openssl.git
8 months agoFix EC_GROUP_new_from_ecparameters to check the base length
Matt Caswell [Thu, 19 Aug 2021 11:24:17 +0000 (12:24 +0100)]
Fix EC_GROUP_new_from_ecparameters to check the base length

Check that there's at least one byte in params->base before trying to
read it.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
8 months agoFix NETSCAPE_SPKI_print function to not assume NUL terminated strings
Matt Caswell [Thu, 19 Aug 2021 11:23:38 +0000 (12:23 +0100)]
Fix NETSCAPE_SPKI_print function to not assume NUL terminated strings

ASN.1 strings may not be NUL terminated. Don't assume they are.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
8 months agoFix append_ia5 function to not assume NUL terminated strings
Matt Caswell [Wed, 18 Aug 2021 16:58:23 +0000 (17:58 +0100)]
Fix append_ia5 function to not assume NUL terminated strings

ASN.1 strings may not be NUL terminated. Don't assume they are.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
8 months agoFix test code to not assume NUL terminated strings
Matt Caswell [Wed, 18 Aug 2021 16:37:41 +0000 (17:37 +0100)]
Fix test code to not assume NUL terminated strings

ASN.1 strings may not be NUL terminated. Don't assume they are.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
8 months agoFix the name constraints code to not assume NUL terminated strings
Matt Caswell [Wed, 18 Aug 2021 16:08:58 +0000 (17:08 +0100)]
Fix the name constraints code to not assume NUL terminated strings

ASN.1 strings may not be NUL terminated. Don't assume they are.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
8 months agoFix printing of PROXY_CERT_INFO_EXTENSION to not assume NUL terminated strings
Matt Caswell [Wed, 18 Aug 2021 13:02:40 +0000 (14:02 +0100)]
Fix printing of PROXY_CERT_INFO_EXTENSION to not assume NUL terminated strings

ASN.1 strings may not be NUL terminated. Don't assume they are.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
8 months agoFix POLICYINFO printing to not assume NUL terminated strings
Matt Caswell [Wed, 18 Aug 2021 11:31:38 +0000 (12:31 +0100)]
Fix POLICYINFO printing to not assume NUL terminated strings

ASN.1 strings may not be NUL terminated. Don't assume they are.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
8 months agoFix i2v_GENERAL_NAME to not assume NUL terminated strings
Matt Caswell [Wed, 18 Aug 2021 11:24:22 +0000 (12:24 +0100)]
Fix i2v_GENERAL_NAME to not assume NUL terminated strings

ASN.1 strings may not be NUL terminated. Don't assume they are.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
9 months agosparc: fix cross compile build
Pauli [Mon, 31 May 2021 05:33:22 +0000 (15:33 +1000)]
sparc: fix cross compile build

(cherry picked from commit 64fac96de81d3dc19cc0c9045c341f0dec818075)

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16336)

9 months agoRevert "[github-ci][cross-compiles.yml] Disable sparcv9"
Nicola Tuveri [Wed, 18 Aug 2021 22:16:10 +0000 (01:16 +0300)]
Revert "[github-ci][cross-compiles.yml] Disable sparcv9"

This reverts commit aa23aa759cf33b4f481fc719d42cb7bae8b2eaf0.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16336)

9 months ago[github-ci] Add comment about our approach to GitHub Actions CI
Pauli [Tue, 17 Aug 2021 13:34:52 +0000 (23:34 +1000)]
[github-ci] Add comment about our approach to GitHub Actions CI

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16252)

9 months ago[github-ci][run-checker-merge.yml] Disable ubsan build
Nicola Tuveri [Sat, 7 Aug 2021 06:54:08 +0000 (09:54 +0300)]
[github-ci][run-checker-merge.yml] Disable ubsan build

This commit temporarily disables the ubsan build,
due to failures to be investigated in a dedicated PR.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16252)

9 months ago[github-ci][ci.yml] Disable memory sanitizer build
Nicola Tuveri [Sat, 7 Aug 2021 10:49:03 +0000 (13:49 +0300)]
[github-ci][ci.yml] Disable memory sanitizer build

In 1.1.1 currently we do not support running multiple tests in parallel,
and the `--debug -O1` msan build required more than 3h to run the tests.

This commit temporarily disables this build configuration.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16252)

9 months ago[github-ci][run-checker-ci.yml] Disable no-tls1_3 tests
Nicola Tuveri [Sat, 7 Aug 2021 07:15:16 +0000 (10:15 +0300)]
[github-ci][run-checker-ci.yml] Disable no-tls1_3 tests

This commit temporarily disables tests for no-tls1_3,
due to failures to be investigated in a dedicated PR.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16252)

9 months ago[github-ci][ci.yml] Disable pyca external tests
Nicola Tuveri [Sat, 7 Aug 2021 06:54:08 +0000 (09:54 +0300)]
[github-ci][ci.yml] Disable pyca external tests

This commit temporarily disables pyca external tests,
due to failures to be investigated in a dedicated PR.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16252)

9 months ago[github-ci][ci.yml] Disable krb5 external tests
Nicola Tuveri [Sat, 7 Aug 2021 06:53:08 +0000 (09:53 +0300)]
[github-ci][ci.yml] Disable krb5 external tests

This commit temporarily disables krb5 external tests,
due to failures to be investigated in a dedicated PR.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16252)

9 months ago[github-ci][cross-compiles.yml] Disable sparcv9
Nicola Tuveri [Sat, 7 Aug 2021 06:46:19 +0000 (09:46 +0300)]
[github-ci][cross-compiles.yml] Disable sparcv9

This commit temporarily disables cross-compiling tests for sparcv9, due
to failures to be investigated in a dedicated PR.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16252)

9 months ago[github-ci] Import run-checker daily workflow from master
Nicola Tuveri [Fri, 6 Aug 2021 15:37:02 +0000 (18:37 +0300)]
[github-ci] Import run-checker daily workflow from master

The daily run-checker is scheduled to start at 6:42, instead of the
start of the hour.

The official GitHub documentation remarks the following regarding
scheduled workflows:

> Note: The schedule event can be delayed during periods of high loads
> of GitHub Actions workflow runs. High load times include the start of
> every hour. To decrease the chance of delay, schedule your workflow to
> run at a different time of the hour.

42, obviously, has been picked because it is the answer to the ultimate
question of life, the universe, and everything.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16252)

9 months ago[github-ci] Import run-checker workflows from master
Nicola Tuveri [Fri, 6 Aug 2021 15:37:02 +0000 (18:37 +0300)]
[github-ci] Import run-checker workflows from master

This commit does not include the daily run-checker workflow.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16252)

9 months ago[github-ci] Import cross-compiles.yml workflow from master
Nicola Tuveri [Fri, 6 Aug 2021 15:26:11 +0000 (18:26 +0300)]
[github-ci] Import cross-compiles.yml workflow from master

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16252)

9 months ago[github-ci] Import windows.yml workflow from master
Nicola Tuveri [Fri, 6 Aug 2021 14:55:31 +0000 (17:55 +0300)]
[github-ci] Import windows.yml workflow from master

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16252)

9 months ago[github-ci] Sync ci.yml workflow with master
Nicola Tuveri [Fri, 6 Aug 2021 14:49:32 +0000 (17:49 +0300)]
[github-ci] Sync ci.yml workflow with master

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16252)

9 months agopkcs12: check for zero length digest to avoid division by zero
Pauli [Tue, 17 Aug 2021 03:19:32 +0000 (13:19 +1000)]
pkcs12: check for zero length digest to avoid division by zero

Fixes #16331

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/16333)

9 months agoTest EVP Cipher updating the context's IV
Ingo Franzki [Wed, 11 Aug 2021 10:53:09 +0000 (12:53 +0200)]
Test EVP Cipher updating the context's IV

Ensure that an EVP_CipherUpdate operation updates the context's
IV for AES CBC, CFB, OFB, and CTR. An application can get the
updated IV via EVP_CIPHER_CTX_iv().

The s390x implementation of the CFB and OFB ciphers did not
update the IV in the context, but only within its s390x specific
context data.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16292)

9 months agos390x: AES OFB/CFB: Maintain running IV from cipher context
Ingo Franzki [Wed, 11 Aug 2021 07:39:46 +0000 (09:39 +0200)]
s390x: AES OFB/CFB: Maintain running IV from cipher context

Copy the current IV from the cipher context into the kmo/kmf param before
the operation, and copy the modified IV back to the context afterwards.
Without this, an application that obtains the running IV from the context
would still get the original IV, but not the updated one.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16292)

9 months agoFix potential double-free
Todd Short [Fri, 13 Aug 2021 13:59:59 +0000 (09:59 -0400)]
Fix potential double-free

The `sk` variable is assigned to `s->session->peer_chain`.
If `ssl3_digest_cached_records()` were to fail, then `sk` would still be
non-NULL, and subsequently freed on the error return. When the session
is freed, it will then attempt to free `s->session->peer_chain`,
resulting in a double-free (of `sk`).

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16309)

(cherry picked from commit 0449702abc95a3af24c049cb02c01ca6a8015cef)

9 months agoRevert "TEST: Check that i2d refuses to encode non-optional items with no content"
Tomas Mraz [Fri, 13 Aug 2021 11:01:38 +0000 (13:01 +0200)]
Revert "TEST: Check that i2d refuses to encode non-optional items with no content"

This reverts commit 12e9b74c513a8ed3c1c260cf25221a465ae14b84.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16308)

9 months agoRevert "ASN.1: Refuse to encode to DER if non-optional items are missing"
Tomas Mraz [Fri, 13 Aug 2021 11:01:37 +0000 (13:01 +0200)]
Revert "ASN.1: Refuse to encode to DER if non-optional items are missing"

This reverts commit 006906cddda37e24a66443199444ef4476697477.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16308)

9 months agoRevert "Fix test/asn1_encode_test.c to not use ASN1_FBOOLEAN"
Tomas Mraz [Fri, 13 Aug 2021 11:01:35 +0000 (13:01 +0200)]
Revert "Fix test/asn1_encode_test.c to not use ASN1_FBOOLEAN"

This reverts commit 5434acb6c4d56507d761b28f7e142ccab808a8fa.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16308)

9 months agoRevert "Fix test/asn1_encode_test.c to handle encoding/decoding failure"
Tomas Mraz [Fri, 13 Aug 2021 11:01:34 +0000 (13:01 +0200)]
Revert "Fix test/asn1_encode_test.c to handle encoding/decoding failure"

This reverts commit f1d97905bbd8679b7647c992b97f526791069040.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16308)

9 months agoRevert "make update (adds a new function code)"
Tomas Mraz [Fri, 13 Aug 2021 11:01:29 +0000 (13:01 +0200)]
Revert "make update (adds a new function code)"

This reverts commit ea26844c4f624ef515d9228d3b623761a369b049.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16308)

9 months ago[doc/man3] documentation: BN_cmp manpage updates
Billy Brumley [Wed, 4 Aug 2021 07:45:52 +0000 (10:45 +0300)]
[doc/man3] documentation: BN_cmp manpage updates

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16214)

(cherry picked from commit 3d4ca443b4778e3230ff23f17625f58f815a9142)

9 months agoDSA/RSA_print(): Fix potential memory leak
Tomas Mraz [Wed, 21 Jul 2021 16:45:01 +0000 (18:45 +0200)]
DSA/RSA_print(): Fix potential memory leak

Fixes #10777

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16130)

(cherry picked from commit 40184c96103a388209939c1c19920971c05bb78c)

9 months agoFix a read buffer overrun in X509_aux_print().
Ingo Schwarze [Sun, 18 Jul 2021 15:48:06 +0000 (17:48 +0200)]
Fix a read buffer overrun in X509_aux_print().

The ASN1_STRING_get0_data(3) manual explitely cautions the reader
that the data is not necessarily NUL-terminated, and the function
X509_alias_set1(3) does not sanitize the data passed into it in any
way either, so we must assume the return value from X509_alias_get0(3)
is merely a byte array and not necessarily a string in the sense
of the C language.

I found this bug while writing manual pages for X509_print_ex(3)
and related functions.  Theo Buehler <tb@openbsd.org> checked my
patch to fix the same bug in LibreSSL, see

http://cvsweb.openbsd.org/src/lib/libcrypto/asn1/t_x509a.c#rev1.9

As an aside, note that the function still produces incomplete and
misleading results when the data contains a NUL byte in the middle
and that error handling is consistently absent throughout, even
though the function provides an "int" return value obviously intended
to be 1 for success and 0 for failure, and even though this function
is called by another function that also wants to return 1 for success
and 0 for failure and even does so in many of its code paths, though
not in others.  But let's stay focussed.  Many things would be nice
to have in the wide wild world, but a buffer overflow must not be
allowed to remain in our backyard.

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16108)

(cherry picked from commit c5dc9ab965f2a69bca964c709e648158f3e4cd67)

9 months agoFix some minor record layer issues
Matt Caswell [Thu, 15 Jul 2021 13:08:56 +0000 (14:08 +0100)]
Fix some minor record layer issues

Various comments referred to s->packet and s->packet_length instead of
s->rlayer.packet and s->rlayer.packet_length. Also fixed is a spot where
RECORD_LAYER_write_pending() should have been used. Based on the review
comments in #16077.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(cherry picked from commit ca001524971ccd595bc0e9843611e6784adfc981)

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16105)

10 months agoDisallow SSL_key_update() if there are writes pending
Matt Caswell [Tue, 13 Jul 2021 16:44:44 +0000 (17:44 +0100)]
Disallow SSL_key_update() if there are writes pending

If an application is halfway through writing application data it should
not be allowed to attempt an SSL_key_update() operation. Instead the
SSL_write() operation should be completed.

Fixes #12485

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16098)

10 months agoDon't reset the packet pointer in ssl3_setup_read_buffer
Matt Caswell [Tue, 13 Jul 2021 16:19:12 +0000 (17:19 +0100)]
Don't reset the packet pointer in ssl3_setup_read_buffer

Sometimes this function gets called when the buffers have already been
set up. If there is already a partial packet in the read buffer then the
packet pointer will be set to an incorrect value. The packet pointer already
gets reset to the correct value when we first read a packet anyway, so we
don't also need to do it in ssl3_setup_read_buffer.

Fixes #13729

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16098)

10 months agoapps: Use the first detected address family if IPv6 is not available
Daiki Ueno [Wed, 14 Jul 2021 09:15:34 +0000 (11:15 +0200)]
apps: Use the first detected address family if IPv6 is not available

This is a follow up of 15729bef385211bc2a0497e2d53a45c45d677d2c.  Even
when the host does not support IPv6 at all, BIO_lookup_ex may now
return IN6ADDR_ANY in addition to INADDR_ANY, as the second element of
the ai_next field.

After eee8a40aa5e06841eed6fa8eb4f6109238d59aea, the do_server function
prefers the IPv6 address and fails on the BIO_socket call.  This adds
a fallback code to retry with the IPv4 address returned as the first
element to avoid the error.

The failure had been partially avoided in the previous code with
AI_ADDRCONFIG, because getaddrinfo returns only IPv4 address if no
IPv6 address is associated with external interface.  However, it would
be still a problem if the external interface has an IPv6 address
assigned, while the loopback interface doesn't.

Signed-off-by: Daiki Ueno <dueno@redhat.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16078)

10 months agoAvoid empty lines in nmake rule bodies
Richard Levitte [Mon, 12 Jul 2021 05:26:36 +0000 (07:26 +0200)]
Avoid empty lines in nmake rule bodies

nmake is tolerant of those empty lines, but jom isn't.  That tolerance
isn't standard make behaviour, so we lean towards avoiding them.

We simply use '@rem' instead.

Fixes #16014

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16047)

10 months agoBIO_lookup_ex: use AI_ADDRCONFIG only if explicit host name is given
Daiki Ueno [Thu, 8 Jul 2021 17:22:36 +0000 (19:22 +0200)]
BIO_lookup_ex: use AI_ADDRCONFIG only if explicit host name is given

The flag only affects which record types are queried via DNS (A or
AAAA, or both).  When node is NULL and AF_UNSPEC is used, it prevents
getaddrinfo returning the right address associated with the loopback
interface.

Signed-off-by: Daiki Ueno <dueno@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16039)

10 months agoAvoid "excessive message size" for session tickets
Matt Caswell [Wed, 23 Jun 2021 07:54:12 +0000 (08:54 +0100)]
Avoid "excessive message size" for session tickets

We received a report of an "excessive message size" for a received
session ticket. Our maximum size was significantly less than the theoretical
maximum. The server may put any data it likes in the session ticket
including (for example) the full certificate chain so we should be able to
handle longer tickets. Update the value to the maximum allowed by the spec.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15877)

(cherry picked from commit e54f0c9b2fe3dd2dcb5e8100e2c69e5b2f6eb681)

10 months agomake update (adds a new function code)
Richard Levitte [Fri, 9 Jul 2021 07:14:11 +0000 (09:14 +0200)]
make update (adds a new function code)

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16027)

10 months agoFix test/asn1_encode_test.c to handle encoding/decoding failure
Richard Levitte [Fri, 9 Jul 2021 06:51:55 +0000 (08:51 +0200)]
Fix test/asn1_encode_test.c to handle encoding/decoding failure

Make it only report (and fail on) encoding/decoding failures when success
is expected.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16027)

10 months agoFix test/asn1_encode_test.c to not use ASN1_FBOOLEAN
Richard Levitte [Fri, 9 Jul 2021 06:31:24 +0000 (08:31 +0200)]
Fix test/asn1_encode_test.c to not use ASN1_FBOOLEAN

ASN1_FBOOLEAN is designed to use as a default for optional ASN1 items.
This test program used it for non-optional items, which doesn't encode
well.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16027)

10 months agoASN.1: Refuse to encode to DER if non-optional items are missing
Richard Levitte [Thu, 8 Jul 2021 11:38:45 +0000 (13:38 +0200)]
ASN.1: Refuse to encode to DER if non-optional items are missing

Fixes #16026

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16027)

10 months agoTEST: Check that i2d refuses to encode non-optional items with no content
Richard Levitte [Thu, 8 Jul 2021 11:33:28 +0000 (13:33 +0200)]
TEST: Check that i2d refuses to encode non-optional items with no content

The test case creates an RSA public key and tries to pass it through
i2d_PrivateKey().  This SHOULD fail, since the private bits are missing.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16027)

10 months agoFix s_server PSK handling
Matt Caswell [Tue, 6 Jul 2021 15:24:07 +0000 (16:24 +0100)]
Fix s_server PSK handling

Issue #15951 describes a scenario which causes s_server to fail when using
a PSK. In the originally described issue this only impacted master and not
1.1.1. However, in fact this issue does also impact 1.1.1 - but only if you
additionally supply the option "-no_ticket" to the s_server command line.

The difference between the behaviour in master and 1.1.1 is due to 9c13b49,
which changed PSK_MAX_IDENTITY_LEN from 128 to 256. It just so happens that
a default OpenSSL TLSv1.3 ticket length happens to fall between those 2
values. Tickets are presented in TLSv1.3 as a PSK "identity". Passing
"no_ticket" doesn't actually stop TLSv1.3 tickets completely, it just
forces the use of "session ids as a ticket" instead. This significantly
reduces the ticket size to below 128 in 1.1.1.

The problem was due to s_server setting a TLSv1.2 PSK callback and a
TLSv1.3 PSK callback. For backwards compat reasons the TLSv1.2 PSK
callbacks also work in TLSv1.3 but are not preferred. In the described
scenario we use a PSK to create the initial connection. Subsequent to that
we attempt a resumption using a TLSv1.3 ticket (psk). If the psk length is
below PSK_MAX_IDENTITY_LEN then we first call the TLSv1.2 PSK callback.
Subsequently we call the TLSv1.3 PSK callback. Unfortunately s_server's
TLSv1.2 PSK callback accepts the identity regardless, even though it is an
unexpected value, and hence the binder subsequently fails to verify.

The fix is to bail early in the TLSv1.2 callback if we detect we are being
called from a TLSv1.3 connection.

Fixes #15951

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16008)

(cherry picked from commit 0007ff257c95f5cd046799e492436f41caf4ecb2)

10 months agotest: add test for auto DH security level meets the minimum
Pauli [Sat, 19 Jun 2021 06:17:38 +0000 (16:17 +1000)]
test: add test for auto DH security level meets the minimum

Manual merge from https://github.com/openssl/openssl/pull/15818
Commit id d0e5230dcecc6013d351545ceb275aa2ba5baa80

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15832)

10 months agossl: do not choose auto DH groups that are weaker than the security level
Pauli [Sat, 19 Jun 2021 06:16:36 +0000 (16:16 +1000)]
ssl: do not choose auto DH groups that are weaker than the security level

manual merge from https://github.com/openssl/openssl/pull/15818
id d7b5c648d682b499b71320a03747602a6ba4dec3

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15832)

10 months agoFix memory leak in i2d_ASN1_bio_stream
Oliver Mihatsch [Mon, 5 Jul 2021 14:23:03 +0000 (16:23 +0200)]
Fix memory leak in i2d_ASN1_bio_stream

When creating a signed S/MIME message using SMIME_write_CMS()
if the reading from the bio fails, the state is therefore
still ASN1_STATE_START when BIO_flush() is called by i2d_ASN1_bio_stream().
This results in calling asn1_bio_flush_ex cleanup but will only
reset retry flags as the state is not ASN1_STATE_POST_COPY.
Therefore 48 bytes (Linux x86_64) leaked since the
ndef_prefix_free / ndef_suffix_free callbacks are not executed
and the ndef_aux structure is not freed.

By always calling free function callback in asn1_bio_free() the
memory leak is fixed.

(cherry picked from commit 3a1d2b59522163ebb83bb68e13c896188dc222c6)

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15999)

10 months agobn: procduce correct sign for result of BN_mod()
Pauli [Mon, 5 Jul 2021 01:01:59 +0000 (11:01 +1000)]
bn: procduce correct sign for result of BN_mod()

There is a problem that appears when calling BN_div(a, c, a, b) with negative b.
In this case, the sign of the remainder c is incorrect.  The problem only
occurs if the dividend and the quotient are the same BIGNUM.

Fixes #15982

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15991)

(cherry picked from commit 105c83150f15af3f78ea0758859062842bdbe30e)

10 months agodoc: Mention the update of der data pointers in d2i/i2d
Tomas Mraz [Wed, 30 Jun 2021 09:17:09 +0000 (11:17 +0200)]
doc: Mention the update of der data pointers in d2i/i2d

Fixes #15958

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15973)

10 months agoFix use of uninitialized memory in test_rsa_oaep
David Benjamin [Tue, 29 Jun 2021 18:41:12 +0000 (14:41 -0400)]
Fix use of uninitialized memory in test_rsa_oaep

48f1739600f33c92387debce2002acec6e365f1d did not convert the RSA OAEP
tests correctly. The corrupted ciphertext and truncation tests were
really decrypting uninitialized memory, rather than the sample
ciphertext. This results in an error in tools like MSan.

The test is somewhat roundabout. In the original version, before the
conversion, ctext_ex was an OAEP test vector from key1(), etc.,
functions. The test would:

1. Encrypt ptext_ex as ctext.
2. Decrypt ctext and check it gives ptext_ex.
3. Decrypt ctext_ex and check it gives ptext_ex.
4. Try corrupted and truncated versions of ctext.

48f1739600f33c92387debce2002acec6e365f1d then moved steps 1 and 2 into
test_rsa_simple, which meant ctext is no longer available for step 4. It
then mistakenly left the variable around, but uninitialized, so the test
wasn't testing anything. (Confusingly, test_rsa_simple outputs ctext_ex
to the caller, but doesn't do anything with it. The ctext_ex output is
also only usable for OAEP, not PKCS#1 v1.5.)

It doesn't really matter whether we use ctext or ctext_ex for step 4, so
this PR fixes it by using ctext_ex instead.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15950)

(cherry picked from commit 36a4637e158508f5d2fb7750e4870888072a56f9)

10 months agoapple getentropy removal
David CARLIER [Mon, 28 Jun 2021 08:55:22 +0000 (09:55 +0100)]
apple getentropy removal

backport of #15924

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15935)

10 months agoAdd riscv64 target
luyahan [Mon, 29 Mar 2021 07:33:23 +0000 (16:33 +0900)]
Add riscv64 target

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14724)

10 months agoUse getauxval on Android with API level > 18
Lars Immisch [Thu, 5 Mar 2020 10:26:06 +0000 (11:26 +0100)]
Use getauxval on Android with API level > 18

We received analytics that devices of the device family Oppo A37x
are crashing with SIGILL when trying to load libcrypto.so.
These crashes were fixed by using the system-supplied getauxval function.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15763)

10 months agoenable getauxval on android 10
yunh [Wed, 23 Jun 2021 01:46:42 +0000 (09:46 +0800)]
enable getauxval on android 10

Fixes #9498

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15870)

11 months agoClean away remaining Travis related files
Richard Levitte [Thu, 10 Jun 2021 07:43:07 +0000 (09:43 +0200)]
Clean away remaining Travis related files

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15693)

11 months agoTest EVP_CipherInit sequences and resets
Patrick Steuer [Tue, 8 Jun 2021 08:22:53 +0000 (10:22 +0200)]
Test EVP_CipherInit sequences and resets

Various EVP_CipherInit sequences including partial inits and initializations
with different "enc" flags caused problems on s390x. Similarly, cipher
reinitialization and especially GCM reinitialization with different tag length
led to wrong results. Add some unit tests to cover these rather exotic use
cases.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14900)

11 months agos390x: cipher must set EVP_CIPH_ALWAYS_CALL_INIT flag
Patrick Steuer [Fri, 16 Apr 2021 15:09:46 +0000 (15:09 +0000)]
s390x: cipher must set EVP_CIPH_ALWAYS_CALL_INIT flag

The s390x cipher implementations must call their init function
even if the key argument is NULL to allow initializing the
cipher operation's context in any order.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14900)

11 months agoOnly call dtls1_start_timer() once
Matt Caswell [Wed, 2 Jun 2021 16:19:23 +0000 (17:19 +0100)]
Only call dtls1_start_timer() once

The function dtls1_handle_timeout() calls dtls1_double_timeout() which
was calling dtls1_start_timer(). However dtls1_start_timer() is also
called directly by dtls1_handle_timeout(). We only need to start the timer
once.

Fixes #15561

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15595)

(cherry picked from commit f570d33b02d824e2a3f676f718c4692572f45333)

11 months agoCheck the return value of ASN1_STRING_length
bonniegong [Wed, 2 Jun 2021 07:35:18 +0000 (15:35 +0800)]
Check the return value of ASN1_STRING_length

ASN1_STRING_length gets the field 'length' of msg, which
can be manipulated through a crafted input.
Add a check to avoid error execution of OPENSSL_malloc().

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15583)

(cherry picked from commit effb0dcf864110a4595f1a243adb9c1dd09eb516)

11 months agoee-self-signed.pem: Restore original version, adding -attime to 25-test_verify.t
Dr. David von Oheimb [Thu, 27 May 2021 17:35:53 +0000 (19:35 +0200)]
ee-self-signed.pem: Restore original version, adding -attime to 25-test_verify.t

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15505)

11 months agoModify ssl_handshake_hash to call SSLfatal
Trev Larock [Fri, 28 May 2021 02:26:41 +0000 (02:26 +0000)]
Modify ssl_handshake_hash to call SSLfatal

When EVP_MD_CTX_new fails call SSLfatal before the goto err.
This resolves a state machine issue on the out of memory condition:
ssl/statem/statem.c:643: OpenSSL internal error: Assertion failed:
(s)->statem.in_init && (s)->statem.state == MSG_FLOW_ERROR

Fixes #15491.
CLA: trivial

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15511)

11 months agoPut init_ec_point_formats() inside #ifndef OPENSSL_NO_EC
Tomas Mraz [Fri, 28 May 2021 12:12:12 +0000 (14:12 +0200)]
Put init_ec_point_formats() inside #ifndef OPENSSL_NO_EC

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15518)

11 months agoCall SSLfatal when the generate_ticket_cb returns 0
Todd Short [Wed, 26 May 2021 14:03:35 +0000 (10:03 -0400)]
Call SSLfatal when the generate_ticket_cb returns 0

Otherwise, the state machine ends up being in a bad state:
```
SSL routines:write_state_machine:missing fatal:ssl/statem/statem.c:850:
```

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/15485)

11 months agos_client.pod: Fix grammar in NOTES section.
Shane Lontis [Fri, 18 Sep 2020 02:45:14 +0000 (12:45 +1000)]
s_client.pod: Fix grammar in NOTES section.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12907)

11 months agoCleanup the peer point formats on regotiation
Dmitry Belyavskiy [Thu, 20 May 2021 14:03:05 +0000 (16:03 +0200)]
Cleanup the peer point formats on regotiation

Fixes #14875

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15383)

(cherry picked from commit 3f987381929ee725daf4746591144dde18f313e1)

11 months agoProperly restore XMM registers in ChaCha20's AVX-512(VL) assembly
Jean-Philippe Boivin [Mon, 17 May 2021 20:38:14 +0000 (16:38 -0400)]
Properly restore XMM registers in ChaCha20's AVX-512(VL) assembly

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15315)

(cherry picked from commit 6d3f798cba8075e700003aaf34f1e72bb930086c)

11 months agoInherit hostflags verify params even without hosts
Christian Heimes [Tue, 30 Mar 2021 10:02:42 +0000 (12:02 +0200)]
Inherit hostflags verify params even without hosts

X509_VERIFY_PARAM_inherit() now copies hostflags independently of hosts.

Previously hostflags were only copied when at least one host was set.
Typically applications don't configure hosts on SSL_CTX. The change
enables applications to configure hostflags on SSL_CTX and have OpenSSL
copy the flags from SSL_CTX to SSL.

Fixes: https://github.com/openssl/openssl/issues/14579
Signed-off-by: Christian Heimes <christian@python.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14856)

12 months agoTest oct2point for hybrid point encoding of (0, y)
Theo Buehler [Sat, 1 May 2021 11:09:10 +0000 (13:09 +0200)]
Test oct2point for hybrid point encoding of (0, y)

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15112)

12 months agoAvoid division by zero in hybrid point encoding
Theo Buehler [Sat, 1 May 2021 10:25:50 +0000 (12:25 +0200)]
Avoid division by zero in hybrid point encoding

In hybrid and compressed point encodings, the form octet contains a bit
of information allowing to calculate y from x.  For a point on a binary
curve, this bit is zero if x is zero, otherwise it must match the
rightmost bit of of the field element y / x.  The existing code only
considers the second possibility. It could thus incorrecly fail with a
division by zero error as found by Guido Vranken's cryptofuzz.

This commit adds a few explanatory comments to oct2point. The only
actual code change is in the last hunk which adds a BN_is_zero(x)
check to avoid the division by zero.

Fixes #15021

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15112)

12 months agoUpdate expected results for tls13kexmodes tests
Benjamin Kaduk [Tue, 30 Mar 2021 06:05:22 +0000 (23:05 -0700)]
Update expected results for tls13kexmodes tests

One of the scenarios constructed in these tests was erroneously
producing successful handshakes until the previous commits, but should
have been failing.  Update our expected behavior to match the
specification requirements, and adjust the commentary slightly for
a test case relevant for the other preceding commit.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(cherry picked from commit 80c25611abd7067815943187f36f5e1879201678)

(Merged from https://github.com/openssl/openssl/pull/15255)

12 months agoDon't send key_share for PSK-only key exchange
Benjamin Kaduk [Tue, 30 Mar 2021 04:27:49 +0000 (21:27 -0700)]
Don't send key_share for PSK-only key exchange

TLS 1.3 allows for the "psk_ke" and "psk_dhe_ke" key-exchange modes.
Only the latter mode introduces a new ephemeral (Diffie-Hellman)
key exchange, with the PSK being the only key material used in the
former case.

It's a compliance requirement of RFC 8446 that the server MUST NOT
send a KeyShareEntry when using the "psk_ke" mode, but prior to
this commit we would send a key-share based solely on whether the
client sent one.  This bug goes unnoticed in our internal test suite
since openssl communicating with openssl can never negotiate the
PSK-only key-exchange mode.  However, we should still be compliant
with the spec, so check whether the DHE mode was offered and don't
send a key-share if it wasn't.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(cherry picked from commit e776858bce32d473bd7a69c616ad7f6c2f979dfc)

(Merged from https://github.com/openssl/openssl/pull/15255)

12 months agomake update
Benjamin Kaduk [Tue, 30 Mar 2021 06:08:10 +0000 (23:08 -0700)]
make update

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15255)

12 months agoImprove RFC 8446 PSK key exchange mode compliance
Benjamin Kaduk [Tue, 30 Mar 2021 06:03:49 +0000 (23:03 -0700)]
Improve RFC 8446 PSK key exchange mode compliance

It's a MUST-level requirement that if the client sends a pre_shared_key
extension not accompanied by a psk_key_exchange_modes extension, the
server must abort the handshake.  Prior to this commit the server
would continue on.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(cherry picked from commit efe0f315354b020213097885c79ce856a2f5ac68)

(Merged from https://github.com/openssl/openssl/pull/15255)

12 months agocheck i2d_ASN1_TYPE return value
bonniegong [Mon, 12 Apr 2021 02:43:13 +0000 (10:43 +0800)]
check i2d_ASN1_TYPE return value

add a length check to the return value of function i2d_ASN1_TYPE. Return an error instead of trying to malloc a negative number.

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14828)

(cherry picked from commit c65abf2213117eb5348a46fbc18f706aca052e85)

12 months agoTesting private keys with extra attributes
Dmitry Belyavskiy [Fri, 30 Apr 2021 16:13:14 +0000 (18:13 +0200)]
Testing private keys with extra attributes

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15075)

12 months agoTry to parse private key as PKCS#8 first, fallback afterwards
Dmitry Belyavskiy [Wed, 28 Apr 2021 18:43:35 +0000 (21:43 +0300)]
Try to parse private key as PKCS#8 first, fallback afterwards

Fixes #15022

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15075)

12 months agoBIO_listen: disable setting ipv6_v6only on OpenBSD as it is a read only data and...
David Carlier [Sat, 24 Apr 2021 15:13:26 +0000 (16:13 +0100)]
BIO_listen: disable setting ipv6_v6only on OpenBSD as it is a read only data and true

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/15015)

(cherry picked from commit f7f0632b01cf16efccb133e395cf115c194bd003)

12 months agoAvoid sending alerts after shutdown
Dmitry Belyavskiy [Wed, 5 May 2021 12:29:28 +0000 (14:29 +0200)]
Avoid sending alerts after shutdown

Fixes #11388

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15159)

(cherry picked from commit 22d1138fe2fde9a16e80b81de1d848ae6fa879ef)

12 months agoSupport for Android NDK r22
Fred Hornsey [Wed, 18 Nov 2020 04:20:43 +0000 (22:20 -0600)]
Support for Android NDK r22

This is a backport of #13434, Fixes #13685.

I think builds using standalone toolchain are fine so I left them alone,
but `Configure` will fail if using the NDK directly because the
`platforms` and `sysroot` directories were removed.

If `sysroot` is missing, omit the `--sysroot` and `-gcc-toolchain`
arguments and use the triplet form clang command.

Also since `platforms` was being used for the default API level, use
`meta/platforms.json` instead if needed.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13694)

12 months agoUse OCSP-specific error code for clarity
Dmitry Belyavskiy [Sat, 1 May 2021 11:29:05 +0000 (13:29 +0200)]
Use OCSP-specific error code for clarity

Fixes #12735 for 1.1.1

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15109)

12 months agoman: s_server: fix typo in -alpn option description
Hubert Kario [Fri, 30 Apr 2021 14:41:17 +0000 (16:41 +0200)]
man: s_server: fix typo in -alpn option description

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15098)

12 months agoTest that we don't have a memory leak in d2i_ASN1_OBJECT.
Shane Lontis [Wed, 21 Apr 2021 03:49:29 +0000 (13:49 +1000)]
Test that we don't have a memory leak in d2i_ASN1_OBJECT.

Fixes #14667

Reworked test supplied by @smcpeak into a unit test.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14938)

12 months agoASN1: Ensure that d2i_ASN1_OBJECT() frees the strings on ASN1_OBJECT reuse
Richard Levitte [Tue, 20 Apr 2021 06:43:30 +0000 (08:43 +0200)]
ASN1: Ensure that d2i_ASN1_OBJECT() frees the strings on ASN1_OBJECT reuse

The 'sn' and 'ln' strings may be dynamically allocated, and the
ASN1_OBJECT flags have a bit set to say this.  If an ASN1_OBJECT with
such strings is passed to d2i_ASN1_OBJECT() for reuse, the strings
must be freed, or there is a memory leak.

Fixes #14667

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14938)

12 months agoDon't remove $(TARFILE) when cleaning
Richard Levitte [Thu, 22 Apr 2021 12:37:40 +0000 (14:37 +0200)]
Don't remove $(TARFILE) when cleaning

This file is outside the source tree, so we have no business removing
it.  This is especially concerning if that was the tarball the user
had to create the source tree.

Fixes #14981

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14985)

(cherry picked from commit f58f7ec9397de7b752aa547e2677933559a657db)

12 months agoCorrect the return value on match and mismatch for MAC pkeys
Tomas Mraz [Thu, 22 Apr 2021 10:45:39 +0000 (12:45 +0200)]
Correct the return value on match and mismatch for MAC pkeys

Fixes #14147

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14982)

12 months agoTest that EVP_PKEY_cmp() returns 1 when comparing a key to itself
Tomas Mraz [Thu, 22 Apr 2021 09:16:37 +0000 (11:16 +0200)]
Test that EVP_PKEY_cmp() returns 1 when comparing a key to itself

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14982)

12 months agoSome compilers define __STDC_VERSION__ in c++
Niclas Rosenvik [Tue, 20 Apr 2021 17:14:27 +0000 (19:14 +0200)]
Some compilers define __STDC_VERSION__ in c++

Some compilers(g++ on Solaris/Illumos) define __STDC__VERSION__ in c++ .
This causes c++ code that uses openssl to break on these compilers since
_Noreturn is not a keyword in c++ .

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14944)

(cherry picked from commit 1f3b58d8413cfa3824e9c0a146dee6ceedbc367e)

12 months agoengine: fix double free on error path.
Pauli [Sun, 18 Apr 2021 22:57:18 +0000 (08:57 +1000)]
engine: fix double free on error path.

In function try_decode_PKCS8Encrypted, p8 is freed via X509_SIG_free() at line 481.
If function new_EMBEDDED() returns a null pointer at line 483, the execution will goto nop8.
In the nop8 branch, p8 is freed again at line 491.

Bug reported by @Yunlongs

Fixes #14915

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)

(cherry picked from commit efe8d69daa1a68be0a7f0f73220947c848e7ed1d)

12 months agots: fix double free on error path.
Pauli [Sun, 18 Apr 2021 22:55:37 +0000 (08:55 +1000)]
ts: fix double free on error path.

In function int_ts_RESP_verify_token, if (flags & TS_VFY_DATA) is true, function ts_compute_imprint() will be called at line 299.
In the implementation of ts_compute_imprint, it allocates md_alg at line 406.
But after the allocation, if the execution goto err, then md_alg will be freed in the first time by X509_ALGOR_free at line 439.

After that, ts_compute_imprint returns 0 and the execution goto err branch of int_ts_RESP_verify_token.
In the err branch, md_alg will be freed in the second time at line 320.

Bug reported by @Yunlongs

Fixes #14914

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)

(cherry picked from commit db78c84eb2fa9c41124690bcc2ea50e05f5fc7b7)

12 months agosrp: fix double free,
Pauli [Sun, 18 Apr 2021 22:51:38 +0000 (08:51 +1000)]
srp: fix double free,

In function SRP_create_verifier_ex, it calls SRP_create_verifier_BN_ex(..., &v, ..) at line 653.
In the implementation of SRP_create_verifier_BN_ex(), *verify (which is the paremeter of v) is allocated a pointer via BN_new() at line 738.
And *verify is freed via BN_clear_free() at line 743, and return 0.
Then the execution continues up to goto err at line 655, and the freed v is freed again at line 687.

Bug reported by @Yunlongs

Fixes #14913

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)

(cherry picked from commit b06450bcf763735a89b65ca3ec176600fe7fceed)

13 months agoHandle set_alpn_protos inputs better.
Todd Short [Mon, 22 Mar 2021 16:56:36 +0000 (12:56 -0400)]
Handle set_alpn_protos inputs better.

It's possible to set an invalid protocol list that will be sent in a
ClientHello. This validates the inputs to make sure this does not
happen.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14679)

13 months agocrl2pkcs7 shouldn't include empty optional sets
Dave Coombs [Tue, 6 Apr 2021 16:49:21 +0000 (12:49 -0400)]
crl2pkcs7 shouldn't include empty optional sets

If using crl2pkcs7 -nocrl and with no -certfiles, we shouldn't include
the implicitly tagged [0] certs and [1] crls sets as they are marked
optional and would be empty.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14781)

(cherry picked from commit d3a5898a7f4980bc0fa6345c408f88007573c405)

13 months agoFix typos in x509.pod
Nan Xiao [Wed, 7 Apr 2021 01:18:29 +0000 (09:18 +0800)]
Fix typos in x509.pod

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14783)

(cherry picked from commit 4c979cbeeb9792b170670fa15e29d077597e7ee0)

13 months agoFix potential double free in sslapitest.c
Nan Xiao [Thu, 1 Apr 2021 05:55:04 +0000 (13:55 +0800)]
Fix potential double free in sslapitest.c

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14758)

(cherry picked from commit 493e78986f9677c2b321273da51c276b9a8182d8)

13 months agoRemove unnecessary BIO_do_handshake()s
Nan Xiao [Mon, 29 Mar 2021 09:24:01 +0000 (17:24 +0800)]
Remove unnecessary BIO_do_handshake()s

Since BIO_do_connect() and BIO_do_handshake() are same, no
need to invoke BIO_do_handshake() once more after BIO_do_connect().

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14725)

(cherry picked from commit 975e37cd016f86985d16f1ee646e88213494854a)

13 months agodoc: fix enc -z option documentation
Mohamed Akram [Wed, 10 Mar 2021 14:59:13 +0000 (18:59 +0400)]
doc: fix enc -z option documentation

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14499)

(cherry picked from commit 6635ea531e9f7709e5880dd77fd4c3403a5c3db7)

13 months agoPrint correct error message in utils/mkdir-p.pl
Alex Yursha [Tue, 9 Mar 2021 20:07:26 +0000 (10:07 -1000)]
Print correct error message in utils/mkdir-p.pl

Commit 70a56b914772e6b21cda2a5742817ae4bb7290f1 introduced a regression.

If utils/mkdir-p.pl fails to create a target dir because of insufficient file system
permissions, the subsequent test for dir existence always fails and overwrites
the system error. As a result, a user is presented with a misleading error message.

E.g. if a user tries to create a dir under /usr/local and does not have permissions
for it, the reported error message is "Cannot create directory /usr/local/lib: No such file or directory",
whereas the expected error message is "Cannot create directory /usr/local/lib: Permission denied".

This commit introduces a fix by declaring an additional local variable to cache
the original error message from mkdir. If -d check fails and overwrites the system
error, the user is still presented with the original error from mkdir.

CLA: Trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14487)

(cherry picked from commit af2e1e9c81110ca1a156430686e2f171e80ebfa0)