[openssl/openssl] 8b9644: Add a test for late loading of an ENGINE in TLS

Matt Caswell noreply at github.com
Tue Dec 12 16:17:04 UTC 2023


  Branch: refs/heads/openssl-3.2
  Home:   https://github.com/openssl/openssl
  Commit: 8b96444a3a32a89584e4373734faf49fdcf383e0
      https://github.com/openssl/openssl/commit/8b96444a3a32a89584e4373734faf49fdcf383e0
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-12-12 (Tue, 12 Dec 2023)

  Changed paths:
    M test/sslapitest.c

  Log Message:
  -----------
  Add a test for late loading of an ENGINE in TLS

Confirm that using an ENGINE works as expected with TLS even if it is
loaded late (after construction of the SSL_CTX).

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Todd Short <todd.short at me.com>
(Merged from https://github.com/openssl/openssl/pull/22864)

(cherry picked from commit 7765d25ffe4f2a60b2082d469dec3b40f3418024)


  Commit: 11d7870b07872d680e59757e4240e39504206de8
      https://github.com/openssl/openssl/commit/11d7870b07872d680e59757e4240e39504206de8
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-12-12 (Tue, 12 Dec 2023)

  Changed paths:
    M ssl/record/methods/ssl3_meth.c
    M ssl/record/methods/tls1_meth.c

  Log Message:
  -----------
  Don't attempt to set provider params on an ENGINE based cipher

If an ENGINE has been loaded after the SSL_CTX has been created then
the cipher we have cached might be provider based, but the cipher we
actually end up using might not be. Don't try to set provider params on
a cipher that is actually ENGINE based.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Todd Short <todd.short at me.com>
(Merged from https://github.com/openssl/openssl/pull/22864)

(cherry picked from commit afcc12c41ad82c5b63194502592de015604dbd47)


  Commit: fbf7bd015c42afcec06a793986cf277b37f3e66b
      https://github.com/openssl/openssl/commit/fbf7bd015c42afcec06a793986cf277b37f3e66b
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-12-12 (Tue, 12 Dec 2023)

  Changed paths:
    M ssl/ssl_local.h
    M ssl/t1_enc.c

  Log Message:
  -----------
  Remove some redundant code

We remove a function that was left behind and is no longer called after the
record layer refactor

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Todd Short <todd.short at me.com>
(Merged from https://github.com/openssl/openssl/pull/22864)

(cherry picked from commit e46a6b1a5de0759023c5c9c2143ead4621f20d20)


  Commit: 293f95004d220444612632cbc3c17431c00f04df
      https://github.com/openssl/openssl/commit/293f95004d220444612632cbc3c17431c00f04df
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-12-12 (Tue, 12 Dec 2023)

  Changed paths:
    M providers/implementations/ciphers/cipher_aes_ccm_hw.c

  Log Message:
  -----------
  Fix detection for riscv64/riscv32

Fixes #22871

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/22881)

(cherry picked from commit ff279597692f9f19dca5b147944d3d96f2e109f8)


  Commit: fd9ba4cd4eecaea34e1518ef688366323d4a2380
      https://github.com/openssl/openssl/commit/fd9ba4cd4eecaea34e1518ef688366323d4a2380
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-12-12 (Tue, 12 Dec 2023)

  Changed paths:
    M crypto/bn/bn_gf2m.c

  Log Message:
  -----------
  Avoid an infinite loop in BN_GF2m_mod_inv

If p is set to 1 when calling BN_GF2m_mod_inv then an infinite loop will
result. Calling this function set 1 when applications call this directly
is a non-sensical value - so this would be considered a bug in the caller.

It does not seem possible to cause OpenSSL internal callers of
BN_GF2m_mod_inv to call it with a value of 1.

So, for the above reasons, this is not considered a security issue.
Reported by Bing Shi.

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Todd Short <todd.short at me.com>
(Merged from https://github.com/openssl/openssl/pull/22960)

(cherry picked from commit 9c1b8f17ce2471ca37ee3936d07aed29aab10975)


  Commit: 952088af717616e2ef47eb793934bd15796477f7
      https://github.com/openssl/openssl/commit/952088af717616e2ef47eb793934bd15796477f7
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-12-12 (Tue, 12 Dec 2023)

  Changed paths:
    M test/bntest.c

  Log Message:
  -----------
  Extend the test of BN_GF2m_mod_inv

Test that input value of 1 for p is treated as an error

Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Todd Short <todd.short at me.com>
(Merged from https://github.com/openssl/openssl/pull/22960)

(cherry picked from commit b83c719ecb884f609ade7ad7f52bd5e09737585b)


  Commit: c579c999c7175b8b6a9ef7ac4bfe82d2d20907d9
      https://github.com/openssl/openssl/commit/c579c999c7175b8b6a9ef7ac4bfe82d2d20907d9
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-12-12 (Tue, 12 Dec 2023)

  Changed paths:
    M apps/errstr.c
    M crypto/http/http_lib.c

  Log Message:
  -----------
  Fix some invalid use of sscanf

sscanf can return -1 on an empty input string. We need to appropriately
handle such an invalid case.

The instance in OSSL_HTTP_parse_url could cause an uninitialised read of
sizeof(unsigned int) bytes (typically 4). In many cases this uninit read
will immediately fail on the following check (i.e. if the read value
>65535).

If the top 2 bytes of a 4 byte unsigned int are zero then the value will
be <=65535 and the uninitialised value will be returned to the caller and
could represent arbitrary data on the application stack.

The OpenSSL security team has assessed this issue and consider it to be
a bug only (i.e. not a CVE).

Reviewed-by: Todd Short <todd.short at me.com>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/22961)

(cherry picked from commit 322517d817ecb5c1a3a8b0e7e038fa146857b4d4)


  Commit: 23acb0d8969089a57386e455db3143923fc6ff02
      https://github.com/openssl/openssl/commit/23acb0d8969089a57386e455db3143923fc6ff02
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-12-12 (Tue, 12 Dec 2023)

  Changed paths:
    M test/http_test.c

  Log Message:
  -----------
  Add a test case for OSSL_HTTP_parse_url

Ensure we test the case where the port value is empty in the URL.

Reviewed-by: Todd Short <todd.short at me.com>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/22961)

(cherry picked from commit a36d10dfb7e77614c8d3da602ff3800a2e9f4989)


Compare: https://github.com/openssl/openssl/compare/42ca6c042b5f...23acb0d89690


More information about the openssl-commits mailing list