Fixed two UAFs and bumped versions for release

Author: alex

openssl-sys/CHANGELOG.md

@@ -2,6 +2,12 @@
 
 ## [Unreleased]
 
+## [v0.9.107] - 2025-04-04
+
+### Added
+
+* Support for building with AWS-LC.
+
 ## [v0.9.106] - 2025-02-15
 
 ### Added
@@ -636,7 +642,8 @@ Fixed builds against OpenSSL built with `no-cast`.
 * Added `X509_verify` and `X509_REQ_verify`.
 * Added `EVP_MD_type` and `EVP_GROUP_get_curve_name`.
 
-[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.106..master
+[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.107..master
+[v0.9.107]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.106...openssl-sys-v0.9.107
 [v0.9.106]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.105...openssl-sys-v0.9.106
 [v0.9.105]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.104...openssl-sys-v0.9.105
 [v0.9.104]: https://github.com/sfackler/rust-openssl/compare/openssl-sys-v0.9.103...openssl-sys-v0.9.104

openssl-sys/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "openssl-sys"
-version = "0.9.106"
+version = "0.9.107"
 authors = [
     "Alex Crichton <[email protected]>",
     "Steven Fackler <[email protected]>",

openssl/CHANGELOG.md

@@ -2,6 +2,16 @@
 
 ## [Unreleased]
 
+## [v0.10.72] - 2025-04-04
+
+### Fixed
+
+* Fixed use-after-free in `Md::fetch` and `Cipher::fetch` when `properties` is `Some(...)`. In practice this use-after-free most likely resulted in OpenSSL treating the `properties` as `b""`.
+
+### Added
+
+* Support for building with AWS-LC.
+
 ## [v0.10.71] - 2025-02-15
 
 ### Added
@@ -959,7 +969,8 @@
 
 Look at the [release tags] for information about older releases.
 
-[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.71...master
+[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.72...master
+[v0.10.72]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.71...openssl-v0.10.72
 [v0.10.71]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.70...openssl-v0.10.71
 [v0.10.70]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.69...openssl-v0.10.70
 [v0.10.69]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.68...openssl-v0.10.69

openssl/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "openssl"
-version = "0.10.71"
+version = "0.10.72"
 authors = ["Steven Fackler <[email protected]>"]
 license = "Apache-2.0"
 description = "OpenSSL bindings"
@@ -32,7 +32,7 @@ libc = "0.2"
 once_cell = "1.5.2"
 
 openssl-macros = { version = "0.1.1", path = "../openssl-macros" }
-ffi = { package = "openssl-sys", version = "0.9.106", path = "../openssl-sys" }
+ffi = { package = "openssl-sys", version = "0.9.107", path = "../openssl-sys" }
 
 [dev-dependencies]
 hex = "0.4"

openssl/src/cipher.rs

@@ -146,7 +146,7 @@ impl Cipher {
             let ptr = cvt_p(ffi::EVP_CIPHER_fetch(
                 ctx.map_or(ptr::null_mut(), ForeignTypeRef::as_ptr),
                 algorithm.as_ptr(),
-                properties.map_or(ptr::null_mut(), |s| s.as_ptr()),
+                properties.as_ref().map_or(ptr::null_mut(), |s| s.as_ptr()),
             ))?;
 
             Ok(Cipher::from_ptr(ptr))
@@ -595,3 +595,18 @@ impl CipherRef {
         unsafe { EVP_CIPHER_block_size(self.as_ptr()) as usize }
     }
 }
+
+#[cfg(test)]
+mod test {
+    #[cfg(ossl300)]
+    use super::Cipher;
+
+    #[test]
+    #[cfg(ossl300)]
+    fn test_cipher_fetch_properties() {
+        assert!(matches!(
+            Cipher::fetch(None, "AES-128-GCM", Some("provider=gibberish")),
+            Err(_)
+        ));
+    }
+}

openssl/src/md.rs

@@ -109,7 +109,7 @@ impl Md {
             let ptr = cvt_p(ffi::EVP_MD_fetch(
                 ctx.map_or(ptr::null_mut(), ForeignTypeRef::as_ptr),
                 algorithm.as_ptr(),
-                properties.map_or(ptr::null_mut(), |s| s.as_ptr()),
+                properties.as_ref().map_or(ptr::null_mut(), |s| s.as_ptr()),
             ))?;
 
             Ok(Md::from_ptr(ptr))
@@ -233,3 +233,18 @@ impl MdRef {
         unsafe { Nid::from_raw(ffi::EVP_MD_type(self.as_ptr())) }
     }
 }
+
+#[cfg(test)]
+mod test {
+    #[cfg(ossl300)]
+    use super::Md;
+
+    #[test]
+    #[cfg(ossl300)]
+    fn test_md_fetch_properties() {
+        assert!(matches!(
+            Md::fetch(None, "SHA-256", Some("provider=gibberish")),
+            Err(_)
+        ));
+    }
+}