[openssl-commits] [openssl] master update

Mon Jun 18 09:51:12 UTC 2018

The branch master has been updated
       via  8263e6cb98a1b0067c13250890e4933e390b59e6 (commit)
       via  49c9c1b3d05782fe76bef2eef8c5224baf843240 (commit)
       via  f2950a46a6217110a7f77b5acfe558a6fb4dfeeb (commit)
      from  748eb991f49585a609ec65b0d8d26835a2911045 (commit)


- Log -----------------------------------------------------------------
commit 8263e6cb98a1b0067c13250890e4933e390b59e6
Author: David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Thu May 10 21:15:56 2018 +0200

    add cast in test/x509aux.c preventing compiler warning for VC-WIN64A architecture
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6217)

commit 49c9c1b3d05782fe76bef2eef8c5224baf843240
Author: David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Thu May 10 21:14:12 2018 +0200

    add 'unsupported cipher mode' diagnostics to evp_lib.c and genpkey.c
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6217)

commit f2950a46a6217110a7f77b5acfe558a6fb4dfeeb
Author: David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Thu May 10 21:10:03 2018 +0200

    remove needless and misleading malloc failure error messages of PKCS12_SAFEBAG_create_pkcs8_encrypt
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6217)

-----------------------------------------------------------------------

Summary of changes:
 apps/genpkey.c               |  7 +++++++
 crypto/asn1/asn1_err.c       |  2 ++
 crypto/asn1/p5_pbev2.c       |  2 +-
 crypto/asn1/p5_scrypt.c      |  2 +-
 crypto/cms/cms_pwri.c        |  2 +-
 crypto/err/openssl.txt       |  3 +++
 crypto/evp/evp_err.c         |  4 ++++
 crypto/evp/evp_lib.c         | 16 ++++++++++++++--
 crypto/pkcs12/p12_sbag.c     | 12 ++----------
 doc/man3/EVP_EncryptInit.pod |  2 +-
 doc/man3/PKCS12_create.pod   |  3 ++-
 include/openssl/asn1err.h    |  1 +
 include/openssl/evperr.h     |  2 ++
 test/x509aux.c               |  2 +-
 14 files changed, 42 insertions(+), 18 deletions(-)

diff --git a/apps/genpkey.c b/apps/genpkey.c
index ce6de94..39fa73c 100644
--- a/apps/genpkey.c
+++ b/apps/genpkey.c
@@ -120,6 +120,13 @@ int genpkey_main(int argc, char **argv)
             if (!opt_cipher(opt_unknown(), &cipher)
                 || do_param == 1)
                 goto opthelp;
+            if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE ||
+                EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE ||
+                EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE ||
+                EVP_CIPHER_mode(cipher) == EVP_CIPH_OCB_MODE) {
+                BIO_printf(bio_err, "%s: cipher mode not supported\n", prog);
+                goto end;
+            }
         }
     }
     argc = opt_num_rest();
diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
index 22bf06f..5907c94 100644
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -322,6 +322,8 @@ static const ERR_STRING_DATA ASN1_str_reasons[] = {
     {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNKNOWN_TAG), "unknown tag"},
     {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE),
     "unsupported any defined by type"},
+    {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_CIPHER),
+    "unsupported cipher"},
     {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE),
     "unsupported public key type"},
     {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_TYPE), "unsupported type"},
diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c
index 14e8700..5b65adc 100644
--- a/crypto/asn1/p5_pbev2.c
+++ b/crypto/asn1/p5_pbev2.c
@@ -78,7 +78,7 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
     /* Dummy cipherinit to just setup the IV, and PRF */
     if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, iv, 0))
         goto err;
-    if (EVP_CIPHER_param_to_asn1(ctx, scheme->parameter) < 0) {
+    if (EVP_CIPHER_param_to_asn1(ctx, scheme->parameter) <= 0) {
         ASN1err(ASN1_F_PKCS5_PBE2_SET_IV, ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
         goto err;
     }
diff --git a/crypto/asn1/p5_scrypt.c b/crypto/asn1/p5_scrypt.c
index 21d74da..1491d96 100644
--- a/crypto/asn1/p5_scrypt.c
+++ b/crypto/asn1/p5_scrypt.c
@@ -93,7 +93,7 @@ X509_ALGOR *PKCS5_pbe2_set_scrypt(const EVP_CIPHER *cipher,
     /* Dummy cipherinit to just setup the IV */
     if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, iv, 0) == 0)
         goto err;
-    if (EVP_CIPHER_param_to_asn1(ctx, scheme->parameter) < 0) {
+    if (EVP_CIPHER_param_to_asn1(ctx, scheme->parameter) <= 0) {
         ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT,
                 ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
         goto err;
diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
index a7e63c7..eac9c2f 100644
--- a/crypto/cms/cms_pwri.c
+++ b/crypto/cms/cms_pwri.c
@@ -326,7 +326,7 @@ int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
     if (!EVP_CipherInit_ex(kekctx, kekcipher, NULL, NULL, NULL, en_de))
         goto err;
     EVP_CIPHER_CTX_set_padding(kekctx, 0);
-    if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) < 0) {
+    if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) <= 0) {
         CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT,
                CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
         goto err;
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index bd54c8b..2a9804c 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -716,9 +716,11 @@ EVP_F_DES_EDE3_WRAP_CIPHER:171:des_ede3_wrap_cipher
 EVP_F_DO_SIGVER_INIT:161:do_sigver_init
 EVP_F_ENC_NEW:199:enc_new
 EVP_F_EVP_CIPHERINIT_EX:123:EVP_CipherInit_ex
+EVP_F_EVP_CIPHER_ASN1_TO_PARAM:202:EVP_CIPHER_asn1_to_param
 EVP_F_EVP_CIPHER_CTX_COPY:163:EVP_CIPHER_CTX_copy
 EVP_F_EVP_CIPHER_CTX_CTRL:124:EVP_CIPHER_CTX_ctrl
 EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH:122:EVP_CIPHER_CTX_set_key_length
+EVP_F_EVP_CIPHER_PARAM_TO_ASN1:203:EVP_CIPHER_param_to_asn1
 EVP_F_EVP_DECRYPTFINAL_EX:101:EVP_DecryptFinal_ex
 EVP_F_EVP_DECRYPTUPDATE:166:EVP_DecryptUpdate
 EVP_F_EVP_DIGESTFINALXOF:174:EVP_DigestFinalXOF
@@ -1831,6 +1833,7 @@ ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE:163:unknown public key type
 ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM:199:unknown signature algorithm
 ASN1_R_UNKNOWN_TAG:194:unknown tag
 ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE:164:unsupported any defined by type
+ASN1_R_UNSUPPORTED_CIPHER:228:unsupported cipher
 ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE:167:unsupported public key type
 ASN1_R_UNSUPPORTED_TYPE:196:unsupported type
 ASN1_R_WRONG_INTEGER_TYPE:225:wrong integer type
diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c
index 809adff..4403fa5 100644
--- a/crypto/evp/evp_err.c
+++ b/crypto/evp/evp_err.c
@@ -35,12 +35,16 @@ static const ERR_STRING_DATA EVP_str_functs[] = {
     {ERR_PACK(ERR_LIB_EVP, EVP_F_DO_SIGVER_INIT, 0), "do_sigver_init"},
     {ERR_PACK(ERR_LIB_EVP, EVP_F_ENC_NEW, 0), "enc_new"},
     {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_CIPHERINIT_EX, 0), "EVP_CipherInit_ex"},
+    {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_CIPHER_ASN1_TO_PARAM, 0),
+     "EVP_CIPHER_asn1_to_param"},
     {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_CIPHER_CTX_COPY, 0),
      "EVP_CIPHER_CTX_copy"},
     {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_CIPHER_CTX_CTRL, 0),
      "EVP_CIPHER_CTX_ctrl"},
     {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH, 0),
      "EVP_CIPHER_CTX_set_key_length"},
+    {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_CIPHER_PARAM_TO_ASN1, 0),
+     "EVP_CIPHER_param_to_asn1"},
     {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_DECRYPTFINAL_EX, 0),
      "EVP_DecryptFinal_ex"},
     {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_DECRYPTUPDATE, 0), "EVP_DecryptUpdate"},
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index c337dca..8ef3f8e 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -32,7 +32,7 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
         case EVP_CIPH_CCM_MODE:
         case EVP_CIPH_XTS_MODE:
         case EVP_CIPH_OCB_MODE:
-            ret = -1;
+            ret = -2;
             break;
 
         default:
@@ -40,6 +40,12 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
         }
     } else
         ret = -1;
+    if (ret <= 0)
+        EVPerr(EVP_F_EVP_CIPHER_PARAM_TO_ASN1, ret == -2 ?
+               ASN1_R_UNSUPPORTED_CIPHER :
+               EVP_R_CIPHER_PARAMETER_ERROR);
+    if (ret < -1)
+        ret = -1;
     return ret;
 }
 
@@ -60,7 +66,7 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
         case EVP_CIPH_CCM_MODE:
         case EVP_CIPH_XTS_MODE:
         case EVP_CIPH_OCB_MODE:
-            ret = -1;
+            ret = -2;
             break;
 
         default:
@@ -69,6 +75,12 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
         }
     } else
         ret = -1;
+    if (ret <= 0)
+        EVPerr(EVP_F_EVP_CIPHER_ASN1_TO_PARAM, ret == -2 ?
+               EVP_R_UNSUPPORTED_CIPHER :
+               EVP_R_CIPHER_PARAMETER_ERROR);
+    if (ret < -1)
+        ret = -1;
     return ret;
 }
 
diff --git a/crypto/pkcs12/p12_sbag.c b/crypto/pkcs12/p12_sbag.c
index 4a3d259..2f1ce58 100644
--- a/crypto/pkcs12/p12_sbag.c
+++ b/crypto/pkcs12/p12_sbag.c
@@ -146,25 +146,17 @@ PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt(int pbe_nid,
     X509_SIG *p8;
 
     pbe_ciph = EVP_get_cipherbynid(pbe_nid);
-
     if (pbe_ciph)
         pbe_nid = -1;
 
     p8 = PKCS8_encrypt(pbe_nid, pbe_ciph, pass, passlen, salt, saltlen, iter,
                        p8inf);
-
-    if (p8 == NULL) {
-        PKCS12err(PKCS12_F_PKCS12_SAFEBAG_CREATE_PKCS8_ENCRYPT, ERR_R_MALLOC_FAILURE);
+    if (p8 == NULL)
         return NULL;
-    }
 
     bag = PKCS12_SAFEBAG_create0_pkcs8(p8);
-
-    if (bag == NULL) {
-        PKCS12err(PKCS12_F_PKCS12_SAFEBAG_CREATE_PKCS8_ENCRYPT, ERR_R_MALLOC_FAILURE);
+    if (bag == NULL)
         X509_SIG_free(p8);
-        return NULL;
-    }
 
     return bag;
 }
diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod
index 2e3a45a..5fdbc33 100644
--- a/doc/man3/EVP_EncryptInit.pod
+++ b/doc/man3/EVP_EncryptInit.pod
@@ -316,7 +316,7 @@ OBJECT IDENTIFIER or NID_undef if it has no defined OBJECT IDENTIFIER.
 EVP_CIPHER_CTX_cipher() returns an B<EVP_CIPHER> structure.
 
 EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return greater
-than zero for success and zero or a negative number.
+than zero for success and zero or a negative number on failure.
 
 EVP_CIPHER_CTX_rand_key() returns 1 for success.
 
diff --git a/doc/man3/PKCS12_create.pod b/doc/man3/PKCS12_create.pod
index 0dcd2ab..1587ea5 100644
--- a/doc/man3/PKCS12_create.pod
+++ b/doc/man3/PKCS12_create.pod
@@ -22,7 +22,8 @@ the structure and B<cert> its corresponding certificates. B<ca>, if not B<NULL>
 is an optional set of certificates to also include in the structure.
 
 B<nid_key> and B<nid_cert> are the encryption algorithms that should be used
-for the key and certificate respectively. B<iter> is the encryption algorithm
+for the key and certificate respectively. The modes
+GCM, CCM, XTS, and OCB are unsupported. B<iter> is the encryption algorithm
 iteration count to use and B<mac_iter> is the MAC iteration count to use.
 B<keytype> is the type of key.
 
diff --git a/include/openssl/asn1err.h b/include/openssl/asn1err.h
index 048a737..8001120 100644
--- a/include/openssl/asn1err.h
+++ b/include/openssl/asn1err.h
@@ -241,6 +241,7 @@ int ERR_load_ASN1_strings(void);
 # define ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM               199
 # define ASN1_R_UNKNOWN_TAG                               194
 # define ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE           164
+# define ASN1_R_UNSUPPORTED_CIPHER                        228
 # define ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE               167
 # define ASN1_R_UNSUPPORTED_TYPE                          196
 # define ASN1_R_WRONG_INTEGER_TYPE                        225
diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h
index a8f79c7..c742ea5 100644
--- a/include/openssl/evperr.h
+++ b/include/openssl/evperr.h
@@ -38,9 +38,11 @@ int ERR_load_EVP_strings(void);
 # define EVP_F_DO_SIGVER_INIT                             161
 # define EVP_F_ENC_NEW                                    199
 # define EVP_F_EVP_CIPHERINIT_EX                          123
+# define EVP_F_EVP_CIPHER_ASN1_TO_PARAM                   202
 # define EVP_F_EVP_CIPHER_CTX_COPY                        163
 # define EVP_F_EVP_CIPHER_CTX_CTRL                        124
 # define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH              122
+# define EVP_F_EVP_CIPHER_PARAM_TO_ASN1                   203
 # define EVP_F_EVP_DECRYPTFINAL_EX                        101
 # define EVP_F_EVP_DECRYPTUPDATE                          166
 # define EVP_F_EVP_DIGESTFINALXOF                         174
diff --git a/test/x509aux.c b/test/x509aux.c
index b66e1de..72e0082 100644
--- a/test/x509aux.c
+++ b/test/x509aux.c
@@ -161,6 +161,6 @@ int setup_tests(void)
         return 0;
     }
 
-    ADD_ALL_TESTS(test_certs, n);
+    ADD_ALL_TESTS(test_certs, (int)n);
     return 1;
 }
