Coverity Scan: Analysis completed for openssl/openssl
Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DHOkm_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeEbzk-2FmOaOcXTk6dFlWZ-2FRmyVoqpfzIM1ml7wWPIAVt1Z-2BuYOOj92xOODHvubRn88tt46S-2BpRNVd-2F1Cc9VJ47VZ-2FXLfi5z1-2BU5X42pD7fIEFarCPfUFjY-2FCVG5kA5MV-2BeNTJ-2BeD589ZG7k0qN6Oi23-2BqW7M-2FsM7CU-2FC21GmS1ZX91jxDh7BTJSUNr-2F64QTsUtY-3D Build ID: 421168 Analysis Summary: New defects found: 0 Defects eliminated: 0
[openssl] master update
The branch master has been updated via 07ba69483a7d8005a53284cbde55b9dac8c5c554 (commit) from a632bfaa4ee3339749f7a6a07ab4d0abee4eaaef (commit) - Log - commit 07ba69483a7d8005a53284cbde55b9dac8c5c554 Author: Dmitry Belyavskiy Date: Mon Nov 22 10:14:27 2021 +0100 Refactor: a separate func for provider activation from config Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17099) --- Summary of changes: crypto/provider_conf.c | 140 ++--- 1 file changed, 75 insertions(+), 65 deletions(-) diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c index c13c887c3d..6a62f0df60 100644 --- a/crypto/provider_conf.c +++ b/crypto/provider_conf.c @@ -136,13 +136,86 @@ static int prov_already_activated(const char *name, return 0; } +static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name, + const char *value, const char *path, + int soft, const CONF *cnf) +{ +PROVIDER_CONF_GLOBAL *pcgbl += ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, +_conf_ossl_ctx_method); +OSSL_PROVIDER *prov = NULL, *actual = NULL; +int ok = 0; + +if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) { +ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); +return 0; +} +if (!prov_already_activated(name, pcgbl->activated_providers)) { +/* +* There is an attempt to activate a provider, so we should disable +* loading of fallbacks. Otherwise a misconfiguration could mean the +* intended provider does not get loaded. Subsequent fetches could +* then fallback to the default provider - which may be the wrong +* thing. +*/ +if (!ossl_provider_disable_fallback_loading(libctx)) { +CRYPTO_THREAD_unlock(pcgbl->lock); +ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); +return 0; +} +prov = ossl_provider_find(libctx, name, 1); +if (prov == NULL) +prov = ossl_provider_new(libctx, name, NULL, 1); +if (prov == NULL) { +CRYPTO_THREAD_unlock(pcgbl->lock); +if (soft) +ERR_clear_error(); +return 0; +} + +if (path != NULL) +ossl_provider_set_module_path(prov, path); + +ok = provider_conf_params(prov, NULL, NULL, value, cnf); + +if (ok) { +if (!ossl_provider_activate(prov, 1, 0)) { +ok = 0; +} else if (!ossl_provider_add_to_store(prov, , 0)) { +ossl_provider_deactivate(prov, 1); +ok = 0; +} else if (actual != prov + && !ossl_provider_activate(actual, 1, 0)) { +ossl_provider_free(actual); +ok = 0; +} else { +if (pcgbl->activated_providers == NULL) +pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null(); +if (pcgbl->activated_providers == NULL +|| !sk_OSSL_PROVIDER_push(pcgbl->activated_providers, + actual)) { +ossl_provider_deactivate(actual, 1); +ossl_provider_free(actual); +ok = 0; +} else { +ok = 1; +} +} +} +if (!ok) +ossl_provider_free(prov); +} +CRYPTO_THREAD_unlock(pcgbl->lock); + +return ok; +} + static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, const char *value, const CONF *cnf) { int i; STACK_OF(CONF_VALUE) *ecmds; int soft = 0; -OSSL_PROVIDER *prov = NULL, *actual = NULL; const char *path = NULL; long activate = 0; int ok = 0; @@ -182,70 +255,7 @@ static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, } if (activate) { -PROVIDER_CONF_GLOBAL *pcgbl -= ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, -_conf_ossl_ctx_method); - -if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) { -ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); -return 0; -} -if (!prov_already_activated(name, pcgbl->activated_providers)) { -/* -* There is an attempt to activate a provider, so we should disable -* loading of fallbacks. Otherwise a misconfiguration could mean the -* intended provider does not get loaded. Subsequent fetches could -* then fallback to the
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 76eb12aa278cb30a495bcee3fdc176d0a6c35052 (commit) from 162bd56e99b2e73cfdc6777acb3f1b3dafccc9ba (commit) - Log - commit 76eb12aa278cb30a495bcee3fdc176d0a6c35052 Author: Dmitry Belyavskiy Date: Mon Nov 29 16:37:32 2021 +0100 No EtM for GOST ciphers Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17158) --- Summary of changes: ssl/statem/extensions_clnt.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 621fcfa561..9d38ac23b5 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -1741,7 +1741,9 @@ int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, /* Ignore if inappropriate ciphersuite */ if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) && s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD -&& s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4) +&& s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4 +&& s->s3->tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT +&& s->s3->tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12) s->ext.use_etm = 1; return 1;
[openssl] master update
The branch master has been updated via a632bfaa4ee3339749f7a6a07ab4d0abee4eaaef (commit) from d2217c88df6e65c756013417e5ee4f470dd12470 (commit) - Log - commit a632bfaa4ee3339749f7a6a07ab4d0abee4eaaef Author: Tomas Mraz Date: Tue Nov 30 11:39:52 2021 +0100 pvkkdf: Always reset buflen after clearing the buffer Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17164) --- Summary of changes: providers/implementations/kdfs/pvkkdf.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/providers/implementations/kdfs/pvkkdf.c b/providers/implementations/kdfs/pvkkdf.c index 051c625455..e953911c83 100644 --- a/providers/implementations/kdfs/pvkkdf.c +++ b/providers/implementations/kdfs/pvkkdf.c @@ -97,13 +97,15 @@ static int pvk_set_membuf(unsigned char **buffer, size_t *buflen, const OSSL_PARAM *p) { OPENSSL_clear_free(*buffer, *buflen); +*buffer = NULL; +*buflen = 0; + if (p->data_size == 0) { if ((*buffer = OPENSSL_malloc(1)) == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return 0; } } else if (p->data != NULL) { -*buffer = NULL; if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen)) return 0; }
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 8a1ff913be1951432500d176e5f7a33901fa83b4 (commit) from 015e3f59434651c454c94888d0c6d57c2203cd42 (commit) - Log - commit 8a1ff913be1951432500d176e5f7a33901fa83b4 Author: Tomas Mraz Date: Tue Nov 30 11:52:10 2021 +0100 various kdfs: Always reset buflen after clearing the buffer Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17165) (cherry picked from commit d2217c88df6e65c756013417e5ee4f470dd12470) --- Summary of changes: providers/implementations/kdfs/krb5kdf.c | 1 + providers/implementations/kdfs/pbkdf1.c| 4 +++- providers/implementations/kdfs/pbkdf2.c| 4 +++- providers/implementations/kdfs/pkcs12kdf.c | 4 +++- providers/implementations/kdfs/scrypt.c| 4 +++- providers/implementations/kdfs/sshkdf.c| 1 + 6 files changed, 14 insertions(+), 4 deletions(-) diff --git a/providers/implementations/kdfs/krb5kdf.c b/providers/implementations/kdfs/krb5kdf.c index f8d4baa568..2c887f0eb9 100644 --- a/providers/implementations/kdfs/krb5kdf.c +++ b/providers/implementations/kdfs/krb5kdf.c @@ -98,6 +98,7 @@ static int krb5kdf_set_membuf(unsigned char **dst, size_t *dst_len, { OPENSSL_clear_free(*dst, *dst_len); *dst = NULL; +*dst_len = 0; return OSSL_PARAM_get_octet_string(p, (void **)dst, 0, dst_len); } diff --git a/providers/implementations/kdfs/pbkdf1.c b/providers/implementations/kdfs/pbkdf1.c index af715efc91..1a042bac9f 100644 --- a/providers/implementations/kdfs/pbkdf1.c +++ b/providers/implementations/kdfs/pbkdf1.c @@ -134,13 +134,15 @@ static int kdf_pbkdf1_set_membuf(unsigned char **buffer, size_t *buflen, const OSSL_PARAM *p) { OPENSSL_clear_free(*buffer, *buflen); +*buffer = NULL; +*buflen = 0; + if (p->data_size == 0) { if ((*buffer = OPENSSL_malloc(1)) == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return 0; } } else if (p->data != NULL) { -*buffer = NULL; if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen)) return 0; } diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c index fe247028ea..2a0ae63acc 100644 --- a/providers/implementations/kdfs/pbkdf2.c +++ b/providers/implementations/kdfs/pbkdf2.c @@ -126,13 +126,15 @@ static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen, const OSSL_PARAM *p) { OPENSSL_clear_free(*buffer, *buflen); +*buffer = NULL; +*buflen = 0; + if (p->data_size == 0) { if ((*buffer = OPENSSL_malloc(1)) == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return 0; } } else if (p->data != NULL) { -*buffer = NULL; if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen)) return 0; } diff --git a/providers/implementations/kdfs/pkcs12kdf.c b/providers/implementations/kdfs/pkcs12kdf.c index 2037b458c8..3218daa781 100644 --- a/providers/implementations/kdfs/pkcs12kdf.c +++ b/providers/implementations/kdfs/pkcs12kdf.c @@ -182,13 +182,15 @@ static int pkcs12kdf_set_membuf(unsigned char **buffer, size_t *buflen, const OSSL_PARAM *p) { OPENSSL_clear_free(*buffer, *buflen); +*buffer = NULL; +*buflen = 0; + if (p->data_size == 0) { if ((*buffer = OPENSSL_malloc(1)) == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return 0; } } else if (p->data != NULL) { -*buffer = NULL; if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen)) return 0; } diff --git a/providers/implementations/kdfs/scrypt.c b/providers/implementations/kdfs/scrypt.c index 2bbea0c7cc..a7072f785f 100644 --- a/providers/implementations/kdfs/scrypt.c +++ b/providers/implementations/kdfs/scrypt.c @@ -108,13 +108,15 @@ static int scrypt_set_membuf(unsigned char **buffer, size_t *buflen, const OSSL_PARAM *p) { OPENSSL_clear_free(*buffer, *buflen); +*buffer = NULL; +*buflen = 0; + if (p->data_size == 0) { if ((*buffer = OPENSSL_malloc(1)) == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return 0; } } else if (p->data != NULL) { -*buffer = NULL; if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen)) return 0; } diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c index 93a7a64fb5..be23c2143d 100644 --- a/providers/implementations/kdfs/sshkdf.c +++ b/providers/implementations/kdfs/sshkdf.c @@ -91,6 +91,7 @@ static int sshkdf_set_membuf(unsigned
[openssl] master update
The branch master has been updated via d2217c88df6e65c756013417e5ee4f470dd12470 (commit) from 29a27cb2c5c1757831f42117871f8c59058343a9 (commit) - Log - commit d2217c88df6e65c756013417e5ee4f470dd12470 Author: Tomas Mraz Date: Tue Nov 30 11:52:10 2021 +0100 various kdfs: Always reset buflen after clearing the buffer Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17165) --- Summary of changes: providers/implementations/kdfs/krb5kdf.c | 1 + providers/implementations/kdfs/pbkdf1.c| 4 +++- providers/implementations/kdfs/pbkdf2.c| 4 +++- providers/implementations/kdfs/pkcs12kdf.c | 4 +++- providers/implementations/kdfs/scrypt.c| 4 +++- providers/implementations/kdfs/sshkdf.c| 1 + 6 files changed, 14 insertions(+), 4 deletions(-) diff --git a/providers/implementations/kdfs/krb5kdf.c b/providers/implementations/kdfs/krb5kdf.c index f8d4baa568..2c887f0eb9 100644 --- a/providers/implementations/kdfs/krb5kdf.c +++ b/providers/implementations/kdfs/krb5kdf.c @@ -98,6 +98,7 @@ static int krb5kdf_set_membuf(unsigned char **dst, size_t *dst_len, { OPENSSL_clear_free(*dst, *dst_len); *dst = NULL; +*dst_len = 0; return OSSL_PARAM_get_octet_string(p, (void **)dst, 0, dst_len); } diff --git a/providers/implementations/kdfs/pbkdf1.c b/providers/implementations/kdfs/pbkdf1.c index c93ff9b3eb..b9b164c4e2 100644 --- a/providers/implementations/kdfs/pbkdf1.c +++ b/providers/implementations/kdfs/pbkdf1.c @@ -134,13 +134,15 @@ static int kdf_pbkdf1_set_membuf(unsigned char **buffer, size_t *buflen, const OSSL_PARAM *p) { OPENSSL_clear_free(*buffer, *buflen); +*buffer = NULL; +*buflen = 0; + if (p->data_size == 0) { if ((*buffer = OPENSSL_malloc(1)) == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return 0; } } else if (p->data != NULL) { -*buffer = NULL; if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen)) return 0; } diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c index 16acf300ea..b9e865f8ec 100644 --- a/providers/implementations/kdfs/pbkdf2.c +++ b/providers/implementations/kdfs/pbkdf2.c @@ -126,13 +126,15 @@ static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen, const OSSL_PARAM *p) { OPENSSL_clear_free(*buffer, *buflen); +*buffer = NULL; +*buflen = 0; + if (p->data_size == 0) { if ((*buffer = OPENSSL_malloc(1)) == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return 0; } } else if (p->data != NULL) { -*buffer = NULL; if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen)) return 0; } diff --git a/providers/implementations/kdfs/pkcs12kdf.c b/providers/implementations/kdfs/pkcs12kdf.c index 7f461fe022..a29a618ee8 100644 --- a/providers/implementations/kdfs/pkcs12kdf.c +++ b/providers/implementations/kdfs/pkcs12kdf.c @@ -182,13 +182,15 @@ static int pkcs12kdf_set_membuf(unsigned char **buffer, size_t *buflen, const OSSL_PARAM *p) { OPENSSL_clear_free(*buffer, *buflen); +*buffer = NULL; +*buflen = 0; + if (p->data_size == 0) { if ((*buffer = OPENSSL_malloc(1)) == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return 0; } } else if (p->data != NULL) { -*buffer = NULL; if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen)) return 0; } diff --git a/providers/implementations/kdfs/scrypt.c b/providers/implementations/kdfs/scrypt.c index 2bbea0c7cc..a7072f785f 100644 --- a/providers/implementations/kdfs/scrypt.c +++ b/providers/implementations/kdfs/scrypt.c @@ -108,13 +108,15 @@ static int scrypt_set_membuf(unsigned char **buffer, size_t *buflen, const OSSL_PARAM *p) { OPENSSL_clear_free(*buffer, *buflen); +*buffer = NULL; +*buflen = 0; + if (p->data_size == 0) { if ((*buffer = OPENSSL_malloc(1)) == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return 0; } } else if (p->data != NULL) { -*buffer = NULL; if (!OSSL_PARAM_get_octet_string(p, (void **)buffer, 0, buflen)) return 0; } diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c index 93a7a64fb5..be23c2143d 100644 --- a/providers/implementations/kdfs/sshkdf.c +++ b/providers/implementations/kdfs/sshkdf.c @@ -91,6 +91,7 @@ static int sshkdf_set_membuf(unsigned char **dst, size_t *dst_len, { OPENSSL_clear_free(*dst, *dst_len); *dst