[openssl] master update
Dr. Paul Dale
pauli at openssl.org
Tue Apr 20 23:18:27 UTC 2021
The branch master has been updated
via 6bcbc3698557739da03495920a57be4ffe219fa4 (commit)
via efe8d69daa1a68be0a7f0f73220947c848e7ed1d (commit)
via db78c84eb2fa9c41124690bcc2ea50e05f5fc7b7 (commit)
via b06450bcf763735a89b65ca3ec176600fe7fceed (commit)
from 4ecb19d1092d6db1397aa24512996f98f8e5e268 (commit)
- Log -----------------------------------------------------------------
commit 6bcbc3698557739da03495920a57be4ffe219fa4
Author: Pauli <pauli at openssl.org>
Date: Mon Apr 19 08:59:37 2021 +1000
test: fix double free problems.
In function test_EVP_PKEY_ffc_priv_pub, params is freed via OSSL_PARAM_free() at line 577.
If the condition at line 581 is true, the execution will goto err, and params will be freed again at line 630.
The same problem also happens at line 593 and line 609, which causes two double free bugs.
Bugs reported by @Yunlongs
Fixes 14916
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)
commit efe8d69daa1a68be0a7f0f73220947c848e7ed1d
Author: Pauli <pauli at openssl.org>
Date: Mon Apr 19 08:57:18 2021 +1000
engine: fix double free on error path.
In function try_decode_PKCS8Encrypted, p8 is freed via X509_SIG_free() at line 481.
If function new_EMBEDDED() returns a null pointer at line 483, the execution will goto nop8.
In the nop8 branch, p8 is freed again at line 491.
Bug reported by @Yunlongs
Fixes #14915
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)
commit db78c84eb2fa9c41124690bcc2ea50e05f5fc7b7
Author: Pauli <pauli at openssl.org>
Date: Mon Apr 19 08:55:37 2021 +1000
ts: fix double free on error path.
In function int_ts_RESP_verify_token, if (flags & TS_VFY_DATA) is true, function ts_compute_imprint() will be called at line 299.
In the implementation of ts_compute_imprint, it allocates md_alg at line 406.
But after the allocation, if the execution goto err, then md_alg will be freed in the first time by X509_ALGOR_free at line 439.
After that, ts_compute_imprint returns 0 and the execution goto err branch of int_ts_RESP_verify_token.
In the err branch, md_alg will be freed in the second time at line 320.
Bug reported by @Yunlongs
Fixes #14914
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)
commit b06450bcf763735a89b65ca3ec176600fe7fceed
Author: Pauli <pauli at openssl.org>
Date: Mon Apr 19 08:51:38 2021 +1000
srp: fix double free,
In function SRP_create_verifier_ex, it calls SRP_create_verifier_BN_ex(..., &v, ..) at line 653.
In the implementation of SRP_create_verifier_BN_ex(), *verify (which is the paremeter of v) is allocated a pointer via BN_new() at line 738.
And *verify is freed via BN_clear_free() at line 743, and return 0.
Then the execution continues up to goto err at line 655, and the freed v is freed again at line 687.
Bug reported by @Yunlongs
Fixes #14913
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)
-----------------------------------------------------------------------
Summary of changes:
crypto/srp/srp_vfy.c | 11 ++++++-----
crypto/ts/ts_rsp_verify.c | 1 +
engines/e_loader_attic.c | 1 +
test/evp_extra_test.c | 3 +++
4 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
index 0693a23be0..2c2ec11cd4 100644
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -712,7 +712,7 @@ int SRP_create_verifier_BN_ex(const char *user, const char *pass, BIGNUM **salt,
BIGNUM *x = NULL;
BN_CTX *bn_ctx = BN_CTX_new_ex(libctx);
unsigned char tmp2[MAX_LEN];
- BIGNUM *salttmp = NULL;
+ BIGNUM *salttmp = NULL, *verif;
if ((user == NULL) ||
(pass == NULL) ||
@@ -735,17 +735,18 @@ int SRP_create_verifier_BN_ex(const char *user, const char *pass, BIGNUM **salt,
if (x == NULL)
goto err;
- *verifier = BN_new();
- if (*verifier == NULL)
+ verif = BN_new();
+ if (verif == NULL)
goto err;
- if (!BN_mod_exp(*verifier, g, x, N, bn_ctx)) {
- BN_clear_free(*verifier);
+ if (!BN_mod_exp(verif, g, x, N, bn_ctx)) {
+ BN_clear_free(verif);
goto err;
}
result = 1;
*salt = salttmp;
+ *verifier = verif;
err:
if (salt != NULL && *salt != salttmp)
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index 89428cdf54..f307e29fda 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -437,6 +437,7 @@ static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
err:
EVP_MD_CTX_free(md_ctx);
X509_ALGOR_free(*md_alg);
+ *md_alg = NULL;
OPENSSL_free(*imprint);
*imprint_len = 0;
*imprint = 0;
diff --git a/engines/e_loader_attic.c b/engines/e_loader_attic.c
index 3ec31f8fc7..802b3d9067 100644
--- a/engines/e_loader_attic.c
+++ b/engines/e_loader_attic.c
@@ -479,6 +479,7 @@ static OSSL_STORE_INFO *try_decode_PKCS8Encrypted(const char *pem_name,
mem->data = (char *)new_data;
mem->max = mem->length = (size_t)new_data_len;
X509_SIG_free(p8);
+ p8 = NULL;
store_info = new_EMBEDDED(PEM_STRING_PKCS8INF, mem);
if (store_info == NULL) {
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 6140e16e26..a290878a7d 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -575,6 +575,7 @@ static int test_EVP_PKEY_ffc_priv_pub(char *keytype)
if (!test_fromdata(keytype, params))
goto err;
OSSL_PARAM_free(params);
+ params = NULL;
OSSL_PARAM_BLD_free(bld);
/* Test priv and !pub */
@@ -591,6 +592,7 @@ static int test_EVP_PKEY_ffc_priv_pub(char *keytype)
if (!test_fromdata(keytype, params))
goto err;
OSSL_PARAM_free(params);
+ params = NULL;
OSSL_PARAM_BLD_free(bld);
/* Test !priv and pub */
@@ -607,6 +609,7 @@ static int test_EVP_PKEY_ffc_priv_pub(char *keytype)
if (!test_fromdata(keytype, params))
goto err;
OSSL_PARAM_free(params);
+ params = NULL;
OSSL_PARAM_BLD_free(bld);
/* Test priv and pub */
More information about the openssl-commits
mailing list