Coverity Scan: Analysis completed for openssl/openssl
Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3De1qS_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeEvfGJxN9PpwwOEGHVpy4CbQmJFoZebvfYriEed6QmkCYEMYvmPHO-2BMc1zsj-2FIOjjIjo-2Fea6WoAmz2CgF6CncjalIxVGKwDDaDpMcPJqZARq0kfhyRSYczHiQiKt0PhqeXReBM-2FXrWEzhFTv83f6mKigGAAbhyVLAqKxW3gDuppCryCkhZfWeqJ2Gkpd-2Ba-2Bluc-3D Build ID: 427325 Analysis Summary: New defects found: 0 Defects eliminated: 0
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 8e5ba8d0be7410fb784d5895d97dcc23d6266715 (commit) via f1c7b44ebb826ba89f5b74ae455d7e03dbe98642 (commit) from d0bfe6dc399e7071b660160d3470a050f0240013 (commit) - Log - commit 8e5ba8d0be7410fb784d5895d97dcc23d6266715 Author: Pauli Date: Tue Jan 4 10:52:52 2022 +1100 Revert "property: use a stack to efficiently convert index to string" This reverts commit e4a32f209ce6dcb380a7dc8c10a42946345ff38f. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/17403) commit f1c7b44ebb826ba89f5b74ae455d7e03dbe98642 Author: Pauli Date: Tue Jan 4 10:52:49 2022 +1100 Revert "test: add some unit tests for the property to string functions" This reverts commit e1436d54b9de5012d1716212c7329e46cf21a24a. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/17403) --- Summary of changes: crypto/property/property_string.c | 114 +- test/property_test.c | 61 ++-- 2 files changed, 78 insertions(+), 97 deletions(-) diff --git a/crypto/property/property_string.c b/crypto/property/property_string.c index 6c61bfbbb2..38deab5af0 100644 --- a/crypto/property/property_string.c +++ b/crypto/property/property_string.c @@ -40,8 +40,6 @@ typedef struct { PROP_TABLE *prop_values; OSSL_PROPERTY_IDX prop_name_idx; OSSL_PROPERTY_IDX prop_value_idx; -STACK_OF(OPENSSL_CSTRING) *prop_namelist; -STACK_OF(OPENSSL_CSTRING) *prop_valuelist; } PROPERTY_STRING_DATA; static unsigned long property_hash(const PROPERTY_STRING *a) @@ -80,9 +78,6 @@ static void property_string_data_free(void *vpropdata) CRYPTO_THREAD_lock_free(propdata->lock); property_table_free(>prop_names); property_table_free(>prop_values); -sk_OPENSSL_CSTRING_free(propdata->prop_namelist); -sk_OPENSSL_CSTRING_free(propdata->prop_valuelist); -propdata->prop_namelist = propdata->prop_valuelist = NULL; propdata->prop_name_idx = propdata->prop_value_idx = 0; OPENSSL_free(propdata); 
@@ -95,21 +90,24 @@ static void *property_string_data_new(OSSL_LIB_CTX *ctx) { return NULL; propdata->lock = CRYPTO_THREAD_lock_new(); +if (propdata->lock == NULL) +goto err; + propdata->prop_names = lh_PROPERTY_STRING_new(_hash, _cmp); +if (propdata->prop_names == NULL) +goto err; + propdata->prop_values = lh_PROPERTY_STRING_new(_hash, _cmp); -propdata->prop_namelist = sk_OPENSSL_CSTRING_new_null(); -propdata->prop_valuelist = sk_OPENSSL_CSTRING_new_null(); -if (propdata->lock == NULL -|| propdata->prop_names == NULL -|| propdata->prop_values == NULL -|| propdata->prop_namelist == NULL -|| propdata->prop_valuelist == NULL) { -property_string_data_free(propdata); -return NULL; -} +if (propdata->prop_values == NULL) +goto err; + return propdata; + +err: +property_string_data_free(propdata); +return NULL; } static const OSSL_LIB_CTX_METHOD property_string_data_method = { 
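Review bot: The new `err:` path hands a partly built `propdata` to property_string_data_free(), which is safe only if the struct was zero-filled when allocated and the lock and table free helpers accept NULL members. The allocation sits above this hunk and is not visible, so this is an assumption to confirm. If it holds, a comment at the label such as `/* propdata is zero-filled: members not created yet are NULL and safe to free */` would record the invariant that all three `goto err` sites rely on.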
@@ -136,65 +134,57 @@ static PROPERTY_STRING *new_property_string(const char *s, return ps; } -static OSSL_PROPERTY_IDX ossl_property_string(OSSL_LIB_CTX *ctx, int name, - int create, const char *s) +static OSSL_PROPERTY_IDX ossl_property_string(CRYPTO_RWLOCK *lock, + PROP_TABLE *t, + OSSL_PROPERTY_IDX *pidx, + const char *s) { PROPERTY_STRING p, *ps, *ps_new; -PROP_TABLE *t; -STACK_OF(OPENSSL_CSTRING) *slist; -OSSL_PROPERTY_IDX *pidx; -PROPERTY_STRING_DATA *propdata -= ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_PROPERTY_STRING_INDEX, -_string_data_method); -if (propdata == NULL) -return 0; - -t = name ? propdata->prop_names : propdata->prop_values; p.s = s; -if (!CRYPTO_THREAD_read_lock(propdata->lock)) { +if (!CRYPTO_THREAD_read_lock(lock)) { ERR_raise(ERR_LIB_CRYPTO, ERR_R_UNABLE_TO_GET_READ_LOCK); return 0; } ps = lh_PROPERTY_STRING_retrieve(t, ); -if (ps == NULL && create) { -CRYPTO_THREAD_unlock(propdata->lock); -if (!CRYPTO_THREAD_write_lock(propdata->lock)) { +if (ps == NULL && pidx != NULL) { +CRYPTO_THREAD_unlock(lock); +if (!CRYPTO_THREAD_write_lock(lock)) { ERR_raise(ERR_LIB_CRYPTO, ERR_R_UNABLE_TO_GET_WRITE_LOCK); return 0; } -pidx = name ? >prop_name_idx :
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via d0bfe6dc399e7071b660160d3470a050f0240013 (commit) from 5135551613f134d39fe34442d08b38d5221175b9 (commit) - Log - commit d0bfe6dc399e7071b660160d3470a050f0240013 Author: Matt Caswell Date: Wed Dec 29 13:42:58 2021 + Validate the category in OSSL_trace_end() OSSL_trace_end() should validate that the category it has been passed by the caler is valid, and return immediately if not. Fixes #17353 Reviewed-by: Tomas Mraz Reviewed-by: Tim Hudson Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17371) (cherry picked from commit ee8a61e158c42c327c3303101083422b9a7cc504) --- Summary of changes: crypto/trace.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/trace.c b/crypto/trace.c index f012b617ab..cc0b477698 100644 --- a/crypto/trace.c +++ b/crypto/trace.c @@ -496,6 +496,8 @@ void OSSL_trace_end(int category, BIO * channel) char *suffix = NULL; category = ossl_trace_get_category(category); +if (category < 0) +return; suffix = trace_channels[category].suffix; if (channel != NULL && ossl_assert(channel == current_channel)) {
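Review bot: A call that passes a live `channel` together with a rejected category now leaves at the added `if (category < 0) return;` before the `channel != NULL` block runs, so whatever that block undoes stays pending. The block's body is outside the hunk, so this is inferred rather than shown. A comment on the guard, e.g. `/* invalid category: nothing was begun for it, and trace_channels[] must not be indexed */`, would state the assumption. It is also worth confirming that ossl_trace_get_category() returns a negative value for categories above the table size as well as below it. The master update for commit ee8a61e158c42c327c3303101083422b9a7cc504 carries the same hunk.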
[openssl] master update
The branch master has been updated via ee8a61e158c42c327c3303101083422b9a7cc504 (commit) from 0088ef48c3e7d9c68e5b3c75cb077da601d22f37 (commit) - Log - commit ee8a61e158c42c327c3303101083422b9a7cc504 Author: Matt Caswell Date: Wed Dec 29 13:42:58 2021 + Validate the category in OSSL_trace_end() OSSL_trace_end() should validate that the category it has been passed by the caler is valid, and return immediately if not. Fixes #17353 Reviewed-by: Tomas Mraz Reviewed-by: Tim Hudson Reviewed-by: Matthias St. Pierre Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17371) --- Summary of changes: crypto/trace.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/trace.c b/crypto/trace.c index f012b617ab..cc0b477698 100644 --- a/crypto/trace.c +++ b/crypto/trace.c @@ -496,6 +496,8 @@ void OSSL_trace_end(int category, BIO * channel) char *suffix = NULL; category = ossl_trace_get_category(category); +if (category < 0) +return; suffix = trace_channels[category].suffix; if (channel != NULL && ossl_assert(channel == current_channel)) {
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 4623700d4eaaa250b49032768be2e97a147f3a1e (commit) from e5050aa1bbce84e359bfd35de60dd745627e8d41 (commit) - Log - commit 4623700d4eaaa250b49032768be2e97a147f3a1e Author: Dr. David von Oheimb Date: Fri Dec 3 15:18:07 2021 +0100 OBJ_obj2txt(): fix off-by-one documentation of the result This backports the doc improvements of #17188. Reviewed-by: Tomas Mraz (cherry picked from commit e36d10925396b6519e1abd338e1ef62cd5b1c9e6) --- Summary of changes: doc/man3/OBJ_nid2obj.pod | 32 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/doc/man3/OBJ_nid2obj.pod b/doc/man3/OBJ_nid2obj.pod index 74379ad817..81e57154f1 100644 --- a/doc/man3/OBJ_nid2obj.pod +++ b/doc/man3/OBJ_nid2obj.pod @@ -68,13 +68,15 @@ If I is 0 then long names and short names will be interpreted as well as numerical forms. If I is 1 only the numerical form is acceptable. -OBJ_obj2txt() converts the B B into a textual representation. -The representation is written as a null terminated string to B -at most B bytes are written, truncating the result if necessary. -The total amount of space required is returned. If B is 0 then -if the object has a long or short name then that will be used, otherwise -the numerical form will be used. If B is 1 then the numerical -form will always be used. +OBJ_obj2txt() converts the B I into a textual representation. +Unless I is NULL, +the representation is written as a NUL-terminated string to I, where +at most I bytes are written, truncating the result if necessary. +In any case it returns the total string length, excluding the NUL character, +required for non-truncated representation, or -1 on error. +If I is 0 then if the object has a long or short name +then that will be used, otherwise the numerical form will be used. +If I is 1 then the numerical form will always be used. i2t_ASN1_OBJECT() is the same as OBJ_obj2txt() with the I set to zero. 
@@ -141,6 +143,13 @@ on error. OBJ_obj2nid(), OBJ_ln2nid(), OBJ_sn2nid() and OBJ_txt2nid() return a NID or B on error. +OBJ_add_sigid() returns 1 on success or 0 on error. + +i2t_ASN1_OBJECT() an OBJ_obj2txt() return -1 on error. +On success, they return the length of the string written to I if I is +not NULL and I is big enough, otherwise the total string length. +Note that this does not count the trailing NUL character. + =head1 EXAMPLES Create an object for B: @@ -161,15 +170,6 @@ Create a new object directly: obj = OBJ_txt2obj("1.2.3.4", 1); -=head1 BUGS - -OBJ_obj2txt() is awkward and messy to use: it doesn't follow the -convention of other OpenSSL functions where the buffer can be set -to B to determine the amount of data that should be written. -Instead B must point to a valid buffer and B should -be set to a positive value. A buffer length of 80 should be more -than enough to handle any OID encountered in practice. - =head1 SEE ALSO L
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 5135551613f134d39fe34442d08b38d5221175b9 (commit) from 5f0b3ef025e13522572c65f683ea5b649b0142b9 (commit) - Log - commit 5135551613f134d39fe34442d08b38d5221175b9 Author: Dr. David von Oheimb Date: Mon Jan 3 13:40:55 2022 +0100 Update troublesome copyright years of auto-generated files to 2022 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17398) (cherry picked from commit 0088ef48c3e7d9c68e5b3c75cb077da601d22f37) --- Summary of changes: crypto/asn1/charmap.h | 2 +- crypto/bn/bn_prime.h | 2 +- crypto/conf/conf_def.h| 2 +- crypto/objects/obj_dat.h | 2 +- crypto/objects/obj_xref.h | 2 +- fuzz/oids.txt | 2 +- include/openssl/obj_mac.h | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/crypto/asn1/charmap.h b/crypto/asn1/charmap.h index ac1eb076cc..95928ca663 100644 --- a/crypto/asn1/charmap.h +++ b/crypto/asn1/charmap.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/asn1/charmap.pl * - * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bn/bn_prime.h b/crypto/bn/bn_prime.h index 8a859ac02e..d92f6dfa69 100644 --- a/crypto/bn/bn_prime.h +++ b/crypto/bn/bn_prime.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/bn/bn_prime.pl * - * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/conf/conf_def.h b/crypto/conf/conf_def.h index 1f66a58e09..e5321bd30d 100644 --- a/crypto/conf/conf_def.h +++ b/crypto/conf/conf_def.h 
@@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/conf/keysets.pl * - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index 5d638fb05d..59d156117a 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/obj_dat.pl * - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h index 21a193ee98..c08b5fc2ab 100644 --- a/crypto/objects/obj_xref.h +++ b/crypto/objects/obj_xref.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by objxref.pl * - * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/fuzz/oids.txt b/fuzz/oids.txt index f0dbc30fc3..36c79212bb 100644 --- a/fuzz/oids.txt +++ b/fuzz/oids.txt 
@@ -1,7 +1,7 @@ # WARNING: do not edit! # Generated by fuzz/mkfuzzoids.pl # -# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h index 0e86027667..edbd98b152 100644 --- a/include/openssl/obj_mac.h +++ b/include/openssl/obj_mac.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/objects.pl * - * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at
[openssl] master update
The branch master has been updated via 0088ef48c3e7d9c68e5b3c75cb077da601d22f37 (commit) from b6144bb8c1be63935ae09e1992c04fbe6e0f88a8 (commit) - Log - commit 0088ef48c3e7d9c68e5b3c75cb077da601d22f37 Author: Dr. David von Oheimb Date: Mon Jan 3 13:40:55 2022 +0100 Update troublesome copyright years of auto-generated files to 2022 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17398) --- Summary of changes: crypto/asn1/charmap.h | 2 +- crypto/bn/bn_prime.h | 2 +- crypto/conf/conf_def.h| 2 +- crypto/objects/obj_dat.h | 2 +- crypto/objects/obj_xref.h | 2 +- fuzz/oids.txt | 2 +- include/openssl/obj_mac.h | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/crypto/asn1/charmap.h b/crypto/asn1/charmap.h index ac1eb076cc..95928ca663 100644 --- a/crypto/asn1/charmap.h +++ b/crypto/asn1/charmap.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/asn1/charmap.pl * - * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bn/bn_prime.h b/crypto/bn/bn_prime.h index 8a859ac02e..d92f6dfa69 100644 --- a/crypto/bn/bn_prime.h +++ b/crypto/bn/bn_prime.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/bn/bn_prime.pl * - * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/conf/conf_def.h b/crypto/conf/conf_def.h index 1f66a58e09..e5321bd30d 100644 --- a/crypto/conf/conf_def.h +++ b/crypto/conf/conf_def.h 
@@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/conf/keysets.pl * - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index 643646be19..3810b307d2 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/obj_dat.pl * - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h index 21a193ee98..c08b5fc2ab 100644 --- a/crypto/objects/obj_xref.h +++ b/crypto/objects/obj_xref.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by objxref.pl * - * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/fuzz/oids.txt b/fuzz/oids.txt index 0f2489ac5f..2d35718ef9 100644 --- a/fuzz/oids.txt +++ b/fuzz/oids.txt 
@@ -1,7 +1,7 @@ # WARNING: do not edit! # Generated by fuzz/mkfuzzoids.pl # -# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h index a9e51d7b38..fb788d43d5 100644 --- a/include/openssl/obj_mac.h +++ b/include/openssl/obj_mac.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/objects.pl * - * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at
[openssl] master update
The branch master has been updated via b6144bb8c1be63935ae09e1992c04fbe6e0f88a8 (commit) from 1d8f18dce1c8ba99693dfaeb1696d625d9f4b7e0 (commit) - Log - commit b6144bb8c1be63935ae09e1992c04fbe6e0f88a8 Author: Dr. David von Oheimb Date: Mon Dec 27 19:14:03 2021 +0100 X509V3_set_ctx(): Improve documentation Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17358) --- Summary of changes: doc/man3/X509V3_set_ctx.pod | 27 +++ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/doc/man3/X509V3_set_ctx.pod b/doc/man3/X509V3_set_ctx.pod index 8287802e41..e86ade211d 100644 --- a/doc/man3/X509V3_set_ctx.pod +++ b/doc/man3/X509V3_set_ctx.pod 
@@ -16,29 +16,32 @@ X509V3_set_issuer_pkey - X.509 v3 extension generation utilities =head1 DESCRIPTION X509V3_set_ctx() fills in the basic fields of I of type B, -providing details potentially needed by functions producing X509 v3 extensions, -e.g., to look up values for filling in authority key identifiers. -Any of I, I, or I may be provided, pointing to a certificate, -certification request, or certificate revocation list, respectively. +providing details potentially needed by functions producing X509 v3 extensions. +These may make use of fields of the certificate I, the certification +request I, or the certificate revocation list I. +At most one of these three parameters can be non-NULL. When constructing the subject key identifier of a certificate by computing a hash value of its public key, the public key is taken from I or I. Similarly, when constructing subject alternative names from any email addresses contained in a subject DN, the subject DN is taken from I or I. -If I or I is provided, I should point to its issuer, -for instance to help generating an authority key identifier extension. -Note that if I is provided, I may be the same as I, -which means that I is self-issued (or even self-signed). +If I or I is provided, I should point to its issuer, for +instance as a reference for generating the authority key identifier extension. +I may be the same pointer value as I (which usually is an +indication that the I certificate is self-issued or even self-signed). +In this case the fallback source for generating the authority key identifier +extension will be taken from any value provided using X509V3_set_issuer_pkey(). 
I may be 0 or contain B, which means that just the syntax of -extension definitions is to be checked without actually producing an extension, +extension definitions is to be checked without actually producing any extension, or B, which means that each X.509v3 extension added as defined in some configuration section shall replace any already existing extension with the same OID. X509V3_set_issuer_pkey() explicitly sets the issuer private key of -the certificate that has been provided in I. -This should be done for self-issued certificates (which may be self-signed -or not) to provide fallback data for the authority key identifier extension. +the subject certificate that has been provided in I. +This should be done in case the I and I arguments to +X509V3_set_ctx() have the same pointer value +to provide fallback data for the authority key identifier extension. =head1 RETURN VALUES
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via 5f0b3ef025e13522572c65f683ea5b649b0142b9 (commit) from e09648323645031c16fdd9eb3e900e2db259e0d0 (commit) - Log - commit 5f0b3ef025e13522572c65f683ea5b649b0142b9 Author: Dr. David von Oheimb Date: Thu Dec 30 09:30:18 2021 +0100 ec.h: Explain use of strstr() for EVP_EC_gen() and add #include Fixes #17362 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17380) (cherry picked from commit 1d8f18dce1c8ba99693dfaeb1696d625d9f4b7e0) --- Summary of changes: include/openssl/ec.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/openssl/ec.h b/include/openssl/ec.h index f59b4f9288..4e65d84c45 100644 --- a/include/openssl/ec.h +++ b/include/openssl/ec.h @@ -20,6 +20,8 @@ # include # include +# include + # ifdef __cplusplus extern "C" { # endif @@ -1548,6 +1550,7 @@ OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_get_verify # define EVP_EC_gen(curve) \ EVP_PKEY_Q_keygen(NULL, NULL, "EC", (char *)(strstr(curve, ""))) +/* strstr is used to enable type checking for the variadic string arg */ # define ECParameters_dup(x) ASN1_dup_of(EC_KEY, i2d_ECParameters, \ d2i_ECParameters, x)
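Review bot: The added comment `/* strstr is used to enable type checking for the variadic string arg */` is placed after the EVP_EC_gen definition and directly above `# define ECParameters_dup`, so it reads as a remark on the following macro. Moving it above `# define EVP_EC_gen(curve)` would tie it to the `strstr(curve, "")` call it explains. The master update for commit 1d8f18dce1c8ba99693dfaeb1696d625d9f4b7e0 carries the same hunk.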
[openssl] master update
The branch master has been updated via 1d8f18dce1c8ba99693dfaeb1696d625d9f4b7e0 (commit) from 352a0bcaab8eda18cce786d2871e8d4ec6f9cbfe (commit) - Log - commit 1d8f18dce1c8ba99693dfaeb1696d625d9f4b7e0 Author: Dr. David von Oheimb Date: Thu Dec 30 09:30:18 2021 +0100 ec.h: Explain use of strstr() for EVP_EC_gen() and add #include Fixes #17362 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17380) --- Summary of changes: include/openssl/ec.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/openssl/ec.h b/include/openssl/ec.h index f59b4f9288..4e65d84c45 100644 --- a/include/openssl/ec.h +++ b/include/openssl/ec.h @@ -20,6 +20,8 @@ # include # include +# include + # ifdef __cplusplus extern "C" { # endif @@ -1548,6 +1550,7 @@ OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_get_verify # define EVP_EC_gen(curve) \ EVP_PKEY_Q_keygen(NULL, NULL, "EC", (char *)(strstr(curve, ""))) +/* strstr is used to enable type checking for the variadic string arg */ # define ECParameters_dup(x) ASN1_dup_of(EC_KEY, i2d_ECParameters, \ d2i_ECParameters, x)
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via e09648323645031c16fdd9eb3e900e2db259e0d0 (commit) from b247bb52b83ce096ab572af5d9525880e142f426 (commit) - Log - commit e09648323645031c16fdd9eb3e900e2db259e0d0 Author: x2018 Date: Mon Nov 29 17:09:36 2021 +0800 Check the return value of ossl_bio_new_from_core_bio() There are missing checks of its return value in 8 different spots. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17154) (cherry picked from commit 352a0bcaab8eda18cce786d2871e8d4ec6f9cbfe) --- Summary of changes: providers/implementations/encode_decode/decode_epki2pki.c | 6 +- providers/implementations/encode_decode/decode_msblob2key.c | 3 +++ providers/implementations/encode_decode/decode_pem2der.c| 6 +- providers/implementations/encode_decode/decode_pvk2key.c| 3 +++ providers/implementations/encode_decode/encode_key2blob.c | 6 +- providers/implementations/encode_decode/encode_key2ms.c | 12 providers/implementations/encode_decode/endecoder_common.c | 5 - 7 files changed, 33 insertions(+), 8 deletions(-) diff --git a/providers/implementations/encode_decode/decode_epki2pki.c b/providers/implementations/encode_decode/decode_epki2pki.c index 66f4ff659d..a997629aaa 100644 --- a/providers/implementations/encode_decode/decode_epki2pki.c +++ b/providers/implementations/encode_decode/decode_epki2pki.c @@ -68,8 +68,12 @@ static int epki2pki_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, PKCS8_PRIV_KEY_INFO *p8inf = NULL; const X509_ALGOR *alg = NULL; BIO *in = ossl_bio_new_from_core_bio(ctx->provctx, cin); -int ok = (asn1_d2i_read_bio(in, ) >= 0); +int ok = 0; +if (in == NULL) +return 0; + +ok = (asn1_d2i_read_bio(in, ) >= 0); BIO_free(in); /* We return "empty handed". This is not an error. */ diff --git a/providers/implementations/encode_decode/decode_msblob2key.c b/providers/implementations/encode_decode/decode_msblob2key.c index 0508e68b32..0445721171 100644 
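Review bot: In epki2pki_decode() the new `int ok = 0;` runs straight into `if (in == NULL)` with no blank line between declarations and statements, and the initialiser is dead because `ok` is assigned on the next statement before anything reads it. The read_pem() hunk in decode_pem2der.c from the same commit uses the tidier form, `int ok;` followed by a blank line and then the guard. Using that form here too would keep the NULL checks uniform across the touched files. The function body continues outside the hunk, and the master update for commit 352a0bcaab8eda18cce786d2871e8d4ec6f9cbfe carries the same hunk.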
--- a/providers/implementations/encode_decode/decode_msblob2key.c +++ b/providers/implementations/encode_decode/decode_msblob2key.c @@ -93,6 +93,9 @@ static int msblob2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, void *key = NULL; int ok = 0; +if (in == NULL) +return 0; + if (BIO_read(in, hdr_buf, 16) != 16) { ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_TOO_SHORT); goto next; diff --git a/providers/implementations/encode_decode/decode_pem2der.c b/providers/implementations/encode_decode/decode_pem2der.c index 6c537d26ae..1d5d30968f 100644 --- a/providers/implementations/encode_decode/decode_pem2der.c +++ b/providers/implementations/encode_decode/decode_pem2der.c @@ -33,7 +33,11 @@ static int read_pem(PROV_CTX *provctx, OSSL_CORE_BIO *cin, unsigned char **data, long *len) { BIO *in = ossl_bio_new_from_core_bio(provctx, cin); -int ok = (PEM_read_bio(in, pem_name, pem_header, data, len) > 0); +int ok; + +if (in == NULL) +return 0; +ok = (PEM_read_bio(in, pem_name, pem_header, data, len) > 0); BIO_free(in); return ok; diff --git a/providers/implementations/encode_decode/decode_pvk2key.c b/providers/implementations/encode_decode/decode_pvk2key.c index 32206fe84d..7169aef2f4 100644 --- a/providers/implementations/encode_decode/decode_pvk2key.c +++ b/providers/implementations/encode_decode/decode_pvk2key.c @@ -88,6 +88,9 @@ static int pvk2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, void *key = NULL; int ok = 0; +if (in == NULL) +return 0; + ctx->selection = selection; if ((selection == 0 diff --git a/providers/implementations/encode_decode/encode_key2blob.c b/providers/implementations/encode_decode/encode_key2blob.c index 19a7d171db..d4cc2e7cdc 100644 --- a/providers/implementations/encode_decode/encode_key2blob.c +++ b/providers/implementations/encode_decode/encode_key2blob.c 
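Review bot: The added `if (in == NULL) return 0;` in msblob2key_decode() fails without queuing an error, while the very next failure in the same function records `PEM_R_KEYBLOB_TOO_SHORT`. Whether ossl_bio_new_from_core_bio() raises its own error is not visible here. If it does not, the caller sees a hard decoder failure with an empty error queue. Either add an `ERR_raise()` before the return or a comment such as `/* ossl_bio_new_from_core_bio() has already raised the error */` once that is confirmed. The pvk2key_decode() hunk in decode_pvk2key.c has the same guard, and in both functions the declaration of `in` lies above the hunk.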
@@ -30,7 +30,11 @@ static int write_blob(void *provctx, OSSL_CORE_BIO *cout, void *data, int len) { BIO *out = ossl_bio_new_from_core_bio(provctx, cout); -int ret = BIO_write(out, data, len); +int ret; + +if (out == NULL) +return 0; +ret = BIO_write(out, data, len); BIO_free(out); return ret; diff --git a/providers/implementations/encode_decode/encode_key2ms.c b/providers/implementations/encode_decode/encode_key2ms.c index 81528fefb6..15077954a4 100644 --- a/providers/implementations/encode_decode/encode_key2ms.c +++ b/providers/implementations/encode_decode/encode_key2ms.c @@ -39,8 +39,11 @@ static int write_msblob(struct key2ms_ctx_st *ctx, OSSL_CORE_BIO *cout,
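Review bot: write_blob() now mixes two return conventions: the new guard returns 0 when the BIO cannot be created, but the normal path still returns the raw BIO_write() result, which is a byte count on success and can be negative on failure. If callers treat the result as a boolean (they are outside this hunk), a failed write would be read as success. Normalising the result, e.g. `ret = (BIO_write(out, data, len) == len);`, would make both failure paths return 0. The master update for commit 352a0bcaab8eda18cce786d2871e8d4ec6f9cbfe carries the same hunk.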
[openssl] master update
The branch master has been updated via 352a0bcaab8eda18cce786d2871e8d4ec6f9cbfe (commit) from 5bea0e2ee9bda4d9be6e88c79f2c1b411bb65351 (commit) - Log - commit 352a0bcaab8eda18cce786d2871e8d4ec6f9cbfe Author: x2018 Date: Mon Nov 29 17:09:36 2021 +0800 Check the return value of ossl_bio_new_from_core_bio() There are missing checks of its return value in 8 different spots. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17154) --- Summary of changes: providers/implementations/encode_decode/decode_epki2pki.c | 6 +- providers/implementations/encode_decode/decode_msblob2key.c | 3 +++ providers/implementations/encode_decode/decode_pem2der.c| 6 +- providers/implementations/encode_decode/decode_pvk2key.c| 3 +++ providers/implementations/encode_decode/encode_key2blob.c | 6 +- providers/implementations/encode_decode/encode_key2ms.c | 12 providers/implementations/encode_decode/endecoder_common.c | 5 - 7 files changed, 33 insertions(+), 8 deletions(-) diff --git a/providers/implementations/encode_decode/decode_epki2pki.c b/providers/implementations/encode_decode/decode_epki2pki.c index 66f4ff659d..a997629aaa 100644 --- a/providers/implementations/encode_decode/decode_epki2pki.c +++ b/providers/implementations/encode_decode/decode_epki2pki.c @@ -68,8 +68,12 @@ static int epki2pki_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, PKCS8_PRIV_KEY_INFO *p8inf = NULL; const X509_ALGOR *alg = NULL; BIO *in = ossl_bio_new_from_core_bio(ctx->provctx, cin); -int ok = (asn1_d2i_read_bio(in, ) >= 0); +int ok = 0; +if (in == NULL) +return 0; + +ok = (asn1_d2i_read_bio(in, ) >= 0); BIO_free(in); /* We return "empty handed". This is not an error. */ diff --git a/providers/implementations/encode_decode/decode_msblob2key.c b/providers/implementations/encode_decode/decode_msblob2key.c index 0508e68b32..0445721171 100644 --- a/providers/implementations/encode_decode/decode_msblob2key.c 
+++ b/providers/implementations/encode_decode/decode_msblob2key.c @@ -93,6 +93,9 @@ static int msblob2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, void *key = NULL; int ok = 0; +if (in == NULL) +return 0; + if (BIO_read(in, hdr_buf, 16) != 16) { ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_TOO_SHORT); goto next; diff --git a/providers/implementations/encode_decode/decode_pem2der.c b/providers/implementations/encode_decode/decode_pem2der.c index 6c537d26ae..1d5d30968f 100644 --- a/providers/implementations/encode_decode/decode_pem2der.c +++ b/providers/implementations/encode_decode/decode_pem2der.c @@ -33,7 +33,11 @@ static int read_pem(PROV_CTX *provctx, OSSL_CORE_BIO *cin, unsigned char **data, long *len) { BIO *in = ossl_bio_new_from_core_bio(provctx, cin); -int ok = (PEM_read_bio(in, pem_name, pem_header, data, len) > 0); +int ok; + +if (in == NULL) +return 0; +ok = (PEM_read_bio(in, pem_name, pem_header, data, len) > 0); BIO_free(in); return ok; diff --git a/providers/implementations/encode_decode/decode_pvk2key.c b/providers/implementations/encode_decode/decode_pvk2key.c index 32206fe84d..7169aef2f4 100644 --- a/providers/implementations/encode_decode/decode_pvk2key.c +++ b/providers/implementations/encode_decode/decode_pvk2key.c @@ -88,6 +88,9 @@ static int pvk2key_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, void *key = NULL; int ok = 0; +if (in == NULL) +return 0; + ctx->selection = selection; if ((selection == 0 diff --git a/providers/implementations/encode_decode/encode_key2blob.c b/providers/implementations/encode_decode/encode_key2blob.c index 19a7d171db..d4cc2e7cdc 100644 --- a/providers/implementations/encode_decode/encode_key2blob.c +++ b/providers/implementations/encode_decode/encode_key2blob.c 
@@ -30,7 +30,11 @@ static int write_blob(void *provctx, OSSL_CORE_BIO *cout, void *data, int len) { BIO *out = ossl_bio_new_from_core_bio(provctx, cout); -int ret = BIO_write(out, data, len); +int ret; + +if (out == NULL) +return 0; +ret = BIO_write(out, data, len); BIO_free(out); return ret; diff --git a/providers/implementations/encode_decode/encode_key2ms.c b/providers/implementations/encode_decode/encode_key2ms.c index 81528fefb6..15077954a4 100644 --- a/providers/implementations/encode_decode/encode_key2ms.c +++ b/providers/implementations/encode_decode/encode_key2ms.c @@ -39,8 +39,11 @@ static int write_msblob(struct key2ms_ctx_st *ctx, OSSL_CORE_BIO *cout, EVP_PKEY *pkey, int ispub) { BIO *out =
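Review bot: write_blob in encode_key2blob.c now returns 0 when the BIO cannot be created but still returns the raw `BIO_write` result otherwise, so one function mixes a boolean failure value with a byte count that can be negative on error. If a caller tests the result for truth (the callers are outside the hunk), a negative `BIO_write` return would read as success and a failed or unsupported write would go unnoticed. Assuming callers only need success or failure, normalising the value with `ret = BIO_write(out, data, len) > 0;` would make both paths agree. The function's closing brace is outside the hunk.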
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via b247bb52b83ce096ab572af5d9525880e142f426 (commit) from be44d58e80fdab137aef73d610c165acc991fcf9 (commit) - Log - commit b247bb52b83ce096ab572af5d9525880e142f426 Author: Tomas Mraz Date: Tue Dec 28 13:32:57 2021 +0100 close_console: Always unlock as the lock is always held Fixes #17364 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/17365) (cherry picked from commit 5bea0e2ee9bda4d9be6e88c79f2c1b411bb65351) --- Summary of changes: crypto/ui/ui_openssl.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/crypto/ui/ui_openssl.c b/crypto/ui/ui_openssl.c index 8cf7a21d76..37b98910c7 100644 --- a/crypto/ui/ui_openssl.c +++ b/crypto/ui/ui_openssl.c @@ -551,6 +551,8 @@ static int echo_console(UI *ui) static int close_console(UI *ui) { +int ret = 1; + if (tty_in != stdin) fclose(tty_in); if (tty_out != stderr) @@ -560,12 +562,12 @@ static int close_console(UI *ui) if (status != SS$_NORMAL) { ERR_raise_data(ERR_LIB_UI, UI_R_SYSDASSGN_ERROR, "status=%%X%08X", status); -return 0; +ret = 0; } # endif CRYPTO_THREAD_unlock(ui->lock); -return 1; +return ret; } # if !defined(OPENSSL_SYS_WINCE)
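Review bot: Nothing at `CRYPTO_THREAD_unlock(ui->lock);` in close_console records that the lock is held on entry, which is the invariant this fix depends on and which is stated only in the commit title. A comment there, e.g. `/* ui->lock is held on entry; release it on every exit path */`, would make a future early `return` inside the VMS block stand out as a lock leak. In the first hunk the `fclose()` results are ignored and `tty_in`/`tty_out` keep their stale values afterwards; whether they are reassigned before the next use is outside the hunk. The same change is printed again for the master branch in the next message.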
[openssl] master update
The branch master has been updated via 5bea0e2ee9bda4d9be6e88c79f2c1b411bb65351 (commit) from da7db7ae6d7d1929893a58e41335c88e472fc364 (commit) - Log - commit 5bea0e2ee9bda4d9be6e88c79f2c1b411bb65351 Author: Tomas Mraz Date: Tue Dec 28 13:32:57 2021 +0100 close_console: Always unlock as the lock is always held Fixes #17364 Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/17365) --- Summary of changes: crypto/ui/ui_openssl.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/crypto/ui/ui_openssl.c b/crypto/ui/ui_openssl.c index 8cf7a21d76..37b98910c7 100644 --- a/crypto/ui/ui_openssl.c +++ b/crypto/ui/ui_openssl.c @@ -551,6 +551,8 @@ static int echo_console(UI *ui) static int close_console(UI *ui) { +int ret = 1; + if (tty_in != stdin) fclose(tty_in); if (tty_out != stderr) @@ -560,12 +562,12 @@ static int close_console(UI *ui) if (status != SS$_NORMAL) { ERR_raise_data(ERR_LIB_UI, UI_R_SYSDASSGN_ERROR, "status=%%X%08X", status); -return 0; +ret = 0; } # endif CRYPTO_THREAD_unlock(ui->lock); -return 1; +return ret; } # if !defined(OPENSSL_SYS_WINCE)
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated via be44d58e80fdab137aef73d610c165acc991fcf9 (commit) via c7eba968f4f070077f9638884abff68d0c161aac (commit) via daf0b77e34468696158e7ec92d636f8dbb578ffd (commit) via 7e1fba44e0c2e5a2f6fb86bcabe5c2b160f678ca (commit) via cb6f2f179dc5b4cb00250222e28cd52a858e9562 (commit) from e1436d54b9de5012d1716212c7329e46cf21a24a (commit) - Log - commit be44d58e80fdab137aef73d610c165acc991fcf9 Author: Tomas Mraz Date: Wed Dec 29 09:26:58 2021 +0100 try_pkcs12(): cleanse passphrase so it is not left on the stack Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/17320) (cherry picked from commit da7db7ae6d7d1929893a58e41335c88e472fc364) commit c7eba968f4f070077f9638884abff68d0c161aac Author: Tomas Mraz Date: Tue Dec 28 12:46:31 2021 +0100 try_pkcs12(): Correct handling of NUL termination of passphrases Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/17320) (cherry picked from commit 1dfef929e43ebfa3a7f1108317f75747f92effb6) commit daf0b77e34468696158e7ec92d636f8dbb578ffd Author: Tomas Mraz Date: Tue Dec 21 16:05:52 2021 +0100 Test that PEM_BUFSIZE is passed into pem_password_cb When pem_password_cb is used from SSL_CTX, its size parameter should be equal to PEM_BUFSIZE. 
Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/17320) (cherry picked from commit c7debe811123951a60cdfe73716184ca8fdd79d2) commit 7e1fba44e0c2e5a2f6fb86bcabe5c2b160f678ca Author: Tomas Mraz Date: Tue Dec 21 15:58:44 2021 +0100 pem_password_cb: Clarify the documentation on passphrases Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/17320) (cherry picked from commit 5b5342e04ff24d5138c054c1677c32729d47e938) commit cb6f2f179dc5b4cb00250222e28cd52a858e9562 Author: Tomas Mraz Date: Tue Dec 21 12:26:05 2021 +0100 Compensate for UI method always adding NUL termination The UI method always adds NUL termination and we need to compensate for that when using it from a pem_password_cb because the buffer used in pem_password_cb does not account for that and the returned password should be able fill the whole buffer. Fixes #16601 Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/17320) (cherry picked from commit ef65bbb96352650bf9ce4ff46c60c71d9f138d08) --- Summary of changes: crypto/passphrase.c | 33 - crypto/store/store_result.c | 19 +-- doc/man3/PEM_read_bio_PrivateKey.pod | 5 +++-- test/certs/leaf-encrypted.key| 30 ++ test/sslapitest.c| 14 +- 5 files changed, 83 insertions(+), 18 deletions(-) create mode 100644 test/certs/leaf-encrypted.key diff --git a/crypto/passphrase.c b/crypto/passphrase.c index d61e249440..cb1bc66958 100644 --- a/crypto/passphrase.c +++ b/crypto/passphrase.c @@ -109,7 +109,8 @@ int ossl_pw_disable_passphrase_caching(struct ossl_passphrase_data_st *data) * UI_METHOD processor. It differs from UI_UTIL_read_pw() like this: * * 1. It constructs a prompt on its own, based on |prompt_info|. - * 2. It allocates a buffer for verification on its own. + * 2. It allocates a buffer for password and verification on its own + * to compensate for NUL terminator in UI password strings. * 3. It raises errors. * 4. It reports back the length of the prompted pass phrase. */ 
@@ -117,8 +118,8 @@ static int do_ui_passphrase(char *pass, size_t pass_size, size_t *pass_len, const char *prompt_info, int verify, const UI_METHOD *ui_method, void *ui_data) { -char *prompt = NULL, *vpass = NULL; -int prompt_idx = -1, verify_idx = -1; +char *prompt = NULL, *ipass = NULL, *vpass = NULL; +int prompt_idx = -1, verify_idx = -1, res; UI *ui = NULL; int ret = 0; @@ -145,9 +146,16 @@ static int do_ui_passphrase(char *pass, size_t pass_size, size_t *pass_len, goto end; } +/* Get a buffer for verification prompt */ +ipass = OPENSSL_zalloc(pass_size + 1); +if (ipass == NULL) { +ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); +goto end; +} + prompt_idx = UI_add_input_string(ui, prompt, UI_INPUT_FLAG_DEFAULT_PWD, - pass, 0, pass_size - 1) - 1; + ipass, 0, pass_size) - 1; if (prompt_idx < 0) { ERR_raise(ERR_LIB_CRYPTO, ERR_R_UI_LIB); goto end; @@ -155,15 +163,15 @@ static int
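Review bot: The comment added above the `ipass` allocation in do_ui_passphrase, `/* Get a buffer for verification prompt */`, describes the wrong buffer: `ipass` is the one handed to `UI_add_input_string` as the input buffer, while `vpass` is presumably the verification buffer. Something like `/* Buffer for the prompted pass phrase, one byte larger for the NUL the UI method appends */` would match the code. Because `ipass` holds the pass phrase itself, the cleanup at `end:` should release it with `OPENSSL_clear_free(ipass, pass_size + 1);` rather than a plain free; that cleanup is outside the visible lines, so this cannot be confirmed here. `pass_size + 1` is also computed from a caller-supplied `size_t` with no upper bound visible in the hunk, which deserves a guard if callers are not already limited to small buffers.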