Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OPENSSL_cpuid_setup FreeBSD arm update. #13650

Closed

Conversation

@devnexen
Copy link
Contributor

@devnexen devnexen commented Dec 9, 2020

when possible using the getauxval equivalent which has similar ids as Linux, instead of bad instructions catch approach.

@devnexen devnexen force-pushed the devnexen:fbsd_arm_arch_getcpufeatures branch Dec 9, 2020
Copy link
Contributor

@paulidale paulidale left a comment

Looks good. One formatting/style nit.

crypto/armcap.c Show resolved Hide resolved
@devnexen devnexen force-pushed the devnexen:fbsd_arm_arch_getcpufeatures branch to d7f99d4 Dec 10, 2020
Copy link
Contributor

@kaduk kaduk left a comment

The "changes requested" is for splitting the preprocessor directive; the other stuff is optional.

Should we also consider giving ppccap.c the same treatment? (I don't think that FreeBSD runs on S390x...)

@@ -71,6 +72,20 @@ void OPENSSL_cpuid_setup(void) __attribute__ ((constructor));
# define OSSL_IMPLEMENT_GETAUXVAL
# endif
# endif
# if defined(__FreeBSD__) && __FreeBSD_version >= 1200000

This comment has been minimized.

@kaduk

kaduk Dec 14, 2020
Contributor

It looks like elf_aux_info() has been a public function on stable/11 since r356674, so 1103507 might be a better check.
Also, ISTR a need to use separate preprocessor directives for testing if a symbol is defined and comparing against its value, since some platforms we claim to support will choke on expressions like this if the value is not defined.

This comment has been minimized.

@devnexen

devnexen Dec 14, 2020
Author Contributor

Well the man page specifies since the 12.x release https://github.com/freebsd/freebsd/blob/b5a8a00c4307f6a1024e85e779c8e418ee087127/lib/libc/gen/auxv.3#L98

indeed even the last 11 release, the 11.4 one does not even have this man page as seen here https://github.com/freebsd/freebsd/blob/release/11.4.0/lib/libc/gen/auxv.3 so it seems "wiser" approach.

This comment has been minimized.

@devnexen

devnexen Dec 14, 2020
Author Contributor

Also, ISTR a need to use separate preprocessor directives for testing if a symbol is defined and comparing against its value, since some platforms we claim to support will choke on expressions like this if the value is not defined.

I do not get the last part, it is very common to test if this FreeBSD then its release via the __FreeBSD_version constant.

This comment has been minimized.

@kaduk

kaduk Dec 14, 2020
Contributor

It is very common to do that on FreeBSD, yes. But this file gets compiled on all OSes that OpenSSL supports (well, all those that support arm hardware), and some of those compilers leave much to be desired.

@devnexen devnexen force-pushed the devnexen:fbsd_arm_arch_getcpufeatures branch from d7f99d4 to 4962cca Dec 15, 2020
Copy link
Contributor

@kaduk kaduk left a comment

Thanks for the updates; they look good.
Unfortunately I failed to think hard enough about the <sys/param.h> inclusion the first time around, and think that one more change is needed. Sorry to have missed that previously.

@@ -12,6 +12,7 @@
#include <string.h>
#include <setjmp.h>
#include <signal.h>
#include <sys/param.h>

This comment has been minimized.

@kaduk

kaduk Dec 18, 2020
Contributor

I think we need to keep the #include <sys/param.h> conditional, presumably also on defined(__FreeBSD__), since that's not a terribly portable header. (I'm actually rather surprised that the CI was happy with it.)

@kaduk kaduk dismissed stale reviews from paulidale and themself Dec 18, 2020

requested changes were made

when possible using the getauxval equivalent which has similar ids as Linux, instead of bad instructions catch approach.
@devnexen devnexen force-pushed the devnexen:fbsd_arm_arch_getcpufeatures branch from 4962cca to 229fcfa Dec 18, 2020
@kaduk
kaduk approved these changes Dec 18, 2020
Copy link
Contributor

@kaduk kaduk left a comment

Thanks for the quick turnaround!

@kaduk
Copy link
Contributor

@kaduk kaduk commented Dec 18, 2020

I will speculatively add the 1.1.1 label, though it is pretty borderline whether it qualifies.
The argument mostly being that having the library install a signal handler is a bug in its own right, just one that happens to be the least-bad option in some cases.

@openssl-machine
Copy link

@openssl-machine openssl-machine commented Jan 13, 2021

This pull request is ready to merge

openssl-machine pushed a commit that referenced this pull request Jan 14, 2021
when possible using the getauxval equivalent which has similar ids as Linux, instead of bad instructions catch approach.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from #13650)
openssl-machine pushed a commit that referenced this pull request Jan 14, 2021
when possible using the getauxval equivalent which has similar ids as Linux, instead of bad instructions catch approach.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from #13650)

(cherry picked from commit 5eb24fb)
@mattcaswell
Copy link
Member

@mattcaswell mattcaswell commented Jan 14, 2021

Pushed. Thanks.

baentsch added a commit to open-quantum-safe/openssl that referenced this pull request Jan 22, 2021
* Update copyright years of auto-generated headers (make update)

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from openssl#13764)

* crypto/win: Don't use disallowed APIs on UWP

CreateFiber and ConvertThreadToFiber are not allowed in Windows Store
(Universal Windows Platform) apps since they have been replaced by
their Ex variants which have a new dwFlags parameter.

This flag allows the fiber to do floating-point arithmetic in the
fiber on x86, which would silently cause corruption otherwise since
the floating-point state is not switched by default.

Switch to these "new" APIs which were added in Vista.

See: https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createfiberex#parameters

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#12400)

* win-onecore: Build with /APPCONTAINER for UWP compat

When targeting the win-onecore configuration, we must link with
/APPCONTAINER which is a requirement for submitting apps to the
Windows Store.

Without this, the Windows App Certificate Kit will reject the app:
https://docs.microsoft.com/en-us/cpp/build/reference/appcontainer-windows-store-app

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#12400)

* EVP_SIGNATURE-ED25519.pod: fix typo in algo name

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13768)

* 28-seclevel.cnf.in: fix typo in algo name

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13768)

* Updated SSL_CTX_new doc

Fixes openssl#13703

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13741)

* Use CRIOGET to fetch a crypto descriptor when present.

FreeBSD's current /dev/crypto implementation requires that consumers
clone a separate file descriptor via the CRIOGET ioctl that can then
be used with other ioctls such as CIOCGSESSION.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from openssl#13468)

* Support session information on FreeBSD.

FreeBSD's /dev/crypto does not provide a CIOCGSESSINFO ioctl, but it
does provide other ioctls that can be used to provide similar
functionality.

First, FreeBSD's /dev/crypto defines a CIOCGESSION2 ioctl which accepts
a 'struct session2_op'.  This structure extends 'struct session_op'
with a 'crid' member which can be used to either request an individual
driver by id, or a class of drivers via flags.

To determine if the available drivers for a given algorithm are
accelerated or not, use CIOCGESSION2 to first attempt to create an
accelerated (hardware) session.  If that fails, fall back to
attempting a software session.  In addition, when requesting a new
cipher session, use the current setting of the 'use_softdrivers' flag
to determine the value assigned to 'crid' when invoking CIOCGSESSION2.

Finally, use the returned 'crid' value from CIOCGSESSION2 to look up
the name of the associated driver via the CIOCFINDDEV ioctl.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from openssl#13468)

* Mac M1 setting change proposal.

Running tests takes very long with the current setting while it takes a
lot shorter time with this change.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13771)

* Only perform special TLS handling if TLS has been configured

Skip over special TLS steps for stream ciphers if we haven't been
configured for TLS.

Fixes openssl#12528

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from openssl#13774)

* Update copyright year

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from openssl#13800)

* Prepare for release of 3.0 alpha 10

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>

* Prepare for 3.0 alpha 11

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>

* Fix set_ciphersuites ignore unknown ciphers.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#12100)

* Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#12100)

* Fixed error and return code.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#12100)

* Remove extra space.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#12100)

* Ensure DTLS free functions can handle NULL

Our free functions should be able to deal with the case where the object
being freed is NULL. This turns out to not be quite the case for DTLS
related objects.

Fixes openssl#13649

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13655)

* [crypto/dh] side channel hardening for computing DH shared keys

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13783)

* Adding TLS group name retrieval

Function SSL_group_to_name() added, together with documentation and tests.
This now permits displaying names of internal and external
provider-implemented groups.

Partial fix of openssl#13767

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13785)

* [test] Add `pkey -check` validation tests

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13359)

* [apps/pkey] Return error on failed `-[pub]check`

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13359)

* [test][pkey_check] Add invalid SM2 key test

SM2 private keys have different validation requirements than EC keys:
this test checks one corner case highlighted in
openssl#8435

As @bbbrumley mentioned in
openssl#8435 (comment)
this only fixes the absence of a regression test for validation of this
kind of boundary issues for decoded SM2 keys.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13359)

* Add SM2 private key range validation

According to the relevant standards, the valid range for SM2 private
keys is [1, n-1), where n is the order of the curve generator.

For this reason we cannot reuse the EC validation function as it is, and
we introduce a new internal function `sm2_key_private_check()`.

Partially fixes openssl#8435

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13359)

* [test][pkey_check] Add more invalid SM2 key tests

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13359)

* replace 'unsigned const char' with 'const unsigned char'

The openssl code base has only a few occurrences of 'unsigned const char'
(15 occurrences), compared to the more common 'const unsigned char' (4420
occurrences).

While the former is not illegal C, mixing the 'const' keyword (a 'type
qualifier') in between 'unsigned' and 'char' (both 'type specifiers') is a
bit odd.

The background for writing this patch is not to be pedantic, but because
the 'opmock' program (used to mock headers for unit tests) does not accept
the 'unsigned const char' construct. While this definitely is a bug in
opmock or one of its dependencies, openssl is the only piece of software we
are using in combination with opmock that has this construct.

CLA: trivial

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from openssl#13722)

* Fix simpledynamic test compilation when condigured without DSO support.

This fixes this compilation error:
In file included from test/simpledynamic.c:13:
test/simpledynamic.h:39:35: error: unknown type name 'SD'
   39 | int sd_load(const char *filename, SD *sd, int type);
      |                                   ^~
test/simpledynamic.h:40:12: error: unknown type name 'SD'
   40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym);
      |            ^~
test/simpledynamic.h:40:40: error: unknown type name 'SD_SYM'
   40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym);
      |                                        ^~~~~~
test/simpledynamic.h:41:14: error: unknown type name 'SD'
   41 | int sd_close(SD lib);
      |              ^~
make[1]: *** [Makefile:24670: test/moduleloadtest-bin-simpledynamic.o] Error 1
make[1]: *** Waiting for unfinished jobs....
In file included from test/moduleloadtest.c:19:
test/simpledynamic.h:39:35: error: unknown type name 'SD'
   39 | int sd_load(const char *filename, SD *sd, int type);
      |                                   ^~
test/simpledynamic.h:40:12: error: unknown type name 'SD'
   40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym);
      |            ^~
test/simpledynamic.h:40:40: error: unknown type name 'SD_SYM'
   40 | int sd_sym(SD sd, const char *symname, SD_SYM *sym);
      |                                        ^~~~~~
test/simpledynamic.h:41:14: error: unknown type name 'SD'
   41 | int sd_close(SD lib);
      |              ^~

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13802)

* Fix for negative return value from `SSL_CTX_sess_accept()`

Fixes openssl#13183

From the original issue report, before this commit, on master and on
1.1.1, the issue can be detected with the following steps:

- Start with a default SSL_CTX, initiate a TLS 1.3 connection with SNI,
  "Accept" count of default context gets incremented
- After servername lookup, "Accept" count of default context gets
  decremented and that of SNI context is incremented
- Server sends a "Hello Retry Request"
- Client sends the second "Client Hello", now again "Accept" count of
  default context is decremented. Hence giving a negative value.

This commit fixes it by adding a check on `s->hello_retry_request` in
addition to `SSL_IS_FIRST_HANDSHAKE(s)`, to ensure the counter is moved
only on the first ClientHello.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from openssl#13297)

* doc/man7/provider.pod: updates providers to use EVP_MD_free() and EVP_CIPHER_free()
instead of EVP_MD_meth_free() and EVP_CIPHER_meth_free() respectively which are used mostly by the engine (legacy) code.

Signed-off-by: Sahana Prasad <sahana@redhat.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from openssl#13814)

* apps.c: Fix crash in case uri arg of IS_HTTP or IS_HTTPS is NULL

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13712)

* apps/pkey.c: Make clear that -passout is not supported for DER output

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13712)

* apps/pkey.c: Re-order help output and option documentation

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13712)

* apps/pkey.c: Forther improve user guidance, also on non-sensical option combinations

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13712)

* APPS: Fix confusion between program and app/command name used in diagnostic/help output

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13799)

* APPS: Print help also on -h and --h; print high-level help when no cmd given

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13799)

* Close /dev/crypto file descriptor after CRIOGET ioctl().

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from openssl#13807)

* v3_ocsp.c: fix indentation of include directives

Fixes openssl#13820

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from openssl#13822)

* Configure: Check all SOURCE declarations, to ensure consistency

If the given sources are GENERATEd, we check those generators as well.

This ensures that the declarations in the diverse build.info files are
consistent with existing files.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13824)

* Configure: clean away perl syntax faults

The faults aren't fatal (i.e. perl just shrugs), but are curious.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13824)

* Configure: warn about duplicate GENERATE declarations in build.info files

This sort of duplication is permitted, as the end result will be a single
item anyway, but we might as well warn to avoid future confusion.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13824)

* Remove duplicate GENERATE declarations for .pod files

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13824)

* Use centralized fetching errors

We've spread around FETCH_FAILED errors in quite a few places, and
that gives somewhat crude error records, as there's no way to tell if
the error was unavailable algorithms or some other error at such high
levels.

As an alternative, we take recording of these kinds of errors down to
the fetching functions, which are in a much better place to tell what
kind of error it was, thereby relieving the higher level calls from
having to guess.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13467)

* Clean away extraneous library specific FETCH_FAILED reason codes

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13467)

* Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1

Deprecate X509_NAME_hash()
Document X509_NAME_hash_ex(), X509_NAME_hash(), X509_{subject,issuer}_name_hash()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13762)

* TEST: move cert, key, and CSR loading aux functions to new testutil/load.c

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13762)

* Make PEM_X509_INFO_read_bio_ex() conservative on the error queue

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13762)

* x509_vfy.c: Fix a regression in find_issuer()

...in case the candidate issuer cert is identical to the target cert.

This is the v3.0.0 variant of openssl#13749 fixing openssl#13739 for v1.1.1.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13762)

* Fix enable-weak-ssl-ciphers

Commit e260bee broke the enable-weak-ssl-ciphers option. The stitched
rc4-hmac-md5 cipher implementation did not recognise the tls_version
parameter, and therefore was being incorrectly handled.

Fixes openssl#13795

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from openssl#13803)

* Fix incorrect use of BN_CTX API

In some edge cases BN_CTX_end was being called without first calling
BN_CTX_start. This creates a situation where the state of the big
number allocator is corrupted and may lead to crashes.

Fixes openssl#13812

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13813)

* d2i_X509(): Make deallocation behavior consistent with d2i_X509_AUX()

Partly fixes openssl#13754

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13755)

* X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert

This is the upstream fix for openssl#13698 reported for v1.1.1

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13755)

* apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default

Fixes openssl#13603

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13658)

* APPS: Allow OPENSSL_CONF to be empty, not loading a config file

Also document the function CONF_get1_default_config_file()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13658)

* apps/req.c: add -CA and -CAkey options; improve code and doc

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13658)

* Add tests for (non-)default SKID and AKID inclusion by apps/{req,x509,ca}.c

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13658)

* apps/lib/opt.c: Fix error message on unknown option/digest

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13658)

* X509_PUBKEY_set(): Fix error reporting

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13658)

* apps/req.c: make -subj work with -x509; clean up related code

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13658)

* Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert

Also clean up some related auxiliary functions and documentation

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13658)

* apps/req.c: Add -copy_extensions option for use with -x509; default: none

Fixes openssl#13708

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13658)

* crypto/x509: Rename v3_{skey,skid}.c, v3_{akey,akid}.c, v3_{alt,san}.c

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13658)

* apps/req.c: Cosmetic improvements of code and documentation

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13658)

* apps/req.c: Make sure -verify option takes effect also with -x509

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13658)

* x509v3.h.in: Deprecate CTX_TEST and replace it by X509V3_CTX_TEST

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13658)

* chacha20: Properly reinitialize the cipher context with NULL key

Same for chacha20-poly1305.

The test_cipher_reinit and test_cipher_reinit_partialupdate is modified
to test this case of cipher context reinitialization.

Fixes openssl#13064

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#13850)

* Make the OSSL_PARAM manual conform with man-pages(7)

Details from man-pages(7) that are used:

    Formatting conventions for manual pages describing functions

        ...
        Variable names should, like argument names, be specified in italics.
        ...

    Formatting conventions (general)

        ...
        Special macros, which are usually in uppercase, are in bold.
        Exception: don't boldface NULL.
        ...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from openssl#13848)

* Make the OSSL_SELF_TEST manual conform with man-pages(7)

Details from man-pages(7) that are used:

    Formatting conventions for manual pages describing functions

        ...
        Variable names should, like argument names, be specified in italics.
        ...

    Formatting conventions (general)

        ...
        Special macros, which are usually in uppercase, are in bold.
        Exception: don't boldface NULL.
        ...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13849)

* Make the OSSL_HTTP manual conform with man-pages(7)

Details from man-pages(7) that are used:

    Formatting conventions for manual pages describing functions

        ...
        Variable names should, like argument names, be specified in italics.
        ...

    Formatting conventions (general)

        ...
        Special macros, which are usually in uppercase, are in bold.
        Exception: don't boldface NULL.
        ...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13847)

* Make the OSSL_PROVIDER manual conform with man-pages(7)

Details from man-pages(7) that are used:

    Formatting conventions for manual pages describing functions

        ...
        Variable names should, like argument names, be specified in italics.
        ...

    Formatting conventions (general)

        ...
        Special macros, which are usually in uppercase, are in bold.
        Exception: don't boldface NULL.
        ...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13845)

* Make the OSSL_trace manual conform with man-pages(7)

Details from man-pages(7) that are used:

    Formatting conventions for manual pages describing functions

        ...
        Variable names should, like argument names, be specified in italics.
        ...

    Formatting conventions (general)

        ...
        Special macros, which are usually in uppercase, are in bold.
        Exception: don't boldface NULL.
        ...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13842)

* Make header references conform with man-pages(7) in all manuals

Details from man-pages(7) that are used:

   Formatting conventions (general)

       ...
       Filenames (whether pathnames, or references to header files) are always
       in italics (e.g., <stdio.h>), except in the SYNOPSIS section, where in‐
       cluded files are in bold (e.g., #include <stdio.h>).  When referring to
       a standard header file include, specify the header file  surrounded  by
       angle brackets, in the usual C way (e.g., <stdio.h>).
       ...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13843)

* OPENSSL_cpuid_setup FreeBSD PowerPC update

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13821)

* OPENSSL_cpuid_setup FreeBSD arm update.

when possible using the getauxval equivalent which has similar ids as Linux, instead of bad instructions catch approach.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13650)

* Skip BOM when reading the config file

Fixes openssl#13840

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#13857)

* Make the OSSL_CMP manual conform with man-pages(7)

Details from man-pages(7) that are used:

    Formatting conventions for manual pages describing functions

        ...
        Variable names should, like argument names, be specified in italics.
        ...

    Formatting conventions (general)

        ...
        Special macros, which are usually in uppercase, are in bold.
        Exception: don't boldface NULL.
        ...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13846)

* find_issuer(): When returning an expired issuer, take the most recently expired one

Also point out in the documenting comment that a non-expired issuer is preferred.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13805)

* Fix a crash with multi-threaded applications using the FIPS module

The FIPS implementation of the ossl_ctx_thread_stop function needs to
use an OSSL_LIB_CTX - but gets passed a provctx as an argument. It was
assuming that these are the same thing (which was true at one point
during development) - but that is no longer the case. The fix is to
get the OSSL_LIB_CTX out of the provctx.

Fixes openssl#13469

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13660)

* Add a test for performing work in multiple concurrent threads

We test both the default provider and the fips provider

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13660)

* Document the core_thread_start upcall

The core_thread_start upcall previously had a placeholder in the docs.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13660)

* Lock the provider operation_bits

The provider operation_bits array can see concurrent access by multiple
threads and can be reallocated at any time. Therefore we need to ensure
that it is appropriately locked.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13660)

* Make sure we take the ctx->lock in ossl_lib_ctx_generic_new()

The function ossl_lib_ctx_generic_new() modifies the exdata. This may
be simultaneously being modified by other threads and therefore we need
to make sure we take the lock before doing so.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13660)

* Enable locking on the primary DRBG when we create it

The primary DRBG may be shared across multiple threads and therefore
we must use locking to access it. Previously we were enabling that locking
lazily when we attempted to obtain one of the child DRBGs. Part of the
process of enabling the lock, is to create the lock. But if we create the
lock lazily then it is too late - we may race with other threads where each
thread is independently attempting to enable the locking. This results
in multiple locks being created - only one of which "sticks" and the rest
are leaked.

Instead we enable locking on the primary when we first create it. This is
already locked and therefore we cannot race.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13660)

* Extend the threads test to add simple fetch from multi threads

Issue openssl#13682 suggests that doing a simple fetch from multi-threads may
result in issues so we add a test for that.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13660)

* Fix an issue in provider_activate_fallbacks()

The above function was running while holding the store lock with a read
lock. Unfortunately it actually modifies the store, so a write lock is
required instead.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13660)

* Fix a failure where fetches can return NULL in multi-threaded code

When a fetch is attempted simultaneously from multiple threads then both
threads can attempt to construct the method. However only one of those
will get added to the global evp method store. The one that "lost" the
race to add the method to the global evp method store ended up with the
fetch call returning NULL, instead of returning the method that was
already available.

Fixes openssl#13682

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13660)

* Enhance default provider documentation

Bring Wiki and man page documentation in line regarding default provider
fall-back behaviour.

Fixes openssl#13844

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13859)

* Correct typo in rsa_oaep.c

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13861)

* Remove unused DRBG tests.

The DRBG known answer tests are performed by evp_test and the old vectors
are not used.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from openssl#13867)

* Document openssl thread-safety

Also discuss reference-counting, mutability and safety.

Thanks to David Benjamin for pointing to comment text he added
to boringSSL's header files.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13788)

* Fix crypto/des/build.info

!$disabled{mdc2} was used to determine if DES files should be included
in providers/liblegacy.a.  Use !$disabled{des} instead.

Fixes openssl#13865

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13866)

* Fix incomplete deprecation guard in test/sslapitest.c

OPENSSL_NO_DEPRECATED_3_0 should be used rather than OPENSSL_NO_DEPRECATED,
as the latter doesn't take the configuration option '--api=' in account.

Fixes openssl#13865

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13866)

* Allow EVP_PKEY private key objects to be created without a public component

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13855)

* X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13713)

* bio_lib.c: Fix error queue entries and return codes on NULL args etc.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13713)

* replace all BIO_R_NULL_PARAMETER by ERR_R_PASSED_NULL_PARAMETER

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13713)

* Update SERVER_HELLO_MAX_LENGTH

Update constant to maximum permitted by RFC 8446

Fixes openssl#13868

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13874)

* Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity

To clarify the purpose of these two calls rename them to
EVP_CIPHER_CTX_get_original_iv and EVP_CIPHER_CTX_get_updated_iv.

Also rename the OSSL_CIPHER_PARAM_IV_STATE to OSSL_CIPHER_PARAM_UPDATED_IV
to better align with the function name.

Fixes openssl#13411

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13870)

* CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**.

Fixes openssl#13624

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13668)

* Fix PKCS7 potential segfault

As the code that handles libctx, propq for PKCS7 is very similar to CMS
code, a similiar fix for issue openssl#13624 needs to be applied.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13668)

* Fix memory leak in mac_newctx() on error

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13702)

* DOCS: Fix the last few remaining pass phrase options references

There were a few lingering older style references to the pass phrase
options section, now streamlined with all the others.

Fixes openssl#13883

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13885)

* Deprecate OCSP_xxx API for OSSL_HTTP_xxx

Deprecations made:
    OCSP_REQ_CTX typedef->OSSL_HTTP_REQ_CTX
    OCSP_REQ_CTX_new->OSSL_HTTP_REQ_CTX_new
    OCSP_REQ_CTX_free->OSSL_HTTP_REQ_CTX_free
    OCSP_REQ_CTX_http-> OSSL_HTTP_REQ_CTX_header
    OCSP_REQ_CTX_add1_header->OSSL_HTTP_REQ_CTX_add1_header
    OCSP_REQ_CTX_i2d->OSSL_HTTP_REQ_CTX_i2d
    OCSP_REQ_CTX_get0_mem_bio->OSSL_HTTP_REQ_CTX_get0_mem_bio
    OCSP_set_max_response_length->OSSL_HTTP_REQ_CTX_set_max_response_length
    OCSP_REQ_CTX_nbio_d2i->OSSL_HTTP_REQ_CTX_sendreq_d2i
    OCSP_REQ_CTX_nbio->OSSL_HTTP_REQ_CTX_nbio

Made some editorial changes to man3/OCSP_sendreq.pod; move the NOTES
text inline.  Some of the original functions had no documentation:
OCSP_REQ_CTX_new, OCSP_REQ_CTX_http, OCSP_REQ_CTX_get0_mem_bio,
OCSP_REQ_CTX_nbio_d2i, and OCSP_REQ_CTX_nbio.  Their new counterparts
are now documented in doc/man3/OSSL_HTTP_REQ_CTX.pod

Fixes openssl#12234

Co-authored-by: Richard Levitte <levitte@openssl.org>

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#13742)

* cleaned internal crypto references; activated all tests

* clarified provider activation

Co-authored-by: Dr. David von Oheimb <David.von.Oheimb@siemens.com>
Co-authored-by: Nirbheek Chauhan <nirbheek.chauhan@gmail.com>
Co-authored-by: Etienne Millon <me@emillon.org>
Co-authored-by: bazmoz <bazmoz@protonmail.com>
Co-authored-by: John Baldwin <jhb@FreeBSD.org>
Co-authored-by: David CARLIER <devnexen@gmail.com>
Co-authored-by: Matt Caswell <matt@openssl.org>
Co-authored-by: Otto Hollmann <otto@hollmann.cz>
Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Co-authored-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Co-authored-by: Romain Geissler <romain.geissler@amadeus.com>
Co-authored-by: anupamam13 <anuavnd@gmail.com>
Co-authored-by: Sahana Prasad <sahana@redhat.com>
Co-authored-by: Dr. Matthias St. Pierre <matthias.st.pierre@ncp-e.com>
Co-authored-by: Richard Levitte <levitte@openssl.org>
Co-authored-by: Agustin Gianni <agustingianni@gmail.com>
Co-authored-by: Tomas Mraz <tmraz@fedoraproject.org>
Co-authored-by: Dmitry Belyavskiy <beldmit@gmail.com>
Co-authored-by: Daniel Bevenius <daniel.bevenius@gmail.com>
Co-authored-by: Pauli <ppzgs1@gmail.com>
Co-authored-by: Rich Salz <rsalz@akamai.com>
Co-authored-by: Jon Spillett <jon.spillett@oracle.com>
Co-authored-by: Shane Lontis <shane.lontis@oracle.com>
Co-authored-by: Kurt Roeckx <kurt@roeckx.be>
baentsch added a commit to open-quantum-safe/openssl that referenced this pull request Mar 9, 2021
* Prepare for 1.1.1j-dev

Reviewed-by: Richard Levitte <levitte@openssl.org>

* Fix typo in OPENSSL_malloc.pod

CLA: trivial

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13632)

(cherry picked from commit 74c8dd1)

* v3nametest: Make the gennames structure static

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from openssl#13635)

(cherry picked from commit 7eea331)

* Modify is_tls13_capable() to take account of the servername cb

A servername cb may change the available certificates, so if we have one
set then we cannot rely on the configured certificates to determine if we
are capable of negotiating TLSv1.3 or not.

Fixes openssl#13291

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13305)

* Test that we can negotiate TLSv1.3 if we have an SNI callback

If an SNI callback has been set then we may have no certificuates suitable
for TLSv1.3 use configured for the current SSL_CTX. This should not prevent
us from negotiating TLSv1.3, since we may change the SSL_CTX by the time we
need a suitable certificate.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13305)

* Configurations: PowerPC is big endian

Define B_ENDIAN on PowerPC because it is a big endian architecture. With
this change the BN* related tests pass.

Fixes: openssl#12199

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#12371)

(cherry picked from commit 52c6c12)

* Github CI: run also on repository pushes

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#13686)

(cherry picked from commit 4159ebc)

* Document OCSP_REQ_CTX_i2d.

This is a backport of the documentation from openssl#13620.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13691)

* GitHub CI: Add 'check-update' and 'check-docs'

'check-update' runs a 'make update' to check that it wasn't forgotten.

'check-docs' runs 'make doc-nits'.  We have that as a separate job to
make it more prominent.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from openssl#13701)

(cherry picked from commit 8175476)

* Fix NULL pointer access caused by X509_ATTRIBUTE_create()

When X509_ATTRIBUTE_create() receives an invalid NID (e.g., -1), return
failure rather than silently constructing a broken X509_ATTRIBUTE object
that might cause NULL pointer accesses later on.  This matters because
X509_ATTRIBUTE_create() is used by API functions like PKCS7_add_attribute(3)
and the NID comes straight from the user.

This bug was found while working on LibreSSL documentation.

Reviewed-by: Theo Buehler <tb@openbsd.org>

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#12052)

(cherry picked from commit c4b2c53)

* CRYPTO_secure_malloc_init: BSD support improvements.

Backport of openssl#13394

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from openssl#13637)

* Update copyright years of auto-generated headers (make update)

This backports openssl#13764.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from openssl#13769)

* poly1305/asm/poly1305-armv4.pl: fix Clang compatibility issue

I.e.:

    error: out of range immediate fixup value

This fix is identical to one of the changes made in 3405db9, which I
discovered right after taking a quick stab at fixing this.

CLA: trivial
Fixes openssl#7878

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13757)

* Ensure DTLS free functions can handle NULL

Our free functions should be able to deal with the case where the object
being freed is NULL. This turns out to not be quite the case for DTLS
related objects.

Fixes openssl#13649

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13655)

(cherry picked from commit d0afb30)

* Fix for negative return value from `SSL_CTX_sess_accept()`

Fixes openssl#13183

From the original issue report, before this commit, on master and on
1.1.1, the issue can be detected with the following steps:

- Start with a default SSL_CTX, initiate a TLS 1.3 connection with SNI,
  "Accept" count of default context gets incremented
- After servername lookup, "Accept" count of default context gets
  decremented and that of SNI context is incremented
- Server sends a "Hello Retry Request"
- Client sends the second "Client Hello", now again "Accept" count of
  default context is decremented. Hence giving a negative value.

This commit fixes it by adding a check on `s->hello_retry_request` in
addition to `SSL_IS_FIRST_HANDSHAKE(s)`, to ensure the counter is moved
only on the first ClientHello.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from openssl#13297)

* [crypto/dh] side channel hardening for computing DH shared keys (1.1.1)

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from openssl#13772)

* OPENSSL_cpuid_setup FreeBSD PowerPC update

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13821)

(cherry picked from commit b57ec73)

* OPENSSL_cpuid_setup FreeBSD arm update.

when possible using the getauxval equivalent which has similar ids as Linux, instead of bad instructions catch approach.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13650)

(cherry picked from commit 5eb24fb)

* Fix -static builds

Pull in check from openssl#10878
Move disabling of pic, threads and statics up higher before they
are checked.

Fixes openssl#12772

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#12773)

* Skip BOM when reading the config file

Fixes openssl#13840

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#13857)

(cherry picked from commit 4369a88)

* X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert

This is the backport of openssl#13755 to v1.1.1.
Fixes openssl#13698

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13756)

* x509_vfy.c: Fix a regression in find_isser()

...in case the candidate issuer cert is identical to the target cert.

Fixes openssl#13739

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13749)

* DOCS: Fix incorrect pass phrase options references

There were a number of older style references to the pass phrase
options section, now streamlined with the current openssl(1).

Fixes openssl#13883

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from openssl#13886)

* Fix regression in no-deprecated build

Also add a new no-deprecated CI build to test it.

Fixes openssl#13896

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from openssl#13902)

* Ensure SRP BN_mod_exp follows the constant time path

SRP_Calc_client_key calls BN_mod_exp with private data. However it was
not setting BN_FLG_CONSTTIME and therefore not using the constant time
implementation. This could be exploited in a side channel attack to
recover the password.

Since the attack is local host only this is outside of the current OpenSSL
threat model and therefore no CVE is assigned.

Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
issue.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13889)

* Fix typo in crl2pkcs documentation

Fixes openssl#13910

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13911)

(cherry picked from commit 6857058)

* CI: Add some legacy stuff that we do not test in GitHub CI yet

There are some options that seem to belong to the legacy build.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from openssl#13903)

(cherry picked from commit adcaebc)

* Drop Travis

At this point, we have transitioned completely from Travis to GitHub Actions

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#13941)

* check_sig_alg_match(): weaken sig nid comparison to base alg

This (re-)allows RSA-PSS signers

Fixes openssl#13931

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13982)

* Add some missing committers to the AUTHORS list

Fixes openssl#13815

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#14029)

(cherry picked from commit af403db)

* apps/ca: Properly handle certificate expiration times in do_updatedb

Fixes openssl#13944

   + changed ASN1_UTCTIME to ASN1_TIME
   + removed all Y2K code from do_updatedb
   + changed compare to ASN1_TIME_compare

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#14026)

* Prevent creating empty folder "../apps/include"

This folder "../apps/include" is accidentally created.
This prevents this glitch.

Fixes 19b4fe5 ("Add a CMAC test")

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#14051)

* NOTES.WIN: fix typo

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from openssl#14078)

* configdata.pm: Better display of enabled/disabled options

The options listed in the array @disablables are regular expressions.
For most of them, it's not visible, but there are a few.

However, configdata.pm didn't quite treat them that way, which meant
that the few that are visibly regular expressions, there's a
difference between that and the corresponding the key in %disabled,
which is never a regular expression.

To correctly display the enabled and disabled options with --dump,
we must therefore go through a bit of Perl gymnastics to get the
output correct enough, primarly so that disabled features don't look
enabled.

Fixes openssl#13790

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#14081)

* Configuration: ensure that 'no-tests' works correctly

'no-tests' wasn't entirely respected by test/build.info.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#14081)

* Remove unused 'peer_type' from SSL_SESSION

This field has not been used since openssl#3858 was merged in 2017 when we
moved to a table-based lookup for certificate type properties instead of
an index-based one.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from openssl#13991)

(cherry picked from commit 3bc0b62)

* Configurations/descrip.mms.tmpl: avoid enormous PIPE commands

DCL has a total command line limitation that's too easily broken by
them.

We solve them by creating separate message scripts and using them.

Fixes openssl#13789

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13834)

* VMS documentation fixes

This mostly clarifies details.

Fixes openssl#13789

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13834)

* Fix Null pointer deref in X509_issuer_and_serial_hash()

The OpenSSL public API function X509_issuer_and_serial_hash() attempts
to create a unique hash value based on the issuer and serial number data
contained within an X509 certificate. However it fails to correctly
handle any errors that may occur while parsing the issuer field (which
might occur if the issuer field is maliciously constructed). This may
subsequently result in a NULL pointer deref and a crash leading to a
potential denial of service attack.

The function X509_issuer_and_serial_hash() is never directly called by
OpenSSL itself so applications are only vulnerable if they use this
function directly and they use it on certificates that may have been
obtained from untrusted sources.

CVE-2021-23841

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(cherry picked from commit 8130d65)

* Test that X509_issuer_and_serial_hash doesn't crash

Provide a certificate with a bad issuer and check that
X509_issuer_and_serial_hash doesn't crash.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(cherry picked from commit 55869f5)

* Refactor rsa_test

Reduce code copying by factoring out common code into a separate function.

Reviewed-by: Paul Dale <pauli@openssl.org>

* Fix the RSA_SSLV23_PADDING padding type

This also fixes the public function RSA_padding_check_SSLv23.

Commit 6555a89 changed the padding check logic in RSA_padding_check_SSLv23
so that padding is rejected if the nul delimiter byte is not immediately
preceded by at least 8 bytes containing 0x03. Prior to that commit the
padding is rejected if it *is* preceded by at least 8 bytes containing 0x03.

Presumably this change was made to be consistent with what it says in
appendix E.3 of RFC 5246. Unfortunately that RFC is in error, and the
original behaviour was correct. This is fixed in later errata issued for
that RFC.

This has no impact on libssl for modern versions of OpenSSL because
there is no protocol support for SSLv2 in these versions. However
applications that call RSA_paddin_check_SSLv23 directly, or use the
RSA_SSLV23_PADDING mode may still be impacted. The effect of the original
error is that an RSA message encrypted by an SSLv2 only client will fail to
be decrypted properly by a TLS capable server, or a message encrypted by a
TLS capable client will fail to decrypt on an SSLv2 only server. Most
significantly an RSA message encrypted by a TLS capable client will be
successfully decrypted by a TLS capable server. This last case should fail
due to a rollback being detected.

Thanks to D. Katz and Joel Luellwitz (both from Trustwave) for reporting
this issue.

CVE-2021-23839

Reviewed-by: Paul Dale <pauli@openssl.org>

* Fix rsa_test to properly test RSA_SSLV23_PADDING

We test all three cases:
- An SSLv2 only client talking to a TLS capable server
- A TLS capable client talking to an SSLv2 only server
- A TLS capable client talking to a TLS capable server (should fail due
to detecting a rollback attack)

Reviewed-by: Paul Dale <pauli@openssl.org>

* Don't overflow the output length in EVP_CipherUpdate calls

CVE-2021-23840

Reviewed-by: Paul Dale <pauli@openssl.org>

* Update CHANGES and NEWS for new release

Reviewed-by: Richard Levitte <levitte@openssl.org>

* Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>

* Prepare for 1.1.1j release

Reviewed-by: Richard Levitte <levitte@openssl.org>

Co-authored-by: Matt Caswell <matt@openssl.org>
Co-authored-by: Nan Xiao <nan@chinadtrace.org>
Co-authored-by: Tomas Mraz <tmraz@fedoraproject.org>
Co-authored-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Co-authored-by: Rich Salz <rsalz@akamai.com>
Co-authored-by: Richard Levitte <levitte@openssl.org>
Co-authored-by: Ingo Schwarze <schwarze@openbsd.org>
Co-authored-by: David Carlier <devnexen@gmail.com>
Co-authored-by: Dr. David von Oheimb <David.von.Oheimb@siemens.com>
Co-authored-by: Ole André Vadla Ravnås <oleavr@gmail.com>
Co-authored-by: anupamam13 <anuavnd@gmail.com>
Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Co-authored-by: Todd Short <tshort@akamai.com>
Co-authored-by: Dmitry Belyavskiy <beldmit@gmail.com>
Co-authored-by: Tim Hitchins <tim.hitchins@ekkosense.co.uk>
Co-authored-by: Dr. Matthias St. Pierre <matthias.st.pierre@ncp-e.com>
Co-authored-by: Armin Fuerst <armin@fuerst.priv.at>
Co-authored-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Co-authored-by: Jay Satiro <raysatiro@yahoo.com>
Co-authored-by: Benjamin Kaduk <bkaduk@akamai.com>
dstebila pushed a commit to open-quantum-safe/openssl that referenced this pull request Mar 26, 2021
* Prepare for 1.1.1j-dev

Reviewed-by: Richard Levitte <levitte@openssl.org>

* Fix typo in OPENSSL_malloc.pod

CLA: trivial

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13632)

(cherry picked from commit 74c8dd1)

* v3nametest: Make the gennames structure static

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from openssl#13635)

(cherry picked from commit 7eea331)

* Modify is_tls13_capable() to take account of the servername cb

A servername cb may change the available certificates, so if we have one
set then we cannot rely on the configured certificates to determine if we
are capable of negotiating TLSv1.3 or not.

Fixes openssl#13291

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13305)

* Test that we can negotiate TLSv1.3 if we have an SNI callback

If an SNI callback has been set then we may have no certificuates suitable
for TLSv1.3 use configured for the current SSL_CTX. This should not prevent
us from negotiating TLSv1.3, since we may change the SSL_CTX by the time we
need a suitable certificate.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13305)

* Configurations: PowerPC is big endian

Define B_ENDIAN on PowerPC because it is a big endian architecture. With
this change the BN* related tests pass.

Fixes: openssl#12199

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#12371)

(cherry picked from commit 52c6c12)

* Github CI: run also on repository pushes

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#13686)

(cherry picked from commit 4159ebc)

* Document OCSP_REQ_CTX_i2d.

This is a backport of the documentation from openssl#13620.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13691)

* GitHub CI: Add 'check-update' and 'check-docs'

'check-update' runs a 'make update' to check that it wasn't forgotten.

'check-docs' runs 'make doc-nits'.  We have that as a separate job to
make it more prominent.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from openssl#13701)

(cherry picked from commit 8175476)

* Fix NULL pointer access caused by X509_ATTRIBUTE_create()

When X509_ATTRIBUTE_create() receives an invalid NID (e.g., -1), return
failure rather than silently constructing a broken X509_ATTRIBUTE object
that might cause NULL pointer accesses later on.  This matters because
X509_ATTRIBUTE_create() is used by API functions like PKCS7_add_attribute(3)
and the NID comes straight from the user.

This bug was found while working on LibreSSL documentation.

Reviewed-by: Theo Buehler <tb@openbsd.org>

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#12052)

(cherry picked from commit c4b2c53)

* CRYPTO_secure_malloc_init: BSD support improvements.

Backport of openssl#13394

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from openssl#13637)

* Update copyright years of auto-generated headers (make update)

This backports openssl#13764.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from openssl#13769)

* poly1305/asm/poly1305-armv4.pl: fix Clang compatibility issue

I.e.:

    error: out of range immediate fixup value

This fix is identical to one of the changes made in 3405db9, which I
discovered right after taking a quick stab at fixing this.

CLA: trivial
Fixes openssl#7878

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13757)

* Ensure DTLS free functions can handle NULL

Our free functions should be able to deal with the case where the object
being freed is NULL. This turns out to not be quite the case for DTLS
related objects.

Fixes openssl#13649

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13655)

(cherry picked from commit d0afb30)

* Fix for negative return value from `SSL_CTX_sess_accept()`

Fixes openssl#13183

From the original issue report, before this commit, on master and on
1.1.1, the issue can be detected with the following steps:

- Start with a default SSL_CTX, initiate a TLS 1.3 connection with SNI,
  "Accept" count of default context gets incremented
- After servername lookup, "Accept" count of default context gets
  decremented and that of SNI context is incremented
- Server sends a "Hello Retry Request"
- Client sends the second "Client Hello", now again "Accept" count of
  default context is decremented. Hence giving a negative value.

This commit fixes it by adding a check on `s->hello_retry_request` in
addition to `SSL_IS_FIRST_HANDSHAKE(s)`, to ensure the counter is moved
only on the first ClientHello.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from openssl#13297)

* [crypto/dh] side channel hardening for computing DH shared keys (1.1.1)

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from openssl#13772)

* OPENSSL_cpuid_setup FreeBSD PowerPC update

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13821)

(cherry picked from commit b57ec73)

* OPENSSL_cpuid_setup FreeBSD arm update.

when possible using the getauxval equivalent which has similar ids as Linux, instead of bad instructions catch approach.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#13650)

(cherry picked from commit 5eb24fb)

* Fix -static builds

Pull in check from openssl#10878
Move disabling of pic, threads and statics up higher before they
are checked.

Fixes openssl#12772

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#12773)

* Skip BOM when reading the config file

Fixes openssl#13840

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#13857)

(cherry picked from commit 4369a88)

* X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert

This is the backport of openssl#13755 to v1.1.1.
Fixes openssl#13698

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13756)

* x509_vfy.c: Fix a regression in find_isser()

...in case the candidate issuer cert is identical to the target cert.

Fixes openssl#13739

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from openssl#13749)

* DOCS: Fix incorrect pass phrase options references

There were a number of older style references to the pass phrase
options section, now streamlined with the current openssl(1).

Fixes openssl#13883

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from openssl#13886)

* Fix regression in no-deprecated build

Also add a new no-deprecated CI build to test it.

Fixes openssl#13896

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from openssl#13902)

* Ensure SRP BN_mod_exp follows the constant time path

SRP_Calc_client_key calls BN_mod_exp with private data. However it was
not setting BN_FLG_CONSTTIME and therefore not using the constant time
implementation. This could be exploited in a side channel attack to
recover the password.

Since the attack is local host only this is outside of the current OpenSSL
threat model and therefore no CVE is assigned.

Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
issue.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13889)

* Fix typo in crl2pkcs documentation

Fixes openssl#13910

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13911)

(cherry picked from commit 6857058)

* CI: Add some legacy stuff that we do not test in GitHub CI yet

There are some options that seem to belong to the legacy build.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from openssl#13903)

(cherry picked from commit adcaebc)

* Drop Travis

At this point, we have transitioned completely from Travis to GitHub Actions

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#13941)

* check_sig_alg_match(): weaken sig nid comparison to base alg

This (re-)allows RSA-PSS signers

Fixes openssl#13931

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13982)

* Add some missing committers to the AUTHORS list

Fixes openssl#13815

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#14029)

(cherry picked from commit af403db)

* apps/ca: Properly handle certificate expiration times in do_updatedb

Fixes openssl#13944

   + changed ASN1_UTCTIME to ASN1_TIME
   + removed all Y2K code from do_updatedb
   + changed compare to ASN1_TIME_compare

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#14026)

* Prevent creating empty folder "../apps/include"

This folder "../apps/include" is accidentally created.
This prevents this glitch.

Fixes 19b4fe5 ("Add a CMAC test")

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#14051)

* NOTES.WIN: fix typo

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from openssl#14078)

* configdata.pm: Better display of enabled/disabled options

The options listed in the array @disablables are regular expressions.
For most of them, it's not visible, but there are a few.

However, configdata.pm didn't quite treat them that way, which meant
that the few that are visibly regular expressions, there's a
difference between that and the corresponding the key in %disabled,
which is never a regular expression.

To correctly display the enabled and disabled options with --dump,
we must therefore go through a bit of Perl gymnastics to get the
output correct enough, primarly so that disabled features don't look
enabled.

Fixes openssl#13790

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#14081)

* Configuration: ensure that 'no-tests' works correctly

'no-tests' wasn't entirely respected by test/build.info.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#14081)

* Remove unused 'peer_type' from SSL_SESSION

This field has not been used since openssl#3858 was merged in 2017 when we
moved to a table-based lookup for certificate type properties instead of
an index-based one.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from openssl#13991)

(cherry picked from commit 3bc0b62)

* Configurations/descrip.mms.tmpl: avoid enormous PIPE commands

DCL has a total command line limitation that's too easily broken by
them.

We solve them by creating separate message scripts and using them.

Fixes openssl#13789

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13834)

* VMS documentation fixes

This mostly clarifies details.

Fixes openssl#13789

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#13834)

* Fix Null pointer deref in X509_issuer_and_serial_hash()

The OpenSSL public API function X509_issuer_and_serial_hash() attempts
to create a unique hash value based on the issuer and serial number data
contained within an X509 certificate. However it fails to correctly
handle any errors that may occur while parsing the issuer field (which
might occur if the issuer field is maliciously constructed). This may
subsequently result in a NULL pointer deref and a crash leading to a
potential denial of service attack.

The function X509_issuer_and_serial_hash() is never directly called by
OpenSSL itself so applications are only vulnerable if they use this
function directly and they use it on certificates that may have been
obtained from untrusted sources.

CVE-2021-23841

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(cherry picked from commit 8130d65)

* Test that X509_issuer_and_serial_hash doesn't crash

Provide a certificate with a bad issuer and check that
X509_issuer_and_serial_hash doesn't crash.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(cherry picked from commit 55869f5)

* Refactor rsa_test

Reduce code copying by factoring out common code into a separate function.

Reviewed-by: Paul Dale <pauli@openssl.org>

* Fix the RSA_SSLV23_PADDING padding type

This also fixes the public function RSA_padding_check_SSLv23.

Commit 6555a89 changed the padding check logic in RSA_padding_check_SSLv23
so that padding is rejected if the nul delimiter byte is not immediately
preceded by at least 8 bytes containing 0x03. Prior to that commit the
padding is rejected if it *is* preceded by at least 8 bytes containing 0x03.

Presumably this change was made to be consistent with what it says in
appendix E.3 of RFC 5246. Unfortunately that RFC is in error, and the
original behaviour was correct. This is fixed in later errata issued for
that RFC.

This has no impact on libssl for modern versions of OpenSSL because
there is no protocol support for SSLv2 in these versions. However
applications that call RSA_paddin_check_SSLv23 directly, or use the
RSA_SSLV23_PADDING mode may still be impacted. The effect of the original
error is that an RSA message encrypted by an SSLv2 only client will fail to
be decrypted properly by a TLS capable server, or a message encrypted by a
TLS capable client will fail to decrypt on an SSLv2 only server. Most
significantly an RSA message encrypted by a TLS capable client will be
successfully decrypted by a TLS capable server. This last case should fail
due to a rollback being detected.

Thanks to D. Katz and Joel Luellwitz (both from Trustwave) for reporting
this issue.

CVE-2021-23839

Reviewed-by: Paul Dale <pauli@openssl.org>

* Fix rsa_test to properly test RSA_SSLV23_PADDING

We test all three cases:
- An SSLv2 only client talking to a TLS capable server
- A TLS capable client talking to an SSLv2 only server
- A TLS capable client talking to a TLS capable server (should fail due
to detecting a rollback attack)

Reviewed-by: Paul Dale <pauli@openssl.org>

* Don't overflow the output length in EVP_CipherUpdate calls

CVE-2021-23840

Reviewed-by: Paul Dale <pauli@openssl.org>

* Update CHANGES and NEWS for new release

Reviewed-by: Richard Levitte <levitte@openssl.org>

* Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>

* Prepare for 1.1.1j release

Reviewed-by: Richard Levitte <levitte@openssl.org>

* Prepare for 1.1.1k-dev

Reviewed-by: Richard Levitte <levitte@openssl.org>

* TEST: Add missing initialization

Compiler complained.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#14204)

(cherry picked from commit 55e9d8c)

* Use CRIOGET to fetch a crypto descriptor when present.

FreeBSD's current /dev/crypto implementation requires that consumers
clone a separate file descriptor via the CRIOGET ioctl that can then
be used with other ioctls such as CIOCGSESSION.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>

(cherry picked from commit b39c215)

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#13853)

* Close /dev/crypto file descriptor after CRIOGET ioctl().

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>

(cherry picked from commit 3ddf44e)

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#13853)

* CRYPTO_gcm128_decrypt: fix mac or tag calculation

The incorrect code is in #ifdef branch that is normally
not compiled in.

Signed-off-by: Zhang Jinde <zjd5536@163.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#12968)

(cherry picked from commit 1d724b5)

* Fix an integer overflow in o_time.c

If input offset_sec is sufficiently large (> INT32_MAX * SECS_PER_DAY, which is possible for a long on 64-bit platforms), then the first assignment contains an overflow.

I think leaving offset_hms as an int is still safe.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#14252)

(cherry picked from commit 75de543)

* Fix filename escaping in c_rehash

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#14301)

(cherry picked from commit 2d96895)

* Check ASN1_item_ndef_i2d() return value.

Return an error instead of trying to malloc a negative number.
The other usage in this file already had a similar check, and the caller
should have put an entry on the error stack already.

Note that we only check the initial calls to obtain the encoded length,
and assume that the follow-up call to actually encode to the allocated
storage will succeed if the first one did.

Fixes: openssl#14177

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from openssl#14308)

(cherry picked from commit 90b4247)

* [github-ci] Add a out-of-tree_build job

This adds a new job to trigger the bug reported in
<openssl#11940>

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#14388)

* [1.1.1] Fix `make update` for out-of-tree builds

Fixes openssl#11940

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from openssl#14388)

* Check SSL_set1_chain error in set_cert_cb

CLA: trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#14469)

(cherry picked from commit 1aa7ecd)

* modes: fix coverity 1449860: overlapping memory copy

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#14584)

(cherry picked from commit 145f12d)

* modes: fix coverity 1449851: overlapping memory copy

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#14584)

(cherry picked from commit b875e0e)

* ssl: fix coverity 1451515: out of bounds memory access

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#14585)

(cherry picked from commit 3de7f01)

* apps: fix coverity 966560: division by zero

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#14586)

(cherry picked from commit 7e7e034)

* Add a missing RUN_ONCE in rand_lib.c

Some of the callbacks in rand_lib.c were being invoked without the
RUN_ONCE for that file being called. We add it during rand_pool_new
which should cover all cases.

Fixes openssl#7870
Fixes openssl#11144

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#14603)

* ASN1: Reset the content dump flag after dumping

When encountering a badly coded item, the DER printer (ASN1_print_dump())
sets a flag to ensure that an additional hex dump of the offending content
is printed as part of the output.  Unfortunately, this flag is never reset,
which means that all following items are printed with the extra hex dump,
whether they are faulty or not.

Resetting the flag after hex dumping ensures that only the faulty contents
are printed with the additional hex dump.

Fixes openssl#14626

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from openssl#14627)

(cherry picked from commit 6e34a10)

* Fix missing INVALID_EXTENSION

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#14639)

* check_chain_extensions: Do not override error return value by check_curve

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the
certificates present in a certificate chain. It is not set by default.

Starting from OpenSSL version 1.1.1h a check to disallow certificates with
explicitly encoded elliptic curve parameters in the chain was added to the
strict checks.

An error in the implementation of this check meant that the result of a
previous check to confirm that certificates in the chain are valid CA
certificates was overwritten. This effectively bypasses the check
that non-CA certificates must not be able to issue other certificates.

If a "purpose" has been configured then a subsequent check that the
certificate is consistent with that purpose also checks that it is a
valid CA. Therefore where a purpose is set the certificate chain will
still be rejected even when the strict flag has been used. A purpose is
set by default in libssl client and server certificate verification
routines, but it can be overriden by an application.

Affected applications explicitly set the X509_V_FLAG_X509_STRICT
verification flag and either do not set a purpose for the certificate
verification or, in the case of TLS client or server applications,
override the default purpose to make it not set.

CVE-2021-3450

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>

* Teach TLSProxy how to encrypt <= TLSv1.2 ETM records

Previously TLSProxy only knew how to "repack" messages for TLSv1.3.
Most of the handshake in <= TLSv1.2 is unencrypted so this hasn't been
too much of restriction. However we now want to modify reneg handshakes
which are encrypted so we need to add that capability.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>

* Add a test for CVE-2021-3449

We perform a reneg handshake, where the second ClientHello drops the
sig_algs extension. It must also contain cert_sig_algs for the test to
work.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>

* ssl sigalg extension: fix NULL pointer dereference

As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's
possible to crash an openssl tls secured server remotely by sending a
manipulated hello message in a rehandshake.

On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls
tls12_shared_sigalgs() with the peer_sigalgslen of the previous
handshake, while the peer_sigalgs has been freed.
As a result tls12_shared_sigalgs() walks over the available
peer_sigalgs and tries to access data of a NULL pointer.

This issue was introduced by c589c34 (Add support for the TLS 1.3
signature_algorithms_cert extension, 2018-01-11).

Signed-off-by: Peter Kästle <peter.kaestle@nokia.com>
Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>

CVE-2021-3449

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

* Ensure buffer/length pairs are always in sync

Following on from CVE-2021-3449 which was caused by a non-zero length
associated with a NULL buffer, other buffer/length pairs are updated to
ensure that they too are always in sync.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>

* Update CHANGES and NEWS for new release

Reviewed-by: Tomas Mraz <tomas@openssl.org>

* Update copyright year

Reviewed-by: Tomas Mraz <tomas@openssl.org>

* Prepare for 1.1.1k release

Reviewed-by: Tomas Mraz <tomas@openssl.org>

* README version update [skip ci]

Co-authored-by: Matt Caswell <matt@openssl.org>
Co-authored-by: Nan Xiao <nan@chinadtrace.org>
Co-authored-by: Tomas Mraz <tmraz@fedoraproject.org>
Co-authored-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Co-authored-by: Rich Salz <rsalz@akamai.com>
Co-authored-by: Richard Levitte <levitte@openssl.org>
Co-authored-by: Ingo Schwarze <schwarze@openbsd.org>
Co-authored-by: David Carlier <devnexen@gmail.com>
Co-authored-by: Dr. David von Oheimb <David.von.Oheimb@siemens.com>
Co-authored-by: Ole André Vadla Ravnås <oleavr@gmail.com>
Co-authored-by: anupamam13 <anuavnd@gmail.com>
Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Co-authored-by: Todd Short <tshort@akamai.com>
Co-authored-by: Dmitry Belyavskiy <beldmit@gmail.com>
Co-authored-by: Tim Hitchins <tim.hitchins@ekkosense.co.uk>
Co-authored-by: Dr. Matthias St. Pierre <matthias.st.pierre@ncp-e.com>
Co-authored-by: Armin Fuerst <armin@fuerst.priv.at>
Co-authored-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Co-authored-by: Jay Satiro <raysatiro@yahoo.com>
Co-authored-by: Benjamin Kaduk <bkaduk@akamai.com>
Co-authored-by: John Baldwin <jhb@FreeBSD.org>
Co-authored-by: Zhang Jinde <zjd5536@163.com>
Co-authored-by: jwalch <jeremy.walch@gmail.com>
Co-authored-by: Mark <mark@asx.hu>
Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Co-authored-by: panda <daniel.phan36@gmail.com>
Co-authored-by: Pauli <ppzgs1@gmail.com>
Co-authored-by: Chenglong Zhang <auvkone@gmail.com>
Co-authored-by: Tomas Mraz <tomas@openssl.org>
Co-authored-by: Peter Kaestle <peter.kaestle@nokia.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

5 participants