Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ossl111k merge #298

Merged
merged 75 commits into from
Mar 26, 2021
Merged

ossl111k merge #298

merged 75 commits into from
Mar 26, 2021

Conversation

baentsch
Copy link
Member

Fixes #297

mattcaswell and others added 30 commits December 8, 2020 13:21
@mattcaswell
Prepare for 1.1.1j-dev
cf36853 
Reviewed-by: Richard Levitte <levitte@openssl.org>
@NanXiao @levitte
Fix typo in OPENSSL_malloc.pod
5daa28a 
CLA: trivial

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13632)

(cherry picked from commit 74c8dd1)
@t8m
v3nametest: Make the gennames structure static
7da3894 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from openssl#13635)

(cherry picked from commit 7eea331)
@mattcaswell
Modify is_tls13_capable() to take account of the servername cb
e0b139b 
A servername cb may change the available certificates, so if we have one
set then we cannot rely on the configured certificates to determine if we
are capable of negotiating TLSv1.3 or not.

Fixes openssl#13291

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13305)
@mattcaswell
Test that we can negotiate TLSv1.3 if we have an SNI callback
ad8e83c 
If an SNI callback has been set then we may have no certificuates suitable
for TLSv1.3 use configured for the current SSL_CTX. This should not prevent
us from negotiating TLSv1.3, since we may change the SSL_CTX by the time we
need a suitable certificate.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13305)
@sebastianas @t8m
Configurations: PowerPC is big endian
d73c936 
Define B_ENDIAN on PowerPC because it is a big endian architecture. With
this change the BN* related tests pass.

Fixes: openssl#12199

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#12371)

(cherry picked from commit 52c6c12)
@t8m
Github CI: run also on repository pushes
69daea5 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#13686)

(cherry picked from commit 4159ebc)
@richsalz @t8m
Document OCSP_REQ_CTX_i2d.
3b5edb4 
This is a backport of the documentation from openssl#13620.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13691)
@levitte
GitHub CI: Add 'check-update' and 'check-docs'
5a5d87a 
'check-update' runs a 'make update' to check that it wasn't forgotten.

'check-docs' runs 'make doc-nits'.  We have that as a separate job to
make it more prominent.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from openssl#13701)

(cherry picked from commit 8175476)
@ischwarze @t8m
Fix NULL pointer access caused by X509_ATTRIBUTE_create()
64a1b94 
When X509_ATTRIBUTE_create() receives an invalid NID (e.g., -1), return
failure rather than silently constructing a broken X509_ATTRIBUTE object
that might cause NULL pointer accesses later on.  This matters because
X509_ATTRIBUTE_create() is used by API functions like PKCS7_add_attribute(3)
and the NID comes straight from the user.

This bug was found while working on LibreSSL documentation.

Reviewed-by: Theo Buehler <tb@openbsd.org>

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#12052)

(cherry picked from commit c4b2c53)
@devnexen @kaduk
CRYPTO_secure_malloc_init: BSD support improvements.
9be1063 
Backport of openssl#13394

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from openssl#13637)
@DDvO
Update copyright years of auto-generated headers (make update)
80d5bad 
This backports openssl#13764.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from openssl#13769)
@oleavr @t8m
poly1305/asm/poly1305-armv4.pl: fix Clang compatibility issue
a953f26 
I.e.:

    error: out of range immediate fixup value

This fix is identical to one of the changes made in 3405db9, which I
discovered right after taking a quick stab at fixing this.

CLA: trivial
Fixes openssl#7878

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13757)
@mattcaswell
Ensure DTLS free functions can handle NULL
37d9e3d 
Our free functions should be able to deal with the case where the object
being freed is NULL. This turns out to not be quite the case for DTLS
related objects.

Fixes openssl#13649

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13655)

(cherry picked from commit d0afb30)
@anupamam13 @romen
Fix for negative return value from SSL_CTX_sess_accept()
212d711 
Fixes openssl#13183

From the original issue report, before this commit, on master and on
1.1.1, the issue can be detected with the following steps:

- Start with a default SSL_CTX, initiate a TLS 1.3 connection with SNI,
  "Accept" count of default context gets incremented
- After servername lookup, "Accept" count of default context gets
  decremented and that of SNI context is incremented
- Server sends a "Hello Retry Request"
- Client sends the second "Client Hello", now again "Accept" count of
  default context is decremented. Hence giving a negative value.

This commit fixes it by adding a check on `s->hello_retry_request` in
addition to `SSL_IS_FIRST_HANDSHAKE(s)`, to ensure the counter is moved
only on the first ClientHello.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from openssl#13297)
@bbbrumley @romen
[crypto/dh] side channel hardening for computing DH shared keys (1.1.1)
6e3ba20 
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from openssl#13772)
@devnexen @mattcaswell
OPENSSL_cpuid_setup FreeBSD PowerPC update
fc4ca44 
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13821)

(cherry picked from commit b57ec73)
@devnexen @mattcaswell
OPENSSL_cpuid_setup FreeBSD arm update.
dfe0718 
when possible using the getauxval equivalent which has similar ids as Linux, instead of bad instructions catch approach.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13650)

(cherry picked from commit 5eb24fb)
@tmshort @levitte
Fix -static builds
cfd7225 
Pull in check from openssl#10878
Move disabling of pic, threads and statics up higher before they
are checked.

Fixes openssl#12772

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#12773)
@beldmit
Skip BOM when reading the config file
2a9785c 
Fixes openssl#13840

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#13857)

(cherry picked from commit 4369a88)
@DDvO
X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed t…
fb1e241 
…o due to invalid cert

This is the backport of openssl#13755 to v1.1.1.
Fixes openssl#13698

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13756)
@DDvO
x509_vfy.c: Fix a regression in find_isser()
76ed0c0 
...in case the candidate issuer cert is identical to the target cert.

Fixes openssl#13739

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13749)
@levitte
DOCS: Fix incorrect pass phrase options references
a83690c 
There were a number of older style references to the pass phrase
options section, now streamlined with the current openssl(1).

Fixes openssl#13883

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from openssl#13886)
@t8m
Fix regression in no-deprecated build
69b3a65 
Also add a new no-deprecated CI build to test it.

Fixes openssl#13896

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from openssl#13902)
@mattcaswell
Ensure SRP BN_mod_exp follows the constant time path
0a31723 
SRP_Calc_client_key calls BN_mod_exp with private data. However it was
not setting BN_FLG_CONSTTIME and therefore not using the constant time
implementation. This could be exploited in a side channel attack to
recover the password.

Since the attack is local host only this is outside of the current OpenSSL
threat model and therefore no CVE is assigned.

Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
issue.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13889)
@tim-hitchins-ekkosense @t8m
Fix typo in crl2pkcs documentation
b8cee4c 
Fixes openssl#13910

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13911)

(cherry picked from commit 6857058)
@t8m
CI: Add some legacy stuff that we do not test in GitHub CI yet
76e30a4 
There are some options that seem to belong to the legacy build.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from openssl#13903)

(cherry picked from commit adcaebc)
@levitte
Drop Travis
a7222fc 
At this point, we have transitioned completely from Travis to GitHub Actions

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#13941)
@DDvO
check_sig_alg_match(): weaken sig nid comparison to base alg
c2fc111 
This (re-)allows RSA-PSS signers

Fixes openssl#13931

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13982)
@mspncp
Add some missing committers to the AUTHORS list
2d8109f 
Fixes openssl#13815

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#14029)

(cherry picked from commit af403db)
levitte and others added 18 commits March 4, 2021 20:30
@levitte @romen
[1.1.1] Fix make update for out-of-tree builds
01b9e18 
Fixes openssl#11940

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from openssl#14388)
@mamapanda @t8m
Check SSL_set1_chain error in set_cert_cb
081a706 
CLA: trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#14469)

(cherry picked from commit 1aa7ecd)
@paulidale
modes: fix coverity 1449860: overlapping memory copy
8129ac6 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#14584)

(cherry picked from commit 145f12d)
@paulidale
modes: fix coverity 1449851: overlapping memory copy
81198bf 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#14584)

(cherry picked from commit b875e0e)
@paulidale
ssl: fix coverity 1451515: out of bounds memory access
1136fed 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#14585)

(cherry picked from commit 3de7f01)
@paulidale
apps: fix coverity 966560: division by zero
f9398cc 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#14586)

(cherry picked from commit 7e7e034)
@mattcaswell @paulidale
Add a missing RUN_ONCE in rand_lib.c
b402f00 
Some of the callbacks in rand_lib.c were being invoked without the
RUN_ONCE for that file being called. We add it during rand_pool_new
which should cover all cases.

Fixes openssl#7870
Fixes openssl#11144

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#14603)
@levitte
ASN1: Reset the content dump flag after dumping
ffefffa 
When encountering a badly coded item, the DER printer (ASN1_print_dump())
sets a flag to ensure that an additional hex dump of the offending content
is printed as part of the output.  Unfortunately, this flag is never reset,
which means that all following items are printed with the extra hex dump,
whether they are faulty or not.

Resetting the flag after hex dumping ensures that only the faulty contents
are printed with the additional hex dump.

Fixes openssl#14626

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from openssl#14627)

(cherry picked from commit 6e34a10)
@dongbeiouba
Fix missing INVALID_EXTENSION
cfd7438 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#14639)
@t8m @mattcaswell
check_chain_extensions: Do not override error return value by check_c…
2a40b7b 
…urve

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the
certificates present in a certificate chain. It is not set by default.

Starting from OpenSSL version 1.1.1h a check to disallow certificates with
explicitly encoded elliptic curve parameters in the chain was added to the
strict checks.

An error in the implementation of this check meant that the result of a
previous check to confirm that certificates in the chain are valid CA
certificates was overwritten. This effectively bypasses the check
that non-CA certificates must not be able to issue other certificates.

If a "purpose" has been configured then a subsequent check that the
certificate is consistent with that purpose also checks that it is a
valid CA. Therefore where a purpose is set the certificate chain will
still be rejected even when the strict flag has been used. A purpose is
set by default in libssl client and server certificate verification
routines, but it can be overriden by an application.

Affected applications explicitly set the X509_V_FLAG_X509_STRICT
verification flag and either do not set a purpose for the certificate
verification or, in the case of TLS client or server applications,
override the default purpose to make it not set.

CVE-2021-3450

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
@mattcaswell
Teach TLSProxy how to encrypt <= TLSv1.2 ETM records
46d81bc 
Previously TLSProxy only knew how to "repack" messages for TLSv1.3.
Most of the handshake in <= TLSv1.2 is unencrypted so this hasn't been
too much of restriction. However we now want to modify reneg handshakes
which are encrypted so we need to add that capability.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
@mattcaswell
Add a test for CVE-2021-3449
3ff3862 
We perform a reneg handshake, where the second ClientHello drops the
sig_algs extension. It must also contain cert_sig_algs for the test to
work.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
@mattcaswell
ssl sigalg extension: fix NULL pointer dereference
fb9fa6b 
As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's
possible to crash an openssl tls secured server remotely by sending a
manipulated hello message in a rehandshake.

On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls
tls12_shared_sigalgs() with the peer_sigalgslen of the previous
handshake, while the peer_sigalgs has been freed.
As a result tls12_shared_sigalgs() walks over the available
peer_sigalgs and tries to access data of a NULL pointer.

This issue was introduced by c589c34 (Add support for the TLS 1.3
signature_algorithms_cert extension, 2018-01-11).

Signed-off-by: Peter Kästle <peter.kaestle@nokia.com>
Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>

CVE-2021-3449

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
@mattcaswell
Ensure buffer/length pairs are always in sync
d33c2a3 
Following on from CVE-2021-3449 which was caused by a non-zero length
associated with a NULL buffer, other buffer/length pairs are updated to
ensure that they too are always in sync.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
@mattcaswell
Update CHANGES and NEWS for new release
62f75c9 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
@mattcaswell
Update copyright year
e83638b 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
@mattcaswell
Prepare for 1.1.1k release
fd78df5 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
@baentsch
OSSL 1.1.1k merge
e5fed17
@baentsch baentsch marked this pull request as ready for review March 25, 2021 17:30
christianpaquin
christianpaquin requested changes Mar 25, 2021
View reviewed changes
Copy link

@christianpaquin christianpaquin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. We should update our README.md, which still has an old reference:

This fork is currently in sync with the OpenSSL_1_1_1g tag, and adds the following:

@baentsch
Copy link
Member Author

Looks good. We should update our README.md, which still has an old reference:

This fork is currently in sync with the OpenSSL_1_1_1g tag, and adds the following:

Corrected.

@dstebila dstebila merged commit c2d0e86 into OQS-OpenSSL_1_1_1-stable Mar 26, 2021
@dstebila dstebila deleted the mb-111k branch March 26, 2021 02:08
@dstebila dstebila mentioned this pull request Mar 26, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@christianpaquin christianpaquin christianpaquin approved these changes

@dstebila dstebila Awaiting requested review from dstebila

@xvzcf xvzcf Awaiting requested review from xvzcf

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Sync with OpenSSL 1.1.1k