf300ea..b9e865f8ec 100644
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -126,13 +126,15 @@ static int pbkdf2_set_membuf(unsigned char **buffer, 
size_t *buflen,
  const OSSL_PARAM *p)
 {
 OPENSSL_clear_free(*buffer, *buflen);
+*buffer = NULL;
+*buflen = 0;
+
 if (p->data_size == 0) {
 if ((*buffer = OPENSSL_malloc(1)) == NULL) {
 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 return 0;
 }
 } else if (p->data != NULL) {
-*buffer = NULL;
 if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen))
 return 0;
 }
diff --git a/providers/implementations/kdfs/pkcs12kdf.c 
b/providers/implementations/kdfs/pkcs12kdf.c
index 7f461fe022..a29a618ee8 100644
--- a/providers/implementations/kdfs/pkcs12kdf.c
+++ b/providers/implementations/kdfs/pkcs12kdf.c
@@ -182,13 +182,15 @@ static int pkcs12kdf_set_membuf(unsigned char **buffer, 
size_t *buflen,
  const OSSL_PARAM *p)
 {
 OPENSSL_clear_free(*buffer, *buflen);
+*buffer = NULL;
+*buflen = 0;
+
 if (p->data_size == 0) {
 if ((*buffer = OPENSSL_malloc(1)) == NULL) {
 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 return 0;
 }
 } else if (p->data != NULL) {
-*buffer = NULL;
 if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen))
 return 0;
 }
diff --git a/providers/implementations/kdfs/scrypt.c 
b/providers/implementations/kdfs/scrypt.c
index 2bbea0c7cc..a7072f785f 100644
--- a/providers/implementations/kdfs/scrypt.c
+++ b/providers/implementations/kdfs/scrypt.c
@@ -108,13 +108,15 @@ static int scrypt_set_membuf(unsigned char **buffer, 
size_t *buflen,
  const OSSL_PARAM *p)
 {
 OPENSSL_clear_free(*buffer, *buflen);
+*buffer = NULL;
+*buflen = 0;
+
 if (p->data_size == 0) {
 if ((*buffer = OPENSSL_malloc(1)) == NULL) {
 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 return 0;
 }
 } else if (p->data != NULL) {
-*buffer = NULL;
 if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen))
 return 0;
 }
diff --git a/providers/implementations/kdfs/sshkdf.c 
b/providers/implementations/kdfs/sshkdf.c
index 93a7a64fb5..be23c2143d 100644
--- a/providers/implementations/kdfs/sshkdf.c
+++ b/providers/implementations/kdfs/sshkdf.c
@@ -91,6 +91,7 @@ static int sshkdf_set_membuf(unsigned char **dst, size_t 
*dst_len,
 {
 OPENSSL_clear_free(*dst, *dst_len);
 *dst

Coverity Scan: Analysis completed for openssl/openssl

[openssl] master update

[openssl] OpenSSL_1_1_1-stable update

[openssl] master update

[openssl] openssl-3.0 update

[openssl] master update

6 matches

Site Navigation

Mail list logo

Footer information