Upgrade to upstream 1.1.1t #430

Merged
merged 462 commits into from
Feb 8, 2023

Conversation

baentsch (Member) commented Feb 8, 2023

Fixes #427

  • documentation is added or updated
  • tests are added or updated

levitte and others added 30 commits September 9, 2021 11:21
'__int64', not 'int64_t'

Ref: commit 2e5cdbc

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#16557)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#16524)

(cherry picked from commit 485d079)
Fixes openssl#16517

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#16587)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#16582)

(cherry picked from commit 9e51f87)
The behaviour for what happens in a resumption connection was not quite
described correctly.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#16582)

(cherry picked from commit 4603b78)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#16671)
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#16511)

(cherry picked from commit 8ba65c3)
According to an old stackoverflow thread [1], citing an even older comment by
Andy Polyakov (1875e6d, Pull up Win64 support from 0.9.8., 2005-07-05),
a cast of 'SOCKET' (UINT_PTR) to 'int' does not create a problem, because although
the documentation [2] claims that the upper limit is INVALID_SOCKET-1 (2^64 - 2),
in practice the socket() implementation on Windows returns an index into the kernel
handle table, the size of which is limited to 2^24 [3].

Add this note to the manual page to avoid unnecessary roundtrips to StackOverflow.

[1] https://stackoverflow.com/questions/1953639/is-it-safe-to-cast-socket-to-int-under-win64
[2] https://docs.microsoft.com/en-us/windows/win32/winsock/socket-data-type-2
[3] https://docs.microsoft.com/en-us/windows/win32/sysinfo/kernel-objects

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#16699)

(cherry picked from commit f8dd586)
The dasync_aes_128_cbc_hmac_sha1 cipher depends on
EVP_aes_128_cbc_hmac_sha1() returning a NON-NULL value.
We should simply not advertise this cipher otherwise.

Fixes: openssl#7950

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#16722)
Fixes: openssl#16743

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#16744)

(cherry picked from commit 6f6a5e0)
An EVP_CONTEXT with zero cipher but non-zero engine,
and/or cipher_data is possible if an error happens
in EVP_CTRL_INIT or in EVP_CTRL_COPY, the error handling
will just clear the cipher in that case.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#16756)
When the cipher is copied, the inner_cipher_data
need to be copied as well, using the EVP_CTRL_COPY method.
The EVP_CIPH_CUSTOM_COPY bit needs to be set as well.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#16751)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#16775)

(cherry picked from commit 0ce0c45)
Normally we expect a client to send new extensions in the ClientHello,
which may be echoed back by the server in subsequent messages. However the
server can also send a new extension in the certificate request message to
be echoed back in a certificate message

Fixes openssl#16632

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#16634)

(cherry picked from commit cbb862f)
Test the scenario where we add a custom extension to a certificate
request and expect a response in the client's certificate message.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#16634)

(cherry picked from commit 0db3a99)
…aries

It's a small change to the 'nm' call, to have it look at dynamic symbols
rather than the normal ones.

Fixes openssl#16810

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#16822)

(cherry picked from commit a85b4de)
The output of 'nm -DPg' contains version info attached to the symbols,
which makes the test fail.  Simply dropping the version info makes the
test work again.

Fixes openssl#16810 (followup)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#16840)

(cherry picked from commit 73970cb)
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#16806)

(cherry picked from commit 34563be)
pkey_set_type should not consume the ENGINE references that may be
passed to it.

Fixes openssl#16757

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#16860)
Add some tests which would have caught the issues fixed in the previous
commit related to engine handling.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#16860)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#16794)

(cherry picked from commit f1d077f)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#16792)
Commit 0007ff2 added a protocol version check to psk_server_cb but
failed to take account of DTLS causing DTLS based psk connections to
fail.

Fixes openssl#16707

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from openssl#16838)

(cherry picked from commit 8b09a9c)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#16894)

(cherry picked from commit ef2fb64)
gcc 11.2.0 is the default on Ubuntu 21.10. It emits a (spurious) warning
when compiling test/packettest.c, which causes --strict-warnings builds
to fail. A simple fix avoids the warning.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from openssl#16887)

(cherry picked from commit 37467b2)
Fixes openssl#16899 for 1.1.1 branch.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#16922)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#16948)

(cherry picked from commit d99004f)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#16957)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#16955)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#16974)

(cherry picked from commit 0923528)
mattcaswell and others added 24 commits December 22, 2022 11:07
If an error occurs during a flush on a BIO_f_cipher() then in some cases
we could get into an infinite loop. We add a check to make sure we are
making progress during flush and exit if not.

This issue was reported by Octavio Galland who also demonstrated an
infinite loop in CMS encryption as a result of this bug.

The security team has assessed this issue as not a CVE. This occurs on
*encryption* only which is typically processing trusted data. We are not
aware of a way to trigger this with untrusted data.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#19920)
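The progress check that the commit above describes, as an added model that is not OpenSSL code and not part of this PR. `sink_t` is a hypothetical downstream that accepts bytes until it is full and then returns 0 from its write without reporting an error (the condition that can keep a flush loop that only tests "is anything left?" spinning forever), and `flush_with_progress_check()` gives up as soon as one pass moves no data. The 16-byte payload is constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical downstream (not a BIO): takes bytes until full, then returns
 * 0 from write without signalling an error. */
typedef struct {
    unsigned char store[64];
    size_t capacity;            /* <= sizeof(store) */
    size_t used;
} sink_t;

static void sink_init(sink_t *s, size_t capacity)
{
    memset(s, 0, sizeof(*s));
    s->capacity = capacity > sizeof(s->store) ? sizeof(s->store) : capacity;
}

/* Short writes are legal: returns how many bytes were taken, possibly 0. */
static size_t sink_write(sink_t *s, const unsigned char *buf, size_t len)
{
    size_t room = s->capacity - s->used;
    size_t n = len < room ? len : room;
    memcpy(s->store + s->used, buf, n);
    s->used += n;
    return n;
}

/* Push all of buf[0..len) into the sink. Returns the number of bytes
 * flushed, or -1 as soon as a pass makes no progress, instead of looping
 * on "done < len" until the downstream happens to accept more. */
static long flush_with_progress_check(sink_t *s, const unsigned char *buf,
                                      size_t len)
{
    size_t done = 0;
    while (done < len) {
        size_t n = sink_write(s, buf + done, len - done);
        if (n == 0)
            return -1;          /* stalled: no progress this pass, bail out */
        done += n;
    }
    return (long)done;
}

/* Constructed 16-byte payload used by the demo and the checks. */
static const unsigned char PAYLOAD[16] = "sixteen byte msg";

/* Flush PAYLOAD into a fresh sink of the given capacity; optionally report
 * how many bytes the sink ended up holding. */
static long demo_flush(size_t capacity, size_t *used_out)
{
    sink_t s;
    long r;
    sink_init(&s, capacity);
    r = flush_with_progress_check(&s, PAYLOAD, sizeof(PAYLOAD));
    if (used_out != NULL)
        *used_out = s.used;
    return r;
}

static size_t demo_sink_used(size_t capacity)
{
    size_t used = 0;
    demo_flush(capacity, &used);
    return used;
}

int main(void)
{
    printf("64-byte sink: flushed %ld\n", demo_flush(64, NULL));   /* 16 */
    printf("10-byte sink: flushed %ld\n", demo_flush(10, NULL));   /* -1 */
    printf("10-byte sink holds %zu bytes\n", demo_sink_used(10));  /* 10 */
    return 0;
}
```

The point of the guard is that a downstream returning 0 is not the same as returning an error; without the `n == 0` check the loop has no terminating condition once the sink stops accepting data.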
If the BIO unexpectedly fails to flush then SMIME_crlf_copy() was not
correctly reporting the error. We modify it to properly propagate the
error condition.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#19920)
Some things that may go wrong in asn1_bio_write() are serious errors
that should be reported as -1, rather than 0 (which just means "we wrote
no data").

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#19920)
If the cipher being used in ossl_cms_EncryptedContent_init_bio() has no
associated OID then we should report an error rather than continuing on
regardless. Continuing on still ends up failing - but later on and with a
more cryptic error message.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#19920)
Otherwise the alloca can cause an exception.

Issue reported by Jiayi Lin.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#19735)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#19930)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#19930)
Byte swapping code incorrectly uses the number of AES rounds to swap expanded
AES key, while swapping only a single dword in a loop, resulting in swapped
key and partially swapped expanded keys, breaking AES encryption and
decryption on VIA Padlock hardware.

This commit correctly sets the number of swapping loops to be done.

Fixes openssl#20073

CLA: trivial

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#20077)

(cherry picked from commit 7331e7e)
Test that sending large app data records works correctly.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from openssl#20087)
Some ciphers/protocol versions have an explicit IV. We need to make sure we
have sufficient room for it in the underlying buffer.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from openssl#20087)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from openssl#20087)
The by_dir certificate/CRL lookup code uses an OPENSSL_STACK to track
how many sequentially numbered CRL files have been loaded for a given
X509_NAME hash which is being requested. This avoids loading already
loaded CRL files and repeated stat() calls.

This OPENSSL_STACK is searched using sk_find, however this mutates
the OPENSSL_STACK unless it is known to be sorted. This operation
therefore requires a write lock, which was not taken.

Fix this issue by sorting the OPENSSL_STACK whenever it is mutated. This
guarantees no mutation will occur during sk_find. This is chosen over
taking a write lock during sk_find as retrieving a CRL by X509_NAME is
assumed to be a hotter path than the case where a new CRL is installed.

Also optimise the code by avoiding creating the structure to track the
last CRL file sequence number in the circumstance where it would match
the initial value, namely where no CRL with the given hash is installed.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#20127)
Using floating point is not supported in UEFI and can cause build
problems, for example due to SSE being disabled and x64 calling
convention passing floats in SSE registers.

Avoid those problems by not compiling the formatting code for floating
point numbers.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#19738)
If the user specifies an alternative build file than the default, this
alternative is recorded in $config{build_file}, not $target{build_file}.
Therefore, the former should be used, leaving the latter as a mere default.

This is a bug.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from openssl#20174)
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA
padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.

Patch written by Dmitry Belyavsky and Hubert Kario

CVE-2022-4304

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
In the event of a failure in PEM_read_bio_ex() we free the buffers we
allocated for the header and data buffers. However we were not clearing
the ptrs stored in *header and *data. Since, on success, the caller is
responsible for freeing these ptrs this can potentially lead to a double
free if the caller frees them even on failure.

Thanks to Dawei Wang for reporting this issue.

Based on a proposed patch by Kurt Roeckx.

CVE-2022-4450

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Call PEM_read_bio_ex() and expect a failure. There should be no dangling
ptrs and therefore there should be no double free if we free the ptrs on
error.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
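The dangling out-pointer pattern behind CVE-2022-4450, as an added illustration that is not OpenSSL code and not part of this PR. It does not call OpenSSL: `read_pem_like()` is a hypothetical stand-in that mirrors the PEM_read_bio_ex() ownership contract (on success the caller owns `*header` and `*data`), and `tracked_free()` records a second free of the same pointer instead of performing it, so the pre-fix behaviour is observable rather than a crash. `clear_on_error` selects the behaviour before the fix (0) or after it (1); the two PEM-like inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Demo-only free tracker: records every pointer freed and counts attempts
 * to free one of them a second time (the attempt is counted, not done). */
#define MAX_TRACKED 16
static void *freed_ptrs[MAX_TRACKED];
static int n_freed;
static int double_free_attempts;

static void tracked_free(void *p)
{
    int i;
    if (p == NULL)
        return;
    for (i = 0; i < n_freed; i++) {
        if (freed_ptrs[i] == p) {
            double_free_attempts++;     /* a real free() here is a double free */
            return;
        }
    }
    if (n_freed < MAX_TRACKED)
        freed_ptrs[n_freed++] = p;
    free(p);
}

static void tracker_reset(void)
{
    n_freed = 0;
    double_free_attempts = 0;
}

static int double_free_count(void)
{
    return double_free_attempts;
}

static char *dup_range(const char *s, size_t n)
{
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, s, n);
    out[n] = '\0';
    return out;
}

/* Hypothetical reader with the PEM_read_bio_ex() contract: the header is
 * everything before the first blank line, the data everything after it,
 * and the data must end with an END marker. Returns 1 on success (caller
 * owns *header and *data) and 0 on failure. With clear_on_error == 0 the
 * out-pointers are left pointing at freed memory on failure (pre-fix);
 * with 1 they are reset to NULL (the fix). */
static int read_pem_like(const char *in, char **header, char **data,
                         int clear_on_error)
{
    const char *sep = strstr(in, "\n\n");
    if (sep == NULL)
        return 0;                       /* nothing allocated yet */
    *header = dup_range(in, (size_t)(sep - in));
    *data = dup_range(sep + 2, strlen(sep + 2));
    if (*header == NULL || *data == NULL)
        goto err;
    if (strstr(*data, "-----END") == NULL)
        goto err;                       /* truncated input */
    return 1;
err:
    tracked_free(*header);
    tracked_free(*data);
    if (clear_on_error) {
        *header = NULL;                 /* what the CVE-2022-4450 fix adds */
        *data = NULL;
    }
    return 0;
}

/* A caller that frees both buffers whatever the reader returned: safe only
 * if the reader leaves no dangling pointers behind on failure. */
static int read_and_cleanup(const char *in, int clear_on_error)
{
    char *header = NULL, *data = NULL;
    int ok = read_pem_like(in, &header, &data, clear_on_error);
    tracked_free(header);
    tracked_free(data);
    return ok;
}

/* Constructed inputs: one well-formed, one missing its END marker. */
static const char GOOD_PEM[] =
    "Proc-Type: 4,ENCRYPTED\n\nQUFBQQ==\n-----END DEMO-----\n";
static const char TRUNCATED_PEM[] =
    "Proc-Type: 4,ENCRYPTED\n\nQUFBQQ==\n";

int main(void)
{
    tracker_reset();
    read_and_cleanup(TRUNCATED_PEM, 0);
    printf("pre-fix:  %d double-free attempts\n", double_free_count()); /* 2 */
    tracker_reset();
    read_and_cleanup(TRUNCATED_PEM, 1);
    printf("fixed:    %d double-free attempts\n", double_free_count()); /* 0 */
    tracker_reset();
    printf("good input: ok=%d, %d double-free attempts\n",
           read_and_cleanup(GOOD_PEM, 1), double_free_count());        /* 1, 0 */
    return 0;
}
```

The caller here is deliberately sloppy; the commit's point is that an API which hands ownership to the caller on success must not leave freed addresses in the out-parameters on failure, because callers do write cleanup like this.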
If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
be part of an invalid BIO chain. This causes a "use after free" when the
BIO is eventually freed.

Based on an original patch by Viktor Dukhovni and an idea from Theo
Buehler.

Thanks to Octavio Galland for reporting this issue.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Test for the issue fixed in the previous commit

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
baentsch merged commit 511f387 into OQS-OpenSSL_1_1_1-stable on Feb 8, 2023
baentsch deleted the mb-111t branch on February 8, 2023 at 17:29
Successfully merging this pull request may close these issues.

Upgrade to v1.1.1t