111j (#288)

* Prepare for 1.1.1j-dev

Reviewed-by: Richard Levitte <levitte@openssl.org>

* Fix typo in OPENSSL_malloc.pod

CLA: trivial

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13632)

(cherry picked from commit 74c8dd1)

* v3nametest: Make the gennames structure static

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from openssl#13635)

(cherry picked from commit 7eea331)

* Modify is_tls13_capable() to take account of the servername cb

A servername cb may change the available certificates, so if we have one
set then we cannot rely on the configured certificates to determine if we
are capable of negotiating TLSv1.3 or not.

Fixes openssl#13291

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13305)

* Test that we can negotiate TLSv1.3 if we have an SNI callback

If an SNI callback has been set then we may have no certificuates suitable
for TLSv1.3 use configured for the current SSL_CTX. This should not prevent
us from negotiating TLSv1.3, since we may change the SSL_CTX by the time we
need a suitable certificate.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13305)

* Configurations: PowerPC is big endian

Define B_ENDIAN on PowerPC because it is a big endian architecture. With
this change the BN* related tests pass.

Fixes: openssl#12199

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#12371)

(cherry picked from commit 52c6c12)

* Github CI: run also on repository pushes

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#13686)

(cherry picked from commit 4159ebc)

* Document OCSP_REQ_CTX_i2d.

This is a backport of the documentation from openssl#13620.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13691)

* GitHub CI: Add 'check-update' and 'check-docs'

'check-update' runs a 'make update' to check that it wasn't forgotten.

'check-docs' runs 'make doc-nits'.  We have that as a separate job to
make it more prominent.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from openssl#13701)

(cherry picked from commit 8175476)

* Fix NULL pointer access caused by X509_ATTRIBUTE_create()

When X509_ATTRIBUTE_create() receives an invalid NID (e.g., -1), return
failure rather than silently constructing a broken X509_ATTRIBUTE object
that might cause NULL pointer accesses later on.  This matters because
X509_ATTRIBUTE_create() is used by API functions like PKCS7_add_attribute(3)
and the NID comes straight from the user.

This bug was found while working on LibreSSL documentation.

Reviewed-by: Theo Buehler <tb@openbsd.org>

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#12052)

(cherry picked from commit c4b2c53)

* CRYPTO_secure_malloc_init: BSD support improvements.

Backport of openssl#13394

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from openssl#13637)

* Update copyright years of auto-generated headers (make update)

This backports openssl#13764.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from openssl#13769)

* poly1305/asm/poly1305-armv4.pl: fix Clang compatibility issue

I.e.:

    error: out of range immediate fixup value

This fix is identical to one of the changes made in 3405db9, which I
discovered right after taking a quick stab at fixing this.

CLA: trivial
Fixes openssl#7878

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13757)

* Ensure DTLS free functions can handle NULL

Our free functions should be able to deal with the case where the object
being freed is NULL. This turns out to not be quite the case for DTLS
related objects.

Fixes openssl#13649

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13655)

(cherry picked from commit d0afb30)

* Fix for negative return value from `SSL_CTX_sess_accept()`

Fixes openssl#13183

From the original issue report, before this commit, on master and on
1.1.1, the issue can be detected with the following steps:

- Start with a default SSL_CTX, initiate a TLS 1.3 connection with SNI,
  "Accept" count of default context gets incremented
- After servername lookup, "Accept" count of default context gets
  decremented and that of SNI context is incremented
- Server sends a "Hello Retry Request"
- Client sends the second "Client Hello", now again "Accept" count of
  default context is decremented. Hence giving a negative value.

This commit fixes it by adding a check on `s->hello_retry_request` in
addition to `SSL_IS_FIRST_HANDSHAKE(s)`, to ensure the counter is moved
only on the first ClientHello.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from openssl#13297)

* [crypto/dh] side channel hardening for computing DH shared keys (1.1.1)

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from openssl#13772)

* OPENSSL_cpuid_setup FreeBSD PowerPC update

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13821)

(cherry picked from commit b57ec73)

* OPENSSL_cpuid_setup FreeBSD arm update.

when possible using the getauxval equivalent which has similar ids as Linux, instead of bad instructions catch approach.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13650)

(cherry picked from commit 5eb24fb)

* Fix -static builds

Pull in check from openssl#10878
Move disabling of pic, threads and statics up higher before they
are checked.

Fixes openssl#12772

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#12773)

* Skip BOM when reading the config file

Fixes openssl#13840

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#13857)

(cherry picked from commit 4369a88)

* X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert

This is the backport of openssl#13755 to v1.1.1.
Fixes openssl#13698

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13756)

* x509_vfy.c: Fix a regression in find_isser()

...in case the candidate issuer cert is identical to the target cert.

Fixes openssl#13739

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13749)

* DOCS: Fix incorrect pass phrase options references

There were a number of older style references to the pass phrase
options section, now streamlined with the current openssl(1).

Fixes openssl#13883

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from openssl#13886)

* Fix regression in no-deprecated build

Also add a new no-deprecated CI build to test it.

Fixes openssl#13896

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from openssl#13902)

* Ensure SRP BN_mod_exp follows the constant time path

SRP_Calc_client_key calls BN_mod_exp with private data. However it was
not setting BN_FLG_CONSTTIME and therefore not using the constant time
implementation. This could be exploited in a side channel attack to
recover the password.

Since the attack is local host only this is outside of the current OpenSSL
threat model and therefore no CVE is assigned.

Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
issue.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13889)

* Fix typo in crl2pkcs documentation

Fixes openssl#13910

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13911)

(cherry picked from commit 6857058)

* CI: Add some legacy stuff that we do not test in GitHub CI yet

There are some options that seem to belong to the legacy build.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from openssl#13903)

(cherry picked from commit adcaebc)

* Drop Travis

At this point, we have transitioned completely from Travis to GitHub Actions

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#13941)

* check_sig_alg_match(): weaken sig nid comparison to base alg

This (re-)allows RSA-PSS signers

Fixes openssl#13931

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13982)

* Add some missing committers to the AUTHORS list

Fixes openssl#13815

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#14029)

(cherry picked from commit af403db)

* apps/ca: Properly handle certificate expiration times in do_updatedb

Fixes openssl#13944

   + changed ASN1_UTCTIME to ASN1_TIME
   + removed all Y2K code from do_updatedb
   + changed compare to ASN1_TIME_compare

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#14026)

* Prevent creating empty folder "../apps/include"

This folder "../apps/include" is accidentally created.
This prevents this glitch.

Fixes 19b4fe5 ("Add a CMAC test")

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#14051)

* NOTES.WIN: fix typo

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from openssl#14078)

* configdata.pm: Better display of enabled/disabled options

The options listed in the array @disablables are regular expressions.
For most of them, it's not visible, but there are a few.

However, configdata.pm didn't quite treat them that way, which meant
that the few that are visibly regular expressions, there's a
difference between that and the corresponding the key in %disabled,
which is never a regular expression.

To correctly display the enabled and disabled options with --dump,
we must therefore go through a bit of Perl gymnastics to get the
output correct enough, primarly so that disabled features don't look
enabled.

Fixes openssl#13790

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#14081)

* Configuration: ensure that 'no-tests' works correctly

'no-tests' wasn't entirely respected by test/build.info.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#14081)

* Remove unused 'peer_type' from SSL_SESSION

This field has not been used since openssl#3858 was merged in 2017 when we
moved to a table-based lookup for certificate type properties instead of
an index-based one.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from openssl#13991)

(cherry picked from commit 3bc0b62)

* Configurations/descrip.mms.tmpl: avoid enormous PIPE commands

DCL has a total command line limitation that's too easily broken by
them.

We solve them by creating separate message scripts and using them.

Fixes openssl#13789

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13834)

* VMS documentation fixes

This mostly clarifies details.

Fixes openssl#13789

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13834)

* Fix Null pointer deref in X509_issuer_and_serial_hash()

The OpenSSL public API function X509_issuer_and_serial_hash() attempts
to create a unique hash value based on the issuer and serial number data
contained within an X509 certificate. However it fails to correctly
handle any errors that may occur while parsing the issuer field (which
might occur if the issuer field is maliciously constructed). This may
subsequently result in a NULL pointer deref and a crash leading to a
potential denial of service attack.

The function X509_issuer_and_serial_hash() is never directly called by
OpenSSL itself so applications are only vulnerable if they use this
function directly and they use it on certificates that may have been
obtained from untrusted sources.

CVE-2021-23841

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(cherry picked from commit 8130d65)

* Test that X509_issuer_and_serial_hash doesn't crash

Provide a certificate with a bad issuer and check that
X509_issuer_and_serial_hash doesn't crash.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(cherry picked from commit 55869f5)

* Refactor rsa_test

Reduce code copying by factoring out common code into a separate function.

Reviewed-by: Paul Dale <pauli@openssl.org>

* Fix the RSA_SSLV23_PADDING padding type

This also fixes the public function RSA_padding_check_SSLv23.

Commit 6555a89 changed the padding check logic in RSA_padding_check_SSLv23
so that padding is rejected if the nul delimiter byte is not immediately
preceded by at least 8 bytes containing 0x03. Prior to that commit the
padding is rejected if it *is* preceded by at least 8 bytes containing 0x03.

Presumably this change was made to be consistent with what it says in
appendix E.3 of RFC 5246. Unfortunately that RFC is in error, and the
original behaviour was correct. This is fixed in later errata issued for
that RFC.

This has no impact on libssl for modern versions of OpenSSL because
there is no protocol support for SSLv2 in these versions. However
applications that call RSA_paddin_check_SSLv23 directly, or use the
RSA_SSLV23_PADDING mode may still be impacted. The effect of the original
error is that an RSA message encrypted by an SSLv2 only client will fail to
be decrypted properly by a TLS capable server, or a message encrypted by a
TLS capable client will fail to decrypt on an SSLv2 only server. Most
significantly an RSA message encrypted by a TLS capable client will be
successfully decrypted by a TLS capable server. This last case should fail
due to a rollback being detected.

Thanks to D. Katz and Joel Luellwitz (both from Trustwave) for reporting
this issue.

CVE-2021-23839

Reviewed-by: Paul Dale <pauli@openssl.org>

* Fix rsa_test to properly test RSA_SSLV23_PADDING

We test all three cases:
- An SSLv2 only client talking to a TLS capable server
- A TLS capable client talking to an SSLv2 only server
- A TLS capable client talking to a TLS capable server (should fail due
to detecting a rollback attack)

Reviewed-by: Paul Dale <pauli@openssl.org>

* Don't overflow the output length in EVP_CipherUpdate calls

CVE-2021-23840

Reviewed-by: Paul Dale <pauli@openssl.org>

* Update CHANGES and NEWS for new release

Reviewed-by: Richard Levitte <levitte@openssl.org>

* Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>

* Prepare for 1.1.1j release

Reviewed-by: Richard Levitte <levitte@openssl.org>

Co-authored-by: Matt Caswell <matt@openssl.org>
Co-authored-by: Nan Xiao <nan@chinadtrace.org>
Co-authored-by: Tomas Mraz <tmraz@fedoraproject.org>
Co-authored-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Co-authored-by: Rich Salz <rsalz@akamai.com>
Co-authored-by: Richard Levitte <levitte@openssl.org>
Co-authored-by: Ingo Schwarze <schwarze@openbsd.org>
Co-authored-by: David Carlier <devnexen@gmail.com>
Co-authored-by: Dr. David von Oheimb <David.von.Oheimb@siemens.com>
Co-authored-by: Ole André Vadla Ravnås <oleavr@gmail.com>
Co-authored-by: anupamam13 <anuavnd@gmail.com>
Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Co-authored-by: Todd Short <tshort@akamai.com>
Co-authored-by: Dmitry Belyavskiy <beldmit@gmail.com>
Co-authored-by: Tim Hitchins <tim.hitchins@ekkosense.co.uk>
Co-authored-by: Dr. Matthias St. Pierre <matthias.st.pierre@ncp-e.com>
Co-authored-by: Armin Fuerst <armin@fuerst.priv.at>
Co-authored-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Co-authored-by: Jay Satiro <raysatiro@yahoo.com>
Co-authored-by: Benjamin Kaduk <bkaduk@akamai.com>

.github/workflows/ci.yml

@@ -1,6 +1,6 @@
 name: GitHub CI
 
-on: [pull_request]
+on: [pull_request, push]
 
 # for some reason, this does not work:
 # variables:
@@ -13,6 +13,30 @@ on: [pull_request]
 #     - make="make -s"
 
 jobs:
+  check_update:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: config
+      run: ./config --strict-warnings && perl configdata.pm --dump
+    - name: make build_generated
+      run: make -s build_generated
+    - name: make update
+      run: make -s update
+    - name: git diff
+      run: git diff --exit-code
+
+  check_docs:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: config
+      run: ./config --strict-warnings && perl configdata.pm --dump
+    - name: make build_generated
+      run: make -s build_generated
+    - name: make doc-nits
+      run: make doc-nits
+
   basic_gcc:
     runs-on: ubuntu-latest
     steps:
@@ -23,8 +47,6 @@ jobs:
         run: make -s -j4
       - name: make test
         run: make test
-      - name: make doc-nits
-        run: make doc-nits
 
   basic_clang:
     runs-on: ubuntu-latest
@@ -48,6 +70,17 @@ jobs:
       - name: make test
         run: make test
 
+  no-deprecated:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: config
+        run: ./config --strict-warnings no-deprecated && perl configdata.pm --dump
+      - name: make
+        run: make -s -j4
+      - name: make test
+        run: make test
+
   sanitizers:
     runs-on: ubuntu-latest
     steps:
@@ -75,7 +108,7 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - name: config
-        run: ./config -Werror --debug no-afalgeng no-shared enable-crypto-mdebug enable-rc5 enable-md2 && perl configdata.pm --dump
+        run: ./config -Werror --debug no-afalgeng no-shared enable-crypto-mdebug enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 && perl configdata.pm --dump
       - name: make
         run: make -s -j4
       - name: make test