Upstream 1.1.1s #407
Merged
Upstream 1.1.1s #407
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#16385) (cherry picked from commit 562d4cd)
Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#16381)
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#16375)
Command 'openssl ciphers -convert <name>' always returns failure, this patch set the correct return value. Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#16383) (cherry picked from commit 8b4e9c5)
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#16382)
CLA: trivial Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#16347) (cherry picked from commit 62bae84)
issue openssl#16407 openssl#16408 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#16409)
CLA: trivial Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#16403)
ubsan found undefined pointer addtions in crypto/bio/bss_mem.c (mem_ctrl), crypto/pem/pem_lib.c (PEM_read_bio_ex), test/testutil/format_output.c (test_fail_string_common, test_fail_memory_common). Mostly a straight back-port-of: a07dc81 Additionally enable the ubsan run-checker, to prevent regressions. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from openssl#16423)
the following config: ./config no-shared enable-asan enable-buildtest-c++ enable-external-tests fails to build with unresolved asan symbols when linking test/ossl_shim/ossl_shim Fixed by passing all sanitizer-flags to cxxflags. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#16434)
This test did not really execute, since usually the OPENSSL_malloc(0) will fail and prevent the execution of the KDF. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#16446)
This fixes the following error with gcc10 under strict ANSI conditions: .../crypto/bio/bss_dgram.c:373:20: error: 'const struct in6_addr' has no member named 's6_addr32' CLA: trivial Fixes openssl#16449 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from openssl#16451) (cherry picked from commit e8e1f6d)
This recently added test needs DH2048 to work without tls1_3. Fixes: openssl#16335 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#16453)
These functions are part of the public API but we don't have tests covering their usage. They are actually implemented as macros and the absence of tests has caused them to fall out-of-sync with the latest changes to ASN1 related functions and cause compilation warnings. @@ Note: This commit limits to ECPKParameters as a type. (cherry picked from commit ea1128e) Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#12457)
These functions are part of the public API but we don't have tests covering their usage. They are actually implemented as macros and the absence of tests has caused them to fall out-of-sync with the latest changes to ASN1 related functions and cause compilation warnings. This commit fixes the public headers to reflect these changes. Fixes openssl#12443 (cherry picked from commit cca8a4c) Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#12457)
Some curves don't have an associated OID: for those we should not default to `OPENSSL_EC_NAMED_CURVE` encoding of parameters and instead set the ASN1 flag to `OPENSSL_EC_EXPLICIT_CURVE`. This is a follow-up to openssl#12312 (cherry picked from commit 7aa3dfc) Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#12457)
(cherry picked from commit <bernd-edlinger@96a463c>) Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from openssl#12457)
Fixes openssl#16428 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#16441)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#16441)
(kfreebsd-amd64, kfreebsd-i386). The error reported by the compiler
is:
../crypto/uid.c: In function 'OPENSSL_issetugid':
../crypto/uid.c:50:22: error: 'AT_SECURE' undeclared (first use in this function)
50 | return getauxval(AT_SECURE) != 0;
| ^~~~~~~~~
This commit changes the code to use the freebsd code in this case.
This fixes the compilation.
CLA: trivial
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#16477)
(cherry picked from commit 3a1fa01)
This was missing but essential for using non-SHA1 digests with OAEP. Fixes openssl#15998 Manual backport of openssl#16410 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from openssl#16488)
When building the certificate chain, prioritise any Cert(0) Full(0) certificates from TLSA records over certificates received from the peer. This is important when the server sends a cross cert, but TLSA records include the underlying root CA cert. We want to construct a chain with the issuer from the TLSA record, which can then match the TLSA records (while the associated cross cert may not). Reviewed-by: Tomáš Mráz <tomas@openssl.org>
Reviewed-by: Tomáš Mráz <tomas@openssl.org>
Whenever the source from $target{apps_init_src} is added to the source
of a test program, it needs to be linked with libapps.a as well. Some
init sources depend on that.
Without this, builds break on VMS because of the unresolved symbol
'app_malloc'.
On platforms that do not need anything from libapps.a, adding it is a
no-op.
This is for OpenSSL 1.1.1 only. OpenSSL 3.0 and beyond have a
different solution.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#16512)
The compiler says that 'unsigned long long' isn't the same as 'unsigned __int64'. Sure, and considering that crypto/rand/rand_vms.c is specific VMS only code, it's easy to just change the type to the exact same as what's specified in the system headers. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#15613)
The options -1 and -apr1 were mentioned in DESCRIPTION, not mentioning any other options or even mentioning that there are more algorithms. The simple fix is to remove that sentence and let the OPTIONS section speak for itself. Fixes openssl#16529 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#16531) (cherry picked from commit 116799f)
If the first app data record arrives before the Finished message we should be able to buffer it and move on to the Finished message. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#18976)
As of clang-14 the strict aliasing is causing code to magically disappear. By explicitly inlining the code, the aliasing problem evaporates. Fixes openssl#18225 Backport of openssl#18258 to 1.1.1. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#18948)
Avoid problems when the lower 32 bits of time_t roll over by delaying the cast to integer until after the time delta has been computed. Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#19004) (cherry picked from commit a6cadcb)
Fixes a bug in the cookie code which would have caused problems for ten minutes before and after the lower 32 bits of time_t rolled over. Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#19022)
CLA: trivial Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#19007) (cherry picked from commit c92c3df)
Fixes openssl#18183. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from openssl#19081)
…a updated We need to reencode X509_req_info_st if member data updated. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from openssl#18879)
… successful Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from openssl#18879)
The IRIX mips64-cpu, n32-abi configurations include SIXTY_FOUR_BIT in bn_ops, but it is missing from mips64*-linux-*abin32 (which OpenSSL calls "linux-mips64"). This causes heap corruption when verifying TLS certificates (which tend to be RSA-signed) with openssl 1.1.1q: ``` nix@oak:~$ /nix/store/4k04dh6a1zs6hxiacwcg4a4nvxvgli2j-openssl-mips64el-unknown-linux-gnuabin32-1.1.1q-bin/bin/openssl s_client -host www.google.com -port 443free(): invalid pointer Aborted ``` and a slightly different failure with current HEAD: ``` nix@oak:~$ /nix/store/9bqxharxajsl9fid0c8ls6fb9wxp8kdc-openssl-mips64el-unknown-linux-gnuabin32-1.1.1q-bin/bin/openssl s_client -host www.google.com -port 443 Connecting to 142.250.180.4 CONNECTED(00000003) Fatal glibc error: malloc assertion failure in sysmalloc: (old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0) Aborted ``` Applying this patch and recompiling produces the expected output instead of a crash. Note that Gentoo (and to my knowledge all other other distributions which support mips64n32) use the `linux-generic32` configuration, which uses only 32-bit arithmetic (rather than full 64-bit arithmetic) and lacks assembler implementations for the SHA hash functions: https://gitweb.gentoo.org/repo/gentoo.git/tree/dev-libs/openssl/files/gentoo.config-1.0.2#n102 For support in nixpkgs we would like to use the full 64-bit integer registers and perlasm routines, so I'm submitting this upstream as well. Fixes openssl#19319 CLA: trivial Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from openssl#19320) (cherry picked from commit d250e85)
Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes (Merged from openssl#19381)
Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes (Merged from openssl#19383)
Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes
Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes
This reverts commit 748df18. Fixes openssl#19388 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#19392)
Also change B< to I< in {CMS,PKCS7}_verify.pod, PKCS7_sign{,_add_signer}.pod
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from openssl#19108)
(cherry picked from commit 312a6b3)
Fixes openssl#19460 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from openssl#19461) (cherry picked from commit 5b9480f)
If rule_str ended in a "-", "l" was incremented one byte past the end of the buffer. This resulted in an out-of-bounds read when "l" is dereferenced at the end of the loop. It is safest to just return early in this case since the condition occurs inside a nested loop. CLA: trivial Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#19166) (cherry picked from commit 428511c)
SYS$GETTIM_PREC is a very new function, only available on OpenVMS v8.4. OpenSSL binaries built on OpenVMS v8.4 become unusable on older OpenVM versions, but building for the older CRTL version will make the high precision time functions unavailable. Tests have shown that on Alpha and Itanium, the time update granularity between SYS$GETTIM and SYS$GETTIM_PREC is marginal, so the former plus a sequence number turns out to be better to guarantee a unique nonce. Fixes openssl#18727 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from openssl#18730)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#19558)
Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes (Merged from openssl#19560)
Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes
dstebila
approved these changes
Nov 19, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #404