[openssl] OpenSSL_1_1_1-stable update

Mon Sep 30 09:19:44 UTC 2019

The branch OpenSSL_1_1_1-stable has been updated
       via  f5517d95217fb5ec152a70be7fc4f399925efeb2 (commit)
      from  312674e5148a44843202040006f47fc374902f88 (commit)


- Log -----------------------------------------------------------------
commit f5517d95217fb5ec152a70be7fc4f399925efeb2
Author: Paul Yang <kaishen.yy at antfin.com>
Date:   Mon Sep 30 14:05:31 2019 +0800

    Fix a bundle of mischecks of return values
    
    Several EVP_PKEY_xxxx functions return 0 and a negative value for
    indicating errors. Some places call these functions with a zero return
    value check only, which misses the check for the negative scenarios.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/10055)
    
    (cherry picked from commit 7e3ae24832e0705583b1471febf3dc0eb1cc021f)

-----------------------------------------------------------------------

Summary of changes:
 apps/speed.c          | 12 ++++++------
 crypto/cms/cms_kari.c |  2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/apps/speed.c b/apps/speed.c
index 7f8ba7c096..d396b3acca 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -3006,7 +3006,7 @@ int speed_main(int argc, char **argv)
                 pctx = NULL;
             }
             if (kctx == NULL ||      /* keygen ctx is not null */
-                !EVP_PKEY_keygen_init(kctx) /* init keygen ctx */ ) {
+                EVP_PKEY_keygen_init(kctx) <= 0/* init keygen ctx */ ) {
                 ecdh_checks = 0;
                 BIO_printf(bio_err, "ECDH keygen failure.\n");
                 ERR_print_errors(bio_err);
@@ -3014,12 +3014,12 @@ int speed_main(int argc, char **argv)
                 break;
             }
 
-            if (!EVP_PKEY_keygen(kctx, &key_A) || /* generate secret key A */
-                !EVP_PKEY_keygen(kctx, &key_B) || /* generate secret key B */
+            if (EVP_PKEY_keygen(kctx, &key_A) <= 0 || /* generate secret key A */
+                EVP_PKEY_keygen(kctx, &key_B) <= 0 || /* generate secret key B */
                 !(ctx = EVP_PKEY_CTX_new(key_A, NULL)) || /* derivation ctx from skeyA */
-                !EVP_PKEY_derive_init(ctx) || /* init derivation ctx */
-                !EVP_PKEY_derive_set_peer(ctx, key_B) || /* set peer pubkey in ctx */
-                !EVP_PKEY_derive(ctx, NULL, &outlen) || /* determine max length */
+                EVP_PKEY_derive_init(ctx) <= 0 || /* init derivation ctx */
+                EVP_PKEY_derive_set_peer(ctx, key_B) <= 0 || /* set peer pubkey in ctx */
+                EVP_PKEY_derive(ctx, NULL, &outlen) <= 0 || /* determine max length */
                 outlen == 0 ||  /* ensure outlen is a valid size */
                 outlen > MAX_ECDH_SIZE /* avoid buffer overflow */ ) {
                 ecdh_checks = 0;
diff --git a/crypto/cms/cms_kari.c b/crypto/cms/cms_kari.c
index 3980bf8f3f..cafc3040ac 100644
--- a/crypto/cms/cms_kari.c
+++ b/crypto/cms/cms_kari.c
@@ -162,7 +162,7 @@ int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk)
     if (!pk)
         return 1;
     pctx = EVP_PKEY_CTX_new(pk, NULL);
-    if (!pctx || !EVP_PKEY_derive_init(pctx))
+    if (!pctx || EVP_PKEY_derive_init(pctx) <= 0)
         goto err;
     kari->pctx = pctx;
     return 1;
