[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Tue May 8 07:47:50 UTC 2018 

The branch master has been updated
       via  e15e92dbd5248bc8dbd95d2c0af33a6daf8f7255 (commit)
       via  3d551b20df1acd01f80d3ae00d37177e0fdf344a (commit)
      from  4ffc1842fa7da63b42da0e9553ebee33e2e173aa (commit)


- Log -----------------------------------------------------------------
commit e15e92dbd5248bc8dbd95d2c0af33a6daf8f7255
Author: Matt Caswell <matt at openssl.org>
Date:   Tue May 1 09:32:30 2018 +0100

    Add a CMS API test
    
    Previous tests only invoked CMS via the command line app. This test uses
    the CMS API directly to do and encrypt and decrypt operation. This test
    would have caught the memory leak fixed by the previous commit (when
    building with enable-crypto-mdebug).
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6142)

commit 3d551b20df1acd01f80d3ae00d37177e0fdf344a
Author: Matt Caswell <matt at openssl.org>
Date:   Tue May 1 09:29:17 2018 +0100

    Fix a mem leak in CMS
    
    The function CMS_RecipientInfo_set0_pkey() is a "set0" and therefore
    memory management passes to OpenSSL. If the same function is called again
    then we should ensure that any previous value that was set is freed first
    before we set it again.
    
    Fixes #5052
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6142)

-----------------------------------------------------------------------

Summary of changes:
 crypto/cms/cms_env.c                               |  1 +
 crypto/cms/cms_smime.c                             |  1 +
 test/build.info                                    |  6 +-
 test/cmsapitest.c                                  | 93 ++++++++++++++++++++++
 .../{90-test_tls13ccs.t => 80-test_cmsapi.t}       | 13 ++-
 5 files changed, 106 insertions(+), 8 deletions(-)
 create mode 100644 test/cmsapitest.c
 copy test/recipes/{90-test_tls13ccs.t => 80-test_cmsapi.t} (52%)

diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
index 6ca3be7..7c2d420 100644
--- a/crypto/cms/cms_env.c
+++ b/crypto/cms/cms_env.c
@@ -282,6 +282,7 @@ int CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey)
         CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_PKEY, CMS_R_NOT_KEY_TRANSPORT);
         return 0;
     }
+    EVP_PKEY_free(ri->d.ktri->pkey);
     ri->d.ktri->pkey = pkey;
     return 1;
 }
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index 7e7b6e5..76883bf 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -631,6 +631,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
          * all.
          */
         else if (!cert || !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) {
+            EVP_PKEY_up_ref(pk);
             CMS_RecipientInfo_set0_pkey(ri, pk);
             r = CMS_RecipientInfo_decrypt(cms, ri);
             CMS_RecipientInfo_set0_pkey(ri, NULL);
diff --git a/test/build.info b/test/build.info
index 1708e94..535c5aa 100644
--- a/test/build.info
+++ b/test/build.info
@@ -51,7 +51,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
           recordlentest drbgtest drbg_cavs_test sslbuffertest \
           time_offset_test pemtest ssl_cert_table_internal_test ciphername_test \
           servername_test ocspapitest rsa_mp_test fatalerrtest tls13ccstest \
-          sysdefaulttest
+          sysdefaulttest cmsapitest
 
   SOURCE[versions]=versions.c
   INCLUDE[versions]=../include
@@ -373,6 +373,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
   INCLUDE[servername_test]=../include
   DEPEND[servername_test]=../libcrypto ../libssl libtestutil.a
 
+  SOURCE[cmsapitest]=cmsapitest.c
+  INCLUDE[cmsapitest]=../include
+  DEPEND[cmsapitest]=../libcrypto libtestutil.a
+
   IF[{- !$disabled{psk} -}]
     PROGRAMS_NO_INST=dtls_mtu_test
     SOURCE[dtls_mtu_test]=dtls_mtu_test.c ssltestlib.c
diff --git a/test/cmsapitest.c b/test/cmsapitest.c
new file mode 100644
index 0000000..a79ae8c
--- /dev/null
+++ b/test/cmsapitest.c
@@ -0,0 +1,93 @@
+#include <string.h>
+
+#include <openssl/cms.h>
+#include <openssl/bio.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#include "testutil.h"
+
+static X509 *cert = NULL;
+static EVP_PKEY *privkey = NULL;
+
+static int test_encrypt_decrypt(void)
+{
+    int testresult = 0;
+    STACK_OF(X509) *certstack = sk_X509_new_null();
+    const char *msg = "Hello world";
+    BIO *msgbio = BIO_new_mem_buf(msg, strlen(msg));
+    BIO *outmsgbio = BIO_new(BIO_s_mem());
+    CMS_ContentInfo* content = NULL;
+    char buf[80];
+
+    if (!TEST_ptr(certstack) || !TEST_ptr(msgbio) || !TEST_ptr(outmsgbio))
+        goto end;
+
+    if (!TEST_int_gt(sk_X509_push(certstack, cert), 0))
+        goto end;
+
+    content = CMS_encrypt(certstack, msgbio, EVP_aes_128_cbc(), CMS_TEXT);
+    if (!TEST_ptr(content))
+        goto end;
+
+    if (!TEST_true(CMS_decrypt(content, privkey, cert, NULL, outmsgbio,
+                               CMS_TEXT)))
+        goto end;
+
+    /* Check we got the message we first started with */
+    if (!TEST_int_eq(BIO_gets(outmsgbio, buf, sizeof(buf)), strlen(msg))
+            || !TEST_int_eq(strcmp(buf, msg), 0))
+        goto end;
+
+    testresult = 1;
+ end:
+    sk_X509_free(certstack);
+    BIO_free(msgbio);
+    BIO_free(outmsgbio);
+    CMS_ContentInfo_free(content);
+
+    return testresult;
+}
+
+int setup_tests(void)
+{
+    char *certin = NULL, *privkeyin = NULL;
+    BIO *certbio = NULL, *privkeybio = NULL;
+
+    if (!TEST_ptr(certin = test_get_argument(0))
+            || !TEST_ptr(privkeyin = test_get_argument(1)))
+        return 0;
+
+    certbio = BIO_new_file(certin, "r");
+    if (!TEST_ptr(certbio))
+        return 0;
+    if (!TEST_true(PEM_read_bio_X509(certbio, &cert, NULL, NULL))) {
+        BIO_free(certbio);
+        return 0;
+    }
+    BIO_free(certbio);
+
+    privkeybio = BIO_new_file(privkeyin, "r");
+    if (!TEST_ptr(privkeybio)) {
+        X509_free(cert);
+        cert = NULL;
+        return 0;
+    }
+    if (!TEST_true(PEM_read_bio_PrivateKey(privkeybio, &privkey, NULL, NULL))) {
+        BIO_free(privkeybio);
+        X509_free(cert);
+        cert = NULL;
+        return 0;
+    }
+    BIO_free(privkeybio);
+
+    ADD_TEST(test_encrypt_decrypt);
+
+    return 1;
+}
+
+void cleanup_tests(void)
+{
+    X509_free(cert);
+    EVP_PKEY_free(privkey);
+}
diff --git a/test/recipes/90-test_tls13ccs.t b/test/recipes/80-test_cmsapi.t
similarity index 52%
copy from test/recipes/90-test_tls13ccs.t
copy to test/recipes/80-test_cmsapi.t
index 2ec28ce..990f8a7 100644
--- a/test/recipes/90-test_tls13ccs.t
+++ b/test/recipes/80-test_cmsapi.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -10,13 +10,12 @@
 use OpenSSL::Test::Utils;
 use OpenSSL::Test qw/:DEFAULT srctop_file/;
 
-my $test_name = "test_tls13ccs";
-setup($test_name);
+setup("test_cmsapi");
 
-plan skip_all => "$test_name is not supported in this build"
-    if disabled("tls1_3");
+plan skip_all => "CMS is disabled in this build" if disabled("cms");
 
 plan tests => 1;
 
-ok(run(test(["tls13ccstest", srctop_file("apps", "server.pem"),
-             srctop_file("apps", "server.pem")])), "tls13ccstest");
+ok(run(test(["cmsapitest", srctop_file("test", "certs", "servercert.pem"),
+             srctop_file("test", "certs", "serverkey.pem")])),
+             "running cmsapitest");

More information about the openssl-commits mailing list