[openssl/openssl] 7765d2: Add a test for late loading of an ENGINE in TLS
Matt Caswell
noreply at github.com
Tue Dec 12 16:17:01 UTC 2023
Branch: refs/heads/master
Home: https://github.com/openssl/openssl
Commit: 7765d25ffe4f2a60b2082d469dec3b40f3418024
https://github.com/openssl/openssl/commit/7765d25ffe4f2a60b2082d469dec3b40f3418024
Author: Matt Caswell <matt at openssl.org>
Date: 2023-12-12 (Tue, 12 Dec 2023)
Changed paths:
M test/sslapitest.c
Log Message:
-----------
Add a test for late loading of an ENGINE in TLS
Confirm that using an ENGINE works as expected with TLS even if it is
loaded late (after construction of the SSL_CTX).
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Todd Short <todd.short at me.com>
(Merged from https://github.com/openssl/openssl/pull/22864)
Commit: afcc12c41ad82c5b63194502592de015604dbd47
https://github.com/openssl/openssl/commit/afcc12c41ad82c5b63194502592de015604dbd47
Author: Matt Caswell <matt at openssl.org>
Date: 2023-12-12 (Tue, 12 Dec 2023)
Changed paths:
M ssl/record/methods/ssl3_meth.c
M ssl/record/methods/tls1_meth.c
Log Message:
-----------
Don't attempt to set provider params on an ENGINE based cipher
If an ENGINE has been loaded after the SSL_CTX has been created then
the cipher we have cached might be provider based, but the cipher we
actually end up using might not be. Don't try to set provider params on
a cipher that is actually ENGINE based.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Todd Short <todd.short at me.com>
(Merged from https://github.com/openssl/openssl/pull/22864)
Commit: e46a6b1a5de0759023c5c9c2143ead4621f20d20
https://github.com/openssl/openssl/commit/e46a6b1a5de0759023c5c9c2143ead4621f20d20
Author: Matt Caswell <matt at openssl.org>
Date: 2023-12-12 (Tue, 12 Dec 2023)
Changed paths:
M ssl/ssl_local.h
M ssl/t1_enc.c
Log Message:
-----------
Remove some redundant code
We remove a function that was left behind and is no longer called after the
record layer refactor
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Todd Short <todd.short at me.com>
(Merged from https://github.com/openssl/openssl/pull/22864)
Commit: ff279597692f9f19dca5b147944d3d96f2e109f8
https://github.com/openssl/openssl/commit/ff279597692f9f19dca5b147944d3d96f2e109f8
Author: Matt Caswell <matt at openssl.org>
Date: 2023-12-12 (Tue, 12 Dec 2023)
Changed paths:
M providers/implementations/ciphers/cipher_aes_ccm_hw.c
Log Message:
-----------
Fix detection for riscv64/riscv32
Fixes #22871
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/22881)
Commit: 9c1b8f17ce2471ca37ee3936d07aed29aab10975
https://github.com/openssl/openssl/commit/9c1b8f17ce2471ca37ee3936d07aed29aab10975
Author: Matt Caswell <matt at openssl.org>
Date: 2023-12-12 (Tue, 12 Dec 2023)
Changed paths:
M crypto/bn/bn_gf2m.c
Log Message:
-----------
Avoid an infinite loop in BN_GF2m_mod_inv
If p is set to 1 when calling BN_GF2m_mod_inv then an infinite loop will
result. Calling this function set 1 when applications call this directly
is a non-sensical value - so this would be considered a bug in the caller.
It does not seem possible to cause OpenSSL internal callers of
BN_GF2m_mod_inv to call it with a value of 1.
So, for the above reasons, this is not considered a security issue.
Reported by Bing Shi.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Todd Short <todd.short at me.com>
(Merged from https://github.com/openssl/openssl/pull/22960)
Commit: b83c719ecb884f609ade7ad7f52bd5e09737585b
https://github.com/openssl/openssl/commit/b83c719ecb884f609ade7ad7f52bd5e09737585b
Author: Matt Caswell <matt at openssl.org>
Date: 2023-12-12 (Tue, 12 Dec 2023)
Changed paths:
M test/bntest.c
Log Message:
-----------
Extend the test of BN_GF2m_mod_inv
Test that input value of 1 for p is treated as an error
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Todd Short <todd.short at me.com>
(Merged from https://github.com/openssl/openssl/pull/22960)
Commit: 322517d817ecb5c1a3a8b0e7e038fa146857b4d4
https://github.com/openssl/openssl/commit/322517d817ecb5c1a3a8b0e7e038fa146857b4d4
Author: Matt Caswell <matt at openssl.org>
Date: 2023-12-12 (Tue, 12 Dec 2023)
Changed paths:
M apps/errstr.c
M crypto/http/http_lib.c
Log Message:
-----------
Fix some invalid use of sscanf
sscanf can return -1 on an empty input string. We need to appropriately
handle such an invalid case.
The instance in OSSL_HTTP_parse_url could cause an uninitialised read of
sizeof(unsigned int) bytes (typically 4). In many cases this uninit read
will immediately fail on the following check (i.e. if the read value
>65535).
If the top 2 bytes of a 4 byte unsigned int are zero then the value will
be <=65535 and the uninitialised value will be returned to the caller and
could represent arbitrary data on the application stack.
The OpenSSL security team has assessed this issue and consider it to be
a bug only (i.e. not a CVE).
Reviewed-by: Todd Short <todd.short at me.com>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/22961)
Commit: a36d10dfb7e77614c8d3da602ff3800a2e9f4989
https://github.com/openssl/openssl/commit/a36d10dfb7e77614c8d3da602ff3800a2e9f4989
Author: Matt Caswell <matt at openssl.org>
Date: 2023-12-12 (Tue, 12 Dec 2023)
Changed paths:
M test/http_test.c
Log Message:
-----------
Add a test case for OSSL_HTTP_parse_url
Ensure we test the case where the port value is empty in the URL.
Reviewed-by: Todd Short <todd.short at me.com>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/22961)
Compare: https://github.com/openssl/openssl/compare/5cd17920167a...a36d10dfb7e7
More information about the openssl-commits
mailing list