Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-des
Platform and configuration command: $ uname -a Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-des Commit log since last time: 41385f2708 test/recipes/02-test_errstr.t: Do not test negative system error codes 014498fff9 test: fix coverity 1475940: negative return 97ef45ea13 test: fix coverity 1475941: resource leak ccf19c23c0 Disallow ASN.1 enumerated types to be treated as strings. 44e82b813f Remove locking in CRYPTO_secure_allocated() 0bc27f7203 Make the lock in CRYPTO_secure_allocated() a read lock bec9289143 Fix AES-CBC perf test failure issue 30573117bb Fix typo in store_meth.c 1ac64327df Remove unnecessary setting SSL_MODE_AUTO_RETRY 86522324d2 Adds a new lock to read default_path and uses a strdup() on default_path before using it Fixes #14483 Signed-off-by: Sahana Prasad 581c4b1d53 Ensure that the negative flag is correct set for ASN1 integer types. 0806698047 Check for integer overflow in i2a_ASN1_OBJECT and error out if found. 493e78986f Fix potential double free in sslapitest.c 0cfbc828e0 Deprecate the EVP_PKEY controls for CMS and PKCS#7 Build log ended with (last 100 lines): 70-test_sslrecords.t ... ok 70-test_sslsessiontick.t ... ok 70-test_sslsigalgs.t ... ok 70-test_sslsignature.t . ok 70-test_sslskewith0p.t . ok 70-test_sslversions.t .. ok 70-test_sslvertol.t ok 70-test_tls13alerts.t .. ok 70-test_tls13cookie.t .. ok 70-test_tls13downgrade.t ... ok 70-test_tls13hrr.t . ok 70-test_tls13kexmodes.t ok 70-test_tls13messages.t ok 70-test_tls13psk.t . ok 70-test_tlsextms.t . ok 70-test_verify_extra.t . ok 70-test_wpacket.t .. ok 71-test_ssl_ctx.t .. ok 80-test_ca.t ... ok 80-test_cipherbytes.t .. ok 80-test_cipherlist.t ... ok 80-test_ciphername.t ... ok # Killing mock server with pid=97976180-test_cmp_http.t . ok # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... ok 80-test_dane.t . ok 80-test_dtls.t . ok 80-test_dtls_mtu.t . ok 80-test_dtlsv1listen.t . ok 80-test_http.t . ok 80-test_ocsp.t . ok 80-test_pkcs12.t ... skipped: The PKCS12 command line utility is not supported by this OpenSSL build 80-test_ssl_new.t .. ok 80-test_ssl_old.t .. ok 80-test_ssl_test_ctx.t . ok 80-test_sslcorrupt.t ... ok 80-test_tsa.t .. ok 80-test_x509aux.t .. ok 81-test_cmp_cli.t .. ok 90-test_asn1_time.t ok 90-test_async.t ok 90-test_bio_enc.t .. ok 90-test_bio_memleak.t .. ok 90-test_constant_time.t ok 90-test_fatalerr.t . ok 90-test_fipsload.t . ok 90-test_gmdiff.t ... ok 90-test_gost.t . ok 90-test_ige.t .. ok 90-test_includes.t . ok 90-test_memleak.t .. ok 90-test_overhead.t . ok 90-test_secmem.t ... ok 90-test_shlibload.t ok 90-test_srp.t .. ok 90-test_sslapi.t ... ok 90-test_sslbuffers.t ... ok 90-test_store.t ok 90-test_sysdefault.t ... ok 90-test_threads.t .. ok 90-test_time_offset.t .. ok 90-test_tls13ccs.t . ok 90-test_tls13encryption.t .. ok 90-test_tls13secrets.t . ok 90-test_v3name.t ... ok 91-test_pkey_check.t ... ok 95-test_external_gost_engine.t . skipped: No external tests in this configuration 95-test_external_krb5.t skipped: No external tests in this configuration 95-test_external_pyca.t skipped: No external tests in this configuration 99-test_ecstress.t . ok 99-test_fuzz_asn1.t ok 99-test_fuzz_asn1parse.t ... ok 99-test_fuzz_bignum.t .. ok 99-test_fuzz_bndiv.t ... ok 99-test_fuzz_client.t .. ok 99-test_fuzz_cmp.t . ok 99-test_fuzz_cms.t . ok 99-test_fuzz_conf.t ok 99-test_fuzz_crl.t . ok 99-test_fuzz_ct.t .. ok 99-test_fuzz_server.t .. ok 99-test_fuzz_x509.t ok Test Summary Report --- 30-test_evp.t(Wstat: 512 Tests: 89 Failed: 2) Failed tests: 13, 39 Non-zero exit status: 2 30-test_evp_kdf.t(Wstat
[openssl] master update
The branch master has been updated via 9695f6de1579f5d46e75cfebbaf44bc99cb421ec (commit) from e6c2f96489fc0c006845c8597f8ceed2f01f76ee (commit) - Log - commit 9695f6de1579f5d46e75cfebbaf44bc99cb421ec Author: Pauli Date: Tue Apr 6 22:26:25 2021 +1000 apps: fix AES CBC performance loop Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14778) --- Summary of changes: apps/speed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/speed.c b/apps/speed.c index 25c384d775..3cb93ecf12 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -2088,7 +2088,7 @@ int speed_main(int argc, char **argv) if (doit[algindex]) { int st = 1; -keylen = 16 + i * 8; +keylen = 16 + k * 8; for (i = 0; st && i < loopargs_len; i++) { loopargs[i].ctx = init_evp_cipher_ctx(names[algindex], key32, keylen);
[openssl] master update
The branch master has been updated via e6c2f96489fc0c006845c8597f8ceed2f01f76ee (commit) from 09fba0b44032c2f66d5e7e8c732869e031ce74c8 (commit) - Log - commit e6c2f96489fc0c006845c8597f8ceed2f01f76ee Author: Shane Lontis Date: Wed Mar 31 15:10:22 2021 +1000 Fix more certificate related lib_ctx settings. Fixes #13732 Fix a few places that were not using the '_ex' variants of ASN1_item_sign/verify. Added X509_CRL_new_ex(). Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14752) --- Summary of changes: apps/ca.c | 2 +- apps/ocsp.c | 11 ++- apps/req.c| 2 +- crypto/asn1/a_sign.c | 1 + crypto/ocsp/ocsp_cl.c | 2 +- crypto/ocsp/ocsp_local.h | 46 +++--- crypto/ocsp/ocsp_srv.c| 7 --- crypto/ocsp/ocsp_vfy.c| 4 ++-- crypto/x509/x509_vfy.c| 2 +- crypto/x509/x_all.c | 19 +++ crypto/x509/x_crl.c | 17 +++-- doc/man3/X509_dup.pod | 8 +--- doc/man3/X509_new.pod | 3 ++- include/openssl/x509.h.in | 1 + util/libcrypto.num| 1 + 15 files changed, 79 insertions(+), 47 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index 9cec43cf8b..268bd76912 100755 --- a/apps/ca.c +++ b/apps/ca.c @@ -1178,7 +1178,7 @@ end_of_options: if (verbose) BIO_printf(bio_err, "making CRL\n"); -if ((crl = X509_CRL_new()) == NULL) +if ((crl = X509_CRL_new_ex(app_get0_libctx(), app_get0_propq())) == NULL) goto end; if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509))) goto end; diff --git a/apps/ocsp.c b/apps/ocsp.c index cd3a3bd695..7d64ee2d02 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -469,7 +469,8 @@ int ocsp_main(int argc, char **argv) case OPT_RSIGOPT: if (rsign_sigopts == NULL) rsign_sigopts = sk_OPENSSL_STRING_new_null(); -if (rsign_sigopts == NULL || !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg())) +if (rsign_sigopts == NULL +|| !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg())) goto end; break; case OPT_HEADER: @@ -676,8 +677,8 @@ redo_accept: if (key == NULL) goto end; -if (!OCSP_request_sign -(req, signer, key, NULL, sign_other, sign_flags)) { +if (!OCSP_request_sign(req, signer, key, NULL, + sign_other, sign_flags)) { BIO_printf(bio_err, "Error signing OCSP request\n"); goto end; } @@ -696,8 +697,8 @@ redo_accept: if (rdb != NULL) { make_ocsp_response(bio_err, &resp, req, rdb, rca_cert, rsigner, rkey, - rsign_md, rsign_sigopts, rother, rflags, nmin, ndays, badsig, - resp_certid_md); + rsign_md, rsign_sigopts, rother, rflags, nmin, ndays, + badsig, resp_certid_md); if (cbio != NULL) send_ocsp_response(cbio, resp); } else if (host != NULL) { diff --git a/apps/req.c b/apps/req.c index 4056b18f51..04774db399 100644 --- a/apps/req.c +++ b/apps/req.c @@ -802,7 +802,7 @@ int req_main(int argc, char **argv) } if (req == NULL) { -req = X509_REQ_new(); +req = X509_REQ_new_ex(app_get0_libctx(), app_get0_propq()); if (req == NULL) { goto end; } diff --git a/crypto/asn1/a_sign.c b/crypto/asn1/a_sign.c index 911d61453a..fe55373b34 100644 --- a/crypto/asn1/a_sign.c +++ b/crypto/asn1/a_sign.c @@ -136,6 +136,7 @@ int ASN1_item_sign_ex(const ASN1_ITEM *it, X509_ALGOR *algor1, ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); return 0; } +/* We can use the non _ex variant here since the pkey is already setup */ if (!EVP_DigestSignInit(ctx, NULL, md, NULL, pkey)) goto err; diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c index cfa85af240..c1dda38414 100644 --- a/crypto/ocsp/ocsp_cl.c +++ b/crypto/ocsp/ocsp_cl.c @@ -94,7 +94,7 @@ int OCSP_request_sign(OCSP_REQUEST *req, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); goto err; } -if (!OCSP_REQUEST_sign(req, key, dgst)) +if (!OCSP_REQUEST_sign(req, key, dgst, signer->libctx, signer->propq)) goto err; } diff --git a/crypto/ocsp/ocsp_local.h b/crypto/ocsp/ocsp_local.h index 6542febc98..e1633403c6 100644 --- a/crypto/ocsp/ocsp_local.h +++ b/crypto/ocsp/ocsp_local.h @@ -217,22 +217,30 @@ struct ocsp_service_locator_st { STACK_OF(ACCESS_DESCRIPTION) *locator; }; -# define OCSP_REQUEST_sign(o,pkey,md
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoerrinit
Platform and configuration command: $ uname -a Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoerrinit Commit log since last time: 41385f2708 test/recipes/02-test_errstr.t: Do not test negative system error codes 014498fff9 test: fix coverity 1475940: negative return 97ef45ea13 test: fix coverity 1475941: resource leak ccf19c23c0 Disallow ASN.1 enumerated types to be treated as strings. 44e82b813f Remove locking in CRYPTO_secure_allocated() 0bc27f7203 Make the lock in CRYPTO_secure_allocated() a read lock bec9289143 Fix AES-CBC perf test failure issue 30573117bb Fix typo in store_meth.c 1ac64327df Remove unnecessary setting SSL_MODE_AUTO_RETRY 86522324d2 Adds a new lock to read default_path and uses a strdup() on default_path before using it Fixes #14483 Signed-off-by: Sahana Prasad 581c4b1d53 Ensure that the negative flag is correct set for ASN1 integer types. 0806698047 Check for integer overflow in i2a_ASN1_OBJECT and error out if found. 493e78986f Fix potential double free in sslapitest.c 0cfbc828e0 Deprecate the EVP_PKEY controls for CMS and PKCS#7 Build log ended with (last 100 lines): 70-test_sslcertstatus.t ok 70-test_sslextension.t . ok 70-test_sslmessages.t .. ok 70-test_sslrecords.t ... ok 70-test_sslsessiontick.t ... ok 70-test_sslsigalgs.t ... ok 70-test_sslsignature.t . ok 70-test_sslskewith0p.t . ok 70-test_sslversions.t .. ok 70-test_sslvertol.t ok 70-test_tls13alerts.t .. ok 70-test_tls13cookie.t .. ok 70-test_tls13downgrade.t ... ok 70-test_tls13hrr.t . ok 70-test_tls13kexmodes.t ok 70-test_tls13messages.t ok 70-test_tls13psk.t . ok 70-test_tlsextms.t . ok 70-test_verify_extra.t . ok 70-test_wpacket.t .. ok 71-test_ssl_ctx.t .. ok 80-test_ca.t ... ok 80-test_cipherbytes.t .. ok 80-test_cipherlist.t ... ok 80-test_ciphername.t ... ok # Killing mock server with pid=24585780-test_cmp_http.t . ok # 80-test_cms.t .. ok 80-test_cmsapi.t ... ok 80-test_ct.t ... ok 80-test_dane.t . ok 80-test_dtls.t . ok 80-test_dtls_mtu.t . ok 80-test_dtlsv1listen.t . ok 80-test_http.t . ok 80-test_ocsp.t . ok 80-test_pkcs12.t ... ok 80-test_ssl_new.t .. ok 80-test_ssl_old.t .. ok 80-test_ssl_test_ctx.t . ok 80-test_sslcorrupt.t ... ok 80-test_tsa.t .. ok 80-test_x509aux.t .. ok 81-test_cmp_cli.t .. ok 90-test_asn1_time.t ok 90-test_async.t ok 90-test_bio_enc.t .. ok 90-test_bio_memleak.t .. ok 90-test_constant_time.t ok 90-test_fatalerr.t . ok 90-test_fipsload.t . ok 90-test_gmdiff.t ... ok 90-test_gost.t . ok 90-test_ige.t .. ok 90-test_includes.t . ok 90-test_memleak.t .. ok 90-test_overhead.t . ok 90-test_secmem.t ... ok 90-test_shlibload.t ok 90-test_srp.t .. ok 90-test_sslapi.t ... ok 90-test_sslbuffers.t ... ok 90-test_store.t ok 90-test_sysdefault.t ... ok 90-test_threads.t .. ok 90-test_time_offset.t .. ok 90-test_tls13ccs.t . ok 90-test_tls13encryption.t .. ok 90-test_tls13secrets.t . ok 90-test_v3name.t ... ok 91-test_pkey_check.t ... ok 95-test_external_gost_engine.t . skipped: No external tests in this configuration 95-test_external_krb5.t skipped: No external tests in this configuration 95-test_external_pyca.t skipped: No external tests in this configuration 99-test_ecstress.t . ok 99-test_fuzz_asn1.t ok 99-test_fuzz_asn1parse.t ... ok 99-test_fuzz_bignum.t .. ok 99-test_fuzz_bndiv.t ... ok 99-test_fuzz_client.t .. ok 99-test_fuzz_cmp.t . ok 99-test_fuzz_cms.t . ok 99-test_fuzz_conf.t ok 99-test_fuzz_crl.t . ok 99-test_fuzz_ct.t .. ok 99-test_fuzz_server.t .. ok 99-test_fuzz_x509.t ok Test Summary Report --- 04-test_err.t(Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-autoalginit
Platform and configuration command: $ uname -a Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-autoalginit Commit log since last time: 41385f2708 test/recipes/02-test_errstr.t: Do not test negative system error codes 014498fff9 test: fix coverity 1475940: negative return 97ef45ea13 test: fix coverity 1475941: resource leak ccf19c23c0 Disallow ASN.1 enumerated types to be treated as strings. 44e82b813f Remove locking in CRYPTO_secure_allocated() 0bc27f7203 Make the lock in CRYPTO_secure_allocated() a read lock bec9289143 Fix AES-CBC perf test failure issue 30573117bb Fix typo in store_meth.c 1ac64327df Remove unnecessary setting SSL_MODE_AUTO_RETRY 86522324d2 Adds a new lock to read default_path and uses a strdup() on default_path before using it Fixes #14483 Signed-off-by: Sahana Prasad 581c4b1d53 Ensure that the negative flag is correct set for ASN1 integer types. 0806698047 Check for integer overflow in i2a_ASN1_OBJECT and error out if found. 493e78986f Fix potential double free in sslapitest.c 0cfbc828e0 Deprecate the EVP_PKEY controls for CMS and PKCS#7 Build log ended with (last 100 lines): clang -I. -Icrypto -Iinclude -Iproviders/implementations/include -Iproviders/common/include -I../openssl -I../openssl/crypto -I../openssl/include -I../openssl/providers/implementations/include -I../openssl/providers/common/include -DMD5_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_IA32_SSE2 -fPIC -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines-3\"" -DMODUL ESDIR="\"/usr/local/lib/ossl-modules\"" -DOPENSSL_BUILDING_OPENSSL -MMD -MF providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hmac_md5_hw.d.tmp -MT providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hmac_md5_hw.o -c -o providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hmac_md5_hw.o ../openssl/providers/implementations/ciphers/cipher_rc4_hmac_md5_hw.c clang -I. -Icrypto -Iinclude -Iproviders/implementations/include -Iproviders/common/include -I../openssl -I../openssl/crypto -I../openssl/include -I../openssl/providers/implementations/include -I../openssl/providers/common/include -DMD5_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_IA32_SSE2 -fPIC -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines-3\"" -DMODUL ESDIR="\"/usr/local/lib/ossl-modules\"" -DOPENSSL_BUILDING_OPENSSL -MMD -MF providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hw.d.tmp -MT providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hw.o -c -o providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hw.o ../openssl/providers/implementations/ciphers/cipher_rc4_hw.c clang -I. -Icrypto -Iinclude -Iproviders/implementations/include -Iproviders/common/include -I../openssl -I../openssl/crypto -I../openssl/include -I../openssl/providers/implementations/include -I../openssl/providers/common/include -DMD5_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_IA32_SSE2 -fPIC -pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -Wno-unknown-warning-option -Wswitch-default -Wno-parentheses-equality -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines-3\"" -DMO
Still FAILED build of OpenSSL branch master with options -d --strict-warnings no-asm
Platform and configuration command: $ uname -a Linux run 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ CC=clang ../openssl/config -d --strict-warnings no-asm Commit log since last time: 41385f2708 test/recipes/02-test_errstr.t: Do not test negative system error codes 014498fff9 test: fix coverity 1475940: negative return 97ef45ea13 test: fix coverity 1475941: resource leak ccf19c23c0 Disallow ASN.1 enumerated types to be treated as strings. 44e82b813f Remove locking in CRYPTO_secure_allocated() 0bc27f7203 Make the lock in CRYPTO_secure_allocated() a read lock bec9289143 Fix AES-CBC perf test failure issue 30573117bb Fix typo in store_meth.c 1ac64327df Remove unnecessary setting SSL_MODE_AUTO_RETRY 86522324d2 Adds a new lock to read default_path and uses a strdup() on default_path before using it Fixes #14483 Signed-off-by: Sahana Prasad 581c4b1d53 Ensure that the negative flag is correct set for ASN1 integer types. 0806698047 Check for integer overflow in i2a_ASN1_OBJECT and error out if found. 493e78986f Fix potential double free in sslapitest.c 0cfbc828e0 Deprecate the EVP_PKEY controls for CMS and PKCS#7 Build log ended with (last 100 lines): 15-test_ecparam.t .. ok 15-test_gendh.t ok 15-test_gendsa.t ... ok 15-test_genec.t ok 15-test_genrsa.t ... ok 15-test_mp_rsa.t ... ok 15-test_out_option.t ... ok 15-test_rsa.t .. ok 15-test_rsaoaep.t .. ok 15-test_rsapss.t ... ok 20-test_app.t .. ok 20-test_cli_fips.t . ok 20-test_dgst.t . ok 20-test_dhparam.t .. ok 20-test_dhparam_check.t ok 20-test_enc.t .. ok 20-test_enc_more.t . ok 20-test_kdf.t .. ok 20-test_mac.t .. ok 20-test_passwd.t ... ok 20-test_pkeyutl.t .. ok 20-test_rand_config.t .. ok 25-test_crl.t .. ok 25-test_d2i.t .. ok 25-test_eai_data.t . ok 25-test_pkcs7.t ok 25-test_req.t .. ok 25-test_rusext.t ... ok 25-test_sid.t .. ok 25-test_verify.t ... ok 25-test_verify_store.t . ok 25-test_x509.t . ok 30-test_acvp.t . ok 30-test_aesgcm.t ... ok 30-test_afalg.t ok 30-test_defltfips.t ok 30-test_engine.t ... ok 30-test_evp.t .. ok 30-test_evp_extra.t ok 30-test_evp_fetch_prov.t ... ok 30-test_evp_kdf.t .. ok 30-test_evp_libctx.t ... ok 30-test_evp_pkey_dparam.t .. ok 30-test_evp_pkey_provided.t ok 30-test_pbelu.t ok 30-test_pkey_meth.t ok 30-test_pkey_meth_kdf.t ok 30-test_provider_status.t .. ok 40-test_rehash.t ... ok 60-test_x509_check_cert_pkey.t . ok 60-test_x509_dup_cert.t ok 60-test_x509_store.t ... ok 60-test_x509_time.t ok 61-test_bio_prefix.t ... ok 61-test_bio_readbuffer.t ... ok 65-test_cmp_asn.t .. ok 65-test_cmp_client.t ... ok 65-test_cmp_ctx.t .. ok 65-test_cmp_hdr.t .. ok 65-test_cmp_msg.t .. ok 65-test_cmp_protect.t .. ok 65-test_cmp_server.t ... ok 65-test_cmp_status.t ... ok 65-test_cmp_vfy.t .. ok 66-test_ossl_store.t ... ok 70-test_asyncio.t .. ok 70-test_bad_dtls.t . ok 70-test_clienthello.t .. ok 70-test_comp.t . ok 70-test_key_share.t ok 70-test_packet.t ... ok 70-test_recordlen.t ok 70-test_renegotiation.t ok 70-test_servername.t ... ok 70-test_sslcbcpadding.t ok 70-test_sslcertstatus.t ok 70-test_sslextension.t . ok 70-test_sslmessages.t .. ok 70-test_sslrecords.t ... ok 70-test_sslsessiontick.t ... ok 70-test_sslsigalgs.t ... ok 70-test_sslsignature.t . ok 70-test_sslskewith0p.t . ok 70-test_sslversions.t .. ok 70-test_sslvertol.t ok 70-test_tls13alerts.t .. ok 70-test_tls13cookie.t .. ok 70-test_tls13downgrade.t ... ok 70-test_tls13hrr.t . ok 70-test_tls13kexmodes.t ok 70-test_tls13messages.t ok 70-test_tls13psk.t . ok 70-test_tlsextms.t . ok 70-test_verify_extra.t . ok 70-test_wpacket.t
[openssl] master update
The branch master has been updated via 09fba0b44032c2f66d5e7e8c732869e031ce74c8 (commit) via fd0a9ff7ef0db7441baf8626f53e37a10d22449d (commit) via c12bf35026af94a73402eaf13f2428a9af30f1c0 (commit) via 3bbc7b562abf4ca3221d8762fe3f749024936281 (commit) via 48b05bb617e247a40b66c2ddd9326966000a3504 (commit) via 1002bb9ff0e35b4195586199222f9bad77837162 (commit) via 89f7ea045be346ecd9085804a429bb4842843344 (commit) from 41385f2708d08155d56ce08dce494152e225069e (commit) - Log - commit 09fba0b44032c2f66d5e7e8c732869e031ce74c8 Author: Pauli Date: Mon Mar 22 08:37:56 2021 +1000 fix coverity 1466710: resource leak Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14620) commit fd0a9ff7ef0db7441baf8626f53e37a10d22449d Author: Pauli Date: Fri Mar 19 14:54:40 2021 +1000 dh: fix coverity 1473238: argument cannot be negative Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14620) commit c12bf35026af94a73402eaf13f2428a9af30f1c0 Author: Pauli Date: Fri Mar 19 14:50:43 2021 +1000 evp: fix coverity 1473631: argument cannot be negative Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14620) commit 3bbc7b562abf4ca3221d8762fe3f749024936281 Author: Pauli Date: Fri Mar 19 14:50:28 2021 +1000 evp: fix coverity 1451509: argument cannot be negative Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14620) commit 48b05bb617e247a40b66c2ddd9326966000a3504 Author: Pauli Date: Fri Mar 19 14:50:11 2021 +1000 evp: fix coverity 1451510: argument cannot be negative Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14620) commit 1002bb9ff0e35b4195586199222f9bad77837162 Author: Pauli Date: Fri Mar 19 14:49:57 2021 +1000 evp: fix coverity 1472682: argument cannot be negative Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14620) commit 89f7ea045be346ecd9085804a429bb4842843344 Author: Pauli Date: Fri Mar 19 14:49:42 2021 +1000 test: fix coverity 1473234 & 1473239: argument cannot be negative Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/14620) --- Summary of changes: crypto/dh/dh_pmeth.c | 9 + crypto/evp/e_cast.c | 6 +- crypto/evp/e_rc4.c | 6 +- crypto/evp/e_rc4_hmac_md5.c | 6 +- crypto/evp/evp_enc.c | 7 --- providers/implementations/keymgmt/ec_kmgmt.c | 6 +++--- test/dhtest.c| 4 ++-- 7 files changed, 29 insertions(+), 15 deletions(-) diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c index 584a174ae2..affe40a53c 100644 --- a/crypto/dh/dh_pmeth.c +++ b/crypto/dh/dh_pmeth.c @@ -463,10 +463,11 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key, if (*keylen != dctx->kdf_outlen) return 0; ret = 0; -Zlen = DH_size(dh); -Z = OPENSSL_malloc(Zlen); -if (Z == NULL) { -goto err; +if ((Zlen = DH_size(dh)) <= 0) +return 0; +if ((Z = OPENSSL_malloc(Zlen)) == NULL) { +ERR_raise(ERR_LIB_DH, ERR_R_MALLOC_FAILURE); +return 0; } if (DH_compute_key_padded(Z, dhpubbn, dh) <= 0) goto err; diff --git a/crypto/evp/e_cast.c b/crypto/evp/e_cast.c index 8325a5f8d2..883030224b 100644 --- a/crypto/evp/e_cast.c +++ b/crypto/evp/e_cast.c @@ -40,7 +40,11 @@ IMPLEMENT_BLOCK_CIPHER(cast5, ks, CAST, EVP_CAST_KEY, static int cast_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { -CAST_set_key(&data(ctx)->ks, EVP_CIPHER_CTX_key_length(ctx), key); +int keylen = EVP_CIPHER_CTX_key_length(ctx); + +if (keylen <= 0) +return 0; +CAST_set_key(&data(ctx)->ks, keylen, key); return 1; } diff --git a/crypto/evp/e_rc4.c b/crypto/evp/e_rc4.c index 10b83aea6d..94107c72c3 100644 --- a/crypto/evp/e_rc4.c +++ b/crypto/evp/e_rc4.c @@ -75,7 +75,11 @@ const EVP_CIPHER *EVP_rc4_40(void) static int rc4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { -RC4_set_key(&data(ctx)->ks, EVP_CIPHER_CTX_key_length(ctx), key); +int keylen; + +if ((keylen = EVP_CIPHER_CTX_key_length(ctx)) <= 0) +return 0; +RC4_set_key(&data(ctx)->ks, keylen, key); return 1; } diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c index 098aa3ee1b..8bc1da6323 100644 --- a/crypto/evp/e_rc4_hmac_md5.c +++ b/crypto
[openssl] master update
The branch master has been updated via 41385f2708d08155d56ce08dce494152e225069e (commit) from 014498fff9ee2e71dfdd82978b8896b05c9c8cb0 (commit) - Log - commit 41385f2708d08155d56ce08dce494152e225069e Author: Richard Levitte Date: Tue Apr 6 15:30:38 2021 +0200 test/recipes/02-test_errstr.t: Do not test negative system error codes It's been deemed unlikely that these will end up in OpenSSL error records, so we simply don't test them if they happen to be among the error codes that perl has support for. Fixes #14763 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14779) --- Summary of changes: test/recipes/02-test_errstr.t | 4 1 file changed, 4 insertions(+) diff --git a/test/recipes/02-test_errstr.t b/test/recipes/02-test_errstr.t index 6bc07f6d65..3bbf530c28 100644 --- a/test/recipes/02-test_errstr.t +++ b/test/recipes/02-test_errstr.t @@ -69,6 +69,10 @@ foreach my $errname (@Errno::EXPORT_OK) { # is to skip this errcode. skip "perl error strings and ssystem error strings for errcode 0 differ", 1 if $errcode == 0; + # On some systems (for example Hurd), there are negative error codes. + # These are currently unsupported in OpenSSL error reports. + skip "negative error codes are not supported in OpenSSL", 1 + if $errcode < 0; &ok(match_syserr_reason($errcode)); }
[openssl] master update
The branch master has been updated via 014498fff9ee2e71dfdd82978b8896b05c9c8cb0 (commit) via 97ef45ea135a7c88bf986a7fad5f2a9d6347f2e6 (commit) from ccf19c23c03ff0355d5008f73b77a0e22ee8ca8c (commit) - Log - commit 014498fff9ee2e71dfdd82978b8896b05c9c8cb0 Author: Pauli Date: Sun Apr 4 18:00:26 2021 +1000 test: fix coverity 1475940: negative return Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14769) commit 97ef45ea135a7c88bf986a7fad5f2a9d6347f2e6 Author: Pauli Date: Sun Apr 4 17:58:32 2021 +1000 test: fix coverity 1475941: resource leak Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14769) --- Summary of changes: test/dhtest.c | 11 +++ 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/test/dhtest.c b/test/dhtest.c index 836d800c29..189b5ae13f 100644 --- a/test/dhtest.c +++ b/test/dhtest.c @@ -249,16 +249,18 @@ static int dh_computekey_range_test(void) || !TEST_true(DH_set0_pqg(dh, p, q, g))) goto err; p = q = g = NULL; -sz = DH_size(dh); -if (!TEST_ptr(buf = OPENSSL_malloc(sz)) +if (!TEST_int_gt(sz = DH_size(dh), 0) +|| !TEST_ptr(buf = OPENSSL_malloc(sz)) || !TEST_ptr(pub = BN_new()) || !TEST_ptr(priv = BN_new())) goto err; if (!TEST_true(BN_set_word(priv, 1)) -|| !TEST_true(DH_set0_key(dh, NULL, priv)) -|| !TEST_true(BN_set_word(pub, 1))) +|| !TEST_true(DH_set0_key(dh, NULL, priv))) +goto err; +priv = NULL; +if (!TEST_true(BN_set_word(pub, 1))) goto err; /* Given z = pub ^ priv mod p */ @@ -282,6 +284,7 @@ static int dh_computekey_range_test(void) ret = 1; err: OPENSSL_free(buf); +BN_free(priv); BN_free(pub); BN_free(g); BN_free(q);
[openssl] master update
The branch master has been updated via ccf19c23c03ff0355d5008f73b77a0e22ee8ca8c (commit) from 44e82b813fbec93664fa355a65024a56f6eb82d7 (commit) - Log - commit ccf19c23c03ff0355d5008f73b77a0e22ee8ca8c Author: Pauli Date: Tue Apr 6 10:23:12 2021 +1000 Disallow ASN.1 enumerated types to be treated as strings. They are actually integers. Problem reported by: Scott McPeak Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14774) --- Summary of changes: crypto/asn1/tasn_dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c index 0987c2ece3..00a76cc825 100644 --- a/crypto/asn1/tasn_dec.c +++ b/crypto/asn1/tasn_dec.c @@ -66,7 +66,7 @@ static const unsigned long tag2bit[32] = { /* tags 4- 7 */ B_ASN1_OCTET_STRING, 0, 0, B_ASN1_UNKNOWN, /* tags 8-11 */ -B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, +B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, 0, B_ASN1_UNKNOWN, /* tags 12-15 */ B_ASN1_UTF8STRING, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, /* tags 16-19 */
[openssl] master update
The branch master has been updated via 44e82b813fbec93664fa355a65024a56f6eb82d7 (commit) via 0bc27f7203258f662a533574d0c6c55fb08166eb (commit) from bec9289143c955b330a8f9ad32f26f3da76e2685 (commit) - Log - commit 44e82b813fbec93664fa355a65024a56f6eb82d7 Author: Pauli Date: Tue Apr 6 12:25:58 2021 +1000 Remove locking in CRYPTO_secure_allocated() The check for being in secure memory is against the arena. The arena is only ever modified by sh_init() and sh_done() and in both cases, it is done without locking. Thus, it is safe for the CRYPTO_secure_allocated() to not lock. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14775) commit 0bc27f7203258f662a533574d0c6c55fb08166eb Author: Pauli Date: Tue Apr 6 12:24:06 2021 +1000 Make the lock in CRYPTO_secure_allocated() a read lock Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14775) --- Summary of changes: crypto/mem_sec.c | 13 ++--- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/crypto/mem_sec.c b/crypto/mem_sec.c index ebc0e557b5..86ff41bf87 100644 --- a/crypto/mem_sec.c +++ b/crypto/mem_sec.c @@ -208,15 +208,14 @@ void CRYPTO_secure_clear_free(void *ptr, size_t num, int CRYPTO_secure_allocated(const void *ptr) { #ifndef OPENSSL_NO_SECURE_MEMORY -int ret; - if (!secure_mem_initialized) return 0; -if (!CRYPTO_THREAD_write_lock(sec_malloc_lock)) -return 0; -ret = sh_allocated(ptr); -CRYPTO_THREAD_unlock(sec_malloc_lock); -return ret; +/* + * Only read accesses to the arena take place in sh_allocated() and this + * is only changed by the sh_init() and sh_done() calls which are not + * locked. Hence, it is safe to make this check without a lock too. + */ +return sh_allocated(ptr); #else return 0; #endif /* OPENSSL_NO_SECURE_MEMORY */
[openssl] master update
The branch master has been updated via bec9289143c955b330a8f9ad32f26f3da76e2685 (commit) from 30573117bbfef0991b522fd0f7c3d4abc5e296cd (commit) - Log - commit bec9289143c955b330a8f9ad32f26f3da76e2685 Author: Fangming.Fang Date: Fri Apr 2 11:17:05 2021 + Fix AES-CBC perf test failure issue As ossl_cipher_generic dosen't support to set key length, and "openssl speed aes-(128|192|256)-cbc" tests fail. A small fix by adding OSSL_CIPHER_PARAM_KEYLEN params. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14777) --- Summary of changes: providers/implementations/ciphers/ciphercommon.c | 1 + 1 file changed, 1 insertion(+) diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c index 53ecbc9012..73d39ad1eb 100644 --- a/providers/implementations/ciphers/ciphercommon.c +++ b/providers/implementations/ciphers/ciphercommon.c @@ -97,6 +97,7 @@ CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_END(ossl_cipher_generic) CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_START(ossl_cipher_generic) OSSL_PARAM_uint(OSSL_CIPHER_PARAM_TLS_VERSION, NULL), OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE, NULL), +OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL), CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_END(ossl_cipher_generic) /*
[openssl] master update
The branch master has been updated via 30573117bbfef0991b522fd0f7c3d4abc5e296cd (commit) from 1ac64327dfd8d20072a34e73116ab222d77a24d0 (commit) - Log - commit 30573117bbfef0991b522fd0f7c3d4abc5e296cd Author: Nan Xiao Date: Tue Apr 6 16:14:46 2021 +0800 Fix typo in store_meth.c CLA: trivial Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14776) --- Summary of changes: crypto/store/store_meth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/store/store_meth.c b/crypto/store/store_meth.c index be78adaab8..a2ab341fe9 100644 --- a/crypto/store/store_meth.c +++ b/crypto/store/store_meth.c @@ -281,7 +281,7 @@ static OSSL_STORE_LOADER *inner_loader_fetch(OSSL_LIB_CTX *libctx, } /* - * If we have been passed neither a scheme_id or a scheme, we have an + * If we have been passed neither a scheme_id nor a scheme, we have an * internal programming error. */ if (!ossl_assert(id != 0 || scheme != NULL)) {
[openssl] master update
The branch master has been updated via 1ac64327dfd8d20072a34e73116ab222d77a24d0 (commit) from 86522324d2a398ad3ed2f648a66b62b0a6176258 (commit) - Log - commit 1ac64327dfd8d20072a34e73116ab222d77a24d0 Author: Nan Xiao Date: Tue Mar 30 16:30:47 2021 +0800 Remove unnecessary setting SSL_MODE_AUTO_RETRY Since SSL_MODE_AUTO_RETRY is enabled by default, no need to set it explicitly. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14742) --- Summary of changes: apps/cmp.c | 2 -- apps/ocsp.c | 1 - apps/s_time.c | 1 - demos/bio/client-arg.c | 3 --- demos/bio/client-conf.c | 3 --- doc/man3/BIO_f_ssl.pod | 4 6 files changed, 14 deletions(-) diff --git a/apps/cmp.c b/apps/cmp.c index 2112df0186..8a996f6dce 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -1191,8 +1191,6 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) if (ssl_ctx == NULL) return NULL; -SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY); - if (opt_tls_trusted != NULL) { trust_store = load_certstore(opt_tls_trusted, opt_otherpass, "trusted TLS certificates", vpm); diff --git a/apps/ocsp.c b/apps/ocsp.c index bd509d98a7..cd3a3bd695 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -1202,7 +1202,6 @@ OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, BIO_printf(bio_err, "Error creating SSL context.\n"); goto end; } -SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); } resp = (OCSP_RESPONSE *) diff --git a/apps/s_time.c b/apps/s_time.c index 60861642f5..251f16ebc3 100644 --- a/apps/s_time.c +++ b/apps/s_time.c @@ -246,7 +246,6 @@ int s_time_main(int argc, char **argv) if ((ctx = SSL_CTX_new(meth)) == NULL) goto end; -SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_quiet_shutdown(ctx, 1); if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0) goto end; diff --git a/demos/bio/client-arg.c b/demos/bio/client-arg.c index 27c4c98f96..c35b9233a4 100644 --- a/demos/bio/client-arg.c +++ b/demos/bio/client-arg.c @@ -80,9 +80,6 @@ int main(int argc, char **argv) goto end; } -/* Don't want any retries */ -SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); - /* We might want to do other things with ssl here */ BIO_set_conn_hostname(sbio, connect_str); diff --git a/demos/bio/client-conf.c b/demos/bio/client-conf.c index 270df377e7..da6548e6a3 100644 --- a/demos/bio/client-conf.c +++ b/demos/bio/client-conf.c @@ -88,9 +88,6 @@ int main(int argc, char **argv) goto end; } -/* Don't want any retries */ -SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); - /* We might want to do other things with ssl here */ BIO_set_conn_hostname(sbio, connect_str); diff --git a/doc/man3/BIO_f_ssl.pod b/doc/man3/BIO_f_ssl.pod index 8eee317c7a..7ed179e453 100644 --- a/doc/man3/BIO_f_ssl.pod +++ b/doc/man3/BIO_f_ssl.pod @@ -174,9 +174,6 @@ unencrypted example in L. exit(1); } - /* Don't want any retries */ - SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); - /* XXX We might want to do other things with ssl here */ /* An empty host part means the loopback address */ @@ -234,7 +231,6 @@ a client and also echoes the request to standard output. exit(1); } - SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); bbio = BIO_new(BIO_f_buffer()); sbio = BIO_push(bbio, sbio); acpt = BIO_new_accept("4433");
[openssl] master update
The branch master has been updated via 86522324d2a398ad3ed2f648a66b62b0a6176258 (commit) from 581c4b1d5357bdf858a6675ea0b3121731bca5c3 (commit) - Log - commit 86522324d2a398ad3ed2f648a66b62b0a6176258 Author: Sahana Prasad Date: Mon Mar 22 23:44:22 2021 +0100 Adds a new lock to read default_path and uses a strdup() on default_path before using it Fixes #14483 Signed-off-by: Sahana Prasad Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14650) --- Summary of changes: crypto/provider_core.c | 25 - 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/crypto/provider_core.c b/crypto/provider_core.c index 632ea72a5d..ac094f0bdd 100644 --- a/crypto/provider_core.c +++ b/crypto/provider_core.c @@ -114,6 +114,7 @@ static int ossl_provider_cmp(const OSSL_PROVIDER * const *a, struct provider_store_st { STACK_OF(OSSL_PROVIDER) *providers; +CRYPTO_RWLOCK *default_path_lock; CRYPTO_RWLOCK *lock; char *default_path; unsigned int use_fallbacks:1; @@ -140,6 +141,7 @@ static void provider_store_free(void *vstore) return; OPENSSL_free(store->default_path); sk_OSSL_PROVIDER_pop_free(store->providers, provider_deactivate_free); +CRYPTO_THREAD_lock_free(store->default_path_lock); CRYPTO_THREAD_lock_free(store->lock); OPENSSL_free(store); } @@ -151,6 +153,7 @@ static void *provider_store_new(OSSL_LIB_CTX *ctx) if (store == NULL || (store->providers = sk_OSSL_PROVIDER_new(ossl_provider_cmp)) == NULL +|| (store->default_path_lock = CRYPTO_THREAD_lock_new()) == NULL || (store->lock = CRYPTO_THREAD_lock_new()) == NULL) { provider_store_free(store); return NULL; @@ -461,10 +464,10 @@ int OSSL_PROVIDER_set_default_search_path(OSSL_LIB_CTX *libctx, } } if ((store = get_provider_store(libctx)) != NULL -&& CRYPTO_THREAD_write_lock(store->lock)) { +&& CRYPTO_THREAD_write_lock(store->default_path_lock)) { OPENSSL_free(store->default_path); store->default_path = p; -CRYPTO_THREAD_unlock(store->lock); +CRYPTO_THREAD_unlock(store->default_path_lock); return 1; } OPENSSL_free(p); @@ -513,6 +516,7 @@ static int provider_init(OSSL_PROVIDER *prov) const char *module_path = NULL; char *merged_path = NULL; const char *load_dir = NULL; +char *allocated_load_dir = NULL; struct provider_store_st *store; if ((prov->module = DSO_new()) == NULL) { @@ -521,10 +525,20 @@ static int provider_init(OSSL_PROVIDER *prov) } if ((store = get_provider_store(prov->libctx)) == NULL -|| !CRYPTO_THREAD_read_lock(store->lock)) +|| !CRYPTO_THREAD_read_lock(store->default_path_lock)) goto end; -load_dir = store->default_path; -CRYPTO_THREAD_unlock(store->lock); + +if (store->default_path != NULL) { +allocated_load_dir = OPENSSL_strdup(store->default_path); +CRYPTO_THREAD_unlock(store->default_path_lock); +if (allocated_load_dir == NULL) { +ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); +goto end; +} +load_dir = allocated_load_dir; +} else { +CRYPTO_THREAD_unlock(store->default_path_lock); +} if (load_dir == NULL) { load_dir = ossl_safe_getenv("OPENSSL_MODULES"); @@ -550,6 +564,7 @@ static int provider_init(OSSL_PROVIDER *prov) OPENSSL_free(merged_path); OPENSSL_free(allocated_path); +OPENSSL_free(allocated_load_dir); } if (prov->module != NULL)
[openssl] master update
The branch master has been updated via 581c4b1d5357bdf858a6675ea0b3121731bca5c3 (commit) via 080669804799b2fef788029555ac7b26f3e67881 (commit) from 493e78986f9677c2b321273da51c276b9a8182d8 (commit) - Log - commit 581c4b1d5357bdf858a6675ea0b3121731bca5c3 Author: Pauli Date: Sun Apr 4 13:58:22 2021 +1000 Ensure that the negative flag is correct set for ASN1 integer types. Reported by: Scott McPeak Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14768) commit 080669804799b2fef788029555ac7b26f3e67881 Author: Pauli Date: Sun Apr 4 13:52:06 2021 +1000 Check for integer overflow in i2a_ASN1_OBJECT and error out if found. Problem reported by Scott McPeak Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14768) --- Summary of changes: crypto/asn1/a_int.c | 6 -- crypto/asn1/a_object.c| 12 +--- crypto/asn1/asn1_err.c| 3 ++- crypto/err/openssl.txt| 1 + include/crypto/asn1err.h | 2 +- include/openssl/asn1err.h | 1 + 6 files changed, 18 insertions(+), 7 deletions(-) diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c index 92c58b3418..6774ba627c 100644 --- a/crypto/asn1/a_int.c +++ b/crypto/asn1/a_int.c @@ -308,8 +308,10 @@ ASN1_INTEGER *ossl_c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp, c2i_ibuf(ret->data, &neg, *pp, len); -if (neg) +if (neg != 0) ret->type |= V_ASN1_NEG; +else +ret->type &= ~V_ASN1_NEG; *pp += len; if (a != NULL) @@ -317,7 +319,7 @@ ASN1_INTEGER *ossl_c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp, return ret; err: ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); -if ((a == NULL) || (*a != ret)) +if (a == NULL || *a != ret) ASN1_INTEGER_free(ret); return NULL; } diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c index 6967ab44e8..9d8f48b73c 100644 --- a/crypto/asn1/a_object.c +++ b/crypto/asn1/a_object.c @@ -190,6 +190,10 @@ int i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a) return BIO_write(bp, "NULL", 4); i = i2t_ASN1_OBJECT(buf, sizeof(buf), a); if (i > (int)(sizeof(buf) - 1)) { +if (i > INT_MAX - 1) { /* catch an integer overflow */ +ERR_raise(ERR_LIB_ASN1, ASN1_R_LENGTH_TOO_LONG); +return -1; +} if ((p = OPENSSL_malloc(i + 1)) == NULL) { ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); return -1; @@ -349,9 +353,11 @@ void ASN1_OBJECT_free(ASN1_OBJECT *a) if (a == NULL) return; if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS) { -#ifndef CONST_STRICT/* disable purely for compile-time strict - * const checking. Doing this on a "real" - * compile will cause memory leaks */ +#ifndef CONST_STRICT +/* + * Disable purely for compile-time strict const checking. Doing this + * on a "real" compile will cause memory leaks + */ OPENSSL_free((void*)a->sn); OPENSSL_free((void*)a->ln); #endif diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c index 8957519cb2..af706e638e 100644 --- a/crypto/asn1/asn1_err.c +++ b/crypto/asn1/asn1_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -109,6 +109,7 @@ static const ERR_STRING_DATA ASN1_str_reasons[] = { {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_UTF8STRING), "invalid utf8string"}, {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_VALUE), "invalid value"}, +{ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_LENGTH_TOO_LONG), "length too long"}, {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_LIST_ERROR), "list error"}, {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MIME_NO_CONTENT_TYPE), "mime no content type"}, diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index aed5b72cff..07439f7c4a 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -66,6 +66,7 @@ ASN1_R_INVALID_STRING_TABLE_VALUE:218:invalid string table value ASN1_R_INVALID_UNIVERSALSTRING_LENGTH:133:invalid universalstring length ASN1_R_INVALID_UTF8STRING:134:invalid utf8string ASN1_R_INVALID_VALUE:219:invalid value +ASN1_R_LENGTH_TOO_LONG:231:length too long ASN1_R_LIST_ERROR:188:list error ASN1_R_MIME_NO_CONTENT_TYPE:206:mime no content type ASN1_R_MIME_PARSE_ERROR:207:mime parse error diff --git a/include/crypto/asn1err.h b/include/crypto/asn1err.h index 21800a0ac3..9b623555f8 100644 --