Fixed two UAFs and bumped versions for release

alex · alex · commit d1a12e21573e · 2025-04-04T08:27:26.000-04:00
diff --git a/openssl-sys/CHANGELOG.md b/openssl-sys/CHANGELOG.md
@@ -2,6 +2,12 @@
 
 ## [Unreleased]
 
+## [v0.9.107] - 2025-04-04
+
+### Added
+
+* Support for building with AWS-LC.
+
 ## [v0.9.106] - 2025-02-15
 
 ### Added
@@ -636,7 +642,8 @@ Fixed builds against OpenSSL built with `no-cast`.
 * Added `X509_verify` and `X509_REQ_verify`.
 * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`.
 
-[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.106..master
+[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.107..master
+[v0.9.107]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.106...openssl-sys-v0.9.107
 [v0.9.106]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.105...openssl-sys-v0.9.106
 [v0.9.105]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.104...openssl-sys-v0.9.105
 [v0.9.104]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.103...openssl-sys-v0.9.104
diff --git a/openssl-sys/Cargo.toml b/openssl-sys/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "openssl-sys"
-version = "0.9.106"
+version = "0.9.107"
 authors = [
     "Alex Crichton <alex@alexcrichton.com>",
     "Steven Fackler <sfackler@gmail.com>",
diff --git a/openssl/CHANGELOG.md b/openssl/CHANGELOG.md
@@ -2,6 +2,16 @@
 
 ## [Unreleased]
 
+## [v0.10.72] - 2025-04-04
+
+### Fixed
+
+* Fixed use-after-free in `Md::fetch` and `Cipher::fetch` when `properties` is `Some(...)`. In practice this use-after-free most likely resulted in OpenSSL treating the `properties` as `b""`.
+
+### Added
+
+* Support for building with AWS-LC.
+
 ## [v0.10.71] - 2025-02-15
 
 ### Added
@@ -959,7 +969,8 @@
 
 Look at the [release tags] for information about older releases.
 
-[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.71...master
+[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.72...master
+[v0.10.72]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.71...openssl-v0.10.72
 [v0.10.71]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.70...openssl-v0.10.71
 [v0.10.70]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.69...openssl-v0.10.70
 [v0.10.69]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.68...openssl-v0.10.69
diff --git a/openssl/Cargo.toml b/openssl/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "openssl"
-version = "0.10.71"
+version = "0.10.72"
 authors = ["Steven Fackler <sfackler@gmail.com>"]
 license = "Apache-2.0"
 description = "OpenSSL bindings"
@@ -32,7 +32,7 @@ libc = "0.2"
 once_cell = "1.5.2"
 
 openssl-macros = { version = "0.1.1", path = "../openssl-macros" }
-ffi = { package = "openssl-sys", version = "0.9.106", path = "../openssl-sys" }
+ffi = { package = "openssl-sys", version = "0.9.107", path = "../openssl-sys" }
 
 [dev-dependencies]
 hex = "0.4"
diff --git a/openssl/src/cipher.rs b/openssl/src/cipher.rs
@@ -146,7 +146,7 @@ impl Cipher {
             let ptr = cvt_p(ffi::EVP_CIPHER_fetch(
                 ctx.map_or(ptr::null_mut(), ForeignTypeRef::as_ptr),
                 algorithm.as_ptr(),
-                properties.map_or(ptr::null_mut(), |s| s.as_ptr()),
+                properties.as_ref().map_or(ptr::null_mut(), |s| s.as_ptr()),
             ))?;
 
             Ok(Cipher::from_ptr(ptr))
@@ -595,3 +595,15 @@ impl CipherRef {
         unsafe { EVP_CIPHER_block_size(self.as_ptr()) as usize }
     }
 }
+
+#[cfg(test)]
+mod test {
+    #[cfg(ossl300)]
+    use super::Cipher;
+
+    #[test]
+    #[cfg(ossl300)]
+    fn test_cipher_fetch_properties() {
+        assert!(Cipher::fetch(None, "AES-128-GCM", Some("provider=gibberish")).is_err());
+    }
+}
diff --git a/openssl/src/lib.rs b/openssl/src/lib.rs
@@ -60,19 +60,19 @@
 //! override the automatic detection logic.
 //!
 //! * `OPENSSL_DIR` - If specified, the directory of an OpenSSL installation. The directory should contain `lib` and
-//!     `include` subdirectories containing the libraries and headers respectively.
+//!   `include` subdirectories containing the libraries and headers respectively.
 //! * `OPENSSL_LIB_DIR` and `OPENSSL_INCLUDE_DIR` - If specified, the directories containing the OpenSSL libraries and
-//!     headers respectively. This can be used if the OpenSSL installation is split in a nonstandard directory layout.
+//!   headers respectively. This can be used if the OpenSSL installation is split in a nonstandard directory layout.
 //! * `OPENSSL_STATIC` - If set, the crate will statically link to OpenSSL rather than dynamically link.
 //! * `OPENSSL_LIBS` - If set, a `:`-separated list of library names to link to (e.g. `ssl:crypto`). This can be used
-//!     if nonstandard library names were used for whatever reason.
+//!   if nonstandard library names were used for whatever reason.
 //! * `OPENSSL_NO_VENDOR` - If set, always find OpenSSL in the system, even if the `vendored` feature is enabled.
 //!
 //! If the `vendored` Cargo feature is enabled, the following environment variable can also be used to further configure
 //! the OpenSSL build.
 //!
 //! * `OPENSSL_CONFIG_DIR` - If set, the copy of OpenSSL built by the `openssl-src` crate will be configured to look for
-//!     configuration files and root certificates in this directory.
+//!   configuration files and root certificates in this directory.
 //!
 //! Additionally, these variables can be prefixed with the upper-cased target architecture (e.g.
 //!     `X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR`), which can be useful when cross compiling.
diff --git a/openssl/src/md.rs b/openssl/src/md.rs
@@ -109,7 +109,7 @@ impl Md {
             let ptr = cvt_p(ffi::EVP_MD_fetch(
                 ctx.map_or(ptr::null_mut(), ForeignTypeRef::as_ptr),
                 algorithm.as_ptr(),
-                properties.map_or(ptr::null_mut(), |s| s.as_ptr()),
+                properties.as_ref().map_or(ptr::null_mut(), |s| s.as_ptr()),
             ))?;
 
             Ok(Md::from_ptr(ptr))
@@ -233,3 +233,15 @@ impl MdRef {
         unsafe { Nid::from_raw(ffi::EVP_MD_type(self.as_ptr())) }
     }
 }
+
+#[cfg(test)]
+mod test {
+    #[cfg(ossl300)]
+    use super::Md;
+
+    #[test]
+    #[cfg(ossl300)]
+    fn test_md_fetch_properties() {
+        assert!(Md::fetch(None, "SHA-256", Some("provider=gibberish")).is_err());
+    }
+}
