[openssl] OpenSSL_1_1_1-stable update
bernd.edlinger at hotmail.de
Fri Oct 1 18:41:25 UTC 2021
The branch OpenSSL_1_1_1-stable has been updated
via 1be120ac5bf613a7277250b6e73f3c60adad4517 (commit)
from c23abef43ef482e129f440d40c98eb6d3a094e2b (commit)
- Log -----------------------------------------------------------------
commit 1be120ac5bf613a7277250b6e73f3c60adad4517
Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
Date: Thu Sep 30 17:18:44 2021 +0200
Fix a NPD bug in engines/e_dasync.c
The dasync_aes_128_cbc_hmac_sha1 cipher depends on
EVP_aes_128_cbc_hmac_sha1() returning a NON-NULL value.
We should simply not advertise this cipher otherwise.
Fixes: #7950
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16722)
-----------------------------------------------------------------------
Summary of changes:
engines/e_dasync.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/engines/e_dasync.c b/engines/e_dasync.c
index 5cdacb66a0..07793037df 100644
--- a/engines/e_dasync.c
+++ b/engines/e_dasync.c
@@ -182,8 +182,8 @@ static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
const int **nids, int nid);
static int dasync_cipher_nids[] = {
- NID_aes_128_cbc,
NID_aes_128_cbc_hmac_sha1,
+ NID_aes_128_cbc,
0
};
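Review bot: The order of dasync_cipher_nids is now load-bearing and nothing at the array says so. The third hunk skips the unavailable cipher with `*nids = dasync_cipher_nids + 1;`, which is only correct while NID_aes_128_cbc_hmac_sha1 stays at index 0. Add a comment above the first entry stating that requirement, so a later reordering or insertion does not bring back advertising a cipher that has no implementation.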
@@ -264,6 +264,7 @@ static int bind_dasync(ENGINE *e)
16 /* block size */,
16 /* key len */);
if (_hidden_aes_128_cbc_hmac_sha1 == NULL
+ || EVP_aes_128_cbc_hmac_sha1() == NULL
|| !EVP_CIPHER_meth_set_iv_length(_hidden_aes_128_cbc_hmac_sha1,16)
|| !EVP_CIPHER_meth_set_flags(_hidden_aes_128_cbc_hmac_sha1,
EVP_CIPH_CBC_MODE
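Review bot: The added `|| EVP_aes_128_cbc_hmac_sha1() == NULL` term shares one condition with the EVP_CIPHER_meth_set_* failures, so a platform where the underlying cipher is simply unavailable takes the same branch as a genuine setup error. A short comment on that line saying that NULL here means "not supported, do not advertise" rather than a failure would make the intent clear. It is also worth confirming that the branch body, which is not visible in this hunk, frees the method and leaves _hidden_aes_128_cbc_hmac_sha1 NULL, because the new check in dasync_ciphers depends on dasync_aes_128_cbc_hmac_sha1() returning NULL in that case.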
@@ -371,6 +372,10 @@ static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
int ok = 1;
if (cipher == NULL) {
/* We are returning a list of supported nids */
+ if (dasync_aes_128_cbc_hmac_sha1() == NULL) {
+ *nids = dasync_cipher_nids + 1;
+ return 1;
+ }
*nids = dasync_cipher_nids;
return (sizeof(dasync_cipher_nids) -
1) / sizeof(dasync_cipher_nids[0]);
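Review bot: In the new early return the count is the literal `return 1;`, while the normal path derives it from sizeof(dasync_cipher_nids). If another NID is ever appended to the array, the fallback will silently advertise only one cipher. Derive the fallback count from the same sizeof expression minus one, so the two return paths cannot drift apart.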