Merging OpenSSL 1.1.1m #346
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fixes openssl#13840 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#13857) (cherry picked from commit 4369a88)
…o due to invalid cert This is the backport of openssl#13755 to v1.1.1. Fixes openssl#13698 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13756)
...in case the candidate issuer cert is identical to the target cert. Fixes openssl#13739 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from openssl#13749)
There were a number of older style references to the pass phrase options section, now streamlined with the current openssl(1). Fixes openssl#13883 Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from openssl#13886)
Also add a new no-deprecated CI build to test it. Fixes openssl#13896 Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from openssl#13902)
SRP_Calc_client_key calls BN_mod_exp with private data. However it was not setting BN_FLG_CONSTTIME and therefore not using the constant time implementation. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this issue. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#13889)
Fixes openssl#13910 CLA: trivial Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#13911) (cherry picked from commit 6857058)
There are some options that seem to belong to the legacy build. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from openssl#13903) (cherry picked from commit adcaebc)
At this point, we have transitioned completely from Travis to GitHub Actions Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#13941)
This (re-)allows RSA-PSS signers Fixes openssl#13931 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#13982)
Fixes openssl#13815 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#14029) (cherry picked from commit af403db)
Fixes openssl#13944 + changed ASN1_UTCTIME to ASN1_TIME + removed all Y2K code from do_updatedb + changed compare to ASN1_TIME_compare Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#14026)
This folder "../apps/include" is accidentally created. This prevents this glitch. Fixes 19b4fe5 ("Add a CMAC test") Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#14051)
CLA: trivial Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from openssl#14078)
The options listed in the array @disablables are regular expressions. For most of them, it's not visible, but there are a few. However, configdata.pm didn't quite treat them that way, which meant that the few that are visibly regular expressions, there's a difference between that and the corresponding the key in %disabled, which is never a regular expression. To correctly display the enabled and disabled options with --dump, we must therefore go through a bit of Perl gymnastics to get the output correct enough, primarly so that disabled features don't look enabled. Fixes openssl#13790 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#14081)
'no-tests' wasn't entirely respected by test/build.info. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#14081)
This field has not been used since openssl#3858 was merged in 2017 when we moved to a table-based lookup for certificate type properties instead of an index-based one. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from openssl#13991) (cherry picked from commit 3bc0b62)
DCL has a total command line limitation that's too easily broken by them. We solve them by creating separate message scripts and using them. Fixes openssl#13789 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#13834)
This mostly clarifies details. Fixes openssl#13789 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#13834)
The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. CVE-2021-23841 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (cherry picked from commit 8130d65)
Provide a certificate with a bad issuer and check that X509_issuer_and_serial_hash doesn't crash. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (cherry picked from commit 55869f5)
Reduce code copying by factoring out common code into a separate function. Reviewed-by: Paul Dale <pauli@openssl.org>
This also fixes the public function RSA_padding_check_SSLv23. Commit 6555a89 changed the padding check logic in RSA_padding_check_SSLv23 so that padding is rejected if the nul delimiter byte is not immediately preceded by at least 8 bytes containing 0x03. Prior to that commit the padding is rejected if it *is* preceded by at least 8 bytes containing 0x03. Presumably this change was made to be consistent with what it says in appendix E.3 of RFC 5246. Unfortunately that RFC is in error, and the original behaviour was correct. This is fixed in later errata issued for that RFC. This has no impact on libssl for modern versions of OpenSSL because there is no protocol support for SSLv2 in these versions. However applications that call RSA_paddin_check_SSLv23 directly, or use the RSA_SSLV23_PADDING mode may still be impacted. The effect of the original error is that an RSA message encrypted by an SSLv2 only client will fail to be decrypted properly by a TLS capable server, or a message encrypted by a TLS capable client will fail to decrypt on an SSLv2 only server. Most significantly an RSA message encrypted by a TLS capable client will be successfully decrypted by a TLS capable server. This last case should fail due to a rollback being detected. Thanks to D. Katz and Joel Luellwitz (both from Trustwave) for reporting this issue. CVE-2021-23839 Reviewed-by: Paul Dale <pauli@openssl.org>
We test all three cases: - An SSLv2 only client talking to a TLS capable server - A TLS capable client talking to an SSLv2 only server - A TLS capable client talking to a TLS capable server (should fail due to detecting a rollback attack) Reviewed-by: Paul Dale <pauli@openssl.org>
CVE-2021-23840 Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Compiler complained. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#14204) (cherry picked from commit 55e9d8c)
There was no string present for ERR_R_PASSED_INVALID_ARGUMENT Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from openssl#17069)
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from openssl#17083)
d2i_X509_bio(), d2i_X509_fp(), i2d_X509_bio(), and i2d_X509_fp() were documented in OpenSSL 1.0.2. In a grand unification of the documentation of (almost) all d2i and i2d functions, these were dropped, most likely by mistake. This simply adds them back. Fixes openssl#17091 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#17093)
OpenSSL assumes AT_HWCAP = 16 (as on Linux), but on FreeBSD AT_HWCAP = 25 Switch to using AT_HWCAP, and setting it to 16 if it is not defined. OpenSSL calls elf_auxv_info() with AT_CANARY which returns ENOENT resulting in all ARM acceleration features being disabled. CLA: trivial Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#17082) (cherry picked from commit c1dabe2)
The restriction about setting a tag length prior to setting the IV only applies to OCB mode. We clarify when in the process EVP_CTRL_AEAD_SET_TAG can be called. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#17111) (cherry picked from commit 3607b8a)
OSSL_STORE_INFO_X509 doesn't exist. It should be OSSL_STORE_INFO_CERT. Fixes openssl#17121 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#17125) (cherry picked from commit 01fde90)
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#17086) (cherry picked from commit 7a37fd0)
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#17132)
This looks like old code, written when the padded variety of BN_bn2bin() was developped, and disabled by default... and forgotten. A few simple changes to update it to the current API is all that was needed to enable it. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#17133) (cherry picked from commit 23750f6)
Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#17158)
Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#17135)
Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#17135)
The tlsext_ticket_key functions are documented as returning 0 on success. In fact they return 1 on success. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#17210) (cherry picked from commit b0be101)
Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#17221)
This happened after an out of memory error: CRYPTO_THREAD_write_lock may hang in OBJ_NAME_add. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#17236)
Windows 2016 environment is going to be discontinued. We also replace windows-latest with windows-2019 so there aren't two identical builds done once windows-latest is switched to mean windows-2022. Fixes openssl#17177 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#17211)
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#17131)
bn_sqr_comba8 does for instance compute a wrong result for the value:
a=0x4aaac919 62056c84 fba7334e 1a6be678 022181ba fd3aa878 899b2346 ee210f45
The correct result is:
r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f
912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3d 97ed17d4 7950b465 3cb32899
but the actual result was:
r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f
912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3c 97ed17d4 7950b465 3cb32899
so the forth word of the result was 0x75be8e3c but should have been
0x75be8e3d instead.
Likewise bn_sqr_comba4 has an identical bug for the same value as well:
a=0x022181ba fd3aa878 899b2346 ee210f45
correct result:
r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3d 97ed17d4 7950b465 3cb32899
wrong result:
r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3c 97ed17d4 7950b465 3cb32899
Fortunately the bn_mul_comba4/8 code paths are not affected.
Also the mips64 target does in fact not handle the carry propagation
correctly.
Example:
a=0x4aaac91900000000 62056c8400000000 fba7334e00000000 1a6be67800000000
022181ba00000000 fd3aa87800000000 899b234635dad283 ee210f4500000001
correct result:
r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1
0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d
3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06
2822309cd1d292f9 6fa698c972372f09 771e97d3a868cda0 dc421e8a00000001
wrong result:
r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1
0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d
3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06
2822309cd1d292f8 6fa698c972372f09 771e97d3a868cda0 dc421e8a00000001
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#17258)
(cherry picked from commit 336923c)
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#17269)
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#17271)
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#17273)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Past updates also looked like that. CI will indeed tell.... |
dstebila
approved these changes
Dec 14, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Merging upstream 1.1.1m tag.
Not happy with the (overly?) long list of upstream commits and some inexplicable conflicts, though. Did sth go wrong? Let's see what CI says...