[openssl] OpenSSL_1_1_1-stable update

bernd.edlinger at hotmail.de bernd.edlinger at hotmail.de
Thu Oct 7 14:04:11 UTC 2021 

The branch OpenSSL_1_1_1-stable has been updated
       via  503eb0e108ca5819dacd5ae171aedd37268654d9 (commit)
      from  2fd9c433712a08474af071cef538ffcd94dc4b57 (commit)


- Log -----------------------------------------------------------------
commit 503eb0e108ca5819dacd5ae171aedd37268654d9
Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
Date:   Wed Oct 6 09:23:17 2021 +0200

    Fix some possible memory leaks in EVP_CipherInit_ex
    
    An EVP_CONTEXT with zero cipher but non-zero engine,
    and/or cipher_data is possible if an error happens
    in EVP_CTRL_INIT or in EVP_CTRL_COPY, the error handling
    will just clear the cipher in that case.
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16756)

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/evp_enc.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index e3c165d48e..d835968f25 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -85,7 +85,11 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
          * previous check attempted to avoid this if the same ENGINE and
          * EVP_CIPHER could be used).
          */
-        if (ctx->cipher) {
+        if (ctx->cipher
+#ifndef OPENSSL_NO_ENGINE
+                || ctx->engine
+#endif
+                || ctx->cipher_data) {
             unsigned long flags = ctx->flags;
             EVP_CIPHER_CTX_reset(ctx);
             /* Restore encrypt and flags */
@@ -105,11 +109,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
             /* There's an ENGINE for this job ... (apparently) */
             const EVP_CIPHER *c = ENGINE_get_cipher(impl, cipher->nid);
             if (!c) {
-                /*
-                 * One positive side-effect of US's export control history,
-                 * is that we should at least be able to avoid using US
-                 * misspellings of "initialisation"?
-                 */
+                ENGINE_finish(impl);
                 EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
                 return 0;
             }

More information about the openssl-commits mailing list