merge with upstream 1.1.1o (#370)

.github/workflows/ci.yml

@@ -249,36 +249,31 @@ jobs:
 #    - name: test external krb5
 #      run: make test TESTS="test_external_krb5" VERBOSE=1
 
-# pyca testing temporarily disabled due to failures to be investigated separately
-#  external-test-pyca:
-#    runs-on: ubuntu-latest
-#    strategy:
-#      matrix:
-#        RUST:
-#        - 1.51.0
-#        PYTHON:
-#        - 3.9
-#    steps:
-#    - uses: actions/checkout@v2
-#      with:
-#        submodules: recursive
-#    - name: package installs
-#      run: |
-#        sudo apt-get update
-#        sudo apt-get -yq install python3-virtualenv virtualenv
-#    - name: Configure OpenSSL
-#      run: ./config --strict-warnings --debug enable-external-tests && perl configdata.pm --dump
-#    - name: make
-#      run: make -s -j4
-#    - name: Setup Python
-#      uses: actions/setup-python@v2.2.2
-#      with:
-#        python-version: ${{ matrix.PYTHON }}
-#    - uses: actions-rs/toolchain@v1
-#      with:
-#        profile: minimal
-#        toolchain: ${{ matrix.RUST }}
-#        override: true
-#        default: true
-#    - name: test external pyca
-#      run: make test TESTS="test_external_pyca" VERBOSE=1
+  external-test-pyca:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        RUST:
+          - 1.51.0
+        PYTHON:
+          - 3.9
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        submodules: recursive
+    - name: Configure OpenSSL
+      run: ./config --strict-warnings --debug enable-external-tests && perl configdata.pm --dump
+    - name: make
+      run: make -s -j4
+    - name: Setup Python
+      uses: actions/setup-python@v2.2.2
+      with:
+        python-version: ${{ matrix.PYTHON }}
+    - uses: actions-rs/toolchain@v1
+      with:
+        profile: minimal
+        toolchain: ${{ matrix.RUST }}
+        override: true
+        default: true
+    - name: test external pyca
+      run: make test TESTS="test_external_pyca" VERBOSE=1

.github/workflows/run-checker-ci.yml

@@ -20,6 +20,7 @@ jobs:
           no-tests,
           no-threads,
           no-tls,
+          no-tls1_2,
           no-tls1_3,
           no-ts,
           no-ui,

.gitmodules

@@ -6,6 +6,10 @@
 	path = pyca-cryptography
 	url = https://github.com/pyca/cryptography.git
 
+[submodule "wycheproof"]
+	path = wycheproof
+	url = https://github.com/google/wycheproof
+
 [submodule "krb5"]
 	path = krb5
 	url = https://github.com/krb5/krb5

CHANGES

@@ -7,6 +7,19 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.1.1n and 1.1.1o [3 May 2022]
+
+  *) Fixed a bug in the c_rehash script which was not properly sanitising shell
+    metacharacters to prevent command injection.  This script is distributed by
+    some operating systems in a manner where it is automatically executed.  On
+    such operating systems, an attacker could execute arbitrary commands with the
+    privileges of the script.
+
+    Use of the c_rehash script is considered obsolete and should be replaced
+    by the OpenSSL rehash command line tool.
+    (CVE-2022-1292)
+    [Tomáš Mráz]
+
  Changes between 1.1.1m and 1.1.1n [15 Mar 2022]
 
   *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever

NEWS

@@ -5,10 +5,15 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [3 May 2022]
+
+      o Fixed a bug in the c_rehash script which was not properly sanitising
+        shell metacharacters to prevent command injection (CVE-2022-1292)
+
   Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022]
 
       o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
-        forever for non-prime moduli ([CVE-2022-0778])
+        forever for non-prime moduli (CVE-2022-0778)
 
   Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021]
 

README

@@ -1,7 +1,7 @@
 
- OpenSSL 1.1.1n 15 Mar 2022
+ OpenSSL 1.1.1o 3 May 2022
 
- Copyright (c) 1998-2021 The OpenSSL Project
+ Copyright (c) 1998-2022 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
  All rights reserved.
 

apps/apps.c

@@ -307,6 +307,8 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
         if (cb_data != NULL && cb_data->password != NULL
                 && *(const char*)cb_data->password != '\0')
             pw_min_len = 1;
+        else if (!verify)
+            pw_min_len = 0;
         prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
         if (!prompt) {
             BIO_printf(bio_err, "Out of memory\n");

apps/x509.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -590,6 +590,8 @@ int x509_main(int argc, char **argv)
         xca = load_cert(CAfile, CAformat, "CA Certificate");
         if (xca == NULL)
             goto end;
+        if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
+            goto end;
     }
 
     out = bio_open_default(outfile, 'w', outformat);
@@ -987,8 +989,6 @@ static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *diges
         goto end;
     }
 
-    if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
-        goto end;
     if (!X509_set_serialNumber(x, bs))
         goto end;
 

crypto/armcap.c

@@ -92,41 +92,6 @@ static unsigned long getauxval(unsigned long key)
 }
 #  endif
 # endif
-# if defined(__FreeBSD__)
-#  include <sys/param.h>
-#  if __FreeBSD_version >= 1200000
-#   include <sys/auxv.h>
-#   define OSSL_IMPLEMENT_GETAUXVAL
-
-static unsigned long getauxval(unsigned long key)
-{
-  unsigned long val = 0ul;
-
-  if (elf_aux_info((int)key, &val, sizeof(val)) != 0)
-    return 0ul;
-
-  return val;
-}
-#  endif
-# endif
-
-/*
- * Android: according to https://developer.android.com/ndk/guides/cpu-features,
- * getauxval is supported starting with API level 18
- */
-#  if defined(__ANDROID__) && defined(__ANDROID_API__) && __ANDROID_API__ >= 18
-#   include <sys/auxv.h>
-#   define OSSL_IMPLEMENT_GETAUXVAL
-#  endif
-
-/*
- * Android: according to https://developer.android.com/ndk/guides/cpu-features,
- * getauxval is supported starting with API level 18
- */
-#  if defined(__ANDROID__) && defined(__ANDROID_API__) && __ANDROID_API__ >= 18
-#   include <sys/auxv.h>
-#   define OSSL_IMPLEMENT_GETAUXVAL
-#  endif
 
 /*
  * Android: according to https://developer.android.com/ndk/guides/cpu-features,

crypto/bn/bn_div.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -446,8 +446,10 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
     snum->neg = num_neg;
     snum->top = div_n;
     snum->flags |= BN_FLG_FIXED_TOP;
-    if (rm != NULL)
-        bn_rshift_fixed_top(rm, snum, norm_shift);
+
+    if (rm != NULL && bn_rshift_fixed_top(rm, snum, norm_shift) == 0)
+        goto err;
+
     BN_CTX_end(ctx);
     return 1;
  err:

crypto/bn/bn_exp.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -188,13 +188,14 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
         return ret;
     }
 
+    BN_RECP_CTX_init(&recp);
+
     BN_CTX_start(ctx);
     aa = BN_CTX_get(ctx);
     val[0] = BN_CTX_get(ctx);
     if (val[0] == NULL)
         goto err;
 
-    BN_RECP_CTX_init(&recp);
     if (m->neg) {
         /* ignore sign of 'm' */
         if (!BN_copy(aa, m))

crypto/ec/curve448/curve448.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2015-2016 Cryptography Research, Inc.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
@@ -577,6 +577,7 @@ static int recode_wnaf(struct smvt_control *control,
             int32_t delta = odd & mask;
 
             assert(position >= 0);
+            assert(pos < 32);       /* can't fail since current & 0xFFFF != 0 */
             if (odd & (1 << (table_bits + 1)))
                 delta -= (1 << (table_bits + 1));
             current -= delta * (1 << pos);

crypto/ec/ecp_nistz256.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2014, Intel Corporation. All Rights Reserved.
  * Copyright (c) 2015, CloudFlare, Inc.
  *
@@ -973,6 +973,7 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group,
         return 0;
     }
 
+    memset(&p, 0, sizeof(p));
     BN_CTX_start(ctx);
 
     if (scalar) {

crypto/engine/eng_dyn.c

@@ -393,6 +393,26 @@ static int int_load(dynamic_data_ctx *ctx)
     return 0;
 }
 
+/*
+ * Unfortunately the version checker does not distinguish between
+ * engines built for openssl 1.1.x and openssl 3.x, but loading
+ * an engine that is built for openssl 3.x will cause a fatal
+ * error.  Detect such engines, since EVP_PKEY_get_base_id is exported
+ * as a function in openssl 3.x, while it is named EVP_PKEY_base_id
+ * in openssl 1.1.x.  Therefore we take the presence of that symbol
+ * as an indication that the engine will be incompatible.
+ */
+static int using_libcrypto_3(dynamic_data_ctx *ctx)
+{
+    int ret;
+
+    ERR_set_mark();
+    ret = DSO_bind_func(ctx->dynamic_dso, "EVP_PKEY_get_base_id") != NULL;
+    ERR_pop_to_mark();
+
+    return ret;
+}
+
 static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
 {
     ENGINE cpy;
@@ -442,18 +462,9 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
         /*
          * We fail if the version checker veto'd the load *or* if it is
          * deferring to us (by returning its version) and we think it is too
-         * old.
-         * Unfortunately the version checker does not distinguish between
-         * engines built for openssl 1.1.x and openssl 3.x, but loading
-         * an engine that is built for openssl 3.x will cause a fatal
-         * error.  Detect such engines, since EVP_PKEY_get_base_id is exported
-         * as a function in openssl 3.x, while it is named EVP_PKEY_base_id
-         * in openssl 1.1.x.  Therefore we take the presence of that symbol
-         * as an indication that the engine will be incompatible.
+         * old. Also fail if this is engine for openssl 3.x.
          */
-        if (vcheck_res < OSSL_DYNAMIC_OLDEST
-                || DSO_bind_func(ctx->dynamic_dso,
-                                 "EVP_PKEY_get_base_id") != NULL) {
+        if (vcheck_res < OSSL_DYNAMIC_OLDEST || using_libcrypto_3(ctx)) {
             /* Fail */
             ctx->bind_engine = NULL;
             ctx->v_check = NULL;