Branch: refs/heads/openssl-3.0 Home: https://github.com/openssl/openssl Commit: 5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b https://github.com/openssl/openssl/commit/5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b Author: Matt Caswell <m...@openssl.org> Date: 2022-10-03 (Mon, 03 Oct 2022)
Changed paths: M crypto/evp/digest.c M crypto/evp/evp_enc.c Log Message: ----------- Fix usage of custom EVP_CIPHER objects If a custom EVP_CIPHER object has been passed to EVP_CipherInit() then it should be used in preference to a fetched cipher. We also fix a possible NULL pointer deref in the same code for digests. If the custom cipher passed to EVP_CipherInit() happens to use NID_undef (which should be a discouraged practice), then in the previous implementation this could result in the NULL cipher being fetched and hence NULL encryption being unexpectedly used. CVE-2022-3358 Fixes #18970 Reviewed-by: Tomas Mraz <to...@openssl.org> Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19300) (cherry picked from commit 25d47cccf203c3b71171e78865e48ea061a039a8) Commit: a2893b62333d97c8dfaaf655eaea919d30fb9a7b https://github.com/openssl/openssl/commit/a2893b62333d97c8dfaaf655eaea919d30fb9a7b Author: Matt Caswell <m...@openssl.org> Date: 2022-10-03 (Mon, 03 Oct 2022) Changed paths: M crypto/evp/evp_enc.c Log Message: ----------- Ensure we call the cleanup() function when cleaning an EVP_CIPHER_CTX In some circumstances we were not calling the cleanup() function to remove cipher specific data from an EVP_CIPHER_CTX. Reviewed-by: Tomas Mraz <to...@openssl.org> Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19300) (cherry picked from commit f817a7439eaa705429cf699dd0485e665b0ffc49) Commit: b2f68ebeb5eef96249a22591199d43f960789c41 https://github.com/openssl/openssl/commit/b2f68ebeb5eef96249a22591199d43f960789c41 Author: Matt Caswell <m...@openssl.org> Date: 2022-10-03 (Mon, 03 Oct 2022) Changed paths: M test/evp_extra_test.c Log Message: ----------- Test usage of a custom EVP_CIPHER Test that a custom EVP_CIPHER gets used in EVP_CipherInit_ex() calls. Reviewed-by: Tomas Mraz <to...@openssl.org> Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19300) (cherry picked from commit 8c7d847e2e6ac6bfded210c19fd8461254bb2be3) Compare: https://github.com/openssl/openssl/compare/9f0867da4cbf...b2f68ebeb5ee