[openssl] master update

shane.lontis at oracle.com shane.lontis at oracle.com
Sat Sep 12 06:04:43 UTC 2020


The branch master has been updated
       via  5e8cd0a4f48f06df2542e7c74dcbb4310bce7c4c (commit)
       via  97f7a6d42e9d2f38969aff75b0d8f00d934ac8cf (commit)
       via  9951eaf467f8cc43ffad69222b42340c3b24cd52 (commit)
       via  0f0b7dfbe5740da9e3fdf4753f8fb56301af13b7 (commit)
       via  6e417f951c64f4643cdc62c370badf46d5fe485e (commit)
       via  34816949460e7131af4de421806845be213354d4 (commit)
      from  c1aba0763c477f345c065007ff6295dbe6ec4f64 (commit)


- Log -----------------------------------------------------------------
commit 5e8cd0a4f48f06df2542e7c74dcbb4310bce7c4c
Author: Shane Lontis <shane.lontis at oracle.com>
Date:   Thu Sep 10 18:45:39 2020 +1000

    Fix coverity issue: CID 1466479 - Resource leak in apps/pkcs12.c
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/12847)

commit 97f7a6d42e9d2f38969aff75b0d8f00d934ac8cf
Author: Shane Lontis <shane.lontis at oracle.com>
Date:   Thu Sep 10 18:21:46 2020 +1000

    Fix coverity issue: CID 1466482 - Resource leak in OSSL_STORE_SEARCH_by_key_fingerprint()
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/12847)

commit 9951eaf467f8cc43ffad69222b42340c3b24cd52
Author: Shane Lontis <shane.lontis at oracle.com>
Date:   Thu Sep 10 18:19:13 2020 +1000

    Fix coverity issue: CID 1466483 - Improper use of Negative value in dh_ctrl.c
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/12847)

commit 0f0b7dfbe5740da9e3fdf4753f8fb56301af13b7
Author: Shane Lontis <shane.lontis at oracle.com>
Date:   Thu Sep 10 17:30:02 2020 +1000

    Fix coverity issue: CID 1466484 - Remove dead code in PKCS7_dataInit()
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/12847)

commit 6e417f951c64f4643cdc62c370badf46d5fe485e
Author: Shane Lontis <shane.lontis at oracle.com>
Date:   Thu Sep 10 17:22:40 2020 +1000

    Fix coverity issue: CID 1466485 - Explicit NULL dereference in OSSL_STORE_find()
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/12847)

commit 34816949460e7131af4de421806845be213354d4
Author: Shane Lontis <shane.lontis at oracle.com>
Date:   Thu Sep 10 16:40:24 2020 +1000

    Fix coverity issue: CID 1466486 - Resource leak in OSSL_STORE
    
    Note that although this is a false positive currently, it could become possible if any of the methods called
    change behaviour - so it is safer to add the fix than to ignore it. Added a simple test so that I could prove this was the case.
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/12847)

-----------------------------------------------------------------------

Summary of changes:
 apps/pkcs12.c                                      |  8 ++-
 crypto/dh/dh_ctrl.c                                |  3 +
 crypto/pkcs7/pk7_doit.c                            |  7 +-
 crypto/store/store_lib.c                           |  6 ++
 test/build.info                                    |  6 +-
 test/ossl_store_test.c                             | 84 ++++++++++++++++++++++
 .../{04-test_hexstring.t => 66-test_ossl_store.t}  | 10 ++-
 7 files changed, 111 insertions(+), 13 deletions(-)
 create mode 100644 test/ossl_store_test.c
 copy test/recipes/{04-test_hexstring.t => 66-test_ossl_store.t} (67%)

diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index f5bb18a8db..23ffa98f77 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -541,13 +541,15 @@ int pkcs12_main(int argc, char **argv)
             X509_STORE_free(store);
 
             if (vret == X509_V_OK) {
+                int add_certs;
                 /* Remove from chain2 the first (end entity) certificate */
                 X509_free(sk_X509_shift(chain2));
                 /* Add the remaining certs (except for duplicates) */
-                if (!X509_add_certs(certs, chain2, X509_ADD_FLAG_UP_REF
-                                    | X509_ADD_FLAG_NO_DUP))
-                    goto export_end;
+                add_certs = X509_add_certs(certs, chain2, X509_ADD_FLAG_UP_REF
+                                           | X509_ADD_FLAG_NO_DUP);
                 sk_X509_pop_free(chain2, X509_free);
+                if (!add_certs)
+                    goto export_end;
             } else {
                 if (vret != X509_V_ERR_UNSPECIFIED)
                     BIO_printf(bio_err, "Error getting chain: %s\n",
diff --git a/crypto/dh/dh_ctrl.c b/crypto/dh/dh_ctrl.c
index 6fddd271a8..0db5eba505 100644
--- a/crypto/dh/dh_ctrl.c
+++ b/crypto/dh/dh_ctrl.c
@@ -500,6 +500,9 @@ int EVP_PKEY_CTX_set0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int len)
     int ret;
     OSSL_PARAM params[2], *p = params;
 
+    if (len <= 0)
+        return -1;
+
     ret = dh_param_derive_check(ctx);
     if (ret != 1)
         return ret;
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index 6a7af7826d..c48c629398 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -316,17 +316,12 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
         fetched_cipher = EVP_CIPHER_fetch(p7_ctx->libctx,
                                           EVP_CIPHER_name(evp_cipher),
                                           p7_ctx->propq);
+        (void)ERR_pop_to_mark();
         if (fetched_cipher != NULL)
             cipher = fetched_cipher;
         else
             cipher = evp_cipher;
 
-        if (cipher == NULL) {
-            (void)ERR_clear_last_mark();
-            goto err;
-        }
-        (void)ERR_pop_to_mark();
-
         if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, 1) <= 0)
             goto err;
 
diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c
index 61558a9b6e..0f686fb119 100644
--- a/crypto/store/store_lib.c
+++ b/crypto/store/store_lib.c
@@ -178,6 +178,7 @@ OSSL_STORE_open_with_libctx(const char *uri,
     }
     OSSL_STORE_LOADER_free(fetched_loader);
     OPENSSL_free(propq_copy);
+    OPENSSL_free(ctx);
     return NULL;
 }
 
@@ -271,6 +272,10 @@ int OSSL_STORE_find(OSSL_STORE_CTX *ctx, const OSSL_STORE_SEARCH *search)
         ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_LOADING_STARTED);
         return 0;
     }
+    if (search == NULL) {
+        ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_PASSED_NULL_PARAMETER);
+        return 0;
+    }
 
     if (ctx->fetched_loader != NULL) {
         OSSL_PARAM_BLD *bld;
@@ -845,6 +850,7 @@ OSSL_STORE_SEARCH *OSSL_STORE_SEARCH_by_key_fingerprint(const EVP_MD *digest,
                        OSSL_STORE_R_FINGERPRINT_SIZE_DOES_NOT_MATCH_DIGEST,
                        "%s size is %d, fingerprint size is %zu",
                        EVP_MD_name(digest), EVP_MD_size(digest), len);
+        OPENSSL_free(search);
         return NULL;
     }
 
diff --git a/test/build.info b/test/build.info
index 7c80b16284..0b67d49b38 100644
--- a/test/build.info
+++ b/test/build.info
@@ -36,7 +36,7 @@ IF[{- !$disabled{tests} -}]
           destest mdc2test \
           exptest \
           evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \
-          evp_fetch_prov_test acvp_test evp_libctx_test \
+          evp_fetch_prov_test acvp_test evp_libctx_test ossl_store_test \
           v3nametest v3ext \
           evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \
           evp_fetch_prov_test v3nametest v3ext \
@@ -166,6 +166,10 @@ IF[{- !$disabled{tests} -}]
     DEPEND[acvp_test]=../libcrypto.a libtestutil.a
   ENDIF
 
+  SOURCE[ossl_store_test]=ossl_store_test.c
+  INCLUDE[ossl_store_test]=../include ../apps/include
+  DEPEND[ossl_store_test]=../libcrypto.a libtestutil.a
+
   SOURCE[provider_status_test]=provider_status_test.c
   INCLUDE[provider_status_test]=../include ../apps/include
   DEPEND[provider_status_test]=../libcrypto.a libtestutil.a
diff --git a/test/ossl_store_test.c b/test/ossl_store_test.c
new file mode 100644
index 0000000000..2ce7d51877
--- /dev/null
+++ b/test/ossl_store_test.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/store.h>
+#include <openssl/ui.h>
+#include "testutil.h"
+
+typedef enum OPTION_choice {
+    OPT_ERR = -1,
+    OPT_EOF = 0,
+    OPT_INFILE,
+    OPT_TEST_ENUM
+} OPTION_CHOICE;
+
+static const char *infile = NULL;
+
+static int test_store_open(void)
+{
+    int ret = 0;
+    OSSL_STORE_CTX *sctx = NULL;
+    OSSL_STORE_SEARCH *search = NULL;
+    UI_METHOD *ui_method = NULL;
+
+    ret = TEST_ptr(search = OSSL_STORE_SEARCH_by_alias("nothing"))
+          && TEST_ptr(ui_method= UI_create_method("DummyUI"))
+          && TEST_ptr(sctx = OSSL_STORE_open_with_libctx(infile, NULL, NULL,
+                                                         ui_method, NULL,
+                                                         NULL, NULL))
+          && TEST_false(OSSL_STORE_find(sctx, NULL))
+          && TEST_true(OSSL_STORE_find(sctx, search));
+    UI_destroy_method(ui_method);
+    OSSL_STORE_SEARCH_free(search);
+    OSSL_STORE_close(sctx);
+    return ret;
+}
+
+static int test_store_search_by_key_fingerprint_fail(void)
+{
+    int ret;
+    OSSL_STORE_SEARCH *search = NULL;
+
+    ret = TEST_ptr_null(search = OSSL_STORE_SEARCH_by_key_fingerprint(
+                                     EVP_sha256(), NULL, 0));
+    OSSL_STORE_SEARCH_free(search);
+    return ret;
+}
+
+const OPTIONS *test_get_options(void)
+{
+    static const OPTIONS test_options[] = {
+        OPT_TEST_OPTIONS_DEFAULT_USAGE,
+        { "in", OPT_INFILE, '<', },
+        { NULL }
+    };
+    return test_options;
+}
+
+int setup_tests(void)
+{
+    OPTION_CHOICE o;
+
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_INFILE:
+            infile = opt_arg();
+            break;
+        case OPT_TEST_CASES:
+           break;
+        default:
+        case OPT_ERR:
+            return 0;
+        }
+    }
+
+    ADD_TEST(test_store_open);
+    ADD_TEST(test_store_search_by_key_fingerprint_fail);
+    return 1;
+}
diff --git a/test/recipes/04-test_hexstring.t b/test/recipes/66-test_ossl_store.t
similarity index 67%
copy from test/recipes/04-test_hexstring.t
copy to test/recipes/66-test_ossl_store.t
index 664868fe60..634b0e76a8 100644
--- a/test/recipes/04-test_hexstring.t
+++ b/test/recipes/66-test_ossl_store.t
@@ -7,9 +7,13 @@
 # https://www.openssl.org/source/license.html
 
 use strict;
-use OpenSSL::Test;
+use warnings;
+
 use OpenSSL::Test::Simple;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_ossl_store");
 
-setup("test_hexstring");
+plan tests => 1;
 
-simple_test("test_hexstring", "hexstr_test");
+ok(run(test(["ossl_store_test", "-in", srctop_file("test", "testrsa.pem")])));


More information about the openssl-commits mailing list