Commits · e31066f7e9894c9cdaef80404da854f89e9e365f · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

29 Apr, 2016 15 commits

Add the ability to test EBCDIC builds · e31066f7

Matt Caswell authored Apr 29, 2016



This adds the define CHARSET_EBCDIC_TEST which enables testing of EBCDIC
code on an ASCII system.

Reviewed-by: Andy Polyakov <appro@openssl.org>

e31066f7

Fix building with -DCHARSET_EBCDIC · 5fd1478d

Matt Caswell authored Apr 28, 2016



Building with -DCHARSET_EBCDIC and using --strict-warnings resulted in
lots of miscellaneous errors. This fixes it.

Reviewed-by: Andy Polyakov <appro@openssl.org>

5fd1478d

VMS: only explicitely translate names in library C files. · e590afdc

Richard Levitte authored Apr 28, 2016



When compiling all other C files, rely on the compiler to
automatically pick up the name translation information from the header
files __DECC_INCLUDE_{PRO,EPI}LOGUE.H.

Reviewed-by: Andy Polyakov <appro@openssl.org>

e590afdc

VMS: It seems DEC C doesn't handle certain header files quite right · 1bfe73d5

Richard Levitte authored Apr 11, 2016



With DEC C on VMS, you can use __DECC_INCLUDE_PROLOGUE.H and
__DECC_INCLUDE_EPILOGUE.H to include some DEC C specific features or
pragmas without having to touch the other header files.

It seems, however, that the current version of the compiler requires
the file names to be upcased, or it doesn't handle them quite right.

Reviewed-by: Andy Polyakov <appro@openssl.org>

1bfe73d5

Add aliases for des-ede-ecb and des-ede3-ecb ciphers. · 842dc987

Kirill Marinushkin authored Apr 24, 2016



Currently we can get all block ciphers with
	EVP_get_cipherbyname("<alg_name>-<block-mode-name>")
for example, by names "aes-128-ecb" or "des-ede-cbc".
I found a problem with des-ede-ecb and des-ede3-ecb ciphers as
they can be accessed only with names:
	EVP_get_cipherbyname("des-ede")
	EVP_get_cipherbyname("des-ede3")
It breaks the general concept.

In this patch I add aliases which allow to use names:
	EVP_get_cipherbyname("des-ede-ecb")
	EVP_get_cipherbyname("des-ede3-ecb")
in addition to the currently used names.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

842dc987

Fixed scripts order for generate_crypto_objects target · e6f2bb66

Kirill Marinushkin authored Apr 24, 2016



Script obj_dat.pl depends on file obj_mac.h generated by script objects.pl

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

e6f2bb66

crypto/ppccap.c: fix missing declaration warning. · 53385e1f
Andy Polyakov authored Apr 27, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
53385e1f
crypto/ppccap.c: permit build with no-chacha and no-poly1305. · fa79c543
Andy Polyakov authored Apr 27, 2016
```
RT#4508

Reviewed-by: Richard Levitte <levitte@openssl.org>
```
fa79c543

Remove some dead code · 10a57adc

Matt Caswell authored Apr 28, 2016

Commit e1d9f1ab

 left some dead code behind. This removes it.

Reviewed-by: Stephen Henson <steve@openssl.org>

10a57adc

A call to RSA_set0_key had the arguments in the wrong order · b375f081
Matt Caswell authored Apr 28, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
b375f081

Client side CKE processing can double free on error · 6f137370

Matt Caswell authored Apr 28, 2016



The tls_client_key_exchange_post_work() frees the pms on error. It also
calls ssl_generate_master_secret() which also free the pms. If an error
occurs after ssl_generate_master_secret() has been called then a double
free can occur.

Reviewed-by: Andy Polyakov <appro@openssl.org>

6f137370

Don't free the BIGNUM passed to BN_mpi2bn · b8f1c116

Matt Caswell authored Apr 28, 2016

Commit 91fb42dd

 fixed a leak but introduced a problem where a parameter
is erroneously freed instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

b8f1c116

Fix a leak in i2b_PVK · 098c1e3d

Matt Caswell authored Apr 28, 2016

Commit 8e588e28

 fixed a leak but introduced a new one.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

098c1e3d

make update · 1f644005
Richard Levitte authored Apr 29, 2016
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
1f644005

apps/progs.pl: don't make digests disablable by default · 08590a86

Richard Levitte authored Apr 29, 2016



Some digest algorithms can't be disabled, don't pretend they can.

Reviewed-by: Matt Caswell <matt@openssl.org>

08590a86

28 Apr, 2016 25 commits

BIO_free should call method->destroy before free'ing member fields · a14a740d

FdaSilvaYY authored Apr 28, 2016



Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1007)

a14a740d

Add checks on CRYPTO_new_ex_data return value... · 2bbf0baa

FdaSilvaYY authored Mar 08, 2016


with some adaptation to new multi-threading API.

Once reference, lock, meth and flag fields are setup,
DSA_free/DH_free can be called directly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/996)

2bbf0baa

Add checks on CRYPTO_new_ex_data return value · 25a807bc

FdaSilvaYY authored Feb 13, 2016



Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/996)

25a807bc

Fix an error code spelling. · 8fdc99cb

FdaSilvaYY authored Apr 04, 2016



Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/952)

8fdc99cb

various spelling fixes · 8483a003

FdaSilvaYY authored Mar 10, 2016



Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/952)

8483a003

Add getters for X509_STORE and X509_OBJECT members · f0c58c32

Christian Heimes authored Apr 19, 2016



OpenSSL 1.1.0-pre5 has made some additional structs opaque. Python's ssl
module requires access to some of the struct members. Three new getters
are added:

int X509_OBJECT_get_type(X509_OBJECT *a);
STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *v);
X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx);

Signed-off-by: Christian Heimes <cheimes@redhat.com>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

f0c58c32

make update · d5553b4c

Viktor Dukhovni authored Apr 27, 2016



Recycling an unused slot.

Reviewed-by: Rich Salz <rsalz@openssl.org>

d5553b4c

Implement X509_STORE_CTX_set_current_cert() accessor · c9654873
Viktor Dukhovni authored Apr 27, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
c9654873

Fix BIO_set_nbio_accept() · 68423b14

Richard Levitte authored Apr 28, 2016



The code that implements this control would work when enabling nbio,
but the disabling code needed fixing.

Reviewed-by: Matt Caswell <matt@openssl.org>

68423b14

Don't leak memory on error path in dane_ctx_enable() · b3bd3d5a

Matt Caswell authored Apr 27, 2016



The function dane_ctx_enable() allocated some memory that it did not
free in an error path.

Reviewed-by: Richard Levitte <levitte@openssl.org>

b3bd3d5a

Free an ASN1_OBJECT in an error path · 34b9acbd

Matt Caswell authored Apr 27, 2016



The r2i_certpol() function allocates an ASN1_OBJECT but can fail to free
it in an error path.

Reviewed-by: Richard Levitte <levitte@openssl.org>

34b9acbd

Don't leak an ASN1_OCTET_STRING on error in rsa_cms_encrypt · 5e8129f2

Matt Caswell authored Apr 27, 2016



The rsa_cms_encrypt() function allocates an ASN1_OCTET_STRING but can
then fail to free it in an error condition.

Reviewed-by: Richard Levitte <levitte@openssl.org>

5e8129f2

Free memory on error in PKCS7_dataFinal() · d54ac5c4

Matt Caswell authored Apr 27, 2016



The PKCS7_dataFinal() function allocates a memory buffer but then fails
to free it on an error condition.

Reviewed-by: Richard Levitte <levitte@openssl.org>

d54ac5c4

Don't leak memory on error in PKCS12_key_gen_uni · 460c5e1d

Matt Caswell authored Apr 27, 2016



The PKCS12_key_gen_uni() had one error path which did not free memory
correctly.

Reviewed-by: Richard Levitte <levitte@openssl.org>

460c5e1d

Don't leak memory on error in i2b_PVK · 8e588e28

Matt Caswell authored Apr 27, 2016



The i2b_PVK function leaked a number of different memory allocations on
error paths (and even some non-error paths).

Reviewed-by: Richard Levitte <levitte@openssl.org>

8e588e28

Don't leak memory on error in b2i_rsa · 204cf940

Matt Caswell authored Apr 27, 2016



The b2i_rsa() function uses a number of temporary local variables which
get leaked on an error path.

Reviewed-by: Richard Levitte <levitte@openssl.org>

204cf940

Don't leak resource on error in OCSP_url_svcloc_new · a4e584a6

Matt Caswell authored Apr 27, 2016



On error we could leak a ACCESS_DESCRIPTION and an ASN1_IA5STRING. Both
should be freed in the error path.

Reviewed-by: Richard Levitte <levitte@openssl.org>

a4e584a6

Check that we were actually allocated BIGNUMs in dsa_builtin_paramgen2 · f08e8034

Matt Caswell authored Apr 27, 2016



Calls to BN_CTX_get() can fail so we should check that they were
successful.

Reviewed-by: Richard Levitte <levitte@openssl.org>

f08e8034

Don't leak EVP_MD_CTX on error path · 22803581

Matt Caswell authored Apr 27, 2016



The cms_SignerInfo_content_sign() function allocated an EVP_MD_CTX but
then failed to free it on an error path.

Reviewed-by: Richard Levitte <levitte@openssl.org>

22803581

Don't leak memory on error in cms_RecipientInfo_pwri_crypt · 29f4c357

Matt Caswell authored Apr 27, 2016



The cms_RecipientInfo_pwri_crypt() allocated an EVP_CIPHER_CTX but then
failed to free it in some error paths. By allocating it a bit later that
can be avoided.

Reviewed-by: Richard Levitte <levitte@openssl.org>

29f4c357

Don't leak memory on error in BN_generate_prime_ex · d71eb667

Matt Caswell authored Apr 27, 2016



In BN_generate_prime_ex() we do some sanity checks first and return
with an error if they fail. We should do that *before* allocating any
resources to avoid a memory leak.

Reviewed-by: Richard Levitte <levitte@openssl.org>

d71eb667

Free a BIGNUM on error in BN_mpi2bn · 91fb42dd

Matt Caswell authored Apr 27, 2016



In the BN_mpi2bn() function, a failure of a call to BN_bin2bn() could
result in the leak of a previously allocated BIGNUM value.

Reviewed-by: Richard Levitte <levitte@openssl.org>

91fb42dd

Don't leak memory on failure to create a mem BIO · b0b6ba2d

Matt Caswell authored Apr 27, 2016



During construction of a mem BIO we allocate some resources. If this
allocation fails we can end up leaking everything we have allocated so
far.

Reviewed-by: Richard Levitte <levitte@openssl.org>

b0b6ba2d

Close the accept socket on error · df0f2759

Matt Caswell authored Apr 27, 2016



When setting an accepted socket for non-blocking, if the operation fails
make sure we close the accepted socket.

Reviewed-by: Richard Levitte <levitte@openssl.org>

df0f2759

Make BIO_sock_error return a proper error code when getsockopt fails · 2bd8c853

Richard Levitte authored Apr 28, 2016



BIO_sock_error() returned 1 when getsockopt() fails when it should
return the error code for that failure.

Additionally, the optlen parameter to getsockopt() has to point at
the size of the area that the optval parameter points at rather than
zero.  Some systems may forgive it being zero, but others don't.

Reviewed-by: Matt Caswell <matt@openssl.org>

2bd8c853