[openssl/openssl] 25d47c: Fix usage of custom EVP_CIPHER objects

Matt Caswell noreply at github.com
Mon Oct 3 14:10:37 UTC 2022


  Branch: refs/heads/master
  Home:   https://github.com/openssl/openssl
  Commit: 25d47cccf203c3b71171e78865e48ea061a039a8
      https://github.com/openssl/openssl/commit/25d47cccf203c3b71171e78865e48ea061a039a8
  Author: Matt Caswell <matt at openssl.org>
  Date:   2022-10-03 (Mon, 03 Oct 2022)

  Changed paths:
    M crypto/evp/digest.c
    M crypto/evp/evp_enc.c

  Log Message:
  -----------
  Fix usage of custom EVP_CIPHER objects

If a custom EVP_CIPHER object has been passed to EVP_CipherInit() then it
should be used in preference to a fetched cipher.

We also fix a possible NULL pointer deref in the same code for digests.

If the custom cipher passed to EVP_CipherInit() happens to use NID_undef
(which should be a discouraged practice), then in the previous
implementation this could result in the NULL cipher being fetched and
hence NULL encryption being unexpectedly used.

CVE-2022-3358

Fixes #18970

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19300)


  Commit: f817a7439eaa705429cf699dd0485e665b0ffc49
      https://github.com/openssl/openssl/commit/f817a7439eaa705429cf699dd0485e665b0ffc49
  Author: Matt Caswell <matt at openssl.org>
  Date:   2022-10-03 (Mon, 03 Oct 2022)

  Changed paths:
    M crypto/evp/evp_enc.c

  Log Message:
  -----------
  Ensure we call the cleanup() function when cleaning an EVP_CIPHER_CTX

In some circumstances we were not calling the cleanup() function to
remove cipher specific data from an EVP_CIPHER_CTX.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19300)


  Commit: 8c7d847e2e6ac6bfded210c19fd8461254bb2be3
      https://github.com/openssl/openssl/commit/8c7d847e2e6ac6bfded210c19fd8461254bb2be3
  Author: Matt Caswell <matt at openssl.org>
  Date:   2022-10-03 (Mon, 03 Oct 2022)

  Changed paths:
    M test/evp_extra_test.c

  Log Message:
  -----------
  Test usage of a custom EVP_CIPHER

Test that a custom EVP_CIPHER gets used in EVP_CipherInit_ex() calls.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19300)
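The following is an added illustration of the failure mode the first commit message describes (a custom cipher carrying NID_undef resolving to the NULL cipher) and of the check the third commit's test performs (that the object the caller passed is the one the context uses). It is a constructed model written for this page, not OpenSSL's code; `MODEL_CIPHER`, `fetch_by_nid`, `select_cipher_old`, `select_cipher_fixed`, `encrypt_with_policy`, `ctx_uses_caller_cipher` and `NID_toy_xor` are hypothetical names. The model keeps only one property of the real library: a lookup keyed by NID in which NID_undef (0) resolves to the NULL (identity) cipher.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model, not OpenSSL's code. A cipher is selected either by
 * re-fetching it from a NID-keyed table (old policy) or by using the
 * caller-supplied object as given when it is custom (fixed policy).
 */

#define NID_undef   0
#define NID_toy_xor 1001   /* hypothetical NID for the custom cipher */

typedef struct model_cipher_st {
    const char *name;
    int nid;
    int is_custom;   /* 1 if supplied by the application rather than fetched */
    /* In-place transform of buf; the NULL cipher leaves it unchanged. */
    void (*do_cipher)(unsigned char *buf, size_t len);
} MODEL_CIPHER;

static void null_do_cipher(unsigned char *buf, size_t len)
{
    (void)buf; (void)len;    /* NULL cipher: plaintext passes through */
}

static void xor_do_cipher(unsigned char *buf, size_t len)
{
    /* Toy transform, only so "encrypted" output differs from the plaintext. */
    for (size_t i = 0; i < len; i++)
        buf[i] ^= 0x5A;
}

static const MODEL_CIPHER null_cipher = { "NULL", NID_undef, 0, null_do_cipher };

/* Table lookup by NID; NID_undef maps to the NULL cipher, nothing else is modelled. */
static const MODEL_CIPHER *fetch_by_nid(int nid)
{
    if (nid == NID_undef)
        return &null_cipher;
    return NULL;             /* no implementation registered for that NID */
}

/* Pre-fix behaviour (modelled): always re-fetch by NID, even for a custom object. */
static const MODEL_CIPHER *select_cipher_old(const MODEL_CIPHER *passed)
{
    return fetch_by_nid(passed->nid);
}

/* Fixed behaviour (modelled): a custom object is used in preference to a fetch. */
static const MODEL_CIPHER *select_cipher_fixed(const MODEL_CIPHER *passed)
{
    if (passed->is_custom)
        return passed;
    return fetch_by_nid(passed->nid);
}

/*
 * Run one init+encrypt under the given selection policy.
 * Returns 1 if the buffer was transformed, 0 if it still equals the plaintext
 * (the NULL cipher was silently used), -1 if no cipher could be selected.
 */
static int encrypt_with_policy(const MODEL_CIPHER *(*select)(const MODEL_CIPHER *),
                               const MODEL_CIPHER *custom)
{
    unsigned char buf[8] = "secret!";   /* constructed plaintext */
    unsigned char orig[8];
    const MODEL_CIPHER *chosen = select(custom);

    if (chosen == NULL)
        return -1;
    memcpy(orig, buf, sizeof(buf));
    chosen->do_cipher(buf, sizeof(buf));
    return memcmp(buf, orig, sizeof(buf)) != 0;
}

/* The check the test commit describes: is the context's cipher the caller's object? */
static int ctx_uses_caller_cipher(const MODEL_CIPHER *(*select)(const MODEL_CIPHER *),
                                  const MODEL_CIPHER *custom)
{
    return select(custom) == custom;
}

/* Custom cipher left at NID_undef: the discouraged case from the commit message. */
static const MODEL_CIPHER custom_undef = { "toy-xor", NID_undef, 1, xor_do_cipher };
/* The same cipher with its own NID assigned. */
static const MODEL_CIPHER custom_nid = { "toy-xor", NID_toy_xor, 1, xor_do_cipher };

int main(void)
{
    printf("old policy,   NID_undef: transformed=%d uses_caller=%d\n",
           encrypt_with_policy(select_cipher_old, &custom_undef),
           ctx_uses_caller_cipher(select_cipher_old, &custom_undef));
    printf("fixed policy, NID_undef: transformed=%d uses_caller=%d\n",
           encrypt_with_policy(select_cipher_fixed, &custom_undef),
           ctx_uses_caller_cipher(select_cipher_fixed, &custom_undef));
    printf("old policy,   own NID:   transformed=%d (no fetch possible)\n",
           encrypt_with_policy(select_cipher_old, &custom_nid));
    return 0;
}
```

Under the old policy the NID_undef object is never consulted: the context ends up holding the NULL cipher and the "encrypted" buffer equals the plaintext, which is the unexpected NULL encryption the commit message refers to. Under the fixed policy the caller's object is used directly, and the same holds whether or not it has a NID. For application code the two practical checks this models are to register a real NID for a custom cipher (OpenSSL's `OBJ_create` exists for that) rather than leaving it at NID_undef, and to verify after initialisation that the cipher the context reports is the object that was passed in.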


Compare: https://github.com/openssl/openssl/compare/fcae2ae4f675...8c7d847e2e6a
