[openssl.org #1781] make makefiles traceable in 0.9.8i
Not doing this because of portability concerns. -- Rich Salz, OpenSSL dev team; rs...@openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #2948] thousands of getpid called inside libcrypto.sl.0.9.8
working as designed and required. no bug. closing ticket. -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #1673] ssl handshake failure when protocol specified (0.9.8g)
old release, cannot reproduce, closing ticket. -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #1155] openssl-0.9.8 causes MS Windows fatal error when executing 'openssl exngine xxx'
old release. cannot reproduce. closing ticket. -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #1867] Fw:About OpenSSL crashed in 0.9.8g
very old release. not enough information to reproduce. closing ticket. -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #2845] Impact on OpenSSL 0.9.8h from upcoming Microsoft patch
not an issue -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #1665] Contribution of aes.pod
commit c7497f34fbf3824dd4a0881d598e598980f2edb1
Author: Rich Salz
Date: Thu Aug 14 10:50:26 2014 -0400

RT1665,2300: Crypto doc cleanups

RT1665: aes documentation.
Paul Green wrote a nice aes.pod file. But we now encourage the EVP interface. So I took his RT item and used it as impetus to add the AES modes to EVP_EncryptInit.pod
I also noticed that rc4.pod has spurious references to some other cipher pages, so I removed them.

RT2300: Clean up MD history (merged into RT1665)
Put HISTORY section only in EVP_DigestInit.pod. Also add words to discourage use of older cipher-specific API, and remove SEE ALSO links that point to them. Make sure digest pages have a NOTE that says use EVP_DigestInit.

Review feedback:
More cleanup in EVP_EncryptInit.pod
Fixed SEE ALSO links in ripemd160.pod, sha.pod, mdc2.pod, blowfish.pod, rc4.d, and des.pod.
Re-order sections in des.pod for consistency

Reviewed-by: Matt Caswell

--
Rich Salz, OpenSSL dev team; rs...@openssl.org
Re: [openssl.org #3439] Memory leak bug
This function acts like a destructor. It is really strange if a destructor doesn't delete the object, if the object doesn't have one method. Also, functions that end with free deallocate the pointer, see OpenSSL_free. In your code you can just put a new allocation or create a clear function (I think performance doesn't differ between clear and delete+new). Also, I highly recommend using tools like valgrind if possible, to check for any memory leaks, and also tools like PVS studio to check code (or cppcheck, or all together).

Sorry for adding work for you. It is really frustrating when 8-year-old code doesn't work, but now I think I do openssl better.

On Aug 27, 2014 9:09 PM, "Florman, Bruce via RT" wrote:

> Hi, and sorry about getting in on this topic so late,
> Is it certain that the prior behavior of the BIO_free() function was in fact a bug? I ask because BIO_set() provides a mechanism for initializing a pre-allocated BIO structure, but now that BIO_free() unconditionally passes its argument to OPENSSL_free(), there is no longer a way to de-initialize a BIO without simultaneously de-allocating it. I had used the old conditional behavior of BIO_free() when implementing a private stack-allocated BIO (for inserting data formatted by various OpenSSL functions into a C++ iostream), and was dismayed to discover that our recent update to 1.0.1i caused my 8-year-old code to suddenly start corrupting the runtime heap.
> If the new behavior of BIO_free() is now set in stone, is there any chance of adding a BIO_unset() function to the library, to allow the de-initialization and de-allocation to be decoupled when appropriate?
> Bruce Florman | Senior Software Engineer
> phone & fax +1.317.715.8115 | bruce.flor...@inin.com
>
> Interactive Intelligence Inc.
> Deliberately Innovative
> www.inin.com
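The ownership problem raised in this exchange (a teardown that always deallocates versus one that only de-initialises), modelled as an added C example that is not OpenSSL code and not from the thread. `toy_bio`, the `toy_bio_*()` functions and the allocation tracker are hypothetical stand-ins; the tracker records a free of non-heap storage instead of performing it.

```c
/* Added illustration, not OpenSSL code: toy_bio and the toy_bio_*() functions are
 * hypothetical stand-ins for BIO, BIO_set(), BIO_free() and the requested BIO_unset(). */
#include <stdio.h>
#include <stdlib.h>

#define MAX_LIVE 16
static void *live[MAX_LIVE];   /* heap blocks handed out and not yet freed */
static int bad_frees;          /* frees of pointers that were never allocated */

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    for (int i = 0; p != NULL && i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    free(p);                   /* malloc failed (p is NULL) or tracker is full */
    return NULL;
}

/* Report a free of non-heap memory instead of corrupting the real heap. */
static void tracked_free(void *p)
{
    if (p == NULL) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { free(live[i]); live[i] = NULL; return; }
    bad_frees++;
}

static int live_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++) n += (live[i] != NULL);
    return n;
}

typedef struct toy_bio { char *buf; } toy_bio;   /* buf is owned by the object */
/* Initialise caller-provided storage (the BIO_set() role). */
static int toy_bio_set(toy_bio *b, size_t cap)
{
    b->buf = tracked_malloc(cap);
    return b->buf != NULL;
}

/* De-initialise only: release what the object owns, leave its storage alone. */
static void toy_bio_unset(toy_bio *b)
{
    tracked_free(b->buf);
    b->buf = NULL;
}

static toy_bio *toy_bio_new(size_t cap)
{
    toy_bio *b = tracked_malloc(sizeof(*b));
    if (b != NULL && !toy_bio_set(b, cap)) { tracked_free(b); b = NULL; }
    return b;
}

/* De-initialise and always deallocate, as the thread says BIO_free() now does. */
static void toy_bio_free(toy_bio *b)
{
    if (b == NULL) return;
    toy_bio_unset(b);
    tracked_free(b);
}

/* Stack-allocated object torn down either way; returns the bad frees observed. */
static int stack_case(int use_unset)
{
    toy_bio b;
    bad_frees = 0;
    if (!toy_bio_set(&b, 64)) return -1;
    if (use_unset) toy_bio_unset(&b); else toy_bio_free(&b);
    return bad_frees;
}

static int heap_case(void)
{
    toy_bio *b = toy_bio_new(64);
    bad_frees = 0;
    if (b == NULL) return -1;
    toy_bio_free(b);
    return bad_frees;
}

int main(void)
{
    printf("stack+unset=%d stack+free=%d heap+free=%d live=%d\n",
           stack_case(1), stack_case(0), heap_case(), live_count());
    return 0;
}
```

With a real allocator the `stack_case(0)` path hands a stack address to `free()`, which is the heap corruption described in the quoted message.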
[openssl.org #2193] bug report openssl-0.9.8m crypto/bio/bss_dgram.c
Fixed in HEAD

commit ac53354b949a252610cf987dbc875a7717f295c4
Author: l.montecchi...@gmail.com
Date: Tue Aug 26 23:11:01 2014 -0400

RT2193: #ifdef errors in bss_dgram.c

Problem with #ifdef in the BIO_CTRL_DGRAM_MTU_DISCOVER case that is different from the BIO_CTRL_DGRAM_QUERY_MTU one which seems correct.

Reviewed-by: Matt Caswell

--
Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #3102] s_server does not reject invalid client certificates in "OpenSSL 1.0.1 14 Mar 2012" with -verify or -Verify options
commit 8d4193305b1634a0fb397cb8806cd7dedbff34ef
Author: Rich Salz
Date: Wed Aug 27 14:23:39 2014 -0400

RT3102: Document -verify_error_return flag

Also moved some options around so all the "verify" options are clumped together.

Reviewed-by: Matt Caswell

--
Rich Salz, OpenSSL dev team; rs...@openssl.org
Re: Subject: [PATCH] ssl: introduce async sign/decrypt APIs This patch is introducing `async_key_ex_cb` member of both `SSL_CTX` and `SSL`, and `SSL_supply()`. If `async_key_ex_cb` is present: * Serve
Oh, and I have just realized that it doesn't handle `ssl3_get_cert_verify` case right now. I'll figure it out tomorrow.

On Thu, Aug 28, 2014 at 2:26 PM, Fedor Indutny wrote:

> Hello again!
>
> Here is a second patch that improves the first one. Additionally it copies and restores the packet data before/after calling out async callback. However it is almost evident for me that nothing could overwrite `s->init_buf->data` during async handshake, so if you feel confident about it - please let me know and I will revert everything except style changes in that 0002 patch.
>
> Cheers,
> Fedor.
>
> On Wed, Aug 27, 2014 at 1:05 PM, Fedor Indutny wrote:
>
>> Oops, just realized that I pasted whole commit message into a subject.
>>
>> Anyway, CCing Rich Salz here.
>>
>> Rich,
>>
>> You seem to be on a wave on triaging tickets, may be you could take a look at this one eventually?
>>
>> Thank you,
>> Fedor.
>>
>> On Sat, Aug 23, 2014 at 10:08 PM, Fedor Indutny wrote:
>>
>>> This patch is introducing `async_key_ex_cb` member of both `SSL_CTX` and `SSL`, and `SSL_supply()`. If `async_key_ex_cb` is present:
>>>
>>> * Server will ignore dummy RSA key, assuming that it is matching the certificate.
>>> * Server will invoke this callback with either:
>>>   * `SSL_KEY_EX_RSA`
>>>   * `SSL_KEY_EX_RSA_SIGN`
>>>   as a `type` argument, and some data for signature or decryption in `p`/`n` pair.
>>>
>>> At that time the sign/decryption may be performed on any thread, or even remotely, and the result should be supplied with `SSL_supply()`. Calling `SSL_supply()` will continue the handshake process without even touching the real private key.
>>>
>>> NOTE:
>>>
>>> The test is missing right now, I'll add it once we will figure out how the API should look like. Implementation appears to be working when used with node.js, see https://github.com/indutny/node/tree/feature/async-key-exchange and https://gist.github.com/indutny/948eaf9b5154eb395e8b for testing.
>>>
>>> ANOTHER NOTE:
>>>
>>> Pull Request on github: https://github.com/openssl/openssl/pull/162
Re: [openssl.org #3507] [PATCH] Fix memory leaks.
I ran make which regenerated the objects, thanks for pointing that out, I attached an updated patch without the change. --- Kurt Cancemi https://www.x64architecture.com On Thu, Aug 28, 2014 at 12:41 PM, Kurt Roeckx wrote: > On Thu, Aug 28, 2014 at 03:11:14PM +0200, Kurt Cancemi via RT wrote: >> The attached updated patch fixes a style error. > > I still have a bunch of other patches like this to go thru, but > did a quick look at this, and at least this looks weird: > >> --- a/crypto/objects/obj_xref.h >> +++ b/crypto/objects/obj_xref.h >> @@ -54,8 +54,8 @@ static const nid_triple sigoid_srt[] = >> static const nid_triple * const sigoid_srt_xref[] = >> { >> &sigoid_srt[29], >> - &sigoid_srt[17], >> &sigoid_srt[18], >> + &sigoid_srt[17], >> &sigoid_srt[0], >> &sigoid_srt[1], >> &sigoid_srt[7], > > Can you explain that? > > > Kurt > > __ > OpenSSL Project http://www.openssl.org > Development Mailing List openssl-dev@openssl.org > Automated List Manager majord...@openssl.org From e5ec6311b407e52e096ad0197814e77176b4c9f9 Mon Sep 17 00:00:00 2001 From: Kurt Cancemi Date: Thu, 28 Aug 2014 13:48:39 -0400 Subject: [PATCH] Fix memory leaks. --- crypto/asn1/x_x509a.c| 21 - crypto/ec/ec_ameth.c | 1 + crypto/ec/ec_mult.c | 1 + crypto/ec/ecp_mont.c | 7 +-- crypto/pkcs7/pk7_smime.c | 1 + crypto/x509/x509_trs.c | 2 ++ crypto/x509/x509_vfy.c | 1 + crypto/x509v3/pcy_data.c | 4 crypto/x509v3/pcy_tree.c | 3 +++ 9 files changed, 34 insertions(+), 7 deletions(-) diff --git a/crypto/asn1/x_x509a.c b/crypto/asn1/x_x509a.c index 03a9c45..ec3da38 100644 --- a/crypto/asn1/x_x509a.c +++ b/crypto/asn1/x_x509a.c 
@@ -159,12 +159,23 @@ int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj) int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj) { X509_CERT_AUX *aux; - ASN1_OBJECT *objtmp; - if(!(objtmp = OBJ_dup(obj))) return 0; - if(!(aux = aux_get(x))) return 0; - if(!aux->reject - && !(aux->reject = sk_ASN1_OBJECT_new_null())) return 0; + ASN1_OBJECT *objtmp = NULL; + if (obj) + { + objtmp = OBJ_dup(obj); + if (!objtmp) + return 0; + } + if(!(aux = aux_get(x))) + goto err; + if(!aux->reject && !(aux->reject = sk_ASN1_OBJECT_new_null())) + goto err; return sk_ASN1_OBJECT_push(aux->reject, objtmp); + + err: + if (objtmp) + ASN1_OBJECT_free(objtmp); + return 0; } void X509_trust_clear(X509 *x) diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index a149bf6..15e86c4 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -387,6 +387,7 @@ static int ec_bits(const EVP_PKEY *pkey) group = EC_KEY_get0_group(pkey->pkey.ec); if (!EC_GROUP_get_order(group, order, NULL)) { + BN_free(order); ERR_clear_error(); return 0; } diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index fb693c3..3b23c5d 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -535,6 +535,7 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, if (numblocks > pre_comp->numblocks) { ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); + OPENSSL_free(tmp_wNAF); goto err; } totalnum = num + numblocks; diff --git a/crypto/ec/ecp_mont.c b/crypto/ec/ecp_mont.c index 232ae34..2735957 100644 --- a/crypto/ec/ecp_mont.c +++ b/crypto/ec/ecp_mont.c @@ -229,8 +229,11 @@ int ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM * } one = BN_new(); if (one == NULL) goto err; - if (!BN_to_montgomery(one, BN_value_one(), mont, ctx)) goto err; - + if (!BN_to_montgomery(one, BN_value_one(), mont, ctx)) + { + BN_free(one); + goto err; + } group->field_data1 = mont; mont = NULL; group->field_data2 = one; 
diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c index a5104f8..9024ce8 100644 --- a/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c @@ -364,6 +364,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, if (tmpin == NULL) { PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_MALLOC_FAILURE); + sk_X509_free(signers); return 0; } } diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c index 3d7e068..5781573 100644 --- a/crypto/x509/x509_trs.c +++ b/crypto/x509/x509_trs.c @@ -206,10 +206,12 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), if(idx == -1) { if(!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) { X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); + OPENSSL_free(trtmp); return 0; } if (!sk_X509_TRUST_push(trtable, trtmp)) { X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); + OPENSSL_free(trtmp); return 0; } } diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 85aa113..ae4fff9 100644 --- a/crypto/x509/x509_vfy.c +++ b/cryp
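Review bot: In the ec_GFp_mont_group_set_curve hunk, `BN_free(one)` is called right before `goto err` and leaves `one` dangling on the way into the cleanup path. The context lines hand `mont` over with `mont = NULL`, which suggests the err label is where locals are released; if that label ever frees `one`, this becomes a double free. Consider initialising `one` to NULL, freeing it under err, and setting `one = NULL` after `group->field_data2 = one`, mirroring what is done for `mont`. The same question applies to `OPENSSL_free(tmp_wNAF); goto err;` in ec_wNAF_mul: the err label is not visible in the hunk, so please confirm it does not release tmp_wNAF again.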
Re: [openssl.org #3507] [PATCH] Fix memory leaks.
On Thu, Aug 28, 2014 at 03:11:14PM +0200, Kurt Cancemi via RT wrote:
> The attached updated patch fixes a style error.

I still have a bunch of other patches like this to go thru, but did a quick look at this, and at least this looks weird:

> --- a/crypto/objects/obj_xref.h > +++ b/crypto/objects/obj_xref.h > @@ -54,8 +54,8 @@ static const nid_triple sigoid_srt[] = > static const nid_triple * const sigoid_srt_xref[] = > { > &sigoid_srt[29], > - &sigoid_srt[17], > &sigoid_srt[18], > + &sigoid_srt[17], > &sigoid_srt[0], > &sigoid_srt[1], > &sigoid_srt[7],

Can you explain that?

Kurt
Re: [openssl.org #3470] [BUG] DTLS abort
On 28 Aug 2014, at 17:25, Brian Hassink via RT wrote:

> Hello Michael,
>
> We can confirm that the patch resolves the disconnect abort.

Great, thanks a lot for the feedback. Let me know if you have further issues with DTLS/SCTP.

Best regards
Michael

>
> Thanks,
> Brian
>
> -Original Message-
> From: Michael Tüxen via RT [mailto:r...@openssl.org]
> Sent: Wednesday, August 27, 2014 3:33 PM
> To: Brian Hassink
> Cc: openssl-dev@openssl.org
> Subject: Re: [openssl.org #3470] [BUG] DTLS abort
>
> On 18 Aug 2014, at 21:47, Michael Tuexen wrote:
>
>> On 18 Aug 2014, at 16:31, Brian Hassink wrote:
>>
>>> Yes, this was observed for DTLS/SCTP.
>> OK. The problem is an incorrect usage of OPENSSL_assert()... Let me see if I can come-up with a patch...
> Hi Brian,
>
> please find attached a patch which fixes several usages of OPENSSL_assert() and let me know if this resolves your issue.
>
> Please note that you want also to apply the patch from
> http://rt.openssl.org/Ticket/Display.html?id=3483&user=guest&pass=guest
>
> Best regards
> Michael
RE: [openssl.org #3470] [BUG] DTLS abort
Hello Michael,

We can confirm that the patch resolves the disconnect abort.

Thanks,
Brian

-Original Message-
From: Michael Tüxen via RT [mailto:r...@openssl.org]
Sent: Wednesday, August 27, 2014 3:33 PM
To: Brian Hassink
Cc: openssl-dev@openssl.org
Subject: Re: [openssl.org #3470] [BUG] DTLS abort

On 18 Aug 2014, at 21:47, Michael Tuexen wrote:

> On 18 Aug 2014, at 16:31, Brian Hassink wrote:
>
>> Yes, this was observed for DTLS/SCTP.
> OK. The problem is an incorrect usage of OPENSSL_assert()... Let me see if I can come-up with a patch...

Hi Brian,

please find attached a patch which fixes several usages of OPENSSL_assert() and let me know if this resolves your issue.

Please note that you want also to apply the patch from
http://rt.openssl.org/Ticket/Display.html?id=3483&user=guest&pass=guest

Best regards
Michael
Re: [openssl.org #3507] [PATCH] Fix memory leaks.
The attached updated patch fixes a style error. --- Kurt Cancemi https://www.x64architecture.com >From d112c3f7b36a60f8af109b90fe5299f7ac049cc6 Mon Sep 17 00:00:00 2001 From: Kurt Cancemi Date: Wed, 27 Aug 2014 20:37:45 -0400 Subject: [PATCH] Fix memory leaks. --- crypto/asn1/x_x509a.c | 21 - crypto/ec/ec_ameth.c | 1 + crypto/ec/ec_mult.c | 1 + crypto/ec/ecp_mont.c | 7 +-- crypto/objects/obj_xref.h | 2 +- crypto/pkcs7/pk7_smime.c | 1 + crypto/x509/x509_trs.c| 2 ++ crypto/x509/x509_vfy.c| 1 + crypto/x509v3/pcy_data.c | 4 crypto/x509v3/pcy_tree.c | 3 +++ 10 files changed, 35 insertions(+), 8 deletions(-) diff --git a/crypto/asn1/x_x509a.c b/crypto/asn1/x_x509a.c index 03a9c45..ec3da38 100644 --- a/crypto/asn1/x_x509a.c +++ b/crypto/asn1/x_x509a.c @@ -159,12 +159,23 @@ int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj) int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj) { X509_CERT_AUX *aux; - ASN1_OBJECT *objtmp; - if(!(objtmp = OBJ_dup(obj))) return 0; - if(!(aux = aux_get(x))) return 0; - if(!aux->reject - && !(aux->reject = sk_ASN1_OBJECT_new_null())) return 0; + ASN1_OBJECT *objtmp = NULL; + if (obj) + { + objtmp = OBJ_dup(obj); + if (!objtmp) + return 0; + } + if(!(aux = aux_get(x))) + goto err; + if(!aux->reject && !(aux->reject = sk_ASN1_OBJECT_new_null())) + goto err; return sk_ASN1_OBJECT_push(aux->reject, objtmp); + + err: + if (objtmp) + ASN1_OBJECT_free(objtmp); + return 0; } void X509_trust_clear(X509 *x) diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index a149bf6..15e86c4 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -387,6 +387,7 @@ static int ec_bits(const EVP_PKEY *pkey) group = EC_KEY_get0_group(pkey->pkey.ec); if (!EC_GROUP_get_order(group, order, NULL)) { + BN_free(order); ERR_clear_error(); return 0; } diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index fb693c3..3b23c5d 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c 
@@ -535,6 +535,7 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, if (numblocks > pre_comp->numblocks) { ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); + OPENSSL_free(tmp_wNAF); goto err; } totalnum = num + numblocks; diff --git a/crypto/ec/ecp_mont.c b/crypto/ec/ecp_mont.c index 232ae34..2735957 100644 --- a/crypto/ec/ecp_mont.c +++ b/crypto/ec/ecp_mont.c @@ -229,8 +229,11 @@ int ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM * } one = BN_new(); if (one == NULL) goto err; - if (!BN_to_montgomery(one, BN_value_one(), mont, ctx)) goto err; - + if (!BN_to_montgomery(one, BN_value_one(), mont, ctx)) + { + BN_free(one); + goto err; + } group->field_data1 = mont; mont = NULL; group->field_data2 = one; diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h index cfd628a..2b3dc6d 100644 --- a/crypto/objects/obj_xref.h +++ b/crypto/objects/obj_xref.h @@ -54,8 +54,8 @@ static const nid_triple sigoid_srt[] = static const nid_triple * const sigoid_srt_xref[] = { &sigoid_srt[29], - &sigoid_srt[17], &sigoid_srt[18], + &sigoid_srt[17], &sigoid_srt[0], &sigoid_srt[1], &sigoid_srt[7], diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c index a5104f8..9024ce8 100644 --- a/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c @@ -364,6 +364,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, if (tmpin == NULL) { PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_MALLOC_FAILURE); + sk_X509_free(signers); return 0; } } diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c index 3d7e068..5781573 100644 --- a/crypto/x509/x509_trs.c +++ b/crypto/x509/x509_trs.c 
@@ -206,10 +206,12 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), if(idx == -1) { if(!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) { X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); + OPENSSL_free(trtmp); return 0; } if (!sk_X509_TRUST_push(trtable, trtmp)) { X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); + OPENSSL_free(trtmp); return 0; } } diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 85aa113..ae4fff9 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -353,6 +353,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) x = xtmp; if (!sk_X509_push(ctx->chain,x)) { + sk_X509_free(sktmp); X509_free(xtmp); X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); return 0; diff --git a/crypto/x509v3/pcy_data.c b/crypto/x509v3/pcy_data.c index 3444b03..2bb5868 100644 --- a/crypto/x509v3/pcy_data.c +++ b/crypto/x509v3/pcy_data.c @@ -99,7 +99,11 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, id = NULL; ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA)); if (!ret) + { + if (id) + ASN1_OBJECT_free(id); return NULL; + } ret->exp
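Review bot: The crypto/objects/obj_xref.h hunk swaps `&sigoid_srt[17]` and `&sigoid_srt[18]` in sigoid_srt_xref, which releases nothing and is not explained by a commit titled "Fix memory leaks". Drop it from this patch, or send it separately with a description of why the order of the table entries changes.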
[openssl.org #3507] [PATCH] Fix memory leaks.
Hello, The attached patch fixes some memory leaks that were found via Coverity. --- Kurt Cancemi https://www.x64architecture.com >From 3d2c713113545255b61efe433e130078d4cf2e22 Mon Sep 17 00:00:00 2001 From: Kurt Cancemi Date: Wed, 27 Aug 2014 20:21:33 -0400 Subject: [PATCH] Fix memory leaks. --- crypto/asn1/x_x509a.c| 20 +++- crypto/ec/ec_ameth.c | 1 + crypto/ec/ec_mult.c | 1 + crypto/ec/ecp_mont.c | 7 +-- crypto/pkcs7/pk7_smime.c | 1 + crypto/x509/x509_trs.c | 2 ++ crypto/x509/x509_vfy.c | 1 + crypto/x509v3/pcy_data.c | 4 crypto/x509v3/pcy_tree.c | 3 +++ 9 files changed, 33 insertions(+), 7 deletions(-) diff --git a/crypto/asn1/x_x509a.c b/crypto/asn1/x_x509a.c index 03a9c45..1603e4b 100644 --- a/crypto/asn1/x_x509a.c +++ b/crypto/asn1/x_x509a.c @@ -159,12 +159,22 @@ int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj) int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj) { X509_CERT_AUX *aux; - ASN1_OBJECT *objtmp; - if(!(objtmp = OBJ_dup(obj))) return 0; - if(!(aux = aux_get(x))) return 0; - if(!aux->reject - && !(aux->reject = sk_ASN1_OBJECT_new_null())) return 0; + ASN1_OBJECT *objtmp = NULL; + if (obj) { + objtmp = OBJ_dup(obj); + if (!objtmp) + return 0; + } + if(!(aux = aux_get(x))) + goto err; + if(!aux->reject && !(aux->reject = sk_ASN1_OBJECT_new_null())) + goto err; return sk_ASN1_OBJECT_push(aux->reject, objtmp); + + err: + if (objtmp) + ASN1_OBJECT_free(objtmp); + return 0; } void X509_trust_clear(X509 *x) diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index a149bf6..15e86c4 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -387,6 +387,7 @@ static int ec_bits(const EVP_PKEY *pkey) group = EC_KEY_get0_group(pkey->pkey.ec); if (!EC_GROUP_get_order(group, order, NULL)) { + BN_free(order); ERR_clear_error(); return 0; } diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index fb693c3..3b23c5d 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c 
@@ -535,6 +535,7 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, if (numblocks > pre_comp->numblocks) { ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR); + OPENSSL_free(tmp_wNAF); goto err; } totalnum = num + numblocks; diff --git a/crypto/ec/ecp_mont.c b/crypto/ec/ecp_mont.c index 232ae34..2735957 100644 --- a/crypto/ec/ecp_mont.c +++ b/crypto/ec/ecp_mont.c @@ -229,8 +229,11 @@ int ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM * } one = BN_new(); if (one == NULL) goto err; - if (!BN_to_montgomery(one, BN_value_one(), mont, ctx)) goto err; - + if (!BN_to_montgomery(one, BN_value_one(), mont, ctx)) + { + BN_free(one); + goto err; + } group->field_data1 = mont; mont = NULL; group->field_data2 = one; diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c index a5104f8..9024ce8 100644 --- a/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c @@ -364,6 +364,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, if (tmpin == NULL) { PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_MALLOC_FAILURE); + sk_X509_free(signers); return 0; } } diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c index 3d7e068..5781573 100644 --- a/crypto/x509/x509_trs.c +++ b/crypto/x509/x509_trs.c @@ -206,10 +206,12 @@ int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), if(idx == -1) { if(!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) { X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); + OPENSSL_free(trtmp); return 0; } if (!sk_X509_TRUST_push(trtable, trtmp)) { X509err(X509_F_X509_TRUST_ADD,ERR_R_MALLOC_FAILURE); + OPENSSL_free(trtmp); return 0; } } diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 85aa113..ae4fff9 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c 
@@ -353,6 +353,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) x = xtmp; if (!sk_X509_push(ctx->chain,x)) { + sk_X509_free(sktmp); X509_free(xtmp); X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); return 0; diff --git a/crypto/x509v3/pcy_data.c b/crypto/x509v3/pcy_data.c index 3444b03..2bb5868 100644 --- a/crypto/x509v3/pcy_data.c +++ b/crypto/x509v3/pcy_data.c @@ -99,7 +99,11 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, id = NULL; ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA)); if (!ret) + { + if (id) + ASN1_OBJECT_free(id); return NULL; + } ret->expected_policy_set = sk_ASN1_OBJECT_new_null(); if (!ret->expected_policy_set) { diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c index 47b1bf8..f8658ba 100644 --- a/crypto/x509v3/pcy_tree.c +++ b/crypto/x509v3/pcy_tree.c @@ -684,7 +684,10 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree, { tree->user_policies = sk_X509_POLICY_NODE_new_null(); if (!tree->user_policies) +{
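Review bot: In X509_add1_reject_object, the final `return sk_ASN1_OBJECT_push(aux->reject, objtmp);` still leaks objtmp when the push fails, because that path bypasses the new err label. Check the push result and `goto err` on failure. The new `if (obj)` guard also changes behaviour: with a NULL obj the function now skips OBJ_dup and pushes a NULL entry onto aux->reject, where the old code passed obj straight to OBJ_dup and returned 0 if that failed. If a NULL obj is not meant to be accepted, return 0 up front instead.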
RE: [openssl.org #3470] [BUG] DTLS abort
Thanks, we're rolling a new build with it now...

-Brian

-Original Message-
From: Michael Tüxen via RT [mailto:r...@openssl.org]
Sent: Wednesday, August 27, 2014 3:33 PM
To: Brian Hassink
Cc: openssl-dev@openssl.org
Subject: Re: [openssl.org #3470] [BUG] DTLS abort

On 18 Aug 2014, at 21:47, Michael Tuexen wrote:

> On 18 Aug 2014, at 16:31, Brian Hassink wrote:
>
>> Yes, this was observed for DTLS/SCTP.
> OK. The problem is an incorrect usage of OPENSSL_assert()... Let me see if I can come-up with a patch...

Hi Brian,

please find attached a patch which fixes several usages of OPENSSL_assert() and let me know if this resolves your issue.

Please note that you want also to apply the patch from
http://rt.openssl.org/Ticket/Display.html?id=3483&user=guest&pass=guest

Best regards
Michael
Re: Subject: [PATCH] ssl: introduce async sign/decrypt APIs This patch is introducing `async_key_ex_cb` member of both `SSL_CTX` and `SSL`, and `SSL_supply()`. If `async_key_ex_cb` is present: * Serve
Hello again!

Here is a second patch that improves the first one. Additionally it copies and restores the packet data before/after calling out async callback. However it is almost evident for me that nothing could overwrite `s->init_buf->data` during async handshake, so if you feel confident about it - please let me know and I will revert everything except style changes in that 0002 patch.

Cheers,
Fedor.

On Wed, Aug 27, 2014 at 1:05 PM, Fedor Indutny wrote:

> Oops, just realized that I pasted whole commit message into a subject.
>
> Anyway, CCing Rich Salz here.
>
> Rich,
>
> You seem to be on a wave on triaging tickets, may be you could take a look at this one eventually?
>
> Thank you,
> Fedor.
>
> On Sat, Aug 23, 2014 at 10:08 PM, Fedor Indutny wrote:
>
>> This patch is introducing `async_key_ex_cb` member of both `SSL_CTX` and `SSL`, and `SSL_supply()`. If `async_key_ex_cb` is present:
>>
>> * Server will ignore dummy RSA key, assuming that it is matching the certificate.
>> * Server will invoke this callback with either:
>>   * `SSL_KEY_EX_RSA`
>>   * `SSL_KEY_EX_RSA_SIGN`
>>   as a `type` argument, and some data for signature or decryption in `p`/`n` pair.
>>
>> At that time the sign/decryption may be performed on any thread, or even remotely, and the result should be supplied with `SSL_supply()`. Calling `SSL_supply()` will continue the handshake process without even touching the real private key.
>>
>> NOTE:
>>
>> The test is missing right now, I'll add it once we will figure out how the API should look like. Implementation appears to be working when used with node.js, see https://github.com/indutny/node/tree/feature/async-key-exchange and https://gist.github.com/indutny/948eaf9b5154eb395e8b for testing.
>>
>> ANOTHER NOTE:
>>
>> Pull Request on github: https://github.com/openssl/openssl/pull/162

0002-ssl-copy-packet-before-performing-async-key-ex.patch.sig
Description: Binary data

0002-ssl-copy-packet-before-performing-async-key-ex.patch
Description: Binary data