diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8ccf2060e56a621b3eaa884af687f584ebc16aaa..bcb02f5417a6311be9d22f12d0f72c965f3ecc9a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,7 +20,7 @@ jobs: check_update: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: 0 - name: config @@ -35,7 +35,7 @@ jobs: check_docs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: ./config --strict-warnings && perl configdata.pm --dump - name: make build_generated @@ -49,7 +49,7 @@ jobs: check-ansi: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: CPPFLAGS=-ansi ./config no-asm no-makedepend enable-buildtest-c++ --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump - name: make @@ -58,7 +58,7 @@ jobs: basic_gcc: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: CC=gcc ./config --strict-warnings && perl configdata.pm --dump - name: make @@ -69,7 +69,7 @@ jobs: basic_clang: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: CC=clang ./config --strict-warnings && perl configdata.pm --dump - name: make 
@@ -80,7 +80,7 @@ jobs: minimal: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: ./config --strict-warnings no-shared no-dso no-pic no-aria no-async no-autoload-config no-blake2 no-bf no-camellia no-cast no-chacha no-cmac no-cms no-comp no-ct no-des no-dgram no-dh no-dsa no-dtls no-ec2m no-engine no-filenames no-gost no-idea no-mdc2 no-md4 no-multiblock no-nextprotoneg no-ocsp no-ocb no-poly1305 no-psk no-rc2 no-rc4 no-rmd160 no-seed no-siphash no-sm2 no-sm3 no-sm4 no-srp no-srtp no-ssl3 no-ssl3-method no-ts no-ui-console no-whirlpool no-asm -DOPENSSL_NO_SECURE_MEMORY -DOPENSSL_SMALL_FOOTPRINT && perl configdata.pm --dump - name: make @@ -91,7 +91,7 @@ jobs: no-deprecated: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: ./config --strict-warnings no-deprecated && perl configdata.pm --dump - name: make @@ -105,7 +105,7 @@ jobs: os: [ ubuntu-latest, macos-latest ] runs-on: ${{matrix.os}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: ./config --strict-warnings no-shared && perl configdata.pm --dump - name: make @@ -116,7 +116,7 @@ jobs: address_ub_sanitizer: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: ./config --debug enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION && perl configdata.pm --dump - name: make @@ -130,7 +130,7 @@ jobs: # memory_sanitizer: # runs-on: ubuntu-latest # steps: -# - uses: actions/checkout@v3 +# - uses: actions/checkout@v4 # - name: config # # --debug -O1 is to produce a debug build that runs in a reasonable amount of time # run: CC=clang ./config --debug -O1 -fsanitize=memory -DOSSL_SANITIZE_MEMORY -fno-optimize-sibling-calls enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 && perl configdata.pm --dump 
@@ -142,7 +142,7 @@ jobs: threads_sanitizer: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: CC=clang ./config --strict-warnings -fsanitize=thread && perl configdata.pm --dump - name: make @@ -153,7 +153,7 @@ jobs: enable_non-default_options: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: ./config --strict-warnings no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-crypto-mdebug-backtrace enable-egd && perl configdata.pm --dump - name: make @@ -164,7 +164,7 @@ jobs: legacy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: ./config -Werror --debug no-afalgeng no-shared enable-crypto-mdebug enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 && perl configdata.pm --dump - name: make @@ -175,7 +175,7 @@ jobs: buildtest: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: ./config no-asm no-makedepend enable-buildtest-c++ --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump - name: make @@ -186,7 +186,7 @@ jobs: out-of-tree_build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: setup build dir run: | set -eux @@ -210,7 +210,7 @@ jobs: os: [ubuntu-latest, macos-latest ] runs-on: ${{matrix.os}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: extra preparations run: | mkdir ./build @@ -231,7 +231,7 @@ jobs: external-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: submodules: recursive - name: package installs @@ -263,7 +263,7 @@ jobs: PYTHON: - 3.9 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: submodules: recursive - name: Configure OpenSSL 
diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml index 1bd62da1b1f42e6121d8688bff28d64faebe42ed..2a8970c8631ec64f46b36f5899e0c89a7c8f56c8 100644 --- a/.github/workflows/cross-compiles.yml +++ b/.github/workflows/cross-compiles.yml @@ -125,7 +125,7 @@ jobs: sudo apt-get -yq --force-yes install \ gcc-${{ matrix.platform.arch }} \ ${{ matrix.platform.libs }} - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: | diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml index 8a587bca3fcc22d180de235ae82717c6e96a2340..a8cfd03399b757244df6888bca838cc00d6d0682 100644 --- a/.github/workflows/run-checker-ci.yml +++ b/.github/workflows/run-checker-ci.yml @@ -30,7 +30,7 @@ jobs: ] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: CC=clang ./config --strict-warnings ${{ matrix.opt }} - name: config dump diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml index 43d1b0afaa71306fb2fd2874ec8bf260ffc23dbe..effc420cb6820772acb203d4bd67141ef13c3331 100644 --- a/.github/workflows/run-checker-daily.yml +++ b/.github/workflows/run-checker-daily.yml @@ -117,7 +117,7 @@ jobs: ] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: CC=clang ./config --strict-warnings ${{ matrix.opt }} - name: config dump diff --git a/.github/workflows/run-checker-merge.yml b/.github/workflows/run-checker-merge.yml index b4887e6b03d8ded6b874666144505199a563d248..4d701366ca3d82cc10908fa7c0afadac7bc36dac 100644 --- a/.github/workflows/run-checker-merge.yml +++ b/.github/workflows/run-checker-merge.yml @@ -26,7 +26,7 @@ jobs: ] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: config run: CC=clang ./config --strict-warnings ${{ matrix.opt }} - name: config dump 
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 395f69764fdae785e8ae63b39d16ff307fd947db..4ec4b64d1c273886ca775268fac2410d29aea4b5 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -21,7 +21,7 @@ jobs: config: VC-WIN32 --strict-warnings runs-on: ${{matrix.os}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: ilammy/msvc-dev-cmd@v1 with: arch: ${{ matrix.platform.arch }} @@ -57,7 +57,7 @@ jobs: - windows-2022 runs-on: ${{matrix.os}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: ilammy/msvc-dev-cmd@v1 - uses: shogo82148/actions-setup-perl@v1 - name: prepare the build directory @@ -81,7 +81,7 @@ jobs: - windows-2022 runs-on: ${{matrix.os}} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: ilammy/msvc-dev-cmd@v1 - uses: shogo82148/actions-setup-perl@v1 - name: prepare the build directory diff --git a/CHANGES b/CHANGES index b0b2f44e419ef7e3c6e4d412559d73372d26e17d..8c6f19356d8791a1b590b2e5db234de52f993ae6 100644 --- a/CHANGES +++ b/CHANGES 
@@ -9,7 +9,27 @@ Changes between 1.1.1v and 1.1.1w [xx XXX xxxx] - *) + *) Fix POLY1305 MAC implementation corrupting XMM registers on Windows. + + The POLY1305 MAC (message authentication code) implementation in OpenSSL + does not save the contents of non-volatile XMM registers on Windows 64 + platform when calculating the MAC of data larger than 64 bytes. Before + returning to the caller all the XMM registers are set to zero rather than + restoring their previous content. The vulnerable code is used only on newer + x86_64 processors supporting the AVX512-IFMA instructions. + + The consequences of this kind of internal application state corruption can + be various - from no consequences, if the calling application does not + depend on the contents of non-volatile XMM registers at all, to the worst + consequences, where the attacker could get complete control of the + application process. However given the contents of the registers are just + zeroized so the attacker cannot put arbitrary values inside, the most likely + consequence, if any, would be an incorrect result of some application + dependent calculations or a crash leading to a denial of service. + + (CVE-2023-4807) + [Bernd Edlinger] + Changes between 1.1.1u and 1.1.1v [1 Aug 2023] diff --git a/NEWS b/NEWS index 2cbee282836d4aff930348db3acb68f4696ec714..12ecbf1def2081fd5236f41681612582ca2e5b56 100644 --- a/NEWS +++ b/NEWS @@ -7,7 +7,8 @@ Major changes between OpenSSL 1.1.1v and OpenSSL 1.1.1w [under development] - o + o Fix POLY1305 MAC implementation corrupting XMM registers on Windows + (CVE-2023-4807) Major changes between OpenSSL 1.1.1u and OpenSSL 1.1.1v [1 Aug 2023] diff --git a/appveyor.yml b/appveyor.yml deleted file mode 100644 index 6210391f204a37333a5a1d4cc77f99dbb9b5db08..0000000000000000000000000000000000000000 --- a/appveyor.yml +++ /dev/null 
@@ -1,78 +0,0 @@ -image: - - Visual Studio 2017 - -platform: - - x64 - - x86 - -environment: - fast_finish: true - matrix: - - VSVER: 15 - -configuration: - - shared - - plain - - minimal - -before_build: - - ps: >- - Install-Module VSSetup -Scope CurrentUser - - ps: >- - Get-VSSetupInstance -All - - ps: >- - gci env:* | sort-object name - - ps: >- - If ($env:Platform -Match "x86") { - $env:VCVARS_PLATFORM="x86" - $env:TARGET="VC-WIN32 no-asm --strict-warnings" - } Else { - $env:VCVARS_PLATFORM="amd64" - $env:TARGET="VC-WIN64A-masm" - } - - ps: >- - If ($env:Configuration -Match "shared") { - $env:SHARED="no-makedepend" - } ElseIf ($env:Configuration -Match "minimal") { - $env:SHARED="no-shared no-dso no-makedepend no-aria no-async no-autoload-config no-blake2 no-bf no-camellia no-cast no-chacha no-cmac no-cms no-comp no-ct no-des no-dgram no-dh no-dsa no-dtls no-ec2m no-engine no-filenames no-gost no-idea no-mdc2 no-md4 no-multiblock no-nextprotoneg no-ocsp no-ocb no-poly1305 no-psk no-rc2 no-rc4 no-rmd160 no-seed no-siphash no-sm2 no-sm3 no-sm4 no-srp no-srtp no-ssl3 no-ssl3-method no-ts no-ui-console no-whirlpool no-asm -DOPENSSL_SMALL_FOOTPRINT" - } Else { - $env:SHARED="no-shared no-makedepend" - } - - call "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Auxiliary\Build\vcvarsall.bat" %VCVARS_PLATFORM% - - mkdir _build - - cd _build - - perl ..\Configure %TARGET% %SHARED% - - perl configdata.pm --dump - - cd .. - - ps: >- - if (-not $env:APPVEYOR_PULL_REQUEST_NUMBER` - -or (&git log -1 $env:APPVEYOR_PULL_REQUEST_HEAD_COMMIT | - Select-String "\[extended tests\]") ) { - $env:EXTENDED_TESTS="yes" - } - -build_script: - - cd _build - - ps: >- - If ($env:Configuration -Match "shared" -or $env:EXTENDED_TESTS) { - cmd /c "nmake build_all_generated 2>&1" - cmd /c "nmake PERL=no-perl 2>&1" - } - - cd .. 
- -test_script: - - cd _build - - ps: >- - If ($env:Configuration -Match "shared" -or $env:EXTENDED_TESTS) { - if ($env:EXTENDED_TESTS) { - cmd /c "nmake test V=1 2>&1" - } Else { - cmd /c "nmake test V=1 TESTS=-test_fuzz 2>&1" - } - } - - ps: >- - if ($env:EXTENDED_TESTS) { - mkdir ..\_install - cmd /c "nmake install DESTDIR=..\_install 2>&1" - } - - cd .. diff --git a/crypto/cms/cms_asn1.c b/crypto/cms/cms_asn1.c index 08069d72a29e27f5ea05bdee6544ecd1587fdb21..d006ada998963be159f30362dfde3b0c8bd6771a 100644 --- a/crypto/cms/cms_asn1.c +++ b/crypto/cms/cms_asn1.c @@ -51,6 +51,7 @@ static int cms_si_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, EVP_PKEY_free(si->pkey); X509_free(si->signer); EVP_MD_CTX_free(si->mctx); + EVP_PKEY_CTX_free(si->pctx); } return 1; } @@ -89,11 +90,21 @@ ASN1_SEQUENCE(CMS_OriginatorInfo) = { ASN1_IMP_SET_OF_OPT(CMS_OriginatorInfo, crls, CMS_RevocationInfoChoice, 1) } static_ASN1_SEQUENCE_END(CMS_OriginatorInfo) -ASN1_NDEF_SEQUENCE(CMS_EncryptedContentInfo) = { +static int cms_ec_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, + void *exarg) +{ + CMS_EncryptedContentInfo *ec = (CMS_EncryptedContentInfo *)*pval; + + if (operation == ASN1_OP_FREE_POST) + OPENSSL_clear_free(ec->key, ec->keylen); + return 1; +} + +ASN1_NDEF_SEQUENCE_cb(CMS_EncryptedContentInfo, cms_ec_cb) = { ASN1_SIMPLE(CMS_EncryptedContentInfo, contentType, ASN1_OBJECT), ASN1_SIMPLE(CMS_EncryptedContentInfo, contentEncryptionAlgorithm, X509_ALGOR), ASN1_IMP_OPT(CMS_EncryptedContentInfo, encryptedContent, ASN1_OCTET_STRING_NDEF, 0) -} static_ASN1_NDEF_SEQUENCE_END(CMS_EncryptedContentInfo) +} ASN1_NDEF_SEQUENCE_END_cb(CMS_EncryptedContentInfo, CMS_EncryptedContentInfo) ASN1_SEQUENCE(CMS_KeyTransRecipientInfo) = { ASN1_EMBED(CMS_KeyTransRecipientInfo, version, INT32), diff --git a/crypto/cms/cms_local.h b/crypto/cms/cms_local.h index a0ce4448f6036e54da858901857cde3e8196ead2..b275bddf75b25a2fe90f09000b728e92cef4765f 100644 --- a/crypto/cms/cms_local.h 
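Review bot: Freeing `si->pctx` in cms_si_cb right after `EVP_MD_CTX_free(si->mctx)` is only safe if the digest context has not already released the same key context, and nothing at this call site records that. The cms_sd.c hunks in this commit set `EVP_MD_CTX_FLAG_KEEP_PKEY_CTX` after each init call, which is what makes it hold today. I would add a comment such as `/* si->pctx is owned by si: every init of si->mctx sets EVP_MD_CTX_FLAG_KEEP_PKEY_CTX */`, so that a later init path that forgets the flag is recognised as a double-free risk. cms_si_cb starts outside the hunk.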
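Review bot: `OPENSSL_clear_free(ec->key, ec->keylen)` in the new cms_ec_cb cleanses exactly `keylen` bytes, so it depends on every writer of `ec->key` keeping `ec->keylen` equal to the size of that buffer. Those writers are not visible in this diff and should be confirmed. A short comment on the callback would record the requirement, for example `/* key material: ec->keylen must always match the size of ec->key */`. It would also help to note that `ec` is only dereferenced for `ASN1_OP_FREE_POST`, since the cast from `*pval` happens for every operation.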
+++ b/crypto/cms/cms_local.h @@ -342,6 +342,7 @@ struct CMS_Receipt_st { DECLARE_ASN1_FUNCTIONS(CMS_ContentInfo) DECLARE_ASN1_ITEM(CMS_SignerInfo) +DECLARE_ASN1_ITEM(CMS_EncryptedContentInfo) DECLARE_ASN1_ITEM(CMS_IssuerAndSerialNumber) DECLARE_ASN1_ITEM(CMS_Attributes_Sign) DECLARE_ASN1_ITEM(CMS_Attributes_Verify) diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index 3f2a782565a8a1d15f188d81dab9a54773143292..708b443704026113d5dd1df7ffd19502c650b6e0 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c @@ -375,6 +375,8 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, } else if (EVP_DigestSignInit(si->mctx, &si->pctx, md, NULL, pk) <= 0) goto err; + else + EVP_MD_CTX_set_flags(si->mctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX); } if (!sd->signerInfos) @@ -600,6 +602,7 @@ static int cms_SignerInfo_content_sign(CMS_ContentInfo *cms, unsigned char md[EVP_MAX_MD_SIZE]; unsigned int mdlen; pctx = si->pctx; + si->pctx = NULL; if (!EVP_DigestFinal_ex(mctx, md, &mdlen)) goto err; siglen = EVP_PKEY_size(si->pkey); @@ -680,6 +683,7 @@ int CMS_SignerInfo_sign(CMS_SignerInfo *si) EVP_MD_CTX_reset(mctx); if (EVP_DigestSignInit(mctx, &pctx, md, NULL, si->pkey) <= 0) goto err; + EVP_MD_CTX_set_flags(mctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX); si->pctx = pctx; } @@ -745,8 +749,13 @@ int CMS_SignerInfo_verify(CMS_SignerInfo *si) return -1; } mctx = si->mctx; + if (si->pctx != NULL) { + EVP_PKEY_CTX_free(si->pctx); + si->pctx = NULL; + } if (EVP_DigestVerifyInit(mctx, &si->pctx, md, NULL, si->pkey) <= 0) goto err; + EVP_MD_CTX_set_flags(mctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX); if (!cms_sd_asn1_ctrl(si, 1)) goto err; 
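Review bot: `si->pctx = NULL;` directly after `pctx = si->pctx;` in cms_SignerInfo_content_sign hands ownership of the key context to the local variable, but the hunk does not show where `pctx` is released. The success and `err` paths are outside the hunk, so please confirm both free it. The hand-over deserves a comment such as `/* take ownership: pctx is released below, the SignerInfo free callback must not see it */`.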
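Review bot: In CMS_SignerInfo_verify the new block frees `si->pctx` and then passes the same `mctx` to `EVP_DigestVerifyInit`; if `si->mctx` can still reference that key context at this point, the init call would start from a stale pointer. One case to check is a SignerInfo that was set up for signing earlier. The hunk does not show whether `mctx` is always reset before execution reaches here, so this needs confirming against the function's exit paths, which are outside the hunk. If the invariant holds, a comment such as `/* mctx was reset on the previous exit path and no longer references si->pctx */` would make it explicit.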
@@ -859,8 +868,11 @@ int CMS_SignerInfo_verify_content(CMS_SignerInfo *si, BIO *chain) if (EVP_PKEY_CTX_set_signature_md(pkctx, md) <= 0) goto err; si->pctx = pkctx; - if (!cms_sd_asn1_ctrl(si, 1)) + if (!cms_sd_asn1_ctrl(si, 1)) { + si->pctx = NULL; goto err; + } + si->pctx = NULL; r = EVP_PKEY_verify(pkctx, si->signature->data, si->signature->length, mval, mlen); if (r <= 0) { diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c index 6e7dbc4da1fae39c4cf472f88ab6842e4fb528be..8f3a9fbaeb977ae8ae99228f5b16040cec2f7564 100644 --- a/crypto/cms/cms_smime.c +++ b/crypto/cms/cms_smime.c @@ -211,7 +211,7 @@ CMS_ContentInfo *CMS_EncryptedData_encrypt(BIO *in, const EVP_CIPHER *cipher, if (cms == NULL) return NULL; if (!CMS_EncryptedData_set1_key(cms, cipher, key, keylen)) - return NULL; + goto err; if (!(flags & CMS_DETACHED)) CMS_set_detached(cms, 0); @@ -220,6 +220,7 @@ CMS_ContentInfo *CMS_EncryptedData_encrypt(BIO *in, const EVP_CIPHER *cipher, || CMS_final(cms, in, NULL, flags)) return cms; + err: CMS_ContentInfo_free(cms); return NULL; } diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index 5098bd7a66025a3960742c68e9780f150e5ed68c..c48b7cb7542142956c4e14aee1a0a659cd5c5653 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -38,7 +38,6 @@ static int eckey_param2type(int *pptype, void **ppval, const EC_KEY *ec_key) ASN1_OBJECT *asn1obj = OBJ_nid2obj(nid); if (asn1obj == NULL || OBJ_length(asn1obj) == 0) { - ASN1_OBJECT_free(asn1obj); ECerr(EC_F_ECKEY_PARAM2TYPE, EC_R_MISSING_OID); return 0; } @@ -98,9 +97,7 @@ static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) ptype, pval, penc, penclen)) return 1; err: - if (ptype == V_ASN1_OBJECT) - ASN1_OBJECT_free(pval); - else + if (ptype == V_ASN1_SEQUENCE) ASN1_STRING_free(pval); OPENSSL_free(penc); return 0; 
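Review bot: `si->pctx = pkctx;` in CMS_SignerInfo_verify_content overwrites whatever `si->pctx` held, and both new branches then set it to NULL, so a context already stored there would be lost without being freed. With this commit CMS_SignerInfo_verify leaves `si->pctx` populated, so it is worth confirming that this branch cannot be reached for such a SignerInfo; the code that selects the branch is outside the hunk. If it can, saving and restoring the previous value would avoid the leak: `saved = si->pctx; si->pctx = pkctx;` before the call and `si->pctx = saved;` where the hunk writes NULL. Either way a comment such as `/* pkctx is only lent to si for cms_sd_asn1_ctrl() */` would explain the temporary aliasing.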
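Review bot: The `err:` path of eckey_pub_encode now frees `pval` only for `V_ASN1_SEQUENCE`, and the reason the `V_ASN1_OBJECT` case must not be freed is not stated near it. The first hunk of this file shows the object coming from `OBJ_nid2obj(nid)`, so a comment like `/* V_ASN1_OBJECT: pval comes from OBJ_nid2obj() and is not ours to free */` would keep the free from being reintroduced. The same comment applies to the `ptype == V_ASN1_SEQUENCE` checks added in eckey_priv_encode.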
@@ -256,24 +253,32 @@ static int eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) eplen = i2d_ECPrivateKey(&ec_key, NULL); if (!eplen) { + if (ptype == V_ASN1_SEQUENCE) + ASN1_STRING_free(pval); ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB); return 0; } ep = OPENSSL_malloc(eplen); if (ep == NULL) { + if (ptype == V_ASN1_SEQUENCE) + ASN1_STRING_free(pval); ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_MALLOC_FAILURE); return 0; } p = ep; if (!i2d_ECPrivateKey(&ec_key, &p)) { - OPENSSL_free(ep); + OPENSSL_clear_free(ep, eplen); + if (ptype == V_ASN1_SEQUENCE) + ASN1_STRING_free(pval); ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB); return 0; } if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), 0, ptype, pval, ep, eplen)) { - OPENSSL_free(ep); + OPENSSL_clear_free(ep, eplen); + if (ptype == V_ASN1_SEQUENCE) + ASN1_STRING_free(pval); return 0; } diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index 2c9c46ea53c8becaf1f43e9eff467e135e2e760e..63efd93798811a940951fb59ea52e3c4d492617c 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -82,13 +82,16 @@ static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) if (!rsa_param_encode(pkey, &str, &strtype)) return 0; penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc); - if (penclen <= 0) + if (penclen <= 0) { + ASN1_STRING_free(str); return 0; + } if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id), strtype, str, penc, penclen)) return 1; OPENSSL_free(penc); + ASN1_STRING_free(str); return 0; } diff --git a/fuzz/corpora/cms/2aba8037213156ea1593054768d4576cb8d08309 b/fuzz/corpora/cms/2aba8037213156ea1593054768d4576cb8d08309 new file mode 100644 index 0000000000000000000000000000000000000000..8b18bb15d5fa6ade857b5118cab2977a5e225334 Binary files /dev/null and b/fuzz/corpora/cms/2aba8037213156ea1593054768d4576cb8d08309 differ 
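Review bot: The cleanup `if (ptype == V_ASN1_SEQUENCE) ASN1_STRING_free(pval);` is now repeated on four separate failure paths of eckey_priv_encode, which is the pattern that let the original leak go unnoticed. A single `err:` label that cleanses `ep` and releases `pval` would keep the paths from drifting apart again. The sketch below assumes `ep` is initialised to NULL at its declaration, which is outside the hunk, so that the label is safe for the first failure. The function's start and its success return are also outside the hunk.

```c
    eplen = i2d_ECPrivateKey(&ec_key, NULL);
    if (!eplen) {
        ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB);
        goto err;
    }
    ep = OPENSSL_malloc(eplen);
    if (ep == NULL) {
        ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_MALLOC_FAILURE);
        goto err;
    }
    p = ep;
    if (!i2d_ECPrivateKey(&ec_key, &p)) {
        ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB);
        goto err;
    }
    if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), 0,
                         ptype, pval, ep, eplen))
        goto err;

    /* ... unchanged: rest of the function up to the success return ... */

 err:
    /* ep holds the DER-encoded private key, so cleanse it before freeing */
    OPENSSL_clear_free(ep, eplen);
    if (ptype == V_ASN1_SEQUENCE)
        ASN1_STRING_free(pval);
    return 0;
```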
diff --git a/fuzz/corpora/cms/2aba8037213156ea1593054768d4576cb8d083ed b/fuzz/corpora/cms/2aba8037213156ea1593054768d4576cb8d083ed new file mode 100644 index 0000000000000000000000000000000000000000..0aabaa3fdfcb608a5549fa93b6c9e2028c49bc7e Binary files /dev/null and b/fuzz/corpora/cms/2aba8037213156ea1593054768d4576cb8d083ed differ diff --git a/test/recipes/15-test_rsapss.t b/test/recipes/15-test_rsapss.t index 65ec6f3d75289d5d8f53d95f6818ecefdb925642..61c13b6a49a58bceb9fde72e01a728650e547239 100644 --- a/test/recipes/15-test_rsapss.t +++ b/test/recipes/15-test_rsapss.t @@ -16,7 +16,7 @@ use OpenSSL::Test::Utils; setup("test_rsapss"); -plan tests => 5; +plan tests => 7; #using test/testrsa.pem which happens to be a 512 bit RSA ok(run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha1', @@ -47,3 +47,11 @@ ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'), srctop_file('test', 'testrsa.pem')])), "openssl dgst -prverify"); unlink 'testrsapss.sig'; + +ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA-PSS', '-pkeyopt', 'rsa_keygen_bits:1024', + '-pkeyopt', 'rsa_pss_keygen_md:SHA256', '-pkeyopt', 'rsa_pss_keygen_saltlen:10', + '-out', 'testrsapss.pem'])), + "openssl genpkey RSA-PSS with pss parameters"); +ok(run(app(['openssl', 'pkey', '-in', 'testrsapss.pem', '-pubout', '-text'])), + "openssl pkey, execute rsa_pub_encode with pss parameters"); +unlink 'testrsapss.pem'; diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t index adb60e14368645c007bb61d71fa6516ca24cc6f1..544d4466b5a2cf626bdf71eb65ce183a3bc172b1 100644 --- a/test/recipes/80-test_cms.t +++ b/test/recipes/80-test_cms.t 
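Review bot: The two checks added at the end of 15-test_rsapss.t only assert that `openssl genpkey` and `openssl pkey` exit successfully, so they cannot fail on a memory leak in an ordinary build. They presumably target the `rsa_pub_encode` cleanup added in this commit, which would only be caught under a memory-checking build such as the `address_ub_sanitizer` job in ci.yml. A comment above them would make that explicit, for example `# leak regression for rsa_pub_encode: only meaningful in a sanitizer or valgrind run`.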
@@ -288,6 +288,13 @@ my @smime_cms_tests = ( "-secretkey", "000102030405060708090A0B0C0D0E0F", "-out", "smtst.txt" ] ], + [ "encrypted content test streaming PEM format -noout, 128 bit AES key", + [ "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", + "-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F", + "-stream", "-noout" ], + [ "-help" ] + ], + ); my @smime_cms_comp_tests = (
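Review bot: The new entry passes `[ "-help" ]` where the neighbouring entry ends with a real second command, and nothing explains that it is a stand-in. A comment such as `# -noout writes nothing to decrypt, so "-help" is only a placeholder second command` would save the next reader from hunting for the missing verification step. This reading is inferred from the shape of the entry, since the loop that consumes `@smime_cms_tests` is outside the hunk. As the test asserts only exit status, its value as a regression test for the key cleanup presumably also depends on a sanitizer run.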