This repository has been archived by the owner on Jan 8, 2025. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Prepare for 1.1.1j-dev Reviewed-by: Richard Levitte <[email protected]> * Fix typo in OPENSSL_malloc.pod CLA: trivial Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from openssl#13632) (cherry picked from commit 74c8dd1) * v3nametest: Make the gennames structure static Reviewed-by: Shane Lontis <[email protected]> (Merged from openssl#13635) (cherry picked from commit 7eea331) * Modify is_tls13_capable() to take account of the servername cb A servername cb may change the available certificates, so if we have one set then we cannot rely on the configured certificates to determine if we are capable of negotiating TLSv1.3 or not. Fixes openssl#13291 Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#13305) * Test that we can negotiate TLSv1.3 if we have an SNI callback If an SNI callback has been set then we may have no certificuates suitable for TLSv1.3 use configured for the current SSL_CTX. This should not prevent us from negotiating TLSv1.3, since we may change the SSL_CTX by the time we need a suitable certificate. Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#13305) * Configurations: PowerPC is big endian Define B_ENDIAN on PowerPC because it is a big endian architecture. With this change the BN* related tests pass. Fixes: openssl#12199 Signed-off-by: Sebastian Andrzej Siewior <[email protected]> Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#12371) (cherry picked from commit 52c6c12) * Github CI: run also on repository pushes Reviewed-by: Richard Levitte <[email protected]> (Merged from openssl#13686) (cherry picked from commit 4159ebc) * Document OCSP_REQ_CTX_i2d. This is a backport of the documentation from openssl#13620. Reviewed-by: David von Oheimb <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#13691) * GitHub CI: Add 'check-update' and 'check-docs' 'check-update' runs a 'make update' to check that it wasn't forgotten. 'check-docs' runs 'make doc-nits'. We have that as a separate job to make it more prominent. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Kurt Roeckx <[email protected]> (Merged from openssl#13701) (cherry picked from commit 8175476) * Fix NULL pointer access caused by X509_ATTRIBUTE_create() When X509_ATTRIBUTE_create() receives an invalid NID (e.g., -1), return failure rather than silently constructing a broken X509_ATTRIBUTE object that might cause NULL pointer accesses later on. This matters because X509_ATTRIBUTE_create() is used by API functions like PKCS7_add_attribute(3) and the NID comes straight from the user. This bug was found while working on LibreSSL documentation. Reviewed-by: Theo Buehler <[email protected]> CLA: trivial Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#12052) (cherry picked from commit c4b2c53) * CRYPTO_secure_malloc_init: BSD support improvements. Backport of openssl#13394 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> (Merged from openssl#13637) * Update copyright years of auto-generated headers (make update) This backports openssl#13764. Reviewed-by: Tim Hudson <[email protected]> (Merged from openssl#13769) * poly1305/asm/poly1305-armv4.pl: fix Clang compatibility issue I.e.: error: out of range immediate fixup value This fix is identical to one of the changes made in 3405db9, which I discovered right after taking a quick stab at fixing this. CLA: trivial Fixes openssl#7878 Reviewed-by: Kurt Roeckx <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#13757) * Ensure DTLS free functions can handle NULL Our free functions should be able to deal with the case where the object being freed is NULL. This turns out to not be quite the case for DTLS related objects. Fixes openssl#13649 Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#13655) (cherry picked from commit d0afb30) * Fix for negative return value from `SSL_CTX_sess_accept()` Fixes openssl#13183 From the original issue report, before this commit, on master and on 1.1.1, the issue can be detected with the following steps: - Start with a default SSL_CTX, initiate a TLS 1.3 connection with SNI, "Accept" count of default context gets incremented - After servername lookup, "Accept" count of default context gets decremented and that of SNI context is incremented - Server sends a "Hello Retry Request" - Client sends the second "Client Hello", now again "Accept" count of default context is decremented. Hence giving a negative value. This commit fixes it by adding a check on `s->hello_retry_request` in addition to `SSL_IS_FIRST_HANDSHAKE(s)`, to ensure the counter is moved only on the first ClientHello. CLA: trivial Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from openssl#13297) * [crypto/dh] side channel hardening for computing DH shared keys (1.1.1) Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Nicola Tuveri <[email protected]> (Merged from openssl#13772) * OPENSSL_cpuid_setup FreeBSD PowerPC update Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from openssl#13821) (cherry picked from commit b57ec73) * OPENSSL_cpuid_setup FreeBSD arm update. when possible using the getauxval equivalent which has similar ids as Linux, instead of bad instructions catch approach. Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from openssl#13650) (cherry picked from commit 5eb24fb) * Fix -static builds Pull in check from openssl#10878 Move disabling of pic, threads and statics up higher before they are checked. Fixes openssl#12772 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Richard Levitte <[email protected]> (Merged from openssl#12773) * Skip BOM when reading the config file Fixes openssl#13840 Reviewed-by: Richard Levitte <[email protected]> (Merged from openssl#13857) (cherry picked from commit 4369a88) * X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert This is the backport of openssl#13755 to v1.1.1. Fixes openssl#13698 Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#13756) * x509_vfy.c: Fix a regression in find_isser() ...in case the candidate issuer cert is identical to the target cert. Fixes openssl#13739 Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#13749) * DOCS: Fix incorrect pass phrase options references There were a number of older style references to the pass phrase options section, now streamlined with the current openssl(1). Fixes openssl#13883 Reviewed-by: Kurt Roeckx <[email protected]> (Merged from openssl#13886) * Fix regression in no-deprecated build Also add a new no-deprecated CI build to test it. Fixes openssl#13896 Reviewed-by: David von Oheimb <[email protected]> (Merged from openssl#13902) * Ensure SRP BN_mod_exp follows the constant time path SRP_Calc_client_key calls BN_mod_exp with private data. However it was not setting BN_FLG_CONSTTIME and therefore not using the constant time implementation. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this issue. Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#13889) * Fix typo in crl2pkcs documentation Fixes openssl#13910 CLA: trivial Reviewed-by: Tim Hudson <[email protected]> Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#13911) (cherry picked from commit 6857058) * CI: Add some legacy stuff that we do not test in GitHub CI yet There are some options that seem to belong to the legacy build. Reviewed-by: Dmitry Belyavskiy <[email protected]> (Merged from openssl#13903) (cherry picked from commit adcaebc) * Drop Travis At this point, we have transitioned completely from Travis to GitHub Actions Reviewed-by: Tim Hudson <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from openssl#13941) * check_sig_alg_match(): weaken sig nid comparison to base alg This (re-)allows RSA-PSS signers Fixes openssl#13931 Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#13982) * Add some missing committers to the AUTHORS list Fixes openssl#13815 Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from openssl#14029) (cherry picked from commit af403db) * apps/ca: Properly handle certificate expiration times in do_updatedb Fixes openssl#13944 + changed ASN1_UTCTIME to ASN1_TIME + removed all Y2K code from do_updatedb + changed compare to ASN1_TIME_compare Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#14026) * Prevent creating empty folder "../apps/include" This folder "../apps/include" is accidentally created. This prevents this glitch. Fixes 19b4fe5 ("Add a CMAC test") Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#14051) * NOTES.WIN: fix typo CLA: trivial Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Matthias St. Pierre <[email protected]> (Merged from openssl#14078) * configdata.pm: Better display of enabled/disabled options The options listed in the array @disablables are regular expressions. For most of them, it's not visible, but there are a few. However, configdata.pm didn't quite treat them that way, which meant that the few that are visibly regular expressions, there's a difference between that and the corresponding the key in %disabled, which is never a regular expression. To correctly display the enabled and disabled options with --dump, we must therefore go through a bit of Perl gymnastics to get the output correct enough, primarly so that disabled features don't look enabled. Fixes openssl#13790 Reviewed-by: Paul Dale <[email protected]> (Merged from openssl#14081) * Configuration: ensure that 'no-tests' works correctly 'no-tests' wasn't entirely respected by test/build.info. Reviewed-by: Paul Dale <[email protected]> (Merged from openssl#14081) * Remove unused 'peer_type' from SSL_SESSION This field has not been used since openssl#3858 was merged in 2017 when we moved to a table-based lookup for certificate type properties instead of an index-based one. Reviewed-by: Kurt Roeckx <[email protected]> (Merged from openssl#13991) (cherry picked from commit 3bc0b62) * Configurations/descrip.mms.tmpl: avoid enormous PIPE commands DCL has a total command line limitation that's too easily broken by them. We solve them by creating separate message scripts and using them. Fixes openssl#13789 Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#13834) * VMS documentation fixes This mostly clarifies details. Fixes openssl#13789 Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#13834) * Fix Null pointer deref in X509_issuer_and_serial_hash() The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. CVE-2021-23841 Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Paul Dale <[email protected]> (cherry picked from commit 8130d65) * Test that X509_issuer_and_serial_hash doesn't crash Provide a certificate with a bad issuer and check that X509_issuer_and_serial_hash doesn't crash. Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Paul Dale <[email protected]> (cherry picked from commit 55869f5) * Refactor rsa_test Reduce code copying by factoring out common code into a separate function. Reviewed-by: Paul Dale <[email protected]> * Fix the RSA_SSLV23_PADDING padding type This also fixes the public function RSA_padding_check_SSLv23. Commit 6555a89 changed the padding check logic in RSA_padding_check_SSLv23 so that padding is rejected if the nul delimiter byte is not immediately preceded by at least 8 bytes containing 0x03. Prior to that commit the padding is rejected if it *is* preceded by at least 8 bytes containing 0x03. Presumably this change was made to be consistent with what it says in appendix E.3 of RFC 5246. Unfortunately that RFC is in error, and the original behaviour was correct. This is fixed in later errata issued for that RFC. This has no impact on libssl for modern versions of OpenSSL because there is no protocol support for SSLv2 in these versions. However applications that call RSA_paddin_check_SSLv23 directly, or use the RSA_SSLV23_PADDING mode may still be impacted. The effect of the original error is that an RSA message encrypted by an SSLv2 only client will fail to be decrypted properly by a TLS capable server, or a message encrypted by a TLS capable client will fail to decrypt on an SSLv2 only server. Most significantly an RSA message encrypted by a TLS capable client will be successfully decrypted by a TLS capable server. This last case should fail due to a rollback being detected. Thanks to D. Katz and Joel Luellwitz (both from Trustwave) for reporting this issue. CVE-2021-23839 Reviewed-by: Paul Dale <[email protected]> * Fix rsa_test to properly test RSA_SSLV23_PADDING We test all three cases: - An SSLv2 only client talking to a TLS capable server - A TLS capable client talking to an SSLv2 only server - A TLS capable client talking to a TLS capable server (should fail due to detecting a rollback attack) Reviewed-by: Paul Dale <[email protected]> * Don't overflow the output length in EVP_CipherUpdate calls CVE-2021-23840 Reviewed-by: Paul Dale <[email protected]> * Update CHANGES and NEWS for new release Reviewed-by: Richard Levitte <[email protected]> * Update copyright year Reviewed-by: Richard Levitte <[email protected]> * Prepare for 1.1.1j release Reviewed-by: Richard Levitte <[email protected]> * Prepare for 1.1.1k-dev Reviewed-by: Richard Levitte <[email protected]> * TEST: Add missing initialization Compiler complained. Reviewed-by: Matt Caswell <[email protected]> (Merged from openssl#14204) (cherry picked from commit 55e9d8c) * Use CRIOGET to fetch a crypto descriptor when present. FreeBSD's current /dev/crypto implementation requires that consumers clone a separate file descriptor via the CRIOGET ioctl that can then be used with other ioctls such as CIOCGSESSION. Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> (cherry picked from commit b39c215) Reviewed-by: Paul Dale <[email protected]> (Merged from openssl#13853) * Close /dev/crypto file descriptor after CRIOGET ioctl(). Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> (cherry picked from commit 3ddf44e) Reviewed-by: Paul Dale <[email protected]> (Merged from openssl#13853) * CRYPTO_gcm128_decrypt: fix mac or tag calculation The incorrect code is in #ifdef branch that is normally not compiled in. Signed-off-by: Zhang Jinde <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#12968) (cherry picked from commit 1d724b5) * Fix an integer overflow in o_time.c If input offset_sec is sufficiently large (> INT32_MAX * SECS_PER_DAY, which is possible for a long on 64-bit platforms), then the first assignment contains an overflow. I think leaving offset_hms as an int is still safe. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from openssl#14252) (cherry picked from commit 75de543) * Fix filename escaping in c_rehash CLA: trivial Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from openssl#14301) (cherry picked from commit 2d96895) * Check ASN1_item_ndef_i2d() return value. Return an error instead of trying to malloc a negative number. The other usage in this file already had a similar check, and the caller should have put an entry on the error stack already. Note that we only check the initial calls to obtain the encoded length, and assume that the follow-up call to actually encode to the allocated storage will succeed if the first one did. Fixes: openssl#14177 Reviewed-by: Shane Lontis <[email protected]> (Merged from openssl#14308) (cherry picked from commit 90b4247) * [github-ci] Add a out-of-tree_build job This adds a new job to trigger the bug reported in <openssl#11940> Reviewed-by: Richard Levitte <[email protected]> (Merged from openssl#14388) * [1.1.1] Fix `make update` for out-of-tree builds Fixes openssl#11940 Reviewed-by: Nicola Tuveri <[email protected]> (Merged from openssl#14388) * Check SSL_set1_chain error in set_cert_cb CLA: trivial Reviewed-by: Shane Lontis <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#14469) (cherry picked from commit 1aa7ecd) * modes: fix coverity 1449860: overlapping memory copy Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#14584) (cherry picked from commit 145f12d) * modes: fix coverity 1449851: overlapping memory copy Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#14584) (cherry picked from commit b875e0e) * ssl: fix coverity 1451515: out of bounds memory access Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#14585) (cherry picked from commit 3de7f01) * apps: fix coverity 966560: division by zero Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Richard Levitte <[email protected]> (Merged from openssl#14586) (cherry picked from commit 7e7e034) * Add a missing RUN_ONCE in rand_lib.c Some of the callbacks in rand_lib.c were being invoked without the RUN_ONCE for that file being called. We add it during rand_pool_new which should cover all cases. Fixes openssl#7870 Fixes openssl#11144 Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from openssl#14603) * ASN1: Reset the content dump flag after dumping When encountering a badly coded item, the DER printer (ASN1_print_dump()) sets a flag to ensure that an additional hex dump of the offending content is printed as part of the output. Unfortunately, this flag is never reset, which means that all following items are printed with the extra hex dump, whether they are faulty or not. Resetting the flag after hex dumping ensures that only the faulty contents are printed with the additional hex dump. Fixes openssl#14626 Reviewed-by: Tim Hudson <[email protected]> (Merged from openssl#14627) (cherry picked from commit 6e34a10) * Fix missing INVALID_EXTENSION Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Ben Kaduk <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#14639) * check_chain_extensions: Do not override error return value by check_curve The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates with explicitly encoded elliptic curve parameters in the chain was added to the strict checks. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then a subsequent check that the certificate is consistent with that purpose also checks that it is a valid CA. Therefore where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overriden by an application. Affected applications explicitly set the X509_V_FLAG_X509_STRICT verification flag and either do not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose to make it not set. CVE-2021-3450 Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Teach TLSProxy how to encrypt <= TLSv1.2 ETM records Previously TLSProxy only knew how to "repack" messages for TLSv1.3. Most of the handshake in <= TLSv1.2 is unencrypted so this hasn't been too much of restriction. However we now want to modify reneg handshakes which are encrypted so we need to add that capability. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Add a test for CVE-2021-3449 We perform a reneg handshake, where the second ClientHello drops the sig_algs extension. It must also contain cert_sig_algs for the test to work. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> * ssl sigalg extension: fix NULL pointer dereference As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's possible to crash an openssl tls secured server remotely by sending a manipulated hello message in a rehandshake. On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls tls12_shared_sigalgs() with the peer_sigalgslen of the previous handshake, while the peer_sigalgs has been freed. As a result tls12_shared_sigalgs() walks over the available peer_sigalgs and tries to access data of a NULL pointer. This issue was introduced by c589c34 (Add support for the TLS 1.3 signature_algorithms_cert extension, 2018-01-11). Signed-off-by: Peter Kästle <[email protected]> Signed-off-by: Samuel Sapalski <[email protected]> CVE-2021-3449 CLA: trivial Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Matt Caswell <[email protected]> * Ensure buffer/length pairs are always in sync Following on from CVE-2021-3449 which was caused by a non-zero length associated with a NULL buffer, other buffer/length pairs are updated to ensure that they too are always in sync. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> * Update CHANGES and NEWS for new release Reviewed-by: Tomas Mraz <[email protected]> * Update copyright year Reviewed-by: Tomas Mraz <[email protected]> * Prepare for 1.1.1k release Reviewed-by: Tomas Mraz <[email protected]> * README version update [skip ci] Co-authored-by: Matt Caswell <[email protected]> Co-authored-by: Nan Xiao <[email protected]> Co-authored-by: Tomas Mraz <[email protected]> Co-authored-by: Sebastian Andrzej Siewior <[email protected]> Co-authored-by: Rich Salz <[email protected]> Co-authored-by: Richard Levitte <[email protected]> Co-authored-by: Ingo Schwarze <[email protected]> Co-authored-by: David Carlier <[email protected]> Co-authored-by: Dr. David von Oheimb <[email protected]> Co-authored-by: Ole André Vadla Ravnås <[email protected]> Co-authored-by: anupamam13 <[email protected]> Co-authored-by: Billy Brumley <[email protected]> Co-authored-by: Todd Short <[email protected]> Co-authored-by: Dmitry Belyavskiy <[email protected]> Co-authored-by: Tim Hitchins <[email protected]> Co-authored-by: Dr. Matthias St. Pierre <[email protected]> Co-authored-by: Armin Fuerst <[email protected]> Co-authored-by: Bernd Edlinger <[email protected]> Co-authored-by: Jay Satiro <[email protected]> Co-authored-by: Benjamin Kaduk <[email protected]> Co-authored-by: John Baldwin <[email protected]> Co-authored-by: Zhang Jinde <[email protected]> Co-authored-by: jwalch <[email protected]> Co-authored-by: Mark <[email protected]> Co-authored-by: Nicola Tuveri <[email protected]> Co-authored-by: panda <[email protected]> Co-authored-by: Pauli <[email protected]> Co-authored-by: Chenglong Zhang <[email protected]> Co-authored-by: Tomas Mraz <[email protected]> Co-authored-by: Peter Kaestle <[email protected]>
- Loading branch information
31 people
authored
Mar 26, 2021
1 parent
f593774
commit c2d0e86