Version in base suite: 1.1.1n-0+deb11u4 Version in overlay suite: 1.1.1v-0~deb11u1 Base version: openssl_1.1.1v-0~deb11u1 Target version: openssl_1.1.1w-0~deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openssl/openssl_1.1.1v-0~deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openssl/openssl_1.1.1w-0~deb11u1.dsc CHANGES | 24 ++++++++++ NEWS | 5 ++ README | 2 appveyor.yml | 78 --------------------------------- crypto/asn1/ameth_lib.c | 11 ++++ crypto/cms/cms_asn1.c | 17 +++++-- crypto/cms/cms_local.h | 3 - crypto/cms/cms_sd.c | 16 +++++- crypto/cms/cms_smime.c | 5 +- crypto/ec/ec_ameth.c | 19 +++++--- crypto/poly1305/asm/poly1305-x86_64.pl | 6 +- crypto/rsa/rsa_ameth.c | 7 ++ debian/changelog | 6 ++ doc/man3/CMS_sign.pod | 4 - include/openssl/opensslv.h | 4 - ssl/ssl_sess.c | 7 ++ test/recipes/15-test_rsapss.t | 12 ++++- test/recipes/80-test_cms.t | 7 ++ 18 files changed, 125 insertions(+), 108 deletions(-) diff -Nru openssl-1.1.1v/CHANGES openssl-1.1.1w/CHANGES --- openssl-1.1.1v/CHANGES 2023-08-01 13:51:35.000000000 +0000 +++ openssl-1.1.1w/CHANGES 2023-09-11 14:08:11.000000000 +0000 @@ -7,6 +7,30 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.1.1v and 1.1.1w [11 Sep 2023] + + *) Fix POLY1305 MAC implementation corrupting XMM registers on Windows. + + The POLY1305 MAC (message authentication code) implementation in OpenSSL + does not save the contents of non-volatile XMM registers on Windows 64 + platform when calculating the MAC of data larger than 64 bytes. Before + returning to the caller all the XMM registers are set to zero rather than + restoring their previous content. The vulnerable code is used only on newer + x86_64 processors supporting the AVX512-IFMA instructions. + + The consequences of this kind of internal application state corruption can + be various - from no consequences, if the calling application does not + depend on the contents of non-volatile XMM registers at all, to the worst + consequences, where the attacker could get complete control of the + application process. However given the contents of the registers are just + zeroized so the attacker cannot put arbitrary values inside, the most likely + consequence, if any, would be an incorrect result of some application + dependent calculations or a crash leading to a denial of service. + + (CVE-2023-4807) + [Bernd Edlinger] + + Changes between 1.1.1u and 1.1.1v [1 Aug 2023] *) Fix excessive time spent checking DH q parameter value. diff -Nru openssl-1.1.1v/NEWS openssl-1.1.1w/NEWS --- openssl-1.1.1v/NEWS 2023-08-01 13:51:35.000000000 +0000 +++ openssl-1.1.1w/NEWS 2023-09-11 14:08:11.000000000 +0000 @@ -5,6 +5,11 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.1.1v and OpenSSL 1.1.1w [11 Sep 2023] + + o Fix POLY1305 MAC implementation corrupting XMM registers on Windows + (CVE-2023-4807) + Major changes between OpenSSL 1.1.1u and OpenSSL 1.1.1v [1 Aug 2023] o Fix excessive time spent checking DH q parameter value (CVE-2023-3817) diff -Nru openssl-1.1.1v/README openssl-1.1.1w/README --- openssl-1.1.1v/README 2023-08-01 13:51:35.000000000 +0000 +++ openssl-1.1.1w/README 2023-09-11 14:08:11.000000000 +0000 @@ -1,5 +1,5 @@ - OpenSSL 1.1.1v 1 Aug 2023 + OpenSSL 1.1.1w 11 Sep 2023 Copyright (c) 1998-2023 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff -Nru openssl-1.1.1v/appveyor.yml openssl-1.1.1w/appveyor.yml --- openssl-1.1.1v/appveyor.yml 2023-08-01 13:51:35.000000000 +0000 +++ openssl-1.1.1w/appveyor.yml 1970-01-01 00:00:00.000000000 +0000 @@ -1,78 +0,0 @@ -image: - - Visual Studio 2017 - -platform: - - x64 - - x86 - -environment: - fast_finish: true - matrix: - - VSVER: 15 - -configuration: - - shared - - plain - - minimal - -before_build: - - ps: >- - Install-Module VSSetup -Scope CurrentUser - - ps: >- - Get-VSSetupInstance -All - - ps: >- - gci env:* | sort-object name - - ps: >- - If ($env:Platform -Match "x86") { - $env:VCVARS_PLATFORM="x86" - $env:TARGET="VC-WIN32 no-asm --strict-warnings" - } Else { - $env:VCVARS_PLATFORM="amd64" - $env:TARGET="VC-WIN64A-masm" - } - - ps: >- - If ($env:Configuration -Match "shared") { - $env:SHARED="no-makedepend" - } ElseIf ($env:Configuration -Match "minimal") { - $env:SHARED="no-shared no-dso no-makedepend no-aria no-async no-autoload-config no-blake2 no-bf no-camellia no-cast no-chacha no-cmac no-cms no-comp no-ct no-des no-dgram no-dh no-dsa no-dtls no-ec2m no-engine no-filenames no-gost no-idea no-mdc2 no-md4 no-multiblock no-nextprotoneg no-ocsp no-ocb no-poly1305 no-psk no-rc2 no-rc4 no-rmd160 no-seed no-siphash no-sm2 no-sm3 no-sm4 no-srp no-srtp no-ssl3 no-ssl3-method no-ts no-ui-console no-whirlpool no-asm -DOPENSSL_SMALL_FOOTPRINT" - } Else { - $env:SHARED="no-shared no-makedepend" - } - - call "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Auxiliary\Build\vcvarsall.bat" %VCVARS_PLATFORM% - - mkdir _build - - cd _build - - perl ..\Configure %TARGET% %SHARED% - - perl configdata.pm --dump - - cd .. - - ps: >- - if (-not $env:APPVEYOR_PULL_REQUEST_NUMBER` - -or (&git log -1 $env:APPVEYOR_PULL_REQUEST_HEAD_COMMIT | - Select-String "\[extended tests\]") ) { - $env:EXTENDED_TESTS="yes" - } - -build_script: - - cd _build - - ps: >- - If ($env:Configuration -Match "shared" -or $env:EXTENDED_TESTS) { - cmd /c "nmake build_all_generated 2>&1" - cmd /c "nmake PERL=no-perl 2>&1" - } - - cd .. - -test_script: - - cd _build - - ps: >- - If ($env:Configuration -Match "shared" -or $env:EXTENDED_TESTS) { - if ($env:EXTENDED_TESTS) { - cmd /c "nmake test V=1 2>&1" - } Else { - cmd /c "nmake test V=1 TESTS=-test_fuzz 2>&1" - } - } - - ps: >- - if ($env:EXTENDED_TESTS) { - mkdir ..\_install - cmd /c "nmake install DESTDIR=..\_install 2>&1" - } - - cd .. diff -Nru openssl-1.1.1v/crypto/asn1/ameth_lib.c openssl-1.1.1w/crypto/asn1/ameth_lib.c --- openssl-1.1.1v/crypto/asn1/ameth_lib.c 2023-08-01 13:51:35.000000000 +0000 +++ openssl-1.1.1w/crypto/asn1/ameth_lib.c 2023-09-11 14:08:11.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -264,6 +264,7 @@ dst->pkey_size = src->pkey_size; dst->pkey_bits = src->pkey_bits; + dst->pkey_security_bits = src->pkey_security_bits; dst->param_decode = src->param_decode; dst->param_encode = src->param_encode; @@ -271,6 +272,7 @@ dst->param_copy = src->param_copy; dst->param_cmp = src->param_cmp; dst->param_print = src->param_print; + dst->sig_print = src->sig_print; dst->pkey_free = src->pkey_free; dst->pkey_ctrl = src->pkey_ctrl; @@ -281,6 +283,13 @@ dst->siginf_set = src->siginf_set; dst->pkey_check = src->pkey_check; + dst->pkey_public_check = src->pkey_public_check; + dst->pkey_param_check = src->pkey_param_check; + + dst->set_priv_key = src->set_priv_key; + dst->set_pub_key = src->set_pub_key; + dst->get_priv_key = src->get_priv_key; + dst->get_pub_key = src->get_pub_key; } diff -Nru openssl-1.1.1v/crypto/cms/cms_asn1.c openssl-1.1.1w/crypto/cms/cms_asn1.c --- openssl-1.1.1v/crypto/cms/cms_asn1.c 2023-08-01 13:51:35.000000000 +0000 +++ openssl-1.1.1w/crypto/cms/cms_asn1.c 2023-09-11 14:08:11.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -51,6 +51,7 @@ EVP_PKEY_free(si->pkey); X509_free(si->signer); EVP_MD_CTX_free(si->mctx); + EVP_PKEY_CTX_free(si->pctx); } return 1; } @@ -89,11 +90,21 @@ ASN1_IMP_SET_OF_OPT(CMS_OriginatorInfo, crls, CMS_RevocationInfoChoice, 1) } static_ASN1_SEQUENCE_END(CMS_OriginatorInfo) -ASN1_NDEF_SEQUENCE(CMS_EncryptedContentInfo) = { +static int cms_ec_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, + void *exarg) +{ + CMS_EncryptedContentInfo *ec = (CMS_EncryptedContentInfo *)*pval; + + if (operation == ASN1_OP_FREE_POST) + OPENSSL_clear_free(ec->key, ec->keylen); + return 1; +} + +ASN1_NDEF_SEQUENCE_cb(CMS_EncryptedContentInfo, cms_ec_cb) = { ASN1_SIMPLE(CMS_EncryptedContentInfo, contentType, ASN1_OBJECT), ASN1_SIMPLE(CMS_EncryptedContentInfo, contentEncryptionAlgorithm, X509_ALGOR), ASN1_IMP_OPT(CMS_EncryptedContentInfo, encryptedContent, ASN1_OCTET_STRING_NDEF, 0) -} static_ASN1_NDEF_SEQUENCE_END(CMS_EncryptedContentInfo) +} ASN1_NDEF_SEQUENCE_END_cb(CMS_EncryptedContentInfo, CMS_EncryptedContentInfo) ASN1_SEQUENCE(CMS_KeyTransRecipientInfo) = { ASN1_EMBED(CMS_KeyTransRecipientInfo, version, INT32), diff -Nru openssl-1.1.1v/crypto/cms/cms_local.h openssl-1.1.1w/crypto/cms/cms_local.h --- openssl-1.1.1v/crypto/cms/cms_local.h 2023-08-01 13:51:35.000000000 +0000 +++ openssl-1.1.1w/crypto/cms/cms_local.h 2023-09-11 14:08:11.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -342,6 +342,7 @@ DECLARE_ASN1_FUNCTIONS(CMS_ContentInfo) DECLARE_ASN1_ITEM(CMS_SignerInfo) +DECLARE_ASN1_ITEM(CMS_EncryptedContentInfo) DECLARE_ASN1_ITEM(CMS_IssuerAndSerialNumber) DECLARE_ASN1_ITEM(CMS_Attributes_Sign) DECLARE_ASN1_ITEM(CMS_Attributes_Verify) diff -Nru openssl-1.1.1v/crypto/cms/cms_sd.c openssl-1.1.1w/crypto/cms/cms_sd.c --- openssl-1.1.1v/crypto/cms/cms_sd.c 2023-08-01 13:51:35.000000000 +0000 +++ openssl-1.1.1w/crypto/cms/cms_sd.c 2023-09-11 14:08:11.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -375,6 +375,8 @@ } else if (EVP_DigestSignInit(si->mctx, &si->pctx, md, NULL, pk) <= 0) goto err; + else + EVP_MD_CTX_set_flags(si->mctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX); } if (!sd->signerInfos) @@ -600,6 +602,7 @@ unsigned char md[EVP_MAX_MD_SIZE]; unsigned int mdlen; pctx = si->pctx; + si->pctx = NULL; if (!EVP_DigestFinal_ex(mctx, md, &mdlen)) goto err; siglen = EVP_PKEY_size(si->pkey); @@ -680,6 +683,7 @@ EVP_MD_CTX_reset(mctx); if (EVP_DigestSignInit(mctx, &pctx, md, NULL, si->pkey) <= 0) goto err; + EVP_MD_CTX_set_flags(mctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX); si->pctx = pctx; } @@ -745,8 +749,13 @@ return -1; } mctx = si->mctx; + if (si->pctx != NULL) { + EVP_PKEY_CTX_free(si->pctx); + si->pctx = NULL; + } if (EVP_DigestVerifyInit(mctx, &si->pctx, md, NULL, si->pkey) <= 0) goto err; + EVP_MD_CTX_set_flags(mctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX); if (!cms_sd_asn1_ctrl(si, 1)) goto err; @@ -859,8 +868,11 @@ if (EVP_PKEY_CTX_set_signature_md(pkctx, md) <= 0) goto err; si->pctx = pkctx; - if (!cms_sd_asn1_ctrl(si, 1)) + if (!cms_sd_asn1_ctrl(si, 1)) { + si->pctx = NULL; goto err; + } + si->pctx = NULL; r = EVP_PKEY_verify(pkctx, si->signature->data, si->signature->length, mval, mlen); if (r <= 0) { diff -Nru openssl-1.1.1v/crypto/cms/cms_smime.c openssl-1.1.1w/crypto/cms/cms_smime.c --- openssl-1.1.1v/crypto/cms/cms_smime.c 2023-08-01 13:51:35.000000000 +0000 +++ openssl-1.1.1w/crypto/cms/cms_smime.c 2023-09-11 14:08:11.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -211,7 +211,7 @@ if (cms == NULL) return NULL; if (!CMS_EncryptedData_set1_key(cms, cipher, key, keylen)) - return NULL; + goto err; if (!(flags & CMS_DETACHED)) CMS_set_detached(cms, 0); @@ -220,6 +220,7 @@ || CMS_final(cms, in, NULL, flags)) return cms; + err: CMS_ContentInfo_free(cms); return NULL; } diff -Nru openssl-1.1.1v/crypto/ec/ec_ameth.c openssl-1.1.1w/crypto/ec/ec_ameth.c --- openssl-1.1.1v/crypto/ec/ec_ameth.c 2023-08-01 13:51:35.000000000 +0000 +++ openssl-1.1.1w/crypto/ec/ec_ameth.c 2023-09-11 14:08:11.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -38,7 +38,6 @@ ASN1_OBJECT *asn1obj = OBJ_nid2obj(nid); if (asn1obj == NULL || OBJ_length(asn1obj) == 0) { - ASN1_OBJECT_free(asn1obj); ECerr(EC_F_ECKEY_PARAM2TYPE, EC_R_MISSING_OID); return 0; } @@ -98,9 +97,7 @@ ptype, pval, penc, penclen)) return 1; err: - if (ptype == V_ASN1_OBJECT) - ASN1_OBJECT_free(pval); - else + if (ptype == V_ASN1_SEQUENCE) ASN1_STRING_free(pval); OPENSSL_free(penc); return 0; @@ -256,24 +253,32 @@ eplen = i2d_ECPrivateKey(&ec_key, NULL); if (!eplen) { + if (ptype == V_ASN1_SEQUENCE) + ASN1_STRING_free(pval); ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB); return 0; } ep = OPENSSL_malloc(eplen); if (ep == NULL) { + if (ptype == V_ASN1_SEQUENCE) + ASN1_STRING_free(pval); ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_MALLOC_FAILURE); return 0; } p = ep; if (!i2d_ECPrivateKey(&ec_key, &p)) { - OPENSSL_free(ep); + OPENSSL_clear_free(ep, eplen); + if (ptype == V_ASN1_SEQUENCE) + ASN1_STRING_free(pval); ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB); return 0; } if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), 0, ptype, pval, ep, eplen)) { - OPENSSL_free(ep); + OPENSSL_clear_free(ep, eplen); + if (ptype == V_ASN1_SEQUENCE) + ASN1_STRING_free(pval); return 0; } diff -Nru openssl-1.1.1v/crypto/poly1305/asm/poly1305-x86_64.pl openssl-1.1.1w/crypto/poly1305/asm/poly1305-x86_64.pl --- openssl-1.1.1v/crypto/poly1305/asm/poly1305-x86_64.pl 2023-08-01 13:51:35.000000000 +0000 +++ openssl-1.1.1w/crypto/poly1305/asm/poly1305-x86_64.pl 2023-09-11 14:08:11.000000000 +0000 @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -193,7 +193,7 @@ bt \$`5+32`,%r9 # AVX2? cmovc %rax,%r10 ___ -$code.=<<___ if ($avx>3); +$code.=<<___ if ($avx>3 && !$win64); mov \$`(1<<31|1<<21|1<<16)`,%rax shr \$32,%r9 and %rax,%r9 @@ -2722,7 +2722,7 @@ .cfi_endproc .size poly1305_blocks_avx512,.-poly1305_blocks_avx512 ___ -if ($avx>3) { +if ($avx>3 && !$win64) { ######################################################################## # VPMADD52 version using 2^44 radix. # diff -Nru openssl-1.1.1v/crypto/rsa/rsa_ameth.c openssl-1.1.1w/crypto/rsa/rsa_ameth.c --- openssl-1.1.1v/crypto/rsa/rsa_ameth.c 2023-08-01 13:51:35.000000000 +0000 +++ openssl-1.1.1w/crypto/rsa/rsa_ameth.c 2023-09-11 14:08:11.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -82,13 +82,16 @@ if (!rsa_param_encode(pkey, &str, &strtype)) return 0; penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc); - if (penclen <= 0) + if (penclen <= 0) { + ASN1_STRING_free(str); return 0; + } if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id), strtype, str, penc, penclen)) return 1; OPENSSL_free(penc); + ASN1_STRING_free(str); return 0; } diff -Nru openssl-1.1.1v/debian/changelog openssl-1.1.1w/debian/changelog --- openssl-1.1.1v/debian/changelog 2023-08-26 11:17:12.000000000 +0000 +++ openssl-1.1.1w/debian/changelog 2023-09-13 19:21:33.000000000 +0000 @@ -1,3 +1,9 @@ +openssl (1.1.1w-0~deb11u1) bullseye; urgency=medium + + * Import 1.1.1w + + -- Sebastian Andrzej Siewior Wed, 13 Sep 2023 21:21:33 +0200 + openssl (1.1.1v-0~deb11u1) bullseye; urgency=medium * Import 1.1.1v diff -Nru openssl-1.1.1v/doc/man3/CMS_sign.pod openssl-1.1.1w/doc/man3/CMS_sign.pod --- openssl-1.1.1v/doc/man3/CMS_sign.pod 2023-08-01 13:51:35.000000000 +0000 +++ openssl-1.1.1w/doc/man3/CMS_sign.pod 2023-09-11 14:08:11.000000000 +0000 @@ -95,7 +95,7 @@ suitable for many purposes. For finer control of the output format the B, B and B parameters can all be B and the B flag set. Then one or more signers can be added using the -function CMS_sign_add1_signer(), non default digests can be used and custom +function CMS_add1_signer(), non default digests can be used and custom attributes added. CMS_final() must then be called to finalize the structure if streaming is not enabled. @@ -119,7 +119,7 @@ =head1 COPYRIGHT -Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff -Nru openssl-1.1.1v/include/openssl/opensslv.h openssl-1.1.1w/include/openssl/opensslv.h --- openssl-1.1.1v/include/openssl/opensslv.h 2023-08-01 13:51:35.000000000 +0000 +++ openssl-1.1.1w/include/openssl/opensslv.h 2023-09-11 14:08:11.000000000 +0000 @@ -39,8 +39,8 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x1010116fL -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1v 1 Aug 2023" +# define OPENSSL_VERSION_NUMBER 0x1010117fL +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023" /*- * The macros below are to be used for shared library (.so, .dll, ...) diff -Nru openssl-1.1.1v/ssl/ssl_sess.c openssl-1.1.1w/ssl/ssl_sess.c --- openssl-1.1.1v/ssl/ssl_sess.c 2023-08-01 13:51:35.000000000 +0000 +++ openssl-1.1.1w/ssl/ssl_sess.c 2023-09-11 14:08:11.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2005 Nokia. All rights reserved. * * Licensed under the OpenSSL license (the "License"). You may not use @@ -139,8 +139,11 @@ dest->references = 1; dest->lock = CRYPTO_THREAD_lock_new(); - if (dest->lock == NULL) + if (dest->lock == NULL) { + OPENSSL_free(dest); + dest = NULL; goto err; + } if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, dest, &dest->ex_data)) goto err; diff -Nru openssl-1.1.1v/test/recipes/15-test_rsapss.t openssl-1.1.1w/test/recipes/15-test_rsapss.t --- openssl-1.1.1v/test/recipes/15-test_rsapss.t 2023-08-01 13:51:35.000000000 +0000 +++ openssl-1.1.1w/test/recipes/15-test_rsapss.t 2023-09-11 14:08:11.000000000 +0000 @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -16,7 +16,7 @@ setup("test_rsapss"); -plan tests => 5; +plan tests => 7; #using test/testrsa.pem which happens to be a 512 bit RSA ok(run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha1', @@ -47,3 +47,11 @@ srctop_file('test', 'testrsa.pem')])), "openssl dgst -prverify"); unlink 'testrsapss.sig'; + +ok(run(app(['openssl', 'genpkey', '-algorithm', 'RSA-PSS', '-pkeyopt', 'rsa_keygen_bits:1024', + '-pkeyopt', 'rsa_pss_keygen_md:SHA256', '-pkeyopt', 'rsa_pss_keygen_saltlen:10', + '-out', 'testrsapss.pem'])), + "openssl genpkey RSA-PSS with pss parameters"); +ok(run(app(['openssl', 'pkey', '-in', 'testrsapss.pem', '-pubout', '-text'])), + "openssl pkey, execute rsa_pub_encode with pss parameters"); +unlink 'testrsapss.pem'; diff -Nru openssl-1.1.1v/test/recipes/80-test_cms.t openssl-1.1.1w/test/recipes/80-test_cms.t --- openssl-1.1.1v/test/recipes/80-test_cms.t 2023-08-01 13:51:35.000000000 +0000 +++ openssl-1.1.1w/test/recipes/80-test_cms.t 2023-09-11 14:08:11.000000000 +0000 @@ -288,6 +288,13 @@ "-secretkey", "000102030405060708090A0B0C0D0E0F", "-out", "smtst.txt" ] ], + [ "encrypted content test streaming PEM format -noout, 128 bit AES key", + [ "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", + "-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F", + "-stream", "-noout" ], + [ "-help" ] + ], + ); my @smime_cms_comp_tests = (