[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Mon Jun 18 09:51:12 UTC 2018
The branch master has been updated
via 8263e6cb98a1b0067c13250890e4933e390b59e6 (commit)
via 49c9c1b3d05782fe76bef2eef8c5224baf843240 (commit)
via f2950a46a6217110a7f77b5acfe558a6fb4dfeeb (commit)
from 748eb991f49585a609ec65b0d8d26835a2911045 (commit)
- Log -----------------------------------------------------------------
commit 8263e6cb98a1b0067c13250890e4933e390b59e6
Author: David von Oheimb <David.von.Oheimb at siemens.com>
Date: Thu May 10 21:15:56 2018 +0200
add cast in test/x509aux.c preventing compiler warning for VC-WIN64A architecture
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6217)
commit 49c9c1b3d05782fe76bef2eef8c5224baf843240
Author: David von Oheimb <David.von.Oheimb at siemens.com>
Date: Thu May 10 21:14:12 2018 +0200
add 'unsupported cipher mode' diagnostics to evp_lib.c and genpkey.c
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6217)
commit f2950a46a6217110a7f77b5acfe558a6fb4dfeeb
Author: David von Oheimb <David.von.Oheimb at siemens.com>
Date: Thu May 10 21:10:03 2018 +0200
remove needless and misleading malloc failure error messages of PKCS12_SAFEBAG_create_pkcs8_encrypt
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6217)
-----------------------------------------------------------------------
Summary of changes:
apps/genpkey.c | 7 +++++++
crypto/asn1/asn1_err.c | 2 ++
crypto/asn1/p5_pbev2.c | 2 +-
crypto/asn1/p5_scrypt.c | 2 +-
crypto/cms/cms_pwri.c | 2 +-
crypto/err/openssl.txt | 3 +++
crypto/evp/evp_err.c | 4 ++++
crypto/evp/evp_lib.c | 16 ++++++++++++++--
crypto/pkcs12/p12_sbag.c | 12 ++----------
doc/man3/EVP_EncryptInit.pod | 2 +-
doc/man3/PKCS12_create.pod | 3 ++-
include/openssl/asn1err.h | 1 +
include/openssl/evperr.h | 2 ++
test/x509aux.c | 2 +-
14 files changed, 42 insertions(+), 18 deletions(-)
diff --git a/apps/genpkey.c b/apps/genpkey.c
index ce6de94..39fa73c 100644
--- a/apps/genpkey.c
+++ b/apps/genpkey.c
@@ -120,6 +120,13 @@ int genpkey_main(int argc, char **argv)
if (!opt_cipher(opt_unknown(), &cipher)
|| do_param == 1)
goto opthelp;
+ if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE ||
+ EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE ||
+ EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE ||
+ EVP_CIPHER_mode(cipher) == EVP_CIPH_OCB_MODE) {
+ BIO_printf(bio_err, "%s: cipher mode not supported\n", prog);
+ goto end;
+ }
}
}
argc = opt_num_rest();
diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
index 22bf06f..5907c94 100644
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -322,6 +322,8 @@ static const ERR_STRING_DATA ASN1_str_reasons[] = {
{ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNKNOWN_TAG), "unknown tag"},
{ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE),
"unsupported any defined by type"},
+ {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_CIPHER),
+ "unsupported cipher"},
{ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE),
"unsupported public key type"},
{ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_TYPE), "unsupported type"},
diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c
index 14e8700..5b65adc 100644
--- a/crypto/asn1/p5_pbev2.c
+++ b/crypto/asn1/p5_pbev2.c
@@ -78,7 +78,7 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
/* Dummy cipherinit to just setup the IV, and PRF */
if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, iv, 0))
goto err;
- if (EVP_CIPHER_param_to_asn1(ctx, scheme->parameter) < 0) {
+ if (EVP_CIPHER_param_to_asn1(ctx, scheme->parameter) <= 0) {
ASN1err(ASN1_F_PKCS5_PBE2_SET_IV, ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
goto err;
}
diff --git a/crypto/asn1/p5_scrypt.c b/crypto/asn1/p5_scrypt.c
index 21d74da..1491d96 100644
--- a/crypto/asn1/p5_scrypt.c
+++ b/crypto/asn1/p5_scrypt.c
@@ -93,7 +93,7 @@ X509_ALGOR *PKCS5_pbe2_set_scrypt(const EVP_CIPHER *cipher,
/* Dummy cipherinit to just setup the IV */
if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, iv, 0) == 0)
goto err;
- if (EVP_CIPHER_param_to_asn1(ctx, scheme->parameter) < 0) {
+ if (EVP_CIPHER_param_to_asn1(ctx, scheme->parameter) <= 0) {
ASN1err(ASN1_F_PKCS5_PBE2_SET_SCRYPT,
ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
goto err;
diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
index a7e63c7..eac9c2f 100644
--- a/crypto/cms/cms_pwri.c
+++ b/crypto/cms/cms_pwri.c
@@ -326,7 +326,7 @@ int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
if (!EVP_CipherInit_ex(kekctx, kekcipher, NULL, NULL, NULL, en_de))
goto err;
EVP_CIPHER_CTX_set_padding(kekctx, 0);
- if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) < 0) {
+ if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) <= 0) {
CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT,
CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
goto err;
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index bd54c8b..2a9804c 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -716,9 +716,11 @@ EVP_F_DES_EDE3_WRAP_CIPHER:171:des_ede3_wrap_cipher
EVP_F_DO_SIGVER_INIT:161:do_sigver_init
EVP_F_ENC_NEW:199:enc_new
EVP_F_EVP_CIPHERINIT_EX:123:EVP_CipherInit_ex
+EVP_F_EVP_CIPHER_ASN1_TO_PARAM:202:EVP_CIPHER_asn1_to_param
EVP_F_EVP_CIPHER_CTX_COPY:163:EVP_CIPHER_CTX_copy
EVP_F_EVP_CIPHER_CTX_CTRL:124:EVP_CIPHER_CTX_ctrl
EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH:122:EVP_CIPHER_CTX_set_key_length
+EVP_F_EVP_CIPHER_PARAM_TO_ASN1:203:EVP_CIPHER_param_to_asn1
EVP_F_EVP_DECRYPTFINAL_EX:101:EVP_DecryptFinal_ex
EVP_F_EVP_DECRYPTUPDATE:166:EVP_DecryptUpdate
EVP_F_EVP_DIGESTFINALXOF:174:EVP_DigestFinalXOF
@@ -1831,6 +1833,7 @@ ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE:163:unknown public key type
ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM:199:unknown signature algorithm
ASN1_R_UNKNOWN_TAG:194:unknown tag
ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE:164:unsupported any defined by type
+ASN1_R_UNSUPPORTED_CIPHER:228:unsupported cipher
ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE:167:unsupported public key type
ASN1_R_UNSUPPORTED_TYPE:196:unsupported type
ASN1_R_WRONG_INTEGER_TYPE:225:wrong integer type
diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c
index 809adff..4403fa5 100644
--- a/crypto/evp/evp_err.c
+++ b/crypto/evp/evp_err.c
@@ -35,12 +35,16 @@ static const ERR_STRING_DATA EVP_str_functs[] = {
{ERR_PACK(ERR_LIB_EVP, EVP_F_DO_SIGVER_INIT, 0), "do_sigver_init"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_ENC_NEW, 0), "enc_new"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_CIPHERINIT_EX, 0), "EVP_CipherInit_ex"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_CIPHER_ASN1_TO_PARAM, 0),
+ "EVP_CIPHER_asn1_to_param"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_CIPHER_CTX_COPY, 0),
"EVP_CIPHER_CTX_copy"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_CIPHER_CTX_CTRL, 0),
"EVP_CIPHER_CTX_ctrl"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH, 0),
"EVP_CIPHER_CTX_set_key_length"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_CIPHER_PARAM_TO_ASN1, 0),
+ "EVP_CIPHER_param_to_asn1"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_DECRYPTFINAL_EX, 0),
"EVP_DecryptFinal_ex"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_DECRYPTUPDATE, 0), "EVP_DecryptUpdate"},
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index c337dca..8ef3f8e 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -32,7 +32,7 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
case EVP_CIPH_CCM_MODE:
case EVP_CIPH_XTS_MODE:
case EVP_CIPH_OCB_MODE:
- ret = -1;
+ ret = -2;
break;
default:
@@ -40,6 +40,12 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
}
} else
ret = -1;
+ if (ret <= 0)
+ EVPerr(EVP_F_EVP_CIPHER_PARAM_TO_ASN1, ret == -2 ?
+ ASN1_R_UNSUPPORTED_CIPHER :
+ EVP_R_CIPHER_PARAMETER_ERROR);
+ if (ret < -1)
+ ret = -1;
return ret;
}
@@ -60,7 +66,7 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
case EVP_CIPH_CCM_MODE:
case EVP_CIPH_XTS_MODE:
case EVP_CIPH_OCB_MODE:
- ret = -1;
+ ret = -2;
break;
default:
@@ -69,6 +75,12 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
}
} else
ret = -1;
+ if (ret <= 0)
+ EVPerr(EVP_F_EVP_CIPHER_ASN1_TO_PARAM, ret == -2 ?
+ EVP_R_UNSUPPORTED_CIPHER :
+ EVP_R_CIPHER_PARAMETER_ERROR);
+ if (ret < -1)
+ ret = -1;
return ret;
}
diff --git a/crypto/pkcs12/p12_sbag.c b/crypto/pkcs12/p12_sbag.c
index 4a3d259..2f1ce58 100644
--- a/crypto/pkcs12/p12_sbag.c
+++ b/crypto/pkcs12/p12_sbag.c
@@ -146,25 +146,17 @@ PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt(int pbe_nid,
X509_SIG *p8;
pbe_ciph = EVP_get_cipherbynid(pbe_nid);
-
if (pbe_ciph)
pbe_nid = -1;
p8 = PKCS8_encrypt(pbe_nid, pbe_ciph, pass, passlen, salt, saltlen, iter,
p8inf);
-
- if (p8 == NULL) {
- PKCS12err(PKCS12_F_PKCS12_SAFEBAG_CREATE_PKCS8_ENCRYPT, ERR_R_MALLOC_FAILURE);
+ if (p8 == NULL)
return NULL;
- }
bag = PKCS12_SAFEBAG_create0_pkcs8(p8);
-
- if (bag == NULL) {
- PKCS12err(PKCS12_F_PKCS12_SAFEBAG_CREATE_PKCS8_ENCRYPT, ERR_R_MALLOC_FAILURE);
+ if (bag == NULL)
X509_SIG_free(p8);
- return NULL;
- }
return bag;
}
diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod
index 2e3a45a..5fdbc33 100644
--- a/doc/man3/EVP_EncryptInit.pod
+++ b/doc/man3/EVP_EncryptInit.pod
@@ -316,7 +316,7 @@ OBJECT IDENTIFIER or NID_undef if it has no defined OBJECT IDENTIFIER.
EVP_CIPHER_CTX_cipher() returns an B<EVP_CIPHER> structure.
EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return greater
-than zero for success and zero or a negative number.
+than zero for success and zero or a negative number on failure.
EVP_CIPHER_CTX_rand_key() returns 1 for success.
diff --git a/doc/man3/PKCS12_create.pod b/doc/man3/PKCS12_create.pod
index 0dcd2ab..1587ea5 100644
--- a/doc/man3/PKCS12_create.pod
+++ b/doc/man3/PKCS12_create.pod
@@ -22,7 +22,8 @@ the structure and B<cert> its corresponding certificates. B<ca>, if not B<NULL>
is an optional set of certificates to also include in the structure.
B<nid_key> and B<nid_cert> are the encryption algorithms that should be used
-for the key and certificate respectively. B<iter> is the encryption algorithm
+for the key and certificate respectively. The modes
+GCM, CCM, XTS, and OCB are unsupported. B<iter> is the encryption algorithm
iteration count to use and B<mac_iter> is the MAC iteration count to use.
B<keytype> is the type of key.
diff --git a/include/openssl/asn1err.h b/include/openssl/asn1err.h
index 048a737..8001120 100644
--- a/include/openssl/asn1err.h
+++ b/include/openssl/asn1err.h
@@ -241,6 +241,7 @@ int ERR_load_ASN1_strings(void);
# define ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM 199
# define ASN1_R_UNKNOWN_TAG 194
# define ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE 164
+# define ASN1_R_UNSUPPORTED_CIPHER 228
# define ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE 167
# define ASN1_R_UNSUPPORTED_TYPE 196
# define ASN1_R_WRONG_INTEGER_TYPE 225
diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h
index a8f79c7..c742ea5 100644
--- a/include/openssl/evperr.h
+++ b/include/openssl/evperr.h
@@ -38,9 +38,11 @@ int ERR_load_EVP_strings(void);
# define EVP_F_DO_SIGVER_INIT 161
# define EVP_F_ENC_NEW 199
# define EVP_F_EVP_CIPHERINIT_EX 123
+# define EVP_F_EVP_CIPHER_ASN1_TO_PARAM 202
# define EVP_F_EVP_CIPHER_CTX_COPY 163
# define EVP_F_EVP_CIPHER_CTX_CTRL 124
# define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH 122
+# define EVP_F_EVP_CIPHER_PARAM_TO_ASN1 203
# define EVP_F_EVP_DECRYPTFINAL_EX 101
# define EVP_F_EVP_DECRYPTUPDATE 166
# define EVP_F_EVP_DIGESTFINALXOF 174
diff --git a/test/x509aux.c b/test/x509aux.c
index b66e1de..72e0082 100644
--- a/test/x509aux.c
+++ b/test/x509aux.c
@@ -161,6 +161,6 @@ int setup_tests(void)
return 0;
}
- ADD_ALL_TESTS(test_certs, n);
+ ADD_ALL_TESTS(test_certs, (int)n);
return 1;
}
More information about the openssl-commits
mailing list