Coverity Scan: Analysis completed for openssl/openssl

2021-11-11 Thread scan-admin


Your request for analysis of openssl/openssl has been completed 
successfully.
The results are available at 
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3DSCVH_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeHvyQ0nCoW6uJA7KDXKjKjeJzfYQu-2FjIxRdum7GNrljDZ9xNRM3r2rxea8JI2-2Bax4w-2BKw9psIMlNHRAO6iafBaKTTg76rcbtEAcrLB4-2Fn3Dc-2FEaRBNlQsEc4Z5YZwtEA6Maztif-2BMO2QCnx0rlg-2BELC4xN15xXakDOl-2BSgd-2F2ecpvXCAAKDFnBbd9KPcbOsiGk-3D

Build ID: 417305

Analysis Summary:
   New defects found: 0
   Defects eliminated: 0



[openssl] master update

2021-11-11 Thread dev
The branch master has been updated
   via  00cf3a2d30fc7642bf9f816a7c545115985a8c0c (commit)
   via  adbd77f6d7cc4efb7b4bde483036fab8e48ce870 (commit)
  from  b0c1214e1e82bc4c98eadd11d368b4ba9ffa202c (commit)


- Log -
commit 00cf3a2d30fc7642bf9f816a7c545115985a8c0c
Author: Dr. David von Oheimb 
Date:   Tue Aug 24 09:31:53 2021 +0200

25-test_req.t: Add systematic SKID+AKID tests for self-issued (incl. 
self-signed) certs

Reviewed-by: Viktor Dukhovni 
Reviewed-by: Tomas Mraz 
Reviewed-by: Dmitry Belyavskiy 
(Merged from https://github.com/openssl/openssl/pull/16342)

commit adbd77f6d7cc4efb7b4bde483036fab8e48ce870
Author: Dr. David von Oheimb 
Date:   Tue Aug 17 23:13:28 2021 +0200

X509: Fix handling of AKID and SKID extensions according to configuration

Fixes #16300

Reviewed-by: Viktor Dukhovni 
Reviewed-by: Tomas Mraz 
Reviewed-by: Dmitry Belyavskiy 
(Merged from https://github.com/openssl/openssl/pull/16342)

---

Summary of changes:
 apps/ca.c   |  11 +++-
 apps/include/apps.h |   1 +
 apps/lib/apps.c |  20 --
 apps/pkcs12.c   |   2 +-
 apps/req.c  |   4 +-
 apps/x509.c |   4 ++
 crypto/x509/v3_akid.c   |  13 ++--
 crypto/x509/v3_conf.c   |  18 -
 doc/man5/x509v3_config.pod  |   1 +
 test/certs/ext-check.csr|  23 ++-
 test/recipes/25-test_req.t  | 157 +---
 test/recipes/tconversion.pl |   3 +-
 12 files changed, 199 insertions(+), 58 deletions(-)

diff --git a/apps/ca.c b/apps/ca.c
index 24883615ed..1e77bf50c5 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1709,7 +1709,16 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 
*x509,
 
 /* Initialize the context structure */
 X509V3_set_ctx(_ctx, selfsign ? ret : x509,
-   ret, req, NULL, X509V3_CTX_REPLACE);
+   ret, NULL /* no need to give req, needed info is in ret */,
+   NULL, X509V3_CTX_REPLACE);
+/* prepare fallback for AKID, but only if issuer cert equals subject cert 
*/
+if (selfsign) {
+if (!X509V3_set_issuer_pkey(_ctx, pkey))
+goto end;
+if (!cert_matches_key(ret, pkey))
+BIO_printf(bio_err,
+   "Warning: Signature key and public key of cert do not 
match\n");
+}
 
 /* Lets add the extensions, if there are any */
 if (ext_sect) {
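Review bot: In the `if (selfsign)` branch a failed `cert_matches_key(ret, pkey)` only prints a warning to bio_err, so do_body goes on to issue a certificate whose signing key differs from its own public key, and nothing in the code says this is intended. If it is deliberate (the companion test commit speaks of self-issued as distinct from self-signed certs, so presumably it is), I would record that next to the check, e.g. `/* not fatal: cert is then self-issued but not self-signed */`. Otherwise an operator who scripts `ca -selfsign` and checks only the exit status gets no signal. The sibling failure path `if (!X509V3_set_issuer_pkey(...)) goto end;` prints nothing itself; whether the `end:` label reports the error queue cannot be seen here, since do_body starts and ends outside the hunk.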
diff --git a/apps/include/apps.h b/apps/include/apps.h
index 9d5db16600..6018a83ca4 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -247,6 +247,7 @@ int x509_req_ctrl_string(X509_REQ *x, const char *value);
 int init_gen_str(EVP_PKEY_CTX **pctx,
  const char *algname, ENGINE *e, int do_param,
  OSSL_LIB_CTX *libctx, const char *propq);
+int cert_matches_key(const X509 *cert, const EVP_PKEY *pkey);
 int do_X509_sign(X509 *x, EVP_PKEY *pkey, const char *md,
  STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx);
 int do_X509_verify(X509 *x, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *vfyopts);
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index b15abac857..82eeaea249 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2224,8 +2224,8 @@ static int adapt_keyid_ext(X509 *cert, X509V3_CTX 
*ext_ctx,
 idx = X509v3_get_ext_by_OBJ(exts, X509_EXTENSION_get_object(new_ext), -1);
 if (idx >= 0) {
 X509_EXTENSION *found_ext = X509v3_get_ext(exts, idx);
-ASN1_OCTET_STRING *data = X509_EXTENSION_get_data(found_ext);
-int disabled = ASN1_STRING_length(data) <= 2; /* config said "none" */
+ASN1_OCTET_STRING *encoded = X509_EXTENSION_get_data(found_ext);
+int disabled = ASN1_STRING_length(encoded) <= 2; /* indicating "none" 
*/
 
 if (disabled) {
 X509_delete_ext(cert, idx);
@@ -2239,6 +2239,16 @@ static int adapt_keyid_ext(X509 *cert, X509V3_CTX 
*ext_ctx,
 return rv;
 }
 
+int cert_matches_key(const X509 *cert, const EVP_PKEY *pkey)
+{
+int match;
+
+ERR_set_mark();
+match = X509_check_private_key(cert, pkey);
+ERR_pop_to_mark();
+return match;
+}
+
 /* Ensure RFC 5280 compliance, adapt keyIDs as needed, and sign the cert info 
*/
 int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const char *md,
  STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx)
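Review bot: cert_matches_key() is added without a comment stating its return contract, and because it runs X509_check_private_key() between ERR_set_mark() and ERR_pop_to_mark(), a 0 result covers both "keys differ" and "keys could not be compared" (for instance a key type mismatch), with the reason discarded. Callers therefore cannot tell the two apart, and the warning added in apps/ca.c will say "do not match" in either case. I would put `/* Return 1 if pkey matches the public key of cert, else 0; errors raised by the check are dropped */` above the definition and repeat it at the prototype added to apps/include/apps.h. The hunk ends inside the do_X509_sign signature, so nothing after it is reviewed here.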
@@ -2254,16 +2264,14 @@ int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const char 
*md,
 goto end;
 
 /*
- * Add default SKID before such that default AKID can make use of it
+ * Add default SKID before AKID such that AKID can make use of it
  * in case the certificate is self-signed
  */
 /* Prevent X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER */
 if (!adapt_keyid_ext(cert, 

[openssl] master update

2021-11-11 Thread tomas
The branch master has been updated
   via  b0c1214e1e82bc4c98eadd11d368b4ba9ffa202c (commit)
  from  8f9842fd03945d9484dcc9e5fab37dce7caa5f50 (commit)


- Log -
commit b0c1214e1e82bc4c98eadd11d368b4ba9ffa202c
Author: Job Snijders 
Date:   Tue Nov 9 19:30:28 2021 +

Add OID for RPKI id-ct-ASPA

References: draft-ietf-sidrops-aspa-profile
"A Profile for Autonomous System Provider Authorization" (ASPA)

OID permanently assigned under 'SMI Security for S/MIME CMS Content Type 
(1.2.840.113549.1.9.16.1)'

https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1

CLA: trivial

Reviewed-by: Matt Caswell 
Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/17002)

---

Summary of changes:
 crypto/objects/obj_dat.h   | 15 ++-
 crypto/objects/obj_mac.num |  1 +
 crypto/objects/objects.txt |  1 +
 fuzz/oids.txt  |  1 +
 include/openssl/obj_mac.h  |  4 
 5 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
index ed9debf890..643646be19 100644
--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
@@ -10,7 +10,7 @@
  */
 
 /* Serialized OID's */
-static const unsigned char so[8092] = {
+static const unsigned char so[8103] = {
 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [0] OBJ_rsadsi */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,/* [6] OBJ_pkcs */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02,   /* [   13] OBJ_md2 */
@@ -1117,9 +1117,10 @@ static const unsigned char so[8092] = {
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x30,  /* [ 8064] 
OBJ_id_ct_signedChecklist */
 0x2A,0x81,0x1C,0xCF,0x55,0x01,0x68,0x08,   /* [ 8075] OBJ_sm4_gcm */
 0x2A,0x81,0x1C,0xCF,0x55,0x01,0x68,0x09,   /* [ 8083] OBJ_sm4_ccm */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x31,  /* [ 8091] 
OBJ_id_ct_ASPA */
 };
 
-#define NUM_NID 1250
+#define NUM_NID 1251
 static const ASN1_OBJECT nid_objs[NUM_NID] = {
 {"UNDEF", "undefined", NID_undef},
 {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, [0]},
@@ -2371,9 +2372,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
 {"id-ct-signedChecklist", "id-ct-signedChecklist", 
NID_id_ct_signedChecklist, 11, [8064]},
 {"SM4-GCM", "sm4-gcm", NID_sm4_gcm, 8, [8075]},
 {"SM4-CCM", "sm4-ccm", NID_sm4_ccm, 8, [8083]},
+{"id-ct-ASPA", "id-ct-ASPA", NID_id_ct_ASPA, 11, [8091]},
 };
 
-#define NUM_SN 1241
+#define NUM_SN 1242
 static const unsigned int sn_objs[NUM_SN] = {
  364,/* "AD_DVCS" */
  419,/* "AES-128-CBC" */
@@ -2986,6 +2988,7 @@ static const unsigned int sn_objs[NUM_SN] = {
  327,/* "id-cmc-statusInfo" */
  331,/* "id-cmc-transactionId" */
 1238,/* "id-cp" */
+1250,/* "id-ct-ASPA" */
  787,/* "id-ct-asciiTextWithCRLF" */
 1246,/* "id-ct-geofeedCSVwithCRLF" */
 1237,/* "id-ct-resourceTaggedAttest" */
@@ -3618,7 +3621,7 @@ static const unsigned int sn_objs[NUM_SN] = {
 1093,/* "x509ExtAdmission" */
 };
 
-#define NUM_LN 1241
+#define NUM_LN 1242
 static const unsigned int ln_objs[NUM_LN] = {
  363,/* "AD Time Stamping" */
  405,/* "ANSI X9.62" */
@@ -4247,6 +4250,7 @@ static const unsigned int ln_objs[NUM_LN] = {
  327,/* "id-cmc-statusInfo" */
  331,/* "id-cmc-transactionId" */
 1238,/* "id-cp" */
+1250,/* "id-ct-ASPA" */
  787,/* "id-ct-asciiTextWithCRLF" */
 1246,/* "id-ct-geofeedCSVwithCRLF" */
 1237,/* "id-ct-resourceTaggedAttest" */
@@ -4863,7 +4867,7 @@ static const unsigned int ln_objs[NUM_LN] = {
  125,/* "zlib compression" */
 };
 
-#define NUM_OBJ 1112
+#define NUM_OBJ 1113
 static const unsigned int obj_objs[NUM_OBJ] = {
0,/* OBJ_undef0 */
  181,/* OBJ_iso  1 */
@@ -5906,6 +5910,7 @@ static const unsigned int obj_objs[NUM_OBJ] = {
 1237,/* OBJ_id_ct_resourceTaggedAttest   1 2 840 113549 1 9 16 1 36 */
 1246,/* OBJ_id_ct_geofeedCSVwithCRLF 1 2 840 113549 1 9 16 1 47 */
 1247,/* OBJ_id_ct_signedChecklist1 2 840 113549 1 9 16 1 48 */
+1250,/* OBJ_id_ct_ASPA   1 2 840 113549 1 9 16 1 49 */
  212,/* OBJ_id_smime_aa_receiptRequest   1 2 840 113549 1 9 16 2 1 */
  213,/* OBJ_id_smime_aa_securityLabel1 2 840 113549 1 9 16 2 2 */
  214,/* OBJ_id_smime_aa_mlExpandHistory  1 2 840 113549 1 9 16 2 3 */
diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
index f20dbba312..14869e582b 100644
--- a/crypto/objects/obj_mac.num
+++ b/crypto/objects/obj_mac.num
@@ -1247,3 +1247,4 @@ id_ct_geofeedCSVwithCRLF  1246
 

[openssl] master update

2021-11-11 Thread tomas
The branch master has been updated
   via  8f9842fd03945d9484dcc9e5fab37dce7caa5f50 (commit)
  from  90c311315c15a4fea895fd317d9c8fe801ba04a0 (commit)


- Log -
commit 8f9842fd03945d9484dcc9e5fab37dce7caa5f50
Author: Anton Blanchard 
Date:   Tue Mar 12 16:03:56 2019 +1100

sha/asm/keccak1600-ppc64.pl: Load data in 8 byte chunks on little endian

We currently load data byte by byte in order to byteswap it on big
endian. On little endian we can just do 8 byte loads.

A SHAKE128 benchmark runs 10% faster on POWER9 with this patch applied.

Reviewed-by: Paul Dale 
Reviewed-by: Tomas Mraz 
(Merged from https://github.com/openssl/openssl/pull/8455)

---

Summary of changes:
 crypto/sha/asm/keccak1600-ppc64.pl | 69 +++---
 1 file changed, 42 insertions(+), 27 deletions(-)

diff --git a/crypto/sha/asm/keccak1600-ppc64.pl 
b/crypto/sha/asm/keccak1600-ppc64.pl
index 83f8d8ef33..bff0d78585 100755
--- a/crypto/sha/asm/keccak1600-ppc64.pl
+++ b/crypto/sha/asm/keccak1600-ppc64.pl
@@ -51,6 +51,16 @@ if ($flavour =~ /64/) {
$PUSH   ="std";
 } else { die "nonsense $flavour"; }
 
+$LITTLE_ENDIAN = ($flavour=~/le$/) ? 1 : 0;
+
+if ($LITTLE_ENDIAN) {
+   $DWORD_LE_LOAD = "ldu   r0,8(r3)";
+   $LE_LOAD_SIZE = "8";
+} else {
+   $DWORD_LE_LOAD = "bldword_le_load";
+   $LE_LOAD_SIZE = "1";
+}
+
 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
 ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
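Review bot: Nothing in the new `if ($LITTLE_ENDIAN)` block records that the little-endian path now reads the caller's input with 8-byte `ldu r0,8(r3)` loads at whatever alignment that pointer has, where the bytewise helper made no alignment assumption. A short comment above the block would make this explicit, e.g. `# LE: input may be unaligned; relies on the CPU handling unaligned 8-byte loads`. Whether every target that matches `/le$/` tolerates this is not visible from the patch and is worth confirming. The choice is also made at generation time from `$flavour` alone, so the comment should say that the suffix is the only switch. The loads themselves are emitted in SHA3_absorb, in later hunks.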
@@ -384,7 +394,9 @@ KeccakF1600:
.byte   0,12,4,1,0x80,18,1,0
.long   0
 .size  KeccakF1600,.-KeccakF1600
-
+___
+if (!$LITTLE_ENDIAN) {
+$code.=<<___;
 .type  dword_le_load,\@function
 .align 5
 dword_le_load:
@@ -408,7 +420,10 @@ dword_le_load:
.byte   0,12,0x14,0,0,0,1,0
.long   0
 .size  dword_le_load,.-dword_le_load
+___
+}
 
+$code.=<<___;
 .globl SHA3_absorb
 .type  SHA3_absorb,\@function
 .align 5
@@ -436,7 +451,7 @@ SHA3_absorb:
$PUSH   r0,`$FRAME+$LRSAVE`($sp)
 
bl  PICmeup
-   subir4,r4,1 ; prepare for lbzu
+   subir4,r4,$LE_LOAD_SIZE ; prepare for ldu or lbzu
subir12,r12,8   ; prepare for ldu
 
$PUSH   r3,`$LOCALS+0*$SIZE_T`($sp) ; save A[][]
@@ -487,79 +502,79 @@ SHA3_absorb:
srwir5,r5,3
$PUSH   r4,`$LOCALS+2*$SIZE_T`($sp) ; save len
mtctr   r5
-   bl  dword_le_load   ; *inp++
+   $DWORD_LE_LOAD  ; *inp++
xor $A[0][0],$A[0][0],r0
bdz .Lprocess_block
-   bl  dword_le_load   ; *inp++
+   $DWORD_LE_LOAD  ; *inp++
xor $A[0][1],$A[0][1],r0
bdz .Lprocess_block
-   bl  dword_le_load   ; *inp++
+   $DWORD_LE_LOAD  ; *inp++
xor $A[0][2],$A[0][2],r0
bdz .Lprocess_block
-   bl  dword_le_load   ; *inp++
+   $DWORD_LE_LOAD  ; *inp++
xor $A[0][3],$A[0][3],r0
bdz .Lprocess_block
-   bl  dword_le_load   ; *inp++
+   $DWORD_LE_LOAD  ; *inp++
xor $A[0][4],$A[0][4],r0
bdz .Lprocess_block
-   bl  dword_le_load   ; *inp++
+   $DWORD_LE_LOAD  ; *inp++
xor $A[1][0],$A[1][0],r0
bdz .Lprocess_block
-   bl  dword_le_load   ; *inp++
+   $DWORD_LE_LOAD  ; *inp++
xor $A[1][1],$A[1][1],r0
bdz .Lprocess_block
-   bl  dword_le_load   ; *inp++
+   $DWORD_LE_LOAD  ; *inp++
xor $A[1][2],$A[1][2],r0
bdz .Lprocess_block
-   bl  dword_le_load   ; *inp++
+   $DWORD_LE_LOAD  ; *inp++
xor $A[1][3],$A[1][3],r0
bdz .Lprocess_block
-   bl  dword_le_load   ; *inp++
+   $DWORD_LE_LOAD  ; *inp++
xor $A[1][4],$A[1][4],r0
bdz .Lprocess_block
-   bl  dword_le_load   ; *inp++
+   $DWORD_LE_LOAD  ; *inp++
xor $A[2][0],$A[2][0],r0
bdz .Lprocess_block
-   bl  dword_le_load   ; *inp++
+   $DWORD_LE_LOAD  ; *inp++
xor $A[2][1],$A[2][1],r0
bdz .Lprocess_block
-   bl  dword_le_load   ; *inp++
+   $DWORD_LE_LOAD  ; *inp++
xor $A[2][2],$A[2][2],r0
bdz