[openssl] master update
Dr. Paul Dale
pauli at openssl.org
Tue May 18 03:26:43 UTC 2021
The branch master has been updated
via a94d62ab23e95630c156d00342ee9c3cf2e59515 (commit)
via 4547a71930a27fca9ae62c38962d6dc67ee0b4bf (commit)
via 678d0dba6cdcae7dd742d4d0d65da101e9ada1d2 (commit)
via 84c5ad23e13a95d962fe52a5aeb23c0c525f0166 (commit)
via 3c18459235331e0562cfd2a9de5ab87040bf55f2 (commit)
via 634da876e0d6d95a23c5d005b1ac4354a04310d2 (commit)
via cef71ebb5c757bafd15926dd6f6f2a2779b9d71a (commit)
from c9cddf05424c3292956123e7fa4c16cb80867b3f (commit)
- Log -----------------------------------------------------------------
commit a94d62ab23e95630c156d00342ee9c3cf2e59515
Author: Pauli <pauli at openssl.org>
Date: Mon May 17 18:16:28 2021 +1000
apps: use else if when checking for headers in the http server code
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15300)
commit 4547a71930a27fca9ae62c38962d6dc67ee0b4bf
Author: Pauli <pauli at openssl.org>
Date: Mon May 17 12:18:53 2021 +1000
seal: make EVP_SealInit() library context aware
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15300)
commit 678d0dba6cdcae7dd742d4d0d65da101e9ada1d2
Author: Pauli <pauli at openssl.org>
Date: Mon May 17 09:45:33 2021 +1000
hmac: fix coverity 1484888 negative integer to size_t conversion
More theoretical than real but easy and cheap to check for.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15300)
commit 84c5ad23e13a95d962fe52a5aeb23c0c525f0166
Author: Pauli <pauli at openssl.org>
Date: Mon May 17 09:42:42 2021 +1000
keymgmt: fix coverity 1484886 unchecked return value
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15300)
commit 3c18459235331e0562cfd2a9de5ab87040bf55f2
Author: Pauli <pauli at openssl.org>
Date: Mon May 17 09:38:29 2021 +1000
evp: fix coverity 1484885 negative integer to size_t conversion
Theoretically, the IV length can come back negative which would explode.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15300)
commit 634da876e0d6d95a23c5d005b1ac4354a04310d2
Author: Pauli <pauli at openssl.org>
Date: Mon May 17 09:33:10 2021 +1000
provider: fix coverity 1484884: uninitialised lock use
This actually fixes a more subtle problem that wasn't detected which could
cause memory leaks.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15300)
commit cef71ebb5c757bafd15926dd6f6f2a2779b9d71a
Author: Pauli <pauli at openssl.org>
Date: Mon May 17 09:26:48 2021 +1000
apps: clean up the http server code
Clean up some of the null checking in the http server code.
This also "fixes" the false positive from coverity CID 1484883.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15300)
-----------------------------------------------------------------------
Summary of changes:
apps/lib/http_server.c | 43 +++++++++++++---------------
crypto/evp/p_seal.c | 22 ++++++++++----
crypto/hmac/hmac.c | 5 +++-
crypto/provider_core.c | 2 +-
providers/implementations/keymgmt/ec_kmgmt.c | 7 +++--
test/evp_extra_test.c | 18 +++++++++---
6 files changed, 59 insertions(+), 38 deletions(-)
diff --git a/apps/lib/http_server.c b/apps/lib/http_server.c
index ae33632598..e7e84fa4c5 100644
--- a/apps/lib/http_server.c
+++ b/apps/lib/http_server.c
@@ -433,36 +433,33 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
key = inbuf;
value = strchr(key, ':');
- if (value != NULL) {
- *(value++) = '\0';
- while (*value == ' ')
- value++;
- line_end = strchr(value, '\r');
- if (line_end == NULL)
- line_end = strchr(value, '\n');
- if (line_end != NULL)
- *line_end = '\0';
- } else {
+ if (value == NULL) {
log_message(prog, LOG_WARNING,
"Error parsing HTTP header: missing ':'");
(void)http_server_send_status(cbio, 400, "Bad Request");
goto out;
}
- if (value != NULL && line_end != NULL) {
- /* https://tools.ietf.org/html/rfc7230#section-6.3 Persistence */
- if (found_keep_alive != NULL && strcasecmp(key, "Connection") == 0) {
- if (strcasecmp(value, "keep-alive") == 0)
- *found_keep_alive = 1;
- if (strcasecmp(value, "close") == 0)
- *found_keep_alive = 0;
+ *(value++) = '\0';
+ while (*value == ' ')
+ value++;
+ line_end = strchr(value, '\r');
+ if (line_end == NULL) {
+ line_end = strchr(value, '\n');
+ if (line_end == NULL) {
+ log_message(prog, LOG_WARNING,
+ "Error parsing HTTP header: missing end of line");
+ (void)http_server_send_status(cbio, 400, "Bad Request");
+ goto out;
}
- } else {
- log_message(prog, LOG_WARNING,
- "Error parsing HTTP header: missing end of line");
- (void)http_server_send_status(cbio, 400, "Bad Request");
- goto out;
}
-
+ *line_end = '\0';
+ /* https://tools.ietf.org/html/rfc7230#section-6.3 Persistence */
+ if (found_keep_alive != NULL && strcasecmp(key, "Connection") == 0) {
+ if (strcasecmp(value, "keep-alive") == 0)
+ *found_keep_alive = 1;
+ else if (strcasecmp(value, "close") == 0)
+ *found_keep_alive = 0;
+ }
}
# ifdef HTTP_DAEMON
diff --git a/crypto/evp/p_seal.c b/crypto/evp/p_seal.c
index 36900e0352..76d3278b8c 100644
--- a/crypto/evp/p_seal.c
+++ b/crypto/evp/p_seal.c
@@ -9,6 +9,7 @@
#include <stdio.h>
#include "internal/cryptlib.h"
+#include "internal/provider.h"
#include <openssl/rand.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>
@@ -20,7 +21,10 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
EVP_PKEY **pubk, int npubk)
{
unsigned char key[EVP_MAX_KEY_LENGTH];
- int i;
+ const OSSL_PROVIDER *prov = EVP_CIPHER_provider(type);
+ OSSL_LIB_CTX *libctx = prov != NULL ? ossl_provider_libctx(prov) : NULL;
+ EVP_PKEY_CTX *pctx = NULL;
+ int i, len;
int rv = 0;
if (type) {
@@ -34,18 +38,22 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0)
return 0;
- if (EVP_CIPHER_CTX_iv_length(ctx)
- && RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0)
+ len = EVP_CIPHER_CTX_iv_length(ctx);
+ if (len < 0 || RAND_priv_bytes_ex(libctx, iv, len) <= 0)
+ goto err;
+
+ len = EVP_CIPHER_CTX_key_length(ctx);
+ if (len < 0)
goto err;
if (!EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
goto err;
for (i = 0; i < npubk; i++) {
- size_t keylen = EVP_CIPHER_CTX_key_length(ctx);
- EVP_PKEY_CTX *pctx = NULL;
+ size_t keylen = len;
- if ((pctx = EVP_PKEY_CTX_new(pubk[i], NULL)) == NULL) {
+ pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pubk[i], NULL);
+ if (pctx == NULL) {
ERR_raise(ERR_LIB_EVP, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -56,8 +64,10 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
ekl[i] = (int)keylen;
EVP_PKEY_CTX_free(pctx);
}
+ pctx = NULL;
rv = npubk;
err:
+ EVP_PKEY_CTX_free(pctx);
OPENSSL_cleanse(key, sizeof(key));
return rv;
}
diff --git a/crypto/hmac/hmac.c b/crypto/hmac/hmac.c
index 6d142f2cbb..f800cb8f89 100644
--- a/crypto/hmac/hmac.c
+++ b/crypto/hmac/hmac.c
@@ -221,10 +221,13 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
unsigned char *md, unsigned int *md_len)
{
static unsigned char static_md[EVP_MAX_MD_SIZE];
+ int size = EVP_MD_size(evp_md);
+ if (size < 0)
+ return NULL;
return EVP_Q_mac(NULL, "HMAC", NULL, EVP_MD_name(evp_md), NULL,
key, key_len, data, data_len,
- md == NULL ? static_md : md, EVP_MD_size(evp_md), md_len);
+ md == NULL ? static_md : md, size, md_len);
}
void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
diff --git a/crypto/provider_core.c b/crypto/provider_core.c
index b384f74fd2..9d5248de0d 100644
--- a/crypto/provider_core.c
+++ b/crypto/provider_core.c
@@ -306,7 +306,6 @@ static OSSL_PROVIDER *provider_new(const char *name,
#ifndef HAVE_ATOMICS
|| (prov->refcnt_lock = CRYPTO_THREAD_lock_new()) == NULL
#endif
- || !ossl_provider_up_ref(prov) /* +1 One reference to be returned */
|| (prov->opbits_lock = CRYPTO_THREAD_lock_new()) == NULL
|| (prov->flag_lock = CRYPTO_THREAD_lock_new()) == NULL
|| (prov->name = OPENSSL_strdup(name)) == NULL) {
@@ -315,6 +314,7 @@ static OSSL_PROVIDER *provider_new(const char *name,
return NULL;
}
+ prov->refcnt = 1; /* 1 One reference to be returned */
prov->init_function = init_function;
#ifndef FIPS_MODULE
prov->flag_couldbechild = 1;
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index 2673619ef4..e901275ce2 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -255,9 +255,10 @@ int otherparams_to_params(const EC_KEY *ec, OSSL_PARAM_BLD *tmpl,
name))
return 0;
- if ((EC_KEY_get_enc_flags(ec) & EC_PKEY_NO_PUBKEY) != 0)
- ossl_param_build_set_int(tmpl, params,
- OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC, 0);
+ if ((EC_KEY_get_enc_flags(ec) & EC_PKEY_NO_PUBKEY) != 0
+ && !ossl_param_build_set_int(tmpl, params,
+ OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC, 0))
+ return 0;
ecdh_cofactor_mode =
(EC_KEY_get_flags(ec) & EC_FLAG_COFACTOR_ECDH) ? 1 : 0;
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 56522e4af9..10ab4bfc9e 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -818,7 +818,11 @@ static int test_EC_priv_only_legacy(void)
# endif /* OPENSSL_NO_DEPRECATED_3_0 */
#endif /* OPENSSL_NO_EC */
-static int test_EVP_Enveloped(void)
+/*
+ * n = 0 => test using legacy cipher
+ * n = 1 => test using fetched cipher
+ */
+static int test_EVP_Enveloped(int n)
{
int ret = 0;
EVP_CIPHER_CTX *ctx = NULL;
@@ -828,12 +832,16 @@ static int test_EVP_Enveloped(void)
static const unsigned char msg[] = { 1, 2, 3, 4, 5, 6, 7, 8 };
int len, kek_len, ciphertext_len, plaintext_len;
unsigned char ciphertext[32], plaintext[16];
- const EVP_CIPHER *type = NULL;
+ EVP_CIPHER *type = NULL;
if (nullprov != NULL)
return TEST_skip("Test does not support a non-default library context");
- type = EVP_aes_256_cbc();
+ if (n == 0)
+ type = (EVP_CIPHER *)EVP_aes_256_cbc();
+ else if (!TEST_ptr(type = EVP_CIPHER_fetch(testctx, "AES-256-CBC",
+ testpropq)))
+ goto err;
if (!TEST_ptr(keypair = load_example_rsa_key())
|| !TEST_ptr(kek = OPENSSL_zalloc(EVP_PKEY_size(keypair)))
@@ -860,6 +868,8 @@ static int test_EVP_Enveloped(void)
ret = 1;
err:
+ if (n != 0)
+ EVP_CIPHER_free(type);
OPENSSL_free(kek);
EVP_PKEY_free(keypair);
EVP_CIPHER_CTX_free(ctx);
@@ -2925,7 +2935,7 @@ int setup_tests(void)
ADD_ALL_TESTS(test_EVP_DigestSignInit, 9);
ADD_TEST(test_EVP_DigestVerifyInit);
ADD_TEST(test_EVP_Digest);
- ADD_TEST(test_EVP_Enveloped);
+ ADD_ALL_TESTS(test_EVP_Enveloped, 2);
ADD_ALL_TESTS(test_d2i_AutoPrivateKey, OSSL_NELEM(keydata));
ADD_TEST(test_privatekey_to_pkcs8);
ADD_TEST(test_EVP_PKCS82PKEY_wrong_tag);
More information about the openssl-commits
mailing list