[openssl] master update
Dr. Paul Dale
pauli at openssl.org
Tue Jun 8 09:34:33 UTC 2021
The branch master has been updated
via 69807ab8ed5d5b3b0bb59f418cb3a7658de005a3 (commit)
via cec8854cc90794a0696c518efabd90e0279658db (commit)
via 3f617061eceb2f33fb40682cc7b14cc4f9a2143f (commit)
via dacb0d8f79debfe6b47f4b17ed6a51449dd7e484 (commit)
via 9428977994921d23b6aabc047298db3c55867709 (commit)
via 0341ff9774283b85179bc07c0cfc80d6e547771e (commit)
via 042f8f70cb8fb21445ed20d07e2624d5a2bba4e4 (commit)
via b0a0ab07b4313cc893b17880b4399bdb804837c5 (commit)
via 6c1d17c802678364a8a8d7d69ee2aba2ac76a854 (commit)
via 37bbe449294b63f87b03e792cae465b0b095299a (commit)
from 95c8a5125207a62362345d85be77531ad9654edd (commit)
- Log -----------------------------------------------------------------
commit 69807ab8ed5d5b3b0bb59f418cb3a7658de005a3
Author: Pauli <pauli at openssl.org>
Date: Mon Jun 7 21:07:21 2021 +1000
evp: avoid some calls to EVP_CIPHER_CTX_get_iv_length() because it's been called already
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)
commit cec8854cc90794a0696c518efabd90e0279658db
Author: Pauli <pauli at openssl.org>
Date: Mon Jun 7 09:49:04 2021 +1000
evp: fix Coverity 1485670 argument cannot be negative
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)
commit 3f617061eceb2f33fb40682cc7b14cc4f9a2143f
Author: Pauli <pauli at openssl.org>
Date: Mon Jun 7 09:45:40 2021 +1000
evp: fix Coverity 1485669 improper use of negative value
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)
commit dacb0d8f79debfe6b47f4b17ed6a51449dd7e484
Author: Pauli <pauli at openssl.org>
Date: Mon Jun 7 09:42:54 2021 +1000
evp: fix Coverity 1485668 argument cannot be negative
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)
commit 9428977994921d23b6aabc047298db3c55867709
Author: Pauli <pauli at openssl.org>
Date: Mon Jun 7 09:39:55 2021 +1000
pkcs12: fix Coverity 1485667 logically dead code
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)
commit 0341ff9774283b85179bc07c0cfc80d6e547771e
Author: Pauli <pauli at openssl.org>
Date: Mon Jun 7 09:36:04 2021 +1000
evp: fix coverity 1485666 argument cannot be negative
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)
commit 042f8f70cb8fb21445ed20d07e2624d5a2bba4e4
Author: Pauli <pauli at openssl.org>
Date: Mon Jun 7 09:28:49 2021 +1000
evp: fix improper use of negative value issues
Coverity issues 1485662, 1485663 & 1485664.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)
commit b0a0ab07b4313cc893b17880b4399bdb804837c5
Author: Pauli <pauli at openssl.org>
Date: Mon Jun 7 09:26:42 2021 +1000
afalg: fix coverity 1485661 improper use of negative value
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)
commit 6c1d17c802678364a8a8d7d69ee2aba2ac76a854
Author: Pauli <pauli at openssl.org>
Date: Mon Jun 7 09:23:41 2021 +1000
fix coverity 1485660 improper use of negative value
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)
commit 37bbe449294b63f87b03e792cae465b0b095299a
Author: Pauli <pauli at openssl.org>
Date: Mon Jun 7 09:20:16 2021 +1000
bio: improve error checking fixing coverity 1485659 & 1485665
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15635)
-----------------------------------------------------------------------
Summary of changes:
crypto/evp/bio_ok.c | 8 ++++++--
crypto/evp/ctrl_params_translate.c | 4 ++++
crypto/evp/e_aes.c | 21 +++++++++++++++------
crypto/evp/e_aria.c | 7 ++++++-
crypto/evp/e_bf.c | 6 +++++-
crypto/evp/e_sm4.c | 7 ++++++-
crypto/evp/evp_enc.c | 15 +++++++++------
crypto/pkcs12/p12_mutl.c | 11 +++++------
engines/e_afalg.c | 7 ++++---
engines/e_padlock.c | 7 ++++++-
10 files changed, 66 insertions(+), 27 deletions(-)
diff --git a/crypto/evp/bio_ok.c b/crypto/evp/bio_ok.c
index 97641d11d1..97e67fcb68 100644
--- a/crypto/evp/bio_ok.c
+++ b/crypto/evp/bio_ok.c
@@ -483,9 +483,11 @@ static int sig_in(BIO *b)
void *md_data;
ctx = BIO_get_data(b);
- md = ctx->md;
+ if ((md = ctx->md) == NULL)
+ goto berr;
digest = EVP_MD_CTX_get0_md(md);
- md_size = EVP_MD_get_size(digest);
+ if ((md_size = EVP_MD_get_size(digest)) < 0)
+ goto berr;
md_data = EVP_MD_CTX_get0_md_data(md);
if ((int)(ctx->buf_len - ctx->buf_off) < 2 * md_size)
@@ -562,6 +564,8 @@ static int block_in(BIO *b)
ctx = BIO_get_data(b);
md = ctx->md;
md_size = EVP_MD_get_size(EVP_MD_CTX_get0_md(md));
+ if (md_size < 0)
+ goto berr;
assert(sizeof(tl) >= OK_BLOCK_BLOCK); /* always true */
tl = ctx->buf[0];
diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
index e289c7df7b..6998dcc6fc 100644
--- a/crypto/evp/ctrl_params_translate.c
+++ b/crypto/evp/ctrl_params_translate.c
@@ -1704,6 +1704,10 @@ static int get_ec_decoded_from_explicit_params(enum state state,
#ifndef OPENSSL_NO_EC
case EVP_PKEY_EC:
val = EC_KEY_decoded_from_explicit_params(EVP_PKEY_get0_EC_KEY(pkey));
+ if (val < 0) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY);
+ return 0;
+ }
break;
#endif
default:
diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index 2c2a4ba90c..6d5506056e 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -2516,9 +2516,14 @@ static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, size_t len)
{
- unsigned int num = EVP_CIPHER_CTX_get_num(ctx);
+ int n = EVP_CIPHER_CTX_get_num(ctx);
+ unsigned int num;
EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
+ if (n < 0)
+ return 0;
+ num = (unsigned int)n;
+
if (dat->stream.ctr)
CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
ctx->iv,
@@ -3550,21 +3555,25 @@ typedef struct {
static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
+ int len;
EVP_AES_WRAP_CTX *wctx = EVP_C_DATA(EVP_AES_WRAP_CTX,ctx);
- if (!iv && !key)
+
+ if (iv == NULL && key == NULL)
return 1;
- if (key) {
+ if (key != NULL) {
if (EVP_CIPHER_CTX_is_encrypting(ctx))
AES_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8,
&wctx->ks.ks);
else
AES_set_decrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8,
&wctx->ks.ks);
- if (!iv)
+ if (iv == NULL)
wctx->iv = NULL;
}
- if (iv) {
- memcpy(ctx->iv, iv, EVP_CIPHER_CTX_get_iv_length(ctx));
+ if (iv != NULL) {
+ if ((len = EVP_CIPHER_CTX_get_iv_length(ctx)) < 0)
+ return 0;
+ memcpy(ctx->iv, iv, len);
wctx->iv = ctx->iv;
}
return 1;
diff --git a/crypto/evp/e_aria.c b/crypto/evp/e_aria.c
index f53528ea5c..7e1fda33e1 100644
--- a/crypto/evp/e_aria.c
+++ b/crypto/evp/e_aria.c
@@ -175,9 +175,14 @@ const EVP_CIPHER *EVP_aria_##keylen##_##mode(void) \
static int aria_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, size_t len)
{
- unsigned int num = EVP_CIPHER_CTX_get_num(ctx);
+ int n = EVP_CIPHER_CTX_get_num(ctx);
+ unsigned int num;
EVP_ARIA_KEY *dat = EVP_C_DATA(EVP_ARIA_KEY, ctx);
+ if (n < 0)
+ return 0;
+ num = (unsigned int)n;
+
CRYPTO_ctr128_encrypt(in, out, len, &dat->ks, ctx->iv,
EVP_CIPHER_CTX_buf_noconst(ctx), &num,
(block128_f) ossl_aria_encrypt);
diff --git a/crypto/evp/e_bf.c b/crypto/evp/e_bf.c
index 734e77f0a9..e3ff568757 100644
--- a/crypto/evp/e_bf.c
+++ b/crypto/evp/e_bf.c
@@ -38,7 +38,11 @@ IMPLEMENT_BLOCK_CIPHER(bf, ks, BF, EVP_BF_KEY, NID_bf, 8, 16, 8, 64,
static int bf_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
- BF_set_key(&data(ctx)->ks, EVP_CIPHER_CTX_get_key_length(ctx), key);
+ int len = EVP_CIPHER_CTX_get_key_length(ctx);
+
+ if (len < 0)
+ return 0;
+ BF_set_key(&data(ctx)->ks, len, key);
return 1;
}
diff --git a/crypto/evp/e_sm4.c b/crypto/evp/e_sm4.c
index 39bec569f7..abd603015c 100644
--- a/crypto/evp/e_sm4.c
+++ b/crypto/evp/e_sm4.c
@@ -74,9 +74,14 @@ IMPLEMENT_BLOCK_CIPHER(sm4, ks, sm4, EVP_SM4_KEY, NID_sm4,
static int sm4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, size_t len)
{
- unsigned int num = EVP_CIPHER_CTX_get_num(ctx);
+ int n = EVP_CIPHER_CTX_get_num(ctx);
+ unsigned int num;
EVP_SM4_KEY *dat = EVP_C_DATA(EVP_SM4_KEY, ctx);
+ if (n < 0)
+ return 0;
+ num = (unsigned int)n;
+
CRYPTO_ctr128_encrypt(in, out, len, &dat->ks, ctx->iv,
EVP_CIPHER_CTX_buf_noconst(ctx), &num,
(block128_f)ossl_sm4_encrypt);
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index f39e9b8c90..5188e73602 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -344,16 +344,19 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
n = EVP_CIPHER_CTX_get_iv_length(ctx);
if (!ossl_assert(n >= 0 && n <= (int)sizeof(ctx->iv)))
return 0;
- if (iv)
- memcpy(ctx->oiv, iv, EVP_CIPHER_CTX_get_iv_length(ctx));
- memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_get_iv_length(ctx));
+ if (iv != NULL)
+ memcpy(ctx->oiv, iv, n);
+ memcpy(ctx->iv, ctx->oiv, n);
break;
case EVP_CIPH_CTR_MODE:
ctx->num = 0;
/* Don't reuse IV for CTR mode */
- if (iv)
- memcpy(ctx->iv, iv, EVP_CIPHER_CTX_get_iv_length(ctx));
+ if (iv != NULL) {
+ if ((n = EVP_CIPHER_CTX_get_iv_length(ctx)) <= 0)
+ return 0;
+ memcpy(ctx->iv, iv, n);
+ }
break;
default:
@@ -361,7 +364,7 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
}
}
- if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
+ if (key != NULL || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
if (!ctx->cipher->init(ctx, key, iv, enc))
return 0;
}
diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index 88655651a0..afdb8d688b 100644
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -249,23 +249,22 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
return 0;
}
}
- if (!saltlen)
+ if (saltlen == 0)
saltlen = PKCS12_SALT_LEN;
- if (saltlen < 0)
+ else if (saltlen < 0)
return 0;
if ((p12->mac->salt->data = OPENSSL_malloc(saltlen)) == NULL) {
ERR_raise(ERR_LIB_PKCS12, ERR_R_MALLOC_FAILURE);
return 0;
}
p12->mac->salt->length = saltlen;
- if (!salt) {
- if (saltlen < 0)
- return 0;
+ if (salt == NULL) {
if (RAND_bytes_ex(p12->authsafes->ctx.libctx, p12->mac->salt->data,
(size_t)saltlen, 0) <= 0)
return 0;
- } else
+ } else {
memcpy(p12->mac->salt->data, salt, saltlen);
+ }
X509_SIG_getm(p12->mac->dinfo, &macalg, NULL);
if (!X509_ALGOR_set0(macalg, OBJ_nid2obj(EVP_MD_get_type(md_type)),
V_ASN1_NULL, NULL)) {
diff --git a/engines/e_afalg.c b/engines/e_afalg.c
index 93b3b3f02e..f36665acf6 100644
--- a/engines/e_afalg.c
+++ b/engines/e_afalg.c
@@ -544,7 +544,7 @@ static int afalg_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
int ciphertype;
- int ret;
+ int ret, len;
afalg_ctx *actx;
const char *ciphername;
@@ -588,8 +588,9 @@ static int afalg_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
if (ret < 1)
return 0;
-
- ret = afalg_set_key(actx, key, EVP_CIPHER_CTX_get_key_length(ctx));
+ if ((len = EVP_CIPHER_CTX_get_key_length(ctx)) <= 0)
+ goto err;
+ ret = afalg_set_key(actx, key, len);
if (ret < 1)
goto err;
diff --git a/engines/e_padlock.c b/engines/e_padlock.c
index a22fc476e6..5662bf5b50 100644
--- a/engines/e_padlock.c
+++ b/engines/e_padlock.c
@@ -457,7 +457,12 @@ padlock_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
const unsigned char *in_arg, size_t nbytes)
{
struct padlock_cipher_data *cdata = ALIGNED_CIPHER_DATA(ctx);
- unsigned int num = EVP_CIPHER_CTX_get_num(ctx);
+ int n = EVP_CIPHER_CTX_get_num(ctx);
+ unsigned int num;
+
+ if (n < 0)
+ return 0;
+ num = (unsigned int)n;
CRYPTO_ctr128_encrypt_ctr32(in_arg, out_arg, nbytes,
cdata, EVP_CIPHER_CTX_iv_noconst(ctx),
More information about the openssl-commits
mailing list