Coverity Scan: Analysis completed for openssl/openssl
Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DSCVH_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHvyQ0nCoW6uJA7KDXKjKjeJzfYQu-2FjIxRdum7GNrljDZ9xNRM3r2rxea8JI2-2Bax4w-2BKw9psIMlNHRAO6iafBaKTTg76rcbtEAcrLB4-2Fn3Dc-2FEaRBNlQsEc4Z5YZwtEA6Maztif-2BMO2QCnx0rlg-2BELC4xN15xXakDOl-2BSgd-2F2ecpvXCAAKDFnBbd9KPcbOsiGk-3D Build ID: 417305 Analysis Summary: New defects found: 0 Defects eliminated: 0
[openssl] master update
The branch master has been updated via 00cf3a2d30fc7642bf9f816a7c545115985a8c0c (commit) via adbd77f6d7cc4efb7b4bde483036fab8e48ce870 (commit) from b0c1214e1e82bc4c98eadd11d368b4ba9ffa202c (commit) - Log - commit 00cf3a2d30fc7642bf9f816a7c545115985a8c0c Author: Dr. David von Oheimb Date: Tue Aug 24 09:31:53 2021 +0200 25-test_req.t: Add systematic SKID+AKID tests for self-issued (incl. self-signed) certs Reviewed-by: Viktor Dukhovni Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/16342) commit adbd77f6d7cc4efb7b4bde483036fab8e48ce870 Author: Dr. David von Oheimb Date: Tue Aug 17 23:13:28 2021 +0200 X509: Fix handling of AKID and SKID extensions according to configuration Fixes #16300 Reviewed-by: Viktor Dukhovni Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/16342) --- Summary of changes: apps/ca.c | 11 +++- apps/include/apps.h | 1 + apps/lib/apps.c | 20 -- apps/pkcs12.c | 2 +- apps/req.c | 4 +- apps/x509.c | 4 ++ crypto/x509/v3_akid.c | 13 ++-- crypto/x509/v3_conf.c | 18 - doc/man5/x509v3_config.pod | 1 + test/certs/ext-check.csr| 23 ++- test/recipes/25-test_req.t | 157 +--- test/recipes/tconversion.pl | 3 +- 12 files changed, 199 insertions(+), 58 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index 24883615ed..1e77bf50c5 100644 --- a/apps/ca.c +++ b/apps/ca.c 
@@ -1709,7 +1709,16 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, /* Initialize the context structure */ X509V3_set_ctx(_ctx, selfsign ? ret : x509, - ret, req, NULL, X509V3_CTX_REPLACE); + ret, NULL /* no need to give req, needed info is in ret */, + NULL, X509V3_CTX_REPLACE); +/* prepare fallback for AKID, but only if issuer cert equals subject cert */ +if (selfsign) { +if (!X509V3_set_issuer_pkey(_ctx, pkey)) +goto end; +if (!cert_matches_key(ret, pkey)) +BIO_printf(bio_err, + "Warning: Signature key and public key of cert do not match\n"); +} /* Lets add the extensions, if there are any */ if (ext_sect) { diff --git a/apps/include/apps.h b/apps/include/apps.h index 9d5db16600..6018a83ca4 100644 --- a/apps/include/apps.h +++ b/apps/include/apps.h @@ -247,6 +247,7 @@ int x509_req_ctrl_string(X509_REQ *x, const char *value); int init_gen_str(EVP_PKEY_CTX **pctx, const char *algname, ENGINE *e, int do_param, OSSL_LIB_CTX *libctx, const char *propq); +int cert_matches_key(const X509 *cert, const EVP_PKEY *pkey); int do_X509_sign(X509 *x, EVP_PKEY *pkey, const char *md, STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx); int do_X509_verify(X509 *x, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *vfyopts); diff --git a/apps/lib/apps.c b/apps/lib/apps.c index b15abac857..82eeaea249 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -2224,8 +2224,8 @@ static int adapt_keyid_ext(X509 *cert, X509V3_CTX *ext_ctx, idx = X509v3_get_ext_by_OBJ(exts, X509_EXTENSION_get_object(new_ext), -1); if (idx >= 0) { X509_EXTENSION *found_ext = X509v3_get_ext(exts, idx); -ASN1_OCTET_STRING *data = X509_EXTENSION_get_data(found_ext); -int disabled = ASN1_STRING_length(data) <= 2; /* config said "none" */ +ASN1_OCTET_STRING *encoded = X509_EXTENSION_get_data(found_ext); +int disabled = ASN1_STRING_length(encoded) <= 2; /* indicating "none" */ if (disabled) { X509_delete_ext(cert, idx); 
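Review bot: In the `if (selfsign)` block of the apps/ca.c hunk, a failed `cert_matches_key(ret, pkey)` only prints a warning to `bio_err` and certificate creation continues, so the tool can presumably emit a certificate that is treated as self-signed for extension purposes while its signature would not verify under its own public key. If that is intended (a self-issued certificate signed with a different key), a comment should say so, e.g. `/* only warn: a self-issued cert may be signed with a key other than its own */`; otherwise the branch should end with `goto end;` after the message. A warning on stderr is easy to miss when this command is scripted, so the choice is worth making explicit. `do_body` starts and ends outside the hunk.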
@@ -2239,6 +2239,16 @@ static int adapt_keyid_ext(X509 *cert, X509V3_CTX *ext_ctx, return rv; } +int cert_matches_key(const X509 *cert, const EVP_PKEY *pkey) +{ +int match; + +ERR_set_mark(); +match = X509_check_private_key(cert, pkey); +ERR_pop_to_mark(); +return match; +} + /* Ensure RFC 5280 compliance, adapt keyIDs as needed, and sign the cert info */ int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const char *md, STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx) @@ -2254,16 +2264,14 @@ int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const char *md, goto end; /* - * Add default SKID before such that default AKID can make use of it + * Add default SKID before AKID such that AKID can make use of it * in case the certificate is self-signed */ /* Prevent X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER */ if (!adapt_keyid_ext(cert,
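Review bot: `cert_matches_key()` in the apps/lib/apps.c hunk has no comment describing its contract, and because the call is wrapped in `ERR_set_mark()`/`ERR_pop_to_mark()`, every error raised by `X509_check_private_key()` is discarded, so a caller cannot tell a real key mismatch from any other failure of the check. I would add above the definition `/* Return 1 if pkey matches the public key of cert, else 0; error queue entries raised by the check are dropped */`. The caller added in apps/ca.c prints "do not match" on any 0 result, which may mislead if the comparison failed for some other reason.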
[openssl] master update
The branch master has been updated via b0c1214e1e82bc4c98eadd11d368b4ba9ffa202c (commit) from 8f9842fd03945d9484dcc9e5fab37dce7caa5f50 (commit) - Log - commit b0c1214e1e82bc4c98eadd11d368b4ba9ffa202c Author: Job Snijders Date: Tue Nov 9 19:30:28 2021 + Add OID for RPKI id-ct-ASPA References: draft-ietf-sidrops-aspa-profile "A Profile for Autonomous System Provider Authorization" (ASPA) OID permanently assigned under 'SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)' https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1 CLA: trivial Reviewed-by: Matt Caswell Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17002) --- Summary of changes: crypto/objects/obj_dat.h | 15 ++- crypto/objects/obj_mac.num | 1 + crypto/objects/objects.txt | 1 + fuzz/oids.txt | 1 + include/openssl/obj_mac.h | 4 5 files changed, 17 insertions(+), 5 deletions(-) diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index ed9debf890..643646be19 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -10,7 +10,7 @@ */ /* Serialized OID's */ -static const unsigned char so[8092] = { +static const unsigned char so[8103] = { 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [0] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,/* [6] OBJ_pkcs */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02, /* [ 13] OBJ_md2 */ @@ -1117,9 +1117,10 @@ static const unsigned char so[8092] = { 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x30, /* [ 8064] OBJ_id_ct_signedChecklist */ 0x2A,0x81,0x1C,0xCF,0x55,0x01,0x68,0x08, /* [ 8075] OBJ_sm4_gcm */ 0x2A,0x81,0x1C,0xCF,0x55,0x01,0x68,0x09, /* [ 8083] OBJ_sm4_ccm */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x31, /* [ 8091] OBJ_id_ct_ASPA */ }; -#define NUM_NID 1250 +#define NUM_NID 1251 static const ASN1_OBJECT nid_objs[NUM_NID] = { {"UNDEF", "undefined", NID_undef}, {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, [0]}, 
@@ -2371,9 +2372,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = { {"id-ct-signedChecklist", "id-ct-signedChecklist", NID_id_ct_signedChecklist, 11, [8064]}, {"SM4-GCM", "sm4-gcm", NID_sm4_gcm, 8, [8075]}, {"SM4-CCM", "sm4-ccm", NID_sm4_ccm, 8, [8083]}, +{"id-ct-ASPA", "id-ct-ASPA", NID_id_ct_ASPA, 11, [8091]}, }; -#define NUM_SN 1241 +#define NUM_SN 1242 static const unsigned int sn_objs[NUM_SN] = { 364,/* "AD_DVCS" */ 419,/* "AES-128-CBC" */ @@ -2986,6 +2988,7 @@ static const unsigned int sn_objs[NUM_SN] = { 327,/* "id-cmc-statusInfo" */ 331,/* "id-cmc-transactionId" */ 1238,/* "id-cp" */ +1250,/* "id-ct-ASPA" */ 787,/* "id-ct-asciiTextWithCRLF" */ 1246,/* "id-ct-geofeedCSVwithCRLF" */ 1237,/* "id-ct-resourceTaggedAttest" */ @@ -3618,7 +3621,7 @@ static const unsigned int sn_objs[NUM_SN] = { 1093,/* "x509ExtAdmission" */ }; -#define NUM_LN 1241 +#define NUM_LN 1242 static const unsigned int ln_objs[NUM_LN] = { 363,/* "AD Time Stamping" */ 405,/* "ANSI X9.62" */ @@ -4247,6 +4250,7 @@ static const unsigned int ln_objs[NUM_LN] = { 327,/* "id-cmc-statusInfo" */ 331,/* "id-cmc-transactionId" */ 1238,/* "id-cp" */ +1250,/* "id-ct-ASPA" */ 787,/* "id-ct-asciiTextWithCRLF" */ 1246,/* "id-ct-geofeedCSVwithCRLF" */ 1237,/* "id-ct-resourceTaggedAttest" */ @@ -4863,7 +4867,7 @@ static const unsigned int ln_objs[NUM_LN] = { 125,/* "zlib compression" */ }; -#define NUM_OBJ 1112 +#define NUM_OBJ 1113 static const unsigned int obj_objs[NUM_OBJ] = { 0,/* OBJ_undef0 */ 181,/* OBJ_iso 1 */ 
@@ -5906,6 +5910,7 @@ static const unsigned int obj_objs[NUM_OBJ] = { 1237,/* OBJ_id_ct_resourceTaggedAttest 1 2 840 113549 1 9 16 1 36 */ 1246,/* OBJ_id_ct_geofeedCSVwithCRLF 1 2 840 113549 1 9 16 1 47 */ 1247,/* OBJ_id_ct_signedChecklist1 2 840 113549 1 9 16 1 48 */ +1250,/* OBJ_id_ct_ASPA 1 2 840 113549 1 9 16 1 49 */ 212,/* OBJ_id_smime_aa_receiptRequest 1 2 840 113549 1 9 16 2 1 */ 213,/* OBJ_id_smime_aa_securityLabel1 2 840 113549 1 9 16 2 2 */ 214,/* OBJ_id_smime_aa_mlExpandHistory 1 2 840 113549 1 9 16 2 3 */ diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num index f20dbba312..14869e582b 100644 --- a/crypto/objects/obj_mac.num +++ b/crypto/objects/obj_mac.num @@ -1247,3 +1247,4 @@ id_ct_geofeedCSVwithCRLF 1246
[openssl] master update
The branch master has been updated via 8f9842fd03945d9484dcc9e5fab37dce7caa5f50 (commit) from 90c311315c15a4fea895fd317d9c8fe801ba04a0 (commit) - Log - commit 8f9842fd03945d9484dcc9e5fab37dce7caa5f50 Author: Anton Blanchard Date: Tue Mar 12 16:03:56 2019 +1100 sha/asm/keccak1600-ppc64.pl: Load data in 8 byte chunks on little endian We currently load data byte by byte in order to byteswap it on big endian. On little endian we can just do 8 byte loads. A SHAKE128 benchmark runs 10% faster on POWER9 with this patch applied. Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/8455) --- Summary of changes: crypto/sha/asm/keccak1600-ppc64.pl | 69 +++--- 1 file changed, 42 insertions(+), 27 deletions(-) diff --git a/crypto/sha/asm/keccak1600-ppc64.pl b/crypto/sha/asm/keccak1600-ppc64.pl index 83f8d8ef33..bff0d78585 100755 --- a/crypto/sha/asm/keccak1600-ppc64.pl +++ b/crypto/sha/asm/keccak1600-ppc64.pl @@ -51,6 +51,16 @@ if ($flavour =~ /64/) { $PUSH ="std"; } else { die "nonsense $flavour"; } +$LITTLE_ENDIAN = ($flavour=~/le$/) ? 1 : 0; + +if ($LITTLE_ENDIAN) { + $DWORD_LE_LOAD = "ldu r0,8(r3)"; + $LE_LOAD_SIZE = "8"; +} else { + $DWORD_LE_LOAD = "bldword_le_load"; + $LE_LOAD_SIZE = "1"; +} + $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or @@ -384,7 +394,9 @@ KeccakF1600: .byte 0,12,4,1,0x80,18,1,0 .long 0 .size KeccakF1600,.-KeccakF1600 - +___ +if (!$LITTLE_ENDIAN) { +$code.=<<___; .type dword_le_load,\@function .align 5 dword_le_load: @@ -408,7 +420,10 @@ dword_le_load: .byte 0,12,0x14,0,0,0,1,0 .long 0 .size dword_le_load,.-dword_le_load +___ +} +$code.=<<___; .globl SHA3_absorb .type SHA3_absorb,\@function .align 5 
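Review bot: In the first hunk of keccak1600-ppc64.pl, `$DWORD_LE_LOAD` and `$LE_LOAD_SIZE` have to change together, because the `subi r4,r4,$LE_LOAD_SIZE` pre-decrement in `SHA3_absorb` must equal the update displacement of whichever load form is selected, but nothing in the code states that coupling. A comment such as `# $LE_LOAD_SIZE is the pre-decrement matching the update-form load behind $DWORD_LE_LOAD (ldu: 8, lbzu: 1)` would keep the two from drifting apart. The little-endian path also hard-codes `r0` and `r3` in the instruction string and issues doubleword loads directly on the caller's input pointer. No alignment handling is visible in these hunks, so the code presumably relies on the hardware tolerating unaligned `ldu`; that assumption deserves a comment as well.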
@@ -436,7 +451,7 @@ SHA3_absorb: $PUSH r0,`$FRAME+$LRSAVE`($sp) bl PICmeup - subir4,r4,1 ; prepare for lbzu + subir4,r4,$LE_LOAD_SIZE ; prepare for ldu or lbzu subir12,r12,8 ; prepare for ldu $PUSH r3,`$LOCALS+0*$SIZE_T`($sp) ; save A[][] @@ -487,79 +502,79 @@ SHA3_absorb: srwir5,r5,3 $PUSH r4,`$LOCALS+2*$SIZE_T`($sp) ; save len mtctr r5 - bl dword_le_load ; *inp++ + $DWORD_LE_LOAD ; *inp++ xor $A[0][0],$A[0][0],r0 bdz .Lprocess_block - bl dword_le_load ; *inp++ + $DWORD_LE_LOAD ; *inp++ xor $A[0][1],$A[0][1],r0 bdz .Lprocess_block - bl dword_le_load ; *inp++ + $DWORD_LE_LOAD ; *inp++ xor $A[0][2],$A[0][2],r0 bdz .Lprocess_block - bl dword_le_load ; *inp++ + $DWORD_LE_LOAD ; *inp++ xor $A[0][3],$A[0][3],r0 bdz .Lprocess_block - bl dword_le_load ; *inp++ + $DWORD_LE_LOAD ; *inp++ xor $A[0][4],$A[0][4],r0 bdz .Lprocess_block - bl dword_le_load ; *inp++ + $DWORD_LE_LOAD ; *inp++ xor $A[1][0],$A[1][0],r0 bdz .Lprocess_block - bl dword_le_load ; *inp++ + $DWORD_LE_LOAD ; *inp++ xor $A[1][1],$A[1][1],r0 bdz .Lprocess_block - bl dword_le_load ; *inp++ + $DWORD_LE_LOAD ; *inp++ xor $A[1][2],$A[1][2],r0 bdz .Lprocess_block - bl dword_le_load ; *inp++ + $DWORD_LE_LOAD ; *inp++ xor $A[1][3],$A[1][3],r0 bdz .Lprocess_block - bl dword_le_load ; *inp++ + $DWORD_LE_LOAD ; *inp++ xor $A[1][4],$A[1][4],r0 bdz .Lprocess_block - bl dword_le_load ; *inp++ + $DWORD_LE_LOAD ; *inp++ xor $A[2][0],$A[2][0],r0 bdz .Lprocess_block - bl dword_le_load ; *inp++ + $DWORD_LE_LOAD ; *inp++ xor $A[2][1],$A[2][1],r0 bdz .Lprocess_block - bl dword_le_load ; *inp++ + $DWORD_LE_LOAD ; *inp++ xor $A[2][2],$A[2][2],r0 bdz