Click house/openssl 3.0.10 #7
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Two key 3DES only sets two keys and the random generation errors out if fewer than three keys are required. It shouldn't. Fixes openssl#20212 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#20224) (cherry picked from commit 587e040)
BIO_set_accept_name() can return error values -1 and 0 according to my analysis tool and the documentation. Documentation says a value of 1 indicates success. Currently, only an error value != 0 is checked which erroneously interprets a -1 error return value as success. Fix it by changing the check condition. CLA: trivial Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl#20206) (cherry picked from commit a811b63) (cherry picked from commit 510e493)
Allocate memory for a new SSL session. If any of these steps fail, free the key memory and the tmpsess object before returning 0 to prevent a memory leak. Fixes: openssl#20110 CLA: trivial Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl#20213) (cherry picked from commit 8e2552b) (cherry picked from commit 4cfae92)
Documentation is necessary as static and dynamic linking cause SIGSEGV during atexit() processing on the platform. Fixes: 19951 Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#19952) (cherry picked from commit e80518d)
BIO_set_md() can return an error value <= 0 according to my analysis tool and the documentation. But only an error value == 0 is currently checked. Fix it by changing the check condition. CLA: trivial Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl#20195) (cherry picked from commit abf6546) (cherry picked from commit 9b77bd9)
default_check() can return a zero value to indicate an internal error in one condition for the PRE_CTRL_STR_TO_PARAMS state. This state can be reached from the default_fixup_args() function which does not check for a zero value. All other callers of default_check() in that file do check for a zero return value. Fix it by changing the check to <= 0. CLA: trivial Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#20175) (cherry picked from commit 650f047)
CMS_SharedInfo_encode() can also return a negative error value, but this is not checked in the current check, only the zero error return value is covered. A previous PR [1] fixed the other caller's check of CMS_SharedInfo_encode in this file, but it seems like this place was missed. Fix it by changing the check to <= 0. [1] openssl@a752fc4 CLA: trivial Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#20181) (cherry picked from commit ba06181)
This function returns an errorcode <= 0, but only < 0 is checked. Other callers that check the return value perform this check correctly. Fix it by changing the check to <= 0. CLA: trivial Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#20186) (cherry picked from commit 8263749)
BIO_dup_state() returns an error code <= 0 according to my analysis tool and the documentation. Currently only == 0 is checked. Fix it by changing the check condition. CLA: trivial Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl#20194) (cherry picked from commit 89601c7) (cherry picked from commit cf3cf2b)
_umul128() is x86_64 (x64) only, while __umulh() works everywhere, but doesn't generate optimal code on x64 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#20244) (cherry picked from commit 075652f)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#20228) (cherry picked from commit 1472127)
Also add corresponding tests and to this end update credentials Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from openssl#20160) (cherry picked from commit 6b58f49)
Conditioning it on $disabled{shared} isn't right, it will still end up
in the static variant of the library. It's better to use SHARED_SOURCE
for these sorts of things.
Fixes openssl#20238
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#20240)
(cherry picked from commit cd870db)
The test tries to use DES but that may not be available. But for the purpose of regression testing CVE-2023-0215 the cipher is not relevant, so we use AES-128 instead. Fixes openssl#20249 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl#20276) (cherry picked from commit c400a1f)
BN_priv_rand_range_ex() and BN_add() both return a 0 on failure and a 1 on success. In case of failure, the algorithm should fail. However, the branch that it goes through on failure is "goto end", not "goto err". Therefore, the algorithm will return 1 which indicates success instead of 0 for failure, leading to potential problems for the callers. Fix it by changing the goto to "goto err" instead of "goto end". CLA: trivial Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl#20279) (cherry picked from commit 835b90a) (cherry picked from commit d1e1a8f)
CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#20327) (cherry picked from commit 7e55051)
CLA: trivial Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#20310)
There is no point in calling OPENSSL_init_crypto() unless we are actually going to be using the default libctx. Fixes openssl#20315 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#20341) (cherry picked from commit 7a6a0ba) (cherry picked from commit ba8e207)
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#20341) (cherry picked from commit 0aa7d7f) (cherry picked from commit ed8d2c9)
CLA: trivial Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#20294) (cherry picked from commit ab5a172)
CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#20351) (cherry picked from commit 7fed519)
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#20312) (cherry picked from commit 1dc35d4)
TLS pipelining provides the ability for libssl to read or write multiple records in parallel. It requires special ciphers to do this, and there are currently no built-in ciphers that provide this capability. However, the dasync engine does have such a cipher, so we add a test for this capability using that engine. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#20208) (cherry picked from commit 24c7d36)
…lled The pipeline input/output buf arrays must remain accessible to the EVP_CIPHER_CTX until EVP_Cipher is subsequently called. This fixes an asan error discovered by the newly added pipeline test. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#20208) (cherry picked from commit df9c7ce)
During read pipelining we must ensure that the buffer is sufficiently large to read enough data to fill our pipelines. We also remove some code that moved data to the start of the packet if we can. This was unnecessary because of later code which would end up moving it anyway. The earlier move was also incorrect in the case that |clearold| was 0. This would cause the read pipelining code to fail with sufficiently large records. Fixes openssl#20197 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#20208) (cherry picked from commit 1d06598)
Document the effect on the internal read buffer when using pipelining. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#20208) (cherry picked from commit 89ed544)
We shouldn't be putting more data into a pipeline than the value of split_send_fragment. This is a backport of a fix which was included in a much larger commit in master (c618679) related to moving the pipelining code into the new record layer that exists there. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#20208) (cherry picked from commit 2c4b1c7)
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from openssl#20275)
… improvements Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from openssl#20275)
Also document CMS_decrypt_set1_password() and fix CMS_EnvelopedData_create.pod. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from openssl#20209)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.